Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8787 from eclipse/jetty-10.0.x-8786-KeyStoreScanner-Symlink 

Issue #8786 - add configuration for KeyStoreScanner to not resolve aliases
This commit is contained in:
Lachlan 2022-11-10 17:17:59 +11:00 committed by GitHub
parent 4f633e945c 0a14cca307
commit 690220fc40
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 67 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
documentation/jetty-documentation/src/main/asciidoc/operations-guide/modules/module-ssl-reload.adoc
View File

@ -22,3 +22,6 @@ The module properties are:
----
include::{JETTY_HOME}/modules/ssl-reload.mod[tags=documentation]
----
The `followLinks` property is used to specify whether symlinks should be resolved in the path of the KeyStore.
If set to false and the path of the KeyStore is a symbolic link, the scanner will monitor the symbolic link file for changes instead of its target.

1
jetty-server/src/main/config/etc/jetty-ssl-context-reload.xml
View File

@ -5,6 +5,7 @@
<Arg>
<New id="keyStoreScanner" class="org.eclipse.jetty.util.ssl.KeyStoreScanner">
<Arg><Ref refid="sslContextFactory"/></Arg>
<Arg type="boolean"><Property name="jetty.sslContext.reload.followLinks" default="true"/></Arg>
<Set name="scanInterval"><Property name="jetty.sslContext.reload.scanInterval" default="1"/></Set>
</New>
</Arg>

3
jetty-server/src/main/config/modules/ssl-reload.mod
View File

@ -15,4 +15,7 @@ etc/jetty-ssl-context-reload.xml
# tag::documentation[]
# Monitored directory scan period, in seconds.
# jetty.sslContext.reload.scanInterval=1
# Whether to resolve symbolic links in the KeyStore path.
# jetty.sslContext.reload.followLinks=true
# end::documentation[]

11
jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java
View File

@ -43,6 +43,11 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr
private final Scanner _scanner;
public KeyStoreScanner(SslContextFactory sslContextFactory)
{
this(sslContextFactory, true);
}
public KeyStoreScanner(SslContextFactory sslContextFactory, boolean followLinks)
{
this.sslContextFactory = sslContextFactory;
try
@ -54,9 +59,9 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr
if (monitoredFile.isDirectory())
throw new IllegalArgumentException("expected keystore file not directory");
if (keystoreResource.getAlias() != null)
if (followLinks && keystoreResource.isAlias())
{
// this resource has an alias, use the alias, as that's what's returned in the Scanner
// This resource has an alias, so monitor the target of the alias.
monitoredFile = new File(keystoreResource.getAlias());
}
@ -73,7 +78,7 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr
if (!parentFile.exists() || !parentFile.isDirectory())
throw new IllegalArgumentException("error obtaining keystore dir");
_scanner = new Scanner();
_scanner = new Scanner(null, followLinks);
_scanner.addDirectory(parentFile.toPath());
_scanner.setScanInterval(1);
_scanner.setReportDirs(false);

