blob: 352ff7c0779146d0678ca9a25c7015220a308d2a [file] [log] [blame]
// Copyright 2015 The Vanadium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package dbutil implements utilities for opening and configuring connections
// to MySQL-like databases, with optional TLS support.
// Functions in this file are not thread-safe. However, the returned *sql.DB is.
// Sane defaults are assumed: utf8mb4 encoding, UTC timezone, parsing date/time
// into time.Time.
package dbutil
import (
// SQL statement suffix to be appended when creating tables.
const SqlCreateTableSuffix = "CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci"
// Description of the SQL configuration file format.
const SqlConfigFileDescription = `File must contain a JSON object of the following form:
"dataSourceName": "[username[:password]@][protocol[(address)]]/dbname", (the connection string required by go-sql-driver; database name must be specified, query parameters are not supported)
"tlsDisable": "false|true", (defaults to false; if set to true, uses an unencrypted connection; otherwise, the following fields are mandatory)
"tlsServerName": "serverName", (the domain name of the SQL server for TLS)
"rootCertPath": "[/]path/server-ca.pem", (the root certificate of the SQL server for TLS)
"clientCertPath": "[/]path/client-cert.pem", (the client certificate for TLS)
"clientKeyPath": "[/]path/client-key.pem" (the client private key for TLS)
Paths must be either absolute or relative to the configuration file directory.`
// SqlConfig holds the fields needed to connect to a SQL instance and to
// configure TLS encryption of the information sent over the wire. It must be
// activated via Activate() before use.
type SqlConfig struct {
// DataSourceName is the connection string as required by go-sql-driver:
// "[username[:password]@][protocol[(address)]]/dbname";
// database name must be specified, query parameters are not supported.
DataSourceName string `json:"dataSourceName"`
// TLSDisable, if set to true, uses an unencrypted connection;
// otherwise, the following fields are mandatory.
TLSDisable bool `json:"tlsDisable"`
// TLSServerName is the domain name of the SQL server for TLS.
TLSServerName string `json:"tlsServerName"`
// RootCertPath is the root certificate of the SQL server for TLS.
RootCertPath string `json:"rootCertPath"`
// ClientCertPath is the client certificate for TLS.
ClientCertPath string `json:"clientCertPath"`
// ClientKeyPath is the client private key for TLS.
ClientKeyPath string `json:"clientKeyPath"`
// ActiveSqlConfig represents a SQL configuration that has been activated
// by registering the TLS configuration (if applicable). It can be used for
// opening SQL database connections.
type ActiveSqlConfig struct {
// cfg is a copy of the SqlConfig that was activated.
cfg *SqlConfig
// tlsConfigIdentifier is the identifier under which the TLS configuration
// is registered with go-sql-driver. It is computed as a secure hash of the
// SqlConfig after resolving any relative paths.
tlsConfigIdentifier string
// Parses the SQL configuration file pointed to by sqlConfigFile (format
// described in SqlConfigFileDescription; also see links below).
func ParseSqlConfigFromFile(sqlConfigFile string) (*SqlConfig, error) {
configJSON, err := ioutil.ReadFile(sqlConfigFile)
if err != nil {
return nil, fmt.Errorf("failed reading SQL config file %q: %v", sqlConfigFile, err)
var config SqlConfig
if err = json.Unmarshal(configJSON, &config); err != nil {
// TODO(ivanpi): Parsing errors might leak the SQL password into error
// logs, depending on standard library implementation.
return nil, fmt.Errorf("failed parsing SQL config file %q: %v", sqlConfigFile, err)
return &config, nil
// Activates the SQL configuration by registering the TLS configuration with
// go-mysql-driver (if TLSDisable is not set).
// Certificate paths from SqlConfig that aren't absolute are interpreted relative
// to certBaseDir.
// For more information see
func (sc *SqlConfig) Activate(certBaseDir string) (*ActiveSqlConfig, error) {
if sc.TLSDisable {
return &ActiveSqlConfig{
cfg: sc.normalizePaths(""),
}, nil
cbdAbs, err := filepath.Abs(certBaseDir)
if err != nil {
return nil, fmt.Errorf("failed resolving certificate base directory %q: %v", certBaseDir, err)
scn := sc.normalizePaths(cbdAbs)
configId := scn.hash()
if err = registerSqlTLSConfig(scn, configId); err != nil {
return nil, fmt.Errorf("failed registering TLS config: %v", err)
return &ActiveSqlConfig{
cfg: scn,
tlsConfigIdentifier: configId,
}, nil
// Convenience function to parse and activate the SQL configuration file.
