From be1d1c10a930fa0e91fc4bcd01963035011e2466 Mon Sep 17 00:00:00 2001 From: erm-g <110920239+erm-g@users.noreply.github.com> Date: Wed, 8 Nov 2023 19:10:14 +0000 Subject: [PATCH] security/advancedtls: FileWatcher CRL provider initialization enhancement (#6760) * Add initial scan as a part of FWCP creation * Add comment about default value for RefreshDuration * Promote Close() to the interface level * Revert "Promote Close() to the interface level" This reverts commit 465ebacc5ccbf673f6e4476ae3e757f20c3d7058. --- security/advancedtls/crl_provider.go | 9 +++++---- security/advancedtls/crl_provider_test.go | 6 ++---- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/security/advancedtls/crl_provider.go b/security/advancedtls/crl_provider.go index 590906169f35..6777be0c5554 100644 --- a/security/advancedtls/crl_provider.go +++ b/security/advancedtls/crl_provider.go @@ -91,7 +91,7 @@ func (p *StaticCRLProvider) CRL(cert *x509.Certificate) (*CRL, error) { // FileWatcherCRLProvider. type FileWatcherOptions struct { CRLDirectory string // Path of the directory containing CRL files - RefreshDuration time.Duration // Time interval between CRLDirectory scans, can't be smaller than 1 minute + RefreshDuration time.Duration // Time interval (default value is 1 hour) between CRLDirectory scans, can't be smaller than 1 minute CRLReloadingFailedCallback func(err error) // Custom callback executed when a CRL file can’t be processed } @@ -109,8 +109,9 @@ type FileWatcherCRLProvider struct { // NewFileWatcherCRLProvider returns a new instance of the // FileWatcherCRLProvider. It uses FileWatcherOptions to validate and apply -// configuration required for creating a new instance. Users should call Close -// to stop the background refresh of CRLDirectory. +// configuration required for creating a new instance. The initial scan of +// CRLDirectory is performed inside this function. Users should call Close to +// stop the background refresh of CRLDirectory. func NewFileWatcherCRLProvider(o FileWatcherOptions) (*FileWatcherCRLProvider, error) { if err := o.validate(); err != nil { return nil, err @@ -121,6 +122,7 @@ func NewFileWatcherCRLProvider(o FileWatcherOptions) (*FileWatcherCRLProvider, e stop: make(chan struct{}), done: make(chan struct{}), } + provider.scanCRLDirectory() go provider.run() return provider, nil } @@ -149,7 +151,6 @@ func (p *FileWatcherCRLProvider) run() { defer close(p.done) ticker := time.NewTicker(p.opts.RefreshDuration) defer ticker.Stop() - p.scanCRLDirectory() for { select { diff --git a/security/advancedtls/crl_provider_test.go b/security/advancedtls/crl_provider_test.go index 5245f58895ab..bd200475373e 100644 --- a/security/advancedtls/crl_provider_test.go +++ b/security/advancedtls/crl_provider_test.go @@ -45,6 +45,7 @@ func (s) TestStaticCRLProvider(t *testing.T) { rawCRLs = append(rawCRLs, rawCRL) } p := NewStaticCRLProvider(rawCRLs) + // Each test data entry contains a description of a certificate chain, // certificate chain itself, and if CRL is not expected to be found. tests := []struct { @@ -154,10 +155,6 @@ func (s) TestFileWatcherCRLProvider(t *testing.T) { t.Fatal("Unexpected error while creating FileWatcherCRLProvider:", err) } - // We need to make sure that initial CRLDirectory scan is completed before - // querying the internal map. - p.Close() - // Each test data entry contains a description of a certificate chain, // certificate chain itself, and if CRL is not expected to be found. tests := []struct { @@ -197,6 +194,7 @@ func (s) TestFileWatcherCRLProvider(t *testing.T) { } }) } + p.Close() if diff := cmp.Diff(len(nonCRLFilesSet), nonCRLFilesUnderCRLDirectory); diff != "" { t.Errorf("Unexpected number Number of callback executions\ndiff (-got +want):\n%s", diff) }