feat(database): Optional TLS for DB connections#6
samsteele wants to merge 9 commits into marko-php:develop from
Very very cool, appreciate the update! Can I ask what you used to build this out?! I can provide you with my internal workflow that I've been using, but would love to also hear what you are using. I'm still on vacation but am heading back today. Hope to get a chance to check it out and merge this in asap! You're not getting ahead of yourself at all -- this is exactly what I'd like to see come in 😄

Used Claude as a test writer and research assistant (e.g., "where is the postgres dsn built?") but hand wrote the business logic myself, can't let it have all of the fun. I did get Claude to write a bash script that spins up mysql & postgres containers with/without SSL enforced, hot swap the DB config between them and run some pseudo integration tests to verify connections work as they should with and without TLS which I thought was pretty cool.
Probably getting waaaaaaay ahead of myself here but I ran into this face first while playing around with hooking Marko up to Amazon RDS so thought I'd have a crack at it.
Added 5 new optional config keys to database.php to facilitate one-way or mutual TLS for database connections.

- ssl_cert = Path to client certificate for mutual TLS
- ssl_key = Path to client private key for mutual TLS
- ssl_ca = Path to the CA certificate
- sslmode = Postgres ssl mode flags (disable, require, verify-ca, verify-full)
- ssl_verify_server_cert = Bool flag to control whether MySQL verifies the CA cert. Doesn't strictly need to exist, but it's here for more granular control. Could just force it to true if a cert is provided.

Functionality enabled by those flags is implemented in MySQL and Postgres drivers. If the new flags are not present no behaviour changes.
Includes test coverage for new stuff + a small phpcs fix.
Example config blocks...
MySQL:
PostgreSQL:
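The config blocks themselves are not reproduced on this page. As an added illustration (not the PR's code and not Marko's actual drivers), the following shows how the five optional keys could be mapped onto a PDO DSN and option array for both drivers, with no change in behaviour when the keys are absent; the function name, the config array shape and the "verify by default when a CA is given" choice are assumptions for this example.

```php
<?php
// Added example: map database.php-style config (host, port, database, driver
// plus the optional ssl_* / sslmode keys) to PDO connection arguments.
function buildPdoArgs(array $c): array
{
    // Keep only TLS keys that are actually set; absent keys change nothing.
    $tls = array_filter(array_intersect_key($c, array_flip(
        ['ssl_cert', 'ssl_key', 'ssl_ca', 'sslmode', 'ssl_verify_server_cert']
    )), fn($v) => $v !== null && $v !== '');

    if ($c['driver'] === 'pgsql') {
        $dsn = "pgsql:host={$c['host']};port={$c['port']};dbname={$c['database']}";
        // PDO_PGSQL hands DSN parameters to libpq, so sslmode/sslrootcert/
        // sslcert/sslkey work directly. Note that sslmode=require only
        // encrypts; verify-ca checks the chain and verify-full also checks
        // the hostname, which is what you want against a managed service.
        $map = ['sslmode' => 'sslmode', 'ssl_ca' => 'sslrootcert',
                'ssl_cert' => 'sslcert', 'ssl_key' => 'sslkey'];
        foreach ($map as $key => $param) {
            if (isset($tls[$key])) {
                $dsn .= ";{$param}={$tls[$key]}";
            }
        }
        return [$dsn, []];
    }

    // MySQL: TLS material is passed as PDO driver options, not in the DSN.
    $dsn  = "mysql:host={$c['host']};port={$c['port']};dbname={$c['database']}";
    $opts = [];
    if (isset($tls['ssl_cert'])) { $opts[PDO::MYSQL_ATTR_SSL_CERT] = $tls['ssl_cert']; }
    if (isset($tls['ssl_key']))  { $opts[PDO::MYSQL_ATTR_SSL_KEY]  = $tls['ssl_key']; }
    if (isset($tls['ssl_ca'])) {
        $opts[PDO::MYSQL_ATTR_SSL_CA] = $tls['ssl_ca'];
        // Assumption: verify the server certificate whenever a CA is given,
        // unless ssl_verify_server_cert explicitly turns it off.
        $opts[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] =
            (bool) ($tls['ssl_verify_server_cert'] ?? true);
    }
    return [$dsn, $opts];
}

// Usage (credentials and paths are placeholders):
// [$dsn, $opts] = buildPdoArgs($config);
// $pdo = new PDO($dsn, $config['username'], $config['password'], $opts);
```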