Propagate CallCredentials.ATTR_SECURITY_LEVEL from transports

Previously no transport provided the key so CallCredentials would always
see the security as NONE.

core/src/main/java/io/grpc/inprocess/InProcessTransport.java

@@ -24,6 +24,7 @@ import com.google.common.base.MoreObjects;
 import com.google.common.util.concurrent.ListenableFuture;
 import com.google.common.util.concurrent.SettableFuture;
 import io.grpc.Attributes;
+import io.grpc.CallCredentials;
 import io.grpc.CallOptions;
 import io.grpc.Compressor;
 import io.grpc.Deadline;
@@ -32,6 +33,7 @@ import io.grpc.DecompressorRegistry;
 import io.grpc.Grpc;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
+import io.grpc.SecurityLevel;
 import io.grpc.ServerStreamTracer;
 import io.grpc.Status;
 import io.grpc.internal.Channelz.SocketStats;
@@ -88,6 +90,9 @@ final class InProcessTransport implements ServerTransport, ConnectionClientTrans
   private Set<InProcessStream> streams = new HashSet<InProcessStream>();
   @GuardedBy("this")
   private List<ServerStreamTracer.Factory> serverStreamTracerFactories;
+  private final Attributes attributes = Attributes.newBuilder()
+      .set(CallCredentials.ATTR_SECURITY_LEVEL, SecurityLevel.PRIVACY_AND_INTEGRITY)
+      .build();
 
   public InProcessTransport(String name, String authority, String userAgent) {
     this.name = name;
@@ -224,7 +229,7 @@ final class InProcessTransport implements ServerTransport, ConnectionClientTrans
 
   @Override
   public Attributes getAttributes() {
-    return Attributes.EMPTY;
+    return attributes;
   }
 
   @Override

netty/src/main/java/io/grpc/netty/NettyClientTransport.java

@@ -313,8 +313,7 @@ class NettyClientTransport implements ConnectionClientTransport {
 
   @Override
   public Attributes getAttributes() {
-    // TODO(zhangkun83): fill channel security attributes
+    return handler.getAttributes();
-    return Attributes.EMPTY;
   }
 
   @Override

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java

@@ -22,8 +22,10 @@ import static io.grpc.netty.GrpcSslContexts.NEXT_PROTOCOL_VERSIONS;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import io.grpc.Attributes;
+import io.grpc.CallCredentials;
 import io.grpc.Grpc;
 import io.grpc.Internal;
+import io.grpc.SecurityLevel;
 import io.grpc.Status;
 import io.grpc.internal.Channelz;
 import io.grpc.internal.GrpcUtil;
@@ -645,6 +647,7 @@ public final class ProtocolNegotiators {
                 Attributes.newBuilder()
                     .set(Grpc.TRANSPORT_ATTR_SSL_SESSION, session)
                     .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, ctx.channel().remoteAddress())
+                    .set(CallCredentials.ATTR_SECURITY_LEVEL, SecurityLevel.PRIVACY_AND_INTEGRITY)
                     .build(),
                 new Channelz.Security(new Channelz.Tls(session)));
             writeBufferedAndRemove(ctx);
@@ -692,6 +695,7 @@ public final class ProtocolNegotiators {
           Attributes
               .newBuilder()
               .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, ctx.channel().remoteAddress())
+              .set(CallCredentials.ATTR_SECURITY_LEVEL, SecurityLevel.NONE)
               .build(),
           /*securityInfo=*/ null);
       super.channelActive(ctx);
@@ -734,6 +738,7 @@ public final class ProtocolNegotiators {
             Attributes
                 .newBuilder()
                 .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, ctx.channel().remoteAddress())
+                .set(CallCredentials.ATTR_SECURITY_LEVEL, SecurityLevel.NONE)
                 .build(),
             /*securityInfo=*/ null);
       } else if (evt == HttpClientUpgradeHandler.UpgradeEvent.UPGRADE_REJECTED) {

netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java

@@ -503,17 +503,10 @@ public class NettyClientTransportTest {
     address = TestUtils.testServerAddress(12345);
     authority = GrpcUtil.authorityFromHostAndPort(address.getHostString(), address.getPort());
 
-    NettyClientTransport transport = newTransport(
+    NettyClientTransport transport = newTransport(new NoopProtocolNegotiator());
-        new ProtocolNegotiator() {
+    callMeMaybe(transport.start(clientTransportListener));
-          @Override
-          public Handler newHandler(GrpcHttp2ConnectionHandler handler) {
-            return null;
-          }
-        });
 
     assertEquals(Attributes.EMPTY, transport.getAttributes());
-
-    transports.clear();
   }
 
   @Test

okhttp/src/main/java/io/grpc/okhttp/OkHttpClientTransport.java

@@ -31,11 +31,13 @@ import com.squareup.okhttp.HttpUrl;
 import com.squareup.okhttp.Request;
 import com.squareup.okhttp.internal.http.StatusLine;
 import io.grpc.Attributes;
+import io.grpc.CallCredentials;
 import io.grpc.CallOptions;
 import io.grpc.Grpc;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
 import io.grpc.MethodDescriptor.MethodType;
+import io.grpc.SecurityLevel;
 import io.grpc.Status;
 import io.grpc.Status.Code;
 import io.grpc.StatusException;
@@ -478,12 +480,13 @@ class OkHttpClientTransport implements ConnectionClientTransport {
           sock.setTcpNoDelay(true);
           source = Okio.buffer(Okio.source(sock));
           sink = Okio.buffer(Okio.sink(sock));
-          // TODO(zhangkun83): fill channel security attributes
           // The return value of OkHttpTlsUpgrader.upgrade is an SSLSocket that has this info
           attributes = Attributes
               .newBuilder()
               .set(Grpc.TRANSPORT_ATTR_REMOTE_ADDR, sock.getRemoteSocketAddress())
               .set(Grpc.TRANSPORT_ATTR_SSL_SESSION, sslSession)
+              .set(CallCredentials.ATTR_SECURITY_LEVEL,
+                  sslSession == null ? SecurityLevel.NONE : SecurityLevel.PRIVACY_AND_INTEGRITY)
               .build();
         } catch (StatusException e) {
           startGoAway(0, ErrorCode.INTERNAL_ERROR, e.getStatus());

testing/src/main/java/io/grpc/internal/testing/AbstractTransportTest.java

@@ -44,6 +44,7 @@ import com.google.common.collect.Lists;
 import com.google.common.util.concurrent.MoreExecutors;
 import com.google.common.util.concurrent.SettableFuture;
 import io.grpc.Attributes;
+import io.grpc.CallCredentials;
 import io.grpc.CallOptions;
 import io.grpc.ClientStreamTracer;
 import io.grpc.Grpc;
@@ -56,6 +57,7 @@ import io.grpc.internal.Channelz.TransportStats;
 import io.grpc.internal.ClientStream;
 import io.grpc.internal.ClientStreamListener;
 import io.grpc.internal.ClientTransport;
+import io.grpc.internal.ConnectionClientTransport;
 import io.grpc.internal.Instrumented;
 import io.grpc.internal.InternalServer;
 import io.grpc.internal.IoUtils;
@@ -334,6 +336,19 @@ public abstract class AbstractTransportTest {
     verify(mockClientTransportListener, never()).transportInUse(anyBoolean());
   }
 
+  @Test
+  public void checkClientAttributes() throws Exception {
+    server.start(serverListener);
+    client = newClientTransport(server);
+    assumeTrue(client instanceof ConnectionClientTransport);
+    ConnectionClientTransport connectionClient = (ConnectionClientTransport) client;
+    startTransport(connectionClient, mockClientTransportListener);
+    verify(mockClientTransportListener, timeout(TIMEOUT_MS)).transportReady();
+
+    assertNotNull("security level should be set in client attributes",
+        connectionClient.getAttributes().get(CallCredentials.ATTR_SECURITY_LEVEL));
+  }
+
   @Test
   public void serverAlreadyListening() throws Exception {
     client = null;