Save changes.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java

@@ -44,6 +44,7 @@ public abstract class DynamicSslContextProvider extends SslContextProvider {
   @Nullable protected final CertificateValidationContext staticCertificateValidationContext;
   @Nullable protected AbstractMap.SimpleImmutableEntry<SslContext, X509TrustManager>
       sslContextAndTrustManager;
+  private boolean autoSniSanValidationDoesNotApply;
 
   protected DynamicSslContextProvider(
       BaseTlsContext tlsContext, CertificateValidationContext staticCertValidationContext) {
@@ -59,6 +60,10 @@ protected DynamicSslContextProvider(
 
   protected abstract CertificateValidationContext generateCertificateValidationContext();
 
+  public void setAutoSniSanValidationDoesNotApply() {
+    autoSniSanValidationDoesNotApply = true;
+  }
+
   /** Gets a server or client side SslContextBuilder. */
   protected abstract AbstractMap.SimpleImmutableEntry<SslContextBuilder, X509TrustManager>
       getSslContextBuilderAndTrustManager(

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -260,8 +260,8 @@ public void updateSslContextAndExtendedX509TrustManager(
             public void onException(Throwable throwable) {
               ctx.fireExceptionCaught(throwable);
             }
-          }
-      );
+          },
+          false);
     }
 
     @Override
@@ -399,8 +399,8 @@ public void updateSslContextAndExtendedX509TrustManager(
             public void onException(Throwable throwable) {
               ctx.fireExceptionCaught(throwable);
             }
-          }
-      );
+          },
+          false);
     }
   }
 }

xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java

@@ -55,12 +55,15 @@ public BaseTlsContext getTlsContext() {
 
   /** Updates SslContext via the passed callback. */
   public synchronized void updateSslContext(
-      final SslContextProvider.Callback callback) {
+      final SslContextProvider.Callback callback, boolean autoSniSanValidationDoesNotApply) {
     checkNotNull(callback, "callback");
     try {
       if (!shutdown) {
         if (sslContextProvider == null) {
           sslContextProvider = getSslContextProvider();
+          if (tlsContext instanceof UpstreamTlsContext && autoSniSanValidationDoesNotApply) {
+            ((DynamicSslContextProvider) sslContextProvider).setAutoSniSanValidationDoesNotApply();
+          }
         }
       }
       // we want to increment the ref-count so call findOrCreate again...

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java

@@ -64,13 +64,15 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
         new XdsTrustManagerFactory(
             savedSpiffeTrustMap,
             certificateValidationContext,
-            ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
+            autoSniSanValidationDoesNotApply
+                ? false : ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
     } else if (savedTrustedRoots != null) {
       sslContextBuilder = sslContextBuilder.trustManager(
           new XdsTrustManagerFactory(
               savedTrustedRoots.toArray(new X509Certificate[0]),
               certificateValidationContext,
-              ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
+              autoSniSanValidationDoesNotApply
+                  ? false : ((UpstreamTlsContext) tlsContext).getAutoSniSanValidation()));
     } else {
       // Should be impossible because of the check in CertProviderClientSslContextProviderFactory
       throw new IllegalStateException("There must be trusted roots or a SPIFFE trust map");

xds/src/test/java/io/grpc/xds/XdsClientWrapperForServerSdsTestMisc.java

@@ -301,7 +301,7 @@ public void releaseOldSupplierOnTemporaryError_noClose() throws Exception {
   private void callUpdateSslContext(SslContextProviderSupplier sslContextProviderSupplier) {
     assertThat(sslContextProviderSupplier).isNotNull();
     SslContextProvider.Callback callback = mock(SslContextProvider.Callback.class);
-    sslContextProviderSupplier.updateSslContext(callback);
+    sslContextProviderSupplier.updateSslContext(callback, false);
   }
 
   private void sendListenerUpdate(

xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java

@@ -215,7 +215,7 @@ public void updateSslContextAndExtendedX509TrustManager(
           protected void onException(Throwable throwable) {
             future.set(throwable);
           }
-        });
+        }, false);
     assertThat(executor.runDueTasks()).isEqualTo(1);
     channel.runPendingTasks();
     Object fromFuture = future.get(2, TimeUnit.SECONDS);
@@ -401,7 +401,7 @@ public void updateSslContextAndExtendedX509TrustManager(
           protected void onException(Throwable throwable) {
             future.set(throwable);
           }
-        });
+        }, false);
     channel.runPendingTasks(); // need this for tasks to execute on eventLoop
     assertThat(executor.runDueTasks()).isEqualTo(1);
     Object fromFuture = future.get(2, TimeUnit.SECONDS);
@@ -540,7 +540,7 @@ public void updateSslContextAndExtendedX509TrustManager(
             protected void onException(Throwable throwable) {
               future.set(throwable);
             }
-          });
+          }, false);
       executor.runDueTasks();
       channel.runPendingTasks(); // need this for tasks to execute on eventLoop
       Object fromFuture = future.get(5, TimeUnit.SECONDS);

xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java

@@ -69,7 +69,7 @@ private void prepareSupplier() {
   private void callUpdateSslContext() {
     mockCallback = mock(SslContextProvider.Callback.class);
     doReturn(mockExecutor).when(mockCallback).getExecutor();
-    supplier.updateSslContext(mockCallback);
+    supplier.updateSslContext(mockCallback, false);
   }
 
   @Test
@@ -94,7 +94,7 @@ public void get_updateSecret() {
     verify(mockTlsContextManager, times(1))
         .releaseClientSslContextProvider(eq(mockSslContextProvider));
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    supplier.updateSslContext(mockCallback);
+    supplier.updateSslContext(mockCallback, false);
     verify(mockTlsContextManager, times(3))
         .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
   }
@@ -121,7 +121,7 @@ public void autoHostSniFalse_usesSniFromUpstreamTlsContext() {
     verify(mockTlsContextManager, times(1))
         .releaseClientSslContextProvider(eq(mockSslContextProvider));
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    supplier.updateSslContext(mockCallback);
+    supplier.updateSslContext(mockCallback, false);
     verify(mockTlsContextManager, times(3))
         .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
   }
@@ -178,7 +178,7 @@ public void systemRootCertsWithMtls_callbackExecutedFromProvider() {
     verify(mockTlsContextManager, times(1))
         .releaseClientSslContextProvider(eq(mockSslContextProvider));
     SslContextProvider.Callback mockCallback = mock(SslContextProvider.Callback.class);
-    supplier.updateSslContext(mockCallback);
+    supplier.updateSslContext(mockCallback, false);
     verify(mockTlsContextManager, times(3))
         .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
   }
@@ -190,7 +190,7 @@ public void testClose() {
     supplier.close();
     verify(mockTlsContextManager, times(1))
         .releaseClientSslContextProvider(eq(mockSslContextProvider));
-    supplier.updateSslContext(mockCallback);
+    supplier.updateSslContext(mockCallback, false);
     verify(mockTlsContextManager, times(3))
         .findOrCreateClientSslContextProvider(eq(upstreamTlsContext));
     verify(mockTlsContextManager, times(1))