urabbitmq: support setting client + ca certs #515
Conversation
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I hereby agree to the terms of the CLA available at: https://yandex.ru/legal/cla/ |
|
recheck |
| @@ -29,6 +29,12 @@ struct AuthSettings final { | |||
|
|
|||
| /// RabbitMQs vhost | |||
| std::string vhost = "/"; | |||
|
|
|||
| /// TLS | |||
| std::string client_cert_path; | |||
There was a problem hiding this comment.
Let's move all these fields into an std::optional<TlsSettings>, I think it would be cleaner this way
| if (!auth_settings.client_cert_path.empty() || | ||
| !auth_settings.client_private_key_path.empty() || | ||
| !auth_settings.ca_cert_paths.empty()) { | ||
| if (auth_settings.client_cert_path.empty() != |
There was a problem hiding this comment.
I feel like this validation belongs to where the settings are parsed
There was a problem hiding this comment.
Also, is there a way to express this condition in the type system?
Say, something like std::optional<CertSettings>
| crypto::Certificate client_cert; | ||
| if (!auth_settings.client_cert_path.empty()) { | ||
| auto contents = | ||
| fs::blocking::ReadFileContents(auth_settings.client_cert_path); |
There was a problem hiding this comment.
I think fs:: operations should be performed once, at the component initialization, for two reasons:
- They are partly a validation
- They are potentially costly with a high socket reopen rate (shouldn't be a common case. but still)
There was a problem hiding this comment.
- I thought it will be a good idea to (re)load them in runtime in case certs will change on disk (as a part of regular certs rotation for example) without service restart.
- Even if there are a high socket reopen rate, read should be relatively fast once files will be in the filesystem cache.
|
@itrofimow ping |
There was a problem hiding this comment.
This is looking much better, thanks!
Do you intent to add some tests for the code?
Testing the functionality for the RabbitMQ driver might be too tricky, since there's no easy way to set the server up accordingly, but testing just TlsWrapper should be possible.
Going forward, please don't just "ping" me -- there are more respectful ways to achieve the same, for one you might want to use "re-request review" github functionality at the top right corner of the page when the review comments are addressed
| ClientCertSettings client_cert_settings; | ||
|
|
||
| const auto& client_cert_contents = | ||
| fs::blocking::ReadFileContents(client_cert_path.As<std::string>()); |
There was a problem hiding this comment.
This blocks the thread, and considering that this code is executed at components initialization, which is done in parallel, might lead to application start slowdown.
Is there a way to use this overload instead?
| client_cert_settings.key = | ||
| crypto::PrivateKey::LoadFromString(client_key_contents); | ||
|
|
||
| tls_settings.client_cert_settings = client_cert_settings; |
There was a problem hiding this comment.
Consider std::move-ing here
| crypto::Certificate::LoadFromString(ca_cert_contents)); | ||
| } | ||
|
|
||
| tls_settings.verify_host = doc["tls"]["verify_host"].As<bool>(true); |
There was a problem hiding this comment.
We prefer to default-initialize the struct and use something in the lines of
doc["tls"]["verify_host"].As<bool>(tls_settings.verify_host); -- this way one has to only change the default value in one place
|
|
||
| if (tls_settings.client_cert_settings || !tls_settings.ca_certs.empty() || | ||
| !tls_settings.verify_host) { | ||
| auth.tls_settings = tls_settings; |
There was a problem hiding this comment.
Consider std::move-ing here
| if (auth_settings.tls_settings) { | ||
| const auto& tls_settings = *auth_settings.tls_settings; | ||
| const crypto::Certificate& client_cert = | ||
| tls_settings.client_cert_settings |
There was a problem hiding this comment.
nit: I personally prefer explicit .has_value()
This implements #514