From 9069730a04d96a4f52be24331089a4f5f038ec8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=A8=E7=BF=8A=20SionYang?=
Date: Tue, 11 Jul 2023 19:10:00 +0800
Subject: [PATCH] Refactor grpc tls (#10759)
* Move Tls negotiator to GrpcSdkServer.
* use protocol negotiator builder replace directly create.
* use SPI load negotiator and set tls as default negotiator.
* Remove tlsconfig in BaseRpcServer.
* Add some ut.
* For checkstyle.
---
.../core/ServiceInfoUpdateServiceTest.java | 2 +-
.../nacos/core/remote/BaseRpcServer.java | 30 ++--
.../core/remote/grpc/BaseGrpcServer.java | 135 +++++-------------
.../core/remote/grpc/GrpcClusterServer.java | 16 +--
.../nacos/core/remote/grpc/GrpcSdkServer.java | 32 ++++-
.../NacosGrpcProtocolNegotiator.java | 32 +++++
.../negotiator/ProtocolNegotiatorBuilder.java | 39 +++++
.../ProtocolNegotiatorBuilderSingleton.java | 82 +++++++++++
.../tls/DefaultTlsContextBuilder.java | 101 +++++++++++++
.../DefaultTlsProtocolNegotiatorBuilder.java | 47 ++++++
.../tls}/OptionalTlsProtocolNegotiator.java | 19 ++-
.../RpcServerSslContextRefresher.java | 20 +--
.../RpcServerSslContextRefresherHolder.java | 15 +-
.../remote/{ => tls}/RpcServerTlsConfig.java | 39 +++--
.../{ => tls}/SslContextChangeAware.java | 6 +-
....grpc.negotiator.ProtocolNegotiatorBuilder | 17 +++
.../core/remote/grpc/GrpcServerTest.java | 111 ++------------
.../tls/DefaultTlsContextBuilderTest.java | 104 ++++++++++++++
...faultTlsProtocolNegotiatorBuilderTest.java | 55 +++++++
...ConfigServiceComTlsGrpcClient_CITCase.java | 2 +-
...nfigServiceNoComTlsGrpcClient_CITCase.java | 2 +-
.../NacosConfigV2MutualAuth_CITCase.java | 2 +-
...ationV1ServerNonCompatibility_CITCase.java | 2 +-
...ConfigIntegrationV2MutualAuth_CITCase.java | 2 +-
.../client/ConfigIntegrationV3_CITCase.java | 2 +-
.../NamingCompatibilityServiceTls_ITCase.java | 2 +-
.../NamingTlsServiceAndMutualAuth_ITCase.java | 2 +-
.../naming/NamingTlsServiceTls_ITCase.java | 2 +-
28 files changed, 648 insertions(+), 272 deletions(-)
create mode 100644 core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/NacosGrpcProtocolNegotiator.java
create mode 100644 core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilder.java
create mode 100644 core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilderSingleton.java
create mode 100644 core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilder.java
create mode 100644 core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilder.java
rename core/src/main/java/com/alibaba/nacos/core/remote/grpc/{ => negotiator/tls}/OptionalTlsProtocolNegotiator.java (85%)
rename core/src/main/java/com/alibaba/nacos/core/remote/{ => tls}/RpcServerSslContextRefresher.java (88%)
rename core/src/main/java/com/alibaba/nacos/core/remote/{ => tls}/RpcServerSslContextRefresherHolder.java (83%)
rename core/src/main/java/com/alibaba/nacos/core/remote/{ => tls}/RpcServerTlsConfig.java (51%)
rename core/src/main/java/com/alibaba/nacos/core/remote/{ => tls}/SslContextChangeAware.java (88%)
create mode 100644 core/src/main/resources/META-INF/services/com.alibaba.nacos.core.remote.grpc.negotiator.ProtocolNegotiatorBuilder
create mode 100644 core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilderTest.java
create mode 100644 core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilderTest.java
diff --git a/client/src/test/java/com/alibaba/nacos/client/naming/core/ServiceInfoUpdateServiceTest.java b/client/src/test/java/com/alibaba/nacos/client/naming/core/ServiceInfoUpdateServiceTest.java
index 404722f79c7..b5e911db1db 100644
--- a/client/src/test/java/com/alibaba/nacos/client/naming/core/ServiceInfoUpdateServiceTest.java
+++ b/client/src/test/java/com/alibaba/nacos/client/naming/core/ServiceInfoUpdateServiceTest.java
@@ -54,7 +54,7 @@ public void testScheduleUpdateIfAbsent() throws InterruptedException, NacosExcep
notifyer);
serviceInfoUpdateService.scheduleUpdateIfAbsent("aa", "bb", "cc");
- TimeUnit.SECONDS.sleep(2);
+ TimeUnit.MILLISECONDS.sleep(1500);
Mockito.verify(proxy).queryInstancesOfService(serviceName, group, clusters, 0, false);
}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/BaseRpcServer.java b/core/src/main/java/com/alibaba/nacos/core/remote/BaseRpcServer.java
index a60ee1b4e30..3b5fe849a8f 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/BaseRpcServer.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/BaseRpcServer.java
@@ -18,10 +18,9 @@
import com.alibaba.nacos.common.remote.ConnectionType;
import com.alibaba.nacos.common.remote.PayloadRegistry;
-import com.alibaba.nacos.common.utils.JacksonUtils;
+import com.alibaba.nacos.core.remote.tls.RpcServerSslContextRefresherHolder;
import com.alibaba.nacos.core.utils.Loggers;
import com.alibaba.nacos.sys.env.EnvUtil;
-import org.springframework.beans.factory.annotation.Autowired;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
@@ -38,18 +37,13 @@ public abstract class BaseRpcServer {
PayloadRegistry.init();
}
- @Autowired
- protected RpcServerTlsConfig rpcServerTlsConfig;
-
/**
* Start sever.
*/
@PostConstruct
public void start() throws Exception {
String serverName = getClass().getSimpleName();
- String tlsConfig = JacksonUtils.toJson(rpcServerTlsConfig);
- Loggers.REMOTE.info("Nacos {} Rpc server starting at port {} and tls config:{}", serverName, getServicePort(),
- tlsConfig);
+ Loggers.REMOTE.info("Nacos {} Rpc server starting at port {}", serverName, getServicePort());
startServer();
@@ -57,8 +51,7 @@ public void start() throws Exception {
RpcServerSslContextRefresherHolder.getInstance().refresh(this);
}
- Loggers.REMOTE.info("Nacos {} Rpc server started at port {} and tls config:{}", serverName, getServicePort(),
- tlsConfig);
+ Loggers.REMOTE.info("Nacos {} Rpc server started at port {}", serverName, getServicePort());
Runtime.getRuntime().addShutdownHook(new Thread(() -> {
Loggers.REMOTE.info("Nacos {} Rpc server stopping", serverName);
try {
@@ -78,18 +71,15 @@ public void start() throws Exception {
*/
public abstract ConnectionType getConnectionType();
- public RpcServerTlsConfig getRpcServerTlsConfig() {
- return rpcServerTlsConfig;
- }
-
- public void setRpcServerTlsConfig(RpcServerTlsConfig rpcServerTlsConfig) {
- this.rpcServerTlsConfig = rpcServerTlsConfig;
- }
-
/**
- * reload ssl context.
+ * Reload protocol context if necessary.
+ *
+ *
+ * protocol like:
+ *
Tls
+ *
*/
- public abstract void reloadSslContext();
+ public abstract void reloadProtocolContext();
/**
* Start sever.
