Create gRPC managed channel builder for ITs.

Signed-off-by: Finn Carroll <carrofin@amazon.com>

Author: finnegancarroll

src/integrationTest/java/org/opensearch/security/grpc/GrpcHelpers.java

@@ -9,28 +9,33 @@
  */
 package org.opensearch.security.grpc;
 
+import java.net.InetSocketAddress;
 import java.util.Map;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import io.grpc.ManagedChannel;
 import io.netty.handler.ssl.ClientAuth;
-import org.junit.ClassRule;
-import org.junit.Test;
-import org.junit.runner.RunWith;
 
+import org.opensearch.common.transport.PortsRange;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.plugin.transport.grpc.GrpcPlugin;
+import org.opensearch.protobufs.BulkRequest;
+import org.opensearch.protobufs.BulkRequestBody;
+import org.opensearch.protobufs.BulkResponse;
+import org.opensearch.protobufs.IndexOperation;
 import org.opensearch.protobufs.MatchAllQuery;
 import org.opensearch.protobufs.QueryContainer;
 import org.opensearch.protobufs.SearchRequest;
 import org.opensearch.protobufs.SearchRequestBody;
 import org.opensearch.protobufs.SearchResponse;
+import org.opensearch.protobufs.services.DocumentServiceGrpc;
+import org.opensearch.protobufs.services.SearchServiceGrpc;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.certificate.TestCertificates;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
-import org.opensearch.test.framework.cluster.TestGrpcClient;
-import org.opensearch.test.framework.cluster.TestRestClient;
 
-import static org.hamcrest.MatcherAssert.assertThat;
+import javax.net.ssl.SSLException;
+
 import static org.opensearch.plugin.transport.grpc.ssl.SecureNetty4GrpcServerTransport.GRPC_SECURE_TRANSPORT_SETTING_KEY;
 import static org.opensearch.plugin.transport.grpc.ssl.SecureNetty4GrpcServerTransport.SETTING_GRPC_SECURE_PORT;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_CLIENTAUTH_MODE;
@@ -46,10 +51,12 @@ public class GrpcHelpers {
     protected static final Map<String, Object> CLIENT_AUTH_OPT = Map.of(SECURITY_SSL_AUX_CLIENTAUTH_MODE.getConcreteSettingForNamespace(GRPC_SECURE_TRANSPORT_SETTING_KEY).getKey(), ClientAuth.OPTIONAL.name());
     protected static final Map<String, Object> CLIENT_AUTH_REQUIRE = Map.of(SECURITY_SSL_AUX_CLIENTAUTH_MODE.getConcreteSettingForNamespace(GRPC_SECURE_TRANSPORT_SETTING_KEY).getKey(), ClientAuth.REQUIRE.name());
 
+    private static final PortsRange PORTS_RANGE = new PortsRange("9400-9500");
+    private static final String HOST_ADDR = "127.0.0.1";
     private static final Map<String, Object> SECURE_GRPC_TRANSPORT_SETTINGS = Map.of(
             ConfigConstants.SECURITY_SSL_ONLY, true,
             AUX_TRANSPORT_TYPES_KEY, GRPC_SECURE_TRANSPORT_SETTING_KEY,
-            SETTING_GRPC_SECURE_PORT.getKey(), "9400-9500",
+            SETTING_GRPC_SECURE_PORT.getKey(), PORTS_RANGE.getPortRangeString(),
             SECURITY_SSL_AUX_ENABLED.getConcreteSettingForNamespace(GRPC_SECURE_TRANSPORT_SETTING_KEY).getKey(), true,
             SECURITY_SSL_AUX_PEMKEY_FILEPATH.getConcreteSettingForNamespace(GRPC_SECURE_TRANSPORT_SETTING_KEY).getKey(), TEST_CERTIFICATES.getNodeKey(0, null).getAbsolutePath(),
             SECURITY_SSL_AUX_PEMCERT_FILEPATH.getConcreteSettingForNamespace(GRPC_SECURE_TRANSPORT_SETTING_KEY).getKey(), TEST_CERTIFICATES.getNodeCertificate(0).getAbsolutePath(),
@@ -66,19 +73,60 @@ public static LocalCluster.Builder baseGrpcCluster(){
                 .sslOnly(true);
     }
 
