Refresh Certs every X minutes (apache#3568)

pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java

@@ -447,6 +447,11 @@ public class ServiceConfiguration implements PulsarConfiguration {
     )
     @Deprecated
     private boolean tlsEnabled = false;
+    @FieldContext(
+        category = CATEGORY_TLS,
+        doc = "Time Interval in Mins between checks for Cert Refresh."
+    )
+    private long certRefreshCheckDurationInMins = 0;
     @FieldContext(
         category = CATEGORY_TLS,
         doc = "Path for the TLS certificate file"

pulsar-broker/src/main/java/org/apache/pulsar/broker/service/PulsarChannelInitializer.java

@@ -18,23 +18,23 @@
  */
 package org.apache.pulsar.broker.service;
 
-import io.netty.channel.ChannelInitializer;
-import io.netty.channel.socket.SocketChannel;
-import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
-import io.netty.handler.ssl.SslContext;
-
 import org.apache.pulsar.broker.PulsarService;
 import org.apache.pulsar.broker.ServiceConfiguration;
 import org.apache.pulsar.common.api.ByteBufPair;
 import org.apache.pulsar.common.api.PulsarDecoder;
-import org.apache.pulsar.common.util.SecurityUtility;
+import org.apache.pulsar.common.util.ServerSslContextRefresher;
+
+import io.netty.channel.ChannelInitializer;
+import io.netty.channel.socket.SocketChannel;
+import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
 
 public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel> {
 
     public static final String TLS_HANDLER = "tls";
 
     private final PulsarService pulsar;
-    private final SslContext sslCtx;
+    private final boolean enableTls;
+    private final ServerSslContextRefresher sslCtxRefresher;
 
     /**
      *
@@ -43,21 +43,23 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
     public PulsarChannelInitializer(PulsarService pulsar, boolean enableTLS) throws Exception {
         super();
         this.pulsar = pulsar;
-        if (enableTLS) {
+        this.enableTls = enableTLS;
+        if (this.enableTls) {
             ServiceConfiguration serviceConfig = pulsar.getConfiguration();
-            this.sslCtx = SecurityUtility.createNettySslContextForServer(serviceConfig.isTlsAllowInsecureConnection(),
+            sslCtxRefresher = new ServerSslContextRefresher(serviceConfig.isTlsAllowInsecureConnection(),
                     serviceConfig.getTlsTrustCertsFilePath(), serviceConfig.getTlsCertificateFilePath(),
                     serviceConfig.getTlsKeyFilePath(), serviceConfig.getTlsCiphers(), serviceConfig.getTlsProtocols(),
-                    serviceConfig.isTlsRequireTrustedClientCertOnConnect());
+                    serviceConfig.isTlsRequireTrustedClientCertOnConnect(),
+                    serviceConfig.getCertRefreshCheckDurationInMins());
         } else {
-            this.sslCtx = null;
+            this.sslCtxRefresher = null;
         }
     }
 
     @Override
     protected void initChannel(SocketChannel ch) throws Exception {
-        if (sslCtx != null) {
-            ch.pipeline().addLast(TLS_HANDLER, sslCtx.newHandler(ch.alloc()));
+        if (this.enableTls) {
+            ch.pipeline().addLast(TLS_HANDLER, sslCtxRefresher.get().newHandler(ch.alloc()));
             ch.pipeline().addLast("ByteBufPairEncoder", ByteBufPair.COPYING_ENCODER);
         } else {
             ch.pipeline().addLast("ByteBufPairEncoder", ByteBufPair.ENCODER);

pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/AuthenticationDataTls.java

@@ -20,15 +20,19 @@
 
 import java.security.KeyManagementException;
 import java.security.PrivateKey;
+import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 
 import org.apache.pulsar.client.api.AuthenticationDataProvider;
+import org.apache.pulsar.common.util.FileModifiedTimeUpdater;
 import org.apache.pulsar.common.util.SecurityUtility;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class AuthenticationDataTls implements AuthenticationDataProvider {
-
-    protected final X509Certificate[] certificates;
-    protected final PrivateKey privateKey;
+    protected X509Certificate[] tlsCertificates;
+    protected PrivateKey tlsPrivateKey;
+    protected FileModifiedTimeUpdater certFile, keyFile;
 
