xds: server-side security: server integration

[easwars]

Summary of changes:

• Add security integration to xds.GRPCServer:
  • Retrieve configured transport credentials from the underlying grpc.Server
  • Handle security configuration in received Listener resource
    • create appropriate certificate providers
    • setup HandshakeInfo to be passed to xds.Credentials
    • wrap the underlying net.Conn
      • support for setting and getting deadline
      • support for retrieving the HandshakeInfo
• e2e test which exercises xDS security with a file watcher plugin.
• A way to retrieve the transport credentials configured on a grpc.Server through the internal package.

[easwars]

@dfawley : This is now ready to be looked at. Thanks.

[dfawley]

Why not func (s *grpc.Server) ...?

Also it seems the convention is mostly to not give names to the parameters, just list their types.

[easwars]

We cannot have this package depend on the grpc package, right. That would lead to a cyclic dependency.

Removed the parameter names.

[dfawley]

This was referring to the comment. The type would still be interface{}

[dfawley]

Is this xds going to be redundant?

[easwars]

The convention seems to be that we add the component prefix to errors that we generate. The same or closely related prefix might also get added by the prefix logger if the returned error is logged at some point. I still haven't looked at any real logs to see how useful/bad these prefixes are getting.

[dfawley]

This isn't a convention we should have, unless the error is leaving the xds component. Let's be careful about these so our logs are clear and not cluttered.

[easwars]

Can I leave it as-is for now? We should probably discuss this and come up with a convention that we can follow.

[dfawley]

I don't understand the pushback. If we're producing an error solely to log it later, it's equivalent to directly writing:

logger.Warning("Error doing whatever: xds: couldn't do that thing")

...which would result in the output:

[xds] [xds-server 0xf34a89d] Error doing whatever: xds: couldn't do that thing

...which has "xds" in it 3 times!

[easwars]

I've removed the xds prefix from the errors returned from here.

I didn't mean to pushback on the change you are suggesting here. I'm only saying that this is widespread and that we should talk about it and decide how we want to go about structuring error messages.

[dfawley]

I'm all in favor of discussing and fixing the other areas! But I think we should not make things worse in the meantime.

[easwars]

Thanks for the review. PTAL.

[easwars]

We cannot have this package depend on the grpc package, right. That would lead to a cyclic dependency.

Removed the parameter names.

[easwars]

The convention seems to be that we add the component prefix to errors that we generate. The same or closely related prefix might also get added by the prefix logger if the returned error is logged at some point. I still haven't looked at any real logs to see how useful/bad these prefixes are getting.

[dfawley]

This was referring to the comment. The type would still be interface{}

[dfawley]

This isn't a convention we should have, unless the error is leaving the xds component. Let's be careful about these so our logs are clear and not cluttered.

[easwars]

Had to rebase because of a merge conflict and the comments are now all over the place :(

[easwars]

For comments where I'm not able to reply inline:

• Added the bc == nil check back
• As for polluting the logs with our prefixes: can I leave it as-is for now. We should discuss this and come to a consensus on what would be the best strategy forward. It might require some wholesale changes
• As for the type in the comment in the internal package: server.go which implements internal.GetServerCredentials accepts an interface{} and not a *grpc.Server. It then goes ahead and type asserts to a *grpc.Server. I did this so that tests which fake out the underlying grpc.Server will continue to work without extensive changes. Let me know if you still want me to change the type in the comment.

Thanks.

[dfawley]

We're still type asserting this to interface{} so now the comment doesn't match reality.

[easwars]

Fixed it now.

[dfawley]

I don't understand the pushback. If we're producing an error solely to log it later, it's equivalent to directly writing:

logger.Warning("Error doing whatever: xds: couldn't do that thing")

...which would result in the output:

[xds] [xds-server 0xf34a89d] Error doing whatever: xds: couldn't do that thing

...which has "xds" in it 3 times!

[dfawley]

As for the type in the comment in the internal package: server.go which implements internal.GetServerCredentials accepts an interface{} and not a *grpc.Server. It then goes ahead and type asserts to a *grpc.Server. I did this so that tests which fake out the underlying grpc.Server will continue to work without extensive changes. Let me know if you still want me to change the type in the comment.

Which tests do this?

[easwars]

As for the type in the comment in the internal package: server.go which implements internal.GetServerCredentials accepts an interface{} and not a *grpc.Server. It then goes ahead and type asserts to a *grpc.Server. I did this so that tests which fake out the underlying grpc.Server will continue to work without extensive changes. Let me know if you still want me to change the type in the comment.

Which tests do this?

Tests in xds/server_test.go use a fakeGRPCServer to make sure that things like Serve(), Stop() etc on the xds.GRPCServer ends up calling the appropriate methods on the grpc.Server.

[easwars]

I've removed the xds prefix from the errors returned from here.

I didn't mean to pushback on the change you are suggesting here. I'm only saying that this is widespread and that we should talk about it and decide how we want to go about structuring error messages.

[dfawley]

Tests in xds/server_test.go use a fakeGRPCServer to make sure that things like Serve(), Stop() etc on the xds.GRPCServer ends up calling the appropriate methods on the grpc.Server.

Okay, I get what's happening now, thanks.

How about if we do the type assertion in the xds code instead, since that's where the interface is used instead of a direct *grpc.Server? It seems like a minor change (it is), but I think it's a little cleaner if the grpc package and its (semi-)exported functions don't have to do type assertions like this.

Also, conceptually, it's more appropriate to determine what to do if the server isn't a *grpc.Server closer to the code that knows what else it might be. E.g., the fake could support this feature as well, but doing the type assertion in grpc makes that harder.

[dfawley]

I'm all in favor of discussing and fixing the other areas! But I think we should not make things worse in the meantime.

[easwars]

Tests in xds/server_test.go use a fakeGRPCServer to make sure that things like Serve(), Stop() etc on the xds.GRPCServer ends up calling the appropriate methods on the grpc.Server.

Okay, I get what's happening now, thanks.

How about if we do the type assertion in the xds code instead, since that's where the interface is used instead of a direct *grpc.Server? It seems like a minor change (it is), but I think it's a little cleaner if the grpc package and its (semi-)exported functions don't have to do type assertions like this.

Also, conceptually, it's more appropriate to determine what to do if the server isn't a *grpc.Server closer to the code that knows what else it might be. E.g., the fake could support this feature as well, but doing the type assertion in grpc makes that harder.

Makes sense. Moved the type assertion to the xds code. Thanks. It does look cleaner now.

[dfawley]

For future consideration: moving this to a function would allow it to be stubbed for testing:

var usesXDS = func(s *GRPCServer) bool { ... }

in tests:

usesXDS = func(s *GRPCServer) bool { return s.gs.(*fakeGRPCServer).whatever }

[easwars]

Ack