From adceff30de2d87c61b73d99f21174b9e35e0c901 Mon Sep 17 00:00:00 2001
From: Robert Varga
Date: Sun, 3 Jul 2022 03:40:31 +0200
Subject: [PATCH] Migrate CERT_MANAGER_TL

This thread local has a single user, make sure we encapsulate it.

Change-Id: I6463aa48d1f2d6798f9dc2a8b5e1fa2eac21790d
Signed-off-by: Robert Varga
---
 .../aaa/shiro/realm/KeystoneAuthRealm.java | 16 ++++++++++++--
 .../shiro/web/env/AAAIniWebEnvironment.java | 21 ++++++++++---------
 .../aaa/shiro/web/env/ThreadLocals.java | 3 ---
 .../shiro/realm/KeystoneAuthRealmTest.java | 12 ++++-------
 4 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealm.java b/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealm.java
index a5e212785..278a5af84 100644
--- a/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealm.java
+++ b/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealm.java
@@ -7,6 +7,7 @@
 */
 package org.opendaylight.aaa.shiro.realm;
 
+import static com.google.common.base.Verify.verifyNotNull;
 import static java.util.Objects.requireNonNull;
 
 import com.google.common.base.Throwables;
@@ -45,7 +46,7 @@ import org.opendaylight.aaa.shiro.principal.ODLPrincipalImpl;
 import org.opendaylight.aaa.shiro.realm.util.http.SimpleHttpClient;
 import org.opendaylight.aaa.shiro.realm.util.http.SimpleHttpRequest;
 import org.opendaylight.aaa.shiro.realm.util.http.UntrustedSSL;
-import org.opendaylight.aaa.shiro.web.env.ThreadLocals;
+import org.opendaylight.yangtools.concepts.Registration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -67,6 +68,8 @@ public class KeystoneAuthRealm extends AuthorizingRealm {
 private static final int CLIENT_EXPIRE_AFTER_ACCESS = 1;
 private static final int CLIENT_EXPIRE_AFTER_WRITE = 10;
 
+ private static final ThreadLocal CERT_MANAGER_TL = new ThreadLocal<>();
+
 private volatile URI serverUri = null;
 private volatile boolean sslVerification = true;
 private volatile String defaultDomain = DEFAULT_KEYSTONE_DOMAIN;
@@ -83,10 +86,19 @@ public class KeystoneAuthRealm extends AuthorizingRealm {
 });
 
 public KeystoneAuthRealm() {
- certManager = requireNonNull(ThreadLocals.CERT_MANAGER_TL.get());
+ this(verifyNotNull(CERT_MANAGER_TL.get(), "KeystoneAuthRealm loading not prepared"));
+ }
+
+ public KeystoneAuthRealm(final ICertificateManager certManager) {
+ this.certManager = requireNonNull(certManager);
 LOG.info("KeystoneAuthRealm created");
 }
 
+ public static Registration prepareForLoad(final ICertificateManager certManager) {
+ CERT_MANAGER_TL.set(requireNonNull(certManager));
+ return CERT_MANAGER_TL::remove;
+ }
+
 @Override
 protected AuthorizationInfo doGetAuthorizationInfo(final PrincipalCollection principalCollection) {
 final var primaryPrincipal = getAvailablePrincipal(principalCollection);
diff --git a/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/AAAIniWebEnvironment.java b/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/AAAIniWebEnvironment.java
index 696142e41..87956637b 100644
--- a/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/AAAIniWebEnvironment.java
+++ b/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/AAAIniWebEnvironment.java
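Review bot: `prepareForLoad` in the second hunk overwrites whatever is already in CERT_MANAGER_TL on the calling thread, and the returned Registration removes the value unconditionally, so two overlapping preparations on one thread would silently share state and the first close would strip the value the second still needs; a guard such as `if (CERT_MANAGER_TL.get() != null) { throw new IllegalStateException("KeystoneAuthRealm loading already prepared"); }` placed before the `set` makes that misuse fail loudly instead. The method and both constructors also carry no Javadoc; document that `prepareForLoad` must run on the thread that subsequently invokes the no-arg constructor, that the Registration must be closed (try-with-resources, as AAAIniWebEnvironment.init() does in this patch) so the certificate manager does not linger on a reused thread, and that the no-arg constructor throws VerifyException when no preparation is active. As rendered here the new field reads `ThreadLocal CERT_MANAGER_TL` with no type argument; if that were the real declaration `CERT_MANAGER_TL.get()` would yield Object and the `this(...)` delegation would not resolve, so it is presumably `ThreadLocal<ICertificateManager>` with the generic lost in rendering.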
@@ -18,6 +18,7 @@ import org.opendaylight.aaa.api.AuthenticationService;
 import org.opendaylight.aaa.api.TokenStore;
 import org.opendaylight.aaa.api.password.service.PasswordHashService;
 import org.opendaylight.aaa.cert.api.ICertificateManager;
+import org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm;
 import org.opendaylight.aaa.shiro.realm.MoonRealm;
 import org.opendaylight.aaa.tokenauthrealm.auth.TokenAuthenticators;
 import org.opendaylight.aaa.web.servlet.ServletSupport;
@@ -93,22 +94,22 @@ class AAAIniWebEnvironment extends IniWebEnvironment {
 @Override
 public void init() {
 ThreadLocals.DATABROKER_TL.set(dataBroker);
- ThreadLocals.CERT_MANAGER_TL.set(certificateManager);
 ThreadLocals.AUTH_SETVICE_TL.set(authenticationService);
 ThreadLocals.TOKEN_AUTHENICATORS_TL.set(tokenAuthenticators);
 ThreadLocals.TOKEN_STORE_TL.set(tokenStore);
 ThreadLocals.PASSWORD_HASH_SERVICE_TL.set(passwordHashService);
- try (var moonLoad = MoonRealm.prepareForLoad(servletSupport)) {
- // Initialize the Shiro environment from clustered-app-config
- final Ini ini = createIniFromClusteredAppConfig(shiroConfiguration);
- setIni(ini);
- ClassLoaderUtils.getWithClassLoader(AAAIniWebEnvironment.class.getClassLoader(), (Supplier) () -> {
- super.init();
- return null;
- });
+ try (var keyStoneLoad = KeystoneAuthRealm.prepareForLoad(certificateManager)) {
+ try (var moonLoad = MoonRealm.prepareForLoad(servletSupport)) {
+ // Initialize the Shiro environment from clustered-app-config
+ final Ini ini = createIniFromClusteredAppConfig(shiroConfiguration);
+ setIni(ini);
+ ClassLoaderUtils.getWithClassLoader(AAAIniWebEnvironment.class.getClassLoader(), () -> {
+ super.init();
+ return null;
+ });
+ }
 } finally {
 ThreadLocals.DATABROKER_TL.remove();
- ThreadLocals.CERT_MANAGER_TL.remove();
 ThreadLocals.AUTH_SETVICE_TL.remove();
 ThreadLocals.TOKEN_AUTHENICATORS_TL.remove();
 ThreadLocals.TOKEN_STORE_TL.remove();
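Review bot: The two nested try-with-resources statements added to init() in the second hunk can be one statement with two resources, `try (var keystoneLoad = KeystoneAuthRealm.prepareForLoad(certificateManager); var moonLoad = MoonRealm.prepareForLoad(servletSupport)) {`, which closes them in reverse declaration order exactly as the nesting does and removes one indentation level from the body. The new local is spelled `keyStoneLoad` while the class is `KeystoneAuthRealm`; `keystoneLoad` keeps the two consistent. The `(Supplier)` cast dropped from the `getWithClassLoader` lambda may leave the file's `Supplier` import unused unless it is referenced elsewhere, which this hunk does not show. init() continues past the end of the hunk.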
diff --git a/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/ThreadLocals.java b/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/ThreadLocals.java
index 4c819e94a..aed2ae91f 100644
--- a/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/ThreadLocals.java
+++ b/aaa-shiro/impl/src/main/java/org/opendaylight/aaa/shiro/web/env/ThreadLocals.java
@@ -10,7 +10,6 @@ package org.opendaylight.aaa.shiro.web.env;
 import org.opendaylight.aaa.api.AuthenticationService;
 import org.opendaylight.aaa.api.TokenStore;
 import org.opendaylight.aaa.api.password.service.PasswordHashService;
-import org.opendaylight.aaa.cert.api.ICertificateManager;
 import org.opendaylight.aaa.tokenauthrealm.auth.TokenAuthenticators;
 import org.opendaylight.mdsal.binding.api.DataBroker;
 
@@ -23,8 +22,6 @@ import org.opendaylight.mdsal.binding.api.DataBroker;
 public final class ThreadLocals {
 public static final ThreadLocal DATABROKER_TL = new ThreadLocal<>();
 
- public static final ThreadLocal CERT_MANAGER_TL = new ThreadLocal<>();
-
 public static final ThreadLocal AUTH_SETVICE_TL = new ThreadLocal<>();
 
 public static final ThreadLocal TOKEN_STORE_TL = new ThreadLocal<>();
diff --git a/aaa-shiro/impl/src/test/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealmTest.java b/aaa-shiro/impl/src/test/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealmTest.java
index 81d8da629..81a2b7099 100644
--- a/aaa-shiro/impl/src/test/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealmTest.java
+++ b/aaa-shiro/impl/src/test/java/org/opendaylight/aaa/shiro/realm/KeystoneAuthRealmTest.java
@@ -13,6 +13,7 @@ import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.same;
+import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -37,7 +38,6 @@ import org.junit.runner.RunWith;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Captor;
 import org.mockito.Mock;
-import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.opendaylight.aaa.api.shiro.principal.ODLPrincipal;
 import org.opendaylight.aaa.cert.api.ICertificateManager;
@@ -47,7 +47,6 @@ import org.opendaylight.aaa.shiro.keystone.domain.KeystoneToken;
 import org.opendaylight.aaa.shiro.realm.util.http.SimpleHttpClient;
 import org.opendaylight.aaa.shiro.realm.util.http.SimpleHttpRequest;
 import org.opendaylight.aaa.shiro.realm.util.http.UntrustedSSL;
-import org.opendaylight.aaa.shiro.web.env.ThreadLocals;
 
 @RunWith(MockitoJUnitRunner.class)
 public class KeystoneAuthRealmTest {
@@ -78,17 +77,14 @@ public class KeystoneAuthRealmTest {
 
 private KeystoneAuthRealm keystoneAuthRealm;
 
- private KeystoneToken.Token ksToken;
+ // a token for a user without roles
+ private KeystoneToken.Token ksToken = new KeystoneToken.Token();
 
 @Before
 public void setup() throws MalformedURLException, URISyntaxException {
- ThreadLocals.CERT_MANAGER_TL.set(certificateManager);
-
- keystoneAuthRealm = Mockito.spy(new KeystoneAuthRealm());
+ keystoneAuthRealm = spy(new KeystoneAuthRealm(certificateManager));
 
 final String testUrl = "http://example.com";
- // a token for a user without roles
- ksToken = new KeystoneToken.Token();
 
 when(certificateManager.getServerContext()).thenReturn(sslContext);
 when(client.requestBuilder(KeystoneToken.class)).thenReturn(requestBuilder);
-- 
2.36.6
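Review bot: Switching setup() in the last hunk to `new KeystoneAuthRealm(certificateManager)` means the no-arg constructor and `prepareForLoad` path that production code in AAAIniWebEnvironment.init() still depends on is no longer exercised by this test class. A small dedicated test would cover both sides of the new contract: calling `new KeystoneAuthRealm()` with no preparation active must fail with VerifyException, and constructing inside `try (var load = KeystoneAuthRealm.prepareForLoad(certificateManager))` must succeed, with a second no-arg construction after the try block failing again to show the Registration cleared the thread-local. Whether to express the failure checks with `assertThrows` depends on the JUnit version in use, which this hunk does not show.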