Changes to move the authority verification logic to the stream creation code.

Author: kannanjgithub

examples/build.gradle

@@ -45,7 +45,7 @@ dependencies {
 protobuf {
     protoc { artifact = "com.google.protobuf:protoc:${protocVersion}" }
     plugins {
-        grpc { artifact = "io.grpc:protoc-gen-grpc-java:${grpcVersion}" }
+        grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.70.0" }
     }
     generateProtoTasks {
         all()*.plugins { grpc {} }

examples/src/main/java/io/grpc/examples/deadline/DeadlineServer.java

@@ -23,6 +23,7 @@
 import io.grpc.examples.helloworld.GreeterGrpc;
 import io.grpc.examples.helloworld.HelloReply;
 import io.grpc.examples.helloworld.HelloRequest;
+import io.grpc.stub.ServerCallStreamObserver;
 import io.grpc.stub.StreamObserver;
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
@@ -100,6 +101,11 @@ void setClientStub(GreeterGrpc.GreeterBlockingStub clientStub) {
 
     @Override
     public void sayHello(HelloRequest req, StreamObserver<HelloReply> responseObserver) {
+      ServerCallStreamObserver<HelloReply> serverCallStreamObserver =
+              (ServerCallStreamObserver<HelloReply>) responseObserver;
+      serverCallStreamObserver.setOnCloseHandler(() -> {
+        System.out.println("rpc close called.");
+      });
       try {
         Thread.sleep(500);
       } catch (InterruptedException e) {

okhttp/src/main/java/io/grpc/okhttp/OkHttpClientStream.java

@@ -409,7 +409,7 @@ private void streamReady(Metadata metadata, String path) {
               transport.isUsingPlaintext());
       // TODO(b/145386688): This access should be guarded by 'this.transport.lock'; instead found:
       // 'this.lock'
-      transport.streamReadyToStart(OkHttpClientStream.this);
+      transport.streamReadyToStart(OkHttpClientStream.this, authority);
     }
 
     Tag tag() {

okhttp/src/main/java/io/grpc/okhttp/OkHttpClientTransport.java

@@ -450,61 +450,7 @@ public ClientStream newStream(
     Preconditions.checkNotNull(headers, "headers");
     StatsTraceContext statsTraceContext =
         StatsTraceContext.newClientContext(tracers, getAttributes(), headers);
-    if (hostnameVerifier != null && socket instanceof SSLSocket
-            && !hostnameVerifier.verify(callOptions.getAuthority(),
-                    ((SSLSocket) socket).getSession())) {
-      if (enablePerRpcAuthorityCheck) {
-        return new FailingClientStream(Status.UNAVAILABLE.withDescription(
-                String.format("HostNameVerifier verification failed for authority '%s'",
-                        callOptions.getAuthority())), tracers);
-      }
-    }
-    if (socket instanceof SSLSocket && callOptions.getAuthority() != null
-        && channelCredentials != null && channelCredentials instanceof TlsChannelCredentials) {
-      Status peerVerificationStatus = null;
-      if (peerVerificationResults.containsKey(callOptions.getAuthority())) {
-        peerVerificationStatus = peerVerificationResults.get(callOptions.getAuthority());
-      } else {
-        TrustManager x509ExtendedTrustManager;
-        try {
-          x509ExtendedTrustManager = x509ExtendedTrustManagerClass != null
-                  ? getX509ExtendedTrustManager((TlsChannelCredentials) channelCredentials) : null;
-          if (x509ExtendedTrustManager == null) {
-            if (GrpcUtil.getFlag(GRPC_ENABLE_PER_RPC_AUTHORITY_CHECK, false)) {
-              return new FailingClientStream(Status.UNAVAILABLE.withDescription(
-                      "Can't allow authority override in rpc when X509ExtendedTrustManager is not "
-                              + "available"), tracers);
-            }
-          } else {
-            try {
-              Certificate[] peerCertificates = sslSession.getPeerCertificates();
-              X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
-              for (int i = 0; i < peerCertificates.length; i++) {
-                x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
-              }
-              checkServerTrustedMethod.invoke(x509ExtendedTrustManager, x509PeerCertificates,
-                      "RSA", new SslSocketWrapper((SSLSocket) socket, callOptions.getAuthority()));
-              peerVerificationStatus = Status.OK;
-            } catch (SSLPeerUnverifiedException | InvocationTargetException
-                     | IllegalAccessException e) {
-              peerVerificationStatus = Status.UNAVAILABLE.withDescription(
-                      String.format("Failure in verifying authority '%s' against peer during rpc",
-                              callOptions.getAuthority())).withCause(e);
-            }
-            peerVerificationResults.put(callOptions.getAuthority(), peerVerificationStatus);
-          }
-        } catch (GeneralSecurityException e) {
-          if (GrpcUtil.getFlag(GRPC_ENABLE_PER_RPC_AUTHORITY_CHECK, false)) {
-            return new FailingClientStream(Status.UNAVAILABLE.withDescription(
-                    "Failure getting X509ExtendedTrustManager from TlsCredentials").withCause(e),
-                    tracers);
-          }
-        }
-      }
-      if (peerVerificationStatus != null && !peerVerificationStatus.isOk()) {
-        return new FailingClientStream(peerVerificationStatus, tracers);
-      }
-    }
+
     // FIXME: it is likely wrong to pass the transportTracer here as it'll exit the lock's scope
     synchronized (lock) { // to make @GuardedBy linter happy
       return new OkHttpClientStream(
@@ -548,14 +494,87 @@ private TrustManager getX509ExtendedTrustManager(TlsChannelCredentials tlsCreds)
   }
 
