xds: remove remaining occurrences of SDS in the security code (#10219)

This commit is contained in:
sanjaypujare 2023-05-25 10:28:37 -07:00 committed by GitHub
parent e172ea7efc
commit e875d1b01c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 63 additions and 61 deletions


@ -44,7 +44,7 @@ import java.util.logging.Logger;
import javax.annotation.Nullable;
/**
* Provides client and server side gRPC {@link ProtocolNegotiator}s that use SDS to provide the SSL
* Provides client and server side gRPC {@link ProtocolNegotiator}s to provide the SSL
* context.
*/
@VisibleForTesting
@ -61,7 +61,7 @@ public final class SecurityProtocolNegotiators {
public static final Attributes.Key<SslContextProviderSupplier>
ATTR_SERVER_SSL_CONTEXT_PROVIDER_SUPPLIER =
Attributes.Key.create("io.grpc.xds.internal.sds.server.sslContextProviderSupplier");
Attributes.Key.create("io.grpc.xds.internal.security.server.sslContextProviderSupplier");
/**
* Returns a {@link InternalProtocolNegotiator.ClientFactory}.
@ -88,7 +88,7 @@ public final class SecurityProtocolNegotiators {
@Override
public ProtocolNegotiator newNegotiator(ObjectPool<? extends Executor> offloadExecutorPool) {
return new ServerSdsProtocolNegotiator(
return new ServerSecurityProtocolNegotiator(
fallbackProtocolNegotiator.newNegotiator(offloadExecutorPool));
}
}
@ -103,7 +103,7 @@ public final class SecurityProtocolNegotiators {
@Override
public ProtocolNegotiator newNegotiator() {
return new ClientSdsProtocolNegotiator(fallbackProtocolNegotiator.newNegotiator());
return new ClientSecurityProtocolNegotiator(fallbackProtocolNegotiator.newNegotiator());
}
@Override
@ -113,11 +113,11 @@ public final class SecurityProtocolNegotiators {
}
@VisibleForTesting
static final class ClientSdsProtocolNegotiator implements ProtocolNegotiator {
static final class ClientSecurityProtocolNegotiator implements ProtocolNegotiator {
@Nullable private final ProtocolNegotiator fallbackProtocolNegotiator;
ClientSdsProtocolNegotiator(@Nullable ProtocolNegotiator fallbackProtocolNegotiator) {
ClientSecurityProtocolNegotiator(@Nullable ProtocolNegotiator fallbackProtocolNegotiator) {
this.fallbackProtocolNegotiator = fallbackProtocolNegotiator;
}
@ -137,7 +137,7 @@ public final class SecurityProtocolNegotiators {
fallbackProtocolNegotiator, "No TLS config and no fallbackProtocolNegotiator!");
return fallbackProtocolNegotiator.newHandler(grpcHandler);
}
return new ClientSdsHandler(grpcHandler, localSslContextProviderSupplier);
return new ClientSecurityHandler(grpcHandler, localSslContextProviderSupplier);
}
@Override
@ -176,12 +176,12 @@ public final class SecurityProtocolNegotiators {
}
@VisibleForTesting
static final class ClientSdsHandler
static final class ClientSecurityHandler
extends InternalProtocolNegotiators.ProtocolNegotiationHandler {
private final GrpcHttp2ConnectionHandler grpcHandler;
private final SslContextProviderSupplier sslContextProviderSupplier;
ClientSdsHandler(
ClientSecurityHandler(
GrpcHttp2ConnectionHandler grpcHandler,
SslContextProviderSupplier sslContextProviderSupplier) {
super(
@ -214,7 +214,7 @@ public final class SecurityProtocolNegotiators {
}
logger.log(
Level.FINEST,
"ClientSdsHandler.updateSslContext authority={0}, ctx.name={1}",
"ClientSecurityHandler.updateSslContext authority={0}, ctx.name={1}",
new Object[]{grpcHandler.getAuthority(), ctx.name()});
ChannelHandler handler =
InternalProtocolNegotiators.tls(sslContext).newHandler(grpcHandler);
@ -241,13 +241,14 @@ public final class SecurityProtocolNegotiators {
}
}
private static final class ServerSdsProtocolNegotiator implements ProtocolNegotiator {
private static final class ServerSecurityProtocolNegotiator implements ProtocolNegotiator {
@Nullable private final ProtocolNegotiator fallbackProtocolNegotiator;
/** Constructor. */
@VisibleForTesting
public ServerSdsProtocolNegotiator(@Nullable ProtocolNegotiator fallbackProtocolNegotiator) {
public ServerSecurityProtocolNegotiator(
@Nullable ProtocolNegotiator fallbackProtocolNegotiator) {
this.fallbackProtocolNegotiator = fallbackProtocolNegotiator;
}
@ -306,7 +307,7 @@ public final class SecurityProtocolNegotiators {
.replace(
this,
null,
new ServerSdsHandler(
new ServerSecurityHandler(
grpcHandler, sslContextProviderSupplier));
ctx.fireUserEventTriggered(pne);
return;
@ -318,12 +319,12 @@ public final class SecurityProtocolNegotiators {
}
@VisibleForTesting
static final class ServerSdsHandler
static final class ServerSecurityHandler
extends InternalProtocolNegotiators.ProtocolNegotiationHandler {
private final GrpcHttp2ConnectionHandler grpcHandler;
private final SslContextProviderSupplier sslContextProviderSupplier;
ServerSdsHandler(
ServerSecurityHandler(
GrpcHttp2ConnectionHandler grpcHandler,
SslContextProviderSupplier sslContextProviderSupplier) {
super(


@ -73,7 +73,7 @@ public final class XdsTrustManagerFactory extends SimpleTrustManagerFactory {
certificateValidationContext == null || !certificateValidationContext.hasTrustedCa(),
"only static certificateValidationContext expected");
}
xdsX509TrustManager = createSdsX509TrustManager(certs, certificateValidationContext);
xdsX509TrustManager = createX509TrustManager(certs, certificateValidationContext);
}
private static X509Certificate[] getTrustedCaFromCertContext(
@ -98,7 +98,7 @@ public final class XdsTrustManagerFactory extends SimpleTrustManagerFactory {
}
@VisibleForTesting
static XdsX509TrustManager createSdsX509TrustManager(
static XdsX509TrustManager createX509TrustManager(
X509Certificate[] certs, CertificateValidationContext certContext) throws CertStoreException {
TrustManagerFactory tmf = null;
try {
@ -115,7 +115,7 @@ public final class XdsTrustManagerFactory extends SimpleTrustManagerFactory {
}
tmf.init(ks);
} catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException e) {
logger.log(Level.SEVERE, "createSdsX509TrustManager", e);
logger.log(Level.SEVERE, "createX509TrustManager", e);
throw new CertStoreException(e);
}
TrustManager[] tms = tmf.getTrustManagers();


@ -88,7 +88,7 @@ import org.junit.runners.JUnit4;
* modes.
*/
@RunWith(JUnit4.class)
public class XdsSdsClientServerTest {
public class XdsSecurityClientServerTest {
@Rule public final GrpcCleanupRule cleanupRule = new GrpcCleanupRule();
private int port;
@ -356,7 +356,7 @@ public class XdsSdsClientServerTest {
xdsClient.deliverLdsUpdate(listenerUpdate);
startFuture.get(10, TimeUnit.SECONDS);
port = xdsServer.getPort();
URI expectedUri = new URI("sdstest://localhost:" + port);
URI expectedUri = new URI("sectest://localhost:" + port);
fakeNameResolverFactory = new FakeNameResolverFactory.Builder(expectedUri).build();
NameResolverRegistry.getDefaultRegistry().register(fakeNameResolverFactory);
}
@ -400,7 +400,7 @@ public class XdsSdsClientServerTest {
throws URISyntaxException {
ManagedChannelBuilder<?> channelBuilder =
Grpc.newChannelBuilder(
"sdstest://localhost:" + port,
"sectest://localhost:" + port,
XdsChannelCredentials.create(InsecureChannelCredentials.create()));
if (overrideAuthority != null) {
@ -486,7 +486,7 @@ public class XdsSdsClientServerTest {
@Override
public String getDefaultScheme() {
return "sdstest";
return "sectest";
}
@Override


@ -54,7 +54,7 @@ import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
import org.mockito.ArgumentCaptor;
// TODO (zivy@): move certain tests down to XdsServerWrapperTest, or up to XdsSdsClientServerTest.
// TODO (zivy@): move certain tests down to XdsServerWrapperTest or to XdsSecurityClientServerTest
/**
* Unit tests for {@link XdsServerBuilder}.
