PT-191 - add ssl options to DSN

- Added test t/pt-replica-find/ssl.t
- Added option --mysql_ssl to all tools that support own connection
  options

bin/pt-archiver

@@ -8108,6 +8108,12 @@ until the replica is caught up, then proceeds to fetch and archive the row.
 
 This option may eliminate the need for L<"--sleep"> or L<"--sleep-coef">.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --no-ascend
 
 Do not use ascending index optimization.

bin/pt-config-diff

@@ -5791,6 +5791,12 @@ type: array
 
 Ignore, do not compare, these variables.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-deadlock-logger

@@ -5549,6 +5549,12 @@ type: string
 
 Print all output to this file when daemonized.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --numeric-ip
 
 Express IP addresses as integers.

bin/pt-duplicate-key-checker

@@ -5561,6 +5561,12 @@ type: string; default: fk
 
 Check for duplicate f=foreign keys, k=keys or fk=both.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-fk-error-logger

@@ -4546,6 +4546,12 @@ type: string
 
 Print all output to this file when daemonized.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-heartbeat

@@ -7322,6 +7322,12 @@ type: int
 If specified, pt-heartbeat will fail after given number of successive DBI errors
 (failure to connect to server or issue a query).
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-kill

@@ -8743,6 +8743,12 @@ This option makes pt-kill kill matching queries.  This requires MySQL 5.0 or
 newer.  Unlike L<"--kill"> which kills the connection for matching queries,
 this option only kills the query, not its connection.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --print
 
 group: Actions

bin/pt-online-schema-change

@@ -13383,6 +13383,12 @@ until queries are running normally again.  This will not prevent queueing,
 however; it will only give the server a chance to recover from the queueing.  If
 you notice queueing, it is best to decrease the chunk time.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --preserve-triggers
 
 Preserves old triggers when specified.

bin/pt-replica-find

@@ -4444,6 +4444,12 @@ short form: -h; type: string
 
 Connect to host.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-replica-restart

@@ -6036,6 +6036,12 @@ See L<"SLEEP">.
 Whether to monitor the replica (default).  Unless you specify --monitor
 explicitly, L<"--stop"> will disable it.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-show-grants

@@ -2471,6 +2471,12 @@ type: array
 
 Ignore this comma-separated list of users.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --only
 
 type: array

bin/pt-table-checksum

@@ -13336,6 +13336,16 @@ This is useful in cases where you have trouble checksumming tables with keys tha
 include a binary data type or that have non-standard character sets.
 See L<"--replicate">.
 
+=item --charset
+
+short form: -A; type: string
+
+Default character set.  If the value is utf8, sets Perl's binmode on
+STDOUT to utf8, passes the mysql_enable_utf8 option to DBD::mysql, and
+runs SET NAMES UTF8 after connecting to MySQL.  Any other value sets
+binmode on STDOUT without the utf8 layer, and runs SET NAMES after
+connecting to MySQL.
+
 =item --check-interval
 
 type: time; default: 1; group: Throttle
@@ -13761,6 +13771,12 @@ wait until queries are running normally again.  This will not prevent queueing,
 however; it will only give the server a chance to recover from the queueing.  If
 you notice queueing, it is best to decrease the chunk time.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string; group: Connection

bin/pt-table-sync

@@ -12909,6 +12909,12 @@ dump and reload or even something like L<pt-archiver>).  It requires exactly two
 DSNs and assumes they are on the same server, so it does no waiting for
 replication or the like.  Tables are locked with LOCK TABLES.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-table-usage

@@ -8372,6 +8372,12 @@ type: string
 
 Print all output to this file when daemonized.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-upgrade

@@ -11198,6 +11198,12 @@ Max number of examples to list for each L<"QUERY DIFFERENCES">.  A query
 class is reported as soon as this many examples for any type of query
 difference are found.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

bin/pt-variable-advisor

@@ -6154,6 +6154,12 @@ Ignore these rule IDs.
 Specify a comma-separated list of rule IDs (e.g. LIT.001,RES.002,etc.)
 to ignore.
 
