Merge pull request #7233 from johndalangin/7077-add-mysql-pdo-ssl

NEW Added MySQL SSL PDO Support (fixes #7077)
2024-10-02 14:18:46 +02:00 · 2017-08-03 12:20:51 +02:00 · 2017-08-03 12:20:51 +02:00 · 723ae37b7d
commit 723ae37b7d
parent d3f700e134 a3678c73b9
5 changed files with 111 additions and 1 deletions
--- a/cli-script.php
+++ b/cli-script.php
@ -91,6 +91,14 @@ define('SS_DATABASE_SERVER', 'localhost');
 define('SS_DATABASE_USERNAME', '<user>');
 define('SS_DATABASE_PASSWORD', '<password>');
 define('SS_DATABASE_NAME', '<database>');
+
+/* SSL support for MySQLPDODatabase */
+/*
+define('SS_DATABASE_CLASS', 'MySQLPDODatabase');
+define('SS_DATABASE_SSL_KEY', '/path/to/keyfile');
+define('SS_DATABASE_SSL_CERT', '/path/to/certfile');
+define('SS_DATABASE_SSL_CA', '/path/to/cafile');;
+*/
 --------------------------------------------------

 Once you have done that, run 'composer install' or './framework/sake dev/build' to create
--- a/conf/ConfigureFromEnv.php
+++ b/conf/ConfigureFromEnv.php
@ -20,6 +20,14 @@
 *  - SS_DATABASE_MEMORY:   Use in-memory state if possible. Useful for testing, currently only
 *                          supported by the SQLite database adapter.
 *
+ * SSL Support (for MySQLPDODatabase)
+ *
+ * - SS_DATABASE_SSL_KEY:		Path to SSL private key file
+ * - SS_DATABASE_SSL_CERT:		Path to SSL certificate file
+ * - SS_DATABASE_SSL_CA:		Path to SSL CA file
+ * - SS_DATABASE_SSL_CIPHER: 	Override default cipher (defaults are set per database connector)
+ *
+ *
 * There is one more setting that is intended to be used by people who work on SilverStripe.
 *  - SS_DATABASE_CHOOSE_NAME: Boolean/Int.  If set, then the system will choose a default database name for you if
 *    one isn't give in the $database variable.  The database name will be "SS_" followed by the name of the folder
@ -116,6 +124,30 @@ if(defined('SS_DATABASE_USERNAME') && defined('SS_DATABASE_PASSWORD')) {
 	// For SQlite3 memory databases (mainly for testing purposes)
 	if(defined('SS_DATABASE_MEMORY'))
 		$databaseConfig["memory"] = SS_DATABASE_MEMORY;
+
+	// Add ssl parameters to databaseConfig if these are defined
+	if(
+		defined('SS_DATABASE_SSL_KEY') && 
+		defined('SS_DATABASE_SSL_CERT')
+		) {
+
+		$databaseConfig['ssl_key'] = SS_DATABASE_SSL_KEY;
+		$databaseConfig['ssl_cert'] = SS_DATABASE_SSL_CERT;
+
+	}
+
+	// Some databases do not require a CA so this is optional
+	if(defined('SS_DATABASE_SSL_CA')) {
+		$databaseConfig['ssl_ca'] = SS_DATABASE_SSL_CA;		
+	}
+
+	// Cipher defaults should be set per connector
+	if(defined('SS_DATABASE_SSL_CIPHER')) {
+		$databaseConfig['ssl_cipher'] = SS_DATABASE_SSL_CIPHER;
+	}
+
+
+
 }

