
Example 1 with FilterChainMatchingHandler

use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.

the class FilterChainMatchingProtocolNegotiatorsTest method destPortFails_returnDefaultFilterChain.

/**
 * Checks the fallback to the default filter chain.
 *
 * <p>The only registered chain is built with {@code PORT} as the first match argument (the
 * destination port, going by the test name) and {@code "managed-mtls"} in one of its string
 * lists. The test expects the connection to receive the default chain's
 * {@code SslContextProviderSupplier} and the selector's default routing config instead.
 */
@Test
public void destPortFails_returnDefaultFilterChain() throws Exception {
    // Non-default chain, carrying the CERT1/VA1 TLS context.
    EnvoyServerProtoData.DownstreamTlsContext portChainTls =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
    EnvoyServerProtoData.FilterChainMatch portMatch =
        EnvoyServerProtoData.FilterChainMatch.create(
            PORT,
            ImmutableList.of(),
            ImmutableList.of("managed-mtls"),
            ImmutableList.of(),
            EnvoyServerProtoData.ConnectionSourceType.ANY,
            ImmutableList.of(),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain portChain =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-foo", portMatch, HTTP_CONNECTION_MANAGER, portChainTls, tlsContextManager);

    // Default chain, carrying a different TLS context (CERT2/VA2).
    EnvoyServerProtoData.DownstreamTlsContext fallbackTls =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
    EnvoyServerProtoData.FilterChain fallbackChain =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-bar",
            DEFAULT_FILTER_CHAIN_MATCH,
            HTTP_CONNECTION_MANAGER,
            fallbackTls,
            tlsContextManager);

    // Routing config attached to the non-default chain; it must NOT be the one selected.
    ServerRoutingConfig portChainRouting =
        ServerRoutingConfig.create(
            ImmutableList.of(createVirtualHost("virtual")),
            ImmutableMap.<Route, ServerInterceptor>of());
    AtomicReference<ServerRoutingConfig> portChainRoutingRef =
        new AtomicReference<ServerRoutingConfig>(portChainRouting);
    selectorManager.updateSelector(
        new FilterChainSelector(
            ImmutableMap.of(portChain, portChainRoutingRef),
            fallbackChain.sslContextProviderSupplier(),
            noopConfig));

    FilterChainMatchingHandler handlerUnderTest =
        new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
    ChannelHandler capturing = captureAttrHandler(sslSet, routingSettable);
    when(mockDelegate.newHandler(grpcHandler)).thenReturn(capturing);

    // presumably (local address, remote address, remote port, handler) -- confirm in setupChannel
    setupChannel(LOCAL_IP, REMOTE_IP, 15000, handlerUnderTest);
    pipeline.fireUserEventTriggered(event);
    channel.runPendingTasks();

    assertThat(sslSet.get()).isEqualTo(fallbackChain.sslContextProviderSupplier());
    assertThat(routingSettable.get()).isEqualTo(noopConfig);
    // Identity check: the connection must carry the default chain's TLS context, not the
    // certificate/validation config of the chain that was registered but not selected.
    assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(fallbackTls);
}
Also used : FilterChainSelector(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler.FilterChainSelector) ServerRoutingConfig(io.grpc.xds.XdsServerWrapper.ServerRoutingConfig) FilterChainMatchingHandler(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler) DownstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext) ChannelHandler(io.netty.channel.ChannelHandler) FilterChain(io.grpc.xds.EnvoyServerProtoData.FilterChain) Test(org.junit.Test)

Example 2 with FilterChainMatchingHandler

use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.

the class FilterChainMatchingProtocolNegotiatorsTest method sourceTypeLocal.

/**
 * Checks that a chain declared with {@code ConnectionSourceType.SAME_IP_OR_LOOPBACK} is selected
 * when the channel is set up with {@code LOCAL_IP} for both address arguments.
 *
 * <p>The selected chain's {@code SslContextProviderSupplier}, routing config and TLS context
 * must be the ones attached to the connection, not those of the default chain.
 */
@Test
public void sourceTypeLocal() throws Exception {
    ChannelHandler capturing = captureAttrHandler(sslSet, routingSettable);
    when(mockDelegate.newHandler(grpcHandler)).thenReturn(capturing);

    // Chain expected to win: restricted to same-IP/loopback sources, CERT1/VA1 TLS context.
    EnvoyServerProtoData.DownstreamTlsContext localTls =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
    EnvoyServerProtoData.FilterChainMatch localOnlyMatch =
        EnvoyServerProtoData.FilterChainMatch.create(
            0,
            ImmutableList.of(),
            ImmutableList.of(),
            ImmutableList.of(),
            EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK,
            ImmutableList.of(),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain localOnlyChain =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-foo", localOnlyMatch, HTTP_CONNECTION_MANAGER, localTls, tlsContextManager);

    // Default chain with a distinct TLS context, so a wrong selection is detectable.
    EnvoyServerProtoData.DownstreamTlsContext fallbackTls =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
    EnvoyServerProtoData.FilterChain fallbackChain =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-bar",
            DEFAULT_FILTER_CHAIN_MATCH,
            HTTP_CONNECTION_MANAGER,
            fallbackTls,
            tlsContextManager);

    selectorManager.updateSelector(
        new FilterChainSelector(
            ImmutableMap.of(localOnlyChain, noopConfig),
            fallbackChain.sslContextProviderSupplier(),
            randomConfig("default")));
    FilterChainMatchingHandler handlerUnderTest =
        new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);

    // Same address passed twice; presumably local and remote address -- confirm in setupChannel.
    setupChannel(LOCAL_IP, LOCAL_IP, 15000, handlerUnderTest);
    pipeline.fireUserEventTriggered(event);
    channel.runPendingTasks();

    assertThat(sslSet.get()).isEqualTo(localOnlyChain.sslContextProviderSupplier());
    assertThat(routingSettable.get()).isEqualTo(noopConfig);
    // Identity check on the TLS context of the chain that was expected to match.
    assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(localTls);
}
Also used : FilterChainSelector(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler.FilterChainSelector) FilterChainMatchingHandler(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler) DownstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext) ChannelHandler(io.netty.channel.ChannelHandler) FilterChain(io.grpc.xds.EnvoyServerProtoData.FilterChain) Test(org.junit.Test)

Example 3 with FilterChainMatchingHandler

use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.

the class FilterChainMatchingProtocolNegotiatorsTest method destPrefixRangeMatch.

/**
 * Checks that a chain whose first CIDR list holds {@code 10.1.2.0/24} (the destination prefix
 * range, going by the test name) is selected for the channel built from {@code LOCAL_IP} and
 * {@code REMOTE_IP}.
 *
 * <p>The default chain uses a different TLS context and a different routing config
 * ({@code randomConfig("no-match")}), so falling back to it would fail the assertions.
 */
@Test
public void destPrefixRangeMatch() throws Exception {
    // Chain expected to win, carrying the CERT1/VA1 TLS context.
    EnvoyServerProtoData.DownstreamTlsContext prefixTls =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
    EnvoyServerProtoData.FilterChainMatch prefixMatch =
        EnvoyServerProtoData.FilterChainMatch.create(
            0,
            ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 24)),
            ImmutableList.of(),
            ImmutableList.of(),
            EnvoyServerProtoData.ConnectionSourceType.ANY,
            ImmutableList.of(),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain prefixChain =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-foo", prefixMatch, HTTP_CONNECTION_MANAGER, prefixTls, tlsContextManager);

    // Default chain with a distinct TLS context (CERT2/VA2).
    EnvoyServerProtoData.DownstreamTlsContext fallbackTls =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
    EnvoyServerProtoData.FilterChain fallbackChain =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-bar",
            DEFAULT_FILTER_CHAIN_MATCH,
            HTTP_CONNECTION_MANAGER,
            fallbackTls,
            tlsContextManager);

    selectorManager.updateSelector(
        new FilterChainSelector(
            ImmutableMap.of(prefixChain, noopConfig),
            fallbackChain.sslContextProviderSupplier(),
            randomConfig("no-match")));
    FilterChainMatchingHandler handlerUnderTest =
        new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
    ChannelHandler capturing = captureAttrHandler(sslSet, routingSettable);
    when(mockDelegate.newHandler(grpcHandler)).thenReturn(capturing);

    // presumably (local address, remote address, remote port, handler) -- confirm in setupChannel
    setupChannel(LOCAL_IP, REMOTE_IP, 15000, handlerUnderTest);
    pipeline.fireUserEventTriggered(event);
    channel.runPendingTasks();

    assertThat(sslSet.get()).isEqualTo(prefixChain.sslContextProviderSupplier());
    assertThat(routingSettable.get()).isEqualTo(noopConfig);
    // Identity check on the TLS context of the chain that was expected to match.
    assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(prefixTls);
}
Also used : FilterChainSelector(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler.FilterChainSelector) FilterChainMatchingHandler(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler) DownstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext) ChannelHandler(io.netty.channel.ChannelHandler) FilterChain(io.grpc.xds.EnvoyServerProtoData.FilterChain) Test(org.junit.Test)

Example 4 with FilterChainMatchingHandler

use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.

the class FilterChainMatchingProtocolNegotiatorsTest method noFilterChainMatch_noDefaultSslContext.

/**
 * Checks the fail-closed path: with an empty filter-chain map and a {@code null} default
 * {@code SslContextProviderSupplier}, the channel must be closed once the user event has been
 * fired and pending tasks have run.
 *
 * <p>The channel is asserted to be open before the event, so the close is attributable to the
 * handler's reaction to it rather than to the channel setup.
 */
@Test
public void noFilterChainMatch_noDefaultSslContext() {
    // Selector with nothing to choose from: no chains, no default TLS supplier, empty routing ref.
    HashMap<FilterChain, AtomicReference<ServerRoutingConfig>> noChains =
        new HashMap<FilterChain, AtomicReference<ServerRoutingConfig>>();
    AtomicReference<ServerRoutingConfig> emptyRouting =
        new AtomicReference<ServerRoutingConfig>();
    selectorManager.updateSelector(new FilterChainSelector(noChains, null, emptyRouting));

    FilterChainMatchingHandler handlerUnderTest =
        new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
    setupChannel("172.168.1.1", "172.168.2.2", 90, handlerUnderTest);

    // The handler has to be installed in the pipeline for the event to reach it.
    channelHandlerCtx = pipeline.context(handlerUnderTest);
    assertThat(channelHandlerCtx).isNotNull();

    // Precondition: still open before the event is delivered.
    assertThat(channel.closeFuture().isDone()).isFalse();

    pipeline.fireUserEventTriggered(event);
    channel.runPendingTasks();

    // No chain and no default TLS supplier: the connection is closed rather than passed on.
    assertThat(channel.closeFuture().isDone()).isTrue();
}
Also used : FilterChainSelector(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler.FilterChainSelector) ServerRoutingConfig(io.grpc.xds.XdsServerWrapper.ServerRoutingConfig) FilterChainMatchingHandler(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler) HashMap(java.util.HashMap) AtomicReference(java.util.concurrent.atomic.AtomicReference) Test(org.junit.Test)

Example 5 with FilterChainMatchingHandler

use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.

the class FilterChainMatchingProtocolNegotiatorsTest method filterChain_5stepMatch.

/**
 * Create 6 filterChains:
 * <ul>
 *   <li>1st filter chain has dest port &amp; specific prefix range but is eliminated due to
 *       dest port.
 *   <li>5 advance to next step: 1 is eliminated due to being less specific than the
 *       remaining 4.
 *   <li>4 advance to 3rd step: source type external eliminates one with local source_type.
 *   <li>3 advance to 4th step: more specific 2 get picked based on source-prefix range.
 *   <li>5th step: out of 2 one with matching source port gets picked.
 * </ul>
 */
@Test
public void filterChain_5stepMatch() throws Exception {
    // One distinct TLS context per chain, so the final identity assertion pins exactly which
    // chain's certificate/validation config ended up on the connection.
    EnvoyServerProtoData.DownstreamTlsContext tlsOne =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
    EnvoyServerProtoData.DownstreamTlsContext tlsTwo =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
    EnvoyServerProtoData.DownstreamTlsContext tlsThree =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT3", "VA3");
    EnvoyServerProtoData.DownstreamTlsContext tlsFour =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT4", "VA4");
    EnvoyServerProtoData.DownstreamTlsContext tlsFive =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT5", "VA5");
    EnvoyServerProtoData.DownstreamTlsContext tlsSix =
        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT6", "VA6");

