feat(proxy): 添加证书变更监听功能

- 新增 CertChangeEvent、CertChangeSource 和 FileCertChangeSource 类
- 实现证书文件变更监听和事件处理机制
- 修改 GrpcServer 以支持证书变更热重载
- 更新相关测试用例

Signed-off-by: Async <raisinata@foxmail.com>

Author: EnableAsync

proxy/src/main/java/org/apache/rocketmq/proxy/ProxyStartup.java

@@ -44,6 +44,7 @@
 import org.apache.rocketmq.proxy.processor.DefaultMessagingProcessor;
 import org.apache.rocketmq.proxy.processor.MessagingProcessor;
 import org.apache.rocketmq.proxy.remoting.RemotingProtocolServer;
+import org.apache.rocketmq.proxy.service.cert.FileCertChangeSource;
 import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 import org.apache.rocketmq.remoting.protocol.RemotingCommand;
 import org.apache.rocketmq.srvutil.ServerUtil;
@@ -77,8 +78,15 @@ public static void main(String[] args) {
 
             MessagingProcessor messagingProcessor = createMessagingProcessor();
 
+            FileCertChangeSource fileCertChangeSource = new FileCertChangeSource(
+                ConfigurationManager.getProxyConfig().getTlsCertPath(),
+                ConfigurationManager.getProxyConfig().getTlsKeyPath());
+            TlsCertificateManager tlsCertificateManager = new TlsCertificateManager(fileCertChangeSource);
+            PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(tlsCertificateManager);
+
             // create grpcServer
-            GrpcServer grpcServer = GrpcServerBuilder.newBuilder(executor, ConfigurationManager.getProxyConfig().getGrpcServerPort())
+            GrpcServer grpcServer = GrpcServerBuilder.newBuilder(executor,
+                    ConfigurationManager.getProxyConfig().getGrpcServerPort(), tlsCertificateManager)
                 .addService(createServiceProcessor(messagingProcessor))
                 .addService(ChannelzService.newInstance(100))
                 .addService(ProtoReflectionService.newInstance())
@@ -87,11 +95,9 @@ public static void main(String[] args) {
                 .build();
             PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(grpcServer);
 
-            RemotingProtocolServer remotingServer = new RemotingProtocolServer(messagingProcessor);
+            RemotingProtocolServer remotingServer = new RemotingProtocolServer(messagingProcessor, tlsCertificateManager);
             PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(remotingServer);
 
-            initTlsCertificateManager();
-
             // start servers one by one.
             PROXY_START_AND_SHUTDOWN.start();
 
@@ -125,11 +131,6 @@ protected static void initConfiguration(CommandLineArgument commandLineArgument)
 
     }
 
-    protected static void initTlsCertificateManager() {
-        TlsCertificateManager tlsCertManager = TlsCertificateManager.getInstance();
-        PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(tlsCertManager);
-    }
-
     protected static CommandLineArgument parseCommandLineArgument(String[] args) {
         CommandLine commandLine = ServerUtil.parseCmdLine("mqproxy", args,
             buildCommandlineOptions(), new DefaultParser());

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServer.java

@@ -26,6 +26,7 @@
 import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.cert.CertificateException;
 import java.util.concurrent.TimeUnit;
 
@@ -38,28 +39,30 @@ public class GrpcServer implements StartAndShutdown {
 
     private final TimeUnit unit;
 
+    private final TlsCertificateManager tlsCertificateManager;
+
+    @VisibleForTesting
     final GrpcTlsReloadHandler tlsReloadHandler;
 
-    protected GrpcServer(Server server, long timeout, TimeUnit unit) throws Exception {
+    protected GrpcServer(Server server, long timeout, TimeUnit unit, TlsCertificateManager tlsCertificateManager) throws Exception {
         this.server = server;
         this.timeout = timeout;
         this.unit = unit;
-
+        this.tlsCertificateManager = tlsCertificateManager;
         this.tlsReloadHandler = new GrpcTlsReloadHandler();
-
-        // Register the TLS context reload handler
-        TlsCertificateManager.getInstance().registerReloadListener(this.tlsReloadHandler);
     }
 
     public void start() throws Exception {
+        // Register the TLS context reload handler
+        tlsCertificateManager.registerReloadListener(this.tlsReloadHandler);
         this.server.start();
         log.info("grpc server start successfully.");
     }
 
     public void shutdown() {
         try {
             // Unregister the TLS context reload handler
-            TlsCertificateManager.getInstance().unregisterReloadListener(this.tlsReloadHandler);
+            tlsCertificateManager.unregisterReloadListener(this.tlsReloadHandler);
 
             this.server.shutdown().awaitTermination(timeout, unit);
 
