feat: add tls verification to mysql dsn

- Update mysql.template.json with new TLS options
- Handle custom TLS configuration
- Add tests

Author: Saransh Gupta

mysql.template.json

@@ -2,5 +2,9 @@
   "username": "user",
   "password": "password",
   "server": "localhost",
-  "database": "mydb"
+  "database": "mydb",
+  "tls": false,
+  "caCertPath": "/path/to/CA/certificate",
+  "clientCertPath": "/path/to/client/certificate",
+  "clientKeyPath": "/path/to/client/key"
 }

utils/utils.go

@@ -2,18 +2,22 @@ package utils
 
 import (
 	"bufio"
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/rs/zerolog"
-	"golang.org/x/sys/unix"
 	"io"
 	"os"
 	"path/filepath"
 	"pbench/log"
 	"reflect"
 	"strings"
+
+	"github.com/go-sql-driver/mysql"
+	"github.com/rs/zerolog"
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -64,6 +68,33 @@ func InitLogFile(logPath string) (finalizer func()) {
 	}
 }
 
+func createTLSConfig(caCertPath, clientCertPath, clientKeyPath string) (*tls.Config, error) {
+	rootCertPool := x509.NewCertPool()
+	pem, err := os.ReadFile(caCertPath)
+	if err != nil {
+		log.Error().Err(err).Msg("failed to read CA certificate")
+		return nil, err
+	}
+	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+		log.Error().Msg("failed to append CA certificate")
+		return nil, fmt.Errorf("failed to append CA certificate from PEM")
+	}
+	tlsConfig := &tls.Config{
+		RootCAs: rootCertPool,
+	}
+
+	// Check if client certificate and key are provided for mutual TLS
+	if clientCertPath != "" && clientKeyPath != "" {
+		certs, err := tls.LoadX509KeyPair(clientCertPath, clientKeyPath)
+		if err != nil {
+			log.Error().Err(err).Msg("failed to load client certificate or key")
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{certs}
+	}
+	return tlsConfig, nil
+}
+
 func InitMySQLConnFromCfg(cfgPath string) *sql.DB {
 	if cfgPath == "" {
 		return nil
@@ -73,17 +104,33 @@ func InitMySQLConnFromCfg(cfgPath string) *sql.DB {
 		return nil
 	} else {
 		mySQLCfg := &struct {
-			Username string `json:"username"`
-			Password string `json:"password"`
-			Server   string `json:"server"`
-			Database string `json:"database"`
-		}{}
+			Username       string `json:"username"`
+			Password       string `json:"password"`
+			Server         string `json:"server"`
+			Database       string `json:"database"`
+			TLS            bool   `json:"tls"`
+			CaCertPath     string `json:"caCertPath"`
+			ClientCertPath string `json:"clientCertPath"`
+			ClientKeyPath  string `json:"clientKeyPath"`
+		}{
+			TLS: false,
+		}
 		if err := json.Unmarshal(cfgBytes, mySQLCfg); err != nil {
 			log.Error().Err(err).Msg("failed to unmarshal MySQL connection config for the run recorder")
 			return nil
 		}
-		if db, err := sql.Open("mysql", fmt.Sprintf("%s:%s@tcp(%s)/%s?parseTime=true",
-			mySQLCfg.Username, mySQLCfg.Password, mySQLCfg.Server, mySQLCfg.Database)); err != nil {
+		tlsType := "false"
+		if mySQLCfg.TLS {
+			tlsType = "custom"
+			tlsConfig, err := createTLSConfig(mySQLCfg.CaCertPath, mySQLCfg.ClientCertPath, mySQLCfg.ClientKeyPath)
+			if err != nil {
+				log.Error().Msg("TLS enabled but failed to load certificates")
+				return nil
+			}
+			mysql.RegisterTLSConfig(tlsType, tlsConfig)
+		}
+		if db, err := sql.Open("mysql", fmt.Sprintf("%s:%s@tcp(%s)/%s?tls=%s&parseTime=true",
+			mySQLCfg.Username, mySQLCfg.Password, mySQLCfg.Server, mySQLCfg.Database, tlsType)); err != nil {
 			log.Error().Err(err).Msg("failed to initialize MySQL connection for the run recorder")
 			return nil
 		} else if err = db.Ping(); err != nil {

utils/utils_test.go

@@ -1,10 +1,12 @@
 package utils
 
 import (
-	"github.com/stretchr/testify/assert"
+	"encoding/json"
 	"os"
 	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestExpandHomeDirectory(t *testing.T) {
@@ -25,3 +27,66 @@ func TestExpandHomeDirectory_JustTilde(t *testing.T) {
 	ExpandHomeDirectory(&path)
 	assert.Equal(t, os.Getenv("HOME"), path)
 }
+
+func TestCreateTLSConfig_InvalidCAPath(t *testing.T) {
+	// tests error handling when CA cert file doesn't exist
+	tlsConfig, err := createTLSConfig("/nonexistent/ca.pem", "", "")
+
+	assert.Error(t, err, "should return error for non-existent CA certificate")
+	assert.Nil(t, tlsConfig, "should return nil config on error")
+}
+
+func TestCreateTLSConfig_InvalidCAPEM(t *testing.T) {
+	// tests error handling when CA cert has invalid PEM content
+	tmpDir := t.TempDir()
+	caPath := filepath.Join(tmpDir, "invalid-ca.pem")
+	err := os.WriteFile(caPath, []byte("invalid pem content"), 0644)
+	assert.NoError(t, err)
+
+	tlsConfig, err := createTLSConfig(caPath, "", "")
+
+	assert.Error(t, err, "should return error for invalid PEM content")
+	assert.Nil(t, tlsConfig, "should return nil config on error")
+}
+
+func TestCreateTLSConfig_InvalidClientCert(t *testing.T) {
+	// tests error handling with invalid client certificates
+	tmpDir := t.TempDir()
+	clientCertPath := filepath.Join(tmpDir, "client.pem")
+	clientKeyPath := filepath.Join(tmpDir, "client-key.pem")
+
+	err := os.WriteFile(clientCertPath, []byte("dummy cert"), 0644)
+	assert.NoError(t, err)
+	err = os.WriteFile(clientKeyPath, []byte("dummy key"), 0644)
+	assert.NoError(t, err)
+
+	// Should fail because CA cert doesn't exist
+	tlsConfig, err := createTLSConfig("/nonexistent/ca.pem", clientCertPath, clientKeyPath)
+
+	assert.Error(t, err, "should fail with invalid certificates")
+	assert.Nil(t, tlsConfig, "should return nil on error")
+}
+
+func TestInitMySQLConnFromCfg_TLSEnabledInvalidCerts(t *testing.T) {
+	// When TLS is enabled but certificates are invalid, function should return nil early
+	config := map[string]interface{}{
+		"username":       "testuser",
+		"password":       "testpass",
+		"server":         "localhost:3306",
+		"database":       "testdb",
+		"tls":            true,
+		"caCertPath":     "/nonexistent/ca.pem",
+		"clientCertPath": "/nonexistent/client.pem",
+		"clientKeyPath":  "/nonexistent/client-key.pem",
+	}
+
+	tmpDir := t.TempDir()
+	cfgPath := filepath.Join(tmpDir, "config.json")
+	configJSON, err := json.Marshal(config)
+	assert.NoError(t, err)
+	err = os.WriteFile(cfgPath, configJSON, 0644)
+	assert.NoError(t, err)
+
+	db := InitMySQLConnFromCfg(cfgPath)
+	assert.Nil(t, db, "should return nil when TLS config fails")
+}