From 2f22cbd0cfc2d2a8239f3e4541cc96a548ab6ed4 Mon Sep 17 00:00:00 2001
From: Bitnami Bot
Date: Thu, 21 Jan 2021 09:40:18 +0000
Subject: [PATCH] 4.1.1-debian-10-r4 release
---
 bitnami/matomo/4/debian-10/Dockerfile | 4 +-
 .../opt/bitnami/scripts/libmysqlclient.sh | 145 ++++++++++++++----
 .../opt/bitnami/scripts/matomo/postunpack.sh | 1 +
 .../opt/bitnami/scripts/mysql-client-env.sh | 21 ++-
 bitnami/matomo/README.md | 15 +-
 5 files changed, 141 insertions(+), 45 deletions(-)
diff --git a/bitnami/matomo/4/debian-10/Dockerfile b/bitnami/matomo/4/debian-10/Dockerfile
index 5a4d79f130c8..21ce536d7a51 100644
--- a/bitnami/matomo/4/debian-10/Dockerfile
+++ b/bitnami/matomo/4/debian-10/Dockerfile
@@ -23,8 +23,8 @@ RUN chmod g+rwX /opt/bitnami
 RUN sed -i -e '/pam_loginuid.so/ s/^#*/#/' /etc/pam.d/cron
 COPY rootfs /
-RUN /opt/bitnami/scripts/apache/postunpack.sh
 RUN /opt/bitnami/scripts/php/postunpack.sh
+RUN /opt/bitnami/scripts/apache/postunpack.sh
 RUN /opt/bitnami/scripts/apache-modphp/postunpack.sh
 RUN /opt/bitnami/scripts/matomo/postunpack.sh
 RUN /opt/bitnami/scripts/mysql-client/postunpack.sh
@@ -33,7 +33,7 @@ ENV ALLOW_EMPTY_PASSWORD="no" \
 APACHE_HTTPS_PORT_NUMBER="" \
 APACHE_HTTP_PORT_NUMBER="" \
 BITNAMI_APP_NAME="matomo" \
- BITNAMI_IMAGE_VERSION="4.1.1-debian-10-r3" \
+ BITNAMI_IMAGE_VERSION="4.1.1-debian-10-r4" \
 MARIADB_HOST="mariadb" \
 MARIADB_PORT_NUMBER="3306" \
 MARIADB_ROOT_PASSWORD="" \
diff --git a/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/libmysqlclient.sh b/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/libmysqlclient.sh
index e7e95782e827..bcded330aff4 100644
--- a/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/libmysqlclient.sh
+++ b/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/libmysqlclient.sh
@@ -45,7 +45,7 @@ mysql_client_validate() {
 }
 # Only validate environment variables if any action needs to be performed
- check_yes_no_value "DB_TLS_ENABLED"
+ check_yes_no_value "DB_ENABLE_SSL_WRAPPER"
 if [[ -n "$DB_CREATE_DATABASE_USER" || -n "$DB_CREATE_DATABASE_NAME" ]]; then
 if is_boolean_yes "$ALLOW_EMPTY_PASSWORD"; then
@@ -78,9 +78,9 @@ mysql_client_validate() {
 # None
 #########################
 mysql_client_initialize() {
- # Wrap binary to force the usage of TLS
- if is_boolean_yes "$DB_TLS_ENABLED"; then
- mysql_client_wrap_binary_for_tls
+ # Wrap binary to force the usage of SSL
+ if is_boolean_yes "$DB_ENABLE_SSL_WRAPPER"; then
+ mysql_client_wrap_binary_for_ssl
 fi
 # Wait for the database to be accessible if any action needs to be performed
 if [[ -n "$DB_CREATE_DATABASE_USER" || -n "$DB_CREATE_DATABASE_NAME" ]]; then
@@ -113,7 +113,7 @@ mysql_client_initialize() {
 }
 ########################
-# Wrap binary to force the usage of TLS
+# Wrap binary to force the usage of SSL
 # Globals:
 # DB_*
 # Arguments:
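Review bot: The validation hunk (`@@ -45,7`) checks only `DB_ENABLE_SSL_WRAPPER`, while the setting that actually switches encryption on in this patch, `DB_ENABLE_SSL`, is never validated; add `check_yes_no_value "DB_ENABLE_SSL"` next to it. The same gap shows in the `mysql_client_initialize` hunk (`@@ -78,9`): with `DB_ENABLE_SSL_WRAPPER=yes` and `DB_ENABLE_SSL` left at its default of `no`, `mysql_client_extra_opts` prints an empty list, so the wrapper appears to be installed without any SSL option and connections stay unencrypted with no warning. Rejecting that combination during validation, with a check such as `is_boolean_yes "$DB_ENABLE_SSL_WRAPPER" && ! is_boolean_yes "$DB_ENABLE_SSL"` leading to a validation error, would make the misconfiguration fail closed. Both function bodies continue outside these hunks.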
@@ -121,14 +121,16 @@ mysql_client_initialize() { # Returns: # None ######################### -mysql_client_wrap_binary_for_tls() { +mysql_client_wrap_binary_for_ssl() { local -r wrapper_file="${DB_BIN_DIR}/mysql" local -r wrapped_binary_file="${DB_BASE_DIR}/.bin/mysql" + local -a ssl_opts=() + read -r -a ssl_opts <<< "$(mysql_client_extra_opts)" mv "$wrapper_file" "$wrapped_binary_file" cat >"$wrapper_file" <&1 | grep -q MariaDB; then + echo "mariadb" + else + echo "mysql" + fi +} + +######################## +# Prints extra options for MySQL client calls (i.e. SSL options) +# Globals: +# DB_* +# Arguments: +# None +# Returns: +# List of options to pass to "mysql" CLI +######################### +mysql_client_extra_opts() { + # Helper to get the proper value for the MySQL client environment variable + mysql_client_env_value() { + local env_name="MYSQL_CLIENT_${1:?missing name}" + if [[ -n "${!env_name:-}" ]]; then + echo "${!env_name:-}" + else + env_name="DB_CLIENT_${1}" + echo "${!env_name:-}" + fi + } + local -a opts=() + local key value + if is_boolean_yes "$DB_ENABLE_SSL"; then + if [[ "$(mysql_client_flavor)" = "mysql" ]]; then + opts+=("--ssl-mode=REQUIRED") + else + opts+=("--ssl=TRUE") + fi + # Add "--ssl-ca", "--ssl-key" and "--ssl-cert" options if the env vars are defined + for key in ca key cert; do + value="$(mysql_client_env_value "SSL_${key^^}_FILE")" + [[ -n "${value}" ]] && opts+=("--ssl-${key}=${value}") + done + fi + echo "${opts[@]:-}" +} diff --git a/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/matomo/postunpack.sh b/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/matomo/postunpack.sh index 7e956fe2c4e9..a7e5370f79f3 100755 --- a/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/matomo/postunpack.sh +++ b/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/matomo/postunpack.sh 
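Review bot: In `mysql_client_extra_opts`, `--ssl-mode=REQUIRED` (MySQL) and `--ssl=TRUE` (MariaDB) request encryption but, on client versions where verification is not the default, do not make the client check the server certificate, so the `--ssl-ca` value added a few lines later does not stop an on-path party that presents its own certificate. When a CA file is configured, the MySQL branch should use `--ssl-mode=VERIFY_CA` and the MariaDB branch should add `--ssl-verify-server-cert`; the MariaDB flag also checks the host name, so confirm it against the certificates deployments actually use. Separately, the options are flattened with `echo "${opts[@]:-}"` and split again by `read -r -a ssl_opts`, so a certificate path containing whitespace is broken into several arguments. The wrapper heredoc between `cat >"$wrapper_file"` and `mysql_client_flavor` is not legible on this page, so how `ssl_opts` is written into the wrapper could not be checked.

```shell
    # … unchanged: mysql_client_env_value helper, opts/key/value declarations …
    local ca_file
    if is_boolean_yes "$DB_ENABLE_SSL"; then
        ca_file="$(mysql_client_env_value "SSL_CA_FILE")"
        if [[ "$(mysql_client_flavor)" = "mysql" ]]; then
            # Verify the server certificate chain whenever a CA is supplied
            if [[ -n "$ca_file" ]]; then
                opts+=("--ssl-mode=VERIFY_CA")
            else
                opts+=("--ssl-mode=REQUIRED")
            fi
        else
            opts+=("--ssl=TRUE")
            if [[ -n "$ca_file" ]]; then
                opts+=("--ssl-verify-server-cert")
            fi
        fi
        # … unchanged: loop adding --ssl-ca, --ssl-key and --ssl-cert …
    fi
```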
@@ -36,6 +36,7 @@ for dir in "$MATOMO_BASE_DIR" "$MATOMO_VOLUME_DIR" "${MATOMO_BASE_DIR}/tmp" "${M
 done
 info "Configuring default PHP options for Matomo"
+php_conf_set memory_limit "$PHP_DEFAULT_MEMORY_LIMIT"
 # Fix the MySQL local infile system check
 # https://matomo.org/faq/troubleshooting/faq_194/
 php_conf_set mysqli.allow_local_infile "1"
diff --git a/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/mysql-client-env.sh b/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/mysql-client-env.sh
index 2d364c1d33fb..ae42e8827305 100644
--- a/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/mysql-client-env.sh
+++ b/bitnami/matomo/4/debian-10/rootfs/opt/bitnami/scripts/mysql-client-env.sh
@@ -29,7 +29,12 @@ mysql_env_vars=(
 MYSQL_CLIENT_CREATE_DATABASE_PASSWORD
 MYSQL_CLIENT_CREATE_DATABASE_CHARACTER_SET
 MYSQL_CLIENT_CREATE_DATABASE_COLLATE
- MYSQL_CLIENT_TLS_ENABLED
+ MYSQL_CLIENT_ENABLE_SSL_WRAPPER
+ MYSQL_CLIENT_ENABLE_SSL
+ MYSQL_CLIENT_SSL_CA_FILE
+ MYSQL_CLIENT_SSL_CERT_FILE
+ MYSQL_CLIENT_SSL_KEY_FILE
+ MYSQL_CLIENT_EXTRA_FLAGS
 )
 for env_var in "${mysql_env_vars[@]}"; do
 file_env_var="${env_var}_FILE"
@@ -79,7 +84,17 @@ export MYSQL_CLIENT_CREATE_DATABASE_CHARACTER_SET="${MYSQL_CLIENT_CREATE_DATABAS
 export DB_CREATE_DATABASE_CHARACTER_SET="$MYSQL_CLIENT_CREATE_DATABASE_CHARACTER_SET"
 export MYSQL_CLIENT_CREATE_DATABASE_COLLATE="${MYSQL_CLIENT_CREATE_DATABASE_COLLATE:-}"
 export DB_CREATE_DATABASE_COLLATE="$MYSQL_CLIENT_CREATE_DATABASE_COLLATE"
-export MYSQL_CLIENT_TLS_ENABLED="${MYSQL_CLIENT_TLS_ENABLED:-no}"
-export DB_TLS_ENABLED="$MYSQL_CLIENT_TLS_ENABLED"
+export MYSQL_CLIENT_ENABLE_SSL_WRAPPER="${MYSQL_CLIENT_ENABLE_SSL_WRAPPER:-no}"
+export DB_ENABLE_SSL_WRAPPER="$MYSQL_CLIENT_ENABLE_SSL_WRAPPER"
+export MYSQL_CLIENT_ENABLE_SSL="${MYSQL_CLIENT_ENABLE_SSL:-no}"
+export DB_ENABLE_SSL="$MYSQL_CLIENT_ENABLE_SSL"
+export MYSQL_CLIENT_SSL_CA_FILE="${MYSQL_CLIENT_SSL_CA_FILE:-}"
+export DB_SSL_CA_FILE="$MYSQL_CLIENT_SSL_CA_FILE"
+export MYSQL_CLIENT_SSL_CERT_FILE="${MYSQL_CLIENT_SSL_CERT_FILE:-}"
+export DB_SSL_CERT_FILE="$MYSQL_CLIENT_SSL_CERT_FILE"
+export MYSQL_CLIENT_SSL_KEY_FILE="${MYSQL_CLIENT_SSL_KEY_FILE:-}"
+export DB_SSL_KEY_FILE="$MYSQL_CLIENT_SSL_KEY_FILE"
+export MYSQL_CLIENT_EXTRA_FLAGS="${MYSQL_CLIENT_EXTRA_FLAGS:-no}"
+export DB_EXTRA_FLAGS="$MYSQL_CLIENT_EXTRA_FLAGS"
 # Custom environment variables may be defined below
diff --git a/bitnami/matomo/README.md b/bitnami/matomo/README.md
index 12bbc86627e5..99249eeb3406 100644
--- a/bitnami/matomo/README.md
+++ b/bitnami/matomo/README.md
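Review bot: `MYSQL_CLIENT_EXTRA_FLAGS` defaults to `no` here, which looks copied from the boolean settings above it; a flags variable should default to empty, `export MYSQL_CLIENT_EXTRA_FLAGS="${MYSQL_CLIENT_EXTRA_FLAGS:-}"`, otherwise any caller that appends `$DB_EXTRA_FLAGS` to a `mysql` command line passes the literal word `no` as an argument. The hunk also drops `MYSQL_CLIENT_TLS_ENABLED` with no fallback, so a deployment that still sets it to `yes` would end up with `DB_ENABLE_SSL_WRAPPER=no` after upgrading and lose the forced-TLS wrapper silently. Reading the old name as the default keeps that fail-safe: `export MYSQL_CLIENT_ENABLE_SSL_WRAPPER="${MYSQL_CLIENT_ENABLE_SSL_WRAPPER:-${MYSQL_CLIENT_TLS_ENABLED:-no}}"`. No use of `DB_EXTRA_FLAGS` is visible in this patch, so the first point concerns the default value rather than a demonstrated failure.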
@@ -36,7 +36,7 @@ Non-root container images add an extra layer of security and are generally recom
 Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags [in our documentation page](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers/).
-* [`4`, `4-debian-10`, `4.1.1`, `4.1.1-debian-10-r3`, `latest` (4/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-matomo/blob/4.1.1-debian-10-r3/4/debian-10/Dockerfile)
+* [`4`, `4-debian-10`, `4.1.1`, `4.1.1-debian-10-r4`, `latest` (4/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-matomo/blob/4.1.1-debian-10-r4/4/debian-10/Dockerfile)
 Subscribe to project updates by watching the [bitnami/matomo GitHub repo](https://github.com/bitnami/bitnami-docker-matomo).
@@ -295,13 +295,15 @@ When you start the Matomo image, you can adjust the configuration of the instanc
 ### Create a database for Matomo using mysql-client
-- `MARIADB_HOST`: Hostname for MariaDB server. Default: **mariadb**
-- `MARIADB_PORT_NUMBER`: Port used by MariaDB server. Default: **3306**
-- `MARIADB_ROOT_USER`: Database admin user. Default: **root**
-- `MARIADB_ROOT_PASSWORD`: Database password for the `MARIADB_ROOT_USER` user. No defaults.
+- `MYSQL_CLIENT_DATABASE_HOST`: Hostname for MariaDB server. Default: **mariadb**
+- `MYSQL_CLIENT_DATABASE_PORT_NUMBER`: Port used by MariaDB server. Default: **3306**
+- `MYSQL_CLIENT_DATABASE_ROOT_USER`: Database admin user. Default: **root**
+- `MYSQL_CLIENT_DATABASE_ROOT_PASSWORD`: Database password for the database admin user. No defaults.
 - `MYSQL_CLIENT_CREATE_DATABASE_NAME`: New database to be created by the mysql client module. No defaults.
 - `MYSQL_CLIENT_CREATE_DATABASE_USER`: New database user to be created by the mysql client module. No defaults.
 - `MYSQL_CLIENT_CREATE_DATABASE_PASSWORD`: Database password for the `MYSQL_CLIENT_CREATE_DATABASE_USER` user. No defaults.
+- `MYSQL_CLIENT_CREATE_DATABASE_CHARACTER_SET`: Character set to use for the new database. No defaults.
+- `MYSQL_CLIENT_CREATE_DATABASE_COLLATE`: Database collation to use for the new database. No defaults.
 - `ALLOW_EMPTY_PASSWORD`: It can be used to allow blank passwords. Default: **no**
 ##### SMTP Configuration
@@ -350,14 +352,13 @@ This would be an example of SMTP configuration using a Gmail account:
 ### PHP configuration
-- `PHP_MEMORY_LIMIT`: Memory limit for PHP scripts. Default: **128M**
+- `PHP_EXPOSE_PHP`: Enables HTTP header with PHP version. No default.
 - `PHP_MAX_EXECUTION_TIME`: Maximum execution time for PHP scripts. No default.
 - `PHP_MAX_INPUT_TIME`: Maximum input time for PHP scripts. No default.
 - `PHP_MAX_INPUT_VARS`: Maximum amount of input variables for PHP scripts. No default.
 - `PHP_MEMORY_LIMIT`: Memory limit for PHP scripts. Default: **256M**
 - `PHP_POST_MAX_SIZE`: Maximum size for PHP POST requests. No default.
 - `PHP_UPLOAD_MAX_FILESIZE`: Maximum file size for PHP uploads. No default.
-- `PHP_EXPOSE_PHP`: Enables HTTP header with PHP version. No default.
 If you want to add a new environment variable: