Enable support for verify-ca SSL mode for cases when hostname verification is not possible/required #2462

Merged
merged 1 commit into from
Aug 20, 2023
1 change: 1 addition & 0 deletions jobs/director/templates/director.yml.erb
Expand Up @@ -65,6 +65,7 @@ director_db = {
'connection_options' => p('director.db.connection_options'),
'tls' => {
'enabled' => p('director.db.tls.enabled', false),
'skip_host_verify' => p('director.db.tls.skip_host_verify', false),
'cert' => {
'ca' => '/var/vcap/jobs/director/config/db/ca.pem',
'certificate' => '/var/vcap/jobs/director/config/db/client_certificate.pem',
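Review bot: The template now reads `director.db.tls.skip_host_verify` via `p(..., false)`, but this PR touches no job property spec, so unless the property is already declared there the value an operator sets in the manifest may never reach the template and the `false` default would silently win; worth confirming before merge. Because this knob weakens certificate verification, its spec description should say exactly what it trades away, e.g. `description: "When true, the database server certificate is still validated against the configured CA but its host name is not checked (verify-ca / verify_ca instead of verify-full / verify_identity). Leave false unless the database host name cannot be made to match its certificate."`. The surrounding `director_db` hash starts and ends outside the hunk.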
30 changes: 30 additions & 0 deletions spec/director.yml.erb_spec.rb
Expand Up @@ -419,6 +419,36 @@
end
end

context 'when director.db.tls.skip_host_verify is true' do
before do
merged_manifest_properties['director']['db']['tls']['skip_host_verify'] = true
end

it 'configures enabled TLS for database property' do
expect(parsed_yaml['db']['tls']['skip_host_verify']).to be_truthy
end
end

context 'when director.db.tls.skip_host_verify is false' do
before do
merged_manifest_properties['director']['db']['tls']['skip_host_verify'] = false
end

it 'configures disables TLS for database property' do
expect(parsed_yaml['db']['tls']['skip_host_verify']).to be_falsey
end
end

context 'when director.db.tls.skip_host_verify is not defined' do
before do
merged_manifest_properties['director']['db']['tls'].delete('skip_host_verify')
end

it 'configures disables TLS for database property' do
expect(parsed_yaml['db']['tls']['skip_host_verify']).to be_falsey
end
end

context 'when director.db.tls.cert.ca is provided' do
it 'set bosh_internal ca_provided to true' do
expect(parsed_yaml['db']['tls']['bosh_internal']['ca_provided']).to be_truthy
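Review bot: The example descriptions at the `it` lines do not match what is asserted: the `false` and undefined contexts say `'configures disables TLS for database property'` and the `true` context says `'configures enabled TLS for database property'`, yet each example only checks the rendered `skip_host_verify` flag, not whether TLS is on. Misnamed examples are confusing in a failure report for a security setting; suggested wording is `it 'renders skip_host_verify as true'`, `it 'renders skip_host_verify as false'` and, for the undefined case, `it 'defaults skip_host_verify to false'`. The enclosing `describe` block starts outside the hunk.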
4 changes: 2 additions & 2 deletions src/bosh-director/lib/bosh/director/config.rb
Expand Up @@ -326,14 +326,14 @@ def configure_db(db_config)
case connection_config['adapter']
when 'mysql2'
# http://sequel.jeremyevans.net/rdoc/files/doc/opening_databases_rdoc.html#label-mysql+
connection_config['ssl_mode'] = 'verify_identity'
connection_config['ssl_mode'] = tls_options.fetch('skip_host_verify', false) ? 'verify_ca' : 'verify_identity'
connection_config['sslverify'] = true
connection_config['sslca'] = db_ca_path if db_ca_provided
connection_config['sslcert'] = db_client_cert_path if mutual_tls_enabled
connection_config['sslkey'] = db_client_private_key_path if mutual_tls_enabled
when 'postgres'
# http://sequel.jeremyevans.net/rdoc/files/doc/opening_databases_rdoc.html#label-postgres
connection_config['sslmode'] = 'verify-full'
connection_config['sslmode'] = tls_options.fetch('skip_host_verify', false) ? 'verify-ca' : 'verify-full'
connection_config['sslrootcert'] = db_ca_path if db_ca_provided

postgres_driver_options = {
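Review bot: Both new ternaries select the weaker mode on mere truthiness of `tls_options.fetch('skip_host_verify', false)`, so if the value ever arrives as a non-boolean (a string such as `'false'`, for instance) the downgrade to `verify-ca` / `verify_ca` is taken; for a setting that relaxes verification it is safer to fail closed with an explicit boolean check such as `skip_host_verify = tls_options.fetch('skip_host_verify', false) == true` computed once above the `case` and reused in both branches. The same duplicated expression appears in the `mysql2` and `postgres` branches, which is the natural place to hoist it. It would also help operators to have the intent stated in code, e.g. `# verify-ca/verify_ca still validates the server chain against sslrootcert/sslca but skips the host-name match; only verify-full/verify_identity checks the name.`, and to emit a log line when the weaker mode is active so the downgrade is visible in director logs. `configure_db` starts and ends outside the hunk.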
77 changes: 77 additions & 0 deletions src/bosh-director/spec/unit/config_spec.rb
Expand Up @@ -967,6 +967,45 @@
end
end
end

context 'when skip_host_verify is enabled' do
it_behaves_like 'db connects with custom parameters' do
let(:config) do
{
'adapter' => 'postgres',
'host' => '127.0.0.1',
'port' => 5432,
'tls' => {
'enabled' => true,
'cert' => {
'ca' => '/path/to/root/ca',
'certificate' => '/path/to/client/certificate',
'private_key' => '/path/to/client/private_key',
},
'skip_host_verify' => true,
'bosh_internal' => {
'ca_provided' => true,
'mutual_tls_enabled' => true,
},
},
}
end

let(:connection_parameters) do
{
'adapter' => 'postgres',
'host' => '127.0.0.1',
'port' => 5432,
'sslmode' => 'verify-ca',
'sslrootcert' => '/path/to/root/ca',
'driver_options' => {
'sslcert' => '/path/to/client/certificate',
'sslkey' => '/path/to/client/private_key',
},
}
end
end
end
end

context 'mysql2' do
Expand Down Expand Up @@ -1113,6 +1152,44 @@
end
end
end

context 'when skip_host_verify is enabled' do
it_behaves_like 'db connects with custom parameters' do
let(:config) do
{
'adapter' => 'mysql2',
'host' => '127.0.0.1',
'port' => 3306,
'tls' => {
'enabled' => true,
'skip_host_verify' => true,
'cert' => {
'ca' => '/path/to/root/ca',
'certificate' => '/path/to/client/certificate',
'private_key' => '/path/to/client/private_key',
},
'bosh_internal' => {
'ca_provided' => true,
'mutual_tls_enabled' => true,
},
},
}
end

let(:connection_parameters) do
{
'adapter' => 'mysql2',
'host' => '127.0.0.1',
'port' => 3306,
'ssl_mode' => 'verify_ca',
'sslca' => '/path/to/root/ca',
'sslverify' => true,
'sslcert' => '/path/to/client/certificate',
'sslkey' => '/path/to/client/private_key',
}
end
end
end
end
end
end
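Review bot: Both added `'when skip_host_verify is enabled'` contexts (the postgres one in the first hunk and the mysql2 one in the second) pin only the `true` case; nothing in these hunks asserts that `'skip_host_verify' => false` or an absent key keeps `'sslmode' => 'verify-full'` and `'ssl_mode' => 'verify_identity'`. Unless the contexts above the hunk already cover that, a sibling context per adapter with `'skip_host_verify' => false` and the strict expected parameters would guard the fail-closed default against a future regression in the ternary. The enclosing `describe` blocks start outside both hunks.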