
grpc / grpc-java / #20002

29 Sep 2025 04:21PM UTC coverage: 88.592% (+0.02%) from 88.575%
#20002

push

github

web-flow
xds: xDS based SNI setting and SAN validation (#12378)

When using xDS credentials, configure the SNI for the TLS handshake via
xDS rather than using the channel authority as the SNI, and allow SAN
validation to use the SNI that was sent when xDS instructs it to.

Implements A101.

34877 of 39368 relevant lines covered (88.59%)

0.89 hits per line

Source File

56.76
/../netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java
/*
 * Copyright 2019 The gRPC Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package io.grpc.netty;

import com.google.common.base.Optional;
import io.grpc.ChannelLogger;
import io.grpc.internal.ObjectPool;
import io.grpc.netty.ProtocolNegotiators.ClientTlsHandler;
import io.grpc.netty.ProtocolNegotiators.GrpcNegotiationHandler;
import io.grpc.netty.ProtocolNegotiators.WaitUntilActiveHandler;
import io.netty.channel.ChannelHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.util.AsciiString;
import java.util.concurrent.Executor;
import javax.net.ssl.X509TrustManager;

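/**
 * Internal accessor for {@link ProtocolNegotiators}.
 *
 * <p>Every negotiator factory below obtains a negotiator from {@link ProtocolNegotiators} and
 * returns it wrapped as an {@link InternalProtocolNegotiator.ProtocolNegotiator}. The wrapper
 * only forwards calls; TLS configuration, SNI selection and certificate validation all happen
 * in the wrapped negotiator, not in this class.
 */
public final class InternalProtocolNegotiators {

  private InternalProtocolNegotiators() {}

  /**
   * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
   * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
   * may happen immediately, even before the TLS Handshake is complete.
   *
   * <p>All arguments are passed unchanged to {@code ProtocolNegotiators.tls}; nothing is
   * validated or defaulted here.
   *
   * @param sslContext the TLS context used for the handshake
   * @param executorPool a dedicated {@link Executor} pool for time-consuming TLS tasks; the
   *     three-argument overload of this method passes {@code null}
   * @param handshakeCompleteRunnable optional callback handed to the underlying negotiator;
   *     presumably run once the handshake finishes (confirm in {@code ProtocolNegotiators})
   * @param extendedX509TrustManager trust manager handed to the underlying negotiator
   * @param sni server name handed to the underlying negotiator. NOTE(review): what a
   *     {@code null} value selects (for example, falling back to the channel authority) and
   *     how the value takes part in SAN validation is decided in {@code ProtocolNegotiators}
   *     and is not visible in this file; confirm there before relying on it.
   * @return a negotiator that delegates every call to the one built by
   *     {@code ProtocolNegotiators.tls}
   */
  public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext,
          ObjectPool<? extends Executor> executorPool,
          Optional<Runnable> handshakeCompleteRunnable,
          X509TrustManager extendedX509TrustManager,
          String sni) {
    return new DelegatingNegotiator(ProtocolNegotiators.tls(sslContext,
        executorPool, handshakeCompleteRunnable, extendedX509TrustManager, sni));
  }

  /**
   * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will
   * be negotiated, the {@code handler} is added and writes to the {@link io.netty.channel.Channel}
   * may happen immediately, even before the TLS Handshake is complete.
   *
   * <p>Convenience overload: calls the five-argument {@code tls} with a {@code null} executor
   * pool and no handshake-complete callback.
   *
   * @param sslContext the TLS context used for the handshake
   * @param sni server name handed to the underlying negotiator (see the five-argument overload)
   * @param extendedX509TrustManager trust manager handed to the underlying negotiator
   */
  public static InternalProtocolNegotiator.ProtocolNegotiator tls(
      SslContext sslContext, String sni,
      X509TrustManager extendedX509TrustManager) {
    return tls(sslContext, null, Optional.absent(), extendedX509TrustManager, sni);
  }

  /**
   * Returns a {@link ProtocolNegotiator} that ensures the pipeline is set up so that TLS will be
   * negotiated, the server TLS {@code handler} is added and writes to the {@link
   * io.netty.channel.Channel} may happen immediately, even before the TLS Handshake is complete.
   *
   * @param sslContext the server-side TLS context, passed to
   *     {@code ProtocolNegotiators.serverTls}
   */
  public static InternalProtocolNegotiator.ProtocolNegotiator serverTls(SslContext sslContext) {
    return new DelegatingNegotiator(ProtocolNegotiators.serverTls(sslContext));
  }

  /**
   * Returns a {@link ProtocolNegotiator} for plaintext client channel.
   *
   * <p>The negotiator comes from {@code ProtocolNegotiators.plaintext()}; as the name says, no
   * TLS is negotiated on channels that use it.
   */
  public static InternalProtocolNegotiator.ProtocolNegotiator plaintext() {
    return new DelegatingNegotiator(ProtocolNegotiators.plaintext());
  }

  /**
   * Returns a {@link ProtocolNegotiator} for plaintext server channel.
   *
   * <p>The negotiator comes from {@code ProtocolNegotiators.serverPlaintext()}; as the name
   * says, no TLS is negotiated on channels that use it.
   */
  public static InternalProtocolNegotiator.ProtocolNegotiator serverPlaintext() {
    return new DelegatingNegotiator(ProtocolNegotiators.serverPlaintext());
  }

  /**
   * Internal version of {@link WaitUntilActiveHandler}.
   *
   * @param next the handler passed to the {@link WaitUntilActiveHandler} constructor
   * @param negotiationLogger logger passed to the {@link WaitUntilActiveHandler} constructor
   */
  public static ChannelHandler waitUntilActiveHandler(ChannelHandler next,
      ChannelLogger negotiationLogger) {
    return new WaitUntilActiveHandler(next, negotiationLogger);
  }

  /**
   * Internal version of {@link GrpcNegotiationHandler}.
   *
   * @param next the gRPC HTTP/2 handler passed to the {@link GrpcNegotiationHandler} constructor
   */
  public static ChannelHandler grpcNegotiationHandler(GrpcHttp2ConnectionHandler next) {
    return new GrpcNegotiationHandler(next);
  }

  /**
   * Internal version of {@link ClientTlsHandler}.
   *
   * <p>Only {@code next}, {@code sslContext}, {@code authority} and {@code negotiationLogger}
   * come from the caller. Every other constructor argument is passed as {@code null} or
   * {@code Optional.absent()}, so this entry point offers no way to supply an executor, a
   * handshake callback, a trust manager or a separate SNI value.
   *
   * <p>NOTE(review): how a handler built this way picks its SNI and verifies the peer's
   * certificate names depends on how {@link ClientTlsHandler} treats those {@code null}
   * arguments, which is not visible in this file; confirm there.
   *
   * @param next the handler passed to the {@link ClientTlsHandler} constructor
   * @param sslContext the TLS context used for the handshake
   * @param authority the authority string passed to the {@link ClientTlsHandler} constructor
   * @param negotiationLogger logger passed to the {@link ClientTlsHandler} constructor
   */
  public static ChannelHandler clientTlsHandler(
      ChannelHandler next, SslContext sslContext, String authority,
      ChannelLogger negotiationLogger) {
    return new ClientTlsHandler(next, sslContext, authority, null, negotiationLogger,
        Optional.absent(), null, null);
  }

  /**
   * Public subclass of {@code ProtocolNegotiators.ProtocolNegotiationHandler} whose protected
   * constructors forward to the matching superclass constructors. It adds no behavior;
   * presumably it exists so code outside this package can extend the handler (confirm with
   * callers).
   */
  public static class ProtocolNegotiationHandler
      extends ProtocolNegotiators.ProtocolNegotiationHandler {

    /**
     * Forwards to the three-argument superclass constructor.
     *
     * @param next the next handler, as expected by the superclass
     * @param negotiatorName name passed to the superclass
     * @param negotiationLogger logger passed to the superclass
     */
    protected ProtocolNegotiationHandler(ChannelHandler next, String negotiatorName,
        ChannelLogger negotiationLogger) {
      super(next, negotiatorName, negotiationLogger);
    }

    /**
     * Forwards to the two-argument superclass constructor.
     *
     * @param next the next handler, as expected by the superclass
     * @param negotiationLogger logger passed to the superclass
     */
    protected ProtocolNegotiationHandler(ChannelHandler next, ChannelLogger negotiationLogger) {
      super(next, negotiationLogger);
    }
  }

  /**
   * Adapts an {@link io.grpc.netty.ProtocolNegotiator} to
   * {@link InternalProtocolNegotiator.ProtocolNegotiator} by forwarding every call.
   *
   * <p>Shared by all negotiator factories in this class so the delegation is written once
   * instead of as one local class per factory.
   */
  private static final class DelegatingNegotiator
      implements InternalProtocolNegotiator.ProtocolNegotiator {

    private final io.grpc.netty.ProtocolNegotiator delegate;

    DelegatingNegotiator(io.grpc.netty.ProtocolNegotiator delegate) {
      this.delegate = delegate;
    }

    @Override
    public AsciiString scheme() {
      return delegate.scheme();
    }

    @Override
    public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
      return delegate.newHandler(grpcHandler);
    }

    @Override
    public void close() {
      delegate.close();
    }
  }
}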