Unit tests and using HostnameVerifier in per-rpc.

Author: kannanjgithub

okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java

@@ -16,14 +16,38 @@
 
 package io.grpc.okhttp;
 
+import static com.google.common.base.Preconditions.checkNotNull;
+import static io.grpc.internal.CertificateUtils.createTrustManager;
+import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
+import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
+
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
-import io.grpc.*;
-import io.grpc.internal.*;
+import io.grpc.CallCredentials;
+import io.grpc.ChannelCredentials;
+import io.grpc.ChannelLogger;
+import io.grpc.ChoiceChannelCredentials;
+import io.grpc.CompositeCallCredentials;
+import io.grpc.CompositeChannelCredentials;
+import io.grpc.ExperimentalApi;
+import io.grpc.ForwardingChannelBuilder2;
+import io.grpc.InsecureChannelCredentials;
+import io.grpc.Internal;
+import io.grpc.ManagedChannelBuilder;
+import io.grpc.TlsChannelCredentials;
+import io.grpc.internal.AtomicBackoff;
+import io.grpc.internal.ClientTransportFactory;
+import io.grpc.internal.ConnectionClientTransport;
+import io.grpc.internal.FixedObjectPool;
+import io.grpc.internal.GrpcUtil;
+import io.grpc.internal.KeepAliveManager;
+import io.grpc.internal.ManagedChannelImplBuilder;
 import io.grpc.internal.ManagedChannelImplBuilder.ChannelBuilderDefaultPortProvider;
 import io.grpc.internal.ManagedChannelImplBuilder.ClientTransportFactoryBuilder;
+import io.grpc.internal.ObjectPool;
 import io.grpc.internal.SharedResourceHolder.Resource;
-import io.grpc.internal.TransportTracer.Factory;
+import io.grpc.internal.SharedResourcePool;
+import io.grpc.internal.TransportTracer;
 import io.grpc.okhttp.internal.CipherSuite;
 import io.grpc.okhttp.internal.ConnectionSpec;
 import io.grpc.okhttp.internal.Platform;
@@ -42,18 +66,22 @@
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.Set;
-import java.util.concurrent.*;
+import java.util.concurrent.Executor;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.CheckReturnValue;
 import javax.annotation.Nullable;
 import javax.net.SocketFactory;
-import javax.net.ssl.*;
-
-import static com.google.common.base.Preconditions.checkNotNull;
-import static io.grpc.internal.CertificateUtils.createTrustManager;
-import static io.grpc.internal.GrpcUtil.DEFAULT_KEEPALIVE_TIMEOUT_NANOS;
-import static io.grpc.internal.GrpcUtil.KEEPALIVE_TIME_NANOS_DISABLED;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
 
 /** Convenience class for building channels with the OkHttp transport. */
 @ExperimentalApi("https://github.com/grpc/grpc-java/issues/1785")
@@ -762,7 +790,7 @@ private OkHttpTransportFactory(
         int flowControlWindow,
         boolean keepAliveWithoutCalls,
         int maxInboundMetadataSize,
-        Factory transportTracerFactory,
+        TransportTracer.Factory transportTracerFactory,
         boolean useGetForSafeMethods,
         ChannelCredentials channelCredentials) {
       this.executorPool = executorPool;

