Cache server certificates for up to 30 min

The server certificates and corresponding keys are encrypted by KMS and stored on GCS. This allows us to easily replace expiring certs without having to roll out a new proxy release. However currently the certificate is obtained as a singleton and used in all connections served by a proxy instance. This means that if we were to upload a new cert, all existing instances will not use it. This CL makes it so that we only cache the certificate for 30 min, after which a new cert is fetched and decrypted. Local certificates used for testing are still singletons. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=206976318
2025-05-12 22:38:16 +02:00 · 2018-08-01 12:50:25 -07:00 · 2018-08-01 12:50:25 -07:00 · 628aacd754
commit 628aacd754
parent e665a34810
8 changed files with 59 additions and 25 deletions
--- a/java/google/registry/proxy/handler/SslServerInitializer.java
+++ b/java/google/registry/proxy/handler/SslServerInitializer.java
@ -29,6 +29,7 @@ import io.netty.util.concurrent.Future;
 import io.netty.util.concurrent.Promise;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.util.function.Supplier;

 /**
 * Adds a server side SSL handler to the channel pipeline.
@ -57,25 +58,25 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
  private final boolean requireClientCert;
  private final SslProvider sslProvider;
-  private final PrivateKey privateKey;
-  private final X509Certificate[] certificates;
+  private final Supplier<PrivateKey> privateKeySupplier;
+  private final Supplier<X509Certificate[]> certificatesSupplier;

  public SslServerInitializer(
      boolean requireClientCert,
      SslProvider sslProvider,
-      PrivateKey privateKey,
-      X509Certificate... certificates) {
+      Supplier<PrivateKey> privateKeySupplier,
+      Supplier<X509Certificate[]> certificatesSupplier) {
    logger.atInfo().log("Server SSL Provider: %s", sslProvider);
    this.requireClientCert = requireClientCert;
    this.sslProvider = sslProvider;
-    this.privateKey = privateKey;
-    this.certificates = certificates;
+    this.privateKeySupplier = privateKeySupplier;
+    this.certificatesSupplier = certificatesSupplier;
  }

  @Override
  protected void initChannel(C channel) throws Exception {
    SslHandler sslHandler =
-        SslContextBuilder.forServer(privateKey, certificates)
+        SslContextBuilder.forServer(privateKeySupplier.get(), certificatesSupplier.get())
            .sslProvider(sslProvider)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .clientAuth(requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE)