forked from woggioni/rbcs
Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
bfce91905f
|
|||
|
ab2a06e810
|
|||
|
1d938b7ea3
|
|||
|
5d190d81ab
|
|||
|
e6f35f4340
|
|||
|
6d214eb066
|
|||
|
0a50ae0643
|
@@ -32,7 +32,7 @@ jobs:
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
gitea.woggioni.net/woggioni/rbcs:vanilla-dev
|
||||
gitea.woggioni.net/woggioni/rbcs:dev-vanilla
|
||||
target: release-vanilla
|
||||
-
|
||||
name: Build rbcs memcache Docker image
|
||||
@@ -44,7 +44,7 @@ jobs:
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
gitea.woggioni.net/woggioni/rbcs:memcache-dev
|
||||
gitea.woggioni.net/woggioni/rbcs:dev-memcache
|
||||
target: release-memcache
|
||||
-
|
||||
name: Build rbcs redis Docker image
|
||||
@@ -56,8 +56,20 @@ jobs:
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
gitea.woggioni.net/woggioni/rbcs:redis-dev
|
||||
gitea.woggioni.net/woggioni/rbcs:dev-redis
|
||||
target: release-redis
|
||||
-
|
||||
name: Build rbcs full Docker image
|
||||
uses: docker/build-push-action@v5.3.0
|
||||
with:
|
||||
builder: "multiplatform-builder"
|
||||
context: "docker/build/docker"
|
||||
platforms: linux/amd64,linux/arm64
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
gitea.woggioni.net/woggioni/rbcs:dev-full
|
||||
target: release-full
|
||||
-
|
||||
name: Build rbcs native Docker image
|
||||
uses: docker/build-push-action@v5.3.0
|
||||
@@ -68,7 +80,7 @@ jobs:
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
gitea.woggioni.net/woggioni/rbcs:native-dev
|
||||
gitea.woggioni.net/woggioni/rbcs:dev-native
|
||||
target: release-native
|
||||
-
|
||||
name: Build rbcs jlink Docker image
|
||||
@@ -80,6 +92,6 @@ jobs:
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
gitea.woggioni.net/woggioni/rbcs:jlink-dev
|
||||
gitea.woggioni.net/woggioni/rbcs:dev-jlink
|
||||
target: release-jlink
|
||||
|
||||
|
||||
@@ -61,6 +61,19 @@ jobs:
|
||||
gitea.woggioni.net/woggioni/rbcs:redis
|
||||
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-redis
|
||||
target: release-redis
|
||||
-
|
||||
name: Build rbcs full Docker image
|
||||
uses: docker/build-push-action@v5.3.0
|
||||
with:
|
||||
builder: "multiplatform-builder"
|
||||
context: "docker/build/docker"
|
||||
platforms: linux/amd64,linux/arm64
|
||||
push: true
|
||||
pull: true
|
||||
tags: |
|
||||
gitea.woggioni.net/woggioni/rbcs:full
|
||||
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-full
|
||||
target: release-full
|
||||
-
|
||||
name: Build rbcs native Docker image
|
||||
uses: docker/build-push-action@v5.3.0
|
||||
|
||||
5
.gitignore
vendored
5
.gitignore
vendored
@@ -5,3 +5,8 @@
|
||||
build
|
||||
|
||||
rbcs-cli/native-image/*.json
|
||||
|
||||
# Ignore JDTLS files
|
||||
.classpath
|
||||
.project
|
||||
.settings
|
||||
|
||||
@@ -139,6 +139,7 @@ Configures TLS encryption.
|
||||
<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:rbcs="urn:net.woggioni.rbcs.server"
|
||||
xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs-server.xsd"
|
||||
path="/my/custom/path"
|
||||
>
|
||||
<bind host="0.0.0.0" port="8080" incoming-connections-backlog-size="1024" proxy-protocol="true">
|
||||
<trusted-proxies>
|
||||
|
||||
@@ -1,33 +1,49 @@
|
||||
FROM eclipse-temurin:25-jre-alpine AS base-release
|
||||
RUN adduser -D luser
|
||||
USER luser
|
||||
WORKDIR /home/luser
|
||||
RUN adduser -D rbcs
|
||||
USER rbcs
|
||||
WORKDIR /var/lib/rbcs
|
||||
|
||||
FROM base-release AS release-vanilla
|
||||
ADD rbcs-cli-envelope-*.jar rbcs.jar
|
||||
ENTRYPOINT ["java", "-Dlogback.configurationFile=logback.xml", "-XX:MaxRAMPercentage=70", "-XX:GCTimeRatio=24", "-XX:+UseZGC", "-XX:+ZGenerational", "-jar", "/home/luser/rbcs.jar"]
|
||||
ADD logback.xml /etc/rbcs/logback.xml
|
||||
ENV RBCS_CONFIGURATION_DIR="/etc/rbcs"
|
||||
ENV JDK_JAVA_OPTIONS=-Dlogback.configurationFile=/etc/rbcs/logback.xml\ -XX:MaxRAMPercentage=70\ -XX:GCTimeRatio=24\ -XX:+UseZGC
|
||||
ENTRYPOINT ["java", "-jar", "/var/lib/rbcs/rbcs.jar"]
|
||||
|
||||
FROM base-release AS release-memcache
|
||||
ADD --chown=luser:luser rbcs-cli-envelope-*.jar rbcs.jar
|
||||
ADD --chown=rbcs:rbcs rbcs-cli-envelope-*.jar rbcs.jar
|
||||
RUN mkdir plugins
|
||||
WORKDIR /home/luser/plugins
|
||||
WORKDIR /var/lib/rbcs/plugins
|
||||
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-server-memcache*.tar
|
||||
WORKDIR /home/luser
|
||||
ADD logback.xml .
|
||||
ENTRYPOINT ["java", "-Dlogback.configurationFile=logback.xml", "-XX:MaxRAMPercentage=70", "-XX:GCTimeRatio=24", "-XX:+UseZGC", "-XX:+ZGenerational", "-jar", "/home/luser/rbcs.jar"]
|
||||
WORKDIR /var/lib/rbcs
|
||||
ADD logback.xml /etc/rbcs/logback.xml
|
||||
ENTRYPOINT ["java", "-jar", "/var/lib/rbcs/rbcs.jar"]
|
||||
|
||||
FROM base-release AS release-redis
|
||||
ADD --chown=luser:luser rbcs-cli-envelope-*.jar rbcs.jar
|
||||
ADD --chown=rbcs:rbcs rbcs-cli-envelope-*.jar rbcs.jar
|
||||
RUN mkdir plugins
|
||||
WORKDIR /home/luser/plugins
|
||||
WORKDIR /var/lib/rbcs/plugins
|
||||
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-server-redis*.tar
|
||||
WORKDIR /home/luser
|
||||
ADD logback.xml .
