use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.
the class FilterChainMatchingProtocolNegotiatorsTest method destPortFails_returnDefaultFilterChain.
@Test
public void destPortFails_returnDefaultFilterChain() throws Exception {
EnvoyServerProtoData.DownstreamTlsContext tlsContextWithDestPort = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
EnvoyServerProtoData.FilterChainMatch filterChainMatchWithDestPort = EnvoyServerProtoData.FilterChainMatch.create(PORT, ImmutableList.of(), ImmutableList.of("managed-mtls"), ImmutableList.of(), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChainWithDestPort = EnvoyServerProtoData.FilterChain.create("filter-chain-foo", filterChainMatchWithDestPort, HTTP_CONNECTION_MANAGER, tlsContextWithDestPort, tlsContextManager);
EnvoyServerProtoData.DownstreamTlsContext tlsContextForDefaultFilterChain = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
EnvoyServerProtoData.FilterChain defaultFilterChain = EnvoyServerProtoData.FilterChain.create("filter-chain-bar", DEFAULT_FILTER_CHAIN_MATCH, HTTP_CONNECTION_MANAGER, tlsContextForDefaultFilterChain, tlsContextManager);
ServerRoutingConfig routingConfig = ServerRoutingConfig.create(ImmutableList.of(createVirtualHost("virtual")), ImmutableMap.<Route, ServerInterceptor>of());
selectorManager.updateSelector(new FilterChainSelector(ImmutableMap.of(filterChainWithDestPort, new AtomicReference<ServerRoutingConfig>(routingConfig)), defaultFilterChain.sslContextProviderSupplier(), noopConfig));
FilterChainMatchingHandler filterChainMatchingHandler = new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
ChannelHandler next = captureAttrHandler(sslSet, routingSettable);
when(mockDelegate.newHandler(grpcHandler)).thenReturn(next);
setupChannel(LOCAL_IP, REMOTE_IP, 15000, filterChainMatchingHandler);
pipeline.fireUserEventTriggered(event);
channel.runPendingTasks();
assertThat(sslSet.get()).isEqualTo(defaultFilterChain.sslContextProviderSupplier());
assertThat(routingSettable.get()).isEqualTo(noopConfig);
assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(tlsContextForDefaultFilterChain);
}
use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.
the class FilterChainMatchingProtocolNegotiatorsTest method sourceTypeLocal.
@Test
public void sourceTypeLocal() throws Exception {
ChannelHandler next = captureAttrHandler(sslSet, routingSettable);
when(mockDelegate.newHandler(grpcHandler)).thenReturn(next);
EnvoyServerProtoData.DownstreamTlsContext tlsContextMatch = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
EnvoyServerProtoData.FilterChainMatch filterChainMatchWithMatch = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(), ImmutableList.of(), ImmutableList.of(), EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK, ImmutableList.of(), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChainWithMatch = EnvoyServerProtoData.FilterChain.create("filter-chain-foo", filterChainMatchWithMatch, HTTP_CONNECTION_MANAGER, tlsContextMatch, tlsContextManager);
EnvoyServerProtoData.DownstreamTlsContext tlsContextForDefaultFilterChain = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
EnvoyServerProtoData.FilterChain defaultFilterChain = EnvoyServerProtoData.FilterChain.create("filter-chain-bar", DEFAULT_FILTER_CHAIN_MATCH, HTTP_CONNECTION_MANAGER, tlsContextForDefaultFilterChain, tlsContextManager);
selectorManager.updateSelector(new FilterChainSelector(ImmutableMap.of(filterChainWithMatch, noopConfig), defaultFilterChain.sslContextProviderSupplier(), randomConfig("default")));
FilterChainMatchingHandler filterChainMatchingHandler = new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
setupChannel(LOCAL_IP, LOCAL_IP, 15000, filterChainMatchingHandler);
pipeline.fireUserEventTriggered(event);
channel.runPendingTasks();
assertThat(sslSet.get()).isEqualTo(filterChainWithMatch.sslContextProviderSupplier());
assertThat(routingSettable.get()).isEqualTo(noopConfig);
assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(tlsContextMatch);
}
use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.
the class FilterChainMatchingProtocolNegotiatorsTest method destPrefixRangeMatch.
