Add hot reloading of SslContext (#376)

* When TLS is enabled, create a Filewatcher to detect any changes in the filesystem related to these TLS files (key, CA, cert). If something happens on the disk to these files, simply reload the SslContext.

* Add smallish test for the reload

* Change the test to use spy instance

* Add logging to indicate that the TLS/SSL certificates are being reloaded

Author: burmanm

management-api-server/src/main/java/com/datastax/mgmtapi/Cli.java

@@ -46,15 +46,21 @@
 import java.io.IOException;
 import java.net.SocketAddress;
 import java.net.URI;
+import java.nio.file.FileSystems;
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
 import java.nio.file.Paths;
+import java.nio.file.StandardWatchEventKinds;
+import java.nio.file.WatchEvent;
+import java.nio.file.WatchKey;
+import java.nio.file.WatchService;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
@@ -74,7 +80,6 @@
     name = "cassandra-management-api",
     description = "REST service for managing an Apache Cassandra or DSE node")
 public class Cli implements Runnable {
-  public static final String PROTOCOL_TLS_V1_2 = "TLSv1.2";
 
   static {
     InternalLoggerFactory.setDefaultFactory(new Slf4JLoggerFactory());
@@ -136,20 +141,26 @@ public class Cli implements Runnable {
       description = "Path to trust certs signed only by this CA")
   private String tls_ca_cert_file;
 
+  private File tlsCaCert;
+
   @Path(writable = false)
   @Option(
       name = {"--tlscert"},
       arity = 1,
       description = "Path to TLS certificate file")
   private String tls_cert_file;
 
+  private File tlsCert;
+
   @Path(writable = false)
   @Option(
       name = {"--tlskey"},
       arity = 1,
       description = "Path to TLS key file")
   private String tls_key_file;
 
+  private File tlsKey;
+
   private boolean useTls = false;
   private File dbUnixSocketFile = null;
   private File dbHomeDir = null;
@@ -159,6 +170,8 @@ public class Cli implements Runnable {
   private final CountDownLatch shutdownLatch = new CountDownLatch(1);
   private List<NettyJaxrsServer> servers = new ArrayList<>();
 
+  private SslContext sslContext;
+
   public Cli() {}
 
   @VisibleForTesting
@@ -387,6 +400,7 @@ void checkTLSDeps() {
         logger.error("Specified CA Cert file does not exist: {}", tls_ca_cert_file);
         System.exit(10);
       }
+      tlsCaCert = new File(tls_ca_cert_file);
     }
 
     // CERT File Checks
@@ -406,6 +420,7 @@ void checkTLSDeps() {
         logger.error("Specified Cert file does not exist: {}", tls_cert_file);
         System.exit(13);
       }
+      tlsCert = new File(tls_cert_file);
     }
 
     // KEY File Checks
@@ -424,6 +439,7 @@ void checkTLSDeps() {
         logger.error("Specified Key file does not exist: {}", tls_key_file);
         System.exit(16);
       }
+      tlsKey = new File(tls_key_file);
     }
 
     useTls = hasAny;
@@ -436,18 +452,86 @@ void preflightChecks() {
     checkUnixSocket();
   }
 
