Commit 7b49f53d authored by Jérome Perrin's avatar Jérome Perrin

Products/ZMySQLDA: ssl support

See merge request nexedi/erp5!1772
parents bbdc9fdf 36d93f4c
Pipeline #28700 failed with stage
...@@ -56,7 +56,7 @@ ...@@ -56,7 +56,7 @@
<dd> <dd>
The connection string used for Z MySQL Database Connection is of the form: The connection string used for Z MySQL Database Connection is of the form:
<br /> <br />
<code>[*lock] [+/-][database][@host[:port]] [user [password [unix_socket]]]</code> <code>[%ssl_name] [*lock] [+/-][database][@host[:port]] [user [password [unix_socket]]]</code>
<br /> <br />
or typically: or typically:
<br /> <br />
...@@ -73,6 +73,16 @@ ...@@ -73,6 +73,16 @@
If the UNIX socket is in a non-standard location, you can specify If the UNIX socket is in a non-standard location, you can specify
the full path to it after the password. the full path to it after the password.
</dd> </dd>
<dd>
%<em>ssl_name</em> at the begining of the connection string means to use
a ssl client certificate for authentication.
This will use a CA certificate located at
<code>$INSTANCEHOME/etc/zmysqlda/[%ssl_name]-ca.pem</code>, a client certificate
at <code>$INSTANCEHOME/etc/zmysqlda/[%ssl_name]-cert.pem</code> with a key
at <code>$INSTANCEHOME/etc/zmysqlda/[%ssl_name]-key.pem</code>.
This will also verify that the connection is using ssl and cause an error
when an encrypted connection can not be established.
</dd>
<dd> <dd>
A '-' in front of the database tells ZMySQLDA to not use Zope's A '-' in front of the database tells ZMySQLDA to not use Zope's
Transaction Manager, even if the server supports transactions. A Transaction Manager, even if the server supports transactions. A
...@@ -107,6 +107,7 @@ if _v < MySQLdb_version_required: ...@@ -107,6 +107,7 @@ if _v < MySQLdb_version_required:
from MySQLdb.converters import conversions from MySQLdb.converters import conversions
from MySQLdb.constants import FIELD_TYPE, CR, ER, CLIENT from MySQLdb.constants import FIELD_TYPE, CR, ER, CLIENT
from App.config import getConfiguration
from Shared.DC.ZRDB.TM import TM from Shared.DC.ZRDB.TM import TM
from DateTime import DateTime from DateTime import DateTime
from zLOG import LOG, ERROR, WARNING from zLOG import LOG, ERROR, WARNING
...@@ -245,6 +246,14 @@ class DB(TM): ...@@ -245,6 +246,14 @@ class DB(TM):
items = self._connection.split() items = self._connection.split()
if not items: if not items:
return return
if items[0][0] == "%":
cert_base_name = items.pop(0)[1:]
instancehome = getConfiguration().instancehome
kwargs['ssl'] = {
'ca': os.path.join(instancehome, 'etc', 'zmysqlda', cert_base_name + '-ca.pem'),
'cert': os.path.join(instancehome, 'etc', 'zmysqlda', cert_base_name + '-cert.pem'),
'key': os.path.join(instancehome, 'etc', 'zmysqlda', cert_base_name + '-key.pem'),
}
if items[0] == "~": if items[0] == "~":
kwargs['compress'] = True kwargs['compress'] = True
del items[0] del items[0]
...@@ -319,7 +328,12 @@ class DB(TM): ...@@ -319,7 +328,12 @@ class DB(TM):
error=True, error=True,
) )
self.db = MySQLdb.connect(**self._kw_args) self.db = MySQLdb.connect(**self._kw_args)
self._query("SET time_zone='+00:00'") self._query(b"SET time_zone='+00:00'")
# BBB mysqlclient on python2 does not support sql_mode, check that
# the connection is actually encrypted.
if self._kw_args.get('ssl') and \
not self._query(b"SHOW STATUS LIKE 'Ssl_version'").fetch_row()[0][1]:
raise NotSupportedError("Connection established without SSL")
def tables(self, rdb=0, def tables(self, rdb=0,
_care=('TABLE', 'VIEW')): _care=('TABLE', 'VIEW')):
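Review bot: `cert_base_name` is taken straight from the connection string and concatenated into the three `os.path.join(...)` paths, so a name containing a path separator (or starting with one, which makes `os.path.join` discard `instancehome`) resolves outside `$INSTANCEHOME/etc/zmysqlda/`, contrary to what the help text describes. Rejecting such names before `kwargs['ssl']` is built, with a condition such as `if not cert_base_name or os.path.basename(cert_base_name) != cert_base_name:` followed by a raise, keeps the lookup confined to that directory. In the same hunk, a connection string consisting only of `%name` leaves `items` empty after `items.pop(0)`, so the following `items[0] == "~"` raises IndexError; it needs a check that `items` is still non-empty after the pop. In the later hunk, `fetch_row()[0][1]` would likewise raise IndexError rather than the intended NotSupportedError if the status query returns no row, and because the check runs only after `MySQLdb.connect` has completed it catches a silent plaintext fallback but presumably cannot stand in for certificate and host verification at connect time. Both enclosing methods start outside the visible hunks.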