Add env var override to all postgresql configuration settings

Also consolidate host and port settings into single socket address
settings.

Author: tankyleo

rust/impls/src/postgres_store.rs

@@ -147,11 +147,10 @@ impl PostgresPlaintextBackend {
 impl PostgresTlsBackend {
 	/// Constructs a [`PostgresTlsBackend`] using `postgres_endpoint` for PostgreSQL connection information.
 	pub async fn new(
-		postgres_endpoint: &str, default_db: &str, vss_db: &str,
-		additional_certificate: Option<Certificate>,
+		postgres_endpoint: &str, default_db: &str, vss_db: &str, certificate: Option<Certificate>,
 	) -> Result<Self, Error> {
 		let mut builder = TlsConnector::builder();
-		if let Some(cert) = additional_certificate {
+		if let Some(cert) = certificate {
 			builder.add_root_certificate(cert);
 		}
 		let connector = builder.build().map_err(|e| {

rust/server/src/main.rs

@@ -9,8 +9,6 @@
 #![deny(rustdoc::private_intra_doc_links)]
 #![deny(missing_docs)]
 
-use std::net::SocketAddr;
-
 use tokio::net::TcpListener;
 use tokio::signal::unix::SignalKind;
 
@@ -20,37 +18,24 @@ use hyper_util::rt::TokioIo;
 use crate::vss_service::VssService;
 use api::auth::{Authorizer, NoopAuthorizer};
 use api::kv_store::KvStore;
-use auth_impls::{DecodingKey, JWTAuthorizer};
-use impls::postgres_store::{Certificate, PostgresPlaintextBackend, PostgresTlsBackend};
+use auth_impls::JWTAuthorizer;
+use impls::postgres_store::{PostgresPlaintextBackend, PostgresTlsBackend};
 use std::sync::Arc;
 
 mod util;
 mod vss_service;
 
-use util::config::{Config, ServerConfig};
-
 fn main() {
 	let args: Vec<String> = std::env::args().collect();
 	if args.len() != 2 {
 		eprintln!("Usage: {} <config-file-path>", args[0]);
 		std::process::exit(1);
 	}
 
-	let Config { server_config: ServerConfig { host, port, rsa_pub_file_path }, postgresql_config } =
-		match util::config::load_config(&args[1]) {
-			Ok(cfg) => cfg,
-			Err(e) => {
-				eprintln!("Failed to load configuration: {}", e);
-				std::process::exit(1);
-			},
-		};
-	let addr: SocketAddr = match format!("{}:{}", host, port).parse() {
-		Ok(addr) => addr,
-		Err(e) => {
-			eprintln!("Invalid host/port configuration: {}", e);
-			std::process::exit(1);
-		},
-	};
+	let config = util::config::load_configuration(&args[1]).unwrap_or_else(|e| {
+		eprintln!("Failed to load configuration: {}", e);
+		std::process::exit(-1);
+	});
 
 	let runtime = match tokio::runtime::Builder::new_multi_thread().enable_all().build() {
 		Ok(runtime) => Arc::new(runtime),
@@ -69,73 +54,58 @@ fn main() {
 			},
 		};
 
-		let authorizer: Arc<dyn Authorizer> = if let Some(file_path) = rsa_pub_file_path {
-			let rsa_pub_file = match std::fs::read(file_path) {
-				Ok(pem) => pem,
-				Err(e) => {
-					println!("Failed to read RSA public key file: {}", e);
-					std::process::exit(-1);
-				},
+		let authorizer: Arc<dyn Authorizer> =
+			if let Some(rsa_public_key) = config.jwt_rsa_public_key {
+				let jwt_authorizer = JWTAuthorizer::new(rsa_public_key).await;
+				println!("Configured JWT authorizer");
+				Arc::new(jwt_authorizer)
+			} else {
+				let noop_authorizer = NoopAuthorizer {};
+				println!("No authentication method configured");
+				Arc::new(noop_authorizer)
 			};
-			let rsa_public_key = match DecodingKey::from_rsa_pem(&rsa_pub_file) {
-				Ok(pem) => pem,
-				Err(e) => {
-					println!("Failed to parse RSA public key file: {}", e);
-					std::process::exit(-1);
-				},
-			};
-			Arc::new(JWTAuthorizer::new(rsa_public_key).await)
-		} else {
-			Arc::new(NoopAuthorizer {})
-		};
 
