Skip to content

Commit

Permalink
MDEV-10847 Bring AWS KMS encryption plugin up-to-date with released SDK
Browse files Browse the repository at this point in the history 
- Library path's are different now
- New dependency on Linux libuuid
- Add calls for SDK Initialization/shutdown
- Also add request_timeout parameter, default SDK HTTPs timeout appears
to be too short in my tests
  • Loading branch information
@vaintroub
vaintroub committed Sep 27, 2016
1 parent f1aefd9 commit 3f5aedc
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 34 deletions.
57 changes: 25 additions & 32 deletions plugin/aws_key_management/CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# are

# - OS : Windows,Linux or OSX
# - C++11 compiler : VS2013+, gcc 4.7+, clang 3.3+
# - C++11 compiler : VS2013+, gcc 4.8+, clang 3.3+
# - libcurl development package needs to be present on Unixes
#
# If we build SDK outselves, we'll need require GIT to be present on the build machine
Expand All @@ -13,7 +13,10 @@
# or if plugin is explicitely requested to build. Then bail out.
MACRO(SKIP_AWS_PLUGIN msg)
IF(VERBOSE OR "${PLUGIN_AWS_KEY_MANAGEMENT}" MATCHES "^(STATIC|DYNAMIC)$")
MESSAGE(STATUS "Skip aws_key_management - ${msg}")
MESSAGE(STATUS "Can't build aws_key_management - ${msg}")
ENDIF()
IF(TARGET aws_key_management)
MESSAGE(FATAL_ERROR "Error configuring aws_key_management - aborting")
ENDIF()
RETURN()
ENDMACRO()
Expand All @@ -27,7 +30,7 @@ ENDIF()

# This plugin needs recent C++ compilers (AWS C++ SDK header files are using C++11 features)
SET(CXX11_FLAGS)
SET(OLD_COMPILER_MSG "AWS SDK requires c++11 -capable compiler (minimal supported versions are g++ 4.7, clang 3.3, VS2103)")
SET(OLD_COMPILER_MSG "AWS SDK requires c++11 -capable compiler (minimal supported versions are g++ 4.8, clang 3.3, VS2103)")

IF(CMAKE_CXX_COMPILER_ID MATCHES "GNU")
EXECUTE_PROCESS(COMMAND ${CMAKE_CXX_COMPILER} -dumpversion OUTPUT_VARIABLE GCC_VERSION)
Expand All @@ -54,26 +57,6 @@ IF (NOT(WIN32 OR APPLE OR (CMAKE_SYSTEM_NAME MATCHES "Linux")))
ENDIF()


# Figure out where AWS installs SDK libraries
# The below is defined in AWS SDK's CMakeLists.txt
# (and their handling is weird, every OS has special install directory)
IF(WIN32)
SET(SDK_INSTALL_BINARY_PREFIX "windows")
ELSEIF(APPLE)
SET(SDK_INSTALL_BINARY_PREFIX "mac")
ELSEIF(UNIX)
SET(SDK_INSTALL_BINARY_PREFIX "linux")
ENDIF()
IF(NOT APPLE)
IF(CMAKE_SIZEOF_VOID_P EQUAL 8)
SET(SDK_INSTALL_BINARY_PREFIX "${SDK_INSTALL_BINARY_PREFIX}/intel64")
ELSE()
SET(SDK_INSTALL_BINARY_PREFIX "${SDK_INSTALL_BINARY_PREFIX}/ia32")
ENDIF()
ENDIF()
IF(CMAKE_CONFIGURATION_TYPES)
SET(SDK_INSTALL_BINARY_PREFIX "${SDK_INSTALL_BINARY_PREFIX}/${CMAKE_CFG_INTDIR}")
ENDIF()

