Merge pull request #7233 from johndalangin/7077-add-mysql-pdo-ssl

NEW Added MySQL SSL PDO Support (fixes #7077)
This commit is contained in:
Daniel Hensby 2017-08-03 12:20:51 +02:00 committed by GitHub
commit 723ae37b7d
5 changed files with 111 additions and 1 deletions

View File

@ -91,6 +91,14 @@ define('SS_DATABASE_SERVER', 'localhost');
define('SS_DATABASE_USERNAME', '<user>'); define('SS_DATABASE_USERNAME', '<user>');
define('SS_DATABASE_PASSWORD', '<password>'); define('SS_DATABASE_PASSWORD', '<password>');
define('SS_DATABASE_NAME', '<database>'); define('SS_DATABASE_NAME', '<database>');
/* SSL support for MySQLPDODatabase */
/*
define('SS_DATABASE_CLASS', 'MySQLPDODatabase');
define('SS_DATABASE_SSL_KEY', '/path/to/keyfile');
define('SS_DATABASE_SSL_CERT', '/path/to/certfile');
define('SS_DATABASE_SSL_CA', '/path/to/cafile');;
*/
-------------------------------------------------- --------------------------------------------------
Once you have done that, run 'composer install' or './framework/sake dev/build' to create Once you have done that, run 'composer install' or './framework/sake dev/build' to create

View File

@ -20,6 +20,14 @@
* - SS_DATABASE_MEMORY: Use in-memory state if possible. Useful for testing, currently only * - SS_DATABASE_MEMORY: Use in-memory state if possible. Useful for testing, currently only
* supported by the SQLite database adapter. * supported by the SQLite database adapter.
* *
* SSL Support (for MySQLPDODatabase)
*
* - SS_DATABASE_SSL_KEY: Path to SSL private key file
* - SS_DATABASE_SSL_CERT: Path to SSL certificate file
* - SS_DATABASE_SSL_CA: Path to SSL CA file
* - SS_DATABASE_SSL_CIPHER: Override default cipher (defaults are set per database connector)
*
*
* There is one more setting that is intended to be used by people who work on SilverStripe. * There is one more setting that is intended to be used by people who work on SilverStripe.
* - SS_DATABASE_CHOOSE_NAME: Boolean/Int. If set, then the system will choose a default database name for you if * - SS_DATABASE_CHOOSE_NAME: Boolean/Int. If set, then the system will choose a default database name for you if
* one isn't give in the $database variable. The database name will be "SS_" followed by the name of the folder * one isn't give in the $database variable. The database name will be "SS_" followed by the name of the folder
@ -116,6 +124,30 @@ if(defined('SS_DATABASE_USERNAME') && defined('SS_DATABASE_PASSWORD')) {
// For SQlite3 memory databases (mainly for testing purposes) // For SQlite3 memory databases (mainly for testing purposes)
if(defined('SS_DATABASE_MEMORY')) if(defined('SS_DATABASE_MEMORY'))
$databaseConfig["memory"] = SS_DATABASE_MEMORY; $databaseConfig["memory"] = SS_DATABASE_MEMORY;
// Add ssl parameters to databaseConfig if these are defined
if(
defined('SS_DATABASE_SSL_KEY') &&
defined('SS_DATABASE_SSL_CERT')
) {
$databaseConfig['ssl_key'] = SS_DATABASE_SSL_KEY;
$databaseConfig['ssl_cert'] = SS_DATABASE_SSL_CERT;
}
// Some databases do not require a CA so this is optional
if(defined('SS_DATABASE_SSL_CA')) {
$databaseConfig['ssl_ca'] = SS_DATABASE_SSL_CA;
}
// Cipher defaults should be set per connector
if(defined('SS_DATABASE_SSL_CIPHER')) {
$databaseConfig['ssl_cipher'] = SS_DATABASE_SSL_CIPHER;
}
} }
if(defined('SS_SEND_ALL_EMAILS_TO')) { if(defined('SS_SEND_ALL_EMAILS_TO')) {