// Certificate paths that aren't absolute are interpreted relative to the
// directory containing sqlConfigFile.
func ActivateSqlConfigFromFile(sqlConfigFile string) (*ActiveSqlConfig, error) {
cfg, err := ParseSqlConfigFromFile(sqlConfigFile)
if err != nil {
return nil, err
activeCfg, err := cfg.Activate(filepath.Dir(sqlConfigFile))
if err != nil {
return nil, fmt.Errorf("failed activating SQL config from file %q: %v", sqlConfigFile, err)
return activeCfg, nil
// Opens a connection to the SQL database using the provided configuration.
// Sets the specified transaction isolation (see link below).
func (sqlConfig *ActiveSqlConfig) NewSqlDBConn(txIsolation string) (*sql.DB, error) {
return openSqlDBConn(configureSqlDBConn(sqlConfig, txIsolation))
// Convenience function to parse and activate the configuration file and open
// a connection to the SQL database. If multiple connections with the same
// configuration are needed, a single ActivateSqlConfigFromFile() and multiple
// NewSqlDbConn() calls are recommended instead.
func NewSqlDBConnFromFile(sqlConfigFile, txIsolation string) (*sql.DB, error) {
config, err := ActivateSqlConfigFromFile(sqlConfigFile)
if err != nil {
return nil, err
return config.NewSqlDBConn(txIsolation)
func configureSqlDBConn(sqlConfig *ActiveSqlConfig, txIsolation string) string {
params := url.Values{}
// Setting charset is unneccessary when collation is set, according to
params.Set("collation", "utf8mb4_general_ci")
// Maps SQL date/time values into time.Time instead of strings.
params.Set("parseTime", "true")
params.Set("loc", "UTC")
params.Set("time_zone", "'+00:00'")
if !sqlConfig.cfg.TLSDisable {
params.Set("tls", sqlConfig.tlsConfigIdentifier)
params.Set("tx_isolation", "'"+txIsolation+"'")
return sqlConfig.cfg.DataSourceName + "?" + params.Encode()
func openSqlDBConn(dataSrcName string) (*sql.DB, error) {
// Prevent leaking the SQL password into error logs.
sanitizedDSN := dataSrcName[strings.LastIndex(dataSrcName, "@")+1:]
db, err := sql.Open("mysql", dataSrcName)
if err != nil {
return nil, fmt.Errorf("failed opening database connection at %q: %v", sanitizedDSN, err)
if err := db.Ping(); err != nil {
return nil, fmt.Errorf("failed connecting to database at %q: %v", sanitizedDSN, err)
return db, nil
// registerSqlTLSConfig sets up the SQL connection to use TLS encryption
// and registers the configuration under configId.
// For more information see
func registerSqlTLSConfig(cfg *SqlConfig, configId string) error {
rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile(cfg.RootCertPath)
if err != nil {
return fmt.Errorf("failed reading root certificate: %v", err)
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return fmt.Errorf("failed to append PEM to cert pool")
ckpair, err := tls.LoadX509KeyPair(cfg.ClientCertPath, cfg.ClientKeyPath)
if err != nil {
return fmt.Errorf("failed loading client key pair: %v", err)
clientCert := []tls.Certificate{ckpair}
return mysql.RegisterTLSConfig(configId, &tls.Config{
RootCAs: rootCertPool,
Certificates: clientCert,
ServerName: cfg.TLSServerName,
// SSLv3 is more vulnerable than TLSv1.0, see
// TODO(ivanpi): Increase when Cloud SQL starts supporting higher TLS versions.
MinVersion: tls.VersionTLS10,
ClientAuth: tls.RequireAndVerifyClientCert,
// Computes a secure hash of the SqlConfig. Paths are canonicalized before
// hashing.
func (sc *SqlConfig) hash() string {
scn := sc.normalizePaths("")
fieldsToHash := []interface{}{
scn.DataSourceName, scn.TLSDisable, scn.TLSServerName,
scn.RootCertPath, scn.ClientCertPath, scn.ClientKeyPath,
hashAcc := make([]byte, 0, len(fieldsToHash)*sha256.Size)
for _, field := range fieldsToHash {
fieldHash := sha256.Sum256([]byte(fmt.Sprintf("%v", field)))
hashAcc = append(hashAcc, fieldHash[:]...)
structHash := sha256.Sum256(hashAcc)
return hex.EncodeToString(structHash[:])
// Returns a copy of the SqlConfig with certificate paths canonicalized and
// resolved relative to certBaseDir. Blank paths remain blank.
func (sc *SqlConfig) normalizePaths(certBaseDir string) *SqlConfig {
scn := *sc
for _, path := range []*string{&scn.RootCertPath, &scn.ClientCertPath, &scn.ClientKeyPath} {
*path = normalizePath(*path, certBaseDir)
return &scn
// If path is not absolute, resolves path relative to baseDir. Otherwise,
// canonicalizes path. Blank paths are not resolved or canonicalized.
func normalizePath(path, baseDir string) string {
if strings.TrimSpace(path) == "" {
return ""
if filepath.IsAbs(path) {
return filepath.Clean(path)
return filepath.Join(baseDir, path)