Postponed resources allocation

Author: Zgoda91

util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java

@@ -460,7 +460,7 @@ public Builder setSslSocketAndEnginePeerVerifier(SslSocketAndEnginePeerVerifier
       return this;
     }
 
-    public AdvancedTlsX509TrustManager build() throws CertificateException {
+    public AdvancedTlsX509TrustManager build() {
       return new AdvancedTlsX509TrustManager(this.verification, this.socketAndEnginePeerVerifier);
     }
   }

xds/src/main/java/io/grpc/xds/GrpcXdsTransportFactory.java

@@ -55,6 +55,7 @@ public XdsTransport createForTest(ManagedChannel channel) {
   static class GrpcXdsTransport implements XdsTransport {
 
     private final ManagedChannel channel;
+    private final ResourceAllocatingChannelCredentials resourceAllocatingChannelCredentials;
     private final CallCredentials callCredentials;
 
     public GrpcXdsTransport(Bootstrapper.ServerInfo serverInfo) {
@@ -69,6 +70,13 @@ public GrpcXdsTransport(ManagedChannel channel) {
     public GrpcXdsTransport(Bootstrapper.ServerInfo serverInfo, CallCredentials callCredentials) {
       String target = serverInfo.target();
       ChannelCredentials channelCredentials = (ChannelCredentials) serverInfo.implSpecificConfig();
+      if (channelCredentials instanceof ResourceAllocatingChannelCredentials) {
+        this.resourceAllocatingChannelCredentials =
+            (ResourceAllocatingChannelCredentials) channelCredentials;
+        channelCredentials = resourceAllocatingChannelCredentials.acquireChannelCredentials();
+      } else {
+        this.resourceAllocatingChannelCredentials = null;
+      }
       this.channel = Grpc.newChannelBuilder(target, channelCredentials)
           .keepAliveTime(5, TimeUnit.MINUTES)
           .build();
@@ -78,6 +86,7 @@ public GrpcXdsTransport(Bootstrapper.ServerInfo serverInfo, CallCredentials call
     @VisibleForTesting
     public GrpcXdsTransport(ManagedChannel channel, CallCredentials callCredentials) {
       this.channel = checkNotNull(channel, "channel");
+      this.resourceAllocatingChannelCredentials = null;
       this.callCredentials = callCredentials;
     }
 
@@ -99,6 +108,9 @@ public <ReqT, RespT> StreamingCall<ReqT, RespT> createStreamingCall(
     @Override
     public void shutdown() {
       channel.shutdown();
+      if (resourceAllocatingChannelCredentials != null) {
+        resourceAllocatingChannelCredentials.releaseChannelCredentials();
+      }
     }
 
     private class XdsStreamingCall<ReqT, RespT> implements

xds/src/main/java/io/grpc/xds/ResourceAllocatingChannelCredentials.java

@@ -17,8 +17,10 @@
 package io.grpc.xds;
 
 import com.google.common.base.Preconditions;
+import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableList;
 import io.grpc.ChannelCredentials;
+import io.grpc.internal.GrpcUtil;
 import java.io.Closeable;
 
 /**
@@ -28,29 +30,47 @@
  */
 public final class ResourceAllocatingChannelCredentials extends ChannelCredentials {
   public static ChannelCredentials create(
-      ChannelCredentials channelCreds, ImmutableList<Closeable> resources) {
-    return new ResourceAllocatingChannelCredentials(channelCreds, resources);
+      ChannelCredentials channelCreds, Supplier<ImmutableList<Closeable>> resourcesSupplier) {
+    return new ResourceAllocatingChannelCredentials(channelCreds, resourcesSupplier);
   }
 
   private final ChannelCredentials channelCreds;
-  private final ImmutableList<Closeable> resources;
+  private final Supplier<ImmutableList<Closeable>> resourcesSupplier;
+  private int refCount;
+  private ImmutableList<Closeable> resourcesReleaser;
 
   private ResourceAllocatingChannelCredentials(
-      ChannelCredentials channelCreds, ImmutableList<Closeable> resources) {
+      ChannelCredentials channelCreds, Supplier<ImmutableList<Closeable>> resourcesSupplier) {
     this.channelCreds = Preconditions.checkNotNull(channelCreds, "channelCreds");
-    this.resources = Preconditions.checkNotNull(resources, "resources");
+    this.resourcesSupplier = Preconditions.checkNotNull(resourcesSupplier, "resourcesSupplier");
+    this.refCount = 0;
+    this.resourcesReleaser = null;
   }
 
-  public ChannelCredentials getChannelCredentials() {
+  public synchronized ChannelCredentials acquireChannelCredentials() {
+    if (refCount++ == 0) {
+      resourcesReleaser = resourcesSupplier.get();
+    }
     return channelCreds;
   }
 
-  public ImmutableList<Closeable> getAllocatedResources() {
-    return resources;
+  public synchronized void releaseChannelCredentials() {
+    if (--refCount == 0) {
+      for (Closeable resource : resourcesReleaser) {
+        GrpcUtil.closeQuietly(resource);
+      }
+      resourcesReleaser = null;
+    }
+    Preconditions.checkState(
+        refCount >= 0, "Channel credentials were released more times than they were acquired");
   }
 
+  /**
+   * Please use {@link #acquireChannelCredentials()} to get a shared instance of
+   * {@code ChannelCredentials} for which stripped tokens can be obtained.
+   */
   @Override
   public ChannelCredentials withoutBearerTokens() {
-    return channelCreds.withoutBearerTokens();
+    throw new UnsupportedOperationException("Cannot get stripped tokens");
   }
 }

xds/src/main/java/io/grpc/xds/internal/TlsXdsCredentialsProvider.java

@@ -16,6 +16,7 @@
 
 package io.grpc.xds.internal;
 
+import com.google.common.base.Supplier;
 import com.google.common.collect.ImmutableList;
 import com.google.protobuf.Duration;
 import com.google.protobuf.util.Durations;
@@ -73,66 +74,36 @@ protected ChannelCredentials newChannelCredentials(Map<String, ?> jsonConfig) {
       }
     }
 
-    ImmutableList.Builder<Closeable> resourcesBuilder = ImmutableList.builder();
-    ScheduledExecutorService scheduledExecutorService = null;
-
     // use trust certificate file path from bootstrap config if provided; else use system default
     String rootCertPath = JsonUtil.getString(jsonConfig, ROOT_FILE_KEY);
+    AdvancedTlsX509TrustManager trustManager = null;
     if (rootCertPath != null) {
-      try {
-        scheduledExecutorService = scheduledExecutorServiceFactory.create();
-        AdvancedTlsX509TrustManager trustManager = AdvancedTlsX509TrustManager.newBuilder().build();
-        Closeable trustManagerFuture = trustManager.updateTrustCredentials(
-            new File(rootCertPath),
-            refreshIntervalSeconds,
-            TimeUnit.SECONDS,
-            scheduledExecutorService);
-        resourcesBuilder.add(trustManagerFuture);
-        tlsChannelCredsBuilder.trustManager(trustManager);
-      } catch (Exception e) {
-        logger.log(Level.WARNING, "Unable to read root certificates", e);
-        return null;
-      }
+      trustManager = AdvancedTlsX509TrustManager.newBuilder().build();
+      tlsChannelCredsBuilder.trustManager(trustManager);
     }
 
     // use certificate chain and private key file paths from bootstrap config if provided. Mind that
     // both JSON values must be either set (mTLS case) or both unset (TLS case)
     String certChainPath = JsonUtil.getString(jsonConfig, CERT_FILE_KEY);
     String privateKeyPath = JsonUtil.getString(jsonConfig, KEY_FILE_KEY);
+    AdvancedTlsX509KeyManager keyManager = null;
     if (certChainPath != null && privateKeyPath != null) {
-      try {
-        if (scheduledExecutorService == null) {
-          scheduledExecutorService = scheduledExecutorServiceFactory.create();
-        }
-        AdvancedTlsX509KeyManager keyManager = new AdvancedTlsX509KeyManager();
-        Closeable keyManagerFuture = keyManager.updateIdentityCredentials(
-            new File(certChainPath),
-            new File(privateKeyPath),
-            refreshIntervalSeconds,
-            TimeUnit.SECONDS,
-            scheduledExecutorService);
-        resourcesBuilder.add(keyManagerFuture);
-        tlsChannelCredsBuilder.keyManager(keyManager);
-      } catch (Exception e) {
-        logger.log(Level.WARNING, "Unable to read certificate chain or private key", e);
-        return null;
-      }
+      keyManager = new AdvancedTlsX509KeyManager();
+      tlsChannelCredsBuilder.keyManager(keyManager);
     } else if (certChainPath != null || privateKeyPath != null) {
       logger.log(Level.WARNING, "Certificate chain and private key must be both set or unset");
       return null;
     }
 
-    // if executor was initialized, add it to allocated resource list
-    if (scheduledExecutorService != null) {
-      resourcesBuilder.add(asCloseable(scheduledExecutorService));
-    }
-
     return ResourceAllocatingChannelCredentials.create(
-      tlsChannelCredsBuilder.build(), resourcesBuilder.build());
-  }
-
-  private static Closeable asCloseable(ScheduledExecutorService scheduledExecutorService) {
-    return () -> scheduledExecutorService.shutdownNow();
+        tlsChannelCredsBuilder.build(),
+        new ResourcesSupplier(
+            refreshIntervalSeconds,
+            rootCertPath,
+            trustManager,
+            certChainPath,
+            privateKeyPath,
+            keyManager));
   }
 
   @Override
@@ -150,6 +121,84 @@ public int priority() {
     return 5;
   }
 
+  private static final class ResourcesSupplier implements Supplier<ImmutableList<Closeable>> {
+    private final long refreshIntervalSeconds;
+    private final String rootCertPath;
+    private final AdvancedTlsX509TrustManager trustManager;
+    private final String certChainPath;
+    private final String privateKeyPath;
+    private final AdvancedTlsX509KeyManager keyManager;
+
+    ResourcesSupplier(
+        long refreshIntervalSeconds,
+        String rootCertPath,
+        AdvancedTlsX509TrustManager trustManager,
+        String certChainPath,
+        String privateKeyPath,
+        AdvancedTlsX509KeyManager keyManager) {
+      this.refreshIntervalSeconds = refreshIntervalSeconds;
+      this.rootCertPath = rootCertPath;
+      this.trustManager = trustManager;
+      this.certChainPath = certChainPath;
+      this.privateKeyPath = privateKeyPath;
+      this.keyManager = keyManager;
+    }
+
+    @Override
+    public ImmutableList<Closeable> get() {
+      ImmutableList.Builder<Closeable> resourcesBuilder = ImmutableList.builder();
+
+      ScheduledExecutorService scheduledExecutorService =
+          (trustManager != null || keyManager != null)
+              ? scheduledExecutorService = scheduledExecutorServiceFactory.create()
+              : null;
+      if (scheduledExecutorService != null) {
+        resourcesBuilder.add(asCloseable(scheduledExecutorService));
+      }
+
+      if (trustManager != null) {
+        try {
+          Closeable trustManagerFuture = trustManager.updateTrustCredentials(
+              new File(rootCertPath),
+              refreshIntervalSeconds,
+              TimeUnit.SECONDS,
+              scheduledExecutorService);
+          resourcesBuilder.add(trustManagerFuture);
+        } catch (Exception e) {
+          cleanupResources(resourcesBuilder.build());
+          throw new RuntimeException("Unable to read root certificates", e);
+        }
+      }
+
+      if (keyManager != null) {
+        try {
+          Closeable keyManagerFuture = keyManager.updateIdentityCredentials(
+              new File(certChainPath),
+              new File(privateKeyPath),
+              refreshIntervalSeconds,
+              TimeUnit.SECONDS,
+              scheduledExecutorService);
+          resourcesBuilder.add(keyManagerFuture);
+        } catch (Exception e) {
+          cleanupResources(resourcesBuilder.build());
+          throw new RuntimeException("Unable to read certificate chain or private key", e);
+        }
+      }
+
+      return resourcesBuilder.build();
+    }
+
+    private static Closeable asCloseable(ScheduledExecutorService scheduledExecutorService) {
+      return () -> scheduledExecutorService.shutdownNow();
+    }
+
+    private static void cleanupResources(ImmutableList<Closeable> resources) {
+      for (Closeable resource : resources) {
+        GrpcUtil.closeQuietly(resource);
+      }
+    }
+  }
+
   abstract static class ScheduledExecutorServiceFactory {
 
     private static final ScheduledExecutorServiceFactory DEFAULT_INSTANCE =