diff --git a/source/pdo_sqlsrv/pdo_util.cpp b/source/pdo_sqlsrv/pdo_util.cpp index c8942666..c65b4b53 100644 --- a/source/pdo_sqlsrv/pdo_util.cpp +++ b/source/pdo_sqlsrv/pdo_util.cpp @@ -419,11 +419,15 @@ pdo_error PDO_ERRORS[] = { }, { SQLSRV_ERROR_AKV_NAME_MISSING, - { IMSSP, (SQLCHAR*) "ID for Azure Key Vault is missing. A username or client Id is required.", -87, false } + { IMSSP, (SQLCHAR*) "The username or client Id for Azure Key Vault is missing.", -87, false } }, { SQLSRV_ERROR_AKV_SECRET_MISSING, - { IMSSP, (SQLCHAR*) "Secret for Azure Key Vault is missing. A password or client secret is required.", -88, false } + { IMSSP, (SQLCHAR*) "The password or client secret for Azure Key Vault is missing.", -88, false } + }, + { + SQLSRV_ERROR_KEYSTORE_INVALID_VALUE, + { IMSSP, (SQLCHAR*) "Invalid value for loading Azure Key Vault.", -89, false} }, { UINT_MAX, {} } }; diff --git a/source/shared/core_conn.cpp b/source/shared/core_conn.cpp index 8db47e9e..58feb783 100644 --- a/source/shared/core_conn.cpp +++ b/source/shared/core_conn.cpp @@ -945,15 +945,15 @@ void load_azure_key_vault( _Inout_ sqlsrv_conn* conn TSRMLS_DC ) if ( ! conn->ce_option.enabled || ! conn->ce_option.akv_required ) return; - CHECK_CUSTOM_ERROR( conn->ce_option.akv_auth == NULL || Z_STRLEN_P(conn->ce_option.akv_auth) <= 0, conn, SQLSRV_ERROR_AKV_AUTH_MISSING) { + CHECK_CUSTOM_ERROR( conn->ce_option.akv_auth == NULL, conn, SQLSRV_ERROR_AKV_AUTH_MISSING) { throw core::CoreException(); } - CHECK_CUSTOM_ERROR( conn->ce_option.akv_id == NULL || Z_STRLEN_P(conn->ce_option.akv_id) <= 0, conn, SQLSRV_ERROR_AKV_NAME_MISSING) { + CHECK_CUSTOM_ERROR( conn->ce_option.akv_id == NULL, conn, SQLSRV_ERROR_AKV_NAME_MISSING) { throw core::CoreException(); } - CHECK_CUSTOM_ERROR( conn->ce_option.akv_secret == NULL || Z_STRLEN_P(conn->ce_option.akv_secret) <= 0, conn, SQLSRV_ERROR_AKV_SECRET_MISSING) { + CHECK_CUSTOM_ERROR( conn->ce_option.akv_secret == NULL, conn, SQLSRV_ERROR_AKV_SECRET_MISSING) { throw core::CoreException(); } @@ -962,16 +962,8 @@ void load_azure_key_vault( _Inout_ sqlsrv_conn* conn TSRMLS_DC ) char *akv_secret = Z_STRVAL_P( conn->ce_option.akv_secret ); unsigned int id_len = static_cast( Z_STRLEN_P( conn->ce_option.akv_id )); unsigned int key_size = static_cast( Z_STRLEN_P( conn->ce_option.akv_secret )); - - if ( !stricmp(akv_auth, "KeyVaultPassword") ) - { - configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, AKVCFG_AUTHMODE_PASSWORD, 0 ); - } - else if ( !stricmp(akv_auth, "KeyVaultClientSecret") ) - { - configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, AKVCFG_AUTHMODE_CLIENTKEY, 0 ); - } - + + configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, conn->ce_option.akv_mode, 0 ); configure_azure_key_vault( conn, AKV_CONFIG_PRINCIPALID, akv_id, id_len ); configure_azure_key_vault( conn, AKV_CONFIG_AUTHSECRET, akv_secret, key_size ); } @@ -1078,6 +1070,12 @@ void ce_akv_str_set_func::func( _In_ connection_option const* option, _In_ zval* { SQLSRV_ASSERT( Z_TYPE_P( value ) == IS_STRING, "Azure Key Vault keywords accept only strings." ); + size_t value_len = Z_STRLEN_P( value ); + + CHECK_CUSTOM_ERROR( value_len <= 0, conn, SQLSRV_ERROR_KEYSTORE_INVALID_VALUE ) { + throw core::CoreException(); + } + switch( option->conn_option_key ) { case SQLSRV_CONN_OPTION_KEYSTORE_AUTHENTICATION: @@ -1088,6 +1086,7 @@ void ce_akv_str_set_func::func( _In_ connection_option const* option, _In_ zval* throw core::CoreException(); } conn->ce_option.akv_auth = value; + conn->ce_option.akv_mode = stricmp( value_str, "KeyVaultPassword" ) ? AKVCFG_AUTHMODE_CLIENTKEY : AKVCFG_AUTHMODE_PASSWORD; conn->ce_option.akv_required = true; break; } diff --git a/source/shared/core_sqlsrv.h b/source/shared/core_sqlsrv.h index 12c82fc7..1ff7a049 100644 --- a/source/shared/core_sqlsrv.h +++ b/source/shared/core_sqlsrv.h @@ -1055,6 +1055,7 @@ struct stmt_option; // This holds the various details of column encryption. struct col_encryption_option { bool enabled; // column encryption enabled, false by default + SQLINTEGER akv_mode; zval_auto_ptr akv_auth; zval_auto_ptr akv_id; zval_auto_ptr akv_secret; @@ -1717,6 +1718,7 @@ enum SQLSRV_ERROR_CODES { SQLSRV_ERROR_AKV_AUTH_MISSING, SQLSRV_ERROR_AKV_NAME_MISSING, SQLSRV_ERROR_AKV_SECRET_MISSING, + SQLSRV_ERROR_KEYSTORE_INVALID_VALUE, SQLSRV_ERROR_ENCRYPTED_STREAM_FETCH, // Driver specific error codes starts from here. diff --git a/source/sqlsrv/util.cpp b/source/sqlsrv/util.cpp index cc07ac3d..f13e0c07 100644 --- a/source/sqlsrv/util.cpp +++ b/source/sqlsrv/util.cpp @@ -410,11 +410,15 @@ ss_error SS_ERRORS[] = { }, { SQLSRV_ERROR_AKV_NAME_MISSING, - { IMSSP, (SQLCHAR*) "ID for Azure Key Vault is missing. A username or client Id is required.", -112, false } + { IMSSP, (SQLCHAR*) "The username or client Id for Azure Key Vault is missing.", -112, false } }, { SQLSRV_ERROR_AKV_SECRET_MISSING, - { IMSSP, (SQLCHAR*) "Secret for Azure Key Vault is missing. A password or client secret is required.", -113, false } + { IMSSP, (SQLCHAR*) "The password or client secret for Azure Key Vault is missing.", -113, false } + }, + { + SQLSRV_ERROR_KEYSTORE_INVALID_VALUE, + { IMSSP, (SQLCHAR*) "Invalid value for loading Azure Key Vault.", -114, false} }, // terminate the list of errors/warnings diff --git a/test/functional/pdo_sqlsrv/MsSetup.inc b/test/functional/pdo_sqlsrv/MsSetup.inc index e818dca0..e07c46a7 100644 --- a/test/functional/pdo_sqlsrv/MsSetup.inc +++ b/test/functional/pdo_sqlsrv/MsSetup.inc @@ -45,10 +45,10 @@ $keystore = "none"; // key store provider, acceptable values are none, w $dataEncrypted = false; // whether data is to be encrypted // for Azure Key Vault -$keyStoreAuthentication = 'KeyVaultPassword'; // can be KeyVaultPassword or KeyVaultClientSecret -$principalName = 'name'; // for use with KeyVaultPassword -$AKVPassword = 'password'; // for use with KeyVaultPassword -$clientID = 'clientid'; // for use with KeyVaultClientSecret -$AKVSecret = 'secret'; // for use with KeyVaultClientSecret +$AKVKeyStoreAuthentication = 'TARGET_AKV_AUTH'; // can be KeyVaultPassword or KeyVaultClientSecret +$AKVPrincipalName = 'TARGET_AKV_PRINCIPAL_NAME'; // for use with KeyVaultPassword +$AKVPassword = 'TARGET_AKV_PASSWORD'; // for use with KeyVaultPassword +$AKVClientID = 'TARGET_AKV_CLIENT_ID'; // for use with KeyVaultClientSecret +$AKVSecret = 'TARGET_AKV_CLIENT_SECRET'; // for use with KeyVaultClientSecret ?> \ No newline at end of file diff --git a/test/functional/sqlsrv/MsSetup.inc b/test/functional/sqlsrv/MsSetup.inc index 8b71e4bc..1ec7ceef 100644 --- a/test/functional/sqlsrv/MsSetup.inc +++ b/test/functional/sqlsrv/MsSetup.inc @@ -45,10 +45,10 @@ $keystore = "none"; // key store provider, acceptable values are none, w $dataEncrypted = false; // whether data is to be encrypted // for Azure Key Vault -$keyStoreAuthentication = 'KeyVaultPassword'; // can be KeyVaultPassword or KeyVaultClientSecret -$principalName = 'name'; // for use with KeyVaultPassword -$AKVPassword = 'password'; // for use with KeyVaultPassword -$clientID = 'clientid'; // for use with KeyVaultClientSecret -$AKVSecret = 'secret'; // for use with KeyVaultClientSecret +$AKVKeyStoreAuthentication = 'TARGET_AKV_AUTH'; // can be KeyVaultPassword or KeyVaultClientSecret +$AKVPrincipalName = 'TARGET_AKV_PRINCIPAL_NAME'; // for use with KeyVaultPassword +$AKVPassword = 'TARGET_AKV_PASSWORD'; // for use with KeyVaultPassword +$AKVClientID = 'TARGET_AKV_CLIENT_ID'; // for use with KeyVaultClientSecret +$AKVSecret = 'TARGET_AKV_CLIENT_SECRET'; // for use with KeyVaultClientSecret ?>