added GraalVM native image executable build

2025-02-25 15:30:58 +08:00
parent 23f2a351a6
commit ca18b63f27
25 changed files with 1420 additions and 292 deletions
--- a/rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/RemoteBuildCacheServer.kt
+++ b/rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/RemoteBuildCacheServer.kt
@@ -35,13 +35,13 @@ import io.netty.handler.timeout.IdleStateHandler
 import io.netty.util.AttributeKey
 import io.netty.util.concurrent.DefaultEventExecutorGroup
 import io.netty.util.concurrent.EventExecutorGroup
-import net.woggioni.jwo.JWO
-import net.woggioni.jwo.Tuple2
 import net.woggioni.rbcs.api.AsyncCloseable
 import net.woggioni.rbcs.api.Configuration
 import net.woggioni.rbcs.api.exception.ConfigurationException
 import net.woggioni.rbcs.common.PasswordSecurity.decodePasswordHash
 import net.woggioni.rbcs.common.PasswordSecurity.hashPassword
+import net.woggioni.rbcs.common.RBCS.getTrustManager
+import net.woggioni.rbcs.common.RBCS.loadKeystore
 import net.woggioni.rbcs.common.RBCS.toUrl
 import net.woggioni.rbcs.common.Xml
 import net.woggioni.rbcs.common.createLogger
@@ -49,7 +49,6 @@ import net.woggioni.rbcs.common.debug
 import net.woggioni.rbcs.common.info
 import net.woggioni.rbcs.server.auth.AbstractNettyHttpAuthenticator
 import net.woggioni.rbcs.server.auth.Authorizer
-import net.woggioni.rbcs.server.auth.ClientCertificateValidator
 import net.woggioni.rbcs.server.auth.RoleAuthorizer
 import net.woggioni.rbcs.server.configuration.Parser
 import net.woggioni.rbcs.server.configuration.Serializer
@@ -63,7 +62,6 @@ import java.io.OutputStream
 import java.net.InetSocketAddress
 import java.nio.file.Files
 import java.nio.file.Path
-import java.security.KeyStore
 import java.security.PrivateKey
 import java.security.cert.X509Certificate
 import java.time.Duration
@@ -230,7 +228,7 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
                        val clientAuth = tls.trustStore?.let { trustStore ->
                            val ts = loadKeystore(trustStore.file, trustStore.password)
                            trustManager(
-                                ClientCertificateValidator.getTrustManager(ts, trustStore.isCheckCertificateStatus)
+                                getTrustManager(ts, trustStore.isCheckCertificateStatus)
                            )
                            if (trustStore.isRequireClientCertificate) ClientAuth.REQUIRE
                            else ClientAuth.OPTIONAL
@@ -240,27 +238,6 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
                }
            }

-            fun loadKeystore(file: Path, password: String?): KeyStore {
-                val ext = JWO.splitExtension(file)
-                    .map(Tuple2<String, String>::get_2)
-                    .orElseThrow {
-                        IllegalArgumentException(
-                            "Keystore file '${file}' must have .jks, .p12, .pfx extension"
-                        )
-                    }
-                val keystore = when (ext.substring(1).lowercase()) {
-                    "jks" -> KeyStore.getInstance("JKS")
-                    "p12", "pfx" -> KeyStore.getInstance("PKCS12")
-                    else -> throw IllegalArgumentException(
-                        "Keystore file '${file}' must have .jks, .p12, .pfx extension"
-                    )
-                }
-                Files.newInputStream(file).use {
-                    keystore.load(it, password?.let(String::toCharArray))
-                }
-                return keystore
-            }
-
            private val log = createLogger<ServerInitializer>()
        }

--- a/rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/auth/ClientCertificateValidator.kt
+++ b/rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/auth/ClientCertificateValidator.kt
@@ -1,90 +0,0 @@
-package net.woggioni.rbcs.server.auth
-
-import io.netty.channel.ChannelHandlerContext
-import io.netty.channel.ChannelInboundHandlerAdapter
-import io.netty.handler.ssl.SslHandler
-import io.netty.handler.ssl.SslHandshakeCompletionEvent
-import java.security.KeyStore
-import java.security.cert.CertPathValidator
-import java.security.cert.CertPathValidatorException
-import java.security.cert.CertificateException
-import java.security.cert.CertificateFactory
-import java.security.cert.PKIXParameters
-import java.security.cert.PKIXRevocationChecker
-import java.security.cert.X509Certificate
-import java.util.EnumSet
-import javax.net.ssl.SSLSession
-import javax.net.ssl.TrustManagerFactory
-import javax.net.ssl.X509TrustManager
-
-
-class ClientCertificateValidator private constructor(
-    private val sslHandler: SslHandler,
-    private val x509TrustManager: X509TrustManager
-) : ChannelInboundHandlerAdapter() {
-    override fun userEventTriggered(ctx: ChannelHandlerContext, evt: Any) {
-        if (evt is SslHandshakeCompletionEvent) {
-            if (evt.isSuccess) {
-                val session: SSLSession = sslHandler.engine().session
-                val clientCertificateChain = session.peerCertificates as Array<X509Certificate>
-                val authType: String = clientCertificateChain[0].publicKey.algorithm
-                x509TrustManager.checkClientTrusted(clientCertificateChain, authType)
-            } else {
-                // Handle the failure, for example by closing the channel.
-            }
-        }
-        super.userEventTriggered(ctx, evt)
-    }
-
-    companion object {
-        fun getTrustManager(trustStore: KeyStore?, certificateRevocationEnabled: Boolean): X509TrustManager {
-            return if (trustStore != null) {
-                val certificateFactory = CertificateFactory.getInstance("X.509")
-                val validator = CertPathValidator.getInstance("PKIX").apply {
-                    val rc = revocationChecker as PKIXRevocationChecker
-                    rc.options = EnumSet.of(
-                        PKIXRevocationChecker.Option.NO_FALLBACK
-                    )
-                }
-                val params = PKIXParameters(trustStore).apply {
-                    isRevocationEnabled = certificateRevocationEnabled
-                }
-                object : X509TrustManager {
-                    override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String) {
-                        val clientCertificateChain = certificateFactory.generateCertPath(chain.toList())
-                        try {
-                            validator.validate(clientCertificateChain, params)
-                        } catch (ex: CertPathValidatorException) {
-                            throw CertificateException(ex)
-                        }
-                    }
-
-                    override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String) {
-                        throw NotImplementedError()
-                    }
-
-                    private val acceptedIssuers = trustStore.aliases().asSequence()
-                        .filter(trustStore::isCertificateEntry)
-                        .map(trustStore::getCertificate)
-                        .map { it as X509Certificate }
-                        .toList()
-                        .toTypedArray()
-
-                    override fun getAcceptedIssuers() = acceptedIssuers
-                }
-            } else {
-                val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
-                trustManagerFactory.trustManagers.asSequence().filter { it is X509TrustManager }
-                    .single() as X509TrustManager
-            }
-        }
-
-        fun of(
-            sslHandler: SslHandler,
-            trustStore: KeyStore?,
-            certificateRevocationEnabled: Boolean
-        ): ClientCertificateValidator {
-            return ClientCertificateValidator(sslHandler, getTrustManager(trustStore, certificateRevocationEnabled))
-        }
-    }
-}