@Test
public void destPrefixRangeMatch() throws Exception {
EnvoyServerProtoData.DownstreamTlsContext tlsContextMatch = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
EnvoyServerProtoData.FilterChainMatch filterChainMatchWithMatch = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 24)), ImmutableList.of(), ImmutableList.of(), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChainWithMatch = EnvoyServerProtoData.FilterChain.create("filter-chain-foo", filterChainMatchWithMatch, HTTP_CONNECTION_MANAGER, tlsContextMatch, tlsContextManager);
EnvoyServerProtoData.DownstreamTlsContext tlsContextForDefaultFilterChain = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
EnvoyServerProtoData.FilterChain defaultFilterChain = EnvoyServerProtoData.FilterChain.create("filter-chain-bar", DEFAULT_FILTER_CHAIN_MATCH, HTTP_CONNECTION_MANAGER, tlsContextForDefaultFilterChain, tlsContextManager);
selectorManager.updateSelector(new FilterChainSelector(ImmutableMap.of(filterChainWithMatch, noopConfig), defaultFilterChain.sslContextProviderSupplier(), randomConfig("no-match")));
FilterChainMatchingHandler filterChainMatchingHandler = new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
ChannelHandler next = captureAttrHandler(sslSet, routingSettable);
when(mockDelegate.newHandler(grpcHandler)).thenReturn(next);
setupChannel(LOCAL_IP, REMOTE_IP, 15000, filterChainMatchingHandler);
pipeline.fireUserEventTriggered(event);
channel.runPendingTasks();
assertThat(sslSet.get()).isEqualTo(filterChainWithMatch.sslContextProviderSupplier());
assertThat(routingSettable.get()).isEqualTo(noopConfig);
assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(tlsContextMatch);
}
use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.
the class FilterChainMatchingProtocolNegotiatorsTest method noFilterChainMatch_noDefaultSslContext.
@Test
public void noFilterChainMatch_noDefaultSslContext() {
selectorManager.updateSelector(new FilterChainSelector(new HashMap<FilterChain, AtomicReference<ServerRoutingConfig>>(), null, new AtomicReference<ServerRoutingConfig>()));
FilterChainMatchingHandler filterChainMatchingHandler = new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
setupChannel("172.168.1.1", "172.168.2.2", 90, filterChainMatchingHandler);
channelHandlerCtx = pipeline.context(filterChainMatchingHandler);
assertThat(channelHandlerCtx).isNotNull();
assertThat(channel.closeFuture().isDone()).isFalse();
pipeline.fireUserEventTriggered(event);
channel.runPendingTasks();
assertThat(channel.closeFuture().isDone()).isTrue();
}
use of io.grpc.xds.FilterChainMatchingProtocolNegotiators.FilterChainMatchingHandler in project grpc-java by grpc.
the class FilterChainMatchingProtocolNegotiatorsTest method filterChain_5stepMatch.
/**
* Create 6 filterChains: - 1st filter chain has dest port & specific prefix range but is
* eliminated due to dest port - 5 advance to next step: 1 is eliminated due to being less
* specific than the remaining 4. - 4 advance to 3rd step: source type external eliminates one
* with local source_type. - 3 advance to 4th step: more specific 2 get picked based on
* source-prefix range. - 5th step: out of 2 one with matching source port gets picked
*/
@Test
public void filterChain_5stepMatch() throws Exception {
EnvoyServerProtoData.DownstreamTlsContext tlsContext1 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
EnvoyServerProtoData.DownstreamTlsContext tlsContext2 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
EnvoyServerProtoData.DownstreamTlsContext tlsContext3 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT3", "VA3");
EnvoyServerProtoData.DownstreamTlsContext tlsContext4 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT4", "VA4");
EnvoyServerProtoData.DownstreamTlsContext tlsContext5 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT5", "VA5");
EnvoyServerProtoData.DownstreamTlsContext tlsContext6 = CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT6", "VA6");
// has dest port and specific prefix ranges: gets eliminated in step 1
EnvoyServerProtoData.FilterChainMatch filterChainMatch1 = EnvoyServerProtoData.FilterChainMatch.create(PORT, ImmutableList.of(), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create(REMOTE_IP, 32)), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChain1 = EnvoyServerProtoData.FilterChain.create("filter-chain-1", filterChainMatch1, HTTP_CONNECTION_MANAGER, tlsContext1, tlsContextManager);
