Add TLS options (encrypt, trust-server-certificate, hostname-in-certificate, disable TNIR); ensure target DB is used; handle missing VIEW SERVER STATE when showing connection info

Sire · Sire · commit 4d89eeb9fd7c · 2025-10-22T12:46:16.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -361,6 +361,9 @@ MigrationBackup/
 
 # Fody - auto-generated XML schema
 FodyWeavers.xsd
+
+
+# Custom
 /Properties/launchSettings.json
 
 # Private todo list
diff --git a/Commands/PingCommand.cs b/Commands/PingCommand.cs
@@ -2,7 +2,7 @@
 using Microsoft.Data.SqlClient;
 using System.Reflection;
 using System.Text;
-using System.Threading;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
 using Spectre.Console;
@@ -24,34 +24,33 @@ public override async Task<int> ExecuteAsync(CommandContext context, ConsoleSett
             // Apply secure credential handling
             ApplySecureCredentials(settings);
 
-            //Logger.LogInformation("Connection string: {Mandatory}", connectionString);
-            //Logger.LogInformation("SQL Command: {Optional}", settings.SQLCommand);
-            //Logger.LogInformation("CommandOptionFlag: {CommandOptionFlag}", settings.CommandOptionFlag);
-            //Logger.LogInformation("CommandOptionValue: {CommandOptionValue}", settings.CommandOptionValue);
-
             var connString = GetConnectionString(settings);
 
-            //Logger.LogInformation("");
             AnsiConsole.MarkupLine($"ConnectionString: [teal]{RedactConnectionString(connString).EscapeMarkup()}[/]");
             AnsiConsole.MarkupLine($"SQL Query       : [teal]{settings.SQLCommand.EscapeMarkup()}[/]");
 
+            // Helpful warning if using IP
+            if (LooksLikeIp(settings.Server)
+                && (settings.TrustServerCertificate != true)
+                && string.IsNullOrWhiteSpace(settings.HostNameInCertificate))
+            {
+                AnsiConsole.MarkupLine("[yellow]Hint:[/] You're connecting by IP. TLS certificate name validation usually fails with IPs unless the cert has the IP in SAN. Use a DNS name, set [teal]--hostname-in-certificate[/], or [teal]--trust-server-certificate true[/] for dev.");
+            }
+
             bool running = true;
 
             while (running)
             {
-
                 int sec = settings.Wait;
                 await AnsiConsole.Status()
                     .AutoRefresh(true)
-                    .Spinner(Spinner.Known.Dots) // https://jsfiddle.net/sindresorhus/2eLtsbey/embedded/result/
+                    .Spinner(Spinner.Known.Dots)
                     .SpinnerStyle(Style.Parse("green bold"))
                     .StartAsync("Please wait...", async ctx =>
                     {
-                        // Simulate some work
                         ctx.Status($"Trying to connect to server [teal]{settings.Server.EscapeMarkup()}[/]...");
                         await CallDatabaseAsync(connString, settings);
 
-                        // Update the status and spinner
                         ctx.Status($"Waiting [teal]{sec}[/] seconds...");
 
                         if (settings.NonStop)
@@ -61,17 +60,12 @@ await AnsiConsole.Status()
                     });
             }
 
-            //Console.WriteLine("\nDone. Press enter.");
-            //Console.ReadLine();
-
             return await Task.FromResult(0);
         }
 
         // Validate as part of the command. This is a good way of validating options if you require any injected services.
         public override ValidationResult Validate(CommandContext context, ConsoleSettings settings)
         {
-            //if (settings.Wait < 1)
-            //    return ValidationResult.Error("...");
             return ValidationResult.Success();
         }
 
@@ -115,7 +109,6 @@ private static void ApplySecureCredentials(ConsoleSettings settings)
 
         private static string GetConnectionString(ConsoleSettings settings) {
             SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
-            //builder.ConnectionString = settings.ConnectionString;
             builder.DataSource = settings.Server;
             if (!string.IsNullOrEmpty(settings.Username)) {
                 builder.UserID = settings.Username;
@@ -135,6 +128,33 @@ private static string GetConnectionString(ConsoleSettings settings) {
             builder.WorkstationID = Environment.MachineName;
             builder.ApplicationName = Assembly.GetExecutingAssembly().FullName;
 
+            // TLS related options
+            if (settings.TrustServerCertificate.HasValue)
+                builder.TrustServerCertificate = settings.TrustServerCertificate.Value;
+
+            if (!string.IsNullOrWhiteSpace(settings.Encrypt))
+            {
+                var encValue = settings.Encrypt.Trim().ToLowerInvariant();
+                if (encValue is "true" or "false" or "strict")
+                {
+                    builder["Encrypt"] = settings.Encrypt;
+                }
+                else
+                {
+                    AnsiConsole.MarkupLine("[yellow]Invalid --encrypt value. Use true|false|strict. Ignoring.[/]");
+                }
+            }
+
+            if (!string.IsNullOrWhiteSpace(settings.HostNameInCertificate))
+            {
+                builder["HostNameInCertificate"] = settings.HostNameInCertificate;
+            }
+
+            if (settings.NoTransparentNetworkIPResolution)
+            {
+                builder["TransparentNetworkIPResolution"] = "false";
+            }
+
             string connString = builder.ConnectionString;
             return connString;
         }
@@ -167,39 +187,96 @@ private async Task CallDatabaseAsync(string connString, ConsoleSettings settings
             try
             {
 
