Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

s2a: Combine MtlsToS2ChannelCredentials and S2AChannelCredentials. #11544

Merged
merged 8 commits into from
Sep 30, 2024
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 0 additions & 89 deletions s2a/src/main/java/io/grpc/s2a/MtlsToS2AChannelCredentials.java

This file was deleted.

67 changes: 57 additions & 10 deletions s2a/src/main/java/io/grpc/s2a/S2AChannelCredentials.java
Original file line number Diff line number Diff line change
Expand Up @@ -26,13 +26,16 @@
import io.grpc.ChannelCredentials;
import io.grpc.ExperimentalApi;
import io.grpc.InsecureChannelCredentials;
import io.grpc.TlsChannelCredentials;
import io.grpc.internal.ObjectPool;
import io.grpc.internal.SharedResourcePool;
import io.grpc.netty.InternalNettyChannelCredentials;
import io.grpc.netty.InternalProtocolNegotiator;
import io.grpc.s2a.channel.S2AHandshakerServiceChannel;
import io.grpc.s2a.handshaker.S2AIdentity;
import io.grpc.s2a.handshaker.S2AProtocolNegotiatorFactory;
import java.io.File;
import java.io.IOException;
import javax.annotation.concurrent.NotThreadSafe;
import org.checkerframework.checker.nullness.qual.Nullable;

Expand All @@ -58,13 +61,46 @@ public static Builder newBuilder(String s2aAddress) {
public static final class Builder {
private final String s2aAddress;
private ObjectPool<Channel> s2aChannelPool;
private ChannelCredentials s2aChannelCredentials;
private @Nullable S2AIdentity localIdentity = null;
private boolean useMtlsToS2A = false;
private @Nullable String privateKeyPath;
private @Nullable String certChainPath;
private @Nullable String trustBundlePath;

Builder(String s2aAddress) {
this.s2aAddress = s2aAddress;
this.s2aChannelPool = null;
this.s2aChannelCredentials = InsecureChannelCredentials.create();
}

/**
* Sets whether to use mTLS to S2A. If true, the {@code privateKeyPath}, {@code certChainPath},
* and {@code trustBundlePath} must also be set.
*/
@CanIgnoreReturnValue
public Builder setUseMtlsToS2A(boolean useMtlsToS2A) {
ejona86 marked this conversation as resolved.
Show resolved Hide resolved
this.useMtlsToS2A = useMtlsToS2A;
return this;
}

/** Sets the path to the private key PEM to use for authenticating to the S2A. */
@CanIgnoreReturnValue
public Builder setPrivateKeyPath(String privateKeyPath) {
this.privateKeyPath = privateKeyPath;
return this;
}

/** Sets the path to the certificate chain PEM to use for authenticating to the S2A. */
@CanIgnoreReturnValue
public Builder setCertChainPath(String certChainPath) {
this.certChainPath = certChainPath;
return this;
}

/** Sets the path to the trust bundle PEM to use for authenticating to the S2A. */
@CanIgnoreReturnValue
public Builder setTrustBundlePath(String trustBundlePath) {
this.trustBundlePath = trustBundlePath;
return this;
}

/**
Expand Down Expand Up @@ -106,15 +142,26 @@ public Builder setLocalUid(String localUid) {
return this;
}

/** Sets the credentials to be used when connecting to the S2A. */
@CanIgnoreReturnValue
public Builder setS2AChannelCredentials(ChannelCredentials s2aChannelCredentials) {
this.s2aChannelCredentials = s2aChannelCredentials;
return this;
}

public ChannelCredentials build() {
public ChannelCredentials build() throws IOException {
checkState(!isNullOrEmpty(s2aAddress), "S2A address must not be null or empty.");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both of these are already checked in newBuilder(). They should be verified when being set, not during build(), so even if we add set methods later, we wouldn't want them here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 36222a0

ChannelCredentials s2aChannelCredentials;
if (useMtlsToS2A) {
checkState(!isNullOrEmpty(privateKeyPath), "privateKeyPath must not be null or empty.");
checkState(!isNullOrEmpty(certChainPath), "certChainPath must not be null or empty.");
checkState(!isNullOrEmpty(trustBundlePath), "trustBundlePath must not be null or empty.");

File privateKeyFile = new File(privateKeyPath);
File certChainFile = new File(certChainPath);
File trustBundleFile = new File(trustBundlePath);

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should verify that the files exist so that you can provide a meaningful error message if they don't.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 2407bb6

s2aChannelCredentials =
TlsChannelCredentials.newBuilder()
.keyManager(certChainFile, privateKeyFile)
.trustManager(trustBundleFile)
.build();
} else {
s2aChannelCredentials = InsecureChannelCredentials.create();
}
ObjectPool<Channel> s2aChannelPool =
SharedResourcePool.forResource(
S2AHandshakerServiceChannel.getChannelResource(s2aAddress, s2aChannelCredentials));
Expand Down
135 changes: 0 additions & 135 deletions s2a/src/test/java/io/grpc/s2a/MtlsToS2AChannelCredentialsTest.java

This file was deleted.

Loading
Loading