chore: preserve default TLS authority for bypass-routed channels

[rahul2393]

Bypass with mTLS was creating new per-endpoint channels using the routed
endpoint as authority, which broke TLS/SNI when all routed endpoints were
expected to present the same host identity as the original endpoint.

Update GrpcChannelEndpointCache so channels created via withEndpoint(...)
reuse the default channel authority by applying overrideAuthority(defaultAuthority)
to each routed channel builder.

[rahul2393]

/gemini summary

[gemini-code-assist]

Summary of Changes

This pull request addresses a critical mTLS issue in the GrpcChannelEndpointCache where dynamically created channels for bypass-routed endpoints were incorrectly using the routed endpoint's authority instead of the default. The changes ensure that all such channels consistently apply the original default TLS authority, thereby restoring proper TLS/SNI functionality and preventing connection failures in mTLS environments.

Highlights

• mTLS/SNI Fix: Resolved an issue where bypass-routed channels incorrectly used the routed endpoint as the TLS authority, leading to TLS/SNI failures.
• Default TLS Authority Preservation: Modified GrpcChannelEndpointCache to ensure that channels created for routed endpoints explicitly reuse the default channel authority, maintaining consistent host identity.

Changelog

• google-cloud-spanner/src/main/java/com/google/cloud/spanner/spi/v1/GrpcChannelEndpointCache.java
  • Introduced a new private field defaultAuthority to store the initial channel's authority.
  • Modified the channel creation logic to explicitly override the authority of new channels with the stored defaultAuthority.
  • Added a helper method createProviderWithAuthorityOverride to encapsulate the logic for applying the authority override.
• google-cloud-spanner/src/test/java/com/google/cloud/spanner/spi/v1/GrpcChannelEndpointCacheTest.java
  • Added a new test case routedChannelsReuseDefaultAuthority to verify that routed channels correctly inherit the default authority.

Activity

• gemini-code-assist[bot] provided an initial summary of changes.
• rahul2393 requested a summary using /gemini summary.

[rahul2393]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a mechanism to ensure that routed gRPC channels reuse the default authority. A new defaultAuthority field is added to GrpcChannelEndpointCache, and a createProviderWithAuthorityOverride method is implemented to override the channel builder's authority for non-default endpoints. A new test case routedChannelsReuseDefaultAuthority verifies this behavior. The reviewer suggests improving the readability and conciseness of the lambda logic within the createProviderWithAuthorityOverride method by importing ApiFunction and simplifying the channelBuilder reassignment.

[gemini-code-assist]

This new logic can be made more readable and concise with a couple of small improvements:

1. Instead of using the fully qualified name for ApiFunction, it's better to add an import at the top of the file (import com.google.api.core.ApiFunction;) and use the simple name.
2. The lambda body can be simplified by reassigning channelBuilder directly, which removes the need for the effectiveBuilder variable.

Here's a suggestion that applies both improvements:

    final com.google.api.core.ApiFunction<ManagedChannelBuilder, ManagedChannelBuilder>
        baseConfigurator = builder.getChannelConfigurator();
    builder.setChannelConfigurator(
        channelBuilder -> {
          if (baseConfigurator != null) {
            channelBuilder = baseConfigurator.apply(channelBuilder);
          }
          return channelBuilder.overrideAuthority(defaultAuthority);
        });

[rahul2393]

Valid style suggestion, but not a functional issue. The current code is correct, and using effectiveBuilder is an acceptable readability choice. This should be downgraded to a nit, not medium severity.