## Script connection_ssl.inc
#
# Extracted test logic from 'connection_openssl.test' and changed to
# a parametric test: the including .test file sets the variables below
# and then sources this script.
#
# Arguments:
#
# $INCREMENT - defines if SSL status variables will be incremented
#              (1: every TLS connection made by this script bumps the
#              expected Mysqlx_ssl_accepts value; 0: the expected value
#              stays 0 for the whole run)
# $USE_SOCKET - defines if the test should use UNIX socket (must be set to
#              the MYSQLXTEST argument selecting the unix socket, or must
#              be empty)
# $USER_AUTH_PLUGIN - defines the MySQL Server account type
#              (authentication plugin) that is going to be tested
# $ERROR_IF_CHANNEL_UNSECURE - defines the expected error code for the
#              MYSQLXTEST default connection when the test verifies the
#              X Plugin logic that handles the "require_secure_transport"
#              system variable (section X below)
# $NO_SSL_ACCESS_DENIED_ERROR - expected error code when connecting using
#              SHA256_MEMORY authentication on an unsecure channel
#              (sections VII.2 and VIII.3 below)
#
# Usage:
#
# --let $INCREMENT=0|1
# --let $USER_AUTH_PLUGIN=mysql_native_password|sha256_password|caching_sha2_password
# --let $ERROR_IF_CHANNEL_UNSECURE=EXPECTED_ERROR_MESSAGE
# --let $NO_SSL_ACCESS_DENIED_ERROR=ER_ACCESS_DENIED_ERROR
# --let $USE_SOCKET=UNIX_SOCKET_CONFIGURATION
# --source ../include/connection_ssl.inc
#

--echo
--echo
--echo ## Preamble
# performance_schema.threads is queried by the verify-*.tmp scripts below
# (CONNECTION_TYPE of the current session), so it must be available.
--source ../include/have_performance_schema_threads.inc
--source include/xplugin_preamble.inc
--source include/xplugin_create_user.inc

# NOTE(review): the reason for the 300s connect timeout is not visible here;
# presumably it keeps slow TLS handshakes on loaded hosts from timing out.
SET GLOBAL mysqlx_connect_timeout = 300;
# Several sections below deliberately fail authentication (--expect-error
# ER_ACCESS_DENIED_ERROR etc.); keep the resulting error-log lines from
# failing the test run.
call mtr.add_suppression("Maximum number of authentication attempts reached");
call mtr.add_suppression("Access denied for user .*");

## Test starts here
# mysqlxtest script used by II.2: reads the capabilities of a plain
# connection, switches that same connection to TLS via the
# connection.macro helper, then reads the capabilities again.
--write_file $MYSQL_TMP_DIR/mysqlx-enable-ssl.tmp
-->import connection.macro
-->noquery_result
-->recvmessage Mysqlx.Notice.Frame {type:5}
-->query_result
Mysqlx.Connection.CapabilitiesGet {
}
-->recv capabilities[0]

-->callmacro Enable_ssl_on_xprotocol_and_transmision_layer
-->echo # SSL Enabled

Mysqlx.Connection.CapabilitiesGet {
}
-->recv capabilities[0]

EOF

|
# mysqlxtest script used by II.1: every CapabilitiesSet for "tls" with a
# value that is not a V_BOOL true must be rejected by the server with
# ER_X_CAPABILITIES_PREPARE_FAILED, i.e. the channel stays plain and the
# malformed request does not get the connection into a half-negotiated
# TLS state.
--write_file $MYSQL_TMP_DIR/mysqlx-setcapabilities-tls-invalid.tmp
-->echo # setting read/write tls param with possible invalid data types:
-->echo # V_SINT,V_UINT ,V_NULL,V_OCTETS ,V_DOUBLE,V_FLOAT,V_STRING
-->noquery_result
-->recvmessage Mysqlx.Notice.Frame {type:5}
-->query_result
Mysqlx.Connection.CapabilitiesGet {
}
-->recv capabilities[0]