View File

@ -36,8 +36,31 @@ class MySQLDatabaseConfigurationHelper implements DatabaseConfigurationHelper {
} }
case 'MySQLPDODatabase': case 'MySQLPDODatabase':
// May throw a PDOException if fails // May throw a PDOException if fails
// Set SSL parameters
$ssl = null;
$defaultCipher = 'DHE-RSA-AES256-SHA';
if(
array_key_exists('ssl_key', $databaseConfig) &&
array_key_exists('ssl_cert', $databaseConfig)) {
$ssl = array(
PDO::MYSQL_ATTR_SSL_KEY => $databaseConfig['ssl_key'],
PDO::MYSQL_ATTR_SSL_CERT => $databaseConfig['ssl_cert'],
);
if(array_key_exists('ssl_ca', $databaseConfig)) {
$ssl[PDO::MYSQL_ATTR_SSL_CA] = $databaseConfig['ssl_ca'];
}
// use default cipher if not provided
$ssl[PDO::MYSQL_ATTR_SSL_CA] = array_key_exists('ssl_ca', $databaseConfig) ? $databaseConfig['ssl_ca'] : $defaultCipher;
}
$conn = @new PDO('mysql:host='.$databaseConfig['server'], $databaseConfig['username'], $conn = @new PDO('mysql:host='.$databaseConfig['server'], $databaseConfig['username'],
$databaseConfig['password']); $databaseConfig['password'], $ssl);
if($conn) { if($conn) {
$conn->query("SET sql_mode = 'ANSI'"); $conn->query("SET sql_mode = 'ANSI'");
return $conn; return $conn;

View File

@ -132,6 +132,26 @@ if(isset($_REQUEST['db'])) {
"database" => $_REQUEST['db'][$type]['database'], "database" => $_REQUEST['db'][$type]['database'],
); );
// Set SSL parameters if they exist
if(
defined('SS_DATABASE_SSL_KEY') &&
defined('SS_DATABASE_SSL_CERT')
) {
$databaseConfig['ssl_key'] = SS_DATABASE_SSL_KEY;
$databaseConfig['ssl_cert'] = SS_DATABASE_SSL_CERT;
}
if(defined('SS_DATABASE_SSL_CA')) {
$databaseConfig['ssl_ca'] = SS_DATABASE_SSL_CA;
}
if(defined('SS_DATABASE_SSL_CIPHER')) {
$databaseConfig['ssl_cipher'] = SS_DATABASE_SSL_CIPHER;
}
} else { } else {
// Normal behaviour without the environment // Normal behaviour without the environment
$databaseConfig = $_REQUEST['db'][$type]; $databaseConfig = $_REQUEST['db'][$type];

View File

@ -15,6 +15,14 @@ class PDOConnector extends DBConnector {
*/ */
private static $emulate_prepare = false; private static $emulate_prepare = false;
/**
* Default strong SSL cipher to be used
*
* @config
* @var boolean
*/
private static $ssl_cipher_default = 'DHE-RSA-AES256-SHA';
/** /**
* The PDO connection instance * The PDO connection instance
* *
@ -159,6 +167,25 @@ class PDOConnector extends DBConnector {
$options = array(); $options = array();
if($parameters['driver'] == 'mysql') { if($parameters['driver'] == 'mysql') {
$options[PDO::MYSQL_ATTR_INIT_COMMAND] = 'SET NAMES ' . $charset . ' COLLATE ' . $connCollation; $options[PDO::MYSQL_ATTR_INIT_COMMAND] = 'SET NAMES ' . $charset . ' COLLATE ' . $connCollation;
// Set SSL options if they are defined
if(
array_key_exists('ssl_key', $parameters) &&
array_key_exists('ssl_cert', $parameters)) {
$options[PDO::MYSQL_ATTR_SSL_KEY] = $parameters['ssl_key'];
$options[PDO::MYSQL_ATTR_SSL_CERT] = $parameters['ssl_cert'];
if(array_key_exists('ssl_ca', $parameters)) {
$options[PDO::MYSQL_ATTR_SSL_CA] = $parameters['ssl_ca'];
}
// use default cipher if not provided
$options[PDO::MYSQL_ATTR_SSL_CIPHER] = $parameters['ssl_cipher'] ?: $this->config()->ssl_cipher_default;
}
} }
if(self::is_emulate_prepare()) { if(self::is_emulate_prepare()) {
$options[PDO::ATTR_EMULATE_PREPARES] = true; $options[PDO::ATTR_EMULATE_PREPARES] = true;