Changes needed for System root certs to work. Commented out the change for SNI in ProtocolNegotiators.java

Author: kannanjgithub

interop-testing/src/main/java/io/grpc/testing/integration/XdsTestClient.java

@@ -452,12 +452,14 @@ public void onNext(SimpleResponse response) {
 
       private void handleRpcCompleted(long requestId, RpcType rpcType, String hostname,
           Set<XdsStatsWatcher> watchers) {
+        logger.info("RPC completed");
         statsAccumulator.recordRpcFinished(rpcType, Status.OK);
         notifyWatchers(watchers, rpcType, requestId, hostname);
       }
 
       private void handleRpcError(long requestId, RpcType rpcType, Status status,
           Set<XdsStatsWatcher> watchers) {
+        logger.info("RPC error with status " + status);
         statsAccumulator.recordRpcFinished(rpcType, status);
         notifyWatchers(watchers, rpcType, requestId, null);
       }

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -651,7 +651,11 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     @Override
     @IgnoreJRERequirement
     protected void handlerAdded0(ChannelHandlerContext ctx) {
-      sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      /*if (host.equals("psm-grpc-server")) {
+        sslEngine = sslContext.newEngine(ctx.alloc(), "kannanj-psm-server-20250604-1226-8bkw5-830293263384.us-east7.run.app", 443);
+      } else {*/
+        sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      // }
       SSLParameters sslParams = sslEngine.getSSLParameters();
       sslParams.setEndpointIdentificationAlgorithm("HTTPS");
       sslEngine.setSSLParameters(sslParams);

xds/src/main/java/io/grpc/xds/GcpAuthenticationFilter.java

@@ -37,6 +37,7 @@
 import io.grpc.ClientCall;
 import io.grpc.ClientInterceptor;
 import io.grpc.CompositeCallCredentials;
+import io.grpc.InternalLogId;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
 import io.grpc.Status;
@@ -45,10 +46,13 @@
 import io.grpc.xds.GcpAuthenticationFilter.AudienceMetadataParser.AudienceWrapper;
 import io.grpc.xds.MetadataRegistry.MetadataValueParser;
 import io.grpc.xds.XdsConfig.XdsClusterConfig;
+import io.grpc.xds.client.XdsLogger;
+import io.grpc.xds.client.XdsLogger.XdsLogLevel;
 import io.grpc.xds.client.XdsResourceType.ResourceInvalidException;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
 import java.util.function.Function;
 import javax.annotation.Nullable;
 
@@ -61,6 +65,7 @@ final class GcpAuthenticationFilter implements Filter {
   static final String TYPE_URL =
       "type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig";
   private final LruCache<String, CallCredentials> callCredentialsCache;
+  private final XdsLogger logger = XdsLogger.withLogId(InternalLogId.allocate("bootstrapper", null));
   final String filterInstanceName;
 
   GcpAuthenticationFilter(String name, int cacheSize) {
@@ -193,6 +198,8 @@ public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
         } else {
           callOptions = callOptions.withCallCredentials(newCallCredentials);
         }
+        logger.log(XdsLogLevel.INFO, "Time to expiry of the auth token=" + callOptions.getDeadline().timeRemaining(
+            TimeUnit.SECONDS));
         return next.newCall(method, callOptions);
       }
     };

xds/src/main/java/io/grpc/xds/XdsNameResolver.java

@@ -515,7 +515,7 @@ public void onClose(Status status, Metadata trailers) {
           Result.newBuilder()
               .setConfig(config)
               .setInterceptor(combineInterceptors(
-                  ImmutableList.of(filters, new ClusterSelectionInterceptor())))
+                  ImmutableList.of(new ClusterSelectionInterceptor(), filters)))
               .build();
     }
 

xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java

@@ -20,12 +20,15 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
+import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.TlsContextManager;
+import io.grpc.xds.internal.security.certprovider.CertProviderClientSslContextProvider;
 import io.netty.handler.ssl.SslContext;
 import java.util.Objects;
+import javax.net.ssl.SSLException;
 
 /**
  * Enables Client or server side to initialize this object with the received {@link BaseTlsContext}
@@ -62,21 +65,33 @@ public synchronized void updateSslContext(final SslContextProvider.Callback call
       }
       // we want to increment the ref-count so call findOrCreate again...
       final SslContextProvider toRelease = getSslContextProvider();
-      toRelease.addCallback(
-          new SslContextProvider.Callback(callback.getExecutor()) {
-
-            @Override
-            public void updateSslContext(SslContext sslContext) {
-              callback.updateSslContext(sslContext);
-              releaseSslContextProvider(toRelease);
-            }
-
-            @Override
-            public void onException(Throwable throwable) {
-              callback.onException(throwable);
-              releaseSslContextProvider(toRelease);
-            }
-          });
+      if (toRelease instanceof CertProviderClientSslContextProvider
+          && ((CertProviderClientSslContextProvider) toRelease).isUsingSystemRootCerts()) {
+        callback.getExecutor().execute(() -> {
+          try {
+            callback.updateSslContext(GrpcSslContexts.forClient().build());
+            releaseSslContextProvider(toRelease);
+          } catch (SSLException e) {
+            callback.onException(e);
+          }
+        });
+      } else {
+        toRelease.addCallback(
+            new SslContextProvider.Callback(callback.getExecutor()) {
+
+              @Override
+              public void updateSslContext(SslContext sslContext) {
+                callback.updateSslContext(sslContext);
+                releaseSslContextProvider(toRelease);
+              }
+
+              @Override
+              public void onException(Throwable throwable) {
+                callback.onException(throwable);
+                releaseSslContextProvider(toRelease);
+              }
+            });
+      };
     } catch (final Throwable throwable) {
       callback.getExecutor().execute(new Runnable() {
         @Override

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java

@@ -30,7 +30,7 @@
 import javax.annotation.Nullable;
 
 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
-final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
+public final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
 
   CertProviderClientSslContextProvider(
       Node node,

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java

@@ -89,6 +89,10 @@ protected CertProviderSslContextProvider(
         && CommonTlsContextUtil.isUsingSystemRootCerts(tlsContext.getCommonTlsContext());
   }
 
+  public boolean isUsingSystemRootCerts() {
+    return this.isUsingSystemRootCerts;
+  }
+
   private static CertificateProviderInfo getCertProviderConfig(
       @Nullable Map<String, CertificateProviderInfo> certProviders, String pluginInstanceName) {
     return certProviders != null ? certProviders.get(pluginInstanceName) : null;