Revert unintended changes.

Author: kannanjgithub

examples/build.gradle

@@ -45,7 +45,7 @@ dependencies {
 protobuf {
     protoc { artifact = "com.google.protobuf:protoc:${protocVersion}" }
     plugins {
-        grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.70.0" }
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:${grpcVersion}" }
     }
     generateProtoTasks {
         all()*.plugins { grpc {} }

examples/example-tls/build.gradle

@@ -34,7 +34,7 @@ dependencies {
 protobuf {
     protoc { artifact = "com.google.protobuf:protoc:${protocVersion}" }
     plugins {
-        grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.70.0" }
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:${grpcVersion}" }
     }
     generateProtoTasks {
         all()*.plugins { grpc {} }

examples/example-tls/src/main/java/io/grpc/examples/helloworldtls/HelloWorldClientTls.java

@@ -16,9 +16,6 @@
 
 package io.grpc.examples.helloworldtls;
 
-import static io.grpc.examples.helloworld.GreeterGrpc.getSayHelloMethod;
-
-import io.grpc.CallOptions;
 import io.grpc.Channel;
 import io.grpc.Grpc;
 import io.grpc.ManagedChannel;
@@ -28,7 +25,6 @@
 import io.grpc.examples.helloworld.HelloReply;
 import io.grpc.examples.helloworld.HelloRequest;
 import java.io.File;
-import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -56,11 +52,7 @@ public void greet(String name) {
         HelloRequest request = HelloRequest.newBuilder().setName(name).build();
         HelloReply response;
         try {
-            CallOptions callOptions = blockingStub.getCallOptions()
-                .withAuthority("moo.test.goog.fr");
-            response = io.grpc.stub.ClientCalls.blockingUnaryCall(
-                blockingStub.getChannel(), getSayHelloMethod(),
-                callOptions, request);
+            response = blockingStub.sayHello(request);
         } catch (StatusRuntimeException e) {
             logger.log(Level.WARNING, "RPC failed: {0}", e.getStatus());
             return;

netty/src/main/java/io/grpc/netty/NettyClientHandler.java

@@ -586,6 +586,17 @@ protected boolean isGracefulShutdownComplete() {
         && ((StreamBufferingEncoder) encoder()).numBufferedStreams() == 0;
   }
 
+  private String getAuthorityPseudoHeader(Http2Headers http2Headers) {
+    if (http2Headers instanceof GrpcHttp2OutboundHeaders) {
+      return ((GrpcHttp2OutboundHeaders) http2Headers).getAuthority();
+    }
+    try {
+      return http2Headers.authority().toString();
+    } catch (UnsupportedOperationException e) {
+      return null;
+    }
+  }
+
   /**
    * Attempts to create a new stream from the given command. If there are too many active streams,
    * the creation request is queued.
@@ -602,15 +613,16 @@ private void createStream(CreateStreamCommand command, ChannelPromise promise)
       return;
     }
 
-    String authority = ((GrpcHttp2OutboundHeaders) command.headers()).getAuthority();
+    String authority = getAuthorityPseudoHeader(command.headers());
     if (authority != null) {
       Status authorityVerificationStatus = peerVerificationResults.get(authority);
-      if (authorityVerificationStatus == null) {
+      if (authorityVerificationStatus == null && attributes != null
+          && attributes.get(GrpcAttributes.ATTR_AUTHORITY_VERIFIER) != null) {
         authorityVerificationStatus = attributes.get(GrpcAttributes.ATTR_AUTHORITY_VERIFIER)
             .verifyAuthority(((GrpcHttp2OutboundHeaders) command.headers()).getAuthority());
         peerVerificationResults.put(authority, authorityVerificationStatus);
       }
-      if (!authorityVerificationStatus.isOk()) {
+      if (authorityVerificationStatus != null && !authorityVerificationStatus.isOk()) {
         logger.log(Level.WARNING, String.format("%s.%s",
                 authorityVerificationStatus.getDescription(), enablePerRpcAuthorityCheck
             ? "" : "This will be an error in the future."),

netty/src/main/java/io/grpc/netty/X509AuthorityVerifier.java

@@ -65,7 +65,9 @@ public Status verifyAuthority(@Nonnull String authority) {
     }
     Status peerVerificationStatus;
     try {
-      verifyAuthorityAllowedForPeerCert(authority);
+      // Because the authority pseudo-header can contain a port number:
+      // https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.3com
+      verifyAuthorityAllowedForPeerCert(removeAnyPortNumber(authority));
       peerVerificationStatus = Status.OK;
     } catch (SSLPeerUnverifiedException | CertificateException | InvocationTargetException
              | IllegalAccessException | IllegalStateException e) {
@@ -76,6 +78,15 @@ public Status verifyAuthority(@Nonnull String authority) {
     return peerVerificationStatus;
   }
 
+  private String removeAnyPortNumber(String authority) {
+    int closingSquareBracketIndex = authority.lastIndexOf(']');
+    int portNumberSeperatorColonIndex = authority.lastIndexOf(':');
+    if (portNumberSeperatorColonIndex > closingSquareBracketIndex) {
+      return authority.substring(0, portNumberSeperatorColonIndex);
+    }
+    return authority;
+  }
+
   private void verifyAuthorityAllowedForPeerCert(String authority)
           throws SSLPeerUnverifiedException, CertificateException, InvocationTargetException,
           IllegalAccessException {

netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java

@@ -37,9 +37,7 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.timeout;
-import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -139,8 +137,6 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
-import org.mockito.AdditionalAnswers;
-import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnit;
 import org.mockito.junit.MockitoRule;
@@ -955,47 +951,58 @@ public void authorityOverrideInCallOptions_matchesServerPeerHost_newStreamCreati
     }
   }
 
