Fix ydb cli auth file options (#19577)

UgnineSirdis · Gazizonoki · commit eba62fdd4a4b · 2025-06-17T23:09:49.000+03:00
diff --git a/.github/last_commit.txt b/.github/last_commit.txt
@@ -1 +1 @@
-a01853cb85b51ba9c678dffd9d2c0cda8e7e55f3
+8e0f901efb6d5580fe9f5409b4cf761160fb7f24
diff --git a/include/ydb-cpp-sdk/client/iam/common/types.h b/include/ydb-cpp-sdk/client/iam/common/types.h
@@ -33,6 +33,7 @@ struct TIamEndpoint {
     TDuration RefreshPeriod = NIam::DEFAULT_REFRESH_PERIOD;
     TDuration RequestTimeout = NIam::DEFAULT_REQUEST_TIMEOUT;
     bool EnableSsl = NIam::DEFAULT_ENABLE_SSL;
+    std::string CaCerts;
 };
 
 struct TIamJwtFilename : TIamEndpoint { std::string JwtFilename; };
diff --git a/src/client/iam/common/iam.h b/src/client/iam/common/iam.h
@@ -45,6 +45,9 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
             NYdbGrpc::TGRpcClientConfig grpcConf;
             grpcConf.Locator = IamEndpoint_.Endpoint;
             grpcConf.EnableSsl = IamEndpoint_.EnableSsl;
+            if (!IamEndpoint_.CaCerts.empty()) {
+                grpcConf.SslCredentials.pem_root_certs = IamEndpoint_.CaCerts;
+            }
             Connection_ = std::unique_ptr<NYdbGrpc::TServiceConnection<TService>>(Client->CreateGRpcServiceConnection<TService>(grpcConf).release());
         }
 
diff --git a/tests/unit/client/oauth2_token_exchange/credentials_ut.cpp b/tests/unit/client/oauth2_token_exchange/credentials_ut.cpp
@@ -1,13 +1,9 @@
 #include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/credentials.h>
 #include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/from_file.h>
-#include "jwt_check_helper.h"
+#include <tests/unit/client/oauth2_token_exchange/helpers/test_token_exchange_server.h>
 
 #include <src/library/string_utils/base64/base64.h>
 
-#include <library/cpp/cgiparam/cgiparam.h>
-#include <library/cpp/http/misc/parsed_request.h>
-#include <library/cpp/http/server/http.h>
-#include <library/cpp/http/server/response.h>
 #include <library/cpp/json/json_writer.h>
 #include <library/cpp/testing/unittest/registar.h>
 #include <library/cpp/testing/unittest/tests_data.h>
@@ -24,164 +20,6 @@ extern const std::string TestECPrivateKeyContent;
 extern const std::string TestECPublicKeyContent;
 extern const std::string TestHMACSecretKeyBase64Content;
 
-class TTestTokenExchangeServer: public THttpServer::ICallBack {
-public:
-    struct TCheck {
-        bool ExpectRequest = true;
-        HttpCodes StatusCode = HTTP_OK;
-        TCgiParameters ExpectedInputParams;
-        std::optional<TCgiParameters> InputParams;
-        std::string Response;
-        std::string ExpectedErrorPart;
-        std::string Error;
-        std::optional<TJwtCheck> SubjectJwtCheck;
-        std::optional<TJwtCheck> ActorJwtCheck;
-
-        void Check() {
-            UNIT_ASSERT_C(InputParams || !ExpectRequest, "Request error: " << Error);
-            if (InputParams) {
-                if (SubjectJwtCheck || ActorJwtCheck) {
-                    TCgiParameters inputParamsCopy = *InputParams;
-                    if (SubjectJwtCheck) {
-                        std::string subjectJwt;
-                        UNIT_ASSERT(inputParamsCopy.Has("subject_token"));
-                        UNIT_ASSERT(inputParamsCopy.Has("subject_token_type", "urn:ietf:params:oauth:token-type:jwt"));
-                        subjectJwt = inputParamsCopy.Get("subject_token");
-                        inputParamsCopy.Erase("subject_token");
-                        inputParamsCopy.Erase("subject_token_type");
-                        SubjectJwtCheck->Check(subjectJwt);
-                    }
-                    if (ActorJwtCheck) {
-                        std::string actorJwt;
-                        UNIT_ASSERT(inputParamsCopy.Has("actor_token"));
-                        UNIT_ASSERT(inputParamsCopy.Has("actor_token_type", "urn:ietf:params:oauth:token-type:jwt"));
-                        actorJwt = inputParamsCopy.Get("actor_token");
-                        inputParamsCopy.Erase("actor_token");
-                        inputParamsCopy.Erase("actor_token_type");
-                        ActorJwtCheck->Check(actorJwt);
-                    }
-                    UNIT_ASSERT_VALUES_EQUAL(ExpectedInputParams.Print(), inputParamsCopy.Print());
-                } else {
-                    UNIT_ASSERT_VALUES_EQUAL(ExpectedInputParams.Print(), InputParams->Print());
-                }
-            }
-
-            if (!ExpectedErrorPart.empty()) {
-                UNIT_ASSERT_STRING_CONTAINS(Error, ExpectedErrorPart);
-            } else {
-                UNIT_ASSERT(Error.empty());
-            }
-        }
-
-        void Reset() {
-            Error.clear();
-            InputParams = std::nullopt;
-        }
-    };
-
-    class TRequest: public TRequestReplier {
-    public:
-        explicit TRequest(TTestTokenExchangeServer* server)
-            : Server(server)
-        {
-        }
-
-        bool DoReply(const TReplyParams& params) override {
-            with_lock (Server->Lock) {
-                const TParsedHttpFull parsed(params.Input.FirstLine());
-                UNIT_ASSERT_VALUES_EQUAL(parsed.Path, "/exchange/token");
-                const std::string bodyStr = params.Input.ReadAll();
-
-                Server->Check.InputParams.emplace(bodyStr);
-                THttpResponse resp(Server->Check.StatusCode);
-                resp.SetContent(TString{Server->Check.Response});
-                resp.OutTo(params.Output);
-                return true;
-            }
-        }
-
-    public:
-        TTestTokenExchangeServer* Server = nullptr;
-    };
-
-    TTestTokenExchangeServer()
-        : HttpOptions(PortManager.GetPort())
-        , HttpServer(this, HttpOptions)
-    {
-        HttpServer.Start();
-    }
-
-    TClientRequest* CreateClient() override {
-        return new TRequest(this);
-    }
-
-    std::string GetEndpoint() const {
-        return TStringBuilder() << "http://localhost:" << HttpOptions.Port << "/exchange/token";
-    }
-
-    void Run(const std::function<void()>& f, bool checkExpectations = true) {
-        Check.Reset();
-        try {
-            f();
-        } catch (const std::exception& ex) {
-            Check.Error = ex.what();
-        }
-
-        if (checkExpectations) {
-            CheckExpectations();
-        }
-    }
-
-    void Run(const TOauth2TokenExchangeParams& params, const std::string& expectedToken = {}, bool checkExpectations = true) {
-        std::string token;
-        Run([&]() {
-            auto factory = CreateOauth2TokenExchangeCredentialsProviderFactory(params);
-            if (!expectedToken.empty()) {
-                token = factory->CreateProvider()->GetAuthInfo();
-            }
-        },
-        checkExpectations);
-
-        if (!expectedToken.empty()) {