-->echo # Checking CapSet TLS to bool 0
Mysqlx.Connection.CapabilitiesSet {
  capabilities {
    capabilities {
      name: "tls"
      value {
        type: SCALAR
        scalar {
          type: V_BOOL
          v_bool: 0
        }
      }
    }
  }
}
-->recverror ER_X_CAPABILITIES_PREPARE_FAILED

-->echo # CapSet TLS to null
Mysqlx.Connection.CapabilitiesSet {
  capabilities {
    capabilities {
      name: "tls"
      value {
        type: SCALAR
        scalar {
          type: V_NULL
        }
      }
    }
  }
}
-->recverror ER_X_CAPABILITIES_PREPARE_FAILED

-->echo # CapSet TLS to empty octet
Mysqlx.Connection.CapabilitiesSet {
  capabilities {
    capabilities {
      name: "tls"
      value {
        type: SCALAR
        scalar {
          type:V_OCTETS
        }
      }
    }
  }
}
-->recverror ER_X_CAPABILITIES_PREPARE_FAILED

-->echo # CapSet TLS to empty uint
Mysqlx.Connection.CapabilitiesSet {
  capabilities {
    capabilities {
      name: "tls"
      value {
        type: SCALAR
        scalar {
          type:V_UINT
        }
      }
    }
  }
}
-->recverror ER_X_CAPABILITIES_PREPARE_FAILED

-->echo # CapSet TLS to empty sint
Mysqlx.Connection.CapabilitiesSet {
  capabilities {
    capabilities {
      name: "tls"
      value {
        type: SCALAR
        scalar {
          type:V_SINT
        }
      }
    }
  }
}
-->recverror ER_X_CAPABILITIES_PREPARE_FAILED
EOF


# mysqlxtest script run by $MYSQLXTEST_VERIFY_SSL after a successful TLS
# login. It asserts, from inside the session, that the connection really
# is TLS (performance_schema says SSL/TLS, the negotiated version/cipher
# match what mysqlxtest was started with) and that the global accept
# counters equal the number of TLS connections this test has made so far
# (passed in as %VAR_SSL_ACCEPTS%).
--write_file $MYSQL_TMP_DIR/verify-ssl-connection-info.tmp
-->import assert_select.macro
-->import assert_status_variable.macro

callmacro Assert_select
column_user
%OPTION_CLIENT_USER%@localhost
SELECT USER() as column_user;

callmacro Assert_select
CONNECTION_TYPE
SSL/TLS
SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE processlist_id = connection_id();

callmacro Assert_status_variable
Mysqlx_ssl_version
%OPTION_TLS_VERSION%;

# Use either option with which mysqlxtest was started or the default one: DHE-RSA-AES256-SHA
-->stmtsql SELECT IF(""="%OPTION_SSL_CIPHER%","DHE-RSA-AES256-SHA","%OPTION_SSL_CIPHER%") as Value;
-->recvtovar %EXPECTED_SSL_CIPHER% Value

callmacro Assert_status_variable
Mysqlx_ssl_cipher
%EXPECTED_SSL_CIPHER%;

callmacro Assert_status_variable
Mysqlx_ssl_accepts
%VAR_SSL_ACCEPTS%;

callmacro Assert_status_variable
Mysqlx_ssl_finished_accepts
%VAR_SSL_ACCEPTS%;
EOF


# mysqlxtest script run by $MYSQLXTEST_VERIFY_NON_SSL (--ssl-mode=DISABLED).
# Mirror of verify-ssl-connection-info.tmp for a plain channel: the
# connection type must be TCP/IP or Socket, the per-session TLS status
# values must be empty, and the global accept counters must not have
# moved (%VAR_SSL_ACCEPTS% is still the caller's running total).
--write_file $MYSQL_TMP_DIR/verify-non-ssl-connection-info.tmp
-->import assert_select.macro
-->import assert_status_variable.macro

callmacro Assert_select
column_user
%OPTION_CLIENT_USER%@localhost
SELECT USER() as column_user;

callmacro Assert_select
is_non_ssl_con
1
SELECT CONNECTION_TYPE in ("TCP/IP", "Socket") as is_non_ssl_con FROM performance_schema.threads WHERE processlist_id = connection_id();

