1use schemars::JsonSchema;
4use serde::{Deserialize, Serialize};
5
6use super::resolve::resolve_env_vars;
7use crate::tuning::{TuningConfig, TuningProfile};
8
9#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone)]
10#[serde(deny_unknown_fields)]
11pub struct SourceConfig {
12 #[serde(rename = "type")]
13 pub source_type: SourceType,
14
15 pub url: Option<String>,
16 pub url_env: Option<String>,
17 pub url_file: Option<String>,
18
19 pub host: Option<String>,
20 pub port: Option<u16>,
21 pub user: Option<String>,
22 pub password: Option<String>,
23 pub password_env: Option<String>,
24 pub database: Option<String>,
25
26 #[serde(default)]
39 pub environment: Option<SourceEnvironment>,
40
41 #[serde(default)]
42 pub tuning: Option<TuningConfig>,
43
44 #[serde(default)]
47 pub tls: Option<TlsConfig>,
48}
49
50#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Copy, PartialEq, Eq)]
54#[serde(rename_all = "lowercase")]
55pub enum SourceEnvironment {
56 Local,
59 Replica,
62 Production,
64}
65
66impl SourceEnvironment {
67 pub fn default_profile(self) -> TuningProfile {
70 match self {
71 SourceEnvironment::Local => TuningProfile::Fast,
72 SourceEnvironment::Replica | SourceEnvironment::Production => TuningProfile::Balanced,
73 }
74 }
75}
76
77#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Default)]
94#[serde(deny_unknown_fields)]
95pub struct TlsConfig {
96 #[serde(default)]
98 pub mode: TlsMode,
99 pub ca_file: Option<String>,
102 #[serde(default)]
105 pub accept_invalid_certs: bool,
106 #[serde(default)]
109 pub accept_invalid_hostnames: bool,
110}
111
112#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Copy, PartialEq, Eq, Default)]
114#[serde(rename_all = "kebab-case")]
115pub enum TlsMode {
116 Disable,
118 Require,
121 VerifyCa,
124 #[default]
127 VerifyFull,
128}
129
130impl TlsMode {
131 pub fn is_enforced(self) -> bool {
132 !matches!(self, TlsMode::Disable)
133 }
134}
135
136impl SourceConfig {
137 pub fn redact_for_artifact(&self) -> (Self, bool) {
150 let mut out = self.clone();
151 let mut redacted = false;
152
153 if out.password.is_some() {
154 out.password = None;
155 redacted = true;
156 }
157
158 if let Some(ref raw) = out.url
159 && let Some((userinfo_end, scheme_end)) = find_userinfo(raw)
160 {
161 let mut s = String::with_capacity(raw.len());
162 s.push_str(&raw[..scheme_end]); s.push_str("REDACTED");
164 s.push_str(&raw[userinfo_end..]); out.url = Some(s);
166 redacted = true;
167 }
168
169 (out, redacted)
170 }
171
172 pub(crate) fn has_structured_fields(&self) -> bool {
173 self.host.is_some()
174 || self.user.is_some()
175 || self.database.is_some()
176 || self.password.is_some()
177 || self.password_env.is_some()
178 }
179
180 pub(crate) fn has_url_fields(&self) -> bool {
181 self.url.is_some() || self.url_env.is_some() || self.url_file.is_some()
182 }
183
184 fn build_url_from_fields(&self) -> crate::error::Result<String> {
185 let host = self.host.as_deref().ok_or_else(|| {
190 anyhow::anyhow!(
191 "source: structured config is missing 'host'.\n Hint: add `host: localhost` (or your DB host) under `source:` in rivet.yaml.\n Or switch to URL-based config: `url_env: DATABASE_URL`."
192 )
193 })?;
194 let user = self.user.as_deref().ok_or_else(|| {
195 anyhow::anyhow!(
196 "source: structured config is missing 'user'.\n Hint: add `user: <username>` under `source:` in rivet.yaml."
