Enable JEP-380 when supported (#3151)

kevink-sq · web-flow · commit 38a1d370735e · 2024-02-20T15:23:09.000-05:00
* Enable JEP-380 when supported

supported when:
- running Java 16+
- using file based unix domain socket paths (non-abstract)

also deprecated `unix_domain_socket` in favor of the generalized
`unix_domain_sockets` to allow more multiple ingress.

* Add new generated artifacts for changes to WebConfig

* opt to not include deprecated annotation

* Update tests to ignore if not running Java 16+.
diff --git a/.palantir/revapi.yml b/.palantir/revapi.yml
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -102,6 +102,7 @@ jettyServer = { module = "org.eclipse.jetty:jetty-server" }
 jettyServlet = { module = "org.eclipse.jetty:jetty-servlet" }
 jettyServletApi = { module = "org.eclipse.jetty.toolchain:jetty-servlet-api", version = "4.0.6" }
 jettyServlets = { module = "org.eclipse.jetty:jetty-servlets" }
+jettyUds = { module = "org.eclipse.jetty:jetty-unixdomain-server" }
 jettyUnixSocket = { module = "org.eclipse.jetty:jetty-unixsocket-server" }
 jettyUtil = { module = "org.eclipse.jetty:jetty-util" }
 jettyWebsocketApi = { module = "org.eclipse.jetty.websocket:websocket-jetty-api" }
diff --git a/misk/api/misk.api b/misk/api/misk.api
@@ -1451,7 +1451,8 @@ public final class misk/web/WebConfig : wisp/config/Config {
 	public fun <init> (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;)V
 	public fun <init> (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;)V
 	public fun <init> (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;Z)V
-	public synthetic fun <init> (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;ZIILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun <init> (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;Z[Lmisk/web/WebUnixDomainSocketConfig;)V
+	public synthetic fun <init> (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;Z[Lmisk/web/WebUnixDomainSocketConfig;IILkotlin/jvm/internal/DefaultConstructorMarker;)V
 	public final fun component1 ()I
 	public final fun component10 ()Ljava/lang/Integer;
 	public final fun component11 ()I
@@ -1481,14 +1482,15 @@ public final class misk/web/WebConfig : wisp/config/Config {
 	public final fun component33 ()Ljava/lang/Integer;
 	public final fun component34 ()Ljava/lang/Integer;
 	public final fun component35 ()Z
+	public final fun component36 ()[Lmisk/web/WebUnixDomainSocketConfig;
 	public final fun component4 ()Ljava/lang/String;
 	public final fun component5 ()Lmisk/web/WebSslConfig;
 	public final fun component6 ()Lmisk/web/WebUnixDomainSocketConfig;
 	public final fun component7 ()Z
 	public final fun component8 ()Ljava/lang/Integer;
 	public final fun component9 ()Ljava/lang/Integer;
-	public final fun copy (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;Z)Lmisk/web/WebConfig;
-	public static synthetic fun copy$default (Lmisk/web/WebConfig;IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;ZIILjava/lang/Object;)Lmisk/web/WebConfig;
+	public final fun copy (IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;Z[Lmisk/web/WebUnixDomainSocketConfig;)Lmisk/web/WebConfig;
+	public static synthetic fun copy$default (Lmisk/web/WebConfig;IJILjava/lang/String;Lmisk/web/WebSslConfig;Lmisk/web/WebUnixDomainSocketConfig;ZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;IIIZLmisk/web/exceptions/ActionExceptionLogLevelConfig;Ljava/lang/Integer;DZILjava/util/Map;ZLorg/slf4j/event/Level;Lmisk/web/ConcurrencyLimiterConfig;ILjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Long;IIZZLjava/lang/Integer;Ljava/lang/Integer;Ljava/lang/Integer;Z[Lmisk/web/WebUnixDomainSocketConfig;IILjava/lang/Object;)Lmisk/web/WebConfig;
 	public fun equals (Ljava/lang/Object;)Z
 	public final fun getAcceptors ()Ljava/lang/Integer;
 	public final fun getAction_exception_log_level ()Lmisk/web/exceptions/ActionExceptionLogLevelConfig;
@@ -1524,6 +1526,7 @@ public final class misk/web/WebConfig : wisp/config/Config {
 	public final fun getShutdown_sleep_ms ()I
 	public final fun getSsl ()Lmisk/web/WebSslConfig;
 	public final fun getUnix_domain_socket ()Lmisk/web/WebUnixDomainSocketConfig;
+	public final fun getUnix_domain_sockets ()[Lmisk/web/WebUnixDomainSocketConfig;
 	public final fun getUse_virtual_threads ()Z
 	public fun hashCode ()I
 	public fun toString ()Ljava/lang/String;
diff --git a/misk/build.gradle.kts b/misk/build.gradle.kts
@@ -45,6 +45,7 @@ dependencies {
   implementation(libs.jettyIo)
   implementation(libs.jettyServlet)
   implementation(libs.jettyServlets)
+  implementation(libs.jettyUds)
   implementation(libs.jettyUnixSocket)
   implementation(libs.jettyWebsocketApi)
   implementation(libs.jettyWebsocketServer)
diff --git a/misk/src/main/kotlin/misk/web/WebConfig.kt b/misk/src/main/kotlin/misk/web/WebConfig.kt
@@ -150,6 +150,9 @@ data class WebConfig @JvmOverloads constructor(
 
