security/advancedtls: FileWatcher CRL provider initialization enhance…

…ment (#6760) * Add initial scan as a part of FWCP creation * Add comment about default value for RefreshDuration * Promote Close() to the interface level * Revert "Promote Close() to the interface level" This reverts commit 465ebac.
grpc · Nov 8, 2023 · be1d1c1 · be1d1c1
1 parent 482de22
commit be1d1c1
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 8 deletions.
diff --git a/security/advancedtls/crl_provider.go b/security/advancedtls/crl_provider.go
@@ -91,7 +91,7 @@ func (p *StaticCRLProvider) CRL(cert *x509.Certificate) (*CRL, error) {
 // FileWatcherCRLProvider.
 type FileWatcherOptions struct {
 	CRLDirectory               string          // Path of the directory containing CRL files
-	RefreshDuration            time.Duration   // Time interval between CRLDirectory scans, can't be smaller than 1 minute
+	RefreshDuration            time.Duration   // Time interval (default value is 1 hour) between CRLDirectory scans, can't be smaller than 1 minute
 	CRLReloadingFailedCallback func(err error) // Custom callback executed when a CRL file can’t be processed
 }
 
@@ -109,8 +109,9 @@ type FileWatcherCRLProvider struct {
 
 // NewFileWatcherCRLProvider returns a new instance of the
 // FileWatcherCRLProvider. It uses FileWatcherOptions to validate and apply
-// configuration required for creating a new instance. Users should call Close
-// to stop the background refresh of CRLDirectory.
+// configuration required for creating a new instance. The initial scan of
+// CRLDirectory is performed inside this function. Users should call Close to
+// stop the background refresh of CRLDirectory.
 func NewFileWatcherCRLProvider(o FileWatcherOptions) (*FileWatcherCRLProvider, error) {
 	if err := o.validate(); err != nil {
 		return nil, err
@@ -121,6 +122,7 @@ func NewFileWatcherCRLProvider(o FileWatcherOptions) (*FileWatcherCRLProvider, e
 		stop: make(chan struct{}),
 		done: make(chan struct{}),
 	}
+	provider.scanCRLDirectory()
 	go provider.run()
 	return provider, nil
 }
@@ -149,7 +151,6 @@ func (p *FileWatcherCRLProvider) run() {
 	defer close(p.done)
 	ticker := time.NewTicker(p.opts.RefreshDuration)
 	defer ticker.Stop()
-	p.scanCRLDirectory()
 
 	for {
 		select {

diff --git a/security/advancedtls/crl_provider_test.go b/security/advancedtls/crl_provider_test.go
@@ -45,6 +45,7 @@ func (s) TestStaticCRLProvider(t *testing.T) {
 		rawCRLs = append(rawCRLs, rawCRL)
 	}
 	p := NewStaticCRLProvider(rawCRLs)
+
 	// Each test data entry contains a description of a certificate chain,
 	// certificate chain itself, and if CRL is not expected to be found.
 	tests := []struct {
@@ -154,10 +155,6 @@ func (s) TestFileWatcherCRLProvider(t *testing.T) {
 		t.Fatal("Unexpected error while creating FileWatcherCRLProvider:", err)
 	}
 
-	// We need to make sure that initial CRLDirectory scan is completed before
-	// querying the internal map.
-	p.Close()
-
 	// Each test data entry contains a description of a certificate chain,
 	// certificate chain itself, and if CRL is not expected to be found.
 	tests := []struct {
@@ -197,6 +194,7 @@ func (s) TestFileWatcherCRLProvider(t *testing.T) {
 			}
 		})
 	}
+	p.Close()
 	if diff := cmp.Diff(len(nonCRLFilesSet), nonCRLFilesUnderCRLDirectory); diff != "" {
 		t.Errorf("Unexpected number Number of callback executions\ndiff (-got +want):\n%s", diff)
 	}