diff --git a/xds/src/main/java/io/grpc/xds/Bootstrapper.java b/xds/src/main/java/io/grpc/xds/Bootstrapper.java index 08d11d174d..e1ba4aa176 100644 --- a/xds/src/main/java/io/grpc/xds/Bootstrapper.java +++ b/xds/src/main/java/io/grpc/xds/Bootstrapper.java @@ -84,7 +84,8 @@ public abstract class Bootstrapper { private final String pluginName; private final Map config; - CertificateProviderInfo(String pluginName, Map config) { + @VisibleForTesting + public CertificateProviderInfo(String pluginName, Map config) { this.pluginName = checkNotNull(pluginName, "pluginName"); this.config = checkNotNull(config, "config"); } @@ -135,8 +136,9 @@ public abstract class Bootstrapper { } /** Returns the cert-providers config map. */ + @Nullable public Map getCertProviders() { - return Collections.unmodifiableMap(certProviders); + return certProviders == null ? null : Collections.unmodifiableMap(certProviders); } @Nullable diff --git a/xds/src/main/java/io/grpc/xds/ClientXdsClient.java b/xds/src/main/java/io/grpc/xds/ClientXdsClient.java index 93bfeb36b3..47e73d1126 100644 --- a/xds/src/main/java/io/grpc/xds/ClientXdsClient.java +++ b/xds/src/main/java/io/grpc/xds/ClientXdsClient.java @@ -266,14 +266,20 @@ final class ClientXdsClient extends AbstractXdsClient { private LdsUpdate processServerSideListener( Listener proto, Set rdsResources, boolean parseHttpFilter) throws ResourceInvalidException { + Set certProviderInstances = null; + if (getBootstrapInfo() != null && getBootstrapInfo().getCertProviders() != null) { + certProviderInstances = getBootstrapInfo().getCertProviders().keySet(); + } return LdsUpdate.forTcpListener(parseServerSideListener( - proto, rdsResources, tlsContextManager, filterRegistry, parseHttpFilter)); + proto, rdsResources, tlsContextManager, filterRegistry, certProviderInstances, + parseHttpFilter)); } @VisibleForTesting static EnvoyServerProtoData.Listener parseServerSideListener( Listener proto, Set rdsResources, TlsContextManager tlsContextManager, - FilterRegistry filterRegistry, boolean parseHttpFilter) throws ResourceInvalidException { + FilterRegistry filterRegistry, Set certProviderInstances, boolean parseHttpFilter) + throws ResourceInvalidException { if (!proto.getTrafficDirection().equals(TrafficDirection.INBOUND)) { throw new ResourceInvalidException( "Listener " + proto.getName() + " with invalid traffic direction: " @@ -309,13 +315,13 @@ final class ClientXdsClient extends AbstractXdsClient { for (io.envoyproxy.envoy.config.listener.v3.FilterChain fc : proto.getFilterChainsList()) { filterChains.add( parseFilterChain(fc, rdsResources, tlsContextManager, filterRegistry, uniqueSet, - parseHttpFilter)); + certProviderInstances, parseHttpFilter)); } FilterChain defaultFilterChain = null; if (proto.hasDefaultFilterChain()) { defaultFilterChain = parseFilterChain( proto.getDefaultFilterChain(), rdsResources, tlsContextManager, filterRegistry, - null, parseHttpFilter); + null, certProviderInstances, parseHttpFilter); } return new EnvoyServerProtoData.Listener( @@ -326,7 +332,7 @@ final class ClientXdsClient extends AbstractXdsClient { static FilterChain parseFilterChain( io.envoyproxy.envoy.config.listener.v3.FilterChain proto, Set rdsResources, TlsContextManager tlsContextManager, FilterRegistry filterRegistry, - Set uniqueSet, boolean parseHttpFilters) + Set uniqueSet, Set certProviderInstances, boolean parseHttpFilters) throws ResourceInvalidException { io.grpc.xds.HttpConnectionManager httpConnectionManager = null; HashSet uniqueNames = new HashSet<>(); @@ -380,7 +386,7 @@ final class ClientXdsClient extends AbstractXdsClient { } downstreamTlsContext = EnvoyServerProtoData.DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( - validateDownstreamTlsContext(downstreamTlsContextProto)); + validateDownstreamTlsContext(downstreamTlsContextProto, certProviderInstances)); } String name = proto.getName(); @@ -399,13 +405,12 @@ final class ClientXdsClient extends AbstractXdsClient { } @VisibleForTesting - static io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - validateDownstreamTlsContext( - io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - downstreamTlsContext) + static DownstreamTlsContext validateDownstreamTlsContext( + DownstreamTlsContext downstreamTlsContext, Set certProviderInstances) throws ResourceInvalidException { if (downstreamTlsContext.hasCommonTlsContext()) { - validateCommonTlsContext(downstreamTlsContext.getCommonTlsContext(), true); + validateCommonTlsContext(downstreamTlsContext.getCommonTlsContext(), certProviderInstances, + true); } else { throw new ResourceInvalidException( "common-tls-context is required in downstream-tls-context"); @@ -414,22 +419,6 @@ final class ClientXdsClient extends AbstractXdsClient { throw new ResourceInvalidException( "downstream-tls-context with require-sni is not supported"); } - if (downstreamTlsContext.hasSessionTicketKeys()) { - throw new ResourceInvalidException( - "downstream-tls-context with session_ticket_keys is not supported"); - } - if (downstreamTlsContext.hasSessionTicketKeysSdsSecretConfig()) { - throw new ResourceInvalidException( - "downstream-tls-context with session_ticket_keys_sds_secret_config is not supported"); - } - if (downstreamTlsContext.hasDisableStatelessSessionResumption()) { - throw new ResourceInvalidException( - "downstream-tls-context