Fix plumbings.

Author: kannanjgithub

api/src/main/java/io/grpc/EquivalentAddressGroup.java

@@ -55,7 +55,6 @@ public final class EquivalentAddressGroup {
    */
   public static final Attributes.Key<String> ATTR_LOCALITY_NAME =
       Attributes.Key.create("io.grpc.EquivalentAddressGroup.LOCALITY");
-
   private final List<SocketAddress> addrs;
   private final Attributes attrs;
 

netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java

@@ -40,7 +40,6 @@ private InternalProtocolNegotiators() {}
    * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
    * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
    * may happen immediately, even before the TLS Handshake is complete.
-   *
    * @param executorPool             a dedicated {@link Executor} pool for time-consuming TLS tasks
    */
   public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext,
@@ -67,7 +66,6 @@ public void close() {
         negotiator.close();
       }
     }
-
     return new TlsNegotiator();
   }
 

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -131,7 +131,7 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
           trustManagers = tlsCreds.getTrustManagers();
         } else if (tlsCreds.getRootCertificates() != null) {
           trustManagers = Arrays.asList(CertificateUtils.createTrustManager(
-                new ByteArrayInputStream(tlsCreds.getRootCertificates())));
+                  new ByteArrayInputStream(tlsCreds.getRootCertificates())));
         } else { // else use system default
           TrustManagerFactory tmf = TrustManagerFactory.getInstance(
               TrustManagerFactory.getDefaultAlgorithm());
@@ -142,7 +142,7 @@ public static FromChannelCredentialsResult from(ChannelCredentials creds) {
         TrustManager x509ExtendedTrustManager =
             CertificateUtils.getX509ExtendedTrustManager(trustManagers);
         return FromChannelCredentialsResult.negotiator(tlsClientFactory(builder.build(),
-            (X509TrustManager) x509ExtendedTrustManager));
+                (X509TrustManager) x509ExtendedTrustManager));
       } catch (SSLException | GeneralSecurityException ex) {
         log.log(Level.FINE, "Exception building SslContext", ex);
         return FromChannelCredentialsResult.error(
@@ -458,7 +458,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
         }
         SslHandler sslHandler = ctx.pipeline().get(SslHandler.class);
         if (!sslContext.applicationProtocolNegotiator().protocols().contains(
-            sslHandler.applicationProtocol())) {
+                sslHandler.applicationProtocol())) {
           logSslEngineDetails(Level.FINE, ctx, "TLS negotiation failed for new client.", null);
           ctx.fireExceptionCaught(unavailableException(
               "Failed protocol negotiation: Unable to find compatible protocol"));
@@ -618,18 +618,21 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     private final int port;
     private Executor executor;
     private final Optional<Runnable> handshakeCompleteRunnable;
-    private final X509TrustManager x509ExtendedTrustManager;
+    private final X509TrustManager x509TrustManager;
     private SSLEngine sslEngine;
 
-    ClientTlsHandler(ChannelHandler next, SslContext sslContext, String sniHostPort,
+    ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
         Executor executor, ChannelLogger negotiationLogger,
         Optional<Runnable> handshakeCompleteRunnable,
         ClientTlsProtocolNegotiator clientTlsProtocolNegotiator,
-        X509TrustManager x509ExtendedTrustManager) {
+        X509TrustManager x509TrustManager) {
       super(next, negotiationLogger);
       this.sslContext = Preconditions.checkNotNull(sslContext, "sslContext");
-      if (!Strings.isNullOrEmpty(sniHostPort)) {
-        HostPort hostPort = parseAuthority(sniHostPort);
+      // TODO: For empty authority and fallback flag
+      // GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE present, we should parse authority
+      // but prevent it from being used for SAN validation in the TrustManager.
+      if (authority != null && !authority.isEmpty()) {
+        HostPort hostPort = parseAuthority(authority);
         this.host = hostPort.host;
         this.port = hostPort.port;
       } else {
@@ -638,7 +641,7 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
       }
       this.executor = executor;
       this.handshakeCompleteRunnable = handshakeCompleteRunnable;
-      this.x509ExtendedTrustManager = x509ExtendedTrustManager;
+      this.x509TrustManager = x509TrustManager;
     }
 
