N°8638 - Adapt mysqldump calls to follow iTop SSL configuration

[bdalsass]

Base information

Question	Answer
Related to a SourceForge thread / Another PR / Combodo ticket?	https://support.combodo.com/pages/UI.php?operation=details&class=Bug&id=8638#ObjectProperties=tab_UIPropertiesTab
Type of change?	Enhancement

Symptom (bug) / Objective (enhancement)

see related ticket

[greptile-apps]

Greptile Summary

This PR adds SSL/TLS options to mysqldump invocations so that backup calls follow iTop's db_tls.* configuration, and moves IsSslModeDBVersion() into CMDBSource for shared access. Two P1 defects are introduced:

• --skip-ssl fails on MySQL 8.0+: when TLS is disabled (db_tls.enabled = false, which is the default), GetMysqlCliTlsOptions returns --skip-ssl for any MySQL ≥ 5.7.11. That option was removed in MySQL 8.0 — mysqldump exits with an unrecognized-option error, breaking all backups. The fix is --ssl-mode=DISABLED.
• Shell-escaped credential in MySQL option file: the DB credential is wrapped with EscapeShellArg() before being written to the --defaults-extra-file. MySQL 5.7 option files treat single quotes as literal characters, so the stored credential gains spurious quote characters and authentication fails.

Confidence Score: 3/5

Not safe to merge — two P1 defects will break mysqldump on MySQL 8.0+ and corrupt the credential in the option file.

Both P1 issues are on the hot path of every backup run: the first causes mysqldump to immediately fail with an unrecognized option on MySQL 8.0+; the second causes authentication failure when the credential is written shell-escaped to the option file.

setup/backup.class.inc.php — specifically GetMysqlCliTlsOptions() (line 514) and DoBackup() (line 324).

Important Files Changed

Filename	Overview
setup/backup.class.inc.php	Adds TLS/SSL options to mysqldump command; contains two P1 bugs: --skip-ssl is removed in MySQL 8.0+ (should be --ssl-mode=DISABLED), and the credential is shell-escaped before being written to a MySQL option file, corrupting its value.
core/cmdbsource.class.inc.php	Moves IsSslModeDBVersion() into CMDBSource so backup and other callers can use a shared implementation; logic is correct, minor doc comment says '5.7.0' while the actual threshold is 5.7.11.

Comments Outside Diff (1)

1. setup/backup.class.inc.php, line 324 (link)

   Shell-escaped value written verbatim to MySQL option file

   EscapeShellArg() surrounds the raw string with single quotes on Linux. That quoted string is then interpolated into the MySQL option file at line 368. MySQL 5.7 option-file parsing treats single quotes as literal characters rather than delimiters, so the effective credential stored in the file includes the surrounding quote characters, and authentication fails.

   Because this variable is only used in the option file (not on the shell command line), the EscapeShellArg call should be removed so the raw value is written directly to the option file.

_{Reviews (1): Last reviewed commit: "N°8638 - Adapt mysqldump calls to follow..." | Re-trigger Greptile}

[greptile-apps]

--skip-ssl removed in MySQL 8.0+

When TLS is disabled in iTop config and the DB vendor is MySQL ≥ 5.7.11 (i.e., IsSslModeDBVersion() returns true), this line emits --skip-ssl. That option was removed in MySQL 8.0 — the mysql/mysqldump client returns unknown option '--skip-ssl' and exits with a non-zero code, causing every backup to fail. The correct option for all versions where --ssl-mode is supported is --ssl-mode=DISABLED, which is consistent with how this method handles the enabled TLS paths above.

Suggested change

	return CMDBSource::IsSslModeDBVersion() ? ' --skip-ssl' : '';
	return CMDBSource::IsSslModeDBVersion() ? ' --ssl-mode=DISABLED' : '';