WL14846: Align TLS option checking across connectors

silvakid · silvakid · commit 0b33f3e0e20c · 2021-12-22T18:11:16.000Z
diff --git a/cppconn/connection.h b/cppconn/connection.h
@@ -68,16 +68,16 @@
 /*
  SSL related
 */
-#define OPT_SSL_MODE          "OPT_SSL_MODE"
-#define OPT_SSL_KEY           "sslKey"
-#define OPT_SSL_CERT          "sslCert"
-#define OPT_SSL_CA            "sslCA"
-#define OPT_SSL_CAPATH        "sslCAPath"
-#define OPT_SSL_CIPHER        "sslCipher"
-#define OPT_SSL_CRL           "sslCRL"
-#define OPT_SSL_CRLPATH       "sslCRLPath"
+#define OPT_SSL_MODE          "ssl-mode"
+#define OPT_SSL_KEY           "ssl-key"
+#define OPT_SSL_CERT          "ssl-cert"
+#define OPT_SSL_CA            "ssl-ca"
+#define OPT_SSL_CAPATH        "ssl-capath"
+#define OPT_SSL_CIPHER        "ssl-cipher"
+#define OPT_SSL_CRL           "ssl-crl"
+#define OPT_SSL_CRLPATH       "ssl-crlpath"
 #define OPT_SERVER_PUBLIC_KEY "rsaKey"
-#define OPT_TLS_VERSION       "OPT_TLS_VERSION"
+#define OPT_TLS_VERSION       "tls-version"
 
