grpc
/
grpc-java
mirror of https://github.com/grpc/grpc-java.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

xds: parse Listener update as xDS v3 resource 

This is part of xDS v3 support as per go/grpc-xds-v3-support

In this PR:
- still only send v2 requests to xDS server (No v3 bootstrap or env flag support)
- parse Listener update as v3 proto
- Refactor SDS's Listener watcher to use enovy v3 API
- still parse other resources as v2 proto.
This commit is contained in:
ZHANG Dapeng 2020-07-06 10:25:46 -07:00 committed by GitHub
parent c6bd97245c
commit eaa98f8d91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 511 additions and 563 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java
View File

@ -19,7 +19,7 @@ package io.grpc.xds;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import com.google.protobuf.Any; import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.InvalidProtocolBufferException;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.Internal; import io.grpc.Internal;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
@ -75,7 +75,8 @@ public final class EnvoyServerProtoData {
} }
public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext( public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext upstreamTlsContext) { io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
upstreamTlsContext) {
return new UpstreamTlsContext(upstreamTlsContext.getCommonTlsContext()); return new UpstreamTlsContext(upstreamTlsContext.getCommonTlsContext());
} }
@ -96,7 +97,8 @@ public final class EnvoyServerProtoData {
} }
public static DownstreamTlsContext fromEnvoyProtoDownstreamTlsContext( public static DownstreamTlsContext fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext) { io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
downstreamTlsContext) {
return new DownstreamTlsContext(downstreamTlsContext.getCommonTlsContext(), return new DownstreamTlsContext(downstreamTlsContext.getCommonTlsContext(),
downstreamTlsContext.hasRequireClientCertificate()); downstreamTlsContext.hasRequireClientCertificate());
} }
@ -147,7 +149,7 @@ public final class EnvoyServerProtoData {
} }
static CidrRange fromEnvoyProtoCidrRange( static CidrRange fromEnvoyProtoCidrRange(
io.envoyproxy.envoy.api.v2.core.CidrRange proto) { io.envoyproxy.envoy.config.core.v3.CidrRange proto) {
return new CidrRange(proto.getAddressPrefix(), proto.getPrefixLen().getValue()); return new CidrRange(proto.getAddressPrefix(), proto.getPrefixLen().getValue());
} }
@ -204,9 +206,9 @@ public final class EnvoyServerProtoData {
} }
static FilterChainMatch fromEnvoyProtoFilterChainMatch( static FilterChainMatch fromEnvoyProtoFilterChainMatch(
io.envoyproxy.envoy.api.v2.listener.FilterChainMatch proto) { io.envoyproxy.envoy.config.listener.v3.FilterChainMatch proto) {
List<CidrRange> prefixRanges = new ArrayList<>(); List<CidrRange> prefixRanges = new ArrayList<>();
for (io.envoyproxy.envoy.api.v2.core.CidrRange range : proto.getPrefixRangesList()) { for (io.envoyproxy.envoy.config.core.v3.CidrRange range : proto.getPrefixRangesList()) {
prefixRanges.add(CidrRange.fromEnvoyProtoCidrRange(range)); prefixRanges.add(CidrRange.fromEnvoyProtoCidrRange(range));
} }
List<String> applicationProtocols = new ArrayList<>(); List<String> applicationProtocols = new ArrayList<>();
@ -266,16 +268,18 @@ public final class EnvoyServerProtoData {
static final class FilterChain { static final class FilterChain {
// TODO(sanjaypujare): flatten structure by moving FilterChainMatch class members here. // TODO(sanjaypujare): flatten structure by moving FilterChainMatch class members here.
private final FilterChainMatch filterChainMatch; private final FilterChainMatch filterChainMatch;
@Nullable
private final DownstreamTlsContext downstreamTlsContext; private final DownstreamTlsContext downstreamTlsContext;
@VisibleForTesting @VisibleForTesting
FilterChain(FilterChainMatch filterChainMatch, DownstreamTlsContext downstreamTlsContext) { FilterChain(
FilterChainMatch filterChainMatch, @Nullable DownstreamTlsContext downstreamTlsContext) {
this.filterChainMatch = filterChainMatch; this.filterChainMatch = filterChainMatch;
this.downstreamTlsContext = downstreamTlsContext; this.downstreamTlsContext = downstreamTlsContext;
} }
static FilterChain fromEnvoyProtoFilterChain( static FilterChain fromEnvoyProtoFilterChain(
io.envoyproxy.envoy.api.v2.listener.FilterChain proto) io.envoyproxy.envoy.config.listener.v3.FilterChain proto)
throws InvalidProtocolBufferException { throws InvalidProtocolBufferException {
return new FilterChain( return new FilterChain(
FilterChainMatch.fromEnvoyProtoFilterChainMatch(proto.getFilterChainMatch()), FilterChainMatch.fromEnvoyProtoFilterChainMatch(proto.getFilterChainMatch()),
@ -283,23 +287,25 @@ public final class EnvoyServerProtoData {
); );
} }
@Nullable
private static DownstreamTlsContext getTlsContextFromFilterChain( private static DownstreamTlsContext getTlsContextFromFilterChain(
io.envoyproxy.envoy.api.v2.listener.FilterChain filterChain) io.envoyproxy.envoy.config.listener.v3.FilterChain filterChain)
throws InvalidProtocolBufferException { throws InvalidProtocolBufferException {
if (filterChain.hasTransportSocket() if (filterChain.hasTransportSocket()
&& "tls".equals(filterChain.getTransportSocket().getName())) { && "tls".equals(filterChain.getTransportSocket().getName())) {
Any any = filterChain.getTransportSocket().getTypedConfig(); Any any = filterChain.getTransportSocket().getTypedConfig();
return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.parseFrom(any.getValue())); io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext.parseFrom(
any.getValue()));
} }
// TODO(sanjaypujare): remove when we move to envoy protos v3 return null;
return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(filterChain.getTlsContext());
} }
public FilterChainMatch getFilterChainMatch() { public FilterChainMatch getFilterChainMatch() {
return filterChainMatch; return filterChainMatch;
} }
@Nullable
public DownstreamTlsContext getDownstreamTlsContext() { public DownstreamTlsContext getDownstreamTlsContext() {
return downstreamTlsContext; return downstreamTlsContext;
} }
@ -350,9 +356,9 @@ public final class EnvoyServerProtoData {
} }
private static String convertEnvoyAddressToString( private static String convertEnvoyAddressToString(
io.envoyproxy.envoy.api.v2.core.Address proto) { io.envoyproxy.envoy.config.core.v3.Address proto) {
if (proto.hasSocketAddress()) { if (proto.hasSocketAddress()) {
io.envoyproxy.envoy.api.v2.core.SocketAddress socketAddress = proto.getSocketAddress(); io.envoyproxy.envoy.config.core.v3.SocketAddress socketAddress = proto.getSocketAddress();
String address = socketAddress.getAddress(); String address = socketAddress.getAddress();
switch (socketAddress.getPortSpecifierCase()) { switch (socketAddress.getPortSpecifierCase()) {
case NAMED_PORT: case NAMED_PORT:
@ -366,10 +372,10 @@ public final class EnvoyServerProtoData {
return null; return null;
} }
static Listener fromEnvoyProtoListener(io.envoyproxy.envoy.api.v2.Listener proto) static Listener fromEnvoyProtoListener(io.envoyproxy.envoy.config.listener.v3.Listener proto)
throws InvalidProtocolBufferException { throws InvalidProtocolBufferException {
List<FilterChain> filterChains = new ArrayList<>(proto.getFilterChainsCount()); List<FilterChain> filterChains = new ArrayList<>(proto.getFilterChainsCount());
for (io.envoyproxy.envoy.api.v2.listener.FilterChain filterChain : for (io.envoyproxy.envoy.config.listener.v3.FilterChain filterChain :
proto.getFilterChainsList()) { proto.getFilterChainsList()) {
filterChains.add(FilterChain.fromEnvoyProtoFilterChain(filterChain)); filterChains.add(FilterChain.fromEnvoyProtoFilterChain(filterChain));
} }