197 )
198 })?;
199 let database = self.database.as_deref().ok_or_else(|| {
200 anyhow::anyhow!(
201 "source: structured config is missing 'database'.\n Hint: add `database: <dbname>` under `source:` in rivet.yaml."
202 )
203 })?;
204
205 let password: zeroize::Zeroizing<String> =
210 zeroize::Zeroizing::new(match (&self.password, &self.password_env) {
211 (Some(_), Some(_)) => {
212 anyhow::bail!("source: specify 'password' or 'password_env', not both");
213 }
214 (Some(p), None) => {
215 static WARNED: std::sync::Once = std::sync::Once::new();
216 WARNED.call_once(|| {
217 log::warn!(
218 "source config contains plaintext password -- consider using password_env"
219 );
220 });
221 resolve_env_vars(p)?
222 }
223 (None, Some(env)) => std::env::var(env).map_err(|_| {
224 anyhow::anyhow!(
225 "source: env var '{0}' is not set (referenced by password_env).\n Hint: export the value before running, e.g.\n export {0}='your-database-password'",
226 env
227 )
228 })?,
229 (None, None) => String::new(),
230 });
231
232 let default_port = match self.source_type {
233 SourceType::Postgres => 5432,
234 SourceType::Mysql => 3306,
235 };
236 let port = self.port.unwrap_or(default_port);
237
238 let scheme = match self.source_type {
239 SourceType::Postgres => "postgresql",
240 SourceType::Mysql => "mysql",
241 };
242
243 if password.is_empty() {
244 Ok(format!(
245 "{}://{}@{}:{}/{}",
246 scheme, user, host, port, database
247 ))
248 } else {
249 Ok(format!(
250 "{}://{}:{}@{}:{}/{}",
251 scheme,
252 user,
253 password.as_str(),
254 host,
255 port,
256 database
257 ))
258 }
259 }
260
261 pub fn resolve_url(&self) -> crate::error::Result<String> {
262 if self.has_url_fields() && self.has_structured_fields() {
263 anyhow::bail!(
264 "source: pick either URL-based config (url/url_env/url_file) OR structured fields (host/user/database/port/password_env), not both.\n Hint: remove whichever block you don't want; mixing the two is ambiguous."
265 );
266 }
267
268 if self.has_structured_fields() {
269 return self.build_url_from_fields();
270 }
271
272 #[allow(dead_code)]
283 enum UrlSource<'a> {
284 InlineYaml,
285 EnvVar(&'a str),
286 File(&'a str),
287 }
288 let (raw, source) = match (&self.url, &self.url_env, &self.url_file) {
289 (Some(u), None, None) => (u.clone(), UrlSource::InlineYaml),
290 (None, Some(env), None) => (
291 std::env::var(env).map_err(|_| {
292 anyhow::anyhow!(
293 "source: env var '{0}' is not set (referenced by url_env).\n Hint: export the value before running, e.g.\n export {0}='postgresql://user:pass@host:5432/dbname'\n Or change `url_env: {0}` in your config to a different env var name.",
294 env
295 )
296 })?,
297 UrlSource::EnvVar(env),
298 ),
299 (None, None, Some(file)) => (
300 std::fs::read_to_string(file)
301 .map_err(|e| {
302 anyhow::anyhow!(
303 "source: cannot read url_file '{}': {}.\n Hint: ensure the file exists and is readable; the file should contain only the URL on a single line.",
304 file,
305 e
306 )
307 })?
