Support PostgreSQL connection with SSL #1243

.github/workflows/build-binary-for-release.yml

@@ -53,7 +53,7 @@ jobs:
         args: release --clean --skip=validate
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       with:
         name: answer
         path: ./dist/*

.goreleaser.yaml

@@ -65,8 +65,6 @@ archives:
         dst: NOTICE
       - src: "docs/release/licenses/*"
         dst: licenses/
-      - src: "DISCLAIMER"
-        dst: DISCLAIMER
     wrap_in_directory: true
 checksum:
   name_template: 'checksums.txt'

configs/config.yaml

@@ -24,6 +24,12 @@ data:
     connection: "/data/sqlite3/answer.db"
   cache:
     file_path: "/data/cache/cache.db"
+  ssl:
+    enabled: "no"
+    mode: "require"
+    cert_file: "/data/cache/ssl/certs/server-ca.pem"           
+    key_file: "/data/cache/ssl/certs/client-cert.pem"
+    pem_file: "/data/cache/ssl/certs/client-key.pem"             
 i18n:
   bundle_dir: "/data/i18n"
 swaggerui:

i18n/en_US.yaml

@@ -1637,6 +1637,19 @@ ui:
       label: Database file
       placeholder: /data/answer.db
       msg: Database file cannot be empty.
+    ssl_enabled:
+      label: SSL On/Off 
+    ssl_mode:
+      label: SSL Mode
+    key_file:
+      placeholder: Key file path
+      msg: Path to file cannot be empty
+    cert_file:
+      placeholder: Cert file path
+      msg: Path to file cannot be empty
+    pem_file:
+      placeholder: Pem file path
+      msg: Path to file cannot be empty
     config_yaml:
       title: Create config.yaml
       label: The config.yaml file created.

i18n/zh_CN.yaml

@@ -1603,6 +1603,19 @@ ui:
       label: 数据库文件
       placeholder: /data/answer.db
       msg: 数据库文件不能为空。
+    ssl_enabled:
+      label: SSL 开/关
+    ssl_mode:
+      label: SSL 模式
+    key_file:
+      placeholder: Key 文件路径
+      msg: 文件路径不能为空
+    cert_file:
+      placeholder: Cert 文件路径
+      msg: 文件路径不能为空
+    pem_file:
+      placeholder: Pem 文件路径
+      msg: 文件路径不能为空
     config_yaml:
       title: 创建 config.yaml
       label: 已创建 config.yaml 文件。

internal/install/install_req.go

@@ -21,7 +21,9 @@ package install
 
 import (
 	"fmt"
+	"log"
 	"net/url"
+	"os"
 	"strings"
 
 	"github.com/apache/answer/internal/base/reason"
@@ -40,12 +42,17 @@ type CheckConfigFileResp struct {
 
 // CheckDatabaseReq check database
 type CheckDatabaseReq struct {
-	DbType     string `validate:"required,oneof=postgres sqlite3 mysql" json:"db_type"`
-	DbUsername string `json:"db_username"`
-	DbPassword string `json:"db_password"`
-	DbHost     string `json:"db_host"`
-	DbName     string `json:"db_name"`
-	DbFile     string `json:"db_file"`
+	DbType       string `validate:"required,oneof=postgres sqlite3 mysql" json:"db_type"`
+	DbUsername   string `json:"db_username"`
+	DbPassword   string `json:"db_password"`
+	DbHost       string `json:"db_host"`
+	DbName       string `json:"db_name"`
+	DbFile       string `json:"db_file"`
+	Ssl          bool   `json:"ssl_enabled"`
+	SslMode      string `json:"ssl_mode"`
+	SslCrt       string `json:"pem_file"`
+	SslKey       string `json:"key_file"`
+	SslCrtClient string `json:"cert_file"`
 }
 
