diff --git a/api/envoy/config/transport_socket/alts/v2alpha/BUILD b/api/envoy/config/transport_socket/alts/v2alpha/BUILD new file mode 100644 index 000000000000..03934075485a --- /dev/null +++ b/api/envoy/config/transport_socket/alts/v2alpha/BUILD @@ -0,0 +1,11 @@ +load("//bazel:api_build_system.bzl", "api_proto_library") + +licenses(["notice"]) # Apache 2 + +api_proto_library( + name = "alts", + srcs = ["alts.proto"], + deps = [ + "//envoy/api/v2/core:base", + ], +) diff --git a/api/envoy/config/transport_socket/alts/v2alpha/alts.proto b/api/envoy/config/transport_socket/alts/v2alpha/alts.proto new file mode 100644 index 000000000000..770ce3be5769 --- /dev/null +++ b/api/envoy/config/transport_socket/alts/v2alpha/alts.proto @@ -0,0 +1,20 @@ +syntax = "proto3"; + +package envoy.config.transport_socket.alts.v2alpha; +option go_package = "v2"; + +// [#protodoc-title: ALTS] + +import "validate/validate.proto"; + +// Configuration for ALTS transport socket. This provides Google's ALTS protocol to Envoy. +// https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/ +message Alts { + // The location of a handshaker service, this is usually 169.254.169.254:8080 + // on GCE + string handshaker_service = 1 [(validate.rules).string.min_bytes = 1]; + + // The acceptable service accounts from peer, peers not in the list will be rejected in the + // handshake validation step. If empty, no validation will be performed. + repeated string peer_service_accounts = 2; +} diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 176b499da27b..bd6625d61923 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -495,6 +495,14 @@ def _com_google_protobuf(): name = "protobuf", actual = "@com_google_protobuf//:protobuf", ) + native.bind( + name = "protobuf_clib", + actual = "@com_google_protobuf//:protoc_lib", + ) + native.bind( + name = "protocol_compiler", + actual = "@com_google_protobuf//:protoc", + ) native.bind( name = "protoc", actual = "@com_google_protobuf_cc//:protoc", @@ -527,6 +535,11 @@ def _com_github_grpc_grpc(): actual = "@envoy//bazel:grpc_health_proto", ) + native.bind( + name = "grpc_alts_fake_handshaker_server", + actual = "@com_github_grpc_grpc//test/core/tsi/alts/fake_handshaker:fake_handshaker_lib", + ) + def _com_github_nanopb_nanopb(): _repository_impl( name = "com_github_nanopb_nanopb", diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index e4078aad7953..7272802a378d 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -52,9 +52,10 @@ REPOSITORY_LOCATIONS = dict( remote = "https://github.com/google/libprotobuf-mutator", ), com_github_grpc_grpc = dict( - sha256 = "013cc34f3c51c0f87e059a12ea203087a7a15dca2e453295345e1d02e2b9634b", - strip_prefix = "grpc-1.15.0", - urls = ["https://github.com/grpc/grpc/archive/v1.15.0.tar.gz"], + # TODO(lizan): Use release once new version released. + sha256 = "c3954b27d7cd44265b9f5eff423c115f7ccd00f871c0f5162957fc6c77d23b23", + strip_prefix = "grpc-4b1aa50e37c8e5bc1e4319b16827c8ff4507abc1", + urls = ["https://github.com/grpc/grpc/archive/4b1aa50e37c8e5bc1e4319b16827c8ff4507abc1.tar.gz"], ), com_github_nanopb_nanopb = dict( # From: https://github.com/grpc/grpc/blob/v1.14.0/bazel/grpc_deps.bzl#L123 diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index f3d7f9ef60d2..ac3f4e494e92 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -106,8 +106,7 @@ EXTENSIONS = { # Transport sockets # - # TODO(lizan): switch to config target once a transport socket exists - "envoy.transport_sockets.alts": "//source/extensions/transport_sockets/alts:tsi_handshaker", + "envoy.transport_sockets.alts": "//source/extensions/transport_sockets/alts:config", "envoy.transport_sockets.capture": "//source/extensions/transport_sockets/capture:config", # Retry host predicates diff --git a/source/extensions/transport_sockets/alts/BUILD b/source/extensions/transport_sockets/alts/BUILD index 8f7df7a46a13..73a9f4763974 100644 --- a/source/extensions/transport_sockets/alts/BUILD +++ b/source/extensions/transport_sockets/alts/BUILD @@ -1,6 +1,7 @@ licenses(["notice"]) # Apache 2 -# TODO(lizan): Add link to docs when it is ready. +# ALTS transport socket. This provides Google's ALTS protocol support in GCP to Envoy. +# https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/ load( "//bazel:envoy_build_system.bzl", @@ -24,6 +25,24 @@ envoy_cc_library( ], ) +envoy_cc_library( + name = "config", + srcs = [ + "config.cc", + ], + hdrs = [ + "config.h", + ], + deps = [ + ":tsi_handshaker", + ":tsi_socket", + "//include/envoy/registry", + "//include/envoy/server:transport_socket_config_interface", + "//source/extensions/transport_sockets:well_known_names", + "@envoy_api//envoy/config/transport_socket/alts/v2alpha:alts_cc", + ], +) + envoy_cc_library( name = "tsi_frame_protector", srcs = [ diff --git a/source/extensions/transport_sockets/alts/config.cc b/source/extensions/transport_sockets/alts/config.cc new file mode 100644 index 000000000000..4cb10d04328e --- /dev/null +++ b/source/extensions/transport_sockets/alts/config.cc @@ -0,0 +1,151 @@ +#include "extensions/transport_sockets/alts/config.h" + +#include "envoy/config/transport_socket/alts/v2alpha/alts.pb.h" +#include "envoy/config/transport_socket/alts/v2alpha/alts.pb.validate.h" +#include "envoy/registry/registry.h" +#include "envoy/server/transport_socket_config.h" + +#include "common/common/assert.h" +#include "common/protobuf/protobuf.h" +#include "common/protobuf/utility.h" + +#include "extensions/transport_sockets/alts/grpc_tsi.h" +#include "extensions/transport_sockets/alts/tsi_socket.h" + +#include "absl/strings/str_join.h" + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Alts { + +// smart pointer for grpc_alts_credentials_options that will be automatically freed. +typedef CSmartPtr + GrpcAltsCredentialsOptionsPtr; + +namespace { + +// Returns true if the peer's service account is found in peers, otherwise +// returns false and fills out err with an error message. +bool doValidate(const tsi_peer& peer, const std::unordered_set& peers, + std::string& err) { + for (size_t i = 0; i < peer.property_count; ++i) { + const std::string name = std::string(peer.properties[i].name); + const std::string value = + std::string(peer.properties[i].value.data, peer.properties[i].value.length); + if (name.compare(TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY) == 0 && + peers.find(value) != peers.end()) { + return true; + } + } + + err = + "Couldn't find peer's service account in peer_service_accounts: " + absl::StrJoin(peers, ","); + return false; +} + +} // namespace + +ProtobufTypes::MessagePtr AltsTransportSocketConfigFactory::createEmptyConfigProto() { + return std::make_unique(); +} + +Network::TransportSocketFactoryPtr +UpstreamAltsTransportSocketConfigFactory::createTransportSocketFactory( + const Protobuf::Message& message, Server::Configuration::TransportSocketFactoryContext&) { + auto config = + MessageUtil::downcastAndValidate( + message); + + std::string handshaker_service = config.handshaker_service(); + const auto& peer_service_accounts = config.peer_service_accounts(); + std::unordered_set peers(peer_service_accounts.cbegin(), + peer_service_accounts.cend()); + + HandshakeValidator validator; + // Skip validation if peers is empty. + if (!peers.empty()) { + validator = [peers](const tsi_peer& peer, std::string& err) { + return doValidate(peer, peers, err); + }; + } + + HandshakerFactory factory = + [handshaker_service](Event::Dispatcher& dispatcher, + const Network::Address::InstanceConstSharedPtr&, + const Network::Address::InstanceConstSharedPtr&) -> TsiHandshakerPtr { + GrpcAltsCredentialsOptionsPtr options{grpc_alts_credentials_client_options_create()}; + + tsi_handshaker* handshaker = nullptr; + // Specifying target name as empty since TSI won't take care of validating peer identity + // in this use case. The validation will be performed by TsiSocket with the validator. + tsi_result status = alts_tsi_handshaker_create(options.get(), "", handshaker_service.c_str(), + true /* is_client */, &handshaker); + CHandshakerPtr