refactor(proxy): 重构 TLS证书管理

- 移除 CertChangeSource 接口和相关实现
- 使用 FileWatchService 监控证书和密钥文件变化- 简化 TlsCertificateManager 类结构和逻辑
- 更新相关测试用例

Signed-off-by: Async <raisinata@foxmail.com>

Author: EnableAsync

proxy/src/main/java/org/apache/rocketmq/proxy/ProxyStartup.java

@@ -44,8 +44,6 @@
 import org.apache.rocketmq.proxy.processor.DefaultMessagingProcessor;
 import org.apache.rocketmq.proxy.processor.MessagingProcessor;
 import org.apache.rocketmq.proxy.remoting.RemotingProtocolServer;
-import org.apache.rocketmq.proxy.service.cert.CertChangeSource;
-import org.apache.rocketmq.proxy.service.cert.FileCertChangeSource;
 import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 import org.apache.rocketmq.remoting.protocol.RemotingCommand;
 import org.apache.rocketmq.srvutil.ServerUtil;
@@ -79,10 +77,8 @@ public static void main(String[] args) {
 
             MessagingProcessor messagingProcessor = createMessagingProcessor();
 
-            CertChangeSource fileCertChangeSource = new FileCertChangeSource(
-                ConfigurationManager.getProxyConfig().getTlsCertPath(),
-                ConfigurationManager.getProxyConfig().getTlsKeyPath());
-            TlsCertificateManager tlsCertificateManager = new TlsCertificateManager(fileCertChangeSource);
+            // tls cert update
+            TlsCertificateManager tlsCertificateManager = new TlsCertificateManager();
             PROXY_START_AND_SHUTDOWN.appendStartAndShutdown(tlsCertificateManager);
 
             // create grpcServer

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServer.java

@@ -26,7 +26,6 @@
 import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.security.cert.CertificateException;
 import java.util.concurrent.TimeUnit;
 
@@ -55,6 +54,7 @@ protected GrpcServer(Server server, long timeout, TimeUnit unit, TlsCertificateM
     public void start() throws Exception {
         // Register the TLS context reload handler
         tlsCertificateManager.registerReloadListener(this.tlsReloadHandler);
+
         this.server.start();
         log.info("grpc server start successfully.");
     }
@@ -76,9 +76,9 @@ public void shutdown() {
     @VisibleForTesting
     class GrpcTlsReloadHandler implements TlsCertificateManager.TlsContextReloadListener {
         @Override
-        public void onTlsContextReload(InputStream certInputStream, InputStream keyInputStream) {
+        public void onTlsContextReload() {
             try {
-                ProxyAndTlsProtocolNegotiator.loadSslContext(certInputStream, keyInputStream);
+                ProxyAndTlsProtocolNegotiator.loadSslContext();
                 log.info("SSLContext reloaded for grpc server");
             } catch (CertificateException | IOException e) {
                 log.error("Failed to reload SSLContext for server", e);

proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServerBuilder.java

@@ -31,10 +31,10 @@
 import org.apache.rocketmq.proxy.grpc.interceptor.ContextInterceptor;
 import org.apache.rocketmq.proxy.grpc.interceptor.GlobalExceptionInterceptor;
 import org.apache.rocketmq.proxy.grpc.interceptor.HeaderInterceptor;
-import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
+import org.apache.rocketmq.proxy.service.cert.TlsCertificateManager;
 
 public class GrpcServerBuilder {
     private static final Logger log = LoggerFactory.getLogger(LoggerName.PROXY_LOGGER_NAME);
@@ -52,7 +52,6 @@ public static GrpcServerBuilder newBuilder(ThreadPoolExecutor executor, int port
 
     protected GrpcServerBuilder(ThreadPoolExecutor executor, int port, TlsCertificateManager tlsCertificateManager) {
         this.tlsCertificateManager = tlsCertificateManager;
-
         serverBuilder = NettyServerBuilder.forPort(port);
 
         serverBuilder.protocolNegotiator(new ProxyAndTlsProtocolNegotiator());

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/RemotingProtocolServer.java

@@ -59,7 +59,6 @@
 import org.apache.rocketmq.remoting.protocol.RequestCode;
 import org.apache.rocketmq.remoting.protocol.ResponseCode;
 
