[jira] [Commented] (GEODE-9017) Reload key store and trust store upon change

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/GEODE-9017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299074#comment-17299074
 ] 

ASF GitHub Bot commented on GEODE-9017:
---------------------------------------

kirklund commented on a change in pull request #6106:
URL: https://github.com/apache/geode/pull/6106#discussion_r591783955



##########
File path: 
geode-core/src/main/java/org/apache/geode/internal/net/filewatch/FileWatchingX509ExtendedKeyManager.java
##########
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more 
contributor license
+ * agreements. See the NOTICE file distributed with this work for additional 
information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache 
License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the 
License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software 
distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 
KIND, either express
+ * or implied. See the License for the specific language governing permissions 
and limitations under
+ * the License.
+ */
+package org.apache.geode.internal.net.filewatch;
+
+import static java.util.concurrent.Executors.newSingleThreadExecutor;
+
+import java.net.Socket;
+import java.nio.file.Path;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.atomic.AtomicReference;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedKeyManager;
+
+import org.apache.logging.log4j.Logger;
+
+import org.apache.geode.annotations.VisibleForTesting;
+import org.apache.geode.logging.internal.log4j.api.LogService;
+
+/**
+ * Watches a key store file and updates the underlying key manager when the 
file is changed.
+ */
+public final class FileWatchingX509ExtendedKeyManager extends 
X509ExtendedKeyManager {
+
+  private static final Logger logger = LogService.getLogger();
+  private static final ConcurrentHashMap<Path, 
FileWatchingX509ExtendedKeyManager> instances =
+      new ConcurrentHashMap<>();
+
+  private final AtomicReference<X509ExtendedKeyManager> keyManager = new 
AtomicReference<>();
+  private final Path keyStorePath;
+  private final ThrowingSupplier<KeyManager[]> keyManagerSupplier;
+
+  @VisibleForTesting
+  FileWatchingX509ExtendedKeyManager(Path keystorePath,
+      ThrowingSupplier<KeyManager[]> keyManagerSupplier,
+      ExecutorService executor) {
+    this.keyStorePath = keystorePath;
+    this.keyManagerSupplier = keyManagerSupplier;
+
+    loadKeyManager();
+
+    executor.submit(new FileWatcher(this.keyStorePath, this::loadKeyManager));
+  }
+
+  /**
+   * Returns a {@link FileWatchingX509ExtendedKeyManager} for the given path. 
A new instance will be
+   * created only if one does not already exist for that path.
+   *
+   * @param path The path to the key store file
+   * @param supplier A supplier which returns an {@link X509ExtendedKeyManager}
+   */
+  public static FileWatchingX509ExtendedKeyManager forPath(Path path,
+      ThrowingSupplier<KeyManager[]> supplier) {
+    return instances.computeIfAbsent(path,
+        (Path p) -> new FileWatchingX509ExtendedKeyManager(p, supplier, 
newSingleThreadExecutor()));
+  }
+
+  @Override
+  public String chooseClientAlias(String[] strings, Principal[] principals, 
Socket socket) {
+    return keyManager.get().chooseClientAlias(strings, principals, socket);
+  }
+
+  @Override
+  public String chooseEngineClientAlias(String[] strings, Principal[] 
principals,
+      SSLEngine sslEngine) {
+    return keyManager.get().chooseEngineClientAlias(strings, principals, 
sslEngine);
+  }
+
+  @Override
+  public String chooseEngineServerAlias(String s, Principal[] principals, 
SSLEngine sslEngine) {
+    return keyManager.get().chooseEngineServerAlias(s, principals, sslEngine);
+  }
+
+  @Override
+  public String chooseServerAlias(String s, Principal[] principals, Socket 
socket) {
+    return keyManager.get().chooseServerAlias(s, principals, socket);
+  }
+
+  @Override
+  public X509Certificate[] getCertificateChain(String s) {
+    return keyManager.get().getCertificateChain(s);
+  }
+
+  @Override
+  public String[] getClientAliases(String s, Principal[] principals) {
+    return keyManager.get().getClientAliases(s, principals);
+  }
+
+  @Override
+  public PrivateKey getPrivateKey(String s) {
+    return keyManager.get().getPrivateKey(s);
+  }
+
+  @Override
+  public String[] getServerAliases(String s, Principal[] principals) {
+    return keyManager.get().getServerAliases(s, principals);
+  }
+
+  private void loadKeyManager() {
+    KeyManager[] keyManagers;
+    try {
+      keyManagers = keyManagerSupplier.get();
+    } catch (Throwable t) {
+      throw new RuntimeException("Unable to load KeyManager", t);
+    }

Review comment:
       Usually we try to avoid catching VirtualMachineErrors and its 
subclasses. For example if OutOfMemoryError is thrown and caught here, there's 
actually no guarantee it will be thrown again/elsewhere even if the JVM is OOM.
   
