release(secrets-mcp): v0.3.3 — 强制 PostgreSQL TLS 校验

显式引入数据库 TLS 配置并在生产环境拒绝弱 sslmode，避免连接静默降级。同步更新 deploy/README 与运维 runbook，落地 db.refining.ltd 的证书与服务器配置流程。 Made-with: Cursor
2026-04-01 15:18:14 +08:00
parent 08e81363c9
commit 1b11f7e976
8 changed files with 223 additions and 12 deletions
--- a/crates/secrets-core/src/config.rs
+++ b/crates/secrets-core/src/config.rs
@@ -1,4 +1,15 @@
-use anyhow::Result;
+use std::path::PathBuf;
+
+use anyhow::{Context, Result};
+use sqlx::postgres::PgSslMode;
+
+#[derive(Debug, Clone)]
+pub struct DatabaseConfig {
+    pub url: String,
+    pub ssl_mode: Option<PgSslMode>,
+    pub ssl_root_cert: Option<PathBuf>,
+    pub enforce_strict_tls: bool,
+}

 /// Resolve database URL from environment.
 /// Priority: `SECRETS_DATABASE_URL` env var → error.
@@ -18,3 +29,54 @@ pub fn resolve_db_url(override_url: &str) -> Result<String> {
         Example: SECRETS_DATABASE_URL=postgres://user:pass@host:port/dbname"
    )
 }
+
+fn env_var_non_empty(name: &str) -> Option<String> {
+    std::env::var(name)
+        .ok()
+        .filter(|value| !value.trim().is_empty())
+}
+
+fn parse_ssl_mode_from_env() -> Result<Option<PgSslMode>> {
+    let Some(mode) = env_var_non_empty("SECRETS_DATABASE_SSL_MODE") else {
+        return Ok(None);
+    };
+
+    let parsed = mode.parse::<PgSslMode>().with_context(|| {
+        format!(
+            "Invalid SECRETS_DATABASE_SSL_MODE='{mode}'. Use one of: disable, allow, prefer, require, verify-ca, verify-full."
+        )
+    })?;
+    Ok(Some(parsed))
+}
+
+fn resolve_ssl_root_cert_from_env() -> Result<Option<PathBuf>> {
+    let Some(path) = env_var_non_empty("SECRETS_DATABASE_SSL_ROOT_CERT") else {
+        return Ok(None);
+    };
+    let path = PathBuf::from(path);
+    if !path.exists() {
+        anyhow::bail!(
+            "SECRETS_DATABASE_SSL_ROOT_CERT points to a missing file: {}",
+            path.display()
+        );
+    }
+    Ok(Some(path))
+}
+
+fn is_production_env() -> bool {
+    matches!(
+        env_var_non_empty("SECRETS_ENV")
+            .as_deref()
+            .map(|value| value.to_ascii_lowercase()),
+        Some(value) if value == "prod" || value == "production"
+    )
+}
+
+pub fn resolve_db_config(override_url: &str) -> Result<DatabaseConfig> {
+    Ok(DatabaseConfig {
+        url: resolve_db_url(override_url)?,
+        ssl_mode: parse_ssl_mode_from_env()?,
+        ssl_root_cert: resolve_ssl_root_cert_from_env()?,
+        enforce_strict_tls: is_production_env(),
+    })
+}
--- a/crates/secrets-core/src/db.rs
+++ b/crates/secrets-core/src/db.rs
@@ -1,14 +1,45 @@
-use anyhow::Result;
+use std::str::FromStr;
+
+use anyhow::{Context, Result};
 use serde_json::Value;
 use sqlx::PgPool;
-use sqlx::postgres::PgPoolOptions;
+use sqlx::postgres::{PgConnectOptions, PgPoolOptions, PgSslMode};

-pub async fn create_pool(database_url: &str) -> Result<PgPool> {
+use crate::config::DatabaseConfig;
+
+fn build_connect_options(config: &DatabaseConfig) -> Result<PgConnectOptions> {
+    let mut options = PgConnectOptions::from_str(&config.url)
+        .with_context(|| "failed to parse SECRETS_DATABASE_URL".to_string())?;
+
+    if let Some(mode) = config.ssl_mode {
+        options = options.ssl_mode(mode);
+    }
+    if let Some(path) = &config.ssl_root_cert {
+        options = options.ssl_root_cert(path);
+    }
+
+    if config.enforce_strict_tls
+        && !matches!(
+            options.get_ssl_mode(),
+            PgSslMode::VerifyCa | PgSslMode::VerifyFull
+        )
+    {
+        anyhow::bail!(
+            "Refusing to start in production with weak PostgreSQL TLS mode. \
+             Set SECRETS_DATABASE_SSL_MODE=verify-ca or verify-full."
+        );
+    }
+
+    Ok(options)
+}
+
+pub async fn create_pool(config: &DatabaseConfig) -> Result<PgPool> {
    tracing::debug!("connecting to database");
+    let connect_options = build_connect_options(config)?;
    let pool = PgPoolOptions::new()
        .max_connections(10)
        .acquire_timeout(std::time::Duration::from_secs(5))
-        .connect(database_url)
+        .connect_with(connect_options)
        .await?;
    tracing::debug!("database connection established");
    Ok(pool)
--- a/crates/secrets-mcp/Cargo.toml
+++ b/crates/secrets-mcp/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.3.2"
+version = "0.3.3"
 edition.workspace = true

 [[bin]]
--- a/crates/secrets-mcp/src/main.rs
+++ b/crates/secrets-mcp/src/main.rs
@@ -21,7 +21,7 @@ use tower_sessions_sqlx_store_chrono::PostgresStore;
 use tracing_subscriber::EnvFilter;
 use tracing_subscriber::fmt::time::FormatTime;

-use secrets_core::config::resolve_db_url;
+use secrets_core::config::resolve_db_config;
 use secrets_core::db::{create_pool, migrate};

 use crate::oauth::OAuthConfig;
@@ -78,9 +78,9 @@ async fn main() -> Result<()> {
        .init();

    // ── Database ──────────────────────────────────────────────────────────────
-    let db_url = resolve_db_url("")
+    let db_config = resolve_db_config("")
        .context("Database not configured. Set SECRETS_DATABASE_URL environment variable.")?;
-    let pool = create_pool(&db_url)
+    let pool = create_pool(&db_config)
        .await
        .context("failed to connect to database")?;
    migrate(&pool)