60
xds/src/main/java/io/grpc/xds/XdsClientImpl.java
View File

@ -39,17 +39,17 @@ import io.envoyproxy.envoy.api.v2.Cluster.LbPolicy;
import io.envoyproxy.envoy.api.v2.ClusterLoadAssignment; import io.envoyproxy.envoy.api.v2.ClusterLoadAssignment;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest; import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.DiscoveryResponse; import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
import io.envoyproxy.envoy.api.v2.Listener;
import io.envoyproxy.envoy.api.v2.RouteConfiguration; import io.envoyproxy.envoy.api.v2.RouteConfiguration;
import io.envoyproxy.envoy.api.v2.core.Address;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.api.v2.core.SocketAddress; import io.envoyproxy.envoy.api.v2.core.SocketAddress;
import io.envoyproxy.envoy.api.v2.listener.FilterChain;
import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch;
import io.envoyproxy.envoy.api.v2.route.Route; import io.envoyproxy.envoy.api.v2.route.Route;
import io.envoyproxy.envoy.api.v2.route.VirtualHost; import io.envoyproxy.envoy.api.v2.route.VirtualHost;
import io.envoyproxy.envoy.config.core.v3.Address;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds;
import io.envoyproxy.envoy.config.listener.v3.FilterChain;
import io.envoyproxy.envoy.config.listener.v3.FilterChainMatch;
import io.envoyproxy.envoy.config.listener.v3.Listener;
import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc; import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc;
import io.grpc.InternalLogId; import io.grpc.InternalLogId;
import io.grpc.ManagedChannel; import io.grpc.ManagedChannel;
@ -86,7 +86,9 @@ final class XdsClientImpl extends XdsClient {
static final int INITIAL_RESOURCE_FETCH_TIMEOUT_SEC = 15; static final int INITIAL_RESOURCE_FETCH_TIMEOUT_SEC = 15;
@VisibleForTesting @VisibleForTesting
static final String ADS_TYPE_URL_LDS = "type.googleapis.com/envoy.api.v2.Listener"; static final String ADS_TYPE_URL_LDS_V2 = "type.googleapis.com/envoy.api.v2.Listener";
private static final String ADS_TYPE_URL_LDS =
"type.googleapis.com/envoy.config.listener.v3.Listener";
@VisibleForTesting @VisibleForTesting
static final String ADS_TYPE_URL_RDS = static final String ADS_TYPE_URL_RDS =
"type.googleapis.com/envoy.api.v2.RouteConfiguration"; "type.googleapis.com/envoy.api.v2.RouteConfiguration";
@ -263,7 +265,7 @@ final class XdsClientImpl extends XdsClient {
if (adsStream == null) { if (adsStream == null) {
startRpcStream(); startRpcStream();
} }
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName)); adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName));
ldsRespTimer = ldsRespTimer =
syncContext syncContext
.schedule( .schedule(
@ -438,7 +440,7 @@ final class XdsClientImpl extends XdsClient {
startRpcStream(); startRpcStream();
} }
updateNodeMetadataForListenerRequest(port); updateNodeMetadataForListenerRequest(port);
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.<String>of()); adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of());
ldsRespTimer = ldsRespTimer =
syncContext syncContext
.schedule( .schedule(
@ -452,8 +454,8 @@ final class XdsClientImpl extends XdsClient {
.putFields("TRAFFICDIRECTOR_PROXYLESS", .putFields("TRAFFICDIRECTOR_PROXYLESS",
Value.newBuilder().setStringValue("1").build()) Value.newBuilder().setStringValue("1").build())
.build(); .build();
Address listeningAddress = io.envoyproxy.envoy.api.v2.core.Address listeningAddress =
Address.newBuilder() io.envoyproxy.envoy.api.v2.core.Address.newBuilder()
.setSocketAddress( .setSocketAddress(
SocketAddress.newBuilder().setAddress("0.0.0.0").setPortValue(port).build()) SocketAddress.newBuilder().setAddress("0.0.0.0").setPortValue(port).build())
.build(); .build();
@ -553,6 +555,9 @@ final class XdsClientImpl extends XdsClient {
List<String> listenerNames = new ArrayList<>(ldsResponse.getResourcesCount()); List<String> listenerNames = new ArrayList<>(ldsResponse.getResourcesCount());
try { try {
for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) { for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) {
if (res.getTypeUrl().equals(ADS_TYPE_URL_LDS_V2)) {
res = res.toBuilder().setTypeUrl(ADS_TYPE_URL_LDS).build();
}
Listener listener = res.unpack(Listener.class); Listener listener = res.unpack(Listener.class);
listeners.add(listener); listeners.add(listener);
listenerNames.add(listener.getName()); listenerNames.add(listener.getName());
@ -560,7 +565,7 @@ final class XdsClientImpl extends XdsClient {
} catch (InvalidProtocolBufferException e) { } catch (InvalidProtocolBufferException e) {
logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e); logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e);
adsStream.sendNackRequest( adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return; return;
} }
@ -581,7 +586,7 @@ final class XdsClientImpl extends XdsClient {
XdsLogLevel.WARNING, XdsLogLevel.WARNING,
"Failed to unpack HttpConnectionManagers in Listeners of LDS response {0}", e); "Failed to unpack HttpConnectionManagers in Listeners of LDS response {0}", e);
adsStream.sendNackRequest( adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return; return;
} }
@ -627,11 +632,11 @@ final class XdsClientImpl extends XdsClient {
if (errorMessage != null) { if (errorMessage != null) {
adsStream.sendNackRequest( adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo(), errorMessage); ldsResponse.getVersionInfo(), errorMessage);
return; return;
} }
adsStream.sendAckRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName), adsStream.sendAckRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName),
ldsResponse.getVersionInfo()); ldsResponse.getVersionInfo());
if (routes != null || rdsRouteConfigName != null) { if (routes != null || rdsRouteConfigName != null) {
@ -681,6 +686,9 @@ final class XdsClientImpl extends XdsClient {
logger.log(XdsLogLevel.DEBUG, "Listener count: {0}", ldsResponse.getResourcesCount()); logger.log(XdsLogLevel.DEBUG, "Listener count: {0}", ldsResponse.getResourcesCount());
try { try {
for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) { for (com.google.protobuf.Any res : ldsResponse.getResourcesList()) {
if (res.getTypeUrl().equals(ADS_TYPE_URL_LDS_V2)) {
res = res.toBuilder().setTypeUrl(ADS_TYPE_URL_LDS).build();
}
Listener listener = res.unpack(Listener.class); Listener listener = res.unpack(Listener.class);
logger.log(XdsLogLevel.DEBUG, "Found listener {0}", listener.toString()); logger.log(XdsLogLevel.DEBUG, "Found listener {0}", listener.toString());
if (isRequestedListener(listener)) { if (isRequestedListener(listener)) {
@ -691,7 +699,7 @@ final class XdsClientImpl extends XdsClient {
} catch (InvalidProtocolBufferException e) { } catch (InvalidProtocolBufferException e) {
logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e); logger.log(XdsLogLevel.WARNING, "Failed to unpack Listeners in LDS response {0}", e);
adsStream.sendNackRequest( adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.<String>of(), ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of(),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return; return;
} }
@ -708,7 +716,7 @@ final class XdsClientImpl extends XdsClient {
} catch (InvalidProtocolBufferException e) { } catch (InvalidProtocolBufferException e) {
logger.log(XdsLogLevel.WARNING, "Failed to unpack Listener in LDS response {0}", e); logger.log(XdsLogLevel.WARNING, "Failed to unpack Listener in LDS response {0}", e);
adsStream.sendNackRequest( adsStream.sendNackRequest(
ADS_TYPE_URL_LDS, ImmutableList.<String>of(), ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of(),
ldsResponse.getVersionInfo(), "Malformed LDS response: " + e); ldsResponse.getVersionInfo(), "Malformed LDS response: " + e);
return; return;
} }
@ -717,7 +725,7 @@ final class XdsClientImpl extends XdsClient {
listenerWatcher.onResourceDoesNotExist(":" + listenerPort); listenerWatcher.onResourceDoesNotExist(":" + listenerPort);
} }
} }
adsStream.sendAckRequest(ADS_TYPE_URL_LDS, ImmutableList.<String>of(), adsStream.sendAckRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of(),
ldsResponse.getVersionInfo()); ldsResponse.getVersionInfo());
if (listenerUpdate != null) { if (listenerUpdate != null) {
listenerWatcher.onListenerChanged(listenerUpdate); listenerWatcher.onListenerChanged(listenerUpdate);
@ -1073,15 +1081,16 @@ final class XdsClientImpl extends XdsClient {
} }
} }
@Nullable
private static UpstreamTlsContext getTlsContextFromCluster(Cluster cluster) private static UpstreamTlsContext getTlsContextFromCluster(Cluster cluster)
throws InvalidProtocolBufferException { throws InvalidProtocolBufferException {
if (cluster.hasTransportSocket() && "tls".equals(cluster.getTransportSocket().getName())) { if (cluster.hasTransportSocket() && "tls".equals(cluster.getTransportSocket().getName())) {
Any any = cluster.getTransportSocket().getTypedConfig(); Any any = cluster.getTransportSocket().getTypedConfig();
return UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext( return UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext.parseFrom(any.getValue())); io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext.parseFrom(
any.getValue()));
} }
// TODO(sanjaypujare): remove when we move to envoy protos v3 return null;
return UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(cluster.getTlsContext());
} }
/** /**
@ -1219,7 +1228,7 @@ final class XdsClientImpl extends XdsClient {
public void run() { public void run() {
startRpcStream(); startRpcStream();
if (configWatcher != null) { if (configWatcher != null) {
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.of(ldsResourceName)); adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.of(ldsResourceName));
ldsRespTimer = ldsRespTimer =
syncContext syncContext
.schedule( .schedule(
@ -1227,7 +1236,7 @@ final class XdsClientImpl extends XdsClient {
INITIAL_RESOURCE_FETCH_TIMEOUT_SEC, TimeUnit.SECONDS, timeService); INITIAL_RESOURCE_FETCH_TIMEOUT_SEC, TimeUnit.SECONDS, timeService);
} }
if (listenerWatcher != null) { if (listenerWatcher != null) {
adsStream.sendXdsRequest(ADS_TYPE_URL_LDS, ImmutableList.<String>of()); adsStream.sendXdsRequest(ADS_TYPE_URL_LDS_V2, ImmutableList.<String>of());
ldsRespTimer = ldsRespTimer =
syncContext syncContext
.schedule( .schedule(
@ -1315,7 +1324,7 @@ final class XdsClientImpl extends XdsClient {
// used for management server to identify which response the client is ACKing/NACking. // used for management server to identify which response the client is ACKing/NACking.
// To avoid confusion, client-initiated requests will always use the nonce in // To avoid confusion, client-initiated requests will always use the nonce in
// most recently received responses of each resource type. // most recently received responses of each resource type.
if (typeUrl.equals(ADS_TYPE_URL_LDS)) { if (typeUrl.equals(ADS_TYPE_URL_LDS_V2) || typeUrl.equals(ADS_TYPE_URL_LDS)) {
ldsRespNonce = response.getNonce(); ldsRespNonce = response.getNonce();
handleLdsResponse(response); handleLdsResponse(response);
} else if (typeUrl.equals(ADS_TYPE_URL_RDS)) { } else if (typeUrl.equals(ADS_TYPE_URL_RDS)) {
@ -1428,7 +1437,7 @@ final class XdsClientImpl extends XdsClient {
checkState(requestWriter != null, "ADS stream has not been started"); checkState(requestWriter != null, "ADS stream has not been started");
String version = ""; String version = "";
String nonce = ""; String nonce = "";
if (typeUrl.equals(ADS_TYPE_URL_LDS)) { if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) {
version = ldsVersion; version = ldsVersion;
nonce = ldsRespNonce; nonce = ldsRespNonce;
logger.log(XdsLogLevel.INFO, "Sending LDS request for resources: {0}", resourceNames); logger.log(XdsLogLevel.INFO, "Sending LDS request for resources: {0}", resourceNames);
@ -1469,7 +1478,7 @@ final class XdsClientImpl extends XdsClient {
String versionInfo) { String versionInfo) {
checkState(requestWriter != null, "ADS stream has not been started"); checkState(requestWriter != null, "ADS stream has not been started");
String nonce = ""; String nonce = "";
if (typeUrl.equals(ADS_TYPE_URL_LDS)) { if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) {
ldsVersion = versionInfo; ldsVersion = versionInfo;
nonce = ldsRespNonce; nonce = ldsRespNonce;
} else if (typeUrl.equals(ADS_TYPE_URL_RDS)) { } else if (typeUrl.equals(ADS_TYPE_URL_RDS)) {
@ -1504,7 +1513,7 @@ final class XdsClientImpl extends XdsClient {
checkState(requestWriter != null, "ADS stream has not been started"); checkState(requestWriter != null, "ADS stream has not been started");
String versionInfo = ""; String versionInfo = "";
String nonce = ""; String nonce = "";
if (typeUrl.equals(ADS_TYPE_URL_LDS)) { if (typeUrl.equals(ADS_TYPE_URL_LDS_V2)) {
versionInfo = ldsVersion; versionInfo = ldsVersion;
nonce = ldsRespNonce; nonce = ldsRespNonce;
logger.log( logger.log(
@ -1717,6 +1726,7 @@ final class XdsClientImpl extends XdsClient {
com.google.protobuf.TypeRegistry registry = com.google.protobuf.TypeRegistry registry =
com.google.protobuf.TypeRegistry.newBuilder() com.google.protobuf.TypeRegistry.newBuilder()
.add(Listener.getDescriptor()) .add(Listener.getDescriptor())
.add(io.envoyproxy.envoy.api.v2.Listener.getDescriptor())
.add(HttpConnectionManager.getDescriptor()) .add(HttpConnectionManager.getDescriptor())
.add(RouteConfiguration.getDescriptor()) .add(RouteConfiguration.getDescriptor())
.add(Cluster.getDescriptor()) .add(Cluster.getDescriptor())

10
xds/src/main/java/io/grpc/xds/internal/sds/CommonTlsContextUtil.java
View File

@ -20,11 +20,11 @@ import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState; import static com.google.common.base.Preconditions.checkState;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.config.core.v3.DataSource.SpecifierCase;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.ValidationContextTypeCase; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.ValidationContextTypeCase;
import io.envoyproxy.envoy.api.v2.core.DataSource.SpecifierCase; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import javax.annotation.Nullable; import javax.annotation.Nullable;
/** Class for utility functions for {@link CommonTlsContext}. */ /** Class for utility functions for {@link CommonTlsContext}. */

14
xds/src/main/java/io/grpc/xds/internal/sds/FileBasedPluginCredential.java
View File

@ -27,6 +27,7 @@ import com.google.protobuf.Value;
// TODO(sanjaypujare): remove dependency on envoy data types. // TODO(sanjaypujare): remove dependency on envoy data types.
import io.envoyproxy.envoy.api.v2.core.DataSource; import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin; import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.grpc.CallCredentials; import io.grpc.CallCredentials;
import io.grpc.Metadata; import io.grpc.Metadata;
import io.grpc.Status; import io.grpc.Status;
@ -77,6 +78,19 @@ final class FileBasedPluginCredential extends CallCredentials {
secretData = buildDataSourceFromConfigStruct(value.getStructValue()); secretData = buildDataSourceFromConfigStruct(value.getStructValue());
} }
FileBasedPluginCredential(
GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin metadataCredentialsFromPlugin) {
checkNotNull(metadataCredentialsFromPlugin, "metadataCredentialsFromPlugin");
checkArgument(
PLUGIN_NAME.equals(metadataCredentialsFromPlugin.getName()),
"plugin name should be %s", PLUGIN_NAME);
// FIXME(#7166): real implementation
headerKey = DEFAULT_HEADER_KEY;
headerPrefix = "";
secretData = null;
}
private static DataSource buildDataSourceFromConfigStruct(Struct secretValueStruct) { private static DataSource buildDataSourceFromConfigStruct(Struct secretValueStruct) {
checkNotNull(secretValueStruct, "secretValueStruct"); checkNotNull(secretValueStruct, "secretValueStruct");
if (secretValueStruct.containsFields(FILENAME)) { if (secretValueStruct.containsFields(FILENAME)) {

