From: Jiffin Tony Thottan <jthottan@redhat.com>
Date: Mon, 22 Feb 2021 09:46:10 +0000 (+0530)
Subject: rgw: add support for client cert and key for vault
X-Git-Tag: v16.2.6~158^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=42efe3a371b503f2541dacd6efb38f743510c2bf;p=ceph.git

rgw: add support for client cert and key for vault

Authenticate vault with help of user supplied client cert and keys.

Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
(cherry picked from commit 5b9139bd366d029871d29ca90971c5ad058fcf01)

Conflicts:
	src/common/options/rgw.yaml.in
- added required changes in options.cc and legacy_config_opts.h
---

diff --git a/src/common/legacy_config_opts.h b/src/common/legacy_config_opts.h
index 5f81a7c41443..476a16cc2162 100644
--- a/src/common/legacy_config_opts.h
+++ b/src/common/legacy_config_opts.h
@@ -1511,6 +1511,8 @@ OPTION(rgw_crypt_vault_secret_engine, OPT_STR) // kv, transit or other supported
 OPTION(rgw_crypt_vault_namespace, OPT_STR) // Vault Namespace (only availabe in Vault Enterprise Version)
 OPTION(rgw_crypt_vault_verify_ssl, OPT_BOOL) // should we try to verify vault's ssl
 OPTION(rgw_crypt_vault_ssl_cacert, OPT_STR) // optional ca certificate for accessing vault
+OPTION(rgw_crypt_vault_ssl_clientcert, OPT_STR) // client certificate for accessing vault
+OPTION(rgw_crypt_vault_ssl_clientkey, OPT_STR) // private key for client certificate
 
 OPTION(rgw_crypt_kmip_addr, OPT_STR) // kmip server address
 OPTION(rgw_crypt_kmip_ca_path, OPT_STR) // ca for kmip servers
diff --git a/src/common/options.cc b/src/common/options.cc
index 21ff3344c1f9..96bbf56c1a02 100644
--- a/src/common/options.cc
+++ b/src/common/options.cc
@@ -7183,6 +7183,14 @@ std::vector<Option> get_rgw_options() {
     .set_default("")
     .set_description("Path for custom ca certificate for accessing vault server"),
 
+    Option("rgw_crypt_vault_ssl_clientcert", Option::TYPE_STR, Option::LEVEL_ADVANCED)
+    .set_default("")
+    .set_description("Path for customed client certificate for accessing vault server"),
+
+    Option("rgw_crypt_vault_ssl_clientkey", Option::TYPE_STR, Option::LEVEL_ADVANCED)
+    .set_default("")
+    .set_description("Path for private key required for client cert"),
+
     Option("rgw_crypt_kmip_addr", Option::TYPE_STR, Option::LEVEL_ADVANCED)
     .set_default("")
     .set_description("kmip server address"),
diff --git a/src/rgw/rgw_http_client.cc b/src/rgw/rgw_http_client.cc
index 2b7675768d36..01457a7c98ae 100644
--- a/src/rgw/rgw_http_client.cc
+++ b/src/rgw/rgw_http_client.cc
@@ -564,9 +564,21 @@ int RGWHTTPClient::init_request(rgw_http_req_data *_req_data)
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L);
     curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L);
     dout(20) << "ssl verification is set to off" << dendl;
-  } else if (!ca_path.empty()) {
-    curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
-    dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+  } else {
+    if (!ca_path.empty()) {
+      curl_easy_setopt(easy_handle, CURLOPT_CAINFO, ca_path.c_str());
+      dout(20) << "using custom ca cert "<< ca_path.c_str() << " for ssl" << dendl;
+    }
+    if (!client_cert.empty()) {
+      if (!client_key.empty()) {
+	curl_easy_setopt(easy_handle, CURLOPT_SSLCERT, client_cert.c_str());
+	curl_easy_setopt(easy_handle, CURLOPT_SSLKEY, client_key.c_str());
+	dout(20) << "using custom client cert " << client_cert.c_str()
+	  << " and private key " << client_key.c_str() << dendl;
+      } else {
+	dout(5) << "private key is missing for client certificate" << dendl;
+      }
+    }
   }
   curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data);
   curl_easy_setopt(easy_handle, CURLOPT_TIMEOUT, req_timeout);
diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h
index 265ae2615793..79de60a17966 100644
--- a/src/rgw/rgw_http_client.h
+++ b/src/rgw/rgw_http_client.h
@@ -42,6 +42,10 @@ class RGWHTTPClient : public RGWIOProvider
 
   string ca_path;
 
+  string client_cert;
+
+  string client_key;
+
   std::atomic<unsigned> stopped { 0 };
 
 
@@ -177,6 +181,14 @@ public:
   void set_ca_path(const string& _ca_path) {
     ca_path = _ca_path;
   }
+
+  void set_client_cert(const string& _client_cert) {
+    client_cert = _client_cert;
+  }
+
+  void set_client_key(const string& _client_key) {
+    client_key = _client_key;
+  }
 };
 
 
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index 687adb7700b8..dcdcf875115d 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
@@ -258,6 +258,13 @@ protected:
       secret_req.set_ca_path(cct->_conf->rgw_crypt_vault_ssl_cacert);
     }
 
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientcert.empty()) {
+      secret_req.set_client_cert(cct->_conf->rgw_crypt_vault_ssl_clientcert);
+    }
+    if (!cct->_conf->rgw_crypt_vault_ssl_clientkey.empty()) {
+      secret_req.set_client_key(cct->_conf->rgw_crypt_vault_ssl_clientkey);
+    }
+
     res = secret_req.process(null_yield);
     if (res < 0) {
       ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl;