Merge pull request #1753 from ClickHouse/feat_support_https

[client-v2] Https Support

Author: chernser

.github/workflows/build.yml

@@ -41,14 +41,14 @@ jobs:
     name: Compile using JDK 8
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
             origin pull/${{ github.event.inputs.pr }}/merge:merged-pr && git checkout merged-pr
         if: github.event.inputs.pr != ''
       - name: Install JDK 8 and Maven
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: 8
@@ -60,6 +60,14 @@ jobs:
           export LIB_VER=$(grep '<revision>' pom.xml | sed -e 's|[[:space:]]*<[/]*revision>[[:space:]]*||g')
           find `pwd`/examples -type f -name pom.xml -exec sed -i -e "s|\(<clickhouse-java.version>\).*\(<\)|\1$LIB_VER\2|g" {} \;
           for d in $(ls -d `pwd`/examples/*/); do cd $d && mvn  --batch-mode --no-transfer-progress clean compile; done
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: result ${{ github.job }}
+          path: |
+            **/target/failsafe-reports
+            **/target/surefire-reports          
 
   test-multi-env:
     needs: compile
@@ -77,22 +85,22 @@ jobs:
     name: ${{ matrix.dist }} JDK 17 on ${{ matrix.os }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
             origin pull/${{ github.event.inputs.pr }}/merge:merged-pr && git checkout merged-pr
         if: github.event.inputs.pr != ''
       - name: Install JDK 17 and Maven
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ matrix.dist }}
           java-version: 17
           cache: "maven"
       - name: Test libraries
         run: mvn --batch-mode --no-transfer-progress -Dj8 -DskipITs verify
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: result ${{ github.job }}
@@ -107,7 +115,7 @@ jobs:
     name: Test Native Image
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
@@ -140,14 +148,14 @@ jobs:
     name: CLI client + CH LTS
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
             origin pull/${{ github.event.inputs.pr }}/merge:merged-pr && git checkout merged-pr
         if: github.event.inputs.pr != ''
       - name: Install JDK 8 and Maven
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: 8
@@ -164,7 +172,7 @@ jobs:
         run: |
           mvn --also-make --batch-mode --no-transfer-progress --projects clickhouse-cli-client -DclickhouseVersion=$PREFERRED_LTS_VERSION -Dj8 -DskipUTs verify
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: result ${{ github.job }}
@@ -185,14 +193,14 @@ jobs:
     name: Java client + CH ${{ matrix.clickhouse }}
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
             origin pull/${{ github.event.inputs.pr }}/merge:merged-pr && git checkout merged-pr
         if: github.event.inputs.pr != ''
       - name: Install JDK 17 and Maven
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: |
@@ -224,7 +232,7 @@ jobs:
         run: |
           mvn --also-make --batch-mode --no-transfer-progress --projects clickhouse-cli-client,clickhouse-grpc-client,clickhouse-http-client -DclickhouseVersion=${{ matrix.clickhouse }} verify
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: result ${{ github.job }}
@@ -306,14 +314,14 @@ jobs:
     name: JDBC driver + CH ${{ matrix.clickhouse }} (${{ matrix.protocol }})
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
             origin pull/${{ github.event.inputs.pr }}/merge:merged-pr && git checkout merged-pr
         if: github.event.inputs.pr != ''
       - name: Install JDK 17 and Maven
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: |
@@ -347,7 +355,7 @@ jobs:
         run: |
           mvn --batch-mode --no-transfer-progress --projects clickhouse-jdbc -DclickhouseVersion=${{ matrix.clickhouse }} -Dprotocol=${{ matrix.protocol }} verify
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: result ${{ github.job }}
@@ -369,14 +377,14 @@ jobs:
     name: R2DBC ${{ matrix.r2dbc }} + CH ${{ matrix.clickhouse }} (${{ matrix.protocol }})
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
             origin pull/${{ github.event.inputs.pr }}/merge:merged-pr && git checkout merged-pr
         if: github.event.inputs.pr != ''
       - name: Install JDK 17 and Maven
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: |
@@ -408,7 +416,7 @@ jobs:
           mvn --batch-mode --no-transfer-progress --projects clickhouse-r2dbc -DclickhouseVersion=${{ matrix.clickhouse }} \
             -D'r2dbc-spi.version=${{ matrix.r2dbc }}' -Dprotocol=${{ matrix.protocol }} verify
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: result ${{ github.job }}
@@ -442,14 +450,14 @@ jobs:
     name: "TimeZone(C/S): ${{ matrix.clientTz }} vs. ${{ matrix.serverTz }}"
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out PR
         run: |
           git fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 \
             origin pull/${{ github.event.inputs.pr }}/merge:merged-pr && git checkout merged-pr
         if: github.event.inputs.pr != ''
       - name: Install JDK 8 and Maven
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: 8
@@ -462,7 +470,7 @@ jobs:
             -DclickhouseTimezone=${{ matrix.serverTz }} -Duser.timezone=${{ matrix.clientTz }} \
             -Dj8 -DskipUTs verify
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: result ${{ github.job }}

