authoryuryalekseev <yuryalekseev@yandex-team.com>2022-07-22 13:33:44 +0300
committeryuryalekseev <yuryalekseev@yandex-team.com>2022-07-22 13:33:44 +0300
commit5aaaf1ee4044f09b292da97e6b89c1d886ab37cf (patch)
treebf5278ad72b0668a21f97db7ded330bdc7e2b614 /library/cpp
parent48b8dd7fa906ee3da1a1c9ddf102b2aa5e6773c8 (diff)
downloadydb-5aaaf1ee4044f09b292da97e6b89c1d886ab37cf.tar.gz
Modify interconnect to get root CA in a grpc way if CA file is not provided.
Diffstat (limited to 'library/cpp')
-rw-r--r--library/cpp/actors/interconnect/CMakeLists.darwin.txt5
-rw-r--r--library/cpp/actors/interconnect/CMakeLists.linux.txt5
-rw-r--r--library/cpp/actors/interconnect/interconnect_stream.cpp19
-rw-r--r--library/cpp/grpc/common/CMakeLists.txt21
-rw-r--r--library/cpp/grpc/common/default_root_certs.cpp11
-rw-r--r--library/cpp/grpc/common/default_root_certs.h7
-rw-r--r--library/cpp/grpc/common/time_point.h23
7 files changed, 91 insertions, 0 deletions
diff --git a/library/cpp/actors/interconnect/CMakeLists.darwin.txt b/library/cpp/actors/interconnect/CMakeLists.darwin.txt
index 9bd0c83fcea..76c4edcf5c8 100644
--- a/library/cpp/actors/interconnect/CMakeLists.darwin.txt
+++ b/library/cpp/actors/interconnect/CMakeLists.darwin.txt
@@ -9,9 +9,13 @@
find_package(OpenSSL REQUIRED)
add_library(cpp-actors-interconnect)
+target_include_directories(cpp-actors-interconnect PRIVATE
+ ${CMAKE_SOURCE_DIR}/contrib/libs/grpc
+)
target_link_libraries(cpp-actors-interconnect PUBLIC
contrib-libs-cxxsupp
yutil
+ src-core-lib
contrib-libs-libc_compat
OpenSSL::OpenSSL
cpp-actors-core
@@ -22,6 +26,7 @@ target_link_libraries(cpp-actors-interconnect PUBLIC
cpp-actors-protos
cpp-actors-util
cpp-actors-wilson
+ cpp-grpc-common
cpp-digest-crc32c
library-cpp-json
library-cpp-lwtrace
diff --git a/library/cpp/actors/interconnect/CMakeLists.linux.txt b/library/cpp/actors/interconnect/CMakeLists.linux.txt
index c0e1b39c45d..e6794c331f1 100644
--- a/library/cpp/actors/interconnect/CMakeLists.linux.txt
+++ b/library/cpp/actors/interconnect/CMakeLists.linux.txt
@@ -9,9 +9,13 @@
find_package(OpenSSL REQUIRED)
add_library(cpp-actors-interconnect)
+target_include_directories(cpp-actors-interconnect PRIVATE
+ ${CMAKE_SOURCE_DIR}/contrib/libs/grpc
+)
target_link_libraries(cpp-actors-interconnect PUBLIC
contrib-libs-cxxsupp
yutil
+ src-core-lib
contrib-libs-libc_compat
OpenSSL::OpenSSL
cpp-actors-core
@@ -22,6 +26,7 @@ target_link_libraries(cpp-actors-interconnect PUBLIC
cpp-actors-protos
cpp-actors-util
cpp-actors-wilson
+ cpp-grpc-common
cpp-digest-crc32c
library-cpp-json
library-cpp-lwtrace
diff --git a/library/cpp/actors/interconnect/interconnect_stream.cpp b/library/cpp/actors/interconnect/interconnect_stream.cpp
index ad46453acb7..ff3f0f0b52c 100644
--- a/library/cpp/actors/interconnect/interconnect_stream.cpp
+++ b/library/cpp/actors/interconnect/interconnect_stream.cpp
@@ -1,10 +1,15 @@
#include "interconnect_stream.h"
#include "logging.h"
+
+#include <library/cpp/grpc/common/default_root_certs.h>
#include <library/cpp/openssl/init/init.h>
+
#include <util/network/socket.h>
+
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/x509_vfy.h>
#if defined(_win_)
#include <util/system/file.h>
@@ -319,6 +324,20 @@ namespace NInterconnect {
if (caFilePath) {
ret = SSL_CTX_load_verify_locations(Ctx.get(), caFilePath.data(), nullptr);
Y_VERIFY(ret == 1);
+ } else {
+ auto defaultPemRootCerts = NGrpc::GetDefaultPemRootCerts();
+ if (defaultPemRootCerts != nullptr) {
+ std::unique_ptr<BIO, TDeleter> bio(BIO_new_mem_buf(defaultPemRootCerts, -1));
+ Y_VERIFY(bio);
+
+ auto store = SSL_CTX_get_cert_store(Ctx.get());
+ Y_VERIFY(store != nullptr);
+
+ while (auto cert = PEM_read_bio_X509(bio.get(), nullptr, 0, nullptr)) {
+ ret = X509_STORE_add_cert(store, cert);
+ Y_VERIFY(ret == 1, "X509_STORE_add_cert failed, reason: %s", ERR_reason_error_string(ERR_peek_last_error()));
+ }
+ }
}
int success = SSL_CTX_set_cipher_list(Ctx.get(), ciphers ? ciphers.data() : "AES128-GCM-SHA256");
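Review bot: Each certificate returned by `PEM_read_bio_X509` in the new `while` loop is leaked, because `X509_STORE_add_cert` takes its own reference and the caller's reference is never released with `X509_free`. The loop also treats any nullptr as end of input, so a malformed entry partway through the bundle silently truncates the trust store and leaves a PEM error on the OpenSSL error queue for later calls to pick up; checking for `PEM_R_NO_START_LINE` and then clearing the queue separates the two cases. Separately, when no CA file is given the context now trusts gRPC's whole default root bundle, which is much broader than a cluster-private CA, so a comment stating whether that is intended for interconnect peers would help. The enclosing function starts and ends outside the hunk.

```cpp
// … unchanged: bio and store setup …
while (auto cert = PEM_read_bio_X509(bio.get(), nullptr, 0, nullptr)) {
    ret = X509_STORE_add_cert(store, cert);
    X509_free(cert); // the store keeps its own reference
    Y_VERIFY(ret == 1, "X509_STORE_add_cert failed, reason: %s", ERR_reason_error_string(ERR_peek_last_error()));
}
// nullptr means either end of input or a malformed entry; only the former is acceptable
const auto pemErr = ERR_peek_last_error();
Y_VERIFY(ERR_GET_LIB(pemErr) == ERR_LIB_PEM && ERR_GET_REASON(pemErr) == PEM_R_NO_START_LINE,
         "malformed certificate in default root bundle");
ERR_clear_error();
```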
diff --git a/library/cpp/grpc/common/CMakeLists.txt b/library/cpp/grpc/common/CMakeLists.txt
new file mode 100644
index 00000000000..39a5c752a9b
--- /dev/null
+++ b/library/cpp/grpc/common/CMakeLists.txt
@@ -0,0 +1,21 @@
+
+# This file was gererated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(cpp-grpc-common)
+target_include_directories(cpp-grpc-common PRIVATE
+ ${CMAKE_SOURCE_DIR}/contrib/libs/grpc
+)
+target_link_libraries(cpp-grpc-common PUBLIC
+ contrib-libs-cxxsupp
+ yutil
+ contrib-libs-grpc
+)
+target_sources(cpp-grpc-common PRIVATE
+ ${CMAKE_SOURCE_DIR}/library/cpp/grpc/common/default_root_certs.cpp
+)
diff --git a/library/cpp/grpc/common/default_root_certs.cpp b/library/cpp/grpc/common/default_root_certs.cpp
new file mode 100644
index 00000000000..5dd56f468a3
--- /dev/null
+++ b/library/cpp/grpc/common/default_root_certs.cpp
@@ -0,0 +1,11 @@
+#include "default_root_certs.h"
+
+#include <contrib/libs/grpc/src/core/lib/security/security_connector/ssl_utils.h>
+
+namespace NGrpc {
+
+const char* GetDefaultPemRootCerts() {
+ return grpc_core::DefaultSslRootStore::GetPemRootCerts();
+}
+
+} // namespace NGrpc
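Review bot: `default_root_certs.cpp` includes `src/core/lib/security/security_connector/ssl_utils.h`, which sits under gRPC's `src/core` tree rather than its public `include/` directory, so this wrapper may break on a gRPC upgrade; a comment above the include saying so would warn the next maintainer. As far as I know, `DefaultSslRootStore` can take the bundle from an override callback, an environment-configured path, the system store or the bundled roots, depending on the gRPC version, which would make the interconnect trust anchors depend on the process environment. I would record that next to the function, for example `// The source of the bundle is chosen by gRPC (override callback, environment, system or bundled roots).`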
diff --git a/library/cpp/grpc/common/default_root_certs.h b/library/cpp/grpc/common/default_root_certs.h
new file mode 100644
index 00000000000..1c8ca03b42e
--- /dev/null
+++ b/library/cpp/grpc/common/default_root_certs.h
@@ -0,0 +1,7 @@
+#pragma once
+
+namespace NGrpc {
+
+const char* GetDefaultPemRootCerts();
+
+} // namespace NGrpc
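Review bot: `GetDefaultPemRootCerts()` is declared with no comment on its contract, yet the caller in `interconnect_stream.cpp` depends on two properties of the result: it may be nullptr, and it is handed to `BIO_new_mem_buf(..., -1)`, which requires NUL termination. I would add `// Returns gRPC's default PEM root bundle (NUL-terminated, owned by gRPC; do not free), or nullptr if none is available.` above the declaration, after confirming ownership and termination against the gRPC version in use.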
diff --git a/library/cpp/grpc/common/time_point.h b/library/cpp/grpc/common/time_point.h
new file mode 100644
index 00000000000..c2b81262974
--- /dev/null
+++ b/library/cpp/grpc/common/time_point.h
@@ -0,0 +1,23 @@
+#pragma once
+
+#include <contrib/libs/grpc/include/grpcpp/support/time.h>
+
+#include <util/datetime/base.h>
+
+#include <chrono>
+
+namespace grpc {
+// Specialization of TimePoint for TInstant
+template <>
+class TimePoint<TInstant> : public TimePoint<std::chrono::system_clock::time_point> {
+ using TChronoDuration = std::chrono::duration<TDuration::TValue, std::micro>;
+
+public:
+ TimePoint(const TInstant& time)
+ : TimePoint<std::chrono::system_clock::time_point>(
+ std::chrono::system_clock::time_point(
+ std::chrono::duration_cast<std::chrono::system_clock::duration>(
+ TChronoDuration(time.GetValue())))) {
+ }
+};
+} // namespace grpc
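Review bot: The conversion in the `TimePoint(const TInstant&)` constructor can overflow for large instants. `time.GetValue()` is a microsecond count held in `TDuration::TValue`, and `duration_cast` to `std::chrono::system_clock::duration` multiplies it whenever that duration is finer than microseconds (nanoseconds on common standard libraries). A value such as `TInstant::Max()` used to mean "no deadline" would then wrap to an arbitrary time point, possibly one in the past. Mapping instants at or beyond the representable range to `std::chrono::system_clock::time_point::max()` in a small static helper called from the initializer list would preserve the "infinite" meaning; a comment on the class should state the clamping rule.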