From 38a94879f9f6db8670f4a93ef19a06a6c4a23746 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Tue, 21 Jul 2020 11:23:57 +1000 Subject: [PATCH 1/2] Issue #5062 - KeyStoreScannerTest should use manual scanning to avoid timing issues Signed-off-by: Lachlan Roberts --- .../jetty/util/ssl/KeyStoreScanner.java | 10 ++++++++ .../jetty/test/KeyStoreScannerTest.java | 23 +++++++++---------- 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java index 3c4197552d4..e7e817780e8 100644 --- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java +++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/KeyStoreScanner.java @@ -104,6 +104,16 @@ public class KeyStoreScanner extends ContainerLifeCycle implements Scanner.Discr reload(); } + @ManagedOperation(value = "Scan for changes in the SSL Keystore", impact = "ACTION") + public void scan() + { + if (LOG.isDebugEnabled()) + LOG.debug("scanning"); + + _scanner.scan(); + _scanner.scan(); + } + @ManagedOperation(value = "Reload the SSL Keystore", impact = "ACTION") public void reload() { diff --git a/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java b/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java index 1b54fdefae7..d7aba199434 100644 --- a/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java +++ b/tests/test-integration/src/test/java/org/eclipse/jetty/test/KeyStoreScannerTest.java @@ -24,7 +24,6 @@ import java.nio.file.Path; import java.security.SecureRandom; import java.security.cert.Certificate; import java.security.cert.X509Certificate; -import java.time.Duration; import java.util.Calendar; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.KeyManager; @@ -57,10 +56,10 @@ import static org.junit.jupiter.api.Assertions.assertThrows; @ExtendWith(WorkDirExtension.class) public class KeyStoreScannerTest { - private static final int scanInterval = 1; public WorkDir testdir; private Server server; private Path keystoreDir; + private KeyStoreScanner keystoreScanner; @BeforeEach public void before() @@ -99,8 +98,8 @@ public class KeyStoreScannerTest server.addConnector(connector); // Configure Keystore Reload. - KeyStoreScanner keystoreScanner = new KeyStoreScanner(sslContextFactory); - keystoreScanner.setScanInterval(scanInterval); + keystoreScanner = new KeyStoreScanner(sslContextFactory); + keystoreScanner.setScanInterval(0); server.addBean(keystoreScanner); server.start(); @@ -123,7 +122,7 @@ public class KeyStoreScannerTest // Switch to use newKeystore which has a later expiry date. useKeystore("newKeystore"); - Thread.sleep(Duration.ofSeconds(scanInterval * 2).toMillis()); + keystoreScanner.scan(); // The scanner should have detected the updated keystore, expiry should be renewed. X509Certificate cert2 = getCertificateFromServer(); @@ -143,11 +142,11 @@ public class KeyStoreScannerTest try (StacklessLogging ignored = new StacklessLogging(KeyStoreScanner.class)) { useKeystore("badKeystore"); - Thread.sleep(Duration.ofSeconds(scanInterval * 2).toMillis()); + keystoreScanner.scan(); } // The good keystore is removed, now the bad keystore now causes an exception. - assertThrows(Throwable.class, () -> getCertificateFromServer()); + assertThrows(Throwable.class, this::getCertificateFromServer); } @Test @@ -163,15 +162,15 @@ public class KeyStoreScannerTest try (StacklessLogging ignored = new StacklessLogging(KeyStoreScanner.class)) { useKeystore(null); - Thread.sleep(Duration.ofSeconds(scanInterval * 2).toMillis()); + keystoreScanner.scan(); } // The good keystore is removed, having no keystore causes an exception. - assertThrows(Throwable.class, () -> getCertificateFromServer()); + assertThrows(Throwable.class, this::getCertificateFromServer); // Switch to use keystore2 which has a later expiry date. useKeystore("newKeystore"); - Thread.sleep(Duration.ofSeconds(scanInterval * 2).toMillis()); + keystoreScanner.scan(); X509Certificate cert2 = getCertificateFromServer(); assertThat(getExpiryYear(cert2), is(2020)); } @@ -195,7 +194,7 @@ public class KeyStoreScannerTest // Change the symlink to point to the newKeystore file location which has a later expiry date. Files.delete(keystorePath); Files.createSymbolicLink(keystorePath, useKeystore("newKeystore")); - Thread.sleep(Duration.ofSeconds(scanInterval * 2).toMillis()); + keystoreScanner.scan(); // The scanner should have detected the updated keystore, expiry should be renewed. X509Certificate cert2 = getCertificateFromServer(); @@ -220,7 +219,7 @@ public class KeyStoreScannerTest // Change the target file of the symlink to the newKeystore which has a later expiry date. useKeystore("newKeystore"); - Thread.sleep(Duration.ofSeconds(scanInterval * 2).toMillis()); + keystoreScanner.scan(); // The scanner should have detected the updated keystore, expiry should be renewed. X509Certificate cert2 = getCertificateFromServer(); From d9f930fcaa8b34e56612edb4e541b5e3f4ba0209 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Wed, 22 Jul 2020 18:57:20 +1000 Subject: [PATCH 2/2] fix links links to jetty.toolchain in jetty setuid documentation Signed-off-by: Lachlan Roberts --- .../security/setting-port80-access-for-non-root-user.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jetty-documentation/src/main/asciidoc/configuring/security/setting-port80-access-for-non-root-user.adoc b/jetty-documentation/src/main/asciidoc/configuring/security/setting-port80-access-for-non-root-user.adoc index a4a3d552a57..5d8f862e65d 100644 --- a/jetty-documentation/src/main/asciidoc/configuring/security/setting-port80-access-for-non-root-user.adoc +++ b/jetty-documentation/src/main/asciidoc/configuring/security/setting-port80-access-for-non-root-user.adoc @@ -102,8 +102,8 @@ As well as opening the connectors as `root`, you can also have Jetty start the S ____ . A native code library is required to perform user switching. -This code is hosted as part of the Jetty ToolChain project and is released independently from Jetty itself. -You can find the source code https://github.com/eclipsejetty.toolchain[here] in the https://github.com/eclipse/jetty.toolchain/jetty-setuid[jetty-setuid] project. +This code is hosted as part of the https://github.com/eclipse/jetty.toolchain[Jetty ToolChain] project and is released independently from Jetty itself. +You can find the source code in the https://github.com/eclipse/jetty.toolchain/tree/master/jetty-setuid[eclipse/jetty.toolchain/jetty-setuid] project. Build it locally, which will produce a native library appropriate for the operating system: + [source, screen, subs="{sub-order}"]