Handle Sslcontext updates for System root certs with and without Mtls.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java

@@ -20,12 +20,14 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
+import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.TlsContextManager;
 import io.netty.handler.ssl.SslContext;
 import java.util.Objects;
+import javax.net.ssl.SSLException;
 
 /**
  * Enables Client or server side to initialize this object with the received {@link BaseTlsContext}
@@ -62,21 +64,36 @@ public synchronized void updateSslContext(final SslContextProvider.Callback call
       }
       // we want to increment the ref-count so call findOrCreate again...
       final SslContextProvider toRelease = getSslContextProvider();
-      toRelease.addCallback(
-          new SslContextProvider.Callback(callback.getExecutor()) {
-
-            @Override
-            public void updateSslContext(SslContext sslContext) {
-              callback.updateSslContext(sslContext);
-              releaseSslContextProvider(toRelease);
-            }
-
-            @Override
-            public void onException(Throwable throwable) {
-              callback.onException(throwable);
-              releaseSslContextProvider(toRelease);
-            }
-          });
+      // When using system root certs on client side, SslContext updates via CertificateProvider is
+      // only required if Mtls is also enabled, i.e. tlsContext has a cert provider instance.
+      if (tlsContext instanceof UpstreamTlsContext
+          && !CommonTlsContextUtil.hasCertProviderInstance(tlsContext.getCommonTlsContext())
+          && CommonTlsContextUtil.isUsingSystemRootCerts(tlsContext.getCommonTlsContext())) {
+        callback.getExecutor().execute(() -> {
+          try {
+            callback.updateSslContext(GrpcSslContexts.forClient().build());
+            releaseSslContextProvider(toRelease);
+          } catch (SSLException e) {
+            callback.onException(e);
+          }
+        });
+      } else {
+        toRelease.addCallback(
+            new SslContextProvider.Callback(callback.getExecutor()) {
+
+              @Override
+              public void updateSslContext(SslContext sslContext) {
+                callback.updateSslContext(sslContext);
+                releaseSslContextProvider(toRelease);
+              }
+
+              @Override
+              public void onException(Throwable throwable) {
+                callback.onException(throwable);
+                releaseSslContextProvider(toRelease);
+              }
+            });
+      }
     } catch (final Throwable throwable) {
       callback.getExecutor().execute(new Runnable() {
         @Override

xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java

@@ -17,15 +17,18 @@
 package io.grpc.xds.internal.security;
 
 import static com.google.common.truth.Truth.assertThat;
+import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.buildUpstreamTlsContext;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.grpc.xds.EnvoyServerProtoData;
 import io.grpc.xds.TlsContextManager;
 import io.netty.handler.ssl.SslContext;
@@ -47,14 +50,17 @@ public class SslContextProviderSupplierTest {
   @Rule public final MockitoRule mocks = MockitoJUnit.rule();
 
   @Mock private TlsContextManager mockTlsContextManager;
+  @Mock private Executor mockExecutor;
   private SslContextProviderSupplier supplier;
   private SslContextProvider mockSslContextProvider;
   private EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext;
   private SslContextProvider.Callback mockCallback;
 
-  private void prepareSupplier() {
-    upstreamTlsContext =
-            CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true);
+  private void prepareSupplier(boolean createUpstreamTlsContext) {
+    if (createUpstreamTlsContext) {
+      upstreamTlsContext =
+          buildUpstreamTlsContext("google_cloud_private_spiffe", true);
+    }
     mockSslContextProvider = mock(SslContextProvider.class);
     doReturn(mockSslContextProvider)
             .when(mockTlsContextManager)
@@ -64,14 +70,13 @@ private void prepareSupplier() {
 
   private void callUpdateSslContext() {
     mockCallback = mock(SslContextProvider.Callback.class);
-    Executor mockExecutor = mock(Executor.class);
     doReturn(mockExecutor).when(mockCallback).getExecutor();
     supplier.updateSslContext(mockCallback);
   }
 
   @Test
   public void get_updateSecret() {
-    prepareSupplier();
+    prepareSupplier(true);
     callUpdateSslContext();
     verify(mockTlsContextManager, times(2))
         .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
@@ -95,11 +100,12 @@ public void get_updateSecret() {
 
   @Test
   public void get_onException() {
-    prepareSupplier();
+    prepareSupplier(true);
     callUpdateSslContext();
     ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
         ArgumentCaptor.forClass(SslContextProvider.Callback.class);
-    verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
+    verify(mockSslContextProvider, times(1))
+            .addCallback(callbackCaptor.capture());
     SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
     assertThat(capturedCallback).isNotNull();
     Exception exception = new Exception("test");
@@ -109,9 +115,71 @@ public void get_onException() {
         .releaseClientSslContextProvider(eq(mockSslContextProvider));
   }
 
+  @Test
+  public void systemRootCertsWithMtls_callbackExecutedFromProvider() {
+    upstreamTlsContext =
+        CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
+            "gcp_id",
+            "cert-default",
+            null,
+            "root-default",
+            null,
+            CertificateValidationContext.newBuilder()
+                .setSystemRootCerts(
+                    CertificateValidationContext.SystemRootCerts.getDefaultInstance())
+                .build());
+    prepareSupplier(false);
+
+    callUpdateSslContext();
+
+    verify(mockTlsContextManager, times(2))
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
+    verify(mockTlsContextManager, times(0))
+        .releaseClientSslContextProvider(any(SslContextProvider.class));
+    ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
+        ArgumentCaptor.forClass(SslContextProvider.Callback.class);
+    verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
+    SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
+    assertThat(capturedCallback).isNotNull();
+    SslContext mockSslContext = mock(SslContext.class);
+    capturedCallback.updateSslContext(mockSslContext);
+    verify(mockCallback, times(1)).updateSslContext(eq(mockSslContext));
+    verify(mockTlsContextManager, times(1))
+        .releaseClientSslContextProvider(eq(mockSslContextProvider));
+    SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
+    supplier.updateSslContext(mockCallback);
+    verify(mockTlsContextManager, times(3))
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
+  }
+
+  @Test
+  public void systemRootCertsWithRegularTls_callbackExecutedFromSupplier() {
+    upstreamTlsContext =
+        CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
+            null,
+            null,
+            null,
+            "root-default",
+            null,
+            CertificateValidationContext.newBuilder()
+                .setSystemRootCerts(
+                        CertificateValidationContext.SystemRootCerts.getDefaultInstance())
+                .build());
+    supplier = new SslContextProviderSupplier(upstreamTlsContext, mockTlsContextManager);
+    reset(mockTlsContextManager);
+
+    callUpdateSslContext();
+    ArgumentCaptor<Runnable> runnableArgumentCaptor = ArgumentCaptor.forClass(Runnable.class);
+    verify(mockExecutor).execute(runnableArgumentCaptor.capture());
+    runnableArgumentCaptor.getValue().run();
+    verify(mockCallback, times(1)).updateSslContext(any(SslContext.class));
+    verify(mockTlsContextManager, times(1))
+            .releaseClientSslContextProvider(eq(mockSslContextProvider));
+  }
+
   @Test
   public void testClose() {
-    prepareSupplier();
+    prepareSupplier(true);
     callUpdateSslContext();
     supplier.close();
     verify(mockTlsContextManager, times(1))
@@ -125,7 +193,7 @@ public void testClose() {
 
   @Test
   public void testClose_nullSslContextProvider() {
-    prepareSupplier();
+    prepareSupplier(true);
     doThrow(new NullPointerException()).when(mockTlsContextManager)
         .releaseClientSslContextProvider(null);
     supplier.close();

xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java

@@ -187,14 +187,19 @@ public void testProviderForClient_mtls() throws Exception {
   }
 
   @Test
-  public void testProviderForClient_systemRootCerts() throws Exception {
+  /**
+   * Note this route will not really be invoked since {@link SslContextProviderSupplier} will
+   * shortcircuit creating the certificate provider and directly invoke the callback with the
+   * SslContext in this case.
+   */
+  public void testProviderForClient_systemRootCerts_regularTls() throws Exception {
     final CertificateProvider.DistributorWatcher[] watcherCaptor =
             new CertificateProvider.DistributorWatcher[1];
     TestCertificateProvider.createAndRegisterProviderProvider(
             certificateProviderRegistry, watcherCaptor, "testca", 0);
     CertProviderClientSslContextProvider provider =
         getSslContextProvider(
-                "gcp_id",
+                null,
                 null,
             CommonBootstrapperTestUtils.getTestBootstrapInfo(),
             /* alpnProtocols= */ null,
@@ -209,36 +214,69 @@ public void testProviderForClient_systemRootCerts() throws Exception {
     assertThat(provider.savedTrustedRoots).isNull();
     assertThat(provider.getSslContext()).isNull();
 
