xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java - platform/external/grpc-grpc-java - Git at Google

 /*
  * Copyright 2020 The gRPC Authors
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package io.grpc.xds.internal.security;

 import static com.google.common.base.Preconditions.checkNotNull;

 import com.google.common.collect.ImmutableList;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
 import io.grpc.Status;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import java.io.IOException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
 import javax.annotation.Nullable;

 /** Base class for dynamic {@link SslContextProvider}s. */
 public abstract class DynamicSslContextProvider extends SslContextProvider {

   protected final List<Callback> pendingCallbacks = new ArrayList<>();
   @Nullable protected final CertificateValidationContext staticCertificateValidationContext;
   @Nullable protected SslContext sslContext;

   protected DynamicSslContextProvider(
       BaseTlsContext tlsContext, CertificateValidationContext staticCertValidationContext) {
     super(tlsContext);
     this.staticCertificateValidationContext = staticCertValidationContext;
   }

   @Nullable
   public SslContext getSslContext() {
     return sslContext;
   }

   protected abstract CertificateValidationContext generateCertificateValidationContext();

   /** Gets a server or client side SslContextBuilder. */
   protected abstract SslContextBuilder getSslContextBuilder(
       CertificateValidationContext certificateValidationContext)
       throws CertificateException, IOException, CertStoreException;

   // this gets called only when requested secrets are ready...
   protected final void updateSslContext() {
     try {
       CertificateValidationContext localCertValidationContext =
           generateCertificateValidationContext();
       SslContextBuilder sslContextBuilder = getSslContextBuilder(localCertValidationContext);
       CommonTlsContext commonTlsContext = getCommonTlsContext();
       if (commonTlsContext != null && commonTlsContext.getAlpnProtocolsCount() > 0) {
         List<String> alpnList = commonTlsContext.getAlpnProtocolsList();
         ApplicationProtocolConfig apn =
             new ApplicationProtocolConfig(
                 ApplicationProtocolConfig.Protocol.ALPN,
                 ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                 ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                 alpnList);
         sslContextBuilder.applicationProtocolConfig(apn);
       }
       List<Callback> pendingCallbacksCopy;
       SslContext sslContextCopy;
       synchronized (pendingCallbacks) {
         sslContext = sslContextBuilder.build();
         sslContextCopy = sslContext;
         pendingCallbacksCopy = clonePendingCallbacksAndClear();
       }
       makePendingCallbacks(sslContextCopy, pendingCallbacksCopy);
     } catch (Exception e) {
       onError(Status.fromThrowable(e));
       throw new RuntimeException(e);
     }
   }

   protected final void callPerformCallback(
           Callback callback, final SslContext sslContextCopy) {
     performCallback(
         new SslContextGetter() {
           @Override
           public SslContext get() {
             return sslContextCopy;
           }
         },
         callback
     );
   }

   @Override
   public final void addCallback(Callback callback) {
     checkNotNull(callback, "callback");
     // if there is a computed sslContext just send it
     SslContext sslContextCopy = null;
     synchronized (pendingCallbacks) {
       if (sslContext != null) {
         sslContextCopy = sslContext;
       } else {
         pendingCallbacks.add(callback);
       }
     }
     if (sslContextCopy != null) {
       callPerformCallback(callback, sslContextCopy);
     }
   }

   private final void makePendingCallbacks(
       SslContext sslContextCopy, List<Callback> pendingCallbacksCopy) {
     for (Callback callback : pendingCallbacksCopy) {
       callPerformCallback(callback, sslContextCopy);
     }
   }

   /** Propagates error to all the callback receivers. */
   public final void onError(Status error) {
     for (Callback callback : clonePendingCallbacksAndClear()) {
       callback.onException(error.asException());
     }
   }

   private List<Callback> clonePendingCallbacksAndClear() {
     synchronized (pendingCallbacks) {
       List<Callback> copy = ImmutableList.copyOf(pendingCallbacks);
       pendingCallbacks.clear();
       return copy;
     }
   }
 }
	/*
	* Copyright 2020 The gRPC Authors
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package io.grpc.xds.internal.security;

	import static com.google.common.base.Preconditions.checkNotNull;

	import com.google.common.collect.ImmutableList;
	import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
	import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
	import io.grpc.Status;
	import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
	import io.netty.handler.ssl.ApplicationProtocolConfig;
	import io.netty.handler.ssl.SslContext;
	import io.netty.handler.ssl.SslContextBuilder;
	import java.io.IOException;
	import java.security.cert.CertStoreException;
	import java.security.cert.CertificateException;
	import java.util.ArrayList;
	import java.util.List;
	import javax.annotation.Nullable;

