From 29e0be5a31f5c324c3ffc4cc83af8d087dea78bb Mon Sep 17 00:00:00 2001
From: richardjcai
Date: Fri, 9 Apr 2021 19:59:46 -0400
Subject: [PATCH] Require users to pass certs when PG environment variable PGSSLMODE is specified and is either require, verify-ca or verify-full.
---
 packages/pg/lib/connection-parameters.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/packages/pg/lib/connection-parameters.js b/packages/pg/lib/connection-parameters.js
index 165e6d5d3..04c65f12f 100644
--- a/packages/pg/lib/connection-parameters.js
+++ b/packages/pg/lib/connection-parameters.js
@@ -1,6 +1,7 @@
 'use strict'
 var dns = require('dns')
+var fs = require('fs')
 var defaults = require('./defaults')
@@ -23,10 +24,20 @@ var readSSLConfigFromEnvironment = function () {
 case 'disable':
 return false
 case 'prefer':
+ return true
 case 'require':
 case 'verify-ca':
 case 'verify-full':
- return true
+ if (process.env.PGSSLROOTCERT && process.env.PGSSLKEY && process.env.PGSSLCERT) {
+ return {
+ ca: process.env.PGSSLROOTCERT ? fs.readFileSync(process.env.PGSSLROOTCERT).toString() : undefined,
+ key: process.env.PGSSLKEY ? fs.readFileSync(process.env.PGSSLKEY).toString() : undefined,
+ cert: process.env.PGSSLCERT ? fs.readFileSync(process.env.PGSSLCERT).toString() : undefined,
+ }
+ } else {
+ console.error(`PG Environment Variables PGSSLROOTCERT, PGSSLKEY and PGSSLCERT must be specified when PGSSLMODE=${process.env.PGSSLMODE} is specified`)
+ process.exit(-1)
+ }
 case 'no-verify':
 return { rejectUnauthorized: false }
 }
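Review bot: The `else` branch added under `case 'verify-full':` calls `process.exit(-1)` from library code, so an incomplete environment terminates the host application instead of raising an error the caller can catch and log; `throw new Error(...)` with the same message keeps the fail-closed behaviour without the exit. The guard also demands `PGSSLKEY` and `PGSSLCERT` for all three modes, although those are client-certificate settings and server verification needs only the CA; `if (process.env.PGSSLROOTCERT) {` would let the three ternaries inside the returned object do real work, since under the current condition they are always true. As written, a deployment that holds only a CA file cannot use any verifying mode, which risks pushing operators toward `no-verify`. The `switch` in `readSSLConfigFromEnvironment` opens above this hunk, so how callers would handle a thrown error is not visible here.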