clickhouse-client/src/main/java/com/clickhouse/client/ClickHouseSslContextProvider.java

@@ -1,10 +1,13 @@
 package com.clickhouse.client;
 
+import java.security.KeyStore;
 import java.util.Optional;
 import java.util.ServiceLoader;
 
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 
+import com.clickhouse.client.config.ClickHouseSslMode;
 import com.clickhouse.data.ClickHouseChecker;
 
 /**
@@ -44,4 +47,26 @@ static ClickHouseSslContextProvider getProvider() {
      * @throws SSLException when error occured getting SSL context
      */
     <T> Optional<T> getSslContext(Class<? extends T> sslContextClass, ClickHouseConfig config) throws SSLException;
+
+    /**
+     * Use this method if trust store should be imported
+     *
+     * @param clientCert
+     * @param clientKey
+     * @param sslRootCert
+     * @return
+     * @throws SSLException
+     */
+    SSLContext getSslContextFromCerts(String clientCert, String clientKey, String sslRootCert) throws SSLException;
+
+    /**
+     * Use this method if client has separate certs
+     *
+     * @param truststorePath
+     * @param truststorePassword
+     * @param keyStoreType
+     * @return
+     * @throws SSLException
+     */
+    SSLContext getSslContextFromKeyStore(String truststorePath, String truststorePassword, String keyStoreType) throws SSLException;
 }

clickhouse-client/src/main/java/com/clickhouse/client/config/ClickHouseDefaultSslContextProvider.java

@@ -65,7 +65,7 @@ static String getAlgorithm(String header, String defaultAlg) {
         return startIndex < endIndex ? header.substring(startIndex, endIndex) : defaultAlg;
     }
 
-    static PrivateKey getPrivateKey(String keyFile)
+    public static PrivateKey getPrivateKey(String keyFile)
             throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
         String algorithm = (String) ClickHouseDefaults.SSL_KEY_ALGORITHM.getEffectiveDefaultValue();
         StringBuilder builder = new StringBuilder();
@@ -90,7 +90,7 @@ static PrivateKey getPrivateKey(String keyFile)
         return kf.generatePrivate(keySpec);
     }
 
-    protected KeyStore getKeyStore(String cert, String key) throws NoSuchAlgorithmException, InvalidKeySpecException,
+    public KeyStore getKeyStore(String cert, String key) throws NoSuchAlgorithmException, InvalidKeySpecException,
             IOException, CertificateException, KeyStoreException {
         final KeyStore ks;
         try {
@@ -117,7 +117,7 @@ protected KeyStore getKeyStore(String cert, String key) throws NoSuchAlgorithmEx
         return ks;
     }
 
-    protected SSLContext getJavaSslContext(ClickHouseConfig config) throws SSLException {
+    public SSLContext getJavaSslContext(ClickHouseConfig config) throws SSLException {
         ClickHouseSslMode sslMode = config.getSslMode();
         String clientCert = config.getSslCert();
         String clientKey = config.getSslKey();
@@ -126,6 +126,20 @@ protected SSLContext getJavaSslContext(ClickHouseConfig config) throws SSLExcept
         String truststorePassword = config.getTrustStorePassword();
         String keyStoreType = (!config.getKeyStoreType().isEmpty() && config.getKeyStoreType() != null) ? config.getKeyStoreType() : KeyStore.getDefaultType();
 
