2020-10-08 16:07:58 +00:00
|
|
|
#pragma once
|
|
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
#if !defined(ARCADIA_BUILD)
|
|
|
|
|
# include <Common/config.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#if USE_SSL
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
#include <string>
|
2021-07-09 02:27:01 +00:00
|
|
|
#include <filesystem>
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
#include <Poco/Logger.h>
|
|
|
|
|
#include <Poco/Util/AbstractConfiguration.h>
|
2021-07-09 02:27:01 +00:00
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
#include <openssl/x509v3.h>
|
|
|
|
|
#include <Poco/Crypto/RSAKey.h>
|
|
|
|
|
#include <Poco/Crypto/X509Certificate.h>
|
|
|
|
|
#include <Common/MultiVersion.h>
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace DB
|
|
|
|
|
{
|
|
|
|
|
|
2021-07-06 23:15:30 +00:00
|
|
|
/// The CertificateReloader singleton performs 2 functions:
|
2021-07-09 02:27:01 +00:00
|
|
|
/// 1. Dynamic reloading of TLS key-pair when requested by main:
|
2021-07-06 23:15:30 +00:00
|
|
|
/// Main notifies CertificateReloader when the config changes. On changed config,
|
|
|
|
|
/// CertificateReloader reloads certs from disk.
|
2020-10-08 16:07:58 +00:00
|
|
|
/// 2. Implement `SSL_CTX_set_cert_cb` to set certificate for a new connection:
|
|
|
|
|
/// OpenSSL invokes `cert_reloader_dispatch_set_cert` to setup a connection.
|
2021-07-06 23:15:30 +00:00
|
|
|
class CertificateReloader
|
2020-10-08 16:07:58 +00:00
|
|
|
{
|
|
|
|
|
public:
|
|
|
|
|
using stat_t = struct stat;
|
|
|
|
|
|
|
|
|
|
/// Singleton
|
2021-07-06 23:15:30 +00:00
|
|
|
CertificateReloader(CertificateReloader const &) = delete;
|
|
|
|
|
void operator=(CertificateReloader const &) = delete;
|
|
|
|
|
static CertificateReloader & instance()
|
2020-10-08 16:07:58 +00:00
|
|
|
{
|
2021-07-06 23:15:30 +00:00
|
|
|
static CertificateReloader instance;
|
2020-10-08 16:07:58 +00:00
|
|
|
return instance;
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
/// Initialize the callback and perform the initial cert loading
|
2021-07-07 00:13:37 +00:00
|
|
|
void init(const Poco::Util::AbstractConfiguration & config);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
/// Handle configuration reload
|
|
|
|
|
void reload(const Poco::Util::AbstractConfiguration & config);
|
|
|
|
|
|
2021-07-06 23:15:30 +00:00
|
|
|
/// Add cert, key to SSL* connection. SetCertificate runs in an IO thread during
|
|
|
|
|
/// connection setup. SetCertificate is
|
2020-10-08 16:07:58 +00:00
|
|
|
/// establishing a new TLS connection.
|
2021-07-06 23:15:30 +00:00
|
|
|
int setCertificate(SSL * ssl);
|
2020-10-08 16:07:58 +00:00
|
|
|
|
|
|
|
|
private:
|
2021-07-06 23:15:30 +00:00
|
|
|
CertificateReloader()
|
2021-07-06 22:18:41 +00:00
|
|
|
{
|
|
|
|
|
}
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2021-07-06 23:15:30 +00:00
|
|
|
Poco::Logger * log = &Poco::Logger::get("CertificateReloader");
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
struct File
|
|
|
|
|
{
|
|
|
|
|
const char * description;
|
|
|
|
|
File(const char * description_) : description(description_) {}
|
|
|
|
|
|
|
|
|
|
std::string path;
|
|
|
|
|
std::filesystem::file_time_type modification_time;
|
|
|
|
|
|
|
|
|
|
bool changeIfModified(std::string new_path, Poco::Logger * logger);
|
|
|
|
|
};
|
2020-10-08 16:07:58 +00:00
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
File cert_file{"certificate"};
|
|
|
|
|
File key_file{"key"};
|
|
|
|
|
|
|
|
|
|
struct Data
|
|
|
|
|
{
|
|
|
|
|
Poco::Crypto::X509Certificate cert;
|
|
|
|
|
Poco::Crypto::RSAKey key;
|
|
|
|
|
|
|
|
|
|
Data(std::string cert_path, std::string key_path);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
MultiVersion<Data> data;
|
2020-10-08 16:07:58 +00:00
|
|
|
};
|
|
|
|
|
|
2021-07-09 02:27:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|
