authordoufenghu <[email protected]>2024-09-27 19:37:49 +0800
committerdoufenghu <[email protected]>2024-09-27 19:37:49 +0800
commit815e819cbd16e944964ea91875a0943f5565f98c (patch)
treed924a9dfd8ec4707608c5d449e5f75d18443b89d
parentf5381de61ece2697082a8eead7b00601108bde2c (diff)
[Improve][Common] add client SSL mutual authentication config.v1.7.0-SNAPSHOT
-rw-r--r--config/grootstream.yaml7
-rw-r--r--docs/grootstream-config.md29
-rw-r--r--docs/grootstream-design-cn.md13
-rw-r--r--groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigDomProcessor.java14
-rw-r--r--groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigOptions.java19
-rw-r--r--groot-common/src/main/java/com/geedgenetworks/common/config/SSLConfig.java8
-rw-r--r--groot-examples/end-to-end-example/src/main/resources/grootstream.yaml7
7 files changed, 65 insertions, 32 deletions
diff --git a/config/grootstream.yaml b/config/grootstream.yaml
index d78376d..fdefe44 100644
--- a/config/grootstream.yaml
+++ b/config/grootstream.yaml
@@ -21,9 +21,10 @@ grootstream:
key_path: <vault-key-path>
ssl:
- disabled: true
- cert_path: ./config/ssl/cert.pem
- private_key_path: ./config/ssl/key.pem
+ enabled: false
+ cert_file: ./config/ssl/cert.pem
+ key_file: ./config/ssl/key.pem
+ require_client_auth: false
properties:
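Review bot: The kms block in this file still carries `key_path: <vault-key-path>` (the context line just above `ssl:`), while the documentation hunk in this same commit removes `key_path` from the KMS table and documents `default_key_path` and `plugin_key_path` instead; the end-to-end example config keeps `key_path` as well. If the KMS parser no longer recognizes `key_path`, both shipped configs would silently lose their Vault key path. The line would become `default_key_path: <vault-key-path>` followed by `plugin_key_path: <vault-plugin-key-path>`, matching the docs example; worth confirming against the KMS config parser, which is not part of this diff.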
diff --git a/docs/grootstream-config.md b/docs/grootstream-config.md
index 6627314..5526037 100644
--- a/docs/grootstream-config.md
+++ b/docs/grootstream-config.md
@@ -83,10 +83,11 @@ Key Management System(KMS). It is a service that provides a secure way to create
| Name | Type | Required | Default | Description |
|:-----| :----- | :------- | :-- ---- |:------------------------------------------------ |
-| type | String | Yes | local | The type of the Key Management Service. Enum: local, vault. |
-| url | String | No | (none) | The kms server's URL (e.g., `http://localhost:8200`). |
+| type | String | Yes | local | The type of the Key Management Service. Enum: local, vault. |
+| url | String | No | (none) | The kms server's URL (e.g., `http://localhost:8200`). |
| token | String | No | (none) | The authentication token |
-| key_path | String | No | (none) | If you enabled authentication in HashiCorp Vault with a custom path. |
+| default_key_path | String | No | (none) | HashiCorp Vault default key path. for example, `transit/` |
+| plugin_key_path | String | No | (none) | HashiCorp Vault plugin key path. for example, `plugin/gmsm` |
```yaml
kms:
@@ -96,7 +97,27 @@ Key Management System(KMS). It is a service that provides a secure way to create
type: vault
url: <vault-url>
token: <vault-token>
- key_path: <vault-key-path>
+ default_key_path: <vault-key-path>
+ plugin_key_path: <vault-plugin-key-path>
+```
+
+## SSL
+
+Client enabled SSL configuration. It is used to client SSL mutual authentication with Vault.
+
+| Name | Type | Required | Default | Description |
+|:-----| :----- | :------- | :-- ---- |:------------------------------------------------ |
+| enabled | Boolean | Yes | false | Enable SSL configuration. |
+| cert_file | String | Yes | (none) | The path of the certificate file. |
+| key_file | String | Yes | (none) | The path of the private key file. |
+| require_client_auth | Boolean | Yes | false | Enable client authentication |
+
+```yaml
+ ssl:
+ enabled: true
+ cert_file: /path/to/cert.pem
+ key_file: /path/to/key.pem
+ require_client_auth: true
```
diff --git a/docs/grootstream-design-cn.md b/docs/grootstream-design-cn.md
index 253f95d..bde9c9d 100644
--- a/docs/grootstream-design-cn.md
+++ b/docs/grootstream-design-cn.md
@@ -118,9 +118,10 @@ grootstream:
default_key_path: <default-vault-key-path>
plugin_key_path: <plugin-vault-key-path>
ssl:
- disabled: true
- cert_path: <certificate-path>
- private_key_path: <private-key-path>
+ enabled: false
+ cert_file: <certificate-file>
+ key_file: <private-key-file>
+ require_client_auth: false
properties: # 用户自定义属性的支持从函数中获取,使用方式见函数定义
hos.path: http://127.0.0.1:9093
@@ -129,11 +130,11 @@ grootstream:
scheduler.knowledge_base.update.interval.minutes: 1 #知识库文件定时更新时间
```
-| 属性名 | 必填 | 默认值 | 类型 | 描述 |
-| -------------- | ---- | ------ | ------------------ | ---------------------------------------------- |
+| 属性名 | 必填 | 默认值 | 类型 | 描述 |
+|----------------| ---- | ------ | ------------------ | ---------------------------------------------- |
| knowledge_base | Y | - | Object | 知识库配置 |
| kms | N | - | Object | kms (key management system, 密钥管理系统) 配置 |
-| tls | N | - | Object | 客户端启用SSL双向认证 |
+| ssl | N | - | Object | 客户端启用SSL双向认证 |
| properties | N | - | Map(String,Object) | 自定义属性配置:key-value 格式 |
diff --git a/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigDomProcessor.java b/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigDomProcessor.java
index 249033d..eec66fa 100644
--- a/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigDomProcessor.java
+++ b/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigDomProcessor.java
@@ -88,12 +88,14 @@ public class CommonConfigDomProcessor extends AbstractDomConfigProcessor {
SSLConfig sslConfig = new SSLConfig();
for (Node node : childElements(sslRootNode)) {
String name = cleanNodeName(node);
- if (CommonConfigOptions.SSL_DISABLED.key().equals(name)) {
- sslConfig.setDisabled(getBooleanValue(getTextContent(node)));
- } else if (CommonConfigOptions.SSL_CERT_PATH.key().equals(name)) {
- sslConfig.setCertPath(getTextContent(node));
- } else if (CommonConfigOptions.SSL_PRIVATE_KEY_PATH.key().equals(name)) {
- sslConfig.setPrivateKeyPath(getTextContent(node));
+ if (CommonConfigOptions.SSL_ENABLED.key().equals(name)) {
+ sslConfig.setEnabled(getBooleanValue(getTextContent(node)));
+ } else if (CommonConfigOptions.SSL_CERT_FILE.key().equals(name)) {
+ sslConfig.setCertFile(getTextContent(node));
+ } else if (CommonConfigOptions.SSL_KEY_FILE.key().equals(name)) {
+ sslConfig.setKeyFile(getTextContent(node));
+ } else if (CommonConfigOptions.SSL_REQUIRE_CLIENT_AUTH.key().equals(name)) {
+ sslConfig.setRequireClientAuth(getBooleanValue(getTextContent(node)));
} else {
log.warn("Unrecognized SSL configuration element: {}", name);
}
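Review bot: An existing configuration written with the retired keys `disabled`, `cert_path` and `private_key_path` now only reaches the `log.warn` in the `else` branch and leaves `sslConfig` at its defaults, so a deployment that had SSL turned on keeps running with `enabled=false` and no error. Suggest rejecting the old names explicitly with an extra branch before the `else`, e.g. `} else if ("disabled".equals(name) || "cert_path".equals(name) || "private_key_path".equals(name)) { throw new IllegalArgumentException("SSL option '" + name + "' was renamed; see the ssl section of the configuration docs"); }`. Separately, nothing checks that `cert_file` and `key_file` are set when `enabled` is true (both default to `""`); a check after the loop such as `if (Boolean.TRUE.equals(sslConfig.getEnabled()) && (sslConfig.getCertFile().isEmpty() || sslConfig.getKeyFile().isEmpty())) throw new IllegalArgumentException("ssl.cert_file and ssl.key_file are required when ssl.enabled is true");` would fail fast instead of surfacing later as a TLS handshake error. The enclosing method and the `for` loop both start and end outside this hunk.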
diff --git a/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigOptions.java b/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigOptions.java
index 48a99ba..d3f1cb9 100644
--- a/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigOptions.java
+++ b/groot-common/src/main/java/com/geedgenetworks/common/config/CommonConfigOptions.java
@@ -88,20 +88,25 @@ public class CommonConfigOptions {
.noDefaultValue()
.withDescription("The ssl configuration.");
- public static final Option<Boolean> SSL_DISABLED = Options.key("disabled")
+ public static final Option<Boolean> SSL_ENABLED = Options.key("enabled")
.booleanType()
- .defaultValue(true)
- .withDescription("The disabled flag of the configuration.");
+ .defaultValue(false)
+ .withDescription("The enabled flag of the configuration.");
- public static final Option<String> SSL_CERT_PATH = Options.key("cert_path")
+ public static final Option<String> SSL_CERT_FILE = Options.key("cert_file")
.stringType()
.defaultValue("")
- .withDescription("The certificate path of the configuration.");
+ .withDescription("The certificate file path of the configuration.");
- public static final Option<String> SSL_PRIVATE_KEY_PATH = Options.key("private_key_path")
+ public static final Option<String> SSL_KEY_FILE = Options.key("key_file")
.stringType()
.defaultValue("")
- .withDescription("The private key path of the configuration.");
+ .withDescription("The private key file path of the configuration.");
+
+ public static final Option<Boolean> SSL_REQUIRE_CLIENT_AUTH = Options.key("require_client_auth")
+ .booleanType()
+ .defaultValue(false)
+ .withDescription("The require client auth flag of the configuration.");
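Review bot: The descriptions of the new options give a reader nothing to act on: `SSL_REQUIRE_CLIENT_AUTH` is described as "The require client auth flag of the configuration.", which on a client-side config does not explain how it differs from simply supplying `cert_file`/`key_file`, and `SSL_ENABLED` is "The enabled flag of the configuration.". Suggest stating the effect, e.g. `.withDescription("Whether SSL is enabled for client connections; when true, cert_file and key_file must be set.")` and `.withDescription("Whether the certificate from cert_file/key_file is presented to the server for mutual TLS (client authentication).")`, adjusted to what the consumer of SSLConfig actually does with the flag, which is not visible in this diff. This block also defines no trust-anchor option (CA certificate or trust store); if server-certificate verification for the Vault connection depends on one, it cannot be configured here — worth confirming.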
diff --git a/groot-common/src/main/java/com/geedgenetworks/common/config/SSLConfig.java b/groot-common/src/main/java/com/geedgenetworks/common/config/SSLConfig.java
index 0759711..7df5c5b 100644
--- a/groot-common/src/main/java/com/geedgenetworks/common/config/SSLConfig.java
+++ b/groot-common/src/main/java/com/geedgenetworks/common/config/SSLConfig.java
@@ -7,11 +7,13 @@ import java.io.Serializable;
@Data
public class SSLConfig implements Serializable {
- private Boolean disabled = CommonConfigOptions.SSL_DISABLED.defaultValue();
+ private Boolean enabled = CommonConfigOptions.SSL_ENABLED.defaultValue();
- private String certPath = CommonConfigOptions.SSL_CERT_PATH.defaultValue();
+ private String certFile = CommonConfigOptions.SSL_CERT_FILE.defaultValue();
- private String privateKeyPath = CommonConfigOptions.SSL_PRIVATE_KEY_PATH.defaultValue();
+ private String keyFile = CommonConfigOptions.SSL_KEY_FILE.defaultValue();
+
+ private Boolean requireClientAuth = CommonConfigOptions.SSL_REQUIRE_CLIENT_AUTH.defaultValue();
}
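Review bot: The two flags are declared as `Boolean` wrappers, so the Lombok setters generated by `@Data` (`setEnabled`, `setRequireClientAuth`) accept null and any later unboxing such as `if (sslConfig.getEnabled())` would throw NullPointerException, even though the defaults taken from CommonConfigOptions show null is never intended. Primitive fields, `private boolean enabled = ...` and `private boolean requireClientAuth = ...`, would make that explicit; note Lombok would then generate `isEnabled()` rather than `getEnabled()`, so callers outside this diff would need checking. A short comment on `requireClientAuth`, e.g. `// client-side: whether certFile/keyFile are presented for mutual TLS`, would also help, since the name reads like a server-side setting.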
diff --git a/groot-examples/end-to-end-example/src/main/resources/grootstream.yaml b/groot-examples/end-to-end-example/src/main/resources/grootstream.yaml
index 20c71f5..2c352a2 100644
--- a/groot-examples/end-to-end-example/src/main/resources/grootstream.yaml
+++ b/groot-examples/end-to-end-example/src/main/resources/grootstream.yaml
@@ -20,9 +20,10 @@ grootstream:
key_path: <vault-key-path>
ssl:
- disabled: false
- cert_path: ./config/ssl/cert.pem
- private_key_path: ./config/ssl/key.pem
+ enabled: true
+ cert_file: ./config/ssl/cert.pem
+ key_file: ./config/ssl/key.pem
+ require_client_auth: true
properties:
hos.path: http://192.168.44.12:9098/hos