Postgres: Add SSL support for datasource (#21341)

* Add SSL certificate/key fields to Postgres data source configuration Co-authored-by: Edwin Cordeiro <edwin@scordeiro.net> Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2024-12-28 01:41:24 -06:00 · 2020-04-09 22:48:29 +12:00 · 2020-04-09 22:48:29 +12:00 · 1f0e1b33bc
commit 1f0e1b33bc
parent 94f2a3ebae
3 changed files with 85 additions and 21 deletions
--- a/docs/sources/administration/provisioning.md
+++ b/docs/sources/administration/provisioning.md
@ -160,6 +160,9 @@ Since not all datasources have the same configuration settings we only have the
 | tsdbVersion | string | OpenTSDB | Version |
 | tsdbResolution | string | OpenTSDB | Resolution |
 | sslmode | string | PostgreSQL | SSLmode. 'disable', 'require', 'verify-ca' or 'verify-full' |
+| sslRootCertFile | string | PostgreSQL | SSL server root certificate file, must be readable by the Grafana user |
+| sslCertFile | string | PostgreSQL | SSL client certificate file, must be readable by the Grafana user |
+| sslKeyFile | string | PostgreSQL | SSL client key file, must be readable by *only* the Grafana user |
 | encrypt | string | MSSQL | Connection SSL encryption handling. 'disable', 'false' or 'true' |
 | postgresVersion | number | PostgreSQL | Postgres version as a number (903/904/905/906/1000) meaning v9.3, v9.4, ..., v10 |
 | timescaledb | boolean | PostgreSQL | Enable usage of TimescaleDB extension |
--- a/pkg/tsdb/postgres/postgres.go
+++ b/pkg/tsdb/postgres/postgres.go
@ -2,8 +2,10 @@ package postgres

 import (
 	"database/sql"
+	"fmt"
 	"net/url"
 	"strconv"
+	"strings"

 	"github.com/grafana/grafana/pkg/setting"

@ -20,8 +22,13 @@ func init() {

 func newPostgresQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndpoint, error) {
 	logger := log.New("tsdb.postgres")
+	logger.Debug("Creating Postgres query endpoint")
+
+	cnnstr, err := generateConnectionString(datasource, logger)
+	if err != nil {
+		return nil, err
+	}

-	cnnstr := generateConnectionString(datasource)
 	if setting.Env == setting.DEV {
 		logger.Debug("getEngine", "connection", cnnstr)
 	}
@ -39,19 +46,51 @@ func newPostgresQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndp

 	timescaledb := datasource.JsonData.Get("timescaledb").MustBool(false)

-	return sqleng.NewSqlQueryEndpoint(&config, &queryResultTransformer, newPostgresMacroEngine(timescaledb), logger)
+	endpoint, err := sqleng.NewSqlQueryEndpoint(&config, &queryResultTransformer, newPostgresMacroEngine(timescaledb), logger)
+	if err == nil {
+		logger.Debug("Successfully connected to Postgres")
+	} else {
+		logger.Debug("Failed connecting to Postgres", "err", err)
+	}
+	return endpoint, err
 }

-func generateConnectionString(datasource *models.DataSource) string {
-	sslmode := datasource.JsonData.Get("sslmode").MustString("verify-full")
+func generateConnectionString(datasource *models.DataSource, logger log.Logger) (string, error) {
+	sslMode := strings.TrimSpace(strings.ToLower(datasource.JsonData.Get("sslmode").MustString("verify-full")))
+	isSSLDisabled := sslMode == "disable"
+
+	// Always pass SSL mode
+	sslOpts := fmt.Sprintf("sslmode=%s", url.QueryEscape(sslMode))
+	if isSSLDisabled {
+		logger.Debug("Postgres SSL is disabled")
+	} else {
+		logger.Debug("Postgres SSL is enabled", "sslMode", sslMode)
+
+		// Attach root certificate if provided
+		if sslRootCert := datasource.JsonData.Get("sslRootCertFile").MustString(""); sslRootCert != "" {
+			logger.Debug("Setting server root certificate", "sslRootCert", sslRootCert)
+			sslOpts = fmt.Sprintf("%s&sslrootcert=%s", sslOpts, url.QueryEscape(sslRootCert))
+		}
+
+		// Attach client certificate and key if both are provided
+		sslCert := datasource.JsonData.Get("sslCertFile").MustString("")
+		sslKey := datasource.JsonData.Get("sslKeyFile").MustString("")
+		if sslCert != "" && sslKey != "" {
+			logger.Debug("Setting SSL client auth", "sslCert", sslCert, "sslKey", sslKey)
+			sslOpts = fmt.Sprintf("%s&sslcert=%s&sslkey=%s", sslOpts, url.QueryEscape(sslCert), url.QueryEscape(sslKey))
+		} else if sslCert != "" || sslKey != "" {
+			return "", fmt.Errorf("SSL client certificate and key must both be specified")
+		}
+	}
+
 	u := &url.URL{
 		Scheme: "postgres",
 		User:   url.UserPassword(datasource.User, datasource.DecryptedPassword()),
 		Host:   datasource.Url, Path: datasource.Database,
-		RawQuery: "sslmode=" + url.QueryEscape(sslmode),
+		RawQuery: sslOpts,
 	}

-	return u.String()
+	return u.String(), nil
 }

 type postgresQueryResultTransformer struct {
--- a/public/app/plugins/datasource/postgres/partials/config.html
+++ b/public/app/plugins/datasource/postgres/partials/config.html
@ -3,18 +3,18 @@

 <div class="gf-form-group">
 	<div class="gf-form max-width-30">
-		<span class="gf-form-label width-7">Host</span>
+		<span class="gf-form-label width-10">Host</span>
 		<input type="text" class="gf-form-input" ng-model='ctrl.current.url' placeholder="localhost:5432" bs-typeahead="{{['localhost:5432', 'localhost:5433']}}" required></input>
 	</div>

 	<div class="gf-form max-width-30">
-		<span class="gf-form-label width-7">Database</span>
+		<span class="gf-form-label width-10">Database</span>
 		<input type="text" class="gf-form-input" ng-model='ctrl.current.database' placeholder="database name" required></input>
 	</div>

 	<div class="gf-form-inline">
 		<div class="gf-form max-width-15">
-			<span class="gf-form-label width-7">User</span>
+			<span class="gf-form-label width-10">User</span>
 			<input type="text" class="gf-form-input" ng-model='ctrl.current.user' placeholder="user"></input>
 		</div>
    <div class="gf-form">
@ -26,17 +26,40 @@
        inputWidth="9"
      />
    </div>
-	</div>
-
-	<div class="gf-form">
-		<label class="gf-form-label width-7">SSL Mode</label>
-		<div class="gf-form-select-wrapper max-width-15 gf-form-select-wrapper--has-help-icon">
-			<select class="gf-form-input" ng-model="ctrl.current.jsonData.sslmode" ng-options="mode for mode in ['disable', 'require', 'verify-ca', 'verify-full']" ng-init="ctrl.current.jsonData.sslmode"></select>
-			<info-popover mode="right-absolute">
-				This option determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server.
-			</info-popover>
-		</div>
-	</div>
+  </div>
+  <div class="gf-form">
+    <label class="gf-form-label width-10">SSL Mode</label>
+    <div class="gf-form-select-wrapper max-width-15 gf-form-select-wrapper--has-help-icon">
+      <select class="gf-form-input" ng-model="ctrl.current.jsonData.sslmode" ng-options="mode for mode in ['disable', 'require', 'verify-ca', 'verify-full']" ng-init="ctrl.current.jsonData.sslmode"></select>
+      <info-popover mode="right-absolute">
+        This option determines whether or with what priority a secure SSL (TLS) TCP/IP connection will be negotiated with the server.
+      </info-popover>
+    </div>
+  </div>
+  <div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
+    <span class="gf-form-label width-10">SSL Root Certificate</span>
+    <input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslRootCertFile' placeholder="SSL/TLS root cert file"></input>
+    <info-popover mode="right-absolute">
+      If the selected SSL mode requires a server root certificate, provide the path to the file here.
+      Be sure that the file is readable by the user executing the grafana process.
+    </info-popover>
+  </div>
+  <div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
+    <span class="gf-form-label width-10">SSL Client Certificate</span>
+    <input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslCertFile' placeholder="SSL/TLS client cert file"></input>
+    <info-popover mode="right-absolute">
+      To authenticate with an SSL/TLS client certificate, provide the path to the file here.
+      Be sure that the file is readable by the user executing the grafana process.
+    </info-popover>
+  </div>
+  <div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
+    <span class="gf-form-label width-10">SSL Client Key</span>
+    <input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslKeyFile' placeholder="SSL/TLS client key file"></input>
+    <info-popover mode="right-absolute">
+      To authenticate with a client SSL/TLS certificate, provide the path to the corresponding key file here.
+      Be sure that the file is <i>only</i> readable by the user executing the grafana process.
+    </info-popover>
+  </div>
 </div>

 <b>Connection limits</b>
@ -132,4 +155,3 @@
 		</p>
 	</div>
 </div>
-