Add extra_opts to endpoints config (#572)

Author: mrnovalles

Diff for: lib/postgrex.ex

@@ -78,10 +78,12 @@ defmodule Postgrex do
 
     * `:hostname` - Server hostname (default: PGHOST env variable, then localhost);
     * `:port` - Server port (default: PGPORT env variable, then 5432);
-    * `:endpoints` - A list of endpoints (host and port pairs); Postgrex will try
-      each endpoint in order, one by one, until the connection succeeds; The syntax
-      is `[{host1,port1},{host2,port2},{host3,port3}]`; This option takes precedence
-      over `:hostname+:port`;
+    * `:endpoints` - A list of endpoints (host and port pairs, with an optional
+      extra_opts keyword list);
+      Postgrex will try each endpoint in order, one by one, until the connection succeeds;
+      The syntax is `[{host1, port1},{host2, port2},{host3, port3}]` or
+      `[{host1, port1, extra_opt1: value},{host2, port2, extra_opt2: value}}]`;
+      This option takes precedence over `:hostname+:port`;
     * `:socket_dir` - Connect to PostgreSQL via UNIX sockets in the given directory;
       The socket name is derived based on the port. This is the preferred method
       for configuring sockets and it takes precedence over the hostname. If you are
@@ -154,21 +156,23 @@ defmodule Postgrex do
 
       iex> {:ok, pid} = Postgrex.start_link(socket_dir: "/tmp", database: "postgres")
       {:ok, #PID<0.69.0>}
-      
-  ## SSL client authentication 
 
-  When connecting to CockroachDB instances running in secure mode it is idiomatic to use 
-  client SSL certificate authentication. 
+  ## SSL client authentication
+
+  When connecting to CockroachDB instances running in secure mode it is idiomatic to use
+  client SSL certificate authentication.
 
   An example of Repository configuration:
 
       config :app, App.Repo,
         ssl: String.to_existing_atom(System.get_env("DB_SSL_ENABLED", "true")),
         ssl_opts: [
           verify: :verify_peer,
+          server_name_indication: System.get_env("DB_HOSTNAME")
           cacertfile: System.get_env("DB_CA_CERT_FILE"),
-          verify_fun: &:ssl_verify_hostname.verify_fun/3
-        ]  
+          customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)],
+          depth: 3
+        ]
 
   ## PgBouncer
 
@@ -215,6 +219,28 @@ defmodule Postgrex do
         (...),
         {"test-instance-N.xyz.eu-west-1.rds.amazonaws.com", 5432}
       ]
+
+  ### Failover with SSL support
+
+  As specified in Erlang [:ssl.connect](https://erlang.org/doc/man/ssl.html#connect-3),
+  host verification using `:public_key.pkix_verify_hostname_match_fun(:https)`
+  requires that the ssl_opt `server_name_indication` is set, and for this reason,
+  the aforementioned `endpoints` list can become a three element tuple as:
+
+      endpoints: [
+        {
+          "test-instance-1.xyz.eu-west-1.rds.amazonaws.com",
+          5432,
+          [ssl: [server_name_indication: String.to_charlist("test-instance-1.xyz.eu-west-1.rds.amazonaws.com")]]
+        },
+        (...),
+        {
+          "test-instance-2.xyz.eu-west-1.rds.amazonaws.com",
+          5432,
+          [ssl: [server_name_indication: String.to_charlist("test-instance-2.xyz.eu-west-1.rds.amazonaws.com")]]
+        }
+      ]
+
   """
   @spec start_link([start_option]) :: {:ok, pid} | {:error, Postgrex.Error.t() | term}
   def start_link(opts) do

Diff for: lib/postgrex/protocol.ex

@@ -112,25 +112,28 @@ defmodule Postgrex.Protocol do
 
     case Keyword.fetch(opts, :socket) do
       {:ok, file} ->
-        [{{:local, file}, 0}]
+        [{{:local, file}, 0, []}]
 
