Changed polling mechanism for certificate files

Author: Zgoda91

api/src/main/java/io/grpc/TlsChannelCredentials.java

@@ -26,7 +26,6 @@
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.TrustManager;
@@ -50,7 +49,6 @@ public static ChannelCredentials create() {
   private final List<KeyManager> keyManagers;
   private final byte[] rootCertificates;
   private final List<TrustManager> trustManagers;
-  private final Map<String, ?> customCertificatesConfig;
 
   TlsChannelCredentials(Builder builder) {
     fakeFeature = builder.fakeFeature;
@@ -60,7 +58,6 @@ public static ChannelCredentials create() {
     keyManagers = builder.keyManagers;
     rootCertificates = builder.rootCertificates;
     trustManagers = builder.trustManagers;
-    customCertificatesConfig = builder.customCertificatesConfig;
   }
 
   /**
@@ -124,21 +121,6 @@ public List<TrustManager> getTrustManagers() {
     return trustManagers;
   }
 
-  /**
-   * Returns custom certificates config. It contains following entries:
-   *
-   * <ul>
-   *   <li>{@code "ca_certificate_file"} key containing the path to the root certificate file</li>
-   *   <li>{@code "certificate_file"} key containing the path to the identity certificate file</li>
-   *   <li>{@code "private_key_file"} key containing the path to the private key</li>
-   *   <li>{@code "refresh_interval"} key specifying the frequency of updates to the above
-   * files</li>
-   * </ul>
-   */
-  public Map<String, ?> getCustomCertificatesConfig() {
-    return customCertificatesConfig;
-  }
-
   /**
    * Returns an empty set if this credential can be adequately understood via
    * the features listed, otherwise returns a hint of features that are lacking
@@ -246,7 +228,6 @@ public static final class Builder {
     private List<KeyManager> keyManagers;
     private byte[] rootCertificates;
     private List<TrustManager> trustManagers;
-    private Map<String, ?> customCertificatesConfig;
 
     private Builder() {}
 
@@ -374,11 +355,6 @@ public Builder trustManager(TrustManager... trustManagers) {
       return this;
     }
 
-    public Builder customCertificatesConfig(Map<String, ?> customCertificatesConfig) {
-      this.customCertificatesConfig = customCertificatesConfig;
-      return this;
-    }
-
     private void clearTrustManagers() {
       this.rootCertificates = null;
       this.trustManagers = null;

xds/src/main/java/io/grpc/xds/client/BootstrapperImpl.java

@@ -21,7 +21,6 @@
 import com.google.common.collect.ImmutableMap;
 import io.grpc.Internal;
 import io.grpc.InternalLogId;
-import io.grpc.TlsChannelCredentials;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.GrpcUtil.GrpcBuildVersion;
 import io.grpc.internal.JsonParser;
@@ -163,9 +162,9 @@ protected BootstrapInfo.Builder bootstrapBuilder(Map<String, ?> rawData)
     builder.node(nodeBuilder.build());
 
     Map<String, ?> certProvidersBlob = JsonUtil.getObject(rawData, "certificate_providers");
-    Map<String, CertificateProviderInfo> certProviders = new HashMap<>();
     if (certProvidersBlob != null) {
       logger.log(XdsLogLevel.INFO, "Configured with {0} cert providers", certProvidersBlob.size());
+      Map<String, CertificateProviderInfo> certProviders = new HashMap<>(certProvidersBlob.size());
       for (String name : certProvidersBlob.keySet()) {
         Map<String, ?> valueMap = JsonUtil.getObject(certProvidersBlob, name);
         String pluginName =
@@ -176,21 +175,6 @@ protected BootstrapInfo.Builder bootstrapBuilder(Map<String, ?> rawData)
             CertificateProviderInfo.create(pluginName, config);
         certProviders.put(name, certificateProviderInfo);
       }
-    }
-
-    for (ServerInfo serverInfo : servers) {
-      Object creds = serverInfo.implSpecificConfig();
-      if (creds instanceof TlsChannelCredentials) {
-        Map<String, ?> config = ((TlsChannelCredentials)creds).getCustomCertificatesConfig();
-        if (config != null) {
-          CertificateProviderInfo certificateProviderInfo =
-              CertificateProviderInfo.create("file_watcher", config);
-          certProviders.put("mtls_channel_creds_identity_certs", certificateProviderInfo);
-        }
-      }
-    }
-
-    if (!certProviders.isEmpty()) {
       builder.certProviders(certProviders);
     }
 

