Merge pull request #1971 from Kobzol/certificates-async

Make loading of PEM certificates async

Author: Kobzol

Cargo.lock

@@ -18,7 +18,7 @@ libc = "0.2"
 chrono = { version = "0.4", features = ["serde"] }
 lazy_static = "1"
 semver = "1.0"
-reqwest = { version = "0.11", features = ["json"] }
+reqwest = { version = "0.11", features = ["json", "blocking"] }
 xz2 = "0.1.3"
 tar = "0.4"
 tokio = { version = "1.6", features = ["rt", "process"] }

collector/Cargo.toml

@@ -11,13 +11,12 @@ rusqlite = { version = "0.28", features = ["bundled"] }
 tokio-postgres = { version = "0.7", features = ["with-chrono-0_4", "runtime"] }
 anyhow = "1"
 async-trait = "0.1"
-tokio = { version = "1.6", features = ["sync", "macros"] }
+tokio = { version = "1.6", features = ["sync", "macros", "parking_lot"] }
 intern = { path = "../intern" }
 chrono = { version = "0.4.38", features = ["serde"] }
-reqwest = { version = "0.11", features = ["blocking"] }
+reqwest = { version = "0.11" }
 postgres-native-tls = "0.5"
 native-tls = "0.2"
-lazy_static = "1"
 env_logger = "0.10"
 futures-util = "0.3.5"
 log = "0.4"

database/Cargo.toml

@@ -11,6 +11,7 @@ use postgres_native_tls::MakeTlsConnector;
 use std::str::FromStr;
 use std::sync::Arc;
 use std::time::Duration;
+use tokio::sync::Mutex;
 use tokio_postgres::GenericClient;
 use tokio_postgres::Statement;
 
@@ -24,21 +25,10 @@ impl Postgres {
 
 const CERT_URL: &str = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem";
 
-lazy_static::lazy_static! {
-    static ref CERTIFICATE_PEMS: Vec<u8> = {
-        let client = reqwest::blocking::Client::new();
-        let resp = client
-            .get(CERT_URL)
-            .send()
-            .expect("failed to get RDS cert");
-         resp.bytes().expect("failed to get RDS cert body").to_vec()
-    };
-}
-
 async fn make_client(db_url: &str) -> anyhow::Result<tokio_postgres::Client> {
     if db_url.contains("rds.amazonaws.com") {
         let mut builder = TlsConnector::builder();
-        for cert in make_certificates() {
+        for cert in make_certificates().await {
             builder.add_root_certificate(cert);
         }
         let connector = builder.build().context("built TlsConnector")?;
@@ -75,11 +65,28 @@ async fn make_client(db_url: &str) -> anyhow::Result<tokio_postgres::Client> {
         Ok(db_client)
     }
 }
-fn make_certificates() -> Vec<Certificate> {
+async fn make_certificates() -> Vec<Certificate> {
     use x509_cert::der::pem::LineEnding;
     use x509_cert::der::EncodePem;
 
-    let certs = x509_cert::Certificate::load_pem_chain(&CERTIFICATE_PEMS[..]).unwrap();
+    static CERTIFICATE_PEMS: Mutex<Option<Vec<u8>>> = Mutex::const_new(None);
+
+    let mut guard = CERTIFICATE_PEMS.lock().await;
+    if guard.is_none() {
+        let client = reqwest::Client::new();
+        let resp = client
+            .get(CERT_URL)
+            .send()
+            .await
+            .expect("failed to get RDS cert");
+        let certificate_pems = resp
+            .bytes()
+            .await
+            .expect("failed to get RDS cert body")
+            .to_vec();
+        *guard = Some(certificate_pems.clone());
+    }
+    let certs = x509_cert::Certificate::load_pem_chain(&guard.as_ref().unwrap()[..]).unwrap();
     certs
         .into_iter()
         .map(|cert| Certificate::from_pem(cert.to_pem(LineEnding::LF).unwrap().as_bytes()).unwrap())
@@ -1365,9 +1372,9 @@ mod tests {
 
     // Makes sure we successfully parse the RDS certificates and load them into native-tls compatible
     // format.
-    #[test]
-    fn can_make_certificates() {
-        let certs = make_certificates();
+    #[tokio::test]
+    async fn can_make_certificates() {
+        let certs = make_certificates().await;
         assert!(!certs.is_empty());
     }
 }