Merge db255d7 into 7672737

Author: UgnineSirdis

ydb/apps/dstool/lib/common.py

@@ -159,7 +159,7 @@ def add_host_access_options(self, parser, with_endpoint=True):
         g.add_argument('--mon-port', type=int, default=8765, metavar='PORT', help='HTTP monitoring port for viewer JSON access')
         g.add_argument('--mon-protocol', type=str, metavar='PROTOCOL', choices=('http', 'https'), help='HTTP monitoring protocol for viewer JSON access')
         g.add_argument('--token-file', type=FileType(encoding='ascii'), metavar='PATH', help='Path to token file')
-        g.add_argument('--ca-file', metavar='PATH', dest='cafile', type=str, help='Path to a file containing the PEM encoding of the server root certificates for tls connections.')
+        g.add_argument('--ca-file', metavar='PATH', dest='cafile', type=str, help='Path to a file containing PEM encoded root certificates for TLS connections.')
         g.add_argument('--http', action='store_true', help='Use HTTP to connect to blob storage controller instead of GRPC')
         g.add_argument('--http-timeout', type=int, default=5, help='Timeout for blocking socket I/O operations during HTTP(s) queries')
         g.add_argument('--insecure', action='store_true', help='Allow insecure HTTPS fetching')

ydb/core/driver_lib/cli_base/cli_cmds_db.cpp

@@ -831,6 +831,8 @@ class TClientCommandSchemaTableOptions : public TClientCommand {
         ClientConfig.MaxInFlight = CommandConfig.ClientConfig.MaxInFlight;
         ClientConfig.EnableSsl = CommandConfig.ClientConfig.EnableSsl;
         ClientConfig.SslCredentials.pem_root_certs = CommandConfig.ClientConfig.SslCredentials.pem_root_certs;
+        ClientConfig.SslCredentials.pem_cert_chain = CommandConfig.ClientConfig.SslCredentials.pem_cert_chain;
+        ClientConfig.SslCredentials.pem_private_key = CommandConfig.ClientConfig.SslCredentials.pem_private_key;
     }
 
     template<typename T>

ydb/core/driver_lib/cli_base/cli_cmds_root.cpp

@@ -184,6 +184,7 @@ class TClientCommandRootLite : public TClientCommandRootKikimrBase {
             throw TMisuseException() << message;
         }
         ParseCaCerts(config);
+        ParseClientCert(config);
         config.Address = Address;
 
         if (!hostname) {
@@ -193,6 +194,10 @@ class TClientCommandRootLite : public TClientCommandRootKikimrBase {
         if (config.EnableSsl) {
             CommandConfig.ClientConfig.EnableSsl = config.EnableSsl;
             CommandConfig.ClientConfig.SslCredentials.pem_root_certs = config.CaCerts;
+            if (config.ClientCert) {
+                CommandConfig.ClientConfig.SslCredentials.pem_cert_chain = config.ClientCert;
+                CommandConfig.ClientConfig.SslCredentials.pem_private_key = config.ClientCertPrivateKey;
+            }
         }
     }
 

ydb/core/driver_lib/cli_base/cli_grpc.h

@@ -94,6 +94,8 @@ class TClientGRpcCommand : public TClientCommand {
         ClientConfig.MaxInFlight = CommandConfig.ClientConfig.MaxInFlight;
         ClientConfig.EnableSsl = CommandConfig.ClientConfig.EnableSsl;
         ClientConfig.SslCredentials.pem_root_certs = CommandConfig.ClientConfig.SslCredentials.pem_root_certs;
+        ClientConfig.SslCredentials.pem_cert_chain = CommandConfig.ClientConfig.SslCredentials.pem_cert_chain;
+        ClientConfig.SslCredentials.pem_private_key = CommandConfig.ClientConfig.SslCredentials.pem_private_key;
     }
 
     static int PrepareConfigCredentials(NGRpcProxy::TGRpcClientConfig clientConfig, TConfig& commandConfig) {
@@ -159,4 +161,3 @@ class TClientGRpcCommand : public TClientCommand {
 
 }
 }
-

ydb/core/driver_lib/cli_utils/cli_cmds_root.cpp

@@ -56,11 +56,16 @@ class TClientCommandRoot : public TClientCommandRootKikimrBase {
             config.EnableSsl = endpoint.EnableSsl.GetRef();
         }
         ParseCaCerts(config);
+        ParseClientCert(config);
 
