lib/dbutil: Refactor mysql support, allow relative cert paths.
Refactored mysql configuration flow to allow external code to
populate config structs directly instead of parsing from file.
Added support for relative TLS certificate paths. When parsing
config from file, paths are resolved relative to the directory
containing the config file.
Attempted to remove SQL passwords from error messages.
MultiPart: 1/2
Change-Id: I579c6ab78132f286cdcc468f051f754d78fe87f0
diff --git a/dbutil/mysql.go b/dbutil/mysql.go
index 747c9f2..a1e4eee 100644
--- a/dbutil/mysql.go
+++ b/dbutil/mysql.go
@@ -17,6 +17,8 @@
"fmt"
"io/ioutil"
"net/url"
+ "path/filepath"
+ "strings"
"github.com/go-sql-driver/mysql"
)
@@ -30,18 +32,16 @@
"dataSourceName": "[username[:password]@][protocol[(address)]]/dbname", (the connection string required by go-sql-driver; database name must be specified, query parameters are not supported)
"tlsDisable": "false|true", (defaults to false; if set to true, uses an unencrypted connection; otherwise, the following fields are mandatory)
"tlsServerName": "serverName", (the domain name of the SQL server for TLS)
- "rootCertPath": "/path/server-ca.pem", (the root certificate of the SQL server for TLS)
- "clientCertPath": "/path/client-cert.pem", (the client certificate for TLS)
- "clientKeyPath": "/path/client-key.pem" (the client private key for TLS)
- }`
+ "rootCertPath": "[/]path/server-ca.pem", (the root certificate of the SQL server for TLS)
+ "clientCertPath": "[/]path/client-cert.pem", (the client certificate for TLS)
+ "clientKeyPath": "[/]path/client-key.pem" (the client private key for TLS)
+ }
+Paths must be either absolute or relative to the configuration file directory.`
// SqlConfig holds the fields needed to connect to a SQL instance and to
-// configure TLS encryption of the information sent over the wire.
+// configure TLS encryption of the information sent over the wire. It must be
+// activated via Activate() before use.
type SqlConfig struct {
- wrapped *iSqlConfig
-}
-
-type iSqlConfig struct {
// DataSourceName is the connection string as required by go-sql-driver:
// "[username[:password]@][protocol[(address)]]/dbname";
// database name must be specified, query parameters are not supported.
@@ -57,15 +57,22 @@
ClientCertPath string `json:"clientCertPath"`
// ClientKeyPath is the client private key for TLS.
ClientKeyPath string `json:"clientKeyPath"`
+}
+
+// ActiveSqlConfig represents a SQL configuration that has been activated
+// by registering the TLS configuration (if applicable). It can be used for
+// opening SQL database connections.
+type ActiveSqlConfig struct {
+ // cfg is a copy of the SqlConfig that was activated.
+ cfg *SqlConfig
// tlsConfigIdentifier is the identifier under which the TLS configuration
// is registered with go-sql-driver. It is computed as a secure hash of the
- // configuration file path and contents.
+ // SqlConfig after resolving any relative paths.
tlsConfigIdentifier string `json:"-"`
}
// Parses the SQL configuration file pointed to by sqlConfigFile (format
-// described in SqlConfigFileDescription; also see links below) and registers
-// the TLS configuration with go-mysql-driver.
+// described in SqlConfigFileDescription; also see links below).
// https://github.com/go-sql-driver/mysql/#dsn-data-source-name
// https://github.com/go-sql-driver/mysql/#tls
func ParseSqlConfigFromFile(sqlConfigFile string) (*SqlConfig, error) {
@@ -73,40 +80,76 @@
if err != nil {
return nil, fmt.Errorf("failed reading SQL config file %q: %v", sqlConfigFile, err)
}
- var config iSqlConfig
+ var config SqlConfig
if err = json.Unmarshal(configJSON, &config); err != nil {
+ // TODO(ivanpi): Parsing errors might leak the SQL password into error
+ // logs, depending on standard library implementation.
return nil, fmt.Errorf("failed parsing SQL config file %q: %v", sqlConfigFile, err)
}
- if !config.TLSDisable {
- rawHash := sha256.Sum256(append([]byte(sqlConfigFile+":"), configJSON...))