# No TLS on this session: the expected value for both variables is the
# empty string (the argument line before ';' is intentionally blank).
callmacro Assert_status_variable
Mysqlx_ssl_version
;

callmacro Assert_status_variable
Mysqlx_ssl_cipher
;

callmacro Assert_status_variable
Mysqlx_ssl_accepts
%VAR_SSL_ACCEPTS%;

callmacro Assert_status_variable
Mysqlx_ssl_finished_accepts
%VAR_SSL_ACCEPTS%;
EOF


# Using "connect-expired-password" Option to allow expired password.
# The two scripts below are the only statements a client in "sandbox"
# (expired password) mode is allowed to run; III.2 and III.4 use them.

# Resets the password of the connected account via ALTER USER.
--write_file $MYSQL_TMP_DIR/mysqlx-alter-pwd.tmp
-->sql
ALTER USER USER() IDENTIFIED BY 'alter-new-auth';
-->endsql
EOF


# Resets the password of the connected account via SET PASSWORD
# (the second syntax exercised in section III).
--write_file $MYSQL_TMP_DIR/mysqlx-set-pwd.tmp
-->sql
SET PASSWORD='set-new-auth';
-->endsql
EOF


# Dumps the session view of the X Plugin TLS context variables; IX.2 runs
# it over a TLS connection and compares against the global view from IX.1.
--write_file $MYSQL_TMP_DIR/mysqlx-status.tmp
-->sql
SHOW STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$';
-->endsql
EOF

############################################################################

# Test accounts. Each one exercises a different account-level transport
# requirement; all are dropped again in the Cleanup section at the end.
# Several have empty passwords and all get ALL ON *.*, so this script
# must only ever run against an mtr-managed server.

# user1: plain account, no transport requirement (section I).
eval CREATE USER user1_mysqlx@localhost
IDENTIFIED WITH $USER_AUTH_PLUGIN BY 'auth_string1';
# user2: password already expired at creation (section III).
eval CREATE USER user2_mysqlx@localhost
IDENTIFIED WITH $USER_AUTH_PLUGIN BY 'auth_string2'
PASSWORD EXPIRE;


# user3: requires a concrete cipher AND a client certificate whose subject
# and issuer match std_data/client-cert.pem exactly (section IV).
eval CREATE USER user3_mysqlx@localhost
IDENTIFIED WITH $USER_AUTH_PLUGIN BY 'auth_string3'
REQUIRE CIPHER "AES256-SHA" AND
SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
PASSWORD EXPIRE NEVER;

# user4: no IDENTIFIED clause (server default plugin, empty password),
# requires SSL and starts locked (section V).
eval CREATE USER user4_mysqlx@localhost REQUIRE SSL ACCOUNT LOCK;

# user5: REQUIRE SSL only - any TLS connection is enough (section VI).
eval CREATE USER user5_mysqlx@localhost
IDENTIFIED WITH $USER_AUTH_PLUGIN BY 'auth_string'
REQUIRE SSL;

# user6: REQUIRE X509 - client must present a certificate the server
# verifies, but no particular subject/issuer (section VII).
eval CREATE USER user6_mysqlx@localhost
IDENTIFIED WITH $USER_AUTH_PLUGIN BY 'dwh@#ghd'
REQUIRE x509;


# user7: empty password, requires a concrete cipher only (section VIII).
eval CREATE USER user7_mysqlx@localhost
IDENTIFIED WITH $USER_AUTH_PLUGIN BY ''
REQUIRE CIPHER "AES256-SHA";