     @Override
@@ -706,7 +709,7 @@ private void propagateTlsComplete(ChannelHandlerContext ctx, SSLSession session)
           .set(GrpcAttributes.ATTR_SECURITY_LEVEL, SecurityLevel.PRIVACY_AND_INTEGRITY)
           .set(Grpc.TRANSPORT_ATTR_SSL_SESSION, session)
           .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, new X509AuthorityVerifier(
-              sslEngine, x509ExtendedTrustManager))
+              sslEngine, x509TrustManager))
           .build();
       replaceProtocolNegotiationEvent(existingPne.withAttributes(attrs).withSecurity(security));
       if (handshakeCompleteRunnable.isPresent()) {
@@ -1058,8 +1061,8 @@ static final class PlaintextHandler extends ProtocolNegotiationHandler {
     protected void protocolNegotiationEventTriggered(ChannelHandlerContext ctx) {
       ProtocolNegotiationEvent existingPne = getProtocolNegotiationEvent();
       Attributes attrs = existingPne.getAttributes().toBuilder()
-            .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, (authority) -> Status.OK)
-            .build();
+              .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, (authority) -> Status.OK)
+              .build();
       replaceProtocolNegotiationEvent(existingPne.withAttributes(attrs));
       fireProtocolNegotiationEvent(ctx);
     }
@@ -1219,4 +1222,4 @@ public String getPeerHost() {
       return peerHost;
     }
   }
-}
+}

netty/src/test/java/io/grpc/netty/ProtocolNegotiatorsTest.java

@@ -918,7 +918,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        null, null);
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -957,7 +957,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        null, null);
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(handler);
     pipeline.replace(SslHandler.class, null, goodSslHandler);
     pipeline.fireUserEventTriggered(ProtocolNegotiationEvent.DEFAULT);
@@ -982,7 +982,7 @@ public String applicationProtocol() {
 
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", elg, noopLogger, Optional.absent(),
-        null, null);
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(handler);
 
     final AtomicReference<Throwable> error = new AtomicReference<>();
@@ -1011,7 +1011,7 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
   public void clientTlsHandler_closeDuringNegotiation() throws Exception {
     ClientTlsHandler handler = new ClientTlsHandler(grpcHandler, sslContext,
         "authority", null, noopLogger, Optional.absent(),
-        null, null);
+        getClientTlsProtocolNegotiator(), null);
     pipeline.addLast(new WriteBufferingAndExceptionHandler(handler));
     ChannelFuture pendingWrite = channel.writeAndFlush(NettyClientHandler.NOOP_MESSAGE);
 
@@ -1023,6 +1023,12 @@ public void clientTlsHandler_closeDuringNegotiation() throws Exception {
         .isEqualTo(Status.Code.UNAVAILABLE);
   }
 
+  private ClientTlsProtocolNegotiator getClientTlsProtocolNegotiator() throws SSLException {
+    return new ClientTlsProtocolNegotiator(GrpcSslContexts.forClient().trustManager(
+        TlsTesting.loadCert("ca.pem")).build(),
+        null, Optional.absent(), null, "");
+  }
+
   @Test
   public void engineLog() {
     ChannelHandler handler = new ServerTlsHandler(grpcHandler, sslContext, null);

xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java

@@ -153,8 +153,8 @@ public Status acceptResolvedAddresses(ResolvedAddresses resolvedAddresses) {
     childSwitchLb.handleResolvedAddresses(
         resolvedAddresses.toBuilder()
             .setAttributes(attributes.toBuilder()
-                .set(NameResolver.ATTR_BACKEND_SERVICE, cluster)
-                .build())
+              .set(NameResolver.ATTR_BACKEND_SERVICE, cluster)
+              .build())
             .setLoadBalancingPolicyConfig(config.childConfig)
             .build());
     return Status.OK;
@@ -321,7 +321,7 @@ private ClusterLocality createClusterLocalityFromAttributes(Attributes addressAt
           (lrsServerInfo == null)
               ? null
               : xdsClient.addClusterLocalityStats(lrsServerInfo, cluster,
-              edsServiceName, locality);
+                  edsServiceName, locality);
 