 /*
  Connection related
diff --git a/driver/mysql_connection.cpp b/driver/mysql_connection.cpp
@@ -277,6 +277,7 @@ static const String2IntMap intOptions[]=
     {OPT_NET_BUFFER_LENGTH,   MYSQL_OPT_NET_BUFFER_LENGTH, false},
 #endif
     {OPT_SSL_MODE,            MYSQL_OPT_SSL_MODE    , false},
+    {"OPT_SSL_MODE",          MYSQL_OPT_SSL_MODE    , false},
 #if MYCPPCONN_STATIC_MYSQL_VERSION_ID >= 80000
     {OPT_RETRY_COUNT,         MYSQL_OPT_RETRY_COUNT, false},
 #endif
@@ -291,7 +292,9 @@ static const String2IntMap stringOptions[]=
     {OPT_SSL_CAPATH,           MYSQL_OPT_SSL_CAPATH, true},
     {OPT_SSL_CIPHER,           MYSQL_OPT_SSL_CIPHER, true},
     {OPT_SSL_CRL,              MYSQL_OPT_SSL_CRL, false},
+    {"sslCRL",                 MYSQL_OPT_SSL_CRL, false},
     {OPT_SSL_CRLPATH,          MYSQL_OPT_SSL_CRLPATH, false},
+    {"sslCRLPath",             MYSQL_OPT_SSL_CRLPATH, false},
     {OPT_SERVER_PUBLIC_KEY,    MYSQL_SERVER_PUBLIC_KEY, false},
     {OPT_SET_CHARSET_DIR,      MYSQL_SET_CHARSET_DIR, false},
     {OPT_PLUGIN_DIR,           MYSQL_PLUGIN_DIR, false},
@@ -302,6 +305,7 @@ static const String2IntMap stringOptions[]=
     {OPT_CHARSET_NAME,         MYSQL_SET_CHARSET_NAME, true},
 #if MYCPPCONN_STATIC_MYSQL_VERSION_ID >= 50700
     {OPT_TLS_VERSION,          MYSQL_OPT_TLS_VERSION, true},
+    {"OPT_TLS_VERSION",        MYSQL_OPT_TLS_VERSION, true},
 #endif
     {OPT_LOAD_DATA_LOCAL_DIR, MYSQL_OPT_LOAD_DATA_LOCAL_DIR, false}
   };
@@ -695,67 +699,67 @@ void MySQL_Connection::init(ConnectOptionsMap & properties)
       } else {
         throw sql::InvalidArgumentException("No string value passed for characterSetResults");
       }
-    } else if (!it->first.compare(OPT_SSL_KEY)) {
+    } else if (!it->first.compare(OPT_SSL_KEY) || !it->first.compare("sslKey")) {
       try {
         p_s = (it->second).get< sql::SQLString >();
       } catch (sql::InvalidArgumentException&) {
-        throw sql::InvalidArgumentException("Wrong type passed for sslKey expected sql::SQLString");
+        throw sql::InvalidArgumentException("Wrong type passed for ssl-key expected sql::SQLString");
       }
       if (p_s) {
         sslKey = *p_s;
       } else {
-        throw sql::InvalidArgumentException("No string value passed for sslKey");
+        throw sql::InvalidArgumentException("No string value passed for ssl-key");
       }
       ssl_used = true;
-    } else if (!it->first.compare(OPT_SSL_CERT)) {
+    } else if (!it->first.compare(OPT_SSL_CERT) || !it->first.compare("sslCert")) {
       try {
         p_s = (it->second).get< sql::SQLString >();
       } catch (sql::InvalidArgumentException&) {
-        throw sql::InvalidArgumentException("Wrong type passed for sslCert expected sql::SQLString");
+        throw sql::InvalidArgumentException("Wrong type passed for ssl-cert expected sql::SQLString");
       }
       if (p_s) {
         sslCert = *p_s;
       } else {
-        throw sql::InvalidArgumentException("No string value passed for sslCert");
+        throw sql::InvalidArgumentException("No string value passed for ssl-cert");
       }
       ssl_used = true;
-    } else if (!it->first.compare(OPT_SSL_CA)) {
+    } else if (!it->first.compare(OPT_SSL_CA) || !it->first.compare("sslCA") ) {
       try {
         p_s = (it->second).get< sql::SQLString >();
       } catch (sql::InvalidArgumentException&) {
-        throw sql::InvalidArgumentException("Wrong type passed for sslCA expected sql::SQLString");
+        throw sql::InvalidArgumentException("Wrong type passed for ssl-ca expected sql::SQLString");
       }
       if (p_s) {
         sslCA = *p_s;
       } else {
-        throw sql::InvalidArgumentException("No string value passed for sslCA");
+        throw sql::InvalidArgumentException("No string value passed for ssl-ca");
       }
       ssl_used = true;
-    } else if (!it->first.compare(OPT_SSL_CAPATH)) {
+    } else if (!it->first.compare(OPT_SSL_CAPATH) || !it->first.compare("sslCAPath")) {
       try {
         p_s = (it->second).get< sql::SQLString >();
       } catch (sql::InvalidArgumentException&) {
-        throw sql::InvalidArgumentException("Wrong type passed for sslCAPath expected sql::SQLString");
+        throw sql::InvalidArgumentException("Wrong type passed for ssl-capath expected sql::SQLString");
       }
       if (p_s) {
         sslCAPath = *p_s;
       } else {
-        throw sql::InvalidArgumentException("No string value passed for sslCAPath");
+        throw sql::InvalidArgumentException("No string value passed for ssl-capath");
       }
       ssl_used = true;
-    } else if (!it->first.compare(OPT_SSL_CIPHER)) {
+    } else if (!it->first.compare(OPT_SSL_CIPHER) || !it->first.compare("sslCipher")) {
       try {
         p_s = (it->second).get< sql::SQLString >();
       } catch (sql::InvalidArgumentException&) {
-        throw sql::InvalidArgumentException("Wrong type passed for sslCipher expected sql::SQLString");
+        throw sql::InvalidArgumentException("Wrong type passed for ssl-cipher expected sql::SQLString");
       }
       if (p_s) {
         sslCipher = *p_s;
       } else {
-        throw sql::InvalidArgumentException("No string value passed for sslCipher");
+        throw sql::InvalidArgumentException("No string value passed for ssl-cipher");
       }
       ssl_used = true;
-    } else if (!it->first.compare(OPT_TLS_VERSION)) {
+    } else if (!it->first.compare(OPT_TLS_VERSION) || !it->first.compare("OPT_TLS_VERSION")) {
       try {
         p_s = (it->second).get< sql::SQLString >();
       } catch (sql::InvalidArgumentException&) {
@@ -1064,6 +1068,10 @@ void MySQL_Connection::init(ConnectOptionsMap & properties)
 
   it = properties.find(OPT_SSL_MODE);
 
