mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-21 15:12:02 +00:00
Fix CertificateReloader usage for custom protocols
This commit is contained in:
Anton Ivashkin
parent
298b19c19d
commit
983fa64e4f
@ -17,6 +17,7 @@
|
||||
#ifndef NetSSL_SSLManager_INCLUDED
|
||||
#define NetSSL_SSLManager_INCLUDED
|
||||
|
||||
#include <unordered_map>
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
#include "Poco/BasicEvent.h"
|
||||
@ -219,6 +220,13 @@ namespace Net
|
||||
/// Unless initializeClient() has been called, the first call to this method initializes the default Context
|
||||
/// from the application configuration.
|
||||
|
||||
Context::Ptr getCustomServerContext(const std::string & name);
|
||||
/// Return custom Context used by the server.
|
||||
|
||||
Context::Ptr setCustomServerContext(const std::string & name, Context::Ptr ctx);
|
||||
/// Set custom Context used by the server.
|
||||
/// Return pointer on inserted Context or on old Context if exists.
|
||||
|
||||
PrivateKeyPassphraseHandlerPtr serverPassphraseHandler();
|
||||
/// Returns the configured passphrase handler of the server. If none is set, the method will create a default one
|
||||
/// from an application configuration.
|
||||
@ -348,6 +356,8 @@ namespace Net
|
||||
InvalidCertificateHandlerPtr _ptrClientCertificateHandler;
|
||||
Poco::FastMutex _mutex;
|
||||
|
||||
std::unordered_map<std::string, Context::Ptr> _mapPtrServerContexts;
|
||||
|
||||
friend class Poco::SingletonHolder<SSLManager>;
|
||||
friend class Context;
|
||||
};
|
||||
|
||||
@ -429,6 +429,23 @@ void SSLManager::initCertificateHandler(bool server)
|
||||
}
|
||||
|
||||
|
||||
Context::Ptr SSLManager::getCustomServerContext(const std::string & name)
|
||||
{
|
||||
Poco::FastMutex::ScopedLock lock(_mutex);
|
||||
auto it = _mapPtrServerContexts.find(name);
|
||||
if (it != _mapPtrServerContexts.end())
|
||||
return it->second;
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
Context::Ptr SSLManager::setCustomServerContext(const std::string & name, Context::Ptr ctx)
|
||||
{
|
||||
Poco::FastMutex::ScopedLock lock(_mutex);
|
||||
ctx = _mapPtrServerContexts.insert({name, ctx}).first->second;
|
||||
return ctx;
|
||||
}
|
||||
|
||||
|
||||
Poco::Util::AbstractConfiguration& SSLManager::appConfig()
|
||||
{
|
||||
try
|
||||
|
||||
@ -1359,8 +1359,8 @@ try
|
||||
tryLogCurrentException(log, "Disabling cgroup memory observer because of an error during initialization");
|
||||
}
|
||||
|
||||
const std::string cert_path = config().getString("openSSL.server.certificateFile", "");
|
||||
const std::string key_path = config().getString("openSSL.server.privateKeyFile", "");
|
||||
std::string cert_path = config().getString("openSSL.server.certificateFile", "");
|
||||
std::string key_path = config().getString("openSSL.server.privateKeyFile", "");
|
||||
|
||||
std::vector<std::string> extra_paths = {include_from_path};
|
||||
if (!cert_path.empty())
|
||||
@ -1368,6 +1368,18 @@ try
|
||||
if (!key_path.empty())
|
||||
extra_paths.emplace_back(key_path);
|
||||
|
||||
Poco::Util::AbstractConfiguration::Keys protocols;
|
||||
config().keys("protocols", protocols);
|
||||
for (const auto & protocol : protocols)
|
||||
{
|
||||
cert_path = config().getString("protocols." + protocol + ".certificateFile", "");
|
||||
key_path = config().getString("protocols." + protocol + ".privateKeyFile", "");
|
||||
if (!cert_path.empty())
|
||||
extra_paths.emplace_back(cert_path);
|
||||
if (!key_path.empty())
|
||||
extra_paths.emplace_back(key_path);
|
||||
}
|
||||
|
||||
auto main_config_reloader = std::make_unique<ConfigReloader>(
|
||||
config_path,
|
||||
extra_paths,
|
||||
@ -1602,7 +1614,7 @@ try
|
||||
|
||||
CompressionCodecEncrypted::Configuration::instance().tryLoad(*config, "encryption_codecs");
|
||||
#if USE_SSL
|
||||
CertificateReloader::instance().tryLoad(*config);
|
||||
CertificateReloader::instance().tryReloadAll(*config);
|
||||
#endif
|
||||
NamedCollectionUtils::reloadFromConfig(*config);
|
||||
|
||||
|
||||
@ -70,25 +70,30 @@ int CertificateReloader::setCertificate(SSL * ssl, const CertificateReloader::Mu
|
||||
}
|
||||
|
||||
|
||||
void CertificateReloader::init(MultiData * pdata, SSL_CTX * ctx)
|
||||
void CertificateReloader::init(MultiData * pdata)
|
||||
{
|
||||
LOG_DEBUG(log, "Initializing certificate reloader.");
|
||||
|
||||
/// Set a callback for OpenSSL to allow get the updated cert and key.
|
||||
|
||||
SSL_CTX_set_cert_cb(ctx, callSetCertificate, reinterpret_cast<void *>(pdata));
|
||||
SSL_CTX_set_cert_cb(pdata->ctx, callSetCertificate, reinterpret_cast<void *>(pdata));
|
||||
pdata->init_was_not_made = false;
|
||||
}
|
||||
|
||||
|
||||
void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & config)
|
||||
{
|
||||
auto* ctx = Poco::Net::SSLManager::instance().defaultServerContext()->sslContext();
|
||||
tryLoad(config, ctx, Poco::Net::SSLManager::CFG_SERVER_PREFIX);
|
||||
tryLoad(config, nullptr, Poco::Net::SSLManager::CFG_SERVER_PREFIX);
|
||||
}
|
||||
|
||||
|
||||
void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & config, SSL_CTX * ctx, const std::string & prefix)
|
||||
{
|
||||
std::unique_lock<std::mutex> lock(data_mutex);
|
||||
tryLoadImpl(config, ctx, prefix);
|
||||
}
|
||||
|
||||
void CertificateReloader::tryLoadImpl(const Poco::Util::AbstractConfiguration & config, SSL_CTX * ctx, const std::string & prefix)
|
||||
{
|
||||
/// If at least one of the files is modified - recreate
|
||||
|
||||
@ -104,34 +109,39 @@ void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & conf
|
||||
}
|
||||
else
|
||||
{
|
||||
bool cert_file_changed = cert_file.changeIfModified(std::move(new_cert_path), log);
|
||||
bool key_file_changed = key_file.changeIfModified(std::move(new_key_path), log);
|
||||
std::string pass_phrase = config.getString(prefix + "privateKeyPassphraseHandler.options.password", "");
|
||||
|
||||
std::unique_lock<std::mutex> lock(data_mutex);
|
||||
auto it = data.end();
|
||||
auto i = data_index.find(prefix);
|
||||
if (i != data_index.end())
|
||||
it = i->second;
|
||||
else
|
||||
{
|
||||
data.push_back(MultiData());
|
||||
data.push_back(MultiData(ctx));
|
||||
--it;
|
||||
data_index[prefix] = it;
|
||||
}
|
||||
|
||||
bool cert_file_changed = it->cert_file.changeIfModified(std::move(new_cert_path), log);
|
||||
bool key_file_changed = it->key_file.changeIfModified(std::move(new_key_path), log);
|
||||
std::string pass_phrase = config.getString(prefix + "privateKeyPassphraseHandler.options.password", "");
|
||||
|
||||
if (cert_file_changed || key_file_changed)
|
||||
{
|
||||
LOG_DEBUG(log, "Reloading certificate ({}) and key ({}).", cert_file.path, key_file.path);
|
||||
it->data.set(std::make_unique<const Data>(cert_file.path, key_file.path, pass_phrase));
|
||||
LOG_INFO(log, "Reloaded certificate ({}) and key ({}).", cert_file.path, key_file.path);
|
||||
LOG_DEBUG(log, "Reloading certificate ({}) and key ({}).", it->cert_file.path, it->key_file.path);
|
||||
it->data.set(std::make_unique<const Data>(it->cert_file.path, it->key_file.path, pass_phrase));
|
||||
LOG_INFO(log, "Reloaded certificate ({}) and key ({}).", it->cert_file.path, it->key_file.path);
|
||||
}
|
||||
|
||||
/// If callback is not set yet
|
||||
try
|
||||
{
|
||||
if (!ctx)
|
||||
{
|
||||
ctx = Poco::Net::SSLManager::instance().defaultServerContext()->sslContext();
|
||||
it->ctx = ctx;
|
||||
}
|
||||
|
||||
if (it->init_was_not_made)
|
||||
init(&*it, ctx);
|
||||
init(&*it);
|
||||
}
|
||||
catch (...)