-                using (SqlConnection connection = new SqlConnection(connString))
+                await using (SqlConnection connection = new SqlConnection(connString))
                 {
                     await connection.OpenAsync();
+
+                    // Ensure we are in the requested database even if Initial Catalog was not applied for any reason
+                    if (!string.IsNullOrWhiteSpace(settings.Database))
+                    {
+                        try
+                        {
+                            connection.ChangeDatabase(settings.Database);
+                        }
+                        catch (Exception dbEx)
+                        {
+                            AnsiConsole.MarkupLine($"[yellow]Warning:[/] Failed to change database to '[teal]{settings.Database.EscapeMarkup()}[/]': {dbEx.Message.EscapeMarkup()}");
+                        }
+                    }
+
                     var sb = new StringBuilder();
-                    using (SqlCommand command = new SqlCommand(settings.SQLCommand, connection))
+                    await using (SqlCommand command = new SqlCommand(settings.SQLCommand!, connection))
                     {
                         // Add parameter if the query contains @DatabaseName placeholder
-                        if (settings.SQLCommand.Contains("@DatabaseName"))
+                        if (settings.SQLCommand != null && settings.SQLCommand.Contains("@DatabaseName"))
                         {
                             command.Parameters.AddWithValue("@DatabaseName", settings.Database);
                         }
 
-                        using (SqlDataReader reader = await command.ExecuteReaderAsync())
+                        await using (SqlDataReader reader = await command.ExecuteReaderAsync())
                         {
                             while (await reader.ReadAsync())
                             {
                                 for (int i = 0; i < reader.FieldCount; i++)
                                     if (reader.GetValue(i) != DBNull.Value)
                                         sb.Append($"{reader.GetName(i)}: {Convert.ToString(reader.GetValue(i))}  ");
-                                //sb.AppendLine();
                             }
                         }
                     }
-                    AnsiConsole.MarkupLine($"  [green]SUCCESS[/] {sb.ToString().EscapeMarkup()}");
+
+                    // Try to show connection encryption info, but ignore permission errors
+                    string info;
+                    string currentDbName = connection.Database;
+                    try
+                    {
+                        await using var infoCmd = new SqlCommand(
+                            "SELECT encrypt_option, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID;", connection);
+                        await using var infoReader = await infoCmd.ExecuteReaderAsync();
+                        if (await infoReader.ReadAsync())
+                        {
+                            var encryptOption = Convert.ToString(infoReader["encrypt_option"]);
+                            var transport = Convert.ToString(infoReader["net_transport"]);
+                            info = $" (db={currentDbName}, encrypt_option={encryptOption}, net_transport={transport})";
+                        }
+                        else
+                        {
+                            info = $" (db={currentDbName})";
+                        }
+                    }
+                    catch (SqlException)
+                    {
+                        info = $" (db={currentDbName}, connection details unavailable: requires VIEW SERVER STATE)";
+                    }
+
+                    AnsiConsole.MarkupLine($"  [green]SUCCESS[/] {sb.ToString().EscapeMarkup()}{info}");
                 }
             }
             catch (SqlException ex)
             {
                 AnsiConsole.MarkupLine($"  [red]ERROR: {ex.Message.EscapeMarkup()}[/] ");
+
+                if (ex.Message.IndexOf("certificate chain was issued by an authority that is not trusted", StringComparison.OrdinalIgnoreCase) >= 0)
+                {
+                    AnsiConsole.MarkupLine("[yellow]Troubleshooting tips:[/]");
+                    AnsiConsole.MarkupLine("- Ensure SQL Server uses a certificate trusted by this machine's Trusted Root store.");
+                    AnsiConsole.MarkupLine("- Connect using a DNS name that matches the certificate's CN/SAN.");
+                    AnsiConsole.MarkupLine("- Or set [teal]--hostname-in-certificate[/] to the certificate subject.");
+                    AnsiConsole.MarkupLine("- For dev only, use [teal]--trust-server-certificate true[/] to bypass validation.");
+                    AnsiConsole.MarkupLine("- If name keeps flipping to an IP, try [teal]--no-tnir[/].");
+                }
             }
 
         }
 
+        private static bool LooksLikeIp(string server)
+        {
+            // Accept formats: "x.x.x.x" or "x.x.x.x,port"
+            var parts = server.Split('\\')[0]; // ignore instance suffix
+            var ipAndPort = parts.Split(',');
+            var ip = ipAndPort[0].Trim();
+            return Regex.IsMatch(ip, @"^\d{1,3}(\.\d{1,3}){3}$");
+        }
+
         public PingCommand(ILogger<PingCommand> logger)
         {
             Logger = logger;
diff --git a/Commands/Settings/ConsoleSettings.cs b/Commands/Settings/ConsoleSettings.cs
@@ -62,6 +62,24 @@ public override ValidationResult Validate()
         [DefaultValue(10)]
         public int Wait { get; set; }
 
+        // TLS-related options
+        [CommandOption("--encrypt <true|false|strict>")]
+        [Description("Encrypt mode: true|false|strict. Default follows Microsoft.Data.SqlClient (true).")]
+        public string? Encrypt { get; set; }
+
+        [CommandOption("--trust-server-certificate|-T <true|false>")]
+        [Description("Set TrustServerCertificate=true (DEV ONLY). Bypasses cert validation but keeps encryption.")]
+        public bool? TrustServerCertificate { get; set; }
+
+        [CommandOption("--hostname-in-certificate|-H <name>")]
+        [Description("Override HostNameInCertificate for TLS validation (use the subject/SAN on the server certificate).")]
+        public string? HostNameInCertificate { get; set; }
+
+        [CommandOption("--no-tnir")]
+        [Description("Disable TransparentNetworkIPResolution to avoid host->IP substitution that breaks TLS name matching.")]
+        [DefaultValue(false)]
+        public bool NoTransparentNetworkIPResolution { get; set; } = false;
+
 
 
         //[CommandOption("--command-option-value <value>")]
