Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

credentials: Apply defaults to TLS configs provided through GetConfigForClient #7754

Merged
merged 6 commits into from
Oct 22, 2024
Merged

credentials: Apply defaults to TLS configs provided through GetConfigForClient #7754

merged 6 commits into from
Oct 22, 2024

Conversation

arjan-bal
Copy link
Contributor

@arjan-bal arjan-bal commented Oct 17, 2024
edited
Loading

Fixes: #7709

TLS server configs provided at TLS handshake time through GetConfigForClient were not modified by grpc-go to ensure secure defaults and a valid ALPN configuration. This PR applies the same handling applied to static TLS configs to the configs obtained by GetConfigForClient.

RELEASE NOTES:

  • credentials: TLS credentials created via NewTLS that use tls.Config.GetConfigForClient will now have necessary gRPC-Go defaults, namely CipherSuites, supported TLS versions and ALPN configured automatically. This handling was already present for configs not using the GetConfigForClient function.

@arjan-bal arjan-bal added the Type: Feature New features or improvements in behavior label Oct 17, 2024
@arjan-bal arjan-bal added this to the 1.69 Release milestone Oct 17, 2024
@arjan-bal arjan-bal force-pushed the defaults-in-get-config-for-client branch from b3de47d to 87016c7 Compare October 17, 2024 11:43
@codecov Codecov
Copy link

codecov bot commented Oct 17, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.81%. Comparing base (c538c31) to head (0922abc).
Report is 28 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #7754      +/-   ##
==========================================
+ Coverage   79.70%   79.81%   +0.11%     
==========================================
  Files         365      365              
  Lines       36383    36394      +11     
==========================================
+ Hits        29000    29049      +49     
+ Misses       6183     6154      -29     
+ Partials     1200     1191       -9
Files with missing lines Coverage Δ
credentials/tls.go 86.57% <100.00%> (+1.06%) ⬆️

... and 17 files with indirect coverage changes

@arjan-bal arjan-bal added the Type: Behavior Change Behavior changes not categorized as bugs label Oct 17, 2024
gtcooke94
gtcooke94 reviewed Oct 17, 2024
View reviewed changes
Copy link
Contributor

@gtcooke94 gtcooke94 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

cc: @matthewstevenson88

I think this is good, NewTLS should (generally) support the features of the tls.Config where we can and it makes sense. WDYT Matt?

I haven't done a pass on the test file yet, I'll go through that when we are sure we want to add this handling in general.

credentials/tls.go Outdated
@@ -200,25 +200,41 @@ var tls12ForbiddenCipherSuites = map[uint16]struct{}{

// NewTLS uses c to construct a TransportCredentials based on TLS.
func NewTLS(c *tls.Config) TransportCredentials {
tc := &tlsCreds{credinternal.CloneTLSConfig(c)}
tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos)
cfg := applyDefaults(c)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't shorten names - cfg -> config

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed as suggested.

credentials/tls.go Outdated
return applyDefaults(cfgForClient), nil
}
}
tc := &tlsCreds{config: cfg}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit tc -> creds

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed the temporary variable an inlined the return.

credentials/tls.go Show resolved Hide resolved
@gtcooke94
Copy link
Contributor

Also, regarding the release notes, let's specify that this is specifically for NewTLS as well, the advancedtls way of configuring would not be affected by this. Suggested wording:

credentials: TLS credentials created via NewTLS that use tls.Config.GetConfigForClient will now have necessary gRPC-Go defaults, namely CipherSuites, supported TLS versions and ALPN configured automatically. This handling was already present for configs not using the GetConfigForClient function.

@arjan-bal
Copy link
Contributor Author

Also, regarding the release notes, let's specify that this is specifically for NewTLS as well, the advancedtls way of configuring would not be affected by this. Suggested wording:

credentials: TLS credentials created via NewTLS that use tls.Config.GetConfigForClient will now have necessary gRPC-Go defaults, namely CipherSuites, supported TLS versions and ALPN configured automatically. This handling was already present for configs not using the GetConfigForClient function.

Updated, thanks for the suggestion.

easwars
easwars approved these changes Oct 17, 2024
View reviewed changes
Copy link
Contributor

@easwars easwars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

credentials/tls_ext_test.go Outdated Show resolved Hide resolved
credentials/tls_ext_test.go Outdated Show resolved Hide resolved
credentials/tls_ext_test.go Outdated Show resolved Hide resolved
@easwars easwars assigned arjan-bal and unassigned easwars Oct 17, 2024
gtcooke94
gtcooke94 approved these changes Oct 18, 2024
View reviewed changes
Copy link
Contributor

@gtcooke94 gtcooke94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just that one test structure question, otherwise LGTM

dfawley
dfawley approved these changes Oct 18, 2024
View reviewed changes
Copy link
Member

@dfawley dfawley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

@dfawley dfawley assigned arjan-bal and unassigned dfawley and gtcooke94 Oct 18, 2024
@arjan-bal arjan-bal merged commit 80937a9 into grpc:master Oct 22, 2024
15 checks passed
@arjan-bal arjan-bal deleted the defaults-in-get-config-for-client branch October 22, 2024 17:28
@DmitriyMV DmitriyMV mentioned this pull request Oct 22, 2024
Closed
@arjan-bal arjan-bal added Area: Auth Includes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc. and removed Area: Auth Includes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc. labels Nov 6, 2024
purnesh42H pushed a commit to purnesh42H/grpc-go that referenced this pull request Nov 6, 2024
@arjan-bal @purnesh42H
credentials: Apply defaults to TLS configs provided through GetConfig…
bcfee8a 
…ForClient (grpc#7754)
@purnesh42H purnesh42H mentioned this pull request Nov 6, 2024
Merged
purnesh42H added a commit that referenced this pull request Nov 6, 2024
@purnesh42H
credentials: Apply defaults to TLS configs provided through GetConfig…
5363dca 
…ForClient (#7754) (#7813)
misvivek pushed a commit to misvivek/grpc-go that referenced this pull request Nov 7, 2024
@arjan-bal @misvivek
credentials: Apply defaults to TLS configs provided through GetConfig…
f3dcf12 
…ForClient (grpc#7754)
@tbg tbg mentioned this pull request Nov 27, 2024
Draft
16 tasks
@dfawley dfawley modified the milestones: 1.69 Release, 1.68 Release Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gtcooke94 gtcooke94 gtcooke94 approved these changes

@dfawley dfawley dfawley approved these changes

@easwars easwars easwars approved these changes

Assignees

@arjan-bal arjan-bal

Labels
Type: Behavior Change Behavior changes not categorized as bugs Type: Feature New features or improvements in behavior
Projects
None yet
Milestone
1.68 Release
Development

Successfully merging this pull request may close these issues.

auto-set ALPN when using GetConfigForClient
5 participants
@arjan-bal @gtcooke94 @easwars @dfawley @matthewstevenson88