diff options
author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-28 15:07:46 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-11-28 15:10:09 +0100 |
commit | 910fd0b29b0fdaf7660dc22ed289dc0c7748fa89 (patch) | |
tree | 4051a7bd703c2f1575dc69cb7480a33f342c9944 /security-utils | |
parent | 92160a2154e6c3f4fbe964f0a89b89443ea668ee (diff) |
Add TlsContext interface with a implementation based on tls options
Diffstat (limited to 'security-utils')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java | 87 | ||||
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java | 18 |
2 files changed, 105 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java new file mode 100644 index 00000000000..7c487388e2f --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java @@ -0,0 +1,87 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import com.yahoo.security.SslContextBuilder; +import com.yahoo.security.tls.authz.PeerAuthorizerTrustManager; +import com.yahoo.security.tls.authz.PeerAuthorizerTrustManagersFactory; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; +import java.nio.file.Path; +import java.time.Duration; +import java.util.concurrent.Executors; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicReference; +import java.util.logging.Level; +import java.util.logging.Logger; + +/** + * A {@link TlsContext} that regularly reloads the credentials referred to from the transport security options file. + * + * @author bjorncs + */ +public class ConfigFileManagedTlsContext implements TlsContext { + + private static final Duration UPDATE_PERIOD = Duration.ofHours(1); + + private static final Logger log = Logger.getLogger(ConfigFileManagedTlsContext.class.getName()); + + private final Path tlsOptionsConfigFile; + private final PeerAuthorizerTrustManager.Mode mode; + private final AtomicReference<SSLContext> currentSslContext; + private final ScheduledExecutorService scheduler = + Executors.newSingleThreadScheduledExecutor(runnable -> { + Thread thread = new Thread(runnable, "tls-context-reloader"); + thread.setDaemon(true); + return thread; + }); + + + public ConfigFileManagedTlsContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) { + this.tlsOptionsConfigFile = tlsOptionsConfigFile; + this.mode = mode; + this.currentSslContext = new AtomicReference<>(createSslContext(tlsOptionsConfigFile, mode)); + this.scheduler.scheduleAtFixedRate(new SslContextReloader(), + UPDATE_PERIOD.getSeconds()/*initial delay*/, + UPDATE_PERIOD.getSeconds(), + TimeUnit.SECONDS); + } + + public SSLEngine createSslEngine() { + return currentSslContext.get().createSSLEngine(); + } + + private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) { + TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile); + SslContextBuilder builder = new SslContextBuilder(); + options.getCertificatesFile() + .ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates)); + options.getCaCertificatesFile().ifPresent(builder::withTrustStore); + options.getAuthorizedPeers().ifPresent( + authorizedPeers -> builder.withTrustManagerFactory(new PeerAuthorizerTrustManagersFactory(authorizedPeers, mode))); + return builder.build(); + } + + @Override + public void close() { + try { + scheduler.shutdownNow(); + scheduler.awaitTermination(5, TimeUnit.SECONDS); + } catch (InterruptedException e) { + throw new RuntimeException(e); + } + } + + private class SslContextReloader implements Runnable { + @Override + public void run() { + try { + currentSslContext.set(createSslContext(tlsOptionsConfigFile, mode)); + } catch (Throwable t) { + log.log(Level.SEVERE, String.format("Failed to load SSLContext (path='%s'): %s", tlsOptionsConfigFile, t.getMessage()), t); + } + } + } + +} diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java new file mode 100644 index 00000000000..58687a0ba8f --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -0,0 +1,18 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; + +/** + * A simplified version of {@link SSLContext} modelled as an interface. + * + * @author bjorncs + */ +public interface TlsContext extends AutoCloseable { + + SSLEngine createSslEngine(); + + @Override default void close() {} + +} |