session/variable: forbid changing @@global.require_secure_transport t…
…o 'on' with SEM enabled (#47677) (#51207)

close #47665
ti-chi-bot authored Feb 22, 2024
1 parent 08498f0 commit e73d335
Showing 3 changed files with 22 additions and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/sessionctx/sessionstates/BUILD.bazel
@@ -31,7 +31,7 @@ go_test(
],
embed = [":sessionstates"],
flaky = True,
shard_count = 15,
shard_count = 16,
deps = [
"//pkg/config",
"//pkg/errno",
13 changes: 13 additions & 0 deletions pkg/sessionctx/sessionstates/session_states_test.go
@@ -16,6 +16,7 @@ package sessionstates_test

import (
"context"
"crypto/tls"
"encoding/binary"
"fmt"
"strconv"
@@ -336,6 +337,18 @@ func TestInvisibleVars(t *testing.T) {
}
}

func TestIssue47665(t *testing.T) {
store := testkit.CreateMockStore(t)
tk := testkit.NewTestKit(t, store)
tk.Session().GetSessionVars().TLSConnectionState = &tls.ConnectionState{} // unrelated mock for the test.
originSEM := config.GetGlobalConfig().Security.EnableSEM
config.GetGlobalConfig().Security.EnableSEM = true
tk.MustGetErrMsg("set @@global.require_secure_transport = on", "require_secure_transport can not be set to ON with SEM(security enhanced mode) enabled")
config.GetGlobalConfig().Security.EnableSEM = originSEM
tk.MustExec("set @@global.require_secure_transport = on")
tk.MustExec("set @@global.require_secure_transport = off") // recover to default value
}

func TestSessionCtx(t *testing.T) {
store := testkit.CreateMockStore(t)
tk := testkit.NewTestKit(t, store)
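Review bot: TestIssue47665 restores `Security.EnableSEM` with a plain assignment placed after `tk.MustGetErrMsg`, so if that assertion fails the test presumably stops there and the process-wide config keeps SEM enabled for every later test in the same package. Register the restore immediately after the override instead, `t.Cleanup(func() { config.GetGlobalConfig().Security.EnableSEM = originSEM })`, so it runs on failure too. The same applies to the final `set @@global.require_secure_transport = off`: if the preceding `MustExec` fails after the value was changed, the global stays on, so that reset is also better placed in a cleanup.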
8 changes: 8 additions & 0 deletions pkg/sessionctx/variable/sysvar.go
@@ -1118,6 +1118,14 @@ var defaultSysVars = []*SysVar{
return nil
}, Validation: func(vars *SessionVars, normalizedValue string, originalValue string, scope ScopeFlag) (string, error) {
if vars.StmtCtx.StmtType == "Set" && TiDBOptOn(normalizedValue) {
// On tidbcloud dedicated cluster with the default configuration, if an user modify
// @@global.require_secure_transport=on, he can not login the cluster anymore!
// A workaround for this is making require_secure_transport read-only for that case.
// SEM(security enhanced mode) is enabled by default with only that settings.
cfg := config.GetGlobalConfig()
if cfg.Security.EnableSEM {
return "", errors.New("require_secure_transport can not be set to ON with SEM(security enhanced mode) enabled")
}
// Refuse to set RequireSecureTransport to ON if the connection
// issuing the change is not secure. This helps reduce the chance of users being locked out.
if vars.TLSConnectionState == nil {
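Review bot: The new `cfg.Security.EnableSEM` check returns before the `vars.TLSConnectionState == nil` check, so with SEM enabled no session can turn `require_secure_transport` on through SET, not even one that is already connected over TLS and could not be locked out. The comment justifies this with the defaults of one deployment, but the flag is read from the global config, so presumably every SEM-enabled cluster loses the SQL path to TLS-only enforcement. I would state that consequence in the comment, e.g. `// With SEM enabled, SET cannot turn require_secure_transport on, even from a TLS session; TLS-only access must then be enforced outside SQL.` The Validation closure starts before and continues past this hunk, so whether other statement types reach the same assignment cannot be judged from here.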