	/** Base class for dynamic {@link SslContextProvider}s. */
	public abstract class DynamicSslContextProvider extends SslContextProvider {

	protected final List<Callback> pendingCallbacks = new ArrayList<>();
	@Nullable protected final CertificateValidationContext staticCertificateValidationContext;
	@Nullable protected SslContext sslContext;

	protected DynamicSslContextProvider(
	BaseTlsContext tlsContext, CertificateValidationContext staticCertValidationContext) {
	super(tlsContext);
	this.staticCertificateValidationContext = staticCertValidationContext;
	}

	@Nullable
	public SslContext getSslContext() {
	return sslContext;
	}

	protected abstract CertificateValidationContext generateCertificateValidationContext();

	/** Gets a server or client side SslContextBuilder. */
	protected abstract SslContextBuilder getSslContextBuilder(
	CertificateValidationContext certificateValidationContext)
	throws CertificateException, IOException, CertStoreException;

	// this gets called only when requested secrets are ready...
	protected final void updateSslContext() {
	try {
	CertificateValidationContext localCertValidationContext =
	generateCertificateValidationContext();
	SslContextBuilder sslContextBuilder = getSslContextBuilder(localCertValidationContext);
	CommonTlsContext commonTlsContext = getCommonTlsContext();
	if (commonTlsContext != null && commonTlsContext.getAlpnProtocolsCount() > 0) {
	List<String> alpnList = commonTlsContext.getAlpnProtocolsList();
	ApplicationProtocolConfig apn =
	new ApplicationProtocolConfig(
	ApplicationProtocolConfig.Protocol.ALPN,
	ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
	ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
	alpnList);
	sslContextBuilder.applicationProtocolConfig(apn);
	}
	List<Callback> pendingCallbacksCopy;
	SslContext sslContextCopy;
	synchronized (pendingCallbacks) {
	sslContext = sslContextBuilder.build();
	sslContextCopy = sslContext;
	pendingCallbacksCopy = clonePendingCallbacksAndClear();
	}
	makePendingCallbacks(sslContextCopy, pendingCallbacksCopy);
	} catch (Exception e) {
	onError(Status.fromThrowable(e));
	throw new RuntimeException(e);
	}
	}

	protected final void callPerformCallback(
	Callback callback, final SslContext sslContextCopy) {
	performCallback(
	new SslContextGetter() {
	@Override
	public SslContext get() {
	return sslContextCopy;
	}
	},
	callback
	);
	}

	@Override
	public final void addCallback(Callback callback) {
	checkNotNull(callback, "callback");
	// if there is a computed sslContext just send it
	SslContext sslContextCopy = null;
	synchronized (pendingCallbacks) {
	if (sslContext != null) {
	sslContextCopy = sslContext;
	} else {
	pendingCallbacks.add(callback);
	}
	}
	if (sslContextCopy != null) {
	callPerformCallback(callback, sslContextCopy);
	}
	}

	private final void makePendingCallbacks(
	SslContext sslContextCopy, List<Callback> pendingCallbacksCopy) {
	for (Callback callback : pendingCallbacksCopy) {
	callPerformCallback(callback, sslContextCopy);
	}
	}

	/** Propagates error to all the callback receivers. */
	public final void onError(Status error) {
	for (Callback callback : clonePendingCallbacksAndClear()) {
	callback.onException(error.asException());
	}
	}

	private List<Callback> clonePendingCallbacksAndClear() {
	synchronized (pendingCallbacks) {
	List<Callback> copy = ImmutableList.copyOf(pendingCallbacks);
	pendingCallbacks.clear();
	return copy;
	}
	}
	}