Changes discussed.

kannanjgithub · kannanjgithub · commit 0034d9cde542 · 2025-09-25T11:27:47.000Z
diff --git a/netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java
@@ -47,11 +47,9 @@ public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslCo
           ObjectPool<? extends Executor> executorPool,
           Optional<Runnable> handshakeCompleteRunnable,
           TrustManager extendedX509TrustManager,
-          String sni,
-          boolean isXdsTarget) {
+          String sni) {
     final io.grpc.netty.ProtocolNegotiator negotiator = ProtocolNegotiators.tls(sslContext,
-        executorPool, handshakeCompleteRunnable, (X509TrustManager) extendedX509TrustManager, sni,
-        isXdsTarget);
+        executorPool, handshakeCompleteRunnable, (X509TrustManager) extendedX509TrustManager, sni);
     final class TlsNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
 
       @Override
@@ -79,9 +77,9 @@ public void close() {
    * may happen immediately, even before the TLS Handshake is complete.
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(
-      SslContext sslContext, String sni, boolean isXdsTarget,
+      SslContext sslContext, String sni,
       TrustManager extendedX509TrustManager) {
-    return tls(sslContext, null, Optional.absent(), extendedX509TrustManager, sni, isXdsTarget);
+    return tls(sslContext, null, Optional.absent(), extendedX509TrustManager, sni);
   }
 
   /**
diff --git a/netty/src/main/java/io/grpc/netty/NettyChannelBuilder.java b/netty/src/main/java/io/grpc/netty/NettyChannelBuilder.java
@@ -653,7 +653,7 @@ static ProtocolNegotiator createProtocolNegotiatorByType(
         return ProtocolNegotiators.plaintextUpgrade();
       case TLS:
         return ProtocolNegotiators.tls(
-            sslContext, executorPool, Optional.absent(), null, null, false);
+            sslContext, executorPool, Optional.absent(), null, null);
       default:
         throw new IllegalArgumentException("Unsupported negotiationType: " + negotiationType);
     }
diff --git a/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
@@ -564,7 +564,7 @@ static final class ClientTlsProtocolNegotiator implements ProtocolNegotiator {
 
     public ClientTlsProtocolNegotiator(SslContext sslContext,
         ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-        X509TrustManager x509ExtendedTrustManager, String sni, boolean isXdsTarget) {
+        X509TrustManager x509ExtendedTrustManager, String sni) {
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
       this.executorPool = executorPool;
       if (this.executorPool != null) {
@@ -573,18 +573,13 @@ public ClientTlsProtocolNegotiator(SslContext sslContext,
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
       this.x509ExtendedTrustManager = x509ExtendedTrustManager;
       this.sni = sni;
-      this.isXdsTarget = isXdsTarget;
     }
 
     private final SslContext sslContext;
     private final ObjectPool<? extends Executor> executorPool;
     private final Optional<Runnable> handshakeCompleteRunnable;
     private final X509TrustManager x509ExtendedTrustManager;
     private final String sni;
-    // For xds targets there may be no SNI determined, and no SNI may be sent in that case.
-    // Non xds-targets will always use channel authority for SNI. This field is used to handle
-    // the two cases differently.
-    private final boolean isXdsTarget;
     private Executor executor;
 
     @Override
@@ -597,7 +592,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
       ChannelHandler gnh = new GrpcNegotiationHandler(grpcHandler);
       ChannelLogger negotiationLogger = grpcHandler.getNegotiationLogger();
       ChannelHandler cth = new ClientTlsHandler(gnh, sslContext,
-          isXdsTarget ? sni : grpcHandler.getAuthority(),
+          sni != null? sni : grpcHandler.getAuthority(),
           this.executor, negotiationLogger, handshakeCompleteRunnable, null,
           x509ExtendedTrustManager);
       return new WaitUntilActiveHandler(cth, negotiationLogger);
@@ -753,9 +748,9 @@ static HostPort parseAuthority(String authority) {
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
       ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-      X509TrustManager x509ExtendedTrustManager, String sni, boolean isXdsTarget) {
+      X509TrustManager x509ExtendedTrustManager, String sni) {
     return new ClientTlsProtocolNegotiator(sslContext, executorPool, handshakeCompleteRunnable,
-        x509ExtendedTrustManager, sni, isXdsTarget);
+        x509ExtendedTrustManager, sni);
   }
 
