Support requiring SSL, and verifying CA, for MySQL

Author: MatthiasKunnen

docker-compose.yml

@@ -18,6 +18,7 @@ services:
       CLICKHOUSE_CLUSTER_01_TEST_URL: clickhouse://ch-cluster-01:9000/dbmate_test
       CLICKHOUSE_CLUSTER_02_TEST_URL: clickhouse://ch-cluster-02:9000/dbmate_test
       MYSQL_TEST_URL: mysql://root:root@mysql/dbmate_test
+      DBMATE_MYSQL_SSL_MODE: DISABLED
       POSTGRES_TEST_URL: postgres://postgres:postgres@postgres/dbmate_test?sslmode=disable
       BIGQUERY_TEST_URL: bigquery://test/us-east5/dbmate_test?disable_auth=true&endpoint=http%3A%2F%2Fbigquery%3A9050
       SPANNER_POSTGRES_TEST_URL: spanner-postgres://spanner-emulator/dbmate_test?sslmode=disable

pkg/driver/mysql/mysql.go

@@ -2,37 +2,61 @@ package mysql
 
 import (
 	"bytes"
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"fmt"
 	"io"
 	"net/url"
+	"os"
 	"regexp"
 	"strings"
 
+	"github.com/go-sql-driver/mysql" // database/sql driver
+
 	"github.com/amacneil/dbmate/v2/pkg/dbmate"
 	"github.com/amacneil/dbmate/v2/pkg/dbutil"
-
-	_ "github.com/go-sql-driver/mysql" // database/sql driver
 )
 
 func init() {
 	dbmate.RegisterDriver(NewDriver, "mysql")
 }
 
+// sslMode refers to the --ssl-mode options in
+// https://dev.mysql.com/doc/refman/8.4/en/connection-options.html#option_general_ssl-mode
+type sslMode string
+
+const (
+	sslModeDisabled       sslMode = "DISABLED"
+	sslModePreferred      sslMode = "PREFERRED"
+	sslModeRequired       sslMode = "REQUIRED"
+	sslModeVerifyCa       sslMode = "VERIFY_CA"
+	sslModeVerifyIdentity sslMode = "VERIFY_IDENTITY"
+)
+
 // Driver provides top level database functions
 type Driver struct {
 	migrationsTableName string
 	databaseURL         *url.URL
 	log                 io.Writer
+
+	sslMode    sslMode
+	sslConfErr error
+	// Path to the file containing the certificate authority file in PEM format.
+	caPath string
 }
 
 // NewDriver initializes the driver
 func NewDriver(config dbmate.DriverConfig) dbmate.Driver {
-	return &Driver{
+	driver := &Driver{
 		migrationsTableName: config.MigrationsTableName,
 		databaseURL:         config.DatabaseURL,
 		log:                 config.Log,
+		caPath:              os.Getenv("DBMATE_MYSQL_CA_PATH"),
 	}
+	driver.sslConfErr = driver.configureSsl(os.Getenv("DBMATE_MYSQL_SSL_MODE"))
+
+	return driver
 }
 
 func connectionString(u *url.URL) string {
@@ -69,12 +93,68 @@ func connectionString(u *url.URL) string {
 	return normalizedString
 }
 