308 .trim()
309 .to_string(),
310 UrlSource::File(file),
311 ),
312 _ => anyhow::bail!(
313 "source: configure exactly one connection method:\n url_env: DATABASE_URL (URL from env var — recommended)\n url: 'postgresql://user:pass@host:5432/db' (inline — not recommended for committed configs)\n url_file: /etc/rivet/source.url (URL from file — rotation-friendly)\n host/user/database/... (structured fields under `source:`)"
314 ),
315 };
316
317 let resolved = resolve_env_vars(&raw)?;
318
319 if resolved.contains('@')
320 && resolved.contains(':')
321 && let Some(userinfo) = resolved.split('@').next()
322 && userinfo.contains(':')
323 && !userinfo.ends_with(':')
324 {
325 match source {
336 UrlSource::InlineYaml => {
337 static WARNED: std::sync::Once = std::sync::Once::new();
338 WARNED.call_once(|| {
339 log::warn!(
340 "source: inline `url:` in YAML contains a plaintext password — \
341 move it to `url_env: DATABASE_URL` (or `url_file:`) to keep \
342 credentials out of committed configs"
343 );
344 });
345 }
346 UrlSource::EnvVar(_) | UrlSource::File(_) => {
347 }
350 }
351 }
352
353 Ok(resolved)
354 }
355}
356
357#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Copy, PartialEq, Eq)]
358#[serde(rename_all = "lowercase")]
359pub enum SourceType {
360 Postgres,
361 Mysql,
362}
363
364fn find_userinfo(raw: &str) -> Option<(usize, usize)> {
372 let scheme = raw.find("://")? + 3;
373 let rest = &raw[scheme..];
374 let at = rest.find('@')?;
375 if let Some(path) = rest.find('/')
377 && path < at
378 {
379 return None;
380 }
381 Some((scheme + at, scheme))
382}
383
384#[cfg(test)]
385mod tests {
386 use super::*;
387
388 #[test]
391 fn tls_mode_disable_not_enforced() {
392 assert!(!TlsMode::Disable.is_enforced());
393 }
394
395 #[test]
396 fn tls_mode_require_is_enforced() {
397 assert!(TlsMode::Require.is_enforced());
398 assert!(TlsMode::VerifyCa.is_enforced());
399 assert!(TlsMode::VerifyFull.is_enforced());
400 }
401
402 fn make_source(source_type: SourceType) -> SourceConfig {
405 SourceConfig {
406 source_type,
407 url: None,
408 url_env: None,
409 url_file: None,
410 host: None,
411 port: None,
412 user: None,
413 password: None,
414 password_env: None,
415 database: None,
416 environment: None,
417 tuning: None,
418 tls: None,
419 }
420 }
421
422 #[test]
423 fn redact_plaintext_password() {
424 let mut src = make_source(SourceType::Postgres);
425 src.password = Some("s3cr3t".into());
426 let (redacted, flag) = src.redact_for_artifact();
427 assert!(flag, "redaction should be flagged");
428 assert!(
429 redacted.password.is_none(),
430 "plaintext password must be stripped"
431 );
432 }
433
434 #[test]
435 fn redact_url_with_password() {
436 let mut src = make_source(SourceType::Postgres);
437 src.url = Some("postgresql://user:hunter2@db.example.com:5432/app".into());
438 let (redacted, flag) = src.redact_for_artifact();
439 assert!(flag, "URL redaction flagged");
440 let url = redacted.url.unwrap();
441 assert!(!url.contains("hunter2"), "password must not appear: {url}");
442 assert!(url.contains("REDACTED"), "placeholder must appear: {url}");
443 assert!(url.contains("@db.example.com"), "host retained: {url}");
444 }
445
446 #[test]
447 fn redact_url_without_at_sign_not_flagged() {
448 let mut src = make_source(SourceType::Postgres);
449 src.url = Some("postgresql://db.example.com:5432/app".into());
450 let (_, flag) = src.redact_for_artifact();
451 assert!(!flag, "URL with no userinfo must not be flagged");
452 }
453
454 #[test]
455 fn redact_url_with_user_but_no_password_is_flagged() {
456 let mut src = make_source(SourceType::Postgres);
