Add TLS/mTLS settings for postgreSQL and Redis (fossasia#47)

eMBee · May 5, 2024 · f52f931 · f52f931
1 parent 7b29d7c
commit f52f931
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 9 deletions.
diff --git a/src/pretix/settings.py b/src/pretix/settings.py
@@ -3,7 +3,7 @@
 import os
 import sys
 from urllib.parse import urlparse
-
+from .settings_helpers import build_db_tls_config, build_redis_tls_config
 import django.conf.locale
 from django.utils.crypto import get_random_string
 from kombu import Queue
@@ -83,6 +83,11 @@
     db_options['charset'] = 'utf8mb4'
 JSON_FIELD_AVAILABLE = db_backend in ('mysql', 'postgresql')
 
+db_tls_config = build_db_tls_config(config, db_backend)
+if (db_tls_config is not None):
+    db_options.update(db_tls_config)
+
+
 DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.' + db_backend,
@@ -209,22 +214,28 @@
 
 HAS_REDIS = config.has_option('redis', 'location')
 if HAS_REDIS:
+    redis_options = {
+        "CLIENT_CLASS": "django_redis.client.DefaultClient",
+        "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
+    }
+    redis_tls_config = build_redis_tls_config(config)
+    if (redis_tls_config is not None):
+        redis_options["CONNECTION_POOL_KWARGS"] = redis_tls_config
+        redis_options["REDIS_CLIENT_KWARGS"].update(redis_tls_config)
+
+    if config.has_option('redis', 'password'):
+        redis_options["PASSWORD"] = config.get('redis', 'password')
+
     CACHES['redis'] = {
         "BACKEND": "django_redis.cache.RedisCache",
         "LOCATION": config.get('redis', 'location'),
-        "OPTIONS": {
-            "CLIENT_CLASS": "django_redis.client.DefaultClient",
-            "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
-        }
+        "OPTIONS": redis_options
     }
     CACHES['redis_sessions'] = {
         "BACKEND": "django_redis.cache.RedisCache",
         "LOCATION": config.get('redis', 'location'),
         "TIMEOUT": 3600 * 24 * 30,
-        "OPTIONS": {
-            "CLIENT_CLASS": "django_redis.client.DefaultClient",
-            "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
-        }
+        "OPTIONS": redis_options
     }
     if not HAS_MEMCACHED:
         CACHES['default'] = CACHES['redis']

diff --git a/src/pretix/settings_helpers.py b/src/pretix/settings_helpers.py
@@ -0,0 +1,30 @@
+def build_db_tls_config(config, db_backend):
+    db_ssl_mode = config.get("database", "sslmode", fallback="disable")
+    # add postgresql TLS options
+    if db_ssl_mode != "disable" and db_backend == "postgresql":
+        db_tls_config = {
+            "sslmode": db_ssl_mode,
+            "sslrootcert": config.get("database", "sslrootcert"),
+        }
+        # add postgresql mTLS options
+        if config.has_option("database", "sslcert"):
+            db_tls_config["sslcert"] = config.get("database", "sslcert")
+            db_tls_config["sslkey"] = config.get("database", "sslkey")
+        return db_tls_config
+    return None
+
+
+def build_redis_tls_config(config):
+    redis_ssl_cert_reqs = config.get("redis", "ssl_cert_reqs", fallback="none")
+    # add redis tls options
+    if redis_ssl_cert_reqs != "none":
+        redis_tls_config = {
+            "ssl_cert_reqs": redis_ssl_cert_reqs,
+            "ssl_ca_certs": config.get("redis", "ssl_ca_certs"),
+        }
+        # add redis mTLS options
+        if config.has_option("redis", "ssl_certfile"):
+            redis_tls_config["ssl_keyfile"] = config.get("redis", "ssl_keyfile")
+            redis_tls_config["ssl_certfile"] = config.get("redis", "ssl_certfile")
+        return redis_tls_config
+    return None