Merge branch 'grpc:master' into master

Author: Kainsin

MODULE.bazel

@@ -23,20 +23,20 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "com.google.truth:truth:1.4.5",
     "com.squareup.okhttp:okhttp:2.7.5",
     "com.squareup.okio:okio:2.10.0",  # 3.0+ needs swapping to -jvm; need work to avoid flag-day
-    "io.netty:netty-buffer:4.1.130.Final",
-    "io.netty:netty-codec-http2:4.1.130.Final",
-    "io.netty:netty-codec-http:4.1.130.Final",
-    "io.netty:netty-codec-socks:4.1.130.Final",
-    "io.netty:netty-codec:4.1.130.Final",
-    "io.netty:netty-common:4.1.130.Final",
-    "io.netty:netty-handler-proxy:4.1.130.Final",
-    "io.netty:netty-handler:4.1.130.Final",
-    "io.netty:netty-resolver:4.1.130.Final",
-    "io.netty:netty-tcnative-boringssl-static:2.0.74.Final",
-    "io.netty:netty-tcnative-classes:2.0.74.Final",
-    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.130.Final",
-    "io.netty:netty-transport-native-unix-common:4.1.130.Final",
-    "io.netty:netty-transport:4.1.130.Final",
+    "io.netty:netty-buffer:4.1.132.Final",
+    "io.netty:netty-codec-http2:4.1.132.Final",
+    "io.netty:netty-codec-http:4.1.132.Final",
+    "io.netty:netty-codec-socks:4.1.132.Final",
+    "io.netty:netty-codec:4.1.132.Final",
+    "io.netty:netty-common:4.1.132.Final",
+    "io.netty:netty-handler-proxy:4.1.132.Final",
+    "io.netty:netty-handler:4.1.132.Final",
+    "io.netty:netty-resolver:4.1.132.Final",
+    "io.netty:netty-tcnative-boringssl-static:2.0.75.Final",
+    "io.netty:netty-tcnative-classes:2.0.75.Final",
+    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.132.Final",
+    "io.netty:netty-transport-native-unix-common:4.1.132.Final",
+    "io.netty:netty-transport:4.1.132.Final",
     "io.opencensus:opencensus-api:0.31.0",
     "io.opencensus:opencensus-contrib-grpc-metrics:0.31.0",
     "io.perfmark:perfmark-api:0.27.0",

SECURITY.md

@@ -399,7 +399,8 @@ grpc-netty version | netty-handler version | netty-tcnative-boringssl-static ver
 1.71.x-1.74.x      | 4.1.110.Final         | 2.0.70.Final
 1.75.x-1.76.x      | 4.1.124.Final         | 2.0.72.Final
 1.77.x-1.78.x      | 4.1.127.Final         | 2.0.74.Final
-1.79.x-            | 4.1.130.Final         | 2.0.74.Final
+1.79.x-1.80.x      | 4.1.130.Final         | 2.0.74.Final
+1.81.x-            | 4.1.132.Final         | 2.0.75.Final
 
 _(grpc-netty-shaded avoids issues with keeping these versions in sync.)_
 

alts/src/test/java/io/grpc/alts/internal/AltsProtocolNegotiatorTest.java

@@ -202,8 +202,11 @@ public void operationComplete(ChannelFuture future) throws Exception {
     channel.flush();
 
     // Capture the protected data written to the wire.
-    assertEquals(1, channel.outboundMessages().size());
-    ByteBuf protectedData = channel.readOutbound();
+    assertThat(channel.outboundMessages()).isNotEmpty();
+    ByteBuf protectedData = channel.alloc().buffer();
+    while (!channel.outboundMessages().isEmpty()) {
+      protectedData.writeBytes((ByteBuf) channel.readOutbound());
+    }
     assertEquals(message.length(), writeCount.get());
 
     // Read the protected message at the server and verify it matches the original message.
@@ -327,16 +330,18 @@ public void doNotFlushEmptyBuffer() throws Exception {
     String message = "hello";
     ByteBuf in = Unpooled.copiedBuffer(message, UTF_8);
 
-    assertEquals(0, protector.flushes.get());
+    int flushes = protector.flushes.get();
     Future<?> done = channel.write(in);
     channel.flush();
+    flushes++;
     done.get(5, TimeUnit.SECONDS);
-    assertEquals(1, protector.flushes.get());
+    assertEquals(flushes, protector.flushes.get());
 
+    // Flush does not propagate
     done = channel.write(Unpooled.EMPTY_BUFFER);
     channel.flush();
     done.get(5, TimeUnit.SECONDS);
-    assertEquals(1, protector.flushes.get());
+    assertEquals(flushes, protector.flushes.get());
   }
 
