-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
util: Stabilize AdvancedTlsX509TrustManager #11216
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @erm-g! Generally LG, just a few minor comments.
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
@IgnoreJRERequirement | ||
public final class AdvancedTlsX509TrustManager extends X509ExtendedTrustManager { | ||
private static final Logger log = Logger.getLogger(AdvancedTlsX509TrustManager.class.getName()); | ||
|
||
// Minimum allowed period for refreshing files with credential information. | ||
private static final int MINIMUM_REFRESH_PERIOD = 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Prefer using Duration
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same problem with the KeyManager - they use 'period' as a param name (plus it's long + TimeUnit) -
public Closeable updateTrustCredentialsFromFile(File trustCertFile, long period, TimeUnit unit, |
Let's defer to Eric if I need to refactor all of it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't yet depend on java.time, as that requires API desugaring on Android.
util/src/test/java/io/grpc/util/AdvancedTlsX509TrustManagerTest.java
Outdated
Show resolved
Hide resolved
util/src/test/java/io/grpc/util/AdvancedTlsX509TrustManagerTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM modulo readability concerns, for which I'll defer to @ejona86.
API review meeting notes:
Should document that these are dangerous to us, unless also specifying your own cert validation. Yes, one has INSECURELY in its name, but there should be some javadoc.
Mention that any loaded trust certs will be ignored. Yes, that's what it says, but just "those other methods that you use all the time stop doing anything" is helpful to point out.
"enforced" could mean several different things, including "causes an error." Probably want to tweak that to be more clear. |
Done - I also reworded few comments before 'bumping up' to javadoc level. PTAL |
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/test/java/io/grpc/util/AdvancedTlsX509TrustManagerTest.java
Outdated
Show resolved
Hide resolved
util/src/test/java/io/grpc/util/AdvancedTlsX509TrustManagerTest.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
Outdated
Show resolved
Hide resolved
@ejona86 I applied the changes we discussed - PTAL |
This PR is a part of 'Stabilize Advanced TLS' effort.
Clean up, improve javadoc, de-experimentalize of AdvancedTlsX509TrustManager, add a unit test (e2e already exists).