HPCC-30411 Add support for dynamically updating TLS config

Signed-off-by: Gavin Halliday <[email protected]>
hpcc-systems · Oct 25, 2023 · ee85cf9 · ee85cf9
1 parent 5161525
commit ee85cf9
Show file tree

Hide file tree

Showing 23 changed files with 625 additions and 406 deletions.
diff --git a/common/thorhelper/thorsoapcall.cpp b/common/thorhelper/thorsoapcall.cpp
@@ -1242,7 +1242,10 @@ class CWSCHelper : implements IWSCHelper, public CInterface
         if (!ownedSC)
         {
             if (clientCert != NULL)
-                ownedSC.setown(createSecureSocketContextEx(clientCert->certificate, clientCert->privateKey, clientCert->passphrase, ClientSocket));
+            {
+                Owned<IPropertyTree> config = createSecureSocketConfig(clientCert->certificate, clientCert->privateKey, clientCert->passphrase);
+                ownedSC.setown(createSecureSocketContextEx2(config, ClientSocket));
+            }
             else if (clientCertIssuer.length())
                 ownedSC.setown(createSecureSocketContextSecret(clientCertIssuer.str(), ClientSocket));
             else

diff --git a/esp/bindings/http/client/httpclient.cpp b/esp/bindings/http/client/httpclient.cpp
@@ -123,7 +123,7 @@ IHttpClient* CHttpClientContext::createHttpClient(const char* proxy, const char*
                 if (xproc)
                     m_ssctx.setown(xproc(m_config.get(),ClientSocket));
                 else
-                    throw MakeStringException(-1, "procedure createSecureSocketContext can't be loaded");
+                    throw MakeStringException(-1, "procedure createSecureSocketContextEx2 can't be loaded");
 
             }
             if(m_ssctx.get() == NULL)

diff --git a/esp/clients/wsdfuaccess/wsdfuaccess.cpp b/esp/clients/wsdfuaccess/wsdfuaccess.cpp
@@ -534,7 +534,6 @@ StringBuffer &encodeDFUFileMeta(StringBuffer &metaInfoBlob, IPropertyTree *metaI
         metaInfo->serialize(metaInfoBlob);
         const char *keyPairName = metaInfo->queryProp("keyPairName"); // NB: in container mode, this is the name of the secret containing the cert.
 
-        const char *privateKeyFName = nullptr;
         Owned<IPropertyTree> metaInfoEnvelope = createPTree();
 #ifdef _CONTAINERIZED
         /* Encode the public certificate in the request. NB: this is an approach used for JWT token delegation.
@@ -543,24 +542,24 @@ StringBuffer &encodeDFUFileMeta(StringBuffer &metaInfoBlob, IPropertyTree *metaI
          * If the size of this initial request was ever a concern, we could consider other ways to ensure a one-off
          * delivery of this esp public signing cert. to dafilesrv, e.g. by dafilesrv reaching out to esp to request it.
          */
-        Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
-        if (!info)
+        Owned<const ISyncedPropertyTree> config = getIssuerTlsSyncedConfig(keyPairName);
+        if (!config || !config->isValid())
             throw makeStringExceptionV(-1, "encodeDFUFileMeta: No '%s' MTLS certificate detected.", keyPairName);
-        privateKeyFName = info->queryProp("privatekey");
-        if (isEmptyString(privateKeyFName))
-            throw makeStringException(-1, "encodeDFUFileMeta: MTLS - private path missing");
-        const char *certPath = info->queryProp("certificate");
-        verifyex(certPath);
-        StringBuffer certificate;
-        certificate.loadFile(certPath);
-        verifyex(certificate.length());
+
+        Owned<const IPropertyTree> info = config->getTree();
+        const char *privateKeyText = info->queryProp("privatekey");
+        if (isEmptyString(privateKeyText))
+            throw makeStringException(-1, "encodeDFUFileMeta: MTLS - private key missing");
+        const char *certificate = info->queryProp("certificate");
+        verifyex(certificate);
         metaInfoEnvelope->setProp("certificate", certificate);
+        Owned<CLoadedKey> privateKey = loadPrivateKeyFromMemory(privateKeyText, nullptr);
 #else
-        privateKeyFName = environment->getPrivateKeyPath(keyPairName);
+        const char *privateKeyFName = privateKeyFName = environment->getPrivateKeyPath(keyPairName);
         if (isEmptyString(privateKeyFName))
             throw makeStringExceptionV(-1, "Key name '%s' is not found in environment settings: /EnvSettings/Keys/KeyPair.", keyPairName);
-#endif
         Owned<CLoadedKey> privateKey = loadPrivateKeyFromFile(privateKeyFName, nullptr);
+#endif
         StringBuffer metaInfoSignature;
         digiSign(metaInfoSignature, metaInfoBlob.length(), metaInfoBlob.bytes(), *privateKey);
 