*/


@ -51,8 +51,8 @@ import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
import io.grpc.xds.InternalXdsAttributes;
import io.grpc.xds.TlsContextManager;
import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSdsHandler;
import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSdsProtocolNegotiator;
import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSecurityHandler;
import io.grpc.xds.internal.security.SecurityProtocolNegotiators.ClientSecurityProtocolNegotiator;
import io.grpc.xds.internal.security.certprovider.CommonCertProviderTestUtils;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
@ -95,20 +95,21 @@ public class SecurityProtocolNegotiatorsTest {
private ChannelHandlerContext channelHandlerCtx;
@Test
public void clientSdsProtocolNegotiatorNewHandler_noTlsContextAttribute() {
public void clientSecurityProtocolNegotiatorNewHandler_noTlsContextAttribute() {
ChannelHandler mockChannelHandler = mock(ChannelHandler.class);
ProtocolNegotiator mockProtocolNegotiator = mock(ProtocolNegotiator.class);
when(mockProtocolNegotiator.newHandler(grpcHandler)).thenReturn(mockChannelHandler);
ClientSdsProtocolNegotiator pn = new ClientSdsProtocolNegotiator(mockProtocolNegotiator);
ClientSecurityProtocolNegotiator pn
= new ClientSecurityProtocolNegotiator(mockProtocolNegotiator);
ChannelHandler newHandler = pn.newHandler(grpcHandler);
assertThat(newHandler).isNotNull();
assertThat(newHandler).isSameInstanceAs(mockChannelHandler);
}
@Test
public void clientSdsProtocolNegotiatorNewHandler_noFallback_expectException() {
ClientSdsProtocolNegotiator pn =
new ClientSdsProtocolNegotiator(/* fallbackProtocolNegotiator= */ null);
public void clientSecurityProtocolNegotiatorNewHandler_noFallback_expectException() {
ClientSecurityProtocolNegotiator pn =
new ClientSecurityProtocolNegotiator(/* fallbackProtocolNegotiator= */ null);
try {
pn.newHandler(grpcHandler);
fail("exception expected!");
@ -120,11 +121,11 @@ public class SecurityProtocolNegotiatorsTest {
}
@Test
public void clientSdsProtocolNegotiatorNewHandler_withTlsContextAttribute() {
public void clientSecurityProtocolNegotiatorNewHandler_withTlsContextAttribute() {
UpstreamTlsContext upstreamTlsContext =
CommonTlsContextTestsUtil.buildUpstreamTlsContext(CommonTlsContext.newBuilder().build());
ClientSdsProtocolNegotiator pn =
new ClientSdsProtocolNegotiator(InternalProtocolNegotiators.plaintext());
ClientSecurityProtocolNegotiator pn =
new ClientSecurityProtocolNegotiator(InternalProtocolNegotiators.plaintext());
GrpcHttp2ConnectionHandler mockHandler = mock(GrpcHttp2ConnectionHandler.class);
ChannelLogger logger = mock(ChannelLogger.class);
doNothing().when(logger).log(any(ChannelLogLevel.class), anyString());
@ -138,11 +139,11 @@ public class SecurityProtocolNegotiatorsTest {
.build());
ChannelHandler newHandler = pn.newHandler(mockHandler);
assertThat(newHandler).isNotNull();
assertThat(newHandler).isInstanceOf(ClientSdsHandler.class);
assertThat(newHandler).isInstanceOf(ClientSecurityHandler.class);
}
@Test
public void clientSdsHandler_addLast()
public void clientSecurityHandler_addLast()
throws InterruptedException, TimeoutException, ExecutionException {
FakeClock executor = new FakeClock();
CommonCertProviderTestUtils.register(executor);
@ -156,11 +157,11 @@ public class SecurityProtocolNegotiatorsTest {
SslContextProviderSupplier sslContextProviderSupplier =
new SslContextProviderSupplier(upstreamTlsContext,
new TlsContextManagerImpl(bootstrapInfoForClient));
SecurityProtocolNegotiators.ClientSdsHandler clientSdsHandler =
new SecurityProtocolNegotiators.ClientSdsHandler(grpcHandler, sslContextProviderSupplier);
pipeline.addLast(clientSdsHandler);
channelHandlerCtx = pipeline.context(clientSdsHandler);
assertNotNull(channelHandlerCtx); // clientSdsHandler ctx is non-null since we just added it
ClientSecurityHandler clientSecurityHandler =
new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier);
pipeline.addLast(clientSecurityHandler);
channelHandlerCtx = pipeline.context(clientSecurityHandler);
assertNotNull(channelHandlerCtx);
// kick off protocol negotiation.
pipeline.fireUserEventTriggered(InternalProtocolNegotiationEvent.getDefault());
@ -182,7 +183,7 @@ public class SecurityProtocolNegotiatorsTest {
Object fromFuture = future.get(2, TimeUnit.SECONDS);
assertThat(fromFuture).isInstanceOf(SslContext.class);
channel.runPendingTasks();
channelHandlerCtx = pipeline.context(clientSdsHandler);
channelHandlerCtx = pipeline.context(clientSecurityHandler);
assertThat(channelHandlerCtx).isNull();
// pipeline should have SslHandler and ClientTlsHandler
@ -195,7 +196,7 @@ public class SecurityProtocolNegotiatorsTest {
}
@Test
public void serverSdsHandler_addLast()
public void serverSecurityHandler_addLast()
throws InterruptedException, TimeoutException, ExecutionException {
FakeClock executor = new FakeClock();
CommonCertProviderTestUtils.register(executor);
@ -228,7 +229,7 @@ public class SecurityProtocolNegotiatorsTest {
channelHandlerCtx = pipeline.context(handlerPickerHandler);
assertThat(channelHandlerCtx).isNotNull(); // should find HandlerPickerHandler
// kick off protocol negotiation: should replace HandlerPickerHandler with ServerSdsHandler
// kick off protocol negotiation: should replace HandlerPickerHandler with ServerSecurityHandler
ProtocolNegotiationEvent event = InternalProtocolNegotiationEvent.getDefault();
Attributes attr = InternalProtocolNegotiationEvent.getAttributes(event)
.toBuilder().set(ATTR_SERVER_SSL_CONTEXT_PROVIDER_SUPPLIER,
@ -236,7 +237,7 @@ public class SecurityProtocolNegotiatorsTest {
pipeline.fireUserEventTriggered(InternalProtocolNegotiationEvent.withAttributes(event, attr));
channelHandlerCtx = pipeline.context(handlerPickerHandler);
assertThat(channelHandlerCtx).isNull();
channelHandlerCtx = pipeline.context(SecurityProtocolNegotiators.ServerSdsHandler.class);
channelHandlerCtx = pipeline.context(SecurityProtocolNegotiators.ServerSecurityHandler.class);
assertThat(channelHandlerCtx).isNotNull();
SslContextProviderSupplier sslContextProviderSupplier =
@ -259,7 +260,7 @@ public class SecurityProtocolNegotiatorsTest {
Object fromFuture = future.get(2, TimeUnit.SECONDS);
assertThat(fromFuture).isInstanceOf(SslContext.class);
channel.runPendingTasks();
channelHandlerCtx = pipeline.context(SecurityProtocolNegotiators.ServerSdsHandler.class);
channelHandlerCtx = pipeline.context(SecurityProtocolNegotiators.ServerSecurityHandler.class);
assertThat(channelHandlerCtx).isNull();
// pipeline should only have SslHandler and ServerTlsHandler
@ -272,7 +273,7 @@ public class SecurityProtocolNegotiatorsTest {
}
@Test
public void serverSdsHandler_defaultDownstreamTlsContext_expectFallbackProtocolNegotiator()
public void serverSecurityHandler_defaultDownstreamTlsContext_expectFallbackProtocolNegotiator()
throws IOException {
ChannelHandler mockChannelHandler = mock(ChannelHandler.class);
ProtocolNegotiator mockProtocolNegotiator = mock(ProtocolNegotiator.class);
@ -294,7 +295,7 @@ public class SecurityProtocolNegotiatorsTest {
channelHandlerCtx = pipeline.context(handlerPickerHandler);
assertThat(channelHandlerCtx).isNotNull(); // should find HandlerPickerHandler
// kick off protocol negotiation: should replace HandlerPickerHandler with ServerSdsHandler
// kick off protocol negotiation: should replace HandlerPickerHandler with ServerSecurityHandler
ProtocolNegotiationEvent event = InternalProtocolNegotiationEvent.getDefault();
Attributes attr = InternalProtocolNegotiationEvent.getAttributes(event)
.toBuilder().set(ATTR_SERVER_SSL_CONTEXT_PROVIDER_SUPPLIER, null).build();
@ -309,7 +310,7 @@ public class SecurityProtocolNegotiatorsTest {
}
@Test
public void serverSdsHandler_nullTlsContext_expectFallbackProtocolNegotiator() {
public void serverSecurityHandler_nullTlsContext_expectFallbackProtocolNegotiator() {
