From b34b1e7791ee229de1b4d380e244c6d4c1334b7e Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 10 Jun 2021 16:22:20 -0400 Subject: [PATCH] plugins/cassandra: add tls_server_name (#11820) * db/cassandra: add tls_server_name * Remove changes from deprecated engine --- plugins/database/cassandra/connection_producer.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/plugins/database/cassandra/connection_producer.go b/plugins/database/cassandra/connection_producer.go
index 5b8ff4df625d3..eff2f03bb952a 100644
--- a/plugins/database/cassandra/connection_producer.go
+++ b/plugins/database/cassandra/connection_producer.go
@@ -28,6 +28,7 @@ type cassandraConnectionProducer struct {
 Password string `json:"password" structs:"password" mapstructure:"password"`
 TLS bool `json:"tls" structs:"tls" mapstructure:"tls"`
 InsecureTLS bool `json:"insecure_tls" structs:"insecure_tls" mapstructure:"insecure_tls"`
+ TLSServerName string `json:"tls_server_name" structs:"tls_server_name" mapstructure:"tls_server_name"`
 ProtocolVersion int `json:"protocol_version" structs:"protocol_version" mapstructure:"protocol_version"`
 ConnectTimeoutRaw interface{} `json:"connect_timeout" structs:"connect_timeout" mapstructure:"connect_timeout"`
 SocketKeepAliveRaw interface{} `json:"socket_keep_alive" structs:"socket_keep_alive" mapstructure:"socket_keep_alive"`
@@ -189,7 +190,7 @@ func (c *cassandraConnectionProducer) createSession(ctx context.Context) (*gocql
 clusterConfig.SocketKeepalive = c.socketKeepAlive
 
 if c.TLS {
- sslOpts, err := getSslOpts(c.certBundle, c.TLSMinVersion, c.InsecureTLS)
+ sslOpts, err := getSslOpts(c.certBundle, c.TLSMinVersion, c.TLSServerName, c.InsecureTLS)
 if err != nil {
 return nil, err
 }
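Review bot: The new `c.TLSServerName` argument is only consumed inside the `if c.TLS {` branch, so a `tls_server_name` configured together with `tls = false` is silently dropped rather than reported; unless Init already validates that combination (not visible in this hunk), a guard before the call such as `if !c.TLS && c.TLSServerName != "" { return nil, fmt.Errorf("tls_server_name requires tls to be enabled") }` would surface the misconfiguration instead of leaving the operator to believe hostname verification is in effect. The body of createSession starts and ends outside this hunk, and whether `fmt` is already imported cannot be seen from here.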
@@ -235,7 +236,7 @@ func (c *cassandraConnectionProducer) createSession(ctx context.Context) (*gocql
 return session, nil
 }
 
-func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion string, insecureSkipVerify bool) (*gocql.SslOptions, error) {
+func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion, serverName string, insecureSkipVerify bool) (*gocql.SslOptions, error) {
 tlsConfig := &tls.Config{}
 if certBundle != nil {
 if certBundle.Certificate == "" && certBundle.PrivateKey != "" {
@@ -258,6 +259,10 @@ func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion string, insecureS
 
 tlsConfig.InsecureSkipVerify = insecureSkipVerify
 
+ if serverName != "" {
+ tlsConfig.ServerName = serverName
+ }
+
 if minTLSVersion != "" {
 var ok bool
 tlsConfig.MinVersion, ok = tlsutil.TLSLookup[minTLSVersion]
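Review bot: `getSslOpts` now takes two adjacent `string` parameters, `minTLSVersion, serverName`, which a caller can transpose without any compile error, and the function still has no doc comment explaining either one. A comment above the signature stating the contract would help, e.g. `// getSslOpts builds the gocql TLS options: certBundle optionally supplies a client certificate, minTLSVersion is a tlsutil.TLSLookup key, serverName (if non-empty) is set as tls.Config.ServerName, and insecureSkipVerify is copied to tls.Config.InsecureSkipVerify.` Distinct named types or a small options struct would turn a swapped argument into a type error, but that is a larger change than this patch needs. The body of getSslOpts continues past the end of this hunk.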
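Review bot: `tlsConfig.ServerName = serverName` is assigned right after `tlsConfig.InsecureSkipVerify = insecureSkipVerify`, and when that flag is true Go's crypto/tls performs no hostname check at all, so with `insecure_tls` enabled `tls_server_name` only changes the SNI sent to the server and adds nothing to peer authentication; the code should either reject that combination, `if insecureSkipVerify && serverName != "" { return nil, fmt.Errorf("tls_server_name has no effect when insecure_tls is set") }`, or at least state it in a comment so operators do not assume it hardens the connection. Note also that one fixed ServerName is applied to every node gocql dials, so each node's certificate must be valid for that single name (a shared SAN or wildcard); if gocql otherwise derives ServerName per host from the address when the field is empty (I believe it does, but that is not visible here), this option overrides that behaviour. A short comment above the new block would capture both points: `// A configured server name applies to every node in the cluster; it is used for SNI and, unless InsecureSkipVerify is set, for hostname verification.`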