   It's usually more appropriate to use InternalGemFireException or 
GemFireSecurityException (both are RuntimeExceptions):
   ```
   throw new InternalGemFireException("Unable to load KeyManager", t);
   ```

##########
File path: 
geode-assembly/src/acceptanceTest/java/org/apache/geode/ssl/CertificateRotationTest.java
##########
@@ -0,0 +1,427 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more 
contributor license
+ * agreements. See the NOTICE file distributed with this work for additional 
information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache 
License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the 
License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software 
distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 
KIND, either express
+ * or implied. See the License for the specific language governing permissions 
and limitations under
+ * the License.
+ */
+package org.apache.geode.ssl;
+
+import static java.util.regex.Pattern.compile;
+import static java.util.regex.Pattern.quote;
+import static org.apache.geode.cache.client.ClientRegionShortcut.PROXY;
+import static 
org.apache.geode.internal.AvailablePortHelper.getRandomAvailableTCPPorts;
+import static org.apache.geode.test.awaitility.GeodeAwaitility.await;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.time.Duration;
+import java.util.Properties;
+import java.util.regex.Pattern;
+import java.util.stream.Stream;
+
+import javax.net.ssl.SSLException;
+
+import org.assertj.core.api.Condition;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import org.apache.geode.cache.Region;
+import org.apache.geode.cache.client.ClientCache;
+import org.apache.geode.cache.client.ClientCacheFactory;
+import org.apache.geode.cache.ssl.CertStores;
+import org.apache.geode.cache.ssl.CertificateBuilder;
+import org.apache.geode.cache.ssl.CertificateMaterial;
+import org.apache.geode.test.junit.rules.gfsh.GfshRule;
+
+/**
+ * This test creates a cluster and a client with SSL enabled for all 
components and client
+ * authentication enabled.
+ *
+ * It verifies that the cluster certificate, the client certificate, and the 
CA certificate can be
+ * rotated without having to restart the client or the members.
+ */
+public class CertificateRotationTest {
+
+  private static final String regionName = "region";
+  private static final String dummyStorePass = "geode";
+  private static final Pattern updatedKeyManager = compile("Updated 
KeyManager");
+  private static final Pattern updatedTrustManager = compile("Updated 
TrustManager");
+
+  @Rule
+  public TemporaryFolder temporaryFolder = new TemporaryFolder();
+
+  @Rule
+  public GfshRule gfshRule = new GfshRule();
+
+  private CertificateMaterial caCert;
+
+  private String[] memberNames;
+  private int locatorPort;
+  private int locatorHttpPort;
+  private File clusterKeyStore;
+  private File clusterTrustStore;
+  private File clusterSecurityProperties;
+
+  private ClientCache client;
+  private Region<String, String> region;
+  private File clientKeyStore;
+  private File clientTrustStore;
+  private File clientLogFile;
+
+  /**
+   * The test setup creates a cluster with 1 locator and 2 servers, a client 
cache, and a CA
+   * certificate. The cluster has SSL enabled for all components and uses 
client authentication. The
+   * cluster members share a certificate which is signed by a CA and trust the 
CA certificate. The
+   * client has a certificate signed by the same CA and also trusts the CA 
certificate.
+   */
+  @Before
+  public void setUp() throws Exception {
+    caCert = new CertificateBuilder()
+        .commonName("ca")
+        .isCA()
+        .generate();
+
+    startCluster();
+    startClient();
+  }
+
+  @After
+  public void tearDown() {
+    if (client != null) {
+      client.close();
+    }
+
+    shutdownCluster();
+  }
+
+  /**
+   * This test rotates the cluster's certificate and verifies that the client 
can form a new secure
+   * connection.
+   */
+  @Test
+  public void rotateClusterCertificate() throws Exception {
+    CertificateMaterial newClusterCert = new CertificateBuilder()
+        .commonName("cluster")
+        .issuedBy(caCert)
+        .sanDnsName("localhost")
+        .sanIpAddress(InetAddress.getByName("127.0.0.1"))
+        .generate();
+
+    writeCertsToKeyStore(clusterKeyStore.toPath(), newClusterCert);
+    waitForMembersToLogMessage(updatedKeyManager);
+
+    assertThatCode(() -> region.put("foo", "bar"))
+        .as("The client performs an operation which requires a new secure 
connection")
+        .doesNotThrowAnyException();
+  }
+
+  /**
+   * This test rotates the client's certificate and verifies that the client 
can form a new secure
+   * connection.
+   */
+  @Test
+  public void rotateClientCertificate() throws Exception {
+    CertificateMaterial newClientCert = new CertificateBuilder()
+        .commonName("client")
+        .issuedBy(caCert)
+        .sanDnsName("localhost")
+        .sanIpAddress(InetAddress.getByName("127.0.0.1"))
+        .generate();
+
+    writeCertsToKeyStore(clientKeyStore.toPath(), newClientCert);
+    waitForClientToLogMessage(updatedKeyManager);
+
+    assertThatCode(() -> region.put("foo", "bar"))
+        .as("The client performs an operation which requires a new secure 
connection")
+        .doesNotThrowAnyException();
+  }
+
+  /**
+   * This test rotates the CA certificate in both the cluster and the client. 
It verifies that the
+   * client can form a new secure connection after the new CA certificate has 
been added and the old
+   * CA certificate removed.
+   */
+  @Test
+  public void rotateCaCertificate() throws Exception {
+    /*
+     * First, create a new CA certificate and add it to both the cluster's and 
the client's trust
+     * stores. The trust stores will contain both the old and the new CA 
certificates.
+     */
+
+    CertificateMaterial newCaCert = new CertificateBuilder()
+        .commonName("ca")
+        .isCA()
+        .generate();
+
+    writeCertsToTrustStore(clusterTrustStore.toPath(), caCert, newCaCert);
+    writeCertsToTrustStore(clientTrustStore.toPath(), caCert, newCaCert);
+
+    waitForMembersToLogMessage(updatedTrustManager);
+    waitForClientToLogMessage(updatedTrustManager);
+
+    /*
+     * Next, create new certificates for the cluster and the client which are 
signed by the new CA,
+     * and replace the certificates in the cluster's and the client's key 
stores.
+     */
+
+    CertificateMaterial newClusterCert = new CertificateBuilder()
+        .commonName("cluster")
+        .issuedBy(newCaCert)
+        .sanDnsName("localhost")
+        .sanIpAddress(InetAddress.getByName("127.0.0.1"))
+        .generate();
+
+    CertificateMaterial newClientCert = new CertificateBuilder()
+        .commonName("client")
+        .issuedBy(newCaCert)
+        .sanDnsName("localhost")
+        .sanIpAddress(InetAddress.getByName("127.0.0.1"))
+        .generate();
+
+    writeCertsToKeyStore(clusterKeyStore.toPath(), newClusterCert);
+    writeCertsToKeyStore(clientKeyStore.toPath(), newClientCert);
+
+    waitForMembersToLogMessage(updatedKeyManager);
+    waitForClientToLogMessage(updatedKeyManager);
+
+    /*
+     * Finally, remove the old CA certificate from both the cluster's and the 
client's trust stores.
+     */
+
+    writeCertsToTrustStore(clusterTrustStore.toPath(), newCaCert);
+    writeCertsToTrustStore(clientTrustStore.toPath(), newCaCert);
+
+    for (String name : memberNames) {
+      await().untilAsserted(() -> assertThat(logsForMember(name))
+          .as("The cluster's trust manager has been updated twice")
+          .haveExactly(2, linesMatching(updatedTrustManager)));
+    }
+
+    await().untilAsserted(() -> assertThat(logsForClient())
+        .as("The client's trust manager has been updated twice")
+        .haveExactly(2, linesMatching(updatedTrustManager)));

