Add ability to set ssl_mode. (brianmario#793)

Adam Palmblad · sodabrew · commit deda0c7b6121 · 2016-10-18T11:09:02.000-07:00
This PR adds support for the new MySQL 5.7.3 ssl_mode option and additional ssl_mode options in MySQL 5.7.11 and higher. See the MySQL docs for details: http://dev.mysql.com/doc/refman/5.7/en/mysql-options.html
diff --git a/README.md b/README.md
@@ -203,6 +203,7 @@ Mysql2::Client.new(
   :reconnect = true/false,
   :local_infile = true/false,
   :secure_auth = true/false,
+  :ssl_mode = :disabled / :preferred / :required / :verify_ca / :verify_identity,
   :default_file = '/path/to/my.cfg',
   :default_group = 'my.cfg section',
   :init_command => sql
diff --git a/ext/mysql2/client.c b/ext/mysql2/client.c
@@ -83,6 +83,43 @@ struct nogvl_select_db_args {
   char *db;
 };
 
+static VALUE rb_set_ssl_mode_option(VALUE self, VALUE setting) {
+  unsigned long version = mysql_get_client_version();
+
+  if (version < 50703) {
+    rb_warn( "Your mysql client library does not support setting ssl_mode; full support comes with 5.7.11." );
+    return Qnil;
+  }
+#ifdef HAVE_CONST_MYSQL_OPT_SSL_ENFORCE
+  GET_CLIENT(self); 
+  int val = NUM2INT( setting );
+  if (version >= 50703 && version < 50711) {
+    if (val == SSL_MODE_DISABLED || val == SSL_MODE_REQUIRED) {
+      bool b = ( val == SSL_MODE_REQUIRED );
+      int result = mysql_options( wrapper->client, MYSQL_OPT_SSL_ENFORCE, &b );
+      return INT2NUM(result);
+      
+    } else {
+      rb_warn( "MySQL client libraries between 5.7.3 and 5.7.10 only support SSL_MODE_DISABLED and SSL_MODE_REQUIRED" );
+      return Qnil;
+    }
+  }
+#endif
+#ifdef FULL_SSL_MODE_SUPPORT
+  GET_CLIENT(self); 
+  int val = NUM2INT( setting );
+
+  if (val != SSL_MODE_DISABLED && val != SSL_MODE_PREFERRED && val != SSL_MODE_REQUIRED && val != SSL_MODE_VERIFY_CA && val != SSL_MODE_VERIFY_IDENTITY) {
+    rb_raise(cMysql2Error, "ssl_mode= takes DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY, you passed: %d", val );
+  }
+  int result = mysql_options( wrapper->client, MYSQL_OPT_SSL_MODE, &val );
+
+  return INT2NUM(result);
+#endif
+#ifdef NO_SSL_MODE_SUPPORT
+  return Qnil;
+#endif
+}
 /*
  * non-blocking mysql_*() functions that we won't be wrapping since
  * they do not appear to hit the network nor issue any interruptible
@@ -1337,6 +1374,7 @@ void init_mysql2_client() {
   rb_define_private_method(cMysql2Client, "default_group=", set_read_default_group, 1);
   rb_define_private_method(cMysql2Client, "init_command=", set_init_command, 1);
   rb_define_private_method(cMysql2Client, "ssl_set", set_ssl_options, 5);
+  rb_define_private_method(cMysql2Client, "ssl_mode=", rb_set_ssl_mode_option, 1);
   rb_define_private_method(cMysql2Client, "initialize_ext", initialize_ext, 0);
   rb_define_private_method(cMysql2Client, "connect", rb_connect, 7);
   rb_define_private_method(cMysql2Client, "_query", rb_query, 2);
@@ -1464,4 +1502,35 @@ void init_mysql2_client() {
   rb_const_set(cMysql2Client, rb_intern("BASIC_FLAGS"),
       LONG2NUM(CLIENT_BASIC_FLAGS));
 #endif
+#ifdef FULL_SSL_MODE_SUPPORT
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_DISABLED"), INT2NUM(SSL_MODE_DISABLED));
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_PREFERRED"), INT2NUM(SSL_MODE_PREFERRED));
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_REQUIRED"), INT2NUM(SSL_MODE_REQUIRED));
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_VERIFY_CA"), INT2NUM(SSL_MODE_VERIFY_CA));
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_VERIFY_IDENTITY"), INT2NUM(SSL_MODE_VERIFY_IDENTITY));
+#endif
+#ifdef HAVE_CONST_MYSQL_OPT_SSL_ENFORCE
+  #define SSL_MODE_DISABLED 1
+  #define SSL_MODE_REQUIRED 3
+  #define HAVE_CONST_SSL_MODE_DISABLED
+  #define HAVE_CONST_SSL_MODE_REQUIRED
+
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_DISABLED"), INT2NUM(SSL_MODE_DISABLED));
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_REQUIRED"), INT2NUM(SSL_MODE_REQUIRED));
+#endif
+#ifndef HAVE_CONST_SSL_MODE_DISABLED
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_DISABLED"), INT2NUM(0));
+#endif
+#ifndef HAVE_CONST_SSL_MODE_PREFERRED
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_PREFERRED"), INT2NUM(0));
+#endif
+#ifndef HAVE_CONST_SSL_MODE_REQUIRED
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_REQUIRED"), INT2NUM(0));
+#endif
+#ifndef HAVE_CONST_SSL_MODE_VERIFY_CA
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_VERIFY_CA"), INT2NUM(0));
+#endif
+#ifndef HAVE_CONST_SSL_MODE_VERIFY_IDENTITY
+  rb_const_set(cMysql2Client, rb_intern("SSL_MODE_VERIFY_IDENTITY"), INT2NUM(0));
+#endif
 }
diff --git a/ext/mysql2/extconf.rb b/ext/mysql2/extconf.rb
@@ -12,6 +12,16 @@ def asplode(lib)
   end
 end
 
