composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-20 17:18:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°1260 MySQL TLS connection : change parameters to only enable checkbox + CA (remove client key, client cert, cappath, cipher)

Browse Source 
SVN:trunk[5682]
This commit is contained in:
Pierre Goiffon
2018-04-18 06:57:38 +00:00
parent e3a2c5b05b
commit f07bbfa174
8 changed files with 158 additions and 301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
core/cmdbsource.class.inc.php
View File

@@ -122,12 +122,22 @@ class CMDBSource
protected static $m_sDBUser;
protected static $m_sDBPwd;
protected static $m_sDBName;
protected static $m_sDBTlsKey;
protected static $m_sDBTlsCert;
/**
* @var boolean
* @since 2.5 #1260 MySQL TLS first implementation
*/
protected static $m_bDBTlsEnabled;
/**
* @var string
* @since 2.5 #1260 MySQL TLS first implementation
*/
protected static $m_sDBTlsCA;
protected static $m_sDBTlsCaPath;
protected static $m_sDBTlsCipher;
/**
* @var boolean
* @since 2.5 #1260 MySQL TLS first implementation
*/
protected static $m_bDBTlsVerifyServerCert;
/** @var mysqli $m_oMysqli */
protected static $m_oMysqli;
@@ -144,15 +154,11 @@ class CMDBSource
$sUser = $oConfig->Get('db_user');
$sPwd = $oConfig->Get('db_pwd');
$sSource = $oConfig->Get('db_name');
$sTlsKey = $oConfig->Get('db_tls.key');
$sTlsCert = $oConfig->Get('db_tls.cert');
$bTlsEnabled = $oConfig->Get('db_tls.enabled');
$sTlsCA = $oConfig->Get('db_tls.ca');
$sTlsCaPath = $oConfig->Get('db_tls.capath');
$sTlsCipher = $oConfig->Get('db_tls.cipher');
$sTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
self::Init($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
$sTlsVerifyServerCert);
self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, $sTlsVerifyServerCert);
$sCharacterSet = DEFAULT_CHARACTER_SET;
$sCollation = DEFAULT_COLLATION;
@@ -164,61 +170,50 @@ class CMDBSource
* @param string $sUser
* @param string $sPwd
* @param string $sSource database to use
* @param string $sTlsKey
* @param string $sTlsCert
* @param bool $bTlsEnabled
* @param string $sTlsCA
* @param string $sTlsCaPath
* @param string $sTlsCipher
* @param bool $sTlsVerifyServerCert
*
* @throws \MySQLException
*/
public static function Init(
$sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCA = null, $sTlsCaPath = null,
$sTlsCipher = null, $sTlsVerifyServerCert = false
$sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null, $sTlsVerifyServerCert = false
)
{
self::$m_sDBHost = $sServer;
self::$m_sDBUser = $sUser;
self::$m_sDBPwd = $sPwd;
self::$m_sDBName = $sSource;
self::$m_sDBTlsKey = empty($sTlsKey) ? null : $sTlsKey;
self::$m_sDBTlsCert = empty($sTlsCert) ? null : $sTlsCert;
self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled;
self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA;
self::$m_sDBTlsCaPath = empty($sTlsCaPath) ? null : $sTlsCaPath;
self::$m_sDBTlsCipher = empty($sTlsCipher) ? null : $sTlsCipher;
self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA,
$sTlsCaPath, $sTlsCipher, true, $sTlsVerifyServerCert);
self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true,
$sTlsVerifyServerCert);
}
/**
* @param string $sServer
* @param string $sDbHost
* @param string $sUser
* @param string $sPwd
* @param string $sSource database to use
* @param string $sTlsKey
* @param string $sTlsCert
* @param bool $bTlsEnabled
* @param string $sTlsCa
* @param string $sTlsCaPath
* @param string $sTlsCipher
* @param bool $bCheckTlsAfterConnection
* @param bool $bVerifyTlsServerCert Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)
* @param bool $bCheckTlsAfterConnection If true then verify after connection if it is encrypted
* @param bool $bVerifyTlsServerCert If true then verify server certificate when connecting
*
* @return \mysqli
* @throws \MySQLException
*/
public static function GetMysqliInstance(
$sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCaPath = null,
$sTlsCipher = null, $bCheckTlsAfterConnection = false, $bVerifyTlsServerCert = false
$sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false,
$bVerifyTlsServerCert = false
) {
$oMysqli = null;
$sServer = null;
$iPort = null;
$bTlsEnabled = self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCa);
self::InitServerAndPort(self::$m_sDBHost, $sServer, $iPort);
self::InitServerAndPort($sDbHost, $sServer, $iPort);
$iFlags = null;
@@ -236,18 +231,20 @@ class CMDBSource
$iFlags = ($bVerifyTlsServerCert)
? MYSQLI_CLIENT_SSL
: MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
$oMysqli->ssl_set($sTlsKey, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);
$sTlsCert = null; // not implemented
$sTlsCaPath = null; // not implemented
$sTlsCipher = null; // not implemented
$oMysqli->ssl_set($bTlsEnabled, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);
}
$oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort,
ini_get("mysqli.default_socket"), $iFlags);
$oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort, ini_get("mysqli.default_socket"), $iFlags);
}
catch(mysqli_sql_exception $e)
{
throw new MySQLException('Could not connect to the DB server', array('host' => $sServer, 'user' => $sUser), $e);
}
if ($bCheckTlsAfterConnection
&& self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCa)
if ($bTlsEnabled
&& $bCheckTlsAfterConnection
&& !self::IsOpenedDbConnectionUsingTls($oMysqli))
{
throw new MySQLException("Connection to the database is not encrypted whereas it was opened using TLS parameters",
@@ -307,32 +304,6 @@ class CMDBSource
}
}
/**
* @param \Config $oConfig
*
* @return boolean
*/
public static function IsDbConnectionInConfigUsingTls($oConfig)
{
$sTlsKey = $oConfig->Get('db_tls.key');
$sTlsCert = $oConfig->Get('db_tls.cert');
$sTlsCA = $oConfig->Get('db_tls.ca');
return self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA);
}
/**
* @param string $sTlsKey
* @param string $sTlsCert
* @param string $sTlsCA
*
* @return bool
*/
public static function IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA)
{
return (!empty($sTlsKey) && !empty($sTlsCert) && !empty($sTlsCA));
}
/**
* <p>A DB connection can be opened transparently (no errors thrown) without being encrypted, whereas the TLS
* parameters were used.<br>

67
core/config.class.inc.php
View File

@@ -150,19 +150,11 @@ class Config
'source_of_value' => '',
'show_in_conf_sample' => true,
),
'db_tls.key' => array(
'type' => 'string',
'description' => 'Path to client key file for SSL',
'default' => null,
'value' => '',
'source_of_value' => '',
'show_in_conf_sample' => false,
),
'db_tls.cert' => array(
'type' => 'string',
'description' => 'Path to client certificate file for SSL',
'default' => null,
'value' => '',
'db_tls.enabled' => array(
'type' => 'bool',
'description' => 'If true then the connection to the DB will be encrypted',
'default' => false,
'value' => false,
'source_of_value' => '',
'show_in_conf_sample' => false,
),
@@ -174,27 +166,11 @@ class Config
'source_of_value' => '',
'show_in_conf_sample' => false,
),
'db_tls.capath' => array(
'type' => 'string',
'description' => 'Path to a directory that contains trusted SSL CA certificates in PEM format',
'default' => null,
'value' => '',
'source_of_value' => '',
'show_in_conf_sample' => false,
),
'db_tls.cipher' => array(
'type' => 'string',
'description' => 'Optional : separated list of permissible cyphers to use for SSL encryption',
'default' => null,
'value' => '',
'source_of_value' => '',
'show_in_conf_sample' => false,
),
'db_tls.verify_server_cert' => array(
'type' => 'bool',
'description' => 'Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)',
'default' => false,
'value' => '',
'value' => false,
'source_of_value' => '',
'show_in_conf_sample' => false,
),
@@ -1908,30 +1884,23 @@ class Config
}
$this->Set('db_name', $sDBName);
$this->Set('db_subname', $aParamValues['db_prefix']);
$sDbTlsKey = $aParamValues['db_tls_key'];
if (isset($sDbTlsKey) && !empty($sDbTlsKey))
$bDbTlsEnabled = (bool) $aParamValues['db_tls_enabled'];
if ($bDbTlsEnabled)
{
$this->Set('db_tls.key', $sDbTlsKey, 'UpdateFromParams');
$this->Set('db_tls.enabled', $bDbTlsEnabled, 'UpdateFromParams');
}
$sDbTlsCert = $aParamValues['db_tls_cert'];
if (isset($sDbTlsCert) && !empty($sDbTlsCert))
else
{
$this->Set('db_tls.cert', $sDbTlsCert, 'UpdateFromParams');
// disabled : we don't want parameter in the file
$this->Set('db_tls.enabled', $bDbTlsEnabled, null);
}
$sDbTlsCa = $aParamValues['db_tls_ca'];
if (isset($sDbTlsCa) && !empty($sDbTlsCa))
{
$sDbTlsCa = $bDbTlsEnabled ? $aParamValues['db_tls_ca'] : null;
if (isset($sDbTlsCa) && !empty($sDbTlsCa)) {
$this->Set('db_tls.ca', $sDbTlsCa, 'UpdateFromParams');
}
$sDbTlsCaPath = $aParamValues['db_tls_capath'];
if (isset($sDbTlsCaPath) && !empty($sDbTlsCaPath))
{
$this->Set('db_tls.capath', $sDbTlsCaPath, 'UpdateFromParams');
}
$sDbTlsCipher = $aParamValues['db_tls_cipher'];
if (isset($sDbTlsCipher) && !empty($sDbTlsCipher))
{
$this->Set('db_tls.cipher', $sDbTlsCipher, 'UpdateFromParams');
} else {
// empty parameter : we don't want it in the file
$this->Set('db_tls.ca', null, null);
}
}