   @GuardedBy("lock")
-  void streamReadyToStart(OkHttpClientStream clientStream) {
+  void streamReadyToStart(OkHttpClientStream clientStream, String authority) {
     if (goAwayStatus != null) {
       clientStream.transportState().transportReportStatus(
           goAwayStatus, RpcProgress.MISCARRIED, true, new Metadata());
     } else if (streams.size() >= maxConcurrentStreams) {
       pendingStreams.add(clientStream);
       setInUse(clientStream);
     } else {
+      if (hostnameVerifier != null
+              && socket instanceof SSLSocket
+              && !hostnameVerifier.verify(authority,
+              ((SSLSocket) socket).getSession())) {
+        if (enablePerRpcAuthorityCheck) {
+          clientStream.transportState().transportReportStatus(
+                  Status.UNAVAILABLE.withDescription(
+                          String.format("HostNameVerifier verification failed for authority '%s'",
+                                  authority)),
+                  RpcProgress.DROPPED, true, new Metadata());
+          return;
+        } else {
+          log.log(Level.WARNING, String.format("HostNameVerifier verification failed for authority "
+                          + "'%s'. This will be an error in the future.",
+                  authority));
+        }
+      }
+      if (socket instanceof SSLSocket && authority != null
+              && channelCredentials != null && channelCredentials instanceof TlsChannelCredentials) {
+        Status peerVerificationStatus = null;
+        if (peerVerificationResults.containsKey(authority)) {
+          peerVerificationStatus = peerVerificationResults.get(authority);
+        } else {
+          TrustManager x509ExtendedTrustManager = null;
+          try {
+            x509ExtendedTrustManager = x509ExtendedTrustManagerClass != null
+                    ? getX509ExtendedTrustManager((TlsChannelCredentials) channelCredentials) : null;
+          } catch (GeneralSecurityException e) {
+            peerVerificationStatus = Status.UNAVAILABLE.withCause(e)
+                    .withDescription("Could not verify authority due to failure getting "
+                            + "X509ExtendedTrustManager from TlsCredentials");
+          }
+          if (x509ExtendedTrustManager == null) {
+            peerVerificationStatus = Status.UNAVAILABLE.withDescription(String.format("Could not verify authority '%s' for "
+                            + "the rpc with no X509ExtendedTrustManager available",
+                    authority));
+          }
+          if (x509ExtendedTrustManager != null) {
+            try {
+              Certificate[] peerCertificates = sslSession.getPeerCertificates();
+              X509Certificate[] x509PeerCertificates = new X509Certificate[peerCertificates.length];
+              for (int i = 0; i < peerCertificates.length; i++) {
+                x509PeerCertificates[i] = (X509Certificate) peerCertificates[i];
+              }
+              checkServerTrustedMethod.invoke(x509ExtendedTrustManager, x509PeerCertificates,
+                      "RSA", new SslSocketWrapper((SSLSocket) socket, authority));
+              peerVerificationStatus = Status.OK;
+            } catch (SSLPeerUnverifiedException | InvocationTargetException
+                     | IllegalAccessException e) {
+              peerVerificationStatus = Status.UNAVAILABLE.withCause(e).withDescription(
+                      "Peer verification failed");
+            }
+            if (peerVerificationStatus != null) {
+              peerVerificationResults.put(authority, peerVerificationStatus);
+            }
+          }
+        }
+        if (peerVerificationStatus != null && !peerVerificationStatus.isOk()) {
+          if (enablePerRpcAuthorityCheck) {
+            clientStream.transportState().transportReportStatus(
+                    peerVerificationStatus, RpcProgress.DROPPED, true, new Metadata());
+            return;
+          } else {
+            if (peerVerificationStatus.getCause() != null) {
+              log.log(Level.WARNING, peerVerificationStatus.getDescription()
+                      + ". This will be an error in the future.", peerVerificationStatus.getCause());
+            } else {
+              log.log(Level.WARNING, peerVerificationStatus.getDescription()
+                      + ". This will be an error in the future.");
+            }
+          }
+        }
+      }
       startStream(clientStream);
     }
   }

okhttp/src/test/java/io/grpc/okhttp/OkHttpClientStreamTest.java

@@ -20,6 +20,7 @@
 import static io.grpc.internal.ClientStreamListener.RpcProgress.PROCESSED;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.ArgumentMatchers.isA;
 import static org.mockito.Mockito.times;
@@ -244,12 +245,13 @@ public void getUnaryRequest() throws IOException {
     // GET streams send headers after halfClose is called.
     verify(mockedFrameWriter, times(0)).synStream(
         eq(false), eq(false), eq(3), eq(0), headersCaptor.capture());
-    verify(transport, times(0)).streamReadyToStart(isA(OkHttpClientStream.class));
+    verify(transport, times(0)).streamReadyToStart(isA(OkHttpClientStream.class),
+            isA(String.class));
 
     byte[] msg = "request".getBytes(Charset.forName("UTF-8"));
     stream.writeMessage(new ByteArrayInputStream(msg));
     stream.halfClose();
-    verify(transport).streamReadyToStart(eq(stream));
+    verify(transport).streamReadyToStart(eq(stream), any(String.class));
     stream.transportState().start(3);
 
     verify(mockedFrameWriter)