Example 6 with DownstreamTlsContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext in project grpc-java by grpc.

the class ServerSslContextProviderFactoryTest method createCertProviderServerSslContextProvider_withStaticContext.

@Test
public void createCertProviderServerSslContextProvider_withStaticContext() throws XdsInitializationException {
    final CertificateProvider.DistributorWatcher[] watcherCaptor = new CertificateProvider.DistributorWatcher[1];
    createAndRegisterProviderProvider(certificateProviderRegistry, watcherCaptor, "testca", 0);
    CertificateValidationContext staticCertValidationContext =
        CertificateValidationContext.newBuilder()
            .addAllMatchSubjectAltNames(
                ImmutableSet.of(
                    StringMatcher.newBuilder().setExact("foo").build(),
                    StringMatcher.newBuilder().setExact("bar").build()))
            .build();
    DownstreamTlsContext downstreamTlsContext =
        CommonTlsContextTestsUtil.buildDownstreamTlsContextForCertProviderInstance(
            "gcp_id",
            "cert-default",
            "gcp_id",
            "root-default",
            /* alpnProtocols= */ null,
            staticCertValidationContext,
            /* requireClientCert= */ true);
    Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
    serverSslContextProviderFactory = new ServerSslContextProviderFactory(bootstrapInfo, certProviderServerSslContextProviderFactory);
    SslContextProvider sslContextProvider = serverSslContextProviderFactory.create(downstreamTlsContext);
    assertThat(sslContextProvider).isInstanceOf(CertProviderServerSslContextProvider.class);
    verifyWatcher(sslContextProvider, watcherCaptor[0]);
}
Also used: Bootstrapper (io.grpc.xds.Bootstrapper), DownstreamTlsContext (io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext), CertProviderServerSslContextProvider (io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider), CertificateValidationContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext), Test (org.junit.Test)

Example 7 with DownstreamTlsContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext in project grpc-java by grpc.

the class ClientXdsClientDataTest method validateDownstreamTlsContext_hasRequireSni.

@Test
@SuppressWarnings("deprecation")
public void validateDownstreamTlsContext_hasRequireSni() throws ResourceInvalidException {
    CommonTlsContext commonTlsContext =
        CommonTlsContext.newBuilder()
            .setCombinedValidationContext(
                CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
                    .setValidationContextCertificateProviderInstance(
                        CommonTlsContext.CertificateProviderInstance.getDefaultInstance()))
            .setTlsCertificateCertificateProviderInstance(
                CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
            .build();
    DownstreamTlsContext downstreamTlsContext =
        DownstreamTlsContext.newBuilder()
            .setCommonTlsContext(commonTlsContext)
            .setRequireSni(BoolValue.of(true))
            .build();
    thrown.expect(ResourceInvalidException.class);
    thrown.expectMessage("downstream-tls-context with require-sni is not supported");
    ClientXdsClient.validateDownstreamTlsContext(downstreamTlsContext, ImmutableSet.of(""));
}
Also used: DownstreamTlsContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext), CommonTlsContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext), Test (org.junit.Test)

Example 8 with DownstreamTlsContext

use of io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext in project grpc-java by grpc.

the class ClientXdsClient method parseFilterChain.

@VisibleForTesting
static FilterChain parseFilterChain(
    io.envoyproxy.envoy.config.listener.v3.FilterChain proto,
    Set<String> rdsResources,
    TlsContextManager tlsContextManager,
    FilterRegistry filterRegistry,
    Set<FilterChainMatch> uniqueSet,
    Set<String> certProviderInstances,
    boolean parseHttpFilters) throws ResourceInvalidException {
    if (proto.getFiltersCount() != 1) {
        throw new ResourceInvalidException("FilterChain " + proto.getName() + " should contain exact one HttpConnectionManager filter");
    }
    io.envoyproxy.envoy.config.listener.v3.Filter filter = proto.getFiltersList().get(0);
    if (!filter.hasTypedConfig()) {
        throw new ResourceInvalidException("FilterChain " + proto.getName() + " contains filter " + filter.getName() + " without typed_config");
    }
    Any any = filter.getTypedConfig();
    // HttpConnectionManager is the only supported network filter at the moment.
    if (!any.getTypeUrl().equals(TYPE_URL_HTTP_CONNECTION_MANAGER)) {
        throw new ResourceInvalidException("FilterChain " + proto.getName() + " contains filter " + filter.getName() + " with unsupported typed_config type " + any.getTypeUrl());
    }
    HttpConnectionManager hcmProto;
    try {
        hcmProto = any.unpack(HttpConnectionManager.class);
    } catch (InvalidProtocolBufferException e) {
        throw new ResourceInvalidException("FilterChain " + proto.getName() + " with filter " + filter.getName() + " failed to unpack message", e);
    }
    io.grpc.xds.HttpConnectionManager httpConnectionManager =
        parseHttpConnectionManager(hcmProto, rdsResources, filterRegistry, parseHttpFilters, false);
    EnvoyServerProtoData.DownstreamTlsContext downstreamTlsContext = null;
    if (proto.hasTransportSocket()) {
        if (!TRANSPORT_SOCKET_NAME_TLS.equals(proto.getTransportSocket().getName())) {
            throw new ResourceInvalidException("transport-socket with name " + proto.getTransportSocket().getName() + " not supported.");
        }
        DownstreamTlsContext downstreamTlsContextProto;
        try {
            downstreamTlsContextProto = proto.getTransportSocket().getTypedConfig().unpack(DownstreamTlsContext.class);
        } catch (InvalidProtocolBufferException e) {
            throw new ResourceInvalidException("FilterChain " + proto.getName() + " failed to unpack message", e);
        }
        // Validate the proto before converting it; validation rejects unsupported settings
        // (e.g. require_sni, see Example 7) and unknown certificate provider instances.
        downstreamTlsContext =
            EnvoyServerProtoData.DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(
                validateDownstreamTlsContext(downstreamTlsContextProto, certProviderInstances));
    }
    FilterChainMatch filterChainMatch = parseFilterChainMatch(proto.getFilterChainMatch());
    checkForUniqueness(uniqueSet, filterChainMatch);
    return FilterChain.create(proto.getName(), filterChainMatch, httpConnectionManager, downstreamTlsContext, tlsContextManager);
}
Also used: DownstreamTlsContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext), InvalidProtocolBufferException (com.google.protobuf.InvalidProtocolBufferException), Any (com.google.protobuf.Any), FilterChainMatch (io.grpc.xds.EnvoyServerProtoData.FilterChainMatch), HttpConnectionManager (io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager), VisibleForTesting (com.google.common.annotations.VisibleForTesting)

Aggregations

Test (org.junit.Test): 6
CommonTlsContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext): 4
DownstreamTlsContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext): 4
DownstreamTlsContext (io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext): 4
Bootstrapper (io.grpc.xds.Bootstrapper): 3
CertProviderServerSslContextProvider (io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider): 3
CertificateValidationContext (io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext): 2
VisibleForTesting (com.google.common.annotations.VisibleForTesting): 1
Any (com.google.protobuf.Any): 1
InvalidProtocolBufferException (com.google.protobuf.InvalidProtocolBufferException): 1
HttpConnectionManager (io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager): 1
EnvoyServerProtoData (io.grpc.xds.EnvoyServerProtoData): 1
FilterChainMatch (io.grpc.xds.EnvoyServerProtoData.FilterChainMatch): 1