14
xds/src/main/java/io/grpc/xds/internal/sds/SdsClient.java
View File

@ -28,14 +28,14 @@ import com.google.protobuf.Struct;
import com.google.protobuf.Value; import com.google.protobuf.Value;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest; import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.DiscoveryResponse; import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource.ApiType;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource.ApiType;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc; import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc;
import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc.SecretDiscoveryServiceStub; import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc.SecretDiscoveryServiceStub;
import io.grpc.CallCredentials; import io.grpc.CallCredentials;

8
xds/src/main/java/io/grpc/xds/internal/sds/SdsClientSslContextProvider.java
View File

@ -18,11 +18,11 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkNotNull;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.netty.GrpcSslContexts; import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory; import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;

6
xds/src/main/java/io/grpc/xds/internal/sds/SdsServerSslContextProvider.java
View File

@ -18,10 +18,10 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkNotNull;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.netty.GrpcSslContexts; import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.netty.handler.ssl.SslContextBuilder; import io.netty.handler.ssl.SslContextBuilder;

10
xds/src/main/java/io/grpc/xds/internal/sds/SdsSslContextProvider.java
View File

@ -19,12 +19,12 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState; import static com.google.common.base.Preconditions.checkState;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.Status; import io.grpc.Status;
import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext; import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
import io.netty.handler.ssl.ApplicationProtocolConfig; import io.netty.handler.ssl.ApplicationProtocolConfig;

6
xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeClientSslContextProvider.java
View File

@ -22,9 +22,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateCertificateC
import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate; import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.netty.GrpcSslContexts; import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory; import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;

6
xds/src/main/java/io/grpc/xds/internal/sds/SecretVolumeServerSslContextProvider.java
View File

@ -22,9 +22,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateCertificateC
import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate; import static io.grpc.xds.internal.sds.CommonTlsContextUtil.validateTlsCertificate;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.netty.GrpcSslContexts; import io.grpc.netty.GrpcSslContexts;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContext;

4
xds/src/main/java/io/grpc/xds/internal/sds/SslContextProvider.java
View File

@ -19,8 +19,8 @@ package io.grpc.xds.internal.sds;
import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState; import static com.google.common.base.Preconditions.checkState;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext; import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;

4
xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactory.java
View File

@ -21,8 +21,8 @@ import static com.google.common.base.Preconditions.checkState;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.config.core.v3.DataSource.SpecifierCase;
import io.envoyproxy.envoy.api.v2.core.DataSource.SpecifierCase; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.xds.internal.sds.TlsContextManagerImpl; import io.grpc.xds.internal.sds.TlsContextManagerImpl;
import io.netty.handler.ssl.util.SimpleTrustManagerFactory; import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import java.io.File; import java.io.File;

10
xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java
View File

@ -20,7 +20,8 @@ import static com.google.common.base.Preconditions.checkNotNull;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Ascii; import com.google.common.base.Ascii;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import java.net.Socket; import java.net.Socket;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException; import java.security.cert.CertificateParsingException;
@ -199,6 +200,7 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509
} }
// logic from Envoy::Extensions::TransportSockets::Tls::ContextImpl::verifySubjectAltName // logic from Envoy::Extensions::TransportSockets::Tls::ContextImpl::verifySubjectAltName
@SuppressWarnings("UnusedMethod") // TODO(#7166): support StringMatcher list.
private static void verifySubjectAltNameInLeaf(X509Certificate cert, List<String> verifyList) private static void verifySubjectAltNameInLeaf(X509Certificate cert, List<String> verifyList)
throws CertificateException { throws CertificateException {
Collection<List<?>> names = cert.getSubjectAlternativeNames(); Collection<List<?>> names = cert.getSubjectAlternativeNames();
@ -223,7 +225,7 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509
if (certContext == null) { if (certContext == null) {
return; return;
} }
List<String> verifyList = certContext.getVerifySubjectAltNameList(); List<StringMatcher> verifyList = certContext.getMatchSubjectAltNamesList();
if (verifyList.isEmpty()) { if (verifyList.isEmpty()) {
return; return;
} }
@ -231,7 +233,9 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509
throw new CertificateException("Peer certificate(s) missing"); throw new CertificateException("Peer certificate(s) missing");
} }
// verify SANs only in the top cert (leaf cert) // verify SANs only in the top cert (leaf cert)
verifySubjectAltNameInLeaf(peerCertChain[0], verifyList); // v2 version: verifySubjectAltNameInLeaf(peerCertChain[0], verifyList);
// TODO(#7166): Implement v3 version.
throw new UnsupportedOperationException();
} }
@Override @Override

81
xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java
View File

@ -21,15 +21,15 @@ import static com.google.common.truth.Truth.assertThat;
import com.google.protobuf.Any; import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException; import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.UInt32Value; import com.google.protobuf.UInt32Value;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.config.core.v3.Address;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig; import io.envoyproxy.envoy.config.core.v3.CidrRange;
import io.envoyproxy.envoy.api.v2.core.Address; import io.envoyproxy.envoy.config.core.v3.SocketAddress;
import io.envoyproxy.envoy.api.v2.core.CidrRange; import io.envoyproxy.envoy.config.core.v3.TransportSocket;
import io.envoyproxy.envoy.api.v2.core.SocketAddress; import io.envoyproxy.envoy.config.listener.v3.Filter;
import io.envoyproxy.envoy.api.v2.core.TransportSocket; import io.envoyproxy.envoy.config.listener.v3.FilterChain;
import io.envoyproxy.envoy.api.v2.listener.Filter; import io.envoyproxy.envoy.config.listener.v3.FilterChainMatch;
import io.envoyproxy.envoy.api.v2.listener.FilterChain; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import io.grpc.xds.EnvoyServerProtoData.Listener; import io.grpc.xds.EnvoyServerProtoData.Listener;
import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil; import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil;
@ -51,8 +51,8 @@ public class EnvoyServerProtoDataTest {
.setSocketAddress( .setSocketAddress(
SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build()) SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build())
.build(); .build();
io.envoyproxy.envoy.api.v2.Listener listener = io.envoyproxy.envoy.config.listener.v3.Listener listener =
io.envoyproxy.envoy.api.v2.Listener.newBuilder() io.envoyproxy.envoy.config.listener.v3.Listener.newBuilder()
.setName("8000") .setName("8000")
.setAddress(address) .setAddress(address)
.addFilterChains(createOutFilter()) .addFilterChains(createOutFilter())
@ -73,8 +73,7 @@ public class EnvoyServerProtoDataTest {
assertThat(outFilterChainMatch.getApplicationProtocols()).isEmpty(); assertThat(outFilterChainMatch.getApplicationProtocols()).isEmpty();
assertThat(outFilterChainMatch.getPrefixRanges()).isEmpty(); assertThat(outFilterChainMatch.getPrefixRanges()).isEmpty();
assertThat(outFilter.getDownstreamTlsContext()) assertThat(outFilter.getDownstreamTlsContext())
.isEqualTo(DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( .isNull();
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance()));
EnvoyServerProtoData.FilterChain inFilter = filterChains.get(1); EnvoyServerProtoData.FilterChain inFilter = filterChains.get(1);
assertThat(inFilter).isNotNull(); assertThat(inFilter).isNotNull();
@ -93,33 +92,6 @@ public class EnvoyServerProtoDataTest {
assertThat(tlsCertSdsConfigs.get(0).getName()).isEqualTo("google-sds-config-default"); assertThat(tlsCertSdsConfigs.get(0).getName()).isEqualTo("google-sds-config-default");
} }
// TODO(sanjaypujare): remove when we move to envoy protos v3
@Test
public void listener_convertFromDeprecatedListenerProto() throws InvalidProtocolBufferException {
Address address =
Address.newBuilder()
.setSocketAddress(
SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build())
.build();
io.envoyproxy.envoy.api.v2.Listener listener =
io.envoyproxy.envoy.api.v2.Listener.newBuilder()
.setName("8000")
.setAddress(address)
.addFilterChains(createDeprecatedInFilter())
.build();
Listener xdsListener = Listener.fromEnvoyProtoListener(listener);
List<EnvoyServerProtoData.FilterChain> filterChains = xdsListener.getFilterChains();
assertThat(filterChains).hasSize(1);
EnvoyServerProtoData.FilterChain inFilter = filterChains.get(0);
DownstreamTlsContext inFilterTlsContext = inFilter.getDownstreamTlsContext();
assertThat(inFilterTlsContext.getCommonTlsContext()).isNotNull();
CommonTlsContext commonTlsContext = inFilterTlsContext.getCommonTlsContext();
List<SdsSecretConfig> tlsCertSdsConfigs = commonTlsContext
.getTlsCertificateSdsSecretConfigsList();
assertThat(tlsCertSdsConfigs).hasSize(1);
assertThat(tlsCertSdsConfigs.get(0).getName()).isEqualTo("google-sds-config-default");
}
private static FilterChain createOutFilter() { private static FilterChain createOutFilter() {
FilterChain filterChain = FilterChain filterChain =
FilterChain.newBuilder() FilterChain.newBuilder()
@ -147,7 +119,9 @@ public class EnvoyServerProtoDataTest {
.addApplicationProtocols("managed-mtls") .addApplicationProtocols("managed-mtls")
.build()) .build())
.setTransportSocket(TransportSocket.newBuilder().setName("tls") .setTransportSocket(TransportSocket.newBuilder().setName("tls")
.setTypedConfig(Any.pack(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext())) .setTypedConfig(
Any.pack(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext(
"google-sds-config-default", "ROOTCA")))
.build()) .build())
.addFilters(Filter.newBuilder() .addFilters(Filter.newBuilder()
.setName("envoy.http_connection_manager") .setName("envoy.http_connection_manager")
@ -159,29 +133,4 @@ public class EnvoyServerProtoDataTest {
.build(); .build();
return filterChain; return filterChain;
} }
// TODO(sanjaypujare): remove when we move to envoy protos v3
@SuppressWarnings("deprecation")
private static FilterChain createDeprecatedInFilter() {
FilterChain filterChain =
FilterChain.newBuilder()
.setFilterChainMatch(
FilterChainMatch.newBuilder()
.setDestinationPort(UInt32Value.of(8000))
.addPrefixRanges(CidrRange.newBuilder()
.setAddressPrefix("10.20.0.15")
.setPrefixLen(UInt32Value.of(32)).build())
.addApplicationProtocols("managed-mtls")
.build())
.setTlsContext(CommonTlsContextTestsUtil.buildTestDownstreamTlsContext())
.addFilters(Filter.newBuilder()
.setName("envoy.http_connection_manager")
.setTypedConfig(Any.newBuilder()
.setTypeUrl(
"type.googleapis.com/envoy.config.filter.network.http_connection_manager"
+ ".v2.HttpConnectionManager"))
.build())
.build();
return filterChain;
}
} }

