Examples with FilterChain io.grpc.xds.EnvoyServerProtoData.FilterChain used on opensource projects

Example 1 with FilterChain

use of io.grpc.xds.EnvoyServerProtoData.FilterChain in project grpc-java by grpc.

the class ClientXdsClient method parseServerSideListener.

@VisibleForTesting
static EnvoyServerProtoData.Listener parseServerSideListener(Listener proto, Set<String> rdsResources, TlsContextManager tlsContextManager, FilterRegistry filterRegistry, Set<String> certProviderInstances, boolean parseHttpFilter) throws ResourceInvalidException {
    if (!proto.getTrafficDirection().equals(TrafficDirection.INBOUND)) {
        throw new ResourceInvalidException("Listener " + proto.getName() + " with invalid traffic direction: " + proto.getTrafficDirection());
    }
    if (!proto.getListenerFiltersList().isEmpty()) {
        throw new ResourceInvalidException("Listener " + proto.getName() + " cannot have listener_filters");
    }
    if (proto.hasUseOriginalDst()) {
        throw new ResourceInvalidException("Listener " + proto.getName() + " cannot have use_original_dst set to true");
    }
    String address = null;
    if (proto.getAddress().hasSocketAddress()) {
        SocketAddress socketAddress = proto.getAddress().getSocketAddress();
        address = socketAddress.getAddress();
        switch(socketAddress.getPortSpecifierCase()) {
            case NAMED_PORT:
                address = address + ":" + socketAddress.getNamedPort();
                break;
            case PORT_VALUE:
                address = address + ":" + socketAddress.getPortValue();
                break;
            default:
        }
    }
    ImmutableList.Builder<FilterChain> filterChains = ImmutableList.builder();
    Set<FilterChainMatch> uniqueSet = new HashSet<>();
    for (io.envoyproxy.envoy.config.listener.v3.FilterChain fc : proto.getFilterChainsList()) {
        filterChains.add(parseFilterChain(fc, rdsResources, tlsContextManager, filterRegistry, uniqueSet, certProviderInstances, parseHttpFilter));
    }
    FilterChain defaultFilterChain = null;
    if (proto.hasDefaultFilterChain()) {
        defaultFilterChain = parseFilterChain(proto.getDefaultFilterChain(), rdsResources, tlsContextManager, filterRegistry, null, certProviderInstances, parseHttpFilter);
    }
    return EnvoyServerProtoData.Listener.create(proto.getName(), address, filterChains.build(), defaultFilterChain);
}

Example 2 with FilterChain

use of io.grpc.xds.EnvoyServerProtoData.FilterChain in project grpc-java by grpc.

the class FilterChainMatchingProtocolNegotiatorsTest method filterChain_5stepMatch.