   /**
diff --git a/netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java b/netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java
@@ -877,7 +877,7 @@ public void tlsNegotiationServerExecutorShouldSucceed() throws Exception {
         .keyManager(clientCert, clientKey)
         .build();
     ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext, clientExecutorPool,
-        Optional.absent(), null, null, false);
+        Optional.absent(), null, null);
     // after starting the client, the Executor in the client pool should be used
     assertEquals(true, clientExecutorPool.isInUse());
     final NettyClientTransport transport = newTransport(negotiator);
diff --git a/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java b/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
@@ -1271,7 +1271,7 @@ public void clientTlsHandler_firesNegotiation() throws Exception {
     }
     FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
     ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext,
-        null, Optional.absent(), null, null, false);
+        null, Optional.absent(), null, null);
     WriteBufferingAndExceptionHandler clientWbaeh =
         new WriteBufferingAndExceptionHandler(pn.newHandler(gh));
 
diff --git a/xds/src/main/java/io/grpc/xds/TlsContextManager.java b/xds/src/main/java/io/grpc/xds/TlsContextManager.java
@@ -30,7 +30,7 @@ SslContextProvider findOrCreateServerSslContextProvider(
 
   /** Creates a SslContextProvider. Used for retrieving a client-side SslContext. */
   SslContextProvider findOrCreateClientSslContextProvider(
-      UpstreamTlsContext upstreamTlsContext, String sni);
+      UpstreamTlsContext upstreamTlsContext);
 
   /**
    * Releases an instance of the given client-side {@link SslContextProvider}.
@@ -41,8 +41,7 @@ SslContextProvider findOrCreateClientSslContextProvider(
    * <p>Caller must not release a reference more than once. It's advised that you clear the
    * reference to the instance with the null returned by this method.
    */
-  SslContextProvider releaseClientSslContextProvider(SslContextProvider sslContextProvider,
-      String sni);
+  SslContextProvider releaseClientSslContextProvider(SslContextProvider sslContextProvider);
 
   /**
    * Releases an instance of the given server-side {@link SslContextProvider}.
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java b/xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java
@@ -247,7 +247,7 @@ public void updateSslContextAndExtendedX509TrustManager(
                   new Object[]{grpcHandler.getAuthority(), ctx.name()});
               ChannelHandler handler =
                   InternalProtocolNegotiators.tls(
-                      sslContextAndTm.getKey(), sni, true, sslContextAndTm.getValue())
+                      sslContextAndTm.getKey(), sni, sslContextAndTm.getValue())
                       .newHandler(grpcHandler);
 
               // Delegate rest of handshake to TLS handler
@@ -260,8 +260,7 @@ public void updateSslContextAndExtendedX509TrustManager(
             public void onException(Throwable throwable) {
               ctx.fireExceptionCaught(throwable);
             }
-          },
-          sni);
+          });
     }
 
     @Override
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java b/xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java
@@ -42,7 +42,6 @@ public final class SslContextProviderSupplier implements Closeable {
 
   private final BaseTlsContext tlsContext;
   private final TlsContextManager tlsContextManager;
-  private final Set<String> snisSentByClients = new HashSet<>();
   private SslContextProvider sslContextProvider;
   private boolean shutdown;
 
@@ -58,30 +57,30 @@ public BaseTlsContext getTlsContext() {
 
   /** Updates SslContext via the passed callback. */
   public synchronized void updateSslContext(
-      final SslContextProvider.Callback callback, String sni) {
+      final SslContextProvider.Callback callback) {
     checkNotNull(callback, "callback");
     try {
       if (!shutdown) {
         if (sslContextProvider == null) {
-          sslContextProvider = getSslContextProvider(sni);
+          sslContextProvider = getSslContextProvider();
         }
       }
       // we want to increment the ref-count so call findOrCreate again...
-      final SslContextProvider toRelease = getSslContextProvider(sni);
+      final SslContextProvider toRelease = getSslContextProvider();
       toRelease.addCallback(
           new SslContextProvider.Callback(callback.getExecutor()) {
 
           @Override
           public void updateSslContextAndExtendedX509TrustManager(
               AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextAndTm) {
             callback.updateSslContextAndExtendedX509TrustManager(sslContextAndTm);
-            releaseSslContextProvider(toRelease, sni);
+            releaseSslContextProvider(toRelease);
           }
 
           @Override
           public void onException(Throwable throwable) {
             callback.onException(throwable);
-            releaseSslContextProvider(toRelease, sni);
+            releaseSslContextProvider(toRelease);
           }
         });
     } catch (final Throwable throwable) {
@@ -94,20 +93,18 @@ public void run() {
     }
   }
 
