[icinga-checkins] icinga.org: icinga2/feature/mysql-ssl-9725: Add SSL support to MySQL connections via IDO

git at icinga.org git at icinga.org
Mon Feb 8 13:10:16 CET 2016


Module: icinga2
Branch: feature/mysql-ssl-9725
Commit: 56e2a5726b2663bbca95aa8fcbfbd10fca6f7db0
URL:    https://git.icinga.org/?p=icinga2.git;a=commit;h=56e2a5726b2663bbca95aa8fcbfbd10fca6f7db0

Author: Lee Clemens <java at leeclemens.net>
Date:   Wed Jan 20 21:51:00 2016 -0500

Add SSL support to MySQL connections via IDO

---

 doc/6-object-types.md                            |   12 ++++++++
 etc/icinga2/features-available/ido-mysql.conf    |    6 ++++
 lib/db_ido_mysql/idomysqlconnection.cpp          |   33 ++++++++++++++++++++++
 lib/db_ido_mysql/idomysqlconnection.ti           |    5 ++++
 test/jenkins/files/configs/ido_checkresults.conf |    5 ++++
 5 files changed, 61 insertions(+)

diff --git a/doc/6-object-types.md b/doc/6-object-types.md
index 76cceb9..a7d47eb 100644
--- a/doc/6-object-types.md
+++ b/doc/6-object-types.md
@@ -673,6 +673,13 @@ Example:
       user = "icinga"
       password = "icinga"
       database = "icinga"
+
+      ssl_key = ""
+      ssl_cert = ""
+      ssl_ca = ""
+      ssl_capath = ""
+      ssl_cipher = ""
+
       table_prefix = "icinga_"
       instance_name = "icinga2"
       instance_description = "icinga2 instance"
@@ -695,6 +702,11 @@ Configuration Attributes:
   user            |**Optional.** MySQL database user with read/write permission to the icinga database. Defaults to "icinga".
   password        |**Optional.** MySQL database user's password. Defaults to "icinga".
   database        |**Optional.** MySQL database name. Defaults to "icinga".
+  ssl_key         |**Optional.** MySQL SSL client key file path.
+  ssl_cert        |**Optional.** MySQL SSL certificate file path.
+  ssl_ca          |**Optional.** MySQL SSL Certificate Authority certificate file path.
+  ssl_capath      |**Optional.** MySQL SSL trusted SSL CA certificates in PEM format directory path.
+  ssl_cipher      |**Optional.** MySQL SSL list of permissible ciphers.
   table\_prefix   |**Optional.** MySQL database table prefix. Defaults to "icinga\_".
   instance\_name  |**Optional.** Unique identifier for the local Icinga 2 instance. Defaults to "default".
   instance\_description|**Optional.** Description for the Icinga 2 instance.
diff --git a/etc/icinga2/features-available/ido-mysql.conf b/etc/icinga2/features-available/ido-mysql.conf
index beab89f..34c82f1 100644
--- a/etc/icinga2/features-available/ido-mysql.conf
+++ b/etc/icinga2/features-available/ido-mysql.conf
@@ -10,4 +10,10 @@ object IdoMysqlConnection "ido-mysql" {
   //password = "icinga"
   //host = "localhost"
   //database = "icinga"
+
+  //ssl_key = ""
+  //ssl_cert = ""
+  //ssl_ca = ""
+  //ssl_capath = ""
+  //ssl_cipher = ""
 }
diff --git a/lib/db_ido_mysql/idomysqlconnection.cpp b/lib/db_ido_mysql/idomysqlconnection.cpp
index 56ed3a0..5d98c58 100644
--- a/lib/db_ido_mysql/idomysqlconnection.cpp
+++ b/lib/db_ido_mysql/idomysqlconnection.cpp
@@ -187,7 +187,9 @@ void IdoMysqlConnection::Reconnect(void)
 	ClearIDCache();
 
 	String ihost, isocket_path, iuser, ipasswd, idb;
+	String issl_key, issl_cert, issl_ca, issl_capath, issl_cipher;
 	const char *host, *socket_path, *user , *passwd, *db;
+	const char *ssl_key, *ssl_cert, *ssl_ca, *ssl_capath, *ssl_cipher;
 	long port;
 
 	ihost = GetHost();
@@ -196,6 +198,12 @@ void IdoMysqlConnection::Reconnect(void)
 	ipasswd = GetPassword();
 	idb = GetDatabase();
 
+	issl_key = GetSslKey();
+	issl_cert = GetSslCert();
+	issl_ca = GetSslCa();
+	issl_capath = GetSslCapath();
+	issl_cipher = GetSslCipher();
+
 	host = (!ihost.IsEmpty()) ? ihost.CStr() : NULL;
 	port = GetPort();
 	socket_path = (!isocket_path.IsEmpty()) ? isocket_path.CStr() : NULL;
@@ -203,6 +211,13 @@ void IdoMysqlConnection::Reconnect(void)
 	passwd = (!ipasswd.IsEmpty()) ? ipasswd.CStr() : NULL;
 	db = (!idb.IsEmpty()) ? idb.CStr() : NULL;
 
+	ssl_key = (!issl_key.IsEmpty()) ? issl_key.CStr() : NULL;
+	ssl_cert = (!issl_cert.IsEmpty()) ? issl_cert.CStr() : NULL;
+	ssl_ca = (!issl_ca.IsEmpty()) ? issl_ca.CStr() : NULL;
+	ssl_capath = (!issl_capath.IsEmpty()) ? issl_capath.CStr() : NULL;
+	ssl_cipher = (!issl_cipher.IsEmpty()) ? issl_cipher.CStr() : NULL;
+	bool have_ssl = (ssl_key || ssl_cert || ssl_ca || ssl_capath || ssl_cipher);
+
 	/* connection */
 	if (!mysql_init(&m_Connection)) {
 		Log(LogCritical, "IdoMysqlConnection")
@@ -211,10 +226,28 @@ void IdoMysqlConnection::Reconnect(void)
 		BOOST_THROW_EXCEPTION(std::bad_alloc());
 	}
 
+	if (have_ssl) {
+		mysql_ssl_set(&m_Connection, ssl_key, ssl_cert, ssl_ca, ssl_capath, ssl_cipher);
+	}
+
 	if (!mysql_real_connect(&m_Connection, host, user, passwd, db, port, socket_path, CLIENT_FOUND_ROWS | CLIENT_MULTI_STATEMENTS)) {
 		Log(LogCritical, "IdoMysqlConnection")
 		    << "Connection to database '" << db << "' with user '" << user << "' on '" << host << ":" << port
 		    << "' failed: \"" << mysql_error(&m_Connection) << "\"";
+		Log(LogDebug, "IdoMySqlConnection")
+		    << "Have SSL: " << (have_ssl ? "YES": "NO");
+		if (have_ssl) {
+			Log(LogDebug, "IdoMysqlConnection")
+			    << "ssl_key: " << ssl_key;
+			Log(LogDebug, "IdoMysqlConnection")
+			    << "ssl_cert: " << ssl_cert;
+			Log(LogDebug, "IdoMysqlConnection")
+			    << "ssl_ca: " << ssl_ca;
+			Log(LogDebug, "IdoMysqlConnection")
+			    << "ssl_capath: " << ssl_capath;
+			Log(LogDebug, "IdoMysqlConnection")
+			    << "ssl_cipher: " << ssl_cipher;
+		}
 
 		BOOST_THROW_EXCEPTION(std::runtime_error(mysql_error(&m_Connection)));
 	}
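Review bot: After mysql_real_connect() succeeds nothing confirms that the session is actually encrypted: mysql_ssl_set() only hands key material to the client library, and with the flags passed here a client library or server without SSL support can still complete the handshake in cleartext, so a misconfigured ssl_* attribute degrades to a plaintext connection without any log line. When have_ssl is set, checking mysql_get_ssl_cipher(&m_Connection) after the connect — and, where the linked client library offers it, requesting MYSQL_OPT_SSL_VERIFY_SERVER_CERT through mysql_options() before connecting — would make that failure visible instead of silent. The debug block on the failure path also streams const char* values that may be NULL, since have_ssl is true as soon as any one of the five is set; each `<< ssl_key` should be guarded, e.g. `<< (ssl_key ? ssl_key : "(not set)")`, and the facility string on the first added Log call is `"IdoMySqlConnection"` while every other call in this function uses `"IdoMysqlConnection"`. Reconnect() continues past the end of this hunk.
```cpp
	if (!mysql_real_connect(&m_Connection, host, user, passwd, db, port, socket_path, CLIENT_FOUND_ROWS | CLIENT_MULTI_STATEMENTS)) {
		/* … unchanged: failure logging and BOOST_THROW_EXCEPTION … */
	}

	/* SSL was configured but the library negotiated a cleartext session: fail loudly rather than continue unencrypted. */
	if (have_ssl && !mysql_get_ssl_cipher(&m_Connection)) {
		Log(LogCritical, "IdoMysqlConnection")
		    << "Connection to database '" << (db ? db : "") << "' on '" << (host ? host : "") << ":" << port
		    << "' was established without SSL although SSL options are configured.";
		BOOST_THROW_EXCEPTION(std::runtime_error("MySQL connection is not SSL-protected"));
	}
```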
diff --git a/lib/db_ido_mysql/idomysqlconnection.ti b/lib/db_ido_mysql/idomysqlconnection.ti
index 40917c1..c185e66 100644
--- a/lib/db_ido_mysql/idomysqlconnection.ti
+++ b/lib/db_ido_mysql/idomysqlconnection.ti
@@ -42,6 +42,11 @@ class IdoMysqlConnection : DbConnection
 	[config] String database {
 		default {{{ return "icinga"; }}}
 	};
+	[config] String ssl_key;
+	[config] String ssl_cert;
+	[config] String ssl_ca;
+	[config] String ssl_capath;
+	[config] String ssl_cipher;
 	[config] String instance_name {
 		default {{{ return "default"; }}}
 	};
diff --git a/test/jenkins/files/configs/ido_checkresults.conf b/test/jenkins/files/configs/ido_checkresults.conf
index a2c4da2..7b35bb3 100644
--- a/test/jenkins/files/configs/ido_checkresults.conf
+++ b/test/jenkins/files/configs/ido_checkresults.conf
@@ -9,6 +9,11 @@ object IdoMysqlConnection "ido-mysql" {
   password = "icinga",
   host = "localhost",
   database = "icinga",
+  ssl_key = "",
+  ssl_cert = "",
+  ssl_ca = "",
+  ssl_capath = "",
+  ssl_cipher = "",
   categories = (DbCatCheck | DbCatConfig | DbCatState | DbCatAcknowledgement |
                 DbCatComment | DbCatDowntime | DbCatEventHandler | DbCatExternalCommand | DbCatFlapping |
                 DbCatLog | DbCatNotification | DbCatProgramStatus | DbCatRetention | DbCatStateHistory)