   /** Wires up health checks on whether Jetty's thread pool is low on threads. */
   val enable_thread_pool_health_check: Boolean = false,
+
+  /** Configurations to enable Jetty to listen for traffic on a unix domain socket being proxied through a sidecar (e.g. envoy, istio) */
+  val unix_domain_sockets: Array<WebUnixDomainSocketConfig>? = null,
   ) : Config
 
 data class WebSslConfig @JvmOverloads constructor(
@@ -181,7 +184,7 @@ data class WebSslConfig @JvmOverloads constructor(
 }
 
 data class WebUnixDomainSocketConfig @JvmOverloads constructor(
-  /** The Unix Domain Socket to listen on. */
+  /** The Unix Domain Socket to listen on. Will attempt to use the JEP-380 connector when supported (using Java 16+ and file path) */
   val path: String,
   /** If true, the listener will support H2C. */
   val h2c: Boolean? = true
diff --git a/misk/src/main/kotlin/misk/web/jetty/JettyService.kt b/misk/src/main/kotlin/misk/web/jetty/JettyService.kt
@@ -1,15 +1,18 @@
 package misk.web.jetty
 
 import com.google.common.base.Stopwatch
+import com.google.common.base.Strings
 import com.google.common.util.concurrent.AbstractIdleService
 import com.google.common.util.concurrent.ThreadFactoryBuilder
+import com.squareup.wire.internal.newMutableList
 import jakarta.inject.Inject
 import jakarta.inject.Singleton
 import misk.security.ssl.CipherSuites
 import misk.security.ssl.SslLoader
 import misk.security.ssl.TlsProtocols
 import misk.web.WebConfig
 import misk.web.WebSslConfig
+import misk.web.WebUnixDomainSocketConfig
 import misk.web.mediatype.MediaTypes
 import okhttp3.HttpUrl
 import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory
@@ -33,18 +36,22 @@ import org.eclipse.jetty.servlet.FilterHolder
 import org.eclipse.jetty.servlet.ServletContextHandler
 import org.eclipse.jetty.servlet.ServletHolder
 import org.eclipse.jetty.servlets.CrossOriginFilter
+import org.eclipse.jetty.unixdomain.server.UnixDomainServerConnector
 import org.eclipse.jetty.unixsocket.server.UnixSocketConnector
+import org.eclipse.jetty.util.JavaVersion
 import org.eclipse.jetty.util.ssl.SslContextFactory
 import org.eclipse.jetty.util.thread.ThreadPool
 import org.eclipse.jetty.websocket.server.config.JettyWebSocketServletContainerInitializer
 import wisp.logging.getLogger
+import java.io.File
 import java.lang.Thread.sleep
 import java.net.InetAddress
 import java.nio.file.InvalidPathException
 import java.util.EnumSet
 import java.util.concurrent.SynchronousQueue
 import java.util.concurrent.ThreadPoolExecutor
 import java.util.concurrent.TimeUnit
+import java.util.regex.Pattern
 import javax.servlet.DispatcherType
 
 @Singleton
@@ -230,25 +237,49 @@ class JettyService @Inject internal constructor(
       server.addConnector(httpsConnector)
     }
 
