Skip to content

Commit

Permalink
HPCC-30131 Cloud: Support HPCC Remote Trust via shared cert authority
Browse files Browse the repository at this point in the history
Signed-off-by: Anthony Fishbeck <[email protected]>
  • Loading branch information
afishbeck committed Sep 21, 2023
1 parent 5f388e5 commit a5ba772
Show file tree
Hide file tree
Showing 38 changed files with 890 additions and 559 deletions.
24 changes: 18 additions & 6 deletions common/thorhelper/thorsoapcall.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -876,14 +876,15 @@ class CWSCHelper : implements IWSCHelper, public CInterface
static CriticalSection secureContextCrit;
static Owned<ISecureSocketContext> tlsSecureContext;
static Owned<ISecureSocketContext> localMtlsSecureContext;
static Owned<ISecureSocketContext> remoteMtlsSecureContext;

Owned<ISecureSocketContext> customSecureContext;

CTimeMon timeLimitMon;
bool complete;
std::atomic_bool timeLimitExceeded{false};
bool customClientCert = false;
bool localClientCert = false;
StringAttr clientCertIssuer;
IRoxieAbortMonitor * roxieAbortMonitor;

protected:
Expand Down Expand Up @@ -1021,9 +1022,14 @@ class CWSCHelper : implements IWSCHelper, public CInterface
throw MakeStringException(0, "%sCALL specified no URLs",wscType == STsoap ? "SOAP" : "HTTP");
if (0==strncmp(hosts, "mtls:", 5))
{
localClientCert = true;
clientCertIssuer.set("local");
hosts += 5;
}
else if (0==strncmp(hosts, "remote-mtls:", 12))
{
clientCertIssuer.set("remote");
hosts += 12;
}
if (0==strncmp(hosts, "secret:", 7))
{
const char *finger = hosts+7;
Expand Down Expand Up @@ -1184,8 +1190,8 @@ class CWSCHelper : implements IWSCHelper, public CInterface
{
if (clientCert != NULL)
ownedSC.setown(createSecureSocketContextEx(clientCert->certificate, clientCert->privateKey, clientCert->passphrase, ClientSocket));
else if (localClientCert)
ownedSC.setown(createSecureSocketContextSecret("local", ClientSocket));
else if (clientCertIssuer.length())
ownedSC.setown(createSecureSocketContextSecret(clientCertIssuer.str(), ClientSocket));
else
ownedSC.setown(createSecureSocketContext(ClientSocket));
}
Expand All @@ -1194,8 +1200,13 @@ class CWSCHelper : implements IWSCHelper, public CInterface
ISecureSocketContext *ensureStaticSecureContext()
{
CriticalBlock b(secureContextCrit);
if (localClientCert)
return ensureSecureContext(localMtlsSecureContext);
if (clientCertIssuer.length())
{
if (strieq(clientCertIssuer.str(), "local"))
return ensureSecureContext(localMtlsSecureContext);
if (strieq(clientCertIssuer.str(), "remote"))
return ensureSecureContext(remoteMtlsSecureContext);
}
return ensureSecureContext(tlsSecureContext);
}
ISecureSocket *createSecureSocket(ISocket *sock, const char *fqdn = nullptr)
Expand Down Expand Up @@ -1333,6 +1344,7 @@ class CWSCHelper : implements IWSCHelper, public CInterface
CriticalSection CWSCHelper::secureContextCrit;
Owned<ISecureSocketContext> CWSCHelper::tlsSecureContext; // created on first use
Owned<ISecureSocketContext> CWSCHelper::localMtlsSecureContext; // created on first use
Owned<ISecureSocketContext> CWSCHelper::remoteMtlsSecureContext; // created on first use


//=================================================================================================
Expand Down
2 changes: 1 addition & 1 deletion esp/clients/wsdfuaccess/wsdfuaccess.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -543,7 +543,7 @@ StringBuffer &encodeDFUFileMeta(StringBuffer &metaInfoBlob, IPropertyTree *metaI
* If the size of this initial request was ever a concern, we could consider other ways to ensure a one-off
* delivery of this esp public signing cert. to dafilesrv, e.g. by dafilesrv reaching out to esp to request it.
*/
IPropertyTree *info = queryTlsSecretInfo(keyPairName);
Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
if (!info)
throw makeStringExceptionV(-1, "encodeDFUFileMeta: No '%s' MTLS certificate detected.", keyPairName);
privateKeyFName = info->queryProp("privatekey");
Expand Down
4 changes: 2 additions & 2 deletions esp/services/ws_dfu/ws_dfuService.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -6112,7 +6112,7 @@ void CWsDfuEx::dFUFileAccessCommon(IEspContext &context, const CDfsLogicalFileNa
StringBuffer dafilesrvHost;
#ifdef _CONTAINERIZED
keyPairName.set("signing");
IPropertyTree *info = queryTlsSecretInfo(keyPairName);
Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
if (!info)
throw makeStringExceptionV(-1, "dFUFileAccessCommon: file signing certificate ('%s') not defined in configuration.", keyPairName.str());

Expand Down Expand Up @@ -6489,7 +6489,7 @@ bool CWsDfuEx::onDFUFileCreateV2(IEspContext &context, IEspDFUFileCreateV2Reques

#ifdef _CONTAINERIZED
keyPairName.set("signing");
IPropertyTree *info = queryTlsSecretInfo(keyPairName);
Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
if (!info)
throw makeStringExceptionV(-1, "onDFUFileCreateV2: file signing certificate ('%s' ) not defined in configuration.", keyPairName.str());

Expand Down
2 changes: 1 addition & 1 deletion esp/services/ws_ecl/ws_ecl_service.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -2082,8 +2082,8 @@ void CWsEclBinding::sendRoxieRequest(const char *target, StringBuffer &req, Stri
throw MakeStringException(-1, "roxie target cluster not mapped: %s", target);
ep = conn->nextEndpoint();

Owned<IHttpClientContext> httpctx = getHttpClientContext();
WsEclSocketFactory *roxieConn = static_cast<WsEclSocketFactory*>(conn);
Owned<IHttpClientContext> httpctx = getHttpClientSecretContext(roxieConn->queryTlsIssuer());
StringBuffer url(roxieConn->isTlsService() ? "https://" : "http://");
ep.getIpText(url).append(':').append(ep.port ? ep.port : 9876).append('/');
if (roxieConn->includeTargetInURL)
Expand Down
2 changes: 1 addition & 1 deletion fs/dafilesrv/dafilesrv.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -395,7 +395,7 @@ int main(int argc, const char* argv[])
// Use the "public" certificate issuer, unless it's visibility is "cluster" (meaning internal only)
const char *visibility = getComponentConfigSP()->queryProp("service/@visibility");
const char *certScope = strsame("cluster", visibility) ? "local" : "public";
IPropertyTree *info = queryTlsSecretInfo(certScope);
Owned<IPropertyTree> info = getIssuerTlsServerConfig(certScope);
connectMethod = info ? SSLOnly : SSLNone;
// NB: connectMethod will direct the CRemoteFileServer on accept to create a secure socket based on the same issuer certificates

Expand Down
2 changes: 1 addition & 1 deletion fs/dafsclient/rmtclient.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ static ISecureSocket *createSecureSocket(ISocket *sock, const char *issuer)
auto it = secureCtxClientIssuerMap.find(issuer);
if (it == secureCtxClientIssuerMap.end())
{
IPropertyTree *info = queryTlsSecretInfo(issuer);
Owned<IPropertyTree> info = getIssuerTlsServerConfig(issuer);
if (!info)
throw makeStringExceptionV(-1, "createSecureSocket() : missing MTLS configuration for issuer: %s", issuer);
secureContext.setown(createSecureSocketContextEx2(info, ClientSocket));
Expand Down
2 changes: 1 addition & 1 deletion fs/dafsserver/dafsserver.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ static ISecureSocket *createSecureSocket(ISocket *sock, bool disableClientCertVe
*/

const char *certScope = strsame("cluster", getComponentConfigSP()->queryProp("service/@visibility")) ? "local" : "public";
IPropertyTree *info = queryTlsSecretInfo(certScope);
Owned<IPropertyTree> info = getIssuerTlsServerConfig(certScope);
if (!info)
throw makeStringException(-1, "createSecureSocket() : missing MTLS configuration");
Owned<IPropertyTree> cloneInfo;
Expand Down
Loading

0 comments on commit a5ba772

Please sign in to comment.