xds: Enable deprecation warnings

The security code referenced fields removed from gRFC A29 before it was
finalized.

Note that this fixes a bug in CommonTlsContextUtil where
CombinedValidationContext was not checked. I believe this was the only
location with such a bug as I audited all non-test usages of
has/getValidationContext() and confirmed they have have a corresponding
has/getCombinedValidationContext().

Author: ejona86

Diff for: xds/build.gradle

@@ -133,8 +133,6 @@ tasks.named("checkstyleThirdparty").configure {
 
 tasks.named("compileJava").configure {
     it.options.compilerArgs += [
-        // TODO: remove
-        "-Xlint:-deprecation",
         // only has AutoValue annotation processor
         "-Xlint:-processing",
     ]

Diff for: xds/src/main/java/io/grpc/xds/ClusterResolverLoadBalancer.java

@@ -673,7 +673,7 @@ public Status onResult2(final ResolutionResult resolutionResult) {
                   resolutionResult.getAddressesOrError();
           if (addressesOrError.hasValue()) {
             backoffPolicy = null;  // reset backoff sequence if succeeded
-            for (EquivalentAddressGroup eag : resolutionResult.getAddresses()) {
+            for (EquivalentAddressGroup eag : addressesOrError.getValue()) {
               // No weight attribute is attached, all endpoint-level LB policy should be able
               // to handle such it.
               String localityName = localityName(LOGICAL_DNS_CLUSTER_LOCALITY);

Diff for: xds/src/main/java/io/grpc/xds/RbacFilter.java

@@ -276,8 +276,13 @@ private static Matcher parsePrincipal(Principal principal) {
         return createSourceIpMatcher(principal.getDirectRemoteIp());
       case REMOTE_IP:
         return createSourceIpMatcher(principal.getRemoteIp());
-      case SOURCE_IP:
-        return createSourceIpMatcher(principal.getSourceIp());
+      case SOURCE_IP: {
+        // gRFC A41 has identical handling of source_ip as remote_ip and direct_remote_ip and
+        // pre-dates the deprecation.
+        @SuppressWarnings("deprecation")
+        CidrRange sourceIp = principal.getSourceIp();
+        return createSourceIpMatcher(sourceIp);
+      }
       case HEADER:
         return parseHeaderMatcher(principal.getHeader());
       case NOT_ID:

Diff for: xds/src/main/java/io/grpc/xds/XdsClusterResource.java

@@ -450,15 +450,6 @@ static void validateCommonTlsContext(
       throw new ResourceInvalidException(
           "common-tls-context with validation_context_sds_secret_config is not supported");
     }
-    if (commonTlsContext.hasValidationContextCertificateProvider()) {
-      throw new ResourceInvalidException(
-          "common-tls-context with validation_context_certificate_provider is not supported");
-    }
-    if (commonTlsContext.hasValidationContextCertificateProviderInstance()) {
-      throw new ResourceInvalidException(
-          "common-tls-context with validation_context_certificate_provider_instance is not"
-              + " supported");
-    }
     String certInstanceName = getIdentityCertInstanceName(commonTlsContext);
     if (certInstanceName == null) {
       if (server) {
@@ -473,10 +464,6 @@ static void validateCommonTlsContext(
         throw new ResourceInvalidException(
             "tls_certificate_provider_instance is unset");
       }
-      if (commonTlsContext.hasTlsCertificateCertificateProvider()) {
-        throw new ResourceInvalidException(
-            "tls_certificate_provider_instance is unset");
-      }
     } else if (certProviderInstances == null || !certProviderInstances.contains(certInstanceName)) {
       throw new ResourceInvalidException(
           "CertificateProvider instance name '" + certInstanceName
@@ -505,7 +492,9 @@ static void validateCommonTlsContext(
             .getDefaultValidationContext();
       }
       if (certificateValidationContext != null) {
-        if (certificateValidationContext.getMatchSubjectAltNamesCount() > 0 && server) {
+        @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
+        int matchSubjectAltNamesCount = certificateValidationContext.getMatchSubjectAltNamesCount();
+        if (matchSubjectAltNamesCount > 0 && server) {
           throw new ResourceInvalidException(
               "match_subject_alt_names only allowed in upstream_tls_context");
         }
@@ -536,8 +525,6 @@ static void validateCommonTlsContext(
   private static String getIdentityCertInstanceName(CommonTlsContext commonTlsContext) {
     if (commonTlsContext.hasTlsCertificateProviderInstance()) {
       return commonTlsContext.getTlsCertificateProviderInstance().getInstanceName();
-    } else if (commonTlsContext.hasTlsCertificateCertificateProviderInstance()) {
-      return commonTlsContext.getTlsCertificateCertificateProviderInstance().getInstanceName();
     }
     return null;
   }
@@ -556,10 +543,6 @@ private static String getRootCertInstanceName(CommonTlsContext commonTlsContext)
           .hasCaCertificateProviderInstance()) {
         return combinedCertificateValidationContext.getDefaultValidationContext()
             .getCaCertificateProviderInstance().getInstanceName();
-      } else if (combinedCertificateValidationContext
-          .hasValidationContextCertificateProviderInstance()) {
-        return combinedCertificateValidationContext
-            .getValidationContextCertificateProviderInstance().getInstanceName();
       }
     }
     return null;

Diff for: xds/src/main/java/io/grpc/xds/XdsRouteConfigureResource.java

@@ -451,8 +451,7 @@ static StructOrError<RouteAction> parseRouteAction(
               config.getHeader();
           Pattern regEx = null;
           String regExSubstitute = null;
-          if (headerCfg.hasRegexRewrite() && headerCfg.getRegexRewrite().hasPattern()
-              && headerCfg.getRegexRewrite().getPattern().hasGoogleRe2()) {
+          if (headerCfg.hasRegexRewrite() && headerCfg.getRegexRewrite().hasPattern()) {
             regEx = Pattern.compile(headerCfg.getRegexRewrite().getPattern().getRegex());
             regExSubstitute = headerCfg.getRegexRewrite().getSubstitution();
           }

Diff for: xds/src/main/java/io/grpc/xds/internal/MatcherParser.java

@@ -26,9 +26,12 @@ public static Matchers.HeaderMatcher parseHeaderMatcher(
           io.envoyproxy.envoy.config.route.v3.HeaderMatcher proto) {
     switch (proto.getHeaderMatchSpecifierCase()) {
       case EXACT_MATCH:
+        @SuppressWarnings("deprecation") // gRFC A63: support indefinitely
+        String exactMatch = proto.getExactMatch();
         return Matchers.HeaderMatcher.forExactValue(
-                        proto.getName(), proto.getExactMatch(), proto.getInvertMatch());
+                        proto.getName(), exactMatch, proto.getInvertMatch());
       case SAFE_REGEX_MATCH:
+        @SuppressWarnings("deprecation") // gRFC A63: support indefinitely
         String rawPattern = proto.getSafeRegexMatch().getRegex();
         Pattern safeRegExMatch;
         try {
@@ -49,14 +52,20 @@ public static Matchers.HeaderMatcher parseHeaderMatcher(
         return Matchers.HeaderMatcher.forPresent(
               proto.getName(), proto.getPresentMatch(), proto.getInvertMatch());
       case PREFIX_MATCH:
+        @SuppressWarnings("deprecation") // gRFC A63: support indefinitely
+        String prefixMatch = proto.getPrefixMatch();
         return Matchers.HeaderMatcher.forPrefix(
-              proto.getName(), proto.getPrefixMatch(), proto.getInvertMatch());
+              proto.getName(), prefixMatch, proto.getInvertMatch());
       case SUFFIX_MATCH:
+        @SuppressWarnings("deprecation") // gRFC A63: support indefinitely
+        String suffixMatch = proto.getSuffixMatch();
         return Matchers.HeaderMatcher.forSuffix(
-              proto.getName(), proto.getSuffixMatch(), proto.getInvertMatch());
+              proto.getName(), suffixMatch, proto.getInvertMatch());
       case CONTAINS_MATCH:
+        @SuppressWarnings("deprecation") // gRFC A63: support indefinitely
+        String containsMatch = proto.getContainsMatch();
         return Matchers.HeaderMatcher.forContains(
-              proto.getName(), proto.getContainsMatch(), proto.getInvertMatch());
+              proto.getName(), containsMatch, proto.getInvertMatch());
       case STRING_MATCH:
         return Matchers.HeaderMatcher.forString(
           proto.getName(), parseStringMatcher(proto.getStringMatch()), proto.getInvertMatch());

Diff for: xds/src/main/java/io/grpc/xds/internal/security/CommonTlsContextUtil.java

@@ -18,7 +18,6 @@
 
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
-import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
 
