refactoring - rename method requiresTls -> requiresServerNameIndication (kroxylicious#1854)

* refactoring - rename method requireTls -> requireServerNameIndication to better communicate the reliance on Server Name Indication TLS extension.

why: renamed for clarity.

Signed-off-by: Keith Wall <kwall@apache.org>

* chase some coverage

Signed-off-by: Keith Wall <kwall@apache.org>

---------

Signed-off-by: Keith Wall <kwall@apache.org>

Author: k-wall

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/clusternetworkaddressconfigprovider/SniRoutingClusterNetworkAddressConfigProvider.java

@@ -114,7 +114,7 @@ public Set<Integer> getSharedPorts() {
         }
 
         @Override
-        public boolean requiresTls() {
+        public boolean requiresServerNameIndication() {
             return true;
         }
 

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/net/EndpointListener.java

@@ -34,10 +34,12 @@ public interface EndpointListener {
     boolean isUseTls();
 
     /**
-     * true if this listener requires TLS (in other words, use SNI).
-     * @return true if this listener requires TLS.
+     * Indicates if the provider requires that connections utilise the Server Name Indication (SNI)
+     * extension to TLS.  If this is true, then the provider cannot support plain connections.
+     *
+     * @return true if this provider requires Server Name Indication (SNI).
      */
-    boolean requiresTls();
+    boolean requiresServerNameIndication();
 
     VirtualClusterModel virtualCluster();
 

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/net/EndpointRegistry.java

@@ -465,7 +465,7 @@ private CompletionStage<Endpoint> registerBinding(Endpoint key, String host, End
                 var bindings = acceptorChannel.attr(CHANNEL_BINDINGS);
                 bindings.setIfAbsent(new ConcurrentHashMap<>());
                 var bindingMap = bindings.get();
-                var bindingKey = virtualCluster.requiresTls() ? RoutingKey.createBindingKey(host) : RoutingKey.NULL_ROUTING_KEY;
+                var bindingKey = virtualCluster.requiresServerNameIndication() ? RoutingKey.createBindingKey(host) : RoutingKey.NULL_ROUTING_KEY;
 
                 // we use a bindingMap attached to the channel to record the bindings to the channel. the #deregisterBinding path
                 // knows to tear down the acceptorChannel when the map becomes empty.

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/model/VirtualClusterModel.java

@@ -116,8 +116,6 @@ private static String generateTlsSummary(Optional<Tls> tlsToSummarize) {
     }
 
     public void addListener(String name, ClusterNetworkAddressConfigProvider provider, Optional<Tls> tls) {
-        validateTLsSettings(provider, tls);
-        validatePortUsage(provider);
         listeners.put(name, new VirtualClusterListenerModel(this, provider, tls, name));
     }
 
@@ -250,21 +248,6 @@ private static SSLParameters getSupportedSSLParameters() {
         }
     }
 