@@ -72,9 +75,9 @@ public void shutdown() {
     @VisibleForTesting
     class GrpcTlsReloadHandler implements TlsCertificateManager.TlsContextReloadListener {
         @Override
-        public void onTlsContextReload() {
+        public void onTlsContextReload(InputStream certInputStream, InputStream keyInputStream) {
             try {
-                ProxyAndTlsProtocolNegotiator.loadSslContext();
+                ProxyAndTlsProtocolNegotiator.loadSslContext(null, null);
                 log.info("SSLContext reloaded for grpc server");
             } catch (CertificateException | IOException e) {
                 log.error("Failed to reload SSLContext for server", e);

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServerBuilder.java

@@ -31,6 +31,7 @@
 import org.apache.rocketmq.proxy.grpc.interceptor.ContextInterceptor;
 import org.apache.rocketmq.proxy.grpc.interceptor.GlobalExceptionInterceptor;
 import org.apache.rocketmq.proxy.grpc.interceptor.HeaderInterceptor;
+import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
@@ -43,11 +44,15 @@ public class GrpcServerBuilder {
 
     protected TimeUnit unit = TimeUnit.SECONDS;
 
-    public static GrpcServerBuilder newBuilder(ThreadPoolExecutor executor, int port) {
-        return new GrpcServerBuilder(executor, port);
+    protected TlsCertificateManager tlsCertificateManager;
+
+    public static GrpcServerBuilder newBuilder(ThreadPoolExecutor executor, int port, TlsCertificateManager tlsCertificateManager) {
+        return new GrpcServerBuilder(executor, port, tlsCertificateManager);
     }
 
-    protected GrpcServerBuilder(ThreadPoolExecutor executor, int port) {
+    protected GrpcServerBuilder(ThreadPoolExecutor executor, int port, TlsCertificateManager tlsCertificateManager) {
+        this.tlsCertificateManager = tlsCertificateManager;
+
         serverBuilder = NettyServerBuilder.forPort(port);
 
         serverBuilder.protocolNegotiator(new ProxyAndTlsProtocolNegotiator());
@@ -99,7 +104,7 @@ public GrpcServerBuilder appendInterceptor(ServerInterceptor interceptor) {
     }
 
     public GrpcServer build() throws Exception {
-        return new GrpcServer(this.serverBuilder.build(), time, unit);
+        return new GrpcServer(this.serverBuilder.build(), time, unit, tlsCertificateManager);
     }
 
     public GrpcServerBuilder configInterceptor() {

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/ProxyAndTlsProtocolNegotiator.java

@@ -81,8 +81,8 @@ public class ProxyAndTlsProtocolNegotiator implements InternalProtocolNegotiator
 
     public ProxyAndTlsProtocolNegotiator() {
         try {
-            loadSslContext();
-            log.info("SSLContext created for proxy server");
+            loadSslContext(null, null);
+            log.info("SSLContext created for proxy grpc server");
         } catch (IOException | CertificateException e) {
             log.error("SslContext init error", e);
             throw new RuntimeException(e);
@@ -103,7 +103,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
     public void close() {
     }
 
