From 77fb77003e91a21db953d1f96be1907c5c238fea Mon Sep 17 00:00:00 2001
From: Zane Geiger
Date: Tue, 26 Feb 2019 16:48:10 -0600
Subject: [PATCH 1/6] Add attribute to allow SSL connections to PostgreSQL
Signed-off-by: Zane Geiger
---
 .../opscode-pushy-server/attributes/default.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/attributes/default.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/attributes/default.rb
index 7f0f563a..5b381f9a 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/attributes/default.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/attributes/default.rb
@@ -77,6 +77,7 @@
 default['pushy']['postgresql']['sql_ro_user'] = "opscode_pushy_ro"
 default['pushy']['postgresql']['vip'] = "127.0.0.1"
 default['pushy']['postgresql']['port'] = 5432
+default['pushy']['postgresql']['sslmode'] = 'disable'
 
 ####
 # Chef Pedant
From 062003b714b402e22e2f276a165be23e65d28021 Mon Sep 17 00:00:00 2001
From: Zane Geiger
Date: Tue, 26 Feb 2019 16:58:33 -0600
Subject: [PATCH 2/6] Pass PostgreSQL ssl attribute to service config template
Signed-off-by: Zane Geiger
---
 .../templates/default/opscode-pushy-server.config.erb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/templates/default/opscode-pushy-server.config.erb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/templates/default/opscode-pushy-server.config.erb
index 4b4c376f..601aa251 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/templates/default/opscode-pushy-server.config.erb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/templates/default/opscode-pushy-server.config.erb
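Review bot: The fallback chosen here is `'disable'`, while the `pg_sqitch` resource added in patch 6 of this series defaults its `sslmode` property to `"prefer"`, so whenever no Chef server value is inherited the service connection and the sqitch migrations disagree on whether TLS to PostgreSQL is even attempted. Pick one fallback for both places and say what the attribute means, e.g. `# libpq sslmode for every pushy -> PostgreSQL connection; normally inherited from node['private_chef']['postgresql']['sslmode']`. Keep in mind that `'disable'` means the database password travels in cleartext on any deployment where the inherited value does not override it.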
@@ -79,6 +79,7 @@
 {db_port, <%= node['pushy']['postgresql']['port'] %>},
 {db_user, "<%= node['pushy']['postgresql']['sql_user'] %>"},
 {db_name, "opscode_pushy" },
+ {db_options, [{ssl, <%= { 'disable' => false, 'prefer' => true, 'require' => 'required' }[node['pushy']['postgresql']['sslmode']] %>}]},
 {idle_check, 10000},
 {prepared_statements, {pushy_sql, statements, []} },
 {column_transforms, []}
From dd6cd00d4c7c0eea9657db8c421b3d72865c215b Mon Sep 17 00:00:00 2001
From: Zane Geiger
Date: Tue, 26 Feb 2019 16:59:23 -0600
Subject: [PATCH 3/6] Inherit sslmode attribute from Chef server settings
Signed-off-by: Zane Geiger
---
 .../opscode-pushy-server/libraries/pushy_server.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/pushy_server.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/pushy_server.rb
index b271027d..c681329a 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/pushy_server.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/pushy_server.rb
@@ -54,6 +54,7 @@ def generate_config(node_name)
 PushJobsServer['postgresql']['vip'] = node['private_chef']['postgresql']['vip']
 PushJobsServer['postgresql']['port'] = node['private_chef']['postgresql']['port']
 PushJobsServer['postgresql']['db_superuser'] = node['private_chef']['postgresql']['db_superuser']
+ PushJobsServer['postgresql']['sslmode'] = node['private_chef']['postgresql']['sslmode']
 
 topology = node['private_chef']['topology']
 case topology
From e7bc6cda4d851396a0dba6a73864dcc876fabe57 Mon Sep 17 00:00:00 2001
From: Zane Geiger
Date: Tue, 26 Feb 2019 17:00:02 -0600
Subject: [PATCH 4/6] Fix sqitch and ec_postgres to respect sslmode attribute
Signed-off-by: Zane Geiger
---
 .../opscode-pushy-server/libraries/ec_postgres.rb | 1 +
 .../opscode-pushy-server/providers/pg_sqitch.rb | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
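Review bot: The inline hash lookup on the added `db_options` line yields nil for every sslmode it does not list — nil itself (attribute unset), `allow`, `verify-ca`, `verify-full` — and the template then renders `{ssl, }`, which is not a valid Erlang term, so the failure surfaces as a config parse error at service start rather than at chef-client time. Replacing the `[...]` index with `.fetch(node['pushy']['postgresql']['sslmode'])` raises KeyError during the converge with the offending value in the message, which is the better place to fail. The `verify-*` modes cannot be expressed by this three-way mapping at all (they require CA material, not just `required`), so either reject them here or document next to this line that only disable/prefer/require are supported by the service config.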
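Review bot: Unlike `vip` and `port`, `sslmode` is a new Chef server attribute, so on a Chef server whose cookbooks do not define `node['private_chef']['postgresql']['sslmode']` the added line appears to overwrite the cookbook default from attributes/default.rb with nil, and that nil then feeds the template lookup in opscode-pushy-server.config.erb and the connection hash in ec_postgres.rb. Guard the inheritance so the default survives an older server: `PushJobsServer['postgresql']['sslmode'] = node['private_chef']['postgresql']['sslmode'] if node['private_chef']['postgresql']['sslmode']`. generate_config continues outside the hunk.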
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/ec_postgres.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/ec_postgres.rb
index 6f15a420..56e1a82b 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/ec_postgres.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/libraries/ec_postgres.rb
@@ -8,6 +8,7 @@ def self.with_connection(node, database = 'template1', opts = {})
 'host' => postgres['vip'],
 'password' => password,
 'port' => postgres['port'],
+ 'sslmode' => postgres['sslmode'],
 'dbname' => database)
 begin
 yield connection
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb
index e66f4cb6..ccf4be7d 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb
@@ -19,7 +19,8 @@ def whyrun_supported?
 deploy #{target} --verify
 EOM
 environment "PERL5LIB" => "", # force us to use omnibus perl
- "PGPASSWORD" => new_resource.password
+ "PGPASSWORD" => new_resource.password,
+ "PGSSLMODE" => node['pushy']['postgresql']['sslmode']
 
 # Sqitch Return Codes
 # 0 - when changes are applied
From 276633fa6b2fb9d3965fd712115c736f6131b5df Mon Sep 17 00:00:00 2001
From: Zane Geiger
Date: Tue, 26 Feb 2019 17:00:12 -0600
Subject: [PATCH 5/6] Bump opscode-pushy-server cookbook version
Signed-off-by: Zane Geiger
---
 .../pushy-server-cookbooks/opscode-pushy-server/metadata.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/metadata.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/metadata.rb
index 21cb9fc3..c5b8adff 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/metadata.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/metadata.rb
@@ -4,6 +4,6 @@
 license "Apache 2.0"
 description "Installs/Configures opscode-pushy-server"
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version "0.1.0"
+version "0.2.0"
 
 depends 'enterprise' # grabbed via Berkshelf + Git
From a0e1c46d98b4703fb954e58fcb83470487bad288 Mon Sep 17 00:00:00 2001
From: Zane Geiger
Date: Mon, 4 Mar 2019 15:35:09 -0600
Subject: [PATCH 6/6] Add sslmode property to pg_sqitch resource
Signed-off-by: Zane Geiger
---
 .../opscode-pushy-server/providers/pg_sqitch.rb | 2 +-
 .../opscode-pushy-server/recipes/push_database.rb | 1 +
 .../opscode-pushy-server/resources/pg_sqitch.rb | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb
index ccf4be7d..82d08116 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/providers/pg_sqitch.rb
@@ -20,7 +20,7 @@ def whyrun_supported?
 EOM
 environment "PERL5LIB" => "", # force us to use omnibus perl
 "PGPASSWORD" => new_resource.password,
- "PGSSLMODE" => node['pushy']['postgresql']['sslmode']
+ "PGSSLMODE" => new_resource.sslmode
 
 # Sqitch Return Codes
 # 0 - when changes are applied
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/recipes/push_database.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/recipes/push_database.rb
index e34644b6..148b226b 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/recipes/push_database.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/recipes/push_database.rb
@@ -55,4 +55,5 @@
 username push_attrs['db_superuser']
 password PushServer::Secrets.veil.get('postgresql', 'db_superuser_password')
 database database_name
+ sslmode push_attrs['sslmode']
 end
diff --git a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/resources/pg_sqitch.rb b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/resources/pg_sqitch.rb
index cbe721c6..858f0c16 100644
--- a/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/resources/pg_sqitch.rb
+++ b/omnibus/files/pushy-server-cookbooks/opscode-pushy-server/resources/pg_sqitch.rb
@@ -7,4 +7,5 @@
 attribute :password, kind_of: String, required: false, default: ""
 attribute :target_version, kind_of: String
 attribute :hostname, kind_of: String, required: true
-attribute :port, kind_of: Integer, required: true
\ No newline at end of file
+attribute :port, kind_of: Integer, required: true
+attribute :sslmode, kind_of: String, required: false, default: "prefer"
\ No newline at end of file
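Review bot: The new `sslmode` attribute accepts any String, but libpq understands only a fixed vocabulary and the template in opscode-pushy-server.config.erb understands an even smaller one, so a typo is discovered only when sqitch (via `PGSSLMODE`) or the service fails to connect. Constrain it at the resource so the converge fails with a clear validation error instead: `attribute :sslmode, kind_of: String, required: false, default: "prefer", equal_to: %w[disable allow prefer require verify-ca verify-full]`. A style point while the last line is being touched: the file still ends without a trailing newline, as the `\ No newline at end of file` marker shows on both sides of the hunk.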