xds/src/main/java/io/grpc/xds/internal/TlsXdsCredentialsProvider.java

@@ -19,9 +19,10 @@
 import io.grpc.ChannelCredentials;
 import io.grpc.TlsChannelCredentials;
 import io.grpc.internal.JsonUtil;
+import io.grpc.util.AdvancedTlsX509KeyManager;
+import io.grpc.util.AdvancedTlsX509TrustManager;
 import io.grpc.xds.XdsCredentialsProvider;
 import java.io.File;
-import java.io.IOException;
 import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -33,6 +34,9 @@
 public final class TlsXdsCredentialsProvider extends XdsCredentialsProvider {
   private static final Logger logger = Logger.getLogger(TlsXdsCredentialsProvider.class.getName());
   private static final String CREDS_NAME = "tls";
+  private static final String CERT_FILE_KEY = "certificate_file";
+  private static final String KEY_FILE_KEY = "private_key_file";
+  private static final String ROOT_FILE_KEY = "ca_certificate_file";
 
   @Override
   protected ChannelCredentials newChannelCredentials(Map<String, ?> jsonConfig) {
@@ -43,24 +47,28 @@ protected ChannelCredentials newChannelCredentials(Map<String, ?> jsonConfig) {
     }
 
     // use trust certificate file path from bootstrap config if provided; else use system default
-    String rootCertPath = JsonUtil.getString(jsonConfig, "ca_certificate_file");
+    String rootCertPath = JsonUtil.getString(jsonConfig, ROOT_FILE_KEY);
     if (rootCertPath != null) {
       try {
-        builder.trustManager(new File(rootCertPath));
-      } catch (IOException e) {
+        AdvancedTlsX509TrustManager trustManager = AdvancedTlsX509TrustManager.newBuilder().build();
+        trustManager.updateTrustCredentials(new File(rootCertPath));
+        builder.trustManager(trustManager);
+      } catch (Exception e) {
         logger.log(Level.WARNING, "Unable to read root certificates", e);
         return null;
       }
     }
 
     // use certificate chain and private key file paths from bootstrap config if provided. Mind that
     // both JSON values must be either set (mTLS case) or both unset (TLS case)
-    String certChainPath = JsonUtil.getString(jsonConfig, "certificate_file");
-    String privateKeyPath = JsonUtil.getString(jsonConfig, "private_key_file");
+    String certChainPath = JsonUtil.getString(jsonConfig, CERT_FILE_KEY);
+    String privateKeyPath = JsonUtil.getString(jsonConfig, KEY_FILE_KEY);
     if (certChainPath != null && privateKeyPath != null) {
       try {
-        builder.keyManager(new File(certChainPath), new File(privateKeyPath));
-      } catch (IOException e) {
+        AdvancedTlsX509KeyManager keyManager = new AdvancedTlsX509KeyManager();
+        keyManager.updateIdentityCredentials(new File(certChainPath), new File(privateKeyPath));
+        builder.keyManager(keyManager);
+      } catch (Exception e) {
         logger.log(Level.WARNING, "Unable to read certificate chain or private key", e);
         return null;
       }
@@ -69,11 +77,6 @@ protected ChannelCredentials newChannelCredentials(Map<String, ?> jsonConfig) {
       return null;
     }
 
-    // save json config when custom certificate paths were provided in a bootstrap
-    if (rootCertPath != null || certChainPath != null) {
-      builder.customCertificatesConfig(jsonConfig);
-    }
-    
     return builder.build();
   }
 

xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProvider.java

@@ -73,12 +73,10 @@ final class FileWatcherCertificateProvider extends CertificateProvider implement
     this.scheduledExecutorService =
         checkNotNull(scheduledExecutorService, "scheduledExecutorService");
     this.timeProvider = checkNotNull(timeProvider, "timeProvider");
-    checkArgument(((certFile != null) == (keyFile != null)),
-        "certFile and keyFile must be both set or both unset");
-    this.certFile = certFile == null ? null : Paths.get(certFile);
-    this.keyFile = keyFile == null ? null : Paths.get(keyFile);
-    checkArgument((trustFile != null || spiffeTrustMapFile != null || keyFile != null),
-        "must be watching either root or identity certificates");
+    this.certFile = Paths.get(checkNotNull(certFile, "certFile"));
+    this.keyFile = Paths.get(checkNotNull(keyFile, "keyFile"));
+    checkArgument((trustFile != null || spiffeTrustMapFile != null),
+        "either trustFile or spiffeTrustMapFile must be present");
     if (spiffeTrustMapFile != null) {
       this.spiffeTrustMapFile = Paths.get(spiffeTrustMapFile);
       this.trustFile = null;
@@ -115,26 +113,23 @@ private synchronized void scheduleNextRefreshCertificate(long delayInSeconds) {
   void checkAndReloadCertificates() {
     try {
       try {
-        if (certFile != null && keyFile != null) {
-          FileTime currentCertTime = Files.getLastModifiedTime(certFile);
-          FileTime currentKeyTime = Files.getLastModifiedTime(keyFile);
-          if (!currentCertTime.equals(lastModifiedTimeCert)
-              && !currentKeyTime.equals(lastModifiedTimeKey)) {
-            byte[] certFileContents = Files.readAllBytes(certFile);
-            byte[] keyFileContents = Files.readAllBytes(keyFile);
-            FileTime currentCertTime2 = Files.getLastModifiedTime(certFile);
-            FileTime currentKeyTime2 = Files.getLastModifiedTime(keyFile);
-            if (currentCertTime2.equals(currentCertTime)
-                && currentKeyTime2.equals(currentKeyTime)) {
-              try (ByteArrayInputStream certStream = new ByteArrayInputStream(certFileContents);
-                  ByteArrayInputStream keyStream = new ByteArrayInputStream(keyFileContents)) {
-                PrivateKey privateKey = CertificateUtils.getPrivateKey(keyStream);
-                X509Certificate[] certs = CertificateUtils.toX509Certificates(certStream);
-                getWatcher().updateCertificate(privateKey, Arrays.asList(certs));
-              }
-              lastModifiedTimeCert = currentCertTime;
-              lastModifiedTimeKey = currentKeyTime;
+        FileTime currentCertTime = Files.getLastModifiedTime(certFile);
+        FileTime currentKeyTime = Files.getLastModifiedTime(keyFile);
+        if (!currentCertTime.equals(lastModifiedTimeCert)
+            && !currentKeyTime.equals(lastModifiedTimeKey)) {
+          byte[] certFileContents = Files.readAllBytes(certFile);
+          byte[] keyFileContents = Files.readAllBytes(keyFile);
+          FileTime currentCertTime2 = Files.getLastModifiedTime(certFile);
+          FileTime currentKeyTime2 = Files.getLastModifiedTime(keyFile);
+          if (currentCertTime2.equals(currentCertTime) && currentKeyTime2.equals(currentKeyTime)) {
+            try (ByteArrayInputStream certStream = new ByteArrayInputStream(certFileContents);
+                ByteArrayInputStream keyStream = new ByteArrayInputStream(keyFileContents)) {
+              PrivateKey privateKey = CertificateUtils.getPrivateKey(keyStream);
+              X509Certificate[] certs = CertificateUtils.toX509Certificates(certStream);
+              getWatcher().updateCertificate(privateKey, Arrays.asList(certs));
             }
+            lastModifiedTimeCert = currentCertTime;
+            lastModifiedTimeKey = currentKeyTime;
           }
         }
       } catch (Throwable t) {

xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProvider.java

@@ -17,6 +17,7 @@
 package io.grpc.xds.internal.security.certprovider;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkNotNull;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
@@ -93,27 +94,30 @@ public CertificateProvider createCertificateProvider(
         timeProvider);
   }
 
+  private static String checkForNullAndGet(Map<String, ?> map, String key) {
+    return checkNotNull(JsonUtil.getString(map, key), "'" + key + "' is required in the config");
+  }
+
   private static Config validateAndTranslateConfig(Object config) {
     checkArgument(config instanceof Map, "Only Map supported for config");
     @SuppressWarnings("unchecked") Map<String, ?> map = (Map<String, ?>)config;
 
