s2a: Address comments on PR#11113 (#11534)

* Mark S2A public APIs as experimental.

* Rename S2AChannelCredentials createBuilder API to newBuilder.

* Remove usage of AdvancedTls.

* Use InsecureChannelCredentials.create instead of Optional.

* Invoke Thread.currentThread().interrupt() in a InterruptedException block.

s2a/src/main/java/io/grpc/s2a/MtlsToS2AChannelCredentials.java

@@ -21,17 +21,16 @@
 import static com.google.common.base.Strings.isNullOrEmpty;
 
 import io.grpc.ChannelCredentials;
+import io.grpc.ExperimentalApi;
 import io.grpc.TlsChannelCredentials;
-import io.grpc.util.AdvancedTlsX509KeyManager;
-import io.grpc.util.AdvancedTlsX509TrustManager;
 import java.io.File;
 import java.io.IOException;
-import java.security.GeneralSecurityException;
 
 /**
  * Configures an {@code S2AChannelCredentials.Builder} instance with credentials used to establish a
  * connection with the S2A to support talking to the S2A over mTLS.
  */
+@ExperimentalApi("https://github.com/grpc/grpc-java/issues/11533")
 public final class MtlsToS2AChannelCredentials {
  /**
  * Creates a {@code S2AChannelCredentials.Builder} builder, that talks to the S2A over mTLS.
@@ -42,7 +41,7 @@ public final class MtlsToS2AChannelCredentials {
  * @param trustBundlePath the path to the trust bundle PEM.
  * @return a {@code MtlsToS2AChannelCredentials.Builder} instance.
  */
- public static Builder createBuilder(
+ public static Builder newBuilder(
  String s2aAddress, String privateKeyPath, String certChainPath, String trustBundlePath) {
  checkArgument(!isNullOrEmpty(s2aAddress), "S2A address must not be null or empty.");
  checkArgument(!isNullOrEmpty(privateKeyPath), "privateKeyPath must not be null or empty.");
@@ -66,7 +65,7 @@ public static final class Builder {
  this.trustBundlePath = trustBundlePath;
  }
 
- public S2AChannelCredentials.Builder build() throws GeneralSecurityException, IOException {
+ public S2AChannelCredentials.Builder build() throws IOException {
  checkState(!isNullOrEmpty(s2aAddress), "S2A address must not be null or empty.");
  checkState(!isNullOrEmpty(privateKeyPath), "privateKeyPath must not be null or empty.");
  checkState(!isNullOrEmpty(certChainPath), "certChainPath must not be null or empty.");
@@ -75,19 +74,13 @@ public S2AChannelCredentials.Builder build() throws GeneralSecurityException, IO
  File certChainFile = new File(certChainPath);
  File trustBundleFile = new File(trustBundlePath);
 
- AdvancedTlsX509KeyManager keyManager = new AdvancedTlsX509KeyManager();
- keyManager.updateIdentityCredentials(certChainFile, privateKeyFile);
-
- AdvancedTlsX509TrustManager trustManager = AdvancedTlsX509TrustManager.newBuilder().build();
- trustManager.updateTrustCredentials(trustBundleFile);
-
  ChannelCredentials channelToS2ACredentials =
  TlsChannelCredentials.newBuilder()
- .keyManager(keyManager)
- .trustManager(trustManager)
+ .keyManager(certChainFile, privateKeyFile)
+ .trustManager(trustBundleFile)
  .build();
 
- return S2AChannelCredentials.createBuilder(s2aAddress)
+ return S2AChannelCredentials.newBuilder(s2aAddress)
  .setS2AChannelCredentials(channelToS2ACredentials);
  }
  }

s2a/src/main/java/io/grpc/s2a/S2AChannelCredentials.java

@@ -24,29 +24,31 @@
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import io.grpc.Channel;
 import io.grpc.ChannelCredentials;
+import io.grpc.ExperimentalApi;
+import io.grpc.InsecureChannelCredentials;
 import io.grpc.internal.ObjectPool;
 import io.grpc.internal.SharedResourcePool;
 import io.grpc.netty.InternalNettyChannelCredentials;
 import io.grpc.netty.InternalProtocolNegotiator;
 import io.grpc.s2a.channel.S2AHandshakerServiceChannel;
 import io.grpc.s2a.handshaker.S2AIdentity;
 import io.grpc.s2a.handshaker.S2AProtocolNegotiatorFactory;
-import java.util.Optional;
 import javax.annotation.concurrent.NotThreadSafe;
 import org.checkerframework.checker.nullness.qual.Nullable;
 