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/BaseGrpcServer.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/BaseGrpcServer.java
index 983fe041524..da193160957 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/BaseGrpcServer.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/BaseGrpcServer.java
@@ -17,14 +17,7 @@
package com.alibaba.nacos.core.remote.grpc;
import com.alibaba.nacos.api.grpc.auto.Payload;
-import com.alibaba.nacos.common.packagescan.resource.DefaultResourceLoader;
-import com.alibaba.nacos.common.packagescan.resource.Resource;
-import com.alibaba.nacos.common.packagescan.resource.ResourceLoader;
import com.alibaba.nacos.common.remote.ConnectionType;
-
-import com.alibaba.nacos.common.utils.JacksonUtils;
-import com.alibaba.nacos.common.utils.StringUtils;
-import com.alibaba.nacos.common.utils.TlsTypeResolve;
import com.alibaba.nacos.core.remote.BaseRpcServer;
import com.alibaba.nacos.core.remote.ConnectionManager;
import com.alibaba.nacos.core.utils.Loggers;
@@ -37,22 +30,14 @@
import io.grpc.ServerInterceptor;
import io.grpc.ServerInterceptors;
import io.grpc.ServerServiceDefinition;
-import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
+import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiator;
import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
-import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
-import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
-
-import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
-import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.grpc.protobuf.ProtoUtils;
import io.grpc.stub.ServerCalls;
import io.grpc.util.MutableHandlerRegistry;
import org.springframework.beans.factory.annotation.Autowired;
-import javax.net.ssl.SSLException;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Arrays;
+import java.util.Optional;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
@@ -66,8 +51,6 @@ public abstract class BaseGrpcServer extends BaseRpcServer {
private Server server;
- private final ResourceLoader resourceLoader = new DefaultResourceLoader();
-
@Autowired
private GrpcRequestAcceptor grpcCommonRequestAcceptor;
@@ -77,8 +60,6 @@ public abstract class BaseGrpcServer extends BaseRpcServer {
@Autowired
private ConnectionManager connectionManager;
- private OptionalTlsProtocolNegotiator optionalTlsProtocolNegotiator;
-
@Override
public ConnectionType getConnectionType() {
return ConnectionType.GRPC;
@@ -90,10 +71,11 @@ public void startServer() throws Exception {
addServices(handlerRegistry, new GrpcConnectionInterceptor(), new GrpcServerParamCheckInterceptor());
NettyServerBuilder builder = NettyServerBuilder.forPort(getServicePort()).executor(getRpcExecutor());
- if (rpcServerTlsConfig.getEnableTls()) {
- builder.protocolNegotiator(
- new OptionalTlsProtocolNegotiator(getSslContextBuilder(), rpcServerTlsConfig.getCompatibility()));
-
+ Optional negotiator = newProtocolNegotiator();
+ if (negotiator.isPresent()) {
+ InternalProtocolNegotiator.ProtocolNegotiator actual = negotiator.get();
+ Loggers.REMOTE.info("Add protocol negotiator {}", actual.getClass().getCanonicalName());
+ builder.protocolNegotiator(actual);
}
server = builder.maxInboundMessageSize(getMaxInboundMessageSize()).fallbackHandlerRegistry(handlerRegistry)
@@ -107,20 +89,26 @@ public void startServer() throws Exception {
server.start();
}
+ @Override
+ public void reloadProtocolContext() {
+ reloadProtocolNegotiator();
+ }
+
/**
- * reload ssl context.
+ * Build new one protocol negotiator.
+ *
+ * Such as support tls, proxy protocol and so on
+ *
+ * @return ProtocolNegotiator
*/
- public void reloadSslContext() {
- if (optionalTlsProtocolNegotiator != null) {
- try {
- optionalTlsProtocolNegotiator.setSslContext(getSslContextBuilder());
- } catch (Throwable throwable) {
- Loggers.REMOTE.info("Nacos {} Rpc server reload ssl context fail at port {} and tls config:{}",
- this.getClass().getSimpleName(), getServicePort(),
- JacksonUtils.toJson(super.rpcServerTlsConfig));
- throw throwable;
- }
- }
+ protected Optional newProtocolNegotiator() {
+ return Optional.empty();
+ }
+
+ /**
+ * reload protocol negotiator If necessary.
+ */
+ public void reloadProtocolNegotiator() {
}
protected long getPermitKeepAliveTime() {
@@ -136,8 +124,8 @@ protected long getKeepAliveTimeout() {
}
protected int getMaxInboundMessageSize() {
- Integer property = EnvUtil.getProperty(GrpcServerConstants.GrpcConfig.MAX_INBOUND_MSG_SIZE_PROPERTY,
- Integer.class);
+ Integer property = EnvUtil
+ .getProperty(GrpcServerConstants.GrpcConfig.MAX_INBOUND_MSG_SIZE_PROPERTY, Integer.class);
if (property != null) {
return property;
}
@@ -148,8 +136,8 @@ private void addServices(MutableHandlerRegistry handlerRegistry, ServerIntercept
// unary common call register.
final MethodDescriptor unaryPayloadMethod = MethodDescriptor.newBuilder()
- .setType(MethodDescriptor.MethodType.UNARY).setFullMethodName(
- MethodDescriptor.generateFullMethodName(GrpcServerConstants.REQUEST_SERVICE_NAME,
+ .setType(MethodDescriptor.MethodType.UNARY).setFullMethodName(MethodDescriptor
+ .generateFullMethodName(GrpcServerConstants.REQUEST_SERVICE_NAME,
GrpcServerConstants.REQUEST_METHOD_NAME))
.setRequestMarshaller(ProtoUtils.marshaller(Payload.getDefaultInstance()))
.setResponseMarshaller(ProtoUtils.marshaller(Payload.getDefaultInstance())).build();
@@ -157,8 +145,9 @@ private void addServices(MutableHandlerRegistry handlerRegistry, ServerIntercept
final ServerCallHandler payloadHandler = ServerCalls.asyncUnaryCall(
(request, responseObserver) -> grpcCommonRequestAcceptor.request(request, responseObserver));
- final ServerServiceDefinition serviceDefOfUnaryPayload = ServerServiceDefinition.builder(
- GrpcServerConstants.REQUEST_SERVICE_NAME).addMethod(unaryPayloadMethod, payloadHandler).build();
+ final ServerServiceDefinition serviceDefOfUnaryPayload = ServerServiceDefinition
+ .builder(GrpcServerConstants.REQUEST_SERVICE_NAME).addMethod(unaryPayloadMethod, payloadHandler)
+ .build();
handlerRegistry.addService(ServerInterceptors.intercept(serviceDefOfUnaryPayload, serverInterceptor));
// bi stream register.
@@ -166,14 +155,15 @@ private void addServices(MutableHandlerRegistry handlerRegistry, ServerIntercept
(responseObserver) -> grpcBiStreamRequestAcceptor.requestBiStream(responseObserver));
final MethodDescriptor biStreamMethod = MethodDescriptor.newBuilder()
- .setType(MethodDescriptor.MethodType.BIDI_STREAMING).setFullMethodName(
- MethodDescriptor.generateFullMethodName(GrpcServerConstants.REQUEST_BI_STREAM_SERVICE_NAME,
+ .setType(MethodDescriptor.MethodType.BIDI_STREAMING).setFullMethodName(MethodDescriptor
+ .generateFullMethodName(GrpcServerConstants.REQUEST_BI_STREAM_SERVICE_NAME,
GrpcServerConstants.REQUEST_BI_STREAM_METHOD_NAME))
.setRequestMarshaller(ProtoUtils.marshaller(Payload.newBuilder().build()))
.setResponseMarshaller(ProtoUtils.marshaller(Payload.getDefaultInstance())).build();
- final ServerServiceDefinition serviceDefOfBiStream = ServerServiceDefinition.builder(
- GrpcServerConstants.REQUEST_BI_STREAM_SERVICE_NAME).addMethod(biStreamMethod, biStreamHandler).build();
+ final ServerServiceDefinition serviceDefOfBiStream = ServerServiceDefinition
+ .builder(GrpcServerConstants.REQUEST_BI_STREAM_SERVICE_NAME).addMethod(biStreamMethod, biStreamHandler)
+ .build();
handlerRegistry.addService(ServerInterceptors.intercept(serviceDefOfBiStream, serverInterceptor));
}
@@ -185,57 +175,6 @@ public void shutdownServer() {
}
}
- private SslContext getSslContextBuilder() {
- try {
- if (StringUtils.isBlank(rpcServerTlsConfig.getCertChainFile()) || StringUtils.isBlank(
- rpcServerTlsConfig.getCertPrivateKey())) {
- throw new IllegalArgumentException("Server certChainFile or certPrivateKey must be not null");
- }
- InputStream certificateChainFile = getInputStream(rpcServerTlsConfig.getCertChainFile(), "certChainFile");
- InputStream privateKeyFile = getInputStream(rpcServerTlsConfig.getCertPrivateKey(), "certPrivateKey");
- SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(certificateChainFile,
- privateKeyFile, rpcServerTlsConfig.getCertPrivateKeyPassword());
-
- if (StringUtils.isNotBlank(rpcServerTlsConfig.getProtocols())) {
- sslClientContextBuilder.protocols(rpcServerTlsConfig.getProtocols().split(","));
- }
-
- if (StringUtils.isNotBlank(rpcServerTlsConfig.getCiphers())) {
- sslClientContextBuilder.ciphers(Arrays.asList(rpcServerTlsConfig.getCiphers().split(",")));
- }
- if (rpcServerTlsConfig.getMutualAuthEnable()) {
- // trust all certificate
- if (rpcServerTlsConfig.getTrustAll()) {
- sslClientContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
- } else {
- if (StringUtils.isBlank(rpcServerTlsConfig.getTrustCollectionCertFile())) {
- throw new IllegalArgumentException(
- "enable mutual auth,trustCollectionCertFile must be not null");
- }
-
- InputStream clientCert = getInputStream(rpcServerTlsConfig.getTrustCollectionCertFile(),
- "trustCollectionCertFile");
- sslClientContextBuilder.trustManager(clientCert);
- }
- sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
- }
- SslContextBuilder configure = GrpcSslContexts.configure(sslClientContextBuilder,
- TlsTypeResolve.getSslProvider(rpcServerTlsConfig.getSslProvider()));
- return configure.build();
- } catch (SSLException e) {
- throw new RuntimeException(e);
- }
- }
-
- private InputStream getInputStream(String path, String config) {
- try {
- Resource resource = resourceLoader.getResource(path);
- return resource.getInputStream();
- } catch (IOException e) {
- throw new RuntimeException(config + " load fail", e);
- }
- }
-
/**
* get rpc executor.
*
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcClusterServer.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcClusterServer.java
index ed8fa6fd9e1..9b070cb861d 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcClusterServer.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcClusterServer.java
@@ -48,8 +48,8 @@ public ThreadPoolExecutor getRpcExecutor() {
@Override
protected long getKeepAliveTime() {
- Long property = EnvUtil.getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_KEEP_ALIVE_TIME_PROPERTY,
- Long.class);
+ Long property = EnvUtil
+ .getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_KEEP_ALIVE_TIME_PROPERTY, Long.class);
if (property != null) {
return property;
}
@@ -58,8 +58,8 @@ protected long getKeepAliveTime() {
@Override
protected long getKeepAliveTimeout() {
- Long property = EnvUtil.getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_KEEP_ALIVE_TIMEOUT_PROPERTY,
- Long.class);
+ Long property = EnvUtil
+ .getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_KEEP_ALIVE_TIMEOUT_PROPERTY, Long.class);
if (property != null) {
return property;
}
@@ -68,8 +68,7 @@ protected long getKeepAliveTimeout() {
@Override
protected long getPermitKeepAliveTime() {
- Long property = EnvUtil.getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_PERMIT_KEEP_ALIVE_TIME,
- Long.class);
+ Long property = EnvUtil.getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_PERMIT_KEEP_ALIVE_TIME, Long.class);
if (property != null) {
return property;
}
@@ -78,8 +77,8 @@ protected long getPermitKeepAliveTime() {
@Override
protected int getMaxInboundMessageSize() {
- Integer property = EnvUtil.getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_MAX_INBOUND_MSG_SIZE_PROPERTY,
- Integer.class);
+ Integer property = EnvUtil
+ .getProperty(GrpcServerConstants.GrpcConfig.CLUSTER_MAX_INBOUND_MSG_SIZE_PROPERTY, Integer.class);
if (property != null) {
return property;
}
@@ -92,5 +91,4 @@ protected int getMaxInboundMessageSize() {
}
return size;
}
-
}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcSdkServer.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcSdkServer.java
index c4f05c8d904..47674b6b8ce 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcSdkServer.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/GrpcSdkServer.java
@@ -17,11 +17,15 @@
package com.alibaba.nacos.core.remote.grpc;
import com.alibaba.nacos.api.common.Constants;
+import com.alibaba.nacos.core.remote.grpc.negotiator.NacosGrpcProtocolNegotiator;
+import com.alibaba.nacos.core.remote.grpc.negotiator.ProtocolNegotiatorBuilderSingleton;
import com.alibaba.nacos.core.utils.GlobalExecutor;
import com.alibaba.nacos.core.utils.Loggers;
import com.alibaba.nacos.sys.env.EnvUtil;
+import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiator;
import org.springframework.stereotype.Service;
+import java.util.Optional;
import java.util.concurrent.ThreadPoolExecutor;
/**
@@ -33,6 +37,8 @@
@Service
public class GrpcSdkServer extends BaseGrpcServer {
+ private NacosGrpcProtocolNegotiator protocolNegotiator;
+
@Override
public int rpcPortOffset() {
return Constants.SDK_GRPC_PORT_DEFAULT_OFFSET;
@@ -64,8 +70,8 @@ protected long getKeepAliveTimeout() {
@Override
protected int getMaxInboundMessageSize() {
- Integer property = EnvUtil.getProperty(GrpcServerConstants.GrpcConfig.SDK_MAX_INBOUND_MSG_SIZE_PROPERTY,
- Integer.class);
+ Integer property = EnvUtil
+ .getProperty(GrpcServerConstants.GrpcConfig.SDK_MAX_INBOUND_MSG_SIZE_PROPERTY, Integer.class);
if (property != null) {
return property;
}
@@ -89,4 +95,26 @@ protected long getPermitKeepAliveTime() {
}
return super.getPermitKeepAliveTime();
}
+
+ @Override
+ protected Optional newProtocolNegotiator() {
+ protocolNegotiator = ProtocolNegotiatorBuilderSingleton.getSingleton().build();
+ return Optional.ofNullable(protocolNegotiator);
+ }
+
+ /**
+ * reload ssl context.