-    public static void loadSslContext() throws CertificateException, IOException {
+    public static void loadSslContext(InputStream certInputStream, InputStream keyInputStream) throws CertificateException, IOException {
         ProxyConfig proxyConfig = ConfigurationManager.getProxyConfig();
         SslProvider provider;
         if (OpenSsl.isAvailable()) {
@@ -116,22 +116,31 @@ public static void loadSslContext() throws CertificateException, IOException {
         if (proxyConfig.isTlsTestModeEnable()) {
             SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
             sslContext = GrpcSslContexts.forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
-                    .sslProvider(provider)
+                .sslProvider(provider)
+                .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                .clientAuth(ClientAuth.NONE)
+                .build();
+        } else {
+            boolean fromStream = certInputStream != null && keyInputStream != null;
+
+            if (fromStream) {
+                sslContext = GrpcSslContexts.forServer(certInputStream, keyInputStream)
                     .trustManager(InsecureTrustManagerFactory.INSTANCE)
                     .clientAuth(ClientAuth.NONE)
                     .build();
-        } else {
-            String tlsCertPath = ConfigurationManager.getProxyConfig().getTlsCertPath();
-            String tlsKeyPath = ConfigurationManager.getProxyConfig().getTlsKeyPath();
-            try (InputStream serverKeyInputStream = Files.newInputStream(
+            } else {
+                String tlsCertPath = ConfigurationManager.getProxyConfig().getTlsCertPath();
+                String tlsKeyPath = ConfigurationManager.getProxyConfig().getTlsKeyPath();
+                try (InputStream serverKeyInputStream = Files.newInputStream(
                     Paths.get(tlsKeyPath));
-                 InputStream serverCertificateStream = Files.newInputStream(
+                     InputStream serverCertificateStream = Files.newInputStream(
                          Paths.get(tlsCertPath))) {
-                sslContext = GrpcSslContexts.forServer(serverCertificateStream,
-                                serverKeyInputStream)
+                    sslContext = GrpcSslContexts.forServer(serverCertificateStream,
+                            serverKeyInputStream)
                         .trustManager(InsecureTrustManagerFactory.INSTANCE)
                         .clientAuth(ClientAuth.NONE)
                         .build();
+                }
             }
         }
     }
@@ -150,14 +159,14 @@ public ProxyAndTlsProtocolHandler(GrpcHttp2ConnectionHandler grpcHandler) {
         protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) {
             try {
                 ProtocolDetectionResult<HAProxyProtocolVersion> ha = HAProxyMessageDecoder.detectProtocol(
-                        in);
+                    in);
                 if (ha.state() == ProtocolDetectionState.NEEDS_MORE_DATA) {
                     return;
                 }
                 if (ha.state() == ProtocolDetectionState.DETECTED) {
                     ctx.pipeline().addAfter(ctx.name(), HA_PROXY_DECODER, new HAProxyMessageDecoder())
-                            .addAfter(HA_PROXY_DECODER, HA_PROXY_HANDLER, new HAProxyMessageHandler())
-                            .addAfter(HA_PROXY_HANDLER, TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
+                        .addAfter(HA_PROXY_DECODER, HA_PROXY_HANDLER, new HAProxyMessageHandler())
+                        .addAfter(HA_PROXY_HANDLER, TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
                 } else {
                     ctx.pipeline().addAfter(ctx.name(), TLS_MODE_HANDLER, new TlsModeHandler(grpcHandler));
                 }
@@ -223,7 +232,7 @@ private void handleWithMessage(HAProxyMessage msg) {
                     msg.tlvs().forEach(tlv -> handleHAProxyTLV(tlv, builder));
                 }
                 pne = InternalProtocolNegotiationEvent
-                        .withAttributes(InternalProtocolNegotiationEvent.getDefault(), builder.build());
+                    .withAttributes(InternalProtocolNegotiationEvent.getDefault(), builder.build());
             } finally {
                 msg.release();
             }
@@ -245,7 +254,7 @@ protected void handleHAProxyTLV(HAProxyTLV tlv, Attributes.Builder builder) {
             return;
         }
         Attributes.Key<String> key = AttributeKeys.valueOf(
-                HAProxyConstants.PROXY_PROTOCOL_TLV_PREFIX + String.format("%02x", tlv.typeByteValue()));
+            HAProxyConstants.PROXY_PROTOCOL_TLV_PREFIX + String.format("%02x", tlv.typeByteValue()));
         builder.set(key, new String(valueBytes, CharsetUtil.UTF_8));
     }
 
@@ -258,9 +267,9 @@ private class TlsModeHandler extends ByteToMessageDecoder {
 
         public TlsModeHandler(GrpcHttp2ConnectionHandler grpcHandler) {
             this.ssl = InternalProtocolNegotiators.serverTls(sslContext)
-                    .newHandler(grpcHandler);
+                .newHandler(grpcHandler);
             this.plaintext = InternalProtocolNegotiators.serverPlaintext()
-                    .newHandler(grpcHandler);
+                .newHandler(grpcHandler);
         }
 
