Package com.linkedin.venice.controller.grpc.server.interceptor

Class ControllerGrpcSslSessionInterceptor

java.lang.Object

com.linkedin.venice.controller.grpc.server.interceptor.ControllerGrpcSslSessionInterceptor

All Implemented Interfaces:

io.grpc.ServerInterceptor

public class ControllerGrpcSslSessionInterceptor
extends Object
implements io.grpc.ServerInterceptor

Intercepts gRPC calls to enforce SSL/TLS requirements and propagate client certificate and remote address details into the gRPC Context.

If the gRPC connection does not have an SSL session, the interceptor rejects the call with an UNAUTHENTICATED status. Otherwise, it extracts the client certificate and remote address, injecting them into the gRPC context for downstream processing.

The following attributes are injected into the Context:

• CLIENT_CERTIFICATE_CONTEXT_KEY: The client's X.509 certificate.
• CLIENT_ADDRESS_CONTEXT_KEY: The client's remote address as a string.

Errors are logged if the SSL session is missing or if certificate extraction fails.

Field Summary

Fields

Modifier and Type	Field	Description
protected static final io.grpc.StatusRuntimeException	NON_SSL_CONNECTION_ERROR
protected static final VeniceControllerGrpcErrorInfo	NON_SSL_ERROR_INFO

Constructor Summary

Constructors

Constructor	Description
ControllerGrpcSslSessionInterceptor()

Method Summary

Modifier and Type	Method	Description
<ReqT, RespT> io.grpc.ServerCall.Listener<ReqT>	interceptCall(io.grpc.ServerCall<ReqT,RespT> serverCall, io.grpc.Metadata metadata, io.grpc.ServerCallHandler<ReqT,RespT> serverCallHandler)	Intercepts a gRPC call to enforce SSL/TLS requirements and propagate SSL-related attributes into the gRPC Context.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

NON_SSL_ERROR_INFO

protected static final VeniceControllerGrpcErrorInfo NON_SSL_ERROR_INFO

NON_SSL_CONNECTION_ERROR

protected static final io.grpc.StatusRuntimeException NON_SSL_CONNECTION_ERROR

Constructor Details

ControllerGrpcSslSessionInterceptor

public ControllerGrpcSslSessionInterceptor()

Method Details

interceptCall

public <ReqT,
RespT>
io.grpc.ServerCall.Listener<ReqT> interceptCall(io.grpc.ServerCall<ReqT,RespT> serverCall,
 io.grpc.Metadata metadata,
 io.grpc.ServerCallHandler<ReqT,RespT> serverCallHandler)

Intercepts a gRPC call to enforce SSL/TLS requirements and propagate SSL-related attributes into the gRPC Context. This ensures that only secure connections with valid client certificates proceed further in the call chain.

The method performs the following steps:

• Extracts the remote address from the server call attributes.
• Validates the presence of an SSL session. If absent, the call is closed with an UNAUTHENTICATED status.
• Attempts to extract the client certificate from the SSL session. If extraction fails, the call is closed with an UNAUTHENTICATED status.
• Creates a new Context containing the client certificate and remote address, and passes it to the downstream handlers.

Specified by:

interceptCall in interface io.grpc.ServerInterceptor

Type Parameters:

ReqT - The request type of the gRPC method.

RespT - The response type of the gRPC method.

Parameters:

serverCall - The gRPC server call being intercepted.

metadata - The metadata associated with the call, containing headers and other request data.

serverCallHandler - The downstream handler that processes the call if validation passes.

Returns:

A ServerCall.Listener for handling the intercepted call, or a no-op listener if the call is terminated early due to validation failure.