config update for tls files and mysql register tls config

2024-06-06 08:13:05 +10:00 · 2024-06-06 08:13:05 +10:00 · 7ddfd1b9c2
parent acdcfcc6eb
commit 7ddfd1b9c2
1 changed files with 48 additions and 0 deletions
--- a/modules/setting/database.go
+++ b/modules/setting/database.go
@ -4,8 +4,11 @@
 package setting

 import (
+	gotls "crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"github.com/go-sql-driver/mysql"
 	"net"
 	"net/url"
 	"os"
@ -32,6 +35,9 @@ var (
 		Passwd            string
 		Schema            string
 		SSLMode           string
+		SSLCAFile         string
+		SSLCertFile       string
+		SSLKeyFile        string
 		Path              string
 		LogSQL            bool
 		MysqlCharset      string
@ -69,6 +75,12 @@ func loadDBSetting(rootCfg ConfigProvider) {
 	Database.SSLMode = sec.Key("SSL_MODE").MustString("disable")
 	Database.MysqlCharset = sec.Key("MYSQL_CHARSET").MustString("utf8mb4") // do not document it, end users won't need it.

+	if Database.SSLMode != "disable" {
+		Database.SSLCAFile = sec.Key("SSL_CA_FILE").String()
+		Database.SSLCertFile = sec.Key("SSL_CERT_FILE").String()
+		Database.SSLKeyFile = sec.Key("SSL_KEY_FILE").String()
+	}
+
 	Database.Path = sec.Key("PATH").MustString(filepath.Join(AppDataPath, "gitea.db"))
 	Database.Timeout = sec.Key("SQLITE_TIMEOUT").MustInt(500)
 	Database.SQLiteJournalMode = sec.Key("SQLITE_JOURNAL_MODE").MustString("")
@ -88,6 +100,37 @@ func loadDBSetting(rootCfg ConfigProvider) {
 	Database.AutoMigration = sec.Key("AUTO_MIGRATION").MustBool(true)
 }

+func mysqlRegisterTLSConfig(name string) error {
+	var (
+		pem  []byte
+		err  error
+		ok   bool
+		cert gotls.Certificate
+	)
+
+	rootCertPool := x509.NewCertPool()
+	if pem, err = os.ReadFile(Database.SSLCAFile); err != nil {
+		return err
+	}
+
+	if ok = rootCertPool.AppendCertsFromPEM(pem); !ok {
+		return fmt.Errorf("failed to append cert to cert pool")
+	}
+
+	clientCert := make([]gotls.Certificate, 0, 1)
+	if cert, err = gotls.LoadX509KeyPair(Database.SSLCertFile, Database.SSLKeyFile); err != nil {
+		return err
+	}
+
+	clientCert = append(clientCert, cert)
+	err = mysql.RegisterTLSConfig(name, &gotls.Config{
+		Certificates: clientCert,
+		RootCAs:      rootCertPool,
+	})
+
+	return err
+}
+
 // DBConnStr returns database connection string
 func DBConnStr() (string, error) {
 	var connStr string
@ -104,6 +147,11 @@ func DBConnStr() (string, error) {
 		tls := Database.SSLMode
 		if tls == "disable" { // allow (Postgres-inspired) default value to work in MySQL
 			tls = "false"
+		} else if Database.SSLCAFile != "" && Database.SSLCertFile != "" && Database.SSLKeyFile != "" {
+			if err := mysqlRegisterTLSConfig("full"); err != nil {
+				return "", err
+			}
+			tls = "full"
 		}
 		connStr = fmt.Sprintf("%s:%s@%s(%s)/%s%scharset=%s&parseTime=true&tls=%s",
 			Database.User, Database.Passwd, connType, Database.Host, Database.Name, paramSep, Database.MysqlCharset, tls)