         @Override

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/RemotingProtocolServer.java

@@ -59,6 +59,7 @@
 import org.apache.rocketmq.remoting.protocol.RequestCode;
 import org.apache.rocketmq.remoting.protocol.ResponseCode;
 
+import java.io.InputStream;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ScheduledExecutorService;
@@ -89,10 +90,10 @@ public class RemotingProtocolServer implements StartAndShutdown, RemotingProxyOu
     protected final ThreadPoolExecutor topicRouteExecutor;
     protected final ThreadPoolExecutor defaultExecutor;
     protected final ScheduledExecutorService timerExecutor;
+    protected final TlsCertificateManager tlsCertificateManager;
     protected final RemotingTlsReloadHandler tlsReloadHandler;
 
-
-    public RemotingProtocolServer(MessagingProcessor messagingProcessor) throws Exception {
+    public RemotingProtocolServer(MessagingProcessor messagingProcessor, TlsCertificateManager tlsCertificateManager) throws Exception {
         this.messagingProcessor = messagingProcessor;
         this.remotingChannelManager = new RemotingChannelManager(this, messagingProcessor.getProxyRelayService());
 
@@ -191,15 +192,16 @@ public RemotingProtocolServer(MessagingProcessor messagingProcessor) throws Exce
         );
         this.timerExecutor.scheduleAtFixedRate(this::cleanExpireRequest, 10, 10, TimeUnit.SECONDS);
 
+        this.tlsCertificateManager = tlsCertificateManager;
         this.tlsReloadHandler = new RemotingTlsReloadHandler();
-        TlsCertificateManager.getInstance().registerReloadListener(this.tlsReloadHandler);
+        tlsCertificateManager.registerReloadListener(this.tlsReloadHandler);
 
         this.registerRemotingServer(this.defaultRemotingServer);
     }
 
     protected class RemotingTlsReloadHandler implements TlsCertificateManager.TlsContextReloadListener {
         @Override
-        public void onTlsContextReload() {
+        public void onTlsContextReload(InputStream certInputStream, InputStream keyInputStream) {
             if (defaultRemotingServer instanceof NettyRemotingServer) {
                 ((NettyRemotingServer) defaultRemotingServer).loadSslContext();
                 log.info("SSLContext reloaded for remoting server");
@@ -243,7 +245,7 @@ protected void registerRemotingServer(RemotingServer remotingServer) {
     @Override
     public void shutdown() throws Exception {
         // Unregister the TLS context reload handler
-        TlsCertificateManager.getInstance().unregisterReloadListener(this.tlsReloadHandler);
+        tlsCertificateManager.unregisterReloadListener(this.tlsReloadHandler);
 
         this.defaultRemotingServer.shutdown();
         this.remotingChannelManager.shutdown();

proxy/src/main/java/org/apache/rocketmq/proxy/service/cert/CertChangeEvent.java

@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rocketmq.proxy.service.cert;
+
+import java.util.List;
+
+public class CertChangeEvent {
+
+    public enum Kind {
+        SERVER_CERT,
+        SERVER_KEY,
+        TRUST_CERT
+    }
+
+    public enum SourceType {
+        FILE,
+        INLINE
+    }
+
+    private final Kind kind;
+
+    private final SourceType sourceType;
+
+    private final List<String> values;
+
+    public CertChangeEvent(Kind kind, SourceType type, List<String> values) {
+        this.kind = kind;
+        this.sourceType = type;
+        this.values = values;
+    }
+
+    public Kind getKind() {
+        return kind;
+    }
+
+    public SourceType getSourceType() {
+        return sourceType;
+    }
+
+    public List<String> getValues() {
+        return values;
+    }
+
+    @Override public String toString() {
+        return "CertChangeEvent{" +
+            "kind=" + kind +
+            ", sourceType=" + sourceType +
+            ", values=" + values +
+            '}';
+    }
+}

proxy/src/main/java/org/apache/rocketmq/proxy/service/cert/CertChangeSource.java

@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rocketmq.proxy.service.cert;
+
+import org.apache.rocketmq.common.utils.StartAndShutdown;
+
+public interface CertChangeSource extends StartAndShutdown {
+
+    void setListener(ChangeListener listener);
+
+    interface ChangeListener {
+        void onCertChanged(CertChangeEvent event);
+    }
+}