Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Extend connection options #181

Merged
merged 6 commits into from
Jan 21, 2025
Merged

Extend connection options #181

merged 6 commits into from
Jan 21, 2025

Conversation

rkistner
Copy link
Contributor

This extends database connection a little:

  1. Postgres connections now support a tls_servername option. This can be used with sslmode: verify-full when the hostname does not match the TLS certificate name, for example when connecting to a specific IP. This is not relevant for sslmode: disable or sslmode: verify-ca, since neither of those verify the hostname.
  2. Add reject_ip_ranges: [...] support to all connections, to avoid connecting to specific hosts. The implementation does not check all cases for MongoDB and MySQL yet, but combined enforced TLS, this should be fairly effective.
  3. Similarly, the client_auth.block_local_jwks option now accepts an array of ranges. This means we now also support IPv6-only servers for the JWKS URI.

This required a bit of restructuring to the connection libs. I also restructured things a bit to improve internal dependencies: the jpgwire package no longer depends on sync-rules or service-types.

The implementation of blocking IP ranges operates on two levels:

  1. Override the lookup function used for DNS lookups. This is the same as the normal lookup, except it now validates the IP ranges.
  2. If the connection specifies an IP directly, validate it synchronously (since it's never passed to the lookup function).

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jan 16, 2025
edited
Loading

🦋 Changeset detected

Latest commit: aed762f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 15 packages
Name Type
@powersync/service-core Minor
@powersync/service-types Patch
@powersync/service-module-postgres Minor
@powersync/service-module-mongodb Minor
@powersync/service-module-mysql Minor
@powersync/lib-service-postgres Minor
@powersync/lib-services-framework Minor
@powersync/lib-service-mongodb Minor
@powersync/service-jpgwire Minor
@powersync/service-core-tests Patch
@powersync/service-module-mongodb-storage Patch
@powersync/service-module-postgres-storage Patch
@powersync/service-image Patch
test-client Patch
@powersync/service-rsocket-router Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@rkistner rkistner marked this pull request as ready for review January 16, 2025 15:06
stevensJourney
stevensJourney previously approved these changes Jan 16, 2025
View reviewed changes
@rkistner rkistner merged commit 8675236 into main Jan 21, 2025
20 checks passed
@rkistner rkistner deleted the reject-ip-ranges branch January 21, 2025 09:07
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@stevensJourney stevensJourney stevensJourney approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rkistner @stevensJourney