 /** Class for utility functions for {@link CommonTlsContext}. */
 public final class CommonTlsContextUtil {
@@ -29,30 +28,18 @@ public static boolean hasCertProviderInstance(CommonTlsContext commonTlsContext)
     if (commonTlsContext == null) {
       return false;
     }
-    return hasIdentityCertificateProviderInstance(commonTlsContext)
-        || hasCertProviderValidationContext(commonTlsContext);
-  }
-
-  private static boolean hasCertProviderValidationContext(CommonTlsContext commonTlsContext) {
-    if (commonTlsContext.hasCombinedValidationContext()) {
-      CombinedCertificateValidationContext combinedCertificateValidationContext =
-          commonTlsContext.getCombinedValidationContext();
-      return combinedCertificateValidationContext.hasValidationContextCertificateProviderInstance();
-    }
-    return hasValidationProviderInstance(commonTlsContext);
-  }
-
-  private static boolean hasIdentityCertificateProviderInstance(CommonTlsContext commonTlsContext) {
     return commonTlsContext.hasTlsCertificateProviderInstance()
-        || commonTlsContext.hasTlsCertificateCertificateProviderInstance();
+        || hasValidationProviderInstance(commonTlsContext);
   }
 
   private static boolean hasValidationProviderInstance(CommonTlsContext commonTlsContext) {
     if (commonTlsContext.hasValidationContext() && commonTlsContext.getValidationContext()
         .hasCaCertificateProviderInstance()) {
       return true;
     }
-    return commonTlsContext.hasValidationContextCertificateProviderInstance();
+    return commonTlsContext.hasCombinedValidationContext()
+        && commonTlsContext.getCombinedValidationContext().getDefaultValidationContext()
+          .hasCaCertificateProviderInstance();
   }
 
   /**

Diff for: xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java

@@ -99,8 +99,6 @@ protected static CertificateProviderInstance getCertProviderInstance(
       CommonTlsContext commonTlsContext) {
     if (commonTlsContext.hasTlsCertificateProviderInstance()) {
       return CommonTlsContextUtil.convert(commonTlsContext.getTlsCertificateProviderInstance());
-    } else if (commonTlsContext.hasTlsCertificateCertificateProviderInstance()) {
-      return commonTlsContext.getTlsCertificateCertificateProviderInstance();
     }
     return null;
   }
@@ -128,15 +126,6 @@ protected static CommonTlsContext.CertificateProviderInstance getRootCertProvide
     if (certValidationContext != null && certValidationContext.hasCaCertificateProviderInstance()) {
       return CommonTlsContextUtil.convert(certValidationContext.getCaCertificateProviderInstance());
     }
-    if (commonTlsContext.hasCombinedValidationContext()) {
-      CommonTlsContext.CombinedCertificateValidationContext combinedValidationContext =
-          commonTlsContext.getCombinedValidationContext();
-      if (combinedValidationContext.hasValidationContextCertificateProviderInstance()) {
-        return combinedValidationContext.getValidationContextCertificateProviderInstance();
-      }
-    } else if (commonTlsContext.hasValidationContextCertificateProviderInstance()) {
-      return commonTlsContext.getValidationContextCertificateProviderInstance();
-    }
     return null;
   }
 

Diff for: xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -207,6 +207,7 @@ void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws Certifi
     if (certContext == null) {
       return;
     }
+    @SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
     List<StringMatcher> verifyList = certContext.getMatchSubjectAltNamesList();
     if (verifyList.isEmpty()) {
       return;

Diff for: xds/src/test/java/io/grpc/xds/FilterChainMatchingProtocolNegotiatorsTest.java

@@ -1125,7 +1125,6 @@ public void filterChain_5stepMatch() throws Exception {
   }
 
   @Test
-  @SuppressWarnings("deprecation")
   public void filterChainMatch_unsupportedMatchers() throws Exception {
     EnvoyServerProtoData.DownstreamTlsContext tlsContext1 =
             CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "ROOTCA");
@@ -1194,7 +1193,7 @@ public void filterChainMatch_unsupportedMatchers() throws Exception {
     assertThat(sslSet.get()).isEqualTo(defaultFilterChain.sslContextProviderSupplier());
     assertThat(routingSettable.get()).isEqualTo(noopConfig);
     assertThat(sslSet.get().getTlsContext().getCommonTlsContext()
-            .getTlsCertificateCertificateProviderInstance()
+            .getTlsCertificateProviderInstance()
             .getCertificateName()).isEqualTo("CERT3");
   }