FIND_LIBRARY(AWS_CPP_SDK_CORE NAMES aws-cpp-sdk-core PATH_SUFFIXES "${SDK_INSTALL_BINARY_PREFIX}")
FIND_LIBRARY(AWS_CPP_SDK_KMS NAMES aws-cpp-sdk-core PATH_SUFFIXES "${SDK_INSTALL_BINARY_PREFIX}")
Expand All @@ -99,26 +82,35 @@ ELSE()
SKIP_AWS_PLUGIN("AWS C++ SDK requires libcurl development package")
ENDIF()
SET(PIC_FLAG -fPIC)
FIND_PATH(UUID_INCLUDE_DIR uuid/uuid.h)
IF(NOT UUID_INCLUDE_DIR)
SKIP_AWS_PLUGIN("AWS C++ SDK requires uuid development package")
ENDIF()
IF(NOT APPLE)
FIND_LIBRARY(UUID_LIBRARIES uuid)
IF(NOT UUID_LIBRARIES)
SKIP_AWS_PLUGIN("AWS C++ SDK requires uuid development package")
ENDIF()
ENDIF()
ENDIF()
IF(MSVC)
SET(EXTRA_SDK_CMAKE_FLAGS -DCMAKE_CXX_FLAGS_DEBUGOPT="" -DCMAKE_EXE_LINKER_FLAGS_DEBUGOPT="" -DCMAKE_CXX_FLAGS=/wd4592)
SET(EXTRA_SDK_CMAKE_FLAGS -DCMAKE_CXX_FLAGS_DEBUGOPT="" -DCMAKE_EXE_LINKER_FLAGS_DEBUGOPT="" "-DCMAKE_CXX_FLAGS=/wd4530 /WX-")
ENDIF()
IF(CMAKE_CXX_COMPILER)
SET(EXTRA_SDK_CMAKE_FLAGS ${EXTRA_SDK_CMAKE_FLAGS} -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER})
ENDIF()

# Relax AWS C++ SDK unreasonably high requirements for CMake version. Use replace utility (from MariaDB build)
# to patch their CMakeLists.txt
SET(AWS_SDK_PATCH_COMMAND )
ExternalProject_Add(
aws_sdk_cpp
GIT_REPOSITORY "https://github.com/awslabs/aws-sdk-cpp.git"
GIT_TAG "0.9.6" # single tag
GIT_TAG "1.0.8"
UPDATE_COMMAND ""
PATCH_COMMAND replace 3.1.2 2.8 -- ${CMAKE_BINARY_DIR}/aws-sdk-cpp/CMakeLists.txt
SOURCE_DIR "${CMAKE_BINARY_DIR}/aws-sdk-cpp"
CMAKE_ARGS
-DBUILD_ONLY=aws-cpp-sdk-kms -DSTATIC_LINKING=1
-DBUILD_ONLY=kms
-DBUILD_SHARED_LIBS=OFF
-DFORCE_SHARED_CRT=OFF
"-DCMAKE_CXX_FLAGS_DEBUG=${CMAKE_CXX_FLAGS_DEBUG} ${PIC_FLAG}"
"-DCMAKE_CXX_FLAGS_RELWITHDEBINFO=${CMAKE_CXX_FLAGS_RELWITHDEBINFO} ${PIC_FLAG}"
"-DCMAKE_CXX_FLAGS_RELEASE=${CMAKE_CXX_FLAGS_RELEASE} ${PIC_FLAG}"
Expand All @@ -127,18 +119,18 @@ ELSE()
-DCMAKE_INSTALL_PREFIX=${CMAKE_BINARY_DIR}/aws_sdk_cpp
TEST_COMMAND ""
)

SET_TARGET_PROPERTIES(aws_sdk_cpp PROPERTIES EXCLUDE_FROM_ALL TRUE)
# We do not need to build the whole SDK , just 2 of its libs
set(AWS_SDK_LIBS aws-cpp-sdk-core aws-cpp-sdk-kms)
FOREACH(lib ${AWS_SDK_LIBS})
ADD_LIBRARY(${lib} STATIC IMPORTED GLOBAL)
ADD_DEPENDENCIES(${lib} aws_sdk_cpp)
SET(loc "${CMAKE_BINARY_DIR}/aws_sdk_cpp/lib/${SDK_INSTALL_BINARY_PREFIX}/${CMAKE_STATIC_LIBRARY_PREFIX}${lib}${CMAKE_STATIC_LIBRARY_SUFFIX}")
SET(loc "${CMAKE_BINARY_DIR}/aws_sdk_cpp/lib/${CMAKE_STATIC_LIBRARY_PREFIX}${lib}${CMAKE_STATIC_LIBRARY_SUFFIX}")
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LOCATION ${loc})
IF(WIN32)
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LINK_INTERFACE_LIBRARIES "bcrypt;winhttp;wininet;userenv")
ELSE()
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LINK_INTERFACE_LIBRARIES "${SSL_LIBRARIES};${CURL_LIBRARIES}")
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LINK_INTERFACE_LIBRARIES "${SSL_LIBRARIES};${CURL_LIBRARIES};${UUID_LIBRARIES}")
ENDIF()
ENDFOREACH()

