Skip to content

Ensure consistent X.509 SVID and bundle reads in DefaultX509Source #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
maxlambrecht merged 2 commits into from
Jan 22, 2026
+27 −7
Merged

Ensure consistent X.509 SVID and bundle reads in DefaultX509Source #397

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
eeeb203
fix(x509source): ensure atomic snapshot of SVID and bundles
maxlambrecht Jan 22, 2026
2b6ead3
Merge branch 'main' into fix/x509source-atomic-snapshot
maxlambrecht Jan 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 27 additions & 7 deletions java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,17 @@ public final class DefaultX509Source implements X509Source {
private static final String TIMEOUT_SYSTEM_PROPERTY = "spiffe.newX509Source.timeout";
private static final Duration DEFAULT_TIMEOUT = Duration.parse(System.getProperty(TIMEOUT_SYSTEM_PROPERTY, "PT0S"));

private X509Svid svid;
private X509BundleSet bundles;
private static final class X509Snapshot {
final X509Svid svid;
final X509BundleSet bundles;

X509Snapshot(X509Svid svid, X509BundleSet bundles) {
this.svid = svid;
this.bundles = bundles;
}
}

private volatile X509Snapshot snapshot;

private final Function<List<X509Svid>, X509Svid> picker;
private final WorkloadApiClient workloadApiClient;
Expand Down Expand Up @@ -134,7 +143,11 @@ public X509Svid getX509Svid() {
if (isClosed()) {
throw new IllegalStateException("X.509 SVID source is closed");
}
return svid;
X509Snapshot snap = snapshot;
if (snap == null) {
throw new IllegalStateException("X.509 SVID source not initialized");
}
return snap.svid;
}

/**
Expand All @@ -149,7 +162,11 @@ public X509Bundle getBundleForTrustDomain(TrustDomain trustDomain) throws Bundle
if (isClosed()) {
throw new IllegalStateException("X.509 bundle source is closed");
}
return bundles.getBundleForTrustDomain(trustDomain);
X509Snapshot snap = snapshot;
if (snap == null) {
throw new IllegalStateException("X.509 bundle source not initialized");
}
return snap.bundles.getBundleForTrustDomain(trustDomain);
}

/**
Expand Down Expand Up @@ -224,10 +241,13 @@ private void setX509Context(final X509Context update) {
} else {
svidUpdate = picker.apply(update.getX509Svids());
}
synchronized (this) {
this.svid = svidUpdate;
this.bundles = update.getX509BundleSet();

X509BundleSet bundleSet = update.getX509BundleSet();
if (bundleSet == null) {
throw new IllegalArgumentException("X509Context bundle set cannot be null");
}

this.snapshot = new X509Snapshot(svidUpdate, bundleSet);
}

private boolean isClosed() {
Expand Down