       return new ClusterLocality(localityStats, localityName);
     }
@@ -363,7 +363,7 @@ private void updateSslContextProviderSupplier(@Nullable UpstreamTlsContext tlsCo
       sslContextProviderSupplier =
           tlsContext != null
               ? new SslContextProviderSupplier(tlsContext,
-              (TlsContextManager) xdsClient.getSecurityConfig())
+                                               (TlsContextManager) xdsClient.getSecurityConfig())
               : null;
     }
 
@@ -378,9 +378,9 @@ private class RequestLimitingSubchannelPicker extends SubchannelPicker {
       private final Map<String, Struct> filterMetadata;
 
       private RequestLimitingSubchannelPicker(SubchannelPicker delegate,
-                                              List<DropOverload> dropPolicies,
-                                              long maxConcurrentRequests,
-                                              Map<String, Struct> filterMetadata) {
+          List<DropOverload> dropPolicies,
+          long maxConcurrentRequests,
+          Map<String, Struct> filterMetadata) {
         this.delegate = delegate;
         this.dropPolicies = dropPolicies;
         this.maxConcurrentRequests = maxConcurrentRequests;
@@ -544,4 +544,4 @@ void release() {
       }
     }
   }
-}
+}

xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java

@@ -98,8 +98,7 @@ public UpstreamTlsContext(
     public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext(
         io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
             upstreamTlsContext) {
-      UpstreamTlsContext o = new UpstreamTlsContext(upstreamTlsContext);
-      return o;
+      return new UpstreamTlsContext(upstreamTlsContext);
     }
 
     public String getSni() {
@@ -118,7 +117,7 @@ public boolean getAutoSniSanValidation() {
     public String toString() {
       return "UpstreamTlsContext{"
           + "commonTlsContext=" + commonTlsContext
-          + "sni=" + sni
+          + "\nsni=" + sni
           + "\nauto_host_sni=" + autoHostSni
           + "\nauto_sni_san_validation=" + autoSniSanValidation
           + "}";

xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java

@@ -42,9 +42,9 @@ final class ClientSslContextProviderFactory
 
   /** Creates an SslContextProvider from the given UpstreamTlsContext. */
   @Override
-  public SslContextProvider create(UpstreamTlsContext key) {
+  public SslContextProvider create(UpstreamTlsContext upstreamTlsContext) {
     return certProviderClientSslContextProviderFactory.getProvider(
-        key,
+        upstreamTlsContext,
         bootstrapInfo.node().toEnvoyProtoNode(),
         bootstrapInfo.certProviders());
   }

xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java

@@ -43,7 +43,7 @@ public abstract class DynamicSslContextProvider extends SslContextProvider {
   protected final List<Callback> pendingCallbacks = new ArrayList<>();
   @Nullable protected final CertificateValidationContext staticCertificateValidationContext;
   @Nullable protected AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
-      sslContextAndExtendedX509TrustManager;
+      sslContextAndTrustManager;
 
   protected DynamicSslContextProvider(
       BaseTlsContext tlsContext, CertificateValidationContext staticCertValidationContext) {
@@ -53,17 +53,15 @@ protected DynamicSslContextProvider(
 
   @Nullable
   public AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
-      getSslContextAndExtendedX509TrustManager() {
-    return sslContextAndExtendedX509TrustManager;
+  getSslContextAndTrustManager() {
+    return sslContextAndTrustManager;
   }
 
   protected abstract CertificateValidationContext generateCertificateValidationContext();
 
-  /**
-   * Gets a server or client side SslContextBuilder.
-   */
+  /** Gets a server or client side SslContextBuilder. */
   protected abstract AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager>
-      getSslContextBuilderAndExtendedX509TrustManager(
+  getSslContextBuilderAndTrustManager(
           CertificateValidationContext certificateValidationContext)
       throws CertificateException, IOException, CertStoreException;
 
