ENGCOM-6218: Enable Magento 2 to connect MySQL through SSL. magento#25398

Author: VladimirZaets

lib/internal/Magento/Framework/Config/ConfigOptionsListConstants.php

@@ -21,6 +21,7 @@ class ConfigOptionsListConstants
     const CONFIG_PATH_CRYPT_KEY = 'crypt/key';
     const CONFIG_PATH_SESSION_SAVE = 'session/save';
     const CONFIG_PATH_RESOURCE_DEFAULT_SETUP = 'resource/default_setup/connection';
+    const CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS = 'db/connection/default/driver_options';
     const CONFIG_PATH_DB_CONNECTION_DEFAULT = 'db/connection/default';
     const CONFIG_PATH_DB_CONNECTIONS = 'db/connection';
     const CONFIG_PATH_DB_PREFIX = 'db/table_prefix';
@@ -64,6 +65,10 @@ class ConfigOptionsListConstants
     const INPUT_KEY_DB_MODEL = 'db-model';
     const INPUT_KEY_DB_INIT_STATEMENTS = 'db-init-statements';
     const INPUT_KEY_DB_ENGINE = 'db-engine';
+    const INPUT_KEY_DB_SSL_KEY = 'db-ssl-key';
+    const INPUT_KEY_DB_SSL_CERT = 'db-ssl-cert';
+    const INPUT_KEY_DB_SSL_CA = 'db-ssl-ca';
+    const INPUT_KEY_DB_SSL_VERIFY = 'db-ssl-verify';
     const INPUT_KEY_RESOURCE = 'resource';
     const INPUT_KEY_SKIP_DB_VALIDATION = 'skip-db-validation';
     const INPUT_KEY_CACHE_HOSTS = 'http-cache-hosts';
@@ -75,7 +80,11 @@ class ConfigOptionsListConstants
     const KEY_CACHE_FRONTEND = 'cache/frontend';
     const CONFIG_PATH_BACKEND_OPTIONS = 'backend_options';
 
-    /** @deprecated */
+    /**
+     * @deprecated
+     *
+     * Definition format constant.
+     */
     const INPUT_KEY_DEFINITION_FORMAT = 'definition-format';
 
     /**#@+
@@ -104,6 +113,21 @@ class ConfigOptionsListConstants
     const KEY_MODEL = 'model';
     const KEY_INIT_STATEMENTS = 'initStatements';
     const KEY_ACTIVE = 'active';
+    const KEY_DRIVER_OPTIONS = 'driver_options';
+    /**#@-*/
+
+    /**#@+
+     * Array keys for database driver options configurations
+     */
+    const KEY_MYSQL_SSL_KEY = \PDO::MYSQL_ATTR_SSL_KEY;
+    const KEY_MYSQL_SSL_CERT = \PDO::MYSQL_ATTR_SSL_CERT;
+    const KEY_MYSQL_SSL_CA = \PDO::MYSQL_ATTR_SSL_CA;
+
+    /**
+     * Constant \PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT cannot be used as it was introduced in PHP 7.1.4
+     * and Magento 2 is currently supporting PHP 7.1.3.
+     */
+    const KEY_MYSQL_SSL_VERIFY = 1014;
     /**#@-*/
 
     /**
@@ -128,6 +152,8 @@ class ConfigOptionsListConstants
 
     /**
      * Size of random string generated for store's encryption key
+     * phpcs:disable
      */
     const STORE_KEY_RANDOM_STRING_SIZE = SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_KEYBYTES;
+    //phpcs:enable
 }

setup/src/Magento/Setup/Controller/DatabaseCheck.php

@@ -5,6 +5,7 @@
  */
 namespace Magento\Setup\Controller;
 
+use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Setup\Validator\DbValidator;
 use Zend\Json\Json;
 use Zend\Mvc\Controller\AbstractActionController;
@@ -40,12 +41,45 @@ public function indexAction()
         try {
             $params = Json::decode($this->getRequest()->getContent(), Json::TYPE_ARRAY);
             $password = isset($params['password']) ? $params['password'] : '';
-            $this->dbValidator->checkDatabaseConnection($params['name'], $params['host'], $params['user'], $password);
+            $driverOptions = [];
+            if ($this->isDriverOptionsGiven($params)) {
+                if (empty($params['driverOptionsSslVerify'])) {
+                    $params['driverOptionsSslVerify'] = 0;
+                }
+                $driverOptions = [
+                    ConfigOptionsListConstants::KEY_MYSQL_SSL_KEY => $params['driverOptionsSslKey'],
+                    ConfigOptionsListConstants::KEY_MYSQL_SSL_CERT => $params['driverOptionsSslCert'],
+                    ConfigOptionsListConstants::KEY_MYSQL_SSL_CA => $params['driverOptionsSslCa'],
+                    ConfigOptionsListConstants::KEY_MYSQL_SSL_VERIFY => (int) $params['driverOptionsSslVerify'],
+                ];
+            }
+            $this->dbValidator->checkDatabaseConnectionWithDriverOptions(
+                $params['name'],
+                $params['host'],
+                $params['user'],
+                $password,
+                $driverOptions
+            );
             $tablePrefix = isset($params['tablePrefix']) ? $params['tablePrefix'] : '';
             $this->dbValidator->checkDatabaseTablePrefix($tablePrefix);
             return new JsonModel(['success' => true]);
         } catch (\Exception $e) {
             return new JsonModel(['success' => false, 'error' => $e->getMessage()]);
         }
     }
+
+    /**
+     * Is Driver Options Given
+     *
+     * @param array $params
+     * @return bool
+     */
+    private function isDriverOptionsGiven($params)
+    {
+        return !(
+            empty($params['driverOptionsSslKey']) ||
+            empty($params['driverOptionsSslCert']) ||
+            empty($params['driverOptionsSslCa'])
+        );
+    }
 }

setup/src/Magento/Setup/Model/ConfigGenerator.php

@@ -14,11 +14,12 @@
 use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\App\State;
 use Magento\Framework\Math\Random;
+use Magento\Setup\Model\ConfigOptionsList\DriverOptions;
 
 /**
  * Creates deployment config data based on user input array
  *
- * This class introduced to break down {@see Magento\Setup\Model\ConfigOptionsList::createConfig}
+ * This class introduced to break down {@see \Magento\Setup\Model\ConfigOptionsList::createConfig}
  */
 class ConfigGenerator
 {
@@ -62,24 +63,32 @@ class ConfigGenerator
      */
     private $cryptKeyGenerator;
 
+    /**
+     * @var DriverOptions
+     */
+    private $driverOptions;
+
     /**
      * Constructor
      *
      * @param Random $random Deprecated since 100.2.0
      * @param DeploymentConfig $deploymentConfig
      * @param ConfigDataFactory|null $configDataFactory
      * @param CryptKeyGeneratorInterface|null $cryptKeyGenerator
+     * @param DriverOptions|null $driverOptions
      */
     public function __construct(
         Random $random,
         DeploymentConfig $deploymentConfig,
         ConfigDataFactory $configDataFactory = null,
-        CryptKeyGeneratorInterface $cryptKeyGenerator = null
+        CryptKeyGeneratorInterface $cryptKeyGenerator = null,
+        DriverOptions $driverOptions = null
     ) {
         $this->random = $random;
         $this->deploymentConfig = $deploymentConfig;
         $this->configDataFactory = $configDataFactory ?? ObjectManager::getInstance()->get(ConfigDataFactory::class);
         $this->cryptKeyGenerator = $cryptKeyGenerator ?? ObjectManager::getInstance()->get(CryptKeyGenerator::class);
+        $this->driverOptions = $driverOptions ?? ObjectManager::getInstance()->get(DriverOptions::class);
     }
 
     /**
@@ -181,6 +190,9 @@ public function createDbConfig(array $data)
             $configData->set($dbConnectionPrefix . ConfigOptionsListConstants::KEY_ACTIVE, '1');
         }
 
+        $driverOptions = $this->driverOptions->getDriverOptions($data);
+        $configData->set($dbConnectionPrefix . ConfigOptionsListConstants::KEY_DRIVER_OPTIONS, $driverOptions);
+
         return $configData;
     }
 

setup/src/Magento/Setup/Model/ConfigOptionsList.php

@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\Setup\Model;
 
@@ -12,6 +13,7 @@
 use Magento\Framework\Setup\ConfigOptionsListInterface;
 use Magento\Framework\Setup\Option\FlagConfigOption;
 use Magento\Framework\Setup\Option\TextConfigOption;
+use Magento\Setup\Model\ConfigOptionsList\DriverOptions;
 use Magento\Setup\Validator\DbValidator;
 
 /**
@@ -53,17 +55,24 @@ class ConfigOptionsList implements ConfigOptionsListInterface
         \Magento\Setup\Model\ConfigOptionsList\Lock::class,
     ];
 
