add support for sslcert, sslkey and sslrootcert parameters

jdobes · jdobes · commit 457e26f08814 · 2021-06-08T16:44:29.000+02:00
diff --git a/asyncpg/connect_utils.py b/asyncpg/connect_utils.py
@@ -222,6 +222,7 @@ def _parse_hostlist(hostlist, port, *, unquote=False):
 
 def _parse_connect_dsn_and_args(*, dsn, host, port, user,
                                 password, passfile, database, ssl,
+                                sslcert, sslkey, sslrootcert,
                                 connect_timeout, server_settings):
     # `auth_hosts` is the version of host information for the purposes
     # of reading the pgpass file.
@@ -310,6 +311,21 @@ def _parse_connect_dsn_and_args(*, dsn, host, port, user,
                 if ssl is None:
                     ssl = val
 
+            if 'sslcert' in query:
+                val = query.pop('sslcert')
+                if sslcert is None:
+                    sslcert = val
+
+            if 'sslkey' in query:
+                val = query.pop('sslkey')
+                if sslkey is None:
+                    sslkey = val
+
+            if 'sslrootcert' in query:
+                val = query.pop('sslrootcert')
+                if sslrootcert is None:
+                    sslrootcert = val
+
             if query:
                 if server_settings is None:
                     server_settings = query
@@ -427,7 +443,7 @@ def _parse_connect_dsn_and_args(*, dsn, host, port, user,
                 '`sslmode` parameter must be one of: {}'.format(modes))
 
         # docs at https://www.postgresql.org/docs/10/static/libpq-connect.html
-        # Not implemented: sslcert & sslkey & sslrootcert & sslcrl params.
+        # Not implemented: sslcrl param.
         if sslmode < SSLMode.allow:
             ssl = False
         else:
@@ -442,6 +458,21 @@ def _parse_connect_dsn_and_args(*, dsn, host, port, user,
     else:
         sslmode = SSLMode.disable
 
+    if sslcert is None:
+        sslcert = os.getenv('PGSSLCERT')
+
+    if sslkey is None:
+        sslkey = os.getenv('PGSSLKEY')
+
+    if sslrootcert is None:
+        sslrootcert = os.getenv('PGSSLROOTCERT')
+
+    if isinstance(ssl, ssl_module.SSLContext):
+        if sslcert:
+            ssl.load_cert_chain(sslcert, keyfile=sslkey)
+        if sslrootcert:
+            ssl.load_verify_locations(cafile=sslrootcert)
+
     if server_settings is not None and (
             not isinstance(server_settings, dict) or
             not all(isinstance(k, str) for k in server_settings) or
@@ -463,7 +494,8 @@ def _parse_connect_arguments(*, dsn, host, port, user, password, passfile,
                              statement_cache_size,
                              max_cached_statement_lifetime,
                              max_cacheable_statement_size,
-                             ssl, server_settings):
+                             ssl, sslcert, sslkey, sslrootcert,
+                             server_settings):
 
     local_vars = locals()
     for var_name in {'max_cacheable_statement_size',
@@ -491,6 +523,7 @@ def _parse_connect_arguments(*, dsn, host, port, user, password, passfile,
     addrs, params = _parse_connect_dsn_and_args(
         dsn=dsn, host=host, port=port, user=user,
         password=password, passfile=passfile, ssl=ssl,
+        sslcert=sslcert, sslkey=sslkey, sslrootcert=sslrootcert,
         database=database, connect_timeout=timeout,
         server_settings=server_settings)
 
diff --git a/asyncpg/connection.py b/asyncpg/connection.py
@@ -1755,6 +1755,9 @@ async def connect(dsn=None, *,
                   max_cacheable_statement_size=1024 * 15,
                   command_timeout=None,
                   ssl=None,
+                  sslcert=None,
+                  sslkey=None,
+                  sslrootcert=None,
                   connection_class=Connection,
                   record_class=protocol.Record,
                   server_settings=None):
@@ -1897,6 +1900,17 @@ async def connect(dsn=None, *,
         .. note::
 
            *ssl* is ignored for Unix domain socket communication.
+    
+    :param sslcert:
+        This parameter specifies the file name of the client SSL certificate.
+
+    :param sslkey:
+        This parameter specifies the location for the secret key used for
+        the client certificate.
+
+    :param sslrootcert:
+        This parameter specifies the name of a file containing SSL certificate
+        authority (CA) certificate(s).
 
     :param dict server_settings:
         An optional dict of server runtime parameters.  Refer to
@@ -1990,6 +2004,9 @@ async def connect(dsn=None, *,
         password=password,
         passfile=passfile,
         ssl=ssl,
+        sslcert=sslcert,
+        sslkey=sslkey,
+        sslrootcert=sslrootcert,
         database=database,
         server_settings=server_settings,
         command_timeout=command_timeout,
