refactor(proxy): 重构 TLS证书管理功能

- 新增 FileCertChangeSource 类，用于监听证书文件变化
- 添加 GrpcServer 和 MultiProtocolRemotingServer 的 TLS 证书重载处理
- 修改 ProxyAndTlsProtocolNegotiator 类，支持从输入流加载 SSL 上下文
- 删除冗余测试类，优化测试用例

Signed-off-by: Async <raisinata@foxmail.com>

Author: EnableAsync

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServer.java

@@ -78,7 +78,7 @@ class GrpcTlsReloadHandler implements TlsCertificateManager.TlsContextReloadList
         @Override
         public void onTlsContextReload(InputStream certInputStream, InputStream keyInputStream) {
             try {
-                ProxyAndTlsProtocolNegotiator.loadSslContext(null, null);
+                ProxyAndTlsProtocolNegotiator.loadSslContext(certInputStream, keyInputStream);
                 log.info("SSLContext reloaded for grpc server");
             } catch (CertificateException | IOException e) {
                 log.error("Failed to reload SSLContext for server", e);

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/ProxyAndTlsProtocolNegotiator.java

@@ -103,7 +103,8 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
     public void close() {
     }
 
-    public static void loadSslContext(InputStream certInputStream, InputStream keyInputStream) throws CertificateException, IOException {
+    public static void loadSslContext(InputStream certInputStream,
+        InputStream keyInputStream) throws CertificateException, IOException {
         ProxyConfig proxyConfig = ConfigurationManager.getProxyConfig();
         SslProvider provider;
         if (OpenSsl.isAvailable()) {
@@ -165,8 +166,8 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) {
                 }
                 if (ha.state() == ProtocolDetectionState.DETECTED) {
                     ctx.pipeline().addAfter(ctx.name(), HA_PROXY_DECODER, new HAProxyMessageDecoder())
-                        .addAfter(HA_PROXY_DECODER, HA_PROXY_HANDLER, new HAProxyMessageHandler())
-                        .addAfter(HA_PROXY_HANDLER, TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
+                            .addAfter(HA_PROXY_DECODER, HA_PROXY_HANDLER, new HAProxyMessageHandler())
+                            .addAfter(HA_PROXY_HANDLER, TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
                 } else {
                     ctx.pipeline().addAfter(ctx.name(), TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
                 }
@@ -232,7 +233,7 @@ private void handleWithMessage(HAProxyMessage msg) {
                     msg.tlvs().forEach(tlv -> handleHAProxyTLV(tlv, builder));
                 }
                 pne = InternalProtocolNegotiationEvent
-                    .withAttributes(InternalProtocolNegotiationEvent.getDefault(), builder.build());
+                        .withAttributes(InternalProtocolNegotiationEvent.getDefault(), builder.build());
             } finally {
                 msg.release();
             }

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolRemotingServer.java

@@ -20,6 +20,7 @@
 import io.netty.channel.ChannelPipeline;
 import io.netty.channel.socket.SocketChannel;
 import io.netty.handler.timeout.IdleStateHandler;
+import java.io.InputStream;
 import org.apache.rocketmq.common.constant.LoggerName;
 import org.apache.rocketmq.logging.org.slf4j.Logger;
 import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
@@ -61,14 +62,14 @@ public MultiProtocolRemotingServer(NettyServerConfig nettyServerConfig, ChannelE
     }
 
     @Override
-    public void loadSslContext() {
+    public void loadSslContext(InputStream certInputStream, InputStream keyInputStream) {
         TlsMode tlsMode = TlsSystemConfig.tlsMode;
         log.info("Server is running in TLS {} mode", tlsMode.getName());
 
         if (tlsMode != TlsMode.DISABLED) {
             try {
                 sslContext = MultiProtocolTlsHelper.buildSslContext();
-                log.info("SSLContext created for remoting server");
+                log.info("SSLContext created for multi protocol remoting server");
             } catch (CertificateException | IOException e) {
                 throw new ProxyException(ProxyExceptionCode.INTERNAL_SERVER_ERROR, "Failed to create SSLContext for server", e);
             }