// next 5 use prefix range: 4 with prefixLen of 30 and last one with 29
// has single prefix range: and less specific source prefix range: gets eliminated in step 4
EnvoyServerProtoData.FilterChainMatch filterChainMatch2 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.0.0", 16)), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChain2 = EnvoyServerProtoData.FilterChain.create("filter-chain-2", filterChainMatch2, HTTP_CONNECTION_MANAGER, tlsContext2, tlsContextManager);
// has prefix ranges with one not matching and source type local: gets eliminated in step 3
EnvoyServerProtoData.FilterChainMatch filterChainMatch3 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("192.168.2.0", 24), EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(), EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK, ImmutableList.of(), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChain3 = EnvoyServerProtoData.FilterChain.create("filter-chain-3", filterChainMatch3, HTTP_CONNECTION_MANAGER, tlsContext3, tlsContextManager);
// has prefix ranges with both matching and source type external but non matching source port:
// gets eliminated in step 5
EnvoyServerProtoData.FilterChainMatch filterChainMatch4 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.0.0", 16), EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.2.0", 24)), EnvoyServerProtoData.ConnectionSourceType.EXTERNAL, ImmutableList.of(16000, 9000), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChain4 = EnvoyServerProtoData.FilterChain.create("filter-chain-4", filterChainMatch4, HTTP_CONNECTION_MANAGER, tlsContext4, tlsContextManager);
// has prefix ranges with both matching and source type external and matching source port: this
// gets selected
EnvoyServerProtoData.FilterChainMatch filterChainMatch5 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.0.0", 16), EnvoyServerProtoData.CidrRange.create("10.1.2.0", 30)), ImmutableList.of(), ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.4.2.0", 24), EnvoyServerProtoData.CidrRange.create("192.168.2.0", 24)), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(15000, 8000), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChain5 = EnvoyServerProtoData.FilterChain.create("filter-chain-5", filterChainMatch5, HTTP_CONNECTION_MANAGER, tlsContext5, tlsContextManager);
// has prefix range with prefixLen of 29: gets eliminated in step 2
EnvoyServerProtoData.FilterChainMatch filterChainMatch6 = EnvoyServerProtoData.FilterChainMatch.create(0, ImmutableList.of(EnvoyServerProtoData.CidrRange.create("10.1.2.0", 29)), ImmutableList.of(), ImmutableList.of(), EnvoyServerProtoData.ConnectionSourceType.ANY, ImmutableList.of(), ImmutableList.of(), "");
EnvoyServerProtoData.FilterChain filterChain6 = EnvoyServerProtoData.FilterChain.create("filter-chain-6", filterChainMatch6, HTTP_CONNECTION_MANAGER, tlsContext6, tlsContextManager);
EnvoyServerProtoData.FilterChain defaultFilterChain = EnvoyServerProtoData.FilterChain.create("filter-chain-7", DEFAULT_FILTER_CHAIN_MATCH, HTTP_CONNECTION_MANAGER, null, tlsContextManager);
Map<FilterChain, AtomicReference<ServerRoutingConfig>> map = new HashMap<>();
map.put(filterChain1, randomConfig("1"));
map.put(filterChain2, randomConfig("2"));
map.put(filterChain3, randomConfig("3"));
map.put(filterChain4, randomConfig("4"));
map.put(filterChain5, noopConfig);
map.put(filterChain6, randomConfig("6"));
selectorManager.updateSelector(new FilterChainSelector(map, defaultFilterChain.sslContextProviderSupplier(), randomConfig("default")));
FilterChainMatchingHandler filterChainMatchingHandler = new FilterChainMatchingHandler(grpcHandler, selectorManager, mockDelegate);
ChannelHandler next = captureAttrHandler(sslSet, routingSettable);
when(mockDelegate.newHandler(grpcHandler)).thenReturn(next);
setupChannel(LOCAL_IP, REMOTE_IP, 15000, filterChainMatchingHandler);
pipeline.fireUserEventTriggered(event);
channel.runPendingTasks();
assertThat(sslSet.get()).isEqualTo(filterChain5.sslContextProviderSupplier());
assertThat(routingSettable.get()).isEqualTo(noopConfig);
assertThat(sslSet.get().getTlsContext()).isSameInstanceAs(tlsContext5);
}
Aggregations