Remove TSSslSecretXxx TS API functions.

Author: ywkaras

doc/developer-guide/api/functions/TSLifecycleHookAdd.en.rst

@@ -40,8 +40,8 @@ specified by :arg:`id`. Lifecycle hooks are based on the Traffic Server
 process, not on any specific transaction or session. These will typically be
 called only once during the execution of the Traffic Server process and
 therefore should be added in :func:`TSPluginInit` (which could itself be
-considered a lifecycle hook). Unlike other hooks, lifecycle hooks may not have a
-well defined ordering and use of them should not assume that one of the hooks
+considered a lifecycle hook). Unlike other hooks, lifecycle hooks may not have
+a well defined ordering and use of them should not assume that one of the hooks
 is always called before another unless specifically mentioned.
 
 Types
@@ -106,14 +106,6 @@ Types
       Invoked with the event :c:data:`TS_EVENT_LIFECYCLE_TASK_THREADS_READY` and ``NULL``
       data.
 
-   .. cpp:enumerator:: TS_LIFECYCLE_SSL_SECRET_HOOK
-
-      Called before the data for the certificate or key is loaded.  The data argument to the callback is a pointer to a :type:`TSSecretID` which
-      contains a pointer to the name of the certificate or key and the relevant version if applicable.
-
-      This hook gives the plugin a chance to load the certificate or key from an alternative source and set via the :c:func:`TSSslSecretSet` API.
-      If there is no plugin override, the certificate or key will be loaded from disk and the secret name will be interpreted as a file path.
-
    .. cpp:enumerator:: TS_LIFECYCLE_SHUTDOWN_HOOK
 
       Called after |TS| receiving a shutdown signal, such as SIGTERM.

doc/developer-guide/api/functions/TSSslSecret.en.rst

@@ -547,9 +547,6 @@ make the older ``stats_over_http`` obsolete.
 Plugin APIs
 -----------
 
-A new hook for loading certificates was added, :cpp:enumerator:`TS_LIFECYCLE_SSL_SECRET_HOOK`. When using
-this hook, the plugin recieved a structure with a type :c:type:`TSSecretID`.
-
 The transction control APIs where refactored and promoted to that ``ts.h`` public APIs. This adds
 :c:func:`TSHttpTxnCntlGet` and :c:func:`TSHttpTxnCntlSet`, and the c:enum::`TSHttpCntlType` enum.
 

doc/release-notes/whats-new.en.rst

@@ -438,8 +438,8 @@ typedef enum {
   TS_LIFECYCLE_MSG_HOOK,
   TS_LIFECYCLE_TASK_THREADS_READY_HOOK,
   TS_LIFECYCLE_SHUTDOWN_HOOK,
-  TS_LIFECYCLE_SSL_SECRET_HOOK,
-  TS_LIFECYCLE_LAST_HOOK
+  // TS_LIFECYCLE_SSL_SECRET_HOOK, future release
+  TS_LIFECYCLE_LAST_HOOK = TS_LIFECYCLE_SHUTDOWN_HOOK + 2
 } TSLifecycleHookID;
 
 /**

include/ts/apidefs.h.in

@@ -1302,15 +1302,6 @@ tsapi TSSslContext TSSslClientContextFindByName(const char *ca_paths, const char
 tsapi TSReturnCode TSSslClientCertUpdate(const char *cert_path, const char *key_path);
 tsapi TSReturnCode TSSslServerCertUpdate(const char *cert_path, const char *key_path);
 
-/* Update the transient secret table for SSL_CTX loading */
-tsapi TSReturnCode TSSslSecretSet(const char *secret_name, int secret_name_length, const char *secret_data, int secret_data_length);
-
-/* Returns secret with given name (not null terminted).  If there is no secret with the given name, return value will
-** be null and secret_data_lenght will be zero.  Calling code must free data buffer by calling TSfree(). */
-tsapi char *TSSslSecretGet(const char *secret_name, int secret_name_length, int *secret_data_length);
-
-tsapi TSReturnCode TSSslSecretUpdate(const char *secret_name, int secret_name_length);
-
 /* Create a new SSL context based on the settings in records.config */
 tsapi TSSslContext TSSslServerContextCreate(TSSslX509 cert, const char *certname, const char *rsp_file);
 tsapi void TSSslContextDestroy(TSSslContext ctx);