+ */
+ public void reloadProtocolNegotiator() {
+ if (protocolNegotiator != null) {
+ try {
+ protocolNegotiator.reloadNegotiator();
+ } catch (Throwable throwable) {
+ Loggers.REMOTE
+ .info("Nacos {} Rpc server reload negotiator fail at port {}.", this.getClass().getSimpleName(),
+ getServicePort());
+ throw throwable;
+ }
+ }
+ }
}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/NacosGrpcProtocolNegotiator.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/NacosGrpcProtocolNegotiator.java
new file mode 100644
index 00000000000..ed7bca722e6
--- /dev/null
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/NacosGrpcProtocolNegotiator.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.remote.grpc.negotiator;
+
+import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiator;
+
+/**
+ * Nacos Grpc protocol negotiator.
+ *
+ * @author xiweng.yy
+ */
+public interface NacosGrpcProtocolNegotiator extends InternalProtocolNegotiator.ProtocolNegotiator {
+
+ /**
+ * Reload this negotiator, such as config, tls context and so on if necessary.
+ */
+ void reloadNegotiator();
+}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilder.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilder.java
new file mode 100644
index 00000000000..1225e60b882
--- /dev/null
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilder.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.remote.grpc.negotiator;
+
+/**
+ * Protocol negotiator builder.
+ *
+ * @author xiweng.yy
+ */
+public interface ProtocolNegotiatorBuilder {
+
+ /**
+ * Build new ProtocolNegotiator.
+ *
+ * @return ProtocolNegotiator, Nullable.
+ */
+ NacosGrpcProtocolNegotiator build();
+
+ /**
+ * Builder type of ProtocolNegotiator.
+ *
+ * @return type
+ */
+ String type();
+}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilderSingleton.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilderSingleton.java
new file mode 100644
index 00000000000..9d30d3676ca
--- /dev/null
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/ProtocolNegotiatorBuilderSingleton.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.remote.grpc.negotiator;
+
+import com.alibaba.nacos.common.spi.NacosServiceLoader;
+import com.alibaba.nacos.core.remote.grpc.negotiator.tls.DefaultTlsProtocolNegotiatorBuilder;
+import com.alibaba.nacos.core.utils.Loggers;
+import com.alibaba.nacos.sys.env.EnvUtil;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import static com.alibaba.nacos.core.remote.grpc.negotiator.tls.DefaultTlsProtocolNegotiatorBuilder.TYPE_DEFAULT_TLS;
+
+/**
+ * Protocol Negotiator Builder Singleton.
+ *
+ * @author xiweng.yy
+ */
+public class ProtocolNegotiatorBuilderSingleton implements ProtocolNegotiatorBuilder {
+
+ private static final String TYPE_PROPERTY_KEY = "nacos.remote.server.rpc.protocol.negotiator.type";
+
+ private static final ProtocolNegotiatorBuilderSingleton SINGLETON = new ProtocolNegotiatorBuilderSingleton();
+
+ private final Map builderMap;
+
+ private String actualType;
+
+ private ProtocolNegotiatorBuilderSingleton() {
+ actualType = EnvUtil.getProperty(TYPE_PROPERTY_KEY, TYPE_DEFAULT_TLS);
+ builderMap = new ConcurrentHashMap<>();
+ loadAllBuilders();
+ }
+
+ private void loadAllBuilders() {
+ try {
+ for (ProtocolNegotiatorBuilder each : NacosServiceLoader.load(ProtocolNegotiatorBuilder.class)) {
+ builderMap.put(each.type(), each);
+ Loggers.REMOTE.info("Load ProtocolNegotiatorBuilder {} for type {}", each.getClass().getCanonicalName(),
+ each.type());
+ }
+ } catch (Exception e) {
+ Loggers.REMOTE.warn("Load ProtocolNegotiatorBuilder failed, use default ProtocolNegotiatorBuilder", e);
+ builderMap.put(TYPE_DEFAULT_TLS, new DefaultTlsProtocolNegotiatorBuilder());
+ actualType = TYPE_DEFAULT_TLS;
+ }
+ }
+
+ public static ProtocolNegotiatorBuilderSingleton getSingleton() {
+ return SINGLETON;
+ }
+
+ @Override
+ public NacosGrpcProtocolNegotiator build() {
+ ProtocolNegotiatorBuilder actualBuilder = builderMap.get(actualType);
+ if (null == actualBuilder) {
+ Loggers.REMOTE.warn("Not found ProtocolNegotiatorBuilder for type {}, will use default", actualType);
+ return builderMap.get(TYPE_DEFAULT_TLS).build();
+ }
+ return actualBuilder.build();
+ }
+
+ @Override
+ public String type() {
+ return actualType;
+ }
+}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilder.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilder.java
new file mode 100644
index 00000000000..19093ff3b27
--- /dev/null
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilder.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.remote.grpc.negotiator.tls;
+
+import com.alibaba.nacos.api.exception.NacosException;
+import com.alibaba.nacos.api.exception.runtime.NacosRuntimeException;
+import com.alibaba.nacos.common.packagescan.resource.DefaultResourceLoader;
+import com.alibaba.nacos.common.packagescan.resource.Resource;
+import com.alibaba.nacos.common.packagescan.resource.ResourceLoader;
+import com.alibaba.nacos.common.utils.JacksonUtils;
+import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.common.utils.TlsTypeResolve;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
+import com.alibaba.nacos.core.utils.Loggers;
+import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
+import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
+import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
+import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+
+import javax.net.ssl.SSLException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Arrays;
+
+/**
+ * Ssl context builder.
+ *
+ * @author xiweng.yy
+ */
+public class DefaultTlsContextBuilder {
+
+ private static final ResourceLoader RESOURCE_LOADER = new DefaultResourceLoader();
+
+ static SslContext getSslContext(RpcServerTlsConfig rpcServerTlsConfig) {
+ try {
+ if (StringUtils.isBlank(rpcServerTlsConfig.getCertChainFile()) || StringUtils
+ .isBlank(rpcServerTlsConfig.getCertPrivateKey())) {
+ throw new IllegalArgumentException("Server certChainFile or certPrivateKey must be not null");
+ }
+ InputStream certificateChainFile = getInputStream(rpcServerTlsConfig.getCertChainFile(), "certChainFile");
+ InputStream privateKeyFile = getInputStream(rpcServerTlsConfig.getCertPrivateKey(), "certPrivateKey");
+ SslContextBuilder sslClientContextBuilder = SslContextBuilder
+ .forServer(certificateChainFile, privateKeyFile, rpcServerTlsConfig.getCertPrivateKeyPassword());
+
+ if (StringUtils.isNotBlank(rpcServerTlsConfig.getProtocols())) {
+ sslClientContextBuilder.protocols(rpcServerTlsConfig.getProtocols().split(","));
+ }
+
+ if (StringUtils.isNotBlank(rpcServerTlsConfig.getCiphers())) {
+ sslClientContextBuilder.ciphers(Arrays.asList(rpcServerTlsConfig.getCiphers().split(",")));
+ }
+ if (rpcServerTlsConfig.getMutualAuthEnable()) {
+ // trust all certificate
+ if (rpcServerTlsConfig.getTrustAll()) {
+ sslClientContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+ } else {
+ if (StringUtils.isBlank(rpcServerTlsConfig.getTrustCollectionCertFile())) {
+ throw new IllegalArgumentException(
+ "enable mutual auth,trustCollectionCertFile must be not null");
+ }
+
+ InputStream clientCert = getInputStream(rpcServerTlsConfig.getTrustCollectionCertFile(),
+ "trustCollectionCertFile");
+ sslClientContextBuilder.trustManager(clientCert);
+ }
+ sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
+ }
+ SslContextBuilder configure = GrpcSslContexts.configure(sslClientContextBuilder,
+ TlsTypeResolve.getSslProvider(rpcServerTlsConfig.getSslProvider()));
+ return configure.build();
+ } catch (SSLException e) {
+ Loggers.REMOTE.info("Nacos Rpc server reload ssl context fail tls config:{}",
+ JacksonUtils.toJson(rpcServerTlsConfig));
+ throw new NacosRuntimeException(NacosException.SERVER_ERROR, e);
+ }
+ }
+
+ private static InputStream getInputStream(String path, String config) {
+ try {
+ Resource resource = RESOURCE_LOADER.getResource(path);
+ return resource.getInputStream();
+ } catch (IOException e) {
+ throw new NacosRuntimeException(NacosException.SERVER_ERROR, config + " load fail", e);
+ }
+ }
+}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilder.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilder.java
new file mode 100644
index 00000000000..aa64cf91d04
--- /dev/null
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilder.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.remote.grpc.negotiator.tls;
+
+import com.alibaba.nacos.core.remote.grpc.negotiator.NacosGrpcProtocolNegotiator;
+import com.alibaba.nacos.core.remote.grpc.negotiator.ProtocolNegotiatorBuilder;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
+import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
+
+/**
+ * Default optional tls protocol negotiator builder.
+ *
+ * @author xiweng.yy
+ */
+public class DefaultTlsProtocolNegotiatorBuilder implements ProtocolNegotiatorBuilder {
+
+ public static final String TYPE_DEFAULT_TLS = "DEFAULT_TLS";
+
+ @Override
+ public NacosGrpcProtocolNegotiator build() {
+ RpcServerTlsConfig rpcServerTlsConfig = RpcServerTlsConfig.getInstance();
+ if (rpcServerTlsConfig.getEnableTls()) {
+ SslContext sslContext = DefaultTlsContextBuilder.getSslContext(rpcServerTlsConfig);
+ return new OptionalTlsProtocolNegotiator(sslContext, rpcServerTlsConfig.getCompatibility());
+ }
+ return null;
+ }
+
+ @Override
+ public String type() {
+ return TYPE_DEFAULT_TLS;
+ }
+}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/OptionalTlsProtocolNegotiator.java b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/OptionalTlsProtocolNegotiator.java
similarity index 85%
rename from core/src/main/java/com/alibaba/nacos/core/remote/grpc/OptionalTlsProtocolNegotiator.java
rename to core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/OptionalTlsProtocolNegotiator.java
index 50cefc9314a..c73f51250dc 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/grpc/OptionalTlsProtocolNegotiator.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/OptionalTlsProtocolNegotiator.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2022 Alibaba Group Holding Ltd.
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,10 +14,11 @@
* limitations under the License.
*/
-package com.alibaba.nacos.core.remote.grpc;
+package com.alibaba.nacos.core.remote.grpc.negotiator.tls;
+import com.alibaba.nacos.core.remote.grpc.negotiator.NacosGrpcProtocolNegotiator;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import io.grpc.netty.shaded.io.grpc.netty.GrpcHttp2ConnectionHandler;
-import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiator;
import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiators;
import io.grpc.netty.shaded.io.grpc.netty.ProtocolNegotiationEvent;
import io.grpc.netty.shaded.io.netty.buffer.ByteBuf;
@@ -36,11 +37,11 @@
*
* @author githubcheng2978.
*/
-public class OptionalTlsProtocolNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
+public class OptionalTlsProtocolNegotiator implements NacosGrpcProtocolNegotiator {
private static final int MAGIC_VALUE = 5;
- private boolean supportPlainText;
+ private final boolean supportPlainText;
private SslContext sslContext;
@@ -71,6 +72,14 @@ public void close() {
}
+ @Override
+ public void reloadNegotiator() {
+ RpcServerTlsConfig rpcServerTlsConfig = RpcServerTlsConfig.getInstance();
+ if (rpcServerTlsConfig.getEnableTls()) {
+ sslContext = DefaultTlsContextBuilder.getSslContext(rpcServerTlsConfig);
+ }
+ }
+
private ProtocolNegotiationEvent getDefPne() {
ProtocolNegotiationEvent protocolNegotiationEvent = null;
try {
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/RpcServerSslContextRefresher.java b/core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerSslContextRefresher.java
similarity index 88%
rename from core/src/main/java/com/alibaba/nacos/core/remote/RpcServerSslContextRefresher.java
rename to core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerSslContextRefresher.java
index 06ad43afa33..c68f93eea7a 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/RpcServerSslContextRefresher.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerSslContextRefresher.java
@@ -1,13 +1,5 @@
-package com.alibaba.nacos.core.remote;
-
-/**
- * ssl context refresher spi holder.
- *
- * @author liuzunfei
- * @version $Id: RequestFilters.java, v 0.1 2023年03月17日 12:00 PM liuzunfei Exp $
- */
/*
- * Copyright 1999-2020 Alibaba Group Holding Ltd.
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,6 +14,16 @@
* limitations under the License.
*/
+package com.alibaba.nacos.core.remote.tls;
+
+import com.alibaba.nacos.core.remote.BaseRpcServer;
+
+/**
+ * ssl context refresher spi holder.
+ *
+ * @author liuzunfei
+ * @version $Id: RequestFilters.java, v 0.1 2023年03月17日 12:00 PM liuzunfei Exp $
+ */
public interface RpcServerSslContextRefresher {
/**
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/RpcServerSslContextRefresherHolder.java b/core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerSslContextRefresherHolder.java
similarity index 83%
rename from core/src/main/java/com/alibaba/nacos/core/remote/RpcServerSslContextRefresherHolder.java
rename to core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerSslContextRefresherHolder.java
index 6b910cd868d..b423442319c 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/RpcServerSslContextRefresherHolder.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerSslContextRefresherHolder.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2020 Alibaba Group Holding Ltd.
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,12 +14,11 @@
* limitations under the License.
*/
-package com.alibaba.nacos.core.remote;
+package com.alibaba.nacos.core.remote.tls;
import com.alibaba.nacos.common.spi.NacosServiceLoader;
import com.alibaba.nacos.common.utils.StringUtils;
import com.alibaba.nacos.core.utils.Loggers;
-import com.alibaba.nacos.sys.utils.ApplicationUtils;
import java.util.Collection;
@@ -43,11 +42,11 @@ public static RpcServerSslContextRefresher getInstance() {
if (init) {
return instance;
}
- RpcServerTlsConfig rpcServerTlsConfig = ApplicationUtils.getBean(RpcServerTlsConfig.class);
+ RpcServerTlsConfig rpcServerTlsConfig = RpcServerTlsConfig.getInstance();
String sslContextRefresher = rpcServerTlsConfig.getSslContextRefresher();
if (StringUtils.isNotBlank(sslContextRefresher)) {
- Collection load = NacosServiceLoader.load(
- RpcServerSslContextRefresher.class);
+ Collection load = NacosServiceLoader
+ .load(RpcServerSslContextRefresher.class);
for (RpcServerSslContextRefresher contextRefresher : load) {
if (sslContextRefresher.equals(contextRefresher.getName())) {
instance = contextRefresher;
@@ -61,8 +60,8 @@ public static RpcServerSslContextRefresher getInstance() {
}
} else {
- Loggers.REMOTE.info(
- "No RpcServerSslContextRefresher specified,Ssl Context auto refresh not supported.");
+ Loggers.REMOTE
+ .info("No RpcServerSslContextRefresher specified,Ssl Context auto refresh not supported.");
}
Loggers.REMOTE.info("RpcServerSslContextRefresher init end");
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/RpcServerTlsConfig.java b/core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerTlsConfig.java
similarity index 51%
rename from core/src/main/java/com/alibaba/nacos/core/remote/RpcServerTlsConfig.java
rename to core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerTlsConfig.java
index 528d2f1c5cd..8548879db79 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/RpcServerTlsConfig.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/tls/RpcServerTlsConfig.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2022 Alibaba Group Holding Ltd.
