save changed

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java

@@ -241,9 +241,9 @@ public Subchannel createSubchannel(CreateSubchannelArgs args) {
           .set(ATTR_CLUSTER_LOCALITY, localityAtomicReference);
       if (GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)) {
         String hostname = args.getAddresses().get(0).getAttributes()
-            .get(XdsAttributes.ATTR_ADDRESS_NAME);
+            .get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME);
         if (hostname != null) {
-          attrsBuilder.set(XdsAttributes.ATTR_ADDRESS_NAME, hostname);
+          attrsBuilder.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, hostname);
         }
       }
       args = args.toBuilder().setAddresses(addresses).setAttributes(attrsBuilder.build()).build();
@@ -438,7 +438,7 @@ public PickResult pickSubchannel(PickSubchannelArgs args) {
             result = PickResult.withSubchannel(result.getSubchannel(),
                 result.getStreamTracerFactory(),
                 result.getSubchannel().getAttributes().get(
-                    XdsAttributes.ATTR_ADDRESS_NAME));
+                    SecurityProtocolNegotiators.ATTR_ADDRESS_NAME));
           }
         }
         return result;

xds/src/main/java/io/grpc/xds/ClusterResolverLoadBalancer.java

@@ -61,6 +61,7 @@
 import io.grpc.xds.client.XdsClient.ResourceWatcher;
 import io.grpc.xds.client.XdsLogger;
 import io.grpc.xds.client.XdsLogger.XdsLogLevel;
+import io.grpc.xds.internal.security.SecurityProtocolNegotiators;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.net.URI;
@@ -432,7 +433,7 @@ public void run() {
                           .set(XdsAttributes.ATTR_LOCALITY_WEIGHT,
                               localityLbInfo.localityWeight())
                           .set(XdsAttributes.ATTR_SERVER_WEIGHT, weight)
-                          .set(XdsAttributes.ATTR_ADDRESS_NAME, endpoint.hostname())
+                          .set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, endpoint.hostname())
                           .build();
 
                   EquivalentAddressGroup eag;
@@ -680,7 +681,7 @@ public Status onResult2(final ResolutionResult resolutionResult) {
               Attributes attr = eag.getAttributes().toBuilder()
                       .set(XdsAttributes.ATTR_LOCALITY, LOGICAL_DNS_CLUSTER_LOCALITY)
                       .set(XdsAttributes.ATTR_LOCALITY_NAME, localityName)
-                      .set(XdsAttributes.ATTR_ADDRESS_NAME, dnsHostName)
+                      .set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, dnsHostName)
                       .build();
               eag = new EquivalentAddressGroup(eag.getAddresses(), attr);
               eag = AddressFilter.setPathFilter(eag, Arrays.asList(priorityName, localityName));

xds/src/main/java/io/grpc/xds/XdsAttributes.java

@@ -95,11 +95,6 @@ final class XdsAttributes {
   static final Attributes.Key<Long> ATTR_SERVER_WEIGHT =
       Attributes.Key.create("io.grpc.xds.XdsAttributes.serverWeight");
 
-  /** Name associated with individual address, if available (e.g., DNS name). */
-  @EquivalentAddressGroup.Attr
-  static final Attributes.Key<String> ATTR_ADDRESS_NAME =
-      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
-
   /**
    * Filter chain match for network filters.
    */

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -20,6 +20,7 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import io.grpc.Attributes;
+import io.grpc.EquivalentAddressGroup;
 import io.grpc.Grpc;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.ObjectPool;
@@ -50,6 +51,11 @@
 @VisibleForTesting
 public final class SecurityProtocolNegotiators {
 
