sesion cpp ssl

.github/workflows/multi-language-client.yml

@@ -56,12 +56,14 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get install libboost-all-dev
+          sudo apt-get install openssl libssl-dev
       - name: Install CPP Dependencies (Mac)
         # remove some xcode to release disk space
         if: runner.os == 'macOS'
         shell: bash
         run: |
           brew install boost
+          brew install openssl
           sudo rm -rf /Applications/Xcode_14.3.1.app
           sudo rm -rf /Applications/Xcode_15.0.1.app
           sudo rm -rf /Applications/Xcode_15.1.app
@@ -74,6 +76,11 @@ jobs:
           choco install boost-msvc-14.3
           $boost_path = (Get-ChildItem -Path 'C:\local\' -Filter 'boost_*').FullName
           echo $boost_path >> $env:GITHUB_PATH
+
+          choco install openssl
+          $sslPath = (Get-ChildItem 'C:\Program Files\OpenSSL*' -Directory | Select-Object -First 1).FullName
+          echo "$sslPath\bin" >> $env:GITHUB_PATH
+          echo "OPENSSL_ROOT_DIR=$sslPath" >> $env:GITHUB_ENV
       - name: Cache Maven packages
         uses: actions/cache@v4
         with:

iotdb-client/client-cpp/src/main/AbstractSessionBuilder.h

@@ -39,6 +39,8 @@ class AbstractSessionBuilder {
     bool enableRedirections = true;
     bool enableRPCCompression = false;
     std::vector<std::string> nodeUrls;
+    bool useSSL = false;
+    std::string trustCertFilePath;
 };
 
 #endif // IOTDB_ABSTRACTSESSIONBUILDER_H

iotdb-client/client-cpp/src/main/CMakeLists.txt

@@ -26,6 +26,15 @@ SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -Wall -g -O2 ")
 # Add Thrift include directory
 INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/../../thrift/include)
 
+# Find OpenSSL Library
+FIND_PACKAGE(OpenSSL REQUIRED)
+IF(OpenSSL_FOUND)
+    MESSAGE(STATUS "OpenSSL found: ${OPENSSL_VERSION}")
+    INCLUDE_DIRECTORIES(${OPENSSL_INCLUDE_DIR})
+ELSE()
+    MESSAGE(FATAL_ERROR "OpenSSL not found")
+ENDIF()
+
 # Add Boost include path for MacOS
 INCLUDE_DIRECTORIES(/usr/local/include)
 
@@ -55,4 +64,10 @@ ELSE()
 ENDIF()
 
 # Link with Thrift static library
-TARGET_LINK_LIBRARIES(iotdb_session ${THRIFT_STATIC_LIB})
+target_link_libraries(iotdb_session
+    PUBLIC
+        OpenSSL::SSL
+        OpenSSL::Crypto
+    PRIVATE
+        ${THRIFT_STATIC_LIB}
+)

iotdb-client/client-cpp/src/main/NodesSupplier.cpp

@@ -68,32 +68,57 @@ std::vector<TEndPoint> StaticNodesSupplier::getEndPointList() {
 StaticNodesSupplier::~StaticNodesSupplier() = default;
 
 std::shared_ptr<NodesSupplier> NodesSupplier::create(
-    std::vector<TEndPoint> endpoints,
-    std::string userName, std::string password, std::string zoneId,
-    int32_t thriftDefaultBufferSize, int32_t thriftMaxFrameSize,
-    int32_t connectionTimeoutInMs, bool useSSL, bool enableRPCCompression,
-    std::string version, std::chrono::milliseconds refreshInterval,
+    const std::vector<TEndPoint>& endpoints,
+    const std::string& userName,
+    const std::string& password,
+    bool useSSL,
+    const std::string& trustCertFilePath,
+    const std::string& zoneId,
+    int32_t thriftDefaultBufferSize,
+    int32_t thriftMaxFrameSize,
+    int32_t connectionTimeoutInMs,
+    bool enableRPCCompression,
+    const std::string& version,
+    std::chrono::milliseconds refreshInterval,
     NodeSelectionPolicy policy) {
     if (endpoints.empty()) {
         return nullptr;
     }
     auto supplier = std::make_shared<NodesSupplier>(
-        userName, password, zoneId, thriftDefaultBufferSize,
-        thriftMaxFrameSize, connectionTimeoutInMs, useSSL,
-        enableRPCCompression, version, std::move(endpoints), std::move(policy)
+        userName, password, useSSL, trustCertFilePath, zoneId,
+        thriftDefaultBufferSize, thriftMaxFrameSize, connectionTimeoutInMs,
+        enableRPCCompression,
+        version, endpoints, policy
     );
     supplier->startBackgroundRefresh(refreshInterval);
     return supplier;
 }
 
