Add support for mTLS authentication in Arrow Flight client

Author: elbinpallimalilibm

presto-base-arrow-flight/src/main/java/com/facebook/plugin/arrow/ArrowFlightConfig.java

@@ -20,6 +20,8 @@ public class ArrowFlightConfig
     private String server;
     private boolean verifyServer = true;
     private String flightServerSSLCertificate;
+    private String flightClientSSLCertificate;
+    private String flightClientSSLKey;
     private boolean arrowFlightServerSslEnabled;
     private Integer arrowFlightPort;
 
@@ -82,4 +84,38 @@ public ArrowFlightConfig setArrowFlightServerSslEnabled(boolean arrowFlightServe
         this.arrowFlightServerSslEnabled = arrowFlightServerSslEnabled;
         return this;
     }
+
+    public String getFlightClientSSLCertificate()
+    {
+        return flightClientSSLCertificate;
+    }
+
+    /***
+     * Set the client SSL certificate used for mTLS authentication with Flight server.
+     * @param flightClientSSLCertificate path to the certificate file
+     * @return Returns this config instance
+     */
+    @Config("arrow-flight.client-ssl-certificate")
+    public ArrowFlightConfig setFlightClientSSLCertificate(String flightClientSSLCertificate)
+    {
+        this.flightClientSSLCertificate = flightClientSSLCertificate;
+        return this;
+    }
+
+    public String getFlightClientSSLKey()
+    {
+        return flightClientSSLKey;
+    }
+
+    /***
+     * Set the client SSL key used for mTLS authentication with Flight server
+     * @param flightClientSSLKey path to the key file
+     * @return Returns this config instance
+     */
+    @Config("arrow-flight.client-ssl-key")
+    public ArrowFlightConfig setFlightClientSSLKey(String flightClientSSLKey)
+    {
+        this.flightClientSSLKey = flightClientSSLKey;
+        return this;
+    }
 }

presto-base-arrow-flight/src/main/java/com/facebook/plugin/arrow/BaseArrowFlightClientHandler.java

@@ -73,10 +73,24 @@ protected FlightClient createFlightClient(Location location)
                 flightClientBuilder.trustedCertificates(trustedCertificate.get()).useTls();
             }
 
+            Optional<InputStream> clientCertificate = Optional.empty();
+            Optional<InputStream> clientKey = Optional.empty();
+            if (config.getFlightClientSSLCertificate() != null && config.getFlightClientSSLKey() != null) {
+                clientCertificate = Optional.of(newInputStream(Paths.get(config.getFlightClientSSLCertificate())));
+                clientKey = Optional.of(newInputStream(Paths.get(config.getFlightClientSSLKey())));
+                flightClientBuilder.clientCertificate(clientCertificate.get(), clientKey.get()).useTls();
+            }
+
             FlightClient flightClient = flightClientBuilder.build();
             if (trustedCertificate.isPresent()) {
                 trustedCertificate.get().close();
             }
+            if (clientCertificate.isPresent()) {
+                clientCertificate.get().close();
+            }
+            if (clientKey.isPresent()) {
+                clientKey.get().close();
+            }
 
             return flightClient;
         }

presto-base-arrow-flight/src/test/java/com/facebook/plugin/arrow/AbstractArrowFlightMTLSTestFramework.java