-    private static void validatePortUsage(ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider) {
-        var conflicts = clusterNetworkAddressConfigProvider.getExclusivePorts().stream().filter(p -> clusterNetworkAddressConfigProvider.getSharedPorts().contains(p))
-                .collect(Collectors.toSet());
-        if (!conflicts.isEmpty()) {
-            throw new IllegalStateException(
-                    "The set of exclusive ports described by the cluster endpoint provider must be distinct from those described as shared. Intersection: " + conflicts);
-        }
-    }
-
-    private static void validateTLsSettings(ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider, Optional<Tls> tls) {
-        if (clusterNetworkAddressConfigProvider.requiresTls() && (tls.isEmpty() || !tls.get().definesKey())) {
-            throw new IllegalStateException("Cluster endpoint provider requires server TLS, but this virtual cluster does not define it.");
-        }
-    }
-
     public @NonNull List<NamedFilterDefinition> getFilters() {
         return filters;
     }
@@ -286,8 +269,29 @@ public static class VirtualClusterListenerModel implements EndpointListener {
             this.virtualCluster = virtualCluster;
             this.provider = provider;
             this.tls = tls;
-            this.downstreamSslContext = buildDownstreamSslContext();
             this.name = name;
+            validatePortUsage(provider);
+            validateTLsSettings(provider, tls);
+            this.downstreamSslContext = buildDownstreamSslContext();
+        }
+
+        private void validatePortUsage(ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider) {
+            // This validation seems misplaced.
+            var conflicts = clusterNetworkAddressConfigProvider.getExclusivePorts().stream().filter(p -> clusterNetworkAddressConfigProvider.getSharedPorts().contains(p))
+                    .collect(Collectors.toSet());
+            if (!conflicts.isEmpty()) {
+                throw new IllegalStateException(
+                        "The set of exclusive ports described by the cluster endpoint provider must be distinct from those described as shared. Intersection: "
+                                + conflicts);
+            }
+        }
+
+        private void validateTLsSettings(ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider, Optional<Tls> tls) {
+            if (clusterNetworkAddressConfigProvider.requiresServerNameIndication() && (tls.isEmpty() || !tls.get().definesKey())) {
+                throw new IllegalStateException(
+                        "Cluster endpoint provider requires ServerNameIndication, but virtual cluster listener '%s' does not configure TLS and provide a certificate for the server"
+                                .formatted(name()));
+            }
         }
 
         @Override
@@ -320,8 +324,8 @@ public Optional<String> getBindAddress() {
         }
 
         @Override
-        public boolean requiresTls() {
-            return getClusterNetworkAddressConfigProvider().requiresTls();
+        public boolean requiresServerNameIndication() {
+            return getClusterNetworkAddressConfigProvider().requiresServerNameIndication();
         }
 
         @Override

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/service/ClusterNetworkAddressConfigProvider.java

@@ -69,11 +69,12 @@ default Optional<String> getBindAddress() {
     }
 
     /**
-     * Indicates if this provider requires the use of TLS.
+     * Indicates if the provider requires that connections utilise the Server Name Indication (SNI)
+     * extension to TLS.  If this is true, then the provider cannot support plain connections.
      *
-     * @return true if this provider requires the use of TLS.
+     * @return true if this provider requires Server Name Indication (SNI).
      */
-    default boolean requiresTls() {
+    default boolean requiresServerNameIndication() {
         return false;
     }
 

kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/KafkaProxyTest.java

@@ -120,7 +120,8 @@ public static Stream<Arguments> missingTls() {
                         advertisedBrokerAddressPattern:  broker-$(nodeId)
                     targetCluster:
                       bootstrapServers: kafka.example:1234
-                """, "Cluster endpoint provider requires server TLS, but this virtual cluster does not define it"));
+                """,
+                "Cluster endpoint provider requires ServerNameIndication, but virtual cluster listener 'default' does not configure TLS and provide a certificate for the server"));
     }
 
     @ParameterizedTest(name = "{0}")

kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/internal/net/EndpointRegistryTest.java

@@ -733,7 +733,7 @@ private void configureVirtualClusterMock(EndpointListener cluster, HostPort down
                                              Map<Integer, HostPort> discoveryAddressMap) {
         when(cluster.getClusterBootstrapAddress()).thenReturn(downstreamBootstrap);
         when(cluster.isUseTls()).thenReturn(tls);
-        when(cluster.requiresTls()).thenReturn(sni);
+        when(cluster.requiresServerNameIndication()).thenReturn(sni);
         when(cluster.discoveryAddressMap()).thenReturn(discoveryAddressMap);
         when(cluster.targetCluster()).thenReturn(new TargetCluster(upstreamBootstrap.toString(), null));
         when(cluster.getBrokerIdFromBrokerAddress(any(HostPort.class))).thenReturn(null);

kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/model/VirtualClusterListenerModelTest.java

@@ -43,6 +43,7 @@
 
 import static io.kroxylicious.proxy.service.HostPort.parse;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.junit.jupiter.params.provider.Arguments.argumentSet;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -85,6 +86,33 @@ void delegatesToProviderForAdvertisedPort() {
         assertThat(listener.getAdvertisedBrokerAddress(0)).isEqualTo(advertisedHostPort);
     }
 
