elixir-ecto · chrismccord · May 17, 2024
diff --git a/lib/ecto/repo/supervisor.ex b/lib/ecto/repo/supervisor.ex
@@ -25,7 +25,8 @@ defmodule Ecto.Repo.Supervisor do
     case repo_init(type, repo, config) do
       {:ok, config} ->
         {url, config} = Keyword.pop(config, :url)
-        {:ok, Keyword.merge(config, parse_url(url || ""))}
+        ssl_opts = Keyword.get(config, :ssl_opts, [])
+        {:ok, Keyword.merge(config, parse_url(url || "", ssl_opts))}
 
       :ignore ->
         :ignore
@@ -84,9 +85,10 @@ defmodule Ecto.Repo.Supervisor do
       "ecto://username:password@hostname:port/database?ssl=true&timeout=1000"
 
   """
-  def parse_url(""), do: []
+  def parse_url(url, ssl_opts \\ [])
+  def parse_url("", _ssl_opts), do: []
 
-  def parse_url(url) when is_binary(url) do
+  def parse_url(url, ssl_opts) when is_binary(url) do
     info = URI.parse(url)
 
     if is_nil(info.host) do
@@ -109,7 +111,7 @@ defmodule Ecto.Repo.Supervisor do
     ]
 
     url_opts = put_hostname_if_present(url_opts, info.host)
-    query_opts = parse_uri_query(info)
+    query_opts = parse_uri_query(info, ssl_opts)
 
     for {k, v} <- url_opts ++ query_opts,
         not is_nil(v),
@@ -124,10 +126,10 @@ defmodule Ecto.Repo.Supervisor do
     Keyword.put(keyword, :hostname, hostname)
   end
 
-  defp parse_uri_query(%URI{query: nil}),
+  defp parse_uri_query(%URI{query: nil}, _ssl_opts),
     do: []
 
-  defp parse_uri_query(%URI{query: query} = url) do
+  defp parse_uri_query(%URI{query: query} = url, ssl_opts) do
     query
     |> URI.query_decoder()
     |> Enum.reduce([], fn
@@ -137,6 +139,17 @@ defmodule Ecto.Repo.Supervisor do
       {"ssl", "false"}, acc ->
         [{:ssl, false}] ++ acc
 
+      {"sslmode", "verify-full"}, acc ->
+        if Keyword.take(ssl_opts, [:server_name_indication, :customize_hostname_check]) == [] do
+          new_ssl_opts = [
+            server_name_indication: url.host,
+            customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
+          ]
+          [ssl: true, ssl_opts: Keyword.merge(ssl_opts, new_ssl_opts)] ++ acc
+        else
+          [ssl: true] ++ acc
+        end
+
       {key, value}, acc when key in @integer_url_query_params ->
         [{String.to_atom(key), parse_integer!(key, value, url)}] ++ acc
 

diff --git a/mix.exs b/mix.exs
@@ -25,7 +25,7 @@ defmodule Ecto.MixProject do
 
   def application do
     [
-      extra_applications: [:logger, :crypto, :eex],
+      extra_applications: [:logger, :crypto, :eex, :public_key],
       mod: {Ecto.Application, []}
     ]
   end

diff --git a/test/ecto/repo/supervisor_test.exs b/test/ecto/repo/supervisor_test.exs
@@ -168,6 +168,26 @@ defmodule Ecto.Repo.SupervisorTest do
       assert {:ssl, false} in parse_url(encoded_url)
     end
 
+    test "supports sslmode=verify-full query string option" do
+      url = "ecto://eric:it+й@host:12345/mydb"
+
+      encoded_url = URI.encode("#{url}?sslmode=verify-full")
+      config = parse_url(encoded_url)
+
+      assert {:ssl, true} in config
+      assert {:ssl_opts,
+              server_name_indication: "host",
+              customize_hostname_check: [
+                match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+              ]} in config
+
+      # does not override if ssl_opts user defined keys exist
+      encoded_url = URI.encode("#{url}?sslmode=verify-full")
+      config = parse_url(encoded_url, [server_name_indication: "custom-host"])
+      assert {:ssl, true} in config
+      refute Keyword.has_key?(config, :ssl_opts)
+    end
+
     test "supports camelCase query string options" do
       encoded_url = URI.encode("ecto://eric:it+й@host:12345/mydb?currentSchema=my_schema")
       assert {:currentSchema, "my_schema"} in parse_url(encoded_url)