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.java

@@ -29,6 +29,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.cert.CertificateException;
@@ -51,6 +52,10 @@ public class MultiProtocolTlsHelper extends TlsHelper {
     private static final DecryptionStrategy DECRYPTION_STRATEGY = (privateKeyEncryptPath, forClient) -> new FileInputStream(privateKeyEncryptPath);
 
     public static SslContext buildSslContext() throws IOException, CertificateException {
+        return buildSslContext(null, null);
+    }
+    public static SslContext buildSslContext(InputStream certInputStream,
+        InputStream keyInputStream) throws IOException, CertificateException {
         TlsHelper.buildSslContext(false);
         SslProvider provider;
         if (OpenSsl.isAvailable()) {
@@ -61,19 +66,28 @@ public static SslContext buildSslContext() throws IOException, CertificateExcept
             log.info("Using JDK SSL provider");
         }
 
-        SslContextBuilder sslContextBuilder = null;
+        SslContextBuilder sslContextBuilder;
         if (tlsTestModeEnable) {
             SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
             sslContextBuilder = SslContextBuilder
                 .forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
-                .sslProvider(SslProvider.OPENSSL)
+                .sslProvider(provider)
                 .clientAuth(ClientAuth.OPTIONAL);
         } else {
-            sslContextBuilder = SslContextBuilder.forServer(
-                !StringUtils.isBlank(tlsServerCertPath) ? Files.newInputStream(Paths.get(tlsServerCertPath)) : null,
-                !StringUtils.isBlank(tlsServerKeyPath) ? DECRYPTION_STRATEGY.decryptPrivateKey(tlsServerKeyPath, false) : null,
-                !StringUtils.isBlank(tlsServerKeyPassword) ? tlsServerKeyPassword : null)
-                .sslProvider(provider);
+
+            boolean fromStream = certInputStream != null && keyInputStream != null;
+            // Give priority to reading from input stream
+            if (fromStream) {
+                sslContextBuilder = SslContextBuilder.forServer(
+                        certInputStream, keyInputStream)
+                    .sslProvider(provider);
+            } else {
+                sslContextBuilder = SslContextBuilder.forServer(
+                        !StringUtils.isBlank(tlsServerCertPath) ? Files.newInputStream(Paths.get(tlsServerCertPath)) : null,
+                        !StringUtils.isBlank(tlsServerKeyPath) ? DECRYPTION_STRATEGY.decryptPrivateKey(tlsServerKeyPath, false) : null,
+                        !StringUtils.isBlank(tlsServerKeyPassword) ? tlsServerKeyPassword : null)
+                    .sslProvider(provider);
+            }
 
             if (!tlsServerAuthClient) {
                 sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/RemotingProtocolServer.java

@@ -203,7 +203,7 @@ protected class RemotingTlsReloadHandler implements TlsCertificateManager.TlsCon
         @Override
         public void onTlsContextReload(InputStream certInputStream, InputStream keyInputStream) {
             if (defaultRemotingServer instanceof NettyRemotingServer) {
-                ((NettyRemotingServer) defaultRemotingServer).loadSslContext();
+                ((NettyRemotingServer) defaultRemotingServer).loadSslContext(certInputStream, keyInputStream);
                 log.info("SSLContext reloaded for remoting server");
             }
         }

proxy/src/main/java/org/apache/rocketmq/proxy/service/cert/FileCertChangeSource.java

@@ -30,6 +30,10 @@ public class FileCertChangeSource implements CertChangeSource {
     private ChangeListener listener;
 
     public FileCertChangeSource(String certPath, String keyPath) {
+        this(certPath, keyPath, 10 * 60 * 1000);
+    }
+
+    public FileCertChangeSource(String certPath, String keyPath, int watchInterval) {
         try {
             this.watchService = new FileWatchService(
                 new String[] {certPath, keyPath},
@@ -38,15 +42,15 @@ public FileCertChangeSource(String certPath, String keyPath) {
                         return;
                     }
                     CertChangeEvent.Kind kind;
-                    if (path.equals(ConfigurationManager.getProxyConfig().getTlsCertPath())) {
+                    if (path.equals(certPath)) {
                         kind = CertChangeEvent.Kind.SERVER_CERT;
                     } else {
                         kind = CertChangeEvent.Kind.SERVER_KEY;
                     }
 
                     listener.onCertChanged(new CertChangeEvent(kind, CertChangeEvent.SourceType.FILE,
                         Collections.singletonList(path)));
-                }, 10 * 60 * 1000);
+                }, watchInterval);
         } catch (Exception e) {
             throw new RuntimeException(e);
         }