From ec8d191521c3a0c83395525d508600ef3f4666fe Mon Sep 17 00:00:00 2001
From: Tomo Suzuki
Date: Fri, 2 Apr 2021 12:07:29 -0400
Subject: [PATCH 1/6] Upgrading google-auth-library to 0.25.2 Fixes #8037
---
 .../java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java | 2 +-
 build.gradle | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java b/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
index 634cc1e46de..aeafe3bd971 100644
--- a/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
+++ b/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
@@ -394,7 +394,7 @@ public void jwtAccessCredentialsInRequestMetadata() throws Exception {
 Map header = (Map) JsonParser.parse(jsonHeader);
 assertEquals("test-private-key-id", header.get("kid"));
 Map payload = (Map) JsonParser.parse(jsonPayload);
- assertEquals("https://example.com:123/a.service", payload.get("aud"));
+ assertEquals("https://example.com/", payload.get("aud"));
 assertEquals("test-email@example.com", payload.get("iss"));
 assertEquals("test-email@example.com", payload.get("sub"));
 }
diff --git a/build.gradle b/build.gradle
index 56d28697f5e..6a3c70d4398 100644
--- a/build.gradle
+++ b/build.gradle
@@ -56,7 +56,7 @@ subprojects {
 nettyVersion = '4.1.52.Final'
 guavaVersion = '30.0-android'
- googleauthVersion = '0.22.2'
+ googleauthVersion = '0.25.2'
 protobufVersion = '3.12.0'
 protocVersion = protobufVersion
 opencensusVersion = '0.28.0'
From c8e02647badf606f6f7bddc9284065a6ae911818 Mon Sep 17 00:00:00 2001
From: Tomo Suzuki
Date: Mon, 12 Apr 2021 10:51:44 -0400
Subject: [PATCH 2/6] Dependency override
---
 build.gradle | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/build.gradle b/build.gradle
index 6a3c70d4398..6d9c4b71d4e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -254,6 +254,16 @@ subprojects {
 dependencies.runtimeOnly project(':grpc-context')
 censusApiDependency 'runtimeOnly'
 guavaDependency 'runtimeOnly'
+
+ // We can remove this dependency override once org.apache.httpcomponents:httpclient:4.5.13
+ // is released with org.apache.httpcomponents:httpcore:4.4.14 dependency, and
+ // com.google.http-client:google-http-client:1.39.1 is upgraded with them.
+ // https://github.com/grpc/grpc-java/issues/8037
+ configurations.all {
+ resolutionStrategy {
+ force 'org.apache.httpcomponents:httpcore:4.4.14'
+ }
+ }
 }
 // A util function to config perfmark dependency with transitive
From dbe557f917b8af186ecc56b3a7911b8e49828784 Mon Sep 17 00:00:00 2001
From: Tomo Suzuki
Date: Mon, 12 Apr 2021 13:23:15 -0400
Subject: [PATCH 3/6] google-http-java-client-jackson2 with dependency exclusions
---
 build.gradle | 22 ++++++++++++----------
 xds/build.gradle | 7 +++++++
 2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/build.gradle b/build.gradle
index 6d9c4b71d4e..e27b1477144 100644
--- a/build.gradle
+++ b/build.gradle
@@ -57,6 +57,7 @@ subprojects {
 nettyVersion = '4.1.52.Final'
 guavaVersion = '30.0-android'
 googleauthVersion = '0.25.2'
+ googlehttpVersion = '1.39.1'
 protobufVersion = '3.12.0'
 protocVersion = protobufVersion
 opencensusVersion = '0.28.0'
@@ -155,6 +156,7 @@ subprojects {
 google_api_protos: 'com.google.api.grpc:proto-google-common-protos:2.0.1',
 google_auth_credentials: "com.google.auth:google-auth-library-credentials:${googleauthVersion}",
 google_auth_oauth2_http: "com.google.auth:google-auth-library-oauth2-http:${googleauthVersion}",
+ google_http_client_jackson2: "com.google.http-client:google-http-client-jackson2:${googlehttpVersion}",
 okhttp: 'com.squareup.okhttp:okhttp:2.7.4',
 okio: 'com.squareup.okio:okio:1.17.5',
 opencensus_api: "io.opencensus:opencensus-api:${opencensusVersion}",
@@ -254,16 +256,6 @@ subprojects {
 dependencies.runtimeOnly project(':grpc-context')
 censusApiDependency 'runtimeOnly'
 guavaDependency 'runtimeOnly'
-
- // We can remove this dependency override once org.apache.httpcomponents:httpclient:4.5.13
- // is released with org.apache.httpcomponents:httpcore:4.4.14 dependency, and
- // com.google.http-client:google-http-client:1.39.1 is upgraded with them.
- // https://github.com/grpc/grpc-java/issues/8037
- configurations.all {
- resolutionStrategy {
- force 'org.apache.httpcomponents:httpcore:4.4.14'
- }
- }
 }
 // A util function to config perfmark dependency with transitive
@@ -299,6 +291,16 @@ subprojects {
 ])) {
 runtimeClasspath {
 resolutionStrategy.failOnVersionConflict()
+
+ // We can remove this dependency override once org.apache.httpcomponents:httpclient:4.5.13
+ // is released with org.apache.httpcomponents:httpcore:4.4.14 dependency, and
+ // com.google.http-client:google-http-client:1.39.1 is upgraded with them.
+ // https://github.com/grpc/grpc-java/issues/8037
+ configurations.all {
+ resolutionStrategy {
+ force 'org.apache.httpcomponents:httpcore:4.4.14'
+ }
+ }
 }
 }
 }
diff --git a/xds/build.gradle b/xds/build.gradle
index d8462c0de54..585fea42ef4 100644
--- a/xds/build.gradle
+++ b/xds/build.gradle
@@ -37,6 +37,7 @@ dependencies {
 libraries.re2j,
 libraries.bouncycastle,
 libraries.autovalue_annotation
+
 def nettyDependency = implementation project(':grpc-netty')
 implementation (libraries.opencensus_proto) {
@@ -51,6 +52,12 @@ dependencies {
 exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
 }
+ implementation (libraries.google_http_client_jackson2) {
+ exclude group: 'com.google.guava', module: 'guava'
+ exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
+ exclude group: 'io.grpc', module: 'grpc-context'
+ }
+
 testImplementation project(':grpc-core').sourceSets.test.output
 annotationProcessor libraries.autovalue
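Review bot: The added `implementation (libraries.google_http_client_jackson2) { ... }` block in the `-51,6 +52,12` hunk of xds/build.gradle has no comment saying why xds now declares this artifact directly or why guava, error_prone_annotations and grpc-context are excluded from it. Each exclude swaps the version the artifact was built against for whatever the rest of the build resolves, so anyone auditing the runtime classpath has to rediscover the reasoning from the issue tracker. I would add a line above the block such as `// Direct dependency only so the transitive versions below can be excluded; see https://github.com/grpc/grpc-java/issues/8037`, adjusted if the actual reason differs. The enclosing `dependencies` block starts and ends outside the hunk.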
From 26079a1bf47f8db44bd13474a50c33bcad9c6586 Mon Sep 17 00:00:00 2001
From: Tomo Suzuki
Date: Fri, 16 Apr 2021 12:58:28 -0400
Subject: [PATCH 4/6] Exclusion for httpcore rather than overwriting it It's preferred to setup dependency exclusions and declare the problematic dependency as a direct dependency, because overwriting the dependency (in this case org.apache.httpcomponents:httpcore), while it may pass the checks in the build, does not have any effect in the produced pom.xml after the library is published to Maven Central.
---
 build.gradle | 13 +++----------
 xds/build.gradle | 2 ++
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/build.gradle b/build.gradle
index e27b1477144..10010aa97cf 100644
--- a/build.gradle
+++ b/build.gradle
@@ -151,6 +151,7 @@ subprojects {
 cronet_embedded: 'org.chromium.net:cronet-embedded:66.3359.158',
 gson: "com.google.code.gson:gson:2.8.6",
 guava: "com.google.guava:guava:${guavaVersion}",
+ httpcore: "org.apache.httpcomponents:httpcore:4.4.14",
 javax_annotation: 'org.apache.tomcat:annotations-api:6.0.53',
 jsr305: 'com.google.code.findbugs:jsr305:3.0.2',
 google_api_protos: 'com.google.api.grpc:proto-google-common-protos:2.0.1',
@@ -252,10 +253,12 @@ subprojects {
 exclude group: 'com.google.guava', module: 'guava'
 exclude group: 'io.grpc', module: 'grpc-context'
 exclude group: 'io.opencensus', module: 'opencensus-api'
+ exclude group: 'org.apache.httpcomponents', module: 'httpcore'
 }
 dependencies.runtimeOnly project(':grpc-context')
 censusApiDependency 'runtimeOnly'
 guavaDependency 'runtimeOnly'
+ dependencies.runtimeOnly libraries.httpcore
 }
 // A util function to config perfmark dependency with transitive
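Review bot: The new pin `httpcore: "org.apache.httpcomponents:httpcore:4.4.14"` and the `exclude group: 'org.apache.httpcomponents', module: 'httpcore'` / `dependencies.runtimeOnly libraries.httpcore` pair in the `-252,10 +253,12` hunk carry no comment, while the `-291,16 +294,6` hunk of this same patch deletes the comment that said when the override can be dropped and linked the issue. Without it the version is a bare literal nobody will know to revisit, and a pinned HTTP library that outlives its reason is easy to leave behind on later upstream fixes. I would carry the explanation over next to the library entry, e.g. `// Pinned until httpclient and google-http-client depend on httpcore 4.4.14 themselves; see https://github.com/grpc/grpc-java/issues/8037`. The same exclude-and-re-add pair appears uncommented in the xds/build.gradle hunk of this patch, and the enclosing block here starts above the hunk.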
@@ -291,16 +294,6 @@ subprojects {
 ])) {
 runtimeClasspath {
 resolutionStrategy.failOnVersionConflict()
-
- // We can remove this dependency override once org.apache.httpcomponents:httpclient:4.5.13
- // is released with org.apache.httpcomponents:httpcore:4.4.14 dependency, and
- // com.google.http-client:google-http-client:1.39.1 is upgraded with them.
- // https://github.com/grpc/grpc-java/issues/8037
- configurations.all {
- resolutionStrategy {
- force 'org.apache.httpcomponents:httpcore:4.4.14'
- }
- }
 }
 }
 }
diff --git a/xds/build.gradle b/xds/build.gradle
index 585fea42ef4..f1ab4bd3608 100644
--- a/xds/build.gradle
+++ b/xds/build.gradle
@@ -56,7 +56,9 @@ dependencies {
 exclude group: 'com.google.guava', module: 'guava'
 exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
 exclude group: 'io.grpc', module: 'grpc-context'
+ exclude group: 'org.apache.httpcomponents', module: 'httpcore'
 }
+ runtimeOnly libraries.httpcore
 testImplementation project(':grpc-core').sourceSets.test.output
From b19fc9415be6c60eab186067f6ad70fa280d6c17 Mon Sep 17 00:00:00 2001
From: Eric Anderson
Date: Fri, 16 Apr 2021 12:45:37 -0700
Subject: [PATCH 5/6] Allow both old and new behavior from google-auth-library-java
---
 .../io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java b/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
index aeafe3bd971..ee5713bfd27 100644
--- a/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
+++ b/auth/src/test/java/io/grpc/auth/GoogleAuthLibraryCallCredentialsTest.java
@@ -394,7 +394,11 @@ public void jwtAccessCredentialsInRequestMetadata() throws Exception {
 Map header = (Map) JsonParser.parse(jsonHeader);
 assertEquals("test-private-key-id", header.get("kid"));
 Map payload = (Map) JsonParser.parse(jsonPayload);
- assertEquals("https://example.com/", payload.get("aud"));
+ // google-auth-library-java 0.25.2 began stripping the grpc service name from the audience.
+ // Allow tests to pass with both the old and new versions for a while to avoid an atomic upgrade
+ // everywhere google-auth-library-java is used.
+ assertTrue("https://example.com/".equals(payload.get("aud"))
+ || "https://example.com:123/a.service".equals(payload.get("aud")));
 assertEquals("test-email@example.com", payload.get("iss"));
 assertEquals("test-email@example.com", payload.get("sub"));
 }
From 009f6f5e14296d8f7161e40df6f565d13c20150e Mon Sep 17 00:00:00 2001
From: Tomo Suzuki
Date: Fri, 16 Apr 2021 15:53:58 -0400
Subject: [PATCH 6/6] Excluding junit from google-http-client-jackson2 Google-http-client-jackson2 depends on jackson-core. Jackson-core depends on junit (with test scope). If we don't exclude the junit dependency, :grpc-all:dependencies (unexpectedly) fails to resolve dependencies. Details: https://github.com/grpc/grpc-java/pull/8078#issuecomment-821522542
---
 xds/build.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/xds/build.gradle b/xds/build.gradle
index f1ab4bd3608..1f09b8c987a 100644
--- a/xds/build.gradle
+++ b/xds/build.gradle
@@ -57,6 +57,7 @@ dependencies {
 exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
 exclude group: 'io.grpc', module: 'grpc-context'
 exclude group: 'org.apache.httpcomponents', module: 'httpcore'
+ exclude group: 'junit', module: 'junit'
 }
 runtimeOnly libraries.httpcore
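Review bot: The relaxed `assertTrue(... || ...)` on `aud` in the PATCH 5/6 hunk has no failure message, so a failing run will not show which audience the library actually put in the JWT; assuming this is JUnit 4's `assertTrue(String, boolean)`, passing `"unexpected aud: " + payload.get("aud")` as the first argument fixes that. The comment above it says the library began stripping the grpc service name, but the newly accepted value `https://example.com/` has also lost the `:123` port, and since the audience is the claim that scopes the token the comment should state both. "For a while" has no owner either, so a `// TODO(<issue>): accept only the new audience once all users are on 0.25.2+` line would keep the dual acceptance from becoming permanent. The test method starts above the hunk.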