Add HostNameInCertificate

Author: David Shiflet (from Dev Box)

README.md

@@ -130,6 +130,7 @@ The following switches have different behavior in this version of `sqlcmd` compa
   - If `-N` is provided but `-C` is not, sqlcmd will require validation of the server certificate. Note that a `false` value for encryption could still lead to encryption of the login packet.
   - `-C` has no effect when `strict` value is specified for `-N`.
   - If both `-N` and `-C` are provided, sqlcmd will use their values for encryption negotiation.
+  - To provide the value of the host name in the server certificate when using strict encryption, append the name after a `:` to the `-Ns[trict]`. Example: `-Ns:myhost.domain.com`
   - More information about client/server encryption negotiation can be found at <https://docs.microsoft.com/openspecs/windows_protocols/ms-tds/60f56408-0188-4cd5-8b90-25c6f2423868>
 - `-u` The generated Unicode output file will have the UTF16 Little-Endian Byte-order mark (BOM) written to it.
 - Some behaviors that were kept to maintain compatibility with `OSQL` may be changed, such as alignment of column headers for some data types.

cmd/sqlcmd/sqlcmd.go

@@ -314,14 +314,16 @@ func checkDefaultValue(args []string, i int) (val string) {
 		'k': "0",
 		'L': "|", // | is the sentinel for no value since users are unlikely to use it. It's "reserved" in most shells
 		'X': "0",
-		'N': "true",
 	}
 	if isFlag(args[i]) && (len(args) == i+1 || args[i+1][0] == '-') {
 		if v, ok := flags[rune(args[i][1])]; ok {
 			val = v
 			return
 		}
 	}
+	if args[i] == "-N" && (len(args) == i+1 || args[i+1][0] == '-') {
+		val = "true"
+	}
 	return
 }
 
@@ -406,7 +408,7 @@ func setFlags(rootCmd *cobra.Command, args *SQLCmdArguments) {
 	rootCmd.Flags().StringVarP(&args.EncryptConnection, encryptConnection, "N", "default", localizer.Sprintf("This switch is used by the client to request an encrypted connection"))
 	// Can't use NoOptDefVal until this fix: https://github.com/spf13/cobra/issues/866
 	//rootCmd.Flags().Lookup(encryptConnection).NoOptDefVal = "true"
-	rootCmd.Flags().StringVarP(&args.Format, format, "F", "horiz", localizer.Sprintf("Specifies the formatting for results"))
+	rootCmd.Flags().StringVarP(&args.Format, format, "F", "horiz", localizer.Sprintf("Specifies the formatting for results. Can be either %s or %s. The default is %s.", "horiz[ontal]", "vert[ical]", "horiz[ontal]"))
 	_ = rootCmd.Flags().IntP(errorsToStderr, "r", -1, localizer.Sprintf("%s Redirects error messages with severity >= 11 output to stderr. Pass 1 to to redirect all errors including PRINT.", "-r[0 | 1]"))
 	rootCmd.Flags().IntVar(&args.DriverLoggingLevel, "driver-logging-level", 0, localizer.Sprintf("Level of mssql driver messages to print"))
 	rootCmd.Flags().BoolVarP(&args.ExitOnError, "exit-on-error", "b", false, localizer.Sprintf("Specifies that sqlcmd exits and returns a %s value when an error occurs", localizer.DosErrorLevel))
@@ -463,11 +465,14 @@ func normalizeFlags(cmd *cobra.Command) error {
 			}
 		case encryptConnection:
 			value := strings.ToLower(v)
+			if strictEncryptRegexp.MatchString(value) {
+				return pflag.NormalizedName(name)
+			}
 			switch value {
 			case "mandatory", "yes", "1", "t", "true", "disable", "optional", "no", "0", "f", "false", "strict", "m", "s", "o":
 				return pflag.NormalizedName(name)
 			default:
-				err = invalidParameterError("-N", v, "m[andatory]", "yes", "1", "t[rue]", "disable", "o[ptional]", "no", "0", "f[alse]", "s[trict]")
+				err = invalidParameterError("-N", v, "m[andatory]", "yes", "1", "t[rue]", "disable", "o[ptional]", "no", "0", "f[alse]", "s[trict][:hostnameincertificate]")
 				return pflag.NormalizedName("")
 			}
 		case format:
@@ -525,6 +530,7 @@ func normalizeFlags(cmd *cobra.Command) error {
 var invalidArgRegexp = regexp.MustCompile(`invalid argument \"(.*)\" for \"(-.), (--.*)\"`)
 var missingArgRegexp = regexp.MustCompile(`flag needs an argument: '.' in (-.)`)
 var unknownArgRegexp = regexp.MustCompile(`unknown shorthand flag: '(.)' in -.`)
+var strictEncryptRegexp = regexp.MustCompile(`^((s)|(strict)):(.+)`)
 
