Introduce flag for fallback to use the xds channel authority if no SNI is determined to be used.

Author: kannanjgithub

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -634,9 +634,6 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
         X509TrustManager x509TrustManager) {
       super(next, negotiationLogger);
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
-      // TODO: For empty authority and fallback flag
-      // GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE present, we should parse authority
-      // but prevent it from being used for SAN validation in the TrustManager.
       if (authority != null) {
         HostPort hostPort = parseAuthority(authority);
         this.host = hostPort.host;

xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java

@@ -44,7 +44,7 @@ public abstract class DynamicSslContextProvider extends SslContextProvider {
   @Nullable protected final CertificateValidationContext staticCertificateValidationContext;
   @Nullable protected AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager>
       sslContextAndTrustManager;
-  private boolean autoSniSanValidationDoesNotApply;
+  protected boolean autoSniSanValidationDoesNotApply;
 
   protected DynamicSslContextProvider(
       BaseTlsContext tlsContext, CertificateValidationContext staticCertValidationContext) {

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -194,6 +194,7 @@ static final class ClientSecurityHandler
     private final GrpcHttp2ConnectionHandler grpcHandler;
     private final SslContextProviderSupplier sslContextProviderSupplier;
     private final String sni;
+    private final boolean autoSniSanValidationDoesNotApply;
 
     ClientSecurityHandler(
         GrpcHttp2ConnectionHandler grpcHandler,
@@ -215,10 +216,19 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
       EnvoyServerProtoData.BaseTlsContext tlsContext = sslContextProviderSupplier.getTlsContext();
       UpstreamTlsContext upstreamTlsContext = ((UpstreamTlsContext) tlsContext);
       if (CertificateUtils.isXdsSniEnabled) {
-        sni = upstreamTlsContext.getAutoHostSni() && !Strings.isNullOrEmpty(endpointHostname)
+        String sniToUse = upstreamTlsContext.getAutoHostSni()
+            && !Strings.isNullOrEmpty(endpointHostname)
             ? endpointHostname : upstreamTlsContext.getSni();
+        if (sniToUse.isEmpty() && CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
+          sniToUse = grpcHandler.getAuthority();
+          autoSniSanValidationDoesNotApply = true;
+        } else {
+          autoSniSanValidationDoesNotApply = false;
+        }
+        sni = sniToUse;
       } else {
         sni = grpcHandler.getAuthority();
+        autoSniSanValidationDoesNotApply = false;
       }
     }
 
@@ -261,7 +271,7 @@ public void onException(Throwable throwable) {
               ctx.fireExceptionCaught(throwable);
             }
           },
-          false);
+          autoSniSanValidationDoesNotApply);
     }
 
     @Override

xds/src/main/java/io/grpc/xds/internal/security/trust/CertificateUtils.java

@@ -31,6 +31,8 @@
  */
 public final class CertificateUtils {
   public static boolean isXdsSniEnabled = GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_SNI", false);
+  public static boolean useChannelAuthorityIfNoSniApplicable
+      = GrpcUtil.getFlag("GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE", false);
 
   /**
    * Generates X509Certificate array from a file on disk.