Added Spring Boot Starter gRPC SSL reloading

Author: Hakky54

README.MD

@@ -27,6 +27,7 @@ A repository containing different java tutorials
 - Instant Server SSL Reloading
   - [Spring Boot and Jetty](instant-server-ssl-reloading)
   - [Spring Boot and Tomcat](instant-ssl-reloading-with-spring-tomcat)
+  - [Spring Boot gRPC](instant-ssl-reloading-with-spring-grpc)
   - [Vert.x](instant-server-ssl-reloading-with-vertx/vertx-server)
   - [Netty](instant-server-ssl-reloading-with-netty/netty-server)
   - [gRPC](grpc-client-server-with-ssl/instant-server-ssl-reloading-with-grpc)

instant-ssl-reloading-with-spring-grpc/README.md

@@ -0,0 +1,49 @@
+# Instant SSL Reloading 🔐
+A server configured with ssl has a key material and trust material. These materials are generated from a keypair and certificate which always have an expiration date.
+In a traditional server configuration a reboot of the server is required to apply the latest key material and trust material changes when the keystore and truststore are changed.
+A downtime is therefore unavoidable. This project demonstrates with a basic setup how update the server certificate from an external source without the need of restarting your server. In this way you can achieve zero downtime.
+
+The repository contains:
+- Server, based on Spring Boot with Netty as a server engine for gRPC
+
+### SSL Updating entrypoint for the server:
+The server has two ways to update the existing ssl material:
+- File based aka file change listener, see here for the implementation: [FilesBasedSslUpdateService](src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java)
+- Databased based, aka database change listener. This option is hosted in a separate module within this repository, see here: [Instant SSL Reloading With Database](https://github.com/Hakky54/java-tutorials/tree/main/instant-ssl-reloading-with-spring-jetty-database)
+
+#### Requirements
+- Java 21
+- Terminal
+
+#### Start the server
+```
+mvn spring-boot:run
+```
+Visit the server with the following url on your browser: https://localhost:8443
+Open the certificate details in your browser by clicking on the lock logo (on Chrome). You will see a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading/images/before-reloading.png?raw=true)
+
+Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
+
+#### Refresh the server certificates with the file listener
+The file based ssl update service will listen to changes on a specific file on the file system. Adjust the path to your identity and truststore within [FilesBasedSslUpdateService](server/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java).
+```java
+private static final Path identityPath = Path.of("/path/to/your/identity.jks");
+private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
+```
+Also change the passwords if it is different.
+```java
+private static final char[] identityPassword = "secret".toCharArray();
+private static final char[] trustStorePassword = "secret".toCharArray();
+```
+Adjust the content of the identity and truststore and after 10 seonds the cron job will be triggered to validate if the content has been changed, and it will update the ssl configuration if there are any changes on it.
+
+Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down.
+You should have a similar certificate detail as shown below:
+
+![alt text](https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading/images/after-reloading.png?raw=true)
+
+#### Testing with a client
+
+Run the App from the client module [here](https://github.com/Hakky54/java-tutorials/blob/main/grpc-client-server-with-ssl/grpc-client/src/main/java/nl/altindag/grpc/client/App.java)

instant-ssl-reloading-with-spring-grpc/pom.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>io.github.hakky54</groupId>
+        <artifactId>java-tutorials</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>instant-ssl-reloading-with-spring-grpc</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>sslcontext-kickstart-for-netty</artifactId>
+            <version>${version.sslcontext-kickstart}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.grpc</groupId>
+            <artifactId>grpc-services</artifactId>
+            <version>${version.grpc}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.grpc</groupId>
+            <artifactId>spring-grpc-spring-boot-starter</artifactId>
+            <version>${version.spring-grpc-spring-boot-starter}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>common-proto</artifactId>
+            <version>1.0.0-SNAPSHOT</version>
+        </dependency>
+    </dependencies>
+
+</project>

instant-ssl-reloading-with-spring-grpc/src/main/java/nl/altindag/server/App.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.scheduling.annotation.EnableScheduling;
+
+@EnableScheduling
+@SpringBootApplication
+public class App {
+
+    public static void main(String[] args) {
+        SpringApplication.run(App.class, args);
+    }
+
+}

instant-ssl-reloading-with-spring-grpc/src/main/java/nl/altindag/server/config/SSLConfig.java

@@ -0,0 +1,116 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.config;
+
+import nl.altindag.ssl.SSLFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.ssl.NoSuchSslBundleException;
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslBundleKey;
+import org.springframework.boot.ssl.SslBundles;
+import org.springframework.boot.ssl.SslManagerBundle;
+import org.springframework.boot.ssl.SslOptions;
+import org.springframework.boot.ssl.SslStoreBundle;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+import java.util.Collections;
+import java.util.List;
+import java.util.function.BiConsumer;
+import java.util.function.Consumer;
+
+@Configuration
+public class SSLConfig {
+
+    @Bean
+    public SSLFactory sslFactory(@Value("${ssl.keystore-path}") String keyStorePath,
+                                 @Value("${ssl.keystore-password}") char[] keyStorePassword,
+                                 @Value("${ssl.truststore-path}") String trustStorePath,
+                                 @Value("${ssl.truststore-password}") char[] trustStorePassword,
+                                 @Value("${ssl.client-auth}") boolean isClientAuthenticationRequired) {
+
+        return SSLFactory.builder()
+                .withSwappableIdentityMaterial()
+                .withSwappableTrustMaterial()
+                .withIdentityMaterial(keyStorePath, keyStorePassword)
+                .withTrustMaterial(trustStorePath, trustStorePassword)
+                .withNeedClientAuthentication(isClientAuthenticationRequired)
+                .build();
+    }
+
+    @Bean
+    public SslBundles sslBundles(SSLFactory sslFactory) {
+        return new SslBundles() {
+            @Override
+            public SslBundle getBundle(String name) throws NoSuchSslBundleException {
+                return new SslBundle() {
+                    @Override
+                    public SslStoreBundle getStores() {
+                        return null;
+                    }
+
+                    @Override
+                    public SslBundleKey getKey() {
+                        return null;
+                    }
+
+                    @Override
+                    public SslOptions getOptions() {
+                        return null;
+                    }
+
+                    @Override
+                    public String getProtocol() {
+                        return "";
+                    }
+
+                    @Override
+                    public SslManagerBundle getManagers() {
+                        return new SslManagerBundle() {
+                            @Override
+                            public KeyManagerFactory getKeyManagerFactory() {
+                                return sslFactory.getKeyManagerFactory().get();
+                            }
+
+                            @Override
+                            public TrustManagerFactory getTrustManagerFactory() {
+                                return sslFactory.getTrustManagerFactory().get();
+                            }
+                        };
+                    }
+                };
+            }
+
+            @Override
+            public void addBundleUpdateHandler(String name, Consumer<SslBundle> updateHandler) throws NoSuchSslBundleException {
+
+            }
+
+            @Override
+            public void addBundleRegisterHandler(BiConsumer<String, SslBundle> registerHandler) {
+
+            }
+
+            @Override
+            public List<String> getBundleNames() {
+                return Collections.emptyList();
+            }
+        };
+    }
+
+}

instant-ssl-reloading-with-spring-grpc/src/main/java/nl/altindag/server/service/FileBasedSslUpdateService.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.service;
+
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.util.SSLFactoryUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.scheduling.annotation.Scheduled;
+import org.springframework.stereotype.Service;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+
+@Service
+public class FileBasedSslUpdateService {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(FileBasedSslUpdateService.class);
+
+    private static final Path identityPath = Path.of("/path/to/your/identity.jks");
+    private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
+    private static final char[] identityPassword = "secret".toCharArray();
+    private static final char[] trustStorePassword = "secret".toCharArray();
+
+    private ZonedDateTime lastModifiedTimeIdentityStore = ZonedDateTime.ofInstant(Instant.EPOCH, ZoneOffset.UTC);
+    private ZonedDateTime lastModifiedTimeTrustStore = ZonedDateTime.ofInstant(Instant.EPOCH, ZoneOffset.UTC);
+
+    private final SSLFactory baseSslFactory;
+
+    public FileBasedSslUpdateService(SSLFactory baseSslFactory) {
+        this.baseSslFactory = baseSslFactory;
+    }
+
+    /**
+     * Checks every 10 seconds if the keystore files have been updated.
+     * If the files have been updated the service will read the content and update the ssl material
+     * within the existing ssl configuration.
+     */
+    @Scheduled(cron = "*/10 * * * * *")
+    private void updateSslMaterial() throws IOException {
+        if (Files.exists(identityPath) && Files.exists(trustStorePath)) {
+            BasicFileAttributes identityAttributes = Files.readAttributes(identityPath, BasicFileAttributes.class);
+            BasicFileAttributes trustStoreAttributes = Files.readAttributes(trustStorePath, BasicFileAttributes.class);
+
+            boolean identityUpdated = lastModifiedTimeIdentityStore.isBefore(ZonedDateTime.ofInstant(identityAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC));
+            boolean trustStoreUpdated = lastModifiedTimeTrustStore.isBefore(ZonedDateTime.ofInstant(trustStoreAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC));
+
+            if (identityUpdated && trustStoreUpdated) {
+                LOGGER.info("Keystore files have been changed. Trying to read the file content and preparing to update the ssl material");
+
+                SSLFactory updatedSslFactory = SSLFactory.builder()
+                        .withIdentityMaterial(identityPath, identityPassword)
+                        .withTrustMaterial(trustStorePath, trustStorePassword)
+                        .build();
+
+                SSLFactoryUtils.reload(baseSslFactory, updatedSslFactory);
+
+                lastModifiedTimeIdentityStore = ZonedDateTime.ofInstant(identityAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC);
+                lastModifiedTimeTrustStore = ZonedDateTime.ofInstant(trustStoreAttributes.lastModifiedTime().toInstant(), ZoneOffset.UTC);
+
+                LOGGER.info("Updating ssl material finished");
+            }
+        }
+    }
+
+}

instant-ssl-reloading-with-spring-grpc/src/main/java/nl/altindag/server/service/GrpcServerService.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2022 Thunderberry.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nl.altindag.server.service;
+
+import io.grpc.stub.StreamObserver;
+import nl.altindag.grpc.HelloRequest;
+import nl.altindag.grpc.HelloResponse;
+import nl.altindag.grpc.HelloServiceGrpc;
+import org.springframework.stereotype.Service;
+
+@Service
+public class GrpcServerService extends HelloServiceGrpc.HelloServiceImplBase {
+
+    @Override
+    public void hello(HelloRequest request, StreamObserver<HelloResponse> responseObserver) {
+        HelloResponse response = HelloResponse.newBuilder()
+                .setMessage(String.format("Hello %s, nice to meet you!", request.getName()))
+                .build();
+
+        responseObserver.onNext(response);
+        responseObserver.onCompleted();
+    }
+
+}

instant-ssl-reloading-with-spring-grpc/src/main/resources/application.yml

@@ -0,0 +1,15 @@
+ssl:
+  client-auth: true
+  keystore-path: identity.jks
+  keystore-password: secret
+  truststore-path: truststore.jks
+  truststore-password: secret
+
+spring:
+  grpc:
+    server:
+      port: 8443
+      ssl:
+        enabled: true
+        client-auth: require
+        secure: true