pulsar-broker/src/main/java/org/apache/pulsar/broker/service/PulsarChannelInitializer.java - pulsar - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.pulsar.broker.service;

 import static org.apache.bookkeeper.util.SafeRunnable.safeRun;
 import com.github.benmanes.caffeine.cache.Cache;
 import com.github.benmanes.caffeine.cache.Caffeine;
 import io.netty.channel.ChannelInitializer;
 import io.netty.channel.socket.SocketChannel;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
 import io.netty.handler.flow.FlowControlHandler;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
 import java.net.SocketAddress;
 import java.util.concurrent.TimeUnit;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.pulsar.broker.PulsarService;
 import org.apache.pulsar.broker.ServiceConfiguration;
 import org.apache.pulsar.common.protocol.ByteBufPair;
 import org.apache.pulsar.common.protocol.Commands;
 import org.apache.pulsar.common.protocol.OptionalProxyProtocolDecoder;
 import org.apache.pulsar.common.util.NettyServerSslContextBuilder;
 import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;
 import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder;

 @Slf4j
 public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel> {

     public static final String TLS_HANDLER = "tls";

     private final PulsarService pulsar;
     private final boolean enableTls;
     private final boolean tlsEnabledWithKeyStore;
     private SslContextAutoRefreshBuilder<SslContext> sslCtxRefresher;
     private final ServiceConfiguration brokerConf;
     private NettySSLContextAutoRefreshBuilder nettySSLContextAutoRefreshBuilder;

     // This cache is used to maintain a list of active connections to iterate over them
     // We keep weak references to have the cache to be auto cleaned up when the connections
     // objects are GCed.
     private final Cache<SocketAddress, ServerCnx> connections = Caffeine.newBuilder()
             .weakKeys()
             .weakValues()
             .build();

     /**
      * @param pulsar
      *              An instance of {@link PulsarService}
      * @param enableTLS
      *              Enable tls or not
      */
     public PulsarChannelInitializer(PulsarService pulsar, boolean enableTLS) throws Exception {
         super();
         this.pulsar = pulsar;
         this.enableTls = enableTLS;
         ServiceConfiguration serviceConfig = pulsar.getConfiguration();
         this.tlsEnabledWithKeyStore = serviceConfig.isTlsEnabledWithKeyStore();
         if (this.enableTls) {
             if (tlsEnabledWithKeyStore) {
                 nettySSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
                         serviceConfig.getTlsProvider(),
                         serviceConfig.getTlsKeyStoreType(),
                         serviceConfig.getTlsKeyStore(),
                         serviceConfig.getTlsKeyStorePassword(),
                         serviceConfig.isTlsAllowInsecureConnection(),
                         serviceConfig.getTlsTrustStoreType(),
                         serviceConfig.getTlsTrustStore(),
                         serviceConfig.getTlsTrustStorePassword(),
                         serviceConfig.isTlsRequireTrustedClientCertOnConnect(),
                         serviceConfig.getTlsCiphers(),
                         serviceConfig.getTlsProtocols(),
                         serviceConfig.getTlsCertRefreshCheckDurationSec());
             } else {
                 sslCtxRefresher = new NettyServerSslContextBuilder(serviceConfig.isTlsAllowInsecureConnection(),
                         serviceConfig.getTlsTrustCertsFilePath(), serviceConfig.getTlsCertificateFilePath(),
                         serviceConfig.getTlsKeyFilePath(),
                         serviceConfig.getTlsCiphers(), serviceConfig.getTlsProtocols(),
                         serviceConfig.isTlsRequireTrustedClientCertOnConnect(),
                         serviceConfig.getTlsCertRefreshCheckDurationSec());
             }
         } else {
             this.sslCtxRefresher = null;
         }
         this.brokerConf = pulsar.getConfiguration();

         pulsar.getExecutor().scheduleAtFixedRate(safeRun(this::refreshAuthenticationCredentials),
                 pulsar.getConfig().getAuthenticationRefreshCheckSeconds(),
                 pulsar.getConfig().getAuthenticationRefreshCheckSeconds(), TimeUnit.SECONDS);
     }