-    public static void createTestIndex(TestRestClient client, String index, long numDocs) {
-        try (client) {
-            client.put(index).assertStatusCode(200);
-            for (int i = 0; i < numDocs; i++) {
-                String docURI = index + "/_doc/" + i;
-                String docBody = "{\"field\": \"doc " + i + " body\"}";
-                client.postJson(docURI, docBody)
-                        .assertStatusCode(201);
-            }
+    public static ManagedChannel plaintextManagedChannel() throws SSLException {
+        return new NettyGrpcChannelBuilder()
+                .setAddress(new TransportAddress(new InetSocketAddress(HOST_ADDR, PORTS_RANGE.ports()[0])))
+                .build();
+    }
+
+    public static ManagedChannel noAuthChannel() throws SSLException {
+        return new NettyGrpcChannelBuilder()
+                .setAddress(new TransportAddress(new InetSocketAddress(HOST_ADDR, PORTS_RANGE.ports()[0])))
+                .clientAuth(ClientAuth.NONE)
+                .build();
+    }
+
+    public static ManagedChannel optAuthChannel() throws SSLException {
+        return new NettyGrpcChannelBuilder()
+                .setAddress(new TransportAddress(new InetSocketAddress(HOST_ADDR, PORTS_RANGE.ports()[0])))
+                .clientAuth(ClientAuth.OPTIONAL)
+                .keyManager(
+                        TEST_CERTIFICATES.getNodeKey(0, null).getAbsolutePath(),
+                        TEST_CERTIFICATES.getNodeCertificate(0).getAbsolutePath()
+                )
+                .build();
+    }
+
+    public static ManagedChannel requireAuthChannel() throws SSLException {
+        return new NettyGrpcChannelBuilder()
+                .setAddress(new TransportAddress(new InetSocketAddress(HOST_ADDR, PORTS_RANGE.ports()[0])))
+                .clientAuth(ClientAuth.REQUIRE)
+                .keyManager(
+                        TEST_CERTIFICATES.getNodeKey(0, null).getAbsolutePath(),
+                        TEST_CERTIFICATES.getNodeCertificate(0).getAbsolutePath()
+                )
+                .build();
+    }
+
+    public static BulkResponse doBulk(ManagedChannel channel, String index, long numDocs) {
+        BulkRequest.Builder requestBuilder = BulkRequest.newBuilder();
+        for (int i = 0; i < numDocs; i++) {
+            String docBody = "{\"field\": \"doc " + i + " body\"}";
+            IndexOperation indexOp = IndexOperation.newBuilder()
+                    .setIndex(index)
+                    .setId(String.valueOf(i))
+                    .build();
+            BulkRequestBody requestBody = BulkRequestBody.newBuilder()
+                    .setIndex(indexOp)
+                    .setDoc(com.google.protobuf.ByteString.copyFromUtf8(docBody))
+                    .build();
+            requestBuilder.addRequestBody(requestBody);
         }
+        DocumentServiceGrpc.DocumentServiceBlockingStub stub = DocumentServiceGrpc.newBlockingStub(channel);
+        return stub.bulk(requestBuilder.build());
     }
 
-    protected static SearchResponse grpcMatchAllQuery(TestGrpcClient client, String index, int size) {
+    public static SearchResponse doMatchAll(ManagedChannel channel, String index, int size) {
         QueryContainer query = QueryContainer.newBuilder()
                 .setMatchAll(MatchAllQuery.newBuilder().build())
                 .build();
@@ -91,6 +139,7 @@ protected static SearchResponse grpcMatchAllQuery(TestGrpcClient client, String
                 .addIndex(index)
                 .setRequestBody(requestBody)
                 .build();
-        return client.search(searchRequest);
+        SearchServiceGrpc.SearchServiceBlockingStub stub = SearchServiceGrpc.newBlockingStub(channel);
+        return stub.search(searchRequest);
     }
 }

src/integrationTest/java/org/opensearch/security/grpc/GrpcTestsClientAuthOptionalTest.java

@@ -13,9 +13,12 @@
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.opensearch.protobufs.BulkResponse;
 import org.opensearch.protobufs.SearchResponse;
 import org.opensearch.test.framework.cluster.LocalCluster;
 
+import javax.net.ssl.SSLException;
+
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.opensearch.security.grpc.GrpcHelpers.CLIENT_AUTH_OPT;
 import static org.opensearch.security.grpc.GrpcHelpers.TEST_CERTIFICATES;
@@ -30,15 +33,19 @@ public class GrpcTestsClientAuthOptionalTest {
             .build();
 
