Skip to main content

rivet/config/
source.rs

1//! Source-database connection config: URL/structured fields, TLS, environment hints.
2
3use schemars::JsonSchema;
4use serde::{Deserialize, Serialize};
5
6use super::resolve::resolve_env_vars;
7use crate::tuning::{TuningConfig, TuningProfile};
8
9#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone)]
10#[serde(deny_unknown_fields)]
11pub struct SourceConfig {
12    #[serde(rename = "type")]
13    pub source_type: SourceType,
14
15    pub url: Option<String>,
16    pub url_env: Option<String>,
17    pub url_file: Option<String>,
18
19    pub host: Option<String>,
20    pub port: Option<u16>,
21    pub user: Option<String>,
22    pub password: Option<String>,
23    pub password_env: Option<String>,
24    pub database: Option<String>,
25
26    /// Operational profile of the source database.
27    ///
28    /// Selects the **default** tuning profile when none is explicitly set in
29    /// `source.tuning.profile` or `export.tuning.profile`:
30    ///
31    /// | `environment`           | default profile |
32    /// |-------------------------|------------------|
33    /// | `production` (default)  | `balanced` (50 ms throttle, 10 k batch, retries) |
34    /// | `replica`               | `balanced` |
35    /// | `local`                 | `fast` (no throttle, 50 k batch — saves ~30% wall on localhost) |
36    ///
37    /// Explicit `tuning.profile:` always wins over this hint.
38    #[serde(default)]
39    pub environment: Option<SourceEnvironment>,
40
41    #[serde(default)]
42    pub tuning: Option<TuningConfig>,
43
44    /// Transport security settings (ADR: SecOps). When absent, Rivet connects
45    /// without TLS — a warning is emitted so operators are aware. See [`TlsConfig`].
46    #[serde(default)]
47    pub tls: Option<TlsConfig>,
48}
49
50/// Operational environment of the source database — drives the default tuning
51/// profile when none is explicitly set. Opt-in: existing configs without
52/// `environment:` continue to use `balanced` as today.
53#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Copy, PartialEq, Eq)]
54#[serde(rename_all = "lowercase")]
55pub enum SourceEnvironment {
56    /// Localhost / Docker compose / read-only container — no throttle by default
57    /// (compiles to `fast` profile defaults). Use when DB load is not a concern.
58    Local,
59    /// Read replica — `balanced` default. Same throttle as production, but free
60    /// to dial up `tuning.batch_size`.
61    Replica,
62    /// Live production primary — `balanced` default. Bias toward source-safety.
63    Production,
64}
65
66impl SourceEnvironment {
67    /// Default tuning profile selected by this environment when the user has
68    /// not set `tuning.profile:` explicitly.
69    pub fn default_profile(self) -> TuningProfile {
70        match self {
71            SourceEnvironment::Local => TuningProfile::Fast,
72            SourceEnvironment::Replica | SourceEnvironment::Production => TuningProfile::Balanced,
73        }
74    }
75}
76
77/// Transport security for the source database connection.
78///
79/// Credentials and exported data cross the wire on every connection; without TLS
80/// they are visible to anyone on the network path (cloud inter-VPC, cross-AZ, or
81/// a compromised upstream). The default for all new connections is
82/// [`TlsMode::Require`] when `tls:` is present; setting `tls: { mode: disable }`
83/// is explicit opt-out.
84///
85/// ```yaml
86/// source:
87///   type: postgres
88///   url_env: DATABASE_URL
89///   tls:
90///     mode: verify-full
91///     ca_file: /etc/ssl/certs/rds-ca-2019-root.pem
92/// ```
93#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Default)]
94#[serde(deny_unknown_fields)]
95pub struct TlsConfig {
96    /// Enforcement level. See [`TlsMode`].
97    #[serde(default)]
98    pub mode: TlsMode,
99    /// PEM-encoded CA certificate to trust for server verification. Required
100    /// for [`TlsMode::VerifyCa`] and [`TlsMode::VerifyFull`] against a private CA.
101    pub ca_file: Option<String>,
102    /// Accept certificates not chained to a trusted CA. Dangerous — disables
103    /// server authentication — and only honored when explicitly `true`.
104    #[serde(default)]
105    pub accept_invalid_certs: bool,
106    /// Accept certificates whose subjectAltName does not match the connection
107    /// hostname. Dangerous — disables hostname verification.
108    #[serde(default)]
109    pub accept_invalid_hostnames: bool,
110}
111
112/// TLS enforcement mode, mirroring libpq's `sslmode` semantics where possible.