     @Override
     protected void initChannel(SocketChannel ch) throws Exception {
         if (this.enableTls) {
             if (this.tlsEnabledWithKeyStore) {
                 ch.pipeline().addLast(TLS_HANDLER,
                         new SslHandler(nettySSLContextAutoRefreshBuilder.get().createSSLEngine()));
             } else {
                 ch.pipeline().addLast(TLS_HANDLER, sslCtxRefresher.get().newHandler(ch.alloc()));
             }
             ch.pipeline().addLast("ByteBufPairEncoder", ByteBufPair.COPYING_ENCODER);
         } else {
             ch.pipeline().addLast("ByteBufPairEncoder", ByteBufPair.ENCODER);
         }

         if (pulsar.getConfiguration().isHaProxyProtocolEnabled()) {
             ch.pipeline().addLast(OptionalProxyProtocolDecoder.NAME, new OptionalProxyProtocolDecoder());
         }
         ch.pipeline().addLast("frameDecoder", new LengthFieldBasedFrameDecoder(
             brokerConf.getMaxMessageSize() + Commands.MESSAGE_SIZE_FRAME_PADDING, 0, 4, 0, 4));
         // https://stackoverflow.com/questions/37535482/netty-disabling-auto-read-doesnt-work-for-bytetomessagedecoder
         // Classes such as {@link ByteToMessageDecoder} or {@link MessageToByteEncoder} are free to emit as many events
         // as they like for any given input. so, disabling auto-read on `ByteToMessageDecoder` doesn't work properly and
         // ServerCnx ends up reading higher number of messages and broker can not throttle the messages by disabling
         // auto-read.
         ch.pipeline().addLast("flowController", new FlowControlHandler());
         ServerCnx cnx = new ServerCnx(pulsar);
         ch.pipeline().addLast("handler", cnx);

         connections.put(ch.remoteAddress(), cnx);
     }

     private void refreshAuthenticationCredentials() {
         connections.asMap().values().forEach(cnx -> {
             try {
                 cnx.refreshAuthenticationCredentials();
             } catch (Throwable t) {
                 log.warn("[{}] Failed to refresh auth credentials", cnx.clientAddress());
             }
         });
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.pulsar.broker.service;

	import static org.apache.bookkeeper.util.SafeRunnable.safeRun;
	import com.github.benmanes.caffeine.cache.Cache;
	import com.github.benmanes.caffeine.cache.Caffeine;
	import io.netty.channel.ChannelInitializer;
	import io.netty.channel.socket.SocketChannel;
	import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
	import io.netty.handler.flow.FlowControlHandler;
	import io.netty.handler.ssl.SslContext;
	import io.netty.handler.ssl.SslHandler;
	import java.net.SocketAddress;
	import java.util.concurrent.TimeUnit;
	import lombok.extern.slf4j.Slf4j;
	import org.apache.pulsar.broker.PulsarService;
	import org.apache.pulsar.broker.ServiceConfiguration;
	import org.apache.pulsar.common.protocol.ByteBufPair;
	import org.apache.pulsar.common.protocol.Commands;
	import org.apache.pulsar.common.protocol.OptionalProxyProtocolDecoder;
	import org.apache.pulsar.common.util.NettyServerSslContextBuilder;
	import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;
	import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder;

	@Slf4j
	public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel> {

	public static final String TLS_HANDLER = "tls";

	private final PulsarService pulsar;
	private final boolean enableTls;
	private final boolean tlsEnabledWithKeyStore;
	private SslContextAutoRefreshBuilder<SslContext> sslCtxRefresher;
	private final ServiceConfiguration brokerConf;
	private NettySSLContextAutoRefreshBuilder nettySSLContextAutoRefreshBuilder;

	// This cache is used to maintain a list of active connections to iterate over them
	// We keep weak references to have the cache to be auto cleaned up when the connections
	// objects are GCed.
	private final Cache<SocketAddress, ServerCnx> connections = Caffeine.newBuilder()
	.weakKeys()
	.weakValues()
	.build();