+    var socketConfigs = newMutableList<WebUnixDomainSocketConfig>()
     if (webConfig.unix_domain_socket != null) {
+      socketConfigs.add(webConfig.unix_domain_socket)
+    }
+    if (webConfig.unix_domain_sockets != null) {
+      socketConfigs.addAll(webConfig.unix_domain_sockets)
+    }
+    socketConfigs.stream().forEach() { socketConfig ->
       val udsConnFactories = mutableListOf<ConnectionFactory>()
       udsConnFactories.add(HttpConnectionFactory(httpConfig))
-      if (webConfig.unix_domain_socket.h2c == true) {
+      if (socketConfig.h2c == true) {
         udsConnFactories.add(HTTP2CServerConnectionFactory(httpConfig))
       }
 
-      val udsConnector = UnixSocketConnector(
-        server,
-        null /* executor */,
-        null /* scheduler */,
-        null /* buffer pool */,
-        webConfig.selectors ?: -1,
-        *udsConnFactories.toTypedArray()
-      )
-      udsConnector.setUnixSocket(webConfig.unix_domain_socket.path)
-      udsConnector.addBean(connectionMetricsCollector.newConnectionListener("http", 0))
-      udsConnector.name = "uds"
-      server.addConnector(udsConnector)
+      if (isJEP380Supported(socketConfig.path)) {
+        logger.info("Using UnixDomainServerConnector for ${socketConfig.path}")
+        val udsConnector = UnixDomainServerConnector(
+          server,
+          null /* executor */,
+          null /* scheduler */,
+          null /* buffer pool */,
+          webConfig.acceptors ?: -1 ,
+          webConfig.selectors ?: -1,
+          *udsConnFactories.toTypedArray()
+        )
+        udsConnector.unixDomainPath = File(socketConfig.path).toPath()
+        udsConnector.addBean(connectionMetricsCollector.newConnectionListener("http", 0))
+        udsConnector.name = "uds"
+        server.addConnector(udsConnector)
+      } else {
+        val udsConnector = UnixSocketConnector(
+          server,
+          null /* executor */,
+          null /* scheduler */,
+          null /* buffer pool */,
+          webConfig.selectors ?: -1,
+          *udsConnFactories.toTypedArray()
+        )
+        udsConnector.setUnixSocket(socketConfig.path)
+        udsConnector.addBean(connectionMetricsCollector.newConnectionListener("http", 0))
+        udsConnector.name = "uds"
+        server.addConnector(udsConnector)
+      }
     }
 
     // TODO(mmihic): Force security handler?
@@ -425,3 +456,16 @@ private fun AbstractHTTP2ServerConnectionFactory.customize(webConfig: WebConfig)
     initialStreamRecvWindow = webConfig.jetty_initial_stream_recv_window
   }
 }
+
+/**
+ * JEP-380 is supported when running Java 16+ and the provided socket path is non-abstract. Abstract
+ * socket paths are identified by paths prefixed with an `@` symbol or a null byte.
+ */
+internal fun isJEP380Supported(
+  path: String,
+  javaVersion: Int = JavaVersion.VERSION.major
+) : Boolean {
+  return javaVersion >= 16 &&
+    !Strings.isNullOrEmpty(path) &&
+    !Pattern.compile("^@|\u0000").matcher(path).find()
+}
diff --git a/misk/src/main/kotlin/misk/web/jetty/WebActionsServlet.kt b/misk/src/main/kotlin/misk/web/jetty/WebActionsServlet.kt
@@ -24,6 +24,7 @@ import org.eclipse.jetty.http.HttpMethod
 import org.eclipse.jetty.server.Request
 import org.eclipse.jetty.server.Response
 import org.eclipse.jetty.server.ServerConnector
+import org.eclipse.jetty.unixdomain.server.UnixDomainServerConnector
 import org.eclipse.jetty.unixsocket.server.UnixSocketConnector
 import org.eclipse.jetty.websocket.server.JettyServerUpgradeResponse
 import org.eclipse.jetty.websocket.server.JettyWebSocketServlet
@@ -119,6 +120,10 @@ internal class WebActionsServlet @Inject constructor(
         request = request,
         linkLayerLocalAddress = with((request as? Request)?.httpChannel) {
           when (this?.connector) {
+            is UnixDomainServerConnector -> SocketAddress.Unix(
+              (this.connector as UnixDomainServerConnector).unixDomainPath.toString()
+            )
+
             is UnixSocketConnector -> SocketAddress.Unix(
               (this.connector as UnixSocketConnector).unixSocket
             )
diff --git a/misk/src/test/kotlin/misk/web/jetty/JettyServiceTest.kt b/misk/src/test/kotlin/misk/web/jetty/JettyServiceTest.kt
@@ -0,0 +1,17 @@
+package misk.web.jetty
+
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.api.Test
+
+class JettyServiceTest {
+
+  @Test
+  fun isJEP380Supported() {
+    assertThat(isJEP380Supported("", 16)).isFalse()
+    assertThat(isJEP380Supported("@socket.sock", 16)).isFalse()
+    assertThat(isJEP380Supported("\u0000socket.sock", 16)).isFalse()
+    assertThat(isJEP380Supported("socket.sock", 15)).isFalse()
+    assertThat(isJEP380Supported("socket.sock", 16)).isTrue()
+    assertThat(isJEP380Supported("/socket.sock", 16)).isTrue()
+  }
+}
diff --git a/misk/src/test/kotlin/misk/web/jetty/WebActionsServletTest.kt b/misk/src/test/kotlin/misk/web/jetty/WebActionsServletTest.kt
@@ -25,6 +25,8 @@ import wisp.client.UnixDomainSocketFactory
 import java.io.File
 import java.util.UUID
 import jakarta.inject.Inject
+import org.eclipse.jetty.util.JavaVersion
+import org.junit.jupiter.api.Assumptions
 