+    /**
+     * @var DriverOptions
+     */
+    private $driverOptions;
+
     /**
      * Constructor
      *
      * @param ConfigGenerator $configGenerator
      * @param DbValidator $dbValidator
      * @param KeyValidator|null $encryptionKeyValidator
+     * @param DriverOptions|null $driverOptions
      */
     public function __construct(
         ConfigGenerator $configGenerator,
         DbValidator $dbValidator,
-        KeyValidator $encryptionKeyValidator = null
+        KeyValidator $encryptionKeyValidator = null,
+        DriverOptions $driverOptions = null
     ) {
         $this->configGenerator = $configGenerator;
         $this->dbValidator = $dbValidator;
@@ -72,6 +81,7 @@ public function __construct(
             $this->configOptionsCollection[] = $objectManager->get($className);
         }
         $this->encryptionKeyValidator = $encryptionKeyValidator ?: $objectManager->get(KeyValidator::class);
+        $this->driverOptions = $driverOptions ?? $objectManager->get(DriverOptions::class);
     }
 
     /**
@@ -162,6 +172,36 @@ public function getOptions()
                 ConfigOptionsListConstants::CONFIG_PATH_CACHE_HOSTS,
                 'http Cache hosts'
             ),
+            new TextConfigOption(
+                ConfigOptionsListConstants::INPUT_KEY_DB_SSL_KEY,
+                TextConfigOption::FRONTEND_WIZARD_TEXT,
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS .
+                '/' . ConfigOptionsListConstants::KEY_MYSQL_SSL_KEY,
+                'Full path of client key file in order to establish db connection through SSL',
+                ''
+            ),
+            new TextConfigOption(
+                ConfigOptionsListConstants::INPUT_KEY_DB_SSL_CERT,
+                TextConfigOption::FRONTEND_WIZARD_TEXT,
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS .
+                '/' . ConfigOptionsListConstants::KEY_MYSQL_SSL_CERT,
+                'Full path of client certificate file in order to establish db connection through SSL',
+                ''
+            ),
+            new TextConfigOption(
+                ConfigOptionsListConstants::INPUT_KEY_DB_SSL_CA,
+                TextConfigOption::FRONTEND_WIZARD_TEXT,
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS .
+                '/' . ConfigOptionsListConstants::KEY_MYSQL_SSL_CA,
+                'Full path of server certificate file in order to establish db connection through SSL',
+                ''
+            ),
+            new FlagConfigOption(
+                ConfigOptionsListConstants::INPUT_KEY_DB_SSL_VERIFY,
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS .
+                '/' . ConfigOptionsListConstants::KEY_MYSQL_SSL_VERIFY,
+                'Verify server certification'
+            ),
         ];
 
         foreach ($this->configOptionsCollection as $configOptionsList) {
@@ -349,12 +389,14 @@ private function validateDbSettings(array $options, DeploymentConfig $deployment
         ) {
             try {
                 $options = $this->getDbSettings($options, $deploymentConfig);
+                $driverOptions = $this->driverOptions->getDriverOptions($options);
 
-                $this->dbValidator->checkDatabaseConnection(
+                $this->dbValidator->checkDatabaseConnectionWithDriverOptions(
                     $options[ConfigOptionsListConstants::INPUT_KEY_DB_NAME],
                     $options[ConfigOptionsListConstants::INPUT_KEY_DB_HOST],
                     $options[ConfigOptionsListConstants::INPUT_KEY_DB_USER],
-                    $options[ConfigOptionsListConstants::INPUT_KEY_DB_PASSWORD]
+                    $options[ConfigOptionsListConstants::INPUT_KEY_DB_PASSWORD],
+                    $driverOptions
                 );
             } catch (\Exception $exception) {
                 $errors[] = $exception->getMessage();

