[WIP] HTTP exporter support ssl credentials

[pavanshahm]

Fixes # (issue)

Changes

We needed to include ssl credentials if we wanted to use the http exporter so we added an additional option in http_exporter_options in order to allow it.

We also needed to update the curl.BUILD files in order to build cURL with the https protocol supported. This was done with a lot of trial and error and copied from the tensorflow build file, so I'm not sure which options are actually necessary and which ones are not.

Unit Tests are pending, but let me know if this is the right approach before I write those tests.

• CHANGELOG.md updated for non-trivial changes
• Unit tests have been added
• Changes in public API reviewed

[linux-foundation-easycla]

• ❌ - Pavan The commit (45a438e) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please submit a support request ticket.

[codecov]

Codecov Report

Merging #938 (45a438e) into main (d6c187c) will decrease coverage by 0.06%.
The diff coverage is 55.56%.

@@            Coverage Diff             @@
##             main     #938      +/-   ##
==========================================
- Coverage   95.36%   95.30%   -0.05%     
==========================================
  Files         160      160              
  Lines        6779     6786       +7     
==========================================
+ Hits         6464     6467       +3     
- Misses        315      319       +4     

Impacted Files	Coverage Δ
...nclude/opentelemetry/ext/http/client/http_client.h	93.34% <ø> (ø)
...ntelemetry/ext/http/client/curl/http_client_curl.h	89.63% <33.34%> (-1.72%)	⬇️
...lemetry/ext/http/client/curl/http_operation_curl.h	77.34% <66.67%> (-0.74%)	⬇️
...pi/include/opentelemetry/context/runtime_context.h	97.50% <0.00%> (+0.04%)	⬆️

[owent]

I have thought using civetweb to setup a temporary HTTP server for unit test. Because prometheus-cpp also depend it. We can also use it without import another library or binary.
It maybe need more discussion about how to test HTTP requests. @maxgolov @lalitb

[lalitb]

I have thought using civetweb to setup a temporary HTTP server for unit test. Because prometheus-cpp also depend it. We can also use it without import another library or binary.
It maybe need more discussion about how to test HTTP requests. @maxgolov @lalitb

@owent - This looks good - production-ready embeddable web-server, but just wondering whether we really need this for unit tests. What advantage do you think we will get from this over our internal http server specifically for unit-tests?

[owent]

I have thought using civetweb to setup a temporary HTTP server for unit test. Because prometheus-cpp also depend it. We can also use it without import another library or binary.
It maybe need more discussion about how to test HTTP requests. @maxgolov @lalitb

@owent - This looks good - production-ready embeddable web-server, but just wondering whether we really need this for unit tests. What advantage do you think we will get from this over our internal http server specifically for unit-tests?

We need HTTPS here.If implementation SSL support for http server need a lot codes, maybe it's easier to use a third party library?

[owent]

Maybe we should use nosdt::string_view instead of std::string here?

[owent]

Should we use lower case to keep the same style as before?

[owent]

I think it's better to use a option use_ssl_credentials to control whether to ignore SSL verification which just like in OtlpGrpcExporterOptions.
And we should also privide options to set CURLOPT_SSLKEY and CURLOPT_SSLCERT .

[lalitb]

@pavanshahm - Thanks for this PR. It would be good to have SSL certificate check integrated. A couple of comments here:

1. Can we avoid adding code to build curl with SSL support as part of the otel-cpp build? I am not a bazel expert, but with cmake, we can build curl + SSL through vcpkg toolchain.
2. instead of adding a certificate path, can we leverage the EventHandler class to pass the certificate:
   

   opentelemetry-cpp/ext/include/opentelemetry/ext/http/client/http_client.h

   Line 205 in dc25ea6

   virtual void OnConnecting(const SSLCertificate &) noexcept {}

[lalitb]

We need HTTPS here.If implementation SSL support for http server need a lot codes, maybe it's easier to use a third party library?

OK. I thought we don't really need to test the ssl-handshake as part of the unit test here, as it should work correctly with curl as long as the correct certificate is passed. We can locally add unit-test tests to ensure that the SSL certificate is set correctly through our HTTP client library. But we can discuss if you feel it is really required?

[owent]

We need HTTPS here.If implementation SSL support for http server need a lot codes, maybe it's easier to use a third party library?

OK. I thought we don't really need to test the ssl-handshake as part of the unit test here, as it should work correctly with curl as long as the correct certificate is passed. We can locally add unit-test tests to ensure that the SSL certificate is set correctly through our HTTP client library. But we can discuss if you feel it is really required?

I don't think we need to test ssl-handshake either. But I think we should test whether the new options (sslCertPath) works. Is there any better suggestion to approach it?

[lalitb]

We need HTTPS here.If implementation SSL support for http server need a lot codes, maybe it's easier to use a third party library?

OK. I thought we don't really need to test the ssl-handshake as part of the unit test here, as it should work correctly with curl as long as the correct certificate is passed. We can locally add unit-test tests to ensure that the SSL certificate is set correctly through our HTTP client library. But we can discuss if you feel it is really required?

I don't think we need to test ssl-handshake either. But I think we should test whether the new options (sslCertPath) works. Is there any better suggestion to approach it?

ok, I was thinking to avoid testing the HTTPS request path as part of the unit test if it needs us to build and link with a third-party library. On second thought - I had a quick look at civetweb usage in prometheus-cpp. Perhaps it can be a good replacement for internal http_server for both unit tests ( for http/https requests) and pages. But needs more discussion with other community members.

[lalitb]

@pavanshahm - just wondering if you have plans to continue on this PR? As this has been at WIP state for some time now.

[lalitb]

@pavanshahm - just wondering if you have plans to continue on this PR? As this has been at WIP state for some time now.

@pavanshahm - Checking one more time if you have plans to work on this PR. While it would be really good to get it merged, we also don't want to keep it stale for long.

[sirzooro]

mTLS support (requested by someone else here in another issue) will require two more fields for paths to private and public key. To avoid confusion please rename this field to make it more clear that this is path to trusted root CA certificates, e.g. sslCaCertPath.
In my issue I also asked about way to specify minimum TLS version (CURLOPT_SSLVERSION) and allowed ciphers (CURLOPT_SSL_CIPHER_LIST). Below I also mentioned another one to disable certificate validation. All of them would need corresponding fields here.
BTW, you also have typo in comment above - sll -> ssl

[sirzooro]

Other methods here uses nostd::string_view for parameters instead of std::string, please make it consistent.

[sirzooro]

Empty CA cert path should mean that user wants to use default system path, not disable certificate validation. Ability to disable validation is another use case. Please add another option to disable certificate validation.

[sirzooro]

This option is set by default to 1, so this line can be skipped.