@@ -0,0 +1,91 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.plugin.arrow;
+
+import com.facebook.airlift.log.Logger;
+import com.facebook.plugin.arrow.testingServer.TestingArrowProducer;
+import com.facebook.presto.testing.QueryRunner;
+import com.facebook.presto.tests.AbstractTestQueryFramework;
+import com.facebook.presto.tests.DistributedQueryRunner;
+import com.google.common.collect.ImmutableMap;
+import org.apache.arrow.flight.FlightServer;
+import org.apache.arrow.flight.Location;
+import org.apache.arrow.memory.RootAllocator;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Map;
+import java.util.Optional;
+
+public abstract class AbstractArrowFlightMTLSTestFramework
+        extends AbstractTestQueryFramework
+{
+    private static final Logger logger = Logger.get(AbstractArrowFlightMTLSTestFramework.class);
+    private final int serverPort;
+    private RootAllocator allocator;
+    private FlightServer server;
+    private DistributedQueryRunner arrowFlightQueryRunner;
+
+    public AbstractArrowFlightMTLSTestFramework()
+            throws IOException
+    {
+        this.serverPort = ArrowFlightQueryRunner.findUnusedPort();
+    }
+
+    @BeforeClass
+    public void setup()
+            throws Exception
+    {
+        arrowFlightQueryRunner = getDistributedQueryRunner();
+        File certChainFile = new File("src/test/resources/mtls/server.crt");
+        File privateKeyFile = new File("src/test/resources/mtls/server.key");
+        File caCertFile = new File("src/test/resources/mtls/ca.crt");
+
+        allocator = new RootAllocator(Long.MAX_VALUE);
+
+        Location location = Location.forGrpcTls("localhost", serverPort);
+        server = FlightServer.builder(allocator, location, new TestingArrowProducer(allocator))
+                .useTls(certChainFile, privateKeyFile)
+                .useMTlsClientVerification(caCertFile)
+                .build();
+
+        server.start();
+        logger.info("Server listening on port %s", server.getPort());
+    }
+
+    @AfterClass(alwaysRun = true)
+    public void close()
+            throws InterruptedException
+    {
+        arrowFlightQueryRunner.close();
+        server.close();
+        allocator.close();
+    }
+
+    @Override
+    protected QueryRunner createQueryRunner()
+            throws Exception
+    {
+        return ArrowFlightQueryRunner.createQueryRunner(ImmutableMap.of(), getCatalogProperties(), ImmutableMap.of(), Optional.empty());
+    }
+
+    protected abstract Map<String, String> getCatalogProperties();
+
+    protected int getServerPort()
+    {
+        return serverPort;
+    }
+}

presto-base-arrow-flight/src/test/java/com/facebook/plugin/arrow/ArrowFlightQueryRunner.java

@@ -64,10 +64,15 @@ public static DistributedQueryRunner createQueryRunner(
             Optional<BiFunction<Integer, URI, Process>> externalWorkerLauncher)
             throws Exception
     {
-        return createQueryRunner(extraProperties, ImmutableMap.of("arrow-flight.server.port", String.valueOf(flightServerPort)), coordinatorProperties, externalWorkerLauncher);
+        ImmutableMap.Builder<String, String> catalogProperties = ImmutableMap.<String, String>builder()
+                .put("arrow-flight.server.port", String.valueOf(flightServerPort))
+                .put("arrow-flight.server", "localhost")
+                .put("arrow-flight.server-ssl-enabled", "true")
+                .put("arrow-flight.server-ssl-certificate", "src/test/resources/server.crt");
+        return createQueryRunner(extraProperties, catalogProperties.build(), coordinatorProperties, externalWorkerLauncher);
     }
 
-    private static DistributedQueryRunner createQueryRunner(
+    public static DistributedQueryRunner createQueryRunner(
             Map<String, String> extraProperties,
             Map<String, String> catalogProperties,
             Map<String, String> coordinatorProperties,
@@ -92,13 +97,7 @@ private static DistributedQueryRunner createQueryRunner(
             boolean nativeExecution = externalWorkerLauncher.isPresent();
             queryRunner.installPlugin(new TestingArrowFlightPlugin(nativeExecution));
 
-            ImmutableMap.Builder<String, String> properties = ImmutableMap.<String, String>builder()
-                    .putAll(catalogProperties)
-                    .put("arrow-flight.server", "localhost")
-                    .put("arrow-flight.server-ssl-enabled", "true")
-                    .put("arrow-flight.server-ssl-certificate", "src/test/resources/server.crt");
-
-            queryRunner.createCatalog(ARROW_FLIGHT_CATALOG, ARROW_FLIGHT_CONNECTOR, properties.build());
+            queryRunner.createCatalog(ARROW_FLIGHT_CATALOG, ARROW_FLIGHT_CONNECTOR, catalogProperties);
 
             return queryRunner;
         }
@@ -140,8 +139,8 @@ public static void main(String[] args)
         log.info("Server listening on port " + server.getPort());
 
         DistributedQueryRunner queryRunner = createQueryRunner(
+                9443,
                 ImmutableMap.of("http-server.http.port", "8080"),
-                ImmutableMap.of("arrow-flight.server.port", String.valueOf(9443)),
                 ImmutableMap.of(),
                 Optional.empty());
         Thread.sleep(10);

presto-base-arrow-flight/src/test/java/com/facebook/plugin/arrow/TestArrowFlightMTLS.java