27
core/mutex.class.inc.php
View File

@@ -40,17 +40,14 @@ class iTopMutex
protected $sDBPwd;
protected $sDBName;
protected $sDBSubname;
protected $sDBTlsKey;
protected $sDBTlsCert;
protected $bDBTlsEnabled;
protected $sDBTlsCA;
protected $sDBTlsCaPath;
protected $sDBTlsCipher;
protected $bDBTlsVerifyServerCert;
static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page
public function __construct(
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $sDBTlsKey = null, $sDBTlsCert = null,
$sDBTlsCA = null, $sDBTlsCaPath = null, $sDBTlsCypher = null, $bDBTlsVerifyServerCert = null
$sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null,
$bDBTlsVerifyServerCert = null
)
{
// Compute the name of a lock for mysql
@@ -66,11 +63,8 @@ class iTopMutex
$this->sDBName = $oConfig->Get('db_name');
$sDBSubname = $oConfig->Get('db_subname');
$this->sDBTlsKey = is_null($sDBTlsKey) ? $oConfig->Get('db_tls.key') : $sDBTlsKey;
$this->sDBTlsCert = is_null($sDBTlsCert) ? $oConfig->Get('db_tls.cert') : $sDBTlsCert;
$this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled;
$this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA;
$this->sDBTlsCaPath = is_null($sDBTlsCaPath) ? $oConfig->Get('db_tls.capath') : $sDBTlsCaPath;
$this->sDBTlsCipher = is_null($sDBTlsCypher) ? $oConfig->Get('db_tls.cipher') : $sDBTlsCypher;
$this->bDBTlsVerifyServerCert = is_null($bDBTlsVerifyServerCert) ? $oConfig->Get('db_tls.verify_server_cert') : $bDBTlsVerifyServerCert;
$this->sName = $sName;
@@ -228,7 +222,7 @@ class iTopMutex
}
/**
* Initialiaze database connection. Mandatory attributes must be already set !
* Initialize database connection. Mandatory attributes must be already set !
*
* @throws \Exception
* @throws \MySQLException
@@ -239,17 +233,12 @@ class iTopMutex
$sUser = $this->sDBUser;
$sPwd = $this->sDBPwd;
$sSource = $this->sDBName;
$sTlsKey = $this->sDBTlsKey;
$sTlsCert = $this->sDBTlsCert;
$bTlsEnabled = $this->bDBTlsEnabled;
$sTlsCA = $this->sDBTlsCA;
$sTlsCaPath = $this->sDBTlsCaPath;
$sTlsCipher = $this->sDBTlsCipher;
$bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
$bDBTlsVerifyServerCert = $this->bDBTlsVerifyServerCert;
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource,
$sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
$bTlsVerifyServerCert, $bDBTlsVerifyServerCert);
$this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA,
false, $bTlsVerifyServerCert);
if (!$this->hDBLink)
{

5
setup/applicationinstaller.class.inc.php
View File

@@ -384,11 +384,8 @@ class ApplicationInstaller
'db_name' => $aDBParams['name'],
'new_db_name' => $aDBParams['name'],
'db_prefix' => $aDBParams['prefix'],
'db_tls_key' => $aDBParams['db_tls_key'],
'db_tls_cert' => $aDBParams['db_tls_cert'],
'db_tls_enabled' => $aDBParams['db_tls_enabled'],
'db_tls_ca' => $aDBParams['db_tls_ca'],
'db_tls_capath' => $aDBParams['db_tls_capath'],
'db_tls_cipher' => $aDBParams['db_tls_cipher'],
'application_path' => $oParams->Get('url', ''),
'language' => $oParams->Get('language', ''),
'graphviz_path' => $oParams->Get('graphviz_path', ''),

22
setup/backup.class.inc.php
View File

@@ -550,18 +550,14 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
$sUser = $oConfig->Get('db_user');
$sPwd = $oConfig->Get('db_pwd');
$sSource = $oConfig->Get('db_name');
$sTlsKey = $oConfig->Get('db_tls.key');
$sTlsCert = $oConfig->Get('db_tls.cert');
$sTlsEnabled = $oConfig->Get('db_tls.enabled');
$sTlsCA = $oConfig->Get('db_tls.ca');
$sTlsCaPath = $oConfig->Get('db_tls.capath');
$sTlsCipher = $oConfig->Get('db_tls.cipher');
$bTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert');
try
{
$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource,
$sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
false, $bTlsVerifyServerCert);
$oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA, false,
$bTlsVerifyServerCert);
if ($oMysqli->connect_errno)
{
@@ -621,7 +617,8 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
*/
public static function GetMysqlCliTlsOptions($oConfig)
{
if (!CMDBSource::IsDbConnectionInConfigUsingTls($oConfig))
$bDbTlsEnabled = $oConfig->Get('db_tls.enabled');
if (!$bDbTlsEnabled)
{
return '';
}
@@ -629,12 +626,13 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the "
$sTlsOptions = '';
$sTlsOptions .= ' --ssl';
$sTlsOptions .= self::GetMysqliCliSingleOption('ssl-key', $oConfig->Get('db_tls.key'));
$sTlsOptions .= self::GetMysqliCliSingleOption('ssl-cert', $oConfig->Get('db_tls.cert'));
// ssl-key parameter : not implemented
// ssl-cert parameter : not implemented
$sTlsOptions .= self::GetMysqliCliSingleOption('ssl-ca', $oConfig->Get('db_tls.ca'));
$sTlsOptions .= self::GetMysqliCliSingleOption('ssl-cipher', $oConfig->Get('db_tls.cipher'));
$sTlsOptions .= self::GetMysqliCliSingleOption('ssl-capath', $oConfig->Get('db_tls.capath'));
// ssl-cipher parameter : not implemented
// ssl-capath parameter : not implemented
return $sTlsOptions;
}

