From 335a8d7895a0d73df3d41fac750ff8f412a989b2 Mon Sep 17 00:00:00 2001
From: Paul Tiplady <paultiplady@users.noreply.github.com>
Date: Mon, 19 Jun 2017 15:11:25 -0700
Subject: [PATCH] Fixed #28322 -- Added dbshell support for MySQL client TLS
 certs.

---
 django/db/backends/mysql/client.py | 12 +++++++++---
 docs/releases/2.0.txt              |  2 ++
 tests/dbshell/test_mysql.py        | 11 +++++++++--
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/django/db/backends/mysql/client.py b/django/db/backends/mysql/client.py
index c5cc69c3a0..224bfc3dc6 100644
--- a/django/db/backends/mysql/client.py
+++ b/django/db/backends/mysql/client.py
@@ -14,7 +14,9 @@ class DatabaseClient(BaseDatabaseClient):
         passwd = settings_dict['OPTIONS'].get('passwd', settings_dict['PASSWORD'])
         host = settings_dict['OPTIONS'].get('host', settings_dict['HOST'])
         port = settings_dict['OPTIONS'].get('port', settings_dict['PORT'])
-        cert = settings_dict['OPTIONS'].get('ssl', {}).get('ca')
+        server_ca = settings_dict['OPTIONS'].get('ssl', {}).get('ca')
+        client_cert = settings_dict['OPTIONS'].get('ssl', {}).get('cert')
+        client_key = settings_dict['OPTIONS'].get('ssl', {}).get('key')
         defaults_file = settings_dict['OPTIONS'].get('read_default_file')
         # Seems to be no good way to set sql_mode with CLI.
 
@@ -31,8 +33,12 @@ class DatabaseClient(BaseDatabaseClient):
                 args += ["--host=%s" % host]
         if port:
             args += ["--port=%s" % port]
-        if cert:
-            args += ["--ssl-ca=%s" % cert]
+        if server_ca:
+            args += ["--ssl-ca=%s" % server_ca]
+        if client_cert:
+            args += ["--ssl-cert=%s" % client_cert]
+        if client_key:
+            args += ["--ssl-key=%s" % client_key]
         if db:
             args += [db]
         return args
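Review bot: Only `ca`, `cert` and `key` from `OPTIONS['ssl']` reach the `mysql` command line after this hunk, so a project whose application connection sets other entries in that dict (for instance `capath` or `cipher`, if the driver accepts them) would get a dbshell session with different TLS settings than the application uses. A short comment above the `if server_ca:` block would make that limit visible, e.g. `# Only ca, cert and key are forwarded; other OPTIONS['ssl'] entries are not passed to the client.` The same comment could note that `cert` and `key` are forwarded independently, so a configuration with one but not the other is left for the client to reject. The function starts above this hunk, and the three values are read in the preceding hunk.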
diff --git a/docs/releases/2.0.txt b/docs/releases/2.0.txt
index 9a7c207fd6..70a21d3da6 100644
--- a/docs/releases/2.0.txt
+++ b/docs/releases/2.0.txt
@@ -210,6 +210,8 @@ Management Commands
 * On Oracle, :djadmin:`inspectdb` can now introspect ``AutoField`` if the
   column is created as an identity column.
 
+* On MySQL, :djadmin:`dbshell` now supports client-side TLS certificates.
+
 Migrations
 ~~~~~~~~~~
 
diff --git a/tests/dbshell/test_mysql.py b/tests/dbshell/test_mysql.py
index 7efb97d9cb..6b60e2722e 100644
--- a/tests/dbshell/test_mysql.py
+++ b/tests/dbshell/test_mysql.py
@@ -59,14 +59,21 @@ class MySqlDbshellCommandTestCase(SimpleTestCase):
     def test_ssl_certificate_is_added(self):
         self.assertEqual(
             ['mysql', '--user=someuser', '--password=somepassword',
-             '--host=somehost', '--port=444', '--ssl-ca=sslca', 'somedbname'],
+             '--host=somehost', '--port=444', '--ssl-ca=sslca',
+             '--ssl-cert=sslcert', '--ssl-key=sslkey', 'somedbname'],
             self.get_command_line_arguments({
                 'NAME': 'somedbname',
                 'USER': 'someuser',
                 'PASSWORD': 'somepassword',
                 'HOST': 'somehost',
                 'PORT': 444,
-                'OPTIONS': {'ssl': {'ca': 'sslca'}},
+                'OPTIONS': {
+                    'ssl': {
+                        'ca': 'sslca',
+                        'cert': 'sslcert',
+                        'key': 'sslkey',
+                    },
+                },
             }))
 
     def get_command_line_arguments(self, connection_settings):
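Review bot: `test_ssl_certificate_is_added` now covers only the case where `ca`, `cert` and `key` are all present, so nothing pins that each flag is emitted independently of the others. A second case with `cert` and `key` but no `ca` would confirm that `--ssl-ca` is omitted and that the client-certificate flags do not depend on it. The expected argument order below follows the existing assertion, and the test name is a suggestion. `get_command_line_arguments` continues past the end of this hunk.

```python
    # … unchanged: test_ssl_certificate_is_added …

    def test_ssl_client_cert_without_ca(self):
        self.assertEqual(
            ['mysql', '--user=someuser', '--password=somepassword',
             '--host=somehost', '--port=444',
             '--ssl-cert=sslcert', '--ssl-key=sslkey', 'somedbname'],
            self.get_command_line_arguments({
                'NAME': 'somedbname',
                'USER': 'someuser',
                'PASSWORD': 'somepassword',
                'HOST': 'somehost',
                'PORT': 444,
                'OPTIONS': {'ssl': {'cert': 'sslcert', 'key': 'sslkey'}},
            }))
```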