include/ts/ts.h

@@ -28,14 +28,14 @@
 // NOTE: The secret_map_mutex should not be held by the caller of this
 // function. The implementation of this function may call a plugin's
 // TS_EVENT_SSL_SECRET handler which in turn may grab a lock for
-// secret_map_mutex via a TSSslSecretSet call. These events will result in a
-// deadlock.
+// secret_map_mutex via a TSSslSecretSet (proposed in a future release) call.
+// These events will result in a deadlock.
 void
 SSLSecret::loadSecret(const std::string &name1, const std::string &name2, std::string &data1, std::string &data2)
 {
   // Call the load secret hooks
   //
-  class APIHook *curHook = lifecycle_hooks->get(TS_LIFECYCLE_SSL_SECRET_HOOK);
+  class APIHook *curHook = lifecycle_hooks->get(/* TS_LIFECYCLE_SSL_SECRET_HOOK */ TS_LIFECYCLE_LAST_HOOK /* dummy value */);
   TSSecretID secret_name;
   secret_name.cert_name     = name1.data();
   secret_name.cert_name_len = name1.size();

iocore/net/SSLSecret.cc

@@ -9640,74 +9640,6 @@ TSSslContextFindByAddr(struct sockaddr const *addr)
   return ret;
 }
 
-/**
- * This function sets the secret cache value for a given secret name.  This allows
- * plugins to load cert/key PEM information on for use by the TLS core
- */
-tsapi TSReturnCode
-TSSslSecretSet(const char *secret_name, int secret_name_length, const char *secret_data, int secret_data_len)
-{
-  TSReturnCode retval = TS_SUCCESS;
-  std::string const secret_name_str{secret_name, unsigned(secret_name_length)};
-  SSLConfigParams *load_params = SSLConfig::load_acquire();
-  SSLConfigParams *params      = SSLConfig::acquire();
-  if (load_params != nullptr) { // Update the current data structure
-    Debug("ssl.cert_update", "Setting secrets in SSLConfig load for: %.*s", secret_name_length, secret_name);
-    load_params->secrets.setSecret(secret_name_str, std::string_view(secret_data, secret_data_len));
-    load_params->updateCTX(secret_name_str);
-    SSLConfig::load_release(load_params);
-  }
-  if (params != nullptr) {
-    Debug("ssl.cert_update", "Setting secrets in SSLConfig for: %.*s", secret_name_length, secret_name);
-    params->secrets.setSecret(secret_name_str, std::string_view(secret_data, secret_data_len));
-    params->updateCTX(secret_name_str);
-    SSLConfig::release(params);
-  }
-  return retval;
-}
-
-tsapi TSReturnCode
-TSSslSecretUpdate(const char *secret_name, int secret_name_length)
-{
-  TSReturnCode retval     = TS_SUCCESS;
-  SSLConfigParams *params = SSLConfig::acquire();
-  if (params != nullptr) {
-    params->updateCTX(std::string(secret_name, secret_name_length));
-  }
-  SSLConfig::release(params);
-  return retval;
-}
-
-tsapi char *
-TSSslSecretGet(const char *secret_name, int secret_name_length, int *secret_data_length)
-{
-  sdk_assert(secret_name != nullptr);
-  sdk_assert(secret_data_length != nullptr);
-
-  bool loading            = true;
-  SSLConfigParams *params = SSLConfig::load_acquire();
-  if (params == nullptr) {
-    params  = SSLConfig::acquire();
-    loading = false;
-  }
-  std::string const secret_data = params->secrets.getSecret(std::string(secret_name, secret_name_length));
-  char *data{nullptr};
-  if (secret_data.empty()) {
-    *secret_data_length = 0;
-
-  } else {
-    data = static_cast<char *>(ats_malloc(secret_data.size()));
-    memcpy(data, secret_data.data(), secret_data.size());
-    *secret_data_length = secret_data.size();
-  }
-  if (loading) {
-    SSLConfig::load_release(params);
-  } else {
-    SSLConfig::release(params);
-  }
-  return data;
-}
-
 /**
  * This function retrieves an array of lookup keys for client contexts loaded in
  * traffic server. Given a 2-level mapping for client contexts, every 2 lookup keys