From e9619af60838a06ed3266b3f9a46b74d551ff9aa Mon Sep 17 00:00:00 2001
From: Shivangi-ch <57783826+Shivangi-ch@users.noreply.github.com>
Date: Tue, 12 Mar 2024 15:56:56 +0530
Subject: [PATCH] Add TLS/mTLS settings for postgreSQL and Redis (#47)

---
 src/pretix/settings.py | 29 ++++++++++++++++++++---------
 src/pretix/settings_helpers.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100644 src/pretix/settings_helpers.py

diff --git a/src/pretix/settings.py b/src/pretix/settings.py
index 3213182bc..4f99360b8 100644
--- a/src/pretix/settings.py
+++ b/src/pretix/settings.py
@@ -3,7 +3,7 @@
 import os
 import sys
 from urllib.parse import urlparse
-
+from .settings_helpers import build_db_tls_config, build_redis_tls_config
 import django.conf.locale
 from django.utils.crypto import get_random_string
 from kombu import Queue
@@ -83,6 +83,11 @@
 db_options['charset'] = 'utf8mb4'
 JSON_FIELD_AVAILABLE = db_backend in ('mysql', 'postgresql')
 
+db_tls_config = build_db_tls_config(config, db_backend)
+if (db_tls_config is not None):
+    db_options.update(db_tls_config)
+
+
 DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.' + db_backend,
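Review bot: `build_db_tls_config` returns None for every backend except postgresql (see the new settings_helpers.py), so a `database.sslmode` configured on a MySQL or SQLite deployment is silently ignored at the `db_options.update(...)` site and the connection stays plaintext while the operator believes TLS is on. Fail fast instead: `if db_backend != 'postgresql' and config.get('database', 'sslmode', fallback='disable') != 'disable':` followed by `    raise ValueError("database.sslmode is only supported for the postgresql backend")` (or whichever configuration exception the rest of settings.py already uses). The parenthesised `if (db_tls_config is not None):` is not idiomatic Python; `if db_tls_config:` is equivalent here because the helper never returns an empty dict. A one-line comment such as `# [database] sslmode/sslrootcert (+ sslcert/sslkey for mTLS) are handed to libpq through OPTIONS` would tell readers where these keys end up.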
@@ -209,22 +214,28 @@
 
 HAS_REDIS = config.has_option('redis', 'location')
 if HAS_REDIS:
+    redis_options = {
+        "CLIENT_CLASS": "django_redis.client.DefaultClient",
+        "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
+    }
+    redis_tls_config = build_redis_tls_config(config)
+    if (redis_tls_config is not None):
+        redis_options["CONNECTION_POOL_KWARGS"] = redis_tls_config
+        redis_options["REDIS_CLIENT_KWARGS"].update(redis_tls_config)
+
+    if config.has_option('redis', 'password'):
+        redis_options["PASSWORD"] = config.get('redis', 'password')
+
     CACHES['redis'] = {
         "BACKEND": "django_redis.cache.RedisCache",
         "LOCATION": config.get('redis', 'location'),
-        "OPTIONS": {
-            "CLIENT_CLASS": "django_redis.client.DefaultClient",
-            "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
-        }
+        "OPTIONS": redis_options
     }
     CACHES['redis_sessions'] = {
         "BACKEND": "django_redis.cache.RedisCache",
         "LOCATION": config.get('redis', 'location'),
         "TIMEOUT": 3600 * 24 * 30,
-        "OPTIONS": {
-            "CLIENT_CLASS": "django_redis.client.DefaultClient",
-            "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
-        }
+        "OPTIONS": redis_options
     }
     if not HAS_MEMCACHED:
         CACHES['default'] = CACHES['redis']
diff --git a/src/pretix/settings_helpers.py b/src/pretix/settings_helpers.py
new file mode 100644
index 000000000..52d70a749
--- /dev/null
+++ b/src/pretix/settings_helpers.py
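Review bot: `redis_options` (and its nested `REDIS_CLIENT_KWARGS` dict) is one object now referenced from both `CACHES['redis']` and `CACHES['redis_sessions']`, whereas each cache previously had its own literal; nothing in the hunk mutates it afterwards, but any later per-cache adjustment or an in-place update by the cache backend would silently leak into the other cache. Building the options through a small factory called once per cache, as below, keeps the two definitions independent. Separately, the `ssl_*` kwargs are only honoured when `redis.location` is a `rediss://` URL — with a plain `redis://` URL the non-TLS connection class presumably rejects them as unexpected keyword arguments — so either a comment (`# TLS options require a rediss:// location`) or an explicit scheme check with the already-imported `urlparse` would turn a confusing connect-time failure into a clear configuration error.
```python
def _redis_cache_options():
    """Build a fresh django-redis OPTIONS dict; one per cache so they never alias."""
    options = {
        "CLIENT_CLASS": "django_redis.client.DefaultClient",
        "REDIS_CLIENT_KWARGS": {"health_check_interval": 30}
    }
    redis_tls_config = build_redis_tls_config(config)
    if redis_tls_config is not None:
        # only honoured by the TLS connection class, i.e. a rediss:// location
        options["CONNECTION_POOL_KWARGS"] = dict(redis_tls_config)
        options["REDIS_CLIENT_KWARGS"].update(redis_tls_config)
    if config.has_option('redis', 'password'):
        options["PASSWORD"] = config.get('redis', 'password')
    return options


HAS_REDIS = config.has_option('redis', 'location')
if HAS_REDIS:
    CACHES['redis'] = {
        # … unchanged: BACKEND, LOCATION …
        "OPTIONS": _redis_cache_options()
    }
    # … unchanged: CACHES['redis_sessions'] with "OPTIONS": _redis_cache_options(), HAS_MEMCACHED fallback …
```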
@@ -0,0 +1,30 @@
+def build_db_tls_config(config, db_backend):
+    db_ssl_mode = config.get("database", "sslmode", fallback="disable")
+    # add postgresql TLS options
+    if db_ssl_mode != "disable" and db_backend == "postgresql":
+        db_tls_config = {
+            "sslmode": db_ssl_mode,
+            "sslrootcert": config.get("database", "sslrootcert"),
+        }
+        # add postgresql mTLS options
+        if config.has_option("database", "sslcert"):
+            db_tls_config["sslcert"] = config.get("database", "sslcert")
+            db_tls_config["sslkey"] = config.get("database", "sslkey")
+        return db_tls_config
+    return None
+
+
+def build_redis_tls_config(config):
+    redis_ssl_cert_reqs = config.get("redis", "ssl_cert_reqs", fallback="none")
+    # add redis tls options
+    if redis_ssl_cert_reqs != "none":
+        redis_tls_config = {
+            "ssl_cert_reqs": redis_ssl_cert_reqs,
+            "ssl_ca_certs": config.get("redis", "ssl_ca_certs"),
+        }
+        # add redis mTLS options
+        if config.has_option("redis", "ssl_certfile"):
+            redis_tls_config["ssl_keyfile"] = config.get("redis", "ssl_keyfile")
+            redis_tls_config["ssl_certfile"] = config.get("redis", "ssl_certfile")
+        return redis_tls_config
+    return None
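Review bot: `build_db_tls_config` passes any non-`disable` sslmode straight to libpq, but `allow` and `prefer` may silently fall back to a plaintext connection, and of the remaining modes only `verify-full` also checks that the server certificate matches the host name, so the `sslrootcert` the function insists on only guarantees "some certificate issued by this CA" unless the operator knows to choose `verify-full`. A missing `sslrootcert` or `sslkey` also surfaces as a bare `configparser.NoOptionError` raised from `config.get(...)` while settings are imported, which is hard to trace back to the offending key in pretix.cfg. Neither function has a docstring; the rewrite below restricts sslmode to the non-downgrading values, documents the semantics, and reports missing options by section and name. `build_redis_tls_config` needs the same docstring and missing-option handling for `ssl_ca_certs` and `ssl_keyfile`. Both functions are complete within this hunk.
```python
# libpq semantics: "allow"/"prefer" may silently fall back to plaintext, and
# only "verify-full" also checks the certificate against the host name, so
# anything below it still admits a MITM holding any certificate from the CA.
_PG_SSLMODES = ("require", "verify-ca", "verify-full")


def _require_option(config, section, option):
    """Read a mandatory option, naming section and option in the error."""
    if not config.has_option(section, option):
        raise ValueError("%s.%s is required when TLS is enabled" % (section, option))
    return config.get(section, option)


def build_db_tls_config(config, db_backend):
    """Return libpq ``ssl*`` options from the ``[database]`` section, or ``None``.

    TLS is opt-in via ``sslmode`` (default ``disable``) and only applies to the
    postgresql backend. ``sslrootcert`` is mandatory once TLS is on; ``sslcert``
    and ``sslkey`` must be given together for client-certificate (mTLS) auth.
    Raises ``ValueError`` for an unsupported ``sslmode`` or a missing option so
    the mistake is reported against pretix.cfg rather than as a libpq error.
    """
    db_ssl_mode = config.get("database", "sslmode", fallback="disable")
    if db_ssl_mode == "disable" or db_backend != "postgresql":
        return None
    if db_ssl_mode not in _PG_SSLMODES:
        raise ValueError("database.sslmode must be one of: %s" % ", ".join(_PG_SSLMODES))
    db_tls_config = {
        "sslmode": db_ssl_mode,
        "sslrootcert": _require_option(config, "database", "sslrootcert"),
    }
    # mTLS: a client certificate is useless without its key, so demand both
    if config.has_option("database", "sslcert"):
        db_tls_config["sslcert"] = config.get("database", "sslcert")
        db_tls_config["sslkey"] = _require_option(config, "database", "sslkey")
    return db_tls_config


# … unchanged: build_redis_tls_config …
```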