+  //Use legacy option
+  if(it == properties.end())
+    it = properties.find("OPT_SSL_MODE");
+
   if (it != properties.end())
   {
      PROCESS_CONN_OPTION(int, intOptions);
diff --git a/test/unit/classes/connection.cpp b/test/unit/classes/connection.cpp
@@ -3455,7 +3455,7 @@ void connection::ssl_mode()
   connection_properties["userName"]=user;
   connection_properties["password"]=passwd;
 
-  connection_properties["OPT_SSL_MODE"] = sql::SSL_MODE_DISABLED;
+  connection_properties[OPT_SSL_MODE] = sql::SSL_MODE_DISABLED;
 
   created_objects.clear();
   con.reset(driver->connect(connection_properties));
@@ -3482,7 +3482,7 @@ void connection::ssl_mode()
 
   ASSERT_EQUALS(0, static_cast<int>(res->getString(2).length()));
 
-  connection_properties["OPT_SSL_MODE"] = sql::SSL_MODE_REQUIRED;
+  connection_properties[OPT_SSL_MODE] = sql::SSL_MODE_REQUIRED;
 
   try
   {
@@ -3510,12 +3510,12 @@ void connection::ssl_mode()
   connection_properties["userName"]="ssluser";
   connection_properties["password"]="sslpass";
 
-  connection_properties["OPT_SSL_MODE"] = sql::SSL_MODE_REQUIRED;
+  connection_properties[OPT_SSL_MODE] = sql::SSL_MODE_REQUIRED;
 
   created_objects.clear();
   con.reset(driver->connect(connection_properties));
 
-  connection_properties["OPT_SSL_MODE"] = sql::SSL_MODE_DISABLED;
+  connection_properties[OPT_SSL_MODE] = sql::SSL_MODE_DISABLED;
 
   //only to trigger setssl which changes SSL_MODE
   connection_properties["sslCA"] = "invalid_path";
@@ -3543,7 +3543,7 @@ void connection::tls_version()
   connection_properties["userName"]=user;
   connection_properties["password"]=passwd;
 
-  connection_properties["OPT_SSL_MODE"] = sql::SSL_MODE_DISABLED;
+  connection_properties[OPT_SSL_MODE] = sql::SSL_MODE_DISABLED;
 
   created_objects.clear();
   con.reset(driver->connect(connection_properties));
@@ -3570,10 +3570,10 @@ void connection::tls_version()
     tls_versions.push_back(tls_available.substr(begin_pos, end_pos-begin_pos));
   }
 
-  connection_properties["OPT_SSL_MODE"] = sql::SSL_MODE_REQUIRED;
+  connection_properties[OPT_SSL_MODE] = sql::SSL_MODE_REQUIRED;
 
   // Using ALL TLS version... should connect
-  connection_properties["OPT_TLS_VERSION"] = tls_available;
+  connection_properties[OPT_TLS_VERSION] = tls_available;
 
   created_objects.clear();
   try
@@ -3588,7 +3588,7 @@ void connection::tls_version()
 
 
   // Using wrong TLS version... should fail to connect
-  connection_properties["OPT_TLS_VERSION"] = sql::SQLString("TLSv999");
+  connection_properties[OPT_TLS_VERSION] = sql::SQLString("TLSv999");
 
   created_objects.clear();
   try
@@ -3608,7 +3608,7 @@ void connection::tls_version()
        version != tls_versions.end();
        ++version)
   {
-    connection_properties["OPT_TLS_VERSION"] = sql::SQLString(*version);
+    connection_properties[OPT_TLS_VERSION] = sql::SQLString(*version);
 
     created_objects.clear();
     try
@@ -3656,7 +3656,7 @@ void connection::cached_sha2_auth()
   opts["userName"] = "doomuser";
   opts["password"] = "!sha2user_pass";
   opts["OPT_GET_SERVER_PUBLIC_KEY"] = false;
-  opts["OPT_SSL_MODE"] = sql::SSL_MODE_DISABLED;
+  opts[OPT_SSL_MODE] = sql::SSL_MODE_DISABLED;
 
   try {
 
@@ -3953,5 +3953,98 @@ void connection::tls_deprecation()
 