 /**
  * Configures gRPC to use S2A for transport security when establishing a secure channel. Only for
  * use on the client side of a gRPC connection.
  */
+@ExperimentalApi("https://github.com/grpc/grpc-java/issues/11533")
 public final class S2AChannelCredentials {
  /**
  * Creates a channel credentials builder for establishing an S2A-secured connection.
  *
  * @param s2aAddress the address of the S2A server used to secure the connection.
  * @return a {@code S2AChannelCredentials.Builder} instance.
  */
- public static Builder createBuilder(String s2aAddress) {
+ public static Builder newBuilder(String s2aAddress) {
  checkArgument(!isNullOrEmpty(s2aAddress), "S2A address must not be null or empty.");
  return new Builder(s2aAddress);
  }
@@ -56,13 +58,13 @@ public static Builder createBuilder(String s2aAddress) {
  public static final class Builder {
  private final String s2aAddress;
  private ObjectPool<Channel> s2aChannelPool;
- private Optional<ChannelCredentials> s2aChannelCredentials;
+ private ChannelCredentials s2aChannelCredentials;
  private @Nullable S2AIdentity localIdentity = null;
 
  Builder(String s2aAddress) {
  this.s2aAddress = s2aAddress;
  this.s2aChannelPool = null;
- this.s2aChannelCredentials = Optional.empty();
+ this.s2aChannelCredentials = InsecureChannelCredentials.create();
  }
 
  /**
@@ -107,7 +109,7 @@ public Builder setLocalUid(String localUid) {
  /** Sets the credentials to be used when connecting to the S2A. */
  @CanIgnoreReturnValue
  public Builder setS2AChannelCredentials(ChannelCredentials s2aChannelCredentials) {
- this.s2aChannelCredentials = Optional.of(s2aChannelCredentials);
+ this.s2aChannelCredentials = s2aChannelCredentials;
  return this;
  }
 

s2a/src/main/java/io/grpc/s2a/channel/S2AHandshakerServiceChannel.java

@@ -30,7 +30,6 @@
 import io.grpc.internal.SharedResourceHolder.Resource;
 import io.grpc.netty.NettyChannelBuilder;
 import java.time.Duration;
-import java.util.Optional;
 import java.util.concurrent.ConcurrentMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -71,8 +70,9 @@ public final class S2AHandshakerServiceChannel {
  * running at {@code s2aAddress}.
  */
  public static Resource<Channel> getChannelResource(
- String s2aAddress, Optional<ChannelCredentials> s2aChannelCredentials) {
+ String s2aAddress, ChannelCredentials s2aChannelCredentials) {
  checkNotNull(s2aAddress);
+ checkNotNull(s2aChannelCredentials);
  return SHARED_RESOURCE_CHANNELS.computeIfAbsent(
  s2aAddress, channelResource -> new ChannelResource(s2aAddress, s2aChannelCredentials));
  }
@@ -84,9 +84,9 @@ public static Resource<Channel> getChannelResource(
  */
  private static class ChannelResource implements Resource<Channel> {
  private final String targetAddress;
- private final Optional<ChannelCredentials> channelCredentials;
+ private final ChannelCredentials channelCredentials;
 
- public ChannelResource(String targetAddress, Optional<ChannelCredentials> channelCredentials) {
+ public ChannelResource(String targetAddress, ChannelCredentials channelCredentials) {
  this.targetAddress = targetAddress;
  this.channelCredentials = channelCredentials;
  }
@@ -97,21 +97,10 @@ public ChannelResource(String targetAddress, Optional<ChannelCredentials> channe
  */
  @Override
  public Channel create() {
- ManagedChannel channel = null;
- if (channelCredentials.isPresent()) {
- // Create a secure channel.
- channel =
- NettyChannelBuilder.forTarget(targetAddress, channelCredentials.get())
- .directExecutor()
- .build();
- } else {
- // Create a plaintext channel.
- channel =
- NettyChannelBuilder.forTarget(targetAddress)
- .directExecutor()
- .usePlaintext()
- .build();
- }
+ ManagedChannel channel =
+ NettyChannelBuilder.forTarget(targetAddress, channelCredentials)
+ .directExecutor()
+ .build();
  return HandshakerServiceChannel.create(channel);
  }
 