ChannelHandler mockChannelHandler = mock(ChannelHandler.class);
ProtocolNegotiator mockProtocolNegotiator = mock(ProtocolNegotiator.class);
when(mockProtocolNegotiator.newHandler(grpcHandler)).thenReturn(mockChannelHandler);
@ -354,7 +355,7 @@ public class SecurityProtocolNegotiatorsTest {
}
@Test
public void clientSdsProtocolNegotiatorNewHandler_fireProtocolNegotiationEvent()
public void clientSecurityProtocolNegotiatorNewHandler_fireProtocolNegotiationEvent()
throws InterruptedException, TimeoutException, ExecutionException {
FakeClock executor = new FakeClock();
CommonCertProviderTestUtils.register(executor);
@ -368,11 +369,11 @@ public class SecurityProtocolNegotiatorsTest {
SslContextProviderSupplier sslContextProviderSupplier =
new SslContextProviderSupplier(upstreamTlsContext,
new TlsContextManagerImpl(bootstrapInfoForClient));
SecurityProtocolNegotiators.ClientSdsHandler clientSdsHandler =
new SecurityProtocolNegotiators.ClientSdsHandler(grpcHandler, sslContextProviderSupplier);
ClientSecurityHandler clientSecurityHandler =
new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier);
pipeline.addLast(clientSdsHandler);
channelHandlerCtx = pipeline.context(clientSdsHandler);
pipeline.addLast(clientSecurityHandler);
channelHandlerCtx = pipeline.context(clientSecurityHandler);
assertNotNull(channelHandlerCtx); // non-null since we just added it
// kick off protocol negotiation.
@ -395,7 +396,7 @@ public class SecurityProtocolNegotiatorsTest {
Object fromFuture = future.get(5, TimeUnit.SECONDS);
assertThat(fromFuture).isInstanceOf(SslContext.class);
channel.runPendingTasks();
channelHandlerCtx = pipeline.context(clientSdsHandler);
channelHandlerCtx = pipeline.context(clientSecurityHandler);
assertThat(channelHandlerCtx).isNull();
Object sslEvent = SslHandshakeCompletionEvent.SUCCESS;
@ -406,7 +407,7 @@ public class SecurityProtocolNegotiatorsTest {
}
@Test
public void clientSdsProtocolNegotiatorNewHandler_handleHandlerRemoved() {
public void clientSecurityProtocolNegotiatorNewHandler_handleHandlerRemoved() {
FakeClock executor = new FakeClock();
CommonCertProviderTestUtils.register(executor);
Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
@ -419,17 +420,17 @@ public class SecurityProtocolNegotiatorsTest {
SslContextProviderSupplier sslContextProviderSupplier =
new SslContextProviderSupplier(upstreamTlsContext,
new TlsContextManagerImpl(bootstrapInfoForClient));
SecurityProtocolNegotiators.ClientSdsHandler clientSdsHandler =
new SecurityProtocolNegotiators.ClientSdsHandler(grpcHandler, sslContextProviderSupplier);
ClientSecurityHandler clientSecurityHandler =
new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier);
pipeline.addLast(clientSdsHandler);
channelHandlerCtx = pipeline.context(clientSdsHandler);
pipeline.addLast(clientSecurityHandler);
channelHandlerCtx = pipeline.context(clientSecurityHandler);
// kick off protocol negotiation.
pipeline.fireUserEventTriggered(InternalProtocolNegotiationEvent.getDefault());
executor.runDueTasks();
pipeline.remove(clientSdsHandler);
pipeline.remove(clientSecurityHandler);
channel.runPendingTasks();
channel.checkException();
CommonCertProviderTestUtils.register0();


@ -629,7 +629,7 @@ public class XdsX509TrustManagerTest {
throws CertificateException, IOException, CertStoreException {
X509Certificate[] caCerts =
CertificateUtils.toX509Certificates(TlsTesting.loadCert(CA_PEM_FILE));
trustManager = XdsTrustManagerFactory.createSdsX509TrustManager(caCerts,
trustManager = XdsTrustManagerFactory.createX509TrustManager(caCerts,
null);
when(mockSession.getProtocol()).thenReturn("TLSv1.2");
when(mockSession.getPeerHost()).thenReturn("peer-host-from-mock");