@eshitachandwani eshitachandwani commented Feb 6, 2025

Fixes: #5361

RELEASE NOTES:

  • Added a CallAuthority callOption that can be used to overwrite the http :authority header on a per-RPC basis.

@eshitachandwani eshitachandwani added the labels "Type: Feature" (New features or improvements in behavior) and "Area: Auth" (Includes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc.) Feb 6, 2025
@eshitachandwani eshitachandwani added this to the 1.71 Release milestone Feb 6, 2025

codecov bot commented Feb 6, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.24%. Comparing base (0003b4f) to head (4efe178).
Report is 94 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #8068      +/-   ##
==========================================
- Coverage   82.32%   82.24%   -0.08%     
==========================================
  Files         387      417      +30     
  Lines       39064    41385    +2321     
==========================================
+ Hits        32159    34037    +1878     
- Misses       5593     5926     +333     
- Partials     1312     1422     +110     
Files with missing lines Coverage Δ
credentials/credentials.go 88.57% <ø> (+0.69%) ⬆️
credentials/insecure/insecure.go 83.33% <100.00%> (+1.51%) ⬆️
credentials/tls.go 90.50% <100.00%> (+3.92%) ⬆️
internal/transport/http2_client.go 92.36% <100.00%> (+0.66%) ⬆️
internal/transport/transport.go 91.56% <ø> (ø)
rpc_util.go 82.51% <100.00%> (+1.84%) ⬆️
stream.go 81.82% <100.00%> (+0.04%) ⬆️

... and 140 files with indirect coverage changes

@purnesh42H purnesh42H left a comment

Overall lgtm. Just a few minor comments. I think we can combine some individual into t-tests.

@purnesh42H

Also, don't feel strongly, but maybe we can utilize the setup in tls_ext_test or move the tls tests to tls_ext_test.go

@easwars easwars removed their assignment Feb 14, 2025
@arjan-bal arjan-bal modified the milestones: 1.71 Release, 1.72 Release Feb 19, 2025
@eshitachandwani eshitachandwani requested a review from easwars April 14, 2025 19:23

purnesh42H commented Apr 22, 2025

Added a CallAuthority callOption that can be used to overwrite the http :authority header on a per-RPC basis.
Introduces an option AuthorityValidator interface which needs to be implemented by credentials that want to allow authority overwrite.
Adds implementations of AuthorityValidator interface for Insecure and TLS credentials.

These aren't the release notes, are they? Release notes need to make sense to the user, which is the new call option we are introducing. So it can be something close to what you have in the PR title. The above bullets can just be moved to the PR description.

rpc_util.go Outdated
}
func (o MaxRecvMsgSizeCallOption) after(*callInfo, *csAttempt) {}

// CallAuthority creates a CallOption that sets the HTTP/2 :authority header of
Contributor

I think we should mention here that if this dial option is used, the credentials in use must implement AuthorityValidator

Member Author

Done.

if callHdr.Authority != "" {
auth, ok := t.authInfo.(credentials.AuthorityValidator)
if !ok {
return nil, &NewStreamError{Err: status.Error(codes.Unavailable, fmt.Sprintf("credentials type %s does not implement the AuthorityValidator interface, but authority override specified with CallAuthority call option", t.authInfo.AuthType()))}
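
Review bot: The `!ok` branch reports a credentials type that lacks AuthorityValidator as codes.Unavailable, a code documented as most likely transient and commonly listed as retryable, while this condition is a fixed property of the configured credentials and fails identically on every attempt. Consider a code that does not invite retries, or a comment explaining why Unavailable is intended here.
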
Contributor

Same here too. Use status.Errorf.

Contributor

And use %q formatting directive for the credentials type.

Member Author

done.

return nil, &NewStreamError{Err: status.Error(codes.Unavailable, fmt.Sprintf("credentials type %s does not implement the AuthorityValidator interface, but authority override specified with CallAuthority call option", t.authInfo.AuthType()))}
}
if err := auth.ValidateAuthority(callHdr.Authority); err != nil {
return nil, &NewStreamError{Err: status.Error(codes.Unavailable, fmt.Sprintf("failed to validate authority %s : %s", callHdr.Authority, err))}
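
Review bot: In the ValidateAuthority failure path, callHdr.Authority is a per-call, caller-supplied string formatted with %s, so a value with leading or trailing whitespace or embedded control characters runs into the surrounding status message and any log line that records it. Formatting it with %q delimits the value, and the stray space before the colon in "%s : %s" can go at the same time.
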
Contributor

Both the above comments here too. And use %v for err.

Member Author

done.

@easwars easwars left a comment

LGTM modulo minor nits in this last pass

if authority == v.validAuthority {
return nil
}
return fmt.Errorf("invalid authority")
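
Review bot: `authority == v.validAuthority` is a byte-for-byte comparison, so a value that differs only in letter case or by an appended port is rejected as a different authority. If that strictness is intended, a short comment on the validator should say so; otherwise normalise both sides before comparing.
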
Contributor

Nit: capture the invalid authority value in the returned error

@easwars easwars assigned eshitachandwani and unassigned easwars and purnesh42H Apr 29, 2025
@eshitachandwani eshitachandwani merged commit 080f956 into grpc:master Apr 30, 2025
23 of 24 checks passed
purnesh42H pushed a commit to purnesh42H/grpc-go that referenced this pull request May 4, 2025
vinothkumarr227 pushed a commit to vinothkumarr227/grpc-go that referenced this pull request May 26, 2025

Successfully merging this pull request may close these issues.

grpc: add a call option to override the :authority header on a per-RPC basis