Handle TLS file updates during startup

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java

@@ -66,6 +66,7 @@
 import org.elasticsearch.xpack.core.rest.action.RestXPackInfoAction;
 import org.elasticsearch.xpack.core.rest.action.RestXPackUsageAction;
 import org.elasticsearch.xpack.core.security.authc.TokenMetadata;
+import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
 import org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.core.watcher.WatcherMetadata;
@@ -87,8 +88,8 @@
 
 public class XPackPlugin extends XPackClientPlugin implements ExtensiblePlugin, RepositoryPlugin, EnginePlugin {
 
-    private static Logger logger = LogManager.getLogger(XPackPlugin.class);
-    private static DeprecationLogger deprecationLogger = new DeprecationLogger(logger);
+    private static final Logger logger = LogManager.getLogger(XPackPlugin.class);
+    private static final DeprecationLogger deprecationLogger = new DeprecationLogger(logger);
 
     public static final String XPACK_INSTALLED_NODE_ATTR = "xpack.installed";
 
@@ -259,11 +260,7 @@ public Collection<Object> createComponents(Client client, ClusterService cluster
                                                Supplier<RepositoriesService> repositoriesServiceSupplier) {
         List<Object> components = new ArrayList<>();
 
-        final SSLService sslService = new SSLService(environment);
-        setSslService(sslService);
-        // just create the reloader as it will pull all of the loaded ssl configurations and start watching them
-        new SSLConfigurationReloader(environment, sslService, resourceWatcherService);
-
+        final SSLService sslService = createSSLService(environment, resourceWatcherService);
         setLicenseService(new LicenseService(settings, clusterService, getClock(),
                 environment, resourceWatcherService, getLicenseState()));
 
@@ -387,4 +384,18 @@ public List<Setting<?>> getSettings() {
         settings.add(SourceOnlySnapshotRepository.SOURCE_ONLY);
         return settings;
     }
+
+    /**
+     * Handles the creation of the SSLService along with the necessary actions to enable reloading
+     * of SSLContexts when configuration files change on disk.
+     */
+    private SSLService createSSLService(Environment environment, ResourceWatcherService resourceWatcherService) {
+        final Map<String, SSLConfiguration> sslConfigurations = SSLService.getSSLConfigurations(environment.settings());
+        final SSLConfigurationReloader reloader =
+            new SSLConfigurationReloader(environment, resourceWatcherService, sslConfigurations.values());
+        final SSLService sslService = new SSLService(environment, sslConfigurations);
+        reloader.setSSLService(sslService);
+        setSslService(sslService);
+        return sslService;
+    }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloader.java

@@ -7,78 +7,103 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.watcher.ResourceWatcherService.Frequency;
 
 import javax.net.ssl.SSLContext;
-
 import java.io.IOException;
 import java.nio.file.Path;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.CopyOnWriteArraySet;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.function.Consumer;
 
 /**
  * Ensures that the files backing an {@link SSLConfiguration} are monitored for changes and the underlying key/trust material is reloaded
  * and the {@link SSLContext} has existing sessions invalidated to force the use of the new key/trust material
  */
-public class SSLConfigurationReloader {
+public final class SSLConfigurationReloader {
 
     private static final Logger logger = LogManager.getLogger(SSLConfigurationReloader.class);
 
-    private final ConcurrentHashMap<Path, ChangeListener> pathToChangeListenerMap = new ConcurrentHashMap<>();
-    private final Environment environment;
-    private final ResourceWatcherService resourceWatcherService;
-    private final SSLService sslService;
+    private final CompletableFuture<SSLService> sslServiceFuture = new CompletableFuture<>();
+
+    public SSLConfigurationReloader(Environment environment,
+                                    ResourceWatcherService resourceWatcherService,
+                                    Collection<SSLConfiguration> sslConfigurations) {
+        startWatching(environment, reloadConsumer(sslServiceFuture), resourceWatcherService, sslConfigurations);
+    }
+
+    // for testing
+    SSLConfigurationReloader(Environment environment,
+                             Consumer<SSLConfiguration> reloadConsumer,
+                             ResourceWatcherService resourceWatcherService,
+                             Collection<SSLConfiguration> sslConfigurations) {
+        startWatching(environment, reloadConsumer, resourceWatcherService, sslConfigurations);
+    }
+
+    public void setSSLService(SSLService sslService) {
+        final boolean completed = sslServiceFuture.complete(sslService);
+        if (completed == false) {
+            throw new IllegalStateException("ssl service future was already completed!");
+        }
+    }
 
-    public SSLConfigurationReloader(Environment env, SSLService sslService, ResourceWatcherService resourceWatcher) {
-        this.environment = env;
-        this.resourceWatcherService = resourceWatcher;
-        this.sslService = sslService;
-        startWatching(sslService.getLoadedSSLConfigurations());
+    private static Consumer<SSLConfiguration> reloadConsumer(CompletableFuture<SSLService> future) {
+        return sslConfiguration -> {
+            try {
+                final SSLService sslService = future.get();
+                logger.debug("reloading ssl configuration [{}]", sslConfiguration);
+                sslService.reloadSSLContext(sslConfiguration);
+            } catch (InterruptedException e) {
+                Thread.currentThread().interrupt();
+            } catch (ExecutionException e) {
+                throw new ElasticsearchException("failed to obtain ssl service", e);
+            }
+        };
     }
 
     /**
      * Collects all of the directories that need to be monitored for the provided {@link SSLConfiguration} instances and ensures that
      * they are being watched for changes
      */
-    private void startWatching(Collection<SSLConfiguration> sslConfigurations) {
+    private static void startWatching(Environment environment, Consumer<SSLConfiguration> reloadConsumer,
+                                      ResourceWatcherService resourceWatcherService, Collection<SSLConfiguration> sslConfigurations) {
+        Map<Path, List<SSLConfiguration>> pathToConfigurationsMap = new HashMap<>();
         for (SSLConfiguration sslConfiguration : sslConfigurations) {
             for (Path directory : directoriesToMonitor(sslConfiguration.filesToMonitor(environment))) {
-                pathToChangeListenerMap.compute(directory, (path, listener) -> {
-                    if (listener != null) {
-                        listener.addSSLConfiguration(sslConfiguration);
-                        return listener;
-                    }
-
-                    ChangeListener changeListener = new ChangeListener();
-                    changeListener.addSSLConfiguration(sslConfiguration);
-                    FileWatcher fileWatcher = new FileWatcher(path);
-                    fileWatcher.addListener(changeListener);
-                    try {
-                        resourceWatcherService.add(fileWatcher, Frequency.HIGH);
-                        return changeListener;
-                    } catch (IOException e) {
-                        logger.error("failed to start watching directory [{}] for ssl configuration [{}]", path, sslConfiguration);
+                pathToConfigurationsMap.compute(directory, (path, list) -> {
+                    if (list == null) {
+                        list = new ArrayList<>();
                     }
-                    return null;
+                    list.add(sslConfiguration);
+                    return list;
                 });
             }
         }
-    }
 
-    /**
-     * Reloads the ssl context associated with this configuration. It is visible so that tests can override as needed
-     */
-    void reloadSSLContext(SSLConfiguration configuration) {
-        logger.debug("reloading ssl configuration [{}]", configuration);
-        sslService.sslContextHolder(configuration).reload();
+        for (Entry<Path, List<SSLConfiguration>> entry : pathToConfigurationsMap.entrySet()) {
+            ChangeListener changeListener = new ChangeListener(environment, Collections.unmodifiableList(entry.getValue()), reloadConsumer);
+            FileWatcher fileWatcher = new FileWatcher(entry.getKey());
+            fileWatcher.addListener(changeListener);
+            try {
+                resourceWatcherService.add(fileWatcher, Frequency.HIGH);
+            } catch (IOException e) {
+                logger.error("failed to start watching directory [{}] for ssl configurations [{}]", entry.getKey(), sslConfigurations);
+            }
+        }
     }
 
     /**
@@ -92,15 +117,17 @@ private static Set<Path> directoriesToMonitor(List<Path> filePaths) {
         return paths;
     }
 
-    private class ChangeListener implements FileChangesListener {
+    private static class ChangeListener implements FileChangesListener {
 
-        private final CopyOnWriteArraySet<SSLConfiguration> sslConfigurations = new CopyOnWriteArraySet<>();
+        private final Environment environment;
+        private final List<SSLConfiguration> sslConfigurations;
+        private final Consumer<SSLConfiguration> reloadConsumer;
 
-        /**
-         * Adds the given ssl configuration to those that have files within the directory watched by this change listener
-         */
-        private void addSSLConfiguration(SSLConfiguration sslConfiguration) {
-            sslConfigurations.add(sslConfiguration);
+        private ChangeListener(Environment environment, List<SSLConfiguration> sslConfigurations,
+                               Consumer<SSLConfiguration> reloadConsumer) {
+            this.environment = environment;
+            this.sslConfigurations = sslConfigurations;
+            this.reloadConsumer = reloadConsumer;
         }
 
         @Override
@@ -118,7 +145,7 @@ public void onFileChanged(Path file) {
             boolean reloaded = false;
             for (SSLConfiguration sslConfiguration : sslConfigurations) {
                 if (sslConfiguration.filesToMonitor(environment).contains(file)) {
-                    reloadSSLContext(sslConfiguration);
+                    reloadConsumer.accept(sslConfiguration);
                     reloaded = true;
                 }
             }