s2a/src/main/java/io/grpc/s2a/handshaker/S2ATrustManager.java

@@ -121,6 +121,9 @@ private void checkPeerTrusted(X509Certificate[] chain, boolean isCheckingClientC
  try {
  resp = stub.send(reqBuilder.build());
  } catch (IOException | InterruptedException e) {
+ if (e instanceof InterruptedException) {
+ Thread.currentThread().interrupt();
+ }
  throw new CertificateException("Failed to send request to S2A.", e);
  }
  if (resp.hasStatus() && resp.getStatus().getCode() != 0) {

s2a/src/test/java/io/grpc/s2a/MtlsToS2AChannelCredentialsTest.java

@@ -26,95 +26,95 @@
 @RunWith(JUnit4.class)
 public final class MtlsToS2AChannelCredentialsTest {
  @Test
- public void createBuilder_nullAddress_throwsException() throws Exception {
+ public void newBuilder_nullAddress_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ null,
  /* privateKeyPath= */ "src/test/resources/client_key.pem",
  /* certChainPath= */ "src/test/resources/client_cert.pem",
  /* trustBundlePath= */ "src/test/resources/root_cert.pem"));
  }
 
  @Test
- public void createBuilder_nullPrivateKeyPath_throwsException() throws Exception {
+ public void newBuilder_nullPrivateKeyPath_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "s2a_address",
  /* privateKeyPath= */ null,
  /* certChainPath= */ "src/test/resources/client_cert.pem",
  /* trustBundlePath= */ "src/test/resources/root_cert.pem"));
  }
 
  @Test
- public void createBuilder_nullCertChainPath_throwsException() throws Exception {
+ public void newBuilder_nullCertChainPath_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "s2a_address",
  /* privateKeyPath= */ "src/test/resources/client_key.pem",
  /* certChainPath= */ null,
  /* trustBundlePath= */ "src/test/resources/root_cert.pem"));
  }
 
  @Test
- public void createBuilder_nullTrustBundlePath_throwsException() throws Exception {
+ public void newBuilder_nullTrustBundlePath_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "s2a_address",
  /* privateKeyPath= */ "src/test/resources/client_key.pem",
  /* certChainPath= */ "src/test/resources/client_cert.pem",
  /* trustBundlePath= */ null));
  }
 
  @Test
- public void createBuilder_emptyAddress_throwsException() throws Exception {
+ public void newBuilder_emptyAddress_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "",
  /* privateKeyPath= */ "src/test/resources/client_key.pem",
  /* certChainPath= */ "src/test/resources/client_cert.pem",
  /* trustBundlePath= */ "src/test/resources/root_cert.pem"));
  }
 
  @Test
- public void createBuilder_emptyPrivateKeyPath_throwsException() throws Exception {
+ public void newBuilder_emptyPrivateKeyPath_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "s2a_address",
  /* privateKeyPath= */ "",
  /* certChainPath= */ "src/test/resources/client_cert.pem",
  /* trustBundlePath= */ "src/test/resources/root_cert.pem"));
  }
 
  @Test
- public void createBuilder_emptyCertChainPath_throwsException() throws Exception {
+ public void newBuilder_emptyCertChainPath_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "s2a_address",
  /* privateKeyPath= */ "src/test/resources/client_key.pem",
  /* certChainPath= */ "",
  /* trustBundlePath= */ "src/test/resources/root_cert.pem"));
  }
 
