
mTLS based Passwordless Authentication to Postgres DB #32635

Closed
dokhremenko opened this issue Nov 25, 2024 · 4 comments
Labels
issue/workaround it is or has a workaround type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@dokhremenko

Feature Description

Postgres DB supports passwordless authentication based on mutual TLS client-server certificates.
Can such a mechanism be implemented for Gitea? Probably it's not supported by the PG driver https://pkg.go.dev/github.com/lib/pq used in Gitea, but maybe such an approach can be evaluated?

Screenshots

No response

@dokhremenko dokhremenko added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Nov 25, 2024
@lunny
Member

lunny commented Nov 30, 2024

It depends on the upstream library. Please send an issue also to the upstream repository.

@lunny lunny added the type/upstream This is an issue in one of Gitea's dependencies and should be reported there label Nov 30, 2024
@lafriks
Member

lafriks commented Nov 30, 2024

Both lib/pq and pgx do support this.

@dokhremenko
Author

Hi @lunny
I double-checked and, as @lafriks mentioned, mTLS-based auth is supported by the underlying libs.
But after a quick code check I didn't find the relevant DB parameters needed to pass certificates, something similar to SSL_MODE but for sslcert, sslkey, sslcacert.

So it can be assumed that the issue is in Gitea itself.

May I ask whether it is going to be supported by Gitea (or maybe I missed something and it is already supported)?

@lunny lunny removed the type/upstream This is an issue in one of Gitea's dependencies and should be reported there label Dec 2, 2024
@dokhremenko
Author

It worked for me to just pass the env vars PGSSLROOTCERT, PGSSLCERT, PGSSLKEY with the paths to the certs, and remove the PASSWD env from the Gitea config.

@lunny lunny added the issue/workaround it is or has a workaround label Jan 29, 2025
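The workaround above relies on lib/pq honouring the libpq environment variables. As an added illustration (not Gitea's or lib/pq's own code), the Go program below builds the equivalent crypto/tls configuration from PGSSLROOTCERT, PGSSLCERT and PGSSLKEY and checks the one thing that silently breaks certificate authentication: a client certificate whose CN does not match the database user. The function names, the host db.example.internal, and the throwaway CA it generates are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// pgTLSFromEnv mirrors what a libpq-style driver derives from PGSSLROOTCERT, PGSSLCERT and
// PGSSLKEY: verify the server against the root CA and host name, present the client cert.
func pgTLSFromEnv(host string) (*tls.Config, error) {
	root, cert, key := os.Getenv("PGSSLROOTCERT"), os.Getenv("PGSSLCERT"), os.Getenv("PGSSLKEY")
	if root == "" || cert == "" || key == "" {
		return nil, errors.New("PGSSLROOTCERT, PGSSLCERT and PGSSLKEY must all be set")
	}
	caPEM, err := os.ReadFile(root)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("PGSSLROOTCERT contains no CA certificate")
	}
	pair, err := tls.LoadX509KeyPair(cert, key) // also checks that the key matches the cert
	if err != nil {
		return nil, err
	}
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{pair}, ServerName: host, MinVersion: tls.VersionTLS12}, nil
}

// clientCertCN returns the CN of the configured client certificate. With the pg_hba "cert"
// method PostgreSQL uses the CN as the role name (absent a pg_ident map), so it must equal USER.
func clientCertCN(cfg *tls.Config) (string, error) {
	if len(cfg.Certificates) == 0 || len(cfg.Certificates[0].Certificate) == 0 {
		return "", errors.New("no client certificate configured")
	}
	leaf, err := x509.ParseCertificate(cfg.Certificates[0].Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// must panics on error; a demo convenience, not how a driver reports failures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// writePEM stores der with mode 0600: lib/pq, like libpq, refuses a private key file that
// is readable by group or others.
func writePEM(path, typ string, der []byte) {
	if err := os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600); err != nil {
		panic(err)
	}
}

// writeTestPKI creates a throwaway CA plus a client certificate with the given CN in dir and
// returns the three paths. Constructed demo material, not a real deployment's PKI.
func writeTestPKI(dir, cn string) (root, cert, key string) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	clDER := must(x509.CreateCertificate(rand.Reader, clTmpl, caTmpl, &clKey.PublicKey, caKey))
	keyDER := must(x509.MarshalECPrivateKey(clKey))
	root, cert, key = filepath.Join(dir, "root.crt"), filepath.Join(dir, "client.crt"), filepath.Join(dir, "client.key")
	writePEM(root, "CERTIFICATE", caDER)
	writePEM(cert, "CERTIFICATE", clDER)
	writePEM(key, "EC PRIVATE KEY", keyDER)
	return root, cert, key
}

func main() {
	dir := must(os.MkdirTemp("", "pgmtls"))
	defer os.RemoveAll(dir)
	root, cert, key := writeTestPKI(dir, "gitea")
	os.Setenv("PGSSLROOTCERT", root)
	os.Setenv("PGSSLCERT", cert)
	os.Setenv("PGSSLKEY", key)
	cfg := must(pgTLSFromEnv("db.example.internal"))
	cn := must(clientCertCN(cfg))
	fmt.Printf("client cert CN=%q, matches DB user gitea: %v\n", cn, cn == "gitea")
}
```

Two caveats for anyone reproducing the workaround: the environment variables only supply the key material, and whether the driver actually verifies the server's host name (what ServerName stands for above) is governed by Gitea's SSL_MODE, so set it to verify-full rather than relying on the defaults. On the server side, pg_hba.conf needs a hostssl entry with the cert method for the Gitea database and role, and with that method the certificate CN has to equal the role name unless a pg_ident map says otherwise.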