Skip to content

Commit

Permalink
fix subscription model, and add tests
Browse files Browse the repository at this point in the history
  • Loading branch information
trentjeff committed Sep 25, 2023
1 parent e6ba175 commit f7caf28
Show file tree
Hide file tree
Showing 8 changed files with 217 additions and 10 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ public class ConfiguredTlsManager implements TlsManager {

private final String name;
private final String type;
private final Set<Consumer<SSLContext>> sslContextConsumers = new LinkedHashSet<>();
private final Set<Consumer<SSLContext>> subscribers = new LinkedHashSet<>();
private volatile SSLContext sslContext;

ConfiguredTlsManager() {
Expand Down Expand Up @@ -96,7 +96,7 @@ public SSLContext sslContext() {

@Override // TlsManager
public void subscribe(Consumer<SSLContext> sslContextConsumer) {
sslContextConsumers.add(Objects.requireNonNull(sslContextConsumer));
subscribers.add(Objects.requireNonNull(sslContextConsumer));
}

@Override // TlsManager
Expand Down Expand Up @@ -129,7 +129,9 @@ public void init(WebServerTls tlsConfig) {
* @param tlsConfig the tls config
* @param keyManagers the key managers
* @param trustManagers the trust managers
* @deprecated this method will removed in a future release.
*/
@Deprecated
protected void initSslContext(WebServerTls tlsConfig,
KeyManager[] keyManagers,
TrustManager[] trustManagers) {
Expand Down Expand Up @@ -159,7 +161,7 @@ protected void reload(WebServerTls tlsConfig,
initSslContext(tlsConfig, keyManagers, trustManagers);

// notify subscribers
sslContextConsumers.forEach(c -> c.accept(sslContext));
subscribers.forEach(c -> c.accept(sslContext));
}

/**
Expand All @@ -186,7 +188,9 @@ protected TrustManagerFactory trustAllTmf() {
*
* @param tlsConfig TLS config
* @return a new trust manager factory
* @deprecated this method will removed in a future release.
*/
@Deprecated
protected TrustManagerFactory createTmf(WebServerTls tlsConfig) {
try {
return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
Expand All @@ -195,8 +199,16 @@ protected TrustManagerFactory createTmf(WebServerTls tlsConfig) {
}
}

private void configureAndSet(WebServerTls tlsConfig,
SSLContext sslContext) {
/**
* Configure the {@link SSLContext} based upon configuration, and then store the instance.
*
* @param tlsConfig TLS config
* @param sslContext ssl context to store
* @deprecated this method will removed in a future release.
*/
@Deprecated
protected void configureAndSet(WebServerTls tlsConfig,
SSLContext sslContext) {
SSLSessionContext serverSessionContext = sslContext.getServerSessionContext();
if (serverSessionContext != null) {
int sessionCacheSize = tlsConfig.sessionCacheSize();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,13 @@ class NettyWebServer implements WebServer {
bootstraps.put(name, bootstrap);

// subscribe to updates
soConfig.tls().ifPresent(tlsConfig -> updateTls(tlsConfig, name));
Optional<WebServerTls> webServerTls = soConfig.tls();
webServerTls
.map(WebServerTls::manager)
.ifPresent(manager -> manager.subscribe(newCtx -> {
SslContext newSslCts = createSslContext(webServerTls.get(), newCtx);
childHandler.updateSslContext(newSslCts);
}));
}

// Log entry that also initializes NettyInitializer class
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, 2022 Oracle and/or its affiliates.
* Copyright (c) 2017, 2023 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -30,17 +30,24 @@
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.net.ssl.SSLContext;

import io.helidon.common.http.DataChunk;
import io.helidon.common.http.Http;
import io.helidon.common.reactive.Multi;
import io.helidon.config.Config;
import io.helidon.config.ConfigSources;
import io.helidon.webserver.spi.FakeReloadableTlsManager;

import org.hamcrest.collection.IsCollectionWithSize;
import org.hamcrest.core.Is;
import org.junit.jupiter.api.Test;

import static io.helidon.config.testing.OptionalMatcher.present;
import static org.hamcrest.CoreMatchers.instanceOf;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.CoreMatchers.notNullValue;
import static org.hamcrest.CoreMatchers.sameInstance;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.greaterThan;
import static org.hamcrest.core.AllOf.allOf;
Expand Down Expand Up @@ -272,4 +279,32 @@ public void additionalCoupledPairedRoutingsDoWork() {

assertThat(webServer.configuration().namedSocket("matched"), present());
}

@Test
@SuppressWarnings("deprecation")
void tlsManagerReloadability() {
Config config = Config.builder().sources(ConfigSources.classpath("config-with-ssl-and-tls-manager.conf")).build();
Config webServerConfig = config.get("webserver");
assertThat(webServerConfig.exists(), is(true));

WebServer webServer = WebServer.builder().config(webServerConfig).build();
assertThat(webServer.hasTls("secure"), is(true));

WebServerTls tlsConfig = webServer.configuration().namedSocket("secure").orElseThrow().tls().orElseThrow();
assertThat(tlsConfig.manager(), instanceOf(FakeReloadableTlsManager.class));
FakeReloadableTlsManager fake = (FakeReloadableTlsManager) tlsConfig.manager();
assertThat(fake.subscribers().size(), is(1));

