release(secrets-mcp): 0.5.17 — 取消生产环境强制 PG TLS 校验
移除 SECRETS_ENV=production 时对 verify-ca/verify-full 的硬性要求, 仍可通过 SECRETS_DATABASE_SSL_MODE 显式选择模式。 Made-with: Cursor
This commit is contained in:
2
Cargo.lock
generated
2
Cargo.lock
generated
@@ -2065,7 +2065,7 @@ dependencies = [
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "secrets-mcp"
|
name = "secrets-mcp"
|
||||||
version = "0.5.16"
|
version = "0.5.17"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"anyhow",
|
"anyhow",
|
||||||
"askama",
|
"askama",
|
||||||
|
|||||||
@@ -8,7 +8,6 @@ pub struct DatabaseConfig {
|
|||||||
pub url: String,
|
pub url: String,
|
||||||
pub ssl_mode: Option<PgSslMode>,
|
pub ssl_mode: Option<PgSslMode>,
|
||||||
pub ssl_root_cert: Option<PathBuf>,
|
pub ssl_root_cert: Option<PathBuf>,
|
||||||
pub enforce_strict_tls: bool,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Resolve database URL from environment.
|
/// Resolve database URL from environment.
|
||||||
@@ -63,20 +62,10 @@ fn resolve_ssl_root_cert_from_env() -> Result<Option<PathBuf>> {
|
|||||||
Ok(Some(path))
|
Ok(Some(path))
|
||||||
}
|
}
|
||||||
|
|
||||||
fn is_production_env() -> bool {
|
|
||||||
matches!(
|
|
||||||
env_var_non_empty("SECRETS_ENV")
|
|
||||||
.as_deref()
|
|
||||||
.map(|value| value.to_ascii_lowercase()),
|
|
||||||
Some(value) if value == "prod" || value == "production"
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn resolve_db_config(override_url: &str) -> Result<DatabaseConfig> {
|
pub fn resolve_db_config(override_url: &str) -> Result<DatabaseConfig> {
|
||||||
Ok(DatabaseConfig {
|
Ok(DatabaseConfig {
|
||||||
url: resolve_db_url(override_url)?,
|
url: resolve_db_url(override_url)?,
|
||||||
ssl_mode: parse_ssl_mode_from_env()?,
|
ssl_mode: parse_ssl_mode_from_env()?,
|
||||||
ssl_root_cert: resolve_ssl_root_cert_from_env()?,
|
ssl_root_cert: resolve_ssl_root_cert_from_env()?,
|
||||||
enforce_strict_tls: is_production_env(),
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,7 +3,7 @@ use std::str::FromStr;
|
|||||||
use anyhow::{Context, Result};
|
use anyhow::{Context, Result};
|
||||||
use serde_json::{Map, Value};
|
use serde_json::{Map, Value};
|
||||||
use sqlx::PgPool;
|
use sqlx::PgPool;
|
||||||
use sqlx::postgres::{PgConnectOptions, PgPoolOptions, PgSslMode};
|
use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
|
||||||
|
|
||||||
use crate::config::DatabaseConfig;
|
use crate::config::DatabaseConfig;
|
||||||
|
|
||||||
@@ -18,18 +18,6 @@ fn build_connect_options(config: &DatabaseConfig) -> Result<PgConnectOptions> {
|
|||||||
options = options.ssl_root_cert(path);
|
options = options.ssl_root_cert(path);
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.enforce_strict_tls
|
|
||||||
&& !matches!(
|
|
||||||
options.get_ssl_mode(),
|
|
||||||
PgSslMode::VerifyCa | PgSslMode::VerifyFull
|
|
||||||
)
|
|
||||||
{
|
|
||||||
anyhow::bail!(
|
|
||||||
"Refusing to start in production with weak PostgreSQL TLS mode. \
|
|
||||||
Set SECRETS_DATABASE_SSL_MODE=verify-ca or verify-full."
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
Ok(options)
|
Ok(options)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "secrets-mcp"
|
name = "secrets-mcp"
|
||||||
version = "0.5.16"
|
version = "0.5.17"
|
||||||
edition.workspace = true
|
edition.workspace = true
|
||||||
|
|
||||||
[[bin]]
|
[[bin]]
|
||||||
|
|||||||
Reference in New Issue
Block a user