From 751ce2ac1b4f8c19d0bb2e3ac7b6bced4c1ac071 Mon Sep 17 00:00:00 2001 From: zb0 Date: Thu, 9 Sep 2021 10:16:49 +0800 Subject: [PATCH] liboblog support ssl - observer part --- deps/oblib/src/rpc/frame/ob_net_easy.cpp | 19 ++---- deps/oblib/src/rpc/frame/ob_net_easy.h | 7 ++- deps/oblib/src/rpc/frame/ob_req_transport.cpp | 13 ++-- deps/oblib/src/rpc/frame/ob_req_transport.h | 6 ++ deps/oblib/src/rpc/obrpc/ob_net_client.cpp | 21 +++++++ deps/oblib/src/rpc/obrpc/ob_net_client.h | 16 +++++ src/observer/ob_srv_network_frame.cpp | 59 ++++++++++++------- src/observer/ob_srv_network_frame.h | 6 +- 8 files changed, 104 insertions(+), 43 deletions(-) diff --git a/deps/oblib/src/rpc/frame/ob_net_easy.cpp b/deps/oblib/src/rpc/frame/ob_net_easy.cpp index 61dc0f60d4..9528fb12ec 100644 --- a/deps/oblib/src/rpc/frame/ob_net_easy.cpp +++ b/deps/oblib/src/rpc/frame/ob_net_easy.cpp @@ -303,22 +303,13 @@ int ObNetEasy::set_easy_keepalive(int easy_keepalive_enabled) return OB_SUCCESS; } -int ObNetEasy::load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert, - const common::ObString& public_cert, const common::ObString& private_key) +int ObNetEasy::load_ssl_config(const bool use_bkmi, + const bool use_sm, + const char *ca_ptr, + const char *cert_ptr, + const char *key_ptr) { int ret = OB_SUCCESS; - const char* ca_ptr = NULL; - const char* cert_ptr = NULL; - const char* key_ptr = NULL; - if (use_bkmi) { - ca_ptr = cert.ptr(); - cert_ptr = public_cert.ptr(); - key_ptr = private_key.ptr(); - } else { - ca_ptr = OB_SSL_CA_FILE; - cert_ptr = OB_SSL_CERT_FILE; - key_ptr = OB_SSL_KEY_FILE; - } const int from_file = use_bkmi ? 0 : 1; const int use_babassl = use_sm ? 1 : 0; if (EASY_OK != (easy_ssl_ob_config_load(mysql_eio_, ca_ptr, cert_ptr, key_ptr, from_file, use_babassl, 0))) { diff --git a/deps/oblib/src/rpc/frame/ob_net_easy.h b/deps/oblib/src/rpc/frame/ob_net_easy.h index 3ca889c5d4..df56c11a8b 100644 --- a/deps/oblib/src/rpc/frame/ob_net_easy.h 
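Review bot: ObNetEasy::load_ssl_config now receives three raw pointers whose meaning flips with use_bkmi — `from_file = use_bkmi ? 0 : 1` on the new side makes them file paths when use_bkmi is false and in-memory PEM content when it is true — but neither this definition nor the declaration in ob_net_easy.h (next hunk) says so, and the OB_SSL_*_FILE fallback that used to live here is now every caller's responsibility. The header also names the first pointer `cert` while the definition calls it `ca_ptr`; since it is the CA, rename the declaration to `const char *ca_cert, const char *public_cert, const char *private_key` and put above it `// ca_cert/public_cert/private_key: file paths when use_bkmi is false (from_file=1), PEM contents when true`. A NULL guard like the one ObNetClient::load_ssl_config adds would keep a NULL `.ptr()` from an empty ObString out of easy_ssl_ob_config_load, whose handling of NULL is not visible here. The function body continues past the hunk.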
+++ b/deps/oblib/src/rpc/frame/ob_net_easy.h @@ -79,8 +79,11 @@ public: int add_mysql_listen(const uint32_t port, ObReqHandler& handler, ObReqTransport*& transport); int add_mysql_unix_listen(const char* path, ObReqHandler& handler); int set_easy_keepalive(int easy_keepalive_enabled); - int load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert, - const common::ObString& public_cert, const common::ObString& private_key); + int load_ssl_config(const bool use_bkmi, + const bool use_sm, + const char *cert, + const char *public_cert, + const char *private_key); void on_ioth_start(); diff --git a/deps/oblib/src/rpc/frame/ob_req_transport.cpp b/deps/oblib/src/rpc/frame/ob_req_transport.cpp index bca47263ef..19acb60c4f 100644 --- a/deps/oblib/src/rpc/frame/ob_req_transport.cpp +++ b/deps/oblib/src/rpc/frame/ob_req_transport.cpp @@ -148,7 +148,7 @@ int ObReqTransport::AsyncCB::on_error(int) } ObReqTransport::ObReqTransport(easy_io_t* eio, easy_io_handler_pt* handler) - : eio_(eio), handler_(handler), sgid_(0), bucket_count_(0) + : eio_(eio), handler_(handler), sgid_(0), bucket_count_(0), enable_use_ssl_(false) { // empty } @@ -230,9 +230,12 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr, session->timeout = static_cast(timeout / 1000); bool use_ssl = false; - if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt && NULL != eio_ && NULL != eio_->ssl) { - if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) { - // nothing + if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt + && NULL != eio_ && NULL != eio_->ssl) { + if (enable_use_ssl_) { + use_ssl = true; + } else if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) { + //nothing } else if (0 == ssl_invited_nodes.case_compare("ALL")) { use_ssl = true; } else { 
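Review bot: In create_session the new `if (enable_use_ssl_) { use_ssl = true; }` is evaluated before the ssl_invited_nodes check, so once ObReqTransport::enable_use_ssl() (the ob_req_transport.h hunks below) has been called the invited-nodes list, including an explicit "NONE", no longer applies to any destination; that is presumably intended for the external client, but it deserves a comment on that line: `// external client (ObNetClient::load_ssl_config): SSL to every peer, ssl_invited_nodes is not consulted`. The flag still sits under the outer guard (handler_->is_ssl == 1, is_ssl_opt == 0, eio_->ssl != NULL), which is worth stating on the setter as well, since enable_use_ssl() has no effect until an SSL config has been loaded. enable_use_ssl_ is a plain bool with a setter and no reset; if create_session can run on another thread while the setter is called that write is unsynchronized, so confirm it is only called during client setup. The function continues outside the hunk on both sides.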
@@ -246,7 +249,7 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr, } } } - LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes)); + LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes), K(enable_use_ssl_)); if (use_ssl) { session->packet_id |= (EASY_CONNECT_SSL | EASY_CONNECT_SSL_OB); diff --git a/deps/oblib/src/rpc/frame/ob_req_transport.h b/deps/oblib/src/rpc/frame/ob_req_transport.h index dd112d5663..413be960f2 100644 --- a/deps/oblib/src/rpc/frame/ob_req_transport.h +++ b/deps/oblib/src/rpc/frame/ob_req_transport.h @@ -238,6 +238,11 @@ public: { bucket_count_ = bucket_cnt; } + void enable_use_ssl() + { + enable_use_ssl_ = true; + } + template int create_request(Request& req, const ObAddr& addr, int64_t size, int64_t timeout, const ObAddr& local_addr, const common::ObString& ssl_invited_nodes, const AsyncCB* cb = NULL) const; @@ -269,6 +274,7 @@ private: easy_io_handler_pt* handler_; int32_t sgid_; int32_t bucket_count_; // Control the number of buckets of batch_rpc_eio + bool enable_use_ssl_; // External client support enable ssl }; // end of class ObReqTransport template diff --git a/deps/oblib/src/rpc/obrpc/ob_net_client.cpp b/deps/oblib/src/rpc/obrpc/ob_net_client.cpp index 57f82b8ca4..5a6530bcc6 100644 --- a/deps/oblib/src/rpc/obrpc/ob_net_client.cpp +++ b/deps/oblib/src/rpc/obrpc/ob_net_client.cpp 
@@ -75,6 +75,27 @@ int ObNetClient::init() return ret; } +int ObNetClient::load_ssl_config(const char *ca_cert, + const char *public_cert, + const char *private_key) +{ + int ret = OB_SUCCESS; + bool use_bkmi = false; + bool use_sm = false; + if (OB_ISNULL(ca_cert) || OB_ISNULL(public_cert) || OB_ISNULL(private_key)) { + ret = OB_INVALID_ARGUMENT; + OB_LOG(ERROR, "invalid argument", K(ret)); + } else if (OB_FAIL(net_.load_ssl_config(use_bkmi, use_sm, ca_cert, public_cert, private_key))) { + OB_LOG(ERROR, "ObNetEasy load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm)); + } else { + set_pkt_handler_ssl_opt(); + set_transport_ssl_opt(); + LOG_INFO("ObNetClient load_ssl_config succ", K(use_bkmi), K(use_sm)); + } + + return ret; +} + int ObNetClient::init(const ObNetOptions opts) { return init_(opts); diff --git a/deps/oblib/src/rpc/obrpc/ob_net_client.h b/deps/oblib/src/rpc/obrpc/ob_net_client.h index 7acd50e5c0..561224051c 100644 --- a/deps/oblib/src/rpc/obrpc/ob_net_client.h +++ b/deps/oblib/src/rpc/obrpc/ob_net_client.h @@ -36,6 +36,22 @@ public: void destroy(); int get_proxy(ObRpcProxy& proxy); + int load_ssl_config(const char *ca_cert, + const char *public_cert, + const char *private_key); + + void set_pkt_handler_ssl_opt() + { + pkt_handler_.ez_handler()->is_ssl = 1; + pkt_handler_.ez_handler()->is_ssl_opt = 0; + } + + void set_transport_ssl_opt() + { + if (NULL != transport_) { + transport_->enable_use_ssl(); + } + } private: int init_(const rpc::frame::ObNetOptions opts); diff --git a/src/observer/ob_srv_network_frame.cpp b/src/observer/ob_srv_network_frame.cpp index 45256469ce..7192ace3f2 100644 --- a/src/observer/ob_srv_network_frame.cpp +++ b/src/observer/ob_srv_network_frame.cpp 
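Review bot: ObNetClient::load_ssl_config hard-codes `use_bkmi = false`, which ObNetEasy::load_ssl_config turns into `from_file = 1`, so ca_cert, public_cert and private_key are file system paths here even though the same names carry PEM content in reload_ssl_config's bkmi branch; say so in the header: `// ca_cert/public_cert/private_key: paths to PEM files (loaded with from_file=1); on success SSL is forced for every session`. The NULL check lets an empty string through, and unlike the observer side there is no easy_ssl_ob_config_check(ca_cert, public_cert, private_key, true, false) before loading, so a mismatched key/cert pair is only reported by easy_ssl_ob_config_load, presumably with a less specific error; running the check first would give the client the same "key and cert not match" diagnostics as reload_ssl_config. The `invalid argument` log does not say which of the three pointers was NULL, which makes the failure hard to act on from the log alone.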
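Review bot: set_pkt_handler_ssl_opt() and set_transport_ssl_opt() are declared public in ob_net_client.h, but the only caller in this commit is load_ssl_config, and calling them on their own marks the handler `is_ssl = 1` and forces use_ssl on the transport without any certificate having been loaded. Make both private (or fold them into load_ssl_config) so the SSL flags can only be set on the success path after net_.load_ssl_config. set_transport_ssl_opt() silently does nothing when transport_ is NULL; if load_ssl_config may legitimately run before the transport is created (presumably in init()), document that ordering in the header, otherwise treat the NULL as an error so the client does not end up with the handler flagged and the transport not.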
@@ -178,11 +178,11 @@ int ObSrvNetworkFrame::reload_config() return ret; } -int extract_expired_time(const char* const cert_file, int64_t& expired_time) +int ObSrvNetworkFrame::extract_expired_time(const char *const cert_file, int64_t &expired_time) { int ret = OB_SUCCESS; - X509* cert = NULL; - BIO* b = NULL; + X509 *cert = NULL; + BIO *b = NULL; if (OB_ISNULL(b = BIO_new_file(cert_file, "r"))) { ret = OB_ERR_UNEXPECTED; OB_LOG(WARN, "BIO_new_file failed", K(ret), K(cert_file)); @@ -190,16 +190,16 @@ int extract_expired_time(const char* const cert_file, int64_t& expired_time) ret = OB_ERR_UNEXPECTED; OB_LOG(WARN, "PEM_read_bio_X509 failed", K(ret), K(cert_file)); } else { - ASN1_TIME* notAfter = X509_get_notAfter(cert); + ASN1_TIME *notAfter = X509_get_notAfter(cert); struct tm tm1; - memset(&tm1, 0, sizeof(tm1)); - tm1.tm_year = (notAfter->data[0] - '0') * 10 + (notAfter->data[1] - '0') + 100; - tm1.tm_mon = (notAfter->data[2] - '0') * 10 + (notAfter->data[3] - '0') - 1; - tm1.tm_mday = (notAfter->data[4] - '0') * 10 + (notAfter->data[5] - '0'); - tm1.tm_hour = (notAfter->data[6] - '0') * 10 + (notAfter->data[7] - '0'); - tm1.tm_min = (notAfter->data[8] - '0') * 10 + (notAfter->data[9] - '0'); - tm1.tm_sec = (notAfter->data[10] - '0') * 10 + (notAfter->data[11] - '0'); - expired_time = mktime(&tm1) * 1000000; // us + memset (&tm1, 0, sizeof (tm1)); + tm1.tm_year = (notAfter->data[ 0] - '0') * 10 + (notAfter->data[ 1] - '0') + 100; + tm1.tm_mon = (notAfter->data[ 2] - '0') * 10 + (notAfter->data[ 3] - '0') - 1; + tm1.tm_mday = (notAfter->data[ 4] - '0') * 10 + (notAfter->data[ 5] - '0'); + tm1.tm_hour = (notAfter->data[ 6] - '0') * 10 + (notAfter->data[ 7] - '0'); + tm1.tm_min = (notAfter->data[ 8] - '0') * 10 + (notAfter->data[ 9] - '0'); + tm1.tm_sec = (notAfter->data[10] - '0') * 10 + (notAfter->data[11] - '0'); + expired_time = mktime(&tm1) * 1000000;//us } if (NULL != cert) { 
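Review bot: extract_expired_time, now an ObSrvNetworkFrame static, still decodes notAfter by reading `notAfter->data[0..11]` as a two-digit-year UTCTime (next hunk, -190,16) without checking `notAfter->type` or `notAfter->length`, and converts with mktime, which applies the local time zone to a value that is UTC. A certificate whose notAfter is a GeneralizedTime (RFC 5280 requires it for dates from 2050) is mis-parsed, and a short or malformed field may be read past its buffer; either way the wrong expiry feeds the check in reload_ssl_config. Since the commit already touches every one of these lines, replace the hand parsing with ASN1_TIME_to_tm and timegm as below; ASN1_TIME_to_tm needs OpenSSL 1.1.1 or later, so confirm the bundled version and on older OpenSSL at least reject `notAfter->type != V_ASN1_UTCTIME || notAfter->length < 12` before indexing. The function's cleanup path continues past the hunk.
```cpp
      ASN1_TIME *notAfter = X509_get_notAfter(cert);
      struct tm tm1;
      memset(&tm1, 0, sizeof(tm1));
      // ASN1_TIME_to_tm validates type/length and handles UTCTime and GeneralizedTime
      if (1 != ASN1_TIME_to_tm(notAfter, &tm1)) {
        ret = OB_ERR_UNEXPECTED;
        OB_LOG(WARN, "ASN1_TIME_to_tm failed", K(ret), K(cert_file));
      } else {
        expired_time = timegm(&tm1) * 1000000;  // us; notAfter is UTC, so not mktime
      }
      // … unchanged: X509/BIO cleanup …
```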
@@ -211,14 +211,18 @@ int extract_expired_time(const char* const cert_file, int64_t& expired_time) return ret; } -uint64_t ObSrvNetworkFrame::get_ssl_file_hash(bool& file_exist) +uint64_t ObSrvNetworkFrame::get_ssl_file_hash(const char *ca_cert_file, + const char *ssl_cert_file, + const char *ssl_key_file, + bool &file_exist) { file_exist = false; uint64_t hash_value = 0; struct stat tmp_buf[3]; - if (0 == stat(OB_SSL_CA_FILE, tmp_buf + 0) && 0 == stat(OB_SSL_CERT_FILE, tmp_buf + 1) && - 0 == stat(OB_SSL_KEY_FILE, tmp_buf + 2)) { + if (0 == stat(ca_cert_file, tmp_buf + 0) + && 0 == stat(ssl_cert_file, tmp_buf + 1) + && 0 == stat(ssl_key_file, tmp_buf + 2)) { file_exist = true; hash_value = murmurhash(&(tmp_buf[0].st_mtime), sizeof(tmp_buf[0].st_mtime), hash_value); hash_value = murmurhash(&(tmp_buf[1].st_mtime), sizeof(tmp_buf[1].st_mtime), hash_value); @@ -236,17 +240,22 @@ int ObSrvNetworkFrame::reload_ssl_config() ObString ssl_config(GCONF.ssl_external_kms_info.str()); bool file_exist = false; - const uint64_t new_hash_value = ssl_config.empty() ? get_ssl_file_hash(file_exist) : ssl_config.hash(); + const uint64_t new_hash_value = ssl_config.empty() + ? get_ssl_file_hash(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, file_exist) + : ssl_config.hash(); if (ssl_config.empty() && !file_exist) { ret = OB_INVALID_CONFIG; LOG_WARN("ssl file not available", K(new_hash_value)); LOG_USER_ERROR(OB_INVALID_CONFIG, "ssl file not available"); } else if (last_ssl_info_hash_ == new_hash_value) { LOG_INFO("no need reload_ssl_config", K(new_hash_value)); - } else { bool use_bkmi = false; bool use_sm = false; + const char *ca_cert = NULL; + const char *public_cert = NULL; + const char *private_key = NULL; + share::ObSSLClient client; if (!ssl_config.empty()) { if (OB_FAIL(client.init(ssl_config.ptr(), ssl_config.length()))) { 
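Review bot: get_ssl_file_hash now takes the three paths but still states no contract: the hash covers only st_mtime of the three files (not their size or contents), and file_exist is set only when all three stat() calls succeed, so a single missing file makes reload_ssl_config report "ssl file not available" for the whole set. Add above the definition `// Hash of the mtimes of the three PEM files; file_exist is true only when all three exist. A rotated file whose mtime is preserved (e.g. cp -p) is not detected.` so that callers passing their own paths, which this commit enables, know what an unchanged value does and does not mean. The murmurhash lines and the rest of the function continue past the hunk.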
@@ -256,12 +265,20 @@ int ObSrvNetworkFrame::reload_ssl_config() } else { use_bkmi = client.is_bkmi_mode(); use_sm = client.is_sm_scene(); + ca_cert = client.get_root_ca().ptr(); + public_cert = client.public_cert_.content_.ptr(); + private_key = client.private_key_.content_.ptr(); } } else { - if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, true, false)) { + if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, + OB_SSL_KEY_FILE, true, false)) { ret = OB_INVALID_CONFIG; LOG_WARN("key and cert not match", K(ret)); LOG_USER_ERROR(OB_INVALID_CONFIG, "key and cert not match"); + } else { + ca_cert = OB_SSL_CA_FILE; + public_cert = OB_SSL_CERT_FILE; + private_key = OB_SSL_KEY_FILE; } } @@ -271,9 +288,9 @@ int ObSrvNetworkFrame::reload_ssl_config() OB_LOG(WARN, "extract_expired_time failed", K(ret), K(use_bkmi)); } else if (OB_FAIL(net_.load_ssl_config(use_bkmi, use_sm, - client.get_root_ca(), - client.public_cert_.content_, - client.private_key_.content_))) { + ca_cert, + public_cert, + private_key))) { OB_LOG(WARN, "load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm)); } else { mysql_handler_.ez_handler()->is_ssl = 1; diff --git a/src/observer/ob_srv_network_frame.h b/src/observer/ob_srv_network_frame.h index 19cbacab67..72325630a4 100644 --- a/src/observer/ob_srv_network_frame.h +++ b/src/observer/ob_srv_network_frame.h @@ -52,7 +52,11 @@ public: int reload_config(); int reload_ssl_config(); - static uint64_t get_ssl_file_hash(bool& file_exist); + static int extract_expired_time(const char *const cert_file, int64_t &expired_time); + static uint64_t get_ssl_file_hash(const char *ca_cert_file, + const char *ssl_cert_file, + const char *ssl_key_file, + bool &file_exist); ObSrvDeliver& get_deliver() { return deliver_;
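Review bot: In the `!ssl_config.empty()` branch ca_cert, public_cert and private_key are now taken from the ObSSLClient contents regardless of use_bkmi, whereas before this commit ObNetEasy::load_ssl_config only used those contents when use_bkmi was true and fell back to OB_SSL_CA_FILE/OB_SSL_CERT_FILE/OB_SSL_KEY_FILE otherwise; with use_bkmi false the callee now sets from_file = 1 and would hand PEM text to easy as a file name. If a non-bkmi mode with a non-empty ssl_external_kms_info exists, restore the selection in this branch as below; if bkmi is the only such mode, a comment `// non-empty ssl_config implies bkmi mode: contents, not paths` at the assignments records why use_bkmi is not consulted here. The three pointers refer into `client`, which is declared in the enclosing else-block and outlives the net_.load_ssl_config call in the later hunk of this section, so the lifetime holds as long as easy copies what it loads; the block continues past the hunk on both sides.
```cpp
        } else {
          use_bkmi = client.is_bkmi_mode();
          use_sm = client.is_sm_scene();
          if (use_bkmi) {
            ca_cert = client.get_root_ca().ptr();
            public_cert = client.public_cert_.content_.ptr();
            private_key = client.private_key_.content_.ptr();
          } else {
            // contents are only meaningful with from_file = 0; file mode keeps the fixed paths
            ca_cert = OB_SSL_CA_FILE;
            public_cert = OB_SSL_CERT_FILE;
            private_key = OB_SSL_KEY_FILE;
          }
        }
        // … unchanged: file-mode easy_ssl_ob_config_check branch …
```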