+=item --mysql_ssl
+
+short form: -s; type: int
+
+Create SSL MySQL connection.
+
 =item --password
 
 short form: -p; type: string

t/pt-replica-find/ssl.t

@@ -0,0 +1,126 @@
+#!/usr/bin/env perl
+
+BEGIN {
+   die "The PERCONA_TOOLKIT_BRANCH environment variable is not set.\n"
+      unless $ENV{PERCONA_TOOLKIT_BRANCH} && -d $ENV{PERCONA_TOOLKIT_BRANCH};
+   unshift @INC, "$ENV{PERCONA_TOOLKIT_BRANCH}/lib";
+};
+
+use strict;
+use warnings FATAL => 'all';
+use English qw(-no_match_vars);
+use Test::More;
+
+use PerconaTest;
+use Sandbox;
+require "$trunk/bin/pt-replica-find";
+
+if ( $sandbox_version lt '8.0' ) {
+   plan skip_all => "Requires MySQL 8.0 or newer";
+}
+
+my $dp = new DSNParser(opts=>$dsn_opts);
+my $sb = new Sandbox(basedir => '/tmp', DSNParser => $dp);
+my $source_dbh = $sb->get_dbh_for('source');
+my $replica1_dbh = $sb->get_dbh_for('replica1');
+my $replica2_dbh = $sb->get_dbh_for('replica2');
+my $output;
+
+# This test is sensitive to ghost/old replicas created/destroyed by other
+# tests.  So we stop the replicas, restart the source, and start everything
+# again.  Hopefully this will return the env to its original state.
+$replica2_dbh->do("STOP ${replica_name}");
+$replica1_dbh->do("STOP ${replica_name}");
+diag(`/tmp/12345/stop >/dev/null`);
+diag(`/tmp/12345/start >/dev/null`);
+$replica1_dbh->do("START ${replica_name}");
+$replica2_dbh->do("START ${replica_name}");
+
+if ( !$source_dbh ) {
+   plan skip_all => 'Cannot connect to sandbox source';
+}
+elsif ( !$replica1_dbh ) {
+   plan skip_all => 'Cannot connect to sandbox replica';
+}
+elsif ( !$replica2_dbh ) {
+   plan skip_all => 'Cannot connect to second sandbox replica';
+}
+
+$sb->do_as_root(
+   'source',
+   q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/,
+   q/GRANT REPLICATION SLAVE, PROCESS ON *.* TO sha256_user@'%'/,
+);
+
+# Start an instance
+$output = `$trunk/bin/pt-replica-find h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=0 --report-format hostname 2>&1`;
+
+isnt(
+   $?,
+   0,
+   "Error raised when SSL connection is not used"
+) or diag($output);
+
+like(
+   $output,
+   qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./,
+   'Secure connection error raised when no SSL connection used'
+) or diag($output);
+
+$output = `$trunk/bin/pt-replica-find h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1 --report-format hostname 2>&1`;
+
+is(
+   $?,
+   0,
+   "No error for user, identified with caching_sha2_password"
+) or diag($output);
+
+unlike(
+   $output,
+   qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./,
+   'No secure connection error'
+) or diag($output);
+
+my $expected = <<EOF;
+127.1:12345
++- 127.0.0.1:12346
+   +- 127.0.0.1:12347
+EOF
+
+is($output, $expected, 'Source with replica and replica of replica');
+
+$output = `$trunk/bin/pt-replica-find F=t/pt-archiver/samples/pt-191.cnf,h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1 --report-format hostname  --recurse 0 2>&1`;
+
+is(
+   $?,
+   0,
+   "No error for SSL options in the configuration file"
+) or diag($output);
+
+unlike(
+   $output,
+   qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./,
+   'No secure connection error with correct SSL options in the configuration file'
+) or diag($output);
+
+$output = `$trunk/bin/pt-replica-find F=t/pt-archiver/samples/pt-191-error.cnf,h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1 --report-format hostname  --recurse 0 2>&1`;
+
+isnt(
+   $?,
+   0,
+   "Error for invalid SSL options in the configuration file"
+) or diag($output);
+
+like(
+   $output,
+   qr/SSL connection error: Unable to get private key at/,
+   'SSL connection error with incorrect SSL options in the configuration file'
+) or diag($output);
+
+# #############################################################################
+# Done.
+# #############################################################################
+$sb->do_as_root('source', q/DROP USER 'sha256_user'@'%'/);
+
+ok($sb->ok(), "Sandbox servers") or BAIL_OUT(__FILE__ . " broke the sandbox");
+done_testing;