113#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Copy, PartialEq, Eq, Default)]
114#[serde(rename_all = "kebab-case")]
115pub enum TlsMode {
116    /// Plaintext. Use only inside trusted networks (loopback, cgroup-private).
117    Disable,
118    /// Require a TLS handshake; accept the server certificate without verifying
119    /// issuer or hostname. Protects against passive sniffing, not MITM.
120    Require,
121    /// TLS + verify certificate chains to the configured / system trust store.
122    /// Does not check hostname (useful for IP-addressed or internal names).
123    VerifyCa,
124    /// TLS + verify chain **and** hostname against the server cert's SAN/CN.
125    /// Recommended default for production.
126    #[default]
127    VerifyFull,
128}
129
130impl TlsMode {
131    pub fn is_enforced(self) -> bool {
132        !matches!(self, TlsMode::Disable)
133    }
134}
135
136impl SourceConfig {
137    /// Return a copy of this config with **all plaintext credential material stripped**,
138    /// safe to embed in a persisted [`crate::plan::PlanArtifact`] (ADR-0005 PA9).
139    ///
140    /// Redaction rules:
141    /// - `password` → always `None` (plaintext password never leaves the process).
142    /// - `url` containing `user[:password]@` → userinfo segment replaced with `"REDACTED"`.
143    /// - `url_env`, `url_file`, `password_env` — kept (env var **names** and file paths
144    ///   are references, not secrets; `apply` needs them to re-resolve credentials).
145    /// - `host`, `port`, `user`, `database` — kept (structured connection metadata).
146    ///
147    /// If a plaintext `password` or `url` is redacted, callers should surface a warning
148    /// to the operator so env/file-based auth is available at apply time.
149    pub fn redact_for_artifact(&self) -> (Self, bool) {
150        let mut out = self.clone();
151        let mut redacted = false;
152
153        if out.password.is_some() {
154            out.password = None;
155            redacted = true;
156        }
157
158        if let Some(ref raw) = out.url
159            && let Some((userinfo_end, scheme_end)) = find_userinfo(raw)
160        {
161            let mut s = String::with_capacity(raw.len());
162            s.push_str(&raw[..scheme_end]); // "postgresql://"
163            s.push_str("REDACTED");
164            s.push_str(&raw[userinfo_end..]); // "@host:port/db…"
165            out.url = Some(s);
166            redacted = true;
167        }
168
169        (out, redacted)
170    }
171
172    pub(crate) fn has_structured_fields(&self) -> bool {
173        self.host.is_some()
174            || self.user.is_some()
175            || self.database.is_some()
176            || self.password.is_some()
177            || self.password_env.is_some()
178    }
179
180    pub(crate) fn has_url_fields(&self) -> bool {
181        self.url.is_some() || self.url_env.is_some() || self.url_file.is_some()
182    }
183
184    fn build_url_from_fields(&self) -> crate::error::Result<String> {
185        // First-user-friendly errors: name the missing field, suggest a
186        // concrete value, and remind the operator that `url_env` is the
187        // alternative path so they don't bounce.  See
188        // `docs/getting-started.md` for the full onboarding flow.
189        let host = self.host.as_deref().ok_or_else(|| {
190            anyhow::anyhow!(
191                "source: structured config is missing 'host'.\n  Hint: add `host: localhost` (or your DB host) under `source:` in rivet.yaml.\n  Or switch to URL-based config: `url_env: DATABASE_URL`."
192            )
193        })?;
194        let user = self.user.as_deref().ok_or_else(|| {
195            anyhow::anyhow!(
196                "source: structured config is missing 'user'.\n  Hint: add `user: <username>` under `source:` in rivet.yaml."
197            )
198        })?;
199        let database = self.database.as_deref().ok_or_else(|| {
200            anyhow::anyhow!(
201                "source: structured config is missing 'database'.\n  Hint: add `database: <dbname>` under `source:` in rivet.yaml."
202            )
203        })?;
204
205        // SecOps: keep the plaintext password inside a `Zeroizing<String>` until it
206        // is spliced into the final URL, so the standalone password buffer is
207        // wiped on drop (the final URL still lives as a plain String but is
208        // shorter-lived and dropped by the driver constructor).