 NodesSupplier::NodesSupplier(
-    std::string userName, std::string password, const std::string& zoneId,
-    int32_t thriftDefaultBufferSize, int32_t thriftMaxFrameSize,
-    int32_t connectionTimeoutInMs, bool useSSL, bool enableRPCCompression,
-    std::string version, std::vector<TEndPoint> endpoints, NodeSelectionPolicy policy) : userName_(std::move(userName)), password_(std::move(password)), zoneId_(zoneId),
-    thriftDefaultBufferSize_(thriftDefaultBufferSize), thriftMaxFrameSize_(thriftMaxFrameSize),
-    connectionTimeoutInMs_(connectionTimeoutInMs), useSSL_(useSSL), enableRPCCompression_(enableRPCCompression), version(version), endpoints_(std::move(endpoints)),
-    selectionPolicy_(std::move(policy)) {
+    const std::string& userName,
+    const std::string& password,
+    bool useSSL,
+    const std::string& trustCertFilePath,
+    const std::string& zoneId,
+    int32_t thriftDefaultBufferSize,
+    int32_t thriftMaxFrameSize,
+    int32_t connectionTimeoutInMs,
+    bool enableRPCCompression,
+    const std::string& version,
+    const std::vector<TEndPoint>& endpoints,
+    NodeSelectionPolicy policy)
+    : userName_(userName)
+      , password_(password)
+      , zoneId_(zoneId)
+      , thriftDefaultBufferSize_(thriftDefaultBufferSize)
+      , thriftMaxFrameSize_(thriftMaxFrameSize)
+      , connectionTimeoutInMs_(connectionTimeoutInMs)
+      , useSSL_(useSSL)
+      , trustCertFilePath_(trustCertFilePath)
+      , enableRPCCompression_(enableRPCCompression)
+      , version_(version)
+      , endpoints_(endpoints)
+      , selectionPolicy_(policy) {
     deduplicateEndpoints();
 }
 
@@ -157,7 +182,7 @@ std::vector<TEndPoint> NodesSupplier::fetchLatestEndpoints() {
     try {
       if (client_ == nullptr) {
         client_ = std::make_shared<ThriftConnection>(endpoint);
-        client_->init(userName_, password_, enableRPCCompression_, zoneId_, version);
+        client_->init(userName_, password_, enableRPCCompression_, useSSL_, trustCertFilePath_, zoneId_, version_);
       }
 
       auto sessionDataSet = client_->executeQueryStatement(SHOW_DATA_NODES_COMMAND);

iotdb-client/client-cpp/src/main/NodesSupplier.h

@@ -78,23 +78,36 @@ class NodesSupplier : public INodesSupplier {
     static const int CONNECTION_TIMEOUT_IN_MS;
 
     static std::shared_ptr<NodesSupplier> create(
-        std::vector<TEndPoint> endpoints,
-        std::string userName, std::string password, std::string zoneId = "",
+        const std::vector<TEndPoint>& endpoints,
+        const std::string& userName,
+        const std::string& password,
+        bool useSSL = false,
+        const std::string& trustCertFilePath = "",
+        const std::string& zoneId = "",
         int32_t thriftDefaultBufferSize = ThriftConnection::THRIFT_DEFAULT_BUFFER_SIZE,
         int32_t thriftMaxFrameSize = ThriftConnection::THRIFT_MAX_FRAME_SIZE,
         int32_t connectionTimeoutInMs = ThriftConnection::CONNECTION_TIMEOUT_IN_MS,
-        bool useSSL = false, bool enableRPCCompression = false,
-        std::string version = "V_1_0",
+        bool enableRPCCompression = false,
+        const std::string& version = "V_1_0",
         std::chrono::milliseconds refreshInterval = std::chrono::milliseconds(TIMEOUT_IN_MS),
         NodeSelectionPolicy policy = RoundRobinPolicy::select
     );
 
