SSL support for PostgreSQL hooks #331
No reviewers
Labels
No Label
bug
data loss
design finalized
good first issue
new feature area
question / support
security
waiting for response
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: borgmatic-collective/borgmatic#331
Loading…
Reference in New Issue
No description provided.
Delete Branch ":postgres_sql"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Thank you so much for taking the time to develop and submit this! Looks like a great addition to the Postgres hook. A few minor comments and requests follow.
@ -559,0 +583,4 @@
type: str
desc: |
Path to a certificate revocation list.
example: "/root/.postgresql/root.crl"
For these various new options, their naming would be more in keeping with the rest of borgmatic's configuration options if they were more like:
ssl_mode
,ssl_key
,ssl_root_cert
, etc.Changed
@ -60,0 +59,4 @@
extra_environment = dict()
if 'password' in database:
extra_environment['PGPASSWORD'] = database['password']
extra_environment['PGSSLMODE'] = database['sslmode'] if 'sslmode' in database else 'disable'
Equivalent:
I don't feel strongly either way.
That looks better. Changed.
@ -145,0 +164,4 @@
if 'sslrootcert' in database:
extra_environment['PGSSLROOTCERT'] = database['sslrootcert']
if 'sslcrl' in database:
extra_environment['PGSSLCRL'] = database['sslcrl']
Given that this code is repeated twice, you could factor it out into a common function for creating Postgres SSL environment variables from a borgmatic database dict.
Do not feel strongly about that in terms of factoring. However, it may make writing tests easier, because then you could test that factored-out function only once.
Changed, though whether the name that I chose is acceptable might be debatable.
@ -30,3 +30,3 @@
),
shell=True,
extra_environment=None,
extra_environment={'PGSSLMODE': 'disable'},
Speaking of tests, it's awesome that you updated the existing tests. Do you think you'd be able to add new tests for the additional functionality you've added? I'm happy to help if it's not straight-forward. (This is the test file where any new unit tests on this code belong.)
These changes were tested locally by modifying
pg_hba.conf
to make SSL/TLS mandatory and running borgmatic while manually changing the config file to set the various options, e.g. commenting outssl_mode
to ensure the default ofdisabled
is set (and the dump/restore fails), settingssl_mode
toverify-full
and seeingpg_dump
/pg_restore
complain about not providing the path to the root CA cert, settingssl_root_cert
to a non-existant path and seeing the dump/restore referring to this path, etc., so I am confident that these changes are at least functionally correct. Stylistically on the other hand…I can try to take a stab at writing tests for these new additions but might need some "hand holding" being as though I consider myself to be rather n00bish with Python and coding in general (and having close to 0 experience with writing tests).
So...I created two new functions in the postgres unittest file.
The changes I pushed last night:
With the changes I made this morning and the tests I just pushed:
Hopefully the tests look like what is needed?
This is looking great. I appreciate you making all the updates!
The one change I would suggest is to make a dedicated unit test of just your new
make_extra_environment()
function. That way, you can test only that functionality by itself separate from all of the dump/restore functionality. That'll let you get rid oftest_dump_databases_runs_pg_dump_with_ssl_options()
andtest_restore_database_dump_runs_pg_restore_with_ssl_options()
, since you'd be testing the SSL options in your dediceatedtest_make_extra_environment_does_whatever()
.As part of that, it would probably make sense to mock out your new
make_extra_environment()
function in any of the existing dump/restore test functions.. So any given test just has a single actual function under test. An example of what that might look like:Given that all of this is pretty minor, I'm happy to make these updates if you just want to be done with this pull request! Either way, please let me know.
I came up with this which shows 100% coverage for Postgres and it passes but I have my doubts about this being correct.
If this is OK I can commit and submit. If it's still wrong, thanks in advance for your patience…
The test function looks great except for the
flexmock(module).should_receive('make_extra_environment').and_return(expected)
part. That's not needed in this test function because as it's written, the test function is testing that the mock returns what's expected, rather than testing thatmake_extra_environment()
does! If you take that line out, then I think the test will do what you want.What I was actually suggesting about
flexmock(module).should_receive('make_extra_environment')
was to add it within thetest_dump_databases_*
andtest_restore_database_*
functions only. Sorry if that wasn't clear. Expanding on the example above, the way that could go might be something like:That last line is the only addition. The idea is that in
test_dump_databases_*()
, the only unit you want to test isdump_databases()
... and therefore all other units thatdump_databases()
calls out to (likemake_extra_environment()
should get mocked out so that their implementation details don't impact the test.Thanks for your perseverence here!
I rebased a "fixed" version into the previous commit which added the tests. Perhaps it's now correct.
I genuinely appreciate the patience that you've demonstrated. :)
Thank you for your review and kind crititques. The suggestions have been implemented. I added a few more commits to wrap some of my schema lines which were > 80 characters.
If all of this looks OK I can rebase the changes to fix up the commits, if that'd be desirable (it'd look like https://projects.torsion.org/s1shed/borgmatic/commits/branch/postgres_ssl )
Looks great to me. I may also add another couple of mocks, because apparently I love mocks. Thanks again!
Thank you for your help along the way (and again for this incredibly useful tool). :)
Released in borgmatic 1.5.7!