  @Test
- public void createBuilder_emptyTrustBundlePath_throwsException() throws Exception {
+ public void newBuilder_emptyTrustBundlePath_throwsException() throws Exception {
  assertThrows(
  IllegalArgumentException.class,
  () ->
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "s2a_address",
  /* privateKeyPath= */ "src/test/resources/client_key.pem",
  /* certChainPath= */ "src/test/resources/client_cert.pem",
@@ -124,7 +124,7 @@ public void createBuilder_emptyTrustBundlePath_throwsException() throws Exceptio
  @Test
  public void build_s2AChannelCredentials_success() throws Exception {
  assertThat(
- MtlsToS2AChannelCredentials.createBuilder(
+ MtlsToS2AChannelCredentials.newBuilder(
  /* s2aAddress= */ "s2a_address",
  /* privateKeyPath= */ "src/test/resources/client_key.pem",
  /* certChainPath= */ "src/test/resources/client_cert.pem",

s2a/src/test/java/io/grpc/s2a/S2AChannelCredentialsTest.java

@@ -30,40 +30,40 @@
 @RunWith(JUnit4.class)
 public final class S2AChannelCredentialsTest {
  @Test
- public void createBuilder_nullArgument_throwsException() throws Exception {
- assertThrows(IllegalArgumentException.class, () -> S2AChannelCredentials.createBuilder(null));
+ public void newBuilder_nullArgument_throwsException() throws Exception {
+ assertThrows(IllegalArgumentException.class, () -> S2AChannelCredentials.newBuilder(null));
  }
 
  @Test
- public void createBuilder_emptyAddress_throwsException() throws Exception {
- assertThrows(IllegalArgumentException.class, () -> S2AChannelCredentials.createBuilder(""));
+ public void newBuilder_emptyAddress_throwsException() throws Exception {
+ assertThrows(IllegalArgumentException.class, () -> S2AChannelCredentials.newBuilder(""));
  }
 
  @Test
  public void setLocalSpiffeId_nullArgument_throwsException() throws Exception {
  assertThrows(
  NullPointerException.class,
- () -> S2AChannelCredentials.createBuilder("s2a_address").setLocalSpiffeId(null));
+ () -> S2AChannelCredentials.newBuilder("s2a_address").setLocalSpiffeId(null));
  }
 
  @Test
  public void setLocalHostname_nullArgument_throwsException() throws Exception {
  assertThrows(
  NullPointerException.class,
- () -> S2AChannelCredentials.createBuilder("s2a_address").setLocalHostname(null));
+ () -> S2AChannelCredentials.newBuilder("s2a_address").setLocalHostname(null));
  }
 
  @Test
  public void setLocalUid_nullArgument_throwsException() throws Exception {
  assertThrows(
  NullPointerException.class,
- () -> S2AChannelCredentials.createBuilder("s2a_address").setLocalUid(null));
+ () -> S2AChannelCredentials.newBuilder("s2a_address").setLocalUid(null));
  }
 
  @Test
  public void build_withLocalSpiffeId_succeeds() throws Exception {
  assertThat(
- S2AChannelCredentials.createBuilder("s2a_address")
+ S2AChannelCredentials.newBuilder("s2a_address")
  .setLocalSpiffeId("spiffe://test")
  .build())
  .isNotNull();
@@ -72,28 +72,28 @@ public void build_withLocalSpiffeId_succeeds() throws Exception {
  @Test
  public void build_withLocalHostname_succeeds() throws Exception {
  assertThat(
- S2AChannelCredentials.createBuilder("s2a_address")
+ S2AChannelCredentials.newBuilder("s2a_address")
  .setLocalHostname("local_hostname")
  .build())
  .isNotNull();
  }
 
  @Test
  public void build_withLocalUid_succeeds() throws Exception {
- assertThat(S2AChannelCredentials.createBuilder("s2a_address").setLocalUid("local_uid").build())
+ assertThat(S2AChannelCredentials.newBuilder("s2a_address").setLocalUid("local_uid").build())
  .isNotNull();
  }
 
  @Test
  public void build_withNoLocalIdentity_succeeds() throws Exception {
- assertThat(S2AChannelCredentials.createBuilder("s2a_address").build())
+ assertThat(S2AChannelCredentials.newBuilder("s2a_address").build())
  .isNotNull();
  }
 
  @Test
  public void build_withTlsChannelCredentials_succeeds() throws Exception {
  assertThat(
- S2AChannelCredentials.createBuilder("s2a_address")
+ S2AChannelCredentials.newBuilder("s2a_address")
  .setLocalSpiffeId("spiffe://test")
  .setS2AChannelCredentials(getTlsChannelCredentials())
  .build())