From: Yuri Weinstein
Date: Wed, 12 Dec 2018 16:49:12 +0000 (-0800)
Subject: Merge pull request #24621 from cbodley/wip-24358
X-Git-Tag: v12.2.11~117
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0d99c9122ad8acdd282e43179a1fe1c1e7fa922b;p=ceph.git
Merge pull request #24621 from cbodley/wip-24358 luminous: rgw: add ssl support to beast frontend Reviewed-by: Casey Bodley
--- 0d99c9122ad8acdd282e43179a1fe1c1e7fa922b
diff --cc src/rgw/rgw_asio_frontend.cc
index db0ef66ddcf1,b160c4ef4d9b..bf5b6be0bde9
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@@ -8,9 -8,8 +8,10 @@@
#include #include + #include +#include "common/errno.h" + #include "rgw_asio_client.h" #include "rgw_asio_frontend.h"
@@@ -332,9 -330,91 +355,91 @@@ int AsioFrontend::init(
ldout(ctx(), 4) << "frontend listening on " << l.endpoint << dendl;
}
- return 0;
+ return drop_privileges(ctx());
}
+ #ifdef WITH_RADOSGW_BEAST_OPENSSL
+ int AsioFrontend::init_ssl()
+ {
+ boost::system::error_code ec;
+ auto& config = conf->get_config_map();
+
+ // ssl configuration
+ auto cert = config.find("ssl_certificate");
+ const bool have_cert = cert != config.end();
+ if (have_cert) {
+ // only initialize the ssl context if it's going to be used
+ ssl_context = boost::in_place(ssl::context::tls);
+ }
+
+ auto key = config.find("ssl_private_key");
+ const bool have_private_key = key != config.end();
+ if (have_private_key) {
+ if (!have_cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_private_key" << dendl;
+ return -EINVAL;
+ }
+ ssl_context->use_private_key_file(key->second, ssl::context::pem, ec);
+ if (ec) {
+ lderr(ctx()) << "failed to add ssl_private_key=" << key->second
+ << ": " << ec.message() << dendl;
+ return -ec.value();
+ }
+ }
+ if (have_cert) {
+ ssl_context->use_certificate_chain_file(cert->second, ec);
+ if (ec) {
+ lderr(ctx()) << "failed to use ssl_certificate=" << cert->second
+ << ": " << ec.message() << dendl;
+ return -ec.value();
+ }
+ if (!have_private_key) {
+ // attempt to use it as a private key if a separate one wasn't provided
+ ssl_context->use_private_key_file(cert->second, ssl::context::pem, ec);
+ if (ec) {
+ lderr(ctx()) << "failed to use ssl_certificate=" << cert->second
+ << " as a private key: " << ec.message() << dendl;
+ return -ec.value();
+ }
+ }
+ }
+
+ // parse ssl endpoints
+ auto ports = config.equal_range("ssl_port");
+ for (auto i = ports.first; i != ports.second; ++i) {
+ if (!have_cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_port" << dendl;
+ return -EINVAL;
+ }
+ auto port = parse_port(i->second.c_str(), ec);
+ if (ec) {
+ lderr(ctx()) << "failed to parse ssl_port=" << i->second << dendl;
+ return -ec.value();
+ }
+ listeners.emplace_back(service);
+ listeners.back().endpoint.port(port);
+ listeners.back().use_ssl = true;
+ }
+
+ auto endpoints = config.equal_range("ssl_endpoint");
+ for (auto i = endpoints.first; i != endpoints.second; ++i) {
+ if (!have_cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_endpoint" << dendl;
+ return -EINVAL;
+ }
+ auto endpoint = parse_endpoint(i->second, ec);
+ if (ec) {
+ lderr(ctx()) << "failed to parse ssl_endpoint=" << i->second << dendl;
+ return -ec.value();
+ }
+ listeners.emplace_back(service);
+ listeners.back().endpoint = endpoint;
+ listeners.back().use_ssl = true;
+ }
+ return 0;
+ }
+ #endif // WITH_RADOSGW_BEAST_OPENSSL
+
void AsioFrontend::accept(Listener& l, boost::system::error_code ec)
{
if (!l.acceptor.is_open()) {
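Review bot: The ssl context created in init_ssl with `ssl_context = boost::in_place(ssl::context::tls);` never has `set_options` applied, so the protocol floor the frontend negotiates is whatever the linked OpenSSL allows by default, which on builds of this era still includes TLS 1.0 and 1.1; right after constructing it, add `ssl_context->set_options(ssl::context::default_workarounds | ssl::context::no_sslv2 | ssl::context::no_sslv3 | ssl::context::no_tlsv1 | ssl::context::no_tlsv1_1, ec);` and fail the same way the key/cert loaders do when `ec` is set. A second point on the three `return -ec.value();` sites following `use_private_key_file` and `use_certificate_chain_file`: as far as I can tell those error codes come from Asio's ssl error category, where `value()` is an OpenSSL reason code rather than an errno, so the negative value init_ssl hands back is not the `-errno` its callers presumably expect; after logging `ec.message()` those sites should return a fixed `-EINVAL` (the `parse_port`/`parse_endpoint` sites look errno-based and can stay). The `use_private_key_file(cert->second, ...)` fallback deserves one more line of comment stating that the certificate file must then carry the PEM private key alongside the chain, since an operator who omits `ssl_private_key` will otherwise only see the generic failure message. init_ssl is entirely within the hunk; the `return drop_privileges(ctx());` change belongs to init, whose body starts outside it.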