From 77978c1518f3f2808947696f1b80e0eb8bd8ff9c Mon Sep 17 00:00:00 2001
From: Florian Jacob <fjacob@lavabit.com>
Date: Mon, 1 Apr 2019 20:01:29 +0200
Subject: [PATCH 1/2] nixos/mysql: fix support for non-specified database
 schema and increase test coverage to catch this

---
 nixos/modules/services/databases/mysql.nix |  2 +-
 nixos/tests/mysql.nix                      | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 89291d4438f..12dbc07dcf0 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -360,7 +360,7 @@ in
                         echo "Creating initial database: ${database.name}"
                         ( echo 'create database `${database.name}`;'
 
-                          ${optionalString (database ? "schema") ''
+                          ${optionalString (database.schema != null) ''
                           echo 'use `${database.name}`;'
 
                           if [ -f "${database.schema}" ]
diff --git a/nixos/tests/mysql.nix b/nixos/tests/mysql.nix
index fedc7f0ab1f..97a4dee7f99 100644
--- a/nixos/tests/mysql.nix
+++ b/nixos/tests/mysql.nix
@@ -10,7 +10,10 @@ import ./make-test.nix ({ pkgs, ...} : {
 
       {
         services.mysql.enable = true;
-        services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
+        services.mysql.initialDatabases = [
+          { name = "testdb"; schema = ./testdb.sql; }
+          { name = "empty_testdb"; }
+        ];
         services.mysql.package = pkgs.mysql;
       };
 
@@ -36,11 +39,12 @@ import ./make-test.nix ({ pkgs, ...} : {
     startAll;
 
     $mysql->waitForUnit("mysql");
-    $mysql->succeed("echo 'use testdb; select * from tests' | mysql -u root -N | grep 4");
+    $mysql->succeed("echo 'use empty_testdb;' | mysql -u root");
+    $mysql->succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4");
 
     $mariadb->waitForUnit("mysql");
     $mariadb->succeed("echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser");
     $mariadb->succeed("echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser");
-    $mariadb->succeed("echo 'use testdb; select test_id from tests' | sudo -u testuser mysql -u testuser -N | grep 42");
+    $mariadb->succeed("echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42");
   '';
 })

From 14571f5ed02fea504d131b130327f845715a7714 Mon Sep 17 00:00:00 2001
From: Florian Jacob <fjacob@lavabit.com>
Date: Mon, 1 Apr 2019 21:08:47 +0200
Subject: [PATCH 2/2] nixos/mysql: fix initialScript option which was wrongly
 specified as types.lines Prevent it from getting copied to nix store as
 people might use it for credentials, and make the tests cover it.

---
 nixos/modules/services/databases/mysql.nix | 8 ++++++--
 nixos/tests/mysql.nix                      | 7 +++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 12dbc07dcf0..7e3c230fff7 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -133,7 +133,7 @@ in
       };
 
       initialScript = mkOption {
-        type = types.nullOr types.lines;
+        type = types.nullOr types.path;
         default = null;
         description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database";
       };
@@ -363,6 +363,8 @@ in
                           ${optionalString (database.schema != null) ''
                           echo 'use `${database.name}`;'
 
+                          # TODO: this silently falls through if database.schema does not exist,
+                          # we should catch this somehow and exit, but can't do it here because we're in a subshell.
                           if [ -f "${database.schema}" ]
                           then
                               cat ${database.schema}
@@ -399,7 +401,9 @@ in
                 ${optionalString (cfg.initialScript != null)
                   ''
                     # Execute initial script
-                    cat ${cfg.initialScript} | ${mysql}/bin/mysql -u root -N
+                    # using toString to avoid copying the file to nix store if given as path instead of string,
+                    # as it might contain credentials
+                    cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
                   ''}
 
                 ${optionalString (cfg.rootPassword != null)
diff --git a/nixos/tests/mysql.nix b/nixos/tests/mysql.nix
index 97a4dee7f99..cfe10bc41b0 100644
--- a/nixos/tests/mysql.nix
+++ b/nixos/tests/mysql.nix
@@ -14,6 +14,11 @@ import ./make-test.nix ({ pkgs, ...} : {
           { name = "testdb"; schema = ./testdb.sql; }
           { name = "empty_testdb"; }
         ];
+        # note that using pkgs.writeText here is generally not a good idea,
+        # as it will store the password in world-readable /nix/store ;)
+        services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
+          CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
+        '';
         services.mysql.package = pkgs.mysql;
       };
 
@@ -41,6 +46,8 @@ import ./make-test.nix ({ pkgs, ...} : {
     $mysql->waitForUnit("mysql");
     $mysql->succeed("echo 'use empty_testdb;' | mysql -u root");
     $mysql->succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4");
+    # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
+    $mysql->succeed("echo ';' | mysql -u passworduser --password=password123");
 
     $mariadb->waitForUnit("mysql");
     $mariadb->succeed("echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser");