ripplehang commented on code in PR #43601: URL: https://github.com/apache/arrow/pull/43601#discussion_r1792675831
########## cpp/src/arrow/filesystem/s3_test_util.cc: ########## 
@@ -69,6 +76,47 @@ std::string MinioTestServer::access_key() const { return impl_->access_key_; }
 std::string MinioTestServer::secret_key() const { return impl_->secret_key_; }
+std::string MinioTestServer::ca_path() const {
+ return impl_->temp_dir_ca_->path().ToString();
+}
+
+Status MinioTestServer::GenerateCertificateFile() {
+ // create the dedicated folder for certificate file, rather than reuse the data
+ // folder, since there is test case to check whether the folder is empty.
+ ARROW_ASSIGN_OR_RAISE(impl_->temp_dir_ca_, TemporaryDir::Make("s3fs-test-ca-"));
+
+ ARROW_ASSIGN_OR_RAISE(auto public_crt_file,
+ PlatformFilename::FromString(ca_path() + "/public.crt"));
+ ARROW_ASSIGN_OR_RAISE(auto public_cert_fd, FileOpenWritable(public_crt_file));
+ ARROW_RETURN_NOT_OK(FileWrite(public_cert_fd.fd(),
+ reinterpret_cast<const uint8_t*>(kMinioCert),
+ strlen(kMinioCert)));
+ ARROW_RETURN_NOT_OK(public_cert_fd.Close());
+
+ ARROW_ASSIGN_OR_RAISE(auto private_key_file,
+ PlatformFilename::FromString(ca_path() + "/private.key"));
+ ARROW_ASSIGN_OR_RAISE(auto private_key_fd, FileOpenWritable(private_key_file));
+ ARROW_RETURN_NOT_OK(FileWrite(private_key_fd.fd(),
+ reinterpret_cast<const uint8_t*>(kMinioPrivateKey),
+ strlen(kMinioPrivateKey)));
+ ARROW_RETURN_NOT_OK(private_key_fd.Close());
+
+ // Set the trusted CA certificate
+#if defined(__linux__)
+ arrow::fs::FileSystemGlobalOptions global_options;
+ global_options.tls_ca_dir_path = ca_path();
+ ARROW_RETURN_NOT_OK(arrow::fs::Initialize(global_options));
+#elif defined(_WIN32)
+ // Windows does not have a standard location for CA certificates
+ auto import_cert_process = std::make_unique<util::Process>();
+ ARROW_RETURN_NOT_OK(import_cert_process->SetExecutable("certutil"));
+ import_cert_process->SetArgs(
+ {"-addstore", "-f", "ArrowTest", public_crt_file.ToString()});
+ ARROW_RETURN_NOT_OK(import_cert_process->Execute());
Review Comment: @pitrou I think tls_ca_file_path would also NOT work on windows,
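Review bot: The Windows branch imports `public.crt` into a certificate store with `certutil -addstore -f`, and nothing visible in this hunk removes it again, so the entry would outlive the test run on the build machine. Because the matching private key (`kMinioPrivateKey`) is a fixed value compiled into the test sources, that certificate should never remain anywhere it could become trusted; I would pair the import with a `certutil -delstore ArrowTest <cert id>` step in the server's teardown and add a comment such as `// Test-only certificate whose private key is public: keep it in the dedicated "ArrowTest" store and remove it on shutdown.` On the Linux branch, `arrow::fs::Initialize(global_options)` changes process-wide trust settings from inside a function named for file generation, which deserves a one-line comment stating that every S3 client created afterwards in the test process will trust this directory. GenerateCertificateFile continues past the end of this quoted hunk (the `#elif` is not yet closed), so cleanup may already exist outside it.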
according to https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/client-config.html caPath, caFile only work on linux. but if we could expose the verify_tls setting on arrow::fs::FileSystemGlobalOptions or arrow::fs::S3Options as @kou suggested, then we could also run the test case on windows.