From 7ccbb37c4e1f5b879921f1a8df0f2da0a5688c4f Mon Sep 17 00:00:00 2001
From: Nick Ufer
Date: Fri, 8 Oct 2021 08:28:32 +0200
Subject: [PATCH] feat: adds mysql tls support (#979)
---
 install/lib/class.FroxlorInstall.php | 27 +++++++++++++++++++++++++++
 install/lng/english.lng.php | 2 ++
 install/lng/german.lng.php | 2 ++
 lib/Froxlor/Database/Database.php | 13 ++++++++++++-
 lib/Froxlor/Dns/PowerDNS.php | 5 +++++
 5 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/install/lib/class.FroxlorInstall.php b/install/lib/class.FroxlorInstall.php
index 62c6a66a..7669381b 100644
--- a/install/lib/class.FroxlorInstall.php
+++ b/install/lib/class.FroxlorInstall.php
@@ -168,6 +168,8 @@ class FroxlorInstall
 $this->_getPostField('mysql_unpriv_pass');
 $this->_getPostField('mysql_root_user', 'root');
 $this->_getPostField('mysql_root_pass');
+ $this->_getPostField('mysql_ssl_ca_file');
+ $this->_getPostField('mysql_ssl_verify_server_certificate', 0);
 $this->_getPostField('admin_user', 'admin');
 $this->_getPostField('admin_pass1');
 $this->_getPostField('admin_pass2');
@@ -213,6 +215,12 @@ class FroxlorInstall
 $options = array(
 'PDO::MYSQL_ATTR_INIT_COMMAND' => 'SET names utf8'
 );
+
+ if (!empty($this->_data['mysql_ssl_ca_file'])) {
+ $options[\PDO::MYSQL_ATTR_SSL_CA] = $this->_data['mysql_ssl_ca_file'];
+ $options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $this->_data['mysql_ssl_verify_server_certificate'];
+ }
+
 $dsn = "mysql:host=" . $this->_data['mysql_host'] . ";";
 $fatal_fail = false;
 try {
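Review bot: The added `_getPostField('mysql_ssl_verify_server_certificate', 0)` makes "do not verify the server certificate" the installer default, so a fresh install that fills in a CA file but leaves the yes/no control untouched ends up with an encrypted but unauthenticated connection, which is exactly the setup a network-level attacker with a forged certificate can sit in the middle of. Because the TLS options are only applied when a CA file is present (the `!empty($this->_data['mysql_ssl_ca_file'])` guard in the @@ -213 hunk), defaulting to verification costs nothing for installs without TLS: `$this->_getPostField('mysql_ssl_verify_server_certificate', 1);`. The enclosing method starts and ends outside the hunk.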
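Review bot: The five added lines that build the TLS options are repeated verbatim in the @@ -258 and @@ -582 hunks of this file, and the same shape recurs in Database.php and PowerDNS.php; a small private helper on this class that takes the `$options` array, appends the two `\PDO::MYSQL_ATTR_SSL_*` entries when `mysql_ssl_ca_file` is non-empty and returns it would keep the three installer call sites from drifting apart. The CA path is also passed straight to PDO without checking it, so a typo only surfaces later as an opaque connection failure; an `is_readable($this->_data['mysql_ssl_ca_file'])` check next to the other field validation would give the user a direct message. The enclosing method starts before the hunk and the `try` block continues past it.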
@@ -258,6 +266,12 @@ class FroxlorInstall
 $options = array(
 'PDO::MYSQL_ATTR_INIT_COMMAND' => 'SET names utf8'
 );
+
+ if (!empty($this->_data['mysql_ssl_ca_file'])) {
+ $options[\PDO::MYSQL_ATTR_SSL_CA] = $this->_data['mysql_ssl_ca_file'];
+ $options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $this->_data['mysql_ssl_verify_server_certificate'];
+ }
+
 $dsn = "mysql:host=" . $this->_data['mysql_host'] . ";dbname=" . $this->_data['mysql_database'] . ";";
 $another_fail = false;
 try {
@@ -327,10 +341,14 @@ class FroxlorInstall
 $userdata .= "\$sql['user']='" . addcslashes($this->_data['mysql_unpriv_user'], "'\\") . "';\n";
 $userdata .= "\$sql['password']='" . addcslashes($this->_data['mysql_unpriv_pass'], "'\\") . "';\n";
 $userdata .= "\$sql['db']='" . addcslashes($this->_data['mysql_database'], "'\\") . "';\n";
+ $userdata .= "\$sql['ssl']['caFile']='" . addcslashes($this->_data['mysql_ssl_ca_file'], "'\\") . "';\n";
+ $userdata .= "\$sql['ssl']['verifyServerCertificate']='" . addcslashes($this->_data['mysql_ssl_verify_server_certificate'], "'\\") . "';\n";
 $userdata .= "\$sql_root[0]['caption']='Default';\n";
 $userdata .= "\$sql_root[0]['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n";
 $userdata .= "\$sql_root[0]['user']='" . addcslashes($this->_data['mysql_root_user'], "'\\") . "';\n";
 $userdata .= "\$sql_root[0]['password']='" . addcslashes($this->_data['mysql_root_pass'], "'\\") . "';\n";
+ $userdata .= "\$sql_root[0]['ssl']['caFile']='" . addcslashes($this->_data['mysql_ssl_ca_file'], "'\\") . "';\n";
+ $userdata .= "\$sql_root[0]['ssl']['verifyServerCertificate']='" . addcslashes($this->_data['mysql_ssl_verify_server_certificate'], "'\\") . "';\n";
 $userdata .= "// enable debugging to browser in case of SQL errors\n";
 $userdata .= "\$sql['debug'] = false;\n";
 $userdata .= "?>";
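Review bot: The two added `verifyServerCertificate` lines in the @@ -327 hunk persist the yes/no answer as a quoted string (`'0'` or `'1'`), while the `$sql['debug'] = false;` line written just below uses a PHP boolean literal; someone later editing the generated config by hand is likely to copy the boolean style, and writing the flag the same way removes the guesswork, e.g. `$userdata .= "\$sql['ssl']['verifyServerCertificate']=" . (!empty($this->_data['mysql_ssl_verify_server_certificate']) ? 'true' : 'false') . ";\n";` with the matching change on the `$sql_root[0]` line. The `(bool)` cast on the reading side in Database.php accepts either form, so this is presentation only. The enclosing method continues outside the hunk.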
@@ -582,6 +600,12 @@ class FroxlorInstall
 $options = array(
 'PDO::MYSQL_ATTR_INIT_COMMAND' => 'SET names utf8'
 );
+
+ if (!empty($this->_data['mysql_ssl_ca_file'])) {
+ $options[\PDO::MYSQL_ATTR_SSL_CA] = $this->_data['mysql_ssl_ca_file'];
+ $options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $this->_data['mysql_ssl_verify_server_certificate'];
+ }
+
 $dsn = "mysql:host=" . $this->_data['mysql_host'] . ";dbname=" . $this->_data['mysql_database'] . ";";
 $fatal_fail = false;
 try {
@@ -875,6 +899,9 @@ class FroxlorInstall
 }

 $formdata .= $this->_getSectionItemString('mysql_root_pass', true, $style, 'password');
+ $formdata .= $this->_getSectionItemString('mysql_ssl_ca_file', false, $style);
+ $formdata .= $this->_getSectionItemYesNo('mysql_ssl_verify_server_certificate', false, $style);
+
 /**
 * admin data
 */
diff --git a/install/lng/english.lng.php b/install/lng/english.lng.php
index 98967ca6..8701a494 100644
--- a/install/lng/english.lng.php
+++ b/install/lng/english.lng.php
@@ -58,6 +58,8 @@ $lng['install']['mysql_unpriv_user'] = 'Username for the unprivileged MySQL-acco
 $lng['install']['mysql_unpriv_pass'] = 'Password for the unprivileged MySQL-account';
 $lng['install']['mysql_root_user'] = 'Username for the MySQL-root-account';
 $lng['install']['mysql_root_pass'] = 'Password for the MySQL-root-account';
+$lng['install']['mysql_ssl_ca_file'] = 'MySQL server certificate file path';
+$lng['install']['mysql_ssl_verify_server_certificate'] = 'Verify MySQL TLS certificate';
 $lng['install']['admin_account'] = 'Administrator Account';
 $lng['install']['admin_user'] = 'Administrator Username';
 $lng['install']['admin_pass1'] = 'Administrator Password';
diff --git a/install/lng/german.lng.php b/install/lng/german.lng.php
index 62493acb..8cde4390 100644
--- a/install/lng/german.lng.php
+++ b/install/lng/german.lng.php
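Review bot: The `mysql_ssl_ca_file` field added in the @@ -875 hunk is what ends up in `\PDO::MYSQL_ATTR_SSL_CA`, i.e. the trust anchor used to verify the server, yet its English label in this patch reads 'MySQL server certificate file path', which invites users to point it at the wrong file (or to skip it because they have no "server certificate" at hand). A label along the lines of 'Path to the CA certificate file used to verify the MySQL server' for both languages would remove that ambiguity, and the yes/no field that follows deserves a hint that it only takes effect when a CA file is given. The enclosing method starts and ends outside the hunk.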
@@ -58,6 +58,8 @@ $lng['install']['mysql_unpriv_user'] = 'Benutzername für den unprivilegierten M
 $lng['install']['mysql_unpriv_pass'] = 'Passwort für den unprivilegierten MySQL-Account';
 $lng['install']['mysql_root_user'] = 'Benutzername für den MySQL-Root-Account';
 $lng['install']['mysql_root_pass'] = 'Passwort für den MySQL-Root-Account';
+$lng['install']['mysql_ssl_ca_file'] = 'MySQL-Server Zertifikatspfad';
+$lng['install']['mysql_ssl_verify_server_certificate'] = 'Validieren des MySQL-Server Zertifikats';
 $lng['install']['admin_account'] = 'Admin-Zugang';
 $lng['install']['admin_user'] = 'Administrator-Benutzername';
 $lng['install']['admin_pass1'] = 'Administrator-Passwort';
diff --git a/lib/Froxlor/Database/Database.php b/lib/Froxlor/Database/Database.php
index fd498dee..5235cf11 100644
--- a/lib/Froxlor/Database/Database.php
+++ b/lib/Froxlor/Database/Database.php
@@ -279,6 +279,8 @@ class Database
 $host = $sql_root[self::$dbserver]['host'];
 $socket = isset($sql_root[self::$dbserver]['socket']) ? $sql_root[self::$dbserver]['socket'] : null;
 $port = isset($sql_root[self::$dbserver]['port']) ? $sql_root[self::$dbserver]['port'] : '3306';
+ $sslCAFile = $sql_root[self::$dbserver]['ssl']['caFile'] ?? "";
+ $sslVerifyServerCertificate = $sql_root[self::$dbserver]['ssl']['verifyServerCertificate'] ?? false;
 } else {
 $caption = 'localhost';
 $user = $sql["user"];
@@ -286,6 +288,8 @@ class Database
 $host = $sql["host"];
 $socket = isset($sql['socket']) ? $sql['socket'] : null;
 $port = isset($sql['port']) ? $sql['port'] : '3306';
+ $sslCAFile = $sql['ssl']['caFile'] ?? "";
+ $sslVerifyServerCertificate = $sql['ssl']['verifyServerCertificate'] ?? false;
 }

 // save sql-access-data if needed
@@ -297,7 +301,9 @@ class Database
 'port' => $port,
 'socket' => $socket,
 'db' => $sql["db"],
- 'caption' => $caption
+ 'caption' => $caption,
+ 'ssl_ca_file' => $sslCAFile,
+ 'ssl_verify_server_certificate' => $sslVerifyServerCertificate
 );
 }

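Review bot: The `?? false` fallback on the new `$sslVerifyServerCertificate` line in the @@ -279 hunk (and its twin in the @@ -286 hunk) means a hand-edited config that sets `ssl.caFile` but forgets `verifyServerCertificate` silently gets a TLS connection whose peer is never authenticated, and nothing logs that the check was skipped. The TLS options are only attached when a CA file is present (the `!empty(self::$sqldata['ssl_ca_file'])` guard in the @@ -321 hunk), so `?? true` is the fail-safe default and has no effect on existing configs without an `ssl` key: `$sslVerifyServerCertificate = $sql_root[self::$dbserver]['ssl']['verifyServerCertificate'] ?? true;` and the same for the `$sql['ssl']` read. The enclosing method starts before the hunk.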
@@ -321,6 +327,11 @@ class Database
 } else {
 $dbconf["dsn"]['host'] = $host;
 $dbconf["dsn"]['port'] = $port;
+
+ if (!empty(self::$sqldata['ssl_ca_file'])) {
+ $options[\PDO::MYSQL_ATTR_SSL_CA] = self::$sqldata['ssl_ca_file'];
+ $options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) self::$sqldata['ssl_verify_server_certificate'];
+ }
 }

 self::$dbname = $sql["db"];
diff --git a/lib/Froxlor/Dns/PowerDNS.php b/lib/Froxlor/Dns/PowerDNS.php
index b8ba6692..45262147 100644
--- a/lib/Froxlor/Dns/PowerDNS.php
+++ b/lib/Froxlor/Dns/PowerDNS.php
@@ -62,6 +62,11 @@ class PowerDNS
 } else {
 $dbconf["dsn"]['host'] = $mysql_data['gmysql-host'];
 $dbconf["dsn"]['port'] = $mysql_data['gmysql-port'];
+
+ if (!empty($mysql_data['gmysql-ssl-ca-file'])) {
+ $options[\PDO::MYSQL_ATTR_SSL_CA] = $mysql_data['gmysql-ssl-ca-file'];
+ $options[\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = (bool) $mysql_data['gmysql-ssl-verify-server-certificate'];
+ }
 }

 // add options to dsn-string
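Review bot: The TLS options in the @@ -321 hunk are attached only inside the `} else {` branch that sets host and port, so a config with a `socket` entry (presumably the branch above, which is outside the hunk) silently ignores `ssl_ca_file`; that is defensible for a local unix socket, but a reader of `self::$sqldata` will not know it was deliberate. A one-line comment before the added `if` would record the intent: `// TLS is only negotiated for TCP connections; a unix socket never reaches this branch`. The `$options` array is declared before the hunk and the method continues past it.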
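Review bot: In the PowerDNS.php hunk the last added assignment reads `$mysql_data['gmysql-ssl-verify-server-certificate']` with no null-coalescing fallback, unlike the `?? false` used in Database.php; if the `gmysql-ssl-ca-file` setting exists but the verify setting does not, this raises an undefined-index notice and `(bool) null` disables certificate verification, which is the unsafe direction. Where the two `gmysql-ssl-*` settings are populated is not part of this patch, so I cannot confirm they are always written together; `(bool) ($mysql_data['gmysql-ssl-verify-server-certificate'] ?? true)` makes the omission fail safe either way. The enclosing function starts and ends outside the hunk.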