	/**
	* @param pulsar
	* An instance of {@link PulsarService}
	* @param enableTLS
	* Enable tls or not
	*/
	public PulsarChannelInitializer(PulsarService pulsar, boolean enableTLS) throws Exception {
	super();
	this.pulsar = pulsar;
	this.enableTls = enableTLS;
	ServiceConfiguration serviceConfig = pulsar.getConfiguration();
	this.tlsEnabledWithKeyStore = serviceConfig.isTlsEnabledWithKeyStore();
	if (this.enableTls) {
	if (tlsEnabledWithKeyStore) {
	nettySSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
	serviceConfig.getTlsProvider(),
	serviceConfig.getTlsKeyStoreType(),
	serviceConfig.getTlsKeyStore(),
	serviceConfig.getTlsKeyStorePassword(),
	serviceConfig.isTlsAllowInsecureConnection(),
	serviceConfig.getTlsTrustStoreType(),
	serviceConfig.getTlsTrustStore(),
	serviceConfig.getTlsTrustStorePassword(),
	serviceConfig.isTlsRequireTrustedClientCertOnConnect(),
	serviceConfig.getTlsCiphers(),
	serviceConfig.getTlsProtocols(),
	serviceConfig.getTlsCertRefreshCheckDurationSec());
	} else {
	sslCtxRefresher = new NettyServerSslContextBuilder(serviceConfig.isTlsAllowInsecureConnection(),
	serviceConfig.getTlsTrustCertsFilePath(), serviceConfig.getTlsCertificateFilePath(),
	serviceConfig.getTlsKeyFilePath(),
	serviceConfig.getTlsCiphers(), serviceConfig.getTlsProtocols(),
	serviceConfig.isTlsRequireTrustedClientCertOnConnect(),
	serviceConfig.getTlsCertRefreshCheckDurationSec());
	}
	} else {
	this.sslCtxRefresher = null;
	}
	this.brokerConf = pulsar.getConfiguration();

	pulsar.getExecutor().scheduleAtFixedRate(safeRun(this::refreshAuthenticationCredentials),
	pulsar.getConfig().getAuthenticationRefreshCheckSeconds(),
	pulsar.getConfig().getAuthenticationRefreshCheckSeconds(), TimeUnit.SECONDS);
	}

	@Override
	protected void initChannel(SocketChannel ch) throws Exception {
	if (this.enableTls) {
	if (this.tlsEnabledWithKeyStore) {
	ch.pipeline().addLast(TLS_HANDLER,
	new SslHandler(nettySSLContextAutoRefreshBuilder.get().createSSLEngine()));
	} else {
	ch.pipeline().addLast(TLS_HANDLER, sslCtxRefresher.get().newHandler(ch.alloc()));
	}
	ch.pipeline().addLast("ByteBufPairEncoder", ByteBufPair.COPYING_ENCODER);
	} else {
	ch.pipeline().addLast("ByteBufPairEncoder", ByteBufPair.ENCODER);
	}

	if (pulsar.getConfiguration().isHaProxyProtocolEnabled()) {
	ch.pipeline().addLast(OptionalProxyProtocolDecoder.NAME, new OptionalProxyProtocolDecoder());
	}
	ch.pipeline().addLast("frameDecoder", new LengthFieldBasedFrameDecoder(
	brokerConf.getMaxMessageSize() + Commands.MESSAGE_SIZE_FRAME_PADDING, 0, 4, 0, 4));
	// https://stackoverflow.com/questions/37535482/netty-disabling-auto-read-doesnt-work-for-bytetomessagedecoder
	// Classes such as {@link ByteToMessageDecoder} or {@link MessageToByteEncoder} are free to emit as many events
	// as they like for any given input. so, disabling auto-read on `ByteToMessageDecoder` doesn't work properly and
	// ServerCnx ends up reading higher number of messages and broker can not throttle the messages by disabling
	// auto-read.
	ch.pipeline().addLast("flowController", new FlowControlHandler());
	ServerCnx cnx = new ServerCnx(pulsar);
	ch.pipeline().addLast("handler", cnx);

	connections.put(ch.remoteAddress(), cnx);
	}

	private void refreshAuthenticationCredentials() {
	connections.asMap().values().forEach(cnx -> {
	try {
	cnx.refreshAuthenticationCredentials();
	} catch (Throwable t) {
	log.warn("[{}] Failed to refresh auth credentials", cnx.clientAddress());
	}
	});
	}
	}