167
xds/src/test/java/io/grpc/xds/XdsClientImplTest.java
View File

@ -19,7 +19,6 @@ package io.grpc.xds;
import static com.google.common.truth.Truth.assertThat; import static com.google.common.truth.Truth.assertThat;
import static io.grpc.xds.XdsClientTestHelper.buildCluster; import static io.grpc.xds.XdsClientTestHelper.buildCluster;
import static io.grpc.xds.XdsClientTestHelper.buildClusterLoadAssignment; import static io.grpc.xds.XdsClientTestHelper.buildClusterLoadAssignment;
import static io.grpc.xds.XdsClientTestHelper.buildDeprecatedSecureCluster;
import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryRequest; import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryRequest;
import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryResponse; import static io.grpc.xds.XdsClientTestHelper.buildDiscoveryResponse;
import static io.grpc.xds.XdsClientTestHelper.buildDropOverload; import static io.grpc.xds.XdsClientTestHelper.buildDropOverload;
@ -70,6 +69,7 @@ import io.envoyproxy.envoy.api.v2.route.VirtualHost;
import io.envoyproxy.envoy.api.v2.route.WeightedCluster; import io.envoyproxy.envoy.api.v2.route.WeightedCluster;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.Rds;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase; import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase;
import io.envoyproxy.envoy.service.load_stats.v2.LoadReportingServiceGrpc.LoadReportingServiceImplBase; import io.envoyproxy.envoy.service.load_stats.v2.LoadReportingServiceGrpc.LoadReportingServiceImplBase;
import io.envoyproxy.envoy.service.load_stats.v2.LoadStatsRequest; import io.envoyproxy.envoy.service.load_stats.v2.LoadStatsRequest;
@ -336,7 +336,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
@ -360,13 +360,13 @@ public class XdsClientImplTest {
"cluster-baz.googleapis.com")))) "cluster-baz.googleapis.com"))))
.build())))); .build()))));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class)); verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class));
verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY); verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY);
@ -392,7 +392,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
RouteConfiguration routeConfig = RouteConfiguration routeConfig =
@ -408,14 +408,14 @@ public class XdsClientImplTest {
Any.pack(buildListener(TARGET_AUTHORITY, /* matching resource */ Any.pack(buildListener(TARGET_AUTHORITY, /* matching resource */
Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build())))); Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build()))));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an NACK LDS request. // Client sends an NACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext( .onNext(
argThat(new DiscoveryRequestMatcher("", TARGET_AUTHORITY, argThat(new DiscoveryRequestMatcher("", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class)); verify(configWatcher, never()).onConfigChanged(any(ConfigUpdate.class));
verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY); verify(configWatcher, never()).onResourceDoesNotExist(TARGET_AUTHORITY);
@ -441,7 +441,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
ScheduledTask ldsRespTimer = ScheduledTask ldsRespTimer =
Iterables.getOnlyElement( Iterables.getOnlyElement(
fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)); fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER));
@ -480,7 +480,7 @@ public class XdsClientImplTest {
"some cluster")))) "some cluster"))))
.build())))); .build()))));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
assertThat(ldsRespTimer.isCancelled()).isTrue(); assertThat(ldsRespTimer.isCancelled()).isTrue();
@ -488,7 +488,7 @@ public class XdsClientImplTest {
// Client sends an ACK request. // Client sends an ACK request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
ArgumentCaptor<ConfigUpdate> configUpdateCaptor = ArgumentCaptor.forClass(null); ArgumentCaptor<ConfigUpdate> configUpdateCaptor = ArgumentCaptor.forClass(null);
verify(configWatcher).onConfigChanged(configUpdateCaptor.capture()); verify(configWatcher).onConfigChanged(configUpdateCaptor.capture());
@ -514,7 +514,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
Rds rdsConfig = Rds rdsConfig =
Rds.newBuilder() Rds.newBuilder()
@ -528,13 +528,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sends an (first) RDS request. // Client sends an (first) RDS request.
verify(requestObserver) verify(requestObserver)
@ -600,7 +600,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -665,7 +665,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -784,7 +784,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -850,7 +850,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted) // Client sends an ACK LDS request and an RDS request for "route-foo.googleapis.com". (Omitted)
@ -905,7 +905,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server sends back an LDS response containing a RouteConfiguration for the // Management server sends back an LDS response containing a RouteConfiguration for the
// requested Listener directly in-line. // requested Listener directly in-line.
@ -924,13 +924,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Cluster name is resolved and notified to config watcher. // Cluster name is resolved and notified to config watcher.
ArgumentCaptor<ConfigUpdate> configUpdateCaptor = ArgumentCaptor.forClass(null); ArgumentCaptor<ConfigUpdate> configUpdateCaptor = ArgumentCaptor.forClass(null);
@ -953,13 +953,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRouteConfig(routeConfig).build())))
); );
response = response =
buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0001"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001")));
// Updated cluster name is notified to config watcher. // Updated cluster name is notified to config watcher.
configUpdateCaptor = ArgumentCaptor.forClass(null); configUpdateCaptor = ArgumentCaptor.forClass(null);
@ -982,13 +982,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
response = response =
buildDiscoveryResponse("2", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0002"); buildDiscoveryResponse("2", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0002");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "2", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "2", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0002"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0002")));
// Client sends an (first) RDS request. // Client sends an (first) RDS request.
verify(requestObserver) verify(requestObserver)
@ -1046,7 +1046,7 @@ public class XdsClientImplTest {
// Management server sends back an LDS response indicating all Listener resources are removed. // Management server sends back an LDS response indicating all Listener resources are removed.
response = response =
buildDiscoveryResponse("3", ImmutableList.<Any>of(), buildDiscoveryResponse("3", ImmutableList.<Any>of(),
XdsClientImpl.ADS_TYPE_URL_LDS, "0003"); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0003");
responseObserver.onNext(response); responseObserver.onNext(response);
verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY); verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY);
@ -1071,7 +1071,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management sends back an LDS response telling client to do RDS. // Management sends back an LDS response telling client to do RDS.
Rds rdsConfig = Rds rdsConfig =
@ -1087,13 +1087,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sends an (first) RDS request. // Client sends an (first) RDS request.
verify(requestObserver) verify(requestObserver)
@ -1173,7 +1173,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management sends back an LDS response telling client to do RDS. // Management sends back an LDS response telling client to do RDS.
Rds rdsConfig = Rds rdsConfig =
@ -1189,13 +1189,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sends an (first) RDS request. // Client sends an (first) RDS request.
verify(requestObserver) verify(requestObserver)
@ -1229,13 +1229,13 @@ public class XdsClientImplTest {
// in-use by client) removed as the RouteConfiguration it references to is absent. // in-use by client) removed as the RouteConfiguration it references to is absent.
response = response =
buildDiscoveryResponse("1", ImmutableList.<com.google.protobuf.Any>of(), // empty buildDiscoveryResponse("1", ImmutableList.<com.google.protobuf.Any>of(), // empty
XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sent an ACK LDS request. // Client sent an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "1", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0001"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001")));
verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY); verify(configWatcher).onResourceDoesNotExist(TARGET_AUTHORITY);
} }
@ -1264,7 +1264,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an (first) RDS request. // Client sends an (first) RDS request.
@ -1293,7 +1293,7 @@ public class XdsClientImplTest {
TARGET_AUTHORITY, /* matching resource */ TARGET_AUTHORITY, /* matching resource */
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
response = buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); response = buildDiscoveryResponse("1", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sent a new RDS request with updated resource name. // Client sent a new RDS request with updated resource name.
@ -1453,45 +1453,20 @@ public class XdsClientImplTest {
ArgumentCaptor<ClusterUpdate> clusterUpdateCaptor = ArgumentCaptor.forClass(null); ArgumentCaptor<ClusterUpdate> clusterUpdateCaptor = ArgumentCaptor.forClass(null);
verify(clusterWatcher, times(1)).onClusterChanged(clusterUpdateCaptor.capture()); verify(clusterWatcher, times(1)).onClusterChanged(clusterUpdateCaptor.capture());
ClusterUpdate clusterUpdate = clusterUpdateCaptor.getValue(); ClusterUpdate clusterUpdate = clusterUpdateCaptor.getValue();
assertThat(clusterUpdate.getUpstreamTlsContext()) EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext = clusterUpdate
.isEqualTo( .getUpstreamTlsContext();
EnvoyServerProtoData.UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext( SdsSecretConfig validationContextSdsSecretConfig = upstreamTlsContext.getCommonTlsContext()
testUpstreamTlsContext)); .getValidationContextSdsSecretConfig();
} assertThat(validationContextSdsSecretConfig.getName()).isEqualTo("secret1");
assertThat(
/** Iterables.getOnlyElement(
* CDS response containing UpstreamTlsContext for a cluster in a deprecated field. validationContextSdsSecretConfig
*/ .getSdsConfig()
// TODO(sanjaypujare): remove once we move to envoy proto v3 .getApiConfigSource()
@Test .getGrpcServicesList())
public void cdsResponseWithDeprecatedUpstreamTlsContext() { .getGoogleGrpc()
xdsClient.watchClusterData("cluster-foo.googleapis.com", clusterWatcher); .getTargetUri())
StreamObserver<DiscoveryResponse> responseObserver = responseObservers.poll(); .isEqualTo("unix:/var/uds2");
StreamObserver<DiscoveryRequest> requestObserver = requestObservers.poll();
// Management server sends back CDS response with UpstreamTlsContext.
UpstreamTlsContext testUpstreamTlsContext =
buildUpstreamTlsContext("secret1", "unix:/var/uds2");
List<Any> clusters = ImmutableList.of(
Any.pack(buildCluster("cluster-bar.googleapis.com", null, false)),
Any.pack(buildDeprecatedSecureCluster("cluster-foo.googleapis.com",
"eds-cluster-foo.googleapis.com", true, testUpstreamTlsContext)),
Any.pack(buildCluster("cluster-baz.googleapis.com", null, false)));
DiscoveryResponse response =
buildDiscoveryResponse("0", clusters, XdsClientImpl.ADS_TYPE_URL_CDS, "0000");
responseObserver.onNext(response);
// Client sent an ACK CDS request.
verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", "cluster-foo.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, "0000")));
ArgumentCaptor<ClusterUpdate> clusterUpdateCaptor = ArgumentCaptor.forClass(null);
verify(clusterWatcher, times(1)).onClusterChanged(clusterUpdateCaptor.capture());
ClusterUpdate clusterUpdate = clusterUpdateCaptor.getValue();
assertThat(clusterUpdate.getUpstreamTlsContext())
.isEqualTo(
EnvoyServerProtoData.UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(
testUpstreamTlsContext));
} }
@Test @Test
@ -2594,7 +2569,7 @@ public class XdsClientImplTest {
// Client sends an LDS request for the host name (with port) to management server. // Client sends an LDS request for the host name (with port) to management server.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server closes the RPC stream immediately. // Management server closes the RPC stream immediately.
responseObserver.onCompleted(); responseObserver.onCompleted();
@ -2614,7 +2589,7 @@ public class XdsClientImplTest {
// Client retried by sending an LDS request. // Client retried by sending an LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server closes the RPC stream with an error. // Management server closes the RPC stream with an error.
responseObserver.onError(Status.UNAVAILABLE.asException()); responseObserver.onError(Status.UNAVAILABLE.asException());
@ -2634,7 +2609,7 @@ public class XdsClientImplTest {
// Client retried again by sending an LDS. // Client retried again by sending an LDS.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server responses with a listener for the requested resource. // Management server responses with a listener for the requested resource.
Rds rdsConfig = Rds rdsConfig =
@ -2649,13 +2624,13 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse ldsResponse = DiscoveryResponse ldsResponse =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(ldsResponse); responseObserver.onNext(ldsResponse);
// Client sent back an ACK LDS request. // Client sent back an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "0", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
// Client sent an RDS request based on the received listener. // Client sent an RDS request based on the received listener.
verify(requestObserver) verify(requestObserver)
@ -2674,7 +2649,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// RPC stream closed immediately // RPC stream closed immediately
responseObserver.onError(Status.UNKNOWN.asException()); responseObserver.onError(Status.UNKNOWN.asException());
@ -2691,7 +2666,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server sends an LDS response. // Management server sends an LDS response.
responseObserver.onNext(ldsResponse); responseObserver.onNext(ldsResponse);
@ -2726,7 +2701,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verifyNoMoreInteractions(backoffPolicyProvider, backoffPolicy1, backoffPolicy2); verifyNoMoreInteractions(backoffPolicyProvider, backoffPolicy1, backoffPolicy2);
} }
@ -2788,7 +2763,7 @@ public class XdsClientImplTest {
// Retry resumes requests for all wanted resources. // Retry resumes requests for all wanted resources.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2817,7 +2792,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2846,7 +2821,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2879,7 +2854,7 @@ public class XdsClientImplTest {
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2907,7 +2882,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2952,7 +2927,7 @@ public class XdsClientImplTest {
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server becomes unreachable. // Management server becomes unreachable.
responseObserver.onError(Status.UNAVAILABLE.asException()); responseObserver.onError(Status.UNAVAILABLE.asException());
@ -2973,7 +2948,7 @@ public class XdsClientImplTest {
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -2997,7 +2972,7 @@ public class XdsClientImplTest {
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -3040,7 +3015,7 @@ public class XdsClientImplTest {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -3067,7 +3042,7 @@ public class XdsClientImplTest {
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, .onNext(eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verify(requestObserver, never()) verify(requestObserver, never())
.onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com", .onNext(eq(buildDiscoveryRequest(NODE, "", "cluster.googleapis.com",
XdsClientImpl.ADS_TYPE_URL_CDS, ""))); XdsClientImpl.ADS_TYPE_URL_CDS, "")));
@ -3107,7 +3082,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted). // Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted).
@ -3139,7 +3114,7 @@ public class XdsClientImplTest {
// Client resumed requests and management server sends back LDS resources again. // Client resumed requests and management server sends back LDS resources again.
verify(requestObserver).onNext( verify(requestObserver).onNext(
eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY, eq(buildDiscoveryRequest(NODE, "", TARGET_AUTHORITY,
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted). // Client sent an RDS request for resource "route-foo.googleapis.com" (Omitted).
@ -3279,7 +3254,7 @@ public class XdsClientImplTest {
Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))) Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))
); );
DiscoveryResponse ldsResponse = DiscoveryResponse ldsResponse =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(ldsResponse); responseObserver.onNext(ldsResponse);
// Client sent an LDS ACK request and an RDS request for resource // Client sent an LDS ACK request and an RDS request for resource
@ -3486,7 +3461,7 @@ public class XdsClientImplTest {
"cluster.googleapis.com")))) "cluster.googleapis.com"))))
.build())))); .build()))));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
String expectedString = "{\n" String expectedString = "{\n"
+ " \"versionInfo\": \"0\",\n" + " \"versionInfo\": \"0\",\n"

