urabbitmq: support setting client + ca certs #515
LGTM overall, with a couple of things I'd like to see changed a bit
@@ -29,6 +29,12 @@ struct AuthSettings final { | |||
|
|||
/// RabbitMQs vhost | |||
std::string vhost = "/"; | |||
|
|||
/// TLS | |||
std::string client_cert_path; |
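Review bot: the /// TLS comment above client_cert_path is the only documentation the new field gets, and it says nothing about what the path must point to or how an unset value is treated. The neighbouring vhost field has its own description; give each TLS field a one-line doc comment of the same kind, stating the expected file contents and what leaving it empty means.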
Let's move all these fields into an std::optional<TlsSettings>, I think it would be cleaner this way

Done
if (!auth_settings.client_cert_path.empty() || | ||
!auth_settings.client_private_key_path.empty() || | ||
!auth_settings.ca_cert_paths.empty()) { | ||
if (auth_settings.client_cert_path.empty() != |
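Review bot: the inner condition that starts with auth_settings.client_cert_path.empty() != is easy to misread directly under the three negated empty() checks of the outer if, because comparing two empty() results with != is a compact way of saying "exactly one of them is set". Name the operands (for example has_cert and has_key booleans) or add a one-line comment spelling out which combination is being rejected.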
I feel like this validation belongs to where the settings are parsed

Also, is there a way to express this condition in the type system?
Say, something like std::optional<CertSettings>

Done
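One way to give the settings the shape asked for in the two review comments above (validation at parse time, the certificate-and-key rule carried by the type), as an added example that is not the PR's code. RawTlsConfig, ParseTlsSettings and IsRejected are hypothetical names, and plain strings stand in for crypto::Certificate and crypto::PrivateKey.

```cpp
#include <optional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Stand-ins for the PR's types; strings replace crypto::Certificate/PrivateKey.
struct ClientCertSettings {
  std::string cert;  // a certificate never exists here without its key
  std::string key;
};

struct TlsSettings {
  std::optional<ClientCertSettings> client_cert_settings;
  std::vector<std::string> ca_certs;
  bool verify_host = true;
};

// Hypothetical model of the raw values read from the config file.
struct RawTlsConfig {
  std::optional<std::string> client_cert;
  std::optional<std::string> client_key;
  std::vector<std::string> ca_certs;
};

// Validates once, at parse time. The returned TlsSettings cannot represent
// "certificate without key", so connection code needs no such check.
TlsSettings ParseTlsSettings(RawTlsConfig raw) {
  if (raw.client_cert.has_value() != raw.client_key.has_value()) {
    throw std::invalid_argument(
        "tls: client certificate and private key must be set together");
  }
  TlsSettings tls;
  if (raw.client_cert.has_value()) {
    tls.client_cert_settings = ClientCertSettings{
        std::move(*raw.client_cert), std::move(*raw.client_key)};
  }
  tls.ca_certs = std::move(raw.ca_certs);
  return tls;
}

// True when the raw config is refused at parse time.
bool IsRejected(RawTlsConfig raw) {
  try {
    ParseTlsSettings(std::move(raw));
  } catch (const std::invalid_argument&) {
    return true;
  }
  return false;
}
```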
crypto::Certificate client_cert; | ||
if (!auth_settings.client_cert_path.empty()) { | ||
auto contents = | ||
fs::blocking::ReadFileContents(auth_settings.client_cert_path); |
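Review bot: nothing in these lines ties a failed fs::blocking::ReadFileContents call back to the client_cert_path setting, and the result lands in a variable named only contents. If the file is missing or unreadable the operator should see which configured path caused it; wrap the read so the error message names the setting and the path, and give the variable a name that says it holds the client certificate.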
I think fs:: operations should be performed once, at the component initialization, for two reasons:
- They are partly a validation
- They are potentially costly with a high socket reopen rate (shouldn't be a common case, but still)

- I thought it would be a good idea to (re)load them at runtime in case the certs change on disk (as part of regular cert rotation, for example) without a service restart.
- Even if there is a high socket reopen rate, reads should be relatively fast once the files are in the filesystem cache.

Ok, fixed
@itrofimow ping

This is looking much better, thanks!
Do you intend to add some tests for the code?
Testing the functionality for the RabbitMQ driver might be too tricky, since there's no easy way to set the server up accordingly, but testing just TlsWrapper should be possible.
Going forward, please don't just "ping" me -- there are more respectful ways to achieve the same; for one, you might want to use the "re-request review" GitHub functionality at the top right corner of the page when the review comments are addressed.
ClientCertSettings client_cert_settings; | ||
|
||
const auto& client_cert_contents = | ||
fs::blocking::ReadFileContents(client_cert_path.As<std::string>()); |
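Review bot: client_cert_contents is declared as const auto& but is bound to the value returned by fs::blocking::ReadFileContents, so it is only valid through lifetime extension of a temporary. Declare it as const auto (or plain auto if it is moved from later) so ownership is obvious and a later refactoring cannot turn it into a dangling reference.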
This blocks the thread, and considering that this code is executed at components initialization, which is done in parallel, might lead to application start slowdown.
Is there a way to use this overload instead?
client_cert_settings.key = | ||
crypto::PrivateKey::LoadFromString(client_key_contents); | ||
|
||
tls_settings.client_cert_settings = client_cert_settings; |
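Review bot: nothing in these lines checks that the key returned by crypto::PrivateKey::LoadFromString belongs to the client certificate before client_cert_settings is stored in tls_settings. A mismatched pair would then surface only when a connection is attempted; if the crypto layer offers a way to compare the two, do it here so a misconfigured pair fails at startup with a clear message.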
Consider std::move-ing here
crypto::Certificate::LoadFromString(ca_cert_contents)); | ||
} | ||
|
||
tls_settings.verify_host = doc["tls"]["verify_host"].As<bool>(true); |
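Review bot: verify_host can be switched off from the config and, as far as this line shows, leaves no trace at runtime. Defaulting to true is the right choice; please also document next to the option that false turns host verification off, and log a warning at startup when it is false so a disabled check is visible in production logs.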
We prefer to default-initialize the struct and use something along the lines of
doc["tls"]["verify_host"].As<bool>(tls_settings.verify_host);
-- this way one only has to change the default value in one place
|
||
if (tls_settings.client_cert_settings || !tls_settings.ca_certs.empty() || | ||
!tls_settings.verify_host) { | ||
auth.tls_settings = tls_settings; |
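Review bot: the condition guarding auth.tls_settings = tls_settings mixes "something was configured" with "verification was disabled". A tls section that is present but only sets verify_host to true leaves auth.tls_settings unset, while verify_host set to false on its own fills it in. Deciding on whether the tls section is present in the config would be easier to reason about than inferring it from the parsed values.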
Consider std::move-ing here
if (auth_settings.tls_settings) { | ||
const auto& tls_settings = *auth_settings.tls_settings; | ||
const crypto::Certificate& client_cert = | ||
tls_settings.client_cert_settings |
nit: I personally prefer explicit .has_value()
This implements #514