chore(database): Add ssl support

Adds ssl/tls support for the edgehog <-> database communication. Closes #419. Signed-off-by: Luca Zaninotto <[email protected]>
edgehog-device-manager · Dec 18, 2024 · c395699 · c395699
1 parent ad4cb42
commit c395699
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 10 deletions.
diff --git a/.env b/.env
@@ -22,6 +22,19 @@ IPBASE_API_KEY=
 GOOGLE_GEOLOCATION_API_KEY=
 GOOGLE_GEOCODING_API_KEY=
 
+# Wether to use SSL/TLS connection to the database, defaults to `false`.
+DATABASE_ENABLE_SSL=false
+
+# Whether to use the host machine certificates or not to verify the connection
+# with the database.
+# DATABASE_USE_OS_CERTS=true
+
+# The CA certificate file to use to verify the TLS connection to the database.
+# DATABASE_SSL_CACERTFILE=./example_cacert.pem
+
+# Whether verify the SSL connection with the database or not.
+# DATABASE_SSL_VERIFY=true
+
 # The top level domain of your edgehog instance.
 # In case you want to make Edgehog visible in your LAN, consider setting the variable
 # to <HOST_IP>.nip.io

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.10] - Unreleased
 ### Added
 - Managed OTA operations expose the update target that created them in graphql ([#356](https://github.com/edgehog-device-manager/edgehog/issues/356).
+- Ecto SSL configuration is exposed trough `DATABASE_*` environment variables (see [.env](./.env))
 
 ## [0.9.3] - Unreleased
 ### Fixed

diff --git a/backend/config/runtime.exs b/backend/config/runtime.exs
@@ -31,10 +31,13 @@ end
 # any compile-time configuration in here, as it won't be applied.
 # The block below contains prod specific runtime configuration.
 if config_env() == :prod do
-  database_username = System.fetch_env!("DATABASE_USERNAME")
-  database_password = System.fetch_env!("DATABASE_PASSWORD")
-  database_hostname = System.fetch_env!("DATABASE_HOSTNAME")
-  database_name = System.fetch_env!("DATABASE_NAME")
+  database = %{
+    username: System.fetch_env!("DATABASE_USERNAME"),
+    password: System.fetch_env!("DATABASE_PASSWORD"),
+    hostname: System.fetch_env!("DATABASE_HOSTNAME"),
+    name: System.fetch_env!("DATABASE_NAME"),
+    ssl: Config.database_ssl_config()
+  }
 
   # The secret key base is used to sign/encrypt cookies and other secrets.
   # A default value is used in config/dev.exs and config/test.exs but you
@@ -102,13 +105,13 @@ if config_env() == :prod do
   forwarder_hostname = System.get_env("EDGEHOG_FORWARDER_HOSTNAME")
 
   config :edgehog, Edgehog.Repo,
-    # ssl: true,
     # socket_options: [:inet6],
-    username: database_username,
-    password: database_password,
-    hostname: database_hostname,
-    database: database_name,
-    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10")
+    username: database.username,
+    password: database.password,
+    hostname: database.hostname,
+    database: database.name,
+    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10"),
+    ssl: database.ssl
 
   config :edgehog, EdgehogWeb.Endpoint,
     http: [

diff --git a/backend/lib/edgehog/config.ex b/backend/lib/edgehog/config.ex
@@ -43,6 +43,30 @@ defmodule Edgehog.Config do
     os_env: "ADMIN_JWT_PUBLIC_KEY_PATH",
     type: JWTPublicKeyPEMType
 
+  @envdoc "Whether edgehog should use a tls connection with the database or not."
+  app_env :database_enable_ssl, :edgehog, :database_enable_ssl,
+    os_env: "DATABASE_ENABLE_SSL",
+    type: :boolean,
+    default: false
+
+  @envdoc "The certificate file to use to verify the ssl connection with the database."
+  app_env :database_ssl_cacertfile, :edgehog, :database_ssl_cacertfile,
+    os_env: "DATABASE_SSL_CACERTFILE",
+    type: :binary,
+    default: ""
+
+  @envdoc "Whether to use the os certificates to communicate with the database over ssl."
+  app_env :database_use_os_certs, :edgehog, :database_use_os_certs,
+    os_env: "DATABASE_USE_OS_CERTS",
+    type: :boolean,
+    default: false
+
+  @envdoc "Whether to verify the ssl connection with the database or not."
+  app_env :database_ssl_verify, :edgehog, :database_ssl_verify,
+    os_env: "DATABASE_SSL_VERIFY",
+    type: :boolean,
+    default: false
+
   @envdoc """
   Disables tenant authentication. CHANGING IT TO TRUE IS GENERALLY A REALLY BAD IDEA IN A PRODUCTION ENVIRONMENT, IF YOU DON'T KNOW WHAT YOU ARE DOING.
   """
@@ -94,6 +118,71 @@ defmodule Edgehog.Config do
   @spec admin_authentication_disabled?() :: boolean()
   def admin_authentication_disabled?, do: disable_admin_authentication!()
 
+  @doc """
+  Returns true if edgehog should use an ssl connection with the database.
+  """
+  @spec database_enable_ssl?() :: boolean()
+  def database_enable_ssl?, do: database_enable_ssl!()
+
+  @doc """
+  Reutrns whether to verify the ssl connection witht he database or not.
+  """
+  @spec database_ssl_verify?() :: boolean()
+  def database_ssl_verify?, do: database_ssl_verify!()
+
+  @doc """
+  Returns true if edgehog should use the operative system certificates.
+  """
+  @spec database_use_os_certs?() :: boolean()
+  def database_use_os_certs?, do: database_use_os_certs!()
+
+  @doc """
+  Returns the ssl configuration for the ssl connection with the database.
+  """
+  @spec database_ssl_cert_config() :: {:cacerts, [term()]} | {:cacertfile, binary()}
+  def database_ssl_cert_config do
+    use_os_certs = database_use_os_certs?()
+
+    certfile = System.get_env("DATABASE_SSL_CACERTFILE")
+
+    case {certfile, use_os_certs} do
+      {nil, false} ->
+        raise """
+        invalid database SSL configuration:
+        either set DATABASE_USE_OS_CERTS true to use system's certificates
+        or provide a CA certificate file with DATABASE_SSL_CACERTFILE.
+        The latter will take precedence.
+        """
+
+      {nil, true} ->
+        {:cacerts, :public_key.cacerts_get()}
+
+      {file, _} ->
+        # Assuming `file` is a file path
+        {:cacertfile, file}
+    end
+  end
+
+  @doc """
+  Returns the Ecto configuration for the ssl connection to the database.
+  """
+  @spec database_ssl_config_opts() :: list(term())
+  def database_ssl_config_opts do
+    if database_ssl_verify?(),
+      do: [{:verify, :verify_peer}, database_ssl_cert_config()],
+      else: [verify: :verify_none]
+  end
+
+  @doc """
+  Returns the database configuration for the database connection.
+  """
+  @spec database_ssl_config() :: false | list(term())
+  def database_ssl_config do
+    if database_enable_ssl?(),
+      do: database_ssl_config_opts(),
+      else: false
+  end
+
   @doc """
   Returns true if tenant authentication is disabled.
   """