125
xds/src/test/java/io/grpc/xds/XdsClientImplTestForListener.java
View File

@ -53,6 +53,7 @@ import io.envoyproxy.envoy.api.v2.listener.Filter;
import io.envoyproxy.envoy.api.v2.listener.FilterChain; import io.envoyproxy.envoy.api.v2.listener.FilterChain;
import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch; import io.envoyproxy.envoy.api.v2.listener.FilterChainMatch;
import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager; import io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase; import io.envoyproxy.envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase;
import io.grpc.Context; import io.grpc.Context;
import io.grpc.Context.CancellationListener; import io.grpc.Context.CancellationListener;
@ -308,7 +309,7 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name // Client sends an LDS request with null in lds resource name
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
List<Any> listeners = ImmutableList.of( List<Any> listeners = ImmutableList.of(
@ -331,13 +332,13 @@ public class XdsClientImplTestForListener {
"cluster-baz.googleapis.com")))) "cluster-baz.googleapis.com"))))
.build())))); .build()))));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT); verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT);
@ -357,14 +358,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name // Client sends an LDS request with null in lds resource name
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()), .setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", // Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"), "ROOTCA"),
buildTestFilter("envoy.http_connection_manager")); buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of( List<Any> listeners = ImmutableList.of(
@ -382,13 +384,13 @@ public class XdsClientImplTestForListener {
filterChainInbound filterChainInbound
))); )));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT); verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT);
@ -408,14 +410,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name // Client sends an LDS request with null in lds resource name
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()), .setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", // Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"), "ROOTCA"),
buildTestFilter("envoy.http_connection_manager")); buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of( List<Any> listeners = ImmutableList.of(
@ -433,13 +436,13 @@ public class XdsClientImplTestForListener {
filterChainInbound filterChainInbound
))); )));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
ArgumentCaptor<ListenerUpdate> listenerUpdateCaptor = ArgumentCaptor.forClass(null); ArgumentCaptor<ListenerUpdate> listenerUpdateCaptor = ArgumentCaptor.forClass(null);
verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture()); verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture());
@ -447,11 +450,28 @@ public class XdsClientImplTestForListener {
EnvoyServerProtoData.Listener listener = configUpdate.getListener(); EnvoyServerProtoData.Listener listener = configUpdate.getListener();
assertThat(listener.getName()).isEqualTo(LISTENER_NAME); assertThat(listener.getName()).isEqualTo(LISTENER_NAME);
assertThat(listener.getAddress()).isEqualTo("0.0.0.0:" + PORT); assertThat(listener.getAddress()).isEqualTo("0.0.0.0:" + PORT);
EnvoyServerProtoData.FilterChain[] expected = new EnvoyServerProtoData.FilterChain[]{ assertThat(listener.getFilterChains()).hasSize(2);
EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainOutbound), EnvoyServerProtoData.FilterChain filterChainOutboundInListenerUpdate
EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainInbound) = listener.getFilterChains().get(0);
}; assertThat(filterChainOutboundInListenerUpdate.getFilterChainMatch().getDestinationPort())
assertThat(listener.getFilterChains()).isEqualTo(Arrays.asList(expected)); .isEqualTo(8000);
EnvoyServerProtoData.FilterChain filterChainInboundInListenerUpdate
= listener.getFilterChains().get(1);
EnvoyServerProtoData.FilterChainMatch inBoundfilterChainMatch =
filterChainInboundInListenerUpdate.getFilterChainMatch();
assertThat(inBoundfilterChainMatch.getDestinationPort()).isEqualTo(PORT);
assertThat(inBoundfilterChainMatch.getPrefixRanges()).containsExactly(
new EnvoyServerProtoData.CidrRange(LOCAL_IP, 32));
CommonTlsContext downstreamCommonTlsContext =
filterChainInboundInListenerUpdate.getDownstreamTlsContext().getCommonTlsContext();
assertThat(downstreamCommonTlsContext.getTlsCertificateSdsSecretConfigs(0).getName())
.isEqualTo("google-sds-config-default");
assertThat(
downstreamCommonTlsContext
.getCombinedValidationContext()
.getValidationContextSdsSecretConfig()
.getName())
.isEqualTo("ROOTCA");
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).isEmpty(); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).isEmpty();
} }
@ -465,14 +485,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name // Client sends an LDS request with null in lds resource name
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()), .setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", // Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"), "ROOTCA"),
buildTestFilter("envoy.http_connection_manager")); buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of( List<Any> listeners = ImmutableList.of(
@ -490,13 +511,13 @@ public class XdsClientImplTestForListener {
filterChainInbound filterChainInbound
))); )));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
ArgumentCaptor<ListenerUpdate> listenerUpdateCaptor = ArgumentCaptor.forClass(null); ArgumentCaptor<ListenerUpdate> listenerUpdateCaptor = ArgumentCaptor.forClass(null);
verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture()); verify(listenerWatcher, times(1)).onListenerChanged(listenerUpdateCaptor.capture());
@ -505,7 +526,7 @@ public class XdsClientImplTestForListener {
final FilterChain filterChainNewInbound = buildFilterChain(buildFilterChainMatch(PORT, final FilterChain filterChainNewInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()), .setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default1", CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default1",
"ROOTCA2"), "ROOTCA2"),
buildTestFilter("envoy.http_connection_manager")); buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners1 = ImmutableList.of( List<Any> listeners1 = ImmutableList.of(
@ -513,13 +534,13 @@ public class XdsClientImplTestForListener {
filterChainNewInbound filterChainNewInbound
))); )));
DiscoveryResponse response1 = DiscoveryResponse response1 =
buildDiscoveryResponse("1", listeners1, XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); buildDiscoveryResponse("1", listeners1, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response1); responseObserver.onNext(response1);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "1", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "1",
XdsClientImpl.ADS_TYPE_URL_LDS, "0001"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001")));
// Updated listener is notified to config watcher. // Updated listener is notified to config watcher.
listenerUpdateCaptor = ArgumentCaptor.forClass(null); listenerUpdateCaptor = ArgumentCaptor.forClass(null);
@ -527,10 +548,23 @@ public class XdsClientImplTestForListener {
ListenerUpdate configUpdate = listenerUpdateCaptor.getValue(); ListenerUpdate configUpdate = listenerUpdateCaptor.getValue();
EnvoyServerProtoData.Listener listener = configUpdate.getListener(); EnvoyServerProtoData.Listener listener = configUpdate.getListener();
assertThat(listener.getName()).isEqualTo(LISTENER_NAME); assertThat(listener.getName()).isEqualTo(LISTENER_NAME);
EnvoyServerProtoData.FilterChain[] expected = new EnvoyServerProtoData.FilterChain[]{ assertThat(listener.getFilterChains()).hasSize(1);
EnvoyServerProtoData.FilterChain.fromEnvoyProtoFilterChain(filterChainNewInbound) EnvoyServerProtoData.FilterChain filterChain =
}; Iterables.getOnlyElement(listener.getFilterChains());
assertThat(listener.getFilterChains()).isEqualTo(Arrays.asList(expected)); EnvoyServerProtoData.FilterChainMatch filterChainMatch = filterChain.getFilterChainMatch();
assertThat(filterChainMatch.getDestinationPort()).isEqualTo(PORT);
assertThat(filterChainMatch.getPrefixRanges()).containsExactly(
new EnvoyServerProtoData.CidrRange(LOCAL_IP, 32));
CommonTlsContext downstreamCommonTlsContext =
filterChain.getDownstreamTlsContext().getCommonTlsContext();
assertThat(downstreamCommonTlsContext.getTlsCertificateSdsSecretConfigs(0).getName())
.isEqualTo("google-sds-config-default1");
assertThat(
downstreamCommonTlsContext
.getCombinedValidationContext()
.getValidationContextSdsSecretConfig()
.getName())
.isEqualTo("ROOTCA2");
} }
/** /**
@ -547,14 +581,15 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name // Client sends an LDS request with null in lds resource name
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(PORT, final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(DIFFERENT_IP) CidrRange.newBuilder().setAddressPrefix(DIFFERENT_IP)
.setPrefixLen(UInt32Value.of(32)).build()), .setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", // Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"), "ROOTCA"),
buildTestFilter("envoy.http_connection_manager")); buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of( List<Any> listeners = ImmutableList.of(
@ -572,13 +607,13 @@ public class XdsClientImplTestForListener {
filterChainOutbound filterChainOutbound
))); )));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onError(any(Status.class)); verify(listenerWatcher, never()).onError(any(Status.class));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
@ -594,7 +629,7 @@ public class XdsClientImplTestForListener {
// Client sends an LDS request with null in lds resource name // Client sends an LDS request with null in lds resource name
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1); assertThat(fakeClock.getPendingTasks(LISTENER_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).hasSize(1);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(8000), null);
@ -602,7 +637,8 @@ public class XdsClientImplTestForListener {
PORT + 1, // add 1 to mismatch PORT + 1, // add 1 to mismatch
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()), .setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", // Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"), "ROOTCA"),
buildTestFilter("envoy.http_connection_manager")); buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of( List<Any> listeners = ImmutableList.of(
@ -620,13 +656,13 @@ public class XdsClientImplTestForListener {
filterChainOutbound filterChainOutbound
))); )));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sends an ACK LDS request. // Client sends an ACK LDS request.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "0",
XdsClientImpl.ADS_TYPE_URL_LDS, "0000"))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000")));
verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class)); verify(listenerWatcher, never()).onListenerChanged(any(ListenerUpdate.class));
verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT); verify(listenerWatcher, never()).onResourceDoesNotExist(":" + PORT);
@ -655,13 +691,14 @@ public class XdsClientImplTestForListener {
StreamObserver<DiscoveryRequest> requestObserver = requestObservers.poll(); StreamObserver<DiscoveryRequest> requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null); final FilterChain filterChainOutbound = buildFilterChain(buildFilterChainMatch(8000), null);
final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT, final FilterChain filterChainInbound = buildFilterChain(buildFilterChainMatch(PORT,
CidrRange.newBuilder().setAddressPrefix(LOCAL_IP) CidrRange.newBuilder().setAddressPrefix(LOCAL_IP)
.setPrefixLen(UInt32Value.of(32)).build()), .setPrefixLen(UInt32Value.of(32)).build()),
CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", // Server is still speaking xds v2.
CommonTlsContextTestsUtil.buildTestDownstreamTlsContextV2("google-sds-config-default",
"ROOTCA"), "ROOTCA"),
buildTestFilter("envoy.http_connection_manager")); buildTestFilter("envoy.http_connection_manager"));
List<Any> listeners = ImmutableList.of( List<Any> listeners = ImmutableList.of(
@ -670,7 +707,7 @@ public class XdsClientImplTestForListener {
filterChainInbound filterChainInbound
))); )));
DiscoveryResponse response = DiscoveryResponse response =
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000"); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000");
responseObserver.onNext(response); responseObserver.onNext(response);
ArgumentCaptor<Status> statusCaptor = ArgumentCaptor.forClass(null); ArgumentCaptor<Status> statusCaptor = ArgumentCaptor.forClass(null);
@ -691,7 +728,7 @@ public class XdsClientImplTestForListener {
// Retry resumes requests for all wanted resources. // Retry resumes requests for all wanted resources.
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server becomes unreachable. // Management server becomes unreachable.
responseObserver.onError(Status.UNAVAILABLE.asException()); responseObserver.onError(Status.UNAVAILABLE.asException());
@ -710,7 +747,7 @@ public class XdsClientImplTestForListener {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server is still not reachable. // Management server is still not reachable.
responseObserver.onError(Status.UNAVAILABLE.asException()); responseObserver.onError(Status.UNAVAILABLE.asException());
@ -729,11 +766,11 @@ public class XdsClientImplTestForListener {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server sends back a LDS response. // Management server sends back a LDS response.
response = buildDiscoveryResponse("1", listeners, response = buildDiscoveryResponse("1", listeners,
XdsClientImpl.ADS_TYPE_URL_LDS, "0001"); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0001");
responseObserver.onNext(response); responseObserver.onNext(response);
// Client sent an LDS ACK request (Omitted). // Client sent an LDS ACK request (Omitted).
@ -752,7 +789,7 @@ public class XdsClientImplTestForListener {
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
// Management server becomes unreachable again. // Management server becomes unreachable again.
responseObserver.onError(Status.UNAVAILABLE.asException()); responseObserver.onError(Status.UNAVAILABLE.asException());
@ -770,7 +807,7 @@ public class XdsClientImplTestForListener {
requestObserver = requestObservers.poll(); requestObserver = requestObservers.poll();
verify(requestObserver) verify(requestObserver)
.onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "", .onNext(eq(buildDiscoveryRequest(getNodeToVerify(), "",
XdsClientImpl.ADS_TYPE_URL_LDS, ""))); XdsClientImpl.ADS_TYPE_URL_LDS_V2, "")));
verifyNoMoreInteractions(mockedDiscoveryService, backoffPolicyProvider, backoffPolicy1, verifyNoMoreInteractions(mockedDiscoveryService, backoffPolicyProvider, backoffPolicy1,
backoffPolicy2); backoffPolicy2);

