Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add tls support for mysql client #186

Open
wants to merge 13 commits into
base: master
Choose a base branch
from
Open

Add tls support for mysql client #186

Changes from 4 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
e7cfc4b
Add tls support for mysql client
db-will Nov 24, 2024
52095d4
Update cmd/go-tpc/main.go
db-will Jan 1, 2025
0c2b45d
Update cmd/go-tpc/main.go
db-will Jan 1, 2025
c8dffdf
Update cmd/go-tpc/main.go
db-will Jan 1, 2025
a7957cb
Update cmd/go-tpc/main.go
db-will Jan 3, 2025
4b2c7db
Update cmd/go-tpc/main.go
db-will Jan 3, 2025
9ad25f9
Update cmd/go-tpc/main.go
db-will Jan 3, 2025
41368bb
Adjust code based on reviews
db-will Jan 4, 2025
56b6a64
Update cmd/go-tpc/main.go
db-will Jan 6, 2025
7f4316b
Update cmd/go-tpc/main.go
db-will Jan 6, 2025
3b8119a
Update error message
db-will Jan 6, 2025
aace302
Update cmd/go-tpc/main.go
db-will Jan 7, 2025
58133ef
Update cmd/go-tpc/main.go
dveeden Jan 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 68 additions & 5 deletions cmd/go-tpc/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ package main
import (
"context"
"crypto/sha1"
"crypto/tls"
"crypto/x509"
"database/sql"
sqldrv "database/sql/driver"
"encoding/hex"
Expand All @@ -18,6 +20,7 @@ import (
"github.com/pingcap/go-tpc/pkg/util"
"github.com/spf13/cobra"
_ "go.uber.org/automaxprocs"

// mysql package
"github.com/go-sql-driver/mysql"
// pg
Expand Down Expand Up @@ -47,15 +50,19 @@ var (
connParams string
outputStyle string
targets []string
sslCA string
sslCert string
sslKey string

globalDB *sql.DB
globalCtx context.Context
)

const (
createDBDDL = "CREATE DATABASE "
mysqlDriver = "mysql"
pgDriver = "postgres"
createDBDDL = "CREATE DATABASE "
mysqlDriver = "mysql"
pgDriver = "postgres"
customTlsName = "custom"
)

type MuxDriver struct {
Expand Down Expand Up @@ -93,18 +100,31 @@ func newDB(targets []string, driver string, user string, password string, dbName
hash.Write([]byte(password))
hash.Write([]byte(dbName))
hash.Write([]byte(connParams))

if driver == mysqlDriver && len(sslCA) > 0 {
db-will marked this conversation as resolved.
Show resolved Hide resolved
registerMysqlTLSConfig()
}

for i, addr := range targets {
hash.Write([]byte(addr))
switch driver {
case mysqlDriver:
var tlsName string = "preferred"
if len(sslCA) > 0 {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if len(sslCA) > 0 {
if len(sslCA) > 0 || len(sslKey) > 0 || len(sslCert) > 0 {

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refer https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers#enable-authentication

By default, the server-to-client authentication is optional. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be still established.

If sslKey and sslCert are not provided, we will only authenticate the TiDB server from the MySQL client.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think valid configurations are:

  • Only sslCA provided
  • sslCA, sslCert, sslKey all provided.

Not valid:

  • sslCert and/or sslKey set, but no sslCA.
  • sslCert set, but not sslKey
  • sslKey set, but not sslCert

So I think we should set the tlsName to custom if any of sslCert, sslKey or sslCA is set and then later on verify if it is valid (which might already be done)

tlsName = customTlsName
}
// allow multiple statements in one query to allow q15 on the TPC-H
dsn := fmt.Sprintf("%s:%s@tcp(%s)/%s?multiStatements=true&tls=preferred", user, password, addr, dbName)
dsn := fmt.Sprintf("%s:%s@tcp(%s)/%s?multiStatements=true&tls=%s", user, password, addr, dbName, tlsName)
if len(connParams) > 0 {
dsn = dsn + "&" + connParams
}
names[i] = dsn
drv = &mysql.MySQLDriver{}
case pgDriver:
if len(sslCA) > 0 {
db-will marked this conversation as resolved.
Show resolved Hide resolved
panic("postgresql driver doesn't support TLS yet")
}

dsn := fmt.Sprintf("postgres://%s:%s@%s/%s", user, password, addr, dbName)
if len(connParams) > 0 {
dsn = dsn + "?" + connParams
Expand Down Expand Up @@ -150,9 +170,10 @@ func openDB() {
tmpDB, _ = newDB(targets, driver, user, password, "", connParams)
defer tmpDB.Close()
if _, err := tmpDB.Exec(createDBDDL + dbName); err != nil {
panic(fmt.Errorf("failed to create database, err %v\n", err))
panic(fmt.Errorf("failed to create database, err %v", err))
}
} else {
fmt.Printf("failed to ping db, err %v\n", err)
globalDB = nil
}
} else {
Expand Down Expand Up @@ -209,6 +230,9 @@ func main() {
rootCmd.PersistentFlags().StringVar(&outputStyle, "output", util.OutputStylePlain, "output style, valid values can be { plain | table | json }")
rootCmd.PersistentFlags().StringSliceVar(&targets, "targets", nil, "Target database addresses")
rootCmd.PersistentFlags().MarkHidden("targets")
rootCmd.PersistentFlags().StringVar(&sslCA, "ssl-ca", "", "Path of file that contains list of trusted SSL CAs for connection")
rootCmd.PersistentFlags().StringVar(&sslCert, "ssl-cert", "", "Path of file that contains X509 certificate in PEM format for connection")
rootCmd.PersistentFlags().StringVar(&sslKey, "ssl-key", "", "Path of file that contains X509 key in PEM format for connection")

cobra.EnablePrefixMatching = true

Expand Down Expand Up @@ -251,3 +275,42 @@ func main() {

cancel()
}

// registerMysqlTLSConfig constructs a `*tls.Config` from the CA, certification and key
// paths, and register to mysql client.
func registerMysqlTLSConfig() {
// Load the client certificates from disk
var certificates []tls.Certificate
if len(sslCert) != 0 && len(sslKey) != 0 {
cert, err := tls.LoadX509KeyPair(sslCert, sslKey)
if err != nil {
panic(fmt.Errorf("could not load client key pair, err %v", err))
}
certificates = []tls.Certificate{cert}
}
db-will marked this conversation as resolved.
Show resolved Hide resolved

// Create a certificate pool from CA
certPool := x509.NewCertPool()
ca, err := os.ReadFile(sslCA)
if err != nil {
panic(fmt.Errorf("could not read ca certificate, err %v", err))
db-will marked this conversation as resolved.
Show resolved Hide resolved
}

// Append the certificates from the CA
if !certPool.AppendCertsFromPEM(ca) {
panic(fmt.Errorf("failed to append ca certs"))
db-will marked this conversation as resolved.
Show resolved Hide resolved
}

tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
dveeden marked this conversation as resolved.
Show resolved Hide resolved
Certificates: certificates,
RootCAs: certPool,
ClientCAs: certPool,
NextProtos: []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
dveeden marked this conversation as resolved.
Show resolved Hide resolved
}

err = mysql.RegisterTLSConfig(customTlsName, tlsConfig)
if err != nil {
panic(fmt.Errorf("failed to register TLS configs, err %v", err))
db-will marked this conversation as resolved.
Show resolved Hide resolved
}
}
Loading