diff --git a/esp/services/ws_dfu/ws_dfuService.cpp b/esp/services/ws_dfu/ws_dfuService.cpp
@@ -6113,8 +6113,7 @@ void CWsDfuEx::dFUFileAccessCommon(IEspContext &context, const CDfsLogicalFileNa
     StringBuffer dafilesrvHost;
 #ifdef _CONTAINERIZED
     keyPairName.set("signing");
-    Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
-    if (!info)
+    if (!hasIssuerTlsConfig(keyPairName))
         throw makeStringExceptionV(-1, "dFUFileAccessCommon: file signing certificate ('%s') not defined in configuration.", keyPairName.str());
 
     auto externalService = k8s::getDafileServiceFromConfig("stream");
@@ -6490,8 +6489,7 @@ bool CWsDfuEx::onDFUFileCreateV2(IEspContext &context, IEspDFUFileCreateV2Reques
 
 #ifdef _CONTAINERIZED
         keyPairName.set("signing");
-        Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
-        if (!info)
+        if (!hasIssuerTlsConfig(keyPairName))
             throw makeStringExceptionV(-1, "onDFUFileCreateV2: file signing certificate ('%s' ) not defined in configuration.", keyPairName.str());
 
         const char *planeName = clusterName;

diff --git a/esp/test/httptest/httptest.cpp b/esp/test/httptest/httptest.cpp
@@ -152,10 +152,7 @@ HttpClient::HttpClient(int threads, int times, const char* host, int port, FILE*
     if(use_ssl)
     {
 #ifdef _USE_OPENSSL
-        if(sslconfig != NULL)
-            m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ClientSocket));
-        else
-            m_ssctx.setown(createSecureSocketContext(ClientSocket));
+        m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ClientSocket));
 #else
         throw MakeStringException(-1, "HttpClient: failure to create SSL connection to host '%s': OpenSSL not enabled in build", host);
 #endif
@@ -614,10 +611,7 @@ HttpServer::HttpServer(int port, const char* in, FILE* ofile, bool use_ssl, IPro
     if(use_ssl)
     {
 #ifdef _USE_OPENSSL
-        if(sslconfig != NULL)
-            m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ServerSocket));
-        else
-            m_ssctx.setown(createSecureSocketContext(ServerSocket));
+        m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ServerSocket));
 #else
         throw MakeStringException(-1, "HttpServer: failure to create SSL socket - OpenSSL not enabled in build");
 #endif
@@ -1180,10 +1174,7 @@ HttpProxy::HttpProxy(int localport, const char* host, int port, FILE* ofile, boo
     if(use_ssl)
     {
 #if _USE_OPENSSL
-        if(sslconfig != NULL)
-            m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ClientSocket));
-        else
-            m_ssctx.setown(createSecureSocketContext(ClientSocket));
+        m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ClientSocket));
 #else
         throw MakeStringException(-1, "HttpProxy: failure to create SSL connection to host '%s': OpenSSL not enabled in build", host);
 #endif