/**
 * Create 6 filterChains: - 1st filter chain has dest port & specific prefix range but is
 * eliminated due to dest port - 5 advance to next step: 1 is eliminated due to being less
 * specific than the remaining 4. - 4 advance to 3rd step: source type external eliminates one
 * with local source_type. - 3 advance to 4th step: more specific 2 get picked based on
 * source-prefix range. - 5th step: out of 2 one with matching source port gets picked
 */
@Test
public void filterChain_5stepMatch() throws Exception {
    EnvoyServerProtoData.DownstreamTlsContext tlsContext1 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
    EnvoyServerProtoData.DownstreamTlsContext tlsContext2 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
    EnvoyServerProtoData.DownstreamTlsContext tlsContext3 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT3", "VA3");
    EnvoyServerProtoData.DownstreamTlsContext tlsContext4 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT4", "VA4");
    EnvoyServerProtoData.DownstreamTlsContext tlsContext5 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT5", "VA5");
    EnvoyServerProtoData.DownstreamTlsContext tlsContext6 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT6", "VA6");
    // has dest port and specific prefix ranges: gets eliminated in step 1
    EnvoyServerProtoData.FilterChainMatch filterChainMatch1 = EnvoyServerProtoData.FilterChainMatch.create(PORT, ImmutableList.of(), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create(REMOTE_IP, 32)), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
    EnvoyServerProtoData.FilterChain filterChain1 = EnvoyServerProtoData.FilterChain.create("filter-chain-1", filterChainMatch1, HTTP_CONNECTION_MANAGER, tlsContext1, tlsContextManager);
    // next 5 use prefix range: 4 with prefixLen of 30 and last one with 29
    // has single prefix range: and less specific source prefix range: gets eliminated in step 4
    EnvoyServerProtoData.FilterChainMatch filterChainMatch2 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.0.0", 16)), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
    EnvoyServerProtoData.FilterChain filterChain2 = EnvoyServerProtoData.FilterChain.create("filter-chain-2", filterChainMatch2, HTTP_CONNECTION_MANAGER, tlsContext2, tlsContextManager);
    // has prefix ranges with one not matching and source type local: gets eliminated in step 3
    EnvoyServerProtoData.FilterChainMatch filterChainMatch3 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("192.168.2.0", 24), EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(), EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK, ImmutableList.of(), ImmutableList.of(), "");
    EnvoyServerProtoData.FilterChain filterChain3 = EnvoyServerProtoData.FilterChain.create("filter-chain-3", filterChainMatch3, HTTP_CONNECTION_MANAGER, tlsContext3, tlsContextManager);
    // has prefix ranges with both matching and source type external but non matching source port:
    // gets eliminated in step 5
    EnvoyServerProtoData.FilterChainMatch filterChainMatch4 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.0.0", 16), EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.2.0", 24)), EnvoyServerProtoData.ConnectionSourceType.EXTERNAL, ImmutableList.of(16000, 9000), ImmutableList.of(), "");
    EnvoyServerProtoData.FilterChain filterChain4 = EnvoyServerProtoData.FilterChain.create("filter-chain-4", filterChainMatch4, HTTP_CONNECTION_MANAGER, tlsContext4, tlsContextManager);
    // has prefix ranges with both matching and source type external and matching source port: this
    // gets selected
    EnvoyServerProtoData.FilterChainMatch filterChainMatch5 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.0.0", 16), EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.2.0", 24), EnvoyServerProtoData.CidrRange.create("192.168.2.0", 24)), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(15000, 8000), ImmutableList.of(), "");
    EnvoyServerProtoData.FilterChain filterChain5 = EnvoyServerProtoData.FilterChain.create("filter-chain-5", filterChainMatch5, HTTP_CONNECTION_MANAGER, tlsContext5, tlsContextManager);
    // has prefix range with prefixLen of 29: gets eliminated in step 2
    EnvoyServerProtoData.FilterChainMatch filterChainMatch6 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 29)), ImmutableList.of(), ImmutableList.of(), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
    EnvoyServerProtoData.FilterChain filterChain6 = EnvoyServerProtoData.FilterChain.create("filter-chain-6", filterChainMatch6, HTTP_CONNECTION_MANAGER, tlsContext6, tlsContextManager);
    EnvoyServerProtoData.FilterChain defaultFilterChain = EnvoyServerProtoData.FilterChain.create("filter-chain-7", DEFAULT_FILTER_CHAIN_MATCH, HTTP_CONNECTION_MANAGER, null, tlsContextManager);
    Map<FilterChain, AtomicReference<ServerRoutingConfig>> map = new HashMap<>();
    map.put(filterChain1, randomConfig("1"));
    map.put(filterChain2, randomConfig("2"));
    map.put(filterChain3, randomConfig("3"));
    map.put(filterChain4, randomConfig("4"));
    map.put(filterChain5, noopConfig);
    map.put(filterChain6, randomConfig("6"));
    selectorManager.updateSelector(new FilterChainSelector(map, defaultFilterChain.sslContextProviderSupplier(), randomConfig("default")));
    FilterChainMatchingHandler filterChainMatchingHandler = new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
    ChannelHandler next = captureAttrHandler(sslSet, routingSettable);
    when(mockDelegate.newHandler(grpcHandler)).thenReturn(next);
    setupChannel(LOCAL_IP, REMOTE_IP, 15000, filterChainMatchingHandler);
    pipeline.fireUserEventTriggered(event);
    channel.runPendingTasks();
    assertThat(sslSet.get()).isEqualTo(filterChain5.sslContextProviderSupplier());
    assertThat(routingSettable.get()).isEqualTo(noopConfig);
    assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(tlsContext5);
}

Example 3 with FilterChain

use of io.grpc.xds.EnvoyServerProtoData.FilterChain in project grpc-java by grpc.

the class ClientXdsClientTestBase method rdsResourcesDeletedByLdsTcpListener.