-            UNIT_ASSERT_VALUES_EQUAL(expectedToken, token);
-        }
-    }
-
-    void RunFromConfig(const std::string& fileName, const std::string& expectedToken = {}, bool checkExpectations = true, const std::string& explicitTokenEndpoint = {}) {
-        std::string token;
-        Run([&]() {
-            auto factory = CreateOauth2TokenExchangeFileCredentialsProviderFactory(fileName, explicitTokenEndpoint);
-            if (!expectedToken.empty()) {
-                token = factory->CreateProvider()->GetAuthInfo();
-            }
-        },
-        checkExpectations);
-
-        if (!expectedToken.empty()) {
-            UNIT_ASSERT_VALUES_EQUAL(expectedToken, token);
-        }
-    }
-
-    void CheckExpectations() {
-        with_lock (Lock) {
-            Check.Check();
-        }
-    }
-
-    void WithLock(const std::function<void()>& f) {
-        with_lock (Lock) {
-            f();
-        }
-    }
-
-public:
-    TAdaptiveLock Lock;
-    TPortManager PortManager;
-    THttpServer::TOptions HttpOptions;
-    THttpServer HttpServer;
-    TCheck Check;
-};
-
 template <class TParent>
  struct TJsonFillerArray {
      TJsonFillerArray(TParent* parent, NJson::TJsonWriter* writer)
diff --git a/tests/unit/client/oauth2_token_exchange/helpers/jwt_check_helper.h b/tests/unit/client/oauth2_token_exchange/helpers/jwt_check_helper.h
diff --git a/tests/unit/client/oauth2_token_exchange/helpers/test_token_exchange_server.cpp b/tests/unit/client/oauth2_token_exchange/helpers/test_token_exchange_server.cpp
@@ -0,0 +1,94 @@
+#include "test_token_exchange_server.h"
+
+void TTestTokenExchangeServer::Run(const std::function<void()>& f, bool checkExpectations) {
+    Check.Reset();
+    try {
+        f();
+    } catch (const std::exception& ex) {
+        Check.Error = ex.what();
+    }
+
+    if (checkExpectations) {
+        CheckExpectations();
+    }
+}
+
+void TTestTokenExchangeServer::Run(const NYdb::TOauth2TokenExchangeParams& params, const std::string& expectedToken, bool checkExpectations) {
+    std::string token;
+    Run([&]() {
+        auto factory = CreateOauth2TokenExchangeCredentialsProviderFactory(params);
+        if (!expectedToken.empty()) {
+            token = factory->CreateProvider()->GetAuthInfo();
+        }
+    },
+    checkExpectations);
+
+    if (!expectedToken.empty()) {
+        UNIT_ASSERT_VALUES_EQUAL(expectedToken, token);
+    }
+}
+
+void TTestTokenExchangeServer::RunFromConfig(const std::string& fileName, const std::string& expectedToken, bool checkExpectations, const std::string& explicitTokenEndpoint) {
+    std::string token;
+    Run([&]() {
+        auto factory = NYdb::CreateOauth2TokenExchangeFileCredentialsProviderFactory(fileName, explicitTokenEndpoint);
+        if (!expectedToken.empty()) {
+            token = factory->CreateProvider()->GetAuthInfo();
+        }
+    },
+    checkExpectations);
+
+    if (!expectedToken.empty()) {
+        UNIT_ASSERT_VALUES_EQUAL(expectedToken, token);
+    }
+}
+
+void TTestTokenExchangeServer::TCheck::Check() {
+    UNIT_ASSERT_C(InputParams || !ExpectRequest, "Request error: " << Error);
+    if (InputParams) {
+        if (SubjectJwtCheck || ActorJwtCheck) {
+            TCgiParameters inputParamsCopy = *InputParams;
+            if (SubjectJwtCheck) {
+                std::string subjectJwt;
+                UNIT_ASSERT(inputParamsCopy.Has("subject_token"));
+                UNIT_ASSERT(inputParamsCopy.Has("subject_token_type", "urn:ietf:params:oauth:token-type:jwt"));
+                subjectJwt = inputParamsCopy.Get("subject_token");
+                inputParamsCopy.Erase("subject_token");
+                inputParamsCopy.Erase("subject_token_type");
+                SubjectJwtCheck->Check(subjectJwt);
+            }
+            if (ActorJwtCheck) {
+                std::string actorJwt;
+                UNIT_ASSERT(inputParamsCopy.Has("actor_token"));
+                UNIT_ASSERT(inputParamsCopy.Has("actor_token_type", "urn:ietf:params:oauth:token-type:jwt"));
+                actorJwt = inputParamsCopy.Get("actor_token");
+                inputParamsCopy.Erase("actor_token");
+                inputParamsCopy.Erase("actor_token_type");
+                ActorJwtCheck->Check(actorJwt);
+            }
+            UNIT_ASSERT_VALUES_EQUAL(ExpectedInputParams.Print(), inputParamsCopy.Print());
+        } else {
+            UNIT_ASSERT_VALUES_EQUAL(ExpectedInputParams.Print(), InputParams->Print());
+        }
+    }
+
+    if (!ExpectedErrorPart.empty()) {
