From e2115fdd1d2b6c3f04990ce5f7cdeb4a8b0ecf7c Mon Sep 17 00:00:00 2001
From: Alex Stockinger
Date: Sat, 22 Aug 2020 09:25:47 +0200
Subject: [PATCH] Change interval precision of truststore/keystore refreshes from ms to sec

---
 README.md | 8 +++---
 build.gradle | 2 +-
 .../config/KeyStoreConfigHelper.java | 25 ++++++++++++++++---
 .../roundtrip/ssl/KeyStoreData.java | 8 +++---
 .../roundtrip/util/TestFilesystem.java | 17 +++++++++++++
 5 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index cd07583..e095a00 100644
--- a/README.md
+++ b/README.md
@@ -93,12 +93,12 @@ Configuration can be provided using the following environment variables:
 | ---------------------------------------------------- | ------------- | -----------
 | `KAFKAPROXY_CLIENT_SSL_ENABLED` | `false` | Enables SSL encrypted communication between clients and kafkaproxy.
 | `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_LOCATION` | | The filesystem location of the trust store to use. If no value is provided the JRE's default trust store will be used.
-| `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_REFRESH_MSECS` | 30000 | The minimum amount if time between checks for updates of the trust store in milliseconds.
+| `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_REFRESH_SECS` | 300 | The minimum amount if time between checks for updates of the trust store in seconds.
 | `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_PASSWORD` | | The password to access the trust store. Provide no value if the trust store is not password protected. Ignored when `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_PASSWORD_LOCATION` is set.
 | `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_PASSWORD_LOCATION` | | The filesystem location of the password to access the trust store. Overrides `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_PASSWORD`.
 | `KAFKAPROXY_CLIENT_SSL_TRUSTSTORE_TYPE` | `jks` | The type of the trust store.
 | `KAFKAPROXY_CLIENT_SSL_KEYSTORE_LOCATION` | | The filesystem location of the proxy's server key store. If no value is provided the JRE's default key store will be used.
-| `KAFKAPROXY_CLIENT_SSL_KEYSTORE_REFRESH_MSECS` | 30000 | The minimum amount if time between checks for updates of the proxy's server key store in milliseconds.
+| `KAFKAPROXY_CLIENT_SSL_KEYSTORE_REFRESH_SECS` | 300 | The minimum amount if time between checks for updates of the proxy's server key store in seconds.
 | `KAFKAPROXY_CLIENT_SSL_KEYSTORE_PASSWORD` | | The password to access the proxy's server key store. Provide no value if the key store is not password protected. Ignored when `KAFKAPROXY_CLIENT_SSL_KEYSTORE_PASSWORD_LOCATION` is set.
 | `KAFKAPROXY_CLIENT_SSL_KEYSTORE_PASSWORD_LOCATION` | | The filesystem location of the password to access the proxy's server key store. Overrides `KAFKAPROXY_CLIENT_SSL_KEYSTORE_PASSWORD`.
 | `KAFKAPROXY_CLIENT_SSL_KEY_PASSWORD` | | The password to access the proxy's server key. Provide no value if the key is not password protected.
@@ -113,13 +113,13 @@ Configuration can be provided using the following environment variables:
 | --------------------------------------------------- | ------------- | -----------
 | `KAFKAPROXY_KAFKA_SSL_ENABLED` | `false` | Enables SSL encrypted communication kafkaproxy and the Kafka brokers.
 | `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_LOCATION` | | The filesystem location of the trust store to use. If no value is provided the JRE's default trust store will be used.
-| `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_REFRESH_MSECS` | 30000 | The minimum amount if time between checks for updates of the trust store store in milliseconds.
+| `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_REFRESH_SECS` | 300 | The minimum amount if time between checks for updates of the trust store store in seconds.
 | `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_PASSWORD` | | The password to access the trust store. Provide no value if the trust store is not password protected. Ignored when `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_PASSWORD_LOCATION` is set.
 | `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_PASSWORD_LOCATION` | | The filesystem location of the password to access the trust store. Overrides `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_PASSWORD`.
 | `KAFKAPROXY_KAFKA_SSL_TRUSTSTORE_TYPE` | `jks` | The type of the trust store.
 | `KAFKAPROXY_KAFKA_SSL_VERIFY_HOSTNAME` | `true` | Indicates if the hostnames of the Kafka brokers are validated against the SSL certificates they provide when connecting.
 | `KAFKAPROXY_KAFKA_SSL_KEYSTORE_LOCATION` | | The filesystem location of the proxy's client key store. Required only when `KAFKAPROXY_KAFKA_SSL_CLIENT_CERT_STRATEGY` is set to `KEYSTORE`.
-| `KAFKAPROXY_KAFKA_SSL_KEYSTORE_REFRESH_MSECS` | 30000 | The minimum amount if time between checks for updates of the proxy client's key store in milliseconds.
+| `KAFKAPROXY_KAFKA_SSL_KEYSTORE_REFRESH_SECS` | 300 | The minimum amount if time between checks for updates of the proxy client's key store in seconds.
 | `KAFKAPROXY_KAFKA_SSL_KEYSTORE_PASSWORD` | | The password to access the proxy's client key store. Provide no value if the key store is not password protected. Ignored when `KAFKAPROXY_KAFKA_SSL_KEYSTORE_PASSWORD_LOCATION` is set.
 | `KAFKAPROXY_KAFKA_SSL_KEYSTORE_PASSWORD_LOCATION` | | The filesystem location of the password to access the proxy's client key store. Overrides `KAFKAPROXY_KAFKA_SSL_KEYSTORE_PASSWORD`.
 | `KAFKAPROXY_KAFKA_SSL_KEYSTORE_TYPE` | `jks` | The type of the key store.
diff --git a/build.gradle b/build.gradle
index b1b4272..a87b24d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ plugins {
 ext {
     kafkaClientVersion = "2.5.0"
-    proxyBaseVersion = "0.0.11"
+    proxyBaseVersion = "0.0.12"
     libKafkaClient = "org.apache.kafka:kafka-clients:$kafkaClientVersion"
     libProxyBase = "com.dajudge.proxybase:proxybase:$proxyBaseVersion"
     libProxyBaseTestca = "com.dajudge.proxybase:testca:$proxyBaseVersion"
diff --git a/core/src/main/java/com/dajudge/kafkaproxy/config/KeyStoreConfigHelper.java b/core/src/main/java/com/dajudge/kafkaproxy/config/KeyStoreConfigHelper.java
index c750ced..ac07002 100644
--- a/core/src/main/java/com/dajudge/kafkaproxy/config/KeyStoreConfigHelper.java
+++ b/core/src/main/java/com/dajudge/kafkaproxy/config/KeyStoreConfigHelper.java
@@ -1,3 +1,20 @@
+/*
+ * Copyright 2019-2020 The kafkaproxy developers (see CONTRIBUTORS)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
 package com.dajudge.kafkaproxy.config;
 
 import com.dajudge.proxybase.certs.KeyStoreConfig;
@@ -6,7 +23,7 @@ final class KeyStoreConfigHelper {
     private static final String SUFFIX_PASSWORD = "PASSWORD";
-    private static final String SUFFIX_REFRESH_MSECS = "REFRESH_MSECS";
+    private static final String SUFFIX_REFRESH_SECS = "REFRESH_SECS";
     private static final String SUFFIX_TYPE = "TYPE";
     private static final String SUFFIX_LOCATION = "LOCATION";
     private static final String SUFFIX_PASSWORD_LOCATION = SUFFIX_PASSWORD + "_" + SUFFIX_LOCATION;
@@ -14,7 +31,7 @@ final class KeyStoreConfigHelper {
     private static final String QUALIFIER_KEYSTORE = "KEYSTORE_";
     private static final String QUALIFIER_KEY = "KEY_";
     private static final String DEFAULT_TYPE = "jks";
-    private static final int DEFAULT_REFRESH_MSECS = 30000;
+    private static final int DEFAULT_REFRESH_SECS = 300;
 
     private KeyStoreConfigHelper() {
     }
@@ -51,7 +68,7 @@ private static Optional loadTrustStoreConfig(
                 null,
                 null,
                 environment.optionalString(truststorePrefix + SUFFIX_TYPE).orElse(DEFAULT_TYPE),
-                environment.optionalInt(truststorePrefix + SUFFIX_REFRESH_MSECS).orElse(DEFAULT_REFRESH_MSECS)
+                environment.optionalInt(truststorePrefix + SUFFIX_REFRESH_SECS).orElse(DEFAULT_REFRESH_SECS) * 1000
         ));
     }
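Review bot: Replacing SUFFIX_REFRESH_MSECS with SUFFIX_REFRESH_SECS in the @@ -6,7 +23,7 hunk retires the `..._REFRESH_MSECS` environment variable without any transition, so a deployment that still exports the old name (as the README documented until this commit) silently falls back to DEFAULT_REFRESH_SECS, because `environment.optionalInt(prefix + SUFFIX_REFRESH_SECS)` never sees it. For a setting that governs how quickly a rotated trust or key store is picked up, a quiet change of interval is the kind of drift operators do not notice until a certificate expires. Keeping `private static final String LEGACY_SUFFIX_REFRESH_MSECS = "REFRESH_MSECS";` and failing fast (or at least logging) where the prefix is known when `environment.optionalInt(prefix + LEGACY_SUFFIX_REFRESH_MSECS)` is present would make the breaking change visible; whether the environment abstraction exposes a presence check is not visible here. The loader methods that would host that check begin outside this hunk.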
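Review bot: The `* 1000` on the added line of the @@ -51,7 +68,7 hunk is a plain int multiplication, so any configured value above 2147483 seconds (about 24.8 days) wraps silently and KeyStoreConfig receives a negative or truncated interval; the keystore line in the @@ -72,7 +89,7 hunk has the same problem. Negative or zero values read from the environment also pass through without a range check. Replacing the multiplication with `Math.multiplyExact(environment.optionalInt(truststorePrefix + SUFFIX_REFRESH_SECS).orElse(DEFAULT_REFRESH_SECS), 1000)` turns the overflow into an ArithmeticException at startup instead of a silent misconfiguration, and a small private helper such as `refreshMillis(String prefix)` would let both call sites share that conversion plus a positivity check. How proxybase treats a non-positive refresh interval is not visible here, so whether it stops re-checking the store or re-checks continuously is something to confirm. loadTrustStoreConfig starts outside this hunk.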
@@ -72,7 +89,7 @@ private static Optional loadKeyStoreConfig(
                 environment.optionalString(keyPrefix + SUFFIX_PASSWORD).orElse("").toCharArray(),
                 environment.optionalString(keyPrefix + SUFFIX_PASSWORD_LOCATION).orElse(null),
                 environment.optionalString(keystorePrefix + SUFFIX_TYPE).orElse(DEFAULT_TYPE),
-                environment.optionalInt(keystorePrefix + SUFFIX_REFRESH_MSECS).orElse(DEFAULT_REFRESH_MSECS)
+                environment.optionalInt(keystorePrefix + SUFFIX_REFRESH_SECS).orElse(DEFAULT_REFRESH_SECS) * 1000
         ));
     }
 }
diff --git a/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/ssl/KeyStoreData.java b/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/ssl/KeyStoreData.java
index 4755538..6a8e4ae 100644
--- a/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/ssl/KeyStoreData.java
+++ b/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/ssl/KeyStoreData.java
@@ -30,8 +30,8 @@ public KeyStoreData(
             final String type
     ) {
         this.keyStore = keyStore.clone();
-        this.keyStorePassword = keyStorePassword;
-        this.keyPassword = keyPassword;
+        this.keyStorePassword = keyStorePassword == null ? null : keyStorePassword.clone();
+        this.keyPassword = keyPassword == null ? null : keyPassword.clone();
         this.type = type;
     }
@@ -44,10 +44,10 @@ public String getType() {
     }
 
     public char[] getKeyStorePassword() {
-        return keyStorePassword;
+        return keyStorePassword == null ? null : keyStorePassword.clone();
     }
 
     public char[] getKeyPassword() {
-        return keyPassword;
+        return keyPassword == null ? null : keyPassword.clone();
     }
 }
diff --git a/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/util/TestFilesystem.java b/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/util/TestFilesystem.java
index 7c05203..85ee944 100644
--- a/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/util/TestFilesystem.java
+++ b/core/src/test/java/com/dajudge/kafkaproxy/roundtrip/util/TestFilesystem.java
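Review bot: The null-guarded `clone()` in the @@ -30,8 +30,8 and @@ -44,10 +44,10 hunks of KeyStoreData is now spelled out four times; a private static helper `private static char[] copyOf(final char[] chars) { return chars == null ? null : chars.clone(); }` would reduce the constructor and both getters to one call each and keep the defensive-copy intent in one place. Because the getters now hand out fresh copies, a caller that scrubs the password after use (`Arrays.fill`) only clears its own copy, which is fine for test fixtures but worth stating on the getters, e.g. `// returns a copy; clearing it does not affect this instance`. The `keyStore.clone()` context line shows the byte array already gets the same treatment, so the class is consistent after this change.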
@@ -1,3 +1,20 @@
+/*
+ * Copyright 2019-2020 The kafkaproxy developers (see CONTRIBUTORS)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
 package com.dajudge.kafkaproxy.roundtrip.util;
 
 import com.dajudge.proxybase.certs.Filesystem;