From 67561266a693d8de36b6afbf715b5f30d9fe919b Mon Sep 17 00:00:00 2001
From: Francis Dupont <fdupont@isc.org>
Date: Fri, 20 Dec 2024 18:31:37 +0100
Subject: [PATCH] [#3398] Protected SQL databases

---
 src/lib/mysql/mysql_connection.cc             |  6 +++
 .../mysql/tests/mysql_connection_unittest.cc  | 45 +++++++++++++++++++
 src/lib/pgsql/pgsql_connection.cc             |  6 +++
 .../pgsql/tests/pgsql_connection_unittest.cc  |  9 ++++
 4 files changed, 66 insertions(+)

diff --git a/src/lib/mysql/mysql_connection.cc b/src/lib/mysql/mysql_connection.cc
index 6e30bfbe10..b2039fc77f 100644
--- a/src/lib/mysql/mysql_connection.cc
+++ b/src/lib/mysql/mysql_connection.cc
@@ -8,6 +8,7 @@
 
 #include <asiolink/io_service.h>
 #include <asiolink/process_spawn.h>
+#include <cc/default_credentials.h>
 #include <database/database_connection.h>
 #include <database/db_log.h>
 #include <exceptions/exceptions.h>
@@ -24,6 +25,7 @@
 
 using namespace isc;
 using namespace isc::asiolink;
+using namespace isc::data;
 using namespace std;
 
 namespace isc {
@@ -96,6 +98,10 @@ MySqlConnection::openDatabase() {
     } catch (...) {
         // No password.  Fine, we'll use NULL
     }
+    if (password) {
+        // Refuse default password.
+        DefaultCredentials::check(spassword);
+    }
 
     const char* name = NULL;
     string sname;
diff --git a/src/lib/mysql/tests/mysql_connection_unittest.cc b/src/lib/mysql/tests/mysql_connection_unittest.cc
index c43a20663b..f3c5c41edb 100644
--- a/src/lib/mysql/tests/mysql_connection_unittest.cc
+++ b/src/lib/mysql/tests/mysql_connection_unittest.cc
@@ -6,6 +6,7 @@
 
 #include <config.h>
 
+#include <cc/default_credentials.h>
 #include <database/database_connection.h>
 #include <exceptions/exceptions.h>
 #include <mysql/mysql_connection.h>
@@ -903,6 +904,50 @@ TEST_F(MySqlSecureConnectionTest, TlsInvalidPassword) {
     }
 }
 
+/// @brief Check the SSL/TLS protected connection refuse default passwords.
+TEST_F(MySqlSecureConnectionTest, TlsDefaultPassword) {
+    SKIP_IF(!hasMySQLTls());
+    std::string conn_str = connectionString(MYSQL_VALID_TYPE, VALID_NAME,
+                                            VALID_HOST_TCP, VALID_SECURE_USER,
+                                            DEFAULT_PASSWORD, 0, 0,
+                                            VALID_CERT, VALID_KEY, VALID_CA,
+                                            VALID_CIPHER);
+    MySqlConnection conn(DatabaseConnection::parse(conn_str));
+
+    try {
+        conn.openDatabase();
+    } catch (isc::data::DefaultCredential const& exception) {
+        string const message(exception.what());
+        if (message == "illegal use of a default value as credential") {
+            return;
+        }
+        ADD_FAILURE() << "Unexpected exception message '" << message << "'";
+    } catch (exception const& exception) {
+        ADD_FAILURE() << exception.what();
+    }
+}
+
+/// @brief Check the SSL/TLS protected connection refuse default passwords.
+TEST_F(MySqlSecureConnectionTest, noTlsDefaultPassword) {
+    SKIP_IF(hasMySQLTls());
+    std::string conn_str = connectionString(MYSQL_VALID_TYPE, VALID_NAME,
+                                            VALID_HOST_TCP, VALID_USER,
+                                            DEFAULT_PASSWORD);
+    MySqlConnection conn(DatabaseConnection::parse(conn_str));
+
+    try {
+        conn.openDatabase();
+    } catch (isc::data::DefaultCredential const& exception) {
+        string const message(exception.what());
+        if (message == "illegal use of a default value as credential") {
+            return;
+        }
+        ADD_FAILURE() << "Unexpected exception message '" << message << "'";
+    } catch (exception const& exception) {
+        ADD_FAILURE() << exception.what();
+    }
+}
+
 /// @brief Check the SSL/TLS protected connection requires crypto parameters.
 TEST_F(MySqlSecureConnectionTest, TlsNoCrypto) {
     SKIP_IF(!hasMySQLTls());
diff --git a/src/lib/pgsql/pgsql_connection.cc b/src/lib/pgsql/pgsql_connection.cc
index 7a808b9896..580e16fddf 100644
--- a/src/lib/pgsql/pgsql_connection.cc
+++ b/src/lib/pgsql/pgsql_connection.cc
@@ -8,6 +8,7 @@
 
 #include <asiolink/io_service.h>
 #include <asiolink/process_spawn.h>
+#include <cc/default_credentials.h>
 #include <database/database_connection.h>
 #include <database/db_exceptions.h>
 #include <database/db_log.h>
@@ -36,6 +37,7 @@
 #include <sstream>
 
 using namespace isc::asiolink;
+using namespace isc::data;
 using namespace std;
 
 namespace isc {
@@ -358,6 +360,10 @@ PgSqlConnection::getConnParametersInternal(bool logging) {
     } catch(...) {
         // No password. Fine, we'll use NULL
     }
+    if (!spassword.empty()) {
+        // Refuse default password.
+        DefaultCredentials::check(spassword);
+    }
 
     string sname;
     try {
diff --git a/src/lib/pgsql/tests/pgsql_connection_unittest.cc b/src/lib/pgsql/tests/pgsql_connection_unittest.cc
index 04007dd87d..d4be3f4a99 100644
--- a/src/lib/pgsql/tests/pgsql_connection_unittest.cc
+++ b/src/lib/pgsql/tests/pgsql_connection_unittest.cc
@@ -6,6 +6,7 @@
 
 #include <config.h>
 
+#include <cc/default_credentials.h>
 #include <database/db_exceptions.h>
 #include <pgsql/pgsql_connection.h>
 #include <pgsql/pgsql_exchange.h>
@@ -576,6 +577,14 @@ TEST_F(PgSqlConnectionTest, portInvalid) {
     EXPECT_THROW(conn.getConnParameters(), DbInvalidPort);
 }
 
+// Tests that default password causes an error.
+TEST_F(PgSqlConnectionTest, defaultPassword) {
+    std::string conn_str = connectionString(PGSQL_VALID_TYPE, VALID_NAME,
+                                            VALID_USER, DEFAULT_PASSWORD);
+    PgSqlConnection conn(DatabaseConnection::parse(conn_str));
+    EXPECT_THROW(conn.getConnParameters(), isc::data::DefaultCredential);
+}
+
 // Tests that valid connection timeout is accepted.
 TEST_F(PgSqlConnectionTest, connectionTimeout) {
     std::string conn_str = connectionString(PGSQL_VALID_TYPE, VALID_NAME,
-- 
2.47.3