security: Stabilize AdvancedTlsX509TrustManager.

[erm-g]

This PR is a part of 'Stabilize Advanced TLS' effort.
Clean up, improve javadoc, de-experimentalize of AdvancedTlsX509TrustManager, add a unit test (e2e already exists).

[matthewstevenson88]

Thanks for the PR @erm-g! Generally LG, just a few minor comments.

[matthewstevenson88]

Pre-existing readability nit: this. is redundant here and can be removed. There seem to be a few other instances of this pattern in this file, feel free to clean them all up if you like.

[erm-g]

Agreed, it's redundant here and the G style guide suggest to omit it.
I code it that way because it was the style here and at KeyManager, plus it also exists at

grpc-java/api/src/main/java/io/grpc/TlsServerCredentials.java

Line 326 in 8aaace1

this.keyManagers = keyManagerList;

Let's defer to Eric

[matthewstevenson88]

Can you elaborate on what happens if the user does not respect this?

[erm-g]

Theoretically speaking, a user can do the following trick:

1. Some process (non gRPC) updates the cert file
2. User spawns a thread to periodically call updateTrustCredentialsFromFile(file)
3. User calls updateTrustCredentialsFromFile(File trustCertFile, long period, TimeUnit unit,
   ScheduledExecutorService executor) multiple times without cancelling the result

As a result an outdated version of creds might be used till the next update. It's not truly a synchronization issue (that's why we don't guard this methods with locks) but a similar to it - so we decided to add a warning. Definitely the example is a made up one and we don't expect a user do anything like that

[matthewstevenson88]

Makes sense, thanks for clarifying.

[matthewstevenson88]

Optional presentation suggestion: Consider structuring the Javadoc as:

AdvancedTlsX509TrustManager is an {@code X509ExtendedTrustManager} that allows users to configure
advanced TLS features, such as root certificate reloading, peer cert custom verification, etc.

For Android users: this class is only supported in API level 24 and above.

We expect only one of {@link AdvancedTlsX509TrustManager#useSystemDefaultTrustCerts()},
{@link AdvancedTlsX509TrustManager#updateTrustCredentials(X509Certificate[])},
 {@link AdvancedTlsX509TrustManager#updateTrustCredentialsFromFile(File, long, TimeUnit,
 ScheduledExecutorService)},
{@link AdvancedTlsX509TrustManager#updateTrustCredentialsFromFile(File)} methods to be called
 after instantiation of this class.

[erm-g]

I like the idea of extra empty LOCs for separation (pushed). But I prefer the current order because of

1. Overall description
2. Impl notes (for all users, including Android)
3. Extra note (for Android users only)

[matthewstevenson88]

SG, just an optional suggestion. :)

[matthewstevenson88]

micro-nit: s/and update the/and updates the

[erm-g]

2 instances fixed, thank you!

[matthewstevenson88]

nit: Prefer using Duration here.

[erm-g]

Same problem with the KeyManager - they use 'period' as a param name (plus it's long + TimeUnit) -

grpc-java/util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java

Line 222 in 8aaace1

public Closeable updateTrustCredentialsFromFile(File trustCertFile, long period, TimeUnit unit,

Let's defer to Eric if I need to refactor all of it.

[matthewstevenson88]

nit: Constants generally should be private unless we have a need for them to be visible.

[erm-g]

Agreed - nothing in the codebase depends on this const. However this style is in AdvancedTlsTest -

grpc-java/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java

Line 72 in 8aaace1

public static final String CA_PEM_FILE = "ca.pem";

Let's defer to Eric, I can also refactor the AdvancedTlsTest to make it consistent

[erm-g]

Fixed here and in AdvancedTlsTest (#11139)

[matthewstevenson88]

Same style nits here RE test structure as in the key manager PR, but we can defer to Eric if you prefer.

[matthewstevenson88]

LGTM modulo readability concerns, for which I'll defer to @ejona86.

[ejona86]

API review meeting notes:

CERTIFICATE_ONLY_VERIFICATION and INSECURELY_SKIP_ALL_VERIFICATION

Should document that these are dangerous to us, unless also specifying your own cert validation. Yes, one has INSECURELY in its name, but there should be some javadoc.

INSECURELY_SKIP_ALL_VERIFICATION

Mention that any loaded trust certs will be ignored. Yes, that's what it says, but just "those other methods that you use all the time stop doing anything" is helpful to point out.

• Add docs to say that after build, no trust certs are loaded. You need to call one of the update/usesystem methods.
• Builder needs more docs. For example, to explain that setSslSocketAndEnginePeerVerifier is called in addition to verifying certs as specified by Verification.
• Should make clear that it is normal for nothing in the builder needs to be called? That should be the common case. Maybe just improve the AdvancedTlsX509TrustManager javadoc with a code snippet?

The minimum refresh period of 1 minute is enforced.

"enforced" could mean several different things, including "causes an error." Probably want to tweak that to be more clear.

[erm-g]

API review meeting notes:

CERTIFICATE_ONLY_VERIFICATION and INSECURELY_SKIP_ALL_VERIFICATION

Should document that these are dangerous to us, unless also specifying your own cert validation. Yes, one has INSECURELY in its name, but there should be some javadoc.

INSECURELY_SKIP_ALL_VERIFICATION

Mention that any loaded trust certs will be ignored. Yes, that's what it says, but just "those other methods that you use all the time stop doing anything" is helpful to point out.

• Add docs to say that after build, no trust certs are loaded. You need to call one of the update/usesystem methods.
• Builder needs more docs. For example, to explain that setSslSocketAndEnginePeerVerifier is called in addition to verifying certs as specified by Verification.
• Should make clear that it is normal for nothing in the builder needs to be called? That should be the common case. Maybe just improve the AdvancedTlsX509TrustManager javadoc with a code snippet?

The minimum refresh period of 1 minute is enforced.

"enforced" could mean several different things, including "causes an error." Probably want to tweak that to be more clear.

Done - I also reworded few comments before 'bumping up' to javadoc level. PTAL