Changes according to PR review comments

source/pdo_sqlsrv/pdo_util.cpp

@@ -419,11 +419,15 @@ pdo_error PDO_ERRORS[] = {
     },
     {
         SQLSRV_ERROR_AKV_NAME_MISSING,
-        { IMSSP, (SQLCHAR*) "ID for Azure Key Vault is missing. A username or client Id is required.", -87, false }
+        { IMSSP, (SQLCHAR*) "The username or client Id for Azure Key Vault is missing.", -87, false }
     },
     {
         SQLSRV_ERROR_AKV_SECRET_MISSING,
-        { IMSSP, (SQLCHAR*) "Secret for Azure Key Vault is missing. A password or client secret is required.", -88, false }
+        { IMSSP, (SQLCHAR*) "The password or client secret for Azure Key Vault is missing.", -88, false }
+    },
+    {
+        SQLSRV_ERROR_KEYSTORE_INVALID_VALUE,
+        { IMSSP, (SQLCHAR*) "Invalid value for loading Azure Key Vault.", -89, false}
     },
     { UINT_MAX, {} }
 };

source/shared/core_conn.cpp

@@ -945,15 +945,15 @@ void load_azure_key_vault( _Inout_ sqlsrv_conn* conn TSRMLS_DC )
     if ( ! conn->ce_option.enabled || ! conn->ce_option.akv_required )
         return;
     
-    CHECK_CUSTOM_ERROR( conn->ce_option.akv_auth == NULL || Z_STRLEN_P(conn->ce_option.akv_auth) <= 0, conn, SQLSRV_ERROR_AKV_AUTH_MISSING) {
+    CHECK_CUSTOM_ERROR( conn->ce_option.akv_auth == NULL, conn, SQLSRV_ERROR_AKV_AUTH_MISSING) {
         throw core::CoreException();
     }
 
-    CHECK_CUSTOM_ERROR( conn->ce_option.akv_id == NULL || Z_STRLEN_P(conn->ce_option.akv_id) <= 0, conn, SQLSRV_ERROR_AKV_NAME_MISSING) {
+    CHECK_CUSTOM_ERROR( conn->ce_option.akv_id == NULL, conn, SQLSRV_ERROR_AKV_NAME_MISSING) {
         throw core::CoreException();
     }
 
-    CHECK_CUSTOM_ERROR( conn->ce_option.akv_secret == NULL || Z_STRLEN_P(conn->ce_option.akv_secret) <= 0, conn, SQLSRV_ERROR_AKV_SECRET_MISSING) {
+    CHECK_CUSTOM_ERROR( conn->ce_option.akv_secret == NULL, conn, SQLSRV_ERROR_AKV_SECRET_MISSING) {
         throw core::CoreException();
     }
     
@@ -962,16 +962,8 @@ void load_azure_key_vault( _Inout_ sqlsrv_conn* conn TSRMLS_DC )
     char *akv_secret = Z_STRVAL_P( conn->ce_option.akv_secret );    
     unsigned int id_len = static_cast<unsigned int>( Z_STRLEN_P( conn->ce_option.akv_id ));
     unsigned int key_size = static_cast<unsigned int>( Z_STRLEN_P( conn->ce_option.akv_secret ));    
-      
-    if ( !stricmp(akv_auth, "KeyVaultPassword") )
-    {
-        configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, AKVCFG_AUTHMODE_PASSWORD, 0 );
-    }
-    else if ( !stricmp(akv_auth, "KeyVaultClientSecret") )
-    {
-        configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, AKVCFG_AUTHMODE_CLIENTKEY, 0 );
-    }
-    
+
+    configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, conn->ce_option.akv_mode, 0 );
     configure_azure_key_vault( conn, AKV_CONFIG_PRINCIPALID, akv_id, id_len );
     configure_azure_key_vault( conn, AKV_CONFIG_AUTHSECRET, akv_secret, key_size );
 }
@@ -1078,6 +1070,12 @@ void ce_akv_str_set_func::func( _In_ connection_option const* option, _In_ zval*
 {
     SQLSRV_ASSERT( Z_TYPE_P( value ) == IS_STRING, "Azure Key Vault keywords accept only strings." );
         
