Skip to content

Commit

Permalink
Merge pull request #3 from LordRobinCbz/develop
Browse files Browse the repository at this point in the history
fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files, in all other build
  • Loading branch information
LordRobinCbz authored Dec 21, 2024
2 parents a284aff + 088137e commit 0ffaad3
Show file tree
Hide file tree
Showing 9 changed files with 176 additions and 134 deletions.
12 changes: 6 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -187,12 +187,12 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1,
* ``PMA_SSL`` - when set to 1, defines SSL usage for the MySQL connection
* ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection.
* ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections.
* ``PMA_SSL_CA_BASE64`` - in the context of mTLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`.
* ``PMA_SSL_CAS_BASE64`` - in the context of mTLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`.
* ``PMA_SSL_CERT_BASE64`` - in the context of mTLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`.
* ``PMA_SSL_CERTS_BASE64`` - in the context of mTLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`.
* ``PMA_SSL_KEY_BASE64`` - in the context of mTLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`.
* ``PMA_SSL_KEYS_BASE64`` - in the context of mTLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`.
* ``PMA_SSL_CA_BASE64`` - in the context of mutual TLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`.
* ``PMA_SSL_CAS_BASE64`` - in the context of mutual TLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`.
* ``PMA_SSL_CERT_BASE64`` - in the context of mutual TLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`.
* ``PMA_SSL_CERTS_BASE64`` - in the context of mutual TLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`.
* ``PMA_SSL_KEY_BASE64`` - in the context of mutual TLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`.
* ``PMA_SSL_KEYS_BASE64`` - in the context of mutual TLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`.
* ``PMA_USER`` and ``PMA_PASSWORD`` - define username and password to use only with the `config` authentication method
* ``PMA_ABSOLUTE_URI`` - the full URL to phpMyAdmin. Sometimes needed when used in a reverse-proxy configuration. Don't set this unless needed. See [documentation](https://docs.phpmyadmin.net/en/latest/config.html#cfg_PmaAbsoluteUri).
* ``PMA_CONFIG_BASE64`` - if set, this option will override the default `config.inc.php` with the base64 decoded contents of the variable
Expand Down
1 change: 1 addition & 0 deletions fpm-alpine/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ RUN set -ex; \

# Copy configuration
COPY config.inc.php /etc/phpmyadmin/config.inc.php
COPY helpers.php /etc/phpmyadmin/helpers.php
RUN chown www-data:www-data -R /etc/phpmyadmin/

# Copy main script
Expand Down
41 changes: 41 additions & 0 deletions fpm-alpine/config.inc.php
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,47 @@
$cfg['PmaAbsoluteUri'] = trim($_ENV['PMA_ABSOLUTE_URI']);
}

if (isset($_ENV['PMA_SSL_CA_BASE64'])) {
if (!is_dir(SSL_DIR)) {
mkdir(SSL_DIR, 0755, true);
}
file_put_contents(SSL_DIR . '/pma-ssl-ca.pem', base64_decode($_ENV['PMA_SSL_CA_BASE64']));
$_ENV['PMA_SSL_CA'] = SSL_DIR . '/pma-ssl-ca.pem';
}

/* Decode and save the SSL key from base64 */
if (isset($_ENV['PMA_SSL_KEY_BASE64'])) {
if (!is_dir(SSL_DIR)) {
mkdir(SSL_DIR, 0755, true);
}
file_put_contents(SSL_DIR . '/pma-ssl-key.key', base64_decode($_ENV['PMA_SSL_KEY_BASE64']));
$_ENV['PMA_SSL_KEY'] = SSL_DIR . '/pma-ssl-key.key';
}

/* Decode and save the SSL certificate from base64 */
if (isset($_ENV['PMA_SSL_CERT_BASE64'])) {
if (!is_dir(SSL_DIR)) {
mkdir(SSL_DIR, 0755, true);
}
file_put_contents(SSL_DIR . '/pma-ssl-cert.pem', base64_decode($_ENV['PMA_SSL_CERT_BASE64']));
$_ENV['PMA_SSL_CERT'] = SSL_DIR . '/pma-ssl-cert.pem';
}

/* Decode and save multiple SSL CA certificates from base64 */
if (isset($_ENV['PMA_SSL_CAS_BASE64'])) {
$_ENV['PMA_SSL_CAS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CAS_BASE64'], 'CA', 'pem');
}

/* Decode and save multiple SSL keys from base64 */
if (isset($_ENV['PMA_SSL_KEYS_BASE64'])) {
$_ENV['PMA_SSL_KEYS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'CERT', 'cert');
}

/* Decode and save multiple SSL certificates from base64 */
if (isset($_ENV['PMA_SSL_CERTS_BASE64'])) {
$_ENV['PMA_SSL_CERTS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'KEY', 'key');
}

