implemented passing custom ssl config

Author: chernser

clickhouse-client/src/main/java/com/clickhouse/client/ClickHouseSslContextProvider.java

@@ -1,10 +1,13 @@
 package com.clickhouse.client;
 
+import java.security.KeyStore;
 import java.util.Optional;
 import java.util.ServiceLoader;
 
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 
+import com.clickhouse.client.config.ClickHouseSslMode;
 import com.clickhouse.data.ClickHouseChecker;
 
 /**
@@ -44,4 +47,26 @@ static ClickHouseSslContextProvider getProvider() {
      * @throws SSLException when error occured getting SSL context
      */
     <T> Optional<T> getSslContext(Class<? extends T> sslContextClass, ClickHouseConfig config) throws SSLException;
+
+    /**
+     * Use this method if trust store should be imported
+     *
+     * @param clientCert
+     * @param clientKey
+     * @param sslRootCert
+     * @return
+     * @throws SSLException
+     */
+    SSLContext getSslContextFromCerts(String clientCert, String clientKey, String sslRootCert) throws SSLException;
+
+    /**
+     * Use this method if client has separate certs
+     *
+     * @param truststorePath
+     * @param truststorePassword
+     * @param keyStoreType
+     * @return
+     * @throws SSLException
+     */
+    SSLContext getSslContextFromKeyStore(String truststorePath, String truststorePassword, String keyStoreType) throws SSLException;
 }

clickhouse-client/src/main/java/com/clickhouse/client/config/ClickHouseDefaultSslContextProvider.java

@@ -65,7 +65,7 @@ static String getAlgorithm(String header, String defaultAlg) {
         return startIndex < endIndex ? header.substring(startIndex, endIndex) : defaultAlg;
     }
 
-    static PrivateKey getPrivateKey(String keyFile)
+    public static PrivateKey getPrivateKey(String keyFile)
             throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
         String algorithm = (String) ClickHouseDefaults.SSL_KEY_ALGORITHM.getEffectiveDefaultValue();
         StringBuilder builder = new StringBuilder();
@@ -90,7 +90,7 @@ static PrivateKey getPrivateKey(String keyFile)
         return kf.generatePrivate(keySpec);
     }
 
-    protected KeyStore getKeyStore(String cert, String key) throws NoSuchAlgorithmException, InvalidKeySpecException,
+    public KeyStore getKeyStore(String cert, String key) throws NoSuchAlgorithmException, InvalidKeySpecException,
             IOException, CertificateException, KeyStoreException {
         final KeyStore ks;
         try {
@@ -117,7 +117,7 @@ protected KeyStore getKeyStore(String cert, String key) throws NoSuchAlgorithmEx
         return ks;
     }
 
-    protected SSLContext getJavaSslContext(ClickHouseConfig config) throws SSLException {
+    public SSLContext getJavaSslContext(ClickHouseConfig config) throws SSLException {
         ClickHouseSslMode sslMode = config.getSslMode();
         String clientCert = config.getSslCert();
         String clientKey = config.getSslKey();
@@ -126,6 +126,20 @@ protected SSLContext getJavaSslContext(ClickHouseConfig config) throws SSLExcept
         String truststorePassword = config.getTrustStorePassword();
         String keyStoreType = (!config.getKeyStoreType().isEmpty() && config.getKeyStoreType() != null) ? config.getKeyStoreType() : KeyStore.getDefaultType();
 
+        return getSslContextImpl(sslMode, clientCert, clientKey, sslRootCert, truststorePath, truststorePassword,
+                keyStoreType);
+    }
+
+    public SSLContext getSslContextFromCerts(String clientCert, String clientKey, String sslRootCert) throws SSLException {
+        return getSslContextImpl(ClickHouseSslMode.STRICT,
+                clientCert, clientKey, sslRootCert, null, null, KeyStore.getDefaultType());
+    }
+
+    public SSLContext getSslContextFromKeyStore(String truststorePath, String truststorePassword, String keyStoreType) throws SSLException {
+        return getSslContextImpl(ClickHouseSslMode.STRICT, null, null, null, truststorePath, truststorePassword, keyStoreType);
+    }
+
+    private SSLContext getSslContextImpl(ClickHouseSslMode sslMode, String clientCert, String clientKey, String sslRootCert, String truststorePath, String truststorePassword, String keyStoreType) throws SSLException {
         SSLContext ctx;
         try {
             ctx = SSLContext.getInstance((String) ClickHouseDefaults.SSL_PROTOCOL.getEffectiveDefaultValue());

clickhouse-http-client/src/main/java/com/clickhouse/client/http/ClickHouseHttpProto.java

@@ -39,6 +39,13 @@ public class ClickHouseHttpProto {
      */
     public static final String HEADER_DATABASE = "X-ClickHouse-Database";
 
+    /**
+     * Name of user to be used to authenticate
+     */
+    public static final String HEADER_DB_USER = "X-ClickHouse-User";
+
+    public static final String HEADER_DB_PASSWORD = "X-ClickHouse-Key";
+
     /**
      * Query parameter to specify the query ID.
      */

client-v2/src/main/java/com/clickhouse/client/api/Client.java

@@ -456,6 +456,75 @@ public Builder setHttpCookiesEnabled(boolean enabled) {
             return this;
         }
 
+
+        /**
+         * Defines path to the trust store file. It cannot be combined with
+         * certificates. Either trust store or certificates should be used.
+         *
+         * {@see setSSLTrustStorePassword} and {@see setSSLTrustStoreType}
+         * @param path
+         * @return
+         */
+        public Builder setSSLTrustStore(String path) {
+            this.configuration.put(ClickHouseClientOption.TRUST_STORE.getKey(), path);
+            return this;
+        }
+
+        /**
+         * Password for the SSL Trust Store.
+         *
+         * @param password
+         * @return
+         */
+        public Builder setSSLTrustStorePassword(String password) {
+            this.configuration.put(ClickHouseClientOption.KEY_STORE_PASSWORD.getKey(), password);
+            return this;
+        }
+
+        /**
+         * Type of the SSL Trust Store. Usually JKS
+         *
+         * @param type
+         * @return
+         */
+        public Builder setSSLTrustStoreType(String type) {
+            this.configuration.put(ClickHouseClientOption.KEY_STORE_TYPE.getKey(), type);
+            return this;
+        }
+
+        /**
+         * Defines path to the key store file. It cannot be combined with
+         * certificates. Either key store or certificates should be used.
+         *
+         * {@see setSSLKeyStorePassword} and {@see setSSLKeyStoreType}
+         * @param path
+         * @return
+         */
+        public Builder setRootCertificate(String path) {
+            this.configuration.put(ClickHouseClientOption.SSL_ROOT_CERTIFICATE.getKey(), path);
+            return this;
+        }
+
+        /**
+         * Client certificate for mTLS.
+         * @param path
+         * @return
+         */
+        public Builder setClientCertificate(String path) {
+            this.configuration.put(ClickHouseClientOption.SSL_CERTIFICATE.getKey(), path);
+            return this;
+        }
+
+        /**
+         * Client key for mTLS.
+         * @param path
+         * @return
+         */
+        public Builder setClientKey(String path) {
+            this.configuration.put(ClickHouseClientOption.SSL_KEY.getKey(), path);
+            return this;
+        }
+
         public Client build() {
             // check if endpoint are empty. so can not initiate client
             if (this.endpoints.isEmpty()) {
@@ -466,6 +535,11 @@ public Client build() {
                 throw new IllegalArgumentException("Username and password are required");
             }
 
+            if (this.configuration.containsKey(ClickHouseClientOption.TRUST_STORE) &&
+                this.configuration.containsKey(ClickHouseClientOption.SSL_CERTIFICATE)) {
+                throw new IllegalArgumentException("Trust store and certificates cannot be used together");
+            }
+
             this.configuration = setDefaults(this.configuration);
 
             return new Client(this.endpoints, this.configuration, this.useNewImplementation);

client-v2/src/main/java/com/clickhouse/client/api/internal/HttpAPIClientHelper.java