+    size_t value_len = Z_STRLEN_P( value );
+
+    CHECK_CUSTOM_ERROR( value_len <= 0, conn, SQLSRV_ERROR_KEYSTORE_INVALID_VALUE ) {
+        throw core::CoreException();
+    }
+    
     switch( option->conn_option_key )
     {
         case SQLSRV_CONN_OPTION_KEYSTORE_AUTHENTICATION: 
@@ -1088,6 +1086,7 @@ void ce_akv_str_set_func::func( _In_ connection_option const* option, _In_ zval*
                 throw core::CoreException();
             }
             conn->ce_option.akv_auth = value;
+            conn->ce_option.akv_mode = stricmp( value_str, "KeyVaultPassword" ) ? AKVCFG_AUTHMODE_CLIENTKEY : AKVCFG_AUTHMODE_PASSWORD;
             conn->ce_option.akv_required = true;
             break;
         }

source/shared/core_sqlsrv.h

@@ -1055,6 +1055,7 @@ struct stmt_option;
 // This holds the various details of column encryption. 
 struct col_encryption_option {
     bool            enabled;            // column encryption enabled, false by default
+    SQLINTEGER      akv_mode;
     zval_auto_ptr   akv_auth;
     zval_auto_ptr   akv_id;
     zval_auto_ptr   akv_secret;
@@ -1717,6 +1718,7 @@ enum SQLSRV_ERROR_CODES {
     SQLSRV_ERROR_AKV_AUTH_MISSING,
     SQLSRV_ERROR_AKV_NAME_MISSING,
     SQLSRV_ERROR_AKV_SECRET_MISSING,
+    SQLSRV_ERROR_KEYSTORE_INVALID_VALUE,
     SQLSRV_ERROR_ENCRYPTED_STREAM_FETCH,
 
     // Driver specific error codes starts from here.

source/sqlsrv/util.cpp

@@ -410,11 +410,15 @@ ss_error SS_ERRORS[] = {
     },
     {
         SQLSRV_ERROR_AKV_NAME_MISSING,
-        { IMSSP, (SQLCHAR*) "ID for Azure Key Vault is missing. A username or client Id is required.", -112, false }
+        { IMSSP, (SQLCHAR*) "The username or client Id for Azure Key Vault is missing.", -112, false }
     },
     {
         SQLSRV_ERROR_AKV_SECRET_MISSING,
-        { IMSSP, (SQLCHAR*) "Secret for Azure Key Vault is missing. A password or client secret is required.", -113, false }
+        { IMSSP, (SQLCHAR*) "The password or client secret for Azure Key Vault is missing.", -113, false }
+    },
+    {
+        SQLSRV_ERROR_KEYSTORE_INVALID_VALUE,
+        { IMSSP, (SQLCHAR*) "Invalid value for loading Azure Key Vault.", -114, false}
     },
 
     // terminate the list of errors/warnings

test/functional/pdo_sqlsrv/MsSetup.inc

@@ -45,10 +45,10 @@ $keystore = "none";         // key store provider, acceptable values are none, w
 $dataEncrypted = false;     // whether data is to be encrypted
 
 // for Azure Key Vault
-$keyStoreAuthentication = 'KeyVaultPassword';   // can be KeyVaultPassword or KeyVaultClientSecret
-$principalName = 'name';                        // for use with KeyVaultPassword
-$AKVPassword = 'password';                      // for use with KeyVaultPassword
-$clientID = 'clientid';                         // for use with KeyVaultClientSecret
-$AKVSecret = 'secret';                          // for use with KeyVaultClientSecret
+$AKVKeyStoreAuthentication = 'TARGET_AKV_AUTH';   // can be KeyVaultPassword or KeyVaultClientSecret
+$AKVPrincipalName = 'TARGET_AKV_PRINCIPAL_NAME';  // for use with KeyVaultPassword
+$AKVPassword = 'TARGET_AKV_PASSWORD';             // for use with KeyVaultPassword
+$AKVClientID = 'TARGET_AKV_CLIENT_ID';            // for use with KeyVaultClientSecret
+$AKVSecret = 'TARGET_AKV_CLIENT_SECRET';          // for use with KeyVaultClientSecret
 
 ?>

test/functional/sqlsrv/MsSetup.inc

@@ -45,10 +45,10 @@ $keystore = "none";         // key store provider, acceptable values are none, w
 $dataEncrypted = false;     // whether data is to be encrypted
 
 // for Azure Key Vault
-$keyStoreAuthentication = 'KeyVaultPassword';   // can be KeyVaultPassword or KeyVaultClientSecret
-$principalName = 'name';                        // for use with KeyVaultPassword
-$AKVPassword = 'password';                      // for use with KeyVaultPassword
-$clientID = 'clientid';                         // for use with KeyVaultClientSecret
-$AKVSecret = 'secret';                          // for use with KeyVaultClientSecret
+$AKVKeyStoreAuthentication = 'TARGET_AKV_AUTH';   // can be KeyVaultPassword or KeyVaultClientSecret
+$AKVPrincipalName = 'TARGET_AKV_PRINCIPAL_NAME';  // for use with KeyVaultPassword
+$AKVPassword = 'TARGET_AKV_PASSWORD';             // for use with KeyVaultPassword
+$AKVClientID = 'TARGET_AKV_CLIENT_ID';            // for use with KeyVaultClientSecret
+$AKVSecret = 'TARGET_AKV_CLIENT_SECRET';          // for use with KeyVaultClientSecret
 
 ?>