Support for SSL certificates for DB connections

.github/workflows/ssl-db.yml

@@ -0,0 +1,68 @@
+name: database-connection-via-ssl
+
+on:
+  push:
+    branches: master
+  pull_request:
+
+jobs:
+  mariadb:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.8]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Generate DB certificates
+        run: |
+          # docker run -v $(pwd)/tests/db-certs/:/Kiwi/db-certs/:Z --rm -i kiwitcms/kiwi \
+          #        /usr/bin/sscg \
+          #            -v -f \
+          #            --country BG --locality Sofia \
+          #            --organization "Kiwi TCMS" \
+          #            --organizational-unit "DevOps" \
+          #            --ca-file /Kiwi/db-certs/ca.crt \
+          #            --ca-key-file /Kiwi/db-certs/ca.key \
+          #            --cert-file /Kiwi/db-certs/server.crt \
+          #            --cert-key-file /Kiwi/db-certs/server.key
+          # re-enable & add client cert when https://github.com/sgallagher/sscg/issues/3 is fixed
+          pushd ./tests/ && ./gen-db-certs.sh && popd
+
+      - name: Create database
+        run: |
+          docker-compose -f docker-compose.mariadb-ssl pull db
+          docker-compose -f docker-compose.mariadb-ssl run -d -p 3306:3306 --name kiwi_db db
+          sleep 20  # wait to initialize
+
+          set -e
+          docker exec -i kiwi_db mariadb -u root -pkiwi-1s-aw3s0m3 \
+                --ssl-ca=/etc/certs/ca.pem \
+                --ssl-cert=/etc/certs/client-cert.pem \
+                --ssl-key=/etc/certs/client-key.pem -e 'status' | grep "Cipher in use is"
+
+      - name: Initialize DB tables & records
+        run: |
+          sudo apt-get update
+          sudo apt-get install gettext
+
+          sudo mkdir /Kiwi
+          sudo chmod a+w /Kiwi
+
+          pip install -r requirements/devel.txt
+          pip install -r requirements/mariadb.txt
+          pushd tcms/ && npm install && popd
+
+          export LANG=bg-bg
+          set -e
+          coverage run --source='.' ./manage.py migrate -v2 --noinput --settings tcms.settings.test.mariadb
+
+      - name: Send coverage to codecov.io
+        run: |
+          coverage report -m
+          bash <(curl -s https://codecov.io/bash)

.gitignore

@@ -16,4 +16,5 @@ docs/target/
 .vscode/
 .cache/
 tcms/node_modules/
+tests/db-certs/*.pem
 package-lock.json

check-ssl.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+import MySQLdb
+
+config = {
+    "user": "kiwi",
+    "password": "kiwi",
+    "host": "127.0.0.1",
+    "ssl": {
+        #        'ca': '/home/senko/Kiwi/tests/db-certs/ca.pem',
+        #        'cert': '/home/senko/Kiwi/tests/db-certs/client-cert.pem',
+        #        'key': '/home/senko/Kiwi/tests/db-certs/client-key.pem',
+    },
+}
+
+db = MySQLdb.connect(**config)
+cur = db.cursor()
+cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
+print(cur.fetchone())
+cur.close()
+db.close()

docker-compose.mariadb-ssl

@@ -0,0 +1,24 @@
+version: '2'
+
+services:
+    db:
+        container_name: kiwi_db
+        image: mariadb:latest
+        command: [  "--character-set-server=utf8mb4",
+                    "--collation-server=utf8mb4_unicode_ci",
+                    "--require-secure-transport=ON",
+                    "--ssl-ca=/etc/certs/ca.pem",
+                    "--ssl-cert=/etc/certs/server-cert.pem",
+                    "--ssl-key=/etc/certs/server-key.pem" ]
+        volumes:
+            - db_data:/var/lib/mysql
+            - ./tests/db-certs/:/etc/certs/
+        restart: always
+        environment:
+            MYSQL_ROOT_PASSWORD: kiwi-1s-aw3s0m3
+            MYSQL_DATABASE: kiwi
+            MYSQL_USER: kiwi
+            MYSQL_PASSWORD: kiwi
+
+volumes:
+    db_data:

tests/gen-db-certs.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+OPENSSL_SUBJ="/C=BG/ST=Sofia/L=Sofia"
+OPENSSL_CA="${OPENSSL_SUBJ}/CN=fake-CA"
+OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=fake-server"
+OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=fake-client"
+
+mkdir -p db-certs/
+pushd db-certs/
+
+# Generate new CA certificate ca.pem file.
+openssl genrsa 2048 > ca-key.pem
+
+# TODO This has interaction that must be automated
+openssl req -new -x509 -nodes -days 3600 \
+    -subj "${OPENSSL_CA}" \
+    -key ca-key.pem -out ca.pem
+
+
+# Create the server-side certificates
+# This has more interaction that must be automated
+
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+    -subj "${OPENSSL_SERVER}" \
+    -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+    -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+
+# Create the client-side certificates
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+    -subj "${OPENSSL_CLIENT}" \
+    -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+    -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
+
+# Verify the certificates are correct
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
+
+# make the keys readable b/c we're having issues with uid/gid inside the containers
+chmod 644 client-key.pem server-key.pem ca-key.pem
+popd