Save changes.

kannanjgithub · kannanjgithub · commit 30ffa7b23eca · 2025-08-03T12:54:43.000+05:30
diff --git a/netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java
@@ -171,7 +171,7 @@ public static ChannelHandler clientTlsHandler(
       ChannelHandler next, SslContext sslContext, String authority,
       ChannelLogger negotiationLogger) {
     return new ClientTlsHandler(next, sslContext, authority, null, negotiationLogger,
-        Optional.absent(), null, null, sni);
+        Optional.absent(), null, null);
   }
 
   public static class ProtocolNegotiationHandler
diff --git a/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
@@ -609,7 +609,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
       ChannelHandler gnh = new GrpcNegotiationHandler(grpcHandler);
       ChannelLogger negotiationLogger = grpcHandler.getNegotiationLogger();
       ChannelHandler cth = new ClientTlsHandler(gnh, sslContext, grpcHandler.getAuthority(),
-          this.executor, negotiationLogger, handshakeCompleteRunnable, this,
+          this.executor, negotiationLogger, handshakeCompleteRunnable,
               x509ExtendedTrustManager, sni);
       return new WaitUntilActiveHandler(cth, negotiationLogger);
     }
@@ -641,7 +641,6 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
                      Executor executor, ChannelLogger negotiationLogger,
                      Optional<Runnable> handshakeCompleteRunnable,
-                     ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
                      X509TrustManager x509ExtendedTrustManager, String sni) {
       super(next, negotiationLogger);
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
@@ -754,7 +753,7 @@ static HostPort parseAuthority(String authority) {
    * may happen immediately, even before the TLS Handshake is complete.
    *
    * @param executorPool a dedicated {@link Executor} pool for time-consuming TLS tasks
-   * @param sni
+   * @param sni the SNI value to use in the Tls handshake
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
                                        ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
diff --git a/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java b/netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java
@@ -918,7 +918,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null, sni);
+        null, null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -957,7 +957,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null, sni);
+        null, null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -982,7 +982,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null, sni);
+        null, null);
     pipeline.addLast(handler);
 
     final AtomicReference<Throwable> error = new AtomicReference<>();
@@ -1011,7 +1011,7 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
   public void clientTlsHandler_closeDuringNegotiation() throws Exception {
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", null, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null, sni);
+        null, null);
     pipeline.addLast(new WriteBufferingAndExceptionHandler(handler));
     ChannelFuture pendingWrite = channel.writeAndFlush(NettyClientHandler.NOOP_MESSAGE);
 
@@ -1023,12 +1023,6 @@ public void clientTlsHandler_closeDuringNegotiation() throws Exception {
         .isEqualTo(Status.Code.UNAVAILABLE);
   }
 
-  private ClientTlsProtocolNegotiator getClientTlsProtocolNegotiator() throws SSLException {
-    return new ClientTlsProtocolNegotiator(GrpcSslContexts.forClient().trustManager(
-        TlsTesting.loadCert("ca.pem")).build(),
-        null, Optional.absent(), null, sni);
-  }
-
   @Test
   public void engineLog() {
     ChannelHandler handler = new ServerTlsHandler(grpcHandler, sslContext, null);
@@ -1277,7 +1271,7 @@ public void clientTlsHandler_firesNegotiation() throws Exception {
     }
     FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
     ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext,
-        null, Optional.absent(), null, sni);
+        null, Optional.absent(), null, null);
     WriteBufferingAndExceptionHandler clientWbaeh =
         new WriteBufferingAndExceptionHandler(pn.newHandler(gh));
 
diff --git a/xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java b/xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java
@@ -59,6 +59,7 @@
 import io.grpc.xds.orca.OrcaPerRequestUtil.OrcaPerRequestReportListener;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -208,6 +209,7 @@ private final class ClusterImplLbHelper extends ForwardingLoadBalancerHelper {
     private Map<String, Struct> filterMetadata = ImmutableMap.of();
     @Nullable
     private final ServerInfo lrsServerInfo;
+    private final Map<String, SslContextProviderSupplier> sslContextProviderSupplierMap = new HashMap<>();
 
