ssl tests and CACertificateFile docs

caleblloyd · caleblloyd · commit acead3aee24a · 2017-06-26T09:03:54.000-04:00
diff --git a/.ci/server/certs/ssl-client-pw-test.pfx b/.ci/server/certs/ssl-client-pw-test.pfx
diff --git a/.gitattributes b/.gitattributes
@@ -12,3 +12,5 @@
 *.ttf binary
 *.woff binary
 *.woff2 binary
+*.pfx binary
+
diff --git a/docs/content/connection-options.md b/docs/content/connection-options.md
@@ -78,13 +78,18 @@ These are the options that need to be used in order to configure a connection to
   <tr>
     <td>Certificate File, CertificateFile</td>
     <td></td>
-    <td>This option specifies the path to a certificate file in PKCS #12 format (.pfx). </td>
+    <td>This option specifies the path to a certificate file in a PEM Encoded (.pem) or PKCS #12 (.pfx) format. </td>
   </tr>
   <tr>
     <td>Certificate Password, CertificatePassword	</td>
     <td></td>
     <td>Specifies a password that is used in conjunction with a certificate specified using the option CertificateFile.  Not required if the certificate file is not password protected.</td>
   </tr>
+  <tr>
+    <td>CA Certificate File, CACertificateFile</td>
+    <td></td>
+    <td>This option specifies the path to a CA certificate file in a PEM Encoded (.pem) format.  This should be used in with <code>SslMode=VerifyCA</code> or <code>SslMode=VerifyFull</code> to enable verification of a CA certificate that is not trusted by the Operating System's certificate store.</td>
+  </tr>
 </table>
 
 Connection Pooling Options
diff --git a/tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs b/tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs
@@ -28,6 +28,7 @@ public void Defaults()
 			Assert.Equal(false, csb.BufferResultSets);
 			Assert.Equal(180u, csb.ConnectionIdleTimeout);
 			Assert.Equal(false, csb.ForceSynchronous);
+			Assert.Equal(null, csb.CACertificateFile);
 #endif
 			Assert.Equal(0u, csb.Keepalive);
 			Assert.Equal(100u, csb.MaximumPoolSize);
@@ -70,6 +71,7 @@ public void ParseConnectionString()
 					"connectionidletimeout=30;" +
 					"bufferresultsets=true;" +
 					"forcesynchronous=true;" +
+				    "ca certificate file=ca.pem;" +
 #endif
 					"Keep Alive=90;" +
 					"minpoolsize=5;" +
@@ -98,6 +100,7 @@ public void ParseConnectionString()
 			Assert.Equal(true, csb.BufferResultSets);
 			Assert.Equal(30u, csb.ConnectionIdleTimeout);
 			Assert.Equal(true, csb.ForceSynchronous);
+			Assert.Equal("ca.pem", csb.CACertificateFile);
 #endif
 			Assert.Equal(90u, csb.Keepalive);
 			Assert.Equal(15u, csb.MaximumPoolSize);
diff --git a/tests/SideBySide/Attributes.cs b/tests/SideBySide/Attributes.cs
@@ -107,4 +107,14 @@ public SslRequiredConnectionFactAttribute()
 				Skip = "SSL not explicitly required";
 		}
 	}
+
+	public class SslRequiredConnectionTheoryAttribute : TheoryAttribute
+	{
+		public SslRequiredConnectionTheoryAttribute()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			if(csb.SslMode == MySqlSslMode.None || csb.SslMode == MySqlSslMode.Preferred)
+				Skip = "SSL not explicitly required";
+		}
+	}
 }
diff --git a/tests/SideBySide/ConnectAsync.cs b/tests/SideBySide/ConnectAsync.cs
@@ -115,70 +115,6 @@ public async Task ConnectKeepAlive()
 			}
 		}
 