 func rangeParameterError(flag string, value string, min int, max int, inclusive bool) error {
 	if inclusive {
@@ -689,15 +695,21 @@ func setConnect(connect *sqlcmd.ConnectSettings, args *SQLCmdArguments, vars *sq
 	connect.DisableVariableSubstitution = args.DisableVariableSubstitution
 	connect.ApplicationIntent = args.ApplicationIntent
 	connect.LoginTimeoutSeconds = args.LoginTimeout
-	switch args.EncryptConnection {
-	case "s":
+	matches := strictEncryptRegexp.FindStringSubmatch(args.EncryptConnection)
+	if len(matches) == 5 {
 		connect.Encrypt = "strict"
-	case "o":
-		connect.Encrypt = "optional"
-	case "m":
-		connect.Encrypt = "mandatory"
-	default:
-		connect.Encrypt = args.EncryptConnection
+		connect.HostNameInCertificate = matches[4]
+	} else {
+		switch args.EncryptConnection {
+		case "s":
+			connect.Encrypt = "strict"
+		case "o":
+			connect.Encrypt = "optional"
+		case "m":
+			connect.Encrypt = "mandatory"
+		default:
+			connect.Encrypt = args.EncryptConnection
+		}
 	}
 	connect.PacketSize = args.PacketSize
 	connect.WorkstationName = args.WorkstationName

cmd/sqlcmd/sqlcmd_test.go

@@ -108,6 +108,9 @@ func TestValidCommandLineToArgsConversion(t *testing.T) {
 		{[]string{"-ifoo.sql", "bar.sql", "-V10"}, func(args SQLCmdArguments) bool {
 			return args.ErrorSeverityLevel == 10 && args.InputFile[0] == "foo.sql" && args.InputFile[1] == "bar.sql"
 		}},
+		{[]string{"-N", "s:myserver.domain.com"}, func(args SQLCmdArguments) bool {
+			return args.EncryptConnection == "s:myserver.domain.com"
+		}},
 	}
 
 	for _, test := range commands {
@@ -580,25 +583,40 @@ func TestConvertOsArgs(t *testing.T) {
 
 func TestEncryptionOptions(t *testing.T) {
 	type test struct {
-		input  string
-		output string
+		input                 string
+		output                string
+		hostnameincertificate string
 	}
 	tests := []test{
 		{
 			"s",
 			"strict",
+			"",
 		},
 		{
 			"m",
 			"mandatory",
+			"",
 		},
 		{
 			"o",
 			"optional",
+			"",
 		},
 		{
 			"mandatory",
 			"mandatory",
+			"",
+		},
+		{
+			"s:myserver.domain.com",
+			"strict",
+			"myserver.domain.com",
+		},
+		{
+			"strict:myserver.domain.com",
+			"strict",
+			"myserver.domain.com",
 		},
 	}
 	for _, c := range tests {
@@ -610,6 +628,7 @@ func TestEncryptionOptions(t *testing.T) {
 			var connectConfig sqlcmd.ConnectSettings
 			setConnect(&connectConfig, &args, vars)
 			assert.Equal(t, c.output, connectConfig.Encrypt, "Incorrect connect.Encrypt")
+			assert.Equal(t, c.hostnameincertificate, connectConfig.HostNameInCertificate, "Incorrect connect.HostNameInCertificate")
 		})
 	}
 }

pkg/sqlcmd/connect.go

@@ -58,6 +58,8 @@ type ConnectSettings struct {
 	EnableColumnEncryption bool
 	// ChangePassword is the new password for the user to set during login
 	ChangePassword string
+	// The HostNameInCertificate is the name to use for the host in the certificate validation
+	HostNameInCertificate string
 }
 
 func (c ConnectSettings) authenticationMethod() string {
@@ -145,6 +147,9 @@ func (connect ConnectSettings) ConnectionString() (connectionString string, err
 	if connect.Encrypt != "" && connect.Encrypt != "default" {
 		query.Add(msdsn.Encrypt, connect.Encrypt)
 	}
+	if connect.HostNameInCertificate != "" {
+		query.Add(msdsn.HostNameInCertificate, connect.HostNameInCertificate)
+	}
 	if connect.LogLevel > 0 {
 		query.Add(msdsn.LogParam, fmt.Sprint(connect.LogLevel))
 	}

pkg/sqlcmd/sqlcmd_test.go

@@ -51,8 +51,8 @@ func TestConnectionStringFromSqlCmd(t *testing.T) {
 			"sqlserver://someserver:1045?protocol=tcp&trustservercertificate=true",
 		},
 		{
-			&ConnectSettings{ServerName: `tcp:someserver,1045`},
-			"sqlserver://someserver:1045?protocol=tcp",
+			&ConnectSettings{ServerName: `tcp:someserver,1045`, Encrypt: "strict", HostNameInCertificate: "*.mydomain.com"},
+			"sqlserver://someserver:1045?encrypt=strict&hostnameincertificate=%2A.mydomain.com&protocol=tcp",
 		},
 		{
 			&ConnectSettings{ServerName: "someserver", AuthenticationMethod: azuread.ActiveDirectoryServicePrincipal, UserName: "myapp@mytenant", Password: pwd},