Refer to
https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
GOV.UK PaaS gives us the database URI. Until now we have used libpq's
default SSL mode, which prefers a TLS connection over a plain TCP
connection but does not require one.
We are now specifying the SSL mode in the URI when establishing our
connection to the database, so that:
* We will not connect to the database via a plaintext connection
* We will verify the database connection against a list of trusted CAs
The RDS CA from which the database's certificate is issued is added into
the Cloud Foundry app container via
925681f19b/manifests/cf-manifest/operations.d/350-diego-cell.yml (L17-L22)
Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
Co-authored-by: David <david.mcdonald@digital.cabinet-office.gov.uk>
import os
import json
import pytest
from app.cloudfoundry_config import extract_cloudfoundry_config, set_config_env_vars
@pytest.fixture
def postgres_config():
    """Provide a stand-in for the ``postgres`` service list of VCAP_SERVICES.

    The single service entry carries only ``credentials.uri``; the URI is a
    placeholder string with no query string attached.
    """
    credentials = {'uri': 'postgres uri'}
    service = {'credentials': credentials}
    return [service]
@pytest.fixture
def cloudfoundry_config(postgres_config):
    """Assemble the service mapping that the tests serialise as VCAP_SERVICES.

    It holds the fake postgres service list plus an empty ``user-provided``
    list that individual tests may append to.
    """
    config = {}
    config['postgres'] = postgres_config
    config['user-provided'] = []
    return config
@pytest.fixture
def cloudfoundry_environ(os_environ, cloudfoundry_config):
    """Publish the fake Cloud Foundry config through the process environment.

    VCAP_SERVICES receives the JSON-encoded service mapping and
    VCAP_APPLICATION a fixed JSON document naming the space.
    """
    # NOTE(review): `os_environ` is defined outside this file; presumably it
    # isolates/restores os.environ between tests — confirm in conftest.
    services_json = json.dumps(cloudfoundry_config)
    application_json = '{"space_name": "🚀🌌"}'
    os.environ['VCAP_SERVICES'] = services_json
    os.environ['VCAP_APPLICATION'] = application_json
@pytest.fixture
def postgres_config_with_setting():
    """Provide a postgres service list whose URI already has a query string.

    Same shape as ``postgres_config``, but the placeholder URI ends in
    ``?setting=true`` so tests can check how extra parameters are appended.
    """
    credentials = {'uri': 'postgres uri?setting=true'}
    service = {'credentials': credentials}
    return [service]
@pytest.fixture
def cloudfoundry_config_with_setting(postgres_config_with_setting):
    """Assemble the service mapping around the URI that has a query string.

    It holds the postgres service list from ``postgres_config_with_setting``
    plus an empty ``user-provided`` list.
    """
    config = {}
    config['postgres'] = postgres_config_with_setting
    config['user-provided'] = []
    return config
@pytest.fixture
def cloudfoundry_environ_with_setting(os_environ, cloudfoundry_config_with_setting):
    """Publish the query-string variant of the config through the environment.

    VCAP_SERVICES receives the JSON-encoded service mapping and
    VCAP_APPLICATION a fixed JSON document naming the space.
    """
    # NOTE(review): `os_environ` is defined outside this file; presumably it
    # isolates/restores os.environ between tests — confirm in conftest.
    services_json = json.dumps(cloudfoundry_config_with_setting)
    application_json = '{"space_name": "🚀🌌"}'
    os.environ['VCAP_SERVICES'] = services_json
    os.environ['VCAP_APPLICATION'] = application_json
def test_extract_cloudfoundry_config_populates_other_vars(cloudfoundry_environ):
    """Check the variables derived from VCAP_SERVICES / VCAP_APPLICATION.

    The database URI must come back with ``sslmode=verify-full`` appended.
    In libpq that mode requires TLS and validates the server certificate
    (chain and host name), so this assertion guards against a silent
    regression to an unverified or plaintext database connection.
    """
    extract_cloudfoundry_config()

    expected_env = {
        'SQLALCHEMY_DATABASE_URI': 'postgres uri?sslmode=verify-full',
        'NOTIFY_ENVIRONMENT': '🚀🌌',
        'NOTIFY_LOG_PATH': '/home/vcap/logs/app.log',
    }
    for name, expected in expected_env.items():
        assert os.environ[name] == expected
def test_set_config_env_vars_ignores_unknown_configs(cloudfoundry_config, cloudfoundry_environ):
    """Check that unrecognised services do not leak into the environment.

    An unknown top-level service (``foo``) and an unknown user-provided
    service (``bar``) are added; neither name may appear as an environment
    variable after ``set_config_env_vars`` has run.
    """
    unknown_service = {'credentials': {'foo': 'foo'}}
    unknown_user_provided = {'name': 'bar', 'credentials': {'bar': 'bar'}}

    cloudfoundry_config['foo'] = unknown_service
    cloudfoundry_config['user-provided'].append(unknown_user_provided)

    set_config_env_vars(cloudfoundry_config)

    for leaked_name in ('foo', 'bar'):
        assert leaked_name not in os.environ
def test_extract_cloudfoundry_config_populates_postgres_with_setting(cloudfoundry_environ_with_setting):
    """Check that ``sslmode`` is merged into an existing query string.

    When the supplied URI already ends in ``?setting=true``, the SSL mode
    must be joined with ``&`` rather than a second ``?``.
    """
    # NOTE(review): no test here covers a supplied URI that already carries
    # its own `sslmode` parameter; the expected behaviour for that case is
    # not visible from this file and is worth pinning with a test.
    extract_cloudfoundry_config()

    expected_uri = 'postgres uri?setting=true&sslmode=verify-full'
    assert os.environ['SQLALCHEMY_DATABASE_URI'] == expected_uri