Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ok-http: Per-rpc call option authority verification #11754

Open
wants to merge 27 commits into
base: master
Choose a base branch
from

Conversation

kannanjgithub
Copy link
Contributor

No description provided.

Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still need to look at the core of it, but the shape looks right. These comments are mostly surface-level.

@@ -99,10 +99,10 @@ public int compare(ManagedChannelProvider o1, ManagedChannelProvider o2) {
public static synchronized ManagedChannelRegistry getDefaultRegistry() {
if (instance == null) {
List<ManagedChannelProvider> providerList = ServiceProviders.loadAll(
ManagedChannelProvider.class,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revert all changes to this file? I only see reformatting.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Comment on lines 31 to 32
implementation "io.grpc:grpc-api:${grpcVersion}"
implementation "io.grpc:grpc-okhttp:${grpcVersion}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revert?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@Override
public SSLParameters getSSLParameters() {
SSLParameters sslParameters = sslSocket.getSSLParameters();
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why was this needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The endpointIdentificationAlgorithm in sslParameters of the real sslSocket is null. In the case of Netty we are setting it here

sslParams.setEndpointIdentificationAlgorithm("HTTPS");
for the handshake but not for Okhttp.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But changing here isn't actually changing it for the connection. I think we're generally depending on the HostnameVerifier instead. setEndpointIdentificationAlgorithm() was added in Android API level 24. We're claiming to support API level 21 (although we should change that to 23)

I'm really bothered by the lack of failure building this. AnimalSniffer missed some things at times, but it seems to be completely broken right now. Running with --console=plain I see animalsnifferMain is SKIPPED. Digging deeper, it seems we're missing @signature in the version so it hasn't been running.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But the setting endpoint algorithm in the wrapper SslSocket was for causing the hostname check to occur when we do the per rpc check using the X509ExrendedTrustManager. Do we not want that to happen?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as we don't have a minimum API level of 24 we can't check authority using X509ExtendedTrustManager. Should we then remove these changes and use only HostnameVerifier, and disallow per rpc authority override if one is not provided?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed offline and understood we let the same checks during handshake apply during RPC and removed calling setEndpointIdentificationAlgorithm.

/**
* SSLSocket wrapper that provides a fake SSLSession for handshake session.
*/
static class SslSocketWrapper extends SSLSocket {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make a NoopSslSocket, like we did for Netty?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

/**
* Fake SSLSession instance that provides the peer host name to verify for per-rpc check.
*/
static class FakeSslSession implements SSLSession {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want the NoopSslSession from Netty to move to io.grpc.internal and then use it here? Or we just make a copy. I don't think it actually matters much which way we go in this case.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@@ -425,7 +426,7 @@ static HandshakerSocketFactoryResult handshakerSocketFactoryFrom(ServerCredentia
tm = tlsCreds.getTrustManagers().toArray(new TrustManager[0]);
} else if (tlsCreds.getRootCertificates() != null) {
try {
tm = OkHttpChannelBuilder.createTrustManager(tlsCreds.getRootCertificates());
tm = createTrustManager(tlsCreds.getRootCertificates());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revert? This is the only change, and it seems more clear before.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, I have moved this method to io.grpc.internal.CertificateUtil and static imported the method since there is a name clash for CertificateUtil.

if (tlsCreds.getTrustManagers() != null) {
tm = tlsCreds.getTrustManagers().toArray(new TrustManager[0]);
} else if (tlsCreds.getRootCertificates() != null) {
tm = io.grpc.internal.CertificateUtils.createTrustManager(tlsCreds.getRootCertificates());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Import CertificateUtils? Is there a name collision I'm not seeing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

throws GeneralSecurityException {
TrustManager[] tm = null;
// Using the same way of creating TrustManager from
// {@link OkHttpChannelBuilder#sslSocketFactoryFrom}.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't use Javadoc-style in regular comments. OkHttpChannelBuilder.sslSocketFactoryFrom()

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

tmf.init((KeyStore) null);
tm = tmf.getTrustManagers();
}
return Arrays.stream(tm).filter(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No java.util.stream

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@kannanjgithub
Copy link
Contributor Author

Yet to make the changes to use X509ExtendedTrustManager only via reflection if it is available in the class loader.

@kannanjgithub
Copy link
Contributor Author

Yet to make the changes to use X509ExtendedTrustManager only via reflection if it is available in the class loader.

Done. Still need to figure how to disable animal sniffer check for tests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants