drop client cache when refreshing certificates

2025-10-29 04:57:48 +01:00 · 2024-07-09 21:52:35 +02:00
parent da33d3e036
commit 04b37a7457
4 changed files with 31 additions and 5 deletions
--- a/server/src/main/java/com/usatiuk/dhfs/objects/repository/PersistentRemoteHostsService.java
+++ b/server/src/main/java/com/usatiuk/dhfs/objects/repository/PersistentRemoteHostsService.java
@@ -50,6 +50,9 @@ public class PersistentRemoteHostsService {
    @Inject
    InvalidationQueueService invalidationQueueService;

+    @Inject
+    RpcClientFactory rpcClientFactory;
+
    final String dataFileName = "hosts";

    private PersistentRemoteHosts _persistentData = new PersistentRemoteHosts();
@@ -220,6 +223,9 @@ public class PersistentRemoteHostsService {
    private void updateCerts() {
        getPeerDirectory().runReadLocked(JObject.ResolutionStrategy.LOCAL_ONLY, (m, d) -> {
            peerTrustManager.reloadTrustManagerHosts(getHostsNoNulls());
+            // Fixme:? I don't think it should be needed with custom trust store
+            // but it doesn't work?
+            rpcClientFactory.dropCache();
            return null;
        });
    }
--- a/server/src/main/java/com/usatiuk/dhfs/objects/repository/RpcChannelFactory.java
+++ b/server/src/main/java/com/usatiuk/dhfs/objects/repository/RpcChannelFactory.java
@@ -38,8 +38,8 @@ public class RpcChannelFactory {
    private record InsecureChannelKey(String address, int port) {
    }

-    private final ConcurrentMap<SecureChannelKey, ManagedChannel> _secureChannelCache = new ConcurrentHashMap<>();
-    private final ConcurrentMap<InsecureChannelKey, ManagedChannel> _insecureChannelCache = new ConcurrentHashMap<>();
+    private ConcurrentMap<SecureChannelKey, ManagedChannel> _secureChannelCache = new ConcurrentHashMap<>();
+    private ConcurrentMap<InsecureChannelKey, ManagedChannel> _insecureChannelCache = new ConcurrentHashMap<>();

    private ChannelCredentials getChannelCredentials() {
        try {
@@ -71,4 +71,13 @@ public class RpcChannelFactory {
            return NettyChannelBuilder.forAddress(address, port).negotiationType(NegotiationType.PLAINTEXT).idleTimeout(10, TimeUnit.SECONDS).usePlaintext().build();
        });
    }
+
+    public void dropCache() {
+        var oldS = _secureChannelCache;
+        var oldI = _insecureChannelCache;
+        _secureChannelCache = new ConcurrentHashMap<>();
+        _insecureChannelCache = new ConcurrentHashMap<>();
+        oldS.values().forEach(ManagedChannel::shutdown);
+        oldI.values().forEach(ManagedChannel::shutdown);
+    }
 }
--- a/server/src/main/java/com/usatiuk/dhfs/objects/repository/RpcClientFactory.java
+++ b/server/src/main/java/com/usatiuk/dhfs/objects/repository/RpcClientFactory.java
@@ -38,8 +38,8 @@ public class RpcClientFactory {
    }

    // FIXME: Leaks!
-    private final ConcurrentMap<ObjSyncStubKey, DhfsObjectSyncGrpcGrpc.DhfsObjectSyncGrpcBlockingStub> _objSyncCache = new ConcurrentHashMap<>();
-    private final ConcurrentMap<PeerSyncStubKey, DhfsObjectPeerSyncGrpcGrpc.DhfsObjectPeerSyncGrpcBlockingStub> _peerSyncCache = new ConcurrentHashMap<>();
+    private ConcurrentMap<ObjSyncStubKey, DhfsObjectSyncGrpcGrpc.DhfsObjectSyncGrpcBlockingStub> _objSyncCache = new ConcurrentHashMap<>();
+    private ConcurrentMap<PeerSyncStubKey, DhfsObjectPeerSyncGrpcGrpc.DhfsObjectPeerSyncGrpcBlockingStub> _peerSyncCache = new ConcurrentHashMap<>();


    @FunctionalInterface
@@ -121,4 +121,11 @@ public class RpcClientFactory {
        });
        return fn.apply(stub.withDeadlineAfter(timeout, TimeUnit.SECONDS));
    }
+
+    public void dropCache() {
+        rpcChannelFactory.dropCache();
+        _objSyncCache = new ConcurrentHashMap<>();
+        _peerSyncCache = new ConcurrentHashMap<>();
+    }
+
 }
--- a/server/src/main/java/com/usatiuk/dhfs/objects/repository/peertrust/PeerRolesAugmentor.java
+++ b/server/src/main/java/com/usatiuk/dhfs/objects/repository/peertrust/PeerRolesAugmentor.java
@@ -1,6 +1,7 @@
 package com.usatiuk.dhfs.objects.repository.peertrust;

 import com.usatiuk.dhfs.objects.repository.PersistentRemoteHostsService;
+import io.quarkus.logging.Log;
 import io.quarkus.security.credential.CertificateCredential;
 import io.quarkus.security.identity.AuthenticationRequestContext;
 import io.quarkus.security.identity.SecurityIdentity;
@@ -34,12 +35,15 @@ public class PeerRolesAugmentor implements SecurityIdentityAugmentor {
            try {
                var entry = persistentRemoteHostsService.getHost(UUID.fromString(uuid));

-                if (!entry.getCertificate().equals(identity.getCredential(CertificateCredential.class).getCertificate()))
+                if (!entry.getCertificate().equals(identity.getCredential(CertificateCredential.class).getCertificate())) {
+                    Log.error("Certificate mismatch for " + uuid);
                    return () -> identity;
+                }

                builder.addRole("cluster-member");
                return builder::build;
            } catch (Exception e) {
+                Log.error("Error when checking certificate for " + uuid, e);
                return () -> identity;
            }
        }