WL10770: Ensure all Session connections are secure by default

amitab · amitab · commit e619b5135809 · 2017-06-02T20:10:21.000+05:30
Option ssl-enable is replaced by ssl-mode with the following possible values:
1. required (default)
2. disabled
3. verify_ca (ssl-ca is required)
4. verify_identity (ssl-ca is required)

All values are case-insensitive.
Tests have been added for regression.
diff --git a/lib/mysqlx/__init__.py b/lib/mysqlx/__init__.py
@@ -28,6 +28,7 @@
 
 from .compat import STRING_TYPES, urlparse, unquote, parse_qsl
 from .connection import Session
+from .constants import SSLMode
 from .crud import Schema, Collection, Table, View
 from .dbdoc import DbDoc
 from .errors import (Error, Warning, InterfaceError, DatabaseError,
@@ -45,6 +46,7 @@
 
 _SPLIT = re.compile(r',(?![^\(\)]*\))')
 _PRIORITY = re.compile(r'^\(address=(.+),priority=(\d+)\)$', re.VERBOSE)
+ssl_opts = ["ssl-cert", "ssl-ca", "ssl-key", "ssl-crl"]
 
 def _parse_address_list(path):
     """Parses a list of host, port pairs
@@ -114,8 +116,14 @@ def _parse_connection_uri(uri):
     else:
         settings.update(_parse_address_list(host))
 
-    for opt, val in dict(parse_qsl(query_str, True)).items():
-        settings[opt] = unquote(val.strip("()")) or True
+    for key, val in parse_qsl(query_str, True):
+        opt = key.lower()
+        if opt in settings:
+            raise InterfaceError("Duplicate option '{0}'.".format(key))
+        if opt in ssl_opts:
+            settings[opt] = unquote(val.strip("()"))
+        else:
+            settings[opt] = val.lower()
     return settings
 
 def _validate_settings(settings):
@@ -127,6 +135,33 @@ def _validate_settings(settings):
     Args:
         settings: dict containing connection settings.
     """
+    if "routers" in settings:
+        for router in settings["routers"]:
+            _validate_hosts(router)
+    elif "host" in settings:
+        _validate_hosts(settings)
+
+    if "ssl-mode" in settings and settings["ssl-mode"] not in SSLMode:
+        raise InterfaceError("Invalid SSL Mode '{0}'."
+                             "".format(settings["ssl-mode"]))
+    elif settings.get("ssl-mode") == SSLMode.DISABLED and \
+        any(key in settings for key in ssl_opts):
+        raise InterfaceError("SSL options used with ssl-mode 'disabled'.")
+
+    if "ssl-crl" in settings and not "ssl-ca" in settings:
+        raise InterfaceError("CA Certificate not provided.")
+    if "ssl-key" in settings and not "ssl-cert" in settings:
+        raise InterfaceError("Client Certificate not provided.")
+
+    if not "ssl-ca" in settings and settings.get("ssl-mode") \
+        in [SSLMode.VERIFY_IDENTITY, SSLMode.VERIFY_CA]:
+        raise InterfaceError("Cannot verify Server without CA.")
+    if "ssl-ca" in settings and settings.get("ssl-mode") \
+        not in [SSLMode.VERIFY_IDENTITY, SSLMode.VERIFY_CA]:
+        raise InterfaceError("Must verify Server if CA is provided.")
+
+
+def _validate_hosts(settings):
     if "priority" in settings and settings["priority"]:
         try:
             settings["priority"] = int(settings["priority"])
@@ -163,16 +198,14 @@ def _get_connection_settings(*args, **kwargs):
             settings.update(args[0])
     elif kwargs:
         settings.update(kwargs)
+        for key, val in settings.items():
+            if "_" in key:
+                settings[key.replace("_", "-")] = settings.pop(key)
 
     if not settings:
         raise InterfaceError("Settings not provided")
 
-    if "routers" in settings:
-        for router in settings.get("routers"):
-            _validate_settings(router)
-    else:
-        _validate_settings(settings)
-
+    _validate_settings(settings)
     return settings
 
 def get_session(*args, **kwargs):
diff --git a/lib/mysqlx/connection.py b/lib/mysqlx/connection.py
@@ -31,29 +31,33 @@
 
 import sys
 import socket
+import logging
 
 from functools import wraps
 
 from .authentication import MySQL41AuthPlugin
 from .errors import InterfaceError, OperationalError, ProgrammingError
 from .compat import PY3, STRING_TYPES, UNICODE_TYPES
 from .crud import Schema
+from .constants import SSLMode
 from .protocol import Protocol, MessageReaderWriter
 from .result import Result, RowResult, DocResult
 from .statement import SqlStatement, AddStatement
 
 
 _DROP_DATABASE_QUERY = "DROP DATABASE IF EXISTS `{0}`"
 _CREATE_DATABASE_QUERY = "CREATE DATABASE IF NOT EXISTS `{0}`"
-
+_LOGGER = logging.getLogger("mysqlx")
 
 class SocketStream(object):
     def __init__(self):
         self._socket = None
         self._is_ssl = False
+        self._host = None
 
     def connect(self, params):
         if isinstance(params, tuple):
+            self._host = params[0]
             s_type = socket.AF_INET6 if ":" in params[0] else socket.AF_INET
         else:
             s_type = socket.AF_UNIX
@@ -84,39 +88,46 @@ def close(self):
         self._socket.close()
         self._socket = None
 
