
Example 1 with DownstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext in project grpc-java by grpc.

From class XdsSdsClientServerTest, method tlsServer_plaintextClient_expectException.

@Test
public void tlsServer_plaintextClient_expectException() throws Exception {
    // Server side: a TLS-only DownstreamTlsContext built from default bootstrap values
    // (no cert-provider overrides, client certificates not required).
    DownstreamTlsContext serverTlsContext =
        setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, false, false);
    buildServerWithTlsContext(serverTlsContext);
    // Client side: no UpstreamTlsContext at all, so the channel talks plaintext to a TLS server.
    SimpleServiceGrpc.SimpleServiceBlockingStub stub =
        getBlockingStub(/* upstreamTlsContext= */ null, /* overrideAuthority= */ null);
    StatusRuntimeException failure = null;
    try {
        unaryRpc("buddy", stub);
    } catch (StatusRuntimeException sre) {
        failure = sre;
    }
    if (failure == null) {
        // A plaintext client must not be able to complete an RPC against a TLS-only server.
        fail("exception expected");
    }
    // The mismatch surfaces as UNAVAILABLE with the connection being torn down.
    Status status = failure.getStatus();
    assertThat(status.getCode()).isEqualTo(Status.UNAVAILABLE.getCode());
    assertThat(status.getDescription()).contains("Network closed");
}

Example 2 with DownstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext in project grpc-java by grpc.

From class SslContextProvider, method setClientAuthValues.

/**
 * Configures server-side client authentication on the given {@link SslContextBuilder}.
 *
 * <p>When a trust manager factory is supplied it is installed on the builder and client
 * authentication is set to {@link ClientAuth#REQUIRE} or {@link ClientAuth#OPTIONAL} according to
 * {@code DownstreamTlsContext#isRequireClientCertificate()}. When no trust manager factory is
 * supplied, client authentication is set to {@link ClientAuth#NONE} and the
 * {@code isRequireClientCertificate()} flag is not consulted at all, i.e. the server will not
 * request a client certificate even if the context asked for one.
 *
 * @param sslContextBuilder builder to configure; mutated in place
 * @param sdsTrustManagerFactory trust manager used to validate client certificates, or
 *     {@code null} when no validation context is available
 * @throws CertificateException not thrown by this implementation; presumably declared for
 *     overriding implementations
 * @throws IOException not thrown by this implementation; presumably declared for overrides
 * @throws CertStoreException not thrown by this implementation; presumably declared for overrides
 */
protected void setClientAuthValues(SslContextBuilder sslContextBuilder, SdsTrustManagerFactory sdsTrustManagerFactory) throws CertificateException, IOException, CertStoreException {
    DownstreamTlsContext tlsContext = getDownstreamTlsContext();
    if (sdsTrustManagerFactory == null) {
        // Nothing to validate client certificates against, so client auth is switched off.
        sslContextBuilder.clientAuth(ClientAuth.NONE);
        return;
    }
    sslContextBuilder.trustManager(sdsTrustManagerFactory);
    ClientAuth clientAuth =
        tlsContext.isRequireClientCertificate() ? ClientAuth.REQUIRE : ClientAuth.OPTIONAL;
    sslContextBuilder.clientAuth(clientAuth);
}

Example 3 with DownstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext in project grpc-java by grpc.

From class TlsContextManagerImpl, method findOrCreateServerSslContextProvider.

/**
 * Looks up the server-side {@link SslContextProvider} for the given context in
 * {@code mapForServers}.
 *
 * <p>The lookup key is a fresh {@code DownstreamTlsContext} built from a builder round-trip of
 * the original's {@code CommonTlsContext} plus its require-client-certificate flag, rather than
 * the caller's instance. Whether {@code mapForServers.get} creates a missing entry (as the method
 * name suggests) is not visible here; verify against the map's implementation.
 *
 * @param downstreamTlsContext server TLS configuration; must not be null
 * @return the provider associated with the normalized key
 * @throws NullPointerException if {@code downstreamTlsContext} is null
 */
@Override
public SslContextProvider findOrCreateServerSslContextProvider(DownstreamTlsContext downstreamTlsContext) {
    checkNotNull(downstreamTlsContext, "downstreamTlsContext");
    CommonTlsContext commonTlsContext = downstreamTlsContext.getCommonTlsContext().toBuilder().build();
    // The key carries the same two pieces of state the original context exposes here.
    DownstreamTlsContext lookupKey =
        new DownstreamTlsContext(commonTlsContext, downstreamTlsContext.isRequireClientCertificate());
    return mapForServers.get(lookupKey);
}

Example 4 with DownstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext in project grpc-java by grpc.