+  /** Name associated with individual address, if available (e.g., DNS name). */
+  @EquivalentAddressGroup.Attr
+  public static final Attributes.Key<String> ATTR_ADDRESS_NAME =
+      Attributes.Key.create("io.grpc.xds.XdsAttributes.addressName");
+
   // Prevent instantiation.
   private SecurityProtocolNegotiators() {
   }
@@ -142,7 +148,8 @@ public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
             fallbackProtocolNegotiator, "No TLS config and no fallbackProtocolNegotiator!");
         return fallbackProtocolNegotiator.newHandler(grpcHandler);
       }
-      return new ClientSecurityHandler(grpcHandler, localSslContextProviderSupplier);
+      return new ClientSecurityHandler(grpcHandler, localSslContextProviderSupplier,
+          grpcHandler.getEagAttributes().get(ATTR_ADDRESS_NAME));
     }
 
     @Override
@@ -185,10 +192,12 @@ static final class ClientSecurityHandler
       extends InternalProtocolNegotiators.ProtocolNegotiationHandler {
     private final GrpcHttp2ConnectionHandler grpcHandler;
     private final SslContextProviderSupplier sslContextProviderSupplier;
+    private final String hostname;
 
     ClientSecurityHandler(
         GrpcHttp2ConnectionHandler grpcHandler,
-        SslContextProviderSupplier sslContextProviderSupplier) {
+        SslContextProviderSupplier sslContextProviderSupplier,
+        String hostname) {
       super(
           // superclass (InternalProtocolNegotiators.ProtocolNegotiationHandler) expects 'next'
           // handler but we don't have a next handler _yet_. So we "disable" superclass's behavior
@@ -202,6 +211,7 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
       checkNotNull(grpcHandler, "grpcHandler");
       this.grpcHandler = grpcHandler;
       this.sslContextProviderSupplier = sslContextProviderSupplier;
+      this.hostname = hostname;
     }
 
     @Override
@@ -210,7 +220,7 @@ protected void handlerAdded0(final ChannelHandlerContext ctx) {
       ctx.pipeline().addBefore(ctx.name(), null, bufferReads);
 
       sslContextProviderSupplier.updateSslContext(
-          new SslContextProvider.Callback(ctx.executor()) {
+          new SslContextProvider.Callback(ctx.executor(), hostname) {
 
             @Override
             public void updateSslContext(SslContext sslContext, String sni) {

xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java

@@ -48,19 +48,16 @@ public abstract class SslContextProvider implements Closeable {
   @VisibleForTesting public abstract static class Callback {
     private final Executor executor;
     private final String hostname;
-    private final boolean isClientSide;
 
     protected Callback(Executor executor) {
       this.executor = executor;
       this.hostname = null;
-      this.isClientSide = false;
     }
 
     // Only for client SslContextProvider.
     protected Callback(Executor executor, String hostname) {
       this.executor = executor;
       this.hostname = hostname;
-      this.isClientSide = true;
     }
 
     @VisibleForTesting public Executor getExecutor() {
@@ -71,10 +68,6 @@ protected String getHostname() {
       return hostname;
     }
 
-    public boolean isClientSide() {
-      return isClientSide;
-    }
-
     /** Informs callee of new/updated SslContext. */
     @VisibleForTesting public abstract void updateSslContext(SslContext sslContext, String sni);
 

xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java

@@ -62,7 +62,7 @@ public synchronized void updateSslContext(final SslContextProvider.Callback call
     checkNotNull(callback, "callback");
     try {
       String sni;
-      if (callback.isClientSide()) {
+      if (tlsContext instanceof UpstreamTlsContext) {
         UpstreamTlsContext upstreamTlsContext = ((UpstreamTlsContext) tlsContext);
         sni = upstreamTlsContext.getAutoHostSni() ? callback.getHostname() : upstreamTlsContext.getSni();
       } else {
@@ -75,33 +75,21 @@ public synchronized void updateSslContext(final SslContextProvider.Callback call
       }
       // we want to increment the ref-count so call findOrCreate again...
       final SslContextProvider toRelease = getSslContextProvider(sni);
-      if (toRelease instanceof CertProviderClientSslContextProvider
-          && ((CertProviderClientSslContextProvider) toRelease).isUsingSystemRootCerts()) {
-        callback.getExecutor().execute(() -> {
-          try {
-            callback.updateSslContext(GrpcSslContexts.forClient().build(), sni);
-            releaseSslContextProvider(toRelease, sni);
-          } catch (SSLException e) {
-            callback.onException(e);
-          }
-        });
-      } else {
-        toRelease.addCallback(
-            new SslContextProvider.Callback(callback.getExecutor()) {
-
-              @Override
-              public void updateSslContext(SslContext sslContext, String sni) {
-                callback.updateSslContext(sslContext, sni);
-                releaseSslContextProvider(toRelease, sni);
-              }
-
-              @Override
-              public void onException(Throwable throwable) {
-                callback.onException(throwable);
-                releaseSslContextProvider(toRelease, sni);
-              }
-            });
-      };
+      toRelease.addCallback(
+          new SslContextProvider.Callback(callback.getExecutor()) {
+
+            @Override
+            public void updateSslContext(SslContext sslContext, String sni) {
+              callback.updateSslContext(sslContext, sni);
+              releaseSslContextProvider(toRelease, sni);
+            }
+
+            @Override
+            public void onException(Throwable throwable) {
+              callback.onException(throwable);
+              releaseSslContextProvider(toRelease, sni);
+            }
+          });
     } catch (final Throwable throwable) {
       callback.getExecutor().execute(new Runnable() {
         @Override

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -21,6 +21,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Optional;
 import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.re2j.Pattern;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
@@ -60,21 +61,34 @@ final class XdsX509TrustManager extends X509ExtendedTrustManager implements X509
   private final X509ExtendedTrustManager delegate;
   private final Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates;
   private final CertificateValidationContext certContext;
+  private final String sni;
 
   XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
                       X509ExtendedTrustManager delegate) {
+    this(certContext, delegate, null);
+  }
+
+  XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
+                      X509ExtendedTrustManager delegate, @Nullable String sni) {
     checkNotNull(delegate, "delegate");
     this.certContext = certContext;
     this.delegate = delegate;
     this.spiffeTrustMapDelegates = null;
+    this.sni = sni;
+  }
+
+  XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
+                      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates) {
+    this(certContext, spiffeTrustMapDelegates, null);
   }
 
   XdsX509TrustManager(@Nullable CertificateValidationContext certContext,
-      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates) {
+                      Map<String, X509ExtendedTrustManager> spiffeTrustMapDelegates, @Nullable String sni) {
     checkNotNull(spiffeTrustMapDelegates, "spiffeTrustMapDelegates");
     this.spiffeTrustMapDelegates = ImmutableMap.copyOf(spiffeTrustMapDelegates);
     this.certContext = certContext;
     this.delegate = null;
+    this.sni = sni;
   }
 
   private static boolean verifyDnsNameInPattern(
@@ -208,7 +222,7 @@ void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws Certifi
       return;
     }
     @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
-    List<StringMatcher> verifyList = certContext.getMatchSubjectAltNamesList();
+    List<StringMatcher> verifyList = sni != null? ImmutableList.of(StringMatcher.newBuilder().setExact(sni).build()) : certContext.getMatchSubjectAltNamesList();
     if (verifyList.isEmpty()) {
       return;
     }

xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java

@@ -811,10 +811,10 @@ public void endpointAddressesAttachedWithClusterName() {
               new FixedResultPicker(PickResult.withSubchannel(subchannel)));
         }
       });
-      assertThat(subchannel.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME)).isEqualTo(
+      assertThat(subchannel.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME)).isEqualTo(
           "authority-host-name");
       for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
-        assertThat(eag.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME))
+        assertThat(eag.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME))
             .isEqualTo("authority-host-name");
       }
 
@@ -863,9 +863,9 @@ public void endpointAddressesAttachedWithClusterName() {
       }
     });
     // Sub Channel wrapper args won't have the address name although addresses will.
-    assertThat(subchannel.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME)).isNull();
+    assertThat(subchannel.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME)).isNull();
     for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
-      assertThat(eag.getAttributes().get(XdsAttributes.ATTR_ADDRESS_NAME))
+      assertThat(eag.getAttributes().get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME))
           .isEqualTo("authority-host-name");
     }
 