Expand All @@ -150,5 +142,6 @@ ELSE()
INCLUDE_DIRECTORIES(${CMAKE_BINARY_DIR}/aws_sdk_cpp/include)
ENDIF()

ADD_DEFINITIONS(${SSL_DEFINES}) # Need to know whether openssl should be initialized
SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CXX11_FLAGS}")
TARGET_LINK_LIBRARIES(aws_key_management ${AWS_SDK_LIBS})
34 changes: 32 additions & 2 deletions plugin/aws_key_management/aws_key_management_plugin.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
#include <sstream>
#include <fstream>

#include <aws/core/Aws.h>
#include <aws/core/client/AWSError.h>
#include <aws/core/utils/logging/AWSLogging.h>
#include <aws/core/utils/logging/ConsoleLogSystem.h>
Expand Down Expand Up @@ -79,6 +80,7 @@ static char* master_key_id;
static unsigned long key_spec;
static unsigned long log_level;
static int rotate_key;
static int request_timeout;

/* AWS functionality*/
static int aws_decrypt_key(const char *path, KEY_INFO *info);
Expand Down Expand Up @@ -138,6 +140,7 @@ class MySQLLogSystem : public Aws::Utils::Logging::FormattedLogSystem
}
};

Aws::SDKOptions sdkOptions;

/*
Plugin initialization.
Expand All @@ -148,13 +151,30 @@ class MySQLLogSystem : public Aws::Utils::Logging::FormattedLogSystem
static int plugin_init(void *p)
{
DBUG_ENTER("plugin_init");
client = new KMSClient();

#ifdef HAVE_YASSL
sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true;
#else
/* Server initialized OpenSSL already, thus AWS must skip it */
sdkOptions.cryptoOptions.initAndCleanupOpenSSL = false;
#endif

Aws::InitAPI(sdkOptions);
InitializeAWSLogging(Aws::MakeShared<MySQLLogSystem>("aws_key_management_plugin", (Aws::Utils::Logging::LogLevel) log_level));

Aws::Client::ClientConfiguration clientConfiguration;
if (request_timeout)
{
clientConfiguration.requestTimeoutMs= request_timeout;
clientConfiguration.connectTimeoutMs= request_timeout;
}
client = new KMSClient(clientConfiguration);
if (!client)
{
sql_print_error("Can not initialize KMS client");
DBUG_RETURN(-1);
}
InitializeAWSLogging(Aws::MakeShared<MySQLLogSystem>("aws_key_management_plugin", (Aws::Utils::Logging::LogLevel) log_level));

#ifdef HAVE_PSI_INTERFACE
mysql_mutex_register("aws_key_management", &mtx_info, 1);
#endif
Expand Down Expand Up @@ -189,6 +209,8 @@ static int plugin_deinit(void *p)
mysql_mutex_destroy(&mtx);
delete client;
ShutdownAWSLogging();

Aws::ShutdownAPI(sdkOptions);
DBUG_RETURN(0);
}

Expand Down Expand Up @@ -557,11 +579,19 @@ static MYSQL_SYSVAR_INT(rotate_key, rotate_key,
"Set this variable to key id to perform rotation of the key. Specify -1 to rotate all keys",
NULL, update_rotate, 0, -1, INT_MAX, 1);


static MYSQL_SYSVAR_INT(request_timeout, request_timeout,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
"Timeout in milliseconds for create HTTPS connection or execute AWS request. Specify 0 to use SDK default.",
NULL, NULL, 0, 0, INT_MAX, 1);


static struct st_mysql_sys_var* settings[]= {
MYSQL_SYSVAR(master_key_id),
MYSQL_SYSVAR(key_spec),
MYSQL_SYSVAR(rotate_key),
MYSQL_SYSVAR(log_level),
MYSQL_SYSVAR(request_timeout),
NULL
};

Expand Down

0 comments on commit 3f5aedc

Please sign in to comment.