
Example 21 with UpstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java by grpc.

Class XdsSdsClientServerTest, method plaintextServer_tlsClient_expectException.

/**
 * A TLS-configured client talking to a plaintext server must fail: the server replies in
 * the clear, the client's SSL handler cannot parse that as a TLS record, and the RPC
 * surfaces the failure as a {@link StatusRuntimeException} caused by
 * {@link NotSslRecordException}.
 */
@Test
public void plaintextServer_tlsClient_expectException() throws Exception {
    // No DownstreamTlsContext: the server speaks plaintext only.
    buildServerWithTlsContext(/* downstreamTlsContext= */ null);
    // For (non-mutual) TLS the client only needs the trust CA; no client cert is requested.
    UpstreamTlsContext clientTlsContext =
        setBootstrapInfoAndBuildUpstreamTlsContext(CLIENT_KEY_FILE, CLIENT_PEM_FILE, false);
    SimpleServiceGrpc.SimpleServiceBlockingStub stub =
        getBlockingStub(clientTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
    StatusRuntimeException thrown = null;
    try {
        unaryRpc("buddy", stub);
    } catch (StatusRuntimeException sre) {
        thrown = sre;
    }
    if (thrown == null) {
        fail("exception expected");
    }
    // The plaintext bytes from the server are rejected as "not an SSL/TLS record".
    assertThat(thrown).hasCauseThat().isInstanceOf(NotSslRecordException.class);
    assertThat(thrown).hasCauseThat().hasMessageThat().contains("not an SSL/TLS record");
}
Also used : NotSslRecordException(io.netty.handler.ssl.NotSslRecordException) UpstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext) StatusRuntimeException(io.grpc.StatusRuntimeException) SimpleServiceGrpc(io.grpc.testing.protobuf.SimpleServiceGrpc) Test(org.junit.Test)

Example 22 with UpstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java by grpc.

Class XdsSdsClientServerTest, method noClientAuth_sendBadClientCert_passes.

/**
 * A server that does not require client authentication accepts an RPC even when the client
 * presents an untrusted ("bad") certificate: the server never requests or verifies a
 * client cert, so the bad one is simply never examined. This pins the expected behaviour of
 * plain (one-way) TLS; it is not a weakness of the mTLS path.
 */
@Test
public void noClientAuth_sendBadClientCert_passes() throws Exception {
    // Server-side TLS built with all-null / false arguments — presumably no trust CA and
    // no client-cert requirement; see setBootstrapInfoAndBuildDownstreamTlsContext.
    DownstreamTlsContext serverTlsContext =
        setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, false, false);
    buildServerWithTlsContext(serverTlsContext);
    // Client is configured with the "bad" key pair.
    UpstreamTlsContext clientTlsContext =
        setBootstrapInfoAndBuildUpstreamTlsContext(BAD_CLIENT_KEY_FILE, BAD_CLIENT_PEM_FILE, true);
    SimpleServiceGrpc.SimpleServiceBlockingStub stub =
        getBlockingStub(clientTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
    String reply = unaryRpc("buddy", stub);
    assertThat(reply).isEqualTo("Hello buddy");
}
Also used : DownstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext) UpstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext) SimpleServiceGrpc(io.grpc.testing.protobuf.SimpleServiceGrpc) Test(org.junit.Test)

Example 23 with UpstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java by grpc.

Class XdsSdsClientServerTest, method mtls_badClientCert_expectException.

/**
 * An mTLS server must reject a client whose certificate is not trusted. How the rejection
 * surfaces depends on the protocol version: when the handshake itself fails the cause is an
 * {@link SSLHandshakeException} mentioning HANDSHAKE_FAILURE; under TLSv1.3 the client
 * certificate is verified only after the handshake completes, so the error is a nested
 * {@link SSLException} mentioning CERTIFICATE_REQUIRED. Either way the RPC must not succeed.
 */
@Test
public void mtls_badClientCert_expectException() throws Exception {
    UpstreamTlsContext badClientTlsContext =
        setBootstrapInfoAndBuildUpstreamTlsContext(BAD_CLIENT_KEY_FILE, BAD_CLIENT_PEM_FILE, true);
    StatusRuntimeException thrown = null;
    try {
        performMtlsTestAndGetListenerWatcher(badClientTlsContext, null, null, null, null);
        fail("exception expected");
    } catch (StatusRuntimeException sre) {
        thrown = sre;
    }
    Throwable cause = thrown.getCause();
    if (cause instanceof SSLHandshakeException) {
        // Pre-1.3 behaviour (presumably TLSv1.2): the untrusted client cert aborts the handshake.
        assertThat(thrown).hasCauseThat().isInstanceOf(SSLHandshakeException.class);
        assertThat(thrown).hasCauseThat().hasMessageThat().contains("HANDSHAKE_FAILURE");
    } else {
        // TLSv1.3 verifies the client cert after the handshake, so the failure is one level
        // deeper and reported as CERTIFICATE_REQUIRED.
        assertThat(thrown).hasCauseThat().hasCauseThat().isInstanceOf(SSLException.class);
        assertThat(thrown).hasCauseThat().hasMessageThat().contains("CERTIFICATE_REQUIRED");
    }
}
Also used : UpstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext) StatusRuntimeException(io.grpc.StatusRuntimeException) SSLException(javax.net.ssl.SSLException) SSLHandshakeException(javax.net.ssl.SSLHandshakeException) Test(org.junit.Test)

Example 24 with UpstreamTlsContext

use of io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext in project grpc-java by grpc.

Class ClusterImplLoadBalancerTest, method subtest_endpointAddressesAttachedWithTlsConfig.

/**
 * Checks that the UpstreamTlsContext carried by a ClusterImplConfig is propagated to every
 * subchannel address as an {@link SslContextProviderSupplier} attribute, that the attribute is
 * dropped when the config no longer carries a context, that it reappears for a fresh context,
 * and that the suppliers are shut down together with the load balancer.
 *
 * @param enableSecurity whether the supplier attribute is expected at all; when false every
 *     address must carry no supplier, whatever context the config holds
 */
private void subtest_endpointAddressesAttachedWithTlsConfig(boolean enableSecurity) {
    UpstreamTlsContext tlsContext =
        CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true);
    LoadBalancerProvider weightedTargetProvider = new WeightedTargetLoadBalancerProvider();
    WeightedTargetConfig weightedTargetConfig =
        buildWeightedTargetConfig(ImmutableMap.of(locality, 10));
    ClusterImplConfig config =
        clusterImplConfigWith(weightedTargetProvider, weightedTargetConfig, tlsContext);
    // One locality with two endpoints.
    EquivalentAddressGroup endpoint1 = makeAddress("endpoint-addr1", locality);
    EquivalentAddressGroup endpoint2 = makeAddress("endpoint-addr2", locality);
    deliverAddressesAndConfig(Arrays.asList(endpoint1, endpoint2), config);
    // Exactly one leaf balancer is expected for the single locality.
    assertThat(downstreamBalancers).hasSize(1);
    FakeLoadBalancer leafBalancer = Iterables.getOnlyElement(downstreamBalancers);
    assertThat(leafBalancer.name).isEqualTo("round_robin");
    // Simulate the leaf balancer creating subchannels; the attribute is attached here.
    CreateSubchannelArgs args =
        CreateSubchannelArgs.newBuilder().setAddresses(leafBalancer.addresses).build();
    Subchannel subchannel = leafBalancer.helper.createSubchannel(args);
    for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
        SslContextProviderSupplier supplier = sslSupplierOf(eag);
        if (!enableSecurity) {
            assertThat(supplier).isNull();
        } else {
            assertThat(supplier.getTlsContext()).isEqualTo(tlsContext);
        }
    }
    // Config without an UpstreamTlsContext: the attribute must disappear ...
    config = clusterImplConfigWith(weightedTargetProvider, weightedTargetConfig, null);
    deliverAddressesAndConfig(Arrays.asList(endpoint1, endpoint2), config);
    // ... while the leaf balancer itself is kept.
    assertThat(Iterables.getOnlyElement(downstreamBalancers)).isSameInstanceAs(leafBalancer);
    subchannel = leafBalancer.helper.createSubchannel(args);
    for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
        assertThat(sslSupplierOf(eag)).isNull();
    }
    // Config with a different UpstreamTlsContext: new connections pick up the new supplier.
    tlsContext =
        CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe1", true);
    config = clusterImplConfigWith(weightedTargetProvider, weightedTargetConfig, tlsContext);
    deliverAddressesAndConfig(Arrays.asList(endpoint1, endpoint2), config);
    assertThat(Iterables.getOnlyElement(downstreamBalancers)).isSameInstanceAs(leafBalancer);
    subchannel = leafBalancer.helper.createSubchannel(args);
    for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
        SslContextProviderSupplier supplier = sslSupplierOf(eag);
        if (!enableSecurity) {
            assertThat(supplier).isNull();
        } else {
            assertThat(supplier.isShutdown()).isFalse();
            assertThat(supplier.getTlsContext()).isEqualTo(tlsContext);
        }
    }
    // Shutting down the balancer must also shut down the suppliers it handed out.
    loadBalancer.shutdown();
    for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
        if (enableSecurity) {
            assertThat(sslSupplierOf(eag).isShutdown()).isTrue();
        }
    }
    loadBalancer = null;
}

/**
 * Builds a ClusterImplConfig for the test cluster with the given child policy and
 * (possibly null) UpstreamTlsContext; all other fields use the test constants.
 */
private ClusterImplConfig clusterImplConfigWith(
        LoadBalancerProvider childProvider, WeightedTargetConfig childConfig,
        UpstreamTlsContext tlsContext) {
    return new ClusterImplConfig(CLUSTER, EDS_SERVICE_NAME, LRS_SERVER_INFO, null,
        Collections.<DropOverload>emptyList(), new PolicySelection(childProvider, childConfig),
        tlsContext);
}

/** Reads the SSL-context-provider supplier attribute attached to an address group, or null. */
private static SslContextProviderSupplier sslSupplierOf(EquivalentAddressGroup eag) {
    return eag.getAttributes().get(InternalXdsAttributes.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER);
}
Also used : CreateSubchannelArgs(io.grpc.LoadBalancer.CreateSubchannelArgs) EquivalentAddressGroup(io.grpc.EquivalentAddressGroup) Subchannel(io.grpc.LoadBalancer.Subchannel) UpstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext) LoadBalancerProvider(io.grpc.LoadBalancerProvider) DropOverload(io.grpc.xds.Endpoints.DropOverload) WeightedTargetConfig(io.grpc.xds.WeightedTargetLoadBalancerProvider.WeightedTargetConfig) WeightedPolicySelection(io.grpc.xds.WeightedTargetLoadBalancerProvider.WeightedPolicySelection) PolicySelection(io.grpc.internal.ServiceConfigUtil.PolicySelection) ClusterImplConfig(io.grpc.xds.ClusterImplLoadBalancerProvider.ClusterImplConfig) SslContextProviderSupplier(io.grpc.xds.internal.sds.SslContextProviderSupplier)