457 src.url = Some("postgresql://user@db.example.com:5432/app".into());
458 let (redacted, flag) = src.redact_for_artifact();
459 assert!(flag, "bare user@ is still userinfo and gets redacted");
460 let url = redacted.url.unwrap();
461 assert!(url.contains("REDACTED"), "userinfo replaced: {url}");
462 assert!(!url.contains("user@"), "bare username removed: {url}");
463 }
464
465 #[test]
466 fn redact_env_var_reference_kept_intact() {
467 let mut src = make_source(SourceType::Mysql);
468 src.url_env = Some("DB_URL".into());
469 src.password_env = Some("DB_PASS".into());
470 let (redacted, flag) = src.redact_for_artifact();
471 assert!(!flag, "env var references are not secrets");
472 assert_eq!(redacted.url_env.as_deref(), Some("DB_URL"));
473 assert_eq!(redacted.password_env.as_deref(), Some("DB_PASS"));
474 }
475
476 #[test]
477 fn redact_mysql_url_with_password() {
478 let mut src = make_source(SourceType::Mysql);
479 src.url = Some("mysql://root:pass@127.0.0.1:3306/mydb".into());
480 let (redacted, flag) = src.redact_for_artifact();
481 assert!(flag);
482 let url = redacted.url.unwrap();
483 assert!(url.contains("REDACTED"), "{url}");
484 assert!(!url.contains("pass"), "{url}");
485 }
486
487 #[test]
490 fn resolve_url_from_structured_fields_postgres() {
491 let mut src = make_source(SourceType::Postgres);
492 src.host = Some("pg.internal".into());
493 src.user = Some("alice".into());
494 src.database = Some("warehouse".into());
495 src.port = Some(5433);
496 let url = src.resolve_url().unwrap();
497 assert_eq!(url, "postgresql://alice@pg.internal:5433/warehouse");
498 }
499
500 #[test]
501 fn resolve_url_from_structured_fields_defaults_port() {
502 let mut src = make_source(SourceType::Mysql);
503 src.host = Some("my.internal".into());
504 src.user = Some("bob".into());
505 src.database = Some("orders".into());
506 let url = src.resolve_url().unwrap();
507 assert_eq!(url, "mysql://bob@my.internal:3306/orders");
508 }
509
510 #[test]
511 fn resolve_url_direct_url_passthrough() {
512 let mut src = make_source(SourceType::Postgres);
513 src.url = Some("postgresql://carol@pg.example.com:5432/db".into());
514 let url = src.resolve_url().unwrap();
515 assert_eq!(url, "postgresql://carol@pg.example.com:5432/db");
516 }
517
518 #[test]
519 fn resolve_url_rejects_mixed_url_and_structured() {
520 let mut src = make_source(SourceType::Postgres);
521 src.url = Some("postgresql://carol@pg.example.com/db".into());
522 src.host = Some("other".into());
523 let err = src.resolve_url().unwrap_err();
524 let msg = format!("{err:#}");
525 assert!(
526 msg.contains("URL-based") || msg.contains("structured"),
527 "{msg}"
528 );
529 }
530
531 #[test]
532 fn resolve_url_rejects_missing_host() {
533 let mut src = make_source(SourceType::Postgres);
534 src.user = Some("alice".into());
535 src.database = Some("warehouse".into());
536 let err = src.resolve_url().unwrap_err();
537 let msg = format!("{err:#}");
538 assert!(msg.contains("host"), "{msg}");
539 }
540
541 #[test]
544 fn find_userinfo_detects_password_in_url() {
545 let url = "postgresql://user:pass@host/db";
546 let result = find_userinfo(url);
547 assert!(result.is_some(), "should detect user:pass@");
548 }
549
550 #[test]
551 fn find_userinfo_no_password_no_at_returns_none() {
552 assert!(find_userinfo("postgresql://host/db").is_none());
553 }
554
555 #[test]
556 fn find_userinfo_user_only_at_sign_matches() {
557 let url = "postgresql://user@host/db";
558 assert!(find_userinfo(url).is_some(), "bare user@ should match");
559 }
560
561 #[test]
562 fn find_userinfo_no_at_sign_returns_none() {
563 assert!(find_userinfo("postgresql://db.example.com:5432/app").is_none());
564 }
565}