 // GetConnection get connection string
@@ -59,8 +66,22 @@ func (r *CheckDatabaseReq) GetConnection() string {
 	}
 	if r.DbType == string(schemas.POSTGRES) {
 		host, port := parsePgSQLHostPort(r.DbHost)
-		return fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=disable",
-			host, port, r.DbUsername, r.DbPassword, r.DbName)
+		if !r.Ssl {
+			return fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=disable",
+				host, port, r.DbUsername, r.DbPassword, r.DbName)
+		} else if r.SslMode == "require" {
+			return fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=%s",
+				host, port, r.DbUsername, r.DbPassword, r.DbName, r.SslMode)
+		} else if r.SslMode == "verify-ca" || r.SslMode == "verify-full" {
+			_, err_server_ca := os.Stat(r.SslCrt)
+			_, err_client_cert := os.Stat(r.SslKey)
+			_, err_client_key := os.Stat(r.SslCrtClient)
+			if err_server_ca == nil || err_client_cert == nil || err_client_key == nil {
+				return fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=%s sslrootcert=%s sslcert=%s sslkey=%s",
+					host, port, r.DbUsername, r.DbPassword, r.DbName, r.SslMode, r.SslCrt, r.SslCrtClient, r.SslKey)
+			}
+			log.Fatal("Certificate not Found !!")
+		}
 	}
 	return ""
 }

internal/service/question_common/question.go

@@ -23,11 +23,12 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/apache/answer/internal/service/siteinfo_common"
 	"math"
 	"strings"
 	"time"
 
+	"github.com/apache/answer/internal/service/siteinfo_common"
+
 	"github.com/apache/answer/internal/base/constant"
 	"github.com/apache/answer/internal/base/data"
 	"github.com/apache/answer/internal/base/handler"

ui/src/pages/Install/components/SecondStep/index.tsx

@@ -18,7 +18,7 @@
  */
 
 import { FC, FormEvent } from 'react';
-import { Form, Button } from 'react-bootstrap';
+import { Form, Button, InputGroup } from 'react-bootstrap';
 import { useTranslation } from 'react-i18next';
 
 import Progress from '../Progress';
@@ -46,13 +46,36 @@ const sqlData = [
   },
 ];
 
+const sslModes = [
+  {
+    value: 'require',
+  },
+  {
+    value: 'verify-ca',
+  },
+  {
+    value: 'verify-full',
+  },
+];
+
 const Index: FC<Props> = ({ visible, data, changeCallback, nextCallback }) => {
   const { t } = useTranslation('translation', { keyPrefix: 'install' });
 
   const checkValidated = (): boolean => {
     let bol = true;
-    const { db_type, db_username, db_password, db_host, db_name, db_file } =
-      data;
+    const {
+      db_type,
+      db_username,
+      db_password,
+      db_host,
+      db_name,
+      db_file,
+      ssl_enabled,
+      ssl_mode,
+      key_file,
+      cert_file,
+      pem_file,
+    } = data;
 