@Test
public void rdsResourcesDeletedByLdsTcpListener() {
    Assume.assumeTrue(useProtocolV3());
    xdsClient.watchLdsResource(LISTENER_RESOURCE, ldsResourceWatcher);
    xdsClient.watchRdsResource(RDS_RESOURCE, rdsResourceWatcher);
    verifyResourceMetadataRequested(LDS, LISTENER_RESOURCE);
    verifyResourceMetadataRequested(RDS, RDS_RESOURCE);
    verifySubscribedResourcesMetadataSizes(1, 0, 1, 0);
    Message hcmFilter = mf.buildHttpConnectionManagerFilter(RDS_RESOURCE, null, Collections.singletonList(mf.buildTerminalFilter()));
    Message downstreamTlsContext = CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", "ROOTCA", false);
    Message filterChain = mf.buildFilterChain(Collections.<String>emptyList(), downstreamTlsContext, "envoy.transport_sockets.tls", hcmFilter);
    Any packedListener = Any.pack(mf.buildListenerWithFilterChain(LISTENER_RESOURCE, 7000, "0.0.0.0", filterChain));
    // Simulates receiving the requested LDS resource as a TCP listener with a filter chain
    // referencing RDS_RESOURCE.
    DiscoveryRpcCall call = resourceDiscoveryCalls.poll();
    call.sendResponse(LDS, packedListener, VERSION_1, "0000");
    verify(ldsResourceWatcher).onChanged(ldsUpdateCaptor.capture());
    assertThat(ldsUpdateCaptor.getValue().listener().filterChains()).hasSize(1);
    FilterChain parsedFilterChain = Iterables.getOnlyElement(ldsUpdateCaptor.getValue().listener().filterChains());
    assertThat(parsedFilterChain.httpConnectionManager().rdsName()).isEqualTo(RDS_RESOURCE);
    verifyResourceMetadataAcked(LDS, LISTENER_RESOURCE, packedListener, VERSION_1, TIME_INCREMENT);
    verifyResourceMetadataRequested(RDS, RDS_RESOURCE);
    verifySubscribedResourcesMetadataSizes(1, 0, 1, 0);
    // Simulates receiving the requested RDS resource.
    call.sendResponse(RDS, testRouteConfig, VERSION_1, "0000");
    verify(rdsResourceWatcher).onChanged(rdsUpdateCaptor.capture());
    assertThat(rdsUpdateCaptor.getValue().virtualHosts).hasSize(VHOST_SIZE);
    verifyResourceMetadataAcked(RDS, RDS_RESOURCE, testRouteConfig, VERSION_1, TIME_INCREMENT * 2);
    // Simulates receiving an updated version of the requested LDS resource as a TCP listener
    // with a filter chain containing inlined RouteConfiguration.
    hcmFilter = mf.buildHttpConnectionManagerFilter(null, mf.buildRouteConfiguration("route-bar.googleapis.com", mf.buildOpaqueVirtualHosts(VHOST_SIZE)), Collections.singletonList(mf.buildTerminalFilter()));
    filterChain = mf.buildFilterChain(Collections.<String>emptyList(), downstreamTlsContext, "envoy.transport_sockets.tls", hcmFilter);
    packedListener = Any.pack(mf.buildListenerWithFilterChain(LISTENER_RESOURCE, 7000, "0.0.0.0", filterChain));
    call.sendResponse(LDS, packedListener, VERSION_2, "0001");
    verify(ldsResourceWatcher, times(2)).onChanged(ldsUpdateCaptor.capture());
    assertThat(ldsUpdateCaptor.getValue().listener().filterChains()).hasSize(1);
    parsedFilterChain = Iterables.getOnlyElement(ldsUpdateCaptor.getValue().listener().filterChains());
    assertThat(parsedFilterChain.httpConnectionManager().virtualHosts()).hasSize(VHOST_SIZE);
    verify(rdsResourceWatcher).onResourceDoesNotExist(RDS_RESOURCE);
    verifyResourceMetadataDoesNotExist(RDS, RDS_RESOURCE);
    verifyResourceMetadataAcked(LDS, LISTENER_RESOURCE, packedListener, VERSION_2, TIME_INCREMENT * 3);
    verifySubscribedResourcesMetadataSizes(1, 0, 1, 0);
}

