2020-10-08 16:07:58 +00:00
|
|
|
#pragma once
|
|
|
|
|
|
2022-09-28 08:45:15 +00:00
|
|
|
#include "config.h"
|
2021-07-09 02:27:01 +00:00
|
|
|
|
|
|
|
|
#if USE_SSL
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
#include <string>
|
2021-07-09 02:27:01 +00:00
|
|
|
#include <filesystem>
|
2024-05-22 10:28:40 +00:00
|
|
|
#include <list>
|
|
|
|
|
#include <unordered_map>
|
|
|
|
|
#include <mutex>
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
#include <Poco/Logger.h>
|
|
|
|
|
#include <Poco/Util/AbstractConfiguration.h>
|
2021-07-09 02:27:01 +00:00
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
#include <openssl/x509v3.h>
|
|
|
|
|
#include <Poco/Crypto/RSAKey.h>
|
|
|
|
|
#include <Poco/Crypto/X509Certificate.h>
|
|
|
|
|
#include <Common/MultiVersion.h>
|
2024-01-23 17:04:50 +00:00
|
|
|
#include <Common/Logger.h>
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace DB
|
|
|
|
|
{
|
|
|
|
|
|
2021-07-06 23:15:30 +00:00
|
|
|
/// The CertificateReloader singleton performs 2 functions:
|
2021-07-10 03:01:24 +00:00
|
|
|
/// 1. Dynamic reloading of TLS key-pair when requested by server:
|
|
|
|
|
/// Server config reloader notifies CertificateReloader when the config changes.
|
|
|
|
|
/// On changed config, CertificateReloader reloads certs from disk.
|
2020-10-08 16:07:58 +00:00
|
|
|
/// 2. Implement `SSL_CTX_set_cert_cb` to set certificate for a new connection:
|
2021-07-10 03:01:24 +00:00
|
|
|
/// OpenSSL invokes a callback to setup a connection.
|
2021-07-06 23:15:30 +00:00
|
|
|
class CertificateReloader
|
2020-10-08 16:07:58 +00:00
|
|
|
{
|
|
|
|
|
public:
|
|
|
|
|
using stat_t = struct stat;
|
|
|
|
|
|
2024-05-22 10:28:40 +00:00
|
|
|
struct Data
|
|
|
|
|
{
|
|
|
|
|
Poco::Crypto::X509Certificate::List certs_chain;
|
|
|
|
|
Poco::Crypto::EVPPKey key;
|
|
|
|
|
|
|
|
|
|
Data(std::string cert_path, std::string key_path, std::string pass_phrase);
|
|
|
|
|
};
|
|
|
|
|
|
2024-05-22 15:29:50 +00:00
|
|
|
struct File
|
|
|
|
|
{
|
|
|
|
|
const char * description;
|
|
|
|
|
explicit File(const char * description_) : description(description_) {}
|
|
|
|
|
|
|
|
|
|
std::string path;
|
|
|
|
|
std::filesystem::file_time_type modification_time;
|
|
|
|
|
|
|
|
|
|
bool changeIfModified(std::string new_path, LoggerPtr logger);
|
|
|
|
|
};
|
|
|
|
|
|
2024-05-22 10:28:40 +00:00
|
|
|
struct MultiData
|
|
|
|
|
{
|
2024-06-18 09:20:50 +00:00
|
|
|
SSL_CTX * ctx = nullptr;
|
2024-05-22 10:28:40 +00:00
|
|
|
MultiVersion<Data> data;
|
|
|
|
|
bool init_was_not_made = true;
|
2024-05-22 15:29:50 +00:00
|
|
|
|
|
|
|
|
File cert_file{"certificate"};
|
|
|
|
|
File key_file{"key"};
|
|
|
|
|
|
|
|
|
|
explicit MultiData(SSL_CTX * ctx_) : ctx(ctx_) {}
|
2024-05-22 10:28:40 +00:00
|
|
|
};
|
|
|
|
|
|
2020-10-08 16:07:58 +00:00
|
|
|
/// Singleton
|
2021-07-06 23:15:30 +00:00
|
|
|
CertificateReloader(CertificateReloader const &) = delete;
|
|
|
|
|
void operator=(CertificateReloader const &) = delete;
|
|
|
|
|
static CertificateReloader & instance()
|
2020-10-08 16:07:58 +00:00
|
|
|
{
|
2021-07-06 23:15:30 +00:00
|
|
|
static CertificateReloader instance;
|
2020-10-08 16:07:58 +00:00
|
|
|
return instance;
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-22 10:28:40 +00:00
|
|
|
/// Handle configuration reload for default path
|
|
|
|
|
void tryLoad(const Poco::Util::AbstractConfiguration & config);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2024-10-23 22:06:04 +00:00
|
|
|
/// Handle configuration reload client for default path
|
|
|
|
|
void tryLoadClient(const Poco::Util::AbstractConfiguration & config);
|
|
|
|
|
|
2020-10-08 16:07:58 +00:00
|
|
|
/// Handle configuration reload
|
2024-05-22 10:28:40 +00:00
|
|
|
void tryLoad(const Poco::Util::AbstractConfiguration & config, SSL_CTX * ctx, const std::string & prefix);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2024-05-22 15:29:50 +00:00
|
|
|
/// Handle configuration reload for all contexts
|
|
|
|
|
void tryReloadAll(const Poco::Util::AbstractConfiguration & config);
|
|
|
|
|
|
2021-07-10 03:01:24 +00:00
|
|
|
/// A callback for OpenSSL
|
2024-05-22 10:28:40 +00:00
|
|
|
int setCertificate(SSL * ssl, const MultiData * pdata);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
private:
|
2022-04-21 12:26:30 +00:00
|
|
|
CertificateReloader() = default;
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2024-05-22 10:28:40 +00:00
|
|
|
/// Initialize the callback and perform the initial cert loading
|
2024-06-14 12:31:58 +00:00
|
|
|
void init(MultiData * pdata) TSA_REQUIRES(data_mutex);
|
2024-05-22 10:28:40 +00:00
|
|
|
|
2024-05-22 15:29:50 +00:00
|
|
|
/// Unsafe implementation
|
2024-06-14 12:31:58 +00:00
|
|
|
void tryLoadImpl(const Poco::Util::AbstractConfiguration & config, SSL_CTX * ctx, const std::string & prefix) TSA_REQUIRES(data_mutex);
|
|
|
|
|
|
|
|
|
|
std::list<MultiData>::iterator findOrInsert(SSL_CTX * ctx, const std::string & prefix) TSA_REQUIRES(data_mutex);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2024-05-22 15:29:50 +00:00
|
|
|
LoggerPtr log = getLogger("CertificateReloader");
|
2021-07-09 02:27:01 +00:00
|
|
|
|
2024-06-14 12:31:58 +00:00
|
|
|
std::list<MultiData> data TSA_GUARDED_BY(data_mutex);
|
|
|
|
|
std::unordered_map<std::string, std::list<MultiData>::iterator> data_index TSA_GUARDED_BY(data_mutex);
|
|
|
|
|
mutable std::mutex data_mutex;
|
2020-10-08 16:07:58 +00:00
|
|
|
};
|
|
|
|
|
|
2024-09-13 11:34:21 +00:00
|
|
|
/// A callback for OpenSSL
|
|
|
|
|
int setCertificateCallback(SSL * ssl, const CertificateReloader::Data * current_data, LoggerPtr log);
|
|
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|
