SSL support for Reactive MySQL Client

Fixes #6321

docs/src/main/asciidoc/native-and-ssl.adoc

@@ -79,7 +79,7 @@ As SSL is de facto the standard nowadays, we decided to enable its support autom
  * the OAuth2 extension (`quarkus-elytron-security-oauth2`),
  * the REST client extension (`quarkus-rest-client`),
  * the Reactive client for PostgreSQL extension (`quarkus-reactive-pg-client`).
-
+ * the Reactive client for MySQL extension (`quarkus-reactive-mysql-client`).
 
 As long as you have one of those extensions in your project, the SSL support will be enabled by default.
 

extensions/reactive-datasource/runtime/pom.xml

@@ -30,6 +30,10 @@
             <groupId>io.vertx</groupId>
             <artifactId>vertx-sql-client</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-vertx-core</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

extensions/reactive-datasource/runtime/src/main/java/io/quarkus/reactive/datasource/runtime/DataSourceReactiveRuntimeConfig.java

@@ -6,6 +6,10 @@
 import io.quarkus.runtime.annotations.ConfigItem;
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
+import io.quarkus.vertx.core.runtime.config.JksConfiguration;
+import io.quarkus.vertx.core.runtime.config.PemKeyCertConfiguration;
+import io.quarkus.vertx.core.runtime.config.PemTrustCertConfiguration;
+import io.quarkus.vertx.core.runtime.config.PfxConfiguration;
 
 /**
  * For now, the reactive extensions only support a default datasource.
@@ -24,4 +28,58 @@ public class DataSourceReactiveRuntimeConfig {
      */
     @ConfigItem
     public OptionalInt maxSize;
+
+    /**
+     * Whether all server certificates should be trusted.
+     */
+    @ConfigItem(defaultValue = "false")
+    public boolean trustAll;
+
+    /**
+     * Trust configuration in the PEM format.
+     * <p>
+     * When enabled, {@link #trustCertificateJks} and {@link #trustCertificatePfx} must be disabled.
+     */
+    @ConfigItem
+    public PemTrustCertConfiguration trustCertificatePem;
+
+    /**
+     * Trust configuration in the JKS format.
+     * <p>
+     * When enabled, {@link #trustCertificatePem} and {@link #trustCertificatePfx} must be disabled.
+     */
+    @ConfigItem
+    public JksConfiguration trustCertificateJks;
+
+    /**
+     * Trust configuration in the PFX format.
+     * <p>
+     * When enabled, {@link #trustCertificateJks} and {@link #trustCertificatePem} must be disabled.
+     */
+    @ConfigItem
+    public PfxConfiguration trustCertificatePfx;
+
+    /**
+     * Key/cert configuration in the PEM format.
+     * <p>
+     * When enabled, {@link #keyCertificateJks} and {@link #keyCertificatePfx} must be disabled.
+     */
+    @ConfigItem
+    public PemKeyCertConfiguration keyCertificatePem;
+
+    /**
+     * Key/cert configuration in the JKS format.
+     * <p>
+     * When enabled, {@link #keyCertificatePem} and {@link #keyCertificatePfx} must be disabled.
+     */
+    @ConfigItem
+    public JksConfiguration keyCertificateJks;
+
+    /**
+     * Key/cert configuration in the PFX format.
+     * <p>
+     * When enabled, {@link #keyCertificateJks} and {@link #keyCertificatePem} must be disabled.
+     */
+    @ConfigItem
+    public PfxConfiguration keyCertificatePfx;
 }

extensions/reactive-mysql-client/deployment/src/main/java/io/quarkus/reactive/mysql/client/deployment/ReactiveMySQLClientProcessor.java

@@ -11,6 +11,7 @@
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Record;
+import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.ServiceStartBuildItem;
 import io.quarkus.deployment.builditem.ShutdownContextBuildItem;
@@ -42,6 +43,7 @@ ServiceStartBuildItem build(BuildProducer<FeatureBuildItem> feature,
             MySQLPoolRecorder recorder,
             VertxBuildItem vertx,
             BeanContainerBuildItem beanContainer, ShutdownContextBuildItem shutdown,
+            BuildProducer<ExtensionSslNativeSupportBuildItem> sslNativeSupport,
             DataSourcesBuildTimeConfig dataSourcesBuildTimeConfig, DataSourcesRuntimeConfig dataSourcesRuntimeConfig,
             DataSourceReactiveBuildTimeConfig dataSourceReactiveBuildTimeConfig,
             DataSourceReactiveRuntimeConfig dataSourceReactiveRuntimeConfig,
@@ -72,6 +74,9 @@ ServiceStartBuildItem build(BuildProducer<FeatureBuildItem> feature,
         boolean isDefault = true; // assume always the default pool for now
         vertxPool.produce(new VertxPoolBuildItem(mySqlPool, DatabaseKind.MYSQL, isDefault));
 