 @MiskTest(startService = true)
 class WebActionsServletTest {
@@ -35,6 +37,7 @@ class WebActionsServletTest {
   internal lateinit var jettyService: JettyService
 
   private var socketName: String = "@udstest" + UUID.randomUUID().toString()
+  private var fileSocketName: String = "/tmp/udstest" + UUID.randomUUID().toString()
 
   @Test
   fun networkSocketSuccess() {
@@ -47,7 +50,7 @@ class WebActionsServletTest {
   @Test
   fun parseNonAsciiHeaders() {
     val response = get(
-      "/potato", false,
+      "/potato", false, false,
       Headers.Builder()
         .addUnsafeNonAscii("X-device-name", "Walé Iphone")
         .build()
@@ -62,6 +65,13 @@ class WebActionsServletTest {
     assertThat(response.header("ActualSocketName")).isEqualTo(socketName)
   }
 
+  @Test
+  fun fileUdsSocketSuccess() {
+    Assumptions.assumeTrue(isJEP380Supported(fileSocketName))
+    val response = get("/potato", false, true)
+    assertThat(response.header("ActualSocketName")).isEqualTo(fileSocketName)
+  }
+
   @Test
   fun testPatch404() {
     val response = call(
@@ -109,6 +119,7 @@ class WebActionsServletTest {
   private fun get(
     path: String,
     viaUDS: Boolean,
+    viaFileUDS: Boolean = false,
     headers: Headers = Headers.headersOf()
   ): okhttp3.Response =
     with(
@@ -123,7 +134,9 @@ class WebActionsServletTest {
         viaUDS -> {
           udsCall(get())
         }
-
+        viaFileUDS -> {
+          fileUdsCall(get())
+        }
         else -> {
           call(get())
         }
@@ -141,13 +154,22 @@ class WebActionsServletTest {
       .newCall(request.build())
       .execute()
   }
+  private fun fileUdsCall(request: Request.Builder): okhttp3.Response {
+    return OkHttpClient().newBuilder()
+      .socketFactory(UnixDomainSocketFactory(File(fileSocketName)))
+      .build()
+      .newCall(request.build())
+      .execute()
+  }
 
   inner class TestModule : KAbstractModule() {
     override fun configure() {
       install(
         WebServerTestingModule(
           webConfig = WebServerTestingModule.TESTING_WEB_CONFIG.copy(
-            unix_domain_socket = WebUnixDomainSocketConfig(path = socketName)
+            unix_domain_sockets = arrayOf(
+              WebUnixDomainSocketConfig(path = socketName),
+              WebUnixDomainSocketConfig(path = fileSocketName))
           )
         )
       )