   @Test

gradle/libs.versions.toml

@@ -101,17 +101,17 @@ mockito-android = "org.mockito:mockito-android:4.4.0"
 mockito-core = "org.mockito:mockito-core:4.4.0"
 # Need to decide when we require users to absorb the breaking changes in 4.2
 # checkForUpdates: netty-codec-http2:4.1.+
-netty-codec-http2 = "io.netty:netty-codec-http2:4.1.130.Final"
+netty-codec-http2 = "io.netty:netty-codec-http2:4.1.132.Final"
 # checkForUpdates: netty-handler-proxy:4.1.+
-netty-handler-proxy = "io.netty:netty-handler-proxy:4.1.130.Final"
+netty-handler-proxy = "io.netty:netty-handler-proxy:4.1.132.Final"
 # Keep the following references of tcnative version in sync whenever it's updated:
 #   SECURITY.md
-netty-tcnative = "io.netty:netty-tcnative-boringssl-static:2.0.74.Final"
-netty-tcnative-classes = "io.netty:netty-tcnative-classes:2.0.74.Final"
+netty-tcnative = "io.netty:netty-tcnative-boringssl-static:2.0.75.Final"
+netty-tcnative-classes = "io.netty:netty-tcnative-classes:2.0.75.Final"
 # checkForUpdates: netty-transport-epoll:4.1.+
-netty-transport-epoll = "io.netty:netty-transport-native-epoll:4.1.130.Final"
+netty-transport-epoll = "io.netty:netty-transport-native-epoll:4.1.132.Final"
 # checkForUpdates: netty-unix-common:4.1.+
-netty-unix-common = "io.netty:netty-transport-native-unix-common:4.1.130.Final"
+netty-unix-common = "io.netty:netty-transport-native-unix-common:4.1.132.Final"
 okhttp = "com.squareup.okhttp:okhttp:2.7.5"
 # okio 3.5+ uses Kotlin 1.9+ which requires Android Gradle Plugin 9+
 # checkForUpdates: okio:3.4.+

repositories.bzl

@@ -27,20 +27,20 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "com.google.truth:truth:1.4.5",
     "com.squareup.okhttp:okhttp:2.7.5",
     "com.squareup.okio:okio:2.10.0",  # 3.0+ needs swapping to -jvm; need work to avoid flag-day
-    "io.netty:netty-buffer:4.1.130.Final",
-    "io.netty:netty-codec-http2:4.1.130.Final",
-    "io.netty:netty-codec-http:4.1.130.Final",
-    "io.netty:netty-codec-socks:4.1.130.Final",
-    "io.netty:netty-codec:4.1.130.Final",
-    "io.netty:netty-common:4.1.130.Final",
-    "io.netty:netty-handler-proxy:4.1.130.Final",
-    "io.netty:netty-handler:4.1.130.Final",
-    "io.netty:netty-resolver:4.1.130.Final",
-    "io.netty:netty-tcnative-boringssl-static:2.0.74.Final",
-    "io.netty:netty-tcnative-classes:2.0.74.Final",
-    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.130.Final",
-    "io.netty:netty-transport-native-unix-common:4.1.130.Final",
-    "io.netty:netty-transport:4.1.130.Final",
+    "io.netty:netty-buffer:4.1.132.Final",
+    "io.netty:netty-codec-http2:4.1.132.Final",
+    "io.netty:netty-codec-http:4.1.132.Final",
+    "io.netty:netty-codec-socks:4.1.132.Final",
+    "io.netty:netty-codec:4.1.132.Final",
+    "io.netty:netty-common:4.1.132.Final",
+    "io.netty:netty-handler-proxy:4.1.132.Final",
+    "io.netty:netty-handler:4.1.132.Final",
+    "io.netty:netty-resolver:4.1.132.Final",
+    "io.netty:netty-tcnative-boringssl-static:2.0.75.Final",
+    "io.netty:netty-tcnative-classes:2.0.75.Final",
+    "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.132.Final",
+    "io.netty:netty-transport-native-unix-common:4.1.132.Final",
+    "io.netty:netty-transport:4.1.132.Final",
     "io.opencensus:opencensus-api:0.31.0",
     "io.opencensus:opencensus-contrib-grpc-metrics:0.31.0",
     "io.perfmark:perfmark-api:0.27.0",

xds/src/main/java/io/grpc/xds/ExtAuthzConfigParser.java

@@ -0,0 +1,103 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds;
+
+import com.google.common.collect.ImmutableList;
+import io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthz;
+import io.grpc.internal.GrpcUtil;
+import io.grpc.xds.client.Bootstrapper.BootstrapInfo;
+import io.grpc.xds.client.Bootstrapper.ServerInfo;
+import io.grpc.xds.internal.MatcherParser;
+import io.grpc.xds.internal.extauthz.ExtAuthzConfig;
+import io.grpc.xds.internal.extauthz.ExtAuthzParseException;
+import io.grpc.xds.internal.grpcservice.GrpcServiceConfig;
+import io.grpc.xds.internal.grpcservice.GrpcServiceParseException;
+import io.grpc.xds.internal.headermutations.HeaderMutationRulesParseException;
+import io.grpc.xds.internal.headermutations.HeaderMutationRulesParser;
+
+
+/**
+ * Parser for {@link io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthz}.
+ */
+final class ExtAuthzConfigParser {
+
+  private ExtAuthzConfigParser() {}
+
+  /**
+   * Parses the {@link io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthz} proto to
+   * create an {@link ExtAuthzConfig} instance.
+   *
+   * @param extAuthzProto The ext_authz proto to parse.
+   * @return An {@link ExtAuthzConfig} instance.
+   * @throws ExtAuthzParseException if the proto is invalid or contains unsupported features.
+   */
+  public static ExtAuthzConfig parse(
+      ExtAuthz extAuthzProto, BootstrapInfo bootstrapInfo, ServerInfo serverInfo)
+      throws ExtAuthzParseException {
+    if (!extAuthzProto.hasGrpcService()) {
+      throw new ExtAuthzParseException(
+          "unsupported ExtAuthz service type: only grpc_service is supported");
+    }
+    GrpcServiceConfig grpcServiceConfig;
+    try {
+      grpcServiceConfig =
+          GrpcServiceConfigParser.parse(extAuthzProto.getGrpcService(), bootstrapInfo, serverInfo);
+    } catch (GrpcServiceParseException e) {
+      throw new ExtAuthzParseException("Failed to parse GrpcService config: " + e.getMessage(), e);
+    }
+    ExtAuthzConfig.Builder builder = ExtAuthzConfig.builder().grpcService(grpcServiceConfig)
+        .failureModeAllow(extAuthzProto.getFailureModeAllow())
+        .failureModeAllowHeaderAdd(extAuthzProto.getFailureModeAllowHeaderAdd())
+        .includePeerCertificate(extAuthzProto.getIncludePeerCertificate())
+        .denyAtDisable(extAuthzProto.getDenyAtDisable().getDefaultValue().getValue());
+
+    if (extAuthzProto.hasFilterEnabled()) {
+      try {
+        builder.filterEnabled(
+            MatcherParser.parseFractionMatcher(extAuthzProto.getFilterEnabled().getDefaultValue()));
+      } catch (IllegalArgumentException e) {
+        throw new ExtAuthzParseException(e.getMessage());
+      }
+    }
+
+    if (extAuthzProto.hasStatusOnError()) {
+      builder.statusOnError(
+          GrpcUtil.httpStatusToGrpcStatus(extAuthzProto.getStatusOnError().getCodeValue()));
+    }
+
+    if (extAuthzProto.hasAllowedHeaders()) {
+      builder.allowedHeaders(extAuthzProto.getAllowedHeaders().getPatternsList().stream()
+          .map(MatcherParser::parseStringMatcher).collect(ImmutableList.toImmutableList()));
+    }
+
+    if (extAuthzProto.hasDisallowedHeaders()) {
+      builder.disallowedHeaders(extAuthzProto.getDisallowedHeaders().getPatternsList().stream()
+          .map(MatcherParser::parseStringMatcher).collect(ImmutableList.toImmutableList()));
+    }
+
+    if (extAuthzProto.hasDecoderHeaderMutationRules()) {
+      try {
+        builder.decoderHeaderMutationRules(
+            HeaderMutationRulesParser.parse(extAuthzProto.getDecoderHeaderMutationRules()));
+      } catch (HeaderMutationRulesParseException e) {
+        throw new ExtAuthzParseException(e.getMessage(), e);
+      }
+    }
+
+    return builder.build();
+  }
+}

xds/src/main/java/io/grpc/xds/GrpcBootstrapImplConfig.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2025 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds;
+
+import com.google.auto.value.AutoValue;
+import io.grpc.Internal;
+import io.grpc.xds.client.AllowedGrpcServices;
+
+/**
+ * Custom configuration for gRPC xDS bootstrap implementation.
+ */
+@Internal
+@AutoValue
+public abstract class GrpcBootstrapImplConfig {
+  public abstract AllowedGrpcServices allowedGrpcServices();
+
+  public static GrpcBootstrapImplConfig create(AllowedGrpcServices services) {
+    return new AutoValue_GrpcBootstrapImplConfig(services);
+  }
+}