authorMina Mahmood <mina.mahmood@mongodb.com>2020-06-30 23:29:13 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-07-09 20:04:47 +0000
commit64b48df7ee020d6ac68aaeda4523bfccf0d5b7cd (patch)
tree2f5ad3c26d9e4fc20c78ed5f902293ec8d6c54ba
parent7afcf9895eb7da296f602604e2973cdb6fa0c67f (diff)
downloadmongo-64b48df7ee020d6ac68aaeda4523bfccf0d5b7cd.tar.gz
SERVER-49113 Rewrote CertificateExpirationMonitor class
-rw-r--r--src/mongo/util/net/private/ssl_expiration.cpp20
-rw-r--r--src/mongo/util/net/private/ssl_expiration.h42
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp4
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp4
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp4
5 files changed, 48 insertions, 26 deletions
diff --git a/src/mongo/util/net/private/ssl_expiration.cpp b/src/mongo/util/net/private/ssl_expiration.cpp
index 59810487b11..142ee713405 100644
--- a/src/mongo/util/net/private/ssl_expiration.cpp
+++ b/src/mongo/util/net/private/ssl_expiration.cpp
@@ -34,20 +34,29 @@
#include <string>
#include "mongo/logv2/log.h"
+#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/time_support.h"
namespace mongo {
static const auto oneDay = Hours(24);
-CertificateExpirationMonitor::CertificateExpirationMonitor(Date_t date)
- : _certExpiration(date), _lastCheckTime(Date_t::now()) {}
+std::unique_ptr<CertificateExpirationMonitor::CertificateExpirationMonitorTask>
+ CertificateExpirationMonitor::_task;
-std::string CertificateExpirationMonitor::taskName() const {
+void CertificateExpirationMonitor::updateExpirationDeadline(Date_t date) {
+ if (!_task) {
+ _task = std::make_unique<CertificateExpirationMonitorTask>();
+ }
+ stdx::lock_guard<Mutex> lock(_task->_mutex);
+ _task->_certExpiration = date;
+}
+
+std::string CertificateExpirationMonitor::CertificateExpirationMonitorTask::taskName() const {
return "CertificateExpirationMonitor";
}
-void CertificateExpirationMonitor::taskDoWork() {
+void CertificateExpirationMonitor::CertificateExpirationMonitorTask::taskDoWork() {
const Milliseconds timeSinceLastCheck = Date_t::now() - _lastCheckTime;
if (timeSinceLastCheck < oneDay)
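Review bot: The `if (!_task)` check-then-create in `updateExpirationDeadline` runs before any lock is taken, because the only mutex lives inside the object being created. If two SSL managers can ever be constructed concurrently (this hunk does not show whether they can), both callers may see a null `_task`, and one newly created task is destroyed while the other thread may be locking its `_mutex`. A function-local `static CertificateExpirationMonitorTask task;` followed by `stdx::lock_guard<Mutex> lock(task._mutex);` would get thread-safe one-time initialization from the language and make the static `_task` member unnecessary. Separately, `_lastCheckTime` is not reset when the deadline changes, so a newly loaded certificate that is already expired or close to expiry may go unreported for up to `oneDay`; `taskDoWork` continues past the end of this hunk.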
@@ -56,6 +65,7 @@ void CertificateExpirationMonitor::taskDoWork() {
const Date_t now = Date_t::now();
_lastCheckTime = now;
+ stdx::lock_guard<Mutex> lock(_mutex);
if (_certExpiration <= now) {
// The certificate has expired.
LOGV2_WARNING(23785,
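Review bot: The `lock_guard` added before the `_certExpiration <= now` comparison appears to stay in scope for the rest of `taskDoWork`, so the `LOGV2_WARNING` calls run with `_mutex` held and a concurrent `updateExpirationDeadline` call would have to wait for logging to finish. Copying the value under a short lock, e.g. `const Date_t certExpiration = [&] { stdx::lock_guard<Mutex> lock(_mutex); return _certExpiration; }();`, and using the copy in the comparisons and log attributes below would reduce the critical section to a single read. The function starts and ends outside this hunk, so the actual lock scope should be confirmed there.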
@@ -68,7 +78,7 @@ void CertificateExpirationMonitor::taskDoWork() {
const auto remainingValidDuration = _certExpiration - now;
if (remainingValidDuration <= 30 * oneDay) {
- // The certificate will expire in the next 30 days.
+ // The certificate will expire in the next 30 days
LOGV2_WARNING(23786,
"Server certificate will expire on {certExpiration} in "
"{validDuration}.",
diff --git a/src/mongo/util/net/private/ssl_expiration.h b/src/mongo/util/net/private/ssl_expiration.h
index fb22505c020..bd1370ce28f 100644
--- a/src/mongo/util/net/private/ssl_expiration.h
+++ b/src/mongo/util/net/private/ssl_expiration.h
@@ -34,27 +34,39 @@
namespace mongo {
-class CertificateExpirationMonitor : public PeriodicTask {
-public:
- explicit CertificateExpirationMonitor(Date_t date);
+class CertificateExpirationMonitor {
+private:
+ class CertificateExpirationMonitorTask : public PeriodicTask {
+ /**
+ * Gets the PeriodicTask's name.
+ * @return CertificateExpirationMonitorTask's name.
+ */
+ std::string taskName() const override;
- /**
- * Gets the PeriodicTask's name.
- * @return CertificateExpirationMonitor's name.
- */
- virtual std::string taskName() const;
+ /**
+ * Wakes up every minute as it is a PeriodicTask.
+ * Checks once a day if the server certificate has expired
+ * or will expire in the next 30 days and sends a warning
+ * to the log accordingly.
+ */
+ void taskDoWork() override;
+ Date_t _lastCheckTime{Date_t::now()};
+
+ public:
+ Mutex _mutex = MONGO_MAKE_LATCH("CertificateExpirationMonitorTask::_mutex");
+ Date_t _certExpiration;
+ };
+
+public:
/**
- * Wakes up every minute as it is a PeriodicTask.
- * Checks once a day if the server certificate has expired
- * or will expire in the next 30 days and sends a warning
- * to the log accordingly.
+ * Updates the server certificate's expiration deadline.
+ * Instantiates a CertificateExpirationMonitorTask if needed.
*/
- virtual void taskDoWork();
+ static void updateExpirationDeadline(Date_t date);
private:
- const Date_t _certExpiration;
- Date_t _lastCheckTime;
+ static std::unique_ptr<CertificateExpirationMonitorTask> _task;
};
} // namespace mongo
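Review bot: The new `_mutex` and `_certExpiration` members are public on the nested task but carry no comment saying what the mutex protects, while `_lastCheckTime` is deliberately left outside it. A line such as `// Guards _certExpiration, which is written by updateExpirationDeadline() and read by taskDoWork().` above `_mutex` would record that. The doc comment on `updateExpirationDeadline` should also say that the deadline is process-wide and each call replaces the previous value, since the three SSL manager constructors now all write to the same static `_task`.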
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index d96ee83ced1..ceef3eff55f 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1294,8 +1294,8 @@ SSLManagerApple::SSLManagerApple(const SSLParams& params, bool isServer)
uassertStatusOK(
_sslConfiguration.setServerSubjectName(uassertStatusOK(certificateGetSubject(
_serverCtx.certs.get(), &_sslConfiguration.serverCertificateExpirationDate))));
- static auto task =
- CertificateExpirationMonitor(_sslConfiguration.serverCertificateExpirationDate);
+ CertificateExpirationMonitor::updateExpirationDeadline(
+ _sslConfiguration.serverCertificateExpirationDate);
}
}
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 90fd2d5eba9..466da80d840 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1381,8 +1381,8 @@ SSLManagerOpenSSL::SSLManagerOpenSSL(const SSLParams& params, bool isServer)
uassertStatusOK(_sslConfiguration.setServerSubjectName(std::move(serverSubjectName)));
- static CertificateExpirationMonitor task =
- CertificateExpirationMonitor(_sslConfiguration.serverCertificateExpirationDate);
+ CertificateExpirationMonitor::updateExpirationDeadline(
+ _sslConfiguration.serverCertificateExpirationDate);
}
}
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 5eed0bdb6a1..0e50c4c98fd 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -435,8 +435,8 @@ SSLManagerWindows::SSLManagerWindows(const SSLParams& params, bool isServer)
}
// Monitor the server certificate's expiration
- static CertificateExpirationMonitor task =
- CertificateExpirationMonitor(_sslConfiguration.serverCertificateExpirationDate);
+ CertificateExpirationMonitor::updateExpirationDeadline(
+ _sslConfiguration.serverCertificateExpirationDate);
}
uassertStatusOK(_initChainEngines(&_serverEngine));
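Review bot: `updateExpirationDeadline` is called before `uassertStatusOK(_initChainEngines(&_serverEngine))`, so if that later step throws, the process-wide monitor already holds the expiration date of a certificate whose manager was never fully constructed. The old function-local `static` was initialized only once, whereas every constructor call now overwrites the deadline, so a failed reload (if managers are rebuilt at runtime, which this hunk does not show) could leave the expiry warnings tracking the wrong certificate. Moving the call to the end of the constructor, after the last `uassert`, would avoid that. The equivalent calls in ssl_manager_apple.cpp and ssl_manager_openssl.cpp are worth checking for the same ordering. The constructor body extends beyond this hunk.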