Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #8786 - add configuration for KeyStoreScanner to not resolve aliases #8787

Merged
merged 4 commits into from
Nov 10, 2022
Merged

Issue #8786 - add configuration for KeyStoreScanner to not resolve aliases #8787

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4d15593
Issue #8786 - add configuration for KeyStoreScanner to not resolve al…
lachlan-roberts Oct 31, 2022
8607e3e
changes to ssl-reload module & documentation from review
lachlan-roberts Nov 3, 2022
3b7ea99
set type of arg in jetty-ssl-context-reload.xml
lachlan-roberts Nov 3, 2022
0a14cca
changes from review - rename resolveAlias to followLinks
lachlan-roberts Nov 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,11 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr
private final Scanner _scanner;

public KeyStoreScanner(SslContextFactory sslContextFactory)
{
this(sslContextFactory, false);
lachlan-roberts marked this conversation as resolved.
Show resolved Hide resolved
}

public KeyStoreScanner(SslContextFactory sslContextFactory, boolean resolveAlias)
{
this.sslContextFactory = sslContextFactory;
try
Expand All @@ -54,9 +59,9 @@ public KeyStoreScanner(SslContextFactory sslContextFactory)
if (monitoredFile.isDirectory())
throw new IllegalArgumentException("expected keystore file not directory");

if (keystoreResource.getAlias() != null)
if (resolveAlias && keystoreResource.isAlias())
{
// this resource has an alias, use the alias, as that's what's returned in the Scanner
// This resource has an alias, so monitor the target of the alias.
monitoredFile = new File(keystoreResource.getAlias());
}

Expand All @@ -73,7 +78,7 @@ public KeyStoreScanner(SslContextFactory sslContextFactory)
if (!parentFile.exists() || !parentFile.isDirectory())
throw new IllegalArgumentException("error obtaining keystore dir");

_scanner = new Scanner();
_scanner = new Scanner(null, resolveAlias);
_scanner.addDirectory(parentFile.toPath());
_scanner.setScanInterval(1);
_scanner.setReportDirs(false);
Expand Down
40 changes: 33 additions & 7 deletions tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,11 @@ public void start() throws Exception
}

public void start(Configuration configuration) throws Exception
{
start(configuration, true);
}

public void start(Configuration configuration, boolean resolveAlias) throws Exception
{
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
configuration.configure(sslContextFactory);
Expand All @@ -100,7 +105,7 @@ public void start(Configuration configuration) throws Exception
server.addConnector(connector);

// Configure Keystore Reload.
keystoreScanner = new KeyStoreScanner(sslContextFactory);
keystoreScanner = new KeyStoreScanner(sslContextFactory, resolveAlias);
keystoreScanner.setScanInterval(0);
server.addBean(keystoreScanner);

Expand Down Expand Up @@ -182,22 +187,25 @@ public void testKeystoreRemoval() throws Exception
public void testReloadChangingSymbolicLink() throws Exception
{
assumeFileSystemSupportsSymlink();
Path keystorePath = keystoreDir.resolve("symlinkKeystore");
Path newKeystore = useKeystore("newKeystore", "newKeystore");
Path oldKeystore = useKeystore("oldKeystore", "oldKeystore");

Path symlinkKeystorePath = keystoreDir.resolve("symlinkKeystore");
start(sslContextFactory ->
{
Files.createSymbolicLink(keystorePath, useKeystore("oldKeystore"));
sslContextFactory.setKeyStorePath(keystorePath.toString());
Files.createSymbolicLink(symlinkKeystorePath, oldKeystore);
sslContextFactory.setKeyStorePath(symlinkKeystorePath.toString());
sslContextFactory.setKeyStorePassword("storepwd");
sslContextFactory.setKeyManagerPassword("keypwd");
});
}, false);

// Check the original certificate expiry.
X509Certificate cert1 = getCertificateFromServer();
assertThat(getExpiryYear(cert1), is(2015));

// Change the symlink to point to the newKeystore file location which has a later expiry date.
Files.delete(keystorePath);
Files.createSymbolicLink(keystorePath, useKeystore("newKeystore"));
Files.delete(symlinkKeystorePath);
Files.createSymbolicLink(symlinkKeystorePath, newKeystore);
keystoreScanner.scan(5000);

// The scanner should have detected the updated keystore, expiry should be renewed.
Expand Down Expand Up @@ -237,6 +245,24 @@ public void testReloadChangingTargetOfSymbolicLink() throws Exception
assertThat(getExpiryYear(cert2), is(2020));
}

public Path useKeystore(String keystoreToUse, String keystorePath) throws Exception
{
return useKeystore(MavenTestingUtils.getTestResourcePath(keystoreToUse), keystoreDir.resolve(keystorePath));
}

public Path useKeystore(Path keystoreToUse, Path keystorePath) throws Exception
{
if (Files.exists(keystorePath))
Files.delete(keystorePath);

Files.copy(keystoreToUse, keystorePath);

if (!Files.exists(keystorePath))
throw new IllegalStateException("keystore file was not created");

return keystorePath.toAbsolutePath();
}

public Path useKeystore(String keystore) throws Exception
{
Path keystorePath = keystoreDir.resolve("keystore");
Expand Down