-		let endpoint = postgresql_config.to_postgresql_endpoint();
-		let default_db = postgresql_config.default_database;
-		let vss_db = postgresql_config.vss_database;
-		let store: Arc<dyn KvStore> = if let Some(tls_config) = postgresql_config.tls {
-			let addl_certificate = tls_config.ca_file.map(|file| {
-				let certificate = match std::fs::read(&file) {
-					Ok(cert) => cert,
-					Err(e) => {
-						println!("Failed to read certificate file: {}", e);
-						std::process::exit(-1);
-					},
-				};
-				match Certificate::from_pem(&certificate) {
-					Ok(cert) => cert,
-					Err(e) => {
-						println!("Failed to parse certificate file: {}", e);
-						std::process::exit(-1);
-					},
-				}
+		let store: Arc<dyn KvStore> = if let Some(certificate) = config.tls_config {
+			let postgres_tls_backend = PostgresTlsBackend::new(
+				&config.postgresql_prefix,
+				&config.default_db,
+				&config.vss_db,
+				certificate,
+			)
+			.await
+			.unwrap_or_else(|e| {
+				println!("Failed to start postgres TLS backend: {}", e);
+				std::process::exit(-1);
 			});
-			let postgres_tls_backend =
-				match PostgresTlsBackend::new(&endpoint, &default_db, &vss_db, addl_certificate)
-					.await
-				{
-					Ok(backend) => backend,
-					Err(e) => {
-						println!("Failed to start postgres tls backend: {}", e);
-						std::process::exit(-1);
-					},
-				};
+			println!(
+				"Connected to PostgreSQL TLS backend with DSN: {}/{}",
+				config.postgresql_prefix, config.vss_db
+			);
 			Arc::new(postgres_tls_backend)
 		} else {
-			let postgres_plaintext_backend =
-				match PostgresPlaintextBackend::new(&endpoint, &default_db, &vss_db).await {
-					Ok(backend) => backend,
-					Err(e) => {
-						println!("Failed to start postgres plaintext backend: {}", e);
-						std::process::exit(-1);
-					},
-				};
+			let postgres_plaintext_backend = PostgresPlaintextBackend::new(
+				&config.postgresql_prefix,
+				&config.default_db,
+				&config.vss_db,
+			)
+			.await
+			.unwrap_or_else(|e| {
+				println!("Failed to start postgres plaintext backend: {}", e);
+				std::process::exit(-1);
+			});
+			println!(
+				"Connected to PostgreSQL plaintext backend with DSN: {}/{}",
+				config.postgresql_prefix, config.vss_db
+			);
 			Arc::new(postgres_plaintext_backend)
 		};
-		println!("Connected to PostgreSQL backend with DSN: {}/{}", endpoint, vss_db);
 
-		let rest_svc_listener =
-			TcpListener::bind(&addr).await.expect("Failed to bind listening port");
-		println!("Listening for incoming connections on {}", addr);
+		let rest_svc_listener = TcpListener::bind(&config.bind_address).await.unwrap_or_else(|e| {
+			println!("Failed to bind listening port: {}", e);
+			std::process::exit(-1);
+		});
+		println!("Listening for incoming connections on {}", config.bind_address);
+
 		loop {
 			tokio::select! {
 				res = rest_svc_listener.accept() => {

rust/server/src/util/config.rs

@@ -1,53 +1,138 @@
+use auth_impls::DecodingKey;
+use impls::postgres_store::Certificate;
 use serde::Deserialize;
+use std::net::SocketAddr;
 
 #[derive(Deserialize)]
-pub(crate) struct Config {
-	pub(crate) server_config: ServerConfig,
-	pub(crate) postgresql_config: PostgreSQLConfig,
+struct Config {
+	server_config: ServerConfig,
+	postgresql_config: Option<PostgreSQLConfig>,
 }
 
 #[derive(Deserialize)]
-pub(crate) struct ServerConfig {
-	pub(crate) host: String,
-	pub(crate) port: u16,
-	pub(crate) rsa_pub_file_path: Option<String>,
+struct ServerConfig {
+	bind_address: SocketAddr,
+	rsa_pub_file_path: Option<String>,
 }
 
