From 39fa99726b947d202fc41fd1d01bd230ef8de58d Mon Sep 17 00:00:00 2001
From: Andrew Garner
Date: Tue, 13 Apr 2021 19:14:22 -0500
Subject: [PATCH] Update TLS test to drive our require_secure_transport

- Assert that require_secure_transport is enabled (tls.required is enabled)
- Assert that TLS < v1.2 are disallowed (tls.enforce_tls_v1_2 is enabled)
- Assert that TLS connections otherwise succeed

[#177349859](https://www.pivotaltracker.com/story/show/177349859)
---
 src/specs/integration/tls/README.md         |  8 +++
 src/specs/integration/tls/tls_suite_test.go |  8 +++
 src/specs/integration/tls/tls_test.go       | 71 +++++++++++++--------
 3 files changed, 59 insertions(+), 28 deletions(-)
 create mode 100644 src/specs/integration/tls/README.md

diff --git a/src/specs/integration/tls/README.md b/src/specs/integration/tls/README.md
new file mode 100644
index 000000000..4c750d54d
--- /dev/null
+++ b/src/specs/integration/tls/README.md
@@ -0,0 +1,8 @@
+This test suite verifies TLS behavior of a PXC deployment.
+
+The assumes are that the deployment was deployed with:
+
+- spec.tls.required = true, rejecting any plaintext connections
+- spec.tls.enforce_tls_v1_2 = true; rejecting attempts by clients to use old TLS protocol versions
+
+This test will fail if either plaintext connections are allowed or older TLS versions are allowed in the environment.
diff --git a/src/specs/integration/tls/tls_suite_test.go b/src/specs/integration/tls/tls_suite_test.go
index aa1c260de..db75cf2b7 100644
--- a/src/specs/integration/tls/tls_suite_test.go
+++ b/src/specs/integration/tls/tls_suite_test.go
@@ -1,10 +1,13 @@
 package tls_test
 
 import (
+	"crypto/tls"
 	"database/sql"
 	"os"
 	"testing"
 
+	"github.com/go-sql-driver/mysql"
+
 	helpers "github.com/cloudfoundry/pxc-release/specs/test_helpers"
 	. "github.com/onsi/ginkgo"
@@ -39,6 +42,11 @@ var _ = BeforeSuite(func() {
 		helpers.SetupSocks5Proxy()
 	}
 
+	Expect(mysql.RegisterTLSConfig("deprecated-tls11", &tls.Config{
+		MaxVersion:         tls.VersionTLS11,
+		InsecureSkipVerify: true,
+	})).To(Succeed())
+
 	mysqlUsername := "root"
 	mysqlPassword, err := helpers.GetMySQLAdminPassword()
 	Expect(err).NotTo(HaveOccurred())
diff --git a/src/specs/integration/tls/tls_test.go b/src/specs/integration/tls/tls_test.go
index c113293b9..b30e1b84e 100644
--- a/src/specs/integration/tls/tls_test.go
+++ b/src/specs/integration/tls/tls_test.go
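Review bot: The "deprecated-tls11" config registered at the top of the added block sets only MaxVersion, so whether the client really offers TLS 1.1 depends on the toolchain's default client minimum; newer Go releases disable TLS 1.0/1.1 on the client unless MinVersion is set explicitly, in which case the handshake would fail locally before reaching the server and the suite's version-enforcement test would pass for the wrong reason. Pin both bounds: `MinVersion: tls.VersionTLS11,` next to `MaxVersion: tls.VersionTLS11,`. Because InsecureSkipVerify is also set here, add a comment saying this config exists only to be rejected, e.g. `// Negative-test config: offers TLS 1.1 only; skip-verify is acceptable because the server is expected to refuse the handshake.` BeforeSuite begins and ends outside this hunk.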
@@ -1,40 +1,55 @@
 package tls_test
 
 import (
+	"database/sql"
+	"fmt"
+
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+
+	helpers "github.com/cloudfoundry/pxc-release/specs/test_helpers"
 )
 
-var _ = Describe("Tls", func() {
-	It("tests all the connections are TLS", func() {
+var _ = Describe("TLS", func() {
+	var (
+		rootPassword string
+		proxyHost    string
+	)
+	BeforeEach(func() {
+		var err error
+		rootPassword, err = helpers.GetMySQLAdminPassword()
+		Expect(err).NotTo(HaveOccurred())
+
+		proxyHost, err = helpers.FirstProxyHost(helpers.BoshDeployment)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("requires a secure transport for client connections", func() {
+		dsn := fmt.Sprintf("root:%s@tcp(%s:3306)/?tls=false", rootPassword, proxyHost)
+		db, err := sql.Open("mysql", dsn)
+		Expect(err).NotTo(HaveOccurred())
+
+		err = db.Ping()
+		Expect(err).To(MatchError(`Error 3159: Connections using insecure transport are prohibited while --require_secure_transport=ON.`))
+	})
+
+	It("requires TLSv1.2 for connections", func() {
+		dsn := fmt.Sprintf("root:%s@tcp(%s:3306)/?tls=deprecated-tls11", rootPassword, proxyHost)
+		db, err := sql.Open("mysql", dsn)
+		Expect(err).NotTo(HaveOccurred())
+
+		err = db.Ping()
+		Expect(err).To(HaveOccurred())
+	})
 
-		query := `SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher,
-		processlist_user AS user, processlist_host AS host
-		FROM performance_schema.status_by_thread AS sbt
-		JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id
-		JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
-		WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version`
-		rows, err := mysqlConn.Query(query)
+	It("accepts valid TLS connections", func() {
+		// certificates aren't setup such that we can do proper TLS verification
+		// This test exists to prove TLS < v1.2, fails but normal TLS connections succeed
+		dsn := fmt.Sprintf("root:%s@tcp(%s:3306)/?tls=skip-verify", rootPassword, proxyHost)
+		db, err := sql.Open("mysql", dsn)
 		Expect(err).NotTo(HaveOccurred())
 
-		var (
-			tls_version string
-			cipher      string
-			user        string
-			host        string
-		)
-
-		defer rows.Close()
-		for rows.Next() {
-			err = rows.Scan(&tls_version, &cipher, &user, &host)
-			Expect(err).NotTo(HaveOccurred())
-			Expect(user).NotTo(BeNil())
-			Expect(host).NotTo(BeNil())
-
-			if !(host == "localhost" || host == "127.0.0.1") {
-				Expect(tls_version).To(MatchRegexp("TLSv1\\.[1,2,3]"))
-				Expect(cipher).To(MatchRegexp("ECDHE-RSA.+"))
-			}
-		}
+		err = db.Ping()
+		Expect(err).ToNot(HaveOccurred())
 	})
 })
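Review bot: None of the three new tests closes the `*sql.DB` returned by `sql.Open`, so each leaves a connection pool open for the rest of the suite; add `defer db.Close()` right after the `Expect(err).NotTo(HaveOccurred())` that follows each `sql.Open`. "requires TLSv1.2 for connections" asserts only `HaveOccurred()`, which bad credentials, an unreachable proxy, or a client-side TLS config error would also satisfy, so it does not prove the server refused the protocol version; match a TLS-specific error instead, e.g. `Expect(err).To(MatchError(ContainSubstring("tls:")))`, after confirming the exact text the driver surfaces. The positive test proves only that a Ping succeeds, whereas the removed performance_schema query also checked the negotiated protocol and cipher; reading `Ssl_version` on the session, as below, restores that coverage without needing certificate verification. The `tls=skip-verify` caveat in the comment is acceptable for this environment, but it should also say that the test therefore cannot detect a substituted server certificate.
```go
	It("accepts valid TLS connections", func() {
		// … unchanged: comment, dsn, sql.Open, Expect(err) …
		defer db.Close()

		// Ping alone proves the server accepted the session, not which
		// protocol it negotiated; check the reported TLS version directly.
		var name, sslVersion string
		err = db.QueryRow(`SHOW SESSION STATUS LIKE 'Ssl_version'`).Scan(&name, &sslVersion)
		Expect(err).ToNot(HaveOccurred())
		Expect(sslVersion).To(MatchRegexp(`^TLSv1\.[23]$`))
	})
```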