Address review

Author: josephnoir

Package.swift

@@ -71,7 +71,7 @@ let dependencies: [Package.Dependency] = [
 
 // This adds some build settings which allow us to map "@available(gRPCSwiftNIOTransport 2.x, *)" to
 // the appropriate OS platforms.
-let nextMinorVersion = 1
+let nextMinorVersion = 2
 let availabilitySettings: [SwiftSetting] = (0 ... nextMinorVersion).map { minor in
   let name = "gRPCSwiftNIOTransport"
   let version = "2.\(minor)"

Sources/GRPCNIOTransportHTTP2Posix/Config+TLS.swift

@@ -15,7 +15,7 @@
  */
 
 private import GRPCCore
-public import NIO
+public import NIOCore
 public import NIOCertificateReloading
 public import NIOSSL
 
@@ -170,10 +170,13 @@ extension HTTP2ServerTransport.Posix.TransportSecurity {
 
     /// Override the certificate verification with a custom callback that must return the verified certificate chain on success.
     /// Note: The callback is only used when `clientCertificateVerification` is *not* set to `noVerification`!
+    @available(gRPCSwiftNIOTransport 2.2, *)
     public var customVerificationCallback:
       (
-        @Sendable ([NIOSSLCertificate], EventLoopPromise<NIOSSLVerificationResultWithMetadata>) ->
-          Void
+        @Sendable (
+          _ certificates: [NIOSSLCertificate],
+          _ promise: EventLoopPromise<NIOSSLVerificationResultWithMetadata>
+        ) -> Void
       )?
 
     /// Create a new HTTP2 NIO Posix server transport TLS config.

Sources/GRPCNIOTransportHTTP2Posix/HTTP2ServerTransport+Posix.swift

@@ -67,12 +67,16 @@ extension HTTP2ServerTransport {
         serverQuiescingHelper: ServerQuiescingHelper
       ) async throws -> NIOAsyncChannel<AcceptedChannel, Never> {
         let sslContext: NIOSSLContext?
-        let tlsConfiguration: HTTP2ServerTransport.Posix.TransportSecurity.TLS?
+        let customVerificationCallback: (
+          @Sendable (
+            [NIOSSLCertificate], EventLoopPromise<NIOSSLVerificationResultWithMetadata>
+          ) -> Void
+        )?
 
         switch self.transportSecurity.wrapped {
         case .plaintext:
           sslContext = nil
-          tlsConfiguration = nil
+          customVerificationCallback = nil
         case .tls(let tlsConfig):
           do {
             sslContext = try NIOSSLContext(configuration: TLSConfiguration(tlsConfig))
@@ -83,7 +87,7 @@ extension HTTP2ServerTransport {
               cause: error
             )
           }
-          tlsConfiguration = tlsConfig
+          customVerificationCallback = tlsConfig.customVerificationCallback
         }
 
         let serverChannel = try await ServerBootstrap(group: eventLoopGroup)
@@ -102,7 +106,7 @@ extension HTTP2ServerTransport {
           .bind(to: address) { channel in
             channel.eventLoop.makeCompletedFuture {
               if let sslContext {
-                if let callback = tlsConfiguration?.customVerificationCallback {
+                if let callback = customVerificationCallback {
                   try channel.pipeline.syncOperations.addHandler(
                     NIOSSLServerHandler(
                       context: sslContext,
@@ -197,11 +201,10 @@ extension HTTP2ServerTransport {
     }
 
     public func listen(
-      streamHandler:
-        @escaping @Sendable (
-          _ stream: RPCStream<Inbound, Outbound>,
-          _ context: ServerContext
-        ) async -> Void
+      streamHandler: @escaping @Sendable (
+        _ stream: RPCStream<Inbound, Outbound>,
+        _ context: ServerContext
+      ) async -> Void
     ) async throws {
       try await self.underlyingTransport.listen(streamHandler: streamHandler)
     }

Tests/GRPCNIOTransportHTTP2Tests/HTTP2TransportTLSEnabledTests.swift

@@ -18,7 +18,7 @@ import Foundation
 import GRPCCore
 import GRPCNIOTransportHTTP2Posix
 import GRPCNIOTransportHTTP2TransportServices
-import NIO
+import NIOCore
 import NIOSSL
 import SwiftASN1
 import Testing
@@ -192,15 +192,18 @@ struct HTTP2TransportTLSEnabledTests {
   func testRPC_mTLS_customVerificationCallback_OK() async throws {
     // Create a new certificate chain that has 4 certificate/key pairs: root, intermediate, client, server
     let certificateChain = try CertificateChain()
+    let certificatesExpectedInCallback = [certificateChain.client.certificate]
     let filePaths = try certificateChain.writeToTemp()
+
     let clientConfig = self.makeMTLSClientConfig(
       certificatePath: filePaths.clientCert,
       keyPath: filePaths.clientKey,
       trustRootsPath: filePaths.trustRoots,
       serverHostname: CertificateChain.serverName
     )
-    let expectedCertificates = [certificateChain.client.certificate]
-    try await confirmation { confirmation in
+    
+    // The confirmation lets us check that the callback is used.
+    try await confirmation(expectedCount: 1) { confirmation in
       let serverConfig = self.makeMTLSServerConfigWithCallback(
         certificatePath: filePaths.serverCert,
         keyPath: filePaths.serverKey,
@@ -209,12 +212,15 @@ struct HTTP2TransportTLSEnabledTests {
         let presentedCertificates = certificates.map {
           try! Certificate(derEncoded: $0.toDERBytes())
         }
-        #expect(expectedCertificates == presentedCertificates)
+        #expect(certificatesExpectedInCallback == presentedCertificates)
+        // "Verify" the chain and set the certificate.
         promise.succeed(
           .certificateVerified(VerificationMetadata(ValidatedCertificateChain(certificates)))
         )
+        // This should be called once.
         confirmation.confirm()
       }
+
       // Run the test
       try await self.withClientAndServer(
         clientConfig: clientConfig,
@@ -234,14 +240,17 @@ struct HTTP2TransportTLSEnabledTests {
   {
     // Create a new certificate chain that has 4 certificate/key pairs: root, intermediate, client, server
     let certificateChain = try CertificateChain()
+    let certificatesExpectedInCallback = [certificateChain.client.certificate]
     let filePaths = try certificateChain.writeToTemp()
+
     let clientConfig = self.makeMTLSClientConfig(
       certificatePath: filePaths.clientCert,
       keyPath: filePaths.clientKey,
       trustRootsPath: filePaths.trustRoots,
       serverHostname: CertificateChain.serverName
     )
-    let expectedCertificates = [certificateChain.client.certificate]
+
+    // The confirmation lets us check that the callback is not used.
     try await confirmation(expectedCount: 0) { confirmation in
       let serverConfig = self.makeMTLSServerConfigWithCallback(
         certificatePath: filePaths.serverCert,
@@ -252,13 +261,15 @@ struct HTTP2TransportTLSEnabledTests {
         let presentedCertificates = certificates.map {
           try! Certificate(derEncoded: $0.toDERBytes())
         }
-        #expect(expectedCertificates == presentedCertificates)
+        #expect(certificatesExpectedInCallback == presentedCertificates)
+        // "Verify" the chain and set the certificate.
         promise.succeed(
           .certificateVerified(VerificationMetadata(ValidatedCertificateChain(certificates)))
         )
-        // We expect this never to be called. The call count should stay at 0.
+        // We expect this never to be called.
         confirmation()
       }
+
       // Run the test
       try await self.withClientAndServer(
         clientConfig: clientConfig,
@@ -277,14 +288,17 @@ struct HTTP2TransportTLSEnabledTests {
   func testRPC_mTLS_customVerificationCallback_Failure() async throws {
     // Create a new certificate chain that has 4 certificate/key pairs: root, intermediate, client, server
     let certificateChain = try CertificateChain()
+    let certificatesExpectedInCallback = [certificateChain.client.certificate]
     let filePaths = try certificateChain.writeToTemp()
+
     let clientConfig = self.makeMTLSClientConfig(
       certificatePath: filePaths.clientCert,
       keyPath: filePaths.clientKey,
       trustRootsPath: filePaths.trustRoots,
       serverHostname: CertificateChain.serverName
     )
-    let expectedCertificates = [certificateChain.client.certificate]
+
+    // The confirmation lets us check that the callback is used.
     await confirmation { confirmation in
       let serverConfig = self.makeMTLSServerConfigWithCallback(
         certificatePath: filePaths.serverCert,
@@ -294,11 +308,12 @@ struct HTTP2TransportTLSEnabledTests {
         let presentedCertificates = certificates.map {
           try! Certificate(derEncoded: $0.toDERBytes())
         }
-        #expect(expectedCertificates == presentedCertificates)
+        #expect(certificatesExpectedInCallback == presentedCertificates)
         // We are failing the certificate check here by propagating ".failed"!
         promise.succeed(.failed)
         confirmation.confirm()
       }
+
       // Run the test
       await #expect {
         try await self.withClientAndServer(
@@ -308,13 +323,15 @@ struct HTTP2TransportTLSEnabledTests {
           try await self.executeUnaryRPC(control: control)
         }
       } throws: { error in
+        // Check root error ...
         let rootError = try #require(error as? RPCError)
         #expect(rootError.code == .unavailable)
-
         #expect(
           rootError.message
             == "The server accepted the TCP connection but closed the connection before completing the HTTP/2 connection preface."
         )
+
+        // ... and the its cause.
         let sslError = try #require(rootError.cause as? BoringSSLError)
         switch sslError {
         case .sslError: