-
Notifications
You must be signed in to change notification settings - Fork 145
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[WIP]: Add clickhouse SSL\TLS connection
- Loading branch information
Showing
17 changed files
with
1,831 additions
and
69 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
62 changes: 62 additions & 0 deletions
62
...se-native-jdbc/src/main/java/com/github/housepower/client/ssl/PermissiveTrustManager.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
/* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package com.github.housepower.client.ssl; | ||
|
||
import javax.net.ssl.X509TrustManager; | ||
import java.security.cert.X509Certificate; | ||
|
||
/** | ||
* An implementation of X509TrustManager that trusts all certificates. | ||
* This class is not secure and should only be used for debugging or | ||
* in a completely isolated environment. | ||
*/ | ||
public class PermissiveTrustManager implements X509TrustManager { | ||
|
||
/** | ||
* Checks the client certificates but does nothing. | ||
* It effectively trusts all client certificates. | ||
* | ||
* @param x509Certificates Array of client certificates to check | ||
* @param s The auth type (e.g., "RSA", "DSS") | ||
*/ | ||
@Override | ||
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) { | ||
// Do nothing to bypass client checks | ||
} | ||
|
||
/** | ||
* Checks the server certificates but does nothing. | ||
* It effectively trusts all server certificates. | ||
* | ||
* @param x509Certificates Array of server certificates to check | ||
* @param s The auth type (e.g., "RSA", "DSS") | ||
*/ | ||
@Override | ||
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) { | ||
// Do nothing to bypass server checks | ||
} | ||
|
||
/** | ||
* Returns an empty array of certificate authorities, indicating | ||
* that all certificates are trusted, subject to the | ||
* verification done in the checkClientTrusted and checkServerTrusted methods. | ||
* | ||
* @return An empty X509Certificate array | ||
*/ | ||
@Override | ||
public X509Certificate[] getAcceptedIssuers() { | ||
return new X509Certificate[0]; | ||
} | ||
} |
83 changes: 83 additions & 0 deletions
83
clickhouse-native-jdbc/src/main/java/com/github/housepower/client/ssl/SSLContextBuilder.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
/* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package com.github.housepower.client.ssl; | ||
|
||
import com.github.housepower.client.NativeClient; | ||
import com.github.housepower.log.Logger; | ||
import com.github.housepower.log.LoggerFactory; | ||
import com.github.housepower.settings.ClickHouseConfig; | ||
import com.github.housepower.settings.KeyStoreConfig; | ||
import com.github.housepower.settings.SettingKey; | ||
|
||
|
||
import javax.net.ssl.*; | ||
import java.io.IOException; | ||
import java.nio.file.Files; | ||
import java.nio.file.Paths; | ||
import java.security.*; | ||
import java.security.cert.CertificateException; | ||
|
||
public class SSLContextBuilder { | ||
private static final Logger LOG = LoggerFactory.getLogger(NativeClient.class); | ||
|
||
private ClickHouseConfig config; | ||
|
||
private KeyStoreConfig keyStoreConfig; | ||
|
||
public SSLContextBuilder(ClickHouseConfig config) { | ||
this.config = config; | ||
this.keyStoreConfig = new KeyStoreConfig( | ||
(String) config.settings().get(SettingKey.keyStoreType), | ||
(String) config.settings().get(SettingKey.keyStorePath), | ||
(String) config.settings().get(SettingKey.keyStorePassword) | ||
); | ||
} | ||
|
||
public SSLContext getSSLContext() throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException, UnrecoverableKeyException, KeyManagementException { | ||
SSLContext sslContext = SSLContext.getInstance("TLS"); | ||
TrustManager[] trustManager = null; | ||
KeyManager[] keyManager = null; | ||
SecureRandom secureRandom = new SecureRandom(); | ||
String sslMode = config.sslMode(); | ||
LOG.debug("Client SSL mode: '" + sslMode + "'"); | ||
|
||
switch (sslMode) { | ||
case "disabled": | ||
trustManager = new TrustManager[]{new PermissiveTrustManager()}; | ||
keyManager = new KeyManager[]{}; | ||
break; | ||
case "verify_ca": | ||
KeyStore keyStore = KeyStore.getInstance(keyStoreConfig.getKeyStoreType()); | ||
keyStore.load(Files.newInputStream(Paths.get(keyStoreConfig.getKeyStorePath()).toFile().toPath()), | ||
keyStoreConfig.getKeyStorePassword().toCharArray()); | ||
|
||
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); | ||
keyManagerFactory.init(keyStore, keyStoreConfig.getKeyStorePassword().toCharArray()); | ||
|
||
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); | ||
trustManagerFactory.init(keyStore); | ||
|
||
trustManager = trustManagerFactory.getTrustManagers(); | ||
keyManager = keyManagerFactory.getKeyManagers(); | ||
break; | ||
default: | ||
throw new IllegalArgumentException("Unknown SSL mode: '" + sslMode + "'"); | ||
} | ||
|
||
sslContext.init(keyManager, trustManager, secureRandom); | ||
return sslContext; | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
42 changes: 42 additions & 0 deletions
42
clickhouse-native-jdbc/src/main/java/com/github/housepower/settings/KeyStoreConfig.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
/* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package com.github.housepower.settings; | ||
|
||
public class KeyStoreConfig { | ||
private String keyStoreType; | ||
private String keyStorePath; | ||
private String keyStorePassword; | ||
|
||
public KeyStoreConfig() { | ||
} | ||
|
||
public KeyStoreConfig(String keyStoreType, String keyStorePath, String keyStorePassword) { | ||
this.keyStoreType = keyStoreType; | ||
this.keyStorePath = keyStorePath; | ||
this.keyStorePassword = keyStorePassword; | ||
} | ||
|
||
public String getKeyStorePath() { | ||
return this.keyStorePath; | ||
} | ||
|
||
public String getKeyStorePassword() { | ||
return this.keyStorePassword; | ||
} | ||
|
||
public String getKeyStoreType() { | ||
return this.keyStoreType; | ||
} | ||
} |
Oops, something went wrong.