diff --git a/esp/tools/soapplus/http.cpp b/esp/tools/soapplus/http.cpp
@@ -505,10 +505,7 @@ HttpClient::HttpClient(IProperties* globals, const char* url, const char* inname
                     if (cfg && *cfg)
                         cfgtree.setown(createPTreeFromXMLFile(cfg));
                 }
-                if (cfgtree)
-                    m_ssctx.setown(createSecureSocketContextEx2(cfgtree, ClientSocket));
-                else
-                    m_ssctx.setown(createSecureSocketContext(ClientSocket));
+                m_ssctx.setown(createSecureSocketContextEx2(cfgtree, ClientSocket));
             }
 #else
         throw MakeStringException(-1, "HttpClient: failure to create SSL socket - OpenSSL not enabled in build");

diff --git a/esp/tools/soapplus/httpproxy.cpp b/esp/tools/soapplus/httpproxy.cpp
@@ -582,10 +582,7 @@ HttpProxy::HttpProxy(int localport, const char* host, int port, FILE* ofile, boo
     if(use_ssl)
     {
 #ifdef _USE_OPENSSL
-        if(sslconfig != NULL)
-            m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ClientSocket));
-        else
-            m_ssctx.setown(createSecureSocketContext(ClientSocket));
+        m_ssctx.setown(createSecureSocketContextEx2(sslconfig, ClientSocket));
 #else
         throw MakeStringException(-1, "HttpProxy: failure to create SSL socket - OpenSSL not enabled in build");
 #endif

diff --git a/fs/dafilesrv/dafilesrv.cpp b/fs/dafilesrv/dafilesrv.cpp
@@ -395,8 +395,7 @@ int main(int argc, const char* argv[])
     // Use the "public" certificate issuer, unless it's visibility is "cluster" (meaning internal only)
     const char *visibility = getComponentConfigSP()->queryProp("service/@visibility");
     const char *certScope = strsame("cluster", visibility) ? "local" : "public";
-    Owned<IPropertyTree> info = getIssuerTlsServerConfig(certScope);
-    connectMethod = info ? SSLOnly : SSLNone;
+    connectMethod = hasIssuerTlsConfig(certScope) ? SSLOnly : SSLNone;
     // NB: connectMethod will direct the CRemoteFileServer on accept to create a secure socket based on the same issuer certificates
 
     dedicatedRowServicePort = 0; // row service always runs on same secure ssl port in containerized mode

diff --git a/fs/dafsclient/rmtclient.cpp b/fs/dafsclient/rmtclient.cpp
@@ -112,6 +112,12 @@ static class _securitySettingsClient
         }
     }
 
+    const IPropertyTree * getSecureConfig()
+    {
+        //Later: return a synced tree...
+        return createSecureSocketConfig(queryCertificate(), queryPrivateKey(), queryPassPhrase());
+    }
+
 protected:
     DAFSConnectCfg  connectMethod;
     unsigned short  daFileSrvPort;
@@ -156,10 +162,10 @@ static ISecureSocket *createSecureSocket(ISocket *sock, const char *issuer)
             auto it = secureCtxClientIssuerMap.find(issuer);
             if (it == secureCtxClientIssuerMap.end())
             {
-                Owned<IPropertyTree> info = getIssuerTlsServerConfig(issuer);
-                if (!info)
+                Owned<const ISyncedPropertyTree> info = getIssuerTlsSyncedConfig(issuer);
+                if (!info || !info->isValid())
                     throw makeStringExceptionV(-1, "createSecureSocket() : missing MTLS configuration for issuer: %s", issuer);
-                secureContext.setown(createSecureSocketContextEx2(info, ClientSocket));
+                secureContext.setown(createSecureSocketContextSynced(info, ClientSocket));
                 secureCtxClientIssuerMap.emplace(issuer, secureContext.getLink());
             }
             else
@@ -168,7 +174,10 @@ static ISecureSocket *createSecureSocket(ISocket *sock, const char *issuer)
         else
         {
             if (!secureContextClient)
-                secureContextClient.setown(createSecureSocketContextEx(securitySettings.queryCertificate(), securitySettings.queryPrivateKey(), securitySettings.queryPassPhrase(), ClientSocket));
+            {
+                Owned<const IPropertyTree> config = securitySettings.getSecureConfig();
+                secureContextClient.setown(createSecureSocketContextEx2(config, ClientSocket));
+            }
             secureContext.set(secureContextClient);
         }
     }
@@ -722,17 +731,8 @@ void CRemoteBase::connectSocket(SocketEndpoint &ep, unsigned connectTimeoutMs, u
                     // The context would be 'owned' by the hook, and would expire when the mappings are removed (when removeMappedDafileSrvSecrets is called).
                     if (storageSecret)
                     {
-                        Owned<IPropertyTree> secretPTree = getSecret("storage", storageSecret);
-                        if (!secretPTree)
-                            throw makeStringExceptionV(-1, "secret %s.%s not found", "storage", storageSecret.str());
-
-                        StringBuffer certSecretBuf;
-                        getSecretKeyValue(certSecretBuf, secretPTree, "tls.crt");
-
-                        StringBuffer privKeySecretBuf;
-                        getSecretKeyValue(privKeySecretBuf, secretPTree, "tls.key");
-
-                        Owned<ISecureSocketContext> secureContext = createSecureSocketContextEx(certSecretBuf, privKeySecretBuf, nullptr, ClientSocket);
+                        Owned<ISyncedPropertyTree> config = createStorageTlsConfig(storageSecret, false);
+                        Owned<ISecureSocketContext> secureContext = createSecureSocketContextSynced(config, ClientSocket);
                         int loglevel = SSLogNormal;
 #ifdef _DEBUG
                         loglevel = SSLogMax;

