django-DefectDojo
Database Options for SSL
:warning: Note on feature completeness :warning:
We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
Is your feature request related to a problem? Please describe
Describe the solution you'd like
In my specific use case of Defectdojo, I run it in EC2 using Docker Compose. This is relatively straightforward when it comes to configuration; however, to configure the database sslmode I need to edit settings.dist.py and add the OPTIONS section in the Database configuration. Having this done with env variables would be extremely helpful.
```python
# Current settings.dist.py database block, with the OPTIONS section added by hand
if os.getenv('DD_DATABASE_URL') is not None:
    DATABASES = {
        'default': env.db('DD_DATABASE_URL')
    }
else:
    DATABASES = {
        'default': {
            'ENGINE': env('DD_DATABASE_ENGINE'),
            'NAME': env('DD_DATABASE_NAME'),
            'TEST': {
                'NAME': env('DD_TEST_DATABASE_NAME'),
            },
            'USER': env('DD_DATABASE_USER'),
            'PASSWORD': env('DD_DATABASE_PASSWORD'),
            'HOST': env('DD_DATABASE_HOST'),
            'PORT': env('DD_DATABASE_PORT'),
            'OPTIONS': {
                'sslmode': 'verify-full',
                'sslrootcert': '/var/www/tls/global-bundle.pem',
            },
        }
    }
```
Adding something like:
```python
if os.getenv('DD_DATABASE_URL') is not None:
    DATABASES = {
        'default': env.db('DD_DATABASE_URL')
    }
else:
    DATABASES = {
        'default': {
            'ENGINE': env('DD_DATABASE_ENGINE'),
            'NAME': env('DD_DATABASE_NAME'),
            'TEST': {
                'NAME': env('DD_TEST_DATABASE_NAME'),
            },
            'USER': env('DD_DATABASE_USER'),
            'PASSWORD': env('DD_DATABASE_PASSWORD'),
            'HOST': env('DD_DATABASE_HOST'),
            'PORT': env('DD_DATABASE_PORT'),
        }
    }
    # Only attach OPTIONS when the operator opts in via DD_DATABASE_OPTIONS
    # (a conditional cannot sit inside a dict literal, so it is applied afterwards)
    if os.getenv('DD_DATABASE_OPTIONS') is not None:
        DATABASES['default']['OPTIONS'] = {
            'sslmode': 'verify-full',
            'sslrootcert': '/var/www/tls/global-bundle.pem',
        }
```
These options vary a bit based on the engine, but having variables for common options would be extremely helpful. Documentation for them is found in the Django docs. This is not fully inclusive. This example shows the sslmode, sslcert, sslkey, sslrootcert options for PostgreSQL.
I don't know how to determine what options would be supported, but SSL options are ones that I would gladly contribute to adding. The idea is something along the lines of:
```python
if os.getenv('DD_DATABASE_URL') is not None:
    DATABASES = {
        'default': env.db('DD_DATABASE_URL')
    }
else:
    DATABASES = {
        'default': {
            'ENGINE': env('DD_DATABASE_ENGINE'),
            'NAME': env('DD_DATABASE_NAME'),
            'TEST': {
                'NAME': env('DD_TEST_DATABASE_NAME'),
            },
            'USER': env('DD_DATABASE_USER'),
            'PASSWORD': env('DD_DATABASE_PASSWORD'),
            'HOST': env('DD_DATABASE_HOST'),
            'PORT': env('DD_DATABASE_PORT'),
        }
    }
    # Build OPTIONS from the DD_DATABASE_OPTIONS_SSL* variables, keyed on sslmode
    if os.getenv('DD_DATABASE_OPTIONS') is not None:
        sslmode = os.getenv('DD_DATABASE_OPTIONS_SSLMODE')
        options = {}
        if sslmode == 'require':
            options = {
                'sslmode': env('DD_DATABASE_OPTIONS_SSLMODE'),
                'sslcert': env('DD_DATABASE_OPTIONS_SSLCERT'),
                'sslkey': env('DD_DATABASE_OPTIONS_SSLKEY'),
                'sslrootcert': env('DD_DATABASE_OPTIONS_SSLROOTCERT'),
            }
        elif sslmode == 'verify-full':
            options = {
                'sslmode': env('DD_DATABASE_OPTIONS_SSLMODE'),
                'sslrootcert': env('DD_DATABASE_OPTIONS_SSLROOTCERT'),
            }
        elif sslmode == 'verify-ca':
            options = {
                'sslmode': env('DD_DATABASE_OPTIONS_SSLMODE'),
            }
        DATABASES['default']['OPTIONS'] = options
```
These options are based on the PostgreSQL documentation found on postgresql.org. There are additional options that could be added in the same manner. In turn, the env variables would need to be added to the docker-compose.yml file in the environment blocks for the uwsgi, celerybeat, celeryworker, and init containers.
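The following is an added example, not code from this issue or from DefectDojo: a standard-library implementation of the DD_DATABASE_OPTIONS_SSL* idea above that also checks the chosen sslmode is a real libpq value, that verify-ca and verify-full are given a CA bundle (without sslrootcert those modes cannot check the chain), and that a client certificate is never configured without its key. The variable names are the ones proposed in the issue; the function names and the fallback connection values are assumptions made for this example.

```python
# Added example (not DefectDojo code): turn the DD_DATABASE_OPTIONS_SSL* variables
# proposed in this issue into a Django DATABASES['OPTIONS'] dict for the
# PostgreSQL backend, rejecting combinations that give weaker protection than
# the operator asked for. Standard library only; no django-environ needed.
import os
from typing import Mapping

# libpq sslmode values, weakest to strongest. Only verify-full checks both the
# CA chain and that the certificate matches the host we connected to.
PG_SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
MODES_NEEDING_ROOTCERT = ("verify-ca", "verify-full")

# Proposed variable name (from the issue) -> libpq connection parameter.
ENV_TO_OPTION = {
    "DD_DATABASE_OPTIONS_SSLMODE": "sslmode",
    "DD_DATABASE_OPTIONS_SSLROOTCERT": "sslrootcert",
    "DD_DATABASE_OPTIONS_SSLCERT": "sslcert",
    "DD_DATABASE_OPTIONS_SSLKEY": "sslkey",
}


def ssl_options_from_env(environ: Mapping[str, str]) -> dict:
    """Return the OPTIONS dict for this environment, or {} when no SSL
    variable is set. Empty strings count as unset. Raises ValueError on
    inconsistent settings so a bad deployment fails at startup, not later."""
    opts = {key: environ[var] for var, key in ENV_TO_OPTION.items() if environ.get(var)}
    if not opts:
        return {}
    mode = opts.get("sslmode")
    if mode is None:
        raise ValueError("DD_DATABASE_OPTIONS_SSLMODE is required when any SSL option is set")
    if mode not in PG_SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}; expected one of {PG_SSLMODES}")
    if mode in MODES_NEEDING_ROOTCERT and "sslrootcert" not in opts:
        # libpq cannot verify the server chain without a CA bundle.
        raise ValueError(f"sslmode={mode} needs DD_DATABASE_OPTIONS_SSLROOTCERT")
    if ("sslcert" in opts) != ("sslkey" in opts):
        raise ValueError("client certificate auth needs both SSLCERT and SSLKEY")
    return opts


def verifies_server_identity(options: dict) -> bool:
    """True only when the connection would detect a server that presents a
    certificate for some other host (i.e. sslmode=verify-full)."""
    return options.get("sslmode") == "verify-full"


def database_config(environ: Mapping[str, str] = os.environ) -> dict:
    """Build DATABASES the way settings.dist.py does, adding OPTIONS when set.
    The fallback values are placeholders for this example, not DefectDojo's."""
    default = {
        "ENGINE": environ.get("DD_DATABASE_ENGINE", "django.db.backends.postgresql"),
        "NAME": environ.get("DD_DATABASE_NAME", "defectdojo"),
        "USER": environ.get("DD_DATABASE_USER", "defectdojo"),
        "PASSWORD": environ.get("DD_DATABASE_PASSWORD", ""),
        "HOST": environ.get("DD_DATABASE_HOST", "postgres"),
        "PORT": environ.get("DD_DATABASE_PORT", "5432"),
    }
    options = ssl_options_from_env(environ)
    if options:
        default["OPTIONS"] = options
    return {"default": default}


if __name__ == "__main__":
    # Constructed sample environment matching the verify-full case in the issue.
    sample_env = {
        "DD_DATABASE_HOST": "db.example.internal",
        "DD_DATABASE_OPTIONS_SSLMODE": "verify-full",
        "DD_DATABASE_OPTIONS_SSLROOTCERT": "/var/www/tls/global-bundle.pem",
    }
    cfg = database_config(sample_env)
    print(cfg["default"]["OPTIONS"])
    print("verifies server identity:", verifies_server_identity(cfg["default"]["OPTIONS"]))
```

Anything below verify-full encrypts the connection but does not prove the server is the host you intended to reach (require checks nothing about the certificate; verify-ca checks the issuer but not the hostname), so a CA bundle like the global-bundle.pem in the issue only pays off together with verify-full; verifies_server_identity() makes that visible to whatever reads the settings.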
I haven't seen any activity on this. I can work on a PR. In all my deployments of Defectdojo, I enforce SSL with DB connections so this would be a huge help. :-)