172
setup/setuputils.class.inc.php
View File

@@ -845,11 +845,8 @@ class SetupUtils
'db_pwd' => $oPrevConf->Get('db_pwd'),
'db_name' => $oPrevConf->Get('db_name'),
'db_prefix' => $oPrevConf->Get('db_subname'),
'db_tls_key' => $oPrevConf->Get('db_tls.key'),
'db_tls_cert' => $oPrevConf->Get('db_tls.cert'),
'db_tls_enabled' => $oPrevConf->Get('db_tls.enabled'),
'db_tls_ca' => $oPrevConf->Get('db_tls.ca'),
'db_tls_capath' => $oPrevConf->Get('db_tls.capath'),
'db_tls_cipher' => $oPrevConf->Get('db_tls.cipher'),
'graphviz_path' => $oPrevConf->Get('graphviz_path'),
);
}
@@ -890,16 +887,13 @@ class SetupUtils
* @param string $sDBPwd
* @param string $sDBName
* @param string $sDBPrefix
* @param string $sTlsKey
* @param string $sTlsCert
* @param string $bTlsEnabled
* @param string $sTlsCA
* @param string $sTlsCaPath
* @param string $sTlsCypher
* @param string $sNewDBName
*/
static function DisplayDBParameters(
$oPage, $bAllowDBCreation, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsKey, $sTlsCert, $sTlsCA,
$sTlsCaPath, $sTlsCypher, $sNewDBName = ''
$oPage, $bAllowDBCreation, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $bTlsEnabled, $sTlsCA,
$sNewDBName = ''
) {
$oPage->add('<tr><td colspan="2">');
$oPage->add('<fieldset><legend>Database Server Connection</legend>');
@@ -913,29 +907,16 @@ class SetupUtils
$oPage->add('</tbody>');
//-- TLS params (N°1260)
$sTlsEnabledChecked = $bTlsEnabled ? ' checked' : '';
$sTlsCaDisabled = $bTlsEnabled ? '' : ' disabled';
$oPage->add('<tbody id="tls_options">');
$oPage->add('<tr><th colspan="3" style="text-align: left;"><label style="margin: 1em;"><img id="db_tls_img">Use encrypted connection with TLS</label></th></tr>');
$oPage->add('<tr><td colspan="3" style="background-color: #f9e0df; padding: 1em; border: 1px solid #950303; color: #950303;">Before configuring MySQL with TLS encryption, read the documentation <a href="https://wiki.openitop.org/doku.php?id=2_4_0:install:php_and_mysql_tls" target="_blank">on Combodo\'s Wiki</a></td>');
$oPage->add('<tr><td>SSL Key:</td>');
$oPage->add('<td><input id="db_tls_key" autocomplete="off" type="text" name="db_tls_key" value="'.htmlentities($sTlsKey,
ENT_QUOTES, 'UTF-8').'" size="15"/></td>');
$oPage->add('<td>Path to client key file for SSL</td></tr>');
$oPage->add('<tr><td>SSL CERT:</td>');
$oPage->add('<td><input id="db_tls_cert" autocomplete="off" type="text" name="db_tls_cert" value="'.htmlentities($sTlsCert,
ENT_QUOTES, 'UTF-8').'" size="15"/></td>');
$oPage->add('<td>Path to client certificate file for SSL</td></tr>');
$oPage->add('<tr><th colspan="3" style="text-align: left;"><label style="margin: 1em; font-weight: normal; font-style: italic;"><img id="db_tls_img">Use TLS encrypted connection</label></th></tr>');
$oPage->add('<tr><td colspan="3" style="background-color: #f9e0df; padding: 1em; border: 1px solid #950303; color: #950303;">Before configuring MySQL with TLS encryption, read the documentation <a href="https://wiki.openitop.org/doku.php?id=2_4_0:install:php_and_mysql_tls" target="_blank">on Combodo\'s Wiki</a></td></tr>');
$oPage->add('<tr><td colspan="3"><label><input id="db_tls_enabled" type="checkbox"'.$sTlsEnabledChecked.' name="db_tls_enabled" value="1"> Encrypted connection enabled</label></td></tr>');
$oPage->add('<tr><td>SSL CA:</td>');
$oPage->add('<td><input id="db_tls_ca" autocomplete="off" type="text" name="db_tls_ca" value="'.htmlentities($sTlsCA,
ENT_QUOTES, 'UTF-8').'" size="15"/></td>');
ENT_QUOTES, 'UTF-8').'" size="15"'.$sTlsCaDisabled.'></td>');
$oPage->add('<td>Path to certificate authority file for SSL</td></tr>');
$oPage->add('<tr><td>SSL CA path:</td>');
$oPage->add('<td><input id="db_tls_capath" autocomplete="off" type="text" name="db_tls_capath" value="'.htmlentities($sTlsCaPath,
ENT_QUOTES, 'UTF-8').'" size="15"/></td>');
$oPage->add('<td></td></td></tr>');
$oPage->add('<tr><td>SSL cypher:</td>');
$oPage->add('<td><input id="db_tls_cipher" autocomplete="off" type="text" name="db_tls_cipher" value="'.htmlentities($sTlsCypher,
ENT_QUOTES, 'UTF-8').'" size="15"/></td>');
$oPage->add('<td>Optional : separated list of permissible cyphers to use for SSL encryption</td></tr>');
$oPage->add('</tbody>');
$oPage->add('</table>');
@@ -981,7 +962,6 @@ function updateTlsImage() {
}
EOF
);
$bTlsEnabled = CMDBSource::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA);
if (!$bTlsEnabled)
{
$oPage->add_ready_script('toggleTlsOptions();');
@@ -991,6 +971,10 @@ EOF
$("tbody#tls_options>tr>th>label").click(function() {
toggleTlsOptions();