-  private NettyJaxrsServer startHTTPService(String hostname, int port) throws SSLException {
+  @VisibleForTesting
+  void createSSLContext() throws SSLException {
+    this.sslContext =
+        SslContextBuilder.forServer(tlsCert, tlsKey)
+            .trustManager(tlsCaCert)
+            .clientAuth(ClientAuth.REQUIRE)
+            .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
+            .build();
+  }
+
+  @VisibleForTesting
+  void createSSLWatcher() throws IOException {
+    // Watch for tls_cert_file, tls_key_file and tls_ca_cert_file, add all their directories to
+    // Filesystem Watcher
+    WatchService watchService = FileSystems.getDefault().newWatchService();
+    java.nio.file.Path tlsCertParent = tlsCert.toPath().getParent();
+    java.nio.file.Path tlsKeyParent = tlsKey.toPath().getParent();
+    java.nio.file.Path tlsCaCertParent = tlsCaCert.toPath().getParent();
+
+    tlsCertParent.register(
+        watchService,
+        StandardWatchEventKinds.ENTRY_CREATE,
+        StandardWatchEventKinds.ENTRY_DELETE,
+        StandardWatchEventKinds.ENTRY_MODIFY);
+    tlsKeyParent.register(
+        watchService,
+        StandardWatchEventKinds.ENTRY_CREATE,
+        StandardWatchEventKinds.ENTRY_DELETE,
+        StandardWatchEventKinds.ENTRY_MODIFY);
+    tlsCaCertParent.register(
+        watchService,
+        StandardWatchEventKinds.ENTRY_CREATE,
+        StandardWatchEventKinds.ENTRY_DELETE,
+        StandardWatchEventKinds.ENTRY_MODIFY);
+
+    ExecutorService executorService = Executors.newSingleThreadExecutor();
+    executorService.execute(
+        () -> {
+          while (true) {
+            try {
+              WatchKey key = watchService.take();
+              List<WatchEvent<?>> events = key.pollEvents();
+              boolean reloadNeeded = false;
+              for (WatchEvent<?> event : events) {
+                WatchEvent.Kind<?> kind = event.kind();
+
+                WatchEvent<java.nio.file.Path> ev = (WatchEvent<java.nio.file.Path>) event;
+                java.nio.file.Path eventFilename = ev.context();
+
+                if (tlsCertParent.resolve(eventFilename).equals(tlsCert.toPath())
+                    || tlsKeyParent.resolve(eventFilename).equals(tlsKey.toPath())
+                    || tlsCaCertParent.resolve(eventFilename).equals(tlsCaCert)) {
+                  // Something in the TLS has been modified.. recreate SslContext
+                  reloadNeeded = true;
+                }
+              }
+              if (!key.reset()) {
+                // The watched directories have disappeared..
+                break;
+              }
+              if (reloadNeeded) {
+                logger.info("Detected change in the SSL/TLS certificates, reloading.");
+                createSSLContext();
+              }
+            } catch (InterruptedException e) {
+              // Do something.. just log?
+              logger.error("Filesystem watcher received InterruptedException", e);
+            } catch (IOException e) {
+              logger.error("Filesystem watcher received IOException", e);
+            }
+          }
+        });
+  }
+
+  private NettyJaxrsServer startHTTPService(String hostname, int port) throws IOException {
     NettyJaxrsServer server;
 
     if (useTls) {
-      SslContext sslContext =
-          SslContextBuilder.forServer(new File(tls_cert_file), new File(tls_key_file))
-              .trustManager(new File(tls_ca_cert_file))
-              .clientAuth(ClientAuth.REQUIRE)
-              .protocols(PROTOCOL_TLS_V1_2)
-              .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
-              .build();
-
+      createSSLContext();
+      createSSLWatcher();
       server = new NettyJaxrsTLSServer(sslContext);
     } else {
       server = new NettyJaxrsServer();

management-api-server/src/test/java/com/datastax/mgmtapi/NettyTlsClientAuthTest.java

@@ -9,6 +9,8 @@
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assume.assumeTrue;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 
 import com.datastax.mgmtapi.helpers.IntegrationTestUtils;
 import com.datastax.mgmtapi.helpers.NettyHttpClient;
@@ -41,6 +43,8 @@
 import java.io.IOException;
 import java.net.URI;
 import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
@@ -56,6 +60,7 @@
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
+import org.mockito.Mockito;
 
 public class NettyTlsClientAuthTest {
   static String BASE_URI = generateURL("");
@@ -391,4 +396,56 @@ public void testManagementAPIWithTLS() throws IOException {
       FileUtils.deleteQuietly(new File(mgmtSock));
     }
   }
+
+  @Test
+  public void testHotReload() throws Exception {
+    assumeTrue(IntegrationTestUtils.shouldRun());
+
+    String mgmtSock = SocketUtils.makeValidUnixSocketFile(null, "management-netty-tls-mgmt");
+    new File(mgmtSock).deleteOnExit();
+    String cassSock = SocketUtils.makeValidUnixSocketFile(null, "management-netty-tls-cass");
+    new File(cassSock).deleteOnExit();
+
+    Path tempDirectory = Files.createTempDirectory("reload-test");
+
+    List<String> extraArgs =
+        IntegrationTestUtils.getExtraArgs(
+            NettyTlsClientAuthTest.class, "", temporaryFolder.getRoot());
+
+    File trustCertFile =
+        IntegrationTestUtils.getFile(getClass(), "mutual_auth_client_cert_chain.pem");
+    File serverKeyFile = IntegrationTestUtils.getFile(getClass(), "mutual_auth_server.key");
+    File serverCrtFile = IntegrationTestUtils.getFile(getClass(), "mutual_auth_server.crt");
+
+    // Copy TLS files to temp directory
+    Path trustCertCopy =
+        Files.copy(trustCertFile.toPath(), tempDirectory.resolve(trustCertFile.toPath()));
+    Path keyCopy =
+        Files.copy(serverKeyFile.toPath(), tempDirectory.resolve(serverKeyFile.toPath()));
+    Path crtCopy =
+        Files.copy(serverCrtFile.toPath(), tempDirectory.resolve(serverCrtFile.toPath()));
+
+    Cli cli =
+        new Cli(
+            Lists.newArrayList("file://" + mgmtSock, BASE_URI),
+            IntegrationTestUtils.getCassandraHome(),
+            cassSock,
+            false,
+            extraArgs,
+            trustCertCopy.toFile().getAbsolutePath(),
+            crtCopy.toFile().getAbsolutePath(),
+            keyCopy.toFile().getAbsolutePath());
+    cli.preflightChecks();
+    Cli spy = Mockito.spy(cli);
+    spy.createSSLContext();
+    spy.createSSLWatcher();
+
+    verify(spy, times(1)).createSSLContext();
+    verify(spy, times(1)).createSSLWatcher();
+
+    // Modify files..
+    Files.copy(trustCertFile.toPath(), tempDirectory.resolve(trustCertFile.toPath()));
+
+    verify(spy, Mockito.timeout(1000)).createSSLContext();
+  }
 }

management-api-server/src/test/java/com/datastax/mgmtapi/helpers/NettyHttpClient.java

@@ -7,7 +7,6 @@
 
 import static org.junit.Assert.fail;
 
-import com.datastax.mgmtapi.Cli;
 import com.google.common.util.concurrent.Uninterruptibles;
 import io.netty.bootstrap.Bootstrap;
 import io.netty.channel.Channel;
@@ -59,7 +58,6 @@ public NettyHttpClient(URL endpoint, File clientCaFile, File clientCertFile, Fil
               .trustManager(clientCaFile)
               .keyManager(clientCertFile, clientKeyFile, null)
               .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
-              .protocols(Cli.PROTOCOL_TLS_V1_2)
               .sessionCacheSize(0)
               .sessionTimeout(0)
               .build();

management-api-server/src/test/java/com/datastax/mgmtapi/helpers/NettyHttpIPCClient.java

@@ -7,7 +7,6 @@
 
 import static org.junit.Assert.fail;
 
-import com.datastax.mgmtapi.Cli;
 import com.datastax.mgmtapi.ipc.IPCController;
 import com.google.common.util.concurrent.Uninterruptibles;
 import io.netty.channel.Channel;
@@ -63,7 +62,6 @@ public NettyHttpIPCClient(
           SslContextBuilder.forClient()
               .trustManager(clientCaFile)
               .keyManager(clientCertFile, clientKeyFile, null)
-              .protocols(Cli.PROTOCOL_TLS_V1_2)
               .ciphers(null, IdentityCipherSuiteFilter.INSTANCE)
               .sessionCacheSize(0)
               .sessionTimeout(0)