
Added support for wildcard usage in x509 SubjectAltName identification.#68236

Merged
yakov-olkhovskiy merged 9 commits into ClickHouse:master from marco-vb:marco-vb/x509-san-support-wildcard
Sep 12, 2024

Conversation

@marco-vb
Contributor

Added support for single-wildcard usage in x509 SubjectAltName; supports both DNS and URI.

With this change, a user can be defined as:

<user>
    <ssl_certificates>
        <subject_alt_name>URI:spiffe://foo.com/*/bar</subject_alt_name>
    </ssl_certificates>
</user>

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Add wildcard support for user identification in x509 SubjectAltName extension.

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

CI Settings (Only check the boxes if you know what you are doing):

  • Allow: All Required Checks
  • Allow: Stateless tests
  • Allow: Stateful tests
  • Allow: Integration Tests
  • Allow: Performance tests
  • Allow: All Builds
  • Allow: batch 1, 2 for multi-batch jobs
  • Allow: batch 3, 4, 5, 6 for multi-batch jobs

  • Exclude: Style check
  • Exclude: Fast test
  • Exclude: All with ASAN
  • Exclude: All with TSAN, MSAN, UBSAN, Coverage
  • Exclude: All with aarch64, release, debug

  • Do not test
  • Woolen Wolfdog
  • Upload binaries for special builds
  • Disable merge-commit
  • Disable CI cache

@CLAassistant
CLAassistant commented Aug 12, 2024

CLA assistant check
All committers have signed the CLA.

@yakov-olkhovskiy yakov-olkhovskiy self-assigned this Aug 18, 2024
@santrancisco santrancisco self-assigned this Aug 19, 2024
@yakov-olkhovskiy
Member

This proposal requires security evaluation.
cc @santrancisco

@santrancisco
Contributor

Hi all - thank you for tagging me, @yakov-olkhovskiy. While this is more about implementation details, I did take a quick look through the RFC anyway just in case and don't see any specific clause about how to implement it.

The implementation adds more flexibility in managing endpoints communicating with Clickhouse servers when performing the same task, making it easier to manage certificates. It does add some challenges from a security perspective that we should at least make a note of in the documentation:

  • Difficulty in auditing - all clients will be sharing the same user to authenticate into the ClickHouse database (the query log does show the source IP for queries, so this can be used for auditing purposes)
  • Revoking a certificate can become a challenge, as it would require modifying the config and revoking every other client instead of a single client

But overall, I think it's a nice feature to have :)
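The PR description above shows a configured pattern (`URI:spiffe://foo.com/*/bar`) but not the matching rule, and the security note above lists the auditing and revocation trade-offs of a wildcard identity. The following C++ is an added example written for this page; it is not ClickHouse's code. It assumes one plausible rule for a single wildcard (at most one `*`, standing for any run of characters, separators included, with everything else literal) and adds a defender-side lint whose heuristics are constructed here to flag patterns whose reach is wider than the path-level wildcard in the PR's own example. The function names `matchSingleWildcard`, `splitSan`, `sanMatches` and `lintSanPattern` are all hypothetical.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Assumed matching rule (illustration only, not ClickHouse's implementation): the
// configured value may contain at most one '*', which stands for any run of characters,
// including an empty run and including separators such as '.' and '/'. Every other
// character is literal. A pattern with two or more '*' never matches.
bool matchSingleWildcard(const std::string & pattern, const std::string & subject)
{
    const size_t star = pattern.find('*');
    if (star == std::string::npos)
        return pattern == subject;                      // no wildcard: exact match only
    if (pattern.find('*', star + 1) != std::string::npos)
        return false;                                   // more than one wildcard: refuse

    const std::string prefix = pattern.substr(0, star);
    const std::string suffix = pattern.substr(star + 1);
    if (subject.size() < prefix.size() + suffix.size())
        return false;                                   // prefix and suffix must not overlap
    return subject.compare(0, prefix.size(), prefix) == 0
        && subject.compare(subject.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Splits "DNS:host" / "URI:uri" into type and value. Only these two SAN types are
// accepted, mirroring the PR description ("supports both DNS and URI").
bool splitSan(const std::string & entry, std::string & type, std::string & value)
{
    const size_t colon = entry.find(':');
    if (colon == std::string::npos)
        return false;
    type = entry.substr(0, colon);
    value = entry.substr(colon + 1);
    return type == "DNS" || type == "URI";
}

// True when a SAN entry from a presented certificate satisfies the configured
// <subject_alt_name> pattern: the types must agree and the value must match.
bool sanMatches(const std::string & configured, const std::string & presented)
{
    std::string ct, cv, pt, pv;
    if (!splitSan(configured, ct, cv) || !splitSan(presented, pt, pv))
        return false;
    return ct == pt && matchSingleWildcard(cv, pv);
}

// Defender-side lint for a configured pattern. The heuristics are constructed for this
// example; they flag wildcards that reach beyond the path-level use shown in the PR.
std::vector<std::string> lintSanPattern(const std::string & configured)
{
    std::vector<std::string> warnings;
    std::string type, value;
    if (!splitSan(configured, type, value))
    {
        warnings.push_back("unsupported or malformed SAN entry (expected DNS:... or URI:...)");
        return warnings;
    }
    const size_t star = value.find('*');
    if (star == std::string::npos)
        return warnings;                                // exact match: nothing to flag
    if (value.find('*', star + 1) != std::string::npos)
        warnings.push_back("more than one '*' is not supported; this entry will never match");
    if (value == "*")
        warnings.push_back("bare '*' accepts any " + type + " SAN issued by a trusted CA");
    if (type == "URI")
    {
        // The authority (for SPIFFE, the trust domain) ends at the first '/' after
        // "scheme://"; a '*' before that point lets other hosts or trust domains match.
        const size_t scheme_end = value.find("://");
        const size_t path_start = scheme_end == std::string::npos
            ? std::string::npos : value.find('/', scheme_end + 3);
        if (scheme_end == std::string::npos || path_start == std::string::npos || star < path_start)
            warnings.push_back("wildcard covers the URI scheme or authority, not just the path");
    }
    else if (star == 0 && (value.size() < 2 || value[1] != '.'))
    {
        // Under these semantics "*example.com" also matches "notexample.com".
        warnings.push_back("leading '*' is not followed by '.', so unrelated host names match too");
    }
    // Point raised in the review above: every certificate matching the pattern
    // authenticates as the same user, so per-client auditing relies on the query log's source IP.
    warnings.push_back("all matching certificates share one user; audit per client via query_log source IP");
    return warnings;
}

int main()
{
    // Constructed sample: the PR's own pattern and one that spans the trust domain.
    for (const std::string & p : {std::string("URI:spiffe://foo.com/*/bar"), std::string("URI:spiffe://*/bar")})
    {
        std::cout << p << '\n';
        for (const std::string & w : lintSanPattern(p))
            std::cout << "  warning: " << w << '\n';
    }
    return 0;
}
```

Note that under the assumed rule the wildcard crosses separators: `DNS:*.example.com` matches `a.b.example.com` as well as `api.example.com`, and `URI:spiffe://foo.com/*/bar` matches `spiffe://foo.com/a/b/bar`. Whether ClickHouse's actual implementation behaves the same way should be checked against the merged source before relying on either reading.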

@tonickkozlov
Contributor

@yakov-olkhovskiy @santrancisco any update please?

What can be done from our side (mine and @marco-vb's) to get this PR tested? Thank you

@robot-ch-test-poll4 robot-ch-test-poll4 added the pr-improvement Pull request with some product improvements label Sep 2, 2024
@marco-vb marco-vb force-pushed the marco-vb/x509-san-support-wildcard branch from f55f063 to 5472767 Compare September 2, 2024 17:14
@yakov-olkhovskiy yakov-olkhovskiy added the can be tested Allows running workflows for external contributors label Sep 3, 2024
@robot-ch-test-poll2
Contributor
robot-ch-test-poll2 commented Sep 3, 2024

This is an automated comment for commit 185d940 with a description of existing statuses. It is updated for the latest CI run.

Failed checks:
Check name | Description | Status
Upgrade check | Runs stress tests on the server version from the last release and then tries to upgrade it to the version from the PR. It checks whether the new server can start up without any errors, crashes or sanitizer asserts | ❌ failure

Successful checks:
Check name | Description | Status
AST fuzzer | Runs randomly generated queries to catch program errors. The build type is optionally given in parentheses. If it fails, ask a maintainer for help | ✅ success
Builds | There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS | ✅ success
ClickBench | Runs ClickBench (https://github.com/ClickHouse/ClickBench/) with instant-attach table | ✅ success
Compatibility check | Checks that the clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help | ✅ success
Docker keeper image | The check to build and optionally push the mentioned image to Docker Hub | ✅ success
Docker server image | The check to build and optionally push the mentioned image to Docker Hub | ✅ success
Docs check | Builds and tests the documentation | ✅ success
Fast test | Normally this is the first check that is run for a PR. It builds ClickHouse and runs most of the stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described in the docs | ✅ success
Flaky tests | Checks whether newly added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer and additional randomization of thread scheduling. Integration tests are run up to 10 times. If a new test has failed or taken too long at least once, this check will be red. We don't allow flaky tests; read the doc | ✅ success
Install packages | Checks that the built packages are installable in a clean environment | ✅ success
Integration tests | The integration tests report. In parentheses the package type is given, and in square brackets the optional part/total tests | ✅ success
Performance Comparison | Measures changes in query performance. The performance test report is described in detail in the docs. In square brackets are the optional part/total tests | ✅ success
Stateful tests | Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc. | ✅ success
Stateless tests | Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc. | ✅ success
Stress test | Runs stateless functional tests concurrently from several clients to detect concurrency-related errors | ✅ success
Style check | Runs a set of checks to keep the code style clean. If some of the tests failed, see the related log in the report | ✅ success
Unit tests | Runs the unit tests for different release types | ✅ success

@marco-vb
Contributor Author

Hey @yakov-olkhovskiy, thank you for reviewing these and testing. Does this approach look good to you overall? Is it okay to merge? Not sure about the red checks; it seems like some mutation tests are not passing, and I'm not sure about the performance ones, as my change should not impact query performance.

@yakov-olkhovskiy
Member

@marco-vb the flaky test is failing:
https://s3.amazonaws.com/clickhouse-test-reports/68236/d6ea08e8122c2577b5c486fae4e880217908ace9/integration_tests_flaky_check__asan_/integration_run_flaky_0.log
but it seems like a general flaw in the CI setup... will investigate today and probably merge as is...

@marco-vb
Contributor Author

@yakov-olkhovskiy thanks again for taking a look and fixing things. Now CI complains that 'New settings are not reflected in settings changes history' even though I do not add or change any settings in this PR... Do you know why this is happening? This was also happening before I updated with the new master commits.

@yakov-olkhovskiy
Member

I don't think it's relevant. Merging.

@yakov-olkhovskiy yakov-olkhovskiy added this pull request to the merge queue Sep 12, 2024
Merged via the queue into ClickHouse:master with commit d353374 Sep 12, 2024
@robot-clickhouse robot-clickhouse added the pr-synced-to-cloud The PR is synced to the cloud repo label Sep 12, 2024
@marco-vb marco-vb deleted the marco-vb/x509-san-support-wildcard branch September 12, 2024 16:46
@arthurpassos arthurpassos mentioned this pull request Sep 13, 2024