okhttp/src/main/java/io/grpc/okhttp/OkHttpClientTransport.java

@@ -84,7 +84,19 @@
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.util.*;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Deque;
+import java.util.EnumMap;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Random;
 import java.util.concurrent.BrokenBarrierException;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.CyclicBarrier;
@@ -421,48 +433,47 @@ public ClientStream newStream(
     Preconditions.checkNotNull(headers, "headers");
     StatsTraceContext statsTraceContext =
         StatsTraceContext.newClientContext(tracers, getAttributes(), headers);
+    if (hostnameVerifier != null && socket instanceof SSLSocket
+            && !hostnameVerifier.verify(callOptions.getAuthority(),
+                    ((SSLSocket) socket).getSession())) {
+      return new FailingClientStream(Status.UNAVAILABLE.withDescription(
+              String.format("HostNameVerifier verification failed for authority '%s'",
+                      callOptions.getAuthority())), tracers);
+    }
     if (socket instanceof SSLSocket && callOptions.getAuthority() != null
         && channelCredentials != null && channelCredentials instanceof TlsChannelCredentials) {
       Status peerVerificationStatus;
       if (peerVerificationResults.containsKey(callOptions.getAuthority())) {
         peerVerificationStatus = peerVerificationResults.get(callOptions.getAuthority());
       } else {
-        if (hostnameVerifier != null &&
-                !hostnameVerifier.verify(callOptions.getAuthority(),
-                        ((SSLSocket) socket).getSession())) {
-          peerVerificationStatus = Status.UNAVAILABLE.withDescription(
-                  String.format("HostNameVerifier verification failed for authority '%s'.",
-                          callOptions.getAuthority()));
-        } else {
-          Optional<TrustManager> x509ExtendedTrustManager;
-          try {
-            x509ExtendedTrustManager = getX509ExtendedTrustManager(
-                    (TlsChannelCredentials) channelCredentials);
-          } catch (GeneralSecurityException e) {
-            return new FailingClientStream(Status.UNAVAILABLE.withDescription(
-                    "Failure getting X509ExtendedTrustManager from TlsCredentials").withCause(e),
-                    tracers);
-          }
-          if (!x509ExtendedTrustManager.isPresent()) {
-            return new FailingClientStream(Status.UNAVAILABLE.withDescription(
-                    "Can't allow authority override in rpc when X509ExtendedTrustManager is not "
-                            + "available"), tracers);
-          }
-          try {
-            Certificate[] peerCertificates = sslSession.getPeerCertificates();
-            X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
-            for (int i = 0; i < peerCertificates.length; i++) {
-              x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
-            }
-            ((X509ExtendedTrustManager) x509ExtendedTrustManager.get()).checkServerTrusted(
-                    x509PeerCertificates, "RSA",
-                    new SslSocketWrapper((SSLSocket) socket, callOptions.getAuthority()));
-            peerVerificationStatus = Status.OK;
-          } catch (SSLPeerUnverifiedException | CertificateException e) {
-            peerVerificationStatus = Status.INTERNAL.withDescription(
-                    String.format("Failure in verifying authority '%s' against peer",
-                            callOptions.getAuthority())).withCause(e);
+        Optional<TrustManager> x509ExtendedTrustManager;
+        try {
+          x509ExtendedTrustManager = getX509ExtendedTrustManager(
+                  (TlsChannelCredentials) channelCredentials);
+        } catch (GeneralSecurityException e) {
+          return new FailingClientStream(Status.UNAVAILABLE.withDescription(
+                  "Failure getting X509ExtendedTrustManager from TlsCredentials").withCause(e),
+                  tracers);
+        }
+        if (!x509ExtendedTrustManager.isPresent()) {
+          return new FailingClientStream(Status.UNAVAILABLE.withDescription(
+                  "Can't allow authority override in rpc when X509ExtendedTrustManager is not "
+                          + "available"), tracers);
+        }
+        try {
+          Certificate[] peerCertificates = sslSession.getPeerCertificates();
+          X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
+          for (int i = 0; i < peerCertificates.length; i++) {
+            x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
           }
+          ((X509ExtendedTrustManager) x509ExtendedTrustManager.get()).checkServerTrusted(
+                  x509PeerCertificates, "RSA",
+                  new SslSocketWrapper((SSLSocket) socket, callOptions.getAuthority()));
+          peerVerificationStatus = Status.OK;
+        } catch (SSLPeerUnverifiedException | CertificateException e) {
+          peerVerificationStatus = Status.UNAVAILABLE.withDescription(
+                  String.format("Failure in verifying authority '%s' against peer",
+                          callOptions.getAuthority())).withCause(e);
         }
         peerVerificationResults.put(callOptions.getAuthority(), peerVerificationStatus);
       }
@@ -493,7 +504,8 @@ public ClientStream newStream(
   private Optional<TrustManager> getX509ExtendedTrustManager(TlsChannelCredentials tlsCreds)
       throws GeneralSecurityException {
     TrustManager[] tm = null;
-    // Using the same way of creating TrustManager from {@link OkHttpChannelBuilder#sslSocketFactoryFrom}.
+    // Using the same way of creating TrustManager from
+    // {@link OkHttpChannelBuilder#sslSocketFactoryFrom}.
     if (tlsCreds.getTrustManagers() != null) {
       tm = tlsCreds.getTrustManagers().toArray(new TrustManager[0]);
     } else if (tlsCreds.getRootCertificates() != null) {
@@ -504,7 +516,9 @@ private Optional<TrustManager> getX509ExtendedTrustManager(TlsChannelCredentials
       tmf.init((KeyStore) null);
       tm = tmf.getTrustManagers();
     }
-    return Arrays.stream(tm).filter(trustManager -> trustManager instanceof X509ExtendedTrustManager).findFirst();
+    return Arrays.stream(tm).filter(
+            trustManager -> trustManager instanceof X509ExtendedTrustManager)
+            .findFirst();
   }
 
   @GuardedBy("lock")
@@ -1690,6 +1704,7 @@ public String getPeerHost() {
     }
 
     @SuppressWarnings("deprecation")
+    @Override
     public javax.security.cert.X509Certificate[] getPeerCertificateChain() {
       throw new UnsupportedOperationException("This method is deprecated and marked for removal. "
           + "Use the getPeerCertificates() method instead.");