Add XDG standard path auto-discovery for PVA TLS keychains #3782
kasemir
Actually, that might now work.
if (EPICS_PVAS_TLS_KEYCHAIN.isEmpty()), it auto-discovers. How do I disable TLS? With the C++ implementation, I understand you can
export EPICS_PVAS_TLS_KEYCHAIN=""
so now it's defined but empty, and that disables TLS.
Right now it's a little hard to distinguish between not-defined and defined-as-empty....
When EPICS_PVA_TLS_KEYCHAIN or EPICS_PVAS_TLS_KEYCHAIN is explicitly set to an empty string, TLS should be disabled -- matching PVXS behaviour where 'export EPICS_PVA_TLS_KEYCHAIN=""' is the documented way to force plain TCP.
Previously isEmpty() was the only guard, which conflated two distinct cases:
1. Variable not defined at all -> auto-discover from XDG path
2. Variable explicitly set to "" -> user wants TLS disabled
Add isDefined() helper that checks both System.getProperty() and System.getenv(). XDG discovery now only runs when the variable is absent (case 1); an explicitly-blank value suppresses discovery (case 2).
george-mcintyre
Good catch, thanks Kay. Fixed in a9d5e46 — added isDefined() which checks System.getProperty() and System.getenv() directly to distinguish "variable absent" from "variable explicitly set to empty".
The XDG auto-discovery now only runs when the variable is absent (not defined in env or as a Java property). Setting export EPICS_PVA_TLS_KEYCHAIN="" (or export EPICS_PVAS_TLS_KEYCHAIN="") explicitly to blank will suppress discovery and keep TLS disabled, matching the C++ behaviour you described.
Motivation
PVXS (the reference C++ PVA implementation) stores its keystores at the XDG standard location:
where $XDG_CONFIG_HOME defaults to ~/.config on Linux and the platform-appropriate equivalent on macOS/Windows.
The Java client had no equivalent discovery logic: EPICS_PVA_TLS_KEYCHAIN had to be set explicitly, making interoperability with a PVXS-configured system painful in development environments and CI.
Change
PVASettings now probes the XDG path for client.p12/server.p12 at startup when EPICS_PVA_TLS_KEYCHAIN/EPICS_PVAS_TLS_KEYCHAIN are not explicitly set. If a keychain is found at the XDG location it is used automatically, matching PVXS behaviour and requiring zero configuration when the user has already set up PVXS.
Explicit env-var settings always take precedence; the XDG probe is only a fallback.
Files Changed
core/pva/src/main/java/org/epics/pva/PVASettings.java
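The three cases discussed in this thread (variable absent, variable set to empty, variable set to a path), written out as an added example; this is not the code in PVASettings.java. The class, enum and method names are hypothetical, the probe directory is passed in by the caller because the page does not show the XDG path, and giving Java properties precedence over the environment and treating a whitespace-only value as empty are assumptions. Returning the source alongside the path lets a caller log whether TLS came from an explicit setting or from discovery.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.Properties;

/** Added illustration, not the code in PVASettings.java */
public class KeychainResolution
{
    enum Source { EXPLICIT, DISABLED, DISCOVERED, NONE }

    /** keychain is null unless source is EXPLICIT or DISCOVERED */
    record Result(Source source, Path keychain) {}

    /** @param name Setting name such as EPICS_PVA_TLS_KEYCHAIN
     *  @param props Java properties, assumed here to win over the environment
     *  @param env Environment variables
     *  @param xdgDir Directory to probe, supplied by the caller
     *  @param filename client.p12 or server.p12
     */
    static Result resolve(String name, Properties props, Map<String, String> env,
                          Path xdgDir, String filename)
    {
        // null means "not defined", "" means "defined as empty": keep them apart
        String value = props.getProperty(name);
        if (value == null)
            value = env.get(name);

        if (value != null)
            return value.isBlank()
                 ? new Result(Source.DISABLED, null)      // explicit opt-out, no probing
                 : new Result(Source.EXPLICIT, Path.of(value));

        // Only an absent variable falls back to discovery
        Path candidate = xdgDir.resolve(filename);
        if (Files.isRegularFile(candidate) && Files.isReadable(candidate))
            return new Result(Source.DISCOVERED, candidate);
        return new Result(Source.NONE, null);
    }

    public static void main(String[] args) throws Exception
    {
        Path dir = Files.createTempDirectory("xdg-demo"); // constructed stand-in directory
        Files.createFile(dir.resolve("client.p12"));      // constructed empty file
        String name = "EPICS_PVA_TLS_KEYCHAIN";
        Properties props = new Properties();
        System.out.println(resolve(name, props, Map.of(), dir, "client.p12"));          // variable absent
        System.out.println(resolve(name, props, Map.of(name, ""), dir, "client.p12"));  // set to ""
        System.out.println(resolve(name, props, Map.of(name, "/tmp/my.p12"), dir, "client.p12")); // set to a path
    }
}
```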