In-progress changes.

Author: kannanjgithub

netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java

@@ -42,9 +42,10 @@ private InternalProtocolNegotiators() {}
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext,
           ObjectPool<? extends Executor> executorPool,
-          Optional<Runnable> handshakeCompleteRunnable) {
+          Optional<Runnable> handshakeCompleteRunnable,
+          String sni) {
     final io.grpc.netty.ProtocolNegotiator negotiator = ProtocolNegotiators.tls(sslContext,
-        executorPool, handshakeCompleteRunnable, null);
+        executorPool, handshakeCompleteRunnable, null, sni);
     final class TlsNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
 
       @Override
@@ -71,8 +72,8 @@ public void close() {
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
    */
-  public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext) {
-    return tls(sslContext, null, Optional.absent());
+  public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext, String sni) {
+    return tls(sslContext, null, Optional.absent(), sni);
   }
 
   /**
@@ -170,7 +171,7 @@ public static ChannelHandler clientTlsHandler(
       ChannelHandler next, SslContext sslContext, String authority,
       ChannelLogger negotiationLogger) {
     return new ClientTlsHandler(next, sslContext, authority, null, negotiationLogger,
-        Optional.absent(), null, null);
+        Optional.absent(), null, null, sni);
   }
 
   public static class ProtocolNegotiationHandler

netty/src/main/java/io/grpc/netty/NettyChannelBuilder.java

@@ -652,7 +652,7 @@ static ProtocolNegotiator createProtocolNegotiatorByType(
       case PLAINTEXT_UPGRADE:
         return ProtocolNegotiators.plaintextUpgrade();
       case TLS:
-        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.absent(), null);
+        return ProtocolNegotiators.tls(sslContext, executorPool, Optional.absent(), null, null);
       default:
         throw new IllegalArgumentException("Unsupported negotiationType: " + negotiationType);
     }

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -46,6 +46,7 @@
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.NoopSslSession;
 import io.grpc.internal.ObjectPool;
+import io.netty.channel.Channel;
 import io.netty.channel.ChannelDuplexHandler;
 import io.netty.channel.ChannelFutureListener;
 import io.netty.channel.ChannelHandler;
@@ -60,6 +61,7 @@
 import io.netty.handler.codec.http2.Http2ClientUpgradeCodec;
 import io.netty.handler.proxy.HttpProxyHandler;
 import io.netty.handler.proxy.ProxyConnectionEvent;
+import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.OpenSsl;
 import io.netty.handler.ssl.OpenSslEngine;
 import io.netty.handler.ssl.SslContext;
@@ -223,15 +225,15 @@ public static FromServerCredentialsResult from(ServerCredentials creds) {
       } // else use system default
       switch (tlsCreds.getClientAuth()) {
         case OPTIONAL:
-          builder.clientAuth(io.netty.handler.ssl.ClientAuth.OPTIONAL);
+          builder.clientAuth(ClientAuth.OPTIONAL);
           break;
 
         case REQUIRE:
-          builder.clientAuth(io.netty.handler.ssl.ClientAuth.REQUIRE);
+          builder.clientAuth(ClientAuth.REQUIRE);
           break;
 
         case NONE:
-          builder.clientAuth(io.netty.handler.ssl.ClientAuth.NONE);
+          builder.clientAuth(ClientAuth.NONE);
           break;
 
         default:
@@ -578,21 +580,23 @@ protected void userEventTriggered0(ChannelHandlerContext ctx, Object evt) throws
   static final class ClientTlsProtocolNegotiator implements ProtocolNegotiator {
 
     public ClientTlsProtocolNegotiator(SslContext sslContext,
-        ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-        X509TrustManager x509ExtendedTrustManager) {
+                                       ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
+                                       X509TrustManager x509ExtendedTrustManager, String sni) {
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
       this.executorPool = executorPool;
       if (this.executorPool != null) {
         this.executor = this.executorPool.getObject();
       }
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
       this.x509ExtendedTrustManager = x509ExtendedTrustManager;
+      this.sni = sni;
     }
 
     private final SslContext sslContext;
     private final ObjectPool<? extends Executor> executorPool;
     private final Optional<Runnable> handshakeCompleteRunnable;
     private final X509TrustManager x509ExtendedTrustManager;
+    private final String sni;
     private Executor executor;
 
