From e01a99da815b65881c662098a906c228c4e39e5a Mon Sep 17 00:00:00 2001
From: Alexander Todorov
Date: Thu, 28 Jul 2022 17:32:40 +0300
Subject: [PATCH 1/3] Generate SSL certificates for DB during testing

gencerts.sh - https://gitlab.com/damp-stack/mysql-ssl-docker/
---
 .github/workflows/ssl-db.yml | 68 ++++++++++++++++++++++++++++++++++++
 .gitignore | 1 +
 docker-compose.mariadb-ssl | 24 +++++++++++++
 tests/gen-db-certs.sh | 43 +++++++++++++++++++++++
 4 files changed, 136 insertions(+)
 create mode 100644 .github/workflows/ssl-db.yml
 create mode 100644 docker-compose.mariadb-ssl
 create mode 100755 tests/gen-db-certs.sh

diff --git a/.github/workflows/ssl-db.yml b/.github/workflows/ssl-db.yml
new file mode 100644
index 0000000000..d02233c08b
--- /dev/null
+++ b/.github/workflows/ssl-db.yml
@@ -0,0 +1,68 @@
+name: database-connection-via-ssl
+
+on:
+ push:
+ branches: master
+ pull_request:
+
+jobs:
+ mariadb:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: [3.8]
+
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v4
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Generate DB certificates
+ run: |
+ # docker run -v $(pwd)/tests/db-certs/:/Kiwi/db-certs/:Z --rm -i kiwitcms/kiwi \
+ # /usr/bin/sscg \
+ # -v -f \
+ # --country BG --locality Sofia \
+ # --organization "Kiwi TCMS" \
+ # --organizational-unit "DevOps" \
+ # --ca-file /Kiwi/db-certs/ca.crt \
+ # --ca-key-file /Kiwi/db-certs/ca.key \
+ # --cert-file /Kiwi/db-certs/server.crt \
+ # --cert-key-file /Kiwi/db-certs/server.key
+ # re-enable & add client cert when https://github.com/sgallagher/sscg/issues/3 is fixed
+ pushd ./tests/ && ./gen-db-certs.sh && popd
+
+ - name: Create database
+ run: |
+ docker-compose -f docker-compose.mariadb-ssl pull db
+ docker-compose -f docker-compose.mariadb-ssl run -d -p 3306:3306 --name kiwi_db db
+ sleep 20 # wait to initialize
+
+ set -e
+ docker exec -i kiwi_db mariadb -u root -pkiwi-1s-aw3s0m3 \
+ --ssl-ca=/etc/certs/ca.pem \
+ --ssl-cert=/etc/certs/client-cert.pem \
+ --ssl-key=/etc/certs/client-key.pem -e 'status' | grep "Cipher in use is"
+
+ - name: Initialize DB tables & records
+ run: |
+ sudo apt-get update
+ sudo apt-get install gettext
+
+ sudo mkdir /Kiwi
+ sudo chmod a+w /Kiwi
+
+ pip install -r requirements/devel.txt
+ pip install -r requirements/mariadb.txt
+ pushd tcms/ && npm install && popd
+
+ export LANG=bg-bg
+ set -e
+ coverage run --source='.' ./manage.py migrate -v2 --noinput --settings tcms.settings.test.mariadb
+
+ - name: Send coverage to codecov.io
+ run: |
+ coverage report -m
+ bash <(curl -s https://codecov.io/bash)
diff --git a/.gitignore b/.gitignore
index 4bb4c37d48..ec886d5579 100644
--- a/.gitignore
+++ b/.gitignore
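Review bot: The `Send coverage to codecov.io` step runs `bash <(curl -s https://codecov.io/bash)`, which executes whatever the remote host serves, unverified, inside a job that holds a checkout of the repository and the workflow's token; the rest of this file pins its third-party code (`actions/checkout@v3`, `actions/setup-python@v4`), so this is the one unpinned dependency in the workflow. Prefer the maintained `codecov/codecov-action` pinned like the other actions, or at least verify a published checksum of the downloaded script before executing it. Separately, `sleep 20 # wait to initialize` is a fixed delay in the `Create database` step; polling the `docker exec ... -e 'status'` check in a short retry loop would make the job fail deterministically rather than intermittently when the container is slow to initialise. Note also that `grep "Cipher in use is"` proves only that a TLS cipher was negotiated, not that the client validated the server certificate generated by tests/gen-db-certs.sh; if that is part of the intent, say so in a comment on that line.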
@@ -16,4 +16,5 @@ docs/target/
 .vscode/
 .cache/
 tcms/node_modules/
+tests/db-certs/*.pem
 package-lock.json
diff --git a/docker-compose.mariadb-ssl b/docker-compose.mariadb-ssl
new file mode 100644
index 0000000000..b427ca8f08
--- /dev/null
+++ b/docker-compose.mariadb-ssl
@@ -0,0 +1,24 @@
+version: '2'
+
+services:
+ db:
+ container_name: kiwi_db
+ image: mariadb:latest
+ command: [ "--character-set-server=utf8mb4",
+ "--collation-server=utf8mb4_unicode_ci",
+ "--require-secure-transport=ON",
+ "--ssl-ca=/etc/certs/ca.pem",
+ "--ssl-cert=/etc/certs/server-cert.pem",
+ "--ssl-key=/etc/certs/server-key.pem" ]
+ volumes:
+ - db_data:/var/lib/mysql
+ - ./tests/db-certs/:/etc/certs/
+ restart: always
+ environment:
+ MYSQL_ROOT_PASSWORD: kiwi-1s-aw3s0m3
+ MYSQL_DATABASE: kiwi
+ MYSQL_USER: kiwi
+ MYSQL_PASSWORD: kiwi
+
+volumes:
+ db_data:
diff --git a/tests/gen-db-certs.sh b/tests/gen-db-certs.sh
new file mode 100755
index 0000000000..1252ae77e3
--- /dev/null
+++ b/tests/gen-db-certs.sh
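Review bot: The bind mount `- ./tests/db-certs/:/etc/certs/` in docker-compose.mariadb-ssl hands the whole directory to the database container, so `ca-key.pem` and the client key written by tests/gen-db-certs.sh end up inside a container whose `command` only references `ca.pem`, `server-cert.pem` and `server-key.pem`, and the mount is writable. Making it read-only, `- ./tests/db-certs/:/etc/certs/:ro`, is a one-token change; mounting the three server files individually would additionally keep the CA private key out of the container. `image: mariadb:latest` is unpinned, so a new major release can change TLS behaviour under this CI job without any commit in this repository; pinning a major tag (a `mariadb:<version>` of your choice) keeps a red build attributable. `restart: always` is unnecessary for a throwaway CI container and can turn a crash-loop on a bad certificate into what looks like slow start-up during the workflow's fixed `sleep 20`.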
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+OPENSSL_SUBJ="/C=BG/ST=Sofia/L=Sofia"
+OPENSSL_CA="${OPENSSL_SUBJ}/CN=fake-CA"
+OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=fake-server"
+OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=fake-client"
+
+mkdir -p db-certs/
+pushd db-certs/
+
+# Generate new CA certificate ca.pem file.
+openssl genrsa 2048 > ca-key.pem
+
+# TODO This has interaction that must be automated
+openssl req -new -x509 -nodes -days 3600 \
+ -subj "${OPENSSL_CA}" \
+ -key ca-key.pem -out ca.pem
+
+
+# Create the server-side certificates
+# This has more interaction that must be automated
+
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+ -subj "${OPENSSL_SERVER}" \
+ -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+ -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+
+# Create the client-side certificates
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+ -subj "${OPENSSL_CLIENT}" \
+ -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+ -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
+
+# Verify the certificates are correct
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
+
+# make the keys readable b/c we're having issues with uid/gid inside the containers
+chmod 644 client-key.pem server-key.pem ca-key.pem
+popd
From 9e55ef14f5e4610e956e541d48587f8524526b93 Mon Sep 17 00:00:00 2001
From: Alexander Todorov
Date: Thu, 28 Jul 2022 23:39:51 +0300
Subject: [PATCH 2/3] DEBUG: the mariadb connection

---
 check-ssl.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100755 check-ssl.py

diff --git a/check-ssl.py b/check-ssl.py
new file mode 100755
index 0000000000..d7aaae5571
--- /dev/null
+++ b/check-ssl.py
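Review bot: Both `openssl x509 -req` invocations pass `-set_serial 01`, so the server and client certificates issued by the same CA share a serial number, which RFC 5280 requires to be unique per issuer and which some TLS stacks and certificate caches treat as the same certificate; give the client certificate `-set_serial 02`, or use `-CAcreateserial` on both lines. The script has no `set -euo pipefail`, so a failing `openssl` step is silently followed by the next one and the closing `openssl verify` is only informational — adding `set -euo pipefail` after the shebang makes the workflow step that calls this script stop at the first error. The two `openssl rsa -in X-key.pem -out X-key.pem` lines look redundant after `-nodes`; if they are there to convert the PKCS#8 output of `openssl req` to the traditional RSA PEM format some MySQL builds expect, a comment saying so, e.g. `# convert PKCS#8 key to traditional RSA PEM for older server builds`, would stop the next maintainer from deleting them. The `chmod 644` on the private keys is explained by its comment, but the comment should also state that these are throwaway CI credentials, e.g. `# test-only keys: world-readable on purpose, never reuse outside CI`, so the script is not copied for a real deployment.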
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+import MySQLdb
+
+config = {
+ 'user': 'kiwi',
+ 'password': 'kiwi',
+ 'host': '127.0.0.1',
+ 'ssl': {
+# 'ca': '/home/senko/Kiwi/tests/db-certs/ca.pem',
+# 'cert': '/home/senko/Kiwi/tests/db-certs/client-cert.pem',
+# 'key': '/home/senko/Kiwi/tests/db-certs/client-key.pem',
+ }
+}
+
+db = MySQLdb.connect(**config)
+cur = db.cursor()
+cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
+print(cur.fetchone())
+cur.close()
+db.close()
From 9ade907b30f6008ce16af3c1f0438a866ba4dc54 Mon Sep 17 00:00:00 2001
From: "deepsource-autofix[bot]" <62050782+deepsource-autofix[bot]@users.noreply.github.com>
Date: Thu, 28 Jul 2022 20:40:38 +0000
Subject: [PATCH 3/3] Format code with black

---
 check-ssl.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/check-ssl.py b/check-ssl.py
index d7aaae5571..5b2608fc03 100755
--- a/check-ssl.py
+++ b/check-ssl.py
@@ -3,14 +3,14 @@
 import MySQLdb

 config = {
- 'user': 'kiwi',
- 'password': 'kiwi',
- 'host': '127.0.0.1',
- 'ssl': {
-# 'ca': '/home/senko/Kiwi/tests/db-certs/ca.pem',
-# 'cert': '/home/senko/Kiwi/tests/db-certs/client-cert.pem',
-# 'key': '/home/senko/Kiwi/tests/db-certs/client-key.pem',
- }
+ "user": "kiwi",
+ "password": "kiwi",
+ "host": "127.0.0.1",
+ "ssl": {
+ # 'ca': '/home/senko/Kiwi/tests/db-certs/ca.pem',
+ # 'cert': '/home/senko/Kiwi/tests/db-certs/client-cert.pem',
+ # 'key': '/home/senko/Kiwi/tests/db-certs/client-key.pem',
+ },
 }

 db = MySQLdb.connect(**config)
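Review bot: `print(cur.fetchone())` only displays the `Ssl_cipher` status row, so check-ssl.py cannot fail when the connection is made in the clear; with every entry of the `ssl` dict commented out nothing in this config asks MySQLdb for TLS, and whether it is negotiated is left to the client library's defaults and the server's `--require-secure-transport`. Make the check assertive: `row = cur.fetchone()` / `print(row)` / `if not row or not row[1]: raise SystemExit("no TLS cipher negotiated")`. The commented-out paths point at a developer's home directory (`/home/senko/...`); repo-relative paths such as `tests/db-certs/ca.pem` would let anyone who has run tests/gen-db-certs.sh use the script unchanged. `db` and `cur` are never closed if `execute` raises; `contextlib.closing` or a `try`/`finally` would fix that, though for a DEBUG script it is minor.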