78
tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java
View File

@ -61,7 +61,7 @@ public class KeyStoreScannerTest
public WorkDir testdir;
private Server server;
private Path keystoreDir;
private KeyStoreScanner keystoreScanner;
private KeyStoreScanner keyStoreScanner;
@BeforeEach
public void before()
@ -79,7 +79,7 @@ public class KeyStoreScannerTest
{
start(sslContextFactory ->
{
String keystorePath = useKeystore("oldKeystore").toString();
String keystorePath = useKeystore("oldKeyStore").toString();
sslContextFactory.setKeyStorePath(keystorePath);
sslContextFactory.setKeyStorePassword("storepwd");
sslContextFactory.setKeyManagerPassword("keypwd");
@ -87,6 +87,11 @@ public class KeyStoreScannerTest
}
public void start(Configuration configuration) throws Exception
{
start(configuration, true);
}
public void start(Configuration configuration, boolean resolveAlias) throws Exception
{
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
configuration.configure(sslContextFactory);
@ -100,9 +105,9 @@ public class KeyStoreScannerTest
server.addConnector(connector);
// Configure Keystore Reload.
keystoreScanner = new KeyStoreScanner(sslContextFactory);
keystoreScanner.setScanInterval(0);
server.addBean(keystoreScanner);
keyStoreScanner = new KeyStoreScanner(sslContextFactory, resolveAlias);
keyStoreScanner.setScanInterval(0);
server.addBean(keyStoreScanner);
server.start();
}
@ -122,9 +127,9 @@ public class KeyStoreScannerTest
X509Certificate cert1 = getCertificateFromServer();
assertThat(getExpiryYear(cert1), is(2015));
// Switch to use newKeystore which has a later expiry date.
useKeystore("newKeystore");
assertTrue(keystoreScanner.scan(5000));
// Switch to use newKeyStore which has a later expiry date.
useKeystore("newKeyStore");
assertTrue(keyStoreScanner.scan(5000));
// The scanner should have detected the updated keystore, expiry should be renewed.
X509Certificate cert2 = getCertificateFromServer();
@ -144,7 +149,7 @@ public class KeyStoreScannerTest
try (StacklessLogging ignored = new StacklessLogging(KeyStoreScanner.class))
{
useKeystore("badKeystore");
keystoreScanner.scan(5000);
keyStoreScanner.scan(5000);
}
// The good keystore is removed, now the bad keystore now causes an exception.
@ -165,15 +170,15 @@ public class KeyStoreScannerTest
{
Path keystorePath = keystoreDir.resolve("keystore");
assertTrue(Files.deleteIfExists(keystorePath));
keystoreScanner.scan(5000);
keyStoreScanner.scan(5000);
}
// The good keystore is removed, having no keystore causes an exception.
assertThrows(Throwable.class, this::getCertificateFromServer);
// Switch to use keystore2 which has a later expiry date.
useKeystore("newKeystore");
keystoreScanner.scan(5000);
useKeystore("newKeyStore");
keyStoreScanner.scan(5000);
X509Certificate cert2 = getCertificateFromServer();
assertThat(getExpiryYear(cert2), is(2020));
}
@ -182,23 +187,26 @@ public class KeyStoreScannerTest
public void testReloadChangingSymbolicLink() throws Exception
{
assumeFileSystemSupportsSymlink();
Path keystorePath = keystoreDir.resolve("symlinkKeystore");
Path newKeyStore = useKeystore("newKeyStore", "newKeyStore");
Path oldKeyStore = useKeystore("oldKeyStore", "oldKeyStore");
Path symlinkKeystorePath = keystoreDir.resolve("symlinkKeystore");
start(sslContextFactory ->
{
Files.createSymbolicLink(keystorePath, useKeystore("oldKeystore"));
sslContextFactory.setKeyStorePath(keystorePath.toString());
Files.createSymbolicLink(symlinkKeystorePath, oldKeyStore);
sslContextFactory.setKeyStorePath(symlinkKeystorePath.toString());
sslContextFactory.setKeyStorePassword("storepwd");
sslContextFactory.setKeyManagerPassword("keypwd");
});
}, false);
// Check the original certificate expiry.
X509Certificate cert1 = getCertificateFromServer();
assertThat(getExpiryYear(cert1), is(2015));
// Change the symlink to point to the newKeystore file location which has a later expiry date.
Files.delete(keystorePath);
Files.createSymbolicLink(keystorePath, useKeystore("newKeystore"));
keystoreScanner.scan(5000);
// Change the symlink to point to the newKeyStore file location which has a later expiry date.
Files.delete(symlinkKeystorePath);
Files.createSymbolicLink(symlinkKeystorePath, newKeyStore);
keyStoreScanner.scan(5000);
// The scanner should have detected the updated keystore, expiry should be renewed.
X509Certificate cert2 = getCertificateFromServer();
@ -210,13 +218,13 @@ public class KeyStoreScannerTest
{
assumeFileSystemSupportsSymlink();
Path keystoreLink = keystoreDir.resolve("symlinkKeystore");
Path oldKeystoreSrc = MavenTestingUtils.getTestResourcePathFile("oldKeystore");
Path newKeystoreSrc = MavenTestingUtils.getTestResourcePathFile("newKeystore");
Path oldKeyStoreSrc = MavenTestingUtils.getTestResourcePathFile("oldKeyStore");
Path newKeyStoreSrc = MavenTestingUtils.getTestResourcePathFile("newKeyStore");
Path target = keystoreDir.resolve("keystore");
start(sslContextFactory ->
{
Files.copy(oldKeystoreSrc, target);
Files.copy(oldKeyStoreSrc, target);
Files.createSymbolicLink(keystoreLink, target);
sslContextFactory.setKeyStorePath(keystoreLink.toString());
sslContextFactory.setKeyStorePassword("storepwd");
@ -227,16 +235,34 @@ public class KeyStoreScannerTest
X509Certificate cert1 = getCertificateFromServer();
assertThat(getExpiryYear(cert1), is(2015));
// Change the target file of the symlink to the newKeystore which has a later expiry date.
Files.copy(newKeystoreSrc, target, StandardCopyOption.REPLACE_EXISTING);
// Change the target file of the symlink to the newKeyStore which has a later expiry date.
Files.copy(newKeyStoreSrc, target, StandardCopyOption.REPLACE_EXISTING);
System.err.println("### Triggering scan");
keystoreScanner.scan(5000);
keyStoreScanner.scan(5000);
// The scanner should have detected the updated keystore, expiry should be renewed.
X509Certificate cert2 = getCertificateFromServer();
assertThat(getExpiryYear(cert2), is(2020));
}
public Path useKeystore(String keystoreToUse, String keystorePath) throws Exception
{
return useKeystore(MavenTestingUtils.getTestResourcePath(keystoreToUse), keystoreDir.resolve(keystorePath));
}
public Path useKeystore(Path keystoreToUse, Path keystorePath) throws Exception
{
if (Files.exists(keystorePath))
Files.delete(keystorePath);
Files.copy(keystoreToUse, keystorePath);
if (!Files.exists(keystorePath))
throw new IllegalStateException("keystore file was not created");
return keystorePath.toAbsolutePath();
}
public Path useKeystore(String keystore) throws Exception
{
Path keystorePath = keystoreDir.resolve("keystore");

0
tests/test-integration/src/test/resources/newKeystore → tests/test-integration/src/test/resources/newKeyStore
View File

0
tests/test-integration/src/test/resources/oldKeystore → tests/test-integration/src/test/resources/oldKeyStore
View File