grpc-js: ensure tls connection is used when requested

grpc · Apr 18, 2020 · 2c5a8b1 · 2c5a8b1
1 parent 4e61f21
commit 2c5a8b1
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 17 deletions.
diff --git a/packages/grpc-js/src/http_proxy.ts b/packages/grpc-js/src/http_proxy.ts
@@ -18,11 +18,12 @@
 import { URL } from 'url';
 import { log } from './logging';
 import { LogVerbosity } from './constants';
+import { getDefaultAuthority } from './resolver';
 import { parseTarget } from './resolver-dns';
 import { Socket } from 'net';
 import * as http from 'http';
 import * as http2 from 'http2';
-import * as tls from 'tls'
+import * as tls from 'tls';
 import * as logging from './logging';
 import {
   SubchannelAddress,
@@ -205,15 +206,23 @@ export function getProxiedConnection(
             ' through proxy ' +
             proxyAddressString
         );
-        var cts = tls.connect({
-            ...connectionOptions,
-            socket: socket
-        }, function () {
+        // The proxy is connecting to a TLS server, so upgrade
+        // this socket connection to a TLS connection.
+        if ('secureContext' in connectionOptions) {
+          const cts = tls.connect({
+              ...connectionOptions,
+              host: getDefaultAuthority(realTarget),
+              socket: socket,
+            }, () => {
+              resolve({ socket: cts, realTarget });
+            }
+          );
+        } else {
           resolve({
-            socket: cts,
+            socket,
             realTarget,
           });
-        });
+        }
       } else {
         log(
           LogVerbosity.ERROR,

diff --git a/packages/grpc-js/src/subchannel.ts b/packages/grpc-js/src/subchannel.ts
@@ -28,6 +28,7 @@ import * as logging from './logging';
 import { LogVerbosity } from './constants';
 import { getProxiedConnection, ProxyConnectionResult } from './http_proxy';
 import * as net from 'net';
+import * as tls from 'tls';
 
 const clientVersion = require('../../package.json').version;
 
@@ -299,23 +300,22 @@ export class Subchannel {
         };
         connectionOptions.servername = sslTargetNameOverride;
       }
-      if (proxyConnectionResult.socket) {
-        connectionOptions.socket = proxyConnectionResult.socket;
-      }
     }
     /* In all but the most recent versions of Node, http2.connect does not use
      * the options when establishing plaintext connections, so we need to
      * establish that connection explicitly. */
     connectionOptions.createConnection = (authority, option) => {
       if (proxyConnectionResult.socket) {
         return proxyConnectionResult.socket;
-      } else {
-        /* net.NetConnectOpts is declared in a way that is more restrictive
-         * than what net.connect will actually accept, so we use the type
-         * assertion to work around that. */
-        return net.connect(this.subchannelAddress);
+      } else if ('secureContext' in connectionOptions) {
+        return tls.connect(this.subchannelAddress);
       }
+      /* net.NetConnectOpts is declared in a way that is more restrictive
+       * than what net.connect will actually accept, so we use the type
+       * assertion to work around that. */
+      return net.connect(this.subchannelAddress);
     };
+
     connectionOptions = Object.assign(
       connectionOptions,
       this.subchannelAddress
@@ -411,7 +411,7 @@ export class Subchannel {
   }
 
   private startConnectingInternal() {
-    let connectionOptions: http2.SecureClientSessionOptions =
+    const connectionOptions: http2.SecureClientSessionOptions =
       this.credentials._getConnectionOptions() || {};
 
     if ('secureContext' in connectionOptions) {
@@ -432,7 +432,11 @@ export class Subchannel {
       }
     }
 
-    getProxiedConnection(this.subchannelAddress, this.options, connectionOptions).then(
+    getProxiedConnection(
+      this.subchannelAddress,
+      this.options,
+      connectionOptions
+    ).then(
       (result) => {
         this.createSession(result);
       },