s2a: Add gRPC S2A

[rmehta19]

Add S2A Java client to gRPC Java.

Context: https://github.com/google/s2a-go/blob/main/README.md

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: rmehta19 / name: Riya Mehta (739ee23, 44fe552, f94cc10, b35f145, d1f413b, 46691df, f47c560, 72630d8, 42cd3e8, 2dd1c7e, 217a3e4)

[matthewstevenson88]

Thanks @rmehta19. Can you PTAL at the test failures?

[rmehta19]

@matthewstevenson88, I made 2 changes and it looks like 2/3 linux runs are passing. tests(11) is failing with an error in code that was not affected by this PR, so I don't think that failure is related.

The changes:

• The build originally failed because the generated grpc code in this PR did not match the code generated by the codegen plugin. I couldn't easily compile the codegen myself(due to reasons explained in: protoc-gen-grpc-java not available on apple m1 #7690). So instead I used the latest published binary available on https://mvnrepository.com/artifact/io.grpc/protoc-gen-grpc-java (1.63) to generate S2AServiceGrpc.java (Created and used a separate simple maven project just to run the plugin and get grpc gen code). Then I changed line 8 & 9 of S2AServiceGrpc.java to match other generated code in this repo (ex:

  grpc-java/alts/src/generated/main/grpc/io/grpc/alts/internal/HandshakerServiceGrpc.java

  Lines 8 to 9 in fb9a108

  	value = "by gRPC proto compiler",
  	comments = "Source: grpc/gcp/handshaker.proto")

  ). This resolved the errors thrown by

  grpc-java/.github/workflows/testing.yml

  Lines 65 to 66 in 3c867c9

  	- name: Check for modified codegen
  	run: test -z "$(git status --porcelain)" || (git status && echo Error Working directory is not clean. Forget to commit generated files? && false)

• A failure in the tests was caused when IntegrationTest.java is in package io.grpc.s2a: GetAuthenticationMechanismsTest.java fails because the flag is not being set by JCommander (or perhaps it is getting overwritten). When I moved IntegrationTest.java into the same package as GetAuthenticationMechanismsTest.java: io.grpc.s2a.handshaker, this error does not happen.

[matthewstevenson88]

Just to confirm, this proto will be removed from this PR once the other PR is merged?

[rmehta19]

I believe we will maintain a copy of the protos in this directory. IIUC, there is an automated process that syncs protos in grpc-proto to protos here. Context: grpc/grpc-proto#12

E.g. ALTS protos are maintained here: alts/src/main/proto/grpc/gcp

[matthewstevenson88]

Makes sense, thanks for clarifying!

[ejona86]

You'll want to add s2a to the list of modules we copy protos for:

grpc-java/buildscripts/sync-protos.sh

Line 11 in 06df25b

for project in alts grpclb services rls interop-testing; do

[rmehta19]

Done

[matthewstevenson88]

LGTM, thanks @rmehta19! When you have a chance, please remove "draft" to the PR title and can we say a bit more in the CL description including pointing to the S2A-Go README (similar to what we did in the proto PR)?

After that, can we get sign-off from @erm-g and @ejona86?

[rmehta19]

LGTM, thanks @rmehta19! When you have a chance, please remove "draft" to the PR title and can we say a bit more in the CL description including pointing to the S2A-Go README (similar to what we did in the proto PR)?

After that, can we get sign-off from @erm-g and @ejona86?

Done -- thank you for the review @matthewstevenson88!

[erm-g]

Not really sure about naming conventions here, but does 'releaseChannel' or 'returnToPool' sound better?

[rmehta19]

Changed naming to returnToPool.

See commit: S2AChannelPool returnChannel --> returnToPool name change.

cc: @matthewstevenson88

[erm-g]

Are we ok to keep it hardcoded instead of exposing it via some param/flag?

[rmehta19]

hardcoding 100000 seems fine to me, @matthewstevenson88 WDYT?

[matthewstevenson88]

If it's OK with you all, I'd prefer to keep it hardcoded until we have a use case that requires us to expose it.

[erm-g]

I'm not sure how numberOfUsersOfCachedChannel can be negative. It's a private var, and you decrease it by -1 in LOC 96 after checking that it's >0 in LOC 93. Am I missing something?

[rmehta19]

You are right, thanks for pointing this out -- removed this unnecessary state check.

[erm-g]

Are we ok to keep these 2 hardcoded instead of exposing it via some param/flag?

[rmehta19]

Hardcoding these two timeouts is ok with me, keeping it as is might help readability. @matthewstevenson88 WDYT?

[matthewstevenson88]

If it's OK with you all, I'd prefer to keep it hardcoded until we have a use case that requires us to expose it.

[erm-g]

Never seen such naming, typically in Java it's 'ConnectionClosedException'

[rmehta19]

Done. Changed to ConnectionClosedException.

[erm-g]

Looks like a getter, should it be 'getIdentity'?

[rmehta19]

Done.

[erm-g]

I'm not sure I understand why 'synchronized' is needed here.

[rmehta19]

This code doesn't exist anymore, as we removed the dependency on Jcommander and replaced it with a private field & setter

[erm-g]

Could you add the values you entered while generating certs?

[rmehta19]

Done, as discussed offline, I updated the README with the the values used to populate these fields.

@ejona86, does this sound ok to you? @erm-g pointed me to something similar he has done in go: https://github.com/grpc/grpc-go/pull/6670/files#diff-ac85255b49c8d65b03b560d9959b99c6d9338de1400da6fc2d4133a434a376ad

[ejona86]

You're using jcommander to just set a static field. This is many more steps than just having a package-private field/setter. Let's not add a dependency on jcommander.

[rmehta19]

Done: refactored and removed the JCommander dependency.

[ejona86]

To make sure I understand, s2a is the public API, and s2a/channel and s2a/handshaker are internal APIs. Are those internal APIs to be used anywhere, even within Google?

[ejona86]

Credentials must be thread-safe. Should this be on the Builder instead?

[rmehta19]

Yes, the Builder is the one that's not thread safe -- done.

[ejona86]

You'll want to add s2a to the list of modules we copy protos for:

grpc-java/buildscripts/sync-protos.sh

Line 11 in 06df25b

for project in alts grpclb services rls interop-testing; do

[rmehta19]

To make sure I understand, s2a is the public API, and s2a/channel and s2a/handshaker are internal APIs. Are those internal APIs to be used anywhere, even within Google?

Correct s2a is the public api, s2a/handshaker and s2a/channel are internal APIs to only be used within the s2a package.

cc: @matthewstevenson88

[rmehta19]

Thank you for reviewing @erm-g, @ejona86 ! I have addressed the comments in separate commits. PTAL when you get a chance, and provide any additional feedback.