2020-10-08 16:07:58 +00:00
|
|
|
#pragma once
|
|
|
|
|
|
2022-09-28 08:45:15 +00:00
|
|
|
#include "config.h"
|
2021-07-09 02:27:01 +00:00
|
|
|
|
|
|
|
|
#if USE_SSL
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
#include <string>
|
2021-07-09 02:27:01 +00:00
|
|
|
#include <filesystem>
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
#include <Poco/Logger.h>
|
|
|
|
|
#include <Poco/Util/AbstractConfiguration.h>
|
2021-07-09 02:27:01 +00:00
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
#include <openssl/x509v3.h>
|
|
|
|
|
#include <Poco/Crypto/RSAKey.h>
|
|
|
|
|
#include <Poco/Crypto/X509Certificate.h>
|
|
|
|
|
#include <Common/MultiVersion.h>
|
2024-01-23 17:04:50 +00:00
|
|
|
#include <Common/Logger.h>
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace DB
|
|
|
|
|
{
|
|
|
|
|
|
2021-07-06 23:15:30 +00:00
|
|
|
/// The CertificateReloader singleton performs 2 functions:
|
2021-07-10 03:01:24 +00:00
|
|
|
/// 1. Dynamic reloading of TLS key-pair when requested by server:
|
|
|
|
|
/// Server config reloader notifies CertificateReloader when the config changes.
|
|
|
|
|
/// On changed config, CertificateReloader reloads certs from disk.
|
2020-10-08 16:07:58 +00:00
|
|
|
/// 2. Implement `SSL_CTX_set_cert_cb` to set certificate for a new connection:
|
2021-07-10 03:01:24 +00:00
|
|
|
/// OpenSSL invokes a callback to setup a connection.
|
2021-07-06 23:15:30 +00:00
|
|
|
class CertificateReloader
|
2020-10-08 16:07:58 +00:00
|
|
|
{
|
|
|
|
|
public:
|
|
|
|
|
using stat_t = struct stat;
|
|
|
|
|
|
|
|
|
|
/// Singleton
|
2021-07-06 23:15:30 +00:00
|
|
|
CertificateReloader(CertificateReloader const &) = delete;
|
|
|
|
|
void operator=(CertificateReloader const &) = delete;
|
|
|
|
|
static CertificateReloader & instance()
|
2020-10-08 16:07:58 +00:00
|
|
|
{
|
2021-07-06 23:15:30 +00:00
|
|
|
static CertificateReloader instance;
|
2020-10-08 16:07:58 +00:00
|
|
|
return instance;
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
/// Initialize the callback and perform the initial cert loading
|
2021-11-10 16:56:07 +00:00
|
|
|
void init();
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
/// Handle configuration reload
|
2021-11-10 16:56:07 +00:00
|
|
|
void tryLoad(const Poco::Util::AbstractConfiguration & config);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2021-07-10 03:01:24 +00:00
|
|
|
/// A callback for OpenSSL
|
2021-07-06 23:15:30 +00:00
|
|
|
int setCertificate(SSL * ssl);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
private:
|
2022-04-21 12:26:30 +00:00
|
|
|
CertificateReloader() = default;
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2024-01-23 17:04:50 +00:00
|
|
|
LoggerPtr log = getLogger("CertificateReloader");
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
struct File
|
|
|
|
|
{
|
|
|
|
|
const char * description;
|
2022-04-21 12:26:30 +00:00
|
|
|
explicit File(const char * description_) : description(description_) {}
|
2021-07-09 02:27:01 +00:00
|
|
|
|
|
|
|
|
std::string path;
|
|
|
|
|
std::filesystem::file_time_type modification_time;
|
|
|
|
|
|
2024-01-23 17:04:50 +00:00
|
|
|
bool changeIfModified(std::string new_path, LoggerPtr logger);
|
2021-07-09 02:27:01 +00:00
|
|
|
};
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
File cert_file{"certificate"};
|
|
|
|
|
File key_file{"key"};
|
|
|
|
|
|
|
|
|
|
struct Data
|
|
|
|
|
{
|
2024-03-20 19:27:33 +00:00
|
|
|
Poco::Crypto::X509Certificate::List certs_chain;
|
2022-02-28 18:30:02 +00:00
|
|
|
Poco::Crypto::EVPPKey key;
|
2021-07-09 02:27:01 +00:00
|
|
|
|
2022-04-21 12:26:30 +00:00
|
|
|
Data(std::string cert_path, std::string key_path, std::string pass_phrase);
|
2021-07-09 02:27:01 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
MultiVersion<Data> data;
|
2022-01-31 12:13:28 +00:00
|
|
|
bool init_was_not_made = true;
|
2020-10-08 16:07:58 +00:00
|
|
|
};
|
|
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|