       :error ->
         case Keyword.fetch(opts, :socket_dir) do
           {:ok, dir} ->
-            [{{:local, "#{dir}/.s.PGSQL.#{port}"}, 0}]
+            [{{:local, "#{dir}/.s.PGSQL.#{port}"}, 0, []}]
 
           :error ->
             case Keyword.fetch(opts, :endpoints) do
               {:ok, endpoints} when is_list(endpoints) ->
-                Enum.map(endpoints, fn {hostname, port} -> {to_charlist(hostname), port} end)
+                Enum.map(endpoints, fn
+                  {hostname, port} -> {to_charlist(hostname), port, []}
+                  {hostname, port, extra_opts} -> {to_charlist(hostname), port, extra_opts}
+                end)
 
               {:ok, _} ->
                 raise ArgumentError, "expected :endpoints to be a list of tuples"
 
               :error ->
                 case Keyword.fetch(opts, :hostname) do
                   {:ok, hostname} ->
-                    [{to_charlist(hostname), port}]
+                    [{to_charlist(hostname), port, []}]
 
                   :error ->
                     raise ArgumentError,
@@ -142,15 +145,17 @@ defmodule Postgrex.Protocol do
   end
 
   defp connect_endpoints(
-         [{host, port} | remaining_endpoints],
+         [{host, port, extra_opts} | remaining_endpoints],
          sock_opts,
          timeout,
          s,
          %{opts: opts, types_mod: types_mod} = status,
          previous_errors
        ) do
     types_key = if types_mod, do: {host, port, Keyword.fetch!(opts, :database)}
-    status = %{status | types_key: types_key}
+    opts = Config.Reader.merge(opts, extra_opts)
+
+    status = %{status | types_key: types_key, opts: opts}
 
     case connect_and_handshake(host, port, sock_opts, timeout, s, status) do
       {:ok, _} = ret ->

Diff for: test/login_test.exs

@@ -82,6 +82,21 @@ defmodule LoginTest do
     assert {:ok, %Postgrex.Result{}} = P.query(pid, "SELECT 123", [])
   end
 
+  @tag :ssl
+  test "ssl with extra_ssl_opts in endpoints succeeds", context do
+    opts = [ssl: true, endpoints: [{"localhost", 5555, [ssl: [verify_peer: :none]]}]]
+    assert {:ok, pid} = P.start_link(opts ++ context[:options])
+    assert {:ok, %Postgrex.Result{}} = P.query(pid, "SELECT 123", [])
+  end
+
+  @tag :ssl
+  test "ssl with extra_ssl_opts in endpoints fails due to bad ssl_opt", context do
+    assert capture_log(fn ->
+             opts = [ssl: true, endpoints: [{"localhost", 5555, [ssl: [verify_peer: :foobar]]}]]
+             assert_start_and_killed(opts ++ context[:options])
+           end)
+  end
+
   test "env var defaults", context do
     assert {:ok, pid} = P.start_link(context[:options])
     assert {:ok, %Postgrex.Result{}} = P.query(pid, "SELECT 123", [])
@@ -199,6 +214,12 @@ defmodule LoginTest do
     assert {:ok, %Postgrex.Result{}} = P.query(pid, "SELECT 123", [])
   end
 
+  test "endpoints with extra_opts", context do
+    opts = [endpoints: [{"localhost", 5555, [ssl: [depth: 3]]}, {"localhost", 5432, [depth: 3]}]]
+    assert {:ok, pid} = P.start_link(opts ++ context[:options])
+    assert {:ok, %Postgrex.Result{}} = P.query(pid, "SELECT 123", [])
+  end
+
   test "server type 'primary' against two primary instances", context do
     opts = [endpoints: [{"localhost", 5432}, {"localhost", 5432}], target_server_type: :primary]
     assert {:ok, pid} = P.start_link(opts ++ context[:options])