|
||||
ENTRYPOINT ["java", "-Dlogback.configurationFile=logback.xml", "-XX:MaxRAMPercentage=70", "-XX:GCTimeRatio=24", "-XX:+UseZGC", "-XX:+ZGenerational", "-jar", "/home/luser/rbcs.jar"]
|
||||
WORKDIR /var/lib/rbcs
|
||||
ADD logback.xml /etc/rbcs/logback.xml
|
||||
ENTRYPOINT ["java", "-jar", "/var/lib/rbcs/rbcs.jar"]
|
||||
|
||||
FROM base-release AS release-full
|
||||
ADD --chown=rbcs:rbcs rbcs-cli-envelope-*.jar rbcs.jar
|
||||
RUN mkdir plugins
|
||||
WORKDIR /var/lib/rbcs/plugins
|
||||
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-server-memcache*.tar
|
||||
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-server-redis*.tar
|
||||
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-server-otel*.tar
|
||||
WORKDIR /var/lib/rbcs
|
||||
ADD logback.xml /etc/rbcs/logback.xml
|
||||
ENV OTEL_SDK_DISABLED="true"
|
||||
ENTRYPOINT ["java", "-jar", "/var/lib/rbcs/rbcs.jar"]
|
||||
|
||||
FROM busybox:musl AS base-native
|
||||
RUN mkdir -p /var/lib/rbcs /etc/rbcs
|
||||
RUN mkdir -p /var/lib/rbcs /var/tmp/rbcs /etc/rbcs
|
||||
RUN adduser -D -u 1000 rbcs -h /var/lib/rbcs
|
||||
RUN chown rbcs:rbcs /var/tmp/rbcs
|
||||
|
||||
FROM scratch AS release-native
|
||||
COPY --from=base-native /etc/passwd /etc/passwd
|
||||
@@ -37,16 +53,17 @@ ADD rbcs-cli.upx /usr/bin/rbcs-cli
|
||||
ENV RBCS_CONFIGURATION_DIR="/etc/rbcs"
|
||||
USER rbcs
|
||||
WORKDIR /var/lib/rbcs
|
||||
ENTRYPOINT ["/usr/bin/rbcs-cli", "-XX:MaximumHeapSizePercent=70"]
|
||||
ENTRYPOINT ["/usr/bin/rbcs-cli", "-XX:MaximumHeapSizePercent=70", "-Dio.netty.tmpdir=/var/tmp/rbcs", "-Dlogback.configurationFile=/etc/rbcs/logback.xml"]
|
||||
|
||||
FROM debian:12-slim AS release-jlink
|
||||
RUN mkdir -p /usr/share/java/rbcs
|
||||
RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-cli*.tar -C /usr/share/java/rbcs
|
||||
RUN chmod 755 /usr/share/java/rbcs/bin/*
|
||||
ADD --chmod=755 rbcs-cli.sh /usr/local/bin/rbcs-cli
|
||||
RUN adduser -u 1000 luser
|
||||
USER luser
|
||||
WORKDIR /home/luser
|
||||
ADD logback.xml .
|
||||
ENV JAVA_OPTS=-XX:-UseJVMCICompiler\ -Dlogback.configurationFile=logback.xml\ -XX:MaxRAMPercentage=70\ -XX:GCTimeRatio=24\ -XX:+UseZGC\ -XX:+ZGenerational
|
||||
RUN adduser -u 1000 rbcs
|
||||
USER rbcs
|
||||
WORKDIR /var/lib/rbcs
|
||||
ADD logback.xml /etc/rbcs/logback.xml
|
||||
ENV RBCS_CONFIGURATION_DIR="/etc/rbcs"
|
||||
ENV JDK_JAVA_OPTIONS=-XX:-UseJVMCICompiler\ -Dlogback.configurationFile=/etc/rbcs/logback.xml\ -XX:MaxRAMPercentage=70\ -XX:GCTimeRatio=24\ -XX:+UseZGC
|
||||
ENTRYPOINT ["/usr/local/bin/rbcs-cli"]
|
||||
|
||||
@@ -21,6 +21,7 @@ dependencies {
|
||||
docker project(path: ':rbcs-cli', configuration: 'release')
|
||||
docker project(path: ':rbcs-server-memcache', configuration: 'release')
|
||||
docker project(path: ':rbcs-server-redis', configuration: 'release')
|
||||
docker project(path: ':rbcs-server-otel', configuration: 'release')
|
||||
}
|
||||
|
||||
Provider<Task> cleanTaskProvider = tasks.named(BasePlugin.CLEAN_TASK_NAME) {}
|
||||
|
||||
@@ -2,9 +2,9 @@ org.gradle.configuration-cache=false
|
||||
org.gradle.parallel=true
|
||||
org.gradle.caching=true
|
||||
|
||||
rbcs.version = 0.4.0
|
||||
rbcs.version = 0.5.0
|
||||
|
||||
lys.version = 2026.03.26
|
||||
lys.version = 2026.04.29
|
||||
|
||||
gitea.maven.url = https://gitea.woggioni.net/api/packages/woggioni/maven
|
||||
docker.registry.url=gitea.woggioni.net
|
||||
|
||||
@@ -11,6 +11,7 @@ dependencies {
|
||||
api catalog.netty.buffer
|
||||
api catalog.netty.handler
|
||||
api catalog.netty.codec.http
|
||||
api catalog.jetbrains.annotations
|
||||
}
|
||||
|
||||
publishing {
|
||||
|
||||
@@ -8,7 +8,7 @@ module net.woggioni.rbcs.api {
|
||||
requires io.netty.buffer;
|
||||
requires org.slf4j;
|
||||
requires java.xml;
|
||||
|
||||
requires org.jetbrains.annotations;
|
||||
|
||||
exports net.woggioni.rbcs.api;
|
||||
exports net.woggioni.rbcs.api.exception;
|
||||
|
||||
@@ -18,10 +18,10 @@ import java.util.stream.Collectors;
|
||||
public class Configuration {
|
||||
String host;
|
||||
int port;
|
||||
String serverPath;
|
||||
boolean proxyProtocolEnabled;
|
||||
List<Cidr> trustedProxyIPs;
|
||||
int incomingConnectionsBacklogSize;
|
||||
String serverPath;
|
||||
@NonNull
|
||||
EventExecutor eventExecutor;
|
||||
@NonNull
|
||||
@@ -136,6 +136,13 @@ public class Configuration {
|
||||
TlsCertificateExtractor groupExtractor;
|
||||
}
|
||||
|
||||
@Value
|
||||
public static class ForwardedClientCertificateAuthentication implements Authentication {
|
||||
String headerName;
|
||||
TlsCertificateExtractor userExtractor;
|
||||
TlsCertificateExtractor groupExtractor;
|
||||
}
|
||||
|
||||
public interface Cache {
|
||||
CacheHandlerFactory materialize();
|
||||
String getNamespaceURI();
|
||||
@@ -161,10 +168,10 @@ public class Configuration {
|
||||
return new Configuration(
|
||||
host,
|
||||
port,
|
||||
serverPath != null && !serverPath.isEmpty() && !serverPath.equals("/") ? serverPath : null,
|
||||
proxyProtocolEnabled,
|
||||
trustedProxyIPs,
|
||||
incomingConnectionsBacklogSize,
|
||||
serverPath != null && !serverPath.isEmpty() && !serverPath.equals("/") ? serverPath : null,
|
||||
eventExecutor,
|
||||
rateLimiter,
|
||||
connection,
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
package net.woggioni.rbcs.api;
|
||||
|
||||
import io.netty.channel.ChannelHandler;
|
||||
import org.jetbrains.annotations.NotNull;
|
||||
|
||||
public interface TelemetryController {
|
||||
void initialize();
|
||||
@NotNull ChannelHandler createHandler();
|
||||
}
|
||||
@@ -30,7 +30,6 @@ configurations {
|
||||
transitive = false
|
||||
canBeConsumed = true
|
||||
canBeResolved = true
|
||||
visible = true
|
||||
}
|
||||
|
||||
configureNativeImageImplementation {
|
||||
@@ -51,6 +50,7 @@ dependencies {
|
||||
configureNativeImageImplementation project
|
||||
configureNativeImageImplementation project(':rbcs-server-memcache')
|
||||
configureNativeImageImplementation project(':rbcs-server-redis')
|
||||
// configureNativeImageImplementation project(':rbcs-server-otel')
|
||||
|
||||
implementation catalog.jwo
|
||||
implementation catalog.slf4j.api
|
||||
@@ -59,9 +59,7 @@ dependencies {
|
||||
implementation project(':rbcs-client')
|
||||
implementation project(':rbcs-server')
|
||||
|
||||
// runtimeOnly catalog.slf4j.jdk14
|
||||
runtimeOnly catalog.logback.classic
|
||||
// runtimeOnly catalog.slf4j.simple
|
||||
nativeImage project(':rbcs-server-memcache')
|
||||
nativeImage project(':rbcs-server-redis')
|
||||
|
||||
@@ -142,7 +140,12 @@ Provider<JlinkTask> jlinkTaskProvider = tasks.named(JlinkPlugin.JLINK_TASK_NAME,
|
||||
'net.woggioni.rbcs.server.memcache',
|
||||
'net.woggioni.rbcs.server.redis',
|
||||
'ch.qos.logback.classic',
|
||||
'jdk.crypto.ec'
|
||||
'jdk.crypto.ec',
|
||||
// 'io.opentelemetry.api',
|
||||
// 'io.opentelemetry.instrumentation.netty_4_1',
|
||||
// 'io.opentelemetry.sdk.autoconfigure',
|
||||
// 'io.opentelemetry.instrumentation.logback_appender_1_0',
|
||||
// 'io.opentelemetry.extension.trace.propagation'
|
||||
]
|
||||
compressionLevel = 2
|
||||
stripDebug = false
|
||||
|
||||
@@ -120,10 +120,10 @@ object GraalNativeImageConfiguration {
|
||||
val serverConfiguration = Configuration(
|
||||
"127.0.0.1",
|
||||
serverPort,
|
||||
null,
|
||||
false,
|
||||
emptyList(),
|
||||
100,
|
||||
null,
|
||||
Configuration.EventExecutor(true),
|
||||
Configuration.RateLimiter(
|
||||
false, 0x100000, 10
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
module net.woggioni.rbcs.cli {
|
||||
requires org.slf4j;
|
||||
requires net.woggioni.jwo;
|
||||
requires net.woggioni.rbcs.server;
|
||||
requires info.picocli;
|
||||
requires net.woggioni.rbcs.common;
|
||||
requires net.woggioni.rbcs.client;
|
||||
requires kotlin.stdlib;
|
||||
requires net.woggioni.jwo;
|
||||
requires net.woggioni.rbcs.api;
|
||||
|
||||
exports net.woggioni.rbcs.cli.impl.converters to info.picocli;
|
||||
@@ -14,4 +14,6 @@ module net.woggioni.rbcs.cli {
|
||||
opens net.woggioni.rbcs.cli to info.picocli, net.woggioni.rbcs.common;
|
||||
|
||||
exports net.woggioni.rbcs.cli;
|
||||
|
||||
uses net.woggioni.rbcs.api.TelemetryController;
|
||||
}
|
||||
@@ -1,6 +1,8 @@
|
||||
package net.woggioni.rbcs.cli
|
||||
|
||||
import net.woggioni.jwo.Application
|
||||
import net.woggioni.jwo.LoggerController
|
||||
import net.woggioni.rbcs.api.TelemetryController
|
||||
import net.woggioni.rbcs.cli.impl.AbstractVersionProvider
|
||||
import net.woggioni.rbcs.cli.impl.RbcsCommand
|
||||
import net.woggioni.rbcs.cli.impl.commands.BenchmarkCommand
|
||||
@@ -14,6 +16,8 @@ import net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory
|
||||
import net.woggioni.rbcs.common.createLogger
|
||||
import picocli.CommandLine
|
||||
import picocli.CommandLine.Model.CommandSpec
|
||||
import java.util.ServiceLoader
|
||||
import net.woggioni.rbcs.common.RBCS.loadService
|
||||
|
||||
|
||||
@CommandLine.Command(
|
||||
@@ -61,6 +65,10 @@ class RemoteBuildCacheServerCli : RbcsCommand() {
|
||||
|
||||
@JvmStatic
|
||||
fun main(vararg args: String) {
|
||||
loadService(TelemetryController::class.java)
|
||||
.firstOrNull()
|
||||
?.initialize()
|
||||
LoggerController.initializeLoggers()
|
||||
System.exit(createCommandLine().execute(*args))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,6 +2,7 @@ package net.woggioni.rbcs.common
|
||||
|
||||
import io.netty.channel.Channel
|
||||
import io.netty.channel.ChannelHandlerContext
|
||||
import net.woggioni.jwo.LoggerController
|
||||
import java.nio.file.Files
|
||||
import java.nio.file.Path
|
||||
import java.util.logging.LogManager
|
||||
@@ -11,8 +12,10 @@ import org.slf4j.MDC
|
||||
import org.slf4j.event.Level
|
||||
import org.slf4j.spi.LoggingEventBuilder
|
||||
|
||||
inline fun <reified T> T.contextLogger() = LoggerFactory.getLogger(T::class.java)
|
||||
inline fun <reified T> createLogger() = LoggerFactory.getLogger(T::class.java)
|
||||
fun <T> lazyLogger(cls: Class<T>) = LoggerController.lazyLogger(cls)
|
||||
|
||||
inline fun <reified T> T.contextLogger() = lazyLogger(T::class.java)
|
||||
inline fun <reified T> createLogger() = lazyLogger(T::class.java)
|
||||
|
||||
inline fun Logger.traceParam(messageBuilder: () -> Pair<String, Array<Any>>) {
|
||||
if (isTraceEnabled) {
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
package net.woggioni.rbcs.common
|
||||
|
||||
import net.woggioni.jwo.JWO
|
||||
import net.woggioni.jwo.Tuple2
|
||||
import java.io.IOException
|
||||
import java.net.InetAddress
|
||||
import java.net.ServerSocket
|
||||
@@ -9,18 +11,10 @@ import java.nio.file.Files
|
||||
import java.nio.file.Path