     Config configObj = new Config();
-    configObj.certFile = JsonUtil.getString(map, CERT_FILE_KEY);
-    configObj.keyFile = JsonUtil.getString(map, KEY_FILE_KEY);
-    if ((configObj.certFile != null) != (configObj.keyFile != null)) {
-      throw new NullPointerException(
-          String.format("'%s' and '%s' must be both set or both unset",
-              CERT_FILE_KEY, KEY_FILE_KEY));
-    }
-    if (!map.containsKey(ROOT_FILE_KEY)
-        && !map.containsKey(CERT_FILE_KEY)
-        && (!enableSpiffe || !map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY))) {
-      throw new NullPointerException("must be watching either root or identity certificates");
-    }
-    if (enableSpiffe && map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY)) {
-      configObj.spiffeTrustMapFile = JsonUtil.getString(map, SPIFFE_TRUST_MAP_FILE_KEY);
+    configObj.certFile = checkForNullAndGet(map, CERT_FILE_KEY);
+    configObj.keyFile = checkForNullAndGet(map, KEY_FILE_KEY);
+    if (enableSpiffe) {
+      if (!map.containsKey(ROOT_FILE_KEY) && !map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY)) {
+        throw new NullPointerException(
+            String.format("either '%s' or '%s' is required in the config",
+                ROOT_FILE_KEY, SPIFFE_TRUST_MAP_FILE_KEY));
+      }
+      if (map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY)) {
+        configObj.spiffeTrustMapFile = JsonUtil.getString(map, SPIFFE_TRUST_MAP_FILE_KEY);
+      } else {
+        configObj.rootFile = JsonUtil.getString(map, ROOT_FILE_KEY);
+      }
     } else {
-      configObj.rootFile = JsonUtil.getString(map, ROOT_FILE_KEY);
+      configObj.rootFile = checkForNullAndGet(map, ROOT_FILE_KEY);
     }
     String refreshIntervalString = JsonUtil.getString(map, REFRESH_INTERVAL_KEY);
     if (refreshIntervalString != null) {

xds/src/test/java/io/grpc/xds/GrpcBootstrapperImplTest.java

@@ -32,10 +32,11 @@
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.GrpcUtil.GrpcBuildVersion;
 import io.grpc.internal.testing.TestUtils;
+import io.grpc.util.AdvancedTlsX509KeyManager;
+import io.grpc.util.AdvancedTlsX509TrustManager;
 import io.grpc.xds.client.Bootstrapper;
 import io.grpc.xds.client.Bootstrapper.AuthorityInfo;
 import io.grpc.xds.client.Bootstrapper.BootstrapInfo;
-import io.grpc.xds.client.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.client.Bootstrapper.ServerInfo;
 import io.grpc.xds.client.BootstrapperImpl;
 import io.grpc.xds.client.CommonBootstrapperTestUtils;
@@ -45,6 +46,8 @@
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.TrustManager;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -934,21 +937,16 @@ public void parseTlsChannelCredentialsWithCustomCertificatesConfig()
     ServerInfo serverInfo = Iterables.getOnlyElement(info.servers());
     assertThat(serverInfo.target()).isEqualTo(SERVER_URI);
     assertThat(serverInfo.implSpecificConfig()).isInstanceOf(TlsChannelCredentials.class);
-    assertThat(info.node()).isEqualTo(getNodeBuilder().build());
 
-    assertThat(info.certProviders()).hasSize(1);
-    ImmutableMap<String, CertificateProviderInfo> certProviderInfo = info.certProviders();
-    assertThat(certProviderInfo.keySet()).containsExactly("mtls_channel_creds_identity_certs");
-    CertificateProviderInfo mtlsChannelCredCertProviderInfo =
-        certProviderInfo.get("mtls_channel_creds_identity_certs");
-    assertThat(mtlsChannelCredCertProviderInfo.config().keySet())
-        .containsExactly("ca_certificate_file", "certificate_file", "private_key_file");
-    assertThat(mtlsChannelCredCertProviderInfo.config().get("ca_certificate_file"))
-        .isEqualTo(rootCertPath);
-    assertThat(mtlsChannelCredCertProviderInfo.config().get("certificate_file"))
-        .isEqualTo(certChainPath);
-    assertThat(mtlsChannelCredCertProviderInfo.config().get("private_key_file"))
-        .isEqualTo(privateKeyPath);
+    TlsChannelCredentials tlsChannelCredentials =
+        (TlsChannelCredentials) serverInfo.implSpecificConfig();
+    assertThat(tlsChannelCredentials.getKeyManagers()).hasSize(1);
+    KeyManager keyManager = Iterables.getOnlyElement(tlsChannelCredentials.getKeyManagers());
+    assertThat(keyManager).isInstanceOf(AdvancedTlsX509KeyManager.class);
+    assertThat(tlsChannelCredentials.getTrustManagers()).hasSize(1);
+    TrustManager trustManager = Iterables.getOnlyElement(tlsChannelCredentials.getTrustManagers());
+    assertThat(trustManager).isInstanceOf(AdvancedTlsX509TrustManager.class);
+
   }
 
   private static BootstrapperImpl.FileReader createFileReader(