the class ClientXdsClient method parseNonAggregateCluster.
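/**
 * Parses a non-aggregate {@code Cluster} (discovery type EDS or LOGICAL_DNS) into a
 * {@link CdsUpdate} builder.
 *
 * <p>Cluster-wide settings are validated first (LRS server, circuit-breaker thresholds, upstream
 * TLS transport socket), then the discovery-type-specific fields. Validation is fail-fast: the
 * first problem found is returned as an error and the remaining fields are not inspected, so
 * {@code edsResources} is only modified when every preceding check passed.
 *
 * @param cluster the CDS resource to parse
 * @param edsResources mutable set of EDS resource names; for an EDS cluster the configured
 *     service name (or the cluster name when no service name is set) is added as a side effect
 * @param certProviderInstances certificate-provider instance names available from the
 *     bootstrap, used to validate the upstream TLS context
 * @param serverInfo the management server this cluster was received from; used as the LRS
 *     server when the cluster asks for load reporting to "self"
 * @return the parsed update wrapped in {@link StructOrError}, or an error describing the first
 *     validation failure
 */
private static StructOrError<CdsUpdate.Builder> parseNonAggregateCluster(
    Cluster cluster, Set<String> edsResources, Set<String> certProviderInstances,
    ServerInfo serverInfo) {
  String clusterName = cluster.getName();
  ServerInfo lrsServerInfo = null;
  Long maxConcurrentRequests = null;
  UpstreamTlsContext upstreamTlsContext = null;

  if (cluster.hasLrsServer()) {
    // Load reporting is only supported against the same server that serves xDS.
    if (!cluster.getLrsServer().hasSelf()) {
      return StructOrError.fromError(
          "Cluster " + clusterName + ": only support LRS for the same management server");
    }
    lrsServerInfo = serverInfo;
  }

  if (cluster.hasCircuitBreakers()) {
    // Only thresholds for the DEFAULT routing priority are honored; if several DEFAULT entries
    // carry max_requests, the last one wins.
    for (Thresholds threshold : cluster.getCircuitBreakers().getThresholdsList()) {
      if (threshold.getPriority() != RoutingPriority.DEFAULT) {
        continue;
      }
      if (threshold.hasMaxRequests()) {
        // max_requests is a proto uint32. The Java accessor returns it as a signed int, so a
        // plain (long) cast would turn any value >= 2^31 into a negative limit.
        maxConcurrentRequests = Integer.toUnsignedLong(threshold.getMaxRequests().getValue());
      }
    }
  }

  if (cluster.getTransportSocketMatchesCount() > 0) {
    return StructOrError.fromError(
        "Cluster " + clusterName + ": transport-socket-matches not supported.");
  }
  if (cluster.hasTransportSocket()) {
    // Only the TLS transport socket is understood; any other name is rejected rather than
    // silently ignored, so a misconfigured cluster never falls back to plaintext.
    String transportSocketName = cluster.getTransportSocket().getName();
    if (!TRANSPORT_SOCKET_NAME_TLS.equals(transportSocketName)) {
      return StructOrError.fromError(
          "transport-socket with name " + transportSocketName + " not supported.");
    }
    try {
      // Unpack the typed_config (v3 or the compatible v2 type URL), validate it against the
      // bootstrap's certificate providers, then convert to the internal representation.
      upstreamTlsContext = UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(
          validateUpstreamTlsContext(
              unpackCompatibleType(
                  cluster.getTransportSocket().getTypedConfig(),
                  io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext.class,
                  TYPE_URL_UPSTREAM_TLS_CONTEXT,
                  TYPE_URL_UPSTREAM_TLS_CONTEXT_V2),
              certProviderInstances));
    } catch (InvalidProtocolBufferException | ResourceInvalidException e) {
      return StructOrError.fromError(
          "Cluster " + clusterName + ": malformed UpstreamTlsContext: " + e);
    }
  }

  DiscoveryType type = cluster.getType();
  if (type == DiscoveryType.EDS) {
    String edsServiceName = null;
    io.envoyproxy.envoy.config.cluster.v3.Cluster.EdsClusterConfig edsClusterConfig =
        cluster.getEdsClusterConfig();
    if (!edsClusterConfig.getEdsConfig().hasAds() && !edsClusterConfig.getEdsConfig().hasSelf()) {
      return StructOrError.fromError(
          "Cluster " + clusterName + ": field eds_cluster_config must be set to indicate to use"
              + " EDS over ADS or self ConfigSource");
    }
    // If the service_name field is set, that value is used for the EDS request; otherwise the
    // cluster name itself is the EDS resource name.
    if (!edsClusterConfig.getServiceName().isEmpty()) {
      edsServiceName = edsClusterConfig.getServiceName();
      edsResources.add(edsServiceName);
    } else {
      edsResources.add(clusterName);
    }
    return StructOrError.fromStruct(CdsUpdate.forEds(
        clusterName, edsServiceName, lrsServerInfo, maxConcurrentRequests, upstreamTlsContext));
  } else if (type == DiscoveryType.LOGICAL_DNS) {
    if (!cluster.hasLoadAssignment()) {
      return StructOrError.fromError(
          "Cluster " + clusterName + ": LOGICAL_DNS clusters must have a single host");
    }
    ClusterLoadAssignment assignment = cluster.getLoadAssignment();
    if (assignment.getEndpointsCount() != 1
        || assignment.getEndpoints(0).getLbEndpointsCount() != 1) {
      return StructOrError.fromError(
          "Cluster " + clusterName + ": LOGICAL_DNS clusters must have a single "
              + "locality_lb_endpoint and a single lb_endpoint");
    }
    io.envoyproxy.envoy.config.endpoint.v3.LbEndpoint lbEndpoint =
        assignment.getEndpoints(0).getLbEndpoints(0);
    if (!lbEndpoint.hasEndpoint()
        || !lbEndpoint.getEndpoint().hasAddress()
        || !lbEndpoint.getEndpoint().getAddress().hasSocketAddress()) {
      return StructOrError.fromError(
          "Cluster " + clusterName
              + ": LOGICAL_DNS clusters must have an endpoint with address and socket_address");
    }
    SocketAddress socketAddress = lbEndpoint.getEndpoint().getAddress().getSocketAddress();
    if (!socketAddress.getResolverName().isEmpty()) {
      return StructOrError.fromError(
          "Cluster " + clusterName
              + ": LOGICAL DNS clusters must NOT have a custom resolver name set");
    }
    if (socketAddress.getPortSpecifierCase() != PortSpecifierCase.PORT_VALUE) {
      return StructOrError.fromError(
          "Cluster " + clusterName + ": LOGICAL DNS clusters socket_address must have port_value");
    }
    // NOTE(review): an IPv6 literal address is not bracketed here ("::1:443"); confirm the DNS
    // resolver that consumes this string handles that form.
    String dnsHostName =
        String.format("%s:%d", socketAddress.getAddress(), socketAddress.getPortValue());
    return StructOrError.fromStruct(CdsUpdate.forLogicalDns(
        clusterName, dnsHostName, lrsServerInfo, maxConcurrentRequests, upstreamTlsContext));
  }
  return StructOrError.fromError(
      "Cluster " + clusterName + ": unsupported built-in discovery type: " + type);
}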
the class XdsSdsClientServerTest method requireClientAuth_noClientCert_expectException.
/**
 * Server demands a client certificate but the client presents none, so the RPC must fail with
 * a TLS error. The exact failure depends on the negotiated protocol: for TLSv1.3 the client
 * certificate is checked after the handshake, otherwise the handshake itself fails.
 */
@Test
public void requireClientAuth_noClientCert_expectException() throws Exception {
  DownstreamTlsContext serverTlsContext =
      setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, true, true);
  buildServerWithTlsContext(serverTlsContext);
  // Client side is plain TLS (mTLS flag false): only the trust CA is used, no client cert.
  UpstreamTlsContext clientTlsContext =
      setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, false);
  SimpleServiceGrpc.SimpleServiceBlockingStub stub =
      getBlockingStub(clientTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);

  StatusRuntimeException failure = null;
  try {
    unaryRpc(/* requestMessage= */ "buddy", stub);
  } catch (StatusRuntimeException sre) {
    failure = sre;
  }
  if (failure == null) {
    fail("exception expected");
  }

  if (failure.getCause() instanceof SSLHandshakeException) {
    // Pre-1.3 behaviour (presumably TLSv1.2): the missing certificate aborts the handshake.
    assertThat(failure).hasCauseThat().isInstanceOf(SSLHandshakeException.class);
    assertThat(failure).hasCauseThat().hasMessageThat().contains("HANDSHAKE_FAILURE");
  } else {
    // TLSv1.3: client cert verification happens after the handshake and surfaces as a nested
    // SSLException.
    assertThat(failure).hasCauseThat().hasCauseThat().isInstanceOf(SSLException.class);
    assertThat(failure).hasCauseThat().hasMessageThat().contains("CERTIFICATE_REQUIRED");
  }
}
the class XdsSdsClientServerTest method mtlsClientServer_changeServerContext_expectException.
/**
 * mTLS with client auth enabled; the server listener is then updated to certificates the client
 * does not trust, and a subsequent RPC must fail during the TLS handshake.
 */
@Test
public void mtlsClientServer_changeServerContext_expectException() throws Exception {
  UpstreamTlsContext clientTlsContext =
      setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, true);
  // Run the baseline mTLS exchange; the returned listener watcher is not needed afterwards.
  performMtlsTestAndGetListenerWatcher(
      clientTlsContext,
      "cert-instance-name2",
      BAD_SERVER_KEY_FILE,
      BAD_SERVER_PEM_FILE,
      CA_PEM_FILE);

  // Swap the server's certificates for the untrusted "cert-instance-name2" provider via LDS.
  DownstreamTlsContext untrustedServerContext =
      CommonTlsContextTestsUtil.buildDownstreamTlsContext("cert-instance-name2", true, true);
  EnvoyServerProtoData.Listener updatedListener =
      buildListener("listener1", "0.0.0.0", untrustedServerContext, tlsContextManagerForServer);
  xdsClient.deliverLdsUpdate(LdsUpdate.forTcpListener(updatedListener));

  StatusRuntimeException failure = null;
  try {
    SimpleServiceGrpc.SimpleServiceBlockingStub stub =
        getBlockingStub(clientTlsContext, OVERRIDE_AUTHORITY);
    assertThat(unaryRpc("buddy", stub)).isEqualTo("Hello buddy");
  } catch (StatusRuntimeException sre) {
    failure = sre;
  }
  if (failure == null) {
    fail("exception expected");
  }
  assertThat(failure).hasCauseThat().isInstanceOf(SSLHandshakeException.class);
  assertThat(failure).hasCauseThat().hasMessageThat().isEqualTo("General OpenSslEngine problem");
}
the class XdsSdsClientServerTest method tlsClientServer_noClientAuthentication.
/**
 * Plain TLS channel (server does not request a client certificate); the RPC must succeed.
 */
@Test
public void tlsClientServer_noClientAuthentication() throws Exception {
  DownstreamTlsContext serverTlsContext =
      setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, false, false);
  buildServerWithTlsContext(serverTlsContext);
  // Client side is plain TLS (mTLS flag false): only the trust CA is consulted.
  UpstreamTlsContext clientTlsContext =
      setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, false);
  SimpleServiceGrpc.SimpleServiceBlockingStub stub =
      getBlockingStub(clientTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
  String reply = unaryRpc(/* requestMessage= */ "buddy", stub);
  assertThat(reply).isEqualTo("Hello buddy");
}
the class XdsSdsClientServerTest method mtlsClientServer_withClientAuthentication_withXdsChannelCreds.
/**
 * mTLS with client auth enabled, exercised through the {@link XdsChannelCredentials} API.
 * The shared mTLS helper performs the exchange and its assertions.
 */
@Test
public void mtlsClientServer_withClientAuthentication_withXdsChannelCreds() throws Exception {
  UpstreamTlsContext clientTlsContext =
      setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, true);
  // No alternate cert provider or server key/cert overrides: defaults from the helper apply.
  performMtlsTestAndGetListenerWatcher(clientTlsContext, null, null, null, null);
}