xds: security code refactoring/renaming (#9555)

* xds: security code refactoring/renaming
1) move certprovider package under security
2) refactor inner Factory into  CertProviderClientSslContextProviderFactory and CertProviderServerSslContextProviderFactory
3) Make CertProviderClientSslContextProvider and CertProviderServerSslContextProvider non-public
4) use only public (non package private) types like SslContextProvider (instead of CertProviderClientSslContextProvider etc)

xds/src/main/java/io/grpc/xds/internal/security/ClientSslContextProviderFactory.java

@@ -20,23 +20,23 @@
 
 import io.grpc.xds.Bootstrapper.BootstrapInfo;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
-import io.grpc.xds.internal.certprovider.CertProviderClientSslContextProvider;
 import io.grpc.xds.internal.security.ReferenceCountingMap.ValueFactory;
+import io.grpc.xds.internal.security.certprovider.CertProviderClientSslContextProviderFactory;
 
 /** Factory to create client-side SslContextProvider from UpstreamTlsContext. */
 final class ClientSslContextProviderFactory
     implements ValueFactory<UpstreamTlsContext, SslContextProvider> {
 
   private BootstrapInfo bootstrapInfo;
-  private final CertProviderClientSslContextProvider.Factory
+  private final CertProviderClientSslContextProviderFactory
       certProviderClientSslContextProviderFactory;
 
   ClientSslContextProviderFactory(BootstrapInfo bootstrapInfo) {
-    this(bootstrapInfo, CertProviderClientSslContextProvider.Factory.getInstance());
+    this(bootstrapInfo, CertProviderClientSslContextProviderFactory.getInstance());
   }
 
   ClientSslContextProviderFactory(
-      BootstrapInfo bootstrapInfo, CertProviderClientSslContextProvider.Factory factory) {
+      BootstrapInfo bootstrapInfo, CertProviderClientSslContextProviderFactory factory) {
     this.bootstrapInfo = bootstrapInfo;
     this.certProviderClientSslContextProviderFactory = factory;
   }

xds/src/main/java/io/grpc/xds/internal/security/DynamicSslContextProvider.java

@@ -21,6 +21,7 @@
 import com.google.common.collect.ImmutableList;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.grpc.Internal;
 import io.grpc.Status;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
@@ -34,6 +35,7 @@
 import javax.annotation.Nullable;
 
 /** Base class for dynamic {@link SslContextProvider}s. */
+@Internal
 public abstract class DynamicSslContextProvider extends SslContextProvider {
 
   protected final List<Callback> pendingCallbacks = new ArrayList<>();

xds/src/main/java/io/grpc/xds/internal/security/ServerSslContextProviderFactory.java

@@ -20,23 +20,23 @@
 
 import io.grpc.xds.Bootstrapper.BootstrapInfo;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
-import io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider;
 import io.grpc.xds.internal.security.ReferenceCountingMap.ValueFactory;
+import io.grpc.xds.internal.security.certprovider.CertProviderServerSslContextProviderFactory;
 
 /** Factory to create server-side SslContextProvider from DownstreamTlsContext. */
 final class ServerSslContextProviderFactory
     implements ValueFactory<DownstreamTlsContext, SslContextProvider> {
 
   private BootstrapInfo bootstrapInfo;
-  private final CertProviderServerSslContextProvider.Factory
+  private final CertProviderServerSslContextProviderFactory
       certProviderServerSslContextProviderFactory;
 
   ServerSslContextProviderFactory(BootstrapInfo bootstrapInfo) {
-    this(bootstrapInfo, CertProviderServerSslContextProvider.Factory.getInstance());
+    this(bootstrapInfo, CertProviderServerSslContextProviderFactory.getInstance());
   }
 
   ServerSslContextProviderFactory(
-      BootstrapInfo bootstrapInfo, CertProviderServerSslContextProvider.Factory factory) {
+      BootstrapInfo bootstrapInfo, CertProviderServerSslContextProviderFactory factory) {
     this.bootstrapInfo = bootstrapInfo;
     this.certProviderServerSslContextProviderFactory = factory;
   }

xds/src/main/java/io/grpc/xds/internal/security/SslContextProvider.java

@@ -21,6 +21,7 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.grpc.Internal;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
@@ -39,6 +40,7 @@
  * stream that is receiving the requested secret(s) or it could represent file-system based
  * secret(s) that are dynamic.
  */
+@Internal
 public abstract class SslContextProvider implements Closeable {
 
   protected final BaseTlsContext tlsContext;

xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderClientSslContextProvider.java → xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java

@@ -14,15 +14,13 @@
  * limitations under the License.
  */
 
-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
-import com.google.common.annotations.VisibleForTesting;
 import io.envoyproxy.envoy.config.core.v3.Node;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
-import io.grpc.Internal;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
@@ -34,10 +32,9 @@
 import javax.annotation.Nullable;
 
 /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */
-@Internal
-public final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
+final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {
 
-  private CertProviderClientSslContextProvider(
+  CertProviderClientSslContextProvider(
       Node node,
       @Nullable Map<String, CertificateProviderInfo> certProviders,
       CommonTlsContext.CertificateProviderInstance certInstance,
@@ -71,42 +68,4 @@ protected final SslContextBuilder getSslContextBuilder(
     return sslContextBuilder;
   }
 
-  /** Creates CertProviderClientSslContextProvider. */
-  @Internal
-  public static final class Factory {
-    private static final Factory DEFAULT_INSTANCE =
-        new Factory(CertificateProviderStore.getInstance());
-    private final CertificateProviderStore certificateProviderStore;
-
-    @VisibleForTesting public Factory(CertificateProviderStore certificateProviderStore) {
-      this.certificateProviderStore = certificateProviderStore;
-    }
-
-    public static Factory getInstance() {
-      return DEFAULT_INSTANCE;
-    }
-
-    /** Creates a {@link CertProviderClientSslContextProvider}. */
-    public CertProviderClientSslContextProvider getProvider(
-        UpstreamTlsContext upstreamTlsContext,
-        Node node,
-        @Nullable Map<String, CertificateProviderInfo> certProviders) {
-      checkNotNull(upstreamTlsContext, "upstreamTlsContext");
-      CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext();
-      CertificateValidationContext staticCertValidationContext = getStaticValidationContext(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance rootCertInstance = getRootCertProviderInstance(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance certInstance = getCertProviderInstance(
-          commonTlsContext);
-      return new CertProviderClientSslContextProvider(
-          node,
-          certProviders,
-          certInstance,
-          rootCertInstance,
-          staticCertValidationContext,
-          upstreamTlsContext,
-          certificateProviderStore);
-    }
-  }
 }

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderFactory.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright 2022 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.security.certprovider;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.envoyproxy.envoy.config.core.v3.Node;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.grpc.Internal;
+import io.grpc.xds.Bootstrapper.CertificateProviderInfo;
+import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
+import io.grpc.xds.internal.security.SslContextProvider;
+import java.util.Map;
+import javax.annotation.Nullable;
+
+/**
+ * Creates CertProviderClientSslContextProvider.
+ */
+@Internal
+public final class CertProviderClientSslContextProviderFactory {
+
+  private static final CertProviderClientSslContextProviderFactory DEFAULT_INSTANCE =
+      new CertProviderClientSslContextProviderFactory(CertificateProviderStore.getInstance());
+  private final CertificateProviderStore certificateProviderStore;
+
+  @VisibleForTesting
+  public CertProviderClientSslContextProviderFactory(
+      CertificateProviderStore certificateProviderStore) {
+    this.certificateProviderStore = certificateProviderStore;
+  }
+
+  public static CertProviderClientSslContextProviderFactory getInstance() {
+    return DEFAULT_INSTANCE;
+  }
+
+  /**
+   * Creates a {@link CertProviderClientSslContextProvider}.
+   */
+  public SslContextProvider getProvider(
+      UpstreamTlsContext upstreamTlsContext,
+      Node node,
+      @Nullable Map<String, CertificateProviderInfo> certProviders) {
+    checkNotNull(upstreamTlsContext, "upstreamTlsContext");
+    CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext();
+    CertificateValidationContext staticCertValidationContext
+        = CertProviderSslContextProvider.getStaticValidationContext(commonTlsContext);
+    CommonTlsContext.CertificateProviderInstance rootCertInstance
+        = CertProviderSslContextProvider.getRootCertProviderInstance(commonTlsContext);
+    CommonTlsContext.CertificateProviderInstance certInstance
+        = CertProviderSslContextProvider.getCertProviderInstance(commonTlsContext);
+    return new CertProviderClientSslContextProvider(
+        node,
+        certProviders,
+        certInstance,
+        rootCertInstance,
+        staticCertValidationContext,
+        upstreamTlsContext,
+        certificateProviderStore);
+  }
+}

xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderServerSslContextProvider.java → xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderServerSslContextProvider.java

@@ -14,21 +14,18 @@
  * limitations under the License.
  */
 
-package io.grpc.xds.internal.certprovider;
+package io.grpc.xds.internal.security.certprovider;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
-import com.google.common.annotations.VisibleForTesting;
 import io.envoyproxy.envoy.config.core.v3.Node;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
-import io.grpc.Internal;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.internal.security.trust.XdsTrustManagerFactory;
 import io.netty.handler.ssl.SslContextBuilder;
-
 import java.io.IOException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
@@ -37,17 +34,16 @@
 import javax.annotation.Nullable;
 
 /** A server SslContext provider using CertificateProviderInstance to fetch secrets. */
-@Internal
-public final class CertProviderServerSslContextProvider extends CertProviderSslContextProvider {
+final class CertProviderServerSslContextProvider extends CertProviderSslContextProvider {
 
-  private CertProviderServerSslContextProvider(
-          Node node,
-          @Nullable Map<String, CertificateProviderInfo> certProviders,
-          CommonTlsContext.CertificateProviderInstance certInstance,
-          CommonTlsContext.CertificateProviderInstance rootCertInstance,
-          CertificateValidationContext staticCertValidationContext,
-          DownstreamTlsContext downstreamTlsContext,
-          CertificateProviderStore certificateProviderStore) {
+  CertProviderServerSslContextProvider(
+      Node node,
+      @Nullable Map<String, CertificateProviderInfo> certProviders,
+      CommonTlsContext.CertificateProviderInstance certInstance,
+      CommonTlsContext.CertificateProviderInstance rootCertInstance,
+      CertificateValidationContext staticCertValidationContext,
+      DownstreamTlsContext downstreamTlsContext,
+      CertificateProviderStore certificateProviderStore) {
     super(
         node,
         certProviders,
@@ -74,42 +70,4 @@ protected final SslContextBuilder getSslContextBuilder(
     return sslContextBuilder;
   }
 
-  /** Creates CertProviderServerSslContextProvider. */
-  @Internal
-  public static final class Factory {
-    private static final Factory DEFAULT_INSTANCE =
-        new Factory(CertificateProviderStore.getInstance());
-    private final CertificateProviderStore certificateProviderStore;
-
-    @VisibleForTesting public Factory(CertificateProviderStore certificateProviderStore) {
-      this.certificateProviderStore = certificateProviderStore;
-    }
-
-    public static Factory getInstance() {
-      return DEFAULT_INSTANCE;
-    }
-
-    /** Creates a {@link CertProviderServerSslContextProvider}. */
-    public CertProviderServerSslContextProvider getProvider(
-        DownstreamTlsContext downstreamTlsContext,
-        Node node,
-        @Nullable Map<String, CertificateProviderInfo> certProviders) {
-      checkNotNull(downstreamTlsContext, "downstreamTlsContext");
-      CommonTlsContext commonTlsContext = downstreamTlsContext.getCommonTlsContext();
-      CertificateValidationContext staticCertValidationContext = getStaticValidationContext(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance rootCertInstance = getRootCertProviderInstance(
-          commonTlsContext);
-      CommonTlsContext.CertificateProviderInstance certInstance = getCertProviderInstance(
-          commonTlsContext);
-      return new CertProviderServerSslContextProvider(
-          node,
-          certProviders,
-          certInstance,
-          rootCertInstance,
-          staticCertValidationContext,
-          downstreamTlsContext,
-          certificateProviderStore);
-    }
-  }
 }