     @Test
-    public void testSearch() {
+    public void testSearch() throws SSLException {
         long testDocs = 9;
         String testIndex = "test-index";
-        GrpcHelpers.createTestIndex(cluster.getRestClient(), testIndex, testDocs);
-        SearchResponse resp = GrpcHelpers.grpcMatchAllQuery(cluster.getGrpcClient(TEST_CERTIFICATES), testIndex, 100);
+        BulkResponse bulkResp = GrpcHelpers.doBulk(GrpcHelpers.plaintextManagedChannel(), testIndex, testDocs);
+
+
+
+
+        SearchResponse searchResp = GrpcHelpers.doMatchAll(GrpcHelpers.plaintextManagedChannel(), testIndex, 100);
         assertThat("Search response should not be null", resp != null);
-        SearchResponse.ResponseCase respCase = resp.getResponseCase();
+        SearchResponse.ResponseCase respCase = searchResp.getResponseCase();
         assertThat("Search response should indicate success", respCase.getNumber() == SearchResponse.ResponseCase.RESPONSE_BODY.getNumber());
-        long hits = resp.getResponseBody().getHits().getTotal().getTotalHits().getValue();
+        long hits = searchResp.getResponseBody().getHits().getTotal().getTotalHits().getValue();
         assertThat("Search response has correct hits count", hits == 9);
     }
 }

src/integrationTest/java/org/opensearch/security/grpc/NettyGrpcChannelBuilder.java

@@ -0,0 +1,83 @@
+package org.opensearch.security.grpc;
+
+import javax.net.ssl.SSLException;
+import java.io.File;
+
+import io.netty.handler.ssl.ClientAuth;
+
+import io.grpc.ManagedChannel;
+import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolNames;
+import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
+import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
+import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+
+import org.opensearch.core.common.transport.TransportAddress;
+
+import static io.grpc.internal.GrpcUtil.NOOP_PROXY_DETECTOR;
+
+public class NettyGrpcChannelBuilder {
+    private ClientAuth clientAuth = null;
+    private TransportAddress addr;
+    SslContextBuilder sslContextBuilder = null;
+
+    private static final ApplicationProtocolConfig CLIENT_ALPN = new ApplicationProtocolConfig(
+            ApplicationProtocolConfig.Protocol.ALPN,
+            ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
+            ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
+            ApplicationProtocolNames.HTTP_2
+    );
+
+    NettyGrpcChannelBuilder() {
+        // Default options required for gRPC clients
+        this.sslContextBuilder = SslContextBuilder.forClient()
+            .sslProvider(SslProvider.JDK)
+            .applicationProtocolConfig(CLIENT_ALPN)
+            .trustManager(InsecureTrustManagerFactory.INSTANCE);
+    }
+
+    public ManagedChannel build() throws SSLException {
+        NettyChannelBuilder channelBuilder = NettyChannelBuilder
+                .forAddress(addr.getAddress(), addr.getPort())
+                .proxyDetector(NOOP_PROXY_DETECTOR);
+
+        if (clientAuth == null) {
+            return channelBuilder.usePlaintext().build();
+        }
+
+        switch (clientAuth) {
+            case ClientAuth.NONE -> channelBuilder.usePlaintext();
+            case ClientAuth.OPTIONAL, ClientAuth.REQUIRE ->
+                channelBuilder.sslContext(this.sslContextBuilder.build());
+        }
+
+        return channelBuilder.build();
+    }
+
+    /**
+     * Set server address.
+     */
+    public NettyGrpcChannelBuilder setAddress(TransportAddress addr) {
+        this.addr = addr;
+        return this;
+    }
+
+    /**
+     * Configure key store by filepath of .pem key.
+     * Required for mTLS/client auth required configurations.
+     */
+    public NettyGrpcChannelBuilder keyManager(String privateKeyPath, String certChainPath) {
+        this.sslContextBuilder.keyManager(new File(certChainPath), new File(privateKeyPath));
+        return this;
+    }
+
+    /**
+     * Set client auth mode.
+     * No client auth set gives plaintext connection.
+     */
+    public NettyGrpcChannelBuilder clientAuth(ClientAuth clientAuth) {
+        this.clientAuth = clientAuth;
+        return this;
+    }
+}

src/integrationTest/java/org/opensearch/test/framework/cluster/OpenSearchClientProvider.java

@@ -232,10 +232,6 @@ default TestRestClient getRestClient(List<Header> headers, CertificateData useCe
         return createGenericClientRestClient(headers, useCertificateData, null);
     }
 
-    default TestGrpcClient getGrpcClient(TestCertificates testCertificates) {
-        return createGenericClientGrpcClient(testCertificates);
-    }
-
     default TestRestClient getSecurityDisabledRestClient() {
         return new TestRestClient(getHttpAddress(), List.of(), getSSLContext(null), null, false, false);
     }
@@ -248,10 +244,6 @@ default TestRestClient createGenericClientRestClient(
         return new TestRestClient(getHttpAddress(), headers, getSSLContext(useCertificateData), sourceInetAddress, true, false);
     }
 
-    default TestGrpcClient createGenericClientGrpcClient(TestCertificates testCertificates) {
-        return new TestGrpcClient(getHttpAddress(), "", getSSLContext(), testCertificates);
-    }
-
     default TestRestClient createGenericClientRestClient(TestRestClientConfiguration configuration) {
         return new TestRestClient(
             getHttpAddress(),