feat: validate RDS certificate

mbta · Nov 24, 2023 · d52669e · d52669e
1 parent 7e37627
commit d52669e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -13,6 +13,10 @@ RUN apt-get update --allow-releaseinfo-change && \
 RUN mix local.hex --force && \
   mix local.rebar --force
 
+RUN curl https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem \
+  -o /root/aws-cert-bundle.pem
+RUN echo "2c151768edd48e9ef6719de74fdcbdebe290d1e87bc02ce9014ea6eea557d2a0 /root/aws-cert-bundle.pem" | sha256sum -c -
+
 # Instructions from:
 # https://github.com/nodesource/distributions#debian-versions
 
@@ -47,6 +51,7 @@ RUN mix phx.digest
 RUN mix compile
 
 COPY config/runtime.exs config
+RUN cp /root/aws-cert-bundle.pem priv/
 
 RUN mix release
 

diff --git a/lib/arrow/repo.ex b/lib/arrow/repo.ex
@@ -20,6 +20,15 @@ defmodule Arrow.Repo do
     token = mod.generate_db_auth_token(hostname, username, port, %{})
     :ok = Logger.info("generated_aws_rds_iam_auth_token")
 
-    Keyword.put(config, :password, token)
+    Keyword.merge(config,
+      password: token,
+      ssl_opts: [
+        cacertfile: Path.join(:code.priv_dir(:arrow), "aws-cert-bundle.pem"),
+        verify: :verify_peer,
+        server_name_indication: String.to_charlist(hostname),
+        verify_fun:
+          {&:ssl_verify_hostname.verify_fun/3, [check_hostname: String.to_charlist(hostname)]}
+      ]
+    )
   end
 end