fix(runtime): ensure TransportSubjectBuilder callbacks run on Netty event loop (kroxylicious#3748)

Discovered during the investigation of kroxylicious#3745

When a TransportSubjectBuilder completes asynchronously on a non-Netty
thread, the completion callback may update ClientSubjectManager.subject
from a foreign thread, creating a race condition where the Netty event
loop thread reads a stale value.

The original code used whenComplete() without an executor, allowing the
callback to run on whichever thread completed the CompletableFuture.
Test plugin MyTransportSubjectBuilderService created unmanaged threads
that completed futures after delays, triggering cross-thread writes.

The race became observable after commit 25aa9d9 introduced shared Kafka
clusters across test parameters, tightening timing windows.

Pass the Netty event loop executor to ClientSubjectManager.subjectFromTransport()
and use whenCompleteAsync(..., eventLoopExecutor) to ensure callbacks always
execute on the channel's event loop thread.

This provides:
- Thread affinity: ClientSubjectManager state only modified on event loop
- Happens-before guarantee: executor submission creates memory barrier
- Netty best practices: don't mutate channel state from foreign threads

Test code updated to use CompletableFuture.delayedExecutor() instead of
unmanaged threads for cleaner async simulation.

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Signed-off-by: Keith Wall <kwall@apache.org>

Author: k-wall

CHANGELOG.md

@@ -7,6 +7,7 @@ Format `<github issue/pr number>: <short description>`.
 
 ## SNAPSHOT
 
+* [#3745](https://github.com/kroxylicious/kroxylicious/issues/3745): fix(runtime): ensure async TransportSubjectBuilder callbacks execute on Netty event loop to prevent race conditions
 * [#3620](https://github.com/kroxylicious/kroxylicious/issues/3620): Removed Deprecated clientSaslAuthenticationSuccess from FilterContext
 * [#3624](https://github.com/kroxylicious/kroxylicious/pull/3624): feat(operator): set Kubernetes client User-Agent to `kroxylicious-operator/<version>` for API server audit log identification
 * [#3565](https://github.com/kroxylicious/kroxylicious/pull/3514): build(deps): bump kubernetes-client.version from 7.5.2 to 7.6.1

kroxylicious-integration-tests/src/test/java/io/kroxylicious/it/MyTransportSubjectBuilderService.java

@@ -9,6 +9,7 @@
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
+import java.util.concurrent.TimeUnit;
 
 import javax.security.auth.x500.X500Principal;
 
@@ -56,22 +57,15 @@ CompletionStage<Subject> delayed(Subject subject) {
                 }
             }
             else {
-                var fut = new CompletableFuture<Subject>();
-                new Thread(() -> {
-                    try {
-                        Thread.sleep(delayMs);
-                    }
-                    catch (InterruptedException e) {
-                        throw new RuntimeException(e);
-                    }
-                    if (completeSuccessfully) {
-                        fut.complete(subject);
-                    }
-                    else {
-                        fut.completeExceptionally(new RuntimeException("Oops"));
-                    }
-                }).start();
-                return fut;
+                if (completeSuccessfully) {
+                    return CompletableFuture.supplyAsync(() -> subject,
+                            CompletableFuture.delayedExecutor(delayMs, TimeUnit.MILLISECONDS));
+                }
+                else {
+                    return CompletableFuture.supplyAsync(() -> {
+                        throw new RuntimeException("Oops");
+                    }, CompletableFuture.delayedExecutor(delayMs, TimeUnit.MILLISECONDS));
+                }
             }
         }
     }