     NodesSupplier(
-        std::string userName, std::string password, const std::string& zoneId,
-        int32_t thriftDefaultBufferSize, int32_t thriftMaxFrameSize,
-        int32_t connectionTimeoutInMs, bool useSSL, bool enableRPCCompression,
-        std::string version, std::vector<TEndPoint> endpoints, NodeSelectionPolicy policy
+        const std::string& userName,
+        const std::string& password,
+        bool useSSL,
+        const std::string& trustCertFilePath,
+        const std::string& zoneId,
+        int32_t thriftDefaultBufferSize,
+        int32_t thriftMaxFrameSize,
+        int32_t connectionTimeoutInMs,
+        bool enableRPCCompression,
+        const std::string& version,
+        const std::vector<TEndPoint>& endpoints,
+        NodeSelectionPolicy policy
     );
+
     std::vector<TEndPoint> getEndPointList() override;
 
     boost::optional<TEndPoint> getQueryEndPoint() override;
@@ -108,8 +121,9 @@ class NodesSupplier : public INodesSupplier {
     int32_t thriftMaxFrameSize_;
     int32_t connectionTimeoutInMs_;
     bool useSSL_;
+    std::string trustCertFilePath_;
     bool enableRPCCompression_;
-    std::string version;
+    std::string version_;
     std::string zoneId_;
 
     std::mutex mutex_;

iotdb-client/client-cpp/src/main/Session.cpp

@@ -763,7 +763,7 @@ void Session::initNodesSupplier(const std::vector<std::string>& nodeUrls) {
     }
 
     if (enableAutoFetch_) {
-        nodesSupplier_ = NodesSupplier::create(endPoints, username_, password_);
+        nodesSupplier_ = NodesSupplier::create(endPoints, username_, password_, useSSL_, trustCertFilePath_);
     }
     else {
         nodesSupplier_ = make_shared<StaticNodesSupplier>(endPoints);

iotdb-client/client-cpp/src/main/Session.h

@@ -535,6 +535,8 @@ class Session {
 private:
     std::string host_;
     int rpcPort_;
+    bool useSSL_;
+    std::string trustCertFilePath_;
     std::vector<string> nodeUrls_;
     std::string username_;
     std::string password_;
@@ -724,6 +726,8 @@ class Session {
         this->enableRedirection_ = builder->enableRedirections;
         this->connectTimeoutMs_ = builder->connectTimeoutMs;
         this->nodeUrls_ = builder->nodeUrls;
+        this->useSSL_ = builder->useSSL;
+        this->trustCertFilePath_ = builder->trustCertFilePath;
         initZoneId();
         initNodesSupplier(this->nodeUrls_);
     }

iotdb-client/client-cpp/src/main/SessionBuilder.h

@@ -34,6 +34,16 @@ class SessionBuilder : public AbstractSessionBuilder {
         return this;
     }
 
+    SessionBuilder* useSSL(bool useSSL) {
+        AbstractSessionBuilder::useSSL = useSSL;
+        return this;
+    }
+
+    SessionBuilder* trustCertFilePath(const std::string &trustCertFilePath) {
+        AbstractSessionBuilder::trustCertFilePath = trustCertFilePath;
+        return this;
+    }
+
     SessionBuilder* username(const std::string &username) {
         AbstractSessionBuilder::username = username;
         return this;

iotdb-client/client-cpp/src/main/SessionConnection.cpp

@@ -50,7 +50,7 @@ SessionConnection::SessionConnection(Session* session_ptr, const TEndPoint& endp
       database(std::move(db)) {
     this->zoneId = zoneId.empty() ? getSystemDefaultZoneId() : zoneId;
     endPointList.push_back(endpoint);
-    init(endPoint);
+    init(endPoint, session->useSSL_, session->trustCertFilePath_);
 }
 
 void SessionConnection::close() {
@@ -98,10 +98,18 @@ SessionConnection::~SessionConnection() {
     }
 }
 
-void SessionConnection::init(const TEndPoint& endpoint) {
-    shared_ptr<TSocket> socket(new TSocket(endpoint.ip, endpoint.port));
-    transport = std::make_shared<TFramedTransport>(socket);
-    socket->setConnTimeout(connectionTimeoutInMs);
+void SessionConnection::init(const TEndPoint& endpoint, bool useSSL, const std::string& trustCertFilePath) {
+    if (useSSL) {
+        socketFactory_->loadTrustedCertificates(trustCertFilePath.c_str());
+        socketFactory_->authenticate(false);
+        auto sslSocket = socketFactory_->createSocket(endPoint.ip, endPoint.port);
+        sslSocket->setConnTimeout(connectionTimeoutInMs);
+        transport = std::make_shared<TFramedTransport>(sslSocket);
+    } else {
+        auto socket = std::make_shared<TSocket>(endPoint.ip, endPoint.port);
+        socket->setConnTimeout(connectionTimeoutInMs);
+        transport = std::make_shared<TFramedTransport>(socket);
+    }
     if (!transport->isOpen()) {
         try {
             transport->open();
@@ -341,7 +349,7 @@ bool SessionConnection::reconnect() {
                 }
                 tryHostNum++;
                 try {
-                    init(this->endPoint);
+                    init(this->endPoint, this->session->useSSL_, this->session->trustCertFilePath_);
                     reconnect = true;
                 }
                 catch (const IoTDBConnectionException& e) {

iotdb-client/client-cpp/src/main/SessionConnection.h

@@ -23,6 +23,7 @@
 #include <vector>
 #include <string>
 #include <thrift/transport/TTransport.h>
+#include <thrift/transport/TSSLSocket.h>
 #include "IClientRPCService.h"
 #include "common_types.h"
 #include "NodesSupplier.h"
@@ -50,7 +51,7 @@ class SessionConnection : public std::enable_shared_from_this<SessionConnection>
 
     const TEndPoint& getEndPoint();
 