25
xds/src/test/java/io/grpc/xds/XdsClientTestHelper.java
View File

@ -150,31 +150,6 @@ class XdsClientTestHelper {
return clusterBuilder.build(); return clusterBuilder.build();
} }
// TODO(sanjaypujare): remove once we move to envoy proto v3
@SuppressWarnings("deprecation")
static Cluster buildDeprecatedSecureCluster(String clusterName, @Nullable String edsServiceName,
boolean enableLrs, @Nullable UpstreamTlsContext upstreamTlsContext) {
Cluster.Builder clusterBuilder = Cluster.newBuilder();
clusterBuilder.setName(clusterName);
clusterBuilder.setType(DiscoveryType.EDS);
EdsClusterConfig.Builder edsClusterConfigBuilder = EdsClusterConfig.newBuilder();
edsClusterConfigBuilder.setEdsConfig(
ConfigSource.newBuilder().setAds(AggregatedConfigSource.getDefaultInstance()));
if (edsServiceName != null) {
edsClusterConfigBuilder.setServiceName(edsServiceName);
}
clusterBuilder.setEdsClusterConfig(edsClusterConfigBuilder);
clusterBuilder.setLbPolicy(LbPolicy.ROUND_ROBIN);
if (enableLrs) {
clusterBuilder.setLrsServer(
ConfigSource.newBuilder().setSelf(SelfConfigSource.getDefaultInstance()));
}
if (upstreamTlsContext != null) {
clusterBuilder.setTlsContext(upstreamTlsContext);
}
return clusterBuilder.build();
}
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
static ClusterLoadAssignment buildClusterLoadAssignment(String clusterName, static ClusterLoadAssignment buildClusterLoadAssignment(String clusterName,
List<io.envoyproxy.envoy.api.v2.endpoint.LocalityLbEndpoints> localityLbEndpoints, List<io.envoyproxy.envoy.api.v2.endpoint.LocalityLbEndpoints> localityLbEndpoints,

6
xds/src/test/java/io/grpc/xds/XdsNameResolverIntegrationTest.java
View File

@ -399,7 +399,7 @@ public class XdsNameResolverIntegrationTest {
List<Any> listeners = List<Any> listeners =
ImmutableList.of(Any.pack(buildListener(AUTHORITY, Any.pack(httpConnectionManager)))); ImmutableList.of(Any.pack(buildListener(AUTHORITY, Any.pack(httpConnectionManager))));
responseObserver.onNext( responseObserver.onNext(
buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS, "0000")); buildDiscoveryResponse("0", listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, "0000"));
verify(mockListener).onResult(resolutionResultCaptor.capture()); verify(mockListener).onResult(resolutionResultCaptor.capture());
ResolutionResult result = resolutionResultCaptor.getValue(); ResolutionResult result = resolutionResultCaptor.getValue();
@ -551,7 +551,7 @@ public class XdsNameResolverIntegrationTest {
ImmutableList.of(host), // exact match ImmutableList.of(host), // exact match
clusterName)))) clusterName))))
.build())))); .build()))));
return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS, nonce); return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, nonce);
} }
/** /**
@ -573,7 +573,7 @@ public class XdsNameResolverIntegrationTest {
Any.pack( Any.pack(
buildListener( buildListener(
host, Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build())))); host, Any.pack(HttpConnectionManager.newBuilder().setRds(rdsConfig).build()))));
return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS, nonce); return buildDiscoveryResponse(versionInfo, listeners, XdsClientImpl.ADS_TYPE_URL_LDS_V2, nonce);
} }
/** /**

3
xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java
View File

@ -104,7 +104,8 @@ public class XdsSdsClientServerTest {
public void plaintextClientServer_withDefaultTlsContext() throws IOException, URISyntaxException { public void plaintextClientServer_withDefaultTlsContext() throws IOException, URISyntaxException {
DownstreamTlsContext defaultTlsContext = DownstreamTlsContext defaultTlsContext =
EnvoyServerProtoData.DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( EnvoyServerProtoData.DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance()); io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
.getDefaultInstance());
buildServerWithTlsContext(/* downstreamTlsContext= */ defaultTlsContext); buildServerWithTlsContext(/* downstreamTlsContext= */ defaultTlsContext);
SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =

2
xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java
View File

@ -21,7 +21,7 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;