+        // Enable SSL support by default
+        sslNativeSupport.produce(new ExtensionSslNativeSupportBuildItem(Feature.REACTIVE_MYSQL_CLIENT));
+
         return serviceStart;
     }
 

extensions/reactive-mysql-client/runtime/src/main/java/io/quarkus/reactive/mysql/client/runtime/DataSourceReactiveMySQLConfig.java

@@ -5,6 +5,7 @@
 import io.quarkus.runtime.annotations.ConfigItem;
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
+import io.vertx.mysqlclient.SslMode;
 
 @ConfigRoot(name = "datasource.reactive.mysql", phase = ConfigPhase.RUN_TIME)
 public class DataSourceReactiveMySQLConfig {
@@ -26,4 +27,13 @@ public class DataSourceReactiveMySQLConfig {
      */
     @ConfigItem
     public Optional<String> collation;
+
+    /**
+     * Desired security state of the connection to the server.
+     * <p>
+     * See <a href="https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-mode">MySQL Reference
+     * Manual</a>.
+     */
+    @ConfigItem(defaultValueDocumentation = "disabled")
+    public Optional<SslMode> sslMode;
 }

extensions/reactive-mysql-client/runtime/src/main/java/io/quarkus/reactive/mysql/client/runtime/MySQLPoolRecorder.java

@@ -2,6 +2,12 @@
 
 import static io.quarkus.credentials.CredentialsProvider.PASSWORD_PROPERTY_NAME;
 import static io.quarkus.credentials.CredentialsProvider.USER_PROPERTY_NAME;
+import static io.quarkus.vertx.core.runtime.SSLConfigHelper.configureJksKeyCertOptions;
+import static io.quarkus.vertx.core.runtime.SSLConfigHelper.configureJksTrustOptions;
+import static io.quarkus.vertx.core.runtime.SSLConfigHelper.configurePemKeyCertOptions;
+import static io.quarkus.vertx.core.runtime.SSLConfigHelper.configurePemTrustOptions;
+import static io.quarkus.vertx.core.runtime.SSLConfigHelper.configurePfxKeyCertOptions;
+import static io.quarkus.vertx.core.runtime.SSLConfigHelper.configurePfxTrustOptions;
 
 import java.util.Map;
 
@@ -122,6 +128,20 @@ private MySQLConnectOptions toMySQLConnectOptions(DataSourceRuntimeConfig dataSo
             mysqlConnectOptions.setCollation(dataSourceReactiveMySQLConfig.collation.get());
         }
 
+        if (dataSourceReactiveMySQLConfig.sslMode.isPresent()) {
+            mysqlConnectOptions.setSslMode(dataSourceReactiveMySQLConfig.sslMode.get());
+        }
+
+        mysqlConnectOptions.setTrustAll(dataSourceReactiveRuntimeConfig.trustAll);
+
+        configurePemTrustOptions(mysqlConnectOptions, dataSourceReactiveRuntimeConfig.trustCertificatePem);
+        configureJksTrustOptions(mysqlConnectOptions, dataSourceReactiveRuntimeConfig.trustCertificateJks);
+        configurePfxTrustOptions(mysqlConnectOptions, dataSourceReactiveRuntimeConfig.trustCertificatePfx);
+
+        configurePemKeyCertOptions(mysqlConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificatePem);
+        configureJksKeyCertOptions(mysqlConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificateJks);
+        configurePfxKeyCertOptions(mysqlConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificatePfx);
+
         return mysqlConnectOptions;
     }
 

extensions/reactive-pg-client/runtime/src/main/java/io/quarkus/reactive/pg/client/runtime/DataSourceReactivePostgreSQLConfig.java

