Add E2E TLS tests

Author: gjcairo

Package.swift

@@ -57,6 +57,10 @@ let dependencies: [Package.Dependency] = [
     url: "https://github.com/apple/swift-nio-extras.git",
     from: "1.4.0"
   ),
+  .package(
+    url: "https://github.com/apple/swift-certificates.git",
+    from: "1.5.0"
+  ),
 ]
 
 let defaultSwiftSettings: [SwiftSetting] = [
@@ -104,6 +108,7 @@ let targets: [Target] = [
       .target(name: "GRPCNIOTransportCore"),
       .product(name: "GRPCCore", package: "grpc-swift"),
       .product(name: "NIOPosix", package: "swift-nio"),
+      .product(name: "NIOSSL", package: "swift-nio-ssl"),
     ],
     swiftSettings: defaultSwiftSettings
   ),
@@ -132,6 +137,8 @@ let targets: [Target] = [
     name: "GRPCNIOTransportHTTP2Tests",
     dependencies: [
       .target(name: "GRPCNIOTransportHTTP2"),
+      .product(name: "X509", package: "swift-certificates"),
+      .product(name: "NIOSSL", package: "swift-nio-ssl"),
     ]
   )
 ]

Sources/GRPCNIOTransportCore/Client/Connection/Connection.swift

@@ -236,6 +236,7 @@ package final class Connection: Sendable {
     // This state is tracked here so that if the connection events sequence finishes and the
     // connection never became ready then the connection can report that the connect failed.
     var isReady = false
+    var unexpectedCloseError: (any Error)?
 
     func makeNeverReadyError(cause: (any Error)?) -> RPCError {
       return RPCError(
@@ -265,10 +266,15 @@ package final class Connection: Sendable {
             // The connection will close at some point soon, yield a notification for this
             // because the close might not be imminent and this could result in address resolution.
             self.event.continuation.yield(.goingAway(errorCode, reason))
-          case .idle, .keepaliveExpired, .initiatedLocally, .unexpected:
+          case .idle, .keepaliveExpired, .initiatedLocally:
             // The connection will be closed imminently in these cases there's no need to do
             // anything.
             ()
+          case .unexpected(let error, _):
+            // The connection will be closed imminently in this case.
+            // We'll store the error that caused the unexpected closure so we
+            // can surface it.
+            unexpectedCloseError = error
           }
 
           // Take the reason with the highest precedence. A GOAWAY may be superseded by user
@@ -318,7 +324,7 @@ package final class Connection: Sendable {
         finalEvent = .closed(connectionCloseReason)
       } else {
         // The connection never became ready, this therefore counts as a failed connect attempt.
-        finalEvent = .connectFailed(makeNeverReadyError(cause: nil))
+        finalEvent = .connectFailed(makeNeverReadyError(cause: unexpectedCloseError))
       }
 
       // The connection events sequence has finished: the connection is now closed.

Sources/GRPCNIOTransportCore/Client/Connection/GRPCChannel.swift

@@ -290,7 +290,7 @@ extension GRPCChannel {
       }
 
     case .failRPC:
-      return .stopTrying(RPCError(code: .unavailable, message: "channel isn't ready"))
+      return .stopTrying(RPCError(code: .unavailable, message: "Channel isn't ready."))
     }
   }
 
@@ -300,7 +300,7 @@ extension GRPCChannel {
     loadBalancer: LoadBalancer
   ) async -> MakeStreamResult {
     guard let subchannel = loadBalancer.pickSubchannel() else {
-      return .tryAgain(RPCError(code: .unavailable, message: "channel isn't ready"))
+      return .tryAgain(RPCError(code: .unavailable, message: "Channel isn't ready."))
     }
 
     let methodConfig = self.config(forMethod: descriptor)
@@ -768,8 +768,9 @@ extension GRPCChannel.StateMachine {
             result: .failure(
               RPCError(
                 code: .unavailable,
-                message: "channel isn't ready",
-                cause: cause
+                message: "Channel isn't ready.",
+                cause: cause,
+                flatteningCauses: true
               )
             )
           )
@@ -781,7 +782,7 @@ extension GRPCChannel.StateMachine {
           let continuations = state.queue.removeFastFailingEntries()
           actions.resumeContinuations = ConnectivityStateChangeActions.ResumableContinuations(
             continuations: continuations,
-            result: .failure(RPCError(code: .unavailable, message: "channel isn't ready"))
+            result: .failure(RPCError(code: .unavailable, message: "Channel isn't ready."))
           )
 
         case .idle, .connecting:

