Merge pull request #1183 from vakuum/master

Can't enable SSL with MariaDB driver library. (#1182)

.github/workflows/build.yml

@@ -31,7 +31,7 @@ jobs:
           - {os: ubuntu-16.04, ruby: 2.4, db: mariadb10.0, allow-failure: true}
           # Comment out due to ci/setup.sh stucking.
           # - {os: ubuntu-18.04, ruby: 2.4, db: mariadb10.1}
-          # `service mysql restart` fails.
+          # Allow failure due to the issue #965, #1165.
           - {os: ubuntu-20.04, ruby: 2.4, db: mariadb10.3, allow-failure: true}
           - {os: ubuntu-18.04, ruby: 2.4, db: mysql57}
           # Allow failure due to the issue #1165.

ci/setup.sh

@@ -72,8 +72,13 @@ fi
 
 # Install MariaDB 10.3 if DB=mariadb10.3
 if [[ -n ${GITHUB_ACTIONS-} && -n ${DB-} && x$DB =~ ^xmariadb10.3 ]]; then
+  sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
+  sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
+  sudo apt-get purge -y 'mysql-common*' 'mysql-client*' 'mysql-server*'
+  sudo mv /etc/mysql "/etc/mysql-$(date +%Y%m%d-%H%M%S)"
+  sudo mv /var/lib/mysql "/var/lib/mysql-$(date +%Y%m%d-%H%M%S)"
   sudo apt-get install -y -o Dpkg::Options::='--force-confnew' mariadb-server mariadb-server-10.3 libmariadb-dev
-  CHANGED_PASSWORD=true
+  CHANGED_PASSWORD_BY_RECREATE=true
 fi
 
 # Install MySQL/MariaDB if OS=darwin

ext/mysql2/client.c

@@ -124,8 +124,8 @@ static VALUE rb_set_ssl_mode_option(VALUE self, VALUE setting) {
 #ifdef HAVE_CONST_MYSQL_OPT_SSL_ENFORCE
   GET_CLIENT(self);
   int val = NUM2INT( setting );
-  // Either MySQL 5.7.3 - 5.7.10, or Connector/C 6.1.3 - 6.1.x
-  if ((version >= 50703 && version < 50711) || (version >= 60103 && version < 60200)) {
+  // Either MySQL 5.7.3 - 5.7.10, or Connector/C 6.1.3 - 6.1.x, or MariaDB 10.x
+  if ((version >= 50703 && version < 50711) || (version >= 60103 && version < 60200) || (version >= 100000 && version < 110000)) {
     if (val == SSL_MODE_DISABLED || val == SSL_MODE_REQUIRED) {
       my_bool b = ( val == SSL_MODE_REQUIRED );
       int result = mysql_options( wrapper->client, MYSQL_OPT_SSL_ENFORCE, &b );

spec/mysql2/client_spec.rb

@@ -131,39 +131,63 @@ def connect(*args)
     expect(Mysql2::Client).to respond_to(:default_query_options)
   end
 
-  it "should be able to connect via SSL options" do
-    ssl = @client.query "SHOW VARIABLES LIKE 'have_ssl'"
-    ssl_uncompiled = ssl.any? { |x| x['Value'] == 'OFF' }
-    pending("DON'T WORRY, THIS TEST PASSES - but SSL is not compiled into your MySQL daemon.") if ssl_uncompiled
-    ssl_disabled = ssl.any? { |x| x['Value'] == 'DISABLED' }
-    pending("DON'T WORRY, THIS TEST PASSES - but SSL is not enabled in your MySQL daemon.") if ssl_disabled
-
-    # You may need to adjust the lines below to match your SSL certificate paths
-    ssl_client = nil
-    option_overrides = {
-      'host'     => 'mysql2gem.example.com', # must match the certificates
-      :sslkey    => '/etc/mysql/client-key.pem',
-      :sslcert   => '/etc/mysql/client-cert.pem',
-      :sslca     => '/etc/mysql/ca-cert.pem',
-      :sslcipher => 'DHE-RSA-AES256-SHA',
-      :sslverify => true,
-    }
-    %i[sslkey sslcert sslca].each do |item|
-      unless File.exist?(option_overrides[item])
-        pending("DON'T WORRY, THIS TEST PASSES - but #{option_overrides[item]} does not exist.")
-        break
+  context "SSL" do
+    before(:example) do
+      ssl = @client.query "SHOW VARIABLES LIKE 'have_ssl'"
+      ssl_uncompiled = ssl.any? { |x| x['Value'] == 'OFF' }
+      ssl_disabled = ssl.any? { |x| x['Value'] == 'DISABLED' }
+      if ssl_uncompiled
+        skip("DON'T WORRY, THIS TEST PASSES - but SSL is not compiled into your MySQL daemon.")
+      elsif ssl_disabled
+        skip("DON'T WORRY, THIS TEST PASSES - but SSL is not enabled in your MySQL daemon.")
+      else
+        %i[sslkey sslcert sslca].each do |item|
+          unless File.exist?(option_overrides[item])
+            skip("DON'T WORRY, THIS TEST PASSES - but #{option_overrides[item]} does not exist.")
+            break
+          end
+        end
       end
     end
-    expect do
-      ssl_client = new_client(option_overrides)
-    end.not_to raise_error
 
-    results = Hash[ssl_client.query('SHOW STATUS WHERE Variable_name LIKE "Ssl_%"').map { |x| x.values_at('Variable_name', 'Value') }]
-    expect(results['Ssl_cipher']).not_to be_empty
-    expect(results['Ssl_version']).not_to be_empty
+    let(:option_overrides) do
+      {
+        'host'     => 'mysql2gem.example.com', # must match the certificates
+        :sslkey    => '/etc/mysql/client-key.pem',
+        :sslcert   => '/etc/mysql/client-cert.pem',
+        :sslca     => '/etc/mysql/ca-cert.pem',
+        :sslcipher => 'DHE-RSA-AES256-SHA',
+        :sslverify => true,
+      }
+    end
+
+    let(:ssl_client) do
+      new_client(option_overrides)
+    end
+
+    %i[disabled preferred required verify_ca verify_identity].each do |ssl_mode|
+      it "should set ssl_mode option #{ssl_mode}" do
+        options = {
+          ssl_mode: ssl_mode,
+        }
+        options.merge!(option_overrides)
+        # Relax the matching condition by checking if an error is not raised.
+        # TODO: Verify warnings by checking stderr.
+        expect do
+          new_client(options)
+        end.not_to raise_error
+      end
+    end
 
-    expect(ssl_client.ssl_cipher).not_to be_empty
-    expect(results['Ssl_cipher']).to eql(ssl_client.ssl_cipher)
+    it "should be able to connect via SSL options" do
+      # You may need to adjust the lines below to match your SSL certificate paths
+      results = Hash[ssl_client.query('SHOW STATUS WHERE Variable_name LIKE "Ssl_%"').map { |x| x.values_at('Variable_name', 'Value') }]
+      expect(results['Ssl_cipher']).not_to be_empty
+      expect(results['Ssl_version']).not_to be_empty
+
+      expect(ssl_client.ssl_cipher).not_to be_empty
+      expect(results['Ssl_cipher']).to eql(ssl_client.ssl_cipher)
+    end
   end
 
   def run_gc