-    def set_ssl(self, ssl_opts={}):
+    def set_ssl(self, ssl_mode, ssl_ca, ssl_crl, ssl_cert, ssl_key):
         if not SSL_AVAILABLE:
             self.close()
             raise RuntimeError("Python installation has no SSL support.")
 
         context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
         context.load_default_certs()
-        if "ssl-ca" in ssl_opts:
+
+        if ssl_ca:
             try:
-                context.load_verify_locations(ssl_opts["ssl-ca"])
+                context.load_verify_locations(ssl_ca)
                 context.verify_mode = ssl.CERT_REQUIRED
-            except (IOError, ssl.SSLError):
+            except (IOError, ssl.SSLError) as err:
                 self.close()
-                raise InterfaceError("Invalid CA certificate.")
-        if "ssl-crl" in ssl_opts:
+                raise InterfaceError("Invalid CA Certificate: {}".format(err))
+
+        if ssl_crl:
             try:
-                context.load_verify_locations(ssl_opts["ssl-crl"])
-                context.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
-            except (IOError, ssl.SSLError):
+                context.load_verify_locations(ssl_crl)
+                context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
+            except (IOError, ssl.SSLError) as err:
                 self.close()
-                raise InterfaceError("Invalid CRL.")
-        if "ssl-cert" in ssl_opts:
+                raise InterfaceError("Invalid CRL: {}".format(err))
+
+        if ssl_cert:
             try:
-                context.load_cert_chain(ssl_opts["ssl-cert"],
-                    ssl_opts.get("ssl-key", None))
-            except (IOError, ssl.SSLError):
+                context.load_cert_chain(ssl_cert, ssl_key)
+            except (IOError, ssl.SSLError) as err:
                 self.close()
-                raise InterfaceError("Invalid Client Certificate/Key.")
-        elif "ssl-key" in ssl_opts:
-            self.close()
-            raise InterfaceError("Client Certificate not provided.")
+                raise InterfaceError("Invalid Certificate/Key: {}".format(err))
 
         self._socket = context.wrap_socket(self._socket)
+        if ssl_mode == SSLMode.VERIFY_IDENTITY:
+            try:
+                hostname = socket.gethostbyaddr(self._host)
+                ssl.match_hostname(self._socket.getpeercert(), hostname[0])
+            except ssl.CertificateError as err:
+                self.close()
+                raise InterfaceError("Unable to verify server identity: {}"
+                                     "".format(err))
         self._is_ssl = True
 
 
@@ -223,22 +234,29 @@ def connect(self):
         raise InterfaceError("Failed to connect to any of the routers.", 4001)
 
     def _handle_capabilities(self):
+        if self.settings.get("ssl-mode") == SSLMode.DISABLED:
+            return
+        if "socket" in self.settings:
+            if self.settings.get("ssl-mode"):
+                _LOGGER.warning("SSL not required when using Unix socket.")
+            return
+
         data = self.protocol.get_capabilites().capabilities
         if not (data[0]["name"].lower() == "tls" if data else False):
-            if self.settings.get("ssl-enable", False):
-                self.close()
-                raise OperationalError("SSL not enabled at server.")
-            return
+            self.close()
+            raise OperationalError("SSL not enabled at server.")
 
         if sys.version_info < (2, 7, 9):
-            if self.settings.get("ssl-enable", False):
-                self.close()
-                raise RuntimeError("The support for SSL is not available for "
-                    "this Python version.")
-            return
+            self.close()
+            raise RuntimeError("The support for SSL is not available for "
+                "this Python version.")
 
         self.protocol.set_capabilities(tls=True)
-        self.stream.set_ssl(self.settings)
+        self.stream.set_ssl(self.settings.get("ssl-mode", SSLMode.REQUIRED),
+                            self.settings.get("ssl-ca"),
+                            self.settings.get("ssl-crl"),
+                            self.settings.get("ssl-cert"),
+                            self.settings.get("ssl-key"))
 
     def _authenticate(self):
         plugin = MySQL41AuthPlugin(self._user, self._password)
diff --git a/lib/mysqlx/constants.py b/lib/mysqlx/constants.py
@@ -46,6 +46,9 @@ def create_enum(name, fields, values=None):
 Algorithms = create_enum("Algorithms", ("MERGE", "TMPTABLE", "UNDEFINED"))
 Securities = create_enum("Securities", ("DEFINER", "INVOKER"))
 CheckOptions = create_enum("CheckOptions", ("CASCADED", "LOCAL"))
+SSLMode = create_enum("SSLMode",
+    ("REQUIRED", "DISABLED", "VERIFY_CA", "VERIFY_IDENTITY"),
+    ("required", "disabled", "verify_ca", "verify_identity"))
 
 
 __all__ = ["Algorithms", "Securities", "CheckOptions"]
diff --git a/tests/test_mysqlx_connection.py b/tests/test_mysqlx_connection.py
