From f051b0c297db194abf31f9b2dc294ecc81fa1e45 Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Wed, 24 Jun 2020 08:42:08 +0200
Subject: [PATCH] =?UTF-8?q?Ensure=20ApplicationProtocolNegotiationHandler?= =?UTF-8?q?=20does=20handle=20handshake=20fa=E2=80=A6=20(#10363)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Motivation: When ApplicationProtocolNegotiationHandler is in the pipeline we should expect that its handshakeFailure(...) method will be able to completly handle the handshake error. At the moment this is not the case as it only handled SslHandshakeCompletionEvent but not the exceptionCaught(...) that is also triggered in this case
Modifications: - Call handshakeFailure(...) in exceptionCaught and so fix double notification. - Add testcases
Result: Fixes https://github.com/netty/netty/issues/10342
---
 ...ApplicationProtocolNegotiationHandler.java | 34 +++++--
 ...icationProtocolNegotiationHandlerTest.java | 95 +++++++++++++++++++
 2 files changed, 122 insertions(+), 7 deletions(-)
 create mode 100644 handler/src/test/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandlerTest.java
diff --git a/handler/src/main/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandler.java b/handler/src/main/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandler.java
index df1afe4a23..140eb3df03 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandler.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandler.java
@@ -22,9 +22,12 @@ import io.netty.channel.ChannelHandler; import io.netty.channel.ChannelHandlerContext; import io.netty.channel.ChannelInitializer; import io.netty.channel.ChannelPipeline; +import io.netty.handler.codec.DecoderException; import io.netty.util.internal.logging.InternalLogger; import io.netty.util.internal.logging.InternalLoggerFactory; +import javax.net.ssl.SSLException; + /** * Configures a {@link ChannelPipeline} depending on the application-level protocol negotiation result of * {@link SslHandler}. For example, you could configure your HTTP pipeline depending on the result of ALPN: @@ -80,9 +83,8 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa @Override public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception { if (evt instanceof SslHandshakeCompletionEvent) { - + SslHandshakeCompletionEvent handshakeEvent = (SslHandshakeCompletionEvent) evt; try { - SslHandshakeCompletionEvent handshakeEvent = (SslHandshakeCompletionEvent) evt; if (handshakeEvent.isSuccess()) { SslHandler sslHandler = ctx.pipeline().get(SslHandler.class); if (sslHandler == null) { 
@@ -92,16 +94,19 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa String protocol = sslHandler.applicationProtocol(); configurePipeline(ctx, protocol != null ? protocol : fallbackProtocol); } else { - handshakeFailure(ctx, handshakeEvent.cause()); + // if the event is not produced because of an successful handshake we will receive the same + // exception in exceptionCaught(...) and handle it there. This will allow us more fine-grained + // control over which exception we propagate down the ChannelPipeline. + // + // See https://github.com/netty/netty/issues/10342 } } catch (Throwable cause) { exceptionCaught(ctx, cause); } finally { ctx.fireUserEventTriggered(evt); - - ChannelPipeline pipeline = ctx.pipeline(); - if (pipeline.context(this) != null) { - pipeline.remove(this); + // Handshake failures are handled in exceptionCaught(...). + if (handshakeEvent.isSuccess()) { + removeSelfIfPresent(ctx); } } } else { @@ -109,6 +114,12 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa } } + private void removeSelfIfPresent(ChannelHandlerContext ctx) { + ChannelPipeline pipeline = ctx.pipeline(); + if (pipeline.context(this) != null) { + pipeline.remove(this); + } + } /** * Invoked on successful initial SSL/TLS handshake. Implement this method to configure your pipeline * for the negotiated application-level protocol. @@ -129,6 +140,15 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa @Override public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception { + Throwable wrapped; + if (cause instanceof DecoderException && ((wrapped = cause.getCause()) instanceof SSLException)) { + try { + handshakeFailure(ctx, wrapped); + return; + } finally { + removeSelfIfPresent(ctx); + } + } logger.warn("{} Failed to select the application-level protocol:", ctx.channel(), cause); ctx.fireExceptionCaught(cause); ctx.close(); 
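Review bot: In the `@@ -92,16 +94,19 @@` hunk the failure branch of userEventTriggered(...) is now empty and the `finally` block removes the handler only when `handshakeEvent.isSuccess()`, so both handshakeFailure(...) and removal depend on a later exceptionCaught(...) carrying a DecoderException that wraps an SSLException. A failure that is reported only through the SslHandshakeCompletionEvent (possibly a handshake timeout or the channel going inactive mid-handshake; whether SslHandler does that is not visible in this patch) would never reach handshakeFailure(...), and a subclass that logs or counts TLS handshake failures there would miss it. I would state that dependency in the new comment, e.g. `// Relies on SslHandler also firing exceptionCaught(DecoderException(SSLException)); a failure signalled only by this event leaves handshakeFailure(...) uncalled.`, and change `an successful` to `a successful`. The method begins in the previous hunk.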
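Review bot: The new private helper removeSelfIfPresent(...) in the `@@ -109,6 +114,12 @@` hunk carries no comment and, judging by the hunk's line counts, has no blank line between its closing brace and the Javadoc block that follows. I would add the separator line and a one-line comment such as `// Removes this handler once negotiation is over; a no-op if it was already removed.`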
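Review bot: The early `return` after `handshakeFailure(ctx, wrapped)` in exceptionCaught(...) (hunk `@@ -129,6 +140,15 @@`) skips both `ctx.fireExceptionCaught(cause)` and `ctx.close()`, so after a failed TLS handshake the channel is closed only if handshakeFailure(...) does it, and that method's body is outside this patch. Its Javadoc should say that an override now owns closing the channel and reporting the error, because no later handler will see the exception. If handshakeFailure(...) itself throws, the `finally` still removes the handler but this method no longer closes the channel; letting such a throwable fall through to the existing `logger.warn(...)` / `ctx.close()` lines would keep the failure path fail-closed. The end of exceptionCaught(...) lies outside the hunk.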
diff --git a/handler/src/test/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandlerTest.java b/handler/src/test/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandlerTest.java
new file mode 100644
index 0000000000..9677c5b861
--- /dev/null
+++ b/handler/src/test/java/io/netty/handler/ssl/ApplicationProtocolNegotiationHandlerTest.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2020 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.ssl;
+
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.handler.codec.DecoderException;
+import org.junit.Test;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLHandshakeException;
+import java.security.NoSuchAlgorithmException;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+
+public class ApplicationProtocolNegotiationHandlerTest {
+
+ @Test
+ public void testHandshakeFailure() {
+ ChannelHandler alpnHandler = new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
+ @Override
+ protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
+ fail();
+ }
+ };
+
+ EmbeddedChannel channel = new EmbeddedChannel(alpnHandler);
+ SSLHandshakeException exception = new SSLHandshakeException("error");
+ SslHandshakeCompletionEvent completionEvent = new SslHandshakeCompletionEvent(exception);
+ channel.pipeline().fireUserEventTriggered(completionEvent);
+ channel.pipeline().fireExceptionCaught(new DecoderException(exception));
+ assertNull(channel.pipeline().context(alpnHandler));
+ assertFalse(channel.finishAndReleaseAll());
+ }
+
+ @Test
+ public void testHandshakeSuccess() throws NoSuchAlgorithmException {
+ final AtomicBoolean configureCalled = new AtomicBoolean(false);
+ ChannelHandler alpnHandler = new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
+ @Override
+ protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
+ configureCalled.set(true);
+ assertEquals(ApplicationProtocolNames.HTTP_1_1, protocol);
+ }
+ };
+
+ SSLEngine engine = SSLContext.getDefault().createSSLEngine();
+ engine.setUseClientMode(false);
+
+ EmbeddedChannel channel = new EmbeddedChannel(new SslHandler(engine), alpnHandler);
+ channel.pipeline().fireUserEventTriggered(SslHandshakeCompletionEvent.SUCCESS);
+ assertNull(channel.pipeline().context(alpnHandler));
+ // Should produce the close_notify messages
+ assertTrue(channel.finishAndReleaseAll());
+ assertTrue(configureCalled.get());
+ }
+
+ @Test(expected = IllegalStateException.class)
+ public void testHandshakeSuccessButNoSslHandler() {
+ ChannelHandler alpnHandler = new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
+ @Override
+ protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
+ fail();
+ }
+ };
+ EmbeddedChannel channel = new EmbeddedChannel(alpnHandler);
+ try {
+ channel.pipeline().fireUserEventTriggered(SslHandshakeCompletionEvent.SUCCESS);
+ } finally {
+ assertNull(channel.pipeline().context(alpnHandler));
+ assertFalse(channel.finishAndReleaseAll());
+ }
+ }
+}
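Review bot: testHandshakeFailure() never checks that handshakeFailure(...) ran, or that it ran exactly once, which is the double notification this commit sets out to fix; it only asserts that the handler left the pipeline and that nothing was queued. Overriding handshakeFailure(...) in the anonymous subclass with a counter, e.g. `failures.incrementAndGet();`, and finishing with `assertEquals(1, failures.get());` would pin that behaviour. A further case that fires only the failed SslHandshakeCompletionEvent, without the following exceptionCaught(...), would record what the handler does when no exception arrives.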