grpc / grpc-java / #20254
89%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 652
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 88.827% (+0.01%) from 88.814%
#20254

push

github

web-flow 
xds: Trust Manager fix for when SAN validation against SNI sent doesn't apply (#12775)

Fixes a bug in propagation of `autoSniSanValidationDoesNotApply` (from
PR #12422). It added an argument `autoSniSanValidationDoesNotApply` to
`SslContextProviderSupplier.updateSslContext` that sets it on the
`DynamicSslContextProvider` but because `UpstreamTlsContext` equals
wasn't implemented, it was getting replaced by a new instance and the
flag getting lost. This issue was identified when fixing an incorrect
merge caused error in `CertProviderClientSslContextProvider` that
recreated the trust manager without consideration to
`autoSniSanValidationDoesNotApply`. It ought to have caused failure in
the test
`XdsSecurityClientServerTest.tlsClientServer_autoSniValidation_noSniApplicable_usesMatcherFromCmnVdnCtx`
but it wasn't, because even though `autoSniSanValidationDoesNotApply`
was false due to not getting the propagated true value, SAN matcher
fallback was still happening because there was no server SNI sent.

With the new changes, in addition to fixing the equals method, by moving
the decision about autoSniSanValidationDoesNotApply to
TlsContextManagerImpl.findOrCreateClientSslContextProvider I have
eliminated the need to have a deferred setting of this decision via
DynamicSslContextProvider.setAutoSniSanValidationDoesNotApply called
from SslContextProviderSupplier.updateSslContext.

Summary of Changes:

   1. Enhanced `UpstreamTlsContext` (EnvoyServerProtoData.java):
* Modified Caching Behavior: Implemented full equals() and hashCode()
overrides for `UpstreamTlsContext`. Previously, it relied on the base
class which only compared the commonTlsContext, causing different SNI or
auto-validation settings to incorrectly share the same cache entry.
* Normalization: Updated constructors to normalize the sni field to an
empty string ("") if null. This prevents equality mismatches between
context objects created from different sources (e.g., test helpers vs.
Envoy proto... (continued)

36141 of 40687 relevant lines covered (88.83%)

0.89 hits per line

Coverage Regressions

Lines Coverage File
8
81.36
 1.36% ../xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java
5
94.34
 -1.45% ../xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java
3
95.07
 -0.44% ../core/src/main/java/io/grpc/internal/RetriableStream.java
3
94.23
 -0.21% ../xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java
2
83.16
 0.0% ../okhttp/src/main/java/io/grpc/okhttp/ExceptionHandlingFrameWriter.java
1
93.83
 -0.62% ../opentelemetry/src/main/java/io/grpc/opentelemetry/OpenTelemetryMetricSink.java
1
93.33
 -0.48% ../xds/src/main/java/io/grpc/xds/client/ControlPlaneClient.java
1
94.12
 -2.04% ../xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
Jobs
ID Job ID Ran Files Coverage
1 #20254.1 652
88.83
Source Files on build #20254