Products/ZMySQLDA: ssl support

See merge request nexedi/erp5!1772

Products/ZMySQLDA: ssl support
See merge request nexedi/erp5!1772
7b49f53d · Jérome Perrin · bbdc9fdf · 36d93f4c · 7b49f53d · 7b49f53d
Commit 7b49f53d authored Jun 20, 2023 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 2 deletions

product/ZMySQLDA/connectionAdd.dtml product/ZMySQLDA/connectionAdd.dtml +11 -1

product/ZMySQLDA/db.py product/ZMySQLDA/db.py +15 -1

No files found.
--- a/product/ZMySQLDA/connectionAdd.dtml
+++ b/product/ZMySQLDA/connectionAdd.dtml
@@ -56,7 +56,7 @@
    <dd>
      The connection string used for Z MySQL Database Connection is of the form:
      <br />
-      <code>[*lock] [+/-][database][@host[:port]] [user [password [unix_socket]]]</code>
+      <code>[%ssl_name] [*lock] [+/-][database][@host[:port]] [user [password [unix_socket]]]</code>
      <br />
      or typically:
      <br />
@@ -73,6 +73,16 @@
      If the UNIX socket is in a non-standard location, you can specify
      the full path to it after the password.
    </dd>
+    <dd>
+      %<em>ssl_name</em> at the begining of the connection string means to use
+      a ssl client certificate for authentication. 
+      This will use a CA certificate located at
+      <code>$INSTANCEHOME/etc/zmysqlda/[%ssl_name]-ca.pem</code>, a client certificate
+      at <code>$INSTANCEHOME/etc/zmysqlda/[%ssl_name]-cert.pem</code> with a key
+      at <code>$INSTANCEHOME/etc/zmysqlda/[%ssl_name]-key.pem</code>.
+      This will also verify that the connection is using ssl and cause an error
+      when an encrypted connection can not be established.
+    </dd>
    <dd>
      A '-' in front of the database tells ZMySQLDA to not use Zope's
      Transaction Manager, even if the server supports transactions. A

--- a/product/ZMySQLDA/db.py
+++ b/product/ZMySQLDA/db.py
@@ -107,6 +107,7 @@ if _v < MySQLdb_version_required:
 from MySQLdb.converters import conversions
 from MySQLdb.constants import FIELD_TYPE, CR, ER, CLIENT
+from App.config import getConfiguration
 from Shared.DC.ZRDB.TM import TM
 from DateTime import DateTime
 from zLOG import LOG, ERROR, WARNING
@@ -245,6 +246,14 @@ class DB(TM):
        items = self._connection.split()
        if not items:
            return
+        if items[0][0] == "%":
+            cert_base_name = items.pop(0)[1:]
+            instancehome = getConfiguration().instancehome
+            kwargs['ssl'] = {
+              'ca': os.path.join(instancehome, 'etc', 'zmysqlda', cert_base_name + '-ca.pem'),
+              'cert': os.path.join(instancehome, 'etc', 'zmysqlda', cert_base_name + '-cert.pem'),
+              'key': os.path.join(instancehome, 'etc', 'zmysqlda', cert_base_name + '-key.pem'),
+            }
        if items[0] == "~":
            kwargs['compress'] = True
            del items[0]
@@ -319,7 +328,12 @@ class DB(TM):
              error=True,
            )
      self.db = MySQLdb.connect(**self._kw_args)
-      self._query("SET time_zone='+00:00'")
+      self._query(b"SET time_zone='+00:00'")
+      # BBB mysqlclient on python2 does not support sql_mode, check that
+      # the connection is actually encrypted.
+      if self._kw_args.get('ssl') and \
+          not self._query(b"SHOW STATUS LIKE 'Ssl_version'").fetch_row()[0][1]:
+          raise NotSupportedError("Connection established without SSL")
    def tables(self, rdb=0,
               _care=('TABLE', 'VIEW')):