+func (drv *Driver) configureSsl(mode string) error {
+	switch sslMode(mode) {
+	case sslModeDisabled,
+		sslModePreferred:
+		drv.sslMode = sslMode(mode)
+		return nil
+		// required?
+	case sslModeRequired,
+		sslModeVerifyCa,
+		sslModeVerifyIdentity:
+		drv.sslMode = sslMode(mode)
+	case "":
+		drv.sslMode = sslModePreferred
+		return nil
+	default:
+		return fmt.Errorf("unknown ssl mode: %s", mode)
+	}
+
+	var tlsConf tls.Config
+
+	if drv.caPath != "" {
+		caPem, err := os.ReadFile(drv.caPath)
+		if err != nil {
+			return fmt.Errorf("failed to read CA file: %w", err)
+		}
+
+		rootCertPool := x509.NewCertPool()
+		if ok := rootCertPool.AppendCertsFromPEM(caPem); !ok {
+			return fmt.Errorf("failed to append to root cert pool")
+		}
+		tlsConf.RootCAs = rootCertPool
+	}
+	switch drv.sslMode {
+	case sslModeRequired:
+		tlsConf.InsecureSkipVerify = true
+	case sslModeVerifyCa:
+	case sslModeVerifyIdentity:
+		tlsConf.ServerName = drv.databaseURL.Hostname()
+	}
+
+	err := mysql.RegisterTLSConfig("custom", &tlsConf)
+	if err != nil {
+		return fmt.Errorf("failed to register custom TLS config: %v", err)
+	}
+	query := drv.databaseURL.Query()
+	query.Set("tls", "custom")
+	drv.databaseURL.RawQuery = query.Encode()
+	return nil
+}
+
 // Open creates a new database connection
 func (drv *Driver) Open() (*sql.DB, error) {
+	if drv.sslConfErr != nil {
+		return nil, fmt.Errorf("failed to configure ssl: %w", drv.sslConfErr)
+	}
 	return sql.Open("mysql", connectionString(drv.databaseURL))
 }
 
 func (drv *Driver) openRootDB() (*sql.DB, error) {
+	if drv.sslConfErr != nil {
+		return nil, fmt.Errorf("failed to configure ssl: %w", drv.sslConfErr)
+	}
 	// clone databaseURL
 	rootURL, err := url.Parse(drv.databaseURL.String())
 	if err != nil {
@@ -129,8 +209,17 @@ func (drv *Driver) DropDatabase() error {
 
 func (drv *Driver) mysqldumpArgs() []string {
 	// generate CLI arguments
-	args := []string{"--opt", "--routines", "--no-data",
-		"--skip-dump-date", "--skip-add-drop-table"}
+	args := []string{
+		"--opt", "--routines", "--no-data",
+		"--skip-dump-date", "--skip-add-drop-table",
+	}
+
+	if drv.sslMode != sslModePreferred {
+		args = append(args, "--ssl-mode", string(drv.sslMode))
+	}
+	if drv.caPath != "" {
+		args = append(args, "--ssl-ca", drv.caPath)
+	}
 
 	socket := drv.databaseURL.Query().Get("socket")
 	if socket != "" {

pkg/driver/mysql/mysql_test.go

@@ -146,6 +146,7 @@ func TestMySQLCreateDropDatabase(t *testing.T) {
 }
 
 func TestMySQLDumpArgs(t *testing.T) {
+	t.Setenv("DBMATE_MYSQL_SSL_MODE", "PREFERRED")
 	drv := testMySQLDriver(t)
 	drv.databaseURL = dbtest.MustParseURL(t, "mysql://bob/mydb")
 
@@ -181,6 +182,114 @@ func TestMySQLDumpArgs(t *testing.T) {
 		"mydb"}, drv.mysqldumpArgs())
 }
 