handshaker_ptr{handshaker}; + + if (status != TSI_OK) { + ENVOY_LOG_MISC(warn, "Cannot create ATLS client handshaker, status: {}", status); + return nullptr; + } + + return std::make_unique(std::move(handshaker_ptr), dispatcher); + }; + + return std::make_unique(factory, validator); +} + +Network::TransportSocketFactoryPtr +DownstreamAltsTransportSocketConfigFactory::createTransportSocketFactory( + const Protobuf::Message& message, Server::Configuration::TransportSocketFactoryContext&, + const std::vector&) { + auto config = + MessageUtil::downcastAndValidate( + message); + + const std::string handshaker_service = config.handshaker_service(); + const auto& peer_service_accounts = config.peer_service_accounts(); + std::unordered_set peers(peer_service_accounts.cbegin(), + peer_service_accounts.cend()); + + HandshakeValidator validator; + // Skip validation if peers is empty. + if (!peers.empty()) { + validator = [peers](const tsi_peer& peer, std::string& err) { + return doValidate(peer, peers, err); + }; + } + + HandshakerFactory factory = + [handshaker_service](Event::Dispatcher& dispatcher, + const Network::Address::InstanceConstSharedPtr&, + const Network::Address::InstanceConstSharedPtr&) -> TsiHandshakerPtr { + GrpcAltsCredentialsOptionsPtr options{grpc_alts_credentials_server_options_create()}; + + tsi_handshaker* handshaker = nullptr; + tsi_result status = alts_tsi_handshaker_create( + options.get(), nullptr, handshaker_service.c_str(), false /* is_client */, &handshaker); + CHandshakerPtr handshaker_ptr{handshaker}; + + if (status != TSI_OK) { + ENVOY_LOG_MISC(warn, "Cannot create ATLS server handshaker, status: {}", status); + return nullptr; + } + + return std::make_unique(std::move(handshaker_ptr), dispatcher); + }; + + return std::make_unique(factory, validator); +} + +static Registry::RegisterFactory + upstream_registered_; + +static Registry::RegisterFactory + downstream_registered_; + +} // namespace Alts +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/transport_sockets/alts/config.h b/source/extensions/transport_sockets/alts/config.h new file mode 100644 index 000000000000..adec81d3faec --- /dev/null +++ b/source/extensions/transport_sockets/alts/config.h @@ -0,0 +1,42 @@ +#pragma once + +#include "envoy/server/transport_socket_config.h" + +#include "extensions/transport_sockets/well_known_names.h" + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Alts { + +// ALTS config registry +class AltsTransportSocketConfigFactory + : public virtual Server::Configuration::TransportSocketConfigFactory { +public: + ProtobufTypes::MessagePtr createEmptyConfigProto() override; + std::string name() const override { return TransportSocketNames::get().Alts; } +}; + +class UpstreamAltsTransportSocketConfigFactory + : public AltsTransportSocketConfigFactory, + public Server::Configuration::UpstreamTransportSocketConfigFactory { +public: + Network::TransportSocketFactoryPtr + createTransportSocketFactory(const Protobuf::Message&, + Server::Configuration::TransportSocketFactoryContext&) override; +}; + +class DownstreamAltsTransportSocketConfigFactory + : public AltsTransportSocketConfigFactory, + public Server::Configuration::DownstreamTransportSocketConfigFactory { +public: + Network::TransportSocketFactoryPtr + createTransportSocketFactory(const Protobuf::Message&, + Server::Configuration::TransportSocketFactoryContext&, + const std::vector&) override; +}; + +} // namespace Alts +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/transport_sockets/alts/tsi_socket.cc b/source/extensions/transport_sockets/alts/tsi_socket.cc index c20887f46dc0..f3c77cd00fef 100644 --- a/source/extensions/transport_sockets/alts/tsi_socket.cc +++ b/source/extensions/transport_sockets/alts/tsi_socket.cc @@ -38,14 +38,7 @@ Network::PostIoAction TsiSocket::doHandshake() { ASSERT(!handshake_complete_); ENVOY_CONN_LOG(debug, "TSI: doHandshake", callbacks_->connection()); - if (!handshaker_) { - handshaker_ = handshaker_factory_(callbacks_->connection().dispatcher(), - callbacks_->connection().localAddress(), - callbacks_->connection().remoteAddress()); - handshaker_->setHandshakerCallbacks(*this); - } - - if (!handshaker_next_calling_) { + if (!handshaker_next_calling_ && raw_read_buffer_.length() > 0) { doHandshakeNext(); } return Network::PostIoAction::KeepOpen; @@ -54,6 +47,20 @@ Network::PostIoAction TsiSocket::doHandshake() { void TsiSocket::doHandshakeNext() { ENVOY_CONN_LOG(debug, "TSI: doHandshake next: received: {}", callbacks_->connection(), raw_read_buffer_.length()); + + if (!handshaker_) { + handshaker_ = handshaker_factory_(callbacks_->connection().dispatcher(), + callbacks_->connection().localAddress(), + callbacks_->connection().remoteAddress()); + if (!handshaker_) { + ENVOY_CONN_LOG(warn, "TSI: failed to create handshaker", callbacks_->connection()); + callbacks_->connection().close(Network::ConnectionCloseType::NoFlush); + return; + } + + handshaker_->setHandshakerCallbacks(*this); + } + handshaker_next_calling_ = true; Buffer::OwnedImpl handshaker_buffer; handshaker_buffer.move(raw_read_buffer_); @@ -212,12 +219,16 @@ Network::IoResult TsiSocket::doWrite(Buffer::Instance& buffer, bool end_stream) } void TsiSocket::closeSocket(Network::ConnectionEvent) { + ENVOY_CONN_LOG(debug, "TSI: closing socket", callbacks_->connection()); if (handshaker_) { handshaker_.release()->deferredDelete(); } } -void TsiSocket::onConnected() { ASSERT(!handshake_complete_); } +void TsiSocket::onConnected() { + ASSERT(!handshake_complete_); + doHandshakeNext(); +} void TsiSocket::onNextDone(NextResultPtr&& result) { handshaker_next_calling_ = false; diff --git a/source/extensions/transport_sockets/well_known_names.h b/source/extensions/transport_sockets/well_known_names.h index 0cf096fe30e4..64c813dd6923 100644 --- a/source/extensions/transport_sockets/well_known_names.h +++ b/source/extensions/transport_sockets/well_known_names.h @@ -12,6 +12,7 @@ namespace TransportSockets { */ class TransportSocketNameValues { public: + const std::string Alts = "envoy.transport_sockets.alts"; const std::string Capture = "envoy.transport_sockets.capture"; const std::string RawBuffer = "raw_buffer"; const std::string Tls = "tls"; diff --git a/test/extensions/transport_sockets/alts/BUILD b/test/extensions/transport_sockets/alts/BUILD index 590d74bced42..dcd348a31178 100644 --- a/test/extensions/transport_sockets/alts/BUILD +++ b/test/extensions/transport_sockets/alts/BUILD @@ -11,6 +11,18 @@ load( envoy_package() +envoy_extension_cc_test( + name = "config_test", + srcs = ["config_test.cc"], + extension_name = "envoy.transport_sockets.alts", + deps = [ + "//source/extensions/transport_sockets/alts:config", + "//test/mocks/event:event_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/server:server_mocks", + ], +) + envoy_extension_cc_test( name = "tsi_frame_protector_test", srcs = ["tsi_frame_protector_test.cc"], @@ -55,3 +67,25 @@ envoy_extension_cc_test( "//test/mocks/network:network_mocks", ], ) + +envoy_extension_cc_test( + name = "alts_integration_test", + srcs = [ + "alts_integration_test.cc", + ], + extension_name = "envoy.transport_sockets.alts", + external_deps = [ + "grpc_alts_fake_handshaker_server", + ], + deps = [ + "//source/common/event:dispatcher_includes", + "//source/common/event:dispatcher_lib", + "//source/common/network:connection_lib", + "//source/common/network:utility_lib", + "//source/extensions/transport_sockets/alts:config", + "//test/integration:http_integration_lib", + "//test/mocks/runtime:runtime_mocks", + "//test/mocks/secret:secret_mocks", + "//test/test_common:utility_lib", + ], +) diff --git a/test/extensions/transport_sockets/alts/alts_integration_test.cc b/test/extensions/transport_sockets/alts/alts_integration_test.cc new file mode 100644 index 000000000000..d83914a8ceb9 --- /dev/null +++ b/test/extensions/transport_sockets/alts/alts_integration_test.cc @@ -0,0 +1,136 @@ +#include "common/common/thread.h" + +#include "extensions/transport_sockets/alts/config.h" + +#include "test/core/tsi/alts/fake_handshaker/fake_handshaker_server.h" +#include "test/integration/http_integration.h" +#include "test/integration/integration.h" +#include "test/integration/server.h" +#include "test/integration/utility.h" +#include "test/mocks/server/mocks.h" +#include "test/test_common/network_utility.h" +#include "test/test_common/utility.h" + +#include "absl/strings/match.h" +#include "absl/strings/str_cat.h" +#include "gmock/gmock.h" +#include "grpcpp/grpcpp.h" +#include "grpcpp/impl/codegen/service_type.h" +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Alts { + +class AltsIntegrationTest : public HttpIntegrationTest, + public testing::TestWithParam { +public: + AltsIntegrationTest() + : HttpIntegrationTest(Http::CodecClient::Type::HTTP1, GetParam(), realTime()) {} + + void initialize() override; + void SetUp() override; + void TearDown() override; + + Network::ClientConnectionPtr makeAltsConnection(); + std::string fakeHandshakerServerAddress(); + + Thread::ThreadPtr fake_handshaker_server_thread_; + std::unique_ptr fake_handshaker_server_; + ConditionalInitializer fake_handshaker_server_ci_; + int fake_handshaker_server_port_{}; + Network::TransportSocketFactoryPtr client_alts_; +}; + +std::string AltsIntegrationTest::fakeHandshakerServerAddress() { + return absl::StrCat(Network::Test::getLoopbackAddressUrlString(version_), ":", + std::to_string(fake_handshaker_server_port_)); +} + +void AltsIntegrationTest::initialize() { + config_helper_.addConfigModifier([this](envoy::config::bootstrap::v2::Bootstrap& bootstrap) { + auto transport_socket = bootstrap.mutable_static_resources() + ->mutable_listeners(0) + ->mutable_filter_chains(0) + ->mutable_transport_socket(); + const std::string yaml = R"EOF( + name: envoy.transport_sockets.alts + config: + peer_service_accounts: [peer_identity] + handshaker_service: ")EOF" + + fakeHandshakerServerAddress() + "\""; + + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *transport_socket); + }); + HttpIntegrationTest::initialize(); + registerTestServerPorts({"http"}); +} + +void AltsIntegrationTest::SetUp() { + fake_handshaker_server_thread_ = std::make_unique([this]() { + std::unique_ptr service = grpc::gcp::CreateFakeHandshakerService(); + + std::string server_address = Network::Test::getLoopbackAddressUrlString(version_) + ":0"; + grpc::ServerBuilder builder; + builder.AddListeningPort(server_address, grpc::InsecureServerCredentials(), + &fake_handshaker_server_port_); + builder.RegisterService(service.get()); + + fake_handshaker_server_ = builder.BuildAndStart(); + fake_handshaker_server_ci_.setReady(); + fake_handshaker_server_->Wait(); + }); + + fake_handshaker_server_ci_.waitReady(); + + const std::string yaml = + absl::StrCat("handshaker_service: \"", fakeHandshakerServerAddress(), "\""); + + NiceMock mock_factory_ctx; + UpstreamAltsTransportSocketConfigFactory factory; + + ProtobufTypes::MessagePtr config = factory.createEmptyConfigProto(); + MessageUtil::loadFromYaml(TestEnvironment::substitute(yaml), *config); + + ENVOY_LOG_MISC(info, "{}", config->DebugString()); + + client_alts_ = factory.createTransportSocketFactory(*config, mock_factory_ctx); +} +void AltsIntegrationTest::TearDown() { + HttpIntegrationTest::cleanupUpstreamAndDownstream(); + dispatcher_->clearDeferredDeleteList(); + if (fake_handshaker_server_ != nullptr) { + fake_handshaker_server_->Shutdown(); + } + fake_handshaker_server_thread_->join(); +} + +Network::Address::InstanceConstSharedPtr getAddress(const Network::Address::IpVersion& version, + int port) { + std::string url = + "tcp://" + Network::Test::getLoopbackAddressUrlString(version) + ":" + std::to_string(port); + return Network::Utility::resolveUrl(url); +} + +Network::ClientConnectionPtr AltsIntegrationTest::makeAltsConnection() { + Network::Address::InstanceConstSharedPtr address = getAddress(version_, lookupPort("http")); + return