Allow TLS certificate reloading for the HTTP server
Key store, trust store and certificate files can be reloaded periodically. The period is configured using the `quarkus.http.ssl.certificate.reload-period` property. The files are reloaded from the same location as they were initially loaded from. If there is no content change, the reloading is a no-op. If the reloading fails, the server will continue to use the previous certificates.
1 parent
cf7ae80
commit 1beea62
Showing
5 changed files
with
185 additions
and
5 deletions.
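--- /dev/null
+++ b/...untime/src/main/java/io/quarkus/vertx/http/runtime/options/TlsCertificateReloadUtils.java
@@ -0,0 +1,133 @@
+package io.quarkus.vertx.http.runtime.options;
+
+import static io.quarkus.vertx.http.runtime.options.HttpServerOptionsUtils.getFileContent;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.Callable;
+import java.util.function.Function;
+
+import org.jboss.logging.Logger;
+
+import io.quarkus.vertx.http.runtime.HttpConfiguration;
+import io.vertx.core.AsyncResult;
+import io.vertx.core.Future;
+import io.vertx.core.Handler;
+import io.vertx.core.Vertx;
+import io.vertx.core.buffer.Buffer;
+import io.vertx.core.http.HttpServer;
+import io.vertx.core.http.HttpServerOptions;
+import io.vertx.core.net.KeyStoreOptions;
+import io.vertx.core.net.PemKeyCertOptions;
+import io.vertx.core.net.SSLOptions;
+
+/**
+ * Utility class to handle TLS certificate reloading.
+ */
+public class TlsCertificateReloadUtils {
+
+    public static long handleCertificateReloading(Vertx vertx, HttpServer server,
+            HttpServerOptions options, HttpConfiguration configuration) {
+        // Validation
+        if (configuration.ssl.certificate.reloadPeriod.isEmpty()) {
+            return -1;
+        }
+        if (configuration.ssl.certificate.reloadPeriod.get().toMillis() < 1000) {
+            throw new IllegalArgumentException(
+                    "Unable to configure TLS reloading - The reload period cannot be less than 1 second");
+        }
+        if (options == null) {
+            throw new IllegalArgumentException("Unable to configure TLS reloading - The HTTP server options were not provided");
+        }
+        SSLOptions ssl = options.getSslOptions();
+        if (ssl == null) {
+            throw new IllegalArgumentException("Unable to configure TLS reloading - TLS/SSL is not enabled on the server");
+        }
+
+        Logger log = Logger.getLogger(TlsCertificateReloadUtils.class);
+        return vertx.setPeriodic(configuration.ssl.certificate.reloadPeriod.get().toMillis(), id -> {
+
+            vertx.executeBlocking(new Callable<SSLOptions>() {
+                @Override
+                public SSLOptions call() throws Exception {
+                    // We are reading files - must be done on a worker thread.
+                    var c = reloadFileContent(ssl, configuration);
+                    if (c.equals(ssl)) { // No change, skip the update
+                        return null;
+                    }
+                    return c;
+                }
+            }, true)
+                    .flatMap(new Function<SSLOptions, Future<Boolean>>() {
+                        @Override
+                        public Future<Boolean> apply(SSLOptions res) {
+                            if (res != null) {
+                                return server.updateSSLOptions(res);
+                            } else {
+                                return Future.succeededFuture(false);
+                            }
+                        }
+                    })
+                    .onComplete(new Handler<AsyncResult<Boolean>>() {
+                        @Override
+                        public void handle(AsyncResult<Boolean> ar) {
+                            if (ar.failed()) {
+                                log.error("Unable to reload the TLS certificate, keeping the current one.", ar.cause());
+                            } else {
+                                if (ar.result()) {
+                                    log.debug("TLS certificates updated");
+                                }
+                                // Not updated, no change.
+                            }
+                        }
+                    });
+        });
+    }
+
+    private static SSLOptions reloadFileContent(SSLOptions ssl, HttpConfiguration configuration) throws IOException {
+        var copy = new SSLOptions(ssl);
+
+        final List<Path> keys = new ArrayList<>();
+        final List<Path> certificates = new ArrayList<>();
+
+        if (configuration.ssl.certificate.keyFiles.isPresent()) {
+            keys.addAll(configuration.ssl.certificate.keyFiles.get());
+        }
+        if (configuration.ssl.certificate.files.isPresent()) {
+            certificates.addAll(configuration.ssl.certificate.files.get());
+        }
+
+        if (!certificates.isEmpty() && !keys.isEmpty()) {
+            List<Buffer> certBuffer = new ArrayList<>();
+            List<Buffer> keysBuffer = new ArrayList<>();
+
+            for (Path p : certificates) {
+                byte[] cert = getFileContent(p);
+                certBuffer.add(Buffer.buffer(cert));
+            }
+            for (Path p : keys) {
+                byte[] key = getFileContent(p);
+                keysBuffer.add(Buffer.buffer(key));
+            }
+
+            PemKeyCertOptions opts = new PemKeyCertOptions()
+                    .setCertValues(certBuffer)
+                    .setKeyValues(keysBuffer);
+            copy.setKeyCertOptions(opts);
+        } else if (configuration.ssl.certificate.keyStoreFile.isPresent()) {
+            var opts = ((KeyStoreOptions) copy.getKeyCertOptions());
+            opts.setValue(Buffer.buffer(getFileContent(configuration.ssl.certificate.keyStoreFile.get())));
+            copy.setKeyCertOptions(opts);
+        }
+
+        if (configuration.ssl.certificate.trustStoreFile.isPresent()) {
+            var opts = ((KeyStoreOptions) copy.getKeyCertOptions());
+            opts.setValue(Buffer.buffer(getFileContent(configuration.ssl.certificate.trustStoreFile.get())));
+            copy.setTrustOptions(opts);
+        }
+
+        return copy;
+    }
+}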
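Review bot: The trust-store branch of `reloadFileContent` reads `copy.getKeyCertOptions()` where it should read `copy.getTrustOptions()`, so it takes the key-store options object (already holding the freshly read key store when the `keyStoreFile` branch ran), overwrites its value with the trust store bytes, and installs that same object as the trust options; after the reload the server's key material would be the trust store content, carrying the key store's type and password, and both client-certificate validation and the server's own handshake would break until the next successful reload. The fix is one line: `var opts = ((KeyStoreOptions) copy.getTrustOptions());`. Both unchecked casts also assume the options were built as `KeyStoreOptions` and are non-null; if another `KeyCertOptions`/`TrustOptions` implementation or a null can reach here, every tick of the periodic task would fail with a `ClassCastException`/`NullPointerException` that is only logged, so an `instanceof` guard with a descriptive error (or a one-time check in `handleCertificateReloading`) would help operators notice misconfiguration. It is also worth confirming that `new SSLOptions(ssl)` deep-copies the nested key-cert and trust options: if it shared them, the in-place `setValue` calls would modify the live `ssl` options as well and `c.equals(ssl)` would always be true, silently disabling the update path.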