ARTEMIS-5116 Fix web binding SSL auto reload from symbolic links

apache · Nov 25, 2024 · 6747f56 · 6747f56
1 parent ea3486a
commit 6747f56
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 12 deletions.
diff --git a/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java b/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
@@ -28,6 +28,7 @@
 import java.lang.invoke.MethodHandles;
 import java.net.URI;
 import java.nio.file.Files;
+import java.nio.file.LinkOption;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.ArrayList;
@@ -105,6 +106,7 @@ public class WebServerComponent implements ExternalComponent, WebServerComponent
    private Scanner scanner;
    private ScheduledExecutorScheduler scannerScheduler;
    private Map<String, List<Runnable>> scannerTasks = new HashMap<>();
+   private LinkOption[] scannerLinkOptions = new LinkOption[]{LinkOption.NOFOLLOW_LINKS};
 
    @Override
    public void configure(ComponentDTO config, String artemisInstance, String artemisHome) throws Exception {
@@ -358,7 +360,7 @@ private Scanner getScanner() {
       }
 
       if (scanner == null) {
-         scanner = new Scanner(scannerScheduler);
+         scanner = new Scanner(scannerScheduler, false);
          scanner.setScanInterval(scanPeriod);
          scanner.setReportDirs(false);
          scanner.setReportExistingFilesOnStartup(false);
@@ -377,9 +379,9 @@ private Scanner getScanner() {
       return scanner;
    }
 
-   private void addScannerTask(File file, Runnable task) {
+   private void addScannerTask(File file, Runnable task) throws IOException {
       File parentFile = getParentStoreFile(file);
-      String storeFilename = file.toPath().toString();
+      String storeFilename = file.toPath().toRealPath(scannerLinkOptions).toString();
       List<Runnable> tasks = scannerTasks.get(storeFilename);
       if (tasks == null) {
          tasks = new ArrayList<>();
@@ -389,7 +391,7 @@ private void addScannerTask(File file, Runnable task) {
       getScanner().addDirectory(parentFile.toPath());
    }
 
-   private void addStoreResourceScannerTask(String storeFilename, String storeType, SslContextFactory.Server sslFactory) {
+   private void addStoreResourceScannerTask(String storeFilename, String storeType, SslContextFactory.Server sslFactory) throws IOException {
       if (storeFilename != null) {
          File storeFile = getStoreFile(storeFilename);
          addScannerTask(storeFile, () -> {

diff --git a/artemis-web/src/test/java/org/apache/activemq/cli/test/WebServerComponentTest.java b/artemis-web/src/test/java/org/apache/activemq/cli/test/WebServerComponentTest.java
@@ -431,14 +431,36 @@ private void testSimpleSecureServerWithSniRequired(Boolean enabled) throws Excep
 
    @Test
    public void testSSLAutoReload() throws Exception {
-      File keyStoreFile = new File(tempFolder, "server-keystore.p12");
+      testSSLAutoReload(false);
+   }
+   @Test
+   public void testSSLAutoReloadWithSymbolicLinks() throws Exception {
+      testSSLAutoReload(true);
+   }
+
+   public void testSSLAutoReload(boolean useSymbolicLinks) throws Exception {
+      File serverFolder = new File(tempFolder, "server");
+      File keyStoreFile = new File(serverFolder, "server-keystore.p12");
+
+      assertTrue(serverFolder.mkdir());
 
       Files.copy(WebServerComponentTest.class.getClassLoader().getResourceAsStream("server-keystore.p12"),
          keyStoreFile.toPath(), StandardCopyOption.REPLACE_EXISTING);
 
+      File storeFolder = new File(tempFolder, "store");
+      assertTrue(storeFolder.mkdir());
+
+      String keyStorePath;
+      if (useSymbolicLinks) {
+         keyStorePath = Files.createSymbolicLink(storeFolder.toPath().resolve(
+             "store-keystore.p12"), keyStoreFile.toPath()).toString();
+      } else {
+         keyStorePath = keyStoreFile.getAbsolutePath();
+      }
+
       BindingDTO bindingDTO = new BindingDTO();
       bindingDTO.setSslAutoReload(true);
-      bindingDTO.setKeyStorePath(keyStoreFile.getAbsolutePath());
+      bindingDTO.setKeyStorePath(keyStorePath);
       bindingDTO.setKeyStorePassword(KEY_STORE_PASSWORD);
       WebServerComponent webServerComponent = startSimpleSecureServer(bindingDTO);
 
@@ -476,24 +498,59 @@ public void testSSLAutoReload() throws Exception {
 
    @Test
    public void testSSLAutoReloadPemConfigSources() throws Exception {
-      File serverKeyFile = new File(tempFolder, "server-key.pem");
-      File serverCertFile = new File(tempFolder, "server-cert.pem");
-      File serverPemConfigFile = new File(tempFolder, "server-pem-config.properties");
+      testSSLAutoReloadPemConfigSources(false);
+   }
+
+   @Test
+   public void testSSLAutoReloadPemConfigSourcesWithSymbolicLinks() throws Exception {
+      testSSLAutoReloadPemConfigSources(true);
+   }
+
+   private void testSSLAutoReloadPemConfigSources(boolean useSymbolicLinks) throws Exception {
+      File serverFolder = new File(tempFolder, "server");
+      File serverKeyFile = new File(serverFolder, "server-key.pem");
+      File serverCertFile = new File(serverFolder, "server-cert.pem");
+      File serverPemConfigFile = new File(serverFolder, "server-pem-config.properties");
+
+      assertTrue(serverFolder.mkdir());
 
       Files.copy(WebServerComponentTest.class.getClassLoader().getResourceAsStream("server-key.pem"),
          serverKeyFile.toPath(), StandardCopyOption.REPLACE_EXISTING);
 
       Files.copy(WebServerComponentTest.class.getClassLoader().getResourceAsStream("server-cert.pem"),
          serverCertFile.toPath(), StandardCopyOption.REPLACE_EXISTING);
 
+      File storeFolder = new File(tempFolder, "store");
+      assertTrue(storeFolder.mkdir());
+
+      String sourceKey;
+      String sourceCert;
+      if (useSymbolicLinks) {
+         sourceKey = Files.createSymbolicLink(storeFolder.toPath().resolve(
+             "store-key.pem"), serverKeyFile.toPath()).toString();
+         sourceCert = Files.createSymbolicLink(storeFolder.toPath().resolve(
+             "store-cert.pem"), serverCertFile.toPath()).toString();
+      } else {
+         sourceKey = serverKeyFile.getAbsolutePath();
+         sourceCert = serverCertFile.getAbsolutePath();
+      }
+
       Files.write(serverPemConfigFile.toPath(), Arrays.asList(new String[]{
-         "source.key=" + serverKeyFile.getAbsolutePath(),
-         "source.cert=" + serverCertFile.getAbsolutePath()
+         "source.key=" + sourceKey,
+         "source.cert=" + sourceCert
       }));
 
+      String keyStorePath;
+      if (useSymbolicLinks) {
+         keyStorePath = Files.createSymbolicLink(storeFolder.toPath().resolve(
+             "store-pem-config.properties"), serverPemConfigFile.toPath()).toString();
+      } else {
+         keyStorePath = serverPemConfigFile.getAbsolutePath();
+      }
+
       BindingDTO bindingDTO = new BindingDTO();
       bindingDTO.setSslAutoReload(true);
-      bindingDTO.setKeyStorePath(serverPemConfigFile.getAbsolutePath());
+      bindingDTO.setKeyStorePath(keyStorePath);
       bindingDTO.setKeyStoreType(PemConfigUtil.PEMCFG_STORE_TYPE);
 
       WebServerComponent webServerComponent = startSimpleSecureServer(bindingDTO);