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,32 +14,49 @@
* limitations under the License.
*/
-package com.alibaba.nacos.core.remote;
+package com.alibaba.nacos.core.remote.tls;
import com.alibaba.nacos.common.remote.TlsConfig;
-import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.stereotype.Component;
+import com.alibaba.nacos.common.utils.JacksonUtils;
+import com.alibaba.nacos.core.utils.Loggers;
+import com.alibaba.nacos.sys.env.EnvUtil;
+import com.alibaba.nacos.sys.utils.PropertiesUtil;
+
+import java.lang.reflect.InvocationTargetException;
/**
* Grpc config.
*
* @author githubcheng2978.
*/
-
-@ConfigurationProperties(prefix = RpcServerTlsConfig.PREFIX)
-@Component
public class RpcServerTlsConfig extends TlsConfig {
-
- public static final String PREFIX = "nacos.remote.server.rpc.tls";
+
+ public static final String PREFIX = "nacos.remote.server.rpc.tls";
+
+ private static RpcServerTlsConfig instance;
private String sslContextRefresher = "";
private Boolean compatibility = true;
-
+
+ public static synchronized RpcServerTlsConfig getInstance() {
+ if (null == instance) {
+ try {
+ instance = PropertiesUtil
+ .handleSpringBinder(EnvUtil.getEnvironment(), PREFIX, RpcServerTlsConfig.class);
+ } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException | ClassNotFoundException e) {
+ Loggers.REMOTE.warn("TLS config bind failed, use default value", e);
+ instance = new RpcServerTlsConfig();
+ }
+ }
+ Loggers.REMOTE.info("Nacos Rpc server tls config:{}", JacksonUtils.toJson(instance));
+ return instance;
+ }
+
public Boolean getCompatibility() {
return compatibility;
}
-
+
public void setCompatibility(Boolean compatibility) {
this.compatibility = compatibility;
}
diff --git a/core/src/main/java/com/alibaba/nacos/core/remote/SslContextChangeAware.java b/core/src/main/java/com/alibaba/nacos/core/remote/tls/SslContextChangeAware.java
similarity index 88%
rename from core/src/main/java/com/alibaba/nacos/core/remote/SslContextChangeAware.java
rename to core/src/main/java/com/alibaba/nacos/core/remote/tls/SslContextChangeAware.java
index 347de201d1d..c62c3ee6098 100644
--- a/core/src/main/java/com/alibaba/nacos/core/remote/SslContextChangeAware.java
+++ b/core/src/main/java/com/alibaba/nacos/core/remote/tls/SslContextChangeAware.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2020 Alibaba Group Holding Ltd.
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,7 +14,9 @@
* limitations under the License.
*/
-package com.alibaba.nacos.core.remote;
+package com.alibaba.nacos.core.remote.tls;
+
+import com.alibaba.nacos.core.remote.BaseRpcServer;
/**
* ssl context refresher spi holder.
diff --git a/core/src/main/resources/META-INF/services/com.alibaba.nacos.core.remote.grpc.negotiator.ProtocolNegotiatorBuilder b/core/src/main/resources/META-INF/services/com.alibaba.nacos.core.remote.grpc.negotiator.ProtocolNegotiatorBuilder
new file mode 100644
index 00000000000..1ea83c1f0b2
--- /dev/null
+++ b/core/src/main/resources/META-INF/services/com.alibaba.nacos.core.remote.grpc.negotiator.ProtocolNegotiatorBuilder
@@ -0,0 +1,17 @@
+#
+# Copyright 1999-2023 Alibaba Group Holding Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+com.alibaba.nacos.core.remote.grpc.negotiator.tls.DefaultTlsProtocolNegotiatorBuilder
\ No newline at end of file
diff --git a/core/src/test/java/com/alibaba/nacos/core/remote/grpc/GrpcServerTest.java b/core/src/test/java/com/alibaba/nacos/core/remote/grpc/GrpcServerTest.java
index d0250049a69..2b99a809017 100644
--- a/core/src/test/java/com/alibaba/nacos/core/remote/grpc/GrpcServerTest.java
+++ b/core/src/test/java/com/alibaba/nacos/core/remote/grpc/GrpcServerTest.java
@@ -18,9 +18,9 @@
package com.alibaba.nacos.core.remote.grpc;
import com.alibaba.nacos.common.remote.ConnectionType;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
import com.alibaba.nacos.sys.env.EnvUtil;
import com.alibaba.nacos.sys.utils.ApplicationUtils;
+import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
@@ -31,11 +31,6 @@
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.mock.env.MockEnvironment;
-import java.util.concurrent.ThreadPoolExecutor;
-
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
/**
* {@link GrpcSdkServer} and {@link GrpcClusterServer} unit test.
*
@@ -45,12 +40,12 @@
@RunWith(MockitoJUnitRunner.Silent.class)
public class GrpcServerTest {
- private final RpcServerTlsConfig grpcServerConfig = mock(RpcServerTlsConfig.class);
-
static MockedStatic applicationUtilsMockedStatic = null;
+ private BaseGrpcServer grpcSdkServer;
+
@BeforeClass
- public static void setUp() {
+ public static void setUpBeforeClass() {
EnvUtil.setEnvironment(new MockEnvironment());
applicationUtilsMockedStatic = Mockito.mockStatic(ApplicationUtils.class);
}
@@ -60,107 +55,27 @@ public static void after() {
applicationUtilsMockedStatic.close();
}
+ @After
+ public void tearDown() throws Exception {
+ if (null != grpcSdkServer) {
+ grpcSdkServer.stopServer();
+ }
+ }
+
@Test
public void testGrpcSdkServer() throws Exception {
- BaseGrpcServer grpcSdkServer = new GrpcSdkServer();
- grpcSdkServer.setRpcServerTlsConfig(grpcServerConfig);
- when(grpcServerConfig.getEnableTls()).thenReturn(false);
- when(ApplicationUtils.getBean(RpcServerTlsConfig.class)).thenReturn(grpcServerConfig);
+ grpcSdkServer = new GrpcSdkServer();
grpcSdkServer.start();
Assert.assertEquals(grpcSdkServer.getConnectionType(), ConnectionType.GRPC);
Assert.assertEquals(grpcSdkServer.rpcPortOffset(), 1000);
- grpcSdkServer.stopServer();
}
@Test
public void testGrpcClusterServer() throws Exception {
- BaseGrpcServer grpcSdkServer = new GrpcClusterServer();
- grpcSdkServer.setRpcServerTlsConfig(grpcServerConfig);
- when(grpcServerConfig.getEnableTls()).thenReturn(false);
- when(ApplicationUtils.getBean(RpcServerTlsConfig.class)).thenReturn(grpcServerConfig);
+ grpcSdkServer = new GrpcClusterServer();
grpcSdkServer.start();
Assert.assertEquals(grpcSdkServer.getConnectionType(), ConnectionType.GRPC);
Assert.assertEquals(grpcSdkServer.rpcPortOffset(), 1001);
grpcSdkServer.stopServer();
}
-
- @Test
- public void testGrpcEnableTls() throws Exception {
- final BaseGrpcServer grpcSdkServer = new BaseGrpcServer() {
- @Override
- public ThreadPoolExecutor getRpcExecutor() {
- return null;
- }
-
- @Override
- public int rpcPortOffset() {
- return 100;
- }
- };
- when(grpcServerConfig.getEnableTls()).thenReturn(true);
- when(grpcServerConfig.getCiphers()).thenReturn("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
- when(grpcServerConfig.getProtocols()).thenReturn("TLSv1.2,TLSv1.3");
-
- when(grpcServerConfig.getCertPrivateKey()).thenReturn("test-server-key.pem");
- when(grpcServerConfig.getCertChainFile()).thenReturn("test-server-cert.pem");
- when(ApplicationUtils.getBean(RpcServerTlsConfig.class)).thenReturn(grpcServerConfig);
- grpcSdkServer.setRpcServerTlsConfig(grpcServerConfig);
- grpcSdkServer.start();
- grpcSdkServer.shutdownServer();
- }
-
- @Test
- public void testGrpcEnableMutualAuthAndTrustAll() throws Exception {
-