});
$("#db_tls_enabled").click(function() {
var bTlsEnabled = $("#db_tls_enabled").is(":checked");
$("#db_tls_ca").prop("disabled", !bTlsEnabled);
});
updateTlsImage();
EOF
);
@@ -1019,11 +1003,8 @@ function DoCheckDBConnection()
'db_user': $("#db_user").val(),
'db_pwd': $("#db_pwd").val(),
'db_name': $("#db_name").val(),
'db_tls_key': $("input#db_tls_key").val(),
'db_tls_cert': $("input#db_tls_cert").val(),
'db_tls_enabled': $("input#db_tls_enabled").val(),
'db_tls_ca': $("input#db_tls_ca").val(),
'db_tls_capath': $("input#db_tls_capath").val(),
'db_tls_cypher': $("input#db_tls_cypher").val()
}
if ((oXHRCheckDB != null) && (oXHRCheckDB != undefined))
{
@@ -1111,7 +1092,7 @@ EOF
<<<EOF
DoCheckDBConnection(); // Validate the initial values immediately
$("table#table_db_options").on("keyup change", "tr>td>input", function() { CheckDBConnection(); });
$("table#table_db_options").on("keyup change", "tr>td input", function() { CheckDBConnection(); });
$("#db_new_name").on("click keyup change", function() { $("#create_db").attr("checked", "checked"); WizardUpdateButtons(); });
$("#db_name").on("click keyup change", function() { $("#existing_db").attr("checked", "checked"); WizardUpdateButtons(); });
@@ -1130,33 +1111,21 @@ EOF
* @param string $sDBServer
* @param string $sDBUser
* @param string $sDBPwd
* @param string $sTlsKey
* @param string $sTlsCert
* @param bool $bTlsEnabled
* @param string $sTlsCA
* @param string $sTlsCaPath
* @param string $sTlsCipher
*
* @return bool|array false if the connection failed or array('checks' => Array of CheckResult, 'databases' =>
* Array of database names (as strings) or null if not allowed)
*/
static function CheckDbServer(
$sDBServer, $sDBUser, $sDBPwd, $sTlsKey = null, $sTlsCert = null, $sTlsCA = null, $sTlsCaPath = null,
$sTlsCipher = null
$sDBServer, $sDBUser, $sDBPwd, $bTlsEnabled = false, $sTlsCA = null
)
{
$aResult = array('checks' => array(), 'databases' => null);
if (CMDBSource::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA))
if ($bTlsEnabled)
{
if (!self::CheckFileExists($sTlsKey, $aResult, 'Can\'t open SSL Key file'))
{
return $aResult;
}
if (!self::CheckFileExists($sTlsCert, $aResult, 'Can\'t open SSL Cert file'))
{
return $aResult;
}
if (!self::CheckFileExists($sTlsCA, $aResult, 'Can\'t open SSL CA file'))
if (!empty($sTlsCA) && !self::CheckFileExists($sTlsCA, $aResult, 'Can\'t open SSL CA file'))
{
return $aResult;
}
@@ -1165,48 +1134,50 @@ EOF
try
{
$oDBSource = new CMDBSource;
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher,
false);
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA, false);
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Connection to '$sDBServer' as '$sDBUser' successful.");
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "Info - User privileges: ".($oDBSource->GetRawPrivileges()));
$bHasDbVersionRequired = self::CheckDbServerVersion($aResult, $oDBSource);
if ($bHasDbVersionRequired)
if (!$bHasDbVersionRequired)
{
// Check some server variables
$iMaxAllowedPacket = $oDBSource->GetServerVariable('max_allowed_packet');
$iMaxUploadSize = utils::ConvertToBytes(ini_get('upload_max_filesize'));
if ($iMaxAllowedPacket >= (500 + $iMaxUploadSize)) // Allow some space for the query + the file to upload
{
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is big enough compared to upload_max_filesize ($iMaxUploadSize).");
}
else if($iMaxAllowedPacket < $iMaxUploadSize)
{
$aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is not big enough. Please, consider setting it to at least ".(500 + $iMaxUploadSize).".");
}
return $aResult;
}
$iMaxConnections = $oDBSource->GetServerVariable('max_connections');
if ($iMaxConnections < 5)
{
$aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_connections ($iMaxConnections) is not enough. Please, consider setting it to at least 5.");
}
else
{
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_connections is set to $iMaxConnections.");
}
// Check some server variables
$iMaxAllowedPacket = $oDBSource->GetServerVariable('max_allowed_packet');
$iMaxUploadSize = utils::ConvertToBytes(ini_get('upload_max_filesize'));
if ($iMaxAllowedPacket >= (500 + $iMaxUploadSize)) // Allow some space for the query + the file to upload
{
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is big enough compared to upload_max_filesize ($iMaxUploadSize).");
}
else if($iMaxAllowedPacket < $iMaxUploadSize)
{
$aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is not big enough. Please, consider setting it to at least ".(500 + $iMaxUploadSize).".");
