
util: Stabilize AdvancedTlsX509TrustManager #11216

Merged
merged 28 commits into from
Jul 11, 2024
Merged

Conversation

erm-g
Contributor

@erm-g erm-g commented May 16, 2024

This PR is a part of 'Stabilize Advanced TLS' effort.
Clean up, improve javadoc, de-experimentalize AdvancedTlsX509TrustManager, and add a unit test (an e2e test already exists).

Contributor

@matthewstevenson88 matthewstevenson88 left a comment

Thanks for the PR @erm-g! Generally LG, just a few minor comments.

@IgnoreJRERequirement
public final class AdvancedTlsX509TrustManager extends X509ExtendedTrustManager {
private static final Logger log = Logger.getLogger(AdvancedTlsX509TrustManager.class.getName());

// Minimum allowed period for refreshing files with credential information.
private static final int MINIMUM_REFRESH_PERIOD = 1;
Contributor

nit: Prefer using Duration here.

Contributor Author

Same problem with the KeyManager: they use 'period' as a param name (plus it's long + TimeUnit):

public Closeable updateTrustCredentialsFromFile(File trustCertFile, long period, TimeUnit unit,

Let's defer to Eric if I need to refactor all of it.

Member

We don't yet depend on java.time, as that requires API desugaring on Android.

@erm-g erm-g requested review from ejona86 May 16, 2024 19:20
Contributor

@matthewstevenson88 matthewstevenson88 left a comment

LGTM modulo readability concerns, for which I'll defer to @ejona86.

@ejona86
Member

ejona86 commented May 30, 2024

API review meeting notes:

CERTIFICATE_ONLY_VERIFICATION and INSECURELY_SKIP_ALL_VERIFICATION

Should document that these are dangerous to use, unless also specifying your own cert validation. Yes, one has INSECURELY in its name, but there should be some javadoc.

INSECURELY_SKIP_ALL_VERIFICATION

Mention that any loaded trust certs will be ignored. Yes, that's what it says, but just "those other methods that you use all the time stop doing anything" is helpful to point out.

  • Add docs to say that after build, no trust certs are loaded. You need to call one of the update/usesystem methods.
  • Builder needs more docs. For example, to explain that setSslSocketAndEnginePeerVerifier is called in addition to verifying certs as specified by Verification.
  • Should make clear that it is normal for nothing in the builder to need to be called? That should be the common case. Maybe just improve the AdvancedTlsX509TrustManager javadoc with a code snippet?

The minimum refresh period of 1 minute is enforced.

"enforced" could mean several different things, including "causes an error." Probably want to tweak that to be more clear.
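The review notes above describe the intended usage contract: a builder with nothing set is the common case, nothing is trusted until one of the update/use-system methods is called, and a custom peer verifier runs in addition to (not instead of) the checks selected by Verification. The snippet below is an added illustration written for this page, not code from the grpc-java project or from the PR. The names on this page (setSslSocketAndEnginePeerVerifier, updateTrustCredentialsFromFile with a long period and TimeUnit, the Verification constants) are taken from the discussion; the trailing ScheduledExecutorService parameter, useSystemDefaultTrustCerts(), the two-method shape of SslSocketAndEnginePeerVerifier, and the thrown exception types are from my recollection of the grpc-java API and should be checked against the released javadoc.

```java
import io.grpc.ChannelCredentials;
import io.grpc.TlsChannelCredentials;
import io.grpc.util.AdvancedTlsX509TrustManager;
import io.grpc.util.AdvancedTlsX509TrustManager.SslSocketAndEnginePeerVerifier;
import io.grpc.util.AdvancedTlsX509TrustManager.Verification;

import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLEngine;

/** Illustrative usage of AdvancedTlsX509TrustManager; not project code. */
public final class AdvancedTrustManagerUsage {

  /** Holds the trust manager together with the file-refresh handle so the caller can stop it. */
  static final class RefreshingTrust {
    final AdvancedTlsX509TrustManager trustManager;
    final Closeable refreshTask;

    RefreshingTrust(AdvancedTlsX509TrustManager tm, Closeable task) {
      this.trustManager = tm;
      this.refreshTask = task;
    }
  }

  /**
   * The common case: no builder option is set, so the default
   * CERTIFICATE_AND_HOST_NAME_VERIFICATION applies. Right after build() the
   * manager trusts nothing; trust anchors must be loaded explicitly.
   */
  static RefreshingTrust defaultTrust(File caBundlePem, ScheduledExecutorService executor)
      throws IOException, GeneralSecurityException {
    AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder().build();
    // Load the bundle now and re-read it every 10 minutes (the minimum period is 1 minute;
    // smaller values are raised to the minimum rather than rejected, per the PR discussion).
    Closeable refresh = tm.updateTrustCredentialsFromFile(caBundlePem, 10, TimeUnit.MINUTES, executor);
    return new RefreshingTrust(tm, refresh);
  }

  /** Alternative: trust whatever the JVM's default trust store trusts. */
  static AdvancedTlsX509TrustManager systemTrust() throws GeneralSecurityException {
    AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder().build();
    tm.useSystemDefaultTrustCerts();  // assumed method name; see lead-in
    return tm;
  }

  /**
   * CERTIFICATE_ONLY_VERIFICATION skips hostname checking, so it is only safe when paired
   * with a custom verifier that pins the peer identity. The verifier is invoked after the
   * chain has been validated against the loaded trust anchors, not instead of that check.
   */
  static AdvancedTlsX509TrustManager pinnedSpiffeTrust(final String expectedSan)
      throws GeneralSecurityException {
    SslSocketAndEnginePeerVerifier pin = new SslSocketAndEnginePeerVerifier() {
      private void check(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
          throw new CertificateException("empty peer chain");
        }
        // Compare the leaf's subject alternative names against the expected value
        // (constructed example; a real deployment would parse the SAN entries properly).
        if (chain[0].getSubjectAlternativeNames() == null
            || !chain[0].getSubjectAlternativeNames().toString().contains(expectedSan)) {
          throw new CertificateException("peer SAN does not match " + expectedSan);
        }
      }

      @Override
      public void verifyPeerCertificate(X509Certificate[] chain, String authType, Socket socket)
          throws CertificateException {
        check(chain);
      }

      @Override
      public void verifyPeerCertificate(X509Certificate[] chain, String authType, SSLEngine engine)
          throws CertificateException {
        check(chain);
      }
    };
    AdvancedTlsX509TrustManager tm = AdvancedTlsX509TrustManager.newBuilder()
        .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION)
        .setSslSocketAndEnginePeerVerifier(pin)
        .build();
    tm.useSystemDefaultTrustCerts();  // still required: the verifier does not replace trust anchors
    return tm;
  }

  /** Wire a trust manager into channel credentials. */
  static ChannelCredentials credentialsFor(AdvancedTlsX509TrustManager tm) {
    return TlsChannelCredentials.newBuilder().trustManager(tm).build();
  }

  public static void main(String[] args) throws Exception {
    ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
    RefreshingTrust trust = defaultTrust(new File(args.length > 0 ? args[0] : "ca.pem"), executor);
    ChannelCredentials creds = credentialsFor(trust.trustManager);
    System.out.println("built " + creds.getClass().getSimpleName());
    trust.refreshTask.close();  // stop the file polling when the channel is no longer needed
    executor.shutdownNow();
  }
}
```

The point of the three factory methods is the ordering the reviewers asked to document: build() alone yields a manager that rejects every peer, so an update or use-system call always follows, and a verifier installed through the builder adds a check on top of whatever Verification mode selects.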

@erm-g
Contributor Author

erm-g commented Jun 1, 2024

> API review meeting notes:
>
> CERTIFICATE_ONLY_VERIFICATION and INSECURELY_SKIP_ALL_VERIFICATION
>
> Should document that these are dangerous to use, unless also specifying your own cert validation. Yes, one has INSECURELY in its name, but there should be some javadoc.
>
> INSECURELY_SKIP_ALL_VERIFICATION
>
> Mention that any loaded trust certs will be ignored. Yes, that's what it says, but just "those other methods that you use all the time stop doing anything" is helpful to point out.
>
>   • Add docs to say that after build, no trust certs are loaded. You need to call one of the update/usesystem methods.
>   • Builder needs more docs. For example, to explain that setSslSocketAndEnginePeerVerifier is called in addition to verifying certs as specified by Verification.
>   • Should make clear that it is normal for nothing in the builder to need to be called? That should be the common case. Maybe just improve the AdvancedTlsX509TrustManager javadoc with a code snippet?
>
> The minimum refresh period of 1 minute is enforced.
>
> "enforced" could mean several different things, including "causes an error." Probably want to tweak that to be more clear.

Done - I also reworded a few comments before 'bumping up' to javadoc level. PTAL

@erm-g
Contributor Author

erm-g commented Jun 13, 2024

@ejona86 I applied the changes we discussed. PTAL

@erm-g erm-g requested a review from ejona86 July 11, 2024 02:33
@ejona86 ejona86 merged commit 658cbf6 into grpc:master Jul 11, 2024
10 of 11 checks passed
@ejona86 ejona86 changed the title security: Stabilize AdvancedTlsX509TrustManager. util: Stabilize AdvancedTlsX509TrustManager Jul 11, 2024