Sources/GRPCNIOTransportCore/Client/Connection/LoadBalancers/RoundRobinLoadBalancer.swift

@@ -735,6 +735,10 @@ extension ConnectivityState {
   static func aggregate(_ states: some Collection<ConnectivityState>) -> ConnectivityState {
     // See https://github.com/grpc/grpc/blob/master/doc/load-balancing.md
 
+    if states.isEmpty {
+      return .shutdown
+    }
+
     // If any one subchannel is in READY state, the channel's state is READY.
     if states.contains(where: { $0 == .ready }) {
       return .ready
@@ -751,15 +755,15 @@ extension ConnectivityState {
     }
 
     // Otherwise, if all subchannels are in state TRANSIENT_FAILURE, the channel's state is TRANSIENT_FAILURE.
+    // Pick one of the errors to surface, as we can't surface all of them.
+    var cause: RPCError!
     for state in states {
-      guard case .transientFailure = state else {
+      guard case .transientFailure(let error) = state else {
         return .shutdown
       }
+      cause = error
     }
 
-    return .transientFailure(cause: RPCError(
-      code: .internalError,
-      message: "All subchannels are in TRANSIENT_FAILURE state."
-    ))
+    return .transientFailure(cause: cause)
   }
 }

Sources/GRPCNIOTransportCore/Client/Connection/LoadBalancers/Subchannel.swift

@@ -256,8 +256,8 @@ extension Subchannel {
     switch event {
     case .connectSucceeded:
       self.handleConnectSucceededEvent()
-    case .connectFailed:
-      self.handleConnectFailedEvent(in: &group)
+    case .connectFailed(let cause):
+      self.handleConnectFailedEvent(in: &group, error: cause)
     case .goingAway:
       self.handleGoingAwayEvent()
     case .closed(let reason):
@@ -282,21 +282,23 @@ extension Subchannel {
     }
   }
 
-  private func handleConnectFailedEvent(in group: inout DiscardingTaskGroup) {
+  private func handleConnectFailedEvent(in group: inout DiscardingTaskGroup, error: any Error) {
     let onConnectFailed = self.state.withLock { $0.connectFailed(connector: self.connector) }
     switch onConnectFailed {
     case .connect(let connection):
       // Try the next address.
       self.runConnection(connection, in: &group)
 
     case .backoff(let duration):
+      let transientFailureCause = (error as? RPCError) ?? RPCError(
+        code: .unavailable,
+        message: "All addresses have been tried: backing off.",
+        cause: error
+      )
       // All addresses have been tried, backoff for some time.
       self.event.continuation.yield(
         .connectivityStateChanged(
-          .transientFailure(cause: RPCError(
-            code: .unavailable, 
-            message: "All addresses have been tried: backing off."
-          ))
+          .transientFailure(cause: transientFailureCause)
         )
       )
       group.addTask {

Sources/GRPCNIOTransportHTTP2Posix/TLSConfig.swift

@@ -171,6 +171,27 @@ extension HTTP2ServerTransport.Posix.Config {
     ///
     /// If this is set to `true` but the client does not support ALPN, then the connection will be rejected.
     public var requireALPN: Bool
+    
+    /// Create a new HTTP2 NIO Posix server transport TLS config.
+    /// - Parameters:
+    ///   - certificateChain: The certificates the server will offer during negotiation.
+    ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - clientCertificateVerification: How to verify the client certificate, if one is presented.
+    ///   - trustRoots: The trust roots to be used when verifying client certificates.
+    ///   - requireALPN: Whether ALPN is required.
+    public init(
+      certificateChain: [TLSConfig.CertificateSource],
+      privateKey: TLSConfig.PrivateKeySource,
+      clientCertificateVerification: TLSConfig.CertificateVerification,
+      trustRoots: TLSConfig.TrustRootsSource,
+      requireALPN: Bool
+    ) {
+      self.certificateChain = certificateChain
+      self.privateKey = privateKey
+      self.clientCertificateVerification = clientCertificateVerification
+      self.trustRoots = trustRoots
+      self.requireALPN = requireALPN
+    }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted:
     /// - `clientCertificateVerificationMode` equals `doNotVerify`
@@ -180,18 +201,22 @@ extension HTTP2ServerTransport.Posix.Config {
     /// - Parameters:
     ///   - certificateChain: The certificates the server will offer during negotiation.
     ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
     public static func defaults(
       certificateChain: [TLSConfig.CertificateSource],
-      privateKey: TLSConfig.PrivateKeySource
+      privateKey: TLSConfig.PrivateKeySource,
+      configure: (_ config: inout Self) -> Void = { _ in }
     ) -> Self {
-      Self(
+      var config = Self(
         certificateChain: certificateChain,
         privateKey: privateKey,
         clientCertificateVerification: .noVerification,
         trustRoots: .systemDefault,
         requireALPN: false
       )
+      configure(&config)
+      return config
     }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted to match
@@ -203,18 +228,22 @@ extension HTTP2ServerTransport.Posix.Config {
     /// - Parameters:
     ///   - certificateChain: The certificates the server will offer during negotiation.
     ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
     public static func mTLS(
       certificateChain: [TLSConfig.CertificateSource],
-      privateKey: TLSConfig.PrivateKeySource
+      privateKey: TLSConfig.PrivateKeySource,
+      configure: (_ config: inout Self) -> Void = { _ in }
     ) -> Self {
-      Self(
+      var config = Self(
         certificateChain: certificateChain,
         privateKey: privateKey,
         clientCertificateVerification: .noHostnameVerification,
         trustRoots: .systemDefault,
         requireALPN: false
       )
+      configure(&config)
+      return config
     }
   }
 }
@@ -255,6 +284,27 @@ extension HTTP2ClientTransport.Posix.Config {
 
     /// An optional server hostname to use when verifying certificates.
     public var serverHostname: String?
+    
+    /// Create a new HTTP2 NIO Posix client transport TLS config.
+    /// - Parameters:
+    ///   - certificateChain: The certificates the client will offer during negotiation.
+    ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - serverCertificateVerification: How to verify the server certificate, if one is presented.
+    ///   - trustRoots: The trust roots to be used when verifying server certificates.
+    ///   - serverHostname: An optional server hostname to use when verifying certificates.
+    public init(
+      certificateChain: [TLSConfig.CertificateSource],
+      privateKey: TLSConfig.PrivateKeySource? = nil,
+      serverCertificateVerification: TLSConfig.CertificateVerification,
+      trustRoots: TLSConfig.TrustRootsSource,
+      serverHostname: String? = nil
+    ) {
+      self.certificateChain = certificateChain
+      self.privateKey = privateKey
+      self.serverCertificateVerification = serverCertificateVerification
+      self.trustRoots = trustRoots
+      self.serverHostname = serverHostname
+    }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted:
     /// - `certificateChain` equals `[]`
@@ -263,35 +313,46 @@ extension HTTP2ClientTransport.Posix.Config {
     /// - `trustRoots` equals `systemDefault`
     /// - `serverHostname` equals `nil`
     ///
+    /// - Parameters:
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
-    public static var defaults: Self {
-      Self(
+    public static func defaults(
+      configure: (_ config: inout Self) -> Void = { _ in }
+    ) -> Self {
+      var config = Self(
         certificateChain: [],
         privateKey: nil,
         serverCertificateVerification: .fullVerification,
         trustRoots: .systemDefault,
         serverHostname: nil
       )
+      configure(&config)
+      return config
     }
 
     /// Create a new HTTP2 NIO Posix transport TLS config, with some values defaulted to match
     /// the requirements of mTLS:
     /// - `trustRoots` equals `systemDefault`
+    /// - `serverCertificateVerification` equals `fullVerification`
     ///
     /// - Parameters:
     ///   - certificateChain: The certificates the client will offer during negotiation.
     ///   - privateKey: The private key associated with the leaf certificate.
+    ///   - configure: A closure which allows you to modify the defaults before returning them.
     /// - Returns: A new HTTP2 NIO Posix transport TLS config.
     public static func mTLS(
       certificateChain: [TLSConfig.CertificateSource],
-      privateKey: TLSConfig.PrivateKeySource
+      privateKey: TLSConfig.PrivateKeySource,
+      configure: (_ config: inout Self) -> Void = { _ in }
     ) -> Self {
-      Self(
+      var config = Self(
         certificateChain: certificateChain,
         privateKey: privateKey,
         serverCertificateVerification: .fullVerification,
         trustRoots: .systemDefault
       )
+      configure(&config)
+      return config
     }
   }
 }

Sources/GRPCNIOTransportHTTP2TransportServices/TLSConfig.swift

@@ -45,17 +45,26 @@ extension HTTP2ServerTransport.TransportServices.Config {
     /// If this is set to `true` but the client does not support ALPN, then the connection will be rejected.
     public var requireALPN: Bool
 
+    /// Create a new HTTP2 NIO Transport Services transport TLS config.
+    /// - Parameters:
+    ///   - requireALPN: Whether ALPN is required.
+    ///   - identityProvider: A provider for the `SecIdentity` to be used when setting up TLS.
+    public init(
+      requireALPN: Bool,
+      identityProvider: @Sendable @escaping () throws -> SecIdentity
+    ) {
+      self.requireALPN = requireALPN
+      self.identityProvider = identityProvider
+    }
+
     /// Create a new HTTP2 NIO Transport Services transport TLS config, with some values defaulted:
     /// - `requireALPN` equals `false`
     ///
     /// - Returns: A new HTTP2 NIO Transport Services transport TLS config.
     public static func defaults(
       identityProvider: @Sendable @escaping () throws -> SecIdentity
     ) -> Self {
-      Self(
-        identityProvider: identityProvider,
-        requireALPN: false
-      )
+      Self(requireALPN: false, identityProvider: identityProvider)
     }
   }
 }

Tests/GRPCNIOTransportHTTP2Tests/HTTP2TransportNIOPosixTests.swift

@@ -410,7 +410,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_Defaults() throws {
-    let grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    let grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     let nioSSLTLSConfig = try TLSConfiguration(grpcTLSConfig)
 
     XCTAssertEqual(nioSSLTLSConfig.certificateChain, [])
@@ -422,7 +422,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_CustomCertificateChainAndPrivateKey() throws {
-    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     grpcTLSConfig.certificateChain = [
       .bytes(Array(Self.samplePemCert.utf8), format: .pem)
     ]
@@ -451,7 +451,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_CustomTrustRoots() throws {
-    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     grpcTLSConfig.trustRoots = .certificates([.bytes(Array(Self.samplePemCert.utf8), format: .pem)])
     let nioSSLTLSConfig = try TLSConfiguration(grpcTLSConfig)
 
@@ -467,7 +467,7 @@ final class HTTP2TransportNIOPosixTests: XCTestCase {
   }
 
   func testClientTLSConfig_CustomCertificateVerification() throws {
-    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults
+    var grpcTLSConfig = HTTP2ClientTransport.Posix.Config.TLS.defaults()
     grpcTLSConfig.serverCertificateVerification = .noHostnameVerification
     let nioSSLTLSConfig = try TLSConfiguration(grpcTLSConfig)