GRANT ALL ON *.* TO user1_mysqlx@localhost;
GRANT ALL ON *.* TO user2_mysqlx@localhost;
GRANT ALL ON *.* TO user3_mysqlx@localhost;
GRANT ALL ON *.* TO user4_mysqlx@localhost;
GRANT ALL ON *.* TO user5_mysqlx@localhost;
GRANT ALL ON *.* TO user6_mysqlx@localhost;
GRANT ALL ON *.* TO user7_mysqlx@localhost;

# Running count of TLS connections made by this script. Every TLS login
# below is preceded by "expr $SSL_CONNECTION_MADE= ... + $INCREMENT" and
# the value is handed to the verify script as %VAR_SSL_ACCEPTS%, where it
# is compared against the global Mysqlx_ssl_accepts counters.
--let $SSL_CONNECTION_MADE=0
# Client identity from std_data; used where an account requires a cert.
--let $CLIENT_SSL_KEY=--ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem
--let $CLIENT_SSL_CERT=--ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem
--let $CLIENT_SSL_CA= --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem

# $USE_SOCKET is appended to the shared MYSQLXTEST command; note this
# rewrites the caller's $MYSQLXTEST for the rest of the including test.
let $MYSQLXTEST=$MYSQLXTEST $USE_SOCKET;
# NOTE(review): this pins the verify connection to TLSv1, a deprecated
# protocol version. The verify script asserts Mysqlx_ssl_version against
# %OPTION_TLS_VERSION% (presumably derived from this option), so raising
# the version here must be done together with that expectation.
let $MYSQLXTEST_VERIFY_SSL=
$MYSQLXTEST
--tls-version=TLSv1
--file=$MYSQL_TMP_DIR/verify-ssl-connection-info.tmp
--ssl-mode=REQUIRED
--quiet;
let $MYSQLXTEST_VERIFY_NON_SSL=
$MYSQLXTEST
--file=$MYSQL_TMP_DIR/verify-non-ssl-connection-info.tmp
--ssl-mode=DISABLED
--quiet;

--echo
--echo
--echo ## I. Verify handling of SSL with normal account ($USER_AUTH_PLUGIN)
--echo #
# Baseline: an account with no transport requirement still gets a TLS
# session when the client asks for --ssl-mode=REQUIRED.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user1_mysqlx --password='auth_string1'
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;


--echo
--echo
--echo ## II. Verify handling of SSL with super account and XProtocol message
--echo ## CapabilitySet (without SSL options on it)
--echo #
--echo # 1. Try to set "tls" capability with invalid data (no-ssl connection)
--echo # 2. Try to set "tls" capability with valid data (ssl connection)
--echo #
--echo # II.1
# -h127.0.0.1 forces TCP and --no-auth stops before authentication, so the
# malformed "tls" CapabilitiesSet messages are sent on a plain,
# unauthenticated channel - exactly where the server must reject them.
# No counter increment: no TLS session is ever established here.
exec $MYSQLXTEST -u x_root --password='' -h127.0.0.1
--no-auth
--file=$MYSQL_TMP_DIR/mysqlx-setcapabilities-tls-invalid.tmp 2>&1;

--echo # II.2
# The macro in mysqlx-enable-ssl.tmp upgrades the connection to TLS, so
# this counts as one accepted TLS connection.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST -u x_root --password='' -h127.0.0.1
--no-auth --ssl-mode=REQUIRED
--file=$MYSQL_TMP_DIR/mysqlx-enable-ssl.tmp 2>&1;


--echo
--echo
--echo ## III. Verify handling of expired password with user2_mysqlx account ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. When client doesn't support handling of expired password,
--echo # then connection must be rejected
--echo # 2. When client support expired password, then he must be able
--echo # to alter password
--echo # 3. Verify that after the alter password, account can be used
--echo # without any additional support for expired password on the client
--echo # 4. When client support expired password, then he must be able
--echo # to set the password
--echo # 5. Verify that after the set password, account can be used
--echo # without any additional support for expired password on the client
--echo #
--echo # III.1
# The login is rejected, but the counter is still incremented: the TLS
# handshake presumably completes before the server checks the account
# state, so Mysqlx_ssl_accepts moves anyway (same pattern as IV.2-IV.5).
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_MUST_CHANGE_PASSWORD_LOGIN -u user2_mysqlx --password='auth_string2' 2>&1;

