MYCPP-284: TLS Options implementation on DevAPI

Author: rsomla1

cdk/core/tests/session-t.cc

@@ -1032,6 +1032,11 @@ TEST_F(Session_core, tls_options)
       }
     }
 
+    if (ssl_ca.find('\\') == string::npos && ssl_ca.find('/') == string::npos)
+    { //not full path
+      ssl_ca = datadir + ssl_ca;
+    }
+
     cout << "Setting CA to: " << ssl_ca << endl;
 
     tls_options.set_ca(ssl_ca);

cdk/include/mysql/cdk/data_source.h

@@ -131,12 +131,16 @@ class TCPIP::Options : public ds::Options
 public:
 
   Options()
+#ifdef WITH_SSL
     : m_tls_options(false)
+#endif
   {}
 
   Options(const string &usr, const std::string *pwd =NULL)
     : ds::Options(usr, pwd)
-    , m_tls_options(false)
+  #ifdef WITH_SSL
+    ,m_tls_options(false)
+  #endif
   {}
 
 #ifdef WITH_SSL

cdk/include/mysql/cdk/foundation/connection_yassl.h

@@ -75,6 +75,7 @@ class TLS::Options
     : m_use_tls(use_tls)
   {}
 
+  void set_use_tls(bool use_tls) { m_use_tls = use_tls; }
   bool use_tls() const { return m_use_tls; }
 
   void set_key(const string &key) { m_key = key; }

devapi/session.cc

@@ -129,13 +129,18 @@ struct URI_parser
   , private endpoint::TCPIP
   , public parser::URI_processor
 {
+
+#ifdef WITH_SSL
+  // tls off by default on URI connection
+  cdk::connection::TLS::Options m_tls_opt = false;
+#endif
+
   URI_parser(const std::string &uri)
   {
+    parser::parse_conn_str(uri, *this);
 #ifdef WITH_SSL
-    // TLS OFF by default on URI
-    set_tls(false);
+    set_tls(m_tls_opt);
 #endif
-    parser::parse_conn_str(uri, *this);
   }
 
 
@@ -173,14 +178,36 @@ struct URI_parser
   void key_val(const std::string &key) override
   {
     if (key == "ssl-enable")
+    {
+#ifdef WITH_SSL
+      m_tls_opt.set_use_tls(true);
+#else
+      throw_error(
+            "Can not create TLS session - this connector is built"
+            " without TLS support."
+            );
+#endif
+    }
+  }
+
+  void key_val(const std::string &key, const std::string &val) override
+  {
+    if (key == "ssl-ca")
+    {
 #ifdef WITH_SSL
-      set_tls(true);
+      m_tls_opt.set_ca(val);
 #else
       throw_error(
-        "Can not create TLS session - this connector is built"
-        " without TLS support."
-      );
+          "Can not create TLS session - this connector is built"
+          " without TLS support."
+          );
 #endif
+    } else
+    {
+      std::stringstream err;
+      err << "Unexpected key " << key << "=" << val << " on URI";
+      throw_error(err.str().c_str());
+    }
   }
 
 };
@@ -197,8 +224,8 @@ internal::XSession_base::XSession_base(SessionSettings settings)
           );
 
       m_impl = new Impl(
-        static_cast<endpoint::TCPIP&>(parser.get_endpoint()),
-        static_cast<XSession_base::Options&>(parser));
+                 static_cast<endpoint::TCPIP&>(parser.get_endpoint()),
+                 static_cast<XSession_base::Options&>(parser));
     }
     else
     {
@@ -246,16 +273,25 @@ internal::XSession_base::XSession_base(SessionSettings settings)
             );
 
       if (settings.has_option(SessionSettings::SSL_ENABLE))
+      {
 #ifdef WITH_SSL
-        opt.set_tls(settings[SessionSettings::SSL_ENABLE].get<bool>());
+        cdk::connection::TLS::Options opt_ssl(settings[SessionSettings::SSL_ENABLE]);
+
+
+        if (settings.has_option(SessionSettings::SSL_CA))
+          opt_ssl.set_ca(settings[SessionSettings::SSL_ENABLE].get<string>());
+
+        opt.set_tls(opt_ssl);
 #else
         throw_error(
-          "Can not create TLS session - this connector is built"
-          " without TLS support."
-        );
+              "Can not create TLS session - this connector is built"
+              " without TLS support."
+              );
 #endif
+      }
 
       m_impl = new Impl(ep, opt);
+
     }
   }
   CATCH_AND_WRAP

devapi/tests/session-t.cc

@@ -431,6 +431,72 @@ TEST_F(Sess, ssl_session)
     EXPECT_FALSE(cipher.empty());
   }
 
+
+  //using wrong ssl-ca and ssl-ca-path as SessionSettings
+  {
+    EXPECT_THROW(
+    mysqlx::XSession sess(SessionSettings::PORT, get_port(),
+                          SessionSettings::USER,get_user(),
+                          SessionSettings::PWD, get_password() ? get_password() : NULL ,
+                          SessionSettings::SSL_ENABLE, true,
+                          SessionSettings::SSL_CA, "unknown")
+          , mysqlx::Error);
+
+
+  }
+
+  //using wrong ssl-ca and ssl-ca-path on URI
+  {
+    std::stringstream bad_uri;
+    bad_uri << uri.str() << "&ssl-ca=" << "unknown.file" << "&ssl-ca-path=" << "unknown.path";
+
+    EXPECT_THROW(mysqlx::XSession sess(bad_uri.str()), mysqlx::Error);
+  }
+
+  string ssl_ca;
+  string datadir;
+
+  {
+    mysqlx::XSession sess(uri.str());
+
+    SqlResult res = sess.bindToDefaultShard()
+                    .sql("show global variables like 'ssl_ca'")
+                    .execute();
+
+    ssl_ca = res.fetchOne().get(1);
+
+    res = sess.bindToDefaultShard()
+          .sql("show global variables like 'datadir'")
+          .execute();
+
+    datadir = res.fetchOne().get(1);
+
+  }
+
+  std::cout << "ssl-ca:" << ssl_ca
+             << " datadir:" << datadir
+             << std::endl;
+
+  if (ssl_ca.find('\\') == string::npos && ssl_ca.find('/') == string::npos)
+  { //not full path
+    ssl_ca = datadir + ssl_ca;
+  }
+
+  uri << "&ssl-ca=" << ssl_ca;
+
+  {
+    mysqlx::XSession sess(uri.str());
+
+    SqlResult res =  sess.bindToDefaultShard().sql("SHOW STATUS LIKE 'mysqlx_ssl_cipher'").execute();
+
+    auto row = res.fetchOne();
+    cout << row[0] << ":" << row[1] << endl;
+
+    string cipher = row[1];
+
+    EXPECT_FALSE(cipher.empty());
+  }
+
 }
 
 TEST_F(Sess, ipv6)

include/mysql_devapi.h

@@ -516,7 +516,8 @@ class PUBLIC_API SessionSettings
     USER,
     PWD,
     DB,
-    SSL_ENABLE
+    SSL_ENABLE,
+    SSL_CA
   };