/* Figure out hosts */

/* Fallback to default linked */
Expand Down
64 changes: 0 additions & 64 deletions fpm-alpine/docker-entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -29,45 +29,6 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then
echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php
fi

if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then
mkdir -p /etc/phpmyadmin/ssl
echo "Adding the custom pma-ssl-ca from base64."
echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem
export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem"
fi

if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then
mkdir -p /etc/phpmyadmin/ssl
echo "Adding the custom pma-ssl-key from base64."
echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key
export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key"
fi

if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then
mkdir -p /etc/phpmyadmin/ssl
echo "Adding the custom pma-ssl-cert from base64."
echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem
export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem"
fi

if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then
echo "Adding multiples custom pma-ssl-ca from base64."
PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem")
export "PMA_SSL_CAS"
fi

if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then
echo "Adding multiples custom pma-ssl-key from base64."
PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert")
export "PMA_SSL_KEYS"
fi

if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then
echo "Adding multiples custom pma-ssl-cert from base64."
PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key")
export "PMA_SSL_CERTS"
fi

get_docker_secret() {
local env_var="${1}"
local env_var_file="${env_var}_FILE"
Expand All @@ -80,31 +41,6 @@ get_docker_secret() {
fi
}

# This function generates SSL files from a base64 encoded string.
# Arguments:
# 1. base64_string: A comma-separated string of base64 encoded SSL files.
# 2. prefix: A prefix to be used in the output file names.
# 3. extension: The file extension to be used for the output files.
# The function creates a directory for the SSL files, decodes each base64 string,
# writes the decoded content to a file, and returns a comma-separated list of the generated file paths.
#
generate_ssl_files() {
local base64_string="${1}"
local output_dir="/etc/phpmyadmin/ssl"
mkdir -p "${output_dir}"
IFS=',' read -ra FILES <<< "${base64_string}"
local counter=1
local ssl_files=""
for file in "${FILES[@]}"; do
local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}"
echo "${file}" | base64 -d > "${output_file}"
ssl_files="${ssl_files}${output_file},"
counter=$((counter + 1))
done
ssl_files="${ssl_files%,}"
echo "${ssl_files}"
}

get_docker_secret PMA_USER
get_docker_secret PMA_PASSWORD
get_docker_secret MYSQL_ROOT_PASSWORD
Expand Down
43 changes: 43 additions & 0 deletions fpm-alpine/helpers.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
<?php

class SslFileGenerationException extends Exception {}

define('OUTPUT_DIR', '/etc/phpmyadmin/ssl');

/**
* Helper function to decode and save multiple SSL files from base64.
*
* @param string $base64_string The base64 encoded string containing multiple SSL files separated by commas.
* If no commas are present, the entire string is treated as a single file.
* @param string $prefix The prefix to use for the generated SSL file names.
* @param string $extension The file extension to use for the generated SSL files.
* @return string A comma-separated list of paths to the generated SSL files.
*/
function decodeAndSaveSslFiles($base64_string, $prefix, $extension) {
// Ensure the output directory exists
if (!is_dir(OUTPUT_DIR)) {
mkdir(OUTPUT_DIR, 0755, true);
}

// Split the base64 string into an array of files
$files = strpos($base64_string, ',') !== false ? explode(',', $base64_string) : [$base64_string];
$counter = 1;
$ssl_files = [];

// Process each file
foreach ($files as $file) {
$output_file = OUTPUT_DIR . "/pma-ssl-$prefix-$counter.$extension";

// Write the decoded file to the output directory
if (file_put_contents($output_file, base64_decode($file)) === false) {
throw new SslFileGenerationException("Failed to write to $output_file");
}

// Add the output file path to the list
$ssl_files[] = $output_file;
$counter++;
}

// Return a comma-separated list of the generated file paths
return implode(',', $ssl_files);
}
1 change: 1 addition & 0 deletions fpm/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,7 @@ RUN set -ex; \

# Copy configuration
COPY config.inc.php /etc/phpmyadmin/config.inc.php
COPY helpers.php /etc/phpmyadmin/helpers.php
RUN chown www-data:www-data -R /etc/phpmyadmin/

# Copy main script
Expand Down
41 changes: 41 additions & 0 deletions fpm/config.inc.php
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,47 @@
$cfg['PmaAbsoluteUri'] = trim($_ENV['PMA_ABSOLUTE_URI']);
}

if (isset($_ENV['PMA_SSL_CA_BASE64'])) {
if (!is_dir(SSL_DIR)) {
mkdir(SSL_DIR, 0755, true);
}
file_put_contents(SSL_DIR . '/pma-ssl-ca.pem', base64_decode($_ENV['PMA_SSL_CA_BASE64']));
$_ENV['PMA_SSL_CA'] = SSL_DIR . '/pma-ssl-ca.pem';
}

/* Decode and save the SSL key from base64 */
if (isset($_ENV['PMA_SSL_KEY_BASE64'])) {
if (!is_dir(SSL_DIR)) {
mkdir(SSL_DIR, 0755, true);
}
file_put_contents(SSL_DIR . '/pma-ssl-key.key', base64_decode($_ENV['PMA_SSL_KEY_BASE64']));
$_ENV['PMA_SSL_KEY'] = SSL_DIR . '/pma-ssl-key.key';
}