+    @Test
+    void delegatesToProviderForBrokerAddress() {
+        var mock = mock(ClusterNetworkAddressConfigProvider.class);
+        var listener = new VirtualClusterListenerModel(mock(VirtualClusterModel.class), mock, Optional.empty(), "default");
+        var brokerAddress = new HostPort("broker", 55);
+        when(mock.getBrokerAddress(0)).thenReturn(brokerAddress);
+        assertThat(listener.getBrokerAddress(0)).isEqualTo(brokerAddress);
+    }
+
+    @Test
+    void delegatesToProviderForBrokerIdFromBrokerAddress() {
+        var mock = mock(ClusterNetworkAddressConfigProvider.class);
+        var listener = new VirtualClusterListenerModel(mock(VirtualClusterModel.class), mock, Optional.empty(), "default");
+        var brokerAddress = new HostPort("broker", 55);
+        when(mock.getBrokerIdFromBrokerAddress(brokerAddress)).thenReturn(1);
+        assertThat(listener.getBrokerIdFromBrokerAddress(brokerAddress)).isEqualTo(1);
+    }
+
+    @Test
+    void delegatesToProviderForServerNameIndication() {
+        var mock = mock(ClusterNetworkAddressConfigProvider.class);
+        var listener = new VirtualClusterListenerModel(mock(VirtualClusterModel.class), mock, Optional.empty(), "default");
+        var brokerAddress = new HostPort("broker", 55);
+        when(mock.requiresServerNameIndication()).thenReturn(true);
+        assertThat(listener.requiresServerNameIndication()).isTrue();
+    }
+
     @Test
     void shouldBuildDownstreamSslContext() {
         // Given
@@ -214,6 +242,44 @@ void shouldApplyDownstreamCipherSuiteRestriction(AllowDeny<String> cipherSuiteAl
                                 }));
     }
 
+    static Stream<Arguments> downstreamListenerThatRequiresSniEnforcesTlsWithKey() {
+        return Stream.of(
+                argumentSet("no tls", Optional.empty()),
+                argumentSet("no key", Optional.of(new Tls(null, null, null, null))));
+    }
+
+    @ParameterizedTest
+    @MethodSource
+    @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+    void downstreamListenerThatRequiresSniEnforcesTlsWithKey(Optional<Tls> downstreamTls) {
+        // Given
+        var model = mock(VirtualClusterModel.class);
+        var provider = mock(ClusterNetworkAddressConfigProvider.class);
+        when(provider.requiresServerNameIndication()).thenReturn(true);
+
+        // When/Then
+        assertThatThrownBy(() -> new VirtualClusterListenerModel(model, provider, downstreamTls, "mylistener"))
+                .isInstanceOf(IllegalStateException.class)
+                .hasMessageContaining(
+                        "Cluster endpoint provider requires ServerNameIndication, but virtual cluster listener 'mylistener' does not configure TLS and provide a certificate for the server");
+    }
+
+    @Test
+    void detectsBadPortConfiguration() {
+        // Given
+        var tls = Optional.<Tls> empty();
+        var model = mock(VirtualClusterModel.class);
+        var provider = mock(ClusterNetworkAddressConfigProvider.class);
+        when(provider.getSharedPorts()).thenReturn(Set.of(9080, 9081));
+        when(provider.getExclusivePorts()).thenReturn(Set.of(9080));
+
+        // When/Then
+        assertThatThrownBy(() -> new VirtualClusterListenerModel(model, provider, tls, "mylistener"))
+                .isInstanceOf(IllegalStateException.class)
+                .hasMessageContaining(
+                        "The set of exclusive ports described by the cluster endpoint provider must be distinct from those described as shared. Intersection: [9080]");
+    }
+
     @NonNull
     private ClusterNetworkAddressConfigProvider createTestClusterNetworkAddressConfigProvider() {
         final PortPerBrokerClusterNetworkAddressConfigProviderConfig clusterNetworkAddressConfigProviderConfig = new PortPerBrokerClusterNetworkAddressConfigProviderConfig(