Example 4 with FilterChain

use of io.grpc.xds.EnvoyServerProtoData.FilterChain in project grpc-java by grpc.

the class ClientXdsClientTestBase method serverSideListenerFound.

@Test
public void serverSideListenerFound() {
    Assume.assumeTrue(useProtocolV3());
    ClientXdsClientTestBase.DiscoveryRpcCall call = startResourceWatcher(LDS, LISTENER_RESOURCE, ldsResourceWatcher);
    Message hcmFilter = mf.buildHttpConnectionManagerFilter("route-foo.googleapis.com", null, Collections.singletonList(mf.buildTerminalFilter()));
    Message downstreamTlsContext = CommonTlsContextTestsUtil.buildTestDownstreamTlsContext("google-sds-config-default", "ROOTCA", false);
    Message filterChain = mf.buildFilterChain(Collections.<String>emptyList(), downstreamTlsContext, "envoy.transport_sockets.tls", hcmFilter);
    Message listener = mf.buildListenerWithFilterChain(LISTENER_RESOURCE, 7000, "0.0.0.0", filterChain);
    List<Any> listeners = ImmutableList.of(Any.pack(listener));
    call.sendResponse(ResourceType.LDS, listeners, "0", "0000");
    // Client sends an ACK LDS request.
    call.verifyRequest(ResourceType.LDS, Collections.singletonList(LISTENER_RESOURCE), "0", "0000", NODE);
    verify(ldsResourceWatcher).onChanged(ldsUpdateCaptor.capture());
    EnvoyServerProtoData.Listener parsedListener = ldsUpdateCaptor.getValue().listener();
    assertThat(parsedListener.name()).isEqualTo(LISTENER_RESOURCE);
    assertThat(parsedListener.address()).isEqualTo("0.0.0.0:7000");
    assertThat(parsedListener.defaultFilterChain()).isNull();
    assertThat(parsedListener.filterChains()).hasSize(1);
    FilterChain parsedFilterChain = Iterables.getOnlyElement(parsedListener.filterChains());
    assertThat(parsedFilterChain.filterChainMatch().applicationProtocols()).isEmpty();
    assertThat(parsedFilterChain.httpConnectionManager().rdsName()).isEqualTo("route-foo.googleapis.com");
    assertThat(parsedFilterChain.httpConnectionManager().httpFilterConfigs().get(0).filterConfig).isEqualTo(RouterFilter.ROUTER_CONFIG);
    assertThat(fakeClock.getPendingTasks(LDS_RESOURCE_FETCH_TIMEOUT_TASK_FILTER)).isEmpty();
}

Example 5 with FilterChain

use of io.grpc.xds.EnvoyServerProtoData.FilterChain in project grpc-java by grpc.

the class XdsServerWrapperTest method buildInterceptor_rds.

@Test
@SuppressWarnings("unchecked")
public void buildInterceptor_rds() throws Exception {
    final SettableFuture<Server> start = SettableFuture.create();
    Executors.newSingleThreadExecutor().execute(new Runnable() {

        @Override
        public void run() {
            try {
                start.set(xdsServerWrapper.start());
            } catch (Exception ex) {
                start.setException(ex);
            }
        }
    });
    xdsClient.ldsResource.get(5, TimeUnit.SECONDS);
    Filter filter = mock(Filter.class, withSettings().extraInterfaces(ServerInterceptorBuilder.class));
    when(filter.typeUrls()).thenReturn(new String[] { "filter-type-url" });
    filterRegistry.register(filter);
    FilterConfig f0 = mock(FilterConfig.class);
    FilterConfig f0Override = mock(FilterConfig.class);
    when(f0.typeUrl()).thenReturn("filter-type-url");
    final List<Integer> interceptorTrace = new ArrayList<>();
    ServerInterceptor interceptor0 = new ServerInterceptor() {

        @Override
        public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
            interceptorTrace.add(0);
            return next.startCall(call, headers);
        }
    };
    ServerInterceptor interceptor1 = new ServerInterceptor() {

        @Override
        public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
            interceptorTrace.add(1);
            return next.startCall(call, headers);
        }
    };
    when(((ServerInterceptorBuilder) filter).buildServerInterceptor(f0, null)).thenReturn(interceptor0);
    when(((ServerInterceptorBuilder) filter).buildServerInterceptor(f0, f0Override)).thenReturn(interceptor1);
    RouteMatch routeMatch = RouteMatch.create(PathMatcher.fromPath("/FooService/barMethod", true), Collections.<HeaderMatcher>emptyList(), null);
    HttpConnectionManager rdsHcm = HttpConnectionManager.forRdsName(0L, "r0", Arrays.asList(new NamedFilterConfig("filter-config-name-0", f0), new NamedFilterConfig("filter-config-name-1", f0)));
    EnvoyServerProtoData.FilterChain filterChain = createFilterChain("filter-chain-0", rdsHcm);
    xdsClient.deliverLdsUpdate(Collections.singletonList(filterChain), null);
    Route route = Route.forAction(routeMatch, null, ImmutableMap.<String, FilterConfig>of());
    VirtualHost virtualHost = VirtualHost.create("v1", Collections.singletonList("foo.google.com"), Arrays.asList(route), ImmutableMap.of("filter-config-name-0", f0Override));
    xdsClient.rdsCount.await(5, TimeUnit.SECONDS);
    xdsClient.deliverRdsUpdate("r0", Collections.singletonList(virtualHost));
    start.get(5000, TimeUnit.MILLISECONDS);
    verify(mockServer).start();
    assertThat(selectorManager.getSelectorToUpdateSelector().getRoutingConfigs().size()).isEqualTo(1);
    ServerInterceptor realInterceptor = selectorManager.getSelectorToUpdateSelector().getRoutingConfigs().get(filterChain).get().interceptors().get(route);
    assertThat(realInterceptor).isNotNull();
    ServerCall<Void, Void> serverCall = mock(ServerCall.class);
    ServerCallHandler<Void, Void> mockNext = mock(ServerCallHandler.class);
    final ServerCall.Listener<Void> listener = new ServerCall.Listener<Void>() {
    };
    when(mockNext.startCall(any(ServerCall.class), any(Metadata.class))).thenReturn(listener);
    realInterceptor.interceptCall(serverCall, new Metadata(), mockNext);
    assertThat(interceptorTrace).isEqualTo(Arrays.asList(1, 0));
    verify(mockNext).startCall(eq(serverCall), any(Metadata.class));
    virtualHost = VirtualHost.create("v1", Collections.singletonList("foo.google.com"), Arrays.asList(route), ImmutableMap.<String, FilterConfig>of());
    xdsClient.deliverRdsUpdate("r0", Collections.singletonList(virtualHost));
    realInterceptor = selectorManager.getSelectorToUpdateSelector().getRoutingConfigs().get(filterChain).get().interceptors().get(route);
    assertThat(realInterceptor).isNotNull();
    interceptorTrace.clear();
    realInterceptor.interceptCall(serverCall, new Metadata(), mockNext);
    assertThat(interceptorTrace).isEqualTo(Arrays.asList(0, 0));
    verify(mockNext, times(2)).startCall(eq(serverCall), any(Metadata.class));
    xdsClient.rdsWatchers.get("r0").onResourceDoesNotExist("r0");
    assertThat(selectorManager.getSelectorToUpdateSelector().getRoutingConfigs().get(filterChain).get()).isEqualTo(noopConfig);
}