setup/src/Magento/Setup/Model/ConfigOptionsList/DriverOptions.php

@@ -0,0 +1,51 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Setup\Model\ConfigOptionsList;
+
+use Magento\Framework\Config\ConfigOptionsListConstants;
+
+/**
+ * Mysql driver options.
+ */
+class DriverOptions
+{
+    /**
+     * Get mysql driver options.
+     *
+     * @param array $options
+     * @return array
+     */
+    public function getDriverOptions(array $options): array
+    {
+        $driverOptionKeys = [
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_KEY => ConfigOptionsListConstants::INPUT_KEY_DB_SSL_KEY,
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_CERT => ConfigOptionsListConstants::INPUT_KEY_DB_SSL_CERT,
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_CA => ConfigOptionsListConstants::INPUT_KEY_DB_SSL_CA,
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_VERIFY => ConfigOptionsListConstants::INPUT_KEY_DB_SSL_VERIFY
+        ];
+        $driverOptions = [];
+        foreach ($driverOptionKeys as $configKey => $driverOptionKey) {
+            if ($this->optionExists($options, $driverOptionKey)) {
+                $driverOptions[$configKey] = $options[$driverOptionKey];
+            }
+        }
+        return $driverOptions;
+    }
+
+    /**
+     * Verify if option exists.
+     *
+     * @param array $options
+     * @param string $driverOptionKey
+     * @return bool
+     */
+    private function optionExists($options, $driverOptionKey): bool
+    {
+        return $options[$driverOptionKey] === false || !empty($options[$driverOptionKey]);
+    }
+}

setup/src/Magento/Setup/Model/Installer.php

@@ -1375,7 +1375,32 @@ private function deleteDeploymentConfig()
      */
     private function assertDbAccessible()
     {
-        $this->dbValidator->checkDatabaseConnection(
+        $driverOptionKeys = [
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_KEY =>
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS . '/' .
+                ConfigOptionsListConstants::KEY_MYSQL_SSL_KEY,
+
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_CERT =>
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS . '/' .
+                ConfigOptionsListConstants::KEY_MYSQL_SSL_CERT,
+
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_CA =>
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS . '/' .
+                ConfigOptionsListConstants::KEY_MYSQL_SSL_CA,
+
+            ConfigOptionsListConstants::KEY_MYSQL_SSL_VERIFY =>
+                ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT_DRIVER_OPTIONS . '/' .
+                ConfigOptionsListConstants::KEY_MYSQL_SSL_VERIFY
+        ];
+        $driverOptions = [];
+        foreach ($driverOptionKeys as $driverOptionKey => $driverOptionConfig) {
+            $config = $this->deploymentConfig->get($driverOptionConfig);
+            if ($config !== null) {
+                $driverOptions[$driverOptionKey] = $config;
+            }
+        }
+
+        $this->dbValidator->checkDatabaseConnectionWithDriverOptions(
             $this->deploymentConfig->get(
                 ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT .
                 '/' . ConfigOptionsListConstants::KEY_NAME
@@ -1391,7 +1416,8 @@ private function assertDbAccessible()
             $this->deploymentConfig->get(
                 ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT .
                 '/' . ConfigOptionsListConstants::KEY_PASSWORD
-            )
+            ),
+            $driverOptions
         );
         $prefix = $this->deploymentConfig->get(
             ConfigOptionsListConstants::CONFIG_PATH_DB_CONNECTION_DEFAULT .

setup/src/Magento/Setup/Model/RequestDataConverter.php

@@ -51,6 +51,14 @@ private function convertDeploymentConfigForm(array $source)
             isset($source['db']['tablePrefix']) ? $source['db']['tablePrefix'] : '';
         $result[BackendConfigOptionsList::INPUT_KEY_BACKEND_FRONTNAME] = isset($source['config']['address']['admin'])
             ? $source['config']['address']['admin'] : '';
+        $result[SetupConfigOptionsList::INPUT_KEY_DB_SSL_KEY] = isset($source['db']['driverOptionsSslKey'])
+            ? $source['db']['driverOptionsSslKey'] : '';
+        $result[SetupConfigOptionsList::INPUT_KEY_DB_SSL_CERT] = isset($source['db']['driverOptionsSslCert'])
+            ? $source['db']['driverOptionsSslCert'] : '';
+        $result[SetupConfigOptionsList::INPUT_KEY_DB_SSL_CA] = isset($source['db']['driverOptionsSslCa'])
+            ? $source['db']['driverOptionsSslCa'] : '';
+        $result[SetupConfigOptionsList::INPUT_KEY_DB_SSL_VERIFY] = isset($source['db']['driverOptionsSslVerify'])
+            ? $source['db']['driverOptionsSslVerify'] : '';
         $result[SetupConfigOptionsList::INPUT_KEY_ENCRYPTION_KEY] = isset($source['config']['encrypt']['key'])
             ? $source['config']['encrypt']['key'] : null;
         $result[SetupConfigOptionsList::INPUT_KEY_SESSION_SAVE] = isset($source['config']['sessionSave']['type'])