@@ -1,12 +1,14 @@
 package com.clickhouse.client.api.internal;
 
 import com.clickhouse.client.ClickHouseNode;
+import com.clickhouse.client.ClickHouseSslContextProvider;
 import com.clickhouse.client.api.Client;
 import com.clickhouse.client.api.ClientException;
 import com.clickhouse.client.api.ClientMisconfigurationException;
 import com.clickhouse.client.api.ServerException;
 import com.clickhouse.client.api.enums.ProxyType;
 import com.clickhouse.client.config.ClickHouseClientOption;
+import com.clickhouse.client.config.ClickHouseDefaults;
 import com.clickhouse.client.http.ApacheHttpConnectionImpl;
 import com.clickhouse.client.http.ClickHouseHttpProto;
 import com.clickhouse.client.http.config.ClickHouseHttpOption;
@@ -34,21 +36,29 @@
 import org.apache.hc.core5.http.io.entity.EntityTemplate;
 import org.apache.hc.core5.io.IOCallback;
 import org.apache.hc.core5.net.URIBuilder;
+import org.apache.hc.core5.ssl.SSLContexts;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSocketFactory;
 import java.io.ByteArrayOutputStream;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.ConnectException;
 import java.net.InetSocketAddress;
 import java.net.NoRouteToHostException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.net.UnknownHostException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
 import java.util.Base64;
 import java.util.EnumSet;
 import java.util.Map;
@@ -80,27 +90,67 @@ public HttpAPIClientHelper(Map<String, String> configuration) {
     }
 
     public CloseableHttpClient createHttpClient() {
+
+        // Top Level builders
         HttpClientBuilder clientBuilder = HttpClientBuilder.create();
-        CredentialsProviderBuilder credProviderBuilder = CredentialsProviderBuilder.create();
-        SocketConfig.Builder soCfgBuilder = SocketConfig.custom();
-        PoolingHttpClientConnectionManagerBuilder connMgrBuilder = PoolingHttpClientConnectionManagerBuilder.create();
 
 
+        // Socket configuration
+        SocketConfig.Builder soCfgBuilder = SocketConfig.custom();
         MapUtils.applyInt(chConfiguration, ClickHouseClientOption.SOCKET_TIMEOUT.getKey(),
                 (t) -> soCfgBuilder.setSoTimeout(t, TimeUnit.MILLISECONDS));
         MapUtils.applyInt(chConfiguration, ClickHouseClientOption.SOCKET_RCVBUF.getKey(),
                 soCfgBuilder::setRcvBufSize);
         MapUtils.applyInt(chConfiguration, ClickHouseClientOption.SOCKET_SNDBUF.getKey(),
                 soCfgBuilder::setSndBufSize);
 
+
+        // Connection manager
+        PoolingHttpClientConnectionManagerBuilder connMgrBuilder = PoolingHttpClientConnectionManagerBuilder.create();
+
+        ClickHouseSslContextProvider sslContextProvider = ClickHouseSslContextProvider.getProvider();
+
+        String trustStorePath = chConfiguration.get(ClickHouseClientOption.TRUST_STORE.getKey());
+        SSLContext sslContext = null;
+        if (trustStorePath != null ) {
+            try {
+                sslContext = sslContextProvider.getSslContextFromKeyStore(
+                        trustStorePath,
+                        chConfiguration.get(ClickHouseClientOption.KEY_STORE_PASSWORD.getKey()),
+                        chConfiguration.get(ClickHouseClientOption.KEY_STORE_TYPE.getKey())
+                );
+            } catch (SSLException e) {
+                throw new ClientMisconfigurationException("Failed to create SSL context from a keystore", e);
+            }
+        } else if (chConfiguration.get(ClickHouseClientOption.SSL_ROOT_CERTIFICATE.getKey()) != null ||
+                chConfiguration.get(ClickHouseClientOption.SSL_CERTIFICATE.getKey()) != null ||
+                chConfiguration.get(ClickHouseClientOption.SSL_KEY.getKey()) != null) {
+
+            try {
+                sslContext = sslContextProvider.getSslContextFromCerts(
+                        chConfiguration.get(ClickHouseClientOption.SSL_CERTIFICATE.getKey()),
+                        chConfiguration.get(ClickHouseClientOption.SSL_KEY.getKey()),
+                        chConfiguration.get(ClickHouseClientOption.SSL_ROOT_CERTIFICATE.getKey())
+                );
+            } catch (SSLException e) {
+                throw new ClientMisconfigurationException("Failed to create SSL context from certificates", e);
+            }
+        }
+        if (sslContext !=null) {
+            connMgrBuilder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext));
+        }
+
+        connMgrBuilder.setDefaultSocketConfig(soCfgBuilder.build());
+        clientBuilder.setConnectionManager(connMgrBuilder.build());
+
+        // Proxy
         String proxyHost = chConfiguration.get(ClickHouseClientOption.PROXY_HOST.getKey());
         String proxyPort = chConfiguration.get(ClickHouseClientOption.PROXY_PORT.getKey());
         HttpHost proxy = null;
         if (proxyHost != null && proxyPort != null) {
             proxy = new HttpHost(proxyHost, Integer.parseInt(proxyPort));
         }
 