SSLContext sslContext = fake.sslContext();
assertThat(sslContext, notNullValue());
assertThat("should only change after reload", sslContext, sameInstance(fake.sslContext()));

fake.reload(tlsConfig, null, null);
assertThat("sanity", fake.subscribers().size(), is(1));

SSLContext sslContextAfter = fake.sslContext();
assertThat(sslContextAfter, notNullValue());
assertThat("should be changed after reload", sslContextAfter, not(sameInstance(sslContext)));
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -17,15 +17,23 @@
package io.helidon.webserver;

import java.net.InetAddress;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;

import javax.net.ssl.SSLContext;

import io.helidon.config.Config;
import io.helidon.config.ConfigSources;
import io.helidon.webserver.spi.FakeReloadableTlsManager;

import org.junit.jupiter.api.Test;

import static org.hamcrest.CoreMatchers.instanceOf;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.CoreMatchers.notNullValue;
import static org.hamcrest.CoreMatchers.nullValue;
import static org.hamcrest.CoreMatchers.sameInstance;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.hasSize;
Expand Down Expand Up @@ -126,4 +134,44 @@ public void sslFromConfig() throws Exception {
assertThat(sc.socket("secure").enabledSslProtocols(), contains("TLSv1.2"));
assertThat(sc.socket("secure").ssl(), notNullValue());
}

@Test
@SuppressWarnings({"deprecation", "removal"})
public void tlsManagerWithConsumerSubscriptionsOnReload() {
Config config = Config.builder().sources(ConfigSources.classpath("config-with-ssl-and-tls-manager.conf")).build();
ServerConfiguration sc = config.get("webserver").as(ServerConfiguration::create).get();
SocketConfiguration sockCfg = sc.socket("secure");
SSLContext sslCtx = sockCfg.ssl();

assertThat(sockCfg.port(), is(8443));
assertThat(sockCfg.enabledSslProtocols(), contains("TLSv1.2"));
assertThat(sslCtx, notNullValue());

WebServerTls secureConfig = sc.socket("secure").tls().orElseThrow();
assertThat(secureConfig.trustAll(), is(true));

TlsManager manager = secureConfig.manager();
assertThat(manager, instanceOf(FakeReloadableTlsManager.class));

FakeReloadableTlsManager fake = (FakeReloadableTlsManager) manager;
assertThat(fake.tlsConfig(), sameInstance(secureConfig));
assertThat(fake.sslContext(), sameInstance(sockCfg.ssl()));
assertThat(fake.subscribers().size(), is(0));

AtomicInteger counter = new AtomicInteger();
AtomicReference<SSLContext> sslCtxRef = new AtomicReference<>();
fake.subscribe(sslContext -> {
assertThat(sslContext, notNullValue());
sslCtxRef.set(sslContext);
counter.incrementAndGet();
});
assertThat(fake.subscribers().size(), is(1));
assertThat(counter.get(), is(0));

fake.reload(secureConfig, null, null);
assertThat(counter.get(), is(1));
assertThat(sslCtxRef, notNullValue());
assertThat(sslCtxRef, not(sameInstance(sslCtx)));
}

}
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
/*
* Copyright (c) 2023 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package io.helidon.webserver.spi;

import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.Consumer;

import javax.net.ssl.SSLContext;

import io.helidon.webserver.ConfiguredTlsManager;
import io.helidon.webserver.WebServerTls;

@SuppressWarnings("deprecation")
public class FakeReloadableTlsManager extends ConfiguredTlsManager {
private final Set<Consumer<SSLContext>> subscribers = new LinkedHashSet<>();
private WebServerTls tlsConfig;

FakeReloadableTlsManager(String name) {
super(name, "fake-type");
}

@Override // TlsManager
public void init(WebServerTls tlsConfig) {
super.init(tlsConfig);
}

@Override // TlsManager
public void subscribe(Consumer<SSLContext> sslContextConsumer) {
super.subscribe(sslContextConsumer);
subscribers.add(sslContextConsumer);
}

public Set<Consumer<SSLContext>> subscribers() {
return subscribers;
}

@Override
protected void configureAndSet(WebServerTls tlsConfig,
SSLContext sslContext) {
super.configureAndSet(tlsConfig, sslContext);

this.tlsConfig = tlsConfig;
}

public WebServerTls tlsConfig() {
return tlsConfig;
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,11 @@
package io.helidon.webserver.spi;

import io.helidon.config.Config;
import io.helidon.webserver.ConfiguredTlsManager;
import io.helidon.webserver.TlsManager;

/**
* Testing only - service loaded.
*
* @deprecated
*/
@Deprecated
Expand All @@ -40,7 +40,7 @@ public String configKey() {

@Override
public TlsManager create(Config config, String name) {
return new ConfiguredTlsManager(name, name) {};
return new FakeReloadableTlsManager(name);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ void goodConfig() {
assertThat(configuredTlsManager.name(),
equalTo("fake"));
assertThat(configuredTlsManager.type(),
equalTo("fake"));
equalTo("fake-type"));
}

}
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
#
# Copyright (c) 2023 Oracle and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

webserver: {
sockets: {
secure: {
port: 8443,
bind-address: "127.0.0.1",
tls: {
trust-all: true
manager: {
fake: {
}
},
protocols: [
"TLSv1.2"
],
private-key: {
keystore: {
resource {
resource-path: "certificate.p12"
}
passphrase: "helidon"
}
}
}
}
}
}

0 comments on commit f7caf28

Please sign in to comment.