CE-158 oap-http: autoreload certificates

oap-http/oap-http/src/main/java/oap/http/server/nio/NioHttpServer.java

@@ -36,6 +36,8 @@
 import lombok.SneakyThrows;
 import lombok.ToString;
 import lombok.extern.slf4j.Slf4j;
+import oap.concurrent.scheduler.Scheduled;
+import oap.concurrent.scheduler.Scheduler;
 import oap.http.server.nio.handlers.CompressionNioHandler;
 import oap.io.Closeables;
 import oap.util.Dates;
@@ -44,9 +46,11 @@
 import org.xnio.Options;
 import org.xnio.Xnio;
 import org.xnio.XnioWorker;
+import org.xnio.ssl.JsseSslUtils;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
 import java.io.Closeable;
 import java.io.IOException;
 import java.io.InputStream;
@@ -55,6 +59,7 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
@@ -80,7 +85,6 @@ public class NioHttpServer implements Closeable, AutoCloseable {
     public final ArrayList<NioHandlerBuilder> handlers = new ArrayList<>();
     private final ConcurrentHashMap<Integer, PathHandler> pathHandler = new ConcurrentHashMap<>();
     private final AtomicLong requestId = new AtomicLong();
-    private final KeyManager[] keyManagers;
     public int backlog = -1;
     public long idleTimeout = -1;
     public boolean tcpNodelay = true;
@@ -94,9 +98,11 @@ public class NioHttpServer implements Closeable, AutoCloseable {
     public boolean alwaysSetDate = true;
     public boolean alwaysSetKeepAlive = true;
     public int pathHandlerCacheSize = 0; // without cache
-
+    public long autoRefreshCertificates = Dates.h( 12 );
     public Undertow undertow;
+    private KeyManager[] keyManagers;
     private XnioWorker xnioWorker;
+    private Scheduled autoRefreshCertificatesScheduled;
 
     public NioHttpServer( DefaultPort defaultPort ) {
         this.defaultPort = defaultPort;
@@ -214,6 +220,10 @@ public void start() {
             addStats( undertow );
         }
 
+        if( autoRefreshCertificates > 0 ) {
+            autoRefreshCertificatesScheduled = Scheduler.scheduleWithFixedDelay( autoRefreshCertificates, TimeUnit.MILLISECONDS, this::refreshCertificates );
+        }
+
         log.info( "server on ports: {} (statistics: {}, ioThreads: {}, workerThreads: {}) has started in {} ms",
             pathHandler.keySet(), statistics,
             undertow.getWorker().getMXBean().getIoThreadCount(),
@@ -222,6 +232,7 @@ public void start() {
         );
     }
 
+    @SneakyThrows
     private void addPortListener( int port, PathHandler portPathHandler, Undertow.Builder builder ) {
         Preconditions.checkNotNull( portPathHandler );
 
@@ -237,7 +248,8 @@ private void addPortListener( int port, PathHandler portPathHandler, Undertow.Bu
         handler = new GracefulShutdownHandler( handler );
 
         if( port == defaultPort.httpsPort ) {
-            builder.addHttpsListener( port, "0.0.0.0", keyManagers, null, handler );
+            SSLContext sslContext = JsseSslUtils.createSSLContext( keyManagers, null, new SecureRandom(), OptionMap.create( Options.SSL_PROTOCOL, "TLSv1.2" ) );
+            builder.addHttpsListener( port, "0.0.0.0", sslContext, handler );
         } else {
             builder.addHttpListener( port, "0.0.0.0", handler );
         }
@@ -351,6 +363,11 @@ public void preStop() {
 
     @Override
     public void close() throws IOException {
+        if( autoRefreshCertificatesScheduled != null ) {
+            Closeables.close( autoRefreshCertificatesScheduled );
+            autoRefreshCertificatesScheduled = null;
+        }
+
         preStop();
 
         Closeables.close( xnioWorker );
@@ -360,6 +377,29 @@ public boolean hasHandler( Class<? extends NioHandler> handlerClass ) {
         return Lists.anyMatch( handlers, h -> h.getClass().equals( handlerClass ) );
     }
 
+    public void refreshCertificates() {
+        try {
+            if( isHttpsEnabled() ) {
+                log.debug( "refreshCertificates location {}...", defaultPort.keyStore );
+
+                keyManagers = makeKeyManagers( defaultPort.keyStore, defaultPort.password );
+
+                List<Undertow.ListenerInfo> listenerInfo = undertow.getListenerInfo();
+
+                SSLContext sslContext = JsseSslUtils.createSSLContext( keyManagers, null, new SecureRandom(), OptionMap.create( Options.SSL_PROTOCOL, "TLSv1.2" ) );
+
+                listenerInfo
+                    .stream()
+                    .filter( li -> li.getSslContext() != null )
+                    .forEach( li -> li.setSslContext( sslContext ) );
+
+                log.debug( "refreshCertificates location {}... Done", defaultPort.keyStore );
+            }
+        } catch( Exception e ) {
+            log.error( e.getMessage(), e );
+        }
+    }
+
     public enum PortType {
         HTTP, HTTPS
     }

oap-http/oap-http/src/main/resources/META-INF/oap-module.oap

@@ -30,6 +30,7 @@ services {
       additionalHttpPorts {
         httpprivate = 8081
       }
+      autoRefreshCertificates = 12h // -1 - disable
 
       backlog = -1
       idleTimeout = -1

pom.xml

@@ -57,7 +57,7 @@
     </distributionManagement>
 
     <properties>
-        <oap.project.version>25.6.7</oap.project.version>
+        <oap.project.version>25.6.8</oap.project.version>
 
         <oap.deps.config.version>25.0.1</oap.deps.config.version>
         <oap.deps.oap-teamcity.version>25.0.0</oap.deps.oap-teamcity.version>