From 5f16fea0a647c14cf2702b2c042dea26a8a2ac14 Mon Sep 17 00:00:00 2001
From: Andy Pfister
Date: Sat, 27 Jul 2024 16:59:04 +0200
Subject: [PATCH] Support `force encryption` for the MSSQL server
---
 .github/workflows/ci.yml | 19 ++++++++++++++++++-
 action.yml | 5 +++++
 install.ps1 | 29 +++++++++++++++++++++++++++--
 3 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d25cf1a..3d043d5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ jobs:
 name: Tests
 strategy:
 matrix:
+ force-encryption:
+ - "true"
+ - "false"
 os:
 # ignore ARM64 flavours
 - ubuntu-20.04
@@ -22,7 +25,20 @@ jobs:
 version:
 - 2017
 exclude:
- - os: ubuntu-24.04
+ - force-encryption: "true"
 os: ubuntu-24.04
 version: 2017
+
+ - force-encryption: "false"
 os: ubuntu-24.04
 version: 2017
+
+ - force-encryption: "true"
 os: windows-2019
 version: 2017
+
+ - force-encryption: "true"
 os: windows-2022
 version: 2017
 runs-on: ${{ matrix.os }}
@@ -39,6 +55,7 @@ jobs:
 uses: ./action
 with:
 components: sqlcmd,sqlengine
+ force-encryption: ${{ matrix.force-encryption }}
 sa-password: "bHuZH81%cGC6"
 version: ${{ matrix.version }}
diff --git a/action.yml b/action.yml
index 85f6377..f8577b7 100644
--- a/action.yml
+++ b/action.yml
@@ -7,6 +7,10 @@ inputs:
 components:
 description: "The components to install"
 required: true
+ force-encryption:
+ description: "Should the server force encryption?"
+ required: false
+ default: "false"
 sa-password:
 description: "The SA password for the SQL instance"
 required: true
@@ -20,6 +24,7 @@ runs:
 run: |
 $params = @{
 Components = ("${{ inputs.components }}" -split ",").Trim()
+ ForceEncryption = "${{ inputs.force-encryption }}" -eq "true"
 SaPassword = "${{ inputs.sa-password }}"
 Version = "${{ inputs.version }}"
 }
diff --git a/install.ps1 b/install.ps1
index 4105189..052758d 100644
--- a/install.ps1
+++ b/install.ps1
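Review bot: The new exclude entries remove every `force-encryption: "true"` combination on windows-2019 and windows-2022, so the option is never exercised on a Windows runner, while install.ps1 (its third hunk) only acts on `$ForceEncryption` inside `if ($IsLinux)`; a Windows caller who sets the input silently gets an unencrypted server. If Windows support is not planned, fail fast in install.ps1 with `if ($ForceEncryption -and -not $IsLinux) { throw "force-encryption is only supported on Linux runners" }` and state the restriction in the `force-encryption` description added to action.yml, which currently says only "Should the server force encryption?". The two ubuntu-24.04 entries restate the earlier `os: ubuntu-24.04` / `version: 2017` exclusion, which already matched both matrix values without naming `force-encryption`.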
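Review bot: `ForceEncryption = "${{ inputs.force-encryption }}" -eq "true"` splices the raw input value into the PowerShell source, the same way `components` and `sa-password` already are, so an input value containing a double quote alters the script rather than the value. Map the inputs through an `env:` block on the step and read `$env:FORCE_ENCRYPTION -eq "true"` instead; the existing inputs would benefit from the same treatment but are outside this hunk. A short comment that `-eq` is case-insensitive, so `True` is accepted as well, would save the next reader a test.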
@@ -1,6 +1,7 @@
 param (
 [ValidateSet("sqlcmd", "sqlengine")]
 [string[]]$Components,
+ [bool]$ForceEncryption,
 [string]$SaPassword,
 [ValidateSet("2017")]
 [string]$Version
@@ -9,7 +10,7 @@ param (
 function Wait-ForContainer {
 $checkInterval = 5
 $containerName = "sql"
- $timeout = 120
+ $timeout = 60
 $startTime = Get-Date
 Write-Host "Waiting for the container '$containerName' to be healthy..."
@@ -42,6 +43,30 @@ if ($IsLinux) {
 }
 if ("sqlengine" -in $Components) {
+ if ($ForceEncryption) {
+ Write-Output "Force encryption is set, generating self-signed certificate ..."
+
+ if ($IsLinux) {
+ & mkdir -p /opt/mssql
+ & openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=sql1.contoso.com' -keyout /opt/mssql/mssql.key -out /opt/mssql/mssql.pem -days 365
+ $MssqlConf = @'
+[network]
+tlscert = /etc/ssl/certs/mssql.pem
+tlskey = /etc/ssl/private/mssql.key
+tlsprotocols = 1.2
+forceencryption = 1
+'@
+
+ Set-Content -Path /opt/mssql/mssql.conf -Value $MssqlConf
+ & sudo chmod -R 775 /opt/mssql
+
+ Copy-Item -Path /opt/mssql/mssql.pem -Destination /usr/share/ca-certificates/mssql.crt
+ & sudo dpkg-reconfigure ca-certificates
+
+ $AdditionalContainerConfiguration = "-v /opt/mssql/mssql.conf:/var/opt/mssql/mssql.conf -v /opt/mssql/mssql.pem:/etc/ssl/certs/mssql.pem -v /opt/mssql/mssql.key:/etc/ssl/private/mssql.key"
+ }
+ }
+
 if ($IsLinux) {
 # the Ubuntu 24.04 image uses a kernel version which does not work with the current 2017 version.
 # see https://github.com/microsoft/mssql-docker/issues/868
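Review bot: `$timeout = 60` halves the health wait in Wait-ForContainer, but neither the commit subject nor the code says why, and a server that now has to load a TLS certificate is unlikely to come up faster than before. Either restore `$timeout = 120` or add a comment above the assignment explaining where 60 seconds comes from, so the next person hitting a flaky start knows the number is deliberate rather than a leftover from local testing. Wait-ForContainer continues past the end of the hunk.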
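Review bot: `& sudo chmod -R 775 /opt/mssql` leaves the freshly generated private key `/opt/mssql/mssql.key` readable by every account on the runner; the broad mode is presumably there so the non-root user inside the container can read the bind-mounted `/etc/ssl/private/mssql.key`, which `chown` of the key file to that user plus `chmod 600 /opt/mssql/mssql.key` achieves without exposing it. The certificate is issued for `/CN=sql1.contoso.com` while the health check in the next hunk connects to `localhost`, so any client that validates the chain (the reason the `.pem` is copied into the CA store) still fails on hostname mismatch; add `-addext 'subjectAltName=DNS:localhost,IP:127.0.0.1'` to the `openssl req` call, or document that clients must trust the server certificate the way `sqlcmd -C` does. It is also worth confirming that a non-interactive `dpkg-reconfigure ca-certificates` picks up a new file dropped into `/usr/share/ca-certificates`; placing it under `/usr/local/share/ca-certificates/` and running `update-ca-certificates` is the documented route for local CAs. The `if ("sqlengine" -in $Components)` block continues past the end of the hunk.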
@@ -74,7 +99,7 @@ if ("sqlengine" -in $Components) {
 }
 Write-Output "Starting a Docker Container"
- Invoke-Expression "docker run --name=`"sql`" -e `"ACCEPT_EULA=Y`"-e `"SA_PASSWORD=$SaPassword`" -e `"MSSQL_PID=Express`" --health-cmd=`"/opt/mssql-tools/bin/sqlcmd -C -S localhost -U sa -P '$SaPassword' -Q 'SELECT 1' -b -o /dev/null`" --health-start-period=`"10s`" --health-retries=3 --health-interval=`"10s`" -p 1433:1433 -d `"mcr.microsoft.com/mssql/server:$Version-latest`""
+ Invoke-Expression "docker run --name=`"sql`" -e `"ACCEPT_EULA=Y`"-e `"SA_PASSWORD=$SaPassword`" -e `"MSSQL_PID=Express`" --health-cmd=`"/opt/mssql-tools/bin/sqlcmd -C -S localhost -U sa -P '$SaPassword' -Q 'SELECT 1' -b -o /dev/null`" --health-start-period=`"10s`" --health-retries=3 --health-interval=`"10s`" -p 1433:1433 $AdditionalContainerConfiguration -d `"mcr.microsoft.com/mssql/server:$Version-latest`""
 Wait-ForContainer
 }
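Review bot: `$AdditionalContainerConfiguration` is interpolated into the Invoke-Expression command line unconditionally, but the previous hunk only assigns it on the Linux-and-ForceEncryption branch, so every other path relies on an unset variable expanding to nothing, which breaks as soon as someone adds `Set-StrictMode`; initialise it to `""` before `if ($ForceEncryption)` or, better, stop building the command as a string. Passing an argument array to `docker` directly removes the second parse that Invoke-Expression performs on `$SaPassword` and on the new mount list, and lets the mounts be added only when they were set. The missing space in `ACCEPT_EULA=Y`"-e` predates this commit but is carried into the new line; how PowerShell tokenises a string immediately followed by `-e` is worth checking while the line is being touched. The enclosing `if ("sqlengine" -in $Components)` block starts before the hunk.
```powershell
Write-Output "Starting a Docker Container"
$dockerArgs = @(
  "run", "--name=sql",
  "-e", "ACCEPT_EULA=Y",
  "-e", "SA_PASSWORD=$SaPassword",
  "-e", "MSSQL_PID=Express",
  "--health-cmd=/opt/mssql-tools/bin/sqlcmd -C -S localhost -U sa -P '$SaPassword' -Q 'SELECT 1' -b -o /dev/null",
  "--health-start-period=10s", "--health-retries=3", "--health-interval=10s",
  "-p", "1433:1433"
)
# only the ForceEncryption branch sets the extra bind mounts
if ($AdditionalContainerConfiguration) {
  $dockerArgs += $AdditionalContainerConfiguration -split " "
}
$dockerArgs += @("-d", "mcr.microsoft.com/mssql/server:$Version-latest")
& docker @dockerArgs
# … unchanged: Wait-ForContainer …
```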