with disable_stateless_session_resumption is not supported"); - } - if (downstreamTlsContext.hasSessionTimeout()) { - throw new ResourceInvalidException( - "downstream-tls-context with session_timeout is not supported"); - } DownstreamTlsContext.OcspStaplePolicy ocspStaplePolicy = downstreamTlsContext .getOcspStaplePolicy(); if (ocspStaplePolicy != DownstreamTlsContext.OcspStaplePolicy.UNRECOGNIZED @@ -444,30 +433,22 @@ final class ClientXdsClient extends AbstractXdsClient { @VisibleForTesting static io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext validateUpstreamTlsContext( - io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext upstreamTlsContext) + io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext upstreamTlsContext, + Set certProviderInstances) throws ResourceInvalidException { if (upstreamTlsContext.hasCommonTlsContext()) { - validateCommonTlsContext(upstreamTlsContext.getCommonTlsContext(), false); + validateCommonTlsContext(upstreamTlsContext.getCommonTlsContext(), certProviderInstances, + false); } else { throw new ResourceInvalidException("common-tls-context is required in upstream-tls-context"); } - if (!Strings.isNullOrEmpty(upstreamTlsContext.getSni())) { - throw new ResourceInvalidException("upstream-tls-context with sni is not supported"); - } - if (upstreamTlsContext.getAllowRenegotiation()) { - throw new ResourceInvalidException( - "upstream-tls-context with allow_renegotiation is not supported"); - } - if (upstreamTlsContext.hasMaxSessionKeys()) { - throw new ResourceInvalidException( - "upstream-tls-context with max_session_keys is not supported"); - } return upstreamTlsContext; } @VisibleForTesting static void validateCommonTlsContext( - CommonTlsContext commonTlsContext, boolean server) throws ResourceInvalidException { + CommonTlsContext commonTlsContext, Set certProviderInstances, boolean server) + throws ResourceInvalidException { if (commonTlsContext.hasCustomHandshaker()) { throw new ResourceInvalidException( "common-tls-context with custom_handshaker is not supported"); @@ -492,6 +473,7 @@ final class ClientXdsClient extends AbstractXdsClient { "common-tls-context with validation_context_certificate_provider_instance is not" + " supported"); } + String certInstanceName = null; if (!commonTlsContext.hasTlsCertificateCertificateProviderInstance()) { if (server) { throw new ResourceInvalidException( @@ -509,7 +491,18 @@ final class ClientXdsClient extends AbstractXdsClient { throw new ResourceInvalidException( "common-tls-context with tls_certificate_certificate_provider is not supported"); } + } else { + certInstanceName = commonTlsContext.getTlsCertificateCertificateProviderInstance() + .getInstanceName(); } + if (certInstanceName != null) { + if (certProviderInstances == null || !certProviderInstances.contains(certInstanceName)) { + throw new ResourceInvalidException( + "CertificateProvider instance name '" + certInstanceName + + "' not defined in the bootstrap file."); + } + } + String rootCaInstanceName = null; if (!commonTlsContext.hasCombinedValidationContext()) { if (!server) { throw new ResourceInvalidException( @@ -523,6 +516,8 @@ final class ClientXdsClient extends AbstractXdsClient { "validation_context_certificate_provider_instance is required in" + " combined_validation_context"); } + rootCaInstanceName = combinedCertificateValidationContext + .getValidationContextCertificateProviderInstance().getInstanceName(); if (combinedCertificateValidationContext.hasDefaultValidationContext()) { CertificateValidationContext certificateValidationContext = combinedCertificateValidationContext.getDefaultValidationContext(); @@ -530,14 +525,6 @@ final class ClientXdsClient extends AbstractXdsClient { throw new ResourceInvalidException( "match_subject_alt_names only allowed in upstream_tls_context"); } - if (certificateValidationContext.hasTrustedCa()) { - throw new ResourceInvalidException( - "trusted_ca in default_validation_context is not supported"); - } - if (certificateValidationContext.hasWatchedDirectory()) { - throw new ResourceInvalidException( - "watched_directory in default_validation_context is not supported"); - } if (certificateValidationContext.getVerifyCertificateSpkiCount() > 0) { throw new ResourceInvalidException( "verify_certificate_spki in default_validation_context is not supported"); @@ -554,23 +541,19 @@ final class ClientXdsClient extends AbstractXdsClient { if (certificateValidationContext.hasCrl()) { throw new ResourceInvalidException("crl in default_validation_context is not supported"); } - if (certificateValidationContext.getAllowExpiredCertificate()) { - throw new ResourceInvalidException( - "allow_expired_certificate in default_validation_context is not supported"); - } - CertificateValidationContext.TrustChainVerification trustChainVerification - = certificateValidationContext.getTrustChainVerification(); - if (trustChainVerification - != CertificateValidationContext.TrustChainVerification.VERIFY_TRUST_CHAIN) { - throw new ResourceInvalidException( - "Only VERIFY_TRUST_CHAIN for trust_chain_verification supported"); - } if (certificateValidationContext.hasCustomValidatorConfig()) { throw new ResourceInvalidException( "custom_validator_config in default_validation_context is not supported"); } } } + if (rootCaInstanceName != null) { + if (certProviderInstances == null || !certProviderInstances.contains(rootCaInstanceName)) { + throw new ResourceInvalidException( + "ValidationContextProvider instance name '" + rootCaInstanceName + + "' not defined in the bootstrap file."); + } + } } private static void checkForUniqueness(Set uniqueSet, @@ -1397,7 +1380,11 @@ final class ClientXdsClient extends AbstractXdsClient { // Process Cluster into CdsUpdate. CdsUpdate cdsUpdate; try { - cdsUpdate = parseCluster(cluster, retainedEdsResources); + Set certProviderInstances = null; + if (getBootstrapInfo() != null && getBootstrapInfo().getCertProviders() != null) { + certProviderInstances = getBootstrapInfo().getCertProviders().keySet(); + } + cdsUpdate = parseCluster(cluster, retainedEdsResources, certProviderInstances); } catch (ResourceInvalidException e) { errors.add( "CDS response Cluster '" + clusterName + "' validation error: " + e.getMessage()); @@ -1426,12 +1413,14 @@ final class ClientXdsClient extends AbstractXdsClient { } @VisibleForTesting - static CdsUpdate parseCluster(Cluster cluster, Set retainedEdsResources) + static CdsUpdate parseCluster(Cluster cluster, Set retainedEdsResources, + Set certProviderInstances) throws ResourceInvalidException { StructOrError structOrError; switch (cluster.getClusterDiscoveryTypeCase()) { case TYPE: - structOrError = parseNonAggregateCluster(cluster, retainedEdsResources); + structOrError = parseNonAggregateCluster(cluster, retainedEdsResources, + certProviderInstances); break; case CLUSTER_TYPE: structOrError = parseAggregateCluster(cluster); @@ -1494,7 +1483,7 @@ final class ClientXdsClient extends AbstractXdsClient { } private static StructOrError parseNonAggregateCluster( - Cluster cluster, Set edsResources) { + Cluster cluster, Set edsResources, Set certProviderInstances) { String clusterName = cluster.getName(); String lrsServerName = null; Long maxConcurrentRequests = null; @@ -1517,6 +1506,10 @@ final class ClientXdsClient extends AbstractXdsClient { } } } + if (cluster.getTransportSocketMatchesCount() > 0) { + return StructOrError.fromError("Cluster " + clusterName + + ": transport-socket-matches not supported."); + } if (cluster.hasTransportSocket()) { if (!TRANSPORT_SOCKET_NAME_TLS.equals(cluster.getTransportSocket().getName())) { return StructOrError.fromError("transport-socket with name " @@ -1527,7 +1520,8 @@ final class ClientXdsClient extends AbstractXdsClient { validateUpstreamTlsContext( unpackCompatibleType(cluster.getTransportSocket().getTypedConfig(), io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext.class, - TYPE_URL_UPSTREAM_TLS_CONTEXT, TYPE_URL_UPSTREAM_TLS_CONTEXT_V2))); + TYPE_URL_UPSTREAM_TLS_CONTEXT, TYPE_URL_UPSTREAM_TLS_CONTEXT_V2), + certProviderInstances)); } catch (InvalidProtocolBufferException | ResourceInvalidException e) { return StructOrError.fromError( "Cluster " + clusterName + ": malformed UpstreamTlsContext: " + e); diff --git a/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderClientSslContextProvider.java index 1dc7be1be3..2ee21e7db6 100644 --- a/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderClientSslContextProvider.java +++ b/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderClientSslContextProvider.java @@ -32,6 +32,7 @@ import io.netty.handler.ssl.SslContextBuilder; import java.security.cert.CertStoreException; import java.security.cert.X509Certificate; import java.util.Map; +import javax.annotation.Nullable; /** A client SslContext provider using CertificateProviderInstance to fetch secrets. */ @Internal @@ -39,7 +40,7 @@ public final class CertProviderClientSslContextProvider extends CertProviderSslC private CertProviderClientSslContextProvider( Node node, - Map certProviders, + @Nullable Map certProviders, CommonTlsContext.CertificateProviderInstance certInstance, CommonTlsContext.CertificateProviderInstance rootCertInstance, CertificateValidationContext staticCertValidationContext, @@ -90,7 +91,7 @@ public final class CertProviderClientSslContextProvider extends CertProviderSslC public CertProviderClientSslContextProvider getProvider( UpstreamTlsContext upstreamTlsContext, Node node, - Map certProviders) { + @Nullable Map certProviders) { checkNotNull(upstreamTlsContext, "upstreamTlsContext"); CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext(); CommonTlsContext.CertificateProviderInstance rootCertInstance = null; diff --git a/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderServerSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderServerSslContextProvider.java index 78e825f60f..1f33e1de78 100644 --- a/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderServerSslContextProvider.java +++ b/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderServerSslContextProvider.java @@ -35,6 +35,7 @@ import java.security.cert.CertStoreException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Map; +import javax.annotation.Nullable; /** A server SslContext provider using CertificateProviderInstance to fetch secrets. */ @Internal @@ -42,7 +43,7 @@ public final class CertProviderServerSslContextProvider extends CertProviderSslC private CertProviderServerSslContextProvider( Node node, - Map certProviders, + @Nullable Map certProviders, CommonTlsContext.CertificateProviderInstance certInstance, CommonTlsContext.CertificateProviderInstance rootCertInstance, CertificateValidationContext staticCertValidationContext, @@ -93,7 +94,7 @@ public final class CertProviderServerSslContextProvider extends CertProviderSslC public CertProviderServerSslContextProvider getProvider( DownstreamTlsContext downstreamTlsContext, Node node, - Map certProviders) { + @Nullable Map certProviders) { checkNotNull(downstreamTlsContext, "downstreamTlsContext"); CommonTlsContext commonTlsContext = downstreamTlsContext.getCommonTlsContext(); CommonTlsContext.CertificateProviderInstance rootCertInstance = null; diff --git a/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderSslContextProvider.java index eef5ee551e..1af9e1670d 100644 --- a/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderSslContextProvider.java +++ b/xds/src/main/java/io/grpc/xds/internal/certprovider/CertProviderSslContextProvider.java @@ -42,7 +42,7 @@ abstract class CertProviderSslContextProvider extends DynamicSslContextProvider protected CertProviderSslContextProvider( Node node, - Map certProviders, + @Nullable Map certProviders, CertificateProviderInstance certInstance, CertificateProviderInstance rootCertInstance, CertificateValidationContext staticCertValidationContext, @@ -56,8 +56,8 @@ abstract class CertProviderSslContextProvider extends DynamicSslContextProvider certInstanceName = certInstance.getInstanceName(); CertificateProviderInfo certProviderInstanceConfig = getCertProviderConfig(certProviders, certInstanceName); - certHandle = - certificateProviderStore.createOrGetProvider( + certHandle = certProviderInstanceConfig == null ? null + : certificateProviderStore.createOrGetProvider( certInstance.getCertificateName(), certProviderInstanceConfig.getPluginName(), certProviderInstanceConfig.getConfig(), @@ -71,8 +71,8 @@ abstract class CertProviderSslContextProvider extends DynamicSslContextProvider && !rootCertInstance.getInstanceName().equals(certInstanceName)) { CertificateProviderInfo certProviderInstanceConfig = getCertProviderConfig(certProviders, rootCertInstance.getInstanceName()); - rootCertHandle = - certificateProviderStore.createOrGetProvider( + rootCertHandle = certProviderInstanceConfig == null ? null + : certificateProviderStore.createOrGetProvider( rootCertInstance.getCertificateName(), certProviderInstanceConfig.getPluginName(), certProviderInstanceConfig.getConfig(), @@ -84,8 +84,8 @@ abstract class CertProviderSslContextProvider extends DynamicSslContextProvider } private static CertificateProviderInfo getCertProviderConfig( - Map certProviders, String pluginInstanceName) { - return certProviders.get(pluginInstanceName); + @Nullable Map certProviders, String pluginInstanceName) { + return certProviders != null ? certProviders.get(pluginInstanceName) : null; } @Override diff --git a/xds/src/test/java/io/grpc/xds/ClientXdsClientDataTest.java b/xds/src/test/java/io/grpc/xds/ClientXdsClientDataTest.java index 60ce2befe4..77320be9d2 100644 --- a/xds/src/test/java/io/grpc/xds/ClientXdsClientDataTest.java +++ b/xds/src/test/java/io/grpc/xds/ClientXdsClientDataTest.java @@ -19,9 +19,9 @@ package io.grpc.xds; import static com.google.common.truth.Truth.assertThat; import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; import com.google.protobuf.Any; import com.google.protobuf.BoolValue; -import com.google.protobuf.Duration; import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.StringValue; import com.google.protobuf.UInt32Value; @@ -46,7 +46,6 @@ import io.envoyproxy.envoy.config.core.v3.SocketAddress; import io.envoyproxy.envoy.config.core.v3.TrafficDirection; import io.envoyproxy.envoy.config.core.v3.TransportSocket; import io.envoyproxy.envoy.config.core.v3.TypedExtensionConfig; -import io.envoyproxy.envoy.config.core.v3.WatchedDirectory; import io.envoyproxy.envoy.config.endpoint.v3.Endpoint; import io.envoyproxy.envoy.config.listener.v3.Filter; import io.envoyproxy.envoy.config.listener.v3.FilterChain; @@ -86,7 +85,6 @@ import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsCont import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsParameters; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsSessionTicketKeys; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext; import io.envoyproxy.envoy.type.matcher.v3.RegexMatchAndSubstitute; import io.envoyproxy.envoy.type.matcher.v3.RegexMatcher; @@ -1130,7 +1128,7 @@ public class ClientXdsClientDataTest { .setLbPolicy(LbPolicy.RING_HASH) .build(); - CdsUpdate update = ClientXdsClient.parseCluster(cluster, new HashSet()); + CdsUpdate update = ClientXdsClient.parseCluster(cluster, new HashSet(), null); assertThat(update.lbPolicy()).isEqualTo(CdsUpdate.LbPolicy.RING_HASH); assertThat(update.minRingSize()) .isEqualTo(ClientXdsClient.DEFAULT_RING_HASH_LB_POLICY_MIN_RING_SIZE); @@ -1138,6 +1136,28 @@ public class ClientXdsClientDataTest { .isEqualTo(ClientXdsClient.DEFAULT_RING_HASH_LB_POLICY_MAX_RING_SIZE); } + @Test + public void parseCluster_transportSocketMatches_exception() throws ResourceInvalidException { + Cluster cluster = Cluster.newBuilder() + .setName("cluster-foo.googleapis.com") + .setType(DiscoveryType.EDS) + .setEdsClusterConfig( + EdsClusterConfig.newBuilder() + .setEdsConfig( + ConfigSource.newBuilder() + .setAds(AggregatedConfigSource.getDefaultInstance())) + .setServiceName("service-foo.googleapis.com")) + .setLbPolicy(LbPolicy.ROUND_ROBIN) + .addTransportSocketMatches( + Cluster.TransportSocketMatch.newBuilder().setName("match1").build()) + .build(); + + thrown.expect(ResourceInvalidException.class); + thrown.expectMessage( + "Cluster cluster-foo.googleapis.com: transport-socket-matches not supported."); + ClientXdsClient.parseCluster(cluster, new HashSet(), null); + } + @Test public void parseCluster_ringHashLbPolicy_invalidRingSizeConfig_minGreaterThanMax() throws ResourceInvalidException { @@ -1160,7 +1180,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("Cluster cluster-foo.googleapis.com: invalid ring_hash_lb_config"); - ClientXdsClient.parseCluster(cluster, new HashSet()); + ClientXdsClient.parseCluster(cluster, new HashSet(), null); } @Test @@ -1187,7 +1207,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("Cluster cluster-foo.googleapis.com: invalid ring_hash_lb_config"); - ClientXdsClient.parseCluster(cluster, new HashSet()); + ClientXdsClient.parseCluster(cluster, new HashSet(), null); } @Test @@ -1200,7 +1220,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("Listener listener1 with invalid traffic direction: OUTBOUND"); ClientXdsClient.parseServerSideListener( - listener, new HashSet(), null, filterRegistry, true /* does not matter */); + listener, new HashSet(), null, filterRegistry, null, true /* does not matter */); } @Test @@ -1214,7 +1234,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("Listener listener1 cannot have listener_filters"); ClientXdsClient.parseServerSideListener( - listener, new HashSet(), null, filterRegistry, true /* does not matter */); + listener, new HashSet(), null, filterRegistry, null, true /* does not matter */); } @Test @@ -1228,7 +1248,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("Listener listener1 cannot have use_original_dst set to true"); ClientXdsClient.parseServerSideListener( - listener, new HashSet(), null, filterRegistry, true /* does not matter */); + listener, new HashSet(), null, filterRegistry, null, true /* does not matter */); } @Test @@ -1275,7 +1295,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("Found duplicate matcher:"); ClientXdsClient.parseServerSideListener( - listener, new HashSet(), null, filterRegistry, true /* does not matter */); + listener, new HashSet(), null, filterRegistry, null, true /* does not matter */); } @Test @@ -1322,7 +1342,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("Found duplicate matcher:"); ClientXdsClient.parseServerSideListener( - listener, new HashSet(), null, filterRegistry, true /* does not matter */); + listener, new HashSet(), null, filterRegistry, null, true /* does not matter */); } @Test @@ -1369,7 +1389,7 @@ public class ClientXdsClientDataTest { .addAllFilterChains(Arrays.asList(filterChain1, filterChain2)) .build(); ClientXdsClient.parseServerSideListener( - listener, new HashSet(), null, filterRegistry, true /* does not matter */); + listener, new HashSet(), null, filterRegistry, null, true /* does not matter */); } @Test @@ -1384,7 +1404,8 @@ public class ClientXdsClientDataTest { thrown.expectMessage( "FilterChain filter-chain-foo missing required HttpConnectionManager filter"); ClientXdsClient.parseFilterChain( - filterChain, new HashSet(), null, filterRegistry, null, true /* does not matter */); + filterChain, new HashSet(), null, filterRegistry, null, null, + true /* does not matter */); } @Test @@ -1402,7 +1423,8 @@ public class ClientXdsClientDataTest { thrown.expectMessage( "FilterChain filter-chain-foo with duplicated filter: envoy.http_connection_manager"); ClientXdsClient.parseFilterChain( - filterChain, new HashSet(), null, filterRegistry, null, true /* does not matter */); + filterChain, new HashSet(), null, filterRegistry, null, null, + true /* does not matter */); } @Test @@ -1420,7 +1442,8 @@ public class ClientXdsClientDataTest { "FilterChain filter-chain-foo contains filter envoy.http_connection_manager " + "without typed_config"); ClientXdsClient.parseFilterChain( - filterChain, new HashSet(), null, filterRegistry, null, true /* does not matter */); + filterChain, new HashSet(), null, filterRegistry, null, null, + true /* does not matter */); } @Test @@ -1442,7 +1465,8 @@ public class ClientXdsClientDataTest { "FilterChain filter-chain-foo contains filter unsupported with unsupported " + "typed_config type unsupported-type-url"); ClientXdsClient.parseFilterChain( - filterChain, new HashSet(), null, filterRegistry, null, true /* does not matter */); + filterChain, new HashSet(), null, filterRegistry, null, null, + true /* does not matter */); } @Test @@ -1468,10 +1492,10 @@ public class ClientXdsClientDataTest { EnvoyServerProtoData.FilterChain parsedFilterChain1 = ClientXdsClient.parseFilterChain( filterChain1, new HashSet(), null, filterRegistry, null, - true /* does not matter */); + null, true /* does not matter */); EnvoyServerProtoData.FilterChain parsedFilterChain2 = ClientXdsClient.parseFilterChain( filterChain2, new HashSet(), null, filterRegistry, null, - true /* does not matter */); + null, true /* does not matter */); assertThat(parsedFilterChain1.getName()).isNotEqualTo(parsedFilterChain2.getName()); } @@ -1483,7 +1507,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("common-tls-context with tls_params is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1493,7 +1517,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("common-tls-context with custom_handshaker is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1503,7 +1527,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("common-tls-context with validation_context is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1515,7 +1539,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage( "common-tls-context with validation_context_sds_secret_config is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1528,7 +1552,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage( "common-tls-context with validation_context_certificate_provider is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1542,7 +1566,7 @@ public class ClientXdsClientDataTest { thrown.expectMessage( "common-tls-context with validation_context_certificate_provider_instance is not " + "supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1553,9 +1577,66 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage( "tls_certificate_certificate_provider_instance is required in downstream-tls-context"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, true); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, true); } + @Test + public void validateCommonTlsContext_tlsCertificateProviderInstance() + throws ResourceInvalidException { + CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() + .setTlsCertificateCertificateProviderInstance( + CertificateProviderInstance.newBuilder().setInstanceName("name1").build()) + .build(); + ClientXdsClient + .validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), true); + } + + @Test + public void validateCommonTlsContext_tlsCertificateProviderInstance_absentInBootstrapFile() + throws ResourceInvalidException { + CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() + .setTlsCertificateCertificateProviderInstance( + CertificateProviderInstance.newBuilder().setInstanceName("bad-name").build()) + .build(); + thrown.expect(ResourceInvalidException.class); + thrown.expectMessage( + "CertificateProvider instance name 'bad-name' not defined in the bootstrap file."); + ClientXdsClient + .validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), true); + } + + @Test + public void validateCommonTlsContext_validationContextProviderInstance() + throws ResourceInvalidException { + CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() + .setCombinedValidationContext( + CommonTlsContext.CombinedCertificateValidationContext.newBuilder() + .setValidationContextCertificateProviderInstance( + CertificateProviderInstance.newBuilder().setInstanceName("name1").build()) + .build()) + .build(); + ClientXdsClient + .validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), false); + } + + @Test + public void validateCommonTlsContext_validationContextProviderInstance_absentInBootstrapFile() + throws ResourceInvalidException { + CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() + .setCombinedValidationContext( + CommonTlsContext.CombinedCertificateValidationContext.newBuilder() + .setValidationContextCertificateProviderInstance( + CertificateProviderInstance.newBuilder().setInstanceName("bad-name").build()) + .build()) + .build(); + thrown.expect(ResourceInvalidException.class); + thrown.expectMessage( + "ValidationContextProvider instance name 'bad-name' not defined in the bootstrap file."); + ClientXdsClient + .validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), false); + } + + @Test public void validateCommonTlsContext_tlsCertificatesCount() throws ResourceInvalidException { CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() @@ -1563,7 +1644,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("common-tls-context with tls_certificates is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1575,7 +1656,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage( "common-tls-context with tls_certificate_sds_secret_configs is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1588,7 +1669,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage( "common-tls-context with tls_certificate_certificate_provider is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1598,7 +1679,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("combined_validation_context is required in upstream-tls-context"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1612,7 +1693,7 @@ public class ClientXdsClientDataTest { thrown.expectMessage( "validation_context_certificate_provider_instance is required in " + "combined_validation_context"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, null, false); } @Test @@ -1631,43 +1712,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("match_subject_alt_names only allowed in upstream_tls_context"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, true); - } - - @Test - public void validateCommonTlsContext_combinedValContextWithDefaultValidationContextTrustedCa() - throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .setDefaultValidationContext(CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.getDefaultInstance()))) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("trusted_ca in default_validation_context is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); - } - - @Test - public void validateCommonTlsContext_combinedValContextWithDefaultValContextWatchedDirectory() - throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .setDefaultValidationContext(CertificateValidationContext.newBuilder() - .setWatchedDirectory(WatchedDirectory.getDefaultInstance()))) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("watched_directory in default_validation_context is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, ImmutableSet.of(""), true); } @Test @@ -1686,7 +1731,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("verify_certificate_spki in default_validation_context is not " + "supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, ImmutableSet.of(""), false); } @Test @@ -1705,7 +1750,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("verify_certificate_hash in default_validation_context is not " + "supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, ImmutableSet.of(""), false); } @Test @@ -1725,7 +1770,7 @@ public class ClientXdsClientDataTest { thrown.expectMessage( "require_signed_certificate_timestamp in default_validation_context is not " + "supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, ImmutableSet.of(""), false); } @Test @@ -1743,46 +1788,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("crl in default_validation_context is not supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); - } - - @Test - public void validateCommonTlsContext_combinedValContextWithDefaultValContextAllowExpiredCert() - throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .setDefaultValidationContext( - CertificateValidationContext.newBuilder().setAllowExpiredCertificate(true))) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown - .expectMessage("allow_expired_certificate in default_validation_context is not " - + "supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); - } - - @Test - public void validateCommonTlsContext_combinedValContextWithDfltValContextTrustChainVerification() - throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .setDefaultValidationContext(CertificateValidationContext.newBuilder() - .setTrustChainVerification( - CertificateValidationContext.TrustChainVerification.ACCEPT_UNTRUSTED))) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("Only VERIFY_TRUST_CHAIN for trust_chain_verification supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, ImmutableSet.of(""), false); } @Test @@ -1801,7 +1807,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage("custom_validator_config in default_validation_context is not " + "supported"); - ClientXdsClient.validateCommonTlsContext(commonTlsContext, false); + ClientXdsClient.validateCommonTlsContext(commonTlsContext, ImmutableSet.of(""), false); } @Test @@ -1809,7 +1815,7 @@ public class ClientXdsClientDataTest { DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.getDefaultInstance(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("common-tls-context is required in downstream-tls-context"); - ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext); + ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext, null); } @Test @@ -1828,87 +1834,7 @@ public class ClientXdsClientDataTest { .build(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("downstream-tls-context with require-sni is not supported"); - ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext); - } - - @Test - public void validateDownstreamTlsContext_hasSessionTikcetKeys() throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance())) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setSessionTicketKeys(TlsSessionTicketKeys.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("downstream-tls-context with session_ticket_keys is not supported"); - ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext); - } - - @Test - public void validateDownstreamTlsContext_hasSessionTikcetKeysSdsSecretConfig() - throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance())) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setSessionTicketKeysSdsSecretConfig(SdsSecretConfig.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage( - "downstream-tls-context with session_ticket_keys_sds_secret_config is not supported"); - ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext); - } - - @Test - public void validateDownstreamTlsContext_hasDisableStatelessSessionResumption() - throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance())) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setDisableStatelessSessionResumption(true) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage( - "downstream-tls-context with disable_stateless_session_resumption is not supported"); - ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext); - } - - @Test - public void validateDownstreamTlsContext_hasSessionTimeout() throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance())) - .setTlsCertificateCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance()) - .build(); - DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setSessionTimeout(Duration.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("downstream-tls-context with session_timeout is not supported"); - ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext); + ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext, ImmutableSet.of("")); } @Test @@ -1928,7 +1854,7 @@ public class ClientXdsClientDataTest { thrown.expect(ResourceInvalidException.class); thrown.expectMessage( "downstream-tls-context with ocsp_staple_policy value STRICT_STAPLING is not supported"); - ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext); + ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext, ImmutableSet.of("")); } @Test @@ -1936,58 +1862,7 @@ public class ClientXdsClientDataTest { UpstreamTlsContext upstreamTlsContext = UpstreamTlsContext.getDefaultInstance(); thrown.expect(ResourceInvalidException.class); thrown.expectMessage("common-tls-context is required in upstream-tls-context"); - ClientXdsClient.validateUpstreamTlsContext(upstreamTlsContext); - } - - @Test - public void validateUpstreamTlsContext_sni() throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance())) - .build(); - UpstreamTlsContext upstreamTlsContext = UpstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setSni("foo") - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("upstream-tls-context with sni is not supported"); - ClientXdsClient.validateUpstreamTlsContext(upstreamTlsContext); - } - - @Test - public void validateUpstreamTlsContext_allowRenegotiation() throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance())) - .build(); - UpstreamTlsContext upstreamTlsContext = UpstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setAllowRenegotiation(true) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("upstream-tls-context with allow_renegotiation is not supported"); - ClientXdsClient.validateUpstreamTlsContext(upstreamTlsContext); - } - - @Test - public void validateUpstreamTlsContext_maxSessionKeys() throws ResourceInvalidException { - CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder() - .setCombinedValidationContext( - CommonTlsContext.CombinedCertificateValidationContext.newBuilder() - .setValidationContextCertificateProviderInstance( - CommonTlsContext.CertificateProviderInstance.getDefaultInstance())) - .build(); - UpstreamTlsContext upstreamTlsContext = UpstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setMaxSessionKeys(UInt32Value.getDefaultInstance()) - .build(); - thrown.expect(ResourceInvalidException.class); - thrown.expectMessage("upstream-tls-context with max_session_keys is not supported"); - ClientXdsClient.validateUpstreamTlsContext(upstreamTlsContext); + ClientXdsClient.validateUpstreamTlsContext(upstreamTlsContext, null); } private static Filter buildHttpConnectionManagerFilter(HttpFilter... httpFilters) { diff --git a/xds/src/test/java/io/grpc/xds/ClientXdsClientTestBase.java b/xds/src/test/java/io/grpc/xds/ClientXdsClientTestBase.java index 913eb208ad..7889277299 100644 --- a/xds/src/test/java/io/grpc/xds/ClientXdsClientTestBase.java +++ b/xds/src/test/java/io/grpc/xds/ClientXdsClientTestBase.java @@ -56,6 +56,7 @@ import io.grpc.internal.FakeClock.TaskFilter; import io.grpc.internal.TimeProvider; import io.grpc.testing.GrpcCleanupRule; import io.grpc.xds.AbstractXdsClient.ResourceType; +import io.grpc.xds.Bootstrapper.CertificateProviderInfo; import io.grpc.xds.Endpoints.DropOverload; import io.grpc.xds.Endpoints.LbEndpoint; import io.grpc.xds.Endpoints.LocalityLbEndpoints; @@ -273,7 +274,8 @@ public abstract class ClientXdsClientTestBase { new Bootstrapper.ServerInfo( SERVER_URI, InsecureChannelCredentials.create(), useProtocolV3())), EnvoyProtoData.Node.newBuilder().build(), - null, + ImmutableMap.of("cert-instance-name", + new CertificateProviderInfo("file-watcher", ImmutableMap.of())), null); xdsClient = new ClientXdsClient( @@ -1327,7 +1329,8 @@ public abstract class ClientXdsClientTestBase { Any clusterEds = Any.pack(mf.buildEdsCluster(CDS_RESOURCE, "eds-cluster-foo.googleapis.com", "round_robin", null, true, - mf.buildUpstreamTlsContext("secret1", "cert1"), "envoy.transport_sockets.tls", null)); + mf.buildUpstreamTlsContext("cert-instance-name", "cert1"), + "envoy.transport_sockets.tls", null)); List clusters = ImmutableList.of( Any.pack(mf.buildLogicalDnsCluster("cluster-bar.googleapis.com", "dns-service-bar.googleapis.com", 443, "round_robin", null, false, null, null)), @@ -1343,7 +1346,7 @@ public abstract class ClientXdsClientTestBase { CommonTlsContext.CertificateProviderInstance certificateProviderInstance = cdsUpdate.upstreamTlsContext().getCommonTlsContext().getCombinedValidationContext() .getValidationContextCertificateProviderInstance(); - assertThat(certificateProviderInstance.getInstanceName()).isEqualTo("secret1"); + assertThat(certificateProviderInstance.getInstanceName()).isEqualTo("cert-instance-name"); assertThat(certificateProviderInstance.getCertificateName()).isEqualTo("cert1"); verifyResourceMetadataAcked(CDS, CDS_RESOURCE, clusterEds, VERSION_1, TIME_INCREMENT); verifySubscribedResourcesMetadataSizes(0, 1, 0, 0); diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java index 2914e5f393..2918ce5622 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java @@ -146,7 +146,7 @@ public class CommonTlsContextTestsUtil { if (certName != null || validationContextCertName != null || useSans) { commonTlsContext = buildCommonTlsContextWithAdditionalValues( "cert-instance-name", certName, - "val-cert-instance-name", validationContextCertName, + "cert-instance-name", validationContextCertName, useSans ? Arrays.asList( StringMatcher.newBuilder() .setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")