@@ -1019,7 +1019,7 @@ public String toString() {
         // Unique but arbitrary string
         .set(XdsAttributes.ATTR_LOCALITY_NAME, locality.toString());
     if (authorityHostname != null) {
-      attributes.set(XdsAttributes.ATTR_ADDRESS_NAME, authorityHostname);
+      attributes.set(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME, authorityHostname);
     }
     EquivalentAddressGroup eag = new EquivalentAddressGroup(new FakeSocketAddress(name),
         attributes.build());

xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java

@@ -84,6 +84,7 @@
 import io.grpc.xds.client.XdsClient;
 import io.grpc.xds.client.XdsResourceType;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil;
+import io.grpc.xds.internal.security.SecurityProtocolNegotiators;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.net.URI;
@@ -378,7 +379,7 @@ public void edsClustersEndpointHostname_addedToAddressAttribute() {
 
     assertThat(
         childBalancer.addresses.get(0).getAttributes()
-            .get(XdsAttributes.ATTR_ADDRESS_NAME)).isEqualTo("hostname1");
+            .get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME)).isEqualTo("hostname1");
   }
 
   @Test
@@ -864,9 +865,9 @@ void do_onlyLogicalDnsCluster_endpointsResolved() {
         Collections.<DropOverload>emptyList(), "pick_first");
     assertAddressesEqual(Arrays.asList(endpoint1, endpoint2), childBalancer.addresses);
     assertThat(childBalancer.addresses.get(0).getAttributes()
-        .get(XdsAttributes.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME);
+        .get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME);
     assertThat(childBalancer.addresses.get(1).getAttributes()
-        .get(XdsAttributes.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME);
+        .get(SecurityProtocolNegotiators.ATTR_ADDRESS_NAME)).isEqualTo(DNS_HOST_NAME);
   }
 
   @Test

xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java

@@ -86,6 +86,8 @@
 @RunWith(JUnit4.class)
 public class SecurityProtocolNegotiatorsTest {
 
+  private static final String HOSTNAME = "hostname";
+
   private final GrpcHttp2ConnectionHandler grpcHandler =
       FakeGrpcHttp2ConnectionHandler.newHandler();
 
@@ -157,7 +159,7 @@ public void clientSecurityHandler_addLast()
         new SslContextProviderSupplier(upstreamTlsContext,
             new TlsContextManagerImpl(bootstrapInfoForClient));
     ClientSecurityHandler clientSecurityHandler =
-        new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier);
+        new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier, HOSTNAME);
     pipeline.addLast(clientSecurityHandler);
     channelHandlerCtx = pipeline.context(clientSecurityHandler);
     assertNotNull(channelHandlerCtx);
@@ -369,7 +371,7 @@ public void clientSecurityProtocolNegotiatorNewHandler_fireProtocolNegotiationEv
         new SslContextProviderSupplier(upstreamTlsContext,
             new TlsContextManagerImpl(bootstrapInfoForClient));
     ClientSecurityHandler clientSecurityHandler =
-        new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier);
+        new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier, HOSTNAME);
 
     pipeline.addLast(clientSecurityHandler);
     channelHandlerCtx = pipeline.context(clientSecurityHandler);
@@ -420,7 +422,7 @@ public void clientSecurityProtocolNegotiatorNewHandler_handleHandlerRemoved() {
         new SslContextProviderSupplier(upstreamTlsContext,
             new TlsContextManagerImpl(bootstrapInfoForClient));
     ClientSecurityHandler clientSecurityHandler =
-        new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier);
+        new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier, HOSTNAME);
 
     pipeline.addLast(clientSecurityHandler);
     channelHandlerCtx = pipeline.context(clientSecurityHandler);