-import java.io.InputStream;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ScheduledExecutorService;
@@ -93,6 +92,7 @@ public class RemotingProtocolServer implements StartAndShutdown, RemotingProxyOu
     protected final TlsCertificateManager tlsCertificateManager;
     protected final RemotingTlsReloadHandler tlsReloadHandler;
 
+
     public RemotingProtocolServer(MessagingProcessor messagingProcessor, TlsCertificateManager tlsCertificateManager) throws Exception {
         this.messagingProcessor = messagingProcessor;
         this.remotingChannelManager = new RemotingChannelManager(this, messagingProcessor.getProxyRelayService());
@@ -118,6 +118,8 @@ public RemotingProtocolServer(MessagingProcessor messagingProcessor, TlsCertific
         System.setProperty(TlsSystemConfig.TLS_SERVER_CERTPATH, config.getTlsCertPath());
         TlsSystemConfig.tlsServerKeyPath = config.getTlsKeyPath();
         System.setProperty(TlsSystemConfig.TLS_SERVER_KEYPATH, config.getTlsKeyPath());
+        this.tlsCertificateManager = tlsCertificateManager;
+        this.tlsReloadHandler = new RemotingTlsReloadHandler();
 
         this.clientHousekeepingService = new ClientHousekeepingService(this.clientManagerActivity);
 
@@ -192,18 +194,14 @@ public RemotingProtocolServer(MessagingProcessor messagingProcessor, TlsCertific
         );
         this.timerExecutor.scheduleAtFixedRate(this::cleanExpireRequest, 10, 10, TimeUnit.SECONDS);
 
-        this.tlsCertificateManager = tlsCertificateManager;
-        this.tlsReloadHandler = new RemotingTlsReloadHandler();
-        tlsCertificateManager.registerReloadListener(this.tlsReloadHandler);
-
         this.registerRemotingServer(this.defaultRemotingServer);
     }
 
     protected class RemotingTlsReloadHandler implements TlsCertificateManager.TlsContextReloadListener {
         @Override
-        public void onTlsContextReload(InputStream certInputStream, InputStream keyInputStream) {
+        public void onTlsContextReload() {
             if (defaultRemotingServer instanceof NettyRemotingServer) {
-                ((NettyRemotingServer) defaultRemotingServer).loadSslContext(certInputStream, keyInputStream);
+                ((NettyRemotingServer) defaultRemotingServer).loadSslContext();
                 log.info("SSLContext reloaded for remoting server");
             }
         }
@@ -259,6 +257,9 @@ public void shutdown() throws Exception {
 
     @Override
     public void start() throws Exception {
+        // Register the TLS context reload handler
+        tlsCertificateManager.registerReloadListener(this.tlsReloadHandler);
+
         this.remotingChannelManager.start();
         this.defaultRemotingServer.start();
     }

proxy/src/main/java/org/apache/rocketmq/proxy/service/cert/TlsCertificateManager.java

@@ -15,30 +15,40 @@
  * limitations under the License.
  */
 package org.apache.rocketmq.proxy.service.cert;
-
-import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.commons.io.IOUtils;
 import org.apache.rocketmq.common.constant.LoggerName;
 import org.apache.rocketmq.common.utils.StartAndShutdown;
 import org.apache.rocketmq.logging.org.slf4j.Logger;
 import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
 import org.apache.rocketmq.proxy.config.ConfigurationManager;
+import org.apache.rocketmq.remoting.netty.TlsSystemConfig;
+import org.apache.rocketmq.srvutil.FileWatchService;
+import java.util.ArrayList;
+import java.util.List;
 
-public class TlsCertificateManager implements StartAndShutdown, CertChangeSource.ChangeListener {
+public class TlsCertificateManager implements StartAndShutdown {
     private static final Logger log = LoggerFactory.getLogger(LoggerName.PROXY_LOGGER_NAME);
 
-    private final CertChangeSource certChangeSource;
+    private final FileWatchService fileWatchService;
     private final List<TlsContextReloadListener> reloadListeners = new ArrayList<>();
 
-    private boolean certChanged = false;
-    private boolean keyChanged = false;
+    public TlsCertificateManager() {
+        try {
+            this.fileWatchService = new FileWatchService(
+                new String[] {
+                    ConfigurationManager.getProxyConfig().getTlsCertPath(),
+                    ConfigurationManager.getProxyConfig().getTlsKeyPath()
+                },
+                new CertKeyFileWatchListener(),
+                60 * 60 * 1000 /* 1 hour */
+            );
+        } catch (Exception e) {
+            log.error("Failed to initialize TLS certificate watch service", e);
+            throw new RuntimeException("Failed to initialize TLS certificate manager", e);
+        }
+    }
 
-    public TlsCertificateManager(CertChangeSource source) {
-        this.certChangeSource = source;
-        source.setListener(this);
+    public FileWatchService getFileWatchService() {
+        return this.fileWatchService;
     }
 
     public void registerReloadListener(TlsContextReloadListener listener) {
@@ -53,58 +63,59 @@ public void unregisterReloadListener(TlsContextReloadListener listener) {
         }
     }
 
+    public List<TlsContextReloadListener> getReloadListeners() {
+        return this.reloadListeners;
+    }
+
     @Override
     public void start() throws Exception {
-        certChangeSource.start();
-        log.info("TLS certificate manager started successfully");
+        this.fileWatchService.start();
+        log.info("TLS certificate manager started successfully, start watching: {} {}",
+            ConfigurationManager.getProxyConfig().getTlsCertPath(),
+            ConfigurationManager.getProxyConfig().getTlsKeyPath()
+        );
     }
 
     @Override
     public void shutdown() throws Exception {
-        certChangeSource.shutdown();
+        this.fileWatchService.shutdown();
         log.info("TLS certificate manager shutdown successfully");
     }
 
-    @Override
-    public void onCertChanged(List<CertChangeEvent> events) {
-        log.info("cert changed: {}", events);
-        if (events.size() == 1 && events.get(0).getSourceType() == CertChangeEvent.SourceType.FILE) {
-            CertChangeEvent event = events.get(0);
-            if (event.getValue() == null) {
-                log.warn("cert path is empty, ignore");
-                return;
-            }
-            String path = event.getValue();
-            if (path.equals(ConfigurationManager.getProxyConfig().getTlsCertPath())) {
+    private class CertKeyFileWatchListener implements FileWatchService.Listener {
+        private boolean certChanged = false;
+        private boolean keyChanged = false;
+
+        @Override
+        public void onChanged(String path) {
+            log.info("File changed: {}", path);
+            if (path.equals(TlsSystemConfig.tlsServerCertPath)) {
                 certChanged = true;
-            } else if (path.equals(ConfigurationManager.getProxyConfig().getTlsKeyPath())) {
+            } else if (path.equals(TlsSystemConfig.tlsServerKeyPath)) {
                 keyChanged = true;
             }
 
             if (certChanged && keyChanged) {
-                log.info("The certificate and private key changed, reload the SSLContext from file");
-                for (TlsContextReloadListener listener : reloadListeners) {
-                    listener.onTlsContextReload(null, null);
-                }
+                log.info("The certificate and private key changed, reload the ssl context");
+                notifyContextReload();
                 certChanged = false;
                 keyChanged = false;
             }
-        } else if (events.size() == 2 && events.get(0).getSourceType() == CertChangeEvent.SourceType.INLINE) {
-            if (events.get(0).getValue() == null || events.get(1).getValue() == null) {
-                log.warn("cert or key value is empty, ignore");
-                return;
-            }
+        }
+
+        private void notifyContextReload() {
             for (TlsContextReloadListener listener : reloadListeners) {
-                listener.onTlsContextReload(
-                    IOUtils.toInputStream(events.get(0).getValue(), StandardCharsets.UTF_8),
-                    IOUtils.toInputStream(events.get(1).getValue(), StandardCharsets.UTF_8)
-                );
+                try {
+                    listener.onTlsContextReload();
+                } catch (Exception e) {
+                    log.error("Failed to notify TLS context reload to listener: " + listener, e);
+                }
             }
         }
     }
 
     // Interface for listeners interested in TLS context reload events
     public interface TlsContextReloadListener {
-        void onTlsContextReload(InputStream certInputStream, InputStream keyInputStream);
+        void onTlsContextReload();
     }
 }