Changes according to PR review comments
parent
f49da62e5b
commit
fb1a2ecb70
|
@ -419,11 +419,15 @@ pdo_error PDO_ERRORS[] = {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
SQLSRV_ERROR_AKV_NAME_MISSING,
|
SQLSRV_ERROR_AKV_NAME_MISSING,
|
||||||
{ IMSSP, (SQLCHAR*) "ID for Azure Key Vault is missing. A username or client Id is required.", -87, false }
|
{ IMSSP, (SQLCHAR*) "The username or client Id for Azure Key Vault is missing.", -87, false }
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
SQLSRV_ERROR_AKV_SECRET_MISSING,
|
SQLSRV_ERROR_AKV_SECRET_MISSING,
|
||||||
{ IMSSP, (SQLCHAR*) "Secret for Azure Key Vault is missing. A password or client secret is required.", -88, false }
|
{ IMSSP, (SQLCHAR*) "The password or client secret for Azure Key Vault is missing.", -88, false }
|
||||||
|
},
|
||||||
|
{
|
||||||
|
SQLSRV_ERROR_KEYSTORE_INVALID_VALUE,
|
||||||
|
{ IMSSP, (SQLCHAR*) "Invalid value for loading Azure Key Vault.", -89, false}
|
||||||
},
|
},
|
||||||
{ UINT_MAX, {} }
|
{ UINT_MAX, {} }
|
||||||
};
|
};
|
||||||
|
|
|
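Review bot: The new `SQLSRV_ERROR_KEYSTORE_INVALID_VALUE` entry says only "Invalid value for loading Azure Key Vault.", which tells the user neither which connection keyword was rejected nor that the cause is an empty string. The only check shown raising it is the `value_len <= 0` test in `ce_akv_str_set_func::func`, so wording such as `"An Azure Key Vault keyword was given an empty value."` would be more actionable. If the message is later parameterised, pass the keyword name and never the value, since that value may be the password or client secret. The matching `SS_ERRORS` entry (-114) has the same wording, and both new initialisers end in `false}` where the neighbouring entries use `false }`.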
@ -945,15 +945,15 @@ void load_azure_key_vault( _Inout_ sqlsrv_conn* conn TSRMLS_DC )
|
||||||
if ( ! conn->ce_option.enabled || ! conn->ce_option.akv_required )
|
if ( ! conn->ce_option.enabled || ! conn->ce_option.akv_required )
|
||||||
return;
|
return;
|
||||||
|
|
||||||
CHECK_CUSTOM_ERROR( conn->ce_option.akv_auth == NULL || Z_STRLEN_P(conn->ce_option.akv_auth) <= 0, conn, SQLSRV_ERROR_AKV_AUTH_MISSING) {
|
CHECK_CUSTOM_ERROR( conn->ce_option.akv_auth == NULL, conn, SQLSRV_ERROR_AKV_AUTH_MISSING) {
|
||||||
throw core::CoreException();
|
throw core::CoreException();
|
||||||
}
|
}
|
||||||
|
|
||||||
CHECK_CUSTOM_ERROR( conn->ce_option.akv_id == NULL || Z_STRLEN_P(conn->ce_option.akv_id) <= 0, conn, SQLSRV_ERROR_AKV_NAME_MISSING) {
|
CHECK_CUSTOM_ERROR( conn->ce_option.akv_id == NULL, conn, SQLSRV_ERROR_AKV_NAME_MISSING) {
|
||||||
throw core::CoreException();
|
throw core::CoreException();
|
||||||
}
|
}
|
||||||
|
|
||||||
CHECK_CUSTOM_ERROR( conn->ce_option.akv_secret == NULL || Z_STRLEN_P(conn->ce_option.akv_secret) <= 0, conn, SQLSRV_ERROR_AKV_SECRET_MISSING) {
|
CHECK_CUSTOM_ERROR( conn->ce_option.akv_secret == NULL, conn, SQLSRV_ERROR_AKV_SECRET_MISSING) {
|
||||||
throw core::CoreException();
|
throw core::CoreException();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -963,15 +963,7 @@ void load_azure_key_vault( _Inout_ sqlsrv_conn* conn TSRMLS_DC )
|
||||||
unsigned int id_len = static_cast<unsigned int>( Z_STRLEN_P( conn->ce_option.akv_id ));
|
unsigned int id_len = static_cast<unsigned int>( Z_STRLEN_P( conn->ce_option.akv_id ));
|
||||||
unsigned int key_size = static_cast<unsigned int>( Z_STRLEN_P( conn->ce_option.akv_secret ));
|
unsigned int key_size = static_cast<unsigned int>( Z_STRLEN_P( conn->ce_option.akv_secret ));
|
||||||
|
|
||||||
if ( !stricmp(akv_auth, "KeyVaultPassword") )
|
configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, conn->ce_option.akv_mode, 0 );
|
||||||
{
|
|
||||||
configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, AKVCFG_AUTHMODE_PASSWORD, 0 );
|
|
||||||
}
|
|
||||||
else if ( !stricmp(akv_auth, "KeyVaultClientSecret") )
|
|
||||||
{
|
|
||||||
configure_azure_key_vault( conn, AKV_CONFIG_FLAGS, AKVCFG_AUTHMODE_CLIENTKEY, 0 );
|
|
||||||
}
|
|
||||||
|
|
||||||
configure_azure_key_vault( conn, AKV_CONFIG_PRINCIPALID, akv_id, id_len );
|
configure_azure_key_vault( conn, AKV_CONFIG_PRINCIPALID, akv_id, id_len );
|
||||||
configure_azure_key_vault( conn, AKV_CONFIG_AUTHSECRET, akv_secret, key_size );
|
configure_azure_key_vault( conn, AKV_CONFIG_AUTHSECRET, akv_secret, key_size );
|
||||||
}
|
}
|
||||||
|
@ -1078,6 +1070,12 @@ void ce_akv_str_set_func::func( _In_ connection_option const* option, _In_ zval*
|
||||||
{
|
{
|
||||||
SQLSRV_ASSERT( Z_TYPE_P( value ) == IS_STRING, "Azure Key Vault keywords accept only strings." );
|
SQLSRV_ASSERT( Z_TYPE_P( value ) == IS_STRING, "Azure Key Vault keywords accept only strings." );
|
||||||
|
|
||||||
|
size_t value_len = Z_STRLEN_P( value );
|
||||||
|
|
||||||
|
CHECK_CUSTOM_ERROR( value_len <= 0, conn, SQLSRV_ERROR_KEYSTORE_INVALID_VALUE ) {
|
||||||
|
throw core::CoreException();
|
||||||
|
}
|
||||||
|
|
||||||
switch( option->conn_option_key )
|
switch( option->conn_option_key )
|
||||||
{
|
{
|
||||||
case SQLSRV_CONN_OPTION_KEYSTORE_AUTHENTICATION:
|
case SQLSRV_CONN_OPTION_KEYSTORE_AUTHENTICATION:
|
||||||
|
@ -1088,6 +1086,7 @@ void ce_akv_str_set_func::func( _In_ connection_option const* option, _In_ zval*
|
||||||
throw core::CoreException();
|
throw core::CoreException();
|
||||||
}
|
}
|
||||||
conn->ce_option.akv_auth = value;
|
conn->ce_option.akv_auth = value;
|
||||||
|
conn->ce_option.akv_mode = stricmp( value_str, "KeyVaultPassword" ) ? AKVCFG_AUTHMODE_CLIENTKEY : AKVCFG_AUTHMODE_PASSWORD;
|
||||||
conn->ce_option.akv_required = true;
|
conn->ce_option.akv_required = true;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
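Review bot: The new `akv_mode` assignment in `ce_akv_str_set_func::func` maps every string other than "KeyVaultPassword" to `AKVCFG_AUTHMODE_CLIENTKEY`, so it is only correct if the validation ending in the `throw core::CoreException();` just above it has already rejected everything except the two accepted names. That validation starts outside this hunk. I would either test both names explicitly and fail otherwise, or record the dependency with a comment such as `// value_str was validated above: only KeyVaultPassword or KeyVaultClientSecret reach this point`. Separately, `value_len` is a `size_t`, so `value_len <= 0` can only mean zero and `value_len == 0` states that directly. With the `Z_STRLEN_P(...) <= 0` tests removed from `load_azure_key_vault`, this setter is now the only empty-value guard, so any other code that assigns `akv_id` or `akv_secret` (none is visible here) would need the same check.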
@ -1055,6 +1055,7 @@ struct stmt_option;
|
||||||
// This holds the various details of column encryption.
|
// This holds the various details of column encryption.
|
||||||
struct col_encryption_option {
|
struct col_encryption_option {
|
||||||
bool enabled; // column encryption enabled, false by default
|
bool enabled; // column encryption enabled, false by default
|
||||||
|
SQLINTEGER akv_mode;
|
||||||
zval_auto_ptr akv_auth;
|
zval_auto_ptr akv_auth;
|
||||||
zval_auto_ptr akv_id;
|
zval_auto_ptr akv_id;
|
||||||
zval_auto_ptr akv_secret;
|
zval_auto_ptr akv_secret;
|
||||||
|
@ -1717,6 +1718,7 @@ enum SQLSRV_ERROR_CODES {
|
||||||
SQLSRV_ERROR_AKV_AUTH_MISSING,
|
SQLSRV_ERROR_AKV_AUTH_MISSING,
|
||||||
SQLSRV_ERROR_AKV_NAME_MISSING,
|
SQLSRV_ERROR_AKV_NAME_MISSING,
|
||||||
SQLSRV_ERROR_AKV_SECRET_MISSING,
|
SQLSRV_ERROR_AKV_SECRET_MISSING,
|
||||||
|
SQLSRV_ERROR_KEYSTORE_INVALID_VALUE,
|
||||||
SQLSRV_ERROR_ENCRYPTED_STREAM_FETCH,
|
SQLSRV_ERROR_ENCRYPTED_STREAM_FETCH,
|
||||||
|
|
||||||
// Driver specific error codes starts from here.
|
// Driver specific error codes starts from here.
|
||||||
|
|
|
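Review bot: The new `SQLINTEGER akv_mode;` member of `col_encryption_option` has no comment and no initialiser in this hunk, yet `load_azure_key_vault` now passes it straight to `configure_azure_key_vault`. Today it is read only after the `akv_auth == NULL` check, and the setter writes `akv_auth` and `akv_mode` together, so the read looks guarded. Any constructor for the struct is outside the hunk, though, so I cannot confirm a defined default. I would give the member a defined default where the struct is initialised and document it, e.g. `SQLINTEGER akv_mode; // AKV authentication mode (AKVCFG_AUTHMODE_*), set together with akv_auth`. In the enum hunk, inserting `SQLSRV_ERROR_KEYSTORE_INVALID_VALUE` mid-list renumbers the enumerators after it, which is fine only if nothing stores or compares those values numerically.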
@ -410,11 +410,15 @@ ss_error SS_ERRORS[] = {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
SQLSRV_ERROR_AKV_NAME_MISSING,
|
SQLSRV_ERROR_AKV_NAME_MISSING,
|
||||||
{ IMSSP, (SQLCHAR*) "ID for Azure Key Vault is missing. A username or client Id is required.", -112, false }
|
{ IMSSP, (SQLCHAR*) "The username or client Id for Azure Key Vault is missing.", -112, false }
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
SQLSRV_ERROR_AKV_SECRET_MISSING,
|
SQLSRV_ERROR_AKV_SECRET_MISSING,
|
||||||
{ IMSSP, (SQLCHAR*) "Secret for Azure Key Vault is missing. A password or client secret is required.", -113, false }
|
{ IMSSP, (SQLCHAR*) "The password or client secret for Azure Key Vault is missing.", -113, false }
|
||||||
|
},
|
||||||
|
{
|
||||||
|
SQLSRV_ERROR_KEYSTORE_INVALID_VALUE,
|
||||||
|
{ IMSSP, (SQLCHAR*) "Invalid value for loading Azure Key Vault.", -114, false}
|
||||||
},
|
},
|
||||||
|
|
||||||
// terminate the list of errors/warnings
|
// terminate the list of errors/warnings
|
||||||
|
|
|
@ -45,10 +45,10 @@ $keystore = "none"; // key store provider, acceptable values are none, w
|
||||||
$dataEncrypted = false; // whether data is to be encrypted
|
$dataEncrypted = false; // whether data is to be encrypted
|
||||||
|
|
||||||
// for Azure Key Vault
|
// for Azure Key Vault
|
||||||
$keyStoreAuthentication = 'KeyVaultPassword'; // can be KeyVaultPassword or KeyVaultClientSecret
|
$AKVKeyStoreAuthentication = 'TARGET_AKV_AUTH'; // can be KeyVaultPassword or KeyVaultClientSecret
|
||||||
$principalName = 'name'; // for use with KeyVaultPassword
|
$AKVPrincipalName = 'TARGET_AKV_PRINCIPAL_NAME'; // for use with KeyVaultPassword
|
||||||
$AKVPassword = 'password'; // for use with KeyVaultPassword
|
$AKVPassword = 'TARGET_AKV_PASSWORD'; // for use with KeyVaultPassword
|
||||||
$clientID = 'clientid'; // for use with KeyVaultClientSecret
|
$AKVClientID = 'TARGET_AKV_CLIENT_ID'; // for use with KeyVaultClientSecret
|
||||||
$AKVSecret = 'secret'; // for use with KeyVaultClientSecret
|
$AKVSecret = 'TARGET_AKV_CLIENT_SECRET'; // for use with KeyVaultClientSecret
|
||||||
|
|
||||||
?>
|
?>
|
|
@ -45,10 +45,10 @@ $keystore = "none"; // key store provider, acceptable values are none, w
|
||||||
$dataEncrypted = false; // whether data is to be encrypted
|
$dataEncrypted = false; // whether data is to be encrypted
|
||||||
|
|
||||||
// for Azure Key Vault
|
// for Azure Key Vault
|
||||||
$keyStoreAuthentication = 'KeyVaultPassword'; // can be KeyVaultPassword or KeyVaultClientSecret
|
$AKVKeyStoreAuthentication = 'TARGET_AKV_AUTH'; // can be KeyVaultPassword or KeyVaultClientSecret
|
||||||
$principalName = 'name'; // for use with KeyVaultPassword
|
$AKVPrincipalName = 'TARGET_AKV_PRINCIPAL_NAME'; // for use with KeyVaultPassword
|
||||||
$AKVPassword = 'password'; // for use with KeyVaultPassword
|
$AKVPassword = 'TARGET_AKV_PASSWORD'; // for use with KeyVaultPassword
|
||||||
$clientID = 'clientid'; // for use with KeyVaultClientSecret
|
$AKVClientID = 'TARGET_AKV_CLIENT_ID'; // for use with KeyVaultClientSecret
|
||||||
$AKVSecret = 'secret'; // for use with KeyVaultClientSecret
|
$AKVSecret = 'TARGET_AKV_CLIENT_SECRET'; // for use with KeyVaultClientSecret
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|