FIX Add back missing SSL support for database connections
GuySartorelli committed May 18, 2023
1 parent 2256799 commit 34f1d6f
Showing 3 changed files with 36 additions and 13 deletions.
22 changes: 22 additions & 0 deletions src/Core/CoreKernel.php
@@ -6,6 +6,7 @@
use SilverStripe\Dev\Install\DatabaseAdapterRegistry;
use SilverStripe\ORM\DB;
use Exception;
use LogicException;

/**
* Simple Kernel container
@@ -116,6 +117,27 @@ protected function getDatabaseConfig()
"password" => Environment::getEnv('SS_DATABASE_PASSWORD') ?: null,
];

// Only add SSL keys in the array if there is an actual value associated with them
$sslConf = [
'ssl_key' => 'SS_DATABASE_SSL_KEY',
'ssl_cert' => 'SS_DATABASE_SSL_CERT',
'ssl_ca' => 'SS_DATABASE_SSL_CA',
'ssl_cipher' => 'SS_DATABASE_SSL_CIPHER',
];
foreach ($sslConf as $key => $envVar) {
$envValue = Environment::getEnv($envVar);
if ($envValue) {
$databaseConfig[$key] = $envValue;
}
}

// Having only the key or cert without the other is bad configuration.
if (isset($databaseConfig['ssl_key']) xor isset($databaseConfig['ssl_cert'])) {
user_error('Database SSL cert and key must both be defined to use SSL in the database.', E_USER_WARNING);
unset($databaseConfig['ssl_key']);
unset($databaseConfig['ssl_cert']);
}

// Set the port if called for
$dbPort = Environment::getEnv('SS_DATABASE_PORT');
if ($dbPort) {
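Review bot: A half-configured key/cert pair fails open in the `xor` branch: it raises only `E_USER_WARNING`, unsets both keys and carries on, so when `SS_DATABASE_SSL_CA` is also unset the resulting config appears to carry no SSL settings and the connection would presumably be made unencrypted. An operator who set one of these variables expected an encrypted link, so failing closed is the safer default: `throw new LogicException('Database SSL cert and key must both be defined to use SSL in the database.');`. That would also give the newly imported `LogicException` a use, since nothing in the visible hunks references it. `getDatabaseConfig()` starts and ends outside the hunk.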
12 changes: 6 additions & 6 deletions src/Dev/Install/MySQLDatabaseConfigurationHelper.php
@@ -35,14 +35,14 @@ protected function createConnection($databaseConfig, &$error)
case 'MySQLDatabase':
$conn = mysqli_init();

// Set SSL parameters if they exist. All parameters are required.
if (array_key_exists('ssl_key', $databaseConfig) &&
array_key_exists('ssl_cert', $databaseConfig) &&
array_key_exists('ssl_ca', $databaseConfig)
// Set SSL parameters if they exist.
// Must have both the SSL cert and key, or the common authority, or preferably all three.
if ((array_key_exists('ssl_key', $databaseConfig) && array_key_exists('ssl_cert', $databaseConfig))
|| array_key_exists('ssl_ca', $databaseConfig)
) {
$conn->ssl_set(
$databaseConfig['ssl_key'],
$databaseConfig['ssl_cert'],
$databaseConfig['ssl_key'] ?? null,
$databaseConfig['ssl_cert'] ?? null,
$databaseConfig['ssl_ca'],
dirname($databaseConfig['ssl_ca']),
array_key_exists('ssl_cipher', $databaseConfig)
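Review bot: The key-and-cert-only branch of the relaxed condition still reads `$databaseConfig['ssl_ca']` unguarded in the third and fourth arguments of `ssl_set()`. A config with `ssl_key` and `ssl_cert` but no `ssl_ca` therefore triggers an undefined-key warning and hands null to `dirname()`. Mirror the MySQLiConnector hunk of this commit: `$databaseConfig['ssl_ca'] ?? null,` and `dirname($databaseConfig['ssl_ca'] ?? ''),`. `createConnection()` continues outside the hunk.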
15 changes: 8 additions & 7 deletions src/ORM/Connect/MySQLiConnector.php
@@ -96,14 +96,15 @@ public function connect($parameters, $selectDB = false)
);
}

// Set SSL parameters if they exist. All parameters are required.
if (array_key_exists('ssl_key', $parameters ?? []) &&
array_key_exists('ssl_cert', $parameters ?? []) &&
array_key_exists('ssl_ca', $parameters ?? [])) {
// Set SSL parameters if they exist.
// Must have both the SSL cert and key, or the common authority, or preferably all three.
if ((array_key_exists('ssl_key', $parameters ?? []) && array_key_exists('ssl_cert', $parameters ?? []))
|| array_key_exists('ssl_ca', $parameters ?? [])
) {
$this->dbConn->ssl_set(
$parameters['ssl_key'],
$parameters['ssl_cert'],
$parameters['ssl_ca'],
$parameters['ssl_key'] ?? null,
$parameters['ssl_cert'] ?? null,
$parameters['ssl_ca'] ?? null,
dirname($parameters['ssl_ca'] ?? ''),
array_key_exists('ssl_cipher', $parameters ?? [])
? $parameters['ssl_cipher']
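Review bot: The new comment above the `ssl_set()` call does not say what is lost when `ssl_ca` is absent: with only `ssl_key` and `ssl_cert`, the call receives a null CA file and an empty CA path, so the client has no trust anchor for the server certificate. I would add `// Without ssl_ca the server certificate cannot be checked against a trusted CA: the link is encrypted but the server is not authenticated.` so operators do not read "key + cert" as a complete TLS setup. Whether server-certificate verification is requested at all is decided in the connect call outside this hunk, so that is worth confirming. The same remark applies to the matching condition in MySQLDatabaseConfigurationHelper.php.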