-    void init(const TEndPoint& endpoint);
+    void init(const TEndPoint& endpoint, bool useSSL, const std::string& trustCertFilePath);
 
     void insertStringRecord(const TSInsertStringRecordReq& request);
 
@@ -179,6 +180,8 @@ class SessionConnection : public std::enable_shared_from_this<SessionConnection>
 
     TSStatus deleteDataInternal(TSDeleteDataReq request);
 
+    std::shared_ptr<apache::thrift::transport::TSSLSocketFactory> socketFactory_ =
+        std::make_shared<apache::thrift::transport::TSSLSocketFactory>();;
     std::shared_ptr<TTransport> transport;
     std::shared_ptr<IClientRPCServiceClient> client;
     Session* session;

iotdb-client/client-cpp/src/main/TableSessionBuilder.h

@@ -45,6 +45,16 @@ class TableSessionBuilder : public AbstractSessionBuilder {
         AbstractSessionBuilder::rpcPort = rpcPort;
         return this;
     }
+    TableSessionBuilder* useSSL(bool useSSL) {
+        AbstractSessionBuilder::useSSL = useSSL;
+        return this;
+    }
+
+    TableSessionBuilder* trustCertFilePath(const std::string &trustCertFilePath) {
+        AbstractSessionBuilder::trustCertFilePath = trustCertFilePath;
+        return this;
+    }
+
     TableSessionBuilder* username(const std::string &username) {
         AbstractSessionBuilder::username = username;
         return this;

iotdb-client/client-cpp/src/main/ThriftConnection.cpp

@@ -64,11 +64,21 @@ void ThriftConnection::initZoneId() {
 void ThriftConnection::init(const std::string& username,
                             const std::string& password,
                             bool enableRPCCompression,
+                            bool useSSL,
+                            const std::string& trustCertFilePath,
                             const std::string& zoneId,
                             const std::string& version) {
-    std::shared_ptr<TSocket> socket(new TSocket(endPoint_.ip, endPoint_.port));
-    socket->setConnTimeout(connectionTimeoutInMs_);
-    transport_ = std::make_shared<TFramedTransport>(socket);
+    if (useSSL) {
+        socketFactory_->loadTrustedCertificates(trustCertFilePath.c_str());
+        socketFactory_->authenticate(false);
+        auto sslSocket = socketFactory_->createSocket(endPoint_.ip, endPoint_.port);
+        sslSocket->setConnTimeout(connectionTimeoutInMs_);
+        transport_ = std::make_shared<TFramedTransport>(sslSocket);
+    } else {
+        auto socket = std::make_shared<TSocket>(endPoint_.ip, endPoint_.port);
+        socket->setConnTimeout(connectionTimeoutInMs_);
+        transport_ = std::make_shared<TFramedTransport>(socket);
+    }
     if (!transport_->isOpen()) {
         try {
             transport_->open();

iotdb-client/client-cpp/src/main/ThriftConnection.h

@@ -20,7 +20,7 @@
 #define IOTDB_THRIFTCONNECTION_H
 
 #include <memory>
-#include <thrift/transport/TBufferTransports.h>
+#include <thrift/transport/TSSLSocket.h>
 #include "IClientRPCService.h"
 
 class SessionDataSet;
@@ -43,6 +43,8 @@ class ThriftConnection {
     void init(const std::string& username,
               const std::string& password,
               bool enableRPCCompression = false,
+              bool useSSL = false,
+              const std::string& trustCertFilePath = "",
               const std::string& zoneId = std::string(),
               const std::string& version = "V_1_0");
 
@@ -58,6 +60,8 @@ class ThriftConnection {
     int connectionTimeoutInMs_;
     int fetchSize_;
 
+    std::shared_ptr<apache::thrift::transport::TSSLSocketFactory> socketFactory_ =
+        std::make_shared<apache::thrift::transport::TSSLSocketFactory>();
     std::shared_ptr<apache::thrift::transport::TTransport> transport_;
     std::shared_ptr<IClientRPCServiceClient> client_;
     int64_t sessionId_{};