feat(db): add SSL/TLS support for PostgreSQL

Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2025-09-18 10:53:31 +07:00 · 2025-09-18 10:53:31 +07:00 · 8fbd7633fe
parent 936da13953
commit 8fbd7633fe
3 changed files with 59 additions and 8 deletions
--- a/config/config.sample.php
+++ b/config/config.sample.php
@ -502,7 +502,7 @@ $CONFIG = [

 /**
 * Enable SMTP class debugging.
- * NOTE: ``loglevel`` will likely need to be adjusted too. See docs: 
+ * NOTE: ``loglevel`` will likely need to be adjusted too. See docs:
 *   https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/email_configuration.html#enabling-debug-mode
 *
 * Defaults to ``false``
@ -663,7 +663,7 @@ $CONFIG = [
 * are generated within Nextcloud using any kind of command line tools (cron or
 * occ). The value should contain the full base URL:
 * ``https://www.example.com/nextcloud``
- * Please make sure to set the value to the URL that your users mainly use to access this Nextcloud. 
+ * Please make sure to set the value to the URL that your users mainly use to access this Nextcloud.
 * Otherwise there might be problems with the URL generation via cron.
 *
 * Defaults to ``''`` (empty string)
@ -1323,18 +1323,18 @@ $CONFIG = [
 /**
 * custom path for ffmpeg binary
 *
- * Defaults to ``null`` and falls back to searching ``avconv`` and ``ffmpeg`` 
+ * Defaults to ``null`` and falls back to searching ``avconv`` and ``ffmpeg``
 * in the configured ``PATH`` environment
 */
 'preview_ffmpeg_path' => '/usr/bin/ffmpeg',

 /**
 * Set the URL of the Imaginary service to send image previews to.
- * Also requires the ``OC\Preview\Imaginary`` provider to be enabled in the 
- * ``enabledPreviewProviders`` array, to create previews for these mimetypes: bmp, 
+ * Also requires the ``OC\Preview\Imaginary`` provider to be enabled in the
+ * ``enabledPreviewProviders`` array, to create previews for these mimetypes: bmp,
 * x-bitmap, png, jpeg, gif, heic, heif, svg+xml, tiff, webp and illustrator.
 *
- * If you want Imaginary to also create preview images from PDF Documents, you 
+ * If you want Imaginary to also create preview images from PDF Documents, you
 * have to add the ``OC\Preview\ImaginaryPDF`` provider as well.
 *
 * See https://github.com/h2non/imaginary
@ -1978,6 +1978,17 @@ $CONFIG = [
 */
 'mysql.collation' => null,

+/**
+ * PostgreSQL SSL connection
+ */
+'pgsql_ssl' => [
+	'mode' => '',
+	'cert' => '',
+	'rootcert' => '',
+	'key' => '',
+	'crl' => '',
+],
+
 /**
 * Database types that are supported for installation.
 *
@ -2066,9 +2077,9 @@ $CONFIG = [
 /**
 * Deny extensions from being used for filenames.
 * Matching existing files can no longer be updated and in matching folders no files can be created anymore.
- * 
+ *
 * The '.part' extension is always forbidden, as this is used internally by Nextcloud.
- * 
+ *
 * Defaults to ``array('.filepart', '.part')``
 */
 'forbidden_filename_extensions' => ['.part', '.filepart'],
--- a/lib/private/DB/ConnectionFactory.php
+++ b/lib/private/DB/ConnectionFactory.php
@ -198,6 +198,17 @@ class ConnectionFactory {
 			'tablePrefix' => $connectionParams['tablePrefix']
 		];

+		if ($type === 'pgsql') {
+			$pgsqlSsl = $this->config->getValue('pgsql_ssl', false);
+			if (is_array($pgsqlSsl)) {
+				$connectionParams['sslmode'] = $pgsqlSsl['mode'] ?? '';
+				$connectionParams['sslrootcert'] = $pgsqlSsl['rootcert'] ?? '';
+				$connectionParams['sslcert'] = $pgsqlSsl['cert'] ?? '';
+				$connectionParams['sslkey'] = $pgsqlSsl['key'] ?? '';
+				$connectionParams['sslcrl'] = $pgsqlSsl['crl'] ?? '';
+			}
+		}
+
 		if ($type === 'mysql' && $this->config->getValue('mysql.utf8mb4', false)) {
 			$connectionParams['defaultTableOptions'] = [
 				'collate' => 'utf8mb4_bin',
--- a/tests/lib/DB/ConnectionFactoryTest.php
+++ b/tests/lib/DB/ConnectionFactoryTest.php
@ -40,4 +40,33 @@ class ConnectionFactoryTest extends TestCase {

 		$this->assertEquals($expected, self::invokePrivate($factory, 'splitHostFromPortAndSocket', [$host]));
 	}
+
+	public function testPgsqlSslConnection(): void {
+		/** @var SystemConfig|\PHPUnit\Framework\MockObject\MockObject $config */
+		$config = $this->createMock(SystemConfig::class);
+		$config->method('getValue')
+			->willReturnCallback(function ($key, $default) {
+				return match ($key) {
+					'dbtype' => 'pgsql',
+					'pgsql_ssl' => [
+						'mode' => 'verify-full',
+						'cert' => 'client.crt',
+						'key' => 'client.key',
+						'crl' => 'client.crl',
+						'rootcert' => 'rootCA.crt',
+					],
+					default => $default,
+				};
+			});
+		$factory = new ConnectionFactory($config);
+
+		$params = $factory->createConnectionParams();
+
+		$this->assertEquals('pdo_pgsql', $params['driver']);
+		$this->assertEquals('verify-full', $params['sslmode']);
+		$this->assertEquals('rootCA.crt', $params['sslrootcert']);
+		$this->assertEquals('client.crt', $params['sslcert']);
+		$this->assertEquals('client.key', $params['sslkey']);
+		$this->assertEquals('client.crl', $params['sslcrl']);
+	}
 }