grpc · nichite · Oct 13, 2020 · Oct 13, 2020 · Oct 13, 2020 · mraleph
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 2.6.1
+
+* Create `Securesocket` directly when `ChannelCredentials.authority` is not
+  present instead of always creating an insecure socket first and upgrading.
+* Throw on insecure connections when disallowed by clients dealing with
+  socket code, if set via `isInsecureConnectionAllowed`.
+
 ## 2.6.0
 
 * Create gRPC servers and clients with [Server|Client]TransportConnnection.

diff --git a/lib/src/client/call.dart b/lib/src/client/call.dart
@@ -224,7 +224,8 @@ class ClientCall<Q, R> implements Response {
   void _sendRequest(ClientConnection connection, Map<String, String> metadata) {
     try {
       _stream = connection.makeRequest(
-          _method.path, options.timeout, metadata, _onRequestError);
+          _method.path, options.timeout, metadata, _onRequestError,
+          callOptions: options);
     } catch (e) {
       _terminateWithError(GrpcError.unavailable('Error making call: $e'));
       return;

diff --git a/lib/src/client/http2_connection.dart b/lib/src/client/http2_connection.dart
@@ -308,21 +308,36 @@ class _SocketTransportConnector implements ClientTransportConnector {
   @override
   Future<ClientTransportConnection> connect() async {
     final securityContext = _options.credentials.securityContext;
-    _socket = await Socket.connect(_host, _port);
-    // Don't wait for io buffers to fill up before sending requests.
-    _socket.setOption(SocketOption.tcpNoDelay, true);
-    if (securityContext != null) {
-      // Todo(sigurdm): We want to pass supportedProtocols: ['h2'].
-      // http://dartbug.com/37950
-      _socket = await SecureSocket.secure(_socket,
+    if (securityContext == null) {
+      if (!isInsecureConnectionAllowed(_host)) {
+        throw StateError("Insecure gRPC is not allowed by platform: $_host");
+      }
+      _socket = await Socket.connect(_host, _port);
+    } else {
+      if (_options.credentials.authority == null) {
+        // Todo(sigurdm): We want to pass supportedProtocols: ['h2'].
+        // http://dartbug.com/37950
+        _socket = await SecureSocket.connect(
+          _host,
+          _port,
+          context: securityContext,
+          onBadCertificate: _validateBadCertificate,
+        );
+      } else {
+        _socket = await SecureSocket.secure(
+          await Socket.connect(_host, _port),
           // This is not really the host, but the authority to verify the TLC
           // connection against.
           //
           // We don't use `this.authority` here, as that includes the port.
-          host: _options.credentials.authority ?? _host,
+          host: _options.credentials.authority,
           context: securityContext,
-          onBadCertificate: _validateBadCertificate);
+          onBadCertificate: _validateBadCertificate,
+        );
+      }
     }
+    // Don't wait for io buffers to fill up before sending requests.
+    _socket.setOption(SocketOption.tcpNoDelay, true);
 
     return ClientTransportConnection.viaSocket(_socket);
   }

diff --git a/lib/src/client/transport/xhr_transport.dart b/lib/src/client/transport/xhr_transport.dart
@@ -169,9 +169,6 @@ class XhrClientConnection extends ClientConnection {
     for (final header in metadata.keys) {
       request.setRequestHeader(header, metadata[header]);
     }
-    request.setRequestHeader('Content-Type', 'application/grpc-web+proto');
-    request.setRequestHeader('X-User-Agent', 'grpc-web-dart/0.1');
-    request.setRequestHeader('X-Grpc-Web', '1');
     // Overriding the mimetype allows us to stream and parse the data
     request.overrideMimeType('text/plain; charset=x-user-defined');
     request.responseType = 'text';

diff --git a/lib/src/server/server.dart b/lib/src/server/server.dart
@@ -174,6 +174,11 @@ class Server extends ConnectionServer {
       socket.setOption(SocketOption.tcpNoDelay, true);
       final connection = ServerTransportConnection.viaSocket(socket,
           settings: http2ServerSettings);
+      if (security != null && !security.validateClient(socket)) {
+        _printSocketError('unable to serve $address:$port - '
+            'unable to validate client socket');
+        return socket.close();
+      }
       serveConnection(connection);
     }, onError: _printSocketError);
   }

diff --git a/pubspec.yaml b/pubspec.yaml
@@ -1,7 +1,7 @@
 name: grpc
 description: Dart implementation of gRPC, a high performance, open-source universal RPC framework.
 
-version: 2.6.0
+version: 2.6.1
 
 author: Dart Team <misc@dartlang.org>
 homepage: https://github.com/dart-lang/grpc-dart