Use a single, shared TlsContext instance

The configuration is based on environment variables, which are effectively fixed through the life of the JVM instance. This simplifaction removes the need for complex cleanup logic based on manual reference counting and weak references.
author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-01-14 13:41:08 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-01-14 13:49:44 +0100
commit: 2985d11c35f0e5eb6f176c1ef758ada7fc910e60 (patch)
tree: 93b90ffdd4351b3a808cbb7fb42ac579d187fa23 /security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
parent: ca91a0771b5b4fffd6e883dc2868a1cce2bfb9d5 (diff)
1 files changed, 22 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
index f28cad2a071..af77827ae16 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
@@ -13,6 +13,8 @@ import java.util.Optional;
  */
 public class TransportSecurityUtils {
 
+    private static ConfigFileBasedTlsContext systemTlsContext;
+
     public static final String CONFIG_FILE_ENVIRONMENT_VARIABLE = "VESPA_TLS_CONFIG_FILE";
     public static final String INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_MIXED_MODE";
     public static final String INSECURE_AUTHORIZATION_MODE_ENVIRONMENT_VARIABLE = "VESPA_TLS_INSECURE_AUTHORIZATION_MODE";
@@ -64,13 +66,30 @@ public class TransportSecurityUtils {
                 .map(TransportSecurityOptions::fromJsonFile);
     }
 
-    public static Optional<TlsContext> createTlsContext() {
-        return getConfigFile()
-                .map(configFile -> new ConfigFileBasedTlsContext(configFile, getInsecureAuthorizationMode()));
+    /**
+     * @return The shared {@link TlsContext} for the Vespa system environment
+     */
+    public static Optional<TlsContext> getSystemTlsContext() {
+        synchronized (TransportSecurityUtils.class) {
+            Path configFile = getConfigFile().orElse(null);
+            if (configFile == null) return Optional.empty();
+            if (systemTlsContext == null) {
+                systemTlsContext = new SystemTlsContext(configFile);
+            }
+            return Optional.of(systemTlsContext);
+        }
     }
 
     private static Optional<String> getEnvironmentVariable(Map<String, String> environmentVariables, String variableName) {
         return Optional.ofNullable(environmentVariables.get(variableName))
                 .filter(var -> !var.isEmpty());
     }
+
+    private static class SystemTlsContext extends ConfigFileBasedTlsContext {
+        SystemTlsContext(Path tlsOptionsConfigFile) {
+            super(tlsOptionsConfigFile, getInsecureAuthorizationMode());
+        }
+
+        @Override public void close() { throw new UnsupportedOperationException("Shared TLS context cannot be closed"); }
+    }
 }
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-01-14 13:41:08 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-01-14 13:49:44 +0100
commit	2985d11c35f0e5eb6f176c1ef758ada7fc910e60 (patch)
tree	93b90ffdd4351b3a808cbb7fb42ac579d187fa23 /security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityUtils.java
parent	ca91a0771b5b4fffd6e883dc2868a1cce2bfb9d5 (diff)