-
Notifications
You must be signed in to change notification settings - Fork 225
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Query S2A Address from MDS #1400
base: main
Are you sure you want to change the base?
Conversation
0f96e86
to
ddac7aa
Compare
cc: @xmenxk |
if (transportFactory == null) { | ||
transportFactory = | ||
Iterables.getFirst( | ||
ServiceLoader.load(HttpTransportFactory.class), OAuth2Utils.HTTP_TRANSPORT_FACTORY); | ||
} | ||
String url = getMdsMtlsEndpoint(); | ||
GenericUrl genericUrl = new GenericUrl(url); | ||
HttpRequest request = | ||
transportFactory.create().createRequestFactory().buildGetRequest(genericUrl); | ||
JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY); | ||
request.setParser(parser); | ||
request.getHeaders().set(METADATA_FLAVOR, GOOGLE); | ||
request.setThrowExceptionOnExecuteError(false); | ||
HttpResponse response = request.execute(); | ||
|
||
if (!response.isSuccessStatusCode()) { | ||
return MtlsConfig.createBuilder().build(); | ||
} | ||
|
||
InputStream content = response.getContent(); | ||
if (content == null) { | ||
return MtlsConfig.createBuilder().build(); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it possible to reuse the code below for querying mds endpoint?
google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
Line 338 in dde6876
private HttpResponse getMetadataResponse(String url) throws IOException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could use this function to get the MDS HttpResponse, but it would only replace a few lines (~7) in this function:
creating the HttpRequest and executing it to get the response, replaced with
response = getMetadataResponse(url)
.
However, in order to do this, we would also have to:
- ignore the
ComputeEngineCredentials
specific errors thrown by the function, because we only care if we are able to successfully create a response (aligning with Go implementation, return empty S2A Address if any error). This technically works, although I am not sure it is best practice. getMetadataResponse(String url)
is not static, so we would have to create an instance ofComputeEngineCredentials
to use it.
WDYT?
Quality Gate passedIssues Measures |
@westarle, friendly ping :). Please review when you get a chance. |
import com.google.errorprone.annotations.CanIgnoreReturnValue; | ||
|
||
/** Holds an mTLS configuration (consists of address of S2A) retrieved from the Metadata Server. */ | ||
public final class MtlsConfig { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be re-branded to S2AConfig
. MtlsConfig
is much more generic than the settings in this class.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in 359fd43
public static final String METADATA_FLAVOR = "Metadata-Flavor"; | ||
public static final String GOOGLE = "Google"; | ||
private static final int MAX_MDS_PING_TRIES = 3; | ||
private static final String PARSE_ERROR_S2A = "Error parsing Mtls Auto Config response."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any existing code for these constants?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some are defined in ComputeEngineCredentials.
*/ | ||
@ThreadSafe | ||
public final class S2A { | ||
public static final String MTLS_CONFIG_ENDPOINT = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
public static final String MTLS_CONFIG_ENDPOINT = | |
public static final String S2A_CONFIG_ENDPOINT_POSTFIX = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in bce602e
public static final String METADATA_FLAVOR = "Metadata-Flavor"; | ||
public static final String GOOGLE = "Google"; | ||
private static final int MAX_MDS_PING_TRIES = 3; | ||
private static final String PARSE_ERROR_S2A = "Error parsing Mtls Auto Config response."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this error message should be expanded to explain what went wrong and how it can be triaged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in b82790a
if (config == null) { | ||
config = getMdsMtlsConfig(); | ||
} | ||
return config.getMtlsS2AAddress(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could a valid config be a requirement to instantiate this class?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The behavior we would like is for the S2A config to be queried once from the MDS, all subsequent requests from the application for the S2A config should return the cached config.
Re: Could a valid config be a requirement to instantiate this class
I think we can do this and perhaps simplify the code. I moved the call to get the config to the constructor.
* | ||
* @return the {@link MtlsConfig}. | ||
*/ | ||
private MtlsConfig getMdsMtlsConfig() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
private MtlsConfig getMdsMtlsConfig() { | |
private MtlsConfig getS2AConfigFromMDS() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in bce602e
if (transportFactory == null) { | ||
transportFactory = | ||
Iterables.getFirst( | ||
ServiceLoader.load(HttpTransportFactory.class), OAuth2Utils.HTTP_TRANSPORT_FACTORY); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be outside of the loop?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in 05aa9cc
} | ||
HttpRequest request = | ||
transportFactory.create().createRequestFactory().buildGetRequest(genericUrl); | ||
JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be outside of the loop?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in 05aa9cc
.setMtlsS2AAddress(mtlsS2AAddress) | ||
.build(); | ||
} | ||
return MtlsConfig.createBuilder().build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How will callers know if a valid config is returned?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the plaintext and mTLS S2A addresses are able to be parsed from the MDS response, it is a valid config. The MDS MTLS Autoconfig endpoint always returns the address that S2A is running at, if available. It is the caller's responsibility to check if the address is empty before passing it on the S2A Client to create ChannelCredentials (example). This is similar to what we do in Go: https://github.com/googleapis/google-api-go-client/blob/main/internal/s2a.go#L22-L31
Quality Gate passedIssues Measures |
HttpRequest request = | ||
transportFactory.create().createRequestFactory().buildGetRequest(genericUrl); | ||
request.setParser(parser); | ||
request.getHeaders().set(METADATA_FLAVOR, GOOGLE); | ||
request.setThrowExceptionOnExecuteError(false); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can the request be re-used across loops?
Not familiar with Java, but I imagine it's re-usable / expensive to create on each loop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in 1466f0d
String plaintextS2AAddress = ""; | ||
String mtlsS2AAddress = ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Why declare these at the top? Is it a code style choice?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It could be declared in the loop, moved in be1cfd2
.setMtlsAddress(mtlsS2AAddress) | ||
.build(); | ||
} | ||
return S2AConfig.createBuilder().build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So consumers will have to check if the config contains empty strings? Could you use a result type or other form of indication that you were unable to build a valid config?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was done to keep consistency with Go implementation: https://github.com/googleapis/google-api-go-client/blob/main/internal/s2a.go#L22
The rationale is that we do not want to throw an error from this API that the client has to handle. If any problem occurs querying the endpoint for the address, we return an empty address. The client can pass that empty address to the S2A Client libraries, which will throw an error (e.g. something like "Error: Empty S2A Address.").
99b7257
to
1466f0d
Compare
Add utility to get S2A address from MDS MTLS autoconfiguration endpoint.
This utility will be used when creating mTLS channel using S2A Java Client, which takes S2A Address as input to create S2AChannelCredentials.
Parallel change in go: googleapis/google-api-go-client#1874
S2A Java client: grpc/grpc-java#11113