From commits-return-22330-archive-asf-public=cust-asf.ponee.io@pulsar.apache.org Wed Feb 13 00:18:30 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id D0378180718 for ; Wed, 13 Feb 2019 01:18:29 +0100 (CET) Received: (qmail 13433 invoked by uid 500); 13 Feb 2019 00:18:29 -0000 Mailing-List: contact commits-help@pulsar.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@pulsar.apache.org Delivered-To: mailing list commits@pulsar.apache.org Received: (qmail 13423 invoked by uid 99); 13 Feb 2019 00:18:29 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Feb 2019 00:18:29 +0000 From: GitBox To: commits@pulsar.apache.org Subject: [GitHub] merlimat commented on a change in pull request #3568: Refresh Certs every X minutes Message-ID: <155001710844.30420.6029019135635127817.gitbox@gitbox.apache.org> Date: Wed, 13 Feb 2019 00:18:28 -0000 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit merlimat commented on a change in pull request #3568: Refresh Certs every X minutes URL: https://github.com/apache/pulsar/pull/3568#discussion_r256202140 ########## File path: pulsar-common/src/main/java/org/apache/pulsar/common/util/SslContextRefresher.java ########## @@ -0,0 +1,146 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.pulsar.common.util; + +import java.io.FileNotFoundException; +import java.io.IOException; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.nio.file.StandardWatchEventKinds; +import java.nio.file.WatchEvent; +import java.nio.file.WatchKey; +import java.nio.file.WatchService; +import java.security.GeneralSecurityException; +import java.util.List; +import java.util.Set; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.TimeUnit; + +import javax.net.ssl.SSLException; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.base.Strings; +import com.google.common.collect.Sets; + +import io.netty.handler.ssl.SslContext; + +public class SslContextRefresher implements Runnable { + private final boolean tlsAllowInsecureConnection; + private final String tlsTrustCertsFilePath; + private final String tlsCertificateFilePath; + private final String tlsKeyFilePath; + private final Set tlsCiphers; + private final Set tlsProtocols; + private final boolean tlsRequireTrustedClientCertOnConnect; + private final ScheduledExecutorService eventLoopGroup; + private final Set files; + private final Set watchKeys; + private final long delay; + private final TimeUnit timeunit; + private volatile SslContext sslContext; + + public SslContextRefresher(boolean allowInsecure, String trustCertsFilePath, String certificateFilePath, + String keyFilePath, Set ciphers, Set protocols, boolean requireTrustedClientCertOnConnect, + ScheduledExecutorService eventLoopGroup, long delay, TimeUnit timeunit) + throws SSLException, FileNotFoundException, GeneralSecurityException, IOException { + this.tlsAllowInsecureConnection = allowInsecure; + this.tlsTrustCertsFilePath = trustCertsFilePath; + this.tlsCertificateFilePath = certificateFilePath; + this.tlsKeyFilePath = keyFilePath; + this.tlsCiphers = ciphers; + this.tlsProtocols = protocols; + this.tlsRequireTrustedClientCertOnConnect = requireTrustedClientCertOnConnect; + this.watchKeys = Sets.newHashSet(); + this.files = Sets.newHashSet(); + this.delay = delay; + this.timeunit = timeunit; + this.eventLoopGroup = eventLoopGroup; + + files.add(trustCertsFilePath); + files.add(certificateFilePath); + files.add(keyFilePath); + + // Remove all Null Or Empty Files + files.removeIf(file -> Strings.isNullOrEmpty(file)); + + this.sslContext = SecurityUtility.createNettySslContextForServer(tlsAllowInsecureConnection, + tlsTrustCertsFilePath, tlsCertificateFilePath, tlsKeyFilePath, tlsCiphers, tlsProtocols, + tlsRequireTrustedClientCertOnConnect); + + for (String file : files) { + LOG.info("File {}", file); + Path p = Paths.get(file).getParent(); + WatchService watchService = p.getFileSystem().newWatchService(); + WatchKey key = p.register(watchService, StandardWatchEventKinds.ENTRY_CREATE, + StandardWatchEventKinds.ENTRY_DELETE, StandardWatchEventKinds.ENTRY_MODIFY, + StandardWatchEventKinds.OVERFLOW); + watchKeys.add(key); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("Certs will be refreshed every {} minutes", delay); + } + + if (delay > 0) { + run(); + } + } + + public void run() { + for (WatchKey key : watchKeys) { + List> events = key.pollEvents(); + for (WatchEvent e : events) { + String file = ((Path) key.watchable()).toFile().getAbsolutePath(); + if (e.kind().equals(StandardWatchEventKinds.OVERFLOW)) { + LOG.warn("Overflow occured for file {} - rebuilding sslContext", file); + buildSSLContext(); + break; + } else if (files.contains(file)) { + LOG.info("Changed found for file {} - rebuilding sslContext", file); + buildSSLContext(); + break; + } else if (LOG.isDebugEnabled()) { + LOG.debug("Ignoring changes for file {}.", file); + } + } + } + this.eventLoopGroup.schedule(this, this.delay, this.timeunit); + } + + public void buildSSLContext() { + SslContext sslContext; + try { + sslContext = SecurityUtility.createNettySslContextForServer(tlsAllowInsecureConnection, + tlsTrustCertsFilePath, tlsCertificateFilePath, tlsKeyFilePath, tlsCiphers, tlsProtocols, + tlsRequireTrustedClientCertOnConnect); + } catch (GeneralSecurityException | IOException e) { + LOG.error("Error occured while trying to create sslContext - using previous one."); + return; + } + this.sslContext = sslContext; + } + + public SslContext get() { Review comment: Instead of using a background thread, couldn't we just check a timestamp here to check whether the cached context is still valid? ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: users@infra.apache.org With regards, Apache Git Services