Merge pull request #323 from goffrie/disable-built-in-roots

blackbeam · web-flow · commit 73976c1a0e8f · 2024-12-24T08:40:39.000+03:00
Add SslOpts::disable_built_in_roots flag
diff --git a/src/io/tls/native_tls_io.rs b/src/io/tls/native_tls_io.rs
@@ -36,6 +36,7 @@ impl Endpoint {
         }
         builder.danger_accept_invalid_hostnames(ssl_opts.skip_domain_validation());
         builder.danger_accept_invalid_certs(ssl_opts.accept_invalid_certs());
+        builder.disable_built_in_roots(ssl_opts.disable_built_in_roots());
         let tls_connector: tokio_native_tls::TlsConnector = builder.build()?.into();
 
         *self = match self {
diff --git a/src/io/tls/rustls_io.rs b/src/io/tls/rustls_io.rs
@@ -46,7 +46,9 @@ impl Endpoint {
         }
 
         let mut root_store = RootCertStore::empty();
-        root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|x| x.to_owned()));
+        if !ssl_opts.disable_built_in_roots() {
+            root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|x| x.to_owned()));
+        }
 
         for cert in ssl_opts.load_root_certs().await? {
             root_store.add(cert)?;
diff --git a/src/opts/mod.rs b/src/opts/mod.rs
@@ -214,6 +214,7 @@ pub struct SslOpts {
     #[cfg(any(feature = "native-tls-tls", feature = "rustls-tls"))]
     client_identity: Option<ClientIdentity>,
     root_certs: Vec<PathOrBuf<'static>>,
+    disable_built_in_roots: bool,
     skip_domain_validation: bool,
     accept_invalid_certs: bool,
     tls_hostname_override: Option<Cow<'static, str>>,
@@ -236,15 +237,61 @@ impl SslOpts {
         self
     }
 
-    /// The way to not validate the server's domain
-    /// name against its certificate (defaults to `false`).
+    /// If `true`, use only the root certificates configured via [`SslOpts::with_root_certs`],
+    /// not any system or built-in certs. By default system built-in certs _will be_ used.
+    ///
+    /// # Connection URL
+    ///
+    /// Use `built_in_roots` URL parameter to set this value:
+    ///
+    /// ```
+    /// # use mysql_async::*;
+    /// # use std::time::Duration;
+    /// # fn main() -> Result<()> {
+    /// let opts = Opts::from_url("mysql://localhost/db?require_ssl=true&built_in_roots=false")?;
+    /// assert_eq!(opts.ssl_opts().unwrap().disable_built_in_roots(), true);
+    /// # Ok(()) }
+    /// ```
+    pub fn with_disable_built_in_roots(mut self, disable_built_in_roots: bool) -> Self {
+        self.disable_built_in_roots = disable_built_in_roots;
+        self
+    }
+
+    /// The way to not validate the server's domain name against its certificate.
+    /// By default domain name _will be_ validated.
+    ///
+    /// # Connection URL
+    ///
+    /// Use `verify_identity` URL parameter to set this value:
+    ///
+    /// ```
+    /// # use mysql_async::*;
+    /// # use std::time::Duration;
+    /// # fn main() -> Result<()> {
+    /// let opts = Opts::from_url("mysql://localhost/db?require_ssl=true&verify_identity=false")?;
+    /// assert_eq!(opts.ssl_opts().unwrap().skip_domain_validation(), true);
+    /// # Ok(()) }
+    /// ```
     pub fn with_danger_skip_domain_validation(mut self, value: bool) -> Self {
         self.skip_domain_validation = value;
         self
     }
 
-    /// If `true` then client will accept invalid certificate (expired, not trusted, ..)
-    /// (defaults to `false`).
+    /// If `true` then client will accept invalid certificate (expired, not trusted, ..).
+    /// Invalid certificates _won't get_ accepted by default.
+    ///
+    /// # Connection URL
+    ///
+    /// Use `verify_ca` URL parameter to set this value:
+    ///
+    /// ```
+    /// # use mysql_async::*;
+    /// # use std::time::Duration;
+    /// # fn main() -> Result<()> {
+    /// let opts = Opts::from_url("mysql://localhost/db?require_ssl=true&verify_ca=false")?;
+    /// assert_eq!(opts.ssl_opts().unwrap().accept_invalid_certs(), true);
+    /// # Ok(()) }
+    /// ```
     pub fn with_danger_accept_invalid_certs(mut self, value: bool) -> Self {
         self.accept_invalid_certs = value;
         self
@@ -271,6 +318,10 @@ impl SslOpts {
         &self.root_certs
     }
 
+    pub fn disable_built_in_roots(&self) -> bool {
+        self.disable_built_in_roots
+    }
+
     pub fn skip_domain_validation(&self) -> bool {
         self.skip_domain_validation
     }
@@ -1584,6 +1635,7 @@ fn mysqlopts_from_url(url: &Url) -> std::result::Result<MysqlOpts, UrlError> {
 
     let mut skip_domain_validation = false;
     let mut accept_invalid_certs = false;
+    let mut disable_built_in_roots = false;
 
     for (key, value) in query_pairs {
         if key == "pool_min" {
@@ -1684,10 +1736,7 @@ fn mysqlopts_from_url(url: &Url) -> std::result::Result<MysqlOpts, UrlError> {
             }
         } else if key == "max_allowed_packet" {
             match usize::from_str(&value) {
-                Ok(value) => {
-                    opts.max_allowed_packet =
-                        Some(std::cmp::max(1024, std::cmp::min(1073741824, value)))
-                }
+                Ok(value) => opts.max_allowed_packet = Some(value.clamp(1024, 1073741824)),
                 _ => {
                     return Err(UrlError::InvalidParamValue {
                         param: "max_allowed_packet".into(),
@@ -1839,6 +1888,18 @@ fn mysqlopts_from_url(url: &Url) -> std::result::Result<MysqlOpts, UrlError> {
                     });
                 }
             }
+        } else if key == "built_in_roots" {
+            match bool::from_str(&value) {
+                Ok(x) => {
+                    disable_built_in_roots = !x;
+                }
+                _ => {
+                    return Err(UrlError::InvalidParamValue {
+                        param: "built_in_roots".into(),
+                        value,
+                    });
+                }
+            }
         } else {
             return Err(UrlError::UnknownParameter { param: key });
         }
@@ -1856,6 +1917,7 @@ fn mysqlopts_from_url(url: &Url) -> std::result::Result<MysqlOpts, UrlError> {
     if let Some(ref mut ssl_opts) = opts.ssl_opts.as_mut() {
         ssl_opts.accept_invalid_certs = accept_invalid_certs;
         ssl_opts.skip_domain_validation = skip_domain_validation;
+        ssl_opts.disable_built_in_roots = disable_built_in_roots;
     }
 
     Ok(opts)
@@ -1973,14 +2035,15 @@ mod test {
         );
 
         const URL4: &str =
-            "mysql://localhost/foo?require_ssl=true&verify_ca=false&verify_identity=false";
+            "mysql://localhost/foo?require_ssl=true&verify_ca=false&verify_identity=false&built_in_roots=false";
         let opts = Opts::from_url(URL4).unwrap();
         assert_eq!(
             opts.ssl_opts(),
             Some(
                 &SslOpts::default()
                     .with_danger_accept_invalid_certs(true)
                     .with_danger_skip_domain_validation(true)
+                    .with_disable_built_in_roots(true)
             )
         );
 

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ impl Endpoint {`
`36`	`36`	`}`
`37`	`37`	`builder.danger_accept_invalid_hostnames(ssl_opts.skip_domain_validation());`
`38`	`38`	`builder.danger_accept_invalid_certs(ssl_opts.accept_invalid_certs());`
	`39`	`+ builder.disable_built_in_roots(ssl_opts.disable_built_in_roots());`
`39`	`40`	`let tls_connector: tokio_native_tls::TlsConnector = builder.build()?.into();`
`40`	`41`
`41`	`42`	`*self = match self {`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,9 @@ impl Endpoint {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`let mut root_store = RootCertStore::empty();`
`49`		`- root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(\|x\| x.to_owned()));`
	`49`	`+ if !ssl_opts.disable_built_in_roots() {`
	`50`	`+ root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(\|x\| x.to_owned()));`
	`51`	`+ }`
`50`	`52`
`51`	`53`	`for cert in ssl_opts.load_root_certs().await? {`
`52`	`54`	`root_store.add(cert)?;`