209        let password: zeroize::Zeroizing<String> =
210            zeroize::Zeroizing::new(match (&self.password, &self.password_env) {
211                (Some(_), Some(_)) => {
212                    anyhow::bail!("source: specify 'password' or 'password_env', not both");
213                }
214                (Some(p), None) => {
215                    static WARNED: std::sync::Once = std::sync::Once::new();
216                    WARNED.call_once(|| {
217                        log::warn!(
218                            "source config contains plaintext password -- consider using password_env"
219                        );
220                    });
221                    resolve_env_vars(p)?
222                }
223                (None, Some(env)) => std::env::var(env).map_err(|_| {
224                    anyhow::anyhow!(
225                        "source: env var '{0}' is not set (referenced by password_env).\n  Hint: export the value before running, e.g.\n      export {0}='your-database-password'",
226                        env
227                    )
228                })?,
229                (None, None) => String::new(),
230            });
231
232        let default_port = match self.source_type {
233            SourceType::Postgres => 5432,
234            SourceType::Mysql => 3306,
235        };
236        let port = self.port.unwrap_or(default_port);
237
238        let scheme = match self.source_type {
239            SourceType::Postgres => "postgresql",
240            SourceType::Mysql => "mysql",
241        };
242
243        if password.is_empty() {
244            Ok(format!(
245                "{}://{}@{}:{}/{}",
246                scheme, user, host, port, database
247            ))
248        } else {
249            Ok(format!(
250                "{}://{}:{}@{}:{}/{}",
251                scheme,
252                user,
253                password.as_str(),
254                host,
255                port,
256                database
257            ))
258        }
259    }
260
261    pub fn resolve_url(&self) -> crate::error::Result<String> {
262        if self.has_url_fields() && self.has_structured_fields() {
263            anyhow::bail!(
264                "source: pick either URL-based config (url/url_env/url_file) OR structured fields (host/user/database/port/password_env), not both.\n  Hint: remove whichever block you don't want; mixing the two is ambiguous."
265            );
266        }
267
268        if self.has_structured_fields() {
269            return self.build_url_from_fields();
270        }
271
272        // Capture *where* the URL came from so the password warning below
273        // can be specific: scolding an operator who already used
274        // `url_env:` (the recommendation!) for "considering url_env" is
275        // misleading and trains them to tune out our warnings.
276        //
277        // The `EnvVar(&str)` / `File(&str)` payloads are retained for
278        // future use (e.g. mentioning the env-var name in a richer
279        // diagnostic later) — `#[allow(dead_code)]` keeps clippy quiet
280        // while we keep the slot open. Renaming the variants to unit
281        // would lose the documentation that "this came from <name>".
282        #[allow(dead_code)]
283        enum UrlSource<'a> {
284            InlineYaml,
285            EnvVar(&'a str),
286            File(&'a str),
287        }
288        let (raw, source) = match (&self.url, &self.url_env, &self.url_file) {
289            (Some(u), None, None) => (u.clone(), UrlSource::InlineYaml),
290            (None, Some(env), None) => (
291                std::env::var(env).map_err(|_| {
292                    anyhow::anyhow!(
293                        "source: env var '{0}' is not set (referenced by url_env).\n  Hint: export the value before running, e.g.\n      export {0}='postgresql://user:pass@host:5432/dbname'\n  Or change `url_env: {0}` in your config to a different env var name.",
294                        env
295                    )
296                })?,
297                UrlSource::EnvVar(env),
298            ),
299            (None, None, Some(file)) => (
300                std::fs::read_to_string(file)
301                    .map_err(|e| {
302                        anyhow::anyhow!(
303                            "source: cannot read url_file '{}': {}.\n  Hint: ensure the file exists and is readable; the file should contain only the URL on a single line.",
304                            file,
305                            e
306                        )
307                    })?
308                    .trim()
309                    .to_string(),
310                UrlSource::File(file),
311            ),
312            _ => anyhow::bail!(
313                "source: configure exactly one connection method:\n  url_env: DATABASE_URL                          (URL from env var — recommended)\n  url: 'postgresql://user:pass@host:5432/db'      (inline — not recommended for committed configs)\n  url_file: /etc/rivet/source.url                 (URL from file — rotation-friendly)\n  host/user/database/...                          (structured fields under `source:`)"
314            ),
315        };
316
317        let resolved = resolve_env_vars(&raw)?;
318
319        if resolved.contains('@')
320            && resolved.contains(':')
321            && let Some(userinfo) = resolved.split('@').next()
322            && userinfo.contains(':')
323            && !userinfo.ends_with(':')
324        {
325            // `resolve_url` is called from many places per run (plan build,
326            // doctor, every export, every chunk worker). Fire each variant
327            // of this warning exactly once per process so operators see
328            // one clean nudge, not 3-4 stacked copies in stderr.