-  private void releaseSslContextProvider(SslContextProvider toRelease, String sni) {
+  private void releaseSslContextProvider(SslContextProvider toRelease) {
     if (tlsContext instanceof UpstreamTlsContext) {
-      tlsContextManager.releaseClientSslContextProvider(toRelease, sni);
-      snisSentByClients.remove(sni);
+      tlsContextManager.releaseClientSslContextProvider(toRelease);
     } else {
       tlsContextManager.releaseServerSslContextProvider(toRelease);
     }
   }
 
-  private SslContextProvider getSslContextProvider(String sni) {
+  private SslContextProvider getSslContextProvider() {
     if (tlsContext instanceof UpstreamTlsContext) {
-      snisSentByClients.add(sni);
       return tlsContextManager.findOrCreateClientSslContextProvider(
-          (UpstreamTlsContext) tlsContext, sni);
+          (UpstreamTlsContext) tlsContext);
     }
     return tlsContextManager.findOrCreateServerSslContextProvider(
         (DownstreamTlsContext) tlsContext);
@@ -122,9 +119,7 @@ private SslContextProvider getSslContextProvider(String sni) {
   public synchronized void close() {
     if (sslContextProvider != null) {
       if (tlsContext instanceof UpstreamTlsContext) {
-        for (String sni: snisSentByClients) {
-          tlsContextManager.releaseClientSslContextProvider(sslContextProvider, sni);
-        }
+        tlsContextManager.releaseClientSslContextProvider(sslContextProvider);
       } else {
         tlsContextManager.releaseServerSslContextProvider(sslContextProvider);
       }
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/TlsContextManagerImpl.java b/xds/src/main/java/io/grpc/xds/internal/security/TlsContextManagerImpl.java
@@ -72,7 +72,7 @@ public SslContextProvider findOrCreateServerSslContextProvider(
 
   @Override
   public SslContextProvider findOrCreateClientSslContextProvider(
-      UpstreamTlsContext upstreamTlsContext, String sni) {
+      UpstreamTlsContext upstreamTlsContext) {
     checkNotNull(upstreamTlsContext, "upstreamTlsContext");
     return mapForClients.get(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, sni));
   }
diff --git a/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java b/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java
@@ -1259,7 +1259,7 @@ public Map<ServerInfo, LoadReportClient> getServerLrsClientMap() {
   private static final class FakeTlsContextManager implements TlsContextManager {
     @Override
     public SslContextProvider findOrCreateClientSslContextProvider(
-        UpstreamTlsContext upstreamTlsContext, String sni) {
+        UpstreamTlsContext upstreamTlsContext) {
       SslContextProvider sslContextProvider = mock(SslContextProvider.class);
       when(sslContextProvider.getUpstreamTlsContext()).thenReturn(upstreamTlsContext);
       return sslContextProvider;
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java b/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java
@@ -67,7 +67,7 @@ private void prepareSupplier(boolean createUpstreamTlsContext) {
     mockSslContextProvider = mock(SslContextProvider.class);
     doReturn(mockSslContextProvider)
             .when(mockTlsContextManager)
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
     supplier = new SslContextProviderSupplier(upstreamTlsContext, mockTlsContextManager);
   }
 
@@ -82,7 +82,7 @@ public void get_updateSecret() {
     prepareSupplier(true);
     callUpdateSslContext();
     verify(mockTlsContextManager, times(2))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
     verify(mockTlsContextManager, times(0))
         .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI));
     ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
@@ -100,15 +100,15 @@ public void get_updateSecret() {
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
     supplier.updateSslContext(mockCallback, SNI);
     verify(mockTlsContextManager, times(3))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
   }
 
   @Test
   public void autoHostSniFalse_usesSniFromUpstreamTlsContext() {
     prepareSupplier(true);
     callUpdateSslContext();
     verify(mockTlsContextManager, times(2))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
     verify(mockTlsContextManager, times(0))
             .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI));
     ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
@@ -127,7 +127,7 @@ public void autoHostSniFalse_usesSniFromUpstreamTlsContext() {
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
     supplier.updateSslContext(mockCallback, SNI);
     verify(mockTlsContextManager, times(3))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
   }
 
