authorsuperbstreak <robwu15@gmail.com>2018-07-09 01:33:55 -0700
committerSorabh Hamirwasia <sorabh@apache.org>2018-07-12 18:52:16 -0700
commitb1eb9d76cda84661e5ebd6f1d87a5d5ee0501526 (patch)
tree93247cc81b87f202a7c3e462921e2e00422899c9 /contrib
parentbd4049dc657e2f74d69abd7289482a57ea1d98cc (diff)
[DRILL-6586] Add SSL Hostname verification with zookeeper connection mode support
Diffstat (limited to 'contrib')
-rw-r--r--contrib/native/client/src/clientlib/channel.cpp7
-rw-r--r--contrib/native/client/src/clientlib/channel.hpp33
2 files changed, 21 insertions, 19 deletions
diff --git a/contrib/native/client/src/clientlib/channel.cpp b/contrib/native/client/src/clientlib/channel.cpp
index fc978168c..e368cd08b 100644
--- a/contrib/native/client/src/clientlib/channel.cpp
+++ b/contrib/native/client/src/clientlib/channel.cpp
@@ -376,13 +376,8 @@ connectionStatus_t SSLStreamChannel::init(){
std::string disableHostVerification;
props->getProp(USERPROP_DISABLE_HOSTVERIFICATION, disableHostVerification);
if (disableHostVerification != "true") {
- // Populate endpoint information before we retrieve host name.
- m_pEndpoint->parseConnectString();
- std::string hostStr = m_pEndpoint->getHost();
((SSLChannelContext_t *) m_pContext)->getSslContext().set_verify_callback(
- DrillSSLHostnameVerifier(
- ((SSLChannelContext_t *)m_pContext),
- boost::asio::ssl::rfc2818_verification(hostStr.c_str())));
+ DrillSSLHostnameVerifier(this));
}
m_pSocket=new SslSocket(m_ioService, ((SSLChannelContext_t*)m_pContext)->getSslContext() );
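Review bot: `DrillSSLHostnameVerifier(this)` places a raw pointer to this channel inside the callback held by the SSL context in `m_pContext`, so the callback is only safe while the channel outlives every handshake that uses that context. The hunk does not show who owns `m_pContext` or whether the context can be handed to another channel; if it can, the stored callback would point at a destroyed channel. A comment at the call would record the assumption, for example `// Verifier keeps a raw pointer to this channel; the SSL context must not be used after the channel is destroyed.` init() begins and continues outside this hunk.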
diff --git a/contrib/native/client/src/clientlib/channel.hpp b/contrib/native/client/src/clientlib/channel.hpp
index e73911886..76bedde34 100644
--- a/contrib/native/client/src/clientlib/channel.hpp
+++ b/contrib/native/client/src/clientlib/channel.hpp
@@ -41,13 +41,14 @@ class UserProperties;
//parse the connection string and set up the host and port to connect to
connectionStatus_t getDrillbitEndpoint();
- void parseConnectString();
+
const std::string& getProtocol() const {return m_protocol;}
const std::string& getHost() const {return m_host;}
const std::string& getPort() const {return m_port;}
DrillClientError* getError(){ return m_pError;};
private:
+ void parseConnectString();
bool isDirectConnection();
bool isZookeeperConnection();
connectionStatus_t getDrillbitEndpointFromZk();
@@ -171,6 +172,8 @@ class UserProperties;
ConnectionEndpoint* getEndpoint(){return m_pEndpoint;}
+ ChannelContext_t* getChannelContext(){ return m_pContext; }
+
protected:
connectionStatus_t handleError(connectionStatus_t status, std::string msg);
@@ -276,11 +279,8 @@ class UserProperties;
public:
/// @brief The constructor.
///
- /// @param in_pctx The SSL Channel Context.
- /// @param in_verifier The wrapped verifier.
- DrillSSLHostnameVerifier(SSLChannelContext_t* in_pctx, boost::asio::ssl::rfc2818_verification in_verifier) :
- m_verifier(in_verifier),
- m_pctx(in_pctx){
+ /// @param in_channel The Channel.
+ DrillSSLHostnameVerifier(Channel* in_channel) : m_channel(in_channel){
DRILL_LOG(LOG_INFO)
<< "DrillSSLHostnameVerifier::DrillSSLHostnameVerifier: +++++ Enter +++++"
<< std::endl;
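Review bot: The new single-argument constructor is not `explicit`, so any `Channel*` converts implicitly to a hostname verifier; `explicit DrillSSLHostnameVerifier(Channel* in_channel) : m_channel(in_channel){` avoids an accidental conversion at a `set_verify_callback` call site. The `@param` line should also state that `in_channel` must be non-null and must outlive the verifier and every copy of it, because the pointer is dereferenced on each verification callback. The constructor body continues outside this hunk.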
@@ -295,23 +295,30 @@ class UserProperties;
boost::asio::ssl::verify_context& in_ctx){
DRILL_LOG(LOG_INFO) << "DrillSSLHostnameVerifier::operator(): +++++ Enter +++++" << std::endl;
- bool verified = m_verifier(in_preverified, in_ctx);
+ // Gets the channel context.
+ SSLChannelContext_t* context = (SSLChannelContext_t*)(m_channel->getChannelContext());
+
+ // Retrieve the host before we perform Host name verification.
+ // This is because host with ZK mode is selected after the connect() function is called.
+ boost::asio::ssl::rfc2818_verification verifier(m_channel->getEndpoint()->getHost().c_str());
+
+ // Perform verification.
+ bool verified = verifier(in_preverified, in_ctx);
DRILL_LOG(LOG_DEBUG)
<< "DrillSSLHostnameVerifier::operator(): Verification Result: "
<< verified
<< std::endl;
- m_pctx->SetCertHostnameVerificationStatus(verified);
- return verified;
+ // Sets the result back to the context.
+ context->SetCertHostnameVerificationStatus(verified);
+ return verified && in_preverified;
}
private:
- // The inner verifier.
- boost::asio::ssl::rfc2818_verification m_verifier;
- // The SSL channel context.
- SSLChannelContext_t* m_pctx;
+ // The SSL channel.
+ Channel* m_channel;
};
} // namespace Drill
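Review bot: The callback dereferences `m_channel->getEndpoint()->getHost()` without checking that an endpoint exists or that a host has been selected. The host is now read at handshake time (after ZooKeeper selection, per the new comment), so an unset or empty host should fail closed explicitly instead of depending on how `rfc2818_verification` treats an empty name. Separately, the status stored through `SetCertHostnameVerificationStatus` is `verified` while the value returned is `verified && in_preverified`; folding the pre-verification result in before storing keeps the recorded status from reporting success for a handshake the callback rejects. In ZooKeeper mode the name being matched is presumably the one the ZooKeeper lookup supplied, so the check is only as trustworthy as that lookup, which deserves a comment on the class. The class begins outside this hunk.

```cpp
// … unchanged: entry log line …
ConnectionEndpoint* endpoint = m_channel ? m_channel->getEndpoint() : NULL;
SSLChannelContext_t* context =
    m_channel ? (SSLChannelContext_t*)(m_channel->getChannelContext()) : NULL;
if (endpoint == NULL || context == NULL || endpoint->getHost().empty()) {
    // Fail closed: there is no host name to match the certificate against.
    if (context != NULL) context->SetCertHostnameVerificationStatus(false);
    return false;
}
boost::asio::ssl::rfc2818_verification verifier(endpoint->getHost().c_str());
// Fold pre-verification in so the stored status matches the returned value.
bool verified = in_preverified && verifier(in_preverified, in_ctx);
// … unchanged: debug log of the result …
context->SetCertHostnameVerificationStatus(verified);
return verified;
```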