credentials, transport, grpc : add a call option to override the :authority header on a per-RPC basis #8068
Conversation
eshitachandwani
added
Type: Feature
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #8068 +/- ##
==========================================
+ Coverage 82.32% 82.36% +0.04%
==========================================
Files 387 387
Lines 39064 39091 +27
==========================================
+ Hits 32159 32197 +38
+ Misses 5593 5584 -9
+ Partials 1312 1310 -2
|
credentials/credentials.go
Outdated
| @@ -120,6 +120,14 @@ type AuthInfo interface { | |||
| AuthType() string | |||
| } | |||
|
|
|||
| // AuthorityValidator defines an interface for validating the authority used to | |||
There was a problem hiding this comment.
no need to mention "defines an interface". Can just say "AuthorityValidator validates the authority....."
internal/transport/http2_client.go
Outdated
| // precedence to determine the :authority header. Any value in Host field of | ||
| // CallHdr is overwritten. But before overriding, we validate the authority | ||
| // string against the peer certificates and fail the RPC with `UNAVAILABLE` | ||
| // status code if eirther of the condition fails. |
internal/transport/http2_client.go
Outdated
| if !ok { | ||
| return nil, &NewStreamError{Err: status.Error(codes.Unavailable, fmt.Sprintf("credentials type %s does not implement the AuthorityValidator interface", t.authInfo.AuthType())), AllowTransparentRetry: false} | ||
| } | ||
| err := auth.ValidateAuthority(callHdr.Authority) |
There was a problem hiding this comment.
can combine this with if
| // | ||
| // Notice: This API is EXPERIMENTAL and may be changed or removed in a | ||
| // later release. | ||
| func CallAuthority(auth string) CallOption { |
There was a problem hiding this comment.
should we call it PerRPCAuthority? Similar to PerRPCCredentials?
| // | ||
| // Notice: This type is EXPERIMENTAL and may be changed or removed in a | ||
| // later release. | ||
| type AuthorityOverrideCallOption struct { |
There was a problem hiding this comment.
If we name above PerRPCAuthority, AuthorityOverrideCallOption can change to PerRPCAuthorityCallOption
credentials/credentials_ext_test.go
Outdated
| defer cancel() | ||
|
|
||
| _, err = testgrpc.NewTestServiceClient(cc).EmptyCall(ctx, &testpb.Empty{}, grpc.CallAuthority(tt.expectedAuth)) | ||
| if tt.expectRPCError { |
| } | ||
| } | ||
|
|
||
| func (s) TestTLSCredsWithNoAuthorityOverride(t *testing.T) { |
There was a problem hiding this comment.
the tests tls_ext_test.go should already be testing this right? Does this need to be here? or it should just be another test case in the above TestAuthorityCallOptionsWithTLSCreds
| // Perform a test RPC with a specified call authority. | ||
| ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) | ||
| defer cancel() | ||
|
|
| } | ||
|
|
||
| // FakeCredsNoAuthValidator is a test credential that does not implement AuthorityValidator. | ||
| type FakeCredsNoAuthValidator struct { |
There was a problem hiding this comment.
the FakeCreds can be at the top
credentials/credentials_ext_test.go
Outdated
| // TestCallOptionWithNoAuthorityValidator tests the CallAuthority call option | ||
| // with custom credentials that do not implement AuthorityValidator and verifies | ||
| // that it fails with `UNAVAILABLE` status code. | ||
| func (s) TestCallOptionWithNoAuthorityValidator(t *testing.T) { |
There was a problem hiding this comment.
Same. This can be another test case in test with CustomCreds
|
Also, don't feel strongly but may be we can utilize the setup in tls_ext_test or move the tls tests to tls_ext_test.go |
Fixes: #5361
RELEASE NOTES:
CallAuthoritycallOption that can be used to overwrite the http:authorityheader on per-RPC basis.AuthorityValidatorinterface which needs to be implemented by credentials that want to allow authority overwrite.AuthorityValidatorinterface for Insecure and TLS credentials.