DSS0200 and DSS0205 uss_qualifier checks to verify ASTM F3548-21 #508

Closed
mickmis opened this issue Feb 13, 2024 · 1 comment
Labels: automated-testing (Related to automated testing tools), enhancement (New feature or request), P1 (High priority)

mickmis commented Feb 13, 2024

As part of #274, we should check DSS0200 and DSS0205.

DSS0205: Proposed approach

Require that the host and port of the DSS instance's CockroachDB is provided in the DSSInstanceSpecification.
Use those with the psycopg library to attempt to establish a connection to the DB, and validate that the connection attempt fails with the correct error message.
Relying on the error message is not great, but from my fiddling it looks like there is no specific error code that is returned. Given that those error messages originate from the underlying libpq, those should be relatively stable, but it's not impossible

Attempt unencrypted connection

Attempt connection with sslmode="disable"; if the connection attempt does not fail with the error message "node is running secure mode, SSL connection required", the check fails.

Attempt encrypted connection with obsolete TLS version

Attempt connection with sslmode="require" and ssl_max_protocol_version="TLSv1.1"; if the connection attempt does not fail with the error message "invalid SSL protocol version range", the check fails.

DSS0200

This is about authentication. It does seem more complicated to test, so suggestions are welcome.

mickmis added the enhancement, automated-testing and P1 labels Feb 13, 2024
mickmis self-assigned this Feb 13, 2024

@BenjaminPelletier
Member

For both authentication (DSS0200) and encryption (DSS0205), I would expect the only likely way an InterUSS DSS implementation could fail to meet these requirements is if a CockroachDB node were in insecure mode. In insecure mode, neither authentication nor encryption are in place, so I would try to detect whether any nodes were in insecure mode and fail both of these requirements if any nodes were found to be in that mode. I believe attempting to connect with psycopg should be a good way to detect insecure mode, but if we use that approach, we should verify (once, manually) that connection is indeed possible to a node in insecure mode. Another possible way to detect insecure mode could be to use the cockroach binary, but I don't know that that has any advantages over psycopg connection attempts.

To perform any kind of operations on CRDB nodes, I think we'll need to make a new resource describing where to find the nodes to test. Note that this resource should be optional because some hypothetical system may use a non-InterUSS DSS which isn't backed by CockroachDB.

The other two means of verifying encryption (sslmode="disable" and attempting TLSv1.1) sound good as well.
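
One way to implement the two connection attempts proposed in this issue, also reporting an accepted connection as the insecure-mode signal raised in the reply (an added example, not uss_qualifier's own code). The function name, finding format, injectable connect parameter and 5-second timeout are assumptions; the expected error strings are the ones quoted in the issue.

```python
from typing import Callable, Dict, List, Optional

# (attempt name, extra connection parameters, expected error substring).
# Parameters and messages are the ones quoted in the issue.
ATTEMPTS = [
    ("unencrypted", {"sslmode": "disable"},
     "node is running secure mode, SSL connection required"),
    ("obsolete_tls",
     {"sslmode": "require", "ssl_max_protocol_version": "TLSv1.1"},
     "invalid SSL protocol version range"),
]


def _psycopg_connect(**params):
    # Imported lazily so the decision logic can be tested without the driver.
    import psycopg
    return psycopg.connect(**params)


def check_crdb_encryption(host: str, port: int,
                          connect: Optional[Callable] = None) -> List[Dict[str, str]]:
    """Run both attempts against one CockroachDB node.

    Returns one finding per attempt that did not fail with the expected
    message; an empty list means the node passed. `connect` is a hypothetical
    hook so a fake can stand in for psycopg in tests.
    """
    connect = connect or _psycopg_connect
    findings = []
    for name, extra, expected in ATTEMPTS:
        try:
            conn = connect(host=host, port=port, connect_timeout=5, **extra)
        except Exception as exc:  # psycopg reports these as OperationalError
            message = str(exc)
            if expected not in message:
                # Failed, but not for the reason the check relies on
                # (e.g. node unreachable): the proposal treats this as a failure.
                findings.append({"attempt": name, "reason": "unexpected_error",
                                 "detail": message})
            continue
        conn.close()
        # The node accepted a connection it should have refused, which is
        # what a node running in insecure mode would do.
        findings.append({"attempt": name, "reason": "connection_succeeded",
                         "detail": "node accepted a connection it should refuse"})
    return findings
```

Because the verdict depends on libpq's message text, a finding with reason unexpected_error should be read alongside its detail field before concluding the node is misconfigured.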