/* Decode and save the SSL certificate from base64 */
if (isset($_ENV['PMA_SSL_CERT_BASE64'])) {
if (!is_dir(SSL_DIR)) {
mkdir(SSL_DIR, 0755, true);
}
file_put_contents(SSL_DIR . '/pma-ssl-cert.pem', base64_decode($_ENV['PMA_SSL_CERT_BASE64']));
$_ENV['PMA_SSL_CERT'] = SSL_DIR . '/pma-ssl-cert.pem';
}

/* Decode and save multiple SSL CA certificates from base64 */
if (isset($_ENV['PMA_SSL_CAS_BASE64'])) {
$_ENV['PMA_SSL_CAS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CAS_BASE64'], 'CA', 'pem');
}

/* Decode and save multiple SSL keys from base64 */
if (isset($_ENV['PMA_SSL_KEYS_BASE64'])) {
$_ENV['PMA_SSL_KEYS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'CERT', 'cert');
}

/* Decode and save multiple SSL certificates from base64 */
if (isset($_ENV['PMA_SSL_CERTS_BASE64'])) {
$_ENV['PMA_SSL_CERTS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'KEY', 'key');
}

/* Figure out hosts */

/* Fallback to default linked */
Expand Down
64 changes: 0 additions & 64 deletions fpm/docker-entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -29,45 +29,6 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then
echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php
fi

if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then
mkdir -p /etc/phpmyadmin/ssl
echo "Adding the custom pma-ssl-ca from base64."
echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem
export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem"
fi

if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then
mkdir -p /etc/phpmyadmin/ssl
echo "Adding the custom pma-ssl-key from base64."
echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key
export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key"
fi

if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then
mkdir -p /etc/phpmyadmin/ssl
echo "Adding the custom pma-ssl-cert from base64."
echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem
export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem"
fi

if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then
echo "Adding multiples custom pma-ssl-ca from base64."
PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem")
export "PMA_SSL_CAS"
fi

if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then
echo "Adding multiples custom pma-ssl-key from base64."
PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert")
export "PMA_SSL_KEYS"
fi

if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then
echo "Adding multiples custom pma-ssl-cert from base64."
PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key")
export "PMA_SSL_CERTS"
fi

get_docker_secret() {
local env_var="${1}"
local env_var_file="${env_var}_FILE"
Expand All @@ -80,31 +41,6 @@ get_docker_secret() {
fi
}

# This function generates SSL files from a base64 encoded string.
# Arguments:
# 1. base64_string: A comma-separated string of base64 encoded SSL files.
# 2. prefix: A prefix to be used in the output file names.
# 3. extension: The file extension to be used for the output files.
# The function creates a directory for the SSL files, decodes each base64 string,
# writes the decoded content to a file, and returns a comma-separated list of the generated file paths.
#
generate_ssl_files() {
local base64_string="${1}"
local output_dir="/etc/phpmyadmin/ssl"
mkdir -p "${output_dir}"
IFS=',' read -ra FILES <<< "${base64_string}"
local counter=1
local ssl_files=""
for file in "${FILES[@]}"; do
local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}"
echo "${file}" | base64 -d > "${output_file}"
ssl_files="${ssl_files}${output_file},"
counter=$((counter + 1))
done
ssl_files="${ssl_files%,}"
echo "${ssl_files}"
}

get_docker_secret PMA_USER
get_docker_secret PMA_PASSWORD
get_docker_secret MYSQL_ROOT_PASSWORD
Expand Down
43 changes: 43 additions & 0 deletions fpm/helpers.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
<?php

class SslFileGenerationException extends Exception {}

define('OUTPUT_DIR', '/etc/phpmyadmin/ssl');

/**
* Helper function to decode and save multiple SSL files from base64.
*
* @param string $base64_string The base64 encoded string containing multiple SSL files separated by commas.
* If no commas are present, the entire string is treated as a single file.
* @param string $prefix The prefix to use for the generated SSL file names.
* @param string $extension The file extension to use for the generated SSL files.
* @return string A comma-separated list of paths to the generated SSL files.
*/
function decodeAndSaveSslFiles($base64_string, $prefix, $extension) {
// Ensure the output directory exists
if (!is_dir(OUTPUT_DIR)) {
mkdir(OUTPUT_DIR, 0755, true);
}

// Split the base64 string into an array of files
$files = strpos($base64_string, ',') !== false ? explode(',', $base64_string) : [$base64_string];
$counter = 1;
$ssl_files = [];

// Process each file
foreach ($files as $file) {
$output_file = OUTPUT_DIR . "/pma-ssl-$prefix-$counter.$extension";

// Write the decoded file to the output directory
if (file_put_contents($output_file, base64_decode($file)) === false) {
throw new SslFileGenerationException("Failed to write to $output_file");
}

// Add the output file path to the list
$ssl_files[] = $output_file;
$counter++;
}

// Return a comma-separated list of the generated file paths
return implode(',', $ssl_files);
}

0 comments on commit 0ffaad3

Please sign in to comment.