From class SdsProtocolNegotiatorsTest, method serverSdsHandler_addLast.

/**
 * Drives server-side protocol negotiation through an {@link EmbeddedChannel} and checks that the
 * {@code HandlerPickerHandler} is swapped for a {@code ServerSdsHandler}, which in turn is
 * replaced by an {@code SslHandler} followed by a {@code ServerTlsHandler} once the
 * {@link SslContext} has been supplied.
 *
 * <p>Uses a {@link FakeClock} registered via {@code CommonCertProviderTestUtils} so that the
 * certificate-provider work can be stepped deterministically; exactly one due task is expected.
 */
@Test
public void serverSdsHandler_addLast() throws InterruptedException, TimeoutException, ExecutionException {
    FakeClock executor = new FakeClock();
    // Route cert-provider scheduling through the fake clock; undone by register0() at the end.
    CommonCertProviderTestUtils.register(executor);
    // we need InetSocketAddress instead of EmbeddedSocketAddress as localAddress for this test
    channel = new EmbeddedChannel() {

        @Override
        public SocketAddress localAddress() {
            return new InetSocketAddress("172.168.1.1", 80);
        }

        @Override
        public SocketAddress remoteAddress() {
            return new InetSocketAddress("172.168.2.2", 90);
        }
    };
    pipeline = channel.pipeline();
    // Server bootstrap backed by the SERVER_1 key/cert files and the CA file.
    Bootstrapper.BootstrapInfo bootstrapInfoForServer = CommonBootstrapperTestUtils.buildBootstrapInfo("google_cloud_private_spiffe-server", SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, CA_PEM_FILE, null, null, null, null);
    // NOTE(review): the two boolean flags are presumably hasRootCert / requireClientCert — confirm
    // against CommonTlsContextTestsUtil.
    DownstreamTlsContext downstreamTlsContext = CommonTlsContextTestsUtil.buildDownstreamTlsContext("google_cloud_private_spiffe-server", true, true);
    TlsContextManagerImpl tlsContextManager = new TlsContextManagerImpl(bootstrapInfoForServer);
    // Plaintext is the fallback negotiator handed to the picker; the TLS path is selected via the
    // attributes set on the negotiation event below.
    SdsProtocolNegotiators.HandlerPickerHandler handlerPickerHandler = new SdsProtocolNegotiators.HandlerPickerHandler(grpcHandler, InternalProtocolNegotiators.serverPlaintext());
    pipeline.addLast(handlerPickerHandler);
    channelHandlerCtx = pipeline.context(handlerPickerHandler);
    // should find HandlerPickerHandler
    assertThat(channelHandlerCtx).isNotNull();
    // kick off protocol negotiation: should replace HandlerPickerHandler with ServerSdsHandler
    ProtocolNegotiationEvent event = InternalProtocolNegotiationEvent.getDefault();
    Attributes attr = InternalProtocolNegotiationEvent.getAttributes(event).toBuilder().set(ATTR_SERVER_SSL_CONTEXT_PROVIDER_SUPPLIER, new SslContextProviderSupplier(downstreamTlsContext, tlsContextManager)).build();
    pipeline.fireUserEventTriggered(InternalProtocolNegotiationEvent.withAttributes(event, attr));
    channelHandlerCtx = pipeline.context(handlerPickerHandler);
    assertThat(channelHandlerCtx).isNull();
    channelHandlerCtx = pipeline.context(SdsProtocolNegotiators.ServerSdsHandler.class);
    assertThat(channelHandlerCtx).isNotNull();
    // A second supplier for the same context/manager is used to observe the SslContext delivery;
    // the callback stores either the SslContext or the failure in the same future.
    SslContextProviderSupplier sslContextProviderSupplier = new SslContextProviderSupplier(downstreamTlsContext, tlsContextManager);
    final SettableFuture<Object> future = SettableFuture.create();
    sslContextProviderSupplier.updateSslContext(new SslContextProvider.Callback(MoreExecutors.directExecutor()) {

        @Override
        public void updateSecret(SslContext sslContext) {
            future.set(sslContext);
        }

        @Override
        protected void onException(Throwable throwable) {
            future.set(throwable);
        }
    });
    // need this for tasks to execute on eventLoop
    channel.runPendingTasks();
    assertThat(executor.runDueTasks()).isEqualTo(1);
    // Bounded wait so a provider that never reports keeps the test from hanging.
    Object fromFuture = future.get(2, TimeUnit.SECONDS);
    // An exception would have been set as a Throwable, so this also asserts no failure occurred.
    assertThat(fromFuture).isInstanceOf(SslContext.class);
    channel.runPendingTasks();
    // Once the SslContext is available the ServerSdsHandler should have removed itself.
    channelHandlerCtx = pipeline.context(SdsProtocolNegotiators.ServerSdsHandler.class);
    assertThat(channelHandlerCtx).isNull();
    // pipeline should only have SslHandler and ServerTlsHandler
    Iterator<Map.Entry<String, ChannelHandler>> iterator = pipeline.iterator();
    assertThat(iterator.next().getValue()).isInstanceOf(SslHandler.class);
    // ProtocolNegotiators.ServerTlsHandler.class is not accessible, get canonical name
    assertThat(iterator.next().getValue().getClass().getCanonicalName()).contains("ProtocolNegotiators.ServerTlsHandler");
    // Presumably restores the default scheduling registered at the top — confirm in
    // CommonCertProviderTestUtils.
    CommonCertProviderTestUtils.register0();
}

Example 5 with DownstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext in project grpc-java by grpc.

From class ServerSslContextProviderFactoryTest, method createNewCertProviderServerSslContextProvider_withSans.

/**
 * Verifies that a DownstreamTlsContext referencing two cert-provider instances and a static
 * validation context with exact SAN matchers ("foo", "bar") is turned into a
 * {@link CertProviderServerSslContextProvider}, and that the provider registers a watcher with
 * both registered certificate providers.
 */
@Test
public void createNewCertProviderServerSslContextProvider_withSans() throws XdsInitializationException {
    // Slot 0 captures the "testca" provider's watcher, slot 1 the "file_watcher" provider's.
    final CertificateProvider.DistributorWatcher[] watchers = new CertificateProvider.DistributorWatcher[2];
    createAndRegisterProviderProvider(certificateProviderRegistry, watchers, "testca", 0);
    createAndRegisterProviderProvider(certificateProviderRegistry, watchers, "file_watcher", 1);
    StringMatcher fooMatcher = StringMatcher.newBuilder().setExact("foo").build();
    StringMatcher barMatcher = StringMatcher.newBuilder().setExact("bar").build();
    CertificateValidationContext validationContext = CertificateValidationContext.newBuilder()
        .addAllMatchSubjectAltNames(ImmutableSet.of(fooMatcher, barMatcher))
        .build();
    // Client certificates are required, so the server-side provider must validate them against
    // the SAN matchers above.
    DownstreamTlsContext tlsContext = CommonTlsContextTestsUtil.buildNewDownstreamTlsContextForCertProviderInstance(
        "gcp_id", "cert-default", "file_provider", "root-default",
        /* alpnProtocols= */ null, validationContext, /* requireClientCert= */ true);
    Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
    serverSslContextProviderFactory = new ServerSslContextProviderFactory(bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider provider = serverSslContextProviderFactory.create(tlsContext);
    assertThat(provider).isInstanceOf(CertProviderServerSslContextProvider.class);
    verifyWatcher(provider, watchers[0]);
    verifyWatcher(provider, watchers[1]);
}
