Ensure ApplicationProtocolNegotiationHandler does handle handshake fa… (#10363)

Motivation:

When ApplicationProtocolNegotiationHandler is in the pipeline we should expect that its handshakeFailure(...) method will be able to completely handle the handshake error. At the moment this is not the case, as it only handles SslHandshakeCompletionEvent but not the exceptionCaught(...) that is also triggered in this case.

Modifications:

- Call handshakeFailure(...) in exceptionCaught and so fix double notification.
- Add testcases

Result:

Fixes https://github.com/netty/netty/issues/10342
Norman Maurer 2020-06-24 08:42:08 +02:00
parent 0185ccc157
commit f051b0c297
2 changed files with 122 additions and 7 deletions


@ -22,9 +22,12 @@ import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.DecoderException;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import javax.net.ssl.SSLException;
/**
* Configures a {@link ChannelPipeline} depending on the application-level protocol negotiation result of
* {@link SslHandler}. For example, you could configure your HTTP pipeline depending on the result of ALPN:
@ -80,9 +83,8 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa
@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
if (evt instanceof SslHandshakeCompletionEvent) {
SslHandshakeCompletionEvent handshakeEvent = (SslHandshakeCompletionEvent) evt;
try {
SslHandshakeCompletionEvent handshakeEvent = (SslHandshakeCompletionEvent) evt;
if (handshakeEvent.isSuccess()) {
SslHandler sslHandler = ctx.pipeline().get(SslHandler.class);
if (sslHandler == null) {
@ -92,16 +94,19 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa
String protocol = sslHandler.applicationProtocol();
configurePipeline(ctx, protocol != null ? protocol : fallbackProtocol);
} else {
handshakeFailure(ctx, handshakeEvent.cause());
// if the event is not produced because of an successful handshake we will receive the same
// exception in exceptionCaught(...) and handle it there. This will allow us more fine-grained
// control over which exception we propagate down the ChannelPipeline.
//
// See https://github.com/netty/netty/issues/10342
}
} catch (Throwable cause) {
exceptionCaught(ctx, cause);
} finally {
ctx.fireUserEventTriggered(evt);
ChannelPipeline pipeline = ctx.pipeline();
if (pipeline.context(this) != null) {
pipeline.remove(this);
// Handshake failures are handled in exceptionCaught(...).
if (handshakeEvent.isSuccess()) {
removeSelfIfPresent(ctx);
}
}
} else {
@ -109,6 +114,12 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa
}
}
private void removeSelfIfPresent(ChannelHandlerContext ctx) {
ChannelPipeline pipeline = ctx.pipeline();
if (pipeline.context(this) != null) {
pipeline.remove(this);
}
}
/**
* Invoked on successful initial SSL/TLS handshake. Implement this method to configure your pipeline
* for the negotiated application-level protocol.
@ -129,6 +140,15 @@ public abstract class ApplicationProtocolNegotiationHandler implements ChannelHa
@Override
public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
Throwable wrapped;
if (cause instanceof DecoderException && ((wrapped = cause.getCause()) instanceof SSLException)) {
try {
handshakeFailure(ctx, wrapped);
return;
} finally {
removeSelfIfPresent(ctx);
}
}
logger.warn("{} Failed to select the application-level protocol:", ctx.channel(), cause);
ctx.fireExceptionCaught(cause);
ctx.close();
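Review bot: With the `else` branch of `userEventTriggered` left empty, a failed `SslHandshakeCompletionEvent` reaches `handshakeFailure(...)` and `removeSelfIfPresent(ctx)` only if a `DecoderException` wrapping an `SSLException` later arrives in `exceptionCaught`. If a failure is ever reported through the event alone (it is not visible here whether SslHandler fires the exception on every failure path, for example a handshake timeout or a close during the handshake), the handler stays in the pipeline and the subclass's failure hook never runs, which matters for implementations that do cleanup or security logging there. Either keep a fallback for that case or state the assumption where the branch is left empty, e.g. `// Relies on SslHandler also firing exceptionCaught(DecoderException(SSLException)) for every failed handshake.` The bodies of both methods continue outside the visible hunks.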


@ -0,0 +1,95 @@
/*
* Copyright 2020 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.DecoderException;
import org.junit.Test;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.atomic.AtomicBoolean;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
public class ApplicationProtocolNegotiationHandlerTest {
@Test
public void testHandshakeFailure() {
ChannelHandler alpnHandler = new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
@Override
protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
fail();
}
};
EmbeddedChannel channel = new EmbeddedChannel(alpnHandler);
SSLHandshakeException exception = new SSLHandshakeException("error");
SslHandshakeCompletionEvent completionEvent = new SslHandshakeCompletionEvent(exception);
channel.pipeline().fireUserEventTriggered(completionEvent);
channel.pipeline().fireExceptionCaught(new DecoderException(exception));
assertNull(channel.pipeline().context(alpnHandler));
assertFalse(channel.finishAndReleaseAll());
}
@Test
public void testHandshakeSuccess() throws NoSuchAlgorithmException {
final AtomicBoolean configureCalled = new AtomicBoolean(false);
ChannelHandler alpnHandler = new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
@Override
protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
configureCalled.set(true);
assertEquals(ApplicationProtocolNames.HTTP_1_1, protocol);
}
};
SSLEngine engine = SSLContext.getDefault().createSSLEngine();
engine.setUseClientMode(false);
EmbeddedChannel channel = new EmbeddedChannel(new SslHandler(engine), alpnHandler);
channel.pipeline().fireUserEventTriggered(SslHandshakeCompletionEvent.SUCCESS);
assertNull(channel.pipeline().context(alpnHandler));
// Should produce the close_notify messages
assertTrue(channel.finishAndReleaseAll());
assertTrue(configureCalled.get());
}
@Test(expected = IllegalStateException.class)
public void testHandshakeSuccessButNoSslHandler() {
ChannelHandler alpnHandler = new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
@Override
protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
fail();
}
};
EmbeddedChannel channel = new EmbeddedChannel(alpnHandler);
try {
channel.pipeline().fireUserEventTriggered(SslHandshakeCompletionEvent.SUCCESS);
} finally {
assertNull(channel.pipeline().context(alpnHandler));
assertFalse(channel.finishAndReleaseAll());
}
}
}
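Review bot: `testHandshakeFailure` checks only that the handler was removed and that no messages are left, so it would still pass if `handshakeFailure(...)` were invoked twice or not at all, which is the double notification the commit message says it fixes. Overriding `handshakeFailure` in the anonymous handler to count invocations and asserting the count is exactly one after both the event and the exception have been fired would pin that behaviour. The sketch below needs an `AtomicInteger` import, which the test file does not have yet.

```java
final AtomicInteger failures = new AtomicInteger();
ChannelHandler alpnHandler = new ApplicationProtocolNegotiationHandler(ApplicationProtocolNames.HTTP_1_1) {
    // … unchanged: configurePipeline override that calls fail() …

    @Override
    protected void handshakeFailure(ChannelHandlerContext ctx, Throwable cause) throws Exception {
        failures.incrementAndGet();
        super.handshakeFailure(ctx, cause);
    }
};
// … unchanged: channel setup, fireUserEventTriggered and fireExceptionCaught …
assertEquals(1, failures.get());
```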