From: Lee Clemens
Date: Thu, 21 Jan 2016 02:51:00 +0000 (-0500)
Subject: Add SSL support for the IdoMysqlConnection feature
X-Git-Tag: v2.5.0~347
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=70505299764e72340e52e2c6c407d9553f289656;p=icinga2
Add SSL support for the IdoMysqlConnection feature fixes #9725
Signed-off-by: Michael Friedrich
---
diff --git a/doc/6-object-types.md b/doc/6-object-types.md
index e4826d838..54fb0e0e9 100644
--- a/doc/6-object-types.md
+++ b/doc/6-object-types.md
@@ -691,6 +691,12 @@ Configuration Attributes:
  user |**Optional.** MySQL database user with read/write permission to the icinga database. Defaults to "icinga".
  password |**Optional.** MySQL database user's password. Defaults to "icinga".
  database |**Optional.** MySQL database name. Defaults to "icinga".
+ enable\_ssl |**Optional.** Use SSL. Defaults to false. Change to `true` in case you want to use any of the SSL options.
+ ssl\_key |**Optional.** MySQL SSL client key file path.
+ ssl\_cert |**Optional.** MySQL SSL certificate file path.
+ ssl\_ca |**Optional.** MySQL SSL certificate authority certificate file path.
+ ssl\_capath |**Optional.** MySQL SSL trusted SSL CA certificates in PEM format directory path.
+ ssl\_cipher |**Optional.** MySQL SSL list of allowed ciphers.
  table\_prefix |**Optional.** MySQL database table prefix. Defaults to "icinga\_".
  instance\_name |**Optional.** Unique identifier for the local Icinga 2 instance. Defaults to "default".
  instance\_description|**Optional.** Description for the Icinga 2 instance.
diff --git a/lib/db_ido_mysql/idomysqlconnection.cpp b/lib/db_ido_mysql/idomysqlconnection.cpp
index 56c2767a8..1d2317d34 100644
--- a/lib/db_ido_mysql/idomysqlconnection.cpp
+++ b/lib/db_ido_mysql/idomysqlconnection.cpp
@@ -187,7 +187,10 @@ void IdoMysqlConnection::Reconnect(void)
  ClearIDCache();
  String ihost, isocket_path, iuser, ipasswd, idb;
+ String isslKey, isslCert, isslCa, isslCaPath, isslCipher;
  const char *host, *socket_path, *user , *passwd, *db;
+ const char *sslKey, *sslCert, *sslCa, *sslCaPath, *sslCipher;
+ bool enableSsl;
  long port;
  ihost = GetHost();
@@ -196,6 +199,13 @@ void IdoMysqlConnection::Reconnect(void)
  ipasswd = GetPassword();
  idb = GetDatabase();
+ enableSsl = GetEnableSsl();
+ isslKey = GetSslKey();
+ isslCert = GetSslCert();
+ isslCa = GetSslCa();
+ isslCaPath = GetSslCapath();
+ isslCipher = GetSslCipher();
+
  host = (!ihost.IsEmpty()) ? ihost.CStr() : NULL;
  port = GetPort();
  socket_path = (!isocket_path.IsEmpty()) ? isocket_path.CStr() : NULL;
@@ -203,6 +213,12 @@ void IdoMysqlConnection::Reconnect(void)
  passwd = (!ipasswd.IsEmpty()) ? ipasswd.CStr() : NULL;
  db = (!idb.IsEmpty()) ? idb.CStr() : NULL;
+ sslKey = (!isslKey.IsEmpty()) ? isslKey.CStr() : NULL;
+ sslCert = (!isslCert.IsEmpty()) ? isslCert.CStr() : NULL;
+ sslCa = (!isslCa.IsEmpty()) ? isslCa.CStr() : NULL;
+ sslCaPath = (!isslCaPath.IsEmpty()) ? isslCaPath.CStr() : NULL;
+ sslCipher = (!isslCipher.IsEmpty()) ? isslCipher.CStr() : NULL;
+
  /* connection */
  if (!mysql_init(&m_Connection)) {
  Log(LogCritical, "IdoMysqlConnection")
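Review bot: The five ssl_* attributes are read unconditionally in the `isslKey = GetSslKey();` … `isslCipher = GetSslCipher();` run of the second hunk, but they only reach the client library behind the `if (enableSsl)` guard added in the later hunk, so a deployment that configures `ssl_ca` and forgets `enable_ssl = true` connects in plaintext without any hint in the log. A check right after the reads would surface that misconfiguration: `if (!enableSsl && (!isslKey.IsEmpty() || !isslCert.IsEmpty() || !isslCa.IsEmpty() || !isslCaPath.IsEmpty() || !isslCipher.IsEmpty()))` followed by `Log(LogWarning, "IdoMysqlConnection", "SSL options are configured but enable_ssl is false; they are ignored.");`. Reconnect() starts before the first of these hunks and continues after the third.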
@@ -211,10 +227,13 @@ void IdoMysqlConnection::Reconnect(void)
  BOOST_THROW_EXCEPTION(std::bad_alloc());
  }
+ if (enableSsl)
+ mysql_ssl_set(&m_Connection, sslKey, sslCert, sslCa, sslCaPath, sslCipher);
+
  if (!mysql_real_connect(&m_Connection, host, user, passwd, db, port, socket_path, CLIENT_FOUND_ROWS | CLIENT_MULTI_STATEMENTS)) {
  Log(LogCritical, "IdoMysqlConnection")
  << "Connection to database '" << db << "' with user '" << user << "' on '" << host << ":" << port
- << "' failed: \"" << mysql_error(&m_Connection) << "\"";
+ << "' " << (enableSsl ? "(SSL enabled) " : "") << "failed: \"" << mysql_error(&m_Connection) << "\"";
  BOOST_THROW_EXCEPTION(std::runtime_error(mysql_error(&m_Connection)));
  }
diff --git a/lib/db_ido_mysql/idomysqlconnection.ti b/lib/db_ido_mysql/idomysqlconnection.ti
index 40917c15c..434fdc1e4 100644
--- a/lib/db_ido_mysql/idomysqlconnection.ti
+++ b/lib/db_ido_mysql/idomysqlconnection.ti
@@ -42,6 +42,12 @@ class IdoMysqlConnection : DbConnection
  [config] String database {
  default {{{ return "icinga"; }}}
  };
+ [config] bool enable_ssl;
+ [config] String ssl_key;
+ [config] String ssl_cert;
+ [config] String ssl_ca;
+ [config] String ssl_capath;
+ [config] String ssl_cipher;
  [config] String instance_name {
  default {{{ return "default"; }}}
  };
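Review bot: `mysql_ssl_set()` only hands the SSL parameters to the client library; nothing in this hunk verifies that the session `mysql_real_connect()` then establishes is actually encrypted, and as far as I know older MySQL/MariaDB client libraries treat those parameters as a request and silently fall back to a plaintext connection when the server does not offer SSL, without `mysql_real_connect()` failing. Since `enable_ssl` expresses that the operator requires encryption, the success path (right after the `if (!mysql_real_connect(...))` block, outside this hunk) should treat a NULL result from `mysql_get_ssl_cipher(&m_Connection)` as a failure and tear the connection down, as sketched below. Where the client library supports it, setting `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` (or `MYSQL_OPT_SSL_MODE` on newer clients) via `mysql_options()` before connecting would additionally bind the server certificate to the configured host; that needs its own config attribute and can be a follow-up. Reconnect() begins before this hunk and continues after it.
```cpp
// … unchanged: mysql_real_connect() failure branch …
if (enableSsl && mysql_get_ssl_cipher(&m_Connection) == NULL) {
	Log(LogCritical, "IdoMysqlConnection")
	    << "Connection to database '" << db << "' on '" << host << ":" << port
	    << "' was established without SSL although enable_ssl is set.";
	mysql_close(&m_Connection);
	BOOST_THROW_EXCEPTION(std::runtime_error("MySQL connection is not SSL encrypted"));
}
```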
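Review bot: `[config] bool enable_ssl;` in the .ti hunk relies on the generated default, while the documentation hunk states "Defaults to false" and the neighbouring `database` and `instance_name` attributes spell their defaults out; an explicit `[config] bool enable_ssl { default {{{ return false; }}} };` would make the documented default visible at the declaration and independent of how the class generator initialises plain fields. Presumably the field is zero-initialised today, so this is a readability point rather than a behavioural one.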