alts: support google credential CFE cluster name in XDSTP format (#9246)

2022-06-08 14:26:47 -07:00 · 2022-06-08 14:26:47 -07:00 · a738bc8f22
parent 56e28bc9fa
commit a738bc8f22
2 changed files with 70 additions and 5 deletions
--- a/alts/src/main/java/io/grpc/alts/internal/AltsProtocolNegotiator.java
+++ b/alts/src/main/java/io/grpc/alts/internal/AltsProtocolNegotiator.java
@ -39,6 +39,8 @@ import io.grpc.netty.InternalProtocolNegotiators;
 import io.netty.channel.ChannelHandler;
 import io.netty.handler.ssl.SslContext;
 import io.netty.util.AsciiString;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.security.GeneralSecurityException;
 import java.util.List;
 import java.util.logging.Level;
@ -67,6 +69,10 @@ public final class AltsProtocolNegotiator {
  private static final AsciiString SCHEME = AsciiString.of("https");

  private static final String DIRECT_PATH_SERVICE_CFE_CLUSTER_PREFIX = "google_cfe_";
+  private static final String CFE_CLUSTER_RESOURCE_NAME_PREFIX =
+      "/envoy.config.cluster.v3.Cluster/google_cfe_";
+  private static final String CFE_CLUSTER_AUTHORITY_NAME =
+      "traffic-director-c2p.xds.googleapis.com";

  /**
   * ClientAltsProtocolNegotiatorFactory is a factory for doing client side negotiation of an ALTS
@ -288,11 +294,8 @@ public final class AltsProtocolNegotiator {
      ChannelHandler securityHandler;
      boolean isXdsDirectPath = false;
      if (clusterNameAttrKey != null) {
-        String clusterName = grpcHandler.getEagAttributes().get(clusterNameAttrKey);
-        if (clusterName != null
-            && !clusterName.startsWith(DIRECT_PATH_SERVICE_CFE_CLUSTER_PREFIX)) {
-          isXdsDirectPath = true;
-        }
+        isXdsDirectPath = isDirectPathCluster(
+            grpcHandler.getEagAttributes().get(clusterNameAttrKey));
      }
      if (grpcHandler.getEagAttributes().get(GrpclbConstants.ATTR_LB_ADDR_AUTHORITY) != null
          || grpcHandler.getEagAttributes().get(GrpclbConstants.ATTR_LB_PROVIDED_BACKEND) != null
@ -312,6 +315,26 @@ public final class AltsProtocolNegotiator {
      return wuah;
    }

+    private boolean isDirectPathCluster(String clusterName) {
+      if (clusterName == null) {
+        return false;
+      }
+      if (clusterName.startsWith(DIRECT_PATH_SERVICE_CFE_CLUSTER_PREFIX)) {
+        return false;
+      }
+      if (!clusterName.startsWith("xdstp:")) {
+        return true;
+      }
+      try {
+        URI uri = new URI(clusterName);
+        // If authority AND path match our CFE checks, use TLS; otherwise use ALTS.
+        return !CFE_CLUSTER_AUTHORITY_NAME.equals(uri.getHost())
+            || !uri.getPath().startsWith(CFE_CLUSTER_RESOURCE_NAME_PREFIX);
+      } catch (URISyntaxException e) {
+        return true; // Shouldn't happen, but assume ALTS.
+      }
+    }
+
    @Override
    public void close() {
      logger.finest("ALTS Server ProtocolNegotiator Closed");
--- a/alts/src/test/java/io/grpc/alts/internal/GoogleDefaultProtocolNegotiatorTest.java
+++ b/alts/src/test/java/io/grpc/alts/internal/GoogleDefaultProtocolNegotiatorTest.java
@ -185,5 +185,47 @@ public final class GoogleDefaultProtocolNegotiatorTest {
          XDS_CLUSTER_NAME_ATTR_KEY, "google_cfe_api.googleapis.com").build();
      subtest_tlsHandler(attrs);
    }
+
+    @Test
+    public void altsHandler_googleCfe_federation() {
+      Attributes attrs = Attributes.newBuilder().set(
+          XDS_CLUSTER_NAME_ATTR_KEY, "xdstp1://").build();
+      subtest_altsHandler(attrs);
+    }
+
+    @Test
+    public void tlsHanlder_googleCfe() {
+      Attributes attrs = Attributes.newBuilder().set(
+          XDS_CLUSTER_NAME_ATTR_KEY,
+          "xdstp://traffic-director-c2p.xds.googleapis.com/"
+              + "envoy.config.cluster.v3.Cluster/google_cfe_example/apis")
+          .build();
+      subtest_tlsHandler(attrs);
+    }
+
+    @Test
+    public void altsHanlder_nonGoogleCfe_authorityNotMatch() {
+      Attributes attrs = Attributes.newBuilder().set(
+              XDS_CLUSTER_NAME_ATTR_KEY,
+              "//example.com/envoy.config.cluster.v3.Cluster/google_cfe_")
+          .build();
+      subtest_altsHandler(attrs);
+    }
+
+    @Test
+    public void altsHanlder_nonGoogleCfe_pathNotMatch() {
+      Attributes attrs = Attributes.newBuilder().set(
+          XDS_CLUSTER_NAME_ATTR_KEY,
+          "//traffic-director-c2p.xds.googleapis.com/envoy.config.cluster.v3.Cluster/google_gfe")
+          .build();
+      subtest_altsHandler(attrs);
+    }
+
+    @Test
+    public void altsHandler_googleCfe_invalidUri() {
+      Attributes attrs = Attributes.newBuilder().set(
+          XDS_CLUSTER_NAME_ATTR_KEY, "//").build();
+      subtest_altsHandler(attrs);
+    }
  }
 }