From a5c6dab7c31584b91e06949299ebea2c0046b780 Mon Sep 17 00:00:00 2001
From: Markus Ongyerth <ongyerth@google.com>
Date: Wed, 15 Mar 2023 18:04:19 +0100
Subject: [PATCH] Allow psql client certificate authentication

---
 docs/configuration.md     | 30 ++++++++++++++++++++++++++++++
 src/paperless/settings.py |  7 ++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/docs/configuration.md b/docs/configuration.md
index d3b391f1a..61b510305 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -86,6 +86,36 @@ changed here.
 
     Default is `prefer`.
 
+`PAPERLESS_DBSSLROOTCERT=<ca-path>`
+
+: SSL root certificate path
+
+    See [the official documentation about
+    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    Changes path of `root.crt`.
+
+    Defaults to unset, using the documented path in the home directory.
+
+`PAPERLESS_DBSSLCERT=<client-cert-path>`
+
+: SSL client certificate path
+
+    See [the official documentation about
+    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    Changes path of `postgresql.crt`.
+
+    Defaults to unset, using the documented path in the home directory.
+
+`PAPERLESS_DBSSLKEY=<client-cert-key>`
+
+: SSL client key path
+
+    See [the official documentation about
+    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    Changes path of `postgresql.key`.
+
+    Defaults to unset, using the documented path in the home directory.
+
 `PAPERLESS_DB_TIMEOUT=<float>`
 
 : Amount of time for a database connection to wait for the database to
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index 6768704a0..c809f0a7a 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -509,7 +509,12 @@ if os.getenv("PAPERLESS_DBHOST"):
 
     else:  # Default to PostgresDB
         engine = "django.db.backends.postgresql_psycopg2"
-        options = {"sslmode": os.getenv("PAPERLESS_DBSSLMODE", "prefer")}
+        options = {
+            "sslmode": os.getenv("PAPERLESS_DBSSLMODE", "prefer"),
+            "sslrootcert": os.getenv("PAPERLESS_DBSSLROOTCERT", None),
+            "sslcert": os.getenv("PAPERLESS_DBSSLCERT", None),
+            "sslkey": os.getenv("PAPERLESS_DBSSLKEY", None),
+        }
 
     DATABASES["default"]["ENGINE"] = engine
     DATABASES["default"]["OPTIONS"].update(options)