|
||||
{
|
||||
@ -142,6 +152,14 @@ void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & conf
|
||||
}
|
||||
|
||||
|
||||
void CertificateReloader::tryReloadAll(const Poco::Util::AbstractConfiguration & config)
|
||||
{
|
||||
std::unique_lock<std::mutex> lock(data_mutex);
|
||||
for (auto & item : data_index)
|
||||
tryLoadImpl(config, item.second->ctx, item.first);
|
||||
}
|
||||
|
||||
|
||||
CertificateReloader::Data::Data(std::string cert_path, std::string key_path, std::string pass_phrase)
|
||||
: certs_chain(Poco::Crypto::X509Certificate::readPEM(cert_path)), key(/* public key */ "", /* private key */ key_path, pass_phrase)
|
||||
{
|
||||
|
||||
@ -42,10 +42,27 @@ public:
|
||||
Data(std::string cert_path, std::string key_path, std::string pass_phrase);
|
||||
};
|
||||
|
||||
struct File
|
||||
{
|
||||
const char * description;
|
||||
explicit File(const char * description_) : description(description_) {}
|
||||
|
||||
std::string path;
|
||||
std::filesystem::file_time_type modification_time;
|
||||
|
||||
bool changeIfModified(std::string new_path, LoggerPtr logger);
|
||||
};
|
||||
|
||||
struct MultiData
|
||||
{
|
||||
SSL_CTX * ctx;
|
||||
MultiVersion<Data> data;
|
||||
bool init_was_not_made = true;
|
||||
|
||||
File cert_file{"certificate"};
|
||||
File key_file{"key"};
|
||||
|
||||
explicit MultiData(SSL_CTX * ctx_) : ctx(ctx_) {}
|
||||
};
|
||||
|
||||
/// Singleton
|
||||
@ -63,6 +80,9 @@ public:
|
||||
/// Handle configuration reload
|
||||
void tryLoad(const Poco::Util::AbstractConfiguration & config, SSL_CTX * ctx, const std::string & prefix);
|
||||
|
||||
/// Handle configuration reload for all contexts
|
||||
void tryReloadAll(const Poco::Util::AbstractConfiguration & config);
|
||||
|
||||
/// A callback for OpenSSL
|
||||
int setCertificate(SSL * ssl, const MultiData * pdata);
|
||||
|
||||
@ -70,24 +90,13 @@ private:
|
||||
CertificateReloader() = default;
|
||||
|
||||
/// Initialize the callback and perform the initial cert loading
|
||||
void init(MultiData * pdata, SSL_CTX * ctx);
|
||||
void init(MultiData * pdata);
|
||||
|
||||
/// Unsafe implementation
|
||||
void tryLoadImpl(const Poco::Util::AbstractConfiguration & config, SSL_CTX * ctx, const std::string & prefix);
|
||||
|
||||
LoggerPtr log = getLogger("CertificateReloader");
|
||||
|
||||
struct File
|
||||
{
|
||||
const char * description;
|
||||
explicit File(const char * description_) : description(description_) {}
|
||||
|
||||
std::string path;
|
||||
std::filesystem::file_time_type modification_time;
|
||||
|
||||
bool changeIfModified(std::string new_path, LoggerPtr logger);
|
||||
};
|
||||
|
||||
File cert_file{"certificate"};
|
||||
File key_file{"key"};
|
||||
|
||||
std::mutex data_mutex;
|
||||
std::list<MultiData> data;
|
||||
std::unordered_map<std::string, std::list<MultiData>::iterator> data_index;
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
#include <Poco/SharedPtr.h>
|
||||
#include <Common/Exception.h>
|
||||
|
||||
|
||||
#if USE_SSL
|
||||
# include <Poco/Net/Utility.h>
|
||||
# include <Poco/StringTokenizer.h>
|
||||
@ -96,12 +97,17 @@ void DB::TLSHandler::run()
|
||||
auto ctx = SSLManager::instance().defaultServerContext();
|
||||
if (!params.privateKeyFile.empty() && !params.certificateFile.empty())
|
||||
{
|
||||
ctx = new Context(usage, params);
|
||||
ctx->disableProtocols(disabled_protocols);
|
||||
ctx->enableExtendedCertificateVerification(extended_verification);
|
||||
if (prefer_server_ciphers)
|
||||
ctx->preferServerCiphers();
|
||||
CertificateReloader::instance().tryLoad(config, ctx->sslContext(), prefix);
|
||||
ctx = SSLManager::instance().getCustomServerContext(prefix);
|
||||
if (!ctx)
|
||||
{
|
||||
ctx = new Context(usage, params);
|
||||
ctx->disableProtocols(disabled_protocols);
|
||||
ctx->enableExtendedCertificateVerification(extended_verification);
|
||||
if (prefer_server_ciphers)
|
||||
ctx->preferServerCiphers();
|
||||
CertificateReloader::instance().tryLoad(config, ctx->sslContext(), prefix);
|
||||
ctx = SSLManager::instance().setCustomServerContext(prefix, ctx);
|
||||
}
|
||||
}
|
||||
socket() = SecureStreamSocket::attach(socket(), ctx);
|
||||
stack_data.socket = socket();
|
||||
|
||||
Loading…
Reference in New Issue
Block a user