@@ -0,0 +1,52 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.plugin.arrow;
+
+import com.facebook.airlift.log.Logger;
+import com.google.common.collect.ImmutableMap;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+import java.util.Map;
+
+public class TestArrowFlightMTLS
+        extends AbstractArrowFlightMTLSTestFramework
+{
+    private static final Logger logger = Logger.get(TestArrowFlightMTLS.class);
+
+    public TestArrowFlightMTLS()
+            throws IOException
+    {
+        super();
+    }
+
+    @Override
+    protected Map<String, String> getCatalogProperties()
+    {
+        ImmutableMap.Builder<String, String> catalogProperties = ImmutableMap.<String, String>builder()
+                .put("arrow-flight.server.port", String.valueOf(getServerPort()))
+                .put("arrow-flight.server", "localhost")
+                .put("arrow-flight.server-ssl-enabled", "true")
+                .put("arrow-flight.server-ssl-certificate", "src/test/resources/mtls/server.crt")
+                .put("arrow-flight.client-ssl-certificate", "src/test/resources/mtls/client.crt")
+                .put("arrow-flight.client-ssl-key", "src/test/resources/mtls/client.key");
+        return catalogProperties.build();
+    }
+
+    @Test
+    public void testMtls()
+    {
+        assertQuery("SELECT COUNT(*) FROM orders");
+    }
+}

presto-base-arrow-flight/src/test/java/com/facebook/plugin/arrow/TestArrowFlightMTLSFails.java

@@ -0,0 +1,50 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.plugin.arrow;
+
+import com.facebook.airlift.log.Logger;
+import com.google.common.collect.ImmutableMap;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+import java.util.Map;
+
+public class TestArrowFlightMTLSFails
+        extends AbstractArrowFlightMTLSTestFramework
+{
+    private static final Logger logger = Logger.get(TestArrowFlightMTLSFails.class);
+
+    public TestArrowFlightMTLSFails()
+            throws IOException
+    {
+        super();
+    }
+
+    @Override
+    protected Map<String, String> getCatalogProperties()
+    {
+        ImmutableMap.Builder<String, String> catalogProperties = ImmutableMap.<String, String>builder()
+                .put("arrow-flight.server.port", String.valueOf(getServerPort()))
+                .put("arrow-flight.server", "localhost")
+                .put("arrow-flight.server-ssl-enabled", "true")
+                .put("arrow-flight.server-ssl-certificate", "src/test/resources/mtls/server.crt");
+        return catalogProperties.build();
+    }
+
+    @Test
+    public void testMtlsFailure()
+    {
+        assertQueryFails("SELECT COUNT(*) FROM orders", "ssl exception");
+    }
+}

presto-base-arrow-flight/src/test/java/com/facebook/plugin/arrow/TestArrowFlightMTLSInvalidCert.java

@@ -0,0 +1,52 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.facebook.plugin.arrow;
+
+import com.facebook.airlift.log.Logger;
+import com.google.common.collect.ImmutableMap;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+import java.util.Map;
+
+public class TestArrowFlightMTLSInvalidCert
+        extends AbstractArrowFlightMTLSTestFramework
+{
+    private static final Logger logger = Logger.get(TestArrowFlightMTLSInvalidCert.class);
+
+    public TestArrowFlightMTLSInvalidCert()
+            throws IOException
+    {
+        super();
+    }
+
+    @Override
+    protected Map<String, String> getCatalogProperties()
+    {
+        ImmutableMap.Builder<String, String> catalogProperties = ImmutableMap.<String, String>builder()
+                .put("arrow-flight.server.port", String.valueOf(getServerPort()))
+                .put("arrow-flight.server", "localhost")
+                .put("arrow-flight.server-ssl-enabled", "true")
+                .put("arrow-flight.server-ssl-certificate", "src/test/resources/mtls/server.crt")
+                .put("arrow-flight.client-ssl-certificate", "src/test/resources/mtls/invalid_cert.crt")
+                .put("arrow-flight.client-ssl-key", "src/test/resources/mtls/client.key");
+        return catalogProperties.build();
+    }
+
+    @Test
+    public void testMtls()
+    {
+        assertQueryFails("SELECT COUNT(*) FROM orders", ".*Input stream not contain valid certificates.*");
+    }
+}