+func TestMySQLDumpArgsWithSsl(t *testing.T) {
+	t.Run("mode=DISABLED,ca=empty", func(t *testing.T) {
+		t.Setenv("DBMATE_MYSQL_SSL_MODE", "DISABLED")
+		drv := testMySQLDriver(t)
+		drv.databaseURL = dbtest.MustParseURL(t, "mysql://bob/mydb")
+		require.Equal(t, []string{
+			"--opt",
+			"--routines",
+			"--no-data",
+			"--skip-dump-date",
+			"--skip-add-drop-table",
+			"--ssl-mode",
+			"DISABLED",
+			"--host=bob",
+			"mydb",
+		}, drv.mysqldumpArgs())
+	})
+	t.Run("mode=DISABLED,ca=set", func(t *testing.T) {
+		t.Setenv("DBMATE_MYSQL_SSL_MODE", "DISABLED")
+		t.Setenv("DBMATE_MYSQL_CA_PATH", "/tmp/404")
+		drv := testMySQLDriver(t)
+		drv.databaseURL = dbtest.MustParseURL(t, "mysql://bob/mydb")
+		require.Equal(t, []string{
+			"--opt",
+			"--routines",
+			"--no-data",
+			"--skip-dump-date",
+			"--skip-add-drop-table",
+			"--ssl-mode",
+			"DISABLED",
+			"--ssl-ca",
+			"/tmp/404",
+			"--host=bob",
+			"mydb",
+		}, drv.mysqldumpArgs())
+	})
+	t.Run("mode=VERIFY_IDENTITY,ca=empty", func(t *testing.T) {
+		t.Setenv("DBMATE_MYSQL_SSL_MODE", "VERIFY_IDENTITY")
+		drv := testMySQLDriver(t)
+		drv.databaseURL = dbtest.MustParseURL(t, "mysql://bob/mydb")
+		require.Equal(t, []string{
+			"--opt",
+			"--routines",
+			"--no-data",
+			"--skip-dump-date",
+			"--skip-add-drop-table",
+			"--ssl-mode",
+			"VERIFY_IDENTITY",
+			"--host=bob",
+			"mydb",
+		}, drv.mysqldumpArgs())
+	})
+	t.Run("mode=VERIFY_IDENTITY,ca=set", func(t *testing.T) {
+		t.Setenv("DBMATE_MYSQL_SSL_MODE", "VERIFY_IDENTITY")
+		t.Setenv("DBMATE_MYSQL_CA_PATH", "/tmp/404")
+		drv := testMySQLDriver(t)
+		drv.databaseURL = dbtest.MustParseURL(t, "mysql://bob/mydb")
+		require.Equal(t, []string{
+			"--opt",
+			"--routines",
+			"--no-data",
+			"--skip-dump-date",
+			"--skip-add-drop-table",
+			"--ssl-mode",
+			"VERIFY_IDENTITY",
+			"--ssl-ca",
+			"/tmp/404",
+			"--host=bob",
+			"mydb",
+		}, drv.mysqldumpArgs())
+	})
+	t.Run("mode=REQUIRED,ca=empty", func(t *testing.T) {
+		t.Setenv("DBMATE_MYSQL_SSL_MODE", "REQUIRED")
+		drv := testMySQLDriver(t)
+		drv.databaseURL = dbtest.MustParseURL(t, "mysql://bob/mydb")
+		require.Equal(t, []string{
+			"--opt",
+			"--routines",
+			"--no-data",
+			"--skip-dump-date",
+			"--skip-add-drop-table",
+			"--ssl-mode",
+			"REQUIRED",
+			"--host=bob",
+			"mydb",
+		}, drv.mysqldumpArgs())
+	})
+	t.Run("mode=REQUIRED,ca=set", func(t *testing.T) {
+		t.Setenv("DBMATE_MYSQL_SSL_MODE", "REQUIRED")
+		t.Setenv("DBMATE_MYSQL_CA_PATH", "/tmp/404")
+		drv := testMySQLDriver(t)
+		drv.databaseURL = dbtest.MustParseURL(t, "mysql://bob/mydb")
+		require.Equal(t, []string{
+			"--opt",
+			"--routines",
+			"--no-data",
+			"--skip-dump-date",
+			"--skip-add-drop-table",
+			"--ssl-mode",
+			"REQUIRED",
+			"--ssl-ca",
+			"/tmp/404",
+			"--host=bob",
+			"mydb",
+		}, drv.mysqldumpArgs())
+	})
+}
+
 func TestMySQLDumpSchema(t *testing.T) {
 	drv := testMySQLDriver(t)
 	drv.migrationsTableName = "test_migrations"