From 48b048830d7b9526166932bc81a8a31e404551bf Mon Sep 17 00:00:00 2001 From: David Puglielli Date: Mon, 25 Nov 2019 15:29:32 -0800 Subject: [PATCH] Fix AKV keyword test for AE v2 behaviour (#1061) * Master (#936) 5.6.0 RTW * 5.6.1 hotfix (#959) * Updated links and versions (#987) * Fixed AKV keyword tests for AE v2 * Added comment * Free proc cache before starting test * Fixed comment
---
 .../pdo_ae_azure_key_vault_keywords.phpt | 29 ++++++++++++++-- .../sqlsrv_ae_azure_key_vault_keywords.phpt | 34 +++++++++++++++++-- 2 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/test/functional/pdo_sqlsrv/pdo_ae_azure_key_vault_keywords.phpt b/test/functional/pdo_sqlsrv/pdo_ae_azure_key_vault_keywords.phpt
index cc49693b..2e22a203 100644
--- a/test/functional/pdo_sqlsrv/pdo_ae_azure_key_vault_keywords.phpt
+++ b/test/functional/pdo_sqlsrv/pdo_ae_azure_key_vault_keywords.phpt
@@ -48,6 +48,26 @@ $dataTypes = array("char(".SHORT_STRSIZE.")", "varchar(".SHORT_STRSIZE.")", "nva
 $tableName = "akv_comparison_table";
+// First determine if the server is AE v2 enabled
+$isEnclaveEnabled = false;
+$connectionOptions = "sqlsrv:Server=$server;Database=$databaseName";
+
+$conn = new PDO($connectionOptions, $uid, $pwd);
+if (!$conn) {
+ fatalError("Initial connection failed\n");
+} else {
+ $query = "SELECT [name], [value], [value_in_use] FROM sys.configurations WHERE [name] = 'column encryption enclave type';";
+ $stmt = $conn->query($query);
+ $info = $stmt->fetch();
+ if ($info['value'] == 1 and $info['value_in_use'] == 1) {
+ $isEnclaveEnabled = true;
+ }
+
+ $conn->query("DBCC FREEPROCCACHE");
+}
+
+unset($conn);
+
 // Test every combination of the keywords above.
 // Leave out good credentials to ensure that caching does not influence the
 // results. The cache timeout can only be changed with SQLSetConnectAttr, so
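Review bot: The enclave probe in the `@@ -48,6 +48,26 @@` hunk uses `$stmt` and `$info` without checking them, and every failure path leaves `$isEnclaveEnabled` at `false`, which is the value that relaxes the bad-credentials assertion for `$i == 2` later in the file. If the `sys.configurations` query fails, `$conn->query()` can return `false` (depending on the PDO error mode, which is not set on this connection) and `$stmt->fetch()` is then a fatal error; if the row is absent, `fetch()` returns `false` and `$info['value']` is read from a boolean. Suggest `if ($stmt === false) { fatalError("Enclave configuration query failed\n"); }` and `if ($info !== false and $info['value'] == 1 and $info['value_in_use'] == 1) {`, so a missing row still means "not enclave-enabled" but a failed query stops the test instead of silently selecting the lenient path. `new PDO()` throws on failure rather than returning a falsy value, so the `if (!$conn)` branch never runs. The sqlsrv hunk at `@@ -47,6 +47,30 @@` has the same unchecked `sqlsrv_query()` / `sqlsrv_fetch_array()` pair.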
@@ -117,8 +137,11 @@ for ($i = 0; $i < sizeof($columnEncryption); ++$i) {
 unset($stmt);
 } else {
 // The INSERT query succeeded with bad credentials, which
- // should only happen when encryption is not enabled.
- if (isColEncrypted()) {
+ // should only happen when 1. encryption is not enabled or
+ // 2. when ColumnEncryption is set to something other than
+ // enabled or disabled (i.e. $i == 2), and the server is
+ // not enclave-enabled
+ if (!(!isColEncrypted() or ($i == 2 and !$isEnclaveEnabled))) {
 fatalError("Successful insertion with bad credentials\n");
 }
 }
@@ -135,6 +158,7 @@ for ($i = 0; $i < sizeof($columnEncryption); ++$i) {
 $errors,
 array('CE258', '0'),
 array('CE275', '0'),
+ array('CE400', '0'),
 array('IMSSP', '-85'),
 array('IMSSP', '-86'),
 array('IMSSP', '-87'),
@@ -147,6 +171,7 @@ for ($i = 0; $i < sizeof($columnEncryption); ++$i) {
 $errors,
 array('CE258', '0'),
 array('CE275', '0'),
+ array('CE400', '0'),
 array('IMSSP', '-85'),
 array('IMSSP', '-86'),
 array('IMSSP', '-87'),
diff --git a/test/functional/sqlsrv/sqlsrv_ae_azure_key_vault_keywords.phpt b/test/functional/sqlsrv/sqlsrv_ae_azure_key_vault_keywords.phpt
index 3734e0be..e6f03d27 100644
--- a/test/functional/sqlsrv/sqlsrv_ae_azure_key_vault_keywords.phpt
+++ b/test/functional/sqlsrv/sqlsrv_ae_azure_key_vault_keywords.phpt
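Review bot: The rewritten guard `if (!(!isColEncrypted() or ($i == 2 and !$isEnclaveEnabled)))` in the `@@ -117,8 +137,11 @@` hunk is the assertion that a write with bad Key Vault credentials must not succeed, and the double negation makes it hard to see exactly which case is now exempt. By De Morgan it is `if (isColEncrypted() and ($i != 2 or $isEnclaveEnabled)) {`, which reads directly as "fail unless this is the one tolerated combination". The literal `2` is an index into `$columnEncryption`, whose definition is outside the hunk, so reordering that array would silently move the exemption; comparing against the keyword value, or a named constant for the index, would keep it tied to the intended setting. The same expression appears with `AE\isDataEncrypted()` in the sqlsrv file at `@@ -148,8 +173,11 @@`. The enclosing `for` loop starts and ends outside the hunk.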
@@ -47,6 +47,30 @@ $dataTypes = array("char(".SHORT_STRSIZE.")", "varchar(".SHORT_STRSIZE.")", "nva
 $tableName = "akv_comparison_table";
+// First determine if the server is AE v2 enabled
+$isEnclaveEnabled = false;
+$connectionOptions = array("CharacterSet"=>"UTF-8",
+ "database"=>$databaseName,
+ "uid"=>$uid,
+ "pwd"=>$pwd,
+ "ConnectionPooling"=>0);
+
+$conn = sqlsrv_connect($server, $connectionOptions);
+if (!$conn) {
+ fatalError("Initial connection failed\n");
+} else {
+ $query = "SELECT [name], [value], [value_in_use] FROM sys.configurations WHERE [name] = 'column encryption enclave type';";
+ $stmt = sqlsrv_query($conn, $query);
+ $info = sqlsrv_fetch_array($stmt);
+ if ($info['value'] == 1 and $info['value_in_use'] == 1) {
+ $isEnclaveEnabled = true;
+ }
+
+ sqlsrv_query($conn, "DBCC FREEPROCCACHE");
+}
+
+unset($conn);
+
 // Test every combination of the keywords above.
 // Leave out good credentials to ensure that caching does not influence the
 // results. The cache timeout can only be changed with SQLSetConnectAttr, so
@@ -96,7 +120,8 @@ for ($i = 0; $i < sizeof($columnEncryption); ++$i) {
 array('IMSSP','-110'),
 array('IMSSP','-111'),
 array('IMSSP','-112'),
- array('IMSSP','-113')
+ array('IMSSP','-113'),
+ array('CE400','0')
 );
 } else {
 $columns = array();
@@ -148,8 +173,11 @@ for ($i = 0; $i < sizeof($columnEncryption); ++$i) {
 sqlsrv_free_stmt($stmt);
 } else {
 // The INSERT query succeeded with bad credentials, which
- // should only happen when encryption is not enabled.
- if (AE\isDataEncrypted()) {
+ // should only happen when 1. encryption is not enabled or
+ // 2. when ColumnEncryption is set to something other than
+ // enabled or disabled (i.e. $i == 2), and the server is
+ // not enclave-enabled
+ if (!(!AE\isDataEncrypted() or ($i == 2 and !$isEnclaveEnabled))) {
 fatalError("Successful insertion with bad credentials\n");
 }
 }
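Review bot: `sqlsrv_query($conn, "DBCC FREEPROCCACHE");` in the `@@ -47,6 +47,30 @@` hunk discards its result, so a test login that is not allowed to run the command leaves the plan cache untouched and the test continues as if it had been cleared. Check the return, e.g. `if (sqlsrv_query($conn, "DBCC FREEPROCCACHE") === false) { fatalError("Could not clear the plan cache\n"); }`, and add a comment above it saying why the cache is cleared and that it affects the whole instance, such as `// Clear cached plans so earlier tests cannot influence the results below (server-wide; needs elevated permission)`. The reason is inferred from the commit message ("Free proc cache before starting test"), so the author should confirm the wording. The PDO hunk at `@@ -48,6 +48,26 @@` has the same unchecked `$conn->query("DBCC FREEPROCCACHE")`.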