Issue #8786 - add configuration for KeyStoreScanner to not resolve aliases

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2022-10-31 14:37:56 +11:00 · 2022-10-31 14:37:56 +11:00 · 4d15593d63
parent 8e63e872f7
commit 4d15593d63
2 changed files with 41 additions and 10 deletions
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java
@ -43,6 +43,11 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr
    private final Scanner _scanner;

    public KeyStoreScanner(SslContextFactory sslContextFactory)
+    {
+        this(sslContextFactory, false);
+    }
+
+    public KeyStoreScanner(SslContextFactory sslContextFactory, boolean resolveAlias)
    {
        this.sslContextFactory = sslContextFactory;
        try
@ -54,9 +59,9 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr
            if (monitoredFile.isDirectory())
                throw new IllegalArgumentException("expected keystore file not directory");

-            if (keystoreResource.getAlias() != null)
+            if (resolveAlias && keystoreResource.isAlias())
            {
-                // this resource has an alias, use the alias, as that's what's returned in the Scanner
+                // This resource has an alias, so monitor the target of the alias.
                monitoredFile = new File(keystoreResource.getAlias());
            }

@ -73,7 +78,7 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr
        if (!parentFile.exists() || !parentFile.isDirectory())
            throw new IllegalArgumentException("error obtaining keystore dir");

-        _scanner = new Scanner();
+        _scanner = new Scanner(null, resolveAlias);
        _scanner.addDirectory(parentFile.toPath());
        _scanner.setScanInterval(1);
        _scanner.setReportDirs(false);
--- a/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java
+++ b/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java
@ -87,6 +87,11 @@ public class KeyStoreScannerTest
    }

    public void start(Configuration configuration) throws Exception
+    {
+        start(configuration, true);
+    }
+
+    public void start(Configuration configuration, boolean resolveAlias) throws Exception
    {
        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
        configuration.configure(sslContextFactory);
@ -100,7 +105,7 @@ public class KeyStoreScannerTest
        server.addConnector(connector);

        // Configure Keystore Reload.
-        keystoreScanner = new KeyStoreScanner(sslContextFactory);
+        keystoreScanner = new KeyStoreScanner(sslContextFactory, resolveAlias);
        keystoreScanner.setScanInterval(0);
        server.addBean(keystoreScanner);

@ -182,22 +187,25 @@ public class KeyStoreScannerTest
    public void testReloadChangingSymbolicLink() throws Exception
    {
        assumeFileSystemSupportsSymlink();
-        Path keystorePath = keystoreDir.resolve("symlinkKeystore");
+        Path newKeystore = useKeystore("newKeystore", "newKeystore");
+        Path oldKeystore = useKeystore("oldKeystore", "oldKeystore");
+
+        Path symlinkKeystorePath = keystoreDir.resolve("symlinkKeystore");
        start(sslContextFactory ->
        {
-            Files.createSymbolicLink(keystorePath, useKeystore("oldKeystore"));
-            sslContextFactory.setKeyStorePath(keystorePath.toString());
+            Files.createSymbolicLink(symlinkKeystorePath, oldKeystore);
+            sslContextFactory.setKeyStorePath(symlinkKeystorePath.toString());
            sslContextFactory.setKeyStorePassword("storepwd");
            sslContextFactory.setKeyManagerPassword("keypwd");
-        });
+        }, false);

        // Check the original certificate expiry.
        X509Certificate cert1 = getCertificateFromServer();
        assertThat(getExpiryYear(cert1), is(2015));

        // Change the symlink to point to the newKeystore file location which has a later expiry date.
-        Files.delete(keystorePath);
-        Files.createSymbolicLink(keystorePath, useKeystore("newKeystore"));
+        Files.delete(symlinkKeystorePath);
+        Files.createSymbolicLink(symlinkKeystorePath, newKeystore);
        keystoreScanner.scan(5000);

        // The scanner should have detected the updated keystore, expiry should be renewed.
@ -237,6 +245,24 @@ public class KeyStoreScannerTest
        assertThat(getExpiryYear(cert2), is(2020));
    }

+    public Path useKeystore(String keystoreToUse, String keystorePath) throws Exception
+    {
+        return useKeystore(MavenTestingUtils.getTestResourcePath(keystoreToUse), keystoreDir.resolve(keystorePath));
+    }
+
+    public Path useKeystore(Path keystoreToUse, Path keystorePath) throws Exception
+    {
+        if (Files.exists(keystorePath))
+            Files.delete(keystorePath);
+
+        Files.copy(keystoreToUse, keystorePath);
+
+        if (!Files.exists(keystorePath))
+            throw new IllegalStateException("keystore file was not created");
+
+        return keystorePath.toAbsolutePath();
+    }
+
    public Path useKeystore(String keystore) throws Exception
    {
        Path keystorePath = keystoreDir.resolve("keystore");