Review comment:
       Fancy :)




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Reload key store and trust store upon change
> --------------------------------------------
>
>                 Key: GEODE-9017
>                 URL: https://issues.apache.org/jira/browse/GEODE-9017
>             Project: Geode
>          Issue Type: New Feature
>            Reporter: Aaron Lindsey
>            Assignee: Aaron Lindsey
>            Priority: Major
>              Labels: pull-request-available
>
> [Link to 
> RFC|https://cwiki.apache.org/confluence/display/GEODE/Make+key+and+trust+stores+reload+automatically+upon+change]
> (The below text is copied from the RFC document.)
> h3. Problem
> Currently, in order to rotate certificates each member of the cluster needs 
> to be restarted to load new certs and trust. It would be preferable if 
> certificates can be rotated without having to restart members.
> h3. Solution
> When starting up a cluster member we currently read the TLS configuration 
> which, when TLS is enabled has key and trust store files defined. In case 
> those files are defined they are read, and the information inside them is 
> loaded into the key and trust manager objects that are loaded into the 
> SSLContext.
> This solution will introduce wrapper objects for the key and trust managers 
> and file/directory watcher(s) that can detect changes to the key and trust 
> store files. When key and trust store files are changed this will trigger a 
> reload into key and trust managers and through the wrapper objects these new 
> key and trust managers will be injected into the SSLContext so that the 
> context can start using the new key and trust managers in process.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)