From 92a1127f19cf1db717dedae0207a2d2951d7ea3b Mon Sep 17 00:00:00 2001 From: Kevin Flansburg Date: Wed, 8 Nov 2023 09:07:20 -0500 Subject: [PATCH] Postgres TLS Support (#403) * Implement TlsStream for Socket * starttls trait * Implement TlsConnection in workers-rs * Update example * fmt * docs and fix example --- Cargo.lock | 28 ++++++++++++---- examples/tokio-postgres/Cargo.toml | 5 +-- examples/tokio-postgres/src/lib.rs | 7 ++-- worker/Cargo.toml | 6 ++++ worker/src/socket.rs | 54 ++++++++++++++++++++++++++++++ 5 files changed, 90 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 17c911f4..4d4fc6fa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -993,8 +993,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "postgres-protocol" -version = "0.6.5" -source = "git+https://github.com/sfackler/rust-postgres?branch=master#790af54a0fdd5c487e77dc9a25d82921ee31ffe6" +version = "0.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49b6c5ef183cd3ab4ba005f1ca64c21e8bd97ce4699cfea9e8d9a2c4958ca520" dependencies = [ "base64 0.21.2", "byteorder", @@ -1011,8 +1012,9 @@ dependencies = [ [[package]] name = "postgres-types" -version = "0.2.5" -source = "git+https://github.com/sfackler/rust-postgres?branch=master#790af54a0fdd5c487e77dc9a25d82921ee31ffe6" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d2234cdee9408b523530a9b6d2d6b373d1db34f6a8e51dc03ded1828d7fb67c" dependencies = [ "bytes", "fallible-iterator", @@ -1589,8 +1591,9 @@ dependencies = [ [[package]] name = "tokio-postgres" -version = "0.7.8" -source = "git+https://github.com/sfackler/rust-postgres?branch=master#790af54a0fdd5c487e77dc9a25d82921ee31ffe6" +version = "0.7.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d340244b32d920260ae7448cb72b6e238bddc3d4f7603394e7dd46ed8e48f5b8" dependencies = [ "async-trait", "byteorder", 
@@ -1605,9 +1608,11 @@ dependencies = [ "pin-project-lite", "postgres-protocol", "postgres-types", + "rand", "socket2 0.5.3", "tokio", "tokio-util", + "whoami", ] [[package]] @@ -2136,6 +2141,16 @@ dependencies = [ "webpki", ] +[[package]] +name = "whoami" +version = "1.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "22fc3756b8a9133049b26c7f61ab35416c130e8c09b660f5b3958b446f52cc50" +dependencies = [ + "wasm-bindgen", + "web-sys", +] + [[package]] name = "winapi" version = "0.3.9" @@ -2316,6 +2331,7 @@ dependencies = [ "serde-wasm-bindgen", "serde_json", "tokio", + "tokio-postgres", "url", "wasm-bindgen", "wasm-bindgen-futures", diff --git a/examples/tokio-postgres/Cargo.toml b/examples/tokio-postgres/Cargo.toml index 72f9353a..68475a89 100644 --- a/examples/tokio-postgres/Cargo.toml +++ b/examples/tokio-postgres/Cargo.toml @@ -2,6 +2,7 @@ name = "tokio-postgres-on-workers" version = "0.1.0" edition = "2021" +resolver = "2" # https://github.com/rustwasm/wasm-pack/issues/1247 [package.metadata.wasm-pack.profile.release] @@ -11,5 +12,5 @@ wasm-opt = false crate-type = ["cdylib"] [dependencies] -worker = { workspace=true } -tokio-postgres = { git="https://github.com/sfackler/rust-postgres", branch="master", features=['js'], default-features=false } +worker = { workspace=true, features=["tokio-postgres"] } +tokio-postgres = { version="0.7", features=['js'], default-features=false } diff --git a/examples/tokio-postgres/src/lib.rs b/examples/tokio-postgres/src/lib.rs index 34b805e9..610fcc02 100644 --- a/examples/tokio-postgres/src/lib.rs +++ b/examples/tokio-postgres/src/lib.rs @@ -1,3 +1,4 @@ +use worker::postgres_tls::PassthroughTls; use worker::*; #[event(fetch)] 
@@ -7,9 +8,11 @@ async fn main(_req: Request, _env: Env, _ctx: Context) -> Result { config.user("postgres"); // Connect using Worker Socket - let socket = Socket::builder().connect("database_url", 5432)?; + let socket = Socket::builder() + .secure_transport(SecureTransport::StartTls) + .connect("database_url", 5432)?; let (_client, connection) = config - .connect_raw(socket, tokio_postgres::tls::NoTls) + .connect_raw(socket, PassthroughTls) .await .map_err(|e| worker::Error::RustError(format!("tokio-postgres: {:?}", e)))?; diff --git a/worker/Cargo.toml b/worker/Cargo.toml index 42297d4e..eb5fafc9 100644 --- a/worker/Cargo.toml +++ b/worker/Cargo.toml @@ -42,6 +42,12 @@ features = [ "WritableStreamDefaultWriter" ] +[dependencies.tokio-postgres] +version = "0.7" +default-features=false +features = ["js"] +optional = true + [features] queue = ["worker-macros/queue", "worker-sys/queue"] d1 = ["worker-sys/d1"] diff --git a/worker/src/socket.rs b/worker/src/socket.rs index d33aeb16..99f43a20 100644 --- a/worker/src/socket.rs +++ b/worker/src/socket.rs @@ -376,6 +376,60 @@ fn handle_data(buf: &mut ReadBuf<'_>, mut data: Vec) -> (Reading, Poll) -> fmt::Result { + fmt.write_str("PassthroughTlsError") + } + } + + impl TlsConnect for PassthroughTls { + type Stream = Socket; + type Error = PassthroughTlsError; + type Future = Ready>; + + fn connect(self, s: Self::Stream) -> Self::Future { + let tls = s.start_tls(); + ready(Ok(tls)) + } + } + + impl TlsStream for Socket { + fn channel_binding(&self) -> ChannelBinding { + ChannelBinding::none() + } + } +} + #[cfg(test)] mod tests { use super::*;
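Review bot: The example does not pin the TLS requirement on the tokio-postgres side. Only `config.user("postgres")` is visible before `connect_raw(socket, PassthroughTls)`, and tokio-postgres defaults `ssl_mode` to `Prefer`, which continues in plaintext when the server declines the SSL request. In that case `PassthroughTls` is never asked to upgrade the socket, and the `StartTls` socket stays unencrypted without any error. Because examples get copied, I would add `config.ssl_mode(tokio_postgres::config::SslMode::Require);` next to the `config.user(...)` call so a declined upgrade fails the connection instead of downgrading it. The body of `main` starts above this hunk, so disregard this if the mode is already set there.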
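Review bot: `TlsStream::channel_binding` for `Socket` returns `ChannelBinding::none()` without explanation, so SCRAM channel binding is never available on these connections. A config that requires channel binding will fail to authenticate, and the default will authenticate without it. A comment on that impl would help, for example `// TLS is handled by the Workers runtime and no peer-certificate data is available here, so no channel-binding data can be supplied.` (adjust if the actual reason differs). It is also worth stating on `PassthroughTls` that `connect` always returns `ready(Ok(tls))` and `PassthroughTlsError` is never constructed in the visible code, so certificate and hostname validation depend entirely on what `start_tls()` does in the runtime. Part of this hunk's text appears truncated in this view, so some of this may already be documented.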