Open acidghost opened 5 years ago
@acidghost this seems pretty reasonable to me. let me see if I can pull in our local expert too. would you be interested in making this PR if we approve it?
@mosesn for sure I can try to tackle it! I already have an idea (or at least I think I do) of the parts that need to be changed (com.twitter.finagle.netty4.ssl.server.SslServerVerificationHandler
and com.twitter.finagle.netty3.ssl.server.SslServerConnectHandler
).
Hi @acidghost. This is a very reasonable change, and I think it improves the existing functionality. We didn't make it Future
-based originally because we didn't need the functionality based on how our credentials and authorization metadata are distributed internally.
My only request here would be to try to do the client side as well at the same time. I would like the two APIs to stay in sync. Thanks.
@acidghost alright, go for it!
In cases where the
SslServerSessionVerifier
needs the result of aFuture
before returning aBoolean
, the user is required to block (Await
).Expected behavior
Ideally
SslServerSessionVerifier.apply
should return aFuture[Boolean]
so that the user is not required toAwait
for a future value and the netty thread doesn't block.Actual behavior
Suppose
SslServerSessionVerifier.apply
makes a call to an external service (e.g. a finagle HTTP client) and needs data from the reply in order to verify the SSL session. In this case the user is required toAwait.result
over that future in order to return a plainBoolean
.Steps to reproduce the behavior
Here's a toy project: https://github.com/acidghost/microservices-finagle/blob/56f9e50fb24b9a7a81f28ef9d177112df5ec5c2f/users/src/main/scala/users/Main.scala#L47. In the code,
consul.authorize
parses the peer certificate with BouncyCastle and then makes an HTTP request to the local consul agent (https://www.consul.io/docs/connect/native.html) using a finagle HTTP client.