- final BaseGrpcServer grpcSdkServer = new BaseGrpcServer() {
- @Override
- public ThreadPoolExecutor getRpcExecutor() {
- return null;
- }
-
- @Override
- public int rpcPortOffset() {
- return 100;
- }
- };
-
- when(grpcServerConfig.getEnableTls()).thenReturn(true);
- when(grpcServerConfig.getTrustAll()).thenReturn(true);
- when(grpcServerConfig.getCiphers()).thenReturn("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
- when(grpcServerConfig.getProtocols()).thenReturn("TLSv1.2,TLSv1.3");
- when(grpcServerConfig.getCertPrivateKey()).thenReturn("test-server-key.pem");
- when(grpcServerConfig.getCertChainFile()).thenReturn("test-server-cert.pem");
- grpcSdkServer.setRpcServerTlsConfig(grpcServerConfig);
- grpcSdkServer.start();
- grpcSdkServer.shutdownServer();
- }
-
- @Test
- public void testGrpcEnableMutualAuthAndPart() throws Exception {
- final BaseGrpcServer grpcSdkServer = new BaseGrpcServer() {
- @Override
- public ThreadPoolExecutor getRpcExecutor() {
- return null;
- }
-
- @Override
- public int rpcPortOffset() {
- return 100;
- }
- };
- when(grpcServerConfig.getEnableTls()).thenReturn(true);
- when(grpcServerConfig.getMutualAuthEnable()).thenReturn(true);
- when(grpcServerConfig.getEnableTls()).thenReturn(true);
- when(grpcServerConfig.getCiphers()).thenReturn("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
- when(grpcServerConfig.getProtocols()).thenReturn("TLSv1.2,TLSv1.3");
-
- when(grpcServerConfig.getCertPrivateKey()).thenReturn("test-server-key.pem");
- when(grpcServerConfig.getCertChainFile()).thenReturn("test-server-cert.pem");
- when(grpcServerConfig.getTrustCollectionCertFile()).thenReturn("test-ca-cert.pem");
-
- grpcSdkServer.setRpcServerTlsConfig(grpcServerConfig);
-
- grpcSdkServer.start();
- grpcSdkServer.shutdownServer();
- }
}
diff --git a/core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilderTest.java b/core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilderTest.java
new file mode 100644
index 00000000000..7a8224bb779
--- /dev/null
+++ b/core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilderTest.java
@@ -0,0 +1,104 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.remote.grpc.negotiator.tls;
+
+import com.alibaba.nacos.api.exception.runtime.NacosRuntimeException;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+public class DefaultTlsContextBuilderTest {
+
+ @Before
+ public void setUp() throws Exception {
+ RpcServerTlsConfig.getInstance().setEnableTls(true);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ RpcServerTlsConfig.getInstance().setEnableTls(false);
+ RpcServerTlsConfig.getInstance().setTrustAll(false);
+ RpcServerTlsConfig.getInstance().setMutualAuthEnable(false);
+ RpcServerTlsConfig.getInstance().setCertChainFile(null);
+ RpcServerTlsConfig.getInstance().setCertPrivateKey(null);
+ RpcServerTlsConfig.getInstance().setCiphers(null);
+ RpcServerTlsConfig.getInstance().setProtocols(null);
+ RpcServerTlsConfig.getInstance().setTrustCollectionCertFile(null);
+ RpcServerTlsConfig.getInstance().setSslProvider("");
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void testGetSslContextIllegal() {
+ DefaultTlsContextBuilder.getSslContext(RpcServerTlsConfig.getInstance());
+ }
+
+ @Test
+ public void testGetSslContextWithoutMutual() {
+ RpcServerTlsConfig grpcServerConfig = RpcServerTlsConfig.getInstance();
+ grpcServerConfig.setCiphers("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
+ grpcServerConfig.setProtocols("TLSv1.2,TLSv1.3");
+ grpcServerConfig.setCertPrivateKey("test-server-key.pem");
+ grpcServerConfig.setCertChainFile("test-server-cert.pem");
+ DefaultTlsContextBuilder.getSslContext(RpcServerTlsConfig.getInstance());
+ }
+
+ @Test
+ public void testGetSslContextWithMutual() {
+ RpcServerTlsConfig grpcServerConfig = RpcServerTlsConfig.getInstance();
+ grpcServerConfig.setTrustAll(true);
+ grpcServerConfig.setMutualAuthEnable(true);
+ grpcServerConfig.setCiphers("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
+ grpcServerConfig.setProtocols("TLSv1.2,TLSv1.3");
+ grpcServerConfig.setCertPrivateKey("test-server-key.pem");
+ grpcServerConfig.setCertChainFile("test-server-cert.pem");
+ DefaultTlsContextBuilder.getSslContext(RpcServerTlsConfig.getInstance());
+ }
+
+ @Test
+ public void testGetSslContextWithMutualAndPart() {
+ RpcServerTlsConfig grpcServerConfig = RpcServerTlsConfig.getInstance();
+ grpcServerConfig.setMutualAuthEnable(true);
+ grpcServerConfig.setCiphers("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
+ grpcServerConfig.setProtocols("TLSv1.2,TLSv1.3");
+ grpcServerConfig.setCertPrivateKey("test-server-key.pem");
+ grpcServerConfig.setCertChainFile("test-server-cert.pem");
+ grpcServerConfig.setTrustCollectionCertFile("test-ca-cert.pem");
+ DefaultTlsContextBuilder.getSslContext(RpcServerTlsConfig.getInstance());
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void testGetSslContextWithMutualAndPartIllegal() {
+ RpcServerTlsConfig grpcServerConfig = RpcServerTlsConfig.getInstance();
+ grpcServerConfig.setMutualAuthEnable(true);
+ grpcServerConfig.setCiphers("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
+ grpcServerConfig.setProtocols("TLSv1.2,TLSv1.3");
+ grpcServerConfig.setCertPrivateKey("test-server-key.pem");
+ grpcServerConfig.setCertChainFile("test-server-cert.pem");
+ DefaultTlsContextBuilder.getSslContext(RpcServerTlsConfig.getInstance());
+ }
+
+ @Test(expected = NacosRuntimeException.class)
+ public void testGetSslContextForNonExistFile() {
+ RpcServerTlsConfig grpcServerConfig = RpcServerTlsConfig.getInstance();
+ grpcServerConfig.setCiphers("ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384");
+ grpcServerConfig.setProtocols("TLSv1.2,TLSv1.3");
+ grpcServerConfig.setCertPrivateKey("non-exist-server-key.pem");
+ grpcServerConfig.setCertChainFile("non-exist-cert.pem");
+ DefaultTlsContextBuilder.getSslContext(RpcServerTlsConfig.getInstance());
+ }
+}
\ No newline at end of file
diff --git a/core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilderTest.java b/core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilderTest.java
new file mode 100644
index 00000000000..ac8be81b618
--- /dev/null
+++ b/core/src/test/java/com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsProtocolNegotiatorBuilderTest.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright 1999-2023 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.core.remote.grpc.negotiator.tls;
+
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+public class DefaultTlsProtocolNegotiatorBuilderTest {
+
+ private DefaultTlsProtocolNegotiatorBuilder builder;
+
+ @Before
+ public void setUp() throws Exception {
+ builder = new DefaultTlsProtocolNegotiatorBuilder();
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ RpcServerTlsConfig.getInstance().setEnableTls(false);
+ RpcServerTlsConfig.getInstance().setCertChainFile(null);
+ RpcServerTlsConfig.getInstance().setCertPrivateKey(null);
+ }
+
+ @Test
+ public void testBuildDisabled() {
+ assertNull(builder.build());
+ }
+
+ @Test
