Merge pull request #3393 from bpatath/feature/add-ssl-to-mysql

Add SSL conf to MySQL and LDAP
2024-11-28 03:34:32 -06:00 · 2020-05-29 06:13:16 +02:00 · 2020-05-29 06:13:16 +02:00 · be8a0ddb3e
commit be8a0ddb3e
parent 49b1a6d844 8aa7776072
3 changed files with 59 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -65,6 +65,17 @@ DB_DATABASE=firefly
 DB_USERNAME=firefly
 DB_PASSWORD=secret_firefly_password

+# MySQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MYSQL_USE_SSL=false
+MYSQL_SSL_VERIFY_SERVER_CERT=true
+# You need to set at least of these options
+MYSQL_SSL_CAPATH=/etc/ssl/certs/
+MYSQL_SSL_CA=
+MYSQL_SSL_CERT=
+MYSQL_SSL_KEY=
+MYSQL_SSL_CIPHER=
+
 # PostgreSQL supports SSL. You can configure it here.
 # If you use Docker or similar, you can set these variables from a file by appending them with _FILE
 PGSQL_SSL_MODE=prefer
@ -170,8 +181,16 @@ ADLDAP_PORT=389
 ADLDAP_TIMEOUT=5
 ADLDAP_BASEDN=""
 ADLDAP_FOLLOW_REFFERALS=false
+
+# SSL/TLS settings
 ADLDAP_USE_SSL=false
 ADLDAP_USE_TLS=false
+ADLDAP_SSL_CACERTDIR=
+ADLDAP_SSL_CACERTFILE=
+ADLDAP_SSL_CERTFILE=
+ADLDAP_SSL_KEYFILE=
+ADLDAP_SSL_CIPHER_SUITE=
+ADLDAP_SSL_REQUIRE_CERT=

 # You can set the following variables from a file by appending them with _FILE:
 ADLDAP_ADMIN_USERNAME=
--- a/config/database.php
+++ b/config/database.php
@ -39,6 +39,26 @@ if (!(false === $databaseUrl)) {
    $database = substr($options['path'] ?? '/firefly', 1);
 }

+/*
+ * Get SSL parameters from .env file.
+ */
+$mysql_ssl_ca_dir =  envNonEmpty('MYSQL_SSL_CAPATH',             null);
+$mysql_ssl_ca_file = envNonEmpty('MYSQL_SSL_CA',                 null);
+$mysql_ssl_cert =    envNonEmpty('MYSQL_SSL_CERT',               null);
+$mysql_ssl_key =     envNonEmpty('MYSQL_SSL_KEY',                null);
+$mysql_ssl_ciphers = envNonEmpty('MYSQL_SSL_CIPHER',             null);
+$mysql_ssl_verify  = envNonEmpty('MYSQL_SSL_VERIFY_SERVER_CERT', null);
+
+$mysql_ssl_options = [];
+if (!(false === envNonEmpty('MYSQL_USE_SSL', false))) {
+    if ($mysql_ssl_ca_dir  !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CAPATH            ] = $mysql_ssl_ca_dir;
+    if ($mysql_ssl_ca_file !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CA                ] = $mysql_ssl_ca_file;
+    if ($mysql_ssl_cert    !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CERT              ] = $mysql_ssl_cert;
+    if ($mysql_ssl_key     !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_KEY               ] = $mysql_ssl_key;
+    if ($mysql_ssl_ciphers !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_CIPHER            ] = $mysql_ssl_ciphers;
+    if ($mysql_ssl_verify  !== null) $mysql_ssl_options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $mysql_ssl_verify;
+}
+
 return [
    'default'     => envNonEmpty('DB_CONNECTION', 'pgsql'),
    'connections' => [
@ -60,6 +80,7 @@ return [
            'prefix'      => '',
            'strict'      => true,
            'engine'      => 'InnoDB',
+            'options'     => $mysql_ssl_options,
        ],
        'pgsql'  => [
            'driver'      => 'pgsql',
--- a/config/ldap.php
+++ b/config/ldap.php
@ -38,6 +38,24 @@ if ('ActiveDirectory' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) {
    $schema = ActiveDirectory::class;
 }

+/*
+ * Get SSL parameters from .env file.
+ */
+$ssl_ca_dir =  envNonEmpty('ADLDAP_SSL_CACERTDIR', null);
+$ssl_ca_file = envNonEmpty('ADLDAP_SSL_CACERTFILE', null);
+$ssl_cert =    envNonEmpty('ADLDAP_SSL_CERTFILE', null);
+$ssl_key =     envNonEmpty('ADLDAP_SSL_KEYFILE', null);
+$ssl_ciphers = envNonEmpty('ADLDAP_SSL_CIPHER_SUITE', null);
+$ssl_require = envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null);
+
+$ssl_options = [];
+if ($ssl_ca_dir  !== null) $ssl_options[LDAP_OPT_X_TLS_CACERTDIR   ] = $ssl_ca_dir;
+if ($ssl_ca_file !== null) $ssl_options[LDAP_OPT_X_TLS_CACERTFILE  ] = $ssl_ca_file;
+if ($ssl_cert    !== null) $ssl_options[LDAP_OPT_X_TLS_CERTFILE    ] = $ssl_cert;
+if ($ssl_key     !== null) $ssl_options[LDAP_OPT_X_TLS_KEYFILE     ] = $ssl_key;
+if ($ssl_ciphers !== null) $ssl_options[LDAP_OPT_X_TLS_CIPHER_SUITE] = $ssl_ciphers;
+if ($ssl_require !== null) $ssl_options[LDAP_OPT_X_TLS_REQUIRE_CERT] = $ssl_require;
+
 return [
    /*
    |--------------------------------------------------------------------------
@ -254,6 +272,7 @@ return [
                'use_ssl' => env('ADLDAP_USE_SSL', false),
                'use_tls' => env('ADLDAP_USE_TLS', false),

+                'custom_options' => $ssl_options,
            ],

        ],