+        return getSslContextImpl(sslMode, clientCert, clientKey, sslRootCert, truststorePath, truststorePassword,
+                keyStoreType);
+    }
+
+    public SSLContext getSslContextFromCerts(String clientCert, String clientKey, String sslRootCert) throws SSLException {
+        return getSslContextImpl(ClickHouseSslMode.STRICT,
+                clientCert, clientKey, sslRootCert, null, null, KeyStore.getDefaultType());
+    }
+
+    public SSLContext getSslContextFromKeyStore(String truststorePath, String truststorePassword, String keyStoreType) throws SSLException {
+        return getSslContextImpl(ClickHouseSslMode.STRICT, null, null, null, truststorePath, truststorePassword, keyStoreType);
+    }
+
+    private SSLContext getSslContextImpl(ClickHouseSslMode sslMode, String clientCert, String clientKey, String sslRootCert, String truststorePath, String truststorePassword, String keyStoreType) throws SSLException {
         SSLContext ctx;
         try {
             ctx = SSLContext.getInstance((String) ClickHouseDefaults.SSL_PROTOCOL.getEffectiveDefaultValue());

clickhouse-http-client/src/main/java/com/clickhouse/client/http/ClickHouseHttpProto.java

@@ -39,6 +39,13 @@ public class ClickHouseHttpProto {
      */
     public static final String HEADER_DATABASE = "X-ClickHouse-Database";
 
+    /**
+     * Name of user to be used to authenticate
+     */
+    public static final String HEADER_DB_USER = "X-ClickHouse-User";
+
+    public static final String HEADER_DB_PASSWORD = "X-ClickHouse-Key";
+
     /**
      * Query parameter to specify the query ID.
      */

client-v2/src/main/java/com/clickhouse/client/api/Client.java

@@ -459,6 +459,75 @@ public Builder setHttpCookiesEnabled(boolean enabled) {
             return this;
         }
 
+
+        /**
+         * Defines path to the trust store file. It cannot be combined with
+         * certificates. Either trust store or certificates should be used.
+         *
+         * {@see setSSLTrustStorePassword} and {@see setSSLTrustStoreType}
+         * @param path
+         * @return
+         */
+        public Builder setSSLTrustStore(String path) {
+            this.configuration.put(ClickHouseClientOption.TRUST_STORE.getKey(), path);
+            return this;
+        }
+
+        /**
+         * Password for the SSL Trust Store.
+         *
+         * @param password
+         * @return
+         */
+        public Builder setSSLTrustStorePassword(String password) {
+            this.configuration.put(ClickHouseClientOption.KEY_STORE_PASSWORD.getKey(), password);
+            return this;
+        }
+
+        /**
+         * Type of the SSL Trust Store. Usually JKS
+         *
+         * @param type
+         * @return
+         */
+        public Builder setSSLTrustStoreType(String type) {
+            this.configuration.put(ClickHouseClientOption.KEY_STORE_TYPE.getKey(), type);
+            return this;
+        }
+
+        /**
+         * Defines path to the key store file. It cannot be combined with
+         * certificates. Either key store or certificates should be used.
+         *
+         * {@see setSSLKeyStorePassword} and {@see setSSLKeyStoreType}
+         * @param path
+         * @return
+         */
+        public Builder setRootCertificate(String path) {
+            this.configuration.put(ClickHouseClientOption.SSL_ROOT_CERTIFICATE.getKey(), path);
+            return this;
+        }
+
+        /**
+         * Client certificate for mTLS.
+         * @param path
+         * @return
+         */
+        public Builder setClientCertificate(String path) {
+            this.configuration.put(ClickHouseClientOption.SSL_CERTIFICATE.getKey(), path);
+            return this;
+        }
+
+        /**
+         * Client key for mTLS.
+         * @param path
+         * @return
+         */
+        public Builder setClientKey(String path) {
+            this.configuration.put(ClickHouseClientOption.SSL_KEY.getKey(), path);
+            return this;
+        }
+
         public Client build() {
             // check if endpoint are empty. so can not initiate client
             if (this.endpoints.isEmpty()) {
@@ -469,6 +538,11 @@ public Client build() {
                 throw new IllegalArgumentException("Username and password are required");
             }
 
+            if (this.configuration.containsKey(ClickHouseClientOption.TRUST_STORE) &&
+                this.configuration.containsKey(ClickHouseClientOption.SSL_CERTIFICATE)) {
+                throw new IllegalArgumentException("Trust store and certificates cannot be used together");
+            }
+
             this.configuration = setDefaults(this.configuration);
 
             return new Client(this.endpoints, this.configuration, this.useNewImplementation);