From 3d6259cb00d32818b9bc98f154a772543e524509 Mon Sep 17 00:00:00 2001
From: Markus Makela
Date: Thu, 28 May 2015 16:33:51 +0300
Subject: [PATCH] Added configuration options for different SSL modes.

---
 server/core/config.c | 9 ++++++++-
 server/core/service.c | 20 ++++++++++++++++----
 server/include/service.h | 1 +
 server/modules/protocol/mysql_client.c | 12 ++++++++++++
 4 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/server/core/config.c b/server/core/config.c
index ccbeee0e0..f6721a28e 100644
--- a/server/core/config.c
+++ b/server/core/config.c
@@ -345,6 +345,7 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
 char *weightby;
 char *version_string;
 char *subservices;
+ char* ssl;
 bool is_rwsplit = false;
 bool is_schemarouter = false;
 char *allow_localhost_match_wildcard_host;
@@ -353,6 +354,8 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
 user = config_get_value(obj->parameters, "user");
 auth = config_get_value(obj->parameters, "passwd");
 subservices = config_get_value(obj->parameters, "subservices");
+ ssl = config_get_value(obj->parameters, "ssl");
+
 enable_root_user = config_get_value(
 obj->parameters,
 "enable_root_user");
@@ -443,7 +446,11 @@ hashtable_memory_fns(monitorhash,strdup,NULL,free,NULL);
 max_slave_rlag_str = config_get_value(obj->parameters,
 "max_slave_replication_lag");
-
+
+ if(ssl)
+ if(serviceSetSSL(obj->element,ssl) != 0)
+ skygw_log_write(LE,"Error: Unknown parameter for service '%s': %s",obj->object,ssl);
+
 if (enable_root_user)
 serviceEnableRootUser(
 obj->element,
diff --git a/server/core/service.c b/server/core/service.c
index 8297ea6fd..4ef9b3515 100644
--- a/server/core/service.c
+++ b/server/core/service.c
@@ -136,7 +136,7 @@ SERVICE *service;
 service->routerModule = strdup(router);
 service->users_from_all = false;
 service->resources = NULL;
- service->ssl_mode = SSL_REQUIRED;
+ service->ssl_mode = SSL_DISABLED;
 if (service->name == NULL || service->routerModule == NULL)
 {
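Review bot: In the third config.c hunk an unrecognised `ssl` value is only logged and processing continues, so the service keeps the default the service.c hunk now sets (`SSL_DISABLED`); a typo such as `ssl=require` silently leaves the service running without TLS, which is the opposite of what the operator asked for. The message should at least say what happens, e.g. `skygw_log_write(LE,"Error: Unknown value '%s' for parameter 'ssl' in service '%s', SSL stays disabled.",ssl,obj->object);`, and if the surrounding code counts configuration errors this should count as one so the configuration is rejected rather than started in a weaker mode. The nested `if(ssl) if(serviceSetSSL(...) != 0)` should also be braced; as written it is the classic dangling-if shape that a later `else` would silently mis-bind to. The enclosing function starts and ends outside this hunk.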
@@ -858,12 +858,20 @@ serviceOptimizeWildcard(SERVICE *service, int action)
 /** Enable or disable the service SSL capability*/
 int
-serviceSetSSL(SERVICE *service, int action)
+serviceSetSSL(SERVICE *service, char* action)
 {
- if(action)
+ int rval = 0;
+
+ if(strcasecmp(action,"required") == 0)
 service->ssl_mode = SSL_REQUIRED;
- else
+ else if(strcasecmp(action,"enabled") == 0)
+ service->ssl_mode = SSL_ENABLED;
+ else if(strcasecmp(action,"disabled") == 0)
 service->ssl_mode = SSL_DISABLED;
+ else
+ rval = -1;
+
+ return rval;
 }

 /**
@@ -1029,6 +1037,8 @@ int i;
 printf("\tUsers data: %p\n", (void *)service->users);
 printf("\tTotal connections: %d\n", service->stats.n_sessions);
 printf("\tCurrently connected: %d\n", service->stats.n_current);
+ printf("\tSSL: %s\n", service->ssl_mode == SSL_DISABLED ? "Disabled":
+ (service->ssl_mode == SSL_ENABLED ? "Enabled":"Required"));
 }

 /**
@@ -1138,6 +1148,8 @@ int i;
 service->stats.n_sessions);
 dcb_printf(dcb, "\tCurrently connected: %d\n",
 service->stats.n_current);
+ dcb_printf(dcb,"\tSSL: %s\n", service->ssl_mode == SSL_DISABLED ? "Disabled":
+ (service->ssl_mode == SSL_ENABLED ? "Enabled":"Required"));
 }

 /**
diff --git a/server/include/service.h b/server/include/service.h
index a6fea6d56..e0ae151cf 100644
--- a/server/include/service.h
+++ b/server/include/service.h
@@ -185,6 +185,7 @@ extern int serviceRestart(SERVICE *);
 extern int serviceSetUser(SERVICE *, char *, char *);
 extern int serviceGetUser(SERVICE *, char **, char **);
 extern void serviceSetFilters(SERVICE *, char *);
+extern int serviceSetSSL(SERVICE *service, char* action);
 extern int serviceEnableRootUser(SERVICE *, int );
 extern int serviceSetTimeout(SERVICE *, int );
 extern void serviceWeightBy(SERVICE *, char *);
diff --git a/server/modules/protocol/mysql_client.c b/server/modules/protocol/mysql_client.c
index d1e188281..eaf061334 100644
--- a/server/modules/protocol/mysql_client.c
+++ b/server/modules/protocol/mysql_client.c
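Review bot: `serviceSetSSL` now passes `action` straight to `strcasecmp` without a NULL check; the one visible caller in config.c guards with `if(ssl)`, but the function is exported through service.h in the later hunk and `strcasecmp(NULL, ...)` is undefined behaviour. A guard such as `if(action == NULL) return -1;` before the first comparison closes that, and since `action` is only read it should be `const char *` here and in the service.h prototype. The comment `/** Enable or disable the service SSL capability*/` no longer describes the interface; it should state that the accepted values are `required`, `enabled` and `disabled` (compared case-insensitively), that any other value returns -1, and that `ssl_mode` is left unchanged in that case. `strcasecmp` is declared in `<strings.h>`; this hunk does not show whether service.c already includes it.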
@@ -466,9 +466,21 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) { /** Client didn't requested SSL when SSL mode was required*/ if(!ssl && protocol->owner_dcb->service->ssl_mode == SSL_REQUIRED) { + LOGIF(LT,(skygw_log_write(LT,"User %s@%s connected to service '%s' without SSL when SSL was required.", + protocol->owner_dcb->user, + protocol->owner_dcb->remote, + protocol->owner_dcb->service->name))); return 1; } + if(LOG_IS_ENABLED(LT)) + { + skygw_log_write(LT,"User %s@%s connected to service '%s' with SSL.", + protocol->owner_dcb->user, + protocol->owner_dcb->remote, + protocol->owner_dcb->service->name); + } + username = get_username_from_auth(username, client_auth_packet); if (username == NULL)