grpc
/
grpc-java
mirror of https://github.com/grpc/grpc-java.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

xds: reorder processing of tlsContext to prioritize CertProviderInstance (#7592)

This commit is contained in:
sanjaypujare 2020-11-04 12:57:20 -08:00 committed by GitHub
parent d52b359631
commit d7764d7e32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 109 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
xds/src/main/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactory.java
View File

@ -51,7 +51,19 @@ final class ClientSslContextProviderFactory
checkNotNull( checkNotNull(
upstreamTlsContext.getCommonTlsContext(), upstreamTlsContext.getCommonTlsContext(),
"upstreamTlsContext should have CommonTlsContext"); "upstreamTlsContext should have CommonTlsContext");
if (CommonTlsContextUtil.hasAllSecretsUsingFilename(upstreamTlsContext.getCommonTlsContext())) { if (CommonTlsContextUtil.hasCertProviderInstance(
upstreamTlsContext.getCommonTlsContext())) {
try {
Bootstrapper.BootstrapInfo bootstrapInfo = bootstrapper.readBootstrap();
return certProviderClientSslContextProviderFactory.getProvider(
upstreamTlsContext,
bootstrapInfo.getNode().toEnvoyProtoNode(),
bootstrapInfo.getCertProviders());
} catch (XdsInitializationException e) {
throw new RuntimeException(e);
}
} else if (CommonTlsContextUtil.hasAllSecretsUsingFilename(
upstreamTlsContext.getCommonTlsContext())) {
return SecretVolumeClientSslContextProvider.getProvider(upstreamTlsContext); return SecretVolumeClientSslContextProvider.getProvider(upstreamTlsContext);
} else if (CommonTlsContextUtil.hasAllSecretsUsingSds( } else if (CommonTlsContextUtil.hasAllSecretsUsingSds(
upstreamTlsContext.getCommonTlsContext())) { upstreamTlsContext.getCommonTlsContext())) {
@ -67,17 +79,6 @@ final class ClientSslContextProviderFactory
} catch (XdsInitializationException e) { } catch (XdsInitializationException e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} else if (CommonTlsContextUtil.hasCertProviderInstance(
upstreamTlsContext.getCommonTlsContext())) {
try {
Bootstrapper.BootstrapInfo bootstrapInfo = bootstrapper.readBootstrap();
return certProviderClientSslContextProviderFactory.getProvider(
upstreamTlsContext,
bootstrapInfo.getNode().toEnvoyProtoNode(),
bootstrapInfo.getCertProviders());
} catch (XdsInitializationException e) {
throw new RuntimeException(e);
}
} }
throw new UnsupportedOperationException("Unsupported configurations in UpstreamTlsContext!"); throw new UnsupportedOperationException("Unsupported configurations in UpstreamTlsContext!");
} }

24
xds/src/main/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactory.java
View File

@ -52,7 +52,18 @@ final class ServerSslContextProviderFactory
checkNotNull( checkNotNull(
downstreamTlsContext.getCommonTlsContext(), downstreamTlsContext.getCommonTlsContext(),
"downstreamTlsContext should have CommonTlsContext"); "downstreamTlsContext should have CommonTlsContext");
if (CommonTlsContextUtil.hasAllSecretsUsingFilename( if (CommonTlsContextUtil.hasCertProviderInstance(
downstreamTlsContext.getCommonTlsContext())) {
try {
Bootstrapper.BootstrapInfo bootstrapInfo = bootstrapper.readBootstrap();
return certProviderServerSslContextProviderFactory.getProvider(
downstreamTlsContext,
bootstrapInfo.getNode().toEnvoyProtoNode(),
bootstrapInfo.getCertProviders());
} catch (XdsInitializationException e) {
throw new RuntimeException(e);
}
} else if (CommonTlsContextUtil.hasAllSecretsUsingFilename(
downstreamTlsContext.getCommonTlsContext())) { downstreamTlsContext.getCommonTlsContext())) {
return SecretVolumeServerSslContextProvider.getProvider(downstreamTlsContext); return SecretVolumeServerSslContextProvider.getProvider(downstreamTlsContext);
} else if (CommonTlsContextUtil.hasAllSecretsUsingSds( } else if (CommonTlsContextUtil.hasAllSecretsUsingSds(
@ -69,17 +80,6 @@ final class ServerSslContextProviderFactory
} catch (XdsInitializationException e) { } catch (XdsInitializationException e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} else if (CommonTlsContextUtil.hasCertProviderInstance(
downstreamTlsContext.getCommonTlsContext())) {
try {
Bootstrapper.BootstrapInfo bootstrapInfo = bootstrapper.readBootstrap();
return certProviderServerSslContextProviderFactory.getProvider(
downstreamTlsContext,
bootstrapInfo.getNode().toEnvoyProtoNode(),
bootstrapInfo.getCertProviders());
} catch (XdsInitializationException e) {
throw new RuntimeException(e);
}
} }
throw new UnsupportedOperationException("Unsupported configurations in DownstreamTlsContext!"); throw new UnsupportedOperationException("Unsupported configurations in DownstreamTlsContext!");
} }

52
xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java
View File

@ -26,8 +26,10 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import com.google.common.collect.ImmutableSet; import com.google.common.collect.ImmutableSet;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher; import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.xds.Bootstrapper; import io.grpc.xds.Bootstrapper;
import io.grpc.xds.CommonBootstrapperTestUtils; import io.grpc.xds.CommonBootstrapperTestUtils;
@ -139,6 +141,33 @@ public class ClientSslContextProviderFactoryTest {
verifyWatcher(sslContextProvider, watcherCaptor[0]); verifyWatcher(sslContextProvider, watcherCaptor[0]);
} }
@Test
public void bothPresent_expectCertProviderClientSslContextProvider()
throws XdsInitializationException {
final CertificateProvider.DistributorWatcher[] watcherCaptor =
new CertificateProvider.DistributorWatcher[1];
createAndRegisterProviderProvider(certificateProviderRegistry, watcherCaptor, "testca", 0);
UpstreamTlsContext upstreamTlsContext =
CommonTlsContextTestsUtil.buildUpstreamTlsContextForCertProviderInstance(
"gcp_id",
"cert-default",
"gcp_id",
"root-default",
/* alpnProtocols= */ null,
/* staticCertValidationContext= */ null);
CommonTlsContext.Builder builder = upstreamTlsContext.getCommonTlsContext().toBuilder();
builder = addFilenames(builder, "foo.pem", "foo.key", "root.pem");
upstreamTlsContext = new UpstreamTlsContext(builder.build());
Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
when(bootstrapper.readBootstrap()).thenReturn(bootstrapInfo);
SslContextProvider sslContextProvider =
clientSslContextProviderFactory.create(upstreamTlsContext);
assertThat(sslContextProvider).isInstanceOf(CertProviderClientSslContextProvider.class);
verifyWatcher(sslContextProvider, watcherCaptor[0]);
}
@Test @Test
public void createCertProviderClientSslContextProvider_onlyRootCert() public void createCertProviderClientSslContextProvider_onlyRootCert()
throws XdsInitializationException { throws XdsInitializationException {
@ -301,4 +330,27 @@ public class ClientSslContextProviderFactoryTest {
assertThat(watcherCaptor.getDownstreamWatchers().iterator().next()) assertThat(watcherCaptor.getDownstreamWatchers().iterator().next())
.isSameInstanceAs(sslContextProvider); .isSameInstanceAs(sslContextProvider);
} }
static CommonTlsContext.Builder addFilenames(
CommonTlsContext.Builder builder, String certChain, String privateKey, String trustCa) {
TlsCertificate tlsCert =
TlsCertificate.newBuilder()
.setCertificateChain(DataSource.newBuilder().setFilename(certChain))
.setPrivateKey(DataSource.newBuilder().setFilename(privateKey))
.build();
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.setTrustedCa(DataSource.newBuilder().setFilename(trustCa))
.build();
CommonTlsContext.CertificateProviderInstance certificateProviderInstance =
builder.getValidationContextCertificateProviderInstance();
CommonTlsContext.CombinedCertificateValidationContext.Builder combinedBuilder =
CommonTlsContext.CombinedCertificateValidationContext.newBuilder();
combinedBuilder
.setDefaultValidationContext(certContext)
.setValidationContextCertificateProviderInstance(certificateProviderInstance);
return builder
.addTlsCertificates(tlsCert)
.setCombinedValidationContext(combinedBuilder.build());
}
} }

32
xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java
View File

@ -31,6 +31,7 @@ import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher; import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.xds.Bootstrapper; import io.grpc.xds.Bootstrapper;
import io.grpc.xds.CommonBootstrapperTestUtils; import io.grpc.xds.CommonBootstrapperTestUtils;
import io.grpc.xds.EnvoyServerProtoData;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.grpc.xds.XdsInitializationException; import io.grpc.xds.XdsInitializationException;
import io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider; import io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider;
@ -136,6 +137,37 @@ public class ServerSslContextProviderFactoryTest {
verifyWatcher(sslContextProvider, watcherCaptor[0]); verifyWatcher(sslContextProvider, watcherCaptor[0]);
} }
@Test
public void bothPresent_expectCertProviderServerSslContextProvider()
throws XdsInitializationException {
final CertificateProvider.DistributorWatcher[] watcherCaptor =
new CertificateProvider.DistributorWatcher[1];
createAndRegisterProviderProvider(certificateProviderRegistry, watcherCaptor, "testca", 0);
DownstreamTlsContext downstreamTlsContext =
CommonTlsContextTestsUtil.buildDownstreamTlsContextForCertProviderInstance(
"gcp_id",
"cert-default",
"gcp_id",
"root-default",
/* alpnProtocols= */ null,
/* staticCertValidationContext= */ null,
/* requireClientCert= */ true);
CommonTlsContext.Builder builder = downstreamTlsContext.getCommonTlsContext().toBuilder();
builder =
ClientSslContextProviderFactoryTest.addFilenames(builder, "foo.pem", "foo.key", "root.pem");
downstreamTlsContext =
new EnvoyServerProtoData.DownstreamTlsContext(
builder.build(), downstreamTlsContext.isRequireClientCertificate());
Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
when(bootstrapper.readBootstrap()).thenReturn(bootstrapInfo);
SslContextProvider sslContextProvider =
serverSslContextProviderFactory.create(downstreamTlsContext);
assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
verifyWatcher(sslContextProvider, watcherCaptor[0]);
}
@Test @Test
public void createCertProviderServerSslContextProvider_onlyCertInstance() public void createCertProviderServerSslContextProvider_onlyCertInstance()
throws XdsInitializationException { throws XdsInitializationException {