changes to ssl-reload module & documentation from review

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2022-11-03 18:54:53 +11:00 · 2022-11-03 18:54:53 +11:00 · 8607e3ef15
parent 4d15593d63
commit 8607e3ef15
5 changed files with 17 additions and 11 deletions
--- a/documentation/jetty-documentation/src/main/asciidoc/operations-guide/modules/module-ssl-reload.adoc
+++ b/documentation/jetty-documentation/src/main/asciidoc/operations-guide/modules/module-ssl-reload.adoc
@ -22,3 +22,5 @@ The module properties are:
 ----
 include::{JETTY_HOME}/modules/ssl-reload.mod[tags=documentation]
 ----
+
+The `resolveAlias` property is used to specify whether aliases should be resolved in the path of the KeyStore. If set to false and the path of the KeyStore is a symbolic link, the scanner will monitor the symbolic link file for changes instead of its target.
--- a/jetty-server/src/main/config/etc/jetty-ssl-context-reload.xml
+++ b/jetty-server/src/main/config/etc/jetty-ssl-context-reload.xml
@ -5,6 +5,7 @@
    <Arg>
      <New id="keyStoreScanner" class="org.eclipse.jetty.util.ssl.KeyStoreScanner">
        <Arg><Ref refid="sslContextFactory"/></Arg>
+        <Arg><Property name="jetty.sslContext.reload.resolveAlias" default="true"/></Arg>
        <Set name="scanInterval"><Property name="jetty.sslContext.reload.scanInterval" default="1"/></Set>
      </New>
    </Arg>
--- a/jetty-server/src/main/config/modules/ssl-reload.mod
+++ b/jetty-server/src/main/config/modules/ssl-reload.mod
@ -15,4 +15,7 @@ etc/jetty-ssl-context-reload.xml
 # tag::documentation[]
 # Monitored directory scan period, in seconds.
 # jetty.sslContext.reload.scanInterval=1
+
+# Whether to resolve aliases in the KeyStore path.
+# jetty.sslContext.reload.resolveAlias=true
 # end::documentation[]
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java
@ -44,7 +44,7 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr

    public KeyStoreScanner(SslContextFactory sslContextFactory)
    {
-        this(sslContextFactory, false);
+        this(sslContextFactory, true);
    }

    public KeyStoreScanner(SslContextFactory sslContextFactory, boolean resolveAlias)
--- a/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java
+++ b/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java
@ -61,7 +61,7 @@ public class KeyStoreScannerTest
    public WorkDir testdir;
    private Server server;
    private Path keystoreDir;
-    private KeyStoreScanner keystoreScanner;
+    private KeyStoreScanner keyStoreScanner;

    @BeforeEach
    public void before()
@ -105,9 +105,9 @@ public class KeyStoreScannerTest
        server.addConnector(connector);

        // Configure Keystore Reload.
-        keystoreScanner = new KeyStoreScanner(sslContextFactory, resolveAlias);
-        keystoreScanner.setScanInterval(0);
-        server.addBean(keystoreScanner);
+        keyStoreScanner = new KeyStoreScanner(sslContextFactory, resolveAlias);
+        keyStoreScanner.setScanInterval(0);
+        server.addBean(keyStoreScanner);

        server.start();
    }
@ -129,7 +129,7 @@ public class KeyStoreScannerTest

        // Switch to use newKeystore which has a later expiry date.
        useKeystore("newKeystore");
-        assertTrue(keystoreScanner.scan(5000));
+        assertTrue(keyStoreScanner.scan(5000));

        // The scanner should have detected the updated keystore, expiry should be renewed.
        X509Certificate cert2 = getCertificateFromServer();
@ -149,7 +149,7 @@ public class KeyStoreScannerTest
        try (StacklessLogging ignored = new StacklessLogging(KeyStoreScanner.class))
        {
            useKeystore("badKeystore");
-            keystoreScanner.scan(5000);
+            keyStoreScanner.scan(5000);
        }

        // The good keystore is removed, now the bad keystore now causes an exception.
@ -170,7 +170,7 @@ public class KeyStoreScannerTest
        {
            Path keystorePath = keystoreDir.resolve("keystore");
            assertTrue(Files.deleteIfExists(keystorePath));
-            keystoreScanner.scan(5000);
+            keyStoreScanner.scan(5000);
        }

        // The good keystore is removed, having no keystore causes an exception.
@ -178,7 +178,7 @@ public class KeyStoreScannerTest

        // Switch to use keystore2 which has a later expiry date.
        useKeystore("newKeystore");
-        keystoreScanner.scan(5000);
+        keyStoreScanner.scan(5000);
        X509Certificate cert2 = getCertificateFromServer();
        assertThat(getExpiryYear(cert2), is(2020));
    }
@ -206,7 +206,7 @@ public class KeyStoreScannerTest
        // Change the symlink to point to the newKeystore file location which has a later expiry date.
        Files.delete(symlinkKeystorePath);
        Files.createSymbolicLink(symlinkKeystorePath, newKeystore);
-        keystoreScanner.scan(5000);
+        keyStoreScanner.scan(5000);

        // The scanner should have detected the updated keystore, expiry should be renewed.
        X509Certificate cert2 = getCertificateFromServer();
@ -238,7 +238,7 @@ public class KeyStoreScannerTest
        // Change the target file of the symlink to the newKeystore which has a later expiry date.
        Files.copy(newKeystoreSrc, target, StandardCopyOption.REPLACE_EXISTING);
        System.err.println("### Triggering scan");
-        keystoreScanner.scan(5000);
+        keyStoreScanner.scan(5000);

        // The scanner should have detected the updated keystore, expiry should be renewed.
        X509Certificate cert2 = getCertificateFromServer();