Query S2A Address from MDS #1400
Conversation
rmehta19
force-pushed
the
s2a-java-integration
branch
from
0f96e86
to
ddac7aa
Compare
|
cc: @xmenxk |
| if (transportFactory == null) { | ||
| transportFactory = | ||
| Iterables.getFirst( | ||
| ServiceLoader.load(HttpTransportFactory.class), OAuth2Utils.HTTP_TRANSPORT_FACTORY); | ||
| } | ||
| String url = getMdsMtlsEndpoint(); | ||
| GenericUrl genericUrl = new GenericUrl(url); | ||
| HttpRequest request = | ||
| transportFactory.create().createRequestFactory().buildGetRequest(genericUrl); | ||
| JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY); | ||
| request.setParser(parser); | ||
| request.getHeaders().set(METADATA_FLAVOR, GOOGLE); | ||
| request.setThrowExceptionOnExecuteError(false); | ||
| HttpResponse response = request.execute(); | ||
|
|
||
| if (!response.isSuccessStatusCode()) { | ||
| return MtlsConfig.createBuilder().build(); | ||
| } | ||
|
|
||
| InputStream content = response.getContent(); | ||
| if (content == null) { | ||
| return MtlsConfig.createBuilder().build(); | ||
| } |
There was a problem hiding this comment.
is it possible to reuse the code below for querying mds endpoint?
There was a problem hiding this comment.
We could use this function to get the MDS HttpResponse, but it would only replace a few lines (~7) in this function:
creating the HttpRequest and executing it to get the response, replaced with
response = getMetadataResponse(url).
However, in order to do this, we would also have to:
- ignore the
ComputeEngineCredentialsspecific errors thrown by the function, because we only care if we are able to successfully create a response (aligning with Go implementation, return empty S2A Address if any error). This technically works, although I am not sure it is best practice. getMetadataResponse(String url)is not static, so we would have to create an instance ofComputeEngineCredentialsto use it.
WDYT?
|
|
@westarle, friendly ping :). Please review when you get a chance. |
| import com.google.errorprone.annotations.CanIgnoreReturnValue; | ||
|
|
||
| /** Holds an mTLS configuration (consists of address of S2A) retrieved from the Metadata Server. */ | ||
| public final class MtlsConfig { |
There was a problem hiding this comment.
I think this should be re-branded to S2AConfig. MtlsConfig is much more generic than the settings in this class.
| public static final String METADATA_FLAVOR = "Metadata-Flavor"; | ||
| public static final String GOOGLE = "Google"; | ||
| private static final int MAX_MDS_PING_TRIES = 3; | ||
| private static final String PARSE_ERROR_S2A = "Error parsing Mtls Auto Config response."; |
There was a problem hiding this comment.
Is there any existing code for these constants?
There was a problem hiding this comment.
Some are defined in ComputeEngineCredentials.
| */ | ||
| @ThreadSafe | ||
| public final class S2A { | ||
| public static final String MTLS_CONFIG_ENDPOINT = |
There was a problem hiding this comment.
| public static final String MTLS_CONFIG_ENDPOINT = | |
| public static final String S2A_CONFIG_ENDPOINT_POSTFIX = |
| public static final String METADATA_FLAVOR = "Metadata-Flavor"; | ||
| public static final String GOOGLE = "Google"; | ||
| private static final int MAX_MDS_PING_TRIES = 3; | ||
| private static final String PARSE_ERROR_S2A = "Error parsing Mtls Auto Config response."; |
There was a problem hiding this comment.
I think this error message should be expanded to explain what went wrong and how it can be triaged.
| if (config == null) { | ||
| config = getMdsMtlsConfig(); | ||
| } | ||
| return config.getMtlsS2AAddress(); |
There was a problem hiding this comment.
Could a valid config be a requirement to instantiate this class?
There was a problem hiding this comment.
The behavior we would like is for the S2A config to be queried once from the MDS, all subsequent requests from the application for the S2A config should return the cached config.
Re: Could a valid config be a requirement to instantiate this class
I think we can do this and perhaps simplify the code. I moved the call to get the config to the constructor.
| * | ||
| * @return the {@link MtlsConfig}. | ||
| */ | ||
| private MtlsConfig getMdsMtlsConfig() { |
There was a problem hiding this comment.
| private MtlsConfig getMdsMtlsConfig() { | |
| private MtlsConfig getS2AConfigFromMDS() { |
| if (transportFactory == null) { | ||
| transportFactory = | ||
| Iterables.getFirst( | ||
| ServiceLoader.load(HttpTransportFactory.class), OAuth2Utils.HTTP_TRANSPORT_FACTORY); | ||
| } |
There was a problem hiding this comment.
Should this be outside of the loop?
| } | ||
| HttpRequest request = | ||
| transportFactory.create().createRequestFactory().buildGetRequest(genericUrl); | ||
| JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY); |
There was a problem hiding this comment.
Should this be outside of the loop?
| .setMtlsS2AAddress(mtlsS2AAddress) | ||
| .build(); | ||
| } | ||
| return MtlsConfig.createBuilder().build(); |
There was a problem hiding this comment.
How will callers know if a valid config is returned?
There was a problem hiding this comment.
If the plaintext and mTLS S2A addresses are able to be parsed from the MDS response, it is a valid config. The MDS MTLS Autoconfig endpoint always returns the address that S2A is running at, if available. It is the caller's responsibility to check if the address is empty before passing it on the S2A Client to create ChannelCredentials (example). This is similar to what we do in Go: https://github.com/googleapis/google-api-go-client/blob/main/internal/s2a.go#L22-L31
|
| HttpRequest request = | ||
| transportFactory.create().createRequestFactory().buildGetRequest(genericUrl); | ||
| request.setParser(parser); | ||
| request.getHeaders().set(METADATA_FLAVOR, GOOGLE); | ||
| request.setThrowExceptionOnExecuteError(false); |
There was a problem hiding this comment.
Can the request be re-used across loops?
Not familiar with Java, but I imagine it's re-usable / expensive to create on each loop.
| String plaintextS2AAddress = ""; | ||
| String mtlsS2AAddress = ""; |
There was a problem hiding this comment.
nit: Why declare these at the top? Is it a code style choice?
There was a problem hiding this comment.
It could be declared in the loop, moved in be1cfd2
| .setMtlsAddress(mtlsS2AAddress) | ||
| .build(); | ||
| } | ||
| return S2AConfig.createBuilder().build(); |
There was a problem hiding this comment.
So consumers will have to check if the config contains empty strings? Could you use a result type or other form of indication that you were unable to build a valid config?
There was a problem hiding this comment.
This was done to keep consistency with Go implementation: https://github.com/googleapis/google-api-go-client/blob/main/internal/s2a.go#L22
The rationale is that we do not want to throw an error from this API that the client has to handle. If any problem occurs querying the endpoint for the address, we return an empty address. The client can pass that empty address to the S2A Client libraries, which will throw an error (e.g. something like "Error: Empty S2A Address.").
rmehta19
force-pushed
the
s2a-java-integration
branch
from
99b7257
to
1466f0d
Compare
Add utility to get S2A address from MDS MTLS autoconfiguration endpoint.
This utility will be used when creating mTLS channel using S2A Java Client, which takes S2A Address as input to create S2AChannelCredentials.
Parallel change in go: googleapis/google-api-go-client#1874
S2A Java client: grpc/grpc-java#11113