implemented ssl authentication

Author: chernser

clickhouse-client/src/test/resources/README.md

@@ -18,3 +18,11 @@ openssl x509 -req -in server.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -o
 openssl req -nodes -subj "/CN=me" -newkey rsa:2048 -keyout client.key -out client.csr
 openssl x509 -req -in client.csr -out client.crt -CAcreateserial -CA myCA.crt -CAkey myCA.key -days 36500
 ```
+
+### Some_user
+
+```bash
+openssl req -nodes -subj "/CN=some_user" -newkey rsa:2048 -keyout some_user.key -out some_user.csr
+openssl x509 -req -in some_user.csr -out some_user.crt -CAcreateserial -CA marsnet_ca.crt -CAkey marsnet_ca.key -days 36500
+
+```

clickhouse-http-client/src/main/java/com/clickhouse/client/http/ClickHouseHttpProto.java

@@ -46,6 +46,8 @@ public class ClickHouseHttpProto {
 
     public static final String HEADER_DB_PASSWORD = "X-ClickHouse-Key";
 
+    public static final String HEADER_SSL_CERT_AUTH = "x-clickhouse-ssl-certificate-auth";
+
     /**
      * Query parameter to specify the query ID.
      */

client-v2/src/main/java/com/clickhouse/client/api/Client.java

@@ -320,6 +320,17 @@ public Builder setAccessToken(String accessToken) {
             return this;
         }
 
+        /**
+         * Makes client to use SSL Client Certificate to authenticate with server.
+         * Client certificate should be set as well. {@link Client.Builder#setClientCertificate(String)}
+         * @param useSSLAuthentication
+         * @return
+         */
+        public Builder useSSLAuthentication(boolean useSSLAuthentication) {
+            this.configuration.put("ssl_authentication", String.valueOf(useSSLAuthentication));
+            return this;
+        }
+
         /**
          * Configures client to use build-in connection pool
          * @param enable - if connection pool should be enabled
@@ -854,12 +865,19 @@ public Client build() {
                 throw new IllegalArgumentException("At least one endpoint is required");
             }
             // check if username and password are empty. so can not initiate client?
-            if (!this.configuration.containsKey("access_token") && (!this.configuration.containsKey("user") || !this.configuration.containsKey("password"))) {
-                throw new IllegalArgumentException("Username and password are required");
+            if (!this.configuration.containsKey("access_token") &&
+                (!this.configuration.containsKey("user") || !this.configuration.containsKey("password")) &&
+                !MapUtils.getFlag(this.configuration, "ssl_authentication")) {
+                throw new IllegalArgumentException("Username and password (or access token, or SSL authentication) are required");
+            }
+
+            if (this.configuration.containsKey("ssl_authentication") &&
+                !this.configuration.containsKey(ClickHouseClientOption.SSL_CERTIFICATE.getKey())) {
+                throw new IllegalArgumentException("SSL authentication requires a client certificate");
             }
 
-            if (this.configuration.containsKey(ClickHouseClientOption.TRUST_STORE) &&
-                this.configuration.containsKey(ClickHouseClientOption.SSL_CERTIFICATE)) {
+            if (this.configuration.containsKey(ClickHouseClientOption.TRUST_STORE.getKey()) &&
+                this.configuration.containsKey(ClickHouseClientOption.SSL_CERTIFICATE.getKey())) {
                 throw new IllegalArgumentException("Trust store and certificates cannot be used together");
             }
 

client-v2/src/main/java/com/clickhouse/client/api/command/CommandResponse.java

@@ -5,7 +5,7 @@
 import com.clickhouse.client.api.metrics.ServerMetrics;
 import com.clickhouse.client.api.query.QueryResponse;
 
-public class CommandResponse{
+public class CommandResponse implements AutoCloseable {
 
     private final QueryResponse response;
 
@@ -71,4 +71,9 @@ public long getWrittenBytes() {
     public long getServerTime() {
         return response.getServerTime();
     }
+
+    @Override
+    public void close() throws Exception {