presto-base-arrow-flight/src/test/resources/mtls/ca.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFozCCA4ugAwIBAgIUTnZhzGzxAzaTJ5DDQnmBp8jvBUMwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MQ4wDAYDVQQKDAVNeU9yZzEPMA0GA1UECwwGTXlVbml0MREwDwYDVQQDDAhNeVJv
+b3RDQTAgFw0yNTA1MjIxNjA2MDNaGA8yMTI1MDQyODE2MDYwM1owYDELMAkGA1UE
+BhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQ4wDAYDVQQKDAVN
+eU9yZzEPMA0GA1UECwwGTXlVbml0MREwDwYDVQQDDAhNeVJvb3RDQTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBALmNRxPZt9vvFvIQcdCM3xcAOiTepahR
+zsK86AwzXbwcWwOw+rQP0iXiMGjP9wJy0C1hU+j7F+gu5+d5j3DK9/iTlIqByjN+
+gffsZDSBBZBozJxARBWKaEFKRKbhCmr+v92ZN1KMYhhwc5W3SRp6y3kvsWYM4/JE
+pRzYUy0505g3p7PnpQzZZSSzV33+9fn5ggafVB9FSJqOuBKUBTITt+Rf1pNV2ZGC
+f2X39KOIIRz2Hz1L6hdqeMQN9V5KQ7C6oPfl+ho97JHaZirtHr1XZJ6YQRy7Mldp
+jOPj4MMKqi8m+HhyCSznIDNiMp0OACX3CZ5RmKRYfnunOuw+fvI28HyOXMgfWKa2
+o/2/YlAzNrD50hJPwQMTlKWJm2gY2n5x2FWT6/8aXeCnsJALK6Dj6Ax0wxkAFfIo
+76REHlXX2fIiz0cciYwYtvwhjp5efqX22B7LDkhu7fJ42yUd6g3crbmGM8OOoXgL
+w3MWx30FatTyDT8un2ZvVDJEADW3+WWtyrZWHFMVFrVnN7Di4MAuWsRIVtuO6PEV
+6pPS55NBmvKzWAoYBmpH103GlIxvZ6CCTeKqFbcrI77smrIO5CLmzl5yjb/urmy4
+GLYHM+EPB5pJKQO8g6fyM369mhEjBxt/RJGv9E0Jw7KmnHn5V2qSn4Yi41dUp7Cp
+pQVIaYlJGn65AgMBAAGjUzBRMB0GA1UdDgQWBBRjt9KoJO8CO/Cy/xTJztrbdUlv
+9DAfBgNVHSMEGDAWgBRjt9KoJO8CO/Cy/xTJztrbdUlv9DAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQApizBpSaZDYjBhOxD6+B5em18OIf5ZIjHk
+iAhuppR+HaqyAHJgCO707dZVmFz9ECUZI9mvKcmj+h0Wh/mK4cSiDunFB9yUr67U
+wV5F2/u/JAAq6VsbdrDiZPUwET8U9ai14LMEgPPF+Zif+wnopRav5lbiPoJVUjqr
+wVoP2AHijIP46YCWwXqOTJMC79ccUMBZeDwF4bOquIADLmEnANp6fiMI+eE6OLFs
+fDtjFqybRUZqzewv2lpzH2ZYEYk4bIk76TGkOYtrwJ+iQj77ZZFSBW5zkry/zaG3
+/5Ufjv65T9Zr1jmIMigcmCHwNsCLOYzIKjRaiuLGs4B9s8SGEauTRhP0dG5ndWPw
+50NeSNJr37MHdKky44WAFlAk9BAKlghOaC5m2RyMof8DwYKPEe5epe1wBotiPqSX
+doaZvch6wkuo8xvFKqH6rBTWJLMwuFt7m3XrGqGYlE+1gvuEfn7ZGzG00sl218mZ
+MfsLqJfft92ARC1/qJvUFr5mM6SV4eQeTl1tAtv6Xfczr+3/iqc5gbeG25dXQclO
+y1qIKthAoXFq6rAZ+bvfASiVV1OQS76nWSiYYS1dDPQJ/g4aawOkUYr9OjS5HNQ+
+rNAcLB+I0oaZQzZ85098qAVAJ76eFATb4ieDK6m0j6Fq5ddwrlYzxEEr7TscfHW2
+zPCtinUe0w==
+-----END CERTIFICATE-----