Refresh Certs every X minutes #3568
Conversation
|
rerun java8 tests |
| this.sslContext = sslContext; | ||
| } | ||
|
|
||
| public SslContext get() { |
There was a problem hiding this comment.
Instead of using a background thread, couldn't we just check a timestamp here to check whether the cached context is still valid?
There was a problem hiding this comment.
We could even just check the stat of the file each time, without having to configure a caching time. If the file hasn't changed since last time, then reuse context.
There was a problem hiding this comment.
Agreed - will make the changes accordingly.
| for (String file : files) { | ||
| LOG.info("File {}", file); | ||
| Path p = Paths.get(file).getParent(); | ||
| WatchService watchService = p.getFileSystem().newWatchService(); |
There was a problem hiding this comment.
Why to do we need to poll if we're using a "watch-service"? Isn't this supposed to notify when the files are changed?
There was a problem hiding this comment.
I believe Watch service doesn't have a callback, it just has a polling mechanism.
https://docs.oracle.com/javase/8/docs/api/java/nio/file/WatchService.html
| * | ||
| * @return a Client Certificate File Path, or null if data is not available | ||
| */ | ||
| default String getCertFilePath() { |
There was a problem hiding this comment.
Again, I don't think it's a good option to have these 2 here, since the auth data provider is not specific to TLS.
There was a problem hiding this comment.
I added refresh() instead
jai1
force-pushed
the
expiry
branch
2 times, most recently
from
810cf2e
to
c55ac9b
Compare
| * Refresh Authentication Data. | ||
| * | ||
| */ | ||
| default void refresh() { |
There was a problem hiding this comment.
But shouldn't this be dealt internally by implementations? Why should we triggering it from outside?
For example: when reading token credential you have different ways to refresh the token data (eg: passing a Supplier<String> or by refreshing the token file).
The implementation will have more information about when it has to refresh, so it would be better to leave the decision inside there.
My point is that TLS plugin should do the caching in its own implementation, for example by checking the last modified of cert file when client lib calls getTlsCertificates()
|
@merlimat and @rdhabalia - Can you review this? |
| } | ||
| } | ||
|
|
||
| @Override | ||
| protected void initChannel(SocketChannel ch) throws Exception { | ||
| if (serverSslCtx != null) { | ||
| ch.pipeline().addLast(TLS_HANDLER, serverSslCtx.newHandler(ch.alloc())); | ||
| if (this.enableTls) { |
There was a problem hiding this comment.
can we check null for serverSslCtxRefresher to avoid NPE in future.
| } | ||
| } | ||
|
|
||
| @Override | ||
| protected void initChannel(SocketChannel ch) throws Exception { | ||
| if (sslCtx != null) { | ||
| ch.pipeline().addLast(TLS_HANDLER, sslCtx.newHandler(ch.alloc())); | ||
| if (this.enableTls) { |
There was a problem hiding this comment.
same here.. can we add null check for sslCtxRefresher.get()
| FileTime newLastModifiedTime = updateLastModifiedTime(); | ||
| if (newLastModifiedTime != null && !newLastModifiedTime.equals(lastModifiedTime)) { | ||
| this.lastModifiedTime = newLastModifiedTime; | ||
| ret = true; |
There was a problem hiding this comment.
instead having boolean var, can we just return true here and return false in the next line.
| try { | ||
| return Files.getLastModifiedTime(p); | ||
| } catch (IOException e) { | ||
| LOG.error("Unable to fetch lastModified time for file {}: ", fileName, e); |
There was a problem hiding this comment.
instead catching exception, should we log and throw up to top level and let it be handled at caller?
| tlsCiphers, tlsProtocols, tlsRequireTrustedClientCertOnConnect); | ||
| } | ||
|
|
||
| public SslContext get() { |
There was a problem hiding this comment.
do we need this method thread-safe?
|
rerun integration tests |
| } | ||
| } | ||
|
|
||
| @Override | ||
| protected void initChannel(SocketChannel ch) throws Exception { | ||
| if (sslCtx != null) { | ||
| ch.pipeline().addLast(TLS_HANDLER, sslCtx.newHandler(ch.alloc())); | ||
| if (this.enableTls) { |
There was a problem hiding this comment.
can you also add null check for sslCtxRefresher here.
Motivation
If certs are refreshed on the file system we need to refresh the certs and recreate the TLS Channel.
Modifications
SslContextRefresher.javawhich usesjava.nio.file.WatchEventsto detect file system changes and refresh the certs.java.nio.file.WatchEventsdetects file system changes it will refresh the sslcontext