177
xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java
View File

@ -18,14 +18,20 @@ package io.grpc.xds.internal.sds;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.protobuf.BoolValue; import com.google.protobuf.BoolValue;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import com.google.protobuf.Struct;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import com.google.protobuf.Value;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext; import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext; import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig; import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.core.DataSource; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.internal.testing.TestUtils; import io.grpc.internal.testing.TestUtils;
import io.grpc.xds.EnvoyServerProtoData; import io.grpc.xds.EnvoyServerProtoData;
import java.io.IOException; import java.io.IOException;
@ -48,18 +54,82 @@ public class CommonTlsContextTestsUtil {
public static final String BAD_CLIENT_PEM_FILE = "badclient.pem"; public static final String BAD_CLIENT_PEM_FILE = "badclient.pem";
public static final String BAD_CLIENT_KEY_FILE = "badclient.key"; public static final String BAD_CLIENT_KEY_FILE = "badclient.key";
static SdsSecretConfig buildSdsSecretConfig(String name, String targetUri, String channelType) { static io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig buildSdsSecretConfigV2(
String name, String targetUri, String channelType) {
io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig = null;
if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) {
sdsSecretConfig =
io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig.newBuilder()
.setName(name)
.setSdsConfig(buildConfigSourceV2(targetUri, channelType))
.build();
}
return sdsSecretConfig;
}
private static SdsSecretConfig
buildSdsSecretConfig(String name, String targetUri, String channelType) {
SdsSecretConfig sdsSecretConfig = null; SdsSecretConfig sdsSecretConfig = null;
if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) { if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) {
sdsSecretConfig = sdsSecretConfig =
SdsSecretConfig.newBuilder() SdsSecretConfig.newBuilder()
.setName(name) .setName(name)
.setSdsConfig(SdsClientTest.buildConfigSource(targetUri, channelType)) .setSdsConfig(buildConfigSource(targetUri, channelType))
.build(); .build();
} }
return sdsSecretConfig; return sdsSecretConfig;
} }
/**
* Builds a {@link io.envoyproxy.envoy.api.v2.core.ConfigSource} for the given targetUri.
*
* @param channelType specifying "inproc" creates an Inprocess channel for testing.
*/
private static io.envoyproxy.envoy.api.v2.core.ConfigSource buildConfigSourceV2(
String targetUri, String channelType) {
io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.Builder googleGrpcBuilder =
io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.newBuilder().setTargetUri(targetUri);
if (channelType != null) {
Struct.Builder structBuilder = Struct.newBuilder();
structBuilder.putFields(
"channelType", Value.newBuilder().setStringValue(channelType).build());
googleGrpcBuilder.setConfig(structBuilder.build());
}
return io.envoyproxy.envoy.api.v2.core.ConfigSource.newBuilder()
.setApiConfigSource(
io.envoyproxy.envoy.api.v2.core.ApiConfigSource.newBuilder()
.setApiType(io.envoyproxy.envoy.api.v2.core.ApiConfigSource.ApiType.GRPC)
.addGrpcServices(
io.envoyproxy.envoy.api.v2.core.GrpcService.newBuilder()
.setGoogleGrpc(googleGrpcBuilder.build())
.build())
.build())
.build();
}
/**
* Builds a {@link ConfigSource} for the given targetUri.
*
* @param channelType specifying "inproc" creates an Inprocess channel for testing.
*/
private static ConfigSource buildConfigSource(String targetUri, String channelType) {
GrpcService.GoogleGrpc.Builder googleGrpcBuilder =
GrpcService.GoogleGrpc.newBuilder().setTargetUri(targetUri);
if (channelType != null) {
Struct.Builder structBuilder = Struct.newBuilder();
structBuilder.putFields(
"channelType", Value.newBuilder().setStringValue(channelType).build());
googleGrpcBuilder.setConfig(structBuilder.build());
}
return ConfigSource.newBuilder()
.setApiConfigSource(
ApiConfigSource.newBuilder()
.setApiType(ApiConfigSource.ApiType.GRPC)
.addGrpcServices(GrpcService.newBuilder().setGoogleGrpc(googleGrpcBuilder))
.build())
.build();
}
static CommonTlsContext buildCommonTlsContextFromSdsConfigForValidationContext( static CommonTlsContext buildCommonTlsContextFromSdsConfigForValidationContext(
String name, String targetUri, String privateKey, String certChain) { String name, String targetUri, String privateKey, String certChain) {
SdsSecretConfig sdsSecretConfig = SdsSecretConfig sdsSecretConfig =
@ -97,12 +167,57 @@ public class CommonTlsContextTestsUtil {
/** takes additional values and creates CombinedCertificateValidationContext as needed. */ /** takes additional values and creates CombinedCertificateValidationContext as needed. */
@SuppressWarnings("deprecation") @SuppressWarnings("deprecation")
static io.envoyproxy.envoy.api.v2.auth.CommonTlsContext
buildCommonTlsContextWithAdditionalValuesV2(
String certName,
String certTargetUri,
String validationContextName,
String validationContextTargetUri,
Iterable<String> verifySubjectAltNames,
Iterable<String> alpnNames,
String channelType) {
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.Builder builder =
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.newBuilder();
io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig =
buildSdsSecretConfigV2(certName, certTargetUri, channelType);
if (sdsSecretConfig != null) {
builder.addTlsCertificateSdsSecretConfigs(sdsSecretConfig);
}
sdsSecretConfig =
buildSdsSecretConfigV2(validationContextName, validationContextTargetUri, channelType);
io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext certValidationContext =
verifySubjectAltNames == null ? null
: io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.newBuilder()
.addAllVerifySubjectAltName(verifySubjectAltNames).build();
if (sdsSecretConfig != null && certValidationContext != null) {
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext.Builder
combinedBuilder =
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext
.newBuilder()
.setDefaultValidationContext(certValidationContext)
.setValidationContextSdsSecretConfig(sdsSecretConfig);
builder.setCombinedValidationContext(combinedBuilder);
} else if (sdsSecretConfig != null) {
builder.setValidationContextSdsSecretConfig(sdsSecretConfig);
} else if (certValidationContext != null) {
builder.setValidationContext(certValidationContext);
}
if (alpnNames != null) {
builder.addAllAlpnProtocols(alpnNames);
}
return builder.build();
}
/** takes additional values and creates CombinedCertificateValidationContext as needed. */
static CommonTlsContext buildCommonTlsContextWithAdditionalValues( static CommonTlsContext buildCommonTlsContextWithAdditionalValues(
String certName, String certName,
String certTargetUri, String certTargetUri,
String validationContextName, String validationContextName,
String validationContextTargetUri, String validationContextTargetUri,
Iterable<String> verifySubjectAltNames, Iterable<StringMatcher> matchSubjectAltNames,
Iterable<String> alpnNames, Iterable<String> alpnNames,
String channelType) { String channelType) {
@ -115,10 +230,11 @@ public class CommonTlsContextTestsUtil {
sdsSecretConfig = sdsSecretConfig =
buildSdsSecretConfig(validationContextName, validationContextTargetUri, channelType); buildSdsSecretConfig(validationContextName, validationContextTargetUri, channelType);
CertificateValidationContext certValidationContext = CertificateValidationContext certValidationContext =
verifySubjectAltNames == null ? null matchSubjectAltNames == null
? null
: CertificateValidationContext.newBuilder() : CertificateValidationContext.newBuilder()
.addAllVerifySubjectAltName(verifySubjectAltNames).build(); .addAllMatchSubjectAltNames(matchSubjectAltNames)
.build();
if (sdsSecretConfig != null && certValidationContext != null) { if (sdsSecretConfig != null && certValidationContext != null) {
CombinedCertificateValidationContext.Builder combinedBuilder = CombinedCertificateValidationContext.Builder combinedBuilder =
CombinedCertificateValidationContext.newBuilder() CombinedCertificateValidationContext.newBuilder()
@ -136,6 +252,18 @@ public class CommonTlsContextTestsUtil {
return builder.build(); return builder.build();
} }
/** Helper method to build DownstreamTlsContext for multiple test classes. */
static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext buildDownstreamTlsContextV2(
io.envoyproxy.envoy.api.v2.auth.CommonTlsContext commonTlsContext,
boolean requireClientCert) {
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext =
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder()
.setCommonTlsContext(commonTlsContext)
.setRequireClientCertificate(BoolValue.of(requireClientCert))
.build();
return downstreamTlsContext;
}
/** Helper method to build DownstreamTlsContext for multiple test classes. */ /** Helper method to build DownstreamTlsContext for multiple test classes. */
static DownstreamTlsContext buildDownstreamTlsContext( static DownstreamTlsContext buildDownstreamTlsContext(
CommonTlsContext commonTlsContext, boolean requireClientCert) { CommonTlsContext commonTlsContext, boolean requireClientCert) {
@ -154,9 +282,19 @@ public class CommonTlsContextTestsUtil {
buildDownstreamTlsContext(commonTlsContext, requireClientCert)); buildDownstreamTlsContext(commonTlsContext, requireClientCert));
} }
/** Helper method for creating DownstreamTlsContext values for tests. */ /** Helper method for creating DownstreamTlsContext values with names. */
public static DownstreamTlsContext buildTestDownstreamTlsContext() { public static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext
return buildTestDownstreamTlsContext("google-sds-config-default", "ROOTCA"); buildTestDownstreamTlsContextV2(String certName, String validationContextName) {
return buildDownstreamTlsContextV2(
buildCommonTlsContextWithAdditionalValuesV2(
certName,
"unix:/var/run/sds/uds_path",
validationContextName,
"unix:/var/run/sds/uds_path",
Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"),
Arrays.asList("managed-tls"),
null),
/* requireClientCert= */ false);
} }
/** Helper method for creating DownstreamTlsContext values with names. */ /** Helper method for creating DownstreamTlsContext values with names. */
@ -168,7 +306,10 @@ public class CommonTlsContextTestsUtil {
"unix:/var/run/sds/uds_path", "unix:/var/run/sds/uds_path",
validationContextName, validationContextName,
"unix:/var/run/sds/uds_path", "unix:/var/run/sds/uds_path",
Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"), Arrays.asList(
StringMatcher.newBuilder()
.setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")
.build()),
Arrays.asList("managed-tls"), Arrays.asList("managed-tls"),
null), null),
/* requireClientCert= */ false); /* requireClientCert= */ false);

22
xds/src/test/java/io/grpc/xds/internal/sds/SdsClientFileBasedMetadataTest.java
View File

@ -27,22 +27,23 @@ import com.google.common.io.Files;
import com.google.common.util.concurrent.MoreExecutors; import com.google.common.util.concurrent.MoreExecutors;
import com.google.protobuf.Struct; import com.google.protobuf.Struct;
import com.google.protobuf.Value; import com.google.protobuf.Value;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.grpc.Metadata; import io.grpc.Metadata;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import org.junit.After; import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Ignore;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.TemporaryFolder; import org.junit.rules.TemporaryFolder;
@ -51,6 +52,7 @@ import org.junit.runners.JUnit4;
/** Unit tests for {@link SdsClient} and {@link FileBasedPluginCredential}. */ /** Unit tests for {@link SdsClient} and {@link FileBasedPluginCredential}. */
@RunWith(JUnit4.class) @RunWith(JUnit4.class)
@Ignore // FIXME(#7166): fix the test when FileBasedPluginCredential for xds V3 is implemented.
public class SdsClientFileBasedMetadataTest { public class SdsClientFileBasedMetadataTest {
/** /**
@ -110,7 +112,7 @@ public class SdsClientFileBasedMetadataTest {
MetadataCredentialsFromPlugin.Builder metadataCredBuilder = MetadataCredentialsFromPlugin.Builder metadataCredBuilder =
MetadataCredentialsFromPlugin.newBuilder().setName(pluginName); MetadataCredentialsFromPlugin.newBuilder().setName(pluginName);
metadataCredBuilder.setConfig(configStructBuilder); // metadataCredBuilder.setConfig(configStructBuilder);
CallCredentials.Builder callCredBuilder = CallCredentials.Builder callCredBuilder =
CallCredentials.newBuilder().setFromPlugin(metadataCredBuilder); CallCredentials.newBuilder().setFromPlugin(metadataCredBuilder);

18
xds/src/test/java/io/grpc/xds/internal/sds/SdsClientTest.java
View File

@ -37,16 +37,16 @@ import com.google.protobuf.ByteString;
import com.google.protobuf.Struct; import com.google.protobuf.Struct;
import com.google.protobuf.Value; import com.google.protobuf.Value;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest; import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.config.core.v3.GrpcService.GoogleGrpc;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.Status; import io.grpc.Status;
import io.grpc.Status.Code; import io.grpc.Status.Code;
import io.grpc.internal.testing.TestUtils; import io.grpc.internal.testing.TestUtils;

6
xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsFileBasedMetadataTest.java
View File

@ -24,9 +24,9 @@ import static org.mockito.Mockito.mock;
import com.google.common.io.Files; import com.google.common.io.Files;
import com.google.common.util.concurrent.MoreExecutors; import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.netty.channel.epoll.Epoll; import io.netty.channel.epoll.Epoll;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
@ -35,6 +35,7 @@ import java.util.concurrent.TimeUnit;
import org.junit.After; import org.junit.After;
import org.junit.Assume; import org.junit.Assume;
import org.junit.Before; import org.junit.Before;
import org.junit.Ignore;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.TemporaryFolder; import org.junit.rules.TemporaryFolder;
@ -43,6 +44,7 @@ import org.junit.runners.JUnit4;
/** Unit tests for {@link SdsClient} & {@link FileBasedPluginCredential} using UDS transport. */ /** Unit tests for {@link SdsClient} & {@link FileBasedPluginCredential} using UDS transport. */
@RunWith(JUnit4.class) @RunWith(JUnit4.class)
@Ignore // FIXME(#7166): fix the test when FileBasedPluginCredential for xds V3 is implemented
public class SdsClientUdsFileBasedMetadataTest { public class SdsClientUdsFileBasedMetadataTest {
private static final String SDSCLIENT_TEST_SOCKET = "/tmp/sdsclient-test.socket"; private static final String SDSCLIENT_TEST_SOCKET = "/tmp/sdsclient-test.socket";

10
xds/src/test/java/io/grpc/xds/internal/sds/SdsClientUdsTest.java
View File

@ -28,12 +28,12 @@ import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import com.google.common.util.concurrent.MoreExecutors; import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.envoyproxy.envoy.api.v2.auth.Secret;
import io.envoyproxy.envoy.api.v2.core.ApiConfigSource;
import io.envoyproxy.envoy.api.v2.core.ConfigSource;
import io.envoyproxy.envoy.api.v2.core.GrpcService;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.config.core.v3.ApiConfigSource;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.GrpcService;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.netty.channel.epoll.Epoll; import io.netty.channel.epoll.Epoll;
import java.io.IOException; import java.io.IOException;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;

21
xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java
View File

@ -29,10 +29,10 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.core.DataSource; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.grpc.Attributes; import io.grpc.Attributes;
import io.grpc.internal.testing.TestUtils; import io.grpc.internal.testing.TestUtils;
import io.grpc.netty.GrpcHttp2ConnectionHandler; import io.grpc.netty.GrpcHttp2ConnectionHandler;
@ -102,10 +102,12 @@ public class SdsProtocolNegotiatorsTest {
/** Builds DownstreamTlsContext from commonTlsContext. */ /** Builds DownstreamTlsContext from commonTlsContext. */
private static DownstreamTlsContext buildDownstreamTlsContext(CommonTlsContext commonTlsContext) { private static DownstreamTlsContext buildDownstreamTlsContext(CommonTlsContext commonTlsContext) {
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext = io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder() downstreamTlsContext =
.setCommonTlsContext(commonTlsContext) io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
.build(); .newBuilder()
.setCommonTlsContext(commonTlsContext)
.build();
return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(downstreamTlsContext); return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(downstreamTlsContext);
} }
@ -255,7 +257,8 @@ public class SdsProtocolNegotiatorsTest {
pipeline = channel.pipeline(); pipeline = channel.pipeline();
DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext downstreamTlsContext =
DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext( DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.getDefaultInstance()); io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
.getDefaultInstance());
XdsClientWrapperForServerSds xdsClientWrapperForServerSds = XdsClientWrapperForServerSds xdsClientWrapperForServerSds =
XdsClientWrapperForServerSdsTest.createXdsClientWrapperForServerSds( XdsClientWrapperForServerSdsTest.createXdsClientWrapperForServerSds(