+def add_ssl_defines(header)
+  all_modes_found = %w(SSL_MODE_DISABLED SSL_MODE_PREFERRED SSL_MODE_REQUIRED SSL_MODE_VERIFY_CA SSL_MODE_VERIFY_IDENTITY).inject(true) do |m, ssl_mode|
+    m && have_const(ssl_mode, header)
+  end
+  $CFLAGS << ' -DFULL_SSL_MODE_SUPPORT' if all_modes_found
+  # if we only have ssl toggle (--ssl,--disable-ssl) from 5.7.3 to 5.7.10
+  has_no_support = all_modes_found ? false : !have_const('MYSQL_OPT_SSL_ENFORCE', header)
+  $CFLAGS << ' -DNO_SSL_MODE_SUPPORT' if has_no_support
+end
+
 # 2.0-only
 have_header('ruby/thread.h') && have_func('rb_thread_call_without_gvl', 'ruby/thread.h')
 
@@ -87,6 +97,8 @@ def asplode(lib)
   asplode 'mysql.h'
 end
 
+add_ssl_defines([prefix, 'mysql.h'].compact.join('/'))
+
 %w(errmsg.h mysqld_error.h).each do |h|
   header = [prefix, h].compact.join '/'
   asplode h unless have_header header
diff --git a/lib/mysql2/client.rb b/lib/mysql2/client.rb
@@ -47,6 +47,7 @@ def initialize(opts = {})
 
       ssl_options = opts.values_at(:sslkey, :sslcert, :sslca, :sslcapath, :sslcipher)
       ssl_set(*ssl_options) if ssl_options.any?
+      self.ssl_mode = parse_ssl_mode(opts[:ssl_mode]) if opts[:ssl_mode]
 
       case opts[:flags]
       when Array
@@ -87,6 +88,17 @@ def initialize(opts = {})
       connect user, pass, host, port, database, socket, flags
     end
 
+    def parse_ssl_mode(mode)
+      m = mode.to_s.upcase
+      if m.start_with?('SSL_MODE_')
+        return Mysql2::Client.const_get(m) if Mysql2::Client.const_defined?(m)
+      else
+        x = 'SSL_MODE_' + m
+        return Mysql2::Client.const_get(x) if Mysql2::Client.const_defined?(x)
+      end
+      warn "Unknown MySQL ssl_mode flag: #{mode}"
+    end
+
     def parse_flags_array(flags, initial = 0)
       flags.reduce(initial) do |memo, f|
         fneg = f.start_with?('-') ? f[1..-1] : nil
