Add TlsContext interface with a implementation based on tls options

author: Bjørn Christian Seime <bjorncs@oath.com> 2018-11-28 15:07:46 +0100
committer: Bjørn Christian Seime <bjorncs@oath.com> 2018-11-28 15:10:09 +0100
commit: 910fd0b29b0fdaf7660dc22ed289dc0c7748fa89 (patch)
tree: 4051a7bd703c2f1575dc69cb7480a33f342c9944 /security-utils
parent: 92160a2154e6c3f4fbe964f0a89b89443ea668ee (diff)
2 files changed, 105 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java
new file mode 100644
index 00000000000..7c487388e2f
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java
@@ -0,0 +1,87 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import com.yahoo.security.SslContextBuilder;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import java.nio.file.Path;
+import java.time.Duration;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * A {@link TlsContext} that regularly reloads the credentials referred to from the transport security options file.
+ *
+ * @author bjorncs
+ */
+public class ConfigFileManagedTlsContext implements TlsContext {
+
+    private static final Duration UPDATE_PERIOD = Duration.ofHours(1);
+
+    private static final Logger log = Logger.getLogger(ConfigFileManagedTlsContext.class.getName());
+
+    private final Path tlsOptionsConfigFile;
+    private final PeerAuthorizerTrustManager.Mode mode;
+    private final AtomicReference<SSLContext> currentSslContext;
+    private final ScheduledExecutorService scheduler =
+            Executors.newSingleThreadScheduledExecutor(runnable -> {
+                Thread thread = new Thread(runnable, "tls-context-reloader");
+                thread.setDaemon(true);
+                return thread;
+            });
+
+
+    public ConfigFileManagedTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+        this.tlsOptionsConfigFile = tlsOptionsConfigFile;
+        this.mode = mode;
+        this.currentSslContext = new AtomicReference<>(createSslContext(tlsOptionsConfigFile, mode));
+        this.scheduler.scheduleAtFixedRate(new SslContextReloader(),
+                                           UPDATE_PERIOD.getSeconds()/*initial delay*/,
+                                           UPDATE_PERIOD.getSeconds(),
+                                           TimeUnit.SECONDS);
+    }
+
+    public SSLEngine createSslEngine() {
+        return currentSslContext.get().createSSLEngine();
+    }
+
+    private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
+        TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
+        SslContextBuilder builder = new SslContextBuilder();
+        options.getCertificatesFile()
+                .ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));
+        options.getCaCertificatesFile().ifPresent(builder::withTrustStore);
+        options.getAuthorizedPeers().ifPresent(
+                authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode)));
+        return builder.build();
+    }
+
+    @Override
+    public void close() {
+        try {
+            scheduler.shutdownNow();
+            scheduler.awaitTermination(5, TimeUnit.SECONDS);
+        } catch (InterruptedException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private class SslContextReloader implements Runnable {
+        @Override
+        public void run() {
+            try {
+                currentSslContext.set(createSslContext(tlsOptionsConfigFile, mode));
+            } catch (Throwable t) {
+                log.log(Level.SEVERE, String.format("Failed to load SSLContext (path='%s'): %s", tlsOptionsConfigFile, t.getMessage()), t);
+            }
+        }
+    }
+
+}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
new file mode 100644
index 00000000000..58687a0ba8f
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -0,0 +1,18 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+
+/**
+ * A simplified version of {@link SSLContext} modelled as an interface.
+ *
+ * @author bjorncs
+ */
+public interface TlsContext extends AutoCloseable {
+
+    SSLEngine createSslEngine();
+
+    @Override default void close() {}
+
+}
author	Bjørn Christian Seime <bjorncs@oath.com>	2018-11-28 15:07:46 +0100
committer	Bjørn Christian Seime <bjorncs@oath.com>	2018-11-28 15:10:09 +0100
commit	910fd0b29b0fdaf7660dc22ed289dc0c7748fa89 (patch)
tree	4051a7bd703c2f1575dc69cb7480a33f342c9944 /security-utils
parent	92160a2154e6c3f4fbe964f0a89b89443ea668ee (diff)