diff --git a/bin/pt-archiver b/bin/pt-archiver index a5b1a4618..47e57f879 100755 --- a/bin/pt-archiver +++ b/bin/pt-archiver @@ -2489,7 +2489,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -8121,6 +8121,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --no-ascend Do not use ascending index optimization. @@ -8708,6 +8714,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 EXTENDING diff --git a/bin/pt-config-diff b/bin/pt-config-diff index 08dbc9c6c..75930bc09 100755 --- a/bin/pt-config-diff +++ b/bin/pt-config-diff @@ -2039,7 +2039,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -5813,6 +5813,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -5978,6 +5984,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-deadlock-logger b/bin/pt-deadlock-logger index 190dad575..ab6e33d9d 100755 --- a/bin/pt-deadlock-logger +++ b/bin/pt-deadlock-logger 
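Review bot: Adding `o` to the key list in `get_cxn_params` lets a DSN carry `mysql_ssl_optional=1` next to `mysql_ssl=1`, and nothing at this spot says that the pair turns a required TLS connection into a best-effort one. A comment above the list would make that visible, for example `# o (mysql_ssl_optional) relaxes s (mysql_ssl): with o=1 the driver may connect without TLS`. Because the `grep` only tests `defined`, `o=0` is also written into the DSN string; that looks harmless but is worth confirming against the DBD::mysql version in use. The same one-line change is repeated in every other `bin/pt-*` tool in this diff and in `lib/DSNParser.pm`, and the function body starts and ends outside the hunk.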
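Review bot: The new `--mysql_ssl_optional` entry states what the option does but not what it costs: with it set, a connection requested with `--mysql_ssl 1` can complete without encryption, so credentials and query data may cross the network in clear text and the session is open to a man-in-the-middle downgrade. The option text should say so and say when the option is appropriate, e.g. `Use only when the client library cannot enforce SSL; the connection may fall back to an unencrypted one.` The same wording gap is in the `=item * o` DSN entry further down this file and in the identical POD hunks of the other tools.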
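Review bot: `copy: yes` on the new `o` DSN key presumably makes the relaxed SSL setting propagate to DSNs that do not set it themselves, in the same way as the `s` key just above it. A user who sets `o=1` for one host that cannot do enforced TLS would then also relax enforcement for the other hosts the tool connects to. Consider `copy: no` for this key, or state the propagation in the entry, e.g. `This value is copied to DSNs that do not set it.` The other tools' `=item * o` hunks carry the same `copy: yes`.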
@@ -2386,7 +2386,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -5566,6 +5566,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --numeric-ip Express IP addresses as integers. @@ -5739,6 +5745,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-duplicate-key-checker b/bin/pt-duplicate-key-checker index 381f3b30e..670c8d7db 100755 --- a/bin/pt-duplicate-key-checker +++ b/bin/pt-duplicate-key-checker @@ -873,7 +873,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -5594,6 +5594,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -5774,6 +5780,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-find b/bin/pt-find index 85a9c94d9..658fa32b5 100755 --- a/bin/pt-find +++ b/bin/pt-find 
@@ -265,7 +265,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -4623,6 +4623,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --or Combine tests with OR, not AND. @@ -5161,6 +5167,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-fk-error-logger b/bin/pt-fk-error-logger index d9038ba84..a508553f4 100755 --- a/bin/pt-fk-error-logger +++ b/bin/pt-fk-error-logger @@ -1540,7 +1540,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -4563,6 +4563,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -4727,6 +4733,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-heartbeat b/bin/pt-heartbeat index 6733c0004..7230f744b 100755 --- a/bin/pt-heartbeat +++ b/bin/pt-heartbeat 
@@ -2991,7 +2991,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -7335,6 +7335,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -7655,6 +7661,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-index-usage b/bin/pt-index-usage index e135fa43b..fd9fb6d3a 100755 --- a/bin/pt-index-usage +++ b/bin/pt-index-usage @@ -275,7 +275,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -7326,6 +7326,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -7678,6 +7684,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-kill b/bin/pt-kill index 604e906bb..06fe29bf2 100755 --- a/bin/pt-kill +++ b/bin/pt-kill 
@@ -2043,7 +2043,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -8756,6 +8756,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --print group: Actions @@ -8844,6 +8850,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-online-schema-change b/bin/pt-online-schema-change index 4c3b2dfaf..d9018d372 100755 --- a/bin/pt-online-schema-change +++ b/bin/pt-online-schema-change @@ -2293,7 +2293,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -13439,6 +13439,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --preserve-triggers Preserves old triggers when specified. @@ -14161,6 +14167,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-query-digest b/bin/pt-query-digest index bf51c82b2..abaab823c 100755 --- a/bin/pt-query-digest +++ b/bin/pt-query-digest 
@@ -943,7 +943,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -16207,6 +16207,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --order-by type: Array; default: Query_time:sum @@ -16937,6 +16943,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-replica-find b/bin/pt-replica-find index c9939652a..8e0b0069b 100755 --- a/bin/pt-replica-find +++ b/bin/pt-replica-find @@ -1971,7 +1971,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -4461,6 +4461,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -4698,6 +4704,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-replica-restart b/bin/pt-replica-restart index 1b4049412..606fb3b25 100755 --- a/bin/pt-replica-restart +++ b/bin/pt-replica-restart 
@@ -2385,7 +2385,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -6053,6 +6053,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -6396,6 +6402,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-show-grants b/bin/pt-show-grants index d3e96ed65..e6e518cfb 100755 --- a/bin/pt-show-grants +++ b/bin/pt-show-grants @@ -1315,7 +1315,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } diff --git a/bin/pt-slave-delay b/bin/pt-slave-delay index b973bad22..b36b6fd0c 100755 --- a/bin/pt-slave-delay +++ b/bin/pt-slave-delay @@ -2037,7 +2037,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } diff --git a/bin/pt-table-checksum b/bin/pt-table-checksum index 7493e347e..a94b8766e 100755 --- a/bin/pt-table-checksum +++ b/bin/pt-table-checksum 
@@ -1581,7 +1581,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -13784,6 +13784,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string; group: Connection @@ -14365,6 +14371,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-table-sync b/bin/pt-table-sync index 392b948e9..394362964 100755 --- a/bin/pt-table-sync +++ b/bin/pt-table-sync @@ -2207,7 +2207,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -12922,6 +12922,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -13332,6 +13338,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-table-usage b/bin/pt-table-usage index eeb25ca72..78fd23e99 100755 --- a/bin/pt-table-usage +++ b/bin/pt-table-usage 
@@ -217,7 +217,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -8385,6 +8385,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -8543,6 +8549,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-upgrade b/bin/pt-upgrade index 5b1cdc237..7aa481373 100755 --- a/bin/pt-upgrade +++ b/bin/pt-upgrade @@ -940,7 +940,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -11215,6 +11215,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -11479,6 +11485,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-variable-advisor b/bin/pt-variable-advisor index ee0152cfc..30ecca956 100755 --- a/bin/pt-variable-advisor +++ b/bin/pt-variable-advisor 
@@ -2040,7 +2040,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -6171,6 +6171,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -6337,6 +6343,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/bin/pt-visual-explain b/bin/pt-visual-explain index 849275c52..d9356b17b 100755 --- a/bin/pt-visual-explain +++ b/bin/pt-visual-explain @@ -2001,7 +2001,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } @@ -4032,6 +4032,12 @@ short form: -s; type: int Create SSL MySQL connection. +=item --mysql_ssl_optional + +short form: -o; type: int + +Disables strict SSL enforcement and makes SSL connection optional. + =item --password short form: -p; type: string @@ -4156,6 +4162,12 @@ dsn: mysql_ssl; copy: yes Create SSL connection +=item * o + +dsn: mysql_ssl_optional; copy: yes + +Disables strict SSL enforcement and makes SSL connection optional + =back =head1 ENVIRONMENT diff --git a/lib/DSNParser.pm b/lib/DSNParser.pm index c5f81ff5a..9f9ac570a 100644 --- a/lib/DSNParser.pm +++ b/lib/DSNParser.pm 
@@ -243,7 +243,7 @@ sub get_cxn_params { $dsn = 'DBI:mysql:' . ( $info->{D} || '' ) . ';' . join(';', map { "$opts{$_}->{dsn}=$info->{$_}" } grep { defined $info->{$_} } - qw(F h P S A s)) + qw(F h P S A s o)) . ';mysql_read_default_group=client' . ($info->{L} ? ';mysql_local_infile=1' : ''); } diff --git a/lib/Sandbox.pm b/lib/Sandbox.pm index 26fdab8ad..189fe6c4d 100644 --- a/lib/Sandbox.pm +++ b/lib/Sandbox.pm @@ -134,12 +134,7 @@ sub create_dbs { sub get_dbh_for { my ( $self, $server, $cxn_ops, $user ) = @_; _check_server($server); - if ($ENV{FORK} || "" eq 'mariadb') { - $cxn_ops ||= { AutoCommit => 1, mysql_enable_utf8 => 1, mysql_ssl => 0 }; - } - else { - $cxn_ops ||= { AutoCommit => 1, mysql_enable_utf8 => 1, mysql_ssl => 1 }; - } + $cxn_ops ||= { AutoCommit => 1, mysql_enable_utf8 => 1, mysql_ssl => 1, mysql_ssl_optional => 1 }; $user ||= 'msandbox'; PTDEBUG && _d('dbh for', $server, 'on port', $port_for{$server}); my $dp = $self->{DSNParser}; diff --git a/t/pt-archiver/ssl.t b/t/pt-archiver/ssl.t index 54de6e2bf..1c51e5f4e 100644 --- a/t/pt-archiver/ssl.t +++ b/t/pt-archiver/ssl.t @@ -29,6 +29,19 @@ elsif ( $sandbox_version lt '8.0' ) { my ($output, $exit_code); my $cnf = "/tmp/12345/my.sandbox.cnf"; +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_archiver::main('--source', "F=$cnf,h=127.1,P=12345,D=sakila,t=film,u=msandbox,p=msandbox,s=1", + qw(--no-check-charset --purge --dry-run --port 12345), + "--where", "film_id < 100") + }, + stderr => 1, +); + +if ( $exit_code != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->do_as_root( 'source', q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, 
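Review bot: The default `$cxn_ops` in `get_dbh_for` now sets `mysql_ssl_optional => 1` for every sandbox handle, so the test harness no longer requires TLS on any build, not only in the `mariadb` case the removed branch handled. A regression that breaks TLS negotiation would then leave these handles connecting unencrypted without the harness noticing. If the aim is only to keep a MariaDB-linked DBD::mysql working, keep enforcement as the default and relax it for that case alone, or record that the fallback is deliberate with a comment such as `# mysql_ssl_optional: sandbox handles may fall back to plain text; SSL itself is asserted in t/*/ssl.t`. The rest of `get_dbh_for` is outside the hunk.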
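Review bot: The probe's skip condition `$exit_code != 0 || $output =~ /.../` skips the whole SSL test file on any failure of the `s=1` connection, not only on the MariaDB-library message. A server whose TLS is broken or misconfigured would therefore turn this file into a skip instead of a failure, which is the situation these tests exist to catch. Skipping only on the message match, `if ( $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) {`, keeps other failures visible. The same condition is added in the `ssl.t` files for pt-config-diff, pt-deadlock-logger, pt-duplicate-key-checker and pt-find.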
@@ -154,6 +167,66 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +($output, $exit_code) = full_output( + sub { + pt_archiver::main('--source', "F=$cnf,h=127.1,P=12345,D=sakila,t=film,u=sha256_user,p=sha256_user%password,s=1,o=1", + qw(--no-check-charset --purge --dry-run --port 12345), + "--where", "film_id < 100") + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password and option --mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl_optional' +) or diag($output); + +like( + $output, + qr/DELETE FROM `sakila`.`film` WHERE/, + 'Queries printed with option --mysql_ssl_optional' +) or diag($output); + +($output, $exit_code) = full_output( + sub { + pt_archiver::main('--source=t=film', + qw(--host 127.1 --port 12345 -D sakila), + qw(--user sha256_user --password sha256_user%password --mysql_ssl 1 --mysql_ssl_optional 1), + qw(--no-check-charset --purge --dry-run --port 12345), + "--where", "film_id < 100") + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password and option --mysql_ssl" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl and --mysql_ssl_optional' +) or diag($output); + +like( + $output, + qr/DELETE FROM `sakila`.`film` WHERE/, + 'Queries printed with option --mysql_ssl' +) or diag($output); + # 
############################################################################# # Done. # ############################################################################# diff --git a/t/pt-config-diff/ssl.t b/t/pt-config-diff/ssl.t index 46c472249..405552463 100644 --- a/t/pt-config-diff/ssl.t +++ b/t/pt-config-diff/ssl.t @@ -30,6 +30,18 @@ elsif ( $sandbox_version lt '8.0' ) { my ($output, $exit_code); my $cnf = "/tmp/12345/my.sandbox.cnf"; +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_config_diff::main( + 'h=127.1,P=12345,u=msandbox,p=msandbox,s=1', 'h=127.1') + }, + stderr => 1, +); + +if ( $exit_code != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->do_as_root( 'source', q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password'/, 
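Review bot: The new `mysql_ssl_optional` cases assert only a zero exit code, the absence of the `caching_sha2_password` error and the usual output, which are the assertions an `s=1` run without `o=1` would presumably pass as well. As far as the hunk shows, the sandbox server supports TLS, so nothing here distinguishes the option being honoured from it being ignored, and nothing checks whether the session ended up encrypted. A comment would at least record that limit, e.g. `# These cases only prove that o=1 is accepted; they do not exercise the plain-text fallback.` The matching blocks added to the pt-config-diff, pt-deadlock-logger, pt-duplicate-key-checker and pt-find `ssl.t` files have the same shape.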
@@ -145,6 +157,62 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +($output, $exit_code) = full_output( + sub { pt_config_diff::main( + 'h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1,o=1', 'h=127.1') + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password and option --mysql_ssl_optional 1" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl_optional 1' +) or diag($output); + +is( + $output, + "", + "No output when no diff" +) or diag($output); + +($output, $exit_code) = full_output( + sub { pt_config_diff::main( + qw(--host 127.1 --port 12345 --user sha256_user), + qw(--password sha256_user%password --mysql_ssl 1 --mysql_ssl_optional 1), + 'h=127.1') + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password and option --mysql_ssl and --mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl and --mysql_ssl_optional' +) or diag($output); + +is( + $output, + "", + "No output when no diff and option --mysql_ssl" +) or diag($output); + # ############################################################################# # Done. # ############################################################################# diff --git a/t/pt-deadlock-logger/ssl.t b/t/pt-deadlock-logger/ssl.t index 581985671..6cb75a74d 100644 --- a/t/pt-deadlock-logger/ssl.t +++ b/t/pt-deadlock-logger/ssl.t 
@@ -31,6 +31,19 @@ my ($output, $exit_code); my $dsn = $sb->dsn_for('source'); my @args = ($dsn, qw(--iterations 1)); +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_deadlock_logger::main("h=127.1,P=12345,D=sakila,t=film,u=msandbox,p=msandbox,s=1", + qw(--iterations 1) + ); + }, + stderr => 1, +); + +if ( $exit_code != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $dbh1->commit; $dbh2->commit; $sb->wipe_clean($dbh1); @@ -192,6 +205,7 @@ like( qr/127\.1.+msandbox.+GEN_CLUST_INDEX/, 'Deadlock logger prints the output with option --mysql_ssl' ) or diag($output); + ($output, $exit_code) = full_output( sub { pt_deadlock_logger::main("F=t/pt-archiver/samples/pt-191.cnf,h=127.1,P=12345,D=sakila,t=film,u=sha256_user,p=sha256_user%password,s=1", 
@@ -232,6 +246,64 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +($output, $exit_code) = full_output( + sub { + pt_deadlock_logger::main("h=127.1,P=12345,D=sakila,t=film,u=sha256_user,p=sha256_user%password,s=1,o=1", + qw(--iterations 1)); + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password and option --mysql_ssl_optional 1" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl_optional 1' +) or diag($output); + +like( + $output, + qr/127\.1.+msandbox.+GEN_CLUST_INDEX/, + 'Deadlock logger prints the output with option --mysql_ssl_optional 1' +) or diag($output); + +($output, $exit_code) = full_output( + sub { + pt_deadlock_logger::main( + qw(--host 127.1 --port 12345 --user sha256_user), + qw(--password sha256_user%password --mysql_ssl 1 --mysql_ssl_optional 1), + qw(--iterations 1)); + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password with option --mysql_ssl and --mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl and --mysql_ssl_optional' +) or diag($output); + +like( + $output, + qr/127\.1.+msandbox.+GEN_CLUST_INDEX/, + 'Deadlock logger prints the output with option --mysql_ssl and --mysql_ssl_optional' +) or diag($output); + # ############################################################################# # Done. 
# ############################################################################# diff --git a/t/pt-duplicate-key-checker/ssl.t b/t/pt-duplicate-key-checker/ssl.t index d79d9abee..53826e74d 100644 --- a/t/pt-duplicate-key-checker/ssl.t +++ b/t/pt-duplicate-key-checker/ssl.t @@ -32,6 +32,13 @@ my $sample = "t/pt-duplicate-key-checker/samples/"; my $cnf = "/tmp/12345/my.sandbox.cnf"; my $cmd = "$trunk/bin/pt-duplicate-key-checker -F $cnf -h 127.1"; +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +$output = `$cmd -d mysql -t columns_priv -v P=12345,u=msandbox,p=msandbox,s=1 2>&1`; + +if ( $? != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->wipe_clean($dbh); $sb->create_dbs($dbh, ['test']); 
@@ -148,6 +155,64 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +$output = `$cmd -d mysql -t columns_priv -v P=12345,u=sha256_user,p=sha256_user%password,s=1,o=1`; + +is( + $?, + 0, + "No error for user, identified with caching_sha2_password with option --mysql_ssl_optional 1" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl_optional 1' +) or diag($output); + +# In version 8.0 order of columns in the index changed +if ($sandbox_version ge '8.0') { + like($output, + qr/PRIMARY \(`Host`,`User`,`Db`,`Table_name`,`Column_name`\)/, + 'Finds mysql.columns_priv PK with option --mysql_ssl_optional 1' + ); +} else { + like($output, + qr/PRIMARY \(`Host`,`Db`,`User`,`Table_name`,`Column_name`\)/, + 'Finds mysql.columns_priv PK with option --mysql_ssl_optional 1' + ); +} + +$output = `$cmd -d mysql -t columns_priv -v --host 127.1 --port 12345 --user sha256_user --password=sha256_user%password --mysql_ssl=1 --mysql_ssl_optional=1`; + +is( + $?, + 0, + "No error for user, identified with caching_sha2_password with option --mysql_ssl=1 and --mysql_ssl_optional=1" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl=1 and --mysql_ssl_optional=1' +) or diag($output); + +# In version 8.0 order of columns in the index changed +if ($sandbox_version ge '8.0') { + like($output, + qr/PRIMARY \(`Host`,`User`,`Db`,`Table_name`,`Column_name`\)/, + 'Finds mysql.columns_priv PK with option --mysql_ssl=1 and 
--mysql_ssl_optional=1' + ); +} else { + like($output, + qr/PRIMARY \(`Host`,`Db`,`User`,`Table_name`,`Column_name`\)/, + 'Finds mysql.columns_priv PKi with option --mysql_ssl=1 and --mysql_ssl_optional=1' + ); +} + # ############################################################################# # Done. # ############################################################################# diff --git a/t/pt-find/ssl.t b/t/pt-find/ssl.t index eee18d4f4..7648137b2 100644 --- a/t/pt-find/ssl.t +++ b/t/pt-find/ssl.t @@ -31,6 +31,13 @@ my $output; my $cnf = '/tmp/12345/my.sandbox.cnf'; my $cmd = "$trunk/bin/pt-find"; +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +$output = `$cmd -F $cnf --host=127.0.0.1 --port=12345 mysql --tblregex column --user=msandbox --password=msandbox --mysql_ssl=1 2>&1`; + +if ( $? != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->do_as_root( 'source', q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, @@ -48,7 +55,7 @@ isnt( like( $output, qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, - 'No secure connection error raised when SSL connection used' + 'Secure connection error raised when no SSL connection used' ) or diag($output); $output = `$cmd -F $cnf --host=127.0.0.1 --port=12345 mysql --tblregex column --user=sha256_user --password=sha256_user%password --mysql_ssl=1 2>&1`; 
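Review bot: The two backtick commands added in the pt-duplicate-key-checker hunk do not redirect stderr, unlike the probe added at the top of the same file (`... s=1 2>&1`), so if the tool reports the authentication error on stderr the `unlike` checks pass without having seen it. Appending `2>&1` to both commands makes those checks meaningful. The last test description also has a typo, `PKi` for `PK`.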
@@ -62,7 +69,7 @@ is( unlike( $output, qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, - 'Secure connection error raised when no SSL connection used' + 'No secure connection error raised when SSL connection used' ) or diag($output); like($output, qr/`mysql`.`columns_priv`/, 'Found mysql.columns_priv'); 
@@ -121,6 +128,49 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +$output = `$cmd -F $cnf --host=127.0.0.1 --port=12345 mysql --tblregex column --user=sha256_user --password=sha256_user%password --mysql_ssl=1 --mysql_ssl_optional=1 2>&1`; + +is( + $?, + 0, + "Error not raised when SSL connection is used with mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error raised when SSL connection used with mysql_ssl_optional' +) or diag($output); + +like($output, qr/`mysql`.`columns_priv`/, 'Found mysql.columns_priv with mysql_ssl_optional'); + +$output = `$cmd -F $cnf --host=127.0.0.1 --port=12345 mysql --tblregex column --user=sha256_user --password=sha256_user%password --mysql_ssl=1 --mysql_ssl_optional=1 --exec-dsn=h=127.1,P=12346,u=sha256_user,p=sha256_user%password,s=1,o=1 --exec-plus "INSERT INTO test.pt_find_ssl() SELECT COUNT(*) FROM %s" 2>&1`; + +is( + $?, + 0, + "Error not raised when SSL connection is used with DSN and mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error raised when SSL connection used with DSN and mysql_ssl_optional' +) or diag($output); + +$output = `/tmp/12346/use -N -e "SELECT COUNT(*) FROM test.pt_find_ssl"`; +chomp($output); + +is( + $output, + 2, + 'DSN option s works with pt-find and mysql_ssl_optional' +) or diag($output); + # ############################################################################# # Done. 
# ############################################################################# diff --git a/t/pt-fk-error-logger/ssl.t b/t/pt-fk-error-logger/ssl.t index c7b234436..17f1bc635 100644 --- a/t/pt-fk-error-logger/ssl.t +++ b/t/pt-fk-error-logger/ssl.t @@ -35,6 +35,17 @@ my $cnf = '/tmp/12345/my.sandbox.cnf'; my $cmd = "$trunk/bin/pt-fk-error-logger -F $cnf "; my @args = qw(--iterations 1); +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_fk_error_logger::main(@args, 'h=127.1,P=12345,u=msandbox,p=msandbox,s=1'), + }, + stderr => 1, +); + +if ( $exit_code != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->do_as_root( 'source', q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, 
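Review bot: Every new `mysql_ssl_optional` case in this block connects as `sha256_user`, which the file creates with `REQUIRE SSL`, so a zero exit status only shows that the option does not break a connection the server already forces onto TLS. Nothing pins the behaviour the option actually changes, namely what the tool does when encryption is not enforced. A case that connects with `o=1` as an account without `REQUIRE SSL` and checks the session's `Ssl_cipher` status would document whether a cleartext fallback happens. A comment above the block, such as `# o=1 relaxes client-side enforcement only; REQUIRE SSL on the account still rejects cleartext logins`, would make the scope explicit. The same gap applies to the `mysql_ssl_optional` blocks added to the other `ssl.t` files in this commit.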
@@ -160,6 +171,62 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +($output, $exit_code) = full_output( + sub { + pt_fk_error_logger::main(@args, 'h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1,o=1'), + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password with option mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option mysql_ssl_optional' +) or diag($output); + +like( + $output, + qr/Foreign key constraint fails/, + "Prints fk error by default with option mysql_ssl_optional" +); + +($output, $exit_code) = full_output( + sub { + pt_fk_error_logger::main(@args, 'h=127.1', + qw(--port 12345 --user sha256_user), + qw(--password sha256_user%password --mysql_ssl 1 --mysql_ssl_optional 1)) + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password with option mysql_ssl and mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option mysql_ssl and mysql_ssl_optional' +) or diag($output); + +like( + $output, + qr/Foreign key constraint fails/, + "Prints fk error by default with option mysql_ssl and mysql_ssl_optional" +); + # ############################################################################# # Done. # ############################################################################# diff --git a/t/pt-heartbeat/ssl.t b/t/pt-heartbeat/ssl.t index 22582f573..81542d4db 100644 
--- a/t/pt-heartbeat/ssl.t +++ b/t/pt-heartbeat/ssl.t @@ -40,6 +40,18 @@ $dbh->do(q{CREATE TABLE test.heartbeat ( ) ENGINE=MEMORY}); $sb->wait_for_replicas; +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_heartbeat::main("F=$cnf,h=127.1,P=12345,u=msandbox,p=msandbox,s=1", + qw(-D test --check)), + }, + stderr => 1, +); + +if ( $exit_code != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->do_as_root( 'source', q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, 
@@ -152,6 +164,62 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +($output, $exit_code) = full_output( + sub { pt_heartbeat::main("F=$cnf,h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1,o=1", + qw(-D test --check)) }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password with option mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option mysql_ssl_optional' +) or diag($output); + +$row = $dbh->selectall_hashref('select * from test.heartbeat', 'id'); +is( + $row->{1}->{id}, + 1, + "Automatically inserts heartbeat row (issue 1292) with option mysql_ssl_optional" +); + +($output, $exit_code) = full_output( + sub { pt_heartbeat::main( + qw(--host 127.1 --port 12345 --user sha256_user), + qw(--password sha256_user%password --mysql_ssl=1 --mysql_ssl_optional=1), + qw(-D test --check)) }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password with option --mysql_ssl and --mysql_ssl_optional" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl and --mysql_ssl_optional' +) or diag($output); + +$row = $dbh->selectall_hashref('select * from test.heartbeat', 'id'); +is( + $row->{1}->{id}, + 1, + "Automatically inserts heartbeat row (issue 1292) with option --mysql_ssl and --mysql_ssl_optional" +); + # ############################################################################# # Done. 
# ############################################################################# diff --git a/t/pt-index-usage/ssl.t b/t/pt-index-usage/ssl.t index 9db86c489..c4b9d05d9 100644 --- a/t/pt-index-usage/ssl.t +++ b/t/pt-index-usage/ssl.t @@ -35,6 +35,20 @@ my @args = ('-F', $cnf); my $samples = "t/pt-index-usage/samples/"; my ($output, $exit_code); +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_index_usage::main( + @args, + qw(--host=127.1 --port=12345 --user=msandbox --password=msandbox --mysql_ssl=1), + "$trunk/$samples/slow001.txt") + }, + stderr => 1, +); + +if ( $exit_code != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->do_as_root( 'source', q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, 
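Review bot: The two `is( $row->{1}->{id}, 1, ...)` checks in the pt-heartbeat `mysql_ssl_optional` block read `test.heartbeat` through the same `$dbh` the file uses to create the table, not through the `sha256_user` connection under test. The tool is invoked with `--check`, so they appear to pass on a row that existed before the new option was exercised. They add no evidence that the `o=1` / `--mysql_ssl_optional=1` connection worked beyond the exit-code assertion. Asserting on what `--check` writes to `$output` would tie the check to the connection being tested, or the descriptions could say the row is a precondition rather than something this run inserts.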
@@ -182,6 +196,64 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +@args = ('-F', $cnf); + +($output, $exit_code) = full_output( + sub { + pt_index_usage::main( + @args, + qw(--host=127.1 --port=12345 --user=sha256_user --password=sha256_user%password --mysql_ssl=1 --mysql_ssl_optional=1), + "$trunk/$samples/slow001.txt") + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password with option --mysql_ssl_optional 1 --mysql_ssl" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl_optional 1 --mysql_ssl' +) or diag($output); + +like( + $output, + qr/ALTER TABLE `sakila`.`film_text` DROP KEY `idx_title_description`; -- type:non-unique/, + 'A simple query that does not use any indexes with option --mysql_ssl_optional 1 --mysql_ssl', +) or diag($output); + +($output, $exit_code) = full_output( + sub { + pt_index_usage::main( + @args, + qw(--host=127.1 --port=12345 --user=sha256_user --password=sha256_user%password --mysql_ssl=1), + qw(--create-save-results-database), + '--save-results-database=h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1,o=1,D=test', + "$trunk/$samples/slow001.txt") + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password via DSN with option --mysql_ssl_optional 1" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with DSN with option --mysql_ssl_optional 1' +) or diag($output); + # 
############################################################################# # Done. # ############################################################################# diff --git a/t/pt-online-schema-change/option_sanity.t b/t/pt-online-schema-change/option_sanity.t index d53e5b7cd..10d34dd40 100644 --- a/t/pt-online-schema-change/option_sanity.t +++ b/t/pt-online-schema-change/option_sanity.t @@ -57,6 +57,12 @@ like( "--statistics is FALSE by default" ); +like( + $output, + qr/--mysql_ssl_optional/, + "--mysql_ssl_optional option exists in help" +); + $output = `$cmd h=127.1,P=12345,u=msandbox,p=msandbox --alter-foreign-keys-method drop_swap --no-drop-new-table`; like( $output, diff --git a/t/pt-online-schema-change/ssl.t b/t/pt-online-schema-change/ssl.t index 584d0a428..1e3faba3a 100644 --- a/t/pt-online-schema-change/ssl.t +++ b/t/pt-online-schema-change/ssl.t @@ -41,6 +41,21 @@ my $output; my $exit_code; my $sample = "t/pt-online-schema-change/samples/"; +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,D=sakila,t=actor,u=msandbox,p=msandbox,s=1", + "--alter", "force", + "--alter-foreign-keys-method", "auto", + qw(--dry-run --no-check-alter)), + }, + stderr => 1, +); + +if ( $exit_code != 0 || $output =~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test does not work with DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + $sb->do_as_root( 'source', q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, 
@@ -179,6 +194,57 @@ like( 'SSL connection error with incorrect SSL options in the configuration file' ) or diag($output); +# ############################################################################# +# Test mysql_ssl_optional option +# ############################################################################# + +# Restoring environment for the new test +$sb->load_file('source', "$sample/del-trg-bug-1103672.sql"); + +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,D=test,t=t1,u=sha256_user,p=sha256_user%password,s=1,o=1", + "--alter", "drop primary key, add column _id int unsigned not null primary key auto_increment FIRST", + qw(--execute --no-check-alter)), + }, +); + +is( + $exit_code, + 0, + "No error when using mysql_ssl_optional DSN parameter (o=1)" +) or diag($output); + +like( + $output, + qr/Successfully altered `test`.`t1`/, + "DROP PRIMARY KEY with mysql_ssl_optional DSN parameter" +); + +# Restoring environment for the new test +$sb->load_file('source', "$sample/del-trg-bug-1103672.sql"); + +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,D=test,t=t1", + qw(--user sha256_user --password sha256_user%password --mysql_ssl_optional 1 --mysql_ssl 1), + "--alter", "drop primary key, add column _id int unsigned not null primary key auto_increment FIRST", + qw(--execute --no-check-alter)), + }, +); + +is( + $exit_code, + 0, + "No error when using --mysql_ssl_optional option" +) or diag($output); + +like( + $output, + qr/Successfully altered `test`.`t1`/, + "DROP PRIMARY KEY with --mysql_ssl_optional option" +); + # ############################################################################# # Done. # ############################################################################# diff --git a/t/pt-online-schema-change/ssl_optional.t b/t/pt-online-schema-change/ssl_optional.t new file mode 100644 index 000000000..c4e9c1371 --- /dev/null 
+++ b/t/pt-online-schema-change/ssl_optional.t 
@@ -0,0 +1,204 @@ +#!/usr/bin/env perl + +BEGIN { + die "The PERCONA_TOOLKIT_BRANCH environment variable is not set.\n" + unless $ENV{PERCONA_TOOLKIT_BRANCH} && -d $ENV{PERCONA_TOOLKIT_BRANCH}; + unshift @INC, "$ENV{PERCONA_TOOLKIT_BRANCH}/lib"; +}; + +use strict; +use warnings FATAL => 'all'; +use English qw(-no_match_vars); +use Test::More; + +use Data::Dumper; +use PerconaTest; +use Sandbox; + +require "$trunk/bin/pt-online-schema-change"; + +my $dp = new DSNParser(opts=>$dsn_opts); +my $sb = new Sandbox(basedir => '/tmp', DSNParser => $dp); +my $source_dbh = $sb->get_dbh_for('source'); +my $replica_dbh = $sb->get_dbh_for('replica1'); + +if ( !$source_dbh ) { + plan skip_all => 'Cannot connect to sandbox source'; +} +elsif ( !$replica_dbh ) { + plan skip_all => 'Cannot connect to sandbox replica1'; +} +elsif ( $sandbox_version lt '8.0' ) { + plan skip_all => "Requires MySQL 8.0 or newer"; +} + +# The sandbox servers run with lock_wait_timeout=3 and it's not dynamic +# so we need to specify --set-vars innodb_lock_wait_timeout=3 else the +# tool will die. 
+my $source_dsn = 'h=127.1,P=12345'; +my @args = (qw(--set-vars innodb_lock_wait_timeout=3)); +my $output; +my $exit_code; +my $sample = "t/pt-online-schema-change/samples/"; + +# Testing if we are using DBD::mysql compiled with MariaDB library, which does not support enforcing SSL encryption +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,D=sakila,t=actor,u=msandbox,p=msandbox,s=1", + "--alter", "force", + "--alter-foreign-keys-method", "auto", + qw(--dry-run --no-check-alter)), + }, + stderr => 1, +); + +if ( $exit_code == 0 || $output !~ /SSL connection error: Enforcing SSL encryption is not supported/ ) { + plan skip_all => "Test requires DBD::mysql compiled with MariaDB library that does not support enforcing SSL encryption"; +} + +$sb->do_as_root( + 'source', + q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, + q/GRANT ALL ON test.* TO sha256_user@'%'/, + q/GRANT SELECT ON test_ssl.* TO sha256_user@'%'/, + q/GRANT REPLICATION SLAVE ON *.* TO sha256_user@'%'/, + q/GRANT SUPER ON *.* TO sha256_user@'%'/, +); + +# ############################################################################# +# DROP PRIMARY KEY +# ############################################################################# + +$sb->load_file('source', "$sample/del-trg-bug-1103672.sql"); +$sb->load_file('source', "$sample/ssl_dsns.sql"); + +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,D=test,t=t1,u=sha256_user,p=sha256_user%password,s=0", + "--alter", "drop primary key, add column _id int unsigned not null primary key auto_increment FIRST", + qw(--execute --no-check-alter)), + }, +); + +isnt( + $exit_code, + 0, + "Error raised when SSL connection is not used" +) or diag($output); + +like( + $output, + qr/Access denied/, + 'Secure connection error raised when no SSL connection used' +) or diag($output); + +($output, 
$exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,D=test,t=t1,u=sha256_user,p=sha256_user%password,s=1,o=1", + "--alter", "drop primary key, add column _id int unsigned not null primary key auto_increment FIRST", + qw(--execute --no-check-alter)), + }, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error' +) or diag($output); + +like( + $output, + qr/Successfully altered `test`.`t1`/, + "DROP PRIMARY KEY" +); + +# Restoring environment for the new test +$sb->load_file('source', "$sample/del-trg-bug-1103672.sql"); + +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,D=test,t=t1", + qw(--user sha256_user --password sha256_user%password --mysql_ssl_optional 1 --mysql_ssl 1), + "--alter", "drop primary key, add column _id int unsigned not null primary key auto_increment FIRST", + qw(--execute --no-check-alter)), + }, +); + +is( + $exit_code, + 0, + "No error for user, identified with caching_sha2_password with option --mysql_ssl_optional 1 --mysql_ssl" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with option --mysql_ssl_optional 1 --mysql_ssl' +) or diag($output); + +like( + $output, + qr/Successfully altered `test`.`t1`/, + "DROP PRIMARY KEY with option --mysql_ssl_optional 1 --mysql_ssl" +); + +# Restoring environment for the new test +$sb->load_file('source', "$sample/del-trg-bug-1103672.sql"); + +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "$source_dsn,F=t/pt-archiver/samples/pt-191.cnf,D=test,t=t1,u=sha256_user,p=sha256_user%password,s=1,o=1", + "--alter", "drop primary key, add column 
_id int unsigned not null primary key auto_increment FIRST", + qw(--execute --no-check-alter), + "--recursion-method=dsn=F=t/pt-archiver/samples/pt-191.cnf,D=test_ssl,t=dsns,h=127.0.0.1,P=12345,u=sha256_user,p=sha256_user%password,s=1,o=1"), + }, + stderr => 1, +); + +is( + $exit_code, + 0, + "No error for SSL options in the configuration file" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with correct SSL options in the configuration file' +) or diag($output); + +($output, $exit_code) = full_output( + sub { pt_online_schema_change::main(@args, + "F=$trunk/t/pt-archiver/samples/pt-191-error.cnf,$source_dsn,D=test,t=t1,u=sha256_user,p=sha256_user%password,s=1,o=1", + "--alter", "drop primary key, add column _id int unsigned not null primary key auto_increment FIRST", + qw(--execute --no-check-alter)), + }, + stderr => 1, +); + +isnt( + $exit_code, + 0, + "Error for invalid SSL options in the configuration file" +) or diag($output); + +like( + $output, + qr/SSL error: key values mismatch/, + 'SSL connection error with incorrect SSL options in the configuration file' +) or diag($output); + +# ############################################################################# +# Done. +# ############################################################################# +$sb->do_as_root('source', q/DROP USER 'sha256_user'@'%'/); + +$sb->wipe_clean($source_dbh); +ok($sb->ok(), "Sandbox servers") or BAIL_OUT(__FILE__ . " broke the sandbox"); +done_testing;
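Review bot: The new file grants `SUPER` and `REPLICATION SLAVE` on `*.*` to `sha256_user@'%'` with a password written in the test, and removes the account only in the last statements of the script. Any `die` before that point (the file runs under `use warnings FATAL => 'all'`) leaves a privileged account on the sandbox server, unless `wipe_clean` also drops users, which is not visible here. Moving the cleanup into an `END` block placed after the `$sb` declaration makes it run on early exits too: `END { $sb->do_as_root('source', q/DROP USER IF EXISTS 'sha256_user'@'%'/) if $source_dbh; }`. Separately, the `s=0` case is described as a secure connection error but asserts only `qr/Access denied/`, which a wrong password would also satisfy, so the description or a comment should say that the message is not TLS-specific.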