Fix PostgreSQL 15 SSL authentication and test with SSL

scram_sha_256 auth requires lua-resty-openssl, which currently has some
issues with the latest OpenResty versions, so temporarily patch it.

Author: GUI

Dockerfile

@@ -62,7 +62,7 @@ COPY src/api-umbrella/web-app/package.json src/api-umbrella/web-app/pnpm-lock.ya
 COPY tasks/app-deps/web-app/pnpm /app/tasks/app-deps/web-app/
 RUN make app-deps:web-app:pnpm && make clean:dev
 
-COPY build/patches/lrexlib-pcre2.patch /app/build/patches/
+COPY build/patches/lrexlib-pcre2.patch build/patches/lua-resty-openssl.patch /app/build/patches/
 COPY tasks/app-deps/luarocks /app/tasks/app-deps/
 RUN make app-deps:luarocks && make clean:dev
 

Dockerfile-postgres

@@ -0,0 +1,6 @@
+FROM public.ecr.aws/docker/library/postgres:15.10-bookworm
+COPY ./test/config/ssl_test.crt /var/lib/postgresql/server.crt
+COPY ./test/config/ssl_test.key /var/lib/postgresql/server.key
+RUN chown postgres /var/lib/postgresql/server.key /var/lib/postgresql/server.key && chmod 600 /var/lib/postgresql/server.key
+
+CMD ["postgres", "-c", "ssl=on", "-c", "ssl_cert_file=/var/lib/postgresql/server.crt", "-c", "ssl_key_file=/var/lib/postgresql/server.key"]

build/patches/lua-resty-openssl.patch

@@ -0,0 +1,34 @@
+diff --git a/lib/resty/openssl/auxiliary/nginx.lua b/lib/resty/openssl/auxiliary/nginx.lua
+index 5755d8a..540cbc1 100644
+--- a/lib/resty/openssl/auxiliary/nginx.lua
++++ b/lib/resty/openssl/auxiliary/nginx.lua
+@@ -44,8 +44,9 @@ else
+   local ngx_has_http_v3 = ngx_configure and ngx_configure:find("--with-http_v3_module", 1, true)
+   -- https://github.com/nginx/nginx/blob/master/src/core/ngx_connection.h
+   if ngx_version == 1017008 or ngx_version == 1019003 or ngx_version == 1019009 
+-    or ngx_version == 1021004 or (not ngx_has_http_v3 and ngx_version == 1025003) then
+-    -- 1.17.8, 1.19.3, 1.19.9, 1.21.4, 1.25.3
++    or ngx_version == 1021004
++    or (not ngx_has_http_v3 and (ngx_version == 1025003 or ngx_version == 1027001)) then
++    -- 1.17.8, 1.19.3, 1.19.9, 1.21.4, 1.25.3, 1.27.1
+     ffi.cdef [[
+     typedef struct ngx_proxy_protocol_s ngx_proxy_protocol_t;
+ 
+@@ -82,7 +83,7 @@ else
+       // trimmed
+     } ngx_connection_s;
+   ]]
+-  elseif ngx_has_http_v3 and ngx_version == 1025003 then
++  elseif ngx_has_http_v3 and (ngx_version == 1025003 or ngx_version == 1027001) then
+     -- 1.25.3
+     ffi.cdef [[
+     typedef struct ngx_proxy_protocol_s ngx_proxy_protocol_t;
+@@ -255,7 +256,7 @@ else
+         ngx.config.ngx_lua_version and
+         ngx.config.ngx_lua_version
+ 
+-  if ngx_lua_version >= 10019 and ngx_lua_version <= 10026 then
++  if ngx_lua_version >= 10019 and ngx_lua_version <= 10027 then
+     -- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
+     ffi.cdef[[
+       typedef struct {

config/test.yml

@@ -98,6 +98,8 @@ fluent_bit:
 geoip:
   db_update_frequency: false
 postgresql:
+  ssl: true
+  ssl_required: true
   database: api_umbrella_test
   password: dev_password
   migrations:

docker-compose.ci.yml

@@ -9,7 +9,9 @@ services:
       - postgres
       - opensearch
   postgres:
-    image: postgres:15.10-bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile-postgres
     environment:
       POSTGRES_PASSWORD: dev_password
     healthcheck:

docker-compose.yml

@@ -24,7 +24,9 @@ services:
       - postgres
       - opensearch
   postgres:
-    image: postgres:15.10-bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile-postgres
     environment:
       POSTGRES_PASSWORD: dev_password
     volumes:

tasks/app-deps/luarocks

@@ -17,6 +17,13 @@ extra_args=(
 
 luarocks_install "./api-umbrella-git-1.rockspec" "git-1" "${extra_args[@]}"
 
+# Temporary workaround for lua-resty-openssl and OpenResty 1.27:
+# https://github.com/fffonion/lua-resty-openssl/pull/200
+(
+  cd "${APP_VENDOR_LUA_SHARE_DIR}/resty/openssl"
+  patch -p4 < "$SOURCE_DIR/build/patches/lua-resty-openssl.patch"
+)
+
 # lrexlib-pcre2
 (
   lrexlib_pcre2_version="2.9.2-1"