apache · AlbumenJ · Aug 21, 2024 · Aug 12, 2024 · Aug 13, 2024 · Aug 14, 2024
diff --git a/.../dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/http3/Http3SslContexts.java b/.../dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/http3/Http3SslContexts.java
@@ -0,0 +1,168 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.remoting.http3;
+
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
+import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.common.ssl.AuthPolicy;
+import org.apache.dubbo.common.ssl.Cert;
+import org.apache.dubbo.common.ssl.CertManager;
+import org.apache.dubbo.common.ssl.ProviderCert;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSessionContext;
+
+import java.io.InputStream;
+import java.util.List;
+
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.ssl.ApplicationProtocolNegotiator;
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import io.netty.handler.ssl.util.SelfSignedCertificate;
+import io.netty.incubator.codec.http3.Http3;
+import io.netty.incubator.codec.quic.QuicSslContext;
+import io.netty.incubator.codec.quic.QuicSslContextBuilder;
+
+public final class Http3SslContexts extends SslContext {
+
+    private static final ErrorTypeAwareLogger LOGGER = LoggerFactory.getErrorTypeAwareLogger(Http3SslContexts.class);
+
+    private Http3SslContexts() {}
+
+    public static QuicSslContext buildServerSslContext(URL url) {
+        CertManager certManager = getCertManager(url);
+        ProviderCert cert = certManager.getProviderConnectionConfig(url, url.toInetSocketAddress());
+        if (cert == null) {
+            return buildSelfSignedServerSslContext(url);
+        }
+        QuicSslContextBuilder builder;
+        try {
+            try (InputStream privateKeyIn = cert.getPrivateKeyInputStream();
+                    InputStream keyCertChainIn = cert.getKeyCertChainInputStream()) {
+                if (keyCertChainIn == null || privateKeyIn == null) {
+                    return buildSelfSignedServerSslContext(url);
+                }
+                builder = QuicSslContextBuilder.forServer(
+                        toPrivateKey(privateKeyIn, cert.getPassword()),
+                        cert.getPassword(),
+                        toX509Certificates(keyCertChainIn));
+                try (InputStream trustCertIn = cert.getTrustCertInputStream()) {
+                    if (trustCertIn != null) {
+                        ClientAuth clientAuth = cert.getAuthPolicy() == AuthPolicy.CLIENT_AUTH
+                                ? ClientAuth.REQUIRE
+                                : ClientAuth.OPTIONAL;
+                        builder.trustManager(toX509Certificates(trustCertIn)).clientAuth(clientAuth);
+                    }
+                }
+            }
+        } catch (IllegalStateException t) {
+            throw t;
+        } catch (Throwable t) {
+            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", t);
+        }
+        try {
+            return builder.applicationProtocols(Http3.supportedApplicationProtocols())
+                    .build();
+        } catch (Throwable t) {
+            throw new IllegalStateException("Build SslSession failed.", t);
+        }
+    }
+
+    @SuppressWarnings("DataFlowIssue")
+    private static QuicSslContext buildSelfSignedServerSslContext(URL url) {
+        LOGGER.info("Provider cert not configured, build self signed sslContext, url=[{}]", url.toString(""));
+        SelfSignedCertificate certificate;
+        try {
+            certificate = new SelfSignedCertificate();
+        } catch (Throwable e) {
+            throw new IllegalStateException("Failed to create self signed certificate, Please import bcpkix jar", e);
+        }
+        return QuicSslContextBuilder.forServer(certificate.privateKey(), null, certificate.certificate())
+                .applicationProtocols(Http3.supportedApplicationProtocols())
+                .build();
+    }
+
+    public static QuicSslContext buildClientSslContext(URL url) {
+        CertManager certManager = getCertManager(url);
+        Cert cert = certManager.getConsumerConnectionConfig(url);
+        QuicSslContextBuilder builder = QuicSslContextBuilder.forClient();
+        try {
+            if (cert == null) {
+                LOGGER.info("Consumer cert not configured, build insecure sslContext, url=[{}]", url.toString(""));
+                builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
+            } else {
+                try (InputStream trustCertIn = cert.getTrustCertInputStream();
+                        InputStream privateKeyIn = cert.getPrivateKeyInputStream();
+                        InputStream keyCertChainIn = cert.getKeyCertChainInputStream()) {
+                    if (trustCertIn != null) {
+                        builder.trustManager(toX509Certificates(trustCertIn));
+                    }
+                    builder.keyManager(
+                            toPrivateKey(privateKeyIn, cert.getPassword()),
+                            cert.getPassword(),
+                            toX509Certificates(keyCertChainIn));
+                }
+            }
+        } catch (Throwable t) {
+            throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", t);
+        }
+        try {
+            return builder.applicationProtocols(Http3.supportedApplicationProtocols())
+                    .build();
+        } catch (Throwable t) {
+            throw new IllegalStateException("Build SslSession failed.", t);
+        }
+    }
+
+    private static CertManager getCertManager(URL url) {
+        return url.getOrDefaultFrameworkModel().getBeanFactory().getBean(CertManager.class);
+    }
+
+    @Override
+    public boolean isClient() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public List<String> cipherSuites() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    @SuppressWarnings("deprecation")
+    public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public SSLEngine newEngine(ByteBufAllocator alloc) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public SSLSessionContext sessionContext() {
+        throw new UnsupportedOperationException();
+    }
+}
diff --git a/.../src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3ConnectionClient.java b/.../src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3ConnectionClient.java
@@ -20,6 +20,7 @@
 import org.apache.dubbo.remoting.ChannelHandler;
 import org.apache.dubbo.remoting.Constants;
 import org.apache.dubbo.remoting.RemotingException;
+import org.apache.dubbo.remoting.http3.Http3SslContexts;
 import org.apache.dubbo.remoting.utils.UrlUtils;
 
