fix(pg-connection-string): get closer to libpq semantics for sslmode

Author: Patrick Malouin

packages/pg-connection-string/README.md

@@ -89,8 +89,10 @@ Query parameters follow a `?` character, including the following special query p
  * `ssl=1`, `ssl=true`, `ssl=0`, `ssl=false` - sets `ssl` to true or false, accordingly
  * `sslmode=<sslmode>`
    * `sslmode=disable` - sets `ssl` to false
-   * `sslmode=no-verify` - sets `ssl` to `{ rejectUnauthorized: false }`
-   * `sslmode=prefer`, `sslmode=require`, `sslmode=verify-ca`, `sslmode=verify-full` - sets `ssl` to true
+   * `sslmode=no-verify`, `sslmode=prefer`, - sets `ssl` to `{ rejectUnauthorized: false }`
+   * `sslmode=require`, - sets `ssl` to `{ rejectUnauthorized: false }` unless `sslrootcert` is specified, in which case it behaves like `verify-ca`
+   * `sslmode=verify-ca` - sets `ssl` to `{ checkServerIdentity: no-op}` (verify CA, but not server identity)
+   * `sslmode=verify-full` - sets `ssl` to `{}` (verify CA and server identity)
  * `sslcert=<filename>` - reads data from the given file and includes the result as `ssl.cert`
  * `sslkey=<filename>` - reads data from the given file and includes the result as `ssl.key`
  * `sslrootcert=<filename>` - reads data from the given file and includes the result as `ssl.ca`

packages/pg-connection-string/index.js

@@ -93,15 +93,26 @@ function parse(str) {
       break
     }
     case 'prefer':
-    case 'require':
-    case 'verify-ca':
-    case 'verify-full': {
-      break
-    }
     case 'no-verify': {
       config.ssl.rejectUnauthorized = false
       break
     }
+    case 'require': {
+      if (config.sslrootcert) {
+        // If a root CA is specified, behavior of `sslmode=require` will be the same as that of `verify-ca`
+        config.ssl.checkServerIdentity = function () {}
+      } else {
+        config.ssl.rejectUnauthorized = false
+      }
+      break
+    }
+    case 'verify-ca': {
+      config.ssl.checkServerIdentity = function () {}
+      break
+    }
+    case 'verify-full': {
+      break
+    }
   }
 
   return config

packages/pg-connection-string/test/parse.js

@@ -258,19 +258,24 @@ describe('parse', function () {
   it('configuration parameter sslmode=prefer', function () {
     var connectionString = 'pg:///?sslmode=prefer'
     var subject = parse(connectionString)
-    subject.ssl.should.eql({})
+    subject.ssl.should.eql({
+      rejectUnauthorized: false,
+    })
   })
 
   it('configuration parameter sslmode=require', function () {
     var connectionString = 'pg:///?sslmode=require'
     var subject = parse(connectionString)
-    subject.ssl.should.eql({})
+    subject.ssl.should.eql({
+      rejectUnauthorized: false,
+    })
   })
 
   it('configuration parameter sslmode=verify-ca', function () {
     var connectionString = 'pg:///?sslmode=verify-ca'
     var subject = parse(connectionString)
-    subject.ssl.should.eql({})
+    subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
+    expect(subject.ssl.checkServerIdentity()).be.undefined
   })
 
   it('configuration parameter sslmode=verify-full', function () {
@@ -282,9 +287,9 @@ describe('parse', function () {
   it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca', function () {
     var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require'
     var subject = parse(connectionString)
-    subject.ssl.should.eql({
-      ca: 'example ca\n',
-    })
+    subject.ssl.should.have.property('ca', 'example ca\n')
+    subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
+    expect(subject.ssl.checkServerIdentity()).be.undefined
   })
 
   it('allow other params like max, ...', function () {