+  // Without removing the port number part that {@link X509AuthorityVerifier} does, there will be a
+  // java.security.cert.CertificateException: Illegal given domain name: foo.test.google.fr:12345
   @Test
-  public void authorityOverrideInCallOptions_lruCache()
-          throws IOException, InterruptedException, GeneralSecurityException, ExecutionException,
-          TimeoutException {
+  public void authorityOverrideInCallOptions_portNumberInAuthority_isStrippedForPeerVerification()
+      throws IOException, InterruptedException, GeneralSecurityException, ExecutionException,
+      TimeoutException {
     NettyClientHandler.enablePerRpcAuthorityCheck = true;
     try {
       startServer();
-      ProtocolNegotiator mockNegotiator =
-              mock(ProtocolNegotiator.class, AdditionalAnswers.delegatesTo(newNegotiator()));
-      NettyClientTransport transport = newTransport(mockNegotiator);
+      NettyClientTransport transport = newTransport(newNegotiator());
       SettableFuture<Void> connected = SettableFuture.create();
       FakeClientTransportListener fakeClientTransportListener =
-              new FakeClientTransportListener(connected);
+          new FakeClientTransportListener(connected);
       callMeMaybe(transport.start(fakeClientTransportListener));
       connected.get(10, TimeUnit.SECONDS);
       assertThat(fakeClientTransportListener.isConnected()).isTrue();
 
-      ArgumentCaptor<String> authorityArgumentCaptor = ArgumentCaptor.forClass(String.class);
-      new Rpc(transport, new Metadata(), "foo-0.test.google.fr").halfClose()
-              .waitForResponse();
-      // Should use cache.
-      new Rpc(transport, new Metadata(), "foo-0.test.google.fr").waitForResponse();
-      for (int i = 1; i < 100; i++) {
-        // Should call verifyAuthority each time here and the cache grows with each call.
-        new Rpc(transport, new Metadata(), "foo-" + i + ".test.google.fr").halfClose()
-                .waitForResponse();
-      }
-      // Cache is full at this point. Eviction occurs here for foo-0.test.google.fr.
-      new Rpc(transport, new Metadata(), "foo-100.test.google.fr").halfClose()
-              .waitForResponse();
-      // verifyAuthority call happens for foo-0.test.google.fr.
-      new Rpc(transport, new Metadata(), "foo-0.test.google.fr").halfClose()
-              .waitForResponse();
-      verify(mockNegotiator, times(102)).verifyAuthority(
-              authorityArgumentCaptor.capture());
-      List<String> authorityValues = authorityArgumentCaptor.getAllValues();
-      for (int i = 0; i < 100; i++) {
-        assertThat(authorityValues.get(i)).isEqualTo("foo-" + i + ".test.google.fr");
-      }
-      assertThat(authorityValues.get(100)).isEqualTo("foo-100.test.google.fr");
-      assertThat(authorityValues.get(101)).isEqualTo("foo-0.test.google.fr");
+      new Rpc(transport, new Metadata(), "foo.test.google.fr:12345").waitForResponse();
+    } finally {
+      NettyClientHandler.enablePerRpcAuthorityCheck = false;;
+    }
+  }
+
+  @Test
+  public void authorityOverrideInCallOptions_portNumberAndIpv6_isStrippedForPeerVerification()
+      throws IOException, InterruptedException, GeneralSecurityException, ExecutionException,
+      TimeoutException {
+    NettyClientHandler.enablePerRpcAuthorityCheck = true;
+    try {
+      startServer();
+      NettyClientTransport transport = newTransport(newNegotiator());
+      SettableFuture<Void> connected = SettableFuture.create();
+      FakeClientTransportListener fakeClientTransportListener =
+          new FakeClientTransportListener(connected);
+      callMeMaybe(transport.start(fakeClientTransportListener));
+      connected.get(10, TimeUnit.SECONDS);
+      assertThat(fakeClientTransportListener.isConnected()).isTrue();
+
+      new Rpc(transport, new Metadata(), "[2001:db8:3333:4444:5555:6666:1.2.3.4]:12345")
+          .waitForResponse();
+    } catch (ExecutionException ex) {
+      Status status = ((StatusException) ex.getCause()).getStatus();
+      assertThat(status.getDescription()).isEqualTo("Peer hostname verification during rpc "
+          + "failed for authority '[2001:db8:3333:4444:5555:6666:1.2.3.4]:12345'");
+      assertThat(status.getCode()).isEqualTo(Code.UNAVAILABLE);
+      assertThat(((InvocationTargetException) ex.getCause().getCause()).getTargetException())
+          .isInstanceOf(CertificateException.class);
+      // Port number is removed by {@link X509AuthorityVerifier}.
+      assertThat(((InvocationTargetException) ex.getCause().getCause()).getTargetException()
+          .getMessage()).isEqualTo(
+          "No subject alternative names matching IP address 2001:db8:3333:4444:5555:6666:1.2.3.4 "
+              + "found");
     } finally {
       NettyClientHandler.enablePerRpcAuthorityCheck = false;;
     }
@@ -1182,9 +1189,11 @@ private static class Rpc {
 
     Rpc(NettyClientTransport transport, Metadata headers, String authorityOverride) {
       stream = transport.newStream(
-          METHOD, headers, authorityOverride != null
-                      ? CallOptions.DEFAULT.withAuthority(authorityOverride) : CallOptions.DEFAULT,
+          METHOD, headers, CallOptions.DEFAULT,
           new ClientStreamTracer[]{ new ClientStreamTracer() {} });
+      if (authorityOverride != null) {
+        stream.setAuthority(authorityOverride);
+      }
       stream.start(listener);
       stream.request(1);
       stream.writeMessage(new ByteArrayInputStream(MESSAGE.getBytes(UTF_8)));