Add SSL Support for MariaDB (#3444)

* Add ssl options for mariadb

* Add ssl mode for mariadb

Add ssl mode as documented in https://mysqlclient.readthedocs.io/user_guide.html#functions-and-attributes

* run linting over settings.py

* Add docs for SSL mode with MariaDB

---------

Co-authored-by: shamoon <4887959+shamoon@users.noreply.github.com>

diff --git a/docs/configuration.md b/docs/configuration.md
index cb5af9d86613898a6f0fd9fb438b4e1bebfad1ac..35dc86ffbe9d8376ece47c31eb0c5e14b3896c7b 100644 (file)
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -83,21 +83,29 @@ changed here.
 
 `PAPERLESS_DBSSLMODE=<mode>`
 
-: SSL mode to use when connecting to PostgreSQL.
+: SSL mode to use when connecting to PostgreSQL or MariaDB.
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
 
-    Default is `prefer`.
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-mode).
+
+    *Note*: SSL mode values differ between PostgreSQL and MariaDB.
+
+    Default is `prefer` for PostgreSQL and `PREFERRED` for MariaDB.
 
 `PAPERLESS_DBSSLROOTCERT=<ca-path>`
 
 : SSL root certificate path
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
     Changes path of `root.crt`.
 
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-ca).
+
     Defaults to unset, using the documented path in the home directory.
 
 `PAPERLESS_DBSSLCERT=<client-cert-path>`
@@ -105,7 +113,11 @@ changed here.
 : SSL client certificate path
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-cert).
+
     Changes path of `postgresql.crt`.
 
     Defaults to unset, using the documented path in the home directory.
@@ -115,7 +127,11 @@ changed here.
 : SSL client key path
 
     See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-key).
+
     Changes path of `postgresql.key`.
 
     Defaults to unset, using the documented path in the home directory.

diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index 122806516cad7e2d732ba8e1236ab302fb3a694d..c3e75e402ccc86aea679a78992e0932343ea6770 100644 (file)
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -506,7 +506,16 @@ if os.getenv("PAPERLESS_DBHOST"):
     # Leave room for future extensibility
     if os.getenv("PAPERLESS_DBENGINE") == "mariadb":
         engine = "django.db.backends.mysql"
-        options = {"read_default_file": "/etc/mysql/my.cnf", "charset": "utf8mb4"}
+        options = {
+            "read_default_file": "/etc/mysql/my.cnf",
+            "charset": "utf8mb4",
+            "ssl": {
+                "ssl_mode": os.getenv("PAPERLESS_DBSSLMODE", "PREFERRED"),
+                "ca": os.getenv("PAPERLESS_DBSSLROOTCERT", None),
+                "cert": os.getenv("PAPERLESS_DBSSLCERT", None),
+                "key": os.getenv("PAPERLESS_DBSSLKEY", None),
+            },
+        }
 
         # Silence Django error on old MariaDB versions.
         # VARCHAR can support > 255 in modern versions