|
||||
import java.security.KeyStore
|
||||
import java.security.MessageDigest
|
||||
import java.security.cert.CertPathValidator
|
||||
import java.security.cert.CertPathValidatorException
|
||||
import java.security.cert.CertificateException
|
||||
import java.security.cert.CertificateFactory
|
||||
import java.security.cert.PKIXParameters
|
||||
import java.security.cert.PKIXRevocationChecker
|
||||
import java.security.cert.X509Certificate
|
||||
import java.util.EnumSet
|
||||
import java.security.cert.*
|
||||
import java.util.*
|
||||
import javax.net.ssl.TrustManagerFactory
|
||||
import javax.net.ssl.X509TrustManager
|
||||
import net.woggioni.jwo.JWO
|
||||
import net.woggioni.jwo.Tuple2
|
||||
|
||||
object RBCS {
|
||||
fun String.toUrl(): URL = URL.of(URI(this), null)
|
||||
@@ -164,4 +158,10 @@ object RBCS {
|
||||
.single() as X509TrustManager
|
||||
}
|
||||
}
|
||||
|
||||
inline fun <T, reified U> U.loadService(serviceClass : Class<T>): Sequence<T> {
|
||||
return (U::class.java.module.layer?.let { layer ->
|
||||
ServiceLoader.load(layer, serviceClass)
|
||||
} ?: ServiceLoader.load(serviceClass)).asSequence()
|
||||
}
|
||||
}
|
||||
81
rbcs-server-otel/build.gradle
Normal file
81
rbcs-server-otel/build.gradle
Normal file
@@ -0,0 +1,81 @@
|
||||
plugins {
|
||||
id 'java-library'
|
||||
id 'maven-publish'
|
||||
alias catalog.plugins.kotlin.jvm
|
||||
}
|
||||
|
||||
configurations {
|
||||
|
||||
bundle {
|
||||
canBeResolved = false
|
||||
canBeConsumed = false
|
||||
transitive = true
|
||||
}
|
||||
|
||||
filteredBundle {
|
||||
canBeResolved = true
|
||||
canBeConsumed = false
|
||||
transitive = true
|
||||
|
||||
extendsFrom bundle
|
||||
|
||||
resolutionStrategy {
|
||||
dependencies {
|
||||
exclude group: 'org.slf4j', module: 'slf4j-api'
|
||||
exclude group: 'org.jetbrains.kotlin', module: 'kotlin-stdlib'
|
||||
exclude group: 'org.jetbrains', module: 'annotations'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
release {
|
||||
transitive = false
|
||||
canBeConsumed = true
|
||||
canBeResolved = true
|
||||
}
|
||||
|
||||
compileOnly {
|
||||
extendsFrom bundle
|
||||
}
|
||||
}
|
||||
|
||||
dependencies {
|
||||
compileOnly project(':rbcs-common')
|
||||
compileOnly project(':rbcs-api')
|
||||
|
||||
compileOnly catalog.netty.transport
|
||||
compileOnly catalog.slf4j.api
|
||||
compileOnly catalog.kotlin.stdlib.jdk8
|
||||
compileOnly catalog.logback.core
|
||||
compileOnly catalog.logback.classic
|
||||
|
||||
bundle catalog.opentelemetry.netty.'4'.'1'
|
||||
bundle catalog.opentelemetry.sdk.extension.autoconfigure
|
||||
bundle catalog.opentelemetry.logback.appender.'1'.'0'
|
||||
bundle catalog.opentelemetry.logback.mdc.'1'.'0'
|
||||
bundle catalog.opentelemetry.extension.trace.propagators
|
||||
bundle catalog.opentelemetry.exporter.otlp
|
||||
bundle catalog.opentelemetry.runtime.telemetry
|
||||
}
|
||||
|
||||
Provider<Tar> bundleTask = tasks.register("bundle", Tar) {
|
||||
from(tasks.named(JavaPlugin.JAR_TASK_NAME))
|
||||
from(configurations.filteredBundle)
|
||||
group = BasePlugin.BUILD_GROUP
|
||||
}
|
||||
|
||||
tasks.named(BasePlugin.ASSEMBLE_TASK_NAME) {
|
||||
dependsOn(bundleTask)
|
||||
}
|
||||
|
||||
artifacts {
|
||||
release(bundleTask)
|
||||
}
|
||||
|
||||
publishing {
|
||||
publications {
|
||||
maven(MavenPublication) {
|
||||
artifact bundleTask
|
||||
}
|
||||
}
|
||||
}
|
||||
20
rbcs-server-otel/src/main/java/module-info.java
Normal file
20
rbcs-server-otel/src/main/java/module-info.java
Normal file
@@ -0,0 +1,20 @@
|
||||
module net.woggioni.rbcs.server.otel {
|
||||
requires net.woggioni.rbcs.common;
|
||||
requires kotlin.stdlib;
|
||||
requires io.netty.transport;
|
||||
requires io.netty.common;
|
||||
requires io.netty.buffer;
|
||||
requires org.slf4j;
|
||||
|
||||
requires ch.qos.logback.core;
|
||||
requires ch.qos.logback.classic;
|
||||
requires io.opentelemetry.api;
|
||||
requires io.opentelemetry.sdk.autoconfigure;
|
||||
requires io.opentelemetry.instrumentation.runtime_telemetry;
|
||||
requires io.opentelemetry.instrumentation.netty_4_1;
|
||||
requires io.opentelemetry.instrumentation.logback_appender_1_0;
|
||||
requires io.opentelemetry.extension.trace.propagation;
|
||||
requires net.woggioni.rbcs.api;
|
||||
|
||||
provides net.woggioni.rbcs.api.TelemetryController with net.woggioni.rbcs.server.otel.OtelController;
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
package net.woggioni.rbcs.server.otel
|
||||
|
||||
import io.netty.channel.ChannelHandler
|
||||
import io.opentelemetry.api.GlobalOpenTelemetry
|
||||
import io.opentelemetry.instrumentation.logback.appender.v1_0.OpenTelemetryAppender
|
||||
import io.opentelemetry.instrumentation.netty.v4_1.NettyServerTelemetry
|
||||
import io.opentelemetry.instrumentation.runtimetelemetry.RuntimeTelemetry
|
||||
import io.opentelemetry.sdk.autoconfigure.AutoConfiguredOpenTelemetrySdk
|
||||
import net.woggioni.rbcs.api.TelemetryController
|
||||
import net.woggioni.rbcs.common.createLogger
|
||||
import net.woggioni.rbcs.common.info
|
||||
|
||||
class OtelController : TelemetryController {
|
||||
|
||||
private val log = createLogger<OtelController>()
|
||||
|
||||
override fun initialize() {
|
||||
log.info { "Initializing OpenTelemetry SDK with auto-configuration" }
|
||||
|
||||
val sdk = AutoConfiguredOpenTelemetrySdk.builder()
|
||||
.setResultAsGlobal()
|
||||
.build()
|
||||
.openTelemetrySdk
|
||||
RuntimeTelemetry.create(sdk)
|
||||
|
||||
runCatching {
|
||||
OpenTelemetryAppender.install(sdk)
|
||||
log.info { "OpenTelemetry logback appender installed" }
|
||||
}.onFailure { ex ->
|
||||
val msg = ex.localizedMessage ?: ex.javaClass.name
|
||||
log.info { "Failed to install OpenTelemetry logback appender: $msg" }
|
||||
}
|
||||
log.info { "OpenTelemetry SDK initialized successfully" }
|
||||
}
|
||||
|
||||
override fun createHandler(): ChannelHandler {
|
||||
return NettyServerTelemetry.create(GlobalOpenTelemetry.get()).createCombinedHandler()
|
||||
}
|
||||
}
|
||||
@@ -13,6 +13,11 @@ dependencies {
|
||||
implementation catalog.netty.buffer
|
||||
implementation catalog.netty.transport
|
||||
implementation catalog.netty.codec.haproxy
|
||||
compileOnly catalog.opentelemetry.netty['4']['1']
|
||||
compileOnly catalog.opentelemetry.sdk.extension.autoconfigure
|
||||
compileOnly catalog.opentelemetry.logback.appender['1']['0']
|
||||
compileOnly catalog.opentelemetry.extension.trace.propagators
|
||||
compileOnly catalog.logback.classic
|
||||
|
||||
api project(':rbcs-common')
|
||||
api project(':rbcs-api')
|
||||
|
||||
@@ -26,5 +26,6 @@ module net.woggioni.rbcs.server {
|
||||
|
||||
|
||||
uses CacheProvider;
|
||||
uses net.woggioni.rbcs.api.TelemetryController;
|
||||
provides CacheProvider with FileSystemCacheProvider, InMemoryCacheProvider;
|
||||
}
|
||||
@@ -2,16 +2,8 @@ package net.woggioni.rbcs.server
|
||||
|
||||
import io.netty.bootstrap.ServerBootstrap
|
||||
import io.netty.buffer.ByteBuf
|
||||
import io.netty.channel.Channel
|
||||
import io.netty.channel.ChannelFactory
|
||||
import io.netty.channel.ChannelFuture
|
||||
import io.netty.channel.*
|
||||
import io.netty.channel.ChannelHandler.Sharable
|
||||
import io.netty.channel.ChannelHandlerContext
|
||||
import io.netty.channel.ChannelInboundHandlerAdapter
|
||||
import io.netty.channel.ChannelInitializer
|
||||
import io.netty.channel.ChannelOption
|
||||
import io.netty.channel.ChannelPromise
|
||||
import io.netty.channel.MultiThreadIoEventLoopGroup
|
||||
import io.netty.channel.nio.NioIoHandler
|
||||
import io.netty.channel.socket.DatagramChannel
|
||||
import io.netty.channel.socket.ServerSocketChannel
|
||||
@@ -21,12 +13,7 @@ import io.netty.channel.socket.nio.NioServerSocketChannel
|
||||
import io.netty.channel.socket.nio.NioSocketChannel
|
||||
import io.netty.handler.codec.compression.CompressionOptions
|
||||
import io.netty.handler.codec.haproxy.HAProxyMessageDecoder
|
||||
import io.netty.handler.codec.http.DefaultHttpContent
|
||||
import io.netty.handler.codec.http.HttpContentCompressor
|
||||
import io.netty.handler.codec.http.HttpDecoderConfig
|
||||
import io.netty.handler.codec.http.HttpHeaderNames
|
||||
import io.netty.handler.codec.http.HttpRequest
|
||||
import io.netty.handler.codec.http.HttpServerCodec
|
||||
import io.netty.handler.codec.http.*
|
||||
import io.netty.handler.ssl.ClientAuth
|
||||
import io.netty.handler.ssl.SslContext
|
||||
import io.netty.handler.ssl.SslContextBuilder
|
||||
@@ -37,37 +24,17 @@ import io.netty.handler.timeout.IdleStateEvent
|
||||
import io.netty.handler.timeout.IdleStateHandler
|
||||
import io.netty.util.AttributeKey
|
||||
import io.netty.util.concurrent.EventExecutorGroup
|
||||
import java.io.OutputStream
|
||||
import java.net.InetSocketAddress
|
||||
import java.nio.file.Files
|
||||
import java.nio.file.Path
|
||||
import java.security.PrivateKey
|
||||
import java.security.cert.X509Certificate
|
||||
import java.time.Duration
|
||||
import java.time.Instant
|
||||
import java.util.Arrays
|
||||
import java.util.Base64
|
||||
import java.util.concurrent.CompletableFuture
|
||||
import java.util.concurrent.Future
|
||||
import java.util.concurrent.TimeUnit
|
||||
import java.util.concurrent.TimeoutException
|
||||
import java.util.regex.Matcher
|
||||
import java.util.regex.Pattern
|
||||
import javax.naming.ldap.LdapName
|
||||
import javax.net.ssl.SSLPeerUnverifiedException
|
||||
import net.woggioni.rbcs.api.AsyncCloseable
|
||||
import net.woggioni.rbcs.api.Configuration
|
||||
import net.woggioni.rbcs.api.TelemetryController
|
||||
import net.woggioni.rbcs.api.exception.ConfigurationException
|
||||
import net.woggioni.rbcs.common.Cidr
|
||||
import net.woggioni.rbcs.common.*
|
||||
import net.woggioni.rbcs.common.PasswordSecurity.decodePasswordHash
|
||||
import net.woggioni.rbcs.common.PasswordSecurity.hashPassword
|
||||
import net.woggioni.rbcs.common.RBCS.getTrustManager
|
||||
import net.woggioni.rbcs.common.RBCS.loadKeystore
|
||||
import net.woggioni.rbcs.common.RBCS.loadService
|
||||
import net.woggioni.rbcs.common.RBCS.toUrl
|
||||
import net.woggioni.rbcs.common.Xml
|
||||
import net.woggioni.rbcs.common.createLogger
|
||||
import net.woggioni.rbcs.common.debug
|
||||
import net.woggioni.rbcs.common.info
|
||||
import net.woggioni.rbcs.server.auth.AbstractNettyHttpAuthenticator
|
||||
import net.woggioni.rbcs.server.auth.Authorizer
|
||||
import net.woggioni.rbcs.server.auth.RoleAuthorizer
|
||||
@@ -80,6 +47,23 @@ import net.woggioni.rbcs.server.handler.ReadTriggerDuplexHandler
|
||||
import net.woggioni.rbcs.server.handler.ServerHandler
|
||||
import net.woggioni.rbcs.server.throttling.BucketManager
|
||||
import net.woggioni.rbcs.server.throttling.ThrottlingHandler
|
||||
import java.io.OutputStream
|
||||
import java.net.InetSocketAddress
|
||||
import java.nio.file.Files
|
||||
import java.nio.file.Path
|
||||
import java.security.PrivateKey
|
||||
import java.security.cert.X509Certificate
|
||||
import java.time.Duration
|
||||
import java.time.Instant
|
||||
import java.util.*
|
||||
import java.util.concurrent.CompletableFuture
|
||||
import java.util.concurrent.Future
|
||||
import java.util.concurrent.TimeUnit
|
||||
import java.util.concurrent.TimeoutException
|
||||
import java.util.regex.Matcher
|
||||
import java.util.regex.Pattern
|
||||
import javax.naming.ldap.LdapName
|
||||
import javax.net.ssl.SSLPeerUnverifiedException
|
||||
|
||||
class RemoteBuildCacheServer(private val cfg: Configuration) {
|
||||
|
||||
@@ -149,12 +133,68 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
|
||||
((user?.groups ?: emptySet()).asSequence() + sequenceOf(group).filterNotNull()).toSet()
|
||||
AuthenticationResult(user, allGroups)
|
||||
} ?: anonymousUserGroups?.let { AuthenticationResult(null, it) }
|
||||
} catch (es: SSLPeerUnverifiedException) {
|
||||
} catch (ex: SSLPeerUnverifiedException) {
|
||||
log.debug(ctx) {
|
||||
ex.message ?: "Error witch client certificate authentication"
|
||||
}
|
||||
anonymousUserGroups?.let { AuthenticationResult(null, it) }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Sharable
|
||||
private class ForwardedClientCertificateAuthenticator(
|
||||
authorizer: Authorizer,
|
||||
private val anonymousUserGroups: Set<Configuration.Group>?,
|
||||
private val subjectDnUserExtractor: SubjectDnExtractor?,
|
||||
private val subjectDnGroupExtractor: SubjectDnExtractor?,
|
||||
private val headerName: String,
|
||||
private val trustedProxyIPs: List<Cidr>,
|
||||
private val users: Map<String, Configuration.User>,
|
||||
private val groups: Map<String, Configuration.Group>,
|
||||
) : AbstractNettyHttpAuthenticator(authorizer) {
|
||||
|
||||
companion object {
|
||||
private val log = createLogger<ForwardedClientCertificateAuthenticator>()
|
||||
}
|
||||
|
||||
override fun authenticate(ctx: ChannelHandlerContext, req: HttpRequest): AuthenticationResult? {
|
||||
val clientIp = ctx.channel().attr(clientIp).get()
|
||||
if (clientIp == null || trustedProxyIPs.none { it.contains(clientIp.address) }) {
|
||||
log.debug(ctx) {
|
||||
"Rejecting forwarded client certificate authentication from untrusted address: $clientIp"
|
||||
}
|
||||
return null
|
||||
}
|
||||
val subjectDn = req.headers()[headerName]
|
||||
?: return anonymousUserGroups?.let { AuthenticationResult(null, it) }
|
||||
val ldapName = try {
|
||||
LdapName(subjectDn)
|
||||
} catch (e: Exception) {
|
||||
log.debug(ctx) {
|
||||
"Invalid subject DN in header $headerName: $subjectDn"
|
||||
}
|
||||
return anonymousUserGroups?.let { AuthenticationResult(null, it) }
|
||||
}
|
||||
val user = subjectDnUserExtractor?.extract(ldapName)?.let { userName ->
|
||||
users[userName] ?: throw RuntimeException("Failed to extract user '$userName'")
|
||||
}
|
||||
val group = subjectDnGroupExtractor?.extract(ldapName)?.let { groupName ->
|
||||
groups[groupName] ?: throw RuntimeException("Failed to extract group '$groupName'")
|
||||
}
|
||||
val allGroups = ((user?.groups ?: emptySet()).asSequence() + sequenceOf(group).filterNotNull()).toSet()
|
||||
return AuthenticationResult(user, allGroups)
|
||||
}
|
||||
}
|
||||
|
||||
private data class SubjectDnExtractor(val rdnType: String, val pattern: Pattern) {
|
||||
fun extract(ldapName: LdapName): String? {
|
||||
return ldapName.rdns.find { it.type == rdnType }
|
||||
?.let { pattern.matcher(it.value.toString()) }
|
||||
?.takeIf(Matcher::matches)?.group(1)
|
||||
}
|
||||
}
|
||||
|
||||
@Sharable
|
||||
private class NettyHttpBasicAuthenticator(
|
||||
private val users: Map<String, Configuration.User>, authorizer: Authorizer
|
||||
@@ -261,6 +301,23 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
|
||||
)
|
||||
}
|
||||
|
||||
is Configuration.ForwardedClientCertificateAuthentication -> {
|
||||
ForwardedClientCertificateAuthenticator(
|
||||
RoleAuthorizer(),
|
||||
cfg.users[""]?.groups,
|
||||
auth.userExtractor?.let { extractor ->
|
||||
SubjectDnExtractor(extractor.rdnType, Pattern.compile(extractor.pattern))
|
||||
},
|
||||
auth.groupExtractor?.let { extractor ->
|
||||
SubjectDnExtractor(extractor.rdnType, Pattern.compile(extractor.pattern))
|
||||
},
|
||||
auth.headerName,
|
||||
cfg.trustedProxyIPs,
|
||||
cfg.users,
|
||||
cfg.groups,
|
||||
)
|
||||
}
|
||||
|
||||
else -> null
|
||||
}
|
||||
|
||||
@@ -358,6 +415,10 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
|
||||
maxChunkSize = cfg.connection.chunkSize
|
||||
}
|
||||
pipeline.addLast(HttpServerCodec(httpDecoderConfig))
|
||||
loadService(TelemetryController::class.java)
|
||||
.firstOrNull()
|
||||
?.createHandler()
|
||||
?.let { pipeline.addLast(it) }
|
||||
pipeline.addLast(ReadTriggerDuplexHandler.NAME, ReadTriggerDuplexHandler())
|
||||
pipeline.addLast(MaxRequestSizeHandler.NAME, MaxRequestSizeHandler(cfg.connection.maxRequestSize))
|
||||
pipeline.addLast(HttpChunkContentCompressor(1024))
|
||||
|
||||
@@ -12,15 +12,18 @@ import io.netty.handler.codec.http.HttpRequest
|
||||
import io.netty.handler.codec.http.HttpResponseStatus
|
||||
import io.netty.handler.codec.http.HttpVersion
|
||||
import io.netty.util.ReferenceCountUtil
|
||||
import java.net.InetSocketAddress
|
||||
import net.woggioni.rbcs.api.Configuration
|
||||
import net.woggioni.rbcs.api.Configuration.Group
|
||||
import net.woggioni.rbcs.api.Role
|
||||
import net.woggioni.rbcs.common.createLogger
|
||||
import net.woggioni.rbcs.server.RemoteBuildCacheServer
|
||||
|
||||
|
||||
abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer) : ChannelInboundHandlerAdapter() {
|
||||
|
||||
companion object {
|
||||
private val log = createLogger<AbstractNettyHttpAuthenticator>()
|
||||
|
||||
private val AUTHENTICATION_FAILED: FullHttpResponse = DefaultFullHttpResponse(
|
||||
HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.EMPTY_BUFFER
|
||||
).apply {
|
||||
@@ -53,6 +56,16 @@ abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer
|
||||
result.groups.asSequence().flatMap { it.roles.asSequence() }
|
||||
).toSet()
|
||||
val authorized = authorizer.authorize(roles, msg)
|
||||
if(log.isDebugEnabled) {
|
||||
val authorizedMessage = if(authorized) { "Authorized" } else { "Forbidden" }
|
||||
val clientAddress = ctx.channel().attr<InetSocketAddress>(RemoteBuildCacheServer.clientIp).get()
|
||||
val roleString = "[" + roles.asSequence().map { "\"" + it + "\""}.joinToString(", ") + "]"
|
||||
result.user?.name?.takeUnless(String::isEmpty)?.let { username ->
|
||||
log.debug("$authorizedMessage ${msg.method()} request from user $username with address $clientAddress, granted roles $roleString")
|
||||
} ?: {
|
||||
log.debug("$authorizedMessage anonymous ${msg.method()} request with address $clientAddress, granted roles $roleString")
|
||||
}
|
||||
}
|
||||
if (authorized) {
|
||||
super.channelRead(ctx, msg)
|
||||
} else {
|
||||
|
||||
@@ -8,6 +8,7 @@ import net.woggioni.rbcs.api.Configuration.Authentication
|
||||
import net.woggioni.rbcs.api.Configuration.BasicAuthentication
|
||||
import net.woggioni.rbcs.api.Configuration.Cache
|
||||
import net.woggioni.rbcs.api.Configuration.ClientCertificateAuthentication
|
||||
import net.woggioni.rbcs.api.Configuration.ForwardedClientCertificateAuthentication
|
||||
import net.woggioni.rbcs.api.Configuration.Group
|
||||
import net.woggioni.rbcs.api.Configuration.KeyStore
|
||||
import net.woggioni.rbcs.api.Configuration.Tls
|
||||
@@ -77,6 +78,28 @@ object Parser {
|
||||
}
|
||||
authentication = ClientCertificateAuthentication(tlsExtractorUser, tlsExtractorGroup)
|
||||
}
|
||||
|
||||
"forwarded-client-certificate" -> {
|
||||
val headerName = gchild.renderAttribute("header-name") ?: "X-Client-Cert-Subject-DN"
|
||||
var tlsExtractorUser: TlsCertificateExtractor? = null
|
||||
var tlsExtractorGroup: TlsCertificateExtractor? = null
|
||||
for (ggchild in gchild.asIterable()) {
|
||||
when (ggchild.localName) {
|
||||
"group-extractor" -> {
|
||||
val attrName = ggchild.renderAttribute("attribute-name")
|
||||
val pattern = ggchild.renderAttribute("pattern")
|
||||
tlsExtractorGroup = TlsCertificateExtractor(attrName, pattern)
|
||||
}
|
||||
|
||||
"user-extractor" -> {
|
||||
val attrName = ggchild.renderAttribute("attribute-name")
|
||||
val pattern = ggchild.renderAttribute("pattern")
|
||||
tlsExtractorUser = TlsCertificateExtractor(attrName, pattern)
|
||||
}
|
||||
}
|
||||
}
|
||||
authentication = ForwardedClientCertificateAuthentication(headerName, tlsExtractorUser, tlsExtractorGroup)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -165,6 +165,23 @@ object Serializer {
|
||||
}
|
||||
}
|
||||
}
|
||||
is Configuration.ForwardedClientCertificateAuthentication -> {
|
||||
node("forwarded-client-certificate") {
|
||||
attr("header-name", authentication.headerName)
|
||||
authentication.groupExtractor?.let { extractor ->
|
||||
node("group-extractor") {
|
||||
attr("attribute-name", extractor.rdnType)
|
||||
attr("pattern", extractor.pattern)
|
||||
}
|
||||
}
|
||||
authentication.userExtractor?.let { extractor ->
|
||||
node("user-extractor") {
|
||||
attr("attribute-name", extractor.rdnType)
|
||||
attr("pattern", extractor.pattern)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -22,6 +22,7 @@ import net.woggioni.rbcs.api.exception.ContentTooLargeException
|
||||
import net.woggioni.rbcs.common.contextLogger
|
||||
import net.woggioni.rbcs.common.debug
|
||||
import net.woggioni.rbcs.common.log
|
||||
import net.woggioni.rbcs.server.RemoteBuildCacheServer
|
||||
import org.slf4j.event.Level
|
||||
import org.slf4j.spi.LoggingEventBuilder
|
||||
|
||||
@@ -59,27 +60,38 @@ object ExceptionHandler : ChannelDuplexHandler() {
|
||||
override fun exceptionCaught(ctx: ChannelHandlerContext, cause: Throwable) {
|
||||
when (cause) {
|
||||
is DecoderException -> {
|
||||
log.debug(cause.message, cause)
|
||||
if(log.isDebugEnabled) {
|
||||
log.debug(cause.message, cause)
|
||||
}
|
||||
ctx.close()
|
||||
}
|
||||
|
||||
is ConnectException -> {
|
||||
log.error(cause.message, cause)
|
||||
if(log.isErrorEnabled) {
|
||||
log.error(cause.message, cause)
|
||||
}
|
||||
ctx.writeAndFlush(SERVER_ERROR.retainedDuplicate())
|
||||
}
|
||||
|
||||
is SocketException -> {
|
||||
log.debug(cause.message, cause)
|
||||
if(log.isDebugEnabled) {
