Skip to main content

mz_sql_server_util/
config.rs

1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10use anyhow::Context;
11use mz_ore::future::InTask;
12use mz_repr::CatalogItemId;
13use mz_ssh_util::tunnel::{SshTimeoutConfig, SshTunnelConfig};
14use mz_ssh_util::tunnel_manager::SshTunnelManager;
15use proptest_derive::Arbitrary;
16use serde::{Deserialize, Serialize};
17
18/// Materialize specific configuration for SQL Server connections.
19///
20/// This wraps a [`tiberius::Config`] so we can configure a tunnel over SSH, AWS
21/// PrivateLink, or various other techniques, via a [`TunnelConfig`]
22#[derive(Clone, Debug)]
23pub struct Config {
24    /// SQL Server specific configuration.
25    pub(crate) inner: tiberius::Config,
26    /// Details of how we'll connect to the upstream SQL Server instance.
27    pub(crate) tunnel: TunnelConfig,
28    /// If all of the I/O for this connection will be done in a separate task.
29    ///
30    /// Note: This is used to prevent accidentally doing I/O in timely threads.
31    pub(crate) in_task: InTask,
32}
33
34impl Config {
35    pub fn new(inner: tiberius::Config, tunnel: TunnelConfig, in_task: InTask) -> Self {
36        Config {
37            inner,
38            tunnel,
39            in_task,
40        }
41    }
42
43    /// Create a new [`Config`] from an ActiveX Data Object.
44    ///
45    /// Generally this is only used in test environments, see [`Config::new`]
46    /// for regular/production use cases.
47    pub fn from_ado_string(s: &str) -> Result<Self, anyhow::Error> {
48        let inner = tiberius::Config::from_ado_string(s).context("tiberius config")?;
49        Ok(Config {
50            inner,
51            tunnel: TunnelConfig::Direct,
52            in_task: InTask::No,
53        })
54    }
55}
56
57/// Configures an optional tunnel for use when connecting to a SQL Server database.
58///
59/// TODO(sql_server2): De-duplicate this with MySQL and Postgres sources.
60#[derive(Debug, Clone)]
61pub enum TunnelConfig {
62    /// No tunnelling.
63    Direct,
64    /// Establish a TCP connection to the database via an SSH tunnel.
65    Ssh {
66        /// Config for opening the SSH tunnel.
67        config: SshTunnelConfig,
68        /// Global manager of SSH tunnels.
69        manager: SshTunnelManager,
70        /// Timeout config for the SSH tunnel.
71        timeout: SshTimeoutConfig,
72        // TODO(sql_server3): Remove these fields by forking the `tiberius`
73        // crate and expose the `get_host` and `get_port` methods.
74        //
75        // See: <https://github.com/MaterializeInc/tiberius/blob/406ad2780d206617bd41689b1b638bddf4538f89/src/client/config.rs#L174-L191>
76        host: String,
77        port: u16,
78    },
79    /// Establish a TCP connection to the database via an AWS PrivateLink service.
80    AwsPrivatelink {
81        /// The ID of the AWS PrivateLink service.
82        connection_id: CatalogItemId,
83        port: u16,
84    },
85}
86
87/// Level of encryption to use with a SQL Server connection.
88///
89/// Mirror of [`tiberius::EncryptionLevel`] but we define our own so we can
90/// implement traits like [`Serialize`].
91#[derive(
92    Copy,
93    Clone,
94    Debug,
95    PartialEq,
96    Eq,
97    Hash,
98    Arbitrary,
99    Serialize,
100    Deserialize
101)]
102pub enum EncryptionLevel {
103    /// Do not use encryption at all.
104    None,
105    /// Only use encryption for the login procedure.
106    Login,
107    /// Use encryption for everything, if possible.
108    Preferred,
109    /// Require encryption, failing if not possible.
110    Required,
111}
112
113impl From<tiberius::EncryptionLevel> for EncryptionLevel {
114    fn from(value: tiberius::EncryptionLevel) -> Self {
115        match value {
116            tiberius::EncryptionLevel::NotSupported => EncryptionLevel::None,
117            tiberius::EncryptionLevel::Off => EncryptionLevel::Login,
118            tiberius::EncryptionLevel::On => EncryptionLevel::Preferred,
119            tiberius::EncryptionLevel::Required => EncryptionLevel::Required,
120        }
121    }
122}
123
124impl From<EncryptionLevel> for tiberius::EncryptionLevel {
125    fn from(value: EncryptionLevel) -> Self {
126        match value {
127            EncryptionLevel::None => tiberius::EncryptionLevel::NotSupported,
128            EncryptionLevel::Login => tiberius::EncryptionLevel::Off,
129            EncryptionLevel::Preferred => tiberius::EncryptionLevel::On,
130            EncryptionLevel::Required => tiberius::EncryptionLevel::Required,
131        }
132    }
133}
134
135/// Policy that dictates validation of the SQL-SERVER certificate.
136#[derive(
137    Copy,
138    Clone,
139    Debug,
140    PartialEq,
141    Eq,
142    Hash,
143    Arbitrary,
144    Serialize,
145    Deserialize
146)]
147pub enum CertificateValidationPolicy {
148    /// Don't validate the server's certificate; trust all certificates.
149    TrustAll,
150    /// Validate server's certificate using system certificates.
151    VerifySystem,
152    /// Validate server's certifiacte using provided CA certificate.
153    VerifyCA,
154}