authoryuryalekseev <yuryalekseev@yandex-team.com>2022-07-22 13:33:44 +0300
committeryuryalekseev <yuryalekseev@yandex-team.com>2022-07-22 13:33:44 +0300
commit5aaaf1ee4044f09b292da97e6b89c1d886ab37cf (patch)
treebf5278ad72b0668a21f97db7ded330bdc7e2b614
parent48b8dd7fa906ee3da1a1c9ddf102b2aa5e6773c8 (diff)
downloadydb-5aaaf1ee4044f09b292da97e6b89c1d886ab37cf.tar.gz
Modify interconnect to obtain root CA certificates the gRPC way when no CA file is provided.
-rw-r--r--CMakeLists.darwin.txt13
-rw-r--r--CMakeLists.linux.txt13
-rw-r--r--library/cpp/actors/interconnect/CMakeLists.darwin.txt5
-rw-r--r--library/cpp/actors/interconnect/CMakeLists.linux.txt5
-rw-r--r--library/cpp/actors/interconnect/interconnect_stream.cpp19
-rw-r--r--library/cpp/grpc/common/CMakeLists.txt21
-rw-r--r--library/cpp/grpc/common/default_root_certs.cpp11
-rw-r--r--library/cpp/grpc/common/default_root_certs.h7
-rw-r--r--library/cpp/grpc/common/time_point.h23
-rw-r--r--ydb/core/driver_lib/cli_utils/CMakeLists.txt1
-rw-r--r--ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp6
11 files changed, 112 insertions, 12 deletions
diff --git a/CMakeLists.darwin.txt b/CMakeLists.darwin.txt
index c828db9f9ef..4dc26d70da0 100644
--- a/CMakeLists.darwin.txt
+++ b/CMakeLists.darwin.txt
@@ -377,12 +377,6 @@ add_subdirectory(library/cpp/actors/protos)
add_subdirectory(library/cpp/execprofile)
add_subdirectory(library/cpp/actors/dnsresolver)
add_subdirectory(library/cpp/actors/interconnect)
-add_subdirectory(library/cpp/actors/dnscachelib)
-add_subdirectory(library/cpp/actors/helpers)
-add_subdirectory(library/cpp/actors/wilson)
-add_subdirectory(library/cpp/actors/wilson/protos)
-add_subdirectory(contrib/libs/grpc)
-add_subdirectory(contrib/libs/grpc/grpc)
add_subdirectory(contrib/libs/grpc/src/core/lib)
add_subdirectory(contrib/libs/grpc/third_party/upb)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/base/internal/spinlock_wait)
@@ -419,6 +413,12 @@ add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/types)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/types/bad_optional_access)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/utility)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/strings/internal/str_format)
+add_subdirectory(library/cpp/actors/dnscachelib)
+add_subdirectory(library/cpp/actors/helpers)
+add_subdirectory(library/cpp/actors/wilson)
+add_subdirectory(library/cpp/actors/wilson/protos)
+add_subdirectory(contrib/libs/grpc)
+add_subdirectory(contrib/libs/grpc/grpc)
add_subdirectory(contrib/libs/grpc/third_party/address_sorting)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/hash)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/city)
@@ -431,6 +431,7 @@ add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/container/internal
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/container/internal/absl_hashtablez_sampler)
add_subdirectory(contrib/tools/protoc/plugins/grpc_cpp)
add_subdirectory(contrib/libs/grpc/src/compiler/grpc_plugin_support)
+add_subdirectory(library/cpp/grpc/common)
add_subdirectory(library/cpp/digest/crc32c)
add_subdirectory(contrib/libs/crcutil)
add_subdirectory(library/cpp/monlib/service/pages/tablesorter)
diff --git a/CMakeLists.linux.txt b/CMakeLists.linux.txt
index f787d0e2234..bf49da37f2d 100644
--- a/CMakeLists.linux.txt
+++ b/CMakeLists.linux.txt
@@ -381,12 +381,6 @@ add_subdirectory(library/cpp/actors/protos)
add_subdirectory(library/cpp/execprofile)
add_subdirectory(library/cpp/actors/dnsresolver)
add_subdirectory(library/cpp/actors/interconnect)
-add_subdirectory(library/cpp/actors/dnscachelib)
-add_subdirectory(library/cpp/actors/helpers)
-add_subdirectory(library/cpp/actors/wilson)
-add_subdirectory(library/cpp/actors/wilson/protos)
-add_subdirectory(contrib/libs/grpc)
-add_subdirectory(contrib/libs/grpc/grpc)
add_subdirectory(contrib/libs/grpc/src/core/lib)
add_subdirectory(contrib/libs/grpc/third_party/upb)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/base/internal/spinlock_wait)
@@ -423,6 +417,12 @@ add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/types)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/types/bad_optional_access)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/utility)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/strings/internal/str_format)
+add_subdirectory(library/cpp/actors/dnscachelib)
+add_subdirectory(library/cpp/actors/helpers)
+add_subdirectory(library/cpp/actors/wilson)
+add_subdirectory(library/cpp/actors/wilson/protos)
+add_subdirectory(contrib/libs/grpc)
+add_subdirectory(contrib/libs/grpc/grpc)
add_subdirectory(contrib/libs/grpc/third_party/address_sorting)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/hash)
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/city)
@@ -435,6 +435,7 @@ add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/container/internal
add_subdirectory(contrib/restricted/abseil-cpp-tstring/y_absl/container/internal/absl_hashtablez_sampler)
add_subdirectory(contrib/tools/protoc/plugins/grpc_cpp)
add_subdirectory(contrib/libs/grpc/src/compiler/grpc_plugin_support)
+add_subdirectory(library/cpp/grpc/common)
add_subdirectory(library/cpp/digest/crc32c)
add_subdirectory(contrib/libs/crcutil)
add_subdirectory(library/cpp/monlib/service/pages/tablesorter)
diff --git a/library/cpp/actors/interconnect/CMakeLists.darwin.txt b/library/cpp/actors/interconnect/CMakeLists.darwin.txt
index 9bd0c83fcea..76c4edcf5c8 100644
--- a/library/cpp/actors/interconnect/CMakeLists.darwin.txt
+++ b/library/cpp/actors/interconnect/CMakeLists.darwin.txt
@@ -9,9 +9,13 @@
find_package(OpenSSL REQUIRED)
add_library(cpp-actors-interconnect)
+target_include_directories(cpp-actors-interconnect PRIVATE
+ ${CMAKE_SOURCE_DIR}/contrib/libs/grpc
+)
target_link_libraries(cpp-actors-interconnect PUBLIC
contrib-libs-cxxsupp
yutil
+ src-core-lib
contrib-libs-libc_compat
OpenSSL::OpenSSL
cpp-actors-core
@@ -22,6 +26,7 @@ target_link_libraries(cpp-actors-interconnect PUBLIC
cpp-actors-protos
cpp-actors-util
cpp-actors-wilson
+ cpp-grpc-common
cpp-digest-crc32c
library-cpp-json
library-cpp-lwtrace
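Review bot: The private include path for `${CMAKE_SOURCE_DIR}/contrib/libs/grpc` and the PUBLIC link to `src-core-lib` added to cpp-actors-interconnect look redundant: the only new include in interconnect_stream.cpp in this commit is `library/cpp/grpc/common/default_root_certs.h`, which pulls in no gRPC headers, and the new cpp-grpc-common target already carries its own gRPC include and link settings. Unless another source in this target needs gRPC directly, dropping those two additions keeps the actors library's public dependency set from growing to include gRPC core, which is presumably why the wrapper library exists. The same applies to library/cpp/actors/interconnect/CMakeLists.linux.txt in this commit.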
diff --git a/library/cpp/actors/interconnect/CMakeLists.linux.txt b/library/cpp/actors/interconnect/CMakeLists.linux.txt
index c0e1b39c45d..e6794c331f1 100644
--- a/library/cpp/actors/interconnect/CMakeLists.linux.txt
+++ b/library/cpp/actors/interconnect/CMakeLists.linux.txt
@@ -9,9 +9,13 @@
find_package(OpenSSL REQUIRED)
add_library(cpp-actors-interconnect)
+target_include_directories(cpp-actors-interconnect PRIVATE
+ ${CMAKE_SOURCE_DIR}/contrib/libs/grpc
+)
target_link_libraries(cpp-actors-interconnect PUBLIC
contrib-libs-cxxsupp
yutil
+ src-core-lib
contrib-libs-libc_compat
OpenSSL::OpenSSL
cpp-actors-core
@@ -22,6 +26,7 @@ target_link_libraries(cpp-actors-interconnect PUBLIC
cpp-actors-protos
cpp-actors-util
cpp-actors-wilson
+ cpp-grpc-common
cpp-digest-crc32c
library-cpp-json
library-cpp-lwtrace
diff --git a/library/cpp/actors/interconnect/interconnect_stream.cpp b/library/cpp/actors/interconnect/interconnect_stream.cpp
index ad46453acb7..ff3f0f0b52c 100644
--- a/library/cpp/actors/interconnect/interconnect_stream.cpp
+++ b/library/cpp/actors/interconnect/interconnect_stream.cpp
@@ -1,10 +1,15 @@
#include "interconnect_stream.h"
#include "logging.h"
+
+#include <library/cpp/grpc/common/default_root_certs.h>
#include <library/cpp/openssl/init/init.h>
+
#include <util/network/socket.h>
+
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/x509_vfy.h>
#if defined(_win_)
#include <util/system/file.h>
@@ -319,6 +324,20 @@ namespace NInterconnect {
if (caFilePath) {
ret = SSL_CTX_load_verify_locations(Ctx.get(), caFilePath.data(), nullptr);
Y_VERIFY(ret == 1);
+ } else {
+ auto defaultPemRootCerts = NGrpc::GetDefaultPemRootCerts();
+ if (defaultPemRootCerts != nullptr) {
+ std::unique_ptr<BIO, TDeleter> bio(BIO_new_mem_buf(defaultPemRootCerts, -1));
+ Y_VERIFY(bio);
+
+ auto store = SSL_CTX_get_cert_store(Ctx.get());
+ Y_VERIFY(store != nullptr);
+
+ while (auto cert = PEM_read_bio_X509(bio.get(), nullptr, 0, nullptr)) {
+ ret = X509_STORE_add_cert(store, cert);
+ Y_VERIFY(ret == 1, "X509_STORE_add_cert failed, reason: %s", ERR_reason_error_string(ERR_peek_last_error()));
+ }
+ }
}
int success = SSL_CTX_set_cipher_list(Ctx.get(), ciphers ? ciphers.data() : "AES128-GCM-SHA256");
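Review bot: Every X509 returned by `PEM_read_bio_X509` in the new loop is leaked, because `X509_STORE_add_cert` takes its own reference to the certificate; add `X509_free(cert);` right after the add call. The loop terminates when `PEM_read_bio_X509` returns nullptr at end of input, which leaves a PEM "no start line" entry on the OpenSSL error queue, so the loop should be followed by `ERR_clear_error();` to keep later error reporting on this context clean. Depending on the OpenSSL version linked, a duplicate certificate in the bundle may make `X509_STORE_add_cert` return 0 rather than succeed, and the added `Y_VERIFY` would then abort the process on what is a benign condition — worth checking against the version this tree builds with. Since falling back to the bundled public roots is a trust decision, a comment at the new `} else {` such as `// No CA file configured: trust gRPC's default PEM root bundle instead` would make the intent visible to whoever audits verification settings later. The enclosing function starts and ends outside this hunk, so whether the verify mode makes this store authoritative cannot be confirmed here.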
diff --git a/library/cpp/grpc/common/CMakeLists.txt b/library/cpp/grpc/common/CMakeLists.txt
new file mode 100644
index 00000000000..39a5c752a9b
--- /dev/null
+++ b/library/cpp/grpc/common/CMakeLists.txt
@@ -0,0 +1,21 @@
+
+# This file was gererated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(cpp-grpc-common)
+target_include_directories(cpp-grpc-common PRIVATE
+ ${CMAKE_SOURCE_DIR}/contrib/libs/grpc
+)
+target_link_libraries(cpp-grpc-common PUBLIC
+ contrib-libs-cxxsupp
+ yutil
+ contrib-libs-grpc
+)
+target_sources(cpp-grpc-common PRIVATE
+ ${CMAKE_SOURCE_DIR}/library/cpp/grpc/common/default_root_certs.cpp
+)
diff --git a/library/cpp/grpc/common/default_root_certs.cpp b/library/cpp/grpc/common/default_root_certs.cpp
new file mode 100644
index 00000000000..5dd56f468a3
--- /dev/null
+++ b/library/cpp/grpc/common/default_root_certs.cpp
@@ -0,0 +1,11 @@
+#include "default_root_certs.h"
+
+#include <contrib/libs/grpc/src/core/lib/security/security_connector/ssl_utils.h>
+
+namespace NGrpc {
+
+const char* GetDefaultPemRootCerts() {
+ return grpc_core::DefaultSslRootStore::GetPemRootCerts();
+}
+
+} // namespace NGrpc
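Review bot: `GetDefaultPemRootCerts` is implemented on top of `grpc_core::DefaultSslRootStore` from a `src/core/lib` header, which is gRPC's internal surface rather than its public API, so a gRPC upgrade can change its behavior or signature without notice. A comment on the include line stating that dependency, e.g. `// Internal gRPC API (not part of the public grpcpp headers); revisit on gRPC upgrades`, would flag this for future maintainers.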
diff --git a/library/cpp/grpc/common/default_root_certs.h b/library/cpp/grpc/common/default_root_certs.h
new file mode 100644
index 00000000000..1c8ca03b42e
--- /dev/null
+++ b/library/cpp/grpc/common/default_root_certs.h
@@ -0,0 +1,7 @@
+#pragma once
+
+namespace NGrpc {
+
+const char* GetDefaultPemRootCerts();
+
+} // namespace NGrpc
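Review bot: The new public declaration of `GetDefaultPemRootCerts` carries no contract, yet its two callers in this commit disagree about it (interconnect_stream.cpp checks the result for nullptr, cli_cmds_server.cpp does not). Document above the declaration that it returns a PEM bundle as a `const char*` owned by gRPC's default root store, that the pointer must not be freed, and that it may be nullptr when no default roots are available. If this build keeps upstream gRPC behavior, the default store can be redirected at runtime through the `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH` environment variable or a roots-override callback, which is worth stating here as well since it silently changes what interconnect trusts when no CA file is configured — confirm against the vendored gRPC before writing it as fact.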
diff --git a/library/cpp/grpc/common/time_point.h b/library/cpp/grpc/common/time_point.h
new file mode 100644
index 00000000000..c2b81262974
--- /dev/null
+++ b/library/cpp/grpc/common/time_point.h
@@ -0,0 +1,23 @@
+#pragma once
+
+#include <contrib/libs/grpc/include/grpcpp/support/time.h>
+
+#include <util/datetime/base.h>
+
+#include <chrono>
+
+namespace grpc {
+// Specialization of TimePoint for TInstant
+template <>
+class TimePoint<TInstant> : public TimePoint<std::chrono::system_clock::time_point> {
+ using TChronoDuration = std::chrono::duration<TDuration::TValue, std::micro>;
+
+public:
+ TimePoint(const TInstant& time)
+ : TimePoint<std::chrono::system_clock::time_point>(
+ std::chrono::system_clock::time_point(
+ std::chrono::duration_cast<std::chrono::system_clock::duration>(
+ TChronoDuration(time.GetValue())))) {
+ }
+};
+} // namespace grpc
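Review bot: This new header is unrelated to the stated purpose of the commit (root CA fallback) and is not referenced by any other file in the diff, so it would be cleaner as a separate change. The converting constructor assumes `TInstant::GetValue()` is a count of microseconds (that is what `TChronoDuration` with `std::micro` encodes) and truncates through `duration_cast` to the system clock's resolution; a one-line comment above the constructor stating that unit assumption, e.g. `// TInstant::GetValue() is microseconds since the epoch; mapped onto system_clock resolution`, would save the next reader a trip to util/datetime.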
diff --git a/ydb/core/driver_lib/cli_utils/CMakeLists.txt b/ydb/core/driver_lib/cli_utils/CMakeLists.txt
index bab2c0e2606..fa90dd0fe42 100644
--- a/ydb/core/driver_lib/cli_utils/CMakeLists.txt
+++ b/ydb/core/driver_lib/cli_utils/CMakeLists.txt
@@ -16,6 +16,7 @@ target_link_libraries(cli_utils PUBLIC
yutil
cpp-deprecated-enum_codegen
cpp-grpc-client
+ cpp-grpc-common
cpp-protobuf-json
library-cpp-yson
ydb-core-actorlib_impl
diff --git a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
index 63d4863b3a5..3c0ba54d3cf 100644
--- a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
+++ b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
@@ -1,10 +1,14 @@
#include "cli.h"
#include "cli_cmds.h"
+
#include <ydb/core/base/location.h>
#include <ydb/core/base/path.h>
#include <ydb/core/driver_lib/run/run.h>
#include <ydb/library/yaml_config/yaml_config_parser.h>
#include <ydb/public/lib/deprecated/kicli/kicli.h>
+
+#include <library/cpp/grpc/common/default_root_certs.h>
+
#include <util/digest/city.h>
#include <util/random/random.h>
#include <util/string/cast.h>
@@ -1119,6 +1123,8 @@ private:
grpcConfig.EnableSsl = endpoint.EnableSsl.GetRef();
if (PathToCA) {
grpcConfig.SslCaCert = ReadFromFile(PathToCA, "CA certificates");
+ } else if (grpcConfig.EnableSsl) {
+ grpcConfig.SslCaCert = NGrpc::GetDefaultPemRootCerts();
}
}
return NClient::TKikimr(grpcConfig);
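Review bot: The new assignment `grpcConfig.SslCaCert = NGrpc::GetDefaultPemRootCerts();` does not handle a nullptr result, even though the interconnect caller added in this same commit checks for exactly that; if `SslCaCert` is a string type, constructing or assigning it from a null `const char*` is undefined behavior. Guard it: `} else if (grpcConfig.EnableSsl) { if (const char* roots = NGrpc::GetDefaultPemRootCerts()) { grpcConfig.SslCaCert = roots; } }`, leaving the existing behavior for the no-roots case (presumably an empty CA setting) unchanged. The enclosing function starts outside this hunk.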