     public AuthenticationDataTls(String certFilePath, String keyFilePath) throws KeyManagementException {
         if (certFilePath == null) {
@@ -37,8 +41,10 @@ public AuthenticationDataTls(String certFilePath, String keyFilePath) throws Key
         if (keyFilePath == null) {
             throw new IllegalArgumentException("keyFilePath must not be null");
         }
-        certificates = SecurityUtility.loadCertificatesFromPemFile(certFilePath);
-        privateKey = SecurityUtility.loadPrivateKeyFromPemFile(keyFilePath);
+        this.certFile = new FileModifiedTimeUpdater(certFilePath);
+        this.keyFile = new FileModifiedTimeUpdater(keyFilePath);
+        this.tlsCertificates = SecurityUtility.loadCertificatesFromPemFile(certFilePath);
+        this.tlsPrivateKey = SecurityUtility.loadPrivateKeyFromPemFile(keyFilePath);
     }
 
     /*
@@ -51,13 +57,28 @@ public boolean hasDataForTls() {
     }
 
     @Override
-    public X509Certificate[] getTlsCertificates() {
-        return certificates;
+    public Certificate[] getTlsCertificates() {
+        if (this.certFile.checkAndRefresh()) {
+            try {
+                this.tlsCertificates = SecurityUtility.loadCertificatesFromPemFile(certFile.getFileName());
+            } catch (KeyManagementException e) {
+                LOG.error("Unable to refresh authData for cert {}: ", certFile.getFileName(), e);
+            }
+        }
+        return this.tlsCertificates;
     }
 
     @Override
     public PrivateKey getTlsPrivateKey() {
-        return privateKey;
+        if (this.keyFile.checkAndRefresh()) {
+            try {
+                this.tlsPrivateKey = SecurityUtility.loadPrivateKeyFromPemFile(keyFile.getFileName());
+            } catch (KeyManagementException e) {
+                LOG.error("Unable to refresh authData for cert {}: ", keyFile.getFileName(), e);
+            }
+        }
+        return this.tlsPrivateKey;
     }
 
+    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationDataTls.class);
 }

pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/AuthenticationTls.java

@@ -49,7 +49,7 @@ public class AuthenticationTls implements Authentication, EncodedAuthenticationP
 
     public AuthenticationTls() {
     }
-
+    
     public AuthenticationTls(String certFilePath, String keyFilePath) {
         this.certFilePath = certFilePath;
         this.keyFilePath = keyFilePath;

pulsar-common/src/main/java/org/apache/pulsar/common/util/ClientSslContextRefresher.java

@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.common.util;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
+
+import org.apache.pulsar.client.api.AuthenticationDataProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.netty.handler.ssl.SslContext;
+
+public class ClientSslContextRefresher {
+    private volatile SslContext sslContext;
+    private boolean tlsAllowInsecureConnection;
+    private String tlsTrustCertsFilePath;
+    private AuthenticationDataProvider authData;
+
+    public ClientSslContextRefresher(boolean allowInsecure, String trustCertsFilePath,
+            AuthenticationDataProvider authData) throws IOException, GeneralSecurityException {
+        this.tlsAllowInsecureConnection = allowInsecure;
+        this.tlsTrustCertsFilePath = trustCertsFilePath;
+        this.authData = authData;
+
+        if (authData != null && authData.hasDataForTls()) {
+            this.sslContext = SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection,
+                    this.tlsTrustCertsFilePath, (X509Certificate[]) authData.getTlsCertificates(),
+                    authData.getTlsPrivateKey());
+        } else {
+            this.sslContext = SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection,
+                    this.tlsTrustCertsFilePath);
+        }
+    }
+
+    public SslContext get() {
+        if (authData != null && authData.hasDataForTls()) {
+            try {
+                this.sslContext = SecurityUtility.createNettySslContextForClient(this.tlsAllowInsecureConnection,
+                        this.tlsTrustCertsFilePath, (X509Certificate[]) authData.getTlsCertificates(),
+                        authData.getTlsPrivateKey());
+            } catch (GeneralSecurityException | IOException e) {
+                LOG.error("Exception occured while trying to refresh sslContext: ", e);
+            }
+
+        }
+        return sslContext;
+    }
+
+    private static final Logger LOG = LoggerFactory.getLogger(ClientSslContextRefresher.class);
+}

pulsar-common/src/main/java/org/apache/pulsar/common/util/FileModifiedTimeUpdater.java