}
$iInnodbLargePrefix = $oDBSource->GetServerVariable('innodb_large_prefix');
$bInnodbLargePrefix = ($iInnodbLargePrefix == 1);
if (!$bInnodbLargePrefix)
{
$aResult['checks'][] = new CheckResult(CheckResult::ERROR,
"MySQL variable innodb_large_prefix is set to false, but must be set to true ! Otherwise this will limit indexes size and cause issues (iTop charset is utf8mb4).");
}
else
{
$aResult['checks'][] = new CheckResult(CheckResult::INFO,
"MySQL innodb_large_prefix is active, so the iTop charset utf8mb4 can be used.");
}
$iMaxConnections = $oDBSource->GetServerVariable('max_connections');
if ($iMaxConnections < 5)
{
$aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_connections ($iMaxConnections) is not enough. Please, consider setting it to at least 5.");
}
else
{
$aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_connections is set to $iMaxConnections.");
}
// innodb_large_prefix : since 2.5 #1001 utf8mb4 switch
$iInnodbLargePrefix = $oDBSource->GetServerVariable('innodb_large_prefix');
$bInnodbLargePrefix = ($iInnodbLargePrefix == 1);
if (!$bInnodbLargePrefix)
{
$aResult['checks'][] = new CheckResult(CheckResult::ERROR,
"MySQL variable innodb_large_prefix is set to false, but must be set to true ! Otherwise this will limit indexes size and cause issues (iTop charset is utf8mb4).");
}
else
{
$aResult['checks'][] = new CheckResult(CheckResult::INFO,
"MySQL innodb_large_prefix is active, so the iTop charset utf8mb4 can be used.");
}
try
@@ -1290,23 +1261,18 @@ EOF
* @param string $sDBServer
* @param string $sDBUser
* @param string $sDBPwd
* @param string $sTlsKey
* @param string $sTlsCert
* @param bool $bTlsEnabled
* @param string $sTlsCa
* @param string $sTlsCapath
*
* @param string $sTlsCipher
*
* @return string
* @throws \MySQLException
*/
static public function GetMySQLVersion(
$sDBServer, $sDBUser, $sDBPwd, $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCapath = null,
$sTlsCipher = null
$sDBServer, $sDBUser, $sDBPwd, $bTlsEnabled = false, $sTlsCa = null
)
{
$oDBSource = new CMDBSource;
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCa, $sTlsCapath, $sTlsCipher);
$oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa, false);
$sDBVersion = $oDBSource->GetDBVersion();
return $sDBVersion;
}
@@ -1317,16 +1283,12 @@ EOF
$sDBUser = $aParameters['db_user'];
$sDBPwd = $aParameters['db_pwd'];
$sDBName = $aParameters['db_name'];
$sTlsKey = (isset($aParameters['db_tls_key'])) ? $aParameters['db_tls_key'] : null;
$sTlsCert = isset($aParameters['db_tls_cert']) ? $aParameters['db_tls_cert'] : null;
$sTlsEnabled = (isset($aParameters['db_tls_enabled'])) ? $aParameters['db_tls_enabled'] : null;
$sTlsCA = (isset($aParameters['db_tls_ca'])) ? $aParameters['db_tls_ca'] : null;
$sTlsCaPath = (isset($aParameters['db_tls_capath'])) ? $aParameters['db_tls_capath'] : null;
$sTlsCipher = (isset($aParameters['db_tls_cipher'])) ? $aParameters['db_tls_cipher'] : null;
$oPage->add_ready_script('oXHRCheckDB = null;');
$checks = SetupUtils::CheckDbServer($sDBServer, $sDBUser, $sDBPwd, $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath,
$sTlsCipher);
$checks = SetupUtils::CheckDbServer($sDBServer, $sDBUser, $sDBPwd, $sTlsEnabled, $sTlsCA);
if ($checks === false)
{
@@ -1469,11 +1431,8 @@ EOF
'db_pwd' => $oWizard->GetParameter('db_pwd', ''),
'db_name' => $oWizard->GetParameter('db_name', ''),
'db_prefix' => $oWizard->GetParameter('db_prefix', ''),
'db_tls_key' => $oWizard->GetParameter('db_tls_key', ''),
'db_tls_cert' => $oWizard->GetParameter('db_tls_cert', ''),
'db_tls_enabled' => $oWizard->GetParameter('db_tls_enabled', false),
'db_tls_ca' => $oWizard->GetParameter('db_tls_ca', ''),
'db_tls_capath' => $oWizard->GetParameter('db_tls_capath', ''),
'db_tls_cipher' => $oWizard->GetParameter('db_tls_cipher', ''),
'source_dir' => $sRelativeSourceDir,
);
$oConfig->UpdateFromParams($aParamValues, null);
@@ -1524,11 +1483,8 @@ EOF
'db_pwd' => $oWizard->GetParameter('db_pwd', ''),
'db_name' => $oWizard->GetParameter('db_name', ''),
'db_prefix' => $oWizard->GetParameter('db_prefix', ''),
'db_tls_key' => $oWizard->GetParameter('db_tls_key', ''),
'db_tls_cert' => $oWizard->GetParameter('db_tls_cert', ''),
'db_tls_enabled' => $oWizard->GetParameter('db_tls_enabled', false),
'db_tls_ca' => $oWizard->GetParameter('db_tls_ca', ''),
'db_tls_capath' => $oWizard->GetParameter('db_tls_capath', ''),
'db_tls_cipher' => $oWizard->GetParameter('db_tls_cipher', ''),
'source_dir' => '',
);
$oConfig->UpdateFromParams($aParamValues, null);

