Save changes.

kannanjgithub · kannanjgithub · commit a3710655684d · 2025-09-01T11:26:18.000Z
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java
@@ -54,20 +54,10 @@ protected Callback(Executor executor) {
       this.hostname = null;
     }
 
-    // Only for client SslContextProvider.
-    protected Callback(Executor executor, String hostname) {
-      this.executor = executor;
-      this.hostname = hostname;
-    }
-
     @VisibleForTesting public Executor getExecutor() {
       return executor;
     }
 
-    protected String getHostname() {
-      return hostname;
-    }
-
     /** Informs callee of new/updated SslContext. */
     @VisibleForTesting public abstract void updateSslContext(SslContext sslContext);
 
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java b/xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java
@@ -60,6 +60,12 @@ public BaseTlsContext getTlsContext() {
   public synchronized void updateSslContext(final SslContextProvider.Callback callback, String sni) {
     checkNotNull(callback, "callback");
     try {
+      if (!shutdown) {
+        if (sslContextProvider == null) {
+          sslContextProvider = getSslContextProvider(sni);
+        }
+      }
+
       // we want to increment the ref-count so call findOrCreate again...
       final SslContextProvider toRelease = getSslContextProvider(sni);
       toRelease.addCallback(
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java b/xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java
@@ -25,7 +25,6 @@
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
 
 import io.grpc.xds.EnvoyServerProtoData;
 import io.grpc.xds.TlsContextManager;
@@ -47,41 +46,39 @@
 public class SslContextProviderSupplierTest {
   @Rule public final MockitoRule mocks = MockitoJUnit.rule();
 
-  private static final String ENDPOINT_HOSTNAME_FROM_ATTR = "endpoint-hostname-from-attribute";
-  private static final String SNI_IN_UTC = "sni-in-upstream-tls-context";
+  private static final String SNI = "sni";
 
   @Mock private TlsContextManager mockTlsContextManager;
   private SslContextProviderSupplier supplier;
   private SslContextProvider mockSslContextProvider;
   private EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext;
   private SslContextProvider.Callback mockCallback;
 
-  private void prepareSupplier(boolean autoHostSni, String sniInUTC, String sniSentByClient) {
+  private void prepareSupplier() {
     upstreamTlsContext = CommonTlsContextTestsUtil.buildUpstreamTlsContext(
-            "google_cloud_private_spiffe", true, sniInUTC, autoHostSni);
+            "google_cloud_private_spiffe", true, SNI, false);
     mockSslContextProvider = mock(SslContextProvider.class);
     doReturn(mockSslContextProvider)
             .when(mockTlsContextManager)
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(sniSentByClient));
+            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
     supplier = new SslContextProviderSupplier(upstreamTlsContext, mockTlsContextManager);
   }
 
-  private void callUpdateSslContext(String endpointHostname) {
+  private void callUpdateSslContext() {
     mockCallback = mock(SslContextProvider.Callback.class);
-    when(mockCallback.getHostname()).thenReturn(endpointHostname);
     Executor mockExecutor = mock(Executor.class);
     doReturn(mockExecutor).when(mockCallback).getExecutor();
-    supplier.updateSslContext(mockCallback, null);
+    supplier.updateSslContext(mockCallback, SNI);
   }
 
   @Test
   public void get_updateSecret() {
-    prepareSupplier(false, null, "");
-    callUpdateSslContext(ENDPOINT_HOSTNAME_FROM_ATTR);
+    prepareSupplier();
+    callUpdateSslContext();
     verify(mockTlsContextManager, times(2))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(""));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
     verify(mockTlsContextManager, times(0))
-        .releaseClientSslContextProvider(any(SslContextProvider.class), eq(""));
+        .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI));
     ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
         ArgumentCaptor.forClass(SslContextProvider.Callback.class);
     verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
@@ -91,21 +88,21 @@ public void get_updateSecret() {
     capturedCallback.updateSslContext(mockSslContext);
     verify(mockCallback, times(1)).updateSslContext(eq(mockSslContext));
     verify(mockTlsContextManager, times(1))
-        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(""));
+        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI));
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    supplier.updateSslContext(mockCallback, null);
+    supplier.updateSslContext(mockCallback, SNI);
     verify(mockTlsContextManager, times(3))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(""));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
   }
 