         CommandConfig.ClientConfig = NYdbGrpc::TGRpcClientConfig(endpoint.Address);
         if (config.EnableSsl) {
             CommandConfig.ClientConfig.EnableSsl = config.EnableSsl;
             CommandConfig.ClientConfig.SslCredentials.pem_root_certs = config.CaCerts;
+            if (config.ClientCert) {
+                CommandConfig.ClientConfig.SslCredentials.pem_cert_chain = config.ClientCert;
+                CommandConfig.ClientConfig.SslCredentials.pem_private_key = config.ClientCertPrivateKey;
+            }
         }
     }
 };

ydb/core/driver_lib/cli_utils/cli_cmds_tenant.cpp

@@ -142,6 +142,8 @@ class TTenantClientGRpcCommand : public TTenantClientCommand {
         ClientConfig.MaxInFlight = CommandConfig.ClientConfig.MaxInFlight;
         ClientConfig.EnableSsl = CommandConfig.ClientConfig.EnableSsl;
         ClientConfig.SslCredentials.pem_root_certs = CommandConfig.ClientConfig.SslCredentials.pem_root_certs;
+        ClientConfig.SslCredentials.pem_cert_chain = CommandConfig.ClientConfig.SslCredentials.pem_cert_chain;
+        ClientConfig.SslCredentials.pem_private_key = CommandConfig.ClientConfig.SslCredentials.pem_private_key;
     }
 
     int Run(TConfig &config) override

ydb/core/driver_lib/run/main.cpp

@@ -89,7 +89,9 @@ int MainRun(const TKikimrRunConfig& runConfig, std::shared_ptr<TModuleFactories>
         configParser.SetupGlobalOpts(opts);
         NMsgBusProxy::TMsgBusClientConfig mbusConfig;
         mbusConfig.ConfigureLastGetopt(opts, "mb-");
-        opts.AddLongOption("ca-file", "Path to a file containing the PEM encoding of the server root certificates for tls connections.\n").RequiredArgument("PATH");
+        opts.AddLongOption("ca-file", "Path to a file containing PEM encoded root certificates for TLS connections.\n").RequiredArgument("PATH");
+        opts.AddLongOption("client-cert-file", "Path to a file containing PEM encoded client certificate for TLS connections.\n").RequiredArgument("PATH");
+        opts.AddLongOption("client-cert-key-file", "Path to a file containing PEM encoded client certificate private key for TLS connections.\n").RequiredArgument("PATH");
         NDriverClient::HideOptions(opts);
         opts.AddLongOption('s', "server", "Server address to connect (default $KIKIMR_SERVER)").RequiredArgument("ADDR[:NUM]");
         opts.AddLongOption('k', "token", "Security token").RequiredArgument("TOKEN");
@@ -205,4 +207,3 @@ int ParameterizedMain(int argc, char **argv, std::shared_ptr<NKikimr::TModuleFac
         return 1;
     }
 }
-

ydb/public/lib/ydb_cli/commands/ydb_command.cpp

@@ -18,6 +18,7 @@ TDriverConfig TYdbCommand::CreateDriverConfig(const TConfig& config) {
         driverConfig.UseSecureConnection(config.CaCerts);
     if (config.IsNetworkIntensive)
         driverConfig.SetNetworkThreadsNum(16);
+    driverConfig.UseClientCertificate(config.ClientCert, config.ClientCertPrivateKey);
 
     return driverConfig;
 }

ydb/public/lib/ydb_cli/commands/ydb_profile.cpp

@@ -244,6 +244,12 @@ namespace {
         if (profile->Has("ca-file")) {
             Cout << "  ca-file: " << profile->GetValue("ca-file").as<TString>() << Endl;
         }
+        if (profile->Has("client-cert-file")) {
+            Cout << "  client-cert-file: " << profile->GetValue("client-cert-file").as<TString>() << Endl;
+        }
+        if (profile->Has("client-cert-key-file")) {
+            Cout << "  client-cert-key-file: " << profile->GetValue("client-cert-key-file").as<TString>() << Endl;
+        }
     }
 }
 
