Eager parse certificate. Better but I kinda hate it

Signed-off-by: itowlson <ivan.towlson@fermyon.com>

Author: itowlson

crates/factor-outbound-pg/src/client.rs

@@ -23,7 +23,27 @@ pub trait ClientFactory: Default + Send + Sync + 'static {
     /// The type of client produced by `get_client`.
     type Client: Client;
     /// Gets a client from the factory.
-    async fn get_client(&self, address: &str, root_ca: Option<&String>) -> Result<Self::Client>;
+    async fn get_client(
+        &self,
+        address: &str,
+        root_ca: Option<HashableCertificate>,
+    ) -> Result<Self::Client>;
+}
+
+#[derive(Clone)]
+pub struct HashableCertificate {
+    certificate: native_tls::Certificate,
+    hash: String,
+}
+
+impl HashableCertificate {
+    pub fn from_pem(text: &str) -> anyhow::Result<Self> {
+        let cert_bytes = text.as_bytes();
+        let hash = spin_common::sha256::hex_digest_from_bytes(cert_bytes);
+        let certificate =
+            native_tls::Certificate::from_pem(cert_bytes).context("invalid root certificate")?;
+        Ok(Self { certificate, hash })
+    }
 }
 
 /// A `ClientFactory` that uses a connection pool per address.
@@ -43,8 +63,16 @@ impl Default for PooledTokioClientFactory {
 impl ClientFactory for PooledTokioClientFactory {
     type Client = deadpool_postgres::Object;
 
-    async fn get_client(&self, address: &str, root_ca: Option<&String>) -> Result<Self::Client> {
-        let pool_key = (address.to_string(), root_ca.cloned());
+    async fn get_client(
+        &self,
+        address: &str,
+        root_ca: Option<HashableCertificate>,
+    ) -> Result<Self::Client> {
+        let (root_ca, root_ca_hash) = match root_ca {
+            None => (None, None),
+            Some(HashableCertificate { certificate, hash }) => (Some(certificate), Some(hash)),
+        };
+        let pool_key = (address.to_string(), root_ca_hash);
         let pool = self
             .pools
             .try_get_with_by_ref(&pool_key, || create_connection_pool(address, root_ca))
@@ -58,7 +86,7 @@ impl ClientFactory for PooledTokioClientFactory {
 /// Creates a Postgres connection pool for the given address.
 fn create_connection_pool(
     address: &str,
-    root_ca: Option<&String>,
+    root_ca: Option<native_tls::Certificate>,
 ) -> Result<deadpool_postgres::Pool> {
     let config = address
         .parse::<tokio_postgres::Config>()
@@ -75,8 +103,7 @@ fn create_connection_pool(
     } else {
         let mut builder = TlsConnector::builder();
         if let Some(root_ca) = root_ca {
-            let cert_bytes = root_ca.as_bytes();
-            builder.add_root_certificate(native_tls::Certificate::from_pem(cert_bytes)?);
+            builder.add_root_certificate(root_ca);
         }
         let connector = MakeTlsConnector::new(builder.build()?);
         deadpool_postgres::Manager::from_config(config, connector, mgr_config)

crates/factor-outbound-pg/src/host.rs

@@ -10,14 +10,14 @@ use tracing::field::Empty;
 use tracing::instrument;
 use tracing::Level;
 
-use crate::client::{Client, ClientFactory};
+use crate::client::{Client, ClientFactory, HashableCertificate};
 use crate::InstanceState;
 
 impl<CF: ClientFactory> InstanceState<CF> {
     async fn open_connection<Conn: 'static>(
         &mut self,
         address: &str,
-        root_ca: Option<&String>,
+        root_ca: Option<HashableCertificate>,
     ) -> Result<Resource<Conn>, v4::Error> {
         self.connections
             .push(
@@ -143,7 +143,7 @@ impl<CF: ClientFactory> v3::HostConnection for InstanceState<CF> {
 
 pub(crate) struct ConnectionBuilder {
     address: String,
-    root_ca: Option<String>,
+    root_ca: Option<HashableCertificate>,
 }
 
 impl<CF: ClientFactory> v4::HostConnectionBuilder for InstanceState<CF> {
@@ -165,11 +165,13 @@ impl<CF: ClientFactory> v4::HostConnectionBuilder for InstanceState<CF> {
         self_: Resource<v4::ConnectionBuilder>,
         certificate: String,
     ) -> Result<(), v4::Error> {
+        let root_ca = HashableCertificate::from_pem(&certificate)
+            .map_err(|e| v4::Error::Other(format!("invalid root certificate: {e}")))?;
         let builder = self
             .builders
             .get_mut(self_.rep())
             .ok_or_else(|| v4::Error::ConnectionFailed("no builder found".into()))?;
-        builder.root_ca = Some(certificate);
+        builder.root_ca = Some(root_ca);
         Ok(())
     }
 
@@ -184,7 +186,7 @@ impl<CF: ClientFactory> v4::HostConnectionBuilder for InstanceState<CF> {
         // borrow checker gets pedantic here, so we need to outsmart it
         let address = builder.address.clone();
         let root_ca = builder.root_ca.clone();
-        let conn = self.open_connection(&address, root_ca.as_ref()).await;
+        let conn = self.open_connection(&address, root_ca).await;
         conn
     }
 

crates/factor-outbound-pg/tests/factor_test.rs

@@ -2,6 +2,7 @@ use anyhow::{bail, Result};
 use spin_factor_outbound_networking::OutboundNetworkingFactor;
 use spin_factor_outbound_pg::client::Client;
 use spin_factor_outbound_pg::client::ClientFactory;
+use spin_factor_outbound_pg::client::HashableCertificate;
 use spin_factor_outbound_pg::OutboundPgFactor;
 use spin_factor_variables::VariablesFactor;
 use spin_factors::{anyhow, RuntimeFactors};
@@ -112,7 +113,11 @@ pub struct MockClient {}
 #[async_trait]
 impl ClientFactory for MockClientFactory {
     type Client = MockClient;
-    async fn get_client(&self, _address: &str, _root_ca: Option<&String>) -> Result<Self::Client> {
+    async fn get_client(
+        &self,
+        _address: &str,
+        _root_ca: Option<HashableCertificate>,
+    ) -> Result<Self::Client> {
         Ok(MockClient {})
     }
 }