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/ClientSubjectManager.java

@@ -10,6 +10,7 @@
 import java.security.cert.X509Certificate;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.concurrent.Executor;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
@@ -86,10 +87,11 @@ public class ClientSubjectManager implements
 
     public void subjectFromTransport(@Nullable SSLSession session,
                                      TransportSubjectBuilder transportSubjectBuilder,
+                                     Executor eventLoopExecutor,
                                      Runnable whenDoneCallback) {
         this.clientCertificate = peerTlsCertificate(session);
         this.proxyCertificate = localTlsCertificate(session);
-        transportSubjectBuilder.buildTransportSubject(this).whenComplete((newSubject, error) -> {
+        transportSubjectBuilder.buildTransportSubject(this).whenCompleteAsync((newSubject, error) -> {
             if (error == null) {
                 this.subject = newSubject;
             }
@@ -101,7 +103,7 @@ public void subjectFromTransport(@Nullable SSLSession session,
             }
             this.mechanismName = null;
             whenDoneCallback.run();
-        });
+        }, eventLoopExecutor);
     }
 
     void clientSaslAuthenticationSuccess(

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/KafkaProxyFrontendHandler.java

@@ -12,6 +12,7 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.concurrent.Executor;
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.SSLEngine;
@@ -558,6 +559,10 @@ void unblockClient() {
         proxyChannelStateMachine.onClientWritable();
     }
 
+    Executor eventLoopExecutor() {
+        return Objects.requireNonNull(clientCtx().executor(), "executor must not be null");
+    }
+
     private ChannelHandlerContext clientCtx() {
         return Objects.requireNonNull(this.clientCtx, "clientCtx was null while in state " + this.proxyChannelStateMachine.currentState());
     }

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/ProxyChannelStateMachine.java

@@ -581,7 +581,8 @@ public void clientSaslAuthenticationFailure() {
     }
 
     public void onClientTlsHandshakeSuccess(SSLSession sslSession) {
-        this.clientSubjectManager.subjectFromTransport(sslSession, transportSubjectBuilder, this::onTransportSubjectBuilt);
+        this.clientSubjectManager.subjectFromTransport(sslSession, transportSubjectBuilder,
+                Objects.requireNonNull(frontendHandler).eventLoopExecutor(), this::onTransportSubjectBuilt);
     }
 
     @SuppressWarnings("java:S5738")
@@ -596,7 +597,8 @@ private void toClientActive(
         // these can happen in either order
         this.progressionLatch = 2;
         if (!this.isTlsListener()) {
-            this.clientSubjectManager.subjectFromTransport(null, this.transportSubjectBuilder, this::onTransportSubjectBuilt);
+            this.clientSubjectManager.subjectFromTransport(null, this.transportSubjectBuilder,
+                    frontendHandler.eventLoopExecutor(), this::onTransportSubjectBuilt);
         }
         frontendHandler.inClientActive();
 

kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/internal/ClientSubjectManagerTest.java

@@ -10,6 +10,7 @@
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.atomic.AtomicBoolean;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
@@ -108,7 +109,7 @@ void initialState() {
     void transitionInitialToAuthorized() {
         // Given
         ClientSubjectManager impl = new ClientSubjectManager();
-        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), () -> {
+        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), Runnable::run, () -> {
         });
         // When
         impl.clientSaslAuthenticationSuccess("FOO", new Subject(new User("bob")));
@@ -123,7 +124,7 @@ void transitionInitialToAuthorized() {
     void transitionInitialToFailed() {
         // Given
         ClientSubjectManager impl = new ClientSubjectManager();
-        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), () -> {
+        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), Runnable::run, () -> {
         });
         // When
         impl.clientSaslAuthenticationFailure();
@@ -135,7 +136,7 @@ void transitionInitialToFailed() {
     void transitionAuthorizedToAuthorized() {
         // Given
         ClientSubjectManager impl = new ClientSubjectManager();
-        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), () -> {
+        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), Runnable::run, () -> {
         });
         impl.clientSaslAuthenticationSuccess("FOO", new Subject(new User("bob")));
         // When
@@ -151,7 +152,7 @@ void transitionAuthorizedToAuthorized() {
     void transitionAuthorizedToFailed() {
         // Given
         ClientSubjectManager impl = new ClientSubjectManager();
-        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), () -> {
+        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), Runnable::run, () -> {
         });
         impl.clientSaslAuthenticationSuccess("FOO", new Subject(new User("bob")));
         // When
@@ -164,7 +165,7 @@ void transitionAuthorizedToFailed() {
     void transitionFailedToAuthorized() {
         // Given
         ClientSubjectManager impl = new ClientSubjectManager();
-        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), () -> {
+        impl.subjectFromTransport(null, context -> CompletableFuture.completedStage(Subject.anonymous()), Runnable::run, () -> {
         });
         impl.clientSaslAuthenticationFailure();
 
@@ -177,4 +178,71 @@ void transitionFailedToAuthorized() {
         });
     }
 
+    @Test
+    void subjectFromTransportUsesProvidedExecutor() {
+        // Given
+        ClientSubjectManager impl = new ClientSubjectManager();
+        AtomicBoolean executorUsed = new AtomicBoolean(false);
+        AtomicBoolean callbackRan = new AtomicBoolean(false);
+
+        // When
+        impl.subjectFromTransport(
+                null,
+                context -> CompletableFuture.completedStage(Subject.anonymous()),
+                command -> {
+                    executorUsed.set(true);
+                    command.run();
+                },
+                () -> callbackRan.set(true));
+
+        // Then
+        assertThat(executorUsed).isTrue();
+        assertThat(callbackRan).isTrue();
+    }
+
+    @Test
+    void subjectFromTransportHandlesAsyncCompletion() {
+        // Given
+        ClientSubjectManager impl = new ClientSubjectManager();
+        CompletableFuture<Subject> asyncFuture = new CompletableFuture<>();
+        AtomicBoolean callbackRan = new AtomicBoolean(false);
+        Subject expectedSubject = new Subject(new User("alice"));
+
+        // When
+        impl.subjectFromTransport(
+                null,
+                context -> asyncFuture,
+                Runnable::run,
+                () -> callbackRan.set(true));
+
+        assertThat(callbackRan).isFalse(); // Not yet complete
+
+        asyncFuture.complete(expectedSubject);
+
+        // Then
+        assertThat(callbackRan).isTrue();
+        assertThat(impl.authenticatedSubject()).isEqualTo(expectedSubject);
+    }
+
+    @Test
+    void subjectFromTransportHandlesAsyncException() {
+        // Given
+        ClientSubjectManager impl = new ClientSubjectManager();
+        CompletableFuture<Subject> asyncFuture = new CompletableFuture<>();
+        AtomicBoolean callbackRan = new AtomicBoolean(false);
+
+        // When
+        impl.subjectFromTransport(
+                null,
+                context -> asyncFuture,
+                Runnable::run,
+                () -> callbackRan.set(true));
+
+        asyncFuture.completeExceptionally(new RuntimeException("Transport auth failed"));
+
+        // Then
+        assertThat(callbackRan).isTrue();
+        assertThat(impl.authenticatedSubject()).isEqualTo(Subject.anonymous());
+    }
+
 }

kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/internal/KafkaProxyFrontendHandlerMockCollaboratorsTest.java

@@ -28,6 +28,7 @@
 import io.netty.handler.codec.haproxy.HAProxyProtocolVersion;
 import io.netty.handler.codec.haproxy.HAProxyProxiedProtocol;
 import io.netty.handler.timeout.IdleStateHandler;
+import io.netty.util.concurrent.EventExecutor;
 
 import io.kroxylicious.proxy.authentication.Subject;
 import io.kroxylicious.proxy.authentication.TransportSubjectBuilder;
@@ -46,6 +47,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.times;
@@ -90,6 +92,9 @@ class KafkaProxyFrontendHandlerMockCollaboratorsTest {
     @Mock(strictness = Mock.Strictness.LENIENT)
     TransportSubjectBuilder subjectBuilder;
 
+    @Mock(strictness = Mock.Strictness.LENIENT)
+    EventExecutor executor;
+
     private KafkaProxyFrontendHandler handler;
 
     @BeforeEach
@@ -99,6 +104,14 @@ void setUp() {
         when(endpointBinding.endpointGateway()).thenReturn(endpointGateway);
         when(proxyChannelStateMachine.endpointBinding()).thenReturn(endpointBinding);
         when(proxyChannelStateMachine.virtualCluster()).thenReturn(virtualCluster);
+        // Make the executor run tasks synchronously
+        doAnswer(invocation -> {
+            Runnable runnable = invocation.getArgument(0);
+            runnable.run();
+            return null;
+        }).when(executor).execute(any(Runnable.class));
+        when(clientCtx.executor()).thenReturn(executor);
+
         handler = new KafkaProxyFrontendHandler(
                 pfr,
                 filterChainFactory,
@@ -339,4 +352,16 @@ void shouldNotMarkSessionAuthenticatedWhenSessionTransportAuthenticatedIsAnonymo
         assertThat(pcsm.kafkaSession().currentState())
                 .isEqualTo(KafkaSessionState.ESTABLISHING);
     }
+
+    @Test
+    void eventLoopExecutorReturnsContextExecutor() throws Exception {
+        // Given
+        handler.channelActive(clientCtx);
+
+        // When
+        var result = handler.eventLoopExecutor();
+
+        // Then
+        assertThat(result).isSameAs(executor);
+    }
 }

kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/internal/KafkaProxyFrontendHandlerTest.java

@@ -588,6 +588,7 @@ private ChannelHandlerContext mockChannelContext() {
         ChannelPipeline mockPipeline = mock(ChannelPipeline.class);
         doReturn(inboundChannel).when(mockChannelCtx).channel();
         doReturn(mockPipeline).when(mockChannelCtx).pipeline();
+        doReturn(inboundChannel.eventLoop()).when(mockChannelCtx).executor();
         return mockChannelCtx;
     }
 

kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/internal/ProxyChannelStateMachineTest.java

@@ -8,9 +8,11 @@
 
 import java.util.List;
 import java.util.Optional;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Stream;
 
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
 
 import org.apache.kafka.common.errors.ApiException;
 import org.apache.kafka.common.errors.InvalidRequestException;
@@ -110,6 +112,8 @@ void setUp() {
         when(endpointGateway.virtualCluster()).thenReturn(VIRTUAL_CLUSTER_MODEL);
         proxyChannelStateMachine = new ProxyChannelStateMachine(endpointBinding, new DefaultSubjectBuilder(List.of()), new KafkaSession(KafkaSessionState.ESTABLISHING));
         when(frontendHandler.channelId()).thenReturn(DefaultChannelId.newInstance());
+        // Make the executor run tasks synchronously for tests
+        when(frontendHandler.eventLoopExecutor()).thenReturn(Runnable::run);
     }
 
     @AfterEach
@@ -1015,6 +1019,24 @@ private int getVirtualNodeProxyToServerActiveConnections() {
         return io.kroxylicious.proxy.internal.util.Metrics.proxyToServerConnectionCounter(VIRTUAL_CLUSTER_NODE).get();
     }
 
+    @Test
+    void onClientTlsHandshakeSuccessPassesExecutorToSubjectManager() {
+        // Given
+        proxyChannelStateMachine.onClientActive(frontendHandler);
+        SSLSession sslSession = mock(SSLSession.class);
+        AtomicBoolean executorUsed = new AtomicBoolean(false);
+        when(frontendHandler.eventLoopExecutor()).thenReturn(command -> {
+            executorUsed.set(true);
+            command.run();
+        });
+
+        // When
+        proxyChannelStateMachine.onClientTlsHandshakeSuccess(sslSession);
+
+        // Then - verify the executor was actually used, proving the new parameter is passed through correctly
+        assertThat(executorUsed).isTrue();
+    }
+
     @org.junit.jupiter.api.Nested
     class DisconnectMetricsTest {