@@ -307,6 +313,10 @@ void TCommandConnectionInfo::PrintInfo(TConfig& config) {
     if (config.CaCertsFile) {
         Cout << "ca-file: " << config.CaCertsFile << Endl;
     }
+    if (config.ClientCertFile) {
+        Cout << "client-cert-file: " << config.ClientCertFile << Endl;
+        Cout << "client-cert-key-file: " << config.ClientCertPrivateKeyFile << Endl;
+    }
 }
 
 void TCommandConnectionInfo::PrintVerboseInfo(TConfig& config) {
@@ -382,7 +392,9 @@ void TCommandProfileCommon::GetOptionsFromStdin() {
         {"user", User},
         {"password-file", PasswordFile},
         {"iam-endpoint", IamEndpoint},
-        {"ca-file", CaCertsFile}
+        {"ca-file", CaCertsFile},
+        {"client-cert-file", ClientCertFile},
+        {"client-cert-key-file", ClientCertPrivateKeyFile},
     };
     while (Cin.ReadLine(line)) {
         Strip(line, trimmedLine);
@@ -432,6 +444,12 @@ void TCommandProfileCommon::ConfigureProfile(const TString& profileName, std::sh
     if (cmdLine && CaCertsFile) {
         profile->SetValue("ca-file", CaCertsFile);
     }
+    if (cmdLine && ClientCertFile) {
+        profile->SetValue("client-cert-file", ClientCertFile);
+    }
+    if (cmdLine && ClientCertPrivateKeyFile) {
+        profile->SetValue("client-cert-key-file", ClientCertPrivateKeyFile);
+    }
 
     if (interactive) {
         TString activeProfileName = profileManager->GetActiveProfileName();
@@ -669,11 +687,22 @@ void TCommandProfileCommon::ValidateAuth() {
     }
 }
 
+void TCommandProfileCommon::ValidateClientCert() {
+    if (ClientCertFile.empty() && ClientCertPrivateKeyFile.empty()) {
+        return;
+    }
+    if (ClientCertFile.empty() || ClientCertPrivateKeyFile.empty()) { // One option is set, another is not set
+        throw TMisuseException()
+            << "Both \"client-cert-file\" and \"client-cert-key-file\" options must be provided.";
+    }
+}
+
 bool TCommandProfileCommon::AnyProfileOptionInCommandLine() {
     return Endpoint || Database || TokenFile || Oauth2KeyFile ||
            IamTokenFile || YcTokenFile ||
            SaKeyFile || UseMetadataCredentials || User ||
-           PasswordFile || IamEndpoint || AnonymousAuth || CaCertsFile;
+           PasswordFile || IamEndpoint || AnonymousAuth || CaCertsFile ||
+           ClientCertFile || ClientCertPrivateKeyFile;
 }
 
 TCommandCreateProfile::TCommandCreateProfile()
@@ -711,8 +740,14 @@ void TCommandProfileCommon::Config(TConfig& config) {
         .RequiredArgument("STR").StoreResult(&IamEndpoint);
     }
     opts.AddLongOption("ca-file",
-        "Path to a file containing the PEM encoding of the server root certificates for tls connections.")
+        "Path to a file containing PEM encoded root certificates for TLS connections.")
         .RequiredArgument("PATH").StoreResult(&CaCertsFile);
+    opts.AddLongOption("client-cert-file",
+        "Path to a file containing PEM encoded client certificate for TLS connections")
+        .RequiredArgument("PATH").StoreResult(&ClientCertFile);
+    opts.AddLongOption("client-cert-key-file",
+        "Path to a file containing PEM encoded client certificate private key for TLS connections")
+        .RequiredArgument("PATH").StoreResult(&ClientCertPrivateKeyFile);
     if (!IsStdinInteractive()) {
         GetOptionsFromStdin();
     }
@@ -721,6 +756,7 @@ void TCommandProfileCommon::Config(TConfig& config) {
 void TCommandProfileCommon::Parse(TConfig& config) {
     TClientCommand::Parse(config);
     ValidateAuth();
+    ValidateClientCert();
 }
 
 void TCommandCreateProfile::Config(TConfig& config) {
@@ -1064,8 +1100,12 @@ void TCommandUpdateProfile::Config(TConfig& config) {
     if (config.UseIamAuth) {
         opts.AddLongOption("no-iam-endpoint", "Delete endpoint of IAM service from the profile").StoreTrue(&NoIamEndpoint);
     }
-    opts.AddLongOption("no-ca-file", "Delete path to file containing the PEM encoding of the "
-        "server root certificates for tls connections from the profile").StoreTrue(&NoCaCertsFile);
+    opts.AddLongOption("no-ca-file", "Delete path to file containing PEM encoded "
+        "server root certificates for TLS connections from the profile").StoreTrue(&NoCaCertsFile);
+    opts.AddLongOption("no-client-cert-file", "Delete path to a file containing PEM encoded "
+        "client certificate for TLS connections").StoreTrue(&NoClientCertFile);
+    opts.AddLongOption("no-client-cert-key-file", "Delete path to a file containing PEM encoded "
+        "client certificate private key for TLS connections").StoreTrue(&NoClientCertPrivateKeyFile);
 }
 
