From c1707b911e6357772bd8236bab146cabfcdf989d Mon Sep 17 00:00:00 2001
From: tiancaiamao
Date: Tue, 17 Oct 2023 11:11:53 +0800
Subject: [PATCH 1/2] util/sem: forbid changing @@global.require_secure_transport to 'on' with SEM enabled #47677

---
 sessionctx/sessionstates/session_states_test.go | 13 +++++++++++++
 sessionctx/variable/sysvar.go | 9 +++++++++
 2 files changed, 22 insertions(+)

diff --git a/sessionctx/sessionstates/session_states_test.go b/sessionctx/sessionstates/session_states_test.go
index 5f4c791b948ff..c55d1a8b1c5fb 100644
--- a/sessionctx/sessionstates/session_states_test.go
+++ b/sessionctx/sessionstates/session_states_test.go
@@ -16,6 +16,7 @@ package sessionstates_test
 import (
  "context"
+ "crypto/tls"
  "encoding/binary"
  "fmt"
  "strconv"
@@ -1484,3 +1485,15 @@ func getResetBytes(stmtID uint32) []byte {
  binary.LittleEndian.PutUint32(buf[pos:], stmtID)
  return buf
 }
+
+func TestIssue47665(t *testing.T) {
+ store := testkit.CreateMockStore(t)
+ tk := testkit.NewTestKit(t, store)
+ tk.Session().GetSessionVars().TLSConnectionState = &tls.ConnectionState{} // unrelated mock for the test.
+ originSEM := config.GetGlobalConfig().Security.EnableSEM
+ config.GetGlobalConfig().Security.EnableSEM = true
+ tk.MustGetErrMsg("set @@global.require_secure_transport = on", "require_secure_transport can not be set to ON with SEM(security enhanced mode) enabled")
+ config.GetGlobalConfig().Security.EnableSEM = originSEM
+ tk.MustExec("set @@global.require_secure_transport = on")
+ tk.MustExec("set @@global.require_secure_transport = off") // recover to default value
+}
diff --git a/sessionctx/variable/sysvar.go b/sessionctx/variable/sysvar.go
index 5a8681f24711d..835103bac9f2e 100644
--- a/sessionctx/variable/sysvar.go
+++ b/sessionctx/variable/sysvar.go
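Review bot: `config.GetGlobalConfig().Security.EnableSEM = originSEM` only executes if `tk.MustGetErrMsg` passes, so one failing assertion leaves SEM switched on in the process-wide config for every test that runs afterwards in this package and turns a single failure into a cascade. Restore it in a deferred call placed right after `originSEM` is saved: `defer func() { config.GetGlobalConfig().Security.EnableSEM = originSEM }()`. The trailing `set @@global.require_secure_transport = off` cleanup has the same problem and should also be deferred so the global default is restored when an earlier `MustExec` fails. Writing to the global config in place is presumably also unsafe if other tests in this package run in parallel; if the package has a config-override helper it would be the better tool here.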
@@ -1033,6 +1033,15 @@ var defaultSysVars = []*SysVar{
  return nil
  },
  Validation: func(vars *SessionVars, normalizedValue string, originalValue string, scope ScopeFlag) (string, error) {
  if vars.StmtCtx.StmtType == "Set" && TiDBOptOn(normalizedValue) {
+ // On tidbcloud dedicated cluster with the default configuration, if an user modify
+ // @@global.require_secure_transport=on, he can not login the cluster anymore!
+ // A workaround for this is making require_secure_transport read-only for that case.
+ // SEM(security enhanced mode) is enabled by default with only that settings.
+ cfg := config.GetGlobalConfig()
+ if cfg.Security.EnableSEM {
+ return "", errors.New("require_secure_transport can not be set to ON with SEM(security enhanced mode) enabled")
+ }
+
  // Refuse to set RequireSecureTransport to ON if the connection
  // issuing the change is not secure. This helps reduce the chance of users being locked out.
  if vars.TLSConnectionState == nil {

From 6a124c3794359109b5e183035075e4fcb479dbcf Mon Sep 17 00:00:00 2001
From: tiancaiamao
Date: Tue, 17 Oct 2023 11:47:53 +0800
Subject: [PATCH 2/2] make bazel_prepare

---
 sessionctx/sessionstates/BUILD.bazel | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sessionctx/sessionstates/BUILD.bazel b/sessionctx/sessionstates/BUILD.bazel
index 2348abae1ea6d..ea4cde5fb4e1c 100644
--- a/sessionctx/sessionstates/BUILD.bazel
+++ b/sessionctx/sessionstates/BUILD.bazel
@@ -30,7 +30,7 @@ go_test(
  ],
  embed = [":sessionstates"],
  flaky = True,
- shard_count = 14,
+ shard_count = 15,
  deps = [
  "//config",
  "//errno",
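Review bot: The four-line comment above `cfg := config.GetGlobalConfig()` is hard to read and omits the one fact a maintainer needs, namely that only the ON direction is refused (the guard sits under `TiDBOptOn(normalizedValue)`), so an affected cluster can still be recovered by setting the variable OFF. I would replace it with: `// With SEM enabled (the default on TiDB Cloud dedicated clusters), switching require_secure_transport ON locks operators out of the cluster, so ON is refused in that mode; OFF is still accepted so an affected cluster can be recovered.` `cfg` is used exactly once, so `if config.GetGlobalConfig().Security.EnableSEM {` reads more directly. The check lives inside the `StmtType == "Set"` branch and therefore covers SET statements only; whether any other write path for this variable exists is not visible in this hunk. The enclosing Validation closure and the SysVar entry both begin and end outside the hunk.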