@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.common.util;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.attribute.FileTime;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import lombok.Getter;
+
+public class FileModifiedTimeUpdater {
+    @Getter
+    String fileName;
+    @Getter
+    FileTime lastModifiedTime;
+
+    public FileModifiedTimeUpdater(String fileName) {
+        this.fileName = fileName;
+        this.lastModifiedTime = updateLastModifiedTime();
+    }
+
+    private FileTime updateLastModifiedTime() {
+        if (fileName != null) {
+            Path p = Paths.get(fileName);
+            try {
+                return Files.getLastModifiedTime(p);
+            } catch (IOException e) {
+                LOG.error("Unable to fetch lastModified time for file {}: ", fileName, e);
+            }
+        }
+        return null;
+    }
+
+    public boolean checkAndRefresh() {
+        FileTime newLastModifiedTime = updateLastModifiedTime();
+        if (newLastModifiedTime != null && !newLastModifiedTime.equals(lastModifiedTime)) {
+            this.lastModifiedTime = newLastModifiedTime;
+            return true;
+        }
+        return false;
+    }
+
+    private static final Logger LOG = LoggerFactory.getLogger(FileModifiedTimeUpdater.class);
+}

pulsar-common/src/main/java/org/apache/pulsar/common/util/ServerSslContextRefresher.java

@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.common.util;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
+import javax.net.ssl.SSLException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.netty.handler.ssl.SslContext;
+
+public class ServerSslContextRefresher {
+    private final boolean tlsAllowInsecureConnection;
+    private final FileModifiedTimeUpdater tlsTrustCertsFilePath, tlsCertificateFilePath, tlsKeyFilePath;
+    private final Set<String> tlsCiphers;
+    private final Set<String> tlsProtocols;
+    private final boolean tlsRequireTrustedClientCertOnConnect;
+    private final long delayInMins;
+    private long nextRefreshTimeInMins;
+    private volatile SslContext sslContext;
+
+    public ServerSslContextRefresher(boolean allowInsecure, String trustCertsFilePath, String certificateFilePath,
+            String keyFilePath, Set<String> ciphers, Set<String> protocols, boolean requireTrustedClientCertOnConnect,
+            long delayInMins) throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
+        this.tlsAllowInsecureConnection = allowInsecure;
+        this.tlsTrustCertsFilePath = new FileModifiedTimeUpdater(trustCertsFilePath);
+        this.tlsCertificateFilePath = new FileModifiedTimeUpdater(certificateFilePath);
+        this.tlsKeyFilePath = new FileModifiedTimeUpdater(keyFilePath);
+        this.tlsCiphers = ciphers;
+        this.tlsProtocols = protocols;
+        this.tlsRequireTrustedClientCertOnConnect = requireTrustedClientCertOnConnect;
+        this.delayInMins = delayInMins;
+        this.nextRefreshTimeInMins = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis()) + delayInMins;
+
+        buildSSLContext();
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Certs will be refreshed every {} minutes", delayInMins);
+        }
+    }
+
+    public void buildSSLContext() throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
+        this.sslContext = SecurityUtility.createNettySslContextForServer(tlsAllowInsecureConnection,
+                tlsTrustCertsFilePath.getFileName(), tlsCertificateFilePath.getFileName(), tlsKeyFilePath.getFileName(),
+                tlsCiphers, tlsProtocols, tlsRequireTrustedClientCertOnConnect);
+    }
+
+    public synchronized SslContext get() {
+        long nowInSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
+        if (nextRefreshTimeInMins > nowInSeconds) {
+            nextRefreshTimeInMins = nowInSeconds + delayInMins;
+            if (tlsTrustCertsFilePath.checkAndRefresh() || tlsCertificateFilePath.checkAndRefresh()
+                    || tlsKeyFilePath.checkAndRefresh()) {
+                try {
+                    buildSSLContext();
+                } catch (GeneralSecurityException | IOException e) {
+                    LOG.error("Execption while trying to refresh ssl Context: ", e);
+                }
+            }
+        }
+        return this.sslContext;
+    }
+
+    private static final Logger LOG = LoggerFactory.getLogger(ServerSslContextRefresher.class);
+}