+        response.close();
+    }
 }

client-v2/src/main/java/com/clickhouse/client/api/internal/HttpAPIClientHelper.java

@@ -394,8 +394,11 @@ private void addHeaders(HttpPost req, Map<String, String> chConfig, Map<String,
         }
         req.addHeader(ClickHouseHttpProto.HEADER_DATABASE, chConfig.get(ClickHouseClientOption.DATABASE.getKey()));
         req.addHeader(ClickHouseHttpProto.HEADER_DB_USER, chConfig.get(ClickHouseDefaults.USER.getKey()));
-        req.addHeader(ClickHouseHttpProto.HEADER_DB_PASSWORD, chConfig.get(ClickHouseDefaults.PASSWORD.getKey()));
-
+        if (MapUtils.getFlag(chConfig, "ssl_authentication", false)) {
+            req.addHeader(ClickHouseHttpProto.HEADER_SSL_CERT_AUTH, "on");
+        } else {
+            req.addHeader(ClickHouseHttpProto.HEADER_DB_PASSWORD, chConfig.get(ClickHouseDefaults.PASSWORD.getKey()));
+        }
         if (proxyAuthHeaderValue != null) {
             req.addHeader(HttpHeaders.PROXY_AUTHORIZATION, proxyAuthHeaderValue);
         }

client-v2/src/main/java/com/clickhouse/client/api/internal/MapUtils.java

@@ -68,6 +68,21 @@ public static boolean getFlag(Map<String, String> map, String key) {
         throw new IllegalArgumentException("Invalid non-boolean value for the key '" + key + "': '" + val + "'");
     }
 
+    public static boolean getFlag(Map<String, String> map, String key, boolean defaultValue) {
+        String val = map.get(key);
+        if (val == null) {
+            return defaultValue;
+        }
+        if (val.equalsIgnoreCase("true")) {
+            return true;
+        } else if (val.equalsIgnoreCase("false")) {
+            return false;
+        }
+
+        throw new IllegalArgumentException("Invalid non-boolean value for the key '" + key + "': '" + val + "'");
+    }
+
+
     public static boolean getFlag(Map<String, ?> p1, Map<String, ?> p2, String key) {
         Object val = p1.get(key);
         if (val == null) {

client-v2/src/test/java/com/clickhouse/client/HttpTransportTests.java

@@ -6,6 +6,7 @@
 import com.clickhouse.client.api.ConnectionInitiationException;
 import com.clickhouse.client.api.ConnectionReuseStrategy;
 import com.clickhouse.client.api.ServerException;
+import com.clickhouse.client.api.command.CommandResponse;
 import com.clickhouse.client.api.enums.Protocol;
 import com.clickhouse.client.api.enums.ProxyType;
 import com.clickhouse.client.api.insert.InsertResponse;
@@ -414,6 +415,38 @@ public void testServerSettings() {
                 Assert.fail("Unexpected exception", e);
             }
         }
+    }
 
+    static {
+        System.setProperty("org.slf4j.simpleLogger.defaultLogLevel", "DEBUG");
+    }
+    @Test(groups = { "integration" })
+    public void testSSLAuthentication() throws Exception {
+        ClickHouseNode server = getSecureServer(ClickHouseProtocol.HTTP);
+        try (Client client = new Client.Builder().addEndpoint(Protocol.HTTP, "localhost",server.getPort(), true)
+                .setUsername("default")
+                .setPassword("")
+                .setRootCertificate("containers/clickhouse-server/certs/localhost.crt")
+                .build()) {
+
+            try (CommandResponse resp = client.execute("DROP USER IF EXISTS some_user").get()) {
+            }
+            try (CommandResponse resp = client.execute("CREATE USER some_user IDENTIFIED WITH ssl_certificate CN 'some_user'").get()) {
+            }
+        }
+
+        try (Client client = new Client.Builder().addEndpoint(Protocol.HTTP, "localhost",server.getPort(), true)
+                .useSSLAuthentication(true)
+                .setUsername("some_user")
+                .setRootCertificate("containers/clickhouse-server/certs/localhost.crt")
+                .setClientCertificate("some_user.crt")
+                .setClientKey("some_user.key")
+                .compressServerResponse(false)
+                .build()) {
+
+            try (QueryResponse resp = client.query("SELECT 1").get()) {
+                Assert.assertEquals(resp.getReadRows(), 1);
+            }
+        }
     }
 }