forked from dexidp/dex
/
mysql.go
158 lines (128 loc) · 3.25 KB
/
mysql.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
package ent
import (
"context"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"database/sql"
"fmt"
"net"
"os"
"strconv"
"time"
entSQL "entgo.io/ent/dialect/sql"
"github.com/go-sql-driver/mysql" // Register mysql driver.
"github.com/awsong/dex/pkg/log"
"github.com/awsong/dex/storage"
"github.com/awsong/dex/storage/ent/client"
"github.com/awsong/dex/storage/ent/db"
)
const (
// MySQL SSL modes
mysqlSSLTrue = "true"
mysqlSSLFalse = "false"
mysqlSSLSkipVerify = "skip-verify"
mysqlSSLCustom = "custom"
)
// MySQL options for creating an SQL db.
type MySQL struct {
NetworkDB
SSL SSL `json:"ssl"`
params map[string]string
}
// Open always returns a new in sqlite3 storage.
func (m *MySQL) Open(logger log.Logger) (storage.Storage, error) {
logger.Debug("experimental ent-based storage driver is enabled")
drv, err := m.driver()
if err != nil {
return nil, err
}
databaseClient := client.NewDatabase(
client.WithClient(db.NewClient(db.Driver(drv))),
client.WithHasher(sha256.New),
// Set tx isolation leve for each transaction as dex does for postgres
client.WithTxIsolationLevel(sql.LevelSerializable),
)
if err := databaseClient.Schema().Create(context.TODO()); err != nil {
return nil, err
}
return databaseClient, nil
}
func (m *MySQL) driver() (*entSQL.Driver, error) {
var tlsConfig string
switch {
case m.SSL.CAFile != "" || m.SSL.CertFile != "" || m.SSL.KeyFile != "":
if err := m.makeTLSConfig(); err != nil {
return nil, fmt.Errorf("failed to make TLS config: %v", err)
}
tlsConfig = mysqlSSLCustom
case m.SSL.Mode == "":
tlsConfig = mysqlSSLTrue
default:
tlsConfig = m.SSL.Mode
}
drv, err := entSQL.Open("mysql", m.dsn(tlsConfig))
if err != nil {
return nil, err
}
if m.MaxIdleConns == 0 {
/* Override default behaviour to fix https://github.com/awsong/dex/issues/1608 */
drv.DB().SetMaxIdleConns(0)
} else {
drv.DB().SetMaxIdleConns(m.MaxIdleConns)
}
return drv, nil
}
func (m *MySQL) dsn(tlsConfig string) string {
cfg := mysql.Config{
User: m.User,
Passwd: m.Password,
DBName: m.Database,
AllowNativePasswords: true,
Timeout: time.Second * time.Duration(m.ConnectionTimeout),
TLSConfig: tlsConfig,
ParseTime: true,
Params: make(map[string]string),
}
if m.Host != "" {
if m.Host[0] != '/' {
cfg.Net = "tcp"
cfg.Addr = m.Host
if m.Port != 0 {
cfg.Addr = net.JoinHostPort(m.Host, strconv.Itoa(int(m.Port)))
}
} else {
cfg.Net = "unix"
cfg.Addr = m.Host
}
}
for k, v := range m.params {
cfg.Params[k] = v
}
return cfg.FormatDSN()
}
func (m *MySQL) makeTLSConfig() error {
cfg := &tls.Config{}
if m.SSL.CAFile != "" {
rootCertPool := x509.NewCertPool()
pem, err := os.ReadFile(m.SSL.CAFile)
if err != nil {
return err
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return fmt.Errorf("failed to append PEM")
}
cfg.RootCAs = rootCertPool
}
if m.SSL.CertFile != "" && m.SSL.KeyFile != "" {
clientCert := make([]tls.Certificate, 0, 1)
certs, err := tls.LoadX509KeyPair(m.SSL.CertFile, m.SSL.KeyFile)
if err != nil {
return err
}
clientCert = append(clientCert, certs)
cfg.Certificates = clientCert
}
mysql.RegisterTLSConfig(mysqlSSLCustom, cfg)
return nil
}