pass session certificate for showCertificate()

2024-11-23 16:12:01 +00:00 · 2022-09-18 07:11:52 +00:00 · 2022-09-18 07:11:52 +00:00 · c66f412300
commit c66f412300
parent 910d49302c
8 changed files with 26 additions and 6 deletions
--- a/src/Functions/FunctionShowCertificate.h
+++ b/src/Functions/FunctionShowCertificate.h
@ -1,5 +1,7 @@
 #pragma once

+#include <memory>
+#include <string>
 #include <Common/config.h>

 #include <Columns/ColumnMap.h>
@ -33,14 +35,18 @@ class FunctionShowCertificate : public IFunction
 public:
    static constexpr auto name = "showCertificate";

-    static FunctionPtr create(ContextPtr)
+    static FunctionPtr create(ContextPtr ctx)
    {
 #if !defined(USE_SSL) || USE_SSL == 0
        throw Exception(ErrorCodes::SUPPORT_IS_DISABLED, "SSL support is disabled");
 #endif
-        return std::make_shared<FunctionShowCertificate>();
+        return std::make_shared<FunctionShowCertificate>(ctx->getQueryContext()->getClientInfo().certificate);
    }

+    std::string certificate;
+
+    explicit FunctionShowCertificate(const std::string & certificate_ = "") : certificate(certificate_) {}
+
    String getName() const override { return name; }

    size_t getNumberOfArguments() const override { return 0; }
@ -61,7 +67,15 @@ public:
        if (input_rows_count)
        {
 #if USE_SSL
-            if (const X509 * cert = SSL_CTX_get0_certificate(Poco::Net::SSLManager::instance().defaultServerContext()->sslContext()))
+            std::unique_ptr<Poco::Crypto::X509Certificate> x509_cert;
+            if (!certificate.empty())
+                x509_cert = std::make_unique<Poco::Crypto::X509Certificate>(certificate);
+
+            const X509 * cert = x509_cert ?
+                x509_cert->certificate() :
+                SSL_CTX_get0_certificate(Poco::Net::SSLManager::instance().defaultServerContext()->sslContext());
+
+            if (cert)
            {
                BIO * b = BIO_new(BIO_s_mem());
                SCOPE_EXIT(
--- a/src/Interpreters/ClientInfo.h
+++ b/src/Interpreters/ClientInfo.h
@ -69,6 +69,7 @@ public:

    Interface interface = Interface::TCP;
    bool is_secure = false;
+    String certificate;

    /// For tcp
    String os_user;
--- a/src/Interpreters/Session.cpp
+++ b/src/Interpreters/Session.cpp
@ -244,7 +244,7 @@ void Session::shutdownNamedSessions()
    NamedSessionsStorage::instance().shutdown();
 }

-Session::Session(const ContextPtr & global_context_, ClientInfo::Interface interface_, bool is_secure)
+Session::Session(const ContextPtr & global_context_, ClientInfo::Interface interface_, bool is_secure, const std::string & certificate)
    : auth_id(UUIDHelpers::generateV4()),
      global_context(global_context_),
      log(&Poco::Logger::get(String{magic_enum::enum_name(interface_)} + "-Session"))
@ -252,6 +252,7 @@ Session::Session(const ContextPtr & global_context_, ClientInfo::Interface inter
    prepared_client_info.emplace();
    prepared_client_info->interface = interface_;
    prepared_client_info->is_secure = is_secure;
+    prepared_client_info->certificate = certificate;
 }

 Session::~Session()
--- a/src/Interpreters/Session.h
+++ b/src/Interpreters/Session.h
@ -32,7 +32,7 @@ public:
    /// Stops using named sessions. The method must be called at the server shutdown.
    static void shutdownNamedSessions();

-    Session(const ContextPtr & global_context_, ClientInfo::Interface interface_, bool is_secure = false);
+    Session(const ContextPtr & global_context_, ClientInfo::Interface interface_, bool is_secure = false, const std::string & certificate = "");
    ~Session();

    Session(const Session &&) = delete;
--- a/src/Server/TCPHandler.cpp
+++ b/src/Server/TCPHandler.cpp
@ -115,6 +115,7 @@ TCPHandler::TCPHandler(IServer & server_, TCPServer & tcp_server_, const Poco::N
    , tcp_server(tcp_server_)
    , log(&Poco::Logger::get("TCPHandler"))
    , forwarded_for(stack_data.forwarded_for)
+    , certificate(stack_data.certificate)
    , server_display_name(std::move(server_display_name_))
 {
 }
@ -1065,7 +1066,7 @@ std::unique_ptr<Session> TCPHandler::makeSession()
 {
    auto interface = is_interserver_mode ? ClientInfo::Interface::TCP_INTERSERVER : ClientInfo::Interface::TCP;

-    auto res = std::make_unique<Session>(server.context(), interface, socket().secure());
+    auto res = std::make_unique<Session>(server.context(), interface, socket().secure(), certificate);

    auto & client_info = res->getClientInfo();
    client_info.forwarded_for = forwarded_for;
--- a/src/Server/TCPHandler.h
+++ b/src/Server/TCPHandler.h
@ -153,6 +153,7 @@ private:
    Poco::Logger * log;

    String forwarded_for;
+    String certificate;

    String client_name;
    UInt64 client_version_major = 0;
--- a/src/Server/TCPProtocolStackData.h
+++ b/src/Server/TCPProtocolStackData.h
@ -10,6 +10,7 @@ struct TCPProtocolStackData
 {
    Poco::Net::StreamSocket socket;
    std::string forwarded_for;
+    std::string certificate;
 };

 }
--- a/src/Server/TLSHandler.h
+++ b/src/Server/TLSHandler.h
@ -43,6 +43,7 @@ public:
            ctx = new Context(Context::Usage::SERVER_USE, key, certificate, ctx->getCAPaths().caLocation);
        socket() = SecureStreamSocket::attach(socket(), ctx);
        stack_data.socket = socket();
+        stack_data.certificate = certificate;
 #else
        throw Exception{"SSL support for TCP protocol is disabled because Poco library was built without NetSSL support.",
                        ErrorCodes::SUPPORT_IS_DISABLED};