Parse out custom TLS params and register the TLS config before calling mysql.ParseDSN

Fixes: golang-migrate/migrate#411

Author: Prometheus2677

database/mysql/mysql.go

@@ -118,6 +118,68 @@ func extractCustomQueryParams(c *mysql.Config) (map[string]string, error) {
 }
 
 func urlToMySQLConfig(url string) (*mysql.Config, error) {
+	// Need to parse out custom TLS parameters and call
+	// mysql.RegisterTLSConfig() before mysql.ParseDSN() is called
+	// which consumes the registered tls.Config
+	// Fixes: https://github.com/golang-migrate/migrate/issues/411
+	//
+	// Can't use url.Parse() since it fails to parse MySQL DSNs
+	// mysql.ParseDSN() also searches for "?" to find query parameters:
+	// https://github.com/go-sql-driver/mysql/blob/46351a8/dsn.go#L344
+	if idx := strings.LastIndex(url, "?"); idx > 0 {
+		rawParams := url[idx+1:]
+		parsedParams, err := nurl.ParseQuery(rawParams)
+		if err != nil {
+			return nil, err
+		}
+
+		ctls := parsedParams.Get("tls")
+		if len(ctls) > 0 {
+			if _, isBool := readBool(ctls); !isBool && strings.ToLower(ctls) != "skip-verify" {
+				rootCertPool := x509.NewCertPool()
+				pem, err := ioutil.ReadFile(parsedParams.Get("x-tls-ca"))
+				if err != nil {
+					return nil, err
+				}
+
+				if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+					return nil, ErrAppendPEM
+				}
+
+				clientCert := make([]tls.Certificate, 0, 1)
+				if ccert, ckey := parsedParams.Get("x-tls-cert"), parsedParams.Get("x-tls-key"); ccert != "" || ckey != "" {
+					if ccert == "" || ckey == "" {
+						return nil, ErrTLSCertKeyConfig
+					}
+					certs, err := tls.LoadX509KeyPair(ccert, ckey)
+					if err != nil {
+						return nil, err
+					}
+					clientCert = append(clientCert, certs)
+				}
+
+				insecureSkipVerify := false
+				insecureSkipVerifyStr := parsedParams.Get("x-tls-insecure-skip-verify")
+				if len(insecureSkipVerifyStr) > 0 {
+					x, err := strconv.ParseBool(insecureSkipVerifyStr)
+					if err != nil {
+						return nil, err
+					}
+					insecureSkipVerify = x
+				}
+
+				err = mysql.RegisterTLSConfig(ctls, &tls.Config{
+					RootCAs:            rootCertPool,
+					Certificates:       clientCert,
+					InsecureSkipVerify: insecureSkipVerify,
+				})
+				if err != nil {
+					return nil, err
+				}
+			}
+		}
+	}
+
 	config, err := mysql.ParseDSN(strings.TrimPrefix(url, "mysql://"))
 	if err != nil {
 		return nil, err
@@ -140,52 +202,6 @@ func urlToMySQLConfig(url string) (*mysql.Config, error) {
 	}
 	config.Passwd = password
 
-	// use custom TLS?
-	ctls := config.TLSConfig
-	if len(ctls) > 0 {
-		if _, isBool := readBool(ctls); !isBool && strings.ToLower(ctls) != "skip-verify" {
-			rootCertPool := x509.NewCertPool()
-			pem, err := ioutil.ReadFile(config.Params["x-tls-ca"])
-			if err != nil {
-				return nil, err
-			}
-
-			if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
-				return nil, ErrAppendPEM
-			}
-
-			clientCert := make([]tls.Certificate, 0, 1)
-			if ccert, ckey := config.Params["x-tls-cert"], config.Params["x-tls-key"]; ccert != "" || ckey != "" {
-				if ccert == "" || ckey == "" {
-					return nil, ErrTLSCertKeyConfig
-				}
-				certs, err := tls.LoadX509KeyPair(ccert, ckey)
-				if err != nil {
-					return nil, err
-				}
-				clientCert = append(clientCert, certs)
-			}
-
-			insecureSkipVerify := false
-			if len(config.Params["x-tls-insecure-skip-verify"]) > 0 {
-				x, err := strconv.ParseBool(config.Params["x-tls-insecure-skip-verify"])
-				if err != nil {
-					return nil, err
-				}
-				insecureSkipVerify = x
-			}
-
-			err = mysql.RegisterTLSConfig(ctls, &tls.Config{
-				RootCAs:            rootCertPool,
-				Certificates:       clientCert,
-				InsecureSkipVerify: insecureSkipVerify,
-			})
-			if err != nil {
-				return nil, err
-			}
-		}
-	}
-
 	return config, nil
 }
 

database/mysql/mysql_test.go

@@ -2,11 +2,19 @@ package mysql
 
 import (
 	"context"
+	"crypto/ed25519"
+	"crypto/x509"
 	"database/sql"
 	sqldriver "database/sql/driver"
+	"encoding/pem"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"log"
+	"math/big"
+	"math/rand"
+	"net/url"
+	"os"
 	"strconv"
 	"testing"
 )
@@ -284,7 +292,42 @@ func TestExtractCustomQueryParams(t *testing.T) {
 	}
 }
 
+func createTmpCert(t *testing.T) string {
+	tmpCertFile, err := ioutil.TempFile("", "migrate_test_cert")
+	if err != nil {
+		t.Fatal("Failed to create temp cert file:", err)
+	}
+	t.Cleanup(func() {
+		if err := os.Remove(tmpCertFile.Name()); err != nil {
+			t.Log("Failed to cleanup temp cert file:", err)
+		}
+	})
+
+	r := rand.New(rand.NewSource(0))
+	pub, priv, err := ed25519.GenerateKey(r)
+	if err != nil {
+		t.Fatal("Failed to generate ed25519 key for temp cert file:", err)
+	}
+	tmpl := x509.Certificate{
+		SerialNumber: big.NewInt(0),
+	}
+	derBytes, err := x509.CreateCertificate(r, &tmpl, &tmpl, pub, priv)
+	if err != nil {
+		t.Fatal("Failed to generate temp cert file:", err)
+	}
+	if err := pem.Encode(tmpCertFile, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+		t.Fatal("Failed to encode ")
+	}
+	if err := tmpCertFile.Close(); err != nil {
+		t.Fatal("Failed to close temp cert file:", err)
+	}
+	return tmpCertFile.Name()
+}
+
 func TestURLToMySQLConfig(t *testing.T) {
+	tmpCertFilename := createTmpCert(t)
+	tmpCertFilenameEscaped := url.PathEscape(tmpCertFilename)
+
 	testcases := []struct {
 		name        string
 		urlStr      string
@@ -315,6 +358,9 @@ func TestURLToMySQLConfig(t *testing.T) {
 		{name: "user/password - password with encoded @",
 			urlStr:      "mysql://username:password%40@tcp(127.0.0.1:3306)/myDB?multiStatements=true",
 			expectedDSN: "username:password@@tcp(127.0.0.1:3306)/myDB?multiStatements=true"},
+		{name: "custom tls",
+			urlStr:      "mysql://username:password@tcp(127.0.0.1:3306)/myDB?multiStatements=true&tls=custom&x-tls-ca=" + tmpCertFilenameEscaped,
+			expectedDSN: "username:password@tcp(127.0.0.1:3306)/myDB?multiStatements=true&tls=custom&x-tls-ca=" + tmpCertFilenameEscaped},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {