[ISSUE apache#6866] Move the judgment logic of grpc TLS mode to improve the scalability of ProtocolNegotiator (apache#6867)

[ISSUE apache#6866] Move the judgment logic of grpc TLS mode to improve the scalability of ProtocolNegotiator

---------

Co-authored-by: 徒钟 <[email protected]>

Author: dingshuangxi888

Diff for: proxy/src/main/java/org/apache/rocketmq/proxy/grpc/GrpcServerBuilder.java

@@ -19,21 +19,11 @@
 import io.grpc.BindableService;
 import io.grpc.ServerInterceptor;
 import io.grpc.ServerServiceDefinition;
-import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
 import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
 import io.grpc.netty.shaded.io.netty.channel.epoll.EpollEventLoopGroup;
 import io.grpc.netty.shaded.io.netty.channel.epoll.EpollServerSocketChannel;
 import io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoopGroup;
 import io.grpc.netty.shaded.io.netty.channel.socket.nio.NioServerSocketChannel;
-import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
-import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
-import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
-import io.grpc.netty.shaded.io.netty.handler.ssl.util.SelfSignedCertificate;
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.security.cert.CertificateException;
 import java.util.List;
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
@@ -44,13 +34,10 @@
 import org.apache.rocketmq.logging.org.slf4j.Logger;
 import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
 import org.apache.rocketmq.proxy.config.ConfigurationManager;
-import org.apache.rocketmq.proxy.config.ProxyConfig;
 import org.apache.rocketmq.proxy.grpc.interceptor.AuthenticationInterceptor;
 import org.apache.rocketmq.proxy.grpc.interceptor.ContextInterceptor;
 import org.apache.rocketmq.proxy.grpc.interceptor.GlobalExceptionInterceptor;
 import org.apache.rocketmq.proxy.grpc.interceptor.HeaderInterceptor;
-import org.apache.rocketmq.remoting.common.TlsMode;
-import org.apache.rocketmq.remoting.netty.TlsSystemConfig;
 
 public class GrpcServerBuilder {
     private static final Logger log = LoggerFactory.getLogger(LoggerName.PROXY_LOGGER_NAME);
@@ -63,12 +50,7 @@ public static GrpcServerBuilder newBuilder(ThreadPoolExecutor executor, int port
     protected GrpcServerBuilder(ThreadPoolExecutor executor, int port) {
         serverBuilder = NettyServerBuilder.forPort(port);
 
-        try {
-            configSslContext(serverBuilder);
-        } catch (Exception e) {
-            log.error("grpc tls set failed. msg: {}, e:", e.getMessage(), e);
-            throw new RuntimeException("grpc tls set failed: " + e.getMessage());
-        }
+        serverBuilder.protocolNegotiator(new OptionalSSLProtocolNegotiator());
 
         // build server
         int bossLoopNum = ConfigurationManager.getProxyConfig().getGrpcBossLoopNum();
@@ -116,45 +98,6 @@ public GrpcServer build() {
         return new GrpcServer(this.serverBuilder.build());
     }
 
-    protected void configSslContext(NettyServerBuilder serverBuilder) throws IOException, CertificateException {
-        if (null == serverBuilder) {
-            return;
-        }
-
-        TlsMode tlsMode = TlsSystemConfig.tlsMode;
-        if (!TlsMode.DISABLED.equals(tlsMode)) {
-            SslContext sslContext = loadSslContext();
-            if (TlsMode.PERMISSIVE.equals(tlsMode)) {
-                serverBuilder.protocolNegotiator(new OptionalSSLProtocolNegotiator(sslContext));
-            } else {
-                serverBuilder.sslContext(sslContext);
-            }
-        }
-    }
-
-    protected SslContext loadSslContext() throws CertificateException, IOException {
-        ProxyConfig proxyConfig = ConfigurationManager.getProxyConfig();
-        if (proxyConfig.isTlsTestModeEnable()) {
-            SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
-            return GrpcSslContexts.forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
-                .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                .clientAuth(ClientAuth.NONE)
-                .build();
-        } else {
-            String tlsKeyPath = ConfigurationManager.getProxyConfig().getTlsKeyPath();
-            String tlsCertPath = ConfigurationManager.getProxyConfig().getTlsCertPath();
-            try (InputStream serverKeyInputStream = Files.newInputStream(Paths.get(tlsKeyPath));
-                 InputStream serverCertificateStream = Files.newInputStream(Paths.get(tlsCertPath))) {
-                SslContext res = GrpcSslContexts.forServer(serverCertificateStream, serverKeyInputStream)
-                    .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                    .clientAuth(ClientAuth.NONE)
-                    .build();
-                log.info("load TLS configured OK");
-                return res;
-            }
-        }
-    }
-
     public GrpcServerBuilder configInterceptor() {
         // grpc interceptors, including acl, logging etc.
         List<AccessValidator> accessValidators = ServiceProvider.load(AccessValidator.class);

Diff for: proxy/src/main/java/org/apache/rocketmq/proxy/grpc/OptionalSSLProtocolNegotiator.java

@@ -17,31 +17,44 @@
 package org.apache.rocketmq.proxy.grpc;
 
 import io.grpc.netty.shaded.io.grpc.netty.GrpcHttp2ConnectionHandler;
+import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
 import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiationEvent;
 import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiator;
 import io.grpc.netty.shaded.io.grpc.netty.InternalProtocolNegotiators;
 import io.grpc.netty.shaded.io.netty.buffer.ByteBuf;
 import io.grpc.netty.shaded.io.netty.channel.ChannelHandler;
 import io.grpc.netty.shaded.io.netty.channel.ChannelHandlerContext;
 import io.grpc.netty.shaded.io.netty.handler.codec.ByteToMessageDecoder;
+import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
 import io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler;
+import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import io.grpc.netty.shaded.io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.grpc.netty.shaded.io.netty.util.AsciiString;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.util.List;
 import org.apache.rocketmq.common.constant.LoggerName;
 import org.apache.rocketmq.logging.org.slf4j.Logger;
 import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
+import org.apache.rocketmq.proxy.config.ConfigurationManager;
+import org.apache.rocketmq.proxy.config.ProxyConfig;
+import org.apache.rocketmq.remoting.common.TlsMode;
+import org.apache.rocketmq.remoting.netty.TlsSystemConfig;
 
 public class OptionalSSLProtocolNegotiator implements InternalProtocolNegotiator.ProtocolNegotiator {
-    private static final Logger log = LoggerFactory.getLogger(LoggerName.PROXY_LOGGER_NAME);
-    private final SslContext sslContext;
+    protected static final Logger log = LoggerFactory.getLogger(LoggerName.PROXY_LOGGER_NAME);
+
     /**
      * the length of the ssl record header (in bytes)
      */
     private static final int SSL_RECORD_HEADER_LENGTH = 5;
 
-    public OptionalSSLProtocolNegotiator(SslContext sslContext) {
-        this.sslContext = sslContext;
+    private static SslContext sslContext;
+
+    public OptionalSSLProtocolNegotiator() {
+        sslContext = loadSslContext();
     }
 
     @Override
@@ -50,43 +63,81 @@ public AsciiString scheme() {
     }
 
     @Override
-    public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHttp2ConnectionHandler) {
-        ChannelHandler plaintext =
-            InternalProtocolNegotiators.serverPlaintext().newHandler(grpcHttp2ConnectionHandler);
-        ChannelHandler ssl =
-            InternalProtocolNegotiators.serverTls(sslContext).newHandler(grpcHttp2ConnectionHandler);
-        return new PortUnificationServerHandler(ssl, plaintext);
+    public ChannelHandler newHandler(GrpcHttp2ConnectionHandler grpcHandler) {
+        return new PortUnificationServerHandler(grpcHandler);
     }
 
     @Override
     public void close() {}
 
+    private static SslContext loadSslContext() {
+        try {
+            ProxyConfig proxyConfig = ConfigurationManager.getProxyConfig();
+            if (proxyConfig.isTlsTestModeEnable()) {
+                SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
+                return GrpcSslContexts.forServer(selfSignedCertificate.certificate(),
+                                selfSignedCertificate.privateKey())
+                        .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                        .clientAuth(ClientAuth.NONE)
+                        .build();
+            } else {
+                String tlsKeyPath = ConfigurationManager.getProxyConfig().getTlsKeyPath();
+                String tlsCertPath = ConfigurationManager.getProxyConfig().getTlsCertPath();
+                try (InputStream serverKeyInputStream = Files.newInputStream(
+                        Paths.get(tlsKeyPath));
+                        InputStream serverCertificateStream = Files.newInputStream(
+                                Paths.get(tlsCertPath))) {
+                    SslContext res = GrpcSslContexts.forServer(serverCertificateStream,
+                                    serverKeyInputStream)
+                            .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                            .clientAuth(ClientAuth.NONE)
+                            .build();
+                    log.info("grpc load TLS configured OK");
+                    return res;
+                }
+            }
+        } catch (Exception e) {
+            log.error("grpc tls set failed. msg: {}, e:", e.getMessage(), e);
+            throw new RuntimeException("grpc tls set failed: " + e.getMessage());
+        }
+    }
+
     public static class PortUnificationServerHandler extends ByteToMessageDecoder {
+
         private final ChannelHandler ssl;
         private final ChannelHandler plaintext;
 
-        public PortUnificationServerHandler(ChannelHandler ssl, ChannelHandler plaintext) {
-            this.ssl = ssl;
-            this.plaintext = plaintext;
+        public PortUnificationServerHandler(GrpcHttp2ConnectionHandler grpcHandler) {
+            this.ssl = InternalProtocolNegotiators.serverTls(sslContext)
+                    .newHandler(grpcHandler);
+            this.plaintext = InternalProtocolNegotiators.serverPlaintext()
+                    .newHandler(grpcHandler);
         }
 
         @Override
         protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out)
-            throws Exception {
+                throws Exception {
             try {
-                // in SslHandler.isEncrypted, it need at least 5 bytes to judge is encrypted or not
-                if (in.readableBytes() < SSL_RECORD_HEADER_LENGTH) {
-                    return;
-                }
-                if (SslHandler.isEncrypted(in)) {
+                TlsMode tlsMode = TlsSystemConfig.tlsMode;
+                if (TlsMode.ENFORCING.equals(tlsMode)) {
                     ctx.pipeline().addAfter(ctx.name(), null, this.ssl);
-                } else {
+                } else if (TlsMode.DISABLED.equals(tlsMode)) {
                     ctx.pipeline().addAfter(ctx.name(), null, this.plaintext);
+                } else {
+                    // in SslHandler.isEncrypted, it need at least 5 bytes to judge is encrypted or not
+                    if (in.readableBytes() < SSL_RECORD_HEADER_LENGTH) {
+                        return;
+                    }
+                    if (SslHandler.isEncrypted(in)) {
+                        ctx.pipeline().addAfter(ctx.name(), null, this.ssl);
+                    } else {
+                        ctx.pipeline().addAfter(ctx.name(), null, this.plaintext);
+                    }
                 }
                 ctx.fireUserEventTriggered(InternalProtocolNegotiationEvent.getDefault());
                 ctx.pipeline().remove(this);
             } catch (Exception e) {
-                log.error("process protocol negotiator failed.", e);
+                log.error("process ssl protocol negotiator failed.", e);
                 throw e;
             }
         }