diff --git a/fs/dafsserver/dafsserver.cpp b/fs/dafsserver/dafsserver.cpp
@@ -112,6 +112,13 @@ static class _securitySettingsServer
     {
         queryDafsSecSettings(&connectMethod, &daFileSrvPort, &daFileSrvSSLPort, &certificate, &privateKey, &passPhrase);
     }
+
+    const IPropertyTree * getSecureConfig()
+    {
+        //Later: return a synced tree...
+        return createSecureSocketConfig(certificate, privateKey, passPhrase);
+    }
+
 } securitySettings;
 #endif
 
@@ -133,23 +140,23 @@ static ISecureSocket *createSecureSocket(ISocket *sock, bool disableClientCertVe
              */
 
             const char *certScope = strsame("cluster", getComponentConfigSP()->queryProp("service/@visibility")) ? "local" : "public";
-            Owned<IPropertyTree> info = getIssuerTlsServerConfig(certScope);
-            if (!info)
+            Owned<const ISyncedPropertyTree> info = getIssuerTlsSyncedConfig(certScope);
+            if (!info || !info->isValid())
                 throw makeStringException(-1, "createSecureSocket() : missing MTLS configuration");
             Owned<IPropertyTree> cloneInfo;
             if (disableClientCertVerification)
             {
-                // do not insist clients provide a cerificate for verification.
+                // do not insist clients provide a certificate for verification.
                 // This is used when the connection is TLS, but the authentication is done via other means
                 // e.g. in the case of the streaming service a opaque signed blob is transmitted and must
                 // be verified before proceeding.
                 cloneInfo.setown(createPTreeFromIPT(info));
                 cloneInfo->setPropBool("verify/@enable", false);
-                info = cloneInfo;
+                info.set(cloneInfo);
             }
-            secureContextServer.setown(createSecureSocketContextEx2(info, ServerSocket));
+            secureContextServer.setown(createSecureSocketContextSynced(info, ServerSocket));
 #else
-            secureContextServer.setown(createSecureSocketContextEx(securitySettings.certificate, securitySettings.privateKey, securitySettings.passPhrase, ServerSocket));
+            secureContextServer.setown(createSecureSocketContextEx2(securitySettings.getSecureConfig(), ServerSocket));
 #endif
         }
     }

diff --git a/roxie/ccd/ccd.hpp b/roxie/ccd/ccd.hpp
@@ -410,7 +410,7 @@ extern int backgroundCopyClass;
 extern int backgroundCopyPrio;
 