+// All fields can be overriden by their corresponding environment variables
 #[derive(Deserialize)]
-pub(crate) struct PostgreSQLConfig {
-	pub(crate) username: Option<String>, // Optional in TOML, can be overridden by env
-	pub(crate) password: Option<String>, // Optional in TOML, can be overridden by env
-	pub(crate) host: String,
-	pub(crate) port: u16,
-	pub(crate) default_database: String,
-	pub(crate) vss_database: String,
-	pub(crate) tls: Option<TlsConfig>,
+struct PostgreSQLConfig {
+	// VSS_POSTGRESQL_USERNAME
+	username: Option<String>,
+	// VSS_POSTGRESQL_PASSWORD
+	password: Option<String>,
+	// VSS_POSTGRESQL_ADDRESS
+	address: Option<SocketAddr>,
+	// VSS_POSTGRESQL_DEFAULT_DATABASE
+	default_database: Option<String>,
+	// VSS_POSTGRESQL_VSS_DATABASE
+	vss_database: Option<String>,
+	// Set VSS_POSTGRESQL_TLS=1 for tls: Some(TlsConfig { crt_file_path: None })
+	// Set VSS_POSTGRESQL_CRT_FILE_PATH=ca.crt for tls: Some(TlsConfig { crt_file_path: String::from("ca.crt") })
+	tls: Option<TlsConfig>,
 }
 
 #[derive(Deserialize)]
-pub(crate) struct TlsConfig {
-	pub(crate) ca_file: Option<String>,
+struct TlsConfig {
+	crt_file_path: Option<String>,
 }
 
-impl PostgreSQLConfig {
-	pub(crate) fn to_postgresql_endpoint(&self) -> String {
-		let username_env = std::env::var("VSS_POSTGRESQL_USERNAME");
-		let username = username_env.as_ref()
-			.ok()
-			.or_else(|| self.username.as_ref())
-			.expect("PostgreSQL database username must be provided in config or env var VSS_POSTGRESQL_USERNAME must be set.");
-		let password_env = std::env::var("VSS_POSTGRESQL_PASSWORD");
-		let password = password_env.as_ref()
-			.ok()
-			.or_else(|| self.password.as_ref())
-			.expect("PostgreSQL database password must be provided in config or env var VSS_POSTGRESQL_PASSWORD must be set.");
-
-		format!("postgresql://{}:{}@{}:{}", username, password, self.host, self.port)
-	}
+pub(crate) struct Configuration {
+	pub(crate) bind_address: SocketAddr,
+	pub(crate) jwt_rsa_public_key: Option<DecodingKey>,
+	pub(crate) postgresql_prefix: String,
+	pub(crate) default_db: String,
+	pub(crate) vss_db: String,
+	// The Some(None) variant maps to a TLS connection with no additional certificates
+	pub(crate) tls_config: Option<Option<Certificate>>,
 }
 
