Merge pull request #55258 from nextcloud/backport/55170/stable30

[stable30] feat(db): add SSL/TLS support for PostgreSQL

Author: AndyScherzinger

config/config.sample.php

@@ -502,7 +502,7 @@
 
 /**
  * Enable SMTP class debugging.
- * NOTE: ``loglevel`` will likely need to be adjusted too. See docs: 
+ * NOTE: ``loglevel`` will likely need to be adjusted too. See docs:
  *   https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/email_configuration.html#enabling-debug-mode
  *
  * Defaults to ``false``
@@ -663,7 +663,7 @@
  * are generated within Nextcloud using any kind of command line tools (cron or
  * occ). The value should contain the full base URL:
  * ``https://www.example.com/nextcloud``
- * Please make sure to set the value to the URL that your users mainly use to access this Nextcloud. 
+ * Please make sure to set the value to the URL that your users mainly use to access this Nextcloud.
  * Otherwise there might be problems with the URL generation via cron.
  *
  * Defaults to ``''`` (empty string)
@@ -1323,18 +1323,18 @@
 /**
  * custom path for ffmpeg binary
  *
- * Defaults to ``null`` and falls back to searching ``avconv`` and ``ffmpeg`` 
+ * Defaults to ``null`` and falls back to searching ``avconv`` and ``ffmpeg``
  * in the configured ``PATH`` environment
  */
 'preview_ffmpeg_path' => '/usr/bin/ffmpeg',
 
 /**
  * Set the URL of the Imaginary service to send image previews to.
- * Also requires the ``OC\Preview\Imaginary`` provider to be enabled in the 
- * ``enabledPreviewProviders`` array, to create previews for these mimetypes: bmp, 
+ * Also requires the ``OC\Preview\Imaginary`` provider to be enabled in the
+ * ``enabledPreviewProviders`` array, to create previews for these mimetypes: bmp,
  * x-bitmap, png, jpeg, gif, heic, heif, svg+xml, tiff, webp and illustrator.
  *
- * If you want Imaginary to also create preview images from PDF Documents, you 
+ * If you want Imaginary to also create preview images from PDF Documents, you
  * have to add the ``OC\Preview\ImaginaryPDF`` provider as well.
  *
  * See https://github.com/h2non/imaginary
@@ -1978,6 +1978,17 @@
  */
 'mysql.collation' => null,
 
+/**
+ * PostgreSQL SSL connection
+ */
+'pgsql_ssl' => [
+	'mode' => '',
+	'cert' => '',
+	'rootcert' => '',
+	'key' => '',
+	'crl' => '',
+],
+
 /**
  * Database types that are supported for installation.
  *
@@ -2066,9 +2077,9 @@
 /**
  * Deny extensions from being used for filenames.
  * Matching existing files can no longer be updated and in matching folders no files can be created anymore.
- * 
+ *
  * The '.part' extension is always forbidden, as this is used internally by Nextcloud.
- * 
+ *
  * Defaults to ``array('.filepart', '.part')``
  */
 'forbidden_filename_extensions' => ['.part', '.filepart'],

lib/private/DB/ConnectionFactory.php

@@ -198,6 +198,17 @@ public function createConnectionParams(string $configPrefix = '', array $additio
 			'tablePrefix' => $connectionParams['tablePrefix']
 		];
 
+		if ($type === 'pgsql') {
+			$pgsqlSsl = $this->config->getValue('pgsql_ssl', false);
+			if (is_array($pgsqlSsl)) {
+				$connectionParams['sslmode'] = $pgsqlSsl['mode'] ?? '';
+				$connectionParams['sslrootcert'] = $pgsqlSsl['rootcert'] ?? '';
+				$connectionParams['sslcert'] = $pgsqlSsl['cert'] ?? '';
+				$connectionParams['sslkey'] = $pgsqlSsl['key'] ?? '';
+				$connectionParams['sslcrl'] = $pgsqlSsl['crl'] ?? '';
+			}
+		}
+
 		if ($type === 'mysql' && $this->config->getValue('mysql.utf8mb4', false)) {
 			$connectionParams['defaultTableOptions'] = [
 				'collate' => 'utf8mb4_bin',

tests/lib/DB/ConnectionFactoryTest.php

@@ -40,4 +40,33 @@ public function testSplitHostFromPortAndSocket($host, array $expected) {
 
 		$this->assertEquals($expected, self::invokePrivate($factory, 'splitHostFromPortAndSocket', [$host]));
 	}
+
+	public function testPgsqlSslConnection(): void {
+		/** @var SystemConfig|\PHPUnit\Framework\MockObject\MockObject $config */
+		$config = $this->createMock(SystemConfig::class);
+		$config->method('getValue')
+			->willReturnCallback(function ($key, $default) {
+				return match ($key) {
+					'dbtype' => 'pgsql',
+					'pgsql_ssl' => [
+						'mode' => 'verify-full',
+						'cert' => 'client.crt',
+						'key' => 'client.key',
+						'crl' => 'client.crl',
+						'rootcert' => 'rootCA.crt',
+					],
+					default => $default,
+				};
+			});
+		$factory = new ConnectionFactory($config);
+
+		$params = $factory->createConnectionParams();
+
+		$this->assertEquals('pdo_pgsql', $params['driver']);
+		$this->assertEquals('verify-full', $params['sslmode']);
+		$this->assertEquals('rootCA.crt', $params['sslrootcert']);
+		$this->assertEquals('client.crt', $params['sslcert']);
+		$this->assertEquals('client.key', $params['sslkey']);
+		$this->assertEquals('client.crl', $params['sslcrl']);
+	}
 }