@@ -73,7 +71,7 @@ protected final void updateSslContext() {
       CertificateValidationContext localCertValidationContext =
           generateCertificateValidationContext();
       AbstractMap.SimpleImmutableEntry<SslContextBuilder, TrustManager> sslContextBuilderAndTm =
-          getSslContextBuilderAndExtendedX509TrustManager(localCertValidationContext);
+          getSslContextBuilderAndTrustManager(localCertValidationContext);
       CommonTlsContext commonTlsContext = getCommonTlsContext();
       if (commonTlsContext != null && commonTlsContext.getAlpnProtocolsCount() > 0) {
         List<String> alpnList = commonTlsContext.getAlpnProtocolsList();
@@ -89,9 +87,9 @@ protected final void updateSslContext() {
       AbstractMap.SimpleImmutableEntry<SslContext, TrustManager>
           sslContextAndExtendedX09TrustManagerCopy;
       synchronized (pendingCallbacks) {
-        sslContextAndExtendedX509TrustManager = new AbstractMap.SimpleImmutableEntry<>(
+        sslContextAndTrustManager = new AbstractMap.SimpleImmutableEntry<>(
             sslContextBuilderAndTm.getKey().build(), sslContextBuilderAndTm.getValue());
-        sslContextAndExtendedX09TrustManagerCopy = sslContextAndExtendedX509TrustManager;
+        sslContextAndExtendedX09TrustManagerCopy = sslContextAndTrustManager;
         pendingCallbacksCopy = clonePendingCallbacksAndClear();
       }
       makePendingCallbacks(sslContextAndExtendedX09TrustManagerCopy, pendingCallbacksCopy);
@@ -121,8 +119,8 @@ public final void addCallback(Callback callback) {
     // if there is a computed sslContext just send it
     AbstractMap.SimpleImmutableEntry<SslContext, TrustManager> sslContextCopy = null;
     synchronized (pendingCallbacks) {
-      if (sslContextAndExtendedX509TrustManager != null) {
-        sslContextCopy = sslContextAndExtendedX509TrustManager;
+      if (sslContextAndTrustManager != null) {
+        sslContextCopy = sslContextAndTrustManager;
       } else {
         pendingCallbacks.add(callback);
       }

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -261,7 +261,8 @@ public void updateSslContextAndExtendedX509TrustManager(
             public void onException(Throwable throwable) {
               ctx.fireExceptionCaught(throwable);
             }
-          });
+          }
+      );
     }
 
     @Override
@@ -351,13 +352,13 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
 
   @VisibleForTesting
   static final class ServerSecurityHandler
-      extends InternalProtocolNegotiators.ProtocolNegotiationHandler {
+          extends InternalProtocolNegotiators.ProtocolNegotiationHandler {
     private final GrpcHttp2ConnectionHandler grpcHandler;
     private final SslContextProviderSupplier sslContextProviderSupplier;
 
     ServerSecurityHandler(
-        GrpcHttp2ConnectionHandler grpcHandler,
-        SslContextProviderSupplier sslContextProviderSupplier) {
+            GrpcHttp2ConnectionHandler grpcHandler,
+            SslContextProviderSupplier sslContextProviderSupplier) {
       super(
           // superclass (InternalProtocolNegotiators.ProtocolNegotiationHandler) expects 'next'
           // handler but we don't have a next handler _yet_. So we "disable" superclass's behavior
@@ -399,7 +400,8 @@ public void updateSslContextAndExtendedX509TrustManager(
             public void onException(Throwable throwable) {
               ctx.fireExceptionCaught(throwable);
             }
-          });
+          }
+      );
     }
   }
-}
+}

xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java

@@ -114,7 +114,7 @@ public UpstreamTlsContext getUpstreamTlsContext() {
   public abstract void addCallback(Callback callback);
 
   protected final void performCallback(
-      final SslContextGetter sslContextGetter, final Callback callback) {
+          final SslContextGetter sslContextGetter, final Callback callback) {
     checkNotNull(sslContextGetter, "sslContextGetter");
     checkNotNull(callback, "callback");
     callback.executor.execute(