From 088137ef49811cc4f33cfe8a470cdf22a960f971 Mon Sep 17 00:00:00 2001
From: lordrobincbz
Date: Sat, 21 Dec 2024 16:24:25 +0100
Subject: [PATCH] fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files, in all other build
---
 README.md | 12 +++----
 fpm-alpine/Dockerfile | 1 +
 fpm-alpine/config.inc.php | 41 +++++++++++++++++++++
 fpm-alpine/docker-entrypoint.sh | 64 ---------------------------------
 fpm-alpine/helpers.php | 43 ++++++++++++++++++++++
 fpm/Dockerfile | 1 +
 fpm/config.inc.php | 41 +++++++++++++++++++++
 fpm/docker-entrypoint.sh | 64 ---------------------------------
 fpm/helpers.php | 43 ++++++++++++++++++++++
 9 files changed, 176 insertions(+), 134 deletions(-)
 create mode 100644 fpm-alpine/helpers.php
 create mode 100644 fpm/helpers.php
diff --git a/README.md b/README.md
index dfa2279..34c202b 100644
--- a/README.md
+++ b/README.md
@@ -187,12 +187,12 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1,
 * ``PMA_SSL`` - when set to 1, defines SSL usage for the MySQL connection
 * ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection.
 * ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections.
-* ``PMA_SSL_CA_BASE64`` - in the context of mTLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`.
-* ``PMA_SSL_CAS_BASE64`` - in the context of mTLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`.
-* ``PMA_SSL_CERT_BASE64`` - in the context of mTLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`.
-* ``PMA_SSL_CERTS_BASE64`` - in the context of mTLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`.
-* ``PMA_SSL_KEY_BASE64`` - in the context of mTLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`.
-* ``PMA_SSL_KEYS_BASE64`` - in the context of mTLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`.
+* ``PMA_SSL_CA_BASE64`` - in the context of mutual TLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`.
+* ``PMA_SSL_CAS_BASE64`` - in the context of mutual TLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`.
+* ``PMA_SSL_CERT_BASE64`` - in the context of mutual TLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`.
+* ``PMA_SSL_CERTS_BASE64`` - in the context of mutual TLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`.
+* ``PMA_SSL_KEY_BASE64`` - in the context of mutual TLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`.
+* ``PMA_SSL_KEYS_BASE64`` - in the context of mutual TLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`.
 * ``PMA_USER`` and ``PMA_PASSWORD`` - define username and password to use only with the `config` authentication method
 * ``PMA_ABSOLUTE_URI`` - the full URL to phpMyAdmin. Sometimes needed when used in a reverse-proxy configuration. Don't set this unless needed. See [documentation](https://docs.phpmyadmin.net/en/latest/config.html#cfg_PmaAbsoluteUri).
 * ``PMA_CONFIG_BASE64`` - if set, this option will override the default `config.inc.php` with the base64 decoded contents of the variable
diff --git a/fpm-alpine/Dockerfile b/fpm-alpine/Dockerfile
index f947994..4e189a0 100644
--- a/fpm-alpine/Dockerfile
+++ b/fpm-alpine/Dockerfile
@@ -120,6 +120,7 @@ RUN set -ex; \
 
 # Copy configuration
 COPY config.inc.php /etc/phpmyadmin/config.inc.php
+COPY helpers.php /etc/phpmyadmin/helpers.php
 RUN chown www-data:www-data -R /etc/phpmyadmin/
 
 # Copy main script
diff --git a/fpm-alpine/config.inc.php b/fpm-alpine/config.inc.php
index 693a715..fb0feeb 100644
--- a/fpm-alpine/config.inc.php
+++ b/fpm-alpine/config.inc.php
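Review bot: helpers.php is copied into /etc/phpmyadmin immediately before the existing `RUN chown www-data:www-data -R /etc/phpmyadmin/`, so this new PHP source file ends up owned by the account the FPM workers run as, and a compromised worker can rewrite code that is presumably loaded alongside config.inc.php on every request. The recursive chown is now load-bearing for the SSL material that config.inc.php writes at request time (the removed shell used /etc/phpmyadmin/ssl, and SSL_DIR likely still points there), so rather than extending it to more source files consider keeping the PHP sources root-owned and granting www-data only the directory that must be writable, e.g. `RUN mkdir -p /etc/phpmyadmin/ssl && chown www-data:www-data /etc/phpmyadmin/ssl` in place of the recursive chown. The diffstat lists an identical one-line change to fpm/Dockerfile that is not visible on this page.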
@@ -63,6 +63,47 @@
     $cfg['PmaAbsoluteUri'] = trim($_ENV['PMA_ABSOLUTE_URI']);
 }
 
+if (isset($_ENV['PMA_SSL_CA_BASE64'])) {
+    if (!is_dir(SSL_DIR)) {
+        mkdir(SSL_DIR, 0755, true);
+    }
+    file_put_contents(SSL_DIR . '/pma-ssl-ca.pem', base64_decode($_ENV['PMA_SSL_CA_BASE64']));
+    $_ENV['PMA_SSL_CA'] = SSL_DIR . '/pma-ssl-ca.pem';
+}
+
+/* Decode and save the SSL key from base64 */
+if (isset($_ENV['PMA_SSL_KEY_BASE64'])) {
+    if (!is_dir(SSL_DIR)) {
+        mkdir(SSL_DIR, 0755, true);
+    }
+    file_put_contents(SSL_DIR . '/pma-ssl-key.key', base64_decode($_ENV['PMA_SSL_KEY_BASE64']));
+    $_ENV['PMA_SSL_KEY'] = SSL_DIR . '/pma-ssl-key.key';
+}
+
+/* Decode and save the SSL certificate from base64 */
+if (isset($_ENV['PMA_SSL_CERT_BASE64'])) {
+    if (!is_dir(SSL_DIR)) {
+        mkdir(SSL_DIR, 0755, true);
+    }
+    file_put_contents(SSL_DIR . '/pma-ssl-cert.pem', base64_decode($_ENV['PMA_SSL_CERT_BASE64']));
+    $_ENV['PMA_SSL_CERT'] = SSL_DIR . '/pma-ssl-cert.pem';
+}
+
+/* Decode and save multiple SSL CA certificates from base64 */
+if (isset($_ENV['PMA_SSL_CAS_BASE64'])) {
+    $_ENV['PMA_SSL_CAS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CAS_BASE64'], 'CA', 'pem');
+}
+
+/* Decode and save multiple SSL keys from base64 */
+if (isset($_ENV['PMA_SSL_KEYS_BASE64'])) {
+    $_ENV['PMA_SSL_KEYS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'CERT', 'cert');
+}
+
+/* Decode and save multiple SSL certificates from base64 */
+if (isset($_ENV['PMA_SSL_CERTS_BASE64'])) {
+    $_ENV['PMA_SSL_CERTS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'KEY', 'key');
+}
+
 /* Figure out hosts */
 
 /* Fallback to default linked */
diff --git a/fpm-alpine/docker-entrypoint.sh b/fpm-alpine/docker-entrypoint.sh
index 7a4c8f7..51c8303 100755
--- a/fpm-alpine/docker-entrypoint.sh
+++ b/fpm-alpine/docker-entrypoint.sh
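Review bot: The private key written by the `PMA_SSL_KEY_BASE64` branch lands in a directory created with `mkdir(SSL_DIR, 0755, true)` through a plain `file_put_contents`, so it takes the worker's default umask (typically 0644) and is readable by every account in the container; a 0700 directory and a 0600 file is the expected footprint for key material. Because this code now lives in config.inc.php it runs on every request rather than once at start-up, and the truncate-then-write of `file_put_contents` means a concurrent php-fpm worker that opens the key mid-write can read an empty file, so writing into a `tempnam()` file (created 0600) and `rename()`-ing it into place is safer; `base64_decode` should also pass `true` for strict mode, and a failed write should fail loudly instead of pointing `$_ENV['PMA_SSL_KEY']` at a missing file. Separately, the multi-file branches carry over the swapped arguments from the removed shell: `PMA_SSL_KEYS_BASE64` is saved under the `'CERT', 'cert'` prefix and `PMA_SSL_CERTS_BASE64` under `'KEY', 'key'`, so the lines should read `decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'KEY', 'key')` and `decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'CERT', 'cert')`. Nothing in this hunk includes helpers.php or defines `SSL_DIR`, so unless that happens earlier in the file both `SSL_DIR` and `decodeAndSaveSslFiles` are undefined here. A helper of the following shape, which presumably belongs in helpers.php next to decodeAndSaveSslFiles, covers the three single-file branches:
```php
/* Decode one base64 environment value into SSL_DIR with key-grade permissions and return its path. */
function pmaWriteSslFile(string $base64, string $fileName): string
{
    // the double is_dir() tolerates a concurrent worker creating the directory first
    if (!is_dir(SSL_DIR) && !mkdir(SSL_DIR, 0700, true) && !is_dir(SSL_DIR)) {
        throw new RuntimeException('Cannot create ' . SSL_DIR);
    }
    $data = base64_decode($base64, true);
    if ($data === false) {
        throw new RuntimeException('Invalid base64 content for ' . $fileName);
    }
    $path = SSL_DIR . '/' . $fileName;
    // tempnam() creates the file 0600; rename() swaps it in atomically so
    // other workers never observe a truncated key or certificate.
    $tmp = tempnam(SSL_DIR, 'pma-ssl-');
    if ($tmp === false || file_put_contents($tmp, $data) === false || !rename($tmp, $path)) {
        throw new RuntimeException('Cannot write ' . $path);
    }
    return $path;
}

if (isset($_ENV['PMA_SSL_CA_BASE64'])) {
    $_ENV['PMA_SSL_CA'] = pmaWriteSslFile($_ENV['PMA_SSL_CA_BASE64'], 'pma-ssl-ca.pem');
}
// … same one-liner for PMA_SSL_KEY_BASE64 (pma-ssl-key.key) and PMA_SSL_CERT_BASE64 (pma-ssl-cert.pem) …
// … unchanged: PMA_SSL_CAS_BASE64 / PMA_SSL_KEYS_BASE64 / PMA_SSL_CERTS_BASE64 branches, with the prefix arguments corrected …
```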
@@ -29,45 +29,6 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then
     echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php
 fi
 
-if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then
-    mkdir -p /etc/phpmyadmin/ssl
-    echo "Adding the custom pma-ssl-ca from base64."
-    echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem
-    export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem"
-fi
-
-if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then
-    mkdir -p /etc/phpmyadmin/ssl
-    echo "Adding the custom pma-ssl-key from base64."
-    echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key
-    export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key"
-fi
-
-if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then
-    mkdir -p /etc/phpmyadmin/ssl
-    echo "Adding the custom pma-ssl-cert from base64."
-    echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem
-    export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem"
-fi
-
-if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then
-    echo "Adding multiples custom pma-ssl-ca from base64."
-    PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem")
-    export "PMA_SSL_CAS"
-fi
-
-if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then
-    echo "Adding multiples custom pma-ssl-key from base64."
-    PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert")
-    export "PMA_SSL_KEYS"
-fi
-
-if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then
-    echo "Adding multiples custom pma-ssl-cert from base64."
-    PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key")
-    export "PMA_SSL_CERTS"
-fi
-
 get_docker_secret() {
     local env_var="${1}"
     local env_var_file="${env_var}_FILE"
@@ -80,31 +41,6 @@ get_docker_secret() {
     fi
 }
 
-# This function generates SSL files from a base64 encoded string.
-# Arguments:
-# 1. base64_string: A comma-separated string of base64 encoded SSL files.
-# 2. prefix: A prefix to be used in the output file names.
-# 3. extension: The file extension to be used for the output files.
-# The function creates a directory for the SSL files, decodes each base64 string,
-# writes the decoded content to a file, and returns a comma-separated list of the generated file paths.
-#
-generate_ssl_files() {
-    local base64_string="${1}"
-    local output_dir="/etc/phpmyadmin/ssl"
-    mkdir -p "${output_dir}"
-    IFS=',' read -ra FILES <<< "${base64_string}"
-    local counter=1
-    local ssl_files=""
-    for file in "${FILES[@]}"; do
-        local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}"
-        echo "${file}" | base64 -d > "${output_file}"
-        ssl_files="${ssl_files}${output_file},"
-        counter=$((counter + 1))
-    done
-    ssl_files="${ssl_files%,}"
-    echo "${ssl_files}"
-}
-
 get_docker_secret PMA_USER
 get_docker_secret PMA_PASSWORD
 get_docker_secret MYSQL_ROOT_PASSWORD
diff --git a/fpm-alpine/helpers.php b/fpm-alpine/helpers.php
new file mode 100644
index 0000000..54d2942
--- /dev/null
+++ b/fpm-alpine/helpers.php
@@ -0,0 +1,43 @@ + /etc/phpmyadmin/config.user.inc.php
 fi
 
-if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then
-    mkdir -p /etc/phpmyadmin/ssl
-    echo "Adding the custom pma-ssl-ca from base64."
-    echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem
-    export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem"
-fi
-
-if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then
-    mkdir -p /etc/phpmyadmin/ssl
-    echo "Adding the custom pma-ssl-key from base64."
-    echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key
-    export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key"
-fi
-
-if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then
-    mkdir -p /etc/phpmyadmin/ssl
-    echo "Adding the custom pma-ssl-cert from base64."
-    echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem
-    export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem"
-fi
-
-if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then
-    echo "Adding multiples custom pma-ssl-ca from base64."
-    PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem")
-    export "PMA_SSL_CAS"
-fi
-
-if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then
-    echo "Adding multiples custom pma-ssl-key from base64."
-    PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert")
-    export "PMA_SSL_KEYS"
-fi
-
-if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then
-    echo "Adding multiples custom pma-ssl-cert from base64."
-    PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key")
-    export "PMA_SSL_CERTS"
-fi
-
 get_docker_secret() {
     local env_var="${1}"
     local env_var_file="${env_var}_FILE"
@@ -80,31 +41,6 @@ get_docker_secret() {
     fi
 }
 
-# This function generates SSL files from a base64 encoded string.
-# Arguments:
-# 1. base64_string: A comma-separated string of base64 encoded SSL files.
-# 2. prefix: A prefix to be used in the output file names.
-# 3. extension: The file extension to be used for the output files.
-# The function creates a directory for the SSL files, decodes each base64 string,
-# writes the decoded content to a file, and returns a comma-separated list of the generated file paths.
-#
-generate_ssl_files() {
-    local base64_string="${1}"
-    local output_dir="/etc/phpmyadmin/ssl"
-    mkdir -p "${output_dir}"
-    IFS=',' read -ra FILES <<< "${base64_string}"
-    local counter=1
-    local ssl_files=""
-    for file in "${FILES[@]}"; do
-        local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}"
-        echo "${file}" | base64 -d > "${output_file}"
-        ssl_files="${ssl_files}${output_file},"
-        counter=$((counter + 1))
-    done
-    ssl_files="${ssl_files%,}"
-    echo "${ssl_files}"
-}
-
 get_docker_secret PMA_USER
 get_docker_secret PMA_PASSWORD
 get_docker_secret MYSQL_ROOT_PASSWORD
diff --git a/fpm/helpers.php b/fpm/helpers.php
new file mode 100644
index 0000000..54d2942
--- /dev/null
+++ b/fpm/helpers.php
@@ -0,0 +1,43 @@ +