author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-01-14 13:41:08 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-01-14 13:49:44 +0100 |
commit | 2985d11c35f0e5eb6f176c1ef758ada7fc910e60 (patch) | |
tree | 93b90ffdd4351b3a808cbb7fb42ac579d187fa23 /security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java | |
parent | ca91a0771b5b4fffd6e883dc2868a1cce2bfb9d5 (diff) |
Use a single, shared TlsContext instance
The configuration is based on environment variables, which are effectively fixed through the life of the JVM instance.
This simplification removes the need for complex cleanup logic based on manual reference counting and weak references.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
index f28cad2a071..af77827ae16 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -13,6 +13,8 @@ import java.util.Optional;
  */
 public class TransportSecurityUtils {
 
+    private static ConfigFileBasedTlsContext systemTlsContext;
+
     public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
     public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
     public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE";
@@ -64,13 +66,30 @@ public class TransportSecurityUtils {
                 .map(TransportSecurityOptions::fromJsonFile);
     }
 
-    public static Optional<TlsContext> createTlsContext() {
-        return getConfigFile()
-                .map(configFile -> new ConfigFileBasedTlsContext(configFile, getInsecureAuthorizationMode()));
+    /**
+     * @return The shared {@link TlsContext} for the Vespa system environment
+     */
+    public static Optional<TlsContext> getSystemTlsContext() {
+        synchronized (TransportSecurityUtils.class) {
+            Path configFile = getConfigFile().orElse(null);
+            if (configFile == null) return Optional.empty();
+            if (systemTlsContext == null) {
+                systemTlsContext = new SystemTlsContext(configFile);
+            }
+            return Optional.of(systemTlsContext);
+        }
     }
 
     private static Optional<String> getEnvironmentVariable(Map<String, String> environmentVariables, String variableName) {
         return Optional.ofNullable(environmentVariables.get(variableName))
                 .filter(var -> !var.isEmpty());
     }
+
+    private static class SystemTlsContext extends ConfigFileBasedTlsContext {
+        SystemTlsContext(Path tlsOptionsConfigFile) {
+            super(tlsOptionsConfigFile, getInsecureAuthorizationMode());
+        }
+
+        @Override public void close() { throw new UnsupportedOperationException("Shared TLS context cannot be closed"); }
+    }
 }
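Review bot: The Javadoc on getSystemTlsContext() does not tell callers that the returned context must not be closed, yet SystemTlsContext.close() at the bottom of the hunk throws UnsupportedOperationException; any caller that kept a try-with-resources around the result (natural for the removed createTlsContext()) now fails at the end of the block, and if the block body itself threw, that close() exception is added as a suppressed exception rather than being obviously attributable to this change. Extend the Javadoc with `The returned context is shared for the life of the JVM and must not be closed; its {@code close()} throws {@link UnsupportedOperationException}.` and state that an empty result means no TLS configuration file is set. As a point of style, the monitor is the public class literal `TransportSecurityUtils.class`, which any other code can synchronize on; a `private static final Object LOCK = new Object();` would keep the lazy-initialization critical section private to this class. The field on the first hunk is typed as ConfigFileBasedTlsContext although only SystemTlsContext is ever assigned; narrowing it to SystemTlsContext makes the no-close contract visible at the declaration.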