28
xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java
View File

@ -29,8 +29,9 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import com.google.common.util.concurrent.MoreExecutors; import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.envoyproxy.envoy.api.v2.core.Node; import io.envoyproxy.envoy.api.v2.core.Node;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.Status.Code; import io.grpc.Status.Code;
import java.io.IOException; import java.io.IOException;
import java.util.Arrays; import java.util.Arrays;
@ -66,7 +67,7 @@ public class SdsSslContextProviderTest {
private SdsClientSslContextProvider getSdsClientSslContextProvider( private SdsClientSslContextProvider getSdsClientSslContextProvider(
String certName, String certName,
String validationContextName, String validationContextName,
Iterable<String> verifySubjectAltNames, Iterable<StringMatcher> matchSubjectAltNames,
Iterable<String> alpnProtocols) Iterable<String> alpnProtocols)
throws IOException { throws IOException {
@ -76,7 +77,7 @@ public class SdsSslContextProviderTest {
/* certTargetUri= */ "inproc", /* certTargetUri= */ "inproc",
validationContextName, validationContextName,
/* validationContextTargetUri= */ "inproc", /* validationContextTargetUri= */ "inproc",
verifySubjectAltNames, matchSubjectAltNames,
alpnProtocols, alpnProtocols,
/* channelType= */ "inproc"); /* channelType= */ "inproc");
@ -91,7 +92,7 @@ public class SdsSslContextProviderTest {
private SdsServerSslContextProvider getSdsServerSslContextProvider( private SdsServerSslContextProvider getSdsServerSslContextProvider(
String certName, String certName,
String validationContextName, String validationContextName,
Iterable<String> verifySubjectAltNames, Iterable<StringMatcher> matchSubjectAltNames,
Iterable<String> alpnProtocols) Iterable<String> alpnProtocols)
throws IOException { throws IOException {
@ -101,7 +102,7 @@ public class SdsSslContextProviderTest {
/* certTargetUri= */ "inproc", /* certTargetUri= */ "inproc",
validationContextName, validationContextName,
/* validationContextTargetUri= */ "inproc", /* validationContextTargetUri= */ "inproc",
verifySubjectAltNames, matchSubjectAltNames,
alpnProtocols, alpnProtocols,
/* channelType= */ "inproc"); /* channelType= */ "inproc");
@ -139,7 +140,7 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider( getSdsClientSslContextProvider(
/* certName= */ "cert1", /* certName= */ "cert1",
/* validationContextName= */ "valid1", /* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null, /* matchSubjectAltNames= */ null,
/* alpnProtocols= */ null); /* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback = SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider); SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -156,7 +157,7 @@ public class SdsSslContextProviderTest {
getSdsServerSslContextProvider( getSdsServerSslContextProvider(
/* certName= */ "cert1", /* certName= */ "cert1",
/* validationContextName= */ null, /* validationContextName= */ null,
/* verifySubjectAltNames= */ null, /* matchSubjectAltNames= */ null,
/* alpnProtocols= */ null); /* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback = SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider); SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -173,7 +174,7 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider( getSdsClientSslContextProvider(
/* certName= */ null, /* certName= */ null,
/* validationContextName= */ "valid1", /* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null, /* matchSubjectAltNames= */ null,
null); null);
SecretVolumeSslContextProviderTest.TestCallback testCallback = SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider); SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -190,7 +191,7 @@ public class SdsSslContextProviderTest {
getSdsServerSslContextProvider( getSdsServerSslContextProvider(
/* certName= */ null, /* certName= */ null,
/* validationContextName= */ "valid1", /* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null, /* matchSubjectAltNames= */ null,
/* alpnProtocols= */ null); /* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback = SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider); SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -215,7 +216,10 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider( getSdsClientSslContextProvider(
/* certName= */ "cert1", /* certName= */ "cert1",
/* validationContextName= */ "valid1", /* validationContextName= */ "valid1",
Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"), Arrays.asList(
StringMatcher.newBuilder()
.setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")
.build()),
/* alpnProtocols= */ null); /* alpnProtocols= */ null);
SecretVolumeSslContextProviderTest.TestCallback testCallback = SecretVolumeSslContextProviderTest.TestCallback testCallback =
@ -234,7 +238,7 @@ public class SdsSslContextProviderTest {
getSdsClientSslContextProvider( getSdsClientSslContextProvider(
/* certName= */ "cert1", /* certName= */ "cert1",
/* validationContextName= */ "valid1", /* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null, /* matchSubjectAltNames= */ null,
/* alpnProtocols= */ Arrays.asList("managed-mtls", "h2")); /* alpnProtocols= */ Arrays.asList("managed-mtls", "h2"));
SecretVolumeSslContextProviderTest.TestCallback testCallback = SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider); SecretVolumeSslContextProviderTest.getValueThruCallback(provider);
@ -254,7 +258,7 @@ public class SdsSslContextProviderTest {
getSdsServerSslContextProvider( getSdsServerSslContextProvider(
/* certName= */ "cert1", /* certName= */ "cert1",
/* validationContextName= */ "valid1", /* validationContextName= */ "valid1",
/* verifySubjectAltNames= */ null, /* matchSubjectAltNames= */ null,
/* alpnProtocols= */ Arrays.asList("managed-mtls", "h2")); /* alpnProtocols= */ Arrays.asList("managed-mtls", "h2"));
SecretVolumeSslContextProviderTest.TestCallback testCallback = SecretVolumeSslContextProviderTest.TestCallback testCallback =
SecretVolumeSslContextProviderTest.getValueThruCallback(provider); SecretVolumeSslContextProviderTest.getValueThruCallback(provider);

6
xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java
View File

@ -24,9 +24,9 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FI
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import com.google.common.util.concurrent.MoreExecutors; import com.google.common.util.concurrent.MoreExecutors;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.api.v2.auth.TlsCertificate; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.core.DataSource; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContext;
import java.io.IOException; import java.io.IOException;
import java.security.cert.CertStoreException; import java.security.cert.CertStoreException;

2
xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java
View File

@ -21,7 +21,7 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import io.envoyproxy.envoy.api.v2.auth.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;

2
xds/src/test/java/io/grpc/xds/internal/sds/TestSdsServer.java
View File

@ -25,7 +25,7 @@ import com.google.protobuf.ByteString;
import com.google.protobuf.ProtocolStringList; import com.google.protobuf.ProtocolStringList;
import io.envoyproxy.envoy.api.v2.DiscoveryRequest; import io.envoyproxy.envoy.api.v2.DiscoveryRequest;
import io.envoyproxy.envoy.api.v2.DiscoveryResponse; import io.envoyproxy.envoy.api.v2.DiscoveryResponse;
import io.envoyproxy.envoy.api.v2.auth.Secret; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.Secret;
import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc; import io.envoyproxy.envoy.service.discovery.v2.SecretDiscoveryServiceGrpc;
import io.grpc.ForwardingServerCall.SimpleForwardingServerCall; import io.grpc.ForwardingServerCall.SimpleForwardingServerCall;
import io.grpc.Metadata; import io.grpc.Metadata;

4
xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsTrustManagerFactoryTest.java
View File

@ -24,8 +24,8 @@ import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import com.google.protobuf.ByteString; import com.google.protobuf.ByteString;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.api.v2.core.DataSource; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.internal.testing.TestUtils; import io.grpc.internal.testing.TestUtils;
import java.io.IOException; import java.io.IOException;
import java.security.cert.CertStoreException; import java.security.cert.CertStoreException;

179
xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
View File

@ -19,7 +19,6 @@ package io.grpc.xds.internal.sds.trust;
import static com.google.common.truth.Truth.assertThat; import static com.google.common.truth.Truth.assertThat;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.BAD_SERVER_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.BAD_SERVER_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE; import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import static org.mockito.Mockito.CALLS_REAL_METHODS; import static org.mockito.Mockito.CALLS_REAL_METHODS;
@ -29,9 +28,8 @@ import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.internal.testing.TestUtils; import io.grpc.internal.testing.TestUtils;
import java.io.FileNotFoundException;
import java.io.IOException; import java.io.IOException;
import java.security.cert.CertStoreException; import java.security.cert.CertStoreException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
@ -53,6 +51,7 @@ import sun.security.validator.ValidatorException;
/** /**
* Unit tests for {@link SdsX509TrustManager}. * Unit tests for {@link SdsX509TrustManager}.
*/ */
// TODO(#7166): add more tests when xds v3 is implemented.
@RunWith(JUnit4.class) @RunWith(JUnit4.class)
public class SdsX509TrustManagerTest { public class SdsX509TrustManagerTest {
@ -84,180 +83,6 @@ public class SdsX509TrustManagerTest {
trustManager.verifySubjectAltNameInChain(certs); trustManager.verifySubjectAltNameInChain(certs);
} }
@Test
@SuppressWarnings("deprecation")
public void missingPeerCerts() throws CertificateException, FileNotFoundException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
try {
trustManager.verifySubjectAltNameInChain(null);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
}
}
@Test
@SuppressWarnings("deprecation")
public void emptyArrayPeerCerts() throws CertificateException, FileNotFoundException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
try {
trustManager.verifySubjectAltNameInChain(new X509Certificate[0]);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
}
}
@Test
@SuppressWarnings("deprecation")
public void noSansInPeerCerts() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(CLIENT_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test
@SuppressWarnings("deprecation")
public void oneSanInPeerCertsVerifies() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("waterzooi.test.google.be")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void oneSanInPeerCertsVerifiesMultipleVerifySans()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("waterzooi.test.google.be")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void oneSanInPeerCertsNotFoundException()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder().addVerifySubjectAltName("x.foo.com").build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test
@SuppressWarnings("deprecation")
public void wildcardSanInPeerCertsVerifiesMultipleVerifySans()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("abc.test.youtube.com") // should match *.test.youtube.com
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void wildcardSanInPeerCertsVerifiesMultipleVerifySans1()
throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("abc.test.google.fr") // should match *.test.google.fr
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void wildcardSanInPeerCertsSubdomainMismatch()
throws CertificateException, IOException {
// 2. Asterisk (*) cannot match across domain name labels.
// For example, *.example.com matches test.example.com but does not match
// sub.test.example.com.
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("sub.abc.test.youtube.com")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test
@SuppressWarnings("deprecation")
public void oneIpAddressInPeerCertsVerifies() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("192.168.1.3")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
trustManager.verifySubjectAltNameInChain(certs);
}
@Test
@SuppressWarnings("deprecation")
public void oneIpAddressInPeerCertsMismatch() throws CertificateException, IOException {
CertificateValidationContext certContext =
CertificateValidationContext.newBuilder()
.addVerifySubjectAltName("x.foo.com")
.addVerifySubjectAltName("192.168.2.3")
.build();
trustManager = new SdsX509TrustManager(certContext, mockDelegate);
X509Certificate[] certs =
CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
try {
trustManager.verifySubjectAltNameInChain(certs);
fail("no exception thrown");
} catch (CertificateException expected) {
assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
}
}
@Test @Test
public void checkServerTrustedSslEngine() public void checkServerTrustedSslEngine()
throws CertificateException, IOException, CertStoreException { throws CertificateException, IOException, CertStoreException {