updated tls_options return to match MySQL documentation, added spec and acceptance tests

Author: koshatul

lib/puppet/provider/mysql_user/mysql.rb

@@ -244,9 +244,9 @@ def self.parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject)
       ['X509']
     elsif ssl_type == 'SPECIFIED'
       options = []
-      options << "CIPHER #{ssl_cipher}" if !ssl_cipher.nil? && !ssl_cipher.empty?
-      options << "ISSUER #{x509_issuer}" if !x509_issuer.nil? && !x509_issuer.empty?
-      options << "SUBJECT #{x509_subject}" if !x509_subject.nil? && !x509_subject.empty?
+      options << "CIPHER '#{ssl_cipher}'" if !ssl_cipher.nil? && !ssl_cipher.empty?
+      options << "ISSUER '#{x509_issuer}'" if !x509_issuer.nil? && !x509_issuer.empty?
+      options << "SUBJECT '#{x509_subject}'" if !x509_subject.nil? && !x509_subject.empty?
       options
     else
       ['NONE']

spec/acceptance/types/mysql_user_spec.rb

@@ -199,4 +199,58 @@ class { 'mysql::server': * => $ed25519_opts }
       end
     end
   end
+  context 'using user-w-subject@localhost with ISSUER and SUBJECT' do
+    describe 'adding user' do
+      pp_six = <<-MANIFEST
+          mysql_user { 'user-w-subject@localhost':
+            plugin        => 'mysql_native_password',
+            password_hash => '',
+            tls_options   => [
+              "SUBJECT '/OU=MySQL Users/CN=username'",
+              "ISSUER '/CN=Certificate Authority'",
+              "CIPHER 'EDH-RSA-DES-CBC3-SHA'",
+            ],
+          }
+      MANIFEST
+
+      it 'works without errors' do
+        idempotent_apply(pp_six)
+      end
+
+      it 'finds the user #stdout' do
+        run_shell("mysql -NBe \"select '1' from mysql.user where CONCAT(user, '@', host) = 'user-w-subject@localhost'\"") do |r|
+          expect(r.stdout).to match(%r{^1$})
+          expect(r.stderr).to be_empty
+        end
+      end
+
+      it 'shows correct ssl_type #stdout' do
+        run_shell("mysql -NBe \"select SSL_TYPE from mysql.user where CONCAT(user, '@', host) = 'user-w-subject@localhost'\"") do |r|
+          expect(r.stdout).to match(%r{^SPECIFIED$})
+          expect(r.stderr).to be_empty
+        end
+      end
+
+      it 'shows correct x509_issuer #stdout' do
+        run_shell("mysql -NBe \"select X509_ISSUER from mysql.user where CONCAT(user, '@', host) = 'user-w-subject@localhost'\"") do |r|
+          expect(r.stdout).to match(%r{^/CN=Certificate Authority$})
+          expect(r.stderr).to be_empty
+        end
+      end
+
+      it 'shows correct x509_subject #stdout' do
+        run_shell("mysql -NBe \"select X509_SUBJECT from mysql.user where CONCAT(user, '@', host) = 'user-w-subject@localhost'\"") do |r|
+          expect(r.stdout).to match(%r{^/OU=MySQL Users/CN=username$})
+          expect(r.stderr).to be_empty
+        end
+      end
+
+      it 'shows correct ssl_cipher #stdout' do
+        run_shell("mysql -NBe \"select SSL_CIPHER from mysql.user where CONCAT(user, '@', host) = 'user-w-subject@localhost'\"") do |r|
+          expect(r.stdout).to match(%r{^EDH-RSA-DES-CBC3-SHA$})
+          expect(r.stderr).to be_empty
+        end
+      end
+    end
+  end
 end

spec/unit/puppet/provider/mysql_user/mysql_spec.rb

@@ -439,6 +439,44 @@
     end
   end
 
+  describe 'tls_options=required' do
+    it 'adds mTLS option grant in mysql 5.5' do
+      provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.5'][:string])
+      provider.class.expects(:mysql_caller).with("GRANT USAGE ON *.* TO 'joe'@'localhost' REQUIRE ISSUER '/CN=Certificate Authority' AND SUBJECT '/OU=MySQL Users/CN=Username'", 'system').returns('0')
+
+      provider.expects(:tls_options).returns(['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\''])
+      provider.tls_options = ['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\'']
+    end
+    it 'adds mTLS option grant in mysql 5.6' do
+      provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.6'][:string])
+      provider.class.expects(:mysql_caller).with("GRANT USAGE ON *.* TO 'joe'@'localhost' REQUIRE ISSUER '/CN=Certificate Authority' AND SUBJECT '/OU=MySQL Users/CN=Username'", 'system').returns('0')
+
+      provider.expects(:tls_options).returns(['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\''])
+      provider.tls_options = ['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\'']
+    end
+    it 'adds mTLS option grant in mysql < 5.7.6' do
+      provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.7.1'][:string])
+      provider.class.expects(:mysql_caller).with("GRANT USAGE ON *.* TO 'joe'@'localhost' REQUIRE ISSUER '/CN=Certificate Authority' AND SUBJECT '/OU=MySQL Users/CN=Username'", 'system').returns('0')
+
+      provider.expects(:tls_options).returns(['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\''])
+      provider.tls_options = ['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\'']
+    end
+    it 'adds mTLS option grant in mysql >= 5.7.6' do
+      provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mysql-5.7.6'][:string])
+      provider.class.expects(:mysql_caller).with("ALTER USER 'joe'@'localhost' REQUIRE ISSUER '/CN=Certificate Authority' AND SUBJECT '/OU=MySQL Users/CN=Username'", 'system').returns('0')
+
+      provider.expects(:tls_options).returns(['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\''])
+      provider.tls_options = ['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\'']
+    end
+    it 'adds mTLS option grant in mariadb-10.0' do
+      provider.class.instance_variable_set(:@mysqld_version_string, mysql_version_string_hash['mariadb-10.0'][:string])
+      provider.class.expects(:mysql_caller).with("GRANT USAGE ON *.* TO 'joe'@'localhost' REQUIRE ISSUER '/CN=Certificate Authority' AND SUBJECT '/OU=MySQL Users/CN=Username'", 'system').returns('0')
+
+      provider.expects(:tls_options).returns(['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\''])
+      provider.tls_options = ['ISSUER \'/CN=Certificate Authority\'', 'SUBJECT \'/OU=MySQL Users/CN=Username\'']
+    end
+  end
+
   ['max_user_connections', 'max_connections_per_hour', 'max_queries_per_hour', 'max_updates_per_hour'].each do |property|
     describe property do
       it "returns #{property}" do