    // Chain 1: sets PORT plus a /32 range on REMOTE_IP. Intended to be eliminated in step 1.
    EnvoyServerProtoData.FilterChainMatch matchOne =
        EnvoyServerProtoData.FilterChainMatch.create(
            PORT,
            ImmutableList.of(),
            ImmutableList.of(),
            ImmutableList.of(EnvoyServerProtoData.CidrRange.create(REMOTE_IP, 32)),
            EnvoyServerProtoData.ConnectionSourceType.ANY,
            ImmutableList.of(),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain chainOne =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-1", matchOne, HTTP_CONNECTION_MANAGER, tlsOne, tlsContextManager);

    // Chains 2-6 all carry a 10.1.2.0 range in the first CIDR list: /30 for 2-5, /29 for 6.

    // Chain 2: single /30 range and a /16 range (10.4.0.0) in the second CIDR list, which is
    // less specific than the /24 used by chains 4 and 5. Intended to be eliminated in step 4.
    EnvoyServerProtoData.FilterChainMatch matchTwo =
        EnvoyServerProtoData.FilterChainMatch.create(
            0,
            ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)),
            ImmutableList.of(),
            ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.0.0", 16)),
            EnvoyServerProtoData.ConnectionSourceType.ANY,
            ImmutableList.of(),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain chainTwo =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-2", matchTwo, HTTP_CONNECTION_MANAGER, tlsTwo, tlsContextManager);

    // Chain 3: two ranges (one of them 192.168.2.0/24) and source type SAME_IP_OR_LOOPBACK.
    // Intended to be eliminated in step 3.
    EnvoyServerProtoData.FilterChainMatch matchThree =
        EnvoyServerProtoData.FilterChainMatch.create(
            0,
            ImmutableList.of(
                EnvoyServerProtoData.CidrRange.create("192.168.2.0", 24),
                EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)),
            ImmutableList.of(),
            ImmutableList.of(),
            EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK,
            ImmutableList.of(),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain chainThree =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-3", matchThree, HTTP_CONNECTION_MANAGER, tlsThree, tlsContextManager);

    // Chain 4: same first-list ranges as chain 5, source type EXTERNAL, ports 16000 and 9000
    // (neither is the 15000 passed to setupChannel). Intended to be eliminated in step 5.
    EnvoyServerProtoData.FilterChainMatch matchFour =
        EnvoyServerProtoData.FilterChainMatch.create(
            0,
            ImmutableList.of(
                EnvoyServerProtoData.CidrRange.create("10.1.0.0", 16),
                EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)),
            ImmutableList.of(),
            ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.2.0", 24)),
            EnvoyServerProtoData.ConnectionSourceType.EXTERNAL,
            ImmutableList.of(16000, 9000),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain chainFour =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-4", matchFour, HTTP_CONNECTION_MANAGER, tlsFour, tlsContextManager);

    // Chain 5: the expected winner. Note its source type is ANY (not EXTERNAL); its port list
    // holds 15000, the value passed to setupChannel below.
    EnvoyServerProtoData.FilterChainMatch matchFive =
        EnvoyServerProtoData.FilterChainMatch.create(
            0,
            ImmutableList.of(
                EnvoyServerProtoData.CidrRange.create("10.1.0.0", 16),
                EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)),
            ImmutableList.of(),
            ImmutableList.of(
                EnvoyServerProtoData.CidrRange.create("10.4.2.0", 24),
                EnvoyServerProtoData.CidrRange.create("192.168.2.0", 24)),
            EnvoyServerProtoData.ConnectionSourceType.ANY,
            ImmutableList.of(15000, 8000),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain chainFive =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-5", matchFive, HTTP_CONNECTION_MANAGER, tlsFive, tlsContextManager);