-pub(crate) fn load_config(config_path: &str) -> Result<Config, Box<dyn std::error::Error>> {
-	let config_str = std::fs::read_to_string(config_path)?;
-	let config: Config = toml::from_str(&config_str)?;
-	Ok(config)
+fn load_postgresql_prefix(config: Option<&PostgreSQLConfig>) -> Result<String, String> {
+	let username_env = std::env::var("VSS_POSTGRESQL_USERNAME").ok();
+	let username = username_env.as_ref()
+		.or(config.and_then(|c| c.username.as_ref()))
+		.ok_or("PostgreSQL database username must be provided in config or env var VSS_POSTGRESQL_USERNAME must be set.")?;
+
+	let password_env = std::env::var("VSS_POSTGRESQL_PASSWORD").ok();
+	let password = password_env.as_ref()
+		.or(config.and_then(|c| c.password.as_ref()))
+		.ok_or("PostgreSQL database password must be provided in config or env var VSS_POSTGRESQL_PASSWORD must be set.")?;
+
+	let address_env: Option<SocketAddr> =
+		if let Some(addr) = std::env::var("VSS_POSTGRESQL_ADDRESS").ok() {
+			let socket_addr = addr
+				.parse()
+				.map_err(|e| format!("Unable to parse postgresql address env var: {}", e))?;
+			Some(socket_addr)
+		} else {
+			None
+		};
+	let address = address_env.as_ref()
+		.or(config.and_then(|c| c.address.as_ref()))
+		.ok_or("PostgreSQL service address must be provided in config or env var VSS_POSTGRESQL_ADDRESS must be set.")?;
+
+	Ok(format!("postgresql://{}:{}@{}", username, password, address))
+}
+
+pub(crate) fn load_configuration(config_file_path: &str) -> Result<Configuration, String> {
+	let config_file = std::fs::read_to_string(config_file_path)
+		.map_err(|e| format!("Failed to read configuration file: {}", e))?;
+	let Config {
+		server_config: ServerConfig { bind_address, rsa_pub_file_path },
+		postgresql_config,
+	} = toml::from_str(&config_file)
+		.map_err(|e| format!("Failed to parse configuration file: {}", e))?;
+
+	let jwt_rsa_public_key = if let Some(file_path) = rsa_pub_file_path {
+		let rsa_pub_file = std::fs::read(file_path)
+			.map_err(|e| format!("Failed to read RSA public key file: {}", e))?;
+		let rsa_public_key = DecodingKey::from_rsa_pem(&rsa_pub_file)
+			.map_err(|e| format!("Failed to parse RSA public key file: {}", e))?;
+		Some(rsa_public_key)
+	} else {
+		None
+	};
+
+	let postgresql_prefix = load_postgresql_prefix(postgresql_config.as_ref())?;
+
+	let default_db_env = std::env::var("VSS_POSTGRESQL_DEFAULT_DATABASE").ok();
+	let default_db = default_db_env
+		.or(postgresql_config.as_ref().and_then(|c| c.default_database.clone()))
+		.ok_or(String::from("PostgreSQL default database name must be provided in config or env var VSS_POSTGRESQL_DEFAULT_DATABASE must be set."))?;
+
+	let vss_db_env = std::env::var("VSS_POSTGRESQL_VSS_DATABASE").ok();
+	let vss_db = vss_db_env
+		.or(postgresql_config.as_ref().and_then(|c| c.vss_database.clone()))
+		.ok_or(String::from("PostgreSQL vss database name must be provided in config or env var VSS_POSTGRESQL_VSS_DATABASE must be set."))?;
+
+	let crt_file_path_env = std::env::var("VSS_POSTGRESQL_CRT_FILE_PATH").ok();
+	let crt_file_path = crt_file_path_env.or(postgresql_config
+		.as_ref()
+		.and_then(|c| c.tls.as_ref())
+		.and_then(|tls| tls.crt_file_path.clone()));
+	let certificate = if let Some(file_path) = crt_file_path {
+		let crt_file = std::fs::read(&file_path)
+			.map_err(|e| format!("Failed to read certificate file: {}", e))?;
+		let certificate = Certificate::from_pem(&crt_file)
+			.map_err(|e| format!("Failed to parse certificate file: {}", e))?;
+		Some(certificate)
+	} else {
+		None
+	};
+
+	let tls_config_env = std::env::var("VSS_POSTGRESQL_TLS").ok();
+	let tls_config = (certificate.is_some()
+		|| tls_config_env.is_some()
+		|| postgresql_config.and_then(|c| c.tls).is_some())
+	.then_some(certificate);
+
+	Ok(Configuration {
+		bind_address,
+		jwt_rsa_public_key,
+		postgresql_prefix,
+		default_db,
+		vss_db,
+		tls_config,
+	})
 }

rust/server/vss-server-config.toml

@@ -1,14 +1,12 @@
 [server_config]
-host = "127.0.0.1"
-port = 8080
-# rsa_pub_file_path = "rsa_public_key.pem" # Uncomment to verify JWT tokens in the HTTP Authorization header
+bind_address = "127.0.0.1:8080"
+# rsa_pub_file_path = "rsa_public_key.pem"        # Uncomment to verify JWT tokens in the HTTP Authorization header
 
 [postgresql_config]
-username = "postgres"  # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_USERNAME`
-password = "postgres"  # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_PASSWORD`
-host = "localhost"
-port = 5432
-default_database = "postgres"
-vss_database = "vss"
-# tls = { }                        # Uncomment to make TLS connections to the postgres database using your machine's PKI
-# tls = { ca_file = "ca.pem" }     # Uncomment to make TLS connections to the postgres database with an additional root certificate
+username = "postgres"                            # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_USERNAME`
+password = "postgres"                            # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_PASSWORD`
+address = "127.0.0.1:5432"                       # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_ADDRESS`
+default_database = "postgres"                    # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_DEFAULT_DATABASE`
+vss_database = "vss"                             # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_VSS_DATABASE`
+# tls = { }                                      # Uncomment, or set env var `VSS_POSTGRESQL_TLS=1` to make TLS connections to the postgres database using your machine's PKI
+# tls = { crt_file_path = "ca.crt" }             # Uncomment, or set env var `VSS_POSTGRESQL_CRT_FILE_PATH=ca.crt` to make TLS connections to the postgres database with an additional root certificate