     if (db_type.value !== 'sqlite3') {
       if (!db_username.value) {
@@ -81,7 +104,47 @@ const Index: FC<Props> = ({ visible, data, changeCallback, nextCallback }) => {
           errorMsg: t('db_host.msg'),
         };
       }
-
+      if (!ssl_enabled.value) {
+        bol = true;
+        data.ssl_enabled = {
+          value: false,
+          isInvalid: true,
+          errorMsg: t('ssl_enabled.msg'),
+        };
+      } else if (!ssl_mode.value) {
+        bol = true;
+        data.ssl_mode = {
+          value: 'require',
+          isInvalid: true,
+          errorMsg: '',
+        };
+      }
+      if (ssl_mode.value === 'verify-ca' || ssl_mode.value === 'verify-full') {
+        if (!key_file.value) {
+          bol = false;
+          data.key_file = {
+            value: '',
+            isInvalid: true,
+            errorMsg: t('key_file.msg'),
+          };
+        }
+        if (!pem_file.value) {
+          bol = false;
+          data.pem_file = {
+            value: '',
+            isInvalid: true,
+            errorMsg: t('pem_file.msg'),
+          };
+        }
+        if (!cert_file.value) {
+          bol = false;
+          data.cert_file = {
+            value: '',
+            isInvalid: true,
+            errorMsg: t('cert_file.msg'),
+          };
+        }
+      }
       if (!db_name.value) {
         bol = false;
         data.db_name = {
@@ -179,12 +242,107 @@ const Index: FC<Props> = ({ visible, data, changeCallback, nextCallback }) => {
                 });
               }}
             />
-
             <Form.Control.Feedback type="invalid">
               {data.db_password.errorMsg}
             </Form.Control.Feedback>
           </Form.Group>
+          {data.db_type.value === 'postgres' && (
+            <Form.Group
+              controlId="ssl_enabled"
+              className="conditional-checkbox">
+              <Form.Check type="checkbox" id="sslEnabled">
+                <Form.Check.Input
+                  value={data.ssl_enabled.value}
+                  type="checkbox"
+                  onChange={(e) => {
+                    changeCallback({
+                      ssl_enabled: {
+                        value: e.target.checked,
+                        isInvalid: false,
+                        errorMsg: '',
+                      },
+                    });
+                  }}
+                />
+                <Form.Label className="ms-1" htmlFor="ssl_enabled">
+                  {t('ssl_enabled.label')}
+                </Form.Label>
+              </Form.Check>
+            </Form.Group>
+          )}
+          {data.db_type.value === 'postgres' && data.ssl_enabled.value && (
+            <Form.Group controlId="sslmodeOptionsDropdown" className="mb-3">
+              <Form.Label>{t('ssl_mode.label')}</Form.Label>
+              <Form.Select
+                value={data.ssl_mode.value}
+                onChange={(e) => {
+                  changeCallback({
+                    ssl_mode: {
+                      value: e.target.value,
+                      isInvalid: false,
+                      errorMsg: '',
+                    },
+                  });
+                }}>
+                {sslModes.map((item) => {
+                  return <option value={item.value}>{item.value}</option>;
+                })}
+              </Form.Select>
+            </Form.Group>
+          )}
+          {data.db_type.value === 'postgres' &&
+            data.ssl_enabled.value &&
+            (data.ssl_mode.value === 'verify-ca' ||
+              data.ssl_mode.value === 'verify-full') && (
+              <InputGroup className="mb-3">
+                <Form.Control
+                  placeholder={t('key_file.placeholder')}
+                  aria-label="key_file"
+                  aria-describedby="basic-addon1"
+                  // value={data.key_file.value}
+                  onChange={(e) => {
+                    changeCallback({
+                      key_file: {
+                        value: e.target.value,
+                        isInvalid: false,
+                        errorMsg: '',
+                      },
+                    });
+                  }}
+                />
+                <Form.Control
+                  placeholder={t('cert_file.placeholder')}
+                  aria-label="cert_file"
+                  aria-describedby="basic-addon1"
+                  // value={data.cert_file.value}
+                  onChange={(e) => {
+                    changeCallback({
+                      cert_file: {
+                        value: e.target.value,
+                        isInvalid: false,
+                        errorMsg: '',
+                      },
+                    });
+                  }}
+                />
 
+                <Form.Control
+                  placeholder={t('pem_file.placeholder')}
+                  aria-label="pem_file"
+                  aria-describedby="basic-addon1"
+                  // value={data.pem_file.value }
+                  onChange={(e) => {
+                    changeCallback({
+                      pem_file: {
+                        value: e.target.value,
+                        isInvalid: false,
+                        errorMsg: '',
+                      },
+                    });
+                  }}
+                />
+              </InputGroup>
+            )}
           <Form.Group controlId="db_host" className="mb-3">
             <Form.Label>{t('db_host.label')}</Form.Label>
             <Form.Control