-		[SslRequiredConnectionFact]
-		public async Task ConnectSslPreferred()
-		{
-			var csb = AppConfig.CreateConnectionStringBuilder();
-			string requiredSslVersion;
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-				using (var cmd = connection.CreateCommand())
-				{
-					await connection.OpenAsync();
-					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					requiredSslVersion = (string)await cmd.ExecuteScalarAsync();
-				}
-			}
-			Assert.False(string.IsNullOrWhiteSpace(requiredSslVersion));
-
-			csb.SslMode = MySqlSslMode.Preferred;
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-				using (var cmd = connection.CreateCommand())
-				{
-					await connection.OpenAsync();
-					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					var preferredSslVersion = (string)await cmd.ExecuteScalarAsync();
-					Assert.Equal(requiredSslVersion, preferredSslVersion);
-				}
-			}
-		}
-
-		[SslRequiredConnectionFact]
-		public async Task ConnectSslClientCertificate()
-		{
-			var csb = AppConfig.CreateConnectionStringBuilder();
-			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client.pfx");
-			csb.CertificatePassword = "";
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-				using (var cmd = connection.CreateCommand())
-				{
-					await connection.OpenAsync();
-					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
-					var sslVersion = (string)await cmd.ExecuteScalarAsync();
-					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
-				}
-			}
-		}
-
-		[SslRequiredConnectionFact]
-		public async Task ConnectSslBadClientCertificate()
-		{
-			var csb = AppConfig.CreateConnectionStringBuilder();
-			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "non-ca-client.pfx");
-			csb.CertificatePassword = "";
-			using (var connection = new MySqlConnection(csb.ConnectionString))
-			{
-#if BASELINE
-				var exType = typeof(IOException);
-#else
-				var exType = typeof(MySqlException);
-#endif
-				await Assert.ThrowsAsync(exType, async () => await connection.OpenAsync());
-			}
-		}
-
 		[Fact]
 		public async Task ConnectionDatabase()
 		{
diff --git a/tests/SideBySide/SslTests.cs b/tests/SideBySide/SslTests.cs
@@ -0,0 +1,118 @@
+﻿using System;
+using System.Data;
+using System.IO;
+using System.Threading.Tasks;
+using MySql.Data.MySqlClient;
+using Xunit;
+
+namespace SideBySide
+{
+	public class SslTests : IClassFixture<DatabaseFixture>
+	{
+		public SslTests(DatabaseFixture database)
+		{
+			m_database = database;
+		}
+
+		[SslRequiredConnectionFact]
+		public async Task ConnectSslPreferred()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			string requiredSslVersion;
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				using (var cmd = connection.CreateCommand())
+				{
+					await connection.OpenAsync();
+					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
+					requiredSslVersion = (string)await cmd.ExecuteScalarAsync();
+				}
+			}
+			Assert.False(string.IsNullOrWhiteSpace(requiredSslVersion));
+
+			csb.SslMode = MySqlSslMode.Preferred;
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				using (var cmd = connection.CreateCommand())
+				{
+					await connection.OpenAsync();
+					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
+					var preferredSslVersion = (string)await cmd.ExecuteScalarAsync();
+					Assert.Equal(requiredSslVersion, preferredSslVersion);
+				}
+			}
+		}
+
+		[SslRequiredConnectionTheory]
+		[InlineData("ssl-client.pfx", null, null)]
+		[InlineData("ssl-client-pw-test.pfx", "test", null)]
+		[InlineData("ssl-client-cert.pem", null, null)]
+#if !BASELINE
+		[InlineData("ssl-client.pfx", null, "ssl-ca-cert.pem")]
+		[InlineData("ssl-client-pw-test.pfx", "test", "ssl-ca-cert.pem")]
+		[InlineData("ssl-client-cert.pem", null, "ssl-ca-cert.pem")]
+#endif
+		public async Task ConnectSslClientCertificate(string certFile, string certFilePassword, string caCertFile)
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, certFile);
+			csb.CertificatePassword = certFilePassword;
+			if (caCertFile != null)
+			{
+				csb.SslMode = MySqlSslMode.VerifyCA;
+#if !BASELINE
+				csb.CACertificateFile = Path.Combine(AppConfig.CertsPath, caCertFile);
+#endif
+			}
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				using (var cmd = connection.CreateCommand())
+				{
+					await connection.OpenAsync();
+					cmd.CommandText = "SHOW SESSION STATUS LIKE 'Ssl_version'";
+					var sslVersion = (string)await cmd.ExecuteScalarAsync();
+					Assert.False(string.IsNullOrWhiteSpace(sslVersion));
+				}
+			}
+		}
+
+		[SslRequiredConnectionFact]
+		public async Task ConnectSslBadClientCertificate()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "non-ca-client.pfx");
+			csb.CertificatePassword = "";
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+#if BASELINE
+				var exType = typeof(IOException);
+#else
+				var exType = typeof(MySqlException);
+#endif
+				await Assert.ThrowsAsync(exType, async () => await connection.OpenAsync());
+			}
+		}
+
+#if BASELINE
+		[Fact(Skip = "MySql.Data does not support CACertificateFile")]
+#else
+		[SslRequiredConnectionFact]
+#endif
+		public async Task ConnectSslBadCaCertificate()
+		{
+			var csb = AppConfig.CreateConnectionStringBuilder();
+			csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client-cert.pem");
+			csb.SslMode = MySqlSslMode.VerifyCA;
+#if !BASELINE
+			csb.CACertificateFile = Path.Combine(AppConfig.CertsPath, "non-ca-client-cert.pem");
+#endif
+			using (var connection = new MySqlConnection(csb.ConnectionString))
+			{
+				await Assert.ThrowsAsync(typeof(MySqlException), async () => await connection.OpenAsync());
+			}
+		}
+
+		readonly DatabaseFixture m_database;
+	}
+
+}

Original file line number	Diff line number	Diff line change
`@@ -107,4 +107,14 @@ public SslRequiredConnectionFactAttribute()`
`107`	`107`	`Skip = "SSL not explicitly required";`
`108`	`108`	`}`
`109`	`109`	`}`
	`110`	`+`
	`111`	`+ public class SslRequiredConnectionTheoryAttribute : TheoryAttribute`
	`112`	`+ {`
	`113`	`+ public SslRequiredConnectionTheoryAttribute()`
	`114`	`+ {`
	`115`	`+ var csb = AppConfig.CreateConnectionStringBuilder();`
	`116`	`+ if(csb.SslMode == MySqlSslMode.None \|\| csb.SslMode == MySqlSslMode.Preferred)`
	`117`	`+ Skip = "SSL not explicitly required";`
	`118`	`+ }`
	`119`	`+ }`
`110`	`120`	`}`