 if(defined('SS_SEND_ALL_EMAILS_TO')) {
--- a/dev/install/MySQLDatabaseConfigurationHelper.php
+++ b/dev/install/MySQLDatabaseConfigurationHelper.php
@ -36,8 +36,31 @@ class MySQLDatabaseConfigurationHelper implements DatabaseConfigurationHelper {
 					}
 				case 'MySQLPDODatabase':
 					// May throw a PDOException if fails
+
+					// Set SSL parameters
+					$ssl = null;
+					$defaultCipher = 'DHE-RSA-AES256-SHA';
+
+					if(
+						array_key_exists('ssl_key', $databaseConfig) &&
+						array_key_exists('ssl_cert', $databaseConfig)) {
+
+							$ssl = array(
+								PDO::MYSQL_ATTR_SSL_KEY => $databaseConfig['ssl_key'],
+								PDO::MYSQL_ATTR_SSL_CERT => $databaseConfig['ssl_cert'],
+							);
+
+						if(array_key_exists('ssl_ca', $databaseConfig)) {
+							$ssl[PDO::MYSQL_ATTR_SSL_CA] = $databaseConfig['ssl_ca'];
+						}
+
+						// use default cipher if not provided
+						$ssl[PDO::MYSQL_ATTR_SSL_CA] = array_key_exists('ssl_ca', $databaseConfig) ? $databaseConfig['ssl_ca'] : $defaultCipher;
+
+					}
+
 					$conn = @new PDO('mysql:host='.$databaseConfig['server'], $databaseConfig['username'],
-									$databaseConfig['password']);
+									$databaseConfig['password'], $ssl);
 					if($conn) {
 						$conn->query("SET sql_mode = 'ANSI'");
 						return $conn;
--- a/dev/install/install.php5
+++ b/dev/install/install.php5
@ -132,6 +132,26 @@ if(isset($_REQUEST['db'])) {
 			"database" => $_REQUEST['db'][$type]['database'],
 		);

+		// Set SSL parameters if they exist
+		if(
+			defined('SS_DATABASE_SSL_KEY') && 
+			defined('SS_DATABASE_SSL_CERT')
+			) {
+
+			$databaseConfig['ssl_key'] = SS_DATABASE_SSL_KEY;
+			$databaseConfig['ssl_cert'] = SS_DATABASE_SSL_CERT;
+
+		}
+
+		if(defined('SS_DATABASE_SSL_CA')) {
+			$databaseConfig['ssl_ca'] = SS_DATABASE_SSL_CA;
+		}
+
+		if(defined('SS_DATABASE_SSL_CIPHER')) {
+			$databaseConfig['ssl_cipher'] = SS_DATABASE_SSL_CIPHER;
+		}
+
+
 	} else {
 		// Normal behaviour without the environment
 		$databaseConfig = $_REQUEST['db'][$type];
--- a/model/connect/PDOConnector.php
+++ b/model/connect/PDOConnector.php
@ -15,6 +15,14 @@ class PDOConnector extends DBConnector {
 	 */
 	private static $emulate_prepare = false;

+	/**
+	 * Default strong SSL cipher to be used
+	 *
+	 * @config
+	 * @var boolean
+	 */
+	private static $ssl_cipher_default = 'DHE-RSA-AES256-SHA';
+
 	/**
 	 * The PDO connection instance
 	 *
@ -159,6 +167,25 @@ class PDOConnector extends DBConnector {
 		$options = array();
 		if($parameters['driver'] == 'mysql') {
 			$options[PDO::MYSQL_ATTR_INIT_COMMAND] = 'SET NAMES ' . $charset . ' COLLATE ' . $connCollation;
+
+			// Set SSL options if they are defined
+			if(
+				array_key_exists('ssl_key', $parameters) &&
+				array_key_exists('ssl_cert', $parameters)) {
+
+					$options[PDO::MYSQL_ATTR_SSL_KEY] = $parameters['ssl_key'];
+					$options[PDO::MYSQL_ATTR_SSL_CERT] = $parameters['ssl_cert'];
+
+				if(array_key_exists('ssl_ca', $parameters)) {
+					$options[PDO::MYSQL_ATTR_SSL_CA] = $parameters['ssl_ca'];
+				}
+
+				// use default cipher if not provided
+				$options[PDO::MYSQL_ATTR_SSL_CIPHER] = $parameters['ssl_cipher'] ?: $this->config()->ssl_cipher_default;
+
+			}
+
+
 		}
 		if(self::is_emulate_prepare()) {
 			$options[PDO::ATTR_EMULATE_PREPARES] = true;