-
         String proxyTypeVal = chConfiguration.get(ClickHouseClientOption.PROXY_TYPE.getKey());
         ProxyType proxyType = proxyTypeVal == null ? null : ProxyType.valueOf(proxyTypeVal);
         if (proxyType == ProxyType.HTTP) {
@@ -117,10 +167,7 @@ public CloseableHttpClient createHttpClient() {
                 .equalsIgnoreCase("false")) {
             clientBuilder.disableCookieManagement();
         }
-        clientBuilder.setDefaultCredentialsProvider(credProviderBuilder.build());
 
-        connMgrBuilder.setDefaultSocketConfig(soCfgBuilder.build());
-        clientBuilder.setConnectionManager(connMgrBuilder.build());
         return clientBuilder.build();
     }
 
@@ -211,6 +258,8 @@ private void addHeaders(HttpPost req, Map<String, String> chConfig, Map<String,
             }
         }
         req.addHeader(ClickHouseHttpProto.HEADER_DATABASE, chConfig.get(ClickHouseClientOption.DATABASE.getKey()));
+        req.addHeader(ClickHouseHttpProto.HEADER_DB_USER, chConfig.get(ClickHouseDefaults.USER.getKey()));
+        req.addHeader(ClickHouseHttpProto.HEADER_DB_PASSWORD, chConfig.get(ClickHouseDefaults.PASSWORD.getKey()));
 
         if (proxyAuthHeaderValue != null) {
             req.addHeader(HttpHeaders.PROXY_AUTHORIZATION, proxyAuthHeaderValue);

client-v2/src/test/java/com/clickhouse/client/ClientTests.java

@@ -62,19 +62,21 @@ private static Client[] secureClientProvider() throws Exception {
     }
 
     @Test(groups = { "integration" })
-    public void testConnectThruHttps() {
+    public void testSecureConnection() {
         ClickHouseNode secureServer = getSecureServer(ClickHouseProtocol.HTTP);
 
         try (Client client = new Client.Builder()
-                .addEndpoint(Protocol.HTTP, secureServer.getHost(), secureServer.getPort(), true)
+                .addEndpoint("https://localhost:8443")
                 .setUsername("default")
                 .setPassword("")
+                .setRootCertificate("containers/clickhouse-server/certs/localhost.crt")
+//                .useNewImplementation(System.getProperty("client.tests.useNewImplementation", "false").equals("true"))
                 .useNewImplementation(true)
                 .build()) {
 
             List<GenericRecord> records = client.queryAll("SELECT timezone()");
             Assert.assertTrue(records.size() > 0);
-            Assert.assertEquals(records.get(0).getString(0), "UTC");
+            Assert.assertEquals(records.get(0).getString(1), "UTC");
         } catch (Exception e) {
             e.printStackTrace();
             Assert.fail(e.getMessage());