 extern unsigned roxiePort;     // If listening on multiple, this is the first. Used for lock cascading
-extern IPropertyTree *roxiePortTlsClientConfig;
+extern ISyncedPropertyTree *roxiePortTlsClientConfig;
 
 
 extern unsigned udpMulticastBufferSize;

diff --git a/roxie/ccd/ccdlistener.cpp b/roxie/ccd/ccdlistener.cpp
@@ -79,7 +79,7 @@ class CascadeManager : public CInterface
     CriticalSection revisionCrit;
     int myEndpoint;
     const IRoxieContextLogger &logctx;
-    IPropertyTree *tlsConfig = nullptr;
+    ISyncedPropertyTree *tlsConfig = nullptr;
 
     void unlockChildren()
     {
@@ -135,7 +135,7 @@ class CascadeManager : public CInterface
                 assertex(sock);
                 if (tlsConfig)
                 {
-                    Owned<ISecureSocketContext> secureCtx = createSecureSocketContextEx2(tlsConfig, ClientSocket);
+                    Owned<ISecureSocketContext> secureCtx = createSecureSocketContextSynced(tlsConfig, ClientSocket);
                     if (!secureCtx)
                         throw makeStringException(ROXIE_TLS_ERROR, "Roxie CascadeManager failed creating secure context for roxie control message");
                     Owned<ISecureSocket> ssock = secureCtx->createSecureSocket(sock.getClear());

diff --git a/roxie/ccd/ccdmain.cpp b/roxie/ccd/ccdmain.cpp
@@ -230,7 +230,7 @@ unsigned leafCacheMB = 50;
 unsigned blobCacheMB = 0;
 
 unsigned roxiePort = 0;
-IPropertyTree *roxiePortTlsClientConfig = nullptr;
+ISyncedPropertyTree *roxiePortTlsClientConfig = nullptr;
 
 #ifndef _CONTAINERIZED
 Owned<IPerfMonHook> perfMonHook;
@@ -1501,7 +1501,7 @@ int CCD_API roxie_main(int argc, const char *argv[], const char * defaultYaml)
                     {
                         roxiePort = port;
                         if (roxieFarm.getPropBool("@tls"))
-                            roxiePortTlsClientConfig = createIssuerTlsClientConfig(roxieFarm.queryProp("@issuer"), roxieFarm.getPropBool("@selfSigned"));
+                            roxiePortTlsClientConfig = createIssuerTlsConfig(roxieFarm.queryProp("@issuer"), nullptr, true, roxieFarm.getPropBool("@selfSigned"), true);
                         debugEndpoint.set(roxiePort, ip);
                     }
                     bool suspended = roxieFarm.getPropBool("@suspended", false);
@@ -1513,7 +1513,7 @@ int CCD_API roxie_main(int argc, const char *argv[], const char * defaultYaml)
                         StringBuffer certFileName;
                         StringBuffer keyFileName;
                         StringBuffer passPhraseStr;
-                        Owned<IPropertyTree> tlsConfig;
+                        Owned<const IPropertyTree> tlsConfig;
                         if (serviceTLS)
                         {
                             protocol = "ssl";

diff --git a/roxie/ccd/ccdprotocol.cpp b/roxie/ccd/ccdprotocol.cpp
@@ -246,10 +246,13 @@ class ProtocolSocketListener : public ProtocolListener
 #ifdef _USE_OPENSSL
         if (isSSL)
         {
-            if (_tlsConfig)
-                secureContext.setown(createSecureSocketContextEx2(_tlsConfig, ServerSocket));
-            else
-                secureContext.setown(createSecureSocketContextEx(certFile.get(), keyFile.get(), passPhrase.get(), ServerSocket));
+            Owned<IPropertyTree> config;
+            if (!_tlsConfig)
+            {
+                config.setown(createSecureSocketConfig(certFile.get(), keyFile.get(), passPhrase.get()));
+                _tlsConfig = config;
+            }
+            secureContext.setown(createSecureSocketContextEx2(_tlsConfig, ServerSocket));
         }
 #endif
     }