transport: set and respect HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE

[lyuxuan]

• Add DialOption(WithMaxHeaderListSize) and ServerOption(MaxHeaderListSize) to set the max header list size that peer should respect. Configuring these two options results in sending the SETTINGS_MAX_HEADER_LIST_SIZE setting inside the initial settings frame. And at the same time, the framer is configured to omit header fields after peer's header list size hitting the limit.
  Note: framer uses the max header list size to configure hpack decoder max string length( link). While a stream exceeding the header list size limit leads to reset stream, exceeding the max string length for hpack decoder will lead to connection close.

• Issues:

  • 8KB defualt limit will potentially break some users, however, other languages implementation all enforce this limit. Our current implicit setting is 16MB (by golang http2 package), and I am setting that explicitly now.

  • As suggested here, https://http2.github.io/http2-spec/#rfc.section.10.5.1, it is better to send a HTTP 431 code rather than a reset stream, as peer will know better about what is happening.

  • A potential behavior change for user who sends >16MB metadata: before we return truncated metadata silently, now we will fail the RPC. It's a bug fix.

fix #1291

[MakMukhi]

How about if we just take address of s, since it's already a copy?

[lyuxuan]

done

[MakMukhi]

Same thing here.

[lyuxuan]

done

[MakMukhi]

if e.httpHandler {

[lyuxuan]

done

[MakMukhi]

Should we put all connection-level defaults together? They all live here right now https://github.com/grpc/grpc-go/blob/master/transport/flowcontrol.go#L50 but I don't think some of them belong in a file called flowcontrol.go

[lyuxuan]

Yeah, I was considering whether the default should be inside flowcontol.go, and decided that probably not. How about I go ahead and make a defaults.go to have all the defaults in one place?

[MakMukhi]

Should we update createHeaderFields to record the total size so that we don't have to loop over all fields again?

[lyuxuan]

It will benefit users that their peers enforce a header list size limit, but will add overhead to the case that peers don't have a limit.

[MakMukhi]

decodeResponseHeader is supposed to be used on the client side. Perhaps, rename the function to something more appropriate since it's being used on the server as well.

[MakMukhi]

Alternatively, add the if frame.Truncated check right at the beginning of this function itself.

[lyuxuan]

Changed to decodeHeader.
Tried to move if frame.Truncated, but it seems to only save an declaration for a decodeState variable, but complicates the code substantially, e.g. add redundant code for error handling, have to specialize for server and client.

[MakMukhi]

Is it better to return an error or merely log it and still try and parse the header that we got?

[lyuxuan]

The header would be incomplete and I am not sure what will happen if we return an incomplete header to grpc and the user.

[MakMukhi]

Should we also do this check while writing trailer?

[lyuxuan]

Yes, I think we should. I was under the wrong impression that WriteHeader is the centralized space for both headers and trailers.

[MakMukhi]

Same thing; perhaps the headerFrame should have a field to record size.

[lyuxuan]

Adding a size field would add overhead to non limit case.

[MakMukhi]

Only relevant to the server side: Should Framer.MaxHeaderListSize be set only after fist settings' ack is received?
The other side might start with an unlimited MaxHeaderListSize(https://tools.ietf.org/html/rfc7540#section-6.5.2) and start sending header frames before our settings frame is received by it.

[lyuxuan]

Yes, I would like to do that in a separate PR, as things like max concurrent streams may also need this behavior.

[lyuxuan]

Offline discussion decides that at current stage, enforcement after ack will not be necessary and add complexity to the code.

[MakMukhi]

executeAndPut has this check because put calls it with a nil argument.