introduce sslcompat=libpq flag to support libpq sslmode semantics

hjr3 · hjr3 · commit 8d56f865a8e9 · 2025-04-09T06:26:22.000-04:00
diff --git a/packages/pg-connection-string/README.md b/packages/pg-connection-string/README.md
@@ -87,12 +87,17 @@ Query parameters follow a `?` character, including the following special query p
  * `host=<host>` - sets `host` property, overriding the URL's host
  * `encoding=<encoding>` - sets the `client_encoding` property
  * `ssl=1`, `ssl=true`, `ssl=0`, `ssl=false` - sets `ssl` to true or false, accordingly
-* `sslmode=<sslmode>`
+ * `sslcompat=libpq` - use libpq semantics for `sslmode`
+ * `sslmode=<sslmode>` when `sslcompat=libpq`
    * `sslmode=disable` - sets `ssl` to false
    * `sslmode=no-verify`, `sslmode=prefer` - sets `ssl` to `{ rejectUnauthorized: false }`
    * `sslmode=require` - sets `ssl` to `{ rejectUnauthorized: false }` unless `sslrootcert` is specified, in which case it behaves like `verify-ca`
    * `sslmode=verify-ca` - sets `ssl` to `{ checkServerIdentity: no-op }` (verify CA, but not server identity)
    * `sslmode=verify-full` - sets `ssl` to `{}` (verify CA and server identity)
+ * `sslmode=<sslmode>` when `sslcompat` is not set
+   * `sslmode=disable` - sets `ssl` to false
+   * `sslmode=no-verify` - sets `ssl` to `{ rejectUnauthorized: false }`
+   * `sslmode=prefer`, `sslmode=require`, `sslmode=verify-ca`, `sslmode=verify-full` - sets `ssl` to true
  * `sslcert=<filename>` - reads data from the given file and includes the result as `ssl.cert`
  * `sslkey=<filename>` - reads data from the given file and includes the result as `ssl.key`
  * `sslrootcert=<filename>` - reads data from the given file and includes the result as `ssl.ca`
diff --git a/packages/pg-connection-string/index.js b/packages/pg-connection-string/index.js
@@ -87,31 +87,50 @@ function parse(str) {
     config.ssl.ca = fs.readFileSync(config.sslrootcert).toString()
   }
 
-  switch (config.sslmode) {
-    case 'disable': {
-      config.ssl = false
-      break
-    }
-    case 'prefer':
-    case 'no-verify': {
-      config.ssl.rejectUnauthorized = false
-      break
-    }
-    case 'require': {
-      if (config.sslrootcert) {
-        // If a root CA is specified, behavior of `sslmode=require` will be the same as that of `verify-ca`
-        config.ssl.checkServerIdentity = function () {}
-      } else {
+  if (config.sslcompat === 'libpq') {
+    switch (config.sslmode) {
+      case 'disable': {
+        config.ssl = false
+        break
+      }
+      case 'prefer':
+      case 'no-verify': {
         config.ssl.rejectUnauthorized = false
+        break
+      }
+      case 'require': {
+        if (config.sslrootcert) {
+          // If a root CA is specified, behavior of `sslmode=require` will be the same as that of `verify-ca`
+          config.ssl.checkServerIdentity = function () {}
+        } else {
+          config.ssl.rejectUnauthorized = false
+        }
+        break
+      }
+      case 'verify-ca': {
+        config.ssl.checkServerIdentity = function () {}
+        break
+      }
+      case 'verify-full': {
+        break
       }
-      break
-    }
-    case 'verify-ca': {
-      config.ssl.checkServerIdentity = function () {}
-      break
     }
-    case 'verify-full': {
-      break
+  } else {
+    switch (config.sslmode) {
+      case 'disable': {
+        config.ssl = false
+        break
+      }
+      case 'prefer':
+      case 'require':
+      case 'verify-ca':
+      case 'verify-full': {
+        break
+      }
+      case 'no-verify': {
+        config.ssl.rejectUnauthorized = false
+        break
+      }
     }
   }
 
diff --git a/packages/pg-connection-string/test/parse.js b/packages/pg-connection-string/test/parse.js
@@ -1,6 +1,7 @@
 'use strict'
 
 var chai = require('chai')
+var expect = chai.expect
 chai.should()
 
 var parse = require('../').parse
@@ -255,29 +256,52 @@ describe('parse', function () {
     subject.ssl.should.eql(false)
   })
 
-  it('configuration parameter sslmode=prefer', function () {
-    var connectionString = 'pg:///?sslmode=prefer'
+  it('configuration parameter sslmode=prefer with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=prefer&sslcompat=libpq'
     var subject = parse(connectionString)
     subject.ssl.should.eql({
       rejectUnauthorized: false,
     })
   })
 
-  it('configuration parameter sslmode=require', function () {
-    var connectionString = 'pg:///?sslmode=require'
+  it('configuration parameter sslmode=require with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=require&sslcompat=libpq'
     var subject = parse(connectionString)
     subject.ssl.should.eql({
       rejectUnauthorized: false,
     })
   })
 
-  it('configuration parameter sslmode=verify-ca', function () {
-    var connectionString = 'pg:///?sslmode=verify-ca'
+  it('configuration parameter sslmode=verify-ca with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq'
     var subject = parse(connectionString)
     subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
     expect(subject.ssl.checkServerIdentity()).to.be.undefined
   })
 
+  it('configuration parameter sslmode=prefer with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=prefer&sslcompat=libpq'
+    var subject = parse(connectionString)
+    subject.ssl.should.eql({
+      rejectUnauthorized: false,
+    })
+  })
+
+  it('configuration parameter sslmode=require with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=require&sslcompat=libpq'
+    var subject = parse(connectionString)
+    subject.ssl.should.eql({
+      rejectUnauthorized: false,
+    })
+  })
+
+  it('configuration parameter sslmode=verify-ca with libpq compatibility', function () {
+    var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq'
+    var subject = parse(connectionString)
+    subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
+    expect(subject.ssl.checkServerIdentity()).be.undefined
+  })
+
   it('configuration parameter sslmode=verify-full', function () {
     var connectionString = 'pg:///?sslmode=verify-full'
     var subject = parse(connectionString)
@@ -287,9 +311,17 @@ describe('parse', function () {
   it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca', function () {
     var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require'
     var subject = parse(connectionString)
+    subject.ssl.should.eql({
+      ca: 'example ca\n',
+    })
+  })
+
+  it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca with libpq compatibility', function () {
+    var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require&sslcompat=libpq'
+    var subject = parse(connectionString)
     subject.ssl.should.have.property('ca', 'example ca\n')
     subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
-    expect(subject.ssl.checkServerIdentity()).to.be.undefined
+    expect(subject.ssl.checkServerIdentity()).be.undefined
   })
 
   it('allow other params like max, ...', function () {
