Support pass SSLSession in Invocation to check permission (#15049)

Author: AlbumenJ

dubbo-common/src/main/java/org/apache/dubbo/common/ssl/CertManager.java

@@ -32,8 +32,8 @@ public CertManager(FrameworkModel frameworkModel) {
 
     public ProviderCert getProviderConnectionConfig(URL localAddress, SocketAddress remoteAddress) {
         for (CertProvider certProvider : certProviders) {
-            if (certProvider.isSupport(localAddress)) {
-                ProviderCert cert = certProvider.getProviderConnectionConfig(localAddress);
+            if (certProvider.isSupport(localAddress, remoteAddress)) {
+                ProviderCert cert = certProvider.getProviderConnectionConfig(localAddress, remoteAddress);
                 if (cert != null) {
                     return cert;
                 }

dubbo-common/src/main/java/org/apache/dubbo/common/ssl/CertProvider.java

@@ -20,11 +20,21 @@
 import org.apache.dubbo.common.extension.ExtensionScope;
 import org.apache.dubbo.common.extension.SPI;
 
+import java.net.SocketAddress;
+
 @SPI(scope = ExtensionScope.FRAMEWORK)
 public interface CertProvider {
     boolean isSupport(URL address);
 
+    default boolean isSupport(URL address, SocketAddress remoteAddress) {
+        return isSupport(address);
+    }
+
     ProviderCert getProviderConnectionConfig(URL localAddress);
 
+    default ProviderCert getProviderConnectionConfig(URL localAddress, SocketAddress remoteAddress) {
+        return getProviderConnectionConfig(localAddress);
+    }
+
     Cert getConsumerConnectionConfig(URL remoteAddress);
 }

dubbo-remoting/dubbo-remoting-api/src/main/java/org/apache/dubbo/remoting/Constants.java

@@ -175,6 +175,7 @@ public interface Constants {
     String APACHE_HTTP_CLIENT = "apache-http-client";
 
     String CONTENT_LENGTH_KEY = "content-length";
+    String SSL_SESSION_KEY = "ssl-session";
 
     String USE_SECURE_RANDOM_ID = "dubbo.application.use-secure-random-request-id";
 

dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java

@@ -23,6 +23,7 @@
 import org.apache.dubbo.common.ssl.CertManager;
 import org.apache.dubbo.common.ssl.ProviderCert;
 import org.apache.dubbo.remoting.ChannelHandler;
+import org.apache.dubbo.remoting.Constants;
 import org.apache.dubbo.remoting.api.ProtocolDetector;
 import org.apache.dubbo.remoting.api.WireProtocol;
 import org.apache.dubbo.remoting.buffer.ChannelBuffer;
@@ -42,6 +43,7 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
+import io.netty.util.AttributeKey;
 
 import static org.apache.dubbo.common.constants.LoggerCodeConstants.INTERNAL_ERROR;
 
@@ -55,6 +57,7 @@ public class NettyPortUnificationServerHandler extends ByteToMessageDecoder {
     private final Map<String, WireProtocol> protocols;
     private final Map<String, URL> urlMapper;
     private final Map<String, ChannelHandler> handlerMapper;
+    private static final AttributeKey<SSLSession> SSL_SESSION_KEY = AttributeKey.valueOf(Constants.SSL_SESSION_KEY);
 
     public NettyPortUnificationServerHandler(
             URL url,
@@ -89,6 +92,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
                 SSLSession session =
                         ctx.pipeline().get(SslHandler.class).engine().getSession();
                 LOGGER.info("TLS negotiation succeed with session: " + session);
+                ctx.channel().attr(SSL_SESSION_KEY).set(session);
             } else {
                 LOGGER.error(
                         INTERNAL_ERROR,

dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyServerHandler.java

@@ -22,6 +22,9 @@
 import org.apache.dubbo.common.utils.NetUtils;
 import org.apache.dubbo.remoting.Channel;
 import org.apache.dubbo.remoting.ChannelHandler;
+import org.apache.dubbo.remoting.Constants;
+
+import javax.net.ssl.SSLSession;
 
 import java.net.InetSocketAddress;
 import java.util.Map;
@@ -30,7 +33,9 @@
 import io.netty.channel.ChannelDuplexHandler;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelPromise;
+import io.netty.handler.ssl.SslHandshakeCompletionEvent;
 import io.netty.handler.timeout.IdleStateEvent;
+import io.netty.util.AttributeKey;
 
 /**
  * NettyServerHandler.
@@ -44,6 +49,8 @@ public class NettyServerHandler extends ChannelDuplexHandler {
      */
     private final Map<String, Channel> channels = new ConcurrentHashMap<>();
 
+    private static final AttributeKey<SSLSession> SSL_SESSION_KEY = AttributeKey.valueOf(Constants.SSL_SESSION_KEY);
+
     private final URL url;
 
     private final ChannelHandler handler;
@@ -123,6 +130,15 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
             }
         }
         super.userEventTriggered(ctx, evt);
+        if (evt instanceof SslHandshakeCompletionEvent) {
+            SslHandshakeCompletionEvent handshakeEvent = (SslHandshakeCompletionEvent) evt;
+            if (handshakeEvent.isSuccess()) {
+                NettyChannel channel = NettyChannel.getOrAddChannel(ctx.channel(), url, handler);
+                channel.setAttribute(
+                        Constants.SSL_SESSION_KEY,
+                        ctx.channel().attr(SSL_SESSION_KEY).get());
+            }
+        }
     }
 
     @Override

dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/ssl/SslClientTlsHandler.java

@@ -19,6 +19,7 @@
 import org.apache.dubbo.common.URL;
 import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
 import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.remoting.Constants;
 
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLSession;
@@ -28,13 +29,14 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
+import io.netty.util.AttributeKey;
 
 import static org.apache.dubbo.common.constants.LoggerCodeConstants.INTERNAL_ERROR;
 
 public class SslClientTlsHandler extends ChannelInboundHandlerAdapter {
 
     private static final ErrorTypeAwareLogger logger = LoggerFactory.getErrorTypeAwareLogger(SslClientTlsHandler.class);
-
+    private static final AttributeKey<SSLSession> SSL_SESSION_KEY = AttributeKey.valueOf(Constants.SSL_SESSION_KEY);
     private final SslContext sslContext;
 
     public SslClientTlsHandler(URL url) {
@@ -60,6 +62,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
                         ctx.pipeline().get(SslHandler.class).engine().getSession();
                 logger.info("TLS negotiation succeed with: " + session.getPeerHost());
                 ctx.pipeline().remove(this);
+                ctx.channel().attr(SSL_SESSION_KEY).set(session);
             } else {
                 logger.error(
                         INTERNAL_ERROR,

dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/ssl/SslServerTlsHandler.java

@@ -22,6 +22,7 @@
 import org.apache.dubbo.common.ssl.AuthPolicy;
 import org.apache.dubbo.common.ssl.CertManager;
 import org.apache.dubbo.common.ssl.ProviderCert;
+import org.apache.dubbo.remoting.Constants;
 
 import javax.net.ssl.SSLSession;
 
@@ -34,6 +35,7 @@
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
+import io.netty.util.AttributeKey;
 
 import static org.apache.dubbo.common.constants.LoggerCodeConstants.INTERNAL_ERROR;
 
@@ -43,6 +45,7 @@ public class SslServerTlsHandler extends ByteToMessageDecoder {
     private final URL url;
 
     private final boolean sslDetected;
+    private static final AttributeKey<SSLSession> SSL_SESSION_KEY = AttributeKey.valueOf(Constants.SSL_SESSION_KEY);
 
     public SslServerTlsHandler(URL url) {
         this.url = url;
@@ -74,6 +77,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
                 logger.info("TLS negotiation succeed with: " + session.getPeerHost());
                 // Remove after handshake success.
                 ctx.pipeline().remove(this);
+                ctx.channel().attr(SSL_SESSION_KEY).set(session);
             } else {
                 logger.error(
                         INTERNAL_ERROR,

dubbo-rpc/dubbo-rpc-dubbo/src/main/java/org/apache/dubbo/rpc/protocol/dubbo/DecodeableRpcInvocation.java

@@ -124,6 +124,10 @@ public void encode(Channel channel, OutputStream output, Object message) throws
     public Object decode(Channel channel, InputStream input) throws IOException {
         int contentLength = input.available();
         getAttributes().put(Constants.CONTENT_LENGTH_KEY, contentLength);
+        Object sslSession = channel.getAttribute(Constants.SSL_SESSION_KEY);
+        if (null != sslSession) {
+            put(Constants.SSL_SESSION_KEY, sslSession);
+        }
 
         ObjectInput in = CodecSupport.getSerialization(serializationType).deserialize(channel.getUrl(), input);
         this.put(SERIALIZATION_ID_KEY, serializationType);

dubbo-rpc/dubbo-rpc-triple/src/main/java/org/apache/dubbo/rpc/protocol/tri/call/AbstractServerCall.java

@@ -21,6 +21,7 @@
 import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
 import org.apache.dubbo.common.logger.LoggerFactory;
 import org.apache.dubbo.common.utils.StringUtils;
+import org.apache.dubbo.remoting.Constants;
 import org.apache.dubbo.rpc.CancellationContext;
 import org.apache.dubbo.rpc.Invoker;
 import org.apache.dubbo.rpc.RpcContext;
@@ -39,6 +40,8 @@
 import org.apache.dubbo.rpc.protocol.tri.stream.ServerStream;
 import org.apache.dubbo.rpc.protocol.tri.stream.StreamUtils;
 
+import javax.net.ssl.SSLSession;
+
 import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.Executor;
@@ -264,6 +267,10 @@ protected RpcInvocation buildInvocation(MethodDescriptor methodDescriptor) {
         inv.setReturnTypes(methodDescriptor.getReturnTypes());
         inv.setObjectAttachments(StreamUtils.toAttachments(requestMetadata));
         inv.put(REMOTE_ADDRESS_KEY, stream.remoteAddress());
+        SSLSession sslSession = stream.getSslSession();
+        if (null != sslSession) {
+            inv.put(Constants.SSL_SESSION_KEY, sslSession);
+        }
         // handle timeout
         String timeout = (String) requestMetadata.get(TripleHeaderEnum.TIMEOUT.getHeader());
         try {

dubbo-rpc/dubbo-rpc-triple/src/main/java/org/apache/dubbo/rpc/protocol/tri/stream/Stream.java

@@ -18,6 +18,8 @@
 
 import org.apache.dubbo.rpc.TriRpcStatus;
 
+import javax.net.ssl.SSLSession;
+
 import java.net.SocketAddress;
 
 import io.netty.handler.codec.http2.Http2Headers;
@@ -74,6 +76,13 @@ interface Listener {
      */
     SocketAddress remoteAddress();
 
+    /**
+     * Get ssl session.
+     *
+     * @return ssl session
+     */
+    SSLSession getSslSession();
+
     /**
      * Request n message from remote peer.
      *