dispatcher_->createClientConnection(address, Network::Address::InstanceConstSharedPtr(), + client_alts_->createTransportSocket(), nullptr); +} + +INSTANTIATE_TEST_CASE_P(IpVersions, AltsIntegrationTest, + testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + TestUtility::ipTestParamsToString); + +TEST_P(AltsIntegrationTest, RouterRequestAndResponseWithBodyNoBuffer) { + ConnectionCreationFunction creator = [this]() -> Network::ClientConnectionPtr { + return makeAltsConnection(); + }; + testRouterRequestAndResponseWithBody(1024, 512, false, &creator); +} + +} // namespace Alts +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/transport_sockets/alts/config_test.cc b/test/extensions/transport_sockets/alts/config_test.cc new file mode 100644 index 000000000000..ec73769e2547 --- /dev/null +++ b/test/extensions/transport_sockets/alts/config_test.cc @@ -0,0 +1,61 @@ +#include "envoy/config/transport_socket/alts/v2alpha/alts.pb.validate.h" + +#include "common/protobuf/protobuf.h" + +#include "extensions/transport_sockets/alts/config.h" + +#include "test/mocks/server/mocks.h" + +#include "gmock/gmock.h" +#include "gtest/gtest.h" + +using Envoy::Server::Configuration::MockTransportSocketFactoryContext; +using testing::_; +using testing::Invoke; +using testing::StrictMock; + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Alts { + +TEST(UpstreamAltsConfigTest, CreateSocketFactory) { + MockTransportSocketFactoryContext factory_context; + UpstreamAltsTransportSocketConfigFactory factory; + + ProtobufTypes::MessagePtr config = factory.createEmptyConfigProto(); + + std::string yaml = R"EOF( + handshaker_service: 169.254.169.254:8080 + peer_service_accounts: ["server-sa"] + )EOF"; + MessageUtil::loadFromYaml(yaml, *config); + + auto socket_factory = factory.createTransportSocketFactory(*config, factory_context); + + EXPECT_NE(nullptr, socket_factory); + EXPECT_TRUE(socket_factory->implementsSecureTransport()); +} + +TEST(DownstreamAltsConfigTest, CreateSocketFactory) { + MockTransportSocketFactoryContext factory_context; + DownstreamAltsTransportSocketConfigFactory factory; + + ProtobufTypes::MessagePtr config = factory.createEmptyConfigProto(); + + std::string yaml = R"EOF( + handshaker_service: 169.254.169.254:8080 + peer_service_accounts: ["server-sa"] + )EOF"; + MessageUtil::loadFromYaml(yaml, *config); + + auto socket_factory = factory.createTransportSocketFactory(*config, factory_context, {}); + + EXPECT_NE(nullptr, socket_factory); + EXPECT_TRUE(socket_factory->implementsSecureTransport()); +} + +} // namespace Alts +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy \ No newline at end of file diff --git a/test/extensions/transport_sockets/alts/tsi_socket_test.cc b/test/extensions/transport_sockets/alts/tsi_socket_test.cc index 69ad81494f4c..d80b3dfccb65 100644 --- a/test/extensions/transport_sockets/alts/tsi_socket_test.cc +++ b/test/extensions/transport_sockets/alts/tsi_socket_test.cc @@ -89,10 +89,8 @@ class TsiSocketTest : public testing::Test { })); client_.tsi_socket_->setTransportSocketCallbacks(client_.callbacks_); - client_.tsi_socket_->onConnected(); server_.tsi_socket_->setTransportSocketCallbacks(server_.callbacks_); - server_.tsi_socket_->onConnected(); } void expectIoResult(Network::IoResult expected, Network::IoResult actual) { @@ -119,6 +117,7 @@ class TsiSocketTest : public testing::Test { void doFakeInitHandshake() { EXPECT_CALL(*client_.raw_socket_, doWrite(_, false)); + client_.tsi_socket_->onConnected(); expectIoResult({Network::PostIoAction::KeepOpen, 0UL, false}, client_.tsi_socket_->doWrite(client_.write_buffer_, false)); EXPECT_EQ(makeFakeTsiFrame("CLIENT_INIT"), client_to_server_.toString()); @@ -357,8 +356,7 @@ TEST_F(TsiSocketTest, HandshakeWithInternalError) { EXPECT_CALL(client_.callbacks_.connection_, close(Network::ConnectionCloseType::NoFlush)); // doWrite won't immediately fail, but it will result connection close. - expectIoResult({Network::PostIoAction::KeepOpen, 0UL, false}, - client_.tsi_socket_->doWrite(client_.write_buffer_, false)); + client_.tsi_socket_->onConnected(); raw_handshaker->vtable = vtable; }