xds: parse Listener update as xDS v3 resource

This is part of xDS v3 support as per go/grpc-xds-v3-support

In this PR:
- still only send v2 requests to xDS server (No v3 bootstrap or env flag support)
- parse Listener update as v3 proto
- Refactor SDS's Listener watcher to use envoy v3 API
- still parse other resources as v2 proto.
ZHANG Dapeng 2020-07-06 10:25:46 -07:00 committed by GitHub
parent c6bd97245c
commit eaa98f8d91
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 511 additions and 563 deletions


@ -19,7 +19,7 @@ package io.grpc.xds;
import com.google.common.annotations.VisibleForTesting;
import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.Internal;
import java.util.ArrayList;
import java.util.Collections;
@ -75,7 +75,8 @@ public final class EnvoyServerProtoData {
}
public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext upstreamTlsContext) {
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
upstreamTlsContext) {
return new UpstreamTlsContext(upstreamTlsContext.getCommonTlsContext());
}
@ -96,7 +97,8 @@ public final class EnvoyServerProtoData {
}
public static DownstreamTlsContext fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext) {
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
downstreamTlsContext) {
return new DownstreamTlsContext(downstreamTlsContext.getCommonTlsContext(),
downstreamTlsContext.hasRequireClientCertificate());
}
@ -147,7 +149,7 @@ public final class EnvoyServerProtoData {
}
static CidrRange fromEnvoyProtoCidrRange(
io.envoyproxy.envoy.api.v2.core.CidrRange proto) {
io.envoyproxy.envoy.config.core.v3.CidrRange proto) {
return new CidrRange(proto.getAddressPrefix(), proto.getPrefixLen().getValue());
}
@ -204,9 +206,9 @@ public final class EnvoyServerProtoData {
}
static FilterChainMatch fromEnvoyProtoFilterChainMatch(
io.envoyproxy.envoy.api.v2.listener.FilterChainMatch proto) {
io.envoyproxy.envoy.config.listener.v3.FilterChainMatch proto) {
List<CidrRange> prefixRanges = new ArrayList<>();
for (io.envoyproxy.envoy.api.v2.core.CidrRange range : proto.getPrefixRangesList()) {
for (io.envoyproxy.envoy.config.core.v3.CidrRange range : proto.getPrefixRangesList()) {
prefixRanges.add(CidrRange.fromEnvoyProtoCidrRange(range));
}
List<String> applicationProtocols = new ArrayList<>();
@ -266,16 +268,18 @@ public final class EnvoyServerProtoData {
static final class FilterChain {
// TODO(sanjaypujare): flatten structure by moving FilterChainMatch class members here.
private final FilterChainMatch filterChainMatch;
@Nullable
private final DownstreamTlsContext downstreamTlsContext;
@VisibleForTesting
FilterChain(FilterChainMatch filterChainMatch, DownstreamTlsContext downstreamTlsContext) {
FilterChain(
FilterChainMatch filterChainMatch, @Nullable DownstreamTlsContext downstreamTlsContext) {
this.filterChainMatch = filterChainMatch;
this.downstreamTlsContext = downstreamTlsContext;
}
static FilterChain fromEnvoyProtoFilterChain(
io.envoyproxy.envoy.api.v2.listener.FilterChain proto)
io.envoyproxy.envoy.config.listener.v3.FilterChain proto)
throws InvalidProtocolBufferException {
return new FilterChain(
FilterChainMatch.fromEnvoyProtoFilterChainMatch(proto.getFilterChainMatch()),
@ -283,23 +287,25 @@ public final class EnvoyServerProtoData {
);
}
@Nullable
private static DownstreamTlsContext getTlsContextFromFilterChain(
io.envoyproxy.envoy.api.v2.listener.FilterChain filterChain)
io.envoyproxy.envoy.config.listener.v3.FilterChain filterChain)
throws InvalidProtocolBufferException {
if (filterChain.hasTransportSocket()
&& "tls".equals(filterChain.getTransportSocket().getName())) {
Any any = filterChain.getTransportSocket().getTypedConfig();
return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.parseFrom(any.getValue()));
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext.parseFrom(
any.getValue()));
}
// TODO(sanjaypujare): remove when we move to envoy protos v3
return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(filterChain.getTlsContext());
return null;
}
public FilterChainMatch getFilterChainMatch() {
return filterChainMatch;
}
@Nullable
public DownstreamTlsContext getDownstreamTlsContext() {
return downstreamTlsContext;
}
@ -350,9 +356,9 @@ public final class EnvoyServerProtoData {
}
private static String convertEnvoyAddressToString(
io.envoyproxy.envoy.api.v2.core.Address proto) {
io.envoyproxy.envoy.config.core.v3.Address proto) {
if (proto.hasSocketAddress()) {
io.envoyproxy.envoy.api.v2.core.SocketAddress socketAddress = proto.getSocketAddress();
io.envoyproxy.envoy.config.core.v3.SocketAddress socketAddress = proto.getSocketAddress();
String address = socketAddress.getAddress();
switch (socketAddress.getPortSpecifierCase()) {
case NAMED_PORT:
@ -366,10 +372,10 @@ public final class EnvoyServerProtoData {
return null;
}
static Listener fromEnvoyProtoListener(io.envoyproxy.envoy.api.v2.Listener proto)
static Listener fromEnvoyProtoListener(io.envoyproxy.envoy.config.listener.v3.Listener proto)
throws InvalidProtocolBufferException {
List<FilterChain> filterChains = new ArrayList<>(proto.getFilterChainsCount());
for (io.envoyproxy.envoy.api.v2.listener.FilterChain filterChain :
for (io.envoyproxy.envoy.config.listener.v3.FilterChain filterChain :
proto.getFilterChainsList()) {
filterChains.add(FilterChain.fromEnvoyProtoFilterChain(filterChain));
}
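Review bot: getTlsContextFromFilterChain still decodes the transport socket's typed_config with `parseFrom(any.getValue())`, which ignores the Any's type URL, so a typed_config carrying some other message would be decoded field-by-field as a DownstreamTlsContext instead of being rejected. The method already declares InvalidProtocolBufferException, so `any.unpack(io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext.class)` gives the same parse plus a type-URL check, and a mismatched config then surfaces as a malformed-resource NACK rather than a bogus TLS context; getTlsContextFromCluster in XdsClientImpl in this same commit has the identical pattern. The new `return null;` also deserves a why-comment, e.g. `// No "tls" transport socket: the v2 tls_context fallback is gone, so the chain is treated as plaintext.`, since every caller must now cope with the @Nullable result. FilterChain.fromEnvoyProtoFilterChain and fromEnvoyProtoListener both continue outside their hunks.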


@ -39,17 +39,17 @@ import io.envoyproxy.envoy.api.v2.Cluster.LbPolicy;
import io.envoyproxy.envoy.api.v2.ClusterLoadAssignment;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
import io.envoyproxy.envoy.api.v2.Listener;
import io.envoyproxy.envoy.api.v2.RouteConfiguration;
import io.envoyproxy.envoy.api.v2.core.Address;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.api.v2.core.SocketAddress;
import io.envoyproxy.envoy.api.v2.listener.FilterChain;
import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch;
import io.envoyproxy.envoy.api.v2.route.Route;
import io.envoyproxy.envoy.api.v2.route.VirtualHost;
import io.envoyproxy.envoy.config.core.v3.Address;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds;
import io.envoyproxy.envoy.config.listener.v3.FilterChain;
import io.envoyproxy.envoy.config.listener.v3.FilterChainMatch;
import io.envoyproxy.envoy.config.listener.v3.Listener;
import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc;
import io.grpc.InternalLogId;
import io.grpc.ManagedChannel;
@ -86,7 +86,9 @@ final class XdsClientImpl extends XdsClient {
static final int INITIAL_RESOURCE_FETCH_TIMEOUT_SEC = 15;
@VisibleForTesting
static final String ADS_TYPE_URL_LDS = "type.googleapis.com/envoy.api.v2.Listener";
static final String ADS_TYPE_URL_LDS_V2 = "type.googleapis.com/envoy.api.v2.Listener";
private static final String ADS_TYPE_URL_LDS =
"type.googleapis.com/envoy.config.listener.v3.Listener";
@VisibleForTesting
static final String ADS_TYPE_URL_RDS =
"type.googleapis.com/envoy.api.v2.RouteConfiguration";
@ -263,7 +265,7 @@ final class XdsClientImpl extends XdsClient {
if (adsStream == null) {
startRpcStream();
}
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName));
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName));
ldsRespTimer =
syncContext
.schedule(
@ -438,7 +440,7 @@ final class XdsClientImpl extends XdsClient {
startRpcStream();
}
updateNodeMetadataForListenerRequest(port);
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.<String>of());
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of());
ldsRespTimer =
syncContext
.schedule(
@ -452,8 +454,8 @@ final class XdsClientImpl extends XdsClient {
.putFields("TRAFFICDIRECTOR_PROXYLESS",
Value.newBuilder().setStringValue("1").build())
.build();
Address listeningAddress =
Address.newBuilder()
io.envoyproxy.envoy.api.v2.core.Address listeningAddress =
io.envoyproxy.envoy.api.v2.core.Address.newBuilder()
.setSocketAddress(
SocketAddress.newBuilder().setAddress("0.0.0.0").setPortValue(port).build())
.build();
@ -553,6 +555,9 @@ final class XdsClientImpl extends XdsClient {
List<String> listenerNames = new ArrayList<>(ldsResponse.getResourcesCount());
try {
for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) {
if (res.getTypeUrl().equals(ADS_TYPE_URL_LDS_V2)) {
res = res.toBuilder().setTypeUrl(ADS_TYPE_URL_LDS).build();
}
Listener listener = res.unpack(Listener.class);
listeners.add(listener);
listenerNames.add(listener.getName());
@ -560,7 +565,7 @@ final class XdsClientImpl extends XdsClient {
} catch (InvalidProtocolBufferException e) {
logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e);
adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName),
ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return;
}
@ -581,7 +586,7 @@ final class XdsClientImpl extends XdsClient {
XdsLogLevel.WARNING,
"Failed to unpack HttpConnectionManagers in Listeners of LDS response {0}", e);
adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName),
ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return;
}
@ -627,11 +632,11 @@ final class XdsClientImpl extends XdsClient {
if (errorMessage != null) {
adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName),
ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo(), errorMessage);
return;
}
adsStream.sendAckRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName),
adsStream.sendAckRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo());
if (routes != null || rdsRouteConfigName != null) {
@ -681,6 +686,9 @@ final class XdsClientImpl extends XdsClient {
logger.log(XdsLogLevel.DEBUG, "Listener count: {0}", ldsResponse.getResourcesCount());
try {
for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) {
if (res.getTypeUrl().equals(ADS_TYPE_URL_LDS_V2)) {
res = res.toBuilder().setTypeUrl(ADS_TYPE_URL_LDS).build();
}
Listener listener = res.unpack(Listener.class);
logger.log(XdsLogLevel.DEBUG, "Found listener {0}", listener.toString());
if (isRequestedListener(listener)) {
@ -691,7 +699,7 @@ final class XdsClientImpl extends XdsClient {
} catch (InvalidProtocolBufferException e) {
logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e);
adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.<String>of(),
ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of(),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return;
}
@ -708,7 +716,7 @@ final class XdsClientImpl extends XdsClient {
} catch (InvalidProtocolBufferException e) {
logger.log(XdsLogLevel.WARNING, "Failed to unpack Listener in LDS response {0}", e);
adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.<String>of(),
ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of(),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return;
}
@ -717,7 +725,7 @@ final class XdsClientImpl extends XdsClient {
listenerWatcher.onResourceDoesNotExist(":" + listenerPort);
}
}
adsStream.sendAckRequest(ADS_TYPE_URL_LDS, ImmutableList.<String>of(),
adsStream.sendAckRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of(),
ldsResponse.getVersionInfo());
if (listenerUpdate != null) {
listenerWatcher.onListenerChanged(listenerUpdate);
@ -1073,15 +1081,16 @@ final class XdsClientImpl extends XdsClient {
}
}
@Nullable
private static UpstreamTlsContext getTlsContextFromCluster(Cluster cluster)
throws InvalidProtocolBufferException {
if (cluster.hasTransportSocket() && "tls".equals(cluster.getTransportSocket().getName())) {
Any any = cluster.getTransportSocket().getTypedConfig();
return UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext.parseFrom(any.getValue()));
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext.parseFrom(
any.getValue()));
}
// TODO(sanjaypujare): remove when we move to envoy protos v3
return UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(cluster.getTlsContext());
return null;
}
/**
@ -1219,7 +1228,7 @@ final class XdsClientImpl extends XdsClient {
public void run() {
startRpcStream();
if (configWatcher != null) {
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName));
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName));
ldsRespTimer =
syncContext
.schedule(
@ -1227,7 +1236,7 @@ final class XdsClientImpl extends XdsClient {
INITIAL_RESOURCE_FETCH_TIMEOUT_SEC, TimeUnit.SECONDS, timeService);
}
if (listenerWatcher != null) {
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.<String>of());
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of());
ldsRespTimer =
syncContext
.schedule(
@ -1315,7 +1324,7 @@ final class XdsClientImpl extends XdsClient {
// used for management server to identify which response the client is ACKing/NACking.
// To avoid confusion, client-initiated requests will always use the nonce in
// most recently received responses of each resource type.
if (typeUrl.equals(ADS_TYPE_URL_LDS)) {
if (typeUrl.equals(ADS_TYPE_URL_LDS_V2) || typeUrl.equals(ADS_TYPE_URL_LDS)) {
ldsRespNonce = response.getNonce();
handleLdsResponse(response);
} else if (typeUrl.equals(ADS_TYPE_URL_RDS)) {
@ -1428,7 +1437,7 @@ final class XdsClientImpl extends XdsClient {
checkState(requestWriter != null, "ADS stream has not been started");
String version = "";
String nonce = "";
if (typeUrl.equals(ADS_TYPE_URL_LDS)) {
if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) {
version = ldsVersion;
nonce = ldsRespNonce;
logger.log(XdsLogLevel.INFO, "Sending LDS request for resources: {0}", resourceNames);
@ -1469,7 +1478,7 @@ final class XdsClientImpl extends XdsClient {
String versionInfo) {
checkState(requestWriter != null, "ADS stream has not been started");
String nonce = "";
if (typeUrl.equals(ADS_TYPE_URL_LDS)) {
if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) {
ldsVersion = versionInfo;
nonce = ldsRespNonce;
} else if (typeUrl.equals(ADS_TYPE_URL_RDS)) {
@ -1504,7 +1513,7 @@ final class XdsClientImpl extends XdsClient {
checkState(requestWriter != null, "ADS stream has not been started");
String versionInfo = "";
String nonce = "";
if (typeUrl.equals(ADS_TYPE_URL_LDS)) {
if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) {
versionInfo = ldsVersion;
nonce = ldsRespNonce;
logger.log(
@ -1717,6 +1726,7 @@ final class XdsClientImpl extends XdsClient {
com.google.protobuf.TypeRegistry registry =
com.google.protobuf.TypeRegistry.newBuilder()
.add(Listener.getDescriptor())
.add(io.envoyproxy.envoy.api.v2.Listener.getDescriptor())
.add(HttpConnectionManager.getDescriptor())
.add(RouteConfiguration.getDescriptor())
.add(Cluster.getDescriptor())


@ -20,11 +20,11 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.ValidationContextTypeCase;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.core.DataSource.SpecifierCase;
import io.envoyproxy.envoy.config.core.v3.DataSource.SpecifierCase;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.ValidationContextTypeCase;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import javax.annotation.Nullable;
/** Class for utility functions for {@link CommonTlsContext}. */


@ -27,6 +27,7 @@ import com.google.protobuf.Value;
// TODO(sanjaypujare): remove dependency on envoy data types.
import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.grpc.CallCredentials;
import io.grpc.Metadata;
import io.grpc.Status;
@ -77,6 +78,19 @@ final class FileBasedPluginCredential extends CallCredentials {
secretData = buildDataSourceFromConfigStruct(value.getStructValue());
}
FileBasedPluginCredential(
GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin metadataCredentialsFromPlugin) {
checkNotNull(metadataCredentialsFromPlugin, "metadataCredentialsFromPlugin");
checkArgument(
PLUGIN_NAME.equals(metadataCredentialsFromPlugin.getName()),
"plugin name should be %s", PLUGIN_NAME);
// FIXME(#7166): real implementation
headerKey = DEFAULT_HEADER_KEY;
headerPrefix = "";
secretData = null;
}
private static DataSource buildDataSourceFromConfigStruct(Struct secretValueStruct) {
checkNotNull(secretValueStruct, "secretValueStruct");
if (secretValueStruct.containsFields(FILENAME)) {
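Review bot: The new v3 constructor accepts a MetadataCredentialsFromPlugin, validates only its name, and then discards it, leaving `secretData = null`; the result is a CallCredentials object that looks configured but carries no secret, which fails open if whatever reads secretData (outside this hunk) tolerates null. Until #7166 lands, failing closed is safer and matches what this commit does in SdsX509TrustManager: replace the three placeholder assignments with `throw new UnsupportedOperationException("v3 MetadataCredentialsFromPlugin is not yet supported (#7166)");`. If the placeholder must stay, document on the constructor that the produced credential attaches no metadata.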


@ -28,14 +28,14 @@ import com.google.protobuf.Struct;
import com.google.protobuf.Value;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource.ApiType;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource.ApiType;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc;
import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc.SecretDiscoveryServiceStub;
import io.grpc.CallCredentials;


@ -18,11 +18,11 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;


@ -18,10 +18,10 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.netty.handler.ssl.SslContextBuilder;


@ -19,12 +19,12 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.Status;
import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
import io.netty.handler.ssl.ApplicationProtocolConfig;


@ -22,9 +22,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateCertificateC
import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate;
import com.google.common.annotations.VisibleForTesting;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;


@ -22,9 +22,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateCertificateC
import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate;
import com.google.common.annotations.VisibleForTesting;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.netty.handler.ssl.SslContext;


@ -19,8 +19,8 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;


@ -21,8 +21,8 @@ import static com.google.common.base.Preconditions.checkState;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.core.DataSource.SpecifierCase;
import io.envoyproxy.envoy.config.core.v3.DataSource.SpecifierCase;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.xds.internal.sds.TlsContextManagerImpl;
import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import java.io.File;


@ -20,7 +20,8 @@ import static com.google.common.base.Preconditions.checkNotNull;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Ascii;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
@ -199,6 +200,7 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509
}
// logic from Envoy::Extensions::TransportSockets::Tls::ContextImpl::verifySubjectAltName
@SuppressWarnings("UnusedMethod") // TODO(#7166): support StringMatcher list.
private static void verifySubjectAltNameInLeaf(X509Certificate cert, List<String> verifyList)
throws CertificateException {
Collection<List<?>> names = cert.getSubjectAlternativeNames();
@ -223,7 +225,7 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509
if (certContext == null) {
return;
}
List<String> verifyList = certContext.getVerifySubjectAltNameList();
List<StringMatcher> verifyList = certContext.getMatchSubjectAltNamesList();
if (verifyList.isEmpty()) {
return;
}
@ -231,7 +233,9 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509
throw new CertificateException("Peer certificate(s) missing");
}
// verify SANs only in the top cert (leaf cert)
verifySubjectAltNameInLeaf(peerCertChain[0], verifyList);
// v2 version: verifySubjectAltNameInLeaf(peerCertChain[0], verifyList);
// TODO(#7166): Implement v3 version.
throw new UnsupportedOperationException();
}
@Override
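Review bot: Failing closed when match_subject_alt_names is non-empty is the right call, but `throw new UnsupportedOperationException();` is an unchecked exception escaping from a trust-manager check that the surrounding code reports via CertificateException (see `throw new CertificateException("Peer certificate(s) missing")` just above), so the SSL engine and any caller catching the declared type will see a crash-style error rather than a certificate validation failure. Prefer `throw new CertificateException("Subject alternative name matching via StringMatcher is not yet supported (#7166)");`, which keeps the handshake failure on the documented path and carries a message an operator can act on. The enclosing method starts outside the hunk; confirm its declared throws clause includes CertificateException before changing the type.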


@ -21,15 +21,15 @@ import static com.google.common.truth.Truth.assertThat;
import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.UInt32Value;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.Address;
import io.envoyproxy.envoy.api.v2.core.CidrRange;
import io.envoyproxy.envoy.api.v2.core.SocketAddress;
import io.envoyproxy.envoy.api.v2.core.TransportSocket;
import io.envoyproxy.envoy.api.v2.listener.Filter;
import io.envoyproxy.envoy.api.v2.listener.FilterChain;
import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch;
import io.envoyproxy.envoy.config.core.v3.Address;
import io.envoyproxy.envoy.config.core.v3.CidrRange;
import io.envoyproxy.envoy.config.core.v3.SocketAddress;
import io.envoyproxy.envoy.config.core.v3.TransportSocket;
import io.envoyproxy.envoy.config.listener.v3.Filter;
import io.envoyproxy.envoy.config.listener.v3.FilterChain;
import io.envoyproxy.envoy.config.listener.v3.FilterChainMatch;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.grpc.xds.EnvoyServerProtoData.Listener;
import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil;
@ -51,8 +51,8 @@ public class EnvoyServerProtoDataTest {
.setSocketAddress(
SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build())
.build();
io.envoyproxy.envoy.api.v2.Listener listener =
io.envoyproxy.envoy.api.v2.Listener.newBuilder()
io.envoyproxy.envoy.config.listener.v3.Listener listener =
io.envoyproxy.envoy.config.listener.v3.Listener.newBuilder()
.setName("8000")
.setAddress(address)
.addFilterChains(createOutFilter())
@ -73,8 +73,7 @@ public class EnvoyServerProtoDataTest {
assertThat(outFilterChainMatch.getApplicationProtocols()).isEmpty();
assertThat(outFilterChainMatch.getPrefixRanges()).isEmpty();
assertThat(outFilter.getDownstreamTlsContext())
.isEqualTo(DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance()));
.isNull();
EnvoyServerProtoData.FilterChain inFilter = filterChains.get(1);
assertThat(inFilter).isNotNull();
@ -93,33 +92,6 @@ public class EnvoyServerProtoDataTest {
assertThat(tlsCertSdsConfigs.get(0).getName()).isEqualTo("google-sds-config-default");
}
// TODO(sanjaypujare): remove when we move to envoy protos v3
@Test
public void listener_convertFromDeprecatedListenerProto() throws InvalidProtocolBufferException {
Address address =
Address.newBuilder()
.setSocketAddress(
SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build())
.build();
io.envoyproxy.envoy.api.v2.Listener listener =
io.envoyproxy.envoy.api.v2.Listener.newBuilder()
.setName("8000")
.setAddress(address)
.addFilterChains(createDeprecatedInFilter())
.build();
Listener xdsListener = Listener.fromEnvoyProtoListener(listener);
List<EnvoyServerProtoData.FilterChain> filterChains = xdsListener.getFilterChains();
assertThat(filterChains).hasSize(1);
EnvoyServerProtoData.FilterChain inFilter = filterChains.get(0);
DownstreamTlsContext inFilterTlsContext = inFilter.getDownstreamTlsContext();
assertThat(inFilterTlsContext.getCommonTlsContext()).isNotNull();
CommonTlsContext commonTlsContext = inFilterTlsContext.getCommonTlsContext();
List<SdsSecretConfig> tlsCertSdsConfigs = commonTlsContext
.getTlsCertificateSdsSecretConfigsList();
assertThat(tlsCertSdsConfigs).hasSize(1);
assertThat(tlsCertSdsConfigs.get(0).getName()).isEqualTo("google-sds-config-default");
}
private static FilterChain createOutFilter() {
FilterChain filterChain =
FilterChain.newBuilder()
@ -147,7 +119,9 @@ public class EnvoyServerProtoDataTest {
.addApplicationProtocols("managed-mtls")
.build())
.setTransportSocket(TransportSocket.newBuilder().setName("tls")
.setTypedConfig(Any.pack(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext()))
.setTypedConfig(
Any.pack(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext(
"google-sds-config-default", "ROOTCA")))
.build())
.addFilters(Filter.newBuilder()
.setName("envoy.http_connection_manager")
@ -159,29 +133,4 @@ public class EnvoyServerProtoDataTest {
.build();
return filterChain;
}
// TODO(sanjaypujare): remove when we move to envoy protos v3
@SuppressWarnings("deprecation")
private static FilterChain createDeprecatedInFilter() {
FilterChain filterChain =
FilterChain.newBuilder()
.setFilterChainMatch(
FilterChainMatch.newBuilder()
.setDestinationPort(UInt32Value.of(8000))
.addPrefixRanges(CidrRange.newBuilder()
.setAddressPrefix("10.20.0.15")
.setPrefixLen(UInt32Value.of(32)).build())
.addApplicationProtocols("managed-mtls")
.build())
.setTlsContext(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext())
.addFilters(Filter.newBuilder()
.setName("envoy.http_connection_manager")
.setTypedConfig(Any.newBuilder()
.setTypeUrl(
"type.googleapis.com/envoy.config.filter.network.http_connection_manager"
+ ".v2.HttpConnectionManager"))
.build())
.build();
return filterChain;
}
}


@ -19,7 +19,6 @@ package io.grpc.xds;
import static com.google.common.truth.Truth.assertThat;
import static io.grpc.xds.XdsClientTestHelper.buildCluster;
import static io.grpc.xds.XdsClientTestHelper.buildClusterLoadAssignment;
import static io.grpc.xds.XdsClientTestHelper.buildDeprecatedSecureCluster;
import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryRequest;
import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryResponse;
import static io.grpc.xds.XdsClientTestHelper.buildDropOverload;
@ -70,6 +69,7 @@ import io.envoyproxy.envoy.api.v2.route.VirtualHost;
import io.envoyproxy.envoy.api.v2.route.WeightedCluster;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase;
import io.envoyproxy.envoy.service.load_stats.v2.LoadReportingServiceGrpc.LoadReportingServiceImplBase;
import io.envoyproxy.envoy.service.load_stats.v2.LoadStatsRequest;
@ -336,7 +336,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
@ -360,13 +360,13 @@ public class XdsClientImplTest {
"cluster-baz.googleapis.com"))))
.build()))));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class));
verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY);
@ -392,7 +392,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
RouteConfiguration routeConfig =
@ -408,14 +408,14 @@ public class XdsClientImplTest {
Any.pack(buildListener(TARGET_AUTHORITY, /* matching resource */
Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build()))));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an NACK LDS request.
verify(requestObserver)
.onNext(
argThat(new DiscoveryRequestMatcher("", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class));
verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY);
@ -441,7 +441,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
ScheduledTask ldsRespTimer =
Iterables.getOnlyElement(
fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER));
@ -480,7 +480,7 @@ public class XdsClientImplTest {
"some cluster"))))
.build()))));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
assertThat(ldsRespTimer.isCancelled()).isTrue();
@ -488,7 +488,7 @@ public class XdsClientImplTest {
// Client sends an ACK request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
ArgumentCaptor<ConfigUpdate> configUpdateCaptor = ArgumentCaptor.forClass(null);
verify(configWatcher).onConfigChanged(configUpdateCaptor.capture());
@ -514,7 +514,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
Rds rdsConfig =
Rds.newBuilder()
@ -528,13 +528,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sends an (first) RDS request.
verify(requestObserver)
@ -600,7 +600,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -665,7 +665,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -784,7 +784,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -850,7 +850,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -905,7 +905,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server sends back an LDS response containing a RouteConfiguration for the
// requested Listener directly in-line.
@ -924,13 +924,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Cluster name is resolved and notified to config watcher.
ArgumentCaptor<ConfigUpdate> configUpdateCaptor = ArgumentCaptor.forClass(null);
@ -953,13 +953,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build())))
);
response =
buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0001");
buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0001")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001")));
// Updated cluster name is notified to config watcher.
configUpdateCaptor = ArgumentCaptor.forClass(null);
@ -982,13 +982,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
response =
buildDiscoveryResponse("2", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0002");
buildDiscoveryResponse("2", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0002");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "2", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0002")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0002")));
// Client sends an (first) RDS request.
verify(requestObserver)
@ -1046,7 +1046,7 @@ public class XdsClientImplTest {
// Management server sends back an LDS response indicating all Listener resources are removed.
response =
buildDiscoveryResponse("3", ImmutableList.<Any>of(),
XdsClientImpl.ADS_TYPE_URL_LDS, "0003");
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0003");
responseObserver.onNext(response);
verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY);
@ -1071,7 +1071,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management sends back an LDS response telling client to do RDS.
Rds rdsConfig =
@ -1087,13 +1087,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sends an (first) RDS request.
verify(requestObserver)
@ -1173,7 +1173,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management sends back an LDS response telling client to do RDS.
Rds rdsConfig =
@ -1189,13 +1189,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sends an (first) RDS request.
verify(requestObserver)
@ -1229,13 +1229,13 @@ public class XdsClientImplTest {
// in-use by client) removed as the RouteConfiguration it references to is absent.
response =
buildDiscoveryResponse("1", ImmutableList.<com.google.protobuf.Any>of(), // empty
XdsClientImpl.ADS_TYPE_URL_LDS, "0001");
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response);
// Client sent an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0001")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001")));
verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY);
}
@ -1264,7 +1264,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an (first) RDS request.
@ -1293,7 +1293,7 @@ public class XdsClientImplTest {
TARGET_AUTHORITY, /* matching resource */
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
response = buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0001");
response = buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response);
// Client sent a new RDS request with updated resource name.
@ -1453,45 +1453,20 @@ public class XdsClientImplTest {
ArgumentCaptor<ClusterUpdate> clusterUpdateCaptor = ArgumentCaptor.forClass(null);
verify(clusterWatcher, times(1)).onClusterChanged(clusterUpdateCaptor.capture());
ClusterUpdate clusterUpdate = clusterUpdateCaptor.getValue();
assertThat(clusterUpdate.getUpstreamTlsContext())
.isEqualTo(
EnvoyServerProtoData.UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(
testUpstreamTlsContext));
}
/**
* CDS response containing UpstreamTlsContext for a cluster in a deprecated field.
*/
// TODO(sanjaypujare): remove once we move to envoy proto v3
@Test
public void cdsResponseWithDeprecatedUpstreamTlsContext() {
xdsClient.watchClusterData("cluster-foo.googleapis.com", clusterWatcher);
StreamObserver<DiscoveryResponse> responseObserver = responseObservers.poll();
StreamObserver<DiscoveryRequest> requestObserver = requestObservers.poll();
// Management server sends back CDS response with UpstreamTlsContext.
UpstreamTlsContext testUpstreamTlsContext =
buildUpstreamTlsContext("secret1", "unix:/var/uds2");
List<Any> clusters = ImmutableList.of(
Any.pack(buildCluster("cluster-bar.googleapis.com", null, false)),
Any.pack(buildDeprecatedSecureCluster("cluster-foo.googleapis.com",
"eds-cluster-foo.googleapis.com", true, testUpstreamTlsContext)),
Any.pack(buildCluster("cluster-baz.googleapis.com", null, false)));
DiscoveryResponse response =
buildDiscoveryResponse("0", clusters, XdsClientImpl.ADS_TYPE_URL_CDS, "0000");
responseObserver.onNext(response);
// Client sent an ACK CDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", "cluster-foo.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "0000")));
ArgumentCaptor<ClusterUpdate> clusterUpdateCaptor = ArgumentCaptor.forClass(null);
verify(clusterWatcher, times(1)).onClusterChanged(clusterUpdateCaptor.capture());
ClusterUpdate clusterUpdate = clusterUpdateCaptor.getValue();
assertThat(clusterUpdate.getUpstreamTlsContext())
.isEqualTo(
EnvoyServerProtoData.UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(
testUpstreamTlsContext));
EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext = clusterUpdate
.getUpstreamTlsContext();
SdsSecretConfig validationContextSdsSecretConfig = upstreamTlsContext.getCommonTlsContext()
.getValidationContextSdsSecretConfig();
assertThat(validationContextSdsSecretConfig.getName()).isEqualTo("secret1");
assertThat(
Iterables.getOnlyElement(
validationContextSdsSecretConfig
.getSdsConfig()
.getApiConfigSource()
.getGrpcServicesList())
.getGoogleGrpc()
.getTargetUri())
.isEqualTo("unix:/var/uds2");
}
@Test
@ -2594,7 +2569,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server closes the RPC stream immediately.
responseObserver.onCompleted();
@ -2614,7 +2589,7 @@ public class XdsClientImplTest {
// Client retried by sending an LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server closes the RPC stream with an error.
responseObserver.onError(Status.UNAVAILABLE.asException());
@ -2634,7 +2609,7 @@ public class XdsClientImplTest {
// Client retried again by sending an LDS.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server responses with a listener for the requested resource.
Rds rdsConfig =
@ -2649,13 +2624,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse ldsResponse =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(ldsResponse);
// Client sent back an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sent an RDS request based on the received listener.
verify(requestObserver)
@ -2674,7 +2649,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// RPC stream closed immediately
responseObserver.onError(Status.UNKNOWN.asException());
@ -2691,7 +2666,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server sends an LDS response.
responseObserver.onNext(ldsResponse);
@ -2726,7 +2701,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verifyNoMoreInteractions(backoffPolicyProvider, backoffPolicy1, backoffPolicy2);
}
@ -2788,7 +2763,7 @@ public class XdsClientImplTest {
// Retry resumes requests for all wanted resources.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2817,7 +2792,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2846,7 +2821,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2879,7 +2854,7 @@ public class XdsClientImplTest {
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2907,7 +2882,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2952,7 +2927,7 @@ public class XdsClientImplTest {
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server becomes unreachable.
responseObserver.onError(Status.UNAVAILABLE.asException());
@ -2973,7 +2948,7 @@ public class XdsClientImplTest {
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2997,7 +2972,7 @@ public class XdsClientImplTest {
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -3040,7 +3015,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -3067,7 +3042,7 @@ public class XdsClientImplTest {
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver, never())
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -3107,7 +3082,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted).
@ -3139,7 +3114,7 @@ public class XdsClientImplTest {
// Client resumed requests and management server sends back LDS resources again.
verify(requestObserver).onNext(
eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
responseObserver.onNext(response);
// Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted).
@ -3279,7 +3254,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
);
DiscoveryResponse ldsResponse =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(ldsResponse);
// Client sent an LDS ACK request and an RDS request for resource
@ -3486,7 +3461,7 @@ public class XdsClientImplTest {
"cluster.googleapis.com"))))
.build()))));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
String expectedString = "{\n"
+ " \"versionInfo\": \"0\",\n"
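Review bot: The rewritten assertions in cdsResponseWithUpstreamTlsContext (the lines starting at `SdsSecretConfig validationContextSdsSecretConfig = upstreamTlsContext.getCommonTlsContext()`) verify only the validation-context secret name and its gRPC target URI, whereas the removed equality check covered the whole converted UpstreamTlsContext, so a v2-to-v3 conversion that silently dropped any other part of CommonTlsContext (for example the certificate SDS configs) would still pass this test. Since the watcher-side context now determines how the client authenticates the upstream, it is worth pinning more of it; if buildUpstreamTlsContext populates certificate SDS configs (I cannot see that helper from here), adding `assertThat(upstreamTlsContext.getCommonTlsContext().getTlsCertificateSdsSecretConfigsList()).isNotEmpty();` next to the existing name check would close most of the gap. Alternatively, build the expected v3 proto in the test and compare the converted CommonTlsContext as a whole. The enclosing test method starts outside this hunk.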


@ -53,6 +53,7 @@ import io.envoyproxy.envoy.api.v2.listener.Filter;
import io.envoyproxy.envoy.api.v2.listener.FilterChain;
import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase;
import io.grpc.Context;
import io.grpc.Context.CancellationListener;
@ -308,7 +309,7 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
List<Any> listeners = ImmutableList.of(
@ -331,13 +332,13 @@ public class XdsClientImplTestForListener {
"cluster-baz.googleapis.com"))))
.build()))));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT);
@ -357,14 +358,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default",
// Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"),
buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of(
@ -382,13 +384,13 @@ public class XdsClientImplTestForListener {
filterChainInbound
)));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT);
@ -408,14 +410,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default",
// Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"),
buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of(
@ -433,13 +436,13 @@ public class XdsClientImplTestForListener {
filterChainInbound
)));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
ArgumentCaptor<ListenerUpdate> listenerUpdateCaptor = ArgumentCaptor.forClass(null);
verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture());
@ -447,11 +450,28 @@ public class XdsClientImplTestForListener {
EnvoyServerProtoData.Listener listener = configUpdate.getListener();
assertThat(listener.getName()).isEqualTo(LISTENER_NAME);
assertThat(listener.getAddress()).isEqualTo("0.0.0.0:" + PORT);
EnvoyServerProtoData.FilterChain[] expected = new EnvoyServerProtoData.FilterChain[]{
EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainOutbound),
EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainInbound)
};
assertThat(listener.getFilterChains()).isEqualTo(Arrays.asList(expected));
assertThat(listener.getFilterChains()).hasSize(2);
EnvoyServerProtoData.FilterChain filterChainOutboundInListenerUpdate
= listener.getFilterChains().get(0);
assertThat(filterChainOutboundInListenerUpdate.getFilterChainMatch().getDestinationPort())
.isEqualTo(8000);
EnvoyServerProtoData.FilterChain filterChainInboundInListenerUpdate
= listener.getFilterChains().get(1);
EnvoyServerProtoData.FilterChainMatch inBoundfilterChainMatch =
filterChainInboundInListenerUpdate.getFilterChainMatch();
assertThat(inBoundfilterChainMatch.getDestinationPort()).isEqualTo(PORT);
assertThat(inBoundfilterChainMatch.getPrefixRanges()).containsExactly(
new EnvoyServerProtoData.CidrRange(LOCAL_IP, 32));
CommonTlsContext downstreamCommonTlsContext =
filterChainInboundInListenerUpdate.getDownstreamTlsContext().getCommonTlsContext();
assertThat(downstreamCommonTlsContext.getTlsCertificateSdsSecretConfigs(0).getName())
.isEqualTo("google-sds-config-default");
assertThat(
downstreamCommonTlsContext
.getCombinedValidationContext()
.getValidationContextSdsSecretConfig()
.getName())
.isEqualTo("ROOTCA");
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).isEmpty();
}
@ -465,14 +485,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default",
// Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"),
buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of(
@ -490,13 +511,13 @@ public class XdsClientImplTestForListener {
filterChainInbound
)));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
ArgumentCaptor<ListenerUpdate> listenerUpdateCaptor = ArgumentCaptor.forClass(null);
verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture());
@ -505,7 +526,7 @@ public class XdsClientImplTestForListener {
final FilterChain filterChainNewInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default1",
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default1",
"ROOTCA2"),
buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners1 = ImmutableList.of(
@ -513,13 +534,13 @@ public class XdsClientImplTestForListener {
filterChainNewInbound
)));
DiscoveryResponse response1 =
buildDiscoveryResponse("1", listeners1, XdsClientImpl.ADS_TYPE_URL_LDS, "0001");
buildDiscoveryResponse("1", listeners1, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response1);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "1",
XdsClientImpl.ADS_TYPE_URL_LDS, "0001")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001")));
// Updated listener is notified to config watcher.
listenerUpdateCaptor = ArgumentCaptor.forClass(null);
@ -527,10 +548,23 @@ public class XdsClientImplTestForListener {
ListenerUpdate configUpdate = listenerUpdateCaptor.getValue();
EnvoyServerProtoData.Listener listener = configUpdate.getListener();
assertThat(listener.getName()).isEqualTo(LISTENER_NAME);
EnvoyServerProtoData.FilterChain[] expected = new EnvoyServerProtoData.FilterChain[]{
EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainNewInbound)
};
assertThat(listener.getFilterChains()).isEqualTo(Arrays.asList(expected));
assertThat(listener.getFilterChains()).hasSize(1);
EnvoyServerProtoData.FilterChain filterChain =
Iterables.getOnlyElement(listener.getFilterChains());
EnvoyServerProtoData.FilterChainMatch filterChainMatch = filterChain.getFilterChainMatch();
assertThat(filterChainMatch.getDestinationPort()).isEqualTo(PORT);
assertThat(filterChainMatch.getPrefixRanges()).containsExactly(
new EnvoyServerProtoData.CidrRange(LOCAL_IP, 32));
CommonTlsContext downstreamCommonTlsContext =
filterChain.getDownstreamTlsContext().getCommonTlsContext();
assertThat(downstreamCommonTlsContext.getTlsCertificateSdsSecretConfigs(0).getName())
.isEqualTo("google-sds-config-default1");
assertThat(
downstreamCommonTlsContext
.getCombinedValidationContext()
.getValidationContextSdsSecretConfig()
.getName())
.isEqualTo("ROOTCA2");
}
/**
@ -547,14 +581,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(DIFFERENT_IP)
.setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default",
// Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"),
buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of(
@ -572,13 +607,13 @@ public class XdsClientImplTestForListener {
filterChainOutbound
)));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onError(any(Status.class));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
@ -594,7 +629,7 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null);
@ -602,7 +637,8 @@ public class XdsClientImplTestForListener {
PORT + 1, // add 1 to mismatch
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default",
// Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"),
buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of(
@ -620,13 +656,13 @@ public class XdsClientImplTestForListener {
filterChainOutbound
)));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
// Client sends an ACK LDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT);
@ -655,13 +691,14 @@ public class XdsClientImplTestForListener {
StreamObserver<DiscoveryRequest> requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default",
// Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"),
buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of(
@ -670,7 +707,7 @@ public class XdsClientImplTestForListener {
filterChainInbound
)));
DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000");
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response);
ArgumentCaptor<Status> statusCaptor = ArgumentCaptor.forClass(null);
@ -691,7 +728,7 @@ public class XdsClientImplTestForListener {
// Retry resumes requests for all wanted resources.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server becomes unreachable.
responseObserver.onError(Status.UNAVAILABLE.asException());
@ -710,7 +747,7 @@ public class XdsClientImplTestForListener {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server is still not reachable.
responseObserver.onError(Status.UNAVAILABLE.asException());
@ -729,11 +766,11 @@ public class XdsClientImplTestForListener {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server sends back a LDS response.
response = buildDiscoveryResponse("1", listeners,
XdsClientImpl.ADS_TYPE_URL_LDS, "0001");
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response);
// Client sent an LDS ACK request (Omitted).
@ -752,7 +789,7 @@ public class XdsClientImplTestForListener {
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server becomes unreachable again.
responseObserver.onError(Status.UNAVAILABLE.asException());
@ -770,7 +807,7 @@ public class XdsClientImplTestForListener {
requestObserver = requestObservers.poll();
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, "")));
XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verifyNoMoreInteractions(mockedDiscoveryService, backoffPolicyProvider, backoffPolicy1,
backoffPolicy2);


@ -150,31 +150,6 @@ class XdsClientTestHelper {
return clusterBuilder.build();
}
// TODO(sanjaypujare): remove once we move to envoy proto v3
@SuppressWarnings("deprecation")
static Cluster buildDeprecatedSecureCluster(String clusterName, @Nullable String edsServiceName,
boolean enableLrs, @Nullable UpstreamTlsContext upstreamTlsContext) {
Cluster.Builder clusterBuilder = Cluster.newBuilder();
clusterBuilder.setName(clusterName);
clusterBuilder.setType(DiscoveryType.EDS);
EdsClusterConfig.Builder edsClusterConfigBuilder = EdsClusterConfig.newBuilder();
edsClusterConfigBuilder.setEdsConfig(
ConfigSource.newBuilder().setAds(AggregatedConfigSource.getDefaultInstance()));
if (edsServiceName != null) {
edsClusterConfigBuilder.setServiceName(edsServiceName);
}
clusterBuilder.setEdsClusterConfig(edsClusterConfigBuilder);
clusterBuilder.setLbPolicy(LbPolicy.ROUND_ROBIN);
if (enableLrs) {
clusterBuilder.setLrsServer(
ConfigSource.newBuilder().setSelf(SelfConfigSource.getDefaultInstance()));
}
if (upstreamTlsContext != null) {
clusterBuilder.setTlsContext(upstreamTlsContext);
}
return clusterBuilder.build();
}
@SuppressWarnings("deprecation")
static ClusterLoadAssignment buildClusterLoadAssignment(String clusterName,
List<io.envoyproxy.envoy.api.v2.endpoint.LocalityLbEndpoints> localityLbEndpoints,


@ -399,7 +399,7 @@ public class XdsNameResolverIntegrationTest {
List<Any> listeners =
ImmutableList.of(Any.pack(buildListener(AUTHORITY, Any.pack(httpConnectionManager))));
responseObserver.onNext(
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"));
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"));
verify(mockListener).onResult(resolutionResultCaptor.capture());
ResolutionResult result = resolutionResultCaptor.getValue();
@ -551,7 +551,7 @@ public class XdsNameResolverIntegrationTest {
ImmutableList.of(host), // exact match
clusterName))))
.build()))));
return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS, nonce);
return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, nonce);
}
/**
@ -573,7 +573,7 @@ public class XdsNameResolverIntegrationTest {
Any.pack(
buildListener(
host, Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))));
return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS, nonce);
return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, nonce);
}
/**


@ -104,7 +104,8 @@ public class XdsSdsClientServerTest {
public void plaintextClientServer_withDefaultTlsContext() throws IOException, URISyntaxException {
DownstreamTlsContext defaultTlsContext =
EnvoyServerProtoData.DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance());
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
.getDefaultInstance());
buildServerWithTlsContext(/* downstreamTlsContext= */ defaultTlsContext);
SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =


@ -21,7 +21,7 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
import org.junit.Assert;
import org.junit.Test;


@ -18,14 +18,20 @@ package io.grpc.xds.internal.sds;
import com.google.common.base.Strings;
import com.google.protobuf.BoolValue;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext;
import io.envoyproxy.envoy.api.v2.core.DataSource;
import com.google.protobuf.Struct;
import com.google.protobuf.Value;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.internal.testing.TestUtils;
import io.grpc.xds.EnvoyServerProtoData;
import java.io.IOException;
@ -48,18 +54,82 @@ public class CommonTlsContextTestsUtil {
public static final String BAD_CLIENT_PEM_FILE = "badclient.pem";
public static final String BAD_CLIENT_KEY_FILE = "badclient.key";
static SdsSecretConfig buildSdsSecretConfig(String name, String targetUri, String channelType) {
static io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig buildSdsSecretConfigV2(
String name, String targetUri, String channelType) {
io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig = null;
if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) {
sdsSecretConfig =
io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig.newBuilder()
.setName(name)
.setSdsConfig(buildConfigSourceV2(targetUri, channelType))
.build();
}
return sdsSecretConfig;
}
private static SdsSecretConfig
buildSdsSecretConfig(String name, String targetUri, String channelType) {
SdsSecretConfig sdsSecretConfig = null;
if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) {
sdsSecretConfig =
SdsSecretConfig.newBuilder()
.setName(name)
.setSdsConfig(SdsClientTest.buildConfigSource(targetUri, channelType))
.setSdsConfig(buildConfigSource(targetUri, channelType))
.build();
}
return sdsSecretConfig;
}
/**
* Builds a {@link io.envoyproxy.envoy.api.v2.core.ConfigSource} for the given targetUri.
*
* @param channelType specifying "inproc" creates an Inprocess channel for testing.
*/
private static io.envoyproxy.envoy.api.v2.core.ConfigSource buildConfigSourceV2(
String targetUri, String channelType) {
io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.Builder googleGrpcBuilder =
io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.newBuilder().setTargetUri(targetUri);
if (channelType != null) {
Struct.Builder structBuilder = Struct.newBuilder();
structBuilder.putFields(
"channelType", Value.newBuilder().setStringValue(channelType).build());
googleGrpcBuilder.setConfig(structBuilder.build());
}
return io.envoyproxy.envoy.api.v2.core.ConfigSource.newBuilder()
.setApiConfigSource(
io.envoyproxy.envoy.api.v2.core.ApiConfigSource.newBuilder()
.setApiType(io.envoyproxy.envoy.api.v2.core.ApiConfigSource.ApiType.GRPC)
.addGrpcServices(
io.envoyproxy.envoy.api.v2.core.GrpcService.newBuilder()
.setGoogleGrpc(googleGrpcBuilder.build())
.build())
.build())
.build();
}
/**
* Builds a {@link ConfigSource} for the given targetUri.
*
* @param channelType specifying "inproc" creates an Inprocess channel for testing.
*/
private static ConfigSource buildConfigSource(String targetUri, String channelType) {
GrpcService.GoogleGrpc.Builder googleGrpcBuilder =
GrpcService.GoogleGrpc.newBuilder().setTargetUri(targetUri);
if (channelType != null) {
Struct.Builder structBuilder = Struct.newBuilder();
structBuilder.putFields(
"channelType", Value.newBuilder().setStringValue(channelType).build());
googleGrpcBuilder.setConfig(structBuilder.build());
}
return ConfigSource.newBuilder()
.setApiConfigSource(
ApiConfigSource.newBuilder()
.setApiType(ApiConfigSource.ApiType.GRPC)
.addGrpcServices(GrpcService.newBuilder().setGoogleGrpc(googleGrpcBuilder))
.build())
.build();
}
static CommonTlsContext buildCommonTlsContextFromSdsConfigForValidationContext(
String name, String targetUri, String privateKey, String certChain) {
SdsSecretConfig sdsSecretConfig =
@ -97,12 +167,57 @@ public class CommonTlsContextTestsUtil {
/** takes additional values and creates CombinedCertificateValidationContext as needed. */
@SuppressWarnings("deprecation")
static io.envoyproxy.envoy.api.v2.auth.CommonTlsContext
buildCommonTlsContextWithAdditionalValuesV2(
String certName,
String certTargetUri,
String validationContextName,
String validationContextTargetUri,
Iterable<String> verifySubjectAltNames,
Iterable<String> alpnNames,
String channelType) {
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.Builder builder =
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.newBuilder();
io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig =
buildSdsSecretConfigV2(certName, certTargetUri, channelType);
if (sdsSecretConfig != null) {
builder.addTlsCertificateSdsSecretConfigs(sdsSecretConfig);
}
sdsSecretConfig =
buildSdsSecretConfigV2(validationContextName, validationContextTargetUri, channelType);
io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext certValidationContext =
verifySubjectAltNames == null ? null
: io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.newBuilder()
.addAllVerifySubjectAltName(verifySubjectAltNames).build();
if (sdsSecretConfig != null && certValidationContext != null) {
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext.Builder
combinedBuilder =
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext
.newBuilder()
.setDefaultValidationContext(certValidationContext)
.setValidationContextSdsSecretConfig(sdsSecretConfig);
builder.setCombinedValidationContext(combinedBuilder);
} else if (sdsSecretConfig != null) {
builder.setValidationContextSdsSecretConfig(sdsSecretConfig);
} else if (certValidationContext != null) {
builder.setValidationContext(certValidationContext);
}
if (alpnNames != null) {
builder.addAllAlpnProtocols(alpnNames);
}
return builder.build();
}
/** takes additional values and creates CombinedCertificateValidationContext as needed. */
static CommonTlsContext buildCommonTlsContextWithAdditionalValues(
String certName,
String certTargetUri,
String validationContextName,
String validationContextTargetUri,
Iterable<String> verifySubjectAltNames,
Iterable<StringMatcher> matchSubjectAltNames,
Iterable<String> alpnNames,
String channelType) {
@ -115,10 +230,11 @@ public class CommonTlsContextTestsUtil {
sdsSecretConfig =
buildSdsSecretConfig(validationContextName, validationContextTargetUri, channelType);
CertificateValidationContext certValidationContext =
verifySubjectAltNames == null ? null
matchSubjectAltNames == null
? null
: CertificateValidationContext.newBuilder()
.addAllVerifySubjectAltName(verifySubjectAltNames).build();
.addAllMatchSubjectAltNames(matchSubjectAltNames)
.build();
if (sdsSecretConfig != null && certValidationContext != null) {
CombinedCertificateValidationContext.Builder combinedBuilder =
CombinedCertificateValidationContext.newBuilder()
@ -136,6 +252,18 @@ public class CommonTlsContextTestsUtil {
return builder.build();
}
/** Helper method to build DownstreamTlsContext for multiple test classes. */
static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext buildDownstreamTlsContextV2(
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext commonTlsContext,
boolean requireClientCert) {
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext =
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder()
.setCommonTlsContext(commonTlsContext)
.setRequireClientCertificate(BoolValue.of(requireClientCert))
.build();
return downstreamTlsContext;
}
/** Helper method to build DownstreamTlsContext for multiple test classes. */
static DownstreamTlsContext buildDownstreamTlsContext(
CommonTlsContext commonTlsContext, boolean requireClientCert) {
@ -154,9 +282,19 @@ public class CommonTlsContextTestsUtil {
buildDownstreamTlsContext(commonTlsContext, requireClientCert));
}
/** Helper method for creating DownstreamTlsContext values for tests. */
public static DownstreamTlsContext buildTestDownstreamTlsContext() {
return buildTestDownstreamTlsContext("google-sds-config-default", "ROOTCA");
/** Helper method for creating DownstreamTlsContext values with names. */
public static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext
buildTestDownstreamTlsContextV2(String certName, String validationContextName) {
return buildDownstreamTlsContextV2(
buildCommonTlsContextWithAdditionalValuesV2(
certName,
"unix:/var/run/sds/uds_path",
validationContextName,
"unix:/var/run/sds/uds_path",
Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"),
Arrays.asList("managed-tls"),
null),
/* requireClientCert= */ false);
}
/** Helper method for creating DownstreamTlsContext values with names. */
@ -168,7 +306,10 @@ public class CommonTlsContextTestsUtil {
"unix:/var/run/sds/uds_path",
validationContextName,
"unix:/var/run/sds/uds_path",
Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"),
Arrays.asList(
StringMatcher.newBuilder()
.setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")
.build()),
Arrays.asList("managed-tls"),
null),
/* requireClientCert= */ false);
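Review bot: The new V2 helpers (buildSdsSecretConfigV2, buildConfigSourceV2, buildCommonTlsContextWithAdditionalValuesV2, buildDownstreamTlsContextV2, buildTestDownstreamTlsContextV2) exist only because the server under test still speaks v2, yet unlike the buildDeprecatedSecureCluster helper this commit deletes from XdsClientTestHelper, none of them carries a marker saying when they go away; each would benefit from a header line such as `// TODO: remove once the xDS server under test speaks v3 and the v2 Listener fixtures are dropped.` buildConfigSourceV2 and buildConfigSource are otherwise line-for-line duplicates differing only in proto package, and buildSdsSecretConfigV2 is package-private while its v3 twin is private, so if nothing outside this class needs the V2 copy, narrowing it to `private static` keeps the duplication from spreading into other test classes. The Javadoc of buildCommonTlsContextWithAdditionalValues should also record that matchSubjectAltNames (StringMatcher) replaces the former verifySubjectAltNames strings, and that the only fixture built here uses setExact, so prefix, suffix and regex matchers are not exercised by these helpers.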


@ -27,22 +27,23 @@ import com.google.common.io.Files;
import com.google.common.util.concurrent.MoreExecutors;
import com.google.protobuf.Struct;
import com.google.protobuf.Value;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.Metadata;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.junit.After;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
@ -51,6 +52,7 @@ import org.junit.runners.JUnit4;
/** Unit tests for {@link SdsClient} and {@link FileBasedPluginCredential}. */
@RunWith(JUnit4.class)
@Ignore // FIXME(#7166): fix the test when FileBasedPluginCredential for xds V3 is implemented.
public class SdsClientFileBasedMetadataTest {
/**
@ -110,7 +112,7 @@ public class SdsClientFileBasedMetadataTest {
MetadataCredentialsFromPlugin.Builder metadataCredBuilder =
MetadataCredentialsFromPlugin.newBuilder().setName(pluginName);
metadataCredBuilder.setConfig(configStructBuilder);
// metadataCredBuilder.setConfig(configStructBuilder);
CallCredentials.Builder callCredBuilder =
CallCredentials.newBuilder().setFromPlugin(metadataCredBuilder);
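Review bot: The line `// metadataCredBuilder.setConfig(configStructBuilder);` leaves commented-out code behind with no pointer to why it was disabled, presumably because the call no longer fits the v3 MetadataCredentialsFromPlugin; either delete it or tie it to the tracked issue, e.g. `// FIXME(#7166): plugin config (configStructBuilder) is not applied pending the v3 port of FileBasedPluginCredential.` With the class-level @Ignore the whole FileBasedPluginCredential path — the mechanism that attaches metadata credentials to the SDS channel — has no test coverage until #7166 lands, and the same @Ignore is applied to SdsClientUdsFileBasedMetadataTest further down; a sentence in the PR description listing what is now uncovered would help whoever picks up the follow-up. The removed `io.envoyproxy.envoy.api.v2.core.Node` import has no v3 replacement in this hunk, so the Node usages elsewhere in the file are presumably gone or fully qualified; worth a glance since the test body is outside this hunk.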


@ -37,16 +37,16 @@ import com.google.protobuf.ByteString;
import com.google.protobuf.Struct;
import com.google.protobuf.Value;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.Status;
import io.grpc.Status.Code;
import io.grpc.internal.testing.TestUtils;


@ -24,9 +24,9 @@ import static org.mockito.Mockito.mock;
import com.google.common.io.Files;
import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.netty.channel.epoll.Epoll;
import java.io.File;
import java.io.IOException;
@ -35,6 +35,7 @@ import java.util.concurrent.TimeUnit;
import org.junit.After;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
@ -43,6 +44,7 @@ import org.junit.runners.JUnit4;
/** Unit tests for {@link SdsClient} & {@link FileBasedPluginCredential} using UDS transport. */
@RunWith(JUnit4.class)
@Ignore // FIXME(#7166): fix the test when FileBasedPluginCredential for xds V3 is implemented
public class SdsClientUdsFileBasedMetadataTest {
private static final String SDSCLIENT_TEST_SOCKET = "/tmp/sdsclient-test.socket";


@ -28,12 +28,12 @@ import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.netty.channel.epoll.Epoll;
import java.io.IOException;
import java.util.concurrent.TimeUnit;


@ -29,10 +29,10 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import com.google.common.base.Strings;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.Attributes;
import io.grpc.internal.testing.TestUtils;
import io.grpc.netty.GrpcHttp2ConnectionHandler;
@ -102,10 +102,12 @@ public class SdsProtocolNegotiatorsTest {
/** Builds DownstreamTlsContext from commonTlsContext. */
private static DownstreamTlsContext buildDownstreamTlsContext(CommonTlsContext commonTlsContext) {
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext =
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder()
.setCommonTlsContext(commonTlsContext)
.build();
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
downstreamTlsContext =
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
.newBuilder()
.setCommonTlsContext(commonTlsContext)
.build();
return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(downstreamTlsContext);
}
@ -255,7 +257,8 @@ public class SdsProtocolNegotiatorsTest {
pipeline = channel.pipeline();
DownstreamTlsContext downstreamTlsContext =
DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance());
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
.getDefaultInstance());
XdsClientWrapperForServerSds xdsClientWrapperForServerSds =
XdsClientWrapperForServerSdsTest.createXdsClientWrapperForServerSds(
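Review bot: The Javadoc on buildDownstreamTlsContext still reads only "Builds DownstreamTlsContext from commonTlsContext" now that the body constructs the v3 proto, and it does not say that require_client_certificate is never set, which is the property the negotiator tests end up relying on; suggested wording: `/** Wraps commonTlsContext in a v3 DownstreamTlsContext; require_client_certificate is left unset, so the wrapped context reports hasRequireClientCertificate() == false. */`. The second hunk builds a context from getDefaultInstance() for the same reason, so the two fixtures differ only in whether a CommonTlsContext is present, which the test names should make explicit; the enclosing test method there starts before and ends after the hunk.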


@ -29,8 +29,9 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.Status.Code;
import java.io.IOException;
import java.util.Arrays;
@ -66,7 +67,7 @@ public class SdsSslContextProviderTest {
private SdsClientSslContextProvider getSdsClientSslContextProvider(
String certName,
String validationContextName,
Iterable<String> verifySubjectAltNames,
Iterable<StringMatcher> matchSubjectAltNames,
Iterable<String> alpnProtocols)
throws IOException {
@ -76,7 +77,7 @@ public class SdsSslContextProviderTest {
/* certTargetUri= */ "inproc",
validationContextName,
/* validationContextTargetUri= */ "inproc",
verifySubjectAltNames,
matchSubjectAltNames,
alpnProtocols,
/* channelType= */ "inproc");
@ -91,7 +92,7 @@ public class SdsSslContextProviderTest {
private SdsServerSslContextProvider getSdsServerSslContextProvider(
String certName,
String validationContextName,
Iterable<String> verifySubjectAltNames,
Iterable<StringMatcher> matchSubjectAltNames,
Iterable<String> alpnProtocols)
throws IOException {
@ -101,7 +102,7 @@ public class SdsSslContextProviderTest {
/* certTargetUri= */ "inproc",
validationContextName,
/* validationContextTargetUri= */ "inproc",
verifySubjectAltNames,
matchSubjectAltNames,
alpnProtocols,
/* channelType= */ "inproc");
@ -139,7 +140,7 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider(
/* certName= */ "cert1",
/* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null,
/* matchSubjectAltNames= */ null,
/* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -156,7 +157,7 @@ public class SdsSslContextProviderTest {
getSdsServerSslContextProvider(
/* certName= */ "cert1",
/* validationContextName= */ null,
/* verifySubjectAltNames= */ null,
/* matchSubjectAltNames= */ null,
/* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -173,7 +174,7 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider(
/* certName= */ null,
/* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null,
/* matchSubjectAltNames= */ null,
null);
SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -190,7 +191,7 @@ public class SdsSslContextProviderTest {
getSdsServerSslContextProvider(
/* certName= */ null,
/* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null,
/* matchSubjectAltNames= */ null,
/* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -215,7 +216,10 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider(
/* certName= */ "cert1",
/* validationContextName= */ "valid1",
Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"),
Arrays.asList(
StringMatcher.newBuilder()
.setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")
.build()),
/* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback =
@ -234,7 +238,7 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider(
/* certName= */ "cert1",
/* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null,
/* matchSubjectAltNames= */ null,
/* alpnProtocols= */ Arrays.asList("managed-mtls", "h2"));
SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -254,7 +258,7 @@ public class SdsSslContextProviderTest {
getSdsServerSslContextProvider(
/* certName= */ "cert1",
/* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null,
/* matchSubjectAltNames= */ null,
/* alpnProtocols= */ Arrays.asList("managed-mtls", "h2"));
SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
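Review bot: After the switch from `Iterable<String>` to `Iterable<StringMatcher>`, the only matcher form exercised in this file is the `setExact(...)` case in the `@ -215,7 +216,10` hunk; `StringMatcher` also carries prefix, suffix, safe_regex and ignore_case modes, and a peer SAN check backed by a loosely constrained matcher is an identity check that accepts more than intended, so each mode deserves at least one positive and one negative case through the same helper. A negative exact case is a one-liner alongside the existing call, e.g. `StringMatcher.newBuilder().setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/alice").build()` for a certificate issued to `bob`, with the callback presumably expected to report failure rather than a context — worth confirming against what `getValueThruCallback` does on error. This matters more than usual here because the SdsX509TrustManagerTest section later in this commit removes the wildcard, IP-address, subdomain-mismatch and missing-certificate SAN tests with a TODO pointing at #7166, so until those return nothing in the tree pins the rejection path for the new matcher type.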


@ -24,9 +24,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FI
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.netty.handler.ssl.SslContext;
import java.io.IOException;
import java.security.cert.CertStoreException;


@ -21,7 +21,7 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import org.junit.Assert;
import org.junit.Test;


@ -25,7 +25,7 @@ import com.google.protobuf.ByteString;
import com.google.protobuf.ProtocolStringList;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc;
import io.grpc.ForwardingServerCall.SimpleForwardingServerCall;
import io.grpc.Metadata;


@ -24,8 +24,8 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import com.google.protobuf.ByteString;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.internal.testing.TestUtils;
import java.io.IOException;
import java.security.cert.CertStoreException;


@ -19,7 +19,6 @@ package io.grpc.xds.internal.sds.trust;
import static com.google.common.truth.Truth.assertThat;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.BAD_SERVER_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import static org.junit.Assert.fail;
import static org.mockito.Mockito.CALLS_REAL_METHODS;
@ -29,9 +28,8 @@ import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.internal.testing.TestUtils;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
@ -53,6 +51,7 @@ import sun.security.validator.ValidatorException;
/**
* Unit tests for {@link SdsX509TrustManager}.
*/
// TODO(#7166): add more tests when xds v3 is implemented.
@RunWith(JUnit4.class)
public class SdsX509TrustManagerTest {
@ -84,180 +83,6 @@ public class SdsX509TrustManagerTest {
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void missingPeerCerts() throws CertificateException, FileNotFoundException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
try {
trustManager.verifySubjectAltNameInChain(null);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
}
}
@Test
@SuppressWarnings("deprecation")
public void emptyArrayPeerCerts() throws CertificateException, FileNotFoundException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
try {
trustManager.verifySubjectAltNameInChain(new X509Certificate[0]);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
}
}
@Test
@SuppressWarnings("deprecation")
public void noSansInPeerCerts() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(CLIENT_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test
@SuppressWarnings("deprecation")
public void oneSanInPeerCertsVerifies() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("waterzooi.test.google.be")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void oneSanInPeerCertsVerifiesMultipleVerifySans()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("waterzooi.test.google.be")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void oneSanInPeerCertsNotFoundException()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("x.foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test
@SuppressWarnings("deprecation")
public void wildcardSanInPeerCertsVerifiesMultipleVerifySans()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("abc.test.youtube.com") // should match *.test.youtube.com
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void wildcardSanInPeerCertsVerifiesMultipleVerifySans1()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("abc.test.google.fr") // should match *.test.google.fr
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void wildcardSanInPeerCertsSubdomainMismatch()
throws CertificateException, IOException {
// 2. Asterisk (*) cannot match across domain name labels.
// For example, *.example.com matches test.example.com but does not match
// sub.test.example.com.
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("sub.abc.test.youtube.com")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test
@SuppressWarnings("deprecation")
public void oneIpAddressInPeerCertsVerifies() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("192.168.1.3")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void oneIpAddressInPeerCertsMismatch() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("192.168.2.3")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test
public void checkServerTrustedSslEngine()
throws CertificateException, IOException, CertStoreException {