From e0fa00c859a67a4b87d2356709c191513efa2b51 Mon Sep 17 00:00:00 2001
From: Jamil
Date: Fri, 15 Jul 2022 15:53:56 -0700
Subject: [PATCH] Use to_atom/1 for some ssl_opts keys (#806)

---
 config/runtime.exs | 23 +++++++++++++++++--
 .../cookbooks/firezone/attributes/default.rb | 12 ++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/config/runtime.exs b/config/runtime.exs
index c6c6301bd..8c95f1285 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -108,8 +108,27 @@ if config_env() == :prod do
 database_password = System.get_env("DATABASE_PASSWORD")
 # XXX: Using to_atom here because this is trusted input and to_existing_atom
- # won't work because we won't know the keys ahead of time.
- ssl_opts = Keyword.new(database_ssl_opts, fn {k, v} -> {String.to_atom(k), v} end)
+ # won't work because we won't know the keys ahead of time. Hardcoding supported
+ # ssl_opts as well.
+ map_ssl_opt_val = fn k, v ->
+ case k do
+ "verify" ->
+ # verify expects an atom
+ String.to_atom(v)
+
+ "versions" ->
+ # versions expects a list of atoms
+ Enum.map(v, &String.to_atom(&1))
+
+ _ ->
+ # Everything else is usually a string
+ v
+ end
+ end
+
+ ssl_opts =
+ Keyword.new(database_ssl_opts, fn {k, v} -> {String.to_atom(k), map_ssl_opt_val.(k, v)} end)
+
 parameters = Keyword.new(database_parameters, fn {k, v} -> {String.to_atom(k), v} end)
 # Database configuration
diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb
index 876481362..1af873f47 100644
--- a/omnibus/cookbooks/firezone/attributes/default.rb
+++ b/omnibus/cookbooks/firezone/attributes/default.rb
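Review bot: The `"verify"` branch hands whatever string the operator supplied to `String.to_atom/1`, although Erlang's ssl accepts only `verify_peer` or `verify_none` for that option, so a typo becomes an arbitrary atom that is not rejected until the first database connection rather than at boot. A bounded match keeps the conversion explicit and fails early with a readable error: `"verify" when v in ["verify_peer", "verify_none"] -> String.to_atom(v)` followed by `"verify" -> raise ArgumentError, "unsupported ssl_opts verify value: #{inspect(v)}"`. The `"versions"` branch has the same shape of problem in that `Enum.map/2` raises a protocol error if the value is not a list, and that message will not name the option. The `cacerts` value advertised in the cookbook hunk is passed through the `_` branch unchanged; if the Erlang option expects a list of DER binaries rather than a single string, that path needs its own conversion, which is worth confirming against the ssl docs. The enclosing `if config_env() == :prod do` block begins and ends outside the hunk.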
@@ -268,8 +268,20 @@ default['firezone']['database']['name'] = 'firezone'
 default['firezone']['database']['host'] = node['firezone']['postgresql']['listen_address']
 default['firezone']['database']['port'] = node['firezone']['postgresql']['port']
 default['firezone']['database']['ssl'] = false
+
+# SSL opts to pass to Erlang's SSL module. See a full listing at https://www.erlang.org/doc/man/ssl.html
+# Firezone supports the following subset:
+# {
+# verify: :verify_peer, # or :verify_none
+# cacerts: "...", # The DER-encoded trusted certificates. Overrides :cacertfile if specified.
+# cacertfile: "/path/to/cert.pem", # Path to a file containing PEM-encoded CA certificates.
+# versions: ["tlsv1.1", "tlsv1.2", "tlsv1.3"], # Array of TLS versions to enable
+# }
 default['firezone']['database']['ssl_opts'] = {}
+
+# DB Connection Parameters to pass to the Postgrex driver. If you're unsure, leave this blank.
 default['firezone']['database']['parameters'] = {}
+
 default['firezone']['database']['pool'] = [10, Etc.nprocessors].max
 default['firezone']['database']['extensions'] = { 'plpgsql' => true, 'pg_trgm' => true }
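Review bot: The example hash mixes Ruby symbol syntax (`verify: :verify_peer`) with string values (`"tlsv1.1"`), while the runtime config in this same commit converts the `verify` and `versions` strings to atoms itself, so the comment should show every value as the string the operator actually writes, e.g. `#   'verify' => 'verify_peer', # or 'verify_none'`. The comment also does not say what happens when `verify` is omitted from the default `{}`: Erlang's ssl then applies its own default, which on the OTP releases current for this commit is, as far as I recall, `verify_none`, so setting `ssl` to true alone does not validate the server certificate. A line such as `# If 'verify' is omitted the Erlang ssl default applies; set 'verify' => 'verify_peer' together with 'cacertfile' to validate the server certificate.` would make that explicit. The `cacerts` entry is documented as a DER string, but nothing in the runtime config converts it, so I would confirm the Erlang option accepts that form before advertising it here.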