Fixes.

Author: kannanjgithub

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -21,6 +21,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Optional;
 import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
 import com.google.errorprone.annotations.ForOverride;
 import io.grpc.Attributes;
 import io.grpc.CallCredentials;
@@ -89,6 +90,7 @@
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
+
 import org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement;
 
 /**
@@ -641,16 +643,21 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     private final X509TrustManager x509ExtendedTrustManager;
     private SSLEngine sslEngine;
 
-    ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
+    ClientTlsHandler(ChannelHandler next, SslContext sslContext, String sniHostPort,
                      Executor executor, ChannelLogger negotiationLogger,
                      Optional<Runnable> handshakeCompleteRunnable,
                      ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
                      X509TrustManager x509ExtendedTrustManager) {
       super(next, negotiationLogger);
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
-      HostPort hostPort = parseAuthority(authority);
-      this.host = hostPort.host;
-      this.port = hostPort.port;
+      if (!Strings.isNullOrEmpty(sniHostPort)) {
+        HostPort hostPort = parseAuthority(sniHostPort);
+        this.host = hostPort.host;
+        this.port = hostPort.port;
+      } else {
+        this.host = null;
+        this.port = 0;
+      }
       this.executor = executor;
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
       this.x509ExtendedTrustManager = x509ExtendedTrustManager;
@@ -659,7 +666,11 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     @Override
     @IgnoreJRERequirement
     protected void handlerAdded0(ChannelHandlerContext ctx) {
-      sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      if (host != null) {
+        sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      } else {
+        sslEngine = sslContext.newEngine(ctx.alloc());
+      }
       SSLParameters sslParams = sslEngine.getSSLParameters();
       sslParams.setEndpointIdentificationAlgorithm("HTTPS");
       sslEngine.setSSLParameters(sslParams);

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -33,6 +33,7 @@
 import io.grpc.netty.InternalProtocolNegotiators;
 import io.grpc.netty.ProtocolNegotiationEvent;
 import io.grpc.xds.EnvoyServerProtoData;
+import io.grpc.xds.internal.security.trust.CertificateUtils;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerAdapter;
 import io.netty.channel.ChannelHandlerContext;
@@ -193,7 +194,6 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
   @VisibleForTesting
   static final class ClientSecurityHandler
       extends InternalProtocolNegotiators.ProtocolNegotiationHandler {
-    static boolean isXdsSniEnabled = GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_SNI", false);
 
     private final GrpcHttp2ConnectionHandler grpcHandler;
     private final SslContextProviderSupplier sslContextProviderSupplier;
@@ -218,7 +218,7 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
       this.sslContextProviderSupplier = sslContextProviderSupplier;
       EnvoyServerProtoData.BaseTlsContext tlsContext = sslContextProviderSupplier.getTlsContext();
       UpstreamTlsContext upstreamTlsContext = ((UpstreamTlsContext) tlsContext);
-      if (isXdsSniEnabled) {
+      if (CertificateUtils.isXdsSniEnabled) {
         sni = upstreamTlsContext.getAutoHostSni() && !Strings.isNullOrEmpty(endpointHostname)
             ? endpointHostname : upstreamTlsContext.getSni();
       } else {

xds/src/main/java/io/grpc/xds/internal/security/trust/CertificateUtils.java

@@ -16,6 +16,8 @@
 
 package io.grpc.xds.internal.security.trust;
 
+import io.grpc.internal.GrpcUtil;
+
 import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileInputStream;
@@ -29,6 +31,8 @@
  * Contains certificate utility method(s).
  */
 public final class CertificateUtils {
+  public static boolean isXdsSniEnabled = GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_SNI", false);
+
   /**
    * Generates X509Certificate array from a file on disk.
    *

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -53,8 +53,6 @@
  */
 final class XdsX509TrustManager extends X509ExtendedTrustManager implements X509TrustManager {
 
-  static boolean isXdsSniEnabled = GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_SNI", false);
-
   // ref: io.grpc.okhttp.internal.OkHostnameVerifier and
   // sun.security.x509.GeneralNameInterface
   private static final int ALT_DNS_NAME = 2;
@@ -220,7 +218,7 @@ void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws Certifi
       return;
     }
     @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
-    List<StringMatcher> verifyList = isXdsSniEnabled && !Strings.isNullOrEmpty(sniForSanMatching)
+    List<StringMatcher> verifyList = CertificateUtils.isXdsSniEnabled && !Strings.isNullOrEmpty(sniForSanMatching)
             ? ImmutableList.of(StringMatcher.newBuilder().setExact(sniForSanMatching).build())
             : certContext.getMatchSubjectAltNamesList();
     if (verifyList.isEmpty()) {

xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java

@@ -76,6 +76,7 @@
 import io.grpc.xds.internal.security.SslContextProviderSupplier;
 import io.grpc.xds.internal.security.TlsContextManagerImpl;
 import io.grpc.xds.internal.security.certprovider.FileWatcherCertificateProviderProvider;
+import io.grpc.xds.internal.security.trust.CertificateUtils;
 import io.netty.handler.ssl.NotSslRecordException;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -315,6 +316,7 @@ public void tlsClientServer_noAutoSniValidation_failureToMatchSubjAltNames()
   @Test
   public void tlsClientServer_autoSniValidation_sniInUTC()
       throws Exception {
+    CertificateUtils.isXdsSniEnabled = true;
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -338,12 +340,14 @@ public void tlsClientServer_autoSniValidation_sniInUTC()
     } finally {
       Files.deleteIfExists(trustStoreFilePath);
       clearTrustStoreSystemProperties();
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void tlsClientServer_autoSniValidation_sniFromHostname()
       throws Exception {
+    CertificateUtils.isXdsSniEnabled = true;
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -370,12 +374,14 @@ public void tlsClientServer_autoSniValidation_sniFromHostname()
     } finally {
       Files.deleteIfExists(trustStoreFilePath);
       clearTrustStoreSystemProperties();
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void tlsClientServer_autoSniValidation_noSNIApplicable_usesMatcherFromCmnVdnCtx()
       throws Exception {
+    CertificateUtils.isXdsSniEnabled = true;
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -399,6 +405,7 @@ public void tlsClientServer_autoSniValidation_noSNIApplicable_usesMatcherFromCmn
     } finally {
       Files.deleteIfExists(trustStoreFilePath);
       clearTrustStoreSystemProperties();
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
@@ -815,7 +822,7 @@ private SimpleServiceGrpc.SimpleServiceBlockingStub getBlockingStub(
   // in the certificate SNI, which isn't implemented yet (https://github.com/grpc/grpc-java/pull/12345 implements it)
   // so use an exact match SAN such as waterzooi.test.google.be for SNI for this testcase.
   private SimpleServiceGrpc.SimpleServiceBlockingStub getBlockingStub(
-      final UpstreamTlsContext upstreamTlsContext, String overrideAuthority, String addrAttribute) {
+      final UpstreamTlsContext upstreamTlsContext, String overrideAuthority, String addrNameAttribute) {
     ManagedChannelBuilder<?> channelBuilder =
         Grpc.newChannelBuilder(
             "sectest://localhost:" + port,
@@ -833,8 +840,8 @@ private SimpleServiceGrpc.SimpleServiceBlockingStub getBlockingStub(
             new SslContextProviderSupplier(
                 upstreamTlsContext, tlsContextManagerForClient))
         : Attributes.newBuilder();
-    if (addrAttribute != null) {
-      sslContextAttributesBuilder.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, addrAttribute);
+    if (addrNameAttribute != null) {
+      sslContextAttributesBuilder.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, addrNameAttribute);
     }
     sslContextAttributes = sslContextAttributesBuilder.build();
     fakeNameResolverFactory.setServers(

xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java

@@ -51,6 +51,7 @@
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSecurityHandler;
 import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSecurityProtocolNegotiator;
 import io.grpc.xds.internal.security.certprovider.CommonCertProviderTestUtils;
+import io.grpc.xds.internal.security.trust.CertificateUtils;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelPipeline;
@@ -145,7 +146,7 @@ public void clientSecurityProtocolNegotiatorNewHandler_withTlsContextAttribute()
 
   @Test
   public void clientSecurityProtocolNegotiatorNewHandler_autoHostSni_hostnameIsPassedToClientSecurityHandler() {
-    ClientSecurityHandler.isXdsSniEnabled = true;
+    CertificateUtils.isXdsSniEnabled = true;
     try {
       UpstreamTlsContext upstreamTlsContext =
           CommonTlsContextTestsUtil.buildUpstreamTlsContext(CommonTlsContext.newBuilder().build(), null, true, false);
@@ -168,7 +169,7 @@ public void clientSecurityProtocolNegotiatorNewHandler_autoHostSni_hostnameIsPas
       assertThat(newHandler).isInstanceOf(ClientSecurityHandler.class);
       assertThat(((ClientSecurityHandler) newHandler).getSni()).isEqualTo(FAKE_AUTHORITY);
     } finally {
-      ClientSecurityHandler.isXdsSniEnabled = false;
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
@@ -207,7 +208,7 @@ public void updateSslContext(SslContext sslContext) {
           protected void onException(Throwable throwable) {
             future.set(throwable);
           }
-        }, null);
+        }, FAKE_AUTHORITY);
     assertThat(executor.runDueTasks()).isEqualTo(1);
     channel.runPendingTasks();
     Object fromFuture = future.get(2, TimeUnit.SECONDS);
@@ -227,7 +228,7 @@ protected void onException(Throwable throwable) {
 