-    // now generate cert update, updates SslContext
+    assertThat(watcherCaptor[0]).isNull();
+  }
+
+  @Test
+  public void testProviderForClient_systemRootCerts_mtls() throws Exception {
+    final CertificateProvider.DistributorWatcher[] watcherCaptor =
+        new CertificateProvider.DistributorWatcher[1];
+    TestCertificateProvider.createAndRegisterProviderProvider(
+        certificateProviderRegistry, watcherCaptor, "testca", 0);
+    CertProviderClientSslContextProvider provider =
+        getSslContextProvider(
+            "gcp_id",
+            null,
+            CommonBootstrapperTestUtils.getTestBootstrapInfo(),
+            /* alpnProtocols= */ null,
+            CertificateValidationContext.newBuilder()
+                .setSystemRootCerts(
+                    CertificateValidationContext.SystemRootCerts.getDefaultInstance())
+                .build(),
+        true);
+
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNull();
+    assertThat(provider.getSslContext()).isNull();
+
+    // now generate root cert update, will get ignored because of systemRootCerts config
+    watcherCaptor[0].updateTrustedRoots(ImmutableList.of(getCertFromResourceName(CA_PEM_FILE)));
+    assertThat(provider.getSslContext()).isNull();
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNull();
+
+    // now generate cert update
     watcherCaptor[0].updateCertificate(
-            CommonCertProviderTestUtils.getPrivateKey(CLIENT_KEY_FILE),
-            ImmutableList.of(getCertFromResourceName(CLIENT_PEM_FILE)));
+        CommonCertProviderTestUtils.getPrivateKey(CLIENT_KEY_FILE),
+        ImmutableList.of(getCertFromResourceName(CLIENT_PEM_FILE)));
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
     assertThat(provider.getSslContext()).isNotNull();
 
     TestCallback testCallback =
-            CommonTlsContextTestsUtil.getValueThruCallback(provider);
+        CommonTlsContextTestsUtil.getValueThruCallback(provider);
 
     doChecksOnSslContext(false, testCallback.updatedSslContext, /* expectedApnProtos= */ null);
     TestCallback testCallback1 =
-            CommonTlsContextTestsUtil.getValueThruCallback(provider);
+        CommonTlsContextTestsUtil.getValueThruCallback(provider);
     assertThat(testCallback1.updatedSslContext).isSameInstanceAs(testCallback.updatedSslContext);
 
-    // just do root cert update: trusted roots is not updated (because of system root certs config)
-    // and sslContext should still be the same
+    // just do root cert update: sslContext should still be the same, will get ignored because of
+    // systemRootCerts config
     watcherCaptor[0].updateTrustedRoots(
-            ImmutableList.of(getCertFromResourceName(SERVER_0_PEM_FILE)));
+        ImmutableList.of(getCertFromResourceName(SERVER_0_PEM_FILE)));
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
     assertThat(provider.savedTrustedRoots).isNull();
     testCallback1 = CommonTlsContextTestsUtil.getValueThruCallback(provider);
     assertThat(testCallback1.updatedSslContext).isSameInstanceAs(testCallback.updatedSslContext);
 
-    // now update id cert: sslContext should be updated i.e.different from the previous one
+    // now update id cert: sslContext should be updated i.e. different from the previous one
     watcherCaptor[0].updateCertificate(
-            CommonCertProviderTestUtils.getPrivateKey(SERVER_1_KEY_FILE),
-            ImmutableList.of(getCertFromResourceName(SERVER_1_PEM_FILE)));
+        CommonCertProviderTestUtils.getPrivateKey(SERVER_1_KEY_FILE),
+        ImmutableList.of(getCertFromResourceName(SERVER_1_PEM_FILE)));
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
     assertThat(provider.savedTrustedRoots).isNull();