update javadocs + add mtlsServiceAddress.

Author: rmehta19

gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java

@@ -107,6 +107,8 @@ public final class InstantiatingGrpcChannelProvider implements TransportChannelP
   @VisibleForTesting
   static final String DIRECT_PATH_ENV_ENABLE_XDS = "GOOGLE_CLOUD_ENABLE_DIRECT_PATH_XDS";
 
+  // The public portion of the mTLS MDS root certificate is stored for performing
+  // cert verification when establishing an mTLS connection with the MDS.
   private static final String MTLS_MDS_ROOT = "/run/google-mds-mtls/root.crt";
   // The mTLS MDS credentials are formatted as the concatenation of a PEM-encoded certificate chain
   // followed by a PEM-encoded private key.
@@ -463,7 +465,9 @@ ChannelCredentials createPlaintextToS2AChannelCredentials(String plaintextAddres
    * use the {@code mtlsAddress} address to reach S2A if it is non-empty and the MTLS-MDS
    * credentials can successfully be discovered and used to create {@link TlsChannelCredentials}. If
    * there is any failure using mTLS-to-S2A, fallback to using a plaintext connection to S2A using
-   * the {@code plaintextAddress}.
+   * the {@code plaintextAddress}. If {@code plaintextAddress} is not available, this function
+   * returns null; in this case S2A will not be used, and a TLS connection to the service will be
+   * established.
    *
    * @return {@link ChannelCredentials} configured to use S2A to create mTLS connection to
    *     mtlsEndpoint.
@@ -524,6 +528,14 @@ private ManagedChannel createSingleChannel() throws IOException {
     int port = Integer.parseInt(endpoint.substring(colon + 1));
     String serviceAddress = endpoint.substring(0, colon);
 
+    int mtlsColon = endpointContext.mtlsEndpoint().lastIndexOf(':');
+    if (mtlsColon < 0) {
+      throw new IllegalStateException(
+          "invalid mtlsEndpoint - should have been validated: " + endpointContext.mtlsEndpoint());
+    }
+    int mtlsPort = Integer.parseInt(endpointContext.mtlsEndpoint().substring(mtlsColon + 1));
+    String mtlsServiceAddress = endpointContext.mtlsEndpoint().substring(0, mtlsColon);
+
     ManagedChannelBuilder<?> builder;
 
     // Check DirectPath traffic.
@@ -566,7 +578,7 @@ private ManagedChannel createSingleChannel() throws IOException {
         }
         if (channelCredentials != null) {
           // Create the channel using S2A-secured channel credentials.
-          builder = Grpc.newChannelBuilder(endpointContext.mtlsEndpoint(), channelCredentials);
+          builder = Grpc.newChannelBuilder(mtlsServiceAddress, channelCredentials);
         } else {
           // Use default if we cannot initialize channel credentials via DCA or S2A.
           builder = ManagedChannelBuilder.forAddress(serviceAddress, port);

gax-java/gax-grpc/src/test/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProviderTest.java

@@ -86,6 +86,7 @@
 
 class InstantiatingGrpcChannelProviderTest extends AbstractMtlsTransportChannelTest {
   private static final String DEFAULT_ENDPOINT = "test.googleapis.com:443";
+  private static final String DEFAULT_MTLS_ENDPOINT = "test.mtls.googleapis.com:443";
   private static final String API_KEY_HEADER_VALUE = "fake_api_key_2";
   private static final String API_KEY_AUTH_HEADER_KEY = "x-goog-api-key";
   private static String originalOSName;
@@ -205,6 +206,7 @@ void testWithPoolSize() throws IOException {
     executor.shutdown();
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
     TransportChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
             .build()
@@ -272,6 +274,7 @@ private void testWithInterceptors(int numChannels) throws Exception {
 
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
 
     InstantiatingGrpcChannelProvider channelProvider =
         InstantiatingGrpcChannelProvider.newBuilder()
@@ -309,6 +312,7 @@ void testChannelConfigurator() throws IOException {
 
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
 
     // Invoke the provider
     InstantiatingGrpcChannelProvider.newBuilder()
@@ -334,6 +338,7 @@ void testWithGCECredentials() throws IOException {
 
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
 
     TransportChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
@@ -419,6 +424,7 @@ void testWithNonGCECredentials() throws IOException {
 
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
 
     TransportChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
@@ -451,6 +457,7 @@ void testWithDirectPathDisabled() throws IOException {
 
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
 
     TransportChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
@@ -483,6 +490,7 @@ void testWithNoDirectPathFlagSet() throws IOException {
 
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
 
     TransportChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
@@ -507,6 +515,7 @@ void testWithIPv6Address() throws IOException {
 
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
 
     TransportChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
@@ -526,6 +535,7 @@ void testWithIPv6Address() throws IOException {
   void testWithPrimeChannel() throws IOException {
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
     // create channelProvider with different pool sizes to verify ChannelPrimer is called the
     // correct number of times
     for (int poolSize = 1; poolSize < 5; poolSize++) {
@@ -659,6 +669,7 @@ private void createAndCloseTransportChannel(InstantiatingGrpcChannelProvider pro
     InstantiatingGrpcChannelProvider.LOG.addHandler(logHandler);
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
     InstantiatingGrpcChannelProvider provider =
         createChannelProviderBuilderForDirectPathLogTests()
             .setAttemptDirectPathXds()
@@ -706,6 +717,7 @@ void testLogDirectPathMisconfigWrongCredential() throws Exception {
     InstantiatingGrpcChannelProvider.LOG.addHandler(logHandler);
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
     InstantiatingGrpcChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
             .setAttemptDirectPathXds()
@@ -734,6 +746,7 @@ void testLogDirectPathMisconfigNotOnGCE() throws Exception {
     InstantiatingGrpcChannelProvider.LOG.addHandler(logHandler);
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
     InstantiatingGrpcChannelProvider provider =
         InstantiatingGrpcChannelProvider.newBuilder()
             .setAttemptDirectPathXds()
@@ -766,13 +779,16 @@ public void canUseDirectPath_happyPath() throws IOException {
             envProvider.getenv(
                 InstantiatingGrpcChannelProvider.DIRECT_PATH_ENV_DISABLE_DIRECT_PATH))
         .thenReturn("false");
+    EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
     InstantiatingGrpcChannelProvider.Builder builder =
         InstantiatingGrpcChannelProvider.newBuilder()
             .setAttemptDirectPath(true)
             .setCredentials(computeEngineCredentials)
             .setEndpoint(DEFAULT_ENDPOINT)
             .setEnvProvider(envProvider)
-            .setHeaderProvider(Mockito.mock(HeaderProvider.class));
+            .setHeaderProvider(Mockito.mock(HeaderProvider.class))
+            .setEndpointContext(endpointContext);
     InstantiatingGrpcChannelProvider provider =
         new InstantiatingGrpcChannelProvider(builder, GCE_PRODUCTION_NAME_AFTER_2016);
     Truth.assertThat(provider.canUseDirectPath()).isTrue();
@@ -793,6 +809,7 @@ public void canUseDirectPath_directPathEnvVarDisabled() throws IOException {
         .thenReturn("true");
     EndpointContext endpointContext = Mockito.mock(EndpointContext.class);
     Mockito.when(endpointContext.useS2A()).thenReturn(false);
+    Mockito.when(endpointContext.mtlsEndpoint()).thenReturn(DEFAULT_MTLS_ENDPOINT);
     InstantiatingGrpcChannelProvider.Builder builder =
         InstantiatingGrpcChannelProvider.newBuilder()
             .setAttemptDirectPath(true)