    // Chain 6: only a /29 range, less specific than the /30 of the others. Intended to be
    // eliminated in step 2.
    EnvoyServerProtoData.FilterChainMatch matchSix =
        EnvoyServerProtoData.FilterChainMatch.create(
            0,
            ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 29)),
            ImmutableList.of(),
            ImmutableList.of(),
            EnvoyServerProtoData.ConnectionSourceType.ANY,
            ImmutableList.of(),
            ImmutableList.of(),
            "");
    EnvoyServerProtoData.FilterChain chainSix =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-6", matchSix, HTTP_CONNECTION_MANAGER, tlsSix, tlsContextManager);

    // Default chain is created with a null TLS context.
    EnvoyServerProtoData.FilterChain fallbackChain =
        EnvoyServerProtoData.FilterChain.create(
            "filter-chain-7",
            DEFAULT_FILTER_CHAIN_MATCH,
            HTTP_CONNECTION_MANAGER,
            null,
            tlsContextManager);

    // Only chain 5 maps to noopConfig; every other chain (and the default) gets its own
    // randomConfig, so the routing assertion also identifies the selected chain.
    Map<FilterChain, AtomicReference<ServerRoutingConfig>> routingByChain = new HashMap<>();
    routingByChain.put(chainOne, randomConfig("1"));
    routingByChain.put(chainTwo, randomConfig("2"));
    routingByChain.put(chainThree, randomConfig("3"));
    routingByChain.put(chainFour, randomConfig("4"));
    routingByChain.put(chainFive, noopConfig);
    routingByChain.put(chainSix, randomConfig("6"));
    selectorManager.updateSelector(
        new FilterChainSelector(
            routingByChain,
            fallbackChain.sslContextProviderSupplier(),
            randomConfig("default")));

    FilterChainMatchingHandler handlerUnderTest =
        new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
    ChannelHandler capturing = captureAttrHandler(sslSet, routingSettable);
    when(mockDelegate.newHandler(grpcHandler)).thenReturn(capturing);

    // presumably (local address, remote address, remote port, handler) -- confirm in setupChannel
    setupChannel(LOCAL_IP, REMOTE_IP, 15000, handlerUnderTest);
    pipeline.fireUserEventTriggered(event);
    channel.runPendingTasks();

    assertThat(sslSet.get()).isEqualTo(chainFive.sslContextProviderSupplier());
    assertThat(routingSettable.get()).isEqualTo(noopConfig);
    // Identity check: the connection must carry chain 5's TLS context and no other chain's.
    assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(tlsFive);
}
Also used : FilterChainSelector(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler.FilterChainSelector) FilterChainMatchingHandler(io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler) HashMap(java.util.HashMap) DownstreamTlsContext(io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext) FilterChain(io.grpc.xds.EnvoyServerProtoData.FilterChain) AtomicReference(java.util.concurrent.atomic.AtomicReference) ChannelHandler(io.netty.channel.ChannelHandler) FilterChain(io.grpc.xds.EnvoyServerProtoData.FilterChain) Test(org.junit.Test)

Aggregations

FilterChainMatchingHandler (io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler)21 FilterChainSelector (io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler.FilterChainSelector)20 ChannelHandler (io.netty.channel.ChannelHandler)20 Test (org.junit.Test)20 DownstreamTlsContext (io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext)17 FilterChain (io.grpc.xds.EnvoyServerProtoData.FilterChain)17 ServerRoutingConfig (io.grpc.xds.XdsServerWrapper.ServerRoutingConfig)4 HashMap (java.util.HashMap)4 AtomicReference (java.util.concurrent.atomic.AtomicReference)4 ChannelHandlerContext (io.netty.channel.ChannelHandlerContext)3 ChannelInboundHandlerAdapter (io.netty.channel.ChannelInboundHandlerAdapter)3 InternalProtocolNegotiationEvent (io.grpc.netty.InternalProtocolNegotiationEvent)2 ProtocolNegotiationEvent (io.grpc.netty.ProtocolNegotiationEvent)2 SslContextProviderSupplier (io.grpc.xds.internal.sds.SslContextProviderSupplier)2 GrpcHttp2ConnectionHandler (io.grpc.netty.GrpcHttp2ConnectionHandler)1 ProtocolNegotiator (io.grpc.netty.InternalProtocolNegotiator.ProtocolNegotiator)1