 import java.util.concurrent.atomic.AtomicReference;
@@ -31,14 +32,11 @@
 import io.netty.channel.ChannelOption;
 import io.netty.channel.ChannelPromise;
 import io.netty.channel.socket.nio.NioDatagramChannel;
-import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import io.netty.handler.timeout.IdleStateHandler;
 import io.netty.incubator.codec.http3.Http3;
 import io.netty.incubator.codec.http3.Http3ClientConnectionHandler;
 import io.netty.incubator.codec.quic.QuicChannel;
 import io.netty.incubator.codec.quic.QuicChannelBootstrap;
-import io.netty.incubator.codec.quic.QuicSslContext;
-import io.netty.incubator.codec.quic.QuicSslContextBuilder;
 import io.netty.util.concurrent.Future;
 import io.netty.util.concurrent.GenericFutureListener;
 
@@ -62,14 +60,10 @@ protected void initConnectionClient() {
 
     @Override
     protected void initBootstrap() throws Exception {
-        QuicSslContext context = QuicSslContextBuilder.forClient()
-                .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                .applicationProtocols(Http3.supportedApplicationProtocols())
-                .build();
         int idleTimeout = UrlUtils.getIdleTimeout(getUrl());
         io.netty.channel.ChannelHandler codec = Helper.configCodec(Http3.newQuicClientCodecBuilder(), getUrl())
                 .maxIdleTimeout(idleTimeout, MILLISECONDS)
-                .sslContext(context)
+                .sslContext(Http3SslContexts.buildClientSslContext(getUrl()))
                 .build();
         io.netty.channel.Channel nettyDatagramChannel = new Bootstrap()
                 .option(ChannelOption.CONNECT_TIMEOUT_MILLIS, getConnectTimeout())

diff --git a/...ting-http3/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3Server.java b/...ting-http3/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3Server.java
@@ -26,6 +26,7 @@
 import org.apache.dubbo.remoting.ChannelHandler;
 import org.apache.dubbo.remoting.RemotingException;
 import org.apache.dubbo.remoting.http12.netty4.HttpWriteQueueHandler;
+import org.apache.dubbo.remoting.http3.Http3SslContexts;
 import org.apache.dubbo.remoting.http3.netty4.NettyHttp3FrameCodec;
 import org.apache.dubbo.remoting.http3.netty4.NettyHttp3ProtocolSelectorHandler;
 import org.apache.dubbo.remoting.transport.AbstractServer;
@@ -44,14 +45,11 @@
 import io.netty.channel.ChannelInitializer;
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.socket.nio.NioDatagramChannel;
-import io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.netty.handler.timeout.IdleStateHandler;
 import io.netty.incubator.codec.http3.Http3;
 import io.netty.incubator.codec.http3.Http3ServerConnectionHandler;
 import io.netty.incubator.codec.quic.InsecureQuicTokenHandler;
 import io.netty.incubator.codec.quic.QuicChannel;
-import io.netty.incubator.codec.quic.QuicSslContext;
-import io.netty.incubator.codec.quic.QuicSslContextBuilder;
 import io.netty.incubator.codec.quic.QuicStreamChannel;
 import io.netty.util.concurrent.Future;
 