--echo # III.2
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST -u user2_mysqlx --password='auth_string2'
--connect-expired-password --ssl-mode=REQUIRED
--file=$MYSQL_TMP_DIR/mysqlx-alter-pwd.tmp 2>&1;

--echo # III.3
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user2_mysqlx --password='alter-new-auth'
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;

--echo # III.4
# Expire the (now changed) password again to repeat the flow with
# SET PASSWORD instead of ALTER USER.
ALTER USER user2_mysqlx@localhost PASSWORD EXPIRE;
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST -u user2_mysqlx --password='alter-new-auth'
--connect-expired-password --ssl-mode=REQUIRED
--file=$MYSQL_TMP_DIR/mysqlx-set-pwd.tmp 2>&1;

--echo # III.5
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user2_mysqlx --password='set-new-auth'
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;


--echo
--echo
--echo ## IV. Verify handling of account that has requires concrete cipher, signed cert
--echo ## ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. Verify that user can connect when it has allowed cipher and matching cert
--echo # 2. Verify that user can't connect when it has allowed cipher and non-matching cert
--echo # 3. Verify that user can't connect when it doesn't use SSL
--echo # 4. Verify that user can't connect when it use basic SSL configuration
--echo # 5. Verify that user can't connect when it has allowed cipher and its without a cert
--echo #
--echo # IV.1
# Positive case: required cipher plus the client cert whose SUBJECT/ISSUER
# match user3's REQUIRE clause.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user3_mysqlx --password='auth_string3'
--ssl-cipher='AES256-SHA' $CLIENT_SSL_KEY $CLIENT_SSL_CERT
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;

--echo # IV.2
# Presents the std_data *server* cert/key as the client identity: it is
# signed by the same CA but its subject does not match, so the account
# check - not the TLS layer - must reject the login.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user3_mysqlx --password='auth_string3'
--ssl-cipher='AES256-SHA' --ssl-cert=$MYSQL_TEST_DIR/std_data/server-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/server-key.pem 2>&1;

--echo # IV.3
# NOTE(review): the step is described as "doesn't use SSL", but this is
# the same command as IV.4 - $MYSQLXTEST_VERIFY_SSL carries
# --ssl-mode=REQUIRED and the counter is incremented. A real no-TLS
# attempt would use $MYSQLXTEST_VERIFY_NON_SSL (cf. VII.2, VIII.3); the
# expected error/result-file output would need re-recording if changed.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user3_mysqlx --password='auth_string3' 2>&1;

--echo # IV.4
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user3_mysqlx --password='auth_string3' 2>&1;

--echo # IV.5
# Right cipher but no client certificate at all.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user3_mysqlx --password='auth_string3'
--ssl-cipher='AES256-SHA' 2>&1;


--echo
--echo
--echo ## V. Verify handling of locked account ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. Verify that locked account can't connect
--echo # 2. Unlock the account and verify that it can connect
--echo #
--echo # V.1
# user4 satisfies REQUIRE SSL (cert supplied) but is ACCOUNT LOCKed, so
# the lock must win even over an otherwise acceptable TLS login.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCOUNT_HAS_BEEN_LOCKED -u user4_mysqlx --password=''
$CLIENT_SSL_KEY $CLIENT_SSL_CERT 2>&1;

--echo # V.2
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
ALTER USER user4_mysqlx@localhost ACCOUNT UNLOCK;
exec $MYSQLXTEST_VERIFY_SSL -u user4_mysqlx --password=''
$CLIENT_SSL_KEY $CLIENT_SSL_CERT
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;


