Support force encryption for the MSSQL server

.github/workflows/ci.yml

@@ -12,6 +12,9 @@ jobs:
     name: Tests
     strategy:
       matrix:
+        force-encryption:
+          - "true"
+          - "false"
         os:
           # ignore ARM64 flavours
           - ubuntu-20.04
@@ -22,7 +25,20 @@ jobs:
         version:
           - 2017
         exclude:
-          - os: ubuntu-24.04
+          - force-encryption: "true"
+            os: ubuntu-24.04
+            version: 2017
+
+          - force-encryption: "false"
+            os: ubuntu-24.04
+            version: 2017
+
+          - force-encryption: "true"
+            os: windows-2019
+            version: 2017
+
+          - force-encryption: "true"
+            os: windows-2022
             version: 2017
 
     runs-on: ${{ matrix.os }}
@@ -39,6 +55,7 @@ jobs:
         uses: ./action
         with:
           components: sqlcmd,sqlengine
+          force-encryption: ${{ matrix.force-encryption }}
           sa-password: "bHuZH81%cGC6"
           version: ${{ matrix.version }}
 
@@ -47,4 +64,5 @@ jobs:
           action/test.ps1
         shell: pwsh
         env:
+          FORCE_ENCRYPTION: ${{ matrix.force-encryption }}
           SA_PASSWORD: "bHuZH81%cGC6"

action.yml

@@ -7,6 +7,10 @@ inputs:
   components:
     description: "The components to install"
     required: true
+  force-encryption:
+    description: "Should the server force encryption?"
+    required: false
+    default: "false"
   sa-password:
     description: "The SA password for the SQL instance"
     required: true
@@ -20,6 +24,7 @@ runs:
       run: |
         $params = @{
             Components = ("${{ inputs.components }}" -split ",").Trim()
+            ForceEncryption = "${{ inputs.force-encryption }}" -eq "true"
             SaPassword = "${{ inputs.sa-password }}"
             Version = "${{ inputs.version }}"
         }

install.ps1

@@ -1,6 +1,7 @@
 param (
     [ValidateSet("sqlcmd", "sqlengine")]
     [string[]]$Components,
+    [bool]$ForceEncryption,
     [string]$SaPassword,
     [ValidateSet("2017")]
     [string]$Version
@@ -9,7 +10,7 @@ param (
 function Wait-ForContainer {
     $checkInterval = 5
     $containerName = "sql"
-    $timeout = 120
+    $timeout = 60
 
     $startTime = Get-Date
     Write-Host "Waiting for the container '$containerName' to be healthy..."
@@ -42,6 +43,30 @@ if ($IsLinux) {
 }
 
 if ("sqlengine" -in $Components) {
+    if ($ForceEncryption) {
+        Write-Output "Force encryption is set, generating self-signed certificate ..."
+
+        if ($IsLinux) {
+            & mkdir -p /opt/mssql
+            & openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=sql1.contoso.com' -keyout /opt/mssql/mssql.key -out /opt/mssql/mssql.pem -days 365
+            $MssqlConf = @'
+[network]
+tlscert = /etc/ssl/certs/mssql.pem
+tlskey = /etc/ssl/private/mssql.key
+tlsprotocols = 1.2
+forceencryption = 1
+'@
+
+            Set-Content -Path /opt/mssql/mssql.conf -Value $MssqlConf
+            & sudo chmod -R 775 /opt/mssql
+
+            Copy-Item -Path /opt/mssql/mssql.pem -Destination /usr/share/ca-certificates/mssql.crt
+            & sudo dpkg-reconfigure ca-certificates 
+
+            $AdditionalContainerConfiguration = "-v /opt/mssql/mssql.conf:/var/opt/mssql/mssql.conf -v /opt/mssql/mssql.pem:/etc/ssl/certs/mssql.pem -v /opt/mssql/mssql.key:/etc/ssl/private/mssql.key"
+        }
+    }
+
     if ($IsLinux) {
         # the Ubuntu 24.04 image uses a kernel version which does not work with the current 2017 version.
         # see https://github.com/microsoft/mssql-docker/issues/868
@@ -74,7 +99,7 @@ if ("sqlengine" -in $Components) {
         }
 
         Write-Output "Starting a Docker Container"
-        Invoke-Expression "docker run --name=`"sql`" -e `"ACCEPT_EULA=Y`"-e `"SA_PASSWORD=$SaPassword`" -e `"MSSQL_PID=Express`" --health-cmd=`"/opt/mssql-tools/bin/sqlcmd -C -S localhost -U sa -P '$SaPassword' -Q 'SELECT 1' -b -o /dev/null`" --health-start-period=`"10s`" --health-retries=3 --health-interval=`"10s`" -p 1433:1433 -d `"mcr.microsoft.com/mssql/server:$Version-latest`""
+        Invoke-Expression "docker run --name=`"sql`" -e `"ACCEPT_EULA=Y`"-e `"SA_PASSWORD=$SaPassword`" -e `"MSSQL_PID=Express`" --health-cmd=`"/opt/mssql-tools/bin/sqlcmd -C -S localhost -U sa -P '$SaPassword' -Q 'SELECT 1' -b -o /dev/null`" --health-start-period=`"10s`" --health-retries=3 --health-interval=`"10s`" -p 1433:1433 $AdditionalContainerConfiguration -d `"mcr.microsoft.com/mssql/server:$Version-latest`""
         Wait-ForContainer
     }
 

test.ps1

@@ -8,3 +8,22 @@ else {
 
 Write-Output "Checking if SQL Server is available ..."
 & sqlcmd -S 127.0.0.1 -U sa -P $env:SA_PASSWORD -Q "SELECT 1"
+
+Write-Output "Check status of connection encryption ..."
+
+$sqlQuery = @"
+SELECT 
+session_id,
+encrypt_option
+FROM sys.dm_exec_connections
+WHERE session_id = @@SPID;
+"@
+
+$results = sqlcmd -S 127.0.0.1 -U sa -P $env:SA_PASSWORD -Q $sqlQuery -h -1 -W
+
+Write-Output $results
+
+if (-not($results -match "TRUE")) {
+    Write-Error "Connection to SQL server is not encrypted!"
+    exit 1
+}