Skip to content

binder: Let the server know when the client fails to authorize it. #12445

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 27, 2025
Merged

binder: Let the server know when the client fails to authorize it. #12445

merged 1 commit into from
Oct 27, 2025
+124 −17

Conversation

@jdcormie
Copy link
Member

@jdcormie jdcormie commented Oct 24, 2025
edited
Loading

Avoids waiting for the handshake timeout on the server side in this case.

I also add test coverage for the !setOutgoingBinder() case to make sure it works in the new location.

My ulterior motive for this change is simplifying the client handshake code in preparation for #12398 -- An (impossible) !isShutdown() clause goes away for easy to understand reasons and I'll no longer have to pass the server's binder as an arg from async function to function in two separate handshake impls.

TGP passes: fusion2/OCL:823722865:BASE:823829545:1761379767122:2d595b69

Fixes #12438

@jdcormie
Let the server know when the client fails to authorize it.
b9745a2 
Avoids handshake timeout on the server side in this case. Also has the
nice side effect that the client handshake code doesn't have to pass the
server's binder from async function to function as an argument.
@jdcormie jdcormie requested a review from ejona86 October 27, 2025 18:55
ejona86
ejona86 approved these changes Oct 27, 2025
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expect the code was delaying setOutgoingBinder() on purpose, to prevent accidentally sending on a unauthenticated binder. But that can be changed. It seems to have simply been a bug where the client wouldn't notify the server of failures during handshaking. I agree the code should notify the server when shut down while handshaking.

Note that the text of #12438 would seem to imply "Wire format version mismatch" and "Malformed SETUP_TRANSPORT data" aren't handled properly, and you didn't actually change the behavior here. But they don't respond because the handshake was too broken to figure out how to respond.

@jdcormie
Copy link
Member Author

Thanks for looking!

I believe your theory about the intent of the delayed setOutgoingBinder() call. After this PR, we'll depend on the !inState(READY) to prevent creating streams too early. As for accidental transactions during the handshake, I agree this deferral never accomplished much. The handshake code will always have to be carefully checked for security problems with or without it.

Good point about those two early error cases. I updated the text of the bug.

@jdcormie jdcormie merged commit 599a0a1 into grpc:master Oct 27, 2025
15 of 17 checks passed
@jdcormie jdcormie deleted the set-outgoing-binder-earlier branch October 27, 2025 20:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ejona86 ejona86 ejona86 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

binder: client doesn't tell the server about errors during the handshake

2 participants

@jdcormie @ejona86