Support tls certificates reload and crls #66
Merged
+1,075
−227
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kezhuw
force-pushed
the
tls-certs-reload
branch
2 times, most recently
from
2bc7594 to
a7a17be
Compare
|
@behos Would you mind take a look ? Does it solve your concerns ? I included a file-based certs in test. zookeeper-client-rust/src/tls/client.rs Lines 352 to 452 in a7a17be |
behos
approved these changes
Jul 8, 2025
src/tls/client.rs
Outdated
Comment on lines
352
to
531
| struct FileBasedDynamicCerts { | ||
| ca: Ca, | ||
| dir: TempDir, | ||
| certs: TlsDynamicCerts, | ||
| feedback: UnboundedReceiver<()>, | ||
| _task: TaskHandle<()>, | ||
| } | ||
|
|
||
| struct EventSender { | ||
| sender: UnboundedSender<Event>, | ||
| } | ||
|
|
||
| impl notify::EventHandler for EventSender { | ||
| fn handle_event(&mut self, event: Result<Event, notify::Error>) { | ||
| if let Ok(event) = event { | ||
| self.sender.unbounded_send(event).unwrap(); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| impl FileBasedDynamicCerts { | ||
| pub fn new(ca: Ca, client_name: &str) -> Self { | ||
| let dir = TempDir::new().unwrap(); | ||
| Self::generate_cert(&ca, dir.path(), client_name); | ||
| let (certs, feedback, _task) = Self::load_dynamic_certs(dir.path()); | ||
| Self { ca, dir, certs, feedback, _task } | ||
| } | ||
|
|
||
| fn load_dynamic_certs(dir: &Path) -> (TlsDynamicCerts, UnboundedReceiver<()>, TaskHandle<()>) { | ||
| let cert_path = dir.join("cert.pem").to_path_buf(); | ||
| let key_path = dir.join("cert.key.pem").to_path_buf(); | ||
|
|
||
| let mut cert_modified = std::fs::metadata(&cert_path).unwrap().modified().unwrap(); | ||
| let mut key_modified = std::fs::metadata(&key_path).unwrap().modified().unwrap(); | ||
| let client_cert = std::fs::read_to_string(&cert_path).unwrap(); | ||
| let client_key = std::fs::read_to_string(&key_path).unwrap(); | ||
|
|
||
| let dynamic_certs = | ||
| TlsDynamicCerts::new(TlsCerts::default().with_pem_identity(&client_cert, &client_key).unwrap()); | ||
| let dynamic_certs_updator = dynamic_certs.clone(); | ||
|
|
||
| let (feedback_sender, feedback_receiver) = mpsc::unbounded(); | ||
| let task = asyncs::spawn(async move { | ||
| let (tx, mut rx) = mpsc::unbounded(); | ||
| let mut watcher = notify::recommended_watcher(EventSender { sender: tx }).unwrap(); | ||
| watcher.watch(&cert_path, RecursiveMode::NonRecursive).unwrap(); | ||
| watcher.watch(&key_path, RecursiveMode::NonRecursive).unwrap(); | ||
| while rx.next().await.is_some() { | ||
| let updated_cert_modified = std::fs::metadata(&cert_path).unwrap().modified().unwrap(); | ||
| let updated_key_modified = std::fs::metadata(&key_path).unwrap().modified().unwrap(); | ||
| if updated_cert_modified <= cert_modified || updated_key_modified <= key_modified { | ||
| continue; | ||
| } | ||
| cert_modified = updated_cert_modified; | ||
| key_modified = updated_key_modified; | ||
| let client_cert = std::fs::read_to_string(&cert_path).unwrap(); | ||
| let client_key = std::fs::read_to_string(&key_path).unwrap(); | ||
| dynamic_certs_updator | ||
| .update(TlsCerts::default().with_pem_identity(&client_cert, &client_key).unwrap()); | ||
| feedback_sender.unbounded_send(()).unwrap(); | ||
| } | ||
| }) | ||
| .attach(); | ||
| (dynamic_certs, feedback_receiver, task) | ||
| } | ||
|
|
||
| fn generate_cert(ca: &Ca, dir: &Path, name: &str) { | ||
| let client_cert = generate_client_cert(name, &ca.issuer); | ||
| let file = AtomicWriteFile::open(dir.join("cert.pem")).unwrap(); | ||
| write!(&file, "{}", client_cert.cert.pem()).unwrap(); | ||
| file.commit().unwrap(); | ||
|
|
||
| let file = AtomicWriteFile::open(dir.join("cert.key.pem")).unwrap(); | ||
| write!(&file, "{}", client_cert.signing_key.serialize_pem()).unwrap(); | ||
| file.commit().unwrap(); | ||
| } | ||
|
|
||
| pub async fn regenerate_cert(&mut self, client_name: &str) { | ||
| Self::generate_cert(&self.ca, self.dir.path(), client_name); | ||
| self.feedback.next().await; | ||
| } | ||
| } |
There was a problem hiding this comment.
Do you think it's worth having a FileBased implementation into the main package so that it's easily reusable?
There was a problem hiding this comment.
I think such an official file based implementation may have biased on the change detection. And, worse, it will propgate this to applications. I think we should avoid such a thing in library.
There was a problem hiding this comment.
That sounds good to me! The example looks clean enough to use as a basis for an implementation anyway. Thanks
behos
reviewed
Jul 9, 2025
src/tls/options.rs
Outdated
Comment on lines
98
to
174
| /// Cell to keep up to date [TlsCerts]. | ||
| #[derive(Clone, Debug)] | ||
| pub struct TlsDynamicCerts { | ||
| certs: Arc<RwLock<(u64, Arc<TlsCerts>)>>, | ||
| } |
There was a problem hiding this comment.
I'm trying to use this from the branch and it seems it's not visible.
There was a problem hiding this comment.
My fault! I have referenced it in integration test.
There was a problem hiding this comment.
Thanks, I was able to create and test a simple file-based reloader that can be plugged into the new structs. It works great
kezhuw
force-pushed
the
tls-certs-reload
branch
8 times, most recently
from
e3adbc4 to
c70064a
Compare
This allows creating a client with dynamic tls certificates. When created this way, on reconnection the client will use latest tls certificates. This allows us to reload refreshed certificates stored somewhere in client side. This commit also adds support for crls in cert verifier to reject revoked server certs. Resolves #59.
kezhuw
changed the title
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #66 +/- ##
==========================================
+ Coverage 85.53% 85.83% +0.30%
==========================================
Files 37 39 +2
Lines 5323 5782 +459
==========================================
+ Hits 4553 4963 +410
- Misses 770 819 +49 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This allows creating a client with dynamic tls certificates. When created this way, on reconnection the client will use latest tls certificates.
This allows us to reload refreshed certificates stored somewhere in client side.
This commit also adds support for crls in cert verifier to reject revoked server certs.
Resolves #59.