329            //
330            // Only the InlineYaml case is a real misconfiguration to flag:
331            // the password is sitting in a committed file. EnvVar / File
332            // sources are explicitly the recommended forms — scolding an
333            // operator who already uses them for "considering url_env"
334            // would be a false alarm.
335            match source {
336                UrlSource::InlineYaml => {
337                    static WARNED: std::sync::Once = std::sync::Once::new();
338                    WARNED.call_once(|| {
339                        log::warn!(
340                            "source: inline `url:` in YAML contains a plaintext password — \
341                             move it to `url_env: DATABASE_URL` (or `url_file:`) to keep \
342                             credentials out of committed configs"
343                        );
344                    });
345                }
346                UrlSource::EnvVar(_) | UrlSource::File(_) => {
347                    // The recommended forms — no warning. Operator hygiene
348                    // for shell history / file permissions is out of scope.
349                }
350            }
351        }
352
353        Ok(resolved)
354    }
355}
356
357#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone, Copy, PartialEq, Eq)]
358#[serde(rename_all = "lowercase")]
359pub enum SourceType {
360    Postgres,
361    Mysql,
362}
363
364/// Locate `user[:password]@` userinfo inside a standard URL.
365///
366/// Returns `(userinfo_end_index, scheme_end_index)` where:
367/// - `scheme_end_index` points right after `"://"` (start of userinfo)
368/// - `userinfo_end_index` points at the `@` separator (exclusive of `@`)
369///
370/// Returns `None` if the URL has no userinfo segment.
371fn find_userinfo(raw: &str) -> Option<(usize, usize)> {
372    let scheme = raw.find("://")? + 3;
373    let rest = &raw[scheme..];
374    let at = rest.find('@')?;
375    // `@` must appear before the path/query start so we don't match `?foo=a@b` etc.
376    if let Some(path) = rest.find('/')
377        && path < at
378    {
379        return None;
380    }
381    Some((scheme + at, scheme))
382}
383
384#[cfg(test)]
385mod tests {
386    use super::*;
387
388    // ── TlsMode::is_enforced ────────────────────────────────────────────────
389
390    #[test]
391    fn tls_mode_disable_not_enforced() {
392        assert!(!TlsMode::Disable.is_enforced());
393    }
394
395    #[test]
396    fn tls_mode_require_is_enforced() {
397        assert!(TlsMode::Require.is_enforced());
398        assert!(TlsMode::VerifyCa.is_enforced());
399        assert!(TlsMode::VerifyFull.is_enforced());
400    }
401
402    // ── SourceConfig::redact_for_artifact ───────────────────────────────────
403
404    fn make_source(source_type: SourceType) -> SourceConfig {
405        SourceConfig {
406            source_type,
407            url: None,
408            url_env: None,
409            url_file: None,
410            host: None,
411            port: None,
412            user: None,
413            password: None,
414            password_env: None,
415            database: None,
416            environment: None,
417            tuning: None,
418            tls: None,
419        }
420    }
421
422    #[test]
423    fn redact_plaintext_password() {
424        let mut src = make_source(SourceType::Postgres);
425        src.password = Some("s3cr3t".into());
426        let (redacted, flag) = src.redact_for_artifact();
427        assert!(flag, "redaction should be flagged");
428        assert!(
429            redacted.password.is_none(),
430            "plaintext password must be stripped"
431        );
432    }
433
434    #[test]
435    fn redact_url_with_password() {
436        let mut src = make_source(SourceType::Postgres);
437        src.url = Some("postgresql://user:hunter2@db.example.com:5432/app".into());
438        let (redacted, flag) = src.redact_for_artifact();
439        assert!(flag, "URL redaction flagged");
440        let url = redacted.url.unwrap();
441        assert!(!url.contains("hunter2"), "password must not appear: {url}");
442        assert!(url.contains("REDACTED"), "placeholder must appear: {url}");
443        assert!(url.contains("@db.example.com"), "host retained: {url}");
444    }
445
446    #[test]
447    fn redact_url_without_at_sign_not_flagged() {
448        let mut src = make_source(SourceType::Postgres);
449        src.url = Some("postgresql://db.example.com:5432/app".into());
450        let (_, flag) = src.redact_for_artifact();
