ISSUE-1722: add ordinal update handling to listener

kgiusti · Jan 30, 2025 · e1d4c3d · e1d4c3d
1 parent db41091
commit e1d4c3d
Show file tree

Hide file tree

Showing 9 changed files with 59 additions and 6 deletions.
diff --git a/include/qpid/dispatch/protocol_adaptor.h b/include/qpid/dispatch/protocol_adaptor.h
@@ -928,6 +928,7 @@ qdr_connection_info_t *qdr_connection_info(bool             is_encrypted,
                                            const char      *user,
                                            const char      *container,
                                            pn_data_t       *connection_properties,
+                                           uint64_t         tls_ordinal,
                                            int              ssl_ssf,
                                            bool             ssl,
                                            const char      *version,

diff --git a/src/adaptors/amqp/amqp_adaptor.c b/src/adaptors/amqp/amqp_adaptor.c
@@ -1560,6 +1560,7 @@ static void AMQP_opened_handler(qd_router_t *router, qd_connection_t *conn, bool
                                                                  (char*) user,
                                                                  container,
                                                                  props,
+                                                                 qd_tls_session_get_profile_ordinal(conn->ssl),
                                                                  ssl_ssf,
                                                                  !!conn->ssl,
                                                                  rversion,

diff --git a/src/adaptors/amqp/connection_manager.c b/src/adaptors/amqp/connection_manager.c
@@ -59,6 +59,24 @@ static void log_config(qd_server_config_t *c, const char *what, bool create)
 }
 
 
+// Handler invoked by mgmt thread whenever the sslProfile is updated for a given qd_listener_t. Check for changes to
+// the sslProfile ordinal and oldestValidOrdinal attributes.  Note this is called with the sslProfile lock held to
+// prevent new connections from being activated until after this call returns.
+//
+static void handle_listener_ssl_profile_mgmt_update(const qd_tls_config_t *config, void *context)
+{
+    uint64_t new_ordinal = qd_tls_config_get_ordinal(config);
+    uint64_t new_oldest_ordinal = qd_tls_config_get_oldest_valid_ordinal(config);
+    qd_listener_t *li = (qd_listener_t *) context;
+
+    if (new_ordinal > li->tls_ordinal)
+        qd_listener_update_tls_ordinal(li, new_ordinal);
+
+    if (new_oldest_ordinal > li->tls_oldest_valid_ordinal)
+        qd_listener_update_tls_oldest_valid_ordinal(li, new_oldest_ordinal);
+}
+
+
 QD_EXPORT qd_listener_t *qd_dispatch_configure_listener(qd_dispatch_t *qd, qd_entity_t *entity)
 {
     qd_connection_manager_t *cm = qd->connection_manager;
@@ -70,19 +88,23 @@ QD_EXPORT qd_listener_t *qd_dispatch_configure_listener(qd_dispatch_t *qd, qd_en
     }
 
     if (li->config.ssl_profile_name) {
+        bool do_cb = strcmp(li->config.role, "inter-router") == 0;
         li->tls_config = qd_tls_config(li->config.ssl_profile_name,
                                        QD_TLS_TYPE_PROTON_AMQP,
                                        QD_TLS_CONFIG_SERVER_MODE,
                                        li->config.verify_host_name,
                                        li->config.ssl_require_peer_authentication,
-                                       0, 0);
+                                       li,
+                                       do_cb ? handle_listener_ssl_profile_mgmt_update : 0);
         if (!li->tls_config) {
             // qd_tls_config() sets qd_error_message():
             qd_log(LOG_CONN_MGR, QD_LOG_ERROR, "Failed to configure TLS for Listener %s: %s",
                    li->config.name, qd_error_message());
             qd_listener_decref(li);
             return 0;
         }
+        li->tls_ordinal = qd_tls_config_get_ordinal(li->tls_config);
+        li->tls_oldest_valid_ordinal = qd_tls_config_get_oldest_valid_ordinal(li->tls_config);
     }
 
     char *fol = qd_entity_opt_string(entity, "failoverUrls", 0);
@@ -308,7 +330,7 @@ QD_EXPORT qd_connector_t *qd_dispatch_configure_connector(qd_dispatch_t *qd, qd_
         // If an sslProfile is configured allocate a TLS config for this connector's connections
         //
         if (ct->config.ssl_profile_name) {
-            bool do_cb = !!strcmp(ct->config.role, "inter-router");
+            bool do_cb = strcmp(ct->config.role, "inter-router") == 0;
             ct->tls_config = qd_tls_config(ct->config.ssl_profile_name,
                                            QD_TLS_TYPE_PROTON_AMQP,
                                            QD_TLS_CONFIG_CLIENT_MODE,

