[WIP]: Add clickhouse SSL\TLS connection

clickhouse-native-jdbc/src/test/java/com/github/housepower/jdbc/AbstractITest.java

@@ -41,27 +41,36 @@ public abstract class AbstractITest implements Serializable {
     protected static final String CLICKHOUSE_PASSWORD = SystemUtil.loadProp("CLICKHOUSE_PASSWORD", "");
     protected static final String CLICKHOUSE_DB = SystemUtil.loadProp("CLICKHOUSE_DB", "");
 
-    protected static final int CLICKHOUSE_GRPC_PORT = 9100;
     protected static final int CLICKHOUSE_HTTP_PORT = 8123;
+    protected static final int CLICKHOUSE_HTTPS_PORT = 8443;
     protected static final int CLICKHOUSE_NATIVE_PORT = 9000;
+    protected static final int CLICKHOUSE_NATIVE_SECURE_PORT = 9440;
 
     @Container
     public static ClickHouseContainer container = new ClickHouseContainer(CLICKHOUSE_IMAGE)
             .withEnv("CLICKHOUSE_USER", CLICKHOUSE_USER)
             .withEnv("CLICKHOUSE_PASSWORD", CLICKHOUSE_PASSWORD)
             .withEnv("CLICKHOUSE_DB", CLICKHOUSE_DB)
-            .withExposedPorts(CLICKHOUSE_HTTP_PORT, CLICKHOUSE_NATIVE_PORT, CLICKHOUSE_GRPC_PORT)
-            .withCopyFileToContainer(MountableFile.forClasspathResource("grpc_config.xml"), "/etc/clickhouse-server/config.d/grpc_config.xml");
+            .withExposedPorts(CLICKHOUSE_HTTP_PORT,
+                    CLICKHOUSE_HTTPS_PORT,
+                    CLICKHOUSE_NATIVE_PORT,
+                    CLICKHOUSE_NATIVE_SECURE_PORT)
+            .withCopyFileToContainer(MountableFile.forClasspathResource("clickhouse/config/config.xml"),
+                    "/etc/clickhouse-server/config.xml")
+            .withCopyFileToContainer(MountableFile.forClasspathResource("clickhouse/config/users.xml"),
+                    "/etc/clickhouse-server/users.xml")
+            .withCopyFileToContainer(MountableFile.forClasspathResource("clickhouse/server.key"),
+                    "/etc/clickhouse-server/server.key")
+            .withCopyFileToContainer(MountableFile.forClasspathResource("clickhouse/server.crt"),
+                    "/etc/clickhouse-server/server.crt");
 
     protected static String CK_HOST;
     protected static int CK_PORT;
-    protected static int CK_GRPC_PORT;
 
     @BeforeAll
     public static void extractContainerInfo() {
         CK_HOST = container.getHost();
         CK_PORT = container.getMappedPort(CLICKHOUSE_NATIVE_PORT);
-        CK_GRPC_PORT = container.getMappedPort(CLICKHOUSE_GRPC_PORT);
     }
 
     /**

clickhouse-native-jdbc/src/test/resources/clickhouse/config/users.xml

@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<yandex>
+    <!-- See also the files in users.d directory where the settings can be overridden. -->
+
+    <!-- Profiles of settings. -->
+    <profiles>
+        <!-- Default settings. -->
+        <default>
+            <!-- Maximum memory usage for processing single query, in bytes. -->
+            <max_memory_usage>10000000000</max_memory_usage>
+
+            <!-- How to choose between replicas during distributed query processing.
+                 random - choose random replica from set of replicas with minimum number of errors
+                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
+                  with minimum number of different symbols between replica's hostname and local hostname
+                  (Hamming distance).
+                 in_order - first live replica is chosen in specified order.
+                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
+            -->
+            <load_balancing>random</load_balancing>
+        </default>
+
+        <!-- Profile that allows only read queries. -->
+        <readonly>
+            <readonly>1</readonly>
+        </readonly>
+    </profiles>
+
+    <!-- Users and ACL. -->
+    <users>
+        <!-- If user name was not specified, 'default' user is used. -->
+        <default>
+            <!-- See also the files in users.d directory where the password can be overridden.
+
+                 Password could be specified in plaintext or in SHA256 (in hex format).
+
+                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
+                 Example: <password>qwerty</password>.
+                 Password could be empty.
+
+                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
+                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
+                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
+
+                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
+                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
+
+                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
+                  place its name in 'server' element inside 'ldap' element.
+                 Example: <ldap><server>my_ldap_server</server></ldap>
+
+                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
+                  place 'kerberos' element instead of 'password' (and similar) elements.
+                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
+                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
+                  whose initiator's realm matches it.
+                 Example: <kerberos />
+                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
+
+                 How to generate decent password:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
+                 In first line will be password and in second - corresponding SHA256.
+
+                 How to generate double SHA1:
+                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
+                 In first line will be password and in second - corresponding double SHA1.
+            -->
+            <password></password>
+
+            <!-- List of networks with open access.
+
+                 To open access from everywhere, specify:
+                    <ip>::/0</ip>
+
+                 To open access only from localhost, specify:
+                    <ip>::1</ip>
+                    <ip>127.0.0.1</ip>
+
+                 Each element of list has one of the following forms:
+                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
+                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
+                 <host> Hostname. Example: server01.yandex.ru.
+                     To check access, DNS query is performed, and all received addresses compared to peer address.
+                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.yandex\.ru$
+                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
+                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
+                     Strongly recommended that regexp is ends with $
+                 All results of DNS requests are cached till server restart.
+            -->
+            <networks>
+                <ip>::/0</ip>
+            </networks>
+
+            <!-- Settings profile for user. -->
+            <profile>default</profile>
+
+            <!-- Quota for user. -->
+            <quota>default</quota>
+
+            <!-- User can create other users and grant rights to them. -->
+            <!-- <access_management>1</access_management> -->
+        </default>
+    </users>
+
+    <!-- Quotas. -->
+    <quotas>
+        <!-- Name of quota. -->
+        <default>
+            <!-- Limits for time interval. You could specify many intervals with different limits. -->
+            <interval>
+                <!-- Length of interval. -->
+                <duration>3600</duration>
+
+                <!-- No limits. Just calculate resource usage for time interval. -->
+                <queries>0</queries>
+                <errors>0</errors>
+                <result_rows>0</result_rows>
+                <read_rows>0</read_rows>
+                <execution_time>0</execution_time>
+            </interval>
+        </default>
+    </quotas>
+</yandex>

clickhouse-native-jdbc/src/test/resources/clickhouse/server.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUGiof/tcvWR9ITSWwONatZC68ys0wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDgyNjIxMTczN1oXDTI0MDgy
+NTIxMTczN1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAmC1y+HO3QzDIk5DnK6ouUoxCIH6c/zeT/uYSCmvUQU1l
+rEWQ5+U/iEAQkmIyK/7yvyHromp+ZfzoVlDANF/5d3OaRcXxLKjVBf1xxELlEzXR
+Jw2Vx3KnrxO0P9RXwmuc+n8alYZwxIbt1IPlqGJzgUHd3cFcjXe7Z8dnhAO3zekr
+UDRP028LdIrLPGpBanHNKiJv73o3QrNJKLw9l5kDPMlmrXb/9uot4xxYj6L3Kz84
+lACApL04tkH3+W6vadwdzWjPEvFwlLIoRBV1YXnzKUlgNwey6PLDo5jE+2AXR433
+6UPHZJ5XNTtJ1zSe+wiC8xqA5zgv2f/S6KNrGAZ4JQIDAQABo1MwUTAdBgNVHQ4E
+FgQUucBNLF7S0DEqgJYTpD0Y6rKZx6kwHwYDVR0jBBgwFoAUucBNLF7S0DEqgJYT
+pD0Y6rKZx6kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAN9i6
+xLrh4DyJOV1KsIM1nrWq1P5wZjQny9i4TmU6doGXIiTIAipXyL8liX5/3qVGZkBb
+WYWgQTdfjjZJENSawxUiIQnsvqO83dyzRaMg+yKRUPf6MZTQDxjgmK3BZ6qmMLbj
+BhMYAA5r6b6oTW5pmqo+wQxP7doZOiX/Xcjw2iHBtL1jy4rEwsEoOYpH7u0ywWiQ
+9WsaYNcm+b452MJBYWeRqxJx4gtvcBFAii2Win5AT/SUTtHQcQKrDxv+osGS5vZj
+v+2LxCCNfTmJfIsGPSsyiqulvzzn4xcNE6ETzAcvudx+to9YfUogJYmhsQpc/CBa
+7DYS2q7Uf7a7d7xZDw==
+-----END CERTIFICATE-----

clickhouse-native-jdbc/src/test/resources/clickhouse/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYLXL4c7dDMMiT
+kOcrqi5SjEIgfpz/N5P+5hIKa9RBTWWsRZDn5T+IQBCSYjIr/vK/Ieuian5l/OhW
+UMA0X/l3c5pFxfEsqNUF/XHEQuUTNdEnDZXHcqevE7Q/1FfCa5z6fxqVhnDEhu3U
+g+WoYnOBQd3dwVyNd7tnx2eEA7fN6StQNE/Tbwt0iss8akFqcc0qIm/vejdCs0ko
+vD2XmQM8yWatdv/26i3jHFiPovcrPziUAICkvTi2Qff5bq9p3B3NaM8S8XCUsihE
+FXVhefMpSWA3B7Lo8sOjmMT7YBdHjffpQ8dknlc1O0nXNJ77CILzGoDnOC/Z/9Lo
+o2sYBnglAgMBAAECggEAFJKXB48+jWb+brNOX+D5XdqCpA70iCzfepG9ivV0iUF+
+hxwT0MMgDs+OY05tdvTX+fk1eExfpcew3IkSeuImARKP9B0kPhky90TXSPo8KsKB
+8dQh1V1NiFsoaTVP30OaF2Pwgu9dC7csAX4KoZ7G+7NHsbokGic/dB0JLwKA/4/v
+vSAEpyZpoCEK9AjfqkFNYHTtuAmuIfBvHGcDdcDHsCh+c1MevqTlL5wBElr8RKJ7
+Vxb4eApwwWLB2aQnmcyCOpJQtb/XpuMNZ5/IsBNVmUDCRNYbKCFx4Ts/mwVbL1jz
+e4YD1DKiEtZ9Wzy7saZFIM2L7k8JuUomGucuqUHaLwKBgQDWnFLtwB7Lcbmv3QWz
+CDrNqFOTTrlLEbLgawXeCFyuL/QKSiI7VLGYo3FfCBMKE9bQf11AYKlP6dhW7f/G
+z0iHuy4wKhPHPKDmsJT3lnJlshayxjyr5RfT29bfz0vw/UJ+U4bEs46rTkEi6ZyW
+pCopD+az0BvyidkjQAMjbBW1HwKBgQC1hrOJ8eZkX5tCflRNVqmuX6QkINOLhErw
+4I41i0oaJVD0KU3hLHtTD57bn36q8tWuaFrubUir9OSz9r1nLCc4uu2OUUn0t9sy
+IvoG4JHWHkFdaOxGheWFdoCkTRnyU8mb4196h7C2MIQ6a6SwuaF9y9/p7l1/JjWu
+PI6vq1kGOwKBgQCGWwWb7Iwa587NJ7z6sWtG91ujPETKl4D5+GaK84c6UbEhg/nc
+VRB+M8y1JvPsejEhBKuXsywsaITVH1ji2UBaITgwVRdewzkkU2ZffmOOASkusOao
+4trA+r+SDFBJxfQL7DTSDmuCGZKzzbcHpCz02gyfg+kLNXuoEtokIfWRFwKBgGFR
+YOmgfTLsqrEgRxPbVUa90aLo0mDmwMKYsMT18vlHbjon9q+0iD1Ej5cQz/jYDUTe
+f3l5r085EG+G5Y3tdu2MEZWN8Qc4llQvujl7pdPUDpkEij9Yw28k09zB1Ro8X0aq
+xGJNYqiaJBmp4fY43uIxLc8dUpS7KGZL4vc89pJHAoGAET1i4vxlD6BMgwJCyCmc
+afJ5Eh4WrrBYM+E4emGS0/pgeRkjRk5cCaKJ/IEO8x2uxr/EGmlZa+ki8ETc8/9m
+LG9sX9za2lg9tiZW8A676hheVHe4IOIjkldey9ovxm8ar12PECwgkkJ6WXeG4uzJ
+lqaPsbBiOzZvBiBBJLpydYY=
+-----END PRIVATE KEY-----

clickhouse-native-jdbc/src/test/resources/keymanagement/bin/generate.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+# Versions:
+# Windows 10
+# OpenSSL Version: OpenSSL 3.1.2 1
+# Keytool Version: openjdk-17.0.2
+
+KEY_FILE=server.key
+CRT_FILE=server.crt
+PKCS12_FILE=server.p12
+JKS_FILE=server.jks
+PASSWORD=mypassword
+ALIAS=myalias
+
+echo "Generating the private key and certificate..."
+openssl req -subj "//CN=localhost" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout ${KEY_FILE} -out ${CRT_FILE}
+if [ $? -ne 0 ]; then
+    echo "Failed to generate the private key and certificate."
+    exit 1
+fi
+
+echo "Converting to PKCS12 format..."
+openssl pkcs12 -export -in ${CRT_FILE} -inkey ${KEY_FILE} -out ${PKCS12_FILE} -name ${ALIAS} -password pass:${PASSWORD}
+if [ $? -ne 0 ]; then
+    echo "Failed to convert to PKCS12 format."
+    exit 1
+fi
+
+echo "Importing keystore ${PKCS12_FILE} to ${JKS_FILE}..."
+keytool -importkeystore\
+        -srckeystore ${PKCS12_FILE}\
+        -srcstoretype PKCS12\
+        -srcstorepass ${PASSWORD}\
+        -destkeystore ${JKS_FILE}\
+        -deststoretype JKS\
+        -deststorepass ${PASSWORD}
+if [ $? -ne 0 ]; then
+    echo "Failed to import keystore."
+    exit 1
+fi
+
+echo "Done!"