     @Override
@@ -606,7 +610,7 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
       ChannelLogger negotiationLogger = grpcHandler.getNegotiationLogger();
       ChannelHandler cth = new ClientTlsHandler(gnh, sslContext, grpcHandler.getAuthority(),
           this.executor, negotiationLogger, handshakeCompleteRunnable, this,
-              x509ExtendedTrustManager);
+              x509ExtendedTrustManager, sni);
       return new WaitUntilActiveHandler(cth, negotiationLogger);
     }
 
@@ -631,15 +635,17 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     private Executor executor;
     private final Optional<Runnable> handshakeCompleteRunnable;
     private final X509TrustManager x509ExtendedTrustManager;
+    private final String sni;
     private SSLEngine sslEngine;
 
     ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
-        Executor executor, ChannelLogger negotiationLogger,
-        Optional<Runnable> handshakeCompleteRunnable,
-        ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
-         X509TrustManager x509ExtendedTrustManager) {
+                     Executor executor, ChannelLogger negotiationLogger,
+                     Optional<Runnable> handshakeCompleteRunnable,
+                     ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
+                     X509TrustManager x509ExtendedTrustManager, String sni) {
       super(next, negotiationLogger);
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
+      this.sni = sni;
       HostPort hostPort = parseAuthority(authority);
       this.host = hostPort.host;
       this.port = hostPort.port;
@@ -651,11 +657,7 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     @Override
     @IgnoreJRERequirement
     protected void handlerAdded0(ChannelHandlerContext ctx) {
-      /*if (host.equals("psm-grpc-server")) {
-        sslEngine = sslContext.newEngine(ctx.alloc(), "kannanj-psm-server-20250604-1226-8bkw5-830293263384.us-east7.run.app", 443);
-      } else {*/
-        sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
-      // }
+      sslEngine = sslContext.newEngine(ctx.alloc(), sni != null? sni : host, port);
       SSLParameters sslParams = sslEngine.getSSLParameters();
       sslParams.setEndpointIdentificationAlgorithm("HTTPS");
       sslEngine.setSSLParameters(sslParams);
@@ -748,25 +750,27 @@ static HostPort parseAuthority(String authority) {
 
   /**
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
-   * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
+   * be negotiated, the {@code handler} is added and writes to the {@link Channel}
    * may happen immediately, even before the TLS Handshake is complete.
+   *
    * @param executorPool a dedicated {@link Executor} pool for time-consuming TLS tasks
+   * @param sni
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
-      ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
-      X509TrustManager x509ExtendedTrustManager) {
+                                       ObjectPool<? extends Executor> executorPool, Optional<Runnable> handshakeCompleteRunnable,
+                                       X509TrustManager x509ExtendedTrustManager, String sni) {
     return new ClientTlsProtocolNegotiator(sslContext, executorPool, handshakeCompleteRunnable,
-        x509ExtendedTrustManager);
+        x509ExtendedTrustManager, sni);
   }
 
   /**
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
-   * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
+   * be negotiated, the {@code handler} is added and writes to the {@link Channel}
    * may happen immediately, even before the TLS Handshake is complete.
    */
   public static ProtocolNegotiator tls(SslContext sslContext,
       X509TrustManager x509ExtendedTrustManager) {
-    return tls(sslContext, null, Optional.absent(), x509ExtendedTrustManager);
+    return tls(sslContext, null, Optional.absent(), x509ExtendedTrustManager, null);
   }
 
   public static ProtocolNegotiator.ClientFactory tlsClientFactory(SslContext sslContext,
@@ -908,8 +912,8 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
   }
 
   /**
-   * Returns a {@link io.netty.channel.ChannelHandler} that ensures that the {@code handler} is
-   * added to the pipeline writes to the {@link io.netty.channel.Channel} may happen immediately,
+   * Returns a {@link ChannelHandler} that ensures that the {@code handler} is
+   * added to the pipeline writes to the {@link Channel} may happen immediately,
    * even before it is active.
    */
   public static ProtocolNegotiator plaintext() {

netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java

@@ -836,7 +836,7 @@ public void tlsNegotiationServerExecutorShouldSucceed() throws Exception {
         .keyManager(clientCert, clientKey)
         .build();
     ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext, clientExecutorPool,
-        Optional.absent(), null);
+        Optional.absent(), null, sni);
     // after starting the client, the Executor in the client pool should be used
     assertEquals(true, clientExecutorPool.isInUse());
     final NettyClientTransport transport = newTransport(negotiator);

netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java

@@ -918,7 +918,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        getClientTlsProtocolNegotiator(), null, sni);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -957,7 +957,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        getClientTlsProtocolNegotiator(), null, sni);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -982,7 +982,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        getClientTlsProtocolNegotiator(), null, sni);
     pipeline.addLast(handler);
 
     final AtomicReference<Throwable> error = new AtomicReference<>();
@@ -1011,7 +1011,7 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
   public void clientTlsHandler_closeDuringNegotiation() throws Exception {
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", null, noopLogger, Optional.absent(),
-        getClientTlsProtocolNegotiator(), null);
+        getClientTlsProtocolNegotiator(), null, sni);
     pipeline.addLast(new WriteBufferingAndExceptionHandler(handler));
     ChannelFuture pendingWrite = channel.writeAndFlush(NettyClientHandler.NOOP_MESSAGE);
 
@@ -1026,7 +1026,7 @@ public void clientTlsHandler_closeDuringNegotiation() throws Exception {
   private ClientTlsProtocolNegotiator getClientTlsProtocolNegotiator() throws SSLException {
     return new ClientTlsProtocolNegotiator(GrpcSslContexts.forClient().trustManager(
         TlsTesting.loadCert("ca.pem")).build(),
-        null, Optional.absent(), null);
+        null, Optional.absent(), null, sni);
   }
 
   @Test
@@ -1277,7 +1277,7 @@ public void clientTlsHandler_firesNegotiation() throws Exception {
     }
     FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
     ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext,
-        null, Optional.absent(), null);
+        null, Optional.absent(), null, sni);
     WriteBufferingAndExceptionHandler clientWbaeh =
         new WriteBufferingAndExceptionHandler(pn.newHandler(gh));
 

xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java

@@ -146,7 +146,7 @@ public Status acceptResolvedAddresses(ResolvedAddresses resolvedAddresses) {
 
     childLbHelper.updateDropPolicies(config.dropCategories);
     childLbHelper.updateMaxConcurrentRequests(config.maxConcurrentRequests);
-    childLbHelper.updateSslContextProviderSupplier(config.tlsContext);
+    childLbHelper.updateSslContext(config.tlsContext);
     childLbHelper.updateFilterMetadata(config.filterMetadata);
 
     childSwitchLb.handleResolvedAddresses(
@@ -184,7 +184,7 @@ public void shutdown() {
     if (childSwitchLb != null) {
       childSwitchLb.shutdown();
       if (childLbHelper != null) {
-        childLbHelper.updateSslContextProviderSupplier(null);
+        childLbHelper.updateSslContext(null);
         childLbHelper = null;
       }
     }
@@ -204,7 +204,7 @@ private final class ClusterImplLbHelper extends ForwardingLoadBalancerHelper {
     private List<DropOverload> dropPolicies = Collections.emptyList();
     private long maxConcurrentRequests = DEFAULT_PER_CLUSTER_MAX_CONCURRENT_REQUESTS;
     @Nullable
-    private SslContextProviderSupplier sslContextProviderSupplier;
+    private UpstreamTlsContext tlsContext;
     private Map<String, Struct> filterMetadata = ImmutableMap.of();
     @Nullable
     private final ServerInfo lrsServerInfo;
@@ -293,10 +293,12 @@ private List<EquivalentAddressGroup> withAdditionalAttributes(
       for (EquivalentAddressGroup eag : addresses) {
         Attributes.Builder attrBuilder = eag.getAttributes().toBuilder().set(
             XdsAttributes.ATTR_CLUSTER_NAME, cluster);
-        if (sslContextProviderSupplier != null) {
+        if (tlsContext != null) {
           attrBuilder.set(
               SecurityProtocolNegotiators.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER,
-              sslContextProviderSupplier);
+              new SslContextProviderSupplier(tlsContext,
+                  (TlsContextManager) xdsClient.getSecurityConfig(),
+                  eag.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME)));
         }
         newAddresses.add(new EquivalentAddressGroup(eag.getAddresses(), attrBuilder.build()));
       }
@@ -348,22 +350,11 @@ private void updateMaxConcurrentRequests(@Nullable Long maxConcurrentRequests) {
       updateBalancingState(currentState, currentPicker);
     }
 