--echo
--echo
--echo ## VI. Verify handling of account that was marked as SSL required ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. Verify connection with basic SSL configuration
--echo # 2. Verify connection with SSL key & cert
--echo # 3. Verify connection with SSL ca
--echo #
--echo # VI.1
# REQUIRE SSL is satisfied by any TLS session: no cert, with a client
# cert, and with CA verification must all succeed.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user5_mysqlx --password='auth_string'
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;

--echo # VI.2
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user5_mysqlx --password='auth_string'
$CLIENT_SSL_KEY $CLIENT_SSL_CERT
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;

--echo # VI.3
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user5_mysqlx --password='auth_string'
$CLIENT_SSL_CA
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;


--echo
--echo
--echo ## VII. Verify handling of account that was marked as SSL required with signed cert
--echo ## ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. Verify connection with signed cert
--echo # 2. Verify that connection is rejected when SSL is disabled
--echo # 3. Verify that connection is rejected when CA is set
--echo # 4. Verify that connection is rejected when using basic SSL configuration
--echo #
--echo # VII.1
# REQUIRE X509: only a login that presents a client certificate passes.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user6_mysqlx --password='dwh@#ghd'
$CLIENT_SSL_KEY $CLIENT_SSL_CERT
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;

--echo # VII.2
# Plain channel: no counter increment, and the expected error is supplied
# by the caller because it differs per authentication plugin.
exec $MYSQLXTEST_VERIFY_NON_SSL --expect-error $NO_SSL_ACCESS_DENIED_ERROR -u user6_mysqlx --password='dwh@#ghd' 2>&1;

--echo # VII.3
# Verifying the server's cert (CA only) is not the same as presenting a
# client cert; X509 must still be refused.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user6_mysqlx --password='dwh@#ghd'
$CLIENT_SSL_CA 2>&1;

--echo # VII.4
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user6_mysqlx --password='dwh@#ghd' 2>&1;

--echo
--echo
--echo ## VIII. Verify handling of account that was marked that requires concrete SSL cipher
--echo ## ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. Verify connection with concrete cipher and signed cert
--echo # 2. Verify that connection is rejected with concrete cipher and without a cert
--echo # 3. Verify that connection is rejected when SSL is disabled
--echo # 4. Verify that connection is rejected with basic SSL configuration
--echo # 5. Verify that connection is rejected with wrong cipher and signed cert
--echo #
--echo # VIII.1
# user7 has an empty password, hence no --password option in this section.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -u user7_mysqlx
--ssl-cipher="AES256-SHA" $CLIENT_SSL_CA $CLIENT_SSL_KEY $CLIENT_SSL_CERT
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;

--echo # VIII.2
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user7_mysqlx
--ssl-cipher="AES256-SHA" 2>&1;

--echo # VIII.3
# NOTE(review): $expected_error_msg is assigned but not read anywhere in
# this script; the exec below relies on --expect-error only. Left in place
# in case the including test reads it - confirm, then drop if unused.
let $expected_error_msg= Access denied for user 'user7_mysqlx'@'localhost' \(using password: YES\) \(code 1045\);
exec $MYSQLXTEST_VERIFY_NON_SSL --expect-error $NO_SSL_ACCESS_DENIED_ERROR -u user7_mysqlx 2>&1;

--echo # VIII.4
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user7_mysqlx 2>&1;

--echo # VIII.5
# Valid, verified client cert but a cipher other than the required one:
# the REQUIRE CIPHER check must still reject it.
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL --expect-error ER_ACCESS_DENIED_ERROR -u user7_mysqlx
--ssl-cipher='DHE-RSA-AES256-SHA' $CLIENT_SSL_CA $CLIENT_SSL_KEY $CLIENT_SSL_CERT 2>&1;

--echo
--echo
--echo ## IX. Verify X Plugins global and session status variables ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. Verify global SSL setup
--echo # 2. Verify session SSL setup
--echo #
--echo # IX.1
# 4294967295 / 18446744073709551615 are UINT32_MAX / UINT64_MAX; mapping
# both to -1 keeps the recorded result independent of the integer width
# the server reports for these variables (presumably their "not set"
# sentinel - confirm).
replace_regex /4294967295/-1/ /18446744073709551615/-1/;
SHOW GLOBAL STATUS WHERE `Variable_name` RLIKE '^Mysqlx_ssl_(cipher_list|ctx_verify_(depth|mode)|server_not_(after|before)|verify_(depth|mode))$';

--echo # IX.2
# Same masking applied to the output of the exec below, which runs
# mysqlx-status.tmp (SHOW STATUS from inside a TLS session).
replace_regex /4294967295/-1/ /18446744073709551615/-1/;
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST -u x_root
--ssl-cipher="AES256-SHA" $CLIENT_SSL_CA $CLIENT_SSL_KEY $CLIENT_SSL_CERT
--file=$MYSQL_TMP_DIR/mysqlx-status.tmp 2>&1;


--echo
--echo
--echo ## X. Lets confirm that Mysqlx plugin validates the connection_type vs 'require_secure_transport'
--echo ## system variable ($USER_AUTH_PLUGIN)
--echo #
--echo # 1. Connection without SSL (fails on TCP, it works on UNIX socket)
--echo # 2. Connection with SSL (always must be successful)
--echo #
--echo # X.1
# With require_secure_transport=1 a plain TCP connection must be refused
# while a UNIX-socket one is still considered secure; the caller passes
# the outcome it expects for its $USE_SOCKET setting in
# $ERROR_IF_CHANNEL_UNSECURE. No counter increment: nothing is TLS here.
SET GLOBAL require_secure_transport:=1;
exec $MYSQLXTEST_VERIFY_NON_SSL --expect-error $ERROR_IF_CHANNEL_UNSECURE -ux_root --password=''
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;

--echo # X.2
expr $SSL_CONNECTION_MADE= $SSL_CONNECTION_MADE + $INCREMENT;
exec $MYSQLXTEST_VERIFY_SSL -ux_root --password=''
$CLIENT_SSL_CA $CLIENT_SSL_KEY $CLIENT_SSL_CERT
-v%VAR_SSL_ACCEPTS%=$SSL_CONNECTION_MADE 2>&1;
# Restore the global before cleanup. NOTE(review): if either exec above
# aborts the test, the server is left with require_secure_transport=1;
# mtr's post-test check should flag that, but it is worth knowing when
# reading a failure of the next test in the same server.
SET GLOBAL require_secure_transport:=0;


--echo
--echo
--echo ## Cleanup
# Remove every script written with --write_file above (mysqltest refuses
# to overwrite an existing file, so a leftover would break the next run).
--remove_file $MYSQL_TMP_DIR/verify-ssl-connection-info.tmp
--remove_file $MYSQL_TMP_DIR/verify-non-ssl-connection-info.tmp
--remove_file $MYSQL_TMP_DIR/mysqlx-alter-pwd.tmp
--remove_file $MYSQL_TMP_DIR/mysqlx-set-pwd.tmp
--remove_file $MYSQL_TMP_DIR/mysqlx-setcapabilities-tls-invalid.tmp
--remove_file $MYSQL_TMP_DIR/mysqlx-status.tmp
--remove_file $MYSQL_TMP_DIR/mysqlx-enable-ssl.tmp

--source include/xplugin_drop_user.inc

# Drop the privileged test accounts created at the top of this script.
DROP USER user1_mysqlx@localhost;
DROP USER user2_mysqlx@localhost;
DROP USER user3_mysqlx@localhost;
DROP USER user4_mysqlx@localhost;
DROP USER user5_mysqlx@localhost;
DROP USER user6_mysqlx@localhost;
DROP USER user7_mysqlx@localhost;

SET GLOBAL mysqlx_connect_timeout = DEFAULT;