@@ -6,10 +6,6 @@
 import io.quarkus.runtime.annotations.ConfigItem;
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
-import io.quarkus.vertx.core.runtime.config.JksConfiguration;
-import io.quarkus.vertx.core.runtime.config.PemKeyCertConfiguration;
-import io.quarkus.vertx.core.runtime.config.PemTrustCertConfiguration;
-import io.quarkus.vertx.core.runtime.config.PfxConfiguration;
 import io.vertx.pgclient.SslMode;
 
 @ConfigRoot(name = "datasource.reactive.postgresql", phase = ConfigPhase.RUN_TIME)
@@ -35,52 +31,4 @@ public class DataSourceReactivePostgreSQLConfig {
      */
     @ConfigItem(defaultValueDocumentation = "disable")
     public Optional<SslMode> sslMode;
-
-    /**
-     * Trust configuration in the PEM format.
-     * <p>
-     * When enabled, {@link #trustCertificateJks} and {@link #trustCertificatePfx} must be disabled.
-     */
-    @ConfigItem
-    public PemTrustCertConfiguration trustCertificatePem;
-
-    /**
-     * Trust configuration in the JKS format.
-     * <p>
-     * When enabled, {@link #trustCertificatePem} and {@link #trustCertificatePfx} must be disabled.
-     */
-    @ConfigItem
-    public JksConfiguration trustCertificateJks;
-
-    /**
-     * Trust configuration in the PFX format.
-     * <p>
-     * When enabled, {@link #trustCertificateJks} and {@link #trustCertificatePem} must be disabled.
-     */
-    @ConfigItem
-    public PfxConfiguration trustCertificatePfx;
-
-    /**
-     * Key/cert configuration in the PEM format.
-     * <p>
-     * When enabled, {@link #keyCertificateJks} and {@link #keyCertificatePfx} must be disabled.
-     */
-    @ConfigItem
-    public PemKeyCertConfiguration keyCertificatePem;
-
-    /**
-     * Key/cert configuration in the JKS format.
-     * <p>
-     * When enabled, {@link #keyCertificatePem} and {@link #keyCertificatePfx} must be disabled.
-     */
-    @ConfigItem
-    public JksConfiguration keyCertificateJks;
-
-    /**
-     * Key/cert configuration in the PFX format.
-     * <p>
-     * When enabled, {@link #keyCertificateJks} and {@link #keyCertificatePem} must be disabled.
-     */
-    @ConfigItem
-    public PfxConfiguration keyCertificatePfx;
 }

extensions/reactive-pg-client/runtime/src/main/java/io/quarkus/reactive/pg/client/runtime/PgPoolRecorder.java

@@ -131,13 +131,15 @@ private PgConnectOptions toPgConnectOptions(DataSourceRuntimeConfig dataSourceRu
             pgConnectOptions.setSslMode(dataSourceReactivePostgreSQLConfig.sslMode.get());
         }
 
-        configurePemTrustOptions(pgConnectOptions, dataSourceReactivePostgreSQLConfig.trustCertificatePem);
-        configureJksTrustOptions(pgConnectOptions, dataSourceReactivePostgreSQLConfig.trustCertificateJks);
-        configurePfxTrustOptions(pgConnectOptions, dataSourceReactivePostgreSQLConfig.trustCertificatePfx);
+        pgConnectOptions.setTrustAll(dataSourceReactiveRuntimeConfig.trustAll);
 
-        configurePemKeyCertOptions(pgConnectOptions, dataSourceReactivePostgreSQLConfig.keyCertificatePem);
-        configureJksKeyCertOptions(pgConnectOptions, dataSourceReactivePostgreSQLConfig.keyCertificateJks);
-        configurePfxKeyCertOptions(pgConnectOptions, dataSourceReactivePostgreSQLConfig.keyCertificatePfx);
+        configurePemTrustOptions(pgConnectOptions, dataSourceReactiveRuntimeConfig.trustCertificatePem);
+        configureJksTrustOptions(pgConnectOptions, dataSourceReactiveRuntimeConfig.trustCertificateJks);
+        configurePfxTrustOptions(pgConnectOptions, dataSourceReactiveRuntimeConfig.trustCertificatePfx);
+
+        configurePemKeyCertOptions(pgConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificatePem);
+        configureJksKeyCertOptions(pgConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificateJks);
+        configurePfxKeyCertOptions(pgConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificatePfx);
 
         return pgConnectOptions;
     }