-    private void updateSslContextProviderSupplier(@Nullable UpstreamTlsContext tlsContext) {
-      UpstreamTlsContext currentTlsContext =
-          sslContextProviderSupplier != null
-              ? (UpstreamTlsContext)sslContextProviderSupplier.getTlsContext()
-              : null;
-      if (Objects.equals(currentTlsContext,  tlsContext)) {
+    private void updateSslContext(@Nullable UpstreamTlsContext tlsContext) {
+      if (Objects.equals(this.tlsContext,  tlsContext)) {
         return;
       }
-      if (sslContextProviderSupplier != null) {
-        sslContextProviderSupplier.close();
-      }
-      sslContextProviderSupplier =
-          tlsContext != null
-              ? new SslContextProviderSupplier(tlsContext,
-                                               (TlsContextManager) xdsClient.getSecurityConfig())
-              : null;
+      this.tlsContext = tlsContext;
     }
 
     private void updateFilterMetadata(Map<String, Struct> filterMetadata) {

xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java

@@ -73,15 +73,28 @@ public int hashCode() {
 
   public static final class UpstreamTlsContext extends BaseTlsContext {
 
+    private final String sni;
+    private final boolean auto_host_sni;
+
     @VisibleForTesting
-    public UpstreamTlsContext(CommonTlsContext commonTlsContext) {
-      super(commonTlsContext);
+    public UpstreamTlsContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext upstreamTlsContext) {
+      super(upstreamTlsContext.getCommonTlsContext());
+      this.sni = upstreamTlsContext.getSni();
+      this.auto_host_sni = upstreamTlsContext.getAutoHostSni();
     }
 
     public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext(
         io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
             upstreamTlsContext) {
-      return new UpstreamTlsContext(upstreamTlsContext.getCommonTlsContext());
+      return new UpstreamTlsContext(upstreamTlsContext);
+    }
+
+    public String getSni() {
+      return sni;
+    }
+
+    public boolean getAutoHostSni() {
+      return auto_host_sni;
     }
 
     @Override

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -213,7 +213,7 @@ protected void handlerAdded0(final ChannelHandlerContext ctx) {
           new SslContextProvider.Callback(ctx.executor()) {
 
             @Override
-            public void updateSslContext(SslContext sslContext) {
+            public void updateSslContext(SslContext sslContext, String sni) {
               if (ctx.isRemoved()) {
                 return;
               }
@@ -222,7 +222,7 @@ public void updateSslContext(SslContext sslContext) {
                   "ClientSecurityHandler.updateSslContext authority={0}, ctx.name={1}",
                   new Object[]{grpcHandler.getAuthority(), ctx.name()});
               ChannelHandler handler =
-                  InternalProtocolNegotiators.tls(sslContext).newHandler(grpcHandler);
+                  InternalProtocolNegotiators.tls(sslContext, sni).newHandler(grpcHandler);
 
               // Delegate rest of handshake to TLS handler
               ctx.pipeline().addAfter(ctx.name(), null, handler);
@@ -356,7 +356,7 @@ protected void handlerAdded0(final ChannelHandlerContext ctx) {
           new SslContextProvider.Callback(ctx.executor()) {
 
             @Override
-            public void updateSslContext(SslContext sslContext) {
+            public void updateSslContext(SslContext sslContext, String sni) {
               ChannelHandler handler =
                   InternalProtocolNegotiators.serverTls(sslContext).newHandler(grpcHandler);
 

xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java

@@ -57,7 +57,7 @@ protected Callback(Executor executor) {
     }
 
     /** Informs callee of new/updated SslContext. */
-    @VisibleForTesting public abstract void updateSslContext(SslContext sslContext);
+    @VisibleForTesting public abstract void updateSslContext(SslContext sslContext, String sni);
 
     /** Informs callee of an exception that was generated. */
     @VisibleForTesting protected abstract void onException(Throwable throwable);
@@ -120,7 +120,7 @@ protected final void performCallback(
           public void run() {
             try {
               SslContext sslContext = sslContextGetter.get();
-              callback.updateSslContext(sslContext);
+              callback.updateSslContext(sslContext, sni);
             } catch (Throwable e) {
               callback.onException(e);
             }