   @Test
   public void sniInClientSecurityHandler_autoHostSniIsTrue_usesEndpointHostname() {
-    ClientSecurityHandler.isXdsSniEnabled = true;
+    CertificateUtils.isXdsSniEnabled = true;
     try {
       Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
           .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE,
@@ -244,13 +245,13 @@ public void sniInClientSecurityHandler_autoHostSniIsTrue_usesEndpointHostname()
 
       assertThat(clientSecurityHandler.getSni()).isEqualTo(HOSTNAME);
     } finally {
-      ClientSecurityHandler.isXdsSniEnabled = false;
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void sniInClientSecurityHandler_autoHostSniIsTrue_endpointHostnameIsEmpty_usesSniFromUpstreamTlsContext() {
-    ClientSecurityHandler.isXdsSniEnabled = true;
+    CertificateUtils.isXdsSniEnabled = true;
     try {
       Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
           .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE,
@@ -267,13 +268,13 @@ public void sniInClientSecurityHandler_autoHostSniIsTrue_endpointHostnameIsEmpty
 
       assertThat(clientSecurityHandler.getSni()).isEqualTo(SNI_IN_UTC);
     } finally {
-      ClientSecurityHandler.isXdsSniEnabled = false;
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void sniInClientSecurityHandler_autoHostSniIsTrue_endpointHostnameIsNull_usesSniFromUpstreamTlsContext() {
-    ClientSecurityHandler.isXdsSniEnabled = true;
+    CertificateUtils.isXdsSniEnabled = true;
     try {
       Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
           .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE,
@@ -290,13 +291,13 @@ public void sniInClientSecurityHandler_autoHostSniIsTrue_endpointHostnameIsNull_
 
       assertThat(clientSecurityHandler.getSni()).isEqualTo(SNI_IN_UTC);
     } finally {
-      ClientSecurityHandler.isXdsSniEnabled = false;
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void sniInClientSecurityHandler_autoHostSniIsFalse_usesSniFromUpstreamTlsContext() {
-    ClientSecurityHandler.isXdsSniEnabled = true;
+    CertificateUtils.isXdsSniEnabled = true;
     try {
       Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
           .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE,
@@ -313,13 +314,13 @@ public void sniInClientSecurityHandler_autoHostSniIsFalse_usesSniFromUpstreamTls
 
       assertThat(clientSecurityHandler.getSni()).isEqualTo(SNI_IN_UTC);
     } finally {
-      ClientSecurityHandler.isXdsSniEnabled = false;
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void sniFeatureNotEnabled_usesChannelAuthorityForSni() {
-    ClientSecurityHandler.isXdsSniEnabled = false;
+    CertificateUtils.isXdsSniEnabled = false;
     Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
             .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE,
                     CA_PEM_FILE, null, null, null, null, null);
@@ -498,7 +499,7 @@ public void nullTlsContext_nullFallbackProtocolNegotiator_expectException() {
   @Test
   public void clientSecurityProtocolNegotiatorNewHandler_fireProtocolNegotiationEvent()
           throws InterruptedException, TimeoutException, ExecutionException {
-    ClientSecurityHandler.isXdsSniEnabled = true;
+    CertificateUtils.isXdsSniEnabled = true;
     try {
       FakeClock executor = new FakeClock();
       CommonCertProviderTestUtils.register(executor);
@@ -533,7 +534,7 @@ public void updateSslContext(SslContext sslContext) {
             protected void onException(Throwable throwable) {
               future.set(throwable);
             }
-          }, null);
+          }, "");
       executor.runDueTasks();
       channel.runPendingTasks(); // need this for tasks to execute on eventLoop
       Object fromFuture = future.get(5, TimeUnit.SECONDS);
@@ -548,7 +549,7 @@ protected void onException(Throwable throwable) {
       assertTrue(channel.isOpen());
       CommonCertProviderTestUtils.register0();
     } finally {
-      ClientSecurityHandler.isXdsSniEnabled = false;
+      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 

xds/src/test/java/io/grpc/xds/internal/security/TlsContextManagerTest.java

@@ -169,7 +169,7 @@ public void createClientSslContextProvider_releaseInstance() {
     TlsContextManagerImpl tlsContextManagerImpl =
         new TlsContextManagerImpl(mockClientFactory, mockServerFactory);
     SslContextProvider mockProvider = mock(SslContextProvider.class);
-    when(mockClientFactory.create(new AbstractMap.SimpleImmutableEntry("sni", upstreamTlsContext)))
+    when(mockClientFactory.create(new AbstractMap.SimpleImmutableEntry(upstreamTlsContext, SNI)))
         .thenReturn(mockProvider);
     SslContextProvider clientSecretProvider =
         tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext, SNI);