     private ClusterImplLbHelper(AtomicLong inFlights, @Nullable ServerInfo lrsServerInfo) {
       this.inFlights = checkNotNull(inFlights, "inFlights");
@@ -294,11 +296,16 @@ private List<EquivalentAddressGroup> withAdditionalAttributes(
         Attributes.Builder attrBuilder = eag.getAttributes().toBuilder().set(
             XdsAttributes.ATTR_CLUSTER_NAME, cluster);
         if (tlsContext != null) {
+          String addressNameAttr = eag.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME);
+          if (!sslContextProviderSupplierMap.containsKey(addressNameAttr)) {
+            sslContextProviderSupplierMap.put(addressNameAttr,
+                new SslContextProviderSupplier(tlsContext,
+                    (TlsContextManager) xdsClient.getSecurityConfig(),
+                    eag.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME)));
+          }
           attrBuilder.set(
               SecurityProtocolNegotiators.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER,
-              new SslContextProviderSupplier(tlsContext,
-                  (TlsContextManager) xdsClient.getSecurityConfig(),
-                  eag.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME)));
+              sslContextProviderSupplierMap.get(addressNameAttr));
         }
         newAddresses.add(new EquivalentAddressGroup(eag.getAddresses(), attrBuilder.build()));
       }
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java b/xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java
@@ -20,10 +20,11 @@
 import io.grpc.xds.client.Bootstrapper.BootstrapInfo;
 import io.grpc.xds.internal.security.ReferenceCountingMap.ValueFactory;
 import io.grpc.xds.internal.security.certprovider.CertProviderClientSslContextProviderFactory;
+import java.util.AbstractMap;
 
 /** Factory to create client-side SslContextProvider from UpstreamTlsContext. */
 final class ClientSslContextProviderFactory
-    implements ValueFactory<UpstreamTlsContext, SslContextProvider> {
+    implements ValueFactory<AbstractMap.SimpleImmutableEntry<UpstreamTlsContext, String>, SslContextProvider> {
 
   private BootstrapInfo bootstrapInfo;
   private final CertProviderClientSslContextProviderFactory
@@ -41,9 +42,9 @@ final class ClientSslContextProviderFactory
 
   /** Creates an SslContextProvider from the given UpstreamTlsContext. */
   @Override
-  public SslContextProvider create(UpstreamTlsContext upstreamTlsContext) {
+  public SslContextProvider create(AbstractMap.SimpleImmutableEntry<UpstreamTlsContext, String> key) {
     return certProviderClientSslContextProviderFactory.getProvider(
-        upstreamTlsContext,
+        key.getKey(), key.getValue(),
         bootstrapInfo.node().toEnvoyProtoNode(),
         bootstrapInfo.certProviders());
   }
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java
@@ -44,6 +44,7 @@
 public abstract class SslContextProvider implements Closeable {
 
   protected final BaseTlsContext tlsContext;
+  private String sni;
 
   @VisibleForTesting public abstract static class Callback {
     private final Executor executor;
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
@@ -39,7 +39,7 @@ public final class CertProviderClientSslContextProvider extends CertProviderSslC
       CommonTlsContext.CertificateProviderInstance rootCertInstance,
       CertificateValidationContext staticCertValidationContext,
       UpstreamTlsContext upstreamTlsContext,
-      CertificateProviderStore certificateProviderStore) {
+      String sni, CertificateProviderStore certificateProviderStore) {
     super(
         node,
         certProviders,
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderFactory.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderFactory.java
@@ -55,7 +55,7 @@ public static CertProviderClientSslContextProviderFactory getInstance() {
    */
   public SslContextProvider getProvider(
       UpstreamTlsContext upstreamTlsContext,
-      Node node,
+      String sni, Node node,
       @Nullable Map<String, CertificateProviderInfo> certProviders) {
     checkNotNull(upstreamTlsContext, "upstreamTlsContext");
     CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext();
@@ -74,6 +74,7 @@ public SslContextProvider getProvider(
           rootCertInstance,
           staticCertValidationContext,
           upstreamTlsContext,
+          sni,
           certificateProviderStore);
     }
     throw new UnsupportedOperationException("Unsupported configurations in UpstreamTlsContext!");
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
@@ -84,7 +84,7 @@ private CertProviderClientSslContextProvider getSslContextProvider(
     return (CertProviderClientSslContextProvider)
         certProviderClientSslContextProviderFactory.getProvider(
             upstreamTlsContext,
-            bootstrapInfo.node().toEnvoyProtoNode(),
+            key.getValue(), bootstrapInfo.node().toEnvoyProtoNode(),
             bootstrapInfo.certProviders());
   }
 
@@ -106,7 +106,7 @@ private CertProviderClientSslContextProvider getNewSslContextProvider(
     return (CertProviderClientSslContextProvider)
         certProviderClientSslContextProviderFactory.getProvider(
             upstreamTlsContext,
-            bootstrapInfo.node().toEnvoyProtoNode(),
+            key.getValue(), bootstrapInfo.node().toEnvoyProtoNode(),
             bootstrapInfo.certProviders());
   }
 

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,7 @@ public static ChannelHandler clientTlsHandler(`
`171`	`171`	`ChannelHandler next, SslContext sslContext, String authority,`
`172`	`172`	`ChannelLogger negotiationLogger) {`
`173`	`173`	`return new ClientTlsHandler(next, sslContext, authority, null, negotiationLogger,`
`174`		`- Optional.absent(), null, null, sni);`
	`174`	`+ Optional.absent(), null, null);`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`public static class ProtocolNegotiationHandler`