   @Test
   public void autoHostSniFalse_usesSniFromUpstreamTlsContext() {
-    prepareSupplier(false, SNI_IN_UTC, SNI_IN_UTC);
-    callUpdateSslContext(ENDPOINT_HOSTNAME_FROM_ATTR);
+    prepareSupplier();
+    callUpdateSslContext();
     verify(mockTlsContextManager, times(2))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI_IN_UTC));
+            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
     verify(mockTlsContextManager, times(0))
-            .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI_IN_UTC));
+            .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI));
     ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
             ArgumentCaptor.forClass(SslContextProvider.Callback.class);
     verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
@@ -115,92 +112,17 @@ public void autoHostSniFalse_usesSniFromUpstreamTlsContext() {
     capturedCallback.updateSslContext(mockSslContext);
     verify(mockCallback, times(1)).updateSslContext(eq(mockSslContext));
     verify(mockTlsContextManager, times(1))
-            .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI_IN_UTC));
+            .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI));
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    supplier.updateSslContext(mockCallback, null);
+    supplier.updateSslContext(mockCallback, SNI);
     verify(mockTlsContextManager, times(3))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI_IN_UTC));
-  }
-
-  @Test
-  public void autoHostSniTrue_usesSniFromEndpointHostname() {
-    prepareSupplier(true, SNI_IN_UTC, ENDPOINT_HOSTNAME_FROM_ATTR);
-    callUpdateSslContext(ENDPOINT_HOSTNAME_FROM_ATTR);
-    verify(mockTlsContextManager, times(2))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(ENDPOINT_HOSTNAME_FROM_ATTR));
-    verify(mockTlsContextManager, times(0))
-            .releaseClientSslContextProvider(any(SslContextProvider.class), eq(ENDPOINT_HOSTNAME_FROM_ATTR));
-    ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
-            ArgumentCaptor.forClass(SslContextProvider.Callback.class);
-    verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
-    SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
-    assertThat(capturedCallback).isNotNull();
-    SslContext mockSslContext = mock(SslContext.class);
-    capturedCallback.updateSslContext(mockSslContext);
-    verify(mockCallback, times(1)).updateSslContext(eq(mockSslContext));
-    verify(mockTlsContextManager, times(1))
-            .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(ENDPOINT_HOSTNAME_FROM_ATTR));
-    SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    when(mockCallback.getHostname()).thenReturn(ENDPOINT_HOSTNAME_FROM_ATTR);
-    supplier.updateSslContext(mockCallback, null);
-    verify(mockTlsContextManager, times(3))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(ENDPOINT_HOSTNAME_FROM_ATTR));
-  }
-
-  @Test
-  public void autoHostSniTrue_endpointHostNameIsNull_usesSniFromUpstreamTlsContext() {
-    prepareSupplier(true, SNI_IN_UTC, SNI_IN_UTC);
-    callUpdateSslContext(null);
-    verify(mockTlsContextManager, times(2))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI_IN_UTC));
-    verify(mockTlsContextManager, times(0))
-            .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI_IN_UTC));
-    ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
-            ArgumentCaptor.forClass(SslContextProvider.Callback.class);
-    verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
-    SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
-    assertThat(capturedCallback).isNotNull();
-    SslContext mockSslContext = mock(SslContext.class);
-    capturedCallback.updateSslContext(mockSslContext);
-    verify(mockCallback, times(1)).updateSslContext(eq(mockSslContext));
-    verify(mockTlsContextManager, times(1))
-            .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI_IN_UTC));
-    SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    when(mockCallback.getHostname()).thenReturn(null);
-    supplier.updateSslContext(mockCallback, null);
-    verify(mockTlsContextManager, times(3))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI_IN_UTC));
-  }
-
-  @Test
-  public void autoHostSniTrue_endpointHostNameIsEmpty_usesSniFromUpstreamTlsContext() {
-    prepareSupplier(true, SNI_IN_UTC, SNI_IN_UTC);
-    callUpdateSslContext("");
-    verify(mockTlsContextManager, times(2))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI_IN_UTC));
-    verify(mockTlsContextManager, times(0))
-            .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI_IN_UTC));
-    ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
-            ArgumentCaptor.forClass(SslContextProvider.Callback.class);
-    verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
-    SslContextProvider.Callback capturedCallback = callbackCaptor.getValue();
-    assertThat(capturedCallback).isNotNull();
-    SslContext mockSslContext = mock(SslContext.class);
-    capturedCallback.updateSslContext(mockSslContext);
-    verify(mockCallback, times(1)).updateSslContext(eq(mockSslContext));
-    verify(mockTlsContextManager, times(1))
-            .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI_IN_UTC));
-    SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    when(mockCallback.getHostname()).thenReturn("");
-    supplier.updateSslContext(mockCallback, null);
-    verify(mockTlsContextManager, times(3))
-            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI_IN_UTC));
+            .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
   }
 
   @Test
   public void get_onException() {
-    prepareSupplier(false, null, "");
-    callUpdateSslContext(ENDPOINT_HOSTNAME_FROM_ATTR);
+    prepareSupplier();
+    callUpdateSslContext();
     ArgumentCaptor<SslContextProvider.Callback> callbackCaptor =
         ArgumentCaptor.forClass(SslContextProvider.Callback.class);
     verify(mockSslContextProvider, times(1)).addCallback(callbackCaptor.capture());
@@ -210,33 +132,33 @@ public void get_onException() {
     capturedCallback.onException(exception);
     verify(mockCallback, times(1)).onException(eq(exception));
     verify(mockTlsContextManager, times(1))
-        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(""));
+        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI));
   }
 
   @Test
   public void testClose() {
-    prepareSupplier(false, null, "");
-    callUpdateSslContext(ENDPOINT_HOSTNAME_FROM_ATTR);
+    prepareSupplier();
+    callUpdateSslContext();
     supplier.close();
     verify(mockTlsContextManager, times(1))
-        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(""));
-    supplier.updateSslContext(mockCallback, null);
+        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI));
+    supplier.updateSslContext(mockCallback, SNI);
     verify(mockTlsContextManager, times(3))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(""));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
     verify(mockTlsContextManager, times(1))
-        .releaseClientSslContextProvider(any(SslContextProvider.class), eq(""));
+        .releaseClientSslContextProvider(any(SslContextProvider.class), eq(SNI));
   }
 
   @Test
   public void testClose_nullSslContextProvider() {
-    prepareSupplier(false, null, "");
+    prepareSupplier();
     doThrow(new NullPointerException()).when(mockTlsContextManager)
-        .releaseClientSslContextProvider(null, "");
+        .releaseClientSslContextProvider(null, SNI);
     supplier.close();
     verify(mockTlsContextManager, never())
-        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(""));
-    callUpdateSslContext(ENDPOINT_HOSTNAME_FROM_ATTR);
+        .releaseClientSslContextProvider(eq(mockSslContextProvider), eq(SNI));
+    callUpdateSslContext();
     verify(mockTlsContextManager, times(1))
-        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(""));
+        .findOrCreateClientSslContextProvider(eq(upstreamTlsContext), eq(SNI));
   }
 }
