From eb98e34176e5964d883d57e1b9c0cb196ae49c64 Mon Sep 17 00:00:00 2001 From: Andrew Shuvalov Date: Wed, 4 Nov 2020 03:47:34 +0000 Subject: SERVER-51811: No-op wiring of transient SSL params in related methods --- src/mongo/executor/connection_pool.cpp | 9 +++++--- src/mongo/executor/connection_pool.h | 23 +++++++++++++++++---- src/mongo/executor/connection_pool_tl.cpp | 3 ++- src/mongo/executor/connection_pool_tl.h | 24 ++++++++++++---------- .../network_interface_integration_fixture.cpp | 3 +-- .../network_interface_integration_fixture.h | 4 +++- src/mongo/executor/network_interface_tl.cpp | 16 +++++++++++++-- src/mongo/executor/network_interface_tl.h | 2 +- 8 files changed, 59 insertions(+), 25 deletions(-) (limited to 'src/mongo/executor') diff --git a/src/mongo/executor/connection_pool.cpp b/src/mongo/executor/connection_pool.cpp index 38ff62eebf4..36275566ce0 100644 --- a/src/mongo/executor/connection_pool.cpp +++ b/src/mongo/executor/connection_pool.cpp @@ -450,12 +450,15 @@ auto ConnectionPool::SpecificPool::make(std::shared_ptr parent, const Status ConnectionPool::kConnectionStateUnknown = Status(ErrorCodes::InternalError, "Connection is in an unknown state"); -ConnectionPool::ConnectionPool(std::shared_ptr impl, - std::string name, - Options options) +ConnectionPool::ConnectionPool( + std::shared_ptr impl, + std::string name, + Options options, + std::shared_ptr transientSSLContext) : _name(std::move(name)), _factory(std::move(impl)), _options(std::move(options)), + _transientSSLContext(std::move(transientSSLContext)), _controller(_options.controllerFactory()), _manager(options.egressTagCloserManager) { if (_manager) { diff --git a/src/mongo/executor/connection_pool.h b/src/mongo/executor/connection_pool.h index 88348a34423..64ee4c22cbb 100644 --- a/src/mongo/executor/connection_pool.h +++ b/src/mongo/executor/connection_pool.h 
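Review bot: The last initializer of the rewritten constructor, `_manager(options.egressTagCloserManager)`, still reads the `options` parameter after `_options(std::move(options))` has moved from it, so the manager is taken from a moved-from object. Since the constructor is being reworked here and the header hunk makes `_options` a `const Options`, this is the moment to read the stored copy instead: `_manager(_options.egressTagCloserManager) {`, which is safe provided `_options` is declared before `_manager`, as the initializer order suggests. The constructor body continues outside the hunk.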
@@ -33,6 +33,7 @@ #include #include +#include "mongo/config.h" #include "mongo/executor/egress_tag_closer.h" #include "mongo/executor/egress_tag_closer_manager.h" #include "mongo/platform/mutex.h" @@ -43,6 +44,7 @@ #include "mongo/util/future.h" #include "mongo/util/hierarchical_acquisition.h" #include "mongo/util/net/hostandport.h" +#include "mongo/util/net/ssl_options.h" #include "mongo/util/out_of_line_executor.h" #include "mongo/util/time_support.h" @@ -150,6 +152,14 @@ public: */ bool skipAuthentication = false; +#ifdef MONGO_CONFIG_SSL + /** + * Provides SSL params if the egress cluster connection requires custom SSL certificates + * different from the global (default) certificates. + */ + boost::optional transientSSLParams; +#endif + std::function(void)> controllerFactory = &ConnectionPool::makeLimitController; }; @@ -226,9 +236,11 @@ public: bool canShutdown = false; }; - explicit ConnectionPool(std::shared_ptr impl, - std::string name, - Options options = Options{}); + explicit ConnectionPool( + std::shared_ptr impl, + std::string name, + Options options = Options{}, + std::shared_ptr transientSSLContext = {}); ~ConnectionPool(); @@ -257,7 +269,10 @@ private: std::string _name; const std::shared_ptr _factory; - Options _options; + const Options _options; + + // SSL context for the connections that require non-default SSL paramaeters. + std::shared_ptr _transientSSLContext; std::shared_ptr _controller; diff --git a/src/mongo/executor/connection_pool_tl.cpp b/src/mongo/executor/connection_pool_tl.cpp index 1961c9b21d1..4ae4faf570a 100644 --- a/src/mongo/executor/connection_pool_tl.cpp +++ b/src/mongo/executor/connection_pool_tl.cpp 
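Review bot: `transientSSLParams` is declared only under `#ifdef MONGO_CONFIG_SSL`, but the code that consumes it is unguarded: the `transientSSLContext` constructor parameter and the `_transientSSLContext` member in the `@@ -226` and `@@ -257` hunks of this file, and above all `if (_connPoolOpts.transientSSLParams)` in the network_interface_tl.cpp hunk, which cannot compile in a build without SSL. Either wrap that read in the same `#ifdef MONGO_CONFIG_SSL`, or declare the field unconditionally and have the non-SSL path reject a set value at runtime; the first option matches how the field is declared here. The doc comment could also state what an unset optional means, e.g. `* Unset means the global SSL configuration is used.`, which is what the default-constructed context in the constructor signature implies.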
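Review bot: The comment on the new `_transientSSLContext` member misspells "parameters" as `paramaeters`. Suggest `// SSL context for connections that require non-default SSL parameters; empty means the default context is used.` — the "empty means default" part follows from the `= {}` default on the constructor and from network_interface_tl.cpp passing an empty pointer when no transient params are set, but confirm it against AsyncDBClient::connect, which is outside this diff.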
@@ -271,7 +271,8 @@ void TLConnection::setup(Milliseconds timeout, SetupCallback cb) { auto isMasterHook = std::make_shared(_onConnectHook); - AsyncDBClient::connect(_peer, _sslMode, _serviceContext, _reactor, timeout, _sslContextOverride) + AsyncDBClient::connect( + _peer, _sslMode, _serviceContext, _reactor, timeout, _transientSSLContext) .thenRunOn(_reactor) .onError([](StatusWith swc) -> StatusWith { return Status(ErrorCodes::HostUnreachable, swc.getStatus().reason()); diff --git a/src/mongo/executor/connection_pool_tl.h b/src/mongo/executor/connection_pool_tl.h index a1338c98b86..a147071f54d 100644 --- a/src/mongo/executor/connection_pool_tl.h +++ b/src/mongo/executor/connection_pool_tl.h @@ -134,15 +134,16 @@ private: class TLConnection final : public ConnectionPool::ConnectionInterface, public TLTypeFactory::Type { public: - TLConnection(const std::shared_ptr& factory, - transport::ReactorHandle reactor, - ServiceContext* serviceContext, - HostAndPort peer, - transport::ConnectSSLMode sslMode, - size_t generation, - NetworkConnectionHook* onConnectHook, - bool skipAuth, - std::shared_ptr sslContextOverride = nullptr) + TLConnection( + const std::shared_ptr& factory, + transport::ReactorHandle reactor, + ServiceContext* serviceContext, + HostAndPort peer, + transport::ConnectSSLMode sslMode, + size_t generation, + NetworkConnectionHook* onConnectHook, + bool skipAuth, + std::shared_ptr transientSSLContext = nullptr) : ConnectionInterface(generation), TLTypeFactory::Type(factory), _reactor(reactor), @@ -152,7 +153,7 @@ public: _peer(std::move(peer)), _sslMode(sslMode), _onConnectHook(onConnectHook), - _sslContextOverride(sslContextOverride) {} + _transientSSLContext(transientSSLContext) {} ~TLConnection() { // Release must be the first expression of this dtor release(); 
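Review bot: `_transientSSLContext(transientSSLContext)` copies the `std::shared_ptr` that the constructor already takes by value, which costs an extra atomic reference-count increment and decrement per TLConnection; the renamed initializer should move it, `_transientSSLContext(std::move(transientSSLContext)) {}`. The same pattern exists for `_reactor(reactor)` in the untouched lines, but that predates this change. The TLConnection constructor signature is in the previous hunk; only the initializer list is visible here.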
@@ -190,7 +191,8 @@ private: HostAndPort _peer; transport::ConnectSSLMode _sslMode; NetworkConnectionHook* const _onConnectHook; - std::shared_ptr _sslContextOverride; + // SSL context to use intead of the default one for this pool. + std::shared_ptr _transientSSLContext; AsyncDBClient::Handle _client; }; diff --git a/src/mongo/executor/network_interface_integration_fixture.cpp b/src/mongo/executor/network_interface_integration_fixture.cpp index 77ea859440b..7577c7c2a1e 100644 --- a/src/mongo/executor/network_interface_integration_fixture.cpp +++ b/src/mongo/executor/network_interface_integration_fixture.cpp @@ -48,8 +48,7 @@ namespace mongo { namespace executor { void NetworkInterfaceIntegrationFixture::createNet( - std::unique_ptr connectHook) { - ConnectionPool::Options options; + std::unique_ptr connectHook, ConnectionPool::Options options) { options.minConnections = 0u; diff --git a/src/mongo/executor/network_interface_integration_fixture.h b/src/mongo/executor/network_interface_integration_fixture.h index b52a5bb28d4..c98b7e70393 100644 --- a/src/mongo/executor/network_interface_integration_fixture.h +++ b/src/mongo/executor/network_interface_integration_fixture.h @@ -31,6 +31,7 @@ #include "mongo/unittest/unittest.h" #include "mongo/client/connection_string.h" +#include "mongo/executor/connection_pool.h" #include "mongo/executor/network_connection_hook.h" #include "mongo/executor/network_interface.h" #include "mongo/executor/task_executor.h" @@ -63,7 +64,8 @@ using StartCommandCB = std::function; class NetworkInterfaceIntegrationFixture : public mongo::unittest::Test { public: - void createNet(std::unique_ptr connectHook = nullptr); + void createNet(std::unique_ptr connectHook = nullptr, + ConnectionPool::Options options = {}); void startNet(std::unique_ptr connectHook = nullptr); void tearDown() override; diff --git a/src/mongo/executor/network_interface_tl.cpp b/src/mongo/executor/network_interface_tl.cpp index ecc650fd17f..d74e3bf9ce6 100644 
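Review bot: The new member comment has a typo, `intead`, and says "for this pool" although the member lives on TLConnection, i.e. it is held per connection. Suggest `// SSL context to use instead of the default one for this connection (null: use the default).` — the null-means-default reading follows from the `= nullptr` default in the constructor hunk above, but should be confirmed against AsyncDBClient::connect.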
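Review bot: `options.minConnections = 0u;` immediately overwrites whatever a test passed in the new `options` parameter, so a caller who sets `minConnections` has it silently discarded. If forcing it is intentional, say so at the declaration in network_interface_integration_fixture.h, e.g. `// minConnections is always forced to 0; other fields of options are honoured.`, and otherwise apply the override only when the caller left the default. The function body continues outside the hunk, so further fields may be overwritten there too; that should be covered by the same comment.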
--- a/src/mongo/executor/network_interface_tl.cpp +++ b/src/mongo/executor/network_interface_tl.cpp @@ -124,11 +124,23 @@ NetworkInterfaceTL::NetworkInterfaceTL(std::string instanceName, _tl = _ownedTransportLayer.get(); } + std::shared_ptr transientSSLContext; + if (_connPoolOpts.transientSSLParams) { + // TODO: uncomment when changes for SERVER-51599 are submitted. + // auto statusOrContext = _tl->createTransientSSLContext( + // _connPoolOpts.transientSSLParams.get(), nullptr, true /* asyncOCSPStaple */); + // uassertStatusOK(statusOrContext.getStatus()); + // transientSSLContext = std::make_shared( + // std::move(statusOrContext.getValue())); + } + _reactor = _tl->getReactor(transport::TransportLayer::kNewReactor); auto typeFactory = std::make_unique( _reactor, _tl, std::move(_onConnectHook), _connPoolOpts); - _pool = std::make_shared( - std::move(typeFactory), std::string("NetworkInterfaceTL-") + _instanceName, _connPoolOpts); + _pool = std::make_shared(std::move(typeFactory), + std::string("NetworkInterfaceTL-") + _instanceName, + _connPoolOpts, + transientSSLContext); if (TestingProctor::instance().isEnabled()) { _counters = std::make_unique(); diff --git a/src/mongo/executor/network_interface_tl.h b/src/mongo/executor/network_interface_tl.h index 7dfb40fbba4..4dde6c8fdfd 100644 --- a/src/mongo/executor/network_interface_tl.h +++ b/src/mongo/executor/network_interface_tl.h @@ -342,7 +342,7 @@ private: mutable Mutex _mutex = MONGO_MAKE_LATCH(HierarchicalAcquisitionLevel(3), "NetworkInterfaceTL::_mutex"); - ConnectionPool::Options _connPoolOpts; + const ConnectionPool::Options _connPoolOpts; std::unique_ptr _onConnectHook; std::shared_ptr _pool; -- cgit v1.2.1
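Review bot: When `_connPoolOpts.transientSSLParams` is set, the branch leaves `transientSSLContext` empty, so the pool is built with the default SSL context and egress connections use the global certificates even though the caller asked for custom ones, with no diagnostic. Until SERVER-51599 lands, it would be safer for that branch to fail (for example `uassertStatusOK` on a not-implemented Status) or at least to log, so that a misconfiguration cannot pass unnoticed; the commented-out block is currently the only record of the intended behaviour, and a one-line comment such as `// Transient SSL params are accepted but not yet applied; see SERVER-51599.` would make the no-op explicit. The enclosing constructor begins outside the hunk.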