Add validation context provider #4264
Changes from 6 commits
fb0e921
6b61c63
1aba595
2c5d3d4
8e25759
a353a5e
7a5a793
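--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,61 @@
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Ssl {
+
+class CertificateValidationContextConfig {
+public:
+virtual ~CertificateValidationContextConfig() {}
+
+/**
+* @return The CA certificate to use for peer validation.
+*/
+virtual const std::string& caCert() const PURE;
+
+/**
+* @return Path of the CA certificate to use for peer validation or "<inline>"
+* if the CA certificate was inlined.
+*/
+virtual const std::string& caCertPath() const PURE;
+
+/**
+* @return The CRL to check if a cert is revoked.
+*/
+virtual const std::string& certificateRevocationList() const PURE;
+
+/**
+* @return Path of the certificate revocation list, or "<inline>" if the CRL
+* was inlined.
+*/
+virtual const std::string& certificateRevocationListPath() const PURE;
+
+/**
+* @return The subject alt names to be verified, if enabled. Otherwise, ""
+*/
+virtual const std::vector<std::string>& verifySubjectAltNameList() const PURE;
+
+/**
+* @return A list of a hex-encoded SHA-256 certificate hashes to be verified.
+*/
+virtual const std::vector<std::string>& verifyCertificateHashList() const PURE;
+
+/**
+* @return A list of a hex-encoded SHA-256 SPKI hashes to be verified.
+*/
+virtual const std::vector<std::string>& verifyCertificateSpkiList() const PURE;
+
+/**
+* @return whether to ignore expired certificates (both too new and too old).
+*/
+virtual bool allowExpiredCertificate() const PURE;
+};
+
+typedef std::unique_ptr<CertificateValidationContextConfig> CertificateValidationContextConfigPtr;
+
+} // namespace Ssl
+} // namespace Envoy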
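Review bot: The `CertificateValidationContextConfigPtr` typedef near the end of the file uses `std::unique_ptr`, but the header includes only `<string>` and `<vector>`; add `#include <memory>` so the header compiles on its own instead of relying on a transitive include through `envoy/common/pure.h`. The `@return` comment on `verifySubjectAltNameList()` says `Otherwise, ""`, yet the method returns a `std::vector<std::string>`; `Otherwise, an empty list.` matches the signature. Because this interface is what peer-certificate verification reads (CA, CRL, SAN list, SHA-256 certificate and SPKI pins, expiry override), a short class-level comment stating how the SAN, certificate-hash and SPKI lists are meant to combine (for example whether a match on any single entry suffices) would keep implementations consistent — the header leaves that to implementers, so this is a suggestion, not a statement of current behaviour. Minor style: `virtual ~CertificateValidationContextConfig() = default;` and `using CertificateValidationContextConfigPtr = std::unique_ptr<...>;` are the modern forms.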
@@ -4,6 +4,7 @@ | |
|
||
#include "common/common/assert.h" | ||
#include "common/secret/secret_provider_impl.h" | ||
#include "common/ssl/certificate_validation_context_config_impl.h" | ||
#include "common/ssl/tls_certificate_config_impl.h" | ||
|
||
namespace Envoy { | ||
|
@@ -21,6 +22,17 @@ void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secr | |
} | ||
break; | ||
} | ||
case envoy::api::v2::auth::Secret::TypeCase::kValidationContext: { | ||
auto secret_provider = std::make_shared<CertificateValidationContextConfigProviderImpl>( | ||
secret.validation_context()); | ||
if (!static_certificate_validation_context_providers_ | ||
.insert(std::make_pair(secret.name(), secret_provider)) | ||
.second) { | ||
throw EnvoyException(fmt::format( | ||
"Duplicate static CertificateValidationContext secret name {}", secret.name())); | ||
} | ||
break; | ||
} | ||
default: | ||
throw EnvoyException("Secret type not implemented"); | ||
} | ||
|
@@ -32,10 +44,24 @@ SecretManagerImpl::findStaticTlsCertificateProvider(const std::string& name) con | |
return (secret != static_tls_certificate_providers_.end()) ? secret->second : nullptr; | ||
} | ||
|
||
CertificateValidationContextConfigProviderSharedPtr | ||
SecretManagerImpl::findStaticCertificateValidationContextProvider(const std::string& name) const { | ||
auto secret = static_certificate_validation_context_providers_.find(name); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also needs unit test. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Tests TEST_F(SecretManagerImplTest, CertificateValidationContextSecretLoadSuccess) and TEST_F(SecretManagerImplTest, DuplicateStaticCertificateValidationContextSecret) are added into secret_manager_impl_test.cc |
||
return (secret != static_certificate_validation_context_providers_.end()) ? secret->second | ||
: nullptr; | ||
} | ||
|
||
TlsCertificateConfigProviderSharedPtr SecretManagerImpl::createInlineTlsCertificateProvider( | ||
const envoy::api::v2::auth::TlsCertificate& tls_certificate) { | ||
return std::make_shared<TlsCertificateConfigProviderImpl>(tls_certificate); | ||
} | ||
|
||
CertificateValidationContextConfigProviderSharedPtr | ||
SecretManagerImpl::createInlineCertificateValidationContextProvider( | ||
const envoy::api::v2::auth::CertificateValidationContext& certificate_validation_context) { | ||
return std::make_shared<CertificateValidationContextConfigProviderImpl>( | ||
certificate_validation_context); | ||
} | ||
|
||
} // namespace Secret | ||
} // namespace Envoy |
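Review bot: In the `kValidationContext` case of `addStaticSecret`, the provider is constructed with `std::make_shared` before the duplicate-name check, so a rejected duplicate still builds a complete provider from `secret.validation_context()` only to throw it away; a `find(secret.name())` on `static_certificate_validation_context_providers_` before construction avoids that work. The insertion can also be written as `static_certificate_validation_context_providers_.emplace(secret.name(), std::move(secret_provider))`, which drops the extra `shared_ptr` copy (an atomic refcount round-trip) that `std::make_pair` with an lvalue makes. `findStaticCertificateValidationContextProvider` reads the same map with no synchronization visible in this hunk; if lookups and `addStaticSecret` may run on different threads this needs a lock or a documented init-only contract — hedged, as the threading model is not shown here. The body of `addStaticSecret` begins outside the hunk.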
Need a unit test with
EXPECT_THROW_WITH_MESSAGE
for this.There was a problem hiding this comment.
Tests TEST_F(SecretManagerImplTest, CertificateValidationContextSecretLoadSuccess) and TEST_F(SecretManagerImplTest, DuplicateStaticCertificateValidationContextSecret) are added into secret_manager_impl_test.cc