54
setup/wizardsteps.class.inc.php
View File

@@ -177,11 +177,8 @@ class WizStepInstallOrUpgrade extends WizardStep
$this->oWizard->SaveParameter('db_prefix', '');
$this->oWizard->SaveParameter('db_backup', false);
$this->oWizard->SaveParameter('db_backup_path', '');
$this->oWizard->SaveParameter('db_tls_key', '');
$this->oWizard->SaveParameter('db_tls_cert', '');
$this->oWizard->SaveParameter('db_tls_enabled', false);
$this->oWizard->SaveParameter('db_tls_ca', '');
$this->oWizard->SaveParameter('db_tls_capath', '');
$this->oWizard->SaveParameter('db_tls_cipher', '');
if ($sInstallMode == 'install')
{
@@ -210,11 +207,8 @@ class WizStepInstallOrUpgrade extends WizardStep
$sDBPrefix = $this->oWizard->GetParameter('db_prefix', '');
$bDBBackup = $this->oWizard->GetParameter('db_backup', false);
$sDBBackupPath = $this->oWizard->GetParameter('db_backup_path', '');
$sTlsKey = $this->oWizard->GetParameter('db_tls_key', '');
$sTlsCert = $this->oWizard->GetParameter('db_tls_cert', '');
$sTlsEnabled = $this->oWizard->GetParameter('db_tls_enabled', false);
$sTlsCA = $this->oWizard->GetParameter('db_tls_ca', '');
$sTlsCaPath = $this->oWizard->GetParameter('db_tls_capath', '');
$sTlsCypher = $this->oWizard->GetParameter('db_tls_cipher', '');
$sPreviousVersionDir = '';
if ($sInstallMode == '')
{
@@ -229,11 +223,8 @@ class WizStepInstallOrUpgrade extends WizardStep
$sDBPwd = $aPreviousInstance['db_pwd'];
$sDBName = $aPreviousInstance['db_name'];
$sDBPrefix = $aPreviousInstance['db_prefix'];
$sTlsKey = $aPreviousInstance['db_tls_key'];
$sTlsCert = $aPreviousInstance['db_tls_cert'];
$sTlsEnabled = $aPreviousInstance['db_tls_enabled'];
$sTlsCA = $aPreviousInstance['db_tls_ca'];
$sTlsCaPath = $aPreviousInstance['db_tls_capath'];
$sTlsCypher = $aPreviousInstance['db_tls_cipher'];
$this->oWizard->SaveParameter('graphviz_path', $aPreviousInstance['graphviz_path']);
$sPreviousVersionDir = APPROOT;
}
@@ -259,8 +250,8 @@ class WizStepInstallOrUpgrade extends WizardStep
$oPage->add('<table id="upgrade_info"'.$sUpgradeInfoStyle.'>');
$oPage->add('<tr><td>Location on the disk:</td><td><input id="previous_version_dir" type="text" name="previous_version_dir" value="'.htmlentities($sPreviousVersionDir,
ENT_QUOTES, 'UTF-8').'" style="width: 98%;"/></td></tr>');
SetupUtils::DisplayDBParameters($oPage, false, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsKey,
$sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCypher, null);
SetupUtils::DisplayDBParameters($oPage, false, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix,
$sTlsEnabled, $sTlsCA, null);
$aBackupChecks = SetupUtils::CheckBackupPrerequisites($sDBBackupPath);
$bCanBackup = true;
@@ -639,11 +630,9 @@ EOF
$this->oWizard->GetParameter('db_server', ''),
$this->oWizard->GetParameter('db_user', ''),
$this->oWizard->GetParameter('db_pwd', ''),
$this->oWizard->GetParameter('db_tls_key', ''),
$this->oWizard->GetParameter('db_tls_cert', ''),
$this->oWizard->GetParameter('db_tls_enabled', ''),
$this->oWizard->GetParameter('db_tls_ca', ''),
$this->oWizard->GetParameter('db_tls_capath', ''),
$this->oWizard->GetParameter('db_tls_cypher', '')
false
);
if ($oMutex->IsLocked())
{
@@ -777,11 +766,8 @@ class WizStepDBParams extends WizardStep
$this->oWizard->SaveParameter('new_db_name', '');
$this->oWizard->SaveParameter('create_db', '');
$this->oWizard->SaveParameter('db_new_name', '');
$this->oWizard->SaveParameter('db_tls_key', '');
$this->oWizard->SaveParameter('db_tls_cert', '');
$this->oWizard->SaveParameter('db_tls_enabled', false);
$this->oWizard->SaveParameter('db_tls_ca', '');
$this->oWizard->SaveParameter('db_tls_capath', '');
$this->oWizard->SaveParameter('db_tls_cipher', '');
return array('class' => 'WizStepAdminAccount', 'state' => '');
}
@@ -794,16 +780,13 @@ class WizStepDBParams extends WizardStep
$sDBPwd = $this->oWizard->GetParameter('db_pwd', '');
$sDBName = $this->oWizard->GetParameter('db_name', '');
$sDBPrefix = $this->oWizard->GetParameter('db_prefix', '');
$sNewDBName = $this->oWizard->GetParameter('db_new_name', false);
$sTlsKey = $this->oWizard->GetParameter('db_tls_key', '');
$sTlsCert = $this->oWizard->GetParameter('db_tls_cert', '');
$sTlsEnabled = $this->oWizard->GetParameter('db_tls_enabled', '');
$sTlsCA = $this->oWizard->GetParameter('db_tls_ca', '');
$sTlsCaPath = $this->oWizard->GetParameter('db_tls_capath', '');
$sTlsCypher = $this->oWizard->GetParameter('db_tls_cipher', '');
$sNewDBName = $this->oWizard->GetParameter('db_new_name', false);
$oPage->add('<table>');
SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsKey,
$sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCypher, $sNewDBName);
SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsEnabled,
$sTlsCA, $sNewDBName);
$oPage->add('</table>');
$sCreateDB = $this->oWizard->GetParameter('create_db', 'yes');
if ($sCreateDB == 'no')
@@ -2343,11 +2326,8 @@ EOF
'user' => $this->oWizard->GetParameter('db_user'),
'pwd' => $this->oWizard->GetParameter('db_pwd'),
'name' => $sDBName,
'db_tls_key' => $this->oWizard->GetParameter('db_tls_key'),
'db_tls_cert' => $this->oWizard->GetParameter('db_tls_cert'),
'db_tls_enabled' => $this->oWizard->GetParameter('db_tls_enabled'),
'db_tls_ca' => $this->oWizard->GetParameter('db_tls_ca'),
'db_tls_capath' => $this->oWizard->GetParameter('db_tls_capath'),
'db_tls_cipher' => $this->oWizard->GetParameter('db_tls_cipher'),
'prefix' => $this->oWizard->GetParameter('db_prefix'),
),
'url' => $this->oWizard->GetParameter('application_url'),
@@ -2552,11 +2532,9 @@ class WizStepDone extends WizardStep
$this->oWizard->GetParameter('db_server'),
$this->oWizard->GetParameter('db_user'),
$this->oWizard->GetParameter('db_pwd'),
$this->oWizard->GetParameter('db_tls_key'),
$this->oWizard->GetParameter('db_tls_cert'),
$this->oWizard->GetParameter('db_tls_ca'),
$this->oWizard->GetParameter('db_tls_capath'),
$this->oWizard->GetParameter('db_tls_cipher'));
$this->oWizard->GetParameter('db_tls_enabled'),
$this->oWizard->GetParameter('db_tls_ca')
);
$aParameters = json_decode($this->oWizard->GetParameter('selected_components', '{}'), true);
$sCompactWizChoices = array();
foreach($aParameters as $iStep => $aChoices)