451        assert!(!flag, "URL with no userinfo must not be flagged");
452    }
453
454    #[test]
455    fn redact_url_with_user_but_no_password_is_flagged() {
456        let mut src = make_source(SourceType::Postgres);
457        src.url = Some("postgresql://user@db.example.com:5432/app".into());
458        let (redacted, flag) = src.redact_for_artifact();
459        assert!(flag, "bare user@ is still userinfo and gets redacted");
460        let url = redacted.url.unwrap();
461        assert!(url.contains("REDACTED"), "userinfo replaced: {url}");
462        assert!(!url.contains("user@"), "bare username removed: {url}");
463    }
464
465    #[test]
466    fn redact_env_var_reference_kept_intact() {
467        let mut src = make_source(SourceType::Mysql);
468        src.url_env = Some("DB_URL".into());
469        src.password_env = Some("DB_PASS".into());
470        let (redacted, flag) = src.redact_for_artifact();
471        assert!(!flag, "env var references are not secrets");
472        assert_eq!(redacted.url_env.as_deref(), Some("DB_URL"));
473        assert_eq!(redacted.password_env.as_deref(), Some("DB_PASS"));
474    }
475
476    #[test]
477    fn redact_mysql_url_with_password() {
478        let mut src = make_source(SourceType::Mysql);
479        src.url = Some("mysql://root:pass@127.0.0.1:3306/mydb".into());
480        let (redacted, flag) = src.redact_for_artifact();
481        assert!(flag);
482        let url = redacted.url.unwrap();
483        assert!(url.contains("REDACTED"), "{url}");
484        assert!(!url.contains("pass"), "{url}");
485    }
486
487    // ── SourceConfig::resolve_url (structured fields) ───────────────────────
488
489    #[test]
490    fn resolve_url_from_structured_fields_postgres() {
491        let mut src = make_source(SourceType::Postgres);
492        src.host = Some("pg.internal".into());
493        src.user = Some("alice".into());
494        src.database = Some("warehouse".into());
495        src.port = Some(5433);
496        let url = src.resolve_url().unwrap();
497        assert_eq!(url, "postgresql://alice@pg.internal:5433/warehouse");
498    }
499
500    #[test]
501    fn resolve_url_from_structured_fields_defaults_port() {
502        let mut src = make_source(SourceType::Mysql);
503        src.host = Some("my.internal".into());
504        src.user = Some("bob".into());
505        src.database = Some("orders".into());
506        let url = src.resolve_url().unwrap();
507        assert_eq!(url, "mysql://bob@my.internal:3306/orders");
508    }
509
510    #[test]
511    fn resolve_url_direct_url_passthrough() {
512        let mut src = make_source(SourceType::Postgres);
513        src.url = Some("postgresql://carol@pg.example.com:5432/db".into());
514        let url = src.resolve_url().unwrap();
515        assert_eq!(url, "postgresql://carol@pg.example.com:5432/db");
516    }
517
518    #[test]
519    fn resolve_url_rejects_mixed_url_and_structured() {
520        let mut src = make_source(SourceType::Postgres);
521        src.url = Some("postgresql://carol@pg.example.com/db".into());
522        src.host = Some("other".into());
523        let err = src.resolve_url().unwrap_err();
524        let msg = format!("{err:#}");
525        assert!(
526            msg.contains("URL-based") || msg.contains("structured"),
527            "{msg}"
528        );
529    }
530
531    #[test]
532    fn resolve_url_rejects_missing_host() {
533        let mut src = make_source(SourceType::Postgres);
534        src.user = Some("alice".into());
535        src.database = Some("warehouse".into());
536        let err = src.resolve_url().unwrap_err();
537        let msg = format!("{err:#}");
538        assert!(msg.contains("host"), "{msg}");
539    }
540
541    // ── find_userinfo ────────────────────────────────────────────────────────
542
543    #[test]
544    fn find_userinfo_detects_password_in_url() {
545        let url = "postgresql://user:pass@host/db";
546        let result = find_userinfo(url);
547        assert!(result.is_some(), "should detect user:pass@");
548    }
549
550    #[test]
551    fn find_userinfo_no_password_no_at_returns_none() {
552        assert!(find_userinfo("postgresql://host/db").is_none());
553    }
554
555    #[test]
556    fn find_userinfo_user_only_at_sign_matches() {
557        let url = "postgresql://user@host/db";
558        assert!(find_userinfo(url).is_some(), "bare user@ should match");
559    }
560
561    #[test]
562    fn find_userinfo_no_at_sign_returns_none() {
563        assert!(find_userinfo("postgresql://db.example.com:5432/app").is_none());
564    }
565}