diff --git a/.bazelrc b/.bazelrc
index 03d5a5f7d48e..36a2766787ef 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -509,6 +509,7 @@ build:rbe-engflow --grpc_keepalive_time=30s
 build:rbe-engflow --remote_timeout=3600s
 build:rbe-engflow --bes_timeout=3600s
 build:rbe-engflow --bes_upload_mode=fully_async
+build:rbe-engflow --nolegacy_important_outputs
 build:cache-envoy-engflow --google_default_credentials=false
 build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com
diff --git a/.gitattributes b/.gitattributes
index 0dd1d568f0b3..74e5a411fb82 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -3,8 +3,8 @@
 /generated_api_shadow/envoy/** linguist-generated=true
 /generated_api_shadow/bazel/** linguist-generated=true
 *.svg binary
-/test/extensions/transport_sockets/tls/test_data/aes_128_key binary
-/test/extensions/transport_sockets/tls/test_data/ticket_key_* binary
+/test/common/tls/test_data/aes_128_key binary
+/test/common/tls/test_data/ticket_key_* binary
 /test/**/*_corpus/* linguist-generated=true
 requirements.txt binary
 package.lock binary
diff --git a/CODEOWNERS b/CODEOWNERS
index d08360957e56..487613e1eccc 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -249,9 +249,9 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/filters/http/rbac @yangminzhu @yanavlasov
 /*/extensions/filters/common/rbac @yangminzhu @yanavlasov
 # tap
-/*/extensions/filters/http/tap @mattklein123 @daixiang0
-/*/extensions/common/tap @mattklein123 @daixiang0
-/*/extensions/transport_sockets/tap @mattklein123 @daixiang0
+/*/extensions/filters/http/tap @mattklein123 @xu1zhou
+/*/extensions/common/tap @mattklein123 @xu1zhou
+/*/extensions/transport_sockets/tap @mattklein123 @xu1zhou
 # local rate limit
 /*/extensions/filters/network/local_ratelimit @mattklein123 @wbpcode
 /*/extensions/filters/listener/local_ratelimit @mattklein123 @JuniorHsu
diff --git a/api/envoy/config/trace/v3/zipkin.proto b/api/envoy/config/trace/v3/zipkin.proto
index a9aefef0c6df..2d8f3195c31e 100644
--- a/api/envoy/config/trace/v3/zipkin.proto
+++ b/api/envoy/config/trace/v3/zipkin.proto
@@ -82,5 +82,10 @@ message ZipkinConfig {
 // If this is set to true, then the
 // :ref:`start_child_span of router `
 // SHOULD be set to true also to ensure the correctness of trace chain.
- bool split_spans_for_request = 7;
+ //
+ // Both this field and ``start_child_span`` are deprecated by the
+ // :ref:`spawn_upstream_span `.
+ // Please use that ``spawn_upstream_span`` field to control the span creation.
+ bool split_spans_for_request = 7
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 }
diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index 480a29365830..1256a40bdc2f 100644
--- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -326,6 +326,7 @@ message JwtProvider {
 // Add JWT claim to HTTP Header
 // Specify the claim name you want to copy in which HTTP header. For examples, following config:
 // The claim must be of type; string, int, double, bool. Array type claims are not supported
+ //
 // .. code-block:: yaml
 //
 // claim_to_headers:
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
index 692821ae863e..5b097fb60173 100644
--- a/changelogs/current.yaml
+++ b/changelogs/current.yaml
@@ -51,6 +51,10 @@ minor_behavior_changes: Port migration is default turned off. QUIC client connections will no longer attempt to migrate to a new port when connections is degrading. Can be manually turned on via :ref:`port_migration `. +- area: QUIC + change: | + Make each upstream connection to read as many as 32 packets in each event loop. This feature can be disabled by setting + ``envoy.reloadable_features.quic_upstream_reads_fixed_number_packets`` to false. - area: aws change: | AWS region string is now retrieved from environment and profile consistently within aws_request_signer and @@ -200,6 +204,11 @@ new_features: Added QUIC protocol option :ref:`send_disable_active_migration ` to make the server send clients a transport parameter to discourage client endpoints from active migration. +- area: quic + change: | + Added support for QUIC listeners to :ref:`choose certificates based on SNI ` and load certificates + from formats other than PEM, such as :ref:`pkcs12 `. + This behavior can be disabled with runtime flag ``envoy.restart_features.quic_handle_certs_with_shared_tls_code``. - area: ext_proc change: | implemented @@ -267,6 +276,9 @@ new_features: - area: tracing change: | Added support to configure a Dynatrace sampler for the OpenTelemetry tracer. +- area: tracing + change: | + Added User-Agent header to OTLP trace exporters according to the OpenTelemetry specification. - area: jwt_authn change: | Added @@ -278,3 +290,8 @@ deprecated: change: | deprecated runtime key ``overload.global_downstream_max_connections`` in favor of :ref:`downstream connections monitor `. +- area: tracing + change: | + deprecated :ref:`split_spans_for_request ` + in favor of :ref:`spawn_upstream_span + `. diff --git a/contrib/cryptomb/private_key_providers/test/BUILD b/contrib/cryptomb/private_key_providers/test/BUILD index 95bddf58d511..6b4c01fa3ec4 100644 --- a/contrib/cryptomb/private_key_providers/test/BUILD +++ b/contrib/cryptomb/private_key_providers/test/BUILD 
@@ -52,7 +52,7 @@ envoy_cc_test(
 deps = [
 ":test_fake_factory",
 "//source/common/common:random_generator_lib",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
 "//test/mocks/runtime:runtime_mocks",
 "//test/mocks/server:server_mocks",
 "//test/mocks/ssl:ssl_mocks",
@@ -75,7 +75,7 @@ envoy_cc_test(
 ],
 deps = [
 ":test_fake_factory",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
 "//test/mocks/stats:stats_mocks",
 "//test/test_common:environment_lib",
 "//test/test_common:simulated_time_system_lib",
diff --git a/contrib/cryptomb/private_key_providers/test/config_test.cc b/contrib/cryptomb/private_key_providers/test/config_test.cc
index 0ac6ce5ff3aa..1c0b5d18c48a 100644
--- a/contrib/cryptomb/private_key_providers/test/config_test.cc
+++ b/contrib/cryptomb/private_key_providers/test/config_test.cc
@@ -1,7 +1,7 @@
 #include
 #include "source/common/common/random_generator.h"
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
 #include "test/common/stats/stat_test_utility.h"
 #include "test/mocks/common.h"
diff --git a/contrib/cryptomb/private_key_providers/test/ops_test.cc b/contrib/cryptomb/private_key_providers/test/ops_test.cc
index f25e5fcfbe84..d5f35db774b3 100644
--- a/contrib/cryptomb/private_key_providers/test/ops_test.cc
+++ b/contrib/cryptomb/private_key_providers/test/ops_test.cc
@@ -3,7 +3,7 @@
 #include
 #include
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
 #include "test/common/stats/stat_test_utility.h"
 #include "test/test_common/environment.h"
diff --git a/contrib/golang/filters/http/test/test_data/buffer/go.mod b/contrib/golang/filters/http/test/test_data/buffer/go.mod
index 318833da2bfe..5fbd5576842b 100644
--- a/contrib/golang/filters/http/test/test_data/buffer/go.mod
+++ b/contrib/golang/filters/http/test/test_data/buffer/go.mod
@@ -4,7 +4,7 @@ go 1.20
 require (
 github.com/envoyproxy/envoy v1.24.0
- google.golang.org/protobuf v1.32.0
+ google.golang.org/protobuf v1.33.0
 )
 replace github.com/envoyproxy/envoy => ../../../../../../../
diff --git a/contrib/golang/filters/http/test/test_data/echo/go.mod b/contrib/golang/filters/http/test/test_data/echo/go.mod
index 9079af021fca..a6d5cd945e38 100644
--- a/contrib/golang/filters/http/test/test_data/echo/go.mod
+++ b/contrib/golang/filters/http/test/test_data/echo/go.mod
@@ -15,7 +15,7 @@ require (
 require (
 github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
 github.com/golang/protobuf v1.5.3 // indirect
- google.golang.org/protobuf v1.32.0
+ google.golang.org/protobuf v1.33.0
 )
 replace github.com/envoyproxy/envoy => ../../../../../../../
diff --git a/contrib/golang/filters/http/test/test_data/property/go.mod b/contrib/golang/filters/http/test/test_data/property/go.mod
index 55ee2207f6dc..e960af90623c 100644
--- a/contrib/golang/filters/http/test/test_data/property/go.mod
+++ b/contrib/golang/filters/http/test/test_data/property/go.mod
@@ -4,7 +4,7 @@ go 1.20
 require (
 github.com/envoyproxy/envoy v1.24.0
- google.golang.org/protobuf v1.32.0
+ google.golang.org/protobuf v1.33.0
 )
 replace github.com/envoyproxy/envoy => ../../../../../../../
diff --git a/contrib/golang/filters/http/test/test_data/routeconfig/go.mod b/contrib/golang/filters/http/test/test_data/routeconfig/go.mod
index 9af0f126d93b..d64e1cb6e97b 100644
--- a/contrib/golang/filters/http/test/test_data/routeconfig/go.mod
+++ b/contrib/golang/filters/http/test/test_data/routeconfig/go.mod
@@ -15,7 +15,7 @@ require (
 require (
 github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
 github.com/golang/protobuf v1.5.3 // indirect
- google.golang.org/protobuf v1.32.0
+ google.golang.org/protobuf v1.33.0
 )
 replace github.com/envoyproxy/envoy => ../../../../../../../
diff --git a/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod b/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod
index 5ec718d9cfc0..d43f5df99734 100644
--- a/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod
+++ b/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod
@@ -15,7 +15,7 @@ require (
 require (
 github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
 github.com/golang/protobuf v1.5.3 // indirect
- google.golang.org/protobuf v1.32.0
+ google.golang.org/protobuf v1.33.0
 )
 replace github.com/envoyproxy/envoy => ../../../../../../../
diff --git a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
index 901a9befdca7..fb47ccde35d0 100644
--- a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
+++ b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
@@ -1,7 +1,7 @@
 #include "source/common/network/connection_impl.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "source/extensions/filters/network/common/factory_base.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
 #include "test/integration/fake_upstream.h"
 #include "test/integration/integration.h"
diff --git a/contrib/qat/private_key_providers/test/BUILD b/contrib/qat/private_key_providers/test/BUILD
index 136f25c8f740..85a8d16ae19a 100644
--- a/contrib/qat/private_key_providers/test/BUILD
+++ b/contrib/qat/private_key_providers/test/BUILD
@@ -51,7 +51,7 @@ envoy_cc_test(
 deps = [
 ":test_fake_factory",
 "//source/common/common:random_generator_lib",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
 "//test/mocks/runtime:runtime_mocks",
 "//test/mocks/server:server_mocks",
 "//test/mocks/ssl:ssl_mocks",
@@ -72,7 +72,7 @@ envoy_cc_test(
 ],
 deps = [
 ":test_fake_factory",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
 "//test/mocks/server:server_mocks",
 "//test/test_common:environment_lib",
 "//test/test_common:simulated_time_system_lib",
diff --git a/contrib/qat/private_key_providers/test/config_test.cc b/contrib/qat/private_key_providers/test/config_test.cc
index 55542d230809..d6e2304d06cf 100644
--- a/contrib/qat/private_key_providers/test/config_test.cc
+++ b/contrib/qat/private_key_providers/test/config_test.cc
@@ -1,7 +1,7 @@
 #include
 #include "source/common/common/random_generator.h"
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
 #include "test/common/stats/stat_test_utility.h"
 #include "test/mocks/common.h"
diff --git a/contrib/qat/private_key_providers/test/ops_test.cc b/contrib/qat/private_key_providers/test/ops_test.cc
index 9ea47b1d172e..11cd9b35bbc2 100644
--- a/contrib/qat/private_key_providers/test/ops_test.cc
+++ b/contrib/qat/private_key_providers/test/ops_test.cc
@@ -3,7 +3,7 @@
 #include
 #include
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
 #include "test/common/stats/stat_test_utility.h"
 #include "test/mocks/server/transport_socket_factory_context.h"
diff --git a/docs/root/configuration/http/http_conn_man/route_matching.rst b/docs/root/configuration/http/http_conn_man/route_matching.rst index 9cd71e2b2bbb..29cb1d9d836e 100644 --- a/docs/root/configuration/http/http_conn_man/route_matching.rst +++ b/docs/root/configuration/http/http_conn_man/route_matching.rst @@ -7,8 +7,14 @@ When Envoy matches a route, it uses the following procedure: #. The HTTP request's *host* or *:authority* header is matched to a :ref:`virtual host `. -#. Each :ref:`route entry ` in the virtual host is checked, - *in order*. If there is a match, the route is used and no further route checks are made. +#. One of: + + - Each :ref:`route entry ` in the virtual host is + checked, *in order*. If there is a match, the route is used and no further route checks are made. + - The :ref:`matcher entry ` in the + virtual host is used to match a route. If there are many routes this will typically be more + efficient than the linear search of ``route``. + #. Independently, each :ref:`virtual cluster ` in the virtual host is checked, *in order*. If there is a match, the virtual cluster is used and no further virtual cluster checks are made. diff --git a/docs/root/intro/arch_overview/security/ssl.rst b/docs/root/intro/arch_overview/security/ssl.rst index 8538b163f984..79c0da9d22f9 100644 --- a/docs/root/intro/arch_overview/security/ssl.rst +++ b/docs/root/intro/arch_overview/security/ssl.rst @@ -97,8 +97,6 @@ See the reference for :ref:`UpstreamTlsContexts `. +.. _arch_overview_ssl_cert_select: + Certificate selection --------------------- diff --git a/envoy/network/BUILD b/envoy/network/BUILD index 3e7d51a07e90..230f7c065d58 100644 --- a/envoy/network/BUILD +++ b/envoy/network/BUILD 
@@ -58,6 +58,12 @@ envoy_cc_library(
 ],
 )
+envoy_cc_library(
+ name = "parent_drained_callback_registrar_interface",
+ hdrs = ["parent_drained_callback_registrar.h"],
+ deps = [":address_interface"],
+)
 envoy_cc_library(
 name = "udp_packet_writer_handler_interface",
 hdrs = ["udp_packet_writer_handler.h"],
diff --git a/envoy/network/parent_drained_callback_registrar.h b/envoy/network/parent_drained_callback_registrar.h
new file mode 100644
index 000000000000..d0ce7c9a191e
--- /dev/null
+++ b/envoy/network/parent_drained_callback_registrar.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#include "envoy/network/address.h"
+
+#include "absl/functional/any_invocable.h"
+
+namespace Envoy {
+namespace Network {
+
+/**
+ * An interface through which a UDP listen socket, especially a QUIC socket, can
+ * postpone reading during hot restart until the parent instance is drained.
+ */
+class ParentDrainedCallbackRegistrar {
+public:
+ /**
+ * @param address is the address of the listener.
+ * @param callback the function to call when the listener matching address is
+ * drained on the parent instance.
+ */
+ virtual void registerParentDrainedCallback(const Address::InstanceConstSharedPtr& address,
+ absl::AnyInvocable callback) PURE;
+
+protected:
+ virtual ~ParentDrainedCallbackRegistrar() = default;
+};
+
+} // namespace Network
+} // namespace Envoy
diff --git a/envoy/network/socket.h b/envoy/network/socket.h
index b83d0f213047..6091cf9fe922 100644
--- a/envoy/network/socket.h
+++ b/envoy/network/socket.h
@@ -542,6 +542,13 @@ class Socket {
 * @return the socket options stored earlier with addOption() and addOptions() calls, if any.
 */
 virtual const OptionsSharedPtr& options() const PURE;
+
+ /**
+ * @return a ParentDrainedCallbackRegistrar for UDP listen sockets during hot restart.
+ */
+ virtual OptRef parentDrainedCallbackRegistrar() const {
+ return absl::nullopt;
+ }
 };
 using SocketPtr = std::unique_ptr;
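Review bot: The contract of `registerParentDrainedCallback` in the new parent_drained_callback_registrar.h leaves out what a UDP/QUIC listener that stays paused on it needs to know: which thread invokes `callback`, whether it is invoked at most once, and what happens when the parent has no listener bound to `address` or terminates before draining it — in those last two cases a callback that never fires leaves the child listener paused indefinitely, which is an availability failure during hot restart. I would extend the `@param callback` doc along the lines of `@param callback invoked at most once, on <thread>, once the parent has drained the listener matching address; <behaviour when no parent listener matches, or the parent exits without draining>`, filled in with what the implementation actually guarantees. Since the callback will presumably capture the registering socket or listener, the doc (or a cancel method) should also state the lifetime relationship between registrant and registrar, otherwise a listener destroyed before the parent finishes draining leaves a dangling callback. The `parentDrainedCallbackRegistrar()` doc in the hot_restart.h hunk on the next line has the same gap: it says UDP listeners "should start paused" without naming the fallback when the parent never drains.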
diff --git a/envoy/server/hot_restart.h b/envoy/server/hot_restart.h
index a1ce1663cde4..8e201dd65e08 100644
--- a/envoy/server/hot_restart.h
+++ b/envoy/server/hot_restart.h
@@ -62,6 +62,17 @@ class HotRestart {
 virtual void registerUdpForwardingListener(Network::Address::InstanceConstSharedPtr address,
 std::shared_ptr listener_config) PURE;
+
+ /**
+ * @return An interface on which registerParentDrainedCallback can be called during
+ * creation of a listener, or nullopt if there is no parent instance.
+ *
+ * If this is set, any UDP listener should start paused and only begin listening
+ * when the parent instance is drained; this allows draining QUIC listeners to
+ * catch their own packets and forward unrecognized packets to the child instance.
+ */
+ virtual OptRef parentDrainedCallbackRegistrar() PURE;
+
 /**
 * Initialize the parent logic of our restarter. Meant to be called after initialization of a
 * new child has begun. The hot restart implementation needs to be created early to deal with
diff --git a/envoy/ssl/certificate_validation_context_config.h b/envoy/ssl/certificate_validation_context_config.h
index aa0214b77a81..c9488798eb29 100644
--- a/envoy/ssl/certificate_validation_context_config.h
+++ b/envoy/ssl/certificate_validation_context_config.h
@@ -19,7 +19,7 @@ namespace Ssl {
 //
 // When adding or changing this interface, it is likely that a change is needed to
 // `DefaultCertValidator::updateDigestForSessionId` in
-// `source/extensions/transport_sockets/tls/cert_validator/default_validator.cc`.
+// `source/common/tls/cert_validator/default_validator.cc`.
 class CertificateValidationContextConfig {
 public:
 virtual ~CertificateValidationContextConfig() = default;
diff --git a/envoy/ssl/context_manager.h b/envoy/ssl/context_manager.h
index 73ea031a7f2e..8c7fae3707b2 100644
--- a/envoy/ssl/context_manager.h
+++ b/envoy/ssl/context_manager.h
@@ -12,6 +12,12 @@ namespace Envoy {
 namespace Ssl {
+// Opaque type defined and used by the ``ServerContext``.
+struct TlsContext;
+
+using ContextAdditionalInitFunc =
+ std::function;
+
 /**
 * Manages all of the SSL contexts in the process
 */
@@ -30,7 +36,8 @@ class ContextManager {
 */
 virtual ServerContextSharedPtr createSslServerContext(Stats::Scope& scope,
 const ServerContextConfig& config,
- const std::vector& server_names) PURE;
+ const std::vector& server_names,
+ ContextAdditionalInitFunc additional_init) PURE;
 /**
 * @return the number of days until the next certificate being managed will expire, the value is
diff --git a/examples/ext_authz/auth/grpc-service/go.mod b/examples/ext_authz/auth/grpc-service/go.mod
index 3e4511aeab2c..54162c137866 100644
--- a/examples/ext_authz/auth/grpc-service/go.mod
+++ b/examples/ext_authz/auth/grpc-service/go.mod
@@ -6,5 +6,5 @@ require (
 github.com/envoyproxy/go-control-plane v0.12.0
 github.com/golang/protobuf v1.5.3
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80
- google.golang.org/grpc v1.62.0
+ google.golang.org/grpc v1.62.1
 )
diff --git a/examples/ext_authz/auth/grpc-service/go.sum b/examples/ext_authz/auth/grpc-service/go.sum
index 513e0ac97039..8e14cc4c532e 100644
--- a/examples/ext_authz/auth/grpc-service/go.sum
+++ b/examples/ext_authz/auth/grpc-service/go.sum
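Review bot: The new `additional_init` parameter of `createSslServerContext` is undocumented in the hunk, and the method's doc comment closes just above it (`*/` is the first context line), so neither callers nor implementers learn when the hook runs, which `TlsContext` it receives, or whether an empty `std::function` is allowed — invoking an empty `ContextAdditionalInitFunc` throws `std::bad_function_call`, so that point at least must be explicit. I would add to the method doc `@param additional_init hook invoked for each TlsContext created by the new ServerContext; may be empty, in which case implementations must skip it` adjusted to the real semantics, and repeat the thread/timing expectation on the `using ContextAdditionalInitFunc` alias. The hunk shows no default argument, so every ContextManager implementation and caller has to change in this commit; if that is intended a sentence on the alias saying so avoids the question, otherwise `ContextAdditionalInitFunc additional_init = nullptr` on the pure-virtual declaration keeps existing call sites compiling.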
@@ -2277,8 +2277,8 @@ google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSs google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= -google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= -google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= diff --git a/examples/golang-http/simple/go.mod b/examples/golang-http/simple/go.mod index de772564f44d..2958dc061b8f 100644 --- a/examples/golang-http/simple/go.mod +++ b/examples/golang-http/simple/go.mod @@ -7,7 +7,7 @@ go 1.20 require ( github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa github.com/envoyproxy/envoy v1.24.0 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) require ( diff --git a/examples/golang-http/simple/go.sum b/examples/golang-http/simple/go.sum index 1e61a638aab7..0478993703bf 100644 --- a/examples/golang-http/simple/go.sum +++ b/examples/golang-http/simple/go.sum 
@@ -14,5 +14,5 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1: google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= diff --git a/examples/golang-network/simple/go.mod b/examples/golang-network/simple/go.mod index 17886eea7c47..b21b9c4f61c5 100644 --- a/examples/golang-network/simple/go.mod +++ b/examples/golang-network/simple/go.mod @@ -7,7 +7,7 @@ go 1.18 require ( github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa github.com/envoyproxy/envoy v1.24.0 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) require ( diff --git a/examples/golang-network/simple/go.sum b/examples/golang-network/simple/go.sum index 1e61a638aab7..0478993703bf 100644 --- a/examples/golang-network/simple/go.sum +++ b/examples/golang-network/simple/go.sum 
@@ -14,5 +14,5 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1: google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= diff --git a/examples/grpc-bridge/server/go.mod b/examples/grpc-bridge/server/go.mod index 623db6c0619b..cfeda43c8779 100644 --- a/examples/grpc-bridge/server/go.mod +++ b/examples/grpc-bridge/server/go.mod @@ -4,6 +4,6 @@ go 1.13 require ( github.com/golang/protobuf v1.5.3 - golang.org/x/net v0.21.0 - google.golang.org/grpc v1.62.0 + golang.org/x/net v0.22.0 + google.golang.org/grpc v1.62.1 ) diff --git a/examples/grpc-bridge/server/go.sum b/examples/grpc-bridge/server/go.sum index 885828afce3c..c926048c9fe3 100644 --- a/examples/grpc-bridge/server/go.sum +++ b/examples/grpc-bridge/server/go.sum 
@@ -1538,6 +1538,7 @@ golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -1667,8 +1668,9 @@ golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1812,8 +1814,9 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -1833,6 +1836,7 @@ golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -2278,8 +2282,8 @@ google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSs google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= -google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= -google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= diff --git a/examples/load-reporting-service/go.mod b/examples/load-reporting-service/go.mod index fbfbccbb74e0..093bc5ab41e1 100644 --- a/examples/load-reporting-service/go.mod +++ b/examples/load-reporting-service/go.mod @@ -5,5 +5,5 @@ go 1.13 require ( github.com/envoyproxy/go-control-plane v0.12.0 github.com/golang/protobuf v1.5.3 - google.golang.org/grpc v1.62.0 + google.golang.org/grpc v1.62.1 ) diff --git a/examples/load-reporting-service/go.sum b/examples/load-reporting-service/go.sum index 513e0ac97039..8e14cc4c532e 100644 --- a/examples/load-reporting-service/go.sum +++ b/examples/load-reporting-service/go.sum 
@@ -2277,8 +2277,8 @@ google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSs google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= -google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= -google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= diff --git a/examples/opentelemetry/Dockerfile-opentelemetry b/examples/opentelemetry/Dockerfile-opentelemetry index e1ae65ffa24b..4bad91daec4d 100644 --- a/examples/opentelemetry/Dockerfile-opentelemetry +++ b/examples/opentelemetry/Dockerfile-opentelemetry @@ -1,7 +1,7 @@ FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as otelc_curl RUN apk --update add curl -FROM otel/opentelemetry-collector:latest@sha256:246dfe93f68e489a81f17b0335ca1c8e6f37bf69eb66aa9ba3375cc1743064b6 +FROM otel/opentelemetry-collector:latest@sha256:71ac13c2a9b875b953cf6b96af6f06897ba9be07f6f9c90b10d34865853e78d2 COPY --from=otelc_curl / / diff --git a/go.mod b/go.mod index aa129ca09c2a..5cf799dce8e4 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,6 @@ module github.com/envoyproxy/envoy go 1.20 -require google.golang.org/protobuf v1.32.0 +require google.golang.org/protobuf v1.33.0 require github.com/google/go-cmp v0.5.9 // indirect 
diff --git a/go.sum b/go.sum
index e2499aef30e4..6c0bbb169295 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,4 @@
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
diff --git a/mobile/envoy_build_config/BUILD b/mobile/envoy_build_config/BUILD
index 3c392fe389dc..b2da2c4b90b5 100644
--- a/mobile/envoy_build_config/BUILD
+++ b/mobile/envoy_build_config/BUILD
@@ -23,6 +23,7 @@ envoy_cc_library(
 "@envoy//source/common/http/matching:inputs_lib",
 "@envoy//source/common/network:socket_lib",
 "@envoy//source/common/router:upstream_codec_filter_lib",
+ "@envoy//source/common/tls/cert_validator:cert_validator_lib",
 "@envoy//source/common/upstream:default_local_address_selector_factory",
 "@envoy//source/common/watchdog:abort_action_config",
 "@envoy//source/extensions/clusters/dynamic_forward_proxy:cluster",
@@ -43,7 +44,6 @@ envoy_cc_library(
 "@envoy//source/extensions/transport_sockets/http_11_proxy:upstream_config",
 "@envoy//source/extensions/transport_sockets/raw_buffer:config",
 "@envoy//source/extensions/transport_sockets/tls:config",
- "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
 "@envoy//source/extensions/upstreams/http/generic:config",
 "@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
 "@envoy_mobile//library/common/extensions/filters/http/local_error:config",
diff --git a/mobile/envoy_build_config/extension_registry.cc b/mobile/envoy_build_config/extension_registry.cc
index a7d105e9766f..502ee8c04a1f 100644
--- a/mobile/envoy_build_config/extension_registry.cc
+++ b/mobile/envoy_build_config/extension_registry.cc
@@ -6,6 +6,7 @@
 #include "source/common/network/resolver_impl.h"
 #include "source/common/network/socket_interface_impl.h"
 #include "source/common/router/upstream_codec_filter.h"
+#include "source/common/tls/cert_validator/default_validator.h"
 #include "source/common/upstream/default_local_address_selector_factory.h"
 #include "source/common/watchdog/abort_action_config.h"
 #include "source/extensions/clusters/dynamic_forward_proxy/cluster.h"
@@ -28,7 +29,6 @@
 #include "source/extensions/request_id/uuid/config.h"
 #include "source/extensions/transport_sockets/http_11_proxy/config.h"
 #include "source/extensions/transport_sockets/raw_buffer/config.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
 #include "source/extensions/transport_sockets/tls/config.h"
 #include "source/extensions/upstreams/http/generic/config.h"
@@ -63,7 +63,7 @@
 #include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
 #include "source/extensions/config_subscription/grpc/grpc_subscription_factory.h"
 #include "source/extensions/config_subscription/grpc/new_grpc_mux_impl.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/default_validator.h"
 #endif
 namespace Envoy {
diff --git a/mobile/library/cc/engine_builder.cc b/mobile/library/cc/engine_builder.cc
index c3437d435584..8152ccef64a4 100644
--- a/mobile/library/cc/engine_builder.cc
+++ b/mobile/library/cc/engine_builder.cc
@@ -149,6 +149,11 @@ EngineBuilder& EngineBuilder::addLogLevel(LogLevel log_level) {
 return *this;
 }
+EngineBuilder& EngineBuilder::setLogger(envoy_logger envoy_logger) {
+ envoy_logger_.emplace(envoy_logger);
+ return *this;
+}
+
 EngineBuilder& EngineBuilder::setOnEngineRunning(std::function closure) {
 callbacks_->on_engine_running = std::move(closure);
 return *this;
@@ -894,8 +899,9 @@ EngineSharedPtr EngineBuilder::build() { envoy_event_tracker null_tracker{}; - Envoy::InternalEngine* envoy_engine = - new Envoy::InternalEngine(callbacks_->asEnvoyEngineCallbacks(), null_logger, null_tracker); + Envoy::InternalEngine* envoy_engine = new Envoy::InternalEngine( + callbacks_->asEnvoyEngineCallbacks(), + (envoy_logger_.has_value()) ? *envoy_logger_ : null_logger, null_tracker); for (const auto& [name, store] : key_value_stores_) { // TODO(goaway): This leaks, but it's tied to the life of the engine. @@ -923,14 +929,14 @@ EngineSharedPtr EngineBuilder::build() { Engine* engine = new Engine(envoy_engine); - auto options = std::make_unique(); + auto options = std::make_shared(); std::unique_ptr bootstrap = generateBootstrap(); if (bootstrap) { options->setConfigProto(std::move(bootstrap)); } ENVOY_BUG(options->setLogLevel(logLevelToString(log_level_)).ok(), "invalid log level"); options->setConcurrency(1); - envoy_engine->run(std::move(options)); + envoy_engine->run(options); // we can't construct via std::make_shared // because Engine is only constructible as a friend diff --git a/mobile/library/cc/engine_builder.h b/mobile/library/cc/engine_builder.h index 8a77b8d9ad5e..746d32f6f901 100644 --- a/mobile/library/cc/engine_builder.h +++ b/mobile/library/cc/engine_builder.h @@ -126,6 +126,7 @@ class EngineBuilder { virtual ~EngineBuilder() {} EngineBuilder& addLogLevel(LogLevel log_level); + EngineBuilder& setLogger(envoy_logger envoy_logger); EngineBuilder& setOnEngineRunning(std::function closure); EngineBuilder& addConnectTimeoutSeconds(int connect_timeout_seconds); EngineBuilder& addDnsRefreshSeconds(int dns_refresh_seconds); @@ -213,6 +214,7 @@ class EngineBuilder { }; LogLevel log_level_ = LogLevel::info; + absl::optional envoy_logger_; EngineCallbacksSharedPtr callbacks_; int connect_timeout_seconds_ = 30; diff --git a/mobile/library/common/BUILD b/mobile/library/common/BUILD index b955b2db2d36..f2c47473ceaa 100644 
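Review bot: The logger selection `(envoy_logger_.has_value()) ? *envoy_logger_ : null_logger` is the hand-written form of `absl::optional::value_or`; `envoy_logger_.value_or(null_logger)` says the same without a dereference to check. The switch from `std::make_unique` to `std::make_shared` for `options` is made at this call site without explanation, and the reason (the `std::function` handed to the thread factory must be copyable) is only stated in internal_engine.cc; a short comment here, `// shared_ptr: InternalEngine::run() captures the options in a copyable std::function`, would keep the two in sync. `EngineBuilder::build()` starts and ends outside this hunk.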
--- a/mobile/library/common/BUILD +++ b/mobile/library/common/BUILD @@ -35,6 +35,7 @@ envoy_cc_library( "//library/common/types:c_types_lib", "@envoy//envoy/server:lifecycle_notifier_interface", "@envoy//envoy/stats:stats_interface", + "@envoy//source/common/common:thread_impl_lib_posix", "@envoy//source/common/runtime:runtime_lib", "@envoy_build_config//:extension_registry", ], diff --git a/mobile/library/common/engine_common.cc b/mobile/library/common/engine_common.cc index a7f5fb3bcfec..7cfe535ae3ec 100644 --- a/mobile/library/common/engine_common.cc +++ b/mobile/library/common/engine_common.cc @@ -67,8 +67,7 @@ class ServerLite : public Server::InstanceBase { } }; -EngineCommon::EngineCommon(std::unique_ptr&& options) - : options_(std::move(options)) { +EngineCommon::EngineCommon(std::shared_ptr options) : options_(options) { #if !defined(ENVOY_ENABLE_FULL_PROTOS) registerMobileProtoDescriptors(); diff --git a/mobile/library/common/engine_common.h b/mobile/library/common/engine_common.h index f96722c63c69..a098ac59ce72 100644 --- a/mobile/library/common/engine_common.h +++ b/mobile/library/common/engine_common.h @@ -22,7 +22,7 @@ namespace Envoy { */ class EngineCommon { public: - EngineCommon(std::unique_ptr&& options); + EngineCommon(std::shared_ptr options); bool run() { base_->runServer(); return true; @@ -41,11 +41,11 @@ class EngineCommon { Envoy::SignalAction handle_sigs_; Envoy::TerminateHandler log_on_terminate_; #endif - std::unique_ptr options_; + std::shared_ptr options_; Event::RealTimeSystem real_time_system_; // NO_CHECK_FORMAT(real_time) DefaultListenerHooks default_listener_hooks_; ProdComponentFactory prod_component_factory_; - std::unique_ptr base_; + std::shared_ptr base_; }; } // namespace Envoy diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD b/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD index 2b19aeb203f2..79553a0b1963 100644 
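Review bot: `EngineCommon::EngineCommon(std::shared_ptr options) : options_(options)` takes the pointer by value and then copies it into the member, an extra atomic refcount increment and decrement per construction; the parameter is a sink, so write `: options_(std::move(options))`, as the removed `unique_ptr` version already did. In engine_common.h the same change also turns `base_` from `std::unique_ptr` into `std::shared_ptr`, but nothing in the diff shares that ownership; if it is only needed because of a copyable callback, a comment next to the member saying so would stop a later reader from reverting it or adding a second owner. The constructor body continues past the hunk.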
--- a/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD @@ -35,7 +35,10 @@ envoy_cc_library( ":c_types_lib", ":platform_bridge_cc_proto", "//library/common/system:system_helper_lib", - "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "@envoy//envoy/thread:thread_interface", + "@envoy//source/common/common:macros", + "@envoy//source/common/common:thread_impl_lib_posix", + "@envoy//source/common/tls/cert_validator:cert_validator_lib", ], ) diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/config.h b/mobile/library/common/extensions/cert_validator/platform_bridge/config.h index 87ac174c6af4..bc884fddc3ac 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/config.h +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/config.h @@ -2,7 +2,7 @@ #include "envoy/registry/registry.h" -#include "source/extensions/transport_sockets/tls/cert_validator/factory.h" +#include "source/common/tls/cert_validator/factory.h" #include "library/common/extensions/cert_validator/platform_bridge/platform_bridge.pb.h" #include "library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h" diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc index 602c0b1e4213..9860ee3cec49 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc @@ -2,7 +2,6 @@ #include #include -#include #include "library/common/data/utility.h" #include "library/common/system/system_helper.h" 
@@ -13,22 +12,27 @@ namespace TransportSockets { namespace Tls { PlatformBridgeCertValidator::PlatformBridgeCertValidator( - const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats) + const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + Thread::PosixThreadFactoryPtr thread_factory) : allow_untrusted_certificate_(config != nullptr && config->trustChainVerification() == envoy::extensions::transport_sockets::tls::v3:: CertificateValidationContext::ACCEPT_UNTRUSTED), - stats_(stats) { + stats_(stats), thread_factory_(std::move(thread_factory)) { ENVOY_BUG(config != nullptr && config->caCert().empty() && config->certificateRevocationList().empty(), "Invalid certificate validation context config."); } +PlatformBridgeCertValidator::PlatformBridgeCertValidator( + const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats) + : PlatformBridgeCertValidator(config, stats, Thread::PosixThreadFactory::create()) {} + PlatformBridgeCertValidator::~PlatformBridgeCertValidator() { // Wait for validation threads to finish. for (auto& [id, job] : validation_jobs_) { - if (job.validation_thread_.joinable()) { - job.validation_thread_.join(); + if (job.validation_thread_->joinable()) { + job.validation_thread_->join(); } } } 
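Review bot: `~PlatformBridgeCertValidator` now dereferences `job.validation_thread_` unconditionally; that is safe only because `doVerifyCertChain` returns before inserting a job whose thread creation failed, an invariant that lives in another function. A comment at the loop, `// validation_jobs_ only holds jobs whose thread was created; see doVerifyCertChain().`, or a defensive `if (job.validation_thread_ != nullptr && job.validation_thread_->joinable())`, would keep the destructor correct if that invariant ever moves.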
@@ -84,10 +88,19 @@ ValidationResults PlatformBridgeCertValidator::doVerifyCertChain( ValidationJob job; job.result_callback_ = std::move(callback); - job.validation_thread_ = - std::thread(&verifyCertChainByPlatform, &(job.result_callback_->dispatcher()), - std::move(certs), std::string(host), std::move(subject_alt_names), this); - std::thread::id thread_id = job.validation_thread_.get_id(); + Event::Dispatcher& dispatcher = job.result_callback_->dispatcher(); + job.validation_thread_ = thread_factory_->createThread( + [this, &dispatcher, certs = std::move(certs), host = std::string(host), + subject_alt_names = std::move(subject_alt_names)]() -> void { + verifyCertChainByPlatform(&dispatcher, certs, host, subject_alt_names, this); + }, + /* options= */ absl::nullopt, /* crash_on_failure=*/false); + if (job.validation_thread_ == nullptr) { + return {ValidationResults::ValidationStatus::Failed, + Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, + "Failed creating a thread for cert chain validation."}; + } + Thread::ThreadId thread_id = job.validation_thread_->pthreadId(); validation_jobs_[thread_id] = std::move(job); return {ValidationResults::ValidationStatus::Pending, Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt}; @@ -146,7 +159,7 @@ void PlatformBridgeCertValidator::postVerifyResultAndCleanUp(bool success, std:: dispatcher->post([weak_alive_indicator, success, hostname = std::move(hostname), error = std::string(error_details), tls_alert, failure_type, - thread_id = std::this_thread::get_id(), parent]() { + thread_id = parent->thread_factory_->currentPthreadId(), parent]() { if (weak_alive_indicator.expired()) { return; } 
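Review bot: The new thread-creation failure path in `doVerifyCertChain` returns `ValidationStatus::Failed` silently: no log line and no counter on `stats_`, so an operator seeing handshakes fail under thread exhaustion has nothing to correlate with. Add `ENVOY_LOG(error, "Failed creating a thread for cert chain validation of {}", host);` before the early return, and bump the validator's failure counter if `SslStats` has one for this case. Each validation still spawns one thread per handshake with no upper bound, so this return is the only back-pressure signal the process gets and should be observable. `doVerifyCertChain` starts before this hunk.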
@@ -154,9 +167,10 @@ void PlatformBridgeCertValidator::postVerifyResultAndCleanUp(bool success, std:: }); } -void PlatformBridgeCertValidator::onVerificationComplete(std::thread::id thread_id, - std::string hostname, bool success, - std::string error, uint8_t tls_alert, +void PlatformBridgeCertValidator::onVerificationComplete(const Thread::ThreadId& thread_id, + const std::string& hostname, bool success, + const std::string& error, + uint8_t tls_alert, ValidationFailureType failure_type) { ENVOY_LOG(trace, "Got validation result for {} from platform", hostname); @@ -166,7 +180,7 @@ void PlatformBridgeCertValidator::onVerificationComplete(std::thread::id thread_ return; } ValidationJob& job = job_handle.mapped(); - job.validation_thread_.join(); + job.validation_thread_->join(); Ssl::ClientValidationStatus detailed_status = Envoy::Ssl::ClientValidationStatus::NotValidated; switch (failure_type) { diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h index db190635e03e..39e114be795e 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h @@ -1,8 +1,9 @@ #pragma once -#include - -#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h" +#include "source/common/common/macros.h" +#include "source/common/common/posix/thread_impl.h" +#include "source/common/common/thread.h" +#include "source/common/tls/cert_validator/default_validator.h" #include "absl/container/flat_hash_map.h" #include "library/common/extensions/cert_validator/platform_bridge/c_types.h" 
@@ -55,6 +56,11 @@ class PlatformBridgeCertValidator : public CertValidator, Logger::Loggable validation_jobs_; + absl::flat_hash_map validation_jobs_; std::shared_ptr alive_indicator_{new size_t(1)}; + Thread::PosixThreadFactoryPtr thread_factory_; }; } // namespace Tls diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index cb0caf553c8f..9269ba676678 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -16,9 +16,10 @@ static std::atomic current_stream_handle_{0}; envoy_stream_t InternalEngine::initStream() { return current_stream_handle_++; } InternalEngine::InternalEngine(envoy_engine_callbacks callbacks, envoy_logger logger, - envoy_event_tracker event_tracker) - : callbacks_(callbacks), logger_(logger), event_tracker_(event_tracker), - dispatcher_(std::make_unique()) { + envoy_event_tracker event_tracker, + Thread::PosixThreadFactoryPtr thread_factory) + : thread_factory_(std::move(thread_factory)), callbacks_(callbacks), logger_(logger), + event_tracker_(event_tracker), dispatcher_(std::make_unique()) { ExtensionRegistry::registerFactories(); // TODO(Augustyniak): Capturing an address of event_tracker_ and registering it in the API 
@@ -32,12 +33,13 @@ InternalEngine::InternalEngine(envoy_engine_callbacks callbacks, envoy_logger lo Runtime::maybeSetRuntimeGuard("envoy.reloadable_features.dfp_mixed_scheme", true); } +InternalEngine::InternalEngine(envoy_engine_callbacks callbacks, envoy_logger logger, + envoy_event_tracker event_tracker) + : InternalEngine(callbacks, logger, event_tracker, Thread::PosixThreadFactory::create()) {} + envoy_status_t InternalEngine::run(const std::string& config, const std::string& log_level) { - // Start the Envoy on the dedicated thread. Note: due to how the assignment operator works with - // std::thread, main_thread_ is the same object after this call, but its state is replaced with - // that of the temporary. The temporary object's state becomes the default state, which does - // nothing. - auto options = std::make_unique(); + // Start the Envoy on the dedicated thread. + auto options = std::make_shared(); options->setConfigYaml(config); if (!log_level.empty()) { ENVOY_BUG(options->setLogLevel(log_level).ok(), "invalid log level"); 
@@ -46,12 +48,17 @@ envoy_status_t InternalEngine::run(const std::string& config, const std::string& return run(std::move(options)); } -envoy_status_t InternalEngine::run(std::unique_ptr&& options) { - main_thread_ = std::thread(&InternalEngine::main, this, std::move(options)); - return ENVOY_SUCCESS; +// This function takes a `std::shared_ptr` instead of `std::unique_ptr` because `std::function` is a +// copy-constructible type, so it's not possible to move capture `std::unique_ptr` with +// `std::function`. +envoy_status_t InternalEngine::run(std::shared_ptr options) { + main_thread_ = + thread_factory_->createThread([this, options]() mutable -> void { main(options); }, + /* options= */ absl::nullopt, /* crash_on_failure= */ false); + return (main_thread_ != nullptr) ? ENVOY_SUCCESS : ENVOY_FAILURE; } -envoy_status_t InternalEngine::main(std::unique_ptr&& options) { +envoy_status_t InternalEngine::main(std::shared_ptr options) { // Using unique_ptr ensures main_common's lifespan is strictly scoped to this function. std::unique_ptr main_common; { @@ -81,7 +88,7 @@ envoy_status_t InternalEngine::main(std::unique_ptr&& op std::make_unique(log_mutex_, Logger::Registry::getSink()); } - main_common = std::make_unique(std::move(options)); + main_common = std::make_unique(options); server_ = main_common->server(); event_dispatcher_ = &server_->dispatcher(); @@ -150,8 +157,12 @@ envoy_status_t InternalEngine::terminate() { IS_ENVOY_BUG("attempted to double terminate engine"); return ENVOY_FAILURE; } + // The Engine could not be created. + if (main_thread_ == nullptr) { + return ENVOY_FAILURE; + } // If main_thread_ has finished (or hasn't started), there's nothing more to do. - if (!main_thread_.joinable()) { + if (!main_thread_->joinable()) { return ENVOY_FAILURE; } 
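Review bot: In `InternalEngine::run(std::shared_ptr options)` the lambda is marked `mutable` but never modifies its captures — `main(options)` takes the pointer by value and copies it — so `[this, options]() -> void { main(options); }` is sufficient and stops suggesting the capture is mutated. Returning `ENVOY_FAILURE` when `createThread` yields nullptr is the right call, but nothing here records it; the caller of `run()` only sees a status code, so `ENVOY_LOG(error, "Failed to create the engine main thread");` before the return would make the condition visible in the engine log. `InternalEngine::main` and `terminate()` continue beyond this line's hunks.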
@@ -170,7 +181,7 @@ envoy_status_t InternalEngine::terminate() { dispatcher_->post([this]() { http_client_->shutdownApiListener(); }); // Exit the event loop and finish up in Engine::run(...) - if (std::this_thread::get_id() == main_thread_.get_id()) { + if (thread_factory_->currentPthreadId() == main_thread_->pthreadId()) { // TODO(goaway): figure out some way to support this. PANIC("Terminating the engine from its own main thread is currently unsupported."); } else { @@ -178,8 +189,8 @@ envoy_status_t InternalEngine::terminate() { } } // lock(_mutex) - if (std::this_thread::get_id() != main_thread_.get_id()) { - main_thread_.join(); + if (thread_factory_->currentPthreadId() != main_thread_->pthreadId()) { + main_thread_->join(); } terminated_ = true; return ENVOY_SUCCESS; @@ -265,7 +276,7 @@ void handlerStats(Stats::Store& stats, Buffer::Instance& response) { } std::string InternalEngine::dumpStats() { - if (!main_thread_.joinable()) { + if (!main_thread_->joinable()) { return ""; } diff --git a/mobile/library/common/internal_engine.h b/mobile/library/common/internal_engine.h index 0b45ae95bde1..3ac09ced5d07 100644 --- a/mobile/library/common/internal_engine.h +++ b/mobile/library/common/internal_engine.h @@ -4,6 +4,9 @@ #include "envoy/stats/store.h" #include "source/common/common/logger.h" +#include "source/common/common/macros.h" +#include "source/common/common/posix/thread_impl.h" +#include "source/common/common/thread.h" #include "absl/base/call_once.h" #include "extension_registry.h" @@ -37,7 +40,7 @@ class InternalEngine : public Logger::Loggable { * @param log_level, the log level. */ envoy_status_t run(const std::string& config, const std::string& log_level); - envoy_status_t run(std::unique_ptr&& options); + envoy_status_t run(std::shared_ptr options); /** * Immediately terminate the engine, if running. Calling this function when 
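Review bot: `dumpStats()` dereferences `main_thread_` before checking it, but `main_thread_` is now `nullptr` until `run()` is called and stays `nullptr` when thread creation fails — the two states the updated `terminate()` guards against explicitly two hunks earlier — so a `dumpStats()` call in either state is a null-pointer dereference where the old default-constructed `std::thread` just reported not joinable. Change the guard to `if (main_thread_ == nullptr || !main_thread_->joinable()) { return ""; }` so the function keeps its previous behavior of returning an empty string for an engine that never started. The rest of `dumpStats()` is outside the hunk.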
@@ -118,10 +121,16 @@ class InternalEngine : public Logger::Loggable { Stats::Store& getStatsStore(); private: - envoy_status_t main(std::unique_ptr&& options); + GTEST_FRIEND_CLASS(InternalEngineTest, ThreadCreationFailed); + + InternalEngine(envoy_engine_callbacks callbacks, envoy_logger logger, + envoy_event_tracker event_tracker, Thread::PosixThreadFactoryPtr thread_factory); + + envoy_status_t main(std::shared_ptr options); static void logInterfaces(absl::string_view event, std::vector& interfaces); + Thread::PosixThreadFactoryPtr thread_factory_; Event::Dispatcher* event_dispatcher_{}; Stats::ScopeSharedPtr client_scope_; Stats::StatNameSetPtr stat_name_set_; @@ -142,7 +151,7 @@ class InternalEngine : public Logger::Loggable { Server::ServerLifecycleNotifier::HandlePtr postinit_callback_handler_; // main_thread_ should be destroyed first, hence it is the last member variable. Objects with // instructions scheduled on the main_thread_ need to have a longer lifetime. - std::thread main_thread_{}; // Empty placeholder to be populated later. + Thread::PosixThreadPtr main_thread_{nullptr}; // Empty placeholder to be populated later. bool terminated_{false}; }; diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD index a0027ccd1777..d9151b35416e 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD @@ -30,6 +30,7 @@ android_library( java_library( name = "envoy_base_engine_lib", srcs = [ + "ByteBuffers.java", "EnvoyConfiguration.java", "EnvoyEngine.java", "EnvoyEngineImpl.java", diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/ByteBuffers.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/ByteBuffers.java new file mode 100644 index 000000000000..a514e4dfe07c --- /dev/null +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/ByteBuffers.java 
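Review bot: The comment on `Thread::PosixThreadPtr main_thread_{nullptr}` still says `Empty placeholder to be populated later`, but after this change nullptr also means that `createThread` failed in `run()`, and `terminate()` and `dumpStats()` both have to branch on it; say so, e.g. `// nullptr until run() succeeds; stays nullptr if the main thread could not be created.`. `GTEST_FRIEND_CLASS(InternalEngineTest, ThreadCreationFailed)` ties the production header to one test name, and the private constructor it unlocks exists only to inject a `PosixThreadFactoryPtr`; a one-line comment naming that purpose would help a reader who does not have the test open.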
@@ -0,0 +1,17 @@ +package io.envoyproxy.envoymobile.engine; + +import java.nio.ByteBuffer; + +public class ByteBuffers { + /** + * Copies the specified `ByteBuffer` into a new `ByteBuffer`. The `ByteBuffer` created will + * be backed by `byte[]`. + */ + public static ByteBuffer copy(ByteBuffer byteBuffer) { + byte[] bytes = new byte[byteBuffer.capacity()]; + byteBuffer.get(bytes); + return ByteBuffer.wrap(bytes); + } + + private ByteBuffers() {} +} diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java index e37972fd3bb8..ed793eb86b17 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java @@ -1,10 +1,6 @@ package io.envoyproxy.envoymobile.engine; import java.nio.ByteBuffer; -import java.util.concurrent.atomic.AtomicBoolean; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; import java.util.Map; import io.envoyproxy.envoymobile.engine.types.EnvoyHTTPCallbacks; 
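Review bot: `ByteBuffers.copy` dereferences `byteBuffer` unconditionally, but `onResumeRequest` and `onResumeResponse` in JvmFilterContext.java now call it where the old code had `data == null ? null : ByteBuffer.wrap(data)`, and `jvm_http_filter_on_resume` in jni_impl.cc still passes a null local reference when `data` is absent, so a resume callback without a body will throw a NullPointerException out of the JNI boundary. The helper also copies `capacity()` bytes starting at the source's current position and advances that position, which is only correct for a freshly created direct buffer (position 0, limit equal to capacity); a public utility should copy `[position, limit)` through a `duplicate()` so the source is left untouched. Returning null for a null input restores the previous contract for the optional-body callbacks without changing the three non-null call sites.
```java
  public static ByteBuffer copy(ByteBuffer byteBuffer) {
    if (byteBuffer == null) {
      return null;
    }
    // Copy [position, limit) through a duplicate so the source's position is left untouched.
    ByteBuffer source = byteBuffer.duplicate();
    byte[] bytes = new byte[source.remaining()];
    source.get(bytes);
    return ByteBuffer.wrap(bytes);
  }
```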
@@ -76,14 +72,15 @@ public Object onResponseTrailers(long trailerCount, long[] streamIntel) { * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object, not used for response callbacks. */ - public Object onResponseData(byte[] data, boolean endStream, long[] streamIntel) { + public Object onResponseData(ByteBuffer data, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); callbacks.getExecutor().execute(new Runnable() { public void run() { - ByteBuffer dataBuffer = ByteBuffer.wrap(data); - callbacks.onData(dataBuffer, endStream, new EnvoyStreamIntelImpl(streamIntel)); + callbacks.onData(copiedData, endStream, new EnvoyStreamIntelImpl(streamIntel)); } }); - return null; } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java index 4c1921ce26c1..162b5f53f67f 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java 
@@ -65,10 +65,12 @@ public Object onRequestHeaders(long headerCount, boolean endStream, long[] strea * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], pair of HTTP filter status and optional modified data. */ - public Object onRequestData(byte[] data, boolean endStream, long[] streamIntel) { - ByteBuffer dataBuffer = ByteBuffer.wrap(data); + public Object onRequestData(ByteBuffer data, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); return toJniFilterDataStatus( - filter.onRequestData(dataBuffer, endStream, new EnvoyStreamIntelImpl(streamIntel))); + filter.onRequestData(copiedData, endStream, new EnvoyStreamIntelImpl(streamIntel))); } /** @@ -108,10 +110,12 @@ public Object onResponseHeaders(long headerCount, boolean endStream, long[] stre * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], pair of HTTP filter status and optional modified data. */ - public Object onResponseData(byte[] data, boolean endStream, long[] streamIntel) { - ByteBuffer dataBuffer = ByteBuffer.wrap(data); + public Object onResponseData(ByteBuffer data, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); return toJniFilterDataStatus( - filter.onResponseData(dataBuffer, endStream, new EnvoyStreamIntelImpl(streamIntel))); + filter.onResponseData(copiedData, endStream, new EnvoyStreamIntelImpl(streamIntel))); } /** 
@@ -138,22 +142,24 @@ public Object onResponseTrailers(long trailerCount, long[] streamIntel) { * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], tuple of status with updated entities to be forwarded. */ - public Object onResumeRequest(long headerCount, byte[] data, long trailerCount, boolean endStream, - long[] streamIntel) { + public Object onResumeRequest(long headerCount, ByteBuffer data, long trailerCount, + boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); // Headers are optional in this call, and a negative length indicates omission. Map> headers = null; if (headerCount >= 0) { assert headerUtility.validateCount(headerCount); headers = headerUtility.retrieveHeaders(); } - ByteBuffer dataBuffer = data == null ? null : ByteBuffer.wrap(data); // Trailers are optional in this call, and a negative length indicates omission. Map> trailers = null; if (trailerCount >= 0) { assert trailerUtility.validateCount(trailerCount); trailers = trailerUtility.retrieveHeaders(); } - return toJniFilterResumeStatus(filter.onResumeRequest(headers, dataBuffer, trailers, endStream, + return toJniFilterResumeStatus(filter.onResumeRequest(headers, copiedData, trailers, endStream, new EnvoyStreamIntelImpl(streamIntel))); } 
@@ -167,22 +173,24 @@ public Object onResumeRequest(long headerCount, byte[] data, long trailerCount, * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], tuple of status with updated entities to be forwarded. */ - public Object onResumeResponse(long headerCount, byte[] data, long trailerCount, + public Object onResumeResponse(long headerCount, ByteBuffer data, long trailerCount, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); // Headers are optional in this call, and a negative length indicates omission. Map> headers = null; if (headerCount >= 0) { assert headerUtility.validateCount(headerCount); headers = headerUtility.retrieveHeaders(); } - ByteBuffer dataBuffer = data == null ? null : ByteBuffer.wrap(data); // Trailers are optional in this call, and a negative length indicates omission. Map> trailers = null; if (trailerCount >= 0) { assert trailerUtility.validateCount(trailerCount); trailers = trailerUtility.retrieveHeaders(); } - return toJniFilterResumeStatus(filter.onResumeResponse(headers, dataBuffer, trailers, endStream, + return toJniFilterResumeStatus(filter.onResumeResponse(headers, copiedData, trailers, endStream, new EnvoyStreamIntelImpl(streamIntel))); } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java index 17ba29d65171..06c05614cf8e 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java @@ -1,7 +1,6 @@ package io.envoyproxy.envoymobile.engine.types; import java.nio.ByteBuffer; -import java.util.concurrent.Executor; import java.util.List; import java.util.Map; 
diff --git a/mobile/library/jni/jni_helper.cc b/mobile/library/jni/jni_helper.cc index 44beb06fc9ca..53a145cb4969 100644 --- a/mobile/library/jni/jni_helper.cc +++ b/mobile/library/jni/jni_helper.cc @@ -189,6 +189,13 @@ void JniHelper::callStaticVoidMethod(jclass clazz, jmethodID method_id, ...) { rethrowException(); } +LocalRefUniquePtr JniHelper::newDirectByteBuffer(void* address, jlong capacity) { + LocalRefUniquePtr result(env_->NewDirectByteBuffer(address, capacity), + LocalRefDeleter(env_)); + rethrowException(); + return result; +} + jlong JniHelper::getDirectBufferCapacity(jobject buffer) { return env_->GetDirectBufferCapacity(buffer); } diff --git a/mobile/library/jni/jni_helper.h b/mobile/library/jni/jni_helper.h index 8b5f2e9e8f81..d27294a5cf12 100644 --- a/mobile/library/jni/jni_helper.h +++ b/mobile/library/jni/jni_helper.h @@ -369,6 +369,14 @@ class JniHelper { return result; } + /** + * Allocates and returns a direct `java.nio.ByteBuffer` referring to the block of memory starting + * at the memory address `address` and extending `capacity` bytes. + * + * https://docs.oracle.com/en/java/javase/17/docs/specs/jni/functions.html#newdirectbytebuffer + */ + LocalRefUniquePtr newDirectByteBuffer(void* address, jlong capacity); + /** * Returns the capacity of the memory region referenced by the given `java.nio.Buffer` object. * diff --git a/mobile/library/jni/jni_impl.cc b/mobile/library/jni/jni_impl.cc index 0e929f40246c..3146f9271002 100644 --- a/mobile/library/jni/jni_impl.cc +++ b/mobile/library/jni/jni_impl.cc 
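Review bot: `JniHelper::newDirectByteBuffer` relies on `rethrowException()` alone, but per the JNI specification `NewDirectByteBuffer` also returns NULL, without a pending exception, when the VM does not support direct-buffer access, and it requires a non-NULL `address`; in that case the null local reference flows into `jvm_on_data` as the `ByteBuffer` argument. Either document the nullable result on the header declaration, e.g. `@return a null reference if this VM does not support direct buffers`, or check `result` and report it, so the caller never hands a null buffer to Java.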
@@ -343,11 +343,11 @@ static Envoy::JNI::LocalRefUniquePtr jvm_on_data(const char* metho Envoy::JNI::LocalRefUniquePtr jcls_JvmCallbackContext = jni_helper.getObjectClass(j_context); - jmethodID jmid_onData = - jni_helper.getMethodId(jcls_JvmCallbackContext.get(), method, "([BZ[J)Ljava/lang/Object;"); + jmethodID jmid_onData = jni_helper.getMethodId(jcls_JvmCallbackContext.get(), method, + "(Ljava/nio/ByteBuffer;Z[J)Ljava/lang/Object;"); - Envoy::JNI::LocalRefUniquePtr j_data = - Envoy::JNI::envoyDataToJavaByteArray(jni_helper, data); + Envoy::JNI::LocalRefUniquePtr j_data = + Envoy::JNI::envoyDataToJavaByteBuffer(jni_helper, data); Envoy::JNI::LocalRefUniquePtr j_stream_intel = Envoy::JNI::envoyStreamIntelToJavaLongArray(jni_helper, stream_intel); Envoy::JNI::LocalRefUniquePtr result = jni_helper.callObjectMethod( @@ -605,10 +605,10 @@ jvm_http_filter_on_resume(const char* method, envoy_headers* headers, envoy_data headers_length = static_cast(headers->length); passHeaders("passHeader", *headers, j_context); } - Envoy::JNI::LocalRefUniquePtr j_in_data = Envoy::JNI::LocalRefUniquePtr( + Envoy::JNI::LocalRefUniquePtr j_in_data = Envoy::JNI::LocalRefUniquePtr( nullptr, Envoy::JNI::LocalRefDeleter(jni_helper.getEnv())); if (data) { - j_in_data = Envoy::JNI::envoyDataToJavaByteArray(jni_helper, *data); + j_in_data = Envoy::JNI::envoyDataToJavaByteBuffer(jni_helper, *data); } jlong trailers_length = -1; if (trailers) { 
@@ -620,8 +620,8 @@ jvm_http_filter_on_resume(const char* method, envoy_headers* headers, envoy_data Envoy::JNI::LocalRefUniquePtr jcls_JvmCallbackContext = jni_helper.getObjectClass(j_context); - jmethodID jmid_onResume = - jni_helper.getMethodId(jcls_JvmCallbackContext.get(), method, "(J[BJZ[J)Ljava/lang/Object;"); + jmethodID jmid_onResume = jni_helper.getMethodId( + jcls_JvmCallbackContext.get(), method, "(JLjava/nio/ByteBuffer;JZ[J)Ljava/lang/Object;"); // Note: be careful of JVM types. Before we casted to jlong we were getting integer problems. // TODO: make this cast safer. Envoy::JNI::LocalRefUniquePtr result = jni_helper.callObjectMethod( diff --git a/mobile/library/jni/jni_utility.cc b/mobile/library/jni/jni_utility.cc index 998a57b024c9..fa5f91049e08 100644 --- a/mobile/library/jni/jni_utility.cc +++ b/mobile/library/jni/jni_utility.cc @@ -79,6 +79,11 @@ LocalRefUniquePtr envoyDataToJavaByteArray(JniHelper& jni_helper, en return j_data; } +LocalRefUniquePtr envoyDataToJavaByteBuffer(JniHelper& jni_helper, envoy_data data) { + return jni_helper.newDirectByteBuffer( + const_cast(reinterpret_cast(data.bytes)), data.length); +} + LocalRefUniquePtr envoyStreamIntelToJavaLongArray(JniHelper& jni_helper, envoy_stream_intel stream_intel) { LocalRefUniquePtr j_array = jni_helper.newLongArray(4); @@ -151,10 +156,10 @@ envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data) { return native_data; } - return javaByteBufferToEnvoyData(jni_helper, j_data, static_cast(data_length)); + return javaByteBufferToEnvoyData(jni_helper, j_data, data_length); } -envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, size_t data_length) { +envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, jlong data_length) { // Returns nullptr if the buffer is not a direct buffer. uint8_t* direct_address = jni_helper.getDirectBufferAddress(j_data); 
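Review bot: `envoyDataToJavaByteBuffer` hands Java a direct buffer that aliases `data.bytes`, and the `const_cast` additionally makes that native memory writable from Java even though `envoy_data` exposes it as const; nothing on the C++ side enforces that the buffer is used only during the callback. The Java callbacks in this change copy it immediately, which is what makes the aliasing safe, but the helper should state the contract: `// The returned buffer aliases data.bytes (writable) and is valid only while data is alive; the Java side must copy it before the callback returns.` If `data.bytes` can be nullptr for an empty payload, guard that case as well, since the JNI function does not accept a NULL address. The second hunk widens `data_length` to the signed `jlong`; the part of `javaByteBufferToEnvoyData` that consumes it runs past the hunk, so please confirm a negative value (what `GetDirectBufferCapacity` returns for a non-direct buffer) cannot reach a `size_t` conversion or a copy.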
diff --git a/mobile/library/jni/jni_utility.h b/mobile/library/jni/jni_utility.h index e98233891929..01ba556fff91 100644 --- a/mobile/library/jni/jni_utility.h +++ b/mobile/library/jni/jni_utility.h @@ -57,6 +57,9 @@ envoy_data javaByteArrayToEnvoyData(JniHelper& jni_helper, jbyteArray j_data, si /** Converts from `envoy_data` to Java byte array. */ LocalRefUniquePtr envoyDataToJavaByteArray(JniHelper& jni_helper, envoy_data data); +/** Converts from `envoy_data to `java.nio.ByteBuffer`. */ +LocalRefUniquePtr envoyDataToJavaByteBuffer(JniHelper& jni_helper, envoy_data data); + /** Converts from `envoy_stream_intel` to Java long array. */ LocalRefUniquePtr envoyStreamIntelToJavaLongArray(JniHelper& jni_helper, envoy_stream_intel stream_intel); @@ -76,7 +79,7 @@ LocalRefUniquePtr envoyDataToJavaString(JniHelper& jni_helper, envoy_da envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data); /** Converts from Java `ByteBuffer` to `envoy_data` with the given length. */ -envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, size_t data_length); +envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, jlong data_length); /** Returns the pointer of conversion from Java `ByteBuffer` to `envoy_data`. */ envoy_data* javaByteBufferToEnvoyDataPtr(JniHelper& jni_helper, jobject j_data); diff --git a/mobile/test/common/BUILD b/mobile/test/common/BUILD index 91686f69ecef..d44bd610c643 100644 --- a/mobile/test/common/BUILD +++ b/mobile/test/common/BUILD @@ -32,6 +32,7 @@ envoy_cc_test( "//test/common/mocks/common:common_mocks", "//test/common/mocks/event:event_mocks", "@envoy//test/common/http:common_lib", + "@envoy//test/mocks/thread:thread_mocks", "@envoy_build_config//:test_extensions", ], ) diff --git a/mobile/test/common/engine_common_test.cc b/mobile/test/common/engine_common_test.cc index ffb511fa51a6..54a2d741ff53 100644 --- a/mobile/test/common/engine_common_test.cc +++ b/mobile/test/common/engine_common_test.cc 
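Review bot: The new doc comment on `envoyDataToJavaByteBuffer` is missing the closing backtick after `envoy_data`, and it omits the property that matters to callers: the result is a direct buffer aliasing `data.bytes`, not a copy like `envoyDataToJavaByteArray` directly above it. Suggest `/** Wraps envoy_data in a direct java.nio.ByteBuffer that aliases data.bytes; valid only while data is alive, so Java callers must copy it before retaining it. */`. The second hunk changes `data_length` to `jlong` without touching the comment `Converts from Java ByteBuffer to envoy_data with the given length`; a clause saying how a negative length is treated would document the new signed range.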
@@ -7,7 +7,7 @@ namespace Envoy {
 TEST(EngineCommonTest, SignalHandlingFalse) {
 ExtensionRegistry::registerFactories();
- auto options = std::make_unique();
+ auto options = std::make_shared();
 Platform::EngineBuilder builder;
 options->setConfigProto(builder.generateBootstrap());
diff --git a/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD b/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD
index 143630841677..1c743e436a73 100644
--- a/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD
+++ b/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD
@@ -12,19 +12,20 @@ envoy_extension_cc_test(
 name = "platform_bridge_cert_validator_test",
 srcs = ["platform_bridge_cert_validator_test.cc"],
 data = [
- "@envoy//test/extensions/transport_sockets/tls/test_data:certs",
+ "@envoy//test/common/tls/test_data:certs",
 ],
 extension_names = ["envoy_mobile.cert_validator.platform_bridge_cert_validator"],
 repository = "@envoy",
 deps = [
 "//library/common/extensions/cert_validator/platform_bridge:config",
 "//test/common/mocks/common:common_mocks",
- "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
- "@envoy//test/extensions/transport_sockets/tls:ssl_test_utils",
- "@envoy//test/extensions/transport_sockets/tls/cert_validator:test_common",
- "@envoy//test/extensions/transport_sockets/tls/test_data:cert_infos",
+ "@envoy//source/common/tls/cert_validator:cert_validator_lib",
+ "@envoy//test/common/tls:ssl_test_utils",
+ "@envoy//test/common/tls/cert_validator:test_common",
+ "@envoy//test/common/tls/test_data:cert_infos",
 "@envoy//test/mocks/event:event_mocks",
 "@envoy//test/mocks/ssl:ssl_mocks",
+ "@envoy//test/mocks/thread:thread_mocks",
 "@envoy//test/test_common:environment_lib",
 "@envoy//test/test_common:file_system_for_test_lib",
 "@envoy//test/test_common:test_runtime_lib",
diff --git a/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc b/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc index 76f7b46a6bf2..e5e4e6391641 100644 --- a/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc +++ b/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc @@ -2,20 +2,20 @@ #include #include "source/common/buffer/buffer_impl.h" -#include "source/common/crypto/crypto_impl.h" #include "source/common/crypto/utility.h" #include "source/common/network/transport_socket_options_impl.h" -#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h" -#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/cert_validator/default_validator.h" +#include "source/common/tls/cert_validator/san_matcher.h" +#include "source/common/tls/stats.h" #include "test/common/mocks/common/mocks.h" #include "test/common/stats/stat_test_utility.h" -#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h" -#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h" +#include "test/common/tls/cert_validator/test_common.h" +#include "test/common/tls/ssl_test_utility.h" +#include "test/common/tls/test_data/san_dns2_cert_info.h" #include "test/mocks/event/mocks.h" #include "test/mocks/ssl/mocks.h" +#include "test/mocks/thread/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" 
@@ -32,6 +32,7 @@ using SSLContextPtr = Envoy::CSmartPtr; using envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext; using testing::_; +using testing::ByMove; using testing::NiceMock; using testing::Return; using testing::ReturnRef; @@ -63,11 +64,12 @@ class PlatformBridgeCertValidatorTest : public testing::TestWithParam { protected: PlatformBridgeCertValidatorTest() - : api_(Api::createApiForTest()), dispatcher_(api_->allocateDispatcher("test_thread")), + : thread_factory_(Thread::PosixThreadFactory::create()), api_(Api::createApiForTest()), + dispatcher_(api_->allocateDispatcher("test_thread")), stats_(generateSslStats(*test_store_.rootScope())), ssl_ctx_(SSL_CTX_new(TLS_method())), callback_(std::make_unique()), is_server_(false), mock_validator_(std::make_unique()), - main_thread_id_(std::this_thread::get_id()), + main_thread_id_(thread_factory_->currentPthreadId()), helper_handle_(test::SystemHelperPeer::replaceSystemHelper()) { ON_CALL(helper_handle_->mock_helper(), validateCertificateChain(_, _)) .WillByDefault(WithArgs<0, 1>(Invoke(this, &PlatformBridgeCertValidatorTest::validate))); @@ -86,7 +88,7 @@ class PlatformBridgeCertValidatorTest ~PlatformBridgeCertValidatorTest() { mock_validator_.reset(); - main_thread_id_ = std::thread::id(); + main_thread_id_ = thread_factory_->currentPthreadId(); Envoy::Assert::resetEnvoyBugCountersForTest(); } @@ -104,7 +106,7 @@ class PlatformBridgeCertValidatorTest envoy_cert_validation_result validate(const std::vector& certs, absl::string_view hostname) { // Validate must be called on the worker thread, not the main thread. - EXPECT_NE(main_thread_id_, std::this_thread::get_id()); + EXPECT_NE(main_thread_id_, thread_factory_->currentPthreadId()); // Make sure the cert was converted correctly. const Buffer::InstancePtr buffer(new Buffer::OwnedImpl(certs[0])); 
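Review bot: In `~PlatformBridgeCertValidatorTest()` the new line `main_thread_id_ = thread_factory_->currentPthreadId();` stores the same value the constructor already put there (assuming, as gtest fixtures normally guarantee, that the fixture is constructed and destroyed on one thread), whereas the removed `main_thread_id_ = std::thread::id();` deliberately cleared the id so that no thread could match it after teardown. If `Thread::ThreadId` has a default "no thread" state, assign that instead; otherwise delete the line and leave a comment explaining why the id is left as set by the constructor. The class whose constructor and destructor these hunks touch is defined across several hunks, so its full member list is not visible here.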
@@ -115,10 +117,11 @@ class PlatformBridgeCertValidatorTest void cleanup() { // Validate must be called on the worker thread, not the main thread. - EXPECT_NE(main_thread_id_, std::this_thread::get_id()); + EXPECT_NE(main_thread_id_, thread_factory_->currentPthreadId()); mock_validator_->cleanup(); } + Thread::PosixThreadFactoryPtr thread_factory_; Api::ApiPtr api_; Event::DispatcherPtr dispatcher_; Stats::TestUtil::TestStore test_store_; @@ -131,7 +134,7 @@ class PlatformBridgeCertValidatorTest std::unique_ptr callback_; bool is_server_; std::unique_ptr mock_validator_; - std::thread::id main_thread_id_; + Thread::ThreadId main_thread_id_; std::unique_ptr helper_handle_; }; @@ -168,8 +171,8 @@ TEST_P(PlatformBridgeCertValidatorTest, NoCallback) { initializeConfig(); PlatformBridgeCertValidator validator(&config_, stats_); - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); std::string hostname = "www.example.com"; EXPECT_ENVOY_BUG( @@ -206,8 +209,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificate) { PlatformBridgeCertValidator validator(&config_, stats_); std::string hostname = "server1.example.com"; - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL}; EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result)); EXPECT_CALL(*mock_validator_, cleanup()); 
@@ -222,7 +225,7 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificate) { EXPECT_CALL(callback_ref, onCertValidationResult(true, Envoy::Ssl::ClientValidationStatus::Validated, "", 46)) .WillOnce(Invoke([this]() { - EXPECT_EQ(main_thread_id_, std::this_thread::get_id()); + EXPECT_EQ(main_thread_id_, thread_factory_->currentPthreadId()); dispatcher_->exit(); })); EXPECT_FALSE(waitForDispatcherToExit()); @@ -236,8 +239,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptySanOverrides) { PlatformBridgeCertValidator validator(&config_, stats_); std::string hostname = "server1.example.com"; - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL}; EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result)); EXPECT_CALL(*mock_validator_, cleanup()); @@ -257,7 +260,7 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptySanOverrides) { EXPECT_CALL(callback_ref, onCertValidationResult(true, Envoy::Ssl::ClientValidationStatus::Validated, "", 46)) .WillOnce(Invoke([this]() { - EXPECT_EQ(main_thread_id_, std::this_thread::get_id()); + EXPECT_EQ(main_thread_id_, thread_factory_->currentPthreadId()); dispatcher_->exit(); })); EXPECT_FALSE(waitForDispatcherToExit()); 
@@ -271,8 +274,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptyHostNoOverrides) { PlatformBridgeCertValidator validator(&config_, stats_); std::string hostname = ""; - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL}; EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result)); EXPECT_CALL(*mock_validator_, cleanup()); @@ -292,7 +295,7 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptyHostNoOverrides) { EXPECT_CALL(callback_ref, onCertValidationResult(true, Envoy::Ssl::ClientValidationStatus::Validated, "", 46)) .WillOnce(Invoke([this]() { - EXPECT_EQ(main_thread_id_, std::this_thread::get_id()); + EXPECT_EQ(main_thread_id_, thread_factory_->currentPthreadId()); dispatcher_->exit(); })); EXPECT_FALSE(waitForDispatcherToExit()); @@ -306,8 +309,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateButInvalidSni) { PlatformBridgeCertValidator validator(&config_, stats_); std::string hostname = "server2.example.com"; - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL}; EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result)); EXPECT_CALL(*mock_validator_, cleanup()); 
@@ -338,8 +341,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateSniOverride) { std::vector subject_alt_names = {"server1.example.com"}; std::string hostname = "server2.example.com"; - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL}; EXPECT_CALL(*mock_validator_, validate(_, StrEq(subject_alt_names[0].c_str()))) .WillOnce(Return(result)); @@ -369,8 +372,8 @@ TEST_P(PlatformBridgeCertValidatorTest, DeletedWithValidationPending) { auto validator = std::make_unique(&config_, stats_); std::string hostname = "server1.example.com"; - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL}; EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result)); EXPECT_CALL(*mock_validator_, cleanup()); 
@@ -389,6 +392,26 @@ TEST_P(PlatformBridgeCertValidatorTest, DeletedWithValidationPending) { EXPECT_TRUE(waitForDispatcherToExit()); } +TEST_P(PlatformBridgeCertValidatorTest, ThreadCreationFailed) { + initializeConfig(); + auto thread_factory = std::make_unique(); + EXPECT_CALL(*thread_factory, createThread(_, _, false)).WillOnce(Return(ByMove(nullptr))); + PlatformBridgeCertValidator validator(&config_, stats_, std::move(thread_factory)); + + std::string hostname = "server1.example.com"; + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); + auto& callback_ref = *callback_; + EXPECT_CALL(callback_ref, dispatcher()).WillRepeatedly(ReturnRef(*dispatcher_)); + + ValidationResults results = + validator.doVerifyCertChain(*cert_chain, std::move(callback_), transport_socket_options_, + *ssl_ctx_, validation_context_, is_server_, hostname); + EXPECT_EQ(ValidationResults::ValidationStatus::Failed, results.status); + EXPECT_EQ(Ssl::ClientValidationStatus::NotValidated, results.detailed_status); + EXPECT_EQ("Failed creating a thread for cert chain validation.", *results.error_details); +} + } // namespace Tls } // namespace TransportSockets } // namespace Extensions diff --git a/mobile/test/common/integration/BUILD b/mobile/test/common/integration/BUILD index eb8f61380637..a60cc0281793 100644 --- a/mobile/test/common/integration/BUILD +++ b/mobile/test/common/integration/BUILD 
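Review bot: `EXPECT_EQ("Failed creating a thread for cert chain validation.", *results.error_details);` dereferences `results.error_details` without checking that it is set, so a regression that leaves it empty would crash the test on the dereference rather than report a failure; add `ASSERT_TRUE(results.error_details.has_value());` immediately before it. Since no worker thread was created on this path, it would also be worth pinning that `mock_validator_` receives no `cleanup()` call with `EXPECT_CALL(*mock_validator_, cleanup()).Times(0);`, though whether the implementation guarantees that is not visible in this diff.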
@@ -112,9 +112,9 @@ envoy_cc_test( deps = [ ":xds_integration_test_lib", "@envoy//source/common/config:protobuf_link_hacks", + "@envoy//source/common/tls:context_config_lib", + "@envoy//source/common/tls:context_lib", "@envoy//source/extensions/transport_sockets/tls:config", - "@envoy//source/extensions/transport_sockets/tls:context_config_lib", - "@envoy//source/extensions/transport_sockets/tls:context_lib", "@envoy//test/test_common:environment_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", @@ -207,10 +207,10 @@ envoy_cc_test_library( deps = [ ":base_client_integration_test_lib", "@envoy//source/common/event:libevent_lib", + "@envoy//source/common/tls:context_config_lib", + "@envoy//source/common/tls:context_lib", + "@envoy//source/common/tls:ssl_socket_lib", "@envoy//source/exe:process_wide_lib", - "@envoy//source/extensions/transport_sockets/tls:context_config_lib", - "@envoy//source/extensions/transport_sockets/tls:context_lib", - "@envoy//source/extensions/transport_sockets/tls:ssl_socket_lib", "@envoy//test/integration:autonomous_upstream_lib", "@envoy//test/integration:utility_lib", "@envoy//test/mocks/server:transport_socket_factory_context_mocks", diff --git a/mobile/test/common/integration/client_integration_test.cc b/mobile/test/common/integration/client_integration_test.cc index a9761afeb3c5..10fc01d4c0be 100644 --- a/mobile/test/common/integration/client_integration_test.cc +++ b/mobile/test/common/integration/client_integration_test.cc 
@@ -1,10 +1,10 @@ #include "source/common/quic/quic_server_transport_socket_factory.h" #include "source/common/quic/server_codec_impl.h" +#include "source/common/tls/cert_validator/default_validator.h" #include "source/extensions/http/header_formatters/preserve_case/preserve_case_formatter.h" #include "source/extensions/quic/connection_id_generator/envoy_deterministic_connection_id_generator_config.h" #include "source/extensions/quic/crypto_stream/envoy_quic_crypto_server_stream.h" #include "source/extensions/quic/proof_source/envoy_quic_proof_source_factory_impl.h" -#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h" #include "source/extensions/udp_packet_writer/default/config.h" #include "test/common/integration/base_client_integration_test.h" diff --git a/mobile/test/common/integration/test_server.cc b/mobile/test/common/integration/test_server.cc index 4fda9549737b..9e43cc605fcd 100644 --- a/mobile/test/common/integration/test_server.cc +++ b/mobile/test/common/integration/test_server.cc @@ -8,11 +8,11 @@ #include "source/common/stats/allocator_impl.h" #include "source/common/stats/thread_local_store.h" #include "source/common/thread_local/thread_local_impl.h" +#include "source/common/tls/context_config_impl.h" #include "source/extensions/quic/connection_id_generator/envoy_deterministic_connection_id_generator_config.h" #include "source/extensions/quic/crypto_stream/envoy_quic_crypto_server_stream.h" #include "source/extensions/quic/proof_source/envoy_quic_proof_source_factory_impl.h" #include "source/extensions/transport_sockets/raw_buffer/config.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" #include "source/extensions/udp_packet_writer/default/config.h" #include "source/server/hot_restart_nop_impl.h" #include "source/server/instance_impl.h" diff --git a/mobile/test/common/integration/test_server.h b/mobile/test/common/integration/test_server.h index 59cfa6bfc5df..dc3e7786e87e 100644 
--- a/mobile/test/common/integration/test_server.h +++ b/mobile/test/common/integration/test_server.h @@ -1,6 +1,6 @@ #pragma once -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/ssl_socket.h" // test_runner setups #include "source/exe/process_wide.h" diff --git a/mobile/test/common/integration/xds_test_server.cc b/mobile/test/common/integration/xds_test_server.cc index bec30c48c698..7cd7eed24829 100644 --- a/mobile/test/common/integration/xds_test_server.cc +++ b/mobile/test/common/integration/xds_test_server.cc @@ -5,12 +5,12 @@ #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "source/common/event/libevent.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/extensions/config_subscription/grpc/grpc_collection_subscription_factory.h" #include "source/extensions/config_subscription/grpc/grpc_mux_impl.h" #include "source/extensions/config_subscription/grpc/grpc_subscription_factory.h" #include "source/extensions/config_subscription/grpc/new_grpc_mux_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "test/integration/fake_upstream.h" #include "test/test_common/environment.h" diff --git a/mobile/test/common/integration/xds_test_server.h b/mobile/test/common/integration/xds_test_server.h index 95e5e4dbeed1..de2fa1252721 100644 --- a/mobile/test/common/integration/xds_test_server.h +++ b/mobile/test/common/integration/xds_test_server.h @@ -3,7 +3,7 @@ #include "envoy/api/api.h" #include "source/common/stats/isolated_store_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/integration/fake_upstream.h" #include "test/integration/server.h" 
diff --git a/mobile/test/common/internal_engine_test.cc b/mobile/test/common/internal_engine_test.cc index c31f8ffc72ae..93fc7b440a98 100644 --- a/mobile/test/common/internal_engine_test.cc +++ b/mobile/test/common/internal_engine_test.cc @@ -1,7 +1,10 @@ +#include + #include "source/common/common/assert.h" #include "test/common/http/common.h" #include "test/common/mocks/common/mocks.h" +#include "test/mocks/thread/mocks.h" #include "absl/synchronization/notification.h" #include "gtest/gtest.h" @@ -15,6 +18,7 @@ namespace Envoy { using testing::_; +using testing::ByMove; using testing::HasSubstr; using testing::Return; using testing::ReturnRef; @@ -112,8 +116,6 @@ struct EngineTestContext { // between the main thread and the engine thread both writing to the // Envoy::Logger::current_log_context global. struct TestEngine { - std::unique_ptr engine_; - envoy_engine_t handle() const { return reinterpret_cast(engine_.get()); } TestEngine(envoy_engine_callbacks callbacks, const std::string& level) { engine_.reset(new Envoy::InternalEngine(callbacks, {}, {})); Platform::EngineBuilder builder; @@ -122,14 +124,13 @@ struct TestEngine { engine_->run(yaml, level); } + envoy_engine_t handle() const { return reinterpret_cast(engine_.get()); } + envoy_status_t terminate() const { return engine_->terminate(); } + [[nodiscard]] bool isTerminated() const { return engine_->isTerminated(); } - ~TestEngine() { - if (!engine_->isTerminated()) { - engine_->terminate(); - } - } + std::unique_ptr engine_; }; // Transform C map to C++ map. 
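Review bot: The removed `~TestEngine()` was the only thing that guaranteed `engine_->terminate()` ran when a test let the wrapper go out of scope; the new `handle()`, `terminate()` and `isTerminated()` members make termination the caller's responsibility. Unless every test in this file already calls `terminate()` on every path — not verifiable from this hunk — `engine_` can now be destroyed while the engine is still running. Keeping `~TestEngine() { if (!engine_->isTerminated()) { engine_->terminate(); } }` next to the new accessors costs nothing and preserves the safety net. This hunk starts inside the `TestEngine` constructor, whose beginning is in the previous hunk.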
@@ -600,4 +601,89 @@ TEST_F(InternalEngineTest, ResetConnectivityState) { ASSERT_TRUE(test_context.on_exit.WaitForNotificationWithTimeout(absl::Seconds(3))); } +TEST_F(InternalEngineTest, SetLogger) { + std::atomic logging_was_called{false}; + envoy_logger logger; + logger.log = [](envoy_log_level, envoy_data data, const void* context) { + std::atomic* logging_was_called = + const_cast*>(static_cast*>(context)); + *logging_was_called = true; + release_envoy_data(data); + }; + logger.release = envoy_noop_const_release; + logger.context = &logging_was_called; + + absl::Notification engine_running; + Platform::EngineBuilder engine_builder; + Platform::EngineSharedPtr engine = + engine_builder.addLogLevel(Platform::LogLevel::debug) + .setLogger(logger) + .setOnEngineRunning([&] { engine_running.Notify(); }) + .addNativeFilter( + "test_remote_response", + "{'@type': " + "type.googleapis.com/" + "envoymobile.extensions.filters.http.test_remote_response.TestRemoteResponse}") + .build(); + engine_running.WaitForNotification(); + + int actual_status_code = 0; + bool actual_end_stream = false; + absl::Notification stream_complete; + auto stream_prototype = engine->streamClient()->newStreamPrototype(); + auto stream = (*stream_prototype) + .setOnHeaders([&](Platform::ResponseHeadersSharedPtr headers, bool end_stream, + envoy_stream_intel) { + actual_status_code = headers->httpStatus(); + actual_end_stream = end_stream; + }) + .setOnData([&](envoy_data data, bool end_stream) { + actual_end_stream = end_stream; + release_envoy_data(data); + }) + .setOnComplete([&](envoy_stream_intel, envoy_final_stream_intel) { + stream_complete.Notify(); + }) + .setOnError([&](Platform::EnvoyErrorSharedPtr, envoy_stream_intel, + envoy_final_stream_intel) { stream_complete.Notify(); }) + .setOnCancel([&](envoy_stream_intel, envoy_final_stream_intel) { + stream_complete.Notify(); + }) + .start(); + + auto request_headers = + Platform::RequestHeadersBuilder(Platform::RequestMethod::GET, "https", 
"example.com", "/") + .build(); + stream->sendHeaders(std::make_shared(request_headers), true); + stream_complete.WaitForNotification(); + + EXPECT_EQ(actual_status_code, 200); + EXPECT_EQ(actual_end_stream, true); + EXPECT_TRUE(logging_was_called.load()); + EXPECT_EQ(engine->terminate(), ENVOY_SUCCESS); +} + +TEST_F(InternalEngineTest, ThreadCreationFailed) { + const std::string level = "debug"; + EngineTestContext engine_cbs_context{}; + envoy_engine_callbacks engine_cbs{[](void* context) -> void { + auto* engine_running = + static_cast(context); + engine_running->on_engine_running.Notify(); + } /*on_engine_running*/, + [](void* context) -> void { + auto* exit = static_cast(context); + exit->on_exit.Notify(); + } /*on_exit*/, + &engine_cbs_context /*context*/}; + auto thread_factory = std::make_unique(); + EXPECT_CALL(*thread_factory, createThread(_, _, false)).WillOnce(Return(ByMove(nullptr))); + std::unique_ptr engine( + new Envoy::InternalEngine(engine_cbs, {}, {}, std::move(thread_factory))); + envoy_status_t status = engine->run(BUFFERED_TEST_CONFIG, level); + EXPECT_EQ(status, ENVOY_FAILURE); + // Calling `terminate()` should not crash. + EXPECT_EQ(engine->terminate(), ENVOY_FAILURE); +} + } // namespace Envoy diff --git a/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD b/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD index 2228e7fe9a75..7aebe085cebf 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD +++ b/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD 
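Review bot: `SetLogger` blocks on `engine_running.WaitForNotification()` and `stream_complete.WaitForNotification()` with no timeout, while the surrounding file uses the bounded form (see the context line `ASSERT_TRUE(test_context.on_exit.WaitForNotificationWithTimeout(absl::Seconds(3)));` at the top of this hunk), so a regression that never completes the stream hangs the whole test binary instead of failing this one test. Prefer `ASSERT_TRUE(stream_complete.WaitForNotificationWithTimeout(absl::Seconds(3)));` and the same for `engine_running`, or `EXPECT_TRUE` if the trailing `engine->terminate()` must still run on failure. In `ThreadCreationFailed` the `on_engine_running`/`on_exit` callbacks are wired up but never checked; if a failed `run()` is expected not to fire `on_engine_running`, `EXPECT_FALSE(engine_cbs_context.on_engine_running.HasBeenNotified());` would pin that.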
@@ -67,3 +67,23 @@ envoy_mobile_android_test( "//test/kotlin/io/envoyproxy/envoymobile/mocks:mocks_lib", ], ) + +envoy_mobile_android_test( + name = "byte_buffers_test", + srcs = [ + "ByteBuffersTest.java", + ], + associates = ["//library/kotlin/io/envoyproxy/envoymobile:envoy_interfaces_lib"], + native_deps = [ + "//test/jni:libenvoy_jni_with_test_extensions.so", + ] + select({ + "@platforms//os:macos": [ + "//test/jni:libenvoy_jni_with_test_extensions_jnilib", + ], + "//conditions:default": [], + }), + native_lib_name = "envoy_jni_with_test_extensions", + deps = [ + "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", + ], +) diff --git a/mobile/test/java/io/envoyproxy/envoymobile/engine/ByteBuffersTest.java b/mobile/test/java/io/envoyproxy/envoymobile/engine/ByteBuffersTest.java new file mode 100644 index 000000000000..8fc4d416ca73 --- /dev/null +++ b/mobile/test/java/io/envoyproxy/envoymobile/engine/ByteBuffersTest.java @@ -0,0 +1,26 @@ +package io.envoyproxy.envoymobile.engine; + +import static com.google.common.truth.Truth.assertThat; + +import androidx.test.ext.junit.runners.AndroidJUnit4; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import java.nio.ByteBuffer; + +@RunWith(AndroidJUnit4.class) +public class ByteBuffersTest { + @Test + public void testCopy() { + ByteBuffer source = ByteBuffer.allocateDirect(3); + source.put((byte)1); + source.put((byte)2); + source.put((byte)3); + source.flip(); + + ByteBuffer dest = ByteBuffers.copy(source); + source.flip(); + assertThat(dest).isEqualTo(source); + } +} diff --git a/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java b/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java index be94a93f526b..c3cc7c61cbe6 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java +++ b/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java 
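Review bot: `testCopy` only checks content equality with `assertThat(dest).isEqualTo(source);`, which a `copy` that returned `source` itself or a view over its memory would satisfy just as well; add `assertThat(dest).isNotSameInstanceAs(source);` and, if the copy is meant to be independent, modify `source` after the copy and re-check `dest`. The `source.flip()` after the copy also bakes in the assumption that `ByteBuffers.copy` advances the source position to its limit — if it does not, `flip()` sets the limit to 0 and the comparison fails for the wrong reason — whereas `source.rewind()` compares the same three bytes without depending on that.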
@@ -7,6 +7,9 @@ import org.junit.runner.RunWith; import org.robolectric.RobolectricTestRunner; +import java.nio.ByteBuffer; +import java.nio.ByteOrder; + @RunWith(RobolectricTestRunner.class) public class JniHelperTest { public JniHelperTest() { System.loadLibrary("envoy_jni_helper_test"); } @@ -84,6 +87,7 @@ public static native boolean callStaticBooleanMethod(Class clazz, String name String signature); public static native void callStaticVoidMethod(Class clazz, String name, String signature); public static native Object callStaticObjectMethod(Class clazz, String name, String signature); + public static native Object newDirectByteBuffer(); //================================================================================ // Object methods used for CallMethod tests. @@ -424,4 +428,13 @@ public void testCallStaticObjectMethod() { callStaticObjectMethod(JniHelperTest.class, "staticObjectMethod", "()Ljava/lang/String;")) .isEqualTo("Hello"); } + + @Test + public void testNewDirectByteBuffer() { + ByteBuffer byteBuffer = ((ByteBuffer)newDirectByteBuffer()).order(ByteOrder.LITTLE_ENDIAN); + assertThat(byteBuffer.capacity()).isEqualTo(3); + assertThat(byteBuffer.get(0)).isEqualTo(1); + assertThat(byteBuffer.get(1)).isEqualTo(2); + assertThat(byteBuffer.get(2)).isEqualTo(3); + } } diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java b/mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java new file mode 100644 index 000000000000..e4d214140a6f --- /dev/null +++ b/mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java @@ -0,0 +1,7 @@ +package io.envoyproxy.envoymobile.utilities; + +import org.junit.runner.RunWith; +import org.robolectric.RobolectricTestRunner; + +@RunWith(RobolectricTestRunner.class) +public class ByteBuffersTest {} diff --git a/mobile/test/jni/jni_helper_test.cc b/mobile/test/jni/jni_helper_test.cc index 2d76984b3d03..d0e66a0c7fb5 100644 --- a/mobile/test/jni/jni_helper_test.cc 
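Review bot: In `testNewDirectByteBuffer` the `.order(ByteOrder.LITTLE_ENDIAN)` call has no effect on the single-byte `get(int)` reads that follow — byte order only matters for multi-byte accessors — and it suggests the native side writes little-endian words when the C++ side fills three individual bytes. Drop the call and the `java.nio.ByteOrder` import added in the first hunk, so the test reads as what it checks: capacity and the three byte values.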
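Review bot: The new `mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java` declares `public class ByteBuffersTest {}` under `@RunWith(RobolectricTestRunner.class)` with no `@Test` methods; runners built on JUnit's `BlockJUnit4ClassRunner` report such a class as an initialization error ("No runnable methods") rather than skipping it, so the file will fail as soon as a target picks it up. The `engine`-package `ByteBuffersTest` calls `ByteBuffers.copy` without an import, which places the class under test in `engine` and makes this file look like a leftover; delete it unless a `utilities.ByteBuffers` exists outside this diff, in which case give it a real test.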
+++ b/mobile/test/jni/jni_helper_test.cc
@@ -224,3 +224,13 @@ Java_io_envoyproxy_envoymobile_jni_JniHelperTest_callStaticObjectMethod(JNIEnv*
 jmethodID method_id = jni_helper.getStaticMethodId(clazz, name_ptr.get(), sig_ptr.get());
 return jni_helper.callStaticObjectMethod(clazz, method_id).release();
 }
+
+extern "C" JNIEXPORT jobject JNICALL
+Java_io_envoyproxy_envoymobile_jni_JniHelperTest_newDirectByteBuffer(JNIEnv* env, jclass) {
+ Envoy::JNI::JniHelper jni_helper(env);
+ char* bytes = new char[3];
+ bytes[0] = 1;
+ bytes[1] = 2;
+ bytes[2] = 3;
+ return jni_helper.newDirectByteBuffer(reinterpret_cast(bytes), sizeof(char) * 3).release();
+}
diff --git a/source/common/common/macros.h b/source/common/common/macros.h
index f2b06b84f340..75032a0f1dc0 100644
--- a/source/common/common/macros.h
+++ b/source/common/common/macros.h
@@ -57,4 +57,8 @@ namespace Envoy {
 #if (defined(__GNUC__) && !defined(__clang__))
 #define GCC_COMPILER
 #endif
+
+#define GTEST_FRIEND_CLASS(test_case_name, test_name) \
+ friend class test_case_name##_##test_name##_Test
+
 } // namespace Envoy
diff --git a/source/common/common/posix/thread_impl.cc b/source/common/common/posix/thread_impl.cc
index e935ac53c11b..e89fb16382c3 100644
--- a/source/common/common/posix/thread_impl.cc
+++ b/source/common/common/posix/thread_impl.cc
@@ -1,5 +1,8 @@
+#include "source/common/common/posix/thread_impl.h"
+
+#include "envoy/thread/thread.h"
+
 #include "source/common/common/assert.h"
-#include "source/common/common/thread_impl.h"
 #include "absl/strings/str_cat.h"
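Review bot: `char* bytes = new char[3];` in `Java_io_envoyproxy_envoymobile_jni_JniHelperTest_newDirectByteBuffer` is never released — it cannot be, because the returned direct buffer aliases that memory and the Java test reads it afterwards — so this is an intentional leak that a LeakSanitizer build will report and that nothing in the code explains. A static array removes the allocation without changing what Java observes: `static char bytes[] = {1, 2, 3};` followed by `return jni_helper.newDirectByteBuffer(reinterpret_cast<...>(bytes), sizeof(bytes)).release();`, keeping whatever target type the cast has (this listing stripped it), plus a comment that the backing storage must outlive the returned buffer.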
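Review bot: `GTEST_FRIEND_CLASS` is added to a production header, `source/common/common/macros.h`, without a comment, and it is placed between the `namespace Envoy {` braces even though a `#define` is not scoped by a namespace. A one-line comment such as `// Names the class gtest generates for TEST(test_case_name, test_name) so a production class can befriend it without including gtest headers.` would tell readers why it lives here instead of using gtest's own `FRIEND_TEST`; that avoiding the gtest include is the motivation is an inference from the file's location, so adjust the wording to the actual reason.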
@@ -31,93 +34,142 @@ int64_t getCurrentThreadId() { // so we need to truncate the string_view to 15 bytes. #define PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE 16 +ThreadHandle::ThreadHandle(std::function thread_routine) + : thread_routine_(thread_routine) {} + +/** Returns the thread routine. */ +std::function& ThreadHandle::routine() { return thread_routine_; }; + +/** Returns the thread handle. */ +pthread_t& ThreadHandle::handle() { return thread_handle_; } + /** * Wrapper for a pthread thread. We don't use std::thread because it eats exceptions and leads to * unusable stack traces. */ -class ThreadImplPosix : public Thread { -public: - ThreadImplPosix(std::function thread_routine, OptionsOptConstRef options) - : thread_routine_(std::move(thread_routine)) { - if (options) { - name_ = options->name_.substr(0, PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE - 1); - } - RELEASE_ASSERT(Logger::Registry::initialized(), ""); - const int rc = pthread_create( - &thread_handle_, nullptr, - [](void* arg) -> void* { - static_cast(arg)->thread_routine_(); - return nullptr; - }, - this); - RELEASE_ASSERT(rc == 0, ""); +PosixThread::PosixThread(ThreadHandle* thread_handle, OptionsOptConstRef options) + : thread_handle_(thread_handle) { + if (options) { + name_ = options->name_.substr(0, PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE - 1); + } #if SUPPORTS_PTHREAD_NAMING - // If the name was not specified, get it from the OS. If the name was - // specified, write it into the thread, and assert that the OS sees it the - // same way. - if (name_.empty()) { - getNameFromOS(name_); + // If the name was not specified, get it from the OS. If the name was + // specified, write it into the thread, and assert that the OS sees it the + // same way. 
+ if (name_.empty()) { + getNameFromOS(name_); + } else { + const int set_name_rc = pthread_setname_np(thread_handle_->handle(), name_.c_str()); + if (set_name_rc != 0) { + ENVOY_LOG_MISC(trace, "Error {} setting name `{}'", set_name_rc, name_); } else { - const int set_name_rc = pthread_setname_np(thread_handle_, name_.c_str()); - if (set_name_rc != 0) { - ENVOY_LOG_MISC(trace, "Error {} setting name `{}'", set_name_rc, name_); - } else { - // When compiling in debug mode, read back the thread-name from the OS, - // and verify it's what we asked for. This ensures the truncation is as - // expected, and that the OS will actually retain all the bytes of the - // name we expect. - // - // Note that the system-call to read the thread name may fail in case - // the thread exits after the call to set the name above, and before the - // call to get the name, so we can only do the assert if that call - // succeeded. - std::string check_name; - ASSERT(!getNameFromOS(check_name) || check_name == name_, - absl::StrCat("configured name=", name_, " os name=", check_name)); - } + // When compiling in debug mode, read back the thread-name from the OS, + // and verify it's what we asked for. This ensures the truncation is as + // expected, and that the OS will actually retain all the bytes of the + // name we expect. + // + // Note that the system-call to read the thread name may fail in case + // the thread exits after the call to set the name above, and before the + // call to get the name, so we can only do the assert if that call + // succeeded. 
+ std::string check_name; + ASSERT(!getNameFromOS(check_name) || check_name == name_, + absl::StrCat("configured name=", name_, " os name=", check_name)); } -#endif } +#endif +} + +PosixThread::~PosixThread() { + ASSERT(joined_); + delete thread_handle_; +} - ~ThreadImplPosix() override { ASSERT(joined_); } +std::string PosixThread::name() const { return name_; } - std::string name() const override { return name_; } +// Thread::Thread +void PosixThread::join() { + ASSERT(!joined_); + joined_ = true; + const int rc = pthread_join(thread_handle_->handle(), nullptr); + RELEASE_ASSERT(rc == 0, ""); +} - // Thread::Thread - void join() override { - ASSERT(!joined_); - joined_ = true; - const int rc = pthread_join(thread_handle_, nullptr); - RELEASE_ASSERT(rc == 0, ""); - } +bool PosixThread::joinable() const { return !joined_; } + +ThreadId PosixThread::pthreadId() const { +#if defined(__linux__) + return ThreadId(static_cast(thread_handle_->handle())); +#elif defined(__APPLE__) + uint64_t tid; + pthread_threadid_np(thread_handle_->handle(), &tid); + return ThreadId(tid); +#else +#error "Enable and test pthread id retrieval code for you arch in pthread/thread_impl.cc" +#endif +} -private: #if SUPPORTS_PTHREAD_NAMING - // Attempts to get the name from the operating system, returning true and - // updating 'name' if successful. Note that during normal operation this - // may fail, if the thread exits prior to the system call. - bool getNameFromOS(std::string& name) { - // Verify that the name got written into the thread as expected. - char buf[PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE] = {0}; - const int get_name_rc = pthread_getname_np(thread_handle_, buf, sizeof(buf)); - name = buf; - return get_name_rc == 0; - } +// Attempts to get the name from the operating system, returning true and +// updating 'name' if successful. Note that during normal operation this +// may fail, if the thread exits prior to the system call. 
+bool PosixThread::getNameFromOS(std::string& name) { + // Verify that the name got written into the thread as expected. + char buf[PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE] = {0}; + const int get_name_rc = pthread_getname_np(thread_handle_->handle(), buf, sizeof(buf)); + name = buf; + return get_name_rc == 0; +} #endif - std::function thread_routine_; - pthread_t thread_handle_; - std::string name_; - bool joined_{false}; +class PosixThreadFactoryImpl : public PosixThreadFactory { +public: + ThreadPtr createThread(std::function thread_routine, + OptionsOptConstRef options) override { + return createThread(thread_routine, options, /* crash_on_failure= */ true); + }; + + PosixThreadPtr createThread(std::function thread_routine, OptionsOptConstRef options, + bool crash_on_failure) override { + auto thread_handle = new ThreadHandle(thread_routine); + const int rc = pthread_create( + &thread_handle->handle(), nullptr, + [](void* arg) -> void* { + static_cast(arg)->routine()(); + return nullptr; + }, + reinterpret_cast(thread_handle)); + if (rc != 0) { + delete thread_handle; + if (crash_on_failure) { + RELEASE_ASSERT(false, fmt::format("Unable to create a thread with return code: {}", rc)); + } else { + IS_ENVOY_BUG(fmt::format("Unable to create a thread with return code: {}", rc)); + } + return nullptr; + } + return std::make_unique(thread_handle, options); + }; + + ThreadId currentThreadId() override { return ThreadId(getCurrentThreadId()); }; + + ThreadId currentPthreadId() override { +#if defined(__linux__) + return static_cast(static_cast(pthread_self())); +#elif defined(__APPLE__) + uint64_t tid; + pthread_threadid_np(pthread_self(), &tid); + return ThreadId(tid); +#else +#error "Enable and test pthread id retrieval code for you arch in pthread/thread_impl.cc" +#endif + } }; -ThreadPtr ThreadFactoryImplPosix::createThread(std::function thread_routine, - OptionsOptConstRef options) { - return std::make_unique(thread_routine, options); +PosixThreadFactoryPtr 
PosixThreadFactory::create() { + return std::make_unique(); } -ThreadId ThreadFactoryImplPosix::currentThreadId() { return ThreadId(getCurrentThreadId()); } - } // namespace Thread } // namespace Envoy diff --git a/source/common/common/posix/thread_impl.h b/source/common/common/posix/thread_impl.h index 9b373ecaceb6..2201d3e61886 100644 --- a/source/common/common/posix/thread_impl.h +++ b/source/common/common/posix/thread_impl.h 
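Review bot: `PosixThreadFactoryImpl::createThread` allocates the `ThreadHandle` with `new` and relies on `PosixThread::~PosixThread` to `delete` it, so ownership is split across two classes by convention only; storing it as `std::unique_ptr<ThreadHandle>` inside `PosixThread` and building it with `std::make_unique` in the factory removes the manual `delete thread_handle;` on the `pthread_create` failure path and makes the transfer visible in the constructor signature. The old `ThreadImplPosix` constructor asserted `Logger::Registry::initialized()` before creating the thread, and the new `PosixThread` constructor still calls `ENVOY_LOG_MISC` when `pthread_setname_np` fails, so that `RELEASE_ASSERT` should be kept or its removal explained. The pthread argument conversion is a `static_cast<void*>(thread_handle)`, not a `reinterpret_cast` (the template argument is missing on the page). `currentPthreadId()` on Linux also returns through a bare `static_cast` where the sibling `pthreadId()` wraps the value in `ThreadId(...)`; the two should read the same.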
@@ -4,19 +4,99 @@ #include +#include "envoy/common/platform.h" #include "envoy/thread/thread.h" namespace Envoy { namespace Thread { -/** - * Implementation of ThreadFactory - */ -class ThreadFactoryImplPosix : public ThreadFactory { +class ThreadHandle { public: - // Thread::ThreadFactory - ThreadPtr createThread(std::function thread_routine, OptionsOptConstRef options) override; - ThreadId currentThreadId() override; + explicit ThreadHandle(std::function thread_routine); + + /** Returns the thread routine. */ + std::function& routine(); + + /** Returns the thread handle. */ + pthread_t& handle(); + +private: + std::function thread_routine_; + pthread_t thread_handle_; +}; + +class PosixThread : public Thread { +public: + PosixThread(ThreadHandle* thread_handle, OptionsOptConstRef options); + ~PosixThread() override; + + // Envoy::Thread + std::string name() const override; + void join() override; + + /** + * Returns true if the thread object identifies an active thread of execution, + * false otherwise. + * A thread that has finished executing code, but has not yet been joined is + * still considered an active thread of execution and is therefore joinable. + */ + bool joinable() const; + + /** + * Returns the pthread ID. The thread ID returned from this call is the same + * thread ID returned from `pthread_self()`: + * https://man7.org/linux/man-pages/man3/pthread_self.3.html + */ + ThreadId pthreadId() const; + +private: +#if SUPPORTS_PTHREAD_NAMING + // Attempts to get the name from the operating system, returning true and + // updating 'name' if successful. Note that during normal operation this + // may fail, if the thread exits prior to the system call. 
+ bool getNameFromOS(std::string& name); +#endif + + std::function thread_routine_; + ThreadHandle* thread_handle_; + std::string name_; + bool joined_{false}; +}; + +using PosixThreadPtr = std::unique_ptr; + +class PosixThreadFactory; +using PosixThreadFactoryPtr = std::unique_ptr; + +/** An interface for POSIX `ThreadFactory` */ +class PosixThreadFactory : public ThreadFactory { +public: + // /** Creates a new instance of `PosixThreadPtr`. */ + static PosixThreadFactoryPtr create(); + + /** + * Creates a new generic thread from the specified `thread_routine`. When the + * thread cannot be created, this function will crash. + */ + ThreadPtr createThread(std::function thread_routine, OptionsOptConstRef options) PURE; + + /** + * Creates a new POSIX thread from the specified `thread_routine`. When + * `crash_on_failure` is set to true, this function will crash when the thread + * cannot be created; otherwise a `nullptr` will be returned. + */ + virtual PosixThreadPtr createThread(std::function thread_routine, + OptionsOptConstRef options, bool crash_on_failure) PURE; + + /** + * On Linux, `currentThreadId()` uses `gettid()` and it returns the kernel + * thread ID. The thread ID returned from this call is not the same as the + * thread ID returned from `currentPThreadId()`. + */ + ThreadId currentThreadId() PURE; + + /** Returns the current pthread ID. It uses `pthread_self()`. */ + virtual ThreadId currentPthreadId() PURE; }; } // namespace Thread diff --git a/source/common/grpc/codec.cc b/source/common/grpc/codec.cc index 668258642a68..eb24b4918407 100644 --- a/source/common/grpc/codec.cc +++ b/source/common/grpc/codec.cc 
@@ -32,13 +32,17 @@ void Encoder::prependFrameHeader(uint8_t flags, Buffer::Instance& buffer, uint32 } bool Decoder::decode(Buffer::Instance& input, std::vector& output) { + // Make sure those flags are set to initial state. decoding_error_ = false; + is_frame_oversized_ = false; output_ = &output; inspect(input); output_ = nullptr; - if (decoding_error_) { + + if (decoding_error_ || is_frame_oversized_) { return false; } + input.drain(input.length()); return true; } @@ -102,6 +106,12 @@ uint64_t FrameInspector::inspect(const Buffer::Instance& data) { case State::FhLen3: length_as_bytes_[3] = c; length_ = absl::big_endian::Load32(length_as_bytes_); + // Compares the frame length against maximum length when `max_frame_length_` is configured, + if (max_frame_length_ != 0 && length_ > max_frame_length_) { + // Set the flag to indicate the over-limit error and return. + is_frame_oversized_ = true; + return delta; + } frameDataStart(); if (length_ == 0) { frameDataEnd(); diff --git a/source/common/grpc/codec.h b/source/common/grpc/codec.h index 6140442fb84c..3b6692c96a97 100644 --- a/source/common/grpc/codec.h +++ b/source/common/grpc/codec.h @@ -113,6 +113,11 @@ class FrameInspector { uint8_t length_as_bytes_[4]; }; uint64_t count_{0}; + // Default value 0 means there is no limitation on maximum frame length. + uint32_t max_frame_length_{0}; + // When `max_frame_length_` is configured, this flag will be true if frame length is larger than + // `max_frame_length_`. + bool is_frame_oversized_{false}; }; class Decoder : public FrameInspector { @@ -134,6 +139,9 @@ class Decoder : public FrameInspector { // Indicates whether it has buffered any partial data. bool hasBufferedData() const { return state_ != State::FhFlag; } + // Configures the maximum frame length. + void setMaxFrameLength(uint32_t max_frame_length) { max_frame_length_ = max_frame_length; } + protected: bool frameStart(uint8_t) override; void frameDataStart() override; 
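Review bot: In `FrameInspector::inspect`, the oversize branch returns before `frameDataStart()`, so the inspector's state is left at `FhLen3` with the rejected `length_`; if a caller keeps feeding the same `Decoder` after `decode` returns `false`, the next byte would be read as a fourth length byte rather than the start of a fresh frame (the state transitions live outside the hunk — confirm). `Decoder::decode` now folds the oversize case into the same `false` as a malformed frame, so a caller that wants to close the stream with a size-specific reason cannot distinguish them; a `bool frameOversized() const { return is_frame_oversized_; }` next to `setMaxFrameLength` in the codec.h hunk, or a stated contract that the decoder must be discarded after `false`, would settle it. It is worth saying in the `setMaxFrameLength` comment that the check runs once the full 5-byte frame header has been read, so the limit bounds the data payload, not the header buffering.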
diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index 4c1420575eb5..4c94c32b2c7c 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -609,7 +609,8 @@ void ConnectionManagerImpl::onEvent(Network::ConnectionEvent event) { // NOTE: In the case where a local close comes from outside the filter, this will cause any // stream closures to increment remote close stats. We should do better here in the future, // via the pre-close callback mentioned above. - doConnectionClose(absl::nullopt, absl::nullopt, details); + doConnectionClose(absl::nullopt, StreamInfo::CoreResponseFlag::DownstreamConnectionTermination, + details); } } @@ -958,12 +959,6 @@ ConnectionManagerImpl::ActiveStream::ActiveStream(ConnectionManagerImpl& connect void ConnectionManagerImpl::ActiveStream::completeRequest() { filter_manager_.streamInfo().onRequestComplete(); - if (connection_manager_.remote_close_) { - filter_manager_.streamInfo().setResponseCodeDetails( - StreamInfo::ResponseCodeDetails::get().DownstreamRemoteDisconnect); - filter_manager_.streamInfo().setResponseFlag( - StreamInfo::CoreResponseFlag::DownstreamConnectionTermination); - } connection_manager_.stats_.named_.downstream_rq_active_.dec(); if (filter_manager_.streamInfo().healthCheck()) { connection_manager_.config_.tracingStats().health_check_.inc(); diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 14be4b296129..c76d8bb8be9d 100644 --- a/source/common/http/utility.cc +++ b/source/common/http/utility.cc 
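Review bot: The block removed from `completeRequest` also set `ResponseCodeDetails::DownstreamRemoteDisconnect`; the replacement in `onEvent` passes the `DownstreamConnectionTermination` flag but the details come from `details`, whose origin is outside the hunk, so confirm it carries an equivalent value or access logs lose the remote-disconnect detail. The flag is now applied on every `doConnectionClose` reached from `onEvent`, including the local closes the NOTE just above already says are counted as remote; if that is intended, the NOTE should mention that the response flag is affected the same way.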
@@ -1330,7 +1330,8 @@ Utility::AuthorityAttributes Utility::parseAuthority(absl::string_view host) {
 return {is_ip_address, host_to_resolve, port};
 }
-void Utility::validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy) {
+absl::Status
+Utility::validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy) {
 if (retry_policy.has_retry_back_off()) {
 const auto& core_back_off = retry_policy.retry_back_off();
@@ -1339,9 +1340,11 @@ void Utility::validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy
 PROTOBUF_GET_MS_OR_DEFAULT(core_back_off, max_interval, base_interval_ms * 10);
 if (max_interval_ms < base_interval_ms) {
- throwEnvoyExceptionOrPanic("max_interval must be greater than or equal to the base_interval");
+ return absl::InvalidArgumentError(
+ "max_interval must be greater than or equal to the base_interval");
 }
 }
+ return absl::OkStatus();
 }
 envoy::config::route::v3::RetryPolicy
diff --git a/source/common/http/utility.h b/source/common/http/utility.h
index 6a05a5ea589c..5d155eb17358 100644
--- a/source/common/http/utility.h
+++ b/source/common/http/utility.h
@@ -674,11 +674,10 @@ struct AuthorityAttributes {
 AuthorityAttributes parseAuthority(absl::string_view host);
 /**
- * It validates RetryPolicy defined in core api. It should be called at the main thread as
- * it may throw exception.
+ * It validates RetryPolicy defined in core api. It will return an error status if invalid.
 * @param retry_policy core retry policy
 */
-void validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy);
+absl::Status validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy);
 /**
 * It returns RetryPolicy defined in core api to route api.
diff --git a/source/common/listener_manager/listener_manager_impl.cc b/source/common/listener_manager/listener_manager_impl.cc
index 853087d0b1bf..930378a94b94 100644
--- a/source/common/listener_manager/listener_manager_impl.cc
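Review bot: `validateCoreRetryPolicy` now reports an invalid policy only through its return value, so a caller that ignores it silently accepts a configuration the old version rejected; declare it `ABSL_MUST_USE_RESULT absl::Status validateCoreRetryPolicy(...)` in the utility.h hunk so the compiler flags a dropped status. The header comment could also say what is returned, `@return absl::InvalidArgumentError when max_interval is smaller than base_interval, otherwise absl::OkStatus()`. The .cc hunk's early `return` inside the `has_retry_back_off()` branch is fine, but with `absl::Status` the usual Envoy shape is a single exit, which would also make a future second check easier to add.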
+++ b/source/common/listener_manager/listener_manager_impl.cc @@ -321,7 +321,10 @@ Network::SocketSharedPtr ProdListenerComponentFactory::createListenSocket( if (socket_type == Network::Socket::Type::Stream) { return std::make_shared(std::move(io_handle), address, options); } else { - return std::make_shared(std::move(io_handle), address, options); + auto socket = std::make_shared( + std::move(io_handle), address, options, + server_.hotRestart().parentDrainedCallbackRegistrar()); + return socket; } } } diff --git a/source/common/network/BUILD b/source/common/network/BUILD index c563ca21428b..53ca953779a4 100644 --- a/source/common/network/BUILD +++ b/source/common/network/BUILD @@ -344,6 +344,7 @@ envoy_cc_library( "//envoy/event:file_event_interface", "//envoy/network:exception_interface", "//envoy/network:listener_interface", + "//envoy/network:parent_drained_callback_registrar_interface", "//envoy/runtime:runtime_interface", "//envoy/stats:stats_interface", "//envoy/stats:stats_macros", diff --git a/source/common/network/listen_socket_impl.h b/source/common/network/listen_socket_impl.h index 1a365c65d1a3..753dfa53d380 100644 --- a/source/common/network/listen_socket_impl.h +++ b/source/common/network/listen_socket_impl.h 
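Review bot: The new `auto socket = ...; return socket;` in the datagram branch introduces a named temporary the stream branch above does not use; `return std::make_shared<...>(std::move(io_handle), address, options, server_.hotRestart().parentDrainedCallbackRegistrar());` keeps the two branches parallel (the template argument is elided here because the page dropped it). A one-line comment on why only datagram sockets receive the registrar — the QUIC hot-restart pause described in the listen_socket_impl.h hunk — would save the next reader a trip to the socket class.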
@@ -68,12 +68,19 @@ template class NetworkListenSocket : public ListenSocketImpl { } } - NetworkListenSocket(IoHandlePtr&& io_handle, const Address::InstanceConstSharedPtr& address, - const Network::Socket::OptionsSharedPtr& options) - : ListenSocketImpl(std::move(io_handle), address) { + NetworkListenSocket( + IoHandlePtr&& io_handle, const Address::InstanceConstSharedPtr& address, + const Network::Socket::OptionsSharedPtr& options, + OptRef parent_drained_callback_registrar = absl::nullopt) + : ListenSocketImpl(std::move(io_handle), address), + parent_drained_callback_registrar_(parent_drained_callback_registrar) { setListenSocketOptions(options); } + OptRef parentDrainedCallbackRegistrar() const override { + return parent_drained_callback_registrar_; + } + Socket::Type socketType() const override { return T::type; } SocketPtr duplicate() override { @@ -110,6 +117,12 @@ template class NetworkListenSocket : public ListenSocketImpl { } protected: + // Usually a socket when initialized starts listening for ready-to-read or ready-to-write events; + // for a QUIC socket during hot restart this is undesirable as the parent instance needs to + // receive all packets; in that case this interface is set, and listening won't begin until the + // callback is called. + OptRef parent_drained_callback_registrar_; + void setPrebindSocketOptions() { // On Windows, SO_REUSEADDR does not restrict subsequent bind calls when there is a listener as // on Linux and later BSD socket stacks. diff --git a/source/common/network/udp_listener_impl.cc b/source/common/network/udp_listener_impl.cc index 62c5b273db96..a184eaae7036 100644 --- a/source/common/network/udp_listener_impl.cc +++ b/source/common/network/udp_listener_impl.cc 
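Review bot: `duplicate()` directly below the new accessor constructs another listen socket, and its body is outside the hunk; if it calls the constructor without `parent_drained_callback_registrar_`, a duplicated QUIC socket on a hot-restart child would start reading before the parent has drained, bypassing the pause this change introduces — confirm it forwards the registrar. The member is an `OptRef`, i.e. a non-owning reference, so the new comment should also state that the referenced registrar (the hot-restart instance, per the listener_manager hunk) must outlive every socket that holds it.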
@@ -9,6 +9,7 @@ #include "envoy/common/platform.h" #include "envoy/config/core/v3/base.pb.h" #include "envoy/network/exception.h" +#include "envoy/network/parent_drained_callback_registrar.h" #include "source/common/api/os_sys_calls_impl.h" #include "source/common/common/assert.h" @@ -34,9 +35,34 @@ UdpListenerImpl::UdpListenerImpl(Event::Dispatcher& dispatcher, SocketSharedPtr : BaseListenerImpl(dispatcher, std::move(socket)), cb_(cb), time_source_(time_source), // Default prefer_gro to false for downstream server traffic. config_(config, false) { + parent_drained_callback_registrar_ = socket_->parentDrainedCallbackRegistrar(); socket_->ioHandle().initializeFileEvent( dispatcher, [this](uint32_t events) -> void { onSocketEvent(events); }, - Event::PlatformDefaultTriggerType, Event::FileReadyType::Read | Event::FileReadyType::Write); + Event::PlatformDefaultTriggerType, paused() ? 0 : events_when_unpaused_); + if (paused()) { + parent_drained_callback_registrar_->registerParentDrainedCallback( + socket_->connectionInfoProvider().localAddress(), + [this, &dispatcher, alive = std::weak_ptr(destruction_checker_)]() { + dispatcher.post([this, alive = std::move(alive)]() { + auto still_alive = alive.lock(); + if (still_alive != nullptr) { + unpause(); + } + }); + }); + } +} + +void UdpListenerImpl::unpause() { + // Remove the paused state so enable will actually start listening to events. + parent_drained_callback_registrar_ = absl::nullopt; + if (events_when_unpaused_ != 0) { + // Start listening to events. + enable(); + // There may have already been events while this instance was ignoring them, + // so try reading immediately. + activateRead(); + } } UdpListenerImpl::~UdpListenerImpl() { socket_->ioHandle().resetFileEvents(); } 
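Review bot: The parent-drained callback captures `&dispatcher` and calls `dispatcher.post` before the liveness check: the `weak_ptr` to `destruction_checker_` protects `this` inside the posted lambda, but nothing protects the dispatcher reference, so if the registrar can still fire after a worker dispatcher is torn down (possible only if the registrar outlives the workers — not visible here) the post itself touches a dead object. Unregistering in `~UdpListenerImpl`, or documenting on the registrar interface that it is destroyed before the dispatchers, closes that gap. In `unpause()`, `enable()` overwrites `events_when_unpaused_` with Read|Write, which is equivalent today because that is the only non-zero value `enable()` ever stores; `socket_->ioHandle().enableFileEvents(events_when_unpaused_);` would apply whatever mask was recorded while paused without that coupling. The destructor on the last context line calls `resetFileEvents()` but leaves the registered callback in place, which is exactly why the weak_ptr guard exists; a comment there saying so would help.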
@@ -44,10 +70,18 @@ UdpListenerImpl::~UdpListenerImpl() { socket_->ioHandle().resetFileEvents(); } void UdpListenerImpl::disable() { disableEvent(); } void UdpListenerImpl::enable() { - socket_->ioHandle().enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write); + events_when_unpaused_ = Event::FileReadyType::Read | Event::FileReadyType::Write; + if (!paused()) { + socket_->ioHandle().enableFileEvents(events_when_unpaused_); + } } -void UdpListenerImpl::disableEvent() { socket_->ioHandle().enableFileEvents(0); } +void UdpListenerImpl::disableEvent() { + events_when_unpaused_ = 0; + if (!paused()) { + socket_->ioHandle().enableFileEvents(0); + } +} void UdpListenerImpl::onSocketEvent(short flags) { ASSERT((flags & (Event::FileReadyType::Read | Event::FileReadyType::Write))); diff --git a/source/common/network/udp_listener_impl.h b/source/common/network/udp_listener_impl.h index 723c3c74de75..244f93f3923b 100644 --- a/source/common/network/udp_listener_impl.h +++ b/source/common/network/udp_listener_impl.h @@ -26,6 +26,8 @@ class UdpListenerImpl : public BaseListenerImpl, TimeSource& time_source, const envoy::config::core::v3::UdpSocketConfig& config); ~UdpListenerImpl() override; uint32_t packetsDropped() { return packets_dropped_; } + bool paused() const { return parent_drained_callback_registrar_ != absl::nullopt; } + void unpause(); // Network::Listener void disable() override; @@ -63,6 +65,10 @@ class UdpListenerImpl : public BaseListenerImpl, TimeSource& time_source_; const ResolvedUdpSocketConfig config_; + OptRef parent_drained_callback_registrar_; + // Taking a weak_ptr to this lets us detect if the listener has been destroyed. + std::shared_ptr destruction_checker_ = std::make_shared(true); + uint32_t events_when_unpaused_ = Event::FileReadyType::Read | Event::FileReadyType::Write; }; class UdpListenerWorkerRouterImpl : public UdpListenerWorkerRouter { 
diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc
index 6e9f3188d244..eb7bb2a72951 100644
--- a/source/common/network/utility.cc
+++ b/source/common/network/utility.cc
@@ -583,16 +583,17 @@ void passPayloadToProcessor(uint64_t bytes_read, Buffer::InstancePtr buffer,
 Address::InstanceConstSharedPtr peer_addess,
 Address::InstanceConstSharedPtr local_address,
 UdpPacketProcessor& udp_packet_processor, MonotonicTime receive_time) {
- RELEASE_ASSERT(
- peer_addess != nullptr,
- fmt::format("Unable to get remote address on the socket bount to local address: {} ",
- local_address->asString()));
+ ENVOY_BUG(peer_addess != nullptr,
+ fmt::format("Unable to get remote address on the socket bound to local address: {}.",
+ (local_address == nullptr ? "unknown" : local_address->asString())));
 // Unix domain sockets are not supported
- RELEASE_ASSERT(peer_addess->type() == Address::Type::Ip,
- fmt::format("Unsupported remote address: {} local address: {}, receive size: "
- "{}",
- peer_addess->asString(), local_address->asString(), bytes_read));
+ ENVOY_BUG(peer_addess != nullptr && peer_addess->type() == Address::Type::Ip,
+ fmt::format("Unsupported remote address: {} local address: {}, receive size: "
+ "{}",
+ peer_addess->asString(),
+ (local_address == nullptr ? "unknown" : local_address->asString()),
+ bytes_read));
 udp_packet_processor.processPacket(std::move(local_address), std::move(peer_addess),
 std::move(buffer), receive_time);
 }
diff --git a/source/common/quic/BUILD b/source/common/quic/BUILD
index 6f0315c59fea..2b9890ed086f 100644
--- a/source/common/quic/BUILD
+++ b/source/common/quic/BUILD
@@ -139,7 +139,7 @@ envoy_cc_library(
 ":envoy_quic_proof_verifier_base_lib",
 ":envoy_quic_utils_lib",
 ":quic_ssl_connection_info_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
+ "//source/common/tls:context_lib",
 ],
 )
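Review bot: Downgrading both checks from `RELEASE_ASSERT` to `ENVOY_BUG` lets execution fall through to `processPacket` with a null or non-IP `peer_addess`, and the second `ENVOY_BUG`'s message evaluates `peer_addess->asString()` right after its own condition has allowed `peer_addess` to be null — a null dereference on the very path that was meant to stop crashing. Each condition should report the bug and return, dropping the datagram, with the message built only inside its branch; dropping one unexpected packet is the safe outcome, whereas a worker crash on odd socket metadata turns a kernel quirk into a denial of service. The `peer_addess` spelling predates this change but is worth fixing while the lines are being rewritten.
```cpp
  // … unchanged: passPayloadToProcessor signature …
  if (peer_addess == nullptr) {
    IS_ENVOY_BUG(fmt::format("Unable to get remote address on the socket bound to local address: {}.",
                             (local_address == nullptr ? "unknown" : local_address->asString())));
    return;
  }
  // Unix domain sockets are not supported
  if (peer_addess->type() != Address::Type::Ip) {
    IS_ENVOY_BUG(fmt::format("Unsupported remote address: {} local address: {}, receive size: {}",
                             peer_addess->asString(),
                             (local_address == nullptr ? "unknown" : local_address->asString()),
                             bytes_read));
    return;
  }
  udp_packet_processor.processPacket(std::move(local_address), std::move(peer_addess),
                                     std::move(buffer), receive_time);
```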
@@ -180,8 +180,8 @@ envoy_cc_library( "//envoy/http:codec_interface", "//envoy/http:persistent_quic_info_interface", "//envoy/registry", + "//source/common/tls:ssl_socket_lib", "//source/extensions/quic/crypto_stream:envoy_quic_crypto_client_stream_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", ], ) @@ -228,7 +228,7 @@ envoy_cc_library( external_deps = ["ssl"], tags = ["nofips"], deps = [ - "//source/extensions/transport_sockets/tls:connection_info_impl_base_lib", + "//source/common/tls:connection_info_impl_base_lib", "@com_github_google_quiche//:quic_core_session_lib", ], ) @@ -460,8 +460,8 @@ envoy_cc_library( "//envoy/ssl:context_config_interface", "//source/common/common:assert_lib", "//source/common/network:transport_socket_options_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:ssl_socket_lib", "@com_github_google_quiche//:quic_core_crypto_crypto_handshake_lib", "@envoy_api//envoy/extensions/transport_sockets/quic/v3:pkg_cc_proto", ], @@ -485,8 +485,8 @@ envoy_cc_library( "//envoy/ssl:context_config_interface", "//source/common/common:assert_lib", "//source/common/network:transport_socket_options_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:ssl_socket_lib", "@com_github_google_quiche//:quic_core_crypto_crypto_handshake_lib", "@envoy_api//envoy/extensions/transport_sockets/quic/v3:pkg_cc_proto", ], diff --git a/source/common/quic/client_connection_factory_impl.h b/source/common/quic/client_connection_factory_impl.h index 5a5aa9158a93..b247c61bc54a 100644 --- a/source/common/quic/client_connection_factory_impl.h +++ b/source/common/quic/client_connection_factory_impl.h 
@@ -9,8 +9,8 @@ #include "source/common/quic/envoy_quic_client_session.h" #include "source/common/quic/envoy_quic_connection_helper.h" #include "source/common/quic/envoy_quic_utils.h" +#include "source/common/tls/ssl_socket.h" #include "source/extensions/quic/crypto_stream/envoy_quic_crypto_client_stream.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "quiche/quic/core/quic_utils.h" diff --git a/source/common/quic/envoy_quic_client_connection.cc b/source/common/quic/envoy_quic_client_connection.cc index 9890990091ca..aa17972506f5 100644 --- a/source/common/quic/envoy_quic_client_connection.cc +++ b/source/common/quic/envoy_quic_client_connection.cc 
@@ -69,7 +69,27 @@ void EnvoyQuicClientConnection::processPacket( quic::QuicTime::Delta::FromMicroseconds( std::chrono::duration_cast(receive_time.time_since_epoch()) .count()); + ASSERT(peer_address != nullptr && buffer != nullptr); ASSERT(buffer->getRawSlices().size() == 1); + if (local_address == nullptr) { + // Quic doesn't know how to handle packets without destination address. Drop them here. + if (buffer->length() > 0) { + ++num_packets_with_unknown_dst_address_; + std::string error_message = fmt::format( + "Unable to get destination address. Address family {}. Have{} pending path validation. " + "self_address is{} initialized.", + (peer_address->ip()->version() == Network::Address::IpVersion::v4 ? "v4" : "v6"), + (HasPendingPathValidation() ? "" : " no"), + (self_address().IsInitialized() ? "" : " not")); + ENVOY_CONN_LOG(error, error_message, *this); + if (num_packets_with_unknown_dst_address_ > 10) { + // If too many packets are without destination addresses, close the connection. + CloseConnection(quic::QUIC_PACKET_READ_ERROR, error_message, + quic::ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET); + } + } + return; + } Buffer::RawSlice slice = buffer->frontSlice(); quic::QuicReceivedPacket packet(reinterpret_cast(slice.mem_), slice.len_, timestamp, /*owns_buffer=*/false, /*ttl=*/0, /*ttl_valid=*/false, diff --git a/source/common/quic/envoy_quic_client_connection.h b/source/common/quic/envoy_quic_client_connection.h index d8b917e0f4dd..43cbc0d12901 100644 --- a/source/common/quic/envoy_quic_client_connection.h +++ b/source/common/quic/envoy_quic_client_connection.h 
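Review bot: `num_packets_with_unknown_dst_address_` is only ever incremented, so the `> 10` threshold closes the connection on the eleventh such packet over its whole lifetime rather than after a burst; if sporadic loss of the destination address is expected (the log text mentions pending path validation and an uninitialized self address), reset the counter when a packet with a destination arrives, and give the literal a name such as `kMaxPacketsWithUnknownDstAddress`. `peer_address->ip()->version()` assumes an IP peer while the new `ASSERT` checks only non-null, and `ASSERT` is compiled out of release builds; guard `ip()` against nullptr before using it in the error message. Logging at `error` per dropped packet is noisy under sustained loss; `debug` plus a counter stat gives the same diagnostics without flooding the log.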
@@ -80,7 +80,9 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, // TODO(mattklein123): Emit a stat for this. } size_t numPacketsExpectedPerEventLoop() const override { - if (delegate_.has_value()) { + if (!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.quic_upstream_reads_fixed_number_packets") && + delegate_.has_value()) { return delegate_->numPacketsExpectedPerEventLoop(); } return DEFAULT_PACKETS_TO_READ_PER_CONNECTION; @@ -147,6 +149,7 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, Event::Dispatcher& dispatcher_; bool migrate_port_on_path_degrading_{false}; uint8_t num_socket_switches_{0}; + size_t num_packets_with_unknown_dst_address_{0}; }; } // namespace Quic diff --git a/source/common/quic/envoy_quic_proof_source.cc b/source/common/quic/envoy_quic_proof_source.cc index 337ef148d1b9..9670dba204e3 100644 --- a/source/common/quic/envoy_quic_proof_source.cc +++ b/source/common/quic/envoy_quic_proof_source.cc @@ -6,6 +6,7 @@ #include "source/common/quic/envoy_quic_utils.h" #include "source/common/quic/quic_io_handle_wrapper.h" +#include "source/common/runtime/runtime_features.h" #include "source/common/stream_info/stream_info_impl.h" #include "openssl/bytestring.h" 
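Review bot: The negated runtime-feature check joined with `delegate_.has_value()` in `numPacketsExpectedPerEventLoop()` reads backwards; an early return, `if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.quic_upstream_reads_fixed_number_packets")) { return DEFAULT_PACKETS_TO_READ_PER_CONNECTION; }`, followed by the unchanged delegate branch states the rollout intent directly. A short comment on what the fixed-count read fixes would also help whoever removes the flag later.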
@@ -18,11 +19,25 @@ quiche::QuicheReferenceCountedPointer EnvoyQuicProofSource::GetCertChain(const quic::QuicSocketAddress& server_address, const quic::QuicSocketAddress& client_address, const std::string& hostname, bool* cert_matched_sni) { - // TODO(DavidSchinazi) parse the certificate to correctly fill in |cert_matched_sni|. + + // Ensure this is set even in error paths. *cert_matched_sni = false; - CertConfigWithFilterChain res = - getTlsCertConfigAndFilterChain(server_address, client_address, hostname); + auto res = getTransportSocketAndFilterChain(server_address, client_address, hostname); + if (!res.has_value()) { + return nullptr; + } + + if (!res->transport_socket_factory_.handleCertsWithSharedTlsCode()) { + return legacyGetCertChain(*res); + } + + return getTlsCertAndFilterChain(*res, hostname, cert_matched_sni).cert_; +} + +quiche::QuicheReferenceCountedPointer +EnvoyQuicProofSource::legacyGetCertChain(const TransportSocketFactoryWithFilterChain& data) { + LegacyCertConfigWithFilterChain res = legacyGetTlsCertConfigAndFilterChain(data); absl::optional> cert_config_ref = res.cert_config_; if (!cert_config_ref.has_value()) { 
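Review bot: The removed TODO about filling `cert_matched_sni` still applies to the legacy branch: `legacyGetCertChain` never writes `*cert_matched_sni`, so it stays `false` whenever `handleCertsWithSharedTlsCode()` is off, while the new path fills it through `getTlsCertAndFilterChain`. Keep the TODO on the legacy call, `// TODO: the legacy path leaves *cert_matched_sni == false.`, or pass the pointer through. Returning `nullptr` when no transport socket/filter chain matches is the right fail-closed choice, but unlike `signPayload` below it is silent; a matching `ENVOY_LOG(warn, ...)` would make a non-matching SNI diagnosable.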
@@ -56,8 +71,49 @@ void EnvoyQuicProofSource::signPayload( const quic::QuicSocketAddress& server_address, const quic::QuicSocketAddress& client_address, const std::string& hostname, uint16_t signature_algorithm, absl::string_view in, std::unique_ptr callback) { - CertConfigWithFilterChain res = - getTlsCertConfigAndFilterChain(server_address, client_address, hostname); + auto data = getTransportSocketAndFilterChain(server_address, client_address, hostname); + if (!data.has_value()) { + ENVOY_LOG(warn, "No matching filter chain found for handshake."); + callback->Run(false, "", nullptr); + return; + } + + if (!data->transport_socket_factory_.handleCertsWithSharedTlsCode()) { + return legacySignPayload(*data, signature_algorithm, in, std::move(callback)); + } + + CertWithFilterChain res = + getTlsCertAndFilterChain(*data, hostname, nullptr /* cert_matched_sni */); + if (res.private_key_ == nullptr) { + ENVOY_LOG(warn, "No matching filter chain found for handshake."); + callback->Run(false, "", nullptr); + return; + } + + // Verify the signature algorithm is as expected. + std::string error_details; + int sign_alg = + deduceSignatureAlgorithmFromPublicKey(res.private_key_->private_key(), &error_details); + if (sign_alg != signature_algorithm) { + ENVOY_LOG(warn, + fmt::format("The signature algorithm {} from the private key is not expected: {}", + sign_alg, error_details)); + callback->Run(false, "", nullptr); + return; + } + + // Sign. 
+ std::string sig = res.private_key_->Sign(in, signature_algorithm); + bool success = !sig.empty(); + ASSERT(res.filter_chain_.has_value()); + callback->Run(success, sig, + std::make_unique(res.filter_chain_.value().get())); +} + +void EnvoyQuicProofSource::legacySignPayload( + const TransportSocketFactoryWithFilterChain& data, uint16_t signature_algorithm, + absl::string_view in, std::unique_ptr callback) { + LegacyCertConfigWithFilterChain res = legacyGetTlsCertConfigAndFilterChain(data); absl::optional> cert_config_ref = res.cert_config_; if (!cert_config_ref.has_value()) { 
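Review bot: `signPayload` passes `nullptr /* cert_matched_sni */` into `getTlsCertAndFilterChain`, which forwards it to `QuicServerTransportSocketFactory::getTlsCertificateAndKey` (the quic_server_transport_socket_factory.cc hunk further down), and that function writes `*cert_matched_sni = false;` unconditionally on its not-ready branch, so a signing request arriving before SDS delivers the context dereferences null. Either guard the write at its site, `if (cert_matched_sni != nullptr) { *cert_matched_sni = false; }`, or pass the address of a local `bool` here; whether `findTlsContext` tolerates a null pointer is not visible in this diff either. Separately, the warning on the `res.private_key_ == nullptr` branch says `No matching filter chain found for handshake.` although the filter chain did match at that point and the callee has already logged the real cause, so something like `"No certificate or private key available for handshake."` would be accurate. `legacySignPayload` continues past the end of this hunk.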
@@ -95,10 +151,39 @@ void EnvoyQuicProofSource::signPayload( std::make_unique(res.filter_chain_.value().get())); } -EnvoyQuicProofSource::CertConfigWithFilterChain -EnvoyQuicProofSource::getTlsCertConfigAndFilterChain(const quic::QuicSocketAddress& server_address, - const quic::QuicSocketAddress& client_address, - const std::string& hostname) { +EnvoyQuicProofSource::CertWithFilterChain +EnvoyQuicProofSource::getTlsCertAndFilterChain(const TransportSocketFactoryWithFilterChain& data, + const std::string& hostname, + bool* cert_matched_sni) { + auto [cert, key] = + data.transport_socket_factory_.getTlsCertificateAndKey(hostname, cert_matched_sni); + if (cert == nullptr || key == nullptr) { + ENVOY_LOG(warn, "No certificate is configured in transport socket config."); + return {}; + } + return {std::move(cert), std::move(key), data.filter_chain_}; +} + +EnvoyQuicProofSource::LegacyCertConfigWithFilterChain +EnvoyQuicProofSource::legacyGetTlsCertConfigAndFilterChain( + const TransportSocketFactoryWithFilterChain& data) { + + std::vector> tls_cert_configs = + data.transport_socket_factory_.legacyGetTlsCertificates(); + if (tls_cert_configs.empty()) { + ENVOY_LOG(warn, "No certificate is configured in transport socket config."); + return {absl::nullopt, absl::nullopt}; + } + // Only return the first TLS cert config. + // TODO(danzh) Choose based on supported cipher suites in TLS1.3 CHLO and prefer EC + // certs if supported. + return {tls_cert_configs[0].get(), data.filter_chain_}; +} + +absl::optional +EnvoyQuicProofSource::getTransportSocketAndFilterChain( + const quic::QuicSocketAddress& server_address, const quic::QuicSocketAddress& client_address, + const std::string& hostname) { ENVOY_LOG(trace, "Getting cert chain for {}", hostname); // TODO(danzh) modify QUICHE to make quic session or ALPN accessible to avoid hard-coded ALPN. Network::ConnectionSocketPtr connection_socket = createServerConnectionSocket( 
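Review bot: `getTlsCertAndFilterChain` logs `No certificate is configured in transport socket config.` whenever `getTlsCertificateAndKey` returns null pointers, but that callee also returns nulls, after its own `SDS hasn't finished updating` warning, when the context is simply not ready yet, so the not-ready window emits two warnings that name different causes. Consider leaving the diagnosis to the callee and keeping a debug-level line here, or wording it to cover both cases, e.g. `No certificate available for handshake (not configured or SDS not ready).` As a style point, `legacyGetTlsCertConfigAndFilterChain` opens with a blank line after the brace, which the surrounding functions do not. `getTransportSocketAndFilterChain` continues past the end of this hunk.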
@@ -111,23 +196,13 @@ EnvoyQuicProofSource::getTlsCertConfigAndFilterChain(const quic::QuicSocketAddre if (filter_chain == nullptr) { listener_stats_.no_filter_chain_match_.inc(); ENVOY_LOG(warn, "No matching filter chain found for handshake."); - return {absl::nullopt, absl::nullopt}; + return {}; } ENVOY_LOG(trace, "Got a matching cert chain {}", filter_chain->name()); auto& transport_socket_factory = dynamic_cast(filter_chain->transportSocketFactory()); - - std::vector> tls_cert_configs = - transport_socket_factory.getTlsCertificates(); - if (tls_cert_configs.empty()) { - ENVOY_LOG(warn, "No certificate is configured in transport socket config."); - return {absl::nullopt, absl::nullopt}; - } - // Only return the first TLS cert config. - // TODO(danzh) Choose based on supported cipher suites in TLS1.3 CHLO and prefer EC - // certs if supported. - return {tls_cert_configs[0].get(), *filter_chain}; + return TransportSocketFactoryWithFilterChain{transport_socket_factory, *filter_chain}; } void EnvoyQuicProofSource::updateFilterChainManager( diff --git a/source/common/quic/envoy_quic_proof_source.h b/source/common/quic/envoy_quic_proof_source.h index d47ab9ba7bb3..e950b982445b 100644 --- a/source/common/quic/envoy_quic_proof_source.h +++ b/source/common/quic/envoy_quic_proof_source.h 
@@ -34,15 +34,38 @@ class EnvoyQuicProofSource : public EnvoyQuicProofSourceBase { std::unique_ptr callback) override; private: - struct CertConfigWithFilterChain { + struct TransportSocketFactoryWithFilterChain { + const QuicServerTransportSocketFactory& transport_socket_factory_; + const Network::FilterChain& filter_chain_; + }; + + quiche::QuicheReferenceCountedPointer + legacyGetCertChain(const TransportSocketFactoryWithFilterChain& data); + void legacySignPayload(const TransportSocketFactoryWithFilterChain& data, + uint16_t signature_algorithm, absl::string_view in, + std::unique_ptr callback); + + struct CertWithFilterChain { + quiche::QuicheReferenceCountedPointer cert_; + std::shared_ptr private_key_; + absl::optional> filter_chain_; + }; + + CertWithFilterChain getTlsCertAndFilterChain(const TransportSocketFactoryWithFilterChain& data, + const std::string& hostname, bool* cert_matched_sni); + + struct LegacyCertConfigWithFilterChain { absl::optional> cert_config_; absl::optional> filter_chain_; }; - CertConfigWithFilterChain - getTlsCertConfigAndFilterChain(const quic::QuicSocketAddress& server_address, - const quic::QuicSocketAddress& client_address, - const std::string& hostname); + LegacyCertConfigWithFilterChain + legacyGetTlsCertConfigAndFilterChain(const TransportSocketFactoryWithFilterChain& data); + + absl::optional + getTransportSocketAndFilterChain(const quic::QuicSocketAddress& server_address, + const quic::QuicSocketAddress& client_address, + const std::string& hostname); Network::Socket& listen_socket_; Network::FilterChainManager* filter_chain_manager_{nullptr}; diff --git a/source/common/quic/envoy_quic_proof_verifier.cc b/source/common/quic/envoy_quic_proof_verifier.cc index 93c206be91dd..78bc355589ff 100644 --- a/source/common/quic/envoy_quic_proof_verifier.cc +++ b/source/common/quic/envoy_quic_proof_verifier.cc 
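Review bot: The new private types are undocumented, and `TransportSocketFactoryWithFilterChain` holds two reference members into objects the proof source does not own, so the permitted lifetime of a value is the thing a reader most needs and cannot see. A comment such as `// Non-owning view of the matched filter chain and its QUIC transport socket factory; only valid within the ProofSource call that looked it up.` above that struct, and `// Default-constructed (null cert_/private_key_) when no certificate could be selected.` above `CertWithFilterChain`, would state the contract. `getTlsCertAndFilterChain` should also say whether `cert_matched_sni` may be null, since `signPayload` passes `nullptr` while `GetCertChain` passes a real pointer.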
@@ -7,7 +7,7 @@ #include "source/common/quic/envoy_quic_utils.h" #include "source/common/runtime/runtime_features.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" #include "quiche/quic/core/crypto/certificate_view.h" diff --git a/source/common/quic/envoy_quic_proof_verifier.h b/source/common/quic/envoy_quic_proof_verifier.h index fc03fbca15d0..b42e9841a709 100644 --- a/source/common/quic/envoy_quic_proof_verifier.h +++ b/source/common/quic/envoy_quic_proof_verifier.h @@ -4,7 +4,7 @@ #include "source/common/quic/envoy_quic_proof_verifier_base.h" #include "source/common/quic/quic_ssl_connection_info.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" +#include "source/common/tls/context_impl.h" namespace Envoy { namespace Quic { diff --git a/source/common/quic/quic_client_transport_socket_factory.cc b/source/common/quic/quic_client_transport_socket_factory.cc index 3b90ee46143e..e95abb81918b 100644 --- a/source/common/quic/quic_client_transport_socket_factory.cc +++ b/source/common/quic/quic_client_transport_socket_factory.cc @@ -6,7 +6,7 @@ #include "source/common/quic/envoy_quic_proof_verifier.h" #include "source/common/runtime/runtime_features.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "quiche/quic/core/crypto/quic_client_session_cache.h" diff --git a/source/common/quic/quic_server_transport_socket_factory.cc b/source/common/quic/quic_server_transport_socket_factory.cc index 8054a65ab306..901327e7118e 100644 --- a/source/common/quic/quic_server_transport_socket_factory.cc +++ b/source/common/quic/quic_server_transport_socket_factory.cc 
@@ -4,8 +4,9 @@ #include "envoy/extensions/transport_sockets/quic/v3/quic_transport.pb.validate.h" +#include "source/common/quic/envoy_quic_utils.h" #include "source/common/runtime/runtime_features.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" namespace Envoy { namespace Quic { @@ -13,7 +14,7 @@ namespace Quic { Network::DownstreamTransportSocketFactoryPtr QuicServerTransportSocketConfigFactory::createTransportSocketFactory( const Protobuf::Message& config, Server::Configuration::TransportSocketFactoryContext& context, - const std::vector& /*server_names*/) { + const std::vector& server_names) { auto quic_transport = MessageUtil::downcastAndValidate< const envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport&>( config, context.messageValidationVisitor()); 
@@ -26,11 +27,90 @@ QuicServerTransportSocketConfigFactory::createTransportSocketFactory( auto factory = std::make_unique( PROTOBUF_GET_WRAPPED_OR_DEFAULT(quic_transport, enable_early_data, true), - context.statsScope(), std::move(server_config)); + context.statsScope(), std::move(server_config), context.sslContextManager(), server_names); factory->initialize(); return factory; } +namespace { +void initializeQuicCertAndKey(Ssl::TlsContext& context, + const Ssl::TlsCertificateConfig& /*cert_config*/) { + // Convert the certificate chain loaded into the context into PEM, as that is what the QUICHE + // API expects. By using the version already loaded, instead of loading it from the source, + // we can reuse all the code that loads from different formats, allows using passwords on the key, + // etc. + std::vector chain; + auto process_one_cert = [&](X509* cert) { + bssl::UniquePtr bio(BIO_new(BIO_s_mem())); + int result = PEM_write_bio_X509(bio.get(), cert); + ASSERT(result == 1); + BUF_MEM* buf_mem = nullptr; + result = BIO_get_mem_ptr(bio.get(), &buf_mem); + std::string cert_str(buf_mem->data, buf_mem->length); + std::istringstream pem_stream(cert_str); + auto pem_result = quic::ReadNextPemMessage(&pem_stream); + if (pem_result.status != quic::PemReadResult::Status::kOk) { + throwEnvoyExceptionOrPanic( + "Error loading certificate in QUIC context: error from ReadNextPemMessage"); + } + chain.push_back(std::move(pem_result.contents)); + }; + + process_one_cert(SSL_CTX_get0_certificate(context.ssl_ctx_.get())); + + STACK_OF(X509)* chain_stack = nullptr; + int result = SSL_CTX_get0_chain_certs(context.ssl_ctx_.get(), &chain_stack); + ASSERT(result == 1); + for (size_t i = 0; i < sk_X509_num(chain_stack); i++) { + process_one_cert(sk_X509_value(chain_stack, i)); + } + + quiche::QuicheReferenceCountedPointer cert_chain( + new quic::ProofSource::Chain(chain)); + + std::string error_details; + bssl::UniquePtr pub_key(X509_get_pubkey(context.cert_chain_.get())); + int 
sign_alg = deduceSignatureAlgorithmFromPublicKey(pub_key.get(), &error_details); + if (sign_alg == 0) { + throwEnvoyExceptionOrPanic( + absl::StrCat("Failed to deduce signature algorithm from public key: ", error_details)); + } + + context.quic_cert_ = std::move(cert_chain); + + bssl::UniquePtr privateKey( + bssl::UpRef(SSL_CTX_get0_privatekey(context.ssl_ctx_.get()))); + std::unique_ptr pem_key = + std::make_unique(std::move(privateKey)); + if (pem_key == nullptr) { + throwEnvoyExceptionOrPanic("Failed to load QUIC private key."); + } + + context.quic_private_key_ = std::move(pem_key); +} +} // namespace + +QuicServerTransportSocketFactory::QuicServerTransportSocketFactory( + bool enable_early_data, Stats::Scope& scope, Ssl::ServerContextConfigPtr config, + Envoy::Ssl::ContextManager& manager, const std::vector& server_names) + : QuicTransportSocketFactoryBase(scope, "server"), + handle_certs_with_shared_tls_code_(Runtime::runtimeFeatureEnabled( + "envoy.restart_features.quic_handle_certs_with_shared_tls_code")), + manager_(manager), stats_scope_(scope), config_(std::move(config)), + server_names_(server_names), + ssl_ctx_(handle_certs_with_shared_tls_code_ ? createSslServerContext() : nullptr), + enable_early_data_(enable_early_data) {} + +QuicServerTransportSocketFactory::~QuicServerTransportSocketFactory() { + manager_.removeContext(ssl_ctx_); +} + +Envoy::Ssl::ServerContextSharedPtr +QuicServerTransportSocketFactory::createSslServerContext() const { + return manager_.createSslServerContext(stats_scope_, *config_, server_names_, + initializeQuicCertAndKey); +} + ProtobufTypes::MessagePtr QuicServerTransportSocketConfigFactory::createEmptyConfigProto() { return std::make_unique< envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport>(); 
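Review bot: The `if (pem_key == nullptr)` check after `std::make_unique` in `initializeQuicCertAndKey` can never fire, since `make_unique` returns a non-null pointer or throws; the value that can actually be null is `privateKey`, because `bssl::UpRef` of a null `SSL_CTX_get0_privatekey` result yields an empty pointer and the context would then carry a key wrapper around nothing. Move the check before construction: `if (privateKey == nullptr) { throwEnvoyExceptionOrPanic("Failed to load QUIC private key."); }`. Likewise `pub_key` from `X509_get_pubkey` is handed to `deduceSignatureAlgorithmFromPublicKey` without a null check, and whether that helper tolerates null is not visible here. The `BIO_get_mem_ptr` return value is stored in `result` but, unlike the `PEM_write_bio_X509` result, never asserted, and if `ASSERT` is debug-only as its name suggests, a failure there would leave `buf_mem` null at `buf_mem->data` in release builds.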
@@ -46,6 +126,49 @@ void QuicServerTransportSocketFactory::initialize() { } } +std::pair, + std::shared_ptr> +QuicServerTransportSocketFactory::getTlsCertificateAndKey(absl::string_view sni, + bool* cert_matched_sni) const { + // onSecretUpdated() could be invoked in the middle of checking the existence of , and using, + // ssl_ctx. Capture ssl_ctx_ into a local variable so that we check and use the same ssl_ctx. + Envoy::Ssl::ServerContextSharedPtr ssl_ctx; + { + absl::ReaderMutexLock l(&ssl_ctx_mu_); + ssl_ctx = ssl_ctx_; + } + if (!ssl_ctx) { + ENVOY_LOG(warn, "SDS hasn't finished updating Ssl context config yet."); + stats_.downstream_context_secrets_not_ready_.inc(); + *cert_matched_sni = false; + return {}; + } + auto ctx = + std::dynamic_pointer_cast(ssl_ctx); + auto [tls_context, ocsp_staple_action] = ctx->findTlsContext( + sni, true /* TODO: ecdsa_capable */, false /* TODO: ocsp_capable */, cert_matched_sni); + + // Thread safety note: accessing the tls_context requires holding a shared_ptr to the ``ssl_ctx``. + // Both of these members are themselves reference counted, so it is safe to use them after + // ``ssl_ctx`` goes out of scope after the function returns. + return {tls_context.quic_cert_, tls_context.quic_private_key_}; +} + +void QuicServerTransportSocketFactory::onSecretUpdated() { + ENVOY_LOG(debug, "Secret is updated."); + + if (handle_certs_with_shared_tls_code_) { + auto ctx = createSslServerContext(); + { + absl::WriterMutexLock l(&ssl_ctx_mu_); + std::swap(ctx, ssl_ctx_); + } + manager_.removeContext(ctx); + } + + stats_.context_config_update_by_sds_.inc(); +} + REGISTER_FACTORY(QuicServerTransportSocketConfigFactory, Server::Configuration::DownstreamTransportSocketConfigFactory); diff --git a/source/common/quic/quic_server_transport_socket_factory.h b/source/common/quic/quic_server_transport_socket_factory.h index bb64ec76e9af..eaf93fac49ae 100644 --- a/source/common/quic/quic_server_transport_socket_factory.h 
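Review bot: `ctx` from `std::dynamic_pointer_cast` in `getTlsCertificateAndKey` is dereferenced at `ctx->findTlsContext` without a check; if the context manager ever hands back another concrete type this becomes a null dereference during a handshake rather than a clear failure, so an `ASSERT(ctx != nullptr);` (or treating it like the not-ready branch) is warranted. The hard-coded `true /* TODO: ecdsa_capable */, false /* TODO: ocsp_capable */` arguments presumably mean the client's advertised capabilities are not consulted for certificate selection and an OCSP staple is never chosen; a comment stating that consequence, in the spirit of the `TODO(danzh)` kept on the legacy path, would save the next reader from rediscovering it. In `onSecretUpdated`, `createSslServerContext()` can throw from `initializeQuicCertAndKey`; the old context then stays installed, which is the safe outcome, but the exception leaves the secret callback and `context_config_update_by_sds_` is not incremented, so confirm the caller expects that.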
+++ b/source/common/quic/quic_server_transport_socket_factory.h @@ -8,7 +8,7 @@ #include "source/common/common/assert.h" #include "source/common/network/transport_socket_options_impl.h" #include "source/common/quic/quic_transport_socket_factory.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/ssl_socket.h" namespace Envoy { namespace Quic { @@ -19,9 +19,10 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock public QuicTransportSocketFactoryBase { public: QuicServerTransportSocketFactory(bool enable_early_data, Stats::Scope& store, - Ssl::ServerContextConfigPtr config) - : QuicTransportSocketFactoryBase(store, "server"), config_(std::move(config)), - enable_early_data_(enable_early_data) {} + Ssl::ServerContextConfigPtr config, + Envoy::Ssl::ContextManager& manager, + const std::vector& server_names); + ~QuicServerTransportSocketFactory() override; // Network::DownstreamTransportSocketFactory Network::TransportSocketPtr createDownstreamTransportSocket() const override { @@ -31,9 +32,13 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock void initialize() override; + std::pair, + std::shared_ptr> + getTlsCertificateAndKey(absl::string_view sni, bool* cert_matched_sni) const; + // Return TLS certificates if the context config is ready. std::vector> - getTlsCertificates() const { + legacyGetTlsCertificates() const { if (!config_->isReady()) { ENVOY_LOG(warn, "SDS hasn't finished updating Ssl context config yet."); stats_.downstream_context_secrets_not_ready_.inc(); 
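Review bot: `getTlsCertificateAndKey` is declared without a comment while the neighbouring `legacyGetTlsCertificates` keeps its `// Return TLS certificates if the context config is ready.` header, so the new public entry point, the one the non-legacy path uses, is the undocumented one. Something like `// Returns the QUIC certificate chain and private key selected for sni from the shared TLS context, or a pair of null pointers if the SDS-provided context is not ready; cert_matched_sni is written on the not-ready path and handed to the context lookup otherwise.` above the declaration would match the file's style. The class body continues past the end of this hunk.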
@@ -44,11 +49,21 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock bool earlyDataEnabled() const { return enable_early_data_; } + bool handleCertsWithSharedTlsCode() const { return handle_certs_with_shared_tls_code_; } + protected: - void onSecretUpdated() override { stats_.context_config_update_by_sds_.inc(); } + void onSecretUpdated() override; private: + Envoy::Ssl::ServerContextSharedPtr createSslServerContext() const; + + const bool handle_certs_with_shared_tls_code_; + Envoy::Ssl::ContextManager& manager_; + Stats::Scope& stats_scope_; Ssl::ServerContextConfigPtr config_; + const std::vector server_names_; + mutable absl::Mutex ssl_ctx_mu_; + Envoy::Ssl::ServerContextSharedPtr ssl_ctx_ ABSL_GUARDED_BY(ssl_ctx_mu_); bool enable_early_data_; }; diff --git a/source/common/quic/quic_ssl_connection_info.h b/source/common/quic/quic_ssl_connection_info.h index 2efcc27ad509..f8aba5bcbdc1 100644 --- a/source/common/quic/quic_ssl_connection_info.h +++ b/source/common/quic/quic_ssl_connection_info.h @@ -1,7 +1,7 @@ #pragma once #include "source/common/common/empty_string.h" -#include "source/extensions/transport_sockets/tls/connection_info_impl_base.h" +#include "source/common/tls/connection_info_impl_base.h" #include "quiche/quic/core/quic_session.h" diff --git a/source/common/quic/quic_transport_socket_factory.cc b/source/common/quic/quic_transport_socket_factory.cc index 3893dde4b6e7..716b1b7d9090 100644 --- a/source/common/quic/quic_transport_socket_factory.cc +++ b/source/common/quic/quic_transport_socket_factory.cc @@ -6,7 +6,7 @@ #include "source/common/quic/envoy_quic_proof_verifier.h" #include "source/common/runtime/runtime_features.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "quiche/quic/core/crypto/quic_client_session_cache.h" 
diff --git a/source/common/quic/quic_transport_socket_factory.h b/source/common/quic/quic_transport_socket_factory.h index d01bce40dc02..938a9d2fa61d 100644 --- a/source/common/quic/quic_transport_socket_factory.h +++ b/source/common/quic/quic_transport_socket_factory.h @@ -7,7 +7,7 @@ #include "source/common/common/assert.h" #include "source/common/network/transport_socket_options_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/ssl_socket.h" #include "quiche/quic/core/crypto/quic_crypto_client_config.h" diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 528b1e993ffa..f709e7a24984 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -81,6 +81,7 @@ RUNTIME_GUARD(envoy_reloadable_features_quic_fix_filter_manager_uaf); // Ignore the automated "remove this flag" issue: we should keep this for 1 year. Confirm with // @danzh2010 or @RyanTheOptimist before removing. RUNTIME_GUARD(envoy_reloadable_features_quic_send_server_preferred_address_to_all_clients); +RUNTIME_GUARD(envoy_reloadable_features_quic_upstream_reads_fixed_number_packets); RUNTIME_GUARD(envoy_reloadable_features_sanitize_te); RUNTIME_GUARD(envoy_reloadable_features_send_header_raw_value); RUNTIME_GUARD(envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request); 
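Review bot: Both new flags, `envoy_reloadable_features_quic_upstream_reads_fixed_number_packets` here and `envoy_restart_features_quic_handle_certs_with_shared_tls_code` in the next hunk, are registered as `RUNTIME_GUARD` rather than `FALSE_RUNTIME_GUARD`, which in this file presumably means enabled by default, so the rewritten QUIC certificate selection ships on and the legacy path is only the opt-out. That is a reasonable choice, but the guard lines carry no comment, unlike the `quic_send_server_preferred_address_to_all_clients` entry just above; a one-liner such as `// Guards the shared-TLS certificate path for QUIC; the legacy path is the rollback.` would tell a release engineer what flipping it affects.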
@@ -102,6 +103,7 @@ RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_grpc_header_before_log_grpc_status); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_restart_features_allow_client_socket_creation_failure); +RUNTIME_GUARD(envoy_restart_features_quic_handle_certs_with_shared_tls_code); RUNTIME_GUARD(envoy_restart_features_send_goaway_for_premature_rst_streams); RUNTIME_GUARD(envoy_restart_features_udp_read_normalize_addresses); RUNTIME_GUARD(envoy_restart_features_use_eds_cache_for_ads); @@ -127,8 +129,6 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_always_use_v6); FALSE_RUNTIME_GUARD(envoy_reloadable_features_refresh_rtt_after_request); // TODO(danzh) false deprecate it once QUICHE has its own enable/disable flag. FALSE_RUNTIME_GUARD(envoy_reloadable_features_quic_reject_all); -// TODO(steveWang) flip this to true after this is verified in prod. -FALSE_RUNTIME_GUARD(envoy_reloadable_features_quiche_use_mem_slice_releasor_api); // TODO(suniltheta): Once the newly added http async technique is stabilized move it under // RUNTIME_GUARD so that this option becomes default enabled. Once this option proves effective // remove the feature flag and remove code path that relies on old technique to fetch credentials diff --git a/source/common/tls/BUILD b/source/common/tls/BUILD new file mode 100644 index 000000000000..d78ea0bf7dd8 --- /dev/null +++ b/source/common/tls/BUILD 
@@ -0,0 +1,201 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_library", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +# Built-in TLS connection transport socket. + +envoy_package() + +envoy_cc_library( + name = "connection_info_impl_base_lib", + srcs = ["connection_info_impl_base.cc"], + hdrs = ["connection_info_impl_base.h"], + external_deps = ["ssl"], + visibility = ["//visibility:public"], + deps = [ + ":context_lib", + ":utility_lib", + "//source/common/common:assert_lib", + "//source/common/common:minimal_logger_lib", + ], +) + +envoy_cc_library( + name = "ssl_handshaker_lib", + srcs = ["ssl_handshaker.cc"], + hdrs = ["ssl_handshaker.h"], + deps = [ + ":connection_info_impl_base_lib", + ":context_lib", + ":utility_lib", + "//envoy/network:connection_interface", + "//envoy/network:transport_socket_interface", + "//envoy/ssl:handshaker_interface", + "//envoy/ssl:ssl_socket_extended_info_interface", + "//envoy/ssl:ssl_socket_state", + "//envoy/ssl/private_key:private_key_callbacks_interface", + "//envoy/ssl/private_key:private_key_interface", + "//envoy/stats:stats_macros", + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:minimal_logger_lib", + "//source/common/common:thread_annotations", + "//source/common/http:headers_lib", + ], +) + +envoy_cc_library( + name = "io_handle_bio_lib", + srcs = ["io_handle_bio.cc"], + hdrs = ["io_handle_bio.h"], + external_deps = ["ssl"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/network:io_handle_interface", + ], +) + +envoy_cc_library( + name = "ssl_socket_lib", + srcs = ["ssl_socket.cc"], + hdrs = ["ssl_socket.h"], + external_deps = [ + "abseil_hash", + "abseil_node_hash_map", + "abseil_optional", + "abseil_synchronization", + "ssl", + ], + # TLS is core functionality. 
+ visibility = ["//visibility:public"], + deps = [ + ":context_config_lib", + ":context_lib", + ":io_handle_bio_lib", + ":ssl_handshaker_lib", + ":utility_lib", + "//envoy/network:connection_interface", + "//envoy/network:transport_socket_interface", + "//envoy/ssl:handshaker_interface", + "//envoy/ssl:ssl_socket_extended_info_interface", + "//envoy/ssl:ssl_socket_state", + "//envoy/ssl/private_key:private_key_callbacks_interface", + "//envoy/ssl/private_key:private_key_interface", + "//envoy/stats:stats_macros", + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:minimal_logger_lib", + "//source/common/common:thread_annotations", + "//source/common/http:headers_lib", + "//source/common/network:transport_socket_options_lib", + ], +) + +envoy_cc_library( + name = "context_config_lib", + srcs = ["context_config_impl.cc"], + hdrs = ["context_config_impl.h"], + external_deps = [ + "ssl", + ], + # TLS is core functionality. + visibility = ["//visibility:public"], + deps = [ + ":ssl_handshaker_lib", + "//envoy/secret:secret_callbacks_interface", + "//envoy/secret:secret_provider_interface", + "//envoy/server:transport_socket_config_interface", + "//envoy/ssl:context_config_interface", + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:matchers_lib", + "//source/common/config:datasource_lib", + "//source/common/json:json_loader_lib", + "//source/common/protobuf:utility_lib", + "//source/common/secret:sds_api_lib", + "//source/common/ssl:certificate_validation_context_config_impl_lib", + "//source/common/ssl:tls_certificate_config_impl_lib", + "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", + ], +) + +envoy_cc_library( + name = "context_lib", + srcs = [ + "context_impl.cc", + "context_manager_impl.cc", + ], + hdrs = [ + "context_impl.h", + "context_manager_impl.h", + ], + external_deps = [ + "abseil_node_hash_set", + "abseil_synchronization", + 
"ssl", + ], + # TLS is core functionality. + visibility = ["//visibility:public"], + deps = [ + ":stats_lib", + ":utility_lib", + "//envoy/ssl:context_config_interface", + "//envoy/ssl:context_interface", + "//envoy/ssl:context_manager_interface", + "//envoy/ssl:ssl_socket_extended_info_interface", + "//envoy/ssl/private_key:private_key_interface", + "//envoy/stats:stats_interface", + "//envoy/stats:stats_macros", + "//source/common/common:assert_lib", + "//source/common/common:base64_lib", + "//source/common/common:hex_lib", + "//source/common/common:utility_lib", + "//source/common/network:address_lib", + "//source/common/network:cidr_range_lib", + "//source/common/protobuf:utility_lib", + "//source/common/runtime:runtime_features_lib", + "//source/common/stats:symbol_table_lib", + "//source/common/stats:utility_lib", + "//source/common/tls/cert_validator:cert_validator_lib", + "//source/common/tls/ocsp:ocsp_lib", + "//source/common/tls/private_key:private_key_manager_lib", + "@com_github_google_quiche//:quic_core_crypto_proof_source_lib", + "@envoy_api//envoy/admin/v3:pkg_cc_proto", + "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto", + ], +) + +envoy_cc_library( + name = "stats_lib", + srcs = ["stats.cc"], + hdrs = ["stats.h"], + external_deps = [ + "ssl", + ], + deps = [ + "//envoy/stats:stats_interface", + "//envoy/stats:stats_macros", + "//source/common/stats:symbol_table_lib", + "//source/common/stats:utility_lib", + ], +) + +envoy_cc_library( + name = "utility_lib", + srcs = ["utility.cc"], + hdrs = ["utility.h"], + external_deps = [ + "ssl", + ], + deps = [ + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:safe_memcpy_lib", + "//source/common/common:utility_lib", + "//source/common/network:address_lib", + ], +) 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/common/tls/cert_validator/BUILD similarity index 88% rename from source/extensions/transport_sockets/tls/cert_validator/BUILD rename to source/common/tls/cert_validator/BUILD index 5abc18bc2595..f0b1b69e8fd9 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/source/common/tls/cert_validator/BUILD @@ -1,12 +1,12 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_library", - "envoy_extension_package", + "envoy_package", ) licenses(["notice"]) # Apache 2 -envoy_extension_package() +envoy_package() envoy_cc_library( name = "cert_validator_lib", @@ -42,8 +42,8 @@ envoy_cc_library( "//source/common/config:utility_lib", "//source/common/stats:symbol_table_lib", "//source/common/stats:utility_lib", - "//source/extensions/transport_sockets/tls:stats_lib", - "//source/extensions/transport_sockets/tls:utility_lib", + "//source/common/tls:stats_lib", + "//source/common/tls:utility_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto", diff --git a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h b/source/common/tls/cert_validator/cert_validator.h similarity index 98% rename from source/extensions/transport_sockets/tls/cert_validator/cert_validator.h rename to source/common/tls/cert_validator/cert_validator.h index 0b3de46c8ffd..b941014309be 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h +++ b/source/common/tls/cert_validator/cert_validator.h @@ -15,7 +15,7 @@ #include "source/common/common/matchers.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/stats.h" #include "openssl/ssl.h" #include "openssl/x509v3.h" 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/common/tls/cert_validator/default_validator.cc similarity index 98% rename from source/extensions/transport_sockets/tls/cert_validator/default_validator.cc rename to source/common/tls/cert_validator/default_validator.cc index 138578d1b839..8d049f7ba0c9 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/common/tls/cert_validator/default_validator.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h" +#include "source/common/tls/cert_validator/default_validator.h" #include #include @@ -27,11 +27,11 @@ #include "source/common/runtime/runtime_features.h" #include "source/common/stats/symbol_table.h" #include "source/common/stats/utility.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/cert_validator/factory.h" -#include "source/extensions/transport_sockets/tls/cert_validator/utility.h" -#include "source/extensions/transport_sockets/tls/stats.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/cert_validator/factory.h" +#include "source/common/tls/cert_validator/utility.h" +#include "source/common/tls/stats.h" +#include "source/common/tls/utility.h" #include "absl/synchronization/mutex.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h b/source/common/tls/cert_validator/default_validator.h similarity index 95% rename from source/extensions/transport_sockets/tls/cert_validator/default_validator.h rename to source/common/tls/cert_validator/default_validator.h index 704af90c1053..c3e88bd09ca1 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h 
+++ b/source/common/tls/cert_validator/default_validator.h @@ -19,9 +19,9 @@ #include "source/common/common/logger.h" #include "source/common/common/matchers.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/cert_validator/san_matcher.h" +#include "source/common/tls/stats.h" #include "absl/synchronization/mutex.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.cc b/source/common/tls/cert_validator/factory.cc similarity index 87% rename from source/extensions/transport_sockets/tls/cert_validator/factory.cc rename to source/common/tls/cert_validator/factory.cc index b17d5b338536..318b414d3e92 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/factory.cc +++ b/source/common/tls/cert_validator/factory.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/factory.h" +#include "source/common/tls/cert_validator/factory.h" #include "envoy/ssl/context_config.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.h b/source/common/tls/cert_validator/factory.h similarity index 85% rename from source/extensions/transport_sockets/tls/cert_validator/factory.h rename to source/common/tls/cert_validator/factory.h index 9a951e943150..40f3fc3de92b 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/factory.h +++ b/source/common/tls/cert_validator/factory.h 
@@ -5,8 +5,8 @@ #include "envoy/ssl/context_config.h" #include "source/common/common/utility.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/stats.h" #include "absl/strings/string_view.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.cc b/source/common/tls/cert_validator/san_matcher.cc similarity index 94% rename from source/extensions/transport_sockets/tls/cert_validator/san_matcher.cc rename to source/common/tls/cert_validator/san_matcher.cc index 0c5dc0a77bd1..13429c3fcdcc 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.cc +++ b/source/common/tls/cert_validator/san_matcher.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h" +#include "source/common/tls/cert_validator/san_matcher.h" #include @@ -7,7 +7,7 @@ #include "envoy/registry/registry.h" #include "envoy/ssl/certificate_validation_context_config.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.h b/source/common/tls/cert_validator/san_matcher.h similarity index 95% rename from source/extensions/transport_sockets/tls/cert_validator/san_matcher.h rename to source/common/tls/cert_validator/san_matcher.h index 5c2141f4b570..260e9cc3075e 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.h +++ b/source/common/tls/cert_validator/san_matcher.h @@ -10,7 +10,7 @@ #include "source/common/common/hash.h" #include "source/common/common/matchers.h" #include "source/common/protobuf/protobuf.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" #include "openssl/x509v3.h" 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/utility.cc b/source/common/tls/cert_validator/utility.cc similarity index 94% rename from source/extensions/transport_sockets/tls/cert_validator/utility.cc rename to source/common/tls/cert_validator/utility.cc index 150a05406076..3080239fada2 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/utility.cc +++ b/source/common/tls/cert_validator/utility.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/utility.h" +#include "source/common/tls/cert_validator/utility.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/transport_sockets/tls/cert_validator/utility.h b/source/common/tls/cert_validator/utility.h similarity index 100% rename from source/extensions/transport_sockets/tls/cert_validator/utility.h rename to source/common/tls/cert_validator/utility.h diff --git a/source/extensions/transport_sockets/tls/connection_info_impl_base.cc b/source/common/tls/connection_info_impl_base.cc similarity index 99% rename from source/extensions/transport_sockets/tls/connection_info_impl_base.cc rename to source/common/tls/connection_info_impl_base.cc index 13d556bfc604..5ae15002163d 100644 --- a/source/extensions/transport_sockets/tls/connection_info_impl_base.cc +++ b/source/common/tls/connection_info_impl_base.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/connection_info_impl_base.h" +#include "source/common/tls/connection_info_impl_base.h" #include "source/common/common/hex.h" diff --git a/source/extensions/transport_sockets/tls/connection_info_impl_base.h b/source/common/tls/connection_info_impl_base.h similarity index 98% rename from source/extensions/transport_sockets/tls/connection_info_impl_base.h rename to source/common/tls/connection_info_impl_base.h index 82dba73bea9a..8bcacdb80f7f 100644 --- a/source/extensions/transport_sockets/tls/connection_info_impl_base.h 
+++ b/source/common/tls/connection_info_impl_base.h @@ -5,7 +5,7 @@ #include "envoy/ssl/connection.h" #include "source/common/common/logger.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" #include "absl/types/optional.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/context_config_impl.cc b/source/common/tls/context_config_impl.cc similarity index 99% rename from source/extensions/transport_sockets/tls/context_config_impl.cc rename to source/common/tls/context_config_impl.cc index b71736a12153..77be4ba6b4a4 100644 --- a/source/extensions/transport_sockets/tls/context_config_impl.cc +++ b/source/common/tls/context_config_impl.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include #include @@ -12,7 +12,7 @@ #include "source/common/protobuf/utility.h" #include "source/common/secret/sds_api.h" #include "source/common/ssl/certificate_validation_context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" +#include "source/common/tls/ssl_handshaker.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/context_config_impl.h b/source/common/tls/context_config_impl.h similarity index 100% rename from source/extensions/transport_sockets/tls/context_config_impl.h rename to source/common/tls/context_config_impl.h diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/common/tls/context_impl.cc similarity index 96% rename from source/extensions/transport_sockets/tls/context_impl.cc rename to source/common/tls/context_impl.cc index 7a5209258dab..7d86c94bd5f6 100644 --- a/source/extensions/transport_sockets/tls/context_impl.cc +++ b/source/common/tls/context_impl.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/context_impl.h" +#include "source/common/tls/context_impl.h" #include 
@@ -26,9 +26,9 @@ #include "source/common/protobuf/utility.h" #include "source/common/runtime/runtime_features.h" #include "source/common/stats/utility.h" -#include "source/extensions/transport_sockets/tls/cert_validator/factory.h" -#include "source/extensions/transport_sockets/tls/stats.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/cert_validator/factory.h" +#include "source/common/tls/stats.h" +#include "source/common/tls/utility.h" #include "absl/container/node_hash_set.h" #include "absl/strings/match.h" @@ -40,10 +40,6 @@ #include "openssl/rand.h" namespace Envoy { -namespace Extensions { -namespace TransportSockets { -namespace Tls { - namespace { bool cbsContainsU16(CBS& cbs, uint16_t n) { @@ -71,6 +67,10 @@ void logSslErrorChain() { } // namespace +namespace Extensions { +namespace TransportSockets { +namespace Tls { + int ContextImpl::sslExtendedSocketInfoIndex() { CONSTRUCT_ON_FIRST_USE(int, []() -> int { int ssl_context_index = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr); @@ -80,7 +80,7 @@ int ContextImpl::sslExtendedSocketInfoIndex() { } ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, - TimeSource& time_source) + TimeSource& time_source, Ssl::ContextAdditionalInitFunc additional_init) : scope_(scope), stats_(generateSslStats(scope)), time_source_(time_source), tls_max_version_(config.maxProtocolVersion()), stat_name_set_(scope.symbolTable().makeSet("TransportSockets::Tls")), @@ -292,6 +292,10 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c ctx.loadPrivateKey(tls_certificate.privateKey(), tls_certificate.privateKeyPath(), tls_certificate.password()); } + + if (additional_init != nullptr) { + additional_init(ctx, tls_certificate); + } } } 
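Review bot: The new `additional_init(ctx, tls_certificate)` call at the end of the certificate loop carries no comment saying what the hook is for or what state `ctx` is in when it runs, and the header declaration added by this commit does not document the parameter either; a one-liner such as `// Caller-supplied per-certificate hook, run once this certificate's private key has been loaded into ctx.` would cover it. Because the hook receives a mutable `Ssl::TlsContext&` for every configured certificate, it is also worth stating whether an exception thrown from it is meant to abort context construction the way a `loadPrivateKey` failure does. The constructor body continues outside the hunk, so I cannot tell whether later code depends on the hook having run.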
@@ -323,7 +327,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c // Use the SSL library to iterate over the configured ciphers. // // Note that if a negotiated cipher suite is outside of this set, we'll issue an ENVOY_BUG. - for (TlsContext& tls_context : tls_contexts_) { + for (Ssl::TlsContext& tls_context : tls_contexts_) { for (const SSL_CIPHER* cipher : SSL_CTX_get_ciphers(tls_context.ssl_ctx_.get())) { stat_name_set_->rememberBuiltin(SSL_CIPHER_get_name(cipher)); } @@ -372,7 +376,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c // As late as possible, run the custom SSL_CTX configuration callback on each // SSL_CTX, if set. if (auto sslctx_cb = config.sslctxCb(); sslctx_cb) { - for (TlsContext& ctx : tls_contexts_) { + for (Ssl::TlsContext& ctx : tls_contexts_) { sslctx_cb(ctx.ssl_ctx_.get()); } } @@ -656,7 +660,7 @@ std::vector ContextImpl::getCertChainInformat ClientContextImpl::ClientContextImpl(Stats::Scope& scope, const Envoy::Ssl::ClientContextConfig& config, TimeSource& time_source) - : ContextImpl(scope, config, time_source), + : ContextImpl(scope, config, time_source, nullptr /* additional_init */), server_name_indication_(config.serverNameIndication()), allow_renegotiation_(config.allowRenegotiation()), enforce_rsa_key_usage_(config.enforceRsaKeyUsage()), 
@@ -785,8 +789,10 @@ int ClientContextImpl::newSessionKey(SSL_SESSION* session) { ServerContextImpl::ServerContextImpl(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, const std::vector& server_names, - TimeSource& time_source) - : ContextImpl(scope, config, time_source), session_ticket_keys_(config.sessionTicketKeys()), + TimeSource& time_source, + Ssl::ContextAdditionalInitFunc additional_init) + : ContextImpl(scope, config, time_source, additional_init), + session_ticket_keys_(config.sessionTicketKeys()), ocsp_staple_policy_(config.ocspStaplePolicy()), full_scan_certs_on_sni_mismatch_(config.fullScanCertsOnSNIMismatch()) { if (config.tlsCertificates().empty() && !config.capabilities().provides_certificates) { @@ -891,7 +897,7 @@ ServerContextImpl::ServerContextImpl(Stats::Scope& scope, } } -void ServerContextImpl::populateServerNamesMap(TlsContext& ctx, int pkey_id) { +void ServerContextImpl::populateServerNamesMap(Ssl::TlsContext& ctx, int pkey_id) { if (ctx.cert_chain_ == nullptr) { return; } @@ -913,7 +919,7 @@ void ServerContextImpl::populateServerNamesMap(TlsContext& ctx, int pkey_id) { // implemented. return; } - sn_match->second.emplace(std::pair>(pkey_id, ctx)); + sn_match->second.emplace(std::pair>(pkey_id, ctx)); }; bssl::UniquePtr san_names(static_cast( @@ -1193,7 +1199,7 @@ bool ServerContextImpl::isClientOcspCapable(const SSL_CLIENT_HELLO* ssl_client_h return false; } -OcspStapleAction ServerContextImpl::ocspStapleAction(const TlsContext& ctx, +OcspStapleAction ServerContextImpl::ocspStapleAction(const Ssl::TlsContext& ctx, bool client_ocsp_capable) { if (!client_ocsp_capable) { return OcspStapleAction::ClientNotCapable; 
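Review bot: `additional_init` is a by-value `Ssl::ContextAdditionalInitFunc` parameter but is handed to the `ContextImpl` base constructor as an lvalue, so the callable is copied; `: ContextImpl(scope, config, time_source, std::move(additional_init)),` would match the `std::move(additional_init)` this commit already uses in `ContextManagerImpl::createSslServerContext`. Minor, but if the callable captures non-trivial state the copy is avoidable. The remainder of the `ServerContextImpl` constructor lies outside the hunk.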
@@ -1235,20 +1241,22 @@ OcspStapleAction ServerContextImpl::ocspStapleAction(const TlsContext& ctx, PANIC_DUE_TO_CORRUPT_ENUM; } -enum ssl_select_cert_result_t -ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { - const bool client_ecdsa_capable = isClientEcdsaCapable(ssl_client_hello); - const bool client_ocsp_capable = isClientOcspCapable(ssl_client_hello); - absl::string_view sni = absl::NullSafeStringView( - SSL_get_servername(ssl_client_hello->ssl, TLSEXT_NAMETYPE_host_name)); +std::pair +ServerContextImpl::findTlsContext(absl::string_view sni, bool client_ecdsa_capable, + bool client_ocsp_capable, bool* cert_matched_sni) { + bool unused = false; + if (cert_matched_sni == nullptr) { + // Avoid need for nullptr checks when this is set. + cert_matched_sni = &unused; + } // selected_ctx represents the final selected certificate, it should meet all requirements or pick - // a candidate - const TlsContext* selected_ctx = nullptr; - const TlsContext* candidate_ctx = nullptr; + // a candidate. + const Ssl::TlsContext* selected_ctx = nullptr; + const Ssl::TlsContext* candidate_ctx = nullptr; OcspStapleAction ocsp_staple_action; - auto selected = [&](const TlsContext& ctx) -> bool { + auto selected = [&](const Ssl::TlsContext& ctx) -> bool { auto action = ocspStapleAction(ctx, client_ocsp_capable); if (action == OcspStapleAction::Fail) { // The selected ctx must adhere to OCSP policy @@ -1311,6 +1319,7 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { select_from_map(wildcard); } } + *cert_matched_sni = (selected_ctx != nullptr || candidate_ctx != nullptr); tail_select(full_scan_certs_on_sni_mismatch_); } // Full scan certs if SNI is not provided by client; 
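Review bot: `*cert_matched_sni` is written only on the path where an SNI lookup was attempted (the line added after `select_from_map(wildcard);`); as far as the two hunks show, the branch following the `// Full scan certs if SNI is not provided by client;` comment never touches it, so a caller that passes its own flag gets back whatever value the flag held before the call. Initialising it right after the nullptr substitution, `*cert_matched_sni = false;`, gives the out-parameter a defined value on every path, and the substitution comment would read more naturally as `// Point at a local so later writes need no nullptr check.`. The SNI-present branch between the two hunks is not visible, so the branch structure is inferred from the surrounding context lines; the function's tail is in the next hunk.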
@@ -1329,10 +1338,24 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { tail_select(false); } + ASSERT(selected_ctx != nullptr); + return {*selected_ctx, ocsp_staple_action}; +} + +enum ssl_select_cert_result_t +ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { + absl::string_view sni = absl::NullSafeStringView( + SSL_get_servername(ssl_client_hello->ssl, TLSEXT_NAMETYPE_host_name)); + const bool client_ecdsa_capable = isClientEcdsaCapable(ssl_client_hello); + const bool client_ocsp_capable = isClientOcspCapable(ssl_client_hello); + + auto [selected_ctx, ocsp_staple_action] = + findTlsContext(sni, client_ecdsa_capable, client_ocsp_capable, nullptr); + // Apply the selected context. This must be done before OCSP stapling below // since applying the context can remove the previously-set OCSP response. // This will only return NULL if memory allocation fails. - RELEASE_ASSERT(SSL_set_SSL_CTX(ssl_client_hello->ssl, selected_ctx->ssl_ctx_.get()) != nullptr, + RELEASE_ASSERT(SSL_set_SSL_CTX(ssl_client_hello->ssl, selected_ctx.ssl_ctx_.get()) != nullptr, ""); if (client_ocsp_capable) { @@ -1342,9 +1365,9 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { switch (ocsp_staple_action) { case OcspStapleAction::Staple: { // We avoid setting the OCSP response if the client didn't request it, but doing so is safe. - RELEASE_ASSERT(selected_ctx->ocsp_response_, + RELEASE_ASSERT(selected_ctx.ocsp_response_, "OCSP response must be present under OcspStapleAction::Staple"); - auto& resp_bytes = selected_ctx->ocsp_response_->rawBytes(); + auto& resp_bytes = selected_ctx.ocsp_response_->rawBytes(); int rc = SSL_set_ocsp_response(ssl_client_hello->ssl, resp_bytes.data(), resp_bytes.size()); RELEASE_ASSERT(rc != 0, ""); stats_.ocsp_staple_responses_.inc(); 
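Review bot: `ASSERT(selected_ctx != nullptr);` followed by `return {*selected_ctx, ocsp_staple_action};` dereferences a null pointer in release builds, where Envoy's `ASSERT` is compiled out, and because `findTlsContext` is now a public method callable with arbitrary `sni` and capability flags rather than only from the ClientHello callback, the caller no longer guarantees the invariant that `tail_select` picks a context. The pre-change code had the same dereference with no assert at all, so this is not a regression, but `RELEASE_ASSERT(selected_ctx != nullptr, "");` would turn a silent null dereference into a crash with a message, or the header comment should state that `tls_contexts_` being non-empty guarantees a result. The selection logic between this hunk and the previous one is outside my view.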
@@ -1362,6 +1385,31 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { return ssl_select_cert_success; } +ValidationResults ContextImpl::customVerifyCertChainForQuic( + STACK_OF(X509)& cert_chain, Ssl::ValidateResultCallbackPtr callback, bool is_server, + const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options, + const CertValidator::ExtraValidationContext& validation_context, const std::string& host_name) { + ASSERT(!tls_contexts_.empty()); + // It doesn't matter which SSL context is used, because they share the same cert validation + // config. + SSL_CTX* ssl_ctx = tls_contexts_[0].ssl_ctx_.get(); + if (SSL_CTX_get_verify_mode(ssl_ctx) == SSL_VERIFY_NONE) { + // Skip validation if the TLS is configured SSL_VERIFY_NONE. + return {ValidationResults::ValidationStatus::Successful, + Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt}; + } + ValidationResults result = + cert_validator_->doVerifyCertChain(cert_chain, std::move(callback), transport_socket_options, + *ssl_ctx, validation_context, is_server, host_name); + return result; +} + +} // namespace Tls +} // namespace TransportSockets +} // namespace Extensions + +namespace Ssl { + bool TlsContext::isCipherEnabled(uint16_t cipher_id, uint16_t client_version) { const SSL_CIPHER* c = SSL_get_cipher_by_value(cipher_id); if (c == nullptr) { 
@@ -1382,25 +1430,6 @@ bool TlsContext::isCipherEnabled(uint16_t cipher_id, uint16_t client_version) { return false; } -ValidationResults ContextImpl::customVerifyCertChainForQuic( - STACK_OF(X509)& cert_chain, Ssl::ValidateResultCallbackPtr callback, bool is_server, - const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options, - const CertValidator::ExtraValidationContext& validation_context, const std::string& host_name) { - ASSERT(!tls_contexts_.empty()); - // It doesn't matter which SSL context is used, because they share the same cert validation - // config. - SSL_CTX* ssl_ctx = tls_contexts_[0].ssl_ctx_.get(); - if (SSL_CTX_get_verify_mode(ssl_ctx) == SSL_VERIFY_NONE) { - // Skip validation if the TLS is configured SSL_VERIFY_NONE. - return {ValidationResults::ValidationStatus::Successful, - Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt}; - } - ValidationResults result = - cert_validator_->doVerifyCertChain(cert_chain, std::move(callback), transport_socket_options, - *ssl_ctx, validation_context, is_server, host_name); - return result; -} - void TlsContext::loadCertificateChain(const std::string& data, const std::string& data_path) { cert_chain_file_path_ = data_path; bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(data.data()), data.size())); @@ -1443,9 +1472,9 @@ void TlsContext::loadPrivateKey(const std::string& data, const std::string& data !password.empty() ? const_cast(password.c_str()) : nullptr)); if (pkey == nullptr || !SSL_CTX_use_PrivateKey(ssl_ctx_.get(), pkey.get())) { - throwEnvoyExceptionOrPanic(fmt::format("Failed to load private key from {}, Cause: {}", - data_path, - Utility::getLastCryptoError().value_or("unknown"))); + throwEnvoyExceptionOrPanic(fmt::format( + "Failed to load private key from {}, Cause: {}", data_path, + Extensions::TransportSockets::Tls::Utility::getLastCryptoError().value_or("unknown"))); } checkPrivateKey(pkey, data_path); 
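Review bot: The error path now spells out `Extensions::TransportSockets::Tls::Utility::getLastCryptoError()` in full, here and again in the `loadPkcs12` hunk on the next line, which pushes each `fmt::format` call onto three lines. A single alias declared once inside `namespace Ssl` (a `using` alias for `Utility`, or a namespace alias if it is a namespace) would keep both call sites at their previous shape. Purely stylistic; the error messages themselves are unchanged.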
@@ -1482,9 +1511,9 @@ void TlsContext::loadPkcs12(const std::string& data, const std::string& data_pat throwEnvoyExceptionOrPanic(absl::StrCat("Failed to load certificate from ", data_path)); } if (temp_private_key == nullptr || !SSL_CTX_use_PrivateKey(ssl_ctx_.get(), pkey.get())) { - throwEnvoyExceptionOrPanic(fmt::format("Failed to load private key from {}, Cause: {}", - data_path, - Utility::getLastCryptoError().value_or("unknown"))); + throwEnvoyExceptionOrPanic(fmt::format( + "Failed to load private key from {}, Cause: {}", data_path, + Extensions::TransportSockets::Tls::Utility::getLastCryptoError().value_or("unknown"))); } checkPrivateKey(pkey, data_path); @@ -1518,7 +1547,5 @@ void TlsContext::checkPrivateKey(const bssl::UniquePtr& pkey, #endif } -} // namespace Tls -} // namespace TransportSockets -} // namespace Extensions +} // namespace Ssl } // namespace Envoy diff --git a/source/extensions/transport_sockets/tls/context_impl.h b/source/common/tls/context_impl.h similarity index 84% rename from source/extensions/transport_sockets/tls/context_impl.h rename to source/common/tls/context_impl.h index 6f034afd6b35..9bffa93a74a4 100644 --- a/source/extensions/transport_sockets/tls/context_impl.h +++ b/source/common/tls/context_impl.h 
@@ -19,23 +19,25 @@ #include "source/common/common/matchers.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ocsp/ocsp.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ocsp/ocsp.h" +#include "source/common/tls/stats.h" #include "absl/synchronization/mutex.h" #include "openssl/ssl.h" #include "openssl/x509v3.h" +#ifdef ENVOY_ENABLE_QUIC +#include "quiche/quic/core/crypto/proof_source.h" +#endif + namespace Envoy { #ifndef OPENSSL_IS_BORINGSSL #error Envoy requires BoringSSL #endif -namespace Extensions { -namespace TransportSockets { -namespace Tls { +namespace Ssl { struct TlsContext { // Each certificate specified for the context has its own SSL_CTX. `SSL_CTXs` @@ -45,11 +47,16 @@ struct TlsContext { bssl::UniquePtr ssl_ctx_; bssl::UniquePtr cert_chain_; std::string cert_chain_file_path_; - Ocsp::OcspResponseWrapperPtr ocsp_response_; + Extensions::TransportSockets::Tls::Ocsp::OcspResponseWrapperPtr ocsp_response_; bool is_ecdsa_{}; bool is_must_staple_{}; Ssl::PrivateKeyMethodProviderSharedPtr private_key_method_provider_{}; +#ifdef ENVOY_ENABLE_QUIC + quiche::QuicheReferenceCountedPointer quic_cert_; + std::shared_ptr quic_private_key_; +#endif + std::string getCertChainFileName() const { return cert_chain_file_path_; }; bool isCipherEnabled(uint16_t cipher_id, uint16_t client_version); Envoy::Ssl::PrivateKeyMethodProviderSharedPtr getPrivateKeyMethodProvider() { 
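Review bot: The new `quic_cert_` and `quic_private_key_` members of `Ssl::TlsContext` carry no comment on who populates them or when, unlike `ssl_ctx_`, whose per-certificate ownership is explained just above; and since `quic_private_key_` is a `std::shared_ptr`, the key handle can now outlive the `TlsContext` through any other holder, which is worth stating. A comment such as `// QUIC view of this certificate's chain and key; presumably populated by the additional_init hook — confirm before relying on them being set.` would help, with the hedge kept, since I am inferring the population path from the rest of this commit rather than from these lines. The struct is cut by the hunk boundary, so its remaining members are outside my view.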
@@ -62,6 +69,11 @@ struct TlsContext { const std::string& password); void checkPrivateKey(const bssl::UniquePtr& pkey, const std::string& key_path); }; +} // namespace Ssl + +namespace Extensions { +namespace TransportSockets { +namespace Tls { class ContextImpl : public virtual Envoy::Ssl::Context, protected Logger::Loggable { @@ -103,8 +115,8 @@ class ContextImpl : public virtual Envoy::Ssl::Context, protected: friend class ContextImplPeer; - ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, - TimeSource& time_source); + ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, TimeSource& time_source, + Ssl::ContextAdditionalInitFunc additional_init); /** * The global SSL-library index used for storing a pointer to the context @@ -126,13 +138,13 @@ class ContextImpl : public virtual Envoy::Ssl::Context, Envoy::Ssl::SslExtendedSocketInfo* extended_socket_info, const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options, SSL* ssl); - void populateServerNamesMap(TlsContext& ctx, const int pkey_id); + void populateServerNamesMap(Ssl::TlsContext& ctx, const int pkey_id); // This is always non-empty, with the first context used for all new SSL // objects. For server contexts, once we have ClientHello, we // potentially switch to a different CertificateContext based on certificate // selection. - std::vector tls_contexts_; + std::vector tls_contexts_; CertValidatorPtr cert_validator_; Stats::Scope& scope_; SslStats stats_; 
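Review bot: The `ContextImpl` constructor gains an `Ssl::ContextAdditionalInitFunc additional_init` parameter with no documentation, although the neighbouring protected members carry Doxygen blocks (`/** The global SSL-library index ... */`). Per the `.cc` hunk in this commit it is invoked once per configured certificate after that certificate's private key is loaded, and `nullptr` is accepted (the client context passes `nullptr /* additional_init */`), so a `@param additional_init` line stating both facts — optional hook, called per certificate with a mutable `Ssl::TlsContext&` — would save readers a trip to the implementation. The class body continues beyond the hunk.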
@@ -183,23 +195,31 @@ enum class OcspStapleAction { Staple, NoStaple, Fail, ClientNotCapable }; class ServerContextImpl : public ContextImpl, public Envoy::Ssl::ServerContext { public: ServerContextImpl(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, - const std::vector& server_names, TimeSource& time_source); + const std::vector& server_names, TimeSource& time_source, + Ssl::ContextAdditionalInitFunc additional_init); // Select the TLS certificate context in SSL_CTX_set_select_certificate_cb() callback with // ClientHello details. This is made public for use by custom TLS extensions who want to // manually create and use this as a client hello callback. enum ssl_select_cert_result_t selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello); + // Finds the best matching context. The returned context will have the same lifetime as + // this ``ServerContextImpl``. + std::pair findTlsContext(absl::string_view sni, + bool client_ecdsa_capable, + bool client_ocsp_capable, + bool* cert_matched_sni); + private: // Currently, at most one certificate of a given key type may be specified for each exact // server name or wildcard domain name. - using PkeyTypesMap = absl::flat_hash_map>; + using PkeyTypesMap = absl::flat_hash_map>; // Both exact server names and wildcard domains are part of the same map, in which wildcard // domains are prefixed with "." (i.e. ".example.com" for "*.example.com") to differentiate // between exact and wildcard entries. using ServerNamesMap = absl::flat_hash_map; - void populateServerNamesMap(TlsContext& ctx, const int pkey_id); + void populateServerNamesMap(Ssl::TlsContext& ctx, const int pkey_id); using SessionContextID = std::array; 
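Review bot: The public `findTlsContext` comment covers the returned context's lifetime but says nothing about the `cert_matched_sni` out-parameter, which is nullable and, as far as the `.cc` hunks show, is set from the outcome of the SNI map lookups before the fallback `tail_select` runs. Suggest extending the comment with `// cert_matched_sni (optional) receives whether a certificate was found via the SNI lookup rather than the fallback scan.`, and a `std::pair` plus an unnamed `bool*` flag is the sort of interface a small result struct would make self-describing. The class declaration continues past the hunk on both sides.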
@@ -209,7 +229,7 @@ class ServerContextImpl : public ContextImpl, public Envoy::Ssl::ServerContext { HMAC_CTX* hmac_ctx, int encrypt); bool isClientEcdsaCapable(const SSL_CLIENT_HELLO* ssl_client_hello); bool isClientOcspCapable(const SSL_CLIENT_HELLO* ssl_client_hello); - OcspStapleAction ocspStapleAction(const TlsContext& ctx, bool client_ocsp_capable); + OcspStapleAction ocspStapleAction(const Ssl::TlsContext& ctx, bool client_ocsp_capable); SessionContextID generateHashForSessionContextId(const std::vector& server_names); diff --git a/source/extensions/transport_sockets/tls/context_manager_impl.cc b/source/common/tls/context_manager_impl.cc similarity index 81% rename from source/extensions/transport_sockets/tls/context_manager_impl.cc rename to source/common/tls/context_manager_impl.cc index 4544ec7a1580..b76a81264e21 100644 --- a/source/extensions/transport_sockets/tls/context_manager_impl.cc +++ b/source/common/tls/context_manager_impl.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include #include @@ -8,7 +8,7 @@ #include "envoy/stats/scope.h" #include "source/common/common/assert.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" +#include "source/common/tls/context_impl.h" namespace Envoy { namespace Extensions { 
@@ -30,16 +30,15 @@ ContextManagerImpl::createSslClientContext(Stats::Scope& scope, return context; } -Envoy::Ssl::ServerContextSharedPtr -ContextManagerImpl::createSslServerContext(Stats::Scope& scope, - const Envoy::Ssl::ServerContextConfig& config, - const std::vector& server_names) { +Envoy::Ssl::ServerContextSharedPtr ContextManagerImpl::createSslServerContext( + Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, + const std::vector& server_names, Ssl::ContextAdditionalInitFunc additional_init) { if (!config.isReady()) { return nullptr; } - Envoy::Ssl::ServerContextSharedPtr context = - std::make_shared(scope, config, server_names, time_source_); + Envoy::Ssl::ServerContextSharedPtr context = std::make_shared( + scope, config, server_names, time_source_, std::move(additional_init)); contexts_.insert(context); return context; } diff --git a/source/extensions/transport_sockets/tls/context_manager_impl.h b/source/common/tls/context_manager_impl.h similarity index 92% rename from source/extensions/transport_sockets/tls/context_manager_impl.h rename to source/common/tls/context_manager_impl.h index d7386f1d1988..db72e1d308e0 100644 --- a/source/extensions/transport_sockets/tls/context_manager_impl.h +++ b/source/common/tls/context_manager_impl.h @@ -9,7 +9,7 @@ #include "envoy/ssl/private_key/private_key.h" #include "envoy/stats/scope.h" -#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h" +#include "source/common/tls/private_key/private_key_manager_impl.h" namespace Envoy { namespace Extensions { 
@@ -34,7 +34,8 @@ class ContextManagerImpl final : public Envoy::Ssl::ContextManager { const Envoy::Ssl::ClientContextConfig& config) override; Ssl::ServerContextSharedPtr createSslServerContext(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, - const std::vector& server_names) override; + const std::vector& server_names, + Ssl::ContextAdditionalInitFunc additional_init) override; absl::optional daysUntilFirstCertExpires() const override; absl::optional secondsUntilFirstOcspResponseExpires() const override; void iterateContexts(std::function callback) override; diff --git a/source/extensions/transport_sockets/tls/io_handle_bio.cc b/source/common/tls/io_handle_bio.cc similarity index 97% rename from source/extensions/transport_sockets/tls/io_handle_bio.cc rename to source/common/tls/io_handle_bio.cc index f5faf5fec27b..5222c3143d95 100644 --- a/source/extensions/transport_sockets/tls/io_handle_bio.cc +++ b/source/common/tls/io_handle_bio.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/io_handle_bio.h" +#include "source/common/tls/io_handle_bio.h" #include "envoy/buffer/buffer.h" #include "envoy/network/io_handle.h" diff --git a/source/extensions/transport_sockets/tls/io_handle_bio.h b/source/common/tls/io_handle_bio.h similarity index 100% rename from source/extensions/transport_sockets/tls/io_handle_bio.h rename to source/common/tls/io_handle_bio.h diff --git a/source/extensions/transport_sockets/tls/ocsp/BUILD b/source/common/tls/ocsp/BUILD similarity index 84% rename from source/extensions/transport_sockets/tls/ocsp/BUILD rename to source/common/tls/ocsp/BUILD index 70b250cffe15..dad9dadb7522 100644 --- a/source/extensions/transport_sockets/tls/ocsp/BUILD +++ b/source/common/tls/ocsp/BUILD 
@@ -1,12 +1,12 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_library", - "envoy_extension_package", + "envoy_package", ) licenses(["notice"]) # Apache 2 -envoy_extension_package() +envoy_package() envoy_cc_library( name = "ocsp_lib", @@ -17,7 +17,7 @@ envoy_cc_library( ":asn1_utility_lib", "//envoy/common:time_interface", "//envoy/ssl:context_config_interface", - "//source/extensions/transport_sockets/tls:utility_lib", + "//source/common/tls:utility_lib", ], ) diff --git a/source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc b/source/common/tls/ocsp/asn1_utility.cc similarity index 98% rename from source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc rename to source/common/tls/ocsp/asn1_utility.cc index e152cf8d0f1f..5e1c606978af 100644 --- a/source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc +++ b/source/common/tls/ocsp/asn1_utility.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/ocsp/asn1_utility.h" +#include "source/common/tls/ocsp/asn1_utility.h" #include "source/common/common/c_smart_ptr.h" diff --git a/source/extensions/transport_sockets/tls/ocsp/asn1_utility.h b/source/common/tls/ocsp/asn1_utility.h similarity index 100% rename from source/extensions/transport_sockets/tls/ocsp/asn1_utility.h rename to source/common/tls/ocsp/asn1_utility.h diff --git a/source/extensions/transport_sockets/tls/ocsp/ocsp.cc b/source/common/tls/ocsp/ocsp.cc similarity index 98% rename from source/extensions/transport_sockets/tls/ocsp/ocsp.cc rename to source/common/tls/ocsp/ocsp.cc index bfa0ee6523d6..d1c3a99daaa9 100644 --- a/source/extensions/transport_sockets/tls/ocsp/ocsp.cc +++ b/source/common/tls/ocsp/ocsp.cc 
@@ -1,8 +1,8 @@ -#include "source/extensions/transport_sockets/tls/ocsp/ocsp.h" +#include "source/common/tls/ocsp/ocsp.h" #include "source/common/common/utility.h" -#include "source/extensions/transport_sockets/tls/ocsp/asn1_utility.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/ocsp/asn1_utility.h" +#include "source/common/tls/utility.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/transport_sockets/tls/ocsp/ocsp.h b/source/common/tls/ocsp/ocsp.h similarity index 100% rename from source/extensions/transport_sockets/tls/ocsp/ocsp.h rename to source/common/tls/ocsp/ocsp.h diff --git a/source/extensions/transport_sockets/tls/private_key/BUILD b/source/common/tls/private_key/BUILD similarity index 90% rename from source/extensions/transport_sockets/tls/private_key/BUILD rename to source/common/tls/private_key/BUILD index 3d9a42a78c76..85f1388e0b5e 100644 --- a/source/extensions/transport_sockets/tls/private_key/BUILD +++ b/source/common/tls/private_key/BUILD @@ -1,12 +1,12 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_library", - "envoy_extension_package", + "envoy_package", ) licenses(["notice"]) # Apache 2 -envoy_extension_package() +envoy_package() envoy_cc_library( name = "private_key_manager_lib", diff --git a/source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.cc b/source/common/tls/private_key/private_key_manager_impl.cc similarity index 91% rename from source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.cc rename to source/common/tls/private_key/private_key_manager_impl.cc index f886beeaa96e..93ccbc622d5b 100644 --- a/source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.cc +++ b/source/common/tls/private_key/private_key_manager_impl.cc 
@@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h" +#include "source/common/tls/private_key/private_key_manager_impl.h" #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "envoy/registry/registry.h" diff --git a/source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h b/source/common/tls/private_key/private_key_manager_impl.h similarity index 100% rename from source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h rename to source/common/tls/private_key/private_key_manager_impl.h diff --git a/source/extensions/transport_sockets/tls/ssl_handshaker.cc b/source/common/tls/ssl_handshaker.cc similarity index 96% rename from source/extensions/transport_sockets/tls/ssl_handshaker.cc rename to source/common/tls/ssl_handshaker.cc index b0bcca7dbbf5..ab2c6f1fc0f8 100644 --- a/source/extensions/transport_sockets/tls/ssl_handshaker.cc +++ b/source/common/tls/ssl_handshaker.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" +#include "source/common/tls/ssl_handshaker.h" #include "envoy/stats/scope.h" @@ -6,7 +6,7 @@ #include "source/common/common/empty_string.h" #include "source/common/http/headers.h" #include "source/common/runtime/runtime_features.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" using Envoy::Network::PostIoAction; diff --git a/source/extensions/transport_sockets/tls/ssl_handshaker.h b/source/common/tls/ssl_handshaker.h similarity index 97% rename from source/extensions/transport_sockets/tls/ssl_handshaker.h rename to source/common/tls/ssl_handshaker.h index 4203ffac9462..3e5c63125b5f 100644 --- a/source/extensions/transport_sockets/tls/ssl_handshaker.h +++ b/source/common/tls/ssl_handshaker.h 
@@ -16,8 +16,8 @@ #include "envoy/stats/stats_macros.h" #include "source/common/common/logger.h" -#include "source/extensions/transport_sockets/tls/connection_info_impl_base.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/connection_info_impl_base.h" +#include "source/common/tls/utility.h" #include "absl/container/node_hash_map.h" #include "absl/synchronization/mutex.h" diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/common/tls/ssl_socket.cc similarity index 98% rename from source/extensions/transport_sockets/tls/ssl_socket.cc rename to source/common/tls/ssl_socket.cc index bc56bca6b417..02111ead0094 100644 --- a/source/extensions/transport_sockets/tls/ssl_socket.cc +++ b/source/common/tls/ssl_socket.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/ssl_socket.h" #include "envoy/stats/scope.h" @@ -7,9 +7,9 @@ #include "source/common/common/hex.h" #include "source/common/http/headers.h" #include "source/common/runtime/runtime_features.h" -#include "source/extensions/transport_sockets/tls/io_handle_bio.h" -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/io_handle_bio.h" +#include "source/common/tls/ssl_handshaker.h" +#include "source/common/tls/utility.h" #include "absl/strings/str_replace.h" #include "openssl/err.h" 
@@ -429,7 +429,7 @@ ServerSslSocketFactory::ServerSslSocketFactory(Envoy::Ssl::ServerContextConfigPt const std::vector& server_names) : manager_(manager), stats_scope_(stats_scope), stats_(generateStats("server", stats_scope)), config_(std::move(config)), server_names_(server_names), - ssl_ctx_(manager_.createSslServerContext(stats_scope_, *config_, server_names_)) { + ssl_ctx_(manager_.createSslServerContext(stats_scope_, *config_, server_names_, nullptr)) { config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); }); } @@ -463,7 +463,7 @@ bool ServerSslSocketFactory::implementsSecureTransport() const { return true; } void ServerSslSocketFactory::onAddOrUpdateSecret() { ENVOY_LOG(debug, "Secret is updated."); - auto ctx = manager_.createSslServerContext(stats_scope_, *config_, server_names_); + auto ctx = manager_.createSslServerContext(stats_scope_, *config_, server_names_, nullptr); { absl::WriterMutexLock l(&ssl_ctx_mu_); std::swap(ctx, ssl_ctx_); diff --git a/source/extensions/transport_sockets/tls/ssl_socket.h b/source/common/tls/ssl_socket.h similarity index 96% rename from source/extensions/transport_sockets/tls/ssl_socket.h rename to source/common/tls/ssl_socket.h index ea9213ffe6d1..2e4392c5cdd2 100644 --- a/source/extensions/transport_sockets/tls/ssl_socket.h +++ b/source/common/tls/ssl_socket.h @@ -15,9 +15,9 @@ #include "source/common/common/logger.h" #include "source/common/network/transport_socket_options_impl.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/context_impl.h" +#include "source/common/tls/ssl_handshaker.h" +#include "source/common/tls/utility.h" #include "absl/container/node_hash_map.h" #include "absl/synchronization/mutex.h" 
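Review bot: Both call sites of `createSslServerContext` (the constructor initializer and `onAddOrUpdateSecret`) now pass a bare trailing `nullptr`, and nothing at the call site tells a reader which optional behaviour that argument turns off. An argument-name comment would make it self-describing, e.g. `ssl_ctx_(manager_.createSslServerContext(stats_scope_, *config_, server_names_, /*PARAMETER_NAME=*/nullptr))`, where PARAMETER_NAME is a placeholder for the name declared on the manager interface, which is not visible in this hunk; the same applies to the `auto ctx = ...` line in the second hunk. `onAddOrUpdateSecret` continues past the end of its hunk.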
diff --git a/source/extensions/transport_sockets/tls/stats.cc b/source/common/tls/stats.cc similarity index 89% rename from source/extensions/transport_sockets/tls/stats.cc rename to source/common/tls/stats.cc index 5a5cdc86c054..c4c5e320ce34 100644 --- a/source/extensions/transport_sockets/tls/stats.cc +++ b/source/common/tls/stats.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/stats.h" #include "envoy/stats/scope.h" #include "envoy/stats/stats_macros.h" diff --git a/source/extensions/transport_sockets/tls/stats.h b/source/common/tls/stats.h similarity index 100% rename from source/extensions/transport_sockets/tls/stats.h rename to source/common/tls/stats.h diff --git a/source/extensions/transport_sockets/tls/utility.cc b/source/common/tls/utility.cc similarity index 99% rename from source/extensions/transport_sockets/tls/utility.cc rename to source/common/tls/utility.cc index 766044f22666..672f075e6d26 100644 --- a/source/extensions/transport_sockets/tls/utility.cc +++ b/source/common/tls/utility.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" #include diff --git a/source/extensions/transport_sockets/tls/utility.h b/source/common/tls/utility.h similarity index 100% rename from source/extensions/transport_sockets/tls/utility.h rename to source/common/tls/utility.h diff --git a/source/exe/linux/platform_impl.cc b/source/exe/linux/platform_impl.cc index a1c04243eb77..63de62b11936 100644 --- a/source/exe/linux/platform_impl.cc +++ b/source/exe/linux/platform_impl.cc @@ -11,7 +11,7 @@ namespace Envoy { PlatformImpl::PlatformImpl() - : thread_factory_(std::make_unique()), + : thread_factory_(Thread::PosixThreadFactory::create()), file_system_(std::make_unique()) {} PlatformImpl::~PlatformImpl() = default; diff --git a/source/exe/posix/platform_impl.cc b/source/exe/posix/platform_impl.cc index 391d3be940ae..4eae6bee3b10 100644 
--- a/source/exe/posix/platform_impl.cc +++ b/source/exe/posix/platform_impl.cc @@ -5,7 +5,7 @@ namespace Envoy { PlatformImpl::PlatformImpl() - : thread_factory_(std::make_unique()), + : thread_factory_(Thread::PosixThreadFactory::create()), file_system_(std::make_unique()) {} PlatformImpl::~PlatformImpl() = default; diff --git a/source/extensions/clusters/dynamic_forward_proxy/BUILD b/source/extensions/clusters/dynamic_forward_proxy/BUILD index d4377bb1abc5..477411c9e7a5 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/BUILD +++ b/source/extensions/clusters/dynamic_forward_proxy/BUILD @@ -17,12 +17,12 @@ envoy_cc_extension( "//source/common/network:transport_socket_options_lib", "//source/common/router:string_accessor_lib", "//source/common/stream_info:uint32_accessor_lib", + "//source/common/tls/cert_validator:cert_validator_lib", "//source/common/upstream:cluster_factory_lib", "//source/extensions/clusters/common:logical_host_lib", "//source/extensions/common/dynamic_forward_proxy:cluster_store", "//source/extensions/common/dynamic_forward_proxy:dns_cache_interface", "//source/extensions/common/dynamic_forward_proxy:dns_cache_manager_impl", - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", "@envoy_api//envoy/config/endpoint/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg_cc_proto", diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc index 4ce4077521cf..c616f8dbfa99 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc +++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc 
@@ -12,9 +12,9 @@ #include "source/common/network/transport_socket_options_impl.h" #include "source/common/router/string_accessor_impl.h" #include "source/common/stream_info/uint32_accessor_impl.h" +#include "source/common/tls/cert_validator/default_validator.h" +#include "source/common/tls/utility.h" #include "source/extensions/common/dynamic_forward_proxy/dns_cache_manager_impl.h" -#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h" -#include "source/extensions/transport_sockets/tls/utility.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/filters/http/gcp_authn/filter_config.cc b/source/extensions/filters/http/gcp_authn/filter_config.cc index e6a31e0cc6f2..4a5cbd2317cf 100644 --- a/source/extensions/filters/http/gcp_authn/filter_config.cc +++ b/source/extensions/filters/http/gcp_authn/filter_config.cc @@ -25,7 +25,7 @@ Http::FilterFactoryCb GcpAuthnFilterFactory::createFilterFactoryFromProtoTyped( // config.retry_policy has an invalid case that could not be validated by the // proto validation annotation. It has to be validated by the code. if (config.has_retry_policy()) { - Http::Utility::validateCoreRetryPolicy(config.retry_policy()); + THROW_IF_NOT_OK(Http::Utility::validateCoreRetryPolicy(config.retry_policy())); } FilterConfigSharedPtr filter_config = diff --git a/source/extensions/filters/http/jwt_authn/jwks_cache.cc b/source/extensions/filters/http/jwt_authn/jwks_cache.cc index 9df261ce2a4b..053d662e36d9 100644 --- a/source/extensions/filters/http/jwt_authn/jwks_cache.cc +++ b/source/extensions/filters/http/jwt_authn/jwks_cache.cc 
@@ -39,7 +39,8 @@ class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable(flag_data.value()); + + if (opcode == OpCodes::CreateTtl) { + absl::StatusOr ttl = helper_.peekInt64(data, offset); + EMIT_DECODER_ERR_AND_RETURN_INVALID_ARG_ERR_IF_STATUS_NOT_OK(ttl, opcode, + ttl.status().message()); + } + status = callbacks_.onCreateRequest(path.value(), flags, opcode); EMIT_DECODER_ERR_AND_RETURN_IF_STATUS_NOT_OK(status, opcode); diff --git a/source/extensions/tracers/opentelemetry/BUILD b/source/extensions/tracers/opentelemetry/BUILD index a4ee2ed5e51b..2ffdab91f527 100644 --- a/source/extensions/tracers/opentelemetry/BUILD +++ b/source/extensions/tracers/opentelemetry/BUILD @@ -59,10 +59,12 @@ envoy_cc_library( srcs = [ "grpc_trace_exporter.cc", "http_trace_exporter.cc", + "otlp_utils.cc", ], hdrs = [ "grpc_trace_exporter.h", "http_trace_exporter.h", + "otlp_utils.h", "trace_exporter.h", ], deps = [ @@ -75,6 +77,7 @@ envoy_cc_library( "//source/common/http:utility_lib", "//source/common/protobuf", "//source/common/tracing:trace_context_lib", + "//source/common/version:version_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@opentelemetry_proto//:trace_cc_proto", ], diff --git a/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h b/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h index b35823b851ba..974ac704f9f0 100644 --- a/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h +++ b/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h @@ -4,6 +4,7 @@ #include "source/common/common/logger.h" #include "source/common/grpc/typed_async_client.h" +#include "source/extensions/tracers/opentelemetry/otlp_utils.h" #include "source/extensions/tracers/opentelemetry/trace_exporter.h" #include "opentelemetry/proto/collector/trace/v1/trace_service.pb.h" @@ -30,7 +31,9 @@ class OpenTelemetryGrpcTraceExporterClient : Logger::Loggable&&) 
diff --git a/source/extensions/tracers/opentelemetry/http_trace_exporter.cc b/source/extensions/tracers/opentelemetry/http_trace_exporter.cc index b1fb4efdc9c1..1ff2d2c7c867 100644 --- a/source/extensions/tracers/opentelemetry/http_trace_exporter.cc +++ b/source/extensions/tracers/opentelemetry/http_trace_exporter.cc @@ -8,6 +8,7 @@ #include "source/common/common/enum_to_int.h" #include "source/common/common/logger.h" #include "source/common/protobuf/protobuf.h" +#include "source/extensions/tracers/opentelemetry/otlp_utils.h" namespace Envoy { namespace Extensions { @@ -50,6 +51,10 @@ bool OpenTelemetryHttpTraceExporter::log(const ExportTraceServiceRequest& reques message->headers().setReferenceMethod(Http::Headers::get().MethodValues.Post); message->headers().setReferenceContentType(Http::Headers::get().ContentTypeValues.Protobuf); + // User-Agent header follows the OTLP specification: + // https://github.com/open-telemetry/opentelemetry-specification/blob/v1.30.0/specification/protocol/exporter.md#user-agent + message->headers().setReferenceUserAgent(OtlpUtils::getOtlpUserAgentHeader()); + // Add all custom headers to the request. for (const auto& header_pair : parsed_headers_to_add_) { message->headers().setReference(header_pair.first, header_pair.second); diff --git a/source/extensions/tracers/opentelemetry/otlp_utils.cc b/source/extensions/tracers/opentelemetry/otlp_utils.cc new file mode 100644 index 000000000000..1ce8c53af803 --- /dev/null +++ b/source/extensions/tracers/opentelemetry/otlp_utils.cc 
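Review bot: The OTLP `User-Agent` is set with `setReferenceUserAgent` before the `parsed_headers_to_add_` loop, so a user-configured header of the same name reaches `setReference` afterwards and, assuming `setReference` replaces rather than appends, silently wins over the spec-mandated value; the hunk does not say whether that precedence is intended. Record it next to the new call, e.g. `// Custom headers configured below take precedence over this default value.`, or exclude that name from the loop if the spec value must be preserved. It is also worth a line noting that the value embeds the exact Envoy build version, which the spec asks for but which the collector endpoint thereby learns. `log` continues past the end of the hunk.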
@@ -0,0 +1,22 @@ +#include "source/extensions/tracers/opentelemetry/otlp_utils.h" + +#include + +#include "source/common/common/fmt.h" +#include "source/common/common/macros.h" +#include "source/common/version/version.h" + +namespace Envoy { +namespace Extensions { +namespace Tracers { +namespace OpenTelemetry { + +const std::string& OtlpUtils::getOtlpUserAgentHeader() { + CONSTRUCT_ON_FIRST_USE(std::string, + fmt::format("OTel-OTLP-Exporter-Envoy/{}", Envoy::VersionInfo::version())); +} + +} // namespace OpenTelemetry +} // namespace Tracers +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/tracers/opentelemetry/otlp_utils.h b/source/extensions/tracers/opentelemetry/otlp_utils.h new file mode 100644 index 000000000000..32e18a0e2f99 --- /dev/null +++ b/source/extensions/tracers/opentelemetry/otlp_utils.h @@ -0,0 +1,29 @@ +#pragma once + +#include + +namespace Envoy { +namespace Extensions { +namespace Tracers { +namespace OpenTelemetry { + +/** + * Contains utility functions for Otel + */ +class OtlpUtils { + +public: + /** + * @brief Get the User-Agent header value to be used on the OTLP exporter request. + * + * The header value is compliant with the OpenTelemetry specification. See: + * https://github.com/open-telemetry/opentelemetry-specification/blob/v1.30.0/specification/protocol/exporter.md#user-agent + * @return std::string The User-Agent for the OTLP exporters in Envoy. + */ + static const std::string& getOtlpUserAgentHeader(); +}; + +} // namespace OpenTelemetry +} // namespace Tracers +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/tracers/zipkin/span_context.h b/source/extensions/tracers/zipkin/span_context.h index a2cf74394964..b1dfa3168743 100644 --- a/source/extensions/tracers/zipkin/span_context.h +++ b/source/extensions/tracers/zipkin/span_context.h 
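Review bot: The Doxygen on `getOtlpUserAgentHeader` in otlp_utils.h says `@return std::string`, but the function returns `const std::string&` to a function-local static built by `CONSTRUCT_ON_FIRST_USE` in otlp_utils.cc. Since the HTTP exporter stores that reference through `setReferenceUserAgent`, the lifetime guarantee is the part worth documenting: `@return const std::string& A process-lifetime string; safe to hold by reference without copying.` The `#include` directive with no argument in both new files appears to be a rendering loss (presumably `<string>`) and cannot be checked here.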
@@ -77,7 +77,7 @@ class SpanContext { bool sampled() const { return sampled_; } /** - * @return the inner context flag. + * @return the inner context flag. True if this context is created base on the inner span. */ bool innerContext() const { return inner_context_; } diff --git a/source/extensions/tracers/zipkin/tracer.cc b/source/extensions/tracers/zipkin/tracer.cc index 00dfae6a808f..0ab5b01273bc 100644 --- a/source/extensions/tracers/zipkin/tracer.cc +++ b/source/extensions/tracers/zipkin/tracer.cc 
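Review bot: The updated comment on `innerContext()` reads `True if this context is created base on the inner span.`; it should be `based on`, and "inner span" is not defined anywhere in the header. Per its use in tracer.cc, where an inner previous context marks the next span as an upstream-request span, something like `True if this context was created from an inner span (the span Envoy created for the downstream request); a span started from it is for an upstream request.` would make the flag self-explanatory — confirm that reading against the tracer before adopting it.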
@@ -12,22 +12,46 @@ namespace Extensions { namespace Tracers { namespace Zipkin { +/** + * @param spawn_child_span whether the Envoy will spawn a child span for the request. This + * means that the Envoy will be treated as an independent hop in the trace chain. + * See + * https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/observability/tracing#different-modes-of-envoy + * for more details. + * @param upstream whether the span is span for an upstream request. + * @param direction the direction of the traffic that the span is for. Egress means + * the span is for an outgoing request, and Ingress means the span is for an incoming request. + */ +Annotation getAnnotation(bool spawn_child_span, bool upstream, Tracing::OperationName direction) { + Annotation annotation; + if (spawn_child_span) { + // Spawn child span is set to true and Envoy should be treated as an independent hop in the + // trace chain. Determine the span type based on the request type. + + // Create server span for downstream request and client span for upstream request. + annotation.setValue(upstream ? CLIENT_SEND : SERVER_RECV); + } else { + // Spawn child span is set to false and Envoy should not be treated as an independent hop in the + // trace chain. Determine the span type based on the traffic direction. + + // Create server span for inbound sidecar and client span for outbound sidecar. + annotation.setValue(direction == Tracing::OperationName::Egress ? CLIENT_SEND : SERVER_RECV); + } + + return annotation; +} + SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span_name, SystemTime timestamp) { // Build the endpoint Endpoint ep(service_name_, address_); - // Build the CS annotation - Annotation cs; + // Build the CS annotation. + // No previous context then this must be span created for downstream request for now. 
+ Annotation cs = getAnnotation(split_spans_for_request_ || config.spawnUpstreamSpan(), false, + config.operationName()); cs.setEndpoint(std::move(ep)); - if (split_spans_for_request_) { - // No previous context then this must be span created for downstream request. Server span will - // be created for downstream request when split_spans_for_request is set to true - cs.setValue(SERVER_RECV); - } else { - cs.setValue(config.operationName() == Tracing::OperationName::Egress ? CLIENT_SEND - : SERVER_RECV); - } + // Create an all-new span, with no parent id SpanPtr span_ptr = std::make_unique(time_source_); span_ptr->setName(span_name); @@ -59,7 +83,9 @@ SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span_name, SystemTime timestamp, const SpanContext& previous_context) { SpanPtr span_ptr = std::make_unique(time_source_); - Annotation annotation; + // If the previous context is inner context then this span is span for upstream request. + Annotation annotation = getAnnotation(split_spans_for_request_ || config.spawnUpstreamSpan(), + previous_context.innerContext(), config.operationName()); uint64_t timestamp_micro; timestamp_micro = 
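Review bot: `getAnnotation` is defined at namespace scope in tracer.cc with external linkage, so it becomes a public symbol of namespace Zipkin without a declaration in tracer.h; `static Annotation getAnnotation(bool spawn_child_span, bool upstream, Tracing::OperationName direction) {` (or an anonymous namespace) keeps it file-local and avoids an ODR clash with any other `getAnnotation` in the namespace. Its Doxygen block documents the three parameters but has no `@return`; add `@return Annotation CLIENT_SEND when Envoy acts as the client side of the hop, SERVER_RECV otherwise.` The `startSpan` overload this hunk rewrites continues past the end of the hunk.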
@@ -67,23 +93,6 @@ SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span span_ptr->setName(span_name); - // Set the span's kind (client or server) - if (split_spans_for_request_) { - // If the previous context is an inner context then this span must be a span created for an - // upstream request. A client span will be created for an upstream request. - if (previous_context.innerContext()) { - annotation.setValue(CLIENT_SEND); - } else { - annotation.setValue(SERVER_RECV); - } - } else { - if (config.operationName() == Tracing::OperationName::Egress) { - annotation.setValue(CLIENT_SEND); - } else { - annotation.setValue(SERVER_RECV); - } - } - // Set the span's id and parent id if (annotation.value() == CLIENT_SEND || !shared_span_context_) { // We need to create a new span that is a child of the previous span; no shared context diff --git a/source/extensions/tracers/zipkin/tracer.h b/source/extensions/tracers/zipkin/tracer.h index a0672b6bc682..6b8fa780014d 100644 --- a/source/extensions/tracers/zipkin/tracer.h +++ b/source/extensions/tracers/zipkin/tracer.h @@ -61,7 +61,8 @@ class Tracer : public TracerInterface { */ Tracer(const std::string& service_name, Network::Address::InstanceConstSharedPtr address, Random::RandomGenerator& random_generator, const bool trace_id_128bit, - const bool shared_span_context, TimeSource& time_source, bool split_spans_for_request) + const bool shared_span_context, TimeSource& time_source, + bool split_spans_for_request = false) : service_name_(service_name), address_(address), reporter_(nullptr), random_generator_(random_generator), trace_id_128bit_(trace_id_128bit), shared_span_context_(shared_span_context), time_source_(time_source), diff --git a/source/extensions/transport_sockets/tap/BUILD b/source/extensions/transport_sockets/tap/BUILD index 043f881df364..849529f9ac95 100644 --- a/source/extensions/transport_sockets/tap/BUILD +++ b/source/extensions/transport_sockets/tap/BUILD 
@@ -52,6 +52,10 @@ envoy_cc_extension( name = "config", srcs = envoy_select_admin_functionality(["config.cc"]), hdrs = envoy_select_admin_functionality(["config.h"]), + extra_visibility = [ + # test needs refactor + "//test/common/tls:__subpackages__", + ], deps = [ ":tap_config_impl", ":tap_lib", diff --git a/source/extensions/transport_sockets/tls/BUILD b/source/extensions/transport_sockets/tls/BUILD index 8758719e9990..3ce74ef46a9a 100644 --- a/source/extensions/transport_sockets/tls/BUILD +++ b/source/extensions/transport_sockets/tls/BUILD @@ -1,7 +1,6 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_extension", - "envoy_cc_library", "envoy_extension_package", ) 
@@ -18,199 +17,10 @@ envoy_cc_extension( # TLS is core functionality. visibility = ["//visibility:public"], deps = [ - ":ssl_socket_lib", "//envoy/network:transport_socket_interface", "//envoy/registry", "//envoy/server:transport_socket_config_interface", + "//source/common/tls:ssl_socket_lib", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", ], ) - -envoy_cc_library( - name = "connection_info_impl_base_lib", - srcs = ["connection_info_impl_base.cc"], - hdrs = ["connection_info_impl_base.h"], - external_deps = ["ssl"], - visibility = ["//visibility:public"], - deps = [ - ":context_lib", - ":utility_lib", - "//source/common/common:assert_lib", - "//source/common/common:minimal_logger_lib", - ], -) - -envoy_cc_library( - name = "ssl_handshaker_lib", - srcs = ["ssl_handshaker.cc"], - hdrs = ["ssl_handshaker.h"], - deps = [ - ":connection_info_impl_base_lib", - ":context_lib", - ":utility_lib", - "//envoy/network:connection_interface", - "//envoy/network:transport_socket_interface", - "//envoy/ssl:handshaker_interface", - "//envoy/ssl:ssl_socket_extended_info_interface", - "//envoy/ssl:ssl_socket_state", - "//envoy/ssl/private_key:private_key_callbacks_interface", - "//envoy/ssl/private_key:private_key_interface", - "//envoy/stats:stats_macros", - "//source/common/common:assert_lib", - "//source/common/common:empty_string", - "//source/common/common:minimal_logger_lib", - "//source/common/common:thread_annotations", - "//source/common/http:headers_lib", - ], -) - -envoy_cc_library( - name = "io_handle_bio_lib", - srcs = ["io_handle_bio.cc"], - hdrs = ["io_handle_bio.h"], - external_deps = ["ssl"], - deps = [ - "//envoy/buffer:buffer_interface", - "//envoy/network:io_handle_interface", - ], -) - -envoy_cc_library( - name = "ssl_socket_lib", - srcs = ["ssl_socket.cc"], - hdrs = ["ssl_socket.h"], - external_deps = [ - "abseil_hash", - "abseil_node_hash_map", - "abseil_optional", - "abseil_synchronization", - "ssl", - ], - # TLS is core functionality. 
- visibility = ["//visibility:public"], - deps = [ - ":context_config_lib", - ":context_lib", - ":io_handle_bio_lib", - ":ssl_handshaker_lib", - ":utility_lib", - "//envoy/network:connection_interface", - "//envoy/network:transport_socket_interface", - "//envoy/ssl:handshaker_interface", - "//envoy/ssl:ssl_socket_extended_info_interface", - "//envoy/ssl:ssl_socket_state", - "//envoy/ssl/private_key:private_key_callbacks_interface", - "//envoy/ssl/private_key:private_key_interface", - "//envoy/stats:stats_macros", - "//source/common/common:assert_lib", - "//source/common/common:empty_string", - "//source/common/common:minimal_logger_lib", - "//source/common/common:thread_annotations", - "//source/common/http:headers_lib", - "//source/common/network:transport_socket_options_lib", - ], -) - -envoy_cc_library( - name = "context_config_lib", - srcs = ["context_config_impl.cc"], - hdrs = ["context_config_impl.h"], - external_deps = [ - "ssl", - ], - # TLS is core functionality. - visibility = ["//visibility:public"], - deps = [ - ":ssl_handshaker_lib", - "//envoy/secret:secret_callbacks_interface", - "//envoy/secret:secret_provider_interface", - "//envoy/server:transport_socket_config_interface", - "//envoy/ssl:context_config_interface", - "//source/common/common:assert_lib", - "//source/common/common:empty_string", - "//source/common/common:matchers_lib", - "//source/common/config:datasource_lib", - "//source/common/json:json_loader_lib", - "//source/common/protobuf:utility_lib", - "//source/common/secret:sds_api_lib", - "//source/common/ssl:certificate_validation_context_config_impl_lib", - "//source/common/ssl:tls_certificate_config_impl_lib", - "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", - ], -) - -envoy_cc_library( - name = "context_lib", - srcs = [ - "context_impl.cc", - "context_manager_impl.cc", - ], - hdrs = [ - "context_impl.h", - "context_manager_impl.h", - ], - external_deps = [ - "abseil_node_hash_set", - "abseil_synchronization", - 
"ssl", - ], - # TLS is core functionality. - visibility = ["//visibility:public"], - deps = [ - ":stats_lib", - ":utility_lib", - "//envoy/ssl:context_config_interface", - "//envoy/ssl:context_interface", - "//envoy/ssl:context_manager_interface", - "//envoy/ssl:ssl_socket_extended_info_interface", - "//envoy/ssl/private_key:private_key_interface", - "//envoy/stats:stats_interface", - "//envoy/stats:stats_macros", - "//source/common/common:assert_lib", - "//source/common/common:base64_lib", - "//source/common/common:hex_lib", - "//source/common/common:utility_lib", - "//source/common/network:address_lib", - "//source/common/network:cidr_range_lib", - "//source/common/protobuf:utility_lib", - "//source/common/runtime:runtime_features_lib", - "//source/common/stats:symbol_table_lib", - "//source/common/stats:utility_lib", - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", - "//source/extensions/transport_sockets/tls/ocsp:ocsp_lib", - "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib", - "@envoy_api//envoy/admin/v3:pkg_cc_proto", - "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto", - ], -) - -envoy_cc_library( - name = "stats_lib", - srcs = ["stats.cc"], - hdrs = ["stats.h"], - external_deps = [ - "ssl", - ], - deps = [ - "//envoy/stats:stats_interface", - "//envoy/stats:stats_macros", - "//source/common/stats:symbol_table_lib", - "//source/common/stats:utility_lib", - ], -) - -envoy_cc_library( - name = "utility_lib", - srcs = ["utility.cc"], - hdrs = ["utility.h"], - external_deps = [ - "ssl", - ], - deps = [ - "//source/common/common:assert_lib", - "//source/common/common:empty_string", - "//source/common/common:safe_memcpy_lib", - "//source/common/common:utility_lib", - "//source/common/network:address_lib", - ], -) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD index 82f6860d86d7..72f5fedd2d7b 100644 
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD @@ -33,9 +33,9 @@ envoy_cc_extension( "//source/common/config:utility_lib", "//source/common/stats:symbol_table_lib", "//source/common/stats:utility_lib", - "//source/extensions/transport_sockets/tls:stats_lib", - "//source/extensions/transport_sockets/tls:utility_lib", - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "//source/common/tls:stats_lib", + "//source/common/tls:utility_lib", + "//source/common/tls/cert_validator:cert_validator_lib", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index 5ae1ebde5c55..4c6f6fb3dc30 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc @@ -15,10 +15,10 @@ #include "source/common/config/utility.h" #include "source/common/protobuf/message_validator_impl.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/cert_validator/factory.h" -#include "source/extensions/transport_sockets/tls/cert_validator/utility.h" -#include "source/extensions/transport_sockets/tls/stats.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/cert_validator/factory.h" +#include "source/common/tls/cert_validator/utility.h" +#include "source/common/tls/stats.h" +#include "source/common/tls/utility.h" #include "openssl/ssl.h" #include "openssl/x509v3.h" 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h index 3850fa5533be..4bb140dbe63b 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h @@ -16,9 +16,9 @@ #include "source/common/common/c_smart_ptr.h" #include "source/common/common/matchers.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/cert_validator/san_matcher.h" +#include "source/common/tls/stats.h" #include "openssl/ssl.h" #include "openssl/x509v3.h" diff --git a/source/extensions/transport_sockets/tls/config.cc b/source/extensions/transport_sockets/tls/config.cc index f2612251584d..ec2f39b60aed 100644 --- a/source/extensions/transport_sockets/tls/config.cc +++ b/source/extensions/transport_sockets/tls/config.cc @@ -4,8 +4,8 @@ #include "envoy/extensions/transport_sockets/tls/v3/tls.pb.validate.h" #include "source/common/protobuf/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" namespace Envoy { namespace Extensions { diff --git a/source/server/BUILD b/source/server/BUILD index 7ee402750e1f..f656303df03e 100644 --- a/source/server/BUILD +++ b/source/server/BUILD 
@@ -187,6 +187,7 @@ envoy_cc_library( hdrs = envoy_select_hot_restart(["hot_restarting_child.h"]), deps = [ ":hot_restarting_base", + "//envoy/network:parent_drained_callback_registrar_interface", "//source/common/stats:stat_merger_lib", ], ) diff --git a/source/server/hot_restart_impl.cc b/source/server/hot_restart_impl.cc index 417bb4a5f2f3..6e2377c9c6f0 100644 --- a/source/server/hot_restart_impl.cc +++ b/source/server/hot_restart_impl.cc @@ -124,6 +124,10 @@ void HotRestartImpl::registerUdpForwardingListener( as_child_.registerUdpForwardingListener(address, listener_config); } +OptRef HotRestartImpl::parentDrainedCallbackRegistrar() { + return as_child_; +} + void HotRestartImpl::initialize(Event::Dispatcher& dispatcher, Server::Instance& server) { as_parent_.initialize(dispatcher, server); as_child_.initialize(dispatcher); diff --git a/source/server/hot_restart_impl.h b/source/server/hot_restart_impl.h index ace7d41321d9..9a22b6f3ec13 100644 --- a/source/server/hot_restart_impl.h +++ b/source/server/hot_restart_impl.h @@ -106,6 +106,7 @@ class HotRestartImpl : public HotRestart { void registerUdpForwardingListener( Network::Address::InstanceConstSharedPtr address, std::shared_ptr listener_config) override; + OptRef parentDrainedCallbackRegistrar() override; void initialize(Event::Dispatcher& dispatcher, Server::Instance& server) override; absl::optional sendParentAdminShutdownRequest() override; void sendParentTerminateRequest() override; diff --git a/source/server/hot_restart_nop_impl.h b/source/server/hot_restart_nop_impl.h index 99f006083937..031cf1e4613b 100644 --- a/source/server/hot_restart_nop_impl.h +++ b/source/server/hot_restart_nop_impl.h 
@@ -20,6 +20,9 @@ class HotRestartNopImpl : public Server::HotRestart { int duplicateParentListenSocket(const std::string&, uint32_t) override { return -1; } void registerUdpForwardingListener(Network::Address::InstanceConstSharedPtr, std::shared_ptr) override {} + OptRef parentDrainedCallbackRegistrar() override { + return absl::nullopt; + } void initialize(Event::Dispatcher&, Server::Instance&) override {} absl::optional sendParentAdminShutdownRequest() override { return absl::nullopt; diff --git a/source/server/hot_restarting_child.cc b/source/server/hot_restarting_child.cc index 0d842a2755eb..a7173fd6ce65 100644 --- a/source/server/hot_restarting_child.cc +++ b/source/server/hot_restarting_child.cc @@ -46,9 +46,12 @@ HotRestartingChild::UdpForwardingContext::getListenerForDestination( return it->second; } +// If restart_epoch is 0 there is no parent, so it's effectively already +// drained and terminated. HotRestartingChild::HotRestartingChild(int base_id, int restart_epoch, const std::string& socket_path, mode_t socket_mode) - : HotRestartingBase(base_id), restart_epoch_(restart_epoch) { + : HotRestartingBase(base_id), restart_epoch_(restart_epoch), + parent_terminated_(restart_epoch == 0), parent_drained_(restart_epoch == 0) { main_rpc_stream_.initDomainSocketAddress(&parent_address_); std::string socket_path_udp = socket_path + "_udp"; udp_forwarding_rpc_stream_.initDomainSocketAddress(&parent_address_udp_forwarding_); @@ -102,7 +105,7 @@ void HotRestartingChild::onForwardedUdpPacket(uint32_t worker_index, Network::Ud int HotRestartingChild::duplicateParentListenSocket(const std::string& address, uint32_t worker_index) { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return -1; } 
@@ -121,7 +124,7 @@ int HotRestartingChild::duplicateParentListenSocket(const std::string& address, } std::unique_ptr HotRestartingChild::getParentStats() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return nullptr; } @@ -138,7 +141,7 @@ std::unique_ptr HotRestartingChild::getParentStats() { } void HotRestartingChild::drainParentListeners() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return; } // No reply expected. @@ -154,9 +157,29 @@ void HotRestartingChild::registerUdpForwardingListener( udp_forwarding_context_.registerListener(address, listener_config); } +void HotRestartingChild::registerParentDrainedCallback( + const Network::Address::InstanceConstSharedPtr& address, absl::AnyInvocable callback) { + absl::MutexLock lock(®istry_mu_); + if (parent_drained_) { + callback(); + } else { + on_drained_actions_.emplace(address->asString(), std::move(callback)); + } +} + +void HotRestartingChild::allDrainsImplicitlyComplete() { + absl::MutexLock lock(®istry_mu_); + for (auto& drain_action : on_drained_actions_) { + // Call the callback. + std::move(drain_action.second)(); + } + on_drained_actions_.clear(); + parent_drained_ = true; +} + absl::optional HotRestartingChild::sendParentAdminShutdownRequest() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return absl::nullopt; } @@ -176,9 +199,11 @@ HotRestartingChild::sendParentAdminShutdownRequest() { } void HotRestartingChild::sendParentTerminateRequest() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return; } + allDrainsImplicitlyComplete(); + HotRestartMessage wrapped_request; wrapped_request.mutable_request()->mutable_terminate(); main_rpc_stream_.sendHotRestartMessage(parent_address_, wrapped_request); 
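Review bot: In the `@@ -154` hunk both `registerParentDrainedCallback` (the `callback()` call on the already-drained path) and `allDrainsImplicitlyComplete` (the loop over `on_drained_actions_`) run caller-supplied actions while `registry_mu_` is held; `absl::Mutex` is not reentrant, so a callback that reaches the registrar again (registering another callback, or any listener-reactivation path that ends up here) deadlocks, and arbitrary work runs inside the critical section. The usual fix is to decide and detach under the lock, then invoke after releasing it: in `allDrainsImplicitlyComplete` swap the multimap into a local, set `parent_drained_ = true`, leave the lock scope and run the local actions; in `registerParentDrainedCallback` read `parent_drained_` under the lock and call `callback()` outside it. `address->asString()` is also evaluated without a null check, which is fine only if the `ParentDrainedCallbackRegistrar` contract guarantees a non-null address — worth stating in the header comment. The `@@ -176` hunk that adds the `allDrainsImplicitlyComplete()` call in `sendParentTerminateRequest` inherits the same lock-scope behavior.
```cpp
// … unchanged: registerParentDrainedCallback signature …
  bool already_drained = false;
  {
    absl::MutexLock lock(&registry_mu_);
    already_drained = parent_drained_;
    if (!already_drained) {
      on_drained_actions_.emplace(address->asString(), std::move(callback));
    }
  }
  // Invoked outside the lock so a callback that re-enters the registrar cannot deadlock.
  if (already_drained) {
    callback();
  }
}

void HotRestartingChild::allDrainsImplicitlyComplete() {
  decltype(on_drained_actions_) pending;
  {
    absl::MutexLock lock(&registry_mu_);
    pending.swap(on_drained_actions_);
    parent_drained_ = true;
  }
  for (auto& drain_action : pending) {
    std::move(drain_action.second)();
  }
}
```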
@@ -186,15 +211,17 @@ void HotRestartingChild::sendParentTerminateRequest() { // Note that the 'generation' counter needs to retain the contribution from // the parent. - stat_merger_->retainParentGaugeValue(hot_restart_generation_stat_name_); + if (stat_merger_ != nullptr) { + stat_merger_->retainParentGaugeValue(hot_restart_generation_stat_name_); - // Now it is safe to forget our stat transferral state. - // - // This destruction is actually important far beyond memory efficiency. The - // scope-based temporary counter logic relies on the StatMerger getting - // destroyed once hot restart's stat merging is all done. (See stat_merger.h - // for details). - stat_merger_.reset(); + // Now it is safe to forget our stat transferral state. + // + // This destruction is actually important far beyond memory efficiency. The + // scope-based temporary counter logic relies on the StatMerger getting + // destroyed once hot restart's stat merging is all done. (See stat_merger.h + // for details). + stat_merger_.reset(); + } } void HotRestartingChild::mergeParentStats(Stats::Store& stats_store, diff --git a/source/server/hot_restarting_child.h b/source/server/hot_restarting_child.h index 7f61dfc59f55..77365b56ae15 100644 --- a/source/server/hot_restarting_child.h +++ b/source/server/hot_restarting_child.h @@ -1,5 +1,6 @@ #pragma once +#include "envoy/network/parent_drained_callback_registrar.h" #include "envoy/server/instance.h" #include "source/common/stats/stat_merger.h" @@ -11,7 +12,8 @@ namespace Server { /** * The child half of hot restarting. Issues requests and commands to the parent. */ -class HotRestartingChild : public HotRestartingBase { +class HotRestartingChild : public HotRestartingBase, + public Network::ParentDrainedCallbackRegistrar { public: // A structure to record the set of registered UDP listeners keyed on their addresses, // to support QUIC packet forwarding. 
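Review bot: The new `if (stat_merger_ != nullptr)` guard in `sendParentTerminateRequest` carries no explanation of when `stat_merger_` can be null at this point; the retained comment block explains why the `reset()` matters but not why the merger may be absent, so the next reader has to reverse-engineer the lifecycle. A one-line why-comment above the guard would close that gap, along the lines of `// stat_merger_ only exists once parent stats have been fetched; a terminate request can precede that.`, adjusted to wherever the merger is actually created (presumably the stats-fetch path, which is not visible in this hunk). The function's opening lines are in the previous hunk and its start is outside this one.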
@@ -42,7 +44,7 @@ class HotRestartingChild : public HotRestartingBase { HotRestartingChild(int base_id, int restart_epoch, const std::string& socket_path, mode_t socket_mode); - ~HotRestartingChild() = default; + ~HotRestartingChild() override = default; void initialize(Event::Dispatcher& dispatcher); void shutdown(); @@ -50,6 +52,9 @@ class HotRestartingChild : public HotRestartingBase { int duplicateParentListenSocket(const std::string& address, uint32_t worker_index); void registerUdpForwardingListener(Network::Address::InstanceConstSharedPtr address, std::shared_ptr listener_config); + // From Network::ParentDrainedCallbackRegistrar. + void registerParentDrainedCallback(const Network::Address::InstanceConstSharedPtr& addr, + absl::AnyInvocable action) override; std::unique_ptr getParentStats(); void drainParentListeners(); absl::optional sendParentAdminShutdownRequest(); @@ -60,15 +65,23 @@ class HotRestartingChild : public HotRestartingBase { protected: void onSocketEventUdpForwarding(); void onForwardedUdpPacket(uint32_t worker_index, Network::UdpRecvData&& data); + // When call to terminate parent is sent, or parent is already terminated, + void allDrainsImplicitlyComplete(); private: friend class HotRestartUdpForwardingTestHelper; + absl::Mutex registry_mu_; const int restart_epoch_; - bool parent_terminated_{}; + bool parent_terminated_; + bool parent_drained_ ABSL_GUARDED_BY(registry_mu_); sockaddr_un parent_address_; sockaddr_un parent_address_udp_forwarding_; std::unique_ptr stat_merger_{}; Stats::StatName hot_restart_generation_stat_name_; + // There are multiple listener instances per address that must all be reactivated + // when the parent is drained, so a multimap is used to contain them. + std::unordered_multimap> + on_drained_actions_ ABSL_GUARDED_BY(registry_mu_); Event::FileEventPtr socket_event_udp_forwarding_; UdpForwardingContext udp_forwarding_context_; }; 
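Review bot: In the `@@ -50` hunk the declaration names its parameters `addr` and `action`, while the definition in hot_restarting_child.cc (`@@ -154` hunk) uses `address` and `callback`; keeping them aligned makes the header the single place to read the contract. Renaming the declaration to `address` and `callback` is a two-token change and also lets the header comment refer to the same names the implementation uses.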
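Review bot: The comment added above `allDrainsImplicitlyComplete()` in the `@@ -60` hunk is cut off mid-sentence (`// When call to terminate parent is sent, or parent is already terminated,`), so it documents nothing. Something like `// Runs every pending parent-drained callback and marks the parent drained. Called when the terminate request is sent to the parent (see sendParentTerminateRequest).` states what the visible code does. The same hunk makes `parent_drained_` and `on_drained_actions_` `ABSL_GUARDED_BY(registry_mu_)` while `parent_terminated_` (which also lost its `{}` initializer and now relies on the constructor) stays unguarded; if the intent is that `parent_terminated_` is main-thread-only and the registrar may be called from workers, a short comment on the members stating that threading split would prevent the next contributor from "fixing" the asymmetry in either direction.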
diff --git a/source/server/ssl_context_manager.cc b/source/server/ssl_context_manager.cc index d3b8df9d17f5..8a9fec347dee 100644 --- a/source/server/ssl_context_manager.cc +++ b/source/server/ssl_context_manager.cc @@ -20,10 +20,9 @@ class SslContextManagerNoTlsStub final : public Envoy::Ssl::ContextManager { throwException(); } - Ssl::ServerContextSharedPtr - createSslServerContext(Stats::Scope& /* scope */, - const Envoy::Ssl::ServerContextConfig& /* config */, - const std::vector& /* server_names */) override { + Ssl::ServerContextSharedPtr createSslServerContext( + Stats::Scope& /* scope */, const Envoy::Ssl::ServerContextConfig& /* config */, + const std::vector& /* server_names */, Ssl::ContextAdditionalInitFunc) override { throwException(); } diff --git a/test/common/common/thread_test.cc b/test/common/common/thread_test.cc index 8cfc1c6ac771..8c8a28f7d3d9 100644 --- a/test/common/common/thread_test.cc +++ b/test/common/common/thread_test.cc @@ -1,5 +1,9 @@ #include +#if defined(__linux__) || defined(__APPLE__) +#include "source/common/common/posix/thread_impl.h" +#endif + #include "source/common/common/thread.h" #include "source/common/common/thread_synchronizer.h" 
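Review bot: The new `Ssl::ContextAdditionalInitFunc` parameter on the `createSslServerContext` stub is the only one in the signature without a commented name; the other three carry `/* scope */`, `/* config */`, `/* server_names */`. For consistency with the stub's own style, `Ssl::ContextAdditionalInitFunc /* additional_init */` (or whatever the interface names it) keeps the signature self-describing.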
@@ -246,6 +250,30 @@ TEST_F(ThreadAsyncPtrTest, NameNotSpecifiedWait) { thread->join(); } +#if defined(__linux__) || defined(__APPLE__) +TEST(PosixThreadTest, PThreadId) { + auto thread_factory = PosixThreadFactory::create(); + ThreadId thread_id; + auto thread = + thread_factory->createThread([&]() { thread_id = thread_factory->currentPthreadId(); }, + /* options= */ absl::nullopt, /* crash_on_failure= */ false); + thread->join(); + + EXPECT_EQ(thread->pthreadId(), thread_id); + EXPECT_NE(thread->pthreadId(), thread_factory->currentThreadId()); +} + +TEST(PosixThreadTest, Joinable) { + auto thread_factory = PosixThreadFactory::create(); + auto thread = thread_factory->createThread([&]() {}, /* options= */ absl::nullopt, + /* crash_on_failure= */ true); + + EXPECT_TRUE(thread->joinable()); + thread->join(); + EXPECT_FALSE(thread->joinable()); +} +#endif + } // namespace } // namespace Thread } // namespace Envoy diff --git a/test/common/grpc/codec_test.cc b/test/common/grpc/codec_test.cc index c028559bc828..ce722bdd5c09 100644 --- a/test/common/grpc/codec_test.cc +++ b/test/common/grpc/codec_test.cc 
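Review bot: `PosixThreadTest.PThreadId` passes `/* crash_on_failure= */ false` and then unconditionally calls `thread->join()`; if `createThread` reports a failed creation by returning a null pointer in that mode (the flag name suggests so, but the factory is not visible here), the test dereferences null instead of failing cleanly. Either add `ASSERT_NE(thread, nullptr);` before the `join()`, or use `/* crash_on_failure= */ true` as `PosixThreadTest.Joinable` already does so both tests fail the same way. A one-line comment on why the two tests choose different values would also help if the difference is deliberate.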
@@ -221,6 +221,107 @@ TEST(GrpcCodecTest, decodeMultipleFrame) { } } +TEST(GrpcCodecTest, decodeSingleFrameOverLimit) { + helloworld::HelloRequest request; + std::string test_str = std::string(64 * 1024, 'a'); + request.set_name(test_str); + + Buffer::OwnedImpl buffer; + std::array header; + Encoder encoder; + encoder.newFrame(GRPC_FH_DEFAULT, request.ByteSize(), header); + buffer.add(header.data(), 5); + buffer.add(request.SerializeAsString()); + size_t size = buffer.length(); + + std::vector frames; + // Configure decoder with 32kb max_frame_length. + Decoder decoder; + decoder.setMaxFrameLength(32 * 1024); + + // The decoder doesn't successfully decode due to oversized frame. + EXPECT_FALSE(decoder.decode(buffer, frames)); + EXPECT_EQ(buffer.length(), size); +} + +TEST(GrpcCodecTest, decodeSingleFrameWithMultiBuffersOverLimit) { + std::vector buffers(2); + std::array header; + + uint32_t max_length = 32 * 1024; + uint32_t single_buffer_length = 18 * 1024; + std::string req_str = std::string(single_buffer_length, 'a'); + + // First buffer is valid (i.e. within total_frame_length limit). + helloworld::HelloRequest request; + request.set_name(req_str); + // Second buffer itself is valid but results in the total frame size exceeding the limit. + helloworld::HelloRequest request_2; + request_2.set_name(req_str); + + Encoder encoder; + // Total frame consists of two buffers, request and request_2. + encoder.newFrame(GRPC_FH_DEFAULT, request.ByteSize() + request_2.ByteSize(), header); + + buffers[0].add(header.data(), 5); + buffers[0].add(request.SerializeAsString()); + buffers[1].add(header.data(), 5); + buffers[1].add(request_2.SerializeAsString()); + + size_t size = buffers[0].length() + buffers[1].length(); + std::vector frames = {}; + Decoder decoder; + decoder.setMaxFrameLength(max_length); + + // Both decoding attempts failed due to the total frame size exceeding the limit. 
+ for (uint32_t i = 0; i < buffers.size(); ++i) { + EXPECT_FALSE(decoder.decode(buffers[i], frames)); + } + + EXPECT_EQ(frames.size(), 0); + // Buffer does not get drained due to it returning false. + EXPECT_EQ(buffers[0].length() + buffers[1].length(), size); +} + +TEST(GrpcCodecTest, decodeMultipleFramesOverLimit) { + Buffer::OwnedImpl buffer; + std::array header; + Encoder encoder; + + // First frame is valid (i.e. within max_frame_length limit). + helloworld::HelloRequest request; + request.set_name("hello"); + encoder.newFrame(GRPC_FH_DEFAULT, request.ByteSize(), header); + buffer.add(header.data(), 5); + buffer.add(request.SerializeAsString()); + + // Second frame is invalid (i.e. exceeds max_frame_length). + helloworld::HelloRequest overlimit_request; + std::string test_str = std::string(64 * 1024, 'a'); + overlimit_request.set_name(test_str); + encoder.newFrame(GRPC_FH_DEFAULT, overlimit_request.ByteSize(), header); + buffer.add(header.data(), 5); + buffer.add(overlimit_request.SerializeAsString()); + + size_t size = buffer.length(); + + std::vector frames; + Decoder decoder; + decoder.setMaxFrameLength(32 * 1024); + + EXPECT_FALSE(decoder.decode(buffer, frames)); + // When the decoder doesn't successfully decode, it puts valid frames up until + // an oversized frame into output frame vector. + ASSERT_EQ(frames.size(), 1); + // First frame is successfully decoded. + EXPECT_EQ(frames[0].length_, request.ByteSize()); + // Buffer does not get drained due to it returning false. + EXPECT_EQ(buffer.length(), size); + // Only part of the buffer represented a valid frame. Thus, the frame length should not equal the + // buffer length. + EXPECT_NE(frames[0].length_, size); +} + TEST(GrpcCodecTest, FrameInspectorTest) { { Buffer::OwnedImpl buffer; diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index 799bd4f8da4b..27baab111f4f 100644 
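Review bot: In `decodeSingleFrameWithMultiBuffersOverLimit` the comments describe a single frame spread over two buffers whose total exceeds the limit, but the setup writes the same 5-byte header (declaring `request.ByteSize() + request_2.ByteSize()`, about 36 KiB) into both `buffers[0]` and `buffers[1]`, so each buffer is an independent frame whose declared length alone already exceeds the 32 KiB limit and the cross-buffer accumulation is never exercised. If the split-frame case is the intent, drop the second `buffers[1].add(header.data(), 5);` so the second buffer is a continuation — assuming the decoder keeps partial-frame state across a `decode` call, which is not visible here; otherwise reword the comments to say each buffer is an oversized frame on its own. Separately, `EXPECT_EQ(frames.size(), 0)` compares a `size_t` with an `int` literal; `EXPECT_TRUE(frames.empty())` avoids the signed/unsigned comparison and reads better.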
--- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -26,8 +26,8 @@ #include "source/common/router/upstream_codec_filter.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/common/grpc/utility.h" diff --git a/test/common/http/conn_manager_impl_test_2.cc b/test/common/http/conn_manager_impl_test_2.cc index 83b3971523f7..da84e5a6a04b 100644 --- a/test/common/http/conn_manager_impl_test_2.cc +++ b/test/common/http/conn_manager_impl_test_2.cc @@ -1534,7 +1534,9 @@ TEST_F(HttpConnectionManagerImplTest, HitFilterWatermarkLimits) { EXPECT_CALL(*log_handler_, log(_, _)) .WillOnce(Invoke( [](const Formatter::HttpFormatterContext&, const StreamInfo::StreamInfo& stream_info) { - EXPECT_FALSE(stream_info.hasAnyResponseFlag()); + EXPECT_TRUE(stream_info.hasAnyResponseFlag()); + EXPECT_TRUE(stream_info.hasResponseFlag( + StreamInfo::CoreResponseFlag::DownstreamConnectionTermination)); })); expectOnDestroy(); 
@@ -1566,6 +1568,31 @@ TEST_F(HttpConnectionManagerImplTest, HitRequestBufferLimits) { doRemoteClose(); } +TEST_F(HttpConnectionManagerImplTest, DownstreamConnectionTermination) { + std::shared_ptr handler(new NiceMock()); + access_logs_ = {handler}; + + setup(false, ""); + EXPECT_CALL(*handler, log(_, _)) + .WillOnce(Invoke( + [](const Formatter::HttpFormatterContext&, const StreamInfo::StreamInfo& stream_info) { + EXPECT_FALSE(stream_info.responseCode()); + EXPECT_TRUE(stream_info.hasAnyResponseFlag()); + EXPECT_TRUE(stream_info.hasResponseFlag( + StreamInfo::CoreResponseFlag::DownstreamConnectionTermination)); + })); + + // Start the request + EXPECT_CALL(*codec_, dispatch(_)).WillOnce(Invoke([&](Buffer::Instance&) -> Http::Status { + decoder_ = &conn_manager_->newStream(response_encoder_); + return Http::okStatus(); + })); + + Buffer::OwnedImpl fake_input("hello"); + conn_manager_->onData(fake_input, false); + filter_callbacks_.connection_.raiseEvent(Network::ConnectionEvent::LocalClose); +} + // Return 413 from an intermediate filter and make sure we don't continue the filter chain. TEST_F(HttpConnectionManagerImplTest, HitRequestBufferLimitsIntermediateFilter) { { diff --git a/test/common/http/utility_test.cc b/test/common/http/utility_test.cc index 35b67cd93329..24c27fa8cdaf 100644 --- a/test/common/http/utility_test.cc +++ b/test/common/http/utility_test.cc @@ -1347,8 +1347,8 @@ num_retries: 10 envoy::config::core::v3::RetryPolicy core_retry_policy2; TestUtility::loadFromYaml(core_policy2, core_retry_policy2); - EXPECT_THROW_WITH_MESSAGE(Utility::validateCoreRetryPolicy(core_retry_policy2), EnvoyException, - "max_interval must be greater than or equal to the base_interval"); + EXPECT_EQ(Utility::validateCoreRetryPolicy(core_retry_policy2).message(), + "max_interval must be greater than or equal to the base_interval"); } // Validates TE header is stripped if it contains an unsupported value 
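Review bot: `std::shared_ptr handler(new NiceMock());` in the new `DownstreamConnectionTermination` test uses a naked `new`; `auto handler = std::make_shared<NiceMock<...>>();` (with the mock type the test already names) is the idiomatic, exception-safe form and matches the single-allocation guidance. The neighbouring `HitFilterWatermarkLimits` test in the previous hunk calls `expectOnDestroy();` after setting its log expectation, while this test ends right after `raiseEvent(LocalClose)`; if the fixture relies on that call to verify stream teardown, this test is missing it — worth confirming against the fixture, which is outside the hunk.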
diff --git a/test/common/listener_manager/BUILD b/test/common/listener_manager/BUILD index dd452238d0b4..bdfc813a9527 100644 --- a/test/common/listener_manager/BUILD +++ b/test/common/listener_manager/BUILD @@ -39,7 +39,7 @@ envoy_cc_test( envoy_cc_test_library( name = "listener_manager_impl_test_lib", hdrs = ["listener_manager_impl_test.h"], - data = ["//test/extensions/transport_sockets/tls/test_data:certs"], + data = ["//test/common/tls/test_data:certs"], deps = [ ":config_cc_proto", "//source/common/init:manager_lib", @@ -80,6 +80,7 @@ envoy_cc_test( "//source/common/network:utility_lib", "//source/common/protobuf", "//source/common/router:string_accessor_lib", + "//source/common/tls:ssl_socket_lib", "//source/extensions/filters/listener/original_dst:config", "//source/extensions/filters/listener/proxy_protocol:config", "//source/extensions/filters/listener/tls_inspector:config", @@ -90,7 +91,6 @@ envoy_cc_test( "//source/extensions/request_id/uuid:config", "//source/extensions/transport_sockets/raw_buffer:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", "//test/integration/filters:test_listener_filter_lib", "//test/server:utility_lib", "//test/test_common:network_utility_lib", @@ -126,7 +126,7 @@ envoy_cc_test( envoy_cc_test( name = "filter_chain_manager_impl_test", srcs = ["filter_chain_manager_impl_test.cc"], - data = ["//test/extensions/transport_sockets/tls/test_data:certs"], + data = ["//test/common/tls/test_data:certs"], deps = [ "//source/common/api:os_sys_calls_lib", "//source/common/config:metadata_lib", 
@@ -137,11 +137,11 @@ envoy_cc_test( "//source/common/network:socket_option_lib", "//source/common/network:utility_lib", "//source/common/protobuf", + "//source/common/tls:ssl_socket_lib", "//source/extensions/filters/network/http_connection_manager:config", "//source/extensions/matching/network/common:inputs_lib", "//source/extensions/transport_sockets/raw_buffer:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", "//test/mocks/network:network_mocks", "//test/mocks/server:drain_manager_mocks", "//test/mocks/server:factory_context_mocks", diff --git a/test/common/listener_manager/filter_chain_benchmark_test.cc b/test/common/listener_manager/filter_chain_benchmark_test.cc index 16f711af4e2b..63728fd57435 100644 --- a/test/common/listener_manager/filter_chain_benchmark_test.cc +++ b/test/common/listener_manager/filter_chain_benchmark_test.cc @@ -155,11 +155,11 @@ const char YamlHeader[] = R"EOF( "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext" common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a")EOF"; + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a")EOF"; const char YamlSingleServer[] = R"EOF( - filter_chain_match: server_names: "server1.example.com" 
@@ -170,11 +170,11 @@ const char YamlSingleServer[] = R"EOF( "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext" common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a")EOF"; + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a")EOF"; const char YamlSingleDstPortTop[] = R"EOF( - filter_chain_match: destination_port: )EOF"; @@ -185,11 +185,11 @@ const char YamlSingleDstPortBottom[] = R"EOF( "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext" common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a")EOF"; + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a")EOF"; } // namespace class FilterChainBenchmarkFixture : public ::benchmark::Fixture { 
diff --git a/test/common/listener_manager/filter_chain_manager_impl_test.cc b/test/common/listener_manager/filter_chain_manager_impl_test.cc index 1d42fc5e4ec8..316a11ebbb20 100644 --- a/test/common/listener_manager/filter_chain_manager_impl_test.cc +++ b/test/common/listener_manager/filter_chain_manager_impl_test.cc @@ -19,7 +19,7 @@ #include "source/common/network/socket_option_impl.h" #include "source/common/network/utility.h" #include "source/common/protobuf/protobuf.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/ssl_socket.h" #include "source/server/configuration_impl.h" #include "test/mocks/network/mocks.h" @@ -128,11 +128,11 @@ class FilterChainManagerImplTest : public testing::TestWithParam { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string filter_chain_matcher = R"EOF( matcher_tree: diff --git a/test/common/listener_manager/listener_manager_impl_quic_only_test.cc b/test/common/listener_manager/listener_manager_impl_quic_only_test.cc index 67b334f46ddd..e38af489d6fa 100644 --- a/test/common/listener_manager/listener_manager_impl_quic_only_test.cc +++ b/test/common/listener_manager/listener_manager_impl_quic_only_test.cc 
@@ -61,12 +61,12 @@ std::string getBasicConfig() { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -166,7 +166,9 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryAndSslContext) { auto& quic_socket_factory = dynamic_cast( filter_chain->transportSocketFactory()); EXPECT_TRUE(quic_socket_factory.implementsSecureTransport()); - EXPECT_FALSE(quic_socket_factory.getTlsCertificates().empty()); + auto [cert, key] = quic_socket_factory.getTlsCertificateAndKey("", nullptr); + EXPECT_TRUE(cert != nullptr); + EXPECT_TRUE(key != nullptr); EXPECT_TRUE(listener_factory_.socket_->socket_is_open_); // Stop listening shouldn't close the socket. 
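Review bot: In the `@@ -166` hunk `EXPECT_TRUE(cert != nullptr);` and `EXPECT_TRUE(key != nullptr);` lose the values on failure; `EXPECT_NE(cert, nullptr);` and `EXPECT_NE(key, nullptr);` are the gtest idiom and print both operands. The literal arguments in `getTlsCertificateAndKey("", nullptr)` would also benefit from the `/* name= */` argument comments this test file already uses elsewhere, so a reader does not have to open the factory to know what the empty string and null stand for.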
@@ -274,12 +276,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithExplictConnection common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -433,12 +435,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithWrongTransportSoc common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -482,12 +484,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithWrongCodec) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -546,12 +548,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithNetworkFilterAfte common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -604,12 +606,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithConnectionBalence common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -667,12 +669,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithBadServerPreferre common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -731,12 +733,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithBadServerPreferre common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index c7d883f53d05..a3db944e6203 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc @@ -24,10 +24,10 @@ #include "source/common/network/utility.h" #include "source/common/protobuf/protobuf.h" #include "source/common/router/string_accessor_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/extensions/common/matcher/trie_matcher.h" #include "source/extensions/filters/listener/original_dst/original_dst.h" #include "source/extensions/filters/listener/tls_inspector/tls_inspector.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "test/common/listener_manager/config.pb.h" #include "test/common/listener_manager/config.pb.validate.h" 
@@ -433,12 +433,12 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsTransportSocket) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_subject_alt_names: exact: localhost exact: 127.0.0.1 @@ -3374,8 +3374,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithDestinationP "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -3440,8 +3440,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithDirectSource "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -3512,8 +3512,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithDestinationI "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -3585,8 +3585,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -3662,8 +3662,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithServerNamesM "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -3734,8 +3734,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithTransportPro "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -3863,8 +3863,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithApplicationP "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -3930,8 +3930,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourceTypeMa "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4011,8 +4011,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourceIpMatc "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4097,8 +4097,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourceIpv6Ma "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4162,8 +4162,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourcePortMa "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4228,8 +4228,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithSourceTyp "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: application_protocols: "http/1.1" source_type: EXTERNAL @@ -4240,8 +4240,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithSourceTyp "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: source_type: ANY name: baz 
@@ -4251,8 +4251,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithSourceTyp "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4375,8 +4375,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: destination_port: 8080 name: bar 
@@ -4386,8 +4386,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: destination_port: 8081 name: baz @@ -4397,8 +4397,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4495,8 +4495,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: prefix_ranges: { address_prefix: 192.168.0.1, prefix_len: 32 } name: bar @@ -4506,8 +4506,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: prefix_ranges: { address_prefix: 192.168.0.0, prefix_len: 16 } name: baz 
@@ -4517,8 +4517,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4633,8 +4633,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDirectSou "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: direct_source_prefix_ranges: { address_prefix: 192.168.0.1, prefix_len: 32 } name: bar 
@@ -4644,8 +4644,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDirectSou "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: direct_source_prefix_ranges: { address_prefix: 192.168.0.0, prefix_len: 16 } name: baz @@ -4655,8 +4655,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDirectSou "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4764,11 +4764,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithServerNam "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "server1.example.com" transport_socket: @@ -4777,11 +4777,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithServerNam "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "*.com" transport_socket: 
@@ -4790,11 +4790,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithServerNam "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF", Network::Address::IpVersion::v4); @@ -4868,8 +4868,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithTransport "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -5016,8 +5016,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithApplicati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -5094,8 +5094,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithMultipleR "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); 
@@ -5156,11 +5156,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDifferent "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "www.example.com" name: bar @@ -5170,11 +5170,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDifferent "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" )EOF", Network::Address::IpVersion::v4); 
@@ -5203,11 +5203,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "www.example.com" name: bar @@ -5217,8 +5217,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); 
@@ -5442,11 +5442,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MatcherFilterChainWithDuplicateNa TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInline) { const std::string cert = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem")); - const std::string pkey = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem")); - const std::string ca = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem")); + const std::string pkey = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem")); + const std::string ca = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); const std::string yaml = absl::StrCat(R"EOF( address: socket_address: { address: 127.0.0.1, port_value: 1234 } @@ -5475,7 +5475,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInline) { TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateChainInlinePrivateKeyFilename) { const std::string cert = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem")); + "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem")); const std::string yaml = TestEnvironment::substitute(absl::StrCat(R"EOF( address: socket_address: { address: 127.0.0.1, port_value: 1234 } 
@@ -5487,7 +5487,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateChainInlinePrivateK "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + - private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } certificate_chain: { inline_string: ")EOF", absl::CEscape(cert), R"EOF(" } )EOF"), @@ -5511,7 +5511,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateIncomplete) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } )EOF", Network::Address::IpVersion::v4); @@ -5532,7 +5532,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidCertificateC common_tls_context: tls_certificates: - certificate_chain: { inline_string: "invalid" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } )EOF", Network::Address::IpVersion::v4); 
@@ -5541,8 +5541,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidCertificateC } TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidIntermediateCA) { - const std::string leaf = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem")); + const std::string leaf = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem")); const std::string yaml = TestEnvironment::substitute( absl::StrCat( R"EOF( @@ -5559,7 +5559,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidIntermediate - certificate_chain: { inline_string: ")EOF", absl::CEscape(leaf), R"EOF(\n-----BEGIN CERTIFICATE-----\nDEFINITELY_INVALID_CERTIFICATE\n-----END CERTIFICATE-----" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } )EOF"), Network::Address::IpVersion::v4); @@ -5579,7 +5579,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidPrivateKey) "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } private_key: { inline_string: "invalid" } )EOF", Network::Address::IpVersion::v4); 
@@ -5601,8 +5601,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidTrustedCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } validation_context: trusted_ca: { inline_string: "invalid" } )EOF", @@ -5624,8 +5624,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateCertPrivateKeyMisma "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" } )EOF", Network::Address::IpVersion::v4); 
@@ -6535,11 +6535,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLFilename) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } - crl: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } + crl: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" } )EOF", Network::Address::IpVersion::v4); @@ -6550,8 +6550,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLFilename) { } TEST_P(ListenerManagerImplWithRealFiltersTest, CRLInline) { - const std::string crl = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl")); + const std::string crl = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl")); const std::string yaml = TestEnvironment::substitute(absl::StrCat(R"EOF( address: socket_address: { address: 127.0.0.1, port_value: 1234 } 
@@ -6563,10 +6563,10 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLInline) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } crl: { inline_string: ")EOF", absl::CEscape(crl), R"EOF(" } )EOF"), @@ -6590,10 +6590,10 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, InvalidCRLInline) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } crl: { inline_string: "-----BEGIN X509 CRL-----\nTOTALLY_NOT_A_CRL_HERE\n-----END X509 CRL-----\n" } )EOF", Network::Address::IpVersion::v4); 
@@ -6614,10 +6614,10 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLWithNoCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - crl: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" } + crl: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" } )EOF", Network::Address::IpVersion::v4); @@ -6637,8 +6637,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, VerifySanWithNoCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: match_subject_alt_names: exact: "spiffe://lyft.com/testclient" 
@@ -6663,8 +6663,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, VerifyIgnoreExpirationWithNoCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: allow_expired_certificate: true )EOF", @@ -6687,11 +6687,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, VerifyIgnoreExpirationWithCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF", Network::Address::IpVersion::v4); diff --git a/test/common/network/BUILD b/test/common/network/BUILD index ea59472db9b6..9e4c1c2e8205 100644 --- a/test/common/network/BUILD +++ b/test/common/network/BUILD 
@@ -249,6 +249,7 @@ envoy_cc_test( "//source/common/network:utility_lib", "//source/common/stats:stats_lib", "//test/common/network:listener_impl_test_base_lib", + "//test/mocks/network:mock_parent_drained_callback_registrar", "//test/mocks/network:network_mocks", "//test/mocks/server:server_mocks", "//test/test_common:environment_lib", diff --git a/test/common/network/udp_listener_impl_batch_writer_test.cc b/test/common/network/udp_listener_impl_batch_writer_test.cc index 39b69e86c02a..35156dbd6a83 100644 --- a/test/common/network/udp_listener_impl_batch_writer_test.cc +++ b/test/common/network/udp_listener_impl_batch_writer_test.cc @@ -61,6 +61,7 @@ size_t getPacketLength(const msghdr* msg) { class UdpListenerImplBatchWriterTest : public UdpListenerImplTestBase { public: void SetUp() override { + UdpListenerImplTestBase::setup(); // Set listening socket options and set UdpGsoBatchWriter server_socket_->addOptions(SocketOptionFactory::buildIpPacketInfoOptions()); server_socket_->addOptions(SocketOptionFactory::buildRxQueueOverFlowOptions()); diff --git a/test/common/network/udp_listener_impl_test.cc b/test/common/network/udp_listener_impl_test.cc index 18810ca7467a..6df91c150355 100644 --- a/test/common/network/udp_listener_impl_test.cc +++ b/test/common/network/udp_listener_impl_test.cc @@ -16,6 +16,7 @@ #include "test/common/network/udp_listener_impl_test_base.h" #include "test/mocks/api/mocks.h" +#include "test/mocks/network/mock_parent_drained_callback_registrar.h" #include "test/mocks/network/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/network_utility.h" @@ -52,6 +53,7 @@ class OverrideOsSysCallsImpl : public Api::OsSysCallsImpl { class UdpListenerImplTest : public UdpListenerImplTestBase { public: void setup(bool prefer_gro = false) { + UdpListenerImplTestBase::setup(); ON_CALL(override_syscall_, supportsUdpGro()).WillByDefault(Return(false)); // Return the real version by default. ON_CALL(override_syscall_, supportsMmsg()) 
@@ -385,6 +387,106 @@ TEST_P(UdpListenerImplTest, UdpListenerEnableDisable) {
 dispatcher_->run(Event::Dispatcher::RunType::Block);
 }
+class HotRestartedUdpListenerImplTest : public UdpListenerImplTest {
+public:
+ void SetUp() override {
+#ifdef WIN32
+ GTEST_SKIP() << "Hot restart is not supported on Windows.";
+#endif
+ }
+ void setup() {
+ io_handle_ = &useHotRestartSocket(registrar_);
+ // File event should be created listening to no events (i.e. disabled).
+ EXPECT_CALL(*io_handle_, createFileEvent_(_, _, _, 0));
+ // Parent drained callback should be registered when the listener is created.
+ // We capture the callback so we can simulate "drain complete".
+ EXPECT_CALL(registrar_, registerParentDrainedCallback(_, _))
+ .WillOnce(
+ [this](const Address::InstanceConstSharedPtr&, absl::AnyInvocable callback) {
+ parent_drained_callback_ = std::move(callback);
+ });
+ UdpListenerImplTest::setup();
+ testing::Mock::VerifyAndClearExpectations(®istrar_);
+ }
+
+protected:
+ MockParentDrainedCallbackRegistrar registrar_;
+ MockIoHandle* io_handle_;
+ absl::AnyInvocable parent_drained_callback_;
+};
+
+INSTANTIATE_TEST_SUITE_P(IpVersions, HotRestartedUdpListenerImplTest,
+ testing::ValuesIn(TestEnvironment::getIpVersionsForTest()),
+ TestUtility::ipTestParamsToString);
+
+/**
+ * During hot restart, while the parent instance is draining, a quic udp
+ * listener (created with a parent_drained_callback_registrar) should not
+ * be reading packets, regardless of enable/disable calls.
+ * It should begin reading packets after drain completes.
+ */
+TEST_P(HotRestartedUdpListenerImplTest, EnableAndDisableDuringParentDrainShouldDoNothing) {
+ setup();
+ // Enabling and disabling listener should *not* trigger any
+ // event actions on the io_handle, because of listener being paused
+ // while draining.
+ EXPECT_CALL(*io_handle_, enableFileEvents(_)).Times(0);
+ listener_->disable();
+ listener_->enable();
+ testing::Mock::VerifyAndClearExpectations(io_handle_);
+ // Ending parent drain should cause io_handle to go into reading mode.
+ EXPECT_CALL(*io_handle_,
+ enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write));
+ EXPECT_CALL(*io_handle_, activateFileEvents(Event::FileReadyType::Read));
+ std::move(parent_drained_callback_)();
+ dispatcher_->run(Event::Dispatcher::RunType::Block);
+ testing::Mock::VerifyAndClearExpectations(io_handle_);
+ // Enabling and disabling once unpaused should update io_handle.
+ EXPECT_CALL(*io_handle_, enableFileEvents(0));
+ listener_->disable();
+ testing::Mock::VerifyAndClearExpectations(io_handle_);
+ EXPECT_CALL(*io_handle_,
+ enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write));
+ listener_->enable();
+ testing::Mock::VerifyAndClearExpectations(io_handle_);
+}
+
+/**
+ * Mostly the same as EnableAndDisableDuringParentDrainShouldDoNothing, but in disabled state when
+ * drain ends.
+ */
+TEST_P(HotRestartedUdpListenerImplTest, EndingParentDrainedWhileDisabledShouldNotStartReading) {
+ setup();
+ // Enabling and disabling listener should *not* trigger any
+ // event actions on the io_handle, because of listener being paused
+ // while draining.
+ EXPECT_CALL(*io_handle_, enableFileEvents(_)).Times(0);
+ listener_->enable();
+ listener_->disable();
+ testing::Mock::VerifyAndClearExpectations(io_handle_);
+ // Ending drain should not trigger any event changes because the last state
+ // of the listener was disabled.
+ std::move(parent_drained_callback_)();
+ dispatcher_->run(Event::Dispatcher::RunType::Block);
+ testing::Mock::VerifyAndClearExpectations(io_handle_);
+ // Enabling after unpaused should set io_handle to reading/writing.
+ EXPECT_CALL(*io_handle_,
+ enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write));
+ listener_->enable();
+ testing::Mock::VerifyAndClearExpectations(io_handle_);
+}
+
+TEST_P(HotRestartedUdpListenerImplTest,
+ ParentDrainedCallbackAfterListenerDestroyedShouldDoNothing) {
+ setup();
+ EXPECT_CALL(*io_handle_, enableFileEvents(_)).Times(0);
+ listener_ = nullptr;
+ // Signaling end-of-drain after the listener was destroyed should do nothing.
+ std::move(parent_drained_callback_)();
+ dispatcher_->run(Event::Dispatcher::RunType::Block);
+ // At this point io_handle should be an invalid reference.
+}
+
 /**
 * Tests UDP listener's error callback.
 */
diff --git a/test/common/network/udp_listener_impl_test_base.h b/test/common/network/udp_listener_impl_test_base.h
index 112f89d68dc3..9b7636e13ae8 100644
--- a/test/common/network/udp_listener_impl_test_base.h
+++ b/test/common/network/udp_listener_impl_test_base.h
@@ -31,13 +31,24 @@ namespace Envoy {
 namespace Network {
 class UdpListenerImplTestBase : public ListenerImplTestBase {
-public:
- UdpListenerImplTestBase()
- : server_socket_(createServerSocket(true)), send_to_addr_(getServerLoopbackAddress()) {
+protected:
+ MockIoHandle&
+ useHotRestartSocket(OptRef parent_drained_callback_registrar) {
+ auto io_handle = std::make_unique>();
+ MockIoHandle& ret = *io_handle;
+ server_socket_ = createServerSocketFromExistingHandle(std::move(io_handle),
+ parent_drained_callback_registrar);
+ return ret;
+ }
+
+ void setup() {
+ if (server_socket_ == nullptr) {
+ server_socket_ = createServerSocket(true);
+ }
+ send_to_addr_ = Address::InstanceConstSharedPtr(getServerLoopbackAddress());
+ time_system_.advanceTimeWait(std::chrono::milliseconds(100));
 }
-protected:
 Address::Instance* getServerLoopbackAddress() {
 if (version_ == Address::IpVersion::v4) {
 return new Address::Ipv4Instance(
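Review bot: `MockIoHandle* io_handle_;` in the HotRestartedUdpListenerImplTest fixture is left uninitialized, so any test that touches it before `setup()` dereferences an indeterminate pointer instead of failing cleanly; declare it as `MockIoHandle* io_handle_{nullptr};`. The closing comment of ParentDrainedCallbackAfterListenerDestroyedShouldDoNothing, `// At this point io_handle should be an invalid reference.`, states a lifetime the test never checks: the handle was moved into the socket by `useHotRestartSocket`, and that socket is also held as `server_socket_` by the base fixture, so whether `listener_ = nullptr` actually destroys it is not visible here. Either pin it down (`testing::Mock::VerifyAndClearExpectations(io_handle_);` before `listener_ = nullptr;`, then `io_handle_ = nullptr;` so nothing can dereference a possibly dangling pointer) or reword the comment to say only that the callback must not touch the io handle once the listener is gone.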
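Review bot: `useHotRestartSocket` overwrites `server_socket_` unconditionally while `setup()` only creates a real socket when `server_socket_` is still null, so the two are order-dependent and nothing documents it: a subclass that calls `setup()` first silently tests a real socket and the mock handle is never used. Add a comment on `useHotRestartSocket`, `// Must be called before setup(); replaces the server socket with one wrapping a mock IoHandle whose lifetime is tied to server_socket_.`, and guard it with `ASSERT(server_socket_ == nullptr);` so the misuse fails loudly. The class body continues past the end of this hunk.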
@@ -60,6 +71,14 @@ class UdpListenerImplTestBase : public ListenerImplTestBase { bind); } + SocketSharedPtr createServerSocketFromExistingHandle( + IoHandlePtr&& io_handle, + OptRef parent_drained_callback_registrar) { + return std::make_shared( + std::move(io_handle), Network::Test::getCanonicalLoopbackAddress(version_), + SocketOptionFactory::buildIpFreebindOptions(), parent_drained_callback_registrar); + } + Address::InstanceConstSharedPtr getNonDefaultSourceAddress() { // Use a self address that is unlikely to be picked by source address discovery // algorithm if not specified in recvmsg/recvmmsg. Port is not taken into diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index 0d9444d28b12..6c0fff13ff16 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD @@ -62,9 +62,10 @@ envoy_cc_test( ":test_utils_lib", "//source/common/quic:envoy_quic_proof_source_lib", "//source/common/quic:envoy_quic_proof_verifier_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", + "//source/common/tls:context_config_lib", "//test/mocks/network:network_mocks", "//test/mocks/ssl:ssl_mocks", + "//test/test_common:test_runtime_lib", "@com_github_google_quiche//:quic_core_versions_lib", "@com_github_google_quiche//:quic_test_tools_test_certificates_lib", ], @@ -103,9 +104,9 @@ envoy_cc_test( deps = [ ":test_utils_lib", "//source/common/quic:envoy_quic_proof_verifier_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", + "//source/common/tls:context_config_lib", "//test/common/config:dummy_config_proto_cc_proto", - "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator", + "//test/common/tls/cert_validator:timed_cert_validator", "//test/mocks/event:event_mocks", "//test/mocks/ssl:ssl_mocks", "@com_github_google_quiche//:quic_test_tools_test_certificates_lib", 
@@ -127,7 +128,6 @@ envoy_cc_test( "//test/mocks/http:http_mocks", "//test/mocks/http:stream_decoder_mock", "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", "@com_github_google_quiche//:quic_test_tools_qpack_qpack_test_utils_lib", @@ -149,7 +149,6 @@ envoy_cc_test( "//test/mocks/http:http_mocks", "//test/mocks/http:stream_decoder_mock", "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", "@com_github_google_quiche//:quic_test_tools_qpack_qpack_test_utils_lib", @@ -360,13 +359,13 @@ envoy_cc_test( name = "quic_transport_socket_factory_test", srcs = ["quic_transport_socket_factory_test.cc"], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], tags = ["nofips"], deps = [ "//source/common/quic:quic_server_transport_socket_factory_lib", "//source/common/quic:quic_transport_socket_factory_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", + "//source/common/tls:context_config_lib", "//test/mocks/server:transport_socket_factory_context_mocks", "//test/mocks/ssl:ssl_mocks", "//test/test_common:environment_lib", diff --git a/test/common/quic/active_quic_listener_test.cc b/test/common/quic/active_quic_listener_test.cc index 6c58ae781cf4..1ba2e8d21664 100644 --- a/test/common/quic/active_quic_listener_test.cc +++ b/test/common/quic/active_quic_listener_test.cc @@ -112,7 +112,8 @@ class ActiveQuicListenerTest : public testing::TestWithParam>()), + std::make_unique>(), + ssl_context_manager_, {}), quic_version_(quic::CurrentSupportedHttp3Versions()[0]), quic_stat_names_(listener_config_.listenerScope().symbolTable()) {} 
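Review bot: The initializer at `std::make_unique<...>(), ssl_context_manager_, {})` hands a reference to `ssl_context_manager_` to another member's constructor, while the companion hunk declares `NiceMock<...> ssl_context_manager_` after `udp_packet_writer_factory_`; unless the member being initialized here is declared below that point, the reference is bound to a not-yet-constructed object, which is only safe if the callee does nothing but store it. Please confirm the declaration order, or declare `ssl_context_manager_` directly above the member that consumes it, as envoy_quic_dispatcher_test.cc does by placing it immediately before `transport_socket_factory_`. The constructor and its initializer list begin outside this hunk.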
@@ -328,6 +329,7 @@ class ActiveQuicListenerTest : public testing::TestWithParam udp_listener_config_;
 NiceMock listener_config_;
 NiceMock udp_packet_writer_factory_;
+ NiceMock ssl_context_manager_;
 quic::QuicConfig quic_config_;
 Server::ConnectionHandlerImpl connection_handler_;
 std::unique_ptr quic_listener_;
diff --git a/test/common/quic/envoy_quic_client_session_test.cc b/test/common/quic/envoy_quic_client_session_test.cc
index 23a105888b10..1a97687d2118 100644
--- a/test/common/quic/envoy_quic_client_session_test.cc
+++ b/test/common/quic/envoy_quic_client_session_test.cc
@@ -428,6 +428,28 @@ TEST_P(EnvoyQuicClientSessionTest, VerifyContextAbortOnFlushWriteBuffer) {
 "unexpectedly reached");
 }
+TEST_P(EnvoyQuicClientSessionTest, HandlePacketsWithoutDestinationAddress) {
+ // Build a STATELESS_RESET packet.
+ std::unique_ptr stateless_reset_packet =
+ quic::QuicFramer::BuildIetfStatelessResetPacket(
+ quic::test::TestConnectionId(), /*received_packet_length*/ 1200,
+ quic::QuicUtils::GenerateStatelessResetToken(quic::test::TestConnectionId()));
+ EXPECT_CALL(network_connection_callbacks_, onEvent(Network::ConnectionEvent::LocalClose))
+ .Times(0);
+ for (size_t i = 0; i < 9; ++i) {
+ auto buffer = std::make_unique(stateless_reset_packet->data(),
+ stateless_reset_packet->length());
+ quic_connection_->processPacket(nullptr, peer_addr_, std::move(buffer),
+ time_system_.monotonicTime());
+ }
+ EXPECT_CALL(network_connection_callbacks_, onEvent(Network::ConnectionEvent::LocalClose))
+ .Times(0);
+ auto buffer = std::make_unique(stateless_reset_packet->data(),
+ stateless_reset_packet->length());
+ quic_connection_->processPacket(nullptr, peer_addr_, std::move(buffer),
+ time_system_.monotonicTime());
+}
+
 // Tests that receiving a STATELESS_RESET packet on the probing socket doesn't cause crash.
 TEST_P(EnvoyQuicClientSessionTest, StatelessResetOnProbingSocket) {
 quic::QuicNewConnectionIdFrame frame;
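Review bot: In HandlePacketsWithoutDestinationAddress the ten identical stateless-reset packets are delivered as a loop of nine plus one trailing send, which reads as if the tenth packet crosses some threshold, yet nothing says which one, and the second `EXPECT_CALL(network_connection_callbacks_, onEvent(...LocalClose)).Times(0)` merely restates the first. Add a comment naming that threshold before the trailing send (or fold it into a single loop of ten if there is none), and finish with a positive check that the connection survived, e.g. `EXPECT_TRUE(quic_connection_->connected());`, assuming the connection exposes that accessor. The reset token is generated for `quic::test::TestConnectionId()`; a one-line comment stating why these packets must be ignored here (the null local address, as the test name implies) would make the security intent verifiable rather than inferred.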
diff --git a/test/common/quic/envoy_quic_client_stream_test.cc b/test/common/quic/envoy_quic_client_stream_test.cc index 7daf1fe0db1c..b579c6962130 100644 --- a/test/common/quic/envoy_quic_client_stream_test.cc +++ b/test/common/quic/envoy_quic_client_stream_test.cc @@ -8,7 +8,6 @@ #include "test/mocks/http/mocks.h" #include "test/mocks/http/stream_decoder.h" #include "test/mocks/network/mocks.h" -#include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" #include "gmock/gmock.h" @@ -249,10 +248,6 @@ TEST_F(EnvoyQuicClientStreamTest, PostRequestAndResponse) { } TEST_F(EnvoyQuicClientStreamTest, PostRequestAndResponseWithMemSliceReleasor) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.quiche_use_mem_slice_releasor_api", "true"}}); - EXPECT_EQ(absl::nullopt, quic_stream_->http1StreamEncoderOptions()); const auto result = quic_stream_->encodeHeaders(request_headers_, false); EXPECT_TRUE(result.ok()); diff --git a/test/common/quic/envoy_quic_dispatcher_test.cc b/test/common/quic/envoy_quic_dispatcher_test.cc index e14c36d09d9b..fb016b442b86 100644 --- a/test/common/quic/envoy_quic_dispatcher_test.cc +++ b/test/common/quic/envoy_quic_dispatcher_test.cc @@ -77,7 +77,8 @@ class EnvoyQuicDispatcherTest : public testing::TestWithParam>()) { + std::make_unique>(), + ssl_context_manager_, {}) { auto writer = new testing::NiceMock(); envoy_quic_dispatcher_.InitializeWithWriter(writer); EXPECT_CALL(*writer, WritePacket(_, _, _, _, _, _)) @@ -252,6 +253,7 @@ class EnvoyQuicDispatcherTest : public testing::TestWithParam ssl_context_manager_; QuicServerTransportSocketFactory transport_socket_factory_; }; diff --git a/test/common/quic/envoy_quic_proof_source_test.cc b/test/common/quic/envoy_quic_proof_source_test.cc index 2c6bcc991cf8..a6814a40c52d 100644 --- a/test/common/quic/envoy_quic_proof_source_test.cc +++ b/test/common/quic/envoy_quic_proof_source_test.cc 
@@ -5,11 +5,12 @@ #include "source/common/quic/envoy_quic_proof_source.h" #include "source/common/quic/envoy_quic_proof_verifier.h" #include "source/common/quic/envoy_quic_utils.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "test/common/quic/test_utils.h" #include "test/mocks/network/mocks.h" #include "test/mocks/ssl/mocks.h" +#include "test/test_common/test_runtime.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -19,6 +20,7 @@ using testing::Invoke; using testing::Return; using testing::ReturnRef; +using testing::SaveArg; namespace Envoy { 
@@ -141,6 +143,193 @@ class TestSignatureCallback : public quic::ProofSource::SignatureCallback { class EnvoyQuicProofSourceTest : public ::testing::Test { public: EnvoyQuicProofSourceTest() + : server_address_(quic::QuicIpAddress::Loopback4(), 12345), + client_address_(quic::QuicIpAddress::Loopback4(), 54321), + mock_context_config_(new NiceMock()), + listener_stats_({ALL_LISTENER_STATS(POOL_COUNTER(listener_config_.listenerScope()), + POOL_GAUGE(listener_config_.listenerScope()), + POOL_HISTOGRAM(listener_config_.listenerScope()))}), + proof_source_(listen_socket_, filter_chain_manager_, listener_stats_, time_system_) { + EXPECT_CALL(*mock_context_config_, setSecretUpdateCallback(_)) + .Times(testing::AtLeast(1u)) + .WillRepeatedly(SaveArg<0>(&secret_update_callback_)); + EXPECT_CALL(*mock_context_config_, alpnProtocols()).WillRepeatedly(ReturnRef(alpn_)); + transport_socket_factory_ = std::make_unique( + true, listener_config_.listenerScope(), + std::unique_ptr(mock_context_config_), ssl_context_manager_, + std::vector{}); + transport_socket_factory_->initialize(); + EXPECT_CALL(filter_chain_, name()).WillRepeatedly(Return("")); + } + + void expectCertChainAndPrivateKey(const std::string& cert, bool expect_private_key, + bool expect_fail_to_load = false) { + int times = -1; + if (expect_fail_to_load) { + times = 0; + } else if (expect_private_key) { + times = 2; + } else { + times = 1; + } + EXPECT_CALL(listen_socket_, ioHandle()).Times(times); + EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) + .WillRepeatedly(Invoke( + [&](const Network::ConnectionSocket& connection_socket, const StreamInfo::StreamInfo&) { + EXPECT_EQ(*quicAddressToEnvoyAddressInstance(server_address_), + *connection_socket.connectionInfoProvider().localAddress()); + EXPECT_EQ(*quicAddressToEnvoyAddressInstance(client_address_), + *connection_socket.connectionInfoProvider().remoteAddress()); + EXPECT_EQ("quic", connection_socket.detectedTransportProtocol()); + EXPECT_EQ("h3", 
connection_socket.requestedApplicationProtocols()[0]); + return &filter_chain_; + })); + EXPECT_CALL(filter_chain_, transportSocketFactory()) + .WillRepeatedly(ReturnRef(*transport_socket_factory_)); + + EXPECT_CALL(*mock_context_config_, isReady()).WillRepeatedly(Return(true)); + std::vector> tls_cert_configs{ + std::reference_wrapper(tls_cert_config_)}; + EXPECT_CALL(*mock_context_config_, tlsCertificates()).WillRepeatedly(Return(tls_cert_configs)); + EXPECT_CALL(tls_cert_config_, pkcs12()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + EXPECT_CALL(tls_cert_config_, certificateChainPath()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + EXPECT_CALL(tls_cert_config_, privateKeyMethod()).WillRepeatedly(Return(nullptr)); + EXPECT_CALL(tls_cert_config_, privateKeyPath()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + EXPECT_CALL(tls_cert_config_, password()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + static const std::vector ocsp_staple; + EXPECT_CALL(tls_cert_config_, ocspStaple()).WillRepeatedly(ReturnRef(ocsp_staple)); + EXPECT_CALL(tls_cert_config_, certificateChain()) + .Times(testing::AtLeast(1)) + .WillRepeatedly(ReturnRef(cert)); + if (expect_private_key) { + EXPECT_CALL(tls_cert_config_, privateKey()) + .Times(testing::AtLeast(1)) + .WillRepeatedly(ReturnRef(pkey_)); + } + ASSERT_TRUE(secret_update_callback_ != nullptr); + secret_update_callback_(); + } + +protected: + Event::GlobalTimeSystem time_system_; + std::string hostname_{"www.fake.com"}; + quic::QuicSocketAddress server_address_; + quic::QuicSocketAddress client_address_; + quic::QuicTransportVersion version_{quic::QUIC_VERSION_UNSUPPORTED}; + absl::string_view chlo_hash_{"aaaaa"}; + std::string server_config_{"Server Config"}; + std::string expected_certs_{quic::test::kTestCertificateChainPem}; + std::string pkey_{quic::test::kTestCertificatePrivateKeyPem}; + Network::MockFilterChain filter_chain_; + Network::MockFilterChainManager filter_chain_manager_; + Network::MockListenSocket listen_socket_; + 
testing::NiceMock listener_config_; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{time_system_}; + Ssl::MockServerContextConfig* mock_context_config_; + std::function secret_update_callback_; + std::unique_ptr transport_socket_factory_; + Ssl::MockTlsCertificateConfig tls_cert_config_; + Server::ListenerStats listener_stats_; + EnvoyQuicProofSource proof_source_; + std::string alpn_{"h3"}; +}; + +TEST_F(EnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { + expectCertChainAndPrivateKey(expected_certs_, true); + bool cert_matched_sni; + quiche::QuicheReferenceCountedPointer chain = + proof_source_.GetCertChain(server_address_, client_address_, hostname_, &cert_matched_sni); + EXPECT_EQ(2, chain->certs.size()); + + std::string error_details; + bssl::UniquePtr cert = parseDERCertificate(chain->certs[0], &error_details); + EXPECT_NE(cert, nullptr); + bssl::UniquePtr pub_key(X509_get_pubkey(cert.get())); + int sign_alg = deduceSignatureAlgorithmFromPublicKey(pub_key.get(), &error_details); + EXPECT_EQ(sign_alg, SSL_SIGN_RSA_PSS_RSAE_SHA256); + std::string signature; + proof_source_.ComputeTlsSignature( + server_address_, client_address_, hostname_, SSL_SIGN_RSA_PSS_RSAE_SHA256, "payload", + std::make_unique(true, filter_chain_, signature)); + SignatureVerifier verifier; + verifier.verifyCertsAndSignature(chain, "payload", signature); +} + +TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { + // No filter chain. + EXPECT_CALL(listen_socket_, ioHandle()).Times(2); + EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) + .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { + return nullptr; + })); + bool cert_matched_sni; + EXPECT_EQ(nullptr, proof_source_.GetCertChain(server_address_, client_address_, hostname_, + &cert_matched_sni)); + + // Cert not ready. 
+ EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) + .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { + return &filter_chain_; + })); + EXPECT_CALL(filter_chain_, transportSocketFactory()) + .WillOnce(ReturnRef(*transport_socket_factory_)); + EXPECT_EQ(nullptr, proof_source_.GetCertChain(server_address_, client_address_, hostname_, + &cert_matched_sni)); +} + +TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { + std::string invalid_cert{R"(-----BEGIN CERTIFICATE----- + invalid certificate + -----END CERTIFICATE-----)"}; + EXPECT_THROW_WITH_MESSAGE(expectCertChainAndPrivateKey(invalid_cert, false, true), EnvoyException, + "Failed to load certificate chain from "); +} + +TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidPublicKeyInCert) { + // This is a valid cert with RSA public key. But we don't support RSA key with + // length < 1024. + std::string cert_with_rsa_1024{R"(-----BEGIN CERTIFICATE----- +MIIC2jCCAkOgAwIBAgIUDBHEwlCvLGh3w0O8VwIW+CjYXY8wDQYJKoZIhvcNAQEL +BQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMRIwEAYDVQQHDAlDYW1icmlk +Z2UxDzANBgNVBAoMBkdvb2dsZTEOMAwGA1UECwwFZW52b3kxDTALBgNVBAMMBHRl +c3QxHzAdBgkqhkiG9w0BCQEWEGRhbnpoQGdvb2dsZS5jb20wHhcNMjAwODA0MTg1 +OTQ4WhcNMjEwODA0MTg1OTQ4WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUEx +EjAQBgNVBAcMCUNhbWJyaWRnZTEPMA0GA1UECgwGR29vZ2xlMQ4wDAYDVQQLDAVl +bnZveTENMAsGA1UEAwwEdGVzdDEfMB0GCSqGSIb3DQEJARYQZGFuemhAZ29vZ2xl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAykCZNjxws+sNfnp18nsp ++7LN81J/RSwAHLkGnwEtd3OxSUuiCYHgYlyuEAwJdf99+SaFrgcA4LvYJ/Mhm/fZ +msnpfsAvoQ49+ax0fm1x56ii4KgNiu9iFsWwwVmkHkgjlRcRsmhr4WeIf14Yvpqs +JNsbNVSCZ4GLQ2V6BqIHlhcCAwEAAaNTMFEwHQYDVR0OBBYEFDO1KPYcdRmeKDvL +H2Yzj8el2Xe1MB8GA1UdIwQYMBaAFDO1KPYcdRmeKDvLH2Yzj8el2Xe1MA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAnwWVmwSK9TDml7oHGBavzOC1 +f/lOd5zz2e7Tu2pUtx1sX1tlKph1D0ANpJwxRV78R2hjmynLSl7h4Ual9NMubqkD +x96rVeUbRJ/qU4//nNM/XQa9vIAIcTZ0jFhmb0c3R4rmoqqC3vkSDwtaE5yuS5T4 +GUy+n0vQNB0cXGzgcGI= 
+-----END CERTIFICATE-----)"};
+ EXPECT_THROW_WITH_MESSAGE(expectCertChainAndPrivateKey(cert_with_rsa_1024, false, true),
+ EnvoyException,
+ "Failed to load certificate chain from , only RSA certificates with "
+ "2048-bit or larger keys are supported");
+}
+
+TEST_F(EnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) {
+ EXPECT_CALL(listen_socket_, ioHandle());
+ EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _))
+ .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) {
+ return nullptr;
+ }));
+
+ std::string signature;
+ proof_source_.ComputeTlsSignature(
+ server_address_, client_address_, hostname_, SSL_SIGN_RSA_PSS_RSAE_SHA256, "payload",
+ std::make_unique(false, filter_chain_, signature));
+}
+
+// Test with `envoy.restart_features.quic_handle_certs_with_shared_tls_code` set to false. This
+// has different expectations, so the old tests are kept here verbatim.
+class LegacyEnvoyQuicProofSourceTest : public ::testing::Test {
+public:
+ LegacyEnvoyQuicProofSourceTest()
 : server_address_(quic::QuicIpAddress::Loopback4(), 12345),
 client_address_(quic::QuicIpAddress::Loopback4(), 54321),
 mock_context_config_(new Ssl::MockServerContextConfig()),
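Review bot: The comment above `cert_with_rsa_1024` in GetCertChainFailInvalidPublicKeyInCert says `we don't support RSA key with length < 1024`, but the embedded certificate is itself 1024-bit and the asserted message is `only RSA certificates with 2048-bit or larger keys are supported`; change the comment to `// This is a valid cert with a 1024-bit RSA public key, but RSA keys shorter than 2048 bits are rejected.` so the documented limit matches what is enforced. In `expectCertChainAndPrivateKey` the `int times = -1;` sentinel is never observable because every branch overwrites it; `const int times = expect_fail_to_load ? 0 : (expect_private_key ? 2 : 1);` says the same thing without a dead default. The new test name `TestGetCerChainAndSignatureAndVerify` carries the `Cer` typo over from the legacy copy; fixing it in the new fixture costs nothing.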
@@ -148,11 +337,15 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { POOL_GAUGE(listener_config_.listenerScope()), POOL_HISTOGRAM(listener_config_.listenerScope()))}), proof_source_(listen_socket_, filter_chain_manager_, listener_stats_, time_system_) { + scoped_runtime_.mergeValues( + {{"envoy.restart_features.quic_handle_certs_with_shared_tls_code", "false"}}); + EXPECT_CALL(*mock_context_config_, setSecretUpdateCallback(_)).Times(testing::AtLeast(1u)); EXPECT_CALL(*mock_context_config_, alpnProtocols()).WillRepeatedly(ReturnRef(alpn_)); transport_socket_factory_ = std::make_unique( true, listener_config_.listenerScope(), - std::unique_ptr(mock_context_config_)); + std::unique_ptr(mock_context_config_), ssl_context_manager_, + std::vector{}); transport_socket_factory_->initialize(); EXPECT_CALL(filter_chain_, name()).WillRepeatedly(Return("")); } @@ -184,6 +377,8 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { } protected: + TestScopedRuntime scoped_runtime_; + Event::GlobalTimeSystem time_system_; std::string hostname_{"www.fake.com"}; quic::QuicSocketAddress server_address_; quic::QuicSocketAddress client_address_; 
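Review bot: In LegacyEnvoyQuicProofSourceTest the `scoped_runtime_.mergeValues({{"envoy.restart_features.quic_handle_certs_with_shared_tls_code", "false"}})` override runs in the constructor body, after `proof_source_` has already been built in the initializer list; if EnvoyQuicProofSource samples that restart feature when it is constructed rather than on each call, these tests would still exercise the new code path despite their name. Please confirm when the flag is read, or apply the override before `proof_source_` is constructed, for instance via a small helper invoked from the initializer list that merges the value and returns the `TestScopedRuntime`. The constructor's initializer list begins outside this hunk.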
@@ -196,16 +391,16 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { Network::MockFilterChainManager filter_chain_manager_; Network::MockListenSocket listen_socket_; testing::NiceMock listener_config_; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{time_system_}; Ssl::MockServerContextConfig* mock_context_config_; std::unique_ptr transport_socket_factory_; Ssl::MockTlsCertificateConfig tls_cert_config_; Server::ListenerStats listener_stats_; - Event::GlobalTimeSystem time_system_; EnvoyQuicProofSource proof_source_; std::string alpn_{"h3"}; }; -TEST_F(EnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { +TEST_F(LegacyEnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { expectCertChainAndPrivateKey(expected_certs_, true); bool cert_matched_sni; quiche::QuicheReferenceCountedPointer chain = @@ -226,7 +421,7 @@ TEST_F(EnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { verifier.verifyCertsAndSignature(chain, "payload", signature); } -TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { +TEST_F(LegacyEnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { // No filter chain. EXPECT_CALL(listen_socket_, ioHandle()).Times(3); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) @@ -269,7 +464,7 @@ TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { &cert_matched_sni)); } -TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { +TEST_F(LegacyEnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { std::string invalid_cert{R"(-----BEGIN CERTIFICATE----- invalid certificate -----END CERTIFICATE-----)"}; 
@@ -279,7 +474,7 @@ TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { &cert_matched_sni)); } -TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidPublicKeyInCert) { +TEST_F(LegacyEnvoyQuicProofSourceTest, GetCertChainFailInvalidPublicKeyInCert) { // This is a valid cert with RSA public key. But we don't support RSA key with // length < 1024. std::string cert_with_rsa_1024{R"(-----BEGIN CERTIFICATE----- @@ -306,7 +501,7 @@ GUy+n0vQNB0cXGzgcGI= &cert_matched_sni)); } -TEST_F(EnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) { +TEST_F(LegacyEnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) { EXPECT_CALL(listen_socket_, ioHandle()); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { @@ -319,7 +514,7 @@ TEST_F(EnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) { std::make_unique(false, filter_chain_, signature)); } -TEST_F(EnvoyQuicProofSourceTest, UnexpectedPrivateKey) { +TEST_F(LegacyEnvoyQuicProofSourceTest, UnexpectedPrivateKey) { EXPECT_CALL(listen_socket_, ioHandle()); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { @@ -355,7 +550,7 @@ qGm130brdD+1U1EJnEFmleLZ/W6mEi3MxcKpWOpTqQ== std::make_unique(false, filter_chain_, signature)); } -TEST_F(EnvoyQuicProofSourceTest, InvalidPrivateKey) { +TEST_F(LegacyEnvoyQuicProofSourceTest, InvalidPrivateKey) { EXPECT_CALL(listen_socket_, ioHandle()); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { diff --git a/test/common/quic/envoy_quic_proof_verifier_test.cc b/test/common/quic/envoy_quic_proof_verifier_test.cc index c7eef7189ac1..ab12465385eb 100644 --- a/test/common/quic/envoy_quic_proof_verifier_test.cc +++ b/test/common/quic/envoy_quic_proof_verifier_test.cc 
@@ -3,11 +3,11 @@ #include "source/common/network/transport_socket_options_impl.h" #include "source/common/quic/envoy_quic_proof_verifier.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "test/common/config/dummy_config.pb.h" #include "test/common/quic/test_utils.h" -#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h" +#include "test/common/tls/cert_validator/timed_cert_validator.h" #include "test/mocks/event/mocks.h" #include "test/mocks/ssl/mocks.h" #include "test/mocks/stats/mocks.h" diff --git a/test/common/quic/envoy_quic_server_stream_test.cc b/test/common/quic/envoy_quic_server_stream_test.cc index 5f976e56ba57..51f1e01045e9 100644 --- a/test/common/quic/envoy_quic_server_stream_test.cc +++ b/test/common/quic/envoy_quic_server_stream_test.cc @@ -15,7 +15,6 @@ #include "test/mocks/http/mocks.h" #include "test/mocks/http/stream_decoder.h" #include "test/mocks/network/mocks.h" -#include "test/test_common/test_runtime.h" #include "test/test_common/test_time.h" #include "test/test_common/utility.h" @@ -287,10 +286,6 @@ TEST_F(EnvoyQuicServerStreamTest, PostRequestAndResponse) { } TEST_F(EnvoyQuicServerStreamTest, PostRequestAndResponseWithMemSliceReleasor) { - TestScopedRuntime scoped_runtime; - scoped_runtime.mergeValues( - {{"envoy.reloadable_features.quiche_use_mem_slice_releasor_api", "true"}}); - EXPECT_EQ(absl::nullopt, quic_stream_->http1StreamEncoderOptions()); receiveRequest(request_body_, true, request_body_.size() * 2); quic_stream_->encodeHeaders(response_headers_, /*end_stream=*/false); diff --git a/test/common/quic/platform/BUILD b/test/common/quic/platform/BUILD index 3c500de5c7bf..ef8fc42c9864 100644 --- a/test/common/quic/platform/BUILD +++ b/test/common/quic/platform/BUILD 
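Review bot: With the `quiche_use_mem_slice_releasor_api` override removed, `PostRequestAndResponseWithMemSliceReleasor` now runs under the flag's default and, as far as this hunk shows, differs from `PostRequestAndResponse` only in the `request_body_.size() * 2` argument, so the name no longer describes what the case covers. If the flag has been flipped to default-true or deleted (not visible here), either fold the case into its sibling or add a comment at the top of the test, e.g. `// The mem-slice releasor API is now the only path; this case keeps the larger-buffer variant.`. Dropping the `test/test_common/test_runtime.h` include is only safe if no other test in this file still uses `TestScopedRuntime`; the rest of the file is outside the hunk.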
@@ -22,7 +22,7 @@ envoy_cc_test( "//bazel:windows_x86_64": [], "//conditions:default": ["-Wno-unused-parameter"], }), - data = ["//test/extensions/transport_sockets/tls/test_data:certs"], + data = ["//test/common/tls/test_data:certs"], external_deps = ["quiche_quic_platform"], tags = ["nofips"], deps = [ @@ -30,7 +30,7 @@ envoy_cc_test( "//source/common/quic/platform:quiche_flags_impl_lib", "//test/common/buffer:utility_lib", "//test/common/stats:stat_test_utility_lib", - "//test/extensions/transport_sockets/tls:ssl_test_utils", + "//test/common/tls:ssl_test_utils", "//test/mocks/api:api_mocks", "//test/test_common:logging_lib", "//test/test_common:threadsafe_singleton_injector_lib", diff --git a/test/common/quic/platform/quic_platform_test.cc b/test/common/quic/platform/quic_platform_test.cc index 2f3f8682c84a..19fcbc392864 100644 --- a/test/common/quic/platform/quic_platform_test.cc +++ b/test/common/quic/platform/quic_platform_test.cc @@ -14,7 +14,7 @@ #include "test/common/buffer/utility.h" #include "test/common/stats/stat_test_utility.h" -#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" +#include "test/common/tls/ssl_test_utility.h" #include "test/mocks/api/mocks.h" #include "test/test_common/logging.h" #include "test/test_common/network_utility.h" diff --git a/test/common/quic/quic_transport_socket_factory_test.cc b/test/common/quic/quic_transport_socket_factory_test.cc index 154cfb59afea..678b8a1731ef 100644 --- a/test/common/quic/quic_transport_socket_factory_test.cc +++ b/test/common/quic/quic_transport_socket_factory_test.cc 
@@ -45,12 +45,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, EarlyDataEnabledByDefault) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"); verifyQuicServerTransportSocketFactory(yaml, true); @@ -62,12 +62,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, EarlyDataExplicitlyDisabled) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" enable_early_data: value: false )EOF"); 
@@ -81,12 +81,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, EarlyDataExplicitlyEnabled) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" enable_early_data: value: true )EOF"); @@ -101,12 +101,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, ClientAuthUnsupported) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"); EXPECT_THROW_WITH_MESSAGE(verifyQuicServerTransportSocketFactory(yaml, true), EnvoyException, "TLS Client Authentication is not supported over QUIC"); diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index 597306d5d7d5..1dc9ddf8bcfd 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD 
@@ -18,7 +18,7 @@ envoy_cc_test( name = "secret_manager_impl_test", srcs = ["secret_manager_impl_test.cc"], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], deps = [ ":private_key_provider_proto_cc_proto", @@ -45,7 +45,7 @@ envoy_cc_test( name = "sds_api_test", srcs = ["sds_api_test.cc"], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], deps = [ "//source/common/secret:sds_api_lib", diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc index 2cb819a4c02a..edc3327cbfb9 100644 --- a/test/common/secret/sds_api_test.cc +++ b/test/common/secret/sds_api_test.cc @@ -92,9 +92,9 @@ TEST_F(SdsApiTest, InitManagerInitialised) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; const std::string sds_config_path = TestEnvironment::writeStringToFileForTest( @@ -167,9 +167,9 @@ TEST_F(SdsApiTest, DynamicTlsCertificateUpdateSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret); 
@@ -180,13 +180,11 @@ TEST_F(SdsApiTest, DynamicTlsCertificateUpdateSuccess) { testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config(*sds_api.secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } @@ -579,9 +577,9 @@ TEST_F(SdsApiTest, DeltaUpdateSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret); 
@@ -594,13 +592,11 @@ TEST_F(SdsApiTest, DeltaUpdateSuccess) { testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config(*sds_api.secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } @@ -623,7 +619,7 @@ TEST_F(SdsApiTest, DynamicCertificateValidationContextUpdateSuccess) { R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; @@ -636,8 +632,7 @@ TEST_F(SdsApiTest, DynamicCertificateValidationContextUpdateSuccess) { auto cvc_config = Ssl::CertificateValidationContextConfigImpl::create(*sds_api.secret(), *api_).value(); - const std::string ca_cert = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"; + const std::string ca_cert = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ca_cert)), cvc_config->caCert()); } 
@@ -682,8 +677,8 @@ TEST_F(SdsApiTest, DefaultCertificateValidationContextTest) { typed_secret.set_name("abc.com"); auto* dynamic_cvc = typed_secret.mutable_validation_context(); dynamic_cvc->set_allow_expired_certificate(false); - dynamic_cvc->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + dynamic_cvc->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); auto* san_matcher = dynamic_cvc->add_match_typed_subject_alt_names(); san_matcher->mutable_matcher()->set_exact("second san"); san_matcher->set_san_type( @@ -716,8 +711,7 @@ TEST_F(SdsApiTest, DefaultCertificateValidationContextTest) { // field. EXPECT_TRUE(cvc_config->allowExpiredCertificate()); // Verify that singular fields are overwritten. - const std::string ca_cert = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"; + const std::string ca_cert = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ca_cert)), cvc_config->caCert()); // Verify that repeated fields are concatenated. @@ -778,7 +772,7 @@ TEST_F(SdsApiTest, GenericSecretSdsApiTest) { name: "encryption_key" generic_secret: secret: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key" + filename: "{{ test_rundir }}/test/common/tls/test_data/aes_128_key" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret); 
@@ -790,8 +784,7 @@ name: "encryption_key" const envoy::extensions::transport_sockets::tls::v3::GenericSecret generic_secret( *sds_api.secret()); - const std::string secret_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key"; + const std::string secret_path = "{{ test_rundir }}/test/common/tls/test_data/aes_128_key"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(secret_path)), Config::DataSource::read(generic_secret.secret(), true, *api_).value()); } @@ -824,9 +817,9 @@ TEST_F(SdsApiTest, SecretUpdateWrongSize) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; @@ -858,9 +851,9 @@ TEST_F(SdsApiTest, SecretUpdateWrongSecretName) { name: "wrong.name.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index cbd8e21277aa..1529a4c1d290 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc 
@@ -71,9 +71,9 @@ TEST_F(SecretManagerImplTest, TlsCertificateSecretLoadSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); SecretManagerPtr secret_manager(new SecretManagerImpl(config_tracker_)); @@ -85,13 +85,11 @@ name: "abc.com" testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config( *secret_manager->findStaticTlsCertificateProvider("abc.com")->secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } 
@@ -105,9 +103,9 @@ TEST_F(SecretManagerImplTest, DuplicateStaticTlsCertificateSecret) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); SecretManagerPtr secret_manager(new SecretManagerImpl(config_tracker_)); @@ -125,7 +123,7 @@ TEST_F(SecretManagerImplTest, CertificateValidationContextSecretLoadSuccess) { R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); @@ -139,8 +137,7 @@ TEST_F(SecretManagerImplTest, CertificateValidationContextSecretLoadSuccess) { *secret_manager->findStaticCertificateValidationContextProvider("abc.com")->secret(), *api_) .value(); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), cvc_config->caCert()); } 
@@ -153,7 +150,7 @@ TEST_F(SecretManagerImplTest, DuplicateStaticCertificateValidationContextSecret) R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); @@ -174,7 +171,7 @@ TEST_F(SecretManagerImplTest, SessionTicketKeysLoadSuccess) { name: "abc.com" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keys.bin" + - filename: "{{ test_rundir }}/test/common/tls/test_data/keys.bin" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); @@ -188,8 +185,7 @@ name: "abc.com" const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys session_ticket_keys( *secret_manager->findStaticTlsSessionTicketKeysContextProvider("abc.com")->secret()); - const std::string keys_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keys.bin"; + const std::string keys_path = "{{ test_rundir }}/test/common/tls/test_data/keys.bin"; EXPECT_EQ(session_ticket_keys.keys_size(), 1); EXPECT_EQ(session_ticket_keys.keys()[0].filename(), TestEnvironment::substitute(keys_path)); } @@ -203,7 +199,7 @@ TEST_F(SecretManagerImplTest, DuplicateSessionTicketKeysSecret) { name: "abc.com" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keys.bin" + - filename: "{{ test_rundir }}/test/common/tls/test_data/keys.bin" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); 
@@ -227,7 +223,7 @@ TEST_F(SecretManagerImplTest, GenericSecretLoadSuccess) { name: "encryption_key" generic_secret: secret: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key" + filename: "{{ test_rundir }}/test/common/tls/test_data/aes_128_key" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret); EXPECT_TRUE(secret_manager->addStaticSecret(secret).ok()); @@ -237,8 +233,7 @@ name: "encryption_key" const envoy::extensions::transport_sockets::tls::v3::GenericSecret generic_secret( *secret_manager->findStaticGenericSecretProvider("encryption_key")->secret()); - const std::string secret_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key"; + const std::string secret_path = "{{ test_rundir }}/test/common/tls/test_data/aes_128_key"; EXPECT_EQ(generic_secret.secret().filename(), TestEnvironment::substitute(secret_path)); } @@ -252,7 +247,7 @@ TEST_F(SecretManagerImplTest, DuplicateGenericSecret) { name: "encryption_key" generic_secret: secret: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key" + filename: "{{ test_rundir }}/test/common/tls/test_data/aes_128_key" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret); EXPECT_TRUE(secret_manager->addStaticSecret(secret).ok()); 
@@ -375,9 +370,9 @@ TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret); @@ -388,12 +383,10 @@ name: "abc.com" .ok()); testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config(*secret_provider->secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } @@ -578,7 +571,7 @@ name: "abc.com.validation" name: "abc.com.stek" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - inline_string: "DUMMY_INLINE_STRING" - inline_bytes: "RFVNTVlfSU5MSU5FX0JZVEVT" )EOF"; 
@@ -1015,7 +1008,7 @@ TEST_F(SecretManagerImplTest, ConfigDumpHandlerStaticSessionTicketsContext) { name: "abc.com.stek" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - inline_string: "DUMMY_INLINE_STRING" - inline_bytes: "RFVNTVlfSU5MSU5FX0JZVEVT" )EOF"; @@ -1098,7 +1091,7 @@ TEST_F(SecretManagerImplTest, SdsDynamicSecretPrivateKeyProviderUpdateSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: @@ -1140,7 +1133,7 @@ TEST_F(SecretManagerImplTest, DeprecatedSanMatcher) { R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true match_subject_alt_names: exact: "example.foo" diff --git a/test/extensions/transport_sockets/tls/BUILD b/test/common/tls/BUILD similarity index 77% rename from test/extensions/transport_sockets/tls/BUILD rename to test/common/tls/BUILD index 7ba751cbf0f2..99487d65309e 100644 --- a/test/extensions/transport_sockets/tls/BUILD +++ b/test/common/tls/BUILD @@ -26,8 +26,8 @@ envoy_cc_test( # TODO(mattklein123): We should consolidate all of our test certs in a single place as # right now we have a bunch of duplication which is confusing. "//test/config/integration/certs", - "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/ocsp/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = ["ssl"], deps = [ 
@@ -45,13 +45,13 @@ envoy_cc_test( "//source/common/stats:isolated_store_lib", "//source/common/stats:stats_lib", "//source/common/stream_info:stream_info_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", - "//source/extensions/transport_sockets/tls:utility_lib", - "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib", - "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator", - "//test/extensions/transport_sockets/tls/test_data:cert_infos", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//source/common/tls:ssl_socket_lib", + "//source/common/tls:utility_lib", + "//source/common/tls/private_key:private_key_manager_lib", + "//test/common/tls/cert_validator:timed_cert_validator", + "//test/common/tls/test_data:cert_infos", "//test/mocks/buffer:buffer_mocks", "//test/mocks/init:init_mocks", "//test/mocks/local_info:local_info_mocks", @@ -79,8 +79,8 @@ envoy_cc_test( "context_impl_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/ocsp/test_data:certs", + "//test/common/tls/test_data:certs", ], deps = [ "ssl_certs_test_lib", @@ -89,9 +89,9 @@ envoy_cc_test( "//source/common/json:json_loader_lib", "//source/common/stats:isolated_store_lib", "//source/common/stats:stats_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//test/extensions/transport_sockets/tls/test_data:cert_infos", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//test/common/tls/test_data:cert_infos", "//test/mocks/init:init_mocks", "//test/mocks/local_info:local_info_mocks", "//test/mocks/runtime:runtime_mocks", 
@@ -112,7 +112,7 @@ envoy_cc_test( external_deps = ["ssl"], deps = [ ":ssl_test_utils", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:ssl_socket_lib", "//test/mocks/network:io_handle_mocks", ], ) @@ -123,13 +123,13 @@ envoy_cc_test( "utility_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = ["ssl"], deps = [ ":ssl_test_utils", - "//source/extensions/transport_sockets/tls:utility_lib", - "//test/extensions/transport_sockets/tls/test_data:cert_infos", + "//source/common/tls:utility_lib", + "//test/common/tls/test_data:cert_infos", "//test/test_common:environment_lib", "//test/test_common:simulated_time_system_lib", ], @@ -141,7 +141,7 @@ envoy_cc_test_library( "ssl_test_utility.h", ], deps = [ - "//source/extensions/transport_sockets/tls:utility_lib", + "//source/common/tls:utility_lib", "//test/test_common:environment_lib", ], ) @@ -171,14 +171,14 @@ envoy_cc_test( name = "handshaker_test", srcs = ["handshaker_test.cc"], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = ["ssl"], deps = [ ":ssl_socket_test", ":ssl_test_utils", "//source/common/stream_info:stream_info_lib", - "//source/extensions/transport_sockets/tls:ssl_handshaker_lib", + "//source/common/tls:ssl_handshaker_lib", "//test/mocks/buffer:buffer_mocks", "//test/mocks/network:network_mocks", "//test/mocks/runtime:runtime_mocks", 
@@ -193,10 +193,10 @@ envoy_cc_test( srcs = ["handshaker_factory_test.cc"], deps = [ "//source/common/stream_info:stream_info_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//source/extensions/transport_sockets/tls:ssl_handshaker_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//source/common/tls:ssl_handshaker_lib", + "//source/common/tls:ssl_socket_lib", "//source/server:process_context_lib", "//test/mocks/buffer:buffer_mocks", "//test/mocks/network:network_mocks", @@ -214,7 +214,7 @@ envoy_cc_benchmark_binary( name = "tls_throughput_benchmark", srcs = ["tls_throughput_benchmark.cc"], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = [ "benchmark", diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/common/tls/cert_validator/BUILD similarity index 72% rename from test/extensions/transport_sockets/tls/cert_validator/BUILD rename to test/common/tls/cert_validator/BUILD index 0a6f835d2c9d..f0b243a980d3 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/test/common/tls/cert_validator/BUILD @@ -15,12 +15,12 @@ envoy_cc_test( "default_validator_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], deps = [ - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", - "//test/extensions/transport_sockets/tls:ssl_test_utils", - "//test/extensions/transport_sockets/tls/cert_validator:test_common", + "//source/common/tls/cert_validator:cert_validator_lib", + "//test/common/tls:ssl_test_utils", + "//test/common/tls/cert_validator:test_common", "//test/test_common:environment_lib", "//test/test_common:test_runtime_lib", ], 
@@ -32,8 +32,8 @@ envoy_cc_test(
"factory_test.cc",
],
deps = [
- "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
- "//test/extensions/transport_sockets/tls/cert_validator:test_common",
+ "//source/common/tls/cert_validator:cert_validator_lib",
+ "//test/common/tls/cert_validator:test_common",
],
)
@@ -55,7 +55,7 @@ envoy_cc_test(
],
deps = [
"//source/common/protobuf:utility_lib",
- "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+ "//source/common/tls/cert_validator:cert_validator_lib",
"//test/test_common:utility_lib",
"@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
],
@@ -73,8 +73,8 @@ envoy_cc_test(
"default_validator_integration_test.cc",
],
data = [
+ "//test/common/tls/test_data:certs",
"//test/config/integration/certs",
- "//test/extensions/transport_sockets/tls/test_data:certs",
],
deps = [
":default_validator_integration_test_lib",
@@ -91,6 +91,6 @@ envoy_cc_test_library(
"timed_cert_validator.h",
],
deps = [
- "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+ "//source/common/tls/cert_validator:cert_validator_lib",
],
)
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.cc b/test/common/tls/cert_validator/default_validator_integration_test.cc
similarity index 99%
rename from test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.cc
rename to test/common/tls/cert_validator/default_validator_integration_test.cc
index 3e9717b0391d..a76e87ed04fd 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.cc
+++ b/test/common/tls/cert_validator/default_validator_integration_test.cc
@@ -2,7 +2,7 @@
#include
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
+#include "source/common/tls/context_manager_impl.h"
#include "test/integration/integration.h"
#include "test/test_common/test_runtime.h"
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.h b/test/common/tls/cert_validator/default_validator_integration_test.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.h
rename to test/common/tls/cert_validator/default_validator_integration_test.h
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc b/test/common/tls/cert_validator/default_validator_test.cc
similarity index 84%
rename from test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc
rename to test/common/tls/cert_validator/default_validator_test.cc
index 707a9f15af50..0fa44d2d6053 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc
+++ b/test/common/tls/cert_validator/default_validator_test.cc
@@ -1,11 +1,11 @@
#include
#include

-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h"
+#include "source/common/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/san_matcher.h"

-#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h"
-#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
+#include "test/common/tls/cert_validator/test_common.h"
+#include "test/common/tls/ssl_test_utility.h"
#include "test/test_common/environment.h"
#include "test/test_common/test_runtime.h"
#include "test/test_common/utility.h"
@@ -26,16 +26,16 @@ using X509StorePtr = CSmartPtr;
using SSLContextPtr = CSmartPtr;

TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameDNSMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"));
std::vector verify_subject_alt_name_list = {"server1.example.com",
"server2.example.com"};
EXPECT_TRUE(DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list));
}

TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDNSMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw"));
std::vector subject_alt_name_matchers;
@@ -45,8 +45,8 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDNSMatched) {
}

TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameIncorrectTypeMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw"));
std::vector subject_alt_name_matchers;
@@ -56,9 +56,9 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameIncorrectTypeMatched) {
}

TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameWildcardDNSMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/san_multiple_dns_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.set_exact("api.example.com");
std::vector subject_alt_name_matchers;
@@ -69,9 +69,9 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameWildcardDNSMatched) {

TEST(DefaultCertValidatorTest, TestMultiLevelMatch) {
// san_multiple_dns_cert matches *.example.com
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/san_multiple_dns_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.set_exact("foo.api.example.com");
std::vector subject_alt_name_matchers;
@@ -81,25 +81,25 @@ TEST(DefaultCertValidatorTest, TestMultiLevelMatch) {
}

TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameURIMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem"));
std::vector verify_subject_alt_name_list = {"spiffe://lyft.com/fake-team",
"spiffe://lyft.com/test-team"};
EXPECT_TRUE(DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list));
}

TEST(DefaultCertValidatorTest, TestVerifySubjectAltMultiDomain) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/san_multiple_dns_cert.pem"));
std::vector verify_subject_alt_name_list = {"https://a.www.example.com"};
EXPECT_FALSE(
DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list));
}

TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameURIMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw(spiffe://lyft.com/[^/]*-team)raw"));
std::vector subject_alt_name_matchers;
@@ -109,16 +109,16 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameURIMatched) {
}

TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameNotMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"));
std::vector verify_subject_alt_name_list = {"foo", "bar"};
EXPECT_FALSE(
DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list));
}

TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameNotMatched) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example\.net)raw"));
std::vector subject_alt_name_matchers;
@@ -142,8 +142,8 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithSANMatcher) {
/*CertificateValidationContextConfig=*/nullptr, stats,
Event::GlobalTimeSystem().timeSystem());

- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw"));
std::vector san_matchers;
@@ -210,8 +210,8 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithEmptyCertChain) {
}

TEST(DefaultCertValidatorTest, NoSanInCert) {
- bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"));
+ bssl::UniquePtr cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem"));
envoy::type::matcher::v3::StringMatcher matcher;
matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example\.net)raw"));
std::vector subject_alt_name_matchers;
@@ -227,20 +227,20 @@ TEST(DefaultCertValidatorTest, WithVerifyDepth) {
envoy::config::core::v3::TypedExtensionConfig typed_conf;
std::vector san_matchers{};

- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/test_long_cert_chain.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/test_long_cert_chain.pem"));
bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/test_random_cert.pem"));
- bssl::UniquePtr ca_cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/test_random_cert.pem"));
+ bssl::UniquePtr ca_cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"));

// Create the default validator object.
// Config includes ca_cert and the verify-depth.
// Set verify depth < 3, so verification fails. ( There are 3 intermediate certs )
- std::string ca_cert_str(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+ std::string ca_cert_str(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"));
TestCertificateValidationContextConfigPtr test_config =
std::make_unique(typed_conf, false, san_matchers, ca_cert_str, 2);
diff --git a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc b/test/common/tls/cert_validator/factory_test.cc
similarity index 83%
rename from test/extensions/transport_sockets/tls/cert_validator/factory_test.cc
rename to test/common/tls/cert_validator/factory_test.cc
index 94cf5e7063fa..de8d34a562c8 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc
+++ b/test/common/tls/cert_validator/factory_test.cc
@@ -1,8 +1,8 @@
#include

-#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
+#include "source/common/tls/cert_validator/factory.h"

-#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h"
+#include "test/common/tls/cert_validator/test_common.h"

#include "gtest/gtest.h"
diff --git a/test/extensions/transport_sockets/tls/cert_validator/san_matcher_test.cc b/test/common/tls/cert_validator/san_matcher_test.cc
similarity index 97%
rename from test/extensions/transport_sockets/tls/cert_validator/san_matcher_test.cc
rename to test/common/tls/cert_validator/san_matcher_test.cc
index 860281aba8c9..11f67e467119 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/san_matcher_test.cc
+++ b/test/common/tls/cert_validator/san_matcher_test.cc
@@ -2,7 +2,7 @@
#include "source/common/protobuf/message_validator_impl.h"
#include "source/common/protobuf/utility.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h"
+#include "source/common/tls/cert_validator/san_matcher.h"

#include "test/test_common/utility.h"
diff --git a/test/extensions/transport_sockets/tls/cert_validator/test_common.h b/test/common/tls/cert_validator/test_common.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/cert_validator/test_common.h
rename to test/common/tls/cert_validator/test_common.h
diff --git a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.cc b/test/common/tls/cert_validator/timed_cert_validator.cc
similarity index 97%
rename from test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.cc
rename to test/common/tls/cert_validator/timed_cert_validator.cc
index 4f3f73420f4a..3e8afa59300e 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.cc
+++ b/test/common/tls/cert_validator/timed_cert_validator.cc
@@ -1,4 +1,4 @@
-#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h"
+#include "test/common/tls/cert_validator/timed_cert_validator.h"

#include
diff --git a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h b/test/common/tls/cert_validator/timed_cert_validator.h
similarity index 95%
rename from test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h
rename to test/common/tls/cert_validator/timed_cert_validator.h
index f6074e81b61a..45a57fc5eda2 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h
+++ b/test/common/tls/cert_validator/timed_cert_validator.h
@@ -5,8 +5,8 @@
#include
#include

-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
+#include "source/common/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/factory.h"

namespace Envoy {
namespace Extensions {
diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/common/tls/context_impl_test.cc
similarity index 79%
rename from test/extensions/transport_sockets/tls/context_impl_test.cc
rename to test/common/tls/context_impl_test.cc
index 11a441051229..dadbae2c6f7b 100644
--- a/test/extensions/transport_sockets/tls/context_impl_test.cc
+++ b/test/common/tls/context_impl_test.cc
@@ -10,16 +10,16 @@
#include "source/common/json/json_loader.h"
#include "source/common/secret/sds_api.h"
#include "source/common/stats/isolated_store_impl.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/context_impl.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
-
-#include "test/extensions/transport_sockets/tls/ssl_certs_test.h"
-#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
-#include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/context_impl.h"
+#include "source/common/tls/utility.h"
+
+#include "test/common/tls/ssl_certs_test.h"
+#include "test/common/tls/ssl_test_utility.h"
+#include "test/common/tls/test_data/no_san_cert_info.h"
+#include "test/common/tls/test_data/san_dns3_cert_info.h"
+#include "test/common/tls/test_data/san_ip_cert_info.h"
+#include "test/common/tls/test_data/unittest_cert_info.h"
#include "test/mocks/init/mocks.h"
#include "test/mocks/local_info/mocks.h"
#include "test/mocks/secret/mocks.h"
@@ -112,8 +112,8 @@ class SslContextImplTest : public SslCertsTest {
}};
}

void loadConfig(ServerContextConfigImpl& cfg) {
- Envoy::Ssl::ServerContextSharedPtr server_ctx(
- manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{}));
+ Envoy::Ssl::ServerContextSharedPtr server_ctx(manager_.createSslServerContext(
+ *store_.rootScope(), cfg, std::vector{}, nullptr));
auto cleanup = cleanUpHelper(server_ctx);
}
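Review bot: The new trailing `nullptr` argument passed to `manager_.createSslServerContext(...)` in `loadConfig` is a bare positional literal, so a reader of this test cannot tell which parameter it fills or why null is acceptable there. This file's sibling default_validator_test.cc already labels such arguments (`/*CertificateValidationContextConfig=*/nullptr`), so the consistent form would be `/*<parameter-name>=*/nullptr`, with the name taken from the `createSslServerContext` declaration, which is not visible in this diff. The same applies to the two call sites in the `@@ -613,21 +613,22 @@` hunk of this file (`MustHaveSubjectOrSAN` and `SslServerContextImplOcspTest::loadConfig`). The enclosing class `SslContextImplTest` begins outside this hunk.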
@@ -144,9 +144,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
)EOF";

envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -167,9 +167,9 @@ TEST_F(SslContextImplTest, TestExpiredCert) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_key.pem"
)EOF";

envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -188,9 +188,9 @@ TEST_F(SslContextImplTest, TestContextUpdate) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_key.pem"
)EOF";

// Validate that daysUntilFirstCertExpires returns correctly when single context is available.
@@ -205,9 +205,9 @@ TEST_F(SslContextImplTest, TestContextUpdate) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
)EOF";

envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext expiring_context;
@@ -242,12 +242,12 @@ TEST_F(SslContextImplTest, TestGetCertInformation) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
validation_context:
trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem"
)EOF";

envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -265,7 +265,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) {
// serial number with
// every build. For cert_chain output, we check only for the certificate path.
std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem",
"serial_number": ")EOF",
TEST_NO_SAN_CERT_SERIAL, R"EOF(",
"subject_alt_names": [],
@@ -273,7 +273,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) {
)EOF");

std::string cert_chain_json = R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem",
}
)EOF";
@@ -295,12 +295,12 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithSAN) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem"
validation_context:
trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem"
)EOF";

envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -311,7 +311,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithSAN) {
manager_.createSslClientContext(*store_.rootScope(), cfg));
auto cleanup = cleanUpHelper(context);
std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem",
"serial_number": ")EOF",
TEST_SAN_DNS3_CERT_SERIAL, R"EOF(",
"subject_alt_names": [
@@ -323,7 +323,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithSAN) {
)EOF");

std::string cert_chain_json = R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem",
}
)EOF";
@@ -351,12 +351,12 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithIPSAN) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_chain.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_key.pem"
validation_context:
trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem"
)EOF";

envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -367,7 +367,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithIPSAN) {
manager_.createSslClientContext(*store_.rootScope(), cfg));
auto cleanup = cleanUpHelper(context);
std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem",
"serial_number": ")EOF",
TEST_SAN_IP_CERT_SERIAL, R"EOF(",
"subject_alt_names": [
@@ -379,7 +379,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithIPSAN) {
)EOF");

std::string cert_chain_json = R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_ip_chain.pem",
}
)EOF";
@@ -411,12 +411,12 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithExpiration) {
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem"
validation_context:
trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem"
)EOF";

envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -429,7 +429,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithExpiration) {
std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem",
"serial_number": ")EOF",
TEST_SAN_DNS3_CERT_SERIAL, R"EOF(",
"subject_alt_names": [
@@ -470,13 +470,13 @@ TEST_F(SslContextImplTest, DuplicateRsaCertSameExactDNSSan) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned2_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned2_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -490,13 +490,13 @@ TEST_F(SslContextImplTest, DuplicateRsaCertSameWildcardDNSSan) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem"
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -510,13 +510,13 @@ TEST_F(SslContextImplTest, AcceptableMultipleRsaCerts) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem"
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -530,13 +530,13 @@ TEST_F(SslContextImplTest, DuplicateEcdsaCert) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem"
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned2_ecdsa_p256_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -550,13 +550,13 @@ TEST_F(SslContextImplTest, AcceptableMultipleEcdsaCerts) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem"
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -573,9 +573,9 @@ TEST_F(SslContextImplTest, CertDuplicatedSansAndCN) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -593,13 +593,13 @@ TEST_F(SslContextImplTest, MultipleCertsSansAndCN) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cn_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cn_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cn_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_wildcard_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_wildcard_dns_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); ServerContextConfigImpl server_context_config(tls_context, factory_context_); 
@@ -613,21 +613,22 @@ TEST_F(SslContextImplTest, MustHaveSubjectOrSAN) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_subject_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_subject_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_subject_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_subject_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); ServerContextConfigImpl server_context_config(tls_context, factory_context_); EXPECT_THROW_WITH_REGEX( - manager_.createSslServerContext(*store_.rootScope(), server_context_config, {}), + manager_.createSslServerContext(*store_.rootScope(), server_context_config, {}, nullptr), EnvoyException, "has neither subject CN nor SAN names"); } class SslServerContextImplOcspTest : public SslContextImplTest { public: Envoy::Ssl::ServerContextSharedPtr loadConfig(ServerContextConfigImpl& cfg) { - return manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{}); + return manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{}, + nullptr); } Envoy::Ssl::ServerContextSharedPtr loadConfigYaml(const std::string& yaml) { 
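Review bot: The new fourth argument to `manager_.createSslServerContext(...)` is passed as a bare `nullptr` at three call sites (the `EXPECT_THROW_WITH_REGEX` in MustHaveSubjectOrSAN, `SslServerContextImplOcspTest::loadConfig` here, and `SslServerContextImplTicketTest::loadConfig` in the hunk at `@@ -826,8 +827,8 @@`), and nothing at the call site says which parameter is being left unset. Because this is the factory that builds the server TLS context, a reader auditing what these tests exercise has to open the ContextManager signature to learn that the null presumably leaves an optional post-construction hook unset; naming it inline, e.g. `manager_.createSslServerContext(*store_.rootScope(), server_context_config, {}, /*additional_init=*/nullptr)` with whatever the parameter is actually called, makes that explicit at every site. The empty server-names list is also spelled two ways in the same hunk (`{}` in the expectation, `std::vector{}` in the helper; the template argument is not visible as rendered), and picking one form would keep the helper and the inline call consistent. `loadConfigYaml` at the end of this hunk continues outside it.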
@@ -643,11 +644,11 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; auto context = loadConfigYaml(tls_context_yaml); @@ -656,15 +657,15 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) { TEST_F(SslServerContextImplOcspTest, TestInlineBytesOcspStapleConfigLoads) { auto der_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der")); + "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der")); auto base64_response = Base64::encode(der_response.c_str(), der_response.length(), true); const std::string tls_context_yaml = fmt::format(R"EOF( common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple 
@@ -680,9 +681,9 @@ TEST_F(SslServerContextImplOcspTest, TestInlineStringOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_string: "abcd" ocsp_staple_policy: must_staple @@ -697,11 +698,11 @@ TEST_F(SslServerContextImplOcspTest, TestMismatchedOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -714,9 +715,9 @@ TEST_F(SslServerContextImplOcspTest, TestStaplingRequiredWithoutStapleConfigFail common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: must_staple )EOF"; 
@@ -738,9 +739,9 @@ TEST_F(SslServerContextImplOcspTest, TestUnsuccessfulOcspResponseConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple @@ -756,9 +757,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleConfigFails) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; @@ -771,11 +772,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; 
@@ -786,11 +787,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { constexpr absl::string_view this_update = "This Update: "; constexpr absl::string_view next_update = "Next Update: "; - auto ocsp_text_details = absl::StrSplit( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt")), - '\n'); + auto ocsp_text_details = + absl::StrSplit(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/common/tls/ocsp/test_data/good_ocsp_resp_details.txt")), + '\n'); std::string valid_from, expiration; for (const auto& detail : ocsp_text_details) { std::string::size_type pos = detail.find(this_update); @@ -826,8 +827,8 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { class SslServerContextImplTicketTest : public SslContextImplTest { public: void loadConfig(ServerContextConfigImpl& cfg) { - Envoy::Ssl::ServerContextSharedPtr server_ctx( - manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{})); + Envoy::Ssl::ServerContextSharedPtr server_ctx(manager_.createSslServerContext( + *store_.rootScope(), cfg, std::vector{}, nullptr)); auto cleanup = cleanUpHelper(server_ctx); } 
@@ -836,9 +837,9 @@ class SslServerContextImplTicketTest : public SslContextImplTest { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); + "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem")); ServerContextConfigImpl server_context_config(cfg, factory_context_); loadConfig(server_context_config); @@ -858,13 +859,13 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" )EOF"; EXPECT_NO_THROW(loadConfigYaml(yaml)); } 
@@ -875,13 +876,13 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_wrong_len" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_wrong_len" )EOF"; EXPECT_THROW(loadConfigYaml(yaml), EnvoyException); } @@ -891,12 +892,12 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidCannotRead) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/this_file_does_not_exist" + filename: "{{ test_rundir }}/test/common/tls/test_data/this_file_does_not_exist" )EOF"; EXPECT_THROW(loadConfigYaml(yaml), std::exception); } 
@@ -947,9 +948,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySdsNotReady) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem")); + "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem")); NiceMock local_info; NiceMock dispatcher; @@ -984,8 +985,8 @@ TEST_F(SslServerContextImplTicketTest, StaticTickeyKey) { name: "abc.com" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); 
@@ -995,9 +996,9 @@ name: "abc.com" envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem")); + "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem")); tls_context.mutable_session_ticket_keys_sds_secret_config()->set_name("abc.com"); @@ -1012,14 +1013,14 @@ TEST_F(SslServerContextImplTicketTest, CRLSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; EXPECT_NO_THROW(loadConfigYaml(yaml)); } 
@@ -1029,14 +1030,14 @@ TEST_F(SslServerContextImplTicketTest, CRLInvalid) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/not_a_crl.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/not_a_crl.crl" )EOF"; EXPECT_THROW_WITH_REGEX(loadConfigYaml(yaml), EnvoyException, "^Failed to load CRL from .*/not_a_crl.crl$"); @@ -1047,12 +1048,12 @@ TEST_F(SslServerContextImplTicketTest, CRLWithNoCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/not_a_crl.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/not_a_crl.crl" )EOF"; EXPECT_THROW_WITH_REGEX(loadConfigYaml(yaml), EnvoyException, "^Failed to load CRL from .* without trusted CA$"); 
@@ -1063,9 +1064,9 @@ TEST_F(SslServerContextImplTicketTest, VerifySanWithNoCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: match_typed_subject_alt_names: - san_type: URI @@ -1083,9 +1084,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1099,9 +1100,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); 
@@ -1116,9 +1117,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1133,12 +1134,12 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); 
@@ -1211,9 +1212,9 @@ TEST_F(ClientContextConfigImplTest, RSA2048Cert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); @@ -1228,9 +1229,9 @@ TEST_F(ClientContextConfigImplTest, RSA1024Cert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_1024_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_1024_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); 
@@ -1255,7 +1256,7 @@ TEST_F(ClientContextConfigImplTest, RSA1024Pkcs12) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( pkcs12: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_certkey.p12" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_1024_certkey.p12" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); @@ -1280,9 +1281,9 @@ TEST_F(ClientContextConfigImplTest, RSA3072Cert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_3072_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_3072_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); 
@@ -1299,9 +1300,9 @@ TEST_F(ClientContextConfigImplTest, RSA4096Cert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_4096_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_4096_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); @@ -1316,9 +1317,9 @@ TEST_F(ClientContextConfigImplTest, P256EcdsaCert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); 
@@ -1333,9 +1334,9 @@ TEST_F(ClientContextConfigImplTest, NonP256EcdsaCert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p384_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p384_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); @@ -1352,7 +1353,7 @@ TEST_F(ClientContextConfigImplTest, NonP256EcdsaPkcs12) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( pkcs12: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_certkey.p12" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p384_certkey.p12" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); 
@@ -1370,9 +1371,9 @@ TEST_F(ClientContextConfigImplTest, MultipleTlsCertificates) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); @@ -1389,9 +1390,9 @@ TEST_F(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); 
@@ -1433,9 +1434,9 @@ TEST_F(ClientContextConfigImplTest, ValidationContextNotReady) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem")); client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem")); + "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem")); NiceMock local_info; NiceMock init_manager; NiceMock dispatcher; @@ -1465,9 +1466,9 @@ TEST_F(ClientContextConfigImplTest, StaticTlsCertificates) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); 
@@ -1481,12 +1482,10 @@ name: "abc.com" EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); ClientContextConfigImpl client_context_config(tls_context, factory_context_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), client_context_config.tlsCertificates()[0].get().certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), client_context_config.tlsCertificates()[0].get().privateKey()); } 
@@ -1498,15 +1497,15 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedTlsCertificates) { secret_config.set_name("abc.com"); auto* tls_certificate = secret_config.mutable_tls_certificate(); - tls_certificate->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem")); - tls_certificate->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem")); - tls_certificate->mutable_password()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); + tls_certificate->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_cert.pem")); + tls_certificate->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_key.pem")); + tls_certificate->mutable_password()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; tls_context.mutable_common_tls_context() 
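Review bot: The `"{{ test_rundir " "}}/test/common/tls/test_data/..."` literal splits in this hunk are kept even though the only reason for them was the old, longer `test/extensions/transport_sockets/tls/` prefix; the same applies to the hunks at `@@ -786,11 +787,11 @@`, `@@ -1517,19 +1516,16 @@`, `@@ -1541,12 +1537,12 @@` and `@@ -1557,14 +1553,12 @@`. The hunk at `@@ -1481,12 +1482,10 @@` shows the author already re-joined `cert_pem` and `key_pem` into single literals once they fit, so leaving these split is inconsistent within the commit, and a split literal also defeats grepping for the full test-data path. Each of these likely fits as one literal on the continuation line, e.g. `tls_certificate->mutable_password()->set_filename(TestEnvironment::substitute(` followed by `    "{{ test_rundir }}/test/common/tls/test_data/password_protected_password.txt"));`, which is the shape the removed lines had. The test body continues outside this hunk.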
@@ -1517,19 +1516,16 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedTlsCertificates) { EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); ClientContextConfigImpl client_context_config(tls_context, factory_context_); - const std::string cert_pem = - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem"; + const std::string cert_pem = "{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), client_context_config.tlsCertificates()[0].get().certificateChain()); - const std::string key_pem = - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem"; + const std::string key_pem = "{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), client_context_config.tlsCertificates()[0].get().privateKey()); - const std::string password_file = - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"; + const std::string password_file = "{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(password_file)), client_context_config.tlsCertificates()[0].get().password()); } 
@@ -1541,12 +1537,12 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedPkcs12) {
 secret_config.set_name("abc.com");
 auto* tls_certificate = secret_config.mutable_tls_certificate();
- tls_certificate->mutable_pkcs12()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12"));
- tls_certificate->mutable_password()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"));
+ tls_certificate->mutable_pkcs12()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12"));
+ tls_certificate->mutable_password()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_password.txt"));
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
 tls_context.mutable_common_tls_context()
@@ -1557,14 +1553,12 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedPkcs12) {
 EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok());
 ClientContextConfigImpl client_context_config(tls_context, factory_context_);
- const std::string cert_p12 =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12";
+ const std::string cert_p12 = "{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12";
 EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_p12)), client_context_config.tlsCertificates()[0].get().pkcs12());
- const std::string password_file =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt";
+ const std::string password_file = "{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_password.txt";
 EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(password_file)), client_context_config.tlsCertificates()[0].get().password());
 }
@@ -1576,9 +1570,9 @@ TEST_F(ClientContextConfigImplTest, PasswordWrongPkcs12) {
 secret_config.set_name("abc.com");
 auto* tls_certificate = secret_config.mutable_tls_certificate();
- const std::string pkcs12_path = TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12");
+ const std::string pkcs12_path =
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12");
 tls_certificate->mutable_pkcs12()->set_filename(pkcs12_path);
 tls_certificate->mutable_password()->set_inline_string("WrongPassword");
@@ -1604,9 +1598,9 @@ TEST_F(ClientContextConfigImplTest, PasswordNotSuppliedPkcs12) {
 secret_config.set_name("abc.com");
 auto* tls_certificate = secret_config.mutable_tls_certificate();
- const std::string pkcs12_path = TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12");
+ const std::string pkcs12_path =
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12");
 tls_certificate->mutable_pkcs12()->set_filename(pkcs12_path);
 // Don't supply the password.
@@ -1632,12 +1626,12 @@ TEST_F(ClientContextConfigImplTest, PasswordNotSuppliedTlsCertificates) {
 secret_config.set_name("abc.com");
 auto* tls_certificate = secret_config.mutable_tls_certificate();
- tls_certificate->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem"));
- const std::string private_key_path = TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem");
+ tls_certificate->mutable_certificate_chain()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_cert.pem"));
+ const std::string private_key_path =
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_key.pem");
 tls_certificate->mutable_private_key()->set_filename(private_key_path);
 // Don't supply the password.
@@ -1664,9 +1658,9 @@ TEST_F(ClientContextConfigImplTest, StaticCertificateValidationContext) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), tls_certificate_secret_config); @@ -1676,7 +1670,7 @@ TEST_F(ClientContextConfigImplTest, StaticCertificateValidationContext) { const std::string certificate_validation_context_yaml = R"EOF( name: "def.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(certificate_validation_context_yaml), @@ -1695,8 +1689,7 @@ TEST_F(ClientContextConfigImplTest, StaticCertificateValidationContext) { ->set_name("def.com"); ClientContextConfigImpl client_context_config(tls_context, factory_context_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), client_context_config.certificateValidationContext()->caCert()); } 
@@ -1710,9 +1703,9 @@ TEST_F(ClientContextConfigImplTest, MissingStaticSecretTlsCertificates) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); @@ -1738,9 +1731,9 @@ TEST_F(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), tls_certificate_secret_config); @@ -1750,7 +1743,7 @@ TEST_F(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) { const std::string certificate_validation_context_yaml = R"EOF( name: "def.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(certificate_validation_context_yaml), 
@@ -1782,15 +1775,15 @@ TEST_F(ServerContextConfigImplTest, MultipleTlsCertificates) { "No TLS certificates found for server context"); const std::string rsa_tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; const std::string ecdsa_tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(rsa_tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); @@ -1810,9 +1803,9 @@ TEST_F(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { "No TLS certificates found for server context"); const std::string tls_certificate_yaml = R"EOF( certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); 
@@ -1874,9 +1867,9 @@ TEST_F(ServerContextConfigImplTest, ValidationContextNotReady) {
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates();
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"));
 NiceMock local_info;
 NiceMock init_manager;
 NiceMock dispatcher;
@@ -1908,7 +1901,7 @@ TEST_F(ServerContextConfigImplTest, TlsCertificateNonEmpty) {
 Stats::IsolatedStoreImpl store;
 EXPECT_THROW_WITH_MESSAGE( Envoy::Ssl::ServerContextSharedPtr server_ctx(manager.createSslServerContext(
- *store.rootScope(), client_context_config, std::vector{})),
+ *store.rootScope(), client_context_config, std::vector{}, nullptr)),
 EnvoyException, "Server TlsCertificates must have a certificate specified");
 }
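Review bot: The new trailing `nullptr` argument to `createSslServerContext` in the TlsCertificateNonEmpty hunk gives the reader no hint of what is being left unset, so every call site now needs the declaration open to be understood. The same bare literal is added in the PrivateKeyMethodLoadFailureNoMethod hunk, in the ServerHandshakerProvidesCertificates hunk of handshaker_factory_test.cc, and in the `TestContextImpl` constructor; presumably all of these pass the `additional_init` hook named by the TODO in the later hunk, but that is inferred from the name only. An inline parameter-name comment makes the intent explicit at each site, e.g. `*store.rootScope(), client_context_config, std::vector{}, /*<parameter name>=*/nullptr)),` with the real name taken from the declaration. The enclosing TEST_F body starts outside the hunk.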
@@ -1928,10 +1921,10 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem")); server_validation_ctx->set_allow_expired_certificate(false); @@ -1944,8 +1937,8 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { "Certificate validity period is always ignored without trusted CA"); // But once you add a trusted CA, you should be able to create the context. - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, factory_context_)); } @@ -1961,7 +1954,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProvider) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: mock_provider typed_config: 
@@ -1986,7 +1979,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProviderFallbac common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: mock_provider typed_config: @@ -2021,7 +2014,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoMethod) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: mock_provider typed_config: @@ -2033,7 +2026,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoMethod) { ServerContextConfigImpl server_context_config(tls_context, factory_context_); EXPECT_THROW_WITH_MESSAGE( Envoy::Ssl::ServerContextSharedPtr server_ctx(manager.createSslServerContext( - *store.rootScope(), server_context_config, std::vector{})), + *store.rootScope(), server_context_config, std::vector{}, nullptr)), EnvoyException, "Failed to get BoringSSL private key method from provider"); } @@ -2053,7 +2046,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: mock_provider typed_config: 
@@ -2081,9 +2074,9 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodFallback) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" private_key_provider: provider_name: mock_provider typed_config: @@ -2109,11 +2102,11 @@ TEST_F(ServerContextConfigImplTest, DeprecatedSanMatcher) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true match_typed_subject_alt_names: - san_type: DNS @@ -2155,7 +2148,7 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndMethod) { common_tls_context: tls_certificates: - pkcs12: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_certkeychain.p12" private_key_provider: provider_name: mock_provider typed_config: 
@@ -2175,9 +2168,9 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndKey) { common_tls_context: tls_certificates: - pkcs12: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_certkeychain.p12" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); EXPECT_THROW_WITH_MESSAGE( @@ -2191,9 +2184,9 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndCertChain) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" pkcs12: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_certkeychain.p12" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); EXPECT_THROW_WITH_MESSAGE( 
@@ -2201,13 +2194,15 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndCertChain) { "Certificate configuration can't have both pkcs12 and certificate_chain"); } +// TODO: test throw from additional_init + // Subclass ContextImpl so we can instantiate directly from tests, despite the // constructor being protected. class TestContextImpl : public ContextImpl { public: TestContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, TimeSource& time_source) - : ContextImpl(scope, config, time_source), pool_(scope.symbolTable()), + : ContextImpl(scope, config, time_source, nullptr), pool_(scope.symbolTable()), fallback_(pool_.add("fallback")) {} void incCounter(absl::string_view name, absl::string_view value) { @@ -2236,9 +2231,9 @@ class SslContextStatsTest : public SslContextImplTest { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; }; diff --git a/test/extensions/transport_sockets/tls/handshaker_factory_test.cc b/test/common/tls/handshaker_factory_test.cc similarity index 97% rename from test/extensions/transport_sockets/tls/handshaker_factory_test.cc rename to test/common/tls/handshaker_factory_test.cc index 64b5e9d0f05d..f60113708590 100644 --- a/test/extensions/transport_sockets/tls/handshaker_factory_test.cc +++ b/test/common/tls/handshaker_factory_test.cc 
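Review bot: The added `// TODO: test throw from additional_init` has no owner or tracking reference, so nothing will route it to anyone; the repository convention is `// TODO(<owner>): test throw from additional_init`, ideally with an issue link. The comment also records a real gap: the failure path of the new initialization hook is what it asks to cover, and `TestContextImpl` hardwires `nullptr` for that constructor argument, so no test built on this fixture can exercise the hook or how an exception from it propagates out of context construction. Giving the fixture an optional hook parameter defaulting to `nullptr` would keep existing callers unchanged and let the follow-up the TODO describes land without further fixture surgery.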
@@ -5,10 +5,10 @@
 #include "envoy/ssl/handshaker.h"
 #include "source/common/stream_info/stream_info_impl.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_handshaker.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/context_manager_impl.h"
+#include "source/common/tls/ssl_handshaker.h"
+#include "source/common/tls/ssl_socket.h"
 #include "source/server/process_context_impl.h"
 #include "test/mocks/network/connection.h"
@@ -296,7 +296,7 @@ TEST_F(HandshakerFactoryDownstreamTest, ServerHandshakerProvidesCertificates) {
 tls_context_, mock_factory_ctx);
 EXPECT_TRUE(server_context_config.isReady());
 EXPECT_NO_THROW(context_manager_->createSslServerContext(
- *stats_store_.rootScope(), server_context_config, std::vector{}));
+ *stats_store_.rootScope(), server_context_config, std::vector{}, nullptr));
 }
 } // namespace
diff --git a/test/extensions/transport_sockets/tls/handshaker_test.cc b/test/common/tls/handshaker_test.cc
similarity index 96%
rename from test/extensions/transport_sockets/tls/handshaker_test.cc
rename to test/common/tls/handshaker_test.cc
index e29304bce10a..ad8caa5bd36a 100644
--- a/test/extensions/transport_sockets/tls/handshaker_test.cc
+++ b/test/common/tls/handshaker_test.cc
@@ -4,9 +4,9 @@
 #include "envoy/ssl/handshaker.h"
 #include "source/common/stream_info/stream_info_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_handshaker.h"
+#include "source/common/tls/ssl_handshaker.h"
-#include "test/extensions/transport_sockets/tls/ssl_certs_test.h"
+#include "test/common/tls/ssl_certs_test.h"
 #include "test/mocks/network/connection.h"
 #include "gmock/gmock.h"
@@ -84,7 +84,7 @@ class HandshakerTest : public SslCertsTest {
 // Read in key.pem and return a new private key.
 bssl::UniquePtr makeKey() {
 std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"));
 std::string passphrase = "";
 bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size()));
@@ -99,7 +99,7 @@ class HandshakerTest : public SslCertsTest {
 // Read in cert.pem and return a certificate.
 bssl::UniquePtr makeCert() {
 std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"));
 bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size()));
 uint8_t* data = nullptr;
diff --git a/test/extensions/transport_sockets/tls/integration/BUILD b/test/common/tls/integration/BUILD
similarity index 88%
rename from test/extensions/transport_sockets/tls/integration/BUILD
rename to test/common/tls/integration/BUILD
index 37013e4df2e4..a8dc565d34cb 100644
--- a/test/extensions/transport_sockets/tls/integration/BUILD
+++ b/test/common/tls/integration/BUILD
@@ -31,12 +31,12 @@ envoy_cc_test(
 "//source/common/event:dispatcher_lib",
 "//source/common/network:connection_lib",
 "//source/common/network:utility_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
+ "//source/common/tls:ssl_handshaker_lib",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
- "//source/extensions/transport_sockets/tls:ssl_handshaker_lib",
 "//test/common/config:dummy_config_proto_cc_proto",
- "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator",
+ "//test/common/tls/cert_validator:timed_cert_validator",
 "//test/integration:http_integration_lib",
 "//test/integration/filters:stream_info_to_headers_filter_lib",
 "//test/mocks/secret:secret_mocks",
diff --git a/test/extensions/transport_sockets/tls/integration/sni_to_header_filter.cc b/test/common/tls/integration/sni_to_header_filter.cc
similarity index 100%
rename from test/extensions/transport_sockets/tls/integration/sni_to_header_filter.cc
rename to test/common/tls/integration/sni_to_header_filter.cc
diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc b/test/common/tls/integration/ssl_integration_test.cc
similarity index 99%
rename from test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc
rename to test/common/tls/integration/ssl_integration_test.cc
index 99d0d42e3953..885494ce1f33 100644
--- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc
+++ b/test/common/tls/integration/ssl_integration_test.cc
@@ -11,14 +11,14 @@
 #include "source/common/event/dispatcher_impl.h"
 #include "source/common/network/connection_impl.h"
 #include "source/common/network/utility.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/context_impl.h"
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_handshaker.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/context_impl.h"
+#include "source/common/tls/context_manager_impl.h"
+#include "source/common/tls/ssl_handshaker.h"
+#include "source/common/tls/ssl_socket.h"
 #include "test/common/config/dummy_config.pb.h"
-#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h"
+#include "test/common/tls/cert_validator/timed_cert_validator.h"
 #include "test/integration/autonomous_upstream.h"
 #include "test/integration/integration.h"
 #include "test/integration/ssl_utility.h"
diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.h b/test/common/tls/integration/ssl_integration_test.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/integration/ssl_integration_test.h
rename to test/common/tls/integration/ssl_integration_test.h
diff --git a/test/extensions/transport_sockets/tls/io_handle_bio_test.cc b/test/common/tls/io_handle_bio_test.cc
similarity index 94%
rename from test/extensions/transport_sockets/tls/io_handle_bio_test.cc
rename to test/common/tls/io_handle_bio_test.cc
index 8c9600b7b71d..f37349051913 100644
--- a/test/extensions/transport_sockets/tls/io_handle_bio_test.cc
+++ b/test/common/tls/io_handle_bio_test.cc
@@ -1,5 +1,5 @@
 #include "source/common/network/io_socket_error_impl.h"
-#include "source/extensions/transport_sockets/tls/io_handle_bio.h"
+#include "source/common/tls/io_handle_bio.h"
 #include "test/mocks/network/io_handle.h"
diff --git a/test/extensions/transport_sockets/tls/ocsp/BUILD b/test/common/tls/ocsp/BUILD
similarity index 57%
rename from test/extensions/transport_sockets/tls/ocsp/BUILD
rename to test/common/tls/ocsp/BUILD
index 262bec36ab5c..369cdbf86d86 100644
--- a/test/extensions/transport_sockets/tls/ocsp/BUILD
+++ b/test/common/tls/ocsp/BUILD
@@ -14,15 +14,15 @@ envoy_cc_test(
 "ocsp_test.cc",
 ],
 data = [
- "//test/extensions/transport_sockets/tls/ocsp/test_data:certs",
+ "//test/common/tls/ocsp/test_data:certs",
 ],
 external_deps = ["ssl"],
 deps = [
 "//source/common/filesystem:filesystem_lib",
- "//source/extensions/transport_sockets/tls:utility_lib",
- "//source/extensions/transport_sockets/tls/ocsp:ocsp_lib",
- "//test/extensions/transport_sockets/tls:ssl_socket_test",
- "//test/extensions/transport_sockets/tls:ssl_test_utils",
+ "//source/common/tls:utility_lib",
+ "//source/common/tls/ocsp:ocsp_lib",
+ "//test/common/tls:ssl_socket_test",
+ "//test/common/tls:ssl_test_utils",
 "//test/test_common:environment_lib",
 "//test/test_common:logging_lib",
 "//test/test_common:simulated_time_system_lib",
@@ -36,7 +36,7 @@ envoy_cc_test(
 ],
 external_deps = ["ssl"],
 deps = [
- "//source/extensions/transport_sockets/tls/ocsp:asn1_utility_lib",
- "//test/extensions/transport_sockets/tls:ssl_test_utils",
+ "//source/common/tls/ocsp:asn1_utility_lib",
+ "//test/common/tls:ssl_test_utils",
 ],
 )
diff --git a/test/extensions/transport_sockets/tls/ocsp/asn1_utility_test.cc b/test/common/tls/ocsp/asn1_utility_test.cc
similarity index 99%
rename from test/extensions/transport_sockets/tls/ocsp/asn1_utility_test.cc
rename to test/common/tls/ocsp/asn1_utility_test.cc
index a26da0956948..3d3cbcaed6a7 100644
--- a/test/extensions/transport_sockets/tls/ocsp/asn1_utility_test.cc
+++ b/test/common/tls/ocsp/asn1_utility_test.cc
@@ -1,6 +1,6 @@
 #include
-#include "source/extensions/transport_sockets/tls/ocsp/asn1_utility.h"
+#include "source/common/tls/ocsp/asn1_utility.h"
 #include "test/test_common/utility.h"
diff --git a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc b/test/common/tls/ocsp/ocsp_test.cc
similarity index 96%
rename from test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc
rename to test/common/tls/ocsp/ocsp_test.cc
index fc52fd9571ce..51cc0a7aabe9 100644
--- a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc
+++ b/test/common/tls/ocsp/ocsp_test.cc
@@ -1,8 +1,8 @@
 #include "source/common/filesystem/filesystem_impl.h"
-#include "source/extensions/transport_sockets/tls/ocsp/ocsp.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/ocsp/ocsp.h"
+#include "source/common/tls/utility.h"
-#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
+#include "test/common/tls/ssl_test_utility.h"
 #include "test/test_common/environment.h"
 #include "test/test_common/logging.h"
 #include "test/test_common/simulated_time_system.h"
@@ -25,8 +25,8 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility;
 class OcspFullResponseParsingTest : public testing::Test {
 public:
 std::string fullPath(std::string filename) {
- return TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename);
+ return TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/ocsp/test_data/" +
+ filename);
 }
 std::vector readFile(std::string filename) {
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD b/test/common/tls/ocsp/test_data/BUILD
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/BUILD
rename to test/common/tls/ocsp/test_data/BUILD
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/README.md b/test/common/tls/ocsp/test_data/README.md
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/README.md
rename to test/common/tls/ocsp/test_data/README.md
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem b/test/common/tls/ocsp/test_data/ca_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem
rename to test/common/tls/ocsp/test_data/ca_cert.pem
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem b/test/common/tls/ocsp/test_data/ca_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem
rename to test/common/tls/ocsp/test_data/ca_key.pem
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh b/test/common/tls/ocsp/test_data/certs.sh
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh
rename to test/common/tls/ocsp/test_data/certs.sh
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem b/test/common/tls/ocsp/test_data/ecdsa_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem
rename to test/common/tls/ocsp/test_data/ecdsa_cert.pem
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem b/test/common/tls/ocsp/test_data/ecdsa_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem
rename to test/common/tls/ocsp/test_data/ecdsa_key.pem
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der b/test/common/tls/ocsp/test_data/ecdsa_ocsp_req.der
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der
rename to test/common/tls/ocsp/test_data/ecdsa_ocsp_req.der
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der b/test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der
rename to test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem b/test/common/tls/ocsp/test_data/good_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem
rename to test/common/tls/ocsp/test_data/good_cert.pem
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem b/test/common/tls/ocsp/test_data/good_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem
rename to test/common/tls/ocsp/test_data/good_key.pem
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der b/test/common/tls/ocsp/test_data/good_ocsp_req.der
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der
rename to test/common/tls/ocsp/test_data/good_ocsp_req.der
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der b/test/common/tls/ocsp/test_data/good_ocsp_resp.der
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der
rename to test/common/tls/ocsp/test_data/good_ocsp_resp.der
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt b/test/common/tls/ocsp/test_data/good_ocsp_resp_details.txt
similarity index 100%
rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt
rename to test/common/tls/ocsp/test_data/good_ocsp_resp_details.txt
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem b/test/common/tls/ocsp/test_data/intermediate_ca_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem rename to test/common/tls/ocsp/test_data/intermediate_ca_cert.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem b/test/common/tls/ocsp/test_data/intermediate_ca_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem rename to test/common/tls/ocsp/test_data/intermediate_ca_key.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der b/test/common/tls/ocsp/test_data/multiple_cert_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der rename to test/common/tls/ocsp/test_data/multiple_cert_ocsp_req.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der b/test/common/tls/ocsp/test_data/multiple_cert_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der rename to test/common/tls/ocsp/test_data/multiple_cert_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der b/test/common/tls/ocsp/test_data/responder_key_hash_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der rename to test/common/tls/ocsp/test_data/responder_key_hash_ocsp_req.der 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der b/test/common/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der rename to test/common/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem b/test/common/tls/ocsp/test_data/revoked_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem rename to test/common/tls/ocsp/test_data/revoked_cert.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem b/test/common/tls/ocsp/test_data/revoked_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem rename to test/common/tls/ocsp/test_data/revoked_key.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der b/test/common/tls/ocsp/test_data/revoked_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der rename to test/common/tls/ocsp/test_data/revoked_ocsp_req.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der b/test/common/tls/ocsp/test_data/revoked_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der rename to test/common/tls/ocsp/test_data/revoked_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der b/test/common/tls/ocsp/test_data/unknown_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der rename to test/common/tls/ocsp/test_data/unknown_ocsp_req.der 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der b/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der rename to test/common/tls/ocsp/test_data/unknown_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ssl_certs_test.h b/test/common/tls/ssl_certs_test.h similarity index 100% rename from test/extensions/transport_sockets/tls/ssl_certs_test.h rename to test/common/tls/ssl_certs_test.h diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/common/tls/ssl_socket_test.cc similarity index 78% rename from test/extensions/transport_sockets/tls/ssl_socket_test.cc rename to test/common/tls/ssl_socket_test.cc index ff73e213ff7e..b72f7ad6596b 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/common/tls/ssl_socket_test.cc 
@@ -17,29 +17,29 @@
 #include "source/common/network/transport_socket_options_impl.h"
 #include "source/common/network/utility.h"
 #include "source/common/stream_info/stream_info_impl.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/context_impl.h"
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
-
-#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h"
-#include "test/extensions/transport_sockets/tls/ssl_certs_test.h"
-#include "test/extensions/transport_sockets/tls/test_data/ca_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/extensions_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/password_protected_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns4_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_uri_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert_info.h"
-#include "test/extensions/transport_sockets/tls/test_private_key_method_provider.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/context_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/ssl_socket.h"
+
+#include "test/common/tls/cert_validator/timed_cert_validator.h"
+#include "test/common/tls/ssl_certs_test.h"
+#include "test/common/tls/test_data/ca_cert_info.h"
+#include "test/common/tls/test_data/extensions_cert_info.h"
+#include "test/common/tls/test_data/no_san_cert_info.h"
+#include "test/common/tls/test_data/password_protected_cert_info.h"
+#include "test/common/tls/test_data/san_dns2_cert_info.h"
+#include "test/common/tls/test_data/san_dns3_cert_info.h"
+#include "test/common/tls/test_data/san_dns4_cert_info.h"
+#include "test/common/tls/test_data/san_dns_cert_info.h"
+#include "test/common/tls/test_data/san_dns_ecdsa_1_cert_info.h"
+#include "test/common/tls/test_data/san_dns_rsa_1_cert_info.h"
+#include "test/common/tls/test_data/san_dns_rsa_2_cert_info.h"
+#include "test/common/tls/test_data/san_multiple_dns_1_cert_info.h"
+#include "test/common/tls/test_data/san_multiple_dns_cert_info.h"
+#include "test/common/tls/test_data/san_uri_cert_info.h"
+#include "test/common/tls/test_data/selfsigned_ecdsa_p256_cert_info.h"
+#include "test/common/tls/test_private_key_method_provider.h"
 #include "test/mocks/buffer/mocks.h"
 #include "test/mocks/init/mocks.h"
 #include "test/mocks/local_info/mocks.h"
@@ -923,10 +923,10 @@ void configureServerAndExpiredClientCertificate( envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = @@ -935,8 +935,8 @@ void configureServerAndExpiredClientCertificate( server_validation_ctx->mutable_trusted_ca()->set_filename( TestEnvironment::substitute(server_config.trusted_ca.value())); } else { - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); } if (server_config.allow_expired_cert.has_value()) { server_validation_ctx->set_allow_expired_certificate(server_config.allow_expired_cert.value()); 
@@ -948,11 +948,11 @@ void configureServerAndExpiredClientCertificate( envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/expired_san_uri_cert.pem")); client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem")); + "{{ test_rundir }}/test/common/tls/test_data/expired_san_uri_key.pem")); } TestUtilOptionsV2 createProtocolTestOptions( @@ -1005,12 +1005,12 @@ TEST_P(SslSocketTest, ServerTransportSocketOptions) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; ; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; 
@@ -1032,21 +1032,21 @@ TEST_P(SslSocketTest, GetCertDigest) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); @@ -1065,12 +1065,12 @@ TEST_P(SslSocketTest, GetCertDigestInvalidFiles) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1086,24 +1086,23 @@ TEST_P(SslSocketTest, GetCertDigestInline) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem. + // From test/common/tls/test_data/san_dns_cert.pem. server_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_dns_key.pem. - server_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"))); + // From test/common/tls/test_data/san_dns_key.pem. + server_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"))); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - // From test/extensions/transport_sockets/tls/test_data/ca_certificates.pem. + // From test/common/tls/test_data/ca_certificates.pem. server_validation_ctx->mutable_trusted_ca()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/ca_certificates.pem"))); updateFilterChain(tls_context, *filter_chain); 
@@ -1111,15 +1110,14 @@ TEST_P(SslSocketTest, GetCertDigestInline) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client_ctx.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem. + // From test/common/tls/test_data/san_uri_cert.pem. client_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_uri_key.pem. - client_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem"))); + // From test/common/tls/test_data/san_uri_key.pem. + client_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem"))); TestUtilOptionsV2 test_options(listener, client_ctx, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -1133,24 +1131,23 @@ TEST_P(SslSocketTest, GetCertDigestInlineWithIpSanClientCerts) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem. + // From test/common/tls/test_data/san_dns_cert.pem. server_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_dns_key.pem. - server_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"))); + // From test/common/tls/test_data/san_dns_key.pem. + server_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"))); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - // From test/extensions/transport_sockets/tls/test_data/ca_certificates.pem. + // From test/common/tls/test_data/ca_certificates.pem. server_validation_ctx->mutable_trusted_ca()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/ca_certificates.pem"))); updateFilterChain(tls_context, *filter_chain); 
@@ -1158,15 +1155,14 @@ TEST_P(SslSocketTest, GetCertDigestInlineWithIpSanClientCerts) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client_ctx.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem. + // From test/common/tls/test_data/san_ip_cert.pem. client_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_ip_key.pem. - client_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem"))); + // From test/common/tls/test_data/san_ip_key.pem. + client_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_ip_key.pem"))); TestUtilOptionsV2 test_options(listener, client_ctx, true, version_); testUtilV2(test_options.setExpectedClientCertIpSans({"1.1.1.1"}) 
@@ -1178,21 +1174,21 @@ TEST_P(SslSocketTest, GetCertDigestServerCertWithIntermediateCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1206,21 +1202,21 @@ TEST_P(SslSocketTest, GetCertDigestServerCertWithoutCommonName) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_only_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_only_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_only_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1234,21 +1230,21 @@ TEST_P(SslSocketTest, GetUriWithUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - san_type: URI matcher: 
@@ -1317,21 +1313,21 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; // The SAN field only has DNS, expect "" for uriSanPeerCertificate(). @@ -1348,9 +1344,9 @@ TEST_P(SslSocketTest, NoCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1379,17 +1375,17 @@ TEST_P(SslSocketTest, MultiCertPreferEcdsaWithoutSni) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1414,17 +1410,17 @@ TEST_P(SslSocketTest, MultiCertPreferExactSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1451,13 +1447,13 @@ TEST_P(SslSocketTest, MultiCertPreferFirstCertWithSAN) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1483,13 +1479,13 @@ TEST_P(SslSocketTest, MultiCertPreferFirstCertWithSAN) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1516,13 +1512,13 @@ TEST_P(SslSocketTest, MultiCertWildcardSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); @@ -1548,13 +1544,13 @@ TEST_P(SslSocketTest, MultiCertWildcardSniMismatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1582,25 +1578,25 @@ TEST_P(SslSocketTest, MultiCertPreferEcdsaOnSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem" private_key: - filename: "{{ test_rundir 
}}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1625,21 +1621,21 @@ TEST_P(SslSocketTest, MultiCertPickRSAOnSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1668,17 +1664,17 @@ TEST_P(SslSocketTest, MultiCertWithFullScanDisabledOnSniMismatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1709,17 +1705,17 @@ TEST_P(SslSocketTest, MultiCertPreferEcdsaWithFullScanEnabledOnSniMismatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1745,9 +1741,9 @@ TEST_P(SslSocketTest, CertWithNotECCapable) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, false, version_); @@ -1762,21 +1758,21 @@ TEST_P(SslSocketTest, GetUriWithLocalUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1789,21 +1785,21 @@ TEST_P(SslSocketTest, GetSubjectsWithBothCerts) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; 
@@ -1822,28 +1818,27 @@ TEST_P(SslSocketTest, GetPeerCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); - std::string expected_peer_cert = - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); + std::string expected_peer_cert = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); testUtil(test_options.setExpectedSerialNumber(TEST_NO_SAN_CERT_SERIAL) .setExpectedPeerIssuer( "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US") 
@@ -1859,29 +1854,28 @@ TEST_P(SslSocketTest, GetPeerCertAcceptUntrusted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" trust_chain_verification: ACCEPT_UNTRUSTED require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); - std::string expected_peer_cert = - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); + std::string expected_peer_cert = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); testUtil(test_options.setExpectedSerialNumber(TEST_NO_SAN_CERT_SERIAL) .setExpectedPeerIssuer( "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US") 
@@ -1901,12 +1895,12 @@ TEST_P(SslSocketTest, NoCertUntrustedNotPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" trust_chain_verification: VERIFY_TRUST_CHAIN verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000" )EOF"; @@ -1924,12 +1918,12 @@ TEST_P(SslSocketTest, NoCertUntrustedPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" trust_chain_verification: ACCEPT_UNTRUSTED verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000" )EOF"; 
@@ -1945,29 +1939,28 @@ TEST_P(SslSocketTest, GetPeerCertChain) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); - std::string expected_peer_cert_chain = - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/no_san_chain.pem")); + std::string expected_peer_cert_chain = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/no_san_chain.pem")); testUtil(test_options.setExpectedSerialNumber(TEST_NO_SAN_CERT_SERIAL) .setExpectedPeerCertChain(expected_peer_cert_chain)); } 
@@ -1977,21 +1970,21 @@ TEST_P(SslSocketTest, GetIssueExpireTimesPeerCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -2009,12 +2002,12 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; @@ -2027,21 +2020,21 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, false, version_); 
@@ -2058,12 +2051,12 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - san_type: DNS matcher: @@ -2079,21 +2072,21 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - san_type: DNS matcher: 
@@ -2109,21 +2102,21 @@ TEST_P(SslSocketTest, X509ExtensionsCertificateSerialNumber) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; @@ -2197,7 +2190,7 @@ TEST_P(SslSocketTest, FailedClientCertAllowServerExpiredWrongCAVerification) { server_config.allow_expired_cert = true; // Fake CA is not used to sign the client's certificate. server_config.trusted_ca = "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"; + "}}/test/common/tls/test_data/fake_ca_cert.pem"; configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, version_); 
@@ -2210,21 +2203,21 @@ TEST_P(SslSocketTest, ClientCertificateHashVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2238,18 +2231,18 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2265,15 +2258,15 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); 
@@ -2282,10 +2275,10 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2302,10 +2295,10 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2317,10 +2310,10 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -2340,12 +2333,12 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoClientCertificate common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2362,9 +2355,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCANoClientCertifi common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -2378,21 +2371,21 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongClientCertific common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2405,18 +2398,18 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCAWrongClientCert common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2430,21 +2423,21 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2460,20 +2453,20 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem")); - server_cert->mutable_password()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_key.pem")); + server_cert->mutable_password()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); 
@@ -2482,16 +2475,15 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem")); - client_cert->mutable_password()->set_inline_string( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"))); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_key.pem")); + client_cert->mutable_password()->set_inline_string(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt"))); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2509,17 +2501,17 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12")); - server_cert->mutable_password()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); + server_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_certkey.p12")); + server_cert->mutable_password()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); 
@@ -2528,13 +2520,12 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12")); - client_cert->mutable_password()->set_inline_string( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"))); + client_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_certkey.p12")); + client_cert->mutable_password()->set_inline_string(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt"))); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2552,14 +2543,14 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithoutPassword) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12")); + server_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_dns3_certkeychain.p12")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_DNS3_CERT_256_HASH); 
@@ -2568,9 +2559,9 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithoutPassword) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12")); + client_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_dns3_certkeychain.p12")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedServerCertDigest(TEST_SAN_DNS3_CERT_256_HASH)); 
@@ -2587,16 +2578,16 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2604,10 +2595,10 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2624,10 +2615,10 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2638,10 +2629,10 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2658,15 +2649,15 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2687,10 +2678,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2715,15 +2706,15 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2731,10 +2722,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -2751,10 +2742,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2765,10 +2756,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -2785,15 +2776,15 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2801,10 +2792,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedTransportFailureReasonContains("TLSV1_ALERT_UNKNOWN_CA")); 
@@ -2820,15 +2811,15 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); 
@@ -2838,10 +2829,10 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2858,10 +2849,10 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2874,10 +2865,10 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2894,15 +2885,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); 
@@ -2925,10 +2916,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2954,15 +2945,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); 
@@ -2971,10 +2962,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -2991,10 +2982,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -3006,10 +2997,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -3026,15 +3017,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); 
@@ -3043,10 +3034,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedTransportFailureReasonContains("TLSV1_ALERT_UNKNOWN_CA")); @@ -3063,12 +3054,12 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; 
@@ -3122,12 +3113,12 @@ TEST_P(SslSocketTest, HalfClose) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; @@ -3207,12 +3198,12 @@ TEST_P(SslSocketTest, ShutdownWithCloseNotify) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; 
@@ -3298,12 +3289,12 @@ TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; @@ -3405,12 +3396,12 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; 
@@ -3433,9 +3424,9 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; @@ -3748,12 +3739,12 @@ TEST_P(SslSocketTest, TicketSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3772,12 +3763,12 @@ TEST_P(SslSocketTest, TicketSessionResumptionCustomTimeout) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" session_timeout: 2307s )EOF"; 
@@ -3794,24 +3785,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionWithClientCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml, {}, server_ctx_yaml, {}, client_ctx_yaml, true, 
@@ -3823,25 +3814,25 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3857,24 +3848,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3892,24 +3883,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerNames) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; std::vector server_names1 = {"server1.example.com"}; 
@@ -3928,16 +3919,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertHash) { const std::string server_ctx_yaml1 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: - ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -3945,16 +3936,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertHash) { const std::string server_ctx_yaml2 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: - "0000000000000000000000000000000000000000000000000000000000000000" - ")EOF", @@ -3964,9 +3955,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertHash) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml1, {}, server_ctx_yaml1, {}, client_ctx_yaml, true, 
@@ -3981,16 +3972,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertSpki) { const std::string server_ctx_yaml1 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_spki: - ")EOF", TEST_SAN_URI_CERT_SPKI, "\""); 
@@ -3998,16 +3989,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertSpki) { const std::string server_ctx_yaml2 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_spki: - "NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=" - ")EOF", @@ -4017,9 +4008,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertSpki) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml1, {}, server_ctx_yaml1, {}, client_ctx_yaml, true, 
@@ -4034,16 +4025,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentMatchSAN) { const std::string server_ctx_yaml1 = R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_subject_alt_names: - exact: "spiffe://lyft.com/test-team" )EOF"; 
@@ -4051,16 +4042,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentMatchSAN) { const std::string server_ctx_yaml2 = R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_subject_alt_names: - prefix: "spiffe://lyft.com/test-team" ")EOF"; @@ -4069,9 +4060,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentMatchSAN) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml1, {}, server_ctx_yaml1, {}, client_ctx_yaml, true, 
@@ -4087,24 +4078,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4122,24 +4113,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerCertIntermediateCA) common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4157,24 +4148,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerCertDifferentSAN) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4190,9 +4181,9 @@ TEST_P(SslSocketTest, SessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true disable_stateful_session_resumption: true )EOF"; @@ -4209,9 +4200,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; @@ -4227,9 +4218,9 @@ TEST_P(SslSocketTest, StatefulSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateful_session_resumption: true )EOF"; 
@@ -4245,9 +4236,9 @@ TEST_P(SslSocketTest, SessionResumptionEnabledExplicitly) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false disable_stateful_session_resumption: false )EOF"; @@ -4264,9 +4255,9 @@ TEST_P(SslSocketTest, SessionResumptionEnabledByDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4283,12 +4274,12 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; 
@@ -4296,16 +4287,16 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" require_client_certificate: true session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context1; @@ -4336,9 +4327,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; 
@@ -4581,9 +4572,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4602,9 +4593,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4624,9 +4615,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4649,9 +4640,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4674,9 +4665,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4695,12 +4686,12 @@ TEST_P(SslSocketTest, SslError) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" verify_certificate_hash: "7B:0C:3F:0D:97:0E:FC:16:70:11:7A:0C:35:75:54:6B:17:AB:CF:20:D8:AA:A0:ED:87:08:0F:FB:60:4C:40:77" )EOF"; 
@@ -4755,10 +4746,10 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = tls_context.mutable_common_tls_context()->mutable_tls_params(); 
@@ -4961,10 +4952,10 @@ TEST_P(SslSocketTest, ALPN) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = tls_context.mutable_common_tls_context(); updateFilterChain(tls_context, *filter_chain); 
@@ -5039,10 +5030,10 @@ TEST_P(SslSocketTest, CipherSuites) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5115,10 +5106,10 @@ TEST_P(SslSocketTest, EcdhCurves) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = tls_context.mutable_common_tls_context()->mutable_tls_params(); updateFilterChain(tls_context, *filter_chain); 
@@ -5184,27 +5175,27 @@ TEST_P(SslSocketTest, SignatureAlgorithms) { server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); // Server ECDSA certificate. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Client RSA certificate. 
envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); // Connection using defaults (client & server) succeeds. TestUtilOptionsV2 algorithm_test_options(listener, client, true, version_); @@ -5228,12 +5219,12 @@ TEST_P(SslSocketTest, SetSignatureAlgorithms) { - ecdsa_secp256r1_sha256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; 
@@ -5261,9 +5252,9 @@ TEST_P(SslSocketTest, SetSignatureAlgorithms) { - ecdsa_secp256r1_sha256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; @@ -5342,9 +5333,9 @@ TEST_P(SslSocketTest, SetSignatureAlgorithmsFailure) { - invalid_sigalg_name tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -5365,14 +5356,14 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; // This should fail, since the certificate has been revoked. @@ -5380,9 +5371,9 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; TestUtilOptions revoked_test_options(revoked_client_ctx_yaml, server_ctx_yaml, false, version_); 
@@ -5394,9 +5385,9 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" )EOF"; TestUtilOptions successful_test_options(successful_client_ctx_yaml, server_ctx_yaml, true, @@ -5410,12 +5401,12 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem" )EOF"; // This should fail, since the certificate has been revoked. @@ -5423,9 +5414,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; TestUtilOptions revoked_test_options(revoked_client_ctx_yaml, server_ctx_yaml, false, version_); 
@@ -5437,9 +5428,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" )EOF"; TestUtilOptions successful_test_options(successful_client_ctx_yaml, server_ctx_yaml, true, version_); @@ -5461,14 +5452,14 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain.crl" )EOF"; // This should fail, since the crl chain is incomplete. 
@@ -5486,14 +5477,14 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert.crl" )EOF"; // This should fail, since the certificate has been revoked. @@ -5501,9 +5492,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" )EOF"; // This should succeed, since the certificate has not been revoked. 
@@ -5511,9 +5502,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_key.pem" )EOF"; // Ensure that incomplete crl chains fail with revoked certificates. @@ -5553,12 +5544,12 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem" )EOF"; // This should fail, since the crl chain is incomplete. 
@@ -5574,12 +5565,12 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" )EOF"; // This should fail, since the certificate has been revoked. @@ -5587,9 +5578,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" )EOF"; // This should succeed, since the certificate has not been revoked. @@ -5597,9 +5588,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_key.pem" )EOF"; // Ensure that incomplete crl chains fail with revoked certificates. 
@@ -5641,12 +5632,12 @@ TEST_P(SslSocketTest, NotRevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" only_verify_leaf_cert_crl: true )EOF"; @@ -5655,9 +5646,9 @@ TEST_P(SslSocketTest, NotRevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_key.pem" )EOF"; TestUtilOptions complete_unrevoked_test_options(unrevoked_client_ctx_yaml, 
@@ -5680,12 +5671,12 @@ TEST_P(SslSocketTest, RevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" only_verify_leaf_cert_crl: true )EOF"; @@ -5694,9 +5685,9 @@ TEST_P(SslSocketTest, RevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" )EOF"; TestUtilOptions complete_revoked_test_options(revoked_client_ctx_yaml, incomplete_server_ctx_yaml, 
@@ -5712,10 +5703,10 @@ TEST_P(SslSocketTest, GetRequestedServerName) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5731,10 +5722,10 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5754,10 +5745,10 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5776,10 +5767,10 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, true, version_); 
@@ -6107,21 +6098,21 @@ class SslReadBufferLimitTest : public SslSocketTest { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; const std::string client_ctx_yaml_ = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; NiceMock runtime_; 
@@ -6260,21 +6251,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6297,21 +6288,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: false mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6331,21 +6322,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6368,21 +6359,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncDecryptSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6405,15 +6396,15 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderFallbackSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: true mode: rsa @@ -6421,9 +6412,9 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderFallbackSuccess) { fallback: true validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6443,22 +6434,22 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false crypto_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6478,22 +6469,22 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true crypto_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6513,21 +6504,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6550,21 +6541,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderDecryptFailure) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6584,21 +6575,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign async_method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6622,21 +6613,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptCompleteFailure) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt async_method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6672,20 +6663,20 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -6712,24 +6703,24 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertFail) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -6757,13 +6748,13 @@ TEST_P(SslSocketTest, EcdsaPrivateKeyProviderSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign mode: ecdsa )EOF"; 
@@ -6792,25 +6783,25 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false async_method_error: true mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign mode: ecdsa )EOF"; 
@@ -6836,24 +6827,24 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertFail) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign async_method_error: true mode: ecdsa 
@@ -6870,31 +6861,31 @@ TEST_P(SslSocketTest, PrivateKeyProviderWithCertValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" expected_operation: sign sync_mode: false mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -6912,11 +6903,11 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -6929,7 +6920,7 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); std::string ocsp_response_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; + "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); 
@@ -6946,11 +6937,11 @@ TEST_P(SslSocketTest, TestNoOcspStapleWhenNotEnabledOnClient) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -6972,11 +6963,11 @@ TEST_P(SslSocketTest, TestOcspStapleOmittedOnSkipStaplingAndResponseExpired) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -6998,11 +6989,11 @@ TEST_P(SslSocketTest, TestConnectionFailsOnStapleRequiredAndOcspExpired) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -7024,9 +7015,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsWhenRejectOnExpiredNoOcspResponse) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: strict_stapling )EOF"; 
@@ -7048,11 +7039,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenRejectOnExpiredAndResponseExpired) - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: strict_stapling )EOF"; @@ -7075,11 +7066,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired) - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -7102,17 +7093,17 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -7125,7 +7116,7 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) )EOF"; std::string ocsp_response_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; + "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -7142,17 +7133,17 @@ TEST_P(SslSocketTest, TestConnectionFailsOnMultipleCertificatesNonePassOcspPolic - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_ocsp_resp.der" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -7178,9 +7169,9 @@ TEST_P(SslSocketTest, Sni) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -7192,12 +7183,12 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorSucceeds) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" custom_validator_config: name: "envoy.tls.cert_validator.timed_cert_validator" sni: "example.com" @@ -7207,12 +7198,12 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorSucceeds) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" custom_validator_config: name: "envoy.tls.cert_validator.timed_cert_validator" )EOF"; 
@@ -7235,14 +7226,14 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorFails) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" custom_validator_config: name: "envoy.tls.cert_validator.timed_cert_validator" )EOF"; @@ -7252,9 +7243,9 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorFails) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; auto* cert_validator_factory = Registry::FactoryRegistry::getFactory( "envoy.tls.cert_validator.timed_cert_validator"); 
@@ -7275,12 +7266,12 @@ TEST_P(SslSocketTest, RsaKeyUsageVerificationEnforcementOff) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = server_tls_context.mutable_common_tls_context()->add_tls_certificates(); // Bad server certificate to cause the mismatch between TLS usage and key usage. - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_key.pem")); updateFilterChain(server_tls_context, *filter_chain); 
@@ -7305,12 +7296,12 @@ TEST_P(SslSocketTest, RsaKeyUsageVerificationEnforcementOn) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = server_tls_context.mutable_common_tls_context()->add_tls_certificates(); // Bad server certificate to cause the mismatch between TLS usage and key usage. - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_key.pem")); updateFilterChain(server_tls_context, *filter_chain); diff --git a/test/extensions/transport_sockets/tls/ssl_test_utility.h b/test/common/tls/ssl_test_utility.h similarity index 100% rename from test/extensions/transport_sockets/tls/ssl_test_utility.h rename to test/common/tls/ssl_test_utility.h diff --git a/test/extensions/transport_sockets/tls/test_data/BUILD b/test/common/tls/test_data/BUILD similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/BUILD rename to test/common/tls/test_data/BUILD diff --git a/test/extensions/transport_sockets/tls/test_data/README.md b/test/common/tls/test_data/README.md similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/README.md rename to test/common/tls/test_data/README.md 
diff --git a/test/extensions/transport_sockets/tls/test_data/aes_128_key b/test/common/tls/test_data/aes_128_key
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/aes_128_key
rename to test/common/tls/test_data/aes_128_key
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.cfg b/test/common/tls/test_data/bad_rsa_key_usage_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.cfg
rename to test/common/tls/test_data/bad_rsa_key_usage_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem b/test/common/tls/test_data/bad_rsa_key_usage_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem
rename to test/common/tls/test_data/bad_rsa_key_usage_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert_info.h b/test/common/tls/test_data/bad_rsa_key_usage_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert_info.h
rename to test/common/tls/test_data/bad_rsa_key_usage_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem b/test/common/tls/test_data/bad_rsa_key_usage_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem
rename to test/common/tls/test_data/bad_rsa_key_usage_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert.cfg b/test/common/tls/test_data/ca_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert.cfg
rename to test/common/tls/test_data/ca_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert.crl b/test/common/tls/test_data/ca_cert.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert.crl
rename to test/common/tls/test_data/ca_cert.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert.pem b/test/common/tls/test_data/ca_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert.pem
rename to test/common/tls/test_data/ca_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert_info.h b/test/common/tls/test_data/ca_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert_info.h
rename to test/common/tls/test_data/ca_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem b/test/common/tls/test_data/ca_cert_with_crl.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem
rename to test/common/tls/test_data/ca_cert_with_crl.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem b/test/common/tls/test_data/ca_certificates.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_certificates.pem
rename to test/common/tls/test_data/ca_certificates.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_key.pem b/test/common/tls/test_data/ca_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_key.pem
rename to test/common/tls/test_data/ca_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/common/tls/test_data/certs.sh
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/certs.sh
rename to test/common/tls/test_data/certs.sh
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_cert.pem b/test/common/tls/test_data/expired_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_cert.pem
rename to test/common/tls/test_data/expired_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_cert_info.h b/test/common/tls/test_data/expired_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_cert_info.h
rename to test/common/tls/test_data/expired_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_key.pem b/test/common/tls/test_data/expired_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_key.pem
rename to test/common/tls/test_data/expired_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert.pem b/test/common/tls/test_data/expired_san_uri_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert.pem
rename to test/common/tls/test_data/expired_san_uri_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert_info.h b/test/common/tls/test_data/expired_san_uri_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert_info.h
rename to test/common/tls/test_data/expired_san_uri_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem b/test/common/tls/test_data/expired_san_uri_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem
rename to test/common/tls/test_data/expired_san_uri_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem b/test/common/tls/test_data/expired_spiffe_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem
rename to test/common/tls/test_data/expired_spiffe_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_info.h b/test/common/tls/test_data/expired_spiffe_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_info.h
rename to test/common/tls/test_data/expired_spiffe_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_key.pem b/test/common/tls/test_data/expired_spiffe_san_cert_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_key.pem
rename to test/common/tls/test_data/expired_spiffe_san_cert_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_key.pem b/test/common/tls/test_data/expired_spiffe_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_key.pem
rename to test/common/tls/test_data/expired_spiffe_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_cert.cfg b/test/common/tls/test_data/extensions_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_cert.cfg
rename to test/common/tls/test_data/extensions_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem b/test/common/tls/test_data/extensions_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_cert.pem
rename to test/common/tls/test_data/extensions_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_cert_info.h b/test/common/tls/test_data/extensions_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_cert_info.h
rename to test/common/tls/test_data/extensions_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_key.pem b/test/common/tls/test_data/extensions_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_key.pem
rename to test/common/tls/test_data/extensions_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.cfg b/test/common/tls/test_data/fake_ca_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_cert.cfg
rename to test/common/tls/test_data/fake_ca_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem b/test/common/tls/test_data/fake_ca_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem
rename to test/common/tls/test_data/fake_ca_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_cert_info.h b/test/common/tls/test_data/fake_ca_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_cert_info.h
rename to test/common/tls/test_data/fake_ca_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_key.pem b/test/common/tls/test_data/fake_ca_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_key.pem
rename to test/common/tls/test_data/fake_ca_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/i1_cert.cfg b/test/common/tls/test_data/i1_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i1_cert.cfg
rename to test/common/tls/test_data/i1_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/i2_cert.cfg b/test/common/tls/test_data/i2_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i2_cert.cfg
rename to test/common/tls/test_data/i2_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/i3_cert.cfg b/test/common/tls/test_data/i3_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i3_cert.cfg
rename to test/common/tls/test_data/i3_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/i4_cert.cfg b/test/common/tls/test_data/i4_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i4_cert.cfg
rename to test/common/tls/test_data/i4_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.cfg b/test/common/tls/test_data/intermediate_ca_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.cfg
rename to test/common/tls/test_data/intermediate_ca_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.crl b/test/common/tls/test_data/intermediate_ca_cert.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.crl
rename to test/common/tls/test_data/intermediate_ca_cert.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem b/test/common/tls/test_data/intermediate_ca_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem
rename to test/common/tls/test_data/intermediate_ca_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.crl b/test/common/tls/test_data/intermediate_ca_cert_chain.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.crl
rename to test/common/tls/test_data/intermediate_ca_cert_chain.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem b/test/common/tls/test_data/intermediate_ca_cert_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem
rename to test/common/tls/test_data/intermediate_ca_cert_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem b/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem
rename to test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem b/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem
rename to test/common/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_info.h b/test/common/tls/test_data/intermediate_ca_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_info.h
rename to test/common/tls/test_data/intermediate_ca_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_key.pem b/test/common/tls/test_data/intermediate_ca_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_key.pem
rename to test/common/tls/test_data/intermediate_ca_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg b/test/common/tls/test_data/keyusage_cert_sign_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg
rename to test/common/tls/test_data/keyusage_cert_sign_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem b/test/common/tls/test_data/keyusage_cert_sign_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
rename to test/common/tls/test_data/keyusage_cert_sign_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h b/test/common/tls/test_data/keyusage_cert_sign_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h
rename to test/common/tls/test_data/keyusage_cert_sign_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem b/test/common/tls/test_data/keyusage_cert_sign_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem
rename to test/common/tls/test_data/keyusage_cert_sign_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg b/test/common/tls/test_data/keyusage_crl_sign_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg
rename to test/common/tls/test_data/keyusage_crl_sign_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem b/test/common/tls/test_data/keyusage_crl_sign_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem
rename to test/common/tls/test_data/keyusage_crl_sign_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h b/test/common/tls/test_data/keyusage_crl_sign_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h
rename to test/common/tls/test_data/keyusage_crl_sign_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem b/test/common/tls/test_data/keyusage_crl_sign_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem
rename to test/common/tls/test_data/keyusage_crl_sign_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/long_validity_cert.pem b/test/common/tls/test_data/long_validity_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/long_validity_cert.pem
rename to test/common/tls/test_data/long_validity_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/long_validity_cert_info.h b/test/common/tls/test_data/long_validity_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/long_validity_cert_info.h
rename to test/common/tls/test_data/long_validity_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/long_validity_key.pem b/test/common/tls/test_data/long_validity_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/long_validity_key.pem
rename to test/common/tls/test_data/long_validity_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cert.cfg b/test/common/tls/test_data/no_san_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cert.cfg
rename to test/common/tls/test_data/no_san_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem b/test/common/tls/test_data/no_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cert.pem
rename to test/common/tls/test_data/no_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h b/test/common/tls/test_data/no_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h
rename to test/common/tls/test_data/no_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_chain.pem b/test/common/tls/test_data/no_san_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_chain.pem
rename to test/common/tls/test_data/no_san_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.cfg b/test/common/tls/test_data/no_san_cn_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.cfg
rename to test/common/tls/test_data/no_san_cn_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.pem b/test/common/tls/test_data/no_san_cn_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.pem
rename to test/common/tls/test_data/no_san_cn_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert_info.h b/test/common/tls/test_data/no_san_cn_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_cert_info.h
rename to test/common/tls/test_data/no_san_cn_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_key.pem b/test/common/tls/test_data/no_san_cn_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_key.pem
rename to test/common/tls/test_data/no_san_cn_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_key.pem b/test/common/tls/test_data/no_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_key.pem
rename to test/common/tls/test_data/no_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_cert.cfg b/test/common/tls/test_data/no_subject_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_cert.cfg
rename to test/common/tls/test_data/no_subject_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_cert.pem b/test/common/tls/test_data/no_subject_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_cert.pem
rename to test/common/tls/test_data/no_subject_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_cert_info.h b/test/common/tls/test_data/no_subject_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_cert_info.h
rename to test/common/tls/test_data/no_subject_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_key.pem b/test/common/tls/test_data/no_subject_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_key.pem
rename to test/common/tls/test_data/no_subject_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg b/test/common/tls/test_data/non_spiffe_san_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg
rename to test/common/tls/test_data/non_spiffe_san_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem b/test/common/tls/test_data/non_spiffe_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem
rename to test/common/tls/test_data/non_spiffe_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h b/test/common/tls/test_data/non_spiffe_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h
rename to test/common/tls/test_data/non_spiffe_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem b/test/common/tls/test_data/non_spiffe_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem
rename to test/common/tls/test_data/non_spiffe_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/not_a_crl.crl b/test/common/tls/test_data/not_a_crl.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/not_a_crl.crl
rename to test/common/tls/test_data/not_a_crl.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem b/test/common/tls/test_data/password_protected_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem
rename to test/common/tls/test_data/password_protected_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_cert_info.h b/test/common/tls/test_data/password_protected_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_cert_info.h
rename to test/common/tls/test_data/password_protected_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12 b/test/common/tls/test_data/password_protected_certkey.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12
rename to test/common/tls/test_data/password_protected_certkey.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem b/test/common/tls/test_data/password_protected_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_key.pem
rename to test/common/tls/test_data/password_protected_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt b/test/common/tls/test_data/password_protected_password.txt
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_password.txt
rename to test/common/tls/test_data/password_protected_password.txt
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem b/test/common/tls/test_data/san_dns2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem
rename to test/common/tls/test_data/san_dns2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h b/test/common/tls/test_data/san_dns2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h
rename to test/common/tls/test_data/san_dns2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem b/test/common/tls/test_data/san_dns2_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem
rename to test/common/tls/test_data/san_dns2_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem b/test/common/tls/test_data/san_dns3_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem
rename to test/common/tls/test_data/san_dns3_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h b/test/common/tls/test_data/san_dns3_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h
rename to test/common/tls/test_data/san_dns3_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12 b/test/common/tls/test_data/san_dns3_certkeychain.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12
rename to test/common/tls/test_data/san_dns3_certkeychain.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem b/test/common/tls/test_data/san_dns3_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem
rename to test/common/tls/test_data/san_dns3_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem b/test/common/tls/test_data/san_dns3_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem
rename to test/common/tls/test_data/san_dns3_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem b/test/common/tls/test_data/san_dns4_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem
rename to test/common/tls/test_data/san_dns4_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns4_cert_info.h b/test/common/tls/test_data/san_dns4_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns4_cert_info.h
rename to test/common/tls/test_data/san_dns4_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem b/test/common/tls/test_data/san_dns4_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem
rename to test/common/tls/test_data/san_dns4_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_cert.cfg b/test/common/tls/test_data/san_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_cert.cfg
rename to test/common/tls/test_data/san_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem b/test/common/tls/test_data/san_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem
rename to test/common/tls/test_data/san_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h b/test/common/tls/test_data/san_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h
rename to test/common/tls/test_data/san_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem b/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem
rename to test/common/tls/test_data/san_dns_ecdsa_1_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert_info.h b/test/common/tls/test_data/san_dns_ecdsa_1_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert_info.h
rename to test/common/tls/test_data/san_dns_ecdsa_1_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem b/test/common/tls/test_data/san_dns_ecdsa_1_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem
rename to test/common/tls/test_data/san_dns_ecdsa_1_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem b/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem
rename to test/common/tls/test_data/san_dns_ecdsa_2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert_info.h b/test/common/tls/test_data/san_dns_ecdsa_2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert_info.h
rename to test/common/tls/test_data/san_dns_ecdsa_2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem b/test/common/tls/test_data/san_dns_ecdsa_2_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem
rename to test/common/tls/test_data/san_dns_ecdsa_2_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem b/test/common/tls/test_data/san_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_key.pem
rename to test/common/tls/test_data/san_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem b/test/common/tls/test_data/san_dns_rsa_1_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem
rename to test/common/tls/test_data/san_dns_rsa_1_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_info.h b/test/common/tls/test_data/san_dns_rsa_1_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_info.h
rename to test/common/tls/test_data/san_dns_rsa_1_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_key.pem b/test/common/tls/test_data/san_dns_rsa_1_cert_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_key.pem
rename to test/common/tls/test_data/san_dns_rsa_1_cert_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem b/test/common/tls/test_data/san_dns_rsa_1_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem
rename to test/common/tls/test_data/san_dns_rsa_1_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem b/test/common/tls/test_data/san_dns_rsa_2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem
rename to test/common/tls/test_data/san_dns_rsa_2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert_info.h b/test/common/tls/test_data/san_dns_rsa_2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert_info.h
rename to test/common/tls/test_data/san_dns_rsa_2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem b/test/common/tls/test_data/san_dns_rsa_2_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem
rename to test/common/tls/test_data/san_dns_rsa_2_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_server1_cert.cfg b/test/common/tls/test_data/san_dns_server1_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_server1_cert.cfg
rename to test/common/tls/test_data/san_dns_server1_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_server2_cert.cfg b/test/common/tls/test_data/san_dns_server2_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_server2_cert.cfg
rename to test/common/tls/test_data/san_dns_server2_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_cert.cfg b/test/common/tls/test_data/san_ip_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_cert.cfg
rename to test/common/tls/test_data/san_ip_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem b/test/common/tls/test_data/san_ip_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem
rename to test/common/tls/test_data/san_ip_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h b/test/common/tls/test_data/san_ip_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h
rename to test/common/tls/test_data/san_ip_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem b/test/common/tls/test_data/san_ip_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem
rename to test/common/tls/test_data/san_ip_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem b/test/common/tls/test_data/san_ip_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_key.pem
rename to test/common/tls/test_data/san_ip_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.cfg b/test/common/tls/test_data/san_multiple_dns_1_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.cfg
rename to test/common/tls/test_data/san_multiple_dns_1_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem b/test/common/tls/test_data/san_multiple_dns_1_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem
rename to test/common/tls/test_data/san_multiple_dns_1_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert_info.h b/test/common/tls/test_data/san_multiple_dns_1_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert_info.h
rename to test/common/tls/test_data/san_multiple_dns_1_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem b/test/common/tls/test_data/san_multiple_dns_1_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem
rename to test/common/tls/test_data/san_multiple_dns_1_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.cfg b/test/common/tls/test_data/san_multiple_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.cfg
rename to test/common/tls/test_data/san_multiple_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem b/test/common/tls/test_data/san_multiple_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem
rename to test/common/tls/test_data/san_multiple_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert_info.h b/test/common/tls/test_data/san_multiple_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert_info.h
rename to test/common/tls/test_data/san_multiple_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem b/test/common/tls/test_data/san_multiple_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem
rename to test/common/tls/test_data/san_multiple_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.cfg b/test/common/tls/test_data/san_only_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.cfg
rename to test/common/tls/test_data/san_only_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.pem b/test/common/tls/test_data/san_only_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.pem
rename to test/common/tls/test_data/san_only_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert_info.h b/test/common/tls/test_data/san_only_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_cert_info.h
rename to test/common/tls/test_data/san_only_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_key.pem b/test/common/tls/test_data/san_only_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_key.pem
rename to test/common/tls/test_data/san_only_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_cert.cfg b/test/common/tls/test_data/san_uri_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_cert.cfg
rename to test/common/tls/test_data/san_uri_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem b/test/common/tls/test_data/san_uri_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem
rename to test/common/tls/test_data/san_uri_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_cert_info.h b/test/common/tls/test_data/san_uri_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_cert_info.h
rename to test/common/tls/test_data/san_uri_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem b/test/common/tls/test_data/san_uri_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_key.pem
rename to test/common/tls/test_data/san_uri_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.cfg b/test/common/tls/test_data/san_wildcard_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.cfg
rename to test/common/tls/test_data/san_wildcard_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.pem b/test/common/tls/test_data/san_wildcard_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.pem
rename to test/common/tls/test_data/san_wildcard_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert_info.h b/test/common/tls/test_data/san_wildcard_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert_info.h
rename to test/common/tls/test_data/san_wildcard_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_key.pem b/test/common/tls/test_data/san_wildcard_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_key.pem
rename to test/common/tls/test_data/san_wildcard_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_cert.pem b/test/common/tls/test_data/selfsigned2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_cert.pem
rename to test/common/tls/test_data/selfsigned2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_cert_info.h b/test/common/tls/test_data/selfsigned2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_cert_info.h
rename to test/common/tls/test_data/selfsigned2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert.pem b/test/common/tls/test_data/selfsigned2_ecdsa_p256_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert.pem
rename to test/common/tls/test_data/selfsigned2_ecdsa_p256_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h b/test/common/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h
rename to test/common/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.cfg b/test/common/tls/test_data/selfsigned_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_cert.cfg
rename to test/common/tls/test_data/selfsigned_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem b/test/common/tls/test_data/selfsigned_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem
rename to test/common/tls/test_data/selfsigned_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_cert_info.h b/test/common/tls/test_data/selfsigned_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_cert_info.h
rename to test/common/tls/test_data/selfsigned_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem b/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert_info.h b/test/common/tls/test_data/selfsigned_ecdsa_p256_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert_info.h
rename to test/common/tls/test_data/selfsigned_ecdsa_p256_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem b/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert.pem b/test/common/tls/test_data/selfsigned_ecdsa_p384_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert_info.h b/test/common/tls/test_data/selfsigned_ecdsa_p384_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert_info.h
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_certkey.p12 b/test/common/tls/test_data/selfsigned_ecdsa_p384_certkey.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_certkey.p12
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_certkey.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_key.pem b/test/common/tls/test_data/selfsigned_ecdsa_p384_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_key.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem b/test/common/tls/test_data/selfsigned_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem
rename to test/common/tls/test_data/selfsigned_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert.pem b/test/common/tls/test_data/selfsigned_rsa_1024_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert.pem
rename to test/common/tls/test_data/selfsigned_rsa_1024_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert_info.h b/test/common/tls/test_data/selfsigned_rsa_1024_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert_info.h
rename to test/common/tls/test_data/selfsigned_rsa_1024_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_certkey.p12 b/test/common/tls/test_data/selfsigned_rsa_1024_certkey.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_certkey.p12
rename to test/common/tls/test_data/selfsigned_rsa_1024_certkey.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_key.pem b/test/common/tls/test_data/selfsigned_rsa_1024_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_key.pem
rename to test/common/tls/test_data/selfsigned_rsa_1024_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert.pem b/test/common/tls/test_data/selfsigned_rsa_3072_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert.pem
rename to test/common/tls/test_data/selfsigned_rsa_3072_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert_info.h b/test/common/tls/test_data/selfsigned_rsa_3072_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert_info.h
rename to test/common/tls/test_data/selfsigned_rsa_3072_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_key.pem b/test/common/tls/test_data/selfsigned_rsa_3072_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_key.pem
rename to test/common/tls/test_data/selfsigned_rsa_3072_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert.pem b/test/common/tls/test_data/selfsigned_rsa_4096_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert.pem
rename to test/common/tls/test_data/selfsigned_rsa_4096_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert_info.h b/test/common/tls/test_data/selfsigned_rsa_4096_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert_info.h
rename to test/common/tls/test_data/selfsigned_rsa_4096_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_key.pem b/test/common/tls/test_data/selfsigned_rsa_4096_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_key.pem
rename to test/common/tls/test_data/selfsigned_rsa_4096_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg b/test/common/tls/test_data/spiffe_san_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg
rename to test/common/tls/test_data/spiffe_san_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem b/test/common/tls/test_data/spiffe_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem
rename to test/common/tls/test_data/spiffe_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h b/test/common/tls/test_data/spiffe_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h
rename to test/common/tls/test_data/spiffe_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem b/test/common/tls/test_data/spiffe_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem
rename to test/common/tls/test_data/spiffe_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem b/test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
rename to test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h b/test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
rename to test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_key.pem b/test/common/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
rename to test/common/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/test_long_cert_chain.pem b/test/common/tls/test_data/test_long_cert_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/test_long_cert_chain.pem
rename to test/common/tls/test_data/test_long_cert_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/test_random_cert.pem b/test/common/tls/test_data/test_random_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/test_random_cert.pem
rename to test/common/tls/test_data/test_random_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ticket_key_a b/test/common/tls/test_data/ticket_key_a
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ticket_key_a
rename to test/common/tls/test_data/ticket_key_a
diff --git a/test/extensions/transport_sockets/tls/test_data/ticket_key_b b/test/common/tls/test_data/ticket_key_b
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ticket_key_b
rename to test/common/tls/test_data/ticket_key_b
diff --git a/test/extensions/transport_sockets/tls/test_data/ticket_key_wrong_len b/test/common/tls/test_data/ticket_key_wrong_len
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ticket_key_wrong_len
rename to test/common/tls/test_data/ticket_key_wrong_len
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg b/test/common/tls/test_data/unittest_cert.cfg similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg rename to test/common/tls/test_data/unittest_cert.cfg diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem b/test/common/tls/test_data/unittest_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_cert.pem rename to test/common/tls/test_data/unittest_cert.pem diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h b/test/common/tls/test_data/unittest_cert_info.h similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h rename to test/common/tls/test_data/unittest_cert_info.h diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_key.pem b/test/common/tls/test_data/unittest_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_key.pem rename to test/common/tls/test_data/unittest_key.pem diff --git a/test/extensions/transport_sockets/tls/test_private_key_method_provider.cc b/test/common/tls/test_private_key_method_provider.cc similarity index 99% rename from test/extensions/transport_sockets/tls/test_private_key_method_provider.cc rename to test/common/tls/test_private_key_method_provider.cc index 2145b173b75a..242e634f671e 100644 --- a/test/extensions/transport_sockets/tls/test_private_key_method_provider.cc +++ b/test/common/tls/test_private_key_method_provider.cc @@ -1,4 +1,4 @@ -#include "test/extensions/transport_sockets/tls/test_private_key_method_provider.h" +#include "test/common/tls/test_private_key_method_provider.h" #include 
diff --git a/test/extensions/transport_sockets/tls/test_private_key_method_provider.h b/test/common/tls/test_private_key_method_provider.h similarity index 100% rename from test/extensions/transport_sockets/tls/test_private_key_method_provider.h rename to test/common/tls/test_private_key_method_provider.h diff --git a/test/extensions/transport_sockets/tls/tls_throughput_benchmark.cc b/test/common/tls/tls_throughput_benchmark.cc similarity index 96% rename from test/extensions/transport_sockets/tls/tls_throughput_benchmark.cc rename to test/common/tls/tls_throughput_benchmark.cc index 690909fb9ac6..b2b67779ecd6 100644 --- a/test/extensions/transport_sockets/tls/tls_throughput_benchmark.cc +++ b/test/common/tls/tls_throughput_benchmark.cc @@ -75,10 +75,10 @@ static void testThroughput(benchmark::State& state) { bssl::UniquePtr server_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); - std::string cert_path = TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"); - std::string key_path = TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"); + std::string cert_path = + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"); + std::string key_path = + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"); auto err = SSL_CTX_use_certificate_file(server_ctx.get(), cert_path.c_str(), SSL_FILETYPE_PEM); drainErrorQueue(); RELEASE_ASSERT(err > 0, "SSL_CTX_use_certificate_file"); diff --git a/test/extensions/transport_sockets/tls/utility_test.cc b/test/common/tls/utility_test.cc similarity index 76% rename from test/extensions/transport_sockets/tls/utility_test.cc rename to test/common/tls/utility_test.cc index e2707bb40935..005ca1fe58ca 100644 --- a/test/extensions/transport_sockets/tls/utility_test.cc +++ b/test/common/tls/utility_test.cc 
@@ -3,11 +3,11 @@ #include #include "source/common/common/c_smart_ptr.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" -#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" -#include "test/extensions/transport_sockets/tls/test_data/long_validity_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h" +#include "test/common/tls/ssl_test_utility.h" +#include "test/common/tls/test_data/long_validity_cert_info.h" +#include "test/common/tls/test_data/san_dns_cert_info.h" #include "test/test_common/environment.h" #include "test/test_common/simulated_time_system.h" #include "test/test_common/utility.h" 
@@ -59,65 +59,65 @@ TEST(UtilityTest, TestDnsNameMatching) { } TEST(UtilityTest, TestGetSubjectAlternateNamesWithDNS) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_DNS); EXPECT_EQ(1, subject_alt_names.size()); } TEST(UtilityTest, TestMultipleGetSubjectAlternateNamesWithDNS) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_multiple_dns_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_DNS); EXPECT_EQ(2, subject_alt_names.size()); } TEST(UtilityTest, TestGetSubjectAlternateNamesWithUri) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_URI); EXPECT_EQ(1, subject_alt_names.size()); } TEST(UtilityTest, TestGetSubjectAlternateNamesWithEmail) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_EMAIL); EXPECT_EQ(1, subject_alt_names.size()); EXPECT_EQ("envoy@example.com", subject_alt_names.front()); } 
TEST(UtilityTest, TestGetSubjectAlternateNamesWithNoSAN) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); const auto& uri_subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_URI); EXPECT_EQ(0, uri_subject_alt_names.size()); } TEST(UtilityTest, TestGetSubject) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); EXPECT_EQ("CN=Test Server,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", Utility::getSubjectFromCertificate(*cert)); } TEST(UtilityTest, TestGetIssuer) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); EXPECT_EQ("CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", Utility::getIssuerFromCertificate(*cert)); } TEST(UtilityTest, TestGetSerialNumber) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); EXPECT_EQ(TEST_SAN_DNS_CERT_SERIAL, Utility::getSerialNumberFromCertificate(*cert)); } TEST(UtilityTest, TestDaysUntilExpiration) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir 
}}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); // Set a known date (2033-05-18 03:33:20 UTC) so that we get fixed output from this test. const time_t known_date_time = 2000000000; Event::SimulatedTimeSystem time_source; @@ -133,16 +133,16 @@ TEST(UtilityTest, TestDaysUntilExpirationWithNull) { } TEST(UtilityTest, TestValidFrom) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); const std::string formatted = TestUtility::formatTime(Utility::getValidFrom(*cert), "%b %e %H:%M:%S %Y GMT"); EXPECT_EQ(TEST_SAN_DNS_CERT_NOT_BEFORE, formatted); } TEST(UtilityTest, TestExpirationTime) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); const std::string formatted = TestUtility::formatTime(Utility::getExpirationTime(*cert), "%b %e %H:%M:%S %Y GMT"); EXPECT_EQ(TEST_SAN_DNS_CERT_NOT_AFTER, formatted); @@ -150,7 +150,7 @@ TEST(UtilityTest, TestExpirationTime) { TEST(UtilityTest, TestLongExpirationTime) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/long_validity_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/long_validity_cert.pem")); const std::string formatted = TestUtility::formatTime(Utility::getExpirationTime(*cert), "%b %e %H:%M:%S %Y GMT"); EXPECT_EQ(TEST_LONG_VALIDITY_CERT_NOT_AFTER, formatted); 
@@ -171,7 +171,7 @@ TEST(UtilityTest, GetLastCryptoError) { TEST(UtilityTest, TestGetCertificationExtensionValue) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem")); EXPECT_EQ("\xc\x9Something", Utility::getCertificateExtensionValue(*cert, "1.2.3.4.5.6.7.8")); EXPECT_EQ("\x30\x3\x1\x1\xFF", Utility::getCertificateExtensionValue(*cert, "1.2.3.4.5.6.7.9")); EXPECT_EQ("", Utility::getCertificateExtensionValue(*cert, "1.2.3.4.5.6.7.10")); @@ -198,8 +198,8 @@ TEST(UtilityTest, SslErrorDescriptionTest) { } TEST(UtilityTest, TestGetX509ErrorInfo) { - auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + auto cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); X509StoreContextPtr store_ctx = X509_STORE_CTX_new(); X509StorePtr ssl_ctx = X509_STORE_new(); EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 6301b964332a..ba3f67aad44f 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD 
@@ -381,13 +381,13 @@ envoy_cc_test( name = "hds_test", srcs = ["hds_test.cc"], deps = [ + "//source/common/tls:context_lib", "//source/common/upstream:health_discovery_service_lib", "//source/common/upstream:transport_socket_match_lib", "//source/extensions/health_checkers/grpc:health_checker_lib", "//source/extensions/health_checkers/http:health_checker_lib", "//source/extensions/health_checkers/tcp:health_checker_lib", "//source/extensions/transport_sockets/raw_buffer:config", - "//source/extensions/transport_sockets/tls:context_lib", "//test/mocks/access_log:access_log_mocks", "//test/mocks/event:event_mocks", "//test/mocks/grpc:grpc_mocks", @@ -521,7 +521,7 @@ envoy_cc_test( envoy_cc_test( name = "upstream_impl_test", srcs = ["upstream_impl_test.cc"], - data = ["//test/extensions/transport_sockets/tls/test_data:certs"], + data = ["//test/common/tls/test_data:certs"], deps = [ ":utility_lib", ":test_local_address_selector", @@ -607,10 +607,10 @@ envoy_cc_test_library( "//source/common/network:utility_lib", "//source/common/protobuf:utility_lib", "//source/common/stats:stats_lib", + "//source/common/tls:context_lib", "//source/common/upstream:cluster_factory_lib", "//source/common/upstream:cluster_manager_lib", "//source/extensions/transport_sockets/raw_buffer:config", - "//source/extensions/transport_sockets/tls:context_lib", "//test/common/stats:stat_test_utility_lib", "//test/integration/clusters:custom_static_cluster", "//test/mocks/access_log:access_log_mocks", diff --git a/test/common/upstream/hds_test.cc b/test/common/upstream/hds_test.cc index e6430bdc9cba..82acb9d72e8d 100644 --- a/test/common/upstream/hds_test.cc +++ b/test/common/upstream/hds_test.cc 
@@ -7,11 +7,11 @@ #include "source/common/protobuf/protobuf.h" #include "source/common/singleton/manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "source/common/upstream/health_discovery_service.h" #include "source/common/upstream/transport_socket_match_impl.h" #include "source/extensions/health_checkers/common/health_checker_base_impl.h" #include "source/extensions/transport_sockets/raw_buffer/config.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" #include "test/mocks/access_log/mocks.h" #include "test/mocks/event/mocks.h" diff --git a/test/common/upstream/test_cluster_manager.h b/test/common/upstream/test_cluster_manager.h index 71f8629430f5..eb110f9d672e 100644 --- a/test/common/upstream/test_cluster_manager.h +++ b/test/common/upstream/test_cluster_manager.h @@ -19,9 +19,9 @@ #include "source/common/network/utility.h" #include "source/common/protobuf/utility.h" #include "source/common/singleton/manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "source/common/upstream/cluster_factory_impl.h" #include "source/common/upstream/cluster_manager_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" #include "test/common/stats/stat_test_utility.h" #include "test/common/upstream/utility.h" diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index 1d13955a2ca8..eaf4416cb0f4 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc 
@@ -4865,12 +4865,12 @@ TEST_F(ClusterInfoImplTest, Http3) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -4946,12 +4946,12 @@ TEST_F(ClusterInfoImplTest, Http3WithHttp11WrappedSocket) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -5024,12 +5024,12 @@ TEST_F(ClusterInfoImplTest, Http3BadConfig) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -5073,12 +5073,12 @@ TEST_F(ClusterInfoImplTest, Http3Auto) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -5136,12 +5136,12 @@ TEST_F(ClusterInfoImplTest, UseDownstreamHttpProtocolWithoutDowngrade) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -5222,12 +5222,12 @@ TEST_F(ClusterInfoImplTest, Http2Auto) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -5320,12 +5320,12 @@ TEST_F(ClusterInfoImplTest, Http2AutoWithNonAlpnMatcher) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -5382,12 +5382,12 @@ TEST_F(ClusterInfoImplTest, Http2AutoWithNonAlpnMatcherAndValidationOff) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost diff --git a/test/extensions/access_loggers/grpc/BUILD b/test/extensions/access_loggers/grpc/BUILD index caffcbb34d23..c755d069980b 100644 --- a/test/extensions/access_loggers/grpc/BUILD +++ b/test/extensions/access_loggers/grpc/BUILD 
@@ -131,6 +131,8 @@ envoy_extension_cc_test( "//source/common/buffer:zero_copy_input_stream_lib", "//source/common/grpc:codec_lib", "//source/common/grpc:common_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/access_loggers/grpc:http_config", "//source/extensions/access_loggers/grpc:tcp_config", "//source/extensions/filters/listener/tls_inspector:config", @@ -138,8 +140,6 @@ envoy_extension_cc_test( "//source/extensions/filters/network/echo:config", "//source/extensions/filters/network/tcp_proxy:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/common/grpc:grpc_client_integration_lib", "//test/integration:http_integration_lib", "//test/test_common:utility_lib", diff --git a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc index 8c7c0de44c14..90d2e7acde2a 100644 --- a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc +++ b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc @@ -11,10 +11,10 @@ #include "source/common/buffer/zero_copy_input_stream_impl.h" #include "source/common/grpc/codec.h" #include "source/common/grpc/common.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/common/version/version.h" #include "source/extensions/filters/listener/tls_inspector/tls_inspector.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/integration/http_integration.h" 
diff --git a/test/extensions/clusters/dynamic_forward_proxy/BUILD b/test/extensions/clusters/dynamic_forward_proxy/BUILD index 1527806a0f0f..ea44e9c9c618 100644 --- a/test/extensions/clusters/dynamic_forward_proxy/BUILD +++ b/test/extensions/clusters/dynamic_forward_proxy/BUILD @@ -14,7 +14,7 @@ envoy_package() envoy_extension_cc_test( name = "cluster_test", srcs = ["cluster_test.cc"], - data = ["//test/extensions/transport_sockets/tls/test_data:certs"], + data = ["//test/common/tls/test_data:certs"], extension_names = ["envoy.filters.http.dynamic_forward_proxy"], deps = [ "//source/common/router:string_accessor_lib", diff --git a/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc b/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc index 2f38ff058105..233703771731 100644 --- a/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc +++ b/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc @@ -6,8 +6,8 @@ #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "source/common/http/http_server_properties_cache_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/http_integration.h" #include "test/integration/http_protocol_integration.h" diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc index 1193b7379c07..497ea0f582c4 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc 
@@ -3,8 +3,8 @@ #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h" #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/http_integration.h" #include "test/integration/ssl_utility.h" diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index a7b48eb4f768..b324ef1ac08f 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -24,6 +24,22 @@ namespace Envoy { using Headers = std::vector>; +struct GrpcInitializeConfigOpts { + bool disable_with_metadata = false; + bool failure_mode_allow = false; + uint64_t timeout_ms = 300'000; // 5 minutes. +}; + +struct WaitForSuccessfulUpstreamResponseOpts { + // Fields of type Headers must be set at initialization. + const Headers headers_to_add = {}; + const Headers headers_to_append = {}; + const Headers headers_to_remove = {}; + const Http::TestRequestHeaderMapImpl new_headers_from_upstream = {}; + const Http::TestRequestHeaderMapImpl headers_to_append_multiple = {}; + bool failure_mode_allowed_header = false; +}; + class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, public HttpIntegrationTest { public: 
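Review bot: The `const` data members of `WaitForSuccessfulUpstreamResponseOpts` in the `@@ -24,6 +24,22 @@` hunk delete the struct's copy- and move-assignment operators, which is why the comment has to warn that the Headers fields must be set at initialization; dropping the `const` would let callers build the options field-by-field the way `GrpcInitializeConfigOpts` is used elsewhere in this file, and nothing in the hunk relies on the members being immutable. Neither struct says what its knobs map to; I would add `// Options for ExtAuthzGrpcIntegrationTest::initializeConfig(); timeout_ms is applied to the ext_authz gRPC service timeout.` above the first and `// Expectations checked against the request that reaches the backend upstream after an ext_authz check.` above the second.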
@@ -35,9 +51,9 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, addFakeUpstream(Http::CodecType::HTTP2); } - void initializeConfig(bool disable_with_metadata = false, bool failure_mode_allow = false) { - config_helper_.addConfigModifier([this, disable_with_metadata, failure_mode_allow]( - envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + void initializeConfig(GrpcInitializeConfigOpts opts = {}) { + config_helper_.addConfigModifier([this, + opts](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* ext_authz_cluster = bootstrap.mutable_static_resources()->add_clusters(); ext_authz_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); ext_authz_cluster->set_name("ext_authz_cluster"); @@ -47,10 +63,14 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, setGrpcService(*proto_config_.mutable_grpc_service(), "ext_authz_cluster", fake_upstreams_.back()->localAddress()); + // Override timeout if needed. + *proto_config_.mutable_grpc_service()->mutable_timeout() = + Protobuf::util::TimeUtil::MillisecondsToDuration(opts.timeout_ms); + proto_config_.mutable_filter_enabled()->set_runtime_key("envoy.ext_authz.enable"); proto_config_.mutable_filter_enabled()->mutable_default_value()->set_numerator(100); proto_config_.set_bootstrap_metadata_labels_key("labels"); - if (disable_with_metadata) { + if (opts.disable_with_metadata) { // Disable the ext_authz filter with metadata matcher that never matches. auto* metadata = proto_config_.mutable_filter_enabled_metadata(); metadata->set_filter("xyz.abc"); 
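Review bot: The comment `// Override timeout if needed.` in the `@@ -47,10 +63,14 @@` hunk does not match the code below it, which assigns `opts.timeout_ms` to the gRPC service timeout unconditionally, so every test now runs with an explicit 5-minute timeout unless it sets `timeout_ms`. I would reword it to `// Always set the ext_authz gRPC timeout from opts (defaults to 5 minutes; the timeout tests lower it to 10 ms).` so a reader does not go looking for a condition. Capturing `opts` by value into the config modifier looks right, since the modifier presumably runs later from `HttpIntegrationTest::initialize()`. The enclosing method continues past this hunk.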
@@ -61,7 +81,8 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, proto_config_.mutable_deny_at_disable()->mutable_default_value()->set_value(false); proto_config_.set_transport_api_version(envoy::config::core::v3::ApiVersion::V3); - proto_config_.set_failure_mode_allow(failure_mode_allow); + proto_config_.set_failure_mode_allow(opts.failure_mode_allow); + proto_config_.set_failure_mode_allow_header_add(opts.failure_mode_allow); // Add labels and verify they are passed. std::map labels; @@ -196,13 +217,8 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, RELEASE_ASSERT(result, result.message()); } - void waitForSuccessfulUpstreamResponse( - const std::string& expected_response_code, const Headers& headers_to_add = Headers{}, - const Headers& headers_to_append = Headers{}, const Headers& headers_to_remove = Headers{}, - const Http::TestRequestHeaderMapImpl& new_headers_from_upstream = - Http::TestRequestHeaderMapImpl{}, - const Http::TestRequestHeaderMapImpl& headers_to_append_multiple = - Http::TestRequestHeaderMapImpl{}) { + void waitForSuccessfulUpstreamResponse(const std::string& expected_response_code, + WaitForSuccessfulUpstreamResponseOpts opts = {}) { AssertionResult result = fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_); RELEASE_ASSERT(result, result.message()); 
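Review bot: `proto_config_.set_failure_mode_allow_header_add(opts.failure_mode_allow)` in the `@@ -61,7 +81,8 @@` hunk ties the marker header to `failure_mode_allow`, so the fixture cannot cover the fail-open configuration that does not add `x-envoy-auth-failure-mode-allowed`, which is the configuration where the upstream has no way to tell authorized traffic from fail-open traffic. A separate `bool failure_mode_allow_header_add = true;` in `GrpcInitializeConfigOpts`, passed here instead of `opts.failure_mode_allow`, would keep the current tests unchanged and make the header-less case testable. In the `@@ -196,13 +217,8 @@` hunk, `waitForSuccessfulUpstreamResponse` now takes its options struct by value, which copies two `TestRequestHeaderMapImpl` and three `Headers` vectors per call; `const WaitForSuccessfulUpstreamResponseOpts& opts = {}` avoids that. Both enclosing methods extend outside their hunks.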
@@ -218,7 +234,12 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, false); upstream_request_->encodeData(response_size_, true); - for (const auto& header_to_add : headers_to_add) { + if (opts.failure_mode_allowed_header) { + EXPECT_THAT(upstream_request_->headers(), + Http::HeaderValueOf("x-envoy-auth-failure-mode-allowed", "true")); + } + + for (const auto& header_to_add : opts.headers_to_add) { EXPECT_THAT(upstream_request_->headers(), Http::HeaderValueOf(header_to_add.first, header_to_add.second)); // For headers_to_add (with append = false), the original request headers have no "-replaced" @@ -226,7 +247,7 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, EXPECT_TRUE(absl::EndsWith(header_to_add.second, "-replaced")); } - for (const auto& header_to_append : headers_to_append) { + for (const auto& header_to_append : opts.headers_to_append) { // The current behavior of appending is using the "appendCopy", which ALWAYS combines entries // with the same key into one key, and the values are separated by "," (regardless it is an // inline-header or not). In addition to that, it only applies to the existing headers (the 
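Review bot: The new `if (opts.failure_mode_allowed_header)` block only asserts the presence of `x-envoy-auth-failure-mode-allowed`, so a regression that added the header to requests the authz service actually approved would go unnoticed by every existing success-path test. Since that header is what lets the backend distinguish fail-open traffic from authorized traffic, I would add the negative check in the idiom the function already uses for removed headers: `} else {` / `EXPECT_TRUE(upstream_request_->headers().get(Http::LowerCaseString{"x-envoy-auth-failure-mode-allowed"}).empty());` / `}`. The enclosing method starts and ends outside this hunk.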
@@ -247,23 +268,23 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, EXPECT_EQ(2, values.size()); } - if (!new_headers_from_upstream.empty()) { + if (!opts.new_headers_from_upstream.empty()) { // new_headers_from_upstream has append = true. The current implementation ignores to set // multiple headers that are not present in the original request headers. In order to add // headers with the same key multiple times, setting response headers with append = false and // append = true is required. - EXPECT_THAT(new_headers_from_upstream, + EXPECT_THAT(opts.new_headers_from_upstream, Not(Http::IsSubsetOfHeaders(upstream_request_->headers()))); } - if (!headers_to_append_multiple.empty()) { + if (!opts.headers_to_append_multiple.empty()) { // headers_to_append_multiple has append = false for the first entry of multiple entries, and // append = true for the rest entries. EXPECT_THAT(upstream_request_->headers(), Http::HeaderValueOf("multiple", "multiple-first,multiple-second")); } - for (const auto& header_to_remove : headers_to_remove) { + for (const auto& header_to_remove : opts.headers_to_remove) { // The headers that were originally present in the request have now been removed. EXPECT_TRUE( upstream_request_->headers().get(Http::LowerCaseString{header_to_remove.first}).empty()); 
@@ -430,16 +451,20 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, sendExtAuthzResponse(updated_headers_to_add, updated_headers_to_append, headers_to_remove, new_headers_from_upstream, headers_to_append_multiple, Headers{}); - waitForSuccessfulUpstreamResponse("200", updated_headers_to_add, updated_headers_to_append, - headers_to_remove, new_headers_from_upstream, - headers_to_append_multiple); + WaitForSuccessfulUpstreamResponseOpts opts{ + updated_headers_to_add, updated_headers_to_append, headers_to_remove, + new_headers_from_upstream, headers_to_append_multiple, + }; + waitForSuccessfulUpstreamResponse("200", opts); cleanup(); } void expectFilterDisableCheck(bool deny_at_disable, bool disable_with_metadata, const std::string& expected_status) { - initializeConfig(disable_with_metadata); + GrpcInitializeConfigOpts opts; + opts.disable_with_metadata = disable_with_metadata; + initializeConfig(opts); setDenyAtDisableRuntimeConfig(deny_at_disable, disable_with_metadata); setDownstreamProtocol(Http::CodecType::HTTP2); HttpIntegrationTest::initialize(); @@ -550,7 +575,9 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, .get(Http::LowerCaseString(std::string("regex-fool")))[0] ->value() .getStringView()); + } + void sendExtAuthzResponse() { // Send back authorization response with "baz" and "bat" headers. // Also add multiple values "append-foo" and "append-bar" for key "x-append-bat". // Also tell Envoy to remove "remove-me" header before sending to upstream. 
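Review bot: The positional aggregate initialization `WaitForSuccessfulUpstreamResponseOpts opts{updated_headers_to_add, updated_headers_to_append, headers_to_remove, new_headers_from_upstream, headers_to_append_multiple,}` in the `@@ -430,16 +451,20 @@` hunk depends on the declaration order of a struct defined several hundred lines earlier, and three of the five arguments share the type `Headers`, so a future field reorder compiles silently with swapped expectations. If the build allows designated initializers, naming the fields (`.headers_to_add = updated_headers_to_add, ...`) removes that hazard; otherwise a one-line comment listing the fields in order is the minimum. The enclosing method starts outside this hunk.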
@@ -575,8 +602,9 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, cleanupUpstreamAndDownstream(); } - void initializeConfig(bool legacy_allowed_headers = true) { - config_helper_.addConfigModifier([this, legacy_allowed_headers]( + void initializeConfig(bool legacy_allowed_headers = true, bool failure_mode_allow = true, + uint64_t timeout_ms = 300) { + config_helper_.addConfigModifier([this, legacy_allowed_headers, failure_mode_allow, timeout_ms]( envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* ext_authz_cluster = bootstrap.mutable_static_resources()->add_clusters(); ext_authz_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); @@ -587,6 +615,11 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, } else { TestUtility::loadFromYaml(default_config_, proto_config_); } + proto_config_.set_failure_mode_allow(failure_mode_allow); + proto_config_.set_failure_mode_allow_header_add(failure_mode_allow); + proto_config_.mutable_http_service()->mutable_server_uri()->mutable_timeout()->CopyFrom( + Protobuf::util::TimeUtil::MillisecondsToDuration(timeout_ms)); + envoy::config::listener::v3::Filter ext_authz_filter; ext_authz_filter.set_name("envoy.filters.http.ext_authz"); ext_authz_filter.mutable_typed_config()->PackFrom(proto_config_); @@ -602,6 +635,7 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); AssertionResult result = fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_); @@ -663,7 +697,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, server_uri: uri: "ext_authz:9000" cluster: "ext_authz" - timeout: 300s authorization_request: allowed_headers: @@ -684,8 +717,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, patterns: - exact: bat - prefix: x-append - - failure_mode_allow: true )EOF"; const std::string default_config_ = R"EOF( transport_api_version: V3 
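Review bot: The new default `uint64_t timeout_ms = 300` on `ExtAuthzHttpIntegrationTest::initializeConfig` in the `@@ -575,8 +602,9 @@` hunk is 300 milliseconds, whereas the `timeout: 300s` it replaces (removed in the `@@ -663,7 +697,6 @@` hunk here and the `@@ -702,7 +733,6 @@` hunk on the next line) was 300 seconds, and the gRPC counterpart's `GrpcInitializeConfigOpts` keeps `300'000`. With `failure_mode_allow` still defaulting to true, a slow CI run where the fake ext_authz takes longer than 300 ms would fail open and then trip the header assertions rather than time out visibly, which reads as a flaky test instead of a timeout. Unless the 1000x reduction is intentional, `uint64_t timeout_ms = 300'000` preserves the previous behaviour; either way a comment stating the unit and the chosen default would help.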
@@ -702,7 +733,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, server_uri: uri: "ext_authz:9000" cluster: "ext_authz" - timeout: 300s authorization_response: allowed_upstream_headers: patterns: @@ -712,7 +742,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, patterns: - exact: bat - prefix: x-append - failure_mode_allow: true with_request_body: max_request_bytes: 1024 allow_partial_message: true 
@@ -871,9 +900,61 @@ TEST_P(ExtAuthzGrpcIntegrationTest, DownstreamHeadersOnSuccess) { cleanup(); } +TEST_P(ExtAuthzGrpcIntegrationTest, TimeoutFailClosed) { + GrpcInitializeConfigOpts opts; + opts.failure_mode_allow = false; + opts.timeout_ms = 10; + initializeConfig(opts); + + // Use h1, set up the test. + setDownstreamProtocol(Http::CodecType::HTTP1); + HttpIntegrationTest::initialize(); + + // Start a client connection and request. + initiateClientConnection(0); + + // Wait for the ext_authz request as a result of the client request. + waitForExtAuthzRequest(expectedCheckRequest(Http::CodecType::HTTP1)); + + // Do not sendExtAuthzResponse(). Envoy should reject the request after 1 second. + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_TRUE(response_->complete()); + EXPECT_EQ("403", response_->headers().getStatusValue()); // Unauthorized status. + + cleanup(); +} + +TEST_P(ExtAuthzGrpcIntegrationTest, TimeoutFailOpen) { + GrpcInitializeConfigOpts init_opts; + init_opts.failure_mode_allow = true; + init_opts.timeout_ms = 10; + initializeConfig(init_opts); + + // Use h1, set up the test. + setDownstreamProtocol(Http::CodecType::HTTP1); + HttpIntegrationTest::initialize(); + + // Start a client connection and request. + initiateClientConnection(0); + + // Wait for the ext_authz request as a result of the client request. + waitForExtAuthzRequest(expectedCheckRequest(Http::CodecType::HTTP1)); + + // Do not sendExtAuthzResponse(). Envoy should eventually proxy the request upstream as if the + // authz service approved the request. + WaitForSuccessfulUpstreamResponseOpts upstream_opts; + upstream_opts.failure_mode_allowed_header = true; + waitForSuccessfulUpstreamResponse("200", upstream_opts); + + cleanup(); +} + TEST_P(ExtAuthzGrpcIntegrationTest, FailureModeAllowNonUtf8) { // Set up ext_authz filter. 
- initializeConfig(false, true); + GrpcInitializeConfigOpts opts; + opts.disable_with_metadata = false; + opts.failure_mode_allow = true; + initializeConfig(opts); // Use h1, set up the test. setDownstreamProtocol(Http::CodecType::HTTP1); @@ -955,6 +1036,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, DEPRECATED_FEATURE_TEST(LegacyDirectReponse) HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); @@ -976,6 +1058,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, DEPRECATED_FEATURE_TEST(LegacyRedirectRespon HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); @@ -1043,6 +1126,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, DirectReponse) { HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); @@ -1064,6 +1148,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, RedirectResponse) { HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); 
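Review bot: The comment `// Do not sendExtAuthzResponse(). Envoy should reject the request after 1 second.` in the new tests of the `@@ -871,9 +900,61 @@` hunk is stale, because `opts.timeout_ms = 10` a few lines above configures a 10 ms timeout; the same comment recurs in the `@@ -1071,6 +1156,47 @@` hunk on the next line. Likewise `// Unauthorized status.` after `EXPECT_EQ("403", ...)` mislabels the code: 403 is Forbidden, and what the test is checking is the fail-closed denial. I would write `// Do not sendExtAuthzResponse(); the 10 ms timeout should make Envoy deny the request.` and `// Forbidden: fail-closed denies the request when the authz check times out.`.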
@@ -1071,6 +1156,47 @@ TEST_P(ExtAuthzHttpIntegrationTest, RedirectResponse) { EXPECT_EQ("http://host/redirect", response_->headers().getLocationValue()); } +TEST_P(ExtAuthzHttpIntegrationTest, TimeoutFailClosed) { + initializeConfig(false, /*failure_mode_allow=*/false, /*timeout_ms=*/10); + HttpIntegrationTest::initialize(); + initiateClientConnection(); + waitForExtAuthzRequest(); + + // Do not sendExtAuthzResponse(). Envoy should reject the request after 1 second. + ASSERT_TRUE(response_->waitForEndStream(Envoy::Seconds(10))); + EXPECT_TRUE(response_->complete()); + EXPECT_EQ("403", response_->headers().getStatusValue()); // Unauthorized status. + + cleanup(); +} + +TEST_P(ExtAuthzHttpIntegrationTest, TimeoutFailOpen) { + initializeConfig(false, /*failure_mode_allow=*/true, /*timeout_ms=*/10); + HttpIntegrationTest::initialize(); + initiateClientConnection(); + waitForExtAuthzRequest(); + + // Do not sendExtAuthzResponse(). Envoy should eventually proxy the request upstream as if the + // authz service approved the request. + AssertionResult result = + fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_); + RELEASE_ASSERT(result, result.message()); + result = fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_); + RELEASE_ASSERT(result, result.message()); + result = upstream_request_->waitForEndStream(*dispatcher_); + RELEASE_ASSERT(result, result.message()); + + EXPECT_THAT(upstream_request_->headers(), + Http::HeaderValueOf("x-envoy-auth-failure-mode-allowed", "true")); + + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_TRUE(response_->complete()); + EXPECT_EQ("200", response_->headers().getStatusValue()); + + cleanup(); +} + class ExtAuthzLocalReplyIntegrationTest : public HttpIntegrationTest, public TestWithParam { public: 
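Review bot: `TimeoutFailClosed` in the `@@ -1071,6 +1156,47 @@` hunk asserts only that the downstream sees a 403, not that nothing reached the backend; the property the test is named for is that a timed-out check must not forward the request, and a regression that both replied 403 and forwarded would pass as written (the gRPC variant on the previous line has the same gap). Consider asserting after the 403 that `fake_upstreams_[0]` never received a connection, for example by waiting for one with a short timeout and expecting that wait to fail, with a comment stating that fail-closed must not leak the request upstream. The HTTP variant also waits with `waitForEndStream(Envoy::Seconds(10))` while the gRPC variant uses the default; if the longer wait is needed for the 10 ms timeout to fire reliably under load, a one-line comment saying so would stop someone from removing it.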
diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc
index 02efb17e237b..a2f94aa7b692 100644
--- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc
+++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc
@@ -809,6 +809,165 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeaders) { verifyDownstreamResponse(*response, 200); } +TEST_P(ExtProcIntegrationTest, SetHostHeaderRoutingSucceeded) { + proto_config_.mutable_mutation_rules()->mutable_allow_all_routing()->set_value(true); + initializeConfig(); + std::string vhost_domain = "new_host"; + config_helper_.addConfigModifier([&vhost_domain](HttpConnectionManager& cm) { + // Set up vhost domain. + auto* vhost = cm.mutable_route_config()->mutable_virtual_hosts()->Mutable(0); + vhost->set_name("vhost"); + vhost->clear_domains(); + vhost->add_domains(vhost_domain); + }); + + HttpIntegrationTest::initialize(); + + auto response = sendDownstreamRequest(absl::nullopt); + processRequestHeadersMessage( + *grpc_upstreams_[0], true, + [&vhost_domain](const HttpHeaders& headers, HeadersResponse& headers_resp) { + Http::TestRequestHeaderMapImpl expected_request_headers{{":scheme", "http"}, + {":method", "GET"}, + {"host", "host"}, + {":path", "/"}, + {"x-forwarded-proto", "http"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_request_headers)); + + auto response_header_mutation = headers_resp.mutable_response()->mutable_header_mutation(); + + // Set host header to match the domain of virtual host in routing configuration. + auto* mut = response_header_mutation->add_set_headers(); + mut->mutable_header()->set_key(":authority"); + mut->mutable_header()->set_value(vhost_domain); + + // Clear the route cache to trigger the route re-pick. + headers_resp.mutable_response()->set_clear_route_cache(true); + return true; + }); + + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); + + // Host header is updated when `allow_all_routing` mutation rule is true. 
+ EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":authority", "new_host")); + + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); + upstream_request_->encodeData(100, true); + + processResponseHeadersMessage( + *grpc_upstreams_[0], false, [](const HttpHeaders& headers, HeadersResponse&) { + Http::TestRequestHeaderMapImpl expected_response_headers{{":status", "200"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_response_headers)); + return true; + }); + + verifyDownstreamResponse(*response, 200); +} + +TEST_P(ExtProcIntegrationTest, SetHostHeaderRoutingFailed) { + proto_config_.mutable_mutation_rules()->mutable_allow_all_routing()->set_value(true); + initializeConfig(); + // Set up the route config. + std::string vhost_domain = "new_host"; + config_helper_.addConfigModifier([&vhost_domain](HttpConnectionManager& cm) { + // Set up vhost domain. + auto* vhost = cm.mutable_route_config()->mutable_virtual_hosts()->Mutable(0); + vhost->set_name("vhost"); + vhost->clear_domains(); + vhost->add_domains(vhost_domain); + }); + + HttpIntegrationTest::initialize(); + + auto response = sendDownstreamRequest(absl::nullopt); + processRequestHeadersMessage( + *grpc_upstreams_[0], true, [](const HttpHeaders& headers, HeadersResponse& headers_resp) { + Http::TestRequestHeaderMapImpl expected_request_headers{{":scheme", "http"}, + {":method", "GET"}, + {"host", "host"}, + {":path", "/"}, + {"x-forwarded-proto", "http"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_request_headers)); + + auto response_header_mutation = headers_resp.mutable_response()->mutable_header_mutation(); + + // Set host header to the wrong value that doesn't match the domain of virtual host in route + // configuration. 
+ auto* mut1 = response_header_mutation->add_set_headers(); + mut1->mutable_header()->set_key(":authority"); + mut1->mutable_header()->set_value("wrong_host"); + + // Clear the route cache to trigger the route re-pick. + headers_resp.mutable_response()->set_clear_route_cache(true); + return true; + }); + + // The routing to upstream is expected to fail and 500 is returned to downstream client, since no + // route is found for mismatched vhost. + verifyDownstreamResponse(*response, 500); +} + +TEST_P(ExtProcIntegrationTest, GetAndSetPathHeader) { + initializeConfig(); + HttpIntegrationTest::initialize(); + + auto response = sendDownstreamRequest(absl::nullopt); + + processRequestHeadersMessage( + *grpc_upstreams_[0], true, [](const HttpHeaders& headers, HeadersResponse& headers_resp) { + Http::TestRequestHeaderMapImpl expected_request_headers{{":scheme", "http"}, + {":method", "GET"}, + {"host", "host"}, + {":path", "/"}, + {"x-forwarded-proto", "http"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_request_headers)); + + auto response_header_mutation = headers_resp.mutable_response()->mutable_header_mutation(); + auto* mut1 = response_header_mutation->add_set_headers(); + mut1->mutable_header()->set_key(":path"); + mut1->mutable_header()->set_value("/mutated_path/bluh"); + + auto* mut2 = response_header_mutation->add_set_headers(); + mut2->mutable_header()->set_key(":scheme"); + mut2->mutable_header()->set_value("https"); + + auto* mut3 = response_header_mutation->add_set_headers(); + mut3->mutable_header()->set_key(":authority"); + mut3->mutable_header()->set_value("new_host"); + + auto* mut4 = response_header_mutation->add_set_headers(); + mut4->mutable_header()->set_key(":method"); + mut4->mutable_header()->set_value("POST"); + return true; + }); + + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + 
ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); + + // Path header is updated. + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":path", "/mutated_path/bluh")); + // Routing headers are not updated by ext_proc when `allow_all_routing` mutation rule is false + // (default value). + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":scheme", "http")); + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":authority", "host")); + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":method", "GET")); + + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); + upstream_request_->encodeData(100, true); + + processResponseHeadersMessage( + *grpc_upstreams_[0], false, [](const HttpHeaders& headers, HeadersResponse&) { + Http::TestRequestHeaderMapImpl expected_response_headers{{":status", "200"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_response_headers)); + return true; + }); + + verifyDownstreamResponse(*response, 200); +} + TEST_P(ExtProcIntegrationTest, GetAndSetHeadersWithLogging) { ConfigOptions config_option = {}; config_option.add_logging_filter = true; diff --git a/test/extensions/filters/http/router/auto_sni_integration_test.cc b/test/extensions/filters/http/router/auto_sni_integration_test.cc index 405a8d8c2a77..fe495f34e340 100644 --- a/test/extensions/filters/http/router/auto_sni_integration_test.cc +++ b/test/extensions/filters/http/router/auto_sni_integration_test.cc @@ -5,8 +5,8 @@ #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "envoy/upstream/upstream.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/http_integration.h" 
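Review bot: In SetHostHeaderRoutingSucceeded and SetHostHeaderRoutingFailed the config modifier captures the local `vhost_domain` by reference (`[&vhost_domain](HttpConnectionManager& cm)`); `config_helper_.addConfigModifier` stores the callable, and as far as the visible lines show it only runs inside `HttpIntegrationTest::initialize()` in the same scope, so this works today but is a dangling-reference hazard if the modifier is ever replayed later. Capturing by value, `[vhost_domain](HttpConnectionManager& cm) {`, costs one short string copy and removes the hazard; the same applies to the request-headers callback in the first test. In GetAndSetPathHeader, the assertions that `:scheme`, `:authority` and `:method` stay unchanged are the security-relevant part of the test (routing headers are not mutable unless `allow_all_routing` is set); a one-line comment such as `// Routing-affecting pseudo headers must be rejected unless allow_all_routing is enabled.` above those three checks would keep a future refactor from dropping them.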
diff --git a/test/extensions/filters/listener/tls_inspector/BUILD b/test/extensions/filters/listener/tls_inspector/BUILD index 8c2ef09bdddf..a843e2a574f6 100644 --- a/test/extensions/filters/listener/tls_inspector/BUILD +++ b/test/extensions/filters/listener/tls_inspector/BUILD @@ -104,13 +104,13 @@ envoy_cc_test( "//source/common/event:dispatcher_includes", "//source/common/event:dispatcher_lib", "//source/common/network:utility_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/access_loggers/file:config", "//source/extensions/filters/listener/tls_inspector:config", "//source/extensions/filters/listener/tls_inspector:tls_inspector_lib", "//source/extensions/filters/network/echo:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/integration:integration_lib", "//test/mocks/runtime:runtime_mocks", "//test/mocks/secret:secret_mocks", diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc index ce4a9809b41b..78b57390d80d 100644 --- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc +++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc @@ -8,9 +8,9 @@ #include "source/common/config/api_version.h" #include "source/common/network/raw_buffer_socket.h" #include "source/common/network/utility.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/extensions/filters/listener/tls_inspector/tls_inspector.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "test/integration/integration.h" #include "test/integration/ssl_utility.h" 
diff --git a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc index ff177bd7720e..f801f805ab79 100644 --- a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc @@ -3,8 +3,8 @@ #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h" #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/http_integration.h" #include "test/integration/ssl_utility.h" diff --git a/test/extensions/filters/network/zookeeper_proxy/filter_test.cc b/test/extensions/filters/network/zookeeper_proxy/filter_test.cc index 823f1e43a721..4136112f463b 100644 --- a/test/extensions/filters/network/zookeeper_proxy/filter_test.cc +++ b/test/extensions/filters/network/zookeeper_proxy/filter_test.cc @@ -296,8 +296,13 @@ class ZooKeeperFilterTest : public testing::Test { const int32_t opcode = enumToSignedInt(OpCodes::Create)) const { Buffer::OwnedImpl buffer; + int32_t min_len = 24; + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + min_len = 32; + } + if (!txn) { - buffer.writeBEInt(24 + path.length() + data.length()); + buffer.writeBEInt(min_len + path.length() + data.length()); buffer.writeBEInt(xid); buffer.writeBEInt(opcode); } @@ -311,6 +316,11 @@ class ZooKeeperFilterTest : public testing::Test { // Flags. buffer.writeBEInt(create_flag_val); + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + // Ttl. + buffer.writeBEInt(3000); + } + return buffer; } 
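Review bot: The `min_len` computation (`int32_t min_len = 24; if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { min_len = 32; }`) is copy-pasted into three request builders in this file (this hunk and the `@@ -319` and `@@ -342` hunks), and the 24/32 values, like the 43 and 274 expectations in the later `@@ -586` and `@@ -1319` hunks, are not explained anywhere. A small private helper such as `static int32_t createRequestHeaderLength(int32_t opcode)` with the comment `// CreateTtl carries an additional 8-byte ttl after the flags.` would keep the three builders and the `rq_bytes` expectation in sync and make the arithmetic auditable. The `// Ttl.` comment next to `buffer.writeBEInt(3000)` would be more useful as `// Ttl (ms); must be written with the width the decoder reads, which the length bookkeeping above appears to assume is 8 bytes.` Each enclosing builder starts outside its hunk.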
@@ -319,8 +329,13 @@ class ZooKeeperFilterTest : public testing::Test { const int32_t opcode = enumToSignedInt(OpCodes::Create)) const { Buffer::OwnedImpl buffer; + int32_t min_len = 24; + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + min_len = 32; + } + if (!txn) { - buffer.writeBEInt(24 + path.length()); + buffer.writeBEInt(min_len + path.length()); buffer.writeBEInt(1000); buffer.writeBEInt(opcode); } @@ -334,6 +349,11 @@ class ZooKeeperFilterTest : public testing::Test { // Flags. buffer.writeBEInt(create_flag_val); + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + // Ttl. + buffer.writeBEInt(3000); + } + return buffer; } @@ -342,15 +362,20 @@ class ZooKeeperFilterTest : public testing::Test { const int32_t xid = 1000, const int32_t opcode = enumToSignedInt(OpCodes::Create)) const { Buffer::OwnedImpl buffer; + int32_t min_len = 24; + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + min_len = 32; + } + if (!txn) { - buffer.writeBEInt(24 + path.length() + data.length()); + buffer.writeBEInt(min_len + path.length() + data.length()); buffer.writeBEInt(xid); buffer.writeBEInt(opcode); } addString(buffer, path); addString(buffer, data); - // Deliberately not adding acls and flags to the buffer. + // Deliberately not adding acls, flags (and/or ttl) to the buffer. return buffer; } @@ -368,7 +393,8 @@ class ZooKeeperFilterTest : public testing::Test { addString(buffer, path); addString(buffer, data); - // Deliberately not adding acls and flags to the buffer and change the length accordingly. + // Deliberately not adding acls, flags (and/or ttl) to the buffer and change the length + // accordingly. return buffer; } 
@@ -586,14 +612,20 @@ class ZooKeeperFilterTest : public testing::Test { break; } + int32_t rq_bytes = 35; + if (opcode == OpCodes::CreateTtl) { + rq_bytes = 43; + } + expectSetDynamicMetadata( {{{"opname", opname}, {"path", "/foo"}, {"create_type", createFlagsToString(flag)}}, - {{"bytes", "35"}}}); + {{"bytes", std::to_string(rq_bytes)}}}); EXPECT_EQ(Envoy::Network::FilterStatus::Continue, filter_->onData(data, false)); EXPECT_EQ(1UL, store_.counter(absl::StrCat("test.zookeeper.", opname, "_rq")).value()); - EXPECT_EQ(35UL, config_->stats().request_bytes_.value()); - EXPECT_EQ(35UL, store_.counter(absl::StrCat("test.zookeeper.", opname, "_rq_bytes")).value()); + EXPECT_EQ(static_cast(rq_bytes), config_->stats().request_bytes_.value()); + EXPECT_EQ(static_cast(rq_bytes), + store_.counter(absl::StrCat("test.zookeeper.", opname, "_rq_bytes")).value()); EXPECT_EQ(0UL, config_->stats().decoder_error_.value()); EXPECT_EQ(0UL, store_.counter(absl::StrCat("test.zookeeper.", opname, "_decoder_error")).value()); @@ -1319,8 +1351,8 @@ TEST_F(ZooKeeperFilterTest, MultiRequest) { EXPECT_EQ(Envoy::Network::FilterStatus::Continue, filter_->onData(data, false)); EXPECT_EQ(1UL, config_->stats().multi_rq_.value()); - EXPECT_EQ(266UL, config_->stats().request_bytes_.value()); - EXPECT_EQ(266UL, config_->stats().multi_rq_bytes_.value()); + EXPECT_EQ(274UL, config_->stats().request_bytes_.value()); + EXPECT_EQ(274UL, config_->stats().multi_rq_bytes_.value()); EXPECT_EQ(1UL, config_->stats().create_rq_.value()); EXPECT_EQ(1UL, config_->stats().create2_rq_.value()); EXPECT_EQ(1UL, config_->stats().createcontainer_rq_.value()); diff --git a/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc b/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc index d9be99300106..815da8ab3230 100644 --- a/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc 
+++ b/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc @@ -6,7 +6,7 @@ #include "envoy/config/overload/v3/overload.pb.h" #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "test/config/integration/certs/clientcert_hash.h" #include "test/config/utility.h" diff --git a/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc b/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc index 84db740d5ebf..5858269fd9e4 100644 --- a/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc +++ b/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc @@ -1,6 +1,7 @@ #include #include "source/common/buffer/zero_copy_input_stream_impl.h" +#include "source/common/version/version.h" #include "source/extensions/tracers/opentelemetry/grpc_trace_exporter.h" #include "test/mocks/common.h" @@ -70,6 +71,11 @@ TEST_F(OpenTelemetryGrpcTraceExporterTest, CreateExporterAndExportSpan) { span.set_name("test"); *request.add_resource_spans()->add_scope_spans()->add_spans() = span; EXPECT_TRUE(exporter.log(request)); + + Http::TestRequestHeaderMapImpl metadata; + callbacks_->onCreateInitialMetadata(metadata); + EXPECT_EQ(metadata.getUserAgentValue(), + "OTel-OTLP-Exporter-Envoy/" + Envoy::VersionInfo::version()); } TEST_F(OpenTelemetryGrpcTraceExporterTest, NoExportWithHighWatermark) { diff --git a/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc b/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc index b6d5702c27e5..3674f4fec219 100644 --- a/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc +++ b/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc 
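Review bot: The expected user-agent in CreateExporterAndExportSpan is built from the literal `"OTel-OTLP-Exporter-Envoy/"` concatenated with `Envoy::VersionInfo::version()`, and the same literal is restated in http_trace_exporter_test.cc (the `@@ -78,6 +79,8` hunk that follows); if the exporter defines this prefix as a constant, both tests should reference it rather than repeat it, otherwise a drift between the gRPC and HTTP exporters would still pass each exporter's own test. Whether such a constant exists is not visible here. A short comment above the assertion, `// Both OTLP exporters identify themselves by user-agent; keep gRPC and HTTP in sync.`, would record why the check matters.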
@@ -1,6 +1,7 @@ #include #include "source/common/buffer/zero_copy_input_stream_impl.h" +#include "source/common/version/version.h" #include "source/extensions/tracers/opentelemetry/http_trace_exporter.h" #include "test/mocks/common.h" @@ -78,6 +79,8 @@ TEST_F(OpenTelemetryHttpTraceExporterTest, CreateExporterAndExportSpan) { callback = &callbacks; EXPECT_EQ(Http::Headers::get().MethodValues.Post, message->headers().getMethodValue()); + EXPECT_EQ(message->headers().getUserAgentValue(), + "OTel-OTLP-Exporter-Envoy/" + Envoy::VersionInfo::version()); EXPECT_EQ(Http::Headers::get().ContentTypeValues.Protobuf, message->headers().getContentTypeValue()); diff --git a/test/extensions/tracers/zipkin/tracer_test.cc b/test/extensions/tracers/zipkin/tracer_test.cc index 3446992ea2f8..4a374e571a09 100644 --- a/test/extensions/tracers/zipkin/tracer_test.cc +++ b/test/extensions/tracers/zipkin/tracer_test.cc @@ -45,7 +45,7 @@ TEST_F(ZipkinTracerTest, SpanCreation) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); NiceMock config; @@ -229,6 +229,7 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; + // Set 'split_spans_for_request' to true. Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, true); SystemTime timestamp = time_system_.systemTime(); 
@@ -360,11 +361,147 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { EXPECT_FALSE(server_side_shared_context_span->isSetDuration()); } +TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxyByTracingConfig) { + Network::Address::InstanceConstSharedPtr addr = + Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); + NiceMock random_generator; + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); + SystemTime timestamp = time_system_.systemTime(); + + NiceMock config; + ON_CALL(config, spawnUpstreamSpan()).WillByDefault(Return(true)); + + // ============== + // Test the creation of a root span. If the independent proxy is set to true, the + // downstream span will be server span. + // ============== + ON_CALL(random_generator, random()).WillByDefault(Return(1000)); + time_system_.advanceTimeWait(std::chrono::milliseconds(1)); + SpanPtr root_span = tracer.startSpan(config, "my_span", timestamp); + + EXPECT_EQ("my_span", root_span->name()); + EXPECT_NE(0LL, root_span->startTime()); + EXPECT_NE(0ULL, root_span->traceId()); // trace id must be set + EXPECT_FALSE(root_span->isSetTraceIdHigh()); // by default, should be using 64 bit trace id + EXPECT_EQ(root_span->traceId(), root_span->id()); // span id and trace id must be the same + EXPECT_FALSE(root_span->isSetParentId()); // no parent set + // span's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + root_span->timestamp()); + + // A SR annotation must have been added + EXPECT_EQ(1ULL, root_span->annotations().size()); + Annotation ann = root_span->annotations()[0]; + EXPECT_EQ(SERVER_RECV, ann.value()); + // annotation's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + ann.timestamp()); + EXPECT_TRUE(ann.isSetEndpoint()); + Endpoint endpoint = ann.endpoint(); + EXPECT_EQ("my_service_name", endpoint.serviceName()); + + // The tracer must have been 
properly set + EXPECT_EQ(dynamic_cast(&tracer), root_span->tracer()); + + // Duration is not set at span-creation time + EXPECT_FALSE(root_span->isSetDuration()); + + // ============== + // Test the creation of a upstream span. If the independent proxy is set to true, + // the upstream span will be client span. + // ============== + + ON_CALL(random_generator, random()).WillByDefault(Return(2000)); + SpanContext root_span_context(*root_span); + SpanPtr child_span = tracer.startSpan(config, "my_child_span", timestamp, root_span_context); + + EXPECT_EQ("my_child_span", child_span->name()); + EXPECT_NE(0LL, child_span->startTime()); + + // trace id must be retained + EXPECT_NE(0ULL, child_span->traceId()); + EXPECT_EQ(root_span_context.traceId(), child_span->traceId()); + + // span id and trace id must NOT be the same + EXPECT_NE(child_span->traceId(), child_span->id()); + + // parent should be the previous span + EXPECT_TRUE(child_span->isSetParentId()); + EXPECT_EQ(root_span_context.id(), child_span->parentId()); + + // span's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + child_span->timestamp()); + + // A CS annotation must have been added + EXPECT_EQ(1ULL, child_span->annotations().size()); + ann = child_span->annotations()[0]; + EXPECT_EQ(CLIENT_SEND, ann.value()); + // Annotation's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + ann.timestamp()); + EXPECT_TRUE(ann.isSetEndpoint()); + endpoint = ann.endpoint(); + EXPECT_EQ("my_service_name", endpoint.serviceName()); + + // The tracer must have been properly set + EXPECT_EQ(dynamic_cast(&tracer), child_span->tracer()); + + // Duration is not set at span-creation time + EXPECT_FALSE(child_span->isSetDuration()); + + // ============== + // Test the downstream span with parent context and the shared context is enabled. 
If the + // independent proxy is set to true, the downstream span will be server span. + // ============== + SpanContext child_span_context(*child_span, false); + SpanPtr server_side_shared_context_span = + tracer.startSpan(config, "my_span", timestamp, child_span_context); + + EXPECT_NE(0LL, server_side_shared_context_span->startTime()); + + EXPECT_EQ("my_span", server_side_shared_context_span->name()); + + // trace id must be the same in the CS and SR sides + EXPECT_EQ(child_span_context.traceId(), server_side_shared_context_span->traceId()); + + // span id must be the same in the CS and SR sides + EXPECT_EQ(child_span_context.id(), server_side_shared_context_span->id()); + + // The parent should be the same as in the CS side. + EXPECT_TRUE(server_side_shared_context_span->isSetParentId()); + + // span timestamp should not be set (it was set in the CS side) + EXPECT_FALSE(server_side_shared_context_span->isSetTimestamp()); + + // An SR annotation must have been added + EXPECT_EQ(1ULL, server_side_shared_context_span->annotations().size()); + ann = server_side_shared_context_span->annotations()[0]; + EXPECT_EQ(SERVER_RECV, ann.value()); + // annotation's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + ann.timestamp()); + EXPECT_TRUE(ann.isSetEndpoint()); + endpoint = ann.endpoint(); + EXPECT_EQ("my_service_name", endpoint.serviceName()); + + // The tracer must have been properly set + EXPECT_EQ(dynamic_cast(&tracer), server_side_shared_context_span->tracer()); + + // Duration is not set at span-creation time + EXPECT_FALSE(server_side_shared_context_span->isSetDuration()); +} + TEST_F(ZipkinTracerTest, FinishSpan) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, 
false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); // ============== @@ -447,7 +584,7 @@ TEST_F(ZipkinTracerTest, FinishNotSampledSpan) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); // ============== @@ -475,7 +612,7 @@ TEST_F(ZipkinTracerTest, SpanSampledPropagatedToChild) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); NiceMock config; @@ -503,7 +640,7 @@ TEST_F(ZipkinTracerTest, RootSpan128bitTraceId) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, true, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, true, true, time_system_); SystemTime timestamp = time_system_.systemTime(); NiceMock config; @@ -560,8 +697,8 @@ TEST_F(ZipkinTracerTest, NotSharedSpanContext) { NiceMock random_generator; const bool shared_span_context = false; - Tracer tracer("my_service_name", addr, random_generator, false, shared_span_context, time_system_, - false); + Tracer tracer("my_service_name", addr, random_generator, false, shared_span_context, + time_system_); const SystemTime timestamp = time_system_.systemTime(); NiceMock config; 
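Review bot: SpanCreationWithIndependentProxyByTracingConfig repeats the body of SpanCreationWithIndependentProxy almost line for line, differing only in how the split is enabled (`ON_CALL(config, spawnUpstreamSpan()).WillByDefault(Return(true))` instead of the constructor's last argument); the section comments were copied too and still read "If the independent proxy is set to true", which no longer names the mechanism under test. Suggest `// Test the creation of a root span. When spawnUpstreamSpan() is true, the downstream span is a server span.` with matching edits for the upstream and shared-context sections, or better, a helper taking the tracer and config that runs the three-span checks once for both tests so the two paths cannot drift. The constructor-argument removals in the remaining hunks of this file are mechanical and need no further comment.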
diff --git a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc index dee7ca351132..f3efba23db8d 100644 --- a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc +++ b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc @@ -2,10 +2,10 @@ #include "envoy/server/filter_config.h" #include "source/common/network/connection_impl.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/extensions/filters/network/common/factory_base.h" #include "source/extensions/transport_sockets/starttls/starttls_socket.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "test/config/utility.h" #include "test/extensions/transport_sockets/starttls/starttls_integration_test.pb.h" diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD index 470fae0034f0..9f9644768aee 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD @@ -18,13 +18,13 @@ envoy_extension_cc_test( "spiffe_validator_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], extension_names = ["envoy.tls.cert_validator.spiffe"], deps = [ "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config", - "//test/extensions/transport_sockets/tls:ssl_test_utils", - "//test/extensions/transport_sockets/tls/cert_validator:test_common", + "//test/common/tls:ssl_test_utils", + "//test/common/tls/cert_validator:test_common", "//test/test_common:environment_lib", "//test/test_common:simulated_time_system_lib", "//test/test_common:test_runtime_lib", 
@@ -42,8 +42,8 @@ envoy_extension_cc_test( size = "large", srcs = ["spiffe_validator_integration_test.cc"], data = [ + "//test/common/tls/test_data:certs", "//test/config/integration/certs", - "//test/extensions/transport_sockets/tls/test_data:certs", ], extension_names = ["envoy.tls.cert_validator.spiffe"], # Broken until bazel 5.0.0 fix to shorten resulting paths for SymInitialize() failure diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc index e289c8bd418e..1806d0985ed1 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc @@ -2,7 +2,7 @@ #include -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/integration/integration.h" @@ -114,7 +114,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"), *typed_conf); custom_validator_config_ = typed_conf; @@ -200,7 +200,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"), *typed_conf); custom_validator_config_ = typed_conf; 
@@ -257,7 +257,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" - name: example.com trust_bundle: filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc index c6a06acab352..51cc1ad97016 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc @@ -8,11 +8,11 @@ #include "source/common/common/c_smart_ptr.h" #include "source/common/event/real_time_system.h" +#include "source/common/tls/stats.h" #include "source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h" -#include "source/extensions/transport_sockets/tls/stats.h" -#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h" -#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" +#include "test/common/tls/cert_validator/test_common.h" +#include "test/common/tls/ssl_test_utility.h" #include "test/test_common/environment.h" #include "test/test_common/simulated_time_system.h" #include "test/test_common/test_runtime.h" 
@@ -122,10 +122,10 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: hello.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem" - name: hello.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem" )EOF")), EnvoyException, "Multiple trust bundles are given for one trust domain for hello.com"); @@ -138,7 +138,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: hello.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem" )EOF")); EXPECT_EQ(1, validator().trustBundleStores().size()); @@ -153,10 +153,10 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: hello.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" - name: k8s-west.example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/keyusage_crl_sign_cert.pem" )EOF")); EXPECT_EQ(2, validator().trustBundleStores().size()); 
@@ -177,25 +177,25 @@ TEST(SPIFFEValidator, TestExtractTrustDomain) { TEST(SPIFFEValidator, TestCertificatePrecheck) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints: CA:True, - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get())); cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints CA:False, keyUsage has keyCertSign "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem")); + "}}/test/common/tls/test_data/keyusage_cert_sign_cert.pem")); EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get())); cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints CA:False, keyUsage has cRLSign "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem")); + "}}/test/common/tls/test_data/keyusage_crl_sign_cert.pem")); EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get())); cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints CA:False, keyUsage does not have keyCertSign and cRLSign // should be considered valid (i.e. return 1). - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem")); EXPECT_TRUE(SPIFFEValidator::certificatePrecheck(cert.get())); } 
@@ -210,18 +210,18 @@ TEST_F(TestSPIFFEValidator, TestGetTrustBundleStore) { // No SAN auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem")); EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); // Non-SPIFFE SAN - cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem")); + cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/non_spiffe_san_cert.pem")); EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); // SPIFFE SAN cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem")); // Trust bundle not provided. EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); @@ -248,7 +248,7 @@ TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainPrecheckFailure) { initialize(); bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints: CA:True - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); TestSslExtendedSocketInfo info; SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method()); bssl::UniquePtr cert_chain(sk_X509_new_null()); @@ -269,7 +269,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF")); X509StorePtr store = X509_STORE_new(); 
@@ -278,7 +278,7 @@ name: envoy.tls.cert_validator.spiffe { // Trust domain matches so should be accepted. auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Successful, @@ -291,7 +291,7 @@ name: envoy.tls.cert_validator.spiffe { // Different trust domain so should be rejected. auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Failed, @@ -303,7 +303,7 @@ name: envoy.tls.cert_validator.spiffe { // Does not have san. auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Failed, @@ -324,10 +324,10 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF")); X509StorePtr store = X509_STORE_new(); 
@@ -337,7 +337,7 @@ name: envoy.tls.cert_validator.spiffe { // Trust domain matches so should be accepted. auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Successful, @@ -349,7 +349,7 @@ name: envoy.tls.cert_validator.spiffe { auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Successful, @@ -361,9 +361,9 @@ name: envoy.tls.cert_validator.spiffe { // Trust domain matches but it has expired. - auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem")); + auto cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/expired_spiffe_san_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Failed, @@ -376,7 +376,7 @@ name: envoy.tls.cert_validator.spiffe { // Does not have san. auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Failed, 
@@ -398,7 +398,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF")); X509StorePtr store = X509_STORE_new(); @@ -406,9 +406,9 @@ name: envoy.tls.cert_validator.spiffe TestSslExtendedSocketInfo info; // Trust domain matches and it has expired but allow_expired_certificate is true, so this // should be accepted. - auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem")); + auto cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/expired_spiffe_san_cert.pem")); bssl::UniquePtr cert_chain(sk_X509_new_null()); sk_X509_push(cert_chain.get(), cert.release()); EXPECT_EQ(ValidationResults::ValidationStatus::Successful, @@ -428,14 +428,14 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"); X509StorePtr store = X509_STORE_new(); SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method()); // URI SAN = spiffe://lyft.com/test-team - auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + auto cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); X509StoreContextPtr store_ctx = X509_STORE_CTX_new(); EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), store.get(), cert.get(), nullptr)); bssl::UniquePtr cert_chain(sk_X509_new_null()); 
@@ -476,17 +476,17 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF")); TestSslExtendedSocketInfo info; // Chain contains workload, intermediate, and ca cert, so it should be accepted. - auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/" - "spiffe_san_signed_by_intermediate_cert.pem")); - auto intermediate_ca_cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/" - "intermediate_ca_cert.pem")); + auto cert = + readCertFromFile(TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/" + "spiffe_san_signed_by_intermediate_cert.pem")); + auto intermediate_ca_cert = + readCertFromFile(TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/" + "intermediate_ca_cert.pem")); SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method()); bssl::UniquePtr cert_chain(sk_X509_new_null()); @@ -523,7 +523,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF")); { @@ -566,7 +566,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF")); { 
@@ -599,10 +599,10 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem" - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF")); auto actual = validator().getCaCertInformation(); @@ -623,10 +623,10 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem" - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert.pem" )EOF"), time_system); EXPECT_EQ(19956, validator().daysUntilFirstCertExpires().value()); @@ -647,7 +647,7 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem" )EOF"), time_system); 
@@ -663,13 +663,13 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem" - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" - name: foo.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"), time_system); @@ -706,10 +706,10 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem" - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"), time_system); uint8_t hash_buffer[EVP_MAX_MD_SIZE]; diff --git a/test/integration/BUILD b/test/integration/BUILD index b29e7d22c976..2f8c863a06fa 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -356,6 +356,7 @@ envoy_cc_test_binary( "//source/extensions/load_balancing_policies/random:config", "//source/extensions/load_balancing_policies/ring_hash:config", "//source/extensions/load_balancing_policies/round_robin:config", + "//source/extensions/transport_sockets/tls:config", ], ) 
@@ -937,9 +938,9 @@ envoy_cc_test_library( "//envoy/event:timer_interface", "//source/common/common:thread_annotations", "//source/common/network:socket_option_lib", + "//source/common/tls:context_lib", "//source/extensions/filters/http/router:config", "//source/extensions/filters/network/http_connection_manager:config", - "//source/extensions/transport_sockets/tls:context_lib", "//test/common/http/http2:http2_frame", "//test/common/upstream:utility_lib", "//test/integration/filters:add_body_filter_config_lib", @@ -1112,6 +1113,9 @@ envoy_cc_test_library( ":utility_lib", "//source/common/common:thread_lib", "//source/common/config:api_version_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//source/common/tls:ssl_socket_lib", "//source/extensions/clusters/eds:eds_lib", "//source/extensions/clusters/static:static_cluster_lib", "//source/extensions/config_subscription/grpc:grpc_collection_subscription_lib", @@ -1123,9 +1127,6 @@ envoy_cc_test_library( "//source/extensions/load_balancing_policies/round_robin:config", "//source/extensions/network/dns_resolver/cares:config", "//source/extensions/request_id/uuid:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", "//source/server:process_context_lib", "//source/server:proto_descriptors_lib", "//test/common/grpc:grpc_client_integration_lib", @@ -1200,8 +1201,8 @@ envoy_cc_test_library( "//source/common/stats:allocator_lib", "//source/common/stats:isolated_store_lib", "//source/common/thread_local:thread_local_lib", + "//source/common/tls:context_lib", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_lib", "//source/server:drain_manager_lib", "//source/server:hot_restart_nop_lib", "//source/server:listener_hooks_lib", 
@@ -1645,9 +1646,9 @@ envoy_cc_test( "//source/common/event:dispatcher_lib", "//source/common/network:connection_lib", "//source/common/network:utility_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/mocks/secret:secret_mocks", "//test/test_common:utility_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", @@ -1681,12 +1682,12 @@ envoy_cc_test( "//source/common/event:dispatcher_lib", "//source/common/network:connection_lib", "//source/common/network:utility_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/common/grpc:grpc_client_integration_lib", + "//test/common/tls:test_private_key_method_provider_test_lib", "//test/config/integration/certs:certs_info", - "//test/extensions/transport_sockets/tls:test_private_key_method_provider_test_lib", "//test/mocks/runtime:runtime_mocks", "//test/mocks/secret:secret_mocks", "//test/test_common:resources_lib", 
@@ -1751,13 +1752,13 @@ envoy_cc_test( "//source/common/event:dispatcher_includes", "//source/common/event:dispatcher_lib", "//source/common/network:utility_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/access_loggers/file:config", "//source/extensions/filters/network/common:factory_base_lib", "//source/extensions/filters/network/tcp_proxy:config", "//source/extensions/load_balancing_policies/subset:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/mocks/runtime:runtime_mocks", "//test/mocks/secret:secret_mocks", "//test/test_common:registry_lib", @@ -1786,13 +1787,13 @@ envoy_cc_test( "//source/common/event:dispatcher_includes", "//source/common/event:dispatcher_lib", "//source/common/network:utility_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/access_loggers/file:config", "//source/extensions/filters/network/common:factory_base_lib", "//source/extensions/filters/network/tcp_proxy:config", "//source/extensions/load_balancing_policies/subset:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/mocks/runtime:runtime_mocks", "//test/mocks/secret:secret_mocks", "//test/test_common:registry_lib", 
@@ -1975,11 +1976,11 @@ envoy_cc_test( deps = [ ":http_integration_lib", ":http_protocol_integration_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/filters/network/tcp_proxy:config", "//source/extensions/matching/network/application_protocol:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/common/grpc:grpc_client_integration_lib", "//test/integration/filters:test_listener_filter_lib", "//test/test_common:environment_lib", @@ -2400,7 +2401,7 @@ envoy_cc_test( deps = envoy_select_enable_http3([ "//source/extensions/quic/server_preferred_address:fixed_server_preferred_address_config_factory_config", "//test/common/config:dummy_config_proto_cc_proto", - "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator", + "//test/common/tls/cert_validator:timed_cert_validator", ":http_integration_lib", ":socket_interface_swap_lib", "//source/common/quic:client_connection_factory_lib", diff --git a/test/integration/alpn_selection_integration_test.cc b/test/integration/alpn_selection_integration_test.cc index b1b081cb7265..ed4bdef8ee0d 100644 --- a/test/integration/alpn_selection_integration_test.cc +++ b/test/integration/alpn_selection_integration_test.cc @@ -3,9 +3,9 @@ #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "source/common/http/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/http_integration.h" 
diff --git a/test/integration/base_integration_test.cc b/test/integration/base_integration_test.cc index 23b216c0d2a6..13295850af25 100644 --- a/test/integration/base_integration_test.cc +++ b/test/integration/base_integration_test.cc @@ -18,8 +18,8 @@ #include "source/common/common/assert.h" #include "source/common/event/libevent.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/server/proto_descriptors.h" #include "test/integration/utility.h" @@ -74,6 +74,7 @@ BaseIntegrationTest::BaseIntegrationTest(const InstanceConstSharedPtrFn& upstrea })); ON_CALL(factory_context_.server_context_, api()).WillByDefault(ReturnRef(*api_)); ON_CALL(factory_context_, statsScope()).WillByDefault(ReturnRef(*stats_store_.rootScope())); + ON_CALL(factory_context_, sslContextManager()).WillByDefault(ReturnRef(context_manager_)); ON_CALL(factory_context_.server_context_, threadLocal()).WillByDefault(ReturnRef(thread_local_)); #ifndef ENVOY_ADMIN_FUNCTIONALITY diff --git a/test/integration/base_integration_test.h b/test/integration/base_integration_test.h index 33f1a755567d..1f1df3f7c765 100644 --- a/test/integration/base_integration_test.h +++ b/test/integration/base_integration_test.h @@ -9,7 +9,7 @@ #include "envoy/server/process_context.h" #include "envoy/service/discovery/v3/discovery.pb.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/config/utility.h" diff --git a/test/integration/http_integration.cc b/test/integration/http_integration.cc index e639caa7eeca..c25103ffabb0 100644 --- a/test/integration/http_integration.cc +++ b/test/integration/http_integration.cc 
@@ -32,9 +32,9 @@ #include "source/common/quic/quic_client_transport_socket_factory.h" #endif -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/common/upstream/utility.h" #include "test/integration/autonomous_upstream.h" diff --git a/test/integration/integration_test.cc b/test/integration/integration_test.cc index c25269f59eda..56f3196f385b 100644 --- a/test/integration/integration_test.cc +++ b/test/integration/integration_test.cc @@ -1077,6 +1077,24 @@ TEST_P(IntegrationTest, MissingDelimiter) { EXPECT_THAT(log, Not(HasSubstr("DC"))); } +TEST_P(IntegrationTest, ConnectionTermination) { + useAccessLog("%RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS%"); + initialize(); + std::string response; + auto tcp_client = makeTcpConnection(lookupPort("http")); + ASSERT_TRUE(tcp_client->write("GET / HTTP/1.1\r\nHost: host\r\n\r\n")); + + FakeRawConnectionPtr fake_upstream_connection; + ASSERT_TRUE(fake_upstreams_[0]->waitForRawConnection(fake_upstream_connection)); + std::string data; + ASSERT_TRUE(fake_upstream_connection->waitForData( + FakeRawConnection::waitForInexactMatch("\r\n\r\n"), &data)); + tcp_client->close(); + std::string log = waitForAccessLog(access_log_name_); + EXPECT_THAT(log, HasSubstr("DC")); + EXPECT_THAT(log, HasSubstr("downstream_remote_disconnect")); +} + TEST_P(IntegrationTest, InvalidCharacterInFirstline) { initialize(); std::string response; diff --git a/test/integration/python/hotrestart_handoff_test.py b/test/integration/python/hotrestart_handoff_test.py index 7d975bd7dda7..dcbbb5a8ba1e 100644 --- a/test/integration/python/hotrestart_handoff_test.py +++ b/test/integration/python/hotrestart_handoff_test.py 
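Review bot: `std::string response;` in the new ConnectionTermination test is declared but never read — the test captures the upstream bytes in `data` and the access-log line in `log` — so it looks carried over from the neighbouring tests and should be dropped. A one-line comment stating the intent would also help a reader who does not know the response-flag vocabulary, e.g. `// A downstream close while the request is still pending upstream must be logged as DC with downstream_remote_disconnect.` If the proxy is expected to tear down the upstream side as well, consider adding `ASSERT_TRUE(fake_upstream_connection->waitForDisconnect());` before reading the log so that behaviour is pinned too; skip that if HTTP/1 pool reuse is expected to keep the connection open.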
@@ -304,7 +304,7 @@ async def _wait_for_envoy_epoch(i: int): pass await asyncio.sleep(0.2) # Envoy instance with expected restart_epoch should have started up - assert expected_substring in response, f"server_info={response}" + assert expected_substring in response, f"expected_substring={expected_substring}, server_info={response}" class IntegrationTest(unittest.IsolatedAsyncioTestCase): diff --git a/test/integration/quic_http_integration_test.cc b/test/integration/quic_http_integration_test.cc index 80c5c117e4bb..af3420839050 100644 --- a/test/integration/quic_http_integration_test.cc +++ b/test/integration/quic_http_integration_test.cc @@ -20,14 +20,14 @@ #include "source/common/quic/envoy_quic_proof_verifier.h" #include "source/common/quic/envoy_quic_utils.h" #include "source/common/quic/quic_client_transport_socket_factory.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "test/common/config/dummy_config.pb.h" #include "test/common/quic/test_utils.h" +#include "test/common/tls/cert_validator/timed_cert_validator.h" #include "test/common/upstream/utility.h" #include "test/config/integration/certs/clientcert_hash.h" #include "test/config/utility.h" -#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h" #include "test/integration/filters/test_listener_filter.h" #include "test/integration/filters/test_listener_filter.pb.h" #include "test/integration/http_integration.h" @@ -746,6 +746,12 @@ TEST_P(QuicHttpIntegrationTest, EarlyDataDisabled) { codec_client_->close(); } +TEST_P(QuicHttpIntegrationTest, LegacyCertLoadingAndSelection) { + config_helper_.addRuntimeOverride("envoy.restart_features.quic_handle_certs_with_shared_tls_code", + "false"); + testMultipleQuicConnections(); +} + // Not only test multiple quic connections, but disconnect and reconnect to // trigger resumption. TEST_P(QuicHttpIntegrationTest, MultipleUpstreamQuicConnections) { 
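Review bot: The new LegacyCertLoadingAndSelection test carries no comment explaining why `envoy.restart_features.quic_handle_certs_with_shared_tls_code` is forced to "false", so a reader cannot tell whether it exercises a deprecated path or works around a bug. It appears to re-run the same `testMultipleQuicConnections()` scenario (defined outside this hunk) through the pre-shared-TLS QUIC certificate loading and selection code, so a header comment along the lines of `// Runs the multi-connection scenario with the legacy QUIC cert loading/selection path still reachable behind the restart feature; remove together with the flag.` would document both its purpose and its lifetime. Since certificate selection is security-relevant, it is also worth stating in that comment that both code paths are expected to select the same certificate, if that is the intent.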
diff --git a/test/integration/sds_dynamic_integration_test.cc b/test/integration/sds_dynamic_integration_test.cc index 92929dbf74bf..c3b8cb52fb89 100644 --- a/test/integration/sds_dynamic_integration_test.cc +++ b/test/integration/sds_dynamic_integration_test.cc @@ -19,15 +19,15 @@ #include "source/common/quic/client_connection_factory_impl.h" #endif -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/config/integration/certs/clientcert_hash.h" #include "test/config/integration/certs/servercert_info.h" #include "test/config/integration/certs/server2cert_info.h" -#include "test/extensions/transport_sockets/tls/test_private_key_method_provider.h" +#include "test/common/tls/test_private_key_method_provider.h" #include "test/integration/http_integration.h" #include "test/integration/server.h" #include "test/integration/ssl_utility.h" diff --git a/test/integration/sds_static_integration_test.cc b/test/integration/sds_static_integration_test.cc index 8fa8418e5a42..49d42c1eb6c2 100644 --- a/test/integration/sds_static_integration_test.cc +++ b/test/integration/sds_static_integration_test.cc @@ -9,8 +9,8 @@ #include "source/common/event/dispatcher_impl.h" #include "source/common/network/connection_impl.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/config/integration/certs/clientcert_hash.h" #include "test/integration/http_integration.h" 
diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index 0c4ae2e6dfd8..de35d4e3da51 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc @@ -5,9 +5,9 @@ #include "source/common/http/utility.h" #include "source/common/json/json_loader.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/config/utility.h" #include "test/integration/server.h" @@ -37,8 +37,8 @@ void initializeUpstreamTlsContextConfig( chain = rundir + "/test/config/integration/certs/client_ecdsacert.pem"; key = rundir + "/test/config/integration/certs/client_ecdsakey.pem"; } else if (options.use_expired_spiffe_cert_) { - chain = rundir + "/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem"; - key = rundir + "/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_key.pem"; + chain = rundir + "/test/common/tls/test_data/expired_spiffe_san_cert.pem"; + key = rundir + "/test/common/tls/test_data/expired_spiffe_san_key.pem"; } else if (options.client_with_intermediate_cert_) { chain = rundir + "/test/config/integration/certs/client2_chain.pem"; key = rundir + "/test/config/integration/certs/client2key.pem"; 
@@ -127,6 +127,9 @@ createUpstreamSslContext(ContextManager& context_manager, Api::Api& api, bool us } envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport quic_config; quic_config.mutable_downstream_tls_context()->MergeFrom(tls_context); + ON_CALL(mock_factory_ctx, statsScope()) + .WillByDefault(ReturnRef(*upstream_stats_store->rootScope())); + ON_CALL(mock_factory_ctx, sslContextManager()).WillByDefault(ReturnRef(context_manager)); std::vector server_names; auto& config_factory = Config::Utility::getAndCheckFactoryByName< diff --git a/test/integration/ssl_utility.h b/test/integration/ssl_utility.h index 3187b3b0e2ad..2c1565fc6c8a 100644 --- a/test/integration/ssl_utility.h +++ b/test/integration/ssl_utility.h @@ -7,7 +7,7 @@ #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_manager.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" +#include "source/common/tls/context_impl.h" namespace Envoy { namespace Ssl { diff --git a/test/integration/tcp_proxy_integration_test.cc b/test/integration/tcp_proxy_integration_test.cc index 90ad072b819a..f383cc5b5eca 100644 --- a/test/integration/tcp_proxy_integration_test.cc +++ b/test/integration/tcp_proxy_integration_test.cc @@ -12,8 +12,8 @@ #include "source/common/config/api_version.h" #include "source/common/network/utility.h" +#include "source/common/tls/context_manager_impl.h" #include "source/extensions/filters/network/common/factory_base.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" #include "test/integration/fake_access_log.h" #include "test/integration/ssl_utility.h" diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index e227f40a387c..eeec6cf876b5 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc 
@@ -12,9 +12,9 @@ #include "source/common/event/dispatcher_impl.h" #include "source/common/http/header_map_impl.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/test_common/network_utility.h" #include "test/test_common/printers.h" diff --git a/test/mocks/network/BUILD b/test/mocks/network/BUILD index 82b5ef8c79f1..73c9854193a3 100644 --- a/test/mocks/network/BUILD +++ b/test/mocks/network/BUILD @@ -42,6 +42,12 @@ envoy_cc_mock( ], ) +envoy_cc_mock( + name = "mock_parent_drained_callback_registrar", + hdrs = ["mock_parent_drained_callback_registrar.h"], + deps = ["//envoy/network:parent_drained_callback_registrar_interface"], +) + envoy_cc_mock( name = "network_mocks", srcs = ["mocks.cc"], diff --git a/test/mocks/network/mock_parent_drained_callback_registrar.h b/test/mocks/network/mock_parent_drained_callback_registrar.h new file mode 100644 index 000000000000..ae82b52d31f6 --- /dev/null +++ b/test/mocks/network/mock_parent_drained_callback_registrar.h @@ -0,0 +1,18 @@ +#pragma once + +#include "envoy/network/parent_drained_callback_registrar.h" + +#include "gmock/gmock.h" + +namespace Envoy { +namespace Network { + +class MockParentDrainedCallbackRegistrar : public ParentDrainedCallbackRegistrar { +public: + MOCK_METHOD(void, registerParentDrainedCallback, + (const Address::InstanceConstSharedPtr& address, + absl::AnyInvocable callback)); +}; + +} // namespace Network +} // namespace Envoy diff --git a/test/mocks/server/BUILD b/test/mocks/server/BUILD index 554313ac5267..7fe3818ab7fa 100644 --- a/test/mocks/server/BUILD +++ b/test/mocks/server/BUILD 
@@ -216,7 +216,7 @@ envoy_cc_mock( "//source/common/secret:secret_manager_impl_lib", "//source/common/singleton:manager_impl_lib", "//source/common/stats:stats_lib", - "//source/extensions/transport_sockets/tls:context_lib", + "//source/common/tls:context_lib", "//test/mocks/access_log:access_log_mocks", "//test/mocks/api:api_mocks", "//test/mocks/http:http_mocks", diff --git a/test/mocks/server/factory_context.h b/test/mocks/server/factory_context.h index 594afca75f48..3d273cd89d18 100644 --- a/test/mocks/server/factory_context.h +++ b/test/mocks/server/factory_context.h @@ -3,7 +3,7 @@ #include "envoy/server/configuration.h" #include "source/common/router/context_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "admin.h" #include "drain_manager.h" diff --git a/test/mocks/server/hot_restart.h b/test/mocks/server/hot_restart.h index c83142692c06..99bfa3ccbb0c 100644 --- a/test/mocks/server/hot_restart.h +++ b/test/mocks/server/hot_restart.h @@ -20,6 +20,8 @@ class MockHotRestart : public HotRestart { MOCK_METHOD(void, registerUdpForwardingListener, (Network::Address::InstanceConstSharedPtr address, std::shared_ptr listener_config)); + MOCK_METHOD(OptRef, parentDrainedCallbackRegistrar, ()); + MOCK_METHOD(void, whenDrainComplete, (absl::string_view addr, absl::AnyInvocable action)); MOCK_METHOD(void, initialize, (Event::Dispatcher & dispatcher, Server::Instance& server)); MOCK_METHOD(absl::optional, sendParentAdminShutdownRequest, ()); MOCK_METHOD(void, sendParentTerminateRequest, ()); diff --git a/test/mocks/server/listener_factory_context.h b/test/mocks/server/listener_factory_context.h index 10fbe1e21705..3d5b6197f042 100644 --- a/test/mocks/server/listener_factory_context.h +++ b/test/mocks/server/listener_factory_context.h 
@@ -3,7 +3,7 @@ #include "envoy/server/configuration.h" #include "envoy/server/listener_manager.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "admin.h" #include "drain_manager.h" diff --git a/test/mocks/server/server_factory_context.h b/test/mocks/server/server_factory_context.h index 9c8d754227aa..7e69dbad447e 100644 --- a/test/mocks/server/server_factory_context.h +++ b/test/mocks/server/server_factory_context.h @@ -7,7 +7,7 @@ #include "source/common/quic/quic_stat_names.h" #include "source/common/router/context_impl.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/mocks/access_log/mocks.h" #include "test/mocks/api/mocks.h" diff --git a/test/mocks/ssl/mocks.cc b/test/mocks/ssl/mocks.cc index fd274c0679d0..792686eaa9f3 100644 --- a/test/mocks/ssl/mocks.cc +++ b/test/mocks/ssl/mocks.cc 
@@ -27,7 +27,19 @@ MockClientContextConfig::MockClientContextConfig() { } MockClientContextConfig::~MockClientContextConfig() = default; -MockServerContextConfig::MockServerContextConfig() = default; +MockServerContextConfig::MockServerContextConfig() { + capabilities_.provides_ciphers_and_curves = true; + capabilities_.provides_sigalgs = true; + + ON_CALL(*this, cipherSuites()).WillByDefault(testing::ReturnRef(ciphers_)); + ON_CALL(*this, capabilities()).WillByDefault(testing::Return(capabilities_)); + ON_CALL(*this, alpnProtocols()).WillByDefault(testing::ReturnRef(alpn_)); + ON_CALL(*this, signatureAlgorithms()).WillByDefault(testing::ReturnRef(sigalgs_)); + ON_CALL(*this, sessionTicketKeys()).WillByDefault(testing::ReturnRef(ticket_keys_)); + ON_CALL(*this, tlsKeyLogLocal()).WillByDefault(testing::ReturnRef(iplist_)); + ON_CALL(*this, tlsKeyLogRemote()).WillByDefault(testing::ReturnRef(iplist_)); + ON_CALL(*this, tlsKeyLogPath()).WillByDefault(testing::ReturnRef(path_)); +} MockServerContextConfig::~MockServerContextConfig() = default; MockPrivateKeyMethodManager::MockPrivateKeyMethodManager() = default; diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h index a7e85351b41e..9aa51fdd9658 100644 --- a/test/mocks/ssl/mocks.h +++ b/test/mocks/ssl/mocks.h @@ -28,7 +28,8 @@ class MockContextManager : public ContextManager { (Stats::Scope & scope, const ClientContextConfig& config)); MOCK_METHOD(ServerContextSharedPtr, createSslServerContext, (Stats::Scope & stats, const ServerContextConfig& config, - const std::vector& server_names)); + const std::vector& server_names, + ContextAdditionalInitFunc additional_init)); MOCK_METHOD(absl::optional, daysUntilFirstCertExpires, (), (const)); MOCK_METHOD(absl::optional, secondsUntilFirstOcspResponseExpires, (), (const)); MOCK_METHOD(void, iterateContexts, (std::function callback)); 
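Review bot: `ON_CALL(*this, capabilities()).WillByDefault(testing::Return(capabilities_))` copies `capabilities_` at the moment the default action is installed in the constructor, so a test that later changes the now-public `capabilities_` member will still see only the two `provides_*` flags set here, unlike the neighbouring `ReturnRef` defaults which read their members live. `WillByDefault(testing::ReturnPointee(&capabilities_))` makes the mock reflect the member's current value. Separately, `tlsKeyLogLocal()` and `tlsKeyLogRemote()` both hand out a reference to the same `iplist_`, so a test cannot set up different local and remote key-log filters; a second member (say `remote_iplist_`) would keep the two independent. The members themselves are declared in mocks.h, outside this hunk.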
@@ -148,6 +149,14 @@ class MockServerContextConfig : public ServerContextConfig { MOCK_METHOD(const std::string&, tlsKeyLogPath, (), (const)); MOCK_METHOD(AccessLog::AccessLogManager&, accessLogManager, (), (const)); MOCK_METHOD(bool, fullScanCertsOnSNIMismatch, (), (const)); + + Ssl::HandshakerCapabilities capabilities_; + std::string ciphers_{"RSA"}; + std::string alpn_{""}; + std::string sigalgs_{""}; + Network::Address::IpList iplist_; + std::string path_; + std::vector ticket_keys_; }; class MockTlsCertificateConfig : public TlsCertificateConfig { diff --git a/test/mocks/thread/BUILD b/test/mocks/thread/BUILD new file mode 100644 index 000000000000..62f26f23abd7 --- /dev/null +++ b/test/mocks/thread/BUILD @@ -0,0 +1,18 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_mock", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_cc_mock( + name = "thread_mocks", + hdrs = ["mocks.h"], + deps = [ + "//envoy/thread:thread_interface", + "//source/common/common:thread_lib", + ], +) diff --git a/test/mocks/thread/mocks.h b/test/mocks/thread/mocks.h new file mode 100644 index 000000000000..9593a01b478b --- /dev/null +++ b/test/mocks/thread/mocks.h 
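Review bot: `std::string alpn_{""};` and `std::string sigalgs_{""};` initialize from an empty literal, which is the same as default construction; `std::string alpn_;` and `std::string sigalgs_;` would match `path_` two lines below and not suggest the empty string is a deliberate value distinct from "unset". A short comment above the group, such as `// Backing storage for the ON_CALL defaults installed in the constructor; tests may overwrite these before the config is consumed.`, would tell a reader why a mock carries public data members. MockServerContextConfig's class header is outside this hunk.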
@@ -0,0 +1,30 @@ +#pragma once + +#include "envoy/thread/thread.h" + +#if defined(__linux__) || defined(__APPLE__) +#include "source/common/common/posix/thread_impl.h" +#endif + +namespace Envoy { +namespace Thread { + +class MockThreadFactory : public ThreadFactory { +public: + MOCK_METHOD(ThreadPtr, createThread, (std::function, OptionsOptConstRef)); + MOCK_METHOD(ThreadId, currentThreadId, ()); +}; + +#if defined(__linux__) || defined(__APPLE__) +class MockPosixThreadFactory : public PosixThreadFactory { +public: + MOCK_METHOD(ThreadPtr, createThread, (std::function, OptionsOptConstRef)); + MOCK_METHOD(PosixThreadPtr, createThread, + (std::function, OptionsOptConstRef, bool crash_on_failure)); + MOCK_METHOD(ThreadId, currentThreadId, ()); + MOCK_METHOD(ThreadId, currentPthreadId, ()); +}; +#endif + +} // namespace Thread +} // namespace Envoy diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh index 9759ec2c2658..cd8f977a61fb 100755 --- a/test/per_file_coverage.sh +++ b/test/per_file_coverage.sh @@ -6,6 +6,7 @@ declare -a KNOWN_LOW_COVERAGE=( "source/common:95.9" # TODO(#32149): increase this once io_uring is tested. "source/common/api:84.5" # flaky due to posix: be careful adjusting "source/common/api/posix:83.8" # flaky (accept failover non-deterministic): be careful adjusting +"source/common/common/posix:88.8" # No easy way to test pthread_create failure. "source/common/config:95.4" "source/common/crypto:95.5" "source/common/event:95.0" # Emulated edge events guards don't report LCOV 
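Review bot: The new header uses `MOCK_METHOD` in both `MockThreadFactory` and `MockPosixThreadFactory` but includes only `envoy/thread/thread.h` and the posix `thread_impl.h`, so it compiles only through a transitive gmock include; the other mock header added in this change (`test/mocks/network/mock_parent_drained_callback_registrar.h`) includes `"gmock/gmock.h"` explicitly and this one should too, after the project includes. `std::function` in the mocked `createThread` signatures likewise has no `<functional>` include, though it is presumably brought in by `thread.h`.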
@@ -16,7 +17,7 @@ declare -a KNOWN_LOW_COVERAGE=( "source/common/matcher:94.6" "source/common/network:94.4" # Flaky, `activateFileEvents`, `startSecureTransport` and `ioctl`, listener_socket do not always report LCOV "source/common/network/dns_resolver:91.4" # A few lines of MacOS code not tested in linux scripts. Tested in MacOS scripts -"source/common/quic:93.4" +"source/common/quic:93.3" "source/common/secret:95.1" "source/common/signal:87.2" # Death tests don't report LCOV "source/common/thread:0.0" # Death tests don't report LCOV @@ -51,9 +52,9 @@ declare -a KNOWN_LOW_COVERAGE=( "source/extensions/tracers/opencensus:94.0" "source/extensions/tracers/zipkin:95.8" "source/extensions/transport_sockets:95.8" -"source/extensions/transport_sockets/tls:95.0" -"source/extensions/transport_sockets/tls/cert_validator:95.2" -"source/extensions/transport_sockets/tls/private_key:88.9" +"source/common/tls:94.9" +"source/common/tls/cert_validator:94.2" +"source/common/tls/private_key:88.9" "source/extensions/wasm_runtime/wamr:0.0" # Not enabled in coverage build "source/extensions/wasm_runtime/wasmtime:0.0" # Not enabled in coverage build "source/extensions/wasm_runtime/wavm:0.0" # Not enabled in coverage build diff --git a/test/server/admin/BUILD b/test/server/admin/BUILD index 8e7c6ecce89f..8c39988f9557 100644 --- a/test/server/admin/BUILD +++ b/test/server/admin/BUILD @@ -216,7 +216,7 @@ envoy_cc_test( srcs = envoy_select_admin_functionality(["server_info_handler_test.cc"]), deps = [ ":admin_instance_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", + "//source/common/tls:context_config_lib", "//test/test_common:logging_lib", "//test/test_common:test_runtime_lib", "@envoy_api//envoy/admin/v3:pkg_cc_proto", diff --git a/test/server/admin/server_info_handler_test.cc b/test/server/admin/server_info_handler_test.cc index 3de415bd2f8c..68b21f335750 100644 --- a/test/server/admin/server_info_handler_test.cc 
+++ b/test/server/admin/server_info_handler_test.cc @@ -1,6 +1,6 @@ #include "envoy/admin/v3/memory.pb.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "test/server/admin/admin_instance.h" #include "test/test_common/logging.h" diff --git a/test/server/config_validation/BUILD b/test/server/config_validation/BUILD index 22184df662cc..6d838b121c91 100644 --- a/test/server/config_validation/BUILD +++ b/test/server/config_validation/BUILD @@ -15,7 +15,7 @@ envoy_cc_test( "//source/common/api:api_lib", "//source/common/singleton:manager_impl_lib", "//source/common/stats:stats_lib", - "//source/extensions/transport_sockets/tls:context_lib", + "//source/common/tls:context_lib", "//source/server/config_validation:cluster_manager_lib", "//source/server/config_validation:dns_lib", "//test/mocks/access_log:access_log_mocks", diff --git a/test/server/config_validation/cluster_manager_test.cc b/test/server/config_validation/cluster_manager_test.cc index 10323e4b3c07..02442808b230 100644 --- a/test/server/config_validation/cluster_manager_test.cc +++ b/test/server/config_validation/cluster_manager_test.cc @@ -6,7 +6,7 @@ #include "source/common/grpc/context_impl.h" #include "source/common/http/context_impl.h" #include "source/common/singleton/manager_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "source/server/config_validation/cluster_manager.h" #include "test/mocks/access_log/mocks.h" diff --git a/test/server/hot_restart_impl_test.cc b/test/server/hot_restart_impl_test.cc index 81baf88181b5..28e1427564e1 100644 --- a/test/server/hot_restart_impl_test.cc +++ b/test/server/hot_restart_impl_test.cc 
@@ -87,6 +87,14 @@ class HotRestartImplTest : public testing::Test { std::unique_ptr hot_restart_; }; +TEST_F(HotRestartImplTest, ParentDrainedCallbackRegistrarIsSetAndCanBeCalled) { + setup(); + OptRef registrar = + hot_restart_->parentDrainedCallbackRegistrar(); + ASSERT_TRUE(registrar.has_value()); + registrar->registerParentDrainedCallback(test_addresses_.ipv4_test_addr_, []() {}); +} + TEST_F(HotRestartImplTest, VersionString) { // Tests that the version-string will be consistent and HOT_RESTART_VERSION, // between multiple instantiations. diff --git a/test/server/hot_restarting_child_test.cc b/test/server/hot_restarting_child_test.cc index f2455034f054..d16653d6454a 100644 --- a/test/server/hot_restarting_child_test.cc +++ b/test/server/hot_restarting_child_test.cc @@ -67,6 +67,11 @@ class FakeHotRestartingParent : public HotRestartingBase { }); udp_forwarding_rpc_stream_.sendHotRestartMessage(child_address_udp_forwarding_, message); } + void expectParentTerminateMessages() { + EXPECT_CALL(os_sys_calls_, sendmsg(_, _, _)).WillOnce([](int, const msghdr* msg, int) { + return Api::SysCallSizeResult{static_cast(msg->msg_iov[0].iov_len), 0}; + }); + } Api::MockOsSysCalls& os_sys_calls_; Event::FileReadyCb udp_file_ready_callback_; sockaddr_un child_address_udp_forwarding_; 
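Review bot: In `FakeHotRestartingParent::expectParentTerminateMessages()` the `sendmsg` stub reports `msg->msg_iov[0].iov_len` as the bytes written and indexes `msg_iov[0]` without consulting `msg_iovlen`, so a message sent with zero or several iovecs would either read past the array or look like a short write to the caller. Presumably the child sends a single iovec today, in which case a comment stating that assumption, e.g. `// Assumes a single-iovec message; reports it fully sent.`, is enough; otherwise summing `iov_len` over `msg_iovlen` makes the fake faithful. The FakeHotRestartingParent class starts outside this hunk.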
@@ -100,6 +105,36 @@ class HotRestartingChildTest : public testing::Test { std::unique_ptr hot_restarting_child_; }; +TEST_F(HotRestartingChildTest, ParentDrainedCallbacksAreCalled) { + auto test_listener_addr = Network::Utility::resolveUrl("udp://127.0.0.1:1234"); + auto test_listener_addr2 = Network::Utility::resolveUrl("udp://127.0.0.1:1235"); + testing::MockFunction callback1; + testing::MockFunction callback2; + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr, + callback1.AsStdFunction()); + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr2, + callback2.AsStdFunction()); + EXPECT_CALL(callback1, Call()); + EXPECT_CALL(callback2, Call()); + fake_parent_->expectParentTerminateMessages(); + hot_restarting_child_->sendParentTerminateRequest(); +} + +TEST_F(HotRestartingChildTest, ParentDrainedCallbacksAreCalledImmediatelyWhenAlreadyDrained) { + auto test_listener_addr = Network::Utility::resolveUrl("udp://127.0.0.1:1234"); + auto test_listener_addr2 = Network::Utility::resolveUrl("udp://127.0.0.1:1235"); + testing::MockFunction callback1; + testing::MockFunction callback2; + fake_parent_->expectParentTerminateMessages(); + hot_restarting_child_->sendParentTerminateRequest(); + EXPECT_CALL(callback1, Call()); + EXPECT_CALL(callback2, Call()); + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr, + callback1.AsStdFunction()); + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr2, + callback2.AsStdFunction()); +} + TEST_F(HotRestartingChildTest, LogsErrorOnReplyMessageInUdpStream) { envoy::HotRestartMessage msg; msg.mutable_reply(); diff --git a/test/server/ssl_context_manager_test.cc b/test/server/ssl_context_manager_test.cc index 928fbb124b9b..dbe2bdc8db6e 100644 --- a/test/server/ssl_context_manager_test.cc +++ b/test/server/ssl_context_manager_test.cc 
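Review bot: Both `ParentDrainedCallbacksAreCalled` and `ParentDrainedCallbacksAreCalledImmediatelyWhenAlreadyDrained` open with the same two `Network::Utility::resolveUrl("udp://127.0.0.1:1234")` / `"...:1235"` lines and the same pair of `testing::MockFunction<void()>` objects, so the only thing a reader must compare is the order of `sendParentTerminateRequest()` relative to `registerParentDrainedCallback(...)`. Hoisting the two addresses into `HotRestartingChildTest` fixture members (for example `test_listener_addr_` and `test_listener_addr2_`) would leave each test body showing just that ordering difference. The fixture class begins outside this hunk; only its trailing members and closing brace are visible here.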
@@ -28,8 +28,9 @@ TEST(SslContextManager, createStub) { EXPECT_EQ(manager->secondsUntilFirstOcspResponseExpires(), absl::nullopt); EXPECT_THROW_WITH_MESSAGE(manager->createSslClientContext(scope, client_config), EnvoyException, "SSL is not supported in this configuration"); - EXPECT_THROW_WITH_MESSAGE(manager->createSslServerContext(scope, server_config, server_names), - EnvoyException, "SSL is not supported in this configuration"); + EXPECT_THROW_WITH_MESSAGE( + manager->createSslServerContext(scope, server_config, server_names, nullptr), EnvoyException, + "SSL is not supported in this configuration"); EXPECT_NO_THROW(manager->iterateContexts([](const Envoy::Ssl::Context&) -> void {})); } diff --git a/test/test_common/thread_factory_for_test.cc b/test/test_common/thread_factory_for_test.cc index 55c4d84ed12b..0d1c2db9cae6 100644 --- a/test/test_common/thread_factory_for_test.cc +++ b/test/test_common/thread_factory_for_test.cc @@ -9,7 +9,7 @@ ThreadFactory& threadFactoryForTest() { #ifdef WIN32 static auto* thread_factory = new ThreadFactoryImplWin32(); #else - static auto* thread_factory = new ThreadFactoryImplPosix(); + static auto* thread_factory = PosixThreadFactory::create().release(); #endif return *thread_factory; } diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml index 7da3e054be32..907c8965fd0d 100644 --- a/tools/code_format/config.yaml +++ b/tools/code_format/config.yaml @@ -119,7 +119,6 @@ paths: - source/common/stats/tag_extractor_impl.cc - source/common/stats/tag_producer_impl.cc - source/common/http/http2/codec_impl.cc - - source/common/http/utility.cc - source/common/http/hash_policy.cc - source/common/http/conn_manager_utility.cc - source/common/http/match_delegate/config.cc 
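Review bot: In `threadFactoryForTest()` the new `static auto* thread_factory = PosixThreadFactory::create().release();` turns an owning `unique_ptr` into a deliberately leaked raw pointer with nothing recording the intent; the replaced `new ThreadFactoryImplPosix()` had the same lifetime but at least read as a conventional never-freed test singleton. If the leak is intentional (presumably so the factory outlives statics that use it at exit), a comment such as `// Intentionally never freed: must outlive any static that uses it during shutdown.` would say so; if it is not, `static auto thread_factory = PosixThreadFactory::create(); return *thread_factory;` keeps ownership in the `unique_ptr`. The enclosing `#ifdef WIN32` branch on the previous line has the same pattern and is unchanged.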
@@ -171,6 +170,8 @@ paths: - source/common/ssl/certificate_validation_context_config_impl.cc - source/common/grpc/google_grpc_creds_impl.cc - source/common/local_reply/local_reply.cc + - source/common/tls/context_impl.cc + - source/common/tls/context_config_impl.cc # Only one C++ file should instantiate grpc_init grpc_init: @@ -392,6 +393,7 @@ visibility_excludes: - source/extensions/filters/network/common/BUILD - source/extensions/http/header_validators/envoy_default/BUILD - source/extensions/transport_sockets/common/BUILD +- source/extensions/transport_sockets/tap/BUILD - source/extensions/udp_packet_writer/default/BUILD - source/extensions/udp_packet_writer/gso/BUILD - source/extensions/path/uri_template_lib/BUILD diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 7f66087cef02..15e00c4ff5cf 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -881,6 +881,7 @@ iteratively javascript jitter jittered +joinable js kafka keepalive