+        UNIT_ASSERT_STRING_CONTAINS(Error, ExpectedErrorPart);
+    } else {
+        UNIT_ASSERT(Error.empty());
+    }
+}
+
+bool TTestTokenExchangeServer::TRequest::DoReply(const TReplyParams& params) {
+    with_lock (Server->Lock) {
+        const TParsedHttpFull parsed(params.Input.FirstLine());
+        UNIT_ASSERT_VALUES_EQUAL(parsed.Path, "/exchange/token");
+        const std::string bodyStr = params.Input.ReadAll();
+
+        Server->Check.InputParams.emplace(bodyStr);
+        THttpResponse resp(Server->Check.StatusCode);
+        resp.SetContent(TString{Server->Check.Response});
+        resp.OutTo(params.Output);
+        return true;
+    }
+}
diff --git a/tests/unit/client/oauth2_token_exchange/helpers/test_token_exchange_server.h b/tests/unit/client/oauth2_token_exchange/helpers/test_token_exchange_server.h
@@ -0,0 +1,86 @@
+#pragma once
+#include "jwt_check_helper.h"
+
+#include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/credentials.h>
+#include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/from_file.h>
+
+#include <library/cpp/cgiparam/cgiparam.h>
+#include <library/cpp/http/misc/parsed_request.h>
+#include <library/cpp/http/server/http.h>
+#include <library/cpp/http/server/response.h>
+#include <library/cpp/json/json_writer.h>
+#include <library/cpp/testing/unittest/tests_data.h>
+
+class TTestTokenExchangeServer: public THttpServer::ICallBack {
+public:
+    struct TCheck {
+        bool ExpectRequest = true;
+        HttpCodes StatusCode = HTTP_OK;
+        TCgiParameters ExpectedInputParams;
+        std::optional<TCgiParameters> InputParams;
+        std::string Response;
+        std::string ExpectedErrorPart;
+        std::string Error;
+        std::optional<TJwtCheck> SubjectJwtCheck;
+        std::optional<TJwtCheck> ActorJwtCheck;
+
+        void Check();
+
+        void Reset() {
+            Error.clear();
+            InputParams = std::nullopt;
+        }
+    };
+
+    class TRequest: public TRequestReplier {
+    public:
+        explicit TRequest(TTestTokenExchangeServer* server)
+            : Server(server)
+        {
+        }
+
+        bool DoReply(const TReplyParams& params) override;
+
+    public:
+        TTestTokenExchangeServer* Server = nullptr;
+    };
+
+    TTestTokenExchangeServer()
+        : HttpOptions(PortManager.GetPort())
+        , HttpServer(this, HttpOptions)
+    {
+        HttpServer.Start();
+    }
+
+    TClientRequest* CreateClient() override {
+        return new TRequest(this);
+    }
+
+    std::string GetEndpoint() const {
+        return TStringBuilder() << "http://localhost:" << HttpOptions.Port << "/exchange/token";
+    }
+
+    void Run(const std::function<void()>& f, bool checkExpectations = true);
+    void Run(const NYdb::TOauth2TokenExchangeParams& params, const std::string& expectedToken = {}, bool checkExpectations = true);
+
+    void RunFromConfig(const std::string& fileName, const std::string& expectedToken = {}, bool checkExpectations = true, const std::string& explicitTokenEndpoint = {});
+
+    void CheckExpectations() {
+        with_lock (Lock) {
+            Check.Check();
+        }
+    }
+
+    void WithLock(const std::function<void()>& f) {
+        with_lock (Lock) {
+            f();
+        }
+    }
+
+public:
+    TAdaptiveLock Lock;
+    TPortManager PortManager;
+    THttpServer::TOptions HttpOptions;
+    THttpServer HttpServer;
+    TCheck Check;
+};
diff --git a/tests/unit/client/oauth2_token_exchange/jwt_token_source_ut.cpp b/tests/unit/client/oauth2_token_exchange/jwt_token_source_ut.cpp
@@ -1,5 +1,5 @@
 #include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/jwt_token_source.h>
-#include "jwt_check_helper.h"
+#include <tests/unit/client/oauth2_token_exchange/helpers/jwt_check_helper.h>
 
 #include <library/cpp/testing/unittest/registar.h>
 

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-a01853cb85b51ba9c678dffd9d2c0cda8e7e55f3`
	`1`	`+8e0f901efb6d5580fe9f5409b4cf761160fb7f24`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,9 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {`
`45`	`45`	`NYdbGrpc::TGRpcClientConfig grpcConf;`
`46`	`46`	`grpcConf.Locator = IamEndpoint_.Endpoint;`
`47`	`47`	`grpcConf.EnableSsl = IamEndpoint_.EnableSsl;`
	`48`	`+ if (!IamEndpoint_.CaCerts.empty()) {`
	`49`	`+ grpcConf.SslCredentials.pem_root_certs = IamEndpoint_.CaCerts;`
	`50`	`+ }`
`48`	`51`	`Connection_ = std::unique_ptr<NYdbGrpc::TServiceConnection<TService>>(Client->CreateGRpcServiceConnection<TService>(grpcConf).release());`
`49`	`52`	`}`
`50`	`53`