13
test/setup/DBBackupTest.php
View File

@@ -18,19 +18,18 @@ class DBBackupTest extends ItopTestCase
public function testGetMysqlCliTlsOptions()
{
$oConfig = new Config();
$oConfig->Set('db_tls.key', 'key');
$oConfig->Set('db_tls.cert', 'cert');
$oConfig->Set('db_tls.enabled', false);
$sCliArgsNoTls = \DBBackup::GetMysqlCliTlsOptions($oConfig);
$this->assertEmpty($sCliArgsNoTls);
$oConfig->Set('db_tls.ca', 'ca');
$oConfig->Set('db_tls.enabled', true);
$sCliArgsMinCfg = \DBBackup::GetMysqlCliTlsOptions($oConfig);
$this->assertEquals(' --ssl --ssl-key="key" --ssl-cert="cert" --ssl-ca="ca"', $sCliArgsMinCfg);
$this->assertEquals(' --ssl', $sCliArgsMinCfg);
$oConfig->Set('db_tls.capath', 'capath');
$sTestCa = 'my_test_ca';
$oConfig->Set('db_tls.ca', $sTestCa);
$sCliArgsCapathCfg = \DBBackup::GetMysqlCliTlsOptions($oConfig);
$this->assertEquals(' --ssl --ssl-key="key" --ssl-cert="cert" --ssl-ca="ca" --ssl-capath="capath"',
$sCliArgsCapathCfg);
$this->assertEquals(' --ssl --ssl-ca="'.$sTestCa.'"', $sCliArgsCapathCfg);
}
}