+ public void testBuildEnabled() {
+ RpcServerTlsConfig.getInstance().setEnableTls(true);
+ RpcServerTlsConfig.getInstance().setCertPrivateKey("test-server-key.pem");
+ RpcServerTlsConfig.getInstance().setCertChainFile("test-server-cert.pem");
+ assertNotNull(builder.build());
+ }
+}
\ No newline at end of file
diff --git a/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceComTlsGrpcClient_CITCase.java b/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceComTlsGrpcClient_CITCase.java
index a5dac11f20a..b15c1e05f22 100644
--- a/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceComTlsGrpcClient_CITCase.java
+++ b/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceComTlsGrpcClient_CITCase.java
@@ -23,7 +23,7 @@
import com.alibaba.nacos.client.config.NacosConfigService;
import com.alibaba.nacos.client.config.listener.impl.AbstractConfigChangeListener;
import com.alibaba.nacos.common.remote.client.RpcConstants;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import com.alibaba.nacos.test.base.ConfigCleanUtils;
import org.junit.*;
import org.junit.runner.RunWith;
diff --git a/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceNoComTlsGrpcClient_CITCase.java b/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceNoComTlsGrpcClient_CITCase.java
index 1edc752fe14..da5ee0a6b05 100644
--- a/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceNoComTlsGrpcClient_CITCase.java
+++ b/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigServiceNoComTlsGrpcClient_CITCase.java
@@ -23,7 +23,7 @@
import com.alibaba.nacos.client.config.NacosConfigService;
import com.alibaba.nacos.client.config.listener.impl.AbstractConfigChangeListener;
import com.alibaba.nacos.common.remote.client.RpcConstants;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import com.alibaba.nacos.test.base.ConfigCleanUtils;
import org.junit.AfterClass;
import org.junit.Assert;
diff --git a/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigV2MutualAuth_CITCase.java b/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigV2MutualAuth_CITCase.java
index 07eee10d307..b06c6d62095 100644
--- a/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigV2MutualAuth_CITCase.java
+++ b/test/config-test/src/test/java/com/alibaba/nacos/test/config/NacosConfigV2MutualAuth_CITCase.java
@@ -24,7 +24,7 @@
import com.alibaba.nacos.client.config.NacosConfigService;
import com.alibaba.nacos.client.config.listener.impl.AbstractConfigChangeListener;
import com.alibaba.nacos.common.remote.client.RpcConstants;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import com.alibaba.nacos.test.base.ConfigCleanUtils;
import org.junit.After;
import org.junit.Assert;
diff --git a/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV1ServerNonCompatibility_CITCase.java b/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV1ServerNonCompatibility_CITCase.java
index 1b895884148..74a4d18b423 100644
--- a/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV1ServerNonCompatibility_CITCase.java
+++ b/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV1ServerNonCompatibility_CITCase.java
@@ -25,7 +25,7 @@
import com.alibaba.nacos.common.remote.client.RpcClient;
import com.alibaba.nacos.common.remote.client.RpcClientFactory;
import com.alibaba.nacos.common.remote.client.RpcClientTlsConfig;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import com.alibaba.nacos.test.ConfigCleanUtils;
import org.junit.AfterClass;
import org.junit.Assert;
diff --git a/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV2MutualAuth_CITCase.java b/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV2MutualAuth_CITCase.java
index 1d9b97630c6..2d28d0621e5 100644
--- a/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV2MutualAuth_CITCase.java
+++ b/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV2MutualAuth_CITCase.java
@@ -25,7 +25,7 @@
import com.alibaba.nacos.common.remote.client.RpcClient;
import com.alibaba.nacos.common.remote.client.RpcClientFactory;
import com.alibaba.nacos.common.remote.client.RpcClientTlsConfig;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import com.alibaba.nacos.test.ConfigCleanUtils;
import org.junit.*;
import org.junit.runner.RunWith;
diff --git a/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV3_CITCase.java b/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV3_CITCase.java
index adabe7f0d77..17e93a6e560 100644
--- a/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV3_CITCase.java
+++ b/test/core-test/src/test/java/com/alibaba/nacos/test/client/ConfigIntegrationV3_CITCase.java
@@ -25,7 +25,7 @@
import com.alibaba.nacos.common.remote.client.RpcClient;
import com.alibaba.nacos.common.remote.client.RpcClientFactory;
import com.alibaba.nacos.common.remote.client.RpcClientTlsConfig;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import com.alibaba.nacos.sys.env.EnvUtil;
import com.alibaba.nacos.test.ConfigCleanUtils;
import org.junit.*;
diff --git a/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingCompatibilityServiceTls_ITCase.java b/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingCompatibilityServiceTls_ITCase.java
index 786f5187a59..1379445f621 100644
--- a/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingCompatibilityServiceTls_ITCase.java
+++ b/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingCompatibilityServiceTls_ITCase.java
@@ -27,7 +27,7 @@
import com.alibaba.nacos.api.naming.pojo.Service;
import com.alibaba.nacos.api.selector.ExpressionSelector;
import com.alibaba.nacos.api.selector.NoneSelector;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
diff --git a/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceAndMutualAuth_ITCase.java b/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceAndMutualAuth_ITCase.java
index 83faa6c8767..2b598cdd294 100644
--- a/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceAndMutualAuth_ITCase.java
+++ b/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceAndMutualAuth_ITCase.java
@@ -23,7 +23,7 @@
import com.alibaba.nacos.api.naming.NamingService;
import com.alibaba.nacos.api.naming.pojo.Instance;
import com.alibaba.nacos.common.remote.client.RpcConstants;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import org.junit.After;
import org.junit.Assert;
import org.junit.FixMethodOrder;
diff --git a/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceTls_ITCase.java b/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceTls_ITCase.java
index c6aa94450e9..8597a1aad2b 100644
--- a/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceTls_ITCase.java
+++ b/test/naming-test/src/test/java/com/alibaba/nacos/test/naming/NamingTlsServiceTls_ITCase.java
@@ -23,7 +23,7 @@
import com.alibaba.nacos.api.naming.NamingService;
import com.alibaba.nacos.api.naming.pojo.Instance;
import com.alibaba.nacos.common.remote.client.RpcConstants;
-import com.alibaba.nacos.core.remote.RpcServerTlsConfig;
+import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import org.junit.Assert;
import org.junit.FixMethodOrder;
import org.junit.Ignore;