Address review comments.

kannanjgithub · kannanjgithub · commit 8902dbdc0e71 · 2024-12-14T14:52:32.000+05:30
diff --git a/core/src/main/java/io/grpc/internal/CertificateUtils.java b/core/src/main/java/io/grpc/internal/CertificateUtils.java
@@ -26,21 +26,19 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Optional;
+import java.util.List;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509ExtendedTrustManager;
 import javax.security.auth.x500.X500Principal;
 
 /**
  * Contains certificate/key PEM file utility method(s) for internal usage.
  */
 public class CertificateUtils {
   /**
-   * Creates a X509ExtendedTrustManager using the provided CA certs if applicable for the
-   * certificate type.
+   * Creates a X509TrustManagers using the provided CA certs.
    */
-  public static Optional<TrustManager> getX509ExtendedTrustManager(InputStream rootCerts)
+  public static List<TrustManager> getTrustManagers(InputStream rootCerts)
       throws GeneralSecurityException {
     KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
     try {
@@ -58,8 +56,7 @@ public static Optional<TrustManager> getX509ExtendedTrustManager(InputStream roo
     TrustManagerFactory trustManagerFactory =
         TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
     trustManagerFactory.init(ks);
-    return Arrays.stream(trustManagerFactory.getTrustManagers())
-        .filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+    return Arrays.asList(trustManagerFactory.getTrustManagers());
   }
 
   private static X509Certificate[] getX509Certificates(InputStream inputStream)
diff --git a/netty/src/main/java/io/grpc/netty/NettyClientTransport.java b/netty/src/main/java/io/grpc/netty/NettyClientTransport.java
@@ -196,7 +196,7 @@ public ClientStream newStream(
     }
     if (callOptions.getAuthority() != null) {
       Status verificationStatus = negotiator.verifyAuthority(callOptions.getAuthority());
-      if (!verificationStatus.equals(Status.OK)) {
+      if (!verificationStatus.isOk()) {
         return new FailingClientStream(verificationStatus, tracers);
       }
     }
diff --git a/netty/src/main/java/io/grpc/netty/NoopSslEngine.java b/netty/src/main/java/io/grpc/netty/NoopSslEngine.java
@@ -26,7 +26,7 @@
  * A no-op implementation of SslEngine, to facilitate overriding only the required methods in
  * specific implementations.
  */
-public class NoopSslEngine extends SSLEngine {
+class NoopSslEngine extends SSLEngine {
   @Override
   public SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffer dst)
           throws SSLException {
diff --git a/netty/src/main/java/io/grpc/netty/ProtocolNegotiator.java b/netty/src/main/java/io/grpc/netty/ProtocolNegotiator.java
@@ -69,6 +69,7 @@ interface ServerFactory {
    * Verify the authority against peer if applicable depending on the transport credential type.
    */
   default Status verifyAuthority(String authority) {
-    return Status.UNAVAILABLE;
+    return Status.UNAVAILABLE.withDescription("Per-rpc authority verification not implemented by "
+            + "the protocol negotiator");
   }
 }
diff --git a/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
@@ -18,7 +18,6 @@
 
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
-import static io.grpc.internal.CertificateUtils.getX509ExtendedTrustManager;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
@@ -42,6 +41,7 @@
 import io.grpc.Status;
 import io.grpc.TlsChannelCredentials;
 import io.grpc.TlsServerCredentials;
+import io.grpc.internal.CertificateUtils;
 import io.grpc.internal.GrpcAttributes;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.ObjectPool;
@@ -79,6 +79,7 @@
 import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -130,27 +131,24 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
             new ByteArrayInputStream(tlsCreds.getPrivateKey()),
             tlsCreds.getPrivateKeyPassword());
       }
-      Optional<TrustManager> x509ExtendedTrustManager;
       try {
+        List<TrustManager> trustManagers;
         if (tlsCreds.getTrustManagers() != null) {
-          builder.trustManager(new FixedTrustManagerFactory(tlsCreds.getTrustManagers()));
-          x509ExtendedTrustManager = tlsCreds.getTrustManagers().stream().filter(
-              trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+          trustManagers = tlsCreds.getTrustManagers();
         } else if (tlsCreds.getRootCertificates() != null) {
-          builder.trustManager(new ByteArrayInputStream(tlsCreds.getRootCertificates()));
-          x509ExtendedTrustManager = getX509ExtendedTrustManager(new ByteArrayInputStream(
-              tlsCreds.getRootCertificates()));
+          trustManagers = CertificateUtils.getTrustManagers(
+                  new ByteArrayInputStream(tlsCreds.getRootCertificates()));
         } else { // else use system default
           TrustManagerFactory tmf = TrustManagerFactory.getInstance(
               TrustManagerFactory.getDefaultAlgorithm());
           tmf.init((KeyStore) null);
-          x509ExtendedTrustManager = Arrays.stream(tmf.getTrustManagers())
-              .filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+          trustManagers = Arrays.asList(tmf.getTrustManagers());
         }
+        builder.trustManager(new FixedTrustManagerFactory(trustManagers));
+        Optional<TrustManager> x509ExtendedTrustManager = trustManagers.stream().filter(
+                trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
         return FromChannelCredentialsResult.negotiator(tlsClientFactory(builder.build(),
-            x509ExtendedTrustManager.isPresent()
-                ? (X509ExtendedTrustManager) x509ExtendedTrustManager.get()
-                : null));
+                (X509ExtendedTrustManager) x509ExtendedTrustManager.orElse(null)));
       } catch (SSLException | GeneralSecurityException ex) {
         log.log(Level.FINE, "Exception building SslContext", ex);
         return FromChannelCredentialsResult.error(
@@ -1233,7 +1231,7 @@ public SSLParameters getSSLParameters() {
     }
   }
 
-  static class FakeSslSession extends NoopSslSession {
+  static final class FakeSslSession extends NoopSslSession {
     private final String peerHost;
 
     FakeSslSession(String peerHost) {

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ public ClientStream newStream(`
`196`	`196`	`}`
`197`	`197`	`if (callOptions.getAuthority() != null) {`
`198`	`198`	`Status verificationStatus = negotiator.verifyAuthority(callOptions.getAuthority());`
`199`		`- if (!verificationStatus.equals(Status.OK)) {`
	`199`	`+ if (!verificationStatus.isOk()) {`
`200`	`200`	`return new FailingClientStream(verificationStatus, tracers);`
`201`	`201`	`}`
`202`	`202`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,7 @@ interface ServerFactory {`
`69`	`69`	`* Verify the authority against peer if applicable depending on the transport credential type.`
`70`	`70`	`*/`
`71`	`71`	`default Status verifyAuthority(String authority) {`
`72`		`- return Status.UNAVAILABLE;`
	`72`	`+ return Status.UNAVAILABLE.withDescription("Per-rpc authority verification not implemented by "`
	`73`	`+ + "the protocol negotiator");`
`73`	`74`	`}`
`74`	`75`	`}`