@@ -88,15 +86,9 @@ protected void doOpen() throws Throwable {
         NettyHttp3ProtocolSelectorHandler selectorHandler =
                 new NettyHttp3ProtocolSelectorHandler(getUrl(), frameworkModel);
 
-        SelfSignedCertificate certificate = new SelfSignedCertificate();
-        QuicSslContext context = QuicSslContextBuilder.forServer(
-                        certificate.privateKey(), null, certificate.certificate())
-                .applicationProtocols(Http3.supportedApplicationProtocols())
-                .build();
-
         int idleTimeout = UrlUtils.getIdleTimeout(getUrl());
         io.netty.channel.ChannelHandler codec = Helper.configCodec(Http3.newQuicServerCodecBuilder(), getUrl())
-                .sslContext(context)
+                .sslContext(Http3SslContexts.buildServerSslContext(getUrl()))
                 .maxIdleTimeout(idleTimeout, MILLISECONDS)
                 .tokenHandler(InsecureQuicTokenHandler.INSTANCE)
                 .handler(new ChannelInitializer<QuicChannel>() {

diff --git a/...o-rpc-triple/src/test/java/org/apache/dubbo/rpc/protocol/tri/TripleHttp3ProtocolTest.java b/...o-rpc-triple/src/test/java/org/apache/dubbo/rpc/protocol/tri/TripleHttp3ProtocolTest.java
@@ -0,0 +1,139 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.rpc.protocol.tri;
+
+import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.stream.StreamObserver;
+import org.apache.dubbo.common.utils.ClassUtils;
+import org.apache.dubbo.common.utils.NetUtils;
+import org.apache.dubbo.config.SslConfig;
+import org.apache.dubbo.config.context.ConfigManager;
+import org.apache.dubbo.rpc.Constants;
+import org.apache.dubbo.rpc.Exporter;
+import org.apache.dubbo.rpc.Invoker;
+import org.apache.dubbo.rpc.Protocol;
+import org.apache.dubbo.rpc.ProxyFactory;
+import org.apache.dubbo.rpc.model.ApplicationModel;
+import org.apache.dubbo.rpc.model.ConsumerModel;
+import org.apache.dubbo.rpc.model.ModuleServiceRepository;
+import org.apache.dubbo.rpc.model.ProviderModel;
+import org.apache.dubbo.rpc.model.ServiceDescriptor;
+import org.apache.dubbo.rpc.model.ServiceMetadata;
+import org.apache.dubbo.rpc.protocol.tri.support.IGreeter;
+import org.apache.dubbo.rpc.protocol.tri.support.IGreeterImpl;
+import org.apache.dubbo.rpc.protocol.tri.support.MockStreamObserver;
+
+import java.nio.file.Paths;
+import java.util.concurrent.TimeUnit;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import static org.apache.dubbo.rpc.protocol.tri.support.IGreeter.SERVER_MSG;
+
+class TripleHttp3ProtocolTest {
+
+    @Test
+    void testDemoProtocol() throws Exception {
+        IGreeter serviceImpl = new IGreeterImpl();
+        int availablePort = NetUtils.getAvailablePort();
+        ApplicationModel applicationModel = ApplicationModel.defaultModel();
+        ConfigManager configManager = applicationModel.getApplicationConfigManager();
+
+        SslConfig sslConfig = new SslConfig();
+        sslConfig.setScopeModel(applicationModel);
+
+        sslConfig.setServerKeyCertChainPath(getAbsolutePath("/certs/server.pem"));
+        sslConfig.setServerPrivateKeyPath(getAbsolutePath("/certs/server.key"));
+        sslConfig.setServerTrustCertCollectionPath(getAbsolutePath("/certs/ca.pem"));
+        sslConfig.setClientKeyCertChainPath(getAbsolutePath("/certs/client.pem"));
+        sslConfig.setClientPrivateKeyPath(getAbsolutePath("/certs/client.key"));
+        sslConfig.setClientTrustCertCollectionPath(getAbsolutePath("/certs/ca.pem"));
+
+        configManager.setSsl(sslConfig);
+
+        URL providerUrl = URL.valueOf("tri://127.0.0.1:" + availablePort + "/" + IGreeter.class.getName());
+
+        providerUrl = providerUrl.addParameter(Constants.HTTP3_KEY, "true");
+        ModuleServiceRepository serviceRepository =
+                applicationModel.getDefaultModule().getServiceRepository();
+        ServiceDescriptor serviceDescriptor = serviceRepository.registerService(IGreeter.class);
+
+        ProviderModel providerModel = new ProviderModel(
+                providerUrl.getServiceKey(),
+                serviceImpl,
+                serviceDescriptor,
+                new ServiceMetadata(),
+                ClassUtils.getClassLoader(IGreeter.class));
+        serviceRepository.registerProvider(providerModel);
+        providerUrl = providerUrl.setServiceModel(providerModel);
+
+        Protocol protocol = new TripleProtocol(providerUrl.getOrDefaultFrameworkModel());
+        ProxyFactory proxy =
+                applicationModel.getExtensionLoader(ProxyFactory.class).getAdaptiveExtension();
+        Invoker<IGreeter> invoker = proxy.getInvoker(serviceImpl, IGreeter.class, providerUrl);
+        Exporter<IGreeter> export = protocol.export(invoker);
+        URL consumerUrl = URL.valueOf("tri://127.0.0.1:" + availablePort + "/" + IGreeter.class.getName());
+
+        ConsumerModel consumerModel =
+                new ConsumerModel(consumerUrl.getServiceKey(), null, serviceDescriptor, null, null, null);
+        consumerUrl = consumerUrl.setServiceModel(consumerModel);
+        consumerUrl = consumerUrl.addParameter(Constants.HTTP3_KEY, "true");
+        IGreeter greeterProxy = proxy.getProxy(protocol.refer(IGreeter.class, consumerUrl));
+        Thread.sleep(1000);
+
+        // 1. test unaryStream
+        String REQUEST_MSG = "hello world";
+        Assertions.assertEquals(REQUEST_MSG, greeterProxy.echo(REQUEST_MSG));
+        Assertions.assertEquals(REQUEST_MSG, serviceImpl.echoAsync(REQUEST_MSG).get());
+
+        // 2. test serverStream
+        MockStreamObserver outboundMessageSubscriber1 = new MockStreamObserver();
+        greeterProxy.serverStream(REQUEST_MSG, outboundMessageSubscriber1);
+        outboundMessageSubscriber1.getLatch().await(3000, TimeUnit.MILLISECONDS);
+        Assertions.assertEquals(outboundMessageSubscriber1.getOnNextData(), REQUEST_MSG);
+        Assertions.assertTrue(outboundMessageSubscriber1.isOnCompleted());
+
+        // 3. test bidirectionalStream
+        MockStreamObserver outboundMessageSubscriber2 = new MockStreamObserver();
+        StreamObserver<String> inboundMessageObserver = greeterProxy.bidirectionalStream(outboundMessageSubscriber2);
+        inboundMessageObserver.onNext(REQUEST_MSG);
+        inboundMessageObserver.onCompleted();
+        outboundMessageSubscriber2.getLatch().await(3000, TimeUnit.MILLISECONDS);
+        // verify client
+        Assertions.assertEquals(outboundMessageSubscriber2.getOnNextData(), SERVER_MSG);
+        Assertions.assertTrue(outboundMessageSubscriber2.isOnCompleted());
+        // verify server
+        MockStreamObserver serverOutboundMessageSubscriber =
+                (MockStreamObserver) ((IGreeterImpl) serviceImpl).getMockStreamObserver();
+        serverOutboundMessageSubscriber.getLatch().await(1000, TimeUnit.MILLISECONDS);
+        Assertions.assertEquals(REQUEST_MSG, serverOutboundMessageSubscriber.getOnNextData());
+        Assertions.assertTrue(serverOutboundMessageSubscriber.isOnCompleted());
+
+        export.unexport();
+        protocol.destroy();
+        // resource recycle.
+        serviceRepository.destroy();
+        System.out.println("serviceRepository destroyed");
+    }
+
+    private String getAbsolutePath(String resourcePath) throws Exception {
+        java.net.URL resourceUrl = TripleHttp3ProtocolTest.class.getResource(resourcePath);
+        Assertions.assertNotNull(resourceUrl, "Cert file '/certs/" + resourcePath + " is required");
+        return Paths.get(resourceUrl.toURI()).toAbsolutePath().toString();
+    }
+}