diff --git a/xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java b/xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java index d2647a505b..cf2877b49a 100644 --- a/xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java +++ b/xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java @@ -19,7 +19,7 @@ package io.grpc.xds; import com.google.common.annotations.VisibleForTesting; import com.google.protobuf.Any; import com.google.protobuf.InvalidProtocolBufferException; -import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; import io.grpc.Internal; import java.util.ArrayList; import java.util.Collections; @@ -75,7 +75,8 @@ public final class EnvoyServerProtoData { } public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext( - io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext upstreamTlsContext) { + io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + upstreamTlsContext) { return new UpstreamTlsContext(upstreamTlsContext.getCommonTlsContext()); } @@ -96,7 +97,8 @@ public final class EnvoyServerProtoData { } public static DownstreamTlsContext fromEnvoyProtoDownstreamTlsContext( - io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext) { + io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + downstreamTlsContext) { return new DownstreamTlsContext(downstreamTlsContext.getCommonTlsContext(), downstreamTlsContext.hasRequireClientCertificate()); } @@ -147,7 +149,7 @@ public final class EnvoyServerProtoData { } static CidrRange fromEnvoyProtoCidrRange( - io.envoyproxy.envoy.api.v2.core.CidrRange proto) { + io.envoyproxy.envoy.config.core.v3.CidrRange proto) { return new CidrRange(proto.getAddressPrefix(), proto.getPrefixLen().getValue()); } 
@@ -204,9 +206,9 @@ public final class EnvoyServerProtoData { } static FilterChainMatch fromEnvoyProtoFilterChainMatch( - io.envoyproxy.envoy.api.v2.listener.FilterChainMatch proto) { + io.envoyproxy.envoy.config.listener.v3.FilterChainMatch proto) { List prefixRanges = new ArrayList<>(); - for (io.envoyproxy.envoy.api.v2.core.CidrRange range : proto.getPrefixRangesList()) { + for (io.envoyproxy.envoy.config.core.v3.CidrRange range : proto.getPrefixRangesList()) { prefixRanges.add(CidrRange.fromEnvoyProtoCidrRange(range)); } List applicationProtocols = new ArrayList<>(); @@ -266,16 +268,18 @@ public final class EnvoyServerProtoData { static final class FilterChain { // TODO(sanjaypujare): flatten structure by moving FilterChainMatch class members here. private final FilterChainMatch filterChainMatch; + @Nullable private final DownstreamTlsContext downstreamTlsContext; @VisibleForTesting - FilterChain(FilterChainMatch filterChainMatch, DownstreamTlsContext downstreamTlsContext) { + FilterChain( + FilterChainMatch filterChainMatch, @Nullable DownstreamTlsContext downstreamTlsContext) { this.filterChainMatch = filterChainMatch; this.downstreamTlsContext = downstreamTlsContext; } static FilterChain fromEnvoyProtoFilterChain( - io.envoyproxy.envoy.api.v2.listener.FilterChain proto) + io.envoyproxy.envoy.config.listener.v3.FilterChain proto) throws InvalidProtocolBufferException { return new FilterChain( FilterChainMatch.fromEnvoyProtoFilterChainMatch(proto.getFilterChainMatch()), 
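Review bot: The field `downstreamTlsContext` and the `FilterChain` constructor parameter become `@Nullable` without any documentation of when null occurs, so readers of `getDownstreamTlsContext()` have to trace into `getTlsContextFromFilterChain` to learn the contract. A Javadoc on the field such as `/** Null when the filter chain has no transport socket named {@code tls}. */` and `@return the TLS context, or null if the chain carries none` on the getter would state it where callers look. The class body continues past the end of the hunk.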
@@ -283,23 +287,25 @@ public final class EnvoyServerProtoData { ); } + @Nullable private static DownstreamTlsContext getTlsContextFromFilterChain( - io.envoyproxy.envoy.api.v2.listener.FilterChain filterChain) + io.envoyproxy.envoy.config.listener.v3.FilterChain filterChain) throws InvalidProtocolBufferException { if (filterChain.hasTransportSocket() && "tls".equals(filterChain.getTransportSocket().getName())) { Any any = filterChain.getTransportSocket().getTypedConfig(); return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( - io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.parseFrom(any.getValue())); + io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext.parseFrom( + any.getValue())); } - // TODO(sanjaypujare): remove when we move to envoy protos v3 - return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(filterChain.getTlsContext()); + return null; } public FilterChainMatch getFilterChainMatch() { return filterChainMatch; } + @Nullable public DownstreamTlsContext getDownstreamTlsContext() { return downstreamTlsContext; } @@ -350,9 +356,9 @@ public final class EnvoyServerProtoData { } private static String convertEnvoyAddressToString( - io.envoyproxy.envoy.api.v2.core.Address proto) { + io.envoyproxy.envoy.config.core.v3.Address proto) { if (proto.hasSocketAddress()) { - io.envoyproxy.envoy.api.v2.core.SocketAddress socketAddress = proto.getSocketAddress(); + io.envoyproxy.envoy.config.core.v3.SocketAddress socketAddress = proto.getSocketAddress(); String address = socketAddress.getAddress(); switch (socketAddress.getPortSpecifierCase()) { case NAMED_PORT: 
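Review bot: `getTlsContextFromFilterChain` decodes the transport socket's typed config with `DownstreamTlsContext.parseFrom(any.getValue())`, which ignores `any.getTypeUrl()`: any message packed under a socket named `tls` is read field-by-field as a v3 `DownstreamTlsContext` and is only rejected if the bytes happen not to parse. Since this commit deliberately still accepts v2 resources, the code should compare the type URL against the set of accepted URLs explicitly (or use `any.unpack(...)` once only v3 is accepted) and reject anything else with the `InvalidProtocolBufferException` the method already declares. `getTlsContextFromCluster` in XdsClientImpl, edited identically in this commit, has the same gap. Separately, the new `return null;` is now the only outcome for a filter chain whose socket is not named `tls` — including, presumably, one named by the v3 extension's canonical name `envoy.transport_sockets.tls` — so a comment stating that null means "no TLS configured for this chain" would help callers decide whether that is an acceptable fallback.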
@@ -366,10 +372,10 @@ public final class EnvoyServerProtoData { return null; } - static Listener fromEnvoyProtoListener(io.envoyproxy.envoy.api.v2.Listener proto) + static Listener fromEnvoyProtoListener(io.envoyproxy.envoy.config.listener.v3.Listener proto) throws InvalidProtocolBufferException { List filterChains = new ArrayList<>(proto.getFilterChainsCount()); - for (io.envoyproxy.envoy.api.v2.listener.FilterChain filterChain : + for (io.envoyproxy.envoy.config.listener.v3.FilterChain filterChain : proto.getFilterChainsList()) { filterChains.add(FilterChain.fromEnvoyProtoFilterChain(filterChain)); } diff --git a/xds/src/main/java/io/grpc/xds/XdsClientImpl.java b/xds/src/main/java/io/grpc/xds/XdsClientImpl.java index e3ae9d9f58..383eee7bcc 100644 --- a/xds/src/main/java/io/grpc/xds/XdsClientImpl.java +++ b/xds/src/main/java/io/grpc/xds/XdsClientImpl.java 
@@ -39,17 +39,17 @@ import io.envoyproxy.envoy.api.v2.Cluster.LbPolicy; import io.envoyproxy.envoy.api.v2.ClusterLoadAssignment; import io.envoyproxy.envoy.api.v2.DiscoveryRequest; import io.envoyproxy.envoy.api.v2.DiscoveryResponse; -import io.envoyproxy.envoy.api.v2.Listener; import io.envoyproxy.envoy.api.v2.RouteConfiguration; -import io.envoyproxy.envoy.api.v2.core.Address; import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.SocketAddress; -import io.envoyproxy.envoy.api.v2.listener.FilterChain; -import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch; import io.envoyproxy.envoy.api.v2.route.Route; import io.envoyproxy.envoy.api.v2.route.VirtualHost; +import io.envoyproxy.envoy.config.core.v3.Address; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds; +import io.envoyproxy.envoy.config.listener.v3.FilterChain; +import io.envoyproxy.envoy.config.listener.v3.FilterChainMatch; +import io.envoyproxy.envoy.config.listener.v3.Listener; import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc; import io.grpc.InternalLogId; import io.grpc.ManagedChannel; @@ -86,7 +86,9 @@ final class XdsClientImpl extends XdsClient { static final int INITIAL_RESOURCE_FETCH_TIMEOUT_SEC = 15; @VisibleForTesting - static final String ADS_TYPE_URL_LDS = "type.googleapis.com/envoy.api.v2.Listener"; + static final String ADS_TYPE_URL_LDS_V2 = "type.googleapis.com/envoy.api.v2.Listener"; + private static final String ADS_TYPE_URL_LDS = + "type.googleapis.com/envoy.config.listener.v3.Listener"; @VisibleForTesting static final String ADS_TYPE_URL_RDS = "type.googleapis.com/envoy.api.v2.RouteConfiguration"; 
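Review bot: After this hunk the unsuffixed `ADS_TYPE_URL_LDS` holds the v3 Listener type URL while `ADS_TYPE_URL_RDS` two lines below still holds a v2 URL, and every request, ACK and NACK site in this diff uses `ADS_TYPE_URL_LDS_V2`; the unsuffixed name reads as the default and invites a later edit to send the v3 URL on the wire before the rest of the client is ready for it. Renaming it `ADS_TYPE_URL_LDS_V3`, or at least annotating it with `// v3 type URL: used to retag v2 Listener resources before unpacking and to recognise v3-typed responses; never sent in requests.`, would make the transitional state explicit. Note that `@VisibleForTesting` now attaches to the V2 constant only, which is presumably intended.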
@@ -263,7 +265,7 @@ final class XdsClientImpl extends XdsClient { if (adsStream == null) { startRpcStream(); } - adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName)); + adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName)); ldsRespTimer = syncContext .schedule( @@ -438,7 +440,7 @@ final class XdsClientImpl extends XdsClient { startRpcStream(); } updateNodeMetadataForListenerRequest(port); - adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of()); + adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of()); ldsRespTimer = syncContext .schedule( @@ -452,8 +454,8 @@ final class XdsClientImpl extends XdsClient { .putFields("TRAFFICDIRECTOR_PROXYLESS", Value.newBuilder().setStringValue("1").build()) .build(); - Address listeningAddress = - Address.newBuilder() + io.envoyproxy.envoy.api.v2.core.Address listeningAddress = + io.envoyproxy.envoy.api.v2.core.Address.newBuilder() .setSocketAddress( SocketAddress.newBuilder().setAddress("0.0.0.0").setPortValue(port).build()) .build(); @@ -553,6 +555,9 @@ final class XdsClientImpl extends XdsClient { List listenerNames = new ArrayList<>(ldsResponse.getResourcesCount()); try { for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) { + if (res.getTypeUrl().equals(ADS_TYPE_URL_LDS_V2)) { + res = res.toBuilder().setTypeUrl(ADS_TYPE_URL_LDS).build(); + } Listener listener = res.unpack(Listener.class); listeners.add(listener); listenerNames.add(listener.getName()); @@ -560,7 +565,7 @@ final class XdsClientImpl extends XdsClient { } catch (InvalidProtocolBufferException e) { logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e); adsStream.sendNackRequest( - ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), + ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName), ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); return; } 
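Review bot: Rewriting `type_url` from `ADS_TYPE_URL_LDS_V2` to `ADS_TYPE_URL_LDS` and then calling `res.unpack(Listener.class)` makes the v2→v3 upgrade rest entirely on wire compatibility between the two `Listener` messages: any v2 field the v3 descriptor no longer carries is parsed into unknown fields and dropped with neither a log line nor a NACK. Combined with the removal of the `getTlsContext()` fallback in EnvoyServerProtoData, a v2 management server that still delivers TLS settings through the filter chain's `tls_context` field would now yield a chain with a null `DownstreamTlsContext` rather than an error, if that field is indeed absent from the v3 descriptor. A comment stating the compatibility assumption and a `logger.log(XdsLogLevel.DEBUG, ...)` when the retag path is taken would make the behaviour diagnosable. The same three lines are duplicated in the second LDS handler at `@@ -681,6 +686,9 @@`; a small helper such as `private static Any retagV2Listener(Any res)` would keep them in sync.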
@@ -581,7 +586,7 @@ final class XdsClientImpl extends XdsClient { XdsLogLevel.WARNING, "Failed to unpack HttpConnectionManagers in Listeners of LDS response {0}", e); adsStream.sendNackRequest( - ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), + ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName), ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); return; } @@ -627,11 +632,11 @@ final class XdsClientImpl extends XdsClient { if (errorMessage != null) { adsStream.sendNackRequest( - ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), + ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName), ldsResponse.getVersionInfo(), errorMessage); return; } - adsStream.sendAckRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), + adsStream.sendAckRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName), ldsResponse.getVersionInfo()); if (routes != null || rdsRouteConfigName != null) { @@ -681,6 +686,9 @@ final class XdsClientImpl extends XdsClient { logger.log(XdsLogLevel.DEBUG, "Listener count: {0}", ldsResponse.getResourcesCount()); try { for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) { + if (res.getTypeUrl().equals(ADS_TYPE_URL_LDS_V2)) { + res = res.toBuilder().setTypeUrl(ADS_TYPE_URL_LDS).build(); + } Listener listener = res.unpack(Listener.class); logger.log(XdsLogLevel.DEBUG, "Found listener {0}", listener.toString()); if (isRequestedListener(listener)) { @@ -691,7 +699,7 @@ final class XdsClientImpl extends XdsClient { } catch (InvalidProtocolBufferException e) { logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e); adsStream.sendNackRequest( - ADS_TYPE_URL_LDS, ImmutableList.of(), + ADS_TYPE_URL_LDS_V2, ImmutableList.of(), ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); return; } 
@@ -708,7 +716,7 @@ final class XdsClientImpl extends XdsClient { } catch (InvalidProtocolBufferException e) { logger.log(XdsLogLevel.WARNING, "Failed to unpack Listener in LDS response {0}", e); adsStream.sendNackRequest( - ADS_TYPE_URL_LDS, ImmutableList.of(), + ADS_TYPE_URL_LDS_V2, ImmutableList.of(), ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); return; } @@ -717,7 +725,7 @@ final class XdsClientImpl extends XdsClient { listenerWatcher.onResourceDoesNotExist(":" + listenerPort); } } - adsStream.sendAckRequest(ADS_TYPE_URL_LDS, ImmutableList.of(), + adsStream.sendAckRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(), ldsResponse.getVersionInfo()); if (listenerUpdate != null) { listenerWatcher.onListenerChanged(listenerUpdate); @@ -1073,15 +1081,16 @@ final class XdsClientImpl extends XdsClient { } } + @Nullable private static UpstreamTlsContext getTlsContextFromCluster(Cluster cluster) throws InvalidProtocolBufferException { if (cluster.hasTransportSocket() && "tls".equals(cluster.getTransportSocket().getName())) { Any any = cluster.getTransportSocket().getTypedConfig(); return UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext( - io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext.parseFrom(any.getValue())); + io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext.parseFrom( + any.getValue())); } - // TODO(sanjaypujare): remove when we move to envoy protos v3 - return UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(cluster.getTlsContext()); + return null; } /** @@ -1219,7 +1228,7 @@ final class XdsClientImpl extends XdsClient { public void run() { startRpcStream(); if (configWatcher != null) { - adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName)); + adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName)); ldsRespTimer = syncContext .schedule( 
@@ -1227,7 +1236,7 @@ final class XdsClientImpl extends XdsClient { INITIAL_RESOURCE_FETCH_TIMEOUT_SEC, TimeUnit.SECONDS, timeService); } if (listenerWatcher != null) { - adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of()); + adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of()); ldsRespTimer = syncContext .schedule( @@ -1315,7 +1324,7 @@ final class XdsClientImpl extends XdsClient { // used for management server to identify which response the client is ACKing/NACking. // To avoid confusion, client-initiated requests will always use the nonce in // most recently received responses of each resource type. - if (typeUrl.equals(ADS_TYPE_URL_LDS)) { + if (typeUrl.equals(ADS_TYPE_URL_LDS_V2) || typeUrl.equals(ADS_TYPE_URL_LDS)) { ldsRespNonce = response.getNonce(); handleLdsResponse(response); } else if (typeUrl.equals(ADS_TYPE_URL_RDS)) { @@ -1428,7 +1437,7 @@ final class XdsClientImpl extends XdsClient { checkState(requestWriter != null, "ADS stream has not been started"); String version = ""; String nonce = ""; - if (typeUrl.equals(ADS_TYPE_URL_LDS)) { + if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) { version = ldsVersion; nonce = ldsRespNonce; logger.log(XdsLogLevel.INFO, "Sending LDS request for resources: {0}", resourceNames); @@ -1469,7 +1478,7 @@ final class XdsClientImpl extends XdsClient { String versionInfo) { checkState(requestWriter != null, "ADS stream has not been started"); String nonce = ""; - if (typeUrl.equals(ADS_TYPE_URL_LDS)) { + if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) { ldsVersion = versionInfo; nonce = ldsRespNonce; } else if (typeUrl.equals(ADS_TYPE_URL_RDS)) { @@ -1504,7 +1513,7 @@ final class XdsClientImpl extends XdsClient { checkState(requestWriter != null, "ADS stream has not been started"); String versionInfo = ""; String nonce = ""; - if (typeUrl.equals(ADS_TYPE_URL_LDS)) { + if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) { versionInfo = ldsVersion; nonce = ldsRespNonce; logger.log( 
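Review bot: The dispatcher in `@@ -1315,7 +1324,7 @@` now accepts both `ADS_TYPE_URL_LDS_V2` and `ADS_TYPE_URL_LDS` on incoming responses, but `sendXdsRequest`, `sendAckRequest` and `sendNackRequest` in the three following hunks match only `ADS_TYPE_URL_LDS_V2`, and every call site in this diff passes the V2 constant. A response arriving with the v3 type URL would therefore be handled and then ACKed or NACKed under the v2 URL, which a management server tracking the v3 resource type may not associate with what it sent. If such a response cannot arrive because the client only ever subscribes with the v2 URL, a comment on the `||` saying so — e.g. `// v3-typed responses are accepted for forward compatibility; the client still subscribes and ACKs with the v2 URL.` — would spare the next reader the trace. The bodies of these methods continue outside their hunks.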
@@ -1717,6 +1726,7 @@ final class XdsClientImpl extends XdsClient { com.google.protobuf.TypeRegistry registry = com.google.protobuf.TypeRegistry.newBuilder() .add(Listener.getDescriptor()) + .add(io.envoyproxy.envoy.api.v2.Listener.getDescriptor()) .add(HttpConnectionManager.getDescriptor()) .add(RouteConfiguration.getDescriptor()) .add(Cluster.getDescriptor()) diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/CommonTlsContextUtil.java b/xds/src/main/java/io/grpc/xds/internal/sds/CommonTlsContextUtil.java index daf375d2b3..54dd0e7117 100644 --- a/xds/src/main/java/io/grpc/xds/internal/sds/CommonTlsContextUtil.java +++ b/xds/src/main/java/io/grpc/xds/internal/sds/CommonTlsContextUtil.java @@ -20,11 +20,11 @@ import static com.google.common.base.Preconditions.checkArgument; import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkState; -import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; -import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; -import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.ValidationContextTypeCase; -import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; -import io.envoyproxy.envoy.api.v2.core.DataSource.SpecifierCase; +import io.envoyproxy.envoy.config.core.v3.DataSource.SpecifierCase; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.ValidationContextTypeCase; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate; import javax.annotation.Nullable; /** Class for utility functions for {@link CommonTlsContext}. */ diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/FileBasedPluginCredential.java b/xds/src/main/java/io/grpc/xds/internal/sds/FileBasedPluginCredential.java index 3f08f34ce8..c022c52327 100644 
--- a/xds/src/main/java/io/grpc/xds/internal/sds/FileBasedPluginCredential.java +++ b/xds/src/main/java/io/grpc/xds/internal/sds/FileBasedPluginCredential.java @@ -27,6 +27,7 @@ import com.google.protobuf.Value; // TODO(sanjaypujare): remove dependency on envoy data types. import io.envoyproxy.envoy.api.v2.core.DataSource; import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin; +import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc; import io.grpc.CallCredentials; import io.grpc.Metadata; import io.grpc.Status; @@ -77,6 +78,19 @@ final class FileBasedPluginCredential extends CallCredentials { secretData = buildDataSourceFromConfigStruct(value.getStructValue()); } + FileBasedPluginCredential( + GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin metadataCredentialsFromPlugin) { + checkNotNull(metadataCredentialsFromPlugin, "metadataCredentialsFromPlugin"); + checkArgument( + PLUGIN_NAME.equals(metadataCredentialsFromPlugin.getName()), + "plugin name should be %s", PLUGIN_NAME); + + // FIXME(#7166): real implementation + headerKey = DEFAULT_HEADER_KEY; + headerPrefix = ""; + secretData = null; + } + private static DataSource buildDataSourceFromConfigStruct(Struct secretValueStruct) { checkNotNull(secretValueStruct, "secretValueStruct"); if (secretValueStruct.containsFields(FILENAME)) { diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/SdsClient.java b/xds/src/main/java/io/grpc/xds/internal/sds/SdsClient.java index 426d07559e..bc86d9b864 100644 --- a/xds/src/main/java/io/grpc/xds/internal/sds/SdsClient.java +++ b/xds/src/main/java/io/grpc/xds/internal/sds/SdsClient.java 
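Review bot: The new `FileBasedPluginCredential(GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin)` constructor checks the plugin name and then completes with `secretData = null`, so the caller receives an apparently valid `CallCredentials` that carries no secret; whatever later reads `secretData` (outside this hunk) will presumably either fail on the null or attach a header without a credential. Until #7166 is implemented, failing fast after the argument checks — e.g. `throw new UnsupportedOperationException("v3 MetadataCredentialsFromPlugin is not supported yet (#7166)");` — keeps a half-migrated configuration from running without the credential it was meant to send. The fields assigned here are declared outside the hunk.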
@@ -28,14 +28,14 @@ import com.google.protobuf.Struct;
 import com.google.protobuf.Value;
 import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
 import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
-import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
-import io.envoyproxy.envoy.api.v2.auth.Secret;
-import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
-import io.envoyproxy.envoy.api.v2.core.ApiConfigSource.ApiType;
-import io.envoyproxy.envoy.api.v2.core.ConfigSource;
-import io.envoyproxy.envoy.api.v2.core.GrpcService;
-import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
+import io.envoyproxy.envoy.config.core.v3.ApiConfigSource.ApiType;
+import io.envoyproxy.envoy.config.core.v3.ConfigSource;
+import io.envoyproxy.envoy.config.core.v3.GrpcService;
+import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
 import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc;
 import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc.SecretDiscoveryServiceStub;
 import io.grpc.CallCredentials;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/SdsClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/sds/SdsClientSslContextProvider.java
index 38c58849b0..943d205fbf 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/SdsClientSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/SdsClientSslContextProvider.java
@@ -18,11 +18,11 @@ package io.grpc.xds.internal.sds;
 import static com.google.common.base.Preconditions.checkNotNull;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/SdsServerSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/sds/SdsServerSslContextProvider.java
index 36bbc1d983..7d31f8f5c8 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/SdsServerSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/SdsServerSslContextProvider.java
@@ -18,10 +18,10 @@ package io.grpc.xds.internal.sds;
 import static com.google.common.base.Preconditions.checkNotNull;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
-import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.netty.handler.ssl.SslContextBuilder;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/SdsSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/sds/SdsSslContextProvider.java
index ad04397e61..6eb75b066a 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/SdsSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/SdsSslContextProvider.java
@@ -19,12 +19,12 @@ package io.grpc.xds.internal.sds;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
-import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
-import io.envoyproxy.envoy.api.v2.auth.Secret;
-import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
 import io.grpc.Status;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.netty.handler.ssl.ApplicationProtocolConfig;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeClientSslContextProvider.java
index 7f91b36519..f2ea0546c8 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeClientSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeClientSslContextProvider.java
@@ -22,9 +22,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateCertificateC
 import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate;
 import com.google.common.annotations.VisibleForTesting;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
-import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
 import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeServerSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeServerSslContextProvider.java
index 92a491c808..05afb1f4cb 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeServerSslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeServerSslContextProvider.java
@@ -22,9 +22,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateCertificateC
 import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate;
 import com.google.common.annotations.VisibleForTesting;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
-import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
 import io.grpc.netty.GrpcSslContexts;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.netty.handler.ssl.SslContext;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/SslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/sds/SslContextProvider.java
index 35b3940be9..9c319dde87 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/SslContextProvider.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/SslContextProvider.java
@@ -19,8 +19,8 @@ package io.grpc.xds.internal.sds;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactory.java b/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactory.java
index e88e6aa7e3..b495570573 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactory.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactory.java
@@ -21,8 +21,8 @@ import static com.google.common.base.Preconditions.checkState;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.core.DataSource.SpecifierCase;
+import io.envoyproxy.envoy.config.core.v3.DataSource.SpecifierCase;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.grpc.xds.internal.sds.TlsContextManagerImpl;
 import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
 import java.io.File;
diff --git a/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java b/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java
index c106886566..bb23a59bb7 100644
--- a/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java
@@ -20,7 +20,8 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Ascii;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
 import java.net.Socket;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateParsingException;
@@ -199,6 +200,7 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509 } // logic from Envoy::Extensions::TransportSockets::Tls::ContextImpl::verifySubjectAltName + @SuppressWarnings("UnusedMethod") // TODO(#7166): support StringMatcher list. private static void verifySubjectAltNameInLeaf(X509Certificate cert, List verifyList) throws CertificateException { Collection> names = cert.getSubjectAlternativeNames(); @@ -223,7 +225,7 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509 if (certContext == null) { return; } - List verifyList = certContext.getVerifySubjectAltNameList(); + List verifyList = certContext.getMatchSubjectAltNamesList(); if (verifyList.isEmpty()) { return; } @@ -231,7 +233,9 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509 throw new CertificateException("Peer certificate(s) missing"); } // verify SANs only in the top cert (leaf cert) - verifySubjectAltNameInLeaf(peerCertChain[0], verifyList); + // v2 version: verifySubjectAltNameInLeaf(peerCertChain[0], verifyList); + // TODO(#7166): Implement v3 version. + throw new UnsupportedOperationException(); } @Override diff --git a/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java b/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java index b5d141e3f4..7ca1adf7a7 100644 --- a/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java +++ b/xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java 
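Review bot: `verifySubjectAltNames` now ends in a bare `throw new UnsupportedOperationException();` whenever `getMatchSubjectAltNamesList()` is non-empty, which fails closed but steps outside the `CertificateException` contract the method already has (see the `Peer certificate(s) missing` throw just above): the handshake aborts with an unchecked exception instead of a certificate error, and a caller that catches only `CertificateException` will not see it. `throw new CertificateException("match_subject_alt_names is not supported yet (#7166)");` keeps the failure on the normal path and gives the log a reason. The `// v2 version: verifySubjectAltNameInLeaf(peerCertChain[0], verifyList);` line is commented-out code; the TODO already names the replacement, so it can be dropped. The method's signature is outside the hunk.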
@@ -21,15 +21,15 @@ import static com.google.common.truth.Truth.assertThat; import com.google.protobuf.Any; import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.UInt32Value; -import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; -import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig; -import io.envoyproxy.envoy.api.v2.core.Address; -import io.envoyproxy.envoy.api.v2.core.CidrRange; -import io.envoyproxy.envoy.api.v2.core.SocketAddress; -import io.envoyproxy.envoy.api.v2.core.TransportSocket; -import io.envoyproxy.envoy.api.v2.listener.Filter; -import io.envoyproxy.envoy.api.v2.listener.FilterChain; -import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch; +import io.envoyproxy.envoy.config.core.v3.Address; +import io.envoyproxy.envoy.config.core.v3.CidrRange; +import io.envoyproxy.envoy.config.core.v3.SocketAddress; +import io.envoyproxy.envoy.config.core.v3.TransportSocket; +import io.envoyproxy.envoy.config.listener.v3.Filter; +import io.envoyproxy.envoy.config.listener.v3.FilterChain; +import io.envoyproxy.envoy.config.listener.v3.FilterChainMatch; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.Listener; import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil; @@ -51,8 +51,8 @@ public class EnvoyServerProtoDataTest { .setSocketAddress( SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build()) .build(); - io.envoyproxy.envoy.api.v2.Listener listener = - io.envoyproxy.envoy.api.v2.Listener.newBuilder() + io.envoyproxy.envoy.config.listener.v3.Listener listener = + io.envoyproxy.envoy.config.listener.v3.Listener.newBuilder() .setName("8000") .setAddress(address) .addFilterChains(createOutFilter()) 
@@ -73,8 +73,7 @@ public class EnvoyServerProtoDataTest { assertThat(outFilterChainMatch.getApplicationProtocols()).isEmpty(); assertThat(outFilterChainMatch.getPrefixRanges()).isEmpty(); assertThat(outFilter.getDownstreamTlsContext()) - .isEqualTo(DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( - io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance())); + .isNull(); EnvoyServerProtoData.FilterChain inFilter = filterChains.get(1); assertThat(inFilter).isNotNull(); @@ -93,33 +92,6 @@ public class EnvoyServerProtoDataTest { assertThat(tlsCertSdsConfigs.get(0).getName()).isEqualTo("google-sds-config-default"); } - // TODO(sanjaypujare): remove when we move to envoy protos v3 - @Test - public void listener_convertFromDeprecatedListenerProto() throws InvalidProtocolBufferException { - Address address = - Address.newBuilder() - .setSocketAddress( - SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build()) - .build(); - io.envoyproxy.envoy.api.v2.Listener listener = - io.envoyproxy.envoy.api.v2.Listener.newBuilder() - .setName("8000") - .setAddress(address) - .addFilterChains(createDeprecatedInFilter()) - .build(); - Listener xdsListener = Listener.fromEnvoyProtoListener(listener); - List filterChains = xdsListener.getFilterChains(); - assertThat(filterChains).hasSize(1); - EnvoyServerProtoData.FilterChain inFilter = filterChains.get(0); - DownstreamTlsContext inFilterTlsContext = inFilter.getDownstreamTlsContext(); - assertThat(inFilterTlsContext.getCommonTlsContext()).isNotNull(); - CommonTlsContext commonTlsContext = inFilterTlsContext.getCommonTlsContext(); - List tlsCertSdsConfigs = commonTlsContext - .getTlsCertificateSdsSecretConfigsList(); - assertThat(tlsCertSdsConfigs).hasSize(1); - assertThat(tlsCertSdsConfigs.get(0).getName()).isEqualTo("google-sds-config-default"); - } - private static FilterChain createOutFilter() { FilterChain filterChain = FilterChain.newBuilder() 
@@ -147,7 +119,9 @@ public class EnvoyServerProtoDataTest { .addApplicationProtocols("managed-mtls") .build()) .setTransportSocket(TransportSocket.newBuilder().setName("tls") - .setTypedConfig(Any.pack(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext())) + .setTypedConfig( + Any.pack(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext( + "google-sds-config-default", "ROOTCA"))) .build()) .addFilters(Filter.newBuilder() .setName("envoy.http_connection_manager") @@ -159,29 +133,4 @@ public class EnvoyServerProtoDataTest { .build(); return filterChain; } - - // TODO(sanjaypujare): remove when we move to envoy protos v3 - @SuppressWarnings("deprecation") - private static FilterChain createDeprecatedInFilter() { - FilterChain filterChain = - FilterChain.newBuilder() - .setFilterChainMatch( - FilterChainMatch.newBuilder() - .setDestinationPort(UInt32Value.of(8000)) - .addPrefixRanges(CidrRange.newBuilder() - .setAddressPrefix("10.20.0.15") - .setPrefixLen(UInt32Value.of(32)).build()) - .addApplicationProtocols("managed-mtls") - .build()) - .setTlsContext(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext()) - .addFilters(Filter.newBuilder() - .setName("envoy.http_connection_manager") - .setTypedConfig(Any.newBuilder() - .setTypeUrl( - "type.googleapis.com/envoy.config.filter.network.http_connection_manager" - + ".v2.HttpConnectionManager")) - .build()) - .build(); - return filterChain; - } } diff --git a/xds/src/test/java/io/grpc/xds/XdsClientImplTest.java b/xds/src/test/java/io/grpc/xds/XdsClientImplTest.java index 571ff9d895..9dc310af40 100644 --- a/xds/src/test/java/io/grpc/xds/XdsClientImplTest.java +++ b/xds/src/test/java/io/grpc/xds/XdsClientImplTest.java 
@@ -19,7 +19,6 @@ package io.grpc.xds; import static com.google.common.truth.Truth.assertThat; import static io.grpc.xds.XdsClientTestHelper.buildCluster; import static io.grpc.xds.XdsClientTestHelper.buildClusterLoadAssignment; -import static io.grpc.xds.XdsClientTestHelper.buildDeprecatedSecureCluster; import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryRequest; import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryResponse; import static io.grpc.xds.XdsClientTestHelper.buildDropOverload; @@ -70,6 +69,7 @@ import io.envoyproxy.envoy.api.v2.route.VirtualHost; import io.envoyproxy.envoy.api.v2.route.WeightedCluster; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig; import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase; import io.envoyproxy.envoy.service.load_stats.v2.LoadReportingServiceGrpc.LoadReportingServiceImplBase; import io.envoyproxy.envoy.service.load_stats.v2.LoadStatsRequest; @@ -336,7 +336,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); 
@@ -360,13 +360,13 @@ public class XdsClientImplTest { "cluster-baz.googleapis.com")))) .build())))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class)); verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY); @@ -392,7 +392,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); RouteConfiguration routeConfig = @@ -408,14 +408,14 @@ public class XdsClientImplTest { Any.pack(buildListener(TARGET_AUTHORITY, /* matching resource */ Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build())))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an NACK LDS request. verify(requestObserver) .onNext( argThat(new DiscoveryRequestMatcher("", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class)); verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY); 
@@ -441,7 +441,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); ScheduledTask ldsRespTimer = Iterables.getOnlyElement( fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)); @@ -480,7 +480,7 @@ public class XdsClientImplTest { "some cluster")))) .build())))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); assertThat(ldsRespTimer.isCancelled()).isTrue(); @@ -488,7 +488,7 @@ public class XdsClientImplTest { // Client sends an ACK request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); ArgumentCaptor configUpdateCaptor = ArgumentCaptor.forClass(null); verify(configWatcher).onConfigChanged(configUpdateCaptor.capture()); @@ -514,7 +514,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); Rds rdsConfig = Rds.newBuilder() 
@@ -528,13 +528,13 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); // Client sends an (first) RDS request. verify(requestObserver) @@ -600,7 +600,7 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) @@ -665,7 +665,7 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) 
@@ -784,7 +784,7 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) @@ -850,7 +850,7 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) @@ -905,7 +905,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server sends back an LDS response containing a RouteConfiguration for the // requested Listener directly in-line. 
@@ -924,13 +924,13 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); // Cluster name is resolved and notified to config watcher. ArgumentCaptor configUpdateCaptor = ArgumentCaptor.forClass(null); @@ -953,13 +953,13 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build()))) ); response = - buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); + buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0001"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"))); // Updated cluster name is notified to config watcher. configUpdateCaptor = ArgumentCaptor.forClass(null); 
@@ -982,13 +982,13 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); response = - buildDiscoveryResponse("2", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0002"); + buildDiscoveryResponse("2", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0002"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "2", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0002"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0002"))); // Client sends an (first) RDS request. verify(requestObserver) @@ -1046,7 +1046,7 @@ public class XdsClientImplTest { // Management server sends back an LDS response indicating all Listener resources are removed. response = buildDiscoveryResponse("3", ImmutableList.of(), - XdsClientImpl.ADS_TYPE_URL_LDS, "0003"); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0003"); responseObserver.onNext(response); verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY); @@ -1071,7 +1071,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management sends back an LDS response telling client to do RDS. Rds rdsConfig = 
@@ -1087,13 +1087,13 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); // Client sends an (first) RDS request. verify(requestObserver) @@ -1173,7 +1173,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management sends back an LDS response telling client to do RDS. Rds rdsConfig = @@ -1189,13 +1189,13 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); // Client sends an (first) RDS request. verify(requestObserver) 
@@ -1229,13 +1229,13 @@ public class XdsClientImplTest { // in-use by client) removed as the RouteConfiguration it references to is absent. response = buildDiscoveryResponse("1", ImmutableList.of(), // empty - XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"); responseObserver.onNext(response); // Client sent an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0001"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"))); verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY); } @@ -1264,7 +1264,7 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an (first) RDS request. @@ -1293,7 +1293,7 @@ public class XdsClientImplTest { TARGET_AUTHORITY, /* matching resource */ Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); - response = buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); + response = buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"); responseObserver.onNext(response); // Client sent a new RDS request with updated resource name. 
@@ -1453,45 +1453,20 @@ public class XdsClientImplTest { ArgumentCaptor clusterUpdateCaptor = ArgumentCaptor.forClass(null); verify(clusterWatcher, times(1)).onClusterChanged(clusterUpdateCaptor.capture()); ClusterUpdate clusterUpdate = clusterUpdateCaptor.getValue(); - assertThat(clusterUpdate.getUpstreamTlsContext()) - .isEqualTo( - EnvoyServerProtoData.UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext( - testUpstreamTlsContext)); - } - - /** - * CDS response containing UpstreamTlsContext for a cluster in a deprecated field. - */ - // TODO(sanjaypujare): remove once we move to envoy proto v3 - @Test - public void cdsResponseWithDeprecatedUpstreamTlsContext() { - xdsClient.watchClusterData("cluster-foo.googleapis.com", clusterWatcher); - StreamObserver responseObserver = responseObservers.poll(); - StreamObserver requestObserver = requestObservers.poll(); - - // Management server sends back CDS response with UpstreamTlsContext. - UpstreamTlsContext testUpstreamTlsContext = - buildUpstreamTlsContext("secret1", "unix:/var/uds2"); - List clusters = ImmutableList.of( - Any.pack(buildCluster("cluster-bar.googleapis.com", null, false)), - Any.pack(buildDeprecatedSecureCluster("cluster-foo.googleapis.com", - "eds-cluster-foo.googleapis.com", true, testUpstreamTlsContext)), - Any.pack(buildCluster("cluster-baz.googleapis.com", null, false))); - DiscoveryResponse response = - buildDiscoveryResponse("0", clusters, XdsClientImpl.ADS_TYPE_URL_CDS, "0000"); - responseObserver.onNext(response); - - // Client sent an ACK CDS request. 
- verify(requestObserver) - .onNext(eq(buildDiscoveryRequest(NODE, "0", "cluster-foo.googleapis.com", - XdsClientImpl.ADS_TYPE_URL_CDS, "0000"))); - ArgumentCaptor clusterUpdateCaptor = ArgumentCaptor.forClass(null); - verify(clusterWatcher, times(1)).onClusterChanged(clusterUpdateCaptor.capture()); - ClusterUpdate clusterUpdate = clusterUpdateCaptor.getValue(); - assertThat(clusterUpdate.getUpstreamTlsContext()) - .isEqualTo( - EnvoyServerProtoData.UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext( - testUpstreamTlsContext)); + EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext = clusterUpdate + .getUpstreamTlsContext(); + SdsSecretConfig validationContextSdsSecretConfig = upstreamTlsContext.getCommonTlsContext() + .getValidationContextSdsSecretConfig(); + assertThat(validationContextSdsSecretConfig.getName()).isEqualTo("secret1"); + assertThat( + Iterables.getOnlyElement( + validationContextSdsSecretConfig + .getSdsConfig() + .getApiConfigSource() + .getGrpcServicesList()) + .getGoogleGrpc() + .getTargetUri()) + .isEqualTo("unix:/var/uds2"); } @Test @@ -2594,7 +2569,7 @@ public class XdsClientImplTest { // Client sends an LDS request for the host name (with port) to management server. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server closes the RPC stream immediately. responseObserver.onCompleted(); @@ -2614,7 +2589,7 @@ public class XdsClientImplTest { // Client retried by sending an LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server closes the RPC stream with an error. responseObserver.onError(Status.UNAVAILABLE.asException()); 
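Review bot: In the @@ -1453 hunk the new assertions dereference `clusterUpdate.getUpstreamTlsContext()` and then `.getCommonTlsContext().getValidationContextSdsSecretConfig()` without first asserting the context is present, so a regression that drops the TLS context from the cluster update would surface as a NullPointerException in the test rather than as a readable assertion failure; add `assertThat(upstreamTlsContext).isNotNull();` before the `SdsSecretConfig` line. The removed code compared the whole converted `UpstreamTlsContext` against the expected object, whereas the replacement checks only the validation-context SDS name and the gRPC target URI, so any other field that `buildUpstreamTlsContext` populates (its body is not in this diff) is no longer verified; a one-line comment stating that the field-level checks are intentional, or a full-object comparison kept alongside them, would make that explicit.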
@@ -2634,7 +2609,7 @@ public class XdsClientImplTest { // Client retried again by sending an LDS. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server responses with a listener for the requested resource. Rds rdsConfig = @@ -2649,13 +2624,13 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse ldsResponse = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(ldsResponse); // Client sent back an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); // Client sent an RDS request based on the received listener. verify(requestObserver) @@ -2674,7 +2649,7 @@ public class XdsClientImplTest { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // RPC stream closed immediately responseObserver.onError(Status.UNKNOWN.asException()); @@ -2691,7 +2666,7 @@ public class XdsClientImplTest { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server sends an LDS response. responseObserver.onNext(ldsResponse); 
@@ -2726,7 +2701,7 @@ public class XdsClientImplTest { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verifyNoMoreInteractions(backoffPolicyProvider, backoffPolicy1, backoffPolicy2); } @@ -2788,7 +2763,7 @@ public class XdsClientImplTest { // Retry resumes requests for all wanted resources. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); @@ -2817,7 +2792,7 @@ public class XdsClientImplTest { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); @@ -2846,7 +2821,7 @@ public class XdsClientImplTest { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); @@ -2879,7 +2854,7 @@ public class XdsClientImplTest { verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); 
@@ -2907,7 +2882,7 @@ public class XdsClientImplTest { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); @@ -2952,7 +2927,7 @@ public class XdsClientImplTest { verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server becomes unreachable. responseObserver.onError(Status.UNAVAILABLE.asException()); @@ -2973,7 +2948,7 @@ public class XdsClientImplTest { verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); @@ -2997,7 +2972,7 @@ public class XdsClientImplTest { verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); @@ -3040,7 +3015,7 @@ public class XdsClientImplTest { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); 
@@ -3067,7 +3042,7 @@ public class XdsClientImplTest { verify(requestObserver) .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verify(requestObserver, never()) .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", XdsClientImpl.ADS_TYPE_URL_CDS, ""))); @@ -3107,7 +3082,7 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted). @@ -3139,7 +3114,7 @@ public class XdsClientImplTest { // Client resumed requests and management server sends back LDS resources again. verify(requestObserver).onNext( eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); responseObserver.onNext(response); // Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted). @@ -3279,7 +3254,7 @@ public class XdsClientImplTest { Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) ); DiscoveryResponse ldsResponse = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(ldsResponse); // Client sent an LDS ACK request and an RDS request for resource 
@@ -3486,7 +3461,7 @@ public class XdsClientImplTest { "cluster.googleapis.com")))) .build())))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); String expectedString = "{\n" + " \"versionInfo\": \"0\",\n" diff --git a/xds/src/test/java/io/grpc/xds/XdsClientImplTestForListener.java b/xds/src/test/java/io/grpc/xds/XdsClientImplTestForListener.java index e65fd1bd30..fed260b7b1 100644 --- a/xds/src/test/java/io/grpc/xds/XdsClientImplTestForListener.java +++ b/xds/src/test/java/io/grpc/xds/XdsClientImplTestForListener.java @@ -53,6 +53,7 @@ import io.envoyproxy.envoy.api.v2.listener.Filter; import io.envoyproxy.envoy.api.v2.listener.FilterChain; import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase; import io.grpc.Context; import io.grpc.Context.CancellationListener; @@ -308,7 +309,7 @@ public class XdsClientImplTestForListener { // Client sends an LDS request with null in lds resource name verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); List listeners = ImmutableList.of( 
@@ -331,13 +332,13 @@ public class XdsClientImplTestForListener { "cluster-baz.googleapis.com")))) .build())))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT); @@ -357,14 +358,15 @@ public class XdsClientImplTestForListener { // Client sends an LDS request with null in lds resource name verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) .setPrefixLen(UInt32Value.of(32)).build()), - CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", + // Server is still speaking xds v2. + CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default", "ROOTCA"), buildTestFilter("envoy.http_connection_manager")); List listeners = ImmutableList.of( 
@@ -382,13 +384,13 @@ public class XdsClientImplTestForListener { filterChainInbound ))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT); @@ -408,14 +410,15 @@ public class XdsClientImplTestForListener { // Client sends an LDS request with null in lds resource name verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) .setPrefixLen(UInt32Value.of(32)).build()), - CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", + // Server is still speaking xds v2. + CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default", "ROOTCA"), buildTestFilter("envoy.http_connection_manager")); List listeners = ImmutableList.of( 
@@ -433,13 +436,13 @@ public class XdsClientImplTestForListener { filterChainInbound ))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); ArgumentCaptor listenerUpdateCaptor = ArgumentCaptor.forClass(null); verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture()); 
@@ -447,11 +450,28 @@ public class XdsClientImplTestForListener { EnvoyServerProtoData.Listener listener = configUpdate.getListener(); assertThat(listener.getName()).isEqualTo(LISTENER_NAME); assertThat(listener.getAddress()).isEqualTo("0.0.0.0:" + PORT); - EnvoyServerProtoData.FilterChain[] expected = new EnvoyServerProtoData.FilterChain[]{ - EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainOutbound), - EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainInbound) - }; - assertThat(listener.getFilterChains()).isEqualTo(Arrays.asList(expected)); + assertThat(listener.getFilterChains()).hasSize(2); + EnvoyServerProtoData.FilterChain filterChainOutboundInListenerUpdate + = listener.getFilterChains().get(0); + assertThat(filterChainOutboundInListenerUpdate.getFilterChainMatch().getDestinationPort()) + .isEqualTo(8000); + EnvoyServerProtoData.FilterChain filterChainInboundInListenerUpdate + = listener.getFilterChains().get(1); + EnvoyServerProtoData.FilterChainMatch inBoundfilterChainMatch = + filterChainInboundInListenerUpdate.getFilterChainMatch(); + assertThat(inBoundfilterChainMatch.getDestinationPort()).isEqualTo(PORT); + assertThat(inBoundfilterChainMatch.getPrefixRanges()).containsExactly( + new EnvoyServerProtoData.CidrRange(LOCAL_IP, 32)); + CommonTlsContext downstreamCommonTlsContext = + filterChainInboundInListenerUpdate.getDownstreamTlsContext().getCommonTlsContext(); + assertThat(downstreamCommonTlsContext.getTlsCertificateSdsSecretConfigs(0).getName()) + .isEqualTo("google-sds-config-default"); + assertThat( + downstreamCommonTlsContext + .getCombinedValidationContext() + .getValidationContextSdsSecretConfig() + .getName()) + .isEqualTo("ROOTCA"); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).isEmpty(); } 
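Review bot: `filterChainInboundInListenerUpdate.getDownstreamTlsContext().getCommonTlsContext()` dereferences a value that can legitimately be null — the outbound chain in this very test is built with `buildFilterChain(buildFilterChainMatch(8000), null)` — so a regression that drops the inbound TLS context would fail as a NullPointerException instead of an assertion; put `assertThat(filterChainInboundInListenerUpdate.getDownstreamTlsContext()).isNotNull();` in front of it. The new assertions check only the destination port of the outbound chain; `assertThat(filterChainOutboundInListenerUpdate.getDownstreamTlsContext()).isNull();` would also pin that the plaintext chain does not acquire a TLS context on the way through the client. The same unchecked chain appears at `filterChain.getDownstreamTlsContext().getCommonTlsContext()` in the hunk at @@ -527. The local `inBoundfilterChainMatch` would read better as `inboundFilterChainMatch`. The enclosing test method starts outside the hunk.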
@@ -465,14 +485,15 @@ public class XdsClientImplTestForListener { // Client sends an LDS request with null in lds resource name verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) .setPrefixLen(UInt32Value.of(32)).build()), - CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", + // Server is still speaking xds v2. + CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default", "ROOTCA"), buildTestFilter("envoy.http_connection_manager")); List listeners = ImmutableList.of( @@ -490,13 +511,13 @@ public class XdsClientImplTestForListener { filterChainInbound ))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); ArgumentCaptor listenerUpdateCaptor = ArgumentCaptor.forClass(null); verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture()); 
@@ -505,7 +526,7 @@ public class XdsClientImplTestForListener { final FilterChain filterChainNewInbound = buildFilterChain(buildFilterChainMatch(PORT, CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) .setPrefixLen(UInt32Value.of(32)).build()), - CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default1", + CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default1", "ROOTCA2"), buildTestFilter("envoy.http_connection_manager")); List listeners1 = ImmutableList.of( @@ -513,13 +534,13 @@ public class XdsClientImplTestForListener { filterChainNewInbound ))); DiscoveryResponse response1 = - buildDiscoveryResponse("1", listeners1, XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); + buildDiscoveryResponse("1", listeners1, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"); responseObserver.onNext(response1); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "1", - XdsClientImpl.ADS_TYPE_URL_LDS, "0001"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"))); // Updated listener is notified to config watcher. listenerUpdateCaptor = ArgumentCaptor.forClass(null); 
@@ -527,10 +548,23 @@ public class XdsClientImplTestForListener { ListenerUpdate configUpdate = listenerUpdateCaptor.getValue(); EnvoyServerProtoData.Listener listener = configUpdate.getListener(); assertThat(listener.getName()).isEqualTo(LISTENER_NAME); - EnvoyServerProtoData.FilterChain[] expected = new EnvoyServerProtoData.FilterChain[]{ - EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainNewInbound) - }; - assertThat(listener.getFilterChains()).isEqualTo(Arrays.asList(expected)); + assertThat(listener.getFilterChains()).hasSize(1); + EnvoyServerProtoData.FilterChain filterChain = + Iterables.getOnlyElement(listener.getFilterChains()); + EnvoyServerProtoData.FilterChainMatch filterChainMatch = filterChain.getFilterChainMatch(); + assertThat(filterChainMatch.getDestinationPort()).isEqualTo(PORT); + assertThat(filterChainMatch.getPrefixRanges()).containsExactly( + new EnvoyServerProtoData.CidrRange(LOCAL_IP, 32)); + CommonTlsContext downstreamCommonTlsContext = + filterChain.getDownstreamTlsContext().getCommonTlsContext(); + assertThat(downstreamCommonTlsContext.getTlsCertificateSdsSecretConfigs(0).getName()) + .isEqualTo("google-sds-config-default1"); + assertThat( + downstreamCommonTlsContext + .getCombinedValidationContext() + .getValidationContextSdsSecretConfig() + .getName()) + .isEqualTo("ROOTCA2"); } /** 
@@ -547,14 +581,15 @@ public class XdsClientImplTestForListener { // Client sends an LDS request with null in lds resource name verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(PORT, CidrRange.newBuilder().setAddressPrefix(DIFFERENT_IP) .setPrefixLen(UInt32Value.of(32)).build()), - CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", + // Server is still speaking xds v2. + CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default", "ROOTCA"), buildTestFilter("envoy.http_connection_manager")); List listeners = ImmutableList.of( @@ -572,13 +607,13 @@ public class XdsClientImplTestForListener { filterChainOutbound ))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); verify(listenerWatcher, never()).onError(any(Status.class)); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); 
@@ -594,7 +629,7 @@ public class XdsClientImplTestForListener { // Client sends an LDS request with null in lds resource name verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null); @@ -602,7 +637,8 @@ public class XdsClientImplTestForListener { PORT + 1, // add 1 to mismatch CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) .setPrefixLen(UInt32Value.of(32)).build()), - CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", + // Server is still speaking xds v2. + CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default", "ROOTCA"), buildTestFilter("envoy.http_connection_manager")); List listeners = ImmutableList.of( @@ -620,13 +656,13 @@ public class XdsClientImplTestForListener { filterChainOutbound ))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); // Client sends an ACK LDS request. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", - XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"))); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT); 
@@ -655,13 +691,14 @@ public class XdsClientImplTestForListener { StreamObserver requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) .setPrefixLen(UInt32Value.of(32)).build()), - CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", + // Server is still speaking xds v2. + CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default", "ROOTCA"), buildTestFilter("envoy.http_connection_manager")); List listeners = ImmutableList.of( @@ -670,7 +707,7 @@ public class XdsClientImplTestForListener { filterChainInbound ))); DiscoveryResponse response = - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"); responseObserver.onNext(response); ArgumentCaptor statusCaptor = ArgumentCaptor.forClass(null); @@ -691,7 +728,7 @@ public class XdsClientImplTestForListener { // Retry resumes requests for all wanted resources. verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server becomes unreachable. responseObserver.onError(Status.UNAVAILABLE.asException()); 
@@ -710,7 +747,7 @@ public class XdsClientImplTestForListener { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server is still not reachable. responseObserver.onError(Status.UNAVAILABLE.asException()); @@ -729,11 +766,11 @@ public class XdsClientImplTestForListener { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server sends back a LDS response. response = buildDiscoveryResponse("1", listeners, - XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001"); responseObserver.onNext(response); // Client sent an LDS ACK request (Omitted). @@ -752,7 +789,7 @@ public class XdsClientImplTestForListener { verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); // Management server becomes unreachable again. responseObserver.onError(Status.UNAVAILABLE.asException()); @@ -770,7 +807,7 @@ public class XdsClientImplTestForListener { requestObserver = requestObservers.poll(); verify(requestObserver) .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", - XdsClientImpl.ADS_TYPE_URL_LDS, ""))); + XdsClientImpl.ADS_TYPE_URL_LDS_V2, ""))); verifyNoMoreInteractions(mockedDiscoveryService, backoffPolicyProvider, backoffPolicy1, backoffPolicy2); diff --git a/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java b/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java index 8f5326ffa1..fff1eabcec 100644 --- a/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java +++ b/xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java 
@@ -150,31 +150,6 @@ class XdsClientTestHelper { return clusterBuilder.build(); } - // TODO(sanjaypujare): remove once we move to envoy proto v3 - @SuppressWarnings("deprecation") - static Cluster buildDeprecatedSecureCluster(String clusterName, @Nullable String edsServiceName, - boolean enableLrs, @Nullable UpstreamTlsContext upstreamTlsContext) { - Cluster.Builder clusterBuilder = Cluster.newBuilder(); - clusterBuilder.setName(clusterName); - clusterBuilder.setType(DiscoveryType.EDS); - EdsClusterConfig.Builder edsClusterConfigBuilder = EdsClusterConfig.newBuilder(); - edsClusterConfigBuilder.setEdsConfig( - ConfigSource.newBuilder().setAds(AggregatedConfigSource.getDefaultInstance())); - if (edsServiceName != null) { - edsClusterConfigBuilder.setServiceName(edsServiceName); - } - clusterBuilder.setEdsClusterConfig(edsClusterConfigBuilder); - clusterBuilder.setLbPolicy(LbPolicy.ROUND_ROBIN); - if (enableLrs) { - clusterBuilder.setLrsServer( - ConfigSource.newBuilder().setSelf(SelfConfigSource.getDefaultInstance())); - } - if (upstreamTlsContext != null) { - clusterBuilder.setTlsContext(upstreamTlsContext); - } - return clusterBuilder.build(); - } - @SuppressWarnings("deprecation") static ClusterLoadAssignment buildClusterLoadAssignment(String clusterName, List localityLbEndpoints, diff --git a/xds/src/test/java/io/grpc/xds/XdsNameResolverIntegrationTest.java b/xds/src/test/java/io/grpc/xds/XdsNameResolverIntegrationTest.java index 619fd3c4e0..e92d0c4105 100644 --- a/xds/src/test/java/io/grpc/xds/XdsNameResolverIntegrationTest.java +++ b/xds/src/test/java/io/grpc/xds/XdsNameResolverIntegrationTest.java 
@@ -399,7 +399,7 @@ public class XdsNameResolverIntegrationTest { List listeners = ImmutableList.of(Any.pack(buildListener(AUTHORITY, Any.pack(httpConnectionManager)))); responseObserver.onNext( - buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000")); + buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")); verify(mockListener).onResult(resolutionResultCaptor.capture()); ResolutionResult result = resolutionResultCaptor.getValue(); @@ -551,7 +551,7 @@ public class XdsNameResolverIntegrationTest { ImmutableList.of(host), // exact match clusterName)))) .build())))); - return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS, nonce); + return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, nonce); } /** @@ -573,7 +573,7 @@ public class XdsNameResolverIntegrationTest { Any.pack( buildListener( host, Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))); - return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS, nonce); + return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, nonce); } /** diff --git a/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java index d00522358a..346d19398c 100644 --- a/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java +++ b/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java 
@@ -104,7 +104,8 @@ public class XdsSdsClientServerTest { public void plaintextClientServer_withDefaultTlsContext() throws IOException, URISyntaxException { DownstreamTlsContext defaultTlsContext = EnvoyServerProtoData.DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( - io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance()); + io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + .getDefaultInstance()); buildServerWithTlsContext(/* downstreamTlsContext= */ defaultTlsContext); SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java index b0b7641e54..5a481bebe9 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java @@ -21,7 +21,7 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE; -import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext; import org.junit.Assert; import org.junit.Test; diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java index 1bcd984ac7..86f4c2ffeb 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java 
@@ -18,14 +18,20 @@ package io.grpc.xds.internal.sds; import com.google.common.base.Strings; import com.google.protobuf.BoolValue; -import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; -import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; -import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext; -import io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext; -import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig; -import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; -import io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext; -import io.envoyproxy.envoy.api.v2.core.DataSource; +import com.google.protobuf.Struct; +import com.google.protobuf.Value; +import io.envoyproxy.envoy.config.core.v3.ApiConfigSource; +import io.envoyproxy.envoy.config.core.v3.ConfigSource; +import io.envoyproxy.envoy.config.core.v3.DataSource; +import io.envoyproxy.envoy.config.core.v3.GrpcService; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext; +import io.envoyproxy.envoy.type.matcher.v3.StringMatcher; import io.grpc.internal.testing.TestUtils; import io.grpc.xds.EnvoyServerProtoData; import java.io.IOException; 
@@ -48,18 +54,82 @@ public class CommonTlsContextTestsUtil { public static final String BAD_CLIENT_PEM_FILE = "badclient.pem"; public static final String BAD_CLIENT_KEY_FILE = "badclient.key"; - static SdsSecretConfig buildSdsSecretConfig(String name, String targetUri, String channelType) { + static io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig buildSdsSecretConfigV2( + String name, String targetUri, String channelType) { + io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig = null; + if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) { + sdsSecretConfig = + io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig.newBuilder() + .setName(name) + .setSdsConfig(buildConfigSourceV2(targetUri, channelType)) + .build(); + } + return sdsSecretConfig; + } + + private static SdsSecretConfig + buildSdsSecretConfig(String name, String targetUri, String channelType) { SdsSecretConfig sdsSecretConfig = null; if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) { sdsSecretConfig = SdsSecretConfig.newBuilder() .setName(name) - .setSdsConfig(SdsClientTest.buildConfigSource(targetUri, channelType)) + .setSdsConfig(buildConfigSource(targetUri, channelType)) .build(); } return sdsSecretConfig; } + /** + * Builds a {@link io.envoyproxy.envoy.api.v2.core.ConfigSource} for the given targetUri. + * + * @param channelType specifying "inproc" creates an Inprocess channel for testing. 
+ */ + private static io.envoyproxy.envoy.api.v2.core.ConfigSource buildConfigSourceV2( + String targetUri, String channelType) { + io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.Builder googleGrpcBuilder = + io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.newBuilder().setTargetUri(targetUri); + if (channelType != null) { + Struct.Builder structBuilder = Struct.newBuilder(); + structBuilder.putFields( + "channelType", Value.newBuilder().setStringValue(channelType).build()); + googleGrpcBuilder.setConfig(structBuilder.build()); + } + return io.envoyproxy.envoy.api.v2.core.ConfigSource.newBuilder() + .setApiConfigSource( + io.envoyproxy.envoy.api.v2.core.ApiConfigSource.newBuilder() + .setApiType(io.envoyproxy.envoy.api.v2.core.ApiConfigSource.ApiType.GRPC) + .addGrpcServices( + io.envoyproxy.envoy.api.v2.core.GrpcService.newBuilder() + .setGoogleGrpc(googleGrpcBuilder.build()) + .build()) + .build()) + .build(); + } + + /** + * Builds a {@link ConfigSource} for the given targetUri. + * + * @param channelType specifying "inproc" creates an Inprocess channel for testing. + */ + private static ConfigSource buildConfigSource(String targetUri, String channelType) { + GrpcService.GoogleGrpc.Builder googleGrpcBuilder = + GrpcService.GoogleGrpc.newBuilder().setTargetUri(targetUri); + if (channelType != null) { + Struct.Builder structBuilder = Struct.newBuilder(); + structBuilder.putFields( + "channelType", Value.newBuilder().setStringValue(channelType).build()); + googleGrpcBuilder.setConfig(structBuilder.build()); + } + return ConfigSource.newBuilder() + .setApiConfigSource( + ApiConfigSource.newBuilder() + .setApiType(ApiConfigSource.ApiType.GRPC) + .addGrpcServices(GrpcService.newBuilder().setGoogleGrpc(googleGrpcBuilder)) + .build()) + .build(); + } + static CommonTlsContext buildCommonTlsContextFromSdsConfigForValidationContext( String name, String targetUri, String privateKey, String certChain) { SdsSecretConfig sdsSecretConfig = 
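Review bot: `buildSdsSecretConfigV2` (like the `buildSdsSecretConfig` beside it) returns null whenever `name` or `targetUri` is null or empty, and the callers in this file use that null to decide which validation-context field to set, yet neither the signature nor a Javadoc says so; annotate the return `@Nullable` (this file would need the import) and add `/** Builds a v2 SdsSecretConfig named {@code name}; returns null when name or targetUri is null or empty. */`. The `@param channelType` text on `buildConfigSourceV2` claims that "inproc" creates an in-process channel, but this method only copies the string into the GoogleGrpc config Struct under the `"channelType"` key — the interpretation presumably lives in the SDS client — so `is stored under "channelType" in the GoogleGrpc config Struct; the SDS client reads it to pick the channel type` would describe what the code here does. The v2 and v3 builders are line-for-line copies apart from the proto package, which is expected while both servers exist, but the V2 pair deserves a one-line comment saying it is removed with the v2 server.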
@@ -97,12 +167,57 @@ public class CommonTlsContextTestsUtil { /** takes additional values and creates CombinedCertificateValidationContext as needed. */ @SuppressWarnings("deprecation") + static io.envoyproxy.envoy.api.v2.auth.CommonTlsContext + buildCommonTlsContextWithAdditionalValuesV2( + String certName, + String certTargetUri, + String validationContextName, + String validationContextTargetUri, + Iterable verifySubjectAltNames, + Iterable alpnNames, + String channelType) { + + io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.Builder builder = + io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.newBuilder(); + + io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig = + buildSdsSecretConfigV2(certName, certTargetUri, channelType); + if (sdsSecretConfig != null) { + builder.addTlsCertificateSdsSecretConfigs(sdsSecretConfig); + } + sdsSecretConfig = + buildSdsSecretConfigV2(validationContextName, validationContextTargetUri, channelType); + io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext certValidationContext = + verifySubjectAltNames == null ? 
null + : io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.newBuilder() + .addAllVerifySubjectAltName(verifySubjectAltNames).build(); + + if (sdsSecretConfig != null && certValidationContext != null) { + io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext.Builder + combinedBuilder = + io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext + .newBuilder() + .setDefaultValidationContext(certValidationContext) + .setValidationContextSdsSecretConfig(sdsSecretConfig); + builder.setCombinedValidationContext(combinedBuilder); + } else if (sdsSecretConfig != null) { + builder.setValidationContextSdsSecretConfig(sdsSecretConfig); + } else if (certValidationContext != null) { + builder.setValidationContext(certValidationContext); + } + if (alpnNames != null) { + builder.addAllAlpnProtocols(alpnNames); + } + return builder.build(); + } + + /** takes additional values and creates CombinedCertificateValidationContext as needed. */ static CommonTlsContext buildCommonTlsContextWithAdditionalValues( String certName, String certTargetUri, String validationContextName, String validationContextTargetUri, - Iterable verifySubjectAltNames, + Iterable matchSubjectAltNames, Iterable alpnNames, String channelType) { @@ -115,10 +230,11 @@ public class CommonTlsContextTestsUtil { sdsSecretConfig = buildSdsSecretConfig(validationContextName, validationContextTargetUri, channelType); CertificateValidationContext certValidationContext = - verifySubjectAltNames == null ? null + matchSubjectAltNames == null + ? null : CertificateValidationContext.newBuilder() - .addAllVerifySubjectAltName(verifySubjectAltNames).build(); - + .addAllMatchSubjectAltNames(matchSubjectAltNames) + .build(); if (sdsSecretConfig != null && certValidationContext != null) { CombinedCertificateValidationContext.Builder combinedBuilder = CombinedCertificateValidationContext.newBuilder() 
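Review bot: The existing `@SuppressWarnings("deprecation")` now sits on the inserted `buildCommonTlsContextWithAdditionalValuesV2`, while the original `buildCommonTlsContextWithAdditionalValues` below it keeps only a copied Javadoc; that is fine if the v3 body no longer calls deprecated API, but the identical comments hide that the two methods differ in proto version and in how SANs are expressed. Give the V2 method its own doc, e.g. `/** xDS v2 variant of buildCommonTlsContextWithAdditionalValues (verify_subject_alt_name strings); delete once the test SDS server speaks v3. */`. The v2 `addAllVerifySubjectAltName` call is presumably the deprecated use the annotation is meant to cover, so the annotation should stay attached to this method rather than drift with future insertions.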
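Review bot: The switch from `addAllVerifySubjectAltName` to `addAllMatchSubjectAltNames` changes what the helper accepts (the elements now appear to be StringMatcher values, judging by the `StringMatcher.newBuilder().setExact(...)` passed at the call site later in this file), but the one-line Javadoc is unchanged and still does not say that a null `matchSubjectAltNames` produces no inline CertificateValidationContext at all — only whatever SDS supplies, if a validation-context SDS config was given. Document that, e.g. `@param matchSubjectAltNames SAN matchers for the default validation context; null omits the inline context, so SAN checking then depends entirely on the SDS-provided context, if any`. The enclosing method's signature begins in the previous hunk.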
@@ -136,6 +252,18 @@ public class CommonTlsContextTestsUtil { return builder.build(); } + /** Helper method to build DownstreamTlsContext for multiple test classes. */ + static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext buildDownstreamTlsContextV2( + io.envoyproxy.envoy.api.v2.auth.CommonTlsContext commonTlsContext, + boolean requireClientCert) { + io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext = + io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder() + .setCommonTlsContext(commonTlsContext) + .setRequireClientCertificate(BoolValue.of(requireClientCert)) + .build(); + return downstreamTlsContext; + } + /** Helper method to build DownstreamTlsContext for multiple test classes. */ static DownstreamTlsContext buildDownstreamTlsContext( CommonTlsContext commonTlsContext, boolean requireClientCert) { @@ -154,9 +282,19 @@ public class CommonTlsContextTestsUtil { buildDownstreamTlsContext(commonTlsContext, requireClientCert)); } - /** Helper method for creating DownstreamTlsContext values for tests. */ - public static DownstreamTlsContext buildTestDownstreamTlsContext() { - return buildTestDownstreamTlsContext("google-sds-config-default", "ROOTCA"); + /** Helper method for creating DownstreamTlsContext values with names. */ + public static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext + buildTestDownstreamTlsContextV2(String certName, String validationContextName) { + return buildDownstreamTlsContextV2( + buildCommonTlsContextWithAdditionalValuesV2( + certName, + "unix:/var/run/sds/uds_path", + validationContextName, + "unix:/var/run/sds/uds_path", + Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"), + Arrays.asList("managed-tls"), + null), + /* requireClientCert= */ false); } /** Helper method for creating DownstreamTlsContext values with names. */ 
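Review bot: `buildDownstreamTlsContextV2` assigns the built message to `downstreamTlsContext` only to return it on the next line; `return io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder().setCommonTlsContext(commonTlsContext).setRequireClientCertificate(BoolValue.of(requireClientCert)).build();` is the same thing. Its Javadoc is a verbatim copy of the v3 helper's; `/** xDS v2 variant of buildDownstreamTlsContext, kept while the test server still speaks v2. */` lets a reader tell them apart.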
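Review bot: `buildTestDownstreamTlsContextV2` hard-codes `"unix:/var/run/sds/uds_path"` twice, the SPIFFE SAN `spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob` and `"managed-tls"`, all of which the v3 `buildTestDownstreamTlsContext` below repeats; hoisting them into `private static final String` constants (e.g. `SDS_UDS_PATH`, `TEST_SPIFFE_SAN`, `TEST_ALPN`) keeps the v2 and v3 fixtures from drifting apart once someone edits only one. The public zero-arg `buildTestDownstreamTlsContext()` overload is removed here; any caller outside this diff would stop compiling, so that is worth a grep.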
@@ -168,7 +306,10 @@ public class CommonTlsContextTestsUtil { "unix:/var/run/sds/uds_path", validationContextName, "unix:/var/run/sds/uds_path", - Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"), + Arrays.asList( + StringMatcher.newBuilder() + .setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob") + .build()), Arrays.asList("managed-tls"), null), /* requireClientCert= */ false); diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java index 6d84b9fca9..b5a0eb03b6 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java 
@@ -27,22 +27,23 @@ import com.google.common.io.Files; import com.google.common.util.concurrent.MoreExecutors; import com.google.protobuf.Struct; import com.google.protobuf.Value; -import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig; -import io.envoyproxy.envoy.api.v2.core.ApiConfigSource; -import io.envoyproxy.envoy.api.v2.core.ConfigSource; -import io.envoyproxy.envoy.api.v2.core.GrpcService; -import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc; -import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials; -import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin; -import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials; -import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials; import io.envoyproxy.envoy.api.v2.core.Node; +import io.envoyproxy.envoy.config.core.v3.ApiConfigSource; +import io.envoyproxy.envoy.config.core.v3.ConfigSource; +import io.envoyproxy.envoy.config.core.v3.GrpcService; +import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc; +import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials; +import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin; +import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials; +import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials; +import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig; import io.grpc.Metadata; import java.io.File; import java.io.IOException; import java.nio.charset.StandardCharsets; import org.junit.After; import org.junit.Before; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.rules.TemporaryFolder; 
@@ -51,6 +52,7 @@ import org.junit.runners.JUnit4; /** Unit tests for {@link SdsClient} and {@link FileBasedPluginCredential}. */ @RunWith(JUnit4.class) +@Ignore // FIXME(#7166): fix the test when FileBasedPluginCredential for xds V3 is implemented. public class SdsClientFileBasedMetadataTest { /** @@ -110,7 +112,7 @@ public class SdsClientFileBasedMetadataTest { MetadataCredentialsFromPlugin.Builder metadataCredBuilder = MetadataCredentialsFromPlugin.newBuilder().setName(pluginName); - metadataCredBuilder.setConfig(configStructBuilder); + // metadataCredBuilder.setConfig(configStructBuilder); CallCredentials.Builder callCredBuilder = CallCredentials.newBuilder().setFromPlugin(metadataCredBuilder); diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientTest.java index da5c0c1bc3..a41681eb95 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientTest.java 
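Review bot: `// metadataCredBuilder.setConfig(configStructBuilder);` leaves commented-out code inside a test class that is now disabled wholesale with `@Ignore // FIXME(#7166)`; a disabled line in a disabled test is easy to lose track of, so either delete it or tie it to the same marker, `// TODO(#7166): restore setConfig once FileBasedPluginCredential supports the v3 MetadataCredentialsFromPlugin`. Disabling the class means the file-based plugin-credential path, which from its name supplies the credentials attached to SDS requests, has no running coverage until #7166 lands; noting what is untested in the meantime in the issue or PR description would help. The `Node` import stays at `io.envoyproxy.envoy.api.v2.core.Node` while the other envoy imports moved to v3, presumably because the request message is still v2; a short comment would spare the next reader the question. The same `@Ignore // FIXME(#7166)` is added in the SdsClientUdsFileBasedMetadataTest hunk at @@ -43.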
@@ -37,16 +37,16 @@ import com.google.protobuf.ByteString;
 import com.google.protobuf.Struct;
 import com.google.protobuf.Value;
 import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
-import io.envoyproxy.envoy.api.v2.auth.Secret;
-import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
-import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
-import io.envoyproxy.envoy.api.v2.core.ConfigSource;
-import io.envoyproxy.envoy.api.v2.core.DataSource;
-import io.envoyproxy.envoy.api.v2.core.GrpcService;
-import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
+import io.envoyproxy.envoy.config.core.v3.ConfigSource;
+import io.envoyproxy.envoy.config.core.v3.DataSource;
+import io.envoyproxy.envoy.config.core.v3.GrpcService;
+import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
 import io.grpc.Status;
 import io.grpc.Status.Code;
 import io.grpc.internal.testing.TestUtils;
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsFileBasedMetadataTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsFileBasedMetadataTest.java
index 25fe4cf6fd..f1fdc87d72 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsFileBasedMetadataTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsFileBasedMetadataTest.java
@@ -24,9 +24,9 @@ import static org.mockito.Mockito.mock;
 import com.google.common.io.Files;
 import com.google.common.util.concurrent.MoreExecutors;
-import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
-import io.envoyproxy.envoy.api.v2.core.ConfigSource;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.config.core.v3.ConfigSource;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
 import io.netty.channel.epoll.Epoll;
 import java.io.File;
 import java.io.IOException;
@@ -35,6 +35,7 @@ import java.util.concurrent.TimeUnit;
 import org.junit.After;
 import org.junit.Assume;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -43,6 +44,7 @@ import org.junit.runners.JUnit4;
 /** Unit tests for {@link SdsClient} & {@link FileBasedPluginCredential} using UDS transport. */
 @RunWith(JUnit4.class)
+@Ignore // FIXME(#7166): fix the test when FileBasedPluginCredential for xds V3 is implemented
 public class SdsClientUdsFileBasedMetadataTest {
 private static final String SDSCLIENT_TEST_SOCKET = "/tmp/sdsclient-test.socket";
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsTest.java
index 9f5431f6a0..72250e6f14 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsTest.java
@@ -28,12 +28,12 @@ import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import com.google.common.util.concurrent.MoreExecutors;
-import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
-import io.envoyproxy.envoy.api.v2.auth.Secret;
-import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
-import io.envoyproxy.envoy.api.v2.core.ConfigSource;
-import io.envoyproxy.envoy.api.v2.core.GrpcService;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
+import io.envoyproxy.envoy.config.core.v3.ConfigSource;
+import io.envoyproxy.envoy.config.core.v3.GrpcService;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
 import io.netty.channel.epoll.Epoll;
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java
index b4291c636d..688f4a4520 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java
@@ -29,10 +29,10 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import com.google.common.base.Strings;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
-import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
-import io.envoyproxy.envoy.api.v2.core.DataSource;
+import io.envoyproxy.envoy.config.core.v3.DataSource;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
 import io.grpc.Attributes;
 import io.grpc.internal.testing.TestUtils;
 import io.grpc.netty.GrpcHttp2ConnectionHandler;
@@ -102,10 +102,12 @@ public class SdsProtocolNegotiatorsTest {
 /** Builds DownstreamTlsContext from commonTlsContext. */
 private static DownstreamTlsContext buildDownstreamTlsContext(CommonTlsContext commonTlsContext) {
- io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext =
- io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder()
- .setCommonTlsContext(commonTlsContext)
- .build();
+ io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ downstreamTlsContext =
+ io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ .newBuilder()
+ .setCommonTlsContext(commonTlsContext)
+ .build();
 return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(downstreamTlsContext);
 }
@@ -255,7 +257,8 @@ public class SdsProtocolNegotiatorsTest {
 pipeline = channel.pipeline();
 DownstreamTlsContext downstreamTlsContext =
 DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
- io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance());
+ io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ .getDefaultInstance());
 XdsClientWrapperForServerSds xdsClientWrapperForServerSds =
 XdsClientWrapperForServerSdsTest.createXdsClientWrapperForServerSds(
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java
index 4b8b232bbf..62779ec0a9 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java
@@ -29,8 +29,9 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import com.google.common.util.concurrent.MoreExecutors;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
 import io.envoyproxy.envoy.api.v2.core.Node;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
+import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
 import io.grpc.Status.Code;
 import java.io.IOException;
 import java.util.Arrays;
@@ -66,7 +67,7 @@ public class SdsSslContextProviderTest {
 private SdsClientSslContextProvider getSdsClientSslContextProvider(
 String certName,
 String validationContextName,
- Iterable verifySubjectAltNames,
+ Iterable matchSubjectAltNames,
 Iterable alpnProtocols)
 throws IOException {
@@ -76,7 +77,7 @@ public class SdsSslContextProviderTest {
 /* certTargetUri= */ "inproc",
 validationContextName,
 /* validationContextTargetUri= */ "inproc",
- verifySubjectAltNames,
+ matchSubjectAltNames,
 alpnProtocols,
 /* channelType= */ "inproc");
@@ -91,7 +92,7 @@ public class SdsSslContextProviderTest {
 private SdsServerSslContextProvider getSdsServerSslContextProvider(
 String certName,
 String validationContextName,
- Iterable verifySubjectAltNames,
+ Iterable matchSubjectAltNames,
 Iterable alpnProtocols)
 throws IOException {
@@ -101,7 +102,7 @@ public class SdsSslContextProviderTest {
 /* certTargetUri= */ "inproc",
 validationContextName,
 /* validationContextTargetUri= */ "inproc",
- verifySubjectAltNames,
+ matchSubjectAltNames,
 alpnProtocols,
 /* channelType= */ "inproc");
@@ -139,7 +140,7 @@ public class SdsSslContextProviderTest {
 getSdsClientSslContextProvider(
 /* certName= */ "cert1",
 /* validationContextName= */ "valid1",
- /* verifySubjectAltNames= */ null,
+ /* matchSubjectAltNames= */ null,
 /* alpnProtocols= */ null);
 SecretVolumeSslContextProviderTest.TestCallback testCallback =
 SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@@ -156,7 +157,7 @@ public class SdsSslContextProviderTest {
 getSdsServerSslContextProvider(
 /* certName= */ "cert1",
 /* validationContextName= */ null,
- /* verifySubjectAltNames= */ null,
+ /* matchSubjectAltNames= */ null,
 /* alpnProtocols= */ null);
 SecretVolumeSslContextProviderTest.TestCallback testCallback =
 SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@@ -173,7 +174,7 @@ public class SdsSslContextProviderTest {
 getSdsClientSslContextProvider(
 /* certName= */ null,
 /* validationContextName= */ "valid1",
- /* verifySubjectAltNames= */ null,
+ /* matchSubjectAltNames= */ null,
 null);
 SecretVolumeSslContextProviderTest.TestCallback testCallback =
 SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@@ -190,7 +191,7 @@ public class SdsSslContextProviderTest {
 getSdsServerSslContextProvider(
 /* certName= */ null,
 /* validationContextName= */ "valid1",
- /* verifySubjectAltNames= */ null,
+ /* matchSubjectAltNames= */ null,
 /* alpnProtocols= */ null);
 SecretVolumeSslContextProviderTest.TestCallback testCallback =
 SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@@ -215,7 +216,10 @@ public class SdsSslContextProviderTest {
 getSdsClientSslContextProvider(
 /* certName= */ "cert1",
 /* validationContextName= */ "valid1",
- Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"),
+ Arrays.asList(
+ StringMatcher.newBuilder()
+ .setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")
+ .build()),
 /* alpnProtocols= */ null);
 SecretVolumeSslContextProviderTest.TestCallback testCallback =
@@ -234,7 +238,7 @@ public class SdsSslContextProviderTest {
 getSdsClientSslContextProvider(
 /* certName= */ "cert1",
 /* validationContextName= */ "valid1",
- /* verifySubjectAltNames= */ null,
+ /* matchSubjectAltNames= */ null,
 /* alpnProtocols= */ Arrays.asList("managed-mtls", "h2"));
 SecretVolumeSslContextProviderTest.TestCallback testCallback =
 SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@@ -254,7 +258,7 @@ public class SdsSslContextProviderTest {
 getSdsServerSslContextProvider(
 /* certName= */ "cert1",
 /* validationContextName= */ "valid1",
- /* verifySubjectAltNames= */ null,
+ /* matchSubjectAltNames= */ null,
 /* alpnProtocols= */ Arrays.asList("managed-mtls", "h2"));
 SecretVolumeSslContextProviderTest.TestCallback testCallback =
 SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java
index 7b7ec6b6c5..551b8a7f6d 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java
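Review bot: The `@@ -215` hunk is the only place the renamed `matchSubjectAltNames` parameter receives a non-null value, and it builds the matcher with `StringMatcher.newBuilder().setExact(...)` alone, so any other match kind the provider accepts for the SAN check (the v3 StringMatcher also carries prefix, suffix and regex forms) is not exercised by this file. Because this matcher is what decides which peer identities the client trusts, each supported kind deserves a positive case and a negative case in which a SAN that does not match is rejected; the method containing this hunk starts and ends outside it, so I cannot see whether the callback asserts a mismatch anywhere. At minimum a comment on the matcher would make the intended coverage explicit, e.g. `// exact SPIFFE-ID match only; other StringMatcher kinds are not exercised here`.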
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java
@@ -24,9 +24,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FI
 import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import com.google.common.util.concurrent.MoreExecutors;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
-import io.envoyproxy.envoy.api.v2.core.DataSource;
+import io.envoyproxy.envoy.config.core.v3.DataSource;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
 import io.netty.handler.ssl.SslContext;
 import java.io.IOException;
 import java.security.cert.CertStoreException;
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java
index 29a688a9f8..46acd6e033 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java
@@ -21,7 +21,7 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
 import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE;
 import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
-import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import org.junit.Assert;
 import org.junit.Test;
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/TestSdsServer.java b/xds/src/test/java/io/grpc/xds/internal/sds/TestSdsServer.java
index 7e1eb148d2..e0f47c8787 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/TestSdsServer.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/TestSdsServer.java
@@ -25,7 +25,7 @@ import com.google.protobuf.ByteString;
 import com.google.protobuf.ProtocolStringList;
 import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
 import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
-import io.envoyproxy.envoy.api.v2.auth.Secret;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
 import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc;
 import io.grpc.ForwardingServerCall.SimpleForwardingServerCall;
 import io.grpc.Metadata;
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactoryTest.java
index 72baa2df9e..53ab963eb1 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactoryTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactoryTest.java
@@ -24,8 +24,8 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE
 import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import com.google.protobuf.ByteString;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
-import io.envoyproxy.envoy.api.v2.core.DataSource;
+import io.envoyproxy.envoy.config.core.v3.DataSource;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.grpc.internal.testing.TestUtils;
 import java.io.IOException;
 import java.security.cert.CertStoreException;
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
index 66ad6f8ad6..a738f44cdd 100644
--- a/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
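Review bot: After the TestSdsServer import hunk the test server still serves the v2 `SecretDiscoveryServiceGrpc` with v2 `DiscoveryRequest`/`DiscoveryResponse`, but now packs v3 `Secret` messages into those responses, so the resource type URL the client must accept has changed while the transport has not. If SdsClient validates the response `type_url` (not visible from here), the test should assert the v3 URL it now emits; either way the transitional mix deserves a comment beside the imports, e.g. `// TODO(#7166): v2 SDS transport carrying v3 Secret resources until the v3 discovery service is wired up.` The same v2 `DiscoveryRequest` next to v3 `Secret` imports appears in the SdsClientTest import hunk earlier in this chunk.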
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
@@ -19,7 +19,6 @@ package io.grpc.xds.internal.sds.trust;
 import static com.google.common.truth.Truth.assertThat;
 import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.BAD_SERVER_PEM_FILE;
 import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
-import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
 import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import static org.junit.Assert.fail;
 import static org.mockito.Mockito.CALLS_REAL_METHODS;
@@ -29,9 +28,8 @@ import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
-import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
+import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.grpc.internal.testing.TestUtils;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
@@ -53,6 +51,7 @@ import sun.security.validator.ValidatorException;
 /**
 * Unit tests for {@link SdsX509TrustManager}.
 */
+// TODO(#7166): add more tests when xds v3 is implemented.
 @RunWith(JUnit4.class)
 public class SdsX509TrustManagerTest {
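Review bot: The added `// TODO(#7166): add more tests when xds v3 is implemented.` understates what the following hunk removes: every SAN-verification case for SdsX509TrustManager (null and empty peer chain, a chain with no SANs, exact and wildcard DNS SANs, the multi-label wildcard mismatch, matching and mismatching IP SANs) is deleted, so the trust manager's peer-identity check has no regression coverage until they return. Make the TODO name that gap, e.g. `// TODO(#7166): SAN-verification tests (missing/empty chain, exact and wildcard DNS SANs, IP SANs) were removed with the v2 verify_subject_alt_name API; restore them with v3 StringMatcher-based matchers.` The removed negative cases are the ones proving that an absent or non-matching certificate is rejected, and `verifySubjectAltNameInChain` itself is not touched by this change, so at least the null-chain and empty-chain cases could be kept now if the v3 `CertificateValidationContext` still exposes the deprecated `addVerifySubjectAltName` builder method (worth confirming against the generated class).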
@@ -84,180 +83,6 @@ public class SdsX509TrustManagerTest {
 trustManager.verifySubjectAltNameInChain(certs);
 }
- @Test
- @SuppressWarnings("deprecation")
- public void missingPeerCerts() throws CertificateException, FileNotFoundException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- try {
- trustManager.verifySubjectAltNameInChain(null);
- fail("no exception thrown");
- } catch (CertificateException expected) {
- assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
- }
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void emptyArrayPeerCerts() throws CertificateException, FileNotFoundException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- try {
- trustManager.verifySubjectAltNameInChain(new X509Certificate[0]);
- fail("no exception thrown");
- } catch (CertificateException expected) {
- assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
- }
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void noSansInPeerCerts() throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(CLIENT_PEM_FILE));
- try {
- trustManager.verifySubjectAltNameInChain(certs);
- fail("no exception thrown");
- } catch (CertificateException expected) {
- assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
- }
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void oneSanInPeerCertsVerifies() throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder()
- .addVerifySubjectAltName("waterzooi.test.google.be")
- .build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- trustManager.verifySubjectAltNameInChain(certs);
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void oneSanInPeerCertsVerifiesMultipleVerifySans()
- throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder()
- .addVerifySubjectAltName("x.foo.com")
- .addVerifySubjectAltName("waterzooi.test.google.be")
- .build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- trustManager.verifySubjectAltNameInChain(certs);
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void oneSanInPeerCertsNotFoundException()
- throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder().addVerifySubjectAltName("x.foo.com").build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- try {
- trustManager.verifySubjectAltNameInChain(certs);
- fail("no exception thrown");
- } catch (CertificateException expected) {
- assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
- }
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void wildcardSanInPeerCertsVerifiesMultipleVerifySans()
- throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder()
- .addVerifySubjectAltName("x.foo.com")
- .addVerifySubjectAltName("abc.test.youtube.com") // should match *.test.youtube.com
- .build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- trustManager.verifySubjectAltNameInChain(certs);
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void wildcardSanInPeerCertsVerifiesMultipleVerifySans1()
- throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder()
- .addVerifySubjectAltName("x.foo.com")
- .addVerifySubjectAltName("abc.test.google.fr") // should match *.test.google.fr
- .build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- trustManager.verifySubjectAltNameInChain(certs);
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void wildcardSanInPeerCertsSubdomainMismatch()
- throws CertificateException, IOException {
- // 2. Asterisk (*) cannot match across domain name labels.
- // For example, *.example.com matches test.example.com but does not match
- // sub.test.example.com.
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder()
- .addVerifySubjectAltName("sub.abc.test.youtube.com")
- .build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- try {
- trustManager.verifySubjectAltNameInChain(certs);
- fail("no exception thrown");
- } catch (CertificateException expected) {
- assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
- }
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void oneIpAddressInPeerCertsVerifies() throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder()
- .addVerifySubjectAltName("x.foo.com")
- .addVerifySubjectAltName("192.168.1.3")
- .build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- trustManager.verifySubjectAltNameInChain(certs);
- }
-
- @Test
- @SuppressWarnings("deprecation")
- public void oneIpAddressInPeerCertsMismatch() throws CertificateException, IOException {
- CertificateValidationContext certContext =
- CertificateValidationContext.newBuilder()
- .addVerifySubjectAltName("x.foo.com")
- .addVerifySubjectAltName("192.168.2.3")
- .build();
- trustManager = new SdsX509TrustManager(certContext, mockDelegate);
- X509Certificate[] certs =
- CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
- try {
- trustManager.verifySubjectAltNameInChain(certs);
- fail("no exception thrown");
- } catch (CertificateException expected) {
- assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
- }
- }
-
 @Test
 public void checkServerTrustedSslEngine()
 throws CertificateException, IOException, CertStoreException {