diff --git a/src/adaptors/amqp/qd_listener.c b/src/adaptors/amqp/qd_listener.c
@@ -216,3 +216,20 @@ void qd_listener_remove_link(qd_listener_t *li)
         vflow_set_uint64(li->vflow_record, VFLOW_ATTRIBUTE_LINK_COUNT, count);
     }
 }
+
+
+void qd_listener_update_tls_ordinal(qd_listener_t *li, uint64_t new_ordinal)
+{
+    qd_log(LOG_SERVER, QD_LOG_DEBUG,
+           "Listener %s new ordinal: %"PRIu64", previous: %"PRIu64,
+           li->config.name, new_ordinal, li->tls_ordinal);
+    li->tls_ordinal = new_ordinal;
+}
+
+void qd_listener_update_tls_oldest_valid_ordinal(qd_listener_t *li, uint64_t new_oldest_valid_ordinal)
+{
+    qd_log(LOG_SERVER, QD_LOG_DEBUG,
+           "Listener %s new oldest valid ordinal: %"PRIu64", previous: %"PRIu64,
+           li->config.name, new_oldest_valid_ordinal, li->tls_oldest_valid_ordinal);
+    li->tls_oldest_valid_ordinal = new_oldest_valid_ordinal;
+}
diff --git a/src/adaptors/amqp/qd_listener.h b/src/adaptors/amqp/qd_listener.h
@@ -49,7 +49,11 @@ struct qd_listener_t {
     DEQ_LINKS(qd_listener_t);
     bool                      exit_on_error;
     vflow_record_t           *vflow_record;
+
+    // TLS Configuration. Keep a local copy of the TLS ordinals to monitor changes by management
     qd_tls_config_t          *tls_config;
+    uint64_t                  tls_ordinal;
+    uint64_t                  tls_oldest_valid_ordinal;
 };
 
 DEQ_DECLARE(qd_listener_t, qd_listener_list_t);
@@ -78,4 +82,6 @@ void qd_listener_add_link(qd_listener_t *li);
 // account for a removed link from the listener
 void qd_listener_remove_link(qd_listener_t *li);
 
+void qd_listener_update_tls_ordinal(qd_listener_t *li, uint64_t new_ordinal);
+void qd_listener_update_tls_oldest_valid_ordinal(qd_listener_t *li, uint64_t new_oldest_valid_ordinal);
 #endif
diff --git a/src/adaptors/tcp/tcp_adaptor.c b/src/adaptors/tcp/tcp_adaptor.c
@@ -336,6 +336,7 @@ static qdr_connection_t *TL_open_core_connection(uint64_t conn_id, bool incoming
                                                       "",           // user,
                                                       "TcpAdaptor", // container,
                                                       properties,   // connection_properties,
+                                                      0,            // TLS Ordinal
                                                       0,            // ssl_ssf,
                                                       false,        // ssl,
                                                       "",           // peer router version,

diff --git a/src/router_core/connections.c b/src/router_core/connections.c
@@ -190,6 +190,7 @@ qdr_connection_info_t *qdr_connection_info(bool             is_encrypted,
                                            const char      *user,
                                            const char      *container,
                                            pn_data_t       *connection_properties,
+                                           uint64_t         tls_ordinal,
                                            int              tls_ssf,
                                            bool             tls,
                                            const char      *version,
@@ -223,8 +224,9 @@ qdr_connection_info_t *qdr_connection_info(bool             is_encrypted,
         pn_data_copy(qdr_conn_properties, connection_properties);
 
     connection_info->connection_properties = qdr_conn_properties;
-    connection_info->tls_ssf = tls_ssf;
-    connection_info->tls     = tls;
+    connection_info->tls_ssf     = tls_ssf;
+    connection_info->tls         = tls;
+    connection_info->tls_ordinal = tls_ordinal;
     connection_info->streaming_links = streaming_links;
     connection_info->connection_trunking = connection_trunking;
     sys_mutex_init(&connection_info->connection_info_lock);

diff --git a/src/router_core/router_core_private.h b/src/router_core/router_core_private.h
@@ -654,10 +654,11 @@ struct qdr_connection_info_t {
     bool                   opened;
     bool                   streaming_links;  // will allow streaming links
     bool                   connection_trunking; // peer supports connection trunking
+    bool                   tls;
     qd_direction_t         dir;
     qdr_connection_role_t  role;
     pn_data_t             *connection_properties;
-    bool                   tls;
+    uint64_t               tls_ordinal;  // sslProfile revision used for the TLS session
     int                    tls_ssf; // TLS strength factor
     char                  *version; // if role is router or edge
     sys_mutex_t            connection_info_lock;

diff --git a/src/tls/tls.c b/src/tls/tls.c
@@ -629,7 +629,9 @@ int qd_tls_session_get_ssf(const qd_tls_session_t *tls_session)
 
 uint64_t qd_tls_session_get_profile_ordinal(const qd_tls_session_t *session)
 {
-    return session->ordinal;
+    if (session)
+        return session->ordinal;
+    return 0;
 }