 }
 
+
+//Test if ssl is enabled using cipher
+auto check_ssl_impl = [](std::shared_ptr<sql::Connection> sess, bool enable, int line)
+{
+  std::unique_ptr<sql::Statement> stmt(sess->createStatement());
+  std::unique_ptr<sql::ResultSet> res(stmt->executeQuery("SHOW STATUS LIKE 'Ssl_cipher'"));
+
+  res->next();
+  std::cout << "Line "<< line << ": " << res->getString(1) << ":" << res->getString(2) << std::endl;
+
+  std::string cipher = res->getString(2);
+
+  ASSERT_EQUALS(enable, !cipher.empty());
+};
+
+#define check_ssl(x,y) check_ssl_impl(x, y, __LINE__)
+
+
+void connection::normalize_ssl_options()
+{
+
+  std::vector<std::string> options =
+  {
+    OPT_SSL_MODE,
+    OPT_SSL_CA,
+    OPT_SSL_CAPATH,
+    OPT_SSL_CRL,
+    OPT_SSL_CRLPATH,
+    OPT_TLS_VERSION,
+    "sslKey",
+    "sslCert",
+    "sslCA",
+    "sslCAPath",
+    "sslCipher",
+    "sslCRL",
+    "sslCRLPath",
+    "rsaKey",
+    "OPT_SSL_MODE",
+    "OPT_TLS_VERSION"
+  };
+
+  for(auto &opt : options)
+  {
+    {
+      std::cout << "Option: " << opt << std::endl;
+
+      sql::ConnectOptionsMap sess_opt;
+
+      if(opt == "OPT_SSL_MODE" || opt == OPT_SSL_MODE)
+      {
+        sess_opt[opt]=sql::SSL_MODE_DISABLED;
+      }
+      else
+      {
+        sess_opt[opt] ="BAD";
+        sess_opt[opt] ="GOOD";
+        sess_opt[OPT_SSL_MODE]=sql::SSL_MODE_DISABLED;
+      }
+
+
+      std::shared_ptr<sql::Connection> s(getConnection(&sess_opt));
+      check_ssl(s, false);
+
+       if(opt != "OPT_SSL_MODE" && opt != OPT_SSL_MODE)
+        ASSERT_EQUALS("GOOD", sess_opt[opt].get<std::string>());
+    }
+
+  }
+
+  //Defined Twice. Last one wins
+  {
+    sql::ConnectOptionsMap sess_opt;
+
+    sess_opt[OPT_SSL_MODE] = sql::SSL_MODE_DISABLED;
+    sess_opt[OPT_SSL_MODE] = sql::SSL_MODE_REQUIRED;
+
+    std::shared_ptr<sql::Connection> s(getConnection(&sess_opt));
+    check_ssl(s, true);
+  }
+  {
+    sql::ConnectOptionsMap sess_opt;
+
+    sess_opt[OPT_SSL_MODE] = sql::SSL_MODE_REQUIRED;
+    sess_opt[OPT_SSL_MODE] = sql::SSL_MODE_DISABLED;
+
+    std::shared_ptr<sql::Connection> s(getConnection(&sess_opt));
+    check_ssl(s, false);
+  }
+
+}
+
+
+
 } /* namespace connection */
 } /* namespace testsuite */
diff --git a/test/unit/classes/connection.h b/test/unit/classes/connection.h
@@ -93,6 +93,7 @@ class connection : public unit_fixture
   TEST_CASE(dns_srv);
   TEST_CASE(mfa);
   TEST_CASE(tls_deprecation);
+  TEST_CASE(normalize_ssl_options);
   }
 
   /**
@@ -297,6 +298,11 @@ class connection : public unit_fixture
    */
   void tls_deprecation();
 
+  /*
+   * Test of MySQL_Connection::normalize_ssl_options()
+   *
+   */
+  void normalize_ssl_options();
 
 };
 
