From aecd31a84f7c247fc5e2e7fafb1643e96ce4985f Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Fri, 30 Aug 2024 19:31:14 +0200
Subject: [PATCH] Streaming: improve handling of SSLMODE and cert/key/ca files
---
 streaming/database.js | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/streaming/database.js b/streaming/database.js
index 9f1d742143a..419e9ed7031 100644
--- a/streaming/database.js
+++ b/streaming/database.js
@@ -1,3 +1,6 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
 import pg from 'pg';
 import pgConnectionString from 'pg-connection-string';
@@ -83,19 +86,34 @@ export function configFromEnv(env, environment) {
 baseConfig = pgConfigs[environment];
 if (env.DB_SSLMODE) {
- switch(env.DB_SSLMODE) {
+ // This is the same logic used by `pg` for handling sslmode:
+ switch (env.DB_SSLMODE) {
 case 'disable':
- case '':
 baseConfig.ssl = false;
 break;
+ case 'prefer':
+ case 'require':
+ case 'verify-ca':
+ case 'verify-full':
+ baseConfig.ssl = {};
+ break;
 case 'no-verify':
 baseConfig.ssl = { rejectUnauthorized: false };
 break;
- default:
- baseConfig.ssl = {};
- break;
 }
 }
+
+ if (typeof env.DB_SSL_CERT === 'string' && typeof baseConfig.ssl === 'object') {
+ baseConfig.ssl.cert = fs.readFileSync(path.resolve(env.DB_SSL_CERT), 'ascii');
+ }
+
+ if (typeof env.DB_SSL_KEY === 'string' && typeof baseConfig.ssl === 'object') {
+ baseConfig.ssl.key = fs.readFileSync(path.resolve(env.DB_SSL_KEY), 'ascii');
+ }
+
+ if (typeof env.DB_SSL_CA === 'string' && typeof baseConfig.ssl === 'object') {
+ baseConfig.ssl.ca = fs.readFileSync(path.resolve(env.DB_SSL_CA), 'ascii');
+ }
 } else {
 throw new Error('Unable to resolve postgresql database configuration.');
 }
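Review bot: The three `DB_SSL_CERT`/`DB_SSL_KEY`/`DB_SSL_CA` reads at the end of the second hunk are silently skipped whenever `baseConfig.ssl` is not an object, so an operator who sets `DB_SSL_CA` together with `DB_SSLMODE=disable`, or with a `pgConfigs` entry that leaves `ssl` unset or boolean (I cannot see `pgConfigs` from here), ends up without the CA they configured and no diagnostic — a misconfiguration that weakens the connection rather than failing it. I would fail fast in that case and fold the three near-identical blocks into one loop (below); note `typeof null === 'object'`, so the guard should also exclude `null` before assigning `.cert`/`.key`/`.ca`, and if `pgConfigs` can legitimately yield `ssl: true`, convert it to `{}` there instead of throwing. Separately, `'ascii'` makes Node drop the high bit of every byte; PEM is 7-bit so this is not a bug today, but `'utf8'` is the conventional encoding for a text read and avoids silent corruption if a file ever is not pure ASCII. The new comment `// This is the same logic used by `pg` for handling sslmode:` deserves one more line, because mapping `prefer`/`require`/`verify-ca` to `{}` gives all of them Node's default verification of chain and hostname, which is stricter than libpq's meaning of those modes — e.g. `// Note: unlike libpq, every mode except 'disable' and 'no-verify' fully verifies the server certificate and hostname.` `configFromEnv`'s body begins before this hunk.
```javascript
  // … unchanged: DB_SSLMODE switch …

  // Map TLS option -> env var holding a PEM file path; refuse to silently drop any of them.
  const sslFileVars = { cert: 'DB_SSL_CERT', key: 'DB_SSL_KEY', ca: 'DB_SSL_CA' };
  for (const [option, name] of Object.entries(sslFileVars)) {
    if (typeof env[name] !== 'string') continue;
    if (typeof baseConfig.ssl !== 'object' || baseConfig.ssl === null) {
      throw new Error(`${name} is set but DB_SSLMODE does not enable TLS`);
    }
    baseConfig.ssl[option] = fs.readFileSync(path.resolve(env[name]), 'utf8');
  }
```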