   @Test
@@ -165,7 +165,7 @@ public void systemRootCertsWithMtls_callbackExecutedFromProvider() {
     callUpdateSslContext();
 
     verify(mockTlsContextManager, times(2))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
     verify(mockTlsContextManager, times(0))
         .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI));
     ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
@@ -184,7 +184,7 @@ public void systemRootCertsWithMtls_callbackExecutedFromProvider() {
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
     supplier.updateSslContext(mockCallback, SNI);
     verify(mockTlsContextManager, times(3))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
   }
 
   @Test
@@ -196,7 +196,7 @@ public void testClose() {
         .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI));
     supplier.updateSslContext(mockCallback, SNI);
     verify(mockTlsContextManager, times(3))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
     verify(mockTlsContextManager, times(1))
         .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI));
   }
@@ -211,6 +211,6 @@ public void testClose_nullSslContextProvider() {
         .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI));
     callUpdateSslContext();
     verify(mockTlsContextManager, times(1))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
   }
 }
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/TlsContextManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/security/TlsContextManagerTest.java
@@ -86,11 +86,11 @@ public void createClientSslContextProvider() {
 
     TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(bootstrapInfoForClient);
     SslContextProvider clientSecretProvider =
-        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext, SNI);
+        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext);
     assertThat(clientSecretProvider).isNotNull();
 
     SslContextProvider clientSecretProvider1 =
-        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext, SNI);
+        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext);
     assertThat(clientSecretProvider1).isSameInstanceAs(clientSecretProvider);
   }
 
@@ -130,14 +130,14 @@ public void createClientSslContextProvider_differentInstance() {
 
     TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(bootstrapInfoForClient);
     SslContextProvider clientSecretProvider =
-        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext, SNI);
+        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext);
     assertThat(clientSecretProvider).isNotNull();
 
     UpstreamTlsContext upstreamTlsContext1 =
         CommonTlsContextTestsUtil.buildUpstreamTlsContext("cert-instance-2", true, null, false);
 
     SslContextProvider clientSecretProvider1 =
-        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext1, SNI);
+        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext1);
     assertThat(clientSecretProvider1).isNotSameInstanceAs(clientSecretProvider);
   }
 
@@ -172,7 +172,7 @@ public void createClientSslContextProvider_releaseInstance() {
     when(mockClientFactory.create(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, SNI)))
         .thenReturn(mockProvider);
     SslContextProvider clientSecretProvider =
-        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext, SNI);
+        tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext);
     assertThat(clientSecretProvider).isSameInstanceAs(mockProvider);
     verify(mockProvider, never()).close();
     when(mockProvider.getUpstreamTlsContext()).thenReturn(upstreamTlsContext);

Original file line number	Diff line number	Diff line change
`@@ -653,7 +653,7 @@ static ProtocolNegotiator createProtocolNegotiatorByType(`
`653`	`653`	`return ProtocolNegotiators.plaintextUpgrade();`
`654`	`654`	`case TLS:`
`655`	`655`	`return ProtocolNegotiators.tls(`
`656`		`- sslContext, executorPool, Optional.absent(), null, null, false);`
	`656`	`+ sslContext, executorPool, Optional.absent(), null, null);`
`657`	`657`	`default:`
`658`	`658`	`throw new IllegalArgumentException("Unsupported negotiationType: " + negotiationType);`
`659`	`659`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1271,7 +1271,7 @@ public void clientTlsHandler_firesNegotiation() throws Exception {`
`1271`	`1271`	`}`
`1272`	`1272`	`FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();`
`1273`	`1273`	`ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext,`
`1274`		`- null, Optional.absent(), null, null, false);`
	`1274`	`+ null, Optional.absent(), null, null);`
`1275`	`1275`	`WriteBufferingAndExceptionHandler clientWbaeh =`
`1276`	`1276`	`new WriteBufferingAndExceptionHandler(pn.newHandler(gh));`
`1277`	`1277`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ public SslContextProvider findOrCreateServerSslContextProvider(`
`72`	`72`
`73`	`73`	`@Override`
`74`	`74`	`public SslContextProvider findOrCreateClientSslContextProvider(`
`75`		`- UpstreamTlsContext upstreamTlsContext, String sni) {`
	`75`	`+ UpstreamTlsContext upstreamTlsContext) {`
`76`	`76`	`checkNotNull(upstreamTlsContext, "upstreamTlsContext");`
`77`	`77`	`return mapForClients.get(new AbstractMap.SimpleImmutableEntry<>(upstreamTlsContext, sni));`
`78`	`78`	`}`