
Example 16 with UpstreamTlsContext

Use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java (by grpc).

From class ClientXdsClient, method parseNonAggregateCluster.

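/**
 * Converts a non-aggregate CDS {@code Cluster} resource into a {@link CdsUpdate} builder, or
 * returns an error string describing why the resource was rejected.
 *
 * <p>Parsing is fail-closed: an unsupported field (LRS pointed at a foreign server,
 * {@code transport_socket_matches}, a non-TLS transport socket, an unknown discovery type) or a
 * malformed / invalid {@code UpstreamTlsContext} rejects the whole cluster instead of being
 * ignored, so a bad control-plane resource can never silently downgrade transport security.
 *
 * @param cluster the CDS resource to validate
 * @param edsResources receives the EDS resource name this cluster depends on (EDS type only)
 * @param certProviderInstances certificate-provider instance names from the bootstrap; the
 *     cluster's UpstreamTlsContext is validated against them
 * @param serverInfo the management server this cluster came from; becomes the LRS server when
 *     the cluster asks to report load to "self"
 * @return the parsed update, or an error string; never {@code null}
 */
private static StructOrError<CdsUpdate.Builder> parseNonAggregateCluster(Cluster cluster, Set<String> edsResources, Set<String> certProviderInstances, ServerInfo serverInfo) {
    final String clusterName = cluster.getName();

    // Load reporting: only the management server that delivered this cluster may receive LRS.
    ServerInfo lrsServerInfo = null;
    if (cluster.hasLrsServer()) {
        if (!cluster.getLrsServer().hasSelf()) {
            return StructOrError.fromError("Cluster " + clusterName + ": only support LRS for the same management server");
        }
        lrsServerInfo = serverInfo;
    }

    // Circuit breaking: only max_requests of the DEFAULT priority is honored. When several
    // DEFAULT thresholds are present, the last one carrying max_requests wins.
    Long maxConcurrentRequests = null;
    if (cluster.hasCircuitBreakers()) {
        for (Thresholds threshold : cluster.getCircuitBreakers().getThresholdsList()) {
            if (threshold.getPriority() == RoutingPriority.DEFAULT && threshold.hasMaxRequests()) {
                // max_requests is a uint32; getValue() returns its bits in a signed int, so a
                // plain (long) cast would sign-extend values >= 2^31 into a negative limit.
                maxConcurrentRequests = Integer.toUnsignedLong(threshold.getMaxRequests().getValue());
            }
        }
    }

    if (cluster.getTransportSocketMatchesCount() > 0) {
        return StructOrError.fromError("Cluster " + clusterName + ": transport-socket-matches not supported.");
    }

    // Transport security: only the TLS transport socket is accepted. Its typed config is
    // unpacked (v3 or v2 type URL), validated against the bootstrap's cert provider instances
    // and converted; any failure rejects the cluster rather than falling back to plaintext.
    UpstreamTlsContext upstreamTlsContext = null;
    if (cluster.hasTransportSocket()) {
        String socketName = cluster.getTransportSocket().getName();
        if (!TRANSPORT_SOCKET_NAME_TLS.equals(socketName)) {
            // NOTE(review): unlike the other errors here this message carries no
            // "Cluster <name>:" prefix; kept as-is in case callers/tests match on it.
            return StructOrError.fromError("transport-socket with name " + socketName + " not supported.");
        }
        try {
            io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext rawTlsContext = unpackCompatibleType(cluster.getTransportSocket().getTypedConfig(), io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext.class, TYPE_URL_UPSTREAM_TLS_CONTEXT, TYPE_URL_UPSTREAM_TLS_CONTEXT_V2);
            upstreamTlsContext = UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(validateUpstreamTlsContext(rawTlsContext, certProviderInstances));
        } catch (InvalidProtocolBufferException | ResourceInvalidException e) {
            return StructOrError.fromError("Cluster " + clusterName + ": malformed UpstreamTlsContext: " + e);
        }
    }

    DiscoveryType type = cluster.getType();
    switch (type) {
        case EDS: {
            Cluster.EdsClusterConfig edsClusterConfig = cluster.getEdsClusterConfig();
            if (!edsClusterConfig.getEdsConfig().hasAds() && !edsClusterConfig.getEdsConfig().hasSelf()) {
                return StructOrError.fromError("Cluster " + clusterName + ": field eds_cluster_config must be set to indicate to use EDS over ADS or self ConfigSource");
            }
            // service_name, when set, names the EDS resource to request; otherwise the cluster
            // name is used. Only the name actually requested is recorded in edsResources.
            String edsServiceName = edsClusterConfig.getServiceName().isEmpty() ? null : edsClusterConfig.getServiceName();
            edsResources.add(edsServiceName == null ? clusterName : edsServiceName);
            return StructOrError.fromStruct(CdsUpdate.forEds(clusterName, edsServiceName, lrsServerInfo, maxConcurrentRequests, upstreamTlsContext));
        }
        case LOGICAL_DNS: {
            if (!cluster.hasLoadAssignment()) {
                return StructOrError.fromError("Cluster " + clusterName + ": LOGICAL_DNS clusters must have a single host");
            }
            ClusterLoadAssignment assignment = cluster.getLoadAssignment();
            // Short-circuit keeps getEndpoints(0) from being reached when the list is empty.
            boolean singleEndpoint = assignment.getEndpointsCount() == 1 && assignment.getEndpoints(0).getLbEndpointsCount() == 1;
            if (!singleEndpoint) {
                return StructOrError.fromError("Cluster " + clusterName + ": LOGICAL_DNS clusters must have a single locality_lb_endpoint and a single lb_endpoint");
            }
            io.envoyproxy.envoy.config.endpoint.v3.LbEndpoint lbEndpoint = assignment.getEndpoints(0).getLbEndpoints(0);
            boolean hasSocketAddress = lbEndpoint.hasEndpoint() && lbEndpoint.getEndpoint().hasAddress() && lbEndpoint.getEndpoint().getAddress().hasSocketAddress();
            if (!hasSocketAddress) {
                return StructOrError.fromError("Cluster " + clusterName + ": LOGICAL_DNS clusters must have an endpoint with address and socket_address");
            }
            SocketAddress socketAddress = lbEndpoint.getEndpoint().getAddress().getSocketAddress();
            if (!socketAddress.getResolverName().isEmpty()) {
                return StructOrError.fromError("Cluster " + clusterName + ": LOGICAL DNS clusters must NOT have a custom resolver name set");
            }
            if (socketAddress.getPortSpecifierCase() != PortSpecifierCase.PORT_VALUE) {
                return StructOrError.fromError("Cluster " + clusterName + ": LOGICAL DNS clusters socket_address must have port_value");
            }
            // NOTE(review): an IPv6 literal in `address` is emitted without brackets here
            // ("::1:443"); confirm the DNS resolver that consumes this string accepts that form.
            String dnsHostName = String.format("%s:%d", socketAddress.getAddress(), socketAddress.getPortValue());
            return StructOrError.fromStruct(CdsUpdate.forLogicalDns(clusterName, dnsHostName, lrsServerInfo, maxConcurrentRequests, upstreamTlsContext));
        }
        default:
            return StructOrError.fromError("Cluster " + clusterName + ": unsupported built-in discovery type: " + type);
    }
}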

Example 17 with UpstreamTlsContext

Use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java (by grpc).

From class XdsSdsClientServerTest, method requireClientAuth_noClientCert_expectException.

/**
 * Server requires a client certificate but the client presents none: the RPC must fail at the
 * TLS layer. The failure can surface in two shapes (see the branches below), so both are
 * accepted; anything else fails the assertions.
 */
@Test
public void requireClientAuth_noClientCert_expectException() throws Exception {
    // Server side built with the trailing flags both true (client auth required).
    DownstreamTlsContext serverTlsContext = setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, true, true);
    buildServerWithTlsContext(serverTlsContext);
    // Client side: plain TLS (third argument false) - the client only uses the trust CA, so no
    // client certificate is sent even though key/cert file names are passed in.
    UpstreamTlsContext clientTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, false);
    SimpleServiceGrpc.SimpleServiceBlockingStub stub = getBlockingStub(clientTlsContext, OVERRIDE_AUTHORITY);
    try {
        unaryRpc("buddy", stub);
        fail("exception expected");
    } catch (StatusRuntimeException sre) {
        Throwable cause = sre.getCause();
        if (cause instanceof SSLHandshakeException) {
            // Handshake itself was aborted because no certificate was offered.
            assertThat(sre).hasCauseThat().isInstanceOf(SSLHandshakeException.class);
            assertThat(sre).hasCauseThat().hasMessageThat().contains("HANDSHAKE_FAILURE");
        } else {
            // TLSv1.3 verifies the client certificate after the handshake, so the alert is
            // reported one level deeper in the cause chain.
            assertThat(sre).hasCauseThat().hasCauseThat().isInstanceOf(SSLException.class);
            assertThat(sre).hasCauseThat().hasMessageThat().contains("CERTIFICATE_REQUIRED");
        }
    }
}

Example 18 with UpstreamTlsContext

Use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java (by grpc).

From class XdsSdsClientServerTest, method mtlsClientServer_changeServerContext_expectException.

/**
 * mTLS with client auth enabled; the server's listener is then switched to a certificate
 * instance the client does not trust, and the next RPC must fail the TLS handshake.
 */
@Test
public void mtlsClientServer_changeServerContext_expectException() throws Exception {
    UpstreamTlsContext clientTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, true);
    // First round of mTLS; "cert-instance-name2" is presumably registered here with the BAD
    // server key/cert so it can be referenced by the updated listener below.
    performMtlsTestAndGetListenerWatcher(clientTlsContext, "cert-instance-name2", BAD_SERVER_KEY_FILE, BAD_SERVER_PEM_FILE, CA_PEM_FILE);
    // Deliver a listener update pointing the server at the untrusted cert instance.
    DownstreamTlsContext untrustedServerContext = CommonTlsContextTestsUtil.buildDownstreamTlsContext("cert-instance-name2", true, true);
    EnvoyServerProtoData.Listener updatedListener = buildListener("listener1", "0.0.0.0", untrustedServerContext, tlsContextManagerForServer);
    xdsClient.deliverLdsUpdate(LdsUpdate.forTcpListener(updatedListener));
    try {
        SimpleServiceGrpc.SimpleServiceBlockingStub stub = getBlockingStub(clientTlsContext, OVERRIDE_AUTHORITY);
        // A reply here would mean the client accepted a server cert it should not trust.
        assertThat(unaryRpc("buddy", stub)).isEqualTo("Hello buddy");
        fail("exception expected");
    } catch (StatusRuntimeException sre) {
        assertThat(sre).hasCauseThat().isInstanceOf(SSLHandshakeException.class);
        // NOTE(review): this exact text is produced by the OpenSSL-backed engine and is
        // provider-specific; it will need updating if the TLS provider changes.
        assertThat(sre).hasCauseThat().hasMessageThat().isEqualTo("General OpenSslEngine problem");
    }
}

Example 19 with UpstreamTlsContext

Use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java (by grpc).

From class XdsSdsClientServerTest, method tlsClientServer_noClientAuthentication.

/**
 * Plain TLS channel (no mTLS): the server does not require a client certificate and a unary RPC
 * succeeds with the client trusting the CA only.
 */
@Test
public void tlsClientServer_noClientAuthentication() throws Exception {
    // Server side built with the trailing flags both false (contrast with the
    // require-client-auth test, which passes true, true).
    DownstreamTlsContext serverTlsContext = setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, false, false);
    buildServerWithTlsContext(serverTlsContext);
    // Client side: TLS only (third argument false) - the client only needs the trust CA.
    UpstreamTlsContext clientTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, false);
    SimpleServiceGrpc.SimpleServiceBlockingStub stub = getBlockingStub(clientTlsContext, OVERRIDE_AUTHORITY);
    String reply = unaryRpc("buddy", stub);
    assertThat(reply).isEqualTo("Hello buddy");
}

Example 20 with UpstreamTlsContext

Use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java (by grpc).

From class XdsSdsClientServerTest, method mtlsClientServer_withClientAuthentication_withXdsChannelCreds.

/**
 * mTLS with client auth enabled, exercised through the {@link XdsChannelCredentials} API.
 * Delegates to the shared mTLS helper with its four trailing cert arguments left null.
 */
@Test
public void mtlsClientServer_withClientAuthentication_withXdsChannelCreds() throws Exception {
    performMtlsTestAndGetListenerWatcher(setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, true), null, null, null, null);
}