- config.tlsConfigIdentifier = hex.EncodeToString(rawHash[:])
- if err = registerSqlTLSConfig(&config); err != nil {
- return nil, fmt.Errorf("failed registering TLS config from %q: %v", sqlConfigFile, err)
- }
+ return &config, nil
+}
+
+// Activates the SQL configuration by registering the TLS configuration with
+// go-mysql-driver (if TLSDisable is not set).
+// Certificate paths from SqlConfig that aren't absolute are interpreted relative
+// to certBaseDir.
+// For more information see https://github.com/go-sql-driver/mysql/#tls
+func (sc *SqlConfig) Activate(certBaseDir string) (*ActiveSqlConfig, error) {
+ if sc.TLSDisable {
+ return &ActiveSqlConfig{
+ cfg: sc.normalizePaths(""),
+ }, nil
}
- return &SqlConfig{wrapped: &config}, nil
+ cbdAbs, err := filepath.Abs(certBaseDir)
+ if err != nil {
+ return nil, fmt.Errorf("failed resolving certificate base directory %q: %v", certBaseDir, err)
+ }
+ scn := sc.normalizePaths(cbdAbs)
+ configId := scn.hash()
+ if err = registerSqlTLSConfig(scn, configId); err != nil {
+ return nil, fmt.Errorf("failed registering TLS config: %v", err)
+ }
+ return &ActiveSqlConfig{
+ cfg: scn,
+ tlsConfigIdentifier: configId,
+ }, nil
+}
+
+// Convenience function to parse and activate the SQL configuration file.
+// Certificate paths that aren't absolute are interpreted relative to the
+// directory containing sqlConfigFile.
+func ActivateSqlConfigFromFile(sqlConfigFile string) (*ActiveSqlConfig, error) {
+ cfg, err := ParseSqlConfigFromFile(sqlConfigFile)
+ if err != nil {
+ return nil, err
+ }
+ activeCfg, err := cfg.Activate(filepath.Dir(sqlConfigFile))
+ if err != nil {
+ return nil, fmt.Errorf("failed activating SQL config from file %q: %v", sqlConfigFile, err)
+ }
+ return activeCfg, nil
}
// Opens a connection to the SQL database using the provided configuration.
// Sets the specified transaction isolation (see link below).
// https://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_tx_isolation
-func NewSqlDBConn(sqlConfig *SqlConfig, txIsolation string) (*sql.DB, error) {
- return openSqlDBConn(configureSqlDBConn(sqlConfig.wrapped, txIsolation))
+func (sqlConfig *ActiveSqlConfig) NewSqlDBConn(txIsolation string) (*sql.DB, error) {
+ return openSqlDBConn(configureSqlDBConn(sqlConfig, txIsolation))
}
-// Convenience function to parse the configuration file and open a connection
-// to the SQL database. If multiple connections with the same configuration are
-// needed, a single ParseSqlConfigFromFile() and multiple NewSqlDbConn() calls
-// are recommended instead.
+// Convenience function to parse and activate the configuration file and open
+// a connection to the SQL database. If multiple connections with the same
+// configuration are needed, a single ActivateSqlConfigFromFile() and multiple
+// NewSqlDbConn() calls are recommended instead.
func NewSqlDBConnFromFile(sqlConfigFile, txIsolation string) (*sql.DB, error) {
- config, err := ParseSqlConfigFromFile(sqlConfigFile)
+ config, err := ActivateSqlConfigFromFile(sqlConfigFile)
if err != nil {
return nil, err
}
- return NewSqlDBConn(config, txIsolation)
+ return config.NewSqlDBConn(txIsolation)
}
-func configureSqlDBConn(sqlConfig *iSqlConfig, txIsolation string) string {
+func configureSqlDBConn(sqlConfig *ActiveSqlConfig, txIsolation string) string {
params := url.Values{}
// Setting charset is unneccessary when collation is set, according to
// https://github.com/go-sql-driver/mysql/#charset
@@ -115,47 +158,89 @@
params.Set("parseTime", "true")
params.Set("loc", "UTC")
params.Set("time_zone", "'+00:00'")
- if !sqlConfig.TLSDisable {
+ if !sqlConfig.cfg.TLSDisable {
params.Set("tls", sqlConfig.tlsConfigIdentifier)
}
params.Set("tx_isolation", "'"+txIsolation+"'")
- return sqlConfig.DataSourceName + "?" + params.Encode()
+ return sqlConfig.cfg.DataSourceName + "?" + params.Encode()
}
func openSqlDBConn(dataSrcName string) (*sql.DB, error) {
+ // Prevent leaking the SQL password into error logs.
+ sanitizedDSN := dataSrcName[strings.LastIndex(dataSrcName, "@")+1:]
db, err := sql.Open("mysql", dataSrcName)
if err != nil {
- return nil, fmt.Errorf("failed opening database connection at %q: %v", dataSrcName, err)
+ return nil, fmt.Errorf("failed opening database connection at %q: %v", sanitizedDSN, err)
}
if err := db.Ping(); err != nil {
- return nil, fmt.Errorf("failed connecting to database at %q: %v", dataSrcName, err)
+ return nil, fmt.Errorf("failed connecting to database at %q: %v", sanitizedDSN, err)
}
return db, nil
}
-// registerSqlTLSConfig sets up the SQL connection to use TLS encryption.
+// registerSqlTLSConfig sets up the SQL connection to use TLS encryption
+// and registers the configuration under configId.
// For more information see https://github.com/go-sql-driver/mysql/#tls
-func registerSqlTLSConfig(config *iSqlConfig) error {
+func registerSqlTLSConfig(cfg *SqlConfig, configId string) error {
rootCertPool := x509.NewCertPool()
- pem, err := ioutil.ReadFile(config.RootCertPath)
+ pem, err := ioutil.ReadFile(cfg.RootCertPath)
if err != nil {
return fmt.Errorf("failed reading root certificate: %v", err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return fmt.Errorf("failed to append PEM to cert pool")
}
- ckpair, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
+ ckpair, err := tls.LoadX509KeyPair(cfg.ClientCertPath, cfg.ClientKeyPath)
if err != nil {
return fmt.Errorf("failed loading client key pair: %v", err)
}
clientCert := []tls.Certificate{ckpair}
- return mysql.RegisterTLSConfig(config.tlsConfigIdentifier, &tls.Config{
+ return mysql.RegisterTLSConfig(configId, &tls.Config{
RootCAs: rootCertPool,
Certificates: clientCert,
- ServerName: config.TLSServerName,
+ ServerName: cfg.TLSServerName,
// SSLv3 is more vulnerable than TLSv1.0, see https://en.wikipedia.org/wiki/POODLE
// TODO(ivanpi): Increase when Cloud SQL starts supporting higher TLS versions.
MinVersion: tls.VersionTLS10,
ClientAuth: tls.RequireAndVerifyClientCert,
})
}
+
+// Computes a secure hash of the SqlConfig. Paths are canonicalized before
+// hashing.
+func (sc *SqlConfig) hash() string {
+ scn := sc.normalizePaths("")
+ fieldsToHash := []interface{}{
+ scn.DataSourceName, scn.TLSDisable, scn.TLSServerName,
+ scn.RootCertPath, scn.ClientCertPath, scn.ClientKeyPath,
+ }
+ hashAcc := make([]byte, 0, len(fieldsToHash)*sha256.Size)
+ for _, field := range fieldsToHash {
+ fieldHash := sha256.Sum256([]byte(fmt.Sprintf("%v", field)))
+ hashAcc = append(hashAcc, fieldHash[:]...)
+ }
+ structHash := sha256.Sum256(hashAcc)
+ return hex.EncodeToString(structHash[:])
+}
+
+// Returns a copy of the SqlConfig with certificate paths canonicalized and
+// resolved relative to certBaseDir. Blank paths remain blank.
+func (sc *SqlConfig) normalizePaths(certBaseDir string) *SqlConfig {
+ scn := *sc
+ for _, path := range []*string{&scn.RootCertPath, &scn.ClientCertPath, &scn.ClientKeyPath} {
+ *path = normalizePath(*path, certBaseDir)
+ }
+ return &scn
+}
+
+// If path is not absolute, resolves path relative to baseDir. Otherwise,
+// canonicalizes path. Blank paths are not resolved or canonicalized.
+func normalizePath(path, baseDir string) string {
+ if strings.TrimSpace(path) == "" {
+ return ""
+ }
+ if filepath.IsAbs(path) {
+ return filepath.Clean(path)
+ }
+ return filepath.Join(baseDir, path)
+}