 void TCommandUpdateProfile::ValidateNoOptions() {
@@ -1082,22 +1122,30 @@ void TCommandUpdateProfile::ValidateNoOptions() {
     TStringBuilder str;
     if (Endpoint && NoEndpoint) {
         str << "\"--endpoint\" and \"--no-endpoint\"";
-    } else {
-        if (Database && NoDatabase) {
-            str << "\"--database and \"--no-database\"";
-        } else {
-            if (IamEndpoint && NoIamEndpoint) {
-                str << "\"--iam-endpoint\" and \"--no-iam-endpoint\"";
-            } else {
-                if (CaCertsFile && NoCaCertsFile) {
-                    str << "\"--ca-file\" and \"--no-ca-file\"";
-                }
-            }
-        }
     }
+    if (!str && Database && NoDatabase) {
+        str << "\"--database and \"--no-database\"";
+    }
+    if (!str && IamEndpoint && NoIamEndpoint) {
+        str << "\"--iam-endpoint\" and \"--no-iam-endpoint\"";
+    }
+    if (!str && CaCertsFile && NoCaCertsFile) {
+        str << "\"--ca-file\" and \"--no-ca-file\"";
+    }
+    if (!str && ClientCertFile && NoClientCertFile) {
+        str << "\"--client-cert-file\" and \"--no-client-cert-file\"";
+    }
+    if (!str && ClientCertPrivateKeyFile && NoClientCertPrivateKeyFile) {
+        str << "\"--client-cert-key-file\" and \"--no-client-cert-key-file\"";
+    }
+
     if (!str.empty()) {
         throw TMisuseException() << "Options " << str << " are mutually exclusive";
     }
+
+    if (NoClientCertFile && !NoClientCertPrivateKeyFile || !NoClientCertFile && NoClientCertPrivateKeyFile) {
+        throw TMisuseException() << "Options \"--no-client-cert-file\" and \"--no-client-cert-key-file\" must be both set or unset";
+    }
 }
 
 void TCommandUpdateProfile::DropNoOptions(std::shared_ptr<IProfile> profile) {
@@ -1116,6 +1164,12 @@ void TCommandUpdateProfile::DropNoOptions(std::shared_ptr<IProfile> profile) {
     if (NoCaCertsFile) {
         profile->RemoveValue("ca-file");
     }
+    if (NoClientCertFile) {
+        profile->RemoveValue("client-cert-file");
+    }
+    if (NoClientCertPrivateKeyFile) {
+        profile->RemoveValue("client-cert-key-file");
+    }
 }
 
 void TCommandUpdateProfile::Parse(TConfig& config) {

ydb/public/lib/ydb_cli/commands/ydb_profile.h

@@ -38,12 +38,13 @@ class TCommandProfileCommon : public TClientCommand {
 
 protected:
     void ValidateAuth();
+    void ValidateClientCert();
     bool AnyProfileOptionInCommandLine();
     void ConfigureProfile(const TString& profileName, std::shared_ptr<IProfileManager> profileManager,
                      TConfig& config, bool interactive, bool cmdLine);
 
     TString ProfileName, Endpoint, Database, TokenFile, Oauth2KeyFile, YcTokenFile, SaKeyFile,
-            IamTokenFile, IamEndpoint, User, PasswordFile, CaCertsFile;
+            IamTokenFile, IamEndpoint, User, PasswordFile, CaCertsFile, ClientCertFile, ClientCertPrivateKeyFile;
 
     bool UseMetadataCredentials = false;
     bool AnonymousAuth = false;
@@ -141,6 +142,8 @@ class TCommandUpdateProfile : public TCommandProfileCommon {
     bool NoAuth = false;
     bool NoIamEndpoint = false;
     bool NoCaCertsFile = false;
+    bool NoClientCertFile = false;
+    bool NoClientCertPrivateKeyFile = false;
 };
 
 class TCommandReplaceProfile : public TCommandProfileCommon {