diff options
| author | Morten Tokle <mortent@oath.com> | 2018-03-19 09:53:50 +0100 |
|---|---|---|
| committer | Morten Tokle <mortent@oath.com> | 2018-03-19 10:39:35 +0100 |
| commit | afcd6a38c9c4c60158538ef6e60cac3fccd85243 (patch) | |
| tree | 1f30808dab4f3aadd59c8207fa0400486e073c14 /vespa-athenz | |
| parent | fef6ee8bfec60b77723a980e74527c29315e7e95 (diff) | |
Cache sslcontext
Diffstat (limited to 'vespa-athenz')
| -rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java index 67d8c20d6a1..c0705926a0a 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java @@ -2,6 +2,7 @@ package com.yahoo.vespa.athenz.identity; import com.yahoo.athenz.auth.util.Crypto; +import com.yahoo.component.AbstractComponent; import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider; import com.yahoo.vespa.athenz.api.AthenzDomain; import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate; @@ -14,22 +15,36 @@ import java.io.File; import java.nio.file.Paths; import java.security.PrivateKey; import java.security.cert.X509Certificate; +import java.time.Duration; +import java.util.concurrent.ScheduledExecutorService; +import java.util.concurrent.ScheduledFuture; +import java.util.concurrent.ScheduledThreadPoolExecutor; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicReference; /** * @author mortent */ -public class SiaIdentityProvider implements AthenzIdentityProvider { +public class SiaIdentityProvider extends AbstractComponent implements AthenzIdentityProvider { + + private static final Duration REFRESH_INTERVAL = Duration.ofHours(1); private final AthenzDomain domain; private final AthenzService service; private final String path; private final String trustStorePath; + AtomicReference<SSLContext> sslContext; + private final ScheduledExecutorService scheduler = new ScheduledThreadPoolExecutor(1); public SiaIdentityProvider(SiaProviderConfig siaProviderConfig) { this.domain = new AthenzDomain(siaProviderConfig.athenzDomain()); this.service = new AthenzService(domain, siaProviderConfig.athenzService()); this.path = siaProviderConfig.keyPathPrefix(); this.trustStorePath = siaProviderConfig.trustStorePath(); + + sslContext.set(createIdentitySslContext()); + + scheduler.scheduleAtFixedRate(this::reloadSslContext, REFRESH_INTERVAL.toMinutes(), REFRESH_INTERVAL.toMinutes(), TimeUnit.MINUTES); } @Override @@ -44,6 +59,10 @@ public class SiaIdentityProvider implements AthenzIdentityProvider { @Override public SSLContext getIdentitySslContext() { + return sslContext.get(); + } + + private SSLContext createIdentitySslContext() { X509Certificate certificate = Crypto.loadX509Certificate(Paths.get(path, "certs", String.format("%s.%s.cert.pem", getDomain(),getService())).toFile()); PrivateKey privateKey = Crypto.loadPrivateKey(Paths.get(path, "keys", String.format("%s.%s.key.pem", getDomain(),getService())).toFile()); @@ -52,4 +71,18 @@ public class SiaIdentityProvider implements AthenzIdentityProvider { .withIdentityCertificate(new AthenzIdentityCertificate(certificate, privateKey)) .build(); } + + private void reloadSslContext() { + this.sslContext.set(createIdentitySslContext()); + } + + @Override + public void deconstruct() { + try { + scheduler.shutdownNow(); + scheduler.awaitTermination(90, TimeUnit.SECONDS); + } catch (InterruptedException e) { + throw new RuntimeException(e); + } + } } |