From 010d19494805688432900d8827a53f89cb02d54b Mon Sep 17 00:00:00 2001
From: Jae Kim
Date: Wed, 13 Jun 2018 22:09:41 -0700
Subject: [PATCH 01/55] clusters and listeners read static secrets from Bootstrap.static_resources

Signed-off-by: Jae Kim
---
 include/envoy/upstream/cluster_manager.h | 6 +-
 .../common/upstream/cluster_manager_impl.cc | 20 +++--
 source/common/upstream/cluster_manager_impl.h | 10 ++-
 source/common/upstream/eds.cc | 2 +-
 source/common/upstream/eds.h | 2 +-
 source/common/upstream/logical_dns_cluster.h | 4 +-
 source/common/upstream/original_dst_cluster.h | 3 +-
 source/common/upstream/upstream_impl.cc | 33 ++++----
 source/common/upstream/upstream_impl.h | 7 +-
 .../config_validation/cluster_manager.cc | 12 +--
 .../config_validation/cluster_manager.h | 5 +-
 source/server/configuration_impl.cc | 2 +-
 .../upstream/cluster_manager_impl_test.cc | 75 ++++++++++---------
 test/common/upstream/eds_test.cc | 4 +-
 .../upstream/logical_dns_cluster_test.cc | 3 +-
 .../upstream/original_dst_cluster_test.cc | 4 +-
 test/common/upstream/sds_test.cc | 4 +-
 test/common/upstream/upstream_impl_test.cc | 57 +++++++++-----
 .../config_validation/cluster_manager_test.cc | 2 +-
 19 files changed, 151 insertions(+), 104 deletions(-)

diff --git a/include/envoy/upstream/cluster_manager.h b/include/envoy/upstream/cluster_manager.h
index f2ec6e672953..de4eda328e68 100644
--- a/include/envoy/upstream/cluster_manager.h
+++ b/include/envoy/upstream/cluster_manager.h
@@ -237,7 +237,8 @@ class ClusterManagerFactory { clusterManagerFromProto(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin) PURE; + AccessLog::AccessLogManager& log_manager, Server::Admin& admin, + Secret::SecretManager& secret_manager) PURE; /** * Allocate an HTTP connection pool for the host. Pools are separated by 'priority', @@ -254,7 +255,8 @@ class ClusterManagerFactory { virtual ClusterSharedPtr clusterFromProto(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api) PURE; + bool added_via_api, + Secret::SecretManager& secret_manager) PURE; /** * Create a CDS API provider from configuration proto. diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 2c28735fee4b..289ca8ed28dc 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc 
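Review bot: The new `Secret::SecretManager& secret_manager` parameter on `clusterManagerFromProto` and on `clusterFromProto` (second hunk) is not described in the Doxygen blocks that precede these declarations, and the same factory also exposes a `secretManager()` accessor (used as `cm.clusterManagerFactory().secretManager()` in upstream_impl.cc), so a reader cannot tell which of the two a cluster's secrets are resolved against. Add `@param secret_manager` to both comments, e.g. `* @param secret_manager source of the static secrets (Bootstrap.static_resources) the created object resolves its secret references against; the caller keeps it alive for the object's lifetime.`, and state in the class comment whether implementations should use this parameter or `secretManager()`. The Doxygen blocks themselves start outside the hunks.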
@@ -171,14 +171,16 @@ ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v2::Boots AccessLog::AccessLogManager& log_manager, Event::Dispatcher& main_thread_dispatcher, Server::Admin& admin, SystemTimeSource& system_time_source, - MonotonicTimeSource& monotonic_time_source) + MonotonicTimeSource& monotonic_time_source, + Secret::SecretManager& secret_manager) : factory_(factory), runtime_(runtime), stats_(stats), tls_(tls.allocateSlot()), random_(random), bind_config_(bootstrap.cluster_manager().upstream_bind_config()), local_info_(local_info), cm_stats_(generateStats(stats)), init_helper_([this](Cluster& cluster) { onClusterInit(cluster); }), config_tracker_entry_( admin.getConfigTracker().add("clusters", [this] { return dumpClusterConfigs(); })), - system_time_source_(system_time_source) { + system_time_source_(system_time_source), + secret_manager_(secret_manager) { async_client_manager_ = std::make_unique(*this, tls); const auto& cm_config = bootstrap.cluster_manager(); if (cm_config.has_outlier_detection()) { @@ -473,8 +475,8 @@ bool ClusterManagerImpl::removeCluster(const std::string& cluster_name) { void ClusterManagerImpl::loadCluster(const envoy::api::v2::Cluster& cluster, const std::string& version_info, bool added_via_api, ClusterMap& cluster_map) { - ClusterSharedPtr new_cluster = - factory_.clusterFromProto(cluster, *this, outlier_event_logger_, added_via_api); + ClusterSharedPtr new_cluster = factory_.clusterFromProto(cluster, *this, outlier_event_logger_, + added_via_api, secret_manager_); if (!added_via_api) { if (cluster_map.find(new_cluster->info()->name()) != cluster_map.end()) { 
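Review bot: `secret_manager_(secret_manager)` in the `ClusterManagerImpl` constructor stores a reference to an object the cluster manager does not own, and neither this hunk nor the header change documents that the `Secret::SecretManager` must outlive the cluster manager. This object is presumably consulted whenever a cluster resolves a secret reference, so a dangling reference here would surface as a use-after-free on the secret path rather than as a benign bug. Add `// Not owned; the caller guarantees the SecretManager outlives this ClusterManagerImpl.` beside the `secret_manager_` member declaration in cluster_manager_impl.h (that hunk is garbled in this view). The constructor body continues outside the hunk.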
@@ -954,11 +956,12 @@ ClusterManagerPtr ProdClusterManagerFactory::clusterManagerFromProto( const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, AccessLog::AccessLogManager& log_manager, - Server::Admin& admin) { + Server::Admin& admin, Secret::SecretManager& secret_manager) { return ClusterManagerPtr{new ClusterManagerImpl(bootstrap, *this, stats, tls, runtime, random, local_info, log_manager, main_thread_dispatcher_, admin, ProdSystemTimeSource::instance_, - ProdMonotonicTimeSource::instance_)}; + ProdMonotonicTimeSource::instance_, + secret_manager)}; } Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( @@ -976,10 +979,11 @@ Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( ClusterSharedPtr ProdClusterManagerFactory::clusterFromProto( const envoy::api::v2::Cluster& cluster, ClusterManager& cm, - Outlier::EventLoggerSharedPtr outlier_event_logger, bool added_via_api) { + Outlier::EventLoggerSharedPtr outlier_event_logger, bool added_via_api, + Secret::SecretManager& secret_manager) { return ClusterImplBase::create(cluster, cm, stats_, tls_, dns_resolver_, ssl_context_manager_, runtime_, random_, main_thread_dispatcher_, local_info_, - outlier_event_logger, added_via_api); + outlier_event_logger, added_via_api, secret_manager); } CdsApiPtr ProdClusterManagerFactory::createCds( diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index 4bbffe3adf22..655453bea991 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h 
@@ -48,14 +48,16 @@ class ProdClusterManagerFactory : public ClusterManagerFactory { clusterManagerFromProto(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin) override; + AccessLog::AccessLogManager& log_manager, Server::Admin& admin, + Secret::SecretManager& secret_manager) override; Http::ConnectionPool::InstancePtr allocateConnPool(Event::Dispatcher& dispatcher, HostConstSharedPtr host, ResourcePriority priority, Http::Protocol protocol, const Network::ConnectionSocket::OptionsSharedPtr& options) override; ClusterSharedPtr clusterFromProto(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api) override; + bool added_via_api, + Secret::SecretManager& secret_manager) override; CdsApiPtr createCds(const envoy::api::v2::core::ConfigSource& cds_config, const absl::optional& eds_config, ClusterManager& cm) override; @@ -157,7 +159,8 @@ class ClusterManagerImpl : public ClusterManager, Logger::Loggable #include +#include "envoy/secret/secret_manager.h" #include "envoy/thread_local/thread_local.h" #include "common/common/empty_string.h" @@ -31,7 +32,8 @@ class LogicalDnsCluster : public ClusterImplBase { LogicalDnsCluster(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, ThreadLocal::SlotAllocator& tls, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api); + ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, + Secret::SecretManager& secret_manager); ~LogicalDnsCluster(); 
diff --git a/source/common/upstream/original_dst_cluster.h b/source/common/upstream/original_dst_cluster.h index 5cb5107a3a4a..86b008426deb 100644 --- a/source/common/upstream/original_dst_cluster.h +++ b/source/common/upstream/original_dst_cluster.h @@ -25,7 +25,8 @@ class OriginalDstCluster : public ClusterImplBase { public: OriginalDstCluster(const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api); + ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, + Secret::SecretManager& secret_manager); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index ab14e685f0b2..935650164a37 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc 
@@ -354,15 +354,13 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, } } -ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, - Stats::Store& stats, ThreadLocal::Instance& tls, - Network::DnsResolverSharedPtr dns_resolver, - Ssl::ContextManager& ssl_context_manager, - Runtime::Loader& runtime, Runtime::RandomGenerator& random, - Event::Dispatcher& dispatcher, - const LocalInfo::LocalInfo& local_info, - Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api) { +ClusterSharedPtr ClusterImplBase::create( + const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Stats::Store& stats, + ThreadLocal::Instance& tls, Network::DnsResolverSharedPtr dns_resolver, + Ssl::ContextManager& ssl_context_manager, Runtime::Loader& runtime, + Runtime::RandomGenerator& random, Event::Dispatcher& dispatcher, + const LocalInfo::LocalInfo& local_info, Outlier::EventLoggerSharedPtr outlier_event_logger, + bool added_via_api, Secret::SecretManager& secret_manager) { std::unique_ptr new_cluster; // We make this a shared pointer to deal with the distinct ownership 
@@ -384,18 +382,18 @@ ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster, switch (cluster.type()) { case envoy::api::v2::Cluster::STATIC: - new_cluster.reset( - new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api)); + new_cluster.reset(new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, + added_via_api, secret_manager)); break; case envoy::api::v2::Cluster::STRICT_DNS: new_cluster.reset(new StrictDnsClusterImpl(cluster, runtime, stats, ssl_context_manager, - selected_dns_resolver, cm, dispatcher, - added_via_api)); + selected_dns_resolver, cm, dispatcher, added_via_api, + secret_manager)); break; case envoy::api::v2::Cluster::LOGICAL_DNS: new_cluster.reset(new LogicalDnsCluster(cluster, runtime, stats, ssl_context_manager, selected_dns_resolver, tls, cm, dispatcher, - added_via_api)); + added_via_api, secret_manager)); break; case envoy::api::v2::Cluster::ORIGINAL_DST: if (cluster.lb_policy() != envoy::api::v2::Cluster::ORIGINAL_DST_LB) { @@ -407,7 +405,7 @@ ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster, "cluster: cluster type 'original_dst' may not be used with lb_subset_config")); } new_cluster.reset(new OriginalDstCluster(cluster, runtime, stats, ssl_context_manager, cm, - dispatcher, added_via_api)); + dispatcher, added_via_api, secret_manager)); break; case envoy::api::v2::Cluster::EDS: if (!cluster.has_eds_cluster_config()) { @@ -416,7 +414,7 @@ ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster, // We map SDS to EDS, since EDS provides backwards compatibility with SDS. new_cluster.reset(new EdsClusterImpl(cluster, runtime, stats, ssl_context_manager, local_info, - cm, dispatcher, random, added_via_api)); + cm, dispatcher, random, added_via_api, secret_manager)); break; default: NOT_REACHED; 
@@ -806,7 +804,8 @@ StrictDnsClusterImpl::StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluste Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, ClusterManager& cm, Event::Dispatcher& dispatcher, - bool added_via_api) + bool added_via_api, + Secret::SecretManager& secret_manager) : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, cm.clusterManagerFactory().secretManager(), added_via_api), dns_resolver_(dns_resolver), diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 6540b8ac4ca8..5e77af10f771 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -420,7 +420,7 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable ClusterSharedPtr { - return ClusterImplBase::create(cluster, cm, stats_, tls_, dns_resolver_, - ssl_context_manager_, runtime_, random_, dispatcher_, - local_info_, outlier_event_logger, added_via_api); - })); + ON_CALL(*this, clusterFromProto_(_, _, _, _, _)) + .WillByDefault( + Invoke([&](const envoy::api::v2::Cluster& cluster, ClusterManager& cm, + Outlier::EventLoggerSharedPtr outlier_event_logger, bool added_via_api, + Secret::SecretManager& secret_manager) -> ClusterSharedPtr { + return ClusterImplBase::create( + cluster, cm, stats_, tls_, dns_resolver_, ssl_context_manager_, runtime_, random_, + dispatcher_, local_info_, outlier_event_logger, added_via_api, secret_manager); + })); } Http::ConnectionPool::InstancePtr 
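Review bot: In the `StrictDnsClusterImpl` constructor the new `secret_manager` parameter is not forwarded to the base: the `BaseDynamicClusterImpl(...)` initializer on the following context lines still passes `cm.clusterManagerFactory().secretManager()`. If the injected manager and the factory's manager are ever different objects, this cluster type resolves its secrets against a source other than the one its creator chose, and as written the new parameter is unused in the visible lines. Replace the base argument with the parameter: `cm.clusterManagerFactory().secretManager(), added_via_api),` becomes `secret_manager, added_via_api),`. The initializer list continues outside the hunk.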
@@ -69,8 +71,9 @@ class TestClusterManagerFactory : public ClusterManagerFactory { ClusterSharedPtr clusterFromProto(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api) override { - return clusterFromProto_(cluster, cm, outlier_event_logger, added_via_api); + bool added_via_api, + Secret::SecretManager& secret_manager) override { + return clusterFromProto_(cluster, cm, outlier_event_logger, added_via_api, secret_manager); } CdsApiPtr createCds(const envoy::api::v2::core::ConfigSource&, 
@@ -83,24 +86,26 @@ class TestClusterManagerFactory : public ClusterManagerFactory { clusterManagerFromProto(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin) override { - return ClusterManagerPtr{clusterManagerFromProto_(bootstrap, stats, tls, runtime, random, - local_info, log_manager, admin)}; + AccessLog::AccessLogManager& log_manager, Server::Admin& admin, + Secret::SecretManager& secret_manager) override { + return ClusterManagerPtr{clusterManagerFromProto_( + bootstrap, stats, tls, runtime, random, local_info, log_manager, admin, secret_manager)}; } Secret::SecretManager& secretManager() override { return secret_manager_; } - MOCK_METHOD8(clusterManagerFromProto_, + MOCK_METHOD9(clusterManagerFromProto_, ClusterManager*(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin)); + AccessLog::AccessLogManager& log_manager, Server::Admin& admin, + Secret::SecretManager& secret_manager)); MOCK_METHOD1(allocateConnPool_, Http::ConnectionPool::Instance*(HostConstSharedPtr host)); - MOCK_METHOD4(clusterFromProto_, + MOCK_METHOD5(clusterFromProto_, ClusterSharedPtr(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api)); + bool added_via_api, Secret::SecretManager& secret_manager)); MOCK_METHOD0(createCds_, CdsApi*()); Stats::IsolatedStoreImpl stats_; 
@@ -109,6 +114,7 @@ class TestClusterManagerFactory : public ClusterManagerFactory { new NiceMock}; NiceMock runtime_; NiceMock random_; + Secret::MockSecretManager secret_manager_; Ssl::ContextManagerImpl ssl_context_manager_{runtime_}; NiceMock dispatcher_; LocalInfo::MockLocalInfo local_info_; @@ -121,7 +127,7 @@ class ClusterManagerImplTest : public testing::Test { cluster_manager_.reset(new ClusterManagerImpl( bootstrap, factory_, factory_.stats_, factory_.tls_, factory_.runtime_, factory_.random_, factory_.local_info_, log_manager_, factory_.dispatcher_, admin_, system_time_source_, - monotonic_time_source_)); + monotonic_time_source_, secret_manager_)); } void checkStats(uint64_t added, uint64_t modified, uint64_t removed, uint64_t active, @@ -149,6 +155,7 @@ class ClusterManagerImplTest : public testing::Test { NiceMock admin_; NiceMock system_time_source_; NiceMock monotonic_time_source_; + Secret::MockSecretManager secret_manager_; }; envoy::config::bootstrap::v2::Bootstrap parseBootstrapFromJson(const std::string& json_string) { @@ -497,7 +504,7 @@ class ClusterManagerImplThreadAwareLbTest : public ClusterManagerImplTest { cluster1->info_->lb_type_ = lb_type; InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); create(parseBootstrapFromJson(json)); 
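Review bot: The fixture's new `Secret::MockSecretManager secret_manager_` is declared as the last member of `ClusterManagerImplTest`, while the `ClusterManagerImpl` created in `create()` with `monotonic_time_source_, secret_manager_` stores that reference (see the `secret_manager_(secret_manager)` initializer in cluster_manager_impl.cc). If `cluster_manager_` is declared earlier in the fixture (its declaration is outside the hunk), reverse member destruction tears down the mock before the cluster manager that still references it. Declaring `secret_manager_` above the `cluster_manager_` member removes the ordering dependence.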
@@ -680,11 +687,11 @@ TEST_F(ClusterManagerImplTest, InitializeOrder) { // This part tests static init. InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cds_cluster)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cds_cluster)); ON_CALL(*cds_cluster, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster2)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster2)); ON_CALL(*cluster2, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Secondary)); EXPECT_CALL(factory_, createCds_()).WillOnce(Return(cds)); EXPECT_CALL(*cds, setInitializedCb(_)); 
@@ -711,16 +718,16 @@ TEST_F(ClusterManagerImplTest, InitializeOrder) { std::shared_ptr cluster5(new NiceMock()); cluster5->info_->name_ = "cluster5"; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster3)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster3)); ON_CALL(*cluster3, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Secondary)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster3"), "version1"); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster4)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster4)); ON_CALL(*cluster4, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*cluster4, initialize(_)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster4"), "version2"); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster5)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster5)); ON_CALL(*cluster5, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Secondary)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster5"), "version3"); @@ -835,7 +842,7 @@ TEST_F(ClusterManagerImplTest, DynamicRemoveWithLocalCluster) { std::shared_ptr foo(new NiceMock()); foo->info_->name_ = "foo"; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, false)).WillOnce(Return(foo)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, false, _)).WillOnce(Return(foo)); ON_CALL(*foo, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*foo, initialize(_)); 
@@ -846,7 +853,7 @@ TEST_F(ClusterManagerImplTest, DynamicRemoveWithLocalCluster) { // cluster in its load balancer. std::shared_ptr cluster1(new NiceMock()); cluster1->info_->name_ = "cluster1"; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, true)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, true, _)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*cluster1, initialize(_)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster1"), ""); @@ -892,7 +899,7 @@ TEST_F(ClusterManagerImplTest, RemoveWarmingCluster) { cluster_manager_->setInitializedCb([&]() -> void { initialized.ready(); }); std::shared_ptr cluster1(new NiceMock()); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(*cluster1, initializePhase()).Times(0); EXPECT_CALL(*cluster1, initialize(_)); EXPECT_TRUE( @@ -940,7 +947,7 @@ TEST_F(ClusterManagerImplTest, DynamicAddRemove) { cluster_manager_->addThreadLocalClusterUpdateCallbacks(*callbacks); std::shared_ptr cluster1(new NiceMock()); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(*cluster1, initializePhase()).Times(0); EXPECT_CALL(*cluster1, initialize(_)); EXPECT_CALL(*callbacks, onClusterAddOrUpdate(_)).Times(1); 
@@ -962,7 +969,7 @@ TEST_F(ClusterManagerImplTest, DynamicAddRemove) { std::shared_ptr cluster2(new NiceMock()); cluster2->prioritySet().getMockHostSet(0)->hosts_ = { makeTestHost(cluster2->info_, "tcp://127.0.0.1:80")}; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster2)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster2)); EXPECT_CALL(*cluster2, initializePhase()).Times(0); EXPECT_CALL(*cluster2, initialize(_)) .WillOnce(Invoke([cluster1](std::function initialize_callback) { @@ -1020,7 +1027,7 @@ TEST_F(ClusterManagerImplTest, addOrUpdateClusterStaticExists) { fmt::sprintf("{%s}", clustersJson({defaultStaticClusterJson("some_cluster")})); std::shared_ptr cluster1(new NiceMock()); InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*cluster1, initialize(_)); @@ -1064,7 +1071,7 @@ TEST_F(ClusterManagerImplTest, CloseHttpConnectionsOnHealthFailure) { { InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(outlier_detector, addChangedStateCb(_)); EXPECT_CALL(*cluster1, initialize(_)) @@ -1136,7 +1143,7 @@ TEST_F(ClusterManagerImplTest, CloseTcpConnectionsOnHealthFailure) { { InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(outlier_detector, addChangedStateCb(_)); EXPECT_CALL(*cluster1, initialize(_)) 
@@ -1208,7 +1215,7 @@ TEST_F(ClusterManagerImplTest, DoNotCloseTcpConnectionsOnHealthFailure) { Network::MockClientConnection* connection1 = new NiceMock(); Host::CreateConnectionData conn_info1; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(outlier_detector, addChangedStateCb(_)); EXPECT_CALL(*cluster1, initialize(_)) diff --git a/test/common/upstream/eds_test.cc b/test/common/upstream/eds_test.cc index ee7e6139444a..d69592d29e84 100644 --- a/test/common/upstream/eds_test.cc +++ b/test/common/upstream/eds_test.cc @@ -47,12 +47,14 @@ class EdsTest : public testing::Test { eds_cluster_ = parseClusterFromV2Yaml(yaml_config); Upstream::ClusterManager::ClusterInfoMap cluster_map; Upstream::MockCluster cluster; + Secret::MockSecretManager secret_manager; cluster_map.emplace("eds", cluster); EXPECT_CALL(cm_, clusters()).WillOnce(Return(cluster_map)); EXPECT_CALL(cluster, info()).Times(2); EXPECT_CALL(*cluster.info_, addedViaApi()); cluster_.reset(new EdsClusterImpl(eds_cluster_, runtime_, stats_, ssl_context_manager_, - local_info_, cm_, dispatcher_, random_, false)); + local_info_, cm_, dispatcher_, random_, false, + secret_manager)); EXPECT_EQ(Cluster::InitializePhase::Secondary, cluster_->initializePhase()); } diff --git a/test/common/upstream/logical_dns_cluster_test.cc b/test/common/upstream/logical_dns_cluster_test.cc index 6f09675f4853..a4fb442a490e 100644 --- a/test/common/upstream/logical_dns_cluster_test.cc +++ b/test/common/upstream/logical_dns_cluster_test.cc 
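Review bot: In `EdsTest` the added `Secret::MockSecretManager secret_manager` is a local of the setup method, but it is handed to the `EdsClusterImpl` stored in the fixture member `cluster_`, which outlives the method; the same pattern appears in logical_dns_cluster_test.cc and original_dst_cluster_test.cc (next hunks) and in sds_test.cc. The cluster constructors' definitions are not in this view, so whether they retain the reference cannot be confirmed here, but a secret manager is the kind of dependency a cluster consults after construction, in which case these tests exercise a dangling reference. Making `secret_manager` a fixture member declared before `cluster_` is safe either way.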
@@ -29,11 +29,12 @@ namespace Upstream { class LogicalDnsClusterTest : public testing::Test { public: void setup(const std::string& json) { + Secret::MockSecretManager secret_manager; resolve_timer_ = new Event::MockTimer(&dispatcher_); NiceMock cm; cluster_.reset(new LogicalDnsCluster(parseClusterFromJson(json), runtime_, stats_store_, ssl_context_manager_, dns_resolver_, tls_, cm, dispatcher_, - false)); + false, secret_manager)); cluster_->prioritySet().addMemberUpdateCb( [&](uint32_t, const HostVector&, const HostVector&) -> void { membership_updated_.ready(); diff --git a/test/common/upstream/original_dst_cluster_test.cc b/test/common/upstream/original_dst_cluster_test.cc index 098723c4d0dd..a3832d048e62 100644 --- a/test/common/upstream/original_dst_cluster_test.cc +++ b/test/common/upstream/original_dst_cluster_test.cc @@ -59,8 +59,10 @@ class OriginalDstClusterTest : public testing::Test { void setup(const std::string& json) { NiceMock cm; + Secret::MockSecretManager secret_manager; cluster_.reset(new OriginalDstCluster(parseClusterFromJson(json), runtime_, stats_store_, - ssl_context_manager_, cm, dispatcher_, false)); + ssl_context_manager_, cm, dispatcher_, false, + secret_manager)); cluster_->prioritySet().addMemberUpdateCb( [&](uint32_t, const HostVector&, const HostVector&) -> void { membership_updated_.ready(); diff --git a/test/common/upstream/sds_test.cc b/test/common/upstream/sds_test.cc index cd01ae7539cc..c8876ec4a483 100644 --- a/test/common/upstream/sds_test.cc +++ b/test/common/upstream/sds_test.cc 
@@ -58,12 +58,14 @@ class SdsTest : public testing::Test { sds_cluster_ = parseSdsClusterFromJson(raw_config, eds_config); Upstream::ClusterManager::ClusterInfoMap cluster_map; Upstream::MockCluster cluster; + Secret::MockSecretManager secret_manager; cluster_map.emplace("sds", cluster); EXPECT_CALL(cm_, clusters()).WillOnce(Return(cluster_map)); EXPECT_CALL(cluster, info()).Times(2); EXPECT_CALL(*cluster.info_, addedViaApi()); cluster_.reset(new EdsClusterImpl(sds_cluster_, runtime_, stats_, ssl_context_manager_, - local_info_, cm_, dispatcher_, random_, false)); + local_info_, cm_, dispatcher_, random_, false, + secret_manager)); EXPECT_EQ(Cluster::InitializePhase::Secondary, cluster_->initializePhase()); } diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index 17888a900630..811f5f43f2ab 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -120,6 +120,7 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { NiceMock dispatcher; NiceMock runtime; ReadyWatcher initialized; + Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { @@ -141,7 +142,7 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { })); NiceMock cm; StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false); + dns_resolver, cm, dispatcher, false, secret_manager); cluster.initialize([&]() -> void { initialized.ready(); }); EXPECT_EQ(2UL, cluster.prioritySet().hostSetsPerPriority()[0]->hosts().size()); EXPECT_EQ(2UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); @@ -156,6 +157,7 @@ TEST(StrictDnsClusterImplTest, ZeroHostsHealthChecker) { NiceMock runtime; NiceMock cm; ReadyWatcher initialized; + Secret::MockSecretManager secret_manager; const std::string yaml = R"EOF( name: name 
@@ -167,7 +169,7 @@ TEST(StrictDnsClusterImplTest, ZeroHostsHealthChecker) { ResolverData resolver(*dns_resolver, dispatcher); StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false); + dns_resolver, cm, dispatcher, false, secret_manager); std::shared_ptr health_checker(new MockHealthChecker()); EXPECT_CALL(*health_checker, start()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); @@ -188,6 +190,7 @@ TEST(StrictDnsClusterImplTest, Basic) { auto dns_resolver = std::make_shared>(); NiceMock dispatcher; NiceMock runtime; + Secret::MockSecretManager secret_manager; // gmock matches in LIFO order which is why these are swapped. ResolverData resolver2(*dns_resolver, dispatcher); @@ -225,7 +228,7 @@ TEST(StrictDnsClusterImplTest, Basic) { NiceMock cm; StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false); + dns_resolver, cm, dispatcher, false, secret_manager); EXPECT_CALL(runtime.snapshot_, getInteger("circuit_breakers.name.default.max_connections", 43)); EXPECT_EQ(43U, cluster.info()->resourceManager(ResourcePriority::Default).connections().max()); EXPECT_CALL(runtime.snapshot_, @@ -329,6 +332,7 @@ TEST(StrictDnsClusterImplTest, HostRemovalActiveHealthSkipped) { NiceMock dispatcher; NiceMock runtime; NiceMock cm; + Secret::MockSecretManager secret_manager; const std::string yaml = R"EOF( name: name @@ -341,7 +345,7 @@ TEST(StrictDnsClusterImplTest, HostRemovalActiveHealthSkipped) { ResolverData resolver(*dns_resolver, dispatcher); StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false); + dns_resolver, cm, dispatcher, false, secret_manager); std::shared_ptr health_checker(new MockHealthChecker()); EXPECT_CALL(*health_checker, start()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); 
@@ -423,6 +427,7 @@ TEST(StaticClusterImplTest, EmptyHostname) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; + Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "staticcluster", @@ -435,7 +440,7 @@ TEST(StaticClusterImplTest, EmptyHostname) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false); + false, secret_manager); cluster.initialize([] {}); EXPECT_EQ(1UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); @@ -447,6 +452,7 @@ TEST(StaticClusterImplTest, AltStatName) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; + Secret::MockSecretManager secret_manager; const std::string yaml = R"EOF( name: staticcluster @@ -459,7 +465,7 @@ TEST(StaticClusterImplTest, AltStatName) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, cm, - false); + false, secret_manager); cluster.initialize([] {}); // Increment a stat and verify it is emitted with alt_stat_name cluster.info()->stats().upstream_rq_total_.inc(); @@ -470,6 +476,7 @@ TEST(StaticClusterImplTest, RingHash) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; + Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "staticcluster", @@ -482,7 +489,7 @@ TEST(StaticClusterImplTest, RingHash) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - true); + true, secret_manager); cluster.initialize([] {}); EXPECT_EQ(1UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); 
@@ -494,6 +501,8 @@ TEST(StaticClusterImplTest, OutlierDetector) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; + Secret::MockSecretManager secret_manager; + const std::string json = R"EOF( { "name": "addressportconfig", @@ -507,7 +516,7 @@ TEST(StaticClusterImplTest, OutlierDetector) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false); + false, secret_manager); Outlier::MockDetector* detector = new Outlier::MockDetector(); EXPECT_CALL(*detector, addChangedStateCb(_)); @@ -541,6 +550,7 @@ TEST(StaticClusterImplTest, HealthyStat) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; + Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "addressportconfig", @@ -554,7 +564,7 @@ TEST(StaticClusterImplTest, HealthyStat) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false); + false, secret_manager); Outlier::MockDetector* outlier_detector = new NiceMock(); cluster.setOutlierDetector(Outlier::DetectorSharedPtr{outlier_detector}); @@ -623,6 +633,7 @@ TEST(StaticClusterImplTest, UrlConfig) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; + Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "addressportconfig", @@ -636,7 +647,7 @@ TEST(StaticClusterImplTest, UrlConfig) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false); + false, secret_manager); cluster.initialize([] {}); EXPECT_EQ(1024U, cluster.info()->resourceManager(ResourcePriority::Default).connections().max()); 
@@ -665,6 +676,7 @@ TEST(StaticClusterImplTest, UrlConfig) { TEST(StaticClusterImplTest, UnsupportedLBType) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; + Secret::MockSecretManager secret_manager; NiceMock runtime; NiceMock cm; const std::string json = R"EOF( @@ -678,14 +690,15 @@ TEST(StaticClusterImplTest, UnsupportedLBType) { } )EOF"; - EXPECT_THROW( - StaticClusterImpl(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, false), - EnvoyException); + EXPECT_THROW(StaticClusterImpl(parseClusterFromJson(json), runtime, stats, ssl_context_manager, + cm, false, secret_manager), + EnvoyException); } TEST(StaticClusterImplTest, MalformedHostIP) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; + Secret::MockSecretManager secret_manager; NiceMock runtime; const std::string yaml = R"EOF( name: name @@ -697,7 +710,7 @@ TEST(StaticClusterImplTest, MalformedHostIP) { NiceMock cm; EXPECT_THROW_WITH_MESSAGE(StaticClusterImpl(parseClusterFromV2Yaml(yaml), runtime, stats, - ssl_context_manager, cm, false), + ssl_context_manager, cm, false, secret_manager), EnvoyException, "malformed IP address: foo.bar.com. Consider setting resolver_name or " "setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'"); @@ -738,6 +751,7 @@ TEST(ClusterDefinitionTest, BadDnsClusterConfig) { TEST(StaticClusterImplTest, SourceAddressPriority) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; + Secret::MockSecretManager secret_manager; NiceMock runtime; envoy::api::v2::Cluster config; config.set_name("staticcluster"); 
@@ -747,7 +761,8 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { // If the cluster manager gets a source address from the bootstrap proto, use it. NiceMock cm; cm.bind_config_.mutable_source_address()->set_address("1.2.3.5"); - StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false); + StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false, + secret_manager); EXPECT_EQ("1.2.3.5:0", cluster.info()->sourceAddress()->asString()); } @@ -756,7 +771,8 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { { // Verify source address from cluster config is used when present. NiceMock cm; - StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false); + StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false, + secret_manager); EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString()); } @@ -764,7 +780,8 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { // The source address from cluster config takes precedence over one from the bootstrap proto. NiceMock cm; cm.bind_config_.mutable_source_address()->set_address("1.2.3.5"); - StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false); + StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false, + secret_manager); EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString()); } } @@ -774,6 +791,7 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { TEST(ClusterImplTest, CloseConnectionsOnHostHealthFailure) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; + Secret::MockSecretManager secret_manager; auto dns_resolver = std::make_shared(); NiceMock dispatcher; NiceMock runtime; 
@@ -789,7 +807,7 @@ TEST(ClusterImplTest, CloseConnectionsOnHostHealthFailure) { hosts: [{ socket_address: { address: foo.bar.com, port_value: 443 }}] )EOF"; StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false); + dns_resolver, cm, dispatcher, false, secret_manager); EXPECT_TRUE(cluster.info()->features() & ClusterInfo::Features::CLOSE_CONNECTIONS_ON_HOST_HEALTH_FAILURE); } @@ -847,6 +865,7 @@ TEST(PrioritySet, Extend) { TEST(ClusterMetadataTest, Metadata) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; + Secret::MockSecretManager secret_manager; auto dns_resolver = std::make_shared(); NiceMock dispatcher; NiceMock runtime; @@ -866,7 +885,7 @@ TEST(ClusterMetadataTest, Metadata) { )EOF"; StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false); + dns_resolver, cm, dispatcher, false, secret_manager); EXPECT_EQ("test_value", Config::Metadata::metadataValue(cluster.info()->metadata(), "com.bar.foo", "baz") .string_value()); diff --git a/test/server/config_validation/cluster_manager_test.cc b/test/server/config_validation/cluster_manager_test.cc index cafd2666a4de..ffae39360a9b 100644 --- a/test/server/config_validation/cluster_manager_test.cc +++ b/test/server/config_validation/cluster_manager_test.cc 
@@ -40,7 +40,7 @@ TEST(ValidationClusterManagerTest, MockedMethods) { AccessLog::MockAccessLogManager log_manager; const envoy::config::bootstrap::v2::Bootstrap bootstrap; ClusterManagerPtr cluster_manager = factory.clusterManagerFromProto( - bootstrap, stats, tls, runtime, random, local_info, log_manager, admin); + bootstrap, stats, tls, runtime, random, local_info, log_manager, admin, secret_manager); EXPECT_EQ(nullptr, cluster_manager->httpConnPoolForCluster("cluster", ResourcePriority::Default, Http::Protocol::Http11, nullptr)); Host::CreateConnectionData data = cluster_manager->tcpConnForCluster("cluster", nullptr); From 262bc4817299ed2ab7512d298abae5da59f8532b Mon Sep 17 00:00:00 2001 From: Jae Kim Date: Thu, 14 Jun 2018 11:56:31 -0700 Subject: [PATCH 02/55] Added secretManager() to ClusterManagerFactory interface Signed-off-by: Jae Kim --- include/envoy/upstream/cluster_manager.h | 6 +- .../common/upstream/cluster_manager_impl.cc | 11 ++- source/common/upstream/cluster_manager_impl.h | 6 +- source/common/upstream/eds.cc | 2 +- source/common/upstream/eds.h | 2 +- source/common/upstream/logical_dns_cluster.h | 4 +- source/common/upstream/original_dst_cluster.h | 3 +- source/common/upstream/upstream_impl.cc | 38 +++++----- source/common/upstream/upstream_impl.h | 7 +- .../config_validation/cluster_manager.cc | 10 +-- .../config_validation/cluster_manager.h | 5 +- source/server/configuration_impl.cc | 2 +- .../upstream/cluster_manager_impl_test.cc | 72 +++++++++---------- test/common/upstream/eds_test.cc | 6 +- .../upstream/logical_dns_cluster_test.cc | 3 +- .../upstream/original_dst_cluster_test.cc | 4 +- test/common/upstream/sds_test.cc | 4 +- test/common/upstream/upstream_impl_test.cc | 56 +++++---------- .../config_validation/cluster_manager_test.cc | 2 +- 19 files changed, 104 insertions(+), 139 deletions(-) diff --git a/include/envoy/upstream/cluster_manager.h b/include/envoy/upstream/cluster_manager.h index de4eda328e68..f2ec6e672953 100644 
--- a/include/envoy/upstream/cluster_manager.h +++ b/include/envoy/upstream/cluster_manager.h @@ -237,8 +237,7 @@ class ClusterManagerFactory { clusterManagerFromProto(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin, - Secret::SecretManager& secret_manager) PURE; + AccessLog::AccessLogManager& log_manager, Server::Admin& admin) PURE; /** * Allocate an HTTP connection pool for the host. Pools are separated by 'priority', @@ -255,8 +254,7 @@ class ClusterManagerFactory { virtual ClusterSharedPtr clusterFromProto(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api, - Secret::SecretManager& secret_manager) PURE; + bool added_via_api) PURE; /** * Create a CDS API provider from configuration proto. diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 289ca8ed28dc..5620dc719716 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc @@ -475,8 +475,8 @@ bool ClusterManagerImpl::removeCluster(const std::string& cluster_name) { void ClusterManagerImpl::loadCluster(const envoy::api::v2::Cluster& cluster, const std::string& version_info, bool added_via_api, ClusterMap& cluster_map) { - ClusterSharedPtr new_cluster = factory_.clusterFromProto(cluster, *this, outlier_event_logger_, - added_via_api, secret_manager_); + ClusterSharedPtr new_cluster = + factory_.clusterFromProto(cluster, *this, outlier_event_logger_, added_via_api); if (!added_via_api) { if (cluster_map.find(new_cluster->info()->name()) != cluster_map.end()) { 
@@ -956,7 +956,7 @@ ClusterManagerPtr ProdClusterManagerFactory::clusterManagerFromProto( const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, AccessLog::AccessLogManager& log_manager, - Server::Admin& admin, Secret::SecretManager& secret_manager) { + Server::Admin& admin) { return ClusterManagerPtr{new ClusterManagerImpl(bootstrap, *this, stats, tls, runtime, random, local_info, log_manager, main_thread_dispatcher_, admin, ProdSystemTimeSource::instance_, @@ -979,11 +979,10 @@ Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( ClusterSharedPtr ProdClusterManagerFactory::clusterFromProto( const envoy::api::v2::Cluster& cluster, ClusterManager& cm, - Outlier::EventLoggerSharedPtr outlier_event_logger, bool added_via_api, - Secret::SecretManager& secret_manager) { + Outlier::EventLoggerSharedPtr outlier_event_logger, bool added_via_api) { return ClusterImplBase::create(cluster, cm, stats_, tls_, dns_resolver_, ssl_context_manager_, runtime_, random_, main_thread_dispatcher_, local_info_, - outlier_event_logger, added_via_api, secret_manager); + outlier_event_logger, added_via_api); } CdsApiPtr ProdClusterManagerFactory::createCds( diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index 655453bea991..621d50f8d92a 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h 
@@ -48,16 +48,14 @@ class ProdClusterManagerFactory : public ClusterManagerFactory { clusterManagerFromProto(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin, - Secret::SecretManager& secret_manager) override; + AccessLog::AccessLogManager& log_manager, Server::Admin& admin) override; Http::ConnectionPool::InstancePtr allocateConnPool(Event::Dispatcher& dispatcher, HostConstSharedPtr host, ResourcePriority priority, Http::Protocol protocol, const Network::ConnectionSocket::OptionsSharedPtr& options) override; ClusterSharedPtr clusterFromProto(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api, - Secret::SecretManager& secret_manager) override; + bool added_via_api) override; CdsApiPtr createCds(const envoy::api::v2::core::ConfigSource& cds_config, const absl::optional& eds_config, ClusterManager& cm) override; diff --git a/source/common/upstream/eds.cc b/source/common/upstream/eds.cc index 728332bd68d1..6f47f4efbf55 100644 --- a/source/common/upstream/eds.cc +++ b/source/common/upstream/eds.cc @@ -21,7 +21,7 @@ EdsClusterImpl::EdsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime:: Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, const LocalInfo::LocalInfo& local_info, ClusterManager& cm, Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, - bool added_via_api, Secret::SecretManager& secret_manager) + bool added_via_api) : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, cm.clusterManagerFactory().secretManager(), added_via_api), cm_(cm), local_info_(local_info), diff --git a/source/common/upstream/eds.h b/source/common/upstream/eds.h index 8f2e40bbbb25..b47cc59034df 100644 
--- a/source/common/upstream/eds.h +++ b/source/common/upstream/eds.h @@ -22,7 +22,7 @@ class EdsClusterImpl : public BaseDynamicClusterImpl, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, const LocalInfo::LocalInfo& local_info, ClusterManager& cm, Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, - bool added_via_api, Secret::SecretManager& secret_manager); + bool added_via_api); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Secondary; } diff --git a/source/common/upstream/logical_dns_cluster.h b/source/common/upstream/logical_dns_cluster.h index 7873013f59a8..138285fe24dc 100644 --- a/source/common/upstream/logical_dns_cluster.h +++ b/source/common/upstream/logical_dns_cluster.h @@ -5,7 +5,6 @@ #include #include -#include "envoy/secret/secret_manager.h" #include "envoy/thread_local/thread_local.h" #include "common/common/empty_string.h" @@ -32,8 +31,7 @@ class LogicalDnsCluster : public ClusterImplBase { LogicalDnsCluster(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, ThreadLocal::SlotAllocator& tls, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, - Secret::SecretManager& secret_manager); + ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api); ~LogicalDnsCluster(); diff --git a/source/common/upstream/original_dst_cluster.h b/source/common/upstream/original_dst_cluster.h index 86b008426deb..5cb5107a3a4a 100644 --- a/source/common/upstream/original_dst_cluster.h +++ b/source/common/upstream/original_dst_cluster.h 
@@ -25,8 +25,7 @@ class OriginalDstCluster : public ClusterImplBase { public: OriginalDstCluster(const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, - Secret::SecretManager& secret_manager); + ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 935650164a37..4c3ce3c92415 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -354,13 +354,15 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, } } -ClusterSharedPtr ClusterImplBase::create( - const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Stats::Store& stats, - ThreadLocal::Instance& tls, Network::DnsResolverSharedPtr dns_resolver, - Ssl::ContextManager& ssl_context_manager, Runtime::Loader& runtime, - Runtime::RandomGenerator& random, Event::Dispatcher& dispatcher, - const LocalInfo::LocalInfo& local_info, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api, Secret::SecretManager& secret_manager) { +ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, + Stats::Store& stats, ThreadLocal::Instance& tls, + Network::DnsResolverSharedPtr dns_resolver, + Ssl::ContextManager& ssl_context_manager, + Runtime::Loader& runtime, Runtime::RandomGenerator& random, + Event::Dispatcher& dispatcher, + const LocalInfo::LocalInfo& local_info, + Outlier::EventLoggerSharedPtr outlier_event_logger, + bool added_via_api) { std::unique_ptr new_cluster; // We make this a shared pointer to deal with the distinct ownership 
@@ -382,18 +384,18 @@ ClusterSharedPtr ClusterImplBase::create( switch (cluster.type()) { case envoy::api::v2::Cluster::STATIC: - new_cluster.reset(new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, - added_via_api, secret_manager)); + new_cluster.reset( + new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api)); break; case envoy::api::v2::Cluster::STRICT_DNS: new_cluster.reset(new StrictDnsClusterImpl(cluster, runtime, stats, ssl_context_manager, - selected_dns_resolver, cm, dispatcher, added_via_api, - secret_manager)); + selected_dns_resolver, cm, dispatcher, + added_via_api)); break; case envoy::api::v2::Cluster::LOGICAL_DNS: new_cluster.reset(new LogicalDnsCluster(cluster, runtime, stats, ssl_context_manager, selected_dns_resolver, tls, cm, dispatcher, - added_via_api, secret_manager)); + added_via_api)); break; case envoy::api::v2::Cluster::ORIGINAL_DST: if (cluster.lb_policy() != envoy::api::v2::Cluster::ORIGINAL_DST_LB) { @@ -405,7 +407,7 @@ ClusterSharedPtr ClusterImplBase::create( "cluster: cluster type 'original_dst' may not be used with lb_subset_config")); } new_cluster.reset(new OriginalDstCluster(cluster, runtime, stats, ssl_context_manager, cm, - dispatcher, added_via_api, secret_manager)); + dispatcher, added_via_api)); break; case envoy::api::v2::Cluster::EDS: if (!cluster.has_eds_cluster_config()) { @@ -414,7 +416,7 @@ ClusterSharedPtr ClusterImplBase::create( // We map SDS to EDS, since EDS provides backwards compatibility with SDS. new_cluster.reset(new EdsClusterImpl(cluster, runtime, stats, ssl_context_manager, local_info, - cm, dispatcher, random, added_via_api, secret_manager)); + cm, dispatcher, random, added_via_api)); break; default: NOT_REACHED; 
@@ -647,8 +649,13 @@ StaticClusterImpl::StaticClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api) +<<<<<<< HEAD : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, cm.clusterManagerFactory().secretManager(), added_via_api), +======= + : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api, + cm.clusterManagerFactory().secretManager()), +>>>>>>> Added secretManager() to ClusterManagerFactory interface initial_hosts_(new HostVector()) { for (const auto& host : cluster.hosts()) { @@ -804,8 +811,7 @@ StrictDnsClusterImpl::StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluste Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, ClusterManager& cm, Event::Dispatcher& dispatcher, - bool added_via_api, - Secret::SecretManager& secret_manager) + bool added_via_api) : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, cm.clusterManagerFactory().secretManager(), added_via_api), dns_resolver_(dns_resolver), diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 5e77af10f771..6540b8ac4ca8 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h 
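Review bot: The StaticClusterImpl hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> Added secretManager() to ClusterManagerFactory interface`) as added lines, so upstream_impl.cc cannot compile as committed. The two sides also disagree on the argument order handed to ClusterImplBase: the HEAD side passes `cm.clusterManagerFactory().secretManager(), added_via_api` while the other side passes `added_via_api, cm.clusterManagerFactory().secretManager()`, and only one can match the base constructor that now takes the SecretManager reference. The StrictDnsClusterImpl hunk in this same file and the EdsClusterImpl change in eds.cc both use the secret-manager-then-bool order, so the resolution should keep a single initializer, `: ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, cm.clusterManagerFactory().secretManager(), added_via_api),`, and delete the three marker lines. Since this is the path that wires TLS secret material into every static cluster, it is worth a build of the exact commit before the series is merged. The constructor body continues past the hunk.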
@@ -420,7 +420,7 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable ClusterSharedPtr { - return ClusterImplBase::create( - cluster, cm, stats_, tls_, dns_resolver_, ssl_context_manager_, runtime_, random_, - dispatcher_, local_info_, outlier_event_logger, added_via_api, secret_manager); - })); + ON_CALL(*this, clusterFromProto_(_, _, _, _)) + .WillByDefault(Invoke([&](const envoy::api::v2::Cluster& cluster, ClusterManager& cm, + Outlier::EventLoggerSharedPtr outlier_event_logger, + bool added_via_api) -> ClusterSharedPtr { + return ClusterImplBase::create(cluster, cm, stats_, tls_, dns_resolver_, + ssl_context_manager_, runtime_, random_, dispatcher_, + local_info_, outlier_event_logger, added_via_api); + })); } Http::ConnectionPool::InstancePtr @@ -71,9 +69,8 @@ class TestClusterManagerFactory : public ClusterManagerFactory { ClusterSharedPtr clusterFromProto(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api, - Secret::SecretManager& secret_manager) override { - return clusterFromProto_(cluster, cm, outlier_event_logger, added_via_api, secret_manager); + bool added_via_api) override { + return clusterFromProto_(cluster, cm, outlier_event_logger, added_via_api); } CdsApiPtr createCds(const envoy::api::v2::core::ConfigSource&, 
@@ -86,10 +83,9 @@ class TestClusterManagerFactory : public ClusterManagerFactory { clusterManagerFromProto(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin, - Secret::SecretManager& secret_manager) override { - return ClusterManagerPtr{clusterManagerFromProto_( - bootstrap, stats, tls, runtime, random, local_info, log_manager, admin, secret_manager)}; + AccessLog::AccessLogManager& log_manager, Server::Admin& admin) override { + return ClusterManagerPtr{clusterManagerFromProto_(bootstrap, stats, tls, runtime, random, + local_info, log_manager, admin)}; } Secret::SecretManager& secretManager() override { return secret_manager_; } @@ -99,13 +95,12 @@ class TestClusterManagerFactory : public ClusterManagerFactory { Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Server::Admin& admin, - Secret::SecretManager& secret_manager)); + AccessLog::AccessLogManager& log_manager, Server::Admin& admin)); MOCK_METHOD1(allocateConnPool_, Http::ConnectionPool::Instance*(HostConstSharedPtr host)); - MOCK_METHOD5(clusterFromProto_, + MOCK_METHOD4(clusterFromProto_, ClusterSharedPtr(const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Outlier::EventLoggerSharedPtr outlier_event_logger, - bool added_via_api, Secret::SecretManager& secret_manager)); + bool added_via_api)); MOCK_METHOD0(createCds_, CdsApi*()); Stats::IsolatedStoreImpl stats_; 
@@ -114,7 +109,6 @@ class TestClusterManagerFactory : public ClusterManagerFactory { new NiceMock}; NiceMock runtime_; NiceMock random_; - Secret::MockSecretManager secret_manager_; Ssl::ContextManagerImpl ssl_context_manager_{runtime_}; NiceMock dispatcher_; LocalInfo::MockLocalInfo local_info_; @@ -504,7 +498,7 @@ class ClusterManagerImplThreadAwareLbTest : public ClusterManagerImplTest { cluster1->info_->lb_type_ = lb_type; InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); create(parseBootstrapFromJson(json)); @@ -687,11 +681,11 @@ TEST_F(ClusterManagerImplTest, InitializeOrder) { // This part tests static init. InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cds_cluster)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cds_cluster)); ON_CALL(*cds_cluster, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster2)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster2)); ON_CALL(*cluster2, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Secondary)); EXPECT_CALL(factory_, createCds_()).WillOnce(Return(cds)); EXPECT_CALL(*cds, setInitializedCb(_)); 
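Review bot: The hunk at -114 deletes the `Secret::MockSecretManager secret_manager_;` member from TestClusterManagerFactory, yet the `secretManager()` override shown as context in the preceding hunk still does `return secret_manager_;`. Unless the member is re-declared somewhere in the class outside this view, the test file no longer compiles, and the production fix (clusters reading `cm.clusterManagerFactory().secretManager()`) would be exercised through a dangling name. If the intent is for the factory to own its own mock, keep `Secret::MockSecretManager secret_manager_;` alongside the other member mocks; if the intent is to source it elsewhere, the override needs to change in the same patch. The class definition extends beyond the hunk.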
@@ -718,16 +712,16 @@ TEST_F(ClusterManagerImplTest, InitializeOrder) { std::shared_ptr cluster5(new NiceMock()); cluster5->info_->name_ = "cluster5"; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster3)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster3)); ON_CALL(*cluster3, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Secondary)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster3"), "version1"); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster4)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster4)); ON_CALL(*cluster4, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*cluster4, initialize(_)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster4"), "version2"); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster5)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster5)); ON_CALL(*cluster5, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Secondary)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster5"), "version3"); @@ -842,7 +836,7 @@ TEST_F(ClusterManagerImplTest, DynamicRemoveWithLocalCluster) { std::shared_ptr foo(new NiceMock()); foo->info_->name_ = "foo"; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, false, _)).WillOnce(Return(foo)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, false)).WillOnce(Return(foo)); ON_CALL(*foo, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*foo, initialize(_)); 
@@ -853,7 +847,7 @@ TEST_F(ClusterManagerImplTest, DynamicRemoveWithLocalCluster) { // cluster in its load balancer. std::shared_ptr cluster1(new NiceMock()); cluster1->info_->name_ = "cluster1"; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, true, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, true)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*cluster1, initialize(_)); cluster_manager_->addOrUpdateCluster(defaultStaticCluster("cluster1"), ""); @@ -899,7 +893,7 @@ TEST_F(ClusterManagerImplTest, RemoveWarmingCluster) { cluster_manager_->setInitializedCb([&]() -> void { initialized.ready(); }); std::shared_ptr cluster1(new NiceMock()); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(*cluster1, initializePhase()).Times(0); EXPECT_CALL(*cluster1, initialize(_)); EXPECT_TRUE( @@ -947,7 +941,7 @@ TEST_F(ClusterManagerImplTest, DynamicAddRemove) { cluster_manager_->addThreadLocalClusterUpdateCallbacks(*callbacks); std::shared_ptr cluster1(new NiceMock()); - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(*cluster1, initializePhase()).Times(0); EXPECT_CALL(*cluster1, initialize(_)); EXPECT_CALL(*callbacks, onClusterAddOrUpdate(_)).Times(1); 
@@ -969,7 +963,7 @@ TEST_F(ClusterManagerImplTest, DynamicAddRemove) { std::shared_ptr cluster2(new NiceMock()); cluster2->prioritySet().getMockHostSet(0)->hosts_ = { makeTestHost(cluster2->info_, "tcp://127.0.0.1:80")}; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster2)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster2)); EXPECT_CALL(*cluster2, initializePhase()).Times(0); EXPECT_CALL(*cluster2, initialize(_)) .WillOnce(Invoke([cluster1](std::function initialize_callback) { @@ -1027,7 +1021,7 @@ TEST_F(ClusterManagerImplTest, addOrUpdateClusterStaticExists) { fmt::sprintf("{%s}", clustersJson({defaultStaticClusterJson("some_cluster")})); std::shared_ptr cluster1(new NiceMock()); InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); ON_CALL(*cluster1, initializePhase()).WillByDefault(Return(Cluster::InitializePhase::Primary)); EXPECT_CALL(*cluster1, initialize(_)); @@ -1071,7 +1065,7 @@ TEST_F(ClusterManagerImplTest, CloseHttpConnectionsOnHealthFailure) { { InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(outlier_detector, addChangedStateCb(_)); EXPECT_CALL(*cluster1, initialize(_)) @@ -1143,7 +1137,7 @@ TEST_F(ClusterManagerImplTest, CloseTcpConnectionsOnHealthFailure) { { InSequence s; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(outlier_detector, addChangedStateCb(_)); EXPECT_CALL(*cluster1, initialize(_)) 
@@ -1215,7 +1209,7 @@ TEST_F(ClusterManagerImplTest, DoNotCloseTcpConnectionsOnHealthFailure) { Network::MockClientConnection* connection1 = new NiceMock(); Host::CreateConnectionData conn_info1; - EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _, _)).WillOnce(Return(cluster1)); + EXPECT_CALL(factory_, clusterFromProto_(_, _, _, _)).WillOnce(Return(cluster1)); EXPECT_CALL(health_checker, addHostCheckCompleteCb(_)); EXPECT_CALL(outlier_detector, addChangedStateCb(_)); EXPECT_CALL(*cluster1, initialize(_)) @@ -2018,4 +2012,4 @@ TEST_F(TcpKeepaliveTest, TcpKeepaliveWithAllOptions) { } // namespace } // namespace Upstream -} // namespace Envoy +} // namespace Envoy \ No newline at end of file diff --git a/test/common/upstream/eds_test.cc b/test/common/upstream/eds_test.cc index d69592d29e84..9a39541ffc5d 100644 --- a/test/common/upstream/eds_test.cc +++ b/test/common/upstream/eds_test.cc @@ -47,14 +47,12 @@ class EdsTest : public testing::Test { eds_cluster_ = parseClusterFromV2Yaml(yaml_config); Upstream::ClusterManager::ClusterInfoMap cluster_map; Upstream::MockCluster cluster; - Secret::MockSecretManager secret_manager; cluster_map.emplace("eds", cluster); EXPECT_CALL(cm_, clusters()).WillOnce(Return(cluster_map)); EXPECT_CALL(cluster, info()).Times(2); EXPECT_CALL(*cluster.info_, addedViaApi()); cluster_.reset(new EdsClusterImpl(eds_cluster_, runtime_, stats_, ssl_context_manager_, - local_info_, cm_, dispatcher_, random_, false, - secret_manager)); + local_info_, cm_, dispatcher_, random_, false)); EXPECT_EQ(Cluster::InitializePhase::Secondary, cluster_->initializePhase()); } @@ -1052,4 +1050,4 @@ TEST_F(EdsTest, MalformedIP) { } } // namespace Upstream -} // namespace Envoy +} // namespace Envoy \ No newline at end of file diff --git a/test/common/upstream/logical_dns_cluster_test.cc b/test/common/upstream/logical_dns_cluster_test.cc index a4fb442a490e..6f09675f4853 100644 --- a/test/common/upstream/logical_dns_cluster_test.cc 
+++ b/test/common/upstream/logical_dns_cluster_test.cc @@ -29,12 +29,11 @@ namespace Upstream { class LogicalDnsClusterTest : public testing::Test { public: void setup(const std::string& json) { - Secret::MockSecretManager secret_manager; resolve_timer_ = new Event::MockTimer(&dispatcher_); NiceMock cm; cluster_.reset(new LogicalDnsCluster(parseClusterFromJson(json), runtime_, stats_store_, ssl_context_manager_, dns_resolver_, tls_, cm, dispatcher_, - false, secret_manager)); + false)); cluster_->prioritySet().addMemberUpdateCb( [&](uint32_t, const HostVector&, const HostVector&) -> void { membership_updated_.ready(); diff --git a/test/common/upstream/original_dst_cluster_test.cc b/test/common/upstream/original_dst_cluster_test.cc index a3832d048e62..098723c4d0dd 100644 --- a/test/common/upstream/original_dst_cluster_test.cc +++ b/test/common/upstream/original_dst_cluster_test.cc @@ -59,10 +59,8 @@ class OriginalDstClusterTest : public testing::Test { void setup(const std::string& json) { NiceMock cm; - Secret::MockSecretManager secret_manager; cluster_.reset(new OriginalDstCluster(parseClusterFromJson(json), runtime_, stats_store_, - ssl_context_manager_, cm, dispatcher_, false, - secret_manager)); + ssl_context_manager_, cm, dispatcher_, false)); cluster_->prioritySet().addMemberUpdateCb( [&](uint32_t, const HostVector&, const HostVector&) -> void { membership_updated_.ready(); diff --git a/test/common/upstream/sds_test.cc b/test/common/upstream/sds_test.cc index c8876ec4a483..cd01ae7539cc 100644 --- a/test/common/upstream/sds_test.cc +++ b/test/common/upstream/sds_test.cc 
@@ -58,14 +58,12 @@ class SdsTest : public testing::Test { sds_cluster_ = parseSdsClusterFromJson(raw_config, eds_config); Upstream::ClusterManager::ClusterInfoMap cluster_map; Upstream::MockCluster cluster; - Secret::MockSecretManager secret_manager; cluster_map.emplace("sds", cluster); EXPECT_CALL(cm_, clusters()).WillOnce(Return(cluster_map)); EXPECT_CALL(cluster, info()).Times(2); EXPECT_CALL(*cluster.info_, addedViaApi()); cluster_.reset(new EdsClusterImpl(sds_cluster_, runtime_, stats_, ssl_context_manager_, - local_info_, cm_, dispatcher_, random_, false, - secret_manager)); + local_info_, cm_, dispatcher_, random_, false)); EXPECT_EQ(Cluster::InitializePhase::Secondary, cluster_->initializePhase()); } diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index 811f5f43f2ab..abda6f9952cf 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -120,7 +120,6 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { NiceMock dispatcher; NiceMock runtime; ReadyWatcher initialized; - Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { @@ -142,7 +141,7 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) { })); NiceMock cm; StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false, secret_manager); + dns_resolver, cm, dispatcher, false); cluster.initialize([&]() -> void { initialized.ready(); }); EXPECT_EQ(2UL, cluster.prioritySet().hostSetsPerPriority()[0]->hosts().size()); EXPECT_EQ(2UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); @@ -157,7 +156,6 @@ TEST(StrictDnsClusterImplTest, ZeroHostsHealthChecker) { NiceMock runtime; NiceMock cm; ReadyWatcher initialized; - Secret::MockSecretManager secret_manager; const std::string yaml = R"EOF( name: name 
@@ -169,7 +167,7 @@ TEST(StrictDnsClusterImplTest, ZeroHostsHealthChecker) { ResolverData resolver(*dns_resolver, dispatcher); StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false, secret_manager); + dns_resolver, cm, dispatcher, false); std::shared_ptr health_checker(new MockHealthChecker()); EXPECT_CALL(*health_checker, start()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); @@ -190,7 +188,6 @@ TEST(StrictDnsClusterImplTest, Basic) { auto dns_resolver = std::make_shared>(); NiceMock dispatcher; NiceMock runtime; - Secret::MockSecretManager secret_manager; // gmock matches in LIFO order which is why these are swapped. ResolverData resolver2(*dns_resolver, dispatcher); @@ -228,7 +225,7 @@ TEST(StrictDnsClusterImplTest, Basic) { NiceMock cm; StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false, secret_manager); + dns_resolver, cm, dispatcher, false); EXPECT_CALL(runtime.snapshot_, getInteger("circuit_breakers.name.default.max_connections", 43)); EXPECT_EQ(43U, cluster.info()->resourceManager(ResourcePriority::Default).connections().max()); EXPECT_CALL(runtime.snapshot_, @@ -332,7 +329,6 @@ TEST(StrictDnsClusterImplTest, HostRemovalActiveHealthSkipped) { NiceMock dispatcher; NiceMock runtime; NiceMock cm; - Secret::MockSecretManager secret_manager; const std::string yaml = R"EOF( name: name @@ -345,7 +341,7 @@ TEST(StrictDnsClusterImplTest, HostRemovalActiveHealthSkipped) { ResolverData resolver(*dns_resolver, dispatcher); StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false, secret_manager); + dns_resolver, cm, dispatcher, false); std::shared_ptr health_checker(new MockHealthChecker()); EXPECT_CALL(*health_checker, start()); EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_)); 
@@ -427,7 +423,6 @@ TEST(StaticClusterImplTest, EmptyHostname) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; - Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "staticcluster", @@ -440,7 +435,7 @@ TEST(StaticClusterImplTest, EmptyHostname) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false, secret_manager); + false); cluster.initialize([] {}); EXPECT_EQ(1UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); @@ -452,7 +447,6 @@ TEST(StaticClusterImplTest, AltStatName) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; - Secret::MockSecretManager secret_manager; const std::string yaml = R"EOF( name: staticcluster @@ -465,7 +459,7 @@ TEST(StaticClusterImplTest, AltStatName) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, cm, - false, secret_manager); + false); cluster.initialize([] {}); // Increment a stat and verify it is emitted with alt_stat_name cluster.info()->stats().upstream_rq_total_.inc(); @@ -476,7 +470,6 @@ TEST(StaticClusterImplTest, RingHash) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; - Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "staticcluster", @@ -489,7 +482,7 @@ TEST(StaticClusterImplTest, RingHash) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - true, secret_manager); + true); cluster.initialize([] {}); EXPECT_EQ(1UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size()); 
@@ -501,7 +494,6 @@ TEST(StaticClusterImplTest, OutlierDetector) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; - Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { @@ -516,7 +508,7 @@ TEST(StaticClusterImplTest, OutlierDetector) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false, secret_manager); + false); Outlier::MockDetector* detector = new Outlier::MockDetector(); EXPECT_CALL(*detector, addChangedStateCb(_)); @@ -550,7 +542,6 @@ TEST(StaticClusterImplTest, HealthyStat) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; - Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "addressportconfig", @@ -564,7 +555,7 @@ TEST(StaticClusterImplTest, HealthyStat) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false, secret_manager); + false); Outlier::MockDetector* outlier_detector = new NiceMock(); cluster.setOutlierDetector(Outlier::DetectorSharedPtr{outlier_detector}); @@ -633,7 +624,6 @@ TEST(StaticClusterImplTest, UrlConfig) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; - Secret::MockSecretManager secret_manager; const std::string json = R"EOF( { "name": "addressportconfig", @@ -647,7 +637,7 @@ TEST(StaticClusterImplTest, UrlConfig) { NiceMock cm; StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, - false, secret_manager); + false); cluster.initialize([] {}); EXPECT_EQ(1024U, cluster.info()->resourceManager(ResourcePriority::Default).connections().max()); 
@@ -676,7 +666,6 @@ TEST(StaticClusterImplTest, UrlConfig) { TEST(StaticClusterImplTest, UnsupportedLBType) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; - Secret::MockSecretManager secret_manager; NiceMock runtime; NiceMock cm; const std::string json = R"EOF( @@ -690,15 +679,14 @@ TEST(StaticClusterImplTest, UnsupportedLBType) { } )EOF"; - EXPECT_THROW(StaticClusterImpl(parseClusterFromJson(json), runtime, stats, ssl_context_manager, - cm, false, secret_manager), - EnvoyException); + EXPECT_THROW( + StaticClusterImpl(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, false), + EnvoyException); } TEST(StaticClusterImplTest, MalformedHostIP) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; - Secret::MockSecretManager secret_manager; NiceMock runtime; const std::string yaml = R"EOF( name: name @@ -710,7 +698,7 @@ TEST(StaticClusterImplTest, MalformedHostIP) { NiceMock cm; EXPECT_THROW_WITH_MESSAGE(StaticClusterImpl(parseClusterFromV2Yaml(yaml), runtime, stats, - ssl_context_manager, cm, false, secret_manager), + ssl_context_manager, cm, false), EnvoyException, "malformed IP address: foo.bar.com. Consider setting resolver_name or " "setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'"); @@ -751,7 +739,6 @@ TEST(ClusterDefinitionTest, BadDnsClusterConfig) { TEST(StaticClusterImplTest, SourceAddressPriority) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; - Secret::MockSecretManager secret_manager; NiceMock runtime; envoy::api::v2::Cluster config; config.set_name("staticcluster"); 
@@ -761,8 +748,7 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { // If the cluster manager gets a source address from the bootstrap proto, use it. NiceMock cm; cm.bind_config_.mutable_source_address()->set_address("1.2.3.5"); - StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false, - secret_manager); + StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false); EXPECT_EQ("1.2.3.5:0", cluster.info()->sourceAddress()->asString()); } @@ -771,8 +757,7 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { { // Verify source address from cluster config is used when present. NiceMock cm; - StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false, - secret_manager); + StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false); EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString()); } @@ -780,8 +765,7 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { // The source address from cluster config takes precedence over one from the bootstrap proto. NiceMock cm; cm.bind_config_.mutable_source_address()->set_address("1.2.3.5"); - StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false, - secret_manager); + StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false); EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString()); } } @@ -791,7 +775,6 @@ TEST(StaticClusterImplTest, SourceAddressPriority) { TEST(ClusterImplTest, CloseConnectionsOnHostHealthFailure) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; - Secret::MockSecretManager secret_manager; auto dns_resolver = std::make_shared(); NiceMock dispatcher; NiceMock runtime; 
@@ -807,7 +790,7 @@ TEST(ClusterImplTest, CloseConnectionsOnHostHealthFailure) { hosts: [{ socket_address: { address: foo.bar.com, port_value: 443 }}] )EOF"; StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false, secret_manager); + dns_resolver, cm, dispatcher, false); EXPECT_TRUE(cluster.info()->features() & ClusterInfo::Features::CLOSE_CONNECTIONS_ON_HOST_HEALTH_FAILURE); } @@ -865,7 +848,6 @@ TEST(PrioritySet, Extend) { TEST(ClusterMetadataTest, Metadata) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; - Secret::MockSecretManager secret_manager; auto dns_resolver = std::make_shared(); NiceMock dispatcher; NiceMock runtime; @@ -885,7 +867,7 @@ TEST(ClusterMetadataTest, Metadata) { )EOF"; StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, - dns_resolver, cm, dispatcher, false, secret_manager); + dns_resolver, cm, dispatcher, false); EXPECT_EQ("test_value", Config::Metadata::metadataValue(cluster.info()->metadata(), "com.bar.foo", "baz") .string_value()); diff --git a/test/server/config_validation/cluster_manager_test.cc b/test/server/config_validation/cluster_manager_test.cc index ffae39360a9b..cafd2666a4de 100644 --- a/test/server/config_validation/cluster_manager_test.cc +++ b/test/server/config_validation/cluster_manager_test.cc 
@@ -40,7 +40,7 @@ TEST(ValidationClusterManagerTest, MockedMethods) { AccessLog::MockAccessLogManager log_manager; const envoy::config::bootstrap::v2::Bootstrap bootstrap; ClusterManagerPtr cluster_manager = factory.clusterManagerFromProto( - bootstrap, stats, tls, runtime, random, local_info, log_manager, admin, secret_manager); + bootstrap, stats, tls, runtime, random, local_info, log_manager, admin); EXPECT_EQ(nullptr, cluster_manager->httpConnPoolForCluster("cluster", ResourcePriority::Default, Http::Protocol::Http11, nullptr)); Host::CreateConnectionData data = cluster_manager->tcpConnForCluster("cluster", nullptr); From 33f25eec2dd40576e2d13a0b925c7aa9b894f95d Mon Sep 17 00:00:00 2001 From: Jae Kim Date: Thu, 14 Jun 2018 12:08:23 -0700 Subject: [PATCH 03/55] Removed unnecessary changes Signed-off-by: Jae Kim --- test/common/upstream/cluster_manager_impl_test.cc | 2 +- test/common/upstream/eds_test.cc | 2 +- test/common/upstream/upstream_impl_test.cc | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/test/common/upstream/cluster_manager_impl_test.cc b/test/common/upstream/cluster_manager_impl_test.cc index 6945ebb29ba4..daf1b0939bb9 100644 --- a/test/common/upstream/cluster_manager_impl_test.cc +++ b/test/common/upstream/cluster_manager_impl_test.cc @@ -2012,4 +2012,4 @@ TEST_F(TcpKeepaliveTest, TcpKeepaliveWithAllOptions) { } // namespace } // namespace Upstream -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/test/common/upstream/eds_test.cc b/test/common/upstream/eds_test.cc index 9a39541ffc5d..ee7e6139444a 100644 --- a/test/common/upstream/eds_test.cc +++ b/test/common/upstream/eds_test.cc @@ -1050,4 +1050,4 @@ TEST_F(EdsTest, MalformedIP) { } } // namespace Upstream -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index abda6f9952cf..17888a900630 100644 
--- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc @@ -494,7 +494,6 @@ TEST(StaticClusterImplTest, OutlierDetector) { Stats::IsolatedStoreImpl stats; Ssl::MockContextManager ssl_context_manager; NiceMock runtime; - const std::string json = R"EOF( { "name": "addressportconfig", From 72b29285b8641e3c07387b1bd4773f735b22b2f1 Mon Sep 17 00:00:00 2001 From: Jae Kim Date: Thu, 14 Jun 2018 14:26:12 -0700 Subject: [PATCH 04/55] Changed the location of secret_manager argument Signed-off-by: Jae Kim --- source/common/upstream/upstream_impl.cc | 5 ----- 1 file changed, 5 deletions(-) diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 4c3ce3c92415..ab14e685f0b2 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -649,13 +649,8 @@ StaticClusterImpl::StaticClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api) -<<<<<<< HEAD : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, cm.clusterManagerFactory().secretManager(), added_via_api), -======= - : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api, - cm.clusterManagerFactory().secretManager()), ->>>>>>> Added secretManager() to ClusterManagerFactory interface initial_hosts_(new HostVector()) { for (const auto& host : cluster.hosts()) { From 6ce1d9f0e3c51da96b8a3a1f870d4c7aed94ef84 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 26 Jun 2018 11:21:08 -0700 Subject: [PATCH 05/55] rebase to master 
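Review bot: The retained initializer passes `cm.clusterManagerFactory().secretManager()` ahead of `added_via_api`, while the discarded branch passed them in the opposite order, so the order `ClusterImplBase`'s constructor (declared outside this hunk) actually takes should be confirmed against the header rather than trusting the side that happened to survive the merge. The conflict markers deleted here were committed by the previous patch in this series, which means that intermediate commit does not compile and breaks bisecting; squashing this fix into it would be cleaner. The commit title says the argument's location changed, but the only change on the new side is the removal of the markers.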
Signed-off-by: JimmyCYJ --- include/envoy/secret/secret_manager.h | 20 +++- source/common/secret/BUILD | 24 ++++ source/common/secret/sds_api.cc | 62 ++++++++++ source/common/secret/sds_api.h | 45 +++++++ source/common/secret/secret_manager_impl.cc | 42 +++++-- source/common/secret/secret_manager_impl.h | 24 +++- source/common/secret/secret_manager_util.h | 37 ++++++ source/common/ssl/context_config_impl.cc | 68 +++++++++-- source/common/ssl/context_config_impl.h | 7 +- source/server/config_validation/server.cc | 2 +- source/server/configuration_impl.cc | 3 +- source/server/server.cc | 2 +- .../grpc_client_integration_test_harness.h | 8 +- test/common/secret/BUILD | 1 + .../common/secret/secret_manager_impl_test.cc | 75 ++++++++++-- test/common/ssl/BUILD | 1 + test/common/ssl/context_impl_test.cc | 112 +++++++++++------- test/common/ssl/ssl_certs_test.h | 4 +- test/common/ssl/ssl_socket_test.cc | 47 ++++---- test/integration/BUILD | 1 + test/integration/ssl_integration_test.cc | 12 +- test/integration/ssl_utility.cc | 7 +- test/integration/ssl_utility.h | 3 +- .../integration/tcp_proxy_integration_test.cc | 3 +- test/integration/xfcc_integration_test.cc | 5 +- test/integration/xfcc_integration_test.h | 4 +- test/mocks/secret/mocks.h | 10 +- test/mocks/server/mocks.cc | 2 +- test/server/configuration_impl_test.cc | 49 ++++++++ 29 files changed, 551 insertions(+), 129 deletions(-) create mode 100644 source/common/secret/sds_api.cc create mode 100644 source/common/secret/sds_api.h create mode 100644 source/common/secret/secret_manager_util.h diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index d7f978874121..bf2f472ed444 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h 
@@ -18,16 +18,32 @@ class SecretManager { virtual ~SecretManager() {} /** + * @param config_source_hash a hash string of normalized config source. If it is empty string, + * find secret from the static secrets. * @param secret a protobuf message of envoy::api::v2::auth::Secret. * @throw an EnvoyException if the secret is invalid or not supported. */ - virtual void addOrUpdateSecret(const envoy::api::v2::auth::Secret& secret) PURE; + virtual void addOrUpdateSecret(const std::string& config_source_hash, + const envoy::api::v2::auth::Secret& secret) PURE; /** + * @param sds_config_source_hash hash string of normalized config source. * @param name a name of the Ssl::TlsCertificateConfig. * @return the TlsCertificate secret. Returns nullptr if the secret is not found. */ - virtual const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& name) const PURE; + virtual const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& config_source_hash, + const std::string& name) const PURE; + + /** + * Add or update SDS config source. SecretManager starts downloading secrets from registered + * config source. + * + * @param sdsConfigSource a protobuf message object contains SDS config source. + * @param config_name a name that uniquely refers to the SDS config source + * @return a hash string of normalized config source + */ + virtual std::string addOrUpdateSdsService(const envoy::api::v2::core::ConfigSource& config_source, + std::string config_name) PURE; }; } // namespace Secret diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 4f1eff746d6d..90455caee6ef 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD 
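Review bot: The doc comment on `addOrUpdateSdsService` names a parameter `sdsConfigSource` that does not exist (the parameter is `config_source`), and the `findTlsCertificate` comment documents `sds_config_source_hash` while its parameter is `config_source_hash`. Proposed: `@param config_source a protobuf message object that contains the SDS config source.` and `@param config_source_hash hash string of the normalized config source; empty selects the static secrets.` An empty string doubling as the key for static secrets is an in-band sentinel that should be stated once on this interface, ideally as a named constant, so callers do not depend on `""` implicitly. `config_name` is taken by value as `std::string`; `const std::string&` would match the neighbouring parameters.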
@@ -13,9 +13,33 @@ envoy_cc_library( srcs = ["secret_manager_impl.cc"], hdrs = ["secret_manager_impl.h"], deps = [ + ":sds_api_lib", + ":secret_manager_util", "//include/envoy/secret:secret_manager_interface", "//source/common/common:minimal_logger_lib", "//source/common/ssl:tls_certificate_config_impl_lib", "@envoy_api//envoy/api/v2/auth:cert_cc", ], ) + +envoy_cc_library( + name = "secret_manager_util", + hdrs = ["secret_manager_util.h"], + deps = [ + "//source/common/json:json_loader_lib", + "@envoy_api//envoy/api/v2/core:config_source_cc", + ], +) + +envoy_cc_library( + name = "sds_api_lib", + srcs = ["sds_api.cc"], + hdrs = ["sds_api.h"], + deps = [ + ":secret_manager_util", + "//include/envoy/config:subscription_interface", + "//include/envoy/server:instance_interface", + "//source/common/config:resources_lib", + "//source/common/config:subscription_factory_lib", + ], +) diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc new file mode 100644 index 000000000000..6bb0771cf842 --- /dev/null +++ b/source/common/secret/sds_api.cc 
@@ -0,0 +1,62 @@ +#include "common/secret/sds_api.h" + +#include + +#include "common/config/resources.h" +#include "common/config/subscription_factory.h" +#include "common/secret/secret_manager_util.h" + +namespace Envoy { +namespace Secret { + +SdsApi::SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, + std::string sds_config_hash, std::string sds_config_name) + : server_(server), sds_config_(sds_config), sds_config_source_hash_(sds_config_hash), + sds_config_name_(sds_config_name) { + server_.initManager().registerTarget(*this); +} + +void SdsApi::initialize(std::function callback) { + initialize_callback_ = callback; + subscription_ = Envoy::Config::SubscriptionFactory::subscriptionFromConfigSource< + envoy::api::v2::auth::Secret>( + sds_config_, server_.localInfo().node(), server_.dispatcher(), server_.clusterManager(), + server_.random(), server_.stats(), /* rest_legacy_constructor */ nullptr, + "envoy.service.discovery.v2.SecretDiscoveryService.FetchSecrets", + "envoy.service.discovery.v2.SecretDiscoveryService.StreamSecrets"); + + Config::Utility::checkLocalInfo("sds", server_.localInfo()); + + subscription_->start({sds_config_name_}, *this); +} + +void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) { + for (const auto& resource : resources) { + switch (resource.type_case()) { + case envoy::api::v2::auth::Secret::kTlsCertificate: + server_.secretManager().addOrUpdateSecret(sds_config_source_hash_, resource); + break; + case envoy::api::v2::auth::Secret::kSessionTicketKeys: + NOT_IMPLEMENTED; + default: + throw EnvoyException("sds: invalid configuration"); + } + } + + runInitializeCallbackIfAny(); +} + +void SdsApi::onConfigUpdateFailed(const EnvoyException*) { + // We need to allow server startup to continue, even if we have a bad config. 
+ runInitializeCallbackIfAny(); +} + +void SdsApi::runInitializeCallbackIfAny() { + if (initialize_callback_) { + initialize_callback_(); + initialize_callback_ = nullptr; + } +} + +} // namespace Secret +} // namespace Envoy \ No newline at end of file diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h new file mode 100644 index 000000000000..faf95bbfb2e2 --- /dev/null +++ b/source/common/secret/sds_api.h @@ -0,0 +1,45 @@ +#pragma once + +#include + +#include "envoy/api/v2/auth/cert.pb.h" +#include "envoy/api/v2/core/config_source.pb.h" +#include "envoy/config/subscription.h" +#include "envoy/server/instance.h" + +namespace Envoy { +namespace Secret { + +/** + * SDS API implementation that fetches secrets from SDS server via Subscription. + */ +class SdsApi : public Init::Target, Config::SubscriptionCallbacks { +public: + SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, + std::string sds_config_hash, std::string sds_config_name); + + // Init::Target + void initialize(std::function callback) override; + + // Config::SubscriptionCallbacks + void onConfigUpdate(const ResourceVector& resources, const std::string& version_info) override; + void onConfigUpdateFailed(const EnvoyException* e) override; + std::string resourceName(const ProtobufWkt::Any& resource) override { + return MessageUtil::anyConvert(resource).name(); + } + +private: + void runInitializeCallbackIfAny(); + + Server::Instance& server_; + const envoy::api::v2::core::ConfigSource sds_config_; + const std::string sds_config_source_hash_; + std::unique_ptr> subscription_; + std::function initialize_callback_; + std::string sds_config_name_; +}; + +typedef std::unique_ptr SdsApiPtr; + +} // namespace Secret +} // namespace Envoy \ No newline at end of file diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 3e6689a369da..40fd4ccb5473 100644 
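Review bot: In `onConfigUpdate`, the `kSessionTicketKeys` case reaches `NOT_IMPLEMENTED` on data supplied by the SDS server, so if that macro panics as Envoy's assert macros do, a misbehaving or compromised control plane can terminate the process by sending a session-ticket-keys secret; the `default` case already shows the intended handling, so this should be `throw EnvoyException("sds: session ticket keys are not supported");` so the update is rejected instead. There is also no `break` or `[[fallthrough]]` after `NOT_IMPLEMENTED`, which reads as an accidental fall-through into `default`. The loop calls `addOrUpdateSecret` resource by resource, so an invalid resource after a valid one leaves the manager partially updated; checking every resource's `type_case()` before storing any would keep an update atomic. Nothing compares `resource.name()` with `sds_config_name_`, so a response carrying other names is stored under this config source's hash as well; whether that is intended should be confirmed.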
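Review bot: `class SdsApi : public Init::Target, Config::SubscriptionCallbacks` inherits the second base privately, because `class` defaults to private access; `subscription_->start({sds_config_name_}, *this)` only compiles because the upcast happens inside a member function. Write `class SdsApi : public Init::Target, public Config::SubscriptionCallbacks {` so the callback interface is part of the public contract and the intent is visible. The constructor registers the object with `server.initManager()`, so a comment such as `// Registers itself as an Init::Target; the instance must outlive server initialization.` would document the lifetime requirement the header leaves implicit. The `typedef` for `SdsApiPtr` could be a `using` alias, and the file is missing its trailing newline.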
--- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc 
@@ -2,27 +2,53 @@ #include "envoy/common/exception.h" +#include "common/secret/secret_manager_util.h" #include "common/ssl/tls_certificate_config_impl.h" namespace Envoy { namespace Secret { -void SecretManagerImpl::addOrUpdateSecret(const envoy::api::v2::auth::Secret& secret) { +void SecretManagerImpl::addOrUpdateSecret(const std::string& config_source_hash, + const envoy::api::v2::auth::Secret& secret) { switch (secret.type_case()) { - case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate: - tls_certificate_secrets_[secret.name()] = + case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate: { + std::unique_lock lhs(tls_certificate_secrets_mutex_); + tls_certificate_secrets_[config_source_hash][secret.name()] = std::make_unique(secret.tls_certificate()); - break; + } break; default: throw EnvoyException("Secret type not implemented"); } } const Ssl::TlsCertificateConfig* -SecretManagerImpl::findTlsCertificate(const std::string& name) const { - auto secret = tls_certificate_secrets_.find(name); - return (secret != tls_certificate_secrets_.end()) ? secret->second.get() : nullptr; +SecretManagerImpl::findTlsCertificate(const std::string& config_source_hash, + const std::string& name) const { + std::shared_lock lhs(tls_certificate_secrets_mutex_); + + auto config_source_it = tls_certificate_secrets_.find(config_source_hash); + if (config_source_it == tls_certificate_secrets_.end()) { + return nullptr; + } + + auto secret = config_source_it->second.find(name); + return (secret != config_source_it->second.end()) ? 
secret->second.get() : nullptr; +} + +std::string SecretManagerImpl::addOrUpdateSdsService( + const envoy::api::v2::core::ConfigSource& sds_config_source, std::string config_name) { + std::unique_lock lhs(sds_api_mutex_); + + auto hash = SecretManagerUtil::configSourceHash(sds_config_source); + std::string sds_apis_key = hash + config_name; + if (sds_apis_.find(sds_apis_key) != sds_apis_.end()) { + return hash; + } + + sds_apis_[sds_apis_key] = std::make_unique(server_, sds_config_source, hash, config_name); + + return hash; } } // namespace Secret -} // namespace Envoy +} // namespace Envoy \ No newline at end of file diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index b9406754a8c4..82f44ef1855e 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h 
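Review bot: `findTlsCertificate` hands back a raw pointer into `tls_certificate_secrets_` and then releases `tls_certificate_secrets_mutex_`, while `addOrUpdateSecret` replaces the `unique_ptr` stored under the same name under the unique lock; a caller still using the pointer when an SDS update for that secret arrives reads freed memory. The lock protects the map, not the pointee, so the manager should return shared ownership, e.g. `std::shared_ptr<const Ssl::TlsCertificateConfig> findTlsCertificate(...)` with the map holding `std::shared_ptr`, or callers must copy the config while the lock is held. In `addOrUpdateSdsService`, `std::string sds_apis_key = hash + config_name;` concatenates a decimal hash and a free-form name with no separator, so different (hash, name) pairs can yield the same key; `const std::string sds_apis_key = hash + "/" + config_name;` or a pair key avoids that. The `} break;` on one line after the case block is unusual for this file; `break;` on its own line matches the surrounding style.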
@@ -1,22 +1,40 @@ #pragma once +#include #include #include "envoy/secret/secret_manager.h" +#include "envoy/server/instance.h" #include "envoy/ssl/tls_certificate_config.h" #include "common/common/logger.h" +#include "common/secret/sds_api.h" namespace Envoy { namespace Secret { class SecretManagerImpl : public SecretManager, Logger::Loggable { public: - void addOrUpdateSecret(const envoy::api::v2::auth::Secret& secret) override; - const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& name) const override; + SecretManagerImpl(Server::Instance& server) : server_(server) {} + + void addOrUpdateSecret(const std::string& config_source_hash, + const envoy::api::v2::auth::Secret& secret) override; + const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& config_source_hash, + const std::string& name) const override; + std::string addOrUpdateSdsService(const envoy::api::v2::core::ConfigSource& config_source, + std::string config_name) override; private: - std::unordered_map tls_certificate_secrets_; + Server::Instance& server_; + // map hash code of SDS config source and SdsApi object + std::unordered_map> sds_apis_; + mutable std::shared_timed_mutex sds_api_mutex_; + + // Manages pairs of name and Ssl::TlsCertificateConfig grouped by SDS config source hash. + // If SDS config source hash is empty, it is a static secret. + std::unordered_map> + tls_certificate_secrets_; + mutable std::shared_timed_mutex tls_certificate_secrets_mutex_; }; } // namespace Secret diff --git a/source/common/secret/secret_manager_util.h b/source/common/secret/secret_manager_util.h new file mode 100644 index 000000000000..d81060dcff5a --- /dev/null +++ b/source/common/secret/secret_manager_util.h 
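Review bot: The comment above `sds_apis_` says it maps the hash code of an SDS config source to an `SdsApi`, but the key written by `addOrUpdateSdsService` is the hash concatenated with the config name, so it should read `// Keyed by SDS config source hash concatenated with the config name; one SdsApi per pair.` `SecretManagerImpl(Server::Instance& server)` is a single-argument constructor and should be `explicit SecretManagerImpl(Server::Instance& server) : server_(server) {}`. The two `mutable std::shared_timed_mutex` members deserve a sentence each stating which container they guard, since the shared lock in `findTlsCertificate` implies lookups are expected to run concurrently with SDS updates.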
@@ -0,0 +1,37 @@
+#pragma once
+
+#include "envoy/api/v2/core/config_source.pb.h"
+
+#include "common/common/fmt.h"
+#include "common/json/json_loader.h"
+#include "common/protobuf/protobuf.h"
+
+namespace Envoy {
+namespace Secret {
+
+class SecretManagerUtil {
+public:
+ virtual ~SecretManagerUtil() {}
+
+ /**
+ * Calculate hash code of ConfigSource. To identify the same ConfigSource, calculate the hash
+ * code from the ConfigSource
+ *
+ * @param config_source envoy::api::v2::core::ConfigSource
+ * @return hash code
+ */
+ static std::string configSourceHash(const envoy::api::v2::core::ConfigSource& config_source) {
+ std::string jsonstr;
+ if (Protobuf::util::MessageToJsonString(config_source, &jsonstr).ok()) {
+ auto obj = Json::Factory::loadFromString(jsonstr);
+ if (obj.get() != nullptr) {
+ return std::to_string(obj->hash());
+ }
+ }
+ throw EnvoyException(
+ fmt::format("Invalid ConfigSource message: {}", config_source.DebugString()));
+ }
+};
+
+} // namespace Secret
+} // namespace Envoy
\ No newline at end of file
diff --git a/source/common/ssl/context_config_impl.cc b/source/common/ssl/context_config_impl.cc
index 374cd2945b50..f3fd05590330 100644
--- a/source/common/ssl/context_config_impl.cc
+++ b/source/common/ssl/context_config_impl.cc
@@ -3,6 +3,8 @@
 #include
 #include
+#include "envoy/ssl/tls_certificate_config.h"
+
+#include "common/common/assert.h"
 #include "common/common/empty_string.h"
 #include "common/config/datasource.h"
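Review bot: `configSourceHash` reduces the identity of an SDS source to `std::to_string(obj->hash())`, and `addOrUpdateSdsService` (earlier hunk) returns early when that key already exists, so two different `ConfigSource` messages that collide would share one SdsApi and one secret namespace — a certificate and key fetched from one SDS server would then satisfy a listener or cluster that named a different one. Whether `Json::Object::hash()` is collision-resistant is not visible here; if it is a general-purpose hash, key on the serialized message itself or on a cryptographic digest of `jsonstr`, and document the requirement: `// Identity of an SDS source: a collision would merge two sources' secrets, so this must be collision-resistant.` Parsing the JSON back into an object only to hash it is also avoidable if `jsonstr` is hashed directly, and `EnvoyException` is used without a visible include of its header (it may arrive transitively). The class has only a static member, so the `virtual` destructor adds nothing.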
@@ -16,20 +18,42 @@ namespace Ssl { namespace { +std::string readSdsSecretName(const envoy::api::v2::auth::CommonTlsContext& config) { + return (!config.tls_certificate_sds_secret_configs().empty()) + ? config.tls_certificate_sds_secret_configs()[0].name() + : EMPTY_STRING; +} + +std::string readConfigSourceHash(const envoy::api::v2::auth::CommonTlsContext& config, + Secret::SecretManager& secret_manager) { + return (!config.tls_certificate_sds_secret_configs().empty() && + config.tls_certificate_sds_secret_configs()[0].has_sds_config()) + ? secret_manager.addOrUpdateSdsService( + config.tls_certificate_sds_secret_configs()[0].sds_config(), + config.tls_certificate_sds_secret_configs()[0].name()) + : EMPTY_STRING; +} + std::string readConfig( const envoy::api::v2::auth::CommonTlsContext& config, Secret::SecretManager& secret_manager, + const std::string& config_source_hash, const std::string& secret_name, const std::function& read_inline_config, - const std::function& read_secret) { + const std::function& + read_managed_secret) { if (!config.tls_certificates().empty()) { return read_inline_config(config.tls_certificates()[0]); } else if (!config.tls_certificate_sds_secret_configs().empty()) { - auto name = config.tls_certificate_sds_secret_configs()[0].name(); - const Ssl::TlsCertificateConfig* secret = secret_manager.findTlsCertificate(name); + const auto secret = secret_manager.findTlsCertificate(config_source_hash, secret_name); if (!secret) { - throw EnvoyException(fmt::format("Static secret is not defined: {}", name)); + if (config_source_hash.empty()) { + throw EnvoyException( + fmt::format("Unknown static secret: {} : {}", config_source_hash, secret_name)); + } else { + return EMPTY_STRING; + } } - return read_secret(*secret); + return read_managed_secret(*secret); } else { return EMPTY_STRING; } 
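Review bot: For an SDS-backed secret that has not arrived yet, `readConfig` now returns `EMPTY_STRING` instead of throwing, so `cert_chain_` and `private_key_` can be empty on a context that does have a certificate configured; any code that treats an empty `certChain()` as "no certificate configured" (the server-side requirement pinned by `TlsCertificateNonEmpty` in the tests) now needs to tell "not configured" from "not yet delivered", or a listener can be built without a certificate until SDS responds. The static-secret error interpolates the empty hash and yields `Unknown static secret: : missing` (as the test pins); `fmt::format("Unknown static secret: {}", secret_name)` is clearer. Both new helpers silently use only `tls_certificate_sds_secret_configs()[0]`; a comment such as `// Only the first SDS secret config is honoured; extra entries are rejected by the context constructors` (if that is where they are rejected) would save the next reader a search.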
@@ -55,7 +79,9 @@ const std::string ContextConfigImpl::DEFAULT_ECDH_CURVES = "X25519:P-256"; ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, Secret::SecretManager& secret_manager) - : alpn_protocols_(RepeatedPtrUtil::join(config.alpn_protocols(), ",")), + : secret_manager_(secret_manager), sds_secret_name_(readSdsSecretName(config)), + sds_config_source_hash_(readConfigSourceHash(config, secret_manager)), + alpn_protocols_(RepeatedPtrUtil::join(config.alpn_protocols(), ",")), alt_alpn_protocols_(config.deprecated_v1().alt_alpn_protocols()), cipher_suites_(StringUtil::nonEmptyStringOrDefault( RepeatedPtrUtil::join(config.tls_params().cipher_suites(), ":"), DEFAULT_CIPHER_SUITES)), @@ -68,7 +94,7 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex certificate_revocation_list_path_( Config::DataSource::getPath(config.validation_context().crl())), cert_chain_(readConfig( - config, secret_manager, + config, secret_manager, sds_config_source_hash_, sds_secret_name_, [](const envoy::api::v2::auth::TlsCertificate& tls_certificate) -> std::string { return Config::DataSource::read(tls_certificate.certificate_chain(), true); }, @@ -80,7 +106,7 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex ? "" : Config::DataSource::getPath(config.tls_certificates()[0].certificate_chain())), private_key_(readConfig( - config, secret_manager, + config, secret_manager, sds_config_source_hash_, sds_secret_name_, [](const envoy::api::v2::auth::TlsCertificate& tls_certificate) -> std::string { return Config::DataSource::read(tls_certificate.private_key(), true); }, 
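Review bot: `readConfigSourceHash(config, secret_manager)` runs in the member-initializer list and has a side effect — it calls `addOrUpdateSdsService`, which registers an SdsApi with the server — before the rest of the constructor and the derived-class constructors have validated the configuration; if a later initializer throws (the SNI, certificate-hash and validation-context errors in the tests are all raised later), the SDS subscription for a rejected config stays registered. If that is acceptable for this first patch, say so next to the initializer, e.g. `// NOTE: registers an SDS subscription as a side effect; not undone if construction fails later`; otherwise defer registration until after validation. The initializer order matches the declaration order in the header hunk, which matters because `cert_chain_` and `private_key_` read `sds_config_source_hash_` and `sds_secret_name_`. The constructor continues past this hunk.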
@@ -138,6 +164,32 @@ unsigned ContextConfigImpl::tlsVersionFromProto( NOT_REACHED; } +const std::string& ContextConfigImpl::certChain() const { + if (!cert_chain_.empty()) { + return cert_chain_; + } + + auto secret = secret_manager_.findTlsCertificate(sds_config_source_hash_, sds_secret_name_); + if (!secret) { + return cert_chain_; + } + + return secret->certificateChain(); +} + +const std::string& ContextConfigImpl::privateKey() const { + if (!private_key_.empty()) { + return private_key_; + } + + auto secret = secret_manager_.findTlsCertificate(sds_config_source_hash_, sds_secret_name_); + if (!secret) { + return private_key_; + } + + return secret->privateKey(); +} + ClientContextConfigImpl::ClientContextConfigImpl( const envoy::api::v2::auth::UpstreamTlsContext& config, Secret::SecretManager& secret_manager) : ContextConfigImpl(config.common_tls_context(), secret_manager), diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index 2628f39b2e00..04e39788712d 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -33,11 +33,11 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { ? INLINE_STRING : certificate_revocation_list_path_; } - const std::string& certChain() const override { return cert_chain_; } + const std::string& certChain() const override; const std::string& certChainPath() const override { return (cert_chain_path_.empty() && !cert_chain_.empty()) ? INLINE_STRING : cert_chain_path_; } - const std::string& privateKey() const override { return private_key_; } + const std::string& privateKey() const override; const std::string& privateKeyPath() const override { return (private_key_path_.empty() && !private_key_.empty()) ? INLINE_STRING : private_key_path_; } 
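Review bot: `certChain()` and `privateKey()` consult the secret manager only when the cached `cert_chain_`/`private_key_` is empty, so a context whose SDS secret was already present at construction keeps the copy taken in `readConfig` forever, while one constructed before delivery re-reads the manager on every call — key rotation is observed in the second case but not the first. On the lookup path the returned `const std::string&` points into a `TlsCertificateConfig` owned by the manager's map and escapes the manager's lock, so if `addOrUpdateSecret` replaces the entry for that name the reference dangles in whatever is mid-handshake-setup. One rule for both cases — read through the manager whenever `sds_config_source_hash_` is non-empty and have callers copy, or have the manager return a `shared_ptr` — would fix both; at minimum document the contract on each accessor: `// Returns the value captured at construction if any; otherwise the SDS-managed value at call time, valid only until that secret is next updated.` `ClientContextConfigImpl`'s constructor starts at the end of this hunk and continues outside it.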
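Review bot: `certChainPath()` and `privateKeyPath()` still decide between `INLINE_STRING` and the stored path by inspecting the `cert_chain_`/`private_key_` members, but `certChain()`/`privateKey()` are now out-of-line and can return an SDS-managed value while those members are empty; for an SDS-delivered certificate the path accessors therefore return an empty string while the content accessors return a certificate, and anything that reports the path (errors, admin output) shows nothing. Base the check on the accessor, `return (cert_chain_path_.empty() && !certChain().empty()) ? INLINE_STRING : cert_chain_path_;` (and likewise for the key), or introduce a distinct marker for managed secrets and document it here.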
@@ -66,6 +66,9 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { static const std::string DEFAULT_CIPHER_SUITES; static const std::string DEFAULT_ECDH_CURVES; + Secret::SecretManager& secret_manager_; + const std::string sds_secret_name_; + const std::string sds_config_source_hash_; const std::string alpn_protocols_; const std::string alt_alpn_protocols_; const std::string cipher_suites_; diff --git a/source/server/config_validation/server.cc b/source/server/config_validation/server.cc index 8dc49dc87edc..8b2ea0463378 100644 --- a/source/server/config_validation/server.cc +++ b/source/server/config_validation/server.cc @@ -79,7 +79,7 @@ void ValidationInstance::initialize(Options& options, Configuration::InitialImpl initial_config(bootstrap); thread_local_.registerThread(*dispatcher_, true); runtime_loader_ = component_factory.createRuntime(*this, initial_config); - secret_manager_.reset(new Secret::SecretManagerImpl()); + secret_manager_.reset(new Secret::SecretManagerImpl(*this)); ssl_context_manager_.reset(new Ssl::ContextManagerImpl(*runtime_loader_)); cluster_manager_factory_.reset(new Upstream::ValidationClusterManagerFactory( runtime(), stats(), threadLocal(), random(), dnsResolver(), sslContextManager(), dispatcher(), diff --git a/source/server/configuration_impl.cc b/source/server/configuration_impl.cc index 0746d48d9d6d..dd9b8b316519 100644 --- a/source/server/configuration_impl.cc +++ b/source/server/configuration_impl.cc @@ -13,6 +13,7 @@ #include "envoy/ssl/context_manager.h" #include "common/common/assert.h" +#include "common/common/empty_string.h" #include "common/common/utility.h" #include "common/config/lds_json.h" #include "common/config/utility.h" 
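Review bot: `secret_manager_` is a reference member that `certChain()`/`privateKey()` dereference on every call (previous hunk), so a `ContextConfigImpl` must not outlive the `SecretManager` it was built with, and the reference member also silently removes copy-assignment; neither is written down. Add `// Must outlive this config: consulted on every certChain()/privateKey() call for SDS-managed secrets.` above the member, and note on `sds_config_source_hash_` that an empty value means "static secret", which is the convention `SecretManagerImpl` relies on. The validation-server and configuration hunks below are mechanical.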
@@ -50,7 +51,7 @@ void MainImpl::initialize(const envoy::config::bootstrap::v2::Bootstrap& bootstr ENVOY_LOG(info, "loading {} static secret(s)", secrets.size()); for (ssize_t i = 0; i < secrets.size(); i++) { ENVOY_LOG(debug, "static secret #{}: {}", i, secrets[i].name()); - server.secretManager().addOrUpdateSecret(secrets[i]); + server.secretManager().addOrUpdateSecret(EMPTY_STRING, secrets[i]); } cluster_manager_ = cluster_manager_factory.clusterManagerFromProto( diff --git a/source/server/server.cc b/source/server/server.cc index 7c682ceed809..923d9c9407a9 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -55,7 +55,7 @@ InstanceImpl::InstanceImpl(Options& options, Network::Address::InstanceConstShar handler_(new ConnectionHandlerImpl(ENVOY_LOGGER(), *dispatcher_)), random_generator_(std::move(random_generator)), listener_component_factory_(*this), worker_factory_(thread_local_, *api_, hooks), - secret_manager_(new Secret::SecretManagerImpl()), + secret_manager_(new Secret::SecretManagerImpl(*this)), dns_resolver_(dispatcher_->createDnsResolver({})), access_log_manager_(*api_, *dispatcher_, access_log_lock, store), terminated_(false) { diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index f6c9c3fa152c..32759e6925ea 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -11,7 +11,7 @@ #include "test/integration/fake_upstream.h" #include "test/mocks/grpc/mocks.h" #include "test/mocks/local_info/mocks.h" -#include "test/mocks/secret/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/mocks/tracing/mocks.h" #include "test/mocks/upstream/mocks.h" #include "test/proto/helloworld.pb.h" 
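Review bot: Static secrets from `static_resources` are loaded with `addOrUpdateSecret(EMPTY_STRING, ...)` in a plain loop, so if the method updates as its name suggests, two bootstrap entries with the same `name` leave the last one in place with no diagnostic, and the proxy serves a different certificate than the operator expects. Reject duplicates at this loop since the manager body is outside this hunk, e.g. `if (server.secretManager().findTlsCertificate(EMPTY_STRING, secrets[i].name()) != nullptr) { throw EnvoyException(fmt::format("duplicate static secret: {}", secrets[i].name())); }` before the call (adjusted if non-TLS secret types are added later). The `debug` log printing only the name, not the secret content, is the right level of detail; keep it that way. In the `server.cc` hunk the manager captures `*this` from `InstanceImpl`'s initializer list, which is safe only as long as `SecretManagerImpl` merely stores the reference during construction.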
@@ -444,7 +444,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/clientkey.pem")); } - Ssl::ClientContextConfigImpl cfg(tls_context, secret_manager_); + Ssl::ClientContextConfigImpl cfg(tls_context, server_.secretManager()); mock_cluster_info_->transport_socket_factory_ = std::make_unique(cfg, context_manager_, *stats_store_); @@ -474,7 +474,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); } - Ssl::ServerContextConfigImpl cfg(tls_context, secret_manager_); + Ssl::ServerContextConfigImpl cfg(tls_context, server_.secretManager()); static Stats::Scope* upstream_stats_store = new Stats::IsolatedStoreImpl(); return std::make_unique( @@ -482,7 +482,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { } bool use_client_cert_{}; - Secret::MockSecretManager secret_manager_; + Server::MockInstance server_; Ssl::ContextManagerImpl context_manager_{runtime_}; }; diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index c65489952a84..b7f46ff0edb7 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD @@ -16,6 +16,7 @@ envoy_cc_test( ], deps = [ "//source/common/secret:secret_manager_impl_lib", + "//test/mocks/server:server_mocks", "//test/test_common:environment_lib", "//test/test_common:registry_lib", "//test/test_common:utility_lib", diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index a692976c4c6e..956f4518d539 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -5,6 +5,7 @@ #include "common/secret/secret_manager_impl.h" +#include "test/mocks/server/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/utility.h" 
@@ -15,6 +16,20 @@ namespace Envoy { namespace Secret { namespace { +class MockServer : public Server::MockInstance { +public: + Init::Manager& initManager() { return initmanager_; } + +private: + class InitManager : public Init::Manager { + public: + void initialize(std::function callback); + void registerTarget(Init::Target&) override {} + }; + + InitManager initmanager_; +}; + class SecretManagerImplTest : public testing::Test {}; TEST_F(SecretManagerImplTest, SecretLoadSuccess) { 
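Review bot: `MockServer::InitManager::initialize(std::function callback)` is declared without `override` and without a body, so it either hides the base method (and the class stays abstract if the signature differs) or, if it does match, leaves an undefined symbol that surfaces when the vtable is emitted; the callback's template argument is not legible here. Give it `override` and a body, e.g. `void initialize(std::function<void()> callback) override { callback(); }`, and note next to the empty `registerTarget` why the SdsApi's init target is dropped: `// Init targets are ignored: these tests never drive server initialization.` Deriving from `Server::MockInstance` only to replace the init manager suggests the base mock could expose one instead.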
@@ -32,24 +47,60 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); - std::unique_ptr secret_manager(new SecretManagerImpl()); + Server::MockInstance server; - secret_manager->addOrUpdateSecret(secret_config); + server.secretManager().addOrUpdateSecret("", secret_config); - ASSERT_EQ(secret_manager->findTlsCertificate("undefined"), nullptr); + ASSERT_EQ(server.secretManager().findTlsCertificate("", "undefined"), nullptr); - ASSERT_NE(secret_manager->findTlsCertificate("abc.com"), nullptr); + ASSERT_NE(server.secretManager().findTlsCertificate("", "abc.com"), nullptr); const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - secret_manager->findTlsCertificate("abc.com")->certificateChain()); + server.secretManager().findTlsCertificate("", "abc.com")->certificateChain()); + + const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), + server.secretManager().findTlsCertificate("", "abc.com")->privateKey()); +} + +TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { + envoy::api::v2::core::ConfigSource config_source; + envoy::api::v2::auth::Secret secret_config; + + std::string yaml = + R"EOF( +name: "abc.com" +tls_certificate: + certificate_chain: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" + )EOF"; + + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); + + MockServer server; + + std::string config_source_hash = + server.secretManager().addOrUpdateSdsService(config_source, "abc_config"); + + server.secretManager().addOrUpdateSecret(config_source_hash, secret_config); + + 
ASSERT_EQ(server.secretManager().findTlsCertificate(config_source_hash, "undefined"), nullptr); + + const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; + EXPECT_EQ( + TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), + server.secretManager().findTlsCertificate(config_source_hash, "abc.com")->certificateChain()); const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - secret_manager->findTlsCertificate("abc.com")->privateKey()); + server.secretManager().findTlsCertificate(config_source_hash, "abc.com")->privateKey()); } TEST_F(SecretManagerImplTest, NotImplementedException) { + envoy::api::v2::core::ConfigSource config_source; envoy::api::v2::auth::Secret secret_config; std::string yaml = @@ -62,12 +113,16 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); - std::unique_ptr secret_manager(new SecretManagerImpl()); + MockServer server; + std::unique_ptr secret_manager(new SecretManagerImpl(server)); - EXPECT_THROW_WITH_MESSAGE(secret_manager->addOrUpdateSecret(secret_config), EnvoyException, - "Secret type not implemented"); + std::string config_source_hash = + server.secretManager().addOrUpdateSdsService(config_source, "abc_config"); + EXPECT_THROW_WITH_MESSAGE( + server.secretManager().addOrUpdateSecret(config_source_hash, secret_config), EnvoyException, + "Secret type not implemented"); } } // namespace } // namespace Secret -} // namespace Envoy +} // namespace Envoy \ No newline at end of file diff --git a/test/common/ssl/BUILD b/test/common/ssl/BUILD index 8a9265f691da..746c33eacc62 100644 --- a/test/common/ssl/BUILD +++ b/test/common/ssl/BUILD 
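Review bot: `SdsDynamicSecretUpdateSuccess` stores the secret under the dynamic hash and reads it back under the same hash, but never checks the property this patch introduces — that a secret registered under an SDS source is not visible in the static namespace or under another source. Add `ASSERT_EQ(server.secretManager().findTlsCertificate("", "abc.com"), nullptr);` after the `addOrUpdateSecret` call, and register a second `ConfigSource` that differs from the first (e.g. with a path set) asserting `addOrUpdateSdsService` returns a different hash. The `ConfigSource` used is default-constructed, so the test also silently relies on `configSourceHash` accepting an empty message; worth a comment or an explicit assertion that the returned hash is non-empty.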
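Review bot: The `secret_manager` `unique_ptr` built in `NotImplementedException` is never used — the assertions go through `server.secretManager()` — so `std::unique_ptr secret_manager(new SecretManagerImpl(server));` should be dropped, or the test should exercise that instance, which would be the only direct construction of `SecretManagerImpl` left in this file. The file also loses its trailing newline in this hunk.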
@@ -62,6 +62,7 @@ envoy_cc_test( "//source/common/stats:stats_lib", "//test/mocks/runtime:runtime_mocks", "//test/mocks/secret:secret_mocks", + "//test/mocks/server:server_mocks", "//test/test_common:environment_lib", ], ) diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index de82f328a757..7d2d53652335 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -10,6 +10,7 @@ #include "test/common/ssl/ssl_certs_test.h" #include "test/mocks/runtime/mocks.h" #include "test/mocks/secret/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/utility.h" @@ -79,7 +80,7 @@ TEST_F(SslContextImplTest, TestCipherSuites) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, secret_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -95,7 +96,7 @@ TEST_F(SslContextImplTest, TestExpiringCert) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, secret_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -118,7 +119,7 @@ TEST_F(SslContextImplTest, TestExpiredCert) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, secret_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
@@ -136,7 +137,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, secret_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -162,7 +163,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { TEST_F(SslContextImplTest, TestNoCert) { Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString("{}"); - ClientContextConfigImpl cfg(*loader, secret_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -183,6 +184,7 @@ class SslServerContextImplTicketTest : public SslContextImplTest { } static void loadConfigV2(envoy::api::v2::auth::DownstreamTlsContext& cfg) { + Server::MockInstance server; // Must add a certificate for the config to be considered valid. envoy::api::v2::auth::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); 
@@ -190,16 +192,15 @@ class SslServerContextImplTicketTest : public SslContextImplTest { TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); server_cert->mutable_private_key()->set_filename( TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); - - Secret::MockSecretManager secret_manager; - ServerContextConfigImpl server_context_config(cfg, secret_manager); + ServerContextConfigImpl server_context_config(cfg, server.secretManager()); loadConfig(server_context_config); } static void loadConfigJson(const std::string& json) { + Server::MockInstance server; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); Secret::MockSecretManager secret_manager; - ServerContextConfigImpl cfg(*loader, secret_manager); + ServerContextConfigImpl cfg(*loader, server.secretManager()); loadConfig(cfg); } }; 
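Review bot: `loadConfigJson` keeps the old `Secret::MockSecretManager secret_manager;` local even though the config is now built from `server.secretManager()`; the unused mock should be removed, and if no other use remains the `test/mocks/secret/mocks.h` include and the `secret_mocks` BUILD dep added above become dead. Both `loadConfigV2` and `loadConfigJson` build the `ServerContextConfigImpl` from a function-local `Server::MockInstance`, which is fine only while `loadConfig` does not retain the config past the call, since `ContextConfigImpl` now holds a reference to the manager (earlier hunk); a one-line comment on the local, `// must outlive server_context_config`, makes that explicit. `SslServerContextImplTicketTest` begins before this hunk.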
@@ -356,28 +357,28 @@ class ClientContextConfigImplTest : public SslCertsTest {}; // Validate that empty SNI (according to C string rules) fails config validation. TEST(ClientContextConfigImplTest, EmptyServerNameIndication) { envoy::api::v2::auth::UpstreamTlsContext tls_context; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; tls_context.set_sni(std::string("\000", 1)); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, secret_manager), EnvoyException, - "SNI names containing NULL-byte are not allowed"); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "SNI names containing NULL-byte are not allowed"); tls_context.set_sni(std::string("a\000b", 3)); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, secret_manager), EnvoyException, - "SNI names containing NULL-byte are not allowed"); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "SNI names containing NULL-byte are not allowed"); } // Validate that values other than a hex-encoded SHA-256 fail config validation. TEST(ClientContextConfigImplTest, InvalidCertificateHash) { envoy::api::v2::auth::UpstreamTlsContext tls_context; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; tls_context.mutable_common_tls_context() ->mutable_validation_context() // This is valid hex-encoded string, but it doesn't represent SHA-256 (80 vs 64 chars). ->add_verify_certificate_hash("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, secret_manager); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
@@ -388,12 +389,12 @@ TEST(ClientContextConfigImplTest, InvalidCertificateHash) { // Validate that values other than a base64-encoded SHA-256 fail config validation. TEST(ClientContextConfigImplTest, InvalidCertificateSpki) { envoy::api::v2::auth::UpstreamTlsContext tls_context; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; tls_context.mutable_common_tls_context() ->mutable_validation_context() // Not a base64-encoded string. ->add_verify_certificate_spki("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, secret_manager); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
@@ -405,12 +406,22 @@ TEST(ClientContextConfigImplTest, InvalidCertificateSpki) { // TODO(PiotrSikora): Support multiple TLS certificates. TEST(ClientContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::UpstreamTlsContext tls_context; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, secret_manager), EnvoyException, - "Multiple TLS certificates are not supported for client contexts"); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "Multiple TLS certificates are not supported for client contexts"); +} + +TEST(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { + envoy::api::v2::auth::UpstreamTlsContext tls_context; + Server::MockInstance server; + tls_context.mutable_common_tls_context()->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); + EXPECT_THROW_WITH_MESSAGE( + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "Multiple TLS certificates are not supported for client contexts"); } TEST(ClientContextConfigImplTest, StaticTlsCertificates) { @@ -427,8 +438,8 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); - std::unique_ptr secret_manager(new Secret::SecretManagerImpl()); - secret_manager->addOrUpdateSecret(secret_config); + Server::MockInstance server; + server.secretManager().addOrUpdateSecret("", secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; tls_context.mutable_common_tls_context() 
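Review bot: `TlsCertificatesAndSdsConfig` pins the text `Multiple TLS certificates are not supported for client contexts` for a config with one inline certificate plus one SDS secret config, which is a different misconfiguration from the one the message describes; the check itself lives in `ClientContextConfigImpl`'s constructor outside this hunk, but because the test fixes the wording, a dedicated message such as `tls_certificates and tls_certificate_sds_secret_configs are mutually exclusive` would be far easier for an operator to act on. The static-secret test below calls `addOrUpdateSecret("", secret_config)`; using `EMPTY_STRING` (or a named constant for the static namespace) keeps the convention greppable.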
@@ -436,7 +447,7 @@ name: "abc.com" ->Add() ->set_name("abc.com"); - ClientContextConfigImpl client_context_config(tls_context, *secret_manager.get()); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), @@ -460,9 +471,8 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); - std::unique_ptr secret_manager(new Secret::SecretManagerImpl()); - - secret_manager->addOrUpdateSecret(secret_config); + Server::MockInstance server; + server.secretManager().addOrUpdateSecret("", secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; tls_context.mutable_common_tls_context() @@ -471,8 +481,8 @@ name: "abc.com" ->set_name("missing"); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, *secret_manager.get()), - EnvoyException, "Static secret is not defined: missing"); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "Unknown static secret: : missing"); } // Multiple TLS certificates are not yet supported, but one is expected for 
@@ -480,23 +490,37 @@ name: "abc.com" // TODO(PiotrSikora): Support multiple TLS certificates. TEST(ServerContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::DownstreamTlsContext tls_context; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl client_context_config(tls_context, secret_manager), EnvoyException, - "A single TLS certificate is required for server contexts"); + ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl client_context_config(tls_context, secret_manager), EnvoyException, - "A single TLS certificate is required for server contexts"); + ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "A single TLS certificate is required for server contexts"); +} + +TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { + Server::MockInstance server; + envoy::api::v2::auth::DownstreamTlsContext tls_context; + + EXPECT_THROW_WITH_MESSAGE( + ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "A single TLS certificate is required for server contexts"); + tls_context.mutable_common_tls_context()->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); + EXPECT_THROW_WITH_MESSAGE( + ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + EnvoyException, "A single TLS certificate is required for server contexts"); } // TlsCertificate messages must have a cert for servers. 
TEST(ServerContextImplTest, TlsCertificateNonEmpty) { envoy::api::v2::auth::DownstreamTlsContext tls_context; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; tls_context.mutable_common_tls_context()->add_tls_certificates(); - ServerContextConfigImpl client_context_config(tls_context, secret_manager); + ServerContextConfigImpl client_context_config(tls_context, server.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -509,7 +533,7 @@ TEST(ServerContextImplTest, TlsCertificateNonEmpty) { // Cannot ignore certificate expiration without a trusted CA. TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::api::v2::auth::DownstreamTlsContext tls_context; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; envoy::api::v2::auth::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); @@ -517,8 +541,8 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(true); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, secret_manager), EnvoyException, - "Certificate validity period is always ignored without trusted CA"); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + EnvoyException, "Certificate validity period is always ignored without trusted CA"); envoy::api::v2::auth::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); 
@@ -529,19 +553,21 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(false); - EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, secret_manager)); + EXPECT_NO_THROW( + ServerContextConfigImpl server_context_config(tls_context, server.secretManager())); server_validation_ctx->set_allow_expired_certificate(true); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, secret_manager), EnvoyException, - "Certificate validity period is always ignored without trusted CA"); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + EnvoyException, "Certificate validity period is always ignored without trusted CA"); // But once you add a trusted CA, you should be able to create the context. server_validation_ctx->mutable_trusted_ca()->set_filename( TestEnvironment::substitute("{{ test_rundir }}/test/common/ssl/test_data/ca_cert.pem")); - EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, secret_manager)); + EXPECT_NO_THROW( + ServerContextConfigImpl server_context_config(tls_context, server.secretManager())); } } // namespace Ssl diff --git a/test/common/ssl/ssl_certs_test.h b/test/common/ssl/ssl_certs_test.h index 2f09e019944a..4cdbef6c791b 100644 --- a/test/common/ssl/ssl_certs_test.h +++ b/test/common/ssl/ssl_certs_test.h @@ -1,6 +1,6 @@ #pragma once -#include "test/mocks/secret/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/test_common/environment.h" #include "gtest/gtest.h" @@ -12,6 +12,6 @@ class SslCertsTest : public testing::Test { TestEnvironment::exec({TestEnvironment::runfilesPath("test/common/ssl/gen_unittest_certs.sh")}); } - Secret::MockSecretManager secret_manager_; + Server::MockInstance server_; }; } // namespace Envoy diff --git a/test/common/ssl/ssl_socket_test.cc b/test/common/ssl/ssl_socket_test.cc index 095600f02cfe..6b172a403059 100644 
--- a/test/common/ssl/ssl_socket_test.cc +++ b/test/common/ssl/ssl_socket_test.cc @@ -52,10 +52,10 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ const Network::Address::IpVersion version) { Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, secret_manager); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager()); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -68,7 +68,7 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, secret_manager); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); Ssl::ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -145,7 +145,7 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, const Network::Address::IpVersion version) { Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; ContextManagerImpl manager(runtime); std::string new_session = EMPTY_STRING; 
@@ -154,7 +154,8 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, const auto& filter_chain = server_proto.filter_chains(0); std::vector server_names(filter_chain.filter_chain_match().server_names().begin(), filter_chain.filter_chain_match().server_names().end()); - Ssl::ServerContextConfigImpl server_ctx_config(filter_chain.tls_context(), secret_manager); + Ssl::ServerContextConfigImpl server_ctx_config(filter_chain.tls_context(), + server.secretManager()); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, server_names); @@ -165,7 +166,7 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, Network::MockConnectionHandler connection_handler; Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); - ClientContextConfigImpl client_ctx_config(client_ctx_proto, secret_manager); + ClientContextConfigImpl client_ctx_config(client_ctx_proto, server.secretManager()); ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); ClientContextPtr client_ctx(manager.createSslClientContext(stats_store, client_ctx_config)); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( @@ -1516,7 +1517,7 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, secret_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); 
@@ -1574,7 +1575,7 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, secret_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -1595,7 +1596,7 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, secret_manager_); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager()); ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -1647,7 +1648,7 @@ TEST_P(SslSocketTest, HalfClose) { TEST_P(SslSocketTest, ClientAuthMultipleCAs) { Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; std::string server_ctx_json = R"EOF( { @@ -1658,7 +1659,7 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, secret_manager); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager()); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); 
@@ -1678,7 +1679,7 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, secret_manager); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -1735,13 +1736,13 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, const Network::Address::IpVersion ip_version) { Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; - Secret::MockSecretManager secret_manager; + Server::MockInstance server; ContextManagerImpl manager(runtime); Json::ObjectSharedPtr server_ctx_loader1 = TestEnvironment::jsonLoadFromString(server_ctx_json1); Json::ObjectSharedPtr server_ctx_loader2 = TestEnvironment::jsonLoadFromString(server_ctx_json2); - ServerContextConfigImpl server_ctx_config1(*server_ctx_loader1, secret_manager); - ServerContextConfigImpl server_ctx_config2(*server_ctx_loader2, secret_manager); + ServerContextConfigImpl server_ctx_config1(*server_ctx_loader1, server.secretManager()); + ServerContextConfigImpl server_ctx_config2(*server_ctx_loader2, server.secretManager()); Ssl::ServerSslSocketFactory server_ssl_socket_factory1(server_ctx_config1, manager, stats_store, server_names1); Ssl::ServerSslSocketFactory server_ssl_socket_factory2(server_ctx_config2, manager, stats_store, 
@@ -1758,7 +1759,7 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Network::ListenerPtr listener2 = dispatcher.createListener(socket2, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, secret_manager); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket1.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -2098,9 +2099,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, secret_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); Json::ObjectSharedPtr server2_ctx_loader = TestEnvironment::jsonLoadFromString(server2_ctx_json); - ServerContextConfigImpl server2_ctx_config(*server2_ctx_loader, secret_manager_); + ServerContextConfigImpl server2_ctx_config(*server2_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); 
@@ -2125,7 +2126,7 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, secret_manager_); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager()); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -2211,7 +2212,7 @@ TEST_P(SslSocketTest, SslError) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, secret_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -2533,7 +2534,8 @@ class SslReadBufferLimitTest : public SslCertsTest, public: void initialize() { server_ctx_loader_ = TestEnvironment::jsonLoadFromString(server_ctx_json_); - server_ctx_config_.reset(new ServerContextConfigImpl(*server_ctx_loader_, secret_manager_)); + server_ctx_config_.reset( + new ServerContextConfigImpl(*server_ctx_loader_, server_.secretManager())); manager_.reset(new ContextManagerImpl(runtime_)); server_ssl_socket_factory_.reset(new ServerSslSocketFactory( *server_ctx_config_, *manager_, stats_store_, std::vector{})); 
@@ -2541,7 +2543,8 @@ class SslReadBufferLimitTest : public SslCertsTest, listener_ = dispatcher_->createListener(socket_, listener_callbacks_, true, false); client_ctx_loader_ = TestEnvironment::jsonLoadFromString(client_ctx_json_); - client_ctx_config_.reset(new ClientContextConfigImpl(*client_ctx_loader_, secret_manager_)); + client_ctx_config_.reset( + new ClientContextConfigImpl(*client_ctx_loader_, server_.secretManager())); client_ssl_socket_factory_.reset( new ClientSslSocketFactory(*client_ctx_config_, *manager_, stats_store_)); diff --git a/test/integration/BUILD b/test/integration/BUILD index d750ff73d07a..d8448534c879 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -284,6 +284,7 @@ envoy_cc_test_library( "//test/common/upstream:utility_lib", "//test/config:utility_lib", "//test/mocks/buffer:buffer_mocks", + "//test/mocks/server:server_mocks", "//test/mocks/upstream:upstream_mocks", "//test/test_common:environment_lib", "//test/test_common:network_utility_lib", diff --git a/test/integration/ssl_integration_test.cc b/test/integration/ssl_integration_test.cc index 2cbd941cfa9a..22fcf58d46f6 100644 --- a/test/integration/ssl_integration_test.cc +++ b/test/integration/ssl_integration_test.cc 
@@ -35,14 +35,10 @@ void SslIntegrationTest::initialize() { context_manager_.reset(new ContextManagerImpl(*runtime_)); registerTestServerPorts({"http"}); - client_ssl_ctx_plain_ = - createClientSslTransportSocketFactory(false, false, *context_manager_, secret_manager_); - client_ssl_ctx_alpn_ = - createClientSslTransportSocketFactory(true, false, *context_manager_, secret_manager_); - client_ssl_ctx_san_ = - createClientSslTransportSocketFactory(false, true, *context_manager_, secret_manager_); - client_ssl_ctx_alpn_san_ = - createClientSslTransportSocketFactory(true, true, *context_manager_, secret_manager_); + client_ssl_ctx_plain_ = createClientSslTransportSocketFactory(false, false, *context_manager_); + client_ssl_ctx_alpn_ = createClientSslTransportSocketFactory(true, false, *context_manager_); + client_ssl_ctx_san_ = createClientSslTransportSocketFactory(false, true, *context_manager_); + client_ssl_ctx_alpn_san_ = createClientSslTransportSocketFactory(true, true, *context_manager_); } void SslIntegrationTest::TearDown() { diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index 9c3d1e773b06..53316b1114ae 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc @@ -7,6 +7,7 @@ #include "common/ssl/ssl_socket.h" #include "test/integration/server.h" +#include "test/mocks/server/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/network_utility.h" @@ -14,8 +15,7 @@ namespace Envoy { namespace Ssl { Network::TransportSocketFactoryPtr -createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& context_manager, - Secret::SecretManager& secret_manager) { +createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& context_manager) { const std::string json_plain = R"EOF( { "ca_cert_file": "{{ test_rundir }}/test/config/integration/certs/cacert.pem", 
@@ -58,8 +58,9 @@ createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& conte } else { target = san ? json_san : json_plain; } + Server::MockInstance server; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); - ClientContextConfigImpl cfg(*loader, secret_manager); + ClientContextConfigImpl cfg(*loader, server.secretManager()); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ new Ssl::ClientSslSocketFactory(cfg, context_manager, *client_stats_store)}; diff --git a/test/integration/ssl_utility.h b/test/integration/ssl_utility.h index d2ff42561bd4..c55e081a1dd4 100644 --- a/test/integration/ssl_utility.h +++ b/test/integration/ssl_utility.h @@ -9,8 +9,7 @@ namespace Envoy { namespace Ssl { Network::TransportSocketFactoryPtr -createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& context_manager, - Secret::SecretManager& secret_manager); +createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& context_manager); Network::Address::InstanceConstSharedPtr getSslAddress(const Network::Address::IpVersion& version, int port); diff --git a/test/integration/tcp_proxy_integration_test.cc b/test/integration/tcp_proxy_integration_test.cc index 64779fb89ac2..ba81779edbc1 100644 --- a/test/integration/tcp_proxy_integration_test.cc +++ b/test/integration/tcp_proxy_integration_test.cc @@ -371,8 +371,7 @@ void TcpProxySslIntegrationTest::setupConnections() { // Set up the SSl client. Network::Address::InstanceConstSharedPtr address = Ssl::getSslAddress(version_, lookupPort("tcp_proxy")); - context_ = - Ssl::createClientSslTransportSocketFactory(false, false, *context_manager_, secret_manager_); + context_ = Ssl::createClientSslTransportSocketFactory(false, false, *context_manager_); ssl_client_ = dispatcher_->createClientConnection(address, Network::Address::InstanceConstSharedPtr(), context_->createTransportSocket(), nullptr); 
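Review bot: `Server::MockInstance server;` in the ssl_utility.cc hunk is a function-local whose `secretManager()` is handed to `ClientContextConfigImpl cfg`, so if `ClientContextConfigImpl` retains the `SecretManager&` (it would have to in order to resolve secrets after construction), the reference dangles as soon as `createClientSslTransportSocketFactory` returns while the returned `ClientSslSocketFactory` lives on. The removed `Secret::SecretManager& secret_manager` parameter let callers pass a fixture-owned manager with the right lifetime; if a per-call mock is kept, the assumption should be written down, e.g. `// The mock server only has to outlive cfg's construction; cfg must not keep a reference to it.`. Constructing a full gmock `MockInstance` on every call is also much heavier than the mock secret manager it replaces. The tcp_proxy_integration_test.cc hunk on this line drops its own `secret_manager_` argument for the same reason and inherits the same lifetime question.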
diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index f0d4f70eda79..ed92338dd76f 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc @@ -12,6 +12,7 @@ #include "common/ssl/context_manager_impl.h" #include "common/ssl/ssl_socket.h" +#include "test/mocks/server/mocks.h" #include "test/test_common/network_utility.h" #include "test/test_common/printers.h" #include "test/test_common/utility.h" @@ -58,7 +59,7 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createClientSslContext(b target = json_tls; } Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); - Ssl::ClientContextConfigImpl cfg(*loader, secret_manager_); + Ssl::ClientContextConfigImpl cfg(*loader, server_.secretManager()); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ new Ssl::ClientSslSocketFactory(cfg, *context_manager_, *client_stats_store)}; @@ -73,7 +74,7 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createUpstreamSslContext )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - Ssl::ServerContextConfigImpl cfg(*loader, secret_manager_); + Ssl::ServerContextConfigImpl cfg(*loader, server_.secretManager()); static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return std::make_unique( cfg, *context_manager_, *upstream_stats_store, std::vector{}); diff --git a/test/integration/xfcc_integration_test.h b/test/integration/xfcc_integration_test.h index 3432313af715..3d0c81a0ad09 100644 --- a/test/integration/xfcc_integration_test.h +++ b/test/integration/xfcc_integration_test.h @@ -6,7 +6,7 @@ #include "test/integration/http_integration.h" #include "test/integration/server.h" #include "test/mocks/runtime/mocks.h" -#include "test/mocks/secret/mocks.h" +#include "test/mocks/server/mocks.h" #include "gmock/gmock.h" #include "gtest/gtest.h" 
@@ -56,7 +56,7 @@ class XfccIntegrationTest : public HttpIntegrationTest, Network::TransportSocketFactoryPtr client_tls_ssl_ctx_; Network::TransportSocketFactoryPtr client_mtls_ssl_ctx_; Network::TransportSocketFactoryPtr upstream_ssl_ctx_; - Secret::MockSecretManager secret_manager_; + Server::MockInstance server_; }; } // namespace Xfcc } // namespace Envoy diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index 1d111df74993..f7fd1233b7bb 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h @@ -14,8 +14,14 @@ class MockSecretManager : public SecretManager { MockSecretManager(); ~MockSecretManager(); - MOCK_METHOD1(addOrUpdateSecret, void(const envoy::api::v2::auth::Secret& secret)); - MOCK_CONST_METHOD1(findTlsCertificate, const Ssl::TlsCertificateConfig*(const std::string& name)); + MOCK_METHOD2(addOrUpdateSecret, void(const std::string& config_source_hash, + const envoy::api::v2::auth::Secret& secret)); + MOCK_CONST_METHOD2(findTlsCertificate, + Ssl::TlsCertificateConfig*(const std::string& config_source_hash, + const std::string& name)); + MOCK_METHOD2(addOrUpdateSdsService, + std::string(const envoy::api::v2::core::ConfigSource& config_source, + std::string config_name)); }; } // namespace Secret diff --git a/test/mocks/server/mocks.cc b/test/mocks/server/mocks.cc index bc27e777f7e2..c1d2dce8dde0 100644 --- a/test/mocks/server/mocks.cc +++ b/test/mocks/server/mocks.cc @@ -107,7 +107,7 @@ MockWorker::MockWorker() { MockWorker::~MockWorker() {} MockInstance::MockInstance() - : secret_manager_(new Secret::SecretManagerImpl()), ssl_context_manager_(runtime_loader_), + : secret_manager_(new Secret::SecretManagerImpl(*this)), ssl_context_manager_(runtime_loader_), singleton_manager_(new Singleton::ManagerImpl()) { ON_CALL(*this, threadLocal()).WillByDefault(ReturnRef(thread_local_)); ON_CALL(*this, stats()).WillByDefault(ReturnRef(stats_store_)); 
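Review bot: The new `findTlsCertificate` mock in test/mocks/secret/mocks.h returns `Ssl::TlsCertificateConfig*`, dropping the `const` that the previous mock and the interface it overrides (`virtual const Ssl::TlsCertificateConfig* findTlsCertificate(...) const`, visible on the removed side of the secret_manager.h hunk later in this series) both carry. A less cv-qualified pointer return is accepted as covariant, so nothing fails to compile, but the mock now advertises a mutable handle to secret material that the real interface never gives out. `MOCK_CONST_METHOD2(findTlsCertificate, const Ssl::TlsCertificateConfig*(const std::string& config_source_hash, const std::string& name));` keeps the mock faithful to the interface.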
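Review bot: `secret_manager_(new Secret::SecretManagerImpl(*this))` in the mocks.cc hunk passes the partially constructed `MockInstance` into `SecretManagerImpl`; this is only safe because the constructor just stores the reference (the later `addOrUpdateSdsService` hunk shows `server_` being used when an `SdsApi` is created, not at construction), and none of the `ON_CALL` defaults installed on the following lines exist yet at that point. A comment on the initializer, `// *this is passed before construction completes: SecretManagerImpl must only store the reference.`, would stop a future `SecretManagerImpl` change from dereferencing it early.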
diff --git a/test/server/configuration_impl_test.cc b/test/server/configuration_impl_test.cc index bec9bb6d0567..8f18823df5b0 100644 --- a/test/server/configuration_impl_test.cc +++ b/test/server/configuration_impl_test.cc @@ -303,6 +303,55 @@ TEST_F(ConfigurationImplTest, StatsSinkWithNoName) { "Provided name for static registration lookup was empty."); } +TEST_F(ConfigurationImplTest, StaticSecretRead) { + std::string json = + R"EOF( + { + "listeners" : [ + { + "address": "tcp://127.0.0.1:1234", + "filters": [] + } + ], + "cluster_manager": { + "clusters": [] + }, + "admin": {"access_log_path": "/dev/null", "address": "tcp://1.2.3.4:5678"} + } + )EOF"; + + envoy::config::bootstrap::v2::Bootstrap bootstrap = TestUtility::parseBootstrapFromJson(json); + + auto secret_config = bootstrap.mutable_static_resources()->mutable_secrets()->Add(); + + std::string yaml = + R"EOF( + name: "abc.com" + tls_certificate: + certificate_chain: + filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" + private_key: + filename: "{{ test_rundir }}/test/config/integration/certs/cakey.pem" + )EOF"; + + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); + + MainImpl config; + config.initialize(bootstrap, server_, cluster_manager_factory_); + + auto secret = server_.secretManager().findTlsCertificate("", "abc.com"); + + ASSERT_NE(secret, nullptr); + + const std::string cert_pem = "{{ test_rundir }}/test/config/integration/certs/cacert.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), + secret->certificateChain()); + + const std::string key_pem = "{{ test_rundir }}/test/config/integration/certs/cakey.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), + secret->privateKey()); +} + } // namespace Configuration } // namespace Server } // namespace Envoy From d54097a402d75109134ac085cacdbcc3d37c715a Mon Sep 17 00:00:00 2001 
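Review bot: `StaticSecretRead` only asserts the positive lookup, and the key `findTlsCertificate("", "abc.com")` relies on the empty config-source hash meaning "static secrets", which nothing in the test explains. A comment on the lookup, `// An empty config_source_hash selects the static secrets loaded from Bootstrap.static_resources.`, plus a negative case such as `EXPECT_EQ(nullptr, server_.secretManager().findTlsCertificate("", "missing.com"));` would pin both halves of the contract. The test also does not cover two static secrets sharing a `name`, which is the case most likely to behave unexpectedly given the map write in `addOrUpdateSecret`.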
From: JimmyCYJ Date: Tue, 19 Jun 2018 15:51:46 -0700 Subject: [PATCH 06/55] fix format. Signed-off-by: JimmyCYJ --- test/common/secret/secret_manager_impl_test.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index 956f4518d539..bbda166c8181 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -29,8 +29,10 @@ class MockServer : public Server::MockInstance { InitManager initmanager_; }; +} -class SecretManagerImplTest : public testing::Test {}; +class SecretManagerImplTest : public testing::Test { +}; TEST_F(SecretManagerImplTest, SecretLoadSuccess) { envoy::api::v2::auth::Secret secret_config; From bf33dacb3e96191b6a399f9d3c719c3b941863c6 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 19 Jun 2018 16:31:45 -0700 Subject: [PATCH 07/55] fix test files. Signed-off-by: JimmyCYJ --- test/common/secret/secret_manager_impl_test.cc | 1 - test/integration/BUILD | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index bbda166c8181..ab973a637260 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -29,7 +29,6 @@ class MockServer : public Server::MockInstance { InitManager initmanager_; }; -} class SecretManagerImplTest : public testing::Test { }; diff --git a/test/integration/BUILD b/test/integration/BUILD index d8448534c879..050cabbeaca8 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -283,6 +283,7 @@ envoy_cc_test_library( "//source/server:test_hooks_lib", "//test/common/upstream:utility_lib", "//test/config:utility_lib", + "//test/mocks/server:server_mocks", "//test/mocks/buffer:buffer_mocks", "//test/mocks/server:server_mocks", "//test/mocks/upstream:upstream_mocks", 
From d77b1de14b55b50479388fb53802a6ec82f53607 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 19 Jun 2018 17:01:19 -0700 Subject: [PATCH 08/55] fix format. Signed-off-by: JimmyCYJ --- test/common/secret/secret_manager_impl_test.cc | 3 +-- test/integration/BUILD | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index ab973a637260..956f4518d539 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -30,8 +30,7 @@ class MockServer : public Server::MockInstance { InitManager initmanager_; }; -class SecretManagerImplTest : public testing::Test { -}; +class SecretManagerImplTest : public testing::Test {}; TEST_F(SecretManagerImplTest, SecretLoadSuccess) { envoy::api::v2::auth::Secret secret_config; diff --git a/test/integration/BUILD b/test/integration/BUILD index 050cabbeaca8..d8448534c879 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -283,7 +283,6 @@ envoy_cc_test_library( "//source/server:test_hooks_lib", "//test/common/upstream:utility_lib", "//test/config:utility_lib", - "//test/mocks/server:server_mocks", "//test/mocks/buffer:buffer_mocks", "//test/mocks/server:server_mocks", "//test/mocks/upstream:upstream_mocks", From 8fb0d2fbaaade3de5a3a0b144a6b02428228e99e Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 19 Jun 2018 18:28:45 -0700 Subject: [PATCH 09/55] fix tests. Signed-off-by: JimmyCYJ --- test/mocks/ssl/BUILD | 1 + 1 file changed, 1 insertion(+) diff --git a/test/mocks/ssl/BUILD b/test/mocks/ssl/BUILD index 39330f6db353..fd044e7726de 100644 --- a/test/mocks/ssl/BUILD +++ b/test/mocks/ssl/BUILD @@ -13,6 +13,7 @@ envoy_cc_mock( srcs = ["mocks.cc"], hdrs = ["mocks.h"], deps = [ + "//include/envoy/secret:secret_manager_interface", "//include/envoy/ssl:connection_interface", "//include/envoy/ssl:context_config_interface", "//include/envoy/ssl:context_interface", 
From 05e903642e80de3deaac4a8520db367b8064e2ca Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 19 Jun 2018 18:57:16 -0700 Subject: [PATCH 10/55] Minor changes SecretManager. Signed-off-by: JimmyCYJ --- source/common/secret/secret_manager_impl.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 40fd4ccb5473..637bad4cae69 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -44,7 +44,6 @@ std::string SecretManagerImpl::addOrUpdateSdsService( if (sds_apis_.find(sds_apis_key) != sds_apis_.end()) { return hash; } - sds_apis_[sds_apis_key] = std::make_unique(server_, sds_config_source, hash, config_name); return hash; From 7252eb31d4c686e15a5e4c599ecb96469843cd7a Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 20 Jun 2018 09:56:22 -0700 Subject: [PATCH 11/55] Use SdsApiPtr Signed-off-by: JimmyCYJ --- source/common/secret/secret_manager_impl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 82f44ef1855e..342b119d4242 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -27,7 +27,7 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable> sds_apis_; + std::unordered_map sds_apis_; mutable std::shared_timed_mutex sds_api_mutex_; // Manages pairs of name and Ssl::TlsCertificateConfig grouped by SDS config source hash. From 69e93356a05175dc6a50a2627f3ec6ec2a6bf67f Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 20 Jun 2018 11:16:03 -0700 Subject: [PATCH 12/55] Add period to comments. Signed-off-by: JimmyCYJ --- source/common/secret/secret_manager_impl.h | 2 +- source/common/secret/secret_manager_util.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 342b119d4242..16537202b58c 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -26,7 +26,7 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable sds_apis_; mutable std::shared_timed_mutex sds_api_mutex_; diff --git a/source/common/secret/secret_manager_util.h b/source/common/secret/secret_manager_util.h index d81060dcff5a..5571e2894386 100644 --- a/source/common/secret/secret_manager_util.h +++ b/source/common/secret/secret_manager_util.h @@ -15,10 +15,10 @@ class SecretManagerUtil { /** * Calculate hash code of ConfigSource. To identify the same ConfigSource, calculate the hash - * code from the ConfigSource + * code from the ConfigSource. * - * @param config_source envoy::api::v2::core::ConfigSource - * @return hash code + * @param config_source envoy::api::v2::core::ConfigSource. + * @return hash code. */ static std::string configSourceHash(const envoy::api::v2::core::ConfigSource& config_source) { std::string jsonstr; From 189761287dcb578a7d6ecd870440f06c6349302e Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 20 Jun 2018 11:32:58 -0700 Subject: [PATCH 13/55] Update BUILD file. Signed-off-by: JimmyCYJ --- source/common/secret/BUILD | 1 + 1 file changed, 1 insertion(+) diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 90455caee6ef..e6faac70c5e4 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -16,6 +16,7 @@ envoy_cc_library( ":sds_api_lib", ":secret_manager_util", "//include/envoy/secret:secret_manager_interface", + "//include/envoy/server:instance_interface", "//source/common/common:minimal_logger_lib", "//source/common/ssl:tls_certificate_config_impl_lib", "@envoy_api//envoy/api/v2/auth:cert_cc", From 7b87f695297f46723494edfc5cc1119513a88c24 Mon Sep 17 00:00:00 2001 
From: JimmyCYJ Date: Wed, 27 Jun 2018 15:47:27 -0700 Subject: [PATCH 14/55] Add dynamic secret provider and let SDS api inherit this new class. Signed-off-by: JimmyCYJ --- include/envoy/secret/secret_manager.h | 39 +++--- source/common/common/logger.h | 1 + source/common/secret/BUILD | 2 + source/common/secret/sds_api.cc | 37 ++++-- source/common/secret/sds_api.h | 14 ++- source/common/secret/secret_manager_impl.cc | 28 ++--- source/common/secret/secret_manager_impl.h | 20 ++- source/common/ssl/context_config_impl.cc | 114 ++++++------------ source/common/ssl/context_config_impl.h | 8 +- source/server/configuration_impl.cc | 3 +- test/common/secret/BUILD | 1 + .../common/secret/secret_manager_impl_test.cc | 43 +++---- test/common/ssl/context_impl_test.cc | 6 +- test/mocks/secret/mocks.h | 14 +-- test/server/configuration_impl_test.cc | 2 +- 15 files changed, 156 insertions(+), 176 deletions(-) diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index bf2f472ed444..282d491509a3 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h 
@@ -8,42 +8,53 @@ namespace Envoy { namespace Secret { +/** + * A provider for dynamic secret. + */ +class DynamicSecretProvider { +public: + virtual ~DynamicSecretProvider() {} + + /** + * @return the TlsCertificate secret. Returns nullptr if the secret is not found. + */ + virtual const Ssl::TlsCertificateConfig* secret() const PURE; +}; + +typedef std::shared_ptr DynamicSecretProviderSharedPtr; + /** * A manager for static secrets. - * - * TODO(jaebong) Support dynamic secrets. */ class SecretManager { public: virtual ~SecretManager() {} /** - * @param config_source_hash a hash string of normalized config source. If it is empty string, - * find secret from the static secrets. + * @param config_source_hash a hash string of normalized config source for static secret. * @param secret a protobuf message of envoy::api::v2::auth::Secret. * @throw an EnvoyException if the secret is invalid or not supported. */ - virtual void addOrUpdateSecret(const std::string& config_source_hash, - const envoy::api::v2::auth::Secret& secret) PURE; + virtual void addStaticSecret(const envoy::api::v2::auth::Secret& secret) PURE; /** - * @param sds_config_source_hash hash string of normalized config source. * @param name a name of the Ssl::TlsCertificateConfig. * @return the TlsCertificate secret. Returns nullptr if the secret is not found. */ - virtual const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& config_source_hash, - const std::string& name) const PURE; + virtual const Ssl::TlsCertificateConfig* + findStaticTlsCertificate(const std::string& name) const PURE; /** - * Add or update SDS config source. SecretManager starts downloading secrets from registered + * Create a secret provider that stores dynamic secret. * config source. * - * @param sdsConfigSource a protobuf message object contains SDS config source. + * @param config_source a protobuf message object contains SDS config source. 
* @param config_name a name that uniquely refers to the SDS config source - * @return a hash string of normalized config source + * @return the dynamic secret provider. */ - virtual std::string addOrUpdateSdsService(const envoy::api::v2::core::ConfigSource& config_source, - std::string config_name) PURE; + virtual DynamicSecretProviderSharedPtr + createDynamicSecretProvider(const envoy::api::v2::core::ConfigSource& config_source, + std::string config_name) PURE; }; } // namespace Secret diff --git a/source/common/common/logger.h b/source/common/common/logger.h index f83063cc08c4..f5a6229d6b92 100644 --- a/source/common/common/logger.h +++ b/source/common/common/logger.h @@ -44,6 +44,7 @@ namespace Logger { FUNCTION(router) \ FUNCTION(runtime) \ FUNCTION(stats) \ + FUNCTION(secret) \ FUNCTION(testing) \ FUNCTION(thrift) \ FUNCTION(tracing) \ diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index e6faac70c5e4..448ebaf4a72a 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -40,7 +40,9 @@ envoy_cc_library( ":secret_manager_util", "//include/envoy/config:subscription_interface", "//include/envoy/server:instance_interface", + "//source/common/common:minimal_logger_lib", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", + "//source/common/ssl:tls_certificate_config_impl_lib", ], ) diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 6bb0771cf842..7b7e79c614f2 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -2,9 +2,13 @@ #include +#include "envoy/api/v2/auth/cert.pb.validate.h" + #include "common/config/resources.h" #include "common/config/subscription_factory.h" +#include "common/protobuf/utility.h" #include "common/secret/secret_manager_util.h" +#include "common/ssl/tls_certificate_config_impl.h" namespace Envoy { namespace Secret { 
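Review bot: The doc comment on `addStaticSecret` still carries `@param config_source_hash a hash string of normalized config source for static secret.` although that parameter was removed in this hunk, and the `createDynamicSecretProvider` comment now reads `Create a secret provider that stores dynamic secret.` followed by the orphaned context line `* config source.`. Drop the stale tag so only `@param secret a protobuf message of envoy::api::v2::auth::Secret.` remains, and merge the fragment into `Create a secret provider that stores the dynamic secret fetched from the given SDS config source.`. `DynamicSecretProvider::secret()` returns a raw pointer into provider-owned storage, and the `SdsApi` implementation later in this patch replaces that object on every changed update, so its comment should state the validity window, e.g. `@return the TlsCertificate secret, valid only until the next config update; nullptr if none has been received.`.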
@@ -31,19 +35,28 @@ void SdsApi::initialize(std::function callback) { } void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) { - for (const auto& resource : resources) { - switch (resource.type_case()) { - case envoy::api::v2::auth::Secret::kTlsCertificate: - server_.secretManager().addOrUpdateSecret(sds_config_source_hash_, resource); - break; - case envoy::api::v2::auth::Secret::kSessionTicketKeys: - NOT_IMPLEMENTED; - default: - throw EnvoyException("sds: invalid configuration"); - } + if (resources.empty()) { + ENVOY_LOG(debug, "Missing SDS resources for {} in onConfigUpdate()", sds_config_name_); + runInitializeCallbackIfAny(); + return; + } + if (resources.size() != 1) { + throw EnvoyException(fmt::format("Unexpected SDS secrets length: {}", resources.size())); + } + const auto& secret = resources[0]; + MessageUtil::validate(secret); + // TODO(PiotrSikora): Remove this hack once fixed internally. + if (!(secret.name() == sds_config_name_)) { + throw EnvoyException( + fmt::format("Unexpected SDS secret (expecting {}): {}", sds_config_name_, secret.name())); + } + const uint64_t new_hash = MessageUtil::hash(secret); + if (new_hash != secret_hash_ && + secret.type_case() == envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate) { + tls_certificate_secrets_ = + std::make_unique(secret.tls_certificate()); + secret_hash_ = new_hash; } - - runInitializeCallbackIfAny(); } void SdsApi::onConfigUpdateFailed(const EnvoyException*) { diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index faf95bbfb2e2..80b12f24a809 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -5,6 +5,7 @@ #include "envoy/api/v2/auth/cert.pb.h" #include "envoy/api/v2/core/config_source.pb.h" #include "envoy/config/subscription.h" +#include "envoy/secret/secret_manager.h" #include "envoy/server/instance.h" namespace Envoy { 
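Review bot: After a non-empty update runInitializeCallbackIfAny() is no longer reached: the old body called it unconditionally after the loop, while the new body only calls it on the `resources.empty()` early return, so an init target waiting on the first real secret presumably never completes (the Init::Target registration lives outside this hunk). Adding `runInitializeCallbackIfAny();` after the closing brace of the `if (new_hash != secret_hash_ && ...)` block restores the previous behaviour. Separately, a secret whose type_case is not kTlsCertificate is now dropped silently where the old switch hit NOT_IMPLEMENTED or threw `sds: invalid configuration`; if that is intended, a one-line comment on the condition saying so would save the next reader the question.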
@@ -13,7 +14,10 @@ namespace Secret { /** * SDS API implementation that fetches secrets from SDS server via Subscription. */ -class SdsApi : public Init::Target, Config::SubscriptionCallbacks { +class SdsApi : public Init::Target, + public DynamicSecretProvider, + public Config::SubscriptionCallbacks, + public Logger::Loggable { public: SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_hash, std::string sds_config_name); @@ -28,6 +32,11 @@ class SdsApi : public Init::Target, Config::SubscriptionCallbacks(resource).name(); } + // DynamicSecretProvider + const Ssl::TlsCertificateConfig* secret() const override { + return tls_certificate_secrets_.get(); + } + private: void runInitializeCallbackIfAny(); @@ -37,6 +46,9 @@ class SdsApi : public Init::Target, Config::SubscriptionCallbacks> subscription_; std::function initialize_callback_; std::string sds_config_name_; + + uint64_t secret_hash_; + Ssl::TlsCertificateConfigPtr tls_certificate_secrets_; }; typedef std::unique_ptr SdsApiPtr; diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 637bad4cae69..6678ad671161 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -8,12 +8,11 @@ namespace Envoy { namespace Secret { -void SecretManagerImpl::addOrUpdateSecret(const std::string& config_source_hash, - const envoy::api::v2::auth::Secret& secret) { +void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secret) { switch (secret.type_case()) { case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate: { std::unique_lock lhs(tls_certificate_secrets_mutex_); - tls_certificate_secrets_[config_source_hash][secret.name()] = + tls_certificate_secrets_[secret.name()] = std::make_unique(secret.tls_certificate()); } break; default: 
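Review bot: `uint64_t secret_hash_;` is added without an initializer, and the constructor's member-initializer list (the one visible in this commit and the rewritten one in the sds_api.cc hunk of PATCH 19) does not set it, so the first `new_hash != secret_hash_` comparison in onConfigUpdate reads an indeterminate value. `uint64_t secret_hash_{0};` fixes it. The new `secret()` override returns a raw pointer into `tls_certificate_secrets_`, which onConfigUpdate replaces via make_unique on the next differing update; a comment on the override such as `// Valid only until the next onConfigUpdate() that installs a new secret; do not retain.` documents the lifetime callers must respect.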
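Review bot: `tls_certificate_secrets_[secret.name()] = ...` in addStaticSecret replaces an existing entry of the same name without any diagnostic, so two static secrets with the same name in the bootstrap resolve to whichever was loaded last, and any raw pointer previously returned by findStaticTlsCertificate for that name is left dangling. If last-wins is intended, a comment on the assignment saying so is enough; otherwise an `ENVOY_LOG(warn, ...)` or an EnvoyException on the duplicate makes the bootstrap error visible. The switch's remaining branches are outside the hunk.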
@@ -22,31 +21,26 @@ void SecretManagerImpl::addOrUpdateSecret(const std::string& config_source_hash, } const Ssl::TlsCertificateConfig* -SecretManagerImpl::findTlsCertificate(const std::string& config_source_hash, - const std::string& name) const { +SecretManagerImpl::findStaticTlsCertificate(const std::string& name) const { std::shared_lock lhs(tls_certificate_secrets_mutex_); - auto config_source_it = tls_certificate_secrets_.find(config_source_hash); - if (config_source_it == tls_certificate_secrets_.end()) { - return nullptr; - } - - auto secret = config_source_it->second.find(name); - return (secret != config_source_it->second.end()) ? secret->second.get() : nullptr; + auto secret = tls_certificate_secrets_.find(name); + return (secret != tls_certificate_secrets_.end()) ? secret->second.get() : nullptr; } -std::string SecretManagerImpl::addOrUpdateSdsService( +DynamicSecretProviderSharedPtr SecretManagerImpl::createDynamicSecretProvider( const envoy::api::v2::core::ConfigSource& sds_config_source, std::string config_name) { std::unique_lock lhs(sds_api_mutex_); auto hash = SecretManagerUtil::configSourceHash(sds_config_source); std::string sds_apis_key = hash + config_name; - if (sds_apis_.find(sds_apis_key) != sds_apis_.end()) { - return hash; + auto sds_api = sds_apis_[sds_apis_key].lock(); + if (!sds_api) { + sds_api = std::make_shared(server_, sds_config_source, hash, config_name); + sds_apis_[sds_apis_key] = sds_api; } - sds_apis_[sds_apis_key] = std::make_unique(server_, sds_config_source, hash, config_name); - return hash; + return sds_api; } } // namespace Secret diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 16537202b58c..6114250f8863 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h 
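Review bot: Entries in `sds_apis_` are never erased: `sds_apis_[sds_apis_key]` default-inserts a weak_ptr, and once every holder of the shared_ptr is gone the expired entry stays behind, so the map grows with every distinct (config source, name) pair seen over the process lifetime. Sweeping expired entries while `sds_api_mutex_` is held, or erasing the slot when `lock()` fails and then re-inserting, keeps it bounded. `hash + config_name` also concatenates without a separator; unless SecretManagerUtil::configSourceHash is fixed-width (not visible here), two different pairs can produce the same key, and `hash + "|" + config_name` is a cheap guard.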
@@ -17,23 +17,21 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable sds_apis_; + std::unordered_map> sds_apis_; mutable std::shared_timed_mutex sds_api_mutex_; - // Manages pairs of name and Ssl::TlsCertificateConfig grouped by SDS config source hash. - // If SDS config source hash is empty, it is a static secret. - std::unordered_map> - tls_certificate_secrets_; + // Manages pairs of secret name and Ssl::TlsCertificateConfig. + std::unordered_map tls_certificate_secrets_; mutable std::shared_timed_mutex tls_certificate_secrets_mutex_; }; diff --git a/source/common/ssl/context_config_impl.cc b/source/common/ssl/context_config_impl.cc index f3fd05590330..4a76573236b1 100644 --- a/source/common/ssl/context_config_impl.cc +++ b/source/common/ssl/context_config_impl.cc 
@@ -16,50 +16,7 @@ namespace Envoy { namespace Ssl { -namespace { - -std::string readSdsSecretName(const envoy::api::v2::auth::CommonTlsContext& config) { - return (!config.tls_certificate_sds_secret_configs().empty()) - ? config.tls_certificate_sds_secret_configs()[0].name() - : EMPTY_STRING; -} - -std::string readConfigSourceHash(const envoy::api::v2::auth::CommonTlsContext& config, - Secret::SecretManager& secret_manager) { - return (!config.tls_certificate_sds_secret_configs().empty() && - config.tls_certificate_sds_secret_configs()[0].has_sds_config()) - ? secret_manager.addOrUpdateSdsService( - config.tls_certificate_sds_secret_configs()[0].sds_config(), - config.tls_certificate_sds_secret_configs()[0].name()) - : EMPTY_STRING; -} - -std::string readConfig( - const envoy::api::v2::auth::CommonTlsContext& config, Secret::SecretManager& secret_manager, - const std::string& config_source_hash, const std::string& secret_name, - const std::function& - read_inline_config, - const std::function& - read_managed_secret) { - if (!config.tls_certificates().empty()) { - return read_inline_config(config.tls_certificates()[0]); - } else if (!config.tls_certificate_sds_secret_configs().empty()) { - const auto secret = secret_manager.findTlsCertificate(config_source_hash, secret_name); - if (!secret) { - if (config_source_hash.empty()) { - throw EnvoyException( - fmt::format("Unknown static secret: {} : {}", config_source_hash, secret_name)); - } else { - return EMPTY_STRING; - } - } - return read_managed_secret(*secret); - } else { - return EMPTY_STRING; - } -} - -} // namespace +namespace {} // namespace const std::string ContextConfigImpl::DEFAULT_CIPHER_SUITES = "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:" 
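Review bot: The hunk leaves an empty `namespace {} // namespace` behind after removing the three helpers; it has no effect and should be deleted outright. A reader otherwise goes looking for the file-local helpers it used to hold.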
@@ -79,8 +36,7 @@ const std::string ContextConfigImpl::DEFAULT_ECDH_CURVES = "X25519:P-256"; ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, Secret::SecretManager& secret_manager) - : secret_manager_(secret_manager), sds_secret_name_(readSdsSecretName(config)), - sds_config_source_hash_(readConfigSourceHash(config, secret_manager)), + : secret_manager_(secret_manager), alpn_protocols_(RepeatedPtrUtil::join(config.alpn_protocols(), ",")), alt_alpn_protocols_(config.deprecated_v1().alt_alpn_protocols()), cipher_suites_(StringUtil::nonEmptyStringOrDefault( @@ -93,26 +49,10 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex Config::DataSource::read(config.validation_context().crl(), true)), certificate_revocation_list_path_( Config::DataSource::getPath(config.validation_context().crl())), - cert_chain_(readConfig( - config, secret_manager, sds_config_source_hash_, sds_secret_name_, - [](const envoy::api::v2::auth::TlsCertificate& tls_certificate) -> std::string { - return Config::DataSource::read(tls_certificate.certificate_chain(), true); - }, - [](const Ssl::TlsCertificateConfig& secret) -> std::string { - return secret.certificateChain(); - })), cert_chain_path_( config.tls_certificates().empty() ? "" : Config::DataSource::getPath(config.tls_certificates()[0].certificate_chain())), - private_key_(readConfig( - config, secret_manager, sds_config_source_hash_, sds_secret_name_, - [](const envoy::api::v2::auth::TlsCertificate& tls_certificate) -> std::string { - return Config::DataSource::read(tls_certificate.private_key(), true); - }, - [](const Ssl::TlsCertificateConfig& secret) -> std::string { - return secret.privateKey(); - })), private_key_path_( config.tls_certificates().empty() ? "" 
@@ -128,6 +68,8 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex tlsVersionFromProto(config.tls_params().tls_minimum_protocol_version(), TLS1_VERSION)), max_protocol_version_( tlsVersionFromProto(config.tls_params().tls_maximum_protocol_version(), TLS1_2_VERSION)) { + readConfig(config); + if (ca_cert_.empty()) { if (!certificate_revocation_list_.empty()) { throw EnvoyException(fmt::format("Failed to load CRL from {} without trusted CA", @@ -144,6 +86,32 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex } } +void ContextConfigImpl::readConfig(const envoy::api::v2::auth::CommonTlsContext& config) { + if (!config.tls_certificates().empty()) { + cert_chain_ = Config::DataSource::read(config.tls_certificates()[0].certificate_chain(), true); + private_key_ = Config::DataSource::read(config.tls_certificates()[0].private_key(), true); + return; + } + if (!config.tls_certificate_sds_secret_configs().empty()) { + auto secret_name = config.tls_certificate_sds_secret_configs()[0].name(); + if (!config.tls_certificate_sds_secret_configs()[0].has_sds_config()) { + // static secret + const auto secret = secret_manager_.findStaticTlsCertificate(secret_name); + if (secret) { + cert_chain_ = secret->certificateChain(); + private_key_ = secret->privateKey(); + return; + } else { + throw EnvoyException(fmt::format("Unknown static secret: {}", secret_name)); + } + } else { + secret_provider_ = secret_manager_.createDynamicSecretProvider( + config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name); + return; + } + } +} + unsigned ContextConfigImpl::tlsVersionFromProto( const envoy::api::v2::auth::TlsParameters_TlsProtocol& version, unsigned default_version) { switch (version) { 
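Review bot: readConfig has no comment describing its contract, and the case where the CommonTlsContext carries neither `tls_certificates` nor `tls_certificate_sds_secret_configs` falls through leaving `cert_chain_` and `private_key_` empty with no diagnostic. A header comment such as `// Fills cert_chain_/private_key_ from the first inline tls_certificates entry, else from the named static secret (throws if unknown), else installs a dynamic provider; leaves both empty when none is configured.` states the priority order the three branches implement. `auto secret_name = ...` copies the name, where `const auto& secret_name` suffices, and the `else` following a `return` is redundant. The constructor that calls readConfig starts in the earlier hunk of this file.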
@@ -165,29 +133,19 @@ unsigned ContextConfigImpl::tlsVersionFromProto( } const std::string& ContextConfigImpl::certChain() const { - if (!cert_chain_.empty()) { - return cert_chain_; - } - - auto secret = secret_manager_.findTlsCertificate(sds_config_source_hash_, sds_secret_name_); - if (!secret) { - return cert_chain_; + if (secret_provider_ && secret_provider_->secret()) { + return secret_provider_->secret()->certificateChain(); } - return secret->certificateChain(); + return cert_chain_; } const std::string& ContextConfigImpl::privateKey() const { - if (!private_key_.empty()) { - return private_key_; - } - - auto secret = secret_manager_.findTlsCertificate(sds_config_source_hash_, sds_secret_name_); - if (!secret) { - return private_key_; + if (secret_provider_ && secret_provider_->secret()) { + return secret_provider_->secret()->privateKey(); } - return secret->privateKey(); + return private_key_; } ClientContextConfigImpl::ClientContextConfigImpl( diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index 04e39788712d..28570255738d 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -62,13 +62,15 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { static unsigned tlsVersionFromProto(const envoy::api::v2::auth::TlsParameters_TlsProtocol& version, unsigned default_version); + void readConfig(const envoy::api::v2::auth::CommonTlsContext& config); static const std::string DEFAULT_CIPHER_SUITES; static const std::string DEFAULT_ECDH_CURVES; Secret::SecretManager& secret_manager_; - const std::string sds_secret_name_; - const std::string sds_config_source_hash_; + Secret::DynamicSecretProviderSharedPtr secret_provider_; + std::string cert_chain_; + std::string private_key_; const std::string alpn_protocols_; const std::string alt_alpn_protocols_; const std::string cipher_suites_; 
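Review bot: Both getters call `secret_provider_->secret()` twice and return a `const std::string&` into the TlsCertificateConfig the provider currently owns; SdsApi::onConfigUpdate replaces that object on the next differing update, so the reference is valid only until then and callers must copy it promptly. Hoisting the lookup makes the single read explicit: `const auto* secret = secret_provider_ ? secret_provider_->secret() : nullptr;` followed by `if (secret) { return secret->certificateChain(); }` (and `privateKey()` in the twin). Whether an update can race a caller depends on which threads run onConfigUpdate and the handshake, which is not visible here, so a comment on the getters stating the lifetime of the returned reference would help.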
@@ -77,9 +79,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { const std::string ca_cert_path_; const std::string certificate_revocation_list_; const std::string certificate_revocation_list_path_; - const std::string cert_chain_; const std::string cert_chain_path_; - const std::string private_key_; const std::string private_key_path_; const std::vector verify_subject_alt_name_list_; const std::vector verify_certificate_hash_list_; diff --git a/source/server/configuration_impl.cc b/source/server/configuration_impl.cc index dd9b8b316519..57ff50ec322a 100644 --- a/source/server/configuration_impl.cc +++ b/source/server/configuration_impl.cc @@ -13,7 +13,6 @@ #include "envoy/ssl/context_manager.h" #include "common/common/assert.h" -#include "common/common/empty_string.h" #include "common/common/utility.h" #include "common/config/lds_json.h" #include "common/config/utility.h" @@ -51,7 +50,7 @@ void MainImpl::initialize(const envoy::config::bootstrap::v2::Bootstrap& bootstr ENVOY_LOG(info, "loading {} static secret(s)", secrets.size()); for (ssize_t i = 0; i < secrets.size(); i++) { ENVOY_LOG(debug, "static secret #{}: {}", i, secrets[i].name()); - server.secretManager().addOrUpdateSecret(EMPTY_STRING, secrets[i]); + server.secretManager().addStaticSecret(secrets[i]); } cluster_manager_ = cluster_manager_factory.clusterManagerFromProto( diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index b7f46ff0edb7..e5d2c97f875b 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD @@ -15,6 +15,7 @@ envoy_cc_test( "//test/common/ssl/test_data:certs", ], deps = [ + "//source/common/secret:sds_api_lib", "//source/common/secret:secret_manager_impl_lib", "//test/mocks/server:server_mocks", "//test/test_common:environment_lib", diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index 956f4518d539..d5684d3c170d 100644 --- a/test/common/secret/secret_manager_impl_test.cc 
+++ b/test/common/secret/secret_manager_impl_test.cc @@ -3,6 +3,7 @@ #include "envoy/api/v2/auth/cert.pb.h" #include "envoy/common/exception.h" +#include "common/secret/sds_api.h" #include "common/secret/secret_manager_impl.h" #include "test/mocks/server/mocks.h" @@ -49,24 +50,26 @@ name: "abc.com" Server::MockInstance server; - server.secretManager().addOrUpdateSecret("", secret_config); + server.secretManager().addStaticSecret(secret_config); - ASSERT_EQ(server.secretManager().findTlsCertificate("", "undefined"), nullptr); + ASSERT_EQ(server.secretManager().findStaticTlsCertificate("undefined"), nullptr); - ASSERT_NE(server.secretManager().findTlsCertificate("", "abc.com"), nullptr); + ASSERT_NE(server.secretManager().findStaticTlsCertificate("abc.com"), nullptr); const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - server.secretManager().findTlsCertificate("", "abc.com")->certificateChain()); + server.secretManager().findStaticTlsCertificate("abc.com")->certificateChain()); const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - server.secretManager().findTlsCertificate("", "abc.com")->privateKey()); + server.secretManager().findStaticTlsCertificate("abc.com")->privateKey()); } TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { + MockServer server; envoy::api::v2::core::ConfigSource config_source; - envoy::api::v2::auth::Secret secret_config; + auto secret_provider = + server.secretManager().createDynamicSecretProvider(config_source, "abc.com"); std::string yaml = R"EOF( 
@@ -78,25 +81,18 @@ name: "abc.com" filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" )EOF"; - MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); - - MockServer server; - - std::string config_source_hash = - server.secretManager().addOrUpdateSdsService(config_source, "abc_config"); - - server.secretManager().addOrUpdateSecret(config_source_hash, secret_config); - - ASSERT_EQ(server.secretManager().findTlsCertificate(config_source_hash, "undefined"), nullptr); + Protobuf::RepeatedPtrField secret_resources; + auto secret_config = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); + std::dynamic_pointer_cast(secret_provider)->onConfigUpdate(secret_resources, ""); const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; - EXPECT_EQ( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - server.secretManager().findTlsCertificate(config_source_hash, "abc.com")->certificateChain()); + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), + secret_provider->secret()->certificateChain()); const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - server.secretManager().findTlsCertificate(config_source_hash, "abc.com")->privateKey()); + secret_provider->secret()->privateKey()); } TEST_F(SecretManagerImplTest, NotImplementedException) { 
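Review bot: The test dereferences the result of `std::dynamic_pointer_cast<SdsApi>(secret_provider)` without checking it, so if createDynamicSecretProvider ever returns a different implementation the test crashes instead of failing. Splitting it into `auto sds_api = std::dynamic_pointer_cast<SdsApi>(secret_provider);`, `ASSERT_NE(sds_api, nullptr);` and `sds_api->onConfigUpdate(secret_resources, "");` gives a clear failure. The yaml and MockServer setup for this test sit in the preceding hunk.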
@@ -116,11 +112,8 @@ name: "abc.com" MockServer server; std::unique_ptr secret_manager(new SecretManagerImpl(server)); - std::string config_source_hash = - server.secretManager().addOrUpdateSdsService(config_source, "abc_config"); - EXPECT_THROW_WITH_MESSAGE( - server.secretManager().addOrUpdateSecret(config_source_hash, secret_config), EnvoyException, - "Secret type not implemented"); + EXPECT_THROW_WITH_MESSAGE(server.secretManager().addStaticSecret(secret_config), EnvoyException, + "Secret type not implemented"); } } // namespace diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index 7d2d53652335..3e4a88a34ef4 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -439,7 +439,7 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); Server::MockInstance server; - server.secretManager().addOrUpdateSecret("", secret_config); + server.secretManager().addStaticSecret(secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; tls_context.mutable_common_tls_context() @@ -472,7 +472,7 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); Server::MockInstance server; - server.secretManager().addOrUpdateSecret("", secret_config); + server.secretManager().addStaticSecret(secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; tls_context.mutable_common_tls_context() @@ -482,7 +482,7 @@ name: "abc.com" EXPECT_THROW_WITH_MESSAGE( ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), - EnvoyException, "Unknown static secret: : missing"); + EnvoyException, "Unknown static secret: missing"); } // Multiple TLS certificates are not yet supported, but one is expected for diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index f7fd1233b7bb..049b952af662 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h 
@@ -14,14 +14,12 @@ class MockSecretManager : public SecretManager { MockSecretManager(); ~MockSecretManager(); - MOCK_METHOD2(addOrUpdateSecret, void(const std::string& config_source_hash, - const envoy::api::v2::auth::Secret& secret)); - MOCK_CONST_METHOD2(findTlsCertificate, - Ssl::TlsCertificateConfig*(const std::string& config_source_hash, - const std::string& name)); - MOCK_METHOD2(addOrUpdateSdsService, - std::string(const envoy::api::v2::core::ConfigSource& config_source, - std::string config_name)); + MOCK_METHOD1(addStaticSecret, void(const envoy::api::v2::auth::Secret& secret)); + MOCK_CONST_METHOD1(findStaticTlsCertificate, Ssl::TlsCertificateConfig*(const std::string& name)); + MOCK_METHOD2( + createDynamicSecretProvider, + DynamicSecretProviderSharedPtr(const envoy::api::v2::core::ConfigSource& config_source, + std::string config_name)); }; } // namespace Secret diff --git a/test/server/configuration_impl_test.cc b/test/server/configuration_impl_test.cc index 8f18823df5b0..e8a8ed666146 100644 --- a/test/server/configuration_impl_test.cc +++ b/test/server/configuration_impl_test.cc @@ -339,7 +339,7 @@ TEST_F(ConfigurationImplTest, StaticSecretRead) { MainImpl config; config.initialize(bootstrap, server_, cluster_manager_factory_); - auto secret = server_.secretManager().findTlsCertificate("", "abc.com"); + auto secret = server_.secretManager().findStaticTlsCertificate("abc.com"); ASSERT_NE(secret, nullptr); From 43af47e41ff2681ad73e503735ae64b5da273159 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 27 Jun 2018 16:14:07 -0700 Subject: [PATCH 15/55] fix format. Signed-off-by: JimmyCYJ --- .../common/upstream/cluster_manager_impl.cc | 29 ++++++++----------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index 5620dc719716..ea44a66b18fb 100644 --- a/source/common/upstream/cluster_manager_impl.cc 
+++ b/source/common/upstream/cluster_manager_impl.cc @@ -163,24 +163,20 @@ void ClusterManagerInitHelper::setInitializedCb(std::function callback) } } -ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, - ClusterManagerFactory& factory, Stats::Store& stats, - ThreadLocal::Instance& tls, Runtime::Loader& runtime, - Runtime::RandomGenerator& random, - const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, - Event::Dispatcher& main_thread_dispatcher, - Server::Admin& admin, SystemTimeSource& system_time_source, - MonotonicTimeSource& monotonic_time_source, - Secret::SecretManager& secret_manager) +ClusterManagerImpl::ClusterManagerImpl( + const envoy::config::bootstrap::v2::Bootstrap& bootstrap, ClusterManagerFactory& factory, + Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, + Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, + AccessLog::AccessLogManager& log_manager, Event::Dispatcher& main_thread_dispatcher, + Server::Admin& admin, SystemTimeSource& system_time_source, + MonotonicTimeSource& monotonic_time_source, Secret::SecretManager& secret_manager) : factory_(factory), runtime_(runtime), stats_(stats), tls_(tls.allocateSlot()), random_(random), bind_config_(bootstrap.cluster_manager().upstream_bind_config()), local_info_(local_info), cm_stats_(generateStats(stats)), init_helper_([this](Cluster& cluster) { onClusterInit(cluster); }), config_tracker_entry_( admin.getConfigTracker().add("clusters", [this] { return dumpClusterConfigs(); })), - system_time_source_(system_time_source), - secret_manager_(secret_manager) { + system_time_source_(system_time_source), secret_manager_(secret_manager) { async_client_manager_ = std::make_unique(*this, tls); const auto& cm_config = bootstrap.cluster_manager(); if (cm_config.has_outlier_detection()) { 
@@ -957,11 +953,10 @@ ClusterManagerPtr ProdClusterManagerFactory::clusterManagerFromProto( ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, AccessLog::AccessLogManager& log_manager, Server::Admin& admin) { - return ClusterManagerPtr{new ClusterManagerImpl(bootstrap, *this, stats, tls, runtime, random, - local_info, log_manager, main_thread_dispatcher_, - admin, ProdSystemTimeSource::instance_, - ProdMonotonicTimeSource::instance_, - secret_manager)}; + return ClusterManagerPtr{ + new ClusterManagerImpl(bootstrap, *this, stats, tls, runtime, random, local_info, log_manager, + main_thread_dispatcher_, admin, ProdSystemTimeSource::instance_, + ProdMonotonicTimeSource::instance_, secret_manager)}; } Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( From c55a263344b07e97f325cdb1e490a92db07b09aa Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 27 Jun 2018 16:28:40 -0700 Subject: [PATCH 16/55] Revert incorrect changes. Signed-off-by: JimmyCYJ --- .../common/upstream/cluster_manager_impl.cc | 26 ++++++++++--------- source/common/upstream/cluster_manager_impl.h | 4 +-- .../config_validation/cluster_manager.cc | 2 +- .../upstream/cluster_manager_impl_test.cc | 5 ++-- 4 files changed, 18 insertions(+), 19 deletions(-) diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc index ea44a66b18fb..2c28735fee4b 100644 --- a/source/common/upstream/cluster_manager_impl.cc +++ b/source/common/upstream/cluster_manager_impl.cc 
@@ -163,20 +163,22 @@ void ClusterManagerInitHelper::setInitializedCb(std::function callback) } } -ClusterManagerImpl::ClusterManagerImpl( - const envoy::config::bootstrap::v2::Bootstrap& bootstrap, ClusterManagerFactory& factory, - Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime, - Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, - AccessLog::AccessLogManager& log_manager, Event::Dispatcher& main_thread_dispatcher, - Server::Admin& admin, SystemTimeSource& system_time_source, - MonotonicTimeSource& monotonic_time_source, Secret::SecretManager& secret_manager) +ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v2::Bootstrap& bootstrap, + ClusterManagerFactory& factory, Stats::Store& stats, + ThreadLocal::Instance& tls, Runtime::Loader& runtime, + Runtime::RandomGenerator& random, + const LocalInfo::LocalInfo& local_info, + AccessLog::AccessLogManager& log_manager, + Event::Dispatcher& main_thread_dispatcher, + Server::Admin& admin, SystemTimeSource& system_time_source, + MonotonicTimeSource& monotonic_time_source) : factory_(factory), runtime_(runtime), stats_(stats), tls_(tls.allocateSlot()), random_(random), bind_config_(bootstrap.cluster_manager().upstream_bind_config()), local_info_(local_info), cm_stats_(generateStats(stats)), init_helper_([this](Cluster& cluster) { onClusterInit(cluster); }), config_tracker_entry_( admin.getConfigTracker().add("clusters", [this] { return dumpClusterConfigs(); })), - system_time_source_(system_time_source), secret_manager_(secret_manager) { + system_time_source_(system_time_source) { async_client_manager_ = std::make_unique(*this, tls); const auto& cm_config = bootstrap.cluster_manager(); if (cm_config.has_outlier_detection()) { 
@@ -953,10 +955,10 @@ ClusterManagerPtr ProdClusterManagerFactory::clusterManagerFromProto( ThreadLocal::Instance& tls, Runtime::Loader& runtime, Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info, AccessLog::AccessLogManager& log_manager, Server::Admin& admin) { - return ClusterManagerPtr{ - new ClusterManagerImpl(bootstrap, *this, stats, tls, runtime, random, local_info, log_manager, - main_thread_dispatcher_, admin, ProdSystemTimeSource::instance_, - ProdMonotonicTimeSource::instance_, secret_manager)}; + return ClusterManagerPtr{new ClusterManagerImpl(bootstrap, *this, stats, tls, runtime, random, + local_info, log_manager, main_thread_dispatcher_, + admin, ProdSystemTimeSource::instance_, + ProdMonotonicTimeSource::instance_)}; } Http::ConnectionPool::InstancePtr ProdClusterManagerFactory::allocateConnPool( diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h index 621d50f8d92a..4bbffe3adf22 100644 --- a/source/common/upstream/cluster_manager_impl.h +++ b/source/common/upstream/cluster_manager_impl.h @@ -157,8 +157,7 @@ class ClusterManagerImpl : public ClusterManager, Logger::Loggable admin_; NiceMock system_time_source_; NiceMock monotonic_time_source_; - Secret::MockSecretManager secret_manager_; }; envoy::config::bootstrap::v2::Bootstrap parseBootstrapFromJson(const std::string& json_string) { From 7576c58fad2afc7b9fd07a7d6b59fc725b9cafea Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 27 Jun 2018 16:39:55 -0700 Subject: [PATCH 17/55] Add missing header. Signed-off-by: JimmyCYJ --- include/envoy/http/header_map.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/envoy/http/header_map.h b/include/envoy/http/header_map.h index c85d77b53e06..b3fdc0bb8e0c 100644 --- a/include/envoy/http/header_map.h +++ b/include/envoy/http/header_map.h @@ -1,5 +1,6 @@ #pragma once +#include #include #include From 564750f811de421e4503658276f7868b42f8b5c8 Mon Sep 17 00:00:00 2001 
From: JimmyCYJ Date: Wed, 27 Jun 2018 16:41:02 -0700 Subject: [PATCH 18/55] Add missing header. Signed-off-by: JimmyCYJ --- include/envoy/http/header_map.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/envoy/http/header_map.h b/include/envoy/http/header_map.h index b3fdc0bb8e0c..c85d77b53e06 100644 --- a/include/envoy/http/header_map.h +++ b/include/envoy/http/header_map.h @@ -1,6 +1,5 @@ #pragma once -#include #include #include From be63dabe7c33461523646ae6eb8961ecd78a340a Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Thu, 28 Jun 2018 18:07:10 -0700 Subject: [PATCH 19/55] Update SDS api interface and add tests. Signed-off-by: JimmyCYJ --- include/envoy/secret/BUILD | 11 +++++++- include/envoy/secret/secret_manager.h | 27 ++++-------------- source/common/config/BUILD | 1 + source/common/config/protobuf_link_hacks.h | 2 ++ source/common/config/resources.h | 1 + source/common/secret/sds_api.cc | 9 +++--- source/common/secret/sds_api.h | 4 +-- source/common/secret/secret_manager_impl.cc | 28 +++++++++---------- source/common/secret/secret_manager_impl.h | 15 +++++----- source/common/ssl/context_config_impl.cc | 2 +- test/common/secret/BUILD | 15 ++++++++++ .../common/secret/secret_manager_impl_test.cc | 2 +- test/common/ssl/context_impl_test.cc | 12 ++++---- test/mocks/secret/mocks.h | 10 ++++++- 14 files changed, 80 insertions(+), 59 deletions(-) diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD index c4dcf8404fd6..d430aeddafc4 100644 --- a/include/envoy/secret/BUILD +++ b/include/envoy/secret/BUILD 
@@ -8,11 +8,20 @@ load( envoy_package() +envoy_cc_library( + name = "dynamic_secret_provider_interface", + hdrs = ["dynamic_secret_provider.h"], + deps = [ + "//include/envoy/ssl:tls_certificate_config_interface", + ], +) + envoy_cc_library( name = "secret_manager_interface", hdrs = ["secret_manager.h"], deps = [ - "//include/envoy/ssl:tls_certificate_config_interface", + ":dynamic_secret_provider_interface", "@envoy_api//envoy/api/v2/auth:cert_cc", + "@envoy_api//envoy/api/v2/core:config_source_cc", ], ) diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index 282d491509a3..2352b50a572f 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h @@ -3,35 +3,20 @@ #include #include "envoy/api/v2/auth/cert.pb.h" +#include "envoy/secret/dynamic_secret_provider.h" #include "envoy/ssl/tls_certificate_config.h" namespace Envoy { namespace Secret { /** - * A provider for dynamic secret. - */ -class DynamicSecretProvider { -public: - virtual ~DynamicSecretProvider() {} - - /** - * @return the TlsCertificate secret. Returns nullptr if the secret is not found. - */ - virtual const Ssl::TlsCertificateConfig* secret() const PURE; -}; - -typedef std::shared_ptr DynamicSecretProviderSharedPtr; - -/** - * A manager for static secrets. + * A manager for static and dynamic secrets. */ class SecretManager { public: virtual ~SecretManager() {} /** - * @param config_source_hash a hash string of normalized config source for static secret. * @param secret a protobuf message of envoy::api::v2::auth::Secret. * @throw an EnvoyException if the secret is invalid or not supported. */ 
@@ -45,16 +30,16 @@ class SecretManager { findStaticTlsCertificate(const std::string& name) const PURE; /** - * Create a secret provider that stores dynamic secret. - * config source. + * Finds and returns a secret provider associated to SDS config. Create a new one + * if such provider does not exist. * * @param config_source a protobuf message object contains SDS config source. * @param config_name a name that uniquely refers to the SDS config source * @return the dynamic secret provider. */ virtual DynamicSecretProviderSharedPtr - createDynamicSecretProvider(const envoy::api::v2::core::ConfigSource& config_source, - std::string config_name) PURE; + findOrCreateDynamicSecretProvider(const envoy::api::v2::core::ConfigSource& config_source, + std::string config_name) PURE; }; } // namespace Secret diff --git a/source/common/config/BUILD b/source/common/config/BUILD index 83067aa8806e..ba821c967bd7 100644 --- a/source/common/config/BUILD +++ b/source/common/config/BUILD @@ -237,6 +237,7 @@ envoy_cc_library( hdrs = ["protobuf_link_hacks.h"], deps = [ "@envoy_api//envoy/service/discovery/v2:ads_cc", + "@envoy_api//envoy/service/discovery/v2:sds_cc", "@envoy_api//envoy/service/ratelimit/v2:rls_cc", ], ) diff --git a/source/common/config/protobuf_link_hacks.h b/source/common/config/protobuf_link_hacks.h index 6792f3e797c1..6a9284625355 100644 --- a/source/common/config/protobuf_link_hacks.h +++ b/source/common/config/protobuf_link_hacks.h @@ -1,6 +1,7 @@ #pragma once #include "envoy/service/discovery/v2/ads.pb.h" +#include "envoy/service/discovery/v2/sds.pb.h" #include "envoy/service/ratelimit/v2/rls.pb.h" namespace Envoy { @@ -9,4 +10,5 @@ namespace Envoy { // This file should be included ONLY if this hack is required. const envoy::service::discovery::v2::AdsDummy _ads_dummy; const envoy::service::ratelimit::v2::RateLimitRequest _rls_dummy; +const envoy::service::discovery::v2::SdsDummy _sds_dummy; } // namespace Envoy 
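Review bot: The renamed `findOrCreateDynamicSecretProvider` still takes `std::string config_name` by value, although the implementation in secret_manager_impl.cc only reads it to build a lookup key, so `const std::string& config_name` would drop a copy per call without affecting callers. The new doc comment would read better as `Finds and returns the secret provider associated with the given SDS config source and secret name, creating it if none exists yet.` The SecretManager class continues outside the hunk.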
diff --git a/source/common/config/resources.h b/source/common/config/resources.h index 03f0c9a2efd8..69ed2d91a46d 100644 --- a/source/common/config/resources.h +++ b/source/common/config/resources.h @@ -15,6 +15,7 @@ class TypeUrlValues { const std::string Listener{"type.googleapis.com/envoy.api.v2.Listener"}; const std::string Cluster{"type.googleapis.com/envoy.api.v2.Cluster"}; const std::string ClusterLoadAssignment{"type.googleapis.com/envoy.api.v2.ClusterLoadAssignment"}; + const std::string Secret{"type.googleapis.com/envoy.api.v2.auth.Secret"}; const std::string RouteConfiguration{"type.googleapis.com/envoy.api.v2.RouteConfiguration"}; }; diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 7b7e79c614f2..eac34fee2b03 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -14,9 +14,8 @@ namespace Envoy { namespace Secret { SdsApi::SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, - std::string sds_config_hash, std::string sds_config_name) - : server_(server), sds_config_(sds_config), sds_config_source_hash_(sds_config_hash), - sds_config_name_(sds_config_name) { + std::string sds_config_name) + : server_(server), sds_config_(sds_config), sds_config_name_(sds_config_name) { server_.initManager().registerTarget(*this); } @@ -45,11 +44,11 @@ void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) } const auto& secret = resources[0]; MessageUtil::validate(secret); - // TODO(PiotrSikora): Remove this hack once fixed internally. if (!(secret.name() == sds_config_name_)) { throw EnvoyException( fmt::format("Unexpected SDS secret (expecting {}): {}", sds_config_name_, secret.name())); } + const uint64_t new_hash = MessageUtil::hash(secret); if (new_hash != secret_hash_ && secret.type_case() == envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate) { 
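Review bot: A secret that passes the name check but has a `type_case()` other than `kTlsCertificate` is silently accepted by `onConfigUpdate`: the `if` on the last visible line just skips the update, no error is raised and no log line is written, so a misconfigured SDS server can leave `secret()` null while the update is reported as successful (the next hunk's unconditional `runInitializeCallbackIfAny()` then appears to complete initialization regardless). Consider an explicit branch, e.g. `} else if (secret.type_case() != envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate) { throw EnvoyException(fmt::format("Unexpected SDS secret type for {}", sds_config_name_)); }`, or at least a warning log, so the failure is visible in detection. The `if` body and the rest of `onConfigUpdate` continue outside this hunk.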
@@ -57,6 +56,8 @@ void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) std::make_unique(secret.tls_certificate()); secret_hash_ = new_hash; } + + runInitializeCallbackIfAny(); } void SdsApi::onConfigUpdateFailed(const EnvoyException*) { diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 80b12f24a809..4dee7c14ebaf 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -5,7 +5,6 @@ #include "envoy/api/v2/auth/cert.pb.h" #include "envoy/api/v2/core/config_source.pb.h" #include "envoy/config/subscription.h" -#include "envoy/secret/secret_manager.h" #include "envoy/server/instance.h" namespace Envoy { @@ -20,7 +19,7 @@ class SdsApi : public Init::Target, public Logger::Loggable { public: SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, - std::string sds_config_hash, std::string sds_config_name); + std::string sds_config_name); // Init::Target void initialize(std::function callback) override; @@ -42,7 +41,6 @@ class SdsApi : public Init::Target, Server::Instance& server_; const envoy::api::v2::core::ConfigSource sds_config_; - const std::string sds_config_source_hash_; std::unique_ptr> subscription_; std::function initialize_callback_; std::string sds_config_name_; diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 6678ad671161..64211670baee 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc 
@@ -11,8 +11,8 @@ namespace Secret { void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secret) { switch (secret.type_case()) { case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate: { - std::unique_lock lhs(tls_certificate_secrets_mutex_); - tls_certificate_secrets_[secret.name()] = + std::unique_lock lhs(static_tls_certificate_secrets_mutex_); + static_tls_certificate_secrets_[secret.name()] = std::make_unique(secret.tls_certificate()); } break; default: 
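Review bot: `static_tls_certificate_secrets_[secret.name()] = ...` overwrites any static secret already registered under the same name, so two bootstrap secrets with a duplicate name resolve to whichever was loaded last with no diagnostic, and since listeners and clusters pick certificates by this name the operator has no signal that the wrong certificate is being served. Inserting with `emplace` and checking the returned `.second`, then throwing e.g. `EnvoyException(fmt::format("Duplicate static secret: {}", secret.name()))`, makes the collision explicit; a warning log would be the minimum. The `switch` continues past the hunk.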
@@ -22,25 +22,25 @@ void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secr const Ssl::TlsCertificateConfig* SecretManagerImpl::findStaticTlsCertificate(const std::string& name) const { - std::shared_lock lhs(tls_certificate_secrets_mutex_); + std::shared_lock lhs(static_tls_certificate_secrets_mutex_); - auto secret = tls_certificate_secrets_.find(name); - return (secret != tls_certificate_secrets_.end()) ? secret->second.get() : nullptr; + auto secret = static_tls_certificate_secrets_.find(name); + return (secret != static_tls_certificate_secrets_.end()) ? secret->second.get() : nullptr; } -DynamicSecretProviderSharedPtr SecretManagerImpl::createDynamicSecretProvider( +DynamicSecretProviderSharedPtr SecretManagerImpl::findOrCreateDynamicSecretProvider( const envoy::api::v2::core::ConfigSource& sds_config_source, std::string config_name) { - std::unique_lock lhs(sds_api_mutex_); - auto hash = SecretManagerUtil::configSourceHash(sds_config_source); - std::string sds_apis_key = hash + config_name; - auto sds_api = sds_apis_[sds_apis_key].lock(); - if (!sds_api) { - sds_api = std::make_shared(server_, sds_config_source, hash, config_name); - sds_apis_[sds_apis_key] = sds_api; + std::string map_key = hash + config_name; + + std::unique_lock lhs(dynamic_secret_providers_mutex_); + auto dynamic_secret_provider = dynamic_secret_providers_[map_key].lock(); + if (!dynamic_secret_provider) { + dynamic_secret_provider = std::make_shared(server_, sds_config_source, config_name); + dynamic_secret_providers_[map_key] = dynamic_secret_provider; } - return sds_api; + return dynamic_secret_provider; } } // namespace Secret diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 6114250f8863..3e1b1ad89923 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h 
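Review bot: `std::string map_key = hash + config_name;` concatenates a variable-length decimal hash string with an arbitrary secret name and no separator, so the (hash, name) pair is not uniquely encoded: hash `12` with name `3foo` and hash `123` with name `foo` collide, and a collision would hand a caller the provider bound to a different SDS config source. A delimiter that cannot occur in the digits, `hash + "/" + config_name`, or a `std::pair`/struct key removes the ambiguity. Separately, `dynamic_secret_providers_[map_key]` default-inserts a `weak_ptr` and nothing in this hunk erases entries once the provider expires, so the map only grows over the process lifetime; erasing the expired entry when `.lock()` returns null would bound it.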
@@ -21,18 +21,19 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable> sds_apis_; - mutable std::shared_timed_mutex sds_api_mutex_; // Manages pairs of secret name and Ssl::TlsCertificateConfig. - std::unordered_map tls_certificate_secrets_; - mutable std::shared_timed_mutex tls_certificate_secrets_mutex_; + std::unordered_map static_tls_certificate_secrets_; + mutable std::shared_timed_mutex static_tls_certificate_secrets_mutex_; + + // map hash code of SDS config source and SdsApi object. + std::unordered_map> dynamic_secret_providers_; + mutable std::shared_timed_mutex dynamic_secret_providers_mutex_; }; } // namespace Secret diff --git a/source/common/ssl/context_config_impl.cc b/source/common/ssl/context_config_impl.cc index 4a76573236b1..3ced4b83a80f 100644 --- a/source/common/ssl/context_config_impl.cc +++ b/source/common/ssl/context_config_impl.cc @@ -105,7 +105,7 @@ void ContextConfigImpl::readConfig(const envoy::api::v2::auth::CommonTlsContext& throw EnvoyException(fmt::format("Unknown static secret: {}", secret_name)); } } else { - secret_provider_ = secret_manager_.createDynamicSecretProvider( + secret_provider_ = secret_manager_.findOrCreateDynamicSecretProvider( config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name); return; } diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index e5d2c97f875b..4b1ea32ee27b 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD @@ -23,3 +23,18 @@ envoy_cc_test( "//test/test_common:utility_lib", ], ) + +envoy_cc_test( + name = "sds_api_test", + srcs = ["sds_api_test.cc"], + data = [ + "//test/common/ssl/test_data:certs", + ], + deps = [ + "//source/common/secret:sds_api_lib", + "//test/mocks/server:server_mocks", + "//test/test_common:environment_lib", + "//test/test_common:registry_lib", + "//test/test_common:utility_lib", + ], +) 
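Review bot: The new member comment `// map hash code of SDS config source and SdsApi object.` does not match what the map holds: the key is the config-source hash concatenated with the secret name, and the value is a weak reference, not the object. Suggest `// Keyed by <hash of the SDS ConfigSource> + <secret name>; holds weak references to the providers handed out by findOrCreateDynamicSecretProvider(), so a provider lives only as long as its users.` The class body continues outside the hunk.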
diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index d5684d3c170d..95b5f95daa45 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -69,7 +69,7 @@ TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { MockServer server; envoy::api::v2::core::ConfigSource config_source; auto secret_provider = - server.secretManager().createDynamicSecretProvider(config_source, "abc.com"); + server.secretManager().findOrCreateDynamicSecretProvider(config_source, "abc.com"); std::string yaml = R"EOF( diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index 3e4a88a34ef4..9903a0c97eca 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -492,12 +492,12 @@ TEST(ServerContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), EnvoyException, "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), EnvoyException, "A single TLS certificate is required for server contexts"); } 
@@ -506,12 +506,12 @@ TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { envoy::api::v2::auth::DownstreamTlsContext tls_context; EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), EnvoyException, "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl client_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), EnvoyException, "A single TLS certificate is required for server contexts"); } @@ -520,12 +520,12 @@ TEST(ServerContextImplTest, TlsCertificateNonEmpty) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; tls_context.mutable_common_tls_context()->add_tls_certificates(); - ServerContextConfigImpl client_context_config(tls_context, server.secretManager()); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; EXPECT_THROW_WITH_MESSAGE(ServerContextPtr server_ctx(manager.createSslServerContext( - store, client_context_config, std::vector{})), + store, server_context_config, std::vector{})), EnvoyException, "Server TlsCertificates must have a certificate specified"); } diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index 049b952af662..0c6b6a02fbfa 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h 
@@ -17,10 +17,18 @@ class MockSecretManager : public SecretManager { MOCK_METHOD1(addStaticSecret, void(const envoy::api::v2::auth::Secret& secret)); MOCK_CONST_METHOD1(findStaticTlsCertificate, Ssl::TlsCertificateConfig*(const std::string& name)); MOCK_METHOD2( - createDynamicSecretProvider, + findOrCreateDynamicSecretProvider, DynamicSecretProviderSharedPtr(const envoy::api::v2::core::ConfigSource& config_source, std::string config_name)); }; +class MockDynamicSecretProvider : public DynamicSecretProvider { +public: + MockDynamicSecretProvider(); + ~MockDynamicSecretProvider(); + + MOCK_CONST_METHOD0(secret, const Ssl::TlsCertificateConfig*()); +}; + } // namespace Secret } // namespace Envoy From 34be4209ac277deee6343a60c8898ea14bfb6254 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Thu, 28 Jun 2018 18:07:40 -0700 Subject: [PATCH 20/55] Add tests for SdsApi. Signed-off-by: JimmyCYJ --- .../envoy/secret/dynamic_secret_provider.h | 26 ++++ test/common/secret/sds_api_test.cc | 124 ++++++++++++++++++ 2 files changed, 150 insertions(+) create mode 100644 include/envoy/secret/dynamic_secret_provider.h create mode 100644 test/common/secret/sds_api_test.cc diff --git a/include/envoy/secret/dynamic_secret_provider.h b/include/envoy/secret/dynamic_secret_provider.h new file mode 100644 index 000000000000..99f0a11db085 --- /dev/null +++ b/include/envoy/secret/dynamic_secret_provider.h @@ -0,0 +1,26 @@ +#pragma once + +#include + +#include "envoy/ssl/tls_certificate_config.h" + +namespace Envoy { +namespace Secret { + +/** + * An interface to fetch dynamic secret. + */ +class DynamicSecretProvider { +public: + virtual ~DynamicSecretProvider() {} + + /** + * @return the TlsCertificate secret. Returns nullptr if the secret is not found. + */ + virtual const Ssl::TlsCertificateConfig* secret() const PURE; +}; + +typedef std::shared_ptr DynamicSecretProviderSharedPtr; + +} // namespace Secret +} // namespace Envoy \ No newline at end of file 
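Review bot: The doc for `secret()` in the new dynamic_secret_provider.h should state the lifetime of the returned pointer: judging by the `std::make_unique(...)` assignment in sds_api.cc, the previous TlsCertificateConfig is destroyed on the next `onConfigUpdate`, so a caller that caches the pointer across updates holds a dangling reference. Suggest `@return the TlsCertificate secret, or nullptr if no secret has been received yet. The pointer is non-owning and is only valid until the next secret update; do not cache it.` Minor style: `virtual ~DynamicSecretProvider() = default;`, `using DynamicSecretProviderSharedPtr = std::shared_ptr<DynamicSecretProvider>;`, and the file is missing its trailing newline.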
diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc new file mode 100644 index 000000000000..0ceb09e10ee5 --- /dev/null +++ b/test/common/secret/sds_api_test.cc 
@@ -0,0 +1,124 @@ +#include + +#include "envoy/api/v2/auth/cert.pb.h" +#include "envoy/common/exception.h" + +#include "common/secret/sds_api.h" + +#include "test/mocks/server/mocks.h" +#include "test/test_common/environment.h" +#include "test/test_common/utility.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +namespace Envoy { +namespace Secret { +namespace { + +class MockServer : public Server::MockInstance { +public: + Init::Manager& initManager() { return initmanager_; } + +private: + class InitManager : public Init::Manager { + public: + void initialize(std::function callback); + void registerTarget(Init::Target&) override {} + }; + + InitManager initmanager_; +}; + +class SdsApiTest : public testing::Test {}; + +TEST_F(SdsApiTest, SecretUpdateSuccess) { + MockServer server; + envoy::api::v2::core::ConfigSource config_source; + SdsApi sds_api(server, config_source, "abc.com"); + + std::string yaml = + R"EOF( + name: "abc.com" + tls_certificate: + certificate_chain: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" + )EOF"; + + Protobuf::RepeatedPtrField secret_resources; + auto secret_config = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); + sds_api.onConfigUpdate(secret_resources, ""); + + const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), + sds_api.secret()->certificateChain()); + + const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), + sds_api.secret()->privateKey()); +} + +TEST_F(SdsApiTest, EmptyResource) { + MockServer server; + envoy::api::v2::core::ConfigSource config_source; + SdsApi sds_api(server, 
config_source, "abc.com"); + + Protobuf::RepeatedPtrField secret_resources; + sds_api.onConfigUpdate(secret_resources, ""); + EXPECT_EQ(nullptr, sds_api.secret()); +} + +TEST_F(SdsApiTest, SecretUpdateWrongSize) { + MockServer server; + envoy::api::v2::core::ConfigSource config_source; + SdsApi sds_api(server, config_source, "abc.com"); + + std::string yaml = + R"EOF( + name: "abc.com" + tls_certificate: + certificate_chain: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" + )EOF"; + + Protobuf::RepeatedPtrField secret_resources; + auto secret_config_1 = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config_1); + auto secret_config_2 = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config_2); + + EXPECT_THROW_WITH_MESSAGE(sds_api.onConfigUpdate(secret_resources, ""), EnvoyException, + "Unexpected SDS secrets length: 2"); +} + +TEST_F(SdsApiTest, SecretUpdateWrongSecretName) { + MockServer server; + envoy::api::v2::core::ConfigSource config_source; + SdsApi sds_api(server, config_source, "abc.com"); + + std::string yaml = + R"EOF( + name: "wrong.name.com" + tls_certificate: + certificate_chain: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" + )EOF"; + + Protobuf::RepeatedPtrField secret_resources; + auto secret_config = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); + + EXPECT_THROW_WITH_MESSAGE(sds_api.onConfigUpdate(secret_resources, ""), EnvoyException, + "Unexpected SDS secret (expecting abc.com): wrong.name.com"); +} + +} // namespace +} // namespace Secret +} // namespace Envoy \ No newline at end of file 
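Review bot: `MockServer::InitManager::initialize(...)` is declared without `override` and has no definition anywhere in the new file; if it matches a virtual in `Init::Manager` it becomes the class's first out-of-line virtual and the vtable is likely to be missing at link time, and if it does not match the class stays abstract — give it an inline empty body like `registerTarget` and mark it `override`. The same `MockServer` is copy-pasted into context_impl_test.cc in the later patch of this series; a shared test helper would avoid fixing it twice. The tests cover the wrong-size and wrong-name paths but not a secret whose type is something other than `tls_certificate`, which is the case `onConfigUpdate` currently ignores silently.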
From 666d58f2ae1184754b9a408cb90a3a37cefc4467 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Fri, 29 Jun 2018 11:51:13 -0700 Subject: [PATCH 21/55] Add tests to context_impl_test.cc Signed-off-by: JimmyCYJ --- include/envoy/ssl/context_config.h | 11 +++ source/common/ssl/BUILD | 1 + source/common/ssl/context_config_impl.h | 9 +++ test/common/ssl/context_impl_test.cc | 96 +++++++++++++++++++++++++ 4 files changed, 117 insertions(+) diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index a56a89e903e6..a75bdd169690 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -5,6 +5,7 @@ #include #include "envoy/common/pure.h" +#include "envoy/secret/dynamic_secret_provider.h" namespace Envoy { namespace Ssl { @@ -111,6 +112,16 @@ class ContextConfig { * @return The maximum TLS protocol version to negotiate. */ virtual unsigned maxProtocolVersion() const PURE; + + /** + * @return true of the config is valid. + */ + virtual bool isValid() const PURE; + + /** + * @return the DynamicSecretProvider object. + */ + virtual Secret::DynamicSecretProvider* getDynamicSecretProvider() const PURE; }; class ClientContextConfig : public virtual ContextConfig { diff --git a/source/common/ssl/BUILD b/source/common/ssl/BUILD index 486d0da347dc..38d5540b5813 100644 --- a/source/common/ssl/BUILD +++ b/source/common/ssl/BUILD @@ -58,6 +58,7 @@ envoy_cc_library( external_deps = ["ssl"], deps = [ "//include/envoy/runtime:runtime_interface", + "//include/envoy/secret:secret_manager_interface", "//include/envoy/ssl:context_config_interface", "//include/envoy/ssl:context_interface", "//include/envoy/ssl:context_manager_interface", diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index 28570255738d..262488518a19 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h 
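Review bot: The new `isValid()` doc in context_config.h has a typo, `@return true of the config is valid.`, and says nothing about what "valid" means or about ownership of the pointer returned by `getDynamicSecretProvider()`. Suggest `@return true if the config can be used to build a context: either no dynamic secret provider is configured or that provider has already received its secret.` and, for the getter, `@return the DynamicSecretProvider backing this config, or nullptr when the certificate is static. The pointer is non-owning.` The ContextConfig class continues outside the hunk.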
@@ -54,6 +54,15 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { unsigned minProtocolVersion() const override { return min_protocol_version_; }; unsigned maxProtocolVersion() const override { return max_protocol_version_; }; + bool isValid() const override { + // either secret_provider_ is nullptr or secret_provider_->secret() is NOT nullptr. + return !secret_provider_ || secret_provider_->secret(); + } + + Secret::DynamicSecretProvider* getDynamicSecretProvider() const override { + return secret_provider_.get(); + } + protected: ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, Secret::SecretManager& secret_manager); diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index 9903a0c97eca..a8a948d5bd7b 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -2,6 +2,7 @@ #include #include "common/json/json_loader.h" +#include "common/secret/sds_api.h" #include "common/secret/secret_manager_impl.h" #include "common/ssl/context_config_impl.h" #include "common/ssl/context_impl.h" 
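Review bot: `return !secret_provider_ || secret_provider_->secret();` relies on an implicit pointer-to-bool conversion to return a `bool`, and the comment above it only restates the expression; `return !secret_provider_ || secret_provider_->secret() != nullptr;` with a comment such as `// A static certificate is always usable; a dynamic one only once SDS has delivered it.` reads more clearly. `getDynamicSecretProvider()` hands out the raw pointer of a shared member, which is fine for the interface but is what lets tests `static_cast` it down to `SdsApi`; a comment noting the pointer is non-owning would help. The class continues outside the hunk.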
@@ -424,6 +425,60 @@ TEST(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { EnvoyException, "Multiple TLS certificates are not supported for client contexts"); } +class MockServer : public Server::MockInstance { +public: + Init::Manager& initManager() { return initmanager_; } + +private: + class InitManager : public Init::Manager { + public: + void initialize(std::function callback); + void registerTarget(Init::Target&) override {} + }; + + InitManager initmanager_; +}; + +TEST(ClientContextConfigImplTest, SdsConfig) { + envoy::api::v2::auth::UpstreamTlsContext tls_context; + MockServer server; + auto sds_secret_configs = + tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); + sds_secret_configs->set_name("abc.com"); + sds_secret_configs->mutable_sds_config(); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); + + // When sds secret is not downloaded, config is not valid. + EXPECT_FALSE(client_context_config.isValid()); + EXPECT_EQ("", client_context_config.certChain()); + EXPECT_EQ("", client_context_config.privateKey()); + + std::string yaml = + R"EOF( + name: "abc.com" + tls_certificate: + certificate_chain: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" + )EOF"; + + Protobuf::RepeatedPtrField secret_resources; + auto secret_config = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); + static_cast(client_context_config.getDynamicSecretProvider()) + ->onConfigUpdate(secret_resources, ""); + + // When sds secret is downloaded, config is valid. 
+ EXPECT_TRUE(client_context_config.isValid()); + const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), + client_context_config.certChain()); + const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), + client_context_config.privateKey()); +} + TEST(ClientContextConfigImplTest, StaticTlsCertificates) { envoy::api::v2::auth::Secret secret_config; 
@@ -515,6 +570,47 @@ TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { EnvoyException, "A single TLS certificate is required for server contexts"); } +TEST(ServerContextConfigImplTest, SdsConfig) { + envoy::api::v2::auth::DownstreamTlsContext tls_context; + MockServer server; + + auto sds_secret_configs = + tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); + sds_secret_configs->set_name("abc.com"); + sds_secret_configs->mutable_sds_config(); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager()); + + // When sds secret is not downloaded, config is not valid. + EXPECT_FALSE(server_context_config.isValid()); + EXPECT_EQ("", server_context_config.certChain()); + EXPECT_EQ("", server_context_config.privateKey()); + + std::string yaml = + R"EOF( + name: "abc.com" + tls_certificate: + certificate_chain: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" + )EOF"; + + Protobuf::RepeatedPtrField secret_resources; + auto secret_config = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); + static_cast(server_context_config.getDynamicSecretProvider()) + ->onConfigUpdate(secret_resources, ""); + + // When sds secret is downloaded, config is valid. + EXPECT_TRUE(server_context_config.isValid()); + const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), + server_context_config.certChain()); + const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), + server_context_config.privateKey()); +} + // TlsCertificate messages must have a cert for servers. 
TEST(ServerContextImplTest, TlsCertificateNonEmpty) { envoy::api::v2::auth::DownstreamTlsContext tls_context; From c25f9886af84483e5431bd3c2ccfc49e6e3b442d Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 2 Jul 2018 09:15:17 -0700 Subject: [PATCH 22/55] Add one more test to cover SdsApi Signed-off-by: JimmyCYJ --- source/common/config/subscription_factory.h | 3 ++ test/common/secret/BUILD | 1 + test/common/secret/sds_api_test.cc | 39 ++++++++++++++++++++- 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/source/common/config/subscription_factory.h b/source/common/config/subscription_factory.h index f80cc09219f6..c95dc523da87 100644 --- a/source/common/config/subscription_factory.h +++ b/source/common/config/subscription_factory.h @@ -63,6 +63,9 @@ class SubscriptionFactory { *Protobuf::DescriptorPool::generated_pool()->FindMethodByName(rest_method), stats)); break; case envoy::api::v2::core::ApiConfigSource::GRPC: { + std::cout << "node addr: " << &node << "\n" + << "cm addr: " << &cm << "\n" + << "grpc cm addr: " << &cm.grpcAsyncClientManager() << std::endl; result.reset(new GrpcSubscriptionImpl( node, Config::Utility::factoryForGrpcApiConfigSource(cm.grpcAsyncClientManager(), diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index 4b1ea32ee27b..dfa698ae5d1e 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD @@ -32,6 +32,7 @@ envoy_cc_test( ], deps = [ "//source/common/secret:sds_api_lib", + "//test/mocks/grpc:grpc_mocks", "//test/mocks/server:server_mocks", "//test/test_common:environment_lib", "//test/test_common:registry_lib", diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index 0ceb09e10ee5..e81b9b5df684 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc 
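Review bot: The `std::cout << "node addr: " << &node ...` block added to the GRPC case of `SubscriptionFactory` is debugging output left in production code: it prints raw object addresses to stdout on every gRPC subscription created, bypassing the logging framework and leaking process layout into whatever captures stdout. It is removed again in PATCH 23 of this series, so the two changes should be squashed so the intermediate commit never ships it. The enclosing `switch` continues outside the hunk.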
@@ -5,6 +5,7 @@ #include "common/secret/sds_api.h" +#include "test/mocks/grpc/mocks.h" #include "test/mocks/server/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/utility.h" @@ -12,6 +13,10 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" +using ::testing::Invoke; +using ::testing::Return; +using ::testing::_; + namespace Envoy { namespace Secret { namespace { 
@@ -30,7 +35,39 @@ class MockServer : public Server::MockInstance { InitManager initmanager_; }; -class SdsApiTest : public testing::Test {}; +class SdsApiTest : public testing::Test { +public: + Grpc::MockAsyncClient* grpc_client_{new Grpc::MockAsyncClient}; + Grpc::MockAsyncClientFactory* factory_{new Grpc::MockAsyncClientFactory}; +}; + +TEST_F(SdsApiTest, BasicTest) { + ::testing::InSequence s; + Server::MockInstance server; + Upstream::ClusterManager::ClusterInfoMap cluster_map; + Upstream::MockCluster cluster; + cluster_map.emplace("foo_cluster", cluster); + EXPECT_CALL(server.cluster_manager_, clusters()).WillOnce(Return(cluster_map)); + EXPECT_CALL(server.init_manager_, registerTarget(_)); + + envoy::api::v2::core::ConfigSource config_source; + config_source.mutable_api_config_source()->set_api_type( + envoy::api::v2::core::ApiConfigSource::GRPC); + auto grpc_service = config_source.mutable_api_config_source()->add_grpc_services(); + grpc_service->mutable_envoy_grpc()->set_cluster_name("foo_cluster"); + SdsApi sds_api(server, config_source, "abc.com"); + + EXPECT_CALL(server.cluster_manager_, grpcAsyncClientManager()) + .WillRepeatedly(ReturnRef(server.cluster_manager_.async_client_manager_)); + EXPECT_CALL(server.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _, _)) + .WillOnce(Invoke([this](const envoy::api::v2::core::GrpcService&, Stats::Scope&, bool) { + return Grpc::AsyncClientFactoryPtr{factory_}; + })); + EXPECT_CALL(*factory_, create()).WillOnce(Invoke([this] { + return Grpc::AsyncClientPtr{grpc_client_}; + })); + server.init_manager_.initialize(); +} TEST_F(SdsApiTest, SecretUpdateSuccess) { MockServer server; From 9b92600ca7a949c640b63f3e5e3f99d779413bd5 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 2 Jul 2018 10:30:48 -0700 Subject: [PATCH 23/55] Address review comments. 
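Review bot: `BasicTest` uses `ReturnRef(...)` but the previous hunk only adds `using ::testing::Invoke;`, `using ::testing::Return;` and `using ::testing::_;`, so unless `testing::ReturnRef` is visible through some other declaration this will not compile; add `using ::testing::ReturnRef;`. The fixture also allocates `grpc_client_` and `factory_` with raw `new` and only adopts them into `AsyncClientPtr`/`AsyncClientFactoryPtr` inside the `Invoke` lambdas, so any expectation failure before `create()` runs leaks both; holding them in `std::unique_ptr` members and calling `.release()` at the hand-off keeps the transfer explicit.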
Signed-off-by: JimmyCYJ --- source/common/config/subscription_factory.h | 3 -- source/common/secret/BUILD | 11 ------ source/common/secret/sds_api.cc | 1 - source/common/secret/secret_manager_impl.cc | 18 ++++++++- source/common/secret/secret_manager_util.h | 37 ------------------ source/common/ssl/context_config_impl.cc | 4 +- test/common/secret/sds_api_test.cc | 42 ++++++++------------- 7 files changed, 34 insertions(+), 82 deletions(-) delete mode 100644 source/common/secret/secret_manager_util.h diff --git a/source/common/config/subscription_factory.h b/source/common/config/subscription_factory.h index c95dc523da87..f80cc09219f6 100644 --- a/source/common/config/subscription_factory.h +++ b/source/common/config/subscription_factory.h @@ -63,9 +63,6 @@ class SubscriptionFactory { *Protobuf::DescriptorPool::generated_pool()->FindMethodByName(rest_method), stats)); break; case envoy::api::v2::core::ApiConfigSource::GRPC: { - std::cout << "node addr: " << &node << "\n" - << "cm addr: " << &cm << "\n" - << "grpc cm addr: " << &cm.grpcAsyncClientManager() << std::endl; result.reset(new GrpcSubscriptionImpl( node, Config::Utility::factoryForGrpcApiConfigSource(cm.grpcAsyncClientManager(), diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 448ebaf4a72a..722e4a773387 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -14,7 +14,6 @@ envoy_cc_library( hdrs = ["secret_manager_impl.h"], deps = [ ":sds_api_lib", - ":secret_manager_util", "//include/envoy/secret:secret_manager_interface", "//include/envoy/server:instance_interface", "//source/common/common:minimal_logger_lib", 
@@ -23,21 +22,11 @@ envoy_cc_library( ], ) -envoy_cc_library( - name = "secret_manager_util", - hdrs = ["secret_manager_util.h"], - deps = [ - "//source/common/json:json_loader_lib", - "@envoy_api//envoy/api/v2/core:config_source_cc", - ], -) - envoy_cc_library( name = "sds_api_lib", srcs = ["sds_api.cc"], hdrs = ["sds_api.h"], deps = [ - ":secret_manager_util", "//include/envoy/config:subscription_interface", "//include/envoy/server:instance_interface", "//source/common/common:minimal_logger_lib", diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index eac34fee2b03..0eb5c08c19c2 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -7,7 +7,6 @@ #include "common/config/resources.h" #include "common/config/subscription_factory.h" #include "common/protobuf/utility.h" -#include "common/secret/secret_manager_util.h" #include "common/ssl/tls_certificate_config_impl.h" namespace Envoy { diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 64211670baee..faf7ad4b80b5 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -2,11 +2,25 @@ #include "envoy/common/exception.h" -#include "common/secret/secret_manager_util.h" #include "common/ssl/tls_certificate_config_impl.h" namespace Envoy { namespace Secret { +namespace { + +std::string configSourceHash(const envoy::api::v2::core::ConfigSource& config_source) { + std::string jsonstr; + if (Protobuf::util::MessageToJsonString(config_source, &jsonstr).ok()) { + auto obj = Json::Factory::loadFromString(jsonstr); + if (obj.get() != nullptr) { + return std::to_string(obj->hash()); + } + } + throw EnvoyException( + fmt::format("Invalid ConfigSource message: {}", config_source.DebugString())); +} + +} // namespace void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secret) { switch (secret.type_case()) { 
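Review bot: The exception at the end of `configSourceHash` in the `secret_manager_impl.cc` hunk embeds `config_source.DebugString()` in its message, and a `ConfigSource` may carry gRPC credential material under its `google_grpc` service settings, so a malformed source would print that material into whatever log line or admin output reports the exception. Identifying the failing source by a non-credential field is enough for diagnosis, e.g. `throw EnvoyException("Invalid ConfigSource message for SDS secret provider");`. The hash itself is computed from a JSON re-encoding of the proto; if provider de-duplication relies on it, a comment stating that the encoding is expected to be stable across field order and default values would make the assumption explicit.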
@@ -30,7 +44,7 @@ SecretManagerImpl::findStaticTlsCertificate(const std::string& name) const { DynamicSecretProviderSharedPtr SecretManagerImpl::findOrCreateDynamicSecretProvider( const envoy::api::v2::core::ConfigSource& sds_config_source, std::string config_name) { - auto hash = SecretManagerUtil::configSourceHash(sds_config_source); + auto hash = configSourceHash(sds_config_source); std::string map_key = hash + config_name; std::unique_lock lhs(dynamic_secret_providers_mutex_); diff --git a/source/common/secret/secret_manager_util.h b/source/common/secret/secret_manager_util.h deleted file mode 100644 index 5571e2894386..000000000000 --- a/source/common/secret/secret_manager_util.h +++ /dev/null @@ -1,37 +0,0 @@ -#pragma once - -#include "envoy/api/v2/core/config_source.pb.h" - -#include "common/common/fmt.h" -#include "common/json/json_loader.h" -#include "common/protobuf/protobuf.h" - -namespace Envoy { -namespace Secret { - -class SecretManagerUtil { -public: - virtual ~SecretManagerUtil() {} - - /** - * Calculate hash code of ConfigSource. To identify the same ConfigSource, calculate the hash - * code from the ConfigSource. - * - * @param config_source envoy::api::v2::core::ConfigSource. - * @return hash code. - */ - static std::string configSourceHash(const envoy::api::v2::core::ConfigSource& config_source) { - std::string jsonstr; - if (Protobuf::util::MessageToJsonString(config_source, &jsonstr).ok()) { - auto obj = Json::Factory::loadFromString(jsonstr); - if (obj.get() != nullptr) { - return std::to_string(obj->hash()); - } - } - throw EnvoyException( - fmt::format("Invalid ConfigSource message: {}", config_source.DebugString())); - } -}; - -} // namespace Secret -} // namespace Envoy \ No newline at end of file diff --git a/source/common/ssl/context_config_impl.cc b/source/common/ssl/context_config_impl.cc index 3ced4b83a80f..1a81dc10e9ec 100644 --- a/source/common/ssl/context_config_impl.cc +++ b/source/common/ssl/context_config_impl.cc 
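Review bot: `std::string map_key = hash + config_name;` concatenates the decimal hash string directly with a caller-supplied name, so two different (config source, name) pairs can collide when the name begins with digits — hash `1` with name `23x` and hash `12` with name `3x` produce the same key — and the second caller would then be handed the first caller's `DynamicSecretProvider` and its certificate. A separator that cannot occur in a decimal hash removes the ambiguity: `std::string map_key = hash + "/" + config_name;` (a `std::pair` key would do as well). PATCH 29's rewrite of this function (`std::to_string(hash) + config_name`) keeps the same construction; `findOrCreateDynamicSecretProvider` continues past the end of this hunk.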
@@ -68,7 +68,7 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex tlsVersionFromProto(config.tls_params().tls_minimum_protocol_version(), TLS1_VERSION)), max_protocol_version_( tlsVersionFromProto(config.tls_params().tls_maximum_protocol_version(), TLS1_2_VERSION)) { - readConfig(config); + readCertChainConfig(config); if (ca_cert_.empty()) { if (!certificate_revocation_list_.empty()) { @@ -86,7 +86,7 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex } } -void ContextConfigImpl::readConfig(const envoy::api::v2::auth::CommonTlsContext& config) { +void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config) { if (!config.tls_certificates().empty()) { cert_chain_ = Config::DataSource::read(config.tls_certificates()[0].certificate_chain(), true); private_key_ = Config::DataSource::read(config.tls_certificates()[0].private_key(), true); diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index e81b9b5df684..d56588490dc4 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc 
@@ -21,33 +21,16 @@ namespace Envoy { namespace Secret { namespace { -class MockServer : public Server::MockInstance { -public: - Init::Manager& initManager() { return initmanager_; } - -private: - class InitManager : public Init::Manager { - public: - void initialize(std::function callback); - void registerTarget(Init::Target&) override {} - }; - - InitManager initmanager_; -}; - class SdsApiTest : public testing::Test { public: - Grpc::MockAsyncClient* grpc_client_{new Grpc::MockAsyncClient}; - Grpc::MockAsyncClientFactory* factory_{new Grpc::MockAsyncClientFactory}; }; TEST_F(SdsApiTest, BasicTest) { ::testing::InSequence s; - Server::MockInstance server; + NiceMock server; Upstream::ClusterManager::ClusterInfoMap cluster_map; Upstream::MockCluster cluster; cluster_map.emplace("foo_cluster", cluster); - EXPECT_CALL(server.cluster_manager_, clusters()).WillOnce(Return(cluster_map)); EXPECT_CALL(server.init_manager_, registerTarget(_)); envoy::api::v2::core::ConfigSource config_source; 
@@ -57,21 +40,25 @@ TEST_F(SdsApiTest, BasicTest) { grpc_service->mutable_envoy_grpc()->set_cluster_name("foo_cluster"); SdsApi sds_api(server, config_source, "abc.com"); + EXPECT_CALL(server.cluster_manager_, clusters()).WillOnce(Return(cluster_map)); + Grpc::MockAsyncClient* grpc_client{new Grpc::MockAsyncClient}; + Grpc::MockAsyncClientFactory* factory{new Grpc::MockAsyncClientFactory}; EXPECT_CALL(server.cluster_manager_, grpcAsyncClientManager()) .WillRepeatedly(ReturnRef(server.cluster_manager_.async_client_manager_)); EXPECT_CALL(server.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _, _)) - .WillOnce(Invoke([this](const envoy::api::v2::core::GrpcService&, Stats::Scope&, bool) { - return Grpc::AsyncClientFactoryPtr{factory_}; + .WillOnce(Invoke([factory](const envoy::api::v2::core::GrpcService&, Stats::Scope&, bool) { + return Grpc::AsyncClientFactoryPtr{factory}; })); - EXPECT_CALL(*factory_, create()).WillOnce(Invoke([this] { - return Grpc::AsyncClientPtr{grpc_client_}; + EXPECT_CALL(*factory, create()).WillOnce(Invoke([grpc_client] { + return Grpc::AsyncClientPtr{grpc_client}; })); server.init_manager_.initialize(); } TEST_F(SdsApiTest, SecretUpdateSuccess) { - MockServer server; + Server::MockInstance server; envoy::api::v2::core::ConfigSource config_source; + EXPECT_CALL(server, initManager()); SdsApi sds_api(server, config_source, "abc.com"); std::string yaml = @@ -99,8 +86,9 @@ TEST_F(SdsApiTest, SecretUpdateSuccess) { } TEST_F(SdsApiTest, EmptyResource) { - MockServer server; + Server::MockInstance server; envoy::api::v2::core::ConfigSource config_source; + EXPECT_CALL(server, initManager()); SdsApi sds_api(server, config_source, "abc.com"); Protobuf::RepeatedPtrField secret_resources; 
@@ -109,8 +97,9 @@ TEST_F(SdsApiTest, EmptyResource) { } TEST_F(SdsApiTest, SecretUpdateWrongSize) { - MockServer server; + Server::MockInstance server; envoy::api::v2::core::ConfigSource config_source; + EXPECT_CALL(server, initManager()); SdsApi sds_api(server, config_source, "abc.com"); std::string yaml = @@ -134,8 +123,9 @@ TEST_F(SdsApiTest, SecretUpdateWrongSize) { } TEST_F(SdsApiTest, SecretUpdateWrongSecretName) { - MockServer server; + Server::MockInstance server; envoy::api::v2::core::ConfigSource config_source; + EXPECT_CALL(server, initManager()); SdsApi sds_api(server, config_source, "abc.com"); std::string yaml = From ffa38aee7b0b67a6b64e3b19884e451eb07bce4b Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 2 Jul 2018 10:59:27 -0700 Subject: [PATCH 24/55] Update test. Signed-off-by: JimmyCYJ --- test/common/secret/sds_api_test.cc | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index d56588490dc4..96b3cb7c2e2d 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc 
@@ -28,19 +28,17 @@ class SdsApiTest : public testing::Test { TEST_F(SdsApiTest, BasicTest) { ::testing::InSequence s; NiceMock server; - Upstream::ClusterManager::ClusterInfoMap cluster_map; - Upstream::MockCluster cluster; - cluster_map.emplace("foo_cluster", cluster); EXPECT_CALL(server.init_manager_, registerTarget(_)); envoy::api::v2::core::ConfigSource config_source; config_source.mutable_api_config_source()->set_api_type( envoy::api::v2::core::ApiConfigSource::GRPC); auto grpc_service = config_source.mutable_api_config_source()->add_grpc_services(); - grpc_service->mutable_envoy_grpc()->set_cluster_name("foo_cluster"); + auto google_grpc = grpc_service->mutable_google_grpc(); + google_grpc->set_target_uri("fake_address"); + google_grpc->set_stat_prefix("test"); SdsApi sds_api(server, config_source, "abc.com"); - EXPECT_CALL(server.cluster_manager_, clusters()).WillOnce(Return(cluster_map)); Grpc::MockAsyncClient* grpc_client{new Grpc::MockAsyncClient}; Grpc::MockAsyncClientFactory* factory{new Grpc::MockAsyncClientFactory}; EXPECT_CALL(server.cluster_manager_, grpcAsyncClientManager()) From 23c06190c6a2af2c9648e9876cea82bcca4c1190 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 2 Jul 2018 15:26:21 -0700 Subject: [PATCH 25/55] Update test. Signed-off-by: JimmyCYJ --- test/common/secret/BUILD | 1 + test/common/secret/sds_api_test.cc | 20 +++++++++++++------- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index dfa698ae5d1e..e99de86ba6b0 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD @@ -37,5 +37,6 @@ envoy_cc_test( "//test/test_common:environment_lib", "//test/test_common:registry_lib", "//test/test_common:utility_lib", + "@envoy_api//envoy/service/discovery/v2:sds_cc", ], ) diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index 96b3cb7c2e2d..e24044e72e54 100644 --- a/test/common/secret/sds_api_test.cc 
+++ b/test/common/secret/sds_api_test.cc @@ -2,6 +2,7 @@ #include "envoy/api/v2/auth/cert.pb.h" #include "envoy/common/exception.h" +#include "envoy/service/discovery/v2/sds.pb.h" #include "common/secret/sds_api.h" @@ -21,12 +22,11 @@ namespace Envoy { namespace Secret { namespace { -class SdsApiTest : public testing::Test { -public: -}; +class SdsApiTest : public testing::Test {}; TEST_F(SdsApiTest, BasicTest) { ::testing::InSequence s; + const envoy::service::discovery::v2::SdsDummy dummy; NiceMock server; EXPECT_CALL(server.init_manager_, registerTarget(_)); @@ -39,10 +39,8 @@ TEST_F(SdsApiTest, BasicTest) { google_grpc->set_stat_prefix("test"); SdsApi sds_api(server, config_source, "abc.com"); - Grpc::MockAsyncClient* grpc_client{new Grpc::MockAsyncClient}; - Grpc::MockAsyncClientFactory* factory{new Grpc::MockAsyncClientFactory}; - EXPECT_CALL(server.cluster_manager_, grpcAsyncClientManager()) - .WillRepeatedly(ReturnRef(server.cluster_manager_.async_client_manager_)); + NiceMock* grpc_client{new NiceMock()}; + NiceMock* factory{new NiceMock()}; EXPECT_CALL(server.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _, _)) .WillOnce(Invoke([factory](const envoy::api::v2::core::GrpcService&, Stats::Scope&, bool) { return Grpc::AsyncClientFactoryPtr{factory}; @@ -50,6 +48,14 @@ TEST_F(SdsApiTest, BasicTest) { EXPECT_CALL(*factory, create()).WillOnce(Invoke([grpc_client] { return Grpc::AsyncClientPtr{grpc_client}; })); + NiceMock async_stream; + EXPECT_CALL(*grpc_client, start(_, _)).WillOnce(Return(&async_stream)); + envoy::api::v2::DiscoveryRequest expected_request; + expected_request.mutable_node()->CopyFrom(server.local_info_.node_); + expected_request.add_resource_names("abc.com"); + expected_request.set_type_url(Config::TypeUrl::get().Secret); + EXPECT_CALL(async_stream, sendMessage(ProtoEq(expected_request), _)); + EXPECT_CALL(server.init_manager_.initialized_, ready()); server.init_manager_.initialize(); } 
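Review bot: `const envoy::service::discovery::v2::SdsDummy dummy;` at the top of `BasicTest` is never used and nothing says why it is there; presumably it forces the SDS service protos to be linked so the `Secret` type URL resolves, which a comment should state, e.g. `// Unused; forces the SDS service protos to be linked into the test binary.` (adjust if the reason differs). The `expected_request` block added at the end of the same hunk is a good check that `resource_names` and `type_url` match the configured secret, and is worth keeping even as the test evolves.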
From 22f666f70f917a5cae185b9983962e26cfbfc75e Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 2 Jul 2018 16:43:35 -0700 Subject: [PATCH 26/55] Fix compile issue. Signed-off-by: JimmyCYJ --- source/common/ssl/context_config_impl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index 262488518a19..bc128a4abbbd 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -71,7 +71,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { static unsigned tlsVersionFromProto(const envoy::api::v2::auth::TlsParameters_TlsProtocol& version, unsigned default_version); - void readConfig(const envoy::api::v2::auth::CommonTlsContext& config); + void readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config); static const std::string DEFAULT_CIPHER_SUITES; static const std::string DEFAULT_ECDH_CURVES; From 424fe4c41afb9b683350e0ef15d16f0ceb025b52 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 2 Jul 2018 17:51:39 -0700 Subject: [PATCH 27/55] Update test. Signed-off-by: JimmyCYJ --- test/common/secret/sds_api_test.cc | 7 ------- 1 file changed, 7 deletions(-) diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index e24044e72e54..10e5f837da7e 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc 
@@ -48,13 +48,6 @@ TEST_F(SdsApiTest, BasicTest) { EXPECT_CALL(*factory, create()).WillOnce(Invoke([grpc_client] { return Grpc::AsyncClientPtr{grpc_client}; })); - NiceMock async_stream; - EXPECT_CALL(*grpc_client, start(_, _)).WillOnce(Return(&async_stream)); - envoy::api::v2::DiscoveryRequest expected_request; - expected_request.mutable_node()->CopyFrom(server.local_info_.node_); - expected_request.add_resource_names("abc.com"); - expected_request.set_type_url(Config::TypeUrl::get().Secret); - EXPECT_CALL(async_stream, sendMessage(ProtoEq(expected_request), _)); EXPECT_CALL(server.init_manager_.initialized_, ready()); server.init_manager_.initialize(); } From 52e49355de0de27b4bbe8ab726a80e7782df1b06 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 2 Jul 2018 18:43:42 -0700 Subject: [PATCH 28/55] Update test. Signed-off-by: JimmyCYJ --- test/common/secret/secret_manager_impl_test.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index 95b5f95daa45..e559b20f4753 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -24,7 +24,6 @@ class MockServer : public Server::MockInstance { private: class InitManager : public Init::Manager { public: - void initialize(std::function callback); void registerTarget(Init::Target&) override {} }; From bab80a689f0f1ff203316b03220a648170682e26 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 3 Jul 2018 16:06:32 -0700 Subject: [PATCH 29/55] Revise per comments. 
Signed-off-by: JimmyCYJ --- .../envoy/secret/dynamic_secret_provider.h | 9 ++++-- include/envoy/secret/secret_manager.h | 8 ++--- include/envoy/ssl/context_config.h | 10 ------- source/common/secret/BUILD | 1 + source/common/secret/sds_api.h | 6 ++-- source/common/secret/secret_manager_impl.cc | 30 +++++-------------- source/common/secret/secret_manager_impl.h | 10 +++---- source/common/ssl/context_config_impl.cc | 4 +-- source/common/ssl/context_config_impl.h | 11 +------ .../common/secret/secret_manager_impl_test.cc | 4 +-- test/common/ssl/context_impl_test.cc | 26 ---------------- test/mocks/secret/mocks.h | 14 ++++----- 12 files changed, 36 insertions(+), 97 deletions(-) diff --git a/include/envoy/secret/dynamic_secret_provider.h b/include/envoy/secret/dynamic_secret_provider.h index 99f0a11db085..a3ccd2c772f5 100644 --- a/include/envoy/secret/dynamic_secret_provider.h +++ b/include/envoy/secret/dynamic_secret_provider.h @@ -9,10 +9,12 @@ namespace Secret { /** * An interface to fetch dynamic secret. + * + * TODO(JimmyCYJ): Support other types of secrets. */ -class DynamicSecretProvider { +class DynamicTlsCertificateSecretProvider { public: - virtual ~DynamicSecretProvider() {} + virtual ~DynamicTlsCertificateSecretProvider() {} /** * @return the TlsCertificate secret. Returns nullptr if the secret is not found. @@ -20,7 +22,8 @@ class DynamicSecretProvider { virtual const Ssl::TlsCertificateConfig* secret() const PURE; }; -typedef std::shared_ptr DynamicSecretProviderSharedPtr; +typedef std::shared_ptr + DynamicTlsCertificateSecretProviderSharedPtr; } // namespace Secret } // namespace Envoy \ No newline at end of file diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index 2352b50a572f..102f0fd7c924 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h 
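Review bot: `secret()` on the renamed `DynamicTlsCertificateSecretProvider` returns a raw `const Ssl::TlsCertificateConfig*` from a provider that is refreshed asynchronously by SDS, and the interface says nothing about how long that pointer stays valid; `SdsApi::secret()` in this patch's `sds_api.h` hunk returns `tls_certificate_secrets_.get()`, so if an update replaces that member, a caller that cached the pointer would be left holding a freed certificate config. The doc comment should state the contract, for example `@return the TlsCertificate secret, or nullptr if not yet fetched. The pointer is only valid until the next secret update; callers must not retain it.` — or the method should return a shared pointer if retention across updates is intended.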
@@ -35,11 +35,11 @@ class SecretManager { * * @param config_source a protobuf message object contains SDS config source. * @param config_name a name that uniquely refers to the SDS config source - * @return the dynamic secret provider. + * @return the dynamic tls certificate secret provider. */ - virtual DynamicSecretProviderSharedPtr - findOrCreateDynamicSecretProvider(const envoy::api::v2::core::ConfigSource& config_source, - std::string config_name) PURE; + virtual DynamicTlsCertificateSecretProviderSharedPtr + findOrCreateDynamicTlsCertificateSecretProvider( + const envoy::api::v2::core::ConfigSource& config_source, std::string config_name) PURE; }; } // namespace Secret diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index a75bdd169690..e52bfcb7b9f4 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -112,16 +112,6 @@ class ContextConfig { * @return The maximum TLS protocol version to negotiate. */ virtual unsigned maxProtocolVersion() const PURE; - - /** - * @return true of the config is valid. - */ - virtual bool isValid() const PURE; - - /** - * @return the DynamicSecretProvider object. - */ - virtual Secret::DynamicSecretProvider* getDynamicSecretProvider() const PURE; }; class ClientContextConfig : public virtual ContextConfig { diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 722e4a773387..343ed17c9e05 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -32,6 +32,7 @@ envoy_cc_library( "//source/common/common:minimal_logger_lib", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", + "//source/common/protobuf:utility_lib", "//source/common/ssl:tls_certificate_config_impl_lib", ], ) diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 4dee7c14ebaf..34b76ebb2d12 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h 
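Review bot: With `isValid()` and `getDynamicSecretProvider()` removed from `ContextConfig` in the `context_config.h` hunk, nothing on the interface tells a consumer whether an SDS-backed config has received its certificate yet; the `context_impl_test.cc` hunks in this same patch show `certChain()` and `privateKey()` returning `""` in that state, so a TLS context built from such a config would have no certificate unless something outside this diff defers context creation until the secret arrives. If that deferral exists, the comments on `certChain()`/`privateKey()` should say that they may be empty until the dynamic secret is delivered; if it does not, keeping a readiness query is the safer option. The `context_config_impl.h` hunk removing the implementations shares this point.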
@@ -14,7 +14,7 @@ namespace Secret { * SDS API implementation that fetches secrets from SDS server via Subscription. */ class SdsApi : public Init::Target, - public DynamicSecretProvider, + public DynamicTlsCertificateSecretProvider, public Config::SubscriptionCallbacks, public Logger::Loggable { public: @@ -31,7 +31,7 @@ class SdsApi : public Init::Target, return MessageUtil::anyConvert(resource).name(); } - // DynamicSecretProvider + // DynamicTlsCertificateSecretProvider const Ssl::TlsCertificateConfig* secret() const override { return tls_certificate_secrets_.get(); } @@ -43,7 +43,7 @@ class SdsApi : public Init::Target, const envoy::api::v2::core::ConfigSource sds_config_; std::unique_ptr> subscription_; std::function initialize_callback_; - std::string sds_config_name_; + const std::string sds_config_name_; uint64_t secret_hash_; Ssl::TlsCertificateConfigPtr tls_certificate_secrets_; diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index faf7ad4b80b5..93e81567f293 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc 
@@ -2,33 +2,19 @@ #include "envoy/common/exception.h" +#include "common/protobuf/utility.h" #include "common/ssl/tls_certificate_config_impl.h" namespace Envoy { namespace Secret { -namespace { - -std::string configSourceHash(const envoy::api::v2::core::ConfigSource& config_source) { - std::string jsonstr; - if (Protobuf::util::MessageToJsonString(config_source, &jsonstr).ok()) { - auto obj = Json::Factory::loadFromString(jsonstr); - if (obj.get() != nullptr) { - return std::to_string(obj->hash()); - } - } - throw EnvoyException( - fmt::format("Invalid ConfigSource message: {}", config_source.DebugString())); -} - -} // namespace void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secret) { switch (secret.type_case()) { case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate: { - std::unique_lock lhs(static_tls_certificate_secrets_mutex_); static_tls_certificate_secrets_[secret.name()] = std::make_unique(secret.tls_certificate()); - } break; + break; + } default: throw EnvoyException("Secret type not implemented"); } 
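Review bot: `static_tls_certificate_secrets_[secret.name()] = ...` in `addStaticSecret` silently replaces an existing entry, so a bootstrap that lists the same secret name twice serves whichever certificate came last with no error. Inserting with `emplace` and rejecting a duplicate makes the misconfiguration visible: `auto inserted = static_tls_certificate_secrets_.emplace(secret.name(), /* the same make_unique call */);` followed by `if (!inserted.second) { throw EnvoyException(fmt::format("Duplicate static secret: {}", secret.name())); }`. The removal of the `std::unique_lock` here is fine if static secrets are only registered from the main thread, but that assumption is now invisible and deserves a one-line comment on the method.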
@@ -36,18 +22,16 @@ void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secr const Ssl::TlsCertificateConfig* SecretManagerImpl::findStaticTlsCertificate(const std::string& name) const { - std::shared_lock lhs(static_tls_certificate_secrets_mutex_); - auto secret = static_tls_certificate_secrets_.find(name); return (secret != static_tls_certificate_secrets_.end()) ? secret->second.get() : nullptr; } -DynamicSecretProviderSharedPtr SecretManagerImpl::findOrCreateDynamicSecretProvider( +DynamicTlsCertificateSecretProviderSharedPtr +SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( const envoy::api::v2::core::ConfigSource& sds_config_source, std::string config_name) { - auto hash = configSourceHash(sds_config_source); - std::string map_key = hash + config_name; + auto hash = MessageUtil::hash(sds_config_source); + std::string map_key = std::to_string(hash) + config_name; - std::unique_lock lhs(dynamic_secret_providers_mutex_); auto dynamic_secret_provider = dynamic_secret_providers_[map_key].lock(); if (!dynamic_secret_provider) { dynamic_secret_provider = std::make_shared(server_, sds_config_source, config_name); diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 3e1b1ad89923..ec7785d12603 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -20,20 +20,18 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable static_tls_certificate_secrets_; - mutable std::shared_timed_mutex static_tls_certificate_secrets_mutex_; // map hash code of SDS config source and SdsApi object. - std::unordered_map> dynamic_secret_providers_; - mutable std::shared_timed_mutex dynamic_secret_providers_mutex_; + std::unordered_map> + dynamic_secret_providers_; }; } // namespace Secret diff --git a/source/common/ssl/context_config_impl.cc b/source/common/ssl/context_config_impl.cc index 1a81dc10e9ec..e3897b95b3ba 100644 
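Review bot: `dynamic_secret_providers_[map_key].lock()` inserts an entry on every lookup and nothing visible erases an entry whose `SdsApi` has since been destroyed, so the map keeps one expired `weak_ptr` per distinct source/name pair that was ever created and dropped. Looking up with `find` and erasing an expired entry before creating the replacement provider keeps it bounded; `findOrCreateDynamicTlsCertificateSecretProvider` continues past the end of this hunk. Dropping both `shared_timed_mutex` members in the `secret_manager_impl.h` hunk is reasonable if the maps are only touched from the main thread, but a comment on the members such as `// Accessed only from the main thread; no locking.` would record the assumption. The map-key concatenation issue is raised at the earlier `@@ -30,7 +44,7 @@` hunk.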
--- a/source/common/ssl/context_config_impl.cc +++ b/source/common/ssl/context_config_impl.cc @@ -16,8 +16,6 @@ namespace Envoy { namespace Ssl { -namespace {} // namespace - const std::string ContextConfigImpl::DEFAULT_CIPHER_SUITES = "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:" "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:" @@ -105,7 +103,7 @@ void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTl throw EnvoyException(fmt::format("Unknown static secret: {}", secret_name)); } } else { - secret_provider_ = secret_manager_.findOrCreateDynamicSecretProvider( + secret_provider_ = secret_manager_.findOrCreateDynamicTlsCertificateSecretProvider( config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name); return; } diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index bc128a4abbbd..fa70ccde2a05 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -54,15 +54,6 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { unsigned minProtocolVersion() const override { return min_protocol_version_; }; unsigned maxProtocolVersion() const override { return max_protocol_version_; }; - bool isValid() const override { - // either secret_provider_ is nullptr or secret_provider_->secret() is NOT nullptr. - return !secret_provider_ || secret_provider_->secret(); - } - - Secret::DynamicSecretProvider* getDynamicSecretProvider() const override { - return secret_provider_.get(); - } - protected: ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, Secret::SecretManager& secret_manager); 
@@ -77,7 +68,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { static const std::string DEFAULT_ECDH_CURVES; Secret::SecretManager& secret_manager_; - Secret::DynamicSecretProviderSharedPtr secret_provider_; + Secret::DynamicTlsCertificateSecretProviderSharedPtr secret_provider_; std::string cert_chain_; std::string private_key_; const std::string alpn_protocols_; diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index e559b20f4753..47f1a523bf42 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -67,8 +67,8 @@ name: "abc.com" TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { MockServer server; envoy::api::v2::core::ConfigSource config_source; - auto secret_provider = - server.secretManager().findOrCreateDynamicSecretProvider(config_source, "abc.com"); + auto secret_provider = server.secretManager().findOrCreateDynamicTlsCertificateSecretProvider( + config_source, "abc.com"); std::string yaml = R"EOF( diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index a8a948d5bd7b..d69c7209c8eb 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -448,8 +448,6 @@ TEST(ClientContextConfigImplTest, SdsConfig) { sds_secret_configs->mutable_sds_config(); ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); - // When sds secret is not downloaded, config is not valid. - EXPECT_FALSE(client_context_config.isValid()); EXPECT_EQ("", client_context_config.certChain()); EXPECT_EQ("", client_context_config.privateKey()); 
@@ -466,17 +464,6 @@ TEST(ClientContextConfigImplTest, SdsConfig) { Protobuf::RepeatedPtrField secret_resources; auto secret_config = secret_resources.Add(); MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); - static_cast(client_context_config.getDynamicSecretProvider()) - ->onConfigUpdate(secret_resources, ""); - - // When sds secret is downloaded, config is valid. - EXPECT_TRUE(client_context_config.isValid()); - const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; - EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - client_context_config.certChain()); - const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; - EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - client_context_config.privateKey()); } TEST(ClientContextConfigImplTest, StaticTlsCertificates) { @@ -580,8 +567,6 @@ TEST(ServerContextConfigImplTest, SdsConfig) { sds_secret_configs->mutable_sds_config(); ServerContextConfigImpl server_context_config(tls_context, server.secretManager()); - // When sds secret is not downloaded, config is not valid. - EXPECT_FALSE(server_context_config.isValid()); EXPECT_EQ("", server_context_config.certChain()); EXPECT_EQ("", server_context_config.privateKey()); 
@@ -598,17 +583,6 @@ TEST(ServerContextConfigImplTest, SdsConfig) { Protobuf::RepeatedPtrField secret_resources; auto secret_config = secret_resources.Add(); MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); - static_cast(server_context_config.getDynamicSecretProvider()) - ->onConfigUpdate(secret_resources, ""); - - // When sds secret is downloaded, config is valid. - EXPECT_TRUE(server_context_config.isValid()); - const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; - EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - server_context_config.certChain()); - const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; - EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - server_context_config.privateKey()); } // TlsCertificate messages must have a cert for servers. diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index 0c6b6a02fbfa..e8213fbb85ad 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h 
@@ -16,16 +16,16 @@ class MockSecretManager : public SecretManager { MOCK_METHOD1(addStaticSecret, void(const envoy::api::v2::auth::Secret& secret)); MOCK_CONST_METHOD1(findStaticTlsCertificate, Ssl::TlsCertificateConfig*(const std::string& name)); - MOCK_METHOD2( - findOrCreateDynamicSecretProvider, - DynamicSecretProviderSharedPtr(const envoy::api::v2::core::ConfigSource& config_source, - std::string config_name)); + MOCK_METHOD2(findOrCreateDynamicTlsCertificateSecretProvider, + DynamicTlsCertificateSecretProviderSharedPtr( + const envoy::api::v2::core::ConfigSource& config_source, + std::string config_name)); }; -class MockDynamicSecretProvider : public DynamicSecretProvider { +class MockDynamicTlsCertificateSecretProvider : public DynamicTlsCertificateSecretProvider { public: - MockDynamicSecretProvider(); - ~MockDynamicSecretProvider(); + MockDynamicTlsCertificateSecretProvider(); + ~MockDynamicTlsCertificateSecretProvider(); MOCK_CONST_METHOD0(secret, const Ssl::TlsCertificateConfig*()); }; From 88bccd3131a81878220f8ebbb44b79206a54aa85 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 3 Jul 2018 17:16:27 -0700 Subject: [PATCH 30/55] initialize SdsApi::secret_hash_ Signed-off-by: JimmyCYJ --- source/common/secret/sds_api.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 0eb5c08c19c2..9d6461f2d97d 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -14,7 +14,7 @@ namespace Secret { SdsApi::SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) - : server_(server), sds_config_(sds_config), sds_config_name_(sds_config_name) { + : server_(server), sds_config_(sds_config), sds_config_name_(sds_config_name), secret_hash_(0) { server_.initManager().registerTarget(*this); } From c2a3896628391bdae845d0d61ed82206e77492b6 Mon Sep 17 00:00:00 2001 
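Review bot: `secret_hash_(0)` in the `sds_api.cc` hunk fixes the uninitialised member, but the header already declares `uint64_t secret_hash_;` (visible in PATCH 29's `sds_api.h` hunk), and an in-class initializer `uint64_t secret_hash_{0};` there keeps the default next to the declaration and covers any constructor added later. The initializer list is the only change in this hunk; the rest of `SdsApi` is outside it.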
From: JimmyCYJ Date: Thu, 5 Jul 2018 19:25:20 -0700 Subject: [PATCH 31/55] Revise per comments. Signed-off-by: JimmyCYJ --- include/envoy/secret/secret_manager.h | 2 +- include/envoy/ssl/context_config.h | 1 - source/common/secret/secret_manager_impl.cc | 2 +- source/common/secret/secret_manager_impl.h | 4 ++-- 4 files changed, 4 insertions(+), 5 deletions(-) diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index 102f0fd7c924..9194a9bc6644 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h @@ -39,7 +39,7 @@ class SecretManager { */ virtual DynamicTlsCertificateSecretProviderSharedPtr findOrCreateDynamicTlsCertificateSecretProvider( - const envoy::api::v2::core::ConfigSource& config_source, std::string config_name) PURE; + const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name) PURE; }; } // namespace Secret diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index e52bfcb7b9f4..a56a89e903e6 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -5,7 +5,6 @@ #include #include "envoy/common/pure.h" -#include "envoy/secret/dynamic_secret_provider.h" namespace Envoy { namespace Ssl { diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 93e81567f293..6bb4e0d61706 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc 
@@ -28,7 +28,7 @@ SecretManagerImpl::findStaticTlsCertificate(const std::string& name) const { DynamicTlsCertificateSecretProviderSharedPtr SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( - const envoy::api::v2::core::ConfigSource& sds_config_source, std::string config_name) { + const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name) { auto hash = MessageUtil::hash(sds_config_source); std::string map_key = std::to_string(hash) + config_name; diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index ec7785d12603..7cc53bcb0049 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -1,6 +1,5 @@ #pragma once -#include #include #include "envoy/secret/secret_manager.h" @@ -21,7 +20,8 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable Date: Fri, 6 Jul 2018 09:58:11 -0700 Subject: [PATCH 32/55] Fix mock class Signed-off-by: JimmyCYJ --- test/mocks/secret/mocks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index e8213fbb85ad..9a2acffd9a6a 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h @@ -19,7 +19,7 @@ class MockSecretManager : public SecretManager { MOCK_METHOD2(findOrCreateDynamicTlsCertificateSecretProvider, DynamicTlsCertificateSecretProviderSharedPtr( const envoy::api::v2::core::ConfigSource& config_source, - std::string config_name)); + const std::string& config_name)); }; class MockDynamicTlsCertificateSecretProvider : public DynamicTlsCertificateSecretProvider { From ecaa20197564d10f3cb848e93a08d9487f97f3f9 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Sat, 7 Jul 2018 23:45:22 -0700 Subject: [PATCH 33/55] Add init manager into ClusterImplBase 
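Review bot: `std::string map_key = std::to_string(hash) + config_name;` in findOrCreateDynamicTlsCertificateSecretProvider is not an injective key: the decimal hash and the secret name are concatenated with no separator, so two distinct (config_source, config_name) pairs whose hash digits and name prefix overlap (constructed example: hash `12` + name `3abc` versus hash `123` + name `abc`) produce the same key, and the second caller would silently receive the first caller's provider and therefore its TLS certificate. Use a delimiter that cannot occur in the hash, `std::string map_key = std::to_string(hash) + "/" + config_name;`, or key the map on a `std::pair<uint64_t, std::string>`. The same line is carried unchanged into the PATCH 33 version of this function (the secret_manager_impl.cc hunk a few lines below). The hunk ends before the function's return, so the rest of the body is not visible here.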
Signed-off-by: JimmyCYJ --- include/envoy/secret/BUILD | 1 + include/envoy/secret/secret_manager.h | 4 +- include/envoy/server/BUILD | 1 + .../envoy/server/transport_socket_config.h | 6 ++ source/common/secret/BUILD | 1 + source/common/secret/sds_api.cc | 4 +- source/common/secret/sds_api.h | 3 +- source/common/secret/secret_manager_impl.cc | 5 +- source/common/secret/secret_manager_impl.h | 3 +- source/common/ssl/BUILD | 1 + source/common/ssl/context_config_impl.cc | 28 +++++--- source/common/ssl/context_config_impl.h | 17 +++-- source/common/upstream/BUILD | 2 + source/common/upstream/upstream_impl.cc | 10 ++- source/common/upstream/upstream_impl.h | 12 +++- .../transport_sockets/ssl/config.cc | 6 +- .../grpc_client_integration_test_harness.h | 5 +- test/common/secret/BUILD | 1 + test/common/secret/sds_api_test.cc | 26 +++---- .../common/secret/secret_manager_impl_test.cc | 3 +- test/common/ssl/context_impl_test.cc | 67 ++++++++++++------- test/common/ssl/ssl_certs_test.h | 1 + test/common/ssl/ssl_socket_test.cc | 39 ++++++----- test/integration/BUILD | 1 + test/integration/ads_integration_test.cc | 4 +- test/integration/ssl_utility.cc | 3 +- test/integration/xfcc_integration_test.cc | 4 +- test/integration/xfcc_integration_test.h | 1 + test/mocks/secret/mocks.h | 5 +- test/mocks/server/mocks.h | 1 + 30 files changed, 171 insertions(+), 94 deletions(-) diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD index d430aeddafc4..3ed2eeb4e374 100644 --- a/include/envoy/secret/BUILD +++ b/include/envoy/secret/BUILD @@ -23,5 +23,6 @@ envoy_cc_library( ":dynamic_secret_provider_interface", "@envoy_api//envoy/api/v2/auth:cert_cc", "@envoy_api//envoy/api/v2/core:config_source_cc", + "//include/envoy/init:init_interface", ], ) diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index 9194a9bc6644..d76578667fad 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h 
@@ -3,6 +3,7 @@ #include #include "envoy/api/v2/auth/cert.pb.h" +#include "envoy/init/init.h" #include "envoy/secret/dynamic_secret_provider.h" #include "envoy/ssl/tls_certificate_config.h" @@ -39,7 +40,8 @@ class SecretManager { */ virtual DynamicTlsCertificateSecretProviderSharedPtr findOrCreateDynamicTlsCertificateSecretProvider( - const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name) PURE; + const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name, + Init::Manager& init_manager) PURE; }; } // namespace Secret diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD index fae78b50ab2a..2a2a02ed3df1 100644 --- a/include/envoy/server/BUILD +++ b/include/envoy/server/BUILD @@ -174,6 +174,7 @@ envoy_cc_library( name = "transport_socket_config_interface", hdrs = ["transport_socket_config.h"], deps = [ + "//include/envoy/init:init_interface", "//include/envoy/network:transport_socket_interface", "//include/envoy/secret:secret_manager_interface", "//include/envoy/ssl:context_manager_interface", diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h index 4e85386cb16d..3f59e5e67baa 100644 --- a/include/envoy/server/transport_socket_config.h +++ b/include/envoy/server/transport_socket_config.h @@ -2,6 +2,7 @@ #include +#include "envoy/init/init.h" #include "envoy/network/transport_socket.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_manager.h" @@ -33,6 +34,11 @@ class TransportSocketFactoryContext { * Return the instance of secret manager. */ virtual Secret::SecretManager& secretManager() PURE; + + /** + * Return the instance of init manager. + */ + virtual Init::Manager& initManager() PURE; }; class TransportSocketConfigFactory { diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 343ed17c9e05..e0d275a81e93 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD 
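Review bot: The new `Init::Manager& init_manager` parameter on findOrCreateDynamicTlsCertificateSecretProvider is undocumented although the `*/` directly above the signature shows the method already carries a doc comment; add a line such as `* @param init_manager the init manager the created SDS provider registers itself with as an Init::Target; it must outlive that registration.` Because the provider is cached and shared by later callers with the same config source and name (per the impl hunk in this patch), the comment should also state that only the caller that triggers creation has its init manager receive the target, if that is the intended behavior — confirm against the impl. The same gap exists on the new `initManager()` accessor in transport_socket_config.h in the next hunk, whose comment should say whose init manager is returned (the owning cluster's or listener's) and that SDS providers register with it.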
@@ -29,6 +29,7 @@ envoy_cc_library( deps = [ "//include/envoy/config:subscription_interface", "//include/envoy/server:instance_interface", + "//include/envoy/init:init_interface", "//source/common/common:minimal_logger_lib", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 9d6461f2d97d..efcd9c53c5bf 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -12,10 +12,10 @@ namespace Envoy { namespace Secret { -SdsApi::SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, +SdsApi::SdsApi(Server::Instance& server, Init::Manager& init_manager, const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) : server_(server), sds_config_(sds_config), sds_config_name_(sds_config_name), secret_hash_(0) { - server_.initManager().registerTarget(*this); + init_manager.registerTarget(*this); } void SdsApi::initialize(std::function callback) { diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 34b76ebb2d12..888000237a32 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -5,6 +5,7 @@ #include "envoy/api/v2/auth/cert.pb.h" #include "envoy/api/v2/core/config_source.pb.h" #include "envoy/config/subscription.h" +#include "envoy/init/init.h" #include "envoy/server/instance.h" namespace Envoy { @@ -18,7 +19,7 @@ class SdsApi : public Init::Target, public Config::SubscriptionCallbacks, public Logger::Loggable { public: - SdsApi(Server::Instance& server, const envoy::api::v2::core::ConfigSource& sds_config, + SdsApi(Server::Instance& server, Init::Manager& init_manager, const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name); // Init::Target diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 6bb4e0d61706..b51e37ee2f9a 100644 
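Review bot: The rewritten `SdsApi::SdsApi(Server::Instance& server, Init::Manager& init_manager, const envoy::api::v2::core::ConfigSource& sds_config,` line in sds_api.cc (and its twin in the sds_api.h hunk that follows) runs well past the column width the surrounding parameter lists are wrapped to; run clang-format so the parameters wrap as before. On substance, `init_manager.registerTarget(*this)` hands a reference to this object to a manager the SdsApi neither owns nor retains, so the header should spell out the lifetime contract: the SdsApi must remain alive until that manager has run `initialize()`, and the manager must not outlive the target without unregistering it (assuming Init::Manager keeps raw references, which the visible code suggests but does not prove). Now that `init_manager` is passed explicitly, it is worth checking whether `server_` is still needed by the rest of the class, which is outside this hunk.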
--- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -28,13 +28,14 @@ SecretManagerImpl::findStaticTlsCertificate(const std::string& name) const { DynamicTlsCertificateSecretProviderSharedPtr SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( - const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name) { + const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, + Init::Manager& init_manager) { auto hash = MessageUtil::hash(sds_config_source); std::string map_key = std::to_string(hash) + config_name; auto dynamic_secret_provider = dynamic_secret_providers_[map_key].lock(); if (!dynamic_secret_provider) { - dynamic_secret_provider = std::make_shared(server_, sds_config_source, config_name); + dynamic_secret_provider = std::make_shared(server_, init_manager, sds_config_source, config_name); dynamic_secret_providers_[map_key] = dynamic_secret_provider; } diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 7cc53bcb0049..3322e3b86605 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -21,7 +21,8 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable #include "envoy/api/v2/auth/cert.pb.h" +#include "envoy/init/init.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_config.h" @@ -56,7 +57,8 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { protected: ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, - Secret::SecretManager& secret_manager); + Secret::SecretManager& secret_manager, + Init::Manager& init_manager); private: static unsigned 
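Review bot: `dynamic_secret_providers_[map_key].lock()` on the context line above the changed `make_shared` call still uses `operator[]`, which inserts an empty `weak_ptr` for every key that is merely looked up and never erases expired entries, so the map only grows across cluster and listener churn. With `auto it = dynamic_secret_providers_.find(map_key);` and a `lock()` only when `it != end`, the insert can be limited to the creation branch where `dynamic_secret_providers_[map_key] = dynamic_secret_provider;` already runs, and expired entries could be reclaimed there. Note also that the cached provider is returned to every later caller regardless of the `init_manager` they pass, so a second cluster's init manager never sees the target — if intentional, say so in a comment on the early-return path. The ambiguous `map_key` concatenation is raised on the PATCH 31 version of this function above.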
@@ -68,6 +70,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { static const std::string DEFAULT_ECDH_CURVES; Secret::SecretManager& secret_manager_; + Init::Manager& init_manager_; Secret::DynamicTlsCertificateSecretProviderSharedPtr secret_provider_; std::string cert_chain_; std::string private_key_; @@ -92,9 +95,11 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { class ClientContextConfigImpl : public ContextConfigImpl, public ClientContextConfig { public: explicit ClientContextConfigImpl(const envoy::api::v2::auth::UpstreamTlsContext& config, - Secret::SecretManager& secret_manager); + Secret::SecretManager& secret_manager, + Init::Manager& init_manager); explicit ClientContextConfigImpl(const Json::Object& config, - Secret::SecretManager& secret_manager); + Secret::SecretManager& secret_manager, + Init::Manager& init_manager); // Ssl::ClientContextConfig const std::string& serverNameIndication() const override { return server_name_indication_; } @@ -108,9 +113,11 @@ class ClientContextConfigImpl : public ContextConfigImpl, public ClientContextCo class ServerContextConfigImpl : public ContextConfigImpl, public ServerContextConfig { public: explicit ServerContextConfigImpl(const envoy::api::v2::auth::DownstreamTlsContext& config, - Secret::SecretManager& secret_manager); + Secret::SecretManager& secret_manager, + Init::Manager& init_manager); explicit ServerContextConfigImpl(const Json::Object& config, - Secret::SecretManager& secret_manager); + Secret::SecretManager& secret_manager, + Init::Manager& init_manager); // Ssl::ServerContextConfig bool requireClientCertificate() const override { return require_client_certificate_; } diff --git a/source/common/upstream/BUILD b/source/common/upstream/BUILD index 98c6cf013810..99067e70067d 100644 --- a/source/common/upstream/BUILD +++ b/source/common/upstream/BUILD 
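Review bot: The new `Init::Manager& init_manager_;` reference member in ContextConfigImpl is undocumented, and unlike `secret_manager_` it refers to an object owned by a particular cluster or listener, so a comment on the lifetime requirement is needed, e.g. `// Init manager of the owning cluster/listener; SDS providers created by this config register with it. Must outlive this object.` If the constructor only forwards the manager to `findOrCreateDynamicTlsCertificateSecretProvider`, consider not storing it at all — the context_config_impl.cc hunk is garbled on this page, so this needs checking there. The repeated `explicit` on the two-argument-plus constructors of ClientContextConfigImpl and ServerContextConfigImpl is now meaningless and could be dropped while these signatures are being touched.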
@@ -372,6 +372,7 @@ envoy_cc_library( ":outlier_detection_lib", ":resource_manager_lib", "//include/envoy/event:timer_interface", + "//include/envoy/init:init_interface", "//include/envoy/local_info:local_info_interface", "//include/envoy/network:dns_interface", "//include/envoy/runtime:runtime_interface", @@ -388,6 +389,7 @@ envoy_cc_library( "//source/common/config:metadata_lib", "//source/common/stats:stats_lib", "//source/common/upstream:locality_lib", + "//source/server:init_manager_lib", "@envoy_api//envoy/api/v2/core:base_cc", "@envoy_api//envoy/api/v2/endpoint:endpoint_cc", ], diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index ab14e685f0b2..db8cafadd46e 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -267,7 +267,8 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - Secret::SecretManager& secret_manager, bool added_via_api) + Secret::SecretManager& secret_manager, + Init::Manager& init_manager, bool added_via_api) : runtime_(runtime), name_(config.name()), type_(config.type()), max_requests_per_connection_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, max_requests_per_connection, 0)), @@ -291,7 +292,8 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, metadata_(config.metadata()), common_lb_config_(config.common_lb_config()), cluster_socket_options_(parseClusterSocketOptions(config, bind_config)), drain_connections_on_host_removal_(config.drain_connections_on_host_removal()), - secret_manager_(secret_manager) { + secret_manager_(secret_manager), + init_manager_(init_manager) { // If the cluster doesn't have a transport socket configured, override with the default transport // socket implementation based on the tls_context. We copy by value first then override if 
@@ -441,7 +443,7 @@ ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster, Secret::SecretManager& secret_manager, bool added_via_api) : runtime_(runtime), info_(new ClusterInfoImpl(cluster, bind_config, runtime, stats, ssl_context_manager, - secret_manager, added_via_api)) { + secret_manager, sds_init_manager_, added_via_api)) { // Create the default (empty) priority set before registering callbacks to // avoid getting an update the first time it is accessed. priority_set_.getOrCreateHostSet(0); @@ -506,6 +508,8 @@ void ClusterImplBase::onPreInitComplete() { pending_initialize_health_checks_ += host_set->hosts().size(); } + sds_init_manager_.initialize([]() -> void {}); + // TODO(mattklein123): Remove this callback when done. health_checker_->addHostCheckCompleteCb([this](HostSharedPtr, HealthTransition) -> void { if (pending_initialize_health_checks_ > 0 && --pending_initialize_health_checks_ == 0) { diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 6540b8ac4ca8..a9226285edf9 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -14,6 +14,7 @@ #include "envoy/api/v2/core/base.pb.h" #include "envoy/api/v2/endpoint/endpoint.pb.h" #include "envoy/event/timer.h" +#include "envoy/init/init.h" #include "envoy/local_info/local_info.h" #include "envoy/network/dns.h" #include "envoy/runtime/runtime.h" @@ -38,6 +39,8 @@ #include "common/upstream/outlier_detection_impl.h" #include "common/upstream/resource_manager_impl.h" +#include "server/init_manager_impl.h" + namespace Envoy { namespace Upstream { 
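Review bot: The ClusterImplBase mem-initializer passes `sds_init_manager_` into `new ClusterInfoImpl(...)` while `info_` is being initialized; this is only safe if `sds_init_manager_` is declared before `info_` in upstream_impl.h, since the ClusterInfoImpl constructor body (the transport-socket-factory setup shown in the previous hunk) appears able to reach `initManager()` and `registerTarget` during construction. The class hunk in upstream_impl.h is garbled on this page, so please verify the declaration order and add `// Must be declared before info_: ClusterInfoImpl registers SDS init targets with it during construction.` beside the member. The constructor body continues past the end of this hunk.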
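Review bot: `sds_init_manager_.initialize([]() -> void {});` in onPreInitComplete discards the completion signal, so nothing in the cluster waits for the SDS targets registered with this manager; unless a later patch wires the callback, the cluster can be reported initialized before its TLS certificate has arrived from SDS, which is the window a per-cluster init manager is meant to close. Consider gating the existing initialization-complete path on this callback, or at minimum add `// TODO: gate cluster initialization on SDS secret arrival; callback intentionally empty for now` so the omission is visibly deliberate. A second cluster sharing an already-created provider registers no target with its own manager, so its `initialize()` completes immediately — worth a comment here as well. The enclosing function continues outside the hunk.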
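Review bot: The new `#include "server/init_manager_impl.h"` in upstream_impl.h (with the matching `//source/server:init_manager_lib` dep added to the BUILD hunk in the previous file) makes `source/common/upstream` depend on `source/server`, which appears to invert the direction the rest of the dependency graph follows (server code depending on common, not the reverse). If ClusterImplBase only needs a concrete `Init::Manager`, moving InitManagerImpl under `source/common/init` (or adding a minimal implementation there) and depending on that would keep the layering intact. The class declaration this header change serves is outside the visible hunk.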
@@ -313,7 +316,8 @@ class ClusterInfoImpl : public ClusterInfo, ClusterInfoImpl(const envoy::api::v2::Cluster& config, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - Secret::SecretManager& secret_manager, bool added_via_api); + Secret::SecretManager& secret_manager, Init::Manager& init_manager, + bool added_via_api); static ClusterStats generateStats(Stats::Scope& scope); static ClusterLoadReportStats generateLoadReportStats(Stats::Scope& scope); @@ -365,6 +369,8 @@ class ClusterInfoImpl : public ClusterInfo, Secret::SecretManager& secretManager() override { return secret_manager_; } + Init::Manager& initManager() override { return init_manager_; } + private: struct ResourceManagers { ResourceManagers(const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, @@ -405,6 +411,7 @@ class ClusterInfoImpl : public ClusterInfo, const Network::ConnectionSocket::OptionsSharedPtr cluster_socket_options_; const bool drain_connections_on_host_removal_; Secret::SecretManager& secret_manager_; + Init::Manager& init_manager_; }; /** @@ -474,7 +481,8 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable( message), - context.secretManager()), + context.secretManager(), + context.initManager()), context.sslContextManager(), context.statsScope()); } @@ -39,7 +40,8 @@ Network::TransportSocketFactoryPtr DownstreamSslSocketFactory::createTransportSo Ssl::ServerContextConfigImpl( MessageUtil::downcastAndValidate( message), - context.secretManager()), + context.secretManager(), + context.initManager()), context.sslContextManager(), context.statsScope(), server_names); } diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index 32759e6925ea..b87184a11c40 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h 
@@ -444,7 +444,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/clientkey.pem")); } - Ssl::ClientContextConfigImpl cfg(tls_context, server_.secretManager()); + Ssl::ClientContextConfigImpl cfg(tls_context, server_.secretManager(), init_manager_); mock_cluster_info_->transport_socket_factory_ = std::make_unique(cfg, context_manager_, *stats_store_); @@ -474,7 +474,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); } - Ssl::ServerContextConfigImpl cfg(tls_context, server_.secretManager()); + Ssl::ServerContextConfigImpl cfg(tls_context, server_.secretManager(), init_manager_); static Stats::Scope* upstream_stats_store = new Stats::IsolatedStoreImpl(); return std::make_unique( @@ -483,6 +483,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { bool use_client_cert_{}; Server::MockInstance server_; + NiceMock init_manager_; Ssl::ContextManagerImpl context_manager_{runtime_}; }; diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index e99de86ba6b0..8815efee2891 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD @@ -33,6 +33,7 @@ envoy_cc_test( deps = [ "//source/common/secret:sds_api_lib", "//test/mocks/grpc:grpc_mocks", + "//test/mocks/init:init_mocks", "//test/mocks/server:server_mocks", "//test/test_common:environment_lib", "//test/test_common:registry_lib", diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index 10e5f837da7e..d82b50e2ecdf 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc 
@@ -7,6 +7,7 @@ #include "common/secret/sds_api.h" #include "test/mocks/grpc/mocks.h" +#include "test/mocks/init/mocks.h" #include "test/mocks/server/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/utility.h" @@ -28,7 +29,8 @@ TEST_F(SdsApiTest, BasicTest) { ::testing::InSequence s; const envoy::service::discovery::v2::SdsDummy dummy; NiceMock server; - EXPECT_CALL(server.init_manager_, registerTarget(_)); + NiceMock init_manager; + EXPECT_CALL(init_manager, registerTarget(_)); envoy::api::v2::core::ConfigSource config_source; config_source.mutable_api_config_source()->set_api_type( @@ -37,7 +39,7 @@ TEST_F(SdsApiTest, BasicTest) { auto google_grpc = grpc_service->mutable_google_grpc(); google_grpc->set_target_uri("fake_address"); google_grpc->set_stat_prefix("test"); - SdsApi sds_api(server, config_source, "abc.com"); + SdsApi sds_api(server, init_manager, config_source, "abc.com"); NiceMock* grpc_client{new NiceMock()}; NiceMock* factory{new NiceMock()}; @@ -48,15 +50,15 @@ TEST_F(SdsApiTest, BasicTest) { EXPECT_CALL(*factory, create()).WillOnce(Invoke([grpc_client] { return Grpc::AsyncClientPtr{grpc_client}; })); - EXPECT_CALL(server.init_manager_.initialized_, ready()); - server.init_manager_.initialize(); + EXPECT_CALL(init_manager.initialized_, ready()); + init_manager.initialize(); } TEST_F(SdsApiTest, SecretUpdateSuccess) { Server::MockInstance server; + NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - EXPECT_CALL(server, initManager()); - SdsApi sds_api(server, config_source, "abc.com"); + SdsApi sds_api(server, init_manager, config_source, "abc.com"); std::string yaml = R"EOF( 
@@ -84,9 +86,9 @@ TEST_F(SdsApiTest, SecretUpdateSuccess) { TEST_F(SdsApiTest, EmptyResource) { Server::MockInstance server; + NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - EXPECT_CALL(server, initManager()); - SdsApi sds_api(server, config_source, "abc.com"); + SdsApi sds_api(server, init_manager, config_source, "abc.com"); Protobuf::RepeatedPtrField secret_resources; sds_api.onConfigUpdate(secret_resources, ""); @@ -95,9 +97,9 @@ TEST_F(SdsApiTest, EmptyResource) { TEST_F(SdsApiTest, SecretUpdateWrongSize) { Server::MockInstance server; + NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - EXPECT_CALL(server, initManager()); - SdsApi sds_api(server, config_source, "abc.com"); + SdsApi sds_api(server, init_manager, config_source, "abc.com"); std::string yaml = R"EOF( @@ -121,9 +123,9 @@ TEST_F(SdsApiTest, SecretUpdateWrongSize) { TEST_F(SdsApiTest, SecretUpdateWrongSecretName) { Server::MockInstance server; + NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - EXPECT_CALL(server, initManager()); - SdsApi sds_api(server, config_source, "abc.com"); + SdsApi sds_api(server, init_manager, config_source, "abc.com"); std::string yaml = R"EOF( diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index 47f1a523bf42..09f0e5f05458 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -66,9 +66,10 @@ name: "abc.com" TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { MockServer server; + NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; auto secret_provider = server.secretManager().findOrCreateDynamicTlsCertificateSecretProvider( - config_source, "abc.com"); + config_source, "abc.com", init_manager); std::string yaml = R"EOF( diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index d69c7209c8eb..f45f65e46d4e 100644 
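Review bot: The SdsDynamicSecretUpdateSuccess update in secret_manager_impl_test.cc only threads `init_manager` through the existing call, so the caching behavior that the new parameter interacts with is still untested: a second `findOrCreateDynamicTlsCertificateSecretProvider(config_source, "abc.com", other_init_manager)` asserting the same provider is returned and that `other_init_manager` receives no `registerTarget` would pin the shared-provider semantics. A companion case with two names that differ only by a leading digit would also catch the unseparated hash-plus-name key used by the implementation. The test body continues past the end of this hunk.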
--- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -81,7 +81,7 @@ TEST_F(SslContextImplTest, TestCipherSuites) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager()); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -97,7 +97,7 @@ TEST_F(SslContextImplTest, TestExpiringCert) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager()); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -120,7 +120,7 @@ TEST_F(SslContextImplTest, TestExpiredCert) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager()); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -138,7 +138,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager()); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
@@ -164,7 +164,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { TEST_F(SslContextImplTest, TestNoCert) { Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString("{}"); - ClientContextConfigImpl cfg(*loader, server_.secretManager()); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -186,6 +186,7 @@ class SslServerContextImplTicketTest : public SslContextImplTest { static void loadConfigV2(envoy::api::v2::auth::DownstreamTlsContext& cfg) { Server::MockInstance server; + NiceMock init_manager; // Must add a certificate for the config to be considered valid. envoy::api::v2::auth::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); @@ -193,15 +194,16 @@ class SslServerContextImplTicketTest : public SslContextImplTest { TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); server_cert->mutable_private_key()->set_filename( TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); - ServerContextConfigImpl server_context_config(cfg, server.secretManager()); + ServerContextConfigImpl server_context_config(cfg, server.secretManager(), init_manager); loadConfig(server_context_config); } static void loadConfigJson(const std::string& json) { Server::MockInstance server; + NiceMock init_manager; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); Secret::MockSecretManager secret_manager; - ServerContextConfigImpl cfg(*loader, server.secretManager()); + ServerContextConfigImpl cfg(*loader, server.secretManager(), init_manager); loadConfig(cfg); } }; 
@@ -359,14 +361,15 @@ class ClientContextConfigImplTest : public SslCertsTest {}; TEST(ClientContextConfigImplTest, EmptyServerNameIndication) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; tls_context.set_sni(std::string("\000", 1)); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "SNI names containing NULL-byte are not allowed"); tls_context.set_sni(std::string("a\000b", 3)); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "SNI names containing NULL-byte are not allowed"); } @@ -374,12 +377,13 @@ TEST(ClientContextConfigImplTest, EmptyServerNameIndication) { TEST(ClientContextConfigImplTest, InvalidCertificateHash) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; tls_context.mutable_common_tls_context() ->mutable_validation_context() // This is valid hex-encoded string, but it doesn't represent SHA-256 (80 vs 64 chars). ->add_verify_certificate_hash("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
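Review bot: Each rewritten `ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager),` line inside the EXPECT_THROW_WITH_MESSAGE calls is longer than the column width the file was previously wrapped to; run clang-format over context_impl_test.cc so these wrap consistently. The same applies to the corresponding ClientContextConfigImpl and ServerContextConfigImpl constructions in the InvalidCertificateSpki, MultipleTlsCertificates, TlsCertificatesAndSdsConfig, and ServerContextConfigImplTest hunks that follow on this page.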
@@ -391,11 +395,12 @@ TEST(ClientContextConfigImplTest, InvalidCertificateHash) { TEST(ClientContextConfigImplTest, InvalidCertificateSpki) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; tls_context.mutable_common_tls_context() ->mutable_validation_context() // Not a base64-encoded string. ->add_verify_certificate_spki("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
@@ -408,20 +413,22 @@ TEST(ClientContextConfigImplTest, InvalidCertificateSpki) { TEST(ClientContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "Multiple TLS certificates are not supported for client contexts"); } TEST(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "Multiple TLS certificates are not supported for client contexts"); } 
@@ -442,11 +449,12 @@ class MockServer : public Server::MockInstance { TEST(ClientContextConfigImplTest, SdsConfig) { envoy::api::v2::auth::UpstreamTlsContext tls_context; MockServer server; + NiceMock init_manager; auto sds_secret_configs = tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); EXPECT_EQ("", client_context_config.certChain()); EXPECT_EQ("", client_context_config.privateKey()); @@ -481,6 +489,7 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); Server::MockInstance server; + NiceMock init_manager; server.secretManager().addStaticSecret(secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; @@ -489,7 +498,7 @@ name: "abc.com" ->Add() ->set_name("abc.com"); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), @@ -514,6 +523,7 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); Server::MockInstance server; + NiceMock init_manager; server.secretManager().addStaticSecret(secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; 
@@ -523,7 +533,7 @@ name: "abc.com" ->set_name("missing"); EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager()), + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "Unknown static secret: missing"); } 
@@ -533,39 +543,42 @@ name: "abc.com" TEST(ServerContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "A single TLS certificate is required for server contexts"); } TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { Server::MockInstance server; + NiceMock init_manager; envoy::api::v2::auth::DownstreamTlsContext tls_context; EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "A single TLS certificate is required for server contexts"); } TEST(ServerContextConfigImplTest, SdsConfig) { envoy::api::v2::auth::DownstreamTlsContext tls_context; MockServer server; + NiceMock init_manager; auto 
sds_secret_configs = tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager); EXPECT_EQ("", server_context_config.certChain()); EXPECT_EQ("", server_context_config.privateKey()); @@ -589,8 +602,9 @@ TEST(ServerContextConfigImplTest, SdsConfig) { TEST(ServerContextImplTest, TlsCertificateNonEmpty) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; tls_context.mutable_common_tls_context()->add_tls_certificates(); - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -604,6 +618,7 @@ TEST(ServerContextImplTest, TlsCertificateNonEmpty) { TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; + NiceMock init_manager; envoy::api::v2::auth::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); @@ -611,7 +626,7 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(true); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "Certificate validity period is always ignored without trusted CA"); envoy::api::v2::auth::TlsCertificate* server_cert = 
@@ -624,12 +639,12 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(false); EXPECT_NO_THROW( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager())); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager)); server_validation_ctx->set_allow_expired_certificate(true); EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager()), + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), EnvoyException, "Certificate validity period is always ignored without trusted CA"); // But once you add a trusted CA, you should be able to create the context. @@ -637,7 +652,7 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { TestEnvironment::substitute("{{ test_rundir }}/test/common/ssl/test_data/ca_cert.pem")); EXPECT_NO_THROW( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager())); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager)); } } // namespace Ssl diff --git a/test/common/ssl/ssl_certs_test.h b/test/common/ssl/ssl_certs_test.h index 4cdbef6c791b..f08134de41e9 100644 --- a/test/common/ssl/ssl_certs_test.h +++ b/test/common/ssl/ssl_certs_test.h @@ -13,5 +13,6 @@ class SslCertsTest : public testing::Test { } Server::MockInstance server_; + NiceMock init_manager_; }; } // namespace Envoy diff --git a/test/common/ssl/ssl_socket_test.cc b/test/common/ssl/ssl_socket_test.cc index 6b172a403059..70d6bca79b90 100644 --- a/test/common/ssl/ssl_socket_test.cc +++ b/test/common/ssl/ssl_socket_test.cc 
@@ -53,9 +53,10 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; Server::MockInstance server; + NiceMock init_manager; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager()); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager(), init_manager); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -68,7 +69,7 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), init_manager); Ssl::ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -146,6 +147,7 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; Server::MockInstance server; + NiceMock init_manager; ContextManagerImpl manager(runtime); std::string new_session = EMPTY_STRING; 
@@ -155,7 +157,7 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, std::vector server_names(filter_chain.filter_chain_match().server_names().begin(), filter_chain.filter_chain_match().server_names().end()); Ssl::ServerContextConfigImpl server_ctx_config(filter_chain.tls_context(), - server.secretManager()); + server.secretManager(), init_manager); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, server_names); @@ -166,7 +168,7 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, Network::MockConnectionHandler connection_handler; Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); - ClientContextConfigImpl client_ctx_config(client_ctx_proto, server.secretManager()); + ClientContextConfigImpl client_ctx_config(client_ctx_proto, server.secretManager(), init_manager); ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); ClientContextPtr client_ctx(manager.createSslClientContext(stats_store, client_ctx_config)); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( @@ -1517,7 +1519,7 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); 
@@ -1575,7 +1577,7 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -1596,7 +1598,7 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager()); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), init_manager_); ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -1659,7 +1661,7 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager()); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager(), init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); 
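Review bot: In the ClientAuthMultipleCAs hunk the new argument mixes scopes: the secret manager comes from the test-local `server` while the init manager is the fixture member `init_manager_`, whereas every other test in this file pairs a local `server` with a local `init_manager` and the fixture `server_` with `init_manager_`. Either declare a local `NiceMock init_manager;` next to `server` and pass that, or take both from the fixture with `server_.secretManager(), init_manager_`. The same mix appears on the client-side line of the next hunk (`@@ -1679,7 +1681,7 @@`). Both objects exist in this test, so this is a readability point rather than a defect.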
@@ -1679,7 +1681,7 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), init_manager_); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -1737,12 +1739,13 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; Server::MockInstance server; + NiceMock init_manager; ContextManagerImpl manager(runtime); Json::ObjectSharedPtr server_ctx_loader1 = TestEnvironment::jsonLoadFromString(server_ctx_json1); Json::ObjectSharedPtr server_ctx_loader2 = TestEnvironment::jsonLoadFromString(server_ctx_json2); - ServerContextConfigImpl server_ctx_config1(*server_ctx_loader1, server.secretManager()); - ServerContextConfigImpl server_ctx_config2(*server_ctx_loader2, server.secretManager()); + ServerContextConfigImpl server_ctx_config1(*server_ctx_loader1, server.secretManager(), init_manager); + ServerContextConfigImpl server_ctx_config2(*server_ctx_loader2, server.secretManager(), init_manager); Ssl::ServerSslSocketFactory server_ssl_socket_factory1(server_ctx_config1, manager, stats_store, server_names1); Ssl::ServerSslSocketFactory server_ssl_socket_factory2(server_ctx_config2, manager, stats_store, 
@@ -1759,7 +1762,7 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Network::ListenerPtr listener2 = dispatcher.createListener(socket2, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), init_manager); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket1.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -2099,9 +2102,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); Json::ObjectSharedPtr server2_ctx_loader = TestEnvironment::jsonLoadFromString(server2_ctx_json); - ServerContextConfigImpl server2_ctx_config(*server2_ctx_loader, server_.secretManager()); + ServerContextConfigImpl server2_ctx_config(*server2_ctx_loader, server_.secretManager(), init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); 
@@ -2126,7 +2129,7 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager()); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), init_manager_); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -2212,7 +2215,7 @@ TEST_P(SslSocketTest, SslError) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -2535,7 +2538,7 @@ class SslReadBufferLimitTest : public SslCertsTest, void initialize() { server_ctx_loader_ = TestEnvironment::jsonLoadFromString(server_ctx_json_); server_ctx_config_.reset( - new ServerContextConfigImpl(*server_ctx_loader_, server_.secretManager())); + new ServerContextConfigImpl(*server_ctx_loader_, server_.secretManager(), init_manager_)); manager_.reset(new ContextManagerImpl(runtime_)); server_ssl_socket_factory_.reset(new ServerSslSocketFactory( *server_ctx_config_, *manager_, stats_store_, std::vector{})); 
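Review bot: `server_ctx_config_.reset(new ServerContextConfigImpl(...))` in the SslReadBufferLimitTest::initialize hunk keeps a raw `new` on a line the commit is rewriting anyway; if `server_ctx_config_` is a `std::unique_ptr` (the `.reset` suggests so, but its declaration is outside the hunk), `server_ctx_config_ = std::make_unique<ServerContextConfigImpl>(*server_ctx_loader_, server_.secretManager(), init_manager_);` is the idiomatic and exception-safe form. The client-side `reset(new ClientContextConfigImpl(...))` in the following hunk (`@@ -2544,7 +2547,7 @@`) is the same case. The enclosing `initialize()` body continues outside this hunk.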
@@ -2544,7 +2547,7 @@ class SslReadBufferLimitTest : public SslCertsTest, client_ctx_loader_ = TestEnvironment::jsonLoadFromString(client_ctx_json_); client_ctx_config_.reset( - new ClientContextConfigImpl(*client_ctx_loader_, server_.secretManager())); + new ClientContextConfigImpl(*client_ctx_loader_, server_.secretManager(), init_manager_)); client_ssl_socket_factory_.reset( new ClientSslSocketFactory(*client_ctx_config_, *manager_, stats_store_)); diff --git a/test/integration/BUILD b/test/integration/BUILD index d8448534c879..58b2c7a2a3aa 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -33,6 +33,7 @@ envoy_cc_test( "//source/common/ssl:ssl_socket_lib", "//source/extensions/transport_sockets/ssl:config", "//test/common/grpc:grpc_client_integration_lib", + "//test/mocks/init:init_mocks", "//test/mocks/runtime:runtime_mocks", "//test/mocks/secret:secret_mocks", "//test/test_common:network_utility_lib", diff --git a/test/integration/ads_integration_test.cc b/test/integration/ads_integration_test.cc index d348cdab997d..ddc87eff45b1 100644 --- a/test/integration/ads_integration_test.cc +++ b/test/integration/ads_integration_test.cc @@ -19,6 +19,7 @@ #include "test/common/grpc/grpc_client_integration.h" #include "test/integration/http_integration.h" #include "test/integration/utility.h" +#include "test/mocks/init/mocks.h" #include "test/mocks/runtime/mocks.h" #include "test/mocks/secret/mocks.h" #include "test/test_common/network_utility.h" 
@@ -86,7 +87,7 @@ class AdsIntegrationTest : public HttpIntegrationTest, public Grpc::GrpcClientIn TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem")); tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); - Ssl::ServerContextConfigImpl cfg(tls_context, secret_manager_); + Ssl::ServerContextConfigImpl cfg(tls_context, secret_manager_, init_manager_); static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return std::make_unique( @@ -267,6 +268,7 @@ class AdsIntegrationTest : public HttpIntegrationTest, public Grpc::GrpcClientIn Ssl::ContextManagerImpl context_manager_{runtime_}; FakeHttpConnectionPtr ads_connection_; FakeStreamPtr ads_stream_; + testing::NiceMock init_manager_; }; INSTANTIATE_TEST_CASE_P(IpVersionsClientType, AdsIntegrationTest, GRPC_CLIENT_INTEGRATION_PARAMS); diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index 53316b1114ae..2d27a50bd069 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc @@ -60,7 +60,8 @@ createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& conte } Server::MockInstance server; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); - ClientContextConfigImpl cfg(*loader, server.secretManager()); + NiceMock init_manager; + ClientContextConfigImpl cfg(*loader, server.secretManager(), init_manager); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ new Ssl::ClientSslSocketFactory(cfg, context_manager, *client_stats_store)}; diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index ed92338dd76f..df036ee40a7f 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc 
@@ -59,7 +59,7 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createClientSslContext(b target = json_tls; } Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); - Ssl::ClientContextConfigImpl cfg(*loader, server_.secretManager()); + Ssl::ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ new Ssl::ClientSslSocketFactory(cfg, *context_manager_, *client_stats_store)}; @@ -74,7 +74,7 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createUpstreamSslContext )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - Ssl::ServerContextConfigImpl cfg(*loader, server_.secretManager()); + Ssl::ServerContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return std::make_unique( cfg, *context_manager_, *upstream_stats_store, std::vector{}); diff --git a/test/integration/xfcc_integration_test.h b/test/integration/xfcc_integration_test.h index 3d0c81a0ad09..291261bfafc2 100644 --- a/test/integration/xfcc_integration_test.h +++ b/test/integration/xfcc_integration_test.h @@ -57,6 +57,7 @@ class XfccIntegrationTest : public HttpIntegrationTest, Network::TransportSocketFactoryPtr client_mtls_ssl_ctx_; Network::TransportSocketFactoryPtr upstream_ssl_ctx_; Server::MockInstance server_; + NiceMock init_manager_; }; } // namespace Xfcc } // namespace Envoy diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index 9a2acffd9a6a..d67af4ae1aed 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h 
@@ -16,10 +16,11 @@ class MockSecretManager : public SecretManager { MOCK_METHOD1(addStaticSecret, void(const envoy::api::v2::auth::Secret& secret)); MOCK_CONST_METHOD1(findStaticTlsCertificate, Ssl::TlsCertificateConfig*(const std::string& name)); - MOCK_METHOD2(findOrCreateDynamicTlsCertificateSecretProvider, + MOCK_METHOD3(findOrCreateDynamicTlsCertificateSecretProvider, DynamicTlsCertificateSecretProviderSharedPtr( const envoy::api::v2::core::ConfigSource& config_source, - const std::string& config_name)); + const std::string& config_name, + Init::Manager& init_manager)); }; class MockDynamicTlsCertificateSecretProvider : public DynamicTlsCertificateSecretProvider { diff --git a/test/mocks/server/mocks.h b/test/mocks/server/mocks.h index 9bfd7e1a4568..62be87f87eaa 100644 --- a/test/mocks/server/mocks.h +++ b/test/mocks/server/mocks.h @@ -411,6 +411,7 @@ class MockTransportSocketFactoryContext : public TransportSocketFactoryContext { MOCK_METHOD0(sslContextManager, Ssl::ContextManager&()); MOCK_CONST_METHOD0(statsScope, Stats::Scope&()); + MOCK_METHOD0(initManager, Init::Manager&()); }; class MockListenerFactoryContext : public virtual MockFactoryContext, From eb9e161025793dec205ea53d6aa49446785e854e Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Sat, 7 Jul 2018 23:48:06 -0700 Subject: [PATCH 34/55] modify BUILD file. Signed-off-by: JimmyCYJ --- include/envoy/secret/BUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD index 3ed2eeb4e374..475d6b759e5d 100644 --- a/include/envoy/secret/BUILD +++ b/include/envoy/secret/BUILD @@ -21,8 +21,8 @@ envoy_cc_library( hdrs = ["secret_manager.h"], deps = [ ":dynamic_secret_provider_interface", + "//include/envoy/init:init_interface", "@envoy_api//envoy/api/v2/auth:cert_cc", "@envoy_api//envoy/api/v2/core:config_source_cc", - "//include/envoy/init:init_interface", ], ) From 84d31c6f6f38fc21560ff28ed449867b96c658fb Mon Sep 17 00:00:00 2001 
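Review bot: `MOCK_METHOD0(initManager, Init::Manager&())` is added to MockTransportSocketFactoryContext without a default action; gmock cannot synthesize a default for a reference return type, so production code calling `context.initManager()` through this mock (the transport-socket config factories in the later "fix format" patch do) fails at runtime unless every test sets `ON_CALL(..., initManager()).WillByDefault(ReturnRef(...))`. If the class constructor already wires `sslContextManager()` and the other reference-returning methods to members, it should do the same here, e.g. `ON_CALL(*this, initManager()).WillByDefault(ReturnRef(init_manager_));` backed by a `NiceMock` init-manager member of the same type the tests declare. The constructor and member list are outside this hunk, so I cannot confirm whether that wiring exists.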
From: JimmyCYJ Date: Sat, 7 Jul 2018 23:51:47 -0700 Subject: [PATCH 35/55] fix format. Signed-off-by: JimmyCYJ --- .../envoy/server/transport_socket_config.h | 2 +- source/common/secret/BUILD | 2 +- source/common/secret/sds_api.cc | 4 +- source/common/secret/sds_api.h | 4 +- source/common/secret/secret_manager_impl.cc | 3 +- source/common/secret/secret_manager_impl.h | 3 +- source/common/ssl/context_config_impl.cc | 9 +- source/common/ssl/context_config_impl.h | 3 +- source/common/upstream/upstream_impl.cc | 7 +- source/common/upstream/upstream_impl.h | 2 +- .../transport_sockets/ssl/config.cc | 6 +- test/common/ssl/context_impl_test.cc | 82 ++++++++++--------- test/common/ssl/ssl_socket_test.cc | 46 +++++++---- test/mocks/secret/mocks.h | 3 +- 14 files changed, 95 insertions(+), 81 deletions(-) diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h index 3f59e5e67baa..259c4b2785ed 100644 --- a/include/envoy/server/transport_socket_config.h +++ b/include/envoy/server/transport_socket_config.h @@ -37,7 +37,7 @@ class TransportSocketFactoryContext { /** * Return the instance of init manager. - */ + */ virtual Init::Manager& initManager() PURE; }; diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index e0d275a81e93..9752f47ba02d 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -28,8 +28,8 @@ envoy_cc_library( hdrs = ["sds_api.h"], deps = [ "//include/envoy/config:subscription_interface", - "//include/envoy/server:instance_interface", "//include/envoy/init:init_interface", + "//include/envoy/server:instance_interface", "//source/common/common:minimal_logger_lib", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index efcd9c53c5bf..40c94aebca5b 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc 
@@ -12,8 +12,8 @@ namespace Envoy { namespace Secret { -SdsApi::SdsApi(Server::Instance& server, Init::Manager& init_manager, const envoy::api::v2::core::ConfigSource& sds_config, - std::string sds_config_name) +SdsApi::SdsApi(Server::Instance& server, Init::Manager& init_manager, + const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) : server_(server), sds_config_(sds_config), sds_config_name_(sds_config_name), secret_hash_(0) { init_manager.registerTarget(*this); } diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 888000237a32..8114c6e66cef 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -19,8 +19,8 @@ class SdsApi : public Init::Target, public Config::SubscriptionCallbacks, public Logger::Loggable { public: - SdsApi(Server::Instance& server, Init::Manager& init_manager, const envoy::api::v2::core::ConfigSource& sds_config, - std::string sds_config_name); + SdsApi(Server::Instance& server, Init::Manager& init_manager, + const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name); // Init::Target void initialize(std::function callback) override; diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index b51e37ee2f9a..dc983b7d55ad 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -35,7 +35,8 @@ SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( auto dynamic_secret_provider = dynamic_secret_providers_[map_key].lock(); if (!dynamic_secret_provider) { - dynamic_secret_provider = std::make_shared(server_, init_manager, sds_config_source, config_name); + dynamic_secret_provider = + std::make_shared(server_, init_manager, sds_config_source, config_name); dynamic_secret_providers_[map_key] = dynamic_secret_provider; } 
diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 3322e3b86605..744977436cdb 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -20,8 +20,7 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable( message), - context.secretManager(), - context.initManager()), + context.secretManager(), context.initManager()), context.sslContextManager(), context.statsScope()); } @@ -40,8 +39,7 @@ Network::TransportSocketFactoryPtr DownstreamSslSocketFactory::createTransportSo Ssl::ServerContextConfigImpl( MessageUtil::downcastAndValidate( message), - context.secretManager(), - context.initManager()), + context.secretManager(), context.initManager()), context.sslContextManager(), context.statsScope(), server_names); } diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index f45f65e46d4e..b6547453acda 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc 
@@ -364,13 +364,13 @@ TEST(ClientContextConfigImplTest, EmptyServerNameIndication) { NiceMock init_manager; tls_context.set_sni(std::string("\000", 1)); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "SNI names containing NULL-byte are not allowed"); + EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, "SNI names containing NULL-byte are not allowed"); tls_context.set_sni(std::string("a\000b", 3)); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "SNI names containing NULL-byte are not allowed"); + EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, "SNI names containing NULL-byte are not allowed"); } // Validate that values other than a hex-encoded SHA-256 fail config validation. @@ -416,9 +416,10 @@ TEST(ClientContextConfigImplTest, MultipleTlsCertificates) { NiceMock init_manager; tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "Multiple TLS certificates are not supported for client contexts"); + EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "Multiple TLS certificates are not supported for client contexts"); } TEST(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { 
@@ -427,9 +428,10 @@ TEST(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { NiceMock init_manager; tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "Multiple TLS certificates are not supported for client contexts"); + EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "Multiple TLS certificates are not supported for client contexts"); } class MockServer : public Server::MockInstance { @@ -532,9 +534,9 @@ name: "abc.com" ->Add() ->set_name("missing"); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "Unknown static secret: missing"); + EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, "Unknown static secret: missing"); } // Multiple TLS certificates are not yet supported, but one is expected for 
@@ -544,14 +546,16 @@ TEST(ServerContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; NiceMock init_manager; - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "A single TLS certificate is required for server contexts"); + EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "A single TLS certificate is required for server contexts"); + EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "A single TLS certificate is required for server contexts"); } TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { 
@@ -559,14 +563,16 @@ TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { NiceMock init_manager; envoy::api::v2::auth::DownstreamTlsContext tls_context; - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "A single TLS certificate is required for server contexts"); + EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "A single TLS certificate is required for server contexts"); + EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "A single TLS certificate is required for server contexts"); } TEST(ServerContextConfigImplTest, SdsConfig) { @@ -625,9 +631,10 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(true); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "Certificate validity period is always ignored without trusted CA"); + EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "Certificate validity period is always ignored without trusted CA"); envoy::api::v2::auth::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); 
@@ -638,21 +645,22 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(false); - EXPECT_NO_THROW( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager)); + EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), + init_manager)); server_validation_ctx->set_allow_expired_certificate(true); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager), - EnvoyException, "Certificate validity period is always ignored without trusted CA"); + EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( + tls_context, server.secretManager(), init_manager), + EnvoyException, + "Certificate validity period is always ignored without trusted CA"); // But once you add a trusted CA, you should be able to create the context. server_validation_ctx->mutable_trusted_ca()->set_filename( TestEnvironment::substitute("{{ test_rundir }}/test/common/ssl/test_data/ca_cert.pem")); - EXPECT_NO_THROW( - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager)); + EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), + init_manager)); } } // namespace Ssl diff --git a/test/common/ssl/ssl_socket_test.cc b/test/common/ssl/ssl_socket_test.cc index 70d6bca79b90..b6fc728eb8b9 100644 --- a/test/common/ssl/ssl_socket_test.cc +++ b/test/common/ssl/ssl_socket_test.cc 
@@ -56,7 +56,8 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ NiceMock init_manager; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager(), init_manager); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager(), + init_manager); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -69,7 +70,8 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), init_manager); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), + init_manager); Ssl::ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), @@ -156,8 +158,8 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, const auto& filter_chain = server_proto.filter_chains(0); std::vector server_names(filter_chain.filter_chain_match().server_names().begin(), filter_chain.filter_chain_match().server_names().end()); - Ssl::ServerContextConfigImpl server_ctx_config(filter_chain.tls_context(), - server.secretManager(), init_manager); + Ssl::ServerContextConfigImpl server_ctx_config(filter_chain.tls_context(), server.secretManager(), + init_manager); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, server_names); 
@@ -1519,7 +1521,8 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), + init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -1577,7 +1580,8 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), + init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -1598,7 +1602,8 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), init_manager_); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), + init_manager_); ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), 
@@ -1661,7 +1666,8 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager(), init_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager(), + init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -1681,7 +1687,8 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), init_manager_); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), + init_manager_); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), 
@@ -1744,8 +1751,10 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Json::ObjectSharedPtr server_ctx_loader1 = TestEnvironment::jsonLoadFromString(server_ctx_json1); Json::ObjectSharedPtr server_ctx_loader2 = TestEnvironment::jsonLoadFromString(server_ctx_json2); - ServerContextConfigImpl server_ctx_config1(*server_ctx_loader1, server.secretManager(), init_manager); - ServerContextConfigImpl server_ctx_config2(*server_ctx_loader2, server.secretManager(), init_manager); + ServerContextConfigImpl server_ctx_config1(*server_ctx_loader1, server.secretManager(), + init_manager); + ServerContextConfigImpl server_ctx_config2(*server_ctx_loader2, server.secretManager(), + init_manager); Ssl::ServerSslSocketFactory server_ssl_socket_factory1(server_ctx_config1, manager, stats_store, server_names1); Ssl::ServerSslSocketFactory server_ssl_socket_factory2(server_ctx_config2, manager, stats_store, @@ -1762,7 +1771,8 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Network::ListenerPtr listener2 = dispatcher.createListener(socket2, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), init_manager); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), + init_manager); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket1.localAddress(), Network::Address::InstanceConstSharedPtr(), 
@@ -2102,9 +2112,11 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), + init_manager_); Json::ObjectSharedPtr server2_ctx_loader = TestEnvironment::jsonLoadFromString(server2_ctx_json); - ServerContextConfigImpl server2_ctx_config(*server2_ctx_loader, server_.secretManager(), init_manager_); + ServerContextConfigImpl server2_ctx_config(*server2_ctx_loader, server_.secretManager(), + init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); @@ -2129,7 +2141,8 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), init_manager_); + ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), + init_manager_); ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), 
@@ -2215,7 +2228,8 @@ TEST_P(SslSocketTest, SslError) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), init_manager_); + ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager(), + init_manager_); ContextManagerImpl manager(runtime); Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, std::vector{}); diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index d67af4ae1aed..74fbf2646784 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h @@ -19,8 +19,7 @@ class MockSecretManager : public SecretManager { MOCK_METHOD3(findOrCreateDynamicTlsCertificateSecretProvider, DynamicTlsCertificateSecretProviderSharedPtr( const envoy::api::v2::core::ConfigSource& config_source, - const std::string& config_name, - Init::Manager& init_manager)); + const std::string& config_name, Init::Manager& init_manager)); }; class MockDynamicTlsCertificateSecretProvider : public DynamicTlsCertificateSecretProvider { From 5de5231b8e3f95543ae1d89fcb2a7c1bdecb0e12 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 9 Jul 2018 11:42:48 -0700 Subject: [PATCH 36/55] Review per comments. Signed-off-by: JimmyCYJ --- source/common/ssl/context_config_impl.cc | 9 +++++---- source/common/ssl/context_config_impl.h | 4 ++-- source/common/upstream/upstream_impl.cc | 6 ++++-- source/common/upstream/upstream_impl.h | 13 ++++++++++--- 4 files changed, 21 insertions(+), 11 deletions(-) diff --git a/source/common/ssl/context_config_impl.cc b/source/common/ssl/context_config_impl.cc index 5f4bfe24bd69..1a1905bfa6ba 100644 --- a/source/common/ssl/context_config_impl.cc +++ b/source/common/ssl/context_config_impl.cc 
@@ -35,7 +35,7 @@ const std::string ContextConfigImpl::DEFAULT_ECDH_CURVES = "X25519:P-256";
 ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config,
                                      Secret::SecretManager& secret_manager,
                                      Init::Manager& init_manager)
-    : secret_manager_(secret_manager), init_manager_(init_manager),
+    : secret_manager_(secret_manager),
       alpn_protocols_(RepeatedPtrUtil::join(config.alpn_protocols(), ",")),
       alt_alpn_protocols_(config.deprecated_v1().alt_alpn_protocols()),
       cipher_suites_(StringUtil::nonEmptyStringOrDefault(
@@ -67,7 +67,7 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex
           tlsVersionFromProto(config.tls_params().tls_minimum_protocol_version(), TLS1_VERSION)),
       max_protocol_version_(
           tlsVersionFromProto(config.tls_params().tls_maximum_protocol_version(), TLS1_2_VERSION)) {
-  readCertChainConfig(config);
+  readCertChainConfig(config, init_manager);
 
   if (ca_cert_.empty()) {
     if (!certificate_revocation_list_.empty()) {
@@ -85,7 +85,8 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex
   }
 }
 
-void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config) {
+void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config,
+                                            Init::Manager& init_manager) {
   if (!config.tls_certificates().empty()) {
     cert_chain_ = Config::DataSource::read(config.tls_certificates()[0].certificate_chain(), true);
     private_key_ = Config::DataSource::read(config.tls_certificates()[0].private_key(), true);
@@ -105,7 +106,7 @@ void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTl
     }
   } else {
     secret_provider_ = secret_manager_.findOrCreateDynamicTlsCertificateSecretProvider(
-        config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name, init_manager_);
+        config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name, init_manager);
     return;
   }
 }
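Review bot: `readCertChainConfig` now receives `Init::Manager& init_manager` as a parameter and only forwards it to `findOrCreateDynamicTlsCertificateSecretProvider` in the @@ -105 hunk, while `secret_manager_` stays a stored reference, but nothing in the declaration says the init manager is construction-time only. Since the caller may own an init manager with a shorter lifetime than this config object, I'd document that on the declaration in context_config_impl.h: `// init_manager is used only while the constructor runs (to register a newly created SDS provider) and is not retained.` The else branch also honours only `tls_certificate_sds_secret_configs()[0]`; a one-line comment such as `// Only the first SDS secret config is used.` would make that explicit for operators who list several. The code that derives `secret_name` sits between the @@ -85 and @@ -105 hunks and is not visible here.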
diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index aca724bab26a..eebda2b22be8 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -63,13 +63,13 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { static unsigned tlsVersionFromProto(const envoy::api::v2::auth::TlsParameters_TlsProtocol& version, unsigned default_version); - void readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config); + void readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config, + Init::Manager& init_manager); static const std::string DEFAULT_CIPHER_SUITES; static const std::string DEFAULT_ECDH_CURVES; Secret::SecretManager& secret_manager_; - Init::Manager& init_manager_; Secret::DynamicTlsCertificateSecretProviderSharedPtr secret_provider_; std::string cert_chain_; std::string private_key_; diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index e11cd1c3e1f2..9b6975d03e5a 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -496,6 +496,10 @@ void ClusterImplBase::initialize(std::function callback) { } void ClusterImplBase::onPreInitComplete() { + sds_init_manager_.initialize([this]() { onSdsInitDone(); }); +} + +void ClusterImplBase::onSdsInitDone() { // Protect against multiple calls. if (initialization_started_) { return; @@ -507,8 +511,6 @@ void ClusterImplBase::onPreInitComplete() { pending_initialize_health_checks_ += host_set->hosts().size(); } - sds_init_manager_.initialize([]() -> void {}); - // TODO(mattklein123): Remove this callback when done. health_checker_->addHostCheckCompleteCb([this](HostSharedPtr, HealthTransition) -> void { if (pending_initialize_health_checks_ > 0 && --pending_initialize_health_checks_ == 0) { 
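Review bot: In the @@ -496 hunk `onPreInitComplete` now calls `sds_init_manager_.initialize(...)` before the "Protect against multiple calls" guard, which has moved into `onSdsInitDone`; if `onPreInitComplete` can run more than once (the guard's existence suggests it can), `initialize` is re-entered on the same init manager on every call and its callback fires again each time. The call needs its own gate, e.g. `if (sds_init_started_) { return; } sds_init_started_ = true;` ahead of `sds_init_manager_.initialize(...)`, or a documented guarantee that `initialize` is idempotent. The `[this]` capture is only safe if the init manager, and any target it hands the callback to, can never invoke it after this cluster is destroyed; worth a comment at the call site. The health-check callback at the end of the @@ -507 hunk continues outside the hunk.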
diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 7a4db72d7bb4..bb25362d7e5f 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -477,12 +477,19 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable Date: Mon, 9 Jul 2018 15:19:35 -0700 Subject: [PATCH 37/55] Refactor Signed-off-by: JimmyCYJ --- source/common/upstream/upstream_impl.cc | 1 - source/common/upstream/upstream_impl.h | 10 +++--- source/server/BUILD | 8 +++++ source/server/transport_socket_config_impl.h | 38 ++++++++++++++++++++ 4 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 source/server/transport_socket_config_impl.h diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 9b6975d03e5a..1a569405a24a 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -293,7 +293,6 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, cluster_socket_options_(parseClusterSocketOptions(config, bind_config)), drain_connections_on_host_removal_(config.drain_connections_on_host_removal()), secret_manager_(secret_manager), init_manager_(init_manager) { - // If the cluster doesn't have a transport socket configured, override with the default transport // socket implementation based on the tls_context. We copy by value first then override if // necessary. diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index bb25362d7e5f..a2827936160b 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -39,6 +39,7 @@ #include "common/upstream/outlier_detection_impl.h" #include "common/upstream/resource_manager_impl.h" +#include "server/transport_socket_config_impl.h" #include "server/init_manager_impl.h" namespace Envoy { 
@@ -310,8 +311,7 @@ class PrioritySetImpl : public PrioritySet { /** * Implementation of ClusterInfo that reads from JSON. */ -class ClusterInfoImpl : public ClusterInfo, - public Server::Configuration::TransportSocketFactoryContext { +class ClusterInfoImpl : public ClusterInfo { public: ClusterInfoImpl(const envoy::api::v2::Cluster& config, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, @@ -412,6 +412,7 @@ class ClusterInfoImpl : public ClusterInfo, const bool drain_connections_on_host_removal_; Secret::SecretManager& secret_manager_; Init::Manager& init_manager_; + Server::Configuration::TransportSocketFactoryContext factory_context_; }; /** @@ -477,8 +478,9 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable Date: Mon, 9 Jul 2018 17:49:17 -0700 Subject: [PATCH 38/55] Introduce TransportSocketFactoryContextImpl and refactor. Signed-off-by: JimmyCYJ --- source/common/upstream/BUILD | 2 +- source/common/upstream/upstream_impl.cc | 18 ++++++++++++------ source/common/upstream/upstream_impl.h | 18 ++++-------------- source/server/BUILD | 2 +- source/server/init_manager_impl.h | 3 +++ source/server/listener_manager_impl.cc | 11 +++++++---- source/server/listener_manager_impl.h | 9 ++------- source/server/transport_socket_config_impl.h | 7 +++---- 8 files changed, 33 insertions(+), 37 deletions(-) diff --git a/source/common/upstream/BUILD b/source/common/upstream/BUILD index 99067e70067d..094fe6e9ef81 100644 --- a/source/common/upstream/BUILD +++ b/source/common/upstream/BUILD @@ -376,7 +376,6 @@ envoy_cc_library( "//include/envoy/local_info:local_info_interface", "//include/envoy/network:dns_interface", "//include/envoy/runtime:runtime_interface", - "//include/envoy/server:transport_socket_config_interface", "//include/envoy/ssl:context_manager_interface", "//include/envoy/thread_local:thread_local_interface", "//include/envoy/upstream:cluster_manager_interface", 
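Review bot: The @@ -412 hunk adds `Server::Configuration::TransportSocketFactoryContext factory_context_;` as a by-value member while the @@ -310 hunk drops that same type as a base class; `TransportSocketFactoryContext` appears to be the abstract interface (the implementation that appears later in this series derives from it and marks its accessors `override`), so a by-value member of it will not compile and cannot be built from the four dependencies. The member should be the concrete type, `Server::Configuration::TransportSocketFactoryContextImpl factory_context_;`, or better a constructor-local, since it is only needed for the `createTransportSocketFactory` call. The `secret_manager_` and `init_manager_` members left beside it become redundant once the context owns those references. The @@ -477 hunk on this line is cut off in this view.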
@@ -390,6 +389,7 @@ envoy_cc_library( "//source/common/stats:stats_lib", "//source/common/upstream:locality_lib", "//source/server:init_manager_lib", + "//source/server:transport_socket_config_lib", "@envoy_api//envoy/api/v2/core:base_cc", "@envoy_api//envoy/api/v2/endpoint:endpoint_cc", ], diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 1a569405a24a..239dc480a8d5 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -287,12 +287,12 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, maintenance_mode_runtime_key_(fmt::format("upstream.maintenance_mode.{}", name_)), source_address_(getSourceAddress(config, bind_config)), lb_ring_hash_config_(envoy::api::v2::Cluster::RingHashLbConfig(config.ring_hash_lb_config())), - ssl_context_manager_(ssl_context_manager), added_via_api_(added_via_api), + added_via_api_(added_via_api), lb_subset_(LoadBalancerSubsetInfoImpl(config.lb_subset_config())), metadata_(config.metadata()), common_lb_config_(config.common_lb_config()), cluster_socket_options_(parseClusterSocketOptions(config, bind_config)), drain_connections_on_host_removal_(config.drain_connections_on_host_removal()), - secret_manager_(secret_manager), init_manager_(init_manager) { + factory_context_(ssl_context_manager, *stats_scope_, secret_manager, init_manager) { // If the cluster doesn't have a transport socket configured, override with the default transport // socket implementation based on the tls_context. We copy by value first then override if // necessary. 
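Review bot: `factory_context_(ssl_context_manager, *stats_scope_, secret_manager, init_manager)` in the @@ -287 hunk dereferences `stats_scope_` inside the mem-initializer list, so it is correct only because `factory_context_` is declared after `stats_scope_` in the class; that ordering is now load-bearing and deserves a comment next to the member, e.g. `// Must be declared after stats_scope_: initialised from it.` The context also keeps `init_manager` as a stored reference for the lifetime of the `ClusterInfoImpl`, which is longer than a cluster's SDS init manager necessarily lives; a constructor-local context would avoid that coupling. The rest of the constructor body is outside the hunk.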
@@ -311,7 +311,8 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config,
           Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name());
   ProtobufTypes::MessagePtr message =
       Config::Utility::translateToFactoryConfig(transport_socket, config_factory);
-  transport_socket_factory_ = config_factory.createTransportSocketFactory(*message, *this);
+  transport_socket_factory_ =
+      config_factory.createTransportSocketFactory(*message, factory_context_);
 
   switch (config.lb_policy()) {
   case envoy::api::v2::Cluster::ROUND_ROBIN:
@@ -439,9 +440,9 @@ ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster,
                                  Runtime::Loader& runtime, Stats::Store& stats,
                                  Ssl::ContextManager& ssl_context_manager,
                                  Secret::SecretManager& secret_manager, bool added_via_api)
-    : runtime_(runtime),
+    : runtime_(runtime), sds_init_manager_(new Server::InitManagerImpl()),
       info_(new ClusterInfoImpl(cluster, bind_config, runtime, stats, ssl_context_manager,
-                                secret_manager, sds_init_manager_, added_via_api)) {
+                                secret_manager, *sds_init_manager_.get(), added_via_api)) {
   // Create the default (empty) priority set before registering callbacks to
   // avoid getting an update the first time it is accessed.
   priority_set_.getOrCreateHostSet(0);
@@ -495,7 +496,12 @@ void ClusterImplBase::initialize(std::function callback) {
 }
 
 void ClusterImplBase::onPreInitComplete() {
-  sds_init_manager_.initialize([this]() { onSdsInitDone(); });
+  if (sds_init_manager_) {
+    sds_init_manager_->initialize([this]() { onSdsInitDone(); });
+    sds_init_manager_.reset();
+  } else {
+    onSdsInitDone();
+  }
 }
 
 void ClusterImplBase::onSdsInitDone() {
diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h
index 239dc480a8d5..2acc9ad0ffed 100644
--- a/source/common/upstream/upstream_impl.h
+++ b/source/common/upstream/upstream_impl.h
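Review bot: `sds_init_manager_.reset()` in the @@ -495 hunk destroys the `InitManagerImpl` that the @@ -439 hunk of the same commit passes as `*sds_init_manager_.get()` into `ClusterInfoImpl`, whose `factory_context_` member keeps it as an `Init::Manager&`; after the reset, any later `initManager()` call through the cluster's context dereferences a dangling reference. Either keep the init manager alive for the cluster's lifetime, or build the factory context as a local inside the `ClusterInfoImpl` constructor so no reference outlives the `createTransportSocketFactory` call. Two smaller points in the constructor hunk: `sds_init_manager_(new Server::InitManagerImpl())` should be `sds_init_manager_(std::make_unique<Server::InitManagerImpl>())`, and `*sds_init_manager_.get()` is just `*sds_init_manager_`. The `[this]` capture also assumes the init manager cannot invoke its callback after this cluster is gone; a comment stating that assumption would help the next reader.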
@@ -19,7 +19,6 @@ #include "envoy/network/dns.h" #include "envoy/runtime/runtime.h" #include "envoy/secret/secret_manager.h" -#include "envoy/server/transport_socket_config.h" #include "envoy/ssl/context_manager.h" #include "envoy/thread_local/thread_local.h" #include "envoy/upstream/cluster_manager.h" @@ -39,8 +38,8 @@ #include "common/upstream/outlier_detection_impl.h" #include "common/upstream/resource_manager_impl.h" -#include "server/transport_socket_config_impl.h" #include "server/init_manager_impl.h" +#include "server/transport_socket_config_impl.h" namespace Envoy { namespace Upstream { @@ -358,19 +357,12 @@ class ClusterInfoImpl : public ClusterInfo { const LoadBalancerSubsetInfo& lbSubsetInfo() const override { return lb_subset_; } const envoy::api::v2::core::Metadata& metadata() const override { return metadata_; } - // Server::Configuration::TransportSocketFactoryContext - Ssl::ContextManager& sslContextManager() override { return ssl_context_manager_; } - const Network::ConnectionSocket::OptionsSharedPtr& clusterSocketOptions() const override { return cluster_socket_options_; }; bool drainConnectionsOnHostRemoval() const override { return drain_connections_on_host_removal_; } - Secret::SecretManager& secretManager() override { return secret_manager_; } - - Init::Manager& initManager() override { return init_manager_; } - private: struct ResourceManagers { ResourceManagers(const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, 
@@ -403,16 +395,13 @@ class ClusterInfoImpl : public ClusterInfo { const Network::Address::InstanceConstSharedPtr source_address_; LoadBalancerType lb_type_; absl::optional lb_ring_hash_config_; - Ssl::ContextManager& ssl_context_manager_; const bool added_via_api_; LoadBalancerSubsetInfoImpl lb_subset_; const envoy::api::v2::core::Metadata metadata_; const envoy::api::v2::Cluster::CommonLbConfig common_lb_config_; const Network::ConnectionSocket::OptionsSharedPtr cluster_socket_options_; const bool drain_connections_on_host_removal_; - Secret::SecretManager& secret_manager_; - Init::Manager& init_manager_; - Server::Configuration::TransportSocketFactoryContext factory_context_; + Server::Configuration::TransportSocketFactoryContextImpl factory_context_; }; /** @@ -491,8 +480,9 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable +#include #include "envoy/init/init.h" @@ -27,5 +28,7 @@ class InitManagerImpl : public Init::Manager { std::function callback_; }; +typedef std::unique_ptr InitManagerImplPtr; + } // namespace Server } // namespace Envoy diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index f27081dac374..0661a29868ad 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc @@ -129,7 +129,9 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, const std::st listener_tag_(parent_.factory_.nextListenerTag()), name_(name), modifiable_(modifiable), workers_started_(workers_started), hash_(hash), local_drain_manager_(parent.factory_.createDrainManager(config.drain_type())), - config_(config), version_info_(version_info) { + config_(config), version_info_(version_info), + factory_context_(parent_.server_.sslContextManager(), *listener_scope_, + parent_.server_.secretManager(), initManager()) { if (config.has_transparent()) { addListenSocketOptions(Network::SocketOptionFactory::buildIpTransparentOptions()); } 
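Review bot: `factory_context_(parent_.server_.sslContextManager(), *listener_scope_, parent_.server_.secretManager(), initManager())` in the `ListenerImpl` mem-initializer list (@@ -129 hunk) calls a member function and dereferences `listener_scope_` before the constructor body runs, so it is only correct if `listener_scope_` and whatever `initManager()` returns are declared, and therefore initialised, before `factory_context_`. The header hunk places `factory_context_` last, which is presumably why it works, but that ordering is now load-bearing and deserves a comment beside the member, e.g. `// Declared last on purpose: constructed from listener_scope_ and the init manager.` Because the context is only consumed by the `createTransportSocketFactory` calls in the constructor body, a constructor-local would remove both the ordering dependency and the long-lived `Init::Manager&`. The @@ -491 hunk on this line is garbled and cut off in this view.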
@@ -233,9 +235,10 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, const std::st filter_chain_match.application_protocols().begin(), filter_chain_match.application_protocols().end()); - addFilterChain(server_names, filter_chain_match.transport_protocol(), application_protocols, - config_factory.createTransportSocketFactory(*message, *this, server_names), - parent_.factory_.createNetworkFilterFactoryList(filter_chain.filters(), *this)); + addFilterChain( + server_names, filter_chain_match.transport_protocol(), application_protocols, + config_factory.createTransportSocketFactory(*message, factory_context_, server_names), + parent_.factory_.createNetworkFilterFactoryList(filter_chain.filters(), *this)); need_tls_inspector |= filter_chain_match.transport_protocol() == "tls" || (filter_chain_match.transport_protocol().empty() && diff --git a/source/server/listener_manager_impl.h b/source/server/listener_manager_impl.h index 5349e4c319ce..8c44703e5d66 100644 --- a/source/server/listener_manager_impl.h +++ b/source/server/listener_manager_impl.h @@ -5,13 +5,13 @@ #include "envoy/server/filter_config.h" #include "envoy/server/instance.h" #include "envoy/server/listener_manager.h" -#include "envoy/server/transport_socket_config.h" #include "envoy/server/worker.h" #include "common/common/logger.h" #include "server/init_manager_impl.h" #include "server/lds_api.h" +#include "server/transport_socket_config_impl.h" namespace Envoy { namespace Server { @@ -186,7 +186,6 @@ class ListenerImpl : public Network::ListenerConfig, public Network::DrainDecision, public Network::FilterChainManager, public Network::FilterChainFactory, - public Configuration::TransportSocketFactoryContext, Logger::Loggable { public: /** 
@@ -297,11 +296,6 @@ class ListenerImpl : public Network::ListenerConfig, const std::vector& factories) override; bool createListenerFilterChain(Network::ListenerFilterManager& manager) override; - // Configuration::TransportSocketFactoryContext - Ssl::ContextManager& sslContextManager() override { return parent_.server_.sslContextManager(); } - Stats::Scope& statsScope() const override { return *listener_scope_; } - Secret::SecretManager& secretManager() override { return parent_.server_.secretManager(); } - SystemTime last_updated_; private: @@ -357,6 +351,7 @@ class ListenerImpl : public Network::ListenerConfig, const envoy::api::v2::Listener config_; const std::string version_info_; Network::Socket::OptionsSharedPtr listen_socket_options_; + Server::Configuration::TransportSocketFactoryContextImpl factory_context_; }; class FilterChainImpl : public Network::FilterChain { diff --git a/source/server/transport_socket_config_impl.h b/source/server/transport_socket_config_impl.h index 81dda8f4c293..4ef9df283d10 100644 --- a/source/server/transport_socket_config_impl.h +++ b/source/server/transport_socket_config_impl.h @@ -10,9 +10,8 @@ namespace Configuration { * Implementation of TransportSocketFactoryContext. */ class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { - public: - TransportSocketFactoryContextImpl(Ssl::ContextManager& context_manager, - Stats::Scope& stats_scope, +public: + TransportSocketFactoryContextImpl(Ssl::ContextManager& context_manager, Stats::Scope& stats_scope, Secret::SecretManager& secret_manager, Init::Manager& init_manager) : context_manager_(context_manager), stats_scope_(stats_scope), @@ -26,7 +25,7 @@ class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { Init::Manager& initManager() override { return init_manager_; } - private: +private: Ssl::ContextManager& context_manager_; Stats::Scope& stats_scope_; Secret::SecretManager& secret_manager_; 
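Review bot: `TransportSocketFactoryContextImpl` (@@ -10 hunk) stores every constructor argument as a reference (`context_manager_`, `stats_scope_`, `secret_manager_`, and the `init_manager_` that `initManager()` returns), yet the class comment says only "Implementation of TransportSocketFactoryContext" and nothing about lifetime; elsewhere in this series a cluster keeps such a context as a member while resetting the init manager it references. I'd extend the class comment with: `// Holds references only; each argument must outlive this object. Intended as a short-lived helper around a createTransportSocketFactory call.` The @@ -26 hunk is cut off at the end of this view. Separately, in the listener_manager_impl.h @@ -357 hunk the new member is declared inside `namespace Server`, so the `Server::` qualifier on `Server::Configuration::TransportSocketFactoryContextImpl factory_context_;` is redundant.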
From d5c09a52f29d82d5312ce05585a53dc8e85ded60 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 9 Jul 2018 18:50:31 -0700 Subject: [PATCH 39/55] Revise per comments. Signed-off-by: JimmyCYJ --- source/common/upstream/upstream_impl.cc | 7 ++++--- source/common/upstream/upstream_impl.h | 4 ++-- source/server/listener_manager_impl.cc | 9 +++++---- source/server/listener_manager_impl.h | 1 - 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 239dc480a8d5..dd2883673f21 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -291,8 +291,7 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, lb_subset_(LoadBalancerSubsetInfoImpl(config.lb_subset_config())), metadata_(config.metadata()), common_lb_config_(config.common_lb_config()), cluster_socket_options_(parseClusterSocketOptions(config, bind_config)), - drain_connections_on_host_removal_(config.drain_connections_on_host_removal()), - factory_context_(ssl_context_manager, *stats_scope_, secret_manager, init_manager) { + drain_connections_on_host_removal_(config.drain_connections_on_host_removal()) { // If the cluster doesn't have a transport socket configured, override with the default transport // socket implementation based on the tls_context. We copy by value first then override if // necessary. 
@@ -307,12 +306,14 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, } } + Server::Configuration::TransportSocketFactoryContextImpl factory_context( + ssl_context_manager, *stats_scope_, secret_manager, init_manager); auto& config_factory = Config::Utility::getAndCheckFactory< Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); ProtobufTypes::MessagePtr message = Config::Utility::translateToFactoryConfig(transport_socket, config_factory); transport_socket_factory_ = - config_factory.createTransportSocketFactory(*message, factory_context_); + config_factory.createTransportSocketFactory(*message, factory_context); switch (config.lb_policy()) { case envoy::api::v2::Cluster::ROUND_ROBIN: diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 2acc9ad0ffed..ba5cbc37dd3d 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -401,7 +401,6 @@ class ClusterInfoImpl : public ClusterInfo { const envoy::api::v2::Cluster::CommonLbConfig common_lb_config_; const Network::ConnectionSocket::OptionsSharedPtr cluster_socket_options_; const bool drain_connections_on_host_removal_; - Server::Configuration::TransportSocketFactoryContextImpl factory_context_; }; /** @@ -469,7 +468,8 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable Date: Mon, 9 Jul 2018 18:50:56 -0700 Subject: [PATCH 40/55] fix format. Signed-off-by: JimmyCYJ --- source/server/listener_manager_impl.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index 9ea5fdb1a691..f7f37caa2951 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc 
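Review bot: Making `factory_context` a local in the `ClusterInfoImpl` constructor (@@ -307 hunk) is the right fix for the reference lifetime, but the constraint it enforces is unstated: the `Network::TransportSocketFactory` returned by `createTransportSocketFactory` must not retain a reference to the context, only to the objects the context hands out. I'd say so at the declaration: `// Short-lived: the created factory may keep the managers this context exposes, but never the context itself.` The @@ -469 hunk on this line is garbled and cut off in this view.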
@@ -234,8 +234,8 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, const std::st filter_chain_match.application_protocols().end()); Server::Configuration::TransportSocketFactoryContextImpl factory_context( - parent_.server_.sslContextManager(), *listener_scope_, - parent_.server_.secretManager(), initManager()); + parent_.server_.sslContextManager(), *listener_scope_, parent_.server_.secretManager(), + initManager()); addFilterChain( server_names, filter_chain_match.transport_protocol(), application_protocols, config_factory.createTransportSocketFactory(*message, factory_context, server_names), From b2acd8d6e90aed6d4bdadfaf32a445d3d388b28a Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 10 Jul 2018 17:15:50 -0700 Subject: [PATCH 41/55] Revise per comment. Signed-off-by: JimmyCYJ --- include/envoy/secret/dynamic_secret_provider.h | 2 -- include/envoy/secret/secret_manager.h | 3 ++- source/common/secret/sds_api.cc | 4 +--- source/common/secret/secret_manager_impl.cc | 8 ++++++++ source/common/upstream/upstream_impl.cc | 12 ++++++------ source/common/upstream/upstream_impl.h | 9 ++++----- 6 files changed, 21 insertions(+), 17 deletions(-) diff --git a/include/envoy/secret/dynamic_secret_provider.h b/include/envoy/secret/dynamic_secret_provider.h index a3ccd2c772f5..60c54c522a2c 100644 --- a/include/envoy/secret/dynamic_secret_provider.h +++ b/include/envoy/secret/dynamic_secret_provider.h @@ -1,7 +1,5 @@ #pragma once -#include - #include "envoy/ssl/tls_certificate_config.h" namespace Envoy { diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index d76578667fad..d29343cdc605 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h 
@@ -35,7 +35,8 @@ class SecretManager { * if such provider does not exist. * * @param config_source a protobuf message object contains SDS config source. - * @param config_name a name that uniquely refers to the SDS config source + * @param config_name a name that uniquely refers to the SDS config source. + * @param init_manager an init manager that is responsible for initializing newly created secret provider. * @return the dynamic tls certificate secret provider. */ virtual DynamicTlsCertificateSecretProviderSharedPtr diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 40c94aebca5b..ec1904a66e86 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -34,9 +34,7 @@ void SdsApi::initialize(std::function callback) { void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) { if (resources.empty()) { - ENVOY_LOG(debug, "Missing SDS resources for {} in onConfigUpdate()", sds_config_name_); - runInitializeCallbackIfAny(); - return; + throw EnvoyException(fmt::format("Missing SDS resources for {} in onConfigUpdate()", sds_config_name_)); } if (resources.size() != 1) { throw EnvoyException(fmt::format("Unexpected SDS secrets length: {}", resources.size())); diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index dc983b7d55ad..0aeac5942c1e 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -40,6 +40,14 @@ SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( dynamic_secret_providers_[map_key] = dynamic_secret_provider; } + for (auto it = dynamic_secret_providers_.begin(); it != dynamic_secret_providers_.end(); ) { + if (!it->second.lock()) { + it = dynamic_secret_providers_.erase(it); + } else { + ++it; + } + } + return dynamic_secret_provider; } 
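Review bot: Throwing from `SdsApi::onConfigUpdate` on an empty resource set replaces the path that ran the initialize callback, so whether the SDS init target ever completes now depends on the caller: if the subscription converts the exception into `onConfigUpdateFailed` and that handler (outside this hunk) calls `runInitializeCallbackIfAny()`, initialization proceeds, otherwise a server whose SDS response is empty stalls in init instead of starting without the secret. Rejecting the empty update does have the right safety property, since a previously delivered certificate is kept rather than silently treated as removed, and that intent is worth stating at the throw: `// An empty update is rejected so a previously delivered secret is never implicitly dropped.`. The enclosing function continues outside this hunk.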
diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index dd2883673f21..c3026412a0dc 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -441,9 +441,9 @@ ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, Secret::SecretManager& secret_manager, bool added_via_api) - : runtime_(runtime), sds_init_manager_(new Server::InitManagerImpl()), + : runtime_(runtime), init_manager_(new Server::InitManagerImpl()), info_(new ClusterInfoImpl(cluster, bind_config, runtime, stats, ssl_context_manager, - secret_manager, *sds_init_manager_.get(), added_via_api)) { + secret_manager, *init_manager_.get(), added_via_api)) { // Create the default (empty) priority set before registering callbacks to // avoid getting an update the first time it is accessed. priority_set_.getOrCreateHostSet(0); @@ -497,15 +497,15 @@ void ClusterImplBase::initialize(std::function callback) { } void ClusterImplBase::onPreInitComplete() { - if (sds_init_manager_) { - sds_init_manager_->initialize([this]() { onSdsInitDone(); }); - sds_init_manager_.reset(); + if (init_manager_) { + init_manager_->initialize([this]() { onInitDone(); }); + init_manager_.reset(); } else { onSdsInitDone(); } } -void ClusterImplBase::onSdsInitDone() { +void ClusterImplBase::onInitDone() { // Protect against multiple calls. if (initialization_started_) { return; diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index ba5cbc37dd3d..3f027a10af0e 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -467,9 +467,9 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable Date: Wed, 11 Jul 2018 15:39:50 -0700 Subject: [PATCH 42/55] revise per comments. 
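Review bot: In `onPreInitComplete` the else branch still calls `onSdsInitDone()` although the definition below is renamed to `onInitDone()`; unless a declaration of `onSdsInitDone` survives in the header (that hunk is not legible in this view) this does not compile, and if one does, the two branches now reach different functions, so the line should read `onInitDone();`. Separately, `init_manager_.reset()` immediately after `init_manager_->initialize(...)` destroys the init manager while any registered target that completes asynchronously, such as an SDS fetch, may still hold a callback into it; if targets can complete later, the manager has to stay alive until `onInitDone` has run. The same `init_manager_` rename also appears in the `@@ -441` hunk above.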
Signed-off-by: JimmyCYJ --- include/envoy/secret/secret_manager.h | 3 +- include/envoy/ssl/context_config.h | 5 ++ source/common/secret/BUILD | 1 - source/common/secret/sds_api.cc | 3 +- source/common/secret/sds_api.h | 3 +- source/common/secret/secret_manager_impl.cc | 2 +- source/common/ssl/context_config_impl.h | 5 ++ source/common/ssl/context_manager_impl.cc | 8 ++ source/common/upstream/upstream_impl.cc | 94 +++++++++++---------- source/common/upstream/upstream_impl.h | 18 ++-- source/server/init_manager_impl.h | 2 - test/common/secret/sds_api_test.cc | 5 +- test/common/ssl/context_impl_test.cc | 4 + 13 files changed, 92 insertions(+), 61 deletions(-) diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index d29343cdc605..44ebcc1501b4 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h @@ -36,7 +36,8 @@ class SecretManager { * * @param config_source a protobuf message object contains SDS config source. * @param config_name a name that uniquely refers to the SDS config source. - * @param init_manager an init manager that is responsible for initializing newly created secret provider. + * @param init_manager an init manager that is responsible for initializing newly created secret + * provider. * @return the dynamic tls certificate secret provider. */ virtual DynamicTlsCertificateSecretProviderSharedPtr diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index a56a89e903e6..966498ffe02c 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -111,6 +111,11 @@ class ContextConfig { * @return The maximum TLS protocol version to negotiate. */ virtual unsigned maxProtocolVersion() const PURE; + + /** + * @return true of the config is valid. + */ + virtual bool isValid() const PURE; }; class ClientContextConfig : public virtual ContextConfig { 
diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 9752f47ba02d..56f87a5f605d 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -30,7 +30,6 @@ envoy_cc_library( "//include/envoy/config:subscription_interface", "//include/envoy/init:init_interface", "//include/envoy/server:instance_interface", - "//source/common/common:minimal_logger_lib", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", "//source/common/protobuf:utility_lib", diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index ec1904a66e86..be92ba1243b6 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -34,7 +34,8 @@ void SdsApi::initialize(std::function callback) { void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) { if (resources.empty()) { - throw EnvoyException(fmt::format("Missing SDS resources for {} in onConfigUpdate()", sds_config_name_)); + throw EnvoyException( + fmt::format("Missing SDS resources for {} in onConfigUpdate()", sds_config_name_)); } if (resources.size() != 1) { throw EnvoyException(fmt::format("Unexpected SDS secrets length: {}", resources.size())); diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 8114c6e66cef..6fb4403f651f 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -16,8 +16,7 @@ namespace Secret { */ class SdsApi : public Init::Target, public DynamicTlsCertificateSecretProvider, - public Config::SubscriptionCallbacks, - public Logger::Loggable { + public Config::SubscriptionCallbacks { public: SdsApi(Server::Instance& server, Init::Manager& init_manager, const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name); diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 0aeac5942c1e..0e919989187c 100644 --- a/source/common/secret/secret_manager_impl.cc 
+++ b/source/common/secret/secret_manager_impl.cc @@ -40,7 +40,7 @@ SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( dynamic_secret_providers_[map_key] = dynamic_secret_provider; } - for (auto it = dynamic_secret_providers_.begin(); it != dynamic_secret_providers_.end(); ) { + for (auto it = dynamic_secret_providers_.begin(); it != dynamic_secret_providers_.end();) { if (!it->second.lock()) { it = dynamic_secret_providers_.erase(it); } else { diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index eebda2b22be8..805df64b026b 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -55,6 +55,11 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { unsigned minProtocolVersion() const override { return min_protocol_version_; }; unsigned maxProtocolVersion() const override { return max_protocol_version_; }; + bool isValid() const override { + // either secret_provider_ is nullptr or secret_provider_->secret() is NOT nullptr. + return !secret_provider_ || secret_provider_->secret(); + } + protected: ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, Secret::SecretManager& secret_manager, Init::Manager& init_manager); diff --git a/source/common/ssl/context_manager_impl.cc b/source/common/ssl/context_manager_impl.cc index 1c54c2f01865..ae38b005e783 100644 --- a/source/common/ssl/context_manager_impl.cc +++ b/source/common/ssl/context_manager_impl.cc @@ -22,6 +22,10 @@ void ContextManagerImpl::releaseContext(Context* context) { ClientContextPtr ContextManagerImpl::createSslClientContext(Stats::Scope& scope, const ClientContextConfig& config) { + if (!config.isValid()) { + return nullptr; + } + ClientContextPtr context(new ClientContextImpl(*this, scope, config)); std::unique_lock lock(contexts_lock_); contexts_.emplace_back(context.get()); 
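Review bot: `createSslClientContext` now returns `nullptr` without any diagnostic when `config.isValid()` is false, and the one consumer visible on this page, `ClientSslSocketFactory`, stores that result in its constructor and dereferences it in `createTransportSocket()`, so in this commit a cluster whose SDS secret has not arrived yet goes from "invalid config" straight to a null dereference; callers must be made null-safe in the same change, and a log line or counter on `scope` naming the reason would make a missing secret diagnosable. `isValid()` also reads `secret_provider_->secret()` at one instant while `ClientContextImpl` reads the config again afterwards, so if the provider can be updated between the two, the constructor can still observe an empty certificate; worth confirming both happen on the main thread, and a comment such as `// Returns nullptr when the SDS secret is not yet available; callers must handle it.` belongs on both factory methods. The same applies to `createSslServerContext` in the next hunk.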
@@ -31,6 +35,10 @@ ClientContextPtr ContextManagerImpl::createSslClientContext(Stats::Scope& scope, ServerContextPtr ContextManagerImpl::createSslServerContext(Stats::Scope& scope, const ServerContextConfig& config, const std::vector& server_names) { + if (!config.isValid()) { + return nullptr; + } + ServerContextPtr context(new ServerContextImpl(*this, scope, config, server_names, runtime_)); std::unique_lock lock(contexts_lock_); contexts_.emplace_back(context.get()); diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index c3026412a0dc..f3b6915181b7 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -265,10 +265,9 @@ ClusterLoadReportStats ClusterInfoImpl::generateLoadReportStats(Stats::Scope& sc ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, const envoy::api::v2::core::BindConfig& bind_config, - Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, - Secret::SecretManager& secret_manager, Init::Manager& init_manager, - bool added_via_api) + Runtime::Loader& runtime, + Network::TransportSocketFactoryPtr socket_factory, + Stats::Scope* stats_scope, bool added_via_api) : runtime_(runtime), name_(config.name()), type_(config.type()), max_requests_per_connection_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, max_requests_per_connection, 0)), 
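Review bot: The new `Stats::Scope* stats_scope` parameter of `ClusterInfoImpl` transfers ownership through a raw pointer: the next hunk stores it into the owning `Stats::ScopePtr stats_scope_` member with `stats_scope_(stats_scope)`, and the caller hands it over with `stats_scope_.release()`. Taking `Stats::ScopePtr stats_scope` by value and initializing with `stats_scope_(std::move(stats_scope))` makes the transfer explicit in the signature and removes the possibility of a caller dereferencing a pointer it has already released. The socket factory is already passed as an owning `TransportSocketFactoryPtr`, so the two parameters would then read consistently; the constructor continues in the following hunks.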
@@ -276,12 +275,9 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, std::chrono::milliseconds(PROTOBUF_GET_MS_REQUIRED(config, connect_timeout))), per_connection_buffer_limit_bytes_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, per_connection_buffer_limit_bytes, 1024 * 1024)), - stats_scope_(stats.createScope(fmt::format( - "cluster.{}.", - config.alt_stat_name().empty() ? name_ : std::string(config.alt_stat_name())))), - stats_(generateStats(*stats_scope_)), load_report_stats_(generateLoadReportStats(load_report_stats_store_)), - features_(parseFeatures(config)), + transport_socket_factory_(std::move(socket_factory)), stats_scope_(stats_scope), + stats_(generateStats(*stats_scope_)), features_(parseFeatures(config)), http2_settings_(Http::Utility::parseHttp2Settings(config.http2_protocol_options())), resource_managers_(config, runtime, name_), maintenance_mode_runtime_key_(fmt::format("upstream.maintenance_mode.{}", name_)), 
@@ -292,29 +288,6 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, metadata_(config.metadata()), common_lb_config_(config.common_lb_config()), cluster_socket_options_(parseClusterSocketOptions(config, bind_config)), drain_connections_on_host_removal_(config.drain_connections_on_host_removal()) { - // If the cluster doesn't have a transport socket configured, override with the default transport - // socket implementation based on the tls_context. We copy by value first then override if - // necessary. - auto transport_socket = config.transport_socket(); - if (!config.has_transport_socket()) { - if (config.has_tls_context()) { - transport_socket.set_name(Extensions::TransportSockets::TransportSocketNames::get().TLS); - MessageUtil::jsonConvert(config.tls_context(), *transport_socket.mutable_config()); - } else { - transport_socket.set_name( - Extensions::TransportSockets::TransportSocketNames::get().RAW_BUFFER); - } - } - - Server::Configuration::TransportSocketFactoryContextImpl factory_context( - ssl_context_manager, *stats_scope_, secret_manager, init_manager); - auto& config_factory = Config::Utility::getAndCheckFactory< - Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); - ProtobufTypes::MessagePtr message = - Config::Utility::translateToFactoryConfig(transport_socket, config_factory); - transport_socket_factory_ = - config_factory.createTransportSocketFactory(*message, factory_context); - switch (config.lb_policy()) { case envoy::api::v2::Cluster::ROUND_ROBIN: lb_type_ = LoadBalancerType::RoundRobin; 
@@ -436,14 +409,52 @@ ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster, return std::move(new_cluster); } +Stats::ScopePtr ClusterImplBase::generateStatsScope(const envoy::api::v2::Cluster& config, + Stats::Store& stats) { + return stats.createScope(fmt::format("cluster.{}.", config.alt_stat_name().empty() + ? config.name() + : std::string(config.alt_stat_name()))); +} + +Network::TransportSocketFactoryPtr ClusterImplBase::createTransportSocketFactory( + const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, + Ssl::ContextManager& ssl_context_manager, Secret::SecretManager& secret_manager, + Init::Manager& init_manager) { + // If the cluster config doesn't have a transport socket configured, override with the default + // transport socket implementation based on the tls_context. We copy by value first then override + // if necessary. + auto transport_socket = config.transport_socket(); + if (!config.has_transport_socket()) { + if (config.has_tls_context()) { + transport_socket.set_name(Extensions::TransportSockets::TransportSocketNames::get().TLS); + MessageUtil::jsonConvert(config.tls_context(), *transport_socket.mutable_config()); + } else { + transport_socket.set_name( + Extensions::TransportSockets::TransportSocketNames::get().RAW_BUFFER); + } + } + + Server::Configuration::TransportSocketFactoryContextImpl factory_context( + ssl_context_manager, stats_scope, secret_manager, init_manager); + auto& config_factory = Config::Utility::getAndCheckFactory< + Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); + ProtobufTypes::MessagePtr message = + Config::Utility::translateToFactoryConfig(transport_socket, config_factory); + + return config_factory.createTransportSocketFactory(*message, factory_context); +} + ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, Stats::Store& stats, 
Ssl::ContextManager& ssl_context_manager, Secret::SecretManager& secret_manager, bool added_via_api) - : runtime_(runtime), init_manager_(new Server::InitManagerImpl()), - info_(new ClusterInfoImpl(cluster, bind_config, runtime, stats, ssl_context_manager, - secret_manager, *init_manager_.get(), added_via_api)) { + : runtime_(runtime), stats_scope_(generateStatsScope(cluster, stats)), + info_(new ClusterInfoImpl(cluster, bind_config, runtime, + createTransportSocketFactory(cluster, *stats_scope_.get(), + ssl_context_manager, secret_manager, + init_manager_), + stats_scope_.release(), added_via_api)) { // Create the default (empty) priority set before registering callbacks to // avoid getting an update the first time it is accessed. priority_set_.getOrCreateHostSet(0); @@ -497,21 +508,16 @@ void ClusterImplBase::initialize(std::function callback) { } void ClusterImplBase::onPreInitComplete() { - if (init_manager_) { - init_manager_->initialize([this]() { onInitDone(); }); - init_manager_.reset(); - } else { - onSdsInitDone(); - } -} - -void ClusterImplBase::onInitDone() { // Protect against multiple calls. if (initialization_started_) { return; } initialization_started_ = true; + init_manager_.initialize([this]() { onInitDone(); }); +} + +void ClusterImplBase::onInitDone() { if (health_checker_ && pending_initialize_health_checks_ == 0) { for (auto& host_set : prioritySet().hostSetsPerPriority()) { pending_initialize_health_checks_ += host_set->hosts().size(); diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 3f027a10af0e..cac63ab4e0dd 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h 
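Review bot: In the `ClusterImplBase` constructor the `info_` initializer passes both `*stats_scope_.get()` and `stats_scope_.release()` as arguments of the same `new ClusterInfoImpl(...)` expression; C++ leaves the evaluation order of function arguments unspecified, so `release()` can run first and the dereference then hits a null pointer. The two need explicit sequencing, for example by building the transport socket factory in a private helper that takes the `Stats::ScopePtr`, uses `*scope` to create the factory, and only then hands the scope to `ClusterInfoImpl`, or by letting `ClusterInfoImpl` receive the `Stats::ScopePtr` by value and create the factory from a reference obtained before the move. `init_manager_` is also passed by reference while `info_` is being initialized; if it is declared after `info_` in the class (the header hunk is not legible here) the reference names a member that is not constructed yet, which matters if `createTransportSocketFactory` or the secret provider touches it during construction.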
@@ -314,8 +314,7 @@ class ClusterInfoImpl : public ClusterInfo { public: ClusterInfoImpl(const envoy::api::v2::Cluster& config, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - Secret::SecretManager& secret_manager, Init::Manager& init_manager, + Network::TransportSocketFactoryPtr socket_factory, Stats::Scope* stats_scope, bool added_via_api); static ClusterStats generateStats(Stats::Scope& scope); @@ -383,11 +382,11 @@ class ClusterInfoImpl : public ClusterInfo { const std::chrono::milliseconds connect_timeout_; absl::optional idle_timeout_; const uint32_t per_connection_buffer_limit_bytes_; - Stats::ScopePtr stats_scope_; - mutable ClusterStats stats_; Stats::IsolatedStoreImpl load_report_stats_store_; mutable ClusterLoadReportStats load_report_stats_; Network::TransportSocketFactoryPtr transport_socket_factory_; + Stats::ScopePtr stats_scope_; + mutable ClusterStats stats_; const uint64_t features_; const Http::Http2Settings http2_settings_; mutable ResourceManagers resource_managers_; @@ -468,8 +467,7 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable callback_; }; -typedef std::unique_ptr InitManagerImplPtr; - } // namespace Server } // namespace Envoy diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index d82b50e2ecdf..dbb42844624d 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc @@ -91,8 +91,9 @@ TEST_F(SdsApiTest, EmptyResource) { SdsApi sds_api(server, init_manager, config_source, "abc.com"); Protobuf::RepeatedPtrField secret_resources; - sds_api.onConfigUpdate(secret_resources, ""); - EXPECT_EQ(nullptr, sds_api.secret()); + + EXPECT_THROW_WITH_MESSAGE(sds_api.onConfigUpdate(secret_resources, ""), EnvoyException, + "Missing SDS resources for abc.com in onConfigUpdate()"); } TEST_F(SdsApiTest, SecretUpdateWrongSize) { 
diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index b6547453acda..ccf9e2368e92 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -458,6 +458,8 @@ TEST(ClientContextConfigImplTest, SdsConfig) { sds_secret_configs->mutable_sds_config(); ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); + // When sds secret is not downloaded, config is not valid. + EXPECT_FALSE(client_context_config.isValid()); EXPECT_EQ("", client_context_config.certChain()); EXPECT_EQ("", client_context_config.privateKey()); @@ -586,6 +588,8 @@ TEST(ServerContextConfigImplTest, SdsConfig) { sds_secret_configs->mutable_sds_config(); ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager); + // When sds secret is not downloaded, config is not valid. + EXPECT_FALSE(server_context_config.isValid()); EXPECT_EQ("", server_context_config.certChain()); EXPECT_EQ("", server_context_config.privateKey()); From caa2b85a2217bf059b5914bf39d5c1f1d3a868d6 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 11 Jul 2018 17:17:42 -0700 Subject: [PATCH 43/55] Revise per comments. Signed-off-by: JimmyCYJ --- source/common/secret/secret_manager_impl.cc | 18 ++++++----- source/common/secret/secret_manager_impl.h | 2 ++ source/common/ssl/context_config_impl.h | 2 ++ source/common/ssl/ssl_socket.cc | 6 ++-- source/common/upstream/upstream_impl.cc | 9 ++++-- source/server/connection_handler_impl.cc | 8 +++++ .../common/secret/secret_manager_impl_test.cc | 30 ++++++++++--------- 7 files changed, 50 insertions(+), 25 deletions(-) diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 0e919989187c..27dcf416002b 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc 
@@ -26,6 +26,16 @@ SecretManagerImpl::findStaticTlsCertificate(const std::string& name) const { return (secret != static_tls_certificate_secrets_.end()) ? secret->second.get() : nullptr; } +void SecretManagerImpl::removeDeletedSecretProvider() { + for (auto it = dynamic_secret_providers_.begin(); it != dynamic_secret_providers_.end();) { + if (it->second.expired()) { + it = dynamic_secret_providers_.erase(it); + } else { + ++it; + } + } +} + DynamicTlsCertificateSecretProviderSharedPtr SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, @@ -40,13 +50,7 @@ SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( dynamic_secret_providers_[map_key] = dynamic_secret_provider; } - for (auto it = dynamic_secret_providers_.begin(); it != dynamic_secret_providers_.end();) { - if (!it->second.lock()) { - it = dynamic_secret_providers_.erase(it); - } else { - ++it; - } - } + removeDeletedSecretProvider(); return dynamic_secret_provider; } diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 744977436cdb..10fd42f1c701 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -24,6 +24,8 @@ class SecretManagerImpl : public SecretManager, Logger::Loggablesecret() is NOT nullptr. return !secret_provider_ || secret_provider_->secret(); diff --git a/source/common/ssl/ssl_socket.cc b/source/common/ssl/ssl_socket.cc index b433358f1653..d79f3307a7b5 100644 --- a/source/common/ssl/ssl_socket.cc +++ b/source/common/ssl/ssl_socket.cc 
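Review bot: `removeDeletedSecretProvider` erases from `dynamic_secret_providers_` while iterating with no lock in sight, and the insertion above it in `findOrCreateDynamicTlsCertificateSecretProvider` is equally unguarded; if the secret manager is only ever driven from the main thread a comment on the method should say so, e.g. `// Main thread only: drops map entries whose provider has already been destroyed.`, otherwise this needs the same mutex as the lookup. The sweep runs only when a provider is created, so expired entries linger until the next creation, which is acceptable for a map keyed by config source but worth stating in the same comment. The name is singular while the loop removes every expired entry; `removeDeletedSecretProviders` describes it better.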
@@ -379,7 +379,8 @@ ClientSslSocketFactory::ClientSslSocketFactory(const ClientContextConfig& config : ssl_ctx_(manager.createSslClientContext(stats_scope, config)) {} Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() const { - return std::make_unique(*ssl_ctx_, Ssl::InitialState::Client); + return ssl_ctx_ ? std::make_unique(*ssl_ctx_, Ssl::InitialState::Client) + : nullptr; } bool ClientSslSocketFactory::implementsSecureTransport() const { return true; } @@ -391,7 +392,8 @@ ServerSslSocketFactory::ServerSslSocketFactory(const ServerContextConfig& config : ssl_ctx_(manager.createSslServerContext(stats_scope, config, server_names)) {} Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() const { - return std::make_unique(*ssl_ctx_, Ssl::InitialState::Server); + return ssl_ctx_ ? std::make_unique(*ssl_ctx_, Ssl::InitialState::Server) + : nullptr; } bool ServerSslSocketFactory::implementsSecureTransport() const { return true; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index f3b6915181b7..91d4dab7e05b 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -141,9 +141,14 @@ HostImpl::createConnection(Event::Dispatcher& dispatcher, const ClusterInfo& clu connection_options = options; } + auto transport_socket = cluster.transportSocketFactory().createTransportSocket(); + if (!transport_socket) { + // TODO(JimmyCYJ) update stats. + return nullptr; + } + Network::ClientConnectionPtr connection = dispatcher.createClientConnection( - address, cluster.sourceAddress(), cluster.transportSocketFactory().createTransportSocket(), - connection_options); + address, cluster.sourceAddress(), std::move(transport_socket), connection_options); connection->setBufferLimits(cluster.perConnectionBufferLimitBytes()); return connection; } 
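Review bot: `ClientSslSocketFactory` stores the result of `createSslClientContext` once, in its constructor (the context line above the hunk), so if the SDS secret has not arrived at that moment `ssl_ctx_` stays null for the life of the factory and `createTransportSocket()` returns `nullptr` on every call; nothing in this commit rebuilds the context when the secret is later delivered. If cluster and listener initialization are gated on the init manager so this cannot happen in practice, the early return should say so, `// ssl_ctx_ is null only if the SDS secret was missing at construction; init gating is expected to prevent this.`; if it can happen, the factory needs a way to retry context creation, because otherwise the affected cluster or listener can never serve TLS. The same holds for `ServerSslSocketFactory` in the second hunk and for the listener-side check in connection_handler_impl.cc below.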
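Review bot: `HostImpl::createConnection` can now return a null `ClientConnectionPtr`, a new contract for a function whose callers (connection pools, health checkers) are not in this diff and could previously assume a non-null result; each call site needs a null check, or the condition this guard handles simply moves to a null dereference one frame up. Either audit and guard the callers in this commit or keep the contract and fail the connection in a form callers already handle. A comment on the declaration is needed either way, e.g. `// Returns nullptr when the cluster's transport socket factory cannot yet create a socket (e.g. SDS secret not received).`; the enclosing function starts before this hunk.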
diff --git a/source/server/connection_handler_impl.cc b/source/server/connection_handler_impl.cc index 854180cd4914..10eb00667665 100644 --- a/source/server/connection_handler_impl.cc +++ b/source/server/connection_handler_impl.cc @@ -196,6 +196,14 @@ void ConnectionHandlerImpl::ActiveListener::newConnection(Network::ConnectionSoc } auto transport_socket = filter_chain->transportSocketFactory().createTransportSocket(); + if (!transport_socket) { + ENVOY_LOG_TO_LOGGER(parent_.logger_, debug, + "closing connection: transport socket was not created yet"); + // TODO(JimmyCYJ) update stats. + socket->close(); + return; + } + Network::ConnectionPtr new_connection = parent_.dispatcher_.createServerConnection(std::move(socket), std::move(transport_socket)); new_connection->setBufferLimits(config_.perConnectionBufferLimitBytes()); diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index 09f0e5f05458..403d509beb15 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -68,11 +68,12 @@ TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { MockServer server; NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - auto secret_provider = server.secretManager().findOrCreateDynamicTlsCertificateSecretProvider( - config_source, "abc.com", init_manager); + { + auto secret_provider = server.secretManager().findOrCreateDynamicTlsCertificateSecretProvider( + config_source, "abc.com", init_manager); - std::string yaml = - R"EOF( + std::string yaml = + R"EOF( name: "abc.com" tls_certificate: certificate_chain: 
@@ -81,18 +82,19 @@ name: "abc.com" filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" )EOF"; - Protobuf::RepeatedPtrField secret_resources; - auto secret_config = secret_resources.Add(); - MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); - std::dynamic_pointer_cast(secret_provider)->onConfigUpdate(secret_resources, ""); + Protobuf::RepeatedPtrField secret_resources; + auto secret_config = secret_resources.Add(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *secret_config); + std::dynamic_pointer_cast(secret_provider)->onConfigUpdate(secret_resources, ""); - const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; - EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - secret_provider->secret()->certificateChain()); + const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), + secret_provider->secret()->certificateChain()); - const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; - EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - secret_provider->secret()->privateKey()); + const std::string key_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem"; + EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), + secret_provider->secret()->privateKey()); + } } TEST_F(SecretManagerImplTest, NotImplementedException) { From d9ef582a4c4e6cd82b3aafe8928b93e8601fe354 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 11 Jul 2018 17:25:54 -0700 Subject: [PATCH 44/55] Revise per comments. Signed-off-by: JimmyCYJ --- include/envoy/ssl/context_config.h | 3 ++- source/common/ssl/context_config_impl.h | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) 
diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index 966498ffe02c..5c4149726e74 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -113,7 +113,8 @@ class ContextConfig { virtual unsigned maxProtocolVersion() const PURE; /** - * @return true of the config is valid. + * @return true if the config is valid. Only when SDS dynamic secret is needed, but has not been + * downloaded yet, the config is invalid. */ virtual bool isValid() const PURE; }; diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index ebd7ad17d673..805df64b026b 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -55,8 +55,6 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { unsigned minProtocolVersion() const override { return min_protocol_version_; }; unsigned maxProtocolVersion() const override { return max_protocol_version_; }; - // Only when SDS dynamic secret is needed, but has not been downloaded yet, - // the config is invalid. bool isValid() const override { // either secret_provider_ is nullptr or secret_provider_->secret() is NOT nullptr. return !secret_provider_ || secret_provider_->secret(); From 380d4a71beca22d40d5c7ab8d9af64b60235b318 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Thu, 12 Jul 2018 10:01:28 -0700 Subject: [PATCH 45/55] Revise per comments. Signed-off-by: JimmyCYJ --- source/common/upstream/upstream_impl.cc | 36 +++++++++++++----------- source/common/upstream/upstream_impl.h | 10 ++----- source/server/connection_handler_impl.cc | 2 +- 3 files changed, 23 insertions(+), 25 deletions(-) diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 91d4dab7e05b..cfb7b2cce719 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc 
@@ -143,7 +143,7 @@ HostImpl::createConnection(Event::Dispatcher& dispatcher, const ClusterInfo& clu auto transport_socket = cluster.transportSocketFactory().createTransportSocket(); if (!transport_socket) { - // TODO(JimmyCYJ) update stats. + cluster.stats().upstream_cx_connect_fail_.inc(); return nullptr; } @@ -271,8 +271,8 @@ ClusterLoadReportStats ClusterInfoImpl::generateLoadReportStats(Stats::Scope& sc ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, - Network::TransportSocketFactoryPtr socket_factory, - Stats::Scope* stats_scope, bool added_via_api) + Network::TransportSocketFactoryPtr&& socket_factory, + Stats::ScopePtr&& stats_scope, bool added_via_api) : runtime_(runtime), name_(config.name()), type_(config.type()), max_requests_per_connection_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, max_requests_per_connection, 0)), @@ -281,7 +281,7 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, per_connection_buffer_limit_bytes_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, per_connection_buffer_limit_bytes, 1024 * 1024)), load_report_stats_(generateLoadReportStats(load_report_stats_store_)), - transport_socket_factory_(std::move(socket_factory)), stats_scope_(stats_scope), + transport_socket_factory_(std::move(socket_factory)), stats_scope_(std::move(stats_scope)), stats_(generateStats(*stats_scope_)), features_(parseFeatures(config)), http2_settings_(Http::Utility::parseHttp2Settings(config.http2_protocol_options())), resource_managers_(config, runtime, name_), 
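Review bot: The reworked `ClusterInfoImpl` constructor in the second and third hunks takes `Network::TransportSocketFactoryPtr&&` and `Stats::ScopePtr&&`, but a sink parameter is conventionally taken by value, `Network::TransportSocketFactoryPtr socket_factory, Stats::ScopePtr stats_scope`, and moved from in the initializer list exactly as the body already does. By-value keeps the caller's obligation to `std::move` while making the transfer of ownership unconditional, and it avoids the unusual rvalue-reference signature that the matching header hunk later in this patch has to carry. The constructor's initializer list runs past the end of the hunk.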
@@ -414,17 +414,18 @@ ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster, return std::move(new_cluster); } -Stats::ScopePtr ClusterImplBase::generateStatsScope(const envoy::api::v2::Cluster& config, - Stats::Store& stats) { +namespace { + +Stats::ScopePtr generateStatsScope(const envoy::api::v2::Cluster& config, Stats::Store& stats) { return stats.createScope(fmt::format("cluster.{}.", config.alt_stat_name().empty() ? config.name() : std::string(config.alt_stat_name()))); } -Network::TransportSocketFactoryPtr ClusterImplBase::createTransportSocketFactory( - const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, - Ssl::ContextManager& ssl_context_manager, Secret::SecretManager& secret_manager, - Init::Manager& init_manager) { +Network::TransportSocketFactoryPtr +createTransportSocketFactory(const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, + Ssl::ContextManager& ssl_context_manager, + Secret::SecretManager& secret_manager, Init::Manager& init_manager) { // If the cluster config doesn't have a transport socket configured, override with the default // transport socket implementation based on the tls_context. We copy by value first then override // if necessary. 
@@ -449,17 +450,20 @@ Network::TransportSocketFactoryPtr ClusterImplBase::createTransportSocketFactory return config_factory.createTransportSocketFactory(*message, factory_context); } +} // namespace + ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, Secret::SecretManager& secret_manager, bool added_via_api) - : runtime_(runtime), stats_scope_(generateStatsScope(cluster, stats)), - info_(new ClusterInfoImpl(cluster, bind_config, runtime, - createTransportSocketFactory(cluster, *stats_scope_.get(), - ssl_context_manager, secret_manager, - init_manager_), - stats_scope_.release(), added_via_api)) { + : runtime_(runtime) { + auto stats_scope = generateStatsScope(cluster, stats); + auto socket_factory = createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, + secret_manager, init_manager_); + info_ = + std::make_unique(cluster, bind_config, runtime, std::move(socket_factory), + std::move(stats_scope), added_via_api); // Create the default (empty) priority set before registering callbacks to // avoid getting an update the first time it is accessed. priority_set_.getOrCreateHostSet(0); diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index cac63ab4e0dd..f1e03e68693a 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h 
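Review bot: `createTransportSocketFactory` is handed `*stats_scope` by reference and the scope is then moved into the same `ClusterInfoImpl` that also takes ownership of the factory, so any factory that retains that reference depends on member destruction order inside `ClusterInfoImpl`; the initializer order visible earlier in this patch (`transport_socket_factory_` before `stats_scope_`) means the scope is destroyed before the factory. I cannot see from here whether any factory dereferences its scope at destruction, so this is a lifetime caveat rather than a verified bug, but it deserves either reordering the two members so the scope outlives the factory or a comment on the `auto socket_factory = ...` line: `// The factory may keep a reference to *stats_scope; ClusterInfoImpl owns both, so the scope must outlive the factory.` The class declaration this relies on is outside the hunk.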
@@ -314,8 +314,8 @@ class ClusterInfoImpl : public ClusterInfo { public: ClusterInfoImpl(const envoy::api::v2::Cluster& config, const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, - Network::TransportSocketFactoryPtr socket_factory, Stats::Scope* stats_scope, - bool added_via_api); + Network::TransportSocketFactoryPtr&& socket_factory, + Stats::ScopePtr&& stats_scope, bool added_via_api); static ClusterStats generateStats(Stats::Scope& scope); static ClusterLoadReportStats generateLoadReportStats(Stats::Scope& scope); @@ -480,7 +480,6 @@ class ClusterImplBase : public Cluster, protected Logger::Loggableclose(); return; } From 9207d587f4e0b7b67b1c4ba9e0c4f2f5c35f8b1c Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Thu, 12 Jul 2018 11:01:02 -0700 Subject: [PATCH 46/55] Add new stats for SDS. Signed-off-by: JimmyCYJ --- include/envoy/upstream/upstream.h | 1 + source/common/upstream/upstream_impl.cc | 2 +- source/server/connection_handler_impl.cc | 2 +- source/server/connection_handler_impl.h | 1 + 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/envoy/upstream/upstream.h b/include/envoy/upstream/upstream.h index 2e24c7543aef..718e64f5c87d 100644 --- a/include/envoy/upstream/upstream.h +++ b/include/envoy/upstream/upstream.h @@ -310,6 +310,7 @@ class PrioritySet { COUNTER (upstream_cx_http1_total) \ COUNTER (upstream_cx_http2_total) \ COUNTER (upstream_cx_connect_fail) \ + COUNTER (upstream_cx_connect_fail_by_sds) \ COUNTER (upstream_cx_connect_timeout) \ COUNTER (upstream_cx_idle_timeout) \ COUNTER (upstream_cx_connect_attempts_exceeded) \ diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 65819e5d457a..10ee0636e8f2 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc 
@@ -143,7 +143,7 @@ HostImpl::createConnection(Event::Dispatcher& dispatcher, const ClusterInfo& clu auto transport_socket = cluster.transportSocketFactory().createTransportSocket(); if (!transport_socket) { - cluster.stats().upstream_cx_connect_fail_.inc(); + cluster.stats().upstream_cx_connect_fail_by_sds_.inc(); return nullptr; } diff --git a/source/server/connection_handler_impl.cc b/source/server/connection_handler_impl.cc index 955106a0696a..fa5d3a328e8e 100644 --- a/source/server/connection_handler_impl.cc +++ b/source/server/connection_handler_impl.cc @@ -199,7 +199,7 @@ void ConnectionHandlerImpl::ActiveListener::newConnection(Network::ConnectionSoc if (!transport_socket) { ENVOY_LOG_TO_LOGGER(parent_.logger_, debug, "closing connection: transport socket was not created yet"); - stats_.downstream_cx_destroy_.inc(); + stats_.downstream_cx_destroy_by_sds_.inc(); socket->close(); return; } diff --git a/source/server/connection_handler_impl.h b/source/server/connection_handler_impl.h index 5d2a386022a1..01f220158e97 100644 --- a/source/server/connection_handler_impl.h +++ b/source/server/connection_handler_impl.h @@ -27,6 +27,7 @@ namespace Server { #define ALL_LISTENER_STATS(COUNTER, GAUGE, HISTOGRAM) \ COUNTER (downstream_cx_total) \ COUNTER (downstream_cx_destroy) \ + COUNTER (downstream_cx_destroy_by_sds) \ GAUGE (downstream_cx_active) \ HISTOGRAM(downstream_cx_length_ms) \ COUNTER (no_filter_chain_match) From 96eced3c01acde39f6ab2fda2843572cb4e1bcaf Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 17 Jul 2018 11:08:28 -0700 Subject: [PATCH 47/55] pass cluster manager to SdsApi. 
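Review bot: `upstream_cx_connect_fail_by_sds_` replaces rather than supplements `upstream_cx_connect_fail_`, so existing dashboards and alerts keyed on the generic counter stop seeing these failures, and unlike the listener path in this same commit nothing is logged when the socket cannot be created. I would increment both, `cluster.stats().upstream_cx_connect_fail_.inc(); cluster.stats().upstream_cx_connect_fail_by_sds_.inc();`, and precede them with a debug log naming the cluster and stating that the SDS secret is not available yet, assuming a logger is reachable from `HostImpl::createConnection` (not visible here). If cluster stats are documented in a reference table, the new counter needs an entry there as well. `HostImpl::createConnection` continues outside the hunk.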
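Review bot: In the `connection_handler_impl.cc` hunk, switching `downstream_cx_destroy_` to `downstream_cx_destroy_by_sds_` removes these closes from the generic destroy counter; if `downstream_cx_total` has already been incremented for this socket before this point (not visible in the hunk), `downstream_cx_total - downstream_cx_destroy` will no longer reconcile with `downstream_cx_active`. Keeping the generic counter and adding the SDS-specific one, `stats_.downstream_cx_destroy_.inc(); stats_.downstream_cx_destroy_by_sds_.inc();`, preserves that invariant while still exposing the SDS signal. `ActiveListener::newConnection` continues outside the hunk.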
Signed-off-by: JimmyCYJ --- api/bazel/api_build_system.bzl | 4 ++ api/bazel/repositories.bzl | 3 ++ bazel/cc_configure.bzl | 7 ++- bazel/repositories.bzl | 4 +- bazel/repository_locations.bzl | 54 +++++++++---------- include/envoy/secret/BUILD | 4 ++ include/envoy/secret/secret_manager.h | 43 +++++++++++++-- include/envoy/server/BUILD | 1 + .../envoy/server/transport_socket_config.h | 9 ++-- source/common/secret/BUILD | 4 ++ source/common/secret/sds_api.cc | 21 ++++---- source/common/secret/sds_api.h | 13 +++-- source/common/secret/secret_manager_impl.cc | 32 +++++++---- source/common/secret/secret_manager_impl.h | 17 ++++-- source/common/ssl/BUILD | 2 + source/common/ssl/context_config_impl.cc | 51 +++++++++++------- source/common/ssl/context_config_impl.h | 24 ++++----- source/common/upstream/eds.cc | 3 +- source/common/upstream/logical_dns_cluster.cc | 3 +- .../common/upstream/original_dst_cluster.cc | 3 +- source/common/upstream/upstream_impl.cc | 30 +++++------ source/common/upstream/upstream_impl.h | 7 ++- .../transport_sockets/ssl/config.cc | 4 +- source/server/listener_manager_impl.cc | 2 +- source/server/transport_socket_config_impl.h | 13 +++-- tools/protodoc/protodoc.bzl | 2 +- 26 files changed, 224 insertions(+), 136 deletions(-) diff --git a/api/bazel/api_build_system.bzl b/api/bazel/api_build_system.bzl index 497d82c5ccc0..c573b1255186 100644 --- a/api/bazel/api_build_system.bzl +++ b/api/bazel/api_build_system.bzl @@ -4,9 +4,13 @@ load("@io_bazel_rules_go//proto:def.bzl", "go_grpc_library", "go_proto_library") load("@io_bazel_rules_go//go:def.bzl", "go_test") _PY_SUFFIX = "_py" + _CC_SUFFIX = "_cc" + _GO_PROTO_SUFFIX = "_go_proto" + _GO_GRPC_SUFFIX = "_go_grpc" + _GO_IMPORTPATH_PREFIX = "github.com/envoyproxy/data-plane-api/api/" def _Suffix(d, suffix): diff --git a/api/bazel/repositories.bzl b/api/bazel/repositories.bzl index ba56da977af7..49c5872890ad 100644 --- a/api/bazel/repositories.bzl +++ b/api/bazel/repositories.bzl 
@@ -1,6 +1,9 @@ GOOGLEAPIS_SHA = "d642131a6e6582fc226caf9893cb7fe7885b3411" # May 23, 2018 + GOGOPROTO_SHA = "1adfc126b41513cc696b209667c8656ea7aac67c" # v1.0.0 + PROMETHEUS_SHA = "99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c" # Nov 17, 2017 + OPENCENSUS_SHA = "ab82e5fdec8267dc2a726544b10af97675970847" # May 23, 2018 PGV_GIT_SHA = "f9d2b11e44149635b23a002693b76512b01ae515" diff --git a/bazel/cc_configure.bzl b/bazel/cc_configure.bzl index eb1dead6b260..3cc25e81ac50 100644 --- a/bazel/cc_configure.bzl +++ b/bazel/cc_configure.bzl @@ -1,4 +1,7 @@ -load("@bazel_tools//tools/cpp:cc_configure.bzl", _upstream_cc_autoconf_impl = "cc_autoconf_impl") +load( + "@bazel_tools//tools/cpp:cc_configure.bzl", + _upstream_cc_autoconf_impl = "cc_autoconf_impl", +) load("@bazel_tools//tools/cpp:lib_cc_configure.bzl", "get_cpu_value") load("@bazel_tools//tools/cpp:unix_cc_configure.bzl", "find_cc") @@ -82,7 +85,6 @@ def cc_autoconf_impl(repository_ctx): return _upstream_cc_autoconf_impl(repository_ctx, overriden_tools = overriden_tools) cc_autoconf = repository_rule( - implementation = cc_autoconf_impl, attrs = { "_envoy_cc_wrapper": attr.label(default = "@envoy//bazel:cc_wrapper.py"), }, @@ -118,6 +120,7 @@ cc_autoconf = repository_rule( "VS120COMNTOOLS", "VS140COMNTOOLS", ], + implementation = cc_autoconf_impl, ) def cc_configure(): diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index c85aaf358c8f..ad5853fd2997 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -105,10 +105,10 @@ def _default_envoy_build_config_impl(ctx): ctx.symlink(ctx.attr.config, "extensions_build_config.bzl") _default_envoy_build_config = repository_rule( - implementation = _default_envoy_build_config_impl, attrs = { "config": attr.label(default = "@envoy//source/extensions:extensions_build_config.bzl"), }, + implementation = _default_envoy_build_config_impl, ) def _default_envoy_api_impl(ctx): 
@@ -126,10 +126,10 @@ def _default_envoy_api_impl(ctx): ctx.symlink(ctx.path(ctx.attr.api).dirname.get_child(d), d) _default_envoy_api = repository_rule( - implementation = _default_envoy_api_impl, attrs = { "api": attr.label(default = "@envoy//api:BUILD"), }, + implementation = _default_envoy_api_impl, ) # Python dependencies. If these become non-trivial, we might be better off using a virtualenv to diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index d952af941cf5..f014669ace13 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -4,14 +4,10 @@ REPOSITORY_LOCATIONS = dict( commit = "2a52ce799382c87cd3119f3b44fbbebf97061ab6", # chromium-67.0.3396.62 remote = "https://github.com/google/boringssl", ), - com_google_absl = dict( - commit = "92020a042c0cd46979db9f6f0cb32783dc07765e", # 2018-06-08 - remote = "https://github.com/abseil/abseil-cpp", - ), com_github_apache_thrift = dict( sha256 = "7d59ac4fdcb2c58037ebd4a9da5f9a49e3e034bf75b3f26d9fe48ba3d8806e6b", - urls = ["https://files.pythonhosted.org/packages/c6/b4/510617906f8e0c5660e7d96fbc5585113f83ad547a3989b80297ac72a74c/thrift-0.11.0.tar.gz"], # 0.11.0 strip_prefix = "thrift-0.11.0", + urls = ["https://files.pythonhosted.org/packages/c6/b4/510617906f8e0c5660e7d96fbc5585113f83ad547a3989b80297ac72a74c/thrift-0.11.0.tar.gz"], # 0.11.0 ), com_github_bombela_backward = dict( commit = "44ae9609e860e3428cd057f7052e505b4819eb84", # 2018-02-06 @@ -43,6 +39,10 @@ REPOSITORY_LOCATIONS = dict( commit = "c0d77201039c7b119b18bc7fb991564c602dd75d", remote = "https://github.com/gcovr/gcovr", ), + com_github_google_jwt_verify = dict( + commit = "4eb9e96485b71e00d43acc7207501caafb085b4a", + remote = "https://github.com/google/jwt_verify_lib", + ), com_github_google_libprotobuf_mutator = dict( commit = "c3d2faf04a1070b0b852b0efdef81e1a81ba925e", remote = "https://github.com/google/libprotobuf-mutator", 
@@ -51,22 +51,6 @@ REPOSITORY_LOCATIONS = dict( commit = "bec3b5ada2c5e5d782dff0b7b5018df646b65cb0", # v1.12.0 remote = "https://github.com/grpc/grpc.git", ), - io_opentracing_cpp = dict( - commit = "3b36b084a4d7fffc196eac83203cf24dfb8696b3", # v1.4.2 - remote = "https://github.com/opentracing/opentracing-cpp", - ), - com_lightstep_tracer_cpp = dict( - commit = "ae6a6bba65f8c4d438a6a3ac855751ca8f52e1dc", - remote = "https://github.com/lightstep/lightstep-tracer-cpp", # v0.7.1 - ), - lightstep_vendored_googleapis = dict( - commit = "d6f78d948c53f3b400bb46996eb3084359914f9b", - remote = "https://github.com/google/googleapis", - ), - com_github_google_jwt_verify = dict( - commit = "4eb9e96485b71e00d43acc7207501caafb085b4a", - remote = "https://github.com/google/jwt_verify_lib", - ), com_github_nodejs_http_parser = dict( # 2018-07-20 snapshot to pick up: # A performance fix, nodejs/http-parser PR 422. 
@@ -87,20 +71,24 @@ REPOSITORY_LOCATIONS = dict( commit = "f54b0e47a08782a6131cc3d60f94d038fa6e0a51", # v1.1.0 remote = "https://github.com/tencent/rapidjson", ), + com_github_twitter_common_finagle_thrift = dict( + sha256 = "1e3a57d11f94f58745e6b83348ecd4fa74194618704f45444a15bc391fde497a", + strip_prefix = "twitter.common.finagle-thrift-0.3.9/src", + urls = ["https://files.pythonhosted.org/packages/f9/e7/4f80d582578f8489226370762d2cf6bc9381175d1929eba1754e03f70708/twitter.common.finagle-thrift-0.3.9.tar.gz"], # 0.3.9 + ), com_github_twitter_common_lang = dict( sha256 = "56d1d266fd4767941d11c27061a57bc1266a3342e551bde3780f9e9eb5ad0ed1", - urls = ["https://files.pythonhosted.org/packages/08/bc/d6409a813a9dccd4920a6262eb6e5889e90381453a5f58938ba4cf1d9420/twitter.common.lang-0.3.9.tar.gz"], # 0.3.9 strip_prefix = "twitter.common.lang-0.3.9/src", + urls = ["https://files.pythonhosted.org/packages/08/bc/d6409a813a9dccd4920a6262eb6e5889e90381453a5f58938ba4cf1d9420/twitter.common.lang-0.3.9.tar.gz"], # 0.3.9 ), com_github_twitter_common_rpc = dict( sha256 = "0792b63fb2fb32d970c2e9a409d3d00633190a22eb185145fe3d9067fdaa4514", - urls = ["https://files.pythonhosted.org/packages/be/97/f5f701b703d0f25fbf148992cd58d55b4d08d3db785aad209255ee67e2d0/twitter.common.rpc-0.3.9.tar.gz"], # 0.3.9 strip_prefix = "twitter.common.rpc-0.3.9/src", + urls = ["https://files.pythonhosted.org/packages/be/97/f5f701b703d0f25fbf148992cd58d55b4d08d3db785aad209255ee67e2d0/twitter.common.rpc-0.3.9.tar.gz"], # 0.3.9 ), - com_github_twitter_common_finagle_thrift = dict( - sha256 = "1e3a57d11f94f58745e6b83348ecd4fa74194618704f45444a15bc391fde497a", - urls = ["https://files.pythonhosted.org/packages/f9/e7/4f80d582578f8489226370762d2cf6bc9381175d1929eba1754e03f70708/twitter.common.finagle-thrift-0.3.9.tar.gz"], # 0.3.9 - strip_prefix = "twitter.common.finagle-thrift-0.3.9/src", + com_google_absl = dict( + commit = "92020a042c0cd46979db9f6f0cb32783dc07765e", # 2018-06-08 + remote = 
"https://github.com/abseil/abseil-cpp", ), com_google_googletest = dict( commit = "43863938377a9ea1399c0596269e0890b5c5515a", @@ -114,6 +102,10 @@ REPOSITORY_LOCATIONS = dict( commit = "6a4fec616ec4b20f54d5fb530808b855cb664390", remote = "https://github.com/google/protobuf", ), + com_lightstep_tracer_cpp = dict( + commit = "ae6a6bba65f8c4d438a6a3ac855751ca8f52e1dc", + remote = "https://github.com/lightstep/lightstep-tracer-cpp", # v0.7.1 + ), grpc_httpjson_transcoding = dict( commit = "05a15e4ecd0244a981fdf0348a76658def62fa9c", # 2018-05-30 remote = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding", @@ -122,6 +114,14 @@ REPOSITORY_LOCATIONS = dict( commit = "0.11.1", remote = "https://github.com/bazelbuild/rules_go", ), + io_opentracing_cpp = dict( + commit = "3b36b084a4d7fffc196eac83203cf24dfb8696b3", # v1.4.2 + remote = "https://github.com/opentracing/opentracing-cpp", + ), + lightstep_vendored_googleapis = dict( + commit = "d6f78d948c53f3b400bb46996eb3084359914f9b", + remote = "https://github.com/google/googleapis", + ), six_archive = dict( sha256 = "105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a", strip_prefix = "", diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD index 475d6b759e5d..aa500984eddb 100644 --- a/include/envoy/secret/BUILD +++ b/include/envoy/secret/BUILD @@ -21,7 +21,11 @@ envoy_cc_library( hdrs = ["secret_manager.h"], deps = [ ":dynamic_secret_provider_interface", + "//include/envoy/event:dispatcher_interface", "//include/envoy/init:init_interface", + "//include/envoy/local_info:local_info_interface", + "//include/envoy/runtime:runtime_interface", + "//include/envoy/stats:stats_interface", "@envoy_api//envoy/api/v2/auth:cert_cc", "@envoy_api//envoy/api/v2/core:config_source_cc", ], diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index 44ebcc1501b4..b245a2c3bdd4 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h 
@@ -3,9 +3,13 @@ #include #include "envoy/api/v2/auth/cert.pb.h" +#include "envoy/event/dispatcher.h" #include "envoy/init/init.h" +#include "envoy/local_info/local_info.h" +#include "envoy/runtime/runtime.h" #include "envoy/secret/dynamic_secret_provider.h" #include "envoy/ssl/tls_certificate_config.h" +#include "envoy/stats/stats.h" namespace Envoy { namespace Secret { @@ -17,6 +21,27 @@ class SecretManager { public: virtual ~SecretManager() {} + /** + * @return information about the local environment the server is running in. + */ + virtual const LocalInfo::LocalInfo& localInfo() PURE; + + /** + * @return Event::Dispatcher& the main thread's dispatcher. This dispatcher should be used + * for all singleton processing. + */ + virtual Event::Dispatcher& dispatcher() PURE; + + /** + * @return RandomGenerator& the random generator for the server. + */ + virtual Runtime::RandomGenerator& random() PURE; + + /** + * @return the server-wide stats store. + */ + virtual Stats::Store& stats() PURE; + /** * @param secret a protobuf message of envoy::api::v2::auth::Secret. * @throw an EnvoyException if the secret is invalid or not supported. 
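Review bot: Adding `localInfo()`, `dispatcher()`, `random()` and `stats()` to the `SecretManager` interface turns it into a conduit for server plumbing that has nothing to do with secrets; the only consumer visible in this series is `ContextConfigImpl` assembling an `SdsApi` by hand from these accessors. A narrower interface would expose one factory method, e.g. `virtual DynamicTlsCertificateSecretProviderSharedPtr createDynamicTlsCertificateSecretProvider(const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name, Init::Manager& init_manager, Upstream::ClusterManager& cm) PURE;`, keeping the dispatcher and friends inside the implementation. The new doc strings also carry wording that says nothing about secrets ("should be used for all singleton processing"); at minimum note that these accessors exist to construct SDS subscriptions.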
@@ -31,19 +56,27 @@ class SecretManager { findStaticTlsCertificate(const std::string& name) const PURE; /** - * Finds and returns a secret provider associated to SDS config. Create a new one + * Finds and returns a secret provider associated to SDS config. Return nullptr * if such provider does not exist. * * @param config_source a protobuf message object contains SDS config source. * @param config_name a name that uniquely refers to the SDS config source. - * @param init_manager an init manager that is responsible for initializing newly created secret - * provider. * @return the dynamic tls certificate secret provider. */ virtual DynamicTlsCertificateSecretProviderSharedPtr - findOrCreateDynamicTlsCertificateSecretProvider( + findDynamicTlsCertificateSecretProvider(const envoy::api::v2::core::ConfigSource& config_source, + const std::string& config_name) PURE; + + /** + * Add new dynamic tls certificate secret provider into secret manager. + * + * @param config_source a protobuf message object contains SDS config source. + * @param config_name a name that uniquely refers to the SDS config source. + * @param provider the dynamic tls certificate secret provider to be added into secret manager. + */ + virtual void setDynamicTlsCertificateSecretProvider( const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name, - Init::Manager& init_manager) PURE; + DynamicTlsCertificateSecretProviderSharedPtr provider) PURE; }; } // namespace Secret diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD index 2bd98ec0f8ba..181ac1001ee7 100644 --- a/include/envoy/server/BUILD +++ b/include/envoy/server/BUILD @@ -179,6 +179,7 @@ envoy_cc_library( "//include/envoy/network:transport_socket_interface", "//include/envoy/secret:secret_manager_interface", "//include/envoy/ssl:context_manager_interface", + "//include/envoy/upstream:cluster_manager_interface", "//source/common/protobuf", ], ) 
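Review bot: Splitting `findOrCreate…` into `findDynamicTlsCertificateSecretProvider` and `setDynamicTlsCertificateSecretProvider` makes the lookup-then-insert non-atomic: two configs sharing the same `config_source`/`config_name` that both miss in `find` will each construct their own `SdsApi`, and the second `set` silently overwrites the first's map entry while both subscriptions stay alive. The interface does not say that both calls must happen on the main thread or without interleaving, so at minimum document it on `setDynamicTlsCertificateSecretProvider`: `* Must be called on the main thread; callers must not interleave find/set for the same key.` A single find-or-create entry point that takes a creation callback would let the manager own the atomicity instead of every caller.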
diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h index 259c4b2785ed..907ab34e67fe 100644 --- a/include/envoy/server/transport_socket_config.h +++ b/include/envoy/server/transport_socket_config.h @@ -6,6 +6,7 @@ #include "envoy/network/transport_socket.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_manager.h" +#include "envoy/upstream/cluster_manager.h" #include "common/protobuf/protobuf.h" @@ -31,14 +32,14 @@ class TransportSocketFactoryContext { virtual Stats::Scope& statsScope() const PURE; /** - * Return the instance of secret manager. + * @return the instance of init manager. */ - virtual Secret::SecretManager& secretManager() PURE; + virtual Init::Manager& initManager() PURE; /** - * Return the instance of init manager. + * @return the instance of ClusterManager. */ - virtual Init::Manager& initManager() PURE; + virtual Upstream::ClusterManager& clusterManager() PURE; }; class TransportSocketConfigFactory { diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 56f87a5f605d..d02418231156 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -28,8 +28,12 @@ envoy_cc_library( hdrs = ["sds_api.h"], deps = [ "//include/envoy/config:subscription_interface", + "//include/envoy/event:dispatcher_interface", "//include/envoy/init:init_interface", + "//include/envoy/local_info:local_info_interface", + "//include/envoy/runtime:runtime_interface", "//include/envoy/server:instance_interface", + "//include/envoy/stats:stats_interface", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", "//source/common/protobuf:utility_lib", diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index be92ba1243b6..4cf715eb3b49 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc 
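Review bot: Removing `secretManager()` from `TransportSocketFactoryContext` is an API break for any out-of-tree transport socket that consumed it, and the replacement forces callers to reach the secret manager through `clusterManager().clusterManagerFactory().secretManager()`, which is exactly what the `context_config_impl.cc` hunk later in this commit does. Keeping `secretManager()` alongside the new `clusterManager()` accessor avoids both the break and the three-hop chain. If the removal is intentional, the commit message should say so, and the doc comment on `clusterManager()` should state what it is needed for, e.g. `* @return the instance of ClusterManager, used to build SDS subscriptions.`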
@@ -12,22 +12,23 @@ namespace Envoy { namespace Secret { -SdsApi::SdsApi(Server::Instance& server, Init::Manager& init_manager, - const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) - : server_(server), sds_config_(sds_config), sds_config_name_(sds_config_name), secret_hash_(0) { +SdsApi::SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher, + Runtime::RandomGenerator& random, Stats::Store& stats, Init::Manager& init_manager, + const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name, + Upstream::ClusterManager& cluster_manager) + : sds_config_(sds_config), sds_config_name_(sds_config_name), secret_hash_(0) { init_manager.registerTarget(*this); -} - -void SdsApi::initialize(std::function callback) { - initialize_callback_ = callback; subscription_ = Envoy::Config::SubscriptionFactory::subscriptionFromConfigSource< envoy::api::v2::auth::Secret>( - sds_config_, server_.localInfo().node(), server_.dispatcher(), server_.clusterManager(), - server_.random(), server_.stats(), /* rest_legacy_constructor */ nullptr, + sds_config_, local_info.node(), dispatcher, cluster_manager, random, stats, + /* rest_legacy_constructor */ nullptr, "envoy.service.discovery.v2.SecretDiscoveryService.FetchSecrets", "envoy.service.discovery.v2.SecretDiscoveryService.StreamSecrets"); + Config::Utility::checkLocalInfo("sds", local_info); +} - Config::Utility::checkLocalInfo("sds", server_.localInfo()); +void SdsApi::initialize(std::function callback) { + initialize_callback_ = callback; subscription_->start({sds_config_name_}, *this); } diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 6fb4403f651f..14608b9532d3 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h 
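Review bot: `init_manager.registerTarget(*this)` now runs before `subscriptionFromConfigSource` and `Config::Utility::checkLocalInfo`, both of which can throw on a bad config; if `Init::Manager` retains the `Target&` it is handed (it takes a reference), a throw leaves it pointing at an `SdsApi` whose construction aborted. Move the registration to the end of the constructor, after `Config::Utility::checkLocalInfo("sds", local_info);`, and run `checkLocalInfo` before creating the subscription so an invalid node config fails before any subscription object is built. The ordering was harmless in the old code because nothing that could throw followed the registration.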
@@ -5,8 +5,12 @@ #include "envoy/api/v2/auth/cert.pb.h" #include "envoy/api/v2/core/config_source.pb.h" #include "envoy/config/subscription.h" +#include "envoy/event/dispatcher.h" #include "envoy/init/init.h" -#include "envoy/server/instance.h" +#include "envoy/local_info/local_info.h" +#include "envoy/runtime/runtime.h" +#include "envoy/stats/stats.h" +#include "envoy/upstream/cluster_manager.h" namespace Envoy { namespace Secret { @@ -18,8 +22,10 @@ class SdsApi : public Init::Target, public DynamicTlsCertificateSecretProvider, public Config::SubscriptionCallbacks { public: - SdsApi(Server::Instance& server, Init::Manager& init_manager, - const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name); + SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher, + Runtime::RandomGenerator& random, Stats::Store& stats, Init::Manager& init_manager, + const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name, + Upstream::ClusterManager& cluster_manager); // Init::Target void initialize(std::function callback) override; @@ -39,7 +45,6 @@ class SdsApi : public Init::Target, private: void runInitializeCallbackIfAny(); - Server::Instance& server_; const envoy::api::v2::core::ConfigSource sds_config_; std::unique_ptr> subscription_; std::function initialize_callback_; diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 27dcf416002b..a45e891061d5 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc 
@@ -36,23 +36,35 @@ void SecretManagerImpl::removeDeletedSecretProvider() { } } -DynamicTlsCertificateSecretProviderSharedPtr -SecretManagerImpl::findOrCreateDynamicTlsCertificateSecretProvider( - const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, - Init::Manager& init_manager) { +std::string SecretManagerImpl::getDynamicTlsCertificateSecretProviderHash( + const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name) { auto hash = MessageUtil::hash(sds_config_source); - std::string map_key = std::to_string(hash) + config_name; + return std::to_string(hash) + config_name; +} + +DynamicTlsCertificateSecretProviderSharedPtr +SecretManagerImpl::findDynamicTlsCertificateSecretProvider( + const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name) { + std::string map_key = getDynamicTlsCertificateSecretProviderHash(sds_config_source, config_name); + + removeDeletedSecretProvider(); auto dynamic_secret_provider = dynamic_secret_providers_[map_key].lock(); if (!dynamic_secret_provider) { - dynamic_secret_provider = - std::make_shared(server_, init_manager, sds_config_source, config_name); - dynamic_secret_providers_[map_key] = dynamic_secret_provider; + return nullptr; + } else { + return dynamic_secret_provider; } +} - removeDeletedSecretProvider(); +void SecretManagerImpl::setDynamicTlsCertificateSecretProvider( + const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, + DynamicTlsCertificateSecretProviderSharedPtr provider) { + std::string map_key = getDynamicTlsCertificateSecretProviderHash(sds_config_source, config_name); + + dynamic_secret_providers_[map_key] = provider; - return dynamic_secret_provider; + removeDeletedSecretProvider(); } } // namespace Secret diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 10fd42f1c701..5cb0f8a6696e 100644 
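Review bot: `getDynamicTlsCertificateSecretProviderHash` builds the map key as `std::to_string(hash) + config_name` with no separator, so a hash `…1` with name `2foo` and a hash `…12` with name `foo` both yield `…12foo`; a collision hands one config another config's secret provider, i.e. another config's certificate and private key. Since `std::to_string` of the hash is digits only, any non-digit separator makes the key unambiguous: `return std::to_string(hash) + "/" + config_name;`. Separately, `dynamic_secret_providers_[map_key]` in `find…` inserts an empty `weak_ptr` on every miss that lingers until the next `removeDeletedSecretProvider`; using `find()` avoids the spurious insert.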
--- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -5,6 +5,7 @@ #include "envoy/secret/secret_manager.h" #include "envoy/server/instance.h" #include "envoy/ssl/tls_certificate_config.h" +#include "envoy/upstream/cluster_manager.h" #include "common/common/logger.h" #include "common/secret/sds_api.h" @@ -16,15 +17,25 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable #include +#include "envoy/secret/secret_manager.h" #include "envoy/ssl/tls_certificate_config.h" #include "common/common/assert.h" @@ -10,6 +11,7 @@ #include "common/config/datasource.h" #include "common/config/tls_context_json.h" #include "common/protobuf/utility.h" +#include "common/secret/sds_api.h" #include "openssl/ssl.h" @@ -33,9 +35,9 @@ const std::string ContextConfigImpl::DEFAULT_CIPHER_SUITES = const std::string ContextConfigImpl::DEFAULT_ECDH_CURVES = "X25519:P-256"; ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager) - : secret_manager_(secret_manager), + Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager) + : secret_manager_(cluster_manager.clusterManagerFactory().secretManager()), alpn_protocols_(RepeatedPtrUtil::join(config.alpn_protocols(), ",")), alt_alpn_protocols_(config.deprecated_v1().alt_alpn_protocols()), cipher_suites_(StringUtil::nonEmptyStringOrDefault( @@ -67,7 +69,7 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex tlsVersionFromProto(config.tls_params().tls_minimum_protocol_version(), TLS1_VERSION)), max_protocol_version_( tlsVersionFromProto(config.tls_params().tls_maximum_protocol_version(), TLS1_2_VERSION)) { - readCertChainConfig(config, init_manager); + readCertChainConfig(config, init_manager, cluster_manager); if (ca_cert_.empty()) { if (!certificate_revocation_list_.empty()) { 
@@ -86,7 +88,8 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex } void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config, - Init::Manager& init_manager) { + Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager) { if (!config.tls_certificates().empty()) { cert_chain_ = Config::DataSource::read(config.tls_certificates()[0].certificate_chain(), true); private_key_ = Config::DataSource::read(config.tls_certificates()[0].private_key(), true); @@ -105,8 +108,18 @@ void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTl throw EnvoyException(fmt::format("Unknown static secret: {}", secret_name)); } } else { - secret_provider_ = secret_manager_.findOrCreateDynamicTlsCertificateSecretProvider( - config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name, init_manager); + secret_provider_ = secret_manager_.findDynamicTlsCertificateSecretProvider( + config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name); + if (!secret_provider_) { + secret_provider_ = std::make_shared( + secret_manager_.localInfo(), secret_manager_.dispatcher(), secret_manager_.random(), + secret_manager_.stats(), init_manager, + config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name, + cluster_manager); + secret_manager_.setDynamicTlsCertificateSecretProvider( + config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name, + secret_provider_); + } return; } } 
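Review bot: `config.tls_certificate_sds_secret_configs()[0]` is evaluated three times in the new branch; hoisting it once, `const auto& sds_secret_config = config.tls_certificate_sds_secret_configs()[0];`, and passing `sds_secret_config.sds_config()` to the find call, the `SdsApi` constructor and the set call makes it visible that lookup and registration use the same key. The branch also only ever honours entry `[0]`; if additional `tls_certificate_sds_secret_configs` entries are unsupported, rejecting a size greater than one with an `EnvoyException` is safer than silently ignoring them, although that limitation predates this commit. `readCertChainConfig` may continue outside the hunk.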
@@ -149,9 +162,9 @@ const std::string& ContextConfigImpl::privateKey() const { } ClientContextConfigImpl::ClientContextConfigImpl( - const envoy::api::v2::auth::UpstreamTlsContext& config, Secret::SecretManager& secret_manager, - Init::Manager& init_manager) - : ContextConfigImpl(config.common_tls_context(), secret_manager, init_manager), + const envoy::api::v2::auth::UpstreamTlsContext& config, Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager) + : ContextConfigImpl(config.common_tls_context(), init_manager, cluster_manager), server_name_indication_(config.sni()), allow_renegotiation_(config.allow_renegotiation()) { // BoringSSL treats this as a C string, so embedded NULL characters will not // be handled correctly. @@ -166,20 +179,20 @@ ClientContextConfigImpl::ClientContextConfigImpl( } ClientContextConfigImpl::ClientContextConfigImpl(const Json::Object& config, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager) + Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager) : ClientContextConfigImpl( [&config] { envoy::api::v2::auth::UpstreamTlsContext upstream_tls_context; Config::TlsContextJson::translateUpstreamTlsContext(config, upstream_tls_context); return upstream_tls_context; }(), - secret_manager, init_manager) {} + init_manager, cluster_manager) {} ServerContextConfigImpl::ServerContextConfigImpl( - const envoy::api::v2::auth::DownstreamTlsContext& config, Secret::SecretManager& secret_manager, - Init::Manager& init_manager) - : ContextConfigImpl(config.common_tls_context(), secret_manager, init_manager), + const envoy::api::v2::auth::DownstreamTlsContext& config, Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager) + : ContextConfigImpl(config.common_tls_context(), init_manager, cluster_manager), require_client_certificate_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, require_client_certificate, false)), session_ticket_keys_([&config] { 
@@ -211,15 +224,15 @@ ServerContextConfigImpl::ServerContextConfigImpl( } ServerContextConfigImpl::ServerContextConfigImpl(const Json::Object& config, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager) + Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager) : ServerContextConfigImpl( [&config] { envoy::api::v2::auth::DownstreamTlsContext downstream_tls_context; Config::TlsContextJson::translateDownstreamTlsContext(config, downstream_tls_context); return downstream_tls_context; }(), - secret_manager, init_manager) {} + init_manager, cluster_manager) {} // Append a SessionTicketKey to keys, initializing it with key_data. // Throws if key_data is invalid. diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index 805df64b026b..b05edc5e27fb 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -7,6 +7,7 @@ #include "envoy/init/init.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_config.h" +#include "envoy/upstream/cluster_manager.h" #include "common/json/json_loader.h" @@ -62,14 +63,15 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { protected: ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, - Secret::SecretManager& secret_manager, Init::Manager& init_manager); + Init::Manager& init_manager, Upstream::ClusterManager& cluster_manager); private: static unsigned tlsVersionFromProto(const envoy::api::v2::auth::TlsParameters_TlsProtocol& version, unsigned default_version); + void readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config, - Init::Manager& init_manager); + Init::Manager& init_manager, Upstream::ClusterManager& cluster_manager); static const std::string DEFAULT_CIPHER_SUITES; static const std::string DEFAULT_ECDH_CURVES; 
@@ -99,11 +101,10 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { class ClientContextConfigImpl : public ContextConfigImpl, public ClientContextConfig { public: explicit ClientContextConfigImpl(const envoy::api::v2::auth::UpstreamTlsContext& config, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager); - explicit ClientContextConfigImpl(const Json::Object& config, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager); + Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager); + explicit ClientContextConfigImpl(const Json::Object& config, Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager); // Ssl::ClientContextConfig const std::string& serverNameIndication() const override { return server_name_indication_; } @@ -117,11 +118,10 @@ class ClientContextConfigImpl : public ContextConfigImpl, public ClientContextCo class ServerContextConfigImpl : public ContextConfigImpl, public ServerContextConfig { public: explicit ServerContextConfigImpl(const envoy::api::v2::auth::DownstreamTlsContext& config, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager); - explicit ServerContextConfigImpl(const Json::Object& config, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager); + Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager); + explicit ServerContextConfigImpl(const Json::Object& config, Init::Manager& init_manager, + Upstream::ClusterManager& cluster_manager); // Ssl::ServerContextConfig bool requireClientCertificate() const override { return require_client_certificate_; } diff --git a/source/common/upstream/eds.cc b/source/common/upstream/eds.cc index 4fb00c0d2e40..868df584e36f 100644 --- a/source/common/upstream/eds.cc +++ b/source/common/upstream/eds.cc 
@@ -22,8 +22,7 @@ EdsClusterImpl::EdsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime:: const LocalInfo::LocalInfo& local_info, ClusterManager& cm, Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, bool added_via_api) - : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, - cm.clusterManagerFactory().secretManager(), added_via_api), + : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), cm_(cm), local_info_(local_info), cluster_name_(cluster.eds_cluster_config().service_name().empty() ? cluster.name() diff --git a/source/common/upstream/logical_dns_cluster.cc b/source/common/upstream/logical_dns_cluster.cc index 75284b9c31ad..96844312523c 100644 --- a/source/common/upstream/logical_dns_cluster.cc +++ b/source/common/upstream/logical_dns_cluster.cc @@ -21,8 +21,7 @@ LogicalDnsCluster::LogicalDnsCluster(const envoy::api::v2::Cluster& cluster, Network::DnsResolverSharedPtr dns_resolver, ThreadLocal::SlotAllocator& tls, ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api) - : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, - cm.clusterManagerFactory().secretManager(), added_via_api), + : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), dns_resolver_(dns_resolver), dns_refresh_rate_ms_( std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))), diff --git a/source/common/upstream/original_dst_cluster.cc b/source/common/upstream/original_dst_cluster.cc index e00f39f9410d..d0e01a5bc851 100644 --- a/source/common/upstream/original_dst_cluster.cc +++ b/source/common/upstream/original_dst_cluster.cc 
@@ -126,8 +126,7 @@ OriginalDstCluster::OriginalDstCluster(const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api) - : ClusterImplBase(config, cm.bindConfig(), runtime, stats, ssl_context_manager, - cm.clusterManagerFactory().secretManager(), added_via_api), + : ClusterImplBase(config, runtime, stats, ssl_context_manager, cm, added_via_api), dispatcher_(dispatcher), cleanup_interval_ms_(std::chrono::milliseconds( PROTOBUF_GET_MS_OR_DEFAULT(config, cleanup_interval, 5000))), cleanup_timer_(dispatcher.createTimer([this]() -> void { cleanup(); })) { diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 47c6848cfda4..ef33eaeeb9ba 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -423,8 +423,8 @@ Stats::ScopePtr generateStatsScope(const envoy::api::v2::Cluster& config, Stats: Network::TransportSocketFactoryPtr createTransportSocketFactory(const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, - Ssl::ContextManager& ssl_context_manager, - Secret::SecretManager& secret_manager, Init::Manager& init_manager) { + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, + Init::Manager& init_manager) { // If the cluster config doesn't have a transport socket configured, override with the default // transport socket implementation based on the tls_context. We copy by value first then override // if necessary. 
@@ -440,7 +440,7 @@ createTransportSocketFactory(const envoy::api::v2::Cluster& config, Stats::Scope } Server::Configuration::TransportSocketFactoryContextImpl factory_context( - ssl_context_manager, stats_scope, secret_manager, init_manager); + ssl_context_manager, stats_scope, cm, init_manager); auto& config_factory = Config::Utility::getAndCheckFactory< Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); ProtobufTypes::MessagePtr message = @@ -451,18 +451,16 @@ createTransportSocketFactory(const envoy::api::v2::Cluster& config, Stats::Scope } // namespace -ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster, - const envoy::api::v2::core::BindConfig& bind_config, - Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, - Secret::SecretManager& secret_manager, bool added_via_api) +ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, + ClusterManager& cm, bool added_via_api) : runtime_(runtime) { auto stats_scope = generateStatsScope(cluster, stats); - auto socket_factory = createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, - secret_manager, init_manager_); - info_ = - std::make_unique(cluster, bind_config, runtime, std::move(socket_factory), - std::move(stats_scope), added_via_api); + auto socket_factory = + createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, cm, init_manager_); + info_ = std::make_unique(cluster, cm.bindConfig(), runtime, + std::move(socket_factory), std::move(stats_scope), + added_via_api); // Create the default (empty) priority set before registering callbacks to // avoid getting an update the first time it is accessed. priority_set_.getOrCreateHostSet(0); 
@@ -783,8 +781,7 @@ StaticClusterImpl::StaticClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api) - : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, - cm.clusterManagerFactory().secretManager(), added_via_api), + : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), initial_hosts_(new HostVector()) { for (const auto& host : cluster.hosts()) { @@ -964,8 +961,7 @@ StrictDnsClusterImpl::StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluste Network::DnsResolverSharedPtr dns_resolver, ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api) - : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, - cm.clusterManagerFactory().secretManager(), added_via_api), + : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), dns_resolver_(dns_resolver), dns_refresh_rate_ms_( std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))) { diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 644f5c2bba61..b073993b30a3 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h 
@@ -473,10 +473,9 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable callback) override; protected: - ClusterImplBase(const envoy::api::v2::Cluster& cluster, - const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - Secret::SecretManager& secret_manager, bool added_via_api); + ClusterImplBase(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, + bool added_via_api); /** * Overridden by every concrete cluster. The cluster should do whatever pre-init is needed. E.g., diff --git a/source/extensions/transport_sockets/ssl/config.cc b/source/extensions/transport_sockets/ssl/config.cc index bc73207dc212..1d611482d40f 100644 --- a/source/extensions/transport_sockets/ssl/config.cc +++ b/source/extensions/transport_sockets/ssl/config.cc @@ -20,7 +20,7 @@ Network::TransportSocketFactoryPtr UpstreamSslSocketFactory::createTransportSock Ssl::ClientContextConfigImpl( MessageUtil::downcastAndValidate( message), - context.secretManager(), context.initManager()), + context.initManager(), context.clusterManager()), context.sslContextManager(), context.statsScope()); } @@ -39,7 +39,7 @@ Network::TransportSocketFactoryPtr DownstreamSslSocketFactory::createTransportSo Ssl::ServerContextConfigImpl( MessageUtil::downcastAndValidate( message), - context.secretManager(), context.initManager()), + context.initManager(), context.clusterManager()), context.sslContextManager(), context.statsScope(), server_names); } diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index 8e70b16d3e0d..52f26fd95cdf 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc 
@@ -241,7 +241,7 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, const std::st filter_chain_match.application_protocols().end()); Server::Configuration::TransportSocketFactoryContextImpl factory_context( - parent_.server_.sslContextManager(), *listener_scope_, parent_.server_.secretManager(), + parent_.server_.sslContextManager(), *listener_scope_, parent_.server_.clusterManager(), initManager()); addFilterChain(PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0), destination_ips, server_names, filter_chain_match.transport_protocol(), diff --git a/source/server/transport_socket_config_impl.h b/source/server/transport_socket_config_impl.h index 4ef9df283d10..c651e0ccad3a 100644 --- a/source/server/transport_socket_config_impl.h +++ b/source/server/transport_socket_config_impl.h 
@@ -12,23 +12,22 @@ namespace Configuration { class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { public: TransportSocketFactoryContextImpl(Ssl::ContextManager& context_manager, Stats::Scope& stats_scope, - Secret::SecretManager& secret_manager, - Init::Manager& init_manager) - : context_manager_(context_manager), stats_scope_(stats_scope), - secret_manager_(secret_manager), init_manager_(init_manager) {} + Upstream::ClusterManager& cm, Init::Manager& init_manager) + : context_manager_(context_manager), stats_scope_(stats_scope), cluster_manager_(cm), + init_manager_(init_manager) {} Ssl::ContextManager& sslContextManager() override { return context_manager_; } Stats::Scope& statsScope() const override { return stats_scope_; } - Secret::SecretManager& secretManager() override { return secret_manager_; } - Init::Manager& initManager() override { return init_manager_; } + Upstream::ClusterManager& clusterManager() override { return cluster_manager_; } + private: Ssl::ContextManager& context_manager_; Stats::Scope& stats_scope_; - Secret::SecretManager& secret_manager_; + Upstream::ClusterManager& cluster_manager_; Init::Manager& init_manager_; }; diff --git a/tools/protodoc/protodoc.bzl b/tools/protodoc/protodoc.bzl index c7ab5c894889..4b11e8ef3457 100644 --- a/tools/protodoc/protodoc.bzl +++ b/tools/protodoc/protodoc.bzl @@ -78,7 +78,6 @@ def _proto_doc_aspect_impl(target, ctx): return [OutputGroupInfo(rst = transitive_outputs)] proto_doc_aspect = aspect( - implementation = _proto_doc_aspect_impl, attr_aspects = ["deps"], attrs = { "_protoc": attr.label( @@ -92,4 +91,5 @@ proto_doc_aspect = aspect( cfg = "host", ), }, + implementation = _proto_doc_aspect_impl, ) From c28afcb226331a65f38e0b8f64d2381f6c38dc53 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Tue, 17 Jul 2018 14:01:56 -0700 Subject: [PATCH 48/55] move subscription back to SdsApi::initialize(). 
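Review bot: As displayed, the new side removes `Init::Manager& initManager() override { return init_manager_; }` together with `secretManager()`, yet keeps the `init_manager_` member and the constructor parameter. The base interface still declares `initManager()` pure and `context.initManager()` is still called from `source/extensions/transport_sockets/ssl/config.cc` in this same patch, so `TransportSocketFactoryContextImpl` would become abstract and the construction in `listener_manager_impl.cc` would not compile unless the override is re-added elsewhere in the file. If the missing line is an artefact of the collapsed rendering, disregard; otherwise restore `Init::Manager& initManager() override { return init_manager_; }`.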
Signed-off-by: JimmyCYJ --- source/common/secret/sds_api.cc | 17 ++++++++++------- source/common/secret/sds_api.h | 5 +++++ source/common/secret/secret_manager_impl.cc | 10 +++------- source/common/secret/secret_manager_impl.h | 4 +++- source/common/ssl/BUILD | 3 +-- source/common/ssl/context_config_impl.cc | 2 +- 6 files changed, 23 insertions(+), 18 deletions(-) diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 4cf715eb3b49..4ad14b819957 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -16,19 +16,22 @@ SdsApi::SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispat Runtime::RandomGenerator& random, Stats::Store& stats, Init::Manager& init_manager, const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name, Upstream::ClusterManager& cluster_manager) - : sds_config_(sds_config), sds_config_name_(sds_config_name), secret_hash_(0) { + : local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats), + sds_config_(sds_config), sds_config_name_(sds_config_name), cluster_manager_(cluster_manager), + secret_hash_(0) { init_manager.registerTarget(*this); +} + +void SdsApi::initialize(std::function callback) { + initialize_callback_ = callback; + subscription_ = Envoy::Config::SubscriptionFactory::subscriptionFromConfigSource< envoy::api::v2::auth::Secret>( - sds_config_, local_info.node(), dispatcher, cluster_manager, random, stats, + sds_config_, local_info_.node(), dispatcher_, cluster_manager_, random_, stats_, /* rest_legacy_constructor */ nullptr, "envoy.service.discovery.v2.SecretDiscoveryService.FetchSecrets", "envoy.service.discovery.v2.SecretDiscoveryService.StreamSecrets"); - Config::Utility::checkLocalInfo("sds", local_info); -} - -void SdsApi::initialize(std::function callback) { - initialize_callback_ = callback; + Config::Utility::checkLocalInfo("sds", local_info_); subscription_->start({sds_config_name_}, *this); } 
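Review bot: `Config::Utility::checkLocalInfo("sds", local_info_);` now runs inside `initialize()` and only after the subscription object has been built, whereas the removed code ran it in the constructor; a node missing the required local info is therefore rejected only when init targets run, not when the SDS config is first loaded, and a subscription is constructed for a configuration that is about to be rejected. Keeping the check in the constructor (or at minimum making it the first statement of `initialize()`) preserves the fail-fast behaviour. Note also that `initialize()` unconditionally replaces `subscription_`; if `Init::Target::initialize` can be invoked more than once on the same target, the earlier subscription is dropped silently. The constructor's signature starts outside this hunk.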
diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 14608b9532d3..a08088ee0e61 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -45,10 +45,15 @@ class SdsApi : public Init::Target, private: void runInitializeCallbackIfAny(); + const LocalInfo::LocalInfo& local_info_; + Event::Dispatcher& dispatcher_; + Runtime::RandomGenerator& random_; + Stats::Store& stats_; const envoy::api::v2::core::ConfigSource sds_config_; std::unique_ptr> subscription_; std::function initialize_callback_; const std::string sds_config_name_; + Upstream::ClusterManager& cluster_manager_; uint64_t secret_hash_; Ssl::TlsCertificateConfigPtr tls_certificate_secrets_; diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index a45e891061d5..98e29e84ade9 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -37,7 +37,8 @@ void SecretManagerImpl::removeDeletedSecretProvider() { } std::string SecretManagerImpl::getDynamicTlsCertificateSecretProviderHash( - const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name) { + const envoy::api::v2::core::ConfigSource& sds_config_source, + const std::string& config_name) const { auto hash = MessageUtil::hash(sds_config_source); return std::to_string(hash) + config_name; } @@ -49,12 +50,7 @@ SecretManagerImpl::findDynamicTlsCertificateSecretProvider( removeDeletedSecretProvider(); - auto dynamic_secret_provider = dynamic_secret_providers_[map_key].lock(); - if (!dynamic_secret_provider) { - return nullptr; - } else { - return dynamic_secret_provider; - } + return dynamic_secret_providers_[map_key].lock(); } void SecretManagerImpl::setDynamicTlsCertificateSecretProvider( diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 5cb0f8a6696e..38b67d8d8a90 100644 --- a/source/common/secret/secret_manager_impl.h 
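Review bot: The added `const` is right, but the key built on the unchanged line `return std::to_string(hash) + config_name;` has no separator between the decimal hash and the name, so distinct (config source, name) pairs can in principle collapse to the same string (e.g. hash `12` with name `3x` and hash `123` with name `x`); because this key decides which dynamic TLS certificate provider a consumer receives, a delimiter such as `return std::to_string(hash) + "/" + config_name;` makes the mapping unambiguous at no cost. The line predates this commit, so this is a follow-up rather than a regression.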
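Review bot: `return dynamic_secret_providers_[map_key].lock();` uses `operator[]`, which inserts an empty `weak_ptr` for every key that is looked up and absent, so a lookup-only method grows the map on each miss and leaves an expired entry behind until the next `removeDeletedSecretProvider()` call (the miss path in `readCertChainConfig` overwrites it via `setDynamicTlsCertificateSecretProvider`, but any other caller would not). A read-only lookup avoids that: `const auto it = dynamic_secret_providers_.find(map_key);` / `if (it == dynamic_secret_providers_.end()) { return nullptr; }` / `return it->second.lock();`. The enclosing function and the computation of `map_key` begin outside this hunk.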
+++ b/source/common/secret/secret_manager_impl.h @@ -21,6 +21,7 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable #include -#include "envoy/secret/secret_manager.h" #include "envoy/ssl/tls_certificate_config.h" #include "common/common/assert.h" @@ -12,6 +11,7 @@ #include "common/config/tls_context_json.h" #include "common/protobuf/utility.h" #include "common/secret/sds_api.h" +#include "common/secret/secret_manager_impl.h" #include "openssl/ssl.h" From de01b9e99993ce93769da40405bc426382adb140 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 18 Jul 2018 17:42:22 -0700 Subject: [PATCH 49/55] Introduce DynamicTlsCertificateSecretProviderFactoryContext and DynamicTlsCertificateSecretProviderFactory. 
Signed-off-by: JimmyCYJ --- include/envoy/secret/BUILD | 15 ++++- include/envoy/secret/secret_manager.h | 26 ------- include/envoy/server/BUILD | 1 + .../envoy/server/transport_socket_config.h | 12 ++++ include/envoy/ssl/context_config.h | 4 ++ source/common/secret/BUILD | 11 ++- source/common/secret/sds_api.cc | 8 +-- source/common/secret/sds_api.h | 9 +-- source/common/secret/secret_manager_impl.h | 5 -- source/common/ssl/BUILD | 5 +- source/common/ssl/context_config_impl.cc | 58 +++++++--------- source/common/ssl/context_config_impl.h | 33 +++++---- source/common/ssl/ssl_socket.cc | 9 +-- source/common/ssl/ssl_socket.h | 6 +- source/common/upstream/BUILD | 3 + source/common/upstream/eds.cc | 14 ++-- source/common/upstream/eds.h | 13 ++-- source/common/upstream/logical_dns_cluster.cc | 15 +++-- source/common/upstream/logical_dns_cluster.h | 10 +-- .../common/upstream/original_dst_cluster.cc | 12 ++-- source/common/upstream/original_dst_cluster.h | 8 ++- source/common/upstream/upstream_impl.cc | 67 +++++++++++-------- source/common/upstream/upstream_impl.h | 25 ++++--- .../transport_sockets/ssl/config.cc | 19 +++--- source/server/BUILD | 2 + source/server/listener_manager_impl.cc | 7 +- source/server/transport_socket_config_impl.h | 22 +++++- .../grpc_client_integration_test_harness.h | 13 ++-- test/integration/ssl_utility.cc | 5 +- test/integration/xfcc_integration_test.cc | 9 ++- test/mocks/secret/mocks.h | 13 +++- 31 files changed, 263 insertions(+), 196 deletions(-) diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD index aa500984eddb..d8a29f376bc1 100644 --- a/include/envoy/secret/BUILD +++ b/include/envoy/secret/BUILD 
@@ -17,15 +17,24 @@ envoy_cc_library( ) envoy_cc_library( - name = "secret_manager_interface", - hdrs = ["secret_manager.h"], + name = "dynamic_secret_provider_factory_interface", + hdrs = ["dynamic_secret_provider_factory.h"], deps = [ ":dynamic_secret_provider_interface", "//include/envoy/event:dispatcher_interface", - "//include/envoy/init:init_interface", "//include/envoy/local_info:local_info_interface", "//include/envoy/runtime:runtime_interface", "//include/envoy/stats:stats_interface", + "//include/envoy/upstream:cluster_manager_interface", + "@envoy_api//envoy/api/v2/core:config_source_cc", + ], +) + +envoy_cc_library( + name = "secret_manager_interface", + hdrs = ["secret_manager.h"], + deps = [ + ":dynamic_secret_provider_interface", "@envoy_api//envoy/api/v2/auth:cert_cc", "@envoy_api//envoy/api/v2/core:config_source_cc", ], diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h index b245a2c3bdd4..88346f2c0794 100644 --- a/include/envoy/secret/secret_manager.h +++ b/include/envoy/secret/secret_manager.h @@ -3,13 +3,8 @@ #include #include "envoy/api/v2/auth/cert.pb.h" -#include "envoy/event/dispatcher.h" -#include "envoy/init/init.h" -#include "envoy/local_info/local_info.h" -#include "envoy/runtime/runtime.h" #include "envoy/secret/dynamic_secret_provider.h" #include "envoy/ssl/tls_certificate_config.h" -#include "envoy/stats/stats.h" namespace Envoy { namespace Secret { 
@@ -21,27 +16,6 @@ class SecretManager { public: virtual ~SecretManager() {} - /** - * @return information about the local environment the server is running in. - */ - virtual const LocalInfo::LocalInfo& localInfo() PURE; - - /** - * @return Event::Dispatcher& the main thread's dispatcher. This dispatcher should be used - * for all singleton processing. - */ - virtual Event::Dispatcher& dispatcher() PURE; - - /** - * @return RandomGenerator& the random generator for the server. - */ - virtual Runtime::RandomGenerator& random() PURE; - - /** - * @return the server-wide stats store. - */ - virtual Stats::Store& stats() PURE; - /** * @param secret a protobuf message of envoy::api::v2::auth::Secret. * @throw an EnvoyException if the secret is invalid or not supported. diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD index 181ac1001ee7..284288afce42 100644 --- a/include/envoy/server/BUILD +++ b/include/envoy/server/BUILD @@ -177,6 +177,7 @@ envoy_cc_library( deps = [ "//include/envoy/init:init_interface", "//include/envoy/network:transport_socket_interface", + "//include/envoy/secret:dynamic_secret_provider_factory_interface", "//include/envoy/secret:secret_manager_interface", "//include/envoy/ssl:context_manager_interface", "//include/envoy/upstream:cluster_manager_interface", diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h index 907ab34e67fe..24fdf4b145c2 100644 --- a/include/envoy/server/transport_socket_config.h +++ b/include/envoy/server/transport_socket_config.h @@ -4,6 +4,7 @@ #include "envoy/init/init.h" #include "envoy/network/transport_socket.h" +#include "envoy/secret/dynamic_secret_provider_factory.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_manager.h" #include "envoy/upstream/cluster_manager.h" 
@@ -36,10 +37,21 @@ class TransportSocketFactoryContext { */ virtual Init::Manager& initManager() PURE; + /** + * Return the instance of secret manager. + */ + virtual Secret::SecretManager& secretManager() PURE; + /** * @return the instance of ClusterManager. */ virtual Upstream::ClusterManager& clusterManager() PURE; + + /** + * @return the factory of dynamic tls certificate secret provider. + */ + virtual Secret::DynamicTlsCertificateSecretProviderFactory& + dynamicTlsCertificateSecretProviderFactory() PURE; }; class TransportSocketConfigFactory { diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index 5c4149726e74..51996e1c1165 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -133,6 +133,8 @@ class ClientContextConfig : public virtual ContextConfig { virtual bool allowRenegotiation() const PURE; }; +typedef std::unique_ptr ClientContextConfigPtr; + class ServerContextConfig : public virtual ContextConfig { public: struct SessionTicketKey { @@ -154,5 +156,7 @@ class ServerContextConfig : public virtual ContextConfig { virtual const std::vector& sessionTicketKeys() const PURE; }; +typedef std::unique_ptr ServerContextConfigPtr; + } // namespace Ssl } // namespace Envoy diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index d02418231156..699a2bde2535 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -32,7 +32,6 @@ envoy_cc_library( "//include/envoy/init:init_interface", "//include/envoy/local_info:local_info_interface", "//include/envoy/runtime:runtime_interface", - "//include/envoy/server:instance_interface", "//include/envoy/stats:stats_interface", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", 
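Review bot: The new `secretManager()` comment reads `Return the instance of secret manager.` while every neighbouring accessor in this interface documents itself with `@return`; for consistency use `/** * @return the instance of SecretManager. */`. The `dynamicTlsCertificateSecretProviderFactory()` comment would likewise be clearer if it named the type and purpose: `@return the Secret::DynamicTlsCertificateSecretProviderFactory used to create dynamic TLS certificate secret providers.`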
@@ -40,3 +39,13 @@ envoy_cc_library( "//source/common/ssl:tls_certificate_config_impl_lib", ], ) + +envoy_cc_library( + name = "dynamic_secret_provider_factory_impl_lib", + hdrs = ["dynamic_secret_provider_factory_impl.h"], + deps = [ + ":sds_api_lib", + "//include/envoy/init:init_interface", + "//include/envoy/secret:dynamic_secret_provider_factory_interface", + ], +) diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 4ad14b819957..8a2c74429d1f 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -13,11 +13,11 @@ namespace Envoy { namespace Secret { SdsApi::SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher, - Runtime::RandomGenerator& random, Stats::Store& stats, Init::Manager& init_manager, - const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name, - Upstream::ClusterManager& cluster_manager) + Runtime::RandomGenerator& random, Stats::Store& stats, + Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager, + const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) : local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats), - sds_config_(sds_config), sds_config_name_(sds_config_name), cluster_manager_(cluster_manager), + cluster_manager_(cluster_manager), sds_config_(sds_config), sds_config_name_(sds_config_name), secret_hash_(0) { init_manager.registerTarget(*this); } diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index a08088ee0e61..91fa0ce474c8 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h 
@@ -23,9 +23,9 @@ class SdsApi : public Init::Target, public Config::SubscriptionCallbacks { public: SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher, - Runtime::RandomGenerator& random, Stats::Store& stats, Init::Manager& init_manager, - const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name, - Upstream::ClusterManager& cluster_manager); + Runtime::RandomGenerator& random, Stats::Store& stats, + Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager, + const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name); // Init::Target void initialize(std::function callback) override; @@ -49,11 +49,12 @@ class SdsApi : public Init::Target, Event::Dispatcher& dispatcher_; Runtime::RandomGenerator& random_; Stats::Store& stats_; + Upstream::ClusterManager& cluster_manager_; + const envoy::api::v2::core::ConfigSource sds_config_; std::unique_ptr> subscription_; std::function initialize_callback_; const std::string sds_config_name_; - Upstream::ClusterManager& cluster_manager_; uint64_t secret_hash_; Ssl::TlsCertificateConfigPtr tls_certificate_secrets_; diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 38b67d8d8a90..194458969015 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -17,11 +17,6 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable( - secret_manager_.localInfo(), secret_manager_.dispatcher(), secret_manager_.random(), - secret_manager_.stats(), init_manager, - config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name, - cluster_manager); - secret_manager_.setDynamicTlsCertificateSecretProvider( - config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name, - secret_provider_); - } return; } } 
@@ -162,9 +150,9 @@ const std::string& ContextConfigImpl::privateKey() const { } ClientContextConfigImpl::ClientContextConfigImpl( - const envoy::api::v2::auth::UpstreamTlsContext& config, Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager) - : ContextConfigImpl(config.common_tls_context(), init_manager, cluster_manager), + const envoy::api::v2::auth::UpstreamTlsContext& config, Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory) + : ContextConfigImpl(config.common_tls_context(), secret_manager, secret_provider_factory), server_name_indication_(config.sni()), allow_renegotiation_(config.allow_renegotiation()) { // BoringSSL treats this as a C string, so embedded NULL characters will not // be handled correctly. 
@@ -178,21 +166,21 @@ ClientContextConfigImpl::ClientContextConfigImpl( } } -ClientContextConfigImpl::ClientContextConfigImpl(const Json::Object& config, - Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager) +ClientContextConfigImpl::ClientContextConfigImpl( + const Json::Object& config, Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory) : ClientContextConfigImpl( [&config] { envoy::api::v2::auth::UpstreamTlsContext upstream_tls_context; Config::TlsContextJson::translateUpstreamTlsContext(config, upstream_tls_context); return upstream_tls_context; }(), - init_manager, cluster_manager) {} + secret_manager, secret_provider_factory) {} ServerContextConfigImpl::ServerContextConfigImpl( - const envoy::api::v2::auth::DownstreamTlsContext& config, Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager) - : ContextConfigImpl(config.common_tls_context(), init_manager, cluster_manager), + const envoy::api::v2::auth::DownstreamTlsContext& config, Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory) + : ContextConfigImpl(config.common_tls_context(), secret_manager, secret_provider_factory), require_client_certificate_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, require_client_certificate, false)), session_ticket_keys_([&config] { 
@@ -223,16 +211,16 @@ ServerContextConfigImpl::ServerContextConfigImpl( } } -ServerContextConfigImpl::ServerContextConfigImpl(const Json::Object& config, - Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager) +ServerContextConfigImpl::ServerContextConfigImpl( + const Json::Object& config, Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory) : ServerContextConfigImpl( [&config] { envoy::api::v2::auth::DownstreamTlsContext downstream_tls_context; Config::TlsContextJson::translateDownstreamTlsContext(config, downstream_tls_context); return downstream_tls_context; }(), - init_manager, cluster_manager) {} + secret_manager, secret_provider_factory) {} // Append a SessionTicketKey to keys, initializing it with key_data. // Throws if key_data is invalid. diff --git a/source/common/ssl/context_config_impl.h b/source/common/ssl/context_config_impl.h index b05edc5e27fb..3cb9bdf9e034 100644 --- a/source/common/ssl/context_config_impl.h +++ b/source/common/ssl/context_config_impl.h @@ -4,7 +4,7 @@ #include #include "envoy/api/v2/auth/cert.pb.h" -#include "envoy/init/init.h" +#include "envoy/secret/dynamic_secret_provider_factory.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_config.h" #include "envoy/upstream/cluster_manager.h" 
@@ -63,15 +63,17 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { protected: ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config, - Init::Manager& init_manager, Upstream::ClusterManager& cluster_manager); + Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory); private: static unsigned tlsVersionFromProto(const envoy::api::v2::auth::TlsParameters_TlsProtocol& version, unsigned default_version); - void readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config, - Init::Manager& init_manager, Upstream::ClusterManager& cluster_manager); + void + readCertChainConfig(const envoy::api::v2::auth::CommonTlsContext& config, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory); static const std::string DEFAULT_CIPHER_SUITES; static const std::string DEFAULT_ECDH_CURVES; @@ -100,11 +102,12 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { class ClientContextConfigImpl : public ContextConfigImpl, public ClientContextConfig { public: - explicit ClientContextConfigImpl(const envoy::api::v2::auth::UpstreamTlsContext& config, - Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager); - explicit ClientContextConfigImpl(const Json::Object& config, Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager); + explicit ClientContextConfigImpl( + const envoy::api::v2::auth::UpstreamTlsContext& config, Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory); + explicit ClientContextConfigImpl( + const Json::Object& config, Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory); // Ssl::ClientContextConfig const std::string& serverNameIndication() const override { return server_name_indication_; } 
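Review bot: The new `ContextConfigImpl` constructor takes `secret_provider_factory` by reference but nothing states whether it may be retained, and the caller side makes that matter: in upstream_impl.cc the factory lives inside a block-local `TransportSocketFactoryContextImpl` that dies when `createTransportSocketFactory` returns, while the `ClientContextConfigImpl` built from it is now kept alive by `ClientSslSocketFactory::config_`. From this hunk the factory is only handed to `readCertChainConfig`, i.e. consumed during construction, which is safe, but that should be written on the declaration: `// secret_provider_factory is consulted only during construction and must not be retained; the caller's TransportSocketFactoryContext is not guaranteed to outlive this call.` The same note applies to the `ClientContextConfigImpl` and `ServerContextConfigImpl` declarations below and in the next hunk, and to their definitions in the three context_config_impl.cc hunks above.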
@@ -117,11 +120,13 @@ class ClientContextConfigImpl : public ContextConfigImpl, public ClientContextCo class ServerContextConfigImpl : public ContextConfigImpl, public ServerContextConfig { public: - explicit ServerContextConfigImpl(const envoy::api::v2::auth::DownstreamTlsContext& config, - Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager); - explicit ServerContextConfigImpl(const Json::Object& config, Init::Manager& init_manager, - Upstream::ClusterManager& cluster_manager); + explicit ServerContextConfigImpl( + const envoy::api::v2::auth::DownstreamTlsContext& config, + Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory); + explicit ServerContextConfigImpl( + const Json::Object& config, Secret::SecretManager& secret_manager, + Secret::DynamicTlsCertificateSecretProviderFactory& secret_provider_factory); // Ssl::ServerContextConfig bool requireClientCertificate() const override { return require_client_certificate_; } diff --git a/source/common/ssl/ssl_socket.cc b/source/common/ssl/ssl_socket.cc index ff2d18e13ffa..3116cf2d1a03 100644 --- a/source/common/ssl/ssl_socket.cc +++ b/source/common/ssl/ssl_socket.cc @@ -382,10 +382,10 @@ std::string SslSocket::subjectLocalCertificate() const { return getSubjectFromCertificate(cert); } -ClientSslSocketFactory::ClientSslSocketFactory(const ClientContextConfig& config, +ClientSslSocketFactory::ClientSslSocketFactory(ClientContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope) - : ssl_ctx_(manager.createSslClientContext(stats_scope, config)) {} + : config_(std::move(config)), ssl_ctx_(manager.createSslClientContext(stats_scope, *config_)) {} Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() const { return ssl_ctx_ ? std::make_unique(ssl_ctx_, Ssl::InitialState::Client) 
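Review bot: `ClientSslSocketFactory`'s initializer dereferences `*config_` with no null check, and since the parameter is now a `ClientContextConfigPtr` rather than a reference, a null argument is a representable input that turns into undefined behaviour inside `createSslClientContext`; `ServerSslSocketFactory` in the next hunk has the same shape. Either check in the constructor body before the context is used or state the precondition on the declarations in ssl_socket.h: `// config must be non-null; the factory takes ownership and keeps it for its own lifetime.` Declaring `config_` before `ssl_ctx_` in the header is what makes the initializer order correct, so that ordering is load-bearing and worth a short comment too.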
@@ -394,11 +394,12 @@ Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() cons bool ClientSslSocketFactory::implementsSecureTransport() const { return true; } -ServerSslSocketFactory::ServerSslSocketFactory(const ServerContextConfig& config, +ServerSslSocketFactory::ServerSslSocketFactory(ServerContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope, const std::vector& server_names) - : ssl_ctx_(manager.createSslServerContext(stats_scope, config, server_names)) {} + : config_(std::move(config)), + ssl_ctx_(manager.createSslServerContext(stats_scope, *config_, server_names)) {} Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() const { return ssl_ctx_ ? std::make_unique(ssl_ctx_, Ssl::InitialState::Server) diff --git a/source/common/ssl/ssl_socket.h b/source/common/ssl/ssl_socket.h index 68fec106eb91..b8141158b555 100644 --- a/source/common/ssl/ssl_socket.h +++ b/source/common/ssl/ssl_socket.h 
@@ -69,25 +69,27 @@ class SslSocket : public Network::TransportSocket, class ClientSslSocketFactory : public Network::TransportSocketFactory { public: - ClientSslSocketFactory(const ClientContextConfig& config, Ssl::ContextManager& manager, + ClientSslSocketFactory(ClientContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope); Network::TransportSocketPtr createTransportSocket() const override; bool implementsSecureTransport() const override; private: + ClientContextConfigPtr config_; ClientContextSharedPtr ssl_ctx_; }; class ServerSslSocketFactory : public Network::TransportSocketFactory { public: - ServerSslSocketFactory(const ServerContextConfig& config, Ssl::ContextManager& manager, + ServerSslSocketFactory(ServerContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope, const std::vector& server_names); Network::TransportSocketPtr createTransportSocket() const override; bool implementsSecureTransport() const override; private: + ServerContextConfigPtr config_; ServerContextSharedPtr ssl_ctx_; }; diff --git a/source/common/upstream/BUILD b/source/common/upstream/BUILD index 4dc2592f0f51..cf34e3445e00 100644 --- a/source/common/upstream/BUILD +++ b/source/common/upstream/BUILD @@ -361,7 +361,9 @@ envoy_cc_library( "//source/common/network:utility_lib", "//source/common/protobuf", "//source/common/protobuf:utility_lib", + "//source/common/secret:dynamic_secret_provider_factory_impl_lib", "//source/extensions/transport_sockets:well_known_names", + "//source/server:transport_socket_config_lib", "@envoy_api//envoy/api/v2/core:base_cc", ], ) 
@@ -378,6 +380,7 @@ envoy_cc_library( "//include/envoy/local_info:local_info_interface", "//include/envoy/network:dns_interface", "//include/envoy/runtime:runtime_interface", + "//include/envoy/secret:dynamic_secret_provider_factory_interface", "//include/envoy/ssl:context_manager_interface", "//include/envoy/thread_local:thread_local_interface", "//include/envoy/upstream:cluster_manager_interface", diff --git a/source/common/upstream/eds.cc b/source/common/upstream/eds.cc index 868df584e36f..c60c8f8d170c 100644 --- a/source/common/upstream/eds.cc +++ b/source/common/upstream/eds.cc @@ -17,12 +17,14 @@ namespace Envoy { namespace Upstream { -EdsClusterImpl::EdsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - const LocalInfo::LocalInfo& local_info, ClusterManager& cm, - Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, - bool added_via_api) - : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), +EdsClusterImpl::EdsClusterImpl( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, const LocalInfo::LocalInfo& local_info, + ClusterManager& cm, Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, + bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, + std::move(secret_provider_context)), cm_(cm), local_info_(local_info), cluster_name_(cluster.eds_cluster_config().service_name().empty() ? cluster.name() diff --git a/source/common/upstream/eds.h b/source/common/upstream/eds.h index d84f02091799..b7734f316c15 100644 --- a/source/common/upstream/eds.h +++ b/source/common/upstream/eds.h 
@@ -4,7 +4,7 @@ #include "envoy/api/v2/eds.pb.h" #include "envoy/config/subscription.h" #include "envoy/local_info/local_info.h" -#include "envoy/secret/secret_manager.h" +#include "envoy/secret/dynamic_secret_provider_factory.h" #include "common/upstream/locality.h" #include "common/upstream/upstream_impl.h" @@ -18,11 +18,12 @@ namespace Upstream { class EdsClusterImpl : public BaseDynamicClusterImpl, Config::SubscriptionCallbacks { public: - EdsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - const LocalInfo::LocalInfo& local_info, ClusterManager& cm, - Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, - bool added_via_api); + EdsClusterImpl( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, const LocalInfo::LocalInfo& local_info, + ClusterManager& cm, Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, + bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Secondary; } diff --git a/source/common/upstream/logical_dns_cluster.cc b/source/common/upstream/logical_dns_cluster.cc index 96844312523c..3ea1838b49fa 100644 --- a/source/common/upstream/logical_dns_cluster.cc +++ b/source/common/upstream/logical_dns_cluster.cc 
@@ -15,13 +15,14 @@ namespace Envoy { namespace Upstream { -LogicalDnsCluster::LogicalDnsCluster(const envoy::api::v2::Cluster& cluster, - Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, - Network::DnsResolverSharedPtr dns_resolver, - ThreadLocal::SlotAllocator& tls, ClusterManager& cm, - Event::Dispatcher& dispatcher, bool added_via_api) - : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), +LogicalDnsCluster::LogicalDnsCluster( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, + ThreadLocal::SlotAllocator& tls, ClusterManager& cm, Event::Dispatcher& dispatcher, + bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, + std::move(secret_provider_context)), dns_resolver_(dns_resolver), dns_refresh_rate_ms_( std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))), diff --git a/source/common/upstream/logical_dns_cluster.h b/source/common/upstream/logical_dns_cluster.h index fa0a94955472..a1f6eb7d6e11 100644 --- a/source/common/upstream/logical_dns_cluster.h +++ b/source/common/upstream/logical_dns_cluster.h 
@@ -28,10 +28,12 @@ namespace Upstream { */ class LogicalDnsCluster : public ClusterImplBase { public: - LogicalDnsCluster(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - Network::DnsResolverSharedPtr dns_resolver, ThreadLocal::SlotAllocator& tls, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api); + LogicalDnsCluster( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, + ThreadLocal::SlotAllocator& tls, ClusterManager& cm, Event::Dispatcher& dispatcher, + bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context); ~LogicalDnsCluster(); diff --git a/source/common/upstream/original_dst_cluster.cc b/source/common/upstream/original_dst_cluster.cc index d0e01a5bc851..c60930778df0 100644 --- a/source/common/upstream/original_dst_cluster.cc +++ b/source/common/upstream/original_dst_cluster.cc 
@@ -122,11 +122,13 @@ OriginalDstCluster::LoadBalancer::requestOverrideHost(LoadBalancerContext* conte return request_host; } -OriginalDstCluster::OriginalDstCluster(const envoy::api::v2::Cluster& config, - Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, - Event::Dispatcher& dispatcher, bool added_via_api) - : ClusterImplBase(config, runtime, stats, ssl_context_manager, cm, added_via_api), +OriginalDstCluster::OriginalDstCluster( + const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Event::Dispatcher& dispatcher, + bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + : ClusterImplBase(config, runtime, stats, ssl_context_manager, cm, added_via_api, + std::move(secret_provider_context)), dispatcher_(dispatcher), cleanup_interval_ms_(std::chrono::milliseconds( PROTOBUF_GET_MS_OR_DEFAULT(config, cleanup_interval, 5000))), cleanup_timer_(dispatcher.createTimer([this]() -> void { cleanup(); })) { diff --git a/source/common/upstream/original_dst_cluster.h b/source/common/upstream/original_dst_cluster.h index 5cb5107a3a4a..b8c6be64042c 100644 --- a/source/common/upstream/original_dst_cluster.h +++ b/source/common/upstream/original_dst_cluster.h 
@@ -23,9 +23,11 @@ namespace Upstream { */ class OriginalDstCluster : public ClusterImplBase { public: - OriginalDstCluster(const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api); + OriginalDstCluster( + const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Event::Dispatcher& dispatcher, + bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index ef33eaeeb9ba..2157c3727c6e 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -28,11 +28,14 @@ #include "common/network/socket_option_factory.h" #include "common/protobuf/protobuf.h" #include "common/protobuf/utility.h" +#include "common/secret/dynamic_secret_provider_factory_impl.h" #include "common/upstream/eds.h" #include "common/upstream/health_checker_impl.h" #include "common/upstream/logical_dns_cluster.h" #include "common/upstream/original_dst_cluster.h" +#include "server/transport_socket_config_impl.h" + #include "extensions/transport_sockets/well_known_names.h" namespace Envoy { 
@@ -361,20 +364,23 @@ ClusterSharedPtr ClusterImplBase::create( selected_dns_resolver = dispatcher.createDnsResolver(resolvers); } + auto secret_provider_context = + std::make_unique( + local_info, dispatcher, random, stats, cm); switch (cluster.type()) { case envoy::api::v2::Cluster::STATIC: - new_cluster.reset( - new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api)); + new_cluster.reset(new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, + added_via_api, std::move(secret_provider_context))); break; case envoy::api::v2::Cluster::STRICT_DNS: new_cluster.reset(new StrictDnsClusterImpl(cluster, runtime, stats, ssl_context_manager, - selected_dns_resolver, cm, dispatcher, - added_via_api)); + selected_dns_resolver, cm, dispatcher, added_via_api, + std::move(secret_provider_context))); break; case envoy::api::v2::Cluster::LOGICAL_DNS: new_cluster.reset(new LogicalDnsCluster(cluster, runtime, stats, ssl_context_manager, selected_dns_resolver, tls, cm, dispatcher, - added_via_api)); + added_via_api, std::move(secret_provider_context))); break; case envoy::api::v2::Cluster::ORIGINAL_DST: if (cluster.lb_policy() != envoy::api::v2::Cluster::ORIGINAL_DST_LB) { @@ -386,7 +392,8 @@ ClusterSharedPtr ClusterImplBase::create( "cluster: cluster type 'original_dst' may not be used with lb_subset_config")); } new_cluster.reset(new OriginalDstCluster(cluster, runtime, stats, ssl_context_manager, cm, - dispatcher, added_via_api)); + dispatcher, added_via_api, + std::move(secret_provider_context))); break; case envoy::api::v2::Cluster::EDS: if (!cluster.has_eds_cluster_config()) { 
@@ -395,7 +402,8 @@ ClusterSharedPtr ClusterImplBase::create( // We map SDS to EDS, since EDS provides backwards compatibility with SDS. new_cluster.reset(new EdsClusterImpl(cluster, runtime, stats, ssl_context_manager, local_info, - cm, dispatcher, random, added_via_api)); + cm, dispatcher, random, added_via_api, + std::move(secret_provider_context))); break; default: NOT_REACHED_GCOVR_EXCL_LINE; @@ -421,10 +429,10 @@ Stats::ScopePtr generateStatsScope(const envoy::api::v2::Cluster& config, Stats: : std::string(config.alt_stat_name()))); } -Network::TransportSocketFactoryPtr -createTransportSocketFactory(const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, - Init::Manager& init_manager) { +Network::TransportSocketFactoryPtr createTransportSocketFactory( + const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Init::Manager& init_manager, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) { // If the cluster config doesn't have a transport socket configured, override with the default // transport socket implementation based on the tls_context. We copy by value first then override // if necessary. @@ -440,7 +448,7 @@ createTransportSocketFactory(const envoy::api::v2::Cluster& config, Stats::Scope } Server::Configuration::TransportSocketFactoryContextImpl factory_context( - ssl_context_manager, stats_scope, cm, init_manager); + ssl_context_manager, stats_scope, cm, init_manager, std::move(secret_provider_context)); auto& config_factory = Config::Utility::getAndCheckFactory< Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); ProtobufTypes::MessagePtr message = 
@@ -451,13 +459,15 @@ createTransportSocketFactory(const envoy::api::v2::Cluster& config, Stats::Scope } // namespace -ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - ClusterManager& cm, bool added_via_api) +ClusterImplBase::ClusterImplBase( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) : runtime_(runtime) { auto stats_scope = generateStatsScope(cluster, stats); auto socket_factory = - createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, cm, init_manager_); + createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, cm, init_manager_, + std::move(secret_provider_context)); info_ = std::make_unique(cluster, cm.bindConfig(), runtime, std::move(socket_factory), std::move(stats_scope), added_via_api); @@ -777,11 +787,12 @@ void PriorityStateManager::updateClusterPrioritySet( hosts_removed.value_or({})); } -StaticClusterImpl::StaticClusterImpl(const envoy::api::v2::Cluster& cluster, - Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, - bool added_via_api) - : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), +StaticClusterImpl::StaticClusterImpl( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, + std::move(secret_provider_context)), initial_hosts_(new HostVector()) { for (const auto& host : cluster.hosts()) { 
@@ -955,13 +966,13 @@ bool BaseDynamicClusterImpl::updateDynamicHostList(const HostVector& new_hosts, } } -StrictDnsClusterImpl::StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluster, - Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, - Network::DnsResolverSharedPtr dns_resolver, - ClusterManager& cm, Event::Dispatcher& dispatcher, - bool added_via_api) - : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api), +StrictDnsClusterImpl::StrictDnsClusterImpl( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, + ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, + std::move(secret_provider_context)), dns_resolver_(dns_resolver), dns_refresh_rate_ms_( std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))) { diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index b073993b30a3..05196ff2f679 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -19,6 +19,7 @@ #include "envoy/local_info/local_info.h" #include "envoy/network/dns.h" #include "envoy/runtime/runtime.h" +#include "envoy/secret/dynamic_secret_provider_factory.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_manager.h" #include "envoy/thread_local/thread_local.h" @@ -40,7 +41,6 @@ #include "common/upstream/resource_manager_impl.h" #include "server/init_manager_impl.h" -#include "server/transport_socket_config_impl.h" namespace Envoy { namespace Upstream { 
@@ -473,9 +473,10 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable callback) override; protected: - ClusterImplBase(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, - bool added_via_api); + ClusterImplBase( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context); /** * Overridden by every concrete cluster. The cluster should do whatever pre-init is needed. E.g., @@ -578,9 +579,10 @@ class PriorityStateManager : protected Logger::Loggable { */ class StaticClusterImpl : public ClusterImplBase { public: - StaticClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - ClusterManager& cm, bool added_via_api); + StaticClusterImpl( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } 
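Review bot: The new `secret_provider_context` parameter on `ClusterImplBase` is undocumented, and the same parameter is forwarded untouched through the `StaticClusterImpl`, `StrictDnsClusterImpl`, `LogicalDnsCluster`, `OriginalDstCluster` and `EdsClusterImpl` declarations in the other header hunks, so a reader has no single place that says who ends up owning it. From upstream_impl.cc the base constructor moves it into `createTransportSocketFactory`, which sinks it into the `TransportSocketFactoryContextImpl` built for this cluster, so the protected constructor here could carry: `// secret_provider_context: owned context used to build SDS secret providers; ownership passes to the transport socket factory context created for this cluster.` The derived constructors can then just say that they forward it.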
@@ -609,10 +611,11 @@ class BaseDynamicClusterImpl : public ClusterImplBase { */ class StrictDnsClusterImpl : public BaseDynamicClusterImpl { public: - StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, - Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, - Network::DnsResolverSharedPtr dns_resolver, ClusterManager& cm, - Event::Dispatcher& dispatcher, bool added_via_api); + StrictDnsClusterImpl( + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, + Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, + ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } diff --git a/source/extensions/transport_sockets/ssl/config.cc b/source/extensions/transport_sockets/ssl/config.cc index 1d611482d40f..1b4695d7401e 100644 --- a/source/extensions/transport_sockets/ssl/config.cc +++ b/source/extensions/transport_sockets/ssl/config.cc @@ -16,12 +16,13 @@ namespace SslTransport { Network::TransportSocketFactoryPtr UpstreamSslSocketFactory::createTransportSocketFactory( const Protobuf::Message& message, Server::Configuration::TransportSocketFactoryContext& context) { - return std::make_unique( - Ssl::ClientContextConfigImpl( + std::unique_ptr upstream_config = + std::make_unique( MessageUtil::downcastAndValidate( message), - context.initManager(), context.clusterManager()), - context.sslContextManager(), context.statsScope()); + context.secretManager(), context.dynamicTlsCertificateSecretProviderFactory()); + return std::make_unique( + std::move(upstream_config), context.sslContextManager(), context.statsScope()); } ProtobufTypes::MessagePtr UpstreamSslSocketFactory::createEmptyConfigProto() { 
@@ -35,12 +36,14 @@ static Registry::RegisterFactory& server_names) { - return std::make_unique( - Ssl::ServerContextConfigImpl( + std::unique_ptr downstream_config = + std::make_unique( MessageUtil::downcastAndValidate( message), - context.initManager(), context.clusterManager()), - context.sslContextManager(), context.statsScope(), server_names); + context.secretManager(), context.dynamicTlsCertificateSecretProviderFactory()); + return std::make_unique(std::move(downstream_config), + context.sslContextManager(), + context.statsScope(), server_names); } ProtobufTypes::MessagePtr DownstreamSslSocketFactory::createEmptyConfigProto() { diff --git a/source/server/BUILD b/source/server/BUILD index 99661f9f62f7..708ac19bd813 100644 --- a/source/server/BUILD +++ b/source/server/BUILD @@ -216,6 +216,7 @@ envoy_cc_library( "//source/common/network:socket_option_factory_lib", "//source/common/network:utility_lib", "//source/common/protobuf:utility_lib", + "//source/common/secret:dynamic_secret_provider_factory_impl_lib", "//source/common/ssl:context_config_lib", "//source/extensions/filters/listener:well_known_names", "//source/extensions/filters/network:well_known_names", @@ -340,5 +341,6 @@ envoy_cc_library( hdrs = ["transport_socket_config_impl.h"], deps = [ "//include/envoy/server:transport_socket_config_interface", + "//source/common/secret:dynamic_secret_provider_factory_impl_lib", ], ) diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index 52f26fd95cdf..13a561ff9bb9 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc @@ -14,6 +14,7 @@ #include "common/network/socket_option_factory.h" #include "common/network/utility.h" #include "common/protobuf/utility.h" +#include "common/secret/dynamic_secret_provider_factory_impl.h" #include "server/configuration_impl.h" #include "server/drain_manager_impl.h" 
@@ -240,9 +241,13 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, const std::st filter_chain_match.application_protocols().begin(), filter_chain_match.application_protocols().end()); + auto secret_provider_context = + std::make_unique( + parent_.server_.localInfo(), parent_.server_.dispatcher(), parent_.server_.random(), + parent_.server_.stats(), parent_.server_.clusterManager()); Server::Configuration::TransportSocketFactoryContextImpl factory_context( parent_.server_.sslContextManager(), *listener_scope_, parent_.server_.clusterManager(), - initManager()); + initManager(), std::move(secret_provider_context)); addFilterChain(PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0), destination_ips, server_names, filter_chain_match.transport_protocol(), application_protocols, diff --git a/source/server/transport_socket_config_impl.h b/source/server/transport_socket_config_impl.h index c651e0ccad3a..0c56c60054e2 100644 --- a/source/server/transport_socket_config_impl.h +++ b/source/server/transport_socket_config_impl.h @@ -2,6 +2,8 @@ #include "envoy/server/transport_socket_config.h" +#include "common/secret/dynamic_secret_provider_factory_impl.h" + namespace Envoy { namespace Server { namespace Configuration { 
@@ -11,10 +13,13 @@ namespace Configuration { */ class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { public: - TransportSocketFactoryContextImpl(Ssl::ContextManager& context_manager, Stats::Scope& stats_scope, - Upstream::ClusterManager& cm, Init::Manager& init_manager) + TransportSocketFactoryContextImpl( + Ssl::ContextManager& context_manager, Stats::Scope& stats_scope, Upstream::ClusterManager& cm, + Init::Manager& init_manager, + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) : context_manager_(context_manager), stats_scope_(stats_scope), cluster_manager_(cm), - init_manager_(init_manager) {} + init_manager_(init_manager), secret_provider_context_(std::move(secret_provider_context)), + secret_provider_factory_(*secret_provider_context_, init_manager_) {} Ssl::ContextManager& sslContextManager() override { return context_manager_; } @@ -24,11 +29,22 @@ class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { Upstream::ClusterManager& clusterManager() override { return cluster_manager_; } + Secret::SecretManager& secretManager() override { + return cluster_manager_.clusterManagerFactory().secretManager(); + } + + Secret::DynamicTlsCertificateSecretProviderFactory& + dynamicTlsCertificateSecretProviderFactory() override { + return secret_provider_factory_; + } + private: Ssl::ContextManager& context_manager_; Stats::Scope& stats_scope_; Upstream::ClusterManager& cluster_manager_; Init::Manager& init_manager_; + Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context_; + Secret::DynamicTlsCertificateSecretProviderFactoryImpl secret_provider_factory_; }; } // namespace Configuration diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index 17ca782653e8..9e9aa54addd9 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h 
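Review bot: The initializer list dereferences `secret_provider_context_` to build `secret_provider_factory_`, so correctness silently depends on two things the code does not state: `secret_provider_context_` must stay declared before `secret_provider_factory_` (it currently is), and no caller may pass a null `unique_ptr`. A null check cannot live in the initializer list, so at least annotate the member declarations with `// Declaration order matters: secret_provider_factory_ is initialized from *secret_provider_context_, which must be non-null.`. The new `secretManager()` accessor also reaches through `cluster_manager_.clusterManagerFactory().secretManager()`, the same reach-through `DynamicTlsCertificateSecretProviderFactoryContextImpl` performs elsewhere in this series; taking the `Secret::SecretManager&` once in the constructor would remove the duplication.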
+++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -446,10 +446,11 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/clientkey.pem")); } - Ssl::ClientContextConfigImpl cfg(tls_context, server_.secretManager(), init_manager_); - mock_cluster_info_->transport_socket_factory_ = - std::make_unique(cfg, context_manager_, *stats_store_); + Ssl::ClientContextConfigPtr cfg = std::make_unique( + tls_context, server_.secretManager(), init_manager_); + mock_cluster_info_->transport_socket_factory_ = std::make_unique( + std::move(cfg), context_manager_, *stats_store_); ON_CALL(*mock_cluster_info_, transportSocketFactory()) .WillByDefault(ReturnRef(*mock_cluster_info_->transport_socket_factory_)); async_client_transport_socket_ = @@ -475,12 +476,12 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { validation_context->mutable_trusted_ca()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); } - - Ssl::ServerContextConfigImpl cfg(tls_context, server_.secretManager(), init_manager_); + Ssl::ServerContextConfigPtr cfg = std::make_unique( + tls_context, server_.secretManager(), init_manager_); static Stats::Scope* upstream_stats_store = new Stats::IsolatedStoreImpl(); return std::make_unique( - cfg, context_manager_, *upstream_stats_store, std::vector{}); + std::move(cfg), context_manager_, *upstream_stats_store, std::vector{}); } bool use_client_cert_{}; diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index 2d27a50bd069..4f7a8c60de8a 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc 
@@ -61,10 +61,11 @@ createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& conte Server::MockInstance server; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); NiceMock init_manager; - ClientContextConfigImpl cfg(*loader, server.secretManager(), init_manager); + ClientContextConfigPtr cfg = + std::make_unique(*loader, server.secretManager(), init_manager); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ - new Ssl::ClientSslSocketFactory(cfg, context_manager, *client_stats_store)}; + new Ssl::ClientSslSocketFactory(std::move(cfg), context_manager, *client_stats_store)}; } Network::Address::InstanceConstSharedPtr getSslAddress(const Network::Address::IpVersion& version, diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index e990162863d4..2ea8a003b300 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc @@ -61,10 +61,12 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createClientSslContext(b target = json_tls; } Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); + Ssl::ClientContextConfigPtr cfg = std::make_unique( + *loader, server_.secretManager(), init_manager_); Ssl::ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ - new Ssl::ClientSslSocketFactory(cfg, *context_manager_, *client_stats_store)}; + new Ssl::ClientSslSocketFactory(std::move(cfg), *context_manager_, *client_stats_store)}; } Network::TransportSocketFactoryPtr XfccIntegrationTest::createUpstreamSslContext() { 
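Review bot: The `xfcc_integration_test.cc` hunk leaves the old `Ssl::ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_);` in place as a context line directly after the new `Ssl::ClientContextConfigPtr cfg = std::make_unique(...)`, so `cfg` is declared twice in `createClientSslContext` and the test file will not compile. The hunk header (10 old lines, 12 new) is consistent with that line not having been removed, although a `-` marker lost in rendering cannot be entirely excluded. The intended change is the one `createUpstreamSslContext` makes just below: delete the `ClientContextConfigImpl` line and keep only the `unique_ptr` version that is then `std::move`d into `ClientSslSocketFactory`.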
@@ -76,10 +78,11 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createUpstreamSslContext )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - Ssl::ServerContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); + Ssl::ServerContextConfigPtr cfg = std::make_unique( + *loader, server_.secretManager(), init_manager_); static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return std::make_unique( - cfg, *context_manager_, *upstream_stats_store, std::vector{}); + std::move(cfg), *context_manager_, *upstream_stats_store, std::vector{}); } Network::ClientConnectionPtr XfccIntegrationTest::makeClientConnection() { diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h index 74fbf2646784..ba7de191e222 100644 --- a/test/mocks/secret/mocks.h +++ b/test/mocks/secret/mocks.h @@ -14,12 +14,21 @@ class MockSecretManager : public SecretManager { MockSecretManager(); ~MockSecretManager(); + MOCK_METHOD0(localInfo, const LocalInfo::LocalInfo&()); + MOCK_METHOD0(dispatcher, Event::Dispatcher&()); + MOCK_METHOD0(random, Runtime::RandomGenerator&()); + MOCK_METHOD0(stats, Stats::Store&()); + MOCK_METHOD1(addStaticSecret, void(const envoy::api::v2::auth::Secret& secret)); MOCK_CONST_METHOD1(findStaticTlsCertificate, Ssl::TlsCertificateConfig*(const std::string& name)); - MOCK_METHOD3(findOrCreateDynamicTlsCertificateSecretProvider, + MOCK_METHOD2(findDynamicTlsCertificateSecretProvider, DynamicTlsCertificateSecretProviderSharedPtr( const envoy::api::v2::core::ConfigSource& config_source, - const std::string& config_name, Init::Manager& init_manager)); + const std::string& config_name)); + MOCK_METHOD3(setDynamicTlsCertificateSecretProvider, + void(const envoy::api::v2::core::ConfigSource& config_source, + const std::string& config_name, + DynamicTlsCertificateSecretProviderSharedPtr provider)); }; class MockDynamicTlsCertificateSecretProvider : public DynamicTlsCertificateSecretProvider { 
From 3ccc5cbb651fc076c21057e9a0b9a547ffdfda2d Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Wed, 18 Jul 2018 17:47:07 -0700 Subject: [PATCH 50/55] add more file Signed-off-by: JimmyCYJ --- .../secret/dynamic_secret_provider_factory.h | 73 ++++++++++++++++++ .../dynamic_secret_provider_factory_impl.h | 75 +++++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 include/envoy/secret/dynamic_secret_provider_factory.h create mode 100644 source/common/secret/dynamic_secret_provider_factory_impl.h diff --git a/include/envoy/secret/dynamic_secret_provider_factory.h b/include/envoy/secret/dynamic_secret_provider_factory.h new file mode 100644 index 000000000000..d0096335e876 --- /dev/null +++ b/include/envoy/secret/dynamic_secret_provider_factory.h 
@@ -0,0 +1,73 @@
+#pragma once
+
+#include "envoy/api/v2/core/config_source.pb.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/local_info/local_info.h"
+#include "envoy/runtime/runtime.h"
+#include "envoy/secret/dynamic_secret_provider.h"
+#include "envoy/stats/stats.h"
+#include "envoy/upstream/cluster_manager.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * DynamicTlsCertificateSecretProviderFactoryContext passed to
+ * DynamicTlsCertificateSecretProviderFactory to access resources which are needed for creating
+ * dynamic tls certificate secret provider.
+ */
+class DynamicTlsCertificateSecretProviderFactoryContext {
+public:
+ virtual ~DynamicTlsCertificateSecretProviderFactoryContext() {}
+
+ /**
+ * @return information about the local environment the server is running in.
+ */
+ virtual const LocalInfo::LocalInfo& local_info() PURE;
+
+ /**
+ * @return Event::Dispatcher& the main thread's dispatcher.
+ */
+ virtual Event::Dispatcher& dispatcher() PURE;
+
+ /**
+ * @return RandomGenerator& the random generator for the server.
+ */
+ virtual Runtime::RandomGenerator& random() PURE;
+
+ /**
+ * @return the server-wide stats store.
+ */
+ virtual Stats::Store& stats() PURE;
+
+ /**
+ * @return Upstream::ClusterManager.
+ */
+ virtual Upstream::ClusterManager& cluster_manager() PURE;
+};
+
+typedef std::unique_ptr
+ DynamicTlsCertificateSecretProviderFactoryContextPtr;
+
+/**
+ * Factory for creating dynamic TlsCertificate secret provider.
+ */
+class DynamicTlsCertificateSecretProviderFactory {
+public:
+ virtual ~DynamicTlsCertificateSecretProviderFactory() {}
+
+ /**
+ * Finds and returns a secret provider associated to SDS config. Create a new one
+ * if such provider does not exist.
+ *
+ * @param config_source a protobuf message object contains SDS config source.
+ * @param config_name a name that uniquely refers to the SDS config source.
+ * @return the dynamic tls certificate secret provider.
+ */
+ virtual DynamicTlsCertificateSecretProviderSharedPtr
+ findOrCreateDynamicTlsCertificateSecretProvider(
+ const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) PURE;
+};
+
+} // namespace Secret
+} // namespace Envoy
\ No newline at end of file
diff --git a/source/common/secret/dynamic_secret_provider_factory_impl.h b/source/common/secret/dynamic_secret_provider_factory_impl.h
new file mode 100644
index 000000000000..432678ca79e4
--- /dev/null
+++ b/source/common/secret/dynamic_secret_provider_factory_impl.h
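Review bot: The Doxygen block on `findOrCreateDynamicTlsCertificateSecretProvider` documents `@param config_source` and `@param config_name`, but the declaration names the parameters `sds_config` and `sds_config_name`, so the tags should be renamed to `@param sds_config` / `@param sds_config_name`. `sds_config_name` is also taken by value as `std::string` although it is only read; `const std::string& sds_config_name` avoids a copy per lookup. The accessors `local_info()` and `cluster_manager()` are snake_case while the neighbouring `TransportSocketFactoryContext` interface uses camelCase (`statsScope()`, `clusterManager()`), and the file is added without a trailing newline.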
@@ -0,0 +1,75 @@
+#pragma once
+
+#include 
+
+#include "envoy/init/init.h"
+#include "envoy/secret/dynamic_secret_provider.h"
+#include "envoy/secret/dynamic_secret_provider_factory.h"
+#include "envoy/secret/secret_manager.h"
+
+#include "common/secret/sds_api.h"
+
+namespace Envoy {
+namespace Secret {
+
+class DynamicTlsCertificateSecretProviderFactoryContextImpl
+ : public DynamicTlsCertificateSecretProviderFactoryContext {
+public:
+ DynamicTlsCertificateSecretProviderFactoryContextImpl(const LocalInfo::LocalInfo& local_info,
+ Event::Dispatcher& dispatcher,
+ Runtime::RandomGenerator& random,
+ Stats::Store& stats,
+ Upstream::ClusterManager& cluster_manager)
+ : local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats),
+ cluster_manager_(cluster_manager),
+ secret_manager_(cluster_manager.clusterManagerFactory().secretManager()) {}
+
+ const LocalInfo::LocalInfo& local_info() override { return local_info_; }
+
+ Event::Dispatcher& dispatcher() override { return dispatcher_; }
+
+ Runtime::RandomGenerator& random() override { return random_; }
+
+ Stats::Store& stats() override { return stats_; }
+
+ Upstream::ClusterManager& cluster_manager() override { return cluster_manager_; }
+
+private:
+ const LocalInfo::LocalInfo& local_info_;
+ Event::Dispatcher& dispatcher_;
+ Runtime::RandomGenerator& random_;
+ Stats::Store& stats_;
+ Upstream::ClusterManager& cluster_manager_;
+ Secret::SecretManager& secret_manager_;
+};
+
+class DynamicTlsCertificateSecretProviderFactoryImpl
+ : public DynamicTlsCertificateSecretProviderFactory {
+public:
+ DynamicTlsCertificateSecretProviderFactoryImpl(
+ DynamicTlsCertificateSecretProviderFactoryContext& context, Init::Manager& init_manager)
+ : context_(context), init_manager_(init_manager) {}
+
+ DynamicTlsCertificateSecretProviderSharedPtr findOrCreateDynamicTlsCertificateSecretProvider(
+ const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) override {
+
Secret::SecretManager& secret_manager = + context_.cluster_manager().clusterManagerFactory().secretManager(); + auto secret_provider = + secret_manager.findDynamicTlsCertificateSecretProvider(sds_config, sds_config_name); + if (!secret_provider) { + secret_provider = std::make_shared( + context_.local_info(), context_.dispatcher(), context_.random(), context_.stats(), + context_.cluster_manager(), init_manager_, sds_config, sds_config_name); + secret_manager.setDynamicTlsCertificateSecretProvider(sds_config, sds_config_name, + secret_provider); + } + return secret_provider; + } + +private: + DynamicTlsCertificateSecretProviderFactoryContext& context_; + Init::Manager& init_manager_; +}; + +} // namespace Secret +} // namespace Envoy \ No newline at end of file From d219d6229f0758b6d6a5a25528b2bfdc065c91d0 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Thu, 19 Jul 2018 12:00:47 -0700 Subject: [PATCH 51/55] pass DynamicTlsCertificateSecretProviderFactoryContext by reference. Signed-off-by: JimmyCYJ --- .../secret/dynamic_secret_provider_factory.h | 7 ++-- .../dynamic_secret_provider_factory_impl.h | 5 +-- source/common/secret/secret_manager_impl.cc | 7 ++-- source/common/secret/secret_manager_impl.h | 3 -- source/common/ssl/context_config_impl.cc | 2 +- source/common/upstream/eds.cc | 4 +-- source/common/upstream/eds.h | 2 +- source/common/upstream/logical_dns_cluster.cc | 4 +-- source/common/upstream/logical_dns_cluster.h | 2 +- .../common/upstream/original_dst_cluster.cc | 4 +-- source/common/upstream/original_dst_cluster.h | 2 +- source/common/upstream/upstream_impl.cc | 35 +++++++++---------- source/common/upstream/upstream_impl.h | 6 ++-- source/server/listener_manager_impl.cc | 9 +++-- source/server/transport_socket_config_impl.h | 8 ++--- 15 files changed, 46 insertions(+), 54 deletions(-) diff --git a/include/envoy/secret/dynamic_secret_provider_factory.h b/include/envoy/secret/dynamic_secret_provider_factory.h index d0096335e876..0241360f874d 100644 
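Review bot: `DynamicTlsCertificateSecretProviderFactoryContextImpl` stores `secret_manager_` but nothing in the class reads it; `findOrCreateDynamicTlsCertificateSecretProvider` instead re-derives the same object via `context_.cluster_manager().clusterManagerFactory().secretManager()`. An unused private reference member is likely to trip clang's `-Wunused-private-field`, which I believe is fatal under this project's `-Werror`, and the duplicated reach-through is the kind of thing that drifts. Either expose it from the context (`virtual Secret::SecretManager& secretManager() PURE;`, then `context_.secretManager()` here) or drop the member. The `find` followed by `set` is also a check-then-act; it is fine if providers are only ever created on the main thread, and `// Main thread only: the find/set pair is not synchronized.` above the lookup would make that assumption reviewable.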
--- a/include/envoy/secret/dynamic_secret_provider_factory.h +++ b/include/envoy/secret/dynamic_secret_provider_factory.h @@ -46,9 +46,6 @@ class DynamicTlsCertificateSecretProviderFactoryContext { virtual Upstream::ClusterManager& cluster_manager() PURE; }; -typedef std::unique_ptr - DynamicTlsCertificateSecretProviderFactoryContextPtr; - /** * Factory for creating dynamic TlsCertificate secret provider. */ @@ -65,8 +62,8 @@ class DynamicTlsCertificateSecretProviderFactory { * @return the dynamic tls certificate secret provider. */ virtual DynamicTlsCertificateSecretProviderSharedPtr - findOrCreateDynamicTlsCertificateSecretProvider( - const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) PURE; + findOrCreate(const envoy::api::v2::core::ConfigSource& sds_config, + std::string sds_config_name) PURE; }; } // namespace Secret diff --git a/source/common/secret/dynamic_secret_provider_factory_impl.h b/source/common/secret/dynamic_secret_provider_factory_impl.h index 432678ca79e4..a08ca7e94865 100644 --- a/source/common/secret/dynamic_secret_provider_factory_impl.h +++ b/source/common/secret/dynamic_secret_provider_factory_impl.h @@ -50,8 +50,9 @@ class DynamicTlsCertificateSecretProviderFactoryImpl DynamicTlsCertificateSecretProviderFactoryContext& context, Init::Manager& init_manager) : context_(context), init_manager_(init_manager) {} - DynamicTlsCertificateSecretProviderSharedPtr findOrCreateDynamicTlsCertificateSecretProvider( - const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) override { + DynamicTlsCertificateSecretProviderSharedPtr + findOrCreate(const envoy::api::v2::core::ConfigSource& sds_config, + std::string sds_config_name) override { Secret::SecretManager& secret_manager = context_.cluster_manager().clusterManagerFactory().secretManager(); auto secret_provider = 
diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index 98e29e84ade9..36bcf639fb89 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -36,12 +36,13 @@ void SecretManagerImpl::removeDeletedSecretProvider() { } } -std::string SecretManagerImpl::getDynamicTlsCertificateSecretProviderHash( - const envoy::api::v2::core::ConfigSource& sds_config_source, - const std::string& config_name) const { +namespace { +std::string getDynamicTlsCertificateSecretProviderHash( + const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name) { auto hash = MessageUtil::hash(sds_config_source); return std::to_string(hash) + config_name; } +} // namespace DynamicTlsCertificateSecretProviderSharedPtr SecretManagerImpl::findDynamicTlsCertificateSecretProvider( diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 194458969015..e4bbf994f41e 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -30,9 +30,6 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable void { cleanup(); })) { diff --git a/source/common/upstream/original_dst_cluster.h b/source/common/upstream/original_dst_cluster.h index b8c6be64042c..01a010ff6183 100644 --- a/source/common/upstream/original_dst_cluster.h +++ b/source/common/upstream/original_dst_cluster.h 
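Review bot: The key built by `getDynamicTlsCertificateSecretProviderHash` is `std::to_string(hash) + config_name` with no separator, so distinct (config source, config name) pairs can map to the same key, e.g. hash `12` with name `"34"` and hash `123` with name `"4"`; on a collision `findDynamicTlsCertificateSecretProvider` hands back another config's provider, i.e. potentially another listener's or cluster's certificate. Because `to_string` yields only digits, any non-digit separator makes the split unambiguous: `return std::to_string(hash) + ":" + config_name;`. A unit test asserting that those two inputs produce different providers would pin this.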
@@ -27,7 +27,7 @@ class OriginalDstCluster : public ClusterImplBase { const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context); + Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 2157c3727c6e..cc3c73b44178 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc 
@@ -364,23 +364,22 @@ ClusterSharedPtr ClusterImplBase::create( selected_dns_resolver = dispatcher.createDnsResolver(resolvers); } - auto secret_provider_context = - std::make_unique( - local_info, dispatcher, random, stats, cm); + Secret::DynamicTlsCertificateSecretProviderFactoryContextImpl secret_provider_context( + local_info, dispatcher, random, stats, cm); switch (cluster.type()) { case envoy::api::v2::Cluster::STATIC: new_cluster.reset(new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, - added_via_api, std::move(secret_provider_context))); + added_via_api, secret_provider_context)); break; case envoy::api::v2::Cluster::STRICT_DNS: new_cluster.reset(new StrictDnsClusterImpl(cluster, runtime, stats, ssl_context_manager, selected_dns_resolver, cm, dispatcher, added_via_api, - std::move(secret_provider_context))); + secret_provider_context)); break; case envoy::api::v2::Cluster::LOGICAL_DNS: new_cluster.reset(new LogicalDnsCluster(cluster, runtime, stats, ssl_context_manager, selected_dns_resolver, tls, cm, dispatcher, - added_via_api, std::move(secret_provider_context))); + added_via_api, secret_provider_context)); break; case envoy::api::v2::Cluster::ORIGINAL_DST: if (cluster.lb_policy() != envoy::api::v2::Cluster::ORIGINAL_DST_LB) { @@ -392,8 +391,7 @@ ClusterSharedPtr ClusterImplBase::create( "cluster: cluster type 'original_dst' may not be used with lb_subset_config")); } new_cluster.reset(new OriginalDstCluster(cluster, runtime, stats, ssl_context_manager, cm, - dispatcher, added_via_api, - std::move(secret_provider_context))); + dispatcher, added_via_api, secret_provider_context)); break; case envoy::api::v2::Cluster::EDS: if (!cluster.has_eds_cluster_config()) { 
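Review bot: `secret_provider_context` is now a stack local of `ClusterImplBase::create()` passed by reference into every cluster constructor, so it is destroyed when `create()` returns; that is only safe if no cluster or transport socket config keeps the reference past construction, which cannot be confirmed from this diff (`create()` continues outside the hunk). A comment at the declaration, `// Scoped to create(): clusters must consume this during construction and must not retain it.`, would state the contract; having `ClusterImplBase` own a context built from the same references would remove the question entirely.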
@@ -403,7 +401,7 @@ ClusterSharedPtr ClusterImplBase::create( // We map SDS to EDS, since EDS provides backwards compatibility with SDS. new_cluster.reset(new EdsClusterImpl(cluster, runtime, stats, ssl_context_manager, local_info, cm, dispatcher, random, added_via_api, - std::move(secret_provider_context))); + secret_provider_context)); break; default: NOT_REACHED_GCOVR_EXCL_LINE; @@ -432,7 +430,7 @@ Stats::ScopePtr generateStatsScope(const envoy::api::v2::Cluster& config, Stats: Network::TransportSocketFactoryPtr createTransportSocketFactory( const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Init::Manager& init_manager, - Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) { + Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) { // If the cluster config doesn't have a transport socket configured, override with the default // transport socket implementation based on the tls_context. We copy by value first then override // if necessary. @@ -448,7 +446,7 @@ Network::TransportSocketFactoryPtr createTransportSocketFactory( } Server::Configuration::TransportSocketFactoryContextImpl factory_context( - ssl_context_manager, stats_scope, cm, init_manager, std::move(secret_provider_context)); + ssl_context_manager, stats_scope, cm, init_manager, secret_provider_context); auto& config_factory = Config::Utility::getAndCheckFactory< Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); ProtobufTypes::MessagePtr message = 
@@ -462,12 +460,11 @@ Network::TransportSocketFactoryPtr createTransportSocketFactory( ClusterImplBase::ClusterImplBase( const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) : runtime_(runtime) { auto stats_scope = generateStatsScope(cluster, stats); - auto socket_factory = - createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, cm, init_manager_, - std::move(secret_provider_context)); + auto socket_factory = createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, cm, + init_manager_, secret_provider_context); info_ = std::make_unique(cluster, cm.bindConfig(), runtime, std::move(socket_factory), std::move(stats_scope), added_via_api); @@ -790,9 +787,9 @@ void PriorityStateManager::updateClusterPrioritySet( StaticClusterImpl::StaticClusterImpl( const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, - std::move(secret_provider_context)), + secret_provider_context), initial_hosts_(new HostVector()) { for (const auto& host : cluster.hosts()) { 
@@ -970,9 +967,9 @@ StrictDnsClusterImpl::StrictDnsClusterImpl( const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, - std::move(secret_provider_context)), + secret_provider_context), dns_resolver_(dns_resolver), dns_refresh_rate_ms_( std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))) { diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 05196ff2f679..18f51417db59 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -476,7 +476,7 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable( - parent_.server_.localInfo(), parent_.server_.dispatcher(), parent_.server_.random(), - parent_.server_.stats(), parent_.server_.clusterManager()); + Secret::DynamicTlsCertificateSecretProviderFactoryContextImpl secret_provider_context( + parent_.server_.localInfo(), parent_.server_.dispatcher(), parent_.server_.random(), + parent_.server_.stats(), parent_.server_.clusterManager()); Server::Configuration::TransportSocketFactoryContextImpl factory_context( parent_.server_.sslContextManager(), *listener_scope_, parent_.server_.clusterManager(), - initManager(), std::move(secret_provider_context)); + initManager(), secret_provider_context); addFilterChain(PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0), destination_ips, server_names, filter_chain_match.transport_protocol(), application_protocols, 
diff --git a/source/server/transport_socket_config_impl.h b/source/server/transport_socket_config_impl.h index 0c56c60054e2..1731fd7c0723 100644 --- a/source/server/transport_socket_config_impl.h +++ b/source/server/transport_socket_config_impl.h @@ -16,10 +16,10 @@ class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { TransportSocketFactoryContextImpl( Ssl::ContextManager& context_manager, Stats::Scope& stats_scope, Upstream::ClusterManager& cm, Init::Manager& init_manager, - Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context) + Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) : context_manager_(context_manager), stats_scope_(stats_scope), cluster_manager_(cm), - init_manager_(init_manager), secret_provider_context_(std::move(secret_provider_context)), - secret_provider_factory_(*secret_provider_context_, init_manager_) {} + init_manager_(init_manager), secret_provider_context_(secret_provider_context), + secret_provider_factory_(secret_provider_context_, init_manager_) {} Ssl::ContextManager& sslContextManager() override { return context_manager_; } @@ -43,7 +43,7 @@ class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { Stats::Scope& stats_scope_; Upstream::ClusterManager& cluster_manager_; Init::Manager& init_manager_; - Secret::DynamicTlsCertificateSecretProviderFactoryContextPtr secret_provider_context_; + Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context_; Secret::DynamicTlsCertificateSecretProviderFactoryImpl secret_provider_factory_; }; From 621b9fb2193f358bd6fc8e94fe0bbf73c61f3d34 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Fri, 20 Jul 2018 16:16:56 -0700 Subject: [PATCH 52/55] Merge DynamicTlsCertificateSecretProviderFactoryContext into TransportSocketFactoryContext. 
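Review bot: `secret_provider_context_` is kept as a reference member but is only used to initialize `secret_provider_factory_` in the same initializer list, so it is dead state that additionally depends on declaration order. Initialize the factory straight from the constructor parameter and drop the member: `secret_provider_factory_(secret_provider_context, init_manager_)`, with `Secret::DynamicTlsCertificateSecretProviderFactoryImpl secret_provider_factory_;` as the only new field. Since the factory still holds the context by reference, the class comment should say that the caller's context must outlive this object.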
Signed-off-by: JimmyCYJ --- .../secret/dynamic_secret_provider_factory.h | 38 +---- include/envoy/server/BUILD | 4 + .../envoy/server/transport_socket_config.h | 28 +++- .../dynamic_secret_provider_factory_impl.h | 65 +++----- source/common/upstream/eds.cc | 21 +-- source/common/upstream/eds.h | 10 +- source/common/upstream/logical_dns_cluster.cc | 16 +- source/common/upstream/logical_dns_cluster.h | 11 +- .../common/upstream/original_dst_cluster.cc | 17 +-- source/common/upstream/original_dst_cluster.h | 10 +- source/common/upstream/upstream_impl.cc | 144 +++++++++--------- source/common/upstream/upstream_impl.h | 26 ++-- source/server/listener_manager_impl.cc | 7 +- source/server/transport_socket_config_impl.h | 39 +++-- 14 files changed, 206 insertions(+), 230 deletions(-) diff --git a/include/envoy/secret/dynamic_secret_provider_factory.h b/include/envoy/secret/dynamic_secret_provider_factory.h index 0241360f874d..32fa10a63f74 100644 --- a/include/envoy/secret/dynamic_secret_provider_factory.h +++ b/include/envoy/secret/dynamic_secret_provider_factory.h 
@@ -11,41 +11,6 @@ namespace Envoy { namespace Secret { -/** - * DynamicTlsCertificateSecretProviderFactoryContext passed to - * DynamicTlsCertificateSecretProviderFactory to access resources which are needed for creating - * dynamic tls certificate secret provider. - */ -class DynamicTlsCertificateSecretProviderFactoryContext { -public: - virtual ~DynamicTlsCertificateSecretProviderFactoryContext() {} - - /** - * @return information about the local environment the server is running in. - */ - virtual const LocalInfo::LocalInfo& local_info() PURE; - - /** - * @return Event::Dispatcher& the main thread's dispatcher. - */ - virtual Event::Dispatcher& dispatcher() PURE; - - /** - * @return RandomGenerator& the random generator for the server. - */ - virtual Runtime::RandomGenerator& random() PURE; - - /** - * @return the server-wide stats store. - */ - virtual Stats::Store& stats() PURE; - - /** - * @return Upstream::ClusterManager. - */ - virtual Upstream::ClusterManager& cluster_manager() PURE; -}; - /** * Factory for creating dynamic TlsCertificate secret provider. */ @@ -66,5 +31,8 @@ class DynamicTlsCertificateSecretProviderFactory { std::string sds_config_name) PURE; }; +typedef std::unique_ptr + DynamicTlsCertificateSecretProviderFactoryPtr; + } // namespace Secret } // namespace Envoy \ No newline at end of file diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD index 284288afce42..bc312f38a07c 100644 --- a/include/envoy/server/BUILD +++ b/include/envoy/server/BUILD 
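Review bot: With `DynamicTlsCertificateSecretProviderFactoryContext` removed, the includes this header pulled in for it when it was created earlier in the series (`envoy/event/dispatcher.h`, `envoy/local_info/local_info.h`, `envoy/runtime/runtime.h`, `envoy/stats/stats.h`, `envoy/upstream/cluster_manager.h`) appear to serve nothing left in the file; the include block is outside this hunk, so please confirm and trim them, otherwise the secret interface keeps a needless dependency on the cluster manager. The file also still ends without a newline, and the new `DynamicTlsCertificateSecretProviderFactoryPtr` typedef has no comment; `// Owning pointer to a factory; presumably created on demand by TransportSocketFactoryContext.` would do.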
@@ -175,11 +175,15 @@ envoy_cc_library( name = "transport_socket_config_interface", hdrs = ["transport_socket_config.h"], deps = [ + "//include/envoy/event:dispatcher_interface", "//include/envoy/init:init_interface", + "//include/envoy/local_info:local_info_interface", "//include/envoy/network:transport_socket_interface", + "//include/envoy/runtime:runtime_interface", "//include/envoy/secret:dynamic_secret_provider_factory_interface", "//include/envoy/secret:secret_manager_interface", "//include/envoy/ssl:context_manager_interface", + "//include/envoy/stats:stats_interface", "//include/envoy/upstream:cluster_manager_interface", "//source/common/protobuf", ], diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h index 24fdf4b145c2..c1b25ecb9b54 100644 --- a/include/envoy/server/transport_socket_config.h +++ b/include/envoy/server/transport_socket_config.h @@ -2,11 +2,15 @@ #include +#include "envoy/event/dispatcher.h" #include "envoy/init/init.h" +#include "envoy/local_info/local_info.h" #include "envoy/network/transport_socket.h" +#include "envoy/runtime/runtime.h" #include "envoy/secret/dynamic_secret_provider_factory.h" #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_manager.h" +#include "envoy/stats/stats.h" #include "envoy/upstream/cluster_manager.h" #include "common/protobuf/protobuf.h" @@ -33,9 +37,9 @@ class TransportSocketFactoryContext { virtual Stats::Scope& statsScope() const PURE; /** - * @return the instance of init manager. + * @return the instance of ClusterManager. */ - virtual Init::Manager& initManager() PURE; + virtual Upstream::ClusterManager& clusterManager() PURE; /** * Return the instance of secret manager. 
@@ -43,10 +47,26 @@ class TransportSocketFactoryContext { virtual Secret::SecretManager& secretManager() PURE; /** - * @return the instance of ClusterManager. + * @return information about the local environment the server is running in. */ - virtual Upstream::ClusterManager& clusterManager() PURE; + virtual const LocalInfo::LocalInfo& local_info() PURE; + + /** + * @return Event::Dispatcher& the main thread's dispatcher. + */ + virtual Event::Dispatcher& dispatcher() PURE; + + /** + * @return RandomGenerator& the random generator for the server. + */ + virtual Envoy::Runtime::RandomGenerator& random() PURE; + + /** + * @return the server-wide stats store. + */ + virtual Stats::Store& stats() PURE; + virtual void createDynamicTlsCertificateSecretProviderFactory(Init::Manager& init_manager) PURE; /** * @return the factory of dynamic tls certificate secret provider. */ diff --git a/source/common/secret/dynamic_secret_provider_factory_impl.h b/source/common/secret/dynamic_secret_provider_factory_impl.h index a08ca7e94865..738778e4bf11 100644 --- a/source/common/secret/dynamic_secret_provider_factory_impl.h +++ b/source/common/secret/dynamic_secret_provider_factory_impl.h 
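Review bot: `createDynamicTlsCertificateSecretProviderFactory(Init::Manager&)` turns the context into a two-phase object, yet it is undocumented and nothing says what `dynamicTlsCertificateSecretProviderFactory()` returns before it is called; add `/** Creates the factory returned by dynamicTlsCertificateSecretProviderFactory(); must be called exactly once before that accessor is used. */` and have implementations `ASSERT` in the accessor that the factory exists. The same hunk silently drops `initManager()` from `TransportSocketFactoryContext`, which breaks any transport socket config factory outside this diff that used it and deserves a mention in the commit message. Also, `local_info()` is the only snake_case method on an otherwise camelCase interface (`statsScope()`, `clusterManager()`, `secretManager()`); `localInfo()` matches the rest.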
@@ -12,63 +12,42 @@ namespace Envoy { namespace Secret { -class DynamicTlsCertificateSecretProviderFactoryContextImpl - : public DynamicTlsCertificateSecretProviderFactoryContext { -public: - DynamicTlsCertificateSecretProviderFactoryContextImpl(const LocalInfo::LocalInfo& local_info, - Event::Dispatcher& dispatcher, - Runtime::RandomGenerator& random, - Stats::Store& stats, - Upstream::ClusterManager& cluster_manager) - : local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats), - cluster_manager_(cluster_manager), - secret_manager_(cluster_manager.clusterManagerFactory().secretManager()) {} - - const LocalInfo::LocalInfo& local_info() override { return local_info_; } - - Event::Dispatcher& dispatcher() override { return dispatcher_; } - - Runtime::RandomGenerator& random() override { return random_; } - - Stats::Store& stats() override { return stats_; } - - Upstream::ClusterManager& cluster_manager() override { return cluster_manager_; } - -private: - const LocalInfo::LocalInfo& local_info_; - Event::Dispatcher& dispatcher_; - Runtime::RandomGenerator& random_; - Stats::Store& stats_; - Upstream::ClusterManager& cluster_manager_; - Secret::SecretManager& secret_manager_; -}; - class DynamicTlsCertificateSecretProviderFactoryImpl : public DynamicTlsCertificateSecretProviderFactory { public: - DynamicTlsCertificateSecretProviderFactoryImpl( - DynamicTlsCertificateSecretProviderFactoryContext& context, Init::Manager& init_manager) - : context_(context), init_manager_(init_manager) {} + DynamicTlsCertificateSecretProviderFactoryImpl(const LocalInfo::LocalInfo& local_info, + Event::Dispatcher& dispatcher, + Runtime::RandomGenerator& random, + Stats::Store& stats, + Upstream::ClusterManager& cluster_manager, + Secret::SecretManager& secret_manager, + Init::Manager& init_manager) + : local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats), + cluster_manager_(cluster_manager), secret_manager_(secret_manager), + 
init_manager_(init_manager) {} DynamicTlsCertificateSecretProviderSharedPtr findOrCreate(const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name) override { - Secret::SecretManager& secret_manager = - context_.cluster_manager().clusterManagerFactory().secretManager(); auto secret_provider = - secret_manager.findDynamicTlsCertificateSecretProvider(sds_config, sds_config_name); + secret_manager_.findDynamicTlsCertificateSecretProvider(sds_config, sds_config_name); if (!secret_provider) { - secret_provider = std::make_shared( - context_.local_info(), context_.dispatcher(), context_.random(), context_.stats(), - context_.cluster_manager(), init_manager_, sds_config, sds_config_name); - secret_manager.setDynamicTlsCertificateSecretProvider(sds_config, sds_config_name, - secret_provider); + secret_provider = std::make_shared(local_info_, dispatcher_, random_, stats_, + cluster_manager_, init_manager_, + sds_config, sds_config_name); + secret_manager_.setDynamicTlsCertificateSecretProvider(sds_config, sds_config_name, + secret_provider); } return secret_provider; } private: - DynamicTlsCertificateSecretProviderFactoryContext& context_; + const LocalInfo::LocalInfo& local_info_; + Event::Dispatcher& dispatcher_; + Runtime::RandomGenerator& random_; + Stats::Store& stats_; + Upstream::ClusterManager& cluster_manager_; + Secret::SecretManager& secret_manager_; Init::Manager& init_manager_; }; diff --git a/source/common/upstream/eds.cc b/source/common/upstream/eds.cc index c2b7084de1b1..2c6d7dcd6d22 100644 --- a/source/common/upstream/eds.cc +++ b/source/common/upstream/eds.cc 
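Review bot: `findOrCreate` caches the provider in the shared secret manager keyed only by `(sds_config, sds_config_name)`, yet constructs it with this factory's `init_manager_`, which in upstream_impl.cc of this series is the per-cluster `ClusterImplBase::init_manager_`. If the provider keeps that reference past construction (its implementation is not in this diff), a second cluster that reuses the same SDS config receives a provider bound to the first cluster's init manager, which dangles once that cluster is removed through CDS. Either include the owner in the cache key or state the lifetime assumption next to the `make_shared` call: `// NOTE: the cached provider is shared across clusters; init_manager_ belongs to whichever cluster created it first and must not be used after construction.`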
@@ -18,23 +18,24 @@ namespace Envoy { namespace Upstream { EdsClusterImpl::EdsClusterImpl( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, const LocalInfo::LocalInfo& local_info, - ClusterManager& cm, Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, - bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) - : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, - secret_provider_context), - cm_(cm), local_info_(local_info), + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope) + : BaseDynamicClusterImpl(cluster, runtime, added_via_api, factory_context, + std::move(stats_scope)), + cm_(factory_context.clusterManager()), local_info_(factory_context.local_info()), cluster_name_(cluster.eds_cluster_config().service_name().empty() ? cluster.name() : cluster.eds_cluster_config().service_name()) { - Config::Utility::checkLocalInfo("eds", local_info); + Config::Utility::checkLocalInfo("eds", local_info_); const auto& eds_config = cluster.eds_cluster_config().eds_config(); + Event::Dispatcher& dispatcher = factory_context.dispatcher(); + Runtime::RandomGenerator& random = factory_context.random(); + Upstream::ClusterManager& cm = factory_context.clusterManager(); subscription_ = Config::SubscriptionFactory::subscriptionFromConfigSource< envoy::api::v2::ClusterLoadAssignment>( - eds_config, local_info.node(), dispatcher, cm, random, info_->statsScope(), + eds_config, local_info_.node(), dispatcher, cm, random, info_->statsScope(), [this, &eds_config, &cm, &dispatcher, &random]() -> Config::Subscription* { return new SdsSubscription(info_->stats(), eds_config, cm, dispatcher, random); 
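Review bot: `Upstream::ClusterManager& cm = factory_context.clusterManager();` duplicates `cm_`, which the initializer list already sets from the same call two lines up, so the constructor now carries two names for one object. Keeping `dispatcher` and `random` as locals is fine for the lambda captures, but `cm` can go: pass `cm_` to `subscriptionFromConfigSource` and capture `[this, &eds_config, &dispatcher, &random]`, reaching `cm_` through `this` inside the lambda. The constructor body and the lambda continue past the end of the hunk.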
diff --git a/source/common/upstream/eds.h b/source/common/upstream/eds.h index f07ec678237f..9f8f4a1483c3 100644 --- a/source/common/upstream/eds.h +++ b/source/common/upstream/eds.h @@ -18,12 +18,10 @@ namespace Upstream { class EdsClusterImpl : public BaseDynamicClusterImpl, Config::SubscriptionCallbacks { public: - EdsClusterImpl( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, const LocalInfo::LocalInfo& local_info, - ClusterManager& cm, Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random, - bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context); + EdsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Secondary; } diff --git a/source/common/upstream/logical_dns_cluster.cc b/source/common/upstream/logical_dns_cluster.cc index 3d8b84dec52f..40f1c06088dd 100644 --- a/source/common/upstream/logical_dns_cluster.cc +++ b/source/common/upstream/logical_dns_cluster.cc 
@@ -16,18 +16,16 @@ namespace Envoy { namespace Upstream { LogicalDnsCluster::LogicalDnsCluster( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, - ThreadLocal::SlotAllocator& tls, ClusterManager& cm, Event::Dispatcher& dispatcher, - bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) - : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, - secret_provider_context), + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + Network::DnsResolverSharedPtr dns_resolver, ThreadLocal::SlotAllocator& tls, bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope) + : ClusterImplBase(cluster, runtime, added_via_api, factory_context, std::move(stats_scope)), dns_resolver_(dns_resolver), dns_refresh_rate_ms_( std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))), - tls_(tls.allocateSlot()), - resolve_timer_(dispatcher.createTimer([this]() -> void { startResolve(); })) { + tls_(tls.allocateSlot()), resolve_timer_(factory_context.dispatcher().createTimer( + [this]() -> void { startResolve(); })) { const auto& hosts = cluster.hosts(); if (hosts.size() != 1) { throw EnvoyException("logical_dns clusters must have a single host"); diff --git a/source/common/upstream/logical_dns_cluster.h b/source/common/upstream/logical_dns_cluster.h index 611cd630a305..665e0f75a08a 100644 --- a/source/common/upstream/logical_dns_cluster.h +++ b/source/common/upstream/logical_dns_cluster.h 
@@ -28,12 +28,11 @@ namespace Upstream { */ class LogicalDnsCluster : public ClusterImplBase { public: - LogicalDnsCluster( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, - ThreadLocal::SlotAllocator& tls, ClusterManager& cm, Event::Dispatcher& dispatcher, - bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context); + LogicalDnsCluster(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + Network::DnsResolverSharedPtr dns_resolver, ThreadLocal::SlotAllocator& tls, + bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope); ~LogicalDnsCluster(); diff --git a/source/common/upstream/original_dst_cluster.cc b/source/common/upstream/original_dst_cluster.cc index f28e9a4094fd..3db1e00b80c2 100644 --- a/source/common/upstream/original_dst_cluster.cc +++ b/source/common/upstream/original_dst_cluster.cc 
@@ -123,15 +123,14 @@ OriginalDstCluster::LoadBalancer::requestOverrideHost(LoadBalancerContext* conte } OriginalDstCluster::OriginalDstCluster( - const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Event::Dispatcher& dispatcher, - bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) - : ClusterImplBase(config, runtime, stats, ssl_context_manager, cm, added_via_api, - secret_provider_context), - dispatcher_(dispatcher), cleanup_interval_ms_(std::chrono::milliseconds( - PROTOBUF_GET_MS_OR_DEFAULT(config, cleanup_interval, 5000))), - cleanup_timer_(dispatcher.createTimer([this]() -> void { cleanup(); })) { + const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope) + : ClusterImplBase(config, runtime, added_via_api, factory_context, std::move(stats_scope)), + dispatcher_(factory_context.dispatcher()), + cleanup_interval_ms_( + std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(config, cleanup_interval, 5000))), + cleanup_timer_(dispatcher_.createTimer([this]() -> void { cleanup(); })) { cleanup_timer_->enableTimer(cleanup_interval_ms_); } diff --git a/source/common/upstream/original_dst_cluster.h b/source/common/upstream/original_dst_cluster.h index 01a010ff6183..0fece8f9af33 100644 --- a/source/common/upstream/original_dst_cluster.h +++ b/source/common/upstream/original_dst_cluster.h @@ -6,6 +6,7 @@ #include #include "envoy/secret/secret_manager.h" +#include "envoy/server/transport_socket_config.h" #include "envoy/thread_local/thread_local.h" #include "common/common/empty_string.h" 
@@ -23,11 +24,10 @@ namespace Upstream { */ class OriginalDstCluster : public ClusterImplBase { public: - OriginalDstCluster( - const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Event::Dispatcher& dispatcher, - bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context); + OriginalDstCluster(const envoy::api::v2::Cluster& config, Runtime::Loader& runtime, + bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index cc3c73b44178..3a9a67af73f7 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc 
@@ -338,6 +338,42 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config, } } +namespace { + +Stats::ScopePtr generateStatsScope(const envoy::api::v2::Cluster& config, Stats::Store& stats) { + return stats.createScope(fmt::format("cluster.{}.", config.alt_stat_name().empty() + ? config.name() + : std::string(config.alt_stat_name()))); +} + +Network::TransportSocketFactoryPtr createTransportSocketFactory( + const envoy::api::v2::Cluster& config, Init::Manager& init_manager, + Server::Configuration::TransportSocketFactoryContext& factory_context) { + // If the cluster config doesn't have a transport socket configured, override with the default + // transport socket implementation based on the tls_context. We copy by value first then override + // if necessary. + auto transport_socket = config.transport_socket(); + if (!config.has_transport_socket()) { + if (config.has_tls_context()) { + transport_socket.set_name(Extensions::TransportSockets::TransportSocketNames::get().TLS); + MessageUtil::jsonConvert(config.tls_context(), *transport_socket.mutable_config()); + } else { + transport_socket.set_name( + Extensions::TransportSockets::TransportSocketNames::get().RAW_BUFFER); + } + } + + factory_context.createDynamicTlsCertificateSecretProviderFactory(init_manager); + auto& config_factory = Config::Utility::getAndCheckFactory< + Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); + ProtobufTypes::MessagePtr message = + Config::Utility::translateToFactoryConfig(transport_socket, config_factory); + + return config_factory.createTransportSocketFactory(*message, factory_context); +} + +} // namespace + ClusterSharedPtr ClusterImplBase::create( const envoy::api::v2::Cluster& cluster, ClusterManager& cm, Stats::Store& stats, ThreadLocal::Instance& tls, Network::DnsResolverSharedPtr dns_resolver, 
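Review bot: The new line `factory_context.createDynamicTlsCertificateSecretProviderFactory(init_manager);` is the one non-obvious step in the moved helper and carries no comment: it runs unconditionally (also for the raw-buffer default) and must precede `createTransportSocketFactory`, presumably because a TLS config that references SDS resolves its certificate through the factory this call installs. I'd annotate it: `// Bind the SDS provider factory to this cluster's init manager before the transport socket factory is built; TLS configs referencing sds_secret_config are resolved through it.` The explicit `std::string(config.alt_stat_name())` in `generateStatsScope` is also unnecessary, since both branches of the ternary already yield `const std::string&`.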
@@ -364,22 +400,24 @@ ClusterSharedPtr ClusterImplBase::create( selected_dns_resolver = dispatcher.createDnsResolver(resolvers); } - Secret::DynamicTlsCertificateSecretProviderFactoryContextImpl secret_provider_context( - local_info, dispatcher, random, stats, cm); + auto stats_scope = generateStatsScope(cluster, stats); + Server::Configuration::TransportSocketFactoryContextImpl factory_context( + ssl_context_manager, *stats_scope, cm, local_info, dispatcher, random, stats); + switch (cluster.type()) { case envoy::api::v2::Cluster::STATIC: - new_cluster.reset(new StaticClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, - added_via_api, secret_provider_context)); + new_cluster.reset(new StaticClusterImpl(cluster, runtime, added_via_api, factory_context, + std::move(stats_scope))); break; case envoy::api::v2::Cluster::STRICT_DNS: - new_cluster.reset(new StrictDnsClusterImpl(cluster, runtime, stats, ssl_context_manager, - selected_dns_resolver, cm, dispatcher, added_via_api, - secret_provider_context)); + new_cluster.reset(new StrictDnsClusterImpl(cluster, runtime, selected_dns_resolver, + added_via_api, factory_context, + std::move(stats_scope))); break; case envoy::api::v2::Cluster::LOGICAL_DNS: - new_cluster.reset(new LogicalDnsCluster(cluster, runtime, stats, ssl_context_manager, - selected_dns_resolver, tls, cm, dispatcher, - added_via_api, secret_provider_context)); + new_cluster.reset(new LogicalDnsCluster(cluster, runtime, selected_dns_resolver, tls, + added_via_api, factory_context, + std::move(stats_scope))); break; case envoy::api::v2::Cluster::ORIGINAL_DST: if (cluster.lb_policy() != envoy::api::v2::Cluster::ORIGINAL_DST_LB) { 
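Review bot: `factory_context` is a stack object local to `create()`, and after the constructors call `createDynamicTlsCertificateSecretProviderFactory` it also owns the secret provider factory, so everything built from it dies when `create()` returns. The cluster constructors in this series only copy out long-lived references (`clusterManager()`, `local_info()`, `dispatcher()`), but the transport socket factory is handed the context by reference and nothing documents that it must not be retained; I'd add above the declaration: `// Scoped to cluster construction only: consumers must copy what they need and never retain the context.` The `*stats_scope` reference held by the context stays valid after the `std::move` into each constructor because moving the `ScopePtr` does not relocate the scope, which is worth a word as well.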
@@ -390,8 +428,8 @@ ClusterSharedPtr ClusterImplBase::create( throw EnvoyException(fmt::format( "cluster: cluster type 'original_dst' may not be used with lb_subset_config")); } - new_cluster.reset(new OriginalDstCluster(cluster, runtime, stats, ssl_context_manager, cm, - dispatcher, added_via_api, secret_provider_context)); + new_cluster.reset(new OriginalDstCluster(cluster, runtime, added_via_api, factory_context, + std::move(stats_scope))); break; case envoy::api::v2::Cluster::EDS: if (!cluster.has_eds_cluster_config()) { @@ -399,9 +437,8 @@ ClusterSharedPtr ClusterImplBase::create( } // We map SDS to EDS, since EDS provides backwards compatibility with SDS. - new_cluster.reset(new EdsClusterImpl(cluster, runtime, stats, ssl_context_manager, local_info, - cm, dispatcher, random, added_via_api, - secret_provider_context)); + new_cluster.reset(new EdsClusterImpl(cluster, runtime, added_via_api, factory_context, + std::move(stats_scope))); break; default: NOT_REACHED_GCOVR_EXCL_LINE; 
@@ -419,55 +456,15 @@ ClusterSharedPtr ClusterImplBase::create( return std::move(new_cluster); } -namespace { - -Stats::ScopePtr generateStatsScope(const envoy::api::v2::Cluster& config, Stats::Store& stats) { - return stats.createScope(fmt::format("cluster.{}.", config.alt_stat_name().empty() - ? config.name() - : std::string(config.alt_stat_name()))); -} - -Network::TransportSocketFactoryPtr createTransportSocketFactory( - const envoy::api::v2::Cluster& config, Stats::Scope& stats_scope, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, Init::Manager& init_manager, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) { - // If the cluster config doesn't have a transport socket configured, override with the default - // transport socket implementation based on the tls_context. We copy by value first then override - // if necessary. - auto transport_socket = config.transport_socket(); - if (!config.has_transport_socket()) { - if (config.has_tls_context()) { - transport_socket.set_name(Extensions::TransportSockets::TransportSocketNames::get().TLS); - MessageUtil::jsonConvert(config.tls_context(), *transport_socket.mutable_config()); - } else { - transport_socket.set_name( - Extensions::TransportSockets::TransportSocketNames::get().RAW_BUFFER); - } - } - - Server::Configuration::TransportSocketFactoryContextImpl factory_context( - ssl_context_manager, stats_scope, cm, init_manager, secret_provider_context); - auto& config_factory = Config::Utility::getAndCheckFactory< - Server::Configuration::UpstreamTransportSocketConfigFactory>(transport_socket.name()); - ProtobufTypes::MessagePtr message = - Config::Utility::translateToFactoryConfig(transport_socket, config_factory); - - return config_factory.createTransportSocketFactory(*message, factory_context); -} - -} // namespace - ClusterImplBase::ClusterImplBase( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& 
ssl_context_manager, ClusterManager& cm, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope) : runtime_(runtime) { - auto stats_scope = generateStatsScope(cluster, stats); - auto socket_factory = createTransportSocketFactory(cluster, *stats_scope, ssl_context_manager, cm, - init_manager_, secret_provider_context); - info_ = std::make_unique(cluster, cm.bindConfig(), runtime, - std::move(socket_factory), std::move(stats_scope), - added_via_api); + auto socket_factory = createTransportSocketFactory(cluster, init_manager_, factory_context); + info_ = std::make_unique(cluster, factory_context.clusterManager().bindConfig(), + runtime, std::move(socket_factory), + std::move(stats_scope), added_via_api); // Create the default (empty) priority set before registering callbacks to // avoid getting an update the first time it is accessed. priority_set_.getOrCreateHostSet(0); @@ -785,11 +782,10 @@ void PriorityStateManager::updateClusterPrioritySet( } StaticClusterImpl::StaticClusterImpl( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) - : ClusterImplBase(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, - secret_provider_context), + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope) + : ClusterImplBase(cluster, runtime, added_via_api, factory_context, std::move(stats_scope)), initial_hosts_(new HostVector()) { for (const auto& host : cluster.hosts()) { 
@@ -964,12 +960,12 @@ bool BaseDynamicClusterImpl::updateDynamicHostList(const HostVector& new_hosts, } StrictDnsClusterImpl::StrictDnsClusterImpl( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) - : BaseDynamicClusterImpl(cluster, runtime, stats, ssl_context_manager, cm, added_via_api, - secret_provider_context), + const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + Network::DnsResolverSharedPtr dns_resolver, bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope) + : BaseDynamicClusterImpl(cluster, runtime, added_via_api, factory_context, + std::move(stats_scope)), dns_resolver_(dns_resolver), dns_refresh_rate_ms_( std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))) { @@ -989,7 +985,7 @@ StrictDnsClusterImpl::StrictDnsClusterImpl( for (const auto& host : cluster.hosts()) { resolve_targets_.emplace_back( - new ResolveTarget(*this, dispatcher, + new ResolveTarget(*this, factory_context.dispatcher(), fmt::format("tcp://{}:{}", host.socket_address().address(), host.socket_address().port_value()))); } diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h index 18f51417db59..02e03395925e 100644 --- a/source/common/upstream/upstream_impl.h +++ b/source/common/upstream/upstream_impl.h @@ -21,6 +21,7 @@ #include "envoy/runtime/runtime.h" #include "envoy/secret/dynamic_secret_provider_factory.h" #include "envoy/secret/secret_manager.h" +#include "envoy/server/transport_socket_config.h" #include "envoy/ssl/context_manager.h" #include "envoy/thread_local/thread_local.h" #include "envoy/upstream/cluster_manager.h" 
@@ -473,10 +474,10 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable callback) override; protected: - ClusterImplBase( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context); + ClusterImplBase(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope); /** * Overridden by every concrete cluster. The cluster should do whatever pre-init is needed. E.g., @@ -579,10 +580,10 @@ class PriorityStateManager : protected Logger::Loggable { */ class StaticClusterImpl : public ClusterImplBase { public: - StaticClusterImpl( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, ClusterManager& cm, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context); + StaticClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } 
@@ -611,11 +612,10 @@ class BaseDynamicClusterImpl : public ClusterImplBase { */ class StrictDnsClusterImpl : public BaseDynamicClusterImpl { public: - StrictDnsClusterImpl( - const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, Stats::Store& stats, - Ssl::ContextManager& ssl_context_manager, Network::DnsResolverSharedPtr dns_resolver, - ClusterManager& cm, Event::Dispatcher& dispatcher, bool added_via_api, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context); + StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::Loader& runtime, + Network::DnsResolverSharedPtr dns_resolver, bool added_via_api, + Server::Configuration::TransportSocketFactoryContext& factory_context, + Stats::ScopePtr stats_scope); // Upstream::Cluster InitializePhase initializePhase() const override { return InitializePhase::Primary; } diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index 5963a48a0c50..2ba0b14b39c4 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc 
@@ -241,12 +241,11 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, const std::st filter_chain_match.application_protocols().begin(), filter_chain_match.application_protocols().end()); - Secret::DynamicTlsCertificateSecretProviderFactoryContextImpl secret_provider_context( - parent_.server_.localInfo(), parent_.server_.dispatcher(), parent_.server_.random(), - parent_.server_.stats(), parent_.server_.clusterManager()); Server::Configuration::TransportSocketFactoryContextImpl factory_context( parent_.server_.sslContextManager(), *listener_scope_, parent_.server_.clusterManager(), - initManager(), secret_provider_context); + parent_.server_.localInfo(), parent_.server_.dispatcher(), parent_.server_.random(), + parent_.server_.stats()); + factory_context.createDynamicTlsCertificateSecretProviderFactory(initManager()); addFilterChain(PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0), destination_ips, server_names, filter_chain_match.transport_protocol(), application_protocols, diff --git a/source/server/transport_socket_config_impl.h b/source/server/transport_socket_config_impl.h index 1731fd7c0723..48a6ff85cd9f 100644 --- a/source/server/transport_socket_config_impl.h +++ b/source/server/transport_socket_config_impl.h 
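Review bot: `factory_context` appears to be built per filter chain (the surrounding `need_tls_inspector |=` suggests a loop), and the provider factory it creates with `initManager()` lives only until the end of that iteration, while the server transport socket factory produced from it lives with the listener. The ordering here is right, create first, then build the socket factory, but the lifetime assumption is silent; I'd add `// Construction-scoped: the transport socket factory must copy what it needs and not retain factory_context.` above the declaration. The enclosing `ListenerImpl` constructor starts and ends outside the hunk.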
@@ -13,38 +13,53 @@ namespace Configuration { */ class TransportSocketFactoryContextImpl : public TransportSocketFactoryContext { public: - TransportSocketFactoryContextImpl( - Ssl::ContextManager& context_manager, Stats::Scope& stats_scope, Upstream::ClusterManager& cm, - Init::Manager& init_manager, - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context) + TransportSocketFactoryContextImpl(Ssl::ContextManager& context_manager, Stats::Scope& stats_scope, + Upstream::ClusterManager& cm, + const LocalInfo::LocalInfo& local_info, + Event::Dispatcher& dispatcher, + Envoy::Runtime::RandomGenerator& random, Stats::Store& stats) : context_manager_(context_manager), stats_scope_(stats_scope), cluster_manager_(cm), - init_manager_(init_manager), secret_provider_context_(secret_provider_context), - secret_provider_factory_(secret_provider_context_, init_manager_) {} + local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats) {} Ssl::ContextManager& sslContextManager() override { return context_manager_; } Stats::Scope& statsScope() const override { return stats_scope_; } - Init::Manager& initManager() override { return init_manager_; } - Upstream::ClusterManager& clusterManager() override { return cluster_manager_; } Secret::SecretManager& secretManager() override { return cluster_manager_.clusterManagerFactory().secretManager(); } + const LocalInfo::LocalInfo& local_info() override { return local_info_; } + + Event::Dispatcher& dispatcher() override { return dispatcher_; } + + Envoy::Runtime::RandomGenerator& random() override { return random_; } + + Stats::Store& stats() override { return stats_; } + + void createDynamicTlsCertificateSecretProviderFactory(Init::Manager& init_manager) override { + secret_provider_factory_ = + std::make_unique( + local_info_, dispatcher_, random_, stats_, cluster_manager_, secretManager(), + init_manager); + } + Secret::DynamicTlsCertificateSecretProviderFactory& 
dynamicTlsCertificateSecretProviderFactory() override { - return secret_provider_factory_; + return *secret_provider_factory_; } private: Ssl::ContextManager& context_manager_; Stats::Scope& stats_scope_; Upstream::ClusterManager& cluster_manager_; - Init::Manager& init_manager_; - Secret::DynamicTlsCertificateSecretProviderFactoryContext& secret_provider_context_; - Secret::DynamicTlsCertificateSecretProviderFactoryImpl secret_provider_factory_; + const LocalInfo::LocalInfo& local_info_; + Event::Dispatcher& dispatcher_; + Envoy::Runtime::RandomGenerator& random_; + Stats::Store& stats_; + Secret::DynamicTlsCertificateSecretProviderFactoryPtr secret_provider_factory_; }; } // namespace Configuration From c0f07a26f25252a53524d0373a92166d50b1d9df Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Fri, 20 Jul 2018 16:41:07 -0700 Subject: [PATCH 53/55] Remove server_ from SecretManagerImpl. Signed-off-by: JimmyCYJ --- source/common/secret/secret_manager_impl.h | 4 ---- source/server/config_validation/server.cc | 2 +- source/server/server.cc | 2 +- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index e4bbf994f41e..18329f2b2e2d 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -15,8 +15,6 @@ namespace Secret { class SecretManagerImpl : public SecretManager, Logger::Loggable { public: - SecretManagerImpl(Server::Instance& server) : server_(server) {} - void addStaticSecret(const envoy::api::v2::auth::Secret& secret) override; const Ssl::TlsCertificateConfig* findStaticTlsCertificate(const std::string& name) const override; @@ -31,8 +29,6 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable static_tls_certificate_secrets_; diff --git a/source/server/config_validation/server.cc b/source/server/config_validation/server.cc index 8b2ea0463378..8dc49dc87edc 100644 
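Review bot: `dynamicTlsCertificateSecretProviderFactory()` now returns `*secret_provider_factory_`, a `unique_ptr` that is null until `createDynamicTlsCertificateSecretProviderFactory` runs, so any caller that gets the order wrong dereferences null with no diagnostic. I'd guard it with an assertion before the return, e.g. `ASSERT(secret_provider_factory_ != nullptr);` using the project's assertion macro (not visible in this diff), and document the two-phase contract on the class. Note also that a second `createDynamicTlsCertificateSecretProviderFactory` call silently replaces the factory, invalidating any reference previously handed out.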
--- a/source/server/config_validation/server.cc +++ b/source/server/config_validation/server.cc @@ -79,7 +79,7 @@ void ValidationInstance::initialize(Options& options, Configuration::InitialImpl initial_config(bootstrap); thread_local_.registerThread(*dispatcher_, true); runtime_loader_ = component_factory.createRuntime(*this, initial_config); - secret_manager_.reset(new Secret::SecretManagerImpl(*this)); + secret_manager_.reset(new Secret::SecretManagerImpl()); ssl_context_manager_.reset(new Ssl::ContextManagerImpl(*runtime_loader_)); cluster_manager_factory_.reset(new Upstream::ValidationClusterManagerFactory( runtime(), stats(), threadLocal(), random(), dnsResolver(), sslContextManager(), dispatcher(), diff --git a/source/server/server.cc b/source/server/server.cc index 90b38e2e2e9e..cc53893403c7 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -55,7 +55,7 @@ InstanceImpl::InstanceImpl(Options& options, Network::Address::InstanceConstShar handler_(new ConnectionHandlerImpl(ENVOY_LOGGER(), *dispatcher_)), random_generator_(std::move(random_generator)), listener_component_factory_(*this), worker_factory_(thread_local_, *api_, hooks), - secret_manager_(new Secret::SecretManagerImpl(*this)), + secret_manager_(new Secret::SecretManagerImpl()), dns_resolver_(dispatcher_->createDnsResolver({})), access_log_manager_(*api_, *dispatcher_, access_log_lock, store), terminated_(false) { From edda28e5d4fd2c5ec69fc712a471a7326ca41998 Mon Sep 17 00:00:00 2001 From: JimmyCYJ Date: Mon, 23 Jul 2018 18:52:16 -0700 Subject: [PATCH 54/55] Update tests and mock objects. 
Signed-off-by: JimmyCYJ --- source/common/ssl/context_manager_impl.cc | 6 +- source/common/ssl/ssl_socket.cc | 6 +- source/common/upstream/upstream_impl.cc | 4 +- source/server/listener_manager_impl.cc | 10 +- .../grpc_client_integration_test_harness.h | 7 +- test/common/secret/sds_api_test.cc | 23 ++-- .../common/secret/secret_manager_impl_test.cc | 11 +- test/common/ssl/context_impl_test.cc | 91 +++++++------- test/common/ssl/ssl_certs_test.h | 4 +- test/common/ssl/ssl_socket_test.cc | 62 +++++----- test/common/upstream/BUILD | 5 + test/common/upstream/eds_test.cc | 9 +- .../upstream/logical_dns_cluster_test.cc | 11 +- .../upstream/original_dst_cluster_test.cc | 9 +- test/common/upstream/sds_test.cc | 9 +- test/common/upstream/upstream_impl_test.cc | 113 +++++++++++++----- test/integration/BUILD | 1 + test/integration/ads_integration_test.cc | 4 +- test/integration/ssl_utility.cc | 7 +- test/mocks/secret/BUILD | 1 + test/mocks/secret/mocks.cc | 8 ++ test/mocks/secret/mocks.h | 12 ++ test/mocks/server/mocks.cc | 2 +- test/mocks/server/mocks.h | 10 +- 24 files changed, 277 insertions(+), 148 deletions(-) diff --git a/source/common/ssl/context_manager_impl.cc b/source/common/ssl/context_manager_impl.cc index b503b6f0af7b..61c6c069e444 100644 --- a/source/common/ssl/context_manager_impl.cc +++ b/source/common/ssl/context_manager_impl.cc @@ -22,8 +22,8 @@ ClientContextSharedPtr ContextManagerImpl::createSslClientContext(Stats::Scope& scope, const ClientContextConfig& config) { if (!config.isValid()) { return nullptr; - } - + } + ClientContextSharedPtr context = std::make_shared(scope, config); removeEmptyContexts(); contexts_.emplace_back(context); @@ -36,7 +36,7 @@ ContextManagerImpl::createSslServerContext(Stats::Scope& scope, const ServerCont if (!config.isValid()) { return nullptr; } - + ServerContextSharedPtr context = std::make_shared(scope, config, server_names, runtime_); removeEmptyContexts(); 
diff --git a/source/common/ssl/ssl_socket.cc b/source/common/ssl/ssl_socket.cc index 3116cf2d1a03..c98f57cae050 100644 --- a/source/common/ssl/ssl_socket.cc +++ b/source/common/ssl/ssl_socket.cc @@ -388,8 +388,7 @@ ClientSslSocketFactory::ClientSslSocketFactory(ClientContextConfigPtr config, : config_(std::move(config)), ssl_ctx_(manager.createSslClientContext(stats_scope, *config_)) {} Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() const { - return ssl_ctx_ ? std::make_unique(ssl_ctx_, Ssl::InitialState::Client) - : nullptr; + return ssl_ctx_ ? std::make_unique(ssl_ctx_, Ssl::InitialState::Client) : nullptr; } bool ClientSslSocketFactory::implementsSecureTransport() const { return true; } @@ -402,8 +401,7 @@ ServerSslSocketFactory::ServerSslSocketFactory(ServerContextConfigPtr config, ssl_ctx_(manager.createSslServerContext(stats_scope, *config_, server_names)) {} Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() const { - return ssl_ctx_ ? std::make_unique(ssl_ctx_, Ssl::InitialState::Server) - : nullptr; + return ssl_ctx_ ? std::make_unique(ssl_ctx_, Ssl::InitialState::Server) : nullptr; } bool ServerSslSocketFactory::implementsSecureTransport() const { return true; } diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 3a9a67af73f7..c046ece7ee36 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc 
@@ -355,11 +355,11 @@ Network::TransportSocketFactoryPtr createTransportSocketFactory( auto transport_socket = config.transport_socket(); if (!config.has_transport_socket()) { if (config.has_tls_context()) { - transport_socket.set_name(Extensions::TransportSockets::TransportSocketNames::get().TLS); + transport_socket.set_name(Extensions::TransportSockets::TransportSocketNames::get().Tls); MessageUtil::jsonConvert(config.tls_context(), *transport_socket.mutable_config()); } else { transport_socket.set_name( - Extensions::TransportSockets::TransportSocketNames::get().RAW_BUFFER); + Extensions::TransportSockets::TransportSocketNames::get().RawBuffer); } } diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index 2ba0b14b39c4..84fcffd57197 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc 
@@ -246,11 +246,11 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, const std::st parent_.server_.localInfo(), parent_.server_.dispatcher(), parent_.server_.random(), parent_.server_.stats()); factory_context.createDynamicTlsCertificateSecretProviderFactory(initManager()); - addFilterChain(PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0), - destination_ips, server_names, filter_chain_match.transport_protocol(), - application_protocols, - config_factory.createTransportSocketFactory(*message, factory_context, server_names), - parent_.factory_.createNetworkFilterFactoryList(filter_chain.filters(), *this)); + addFilterChain( + PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0), destination_ips, + server_names, filter_chain_match.transport_protocol(), application_protocols, + config_factory.createTransportSocketFactory(*message, factory_context, server_names), + parent_.factory_.createNetworkFilterFactoryList(filter_chain.filters(), *this)); need_tls_inspector |= filter_chain_match.transport_protocol() == "tls" || (filter_chain_match.transport_protocol().empty() && diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index 9e9aa54addd9..2fdf047f9cbd 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -11,6 +11,7 @@ #include "test/integration/fake_upstream.h" #include "test/mocks/grpc/mocks.h" #include "test/mocks/local_info/mocks.h" +#include "test/mocks/secret/mocks.h" #include "test/mocks/server/mocks.h" #include "test/mocks/tracing/mocks.h" #include "test/mocks/upstream/mocks.h" 
@@ -448,7 +449,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { } Ssl::ClientContextConfigPtr cfg = std::make_unique( - tls_context, server_.secretManager(), init_manager_); + tls_context, server_.secretManager(), secret_provider_factory_); mock_cluster_info_->transport_socket_factory_ = std::make_unique( std::move(cfg), context_manager_, *stats_store_); ON_CALL(*mock_cluster_info_, transportSocketFactory()) @@ -477,7 +478,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); } Ssl::ServerContextConfigPtr cfg = std::make_unique( - tls_context, server_.secretManager(), init_manager_); + tls_context, server_.secretManager(), secret_provider_factory_); static Stats::Scope* upstream_stats_store = new Stats::IsolatedStoreImpl(); return std::make_unique( @@ -488,6 +489,8 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { Server::MockInstance server_; NiceMock init_manager_; Ssl::ContextManagerImpl context_manager_{runtime_}; + testing::NiceMock + secret_provider_factory_; }; } // namespace diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index dbb42844624d..9c5b8458fab0 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc @@ -39,7 +39,8 @@ TEST_F(SdsApiTest, BasicTest) { auto google_grpc = grpc_service->mutable_google_grpc(); google_grpc->set_target_uri("fake_address"); google_grpc->set_stat_prefix("test"); - SdsApi sds_api(server, init_manager, config_source, "abc.com"); + SdsApi sds_api(server.localInfo(), server.dispatcher(), server.random(), server.stats(), + server.clusterManager(), init_manager, config_source, "abc.com"); NiceMock* grpc_client{new NiceMock()}; NiceMock* factory{new NiceMock()}; 
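Review bot: The eight-argument construction `SdsApi sds_api(server.localInfo(), server.dispatcher(), server.random(), server.stats(), server.clusterManager(), init_manager, config_source, "abc.com");` added here in BasicTest is repeated verbatim in the four hunks that follow in the same file (SecretUpdateSuccess, EmptyResource, SecretUpdateWrongSize, SecretUpdateWrongSecretName). A fixture helper that builds the object from fixture-owned `server_`, `init_manager_` and `config_source_` members and returns a `std::unique_ptr<SdsApi>` would keep the dependency list in one place the next time the constructor signature changes. In this hunk the `server` object is declared above the hunk, so it is not visible whether it is the `NiceMock` variant the other four tests switch to.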
@@ -55,10 +56,11 @@ TEST_F(SdsApiTest, BasicTest) { } TEST_F(SdsApiTest, SecretUpdateSuccess) { - Server::MockInstance server; + NiceMock server; NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - SdsApi sds_api(server, init_manager, config_source, "abc.com"); + SdsApi sds_api(server.localInfo(), server.dispatcher(), server.random(), server.stats(), + server.clusterManager(), init_manager, config_source, "abc.com"); std::string yaml = R"EOF( @@ -85,10 +87,11 @@ TEST_F(SdsApiTest, SecretUpdateSuccess) { } TEST_F(SdsApiTest, EmptyResource) { - Server::MockInstance server; + NiceMock server; NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - SdsApi sds_api(server, init_manager, config_source, "abc.com"); + SdsApi sds_api(server.localInfo(), server.dispatcher(), server.random(), server.stats(), + server.clusterManager(), init_manager, config_source, "abc.com"); Protobuf::RepeatedPtrField secret_resources; @@ -97,10 +100,11 @@ TEST_F(SdsApiTest, EmptyResource) { } TEST_F(SdsApiTest, SecretUpdateWrongSize) { - Server::MockInstance server; + NiceMock server; NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - SdsApi sds_api(server, init_manager, config_source, "abc.com"); + SdsApi sds_api(server.localInfo(), server.dispatcher(), server.random(), server.stats(), + server.clusterManager(), init_manager, config_source, "abc.com"); std::string yaml = R"EOF( @@ -123,10 +127,11 @@ TEST_F(SdsApiTest, SecretUpdateWrongSize) { } TEST_F(SdsApiTest, SecretUpdateWrongSecretName) { - Server::MockInstance server; + NiceMock server; NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; - SdsApi sds_api(server, init_manager, config_source, "abc.com"); + SdsApi sds_api(server.localInfo(), server.dispatcher(), server.random(), server.stats(), + server.clusterManager(), init_manager, config_source, "abc.com"); std::string yaml = R"EOF( 
diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index 403d509beb15..6810aa61a345 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -65,12 +65,15 @@ name: "abc.com" } TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { - MockServer server; + NiceMock server; NiceMock init_manager; envoy::api::v2::core::ConfigSource config_source; { - auto secret_provider = server.secretManager().findOrCreateDynamicTlsCertificateSecretProvider( - config_source, "abc.com", init_manager); + auto secret_provider = std::make_shared( + server.localInfo(), server.dispatcher(), server.random(), server.stats(), + server.clusterManager(), init_manager, config_source, "abc.com"); + server.secretManager().setDynamicTlsCertificateSecretProvider(config_source, "abc.com", + secret_provider); std::string yaml = R"EOF( @@ -112,7 +115,7 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); MockServer server; - std::unique_ptr secret_manager(new SecretManagerImpl(server)); + std::unique_ptr secret_manager(new SecretManagerImpl()); EXPECT_THROW_WITH_MESSAGE(server.secretManager().addStaticSecret(secret_config), EnvoyException, "Secret type not implemented"); diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index 45aad676ca5e..3d631ffac311 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -81,7 +81,7 @@ TEST_F(SslContextImplTest, TestCipherSuites) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), secret_provider_factory_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
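Review bot: After `server.secretManager().setDynamicTlsCertificateSecretProvider(config_source, "abc.com", secret_provider);` the test keeps driving the `secret_provider` it constructed itself, so nothing in this hunk verifies that the manager stored the provider under that (config_source, name) key or hands the same instance back. If the manager exposes a lookup for dynamic providers, assert that it returns `secret_provider` before the update is applied; otherwise the registration call is exercised but not checked. The test body continues past the hunk.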
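Review bot: `std::unique_ptr secret_manager(new SecretManagerImpl());` builds a manager that the assertion on the following line never touches, since it calls `server.secretManager().addStaticSecret(secret_config)`, so the local is dead code carried over from the old constructor. Either make it the object under test, `EXPECT_THROW_WITH_MESSAGE(secret_manager->addStaticSecret(secret_config), EnvoyException, "Secret type not implemented");`, or delete the line; if it stays, `auto secret_manager = std::make_unique<SecretManagerImpl>();` avoids the raw `new`.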
@@ -97,7 +97,7 @@ TEST_F(SslContextImplTest, TestExpiringCert) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), secret_provider_factory_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -120,7 +120,7 @@ TEST_F(SslContextImplTest, TestExpiredCert) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), secret_provider_factory_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -138,7 +138,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), secret_provider_factory_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -164,7 +164,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { TEST_F(SslContextImplTest, TestNoCert) { Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString("{}"); - ClientContextConfigImpl cfg(*loader, server_.secretManager(), init_manager_); + ClientContextConfigImpl cfg(*loader, server_.secretManager(), secret_provider_factory_); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
@@ -186,7 +186,8 @@ class SslServerContextImplTicketTest : public SslContextImplTest { static void loadConfigV2(envoy::api::v2::auth::DownstreamTlsContext& cfg) { Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock + secret_provider_factory; // Must add a certificate for the config to be considered valid. envoy::api::v2::auth::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); @@ -194,16 +195,18 @@ class SslServerContextImplTicketTest : public SslContextImplTest { TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); server_cert->mutable_private_key()->set_filename( TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); - ServerContextConfigImpl server_context_config(cfg, server.secretManager(), init_manager); + ServerContextConfigImpl server_context_config(cfg, server.secretManager(), + secret_provider_factory); loadConfig(server_context_config); } static void loadConfigJson(const std::string& json) { Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock + secret_provider_factory; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); Secret::MockSecretManager secret_manager; - ServerContextConfigImpl cfg(*loader, server.secretManager(), init_manager); + ServerContextConfigImpl cfg(*loader, server.secretManager(), secret_provider_factory); loadConfig(cfg); } }; 
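Review bot: In `loadConfigJson`, the untouched context line `Secret::MockSecretManager secret_manager;` is now clearly unused: the rewritten call `ServerContextConfigImpl cfg(*loader, server.secretManager(), secret_provider_factory);` takes the manager from `server`. Drop the line, or pass `secret_manager` in place of `server.secretManager()` so the helper does not depend on `Server::MockInstance` for its manager; the same choice applies to `loadConfigV2` in the preceding hunk, which creates `Server::MockInstance server` only for `secretManager()`.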
@@ -361,15 +364,15 @@ class ClientContextConfigImplTest : public SslCertsTest {}; TEST(ClientContextConfigImplTest, EmptyServerNameIndication) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; tls_context.set_sni(std::string("\000", 1)); EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "SNI names containing NULL-byte are not allowed"); tls_context.set_sni(std::string("a\000b", 3)); EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "SNI names containing NULL-byte are not allowed"); } @@ -377,13 +380,14 @@ TEST(ClientContextConfigImplTest, EmptyServerNameIndication) { TEST(ClientContextConfigImplTest, InvalidCertificateHash) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; tls_context.mutable_common_tls_context() ->mutable_validation_context() // This is valid hex-encoded string, but it doesn't represent SHA-256 (80 vs 64 chars). ->add_verify_certificate_hash("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), + secret_provider_factory); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; 
@@ -395,12 +399,13 @@ TEST(ClientContextConfigImplTest, InvalidCertificateHash) { TEST(ClientContextConfigImplTest, InvalidCertificateSpki) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; tls_context.mutable_common_tls_context() ->mutable_validation_context() // Not a base64-encoded string. ->add_verify_certificate_spki("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), + secret_provider_factory); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -413,11 +418,11 @@ TEST(ClientContextConfigImplTest, InvalidCertificateSpki) { TEST(ClientContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "Multiple TLS certificates are not supported for client contexts"); } 
@@ -425,11 +430,11 @@ TEST(ClientContextConfigImplTest, MultipleTlsCertificates) { TEST(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { envoy::api::v2::auth::UpstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "Multiple TLS certificates are not supported for client contexts"); } @@ -451,12 +456,13 @@ class MockServer : public Server::MockInstance { TEST(ClientContextConfigImplTest, SdsConfig) { envoy::api::v2::auth::UpstreamTlsContext tls_context; MockServer server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; auto sds_secret_configs = tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), + secret_provider_factory); // When sds secret is not downloaded, config is not valid. EXPECT_FALSE(client_context_config.isValid()); @@ -493,7 +499,7 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; server.secretManager().addStaticSecret(secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; 
@@ -502,7 +508,8 @@ name: "abc.com" ->Add() ->set_name("abc.com"); - ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), init_manager); + ClientContextConfigImpl client_context_config(tls_context, server.secretManager(), + secret_provider_factory); const std::string cert_pem = "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), @@ -527,7 +534,7 @@ name: "abc.com" MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; server.secretManager().addStaticSecret(secret_config); envoy::api::v2::auth::UpstreamTlsContext tls_context; @@ -537,7 +544,7 @@ name: "abc.com" ->set_name("missing"); EXPECT_THROW_WITH_MESSAGE(ClientContextConfigImpl client_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "Unknown static secret: missing"); } 
@@ -547,32 +554,32 @@ name: "abc.com" TEST(ServerContextConfigImplTest, MultipleTlsCertificates) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificates(); EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "A single TLS certificate is required for server contexts"); } TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; envoy::api::v2::auth::DownstreamTlsContext tls_context; EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "A single TLS certificate is required for server contexts"); tls_context.mutable_common_tls_context()->add_tls_certificates(); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "A single TLS certificate is required for server contexts"); } 
@@ -580,13 +587,14 @@ TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { TEST(ServerContextConfigImplTest, SdsConfig) { envoy::api::v2::auth::DownstreamTlsContext tls_context; MockServer server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; auto sds_secret_configs = tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), + secret_provider_factory); // When sds secret is not downloaded, config is not valid. EXPECT_FALSE(server_context_config.isValid()); @@ -612,9 +620,10 @@ TEST(ServerContextConfigImplTest, SdsConfig) { TEST(ServerContextImplTest, TlsCertificateNonEmpty) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; tls_context.mutable_common_tls_context()->add_tls_certificates(); - ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), init_manager); + ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), + secret_provider_factory); Runtime::MockLoader runtime; ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; @@ -628,7 +637,7 @@ TEST(ServerContextImplTest, TlsCertificateNonEmpty) { TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::api::v2::auth::DownstreamTlsContext tls_context; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; envoy::api::v2::auth::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -636,7 +645,7 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(true); EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "Certificate validity period is always ignored without trusted CA"); @@ -650,12 +659,12 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(false); EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), - init_manager)); + secret_provider_factory)); server_validation_ctx->set_allow_expired_certificate(true); EXPECT_THROW_WITH_MESSAGE(ServerContextConfigImpl server_context_config( - tls_context, server.secretManager(), init_manager), + tls_context, server.secretManager(), secret_provider_factory), EnvoyException, "Certificate validity period is always ignored without trusted CA"); @@ -664,7 +673,7 @@ TEST(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { TestEnvironment::substitute("{{ test_rundir }}/test/common/ssl/test_data/ca_cert.pem")); EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, server.secretManager(), - init_manager)); + secret_provider_factory)); } } // namespace Ssl diff --git a/test/common/ssl/ssl_certs_test.h b/test/common/ssl/ssl_certs_test.h index f08134de41e9..87f05cd123b4 100644 --- a/test/common/ssl/ssl_certs_test.h +++ b/test/common/ssl/ssl_certs_test.h @@ -1,5 +1,6 @@ #pragma once +#include "test/mocks/secret/mocks.h" #include "test/mocks/server/mocks.h" #include "test/test_common/environment.h" @@ -13,6 +14,7 @@ class SslCertsTest : public testing::Test { } Server::MockInstance server_; - NiceMock init_manager_; + testing::NiceMock + secret_provider_factory_; }; } // namespace Envoy 
diff --git a/test/common/ssl/ssl_socket_test.cc b/test/common/ssl/ssl_socket_test.cc index f036f3b63ddf..9d779ff3565c 100644 --- a/test/common/ssl/ssl_socket_test.cc +++ b/test/common/ssl/ssl_socket_test.cc @@ -53,14 +53,14 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager(), - init_manager); + ServerContextConfigPtr server_ctx_config = std::make_unique( + *server_ctx_loader, server.secretManager(), secret_provider_factory); ContextManagerImpl manager(runtime); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - std::vector{}); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, std::vector{}); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(version), nullptr, 
@@ -70,9 +70,10 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), - init_manager); - Ssl::ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = std::make_unique( + *client_ctx_loader, server.secretManager(), secret_provider_factory); + Ssl::ClientSslSocketFactory client_ssl_socket_factory(std::move(client_ctx_config), manager, + stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), client_ssl_socket_factory.createTransportSocket(), nullptr); @@ -150,9 +151,8 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, const std::string& expected_stats, unsigned expected_stats_value, const Network::Address::IpVersion version) { Stats::IsolatedStoreImpl stats_store; - Runtime::MockLoader runtime; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; ContextManagerImpl manager(runtime); std::string new_session = EMPTY_STRING; 
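Review bot: The hunk at -150 removes `Runtime::MockLoader runtime;` from `testUtilV2` but keeps `ContextManagerImpl manager(runtime);` two lines below it, so unless a `runtime` object is declared at namespace scope outside this hunk the function no longer compiles. Either restore `Runtime::MockLoader runtime;` or take the loader as a parameter, as `testUtil` in the -53 hunk still declares its own. `testUtilV2`'s signature begins and its body continues outside the hunk.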
@@ -173,9 +173,12 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, Network::MockConnectionHandler connection_handler; Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); - ClientContextConfigImpl client_ctx_config(client_ctx_proto, server.secretManager(), init_manager); - ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); - ClientContextSharedPtr client_ctx(manager.createSslClientContext(stats_store, client_ctx_config)); + ClientContextConfigPtr client_ctx_config = std::make_unique( + client_ctx_proto, server.secretManager(), secret_provider_factory); + ClientContextSharedPtr client_ctx( + manager.createSslClientContext(stats_store, *client_ctx_config.get())); + ClientSslSocketFactory client_ssl_socket_factory(std::move(client_ctx_config), manager, + stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), client_ssl_socket_factory.createTransportSocket(), nullptr); @@ -1621,9 +1624,10 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), - init_manager_); - ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = std::make_unique( + *client_ctx_loader, server_.secretManager(), secret_provider_factory_); + ClientSslSocketFactory client_ssl_socket_factory(std::move(client_ctx_config), manager, + stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), client_ssl_socket_factory.createTransportSocket(), nullptr); 
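Review bot: `*client_ctx_config.get()` in `manager.createSslClientContext(stats_store, *client_ctx_config.get())` is a redundant spelling of `*client_ctx_config`; the `.get()` adds nothing and reads as if a raw pointer were required. Note also that the `ClientSslSocketFactory` constructed on the next line creates a second client context from the same config in its initializer (`ssl_ctx_(manager.createSslClientContext(stats_scope, *config_))` in the ssl_socket.cc hunk), so `client_ctx` and the factory's context are distinct objects; if later assertions in `testUtilV2` assume they are the same, that deserves a comment here. The enclosing function continues outside the hunk.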
@@ -1706,9 +1710,9 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), - init_manager_); - ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = std::make_unique( + *client_ctx_loader, server.secretManager(), secret_provider_factory_); + ClientSslSocketFactory ssl_socket_factory(std::move(client_ctx_config), manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), ssl_socket_factory.createTransportSocket(), nullptr); @@ -1765,7 +1769,7 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; Server::MockInstance server; - NiceMock init_manager; + testing::NiceMock secret_provider_factory; ContextManagerImpl manager(runtime); Json::ObjectSharedPtr server_ctx_loader1 = TestEnvironment::jsonLoadFromString(server_ctx_json1); 
@@ -1790,9 +1794,9 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Network::ListenerPtr listener2 = dispatcher.createListener(socket2, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager(), - init_manager); - ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = std::make_unique( + *client_ctx_loader, server.secretManager(), secret_provider_factory); + ClientSslSocketFactory ssl_socket_factory(std::move(client_ctx_config), manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket1.localAddress(), Network::Address::InstanceConstSharedPtr(), ssl_socket_factory.createTransportSocket(), nullptr); @@ -2160,9 +2164,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager(), - init_manager_); - ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = std::make_unique( + *client_ctx_loader, server_.secretManager(), secret_provider_factory_); + ClientSslSocketFactory ssl_socket_factory(std::move(client_ctx_config), manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), ssl_socket_factory.createTransportSocket(), nullptr); 
@@ -2601,10 +2605,10 @@ class SslReadBufferLimitTest : public SslCertsTest, client_ctx_loader_ = TestEnvironment::jsonLoadFromString(client_ctx_json_); client_ctx_config_.reset( - new ClientContextConfigImpl(*client_ctx_loader_, server_.secretManager(), init_manager_)); + new ClientContextConfigImpl(*client_ctx_loader_, server_.secretManager(), secret_provider_factory_)); client_ssl_socket_factory_.reset( - new ClientSslSocketFactory(*client_ctx_config_, *manager_, stats_store_)); + new ClientSslSocketFactory(std::move(client_ctx_config_), *manager_, stats_store_)); client_connection_ = dispatcher_->createClientConnection( socket_.localAddress(), source_address_, client_ssl_socket_factory_->createTransportSocket(), nullptr); @@ -2773,7 +2777,7 @@ class SslReadBufferLimitTest : public SslCertsTest, Network::TransportSocketFactoryPtr server_ssl_socket_factory_; Network::ListenerPtr listener_; Json::ObjectSharedPtr client_ctx_loader_; - std::unique_ptr client_ctx_config_; + ClientContextConfigPtr client_ctx_config_; ClientContextSharedPtr client_ctx_; Network::TransportSocketFactoryPtr client_ssl_socket_factory_; Network::ClientConnectionPtr client_connection_; diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 067ad5734c4b..ad0f2f759f59 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD @@ -73,6 +73,7 @@ envoy_cc_test( "//source/extensions/transport_sockets/raw_buffer:config", "//test/mocks/local_info:local_info_mocks", "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:server_mocks", "//test/mocks/ssl:ssl_mocks", "//test/mocks/upstream:upstream_mocks", "//test/test_common:utility_lib", @@ -174,6 +175,7 @@ envoy_cc_test( "//test/mocks:common_lib", "//test/mocks/network:network_mocks", "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:server_mocks", "//test/mocks/ssl:ssl_mocks", "//test/mocks/thread_local:thread_local_mocks", "//test/mocks/upstream:upstream_mocks", 
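Review bot: `client_ssl_socket_factory_.reset(new ClientSslSocketFactory(std::move(client_ctx_config_), *manager_, stats_store_));` empties the `client_ctx_config_` member immediately after it is filled, yet the second hunk keeps it as a fixture member (`ClientContextConfigPtr client_ctx_config_;`), so any later read of that member in the fixture would dereference a null pointer. Since nothing in this hunk reads it after the move, make it a local: `auto client_ctx_config = std::make_unique<ClientContextConfigImpl>(*client_ctx_loader_, server_.secretManager(), secret_provider_factory_);` followed by `client_ssl_socket_factory_ = std::make_unique<ClientSslSocketFactory>(std::move(client_ctx_config), *manager_, stats_store_);`, and drop the member. That also removes the raw `new` calls and the rewritten `reset(new ClientContextConfigImpl(...))` line, which at its indentation exceeds the 100-column limit clang-format would rewrap. The enclosing method starts and ends outside the hunk.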
@@ -194,6 +196,7 @@ envoy_cc_test(
 "//test/mocks:common_lib",
 "//test/mocks/network:network_mocks",
 "//test/mocks/runtime:runtime_mocks",
+ "//test/mocks/server:server_mocks",
 "//test/mocks/ssl:ssl_mocks",
 "//test/mocks/upstream:upstream_mocks",
 "//test/test_common:utility_lib",
@@ -283,6 +286,7 @@ envoy_cc_test(
 "//source/extensions/transport_sockets/raw_buffer:config",
 "//test/mocks/local_info:local_info_mocks",
 "//test/mocks/runtime:runtime_mocks",
+ "//test/mocks/server:server_mocks",
 "//test/mocks/ssl:ssl_mocks",
 "//test/mocks/upstream:upstream_mocks",
 "//test/test_common:environment_lib",
@@ -328,6 +332,7 @@ envoy_cc_test(
 "//test/mocks:common_lib",
 "//test/mocks/network:network_mocks",
 "//test/mocks/runtime:runtime_mocks",
+ "//test/mocks/server:server_mocks",
 "//test/mocks/ssl:ssl_mocks",
 "//test/mocks/upstream:upstream_mocks",
 "//test/test_common:utility_lib",
diff --git a/test/common/upstream/eds_test.cc b/test/common/upstream/eds_test.cc
index 1d8555da7622..dc4a010b9acf 100644
--- a/test/common/upstream/eds_test.cc
+++ b/test/common/upstream/eds_test.cc
@@ -8,6 +8,7 @@
 #include "test/common/upstream/utility.h"
 #include "test/mocks/local_info/mocks.h"
 #include "test/mocks/runtime/mocks.h"
+#include "test/mocks/server/mocks.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/upstream/mocks.h"
 #include "test/test_common/utility.h"
@@ -51,8 +52,12 @@ class EdsTest : public testing::Test {
 EXPECT_CALL(cm_, clusters()).WillOnce(Return(cluster_map));
 EXPECT_CALL(cluster, info()).Times(2);
 EXPECT_CALL(*cluster.info_, addedViaApi());
- cluster_.reset(new EdsClusterImpl(eds_cluster_, runtime_, stats_, ssl_context_manager_,
- local_info_, cm_, dispatcher_, random_, false));
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm_));
+ EXPECT_CALL(factory_context, stats()).WillRepeatedly(ReturnRef(stats_));
+ cluster_.reset(
+ new EdsClusterImpl(eds_cluster_, runtime_, false, factory_context, std::move(scope)));
 EXPECT_EQ(Cluster::InitializePhase::Secondary, cluster_->initializePhase());
 }
diff --git a/test/common/upstream/logical_dns_cluster_test.cc b/test/common/upstream/logical_dns_cluster_test.cc
index df74b6f1aba4..bf6b38a0ee87 100644
--- a/test/common/upstream/logical_dns_cluster_test.cc
+++ b/test/common/upstream/logical_dns_cluster_test.cc
@@ -11,6 +11,7 @@
 #include "test/mocks/common.h"
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/runtime/mocks.h"
+#include "test/mocks/server/mocks.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/thread_local/mocks.h"
 #include "test/mocks/upstream/mocks.h"
@@ -21,6 +22,7 @@ using testing::Invoke;
 using testing::NiceMock;
+using testing::ReturnRef;
 using testing::_;
 namespace Envoy {
@@ -31,9 +33,12 @@ class LogicalDnsClusterTest : public testing::Test {
 void setup(const std::string& json) {
 resolve_timer_ = new Event::MockTimer(&dispatcher_);
 NiceMock cm;
- cluster_.reset(new LogicalDnsCluster(parseClusterFromJson(json), runtime_, stats_store_,
- ssl_context_manager_, dns_resolver_, tls_, cm, dispatcher_,
- false));
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ EXPECT_CALL(factory_context, stats()).WillRepeatedly(ReturnRef(stats_store_));
+ cluster_.reset(new LogicalDnsCluster(parseClusterFromJson(json), runtime_, dns_resolver_, tls_,
+ false, factory_context, std::move(scope)));
 cluster_->prioritySet().addMemberUpdateCb(
 [&](uint32_t, const HostVector&, const HostVector&) -> void {
 membership_updated_.ready();
diff --git a/test/common/upstream/original_dst_cluster_test.cc b/test/common/upstream/original_dst_cluster_test.cc
index 098723c4d0dd..917d230d0356 100644
--- a/test/common/upstream/original_dst_cluster_test.cc
+++ b/test/common/upstream/original_dst_cluster_test.cc
@@ -13,6 +13,7 @@
 #include "test/mocks/common.h"
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/runtime/mocks.h"
+#include "test/mocks/server/mocks.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/upstream/mocks.h"
 #include "test/test_common/utility.h"
@@ -59,8 +60,12 @@ class OriginalDstClusterTest : public testing::Test {
 void setup(const std::string& json) {
 NiceMock cm;
- cluster_.reset(new OriginalDstCluster(parseClusterFromJson(json), runtime_, stats_store_,
- ssl_context_manager_, cm, dispatcher_, false));
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ EXPECT_CALL(factory_context, stats()).WillRepeatedly(ReturnRef(stats_store_));
+ cluster_.reset(new OriginalDstCluster(parseClusterFromJson(json), runtime_, false,
+ factory_context, std::move(scope)));
 cluster_->prioritySet().addMemberUpdateCb(
 [&](uint32_t, const HostVector&, const HostVector&) -> void {
 membership_updated_.ready();
diff --git a/test/common/upstream/sds_test.cc b/test/common/upstream/sds_test.cc
index cd01ae7539cc..30316bd23cbb 100644
--- a/test/common/upstream/sds_test.cc
+++ b/test/common/upstream/sds_test.cc
@@ -16,6 +16,7 @@
 #include "test/common/upstream/utility.h"
 #include "test/mocks/local_info/mocks.h"
 #include "test/mocks/runtime/mocks.h"
+#include "test/mocks/server/mocks.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/upstream/mocks.h"
 #include "test/test_common/environment.h"
@@ -30,6 +31,7 @@ using testing::InSequence;
 using testing::Invoke;
 using testing::NiceMock;
 using testing::Return;
+using testing::ReturnRef;
 using testing::SaveArg;
 using testing::WithArg;
 using testing::_;
@@ -62,8 +64,10 @@ class SdsTest : public testing::Test {
 EXPECT_CALL(cm_, clusters()).WillOnce(Return(cluster_map));
 EXPECT_CALL(cluster, info()).Times(2);
 EXPECT_CALL(*cluster.info_, addedViaApi());
- cluster_.reset(new EdsClusterImpl(sds_cluster_, runtime_, stats_, ssl_context_manager_,
- local_info_, cm_, dispatcher_, random_, false));
+ Stats::ScopePtr stats_scope;
+ EXPECT_CALL(factory_context_, stats()).WillRepeatedly(ReturnRef(stats_));
+ cluster_.reset(new EdsClusterImpl(sds_cluster_, runtime_, false, factory_context_,
+ std::move(stats_scope)));
 EXPECT_EQ(Cluster::InitializePhase::Secondary, cluster_->initializePhase());
 }
@@ -123,6 +127,7 @@ class SdsTest : public testing::Test {
 Http::MockAsyncClientRequest request_;
 NiceMock runtime_;
 NiceMock local_info_;
+ NiceMock factory_context_;
 };
 TEST_F(SdsTest, Shutdown) {
diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc
index 17888a900630..ffae91948839 100644
--- a/test/common/upstream/upstream_impl_test.cc
+++ b/test/common/upstream/upstream_impl_test.cc
@@ -19,6 +19,7 @@
 #include "test/mocks/common.h"
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/runtime/mocks.h"
+#include "test/mocks/server/mocks.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/upstream/mocks.h"
 #include "test/test_common/utility.h"
@@ -29,6 +30,7 @@ using testing::ContainerEq;
 using testing::Invoke;
 using testing::NiceMock;
+using testing::ReturnRef;
 using testing::_;
 namespace Envoy {
@@ -140,8 +142,11 @@ TEST_P(StrictDnsParamTest, ImmediateResolve) {
 return nullptr;
 }));
 NiceMock cm;
- StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager,
- dns_resolver, cm, dispatcher, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, dns_resolver, false,
+ factory_context, std::move(scope));
 cluster.initialize([&]() -> void { initialized.ready(); });
 EXPECT_EQ(2UL, cluster.prioritySet().hostSetsPerPriority()[0]->hosts().size());
 EXPECT_EQ(2UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size());
@@ -166,8 +171,10 @@ TEST(StrictDnsClusterImplTest, ZeroHostsHealthChecker) {
 )EOF";
 ResolverData resolver(*dns_resolver, dispatcher);
- StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager,
- dns_resolver, cm, dispatcher, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, dns_resolver, false,
+ factory_context, std::move(scope));
 std::shared_ptr health_checker(new MockHealthChecker());
 EXPECT_CALL(*health_checker, start());
 EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_));
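Review bot: The ZeroHostsHealthChecker hunk declares `factory_context` without wiring `clusterManager()`, unlike the ImmediateResolve hunk just above it, which adds `EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));` before constructing the cluster. A gmock method that returns a reference has no default action, so even a NiceMock fails the test the moment the cluster constructor calls `clusterManager()`; the same omission appears in the HostRemovalActiveHealthSkipped hunk and in the first SourceAddressPriority block, where the expected `1.2.3.5:0` can only come from `cm.bind_config_`, which suggests the constructor does read the cluster manager there. Unless those constructors never touch the cluster manager on these paths, add the same one-line expectation after `Envoy::Stats::ScopePtr scope;` in each of the three hunks.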
@@ -224,8 +231,11 @@ TEST(StrictDnsClusterImplTest, Basic) {
 )EOF";
 NiceMock cm;
- StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager,
- dns_resolver, cm, dispatcher, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StrictDnsClusterImpl cluster(parseClusterFromJson(json), runtime, dns_resolver, false,
+ factory_context, std::move(scope));
 EXPECT_CALL(runtime.snapshot_, getInteger("circuit_breakers.name.default.max_connections", 43));
 EXPECT_EQ(43U, cluster.info()->resourceManager(ResourcePriority::Default).connections().max());
 EXPECT_CALL(runtime.snapshot_,
@@ -340,8 +350,10 @@ TEST(StrictDnsClusterImplTest, HostRemovalActiveHealthSkipped) {
 )EOF";
 ResolverData resolver(*dns_resolver, dispatcher);
- StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager,
- dns_resolver, cm, dispatcher, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, dns_resolver, false,
+ factory_context, std::move(scope));
 std::shared_ptr health_checker(new MockHealthChecker());
 EXPECT_CALL(*health_checker, start());
 EXPECT_CALL(*health_checker, addHostCheckCompleteCb(_));
@@ -434,8 +446,11 @@ TEST(StaticClusterImplTest, EmptyHostname) {
 )EOF";
 NiceMock cm;
- StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm,
- false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(parseClusterFromJson(json), runtime, false, factory_context,
+ std::move(scope));
 cluster.initialize([] {});
 EXPECT_EQ(1UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size());
@@ -458,8 +473,11 @@ TEST(StaticClusterImplTest, AltStatName) {
 )EOF";
 NiceMock cm;
- StaticClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager, cm,
- false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, false, factory_context,
+ std::move(scope));
 cluster.initialize([] {});
 // Increment a stat and verify it is emitted with alt_stat_name
 cluster.info()->stats().upstream_rq_total_.inc();
@@ -481,8 +499,11 @@ TEST(StaticClusterImplTest, RingHash) {
 )EOF";
 NiceMock cm;
- StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm,
- true);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(parseClusterFromJson(json), runtime, true, factory_context,
+ std::move(scope));
 cluster.initialize([] {});
 EXPECT_EQ(1UL, cluster.prioritySet().hostSetsPerPriority()[0]->healthyHosts().size());
@@ -506,8 +527,11 @@ TEST(StaticClusterImplTest, OutlierDetector) {
 )EOF";
 NiceMock cm;
- StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm,
- false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(parseClusterFromJson(json), runtime, false, factory_context,
+ std::move(scope));
 Outlier::MockDetector* detector = new Outlier::MockDetector();
 EXPECT_CALL(*detector, addChangedStateCb(_));
@@ -553,8 +577,11 @@ TEST(StaticClusterImplTest, HealthyStat) {
 )EOF";
 NiceMock cm;
- StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm,
- false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(parseClusterFromJson(json), runtime, false, factory_context,
+ std::move(scope));
 Outlier::MockDetector* outlier_detector = new NiceMock();
 cluster.setOutlierDetector(Outlier::DetectorSharedPtr{outlier_detector});
@@ -635,8 +662,11 @@ TEST(StaticClusterImplTest, UrlConfig) {
 )EOF";
 NiceMock cm;
- StaticClusterImpl cluster(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm,
- false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(parseClusterFromJson(json), runtime, false, factory_context,
+ std::move(scope));
 cluster.initialize([] {});
 EXPECT_EQ(1024U, cluster.info()->resourceManager(ResourcePriority::Default).connections().max());
@@ -678,9 +708,11 @@ TEST(StaticClusterImplTest, UnsupportedLBType) {
 }
 )EOF";
- EXPECT_THROW(
- StaticClusterImpl(parseClusterFromJson(json), runtime, stats, ssl_context_manager, cm, false),
- EnvoyException);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_THROW(StaticClusterImpl(parseClusterFromJson(json), runtime, false, factory_context,
+ std::move(scope)),
+ EnvoyException);
 }
 TEST(StaticClusterImplTest, MalformedHostIP) {
@@ -696,8 +728,11 @@ TEST(StaticClusterImplTest, MalformedHostIP) {
 )EOF";
 NiceMock cm;
- EXPECT_THROW_WITH_MESSAGE(StaticClusterImpl(parseClusterFromV2Yaml(yaml), runtime, stats,
- ssl_context_manager, cm, false),
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ EXPECT_THROW_WITH_MESSAGE(StaticClusterImpl(parseClusterFromV2Yaml(yaml), runtime, false,
+ factory_context, std::move(scope)),
 EnvoyException,
 "malformed IP address: foo.bar.com. Consider setting resolver_name or "
 "setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'");
@@ -747,7 +782,9 @@ TEST(StaticClusterImplTest, SourceAddressPriority) {
 // If the cluster manager gets a source address from the bootstrap proto, use it.
 NiceMock cm;
 cm.bind_config_.mutable_source_address()->set_address("1.2.3.5");
- StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ StaticClusterImpl cluster(config, runtime, false, factory_context, std::move(scope));
 EXPECT_EQ("1.2.3.5:0", cluster.info()->sourceAddress()->asString());
 }
@@ -756,7 +793,10 @@ TEST(StaticClusterImplTest, SourceAddressPriority) {
 {
 // Verify source address from cluster config is used when present.
 NiceMock cm;
- StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(config, runtime, false, factory_context, std::move(scope));
 EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString());
 }
@@ -764,7 +804,10 @@ TEST(StaticClusterImplTest, SourceAddressPriority) {
 // The source address from cluster config takes precedence over one from the bootstrap proto.
 NiceMock cm;
 cm.bind_config_.mutable_source_address()->set_address("1.2.3.5");
- StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StaticClusterImpl cluster(config, runtime, false, factory_context, std::move(scope));
 EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString());
 }
 }
@@ -788,8 +831,11 @@ TEST(ClusterImplTest, CloseConnectionsOnHostHealthFailure) {
 close_connections_on_host_health_failure: true
 hosts: [{ socket_address: { address: foo.bar.com, port_value: 443 }}]
 )EOF";
- StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager,
- dns_resolver, cm, dispatcher, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, dns_resolver, false,
+ factory_context, std::move(scope));
 EXPECT_TRUE(cluster.info()->features() &
 ClusterInfo::Features::CLOSE_CONNECTIONS_ON_HOST_HEALTH_FAILURE);
 }
@@ -865,8 +911,11 @@ TEST(ClusterMetadataTest, Metadata) {
 value: 0.3
 )EOF";
- StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, stats, ssl_context_manager,
- dns_resolver, cm, dispatcher, false);
+ NiceMock factory_context;
+ Envoy::Stats::ScopePtr scope;
+ EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));
+ StrictDnsClusterImpl cluster(parseClusterFromV2Yaml(yaml), runtime, dns_resolver, false,
+ factory_context, std::move(scope));
 EXPECT_EQ("test_value",
 Config::Metadata::metadataValue(cluster.info()->metadata(), "com.bar.foo", "baz")
 .string_value());
diff --git a/test/integration/BUILD b/test/integration/BUILD
index 13fd922c873f..9d1e29931f97 100644
--- a/test/integration/BUILD
+++ b/test/integration/BUILD
@@ -292,6 +292,7 @@ envoy_cc_test_library(
 "//test/common/upstream:utility_lib",
 "//test/config:utility_lib",
 "//test/mocks/buffer:buffer_mocks",
+ "//test/mocks/secret:secret_mocks",
 "//test/mocks/server:server_mocks",
 "//test/mocks/upstream:upstream_mocks",
 "//test/test_common:environment_lib",
diff --git a/test/integration/ads_integration_test.cc b/test/integration/ads_integration_test.cc
index 6748631ed6c1..4ad5c87eeea7 100644
--- a/test/integration/ads_integration_test.cc
+++ b/test/integration/ads_integration_test.cc
@@ -114,7 +114,7 @@ class AdsIntegrationTest : public AdsIntegrationBaseTest,
 TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem"));
 tls_cert->mutable_private_key()->set_filename(
 TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem"));
- Ssl::ServerContextConfigImpl cfg(tls_context, secret_manager_, init_manager_);
+ Ssl::ServerContextConfigImpl cfg(tls_context, secret_manager_, secret_provider_factory_);
 static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl();
 return std::make_unique(
@@ -294,7 +294,7 @@ class AdsIntegrationTest : public AdsIntegrationBaseTest,
 Runtime::MockLoader runtime_;
 Ssl::ContextManagerImpl context_manager_{runtime_};
 FakeStreamPtr ads_stream_;
- testing::NiceMock init_manager_;
+ testing::NiceMock secret_provider_factory_;
 };
 INSTANTIATE_TEST_CASE_P(IpVersionsClientType, AdsIntegrationTest, GRPC_CLIENT_INTEGRATION_PARAMS);
diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc
index 4f7a8c60de8a..e958ebbb736c 100644
--- a/test/integration/ssl_utility.cc
+++ b/test/integration/ssl_utility.cc
@@ -7,6 +7,7 @@
 #include "common/ssl/ssl_socket.h"
 #include "test/integration/server.h"
+#include "test/mocks/secret/mocks.h"
 #include "test/mocks/server/mocks.h"
 #include "test/test_common/environment.h"
 #include "test/test_common/network_utility.h"
@@ -60,9 +61,9 @@ createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& conte
 }
 Server::MockInstance server;
 Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target);
- NiceMock init_manager;
- ClientContextConfigPtr cfg =
- std::make_unique(*loader, server.secretManager(), init_manager);
+ testing::NiceMock secret_provider_factory;
+ ClientContextConfigPtr cfg = std::make_unique(
+ *loader, server.secretManager(), secret_provider_factory);
 static auto* client_stats_store = new Stats::TestIsolatedStoreImpl();
 return Network::TransportSocketFactoryPtr{
 new Ssl::ClientSslSocketFactory(std::move(cfg), context_manager, *client_stats_store)};
diff --git a/test/mocks/secret/BUILD b/test/mocks/secret/BUILD
index f3d6223461cd..1af2a92ee8ae 100644
--- a/test/mocks/secret/BUILD
+++ b/test/mocks/secret/BUILD
@@ -13,6 +13,7 @@ envoy_cc_mock(
 srcs = ["mocks.cc"],
 hdrs = ["mocks.h"],
 deps = [
+ "//include/envoy/secret:dynamic_secret_provider_factory_interface",
 "//include/envoy/secret:secret_manager_interface",
 "//include/envoy/ssl:tls_certificate_config_interface",
 ],
diff --git a/test/mocks/secret/mocks.cc b/test/mocks/secret/mocks.cc
index e11b7de14dde..6f356543a208 100644
--- a/test/mocks/secret/mocks.cc
+++ b/test/mocks/secret/mocks.cc
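Review bot: In the createClientSslTransportSocketFactory hunk, `secret_provider_factory` is a function-local NiceMock handed by reference to `ClientContextConfigImpl`, while `cfg` is then moved into a `ClientSslSocketFactory` that is returned to the caller. If the config object keeps a reference to the factory beyond its constructor (which it would need to do to resolve SDS-provided certificates later), the returned socket factory carries a dangling reference as soon as this function returns; the local `server` whose `secretManager()` is passed the same way has the same exposure, though that part predates this change. If the factory is only consulted during construction, a comment such as `// Only used while constructing cfg; not retained.` on the `testing::NiceMock` line would settle it, otherwise give it the same `static` lifetime the hunk already gives `client_stats_store`.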
@@ -7,5 +7,13 @@ MockSecretManager::MockSecretManager() {}
 MockSecretManager::~MockSecretManager() {}
+MockDynamicTlsCertificateSecretProvider::MockDynamicTlsCertificateSecretProvider() {}
+
+MockDynamicTlsCertificateSecretProvider::~MockDynamicTlsCertificateSecretProvider() {}
+
+MockDynamicTlsCertificateSecretProviderFactory::MockDynamicTlsCertificateSecretProviderFactory() {}
+
+MockDynamicTlsCertificateSecretProviderFactory::~MockDynamicTlsCertificateSecretProviderFactory() {}
+
 } // namespace Secret
 } // namespace Envoy
diff --git a/test/mocks/secret/mocks.h b/test/mocks/secret/mocks.h
index ba7de191e222..bc311580e0e6 100644
--- a/test/mocks/secret/mocks.h
+++ b/test/mocks/secret/mocks.h
@@ -1,5 +1,6 @@
 #pragma once
+#include "envoy/secret/dynamic_secret_provider_factory.h"
 #include "envoy/secret/secret_manager.h"
 #include "envoy/ssl/tls_certificate_config.h"
@@ -39,5 +40,16 @@ class MockDynamicTlsCertificateSecretProvider : public DynamicTlsCertificateSecr
 MOCK_CONST_METHOD0(secret, const Ssl::TlsCertificateConfig*());
 };
+class MockDynamicTlsCertificateSecretProviderFactory
+ : public DynamicTlsCertificateSecretProviderFactory {
+public:
+ MockDynamicTlsCertificateSecretProviderFactory();
+ ~MockDynamicTlsCertificateSecretProviderFactory();
+
+ MOCK_METHOD2(findOrCreate, DynamicTlsCertificateSecretProviderSharedPtr(
+ const envoy::api::v2::core::ConfigSource& sds_config,
+ std::string sds_config_name));
+};
+
 } // namespace Secret
 } // namespace Envoy
diff --git a/test/mocks/server/mocks.cc b/test/mocks/server/mocks.cc
index e402d6affe16..46920ab56429 100644
--- a/test/mocks/server/mocks.cc
+++ b/test/mocks/server/mocks.cc
@@ -107,7 +107,7 @@ MockWorker::MockWorker() {
 MockWorker::~MockWorker() {}
 MockInstance::MockInstance()
- : secret_manager_(new Secret::SecretManagerImpl(*this)), ssl_context_manager_(runtime_loader_),
+ : secret_manager_(new Secret::SecretManagerImpl()), ssl_context_manager_(runtime_loader_),
 singleton_manager_(new Singleton::ManagerImpl()) {
 ON_CALL(*this, threadLocal()).WillByDefault(ReturnRef(thread_local_));
 ON_CALL(*this, stats()).WillByDefault(ReturnRef(stats_store_));
diff --git a/test/mocks/server/mocks.h b/test/mocks/server/mocks.h
index f37f4fb64707..1c3553c336b0 100644
--- a/test/mocks/server/mocks.h
+++ b/test/mocks/server/mocks.h
@@ -412,7 +412,15 @@ class MockTransportSocketFactoryContext : public TransportSocketFactoryContext {
 MOCK_METHOD0(sslContextManager, Ssl::ContextManager&());
 MOCK_CONST_METHOD0(statsScope, Stats::Scope&());
- MOCK_METHOD0(initManager, Init::Manager&());
+ MOCK_METHOD0(clusterManager, Upstream::ClusterManager&());
+ MOCK_METHOD0(secretManager, Secret::SecretManager&());
+ MOCK_METHOD0(local_info, const LocalInfo::LocalInfo&());
+ MOCK_METHOD0(dispatcher, Event::Dispatcher&());
+ MOCK_METHOD0(random, Envoy::Runtime::RandomGenerator&());
+ MOCK_METHOD0(stats, Stats::Store&());
+ MOCK_METHOD1(createDynamicTlsCertificateSecretProviderFactory, void(Init::Manager& init_manager));
+ MOCK_METHOD0(dynamicTlsCertificateSecretProviderFactory,
+ Secret::DynamicTlsCertificateSecretProviderFactory&());
 };
 class MockListenerFactoryContext : public virtual MockFactoryContext,
From 7dbab598fe046d6e2f9a371f1a8427c33ada7473 Mon Sep 17 00:00:00 2001
From: JimmyCYJ
Date: Thu, 26 Jul 2018 15:47:22 -0700
Subject: [PATCH 55/55] fix format.
Signed-off-by: JimmyCYJ
---
 test/common/ssl/ssl_socket_test.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/common/ssl/ssl_socket_test.cc b/test/common/ssl/ssl_socket_test.cc
index 9d779ff3565c..edddd4a3cab3 100644
--- a/test/common/ssl/ssl_socket_test.cc
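Review bot: The accessors added to `MockTransportSocketFactoryContext` in the mocks.h hunk (`clusterManager()`, `secretManager()`, `local_info()`, `dispatcher()`, `random()`, `stats()`, `dynamicTlsCertificateSecretProviderFactory()`) all return references and carry no default action, so even a NiceMock fails the test on the first unstubbed call; that is why every test hunk on this page has to repeat `EXPECT_CALL(factory_context, clusterManager()).WillRepeatedly(ReturnRef(cm));` and the health-checker and source-address tests that omit it look fragile. Consider giving the mock a constructor that installs defaults backed by mock members, following `ON_CALL(*this, stats()).WillByDefault(ReturnRef(stats_store_));` in the `MockInstance::MockInstance()` hunk just above, so individual tests only override what they care about. The constructor body would live in mocks.cc, outside this hunk, and I cannot tell from here which accessors the cluster constructors actually call.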
+++ b/test/common/ssl/ssl_socket_test.cc
@@ -2604,8 +2604,8 @@ class SslReadBufferLimitTest : public SslCertsTest,
 listener_ = dispatcher_->createListener(socket_, listener_callbacks_, true, false);
 client_ctx_loader_ = TestEnvironment::jsonLoadFromString(client_ctx_json_);
- client_ctx_config_.reset(
- new ClientContextConfigImpl(*client_ctx_loader_, server_.secretManager(), secret_provider_factory_));
+ client_ctx_config_.reset(new ClientContextConfigImpl(
+ *client_ctx_loader_, server_.secretManager(), secret_provider_factory_));
 client_ssl_socket_factory_.reset(
 new ClientSslSocketFactory(std::move(client_ctx_config_), *manager_, stats_store_));