|
||||
log.debug(cause.message, cause)
|
||||
}
|
||||
ctx.close()
|
||||
}
|
||||
|
||||
is SSLPeerUnverifiedException -> {
|
||||
if(log.isDebugEnabled) {
|
||||
log.debug(cause.message, cause)
|
||||
}
|
||||
ctx.writeAndFlush(NOT_AUTHORIZED.retainedDuplicate())
|
||||
.addListener(ChannelFutureListener.CLOSE_ON_FAILURE)
|
||||
}
|
||||
|
||||
is SSLException -> {
|
||||
log.debug(cause.message, cause)
|
||||
if(log.isDebugEnabled) {
|
||||
log.debug(cause.message, cause)
|
||||
}
|
||||
ctx.close()
|
||||
}
|
||||
|
||||
@@ -108,13 +120,17 @@ object ExceptionHandler : ChannelDuplexHandler() {
|
||||
}
|
||||
|
||||
is CacheException -> {
|
||||
log.error(cause.message, cause)
|
||||
if(log.isErrorEnabled) {
|
||||
log.error(cause.message, cause)
|
||||
}
|
||||
ctx.writeAndFlush(NOT_AVAILABLE.retainedDuplicate())
|
||||
.addListener(ChannelFutureListener.CLOSE_ON_FAILURE)
|
||||
}
|
||||
|
||||
else -> {
|
||||
log.error(cause.message, cause)
|
||||
if(log.isErrorEnabled) {
|
||||
log.error(cause.message, cause)
|
||||
}
|
||||
ctx.writeAndFlush(SERVER_ERROR.retainedDuplicate())
|
||||
.addListener(ChannelFutureListener.CLOSE_ON_FAILURE)
|
||||
}
|
||||
|
||||
@@ -311,6 +311,45 @@
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
|
||||
<xs:complexType name="forwardedClientCertificateAuthorizationType">
|
||||
<xs:annotation>
|
||||
<xs:documentation>
|
||||
Authenticate clients based on a custom HTTP header containing the client TLS certificate
|
||||
subject DN, forwarded by a reverse proxy that performs TLS termination. The proxy must be
|
||||
listed in the trusted-proxies configuration for the header to be accepted.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:sequence>
|
||||
<xs:element name="group-extractor" type="rbcs:X500NameExtractorType" minOccurs="0">
|
||||
<xs:annotation>
|
||||
<xs:documentation>
|
||||
A regex based extractor that will be used to determine which group the client belongs to,
|
||||
based on the X.500 name of the subject DN forwarded by the reverse proxy.
|
||||
When this is set RBAC works even if the user isn't listed in the <users/> section as
|
||||
the client will be assigned role solely based on the group he is found to belong to.
|
||||
Note that this does not allow for a client to be part of multiple groups.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:element>
|
||||
<xs:element name="user-extractor" type="rbcs:X500NameExtractorType" minOccurs="0">
|
||||
<xs:annotation>
|
||||
<xs:documentation>
|
||||
A regex based extractor that will be used to assign a user to a connected client,
|
||||
based on the X.500 name of the subject DN forwarded by the reverse proxy.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:element>
|
||||
</xs:sequence>
|
||||
<xs:attribute name="header-name" type="xs:token">
|
||||
<xs:annotation>
|
||||
<xs:documentation>
|
||||
Name of the HTTP header containing the client certificate subject DN
|
||||
forwarded by the reverse proxy. Defaults to "X-Client-Cert-Subject-DN".
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:attribute>
|
||||
</xs:complexType>
|
||||
|
||||
<xs:complexType name="X500NameExtractorType">
|
||||
<xs:annotation>
|
||||
<xs:documentation>
|
||||
@@ -380,6 +419,15 @@
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:element>
|
||||
<xs:element name="forwarded-client-certificate" type="rbcs:forwardedClientCertificateAuthorizationType">
|
||||
<xs:annotation>
|
||||
<xs:documentation>
|
||||
Enable forwarded client certificate authentication. Authenticates clients based on
|
||||
a custom HTTP header containing the client certificate subject DN, forwarded by a
|
||||
reverse proxy that performs TLS termination. Requires trusted-proxies to be configured.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:element>
|
||||
<xs:element name="none">
|
||||
<xs:annotation>
|
||||
<xs:documentation>
|
||||
|
||||
@@ -140,11 +140,10 @@ abstract class AbstractTlsServerTest : AbstractServerTest() {
|
||||
cfg = Configuration(
|
||||
"127.0.0.1",
|
||||
getFreePort(),
|
||||
serverPath,
|
||||
false,
|
||||
emptyList(),
|
||||
|
||||
100,
|
||||
serverPath,
|
||||
Configuration.EventExecutor(false),
|
||||
Configuration.RateLimiter(true, 0x100000, 50),
|
||||
Configuration.Connection(
|
||||
|
||||
@@ -34,10 +34,10 @@ class NoAuthServerTest : AbstractServerTest() {
|
||||
cfg = Configuration(
|
||||
"127.0.0.1",
|
||||
getFreePort(),
|
||||
serverPath,
|
||||
false,
|
||||
emptyList(),
|
||||
100,
|
||||
serverPath,
|
||||
Configuration.EventExecutor(false),
|
||||
Configuration.RateLimiter(true, 0x100000, 50),
|
||||
Configuration.Connection(
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:rbcs="urn:net.woggioni.rbcs.server"
|
||||
xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs-server.xsd">
|
||||
xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs-server.xsd"
|
||||
path="/my/custom/path">
|
||||
<bind host="127.0.0.1" port="11443" incoming-connections-backlog-size="22" proxy-protocol="true">
|
||||
<trusted-proxies>
|
||||
<allow cidr="192.168.0.11/32"/>
|
||||
|
||||
@@ -33,4 +33,5 @@ include 'rbcs-cli'
|
||||
include 'rbcs-client'
|
||||
include 'rbcs-server'
|
||||
include 'rbcs-servlet'
|
||||
include 'rbcs-server-otel'
|
||||
include 'docker'
|
||||
|
||||
Reference in New Issue
Block a user