From 185a6e9a972a7d940a86607ace5bcc114880c90c Mon Sep 17 00:00:00 2001 From: botengyao Date: Mon, 4 Mar 2024 20:37:10 -0500 Subject: [PATCH 01/34] hcm: add downstream termination flag (#32627) hcm: add downstream termination flag Set the DownstreamConnectionTermination flag when getting remote and local close. Signed-off-by: Boteng Yao --- source/common/http/conn_manager_impl.cc | 9 ++---- test/common/http/conn_manager_impl_test_2.cc | 29 +++++++++++++++++++- test/integration/integration_test.cc | 18 ++++++++++++ 3 files changed, 48 insertions(+), 8 deletions(-) diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc index 4c1420575eb5..4c94c32b2c7c 100644 --- a/source/common/http/conn_manager_impl.cc +++ b/source/common/http/conn_manager_impl.cc @@ -609,7 +609,8 @@ void ConnectionManagerImpl::onEvent(Network::ConnectionEvent event) { // NOTE: In the case where a local close comes from outside the filter, this will cause any // stream closures to increment remote close stats. We should do better here in the future, // via the pre-close callback mentioned above. - doConnectionClose(absl::nullopt, absl::nullopt, details); + doConnectionClose(absl::nullopt, StreamInfo::CoreResponseFlag::DownstreamConnectionTermination, + details); } } @@ -958,12 +959,6 @@ ConnectionManagerImpl::ActiveStream::ActiveStream(ConnectionManagerImpl& connect void ConnectionManagerImpl::ActiveStream::completeRequest() { filter_manager_.streamInfo().onRequestComplete(); - if (connection_manager_.remote_close_) { - filter_manager_.streamInfo().setResponseCodeDetails( - StreamInfo::ResponseCodeDetails::get().DownstreamRemoteDisconnect); - filter_manager_.streamInfo().setResponseFlag( - StreamInfo::CoreResponseFlag::DownstreamConnectionTermination); - } connection_manager_.stats_.named_.downstream_rq_active_.dec(); if (filter_manager_.streamInfo().healthCheck()) { connection_manager_.config_.tracingStats().health_check_.inc(); 
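Review bot: With the new argument to doConnectionClose in onEvent, a LocalClose now tags every open stream with DownstreamConnectionTermination as well, so the "DC" response flag no longer means only a client-initiated disconnect; the branch removed from completeRequest in the second hunk was the only place that made the flag conditional on remote_close_. Access-log consumers and alerting that read DC as a client abort should now rely on %RESPONSE_CODE_DETAILS% (still fed from the `details` computed above this hunk) to tell the two apart, and that is worth a comment at the call site, e.g. `// Both remote and local close set DownstreamConnectionTermination; the close reason is only distinguishable via the response code details.` The existing NOTE about local closes incrementing remote-close stats should be updated in the same spirit, and if remote_close_ has no remaining readers after this change it can go too. Neither onEvent nor completeRequest is fully visible in these hunks.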
diff --git a/test/common/http/conn_manager_impl_test_2.cc b/test/common/http/conn_manager_impl_test_2.cc index 83b3971523f7..da84e5a6a04b 100644 --- a/test/common/http/conn_manager_impl_test_2.cc +++ b/test/common/http/conn_manager_impl_test_2.cc @@ -1534,7 +1534,9 @@ TEST_F(HttpConnectionManagerImplTest, HitFilterWatermarkLimits) { EXPECT_CALL(*log_handler_, log(_, _)) .WillOnce(Invoke( [](const Formatter::HttpFormatterContext&, const StreamInfo::StreamInfo& stream_info) { - EXPECT_FALSE(stream_info.hasAnyResponseFlag()); + EXPECT_TRUE(stream_info.hasAnyResponseFlag()); + EXPECT_TRUE(stream_info.hasResponseFlag( + StreamInfo::CoreResponseFlag::DownstreamConnectionTermination)); })); expectOnDestroy(); @@ -1566,6 +1568,31 @@ TEST_F(HttpConnectionManagerImplTest, HitRequestBufferLimits) { doRemoteClose(); } +TEST_F(HttpConnectionManagerImplTest, DownstreamConnectionTermination) { + std::shared_ptr handler(new NiceMock()); + access_logs_ = {handler}; + + setup(false, ""); + EXPECT_CALL(*handler, log(_, _)) + .WillOnce(Invoke( + [](const Formatter::HttpFormatterContext&, const StreamInfo::StreamInfo& stream_info) { + EXPECT_FALSE(stream_info.responseCode()); + EXPECT_TRUE(stream_info.hasAnyResponseFlag()); + EXPECT_TRUE(stream_info.hasResponseFlag( + StreamInfo::CoreResponseFlag::DownstreamConnectionTermination)); + })); + + // Start the request + EXPECT_CALL(*codec_, dispatch(_)).WillOnce(Invoke([&](Buffer::Instance&) -> Http::Status { + decoder_ = &conn_manager_->newStream(response_encoder_); + return Http::okStatus(); + })); + + Buffer::OwnedImpl fake_input("hello"); + conn_manager_->onData(fake_input, false); + filter_callbacks_.connection_.raiseEvent(Network::ConnectionEvent::LocalClose); +} + // Return 413 from an intermediate filter and make sure we don't continue the filter chain. TEST_F(HttpConnectionManagerImplTest, HitRequestBufferLimitsIntermediateFilter) { { 
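Review bot: The new DownstreamConnectionTermination test drives only LocalClose and asserts the response flag but not the response code details, so the detail string that the removed completeRequest branch used to set (DownstreamRemoteDisconnect) is pinned only indirectly by the integration test. Adding `EXPECT_EQ(stream_info.responseCodeDetails(), <expected detail for a local close>)` here, plus a sibling test driven by doRemoteClose(), would cover both close paths at the unit level. Minor style: constructing `handler` with a raw `new` inside the shared_ptr constructor could use `std::make_shared`.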
diff --git a/test/integration/integration_test.cc b/test/integration/integration_test.cc index c25269f59eda..56f3196f385b 100644 --- a/test/integration/integration_test.cc +++ b/test/integration/integration_test.cc @@ -1077,6 +1077,24 @@ TEST_P(IntegrationTest, MissingDelimiter) { EXPECT_THAT(log, Not(HasSubstr("DC"))); } +TEST_P(IntegrationTest, ConnectionTermination) { + useAccessLog("%RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS%"); + initialize(); + std::string response; + auto tcp_client = makeTcpConnection(lookupPort("http")); + ASSERT_TRUE(tcp_client->write("GET / HTTP/1.1\r\nHost: host\r\n\r\n")); + + FakeRawConnectionPtr fake_upstream_connection; + ASSERT_TRUE(fake_upstreams_[0]->waitForRawConnection(fake_upstream_connection)); + std::string data; + ASSERT_TRUE(fake_upstream_connection->waitForData( + FakeRawConnection::waitForInexactMatch("\r\n\r\n"), &data)); + tcp_client->close(); + std::string log = waitForAccessLog(access_log_name_); + EXPECT_THAT(log, HasSubstr("DC")); + EXPECT_THAT(log, HasSubstr("downstream_remote_disconnect")); +} + TEST_P(IntegrationTest, InvalidCharacterInFirstline) { initialize(); std::string response; From afd8162d2f7738918e37d885880962e1791fb5b1 Mon Sep 17 00:00:00 2001 From: code Date: Tue, 5 Mar 2024 09:48:56 +0800 Subject: [PATCH 02/34] zipkin: deprecate split_spans_for_request by the unified spawn_upstream_span (#32672) * zipkin: deprecate split_spans_for_request by the unified spawn_upstream_span Signed-off-by: wbpcode * change log Signed-off-by: wbpcode * fix format of change log Signed-off-by: wbpcode --------- Signed-off-by: wbpcode --- api/envoy/config/trace/v3/zipkin.proto | 7 +- changelogs/current.yaml | 5 + .../extensions/tracers/zipkin/span_context.h | 2 +- source/extensions/tracers/zipkin/tracer.cc | 65 ++++---- source/extensions/tracers/zipkin/tracer.h | 3 +- test/extensions/tracers/zipkin/tracer_test.cc | 151 +++++++++++++++++- 6 files changed, 195 insertions(+), 38 deletions(-) 
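Review bot: `std::string response;` in the new ConnectionTermination test is never used and can be dropped. The test closes the client only after the upstream has received the full request head, which is what makes the remote-disconnect path deterministic; a one-line comment such as `// Close from the client side only after the request reached the upstream, so the stream is torn down by a remote close.` would tell the next reader why the waitForData is there.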
diff --git a/api/envoy/config/trace/v3/zipkin.proto b/api/envoy/config/trace/v3/zipkin.proto index a9aefef0c6df..2d8f3195c31e 100644 --- a/api/envoy/config/trace/v3/zipkin.proto +++ b/api/envoy/config/trace/v3/zipkin.proto @@ -82,5 +82,10 @@ message ZipkinConfig { // If this is set to true, then the // :ref:`start_child_span of router ` // SHOULD be set to true also to ensure the correctness of trace chain. - bool split_spans_for_request = 7; + // + // Both this field and ``start_child_span`` are deprecated by the + // :ref:`spawn_upstream_span `. + // Please use that ``spawn_upstream_span`` field to control the span creation. + bool split_spans_for_request = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; } diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 33a8bd26ac12..0d030992c559 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -273,3 +273,8 @@ deprecated: change: | deprecated runtime key ``overload.global_downstream_max_connections`` in favor of :ref:`downstream connections monitor `. +- area: tracing + change: | + deprecated :ref:`split_spans_for_request ` + in favor of :ref:`spawn_upstream_span + `. diff --git a/source/extensions/tracers/zipkin/span_context.h b/source/extensions/tracers/zipkin/span_context.h index a2cf74394964..b1dfa3168743 100644 --- a/source/extensions/tracers/zipkin/span_context.h +++ b/source/extensions/tracers/zipkin/span_context.h @@ -77,7 +77,7 @@ class SpanContext { bool sampled() const { return sampled_; } /** - * @return the inner context flag. + * @return the inner context flag. True if this context is created base on the inner span. */ bool innerContext() const { return inner_context_; } diff --git a/source/extensions/tracers/zipkin/tracer.cc b/source/extensions/tracers/zipkin/tracer.cc index 00dfae6a808f..0ab5b01273bc 100644 --- a/source/extensions/tracers/zipkin/tracer.cc +++ b/source/extensions/tracers/zipkin/tracer.cc 
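Review bot: The new deprecation text reads `Please use that ``spawn_upstream_span`` field to control the span creation.`; `that` should be `the`, and since the tracer change ORs the two settings it would help migrating users to say so explicitly, e.g. `Setting ``spawn_upstream_span`` to true gives the same behaviour as this field.`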
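Review bot: The comment added to innerContext() has a typo, `base on`; it should read `* @return the inner context flag. True if this context was created based on the inner span.`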
@@ -12,22 +12,46 @@ namespace Extensions { namespace Tracers { namespace Zipkin { +/** + * @param spawn_child_span whether the Envoy will spawn a child span for the request. This + * means that the Envoy will be treated as an independent hop in the trace chain. + * See + * https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/observability/tracing#different-modes-of-envoy + * for more details. + * @param upstream whether the span is span for an upstream request. + * @param direction the direction of the traffic that the span is for. Egress means + * the span is for an outgoing request, and Ingress means the span is for an incoming request. + */ +Annotation getAnnotation(bool spawn_child_span, bool upstream, Tracing::OperationName direction) { + Annotation annotation; + if (spawn_child_span) { + // Spawn child span is set to true and Envoy should be treated as an independent hop in the + // trace chain. Determine the span type based on the request type. + + // Create server span for downstream request and client span for upstream request. + annotation.setValue(upstream ? CLIENT_SEND : SERVER_RECV); + } else { + // Spawn child span is set to false and Envoy should not be treated as an independent hop in the + // trace chain. Determine the span type based on the traffic direction. + + // Create server span for inbound sidecar and client span for outbound sidecar. + annotation.setValue(direction == Tracing::OperationName::Egress ? CLIENT_SEND : SERVER_RECV); + } + + return annotation; +} + SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span_name, SystemTime timestamp) { // Build the endpoint Endpoint ep(service_name_, address_); - // Build the CS annotation - Annotation cs; + // Build the CS annotation. + // No previous context then this must be span created for downstream request for now. 
+ Annotation cs = getAnnotation(split_spans_for_request_ || config.spawnUpstreamSpan(), false, + config.operationName()); cs.setEndpoint(std::move(ep)); - if (split_spans_for_request_) { - // No previous context then this must be span created for downstream request. Server span will - // be created for downstream request when split_spans_for_request is set to true - cs.setValue(SERVER_RECV); - } else { - cs.setValue(config.operationName() == Tracing::OperationName::Egress ? CLIENT_SEND - : SERVER_RECV); - } + // Create an all-new span, with no parent id SpanPtr span_ptr = std::make_unique(time_source_); span_ptr->setName(span_name); @@ -59,7 +83,9 @@ SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span_name, SystemTime timestamp, const SpanContext& previous_context) { SpanPtr span_ptr = std::make_unique(time_source_); - Annotation annotation; + // If the previous context is inner context then this span is span for upstream request. + Annotation annotation = getAnnotation(split_spans_for_request_ || config.spawnUpstreamSpan(), + previous_context.innerContext(), config.operationName()); uint64_t timestamp_micro; timestamp_micro = 
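Review bot: getAnnotation is a new free function with external linkage in namespace Zipkin, yet it is only used inside this file (the tracer.h hunk in this patch does not declare it); put it in an anonymous namespace or mark it `static` so it is not exported and cannot collide with a same-named helper elsewhere. The expression `split_spans_for_request_ || config.spawnUpstreamSpan()` is repeated in both startSpan overloads (this hunk and the one at -59); a small private helper such as `bool spawnChildSpan(const Tracing::Config& config) const` would keep the two call sites from drifting when split_spans_for_request_ is eventually removed. The doc comment on getAnnotation could also note that `direction` is consulted only when `spawn_child_span` is false. Both startSpan bodies continue outside the hunks.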
@@ -67,23 +93,6 @@ SpanPtr Tracer::startSpan(const Tracing::Config& config, const std::string& span span_ptr->setName(span_name); - // Set the span's kind (client or server) - if (split_spans_for_request_) { - // If the previous context is an inner context then this span must be a span created for an - // upstream request. A client span will be created for an upstream request. - if (previous_context.innerContext()) { - annotation.setValue(CLIENT_SEND); - } else { - annotation.setValue(SERVER_RECV); - } - } else { - if (config.operationName() == Tracing::OperationName::Egress) { - annotation.setValue(CLIENT_SEND); - } else { - annotation.setValue(SERVER_RECV); - } - } - // Set the span's id and parent id if (annotation.value() == CLIENT_SEND || !shared_span_context_) { // We need to create a new span that is a child of the previous span; no shared context diff --git a/source/extensions/tracers/zipkin/tracer.h b/source/extensions/tracers/zipkin/tracer.h index a0672b6bc682..6b8fa780014d 100644 --- a/source/extensions/tracers/zipkin/tracer.h +++ b/source/extensions/tracers/zipkin/tracer.h @@ -61,7 +61,8 @@ class Tracer : public TracerInterface { */ Tracer(const std::string& service_name, Network::Address::InstanceConstSharedPtr address, Random::RandomGenerator& random_generator, const bool trace_id_128bit, - const bool shared_span_context, TimeSource& time_source, bool split_spans_for_request) + const bool shared_span_context, TimeSource& time_source, + bool split_spans_for_request = false) : service_name_(service_name), address_(address), reporter_(nullptr), random_generator_(random_generator), trace_id_128bit_(trace_id_128bit), shared_span_context_(shared_span_context), time_source_(time_source), diff --git a/test/extensions/tracers/zipkin/tracer_test.cc b/test/extensions/tracers/zipkin/tracer_test.cc index 3446992ea2f8..4a374e571a09 100644 --- a/test/extensions/tracers/zipkin/tracer_test.cc +++ b/test/extensions/tracers/zipkin/tracer_test.cc 
@@ -45,7 +45,7 @@ TEST_F(ZipkinTracerTest, SpanCreation) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); NiceMock config; @@ -229,6 +229,7 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; + // Set 'split_spans_for_request' to true. Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, true); SystemTime timestamp = time_system_.systemTime(); 
@@ -360,11 +361,147 @@ TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxy) { EXPECT_FALSE(server_side_shared_context_span->isSetDuration()); } +TEST_F(ZipkinTracerTest, SpanCreationWithIndependentProxyByTracingConfig) { + Network::Address::InstanceConstSharedPtr addr = + Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); + NiceMock random_generator; + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); + SystemTime timestamp = time_system_.systemTime(); + + NiceMock config; + ON_CALL(config, spawnUpstreamSpan()).WillByDefault(Return(true)); + + // ============== + // Test the creation of a root span. If the independent proxy is set to true, the + // downstream span will be server span. + // ============== + ON_CALL(random_generator, random()).WillByDefault(Return(1000)); + time_system_.advanceTimeWait(std::chrono::milliseconds(1)); + SpanPtr root_span = tracer.startSpan(config, "my_span", timestamp); + + EXPECT_EQ("my_span", root_span->name()); + EXPECT_NE(0LL, root_span->startTime()); + EXPECT_NE(0ULL, root_span->traceId()); // trace id must be set + EXPECT_FALSE(root_span->isSetTraceIdHigh()); // by default, should be using 64 bit trace id + EXPECT_EQ(root_span->traceId(), root_span->id()); // span id and trace id must be the same + EXPECT_FALSE(root_span->isSetParentId()); // no parent set + // span's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + root_span->timestamp()); + + // A SR annotation must have been added + EXPECT_EQ(1ULL, root_span->annotations().size()); + Annotation ann = root_span->annotations()[0]; + EXPECT_EQ(SERVER_RECV, ann.value()); + // annotation's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + ann.timestamp()); + EXPECT_TRUE(ann.isSetEndpoint()); + Endpoint endpoint = ann.endpoint(); + EXPECT_EQ("my_service_name", endpoint.serviceName()); + + // The tracer must have been 
properly set + EXPECT_EQ(dynamic_cast(&tracer), root_span->tracer()); + + // Duration is not set at span-creation time + EXPECT_FALSE(root_span->isSetDuration()); + + // ============== + // Test the creation of a upstream span. If the independent proxy is set to true, + // the upstream span will be client span. + // ============== + + ON_CALL(random_generator, random()).WillByDefault(Return(2000)); + SpanContext root_span_context(*root_span); + SpanPtr child_span = tracer.startSpan(config, "my_child_span", timestamp, root_span_context); + + EXPECT_EQ("my_child_span", child_span->name()); + EXPECT_NE(0LL, child_span->startTime()); + + // trace id must be retained + EXPECT_NE(0ULL, child_span->traceId()); + EXPECT_EQ(root_span_context.traceId(), child_span->traceId()); + + // span id and trace id must NOT be the same + EXPECT_NE(child_span->traceId(), child_span->id()); + + // parent should be the previous span + EXPECT_TRUE(child_span->isSetParentId()); + EXPECT_EQ(root_span_context.id(), child_span->parentId()); + + // span's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + child_span->timestamp()); + + // A CS annotation must have been added + EXPECT_EQ(1ULL, child_span->annotations().size()); + ann = child_span->annotations()[0]; + EXPECT_EQ(CLIENT_SEND, ann.value()); + // Annotation's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + ann.timestamp()); + EXPECT_TRUE(ann.isSetEndpoint()); + endpoint = ann.endpoint(); + EXPECT_EQ("my_service_name", endpoint.serviceName()); + + // The tracer must have been properly set + EXPECT_EQ(dynamic_cast(&tracer), child_span->tracer()); + + // Duration is not set at span-creation time + EXPECT_FALSE(child_span->isSetDuration()); + + // ============== + // Test the downstream span with parent context and the shared context is enabled. 
If the + // independent proxy is set to true, the downstream span will be server span. + // ============== + SpanContext child_span_context(*child_span, false); + SpanPtr server_side_shared_context_span = + tracer.startSpan(config, "my_span", timestamp, child_span_context); + + EXPECT_NE(0LL, server_side_shared_context_span->startTime()); + + EXPECT_EQ("my_span", server_side_shared_context_span->name()); + + // trace id must be the same in the CS and SR sides + EXPECT_EQ(child_span_context.traceId(), server_side_shared_context_span->traceId()); + + // span id must be the same in the CS and SR sides + EXPECT_EQ(child_span_context.id(), server_side_shared_context_span->id()); + + // The parent should be the same as in the CS side. + EXPECT_TRUE(server_side_shared_context_span->isSetParentId()); + + // span timestamp should not be set (it was set in the CS side) + EXPECT_FALSE(server_side_shared_context_span->isSetTimestamp()); + + // An SR annotation must have been added + EXPECT_EQ(1ULL, server_side_shared_context_span->annotations().size()); + ann = server_side_shared_context_span->annotations()[0]; + EXPECT_EQ(SERVER_RECV, ann.value()); + // annotation's timestamp must be set + EXPECT_EQ( + std::chrono::duration_cast(timestamp.time_since_epoch()).count(), + ann.timestamp()); + EXPECT_TRUE(ann.isSetEndpoint()); + endpoint = ann.endpoint(); + EXPECT_EQ("my_service_name", endpoint.serviceName()); + + // The tracer must have been properly set + EXPECT_EQ(dynamic_cast(&tracer), server_side_shared_context_span->tracer()); + + // Duration is not set at span-creation time + EXPECT_FALSE(server_side_shared_context_span->isSetDuration()); +} + TEST_F(ZipkinTracerTest, FinishSpan) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, 
false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); // ============== @@ -447,7 +584,7 @@ TEST_F(ZipkinTracerTest, FinishNotSampledSpan) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); // ============== @@ -475,7 +612,7 @@ TEST_F(ZipkinTracerTest, SpanSampledPropagatedToChild) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, false, true, time_system_); SystemTime timestamp = time_system_.systemTime(); NiceMock config; @@ -503,7 +640,7 @@ TEST_F(ZipkinTracerTest, RootSpan128bitTraceId) { Network::Address::InstanceConstSharedPtr addr = Network::Utility::parseInternetAddressAndPort("127.0.0.1:9000"); NiceMock random_generator; - Tracer tracer("my_service_name", addr, random_generator, true, true, time_system_, false); + Tracer tracer("my_service_name", addr, random_generator, true, true, time_system_); SystemTime timestamp = time_system_.systemTime(); NiceMock config; @@ -560,8 +697,8 @@ TEST_F(ZipkinTracerTest, NotSharedSpanContext) { NiceMock random_generator; const bool shared_span_context = false; - Tracer tracer("my_service_name", addr, random_generator, false, shared_span_context, time_system_, - false); + Tracer tracer("my_service_name", addr, random_generator, false, shared_span_context, + time_system_); const SystemTime timestamp = time_system_.systemTime(); NiceMock config; From be5e93d543fdc306d56b0997faf8b57fd2fca977 Mon Sep 17 00:00:00 2001 
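Review bot: SpanCreationWithIndependentProxyByTracingConfig repeats the body of SpanCreationWithIndependentProxy nearly line for line, differing only in how independent-proxy mode is enabled (constructor flag versus `ON_CALL(config, spawnUpstreamSpan()).WillByDefault(Return(true));`). Moving the shared assertions into a helper that takes the Tracer and config, or parameterising the test on the two setups, would leave one place to update when the span layout changes. A case with both the deprecated flag and spawnUpstreamSpan set would also be worthwhile now that the tracer ORs them. The hunk starts in the middle of the previous test.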
From: Fredy Wijaya Date: Mon, 4 Mar 2024 20:51:52 -0600 Subject: [PATCH 03/34] mobile: Implement setLogger in the C++ API (#32695) Signed-off-by: Fredy Wijaya --- mobile/library/cc/engine_builder.cc | 10 +++- mobile/library/cc/engine_builder.h | 2 + mobile/test/common/internal_engine_test.cc | 64 ++++++++++++++++++++++ 3 files changed, 74 insertions(+), 2 deletions(-) diff --git a/mobile/library/cc/engine_builder.cc b/mobile/library/cc/engine_builder.cc index c3437d435584..74a66e6a4dfb 100644 --- a/mobile/library/cc/engine_builder.cc +++ b/mobile/library/cc/engine_builder.cc @@ -149,6 +149,11 @@ EngineBuilder& EngineBuilder::addLogLevel(LogLevel log_level) { return *this; } +EngineBuilder& EngineBuilder::setLogger(envoy_logger envoy_logger) { + envoy_logger_.emplace(envoy_logger); + return *this; +} + EngineBuilder& EngineBuilder::setOnEngineRunning(std::function closure) { callbacks_->on_engine_running = std::move(closure); return *this; @@ -894,8 +899,9 @@ EngineSharedPtr EngineBuilder::build() { envoy_event_tracker null_tracker{}; - Envoy::InternalEngine* envoy_engine = - new Envoy::InternalEngine(callbacks_->asEnvoyEngineCallbacks(), null_logger, null_tracker); + Envoy::InternalEngine* envoy_engine = new Envoy::InternalEngine( + callbacks_->asEnvoyEngineCallbacks(), + (envoy_logger_.has_value()) ? *envoy_logger_ : null_logger, null_tracker); for (const auto& [name, store] : key_value_stores_) { // TODO(goaway): This leaks, but it's tied to the life of the engine. diff --git a/mobile/library/cc/engine_builder.h b/mobile/library/cc/engine_builder.h index 8a77b8d9ad5e..746d32f6f901 100644 --- a/mobile/library/cc/engine_builder.h +++ b/mobile/library/cc/engine_builder.h 
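Review bot: In build(), `(envoy_logger_.has_value()) ? *envoy_logger_ : null_logger` can be `envoy_logger_.value_or(null_logger)`, and the setLogger parameter shadows its own type name (`envoy_logger envoy_logger`), which compiles but reads poorly; `envoy_logger logger` is clearer. More importantly, the builder now stores a copy of a C struct whose `context` pointer and `release` callback belong to the caller, and nothing in the hunk says who invokes `release` or how long `context` must stay valid; once that is confirmed against InternalEngine, a comment on setLogger of the form `// The caller keeps ownership of logger.context, which must remain valid until <confirm when release runs>.` should state it. build() continues outside the hunk.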
@@ -126,6 +126,7 @@ class EngineBuilder { virtual ~EngineBuilder() {} EngineBuilder& addLogLevel(LogLevel log_level); + EngineBuilder& setLogger(envoy_logger envoy_logger); EngineBuilder& setOnEngineRunning(std::function closure); EngineBuilder& addConnectTimeoutSeconds(int connect_timeout_seconds); EngineBuilder& addDnsRefreshSeconds(int dns_refresh_seconds); @@ -213,6 +214,7 @@ class EngineBuilder { }; LogLevel log_level_ = LogLevel::info; + absl::optional envoy_logger_; EngineCallbacksSharedPtr callbacks_; int connect_timeout_seconds_ = 30; diff --git a/mobile/test/common/internal_engine_test.cc b/mobile/test/common/internal_engine_test.cc index c31f8ffc72ae..22e91ac3094c 100644 --- a/mobile/test/common/internal_engine_test.cc +++ b/mobile/test/common/internal_engine_test.cc @@ -1,3 +1,5 @@ +#include + #include "source/common/common/assert.h" #include "test/common/http/common.h" 
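Review bot: The new `setLogger` declaration and the `envoy_logger_` member carry no documentation, although the contract matters: the struct holds a raw `context` pointer and a `release` callback, and the builder keeps a copy until build() hands it to the engine. A doc comment such as `// Sets the logger the engine will use. The caller keeps ownership of logger.context, which must stay valid until <confirm: release is invoked / engine terminates>.` would make the lifetime explicit for API users.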
@@ -600,4 +602,66 @@ TEST_F(InternalEngineTest, ResetConnectivityState) { ASSERT_TRUE(test_context.on_exit.WaitForNotificationWithTimeout(absl::Seconds(3))); } +TEST_F(InternalEngineTest, SetLogger) { + std::atomic logging_was_called{false}; + envoy_logger logger; + logger.log = [](envoy_log_level, envoy_data data, const void* context) { + std::atomic* logging_was_called = + const_cast*>(static_cast*>(context)); + *logging_was_called = true; + release_envoy_data(data); + }; + logger.release = envoy_noop_const_release; + logger.context = &logging_was_called; + + absl::Notification engine_running; + Platform::EngineBuilder engine_builder; + Platform::EngineSharedPtr engine = + engine_builder.addLogLevel(Platform::LogLevel::debug) + .setLogger(logger) + .setOnEngineRunning([&] { engine_running.Notify(); }) + .addNativeFilter( + "test_remote_response", + "{'@type': " + "type.googleapis.com/" + "envoymobile.extensions.filters.http.test_remote_response.TestRemoteResponse}") + .build(); + engine_running.WaitForNotification(); + + int actual_status_code = 0; + bool actual_end_stream = false; + absl::Notification stream_complete; + auto stream_prototype = engine->streamClient()->newStreamPrototype(); + auto stream = (*stream_prototype) + .setOnHeaders([&](Platform::ResponseHeadersSharedPtr headers, bool end_stream, + envoy_stream_intel) { + actual_status_code = headers->httpStatus(); + actual_end_stream = end_stream; + }) + .setOnData([&](envoy_data data, bool end_stream) { + actual_end_stream = end_stream; + release_envoy_data(data); + }) + .setOnComplete([&](envoy_stream_intel, envoy_final_stream_intel) { + stream_complete.Notify(); + }) + .setOnError([&](Platform::EnvoyErrorSharedPtr, envoy_stream_intel, + envoy_final_stream_intel) { stream_complete.Notify(); }) + .setOnCancel([&](envoy_stream_intel, envoy_final_stream_intel) { + stream_complete.Notify(); + }) + .start(); + + auto request_headers = + Platform::RequestHeadersBuilder(Platform::RequestMethod::GET, "https", 
"example.com", "/") + .build(); + stream->sendHeaders(std::make_shared(request_headers), true); + stream_complete.WaitForNotification(); + + EXPECT_EQ(actual_status_code, 200); + EXPECT_EQ(actual_end_stream, true); + EXPECT_TRUE(logging_was_called.load()); + EXPECT_EQ(engine->terminate(), ENVOY_SUCCESS); +} + } // namespace Envoy From adec51be96bb0a1e40ecd4e0f0f84d9942b0a4af Mon Sep 17 00:00:00 2001 From: Tianyu <72890320+tyxia@users.noreply.github.com> Date: Tue, 5 Mar 2024 00:43:23 -0500 Subject: [PATCH 04/34] ext_proc: Validate route re-pick and routing/path header mutation (#32530) SetHostHeaderRoutingSucceeded : ext_proc triggers route re-pick and set host header to match the domain of virtual host in routing configuration. This makes routing to upstream successful. SetHostHeaderRoutingFailed: ext_proc triggers route re-pick but set host header to wrong header that doesn't match the virtual host domain in routing configuration. This makes routing to upstream failed since no route is found. GetAndSetPathHeader: when allow_all_routing is false, path header is updated successfully but routing header mutation(e.g., host, method, scheme) are failed Signed-off-by: tyxia --- .../ext_proc/ext_proc_integration_test.cc | 159 ++++++++++++++++++ 1 file changed, 159 insertions(+) diff --git a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc index 02efb17e237b..a2f94aa7b692 100644 --- a/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc +++ b/test/extensions/filters/http/ext_proc/ext_proc_integration_test.cc 
@@ -809,6 +809,165 @@ TEST_P(ExtProcIntegrationTest, GetAndSetHeaders) { verifyDownstreamResponse(*response, 200); } +TEST_P(ExtProcIntegrationTest, SetHostHeaderRoutingSucceeded) { + proto_config_.mutable_mutation_rules()->mutable_allow_all_routing()->set_value(true); + initializeConfig(); + std::string vhost_domain = "new_host"; + config_helper_.addConfigModifier([&vhost_domain](HttpConnectionManager& cm) { + // Set up vhost domain. + auto* vhost = cm.mutable_route_config()->mutable_virtual_hosts()->Mutable(0); + vhost->set_name("vhost"); + vhost->clear_domains(); + vhost->add_domains(vhost_domain); + }); + + HttpIntegrationTest::initialize(); + + auto response = sendDownstreamRequest(absl::nullopt); + processRequestHeadersMessage( + *grpc_upstreams_[0], true, + [&vhost_domain](const HttpHeaders& headers, HeadersResponse& headers_resp) { + Http::TestRequestHeaderMapImpl expected_request_headers{{":scheme", "http"}, + {":method", "GET"}, + {"host", "host"}, + {":path", "/"}, + {"x-forwarded-proto", "http"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_request_headers)); + + auto response_header_mutation = headers_resp.mutable_response()->mutable_header_mutation(); + + // Set host header to match the domain of virtual host in routing configuration. + auto* mut = response_header_mutation->add_set_headers(); + mut->mutable_header()->set_key(":authority"); + mut->mutable_header()->set_value(vhost_domain); + + // Clear the route cache to trigger the route re-pick. + headers_resp.mutable_response()->set_clear_route_cache(true); + return true; + }); + + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); + + // Host header is updated when `allow_all_routing` mutation rule is true. 
+ EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":authority", "new_host")); + + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); + upstream_request_->encodeData(100, true); + + processResponseHeadersMessage( + *grpc_upstreams_[0], false, [](const HttpHeaders& headers, HeadersResponse&) { + Http::TestRequestHeaderMapImpl expected_response_headers{{":status", "200"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_response_headers)); + return true; + }); + + verifyDownstreamResponse(*response, 200); +} + +TEST_P(ExtProcIntegrationTest, SetHostHeaderRoutingFailed) { + proto_config_.mutable_mutation_rules()->mutable_allow_all_routing()->set_value(true); + initializeConfig(); + // Set up the route config. + std::string vhost_domain = "new_host"; + config_helper_.addConfigModifier([&vhost_domain](HttpConnectionManager& cm) { + // Set up vhost domain. + auto* vhost = cm.mutable_route_config()->mutable_virtual_hosts()->Mutable(0); + vhost->set_name("vhost"); + vhost->clear_domains(); + vhost->add_domains(vhost_domain); + }); + + HttpIntegrationTest::initialize(); + + auto response = sendDownstreamRequest(absl::nullopt); + processRequestHeadersMessage( + *grpc_upstreams_[0], true, [](const HttpHeaders& headers, HeadersResponse& headers_resp) { + Http::TestRequestHeaderMapImpl expected_request_headers{{":scheme", "http"}, + {":method", "GET"}, + {"host", "host"}, + {":path", "/"}, + {"x-forwarded-proto", "http"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_request_headers)); + + auto response_header_mutation = headers_resp.mutable_response()->mutable_header_mutation(); + + // Set host header to the wrong value that doesn't match the domain of virtual host in route + // configuration. 
+ auto* mut1 = response_header_mutation->add_set_headers(); + mut1->mutable_header()->set_key(":authority"); + mut1->mutable_header()->set_value("wrong_host"); + + // Clear the route cache to trigger the route re-pick. + headers_resp.mutable_response()->set_clear_route_cache(true); + return true; + }); + + // The routing to upstream is expected to fail and 500 is returned to downstream client, since no + // route is found for mismatched vhost. + verifyDownstreamResponse(*response, 500); +} + +TEST_P(ExtProcIntegrationTest, GetAndSetPathHeader) { + initializeConfig(); + HttpIntegrationTest::initialize(); + + auto response = sendDownstreamRequest(absl::nullopt); + + processRequestHeadersMessage( + *grpc_upstreams_[0], true, [](const HttpHeaders& headers, HeadersResponse& headers_resp) { + Http::TestRequestHeaderMapImpl expected_request_headers{{":scheme", "http"}, + {":method", "GET"}, + {"host", "host"}, + {":path", "/"}, + {"x-forwarded-proto", "http"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_request_headers)); + + auto response_header_mutation = headers_resp.mutable_response()->mutable_header_mutation(); + auto* mut1 = response_header_mutation->add_set_headers(); + mut1->mutable_header()->set_key(":path"); + mut1->mutable_header()->set_value("/mutated_path/bluh"); + + auto* mut2 = response_header_mutation->add_set_headers(); + mut2->mutable_header()->set_key(":scheme"); + mut2->mutable_header()->set_value("https"); + + auto* mut3 = response_header_mutation->add_set_headers(); + mut3->mutable_header()->set_key(":authority"); + mut3->mutable_header()->set_value("new_host"); + + auto* mut4 = response_header_mutation->add_set_headers(); + mut4->mutable_header()->set_key(":method"); + mut4->mutable_header()->set_value("POST"); + return true; + }); + + ASSERT_TRUE(fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_)); + ASSERT_TRUE(fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_)); + 
ASSERT_TRUE(upstream_request_->waitForEndStream(*dispatcher_)); + + // Path header is updated. + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":path", "/mutated_path/bluh")); + // Routing headers are not updated by ext_proc when `allow_all_routing` mutation rule is false + // (default value). + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":scheme", "http")); + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":authority", "host")); + EXPECT_THAT(upstream_request_->headers(), SingleHeaderValueIs(":method", "GET")); + + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, false); + upstream_request_->encodeData(100, true); + + processResponseHeadersMessage( + *grpc_upstreams_[0], false, [](const HttpHeaders& headers, HeadersResponse&) { + Http::TestRequestHeaderMapImpl expected_response_headers{{":status", "200"}}; + EXPECT_THAT(headers.headers(), HeaderProtosEqual(expected_response_headers)); + return true; + }); + + verifyDownstreamResponse(*response, 200); +} + TEST_P(ExtProcIntegrationTest, GetAndSetHeadersWithLogging) { ConfigOptions config_option = {}; config_option.add_logging_filter = true; From d5950a5afbca0f124211bbbceca2f28648dd56b9 Mon Sep 17 00:00:00 2001 From: Jens Date: Tue, 5 Mar 2024 09:39:14 +0100 Subject: [PATCH 05/34] docs: render extensions.filters.http.jwt_authn.v3.JwtProvider#claim_to_headers yaml example (#32626) Signed-off-by: Jens --- api/envoy/extensions/filters/http/jwt_authn/v3/config.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 7d5ae25a027a..d8bfd7d16e7e 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto 
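Review bot: In SetHostHeaderRoutingSucceeded and SetHostHeaderRoutingFailed the config modifier captures `vhost_domain` by reference (`[&vhost_domain]`) even though config_helper_ stores the lambda; it works only because HttpIntegrationTest::initialize() runs before the string leaves scope, so capturing by value (`[vhost_domain]`) removes that ordering dependence. SetHostHeaderRoutingFailed asserts only the 500 status; also checking %RESPONSE_CODE_DETAILS% via the access log would pin down that the failure is the missing route rather than an ext_proc error, which matters because a processor rewriting `:authority` under allow_all_routing is effectively choosing the route. The three tests repeat the same expected_request_headers block; a small helper would shorten them.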
@@ -311,6 +311,7 @@ message JwtProvider { // Add JWT claim to HTTP Header // Specify the claim name you want to copy in which HTTP header. For examples, following config: // The claim must be of type; string, int, double, bool. Array type claims are not supported + // // .. code-block:: yaml // // claim_to_headers: From ddd8a78067bc95b7b4dd6887371cb2e95d1ab8e1 Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Tue, 5 Mar 2024 09:07:10 -0500 Subject: [PATCH 06/34] http: moving http utilities to use statusor (#32603) Signed-off-by: Alyssa Wilk --- source/common/http/utility.cc | 7 +++++-- source/common/http/utility.h | 5 ++--- source/extensions/filters/http/gcp_authn/filter_config.cc | 2 +- source/extensions/filters/http/jwt_authn/jwks_cache.cc | 3 ++- test/common/http/utility_test.cc | 4 ++-- tools/code_format/config.yaml | 1 - 6 files changed, 12 insertions(+), 10 deletions(-) diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 14be4b296129..c76d8bb8be9d 100644 --- a/source/common/http/utility.cc +++ b/source/common/http/utility.cc @@ -1330,7 +1330,8 @@ Utility::AuthorityAttributes Utility::parseAuthority(absl::string_view host) { return {is_ip_address, host_to_resolve, port}; } -void Utility::validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy) { +absl::Status +Utility::validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy) { if (retry_policy.has_retry_back_off()) { const auto& core_back_off = retry_policy.retry_back_off(); 
@@ -1339,9 +1340,11 @@ void Utility::validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy PROTOBUF_GET_MS_OR_DEFAULT(core_back_off, max_interval, base_interval_ms * 10); if (max_interval_ms < base_interval_ms) { - throwEnvoyExceptionOrPanic("max_interval must be greater than or equal to the base_interval"); + return absl::InvalidArgumentError( + "max_interval must be greater than or equal to the base_interval"); } } + return absl::OkStatus(); } envoy::config::route::v3::RetryPolicy diff --git a/source/common/http/utility.h b/source/common/http/utility.h index 6a05a5ea589c..5d155eb17358 100644 --- a/source/common/http/utility.h +++ b/source/common/http/utility.h @@ -674,11 +674,10 @@ struct AuthorityAttributes { AuthorityAttributes parseAuthority(absl::string_view host); /** - * It validates RetryPolicy defined in core api. It should be called at the main thread as - * it may throw exception. + * It validates RetryPolicy defined in core api. It will return an error status if invalid. * @param retry_policy core retry policy */ -void validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy); +absl::Status validateCoreRetryPolicy(const envoy::config::core::v3::RetryPolicy& retry_policy); /** * It returns RetryPolicy defined in core api to route api. diff --git a/source/extensions/filters/http/gcp_authn/filter_config.cc b/source/extensions/filters/http/gcp_authn/filter_config.cc index e6a31e0cc6f2..4a5cbd2317cf 100644 --- a/source/extensions/filters/http/gcp_authn/filter_config.cc +++ b/source/extensions/filters/http/gcp_authn/filter_config.cc 
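Review bot: The new `return absl::InvalidArgumentError("max_interval must be greater than or equal to the base_interval");` states the rule but not the two values that broke it, so an operator reading the config-load failure cannot tell which interval is wrong. Both numbers are in scope on the lines above as `base_interval_ms` and `max_interval_ms`; `return absl::InvalidArgumentError(absl::StrCat("max_interval (", max_interval_ms, "ms) must be greater than or equal to the base_interval (", base_interval_ms, "ms)"));` would carry them, assuming the absl string headers are already included here as elsewhere in Http::Utility (verify), and whatever exact-message assertion test/common/http/utility_test.cc makes (its hunk is not on this page) would need the same wording. validateCoreRetryPolicy begins in the previous hunk; within this view the added `return absl::OkStatus();` is the only success path.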
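Review bot: The replacement doc line `It validates RetryPolicy defined in core api. It will return an error status if invalid.` drops the old main-thread caveat without telling callers what they now get back, and the utility.cc hunk above shows exactly one failure path, so it is cheap to be precise: `@return absl::OkStatus() when the policy is valid, absl::InvalidArgumentError when retry_back_off.max_interval is smaller than base_interval.` Callers that want the previous throwing behaviour wrap the call in THROW_IF_NOT_OK, as the gcp_authn hunk in this commit does, so the "call this on the main thread" caveat now belongs at those call sites rather than on this declaration.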
@@ -25,7 +25,7 @@ Http::FilterFactoryCb GcpAuthnFilterFactory::createFilterFactoryFromProtoTyped( // config.retry_policy has an invalid case that could not be validated by the // proto validation annotation. It has to be validated by the code. if (config.has_retry_policy()) { - Http::Utility::validateCoreRetryPolicy(config.retry_policy()); + THROW_IF_NOT_OK(Http::Utility::validateCoreRetryPolicy(config.retry_policy())); } FilterConfigSharedPtr filter_config = diff --git a/source/extensions/filters/http/jwt_authn/jwks_cache.cc b/source/extensions/filters/http/jwt_authn/jwks_cache.cc index 924e62cfc935..01c1daa11493 100644 --- a/source/extensions/filters/http/jwt_authn/jwks_cache.cc +++ b/source/extensions/filters/http/jwt_authn/jwks_cache.cc @@ -36,7 +36,8 @@ class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable Date: Tue, 5 Mar 2024 14:25:50 +0000 Subject: [PATCH 07/34] mobile/ci: Add `--nolegacy_important_outputs` (#32699) Signed-off-by: Ryan Northey --- .bazelrc | 1 + 1 file changed, 1 insertion(+) diff --git a/.bazelrc b/.bazelrc index 03d5a5f7d48e..36a2766787ef 100644 --- a/.bazelrc +++ b/.bazelrc @@ -509,6 +509,7 @@ build:rbe-engflow --grpc_keepalive_time=30s build:rbe-engflow --remote_timeout=3600s build:rbe-engflow --bes_timeout=3600s build:rbe-engflow --bes_upload_mode=fully_async +build:rbe-engflow --nolegacy_important_outputs build:cache-envoy-engflow --google_default_credentials=false build:cache-envoy-engflow --remote_cache=grpcs://morganite.cluster.engflow.com From 8003a96802138b573abd358f920e3dc5405dfa1e Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Tue, 5 Mar 2024 09:31:32 -0500 Subject: [PATCH 08/34] tls: move out of extensions (#32368) Risk Level: low: code move Testing: n/a Docs Changes: n/a Release Notes: n/a #31113 
Signed-off-by: Alyssa Wilk --- .gitattributes | 4 +- .../cryptomb/private_key_providers/test/BUILD | 4 +- .../private_key_providers/test/config_test.cc | 2 +- .../private_key_providers/test/ops_test.cc | 2 +- .../network/test/postgres_integration_test.cc | 4 +- contrib/qat/private_key_providers/test/BUILD | 4 +- .../private_key_providers/test/config_test.cc | 2 +- .../private_key_providers/test/ops_test.cc | 2 +- .../certificate_validation_context_config.h | 2 +- mobile/envoy_build_config/BUILD | 2 +- .../envoy_build_config/extension_registry.cc | 4 +- .../cert_validator/platform_bridge/BUILD | 2 +- .../cert_validator/platform_bridge/config.h | 2 +- .../platform_bridge_cert_validator.h | 2 +- .../cert_validator/platform_bridge/BUILD | 10 +- .../platform_bridge_cert_validator_test.cc | 40 +- mobile/test/common/integration/BUILD | 10 +- .../integration/client_integration_test.cc | 2 +- mobile/test/common/integration/test_server.cc | 2 +- mobile/test/common/integration/test_server.h | 2 +- .../common/integration/xds_test_server.cc | 4 +- .../test/common/integration/xds_test_server.h | 2 +- source/common/quic/BUILD | 14 +- .../quic/client_connection_factory_impl.h | 2 +- .../common/quic/envoy_quic_proof_verifier.cc | 2 +- .../common/quic/envoy_quic_proof_verifier.h | 2 +- .../quic_client_transport_socket_factory.cc | 2 +- .../quic_server_transport_socket_factory.cc | 2 +- .../quic_server_transport_socket_factory.h | 2 +- source/common/quic/quic_ssl_connection_info.h | 2 +- .../quic/quic_transport_socket_factory.cc | 2 +- .../quic/quic_transport_socket_factory.h | 2 +- source/common/tls/BUILD | 215 +++ .../tls/cert_validator/BUILD | 8 +- .../tls/cert_validator/cert_validator.h | 2 +- .../tls/cert_validator/default_validator.cc | 12 +- .../tls/cert_validator/default_validator.h | 6 +- .../tls/cert_validator/factory.cc | 2 +- .../tls/cert_validator/factory.h | 4 +- .../tls/cert_validator/san_matcher.cc | 4 +- .../tls/cert_validator/san_matcher.h | 2 +- 
.../tls/cert_validator/utility.cc | 2 +- .../tls/cert_validator/utility.h | 0 .../tls/connection_info_impl_base.cc | 2 +- .../tls/connection_info_impl_base.h | 2 +- .../tls/context_config_impl.cc | 4 +- .../tls/context_config_impl.h | 0 .../tls/context_impl.cc | 8 +- .../tls/context_impl.h | 8 +- .../tls/context_manager_impl.cc | 4 +- .../tls/context_manager_impl.h | 2 +- .../tls/io_handle_bio.cc | 2 +- .../tls/io_handle_bio.h | 0 .../tls/ocsp/BUILD | 6 +- .../tls/ocsp/asn1_utility.cc | 2 +- .../tls/ocsp/asn1_utility.h | 0 .../tls/ocsp/ocsp.cc | 6 +- .../tls/ocsp/ocsp.h | 0 .../tls/private_key/BUILD | 4 +- .../private_key/private_key_manager_impl.cc | 2 +- .../private_key/private_key_manager_impl.h | 0 .../tls/ssl_handshaker.cc | 4 +- .../tls/ssl_handshaker.h | 4 +- .../tls/ssl_socket.cc | 8 +- .../tls/ssl_socket.h | 6 +- .../transport_sockets => common}/tls/stats.cc | 2 +- .../transport_sockets => common}/tls/stats.h | 0 .../tls/utility.cc | 2 +- .../tls/utility.h | 0 .../clusters/dynamic_forward_proxy/BUILD | 2 +- .../clusters/dynamic_forward_proxy/cluster.cc | 4 +- source/extensions/transport_sockets/tap/BUILD | 4 + source/extensions/transport_sockets/tls/BUILD | 192 +- .../tls/cert_validator/spiffe/BUILD | 6 +- .../cert_validator/spiffe/spiffe_validator.cc | 8 +- .../cert_validator/spiffe/spiffe_validator.h | 6 +- .../transport_sockets/tls/config.cc | 4 +- .../grpc_client_integration_test_harness.h | 4 +- test/common/listener_manager/BUILD | 8 +- .../filter_chain_benchmark_test.cc | 18 +- .../filter_chain_manager_impl_test.cc | 8 +- .../listener_manager_impl_quic_only_test.cc | 48 +- .../listener_manager_impl_test.cc | 230 +-- test/common/quic/BUILD | 10 +- .../quic/envoy_quic_proof_source_test.cc | 2 +- .../quic/envoy_quic_proof_verifier_test.cc | 4 +- test/common/quic/platform/BUILD | 4 +- .../quic/platform/quic_platform_test.cc | 2 +- .../quic_transport_socket_factory_test.cc | 24 +- test/common/secret/BUILD | 4 +- test/common/secret/sds_api_test.cc | 49 +- 
.../common/secret/secret_manager_impl_test.cc | 53 +- .../transport_sockets => common}/tls/BUILD | 52 +- .../tls/cert_validator/BUILD | 18 +- .../default_validator_integration_test.cc | 2 +- .../default_validator_integration_test.h | 0 .../cert_validator/default_validator_test.cc | 78 +- .../tls/cert_validator/factory_test.cc | 4 +- .../tls/cert_validator/san_matcher_test.cc | 2 +- .../tls/cert_validator/test_common.h | 0 .../cert_validator/timed_cert_validator.cc | 2 +- .../tls/cert_validator/timed_cert_validator.h | 4 +- .../tls/context_impl_test.cc | 470 +++-- .../tls/handshaker_factory_test.cc | 8 +- .../tls/handshaker_test.cc | 8 +- .../tls/integration/BUILD | 8 +- .../tls/integration/sni_to_header_filter.cc | 0 .../tls/integration/ssl_integration_test.cc | 12 +- .../tls/integration/ssl_integration_test.h | 0 .../tls/io_handle_bio_test.cc | 2 +- .../tls/ocsp/BUILD | 14 +- .../tls/ocsp/asn1_utility_test.cc | 2 +- .../tls/ocsp/ocsp_test.cc | 10 +- .../tls/ocsp/test_data/BUILD | 0 .../tls/ocsp/test_data/README.md | 0 .../tls/ocsp/test_data/ca_cert.pem | 0 .../tls/ocsp/test_data/ca_key.pem | 0 .../tls/ocsp/test_data/certs.sh | 0 .../tls/ocsp/test_data/ecdsa_cert.pem | 0 .../tls/ocsp/test_data/ecdsa_key.pem | 0 .../tls/ocsp/test_data/ecdsa_ocsp_req.der | Bin .../tls/ocsp/test_data/ecdsa_ocsp_resp.der | Bin .../tls/ocsp/test_data/good_cert.pem | 0 .../tls/ocsp/test_data/good_key.pem | 0 .../tls/ocsp/test_data/good_ocsp_req.der | Bin .../tls/ocsp/test_data/good_ocsp_resp.der | Bin .../ocsp/test_data/good_ocsp_resp_details.txt | 0 .../ocsp/test_data/intermediate_ca_cert.pem | 0 .../ocsp/test_data/intermediate_ca_key.pem | 0 .../ocsp/test_data/multiple_cert_ocsp_req.der | Bin .../test_data/multiple_cert_ocsp_resp.der | Bin .../test_data/responder_key_hash_ocsp_req.der | Bin .../responder_key_hash_ocsp_resp.der | Bin .../tls/ocsp/test_data/revoked_cert.pem | 0 .../tls/ocsp/test_data/revoked_key.pem | 0 .../tls/ocsp/test_data/revoked_ocsp_req.der | Bin 
.../tls/ocsp/test_data/revoked_ocsp_resp.der | Bin .../tls/ocsp/test_data/unknown_ocsp_req.der | Bin .../tls/ocsp/test_data/unknown_ocsp_resp.der | Bin .../tls/ssl_certs_test.h | 0 .../tls/ssl_socket_test.cc | 1567 ++++++++--------- .../tls/ssl_test_utility.h | 0 .../tls/test_data/BUILD | 0 .../tls/test_data/README.md | 0 .../tls/test_data/aes_128_key | 0 .../tls/test_data/bad_rsa_key_usage_cert.cfg | 0 .../tls/test_data/bad_rsa_key_usage_cert.pem | 0 .../test_data/bad_rsa_key_usage_cert_info.h | 0 .../tls/test_data/bad_rsa_key_usage_key.pem | 0 .../tls/test_data/ca_cert.cfg | 0 .../tls/test_data/ca_cert.crl | 0 .../tls/test_data/ca_cert.pem | 0 .../tls/test_data/ca_cert_info.h | 0 .../tls/test_data/ca_cert_with_crl.pem | 0 .../tls/test_data/ca_certificates.pem | 0 .../tls/test_data/ca_key.pem | 0 .../tls/test_data/certs.sh | 0 .../tls/test_data/expired_cert.pem | 0 .../tls/test_data/expired_cert_info.h | 0 .../tls/test_data/expired_key.pem | 0 .../tls/test_data/expired_san_uri_cert.pem | 0 .../tls/test_data/expired_san_uri_cert_info.h | 0 .../tls/test_data/expired_san_uri_key.pem | 0 .../tls/test_data/expired_spiffe_san_cert.pem | 0 .../test_data/expired_spiffe_san_cert_info.h | 0 .../test_data/expired_spiffe_san_cert_key.pem | 0 .../tls/test_data/expired_spiffe_san_key.pem | 0 .../tls/test_data/extensions_cert.cfg | 0 .../tls/test_data/extensions_cert.pem | 0 .../tls/test_data/extensions_cert_info.h | 0 .../tls/test_data/extensions_key.pem | 0 .../tls/test_data/fake_ca_cert.cfg | 0 .../tls/test_data/fake_ca_cert.pem | 0 .../tls/test_data/fake_ca_cert_info.h | 0 .../tls/test_data/fake_ca_key.pem | 0 .../tls/test_data/i1_cert.cfg | 0 .../tls/test_data/i2_cert.cfg | 0 .../tls/test_data/i3_cert.cfg | 0 .../tls/test_data/i4_cert.cfg | 0 .../tls/test_data/intermediate_ca_cert.cfg | 0 .../tls/test_data/intermediate_ca_cert.crl | 0 .../tls/test_data/intermediate_ca_cert.pem | 0 .../test_data/intermediate_ca_cert_chain.crl | 0 .../test_data/intermediate_ca_cert_chain.pem 
| 0 .../intermediate_ca_cert_chain_with_crl.pem | 0 ...ermediate_ca_cert_chain_with_crl_chain.pem | 0 .../tls/test_data/intermediate_ca_cert_info.h | 0 .../tls/test_data/intermediate_ca_key.pem | 0 .../tls/test_data/keyusage_cert_sign_cert.cfg | 0 .../tls/test_data/keyusage_cert_sign_cert.pem | 0 .../test_data/keyusage_cert_sign_cert_info.h | 0 .../tls/test_data/keyusage_cert_sign_key.pem | 0 .../tls/test_data/keyusage_crl_sign_cert.cfg | 0 .../tls/test_data/keyusage_crl_sign_cert.pem | 0 .../test_data/keyusage_crl_sign_cert_info.h | 0 .../tls/test_data/keyusage_crl_sign_key.pem | 0 .../tls/test_data/long_validity_cert.pem | 0 .../tls/test_data/long_validity_cert_info.h | 0 .../tls/test_data/long_validity_key.pem | 0 .../tls/test_data/no_san_cert.cfg | 0 .../tls/test_data/no_san_cert.pem | 0 .../tls/test_data/no_san_cert_info.h | 0 .../tls/test_data/no_san_chain.pem | 0 .../tls/test_data/no_san_cn_cert.cfg | 0 .../tls/test_data/no_san_cn_cert.pem | 0 .../tls/test_data/no_san_cn_cert_info.h | 0 .../tls/test_data/no_san_cn_key.pem | 0 .../tls/test_data/no_san_key.pem | 0 .../tls/test_data/no_subject_cert.cfg | 0 .../tls/test_data/no_subject_cert.pem | 0 .../tls/test_data/no_subject_cert_info.h | 0 .../tls/test_data/no_subject_key.pem | 0 .../tls/test_data/non_spiffe_san_cert.cfg | 0 .../tls/test_data/non_spiffe_san_cert.pem | 0 .../tls/test_data/non_spiffe_san_cert_info.h | 0 .../tls/test_data/non_spiffe_san_key.pem | 0 .../tls/test_data/not_a_crl.crl | 0 .../tls/test_data/password_protected_cert.pem | 0 .../test_data/password_protected_cert_info.h | 0 .../test_data/password_protected_certkey.p12 | Bin .../tls/test_data/password_protected_key.pem | 0 .../test_data/password_protected_password.txt | 0 .../tls/test_data/san_dns2_cert.pem | 0 .../tls/test_data/san_dns2_cert_info.h | 0 .../tls/test_data/san_dns2_key.pem | 0 .../tls/test_data/san_dns3_cert.pem | 0 .../tls/test_data/san_dns3_cert_info.h | 0 .../tls/test_data/san_dns3_certkeychain.p12 | Bin 
.../tls/test_data/san_dns3_chain.pem | 0 .../tls/test_data/san_dns3_key.pem | 0 .../tls/test_data/san_dns4_cert.pem | 0 .../tls/test_data/san_dns4_cert_info.h | 0 .../tls/test_data/san_dns4_key.pem | 0 .../tls/test_data/san_dns_cert.cfg | 0 .../tls/test_data/san_dns_cert.pem | 0 .../tls/test_data/san_dns_cert_info.h | 0 .../tls/test_data/san_dns_ecdsa_1_cert.pem | 0 .../tls/test_data/san_dns_ecdsa_1_cert_info.h | 0 .../tls/test_data/san_dns_ecdsa_1_key.pem | 0 .../tls/test_data/san_dns_ecdsa_2_cert.pem | 0 .../tls/test_data/san_dns_ecdsa_2_cert_info.h | 0 .../tls/test_data/san_dns_ecdsa_2_key.pem | 0 .../tls/test_data/san_dns_key.pem | 0 .../tls/test_data/san_dns_rsa_1_cert.pem | 0 .../tls/test_data/san_dns_rsa_1_cert_info.h | 0 .../tls/test_data/san_dns_rsa_1_cert_key.pem | 0 .../tls/test_data/san_dns_rsa_1_key.pem | 0 .../tls/test_data/san_dns_rsa_2_cert.pem | 0 .../tls/test_data/san_dns_rsa_2_cert_info.h | 0 .../tls/test_data/san_dns_rsa_2_key.pem | 0 .../tls/test_data/san_dns_server1_cert.cfg | 0 .../tls/test_data/san_dns_server2_cert.cfg | 0 .../tls/test_data/san_ip_cert.cfg | 0 .../tls/test_data/san_ip_cert.pem | 0 .../tls/test_data/san_ip_cert_info.h | 0 .../tls/test_data/san_ip_chain.pem | 0 .../tls/test_data/san_ip_key.pem | 0 .../tls/test_data/san_multiple_dns_1_cert.cfg | 0 .../tls/test_data/san_multiple_dns_1_cert.pem | 0 .../test_data/san_multiple_dns_1_cert_info.h | 0 .../tls/test_data/san_multiple_dns_1_key.pem | 0 .../tls/test_data/san_multiple_dns_cert.cfg | 0 .../tls/test_data/san_multiple_dns_cert.pem | 0 .../test_data/san_multiple_dns_cert_info.h | 0 .../tls/test_data/san_multiple_dns_key.pem | 0 .../tls/test_data/san_only_dns_cert.cfg | 0 .../tls/test_data/san_only_dns_cert.pem | 0 .../tls/test_data/san_only_dns_cert_info.h | 0 .../tls/test_data/san_only_dns_key.pem | 0 .../tls/test_data/san_uri_cert.cfg | 0 .../tls/test_data/san_uri_cert.pem | 0 .../tls/test_data/san_uri_cert_info.h | 0 .../tls/test_data/san_uri_key.pem | 0 
.../tls/test_data/san_wildcard_dns_cert.cfg | 0 .../tls/test_data/san_wildcard_dns_cert.pem | 0 .../test_data/san_wildcard_dns_cert_info.h | 0 .../tls/test_data/san_wildcard_dns_key.pem | 0 .../tls/test_data/selfsigned2_cert.pem | 0 .../tls/test_data/selfsigned2_cert_info.h | 0 .../test_data/selfsigned2_ecdsa_p256_cert.pem | 0 .../selfsigned2_ecdsa_p256_cert_info.h | 0 .../tls/test_data/selfsigned_cert.cfg | 0 .../tls/test_data/selfsigned_cert.pem | 0 .../tls/test_data/selfsigned_cert_info.h | 0 .../test_data/selfsigned_ecdsa_p256_cert.pem | 0 .../selfsigned_ecdsa_p256_cert_info.h | 0 .../test_data/selfsigned_ecdsa_p256_key.pem | 0 .../test_data/selfsigned_ecdsa_p384_cert.pem | 0 .../selfsigned_ecdsa_p384_cert_info.h | 0 .../selfsigned_ecdsa_p384_certkey.p12 | Bin .../test_data/selfsigned_ecdsa_p384_key.pem | 0 .../tls/test_data/selfsigned_key.pem | 0 .../test_data/selfsigned_rsa_1024_cert.pem | 0 .../test_data/selfsigned_rsa_1024_cert_info.h | 0 .../test_data/selfsigned_rsa_1024_certkey.p12 | Bin .../tls/test_data/selfsigned_rsa_1024_key.pem | 0 .../test_data/selfsigned_rsa_3072_cert.pem | 0 .../test_data/selfsigned_rsa_3072_cert_info.h | 0 .../tls/test_data/selfsigned_rsa_3072_key.pem | 0 .../test_data/selfsigned_rsa_4096_cert.pem | 0 .../test_data/selfsigned_rsa_4096_cert_info.h | 0 .../tls/test_data/selfsigned_rsa_4096_key.pem | 0 .../tls/test_data/spiffe_san_cert.cfg | 0 .../tls/test_data/spiffe_san_cert.pem | 0 .../tls/test_data/spiffe_san_cert_info.h | 0 .../tls/test_data/spiffe_san_key.pem | 0 ...spiffe_san_signed_by_intermediate_cert.pem | 0 ...ffe_san_signed_by_intermediate_cert_info.h | 0 .../spiffe_san_signed_by_intermediate_key.pem | 0 .../tls/test_data/test_long_cert_chain.pem | 0 .../tls/test_data/test_random_cert.pem | 0 .../tls/test_data/ticket_key_a | 0 .../tls/test_data/ticket_key_b | 0 .../tls/test_data/ticket_key_wrong_len | 0 .../tls/test_data/unittest_cert.cfg | 0 .../tls/test_data/unittest_cert.pem | 0 .../tls/test_data/unittest_cert_info.h 
| 0 .../tls/test_data/unittest_key.pem | 0 .../tls/test_private_key_method_provider.cc | 2 +- .../tls/test_private_key_method_provider.h | 0 .../tls/tls_throughput_benchmark.cc | 8 +- .../tls/utility_test.cc | 60 +- test/common/upstream/BUILD | 6 +- test/common/upstream/hds_test.cc | 2 +- test/common/upstream/test_cluster_manager.h | 2 +- test/common/upstream/upstream_impl_test.cc | 48 +- test/extensions/access_loggers/grpc/BUILD | 4 +- .../tcp_grpc_access_log_integration_test.cc | 4 +- .../clusters/dynamic_forward_proxy/BUILD | 2 +- .../filter_integration_test.cc | 4 +- .../proxy_filter_integration_test.cc | 4 +- .../http/router/auto_sni_integration_test.cc | 4 +- .../filters/listener/tls_inspector/BUILD | 4 +- .../tls_inspector_integration_test.cc | 4 +- .../proxy_filter_integration_test.cc | 4 +- ...ected_resource_monitor_integration_test.cc | 2 +- .../upstream_starttls_integration_test.cc | 4 +- .../tls/cert_validator/spiffe/BUILD | 8 +- .../spiffe_validator_integration_test.cc | 8 +- .../spiffe/spiffe_validator_test.cc | 112 +- test/integration/BUILD | 34 +- .../alpn_selection_integration_test.cc | 6 +- test/integration/base_integration_test.cc | 4 +- test/integration/base_integration_test.h | 2 +- test/integration/http_integration.cc | 6 +- .../integration/quic_http_integration_test.cc | 4 +- .../sds_dynamic_integration_test.cc | 8 +- .../sds_static_integration_test.cc | 4 +- test/integration/ssl_utility.cc | 10 +- test/integration/ssl_utility.h | 2 +- .../integration/tcp_proxy_integration_test.cc | 2 +- test/integration/xfcc_integration_test.cc | 6 +- test/mocks/server/BUILD | 2 +- test/mocks/server/factory_context.h | 2 +- test/mocks/server/listener_factory_context.h | 2 +- test/mocks/server/server_factory_context.h | 2 +- test/per_file_coverage.sh | 6 +- test/server/admin/BUILD | 2 +- test/server/admin/server_info_handler_test.cc | 2 +- test/server/config_validation/BUILD | 2 +- .../config_validation/cluster_manager_test.cc | 2 +- 
tools/code_format/config.yaml | 3 + 362 files changed, 1922 insertions(+), 1921 deletions(-) create mode 100644 source/common/tls/BUILD rename source/{extensions/transport_sockets => common}/tls/cert_validator/BUILD (88%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/cert_validator.h (98%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/default_validator.cc (98%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/default_validator.h (95%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/factory.cc (87%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/factory.h (85%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/san_matcher.cc (94%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/san_matcher.h (95%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/utility.cc (94%) rename source/{extensions/transport_sockets => common}/tls/cert_validator/utility.h (100%) rename source/{extensions/transport_sockets => common}/tls/connection_info_impl_base.cc (99%) rename source/{extensions/transport_sockets => common}/tls/connection_info_impl_base.h (98%) rename source/{extensions/transport_sockets => common}/tls/context_config_impl.cc (99%) rename source/{extensions/transport_sockets => common}/tls/context_config_impl.h (100%) rename source/{extensions/transport_sockets => common}/tls/context_impl.cc (99%) rename source/{extensions/transport_sockets => common}/tls/context_impl.h (96%) rename source/{extensions/transport_sockets => common}/tls/context_manager_impl.cc (95%) rename source/{extensions/transport_sockets => common}/tls/context_manager_impl.h (95%) rename source/{extensions/transport_sockets => common}/tls/io_handle_bio.cc (97%) rename source/{extensions/transport_sockets => common}/tls/io_handle_bio.h (100%) rename source/{extensions/transport_sockets => 
common}/tls/ocsp/BUILD (84%) rename source/{extensions/transport_sockets => common}/tls/ocsp/asn1_utility.cc (98%) rename source/{extensions/transport_sockets => common}/tls/ocsp/asn1_utility.h (100%) rename source/{extensions/transport_sockets => common}/tls/ocsp/ocsp.cc (98%) rename source/{extensions/transport_sockets => common}/tls/ocsp/ocsp.h (100%) rename source/{extensions/transport_sockets => common}/tls/private_key/BUILD (90%) rename source/{extensions/transport_sockets => common}/tls/private_key/private_key_manager_impl.cc (91%) rename source/{extensions/transport_sockets => common}/tls/private_key/private_key_manager_impl.h (100%) rename source/{extensions/transport_sockets => common}/tls/ssl_handshaker.cc (96%) rename source/{extensions/transport_sockets => common}/tls/ssl_handshaker.h (97%) rename source/{extensions/transport_sockets => common}/tls/ssl_socket.cc (98%) rename source/{extensions/transport_sockets => common}/tls/ssl_socket.h (96%) rename source/{extensions/transport_sockets => common}/tls/stats.cc (89%) rename source/{extensions/transport_sockets => common}/tls/stats.h (100%) rename source/{extensions/transport_sockets => common}/tls/utility.cc (99%) rename source/{extensions/transport_sockets => common}/tls/utility.h (100%) rename test/{extensions/transport_sockets => common}/tls/BUILD (77%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/BUILD (72%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/default_validator_integration_test.cc (99%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/default_validator_integration_test.h (100%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/default_validator_test.cc (84%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/factory_test.cc (83%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/san_matcher_test.cc (97%) rename test/{extensions/transport_sockets => 
common}/tls/cert_validator/test_common.h (100%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/timed_cert_validator.cc (97%) rename test/{extensions/transport_sockets => common}/tls/cert_validator/timed_cert_validator.h (95%) rename test/{extensions/transport_sockets => common}/tls/context_impl_test.cc (79%) rename test/{extensions/transport_sockets => common}/tls/handshaker_factory_test.cc (97%) rename test/{extensions/transport_sockets => common}/tls/handshaker_test.cc (96%) rename test/{extensions/transport_sockets => common}/tls/integration/BUILD (88%) rename test/{extensions/transport_sockets => common}/tls/integration/sni_to_header_filter.cc (100%) rename test/{extensions/transport_sockets => common}/tls/integration/ssl_integration_test.cc (99%) rename test/{extensions/transport_sockets => common}/tls/integration/ssl_integration_test.h (100%) rename test/{extensions/transport_sockets => common}/tls/io_handle_bio_test.cc (94%) rename test/{extensions/transport_sockets => common}/tls/ocsp/BUILD (57%) rename test/{extensions/transport_sockets => common}/tls/ocsp/asn1_utility_test.cc (99%) rename test/{extensions/transport_sockets => common}/tls/ocsp/ocsp_test.cc (96%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/BUILD (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/README.md (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/ca_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/ca_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/certs.sh (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/ecdsa_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/ecdsa_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/ecdsa_ocsp_req.der (100%) rename test/{extensions/transport_sockets => 
common}/tls/ocsp/test_data/ecdsa_ocsp_resp.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/good_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/good_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/good_ocsp_req.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/good_ocsp_resp.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/good_ocsp_resp_details.txt (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/intermediate_ca_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/intermediate_ca_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/multiple_cert_ocsp_req.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/multiple_cert_ocsp_resp.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/responder_key_hash_ocsp_req.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/revoked_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/revoked_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/revoked_ocsp_req.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/revoked_ocsp_resp.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/unknown_ocsp_req.der (100%) rename test/{extensions/transport_sockets => common}/tls/ocsp/test_data/unknown_ocsp_resp.der (100%) rename test/{extensions/transport_sockets => common}/tls/ssl_certs_test.h (100%) rename test/{extensions/transport_sockets => common}/tls/ssl_socket_test.cc (78%) rename test/{extensions/transport_sockets => 
common}/tls/ssl_test_utility.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/BUILD (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/README.md (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/aes_128_key (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/bad_rsa_key_usage_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/bad_rsa_key_usage_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/bad_rsa_key_usage_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/bad_rsa_key_usage_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ca_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ca_cert.crl (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ca_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ca_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ca_cert_with_crl.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ca_certificates.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ca_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/certs.sh (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_san_uri_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_san_uri_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_san_uri_key.pem (100%) rename 
test/{extensions/transport_sockets => common}/tls/test_data/expired_spiffe_san_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_spiffe_san_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_spiffe_san_cert_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/expired_spiffe_san_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/extensions_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/extensions_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/extensions_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/extensions_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/fake_ca_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/fake_ca_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/fake_ca_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/fake_ca_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/i1_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/i2_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/i3_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/i4_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert.crl (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert_chain.crl (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert_chain.pem 
(100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert_chain_with_crl.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/intermediate_ca_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_cert_sign_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_cert_sign_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_cert_sign_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_cert_sign_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_crl_sign_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_crl_sign_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_crl_sign_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/keyusage_crl_sign_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/long_validity_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/long_validity_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/long_validity_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_chain.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_cn_cert.cfg 
(100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_cn_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_cn_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_cn_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_san_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_subject_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_subject_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_subject_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/no_subject_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/non_spiffe_san_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/non_spiffe_san_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/non_spiffe_san_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/non_spiffe_san_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/not_a_crl.crl (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/password_protected_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/password_protected_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/password_protected_certkey.p12 (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/password_protected_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/password_protected_password.txt (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns2_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns2_cert_info.h (100%) rename test/{extensions/transport_sockets => 
common}/tls/test_data/san_dns2_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns3_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns3_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns3_certkeychain.p12 (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns3_chain.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns3_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns4_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns4_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns4_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_ecdsa_1_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_ecdsa_1_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_ecdsa_1_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_ecdsa_2_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_ecdsa_2_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_ecdsa_2_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_rsa_1_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_rsa_1_cert_info.h (100%) rename test/{extensions/transport_sockets 
=> common}/tls/test_data/san_dns_rsa_1_cert_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_rsa_1_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_rsa_2_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_rsa_2_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_rsa_2_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_server1_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_dns_server2_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_ip_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_ip_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_ip_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_ip_chain.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_ip_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_1_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_1_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_1_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_1_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_multiple_dns_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_only_dns_cert.cfg 
(100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_only_dns_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_only_dns_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_only_dns_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_uri_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_uri_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_uri_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_uri_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_wildcard_dns_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_wildcard_dns_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_wildcard_dns_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/san_wildcard_dns_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned2_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned2_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned2_ecdsa_p256_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_ecdsa_p256_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_ecdsa_p256_cert_info.h (100%) rename 
test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_ecdsa_p256_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_ecdsa_p384_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_ecdsa_p384_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_ecdsa_p384_certkey.p12 (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_ecdsa_p384_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_1024_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_1024_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_1024_certkey.p12 (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_1024_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_3072_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_3072_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_3072_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_4096_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_4096_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/selfsigned_rsa_4096_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/spiffe_san_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/spiffe_san_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/spiffe_san_cert_info.h (100%) rename test/{extensions/transport_sockets => 
common}/tls/test_data/spiffe_san_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/spiffe_san_signed_by_intermediate_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/test_long_cert_chain.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/test_random_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ticket_key_a (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ticket_key_b (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/ticket_key_wrong_len (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/unittest_cert.cfg (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/unittest_cert.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/unittest_cert_info.h (100%) rename test/{extensions/transport_sockets => common}/tls/test_data/unittest_key.pem (100%) rename test/{extensions/transport_sockets => common}/tls/test_private_key_method_provider.cc (99%) rename test/{extensions/transport_sockets => common}/tls/test_private_key_method_provider.h (100%) rename test/{extensions/transport_sockets => common}/tls/tls_throughput_benchmark.cc (96%) rename test/{extensions/transport_sockets => common}/tls/utility_test.cc (76%)
diff --git a/.gitattributes b/.gitattributes
index 0dd1d568f0b3..74e5a411fb82 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -3,8 +3,8 @@
/generated_api_shadow/envoy/** linguist-generated=true
/generated_api_shadow/bazel/** linguist-generated=true
*.svg binary
-/test/extensions/transport_sockets/tls/test_data/aes_128_key binary
-/test/extensions/transport_sockets/tls/test_data/ticket_key_* binary
+/test/common/tls/test_data/aes_128_key binary
+/test/common/tls/test_data/ticket_key_* binary
/test/**/*_corpus/* linguist-generated=true
requirements.txt binary
package.lock binary
diff --git a/contrib/cryptomb/private_key_providers/test/BUILD b/contrib/cryptomb/private_key_providers/test/BUILD
index 95bddf58d511..6b4c01fa3ec4 100644
--- a/contrib/cryptomb/private_key_providers/test/BUILD
+++ b/contrib/cryptomb/private_key_providers/test/BUILD
@@ -52,7 +52,7 @@ envoy_cc_test(
deps = [
":test_fake_factory",
"//source/common/common:random_generator_lib",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
"//test/mocks/runtime:runtime_mocks",
"//test/mocks/server:server_mocks",
"//test/mocks/ssl:ssl_mocks",
@@ -75,7 +75,7 @@ envoy_cc_test(
],
deps = [
":test_fake_factory",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
"//test/mocks/stats:stats_mocks",
"//test/test_common:environment_lib",
"//test/test_common:simulated_time_system_lib",
diff --git a/contrib/cryptomb/private_key_providers/test/config_test.cc b/contrib/cryptomb/private_key_providers/test/config_test.cc
index 0ac6ce5ff3aa..1c0b5d18c48a 100644
--- a/contrib/cryptomb/private_key_providers/test/config_test.cc
+++ b/contrib/cryptomb/private_key_providers/test/config_test.cc
@@ -1,7 +1,7 @@
#include
#include "source/common/common/random_generator.h"
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
#include "test/common/stats/stat_test_utility.h"
#include "test/mocks/common.h"
diff --git a/contrib/cryptomb/private_key_providers/test/ops_test.cc b/contrib/cryptomb/private_key_providers/test/ops_test.cc
index f25e5fcfbe84..d5f35db774b3 100644
--- a/contrib/cryptomb/private_key_providers/test/ops_test.cc
+++ b/contrib/cryptomb/private_key_providers/test/ops_test.cc
@@ -3,7 +3,7 @@
#include
#include
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
#include "test/common/stats/stat_test_utility.h"
#include "test/test_common/environment.h"
diff --git a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
index 901a9befdca7..fb47ccde35d0 100644
--- a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
+++ b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
@@ -1,7 +1,7 @@
#include "source/common/network/connection_impl.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
#include "source/extensions/filters/network/common/factory_base.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
#include "test/integration/fake_upstream.h"
#include "test/integration/integration.h"
diff --git a/contrib/qat/private_key_providers/test/BUILD b/contrib/qat/private_key_providers/test/BUILD
index 136f25c8f740..85a8d16ae19a 100644
--- a/contrib/qat/private_key_providers/test/BUILD
+++ b/contrib/qat/private_key_providers/test/BUILD
@@ -51,7 +51,7 @@ envoy_cc_test(
deps = [
":test_fake_factory",
"//source/common/common:random_generator_lib",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
"//test/mocks/runtime:runtime_mocks",
"//test/mocks/server:server_mocks",
"//test/mocks/ssl:ssl_mocks",
@@ -72,7 +72,7 @@ envoy_cc_test(
],
deps = [
":test_fake_factory",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
+ "//source/common/tls/private_key:private_key_manager_lib",
"//test/mocks/server:server_mocks",
"//test/test_common:environment_lib",
"//test/test_common:simulated_time_system_lib",
diff --git a/contrib/qat/private_key_providers/test/config_test.cc b/contrib/qat/private_key_providers/test/config_test.cc
index 55542d230809..d6e2304d06cf 100644
--- a/contrib/qat/private_key_providers/test/config_test.cc
+++ b/contrib/qat/private_key_providers/test/config_test.cc
@@ -1,7 +1,7 @@
#include
#include "source/common/common/random_generator.h"
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
#include "test/common/stats/stat_test_utility.h"
#include "test/mocks/common.h"
diff --git a/contrib/qat/private_key_providers/test/ops_test.cc b/contrib/qat/private_key_providers/test/ops_test.cc
index 9ea47b1d172e..11cd9b35bbc2 100644
--- a/contrib/qat/private_key_providers/test/ops_test.cc
+++ b/contrib/qat/private_key_providers/test/ops_test.cc
@@ -3,7 +3,7 @@
#include
#include
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
#include "test/common/stats/stat_test_utility.h"
#include "test/mocks/server/transport_socket_factory_context.h"
diff --git a/envoy/ssl/certificate_validation_context_config.h b/envoy/ssl/certificate_validation_context_config.h
index aa0214b77a81..c9488798eb29 100644
--- a/envoy/ssl/certificate_validation_context_config.h
+++ b/envoy/ssl/certificate_validation_context_config.h
@@ -19,7 +19,7 @@ namespace Ssl {
//
// When adding or changing this interface, it is likely that a change is needed to
// `DefaultCertValidator::updateDigestForSessionId` in
-// `source/extensions/transport_sockets/tls/cert_validator/default_validator.cc`.
+// `source/common/tls/cert_validator/default_validator.cc`.
class CertificateValidationContextConfig {
public:
virtual ~CertificateValidationContextConfig() = default;
diff --git a/mobile/envoy_build_config/BUILD b/mobile/envoy_build_config/BUILD
index 3c392fe389dc..b2da2c4b90b5 100644
--- a/mobile/envoy_build_config/BUILD
+++ b/mobile/envoy_build_config/BUILD
@@ -23,6 +23,7 @@ envoy_cc_library(
"@envoy//source/common/http/matching:inputs_lib",
"@envoy//source/common/network:socket_lib",
"@envoy//source/common/router:upstream_codec_filter_lib",
+ "@envoy//source/common/tls/cert_validator:cert_validator_lib",
"@envoy//source/common/upstream:default_local_address_selector_factory",
"@envoy//source/common/watchdog:abort_action_config",
"@envoy//source/extensions/clusters/dynamic_forward_proxy:cluster",
@@ -43,7 +44,6 @@ envoy_cc_library(
"@envoy//source/extensions/transport_sockets/http_11_proxy:upstream_config",
"@envoy//source/extensions/transport_sockets/raw_buffer:config",
"@envoy//source/extensions/transport_sockets/tls:config",
- "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
"@envoy//source/extensions/upstreams/http/generic:config",
"@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
"@envoy_mobile//library/common/extensions/filters/http/local_error:config",
diff --git a/mobile/envoy_build_config/extension_registry.cc b/mobile/envoy_build_config/extension_registry.cc
index a7d105e9766f..502ee8c04a1f 100644
--- a/mobile/envoy_build_config/extension_registry.cc
+++ b/mobile/envoy_build_config/extension_registry.cc
@@ -6,6 +6,7 @@
#include "source/common/network/resolver_impl.h"
#include "source/common/network/socket_interface_impl.h"
#include "source/common/router/upstream_codec_filter.h"
+#include "source/common/tls/cert_validator/default_validator.h"
#include "source/common/upstream/default_local_address_selector_factory.h"
#include "source/common/watchdog/abort_action_config.h"
#include "source/extensions/clusters/dynamic_forward_proxy/cluster.h"
@@ -28,7 +29,6 @@
#include "source/extensions/request_id/uuid/config.h"
#include "source/extensions/transport_sockets/http_11_proxy/config.h"
#include "source/extensions/transport_sockets/raw_buffer/config.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
#include "source/extensions/transport_sockets/tls/config.h"
#include "source/extensions/upstreams/http/generic/config.h"
@@ -63,7 +63,7 @@
#include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
#include "source/extensions/config_subscription/grpc/grpc_subscription_factory.h"
#include "source/extensions/config_subscription/grpc/new_grpc_mux_impl.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/default_validator.h"
#endif
namespace Envoy {
diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD b/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD
index 2b19aeb203f2..bf2371bba072 100644
--- a/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD
+++ b/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD
@@ -35,7 +35,7 @@ envoy_cc_library(
":c_types_lib",
":platform_bridge_cc_proto",
"//library/common/system:system_helper_lib",
- "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+ "@envoy//source/common/tls/cert_validator:cert_validator_lib",
],
)
diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/config.h b/mobile/library/common/extensions/cert_validator/platform_bridge/config.h
index 87ac174c6af4..bc884fddc3ac 100644
--- a/mobile/library/common/extensions/cert_validator/platform_bridge/config.h
+++ b/mobile/library/common/extensions/cert_validator/platform_bridge/config.h
@@ -2,7 +2,7 @@
#include "envoy/registry/registry.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
+#include "source/common/tls/cert_validator/factory.h"
#include "library/common/extensions/cert_validator/platform_bridge/platform_bridge.pb.h"
#include "library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h"
diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h
index db190635e03e..42587bbb546c 100644
--- a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h
+++ b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h
@@ -2,7 +2,7 @@
#include
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/default_validator.h"
#include "absl/container/flat_hash_map.h"
#include "library/common/extensions/cert_validator/platform_bridge/c_types.h"
diff --git a/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD b/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD
index 143630841677..2956e5eeed83 100644
--- a/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD
+++ b/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD
@@ -12,17 +12,17 @@ envoy_extension_cc_test(
name = "platform_bridge_cert_validator_test",
srcs = ["platform_bridge_cert_validator_test.cc"],
data = [
- "@envoy//test/extensions/transport_sockets/tls/test_data:certs",
+ "@envoy//test/common/tls/test_data:certs",
],
extension_names = ["envoy_mobile.cert_validator.platform_bridge_cert_validator"],
repository = "@envoy",
deps = [
"//library/common/extensions/cert_validator/platform_bridge:config",
"//test/common/mocks/common:common_mocks",
- "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
- "@envoy//test/extensions/transport_sockets/tls:ssl_test_utils",
- "@envoy//test/extensions/transport_sockets/tls/cert_validator:test_common",
- "@envoy//test/extensions/transport_sockets/tls/test_data:cert_infos",
+ "@envoy//source/common/tls/cert_validator:cert_validator_lib",
+ "@envoy//test/common/tls:ssl_test_utils",
+ "@envoy//test/common/tls/cert_validator:test_common",
+ "@envoy//test/common/tls/test_data:cert_infos",
"@envoy//test/mocks/event:event_mocks",
"@envoy//test/mocks/ssl:ssl_mocks",
"@envoy//test/test_common:environment_lib",
diff --git a/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc b/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc
index 76f7b46a6bf2..2d05403d394a 100644
--- a/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc
+++ b/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc
@@ -5,15 +5,15 @@
#include "source/common/crypto/crypto_impl.h"
#include "source/common/crypto/utility.h"
#include "source/common/network/transport_socket_options_impl.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h"
-#include "source/extensions/transport_sockets/tls/stats.h"
+#include "source/common/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/san_matcher.h"
+#include "source/common/tls/stats.h"
#include "test/common/mocks/common/mocks.h"
#include "test/common/stats/stat_test_utility.h"
-#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h"
-#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
-#include "test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h"
+#include "test/common/tls/cert_validator/test_common.h"
+#include "test/common/tls/ssl_test_utility.h"
+#include "test/common/tls/test_data/san_dns2_cert_info.h"
#include "test/mocks/event/mocks.h"
#include "test/mocks/ssl/mocks.h"
#include "test/test_common/environment.h"
@@ -168,8 +168,8 @@ TEST_P(PlatformBridgeCertValidatorTest, NoCallback) {
initializeConfig();
PlatformBridgeCertValidator validator(&config_, stats_);
- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem"));
std::string hostname = "www.example.com";
EXPECT_ENVOY_BUG(
@@ -206,8 +206,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificate) {
PlatformBridgeCertValidator validator(&config_, stats_);
std::string hostname = "server1.example.com";
- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem"));
envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL};
EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result));
EXPECT_CALL(*mock_validator_, cleanup());
@@ -236,8 +236,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptySanOverrides) {
PlatformBridgeCertValidator validator(&config_, stats_);
std::string hostname = "server1.example.com";
- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem"));
envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL};
EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result));
EXPECT_CALL(*mock_validator_, cleanup());
@@ -271,8 +271,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptyHostNoOverrides) {
PlatformBridgeCertValidator validator(&config_, stats_);
std::string hostname = "";
- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem"));
envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL};
EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result));
EXPECT_CALL(*mock_validator_, cleanup());
@@ -306,8 +306,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateButInvalidSni) {
PlatformBridgeCertValidator validator(&config_, stats_);
std::string hostname = "server2.example.com";
- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem"));
envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL};
EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result));
EXPECT_CALL(*mock_validator_, cleanup());
@@ -338,8 +338,8 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateSniOverride) {
std::vector subject_alt_names = {"server1.example.com"};
std::string hostname = "server2.example.com";
- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem"));
envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL};
EXPECT_CALL(*mock_validator_, validate(_, StrEq(subject_alt_names[0].c_str()))) .WillOnce(Return(result));
@@ -369,8 +369,8 @@ TEST_P(PlatformBridgeCertValidatorTest, DeletedWithValidationPending) {
auto validator = std::make_unique(&config_, stats_);
std::string hostname = "server1.example.com";
- bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem"));
+ bssl::UniquePtr cert_chain = readCertChainFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem"));
envoy_cert_validation_result result = {ENVOY_SUCCESS, 0, NULL};
EXPECT_CALL(*mock_validator_, validate(_, _)).WillOnce(Return(result));
EXPECT_CALL(*mock_validator_, cleanup());
diff --git a/mobile/test/common/integration/BUILD b/mobile/test/common/integration/BUILD
index eb8f61380637..a60cc0281793 100644
--- a/mobile/test/common/integration/BUILD
+++ b/mobile/test/common/integration/BUILD
@@ -112,9 +112,9 @@ envoy_cc_test( deps = [ ":xds_integration_test_lib", "@envoy//source/common/config:protobuf_link_hacks", + "@envoy//source/common/tls:context_config_lib", + "@envoy//source/common/tls:context_lib", "@envoy//source/extensions/transport_sockets/tls:config", - "@envoy//source/extensions/transport_sockets/tls:context_config_lib", - "@envoy//source/extensions/transport_sockets/tls:context_lib", "@envoy//test/test_common:environment_lib", "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto", "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto", @@ -207,10 +207,10 @@ envoy_cc_test_library( deps = [ ":base_client_integration_test_lib", "@envoy//source/common/event:libevent_lib", + "@envoy//source/common/tls:context_config_lib", + "@envoy//source/common/tls:context_lib", + "@envoy//source/common/tls:ssl_socket_lib", "@envoy//source/exe:process_wide_lib", - "@envoy//source/extensions/transport_sockets/tls:context_config_lib", - "@envoy//source/extensions/transport_sockets/tls:context_lib", - "@envoy//source/extensions/transport_sockets/tls:ssl_socket_lib", "@envoy//test/integration:autonomous_upstream_lib", "@envoy//test/integration:utility_lib", "@envoy//test/mocks/server:transport_socket_factory_context_mocks", diff --git a/mobile/test/common/integration/client_integration_test.cc b/mobile/test/common/integration/client_integration_test.cc index a9761afeb3c5..10fc01d4c0be 100644 --- a/mobile/test/common/integration/client_integration_test.cc +++ b/mobile/test/common/integration/client_integration_test.cc 
@@ -1,10 +1,10 @@
 #include "source/common/quic/quic_server_transport_socket_factory.h"
 #include "source/common/quic/server_codec_impl.h"
+#include "source/common/tls/cert_validator/default_validator.h"
 #include "source/extensions/http/header_formatters/preserve_case/preserve_case_formatter.h"
 #include "source/extensions/quic/connection_id_generator/envoy_deterministic_connection_id_generator_config.h"
 #include "source/extensions/quic/crypto_stream/envoy_quic_crypto_server_stream.h"
 #include "source/extensions/quic/proof_source/envoy_quic_proof_source_factory_impl.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
 #include "source/extensions/udp_packet_writer/default/config.h"
 #include "test/common/integration/base_client_integration_test.h"
diff --git a/mobile/test/common/integration/test_server.cc b/mobile/test/common/integration/test_server.cc
index 4fda9549737b..9e43cc605fcd 100644
--- a/mobile/test/common/integration/test_server.cc
+++ b/mobile/test/common/integration/test_server.cc
@@ -8,11 +8,11 @@
 #include "source/common/stats/allocator_impl.h"
 #include "source/common/stats/thread_local_store.h"
 #include "source/common/thread_local/thread_local_impl.h"
+#include "source/common/tls/context_config_impl.h"
 #include "source/extensions/quic/connection_id_generator/envoy_deterministic_connection_id_generator_config.h"
 #include "source/extensions/quic/crypto_stream/envoy_quic_crypto_server_stream.h"
 #include "source/extensions/quic/proof_source/envoy_quic_proof_source_factory_impl.h"
 #include "source/extensions/transport_sockets/raw_buffer/config.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
 #include "source/extensions/udp_packet_writer/default/config.h"
 #include "source/server/hot_restart_nop_impl.h"
 #include "source/server/instance_impl.h"
diff --git a/mobile/test/common/integration/test_server.h b/mobile/test/common/integration/test_server.h
index 59cfa6bfc5df..dc3e7786e87e 100644
--- a/mobile/test/common/integration/test_server.h
+++ b/mobile/test/common/integration/test_server.h
@@ -1,6 +1,6 @@
 #pragma once
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/ssl_socket.h"
 // test_runner setups
 #include "source/exe/process_wide.h"
diff --git a/mobile/test/common/integration/xds_test_server.cc b/mobile/test/common/integration/xds_test_server.cc
index bec30c48c698..7cd7eed24829 100644
--- a/mobile/test/common/integration/xds_test_server.cc
+++ b/mobile/test/common/integration/xds_test_server.cc
@@ -5,12 +5,12 @@
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
 #include "source/common/event/libevent.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "source/extensions/config_subscription/grpc/grpc_collection_subscription_factory.h"
 #include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
 #include "source/extensions/config_subscription/grpc/grpc_subscription_factory.h"
 #include "source/extensions/config_subscription/grpc/new_grpc_mux_impl.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
 #include "test/integration/fake_upstream.h"
 #include "test/test_common/environment.h"
diff --git a/mobile/test/common/integration/xds_test_server.h b/mobile/test/common/integration/xds_test_server.h
index 95e5e4dbeed1..de2fa1252721 100644
--- a/mobile/test/common/integration/xds_test_server.h
+++ b/mobile/test/common/integration/xds_test_server.h
@@ -3,7 +3,7 @@
 #include "envoy/api/api.h"
 #include "source/common/stats/isolated_store_impl.h"
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
+#include "source/common/tls/context_manager_impl.h"
 #include "test/integration/fake_upstream.h"
 #include "test/integration/server.h"
diff --git a/source/common/quic/BUILD b/source/common/quic/BUILD
index 6f0315c59fea..2b9890ed086f 100644
--- a/source/common/quic/BUILD +++ b/source/common/quic/BUILD @@ -139,7 +139,7 @@ envoy_cc_library( ":envoy_quic_proof_verifier_base_lib", ":envoy_quic_utils_lib", ":quic_ssl_connection_info_lib", - "//source/extensions/transport_sockets/tls:context_lib", + "//source/common/tls:context_lib", ], ) @@ -180,8 +180,8 @@ envoy_cc_library( "//envoy/http:codec_interface", "//envoy/http:persistent_quic_info_interface", "//envoy/registry", + "//source/common/tls:ssl_socket_lib", "//source/extensions/quic/crypto_stream:envoy_quic_crypto_client_stream_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", ], ) @@ -228,7 +228,7 @@ envoy_cc_library( external_deps = ["ssl"], tags = ["nofips"], deps = [ - "//source/extensions/transport_sockets/tls:connection_info_impl_base_lib", + "//source/common/tls:connection_info_impl_base_lib", "@com_github_google_quiche//:quic_core_session_lib", ], ) @@ -460,8 +460,8 @@ envoy_cc_library( "//envoy/ssl:context_config_interface", "//source/common/common:assert_lib", "//source/common/network:transport_socket_options_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:ssl_socket_lib", "@com_github_google_quiche//:quic_core_crypto_crypto_handshake_lib", "@envoy_api//envoy/extensions/transport_sockets/quic/v3:pkg_cc_proto", ], 
@@ -485,8 +485,8 @@ envoy_cc_library( "//envoy/ssl:context_config_interface", "//source/common/common:assert_lib", "//source/common/network:transport_socket_options_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:ssl_socket_lib", "@com_github_google_quiche//:quic_core_crypto_crypto_handshake_lib", "@envoy_api//envoy/extensions/transport_sockets/quic/v3:pkg_cc_proto", ], diff --git a/source/common/quic/client_connection_factory_impl.h b/source/common/quic/client_connection_factory_impl.h index 5a5aa9158a93..b247c61bc54a 100644 --- a/source/common/quic/client_connection_factory_impl.h +++ b/source/common/quic/client_connection_factory_impl.h @@ -9,8 +9,8 @@ #include "source/common/quic/envoy_quic_client_session.h" #include "source/common/quic/envoy_quic_connection_helper.h" #include "source/common/quic/envoy_quic_utils.h" +#include "source/common/tls/ssl_socket.h" #include "source/extensions/quic/crypto_stream/envoy_quic_crypto_client_stream.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "quiche/quic/core/quic_utils.h" diff --git a/source/common/quic/envoy_quic_proof_verifier.cc b/source/common/quic/envoy_quic_proof_verifier.cc index 93c206be91dd..78bc355589ff 100644 --- a/source/common/quic/envoy_quic_proof_verifier.cc +++ b/source/common/quic/envoy_quic_proof_verifier.cc @@ -7,7 +7,7 @@ #include "source/common/quic/envoy_quic_utils.h" #include "source/common/runtime/runtime_features.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" #include "quiche/quic/core/crypto/certificate_view.h" diff --git a/source/common/quic/envoy_quic_proof_verifier.h b/source/common/quic/envoy_quic_proof_verifier.h index fc03fbca15d0..b42e9841a709 100644 --- a/source/common/quic/envoy_quic_proof_verifier.h 
+++ b/source/common/quic/envoy_quic_proof_verifier.h
@@ -4,7 +4,7 @@
 #include "source/common/quic/envoy_quic_proof_verifier_base.h"
 #include "source/common/quic/quic_ssl_connection_info.h"
-#include "source/extensions/transport_sockets/tls/context_impl.h"
+#include "source/common/tls/context_impl.h"
 namespace Envoy {
 namespace Quic {
diff --git a/source/common/quic/quic_client_transport_socket_factory.cc b/source/common/quic/quic_client_transport_socket_factory.cc
index 3b90ee46143e..e95abb81918b 100644
--- a/source/common/quic/quic_client_transport_socket_factory.cc
+++ b/source/common/quic/quic_client_transport_socket_factory.cc
@@ -6,7 +6,7 @@
 #include "source/common/quic/envoy_quic_proof_verifier.h"
 #include "source/common/runtime/runtime_features.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
+#include "source/common/tls/context_config_impl.h"
 #include "quiche/quic/core/crypto/quic_client_session_cache.h"
diff --git a/source/common/quic/quic_server_transport_socket_factory.cc b/source/common/quic/quic_server_transport_socket_factory.cc
index 8054a65ab306..bd39254630d6 100644
--- a/source/common/quic/quic_server_transport_socket_factory.cc
+++ b/source/common/quic/quic_server_transport_socket_factory.cc
@@ -5,7 +5,7 @@
 #include "envoy/extensions/transport_sockets/quic/v3/quic_transport.pb.validate.h"
 #include "source/common/runtime/runtime_features.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
+#include "source/common/tls/context_config_impl.h"
 namespace Envoy {
 namespace Quic {
diff --git a/source/common/quic/quic_server_transport_socket_factory.h b/source/common/quic/quic_server_transport_socket_factory.h
index bb64ec76e9af..6be4a64029d1 100644
--- a/source/common/quic/quic_server_transport_socket_factory.h
+++ b/source/common/quic/quic_server_transport_socket_factory.h
@@ -8,7 +8,7 @@
 #include "source/common/common/assert.h"
 #include "source/common/network/transport_socket_options_impl.h"
 #include "source/common/quic/quic_transport_socket_factory.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/ssl_socket.h"
 namespace Envoy {
 namespace Quic {
diff --git a/source/common/quic/quic_ssl_connection_info.h b/source/common/quic/quic_ssl_connection_info.h
index 2efcc27ad509..f8aba5bcbdc1 100644
--- a/source/common/quic/quic_ssl_connection_info.h
+++ b/source/common/quic/quic_ssl_connection_info.h
@@ -1,7 +1,7 @@
 #pragma once
 #include "source/common/common/empty_string.h"
-#include "source/extensions/transport_sockets/tls/connection_info_impl_base.h"
+#include "source/common/tls/connection_info_impl_base.h"
 #include "quiche/quic/core/quic_session.h"
diff --git a/source/common/quic/quic_transport_socket_factory.cc b/source/common/quic/quic_transport_socket_factory.cc
index 3893dde4b6e7..716b1b7d9090 100644
--- a/source/common/quic/quic_transport_socket_factory.cc
+++ b/source/common/quic/quic_transport_socket_factory.cc
@@ -6,7 +6,7 @@
 #include "source/common/quic/envoy_quic_proof_verifier.h"
 #include "source/common/runtime/runtime_features.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
+#include "source/common/tls/context_config_impl.h"
 #include "quiche/quic/core/crypto/quic_client_session_cache.h"
diff --git a/source/common/quic/quic_transport_socket_factory.h b/source/common/quic/quic_transport_socket_factory.h
index d01bce40dc02..938a9d2fa61d 100644
--- a/source/common/quic/quic_transport_socket_factory.h
+++ b/source/common/quic/quic_transport_socket_factory.h
@@ -7,7 +7,7 @@
 #include "source/common/common/assert.h"
 #include "source/common/network/transport_socket_options_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/ssl_socket.h"
 #include "quiche/quic/core/crypto/quic_crypto_client_config.h"
diff --git a/source/common/tls/BUILD b/source/common/tls/BUILD
new file mode 100644
index 000000000000..15a3c06c69f8
--- /dev/null
+++ b/source/common/tls/BUILD
@@ -0,0 +1,215 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_library", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +# Built-in TLS connection transport socket. + +envoy_package() + +envoy_cc_library( + name = "config", + srcs = ["config.cc"], + hdrs = ["config.h"], + # TLS is core functionality. + visibility = ["//visibility:public"], + deps = [ + ":ssl_socket_lib", + "//envoy/network:transport_socket_interface", + "//envoy/registry", + "//envoy/server:transport_socket_config_interface", + ], + alwayslink = 1, +) + +envoy_cc_library( + name = "connection_info_impl_base_lib", + srcs = ["connection_info_impl_base.cc"], + hdrs = ["connection_info_impl_base.h"], + external_deps = ["ssl"], + visibility = ["//visibility:public"], + deps = [ + ":context_lib", + ":utility_lib", + "//source/common/common:assert_lib", + "//source/common/common:minimal_logger_lib", + ], +) + +envoy_cc_library( + name = "ssl_handshaker_lib", + srcs = ["ssl_handshaker.cc"], + hdrs = ["ssl_handshaker.h"], + deps = [ + ":connection_info_impl_base_lib", + ":context_lib", + ":utility_lib", + "//envoy/network:connection_interface", + "//envoy/network:transport_socket_interface", + "//envoy/ssl:handshaker_interface", + "//envoy/ssl:ssl_socket_extended_info_interface", + "//envoy/ssl:ssl_socket_state", + "//envoy/ssl/private_key:private_key_callbacks_interface", + "//envoy/ssl/private_key:private_key_interface", + "//envoy/stats:stats_macros", + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:minimal_logger_lib", + "//source/common/common:thread_annotations", + "//source/common/http:headers_lib", + ], +) + +envoy_cc_library( + name = "io_handle_bio_lib", + srcs = ["io_handle_bio.cc"], + hdrs = ["io_handle_bio.h"], + external_deps = ["ssl"], + deps = [ + "//envoy/buffer:buffer_interface", + "//envoy/network:io_handle_interface", + ], +) + +envoy_cc_library( + name = "ssl_socket_lib", + srcs = ["ssl_socket.cc"], + hdrs = 
["ssl_socket.h"], + external_deps = [ + "abseil_hash", + "abseil_node_hash_map", + "abseil_optional", + "abseil_synchronization", + "ssl", + ], + # TLS is core functionality. + visibility = ["//visibility:public"], + deps = [ + ":context_config_lib", + ":context_lib", + ":io_handle_bio_lib", + ":ssl_handshaker_lib", + ":utility_lib", + "//envoy/network:connection_interface", + "//envoy/network:transport_socket_interface", + "//envoy/ssl:handshaker_interface", + "//envoy/ssl:ssl_socket_extended_info_interface", + "//envoy/ssl:ssl_socket_state", + "//envoy/ssl/private_key:private_key_callbacks_interface", + "//envoy/ssl/private_key:private_key_interface", + "//envoy/stats:stats_macros", + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:minimal_logger_lib", + "//source/common/common:thread_annotations", + "//source/common/http:headers_lib", + "//source/common/network:transport_socket_options_lib", + ], +) + +envoy_cc_library( + name = "context_config_lib", + srcs = ["context_config_impl.cc"], + hdrs = ["context_config_impl.h"], + external_deps = [ + "ssl", + ], + # TLS is core functionality. 
+ visibility = ["//visibility:public"], + deps = [ + ":ssl_handshaker_lib", + "//envoy/secret:secret_callbacks_interface", + "//envoy/secret:secret_provider_interface", + "//envoy/server:transport_socket_config_interface", + "//envoy/ssl:context_config_interface", + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:matchers_lib", + "//source/common/config:datasource_lib", + "//source/common/json:json_loader_lib", + "//source/common/protobuf:utility_lib", + "//source/common/secret:sds_api_lib", + "//source/common/ssl:certificate_validation_context_config_impl_lib", + "//source/common/ssl:tls_certificate_config_impl_lib", + "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", + ], +) + +envoy_cc_library( + name = "context_lib", + srcs = [ + "context_impl.cc", + "context_manager_impl.cc", + ], + hdrs = [ + "context_impl.h", + "context_manager_impl.h", + ], + external_deps = [ + "abseil_node_hash_set", + "abseil_synchronization", + "ssl", + ], + # TLS is core functionality. 
+ visibility = ["//visibility:public"], + deps = [ + ":stats_lib", + ":utility_lib", + "//envoy/ssl:context_config_interface", + "//envoy/ssl:context_interface", + "//envoy/ssl:context_manager_interface", + "//envoy/ssl:ssl_socket_extended_info_interface", + "//envoy/ssl/private_key:private_key_interface", + "//envoy/stats:stats_interface", + "//envoy/stats:stats_macros", + "//source/common/common:assert_lib", + "//source/common/common:base64_lib", + "//source/common/common:hex_lib", + "//source/common/common:utility_lib", + "//source/common/network:address_lib", + "//source/common/network:cidr_range_lib", + "//source/common/protobuf:utility_lib", + "//source/common/runtime:runtime_features_lib", + "//source/common/stats:symbol_table_lib", + "//source/common/stats:utility_lib", + "//source/common/tls/cert_validator:cert_validator_lib", + "//source/common/tls/ocsp:ocsp_lib", + "//source/common/tls/private_key:private_key_manager_lib", + "@envoy_api//envoy/admin/v3:pkg_cc_proto", + "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto", + ], +) + +envoy_cc_library( + name = "stats_lib", + srcs = ["stats.cc"], + hdrs = ["stats.h"], + external_deps = [ + "ssl", + ], + deps = [ + "//envoy/stats:stats_interface", + "//envoy/stats:stats_macros", + "//source/common/stats:symbol_table_lib", + "//source/common/stats:utility_lib", + ], +) + +envoy_cc_library( + name = "utility_lib", + srcs = ["utility.cc"], + hdrs = ["utility.h"], + external_deps = [ + "ssl", + ], + deps = [ + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:safe_memcpy_lib", + "//source/common/common:utility_lib", + "//source/common/network:address_lib", + ], +) diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/common/tls/cert_validator/BUILD similarity index 88% rename from source/extensions/transport_sockets/tls/cert_validator/BUILD rename to source/common/tls/cert_validator/BUILD index 5abc18bc2595..f0b1b69e8fd9 100644 
--- a/source/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/source/common/tls/cert_validator/BUILD @@ -1,12 +1,12 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_library", - "envoy_extension_package", + "envoy_package", ) licenses(["notice"]) # Apache 2 -envoy_extension_package() +envoy_package() envoy_cc_library( name = "cert_validator_lib", @@ -42,8 +42,8 @@ envoy_cc_library( "//source/common/config:utility_lib", "//source/common/stats:symbol_table_lib", "//source/common/stats:utility_lib", - "//source/extensions/transport_sockets/tls:stats_lib", - "//source/extensions/transport_sockets/tls:utility_lib", + "//source/common/tls:stats_lib", + "//source/common/tls:utility_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto", diff --git a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h b/source/common/tls/cert_validator/cert_validator.h similarity index 98% rename from source/extensions/transport_sockets/tls/cert_validator/cert_validator.h rename to source/common/tls/cert_validator/cert_validator.h index 0b3de46c8ffd..b941014309be 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h +++ b/source/common/tls/cert_validator/cert_validator.h @@ -15,7 +15,7 @@ #include "source/common/common/matchers.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/stats.h" #include "openssl/ssl.h" #include "openssl/x509v3.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/common/tls/cert_validator/default_validator.cc similarity index 98% rename from source/extensions/transport_sockets/tls/cert_validator/default_validator.cc rename to source/common/tls/cert_validator/default_validator.cc index 138578d1b839..8d049f7ba0c9 100644 
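Review bot: The switch from `envoy_extension_package()` to `envoy_package()` at the top of cert_validator/BUILD changes which package rules govern this code, and nothing in the hunk records why; a one-line comment above the call, such as `# TLS is core functionality (moved from source/extensions); governed by envoy_package, not the extension package rules.`, would make the intent explicit for the next reader. As far as I can tell, the extension package macro is also what ties a directory to the extension metadata used for security-posture tracking, so it is worth confirming that the TLS transport socket's entry is still maintained wherever that now lives, and noting that in the commit description. The same `envoy_package()` choice, with the same missing rationale, appears in the new source/common/tls/BUILD, so one comment there would cover both. The renamed sources in this commit (san_matcher.cc, utility.cc, context_manager_impl.cc) still open `namespace Envoy { namespace Extensions {` despite now living under source/common, which the BUILD comment could also flag as a known follow-up rather than an oversight.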
--- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/common/tls/cert_validator/default_validator.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h" +#include "source/common/tls/cert_validator/default_validator.h" #include #include @@ -27,11 +27,11 @@ #include "source/common/runtime/runtime_features.h" #include "source/common/stats/symbol_table.h" #include "source/common/stats/utility.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/cert_validator/factory.h" -#include "source/extensions/transport_sockets/tls/cert_validator/utility.h" -#include "source/extensions/transport_sockets/tls/stats.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/cert_validator/factory.h" +#include "source/common/tls/cert_validator/utility.h" +#include "source/common/tls/stats.h" +#include "source/common/tls/utility.h" #include "absl/synchronization/mutex.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h b/source/common/tls/cert_validator/default_validator.h similarity index 95% rename from source/extensions/transport_sockets/tls/cert_validator/default_validator.h rename to source/common/tls/cert_validator/default_validator.h index 704af90c1053..c3e88bd09ca1 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h +++ b/source/common/tls/cert_validator/default_validator.h 
@@ -19,9 +19,9 @@ #include "source/common/common/logger.h" #include "source/common/common/matchers.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/cert_validator/san_matcher.h" +#include "source/common/tls/stats.h" #include "absl/synchronization/mutex.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.cc b/source/common/tls/cert_validator/factory.cc similarity index 87% rename from source/extensions/transport_sockets/tls/cert_validator/factory.cc rename to source/common/tls/cert_validator/factory.cc index b17d5b338536..318b414d3e92 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/factory.cc +++ b/source/common/tls/cert_validator/factory.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/factory.h" +#include "source/common/tls/cert_validator/factory.h" #include "envoy/ssl/context_config.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.h b/source/common/tls/cert_validator/factory.h similarity index 85% rename from source/extensions/transport_sockets/tls/cert_validator/factory.h rename to source/common/tls/cert_validator/factory.h index 9a951e943150..40f3fc3de92b 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/factory.h +++ b/source/common/tls/cert_validator/factory.h 
@@ -5,8 +5,8 @@ #include "envoy/ssl/context_config.h" #include "source/common/common/utility.h" -#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h" -#include "source/extensions/transport_sockets/tls/stats.h" +#include "source/common/tls/cert_validator/cert_validator.h" +#include "source/common/tls/stats.h" #include "absl/strings/string_view.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.cc b/source/common/tls/cert_validator/san_matcher.cc similarity index 94% rename from source/extensions/transport_sockets/tls/cert_validator/san_matcher.cc rename to source/common/tls/cert_validator/san_matcher.cc index 0c5dc0a77bd1..13429c3fcdcc 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.cc +++ b/source/common/tls/cert_validator/san_matcher.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h" +#include "source/common/tls/cert_validator/san_matcher.h" #include @@ -7,7 +7,7 @@ #include "envoy/registry/registry.h" #include "envoy/ssl/certificate_validation_context_config.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.h b/source/common/tls/cert_validator/san_matcher.h similarity index 95% rename from source/extensions/transport_sockets/tls/cert_validator/san_matcher.h rename to source/common/tls/cert_validator/san_matcher.h index 5c2141f4b570..260e9cc3075e 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/san_matcher.h +++ b/source/common/tls/cert_validator/san_matcher.h @@ -10,7 +10,7 @@ #include "source/common/common/hash.h" #include "source/common/common/matchers.h" #include "source/common/protobuf/protobuf.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" #include "openssl/x509v3.h" 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/utility.cc b/source/common/tls/cert_validator/utility.cc similarity index 94% rename from source/extensions/transport_sockets/tls/cert_validator/utility.cc rename to source/common/tls/cert_validator/utility.cc index 150a05406076..3080239fada2 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/utility.cc +++ b/source/common/tls/cert_validator/utility.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/cert_validator/utility.h" +#include "source/common/tls/cert_validator/utility.h" namespace Envoy { namespace Extensions { diff --git a/source/extensions/transport_sockets/tls/cert_validator/utility.h b/source/common/tls/cert_validator/utility.h similarity index 100% rename from source/extensions/transport_sockets/tls/cert_validator/utility.h rename to source/common/tls/cert_validator/utility.h diff --git a/source/extensions/transport_sockets/tls/connection_info_impl_base.cc b/source/common/tls/connection_info_impl_base.cc similarity index 99% rename from source/extensions/transport_sockets/tls/connection_info_impl_base.cc rename to source/common/tls/connection_info_impl_base.cc index 13d556bfc604..5ae15002163d 100644 --- a/source/extensions/transport_sockets/tls/connection_info_impl_base.cc +++ b/source/common/tls/connection_info_impl_base.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/connection_info_impl_base.h" +#include "source/common/tls/connection_info_impl_base.h" #include "source/common/common/hex.h" diff --git a/source/extensions/transport_sockets/tls/connection_info_impl_base.h b/source/common/tls/connection_info_impl_base.h similarity index 98% rename from source/extensions/transport_sockets/tls/connection_info_impl_base.h rename to source/common/tls/connection_info_impl_base.h index 82dba73bea9a..8bcacdb80f7f 100644 --- a/source/extensions/transport_sockets/tls/connection_info_impl_base.h 
+++ b/source/common/tls/connection_info_impl_base.h @@ -5,7 +5,7 @@ #include "envoy/ssl/connection.h" #include "source/common/common/logger.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" #include "absl/types/optional.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/context_config_impl.cc b/source/common/tls/context_config_impl.cc similarity index 99% rename from source/extensions/transport_sockets/tls/context_config_impl.cc rename to source/common/tls/context_config_impl.cc index b71736a12153..77be4ba6b4a4 100644 --- a/source/extensions/transport_sockets/tls/context_config_impl.cc +++ b/source/common/tls/context_config_impl.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include #include @@ -12,7 +12,7 @@ #include "source/common/protobuf/utility.h" #include "source/common/secret/sds_api.h" #include "source/common/ssl/certificate_validation_context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" +#include "source/common/tls/ssl_handshaker.h" #include "openssl/ssl.h" diff --git a/source/extensions/transport_sockets/tls/context_config_impl.h b/source/common/tls/context_config_impl.h similarity index 100% rename from source/extensions/transport_sockets/tls/context_config_impl.h rename to source/common/tls/context_config_impl.h diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/common/tls/context_impl.cc similarity index 99% rename from source/extensions/transport_sockets/tls/context_impl.cc rename to source/common/tls/context_impl.cc index 7a5209258dab..d106cdecaa26 100644 --- a/source/extensions/transport_sockets/tls/context_impl.cc +++ b/source/common/tls/context_impl.cc @@ -1,4 +1,4 @@ -#include "source/extensions/transport_sockets/tls/context_impl.h" +#include "source/common/tls/context_impl.h" #include 
@@ -26,9 +26,9 @@
 #include "source/common/protobuf/utility.h"
 #include "source/common/runtime/runtime_features.h"
 #include "source/common/stats/utility.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
-#include "source/extensions/transport_sockets/tls/stats.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/cert_validator/factory.h"
+#include "source/common/tls/stats.h"
+#include "source/common/tls/utility.h"
 #include "absl/container/node_hash_set.h"
 #include "absl/strings/match.h"
diff --git a/source/extensions/transport_sockets/tls/context_impl.h b/source/common/tls/context_impl.h
similarity index 96%
rename from source/extensions/transport_sockets/tls/context_impl.h
rename to source/common/tls/context_impl.h
index 6f034afd6b35..17e385d72630 100644
--- a/source/extensions/transport_sockets/tls/context_impl.h
+++ b/source/common/tls/context_impl.h
@@ -19,10 +19,10 @@
 #include "source/common/common/matchers.h"
 #include "source/common/stats/symbol_table.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h"
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
-#include "source/extensions/transport_sockets/tls/ocsp/ocsp.h"
-#include "source/extensions/transport_sockets/tls/stats.h"
+#include "source/common/tls/cert_validator/cert_validator.h"
+#include "source/common/tls/context_manager_impl.h"
+#include "source/common/tls/ocsp/ocsp.h"
+#include "source/common/tls/stats.h"
 #include "absl/synchronization/mutex.h"
 #include "openssl/ssl.h"
diff --git a/source/extensions/transport_sockets/tls/context_manager_impl.cc b/source/common/tls/context_manager_impl.cc
similarity index 95%
rename from source/extensions/transport_sockets/tls/context_manager_impl.cc
rename to source/common/tls/context_manager_impl.cc
index 4544ec7a1580..b36d132f43df 100644
--- a/source/extensions/transport_sockets/tls/context_manager_impl.cc
+++ b/source/common/tls/context_manager_impl.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
+#include "source/common/tls/context_manager_impl.h"
 #include
 #include
@@ -8,7 +8,7 @@
 #include "envoy/stats/scope.h"
 #include "source/common/common/assert.h"
-#include "source/extensions/transport_sockets/tls/context_impl.h"
+#include "source/common/tls/context_impl.h"
 namespace Envoy {
 namespace Extensions {
diff --git a/source/extensions/transport_sockets/tls/context_manager_impl.h b/source/common/tls/context_manager_impl.h
similarity index 95%
rename from source/extensions/transport_sockets/tls/context_manager_impl.h
rename to source/common/tls/context_manager_impl.h
index d7386f1d1988..0870c8968073 100644
--- a/source/extensions/transport_sockets/tls/context_manager_impl.h
+++ b/source/common/tls/context_manager_impl.h
@@ -9,7 +9,7 @@
 #include "envoy/ssl/private_key/private_key.h"
 #include "envoy/stats/scope.h"
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
 namespace Envoy {
 namespace Extensions {
diff --git a/source/extensions/transport_sockets/tls/io_handle_bio.cc b/source/common/tls/io_handle_bio.cc
similarity index 97%
rename from source/extensions/transport_sockets/tls/io_handle_bio.cc
rename to source/common/tls/io_handle_bio.cc
index f5faf5fec27b..5222c3143d95 100644
--- a/source/extensions/transport_sockets/tls/io_handle_bio.cc
+++ b/source/common/tls/io_handle_bio.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/io_handle_bio.h"
+#include "source/common/tls/io_handle_bio.h"
 #include "envoy/buffer/buffer.h"
 #include "envoy/network/io_handle.h"
diff --git a/source/extensions/transport_sockets/tls/io_handle_bio.h b/source/common/tls/io_handle_bio.h
similarity index 100%
rename from source/extensions/transport_sockets/tls/io_handle_bio.h
rename to source/common/tls/io_handle_bio.h
diff --git a/source/extensions/transport_sockets/tls/ocsp/BUILD b/source/common/tls/ocsp/BUILD
similarity index 84%
rename from source/extensions/transport_sockets/tls/ocsp/BUILD
rename to source/common/tls/ocsp/BUILD
index 70b250cffe15..dad9dadb7522 100644
--- a/source/extensions/transport_sockets/tls/ocsp/BUILD
+++ b/source/common/tls/ocsp/BUILD
@@ -1,12 +1,12 @@
 load(
 "//bazel:envoy_build_system.bzl",
 "envoy_cc_library",
- "envoy_extension_package",
+ "envoy_package",
 )
 licenses(["notice"]) # Apache 2
-envoy_extension_package()
+envoy_package()
 envoy_cc_library(
 name = "ocsp_lib",
@@ -17,7 +17,7 @@ envoy_cc_library(
 ":asn1_utility_lib",
 "//envoy/common:time_interface",
 "//envoy/ssl:context_config_interface",
- "//source/extensions/transport_sockets/tls:utility_lib",
+ "//source/common/tls:utility_lib",
 ],
 )
diff --git a/source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc b/source/common/tls/ocsp/asn1_utility.cc
similarity index 98%
rename from source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc
rename to source/common/tls/ocsp/asn1_utility.cc
index e152cf8d0f1f..5e1c606978af 100644
--- a/source/extensions/transport_sockets/tls/ocsp/asn1_utility.cc
+++ b/source/common/tls/ocsp/asn1_utility.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/ocsp/asn1_utility.h"
+#include "source/common/tls/ocsp/asn1_utility.h"
 #include "source/common/common/c_smart_ptr.h"
diff --git a/source/extensions/transport_sockets/tls/ocsp/asn1_utility.h b/source/common/tls/ocsp/asn1_utility.h
similarity index 100%
rename from source/extensions/transport_sockets/tls/ocsp/asn1_utility.h
rename to source/common/tls/ocsp/asn1_utility.h
diff --git a/source/extensions/transport_sockets/tls/ocsp/ocsp.cc b/source/common/tls/ocsp/ocsp.cc
similarity index 98%
rename from source/extensions/transport_sockets/tls/ocsp/ocsp.cc
rename to source/common/tls/ocsp/ocsp.cc
index bfa0ee6523d6..d1c3a99daaa9 100644
--- a/source/extensions/transport_sockets/tls/ocsp/ocsp.cc
+++ b/source/common/tls/ocsp/ocsp.cc
@@ -1,8 +1,8 @@
-#include "source/extensions/transport_sockets/tls/ocsp/ocsp.h"
+#include "source/common/tls/ocsp/ocsp.h"
 #include "source/common/common/utility.h"
-#include "source/extensions/transport_sockets/tls/ocsp/asn1_utility.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/ocsp/asn1_utility.h"
+#include "source/common/tls/utility.h"
 namespace Envoy {
 namespace Extensions {
diff --git a/source/extensions/transport_sockets/tls/ocsp/ocsp.h b/source/common/tls/ocsp/ocsp.h
similarity index 100%
rename from source/extensions/transport_sockets/tls/ocsp/ocsp.h
rename to source/common/tls/ocsp/ocsp.h
diff --git a/source/extensions/transport_sockets/tls/private_key/BUILD b/source/common/tls/private_key/BUILD
similarity index 90%
rename from source/extensions/transport_sockets/tls/private_key/BUILD
rename to source/common/tls/private_key/BUILD
index 3d9a42a78c76..85f1388e0b5e 100644
--- a/source/extensions/transport_sockets/tls/private_key/BUILD
+++ b/source/common/tls/private_key/BUILD
@@ -1,12 +1,12 @@
 load(
 "//bazel:envoy_build_system.bzl",
 "envoy_cc_library",
- "envoy_extension_package",
+ "envoy_package",
 )
 licenses(["notice"]) # Apache 2
-envoy_extension_package()
+envoy_package()
 envoy_cc_library(
 name = "private_key_manager_lib",
diff --git a/source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.cc b/source/common/tls/private_key/private_key_manager_impl.cc
similarity index 91%
rename from source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.cc
rename to source/common/tls/private_key/private_key_manager_impl.cc
index f886beeaa96e..93ccbc622d5b 100644
--- a/source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.cc
+++ b/source/common/tls/private_key/private_key_manager_impl.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+#include "source/common/tls/private_key/private_key_manager_impl.h"
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
 #include "envoy/registry/registry.h"
diff --git a/source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h b/source/common/tls/private_key/private_key_manager_impl.h
similarity index 100%
rename from source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h
rename to source/common/tls/private_key/private_key_manager_impl.h
diff --git a/source/extensions/transport_sockets/tls/ssl_handshaker.cc b/source/common/tls/ssl_handshaker.cc
similarity index 96%
rename from source/extensions/transport_sockets/tls/ssl_handshaker.cc
rename to source/common/tls/ssl_handshaker.cc
index b0bcca7dbbf5..ab2c6f1fc0f8 100644
--- a/source/extensions/transport_sockets/tls/ssl_handshaker.cc
+++ b/source/common/tls/ssl_handshaker.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/ssl_handshaker.h"
+#include "source/common/tls/ssl_handshaker.h"
 #include "envoy/stats/scope.h"
@@ -6,7 +6,7 @@
 #include "source/common/common/empty_string.h"
 #include "source/common/http/headers.h"
 #include "source/common/runtime/runtime_features.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/utility.h"
 using Envoy::Network::PostIoAction;
diff --git a/source/extensions/transport_sockets/tls/ssl_handshaker.h b/source/common/tls/ssl_handshaker.h
similarity index 97%
rename from source/extensions/transport_sockets/tls/ssl_handshaker.h
rename to source/common/tls/ssl_handshaker.h
index 4203ffac9462..3e5c63125b5f 100644
--- a/source/extensions/transport_sockets/tls/ssl_handshaker.h
+++ b/source/common/tls/ssl_handshaker.h
@@ -16,8 +16,8 @@
 #include "envoy/stats/stats_macros.h"
 #include "source/common/common/logger.h"
-#include "source/extensions/transport_sockets/tls/connection_info_impl_base.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/connection_info_impl_base.h"
+#include "source/common/tls/utility.h"
 #include "absl/container/node_hash_map.h"
 #include "absl/synchronization/mutex.h"
diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/common/tls/ssl_socket.cc
similarity index 98%
rename from source/extensions/transport_sockets/tls/ssl_socket.cc
rename to source/common/tls/ssl_socket.cc
index bc56bca6b417..12f7e5c091cd 100644
--- a/source/extensions/transport_sockets/tls/ssl_socket.cc
+++ b/source/common/tls/ssl_socket.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/ssl_socket.h"
 #include "envoy/stats/scope.h"
@@ -7,9 +7,9 @@
 #include "source/common/common/hex.h"
 #include "source/common/http/headers.h"
 #include "source/common/runtime/runtime_features.h"
-#include "source/extensions/transport_sockets/tls/io_handle_bio.h"
-#include "source/extensions/transport_sockets/tls/ssl_handshaker.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/io_handle_bio.h"
+#include "source/common/tls/ssl_handshaker.h"
+#include "source/common/tls/utility.h"
 #include "absl/strings/str_replace.h"
 #include "openssl/err.h"
diff --git a/source/extensions/transport_sockets/tls/ssl_socket.h b/source/common/tls/ssl_socket.h
similarity index 96%
rename from source/extensions/transport_sockets/tls/ssl_socket.h
rename to source/common/tls/ssl_socket.h
index ea9213ffe6d1..2e4392c5cdd2 100644
--- a/source/extensions/transport_sockets/tls/ssl_socket.h
+++ b/source/common/tls/ssl_socket.h
@@ -15,9 +15,9 @@
 #include "source/common/common/logger.h"
 #include "source/common/network/transport_socket_options_impl.h"
-#include "source/extensions/transport_sockets/tls/context_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_handshaker.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/context_impl.h"
+#include "source/common/tls/ssl_handshaker.h"
+#include "source/common/tls/utility.h"
 #include "absl/container/node_hash_map.h"
 #include "absl/synchronization/mutex.h"
diff --git a/source/extensions/transport_sockets/tls/stats.cc b/source/common/tls/stats.cc
similarity index 89%
rename from source/extensions/transport_sockets/tls/stats.cc
rename to source/common/tls/stats.cc
index 5a5cdc86c054..c4c5e320ce34 100644
--- a/source/extensions/transport_sockets/tls/stats.cc
+++ b/source/common/tls/stats.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/stats.h"
+#include "source/common/tls/stats.h"
 #include "envoy/stats/scope.h"
 #include "envoy/stats/stats_macros.h"
diff --git a/source/extensions/transport_sockets/tls/stats.h b/source/common/tls/stats.h
similarity index 100%
rename from source/extensions/transport_sockets/tls/stats.h
rename to source/common/tls/stats.h
diff --git a/source/extensions/transport_sockets/tls/utility.cc b/source/common/tls/utility.cc
similarity index 99%
rename from source/extensions/transport_sockets/tls/utility.cc
rename to source/common/tls/utility.cc
index 766044f22666..672f075e6d26 100644
--- a/source/extensions/transport_sockets/tls/utility.cc
+++ b/source/common/tls/utility.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/utility.h"
 #include
diff --git a/source/extensions/transport_sockets/tls/utility.h b/source/common/tls/utility.h
similarity index 100%
rename from source/extensions/transport_sockets/tls/utility.h
rename to source/common/tls/utility.h
diff --git a/source/extensions/clusters/dynamic_forward_proxy/BUILD b/source/extensions/clusters/dynamic_forward_proxy/BUILD
index d4377bb1abc5..477411c9e7a5 100644
--- a/source/extensions/clusters/dynamic_forward_proxy/BUILD
+++ b/source/extensions/clusters/dynamic_forward_proxy/BUILD
@@ -17,12 +17,12 @@ envoy_cc_extension(
 "//source/common/network:transport_socket_options_lib",
 "//source/common/router:string_accessor_lib",
 "//source/common/stream_info:uint32_accessor_lib",
+ "//source/common/tls/cert_validator:cert_validator_lib",
 "//source/common/upstream:cluster_factory_lib",
 "//source/extensions/clusters/common:logical_host_lib",
 "//source/extensions/common/dynamic_forward_proxy:cluster_store",
 "//source/extensions/common/dynamic_forward_proxy:dns_cache_interface",
 "//source/extensions/common/dynamic_forward_proxy:dns_cache_manager_impl",
- "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
 "@envoy_api//envoy/config/cluster/v3:pkg_cc_proto",
 "@envoy_api//envoy/config/endpoint/v3:pkg_cc_proto",
 "@envoy_api//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg_cc_proto",
diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
index 4ce4077521cf..c616f8dbfa99 100644
--- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
+++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
@@ -12,9 +12,9 @@
 #include "source/common/network/transport_socket_options_impl.h"
 #include "source/common/router/string_accessor_impl.h"
 #include "source/common/stream_info/uint32_accessor_impl.h"
+#include "source/common/tls/cert_validator/default_validator.h"
+#include "source/common/tls/utility.h"
 #include "source/extensions/common/dynamic_forward_proxy/dns_cache_manager_impl.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
 namespace Envoy {
 namespace Extensions {
diff --git a/source/extensions/transport_sockets/tap/BUILD b/source/extensions/transport_sockets/tap/BUILD
index 043f881df364..849529f9ac95 100644
--- a/source/extensions/transport_sockets/tap/BUILD
+++ b/source/extensions/transport_sockets/tap/BUILD
@@ -52,6 +52,10 @@ envoy_cc_extension(
 name = "config",
 srcs = envoy_select_admin_functionality(["config.cc"]),
 hdrs = envoy_select_admin_functionality(["config.h"]),
+ extra_visibility = [
+ # test needs refactor
+ "//test/common/tls:__subpackages__",
+ ],
 deps = [
 ":tap_config_impl",
 ":tap_lib",
diff --git a/source/extensions/transport_sockets/tls/BUILD b/source/extensions/transport_sockets/tls/BUILD
index 8758719e9990..3ce74ef46a9a 100644
--- a/source/extensions/transport_sockets/tls/BUILD
+++ b/source/extensions/transport_sockets/tls/BUILD
@@ -1,7 +1,6 @@
 load(
 "//bazel:envoy_build_system.bzl",
 "envoy_cc_extension",
- "envoy_cc_library",
 "envoy_extension_package",
 )
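Review bot: The `extra_visibility` entry added to the tap `config` target is justified only by `# test needs refactor`, which names neither the test under `//test/common/tls` that reaches into this extension's config target nor the condition under which the exemption can be dropped, so the widened visibility is likely to outlive its reason. Widening an extension target's visibility into a core test package also inverts the core/extension layering this series is otherwise establishing, which the comment should say explicitly so it is not taken as precedent. Name the dependent test and the removal condition, e.g. `# Only for the TLS tests that moved to //test/common/tls and (presumably) still exercise the tap transport socket; remove once that test is refactored off this target.`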
@@ -18,199 +17,10 @@ envoy_cc_extension(
 # TLS is core functionality.
 visibility = ["//visibility:public"],
 deps = [
- ":ssl_socket_lib",
 "//envoy/network:transport_socket_interface",
 "//envoy/registry",
 "//envoy/server:transport_socket_config_interface",
+ "//source/common/tls:ssl_socket_lib",
 "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
 ],
 )
-
-envoy_cc_library(
- name = "connection_info_impl_base_lib",
- srcs = ["connection_info_impl_base.cc"],
- hdrs = ["connection_info_impl_base.h"],
- external_deps = ["ssl"],
- visibility = ["//visibility:public"],
- deps = [
- ":context_lib",
- ":utility_lib",
- "//source/common/common:assert_lib",
- "//source/common/common:minimal_logger_lib",
- ],
-)
-
-envoy_cc_library(
- name = "ssl_handshaker_lib",
- srcs = ["ssl_handshaker.cc"],
- hdrs = ["ssl_handshaker.h"],
- deps = [
- ":connection_info_impl_base_lib",
- ":context_lib",
- ":utility_lib",
- "//envoy/network:connection_interface",
- "//envoy/network:transport_socket_interface",
- "//envoy/ssl:handshaker_interface",
- "//envoy/ssl:ssl_socket_extended_info_interface",
- "//envoy/ssl:ssl_socket_state",
- "//envoy/ssl/private_key:private_key_callbacks_interface",
- "//envoy/ssl/private_key:private_key_interface",
- "//envoy/stats:stats_macros",
- "//source/common/common:assert_lib",
- "//source/common/common:empty_string",
- "//source/common/common:minimal_logger_lib",
- "//source/common/common:thread_annotations",
- "//source/common/http:headers_lib",
- ],
-)
-
-envoy_cc_library(
- name = "io_handle_bio_lib",
- srcs = ["io_handle_bio.cc"],
- hdrs = ["io_handle_bio.h"],
- external_deps = ["ssl"],
- deps = [
- "//envoy/buffer:buffer_interface",
- "//envoy/network:io_handle_interface",
- ],
-)
-
-envoy_cc_library(
- name = "ssl_socket_lib",
- srcs = ["ssl_socket.cc"],
- hdrs = ["ssl_socket.h"],
- external_deps = [
- "abseil_hash",
- "abseil_node_hash_map",
- "abseil_optional",
- "abseil_synchronization",
- "ssl",
- ],
- # TLS is core functionality.
- visibility = ["//visibility:public"],
- deps = [
- ":context_config_lib",
- ":context_lib",
- ":io_handle_bio_lib",
- ":ssl_handshaker_lib",
- ":utility_lib",
- "//envoy/network:connection_interface",
- "//envoy/network:transport_socket_interface",
- "//envoy/ssl:handshaker_interface",
- "//envoy/ssl:ssl_socket_extended_info_interface",
- "//envoy/ssl:ssl_socket_state",
- "//envoy/ssl/private_key:private_key_callbacks_interface",
- "//envoy/ssl/private_key:private_key_interface",
- "//envoy/stats:stats_macros",
- "//source/common/common:assert_lib",
- "//source/common/common:empty_string",
- "//source/common/common:minimal_logger_lib",
- "//source/common/common:thread_annotations",
- "//source/common/http:headers_lib",
- "//source/common/network:transport_socket_options_lib",
- ],
-)
-
-envoy_cc_library(
- name = "context_config_lib",
- srcs = ["context_config_impl.cc"],
- hdrs = ["context_config_impl.h"],
- external_deps = [
- "ssl",
- ],
- # TLS is core functionality.
- visibility = ["//visibility:public"],
- deps = [
- ":ssl_handshaker_lib",
- "//envoy/secret:secret_callbacks_interface",
- "//envoy/secret:secret_provider_interface",
- "//envoy/server:transport_socket_config_interface",
- "//envoy/ssl:context_config_interface",
- "//source/common/common:assert_lib",
- "//source/common/common:empty_string",
- "//source/common/common:matchers_lib",
- "//source/common/config:datasource_lib",
- "//source/common/json:json_loader_lib",
- "//source/common/protobuf:utility_lib",
- "//source/common/secret:sds_api_lib",
- "//source/common/ssl:certificate_validation_context_config_impl_lib",
- "//source/common/ssl:tls_certificate_config_impl_lib",
- "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
- ],
-)
-
-envoy_cc_library(
- name = "context_lib",
- srcs = [
- "context_impl.cc",
- "context_manager_impl.cc",
- ],
- hdrs = [
- "context_impl.h",
- "context_manager_impl.h",
- ],
- external_deps = [
- "abseil_node_hash_set",
- "abseil_synchronization",
- "ssl",
- ],
- # TLS is core functionality.
- visibility = ["//visibility:public"],
- deps = [
- ":stats_lib",
- ":utility_lib",
- "//envoy/ssl:context_config_interface",
- "//envoy/ssl:context_interface",
- "//envoy/ssl:context_manager_interface",
- "//envoy/ssl:ssl_socket_extended_info_interface",
- "//envoy/ssl/private_key:private_key_interface",
- "//envoy/stats:stats_interface",
- "//envoy/stats:stats_macros",
- "//source/common/common:assert_lib",
- "//source/common/common:base64_lib",
- "//source/common/common:hex_lib",
- "//source/common/common:utility_lib",
- "//source/common/network:address_lib",
- "//source/common/network:cidr_range_lib",
- "//source/common/protobuf:utility_lib",
- "//source/common/runtime:runtime_features_lib",
- "//source/common/stats:symbol_table_lib",
- "//source/common/stats:utility_lib",
- "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
- "//source/extensions/transport_sockets/tls/ocsp:ocsp_lib",
- "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
- "@envoy_api//envoy/admin/v3:pkg_cc_proto",
- "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
- ],
-)
-
-envoy_cc_library(
- name = "stats_lib",
- srcs = ["stats.cc"],
- hdrs = ["stats.h"],
- external_deps = [
- "ssl",
- ],
- deps = [
- "//envoy/stats:stats_interface",
- "//envoy/stats:stats_macros",
- "//source/common/stats:symbol_table_lib",
- "//source/common/stats:utility_lib",
- ],
-)
-
-envoy_cc_library(
- name = "utility_lib",
- srcs = ["utility.cc"],
- hdrs = ["utility.h"],
- external_deps = [
- "ssl",
- ],
- deps = [
- "//source/common/common:assert_lib",
- "//source/common/common:empty_string",
- "//source/common/common:safe_memcpy_lib",
- "//source/common/common:utility_lib",
- "//source/common/network:address_lib",
- ],
-)
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
index 82f6860d86d7..72f5fedd2d7b 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
@@ -33,9 +33,9 @@ envoy_cc_extension(
 "//source/common/config:utility_lib",
 "//source/common/stats:symbol_table_lib",
 "//source/common/stats:utility_lib",
- "//source/extensions/transport_sockets/tls:stats_lib",
- "//source/extensions/transport_sockets/tls:utility_lib",
- "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+ "//source/common/tls:stats_lib",
+ "//source/common/tls:utility_lib",
+ "//source/common/tls/cert_validator:cert_validator_lib",
 "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
 ],
 )
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
index 5ae1ebde5c55..4c6f6fb3dc30 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
@@ -15,10 +15,10 @@
 #include "source/common/config/utility.h"
 #include "source/common/protobuf/message_validator_impl.h"
 #include "source/common/stats/symbol_table.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/utility.h"
-#include "source/extensions/transport_sockets/tls/stats.h"
-#include "source/extensions/transport_sockets/tls/utility.h"
+#include "source/common/tls/cert_validator/factory.h"
+#include "source/common/tls/cert_validator/utility.h"
+#include "source/common/tls/stats.h"
+#include "source/common/tls/utility.h"
 #include "openssl/ssl.h"
 #include "openssl/x509v3.h"
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h
index 3850fa5533be..4bb140dbe63b 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h
@@ -16,9 +16,9 @@
 #include "source/common/common/c_smart_ptr.h"
 #include "source/common/common/matchers.h"
 #include "source/common/stats/symbol_table.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/cert_validator.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h"
-#include "source/extensions/transport_sockets/tls/stats.h"
+#include "source/common/tls/cert_validator/cert_validator.h"
+#include "source/common/tls/cert_validator/san_matcher.h"
+#include "source/common/tls/stats.h"
 #include "openssl/ssl.h"
 #include "openssl/x509v3.h"
diff --git a/source/extensions/transport_sockets/tls/config.cc b/source/extensions/transport_sockets/tls/config.cc
index f2612251584d..ec2f39b60aed 100644
--- a/source/extensions/transport_sockets/tls/config.cc
+++ b/source/extensions/transport_sockets/tls/config.cc
@@ -4,8 +4,8 @@
 #include "envoy/extensions/transport_sockets/tls/v3/tls.pb.validate.h"
 #include "source/common/protobuf/utility.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 namespace Envoy {
 namespace Extensions {
diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h
index 799bd4f8da4b..27baab111f4f 100644
--- a/test/common/grpc/grpc_client_integration_test_harness.h
+++ b/test/common/grpc/grpc_client_integration_test_harness.h
@@ -26,8 +26,8 @@
 #include "source/common/router/upstream_codec_filter.h"
 #include "source/common/stats/symbol_table.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "test/common/grpc/grpc_client_integration.h"
 #include "test/common/grpc/utility.h"
diff --git a/test/common/listener_manager/BUILD b/test/common/listener_manager/BUILD
index dd452238d0b4..bdfc813a9527 100644
--- a/test/common/listener_manager/BUILD
+++ b/test/common/listener_manager/BUILD
@@ -39,7 +39,7 @@ envoy_cc_test(
 envoy_cc_test_library(
 name = "listener_manager_impl_test_lib",
 hdrs = ["listener_manager_impl_test.h"],
- data = ["//test/extensions/transport_sockets/tls/test_data:certs"],
+ data = ["//test/common/tls/test_data:certs"],
 deps = [
 ":config_cc_proto",
 "//source/common/init:manager_lib",
@@ -80,6 +80,7 @@ envoy_cc_test(
 "//source/common/network:utility_lib",
 "//source/common/protobuf",
 "//source/common/router:string_accessor_lib",
+ "//source/common/tls:ssl_socket_lib",
 "//source/extensions/filters/listener/original_dst:config",
 "//source/extensions/filters/listener/proxy_protocol:config",
 "//source/extensions/filters/listener/tls_inspector:config",
@@ -90,7 +91,6 @@ envoy_cc_test(
 "//source/extensions/request_id/uuid:config",
 "//source/extensions/transport_sockets/raw_buffer:config",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:ssl_socket_lib",
 "//test/integration/filters:test_listener_filter_lib",
 "//test/server:utility_lib",
 "//test/test_common:network_utility_lib",
@@ -126,7 +126,7 @@ envoy_cc_test(
 envoy_cc_test(
 name = "filter_chain_manager_impl_test",
 srcs = ["filter_chain_manager_impl_test.cc"],
- data = ["//test/extensions/transport_sockets/tls/test_data:certs"],
+ data = ["//test/common/tls/test_data:certs"],
 deps = [
 "//source/common/api:os_sys_calls_lib",
 "//source/common/config:metadata_lib",
@@ -137,11 +137,11 @@ envoy_cc_test(
 "//source/common/network:socket_option_lib",
 "//source/common/network:utility_lib",
 "//source/common/protobuf",
+ "//source/common/tls:ssl_socket_lib",
 "//source/extensions/filters/network/http_connection_manager:config",
 "//source/extensions/matching/network/common:inputs_lib",
 "//source/extensions/transport_sockets/raw_buffer:config",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:ssl_socket_lib",
 "//test/mocks/network:network_mocks",
 "//test/mocks/server:drain_manager_mocks",
 "//test/mocks/server:factory_context_mocks",
diff --git a/test/common/listener_manager/filter_chain_benchmark_test.cc b/test/common/listener_manager/filter_chain_benchmark_test.cc
index 16f711af4e2b..63728fd57435 100644
--- a/test/common/listener_manager/filter_chain_benchmark_test.cc
+++ b/test/common/listener_manager/filter_chain_benchmark_test.cc
@@ -155,11 +155,11 @@ const char YamlHeader[] = R"EOF(
 "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"
 common_tls_context:
 tls_certificates:
- - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" }
- private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" }
+ - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" }
+ private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" }
 session_ticket_keys:
 keys:
- - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a")EOF";
+ - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a")EOF";
 const char YamlSingleServer[] = R"EOF(
 - filter_chain_match:
 server_names: "server1.example.com"
@@ -170,11 +170,11 @@ const char YamlSingleServer[] = R"EOF(
 "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"
 common_tls_context:
 tls_certificates:
- - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" }
- private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" }
+ - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" }
+ private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" }
 session_ticket_keys:
 keys:
- - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a")EOF";
+ - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a")EOF";
 const char YamlSingleDstPortTop[] = R"EOF(
 - filter_chain_match:
 destination_port: )EOF";
@@ -185,11 +185,11 @@ const char YamlSingleDstPortBottom[] = R"EOF(
 "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"
 common_tls_context:
 tls_certificates:
- - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" }
- private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" }
+ - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" }
+ private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" }
 session_ticket_keys:
 keys:
- - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a")EOF";
+ - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a")EOF";
 } // namespace
 class FilterChainBenchmarkFixture : public ::benchmark::Fixture {
diff --git a/test/common/listener_manager/filter_chain_manager_impl_test.cc b/test/common/listener_manager/filter_chain_manager_impl_test.cc
index 1d42fc5e4ec8..316a11ebbb20 100644
--- a/test/common/listener_manager/filter_chain_manager_impl_test.cc
+++ b/test/common/listener_manager/filter_chain_manager_impl_test.cc
@@ -19,7 +19,7 @@
 #include "source/common/network/socket_option_impl.h"
 #include "source/common/network/utility.h"
 #include "source/common/protobuf/protobuf.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/ssl_socket.h"
 #include "source/server/configuration_impl.h"
 #include "test/mocks/network/mocks.h"
@@ -128,11 +128,11 @@ class FilterChainManagerImplTest : public testing::TestWithParam { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string filter_chain_matcher = R"EOF( matcher_tree: diff --git a/test/common/listener_manager/listener_manager_impl_quic_only_test.cc b/test/common/listener_manager/listener_manager_impl_quic_only_test.cc index 67b334f46ddd..93ebdabddb41 100644 --- a/test/common/listener_manager/listener_manager_impl_quic_only_test.cc +++ b/test/common/listener_manager/listener_manager_impl_quic_only_test.cc 
@@ -61,12 +61,12 @@ std::string getBasicConfig() { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -274,12 +274,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithExplictConnection common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -433,12 +433,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithWrongTransportSoc common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -482,12 +482,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithWrongCodec) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -546,12 +546,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithNetworkFilterAfte common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -604,12 +604,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithConnectionBalence common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -667,12 +667,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithBadServerPreferre common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -731,12 +731,12 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryWithBadServerPreferre common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost diff --git a/test/common/listener_manager/listener_manager_impl_test.cc b/test/common/listener_manager/listener_manager_impl_test.cc index c7d883f53d05..a3db944e6203 100644 --- a/test/common/listener_manager/listener_manager_impl_test.cc +++ b/test/common/listener_manager/listener_manager_impl_test.cc 
@@ -24,10 +24,10 @@ #include "source/common/network/utility.h" #include "source/common/protobuf/protobuf.h" #include "source/common/router/string_accessor_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/extensions/common/matcher/trie_matcher.h" #include "source/extensions/filters/listener/original_dst/original_dst.h" #include "source/extensions/filters/listener/tls_inspector/tls_inspector.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "test/common/listener_manager/config.pb.h" #include "test/common/listener_manager/config.pb.validate.h" @@ -433,12 +433,12 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsTransportSocket) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_subject_alt_names: exact: localhost exact: 127.0.0.1 
@@ -3374,8 +3374,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithDestinationP "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -3440,8 +3440,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithDirectSource "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -3512,8 +3512,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithDestinationI "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -3585,8 +3585,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -3662,8 +3662,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithServerNamesM "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -3734,8 +3734,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithTransportPro "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -3863,8 +3863,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithApplicationP "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -3930,8 +3930,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourceTypeMa "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4011,8 +4011,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourceIpMatc "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4097,8 +4097,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourceIpv6Ma "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4162,8 +4162,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, SingleFilterChainWithSourcePortMa "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4228,8 +4228,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithSourceTyp "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: application_protocols: "http/1.1" source_type: EXTERNAL 
@@ -4240,8 +4240,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithSourceTyp "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: source_type: ANY name: baz @@ -4251,8 +4251,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithSourceTyp "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4375,8 +4375,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: destination_port: 8080 name: bar @@ -4386,8 +4386,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: destination_port: 8081 name: baz 
@@ -4397,8 +4397,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4495,8 +4495,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: prefix_ranges: { address_prefix: 192.168.0.1, prefix_len: 32 } name: bar 
@@ -4506,8 +4506,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: prefix_ranges: { address_prefix: 192.168.0.0, prefix_len: 16 } name: baz @@ -4517,8 +4517,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDestinati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -4633,8 +4633,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDirectSou "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } - filter_chain_match: direct_source_prefix_ranges: { address_prefix: 192.168.0.1, prefix_len: 32 } name: bar @@ -4644,8 +4644,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDirectSou "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } - filter_chain_match: direct_source_prefix_ranges: { address_prefix: 192.168.0.0, prefix_len: 16 } name: baz 
@@ -4655,8 +4655,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDirectSou "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -4764,11 +4764,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithServerNam "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "server1.example.com" transport_socket: 
@@ -4777,11 +4777,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithServerNam "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "*.com" transport_socket: @@ -4790,11 +4790,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithServerNam "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF", Network::Address::IpVersion::v4); 
@@ -4868,8 +4868,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithTransport "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { @@ -5016,8 +5016,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithApplicati "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); if (use_matcher_) { 
@@ -5094,8 +5094,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithMultipleR "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); @@ -5156,11 +5156,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDifferent "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "www.example.com" name: bar 
@@ -5170,11 +5170,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MultipleFilterChainsWithDifferent "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" )EOF", Network::Address::IpVersion::v4); @@ -5203,11 +5203,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - filter_chain_match: server_names: "www.example.com" name: bar 
@@ -5217,8 +5217,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } )EOF", Network::Address::IpVersion::v4); @@ -5442,11 +5442,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, MatcherFilterChainWithDuplicateNa TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInline) { const std::string cert = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem")); - const std::string pkey = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem")); - const std::string ca = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem")); + const std::string pkey = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem")); + const std::string ca = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); const std::string yaml = absl::StrCat(R"EOF( address: socket_address: { address: 127.0.0.1, port_value: 1234 } 
@@ -5475,7 +5475,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInline) { TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateChainInlinePrivateKeyFilename) { const std::string cert = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem")); + "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem")); const std::string yaml = TestEnvironment::substitute(absl::StrCat(R"EOF( address: socket_address: { address: 127.0.0.1, port_value: 1234 } @@ -5487,7 +5487,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateChainInlinePrivateK "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + - private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } certificate_chain: { inline_string: ")EOF", absl::CEscape(cert), R"EOF(" } )EOF"), @@ -5511,7 +5511,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateIncomplete) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } )EOF", Network::Address::IpVersion::v4); 
@@ -5532,7 +5532,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidCertificateC common_tls_context: tls_certificates: - certificate_chain: { inline_string: "invalid" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } )EOF", Network::Address::IpVersion::v4); @@ -5541,8 +5541,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidCertificateC } TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidIntermediateCA) { - const std::string leaf = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem")); + const std::string leaf = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem")); const std::string yaml = TestEnvironment::substitute( absl::StrCat( R"EOF( @@ -5559,7 +5559,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidIntermediate - certificate_chain: { inline_string: ")EOF", absl::CEscape(leaf), R"EOF(\n-----BEGIN CERTIFICATE-----\nDEFINITELY_INVALID_CERTIFICATE\n-----END CERTIFICATE-----" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } )EOF"), Network::Address::IpVersion::v4); 
@@ -5579,7 +5579,7 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidPrivateKey) "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } private_key: { inline_string: "invalid" } )EOF", Network::Address::IpVersion::v4); @@ -5601,8 +5601,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateInvalidTrustedCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" } validation_context: trusted_ca: { inline_string: "invalid" } )EOF", @@ -5624,8 +5624,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, TlsCertificateCertPrivateKeyMisma "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" } )EOF", Network::Address::IpVersion::v4); 
@@ -6535,11 +6535,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLFilename) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } - crl: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } + crl: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" } )EOF", Network::Address::IpVersion::v4); @@ -6550,8 +6550,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLFilename) { } TEST_P(ListenerManagerImplWithRealFiltersTest, CRLInline) { - const std::string crl = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl")); + const std::string crl = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl")); const std::string yaml = TestEnvironment::substitute(absl::StrCat(R"EOF( address: socket_address: { address: 127.0.0.1, port_value: 1234 } 
@@ -6563,10 +6563,10 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLInline) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } crl: { inline_string: ")EOF", absl::CEscape(crl), R"EOF(" } )EOF"), @@ -6590,10 +6590,10 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, InvalidCRLInline) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } crl: { inline_string: "-----BEGIN X509 CRL-----\nTOTALLY_NOT_A_CRL_HERE\n-----END X509 CRL-----\n" } )EOF", Network::Address::IpVersion::v4); 
@@ -6614,10 +6614,10 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, CRLWithNoCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - crl: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" } + crl: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" } )EOF", Network::Address::IpVersion::v4); @@ -6637,8 +6637,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, VerifySanWithNoCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: match_subject_alt_names: exact: "spiffe://lyft.com/testclient" 
@@ -6663,8 +6663,8 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, VerifyIgnoreExpirationWithNoCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: allow_expired_certificate: true )EOF", @@ -6687,11 +6687,11 @@ TEST_P(ListenerManagerImplWithRealFiltersTest, VerifyIgnoreExpirationWithCA) { "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context: tls_certificates: - - certificate_chain: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" } - private_key: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" } + - certificate_chain: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" } + private_key: { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" } validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF", Network::Address::IpVersion::v4); diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index 0d9444d28b12..474e73c9cdac 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD 
@@ -62,7 +62,7 @@ envoy_cc_test(
 ":test_utils_lib",
 "//source/common/quic:envoy_quic_proof_source_lib",
 "//source/common/quic:envoy_quic_proof_verifier_lib",
- "//source/extensions/transport_sockets/tls:context_config_lib",
+ "//source/common/tls:context_config_lib",
 "//test/mocks/network:network_mocks",
 "//test/mocks/ssl:ssl_mocks",
 "@com_github_google_quiche//:quic_core_versions_lib",
@@ -103,9 +103,9 @@ envoy_cc_test(
 deps = [
 ":test_utils_lib",
 "//source/common/quic:envoy_quic_proof_verifier_lib",
- "//source/extensions/transport_sockets/tls:context_config_lib",
+ "//source/common/tls:context_config_lib",
 "//test/common/config:dummy_config_proto_cc_proto",
- "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator",
+ "//test/common/tls/cert_validator:timed_cert_validator",
 "//test/mocks/event:event_mocks",
 "//test/mocks/ssl:ssl_mocks",
 "@com_github_google_quiche//:quic_test_tools_test_certificates_lib",
@@ -360,13 +360,13 @@ envoy_cc_test(
 name = "quic_transport_socket_factory_test",
 srcs = ["quic_transport_socket_factory_test.cc"],
 data = [
- "//test/extensions/transport_sockets/tls/test_data:certs",
+ "//test/common/tls/test_data:certs",
 ],
 tags = ["nofips"],
 deps = [
 "//source/common/quic:quic_server_transport_socket_factory_lib",
 "//source/common/quic:quic_transport_socket_factory_lib",
- "//source/extensions/transport_sockets/tls:context_config_lib",
+ "//source/common/tls:context_config_lib",
 "//test/mocks/server:transport_socket_factory_context_mocks",
 "//test/mocks/ssl:ssl_mocks",
 "//test/test_common:environment_lib",
diff --git a/test/common/quic/envoy_quic_proof_source_test.cc b/test/common/quic/envoy_quic_proof_source_test.cc
index 2c6bcc991cf8..b671a7fc81ef 100644
--- a/test/common/quic/envoy_quic_proof_source_test.cc
+++ b/test/common/quic/envoy_quic_proof_source_test.cc
@@ -5,7 +5,7 @@
 #include "source/common/quic/envoy_quic_proof_source.h"
 #include "source/common/quic/envoy_quic_proof_verifier.h"
 #include "source/common/quic/envoy_quic_utils.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
+#include "source/common/tls/context_config_impl.h"
 #include "test/common/quic/test_utils.h"
 #include "test/mocks/network/mocks.h"
diff --git a/test/common/quic/envoy_quic_proof_verifier_test.cc b/test/common/quic/envoy_quic_proof_verifier_test.cc
index c7eef7189ac1..ab12465385eb 100644
--- a/test/common/quic/envoy_quic_proof_verifier_test.cc
+++ b/test/common/quic/envoy_quic_proof_verifier_test.cc
@@ -3,11 +3,11 @@
 #include "source/common/network/transport_socket_options_impl.h"
 #include "source/common/quic/envoy_quic_proof_verifier.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
+#include "source/common/tls/context_config_impl.h"
 #include "test/common/config/dummy_config.pb.h"
 #include "test/common/quic/test_utils.h"
-#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h"
+#include "test/common/tls/cert_validator/timed_cert_validator.h"
 #include "test/mocks/event/mocks.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/stats/mocks.h"
diff --git a/test/common/quic/platform/BUILD b/test/common/quic/platform/BUILD
index 3c500de5c7bf..ef8fc42c9864 100644
--- a/test/common/quic/platform/BUILD
+++ b/test/common/quic/platform/BUILD
@@ -22,7 +22,7 @@ envoy_cc_test(
 "//bazel:windows_x86_64": [],
 "//conditions:default": ["-Wno-unused-parameter"],
 }),
- data = ["//test/extensions/transport_sockets/tls/test_data:certs"],
+ data = ["//test/common/tls/test_data:certs"],
 external_deps = ["quiche_quic_platform"],
 tags = ["nofips"],
 deps = [
@@ -30,7 +30,7 @@ envoy_cc_test(
 "//source/common/quic/platform:quiche_flags_impl_lib",
 "//test/common/buffer:utility_lib",
 "//test/common/stats:stat_test_utility_lib",
- "//test/extensions/transport_sockets/tls:ssl_test_utils",
+ "//test/common/tls:ssl_test_utils",
 "//test/mocks/api:api_mocks",
 "//test/test_common:logging_lib",
 "//test/test_common:threadsafe_singleton_injector_lib",
diff --git a/test/common/quic/platform/quic_platform_test.cc b/test/common/quic/platform/quic_platform_test.cc
index 2f3f8682c84a..19fcbc392864 100644
--- a/test/common/quic/platform/quic_platform_test.cc
+++ b/test/common/quic/platform/quic_platform_test.cc
@@ -14,7 +14,7 @@
 #include "test/common/buffer/utility.h"
 #include "test/common/stats/stat_test_utility.h"
-#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
+#include "test/common/tls/ssl_test_utility.h"
 #include "test/mocks/api/mocks.h"
 #include "test/test_common/logging.h"
 #include "test/test_common/network_utility.h"
diff --git a/test/common/quic/quic_transport_socket_factory_test.cc b/test/common/quic/quic_transport_socket_factory_test.cc
index 154cfb59afea..678b8a1731ef 100644
--- a/test/common/quic/quic_transport_socket_factory_test.cc
+++ b/test/common/quic/quic_transport_socket_factory_test.cc
@@ -45,12 +45,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, EarlyDataEnabledByDefault) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"); verifyQuicServerTransportSocketFactory(yaml, true); @@ -62,12 +62,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, EarlyDataExplicitlyDisabled) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" enable_early_data: value: false )EOF"); 
@@ -81,12 +81,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, EarlyDataExplicitlyEnabled) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" enable_early_data: value: true )EOF"); @@ -101,12 +101,12 @@ TEST_F(QuicServerTransportSocketFactoryConfigTest, ClientAuthUnsupported) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"); EXPECT_THROW_WITH_MESSAGE(verifyQuicServerTransportSocketFactory(yaml, true), EnvoyException, "TLS Client Authentication is not supported over QUIC"); diff --git a/test/common/secret/BUILD b/test/common/secret/BUILD index 597306d5d7d5..1dc9ddf8bcfd 100644 --- a/test/common/secret/BUILD +++ b/test/common/secret/BUILD 
@@ -18,7 +18,7 @@ envoy_cc_test(
 name = "secret_manager_impl_test",
 srcs = ["secret_manager_impl_test.cc"],
 data = [
- "//test/extensions/transport_sockets/tls/test_data:certs",
+ "//test/common/tls/test_data:certs",
 ],
 deps = [
 ":private_key_provider_proto_cc_proto",
@@ -45,7 +45,7 @@ envoy_cc_test(
 name = "sds_api_test",
 srcs = ["sds_api_test.cc"],
 data = [
- "//test/extensions/transport_sockets/tls/test_data:certs",
+ "//test/common/tls/test_data:certs",
 ],
 deps = [
 "//source/common/secret:sds_api_lib",
diff --git a/test/common/secret/sds_api_test.cc b/test/common/secret/sds_api_test.cc
index 2cb819a4c02a..edc3327cbfb9 100644
--- a/test/common/secret/sds_api_test.cc
+++ b/test/common/secret/sds_api_test.cc
@@ -92,9 +92,9 @@ TEST_F(SdsApiTest, InitManagerInitialised) {
 name: "abc.com"
 tls_certificate:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
 )EOF";
 const std::string sds_config_path = TestEnvironment::writeStringToFileForTest(
@@ -167,9 +167,9 @@ TEST_F(SdsApiTest, DynamicTlsCertificateUpdateSuccess) {
 name: "abc.com"
 tls_certificate:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::Secret typed_secret;
 TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret);
@@ -180,13 +180,11 @@ TEST_F(SdsApiTest, DynamicTlsCertificateUpdateSuccess) { testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config(*sds_api.secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } @@ -579,9 +577,9 @@ TEST_F(SdsApiTest, DeltaUpdateSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret); 
@@ -594,13 +592,11 @@ TEST_F(SdsApiTest, DeltaUpdateSuccess) { testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config(*sds_api.secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } @@ -623,7 +619,7 @@ TEST_F(SdsApiTest, DynamicCertificateValidationContextUpdateSuccess) { R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; @@ -636,8 +632,7 @@ TEST_F(SdsApiTest, DynamicCertificateValidationContextUpdateSuccess) { auto cvc_config = Ssl::CertificateValidationContextConfigImpl::create(*sds_api.secret(), *api_).value(); - const std::string ca_cert = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"; + const std::string ca_cert = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ca_cert)), cvc_config->caCert()); } 
@@ -682,8 +677,8 @@ TEST_F(SdsApiTest, DefaultCertificateValidationContextTest) { typed_secret.set_name("abc.com"); auto* dynamic_cvc = typed_secret.mutable_validation_context(); dynamic_cvc->set_allow_expired_certificate(false); - dynamic_cvc->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + dynamic_cvc->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); auto* san_matcher = dynamic_cvc->add_match_typed_subject_alt_names(); san_matcher->mutable_matcher()->set_exact("second san"); san_matcher->set_san_type( @@ -716,8 +711,7 @@ TEST_F(SdsApiTest, DefaultCertificateValidationContextTest) { // field. EXPECT_TRUE(cvc_config->allowExpiredCertificate()); // Verify that singular fields are overwritten. - const std::string ca_cert = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"; + const std::string ca_cert = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ca_cert)), cvc_config->caCert()); // Verify that repeated fields are concatenated. @@ -778,7 +772,7 @@ TEST_F(SdsApiTest, GenericSecretSdsApiTest) { name: "encryption_key" generic_secret: secret: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key" + filename: "{{ test_rundir }}/test/common/tls/test_data/aes_128_key" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret); 
@@ -790,8 +784,7 @@ name: "encryption_key" const envoy::extensions::transport_sockets::tls::v3::GenericSecret generic_secret( *sds_api.secret()); - const std::string secret_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key"; + const std::string secret_path = "{{ test_rundir }}/test/common/tls/test_data/aes_128_key"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(secret_path)), Config::DataSource::read(generic_secret.secret(), true, *api_).value()); } @@ -824,9 +817,9 @@ TEST_F(SdsApiTest, SecretUpdateWrongSize) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; @@ -858,9 +851,9 @@ TEST_F(SdsApiTest, SecretUpdateWrongSecretName) { name: "wrong.name.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index cbd8e21277aa..1529a4c1d290 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc 
@@ -71,9 +71,9 @@ TEST_F(SecretManagerImplTest, TlsCertificateSecretLoadSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); SecretManagerPtr secret_manager(new SecretManagerImpl(config_tracker_)); @@ -85,13 +85,11 @@ name: "abc.com" testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config( *secret_manager->findStaticTlsCertificateProvider("abc.com")->secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } 
@@ -105,9 +103,9 @@ TEST_F(SecretManagerImplTest, DuplicateStaticTlsCertificateSecret) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); SecretManagerPtr secret_manager(new SecretManagerImpl(config_tracker_)); @@ -125,7 +123,7 @@ TEST_F(SecretManagerImplTest, CertificateValidationContextSecretLoadSuccess) { R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); @@ -139,8 +137,7 @@ TEST_F(SecretManagerImplTest, CertificateValidationContextSecretLoadSuccess) { *secret_manager->findStaticCertificateValidationContextProvider("abc.com")->secret(), *api_) .value(); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), cvc_config->caCert()); } 
@@ -153,7 +150,7 @@ TEST_F(SecretManagerImplTest, DuplicateStaticCertificateValidationContextSecret) R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); @@ -174,7 +171,7 @@ TEST_F(SecretManagerImplTest, SessionTicketKeysLoadSuccess) { name: "abc.com" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keys.bin" + - filename: "{{ test_rundir }}/test/common/tls/test_data/keys.bin" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); @@ -188,8 +185,7 @@ name: "abc.com" const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys session_ticket_keys( *secret_manager->findStaticTlsSessionTicketKeysContextProvider("abc.com")->secret()); - const std::string keys_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keys.bin"; + const std::string keys_path = "{{ test_rundir }}/test/common/tls/test_data/keys.bin"; EXPECT_EQ(session_ticket_keys.keys_size(), 1); EXPECT_EQ(session_ticket_keys.keys()[0].filename(), TestEnvironment::substitute(keys_path)); } @@ -203,7 +199,7 @@ TEST_F(SecretManagerImplTest, DuplicateSessionTicketKeysSecret) { name: "abc.com" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keys.bin" + - filename: "{{ test_rundir }}/test/common/tls/test_data/keys.bin" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config); 
@@ -227,7 +223,7 @@ TEST_F(SecretManagerImplTest, GenericSecretLoadSuccess) { name: "encryption_key" generic_secret: secret: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key" + filename: "{{ test_rundir }}/test/common/tls/test_data/aes_128_key" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret); EXPECT_TRUE(secret_manager->addStaticSecret(secret).ok()); @@ -237,8 +233,7 @@ name: "encryption_key" const envoy::extensions::transport_sockets::tls::v3::GenericSecret generic_secret( *secret_manager->findStaticGenericSecretProvider("encryption_key")->secret()); - const std::string secret_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key"; + const std::string secret_path = "{{ test_rundir }}/test/common/tls/test_data/aes_128_key"; EXPECT_EQ(generic_secret.secret().filename(), TestEnvironment::substitute(secret_path)); } @@ -252,7 +247,7 @@ TEST_F(SecretManagerImplTest, DuplicateGenericSecret) { name: "encryption_key" generic_secret: secret: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/aes_128_key" + filename: "{{ test_rundir }}/test/common/tls/test_data/aes_128_key" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret); EXPECT_TRUE(secret_manager->addStaticSecret(secret).ok()); 
@@ -375,9 +370,9 @@ TEST_F(SecretManagerImplTest, SdsDynamicSecretUpdateSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::Secret typed_secret; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), typed_secret); @@ -388,12 +383,10 @@ name: "abc.com" .ok()); testing::NiceMock ctx; Ssl::TlsCertificateConfigImpl tls_config(*secret_provider->secret(), ctx, *api_); - const std::string cert_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"; + const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), tls_config.certificateChain()); - const std::string key_pem = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"; + const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), tls_config.privateKey()); } @@ -578,7 +571,7 @@ name: "abc.com.validation" name: "abc.com.stek" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - inline_string: "DUMMY_INLINE_STRING" - inline_bytes: "RFVNTVlfSU5MSU5FX0JZVEVT" )EOF"; 
@@ -1015,7 +1008,7 @@ TEST_F(SecretManagerImplTest, ConfigDumpHandlerStaticSessionTicketsContext) { name: "abc.com.stek" session_ticket_keys: keys: - - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" - inline_string: "DUMMY_INLINE_STRING" - inline_bytes: "RFVNTVlfSU5MSU5FX0JZVEVT" )EOF"; @@ -1098,7 +1091,7 @@ TEST_F(SecretManagerImplTest, SdsDynamicSecretPrivateKeyProviderUpdateSuccess) { name: "abc.com" tls_certificate: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: @@ -1140,7 +1133,7 @@ TEST_F(SecretManagerImplTest, DeprecatedSanMatcher) { R"EOF( name: "abc.com" validation_context: - trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" } + trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" } allow_expired_certificate: true match_subject_alt_names: exact: "example.foo" diff --git a/test/extensions/transport_sockets/tls/BUILD b/test/common/tls/BUILD similarity index 77% rename from test/extensions/transport_sockets/tls/BUILD rename to test/common/tls/BUILD index 7ba751cbf0f2..99487d65309e 100644 --- a/test/extensions/transport_sockets/tls/BUILD +++ b/test/common/tls/BUILD @@ -26,8 +26,8 @@ envoy_cc_test( # TODO(mattklein123): We should consolidate all of our test certs in a single place as # right now we have a bunch of duplication which is confusing. "//test/config/integration/certs", - "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/ocsp/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = ["ssl"], deps = [ 
@@ -45,13 +45,13 @@ envoy_cc_test( "//source/common/stats:isolated_store_lib", "//source/common/stats:stats_lib", "//source/common/stream_info:stream_info_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", - "//source/extensions/transport_sockets/tls:utility_lib", - "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib", - "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator", - "//test/extensions/transport_sockets/tls/test_data:cert_infos", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//source/common/tls:ssl_socket_lib", + "//source/common/tls:utility_lib", + "//source/common/tls/private_key:private_key_manager_lib", + "//test/common/tls/cert_validator:timed_cert_validator", + "//test/common/tls/test_data:cert_infos", "//test/mocks/buffer:buffer_mocks", "//test/mocks/init:init_mocks", "//test/mocks/local_info:local_info_mocks", @@ -79,8 +79,8 @@ envoy_cc_test( "context_impl_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/ocsp/test_data:certs", + "//test/common/tls/test_data:certs", ], deps = [ "ssl_certs_test_lib", @@ -89,9 +89,9 @@ envoy_cc_test( "//source/common/json:json_loader_lib", "//source/common/stats:isolated_store_lib", "//source/common/stats:stats_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//test/extensions/transport_sockets/tls/test_data:cert_infos", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//test/common/tls/test_data:cert_infos", "//test/mocks/init:init_mocks", "//test/mocks/local_info:local_info_mocks", "//test/mocks/runtime:runtime_mocks", 
@@ -112,7 +112,7 @@ envoy_cc_test( external_deps = ["ssl"], deps = [ ":ssl_test_utils", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:ssl_socket_lib", "//test/mocks/network:io_handle_mocks", ], ) @@ -123,13 +123,13 @@ envoy_cc_test( "utility_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = ["ssl"], deps = [ ":ssl_test_utils", - "//source/extensions/transport_sockets/tls:utility_lib", - "//test/extensions/transport_sockets/tls/test_data:cert_infos", + "//source/common/tls:utility_lib", + "//test/common/tls/test_data:cert_infos", "//test/test_common:environment_lib", "//test/test_common:simulated_time_system_lib", ], @@ -141,7 +141,7 @@ envoy_cc_test_library( "ssl_test_utility.h", ], deps = [ - "//source/extensions/transport_sockets/tls:utility_lib", + "//source/common/tls:utility_lib", "//test/test_common:environment_lib", ], ) @@ -171,14 +171,14 @@ envoy_cc_test( name = "handshaker_test", srcs = ["handshaker_test.cc"], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = ["ssl"], deps = [ ":ssl_socket_test", ":ssl_test_utils", "//source/common/stream_info:stream_info_lib", - "//source/extensions/transport_sockets/tls:ssl_handshaker_lib", + "//source/common/tls:ssl_handshaker_lib", "//test/mocks/buffer:buffer_mocks", "//test/mocks/network:network_mocks", "//test/mocks/runtime:runtime_mocks", 
@@ -193,10 +193,10 @@ envoy_cc_test( srcs = ["handshaker_factory_test.cc"], deps = [ "//source/common/stream_info:stream_info_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//source/extensions/transport_sockets/tls:ssl_handshaker_lib", - "//source/extensions/transport_sockets/tls:ssl_socket_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//source/common/tls:ssl_handshaker_lib", + "//source/common/tls:ssl_socket_lib", "//source/server:process_context_lib", "//test/mocks/buffer:buffer_mocks", "//test/mocks/network:network_mocks", @@ -214,7 +214,7 @@ envoy_cc_benchmark_binary( name = "tls_throughput_benchmark", srcs = ["tls_throughput_benchmark.cc"], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], external_deps = [ "benchmark", diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/common/tls/cert_validator/BUILD similarity index 72% rename from test/extensions/transport_sockets/tls/cert_validator/BUILD rename to test/common/tls/cert_validator/BUILD index 0a6f835d2c9d..f0b243a980d3 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/test/common/tls/cert_validator/BUILD @@ -15,12 +15,12 @@ envoy_cc_test( "default_validator_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", + "//test/common/tls/test_data:certs", ], deps = [ - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", - "//test/extensions/transport_sockets/tls:ssl_test_utils", - "//test/extensions/transport_sockets/tls/cert_validator:test_common", + "//source/common/tls/cert_validator:cert_validator_lib", + "//test/common/tls:ssl_test_utils", + "//test/common/tls/cert_validator:test_common", "//test/test_common:environment_lib", "//test/test_common:test_runtime_lib", ], 
@@ -32,8 +32,8 @@ envoy_cc_test( "factory_test.cc", ], deps = [ - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", - "//test/extensions/transport_sockets/tls/cert_validator:test_common", + "//source/common/tls/cert_validator:cert_validator_lib", + "//test/common/tls/cert_validator:test_common", ], ) @@ -55,7 +55,7 @@ envoy_cc_test( ], deps = [ "//source/common/protobuf:utility_lib", - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "//source/common/tls/cert_validator:cert_validator_lib", "//test/test_common:utility_lib", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", ], @@ -73,8 +73,8 @@ envoy_cc_test( "default_validator_integration_test.cc", ], data = [ + "//test/common/tls/test_data:certs", "//test/config/integration/certs", - "//test/extensions/transport_sockets/tls/test_data:certs", ], deps = [ ":default_validator_integration_test_lib", @@ -91,6 +91,6 @@ envoy_cc_test_library( "timed_cert_validator.h", ], deps = [ - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "//source/common/tls/cert_validator:cert_validator_lib", ], ) diff --git a/test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.cc b/test/common/tls/cert_validator/default_validator_integration_test.cc similarity index 99% rename from test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.cc rename to test/common/tls/cert_validator/default_validator_integration_test.cc index 3e9717b0391d..a76e87ed04fd 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.cc +++ b/test/common/tls/cert_validator/default_validator_integration_test.cc @@ -2,7 +2,7 @@ #include -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/integration/integration.h" #include "test/test_common/test_runtime.h" 
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.h b/test/common/tls/cert_validator/default_validator_integration_test.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/cert_validator/default_validator_integration_test.h
rename to test/common/tls/cert_validator/default_validator_integration_test.h
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc b/test/common/tls/cert_validator/default_validator_test.cc
similarity index 84%
rename from test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc
rename to test/common/tls/cert_validator/default_validator_test.cc
index 707a9f15af50..0fa44d2d6053 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc
+++ b/test/common/tls/cert_validator/default_validator_test.cc
@@ -1,11 +1,11 @@
 #include
 #include
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h"
+#include "source/common/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/san_matcher.h"
-#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h"
-#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
+#include "test/common/tls/cert_validator/test_common.h"
+#include "test/common/tls/ssl_test_utility.h"
 #include "test/test_common/environment.h"
 #include "test/test_common/test_runtime.h"
 #include "test/test_common/utility.h"
@@ -26,16 +26,16 @@ using X509StorePtr = CSmartPtr; using SSLContextPtr = CSmartPtr; TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameDNSMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); std::vector verify_subject_alt_name_list = {"server1.example.com", "server2.example.com"}; EXPECT_TRUE(DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list)); } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDNSMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); std::vector subject_alt_name_matchers; @@ -45,8 +45,8 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDNSMatched) { } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameIncorrectTypeMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); std::vector subject_alt_name_matchers; 
@@ -56,9 +56,9 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameIncorrectTypeMatched) { } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameWildcardDNSMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_multiple_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.set_exact("api.example.com"); std::vector subject_alt_name_matchers; @@ -69,9 +69,9 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameWildcardDNSMatched) { TEST(DefaultCertValidatorTest, TestMultiLevelMatch) { // san_multiple_dns_cert matches *.example.com - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_multiple_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.set_exact("foo.api.example.com"); std::vector subject_alt_name_matchers; 
@@ -81,25 +81,25 @@ TEST(DefaultCertValidatorTest, TestMultiLevelMatch) { } TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameURIMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); std::vector verify_subject_alt_name_list = {"spiffe://lyft.com/fake-team", "spiffe://lyft.com/test-team"}; EXPECT_TRUE(DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list)); } TEST(DefaultCertValidatorTest, TestVerifySubjectAltMultiDomain) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_multiple_dns_cert.pem")); std::vector verify_subject_alt_name_list = {"https://a.www.example.com"}; EXPECT_FALSE( DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list)); } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameURIMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw(spiffe://lyft.com/[^/]*-team)raw")); std::vector subject_alt_name_matchers; 
@@ -109,16 +109,16 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameURIMatched) { } TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameNotMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); std::vector verify_subject_alt_name_list = {"foo", "bar"}; EXPECT_FALSE( DefaultCertValidator::verifySubjectAltName(cert.get(), verify_subject_alt_name_list)); } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameNotMatched) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example\.net)raw")); std::vector subject_alt_name_matchers; @@ -142,8 +142,8 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithSANMatcher) { /*CertificateValidationContextConfig=*/nullptr, stats, Event::GlobalTimeSystem().timeSystem()); - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); std::vector san_matchers; 
@@ -210,8 +210,8 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithEmptyCertChain) { } TEST(DefaultCertValidatorTest, NoSanInCert) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example\.net)raw")); std::vector subject_alt_name_matchers; 
@@ -227,20 +227,20 @@ TEST(DefaultCertValidatorTest, WithVerifyDepth) { envoy::config::core::v3::TypedExtensionConfig typed_conf; std::vector san_matchers{}; - bssl::UniquePtr cert_chain = readCertChainFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/test_long_cert_chain.pem")); + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/test_long_cert_chain.pem")); bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/test_random_cert.pem")); - bssl::UniquePtr ca_cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/test_random_cert.pem")); + bssl::UniquePtr ca_cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); // Create the default validator object. // Config includes ca_cert and the verify-depth. // Set verify depth < 3, so verification fails. ( There are 3 intermediate certs ) - std::string ca_cert_str(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + std::string ca_cert_str( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); TestCertificateValidationContextConfigPtr test_config = std::make_unique(typed_conf, false, san_matchers, ca_cert_str, 2); diff --git a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc b/test/common/tls/cert_validator/factory_test.cc similarity index 83% rename from test/extensions/transport_sockets/tls/cert_validator/factory_test.cc rename to test/common/tls/cert_validator/factory_test.cc index 94cf5e7063fa..de8d34a562c8 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc 
+++ b/test/common/tls/cert_validator/factory_test.cc
@@ -1,8 +1,8 @@
 #include
-#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
+#include "source/common/tls/cert_validator/factory.h"
-#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h"
+#include "test/common/tls/cert_validator/test_common.h"
 #include "gtest/gtest.h"
diff --git a/test/extensions/transport_sockets/tls/cert_validator/san_matcher_test.cc b/test/common/tls/cert_validator/san_matcher_test.cc
similarity index 97%
rename from test/extensions/transport_sockets/tls/cert_validator/san_matcher_test.cc
rename to test/common/tls/cert_validator/san_matcher_test.cc
index 860281aba8c9..11f67e467119 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/san_matcher_test.cc
+++ b/test/common/tls/cert_validator/san_matcher_test.cc
@@ -2,7 +2,7 @@
 #include "source/common/protobuf/message_validator_impl.h"
 #include "source/common/protobuf/utility.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/san_matcher.h"
+#include "source/common/tls/cert_validator/san_matcher.h"
 #include "test/test_common/utility.h"
diff --git a/test/extensions/transport_sockets/tls/cert_validator/test_common.h b/test/common/tls/cert_validator/test_common.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/cert_validator/test_common.h
rename to test/common/tls/cert_validator/test_common.h
diff --git a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.cc b/test/common/tls/cert_validator/timed_cert_validator.cc
similarity index 97%
rename from test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.cc
rename to test/common/tls/cert_validator/timed_cert_validator.cc
index 4f3f73420f4a..3e8afa59300e 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.cc
+++ b/test/common/tls/cert_validator/timed_cert_validator.cc
@@ -1,4 +1,4 @@
-#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h"
+#include "test/common/tls/cert_validator/timed_cert_validator.h"
 #include
diff --git a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h b/test/common/tls/cert_validator/timed_cert_validator.h
similarity index 95%
rename from test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h
rename to test/common/tls/cert_validator/timed_cert_validator.h
index f6074e81b61a..45a57fc5eda2 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h
+++ b/test/common/tls/cert_validator/timed_cert_validator.h
@@ -5,8 +5,8 @@
 #include
 #include
-#include "source/extensions/transport_sockets/tls/cert_validator/default_validator.h"
-#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
+#include "source/common/tls/cert_validator/default_validator.h"
+#include "source/common/tls/cert_validator/factory.h"
 namespace Envoy {
 namespace Extensions {
diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/common/tls/context_impl_test.cc
similarity index 79%
rename from test/extensions/transport_sockets/tls/context_impl_test.cc
rename to test/common/tls/context_impl_test.cc
index 11a441051229..4de6f9a81df4 100644
--- a/test/extensions/transport_sockets/tls/context_impl_test.cc
+++ b/test/common/tls/context_impl_test.cc
@@ -10,16 +10,16 @@ #include "source/common/json/json_loader.h" #include "source/common/secret/sds_api.h" #include "source/common/stats/isolated_store_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" -#include "source/extensions/transport_sockets/tls/utility.h" - -#include "test/extensions/transport_sockets/tls/ssl_certs_test.h" -#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" -#include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_impl.h" +#include "source/common/tls/utility.h" + +#include "test/common/tls/ssl_certs_test.h" +#include "test/common/tls/ssl_test_utility.h" +#include "test/common/tls/test_data/no_san_cert_info.h" +#include "test/common/tls/test_data/san_dns3_cert_info.h" +#include "test/common/tls/test_data/san_ip_cert_info.h" +#include "test/common/tls/test_data/unittest_cert_info.h" #include "test/mocks/init/mocks.h" #include "test/mocks/local_info/mocks.h" #include "test/mocks/secret/mocks.h" @@ -144,9 +144,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; 
@@ -167,9 +167,9 @@ TEST_F(SslContextImplTest, TestExpiredCert) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_key.pem"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -188,9 +188,9 @@ TEST_F(SslContextImplTest, TestContextUpdate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/expired_key.pem"
 )EOF";
 // Validate that daysUntilFirstCertExpires returns correctly when single context is available.
@@ -205,9 +205,9 @@ TEST_F(SslContextImplTest, TestContextUpdate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext expiring_context;
@@ -242,12 +242,12 @@ TEST_F(SslContextImplTest, TestGetCertInformation) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -265,7 +265,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) {
 // serial number with
 // every build. For cert_chain output, we check only for the certificate path.
 std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem",
 "serial_number": ")EOF", TEST_NO_SAN_CERT_SERIAL, R"EOF(",
 "subject_alt_names": [],
@@ -273,7 +273,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) {
 )EOF");
 std::string cert_chain_json = R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem",
 }
 )EOF";
@@ -295,12 +295,12 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithSAN) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem"
 validation_context:
 trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -311,7 +311,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithSAN) {
 manager_.createSslClientContext(*store_.rootScope(), cfg));
 auto cleanup = cleanUpHelper(context);
 std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem",
 "serial_number": ")EOF", TEST_SAN_DNS3_CERT_SERIAL, R"EOF(",
 "subject_alt_names": [
@@ -323,7 +323,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithSAN) {
 )EOF");
 std::string cert_chain_json = R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem",
 }
 )EOF";
@@ -351,12 +351,12 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithIPSAN) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_chain.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_key.pem"
 validation_context:
 trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -367,7 +367,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithIPSAN) {
 manager_.createSslClientContext(*store_.rootScope(), cfg));
 auto cleanup = cleanUpHelper(context);
 std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem",
 "serial_number": ")EOF", TEST_SAN_IP_CERT_SERIAL, R"EOF(",
 "subject_alt_names": [
@@ -379,7 +379,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithIPSAN) {
 )EOF");
 std::string cert_chain_json = R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_ip_chain.pem",
 }
 )EOF";
@@ -411,12 +411,12 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithExpiration) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem"
 validation_context:
 trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -429,7 +429,7 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithExpiration) {
 std::string ca_cert_json = absl::StrCat(R"EOF({
- "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem",
+ "path": "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem",
 "serial_number": ")EOF", TEST_SAN_DNS3_CERT_SERIAL, R"EOF(",
 "subject_alt_names": [
@@ -470,13 +470,13 @@ TEST_F(SslContextImplTest, DuplicateRsaCertSameExactDNSSan) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned2_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned2_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -490,13 +490,13 @@ TEST_F(SslContextImplTest, DuplicateRsaCertSameWildcardDNSSan) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem"
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -510,13 +510,13 @@ TEST_F(SslContextImplTest, AcceptableMultipleRsaCerts) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem"
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -530,13 +530,13 @@ TEST_F(SslContextImplTest, DuplicateEcdsaCert) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem"
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned2_ecdsa_p256_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -550,13 +550,13 @@ TEST_F(SslContextImplTest, AcceptableMultipleEcdsaCerts) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem"
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -573,9 +573,9 @@ TEST_F(SslContextImplTest, CertDuplicatedSansAndCN) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -593,13 +593,13 @@ TEST_F(SslContextImplTest, MultipleCertsSansAndCN) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cn_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cn_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cn_key.pem"
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_wildcard_dns_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_wildcard_dns_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -613,9 +613,9 @@ TEST_F(SslContextImplTest, MustHaveSubjectOrSAN) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_subject_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/no_subject_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_subject_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/no_subject_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
 ServerContextConfigImpl server_context_config(tls_context, factory_context_);
@@ -643,11 +643,11 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem"
 ocsp_staple:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"
 ocsp_staple_policy: must_staple
 )EOF";
 auto context = loadConfigYaml(tls_context_yaml);
@@ -656,15 +656,15 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) {
 TEST_F(SslServerContextImplOcspTest, TestInlineBytesOcspStapleConfigLoads) {
 auto der_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"));
+ "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"));
 auto base64_response = Base64::encode(der_response.c_str(), der_response.length(), true);
 const std::string tls_context_yaml = fmt::format(R"EOF(
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem"
+ filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_cert.pem"
 private_key:
- filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem"
+ filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_key.pem"
 ocsp_staple:
 inline_bytes: "{}"
 ocsp_staple_policy: must_staple
@@ -680,9 +680,9 @@ TEST_F(SslServerContextImplOcspTest, TestInlineStringOcspStapleConfigFails) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem"
 ocsp_staple:
 inline_string: "abcd"
 ocsp_staple_policy: must_staple
@@ -697,11 +697,11 @@ TEST_F(SslServerContextImplOcspTest, TestMismatchedOcspStapleConfigFails) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem"
 ocsp_staple:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"
 ocsp_staple_policy: must_staple
 )EOF";
@@ -714,9 +714,9 @@ TEST_F(SslServerContextImplOcspTest, TestStaplingRequiredWithoutStapleConfigFail
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem"
 ocsp_staple_policy: must_staple
 )EOF";
@@ -738,9 +738,9 @@ TEST_F(SslServerContextImplOcspTest, TestUnsuccessfulOcspResponseConfigFails) {
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem"
+ filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_cert.pem"
 private_key:
- filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem"
+ filename: "{{{{ test_rundir }}}}/test/common/tls/ocsp/test_data/good_key.pem"
 ocsp_staple:
 inline_bytes: "{}"
 ocsp_staple_policy: must_staple
@@ -756,9 +756,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleConfigFails)
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem"
 ocsp_staple_policy: lenient_stapling
 )EOF";
@@ -771,11 +771,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem"
 ocsp_staple:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"
+ filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"
 )EOF";
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
@@ -786,11 +786,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) {
 constexpr absl::string_view this_update = "This Update: ";
 constexpr absl::string_view next_update = "Next Update: ";
- auto ocsp_text_details = absl::StrSplit(
- TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt")),
- '\n');
+ auto ocsp_text_details =
+ absl::StrSplit(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
+ "{{ test_rundir "
+ "}}/test/common/tls/ocsp/test_data/good_ocsp_resp_details.txt")),
+ '\n');
 std::string valid_from, expiration;
 for (const auto& detail : ocsp_text_details) {
 std::string::size_type pos = detail.find(this_update);
@@ -836,9 +836,9 @@ class SslServerContextImplTicketTest : public SslContextImplTest {
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
 cfg.mutable_common_tls_context()->add_tls_certificates();
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"));
 ServerContextConfigImpl server_context_config(cfg, factory_context_);
 loadConfig(server_context_config);
@@ -858,13 +858,13 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b"
 )EOF";
 EXPECT_NO_THROW(loadConfigYaml(yaml));
 }
@@ -875,13 +875,13 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_wrong_len"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_wrong_len"
 )EOF";
 EXPECT_THROW(loadConfigYaml(yaml), EnvoyException);
 }
@@ -891,12 +891,12 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidCannotRead) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/this_file_does_not_exist"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/this_file_does_not_exist"
 )EOF";
 EXPECT_THROW(loadConfigYaml(yaml), std::exception);
 }
@@ -947,9 +947,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySdsNotReady) {
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
 tls_context.mutable_common_tls_context()->add_tls_certificates();
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"));
 NiceMock local_info;
 NiceMock dispatcher;
@@ -984,8 +984,8 @@ TEST_F(SslServerContextImplTicketTest, StaticTickeyKey) {
 name: "abc.com"
 session_ticket_keys:
 keys:
- - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
- - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b"
+ - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a"
+ - filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config);
@@ -995,9 +995,9 @@ name: "abc.com"
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
 tls_context.mutable_common_tls_context()->add_tls_certificates();
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"));
 tls_context.mutable_session_ticket_keys_sds_secret_config()->set_name("abc.com");
@@ -1012,14 +1012,14 @@ TEST_F(SslServerContextImplTicketTest, CRLSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"
 validation_context:
 trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 crl:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl"
 )EOF";
 EXPECT_NO_THROW(loadConfigYaml(yaml));
 }
@@ -1029,14 +1029,14 @@ TEST_F(SslServerContextImplTicketTest, CRLInvalid) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"
 validation_context:
 trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 crl:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/not_a_crl.crl"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/not_a_crl.crl"
 )EOF";
 EXPECT_THROW_WITH_REGEX(loadConfigYaml(yaml), EnvoyException,
 "^Failed to load CRL from .*/not_a_crl.crl$");
@@ -1047,12 +1047,12 @@ TEST_F(SslServerContextImplTicketTest, CRLWithNoCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"
 validation_context:
 crl:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/not_a_crl.crl"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/not_a_crl.crl"
 )EOF";
 EXPECT_THROW_WITH_REGEX(loadConfigYaml(yaml), EnvoyException,
 "^Failed to load CRL from .* without trusted CA$");
@@ -1063,9 +1063,9 @@ TEST_F(SslServerContextImplTicketTest, VerifySanWithNoCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"
 validation_context:
 match_typed_subject_alt_names:
 - san_type: URI
@@ -1083,9 +1083,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
@@ -1099,9 +1099,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 disable_stateless_session_resumption: false
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
@@ -1116,9 +1116,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
 disable_stateless_session_resumption: true
 )EOF";
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
@@ -1133,12 +1133,12 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI
common_tls_context:
tls_certificates:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"
session_ticket_keys:
keys:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
@@ -1211,9 +1211,9 @@ TEST_F(ClientContextConfigImplTest, RSA2048Cert) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1228,9 +1228,9 @@ TEST_F(ClientContextConfigImplTest, RSA1024Cert) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_1024_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_1024_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1255,7 +1255,7 @@ TEST_F(ClientContextConfigImplTest, RSA1024Pkcs12) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
pkcs12:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_certkey.p12"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_1024_certkey.p12"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1280,9 +1280,9 @@ TEST_F(ClientContextConfigImplTest, RSA3072Cert) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_3072_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_3072_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1299,9 +1299,9 @@ TEST_F(ClientContextConfigImplTest, RSA4096Cert) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_4096_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_rsa_4096_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1316,9 +1316,9 @@ TEST_F(ClientContextConfigImplTest, P256EcdsaCert) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1333,9 +1333,9 @@ TEST_F(ClientContextConfigImplTest, NonP256EcdsaCert) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p384_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p384_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1352,7 +1352,7 @@ TEST_F(ClientContextConfigImplTest, NonP256EcdsaPkcs12) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
pkcs12:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_certkey.p12"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p384_certkey.p12"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1370,9 +1370,9 @@ TEST_F(ClientContextConfigImplTest, MultipleTlsCertificates) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1389,9 +1389,9 @@ TEST_F(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) {
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1433,9 +1433,9 @@ TEST_F(ClientContextConfigImplTest, ValidationContextNotReady) {
envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert =
tls_context.mutable_common_tls_context()->add_tls_certificates();
client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"));
client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"));
NiceMock local_info;
NiceMock init_manager;
NiceMock dispatcher;
@@ -1465,9 +1465,9 @@ TEST_F(ClientContextConfigImplTest, StaticTlsCertificates) {
name: "abc.com"
tls_certificate:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config);
@@ -1481,12 +1481,10 @@ name: "abc.com"
EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok());
ClientContextConfigImpl client_context_config(tls_context, factory_context_);
- const std::string cert_pem =
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem";
+ const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)),
client_context_config.tlsCertificates()[0].get().certificateChain());
- const std::string key_pem =
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem";
+ const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)),
client_context_config.tlsCertificates()[0].get().privateKey());
}
@@ -1498,15 +1496,15 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedTlsCertificates) {
secret_config.set_name("abc.com");
auto* tls_certificate = secret_config.mutable_tls_certificate();
- tls_certificate->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem"));
- tls_certificate->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem"));
- tls_certificate->mutable_password()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"));
+ tls_certificate->mutable_certificate_chain()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_cert.pem"));
+ tls_certificate->mutable_private_key()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_key.pem"));
+ tls_certificate->mutable_password()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_password.txt"));
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
tls_context.mutable_common_tls_context()
@@ -1517,19 +1515,16 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedTlsCertificates) {
EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok());
ClientContextConfigImpl client_context_config(tls_context, factory_context_);
- const std::string cert_pem =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem";
+ const std::string cert_pem = "{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_cert.pem";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)),
client_context_config.tlsCertificates()[0].get().certificateChain());
- const std::string key_pem =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem";
+ const std::string key_pem = "{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_key.pem";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)),
client_context_config.tlsCertificates()[0].get().privateKey());
- const std::string password_file =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt";
+ const std::string password_file = "{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_password.txt";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(password_file)),
client_context_config.tlsCertificates()[0].get().password());
}
@@ -1541,12 +1536,12 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedPkcs12) {
secret_config.set_name("abc.com");
auto* tls_certificate = secret_config.mutable_tls_certificate();
- tls_certificate->mutable_pkcs12()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12"));
- tls_certificate->mutable_password()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"));
+ tls_certificate->mutable_pkcs12()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12"));
+ tls_certificate->mutable_password()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_password.txt"));
envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
tls_context.mutable_common_tls_context()
@@ -1557,14 +1552,12 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedPkcs12) {
EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok());
ClientContextConfigImpl client_context_config(tls_context, factory_context_);
- const std::string cert_p12 =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12";
+ const std::string cert_p12 = "{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_p12)),
client_context_config.tlsCertificates()[0].get().pkcs12());
- const std::string password_file =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt";
+ const std::string password_file = "{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_password.txt";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(password_file)),
client_context_config.tlsCertificates()[0].get().password());
}
@@ -1576,9 +1569,9 @@ TEST_F(ClientContextConfigImplTest, PasswordWrongPkcs12) {
secret_config.set_name("abc.com");
auto* tls_certificate = secret_config.mutable_tls_certificate();
- const std::string pkcs12_path = TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12");
+ const std::string pkcs12_path =
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12");
tls_certificate->mutable_pkcs12()->set_filename(pkcs12_path);
tls_certificate->mutable_password()->set_inline_string("WrongPassword");
@@ -1604,9 +1597,9 @@ TEST_F(ClientContextConfigImplTest, PasswordNotSuppliedPkcs12) {
secret_config.set_name("abc.com");
auto* tls_certificate = secret_config.mutable_tls_certificate();
- const std::string pkcs12_path = TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12");
+ const std::string pkcs12_path =
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_certkey.p12");
tls_certificate->mutable_pkcs12()->set_filename(pkcs12_path);
// Don't supply the password.
@@ -1632,12 +1625,12 @@ TEST_F(ClientContextConfigImplTest, PasswordNotSuppliedTlsCertificates) {
secret_config.set_name("abc.com");
auto* tls_certificate = secret_config.mutable_tls_certificate();
- tls_certificate->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem"));
- const std::string private_key_path = TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem");
+ tls_certificate->mutable_certificate_chain()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_cert.pem"));
+ const std::string private_key_path =
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/password_protected_key.pem");
tls_certificate->mutable_private_key()->set_filename(private_key_path);
// Don't supply the password.
@@ -1664,9 +1657,9 @@ TEST_F(ClientContextConfigImplTest, StaticCertificateValidationContext) {
name: "abc.com"
tls_certificate:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
tls_certificate_secret_config);
@@ -1676,7 +1669,7 @@ TEST_F(ClientContextConfigImplTest, StaticCertificateValidationContext) {
const std::string certificate_validation_context_yaml = R"EOF(
name: "def.com"
validation_context:
- trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" }
+ trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" }
allow_expired_certificate: true
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(certificate_validation_context_yaml),
@@ -1695,8 +1688,7 @@ TEST_F(ClientContextConfigImplTest, StaticCertificateValidationContext) {
->set_name("def.com");
ClientContextConfigImpl client_context_config(tls_context, factory_context_);
- const std::string cert_pem =
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem";
+ const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem";
EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)),
client_context_config.certificateValidationContext()->caCert());
}
@@ -1710,9 +1702,9 @@ TEST_F(ClientContextConfigImplTest, MissingStaticSecretTlsCertificates) {
name: "abc.com"
tls_certificate:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), secret_config);
@@ -1738,9 +1730,9 @@ TEST_F(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) {
name: "abc.com"
tls_certificate:
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
tls_certificate_secret_config);
@@ -1750,7 +1742,7 @@ TEST_F(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) {
const std::string certificate_validation_context_yaml = R"EOF(
name: "def.com"
validation_context:
- trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" }
+ trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" }
allow_expired_certificate: true
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(certificate_validation_context_yaml),
@@ -1782,15 +1774,15 @@ TEST_F(ServerContextConfigImplTest, MultipleTlsCertificates) {
"No TLS certificates found for server context");
const std::string rsa_tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
const std::string ecdsa_tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(rsa_tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1810,9 +1802,9 @@ TEST_F(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) {
"No TLS certificates found for server context");
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
@@ -1874,9 +1866,9 @@ TEST_F(ServerContextConfigImplTest, ValidationContextNotReady) {
envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
tls_context.mutable_common_tls_context()->add_tls_certificates();
server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"));
server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"));
NiceMock local_info;
NiceMock init_manager;
NiceMock dispatcher;
@@ -1928,10 +1920,10 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) {
envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
tls_context.mutable_common_tls_context()->add_tls_certificates();
- server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"));
- server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"));
+ server_cert->mutable_certificate_chain()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem"));
+ server_cert->mutable_private_key()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem"));
server_validation_ctx->set_allow_expired_certificate(false);
@@ -1944,8 +1936,8 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) {
"Certificate validity period is always ignored without trusted CA");
// But once you add a trusted CA, you should be able to create the context.
- server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+ server_validation_ctx->mutable_trusted_ca()->set_filename(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"));
EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, factory_context_));
}
@@ -1961,7 +1953,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProvider) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key_provider:
provider_name: mock_provider
typed_config:
@@ -1986,7 +1978,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProviderFallbac
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key_provider:
provider_name: mock_provider
typed_config:
@@ -2021,7 +2013,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoMethod) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key_provider:
provider_name: mock_provider
typed_config:
@@ -2053,7 +2045,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadSuccess) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key_provider:
provider_name: mock_provider
typed_config:
@@ -2081,9 +2073,9 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodFallback) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
private_key_provider:
provider_name: mock_provider
typed_config:
@@ -2109,11 +2101,11 @@ TEST_F(ServerContextConfigImplTest, DeprecatedSanMatcher) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
validation_context:
- trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" }
+ trusted_ca: { filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" }
allow_expired_certificate: true
match_typed_subject_alt_names:
- san_type: DNS
@@ -2155,7 +2147,7 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndMethod) {
common_tls_context:
tls_certificates:
- pkcs12:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_certkeychain.p12"
private_key_provider:
provider_name: mock_provider
typed_config:
@@ -2175,9 +2167,9 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndKey) {
common_tls_context:
tls_certificates:
- pkcs12:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_certkeychain.p12"
private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
EXPECT_THROW_WITH_MESSAGE(
@@ -2191,9 +2183,9 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndCertChain) {
common_tls_context:
tls_certificates:
- certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"
pkcs12:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_certkeychain.p12"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context);
EXPECT_THROW_WITH_MESSAGE(
@@ -2236,9 +2228,9 @@ class SslContextStatsTest : public SslContextImplTest { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; }; diff --git a/test/extensions/transport_sockets/tls/handshaker_factory_test.cc b/test/common/tls/handshaker_factory_test.cc similarity index 97% rename from test/extensions/transport_sockets/tls/handshaker_factory_test.cc rename to test/common/tls/handshaker_factory_test.cc index 64b5e9d0f05d..4fbd63093ccb 100644 --- a/test/extensions/transport_sockets/tls/handshaker_factory_test.cc +++ b/test/common/tls/handshaker_factory_test.cc @@ -5,10 +5,10 @@ #include "envoy/ssl/handshaker.h" #include "source/common/stream_info/stream_info_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_handshaker.h" +#include "source/common/tls/ssl_socket.h" #include "source/server/process_context_impl.h" #include "test/mocks/network/connection.h" diff --git a/test/extensions/transport_sockets/tls/handshaker_test.cc b/test/common/tls/handshaker_test.cc similarity index 96% rename from test/extensions/transport_sockets/tls/handshaker_test.cc rename to test/common/tls/handshaker_test.cc index e29304bce10a..ad8caa5bd36a 100644 --- a/test/extensions/transport_sockets/tls/handshaker_test.cc 
+++ b/test/common/tls/handshaker_test.cc @@ -4,9 +4,9 @@ #include "envoy/ssl/handshaker.h" #include "source/common/stream_info/stream_info_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" +#include "source/common/tls/ssl_handshaker.h" -#include "test/extensions/transport_sockets/tls/ssl_certs_test.h" +#include "test/common/tls/ssl_certs_test.h" #include "test/mocks/network/connection.h" #include "gmock/gmock.h" @@ -84,7 +84,7 @@ class HandshakerTest : public SslCertsTest { // Read in key.pem and return a new private key. bssl::UniquePtr makeKey() { std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); + "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem")); std::string passphrase = ""; bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); @@ -99,7 +99,7 @@ class HandshakerTest : public SslCertsTest { // Read in cert.pem and return a certificate. bssl::UniquePtr makeCert() { std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem")); bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); uint8_t* data = nullptr; diff --git a/test/extensions/transport_sockets/tls/integration/BUILD b/test/common/tls/integration/BUILD similarity index 88% rename from test/extensions/transport_sockets/tls/integration/BUILD rename to test/common/tls/integration/BUILD index 37013e4df2e4..a8dc565d34cb 100644 --- a/test/extensions/transport_sockets/tls/integration/BUILD +++ b/test/common/tls/integration/BUILD 
@@ -31,12 +31,12 @@ envoy_cc_test( "//source/common/event:dispatcher_lib", "//source/common/network:connection_lib", "//source/common/network:utility_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", + "//source/common/tls:ssl_handshaker_lib", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", - "//source/extensions/transport_sockets/tls:ssl_handshaker_lib", "//test/common/config:dummy_config_proto_cc_proto", - "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator", + "//test/common/tls/cert_validator:timed_cert_validator", "//test/integration:http_integration_lib", "//test/integration/filters:stream_info_to_headers_filter_lib", "//test/mocks/secret:secret_mocks", diff --git a/test/extensions/transport_sockets/tls/integration/sni_to_header_filter.cc b/test/common/tls/integration/sni_to_header_filter.cc similarity index 100% rename from test/extensions/transport_sockets/tls/integration/sni_to_header_filter.cc rename to test/common/tls/integration/sni_to_header_filter.cc diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc b/test/common/tls/integration/ssl_integration_test.cc similarity index 99% rename from test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc rename to test/common/tls/integration/ssl_integration_test.cc index 99d0d42e3953..885494ce1f33 100644 --- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc +++ b/test/common/tls/integration/ssl_integration_test.cc 
@@ -11,14 +11,14 @@ #include "source/common/event/dispatcher_impl.h" #include "source/common/network/connection_impl.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_handshaker.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_handshaker.h" +#include "source/common/tls/ssl_socket.h" #include "test/common/config/dummy_config.pb.h" -#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h" +#include "test/common/tls/cert_validator/timed_cert_validator.h" #include "test/integration/autonomous_upstream.h" #include "test/integration/integration.h" #include "test/integration/ssl_utility.h" diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.h b/test/common/tls/integration/ssl_integration_test.h similarity index 100% rename from test/extensions/transport_sockets/tls/integration/ssl_integration_test.h rename to test/common/tls/integration/ssl_integration_test.h diff --git a/test/extensions/transport_sockets/tls/io_handle_bio_test.cc b/test/common/tls/io_handle_bio_test.cc similarity index 94% rename from test/extensions/transport_sockets/tls/io_handle_bio_test.cc rename to test/common/tls/io_handle_bio_test.cc index 8c9600b7b71d..f37349051913 100644 --- a/test/extensions/transport_sockets/tls/io_handle_bio_test.cc +++ b/test/common/tls/io_handle_bio_test.cc 
@@ -1,5 +1,5 @@ #include "source/common/network/io_socket_error_impl.h" -#include "source/extensions/transport_sockets/tls/io_handle_bio.h" +#include "source/common/tls/io_handle_bio.h" #include "test/mocks/network/io_handle.h" diff --git a/test/extensions/transport_sockets/tls/ocsp/BUILD b/test/common/tls/ocsp/BUILD similarity index 57% rename from test/extensions/transport_sockets/tls/ocsp/BUILD rename to test/common/tls/ocsp/BUILD index 262bec36ab5c..369cdbf86d86 100644 --- a/test/extensions/transport_sockets/tls/ocsp/BUILD +++ b/test/common/tls/ocsp/BUILD @@ -14,15 +14,15 @@ envoy_cc_test( "ocsp_test.cc", ], data = [ - "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", + "//test/common/tls/ocsp/test_data:certs", ], external_deps = ["ssl"], deps = [ "//source/common/filesystem:filesystem_lib", - "//source/extensions/transport_sockets/tls:utility_lib", - "//source/extensions/transport_sockets/tls/ocsp:ocsp_lib", - "//test/extensions/transport_sockets/tls:ssl_socket_test", - "//test/extensions/transport_sockets/tls:ssl_test_utils", + "//source/common/tls:utility_lib", + "//source/common/tls/ocsp:ocsp_lib", + "//test/common/tls:ssl_socket_test", + "//test/common/tls:ssl_test_utils", "//test/test_common:environment_lib", "//test/test_common:logging_lib", "//test/test_common:simulated_time_system_lib", @@ -36,7 +36,7 @@ envoy_cc_test( ], external_deps = ["ssl"], deps = [ - "//source/extensions/transport_sockets/tls/ocsp:asn1_utility_lib", - "//test/extensions/transport_sockets/tls:ssl_test_utils", + "//source/common/tls/ocsp:asn1_utility_lib", + "//test/common/tls:ssl_test_utils", ], ) diff --git a/test/extensions/transport_sockets/tls/ocsp/asn1_utility_test.cc b/test/common/tls/ocsp/asn1_utility_test.cc similarity index 99% rename from test/extensions/transport_sockets/tls/ocsp/asn1_utility_test.cc rename to test/common/tls/ocsp/asn1_utility_test.cc index a26da0956948..3d3cbcaed6a7 100644 
--- a/test/extensions/transport_sockets/tls/ocsp/asn1_utility_test.cc +++ b/test/common/tls/ocsp/asn1_utility_test.cc @@ -1,6 +1,6 @@ #include -#include "source/extensions/transport_sockets/tls/ocsp/asn1_utility.h" +#include "source/common/tls/ocsp/asn1_utility.h" #include "test/test_common/utility.h" diff --git a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc b/test/common/tls/ocsp/ocsp_test.cc similarity index 96% rename from test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc rename to test/common/tls/ocsp/ocsp_test.cc index fc52fd9571ce..51cc0a7aabe9 100644 --- a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc +++ b/test/common/tls/ocsp/ocsp_test.cc @@ -1,8 +1,8 @@ #include "source/common/filesystem/filesystem_impl.h" -#include "source/extensions/transport_sockets/tls/ocsp/ocsp.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/ocsp/ocsp.h" +#include "source/common/tls/utility.h" -#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" +#include "test/common/tls/ssl_test_utility.h" #include "test/test_common/environment.h" #include "test/test_common/logging.h" #include "test/test_common/simulated_time_system.h" @@ -25,8 +25,8 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility; class OcspFullResponseParsingTest : public testing::Test { public: std::string fullPath(std::string filename) { - return TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename); + return TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/ocsp/test_data/" + + filename); } std::vector readFile(std::string filename) { diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD b/test/common/tls/ocsp/test_data/BUILD similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/BUILD rename to test/common/tls/ocsp/test_data/BUILD 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/README.md b/test/common/tls/ocsp/test_data/README.md similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/README.md rename to test/common/tls/ocsp/test_data/README.md diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem b/test/common/tls/ocsp/test_data/ca_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem rename to test/common/tls/ocsp/test_data/ca_cert.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem b/test/common/tls/ocsp/test_data/ca_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem rename to test/common/tls/ocsp/test_data/ca_key.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh b/test/common/tls/ocsp/test_data/certs.sh similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh rename to test/common/tls/ocsp/test_data/certs.sh diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem b/test/common/tls/ocsp/test_data/ecdsa_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem rename to test/common/tls/ocsp/test_data/ecdsa_cert.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem b/test/common/tls/ocsp/test_data/ecdsa_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem rename to test/common/tls/ocsp/test_data/ecdsa_key.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der b/test/common/tls/ocsp/test_data/ecdsa_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der rename to test/common/tls/ocsp/test_data/ecdsa_ocsp_req.der 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der b/test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der rename to test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem b/test/common/tls/ocsp/test_data/good_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem rename to test/common/tls/ocsp/test_data/good_cert.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem b/test/common/tls/ocsp/test_data/good_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem rename to test/common/tls/ocsp/test_data/good_key.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der b/test/common/tls/ocsp/test_data/good_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der rename to test/common/tls/ocsp/test_data/good_ocsp_req.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der b/test/common/tls/ocsp/test_data/good_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der rename to test/common/tls/ocsp/test_data/good_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt b/test/common/tls/ocsp/test_data/good_ocsp_resp_details.txt similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt rename to test/common/tls/ocsp/test_data/good_ocsp_resp_details.txt 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem b/test/common/tls/ocsp/test_data/intermediate_ca_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem rename to test/common/tls/ocsp/test_data/intermediate_ca_cert.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem b/test/common/tls/ocsp/test_data/intermediate_ca_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem rename to test/common/tls/ocsp/test_data/intermediate_ca_key.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der b/test/common/tls/ocsp/test_data/multiple_cert_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der rename to test/common/tls/ocsp/test_data/multiple_cert_ocsp_req.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der b/test/common/tls/ocsp/test_data/multiple_cert_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der rename to test/common/tls/ocsp/test_data/multiple_cert_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der b/test/common/tls/ocsp/test_data/responder_key_hash_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der rename to test/common/tls/ocsp/test_data/responder_key_hash_ocsp_req.der 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der b/test/common/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der rename to test/common/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem b/test/common/tls/ocsp/test_data/revoked_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem rename to test/common/tls/ocsp/test_data/revoked_cert.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem b/test/common/tls/ocsp/test_data/revoked_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem rename to test/common/tls/ocsp/test_data/revoked_key.pem diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der b/test/common/tls/ocsp/test_data/revoked_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der rename to test/common/tls/ocsp/test_data/revoked_ocsp_req.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der b/test/common/tls/ocsp/test_data/revoked_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der rename to test/common/tls/ocsp/test_data/revoked_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der b/test/common/tls/ocsp/test_data/unknown_ocsp_req.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der rename to test/common/tls/ocsp/test_data/unknown_ocsp_req.der 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der b/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der similarity index 100% rename from test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der rename to test/common/tls/ocsp/test_data/unknown_ocsp_resp.der diff --git a/test/extensions/transport_sockets/tls/ssl_certs_test.h b/test/common/tls/ssl_certs_test.h similarity index 100% rename from test/extensions/transport_sockets/tls/ssl_certs_test.h rename to test/common/tls/ssl_certs_test.h diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/common/tls/ssl_socket_test.cc similarity index 78% rename from test/extensions/transport_sockets/tls/ssl_socket_test.cc rename to test/common/tls/ssl_socket_test.cc index ff73e213ff7e..b72f7ad6596b 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/common/tls/ssl_socket_test.cc 
@@ -17,29 +17,29 @@ #include "source/common/network/transport_socket_options_impl.h" #include "source/common/network/utility.h" #include "source/common/stream_info/stream_info_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" -#include "source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" - -#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h" -#include "test/extensions/transport_sockets/tls/ssl_certs_test.h" -#include "test/extensions/transport_sockets/tls/test_data/ca_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/extensions_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/password_protected_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns4_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_uri_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_private_key_method_provider.h" +#include 
"source/common/tls/context_config_impl.h" +#include "source/common/tls/context_impl.h" +#include "source/common/tls/private_key/private_key_manager_impl.h" +#include "source/common/tls/ssl_socket.h" + +#include "test/common/tls/cert_validator/timed_cert_validator.h" +#include "test/common/tls/ssl_certs_test.h" +#include "test/common/tls/test_data/ca_cert_info.h" +#include "test/common/tls/test_data/extensions_cert_info.h" +#include "test/common/tls/test_data/no_san_cert_info.h" +#include "test/common/tls/test_data/password_protected_cert_info.h" +#include "test/common/tls/test_data/san_dns2_cert_info.h" +#include "test/common/tls/test_data/san_dns3_cert_info.h" +#include "test/common/tls/test_data/san_dns4_cert_info.h" +#include "test/common/tls/test_data/san_dns_cert_info.h" +#include "test/common/tls/test_data/san_dns_ecdsa_1_cert_info.h" +#include "test/common/tls/test_data/san_dns_rsa_1_cert_info.h" +#include "test/common/tls/test_data/san_dns_rsa_2_cert_info.h" +#include "test/common/tls/test_data/san_multiple_dns_1_cert_info.h" +#include "test/common/tls/test_data/san_multiple_dns_cert_info.h" +#include "test/common/tls/test_data/san_uri_cert_info.h" +#include "test/common/tls/test_data/selfsigned_ecdsa_p256_cert_info.h" +#include "test/common/tls/test_private_key_method_provider.h" #include "test/mocks/buffer/mocks.h" #include "test/mocks/init/mocks.h" #include "test/mocks/local_info/mocks.h" 
@@ -923,10 +923,10 @@ void configureServerAndExpiredClientCertificate( envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = @@ -935,8 +935,8 @@ void configureServerAndExpiredClientCertificate( server_validation_ctx->mutable_trusted_ca()->set_filename( TestEnvironment::substitute(server_config.trusted_ca.value())); } else { - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); } if (server_config.allow_expired_cert.has_value()) { server_validation_ctx->set_allow_expired_certificate(server_config.allow_expired_cert.value()); 
@@ -948,11 +948,11 @@ void configureServerAndExpiredClientCertificate( envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/expired_san_uri_cert.pem")); client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem")); + "{{ test_rundir }}/test/common/tls/test_data/expired_san_uri_key.pem")); } TestUtilOptionsV2 createProtocolTestOptions( @@ -1005,12 +1005,12 @@ TEST_P(SslSocketTest, ServerTransportSocketOptions) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; ; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; 
@@ -1032,21 +1032,21 @@ TEST_P(SslSocketTest, GetCertDigest) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); @@ -1065,12 +1065,12 @@ TEST_P(SslSocketTest, GetCertDigestInvalidFiles) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1086,24 +1086,23 @@ TEST_P(SslSocketTest, GetCertDigestInline) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem. + // From test/common/tls/test_data/san_dns_cert.pem. server_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_dns_key.pem. - server_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"))); + // From test/common/tls/test_data/san_dns_key.pem. + server_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"))); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - // From test/extensions/transport_sockets/tls/test_data/ca_certificates.pem. + // From test/common/tls/test_data/ca_certificates.pem. server_validation_ctx->mutable_trusted_ca()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/ca_certificates.pem"))); updateFilterChain(tls_context, *filter_chain); 
@@ -1111,15 +1110,14 @@ TEST_P(SslSocketTest, GetCertDigestInline) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client_ctx.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem. + // From test/common/tls/test_data/san_uri_cert.pem. client_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_uri_key.pem. - client_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem"))); + // From test/common/tls/test_data/san_uri_key.pem. + client_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem"))); TestUtilOptionsV2 test_options(listener, client_ctx, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -1133,24 +1131,23 @@ TEST_P(SslSocketTest, GetCertDigestInlineWithIpSanClientCerts) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem. + // From test/common/tls/test_data/san_dns_cert.pem. server_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_dns_key.pem. - server_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"))); + // From test/common/tls/test_data/san_dns_key.pem. + server_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"))); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - // From test/extensions/transport_sockets/tls/test_data/ca_certificates.pem. + // From test/common/tls/test_data/ca_certificates.pem. server_validation_ctx->mutable_trusted_ca()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/ca_certificates.pem"))); updateFilterChain(tls_context, *filter_chain); 
@@ -1158,15 +1155,14 @@ TEST_P(SslSocketTest, GetCertDigestInlineWithIpSanClientCerts) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client_ctx.mutable_common_tls_context()->add_tls_certificates(); - // From test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem. + // From test/common/tls/test_data/san_ip_cert.pem. client_cert->mutable_certificate_chain()->set_inline_bytes( TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem"))); + "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem"))); - // From test/extensions/transport_sockets/tls/test_data/san_ip_key.pem. - client_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem"))); + // From test/common/tls/test_data/san_ip_key.pem. + client_cert->mutable_private_key()->set_inline_bytes(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_ip_key.pem"))); TestUtilOptionsV2 test_options(listener, client_ctx, true, version_); testUtilV2(test_options.setExpectedClientCertIpSans({"1.1.1.1"}) 
@@ -1178,21 +1174,21 @@ TEST_P(SslSocketTest, GetCertDigestServerCertWithIntermediateCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1206,21 +1202,21 @@ TEST_P(SslSocketTest, GetCertDigestServerCertWithoutCommonName) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_only_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_only_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_only_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1234,21 +1230,21 @@ TEST_P(SslSocketTest, GetUriWithUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - san_type: URI matcher: 
@@ -1317,21 +1313,21 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; // The SAN field only has DNS, expect "" for uriSanPeerCertificate(). @@ -1348,9 +1344,9 @@ TEST_P(SslSocketTest, NoCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1379,17 +1375,17 @@ TEST_P(SslSocketTest, MultiCertPreferEcdsaWithoutSni) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1414,17 +1410,17 @@ TEST_P(SslSocketTest, MultiCertPreferExactSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1451,13 +1447,13 @@ TEST_P(SslSocketTest, MultiCertPreferFirstCertWithSAN) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1483,13 +1479,13 @@ TEST_P(SslSocketTest, MultiCertPreferFirstCertWithSAN) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1516,13 +1512,13 @@ TEST_P(SslSocketTest, MultiCertWildcardSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); @@ -1548,13 +1544,13 @@ TEST_P(SslSocketTest, MultiCertWildcardSniMismatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1582,25 +1578,25 @@ TEST_P(SslSocketTest, MultiCertPreferEcdsaOnSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem" private_key: - filename: "{{ test_rundir 
}}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1625,21 +1621,21 @@ TEST_P(SslSocketTest, MultiCertPickRSAOnSniMatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1668,17 +1664,17 @@ TEST_P(SslSocketTest, MultiCertWithFullScanDisabledOnSniMismatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1709,17 +1705,17 @@ TEST_P(SslSocketTest, MultiCertPreferEcdsaWithFullScanEnabledOnSniMismatch) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1745,9 +1741,9 @@ TEST_P(SslSocketTest, CertWithNotECCapable) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, false, version_); @@ -1762,21 +1758,21 @@ TEST_P(SslSocketTest, GetUriWithLocalUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -1789,21 +1785,21 @@ TEST_P(SslSocketTest, GetSubjectsWithBothCerts) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; 
@@ -1822,28 +1818,27 @@ TEST_P(SslSocketTest, GetPeerCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); - std::string expected_peer_cert = - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); + std::string expected_peer_cert = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); testUtil(test_options.setExpectedSerialNumber(TEST_NO_SAN_CERT_SERIAL) .setExpectedPeerIssuer( "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US") 
@@ -1859,29 +1854,28 @@ TEST_P(SslSocketTest, GetPeerCertAcceptUntrusted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" trust_chain_verification: ACCEPT_UNTRUSTED require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); - std::string expected_peer_cert = - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); + std::string expected_peer_cert = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); testUtil(test_options.setExpectedSerialNumber(TEST_NO_SAN_CERT_SERIAL) .setExpectedPeerIssuer( "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US") 
@@ -1901,12 +1895,12 @@ TEST_P(SslSocketTest, NoCertUntrustedNotPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" trust_chain_verification: VERIFY_TRUST_CHAIN verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000" )EOF"; @@ -1924,12 +1918,12 @@ TEST_P(SslSocketTest, NoCertUntrustedPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" trust_chain_verification: ACCEPT_UNTRUSTED verify_certificate_hash: "0000000000000000000000000000000000000000000000000000000000000000" )EOF"; 
@@ -1945,29 +1939,28 @@ TEST_P(SslSocketTest, GetPeerCertChain) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); - std::string expected_peer_cert_chain = - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/no_san_chain.pem")); + std::string expected_peer_cert_chain = TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/no_san_chain.pem")); testUtil(test_options.setExpectedSerialNumber(TEST_NO_SAN_CERT_SERIAL) .setExpectedPeerCertChain(expected_peer_cert_chain)); } 
@@ -1977,21 +1970,21 @@ TEST_P(SslSocketTest, GetIssueExpireTimesPeerCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -2009,12 +2002,12 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; @@ -2027,21 +2020,21 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, false, version_); 
@@ -2058,12 +2051,12 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - san_type: DNS matcher: @@ -2079,21 +2072,21 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - san_type: DNS matcher: 
@@ -2109,21 +2102,21 @@ TEST_P(SslSocketTest, X509ExtensionsCertificateSerialNumber) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_key.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/extensions_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; @@ -2197,7 +2190,7 @@ TEST_P(SslSocketTest, FailedClientCertAllowServerExpiredWrongCAVerification) { server_config.allow_expired_cert = true; // Fake CA is not used to sign the client's certificate. server_config.trusted_ca = "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"; + "}}/test/common/tls/test_data/fake_ca_cert.pem"; configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, version_); 
@@ -2210,21 +2203,21 @@ TEST_P(SslSocketTest, ClientCertificateHashVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2238,18 +2231,18 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2265,15 +2258,15 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); 
@@ -2282,10 +2275,10 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2302,10 +2295,10 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2317,10 +2310,10 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -2340,12 +2333,12 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoClientCertificate common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2362,9 +2355,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCANoClientCertifi common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -2378,21 +2371,21 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongClientCertific common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2405,18 +2398,18 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCAWrongClientCert common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2430,21 +2423,21 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; const std::string server_ctx_yaml = absl::StrCat(R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -2460,20 +2453,20 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem")); - server_cert->mutable_password()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_key.pem")); + server_cert->mutable_password()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); 
@@ -2482,16 +2475,15 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem")); - client_cert->mutable_password()->set_inline_string( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"))); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_key.pem")); + client_cert->mutable_password()->set_inline_string(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt"))); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2509,17 +2501,17 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12")); - server_cert->mutable_password()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); + server_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_certkey.p12")); + server_cert->mutable_password()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); 
@@ -2528,13 +2520,12 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithPassword) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12")); - client_cert->mutable_password()->set_inline_string( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt"))); + client_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_certkey.p12")); + client_cert->mutable_password()->set_inline_string(TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/password_protected_password.txt"))); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2552,14 +2543,14 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithoutPassword) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12")); + server_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_dns3_certkeychain.p12")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_DNS3_CERT_256_HASH); 
@@ -2568,9 +2559,9 @@ TEST_P(SslSocketTest, Pkcs12CertificatesWithoutPassword) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_pkcs12()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12")); + client_cert->mutable_pkcs12()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_dns3_certkeychain.p12")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedServerCertDigest(TEST_SAN_DNS3_CERT_256_HASH)); 
@@ -2587,16 +2578,16 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2604,10 +2595,10 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2624,10 +2615,10 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2638,10 +2629,10 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2658,15 +2649,15 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2687,10 +2678,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2715,15 +2706,15 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2731,10 +2722,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -2751,10 +2742,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2765,10 +2756,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -2785,15 +2776,15 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(tls_context, *filter_chain); 
@@ -2801,10 +2792,10 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedTransportFailureReasonContains("TLSV1_ALERT_UNKNOWN_CA")); 
@@ -2820,15 +2811,15 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); 
@@ -2838,10 +2829,10 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2858,10 +2849,10 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2874,10 +2865,10 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, true, version_); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -2894,15 +2885,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); 
@@ -2925,10 +2916,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -2954,15 +2945,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); 
@@ -2971,10 +2962,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -2991,10 +2982,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); 
@@ -3006,10 +2997,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -3026,15 +3017,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); 
@@ -3043,10 +3034,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); TestUtilOptionsV2 test_options(listener, client, false, version_); testUtilV2(test_options.setExpectedTransportFailureReasonContains("TLSV1_ALERT_UNKNOWN_CA")); @@ -3063,12 +3054,12 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; 
@@ -3122,12 +3113,12 @@ TEST_P(SslSocketTest, HalfClose) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; @@ -3207,12 +3198,12 @@ TEST_P(SslSocketTest, ShutdownWithCloseNotify) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; 
@@ -3298,12 +3289,12 @@ TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; @@ -3405,12 +3396,12 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_certificates.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; 
@@ -3433,9 +3424,9 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; @@ -3748,12 +3739,12 @@ TEST_P(SslSocketTest, TicketSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3772,12 +3763,12 @@ TEST_P(SslSocketTest, TicketSessionResumptionCustomTimeout) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" session_timeout: 2307s )EOF"; 
@@ -3794,24 +3785,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionWithClientCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml, {}, server_ctx_yaml, {}, client_ctx_yaml, true, 
@@ -3823,25 +3814,25 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3857,24 +3848,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3892,24 +3883,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerNames) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; std::vector server_names1 = {"server1.example.com"}; 
@@ -3928,16 +3919,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertHash) { const std::string server_ctx_yaml1 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: - ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -3945,16 +3936,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertHash) { const std::string server_ctx_yaml2 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_hash: - "0000000000000000000000000000000000000000000000000000000000000000" - ")EOF", @@ -3964,9 +3955,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertHash) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml1, {}, server_ctx_yaml1, {}, client_ctx_yaml, true, 
@@ -3981,16 +3972,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertSpki) { const std::string server_ctx_yaml1 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_spki: - ")EOF", TEST_SAN_URI_CERT_SPKI, "\""); 
@@ -3998,16 +3989,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertSpki) { const std::string server_ctx_yaml2 = absl::StrCat(R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" verify_certificate_spki: - "NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=" - ")EOF", @@ -4017,9 +4008,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentVerifyCertSpki) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml1, {}, server_ctx_yaml1, {}, client_ctx_yaml, true, 
@@ -4034,16 +4025,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentMatchSAN) { const std::string server_ctx_yaml1 = R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_subject_alt_names: - exact: "spiffe://lyft.com/test-team" )EOF"; 
@@ -4051,16 +4042,16 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentMatchSAN) { const std::string server_ctx_yaml2 = R"EOF( session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_subject_alt_names: - prefix: "spiffe://lyft.com/test-team" ")EOF"; @@ -4069,9 +4060,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentMatchSAN) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" )EOF"; testTicketSessionResumption(server_ctx_yaml1, {}, server_ctx_yaml1, {}, client_ctx_yaml, true, 
@@ -4087,24 +4078,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4122,24 +4113,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerCertIntermediateCA) common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4157,24 +4148,24 @@ TEST_P(SslSocketTest, TicketSessionResumptionDifferentServerCertDifferentSAN) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string server_ctx_yaml2 = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_key.pem" session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4190,9 +4181,9 @@ TEST_P(SslSocketTest, SessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true disable_stateful_session_resumption: true )EOF"; @@ -4209,9 +4200,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; @@ -4227,9 +4218,9 @@ TEST_P(SslSocketTest, StatefulSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateful_session_resumption: true )EOF"; 
@@ -4245,9 +4236,9 @@ TEST_P(SslSocketTest, SessionResumptionEnabledExplicitly) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false disable_stateful_session_resumption: false )EOF"; @@ -4264,9 +4255,9 @@ TEST_P(SslSocketTest, SessionResumptionEnabledByDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4283,12 +4274,12 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" require_client_certificate: true )EOF"; 
@@ -4296,16 +4287,16 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" require_client_certificate: true session_ticket_keys: keys: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" + filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context1; @@ -4336,9 +4327,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; 
@@ -4581,9 +4572,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4602,9 +4593,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4624,9 +4615,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -4649,9 +4640,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4674,9 +4665,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -4695,12 +4686,12 @@ TEST_P(SslSocketTest, SslError) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem" verify_certificate_hash: "7B:0C:3F:0D:97:0E:FC:16:70:11:7A:0C:35:75:54:6B:17:AB:CF:20:D8:AA:A0:ED:87:08:0F:FB:60:4C:40:77" )EOF"; 
@@ -4755,10 +4746,10 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = tls_context.mutable_common_tls_context()->mutable_tls_params(); 
@@ -4961,10 +4952,10 @@ TEST_P(SslSocketTest, ALPN) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = tls_context.mutable_common_tls_context(); updateFilterChain(tls_context, *filter_chain); 
@@ -5039,10 +5030,10 @@ TEST_P(SslSocketTest, CipherSuites) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5115,10 +5106,10 @@ TEST_P(SslSocketTest, EcdhCurves) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = tls_context.mutable_common_tls_context()->mutable_tls_params(); updateFilterChain(tls_context, *filter_chain); 
@@ -5184,27 +5175,27 @@ TEST_P(SslSocketTest, SignatureAlgorithms) { server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); // Server ECDSA certificate. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Client RSA certificate. 
envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); - client_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); - client_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem")); + client_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); + client_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem")); // Connection using defaults (client & server) succeeds. TestUtilOptionsV2 algorithm_test_options(listener, client, true, version_); @@ -5228,12 +5219,12 @@ TEST_P(SslSocketTest, SetSignatureAlgorithms) { - ecdsa_secp256r1_sha256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; 
@@ -5261,9 +5252,9 @@ TEST_P(SslSocketTest, SetSignatureAlgorithms) { - ecdsa_secp256r1_sha256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; @@ -5342,9 +5333,9 @@ TEST_P(SslSocketTest, SetSignatureAlgorithmsFailure) { - invalid_sigalg_name tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -5365,14 +5356,14 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; // This should fail, since the certificate has been revoked. @@ -5380,9 +5371,9 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; TestUtilOptions revoked_test_options(revoked_client_ctx_yaml, server_ctx_yaml, false, version_); 
@@ -5394,9 +5385,9 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" )EOF"; TestUtilOptions successful_test_options(successful_client_ctx_yaml, server_ctx_yaml, true, @@ -5410,12 +5401,12 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem" )EOF"; // This should fail, since the certificate has been revoked. @@ -5423,9 +5414,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; TestUtilOptions revoked_test_options(revoked_client_ctx_yaml, server_ctx_yaml, false, version_); 
@@ -5437,9 +5428,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns2_key.pem" )EOF"; TestUtilOptions successful_test_options(successful_client_ctx_yaml, server_ctx_yaml, true, version_); @@ -5461,14 +5452,14 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain.crl" )EOF"; // This should fail, since the crl chain is incomplete. 
@@ -5486,14 +5477,14 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert.crl" )EOF"; // This should fail, since the certificate has been revoked. @@ -5501,9 +5492,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" )EOF"; // This should succeed, since the certificate has not been revoked. 
@@ -5511,9 +5502,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_key.pem" )EOF"; // Ensure that incomplete crl chains fail with revoked certificates. @@ -5553,12 +5544,12 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem" )EOF"; // This should fail, since the crl chain is incomplete. 
@@ -5574,12 +5565,12 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" )EOF"; // This should fail, since the certificate has been revoked. @@ -5587,9 +5578,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" )EOF"; // This should succeed, since the certificate has not been revoked. @@ -5597,9 +5588,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_key.pem" )EOF"; // Ensure that incomplete crl chains fail with revoked certificates. 
@@ -5641,12 +5632,12 @@ TEST_P(SslSocketTest, NotRevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" only_verify_leaf_cert_crl: true )EOF"; @@ -5655,9 +5646,9 @@ TEST_P(SslSocketTest, NotRevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns4_key.pem" )EOF"; TestUtilOptions complete_unrevoked_test_options(unrevoked_client_ctx_yaml, 
@@ -5680,12 +5671,12 @@ TEST_P(SslSocketTest, RevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" only_verify_leaf_cert_crl: true )EOF"; @@ -5694,9 +5685,9 @@ TEST_P(SslSocketTest, RevokedLeafCertificateOnlyLeafCRLValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" )EOF"; TestUtilOptions complete_revoked_test_options(revoked_client_ctx_yaml, incomplete_server_ctx_yaml, 
@@ -5712,10 +5703,10 @@ TEST_P(SslSocketTest, GetRequestedServerName) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5731,10 +5722,10 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5754,10 +5745,10 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -5776,10 +5767,10 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, true, version_); 
@@ -6107,21 +6098,21 @@ class SslReadBufferLimitTest : public SslSocketTest { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; const std::string client_ctx_yaml_ = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" )EOF"; NiceMock runtime_; 
@@ -6260,21 +6251,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6297,21 +6288,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: false mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6331,21 +6322,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6368,21 +6359,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncDecryptSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6405,15 +6396,15 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderFallbackSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: true mode: rsa @@ -6421,9 +6412,9 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderFallbackSuccess) { fallback: true validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string successful_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6443,22 +6434,22 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false crypto_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6478,22 +6469,22 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true crypto_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6513,21 +6504,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6550,21 +6541,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderDecryptFailure) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6584,21 +6575,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign async_method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6622,21 +6613,21 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptCompleteFailure) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: decrypt async_method_error: true mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" )EOF"; const std::string failing_client_ctx_yaml = R"EOF( common_tls_context: 
@@ -6672,20 +6663,20 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -6712,24 +6703,24 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertFail) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign sync_mode: false mode: rsa
@@ -6757,13 +6748,13 @@ TEST_P(SslSocketTest, EcdsaPrivateKeyProviderSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign mode: ecdsa )EOF";
@@ -6792,25 +6783,25 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false async_method_error: true mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign mode: ecdsa )EOF"; 
@@ -6836,24 +6827,24 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertFail) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" expected_operation: sign async_method_error: true mode: ecdsa 
@@ -6870,31 +6861,31 @@ TEST_P(SslSocketTest, PrivateKeyProviderWithCertValidation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + private_key_file: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" expected_operation: sign sync_mode: false mode: rsa validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); 
@@ -6912,11 +6903,11 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF";
@@ -6929,7 +6920,7 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_); std::string ocsp_response_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; + "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path));
@@ -6946,11 +6937,11 @@ TEST_P(SslSocketTest, TestNoOcspStapleWhenNotEnabledOnClient) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF";
@@ -6972,11 +6963,11 @@ TEST_P(SslSocketTest, TestOcspStapleOmittedOnSkipStaplingAndResponseExpired) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF";
@@ -6998,11 +6989,11 @@ TEST_P(SslSocketTest, TestConnectionFailsOnStapleRequiredAndOcspExpired) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF";
@@ -7024,9 +7015,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsWhenRejectOnExpiredNoOcspResponse) { - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: strict_stapling )EOF";
@@ -7048,11 +7039,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenRejectOnExpiredAndResponseExpired) - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: strict_stapling )EOF";
@@ -7075,11 +7066,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired) - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF";
@@ -7102,17 +7093,17 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF";
@@ -7125,7 +7116,7 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) )EOF"; std::string ocsp_response_path = - "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; + "{{ test_rundir }}/test/common/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_);
@@ -7142,17 +7133,17 @@ TEST_P(SslSocketTest, TestConnectionFailsOnMultipleCertificatesNonePassOcspPolic - TLS_RSA_WITH_AES_128_GCM_SHA256 tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/revoked_ocsp_resp.der" - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/common/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF";
@@ -7178,9 +7169,9 @@ TEST_P(SslSocketTest, Sni) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_);
@@ -7192,12 +7183,12 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorSucceeds) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" custom_validator_config: name: "envoy.tls.cert_validator.timed_cert_validator" sni: "example.com"
@@ -7207,12 +7198,12 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorSucceeds) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_chain.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" custom_validator_config: name: "envoy.tls.cert_validator.timed_cert_validator" )EOF";
@@ -7235,14 +7226,14 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorFails) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" crl: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.crl" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.crl" custom_validator_config: name: "envoy.tls.cert_validator.timed_cert_validator" )EOF";
@@ -7252,9 +7243,9 @@ TEST_P(SslSocketTest, AsyncCustomCertValidatorFails) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem" )EOF"; auto* cert_validator_factory = Registry::FactoryRegistry::getFactory( "envoy.tls.cert_validator.timed_cert_validator");
@@ -7275,12 +7266,12 @@ TEST_P(SslSocketTest, RsaKeyUsageVerificationEnforcementOff) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = server_tls_context.mutable_common_tls_context()->add_tls_certificates(); // Bad server certificate to cause the mismatch between TLS usage and key usage. - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_key.pem")); updateFilterChain(server_tls_context, *filter_chain); 
@@ -7305,12 +7296,12 @@ TEST_P(SslSocketTest, RsaKeyUsageVerificationEnforcementOn) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = server_tls_context.mutable_common_tls_context()->add_tls_certificates(); // Bad server certificate to cause the mismatch between TLS usage and key usage. - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem")); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem")); + server_cert->mutable_certificate_chain()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_cert.pem")); + server_cert->mutable_private_key()->set_filename( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/bad_rsa_key_usage_key.pem")); updateFilterChain(server_tls_context, *filter_chain);
diff --git a/test/extensions/transport_sockets/tls/ssl_test_utility.h b/test/common/tls/ssl_test_utility.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/ssl_test_utility.h
rename to test/common/tls/ssl_test_utility.h
diff --git a/test/extensions/transport_sockets/tls/test_data/BUILD b/test/common/tls/test_data/BUILD
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/BUILD
rename to test/common/tls/test_data/BUILD
diff --git a/test/extensions/transport_sockets/tls/test_data/README.md b/test/common/tls/test_data/README.md
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/README.md
rename to test/common/tls/test_data/README.md
diff --git a/test/extensions/transport_sockets/tls/test_data/aes_128_key b/test/common/tls/test_data/aes_128_key
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/aes_128_key
rename to test/common/tls/test_data/aes_128_key
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.cfg b/test/common/tls/test_data/bad_rsa_key_usage_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.cfg
rename to test/common/tls/test_data/bad_rsa_key_usage_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem b/test/common/tls/test_data/bad_rsa_key_usage_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert.pem
rename to test/common/tls/test_data/bad_rsa_key_usage_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert_info.h b/test/common/tls/test_data/bad_rsa_key_usage_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_cert_info.h
rename to test/common/tls/test_data/bad_rsa_key_usage_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem b/test/common/tls/test_data/bad_rsa_key_usage_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/bad_rsa_key_usage_key.pem
rename to test/common/tls/test_data/bad_rsa_key_usage_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert.cfg b/test/common/tls/test_data/ca_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert.cfg
rename to test/common/tls/test_data/ca_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert.crl b/test/common/tls/test_data/ca_cert.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert.crl
rename to test/common/tls/test_data/ca_cert.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert.pem b/test/common/tls/test_data/ca_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert.pem
rename to test/common/tls/test_data/ca_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert_info.h b/test/common/tls/test_data/ca_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert_info.h
rename to test/common/tls/test_data/ca_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem b/test/common/tls/test_data/ca_cert_with_crl.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem
rename to test/common/tls/test_data/ca_cert_with_crl.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem b/test/common/tls/test_data/ca_certificates.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_certificates.pem
rename to test/common/tls/test_data/ca_certificates.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ca_key.pem b/test/common/tls/test_data/ca_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ca_key.pem
rename to test/common/tls/test_data/ca_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/common/tls/test_data/certs.sh
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/certs.sh
rename to test/common/tls/test_data/certs.sh
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_cert.pem b/test/common/tls/test_data/expired_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_cert.pem
rename to test/common/tls/test_data/expired_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_cert_info.h b/test/common/tls/test_data/expired_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_cert_info.h
rename to test/common/tls/test_data/expired_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_key.pem b/test/common/tls/test_data/expired_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_key.pem
rename to test/common/tls/test_data/expired_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert.pem b/test/common/tls/test_data/expired_san_uri_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert.pem
rename to test/common/tls/test_data/expired_san_uri_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert_info.h b/test/common/tls/test_data/expired_san_uri_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_san_uri_cert_info.h
rename to test/common/tls/test_data/expired_san_uri_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem b/test/common/tls/test_data/expired_san_uri_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem
rename to test/common/tls/test_data/expired_san_uri_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem b/test/common/tls/test_data/expired_spiffe_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem
rename to test/common/tls/test_data/expired_spiffe_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_info.h b/test/common/tls/test_data/expired_spiffe_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_info.h
rename to test/common/tls/test_data/expired_spiffe_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_key.pem b/test/common/tls/test_data/expired_spiffe_san_cert_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert_key.pem
rename to test/common/tls/test_data/expired_spiffe_san_cert_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_key.pem b/test/common/tls/test_data/expired_spiffe_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_key.pem
rename to test/common/tls/test_data/expired_spiffe_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_cert.cfg b/test/common/tls/test_data/extensions_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_cert.cfg
rename to test/common/tls/test_data/extensions_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem b/test/common/tls/test_data/extensions_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_cert.pem
rename to test/common/tls/test_data/extensions_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_cert_info.h b/test/common/tls/test_data/extensions_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_cert_info.h
rename to test/common/tls/test_data/extensions_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/extensions_key.pem b/test/common/tls/test_data/extensions_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/extensions_key.pem
rename to test/common/tls/test_data/extensions_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.cfg b/test/common/tls/test_data/fake_ca_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_cert.cfg
rename to test/common/tls/test_data/fake_ca_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem b/test/common/tls/test_data/fake_ca_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem
rename to test/common/tls/test_data/fake_ca_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_cert_info.h b/test/common/tls/test_data/fake_ca_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_cert_info.h
rename to test/common/tls/test_data/fake_ca_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/fake_ca_key.pem b/test/common/tls/test_data/fake_ca_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/fake_ca_key.pem
rename to test/common/tls/test_data/fake_ca_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/i1_cert.cfg b/test/common/tls/test_data/i1_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i1_cert.cfg
rename to test/common/tls/test_data/i1_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/i2_cert.cfg b/test/common/tls/test_data/i2_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i2_cert.cfg
rename to test/common/tls/test_data/i2_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/i3_cert.cfg b/test/common/tls/test_data/i3_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i3_cert.cfg
rename to test/common/tls/test_data/i3_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/i4_cert.cfg b/test/common/tls/test_data/i4_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/i4_cert.cfg
rename to test/common/tls/test_data/i4_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.cfg b/test/common/tls/test_data/intermediate_ca_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.cfg
rename to test/common/tls/test_data/intermediate_ca_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.crl b/test/common/tls/test_data/intermediate_ca_cert.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.crl
rename to test/common/tls/test_data/intermediate_ca_cert.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem b/test/common/tls/test_data/intermediate_ca_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem
rename to test/common/tls/test_data/intermediate_ca_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.crl b/test/common/tls/test_data/intermediate_ca_cert_chain.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.crl
rename to test/common/tls/test_data/intermediate_ca_cert_chain.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem b/test/common/tls/test_data/intermediate_ca_cert_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem
rename to test/common/tls/test_data/intermediate_ca_cert_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem b/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem
rename to test/common/tls/test_data/intermediate_ca_cert_chain_with_crl.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem b/test/common/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem
rename to test/common/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_info.h b/test/common/tls/test_data/intermediate_ca_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_info.h
rename to test/common/tls/test_data/intermediate_ca_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/intermediate_ca_key.pem b/test/common/tls/test_data/intermediate_ca_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/intermediate_ca_key.pem
rename to test/common/tls/test_data/intermediate_ca_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg b/test/common/tls/test_data/keyusage_cert_sign_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg
rename to test/common/tls/test_data/keyusage_cert_sign_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem b/test/common/tls/test_data/keyusage_cert_sign_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
rename to test/common/tls/test_data/keyusage_cert_sign_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h b/test/common/tls/test_data/keyusage_cert_sign_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h
rename to test/common/tls/test_data/keyusage_cert_sign_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem b/test/common/tls/test_data/keyusage_cert_sign_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem
rename to test/common/tls/test_data/keyusage_cert_sign_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg b/test/common/tls/test_data/keyusage_crl_sign_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg
rename to test/common/tls/test_data/keyusage_crl_sign_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem b/test/common/tls/test_data/keyusage_crl_sign_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem
rename to test/common/tls/test_data/keyusage_crl_sign_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h b/test/common/tls/test_data/keyusage_crl_sign_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h
rename to test/common/tls/test_data/keyusage_crl_sign_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem b/test/common/tls/test_data/keyusage_crl_sign_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem
rename to test/common/tls/test_data/keyusage_crl_sign_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/long_validity_cert.pem b/test/common/tls/test_data/long_validity_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/long_validity_cert.pem
rename to test/common/tls/test_data/long_validity_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/long_validity_cert_info.h b/test/common/tls/test_data/long_validity_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/long_validity_cert_info.h
rename to test/common/tls/test_data/long_validity_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/long_validity_key.pem b/test/common/tls/test_data/long_validity_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/long_validity_key.pem
rename to test/common/tls/test_data/long_validity_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cert.cfg b/test/common/tls/test_data/no_san_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cert.cfg
rename to test/common/tls/test_data/no_san_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem b/test/common/tls/test_data/no_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cert.pem
rename to test/common/tls/test_data/no_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h b/test/common/tls/test_data/no_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h
rename to test/common/tls/test_data/no_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_chain.pem b/test/common/tls/test_data/no_san_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_chain.pem
rename to test/common/tls/test_data/no_san_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.cfg b/test/common/tls/test_data/no_san_cn_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.cfg
rename to test/common/tls/test_data/no_san_cn_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.pem b/test/common/tls/test_data/no_san_cn_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_cert.pem
rename to test/common/tls/test_data/no_san_cn_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_cert_info.h b/test/common/tls/test_data/no_san_cn_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_cert_info.h
rename to test/common/tls/test_data/no_san_cn_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_cn_key.pem b/test/common/tls/test_data/no_san_cn_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_cn_key.pem
rename to test/common/tls/test_data/no_san_cn_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_san_key.pem b/test/common/tls/test_data/no_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_san_key.pem
rename to test/common/tls/test_data/no_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_cert.cfg b/test/common/tls/test_data/no_subject_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_cert.cfg
rename to test/common/tls/test_data/no_subject_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_cert.pem b/test/common/tls/test_data/no_subject_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_cert.pem
rename to test/common/tls/test_data/no_subject_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_cert_info.h b/test/common/tls/test_data/no_subject_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_cert_info.h
rename to test/common/tls/test_data/no_subject_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/no_subject_key.pem b/test/common/tls/test_data/no_subject_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/no_subject_key.pem
rename to test/common/tls/test_data/no_subject_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg b/test/common/tls/test_data/non_spiffe_san_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg
rename to test/common/tls/test_data/non_spiffe_san_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem b/test/common/tls/test_data/non_spiffe_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem
rename to test/common/tls/test_data/non_spiffe_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h b/test/common/tls/test_data/non_spiffe_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h
rename to test/common/tls/test_data/non_spiffe_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem b/test/common/tls/test_data/non_spiffe_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem
rename to test/common/tls/test_data/non_spiffe_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/not_a_crl.crl b/test/common/tls/test_data/not_a_crl.crl
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/not_a_crl.crl
rename to test/common/tls/test_data/not_a_crl.crl
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem b/test/common/tls/test_data/password_protected_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem
rename to test/common/tls/test_data/password_protected_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_cert_info.h b/test/common/tls/test_data/password_protected_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_cert_info.h
rename to test/common/tls/test_data/password_protected_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12 b/test/common/tls/test_data/password_protected_certkey.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_certkey.p12
rename to test/common/tls/test_data/password_protected_certkey.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_key.pem b/test/common/tls/test_data/password_protected_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_key.pem
rename to test/common/tls/test_data/password_protected_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt b/test/common/tls/test_data/password_protected_password.txt
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/password_protected_password.txt
rename to test/common/tls/test_data/password_protected_password.txt
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem b/test/common/tls/test_data/san_dns2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns2_cert.pem
rename to test/common/tls/test_data/san_dns2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h b/test/common/tls/test_data/san_dns2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns2_cert_info.h
rename to test/common/tls/test_data/san_dns2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem b/test/common/tls/test_data/san_dns2_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem
rename to test/common/tls/test_data/san_dns2_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem b/test/common/tls/test_data/san_dns3_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_cert.pem
rename to test/common/tls/test_data/san_dns3_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h b/test/common/tls/test_data/san_dns3_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h
rename to test/common/tls/test_data/san_dns3_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12 b/test/common/tls/test_data/san_dns3_certkeychain.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_certkeychain.p12
rename to test/common/tls/test_data/san_dns3_certkeychain.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem b/test/common/tls/test_data/san_dns3_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_chain.pem
rename to test/common/tls/test_data/san_dns3_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem b/test/common/tls/test_data/san_dns3_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns3_key.pem
rename to test/common/tls/test_data/san_dns3_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem b/test/common/tls/test_data/san_dns4_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns4_cert.pem
rename to test/common/tls/test_data/san_dns4_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns4_cert_info.h b/test/common/tls/test_data/san_dns4_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns4_cert_info.h
rename to test/common/tls/test_data/san_dns4_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem b/test/common/tls/test_data/san_dns4_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns4_key.pem
rename to test/common/tls/test_data/san_dns4_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_cert.cfg b/test/common/tls/test_data/san_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_cert.cfg
rename to test/common/tls/test_data/san_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem b/test/common/tls/test_data/san_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem
rename to test/common/tls/test_data/san_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h b/test/common/tls/test_data/san_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h
rename to test/common/tls/test_data/san_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem b/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert.pem
rename to test/common/tls/test_data/san_dns_ecdsa_1_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert_info.h b/test/common/tls/test_data/san_dns_ecdsa_1_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_cert_info.h
rename to test/common/tls/test_data/san_dns_ecdsa_1_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem b/test/common/tls/test_data/san_dns_ecdsa_1_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_1_key.pem
rename to test/common/tls/test_data/san_dns_ecdsa_1_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem b/test/common/tls/test_data/san_dns_ecdsa_2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert.pem
rename to test/common/tls/test_data/san_dns_ecdsa_2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert_info.h b/test/common/tls/test_data/san_dns_ecdsa_2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_cert_info.h
rename to test/common/tls/test_data/san_dns_ecdsa_2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem b/test/common/tls/test_data/san_dns_ecdsa_2_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_ecdsa_2_key.pem
rename to test/common/tls/test_data/san_dns_ecdsa_2_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem b/test/common/tls/test_data/san_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_key.pem
rename to test/common/tls/test_data/san_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem b/test/common/tls/test_data/san_dns_rsa_1_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert.pem
rename to test/common/tls/test_data/san_dns_rsa_1_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_info.h b/test/common/tls/test_data/san_dns_rsa_1_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_info.h
rename to test/common/tls/test_data/san_dns_rsa_1_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_key.pem b/test/common/tls/test_data/san_dns_rsa_1_cert_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_cert_key.pem
rename to test/common/tls/test_data/san_dns_rsa_1_cert_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem b/test/common/tls/test_data/san_dns_rsa_1_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_1_key.pem
rename to test/common/tls/test_data/san_dns_rsa_1_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem b/test/common/tls/test_data/san_dns_rsa_2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert.pem
rename to test/common/tls/test_data/san_dns_rsa_2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert_info.h b/test/common/tls/test_data/san_dns_rsa_2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_cert_info.h
rename to test/common/tls/test_data/san_dns_rsa_2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem b/test/common/tls/test_data/san_dns_rsa_2_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_rsa_2_key.pem
rename to test/common/tls/test_data/san_dns_rsa_2_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_server1_cert.cfg b/test/common/tls/test_data/san_dns_server1_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_server1_cert.cfg
rename to test/common/tls/test_data/san_dns_server1_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_dns_server2_cert.cfg b/test/common/tls/test_data/san_dns_server2_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_dns_server2_cert.cfg
rename to test/common/tls/test_data/san_dns_server2_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_cert.cfg b/test/common/tls/test_data/san_ip_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_cert.cfg
rename to test/common/tls/test_data/san_ip_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem b/test/common/tls/test_data/san_ip_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_cert.pem
rename to test/common/tls/test_data/san_ip_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h b/test/common/tls/test_data/san_ip_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h
rename to test/common/tls/test_data/san_ip_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem b/test/common/tls/test_data/san_ip_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_chain.pem
rename to test/common/tls/test_data/san_ip_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_ip_key.pem b/test/common/tls/test_data/san_ip_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_ip_key.pem
rename to test/common/tls/test_data/san_ip_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.cfg b/test/common/tls/test_data/san_multiple_dns_1_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.cfg
rename to test/common/tls/test_data/san_multiple_dns_1_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem b/test/common/tls/test_data/san_multiple_dns_1_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert.pem
rename to test/common/tls/test_data/san_multiple_dns_1_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert_info.h b/test/common/tls/test_data/san_multiple_dns_1_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_cert_info.h
rename to test/common/tls/test_data/san_multiple_dns_1_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem b/test/common/tls/test_data/san_multiple_dns_1_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_1_key.pem
rename to test/common/tls/test_data/san_multiple_dns_1_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.cfg b/test/common/tls/test_data/san_multiple_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.cfg
rename to test/common/tls/test_data/san_multiple_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem b/test/common/tls/test_data/san_multiple_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem
rename to test/common/tls/test_data/san_multiple_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert_info.h b/test/common/tls/test_data/san_multiple_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert_info.h
rename to test/common/tls/test_data/san_multiple_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem b/test/common/tls/test_data/san_multiple_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_multiple_dns_key.pem
rename to test/common/tls/test_data/san_multiple_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.cfg b/test/common/tls/test_data/san_only_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.cfg
rename to test/common/tls/test_data/san_only_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.pem b/test/common/tls/test_data/san_only_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_cert.pem
rename to test/common/tls/test_data/san_only_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_cert_info.h b/test/common/tls/test_data/san_only_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_cert_info.h
rename to test/common/tls/test_data/san_only_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_only_dns_key.pem b/test/common/tls/test_data/san_only_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_only_dns_key.pem
rename to test/common/tls/test_data/san_only_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_cert.cfg b/test/common/tls/test_data/san_uri_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_cert.cfg
rename to test/common/tls/test_data/san_uri_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem b/test/common/tls/test_data/san_uri_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem
rename to test/common/tls/test_data/san_uri_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_cert_info.h b/test/common/tls/test_data/san_uri_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_cert_info.h
rename to test/common/tls/test_data/san_uri_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem b/test/common/tls/test_data/san_uri_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_uri_key.pem
rename to test/common/tls/test_data/san_uri_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.cfg b/test/common/tls/test_data/san_wildcard_dns_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.cfg
rename to test/common/tls/test_data/san_wildcard_dns_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.pem b/test/common/tls/test_data/san_wildcard_dns_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert.pem
rename to test/common/tls/test_data/san_wildcard_dns_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert_info.h b/test/common/tls/test_data/san_wildcard_dns_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_cert_info.h
rename to test/common/tls/test_data/san_wildcard_dns_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_key.pem b/test/common/tls/test_data/san_wildcard_dns_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/san_wildcard_dns_key.pem
rename to test/common/tls/test_data/san_wildcard_dns_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_cert.pem b/test/common/tls/test_data/selfsigned2_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_cert.pem
rename to test/common/tls/test_data/selfsigned2_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_cert_info.h b/test/common/tls/test_data/selfsigned2_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_cert_info.h
rename to test/common/tls/test_data/selfsigned2_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert.pem b/test/common/tls/test_data/selfsigned2_ecdsa_p256_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert.pem
rename to test/common/tls/test_data/selfsigned2_ecdsa_p256_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h b/test/common/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h
rename to test/common/tls/test_data/selfsigned2_ecdsa_p256_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.cfg b/test/common/tls/test_data/selfsigned_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_cert.cfg
rename to test/common/tls/test_data/selfsigned_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem b/test/common/tls/test_data/selfsigned_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem
rename to test/common/tls/test_data/selfsigned_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_cert_info.h b/test/common/tls/test_data/selfsigned_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_cert_info.h
rename to test/common/tls/test_data/selfsigned_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem b/test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p256_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert_info.h b/test/common/tls/test_data/selfsigned_ecdsa_p256_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert_info.h
rename to test/common/tls/test_data/selfsigned_ecdsa_p256_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem b/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert.pem b/test/common/tls/test_data/selfsigned_ecdsa_p384_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert_info.h b/test/common/tls/test_data/selfsigned_ecdsa_p384_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_cert_info.h
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_certkey.p12 b/test/common/tls/test_data/selfsigned_ecdsa_p384_certkey.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_certkey.p12
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_certkey.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_key.pem b/test/common/tls/test_data/selfsigned_ecdsa_p384_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p384_key.pem
rename to test/common/tls/test_data/selfsigned_ecdsa_p384_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem b/test/common/tls/test_data/selfsigned_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem
rename to test/common/tls/test_data/selfsigned_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert.pem b/test/common/tls/test_data/selfsigned_rsa_1024_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert.pem
rename to test/common/tls/test_data/selfsigned_rsa_1024_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert_info.h b/test/common/tls/test_data/selfsigned_rsa_1024_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_cert_info.h
rename to test/common/tls/test_data/selfsigned_rsa_1024_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_certkey.p12 b/test/common/tls/test_data/selfsigned_rsa_1024_certkey.p12
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_certkey.p12
rename to test/common/tls/test_data/selfsigned_rsa_1024_certkey.p12
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_key.pem b/test/common/tls/test_data/selfsigned_rsa_1024_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_1024_key.pem
rename to test/common/tls/test_data/selfsigned_rsa_1024_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert.pem b/test/common/tls/test_data/selfsigned_rsa_3072_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert.pem
rename to test/common/tls/test_data/selfsigned_rsa_3072_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert_info.h b/test/common/tls/test_data/selfsigned_rsa_3072_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_cert_info.h
rename to test/common/tls/test_data/selfsigned_rsa_3072_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_key.pem b/test/common/tls/test_data/selfsigned_rsa_3072_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_3072_key.pem
rename to test/common/tls/test_data/selfsigned_rsa_3072_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert.pem b/test/common/tls/test_data/selfsigned_rsa_4096_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert.pem
rename to test/common/tls/test_data/selfsigned_rsa_4096_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert_info.h b/test/common/tls/test_data/selfsigned_rsa_4096_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_cert_info.h
rename to test/common/tls/test_data/selfsigned_rsa_4096_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_key.pem b/test/common/tls/test_data/selfsigned_rsa_4096_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/selfsigned_rsa_4096_key.pem
rename to test/common/tls/test_data/selfsigned_rsa_4096_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg b/test/common/tls/test_data/spiffe_san_cert.cfg
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg
rename to test/common/tls/test_data/spiffe_san_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem b/test/common/tls/test_data/spiffe_san_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem
rename to test/common/tls/test_data/spiffe_san_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h b/test/common/tls/test_data/spiffe_san_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h
rename to test/common/tls/test_data/spiffe_san_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem b/test/common/tls/test_data/spiffe_san_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem
rename to test/common/tls/test_data/spiffe_san_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem b/test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
rename to test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h b/test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
rename to test/common/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_key.pem b/test/common/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
rename to test/common/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/test_long_cert_chain.pem b/test/common/tls/test_data/test_long_cert_chain.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/test_long_cert_chain.pem
rename to test/common/tls/test_data/test_long_cert_chain.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/test_random_cert.pem b/test/common/tls/test_data/test_random_cert.pem
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/test_random_cert.pem
rename to test/common/tls/test_data/test_random_cert.pem
diff --git a/test/extensions/transport_sockets/tls/test_data/ticket_key_a b/test/common/tls/test_data/ticket_key_a
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ticket_key_a
rename to test/common/tls/test_data/ticket_key_a
diff --git a/test/extensions/transport_sockets/tls/test_data/ticket_key_b b/test/common/tls/test_data/ticket_key_b
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ticket_key_b
rename to test/common/tls/test_data/ticket_key_b
diff --git a/test/extensions/transport_sockets/tls/test_data/ticket_key_wrong_len b/test/common/tls/test_data/ticket_key_wrong_len
similarity index 100%
rename from test/extensions/transport_sockets/tls/test_data/ticket_key_wrong_len
rename to test/common/tls/test_data/ticket_key_wrong_len
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg b/test/common/tls/test_data/unittest_cert.cfg similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg rename to test/common/tls/test_data/unittest_cert.cfg diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem b/test/common/tls/test_data/unittest_cert.pem similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_cert.pem rename to test/common/tls/test_data/unittest_cert.pem diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h b/test/common/tls/test_data/unittest_cert_info.h similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h rename to test/common/tls/test_data/unittest_cert_info.h diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_key.pem b/test/common/tls/test_data/unittest_key.pem similarity index 100% rename from test/extensions/transport_sockets/tls/test_data/unittest_key.pem rename to test/common/tls/test_data/unittest_key.pem diff --git a/test/extensions/transport_sockets/tls/test_private_key_method_provider.cc b/test/common/tls/test_private_key_method_provider.cc similarity index 99% rename from test/extensions/transport_sockets/tls/test_private_key_method_provider.cc rename to test/common/tls/test_private_key_method_provider.cc index 2145b173b75a..242e634f671e 100644 --- a/test/extensions/transport_sockets/tls/test_private_key_method_provider.cc +++ b/test/common/tls/test_private_key_method_provider.cc @@ -1,4 +1,4 @@ -#include "test/extensions/transport_sockets/tls/test_private_key_method_provider.h" +#include "test/common/tls/test_private_key_method_provider.h" #include 
diff --git a/test/extensions/transport_sockets/tls/test_private_key_method_provider.h b/test/common/tls/test_private_key_method_provider.h similarity index 100% rename from test/extensions/transport_sockets/tls/test_private_key_method_provider.h rename to test/common/tls/test_private_key_method_provider.h diff --git a/test/extensions/transport_sockets/tls/tls_throughput_benchmark.cc b/test/common/tls/tls_throughput_benchmark.cc similarity index 96% rename from test/extensions/transport_sockets/tls/tls_throughput_benchmark.cc rename to test/common/tls/tls_throughput_benchmark.cc index 690909fb9ac6..b2b67779ecd6 100644 --- a/test/extensions/transport_sockets/tls/tls_throughput_benchmark.cc +++ b/test/common/tls/tls_throughput_benchmark.cc @@ -75,10 +75,10 @@ static void testThroughput(benchmark::State& state) { bssl::UniquePtr server_ctx(SSL_CTX_new(TLS_method())); bssl::UniquePtr client_ctx(SSL_CTX_new(TLS_method())); - std::string cert_path = TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"); - std::string key_path = TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"); + std::string cert_path = + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem"); + std::string key_path = + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_key.pem"); auto err = SSL_CTX_use_certificate_file(server_ctx.get(), cert_path.c_str(), SSL_FILETYPE_PEM); drainErrorQueue(); RELEASE_ASSERT(err > 0, "SSL_CTX_use_certificate_file"); diff --git a/test/extensions/transport_sockets/tls/utility_test.cc b/test/common/tls/utility_test.cc similarity index 76% rename from test/extensions/transport_sockets/tls/utility_test.cc rename to test/common/tls/utility_test.cc index e2707bb40935..005ca1fe58ca 100644 --- a/test/extensions/transport_sockets/tls/utility_test.cc +++ b/test/common/tls/utility_test.cc 
@@ -3,11 +3,11 @@ #include #include "source/common/common/c_smart_ptr.h" -#include "source/extensions/transport_sockets/tls/utility.h" +#include "source/common/tls/utility.h" -#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" -#include "test/extensions/transport_sockets/tls/test_data/long_validity_cert_info.h" -#include "test/extensions/transport_sockets/tls/test_data/san_dns_cert_info.h" +#include "test/common/tls/ssl_test_utility.h" +#include "test/common/tls/test_data/long_validity_cert_info.h" +#include "test/common/tls/test_data/san_dns_cert_info.h" #include "test/test_common/environment.h" #include "test/test_common/simulated_time_system.h" #include "test/test_common/utility.h" 
@@ -59,65 +59,65 @@ TEST(UtilityTest, TestDnsNameMatching) { } TEST(UtilityTest, TestGetSubjectAlternateNamesWithDNS) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_DNS); EXPECT_EQ(1, subject_alt_names.size()); } TEST(UtilityTest, TestMultipleGetSubjectAlternateNamesWithDNS) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/san_multiple_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir " + "}}/test/common/tls/test_data/san_multiple_dns_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_DNS); EXPECT_EQ(2, subject_alt_names.size()); } TEST(UtilityTest, TestGetSubjectAlternateNamesWithUri) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_URI); EXPECT_EQ(1, subject_alt_names.size()); } TEST(UtilityTest, TestGetSubjectAlternateNamesWithEmail) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem")); const auto& subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_EMAIL); EXPECT_EQ(1, subject_alt_names.size()); EXPECT_EQ("envoy@example.com", subject_alt_names.front()); } 
TEST(UtilityTest, TestGetSubjectAlternateNamesWithNoSAN) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem")); const auto& uri_subject_alt_names = Utility::getSubjectAltNames(*cert, GEN_URI); EXPECT_EQ(0, uri_subject_alt_names.size()); } TEST(UtilityTest, TestGetSubject) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); EXPECT_EQ("CN=Test Server,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", Utility::getSubjectFromCertificate(*cert)); } TEST(UtilityTest, TestGetIssuer) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); EXPECT_EQ("CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", Utility::getIssuerFromCertificate(*cert)); } TEST(UtilityTest, TestGetSerialNumber) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); EXPECT_EQ(TEST_SAN_DNS_CERT_SERIAL, Utility::getSerialNumberFromCertificate(*cert)); } TEST(UtilityTest, TestDaysUntilExpiration) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir 
}}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); // Set a known date (2033-05-18 03:33:20 UTC) so that we get fixed output from this test. const time_t known_date_time = 2000000000; Event::SimulatedTimeSystem time_source; @@ -133,16 +133,16 @@ TEST(UtilityTest, TestDaysUntilExpirationWithNull) { } TEST(UtilityTest, TestValidFrom) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); const std::string formatted = TestUtility::formatTime(Utility::getValidFrom(*cert), "%b %e %H:%M:%S %Y GMT"); EXPECT_EQ(TEST_SAN_DNS_CERT_NOT_BEFORE, formatted); } TEST(UtilityTest, TestExpirationTime) { - bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + bssl::UniquePtr cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); const std::string formatted = TestUtility::formatTime(Utility::getExpirationTime(*cert), "%b %e %H:%M:%S %Y GMT"); EXPECT_EQ(TEST_SAN_DNS_CERT_NOT_AFTER, formatted); @@ -150,7 +150,7 @@ TEST(UtilityTest, TestExpirationTime) { TEST(UtilityTest, TestLongExpirationTime) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/long_validity_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/long_validity_cert.pem")); const std::string formatted = TestUtility::formatTime(Utility::getExpirationTime(*cert), "%b %e %H:%M:%S %Y GMT"); EXPECT_EQ(TEST_LONG_VALIDITY_CERT_NOT_AFTER, formatted); 
@@ -171,7 +171,7 @@ TEST(UtilityTest, GetLastCryptoError) { TEST(UtilityTest, TestGetCertificationExtensionValue) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem")); EXPECT_EQ("\xc\x9Something", Utility::getCertificateExtensionValue(*cert, "1.2.3.4.5.6.7.8")); EXPECT_EQ("\x30\x3\x1\x1\xFF", Utility::getCertificateExtensionValue(*cert, "1.2.3.4.5.6.7.9")); EXPECT_EQ("", Utility::getCertificateExtensionValue(*cert, "1.2.3.4.5.6.7.10")); @@ -198,8 +198,8 @@ TEST(UtilityTest, SslErrorDescriptionTest) { } TEST(UtilityTest, TestGetX509ErrorInfo) { - auto cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); + auto cert = readCertFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); X509StoreContextPtr store_ctx = X509_STORE_CTX_new(); X509StorePtr ssl_ctx = X509_STORE_new(); EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD index 6301b964332a..ba3f67aad44f 100644 --- a/test/common/upstream/BUILD +++ b/test/common/upstream/BUILD 
@@ -381,13 +381,13 @@ envoy_cc_test( name = "hds_test", srcs = ["hds_test.cc"], deps = [ + "//source/common/tls:context_lib", "//source/common/upstream:health_discovery_service_lib", "//source/common/upstream:transport_socket_match_lib", "//source/extensions/health_checkers/grpc:health_checker_lib", "//source/extensions/health_checkers/http:health_checker_lib", "//source/extensions/health_checkers/tcp:health_checker_lib", "//source/extensions/transport_sockets/raw_buffer:config", - "//source/extensions/transport_sockets/tls:context_lib", "//test/mocks/access_log:access_log_mocks", "//test/mocks/event:event_mocks", "//test/mocks/grpc:grpc_mocks", @@ -521,7 +521,7 @@ envoy_cc_test( envoy_cc_test( name = "upstream_impl_test", srcs = ["upstream_impl_test.cc"], - data = ["//test/extensions/transport_sockets/tls/test_data:certs"], + data = ["//test/common/tls/test_data:certs"], deps = [ ":utility_lib", ":test_local_address_selector", @@ -607,10 +607,10 @@ envoy_cc_test_library( "//source/common/network:utility_lib", "//source/common/protobuf:utility_lib", "//source/common/stats:stats_lib", + "//source/common/tls:context_lib", "//source/common/upstream:cluster_factory_lib", "//source/common/upstream:cluster_manager_lib", "//source/extensions/transport_sockets/raw_buffer:config", - "//source/extensions/transport_sockets/tls:context_lib", "//test/common/stats:stat_test_utility_lib", "//test/integration/clusters:custom_static_cluster", "//test/mocks/access_log:access_log_mocks", diff --git a/test/common/upstream/hds_test.cc b/test/common/upstream/hds_test.cc index e6430bdc9cba..82acb9d72e8d 100644 --- a/test/common/upstream/hds_test.cc +++ b/test/common/upstream/hds_test.cc 
@@ -7,11 +7,11 @@ #include "source/common/protobuf/protobuf.h" #include "source/common/singleton/manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "source/common/upstream/health_discovery_service.h" #include "source/common/upstream/transport_socket_match_impl.h" #include "source/extensions/health_checkers/common/health_checker_base_impl.h" #include "source/extensions/transport_sockets/raw_buffer/config.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" #include "test/mocks/access_log/mocks.h" #include "test/mocks/event/mocks.h" diff --git a/test/common/upstream/test_cluster_manager.h b/test/common/upstream/test_cluster_manager.h index 71f8629430f5..eb110f9d672e 100644 --- a/test/common/upstream/test_cluster_manager.h +++ b/test/common/upstream/test_cluster_manager.h @@ -19,9 +19,9 @@ #include "source/common/network/utility.h" #include "source/common/protobuf/utility.h" #include "source/common/singleton/manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "source/common/upstream/cluster_factory_impl.h" #include "source/common/upstream/cluster_manager_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" #include "test/common/stats/stat_test_utility.h" #include "test/common/upstream/utility.h" diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc index 1d13955a2ca8..eaf4416cb0f4 100644 --- a/test/common/upstream/upstream_impl_test.cc +++ b/test/common/upstream/upstream_impl_test.cc 
@@ -4865,12 +4865,12 @@ TEST_F(ClusterInfoImplTest, Http3) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -4946,12 +4946,12 @@ TEST_F(ClusterInfoImplTest, Http3WithHttp11WrappedSocket) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -5024,12 +5024,12 @@ TEST_F(ClusterInfoImplTest, Http3BadConfig) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -5073,12 +5073,12 @@ TEST_F(ClusterInfoImplTest, Http3Auto) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -5136,12 +5136,12 @@ TEST_F(ClusterInfoImplTest, UseDownstreamHttpProtocolWithoutDowngrade) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -5222,12 +5222,12 @@ TEST_F(ClusterInfoImplTest, Http2Auto) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost 
@@ -5320,12 +5320,12 @@ TEST_F(ClusterInfoImplTest, Http2AutoWithNonAlpnMatcher) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost @@ -5382,12 +5382,12 @@ TEST_F(ClusterInfoImplTest, Http2AutoWithNonAlpnMatcherAndValidationOff) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem" private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/san_uri_key.pem" validation_context: trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem" match_typed_subject_alt_names: - matcher: exact: localhost diff --git a/test/extensions/access_loggers/grpc/BUILD b/test/extensions/access_loggers/grpc/BUILD index caffcbb34d23..c755d069980b 100644 --- a/test/extensions/access_loggers/grpc/BUILD +++ b/test/extensions/access_loggers/grpc/BUILD 
@@ -131,6 +131,8 @@ envoy_extension_cc_test( "//source/common/buffer:zero_copy_input_stream_lib", "//source/common/grpc:codec_lib", "//source/common/grpc:common_lib", + "//source/common/tls:context_config_lib", + "//source/common/tls:context_lib", "//source/extensions/access_loggers/grpc:http_config", "//source/extensions/access_loggers/grpc:tcp_config", "//source/extensions/filters/listener/tls_inspector:config", @@ -138,8 +140,6 @@ envoy_extension_cc_test( "//source/extensions/filters/network/echo:config", "//source/extensions/filters/network/tcp_proxy:config", "//source/extensions/transport_sockets/tls:config", - "//source/extensions/transport_sockets/tls:context_config_lib", - "//source/extensions/transport_sockets/tls:context_lib", "//test/common/grpc:grpc_client_integration_lib", "//test/integration:http_integration_lib", "//test/test_common:utility_lib", diff --git a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc index 8c7c0de44c14..90d2e7acde2a 100644 --- a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc +++ b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc @@ -11,10 +11,10 @@ #include "source/common/buffer/zero_copy_input_stream_impl.h" #include "source/common/grpc/codec.h" #include "source/common/grpc/common.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "source/common/version/version.h" #include "source/extensions/filters/listener/tls_inspector/tls_inspector.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/integration/http_integration.h" 
diff --git a/test/extensions/clusters/dynamic_forward_proxy/BUILD b/test/extensions/clusters/dynamic_forward_proxy/BUILD index 1527806a0f0f..ea44e9c9c618 100644 --- a/test/extensions/clusters/dynamic_forward_proxy/BUILD +++ b/test/extensions/clusters/dynamic_forward_proxy/BUILD @@ -14,7 +14,7 @@ envoy_package() envoy_extension_cc_test( name = "cluster_test", srcs = ["cluster_test.cc"], - data = ["//test/extensions/transport_sockets/tls/test_data:certs"], + data = ["//test/common/tls/test_data:certs"], extension_names = ["envoy.filters.http.dynamic_forward_proxy"], deps = [ "//source/common/router:string_accessor_lib", diff --git a/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc b/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc index 2f38ff058105..233703771731 100644 --- a/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc +++ b/test/extensions/filters/http/alternate_protocols_cache/filter_integration_test.cc @@ -6,8 +6,8 @@ #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "source/common/http/http_server_properties_cache_impl.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/integration/http_integration.h" #include "test/integration/http_protocol_integration.h" diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc index 1193b7379c07..497ea0f582c4 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc 
@@ -3,8 +3,8 @@
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h"
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "test/integration/http_integration.h"
 #include "test/integration/ssl_utility.h"
diff --git a/test/extensions/filters/http/router/auto_sni_integration_test.cc b/test/extensions/filters/http/router/auto_sni_integration_test.cc
index 405a8d8c2a77..fe495f34e340 100644
--- a/test/extensions/filters/http/router/auto_sni_integration_test.cc
+++ b/test/extensions/filters/http/router/auto_sni_integration_test.cc
@@ -5,8 +5,8 @@
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
 #include "envoy/upstream/upstream.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "test/integration/http_integration.h"
diff --git a/test/extensions/filters/listener/tls_inspector/BUILD b/test/extensions/filters/listener/tls_inspector/BUILD
index 8c2ef09bdddf..a843e2a574f6 100644
--- a/test/extensions/filters/listener/tls_inspector/BUILD
+++ b/test/extensions/filters/listener/tls_inspector/BUILD
@@ -104,13 +104,13 @@ envoy_cc_test(
 "//source/common/event:dispatcher_includes",
 "//source/common/event:dispatcher_lib",
 "//source/common/network:utility_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/access_loggers/file:config",
 "//source/extensions/filters/listener/tls_inspector:config",
 "//source/extensions/filters/listener/tls_inspector:tls_inspector_lib",
 "//source/extensions/filters/network/echo:config",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//test/integration:integration_lib",
 "//test/mocks/runtime:runtime_mocks",
 "//test/mocks/secret:secret_mocks",
diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc
index ce4a9809b41b..78b57390d80d 100644
--- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc
+++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc
@@ -8,9 +8,9 @@
 #include "source/common/config/api_version.h"
 #include "source/common/network/raw_buffer_socket.h"
 #include "source/common/network/utility.h"
+#include "source/common/tls/context_manager_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "source/extensions/filters/listener/tls_inspector/tls_inspector.h"
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
 #include "test/integration/integration.h"
 #include "test/integration/ssl_utility.h"
diff --git a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc
index ff177bd7720e..f801f805ab79 100644
--- a/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc
+++ b/test/extensions/filters/network/sni_dynamic_forward_proxy/proxy_filter_integration_test.cc
@@ -3,8 +3,8 @@
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h"
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "test/integration/http_integration.h"
 #include "test/integration/ssl_utility.h"
diff --git a/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc b/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc
index d9be99300106..815da8ab3230 100644
--- a/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc
+++ b/test/extensions/resource_monitors/injected_resource/injected_resource_monitor_integration_test.cc
@@ -6,7 +6,7 @@
 #include "envoy/config/overload/v3/overload.pb.h"
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
+#include "source/common/tls/context_config_impl.h"
 #include "test/config/integration/certs/clientcert_hash.h"
 #include "test/config/utility.h"
diff --git a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc
index dee7ca351132..f3efba23db8d 100644
--- a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc
+++ b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc
@@ -2,10 +2,10 @@
 #include "envoy/server/filter_config.h"
 #include "source/common/network/connection_impl.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "source/extensions/filters/network/common/factory_base.h"
 #include "source/extensions/transport_sockets/starttls/starttls_socket.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
 #include "test/config/utility.h"
 #include "test/extensions/transport_sockets/starttls/starttls_integration_test.pb.h"
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
index 470fae0034f0..9f9644768aee 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
@@ -18,13 +18,13 @@ envoy_extension_cc_test(
 "spiffe_validator_test.cc",
 ],
 data = [
- "//test/extensions/transport_sockets/tls/test_data:certs",
+ "//test/common/tls/test_data:certs",
 ],
 extension_names = ["envoy.tls.cert_validator.spiffe"],
 deps = [
 "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config",
- "//test/extensions/transport_sockets/tls:ssl_test_utils",
- "//test/extensions/transport_sockets/tls/cert_validator:test_common",
+ "//test/common/tls:ssl_test_utils",
+ "//test/common/tls/cert_validator:test_common",
 "//test/test_common:environment_lib",
 "//test/test_common:simulated_time_system_lib",
 "//test/test_common:test_runtime_lib",
@@ -42,8 +42,8 @@ envoy_extension_cc_test(
 size = "large",
 srcs = ["spiffe_validator_integration_test.cc"],
 data = [
+ "//test/common/tls/test_data:certs",
 "//test/config/integration/certs",
- "//test/extensions/transport_sockets/tls/test_data:certs",
 ],
 extension_names = ["envoy.tls.cert_validator.spiffe"],
 # Broken until bazel 5.0.0 fix to shorten resulting paths for SymInitialize() failure
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc
index e289c8bd418e..1806d0985ed1 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc
@@ -2,7 +2,7 @@
 #include
-#include "source/extensions/transport_sockets/tls/context_manager_impl.h"
+#include "source/common/tls/context_manager_impl.h"
 #include "test/integration/integration.h"
@@ -114,7 +114,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"), *typed_conf);
 custom_validator_config_ = typed_conf;
@@ -200,7 +200,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"), *typed_conf);
 custom_validator_config_ = typed_conf;
@@ -257,7 +257,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem"
 - name: example.com
 trust_bundle:
 filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem"
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
index c6a06acab352..51cc1ad97016 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
@@ -8,11 +8,11 @@
 #include "source/common/common/c_smart_ptr.h"
 #include "source/common/event/real_time_system.h"
+#include "source/common/tls/stats.h"
 #include "source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h"
-#include "source/extensions/transport_sockets/tls/stats.h"
-#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h"
-#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
+#include "test/common/tls/cert_validator/test_common.h"
+#include "test/common/tls/ssl_test_utility.h"
 #include "test/test_common/environment.h"
 #include "test/test_common/simulated_time_system.h"
 #include "test/test_common/test_runtime.h"
@@ -122,10 +122,10 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: hello.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem"
 - name: hello.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem"
 )EOF")),
 EnvoyException,
 "Multiple trust bundles are given for one trust domain for hello.com");
@@ -138,7 +138,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: hello.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert_with_crl.pem"
 )EOF"));
 EXPECT_EQ(1, validator().trustBundleStores().size());
@@ -153,10 +153,10 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: hello.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 - name: k8s-west.example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/keyusage_crl_sign_cert.pem"
 )EOF"));
 EXPECT_EQ(2, validator().trustBundleStores().size());
@@ -177,25 +177,25 @@ TEST(SPIFFEValidator, TestExtractTrustDomain) {
 TEST(SPIFFEValidator, TestCertificatePrecheck) {
 bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
 // basicConstraints: CA:True,
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"));
 EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get()));
 cert = readCertFromFile(TestEnvironment::substitute(
 // basicConstraints CA:False, keyUsage has keyCertSign
 "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem"));
+ "}}/test/common/tls/test_data/keyusage_cert_sign_cert.pem"));
 EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get()));
 cert = readCertFromFile(TestEnvironment::substitute(
 // basicConstraints CA:False, keyUsage has cRLSign
 "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem"));
+ "}}/test/common/tls/test_data/keyusage_crl_sign_cert.pem"));
 EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get()));
 cert = readCertFromFile(TestEnvironment::substitute(
 // basicConstraints CA:False, keyUsage does not have keyCertSign and cRLSign
 // should be considered valid (i.e. return 1).
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem"));
 EXPECT_TRUE(SPIFFEValidator::certificatePrecheck(cert.get()));
 }
@@ -210,18 +210,18 @@ TEST_F(TestSPIFFEValidator, TestGetTrustBundleStore) {
 // No SAN
 auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem"));
 EXPECT_FALSE(validator().getTrustBundleStore(cert.get()));
 // Non-SPIFFE SAN
- cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem"));
+ cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/non_spiffe_san_cert.pem"));
 EXPECT_FALSE(validator().getTrustBundleStore(cert.get()));
 // SPIFFE SAN
 cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"));
 // Trust bundle not provided.
 EXPECT_FALSE(validator().getTrustBundleStore(cert.get()));
@@ -248,7 +248,7 @@ TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainPrecheckFailure) {
 initialize();
 bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
 // basicConstraints: CA:True
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"));
 TestSslExtendedSocketInfo info;
 SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method());
 bssl::UniquePtr cert_chain(sk_X509_new_null());
@@ -269,7 +269,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"));
 X509StorePtr store = X509_STORE_new();
@@ -278,7 +278,7 @@ name: envoy.tls.cert_validator.spiffe
 {
 // Trust domain matches so should be accepted.
 auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Successful,
@@ -291,7 +291,7 @@ name: envoy.tls.cert_validator.spiffe
 {
 // Different trust domain so should be rejected.
 auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Failed,
@@ -303,7 +303,7 @@ name: envoy.tls.cert_validator.spiffe
 {
 // Does not have san.
 auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Failed,
@@ -324,10 +324,10 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"));
 X509StorePtr store = X509_STORE_new();
@@ -337,7 +337,7 @@ name: envoy.tls.cert_validator.spiffe
 {
 // Trust domain matches so should be accepted.
 auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Successful,
@@ -349,7 +349,7 @@ name: envoy.tls.cert_validator.spiffe
 {
 auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Successful,
@@ -361,9 +361,9 @@ name: envoy.tls.cert_validator.spiffe
 {
 // Trust domain matches but it has expired.
- auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem"));
+ auto cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/expired_spiffe_san_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Failed,
@@ -376,7 +376,7 @@ name: envoy.tls.cert_validator.spiffe
 {
 // Does not have san.
 auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem"));
+ "{{ test_rundir }}/test/common/tls/test_data/extensions_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Failed,
@@ -398,7 +398,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"));
 X509StorePtr store = X509_STORE_new();
@@ -406,9 +406,9 @@ name: envoy.tls.cert_validator.spiffe
 TestSslExtendedSocketInfo info;
 // Trust domain matches and it has expired but allow_expired_certificate is true, so this
 // should be accepted.
- auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem"));
+ auto cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir "
+ "}}/test/common/tls/test_data/expired_spiffe_san_cert.pem"));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
 sk_X509_push(cert_chain.get(), cert.release());
 EXPECT_EQ(ValidationResults::ValidationStatus::Successful,
@@ -428,14 +428,14 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF");
 X509StorePtr store = X509_STORE_new();
 SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method());
 // URI SAN = spiffe://lyft.com/test-team
- auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"));
+ auto cert = readCertFromFile(
+ TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem"));
 X509StoreContextPtr store_ctx = X509_STORE_CTX_new();
 EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), store.get(), cert.get(), nullptr));
 bssl::UniquePtr cert_chain(sk_X509_new_null());
@@ -476,17 +476,17 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"));
 TestSslExtendedSocketInfo info;
 // Chain contains workload, intermediate, and ca cert, so it should be accepted.
- auto cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/"
- "spiffe_san_signed_by_intermediate_cert.pem"));
- auto intermediate_ca_cert = readCertFromFile(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/"
- "intermediate_ca_cert.pem"));
+ auto cert =
+ readCertFromFile(TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/"
+ "spiffe_san_signed_by_intermediate_cert.pem"));
+ auto intermediate_ca_cert =
+ readCertFromFile(TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/"
+ "intermediate_ca_cert.pem"));
 SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method());
 bssl::UniquePtr cert_chain(sk_X509_new_null());
@@ -523,7 +523,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"));
 {
@@ -566,7 +566,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"));
 {
@@ -599,10 +599,10 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"));
 auto actual = validator().getCaCertInformation();
@@ -623,10 +623,10 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/intermediate_ca_cert.pem"
 )EOF"), time_system);
 EXPECT_EQ(19956, validator().daysUntilFirstCertExpires().value());
@@ -647,7 +647,7 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"
 )EOF"), time_system);
@@ -663,13 +663,13 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 - name: foo.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"), time_system);
@@ -706,10 +706,10 @@ name: envoy.tls.cert_validator.spiffe
 trust_domains:
 - name: lyft.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/spiffe_san_cert.pem"
 - name: example.com
 trust_bundle:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ filename: "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"
 )EOF"), time_system);
 uint8_t hash_buffer[EVP_MAX_MD_SIZE];
diff --git a/test/integration/BUILD b/test/integration/BUILD
index b29e7d22c976..1fb893b6787a 100644
--- a/test/integration/BUILD
+++ b/test/integration/BUILD
@@ -937,9 +937,9 @@ envoy_cc_test_library(
 "//envoy/event:timer_interface",
 "//source/common/common:thread_annotations",
 "//source/common/network:socket_option_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/filters/http/router:config",
 "//source/extensions/filters/network/http_connection_manager:config",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//test/common/http/http2:http2_frame",
 "//test/common/upstream:utility_lib",
 "//test/integration/filters:add_body_filter_config_lib",
@@ -1112,6 +1112,9 @@ envoy_cc_test_library(
 ":utility_lib",
 "//source/common/common:thread_lib",
 "//source/common/config:api_version_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
+ "//source/common/tls:ssl_socket_lib",
 "//source/extensions/clusters/eds:eds_lib",
 "//source/extensions/clusters/static:static_cluster_lib",
 "//source/extensions/config_subscription/grpc:grpc_collection_subscription_lib",
@@ -1123,9 +1126,6 @@ envoy_cc_test_library(
 "//source/extensions/load_balancing_policies/round_robin:config",
 "//source/extensions/network/dns_resolver/cares:config",
 "//source/extensions/request_id/uuid:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
- "//source/extensions/transport_sockets/tls:ssl_socket_lib",
 "//source/server:process_context_lib",
 "//source/server:proto_descriptors_lib",
 "//test/common/grpc:grpc_client_integration_lib",
@@ -1200,8 +1200,8 @@ envoy_cc_test_library(
 "//source/common/stats:allocator_lib",
 "//source/common/stats:isolated_store_lib",
 "//source/common/thread_local:thread_local_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//source/server:drain_manager_lib",
 "//source/server:hot_restart_nop_lib",
 "//source/server:listener_hooks_lib",
@@ -1645,9 +1645,9 @@ envoy_cc_test(
 "//source/common/event:dispatcher_lib",
 "//source/common/network:connection_lib",
 "//source/common/network:utility_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//test/mocks/secret:secret_mocks",
 "//test/test_common:utility_lib",
 "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto",
@@ -1681,12 +1681,12 @@ envoy_cc_test(
 "//source/common/event:dispatcher_lib",
 "//source/common/network:connection_lib",
 "//source/common/network:utility_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//test/common/grpc:grpc_client_integration_lib",
+ "//test/common/tls:test_private_key_method_provider_test_lib",
 "//test/config/integration/certs:certs_info",
- "//test/extensions/transport_sockets/tls:test_private_key_method_provider_test_lib",
 "//test/mocks/runtime:runtime_mocks",
 "//test/mocks/secret:secret_mocks",
 "//test/test_common:resources_lib",
@@ -1751,13 +1751,13 @@ envoy_cc_test(
 "//source/common/event:dispatcher_includes",
 "//source/common/event:dispatcher_lib",
 "//source/common/network:utility_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/access_loggers/file:config",
 "//source/extensions/filters/network/common:factory_base_lib",
 "//source/extensions/filters/network/tcp_proxy:config",
 "//source/extensions/load_balancing_policies/subset:config",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//test/mocks/runtime:runtime_mocks",
 "//test/mocks/secret:secret_mocks",
 "//test/test_common:registry_lib",
@@ -1786,13 +1786,13 @@ envoy_cc_test(
 "//source/common/event:dispatcher_includes",
 "//source/common/event:dispatcher_lib",
 "//source/common/network:utility_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/access_loggers/file:config",
 "//source/extensions/filters/network/common:factory_base_lib",
 "//source/extensions/filters/network/tcp_proxy:config",
 "//source/extensions/load_balancing_policies/subset:config",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//test/mocks/runtime:runtime_mocks",
 "//test/mocks/secret:secret_mocks",
 "//test/test_common:registry_lib",
@@ -1975,11 +1975,11 @@ envoy_cc_test(
 deps = [
 ":http_integration_lib",
 ":http_protocol_integration_lib",
+ "//source/common/tls:context_config_lib",
+ "//source/common/tls:context_lib",
 "//source/extensions/filters/network/tcp_proxy:config",
 "//source/extensions/matching/network/application_protocol:config",
 "//source/extensions/transport_sockets/tls:config",
- "//source/extensions/transport_sockets/tls:context_config_lib",
- "//source/extensions/transport_sockets/tls:context_lib",
 "//test/common/grpc:grpc_client_integration_lib",
 "//test/integration/filters:test_listener_filter_lib",
 "//test/test_common:environment_lib",
@@ -2400,7 +2400,7 @@ envoy_cc_test(
 deps = envoy_select_enable_http3([
 "//source/extensions/quic/server_preferred_address:fixed_server_preferred_address_config_factory_config",
 "//test/common/config:dummy_config_proto_cc_proto",
- "//test/extensions/transport_sockets/tls/cert_validator:timed_cert_validator",
+ "//test/common/tls/cert_validator:timed_cert_validator",
 ":http_integration_lib",
 ":socket_interface_swap_lib",
 "//source/common/quic:client_connection_factory_lib",
diff --git a/test/integration/alpn_selection_integration_test.cc b/test/integration/alpn_selection_integration_test.cc
index b1b081cb7265..ed4bdef8ee0d 100644
--- a/test/integration/alpn_selection_integration_test.cc
+++ b/test/integration/alpn_selection_integration_test.cc
@@ -3,9 +3,9 @@
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
 #include "source/common/http/utility.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/context_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/context_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "test/integration/http_integration.h"
diff --git a/test/integration/base_integration_test.cc b/test/integration/base_integration_test.cc
index 23b216c0d2a6..4f28efb606ba 100644
--- a/test/integration/base_integration_test.cc
+++ b/test/integration/base_integration_test.cc
@@ -18,8 +18,8 @@
 #include "source/common/common/assert.h"
 #include "source/common/event/libevent.h"
 #include "source/common/network/utility.h"
-#include "source/extensions/transport_sockets/tls/context_config_impl.h"
-#include "source/extensions/transport_sockets/tls/ssl_socket.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
 #include "source/server/proto_descriptors.h"
 #include "test/integration/utility.h"
diff --git a/test/integration/base_integration_test.h b/test/integration/base_integration_test.h
index 33f1a755567d..1f1df3f7c765 100644
--- a/test/integration/base_integration_test.h
+++ b/test/integration/base_integration_test.h
@@ -9,7 +9,7 @@ #include "envoy/server/process_context.h" #include "envoy/service/discovery/v3/discovery.pb.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/config/utility.h" diff --git a/test/integration/http_integration.cc b/test/integration/http_integration.cc index e639caa7eeca..c25103ffabb0 100644 --- a/test/integration/http_integration.cc +++ b/test/integration/http_integration.cc @@ -32,9 +32,9 @@ #include "source/common/quic/quic_client_transport_socket_factory.h" #endif -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/common/upstream/utility.h" #include "test/integration/autonomous_upstream.h" diff --git a/test/integration/quic_http_integration_test.cc b/test/integration/quic_http_integration_test.cc index 80c5c117e4bb..7f9afc898cd6 100644 --- a/test/integration/quic_http_integration_test.cc +++ b/test/integration/quic_http_integration_test.cc 
@@ -20,14 +20,14 @@ #include "source/common/quic/envoy_quic_proof_verifier.h" #include "source/common/quic/envoy_quic_utils.h" #include "source/common/quic/quic_client_transport_socket_factory.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "test/common/config/dummy_config.pb.h" #include "test/common/quic/test_utils.h" +#include "test/common/tls/cert_validator/timed_cert_validator.h" #include "test/common/upstream/utility.h" #include "test/config/integration/certs/clientcert_hash.h" #include "test/config/utility.h" -#include "test/extensions/transport_sockets/tls/cert_validator/timed_cert_validator.h" #include "test/integration/filters/test_listener_filter.h" #include "test/integration/filters/test_listener_filter.pb.h" #include "test/integration/http_integration.h" diff --git a/test/integration/sds_dynamic_integration_test.cc b/test/integration/sds_dynamic_integration_test.cc index 92929dbf74bf..c3b8cb52fb89 100644 --- a/test/integration/sds_dynamic_integration_test.cc +++ b/test/integration/sds_dynamic_integration_test.cc 
@@ -19,15 +19,15 @@ #include "source/common/quic/client_connection_factory_impl.h" #endif -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/common/grpc/grpc_client_integration.h" #include "test/config/integration/certs/clientcert_hash.h" #include "test/config/integration/certs/servercert_info.h" #include "test/config/integration/certs/server2cert_info.h" -#include "test/extensions/transport_sockets/tls/test_private_key_method_provider.h" +#include "test/common/tls/test_private_key_method_provider.h" #include "test/integration/http_integration.h" #include "test/integration/server.h" #include "test/integration/ssl_utility.h" diff --git a/test/integration/sds_static_integration_test.cc b/test/integration/sds_static_integration_test.cc index 8fa8418e5a42..49d42c1eb6c2 100644 --- a/test/integration/sds_static_integration_test.cc +++ b/test/integration/sds_static_integration_test.cc @@ -9,8 +9,8 @@ #include "source/common/event/dispatcher_impl.h" #include "source/common/network/connection_impl.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/config/integration/certs/clientcert_hash.h" #include "test/integration/http_integration.h" diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index 0c4ae2e6dfd8..f0ea65b76261 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc 
@@ -5,9 +5,9 @@ #include "source/common/http/utility.h" #include "source/common/json/json_loader.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/config/utility.h" #include "test/integration/server.h" @@ -37,8 +37,8 @@ void initializeUpstreamTlsContextConfig( chain = rundir + "/test/config/integration/certs/client_ecdsacert.pem"; key = rundir + "/test/config/integration/certs/client_ecdsakey.pem"; } else if (options.use_expired_spiffe_cert_) { - chain = rundir + "/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem"; - key = rundir + "/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_key.pem"; + chain = rundir + "/test/common/tls/test_data/expired_spiffe_san_cert.pem"; + key = rundir + "/test/common/tls/test_data/expired_spiffe_san_key.pem"; } else if (options.client_with_intermediate_cert_) { chain = rundir + "/test/config/integration/certs/client2_chain.pem"; key = rundir + "/test/config/integration/certs/client2key.pem"; diff --git a/test/integration/ssl_utility.h b/test/integration/ssl_utility.h index 3187b3b0e2ad..2c1565fc6c8a 100644 --- a/test/integration/ssl_utility.h +++ b/test/integration/ssl_utility.h @@ -7,7 +7,7 @@ #include "envoy/secret/secret_manager.h" #include "envoy/ssl/context_manager.h" -#include "source/extensions/transport_sockets/tls/context_impl.h" +#include "source/common/tls/context_impl.h" namespace Envoy { namespace Ssl { diff --git a/test/integration/tcp_proxy_integration_test.cc b/test/integration/tcp_proxy_integration_test.cc index 90ad072b819a..f383cc5b5eca 100644 --- a/test/integration/tcp_proxy_integration_test.cc 
+++ b/test/integration/tcp_proxy_integration_test.cc @@ -12,8 +12,8 @@ #include "source/common/config/api_version.h" #include "source/common/network/utility.h" +#include "source/common/tls/context_manager_impl.h" #include "source/extensions/filters/network/common/factory_base.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" #include "test/integration/fake_access_log.h" #include "test/integration/ssl_utility.h" diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index e227f40a387c..eeec6cf876b5 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc @@ -12,9 +12,9 @@ #include "source/common/event/dispatcher_impl.h" #include "source/common/http/header_map_impl.h" #include "source/common/network/utility.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" -#include "source/extensions/transport_sockets/tls/ssl_socket.h" +#include "source/common/tls/context_config_impl.h" +#include "source/common/tls/context_manager_impl.h" +#include "source/common/tls/ssl_socket.h" #include "test/test_common/network_utility.h" #include "test/test_common/printers.h" diff --git a/test/mocks/server/BUILD b/test/mocks/server/BUILD index 554313ac5267..7fe3818ab7fa 100644 --- a/test/mocks/server/BUILD +++ b/test/mocks/server/BUILD @@ -216,7 +216,7 @@ envoy_cc_mock( "//source/common/secret:secret_manager_impl_lib", "//source/common/singleton:manager_impl_lib", "//source/common/stats:stats_lib", - "//source/extensions/transport_sockets/tls:context_lib", + "//source/common/tls:context_lib", "//test/mocks/access_log:access_log_mocks", "//test/mocks/api:api_mocks", "//test/mocks/http:http_mocks", diff --git a/test/mocks/server/factory_context.h b/test/mocks/server/factory_context.h index 594afca75f48..3d273cd89d18 100644 --- a/test/mocks/server/factory_context.h 
+++ b/test/mocks/server/factory_context.h @@ -3,7 +3,7 @@ #include "envoy/server/configuration.h" #include "source/common/router/context_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "admin.h" #include "drain_manager.h" diff --git a/test/mocks/server/listener_factory_context.h b/test/mocks/server/listener_factory_context.h index 10fbe1e21705..3d5b6197f042 100644 --- a/test/mocks/server/listener_factory_context.h +++ b/test/mocks/server/listener_factory_context.h @@ -3,7 +3,7 @@ #include "envoy/server/configuration.h" #include "envoy/server/listener_manager.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "admin.h" #include "drain_manager.h" diff --git a/test/mocks/server/server_factory_context.h b/test/mocks/server/server_factory_context.h index 9c8d754227aa..7e69dbad447e 100644 --- a/test/mocks/server/server_factory_context.h +++ b/test/mocks/server/server_factory_context.h @@ -7,7 +7,7 @@ #include "source/common/quic/quic_stat_names.h" #include "source/common/router/context_impl.h" #include "source/common/stats/symbol_table.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "test/mocks/access_log/mocks.h" #include "test/mocks/api/mocks.h" diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh index 9759ec2c2658..4a0e5fc32502 100755 --- a/test/per_file_coverage.sh +++ b/test/per_file_coverage.sh 
@@ -51,9 +51,9 @@ declare -a KNOWN_LOW_COVERAGE=( "source/extensions/tracers/opencensus:94.0" "source/extensions/tracers/zipkin:95.8" "source/extensions/transport_sockets:95.8" -"source/extensions/transport_sockets/tls:95.0" -"source/extensions/transport_sockets/tls/cert_validator:95.2" -"source/extensions/transport_sockets/tls/private_key:88.9" +"source/common/tls:94.9" +"source/common/tls/cert_validator:94.2" +"source/common/tls/private_key:88.9" "source/extensions/wasm_runtime/wamr:0.0" # Not enabled in coverage build "source/extensions/wasm_runtime/wasmtime:0.0" # Not enabled in coverage build "source/extensions/wasm_runtime/wavm:0.0" # Not enabled in coverage build diff --git a/test/server/admin/BUILD b/test/server/admin/BUILD index 8e7c6ecce89f..8c39988f9557 100644 --- a/test/server/admin/BUILD +++ b/test/server/admin/BUILD @@ -216,7 +216,7 @@ envoy_cc_test( srcs = envoy_select_admin_functionality(["server_info_handler_test.cc"]), deps = [ ":admin_instance_lib", - "//source/extensions/transport_sockets/tls:context_config_lib", + "//source/common/tls:context_config_lib", "//test/test_common:logging_lib", "//test/test_common:test_runtime_lib", "@envoy_api//envoy/admin/v3:pkg_cc_proto", diff --git a/test/server/admin/server_info_handler_test.cc b/test/server/admin/server_info_handler_test.cc index 3de415bd2f8c..68b21f335750 100644 --- a/test/server/admin/server_info_handler_test.cc +++ b/test/server/admin/server_info_handler_test.cc @@ -1,6 +1,6 @@ #include "envoy/admin/v3/memory.pb.h" -#include "source/extensions/transport_sockets/tls/context_config_impl.h" +#include "source/common/tls/context_config_impl.h" #include "test/server/admin/admin_instance.h" #include "test/test_common/logging.h" diff --git a/test/server/config_validation/BUILD b/test/server/config_validation/BUILD index 22184df662cc..6d838b121c91 100644 --- a/test/server/config_validation/BUILD +++ b/test/server/config_validation/BUILD 
@@ -15,7 +15,7 @@ envoy_cc_test( "//source/common/api:api_lib", "//source/common/singleton:manager_impl_lib", "//source/common/stats:stats_lib", - "//source/extensions/transport_sockets/tls:context_lib", + "//source/common/tls:context_lib", "//source/server/config_validation:cluster_manager_lib", "//source/server/config_validation:dns_lib", "//test/mocks/access_log:access_log_mocks", diff --git a/test/server/config_validation/cluster_manager_test.cc b/test/server/config_validation/cluster_manager_test.cc index 10323e4b3c07..02442808b230 100644 --- a/test/server/config_validation/cluster_manager_test.cc +++ b/test/server/config_validation/cluster_manager_test.cc @@ -6,7 +6,7 @@ #include "source/common/grpc/context_impl.h" #include "source/common/http/context_impl.h" #include "source/common/singleton/manager_impl.h" -#include "source/extensions/transport_sockets/tls/context_manager_impl.h" +#include "source/common/tls/context_manager_impl.h" #include "source/server/config_validation/cluster_manager.h" #include "test/mocks/access_log/mocks.h" diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml index 8a13f9946fda..907c8965fd0d 100644 --- a/tools/code_format/config.yaml +++ b/tools/code_format/config.yaml @@ -170,6 +170,8 @@ paths: - source/common/ssl/certificate_validation_context_config_impl.cc - source/common/grpc/google_grpc_creds_impl.cc - source/common/local_reply/local_reply.cc + - source/common/tls/context_impl.cc + - source/common/tls/context_config_impl.cc # Only one C++ file should instantiate grpc_init grpc_init: @@ -391,6 +393,7 @@ visibility_excludes: - source/extensions/filters/network/common/BUILD - source/extensions/http/header_validators/envoy_default/BUILD - source/extensions/transport_sockets/common/BUILD +- source/extensions/transport_sockets/tap/BUILD - source/extensions/udp_packet_writer/default/BUILD - source/extensions/udp_packet_writer/gso/BUILD - source/extensions/path/uri_template_lib/BUILD 
From 9e683d2bb6f492fd2e818ef4aaceb007ce79742f Mon Sep 17 00:00:00 2001 From: danzh Date: Tue, 5 Mar 2024 09:55:33 -0500 Subject: [PATCH 09/34] quic: upstream connections read 32 packets per loop (#32693) Commit Message: change the current behavior from reading up to 16 * number of in-flight requests to reading 32 packets per-connection. Risk Level: low, HTTP/3 upstream is in Alpha now Testing: existing tests pass Docs Changes: N/A Release Notes: Yes Platform Specific Features: N/A Runtime guard: envoy.reloadable_features.quic_upstream_reads_fixed_number_packets Signed-off-by: Dan Zhang --- changelogs/current.yaml | 4 ++++ source/common/quic/envoy_quic_client_connection.h | 4 +++- source/common/runtime/runtime_features.cc | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 0d030992c559..5d8b1cacfc71 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -51,6 +51,10 @@ minor_behavior_changes: Port migration is default turned off. QUIC client connections will no longer attempt to migrate to a new port when connections is degrading. Can be manually turned on via :ref:`port_migration `. +- area: QUIC + change: | + Make each upstream connection to read as many as 32 packets in each event loop. This feature can be disabled by setting + ``envoy.reloadable_features.quic_upstream_reads_fixed_number_packets`` to false. - area: aws change: | AWS region string is now retrieved from environment and profile consistently within aws_request_signer and diff --git a/source/common/quic/envoy_quic_client_connection.h b/source/common/quic/envoy_quic_client_connection.h index d8b917e0f4dd..ece2c43c7747 100644 --- a/source/common/quic/envoy_quic_client_connection.h +++ b/source/common/quic/envoy_quic_client_connection.h 
@@ -80,7 +80,9 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, // TODO(mattklein123): Emit a stat for this. } size_t numPacketsExpectedPerEventLoop() const override { - if (delegate_.has_value()) { + if (!Runtime::runtimeFeatureEnabled( + "envoy.reloadable_features.quic_upstream_reads_fixed_number_packets") && + delegate_.has_value()) { return delegate_->numPacketsExpectedPerEventLoop(); } return DEFAULT_PACKETS_TO_READ_PER_CONNECTION; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 528b1e993ffa..73998c11e30f 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -81,6 +81,7 @@ RUNTIME_GUARD(envoy_reloadable_features_quic_fix_filter_manager_uaf); // Ignore the automated "remove this flag" issue: we should keep this for 1 year. Confirm with // @danzh2010 or @RyanTheOptimist before removing. RUNTIME_GUARD(envoy_reloadable_features_quic_send_server_preferred_address_to_all_clients); +RUNTIME_GUARD(envoy_reloadable_features_quic_upstream_reads_fixed_number_packets); RUNTIME_GUARD(envoy_reloadable_features_sanitize_te); RUNTIME_GUARD(envoy_reloadable_features_send_header_raw_value); RUNTIME_GUARD(envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request); From f26361e8838a1e7193f59f7d630a005621c38e94 Mon Sep 17 00:00:00 2001 
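Review bot: The new runtime check in `numPacketsExpectedPerEventLoop()` has no comment saying why the delegate-driven budget is being bypassed, so a reader has to dig the intent out of the changelog. I would add above the `if`: `// With the guard on, read a fixed DEFAULT_PACKETS_TO_READ_PER_CONNECTION per event loop instead of scaling the budget with the delegate's in-flight request count; the delegate path is kept only as the legacy (guard-off) behavior.` The guard is presumably sampled on every read loop of every upstream connection, which is how reloadable features are normally consulted in this codebase, but it is worth confirming that is intended for a per-connection hot path rather than caching it at construction. The enclosing class continues outside the hunk.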
From: danzh Date: Tue, 5 Mar 2024 11:24:45 -0500 Subject: [PATCH 10/34] quic: handle incoming packets with unknown destination address (#32691) Commit Message: QUIC client sockets always enable socket options to read destination address of the incoming UDP packets. But in some cases, the address is not returned via the system call, recvmsg or recvmmsg. In such case, Quic connection should drop the packets. And if there are a lot of such packets, the connection should be closed with detailed error sent to the server. Risk Level: n/a Testing: n/a Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Dan Zhang Co-authored-by: Dan Zhang --- source/common/network/utility.cc | 17 +++++++------- .../quic/envoy_quic_client_connection.cc | 20 +++++++++++++++++ .../quic/envoy_quic_client_connection.h | 1 + .../quic/envoy_quic_client_session_test.cc | 22 +++++++++++++++++++ 4 files changed, 52 insertions(+), 8 deletions(-) diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc index 6e9f3188d244..eb7bb2a72951 100644 --- a/source/common/network/utility.cc +++ b/source/common/network/utility.cc 
@@ -583,16 +583,17 @@ void passPayloadToProcessor(uint64_t bytes_read, Buffer::InstancePtr buffer, Address::InstanceConstSharedPtr peer_addess, Address::InstanceConstSharedPtr local_address, UdpPacketProcessor& udp_packet_processor, MonotonicTime receive_time) { - RELEASE_ASSERT( - peer_addess != nullptr, - fmt::format("Unable to get remote address on the socket bount to local address: {} ", - local_address->asString())); + ENVOY_BUG(peer_addess != nullptr, + fmt::format("Unable to get remote address on the socket bound to local address: {}.", + (local_address == nullptr ? "unknown" : local_address->asString()))); // Unix domain sockets are not supported - RELEASE_ASSERT(peer_addess->type() == Address::Type::Ip, - fmt::format("Unsupported remote address: {} local address: {}, receive size: " - "{}", - peer_addess->asString(), local_address->asString(), bytes_read)); + ENVOY_BUG(peer_addess != nullptr && peer_addess->type() == Address::Type::Ip, + fmt::format("Unsupported remote address: {} local address: {}, receive size: " + "{}", + peer_addess->asString(), + (local_address == nullptr ? "unknown" : local_address->asString()), + bytes_read)); udp_packet_processor.processPacket(std::move(local_address), std::move(peer_addess), std::move(buffer), receive_time); } diff --git a/source/common/quic/envoy_quic_client_connection.cc b/source/common/quic/envoy_quic_client_connection.cc index 9890990091ca..aa17972506f5 100644 --- a/source/common/quic/envoy_quic_client_connection.cc +++ b/source/common/quic/envoy_quic_client_connection.cc 
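Review bot: Downgrading the two RELEASE_ASSERTs to ENVOY_BUG makes the null `peer_addess` case reachable in release builds, and the new code still dereferences it: the second ENVOY_BUG's details call `peer_addess->asString()`, and its condition `peer_addess != nullptr && ...` is exactly what fails when the pointer is null, so if ENVOY_BUG evaluates its details only on failure (as the upstream macro does) the failing path null-derefs before it can log. After that, `udp_packet_processor.processPacket(std::move(local_address), std::move(peer_addess), ...)` is still reached with a null peer, which the ASSERT in `EnvoyQuicClientConnection::processPacket` only catches in debug builds. I would turn the first check into a real guard, `if (peer_addess == nullptr) { ENVOY_BUG(false, "..."); return; }`, and likewise drop the datagram rather than fall through when the address is not IP. Whether silently dropping is acceptable for every UdpPacketProcessor, not only QUIC, is something the commit message should state.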
@@ -69,7 +69,27 @@ void EnvoyQuicClientConnection::processPacket( quic::QuicTime::Delta::FromMicroseconds( std::chrono::duration_cast(receive_time.time_since_epoch()) .count()); + ASSERT(peer_address != nullptr && buffer != nullptr); ASSERT(buffer->getRawSlices().size() == 1); + if (local_address == nullptr) { + // Quic doesn't know how to handle packets without destination address. Drop them here. + if (buffer->length() > 0) { + ++num_packets_with_unknown_dst_address_; + std::string error_message = fmt::format( + "Unable to get destination address. Address family {}. Have{} pending path validation. " + "self_address is{} initialized.", + (peer_address->ip()->version() == Network::Address::IpVersion::v4 ? "v4" : "v6"), + (HasPendingPathValidation() ? "" : " no"), + (self_address().IsInitialized() ? "" : " not")); + ENVOY_CONN_LOG(error, error_message, *this); + if (num_packets_with_unknown_dst_address_ > 10) { + // If too many packets are without destination addresses, close the connection. + CloseConnection(quic::QUIC_PACKET_READ_ERROR, error_message, + quic::ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET); + } + } + return; + } Buffer::RawSlice slice = buffer->frontSlice(); quic::QuicReceivedPacket packet(reinterpret_cast(slice.mem_), slice.len_, timestamp, /*owns_buffer=*/false, /*ttl=*/0, /*ttl_valid=*/false, diff --git a/source/common/quic/envoy_quic_client_connection.h b/source/common/quic/envoy_quic_client_connection.h index ece2c43c7747..43cbc0d12901 100644 --- a/source/common/quic/envoy_quic_client_connection.h +++ b/source/common/quic/envoy_quic_client_connection.h @@ -149,6 +149,7 @@ class EnvoyQuicClientConnection : public quic::QuicConnection, Event::Dispatcher& dispatcher_; bool migrate_port_on_path_degrading_{false}; uint8_t num_socket_switches_{0}; + size_t num_packets_with_unknown_dst_address_{0}; }; } // namespace Quic 
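Review bot: Once `num_packets_with_unknown_dst_address_` passes 10, every further address-less packet still logs at error level and calls `CloseConnection` again on an already-closing connection, because nothing in the new branch checks connection state or stops counting; I would bail out first with `if (!connected()) { return; }` (from quic::QuicConnection) and only log/close while still connected. The threshold is a bare `10` and the counter is never reset, so a long-lived connection that sees eleven such packets spread over its lifetime is torn down like one seeing a burst; a named `static constexpr size_t kMaxPacketsWithUnknownDstAddress = 10;` with a comment stating that lifetime-total is the intended semantics would make that deliberate. Note also that `peer_address->ip()->version()` assumes an IP peer; the companion change in utility.cc no longer release-asserts that, so a non-IP peer would null-deref here since the `ASSERT` above is debug-only. The enclosing function continues outside the hunk.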
diff --git a/test/common/quic/envoy_quic_client_session_test.cc b/test/common/quic/envoy_quic_client_session_test.cc index 23a105888b10..1a97687d2118 100644 --- a/test/common/quic/envoy_quic_client_session_test.cc +++ b/test/common/quic/envoy_quic_client_session_test.cc @@ -428,6 +428,28 @@ TEST_P(EnvoyQuicClientSessionTest, VerifyContextAbortOnFlushWriteBuffer) { "unexpectedly reached"); } +TEST_P(EnvoyQuicClientSessionTest, HandlePacketsWithoutDestinationAddress) { + // Build a STATELESS_RESET packet. + std::unique_ptr stateless_reset_packet = + quic::QuicFramer::BuildIetfStatelessResetPacket( + quic::test::TestConnectionId(), /*received_packet_length*/ 1200, + quic::QuicUtils::GenerateStatelessResetToken(quic::test::TestConnectionId())); + EXPECT_CALL(network_connection_callbacks_, onEvent(Network::ConnectionEvent::LocalClose)) + .Times(0); + for (size_t i = 0; i < 9; ++i) { + auto buffer = std::make_unique(stateless_reset_packet->data(), + stateless_reset_packet->length()); + quic_connection_->processPacket(nullptr, peer_addr_, std::move(buffer), + time_system_.monotonicTime()); + } + EXPECT_CALL(network_connection_callbacks_, onEvent(Network::ConnectionEvent::LocalClose)) + .Times(0); + auto buffer = std::make_unique(stateless_reset_packet->data(), + stateless_reset_packet->length()); + quic_connection_->processPacket(nullptr, peer_addr_, std::move(buffer), + time_system_.monotonicTime()); +} + // Tests that receiving a STATELESS_RESET packet on the probing socket doesn't cause crash. TEST_P(EnvoyQuicClientSessionTest, StatelessResetOnProbingSocket) { quic::QuicNewConnectionIdFrame frame; From 99b55265038c4cb065692346bd1d2d656f9111e2 Mon Sep 17 00:00:00 2001 From: Zhewei Hu Date: Tue, 5 Mar 2024 09:56:56 -0800 Subject: [PATCH 11/34] [ZK filter] Fix CreateTTL request parse (#32478) 
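Review bot: The new test never exercises the close path it exists for: it sends 9 + 1 = 10 address-less packets and asserts no `LocalClose`, but the production check is `> 10`, so the eleventh packet, the one that should trigger `CloseConnection`, is never sent and a regression that removed the close entirely would still pass. I would add one more `quic_connection_->processPacket(nullptr, peer_addr_, ...)` preceded by `EXPECT_CALL(network_connection_callbacks_, onEvent(Network::ConnectionEvent::LocalClose));` (or whichever event the close surfaces as in this fixture), and drop the second `.Times(0)` expectation, which repeats the first on the same mock. A one-line comment on why a STATELESS_RESET packet was chosen as the payload for the drop path would also help the next reader.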
Signed-off-by: Zhewei Hu --- .../network/zookeeper_proxy/decoder.cc | 7 +++ .../network/zookeeper_proxy/filter_test.cc | 52 +++++++++++++++---- 2 files changed, 49 insertions(+), 10 deletions(-) diff --git a/source/extensions/filters/network/zookeeper_proxy/decoder.cc b/source/extensions/filters/network/zookeeper_proxy/decoder.cc index 58303e75cd31..231e31453161 100644 --- a/source/extensions/filters/network/zookeeper_proxy/decoder.cc +++ b/source/extensions/filters/network/zookeeper_proxy/decoder.cc @@ -473,6 +473,13 @@ absl::Status DecoderImpl::parseCreateRequest(Buffer::Instance& data, uint64_t& o flag_data.status().message()); const CreateFlags flags = static_cast(flag_data.value()); + + if (opcode == OpCodes::CreateTtl) { + absl::StatusOr ttl = helper_.peekInt64(data, offset); + EMIT_DECODER_ERR_AND_RETURN_INVALID_ARG_ERR_IF_STATUS_NOT_OK(ttl, opcode, + ttl.status().message()); + } + status = callbacks_.onCreateRequest(path.value(), flags, opcode); EMIT_DECODER_ERR_AND_RETURN_IF_STATUS_NOT_OK(status, opcode); diff --git a/test/extensions/filters/network/zookeeper_proxy/filter_test.cc b/test/extensions/filters/network/zookeeper_proxy/filter_test.cc index 823f1e43a721..4136112f463b 100644 --- a/test/extensions/filters/network/zookeeper_proxy/filter_test.cc +++ b/test/extensions/filters/network/zookeeper_proxy/filter_test.cc @@ -296,8 +296,13 @@ class ZooKeeperFilterTest : public testing::Test { const int32_t opcode = enumToSignedInt(OpCodes::Create)) const { Buffer::OwnedImpl buffer; + int32_t min_len = 24; + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + min_len = 32; + } + if (!txn) { - buffer.writeBEInt(24 + path.length() + data.length()); + buffer.writeBEInt(min_len + path.length() + data.length()); buffer.writeBEInt(xid); buffer.writeBEInt(opcode); } 
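Review bot: The added CreateTtl branch only checks that eight more bytes are present; the value in `ttl` is read and then discarded, so a zero or negative TTL (which, as far as I recall, ZooKeeper servers reject for TTL nodes) passes through the filter as a well-formed create and is counted as one. If the filter is meant to mirror server-side validation, a check such as `if (ttl.value() <= 0) { /* emit decoder error and return invalid-arg */ }` belongs here; if presence-only is intentional, a comment `// TTL is consumed for framing only; its value is not validated.` would stop the next reader from assuming otherwise. It is also worth a comment that this branch deliberately sits before `onCreateRequest`, so a truncated CreateTtl request is not counted as a successful create. `parseCreateRequest` starts and ends outside the hunk.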
@@ -311,6 +316,11 @@ class ZooKeeperFilterTest : public testing::Test { // Flags. buffer.writeBEInt(create_flag_val); + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + // Ttl. + buffer.writeBEInt(3000); + } + return buffer; } @@ -319,8 +329,13 @@ class ZooKeeperFilterTest : public testing::Test { const int32_t opcode = enumToSignedInt(OpCodes::Create)) const { Buffer::OwnedImpl buffer; + int32_t min_len = 24; + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + min_len = 32; + } + if (!txn) { - buffer.writeBEInt(24 + path.length()); + buffer.writeBEInt(min_len + path.length()); buffer.writeBEInt(1000); buffer.writeBEInt(opcode); } @@ -334,6 +349,11 @@ class ZooKeeperFilterTest : public testing::Test { // Flags. buffer.writeBEInt(create_flag_val); + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + // Ttl. + buffer.writeBEInt(3000); + } + return buffer; } @@ -342,15 +362,20 @@ class ZooKeeperFilterTest : public testing::Test { const int32_t xid = 1000, const int32_t opcode = enumToSignedInt(OpCodes::Create)) const { Buffer::OwnedImpl buffer; + int32_t min_len = 24; + if (opcode == enumToSignedInt(OpCodes::CreateTtl)) { + min_len = 32; + } + if (!txn) { - buffer.writeBEInt(24 + path.length() + data.length()); + buffer.writeBEInt(min_len + path.length() + data.length()); buffer.writeBEInt(xid); buffer.writeBEInt(opcode); } addString(buffer, path); addString(buffer, data); - // Deliberately not adding acls and flags to the buffer. + // Deliberately not adding acls, flags (and/or ttl) to the buffer. return buffer; } @@ -368,7 +393,8 @@ class ZooKeeperFilterTest : public testing::Test { addString(buffer, path); addString(buffer, data); - // Deliberately not adding acls and flags to the buffer and change the length accordingly. + // Deliberately not adding acls, flags (and/or ttl) to the buffer and change the length + // accordingly. return buffer; } 
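Review bot: The `min_len = 24; if (opcode == CreateTtl) min_len = 32;` block and the `// Ttl.` write are now copy-pasted into three request builders, so the next opcode with extra fields has to be threaded through all of them by hand. A helper pair on the fixture, e.g. `int32_t createRequestFixedLen(int32_t opcode) const { return opcode == enumToSignedInt(OpCodes::CreateTtl) ? 32 : 24; }` and `void maybeAddTtl(Buffer::OwnedImpl& buffer, int32_t opcode) const`, would keep the builders in step. The magic values also deserve a one-line comment saying what they are: 24/32 are the fixed bytes without/with the int64 TTL field, and 3000 is the TTL value (presumably milliseconds).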
@@ -586,14 +612,20 @@ class ZooKeeperFilterTest : public testing::Test { break; } + int32_t rq_bytes = 35; + if (opcode == OpCodes::CreateTtl) { + rq_bytes = 43; + } + expectSetDynamicMetadata( {{{"opname", opname}, {"path", "/foo"}, {"create_type", createFlagsToString(flag)}}, - {{"bytes", "35"}}}); + {{"bytes", std::to_string(rq_bytes)}}}); EXPECT_EQ(Envoy::Network::FilterStatus::Continue, filter_->onData(data, false)); EXPECT_EQ(1UL, store_.counter(absl::StrCat("test.zookeeper.", opname, "_rq")).value()); - EXPECT_EQ(35UL, config_->stats().request_bytes_.value()); - EXPECT_EQ(35UL, store_.counter(absl::StrCat("test.zookeeper.", opname, "_rq_bytes")).value()); + EXPECT_EQ(static_cast(rq_bytes), config_->stats().request_bytes_.value()); + EXPECT_EQ(static_cast(rq_bytes), + store_.counter(absl::StrCat("test.zookeeper.", opname, "_rq_bytes")).value()); EXPECT_EQ(0UL, config_->stats().decoder_error_.value()); EXPECT_EQ(0UL, store_.counter(absl::StrCat("test.zookeeper.", opname, "_decoder_error")).value()); @@ -1319,8 +1351,8 @@ TEST_F(ZooKeeperFilterTest, MultiRequest) { EXPECT_EQ(Envoy::Network::FilterStatus::Continue, filter_->onData(data, false)); EXPECT_EQ(1UL, config_->stats().multi_rq_.value()); - EXPECT_EQ(266UL, config_->stats().request_bytes_.value()); - EXPECT_EQ(266UL, config_->stats().multi_rq_bytes_.value()); + EXPECT_EQ(274UL, config_->stats().request_bytes_.value()); + EXPECT_EQ(274UL, config_->stats().multi_rq_bytes_.value()); EXPECT_EQ(1UL, config_->stats().create_rq_.value()); EXPECT_EQ(1UL, config_->stats().create2_rq_.value()); EXPECT_EQ(1UL, config_->stats().createcontainer_rq_.value()); From 7c06873b8d882ec3484e1e9f24b4ecd18bf898f1 Mon Sep 17 00:00:00 2001 From: Raven Black Date: Tue, 5 Mar 2024 17:00:10 -0500 Subject: [PATCH 12/34] Add matcher to route documentation (#32713) * Add matcher to route documentation --------- 
Signed-off-by: Raven Black --- .../http/http_conn_man/route_matching.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/root/configuration/http/http_conn_man/route_matching.rst b/docs/root/configuration/http/http_conn_man/route_matching.rst index 9cd71e2b2bbb..29cb1d9d836e 100644 --- a/docs/root/configuration/http/http_conn_man/route_matching.rst +++ b/docs/root/configuration/http/http_conn_man/route_matching.rst @@ -7,8 +7,14 @@ When Envoy matches a route, it uses the following procedure: #. The HTTP request's *host* or *:authority* header is matched to a :ref:`virtual host `. -#. Each :ref:`route entry ` in the virtual host is checked, - *in order*. If there is a match, the route is used and no further route checks are made. +#. One of: + + - Each :ref:`route entry ` in the virtual host is + checked, *in order*. If there is a match, the route is used and no further route checks are made. + - The :ref:`matcher entry ` in the + virtual host is used to match a route. If there are many routes this will typically be more + efficient than the linear search of ``route``. + #. Independently, each :ref:`virtual cluster ` in the virtual host is checked, *in order*. If there is a match, the virtual cluster is used and no further virtual cluster checks are made. From 3ba5d5d7b6743a91d6dd970a138bbc1cf6d9235c Mon Sep 17 00:00:00 2001 From: Raven Black Date: Tue, 5 Mar 2024 17:35:33 -0500 Subject: [PATCH 13/34] QUIC hot restart part 6 - child instance pauses listening until parent is drained (second try) (#32664) 
Signed-off-by: Raven Black --- envoy/network/BUILD | 6 ++ .../parent_drained_callback_registrar.h | 29 +++++ envoy/network/socket.h | 7 ++ envoy/server/hot_restart.h | 11 ++ .../listener_manager/listener_manager_impl.cc | 5 +- source/common/network/BUILD | 1 + source/common/network/listen_socket_impl.h | 19 +++- source/common/network/udp_listener_impl.cc | 40 ++++++- source/common/network/udp_listener_impl.h | 6 ++ source/server/BUILD | 1 + source/server/hot_restart_impl.cc | 4 + source/server/hot_restart_impl.h | 1 + source/server/hot_restart_nop_impl.h | 3 + source/server/hot_restarting_child.cc | 55 +++++++--- source/server/hot_restarting_child.h | 19 +++- test/common/network/BUILD | 1 + .../udp_listener_impl_batch_writer_test.cc | 1 + test/common/network/udp_listener_impl_test.cc | 102 ++++++++++++++++++ .../network/udp_listener_impl_test_base.h | 27 ++++- .../python/hotrestart_handoff_test.py | 2 +- test/mocks/network/BUILD | 6 ++ .../mock_parent_drained_callback_registrar.h | 18 ++++ test/mocks/server/hot_restart.h | 2 + test/server/hot_restart_impl_test.cc | 8 ++ test/server/hot_restarting_child_test.cc | 35 ++++++ 25 files changed, 380 insertions(+), 29 deletions(-) create mode 100644 envoy/network/parent_drained_callback_registrar.h create mode 100644 test/mocks/network/mock_parent_drained_callback_registrar.h diff --git a/envoy/network/BUILD b/envoy/network/BUILD index 3e7d51a07e90..230f7c065d58 100644 --- a/envoy/network/BUILD +++ b/envoy/network/BUILD @@ -58,6 +58,12 @@ envoy_cc_library( ], ) +envoy_cc_library( + name = "parent_drained_callback_registrar_interface", + hdrs = ["parent_drained_callback_registrar.h"], + deps = [":address_interface"], +) + envoy_cc_library( name = "udp_packet_writer_handler_interface", hdrs = ["udp_packet_writer_handler.h"], diff --git a/envoy/network/parent_drained_callback_registrar.h b/envoy/network/parent_drained_callback_registrar.h new file mode 100644 index 000000000000..d0ce7c9a191e --- /dev/null 
+++ b/envoy/network/parent_drained_callback_registrar.h @@ -0,0 +1,29 @@ +#pragma once + +#include "envoy/network/address.h" + +#include "absl/functional/any_invocable.h" + +namespace Envoy { +namespace Network { + +/** + * An interface through which a UDP listen socket, especially a QUIC socket, can + * postpone reading during hot restart until the parent instance is drained. + */ +class ParentDrainedCallbackRegistrar { +public: + /** + * @param address is the address of the listener. + * @param callback the function to call when the listener matching address is + * drained on the parent instance. + */ + virtual void registerParentDrainedCallback(const Address::InstanceConstSharedPtr& address, + absl::AnyInvocable callback) PURE; + +protected: + virtual ~ParentDrainedCallbackRegistrar() = default; +}; + +} // namespace Network +} // namespace Envoy diff --git a/envoy/network/socket.h b/envoy/network/socket.h index b83d0f213047..6091cf9fe922 100644 --- a/envoy/network/socket.h +++ b/envoy/network/socket.h @@ -542,6 +542,13 @@ class Socket { * @return the socket options stored earlier with addOption() and addOptions() calls, if any. */ virtual const OptionsSharedPtr& options() const PURE; + + /** + * @return a ParentDrainedCallbackRegistrar for UDP listen sockets during hot restart. + */ + virtual OptRef parentDrainedCallbackRegistrar() const { + return absl::nullopt; + } }; using SocketPtr = std::unique_ptr; diff --git a/envoy/server/hot_restart.h b/envoy/server/hot_restart.h index a1ce1663cde4..8e201dd65e08 100644 --- a/envoy/server/hot_restart.h +++ b/envoy/server/hot_restart.h 
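Review bot: The doc comment on `registerParentDrainedCallback` leaves unstated the three things an implementer and a caller most need: on which thread the callback runs, whether it fires (immediately, or at all) when the parent is already drained or no listener matches the address, and whether a second registration for the same address replaces, appends or is an error. I would extend the block with something like `The callback is invoked at most once, on the main thread; if the parent has already reported the address drained it is invoked synchronously from this call.`, adjusted to whatever the implementation actually guarantees, since a UDP listener that registers and never hears back stays paused indefinitely. The protected non-virtual destructor follows the codebase's interface convention, so no concern there.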
@@ -62,6 +62,17 @@ class HotRestart { virtual void registerUdpForwardingListener(Network::Address::InstanceConstSharedPtr address, std::shared_ptr listener_config) PURE; + + /** + * @return An interface on which registerParentDrainedCallback can be called during + * creation of a listener, or nullopt if there is no parent instance. + * + * If this is set, any UDP listener should start paused and only begin listening + * when the parent instance is drained; this allows draining QUIC listeners to + * catch their own packets and forward unrecognized packets to the child instance. + */ + virtual OptRef parentDrainedCallbackRegistrar() PURE; + /** * Initialize the parent logic of our restarter. Meant to be called after initialization of a * new child has begun. The hot restart implementation needs to be created early to deal with diff --git a/source/common/listener_manager/listener_manager_impl.cc b/source/common/listener_manager/listener_manager_impl.cc index 853087d0b1bf..930378a94b94 100644 --- a/source/common/listener_manager/listener_manager_impl.cc +++ b/source/common/listener_manager/listener_manager_impl.cc @@ -321,7 +321,10 @@ Network::SocketSharedPtr ProdListenerComponentFactory::createListenSocket( if (socket_type == Network::Socket::Type::Stream) { return std::make_shared(std::move(io_handle), address, options); } else { - return std::make_shared(std::move(io_handle), address, options); + auto socket = std::make_shared( + std::move(io_handle), address, options, + server_.hotRestart().parentDrainedCallbackRegistrar()); + return socket; } } } diff --git a/source/common/network/BUILD b/source/common/network/BUILD index c563ca21428b..53ca953779a4 100644 --- a/source/common/network/BUILD +++ b/source/common/network/BUILD 
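Review bot: `ProdListenerComponentFactory::createListenSocket` attaches the registrar to every datagram socket, not only QUIC ones, so with hot restart compiled in every UDP listener in the child starts paused until the terminate request fires the callbacks (see the hot_restarting_child.cc changes), while the hot_restart.h comment motivates the pause purely for QUIC. If plain UDP proxy listeners are meant to pause as well, say so in that doc, e.g. `* Applies to every UDP listen socket created while a parent exists, not only QUIC.`; if not, the registrar should be attached only when the listener is a QUIC one. The returned `OptRef` is stored by the socket without ownership, so `HotRestartImpl` must outlive all listen sockets; a one-line comment at the call site would make that lifetime dependency explicit.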
@@ -344,6 +344,7 @@ envoy_cc_library( "//envoy/event:file_event_interface", "//envoy/network:exception_interface", "//envoy/network:listener_interface", + "//envoy/network:parent_drained_callback_registrar_interface", "//envoy/runtime:runtime_interface", "//envoy/stats:stats_interface", "//envoy/stats:stats_macros", diff --git a/source/common/network/listen_socket_impl.h b/source/common/network/listen_socket_impl.h index 1a365c65d1a3..753dfa53d380 100644 --- a/source/common/network/listen_socket_impl.h +++ b/source/common/network/listen_socket_impl.h @@ -68,12 +68,19 @@ template class NetworkListenSocket : public ListenSocketImpl { } } - NetworkListenSocket(IoHandlePtr&& io_handle, const Address::InstanceConstSharedPtr& address, - const Network::Socket::OptionsSharedPtr& options) - : ListenSocketImpl(std::move(io_handle), address) { + NetworkListenSocket( + IoHandlePtr&& io_handle, const Address::InstanceConstSharedPtr& address, + const Network::Socket::OptionsSharedPtr& options, + OptRef parent_drained_callback_registrar = absl::nullopt) + : ListenSocketImpl(std::move(io_handle), address), + parent_drained_callback_registrar_(parent_drained_callback_registrar) { setListenSocketOptions(options); } + OptRef parentDrainedCallbackRegistrar() const override { + return parent_drained_callback_registrar_; + } + Socket::Type socketType() const override { return T::type; } SocketPtr duplicate() override { 
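Review bot: `parent_drained_callback_registrar_` is only populated through the new constructor parameter; `duplicate()`, whose body lies outside this hunk, is left unchanged, so a socket produced by `duplicate()` would report `absl::nullopt` from `parentDrainedCallbackRegistrar()` and its `UdpListenerImpl` would start unpaused. If `duplicate()` is the path by which per-worker sockets are created when reuse_port is disabled (I believe so, but cannot confirm from the diff), it should forward `parent_drained_callback_registrar_` to the copy it constructs. Otherwise, document on the member that duplicates intentionally do not inherit it.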
@@ -110,6 +117,12 @@ template class NetworkListenSocket : public ListenSocketImpl { } protected: + // Usually a socket when initialized starts listening for ready-to-read or ready-to-write events; + // for a QUIC socket during hot restart this is undesirable as the parent instance needs to + // receive all packets; in that case this interface is set, and listening won't begin until the + // callback is called. + OptRef parent_drained_callback_registrar_; + void setPrebindSocketOptions() { // On Windows, SO_REUSEADDR does not restrict subsequent bind calls when there is a listener as // on Linux and later BSD socket stacks. diff --git a/source/common/network/udp_listener_impl.cc b/source/common/network/udp_listener_impl.cc index 62c5b273db96..a184eaae7036 100644 --- a/source/common/network/udp_listener_impl.cc +++ b/source/common/network/udp_listener_impl.cc @@ -9,6 +9,7 @@ #include "envoy/common/platform.h" #include "envoy/config/core/v3/base.pb.h" #include "envoy/network/exception.h" +#include "envoy/network/parent_drained_callback_registrar.h" #include "source/common/api/os_sys_calls_impl.h" #include "source/common/common/assert.h" 
@@ -34,9 +35,34 @@ UdpListenerImpl::UdpListenerImpl(Event::Dispatcher& dispatcher, SocketSharedPtr : BaseListenerImpl(dispatcher, std::move(socket)), cb_(cb), time_source_(time_source), // Default prefer_gro to false for downstream server traffic. config_(config, false) { + parent_drained_callback_registrar_ = socket_->parentDrainedCallbackRegistrar(); socket_->ioHandle().initializeFileEvent( dispatcher, [this](uint32_t events) -> void { onSocketEvent(events); }, - Event::PlatformDefaultTriggerType, Event::FileReadyType::Read | Event::FileReadyType::Write); + Event::PlatformDefaultTriggerType, paused() ? 0 : events_when_unpaused_); + if (paused()) { + parent_drained_callback_registrar_->registerParentDrainedCallback( + socket_->connectionInfoProvider().localAddress(), + [this, &dispatcher, alive = std::weak_ptr(destruction_checker_)]() { + dispatcher.post([this, alive = std::move(alive)]() { + auto still_alive = alive.lock(); + if (still_alive != nullptr) { + unpause(); + } + }); + }); + } +} + +void UdpListenerImpl::unpause() { + // Remove the paused state so enable will actually start listening to events. + parent_drained_callback_registrar_ = absl::nullopt; + if (events_when_unpaused_ != 0) { + // Start listening to events. + enable(); + // There may have already been events while this instance was ignoring them, + // so try reading immediately. + activateRead(); + } } UdpListenerImpl::~UdpListenerImpl() { socket_->ioHandle().resetFileEvents(); } 
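Review bot: The drained callback registered in the `UdpListenerImpl` constructor captures `&dispatcher` and `this` and is retained by the registrar until terminate time, and the `destruction_checker_` weak_ptr is only consulted inside the posted lambda, so `dispatcher.post(...)` itself runs on a dispatcher the listener may already have been removed from. That is safe only if worker dispatchers outlive the child's callback registry, which nothing in the code states. Suggest a comment above `registerParentDrainedCallback`: `// May fire on another thread after this listener is destroyed; it only posts to dispatcher, and the posted lambda checks destruction_checker_ before touching this. Relies on dispatcher outliving HotRestartingChild's registry.` `unpause()` also lacks a comment that it must run on the listener's dispatcher thread, which the weak_ptr check presumes.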
@@ -44,10 +70,18 @@ UdpListenerImpl::~UdpListenerImpl() { socket_->ioHandle().resetFileEvents(); } void UdpListenerImpl::disable() { disableEvent(); } void UdpListenerImpl::enable() { - socket_->ioHandle().enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write); + events_when_unpaused_ = Event::FileReadyType::Read | Event::FileReadyType::Write; + if (!paused()) { + socket_->ioHandle().enableFileEvents(events_when_unpaused_); + } } -void UdpListenerImpl::disableEvent() { socket_->ioHandle().enableFileEvents(0); } +void UdpListenerImpl::disableEvent() { + events_when_unpaused_ = 0; + if (!paused()) { + socket_->ioHandle().enableFileEvents(0); + } +} void UdpListenerImpl::onSocketEvent(short flags) { ASSERT((flags & (Event::FileReadyType::Read | Event::FileReadyType::Write))); diff --git a/source/common/network/udp_listener_impl.h b/source/common/network/udp_listener_impl.h index 723c3c74de75..244f93f3923b 100644 --- a/source/common/network/udp_listener_impl.h +++ b/source/common/network/udp_listener_impl.h @@ -26,6 +26,8 @@ class UdpListenerImpl : public BaseListenerImpl, TimeSource& time_source, const envoy::config::core::v3::UdpSocketConfig& config); ~UdpListenerImpl() override; uint32_t packetsDropped() { return packets_dropped_; } + bool paused() const { return parent_drained_callback_registrar_ != absl::nullopt; } + void unpause(); // Network::Listener void disable() override; @@ -63,6 +65,10 @@ class UdpListenerImpl : public BaseListenerImpl, TimeSource& time_source_; const ResolvedUdpSocketConfig config_; + OptRef parent_drained_callback_registrar_; + // Taking a weak_ptr to this lets us detect if the listener has been destroyed. + std::shared_ptr destruction_checker_ = std::make_shared(true); + uint32_t events_when_unpaused_ = Event::FileReadyType::Read | Event::FileReadyType::Write; }; class UdpListenerWorkerRouterImpl : public UdpListenerWorkerRouter { 
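Review bot: `unpause()` is declared public in udp_listener_impl.h although the only caller visible in this series is the posted lambda in the constructor, and calling it while not paused would just re-`enable()` and `activateRead()`; either make it private (the lambda is a member closure, so it keeps access) or document it: `// Only valid on the listener's dispatcher thread; clears the paused state and applies the last enable()/disable() request.` `paused()` deriving its state from the presence of the registrar is also non-obvious; a short comment on `paused()` saying `// Paused iff still waiting for the parent-drained callback.` would help. The enable/disable bodies themselves look correct: they record the requested state and defer the handle update while paused.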
diff --git a/source/server/BUILD b/source/server/BUILD index 7ee402750e1f..f656303df03e 100644 --- a/source/server/BUILD +++ b/source/server/BUILD @@ -187,6 +187,7 @@ envoy_cc_library( hdrs = envoy_select_hot_restart(["hot_restarting_child.h"]), deps = [ ":hot_restarting_base", + "//envoy/network:parent_drained_callback_registrar_interface", "//source/common/stats:stat_merger_lib", ], ) diff --git a/source/server/hot_restart_impl.cc b/source/server/hot_restart_impl.cc index 417bb4a5f2f3..6e2377c9c6f0 100644 --- a/source/server/hot_restart_impl.cc +++ b/source/server/hot_restart_impl.cc @@ -124,6 +124,10 @@ void HotRestartImpl::registerUdpForwardingListener( as_child_.registerUdpForwardingListener(address, listener_config); } +OptRef HotRestartImpl::parentDrainedCallbackRegistrar() { + return as_child_; +} + void HotRestartImpl::initialize(Event::Dispatcher& dispatcher, Server::Instance& server) { as_parent_.initialize(dispatcher, server); as_child_.initialize(dispatcher); diff --git a/source/server/hot_restart_impl.h b/source/server/hot_restart_impl.h index ace7d41321d9..9a22b6f3ec13 100644 --- a/source/server/hot_restart_impl.h +++ b/source/server/hot_restart_impl.h @@ -106,6 +106,7 @@ class HotRestartImpl : public HotRestart { void registerUdpForwardingListener( Network::Address::InstanceConstSharedPtr address, std::shared_ptr listener_config) override; + OptRef parentDrainedCallbackRegistrar() override; void initialize(Event::Dispatcher& dispatcher, Server::Instance& server) override; absl::optional sendParentAdminShutdownRequest() override; void sendParentTerminateRequest() override; diff --git a/source/server/hot_restart_nop_impl.h b/source/server/hot_restart_nop_impl.h index 99f006083937..031cf1e4613b 100644 --- a/source/server/hot_restart_nop_impl.h +++ b/source/server/hot_restart_nop_impl.h 
@@ -20,6 +20,9 @@ class HotRestartNopImpl : public Server::HotRestart { int duplicateParentListenSocket(const std::string&, uint32_t) override { return -1; } void registerUdpForwardingListener(Network::Address::InstanceConstSharedPtr, std::shared_ptr) override {} + OptRef parentDrainedCallbackRegistrar() override { + return absl::nullopt; + } void initialize(Event::Dispatcher&, Server::Instance&) override {} absl::optional sendParentAdminShutdownRequest() override { return absl::nullopt; diff --git a/source/server/hot_restarting_child.cc b/source/server/hot_restarting_child.cc index 0d842a2755eb..a7173fd6ce65 100644 --- a/source/server/hot_restarting_child.cc +++ b/source/server/hot_restarting_child.cc @@ -46,9 +46,12 @@ HotRestartingChild::UdpForwardingContext::getListenerForDestination( return it->second; } +// If restart_epoch is 0 there is no parent, so it's effectively already +// drained and terminated. HotRestartingChild::HotRestartingChild(int base_id, int restart_epoch, const std::string& socket_path, mode_t socket_mode) - : HotRestartingBase(base_id), restart_epoch_(restart_epoch) { + : HotRestartingBase(base_id), restart_epoch_(restart_epoch), + parent_terminated_(restart_epoch == 0), parent_drained_(restart_epoch == 0) { main_rpc_stream_.initDomainSocketAddress(&parent_address_); std::string socket_path_udp = socket_path + "_udp"; udp_forwarding_rpc_stream_.initDomainSocketAddress(&parent_address_udp_forwarding_); @@ -102,7 +105,7 @@ void HotRestartingChild::onForwardedUdpPacket(uint32_t worker_index, Network::Ud int HotRestartingChild::duplicateParentListenSocket(const std::string& address, uint32_t worker_index) { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return -1; } 
@@ -121,7 +124,7 @@ int HotRestartingChild::duplicateParentListenSocket(const std::string& address, } std::unique_ptr HotRestartingChild::getParentStats() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return nullptr; } @@ -138,7 +141,7 @@ std::unique_ptr HotRestartingChild::getParentStats() { } void HotRestartingChild::drainParentListeners() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return; } // No reply expected. @@ -154,9 +157,29 @@ void HotRestartingChild::registerUdpForwardingListener( udp_forwarding_context_.registerListener(address, listener_config); } +void HotRestartingChild::registerParentDrainedCallback( + const Network::Address::InstanceConstSharedPtr& address, absl::AnyInvocable callback) { + absl::MutexLock lock(®istry_mu_); + if (parent_drained_) { + callback(); + } else { + on_drained_actions_.emplace(address->asString(), std::move(callback)); + } +} + +void HotRestartingChild::allDrainsImplicitlyComplete() { + absl::MutexLock lock(®istry_mu_); + for (auto& drain_action : on_drained_actions_) { + // Call the callback. + std::move(drain_action.second)(); + } + on_drained_actions_.clear(); + parent_drained_ = true; +} + absl::optional HotRestartingChild::sendParentAdminShutdownRequest() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return absl::nullopt; } @@ -176,9 +199,11 @@ HotRestartingChild::sendParentAdminShutdownRequest() { } void HotRestartingChild::sendParentTerminateRequest() { - if (restart_epoch_ == 0 || parent_terminated_) { + if (parent_terminated_) { return; } + allDrainsImplicitlyComplete(); + HotRestartMessage wrapped_request; wrapped_request.mutable_request()->mutable_terminate(); main_rpc_stream_.sendHotRestartMessage(parent_address_, wrapped_request); 
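Review bot: Both `registerParentDrainedCallback` (already-drained path) and `allDrainsImplicitlyComplete` invoke the stored callbacks while `registry_mu_` is held, so any callback that re-enters the registrar, for example a listener created synchronously from a drain callback, deadlocks on the non-reentrant absl::Mutex; today's only callback merely posts to a dispatcher, but the interface does not forbid others. Swap the map out under the lock and run the callbacks after releasing it, and run an already-drained callback outside the lock too. There is also no unregister path, so every UDP listener created and destroyed while the parent drains leaves a closure with a dangling `this` in `on_drained_actions_` until terminate (safe only because of the listener's weak_ptr guard), and `address` is used solely as a key that is never looked up, which deserves a comment that per-address draining is not implemented yet. (`®istry_mu_` in the rendered hunk is presumably `&registry_mu_`.)
```cpp
void HotRestartingChild::registerParentDrainedCallback(
    const Network::Address::InstanceConstSharedPtr& address, absl::AnyInvocable<void()> callback) {
  {
    absl::MutexLock lock(&registry_mu_);
    if (!parent_drained_) {
      on_drained_actions_.emplace(address->asString(), std::move(callback));
      return;
    }
  }
  // Already drained: run outside the lock so the callback may re-enter the registrar.
  std::move(callback)();
}

void HotRestartingChild::allDrainsImplicitlyComplete() {
  std::unordered_multimap<std::string, absl::AnyInvocable<void()>> actions;
  {
    absl::MutexLock lock(&registry_mu_);
    parent_drained_ = true;
    actions.swap(on_drained_actions_);
  }
  for (auto& drain_action : actions) {
    std::move(drain_action.second)();
  }
}
```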
@@ -186,15 +211,17 @@ void HotRestartingChild::sendParentTerminateRequest() { // Note that the 'generation' counter needs to retain the contribution from // the parent. - stat_merger_->retainParentGaugeValue(hot_restart_generation_stat_name_); + if (stat_merger_ != nullptr) { + stat_merger_->retainParentGaugeValue(hot_restart_generation_stat_name_); - // Now it is safe to forget our stat transferral state. - // - // This destruction is actually important far beyond memory efficiency. The - // scope-based temporary counter logic relies on the StatMerger getting - // destroyed once hot restart's stat merging is all done. (See stat_merger.h - // for details). - stat_merger_.reset(); + // Now it is safe to forget our stat transferral state. + // + // This destruction is actually important far beyond memory efficiency. The + // scope-based temporary counter logic relies on the StatMerger getting + // destroyed once hot restart's stat merging is all done. (See stat_merger.h + // for details). + stat_merger_.reset(); + } } void HotRestartingChild::mergeParentStats(Stats::Store& stats_store, diff --git a/source/server/hot_restarting_child.h b/source/server/hot_restarting_child.h index 7f61dfc59f55..77365b56ae15 100644 --- a/source/server/hot_restarting_child.h +++ b/source/server/hot_restarting_child.h @@ -1,5 +1,6 @@ #pragma once +#include "envoy/network/parent_drained_callback_registrar.h" #include "envoy/server/instance.h" #include "source/common/stats/stat_merger.h" @@ -11,7 +12,8 @@ namespace Server { /** * The child half of hot restarting. Issues requests and commands to the parent. */ -class HotRestartingChild : public HotRestartingBase { +class HotRestartingChild : public HotRestartingBase, + public Network::ParentDrainedCallbackRegistrar { public: // A structure to record the set of registered UDP listeners keyed on their addresses, // to support QUIC packet forwarding. 
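Review bot: The new `if (stat_merger_ != nullptr)` guard in `sendParentTerminateRequest` carries no explanation of when the merger can be absent, so it reads like a suppressed bug rather than a supported state. The reason appears to be that terminate can now be requested before any parent stats were merged (the `restart_epoch_ == 0` early return is gone and the new child tests call `sendParentTerminateRequest()` directly without a stats exchange), but that is inferred, not stated. Suggest `// stat_merger_ only exists once parent stats have been merged; terminate may be sent before that, in which case there is nothing to retain or release.` The body of `sendParentTerminateRequest` begins in the previous hunk.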
@@ -42,7 +44,7 @@ class HotRestartingChild : public HotRestartingBase { HotRestartingChild(int base_id, int restart_epoch, const std::string& socket_path, mode_t socket_mode); - ~HotRestartingChild() = default; + ~HotRestartingChild() override = default; void initialize(Event::Dispatcher& dispatcher); void shutdown(); @@ -50,6 +52,9 @@ class HotRestartingChild : public HotRestartingBase { int duplicateParentListenSocket(const std::string& address, uint32_t worker_index); void registerUdpForwardingListener(Network::Address::InstanceConstSharedPtr address, std::shared_ptr listener_config); + // From Network::ParentDrainedCallbackRegistrar. + void registerParentDrainedCallback(const Network::Address::InstanceConstSharedPtr& addr, + absl::AnyInvocable action) override; std::unique_ptr getParentStats(); void drainParentListeners(); absl::optional sendParentAdminShutdownRequest(); @@ -60,15 +65,23 @@ class HotRestartingChild : public HotRestartingBase { protected: void onSocketEventUdpForwarding(); void onForwardedUdpPacket(uint32_t worker_index, Network::UdpRecvData&& data); + // When call to terminate parent is sent, or parent is already terminated, + void allDrainsImplicitlyComplete(); private: friend class HotRestartUdpForwardingTestHelper; + absl::Mutex registry_mu_; const int restart_epoch_; - bool parent_terminated_{}; + bool parent_terminated_; + bool parent_drained_ ABSL_GUARDED_BY(registry_mu_); sockaddr_un parent_address_; sockaddr_un parent_address_udp_forwarding_; std::unique_ptr stat_merger_{}; Stats::StatName hot_restart_generation_stat_name_; + // There are multiple listener instances per address that must all be reactivated + // when the parent is drained, so a multimap is used to contain them. + std::unordered_multimap> + on_drained_actions_ ABSL_GUARDED_BY(registry_mu_); Event::FileEventPtr socket_event_udp_forwarding_; UdpForwardingContext udp_forwarding_context_; }; 
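Review bot: The comment above `allDrainsImplicitlyComplete()` is an unfinished sentence (`// When call to terminate parent is sent, or parent is already terminated,`), so the reader cannot tell what the method does. Suggest `// Marks the parent as drained and runs, then discards, every callback registered via registerParentDrainedCallback. Invoked when the terminate request is sent to the parent.` Separately, `parent_drained_` is `ABSL_GUARDED_BY(registry_mu_)` while the neighbouring `parent_terminated_` is not, even though both are set along the same request path; if `parent_terminated_` is only touched from one thread, a comment saying so would stop the next reader from adding a lock or assuming a race.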
diff --git a/test/common/network/BUILD b/test/common/network/BUILD index ea59472db9b6..9e4c1c2e8205 100644 --- a/test/common/network/BUILD +++ b/test/common/network/BUILD @@ -249,6 +249,7 @@ envoy_cc_test( "//source/common/network:utility_lib", "//source/common/stats:stats_lib", "//test/common/network:listener_impl_test_base_lib", + "//test/mocks/network:mock_parent_drained_callback_registrar", "//test/mocks/network:network_mocks", "//test/mocks/server:server_mocks", "//test/test_common:environment_lib", diff --git a/test/common/network/udp_listener_impl_batch_writer_test.cc b/test/common/network/udp_listener_impl_batch_writer_test.cc index 39b69e86c02a..35156dbd6a83 100644 --- a/test/common/network/udp_listener_impl_batch_writer_test.cc +++ b/test/common/network/udp_listener_impl_batch_writer_test.cc @@ -61,6 +61,7 @@ size_t getPacketLength(const msghdr* msg) { class UdpListenerImplBatchWriterTest : public UdpListenerImplTestBase { public: void SetUp() override { + UdpListenerImplTestBase::setup(); // Set listening socket options and set UdpGsoBatchWriter server_socket_->addOptions(SocketOptionFactory::buildIpPacketInfoOptions()); server_socket_->addOptions(SocketOptionFactory::buildRxQueueOverFlowOptions()); diff --git a/test/common/network/udp_listener_impl_test.cc b/test/common/network/udp_listener_impl_test.cc index 18810ca7467a..6df91c150355 100644 --- a/test/common/network/udp_listener_impl_test.cc +++ b/test/common/network/udp_listener_impl_test.cc @@ -16,6 +16,7 @@ #include "test/common/network/udp_listener_impl_test_base.h" #include "test/mocks/api/mocks.h" +#include "test/mocks/network/mock_parent_drained_callback_registrar.h" #include "test/mocks/network/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/network_utility.h" 
@@ -52,6 +53,7 @@ class OverrideOsSysCallsImpl : public Api::OsSysCallsImpl { class UdpListenerImplTest : public UdpListenerImplTestBase { public: void setup(bool prefer_gro = false) { + UdpListenerImplTestBase::setup(); ON_CALL(override_syscall_, supportsUdpGro()).WillByDefault(Return(false)); // Return the real version by default. ON_CALL(override_syscall_, supportsMmsg()) 
@@ -385,6 +387,106 @@ TEST_P(UdpListenerImplTest, UdpListenerEnableDisable) { dispatcher_->run(Event::Dispatcher::RunType::Block); } +class HotRestartedUdpListenerImplTest : public UdpListenerImplTest { +public: + void SetUp() override { +#ifdef WIN32 + GTEST_SKIP() << "Hot restart is not supported on Windows."; +#endif + } + void setup() { + io_handle_ = &useHotRestartSocket(registrar_); + // File event should be created listening to no events (i.e. disabled). + EXPECT_CALL(*io_handle_, createFileEvent_(_, _, _, 0)); + // Parent drained callback should be registered when the listener is created. + // We capture the callback so we can simulate "drain complete". + EXPECT_CALL(registrar_, registerParentDrainedCallback(_, _)) + .WillOnce( + [this](const Address::InstanceConstSharedPtr&, absl::AnyInvocable callback) { + parent_drained_callback_ = std::move(callback); + }); + UdpListenerImplTest::setup(); + testing::Mock::VerifyAndClearExpectations(®istrar_); + } + +protected: + MockParentDrainedCallbackRegistrar registrar_; + MockIoHandle* io_handle_; + absl::AnyInvocable parent_drained_callback_; +}; + +INSTANTIATE_TEST_SUITE_P(IpVersions, HotRestartedUdpListenerImplTest, + testing::ValuesIn(TestEnvironment::getIpVersionsForTest()), + TestUtility::ipTestParamsToString); + +/** + * During hot restart, while the parent instance is draining, a quic udp + * listener (created with a parent_drained_callback_registrar) should not + * be reading packets, regardless of enable/disable calls. + * It should begin reading packets after drain completes. + */ +TEST_P(HotRestartedUdpListenerImplTest, EnableAndDisableDuringParentDrainShouldDoNothing) { + setup(); + // Enabling and disabling listener should *not* trigger any + // event actions on the io_handle, because of listener being paused + // while draining. 
+ EXPECT_CALL(*io_handle_, enableFileEvents(_)).Times(0); + listener_->disable(); + listener_->enable(); + testing::Mock::VerifyAndClearExpectations(io_handle_); + // Ending parent drain should cause io_handle to go into reading mode. + EXPECT_CALL(*io_handle_, + enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write)); + EXPECT_CALL(*io_handle_, activateFileEvents(Event::FileReadyType::Read)); + std::move(parent_drained_callback_)(); + dispatcher_->run(Event::Dispatcher::RunType::Block); + testing::Mock::VerifyAndClearExpectations(io_handle_); + // Enabling and disabling once unpaused should update io_handle. + EXPECT_CALL(*io_handle_, enableFileEvents(0)); + listener_->disable(); + testing::Mock::VerifyAndClearExpectations(io_handle_); + EXPECT_CALL(*io_handle_, + enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write)); + listener_->enable(); + testing::Mock::VerifyAndClearExpectations(io_handle_); +} + +/** + * Mostly the same as EnableAndDisableDuringParentDrainShouldDoNothing, but in disabled state when + * drain ends. + */ +TEST_P(HotRestartedUdpListenerImplTest, EndingParentDrainedWhileDisabledShouldNotStartReading) { + setup(); + // Enabling and disabling listener should *not* trigger any + // event actions on the io_handle, because of listener being paused + // while draining. + EXPECT_CALL(*io_handle_, enableFileEvents(_)).Times(0); + listener_->enable(); + listener_->disable(); + testing::Mock::VerifyAndClearExpectations(io_handle_); + // Ending drain should not trigger any event changes because the last state + // of the listener was disabled. + std::move(parent_drained_callback_)(); + dispatcher_->run(Event::Dispatcher::RunType::Block); + testing::Mock::VerifyAndClearExpectations(io_handle_); + // Enabling after unpaused should set io_handle to reading/writing. 
+ EXPECT_CALL(*io_handle_, + enableFileEvents(Event::FileReadyType::Read | Event::FileReadyType::Write)); + listener_->enable(); + testing::Mock::VerifyAndClearExpectations(io_handle_); +} + +TEST_P(HotRestartedUdpListenerImplTest, + ParentDrainedCallbackAfterListenerDestroyedShouldDoNothing) { + setup(); + EXPECT_CALL(*io_handle_, enableFileEvents(_)).Times(0); + listener_ = nullptr; + // Signaling end-of-drain after the listener was destroyed should do nothing. + std::move(parent_drained_callback_)(); + dispatcher_->run(Event::Dispatcher::RunType::Block); + // At this point io_handle should be an invalid reference. +} + /** * Tests UDP listener's error callback. */ diff --git a/test/common/network/udp_listener_impl_test_base.h b/test/common/network/udp_listener_impl_test_base.h index 112f89d68dc3..9b7636e13ae8 100644 --- a/test/common/network/udp_listener_impl_test_base.h +++ b/test/common/network/udp_listener_impl_test_base.h @@ -31,13 +31,24 @@ namespace Envoy { namespace Network { class UdpListenerImplTestBase : public ListenerImplTestBase { -public: - UdpListenerImplTestBase() - : server_socket_(createServerSocket(true)), send_to_addr_(getServerLoopbackAddress()) { +protected: + MockIoHandle& + useHotRestartSocket(OptRef parent_drained_callback_registrar) { + auto io_handle = std::make_unique>(); + MockIoHandle& ret = *io_handle; + server_socket_ = createServerSocketFromExistingHandle(std::move(io_handle), + parent_drained_callback_registrar); + return ret; + } + + void setup() { + if (server_socket_ == nullptr) { + server_socket_ = createServerSocket(true); + } + send_to_addr_ = Address::InstanceConstSharedPtr(getServerLoopbackAddress()); time_system_.advanceTimeWait(std::chrono::milliseconds(100)); } -protected: Address::Instance* getServerLoopbackAddress() { if (version_ == Address::IpVersion::v4) { return new Address::Ipv4Instance( 
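Review bot: The closing comment of `ParentDrainedCallbackAfterListenerDestroyedShouldDoNothing`, `// At this point io_handle should be an invalid reference.`, appears wrong: `io_handle_` points into `server_socket_`, which the fixture base still owns after `listener_ = nullptr`, so the handle is alive and it is the `Times(0)` expectation, not a dangling reference, that proves the late callback was ignored. Suggest `// server_socket_ (and thus io_handle_) still lives in the fixture; the Times(0) expectation above verifies the late callback is ignored.` Also, `SetUp()` in the fixture skips on Windows but the per-test `setup()` is a separate method, which is fine since GTEST_SKIP in SetUp prevents the body from running, though a comment saying so would avoid confusion between the two names.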
@@ -60,6 +71,14 @@ class UdpListenerImplTestBase : public ListenerImplTestBase { bind); } + SocketSharedPtr createServerSocketFromExistingHandle( + IoHandlePtr&& io_handle, + OptRef parent_drained_callback_registrar) { + return std::make_shared( + std::move(io_handle), Network::Test::getCanonicalLoopbackAddress(version_), + SocketOptionFactory::buildIpFreebindOptions(), parent_drained_callback_registrar); + } + Address::InstanceConstSharedPtr getNonDefaultSourceAddress() { // Use a self address that is unlikely to be picked by source address discovery // algorithm if not specified in recvmsg/recvmmsg. Port is not taken into diff --git a/test/integration/python/hotrestart_handoff_test.py b/test/integration/python/hotrestart_handoff_test.py index 7d975bd7dda7..dcbbb5a8ba1e 100644 --- a/test/integration/python/hotrestart_handoff_test.py +++ b/test/integration/python/hotrestart_handoff_test.py @@ -304,7 +304,7 @@ async def _wait_for_envoy_epoch(i: int): pass await asyncio.sleep(0.2) # Envoy instance with expected restart_epoch should have started up - assert expected_substring in response, f"server_info={response}" + assert expected_substring in response, f"expected_substring={expected_substring}, server_info={response}" class IntegrationTest(unittest.IsolatedAsyncioTestCase): diff --git a/test/mocks/network/BUILD b/test/mocks/network/BUILD index 82b5ef8c79f1..73c9854193a3 100644 --- a/test/mocks/network/BUILD +++ b/test/mocks/network/BUILD @@ -42,6 +42,12 @@ envoy_cc_mock( ], ) +envoy_cc_mock( + name = "mock_parent_drained_callback_registrar", + hdrs = ["mock_parent_drained_callback_registrar.h"], + deps = ["//envoy/network:parent_drained_callback_registrar_interface"], +) + envoy_cc_mock( name = "network_mocks", srcs = ["mocks.cc"], diff --git a/test/mocks/network/mock_parent_drained_callback_registrar.h b/test/mocks/network/mock_parent_drained_callback_registrar.h new file mode 100644 index 000000000000..ae82b52d31f6 --- /dev/null 
+++ b/test/mocks/network/mock_parent_drained_callback_registrar.h @@ -0,0 +1,18 @@ +#pragma once + +#include "envoy/network/parent_drained_callback_registrar.h" + +#include "gmock/gmock.h" + +namespace Envoy { +namespace Network { + +class MockParentDrainedCallbackRegistrar : public ParentDrainedCallbackRegistrar { +public: + MOCK_METHOD(void, registerParentDrainedCallback, + (const Address::InstanceConstSharedPtr& address, + absl::AnyInvocable callback)); +}; + +} // namespace Network +} // namespace Envoy diff --git a/test/mocks/server/hot_restart.h b/test/mocks/server/hot_restart.h index c83142692c06..99bfa3ccbb0c 100644 --- a/test/mocks/server/hot_restart.h +++ b/test/mocks/server/hot_restart.h @@ -20,6 +20,8 @@ class MockHotRestart : public HotRestart { MOCK_METHOD(void, registerUdpForwardingListener, (Network::Address::InstanceConstSharedPtr address, std::shared_ptr listener_config)); + MOCK_METHOD(OptRef, parentDrainedCallbackRegistrar, ()); + MOCK_METHOD(void, whenDrainComplete, (absl::string_view addr, absl::AnyInvocable action)); MOCK_METHOD(void, initialize, (Event::Dispatcher & dispatcher, Server::Instance& server)); MOCK_METHOD(absl::optional, sendParentAdminShutdownRequest, ()); MOCK_METHOD(void, sendParentTerminateRequest, ()); diff --git a/test/server/hot_restart_impl_test.cc b/test/server/hot_restart_impl_test.cc index 81baf88181b5..28e1427564e1 100644 --- a/test/server/hot_restart_impl_test.cc +++ b/test/server/hot_restart_impl_test.cc 
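Review bot: `MockHotRestart` gains `MOCK_METHOD(void, whenDrainComplete, (absl::string_view addr, absl::AnyInvocable action))`, but no `whenDrainComplete` is added to the `HotRestart` interface anywhere in this series (the hot_restart.h hunk adds only `parentDrainedCallbackRegistrar()`), so it mocks nothing and looks like a leftover from an earlier design. Drop the line; if it is meant to stay, mark it `override` so the compiler flags the missing virtual. The new `MOCK_METHOD(OptRef, parentDrainedCallbackRegistrar, ())` is the one that actually matches the interface.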
@@ -87,6 +87,14 @@ class HotRestartImplTest : public testing::Test { std::unique_ptr hot_restart_; }; +TEST_F(HotRestartImplTest, ParentDrainedCallbackRegistrarIsSetAndCanBeCalled) { + setup(); + OptRef registrar = + hot_restart_->parentDrainedCallbackRegistrar(); + ASSERT_TRUE(registrar.has_value()); + registrar->registerParentDrainedCallback(test_addresses_.ipv4_test_addr_, []() {}); +} + TEST_F(HotRestartImplTest, VersionString) { // Tests that the version-string will be consistent and HOT_RESTART_VERSION, // between multiple instantiations. diff --git a/test/server/hot_restarting_child_test.cc b/test/server/hot_restarting_child_test.cc index f2455034f054..d16653d6454a 100644 --- a/test/server/hot_restarting_child_test.cc +++ b/test/server/hot_restarting_child_test.cc @@ -67,6 +67,11 @@ class FakeHotRestartingParent : public HotRestartingBase { }); udp_forwarding_rpc_stream_.sendHotRestartMessage(child_address_udp_forwarding_, message); } + void expectParentTerminateMessages() { + EXPECT_CALL(os_sys_calls_, sendmsg(_, _, _)).WillOnce([](int, const msghdr* msg, int) { + return Api::SysCallSizeResult{static_cast(msg->msg_iov[0].iov_len), 0}; + }); + } Api::MockOsSysCalls& os_sys_calls_; Event::FileReadyCb udp_file_ready_callback_; sockaddr_un child_address_udp_forwarding_; 
@@ -100,6 +105,36 @@ class HotRestartingChildTest : public testing::Test { std::unique_ptr hot_restarting_child_; }; +TEST_F(HotRestartingChildTest, ParentDrainedCallbacksAreCalled) { + auto test_listener_addr = Network::Utility::resolveUrl("udp://127.0.0.1:1234"); + auto test_listener_addr2 = Network::Utility::resolveUrl("udp://127.0.0.1:1235"); + testing::MockFunction callback1; + testing::MockFunction callback2; + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr, + callback1.AsStdFunction()); + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr2, + callback2.AsStdFunction()); + EXPECT_CALL(callback1, Call()); + EXPECT_CALL(callback2, Call()); + fake_parent_->expectParentTerminateMessages(); + hot_restarting_child_->sendParentTerminateRequest(); +} + +TEST_F(HotRestartingChildTest, ParentDrainedCallbacksAreCalledImmediatelyWhenAlreadyDrained) { + auto test_listener_addr = Network::Utility::resolveUrl("udp://127.0.0.1:1234"); + auto test_listener_addr2 = Network::Utility::resolveUrl("udp://127.0.0.1:1235"); + testing::MockFunction callback1; + testing::MockFunction callback2; + fake_parent_->expectParentTerminateMessages(); + hot_restarting_child_->sendParentTerminateRequest(); + EXPECT_CALL(callback1, Call()); + EXPECT_CALL(callback2, Call()); + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr, + callback1.AsStdFunction()); + hot_restarting_child_->registerParentDrainedCallback(test_listener_addr2, + callback2.AsStdFunction()); +} + TEST_F(HotRestartingChildTest, LogsErrorOnReplyMessageInUdpStream) { envoy::HotRestartMessage msg; msg.mutable_reply(); From bc2279bdf3dd80306edb326e2ab76911109f2c82 Mon Sep 17 00:00:00 2001 From: "Antonio V. Leonti" <53806445+antoniovleonti@users.noreply.github.com> Date: Tue, 5 Mar 2024 17:36:25 -0500 Subject: [PATCH 14/34] Add integration tests for ext_authz timeout (#32507) 
Signed-off-by: Antonio Leonti --- .../ext_authz/ext_authz_integration_test.cc | 186 +++++++++++++++--- 1 file changed, 156 insertions(+), 30 deletions(-) diff --git a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc index a7b48eb4f768..b324ef1ac08f 100644 --- a/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_integration_test.cc @@ -24,6 +24,22 @@ namespace Envoy { using Headers = std::vector>; +struct GrpcInitializeConfigOpts { + bool disable_with_metadata = false; + bool failure_mode_allow = false; + uint64_t timeout_ms = 300'000; // 5 minutes. +}; + +struct WaitForSuccessfulUpstreamResponseOpts { + // Fields of type Headers must be set at initialization. + const Headers headers_to_add = {}; + const Headers headers_to_append = {}; + const Headers headers_to_remove = {}; + const Http::TestRequestHeaderMapImpl new_headers_from_upstream = {}; + const Http::TestRequestHeaderMapImpl headers_to_append_multiple = {}; + bool failure_mode_allowed_header = false; +}; + class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, public HttpIntegrationTest { public: 
@@ -35,9 +51,9 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, addFakeUpstream(Http::CodecType::HTTP2); } - void initializeConfig(bool disable_with_metadata = false, bool failure_mode_allow = false) { - config_helper_.addConfigModifier([this, disable_with_metadata, failure_mode_allow]( - envoy::config::bootstrap::v3::Bootstrap& bootstrap) { + void initializeConfig(GrpcInitializeConfigOpts opts = {}) { + config_helper_.addConfigModifier([this, + opts](envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* ext_authz_cluster = bootstrap.mutable_static_resources()->add_clusters(); ext_authz_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); ext_authz_cluster->set_name("ext_authz_cluster"); @@ -47,10 +63,14 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, setGrpcService(*proto_config_.mutable_grpc_service(), "ext_authz_cluster", fake_upstreams_.back()->localAddress()); + // Override timeout if needed. + *proto_config_.mutable_grpc_service()->mutable_timeout() = + Protobuf::util::TimeUtil::MillisecondsToDuration(opts.timeout_ms); + proto_config_.mutable_filter_enabled()->set_runtime_key("envoy.ext_authz.enable"); proto_config_.mutable_filter_enabled()->mutable_default_value()->set_numerator(100); proto_config_.set_bootstrap_metadata_labels_key("labels"); - if (disable_with_metadata) { + if (opts.disable_with_metadata) { // Disable the ext_authz filter with metadata matcher that never matches. auto* metadata = proto_config_.mutable_filter_enabled_metadata(); metadata->set_filter("xyz.abc"); 
@@ -61,7 +81,8 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, proto_config_.mutable_deny_at_disable()->mutable_default_value()->set_value(false); proto_config_.set_transport_api_version(envoy::config::core::v3::ApiVersion::V3); - proto_config_.set_failure_mode_allow(failure_mode_allow); + proto_config_.set_failure_mode_allow(opts.failure_mode_allow); + proto_config_.set_failure_mode_allow_header_add(opts.failure_mode_allow); // Add labels and verify they are passed. std::map labels; @@ -196,13 +217,8 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, RELEASE_ASSERT(result, result.message()); } - void waitForSuccessfulUpstreamResponse( - const std::string& expected_response_code, const Headers& headers_to_add = Headers{}, - const Headers& headers_to_append = Headers{}, const Headers& headers_to_remove = Headers{}, - const Http::TestRequestHeaderMapImpl& new_headers_from_upstream = - Http::TestRequestHeaderMapImpl{}, - const Http::TestRequestHeaderMapImpl& headers_to_append_multiple = - Http::TestRequestHeaderMapImpl{}) { + void waitForSuccessfulUpstreamResponse(const std::string& expected_response_code, + WaitForSuccessfulUpstreamResponseOpts opts = {}) { AssertionResult result = fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_); RELEASE_ASSERT(result, result.message()); 
@@ -218,7 +234,12 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, false); upstream_request_->encodeData(response_size_, true); - for (const auto& header_to_add : headers_to_add) { + if (opts.failure_mode_allowed_header) { + EXPECT_THAT(upstream_request_->headers(), + Http::HeaderValueOf("x-envoy-auth-failure-mode-allowed", "true")); + } + + for (const auto& header_to_add : opts.headers_to_add) { EXPECT_THAT(upstream_request_->headers(), Http::HeaderValueOf(header_to_add.first, header_to_add.second)); // For headers_to_add (with append = false), the original request headers have no "-replaced" @@ -226,7 +247,7 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, EXPECT_TRUE(absl::EndsWith(header_to_add.second, "-replaced")); } - for (const auto& header_to_append : headers_to_append) { + for (const auto& header_to_append : opts.headers_to_append) { // The current behavior of appending is using the "appendCopy", which ALWAYS combines entries // with the same key into one key, and the values are separated by "," (regardless it is an // inline-header or not). In addition to that, it only applies to the existing headers (the 
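Review bot: The new `if (opts.failure_mode_allowed_header)` branch asserts the `x-envoy-auth-failure-mode-allowed` header only when it is expected, and nothing asserts its absence in the default, authz-succeeded path, so a regression that stamps the header on every proxied request (or lets a client-supplied copy through) would still pass all the success-path tests. Because upstreams may relax their own checks when they see this header, its absence on a genuinely authorized request is the property worth pinning. Add `} else { EXPECT_TRUE(upstream_request_->headers().get(Http::LowerCaseString("x-envoy-auth-failure-mode-allowed")).empty()); }` after the existing check. waitForSuccessfulUpstreamResponse begins and ends outside this hunk.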
@@ -247,23 +268,23 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, EXPECT_EQ(2, values.size()); } - if (!new_headers_from_upstream.empty()) { + if (!opts.new_headers_from_upstream.empty()) { // new_headers_from_upstream has append = true. The current implementation ignores to set // multiple headers that are not present in the original request headers. In order to add // headers with the same key multiple times, setting response headers with append = false and // append = true is required. - EXPECT_THAT(new_headers_from_upstream, + EXPECT_THAT(opts.new_headers_from_upstream, Not(Http::IsSubsetOfHeaders(upstream_request_->headers()))); } - if (!headers_to_append_multiple.empty()) { + if (!opts.headers_to_append_multiple.empty()) { // headers_to_append_multiple has append = false for the first entry of multiple entries, and // append = true for the rest entries. EXPECT_THAT(upstream_request_->headers(), Http::HeaderValueOf("multiple", "multiple-first,multiple-second")); } - for (const auto& header_to_remove : headers_to_remove) { + for (const auto& header_to_remove : opts.headers_to_remove) { // The headers that were originally present in the request have now been removed. EXPECT_TRUE( upstream_request_->headers().get(Http::LowerCaseString{header_to_remove.first}).empty()); 
@@ -430,16 +451,20 @@ class ExtAuthzGrpcIntegrationTest : public Grpc::GrpcClientIntegrationParamTest, sendExtAuthzResponse(updated_headers_to_add, updated_headers_to_append, headers_to_remove, new_headers_from_upstream, headers_to_append_multiple, Headers{}); - waitForSuccessfulUpstreamResponse("200", updated_headers_to_add, updated_headers_to_append, - headers_to_remove, new_headers_from_upstream, - headers_to_append_multiple); + WaitForSuccessfulUpstreamResponseOpts opts{ + updated_headers_to_add, updated_headers_to_append, headers_to_remove, + new_headers_from_upstream, headers_to_append_multiple, + }; + waitForSuccessfulUpstreamResponse("200", opts); cleanup(); } void expectFilterDisableCheck(bool deny_at_disable, bool disable_with_metadata, const std::string& expected_status) { - initializeConfig(disable_with_metadata); + GrpcInitializeConfigOpts opts; + opts.disable_with_metadata = disable_with_metadata; + initializeConfig(opts); setDenyAtDisableRuntimeConfig(deny_at_disable, disable_with_metadata); setDownstreamProtocol(Http::CodecType::HTTP2); HttpIntegrationTest::initialize(); @@ -550,7 +575,9 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, .get(Http::LowerCaseString(std::string("regex-fool")))[0] ->value() .getStringView()); + } + void sendExtAuthzResponse() { // Send back authorization response with "baz" and "bat" headers. // Also add multiple values "append-foo" and "append-bar" for key "x-append-bat". // Also tell Envoy to remove "remove-me" header before sending to upstream. 
@@ -575,8 +602,9 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, cleanupUpstreamAndDownstream(); } - void initializeConfig(bool legacy_allowed_headers = true) { - config_helper_.addConfigModifier([this, legacy_allowed_headers]( + void initializeConfig(bool legacy_allowed_headers = true, bool failure_mode_allow = true, + uint64_t timeout_ms = 300) { + config_helper_.addConfigModifier([this, legacy_allowed_headers, failure_mode_allow, timeout_ms]( envoy::config::bootstrap::v3::Bootstrap& bootstrap) { auto* ext_authz_cluster = bootstrap.mutable_static_resources()->add_clusters(); ext_authz_cluster->MergeFrom(bootstrap.static_resources().clusters()[0]); @@ -587,6 +615,11 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, } else { TestUtility::loadFromYaml(default_config_, proto_config_); } + proto_config_.set_failure_mode_allow(failure_mode_allow); + proto_config_.set_failure_mode_allow_header_add(failure_mode_allow); + proto_config_.mutable_http_service()->mutable_server_uri()->mutable_timeout()->CopyFrom( + Protobuf::util::TimeUtil::MillisecondsToDuration(timeout_ms)); + envoy::config::listener::v3::Filter ext_authz_filter; ext_authz_filter.set_name("envoy.filters.http.ext_authz"); ext_authz_filter.mutable_typed_config()->PackFrom(proto_config_); @@ -602,6 +635,7 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); AssertionResult result = fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_); @@ -663,7 +697,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, server_uri: uri: "ext_authz:9000" cluster: "ext_authz" - timeout: 300s authorization_request: allowed_headers: @@ -684,8 +717,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, patterns: - exact: bat - prefix: x-append - - failure_mode_allow: true )EOF"; const std::string default_config_ = R"EOF( transport_api_version: V3 
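Review bot: `uint64_t timeout_ms = 300` in the HTTP fixture's initializeConfig replaces the removed `timeout: 300s` with a 300 millisecond default, a 1000x tightening that the gRPC fixture avoided with `timeout_ms = 300'000`. Since `failure_mode_allow` also defaults to true here, any pre-existing HTTP test that takes longer than 300 ms between waitForExtAuthzRequest() and sendExtAuthzResponse() (plausible under sanitizer or loaded CI runs) will fail open and proxy with `x-envoy-auth-failure-mode-allowed: true`, turning its header expectations into flakes instead of a clean signal. Change the default to `uint64_t timeout_ms = 300'000` and let the explicit Timeout* tests pass 10 ms. The rest of initializeConfig, including where the value is applied, is in the following hunks.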
@@ -702,7 +733,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, server_uri: uri: "ext_authz:9000" cluster: "ext_authz" - timeout: 300s authorization_response: allowed_upstream_headers: patterns: @@ -712,7 +742,6 @@ class ExtAuthzHttpIntegrationTest : public HttpIntegrationTest, patterns: - exact: bat - prefix: x-append - failure_mode_allow: true with_request_body: max_request_bytes: 1024 allow_partial_message: true 
@@ -871,9 +900,61 @@ TEST_P(ExtAuthzGrpcIntegrationTest, DownstreamHeadersOnSuccess) { cleanup(); } +TEST_P(ExtAuthzGrpcIntegrationTest, TimeoutFailClosed) { + GrpcInitializeConfigOpts opts; + opts.failure_mode_allow = false; + opts.timeout_ms = 10; + initializeConfig(opts); + + // Use h1, set up the test. + setDownstreamProtocol(Http::CodecType::HTTP1); + HttpIntegrationTest::initialize(); + + // Start a client connection and request. + initiateClientConnection(0); + + // Wait for the ext_authz request as a result of the client request. + waitForExtAuthzRequest(expectedCheckRequest(Http::CodecType::HTTP1)); + + // Do not sendExtAuthzResponse(). Envoy should reject the request after 1 second. + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_TRUE(response_->complete()); + EXPECT_EQ("403", response_->headers().getStatusValue()); // Unauthorized status. + + cleanup(); +} + +TEST_P(ExtAuthzGrpcIntegrationTest, TimeoutFailOpen) { + GrpcInitializeConfigOpts init_opts; + init_opts.failure_mode_allow = true; + init_opts.timeout_ms = 10; + initializeConfig(init_opts); + + // Use h1, set up the test. + setDownstreamProtocol(Http::CodecType::HTTP1); + HttpIntegrationTest::initialize(); + + // Start a client connection and request. + initiateClientConnection(0); + + // Wait for the ext_authz request as a result of the client request. + waitForExtAuthzRequest(expectedCheckRequest(Http::CodecType::HTTP1)); + + // Do not sendExtAuthzResponse(). Envoy should eventually proxy the request upstream as if the + // authz service approved the request. + WaitForSuccessfulUpstreamResponseOpts upstream_opts; + upstream_opts.failure_mode_allowed_header = true; + waitForSuccessfulUpstreamResponse("200", upstream_opts); + + cleanup(); +} + TEST_P(ExtAuthzGrpcIntegrationTest, FailureModeAllowNonUtf8) { // Set up ext_authz filter. 
- initializeConfig(false, true); + GrpcInitializeConfigOpts opts; + opts.disable_with_metadata = false; + opts.failure_mode_allow = true; + initializeConfig(opts); // Use h1, set up the test. setDownstreamProtocol(Http::CodecType::HTTP1); @@ -955,6 +1036,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, DEPRECATED_FEATURE_TEST(LegacyDirectReponse) HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); @@ -976,6 +1058,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, DEPRECATED_FEATURE_TEST(LegacyRedirectRespon HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); @@ -1043,6 +1126,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, DirectReponse) { HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); @@ -1064,6 +1148,7 @@ TEST_P(ExtAuthzHttpIntegrationTest, RedirectResponse) { HttpIntegrationTest::initialize(); initiateClientConnection(); waitForExtAuthzRequest(); + sendExtAuthzResponse(); ASSERT_TRUE(response_->waitForEndStream()); EXPECT_TRUE(response_->complete()); 
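Review bot: TimeoutFailClosed only checks that the downstream received a 403; it never asserts that the request did not reach the upstream, which is the guarantee a fail-closed test exists to protect, so a filter that both replied 403 and forwarded the request would pass. Consider also asserting that `fake_upstreams_[0]` saw no connection within a short bounded wait, or that the upstream cluster's request counter stays at zero (exact helper and stat names to confirm against the fixture). Two comments are also stale: `// Do not sendExtAuthzResponse(). Envoy should reject the request after 1 second.` does not match `opts.timeout_ms = 10` and should read `after the 10 ms gRPC timeout`, and `// Unauthorized status.` beside `"403"` should read `// Forbidden.` since 401 is Unauthorized.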
@@ -1071,6 +1156,47 @@ TEST_P(ExtAuthzHttpIntegrationTest, RedirectResponse) { EXPECT_EQ("http://host/redirect", response_->headers().getLocationValue()); } +TEST_P(ExtAuthzHttpIntegrationTest, TimeoutFailClosed) { + initializeConfig(false, /*failure_mode_allow=*/false, /*timeout_ms=*/10); + HttpIntegrationTest::initialize(); + initiateClientConnection(); + waitForExtAuthzRequest(); + + // Do not sendExtAuthzResponse(). Envoy should reject the request after 1 second. + ASSERT_TRUE(response_->waitForEndStream(Envoy::Seconds(10))); + EXPECT_TRUE(response_->complete()); + EXPECT_EQ("403", response_->headers().getStatusValue()); // Unauthorized status. + + cleanup(); +} + +TEST_P(ExtAuthzHttpIntegrationTest, TimeoutFailOpen) { + initializeConfig(false, /*failure_mode_allow=*/true, /*timeout_ms=*/10); + HttpIntegrationTest::initialize(); + initiateClientConnection(); + waitForExtAuthzRequest(); + + // Do not sendExtAuthzResponse(). Envoy should eventually proxy the request upstream as if the + // authz service approved the request. + AssertionResult result = + fake_upstreams_[0]->waitForHttpConnection(*dispatcher_, fake_upstream_connection_); + RELEASE_ASSERT(result, result.message()); + result = fake_upstream_connection_->waitForNewStream(*dispatcher_, upstream_request_); + RELEASE_ASSERT(result, result.message()); + result = upstream_request_->waitForEndStream(*dispatcher_); + RELEASE_ASSERT(result, result.message()); + + EXPECT_THAT(upstream_request_->headers(), + Http::HeaderValueOf("x-envoy-auth-failure-mode-allowed", "true")); + + upstream_request_->encodeHeaders(Http::TestResponseHeaderMapImpl{{":status", "200"}}, true); + ASSERT_TRUE(response_->waitForEndStream()); + EXPECT_TRUE(response_->complete()); + EXPECT_EQ("200", response_->headers().getStatusValue()); + + cleanup(); +} + class ExtAuthzLocalReplyIntegrationTest : public HttpIntegrationTest, public TestWithParam { public: From de5ab65a54e54129775b06931a9b4621c2657cde Mon Sep 17 00:00:00 2001 
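Review bot: The HTTP TimeoutFailClosed test, like its gRPC twin, proves only that the client got a 403 and not that the upstream was never contacted; a negative assertion on `fake_upstreams_[0]` (no connection within a short bounded wait, or a zero upstream request counter, names to confirm) is what actually demonstrates fail-closed behaviour. The comment `// Do not sendExtAuthzResponse(). Envoy should reject the request after 1 second.` contradicts `/*timeout_ms=*/10` and should say `after the 10 ms timeout`; `// Unauthorized status.` next to `"403"` should say `// Forbidden.`. In TimeoutFailOpen the ext_authz request left pending on the fake authz upstream is presumably torn down by `cleanup()`, but a one-line comment saying so would save the next reader a trip to the fixture.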
From: Greg Greenway Date: Tue, 5 Mar 2024 21:03:31 -0800 Subject: [PATCH 15/34] build: remove incorrect cc_library after tls code move (#32714) --- source/common/tls/BUILD | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/source/common/tls/BUILD b/source/common/tls/BUILD index 15a3c06c69f8..ba75941b4864 100644 --- a/source/common/tls/BUILD +++ b/source/common/tls/BUILD @@ -10,21 +10,6 @@ licenses(["notice"]) # Apache 2 envoy_package() -envoy_cc_library( - name = "config", - srcs = ["config.cc"], - hdrs = ["config.h"], - # TLS is core functionality. - visibility = ["//visibility:public"], - deps = [ - ":ssl_socket_lib", - "//envoy/network:transport_socket_interface", - "//envoy/registry", - "//envoy/server:transport_socket_config_interface", - ], - alwayslink = 1, -) - envoy_cc_library( name = "connection_info_impl_base_lib", srcs = ["connection_info_impl_base.cc"], From cbefd8c84edbf9e39daa6f598619ca41ec486894 Mon Sep 17 00:00:00 2001 From: Joao Grassi <5938087+joaopgrassi@users.noreply.github.com> Date: Wed, 6 Mar 2024 07:41:11 +0100 Subject: [PATCH 16/34] opentelemetrytracer: Add User-Agent header to OTLP trace exporters (#32659) Additional Description: The OpenTelemetry specification defines that OTLP exporters should emit the User-Agent header to help identify the the source/exporter. This PR adds such header to both the OTLP gRPC and HTTP exporters. Risk Level: Low Testing: Unit tests Docs Changes: N/A Release Notes: Added 
Signed-off-by: Joao Grassi <5938087+joaopgrassi@users.noreply.github.com> --- changelogs/current.yaml | 3 ++ source/extensions/tracers/opentelemetry/BUILD | 3 ++ .../opentelemetry/grpc_trace_exporter.h | 5 +++- .../opentelemetry/http_trace_exporter.cc | 5 ++++ .../tracers/opentelemetry/otlp_utils.cc | 22 ++++++++++++++ .../tracers/opentelemetry/otlp_utils.h | 29 +++++++++++++++++++ .../opentelemetry/grpc_trace_exporter_test.cc | 6 ++++ .../opentelemetry/http_trace_exporter_test.cc | 3 ++ 8 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 source/extensions/tracers/opentelemetry/otlp_utils.cc create mode 100644 source/extensions/tracers/opentelemetry/otlp_utils.h diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 5d8b1cacfc71..25562acfb615 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -271,6 +271,9 @@ new_features: - area: tracing change: | Added support to configure a Dynatrace sampler for the OpenTelemetry tracer. +- area: tracing + change: | + Added User-Agent header to OTLP trace exporters according to the OpenTelemetry specification. deprecated: - area: listener diff --git a/source/extensions/tracers/opentelemetry/BUILD b/source/extensions/tracers/opentelemetry/BUILD index a4ee2ed5e51b..2ffdab91f527 100644 --- a/source/extensions/tracers/opentelemetry/BUILD +++ b/source/extensions/tracers/opentelemetry/BUILD @@ -59,10 +59,12 @@ envoy_cc_library( srcs = [ "grpc_trace_exporter.cc", "http_trace_exporter.cc", + "otlp_utils.cc", ], hdrs = [ "grpc_trace_exporter.h", "http_trace_exporter.h", + "otlp_utils.h", "trace_exporter.h", ], deps = [ @@ -75,6 +77,7 @@ envoy_cc_library( "//source/common/http:utility_lib", "//source/common/protobuf", "//source/common/tracing:trace_context_lib", + "//source/common/version:version_lib", "@envoy_api//envoy/config/core/v3:pkg_cc_proto", "@opentelemetry_proto//:trace_cc_proto", ], 
diff --git a/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h b/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h index b35823b851ba..974ac704f9f0 100644 --- a/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h +++ b/source/extensions/tracers/opentelemetry/grpc_trace_exporter.h @@ -4,6 +4,7 @@ #include "source/common/common/logger.h" #include "source/common/grpc/typed_async_client.h" +#include "source/extensions/tracers/opentelemetry/otlp_utils.h" #include "source/extensions/tracers/opentelemetry/trace_exporter.h" #include "opentelemetry/proto/collector/trace/v1/trace_service.pb.h" @@ -30,7 +31,9 @@ class OpenTelemetryGrpcTraceExporterClient : Logger::Loggable&&) diff --git a/source/extensions/tracers/opentelemetry/http_trace_exporter.cc b/source/extensions/tracers/opentelemetry/http_trace_exporter.cc index b1fb4efdc9c1..1ff2d2c7c867 100644 --- a/source/extensions/tracers/opentelemetry/http_trace_exporter.cc +++ b/source/extensions/tracers/opentelemetry/http_trace_exporter.cc @@ -8,6 +8,7 @@ #include "source/common/common/enum_to_int.h" #include "source/common/common/logger.h" #include "source/common/protobuf/protobuf.h" +#include "source/extensions/tracers/opentelemetry/otlp_utils.h" namespace Envoy { namespace Extensions { @@ -50,6 +51,10 @@ bool OpenTelemetryHttpTraceExporter::log(const ExportTraceServiceRequest& reques message->headers().setReferenceMethod(Http::Headers::get().MethodValues.Post); message->headers().setReferenceContentType(Http::Headers::get().ContentTypeValues.Protobuf); + // User-Agent header follows the OTLP specification: + // https://github.com/open-telemetry/opentelemetry-specification/blob/v1.30.0/specification/protocol/exporter.md#user-agent + message->headers().setReferenceUserAgent(OtlpUtils::getOtlpUserAgentHeader()); + // Add all custom headers to the request. for (const auto& header_pair : parsed_headers_to_add_) { message->headers().setReference(header_pair.first, header_pair.second); 
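Review bot: In OpenTelemetryHttpTraceExporter::log the `setReferenceUserAgent(OtlpUtils::getOtlpUserAgentHeader())` call runs before the `parsed_headers_to_add_` loop, so an operator-configured custom header keyed `user-agent` presumably replaces the spec-mandated value through `setReference`. If that precedence is intended, record it where the header is set, e.g. `// Set before custom headers so an operator-configured user-agent can override it.`; if it is not, skip that key in the loop (or set the User-Agent after it). The enclosing log() begins and ends outside this hunk.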
diff --git a/source/extensions/tracers/opentelemetry/otlp_utils.cc b/source/extensions/tracers/opentelemetry/otlp_utils.cc new file mode 100644 index 000000000000..1ce8c53af803 --- /dev/null +++ b/source/extensions/tracers/opentelemetry/otlp_utils.cc @@ -0,0 +1,22 @@ +#include "source/extensions/tracers/opentelemetry/otlp_utils.h" + +#include + +#include "source/common/common/fmt.h" +#include "source/common/common/macros.h" +#include "source/common/version/version.h" + +namespace Envoy { +namespace Extensions { +namespace Tracers { +namespace OpenTelemetry { + +const std::string& OtlpUtils::getOtlpUserAgentHeader() { + CONSTRUCT_ON_FIRST_USE(std::string, + fmt::format("OTel-OTLP-Exporter-Envoy/{}", Envoy::VersionInfo::version())); +} + +} // namespace OpenTelemetry +} // namespace Tracers +} // namespace Extensions +} // namespace Envoy diff --git a/source/extensions/tracers/opentelemetry/otlp_utils.h b/source/extensions/tracers/opentelemetry/otlp_utils.h new file mode 100644 index 000000000000..32e18a0e2f99 --- /dev/null +++ b/source/extensions/tracers/opentelemetry/otlp_utils.h @@ -0,0 +1,29 @@ +#pragma once + +#include + +namespace Envoy { +namespace Extensions { +namespace Tracers { +namespace OpenTelemetry { + +/** + * Contains utility functions for Otel + */ +class OtlpUtils { + +public: + /** + * @brief Get the User-Agent header value to be used on the OTLP exporter request. + * + * The header value is compliant with the OpenTelemetry specification. See: + * https://github.com/open-telemetry/opentelemetry-specification/blob/v1.30.0/specification/protocol/exporter.md#user-agent + * @return std::string The User-Agent for the OTLP exporters in Envoy. + */ + static const std::string& getOtlpUserAgentHeader(); +}; + +} // namespace OpenTelemetry +} // namespace Tracers +} // namespace Extensions +} // namespace Envoy 
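Review bot: The Doxygen on OtlpUtils::getOtlpUserAgentHeader says `@return std::string The User-Agent ...` but the declaration is `static const std::string&`, and the definition builds the value once via CONSTRUCT_ON_FIRST_USE; write `@return const std::string& Process-wide User-Agent value, built on first use and never freed.` so callers do not copy it needlessly or assume a fresh string. It is also worth one sentence in the header noting that the value embeds `Envoy::VersionInfo::version()`, i.e. the exact proxy build is disclosed to whichever collector endpoint is configured — this is what the OTLP spec asks for, but operators who treat version strings as sensitive should know it is not configurable here.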
diff --git a/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc b/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc index 84db740d5ebf..5858269fd9e4 100644 --- a/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc +++ b/test/extensions/tracers/opentelemetry/grpc_trace_exporter_test.cc @@ -1,6 +1,7 @@ #include #include "source/common/buffer/zero_copy_input_stream_impl.h" +#include "source/common/version/version.h" #include "source/extensions/tracers/opentelemetry/grpc_trace_exporter.h" #include "test/mocks/common.h" @@ -70,6 +71,11 @@ TEST_F(OpenTelemetryGrpcTraceExporterTest, CreateExporterAndExportSpan) { span.set_name("test"); *request.add_resource_spans()->add_scope_spans()->add_spans() = span; EXPECT_TRUE(exporter.log(request)); + + Http::TestRequestHeaderMapImpl metadata; + callbacks_->onCreateInitialMetadata(metadata); + EXPECT_EQ(metadata.getUserAgentValue(), + "OTel-OTLP-Exporter-Envoy/" + Envoy::VersionInfo::version()); } TEST_F(OpenTelemetryGrpcTraceExporterTest, NoExportWithHighWatermark) { diff --git a/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc b/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc index b6d5702c27e5..3674f4fec219 100644 --- a/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc +++ b/test/extensions/tracers/opentelemetry/http_trace_exporter_test.cc @@ -1,6 +1,7 @@ #include #include "source/common/buffer/zero_copy_input_stream_impl.h" +#include "source/common/version/version.h" #include "source/extensions/tracers/opentelemetry/http_trace_exporter.h" #include "test/mocks/common.h" 
@@ -78,6 +79,8 @@ TEST_F(OpenTelemetryHttpTraceExporterTest, CreateExporterAndExportSpan) { callback = &callbacks; EXPECT_EQ(Http::Headers::get().MethodValues.Post, message->headers().getMethodValue()); + EXPECT_EQ(message->headers().getUserAgentValue(), + "OTel-OTLP-Exporter-Envoy/" + Envoy::VersionInfo::version()); EXPECT_EQ(Http::Headers::get().ContentTypeValues.Protobuf, message->headers().getContentTypeValue()); From e2c5d6127dfe0ceb77e0a1d68581bc6a0d2f88a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:39:20 +0000 Subject: [PATCH 17/34] build(deps): bump the examples-golang-http group in /examples/golang-http/simple with 1 update (#32729) build(deps): bump the examples-golang-http group Bumps the examples-golang-http group in /examples/golang-http/simple with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: examples-golang-http ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/golang-http/simple/go.mod | 2 +- examples/golang-http/simple/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/golang-http/simple/go.mod b/examples/golang-http/simple/go.mod index de772564f44d..2958dc061b8f 100644 --- a/examples/golang-http/simple/go.mod +++ b/examples/golang-http/simple/go.mod @@ -7,7 +7,7 @@ go 1.20 require ( github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa github.com/envoyproxy/envoy v1.24.0 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) require ( diff --git a/examples/golang-http/simple/go.sum b/examples/golang-http/simple/go.sum index 1e61a638aab7..0478993703bf 100644 --- a/examples/golang-http/simple/go.sum 
+++ b/examples/golang-http/simple/go.sum @@ -14,5 +14,5 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1: google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= From 1d20fd037e1effdf2dbdaa9789ffdf505083dfee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:39:29 +0000 Subject: [PATCH 18/34] build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/buffer with 1 update (#32727) build(deps): bump the contrib-golang group Bumps the contrib-golang group in /contrib/golang/filters/http/test/test_data/buffer with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: contrib-golang ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- contrib/golang/filters/http/test/test_data/buffer/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/golang/filters/http/test/test_data/buffer/go.mod b/contrib/golang/filters/http/test/test_data/buffer/go.mod index 318833da2bfe..5fbd5576842b 100644 
--- a/contrib/golang/filters/http/test/test_data/buffer/go.mod +++ b/contrib/golang/filters/http/test/test_data/buffer/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/envoyproxy/envoy v1.24.0 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) replace github.com/envoyproxy/envoy => ../../../../../../../ From eea9cd19bcac3c6dfa4c6951da31be96d24b8ca9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:39:39 +0000 Subject: [PATCH 19/34] build(deps): bump the examples-load-reporting group in /examples/load-reporting-service with 1 update (#32726) build(deps): bump the examples-load-reporting group Bumps the examples-load-reporting group in /examples/load-reporting-service with 1 update: [google.golang.org/grpc](https://github.com/grpc/grpc-go). Updates `google.golang.org/grpc` from 1.62.0 to 1.62.1 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.62.0...v1.62.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch dependency-group: examples-load-reporting ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/load-reporting-service/go.mod | 2 +- examples/load-reporting-service/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/load-reporting-service/go.mod b/examples/load-reporting-service/go.mod index fbfbccbb74e0..093bc5ab41e1 100644 --- a/examples/load-reporting-service/go.mod +++ b/examples/load-reporting-service/go.mod @@ -5,5 +5,5 @@ go 1.13 require ( github.com/envoyproxy/go-control-plane v0.12.0 github.com/golang/protobuf v1.5.3 - google.golang.org/grpc v1.62.0 + google.golang.org/grpc v1.62.1 ) 
diff --git a/examples/load-reporting-service/go.sum b/examples/load-reporting-service/go.sum index 513e0ac97039..8e14cc4c532e 100644 --- a/examples/load-reporting-service/go.sum +++ b/examples/load-reporting-service/go.sum @@ -2277,8 +2277,8 @@ google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSs google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= -google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= -google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From 7216c2e708a1306f845d9c9ea933215bbf1aa000 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:39:49 +0000 Subject: [PATCH 20/34] build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/routeconfig with 1 update (#32724) build(deps): bump the contrib-golang group Bumps the contrib-golang group in /contrib/golang/filters/http/test/test_data/routeconfig with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: contrib-golang ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- contrib/golang/filters/http/test/test_data/routeconfig/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/golang/filters/http/test/test_data/routeconfig/go.mod b/contrib/golang/filters/http/test/test_data/routeconfig/go.mod index 9af0f126d93b..d64e1cb6e97b 100644 --- a/contrib/golang/filters/http/test/test_data/routeconfig/go.mod +++ b/contrib/golang/filters/http/test/test_data/routeconfig/go.mod @@ -15,7 +15,7 @@ require ( require ( github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect github.com/golang/protobuf v1.5.3 // indirect - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) replace github.com/envoyproxy/envoy => ../../../../../../../ From 272ccff8a05df47d8cfc8f25a8f547f0ff8037c6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:40:00 +0000 Subject: [PATCH 21/34] build(deps): bump the examples-ext-authz group in /examples/ext_authz/auth/grpc-service with 1 update (#32723) build(deps): bump the examples-ext-authz group Bumps the examples-ext-authz group in /examples/ext_authz/auth/grpc-service with 1 update: [google.golang.org/grpc](https://github.com/grpc/grpc-go). Updates `google.golang.org/grpc` from 1.62.0 to 1.62.1 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.62.0...v1.62.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch dependency-group: examples-ext-authz ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/ext_authz/auth/grpc-service/go.mod | 2 +- examples/ext_authz/auth/grpc-service/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/ext_authz/auth/grpc-service/go.mod b/examples/ext_authz/auth/grpc-service/go.mod index 3e4511aeab2c..54162c137866 100644 --- a/examples/ext_authz/auth/grpc-service/go.mod +++ b/examples/ext_authz/auth/grpc-service/go.mod @@ -6,5 +6,5 @@ require ( github.com/envoyproxy/go-control-plane v0.12.0 github.com/golang/protobuf v1.5.3 google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 - google.golang.org/grpc v1.62.0 + google.golang.org/grpc v1.62.1 ) diff --git a/examples/ext_authz/auth/grpc-service/go.sum b/examples/ext_authz/auth/grpc-service/go.sum index 513e0ac97039..8e14cc4c532e 100644 --- a/examples/ext_authz/auth/grpc-service/go.sum +++ b/examples/ext_authz/auth/grpc-service/go.sum 
@@ -2277,8 +2277,8 @@ google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSs google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= -google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= -google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From a38966d5d7dd98db1fd1db584c576cd568fd389f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:40:13 +0000 Subject: [PATCH 22/34] build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/echo with 1 update (#32722) build(deps): bump the contrib-golang group Bumps the contrib-golang group in /contrib/golang/filters/http/test/test_data/echo with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: contrib-golang ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- contrib/golang/filters/http/test/test_data/echo/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/golang/filters/http/test/test_data/echo/go.mod b/contrib/golang/filters/http/test/test_data/echo/go.mod index 9079af021fca..a6d5cd945e38 100644 --- a/contrib/golang/filters/http/test/test_data/echo/go.mod +++ b/contrib/golang/filters/http/test/test_data/echo/go.mod @@ -15,7 +15,7 @@ require ( require ( github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect github.com/golang/protobuf v1.5.3 // indirect - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) replace github.com/envoyproxy/envoy => ../../../../../../../ From 51f9f90de57c56a5dc7af570d519d0449bcf7418 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:40:24 +0000 Subject: [PATCH 23/34] build(deps): bump the contrib-golang group in /contrib/golang/router/cluster_specifier/test/test_data/simple with 1 update (#32721) build(deps): bump the contrib-golang group Bumps the contrib-golang group in /contrib/golang/router/cluster_specifier/test/test_data/simple with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: contrib-golang ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../router/cluster_specifier/test/test_data/simple/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod b/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod index 5ec718d9cfc0..d43f5df99734 100644 
--- a/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod +++ b/contrib/golang/router/cluster_specifier/test/test_data/simple/go.mod @@ -15,7 +15,7 @@ require ( require ( github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect github.com/golang/protobuf v1.5.3 // indirect - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) replace github.com/envoyproxy/envoy => ../../../../../../../ From 2557cbef4929b03684fc37cfe10ae882e2c7111a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:40:38 +0000 Subject: [PATCH 24/34] build(deps): bump the examples-grpc-bridge group in /examples/grpc-bridge/server with 2 updates (#32720) build(deps): bump the examples-grpc-bridge group Bumps the examples-grpc-bridge group in /examples/grpc-bridge/server with 2 updates: [golang.org/x/net](https://github.com/golang/net) and [google.golang.org/grpc](https://github.com/grpc/grpc-go). Updates `golang.org/x/net` from 0.21.0 to 0.22.0 - [Commits](https://github.com/golang/net/compare/v0.21.0...v0.22.0) Updates `google.golang.org/grpc` from 1.62.0 to 1.62.1 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.62.0...v1.62.1) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: examples-grpc-bridge - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch dependency-group: examples-grpc-bridge ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/grpc-bridge/server/go.mod | 4 ++-- examples/grpc-bridge/server/go.sum | 12 ++++++++---- 2 files changed, 10 insertions(+), 6 deletions(-) 
diff --git a/examples/grpc-bridge/server/go.mod b/examples/grpc-bridge/server/go.mod index 623db6c0619b..cfeda43c8779 100644 --- a/examples/grpc-bridge/server/go.mod +++ b/examples/grpc-bridge/server/go.mod @@ -4,6 +4,6 @@ go 1.13 require ( github.com/golang/protobuf v1.5.3 - golang.org/x/net v0.21.0 - google.golang.org/grpc v1.62.0 + golang.org/x/net v0.22.0 + google.golang.org/grpc v1.62.1 ) diff --git a/examples/grpc-bridge/server/go.sum b/examples/grpc-bridge/server/go.sum index 885828afce3c..c926048c9fe3 100644 --- a/examples/grpc-bridge/server/go.sum +++ b/examples/grpc-bridge/server/go.sum @@ -1538,6 +1538,7 @@ golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1667,8 +1668,9 @@ golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1812,8 +1814,9 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -1833,6 +1836,7 @@ golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -2278,8 +2282,8 @@ google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSs google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= -google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= -google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From 5598a91f97e444147c897a0168ee6b79838d1bcd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:42:22 +0000 Subject: [PATCH 25/34] build(deps): bump otel/opentelemetry-collector from `246dfe9` to `71ac13c` in /examples/opentelemetry (#32730) build(deps): bump otel/opentelemetry-collector Bumps otel/opentelemetry-collector from `246dfe9` to `71ac13c`. --- updated-dependencies: - dependency-name: otel/opentelemetry-collector dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/opentelemetry/Dockerfile-opentelemetry | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/opentelemetry/Dockerfile-opentelemetry b/examples/opentelemetry/Dockerfile-opentelemetry index e1ae65ffa24b..4bad91daec4d 100644 --- a/examples/opentelemetry/Dockerfile-opentelemetry +++ b/examples/opentelemetry/Dockerfile-opentelemetry @@ -1,7 +1,7 @@ FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as otelc_curl RUN apk --update add curl -FROM otel/opentelemetry-collector:latest@sha256:246dfe93f68e489a81f17b0335ca1c8e6f37bf69eb66aa9ba3375cc1743064b6 +FROM otel/opentelemetry-collector:latest@sha256:71ac13c2a9b875b953cf6b96af6f06897ba9be07f6f9c90b10d34865853e78d2 COPY --from=otelc_curl / / From dd8961ea91c514ec47c89a09a86850aaf1a522c4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:42:31 +0000 Subject: [PATCH 26/34] build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /contrib/golang/filters/http/test/test_data/property (#32731) build(deps): bump google.golang.org/protobuf Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- contrib/golang/filters/http/test/test_data/property/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/golang/filters/http/test/test_data/property/go.mod b/contrib/golang/filters/http/test/test_data/property/go.mod index 55ee2207f6dc..e960af90623c 100644 --- a/contrib/golang/filters/http/test/test_data/property/go.mod +++ b/contrib/golang/filters/http/test/test_data/property/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/envoyproxy/envoy v1.24.0 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) replace github.com/envoyproxy/envoy => ../../../../../../../ From 3ffc64c722f2b1d589e46bccf7a26d42a8e0bcc8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 11:42:42 +0000 Subject: [PATCH 27/34] build(deps): bump the examples-golang-network group in /examples/golang-network/simple with 1 update (#32732) build(deps): bump the examples-golang-network group Bumps the examples-golang-network group in /examples/golang-network/simple with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: examples-golang-network ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/golang-network/simple/go.mod | 2 +- examples/golang-network/simple/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/golang-network/simple/go.mod b/examples/golang-network/simple/go.mod index 17886eea7c47..b21b9c4f61c5 100644 --- a/examples/golang-network/simple/go.mod +++ b/examples/golang-network/simple/go.mod 
@@ -7,7 +7,7 @@ go 1.18 require ( github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa github.com/envoyproxy/envoy v1.24.0 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) require ( diff --git a/examples/golang-network/simple/go.sum b/examples/golang-network/simple/go.sum index 1e61a638aab7..0478993703bf 100644 --- a/examples/golang-network/simple/go.sum +++ b/examples/golang-network/simple/go.sum @@ -14,5 +14,5 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1: google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= From 7ec38965279e20407370a142c97398ed8c7fe6f7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 12:25:27 +0000 Subject: [PATCH 28/34] build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#32728) Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index aa129ca09c2a..5cf799dce8e4 100644 --- a/go.mod +++ b/go.mod 
@@ -2,6 +2,6 @@ module github.com/envoyproxy/envoy
 go 1.20
-require google.golang.org/protobuf v1.32.0
+require google.golang.org/protobuf v1.33.0
 require github.com/google/go-cmp v0.5.9 // indirect
diff --git a/go.sum b/go.sum
index e2499aef30e4..6c0bbb169295 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,4 @@
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
From 4fa98b22110b27cdff02577bdf5d0d06163a66fa Mon Sep 17 00:00:00 2001 From: Tianyu <72890320+tyxia@users.noreply.github.com> Date: Wed, 6 Mar 2024 10:09:24 -0500 Subject: [PATCH 29/34] grpc: Add support for max frame length in gPRC frame decoding (#32511) --------- Signed-off-by: tyxia
--- source/common/grpc/codec.cc | 12 +++- source/common/grpc/codec.h | 8 +++ test/common/grpc/codec_test.cc | 101 +++++++++++++++++++++++++++++++++ 3 files changed, 120 insertions(+), 1 deletion(-)
diff --git a/source/common/grpc/codec.cc b/source/common/grpc/codec.cc
index 668258642a68..eb24b4918407 100644
--- a/source/common/grpc/codec.cc
+++ b/source/common/grpc/codec.cc
@@ -32,13 +32,17 @@ void Encoder::prependFrameHeader(uint8_t flags, Buffer::Instance& buffer, uint32
 }
 bool Decoder::decode(Buffer::Instance& input, std::vector& output) {
+ // Make sure those flags are set to initial state.
 decoding_error_ = false;
+ is_frame_oversized_ = false;
 output_ = &output;
 inspect(input);
 output_ = nullptr;
- if (decoding_error_) {
+
+ if (decoding_error_ || is_frame_oversized_) {
 return false;
 }
+ input.drain(input.length());
 return true;
 }
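Review bot: A `false` from `Decoder::decode` now stands for two different conditions, a malformed stream (`decoding_error_`) and a frame above `max_frame_length_` (`is_frame_oversized_`), and nothing in the hunk lets the caller tell them apart, although only the second is a policy limit a caller might want to report distinctly (a resource-exhausted style error rather than a parse error) or count in its own stat. Unless an accessor already exists outside this patch, expose the flag next to the setter in codec.h: `bool isFrameOversized() const { return is_frame_oversized_; }`. It is also worth saying on the method that on either failure `input` is left undrained (the new tests rely on that), so a caller must decide what to do with the remaining bytes rather than assume they were consumed.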
@@ -102,6 +106,12 @@ uint64_t FrameInspector::inspect(const Buffer::Instance& data) {
 case State::FhLen3:
 length_as_bytes_[3] = c;
 length_ = absl::big_endian::Load32(length_as_bytes_);
+ // Compares the frame length against maximum length when `max_frame_length_` is configured,
+ if (max_frame_length_ != 0 && length_ > max_frame_length_) {
+ // Set the flag to indicate the over-limit error and return.
+ is_frame_oversized_ = true;
+ return delta;
+ }
 frameDataStart();
 if (length_ == 0) {
 frameDataEnd();
diff --git a/source/common/grpc/codec.h b/source/common/grpc/codec.h
index 6140442fb84c..3b6692c96a97 100644
--- a/source/common/grpc/codec.h
+++ b/source/common/grpc/codec.h
@@ -113,6 +113,11 @@ class FrameInspector {
 uint8_t length_as_bytes_[4];
 };
 uint64_t count_{0};
+ // Default value 0 means there is no limitation on maximum frame length.
+ uint32_t max_frame_length_{0};
+ // When `max_frame_length_` is configured, this flag will be true if frame length is larger than
+ // `max_frame_length_`.
+ bool is_frame_oversized_{false};
 };
 class Decoder : public FrameInspector {
@@ -134,6 +139,9 @@ class Decoder : public FrameInspector {
 // Indicates whether it has buffered any partial data.
 bool hasBufferedData() const { return state_ != State::FhFlag; }
+ // Configures the maximum frame length.
+ void setMaxFrameLength(uint32_t max_frame_length) { max_frame_length_ = max_frame_length; }
+
 protected:
 bool frameStart(uint8_t) override;
 void frameDataStart() override;
diff --git a/test/common/grpc/codec_test.cc b/test/common/grpc/codec_test.cc
index c028559bc828..ce722bdd5c09 100644
--- a/test/common/grpc/codec_test.cc
+++ b/test/common/grpc/codec_test.cc
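Review bot: When the limit trips, the new early return leaves `state_` at `State::FhLen3` with the rejected frame's `length_as_bytes_` still loaded, and `Decoder::decode` (visible in the previous hunk) never resets it; as far as this patch shows, a caller that reuses the same `Decoder` on further input, which is exactly what the multi-buffer test does, will treat the next byte as a fourth length byte and parse garbage instead of a fresh header. Either reset the parser before bailing, `state_ = State::FhFlag;` next to `is_frame_oversized_ = true;`, or document on `setMaxFrameLength` that a `Decoder` must be discarded once `decode` returns false. The comment above the check also reads as an unfinished sentence; `// Reject the frame before any payload is buffered if it exceeds max_frame_length_.` says what the early return is for. `inspect` starts and ends outside the hunk.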
@@ -221,6 +221,107 @@ TEST(GrpcCodecTest, decodeMultipleFrame) { } } +TEST(GrpcCodecTest, decodeSingleFrameOverLimit) { + helloworld::HelloRequest request; + std::string test_str = std::string(64 * 1024, 'a'); + request.set_name(test_str); + + Buffer::OwnedImpl buffer; + std::array header; + Encoder encoder; + encoder.newFrame(GRPC_FH_DEFAULT, request.ByteSize(), header); + buffer.add(header.data(), 5); + buffer.add(request.SerializeAsString()); + size_t size = buffer.length(); + + std::vector frames; + // Configure decoder with 32kb max_frame_length. + Decoder decoder; + decoder.setMaxFrameLength(32 * 1024); + + // The decoder doesn't successfully decode due to oversized frame. + EXPECT_FALSE(decoder.decode(buffer, frames)); + EXPECT_EQ(buffer.length(), size); +} + +TEST(GrpcCodecTest, decodeSingleFrameWithMultiBuffersOverLimit) { + std::vector buffers(2); + std::array header; + + uint32_t max_length = 32 * 1024; + uint32_t single_buffer_length = 18 * 1024; + std::string req_str = std::string(single_buffer_length, 'a'); + + // First buffer is valid (i.e. within total_frame_length limit). + helloworld::HelloRequest request; + request.set_name(req_str); + // Second buffer itself is valid but results in the total frame size exceeding the limit. + helloworld::HelloRequest request_2; + request_2.set_name(req_str); + + Encoder encoder; + // Total frame consists of two buffers, request and request_2. + encoder.newFrame(GRPC_FH_DEFAULT, request.ByteSize() + request_2.ByteSize(), header); + + buffers[0].add(header.data(), 5); + buffers[0].add(request.SerializeAsString()); + buffers[1].add(header.data(), 5); + buffers[1].add(request_2.SerializeAsString()); + + size_t size = buffers[0].length() + buffers[1].length(); + std::vector frames = {}; + Decoder decoder; + decoder.setMaxFrameLength(max_length); + + // Both decoding attempts failed due to the total frame size exceeding the limit. 
+ for (uint32_t i = 0; i < buffers.size(); ++i) { + EXPECT_FALSE(decoder.decode(buffers[i], frames)); + } + + EXPECT_EQ(frames.size(), 0); + // Buffer does not get drained due to it returning false. + EXPECT_EQ(buffers[0].length() + buffers[1].length(), size); +} + +TEST(GrpcCodecTest, decodeMultipleFramesOverLimit) { + Buffer::OwnedImpl buffer; + std::array header; + Encoder encoder; + + // First frame is valid (i.e. within max_frame_length limit). + helloworld::HelloRequest request; + request.set_name("hello"); + encoder.newFrame(GRPC_FH_DEFAULT, request.ByteSize(), header); + buffer.add(header.data(), 5); + buffer.add(request.SerializeAsString()); + + // Second frame is invalid (i.e. exceeds max_frame_length). + helloworld::HelloRequest overlimit_request; + std::string test_str = std::string(64 * 1024, 'a'); + overlimit_request.set_name(test_str); + encoder.newFrame(GRPC_FH_DEFAULT, overlimit_request.ByteSize(), header); + buffer.add(header.data(), 5); + buffer.add(overlimit_request.SerializeAsString()); + + size_t size = buffer.length(); + + std::vector frames; + Decoder decoder; + decoder.setMaxFrameLength(32 * 1024); + + EXPECT_FALSE(decoder.decode(buffer, frames)); + // When the decoder doesn't successfully decode, it puts valid frames up until + // an oversized frame into output frame vector. + ASSERT_EQ(frames.size(), 1); + // First frame is successfully decoded. + EXPECT_EQ(frames[0].length_, request.ByteSize()); + // Buffer does not get drained due to it returning false. + EXPECT_EQ(buffer.length(), size); + // Only part of the buffer represented a valid frame. Thus, the frame length should not equal the + // buffer length. + EXPECT_NE(frames[0].length_, size); +} + TEST(GrpcCodecTest, FrameInspectorTest) { { Buffer::OwnedImpl buffer; From 4af52310675fbaf7d1e05cf89134332421c8ba2e Mon Sep 17 00:00:00 2001 
From: Fredy Wijaya Date: Wed, 6 Mar 2024 09:49:02 -0600 Subject: [PATCH 30/34] mobile: Replace std::thread with Envoy::Thread::PosixThread (#32610) This PR replaces the use of std::thread with Envoy::Thread::PosixThread (backed by pthread). The reason for this change is because std::thread may throw an exception and when exceptions are disabled, it will crash the program. For some certain code, such as the cert validation, it should not crash the program when a thread cannot be created, but it should return an error instead. This PR also refactors the POSIX thread wrapper implementation and exposes the APIs via Envoy::Thread::PosixThreadFactory and Envoy::Thread::PosixThread so that they can be used directly by Envoy Mobile since Envoy Mobile only supports Android and iOS and those OSes support POSIX. The Envoy::Thread::PosixThread has additional functions not available in Envoy::Thread::Thread, such as pthreadId() and joinable() to make the migration from std::thread to Envoy::Thread::PosixThread easier. The Envoy::PosixThread::pthreadId() is especially useful for doing a comparison with Envoy::PosixThreadFactory::currentPthreadId(). 
Signed-off-by: Fredy Wijaya --- mobile/library/cc/engine_builder.cc | 4 +- mobile/library/common/BUILD | 1 + mobile/library/common/engine_common.cc | 3 +- mobile/library/common/engine_common.h | 6 +- .../cert_validator/platform_bridge/BUILD | 3 + .../platform_bridge_cert_validator.cc | 42 ++-- .../platform_bridge_cert_validator.h | 19 +- mobile/library/common/internal_engine.cc | 47 +++-- mobile/library/common/internal_engine.h | 15 +- mobile/test/common/BUILD | 1 + mobile/test/common/engine_common_test.cc | 2 +- .../cert_validator/platform_bridge/BUILD | 1 + .../platform_bridge_cert_validator_test.cc | 43 +++- mobile/test/common/internal_engine_test.cc | 36 +++- source/common/common/macros.h | 4 + source/common/common/posix/thread_impl.cc | 190 +++++++++++------- source/common/common/posix/thread_impl.h | 94 ++++++++- source/exe/linux/platform_impl.cc | 2 +- source/exe/posix/platform_impl.cc | 2 +- test/common/common/thread_test.cc | 28 +++ test/mocks/thread/BUILD | 18 ++ test/mocks/thread/mocks.h | 30 +++ test/per_file_coverage.sh | 1 + test/test_common/thread_factory_for_test.cc | 2 +- tools/spelling/spelling_dictionary.txt | 1 + 25 files changed, 450 insertions(+), 145 deletions(-) create mode 100644 test/mocks/thread/BUILD create mode 100644 test/mocks/thread/mocks.h diff --git a/mobile/library/cc/engine_builder.cc b/mobile/library/cc/engine_builder.cc index 74a66e6a4dfb..8152ccef64a4 100644 --- a/mobile/library/cc/engine_builder.cc +++ b/mobile/library/cc/engine_builder.cc 
@@ -929,14 +929,14 @@ EngineSharedPtr EngineBuilder::build() { Engine* engine = new Engine(envoy_engine); - auto options = std::make_unique(); + auto options = std::make_shared(); std::unique_ptr bootstrap = generateBootstrap(); if (bootstrap) { options->setConfigProto(std::move(bootstrap)); } ENVOY_BUG(options->setLogLevel(logLevelToString(log_level_)).ok(), "invalid log level"); options->setConcurrency(1); - envoy_engine->run(std::move(options)); + envoy_engine->run(options); // we can't construct via std::make_shared // because Engine is only constructible as a friend diff --git a/mobile/library/common/BUILD b/mobile/library/common/BUILD index b955b2db2d36..f2c47473ceaa 100644 --- a/mobile/library/common/BUILD +++ b/mobile/library/common/BUILD @@ -35,6 +35,7 @@ envoy_cc_library( "//library/common/types:c_types_lib", "@envoy//envoy/server:lifecycle_notifier_interface", "@envoy//envoy/stats:stats_interface", + "@envoy//source/common/common:thread_impl_lib_posix", "@envoy//source/common/runtime:runtime_lib", "@envoy_build_config//:extension_registry", ], diff --git a/mobile/library/common/engine_common.cc b/mobile/library/common/engine_common.cc index a7f5fb3bcfec..7cfe535ae3ec 100644 --- a/mobile/library/common/engine_common.cc +++ b/mobile/library/common/engine_common.cc @@ -67,8 +67,7 @@ class ServerLite : public Server::InstanceBase { } }; -EngineCommon::EngineCommon(std::unique_ptr&& options) - : options_(std::move(options)) { +EngineCommon::EngineCommon(std::shared_ptr options) : options_(options) { #if !defined(ENVOY_ENABLE_FULL_PROTOS) registerMobileProtoDescriptors(); diff --git a/mobile/library/common/engine_common.h b/mobile/library/common/engine_common.h index f96722c63c69..a098ac59ce72 100644 --- a/mobile/library/common/engine_common.h +++ b/mobile/library/common/engine_common.h 
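Review bot: `EngineCommon::EngineCommon` takes `options` by value and then copies it into the member, which costs an extra atomic refcount round-trip for nothing; move it instead: `: options_(std::move(options)) {`. The reason for widening ownership from `unique_ptr` to shared ownership here (and for `base_` in the header hunk) is not visible anywhere in this patch, so a one-line comment on `options_` naming who else holds a reference would save the next reader the archaeology. The constructor body continues past the hunk.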
@@ -22,7 +22,7 @@ namespace Envoy { */ class EngineCommon { public: - EngineCommon(std::unique_ptr&& options); + EngineCommon(std::shared_ptr options); bool run() { base_->runServer(); return true; @@ -41,11 +41,11 @@ class EngineCommon { Envoy::SignalAction handle_sigs_; Envoy::TerminateHandler log_on_terminate_; #endif - std::unique_ptr options_; + std::shared_ptr options_; Event::RealTimeSystem real_time_system_; // NO_CHECK_FORMAT(real_time) DefaultListenerHooks default_listener_hooks_; ProdComponentFactory prod_component_factory_; - std::unique_ptr base_; + std::shared_ptr base_; }; } // namespace Envoy diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD b/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD index bf2371bba072..79553a0b1963 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/BUILD @@ -35,6 +35,9 @@ envoy_cc_library( ":c_types_lib", ":platform_bridge_cc_proto", "//library/common/system:system_helper_lib", + "@envoy//envoy/thread:thread_interface", + "@envoy//source/common/common:macros", + "@envoy//source/common/common:thread_impl_lib_posix", "@envoy//source/common/tls/cert_validator:cert_validator_lib", ], ) diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc index 602c0b1e4213..9860ee3cec49 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc @@ -2,7 +2,6 @@ #include #include -#include #include "library/common/data/utility.h" #include "library/common/system/system_helper.h" 
@@ -13,22 +12,27 @@ namespace TransportSockets { namespace Tls { PlatformBridgeCertValidator::PlatformBridgeCertValidator( - const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats) + const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + Thread::PosixThreadFactoryPtr thread_factory) : allow_untrusted_certificate_(config != nullptr && config->trustChainVerification() == envoy::extensions::transport_sockets::tls::v3:: CertificateValidationContext::ACCEPT_UNTRUSTED), - stats_(stats) { + stats_(stats), thread_factory_(std::move(thread_factory)) { ENVOY_BUG(config != nullptr && config->caCert().empty() && config->certificateRevocationList().empty(), "Invalid certificate validation context config."); } +PlatformBridgeCertValidator::PlatformBridgeCertValidator( + const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats) + : PlatformBridgeCertValidator(config, stats, Thread::PosixThreadFactory::create()) {} + PlatformBridgeCertValidator::~PlatformBridgeCertValidator() { // Wait for validation threads to finish. for (auto& [id, job] : validation_jobs_) { - if (job.validation_thread_.joinable()) { - job.validation_thread_.join(); + if (job.validation_thread_->joinable()) { + job.validation_thread_->join(); } } } 
@@ -84,10 +88,19 @@ ValidationResults PlatformBridgeCertValidator::doVerifyCertChain( ValidationJob job; job.result_callback_ = std::move(callback); - job.validation_thread_ = - std::thread(&verifyCertChainByPlatform, &(job.result_callback_->dispatcher()), - std::move(certs), std::string(host), std::move(subject_alt_names), this); - std::thread::id thread_id = job.validation_thread_.get_id(); + Event::Dispatcher& dispatcher = job.result_callback_->dispatcher(); + job.validation_thread_ = thread_factory_->createThread( + [this, &dispatcher, certs = std::move(certs), host = std::string(host), + subject_alt_names = std::move(subject_alt_names)]() -> void { + verifyCertChainByPlatform(&dispatcher, certs, host, subject_alt_names, this); + }, + /* options= */ absl::nullopt, /* crash_on_failure=*/false); + if (job.validation_thread_ == nullptr) { + return {ValidationResults::ValidationStatus::Failed, + Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, + "Failed creating a thread for cert chain validation."}; + } + Thread::ThreadId thread_id = job.validation_thread_->pthreadId(); validation_jobs_[thread_id] = std::move(job); return {ValidationResults::ValidationStatus::Pending, Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt}; @@ -146,7 +159,7 @@ void PlatformBridgeCertValidator::postVerifyResultAndCleanUp(bool success, std:: dispatcher->post([weak_alive_indicator, success, hostname = std::move(hostname), error = std::string(error_details), tls_alert, failure_type, - thread_id = std::this_thread::get_id(), parent]() { + thread_id = parent->thread_factory_->currentPthreadId(), parent]() { if (weak_alive_indicator.expired()) { return; } 
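Review bot: The lambda handed to `createThread` captures `certs` and `subject_alt_names` by move but then passes them to `verifyCertChainByPlatform` as lvalues, whereas the replaced `std::thread` call moved them through; if that helper takes them by value (its signature is outside the hunk) every validation now copies the certificate chain once more. Marking the lambda `mutable` and calling `verifyCertChainByPlatform(&dispatcher, std::move(certs), host, std::move(subject_alt_names), this);` restores the previous cost. Returning `ValidationStatus::Failed` when the thread cannot be created is the right, fail-closed outcome, but the failure is silent apart from the error string; if `SslStats` has a suitable counter, bump it on that path so a device hitting its thread limit shows up in metrics instead of as unexplained handshake failures. `doVerifyCertChain` starts before the hunk.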
@@ -154,9 +167,10 @@ void PlatformBridgeCertValidator::postVerifyResultAndCleanUp(bool success, std:: }); } -void PlatformBridgeCertValidator::onVerificationComplete(std::thread::id thread_id, - std::string hostname, bool success, - std::string error, uint8_t tls_alert, +void PlatformBridgeCertValidator::onVerificationComplete(const Thread::ThreadId& thread_id, + const std::string& hostname, bool success, + const std::string& error, + uint8_t tls_alert, ValidationFailureType failure_type) { ENVOY_LOG(trace, "Got validation result for {} from platform", hostname); @@ -166,7 +180,7 @@ void PlatformBridgeCertValidator::onVerificationComplete(std::thread::id thread_ return; } ValidationJob& job = job_handle.mapped(); - job.validation_thread_.join(); + job.validation_thread_->join(); Ssl::ClientValidationStatus detailed_status = Envoy::Ssl::ClientValidationStatus::NotValidated; switch (failure_type) { diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h index 42587bbb546c..39e114be795e 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h @@ -1,7 +1,8 @@ #pragma once -#include - +#include "source/common/common/macros.h" +#include "source/common/common/posix/thread_impl.h" +#include "source/common/common/thread.h" #include "source/common/tls/cert_validator/default_validator.h" #include "absl/container/flat_hash_map.h" @@ -55,6 +56,11 @@ class PlatformBridgeCertValidator : public CertValidator, Logger::Loggable validation_jobs_; + absl::flat_hash_map validation_jobs_; std::shared_ptr alive_indicator_{new size_t(1)}; + Thread::PosixThreadFactoryPtr thread_factory_; }; } // namespace Tls 
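Review bot: `validation_jobs_` is now keyed by a pthread id rather than a `std::thread::id`, and POSIX allows a pthread_t to be reused once the thread has been joined, so the map entry must be removed before `join()` or a later job could collide with a stale key; onVerificationComplete appears to do this (it takes `job_handle.mapped()` and only then joins), but the rule should be documented on the member: `// Keyed by pthread id; extract the entry before join(), since ids can be reused after a join.` The destructor's joins iterate the map without extracting, which is fine because no new jobs can be added during destruction.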
diff --git a/mobile/library/common/internal_engine.cc b/mobile/library/common/internal_engine.cc index cb0caf553c8f..9269ba676678 100644 --- a/mobile/library/common/internal_engine.cc +++ b/mobile/library/common/internal_engine.cc @@ -16,9 +16,10 @@ static std::atomic current_stream_handle_{0}; envoy_stream_t InternalEngine::initStream() { return current_stream_handle_++; } InternalEngine::InternalEngine(envoy_engine_callbacks callbacks, envoy_logger logger, - envoy_event_tracker event_tracker) - : callbacks_(callbacks), logger_(logger), event_tracker_(event_tracker), - dispatcher_(std::make_unique()) { + envoy_event_tracker event_tracker, + Thread::PosixThreadFactoryPtr thread_factory) + : thread_factory_(std::move(thread_factory)), callbacks_(callbacks), logger_(logger), + event_tracker_(event_tracker), dispatcher_(std::make_unique()) { ExtensionRegistry::registerFactories(); // TODO(Augustyniak): Capturing an address of event_tracker_ and registering it in the API 
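Review bot: The new four-argument constructor stores `thread_factory` without checking for null, and since this overload is the one tests reach directly, a nullptr would only surface later as a crash inside `run()`; either `ASSERT(thread_factory_ != nullptr);` in the body or a one-line comment that the delegating constructor guarantees a real factory would make the contract explicit. The constructor's remaining body continues outside the hunk.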
@@ -32,12 +33,13 @@ InternalEngine::InternalEngine(envoy_engine_callbacks callbacks, envoy_logger lo Runtime::maybeSetRuntimeGuard("envoy.reloadable_features.dfp_mixed_scheme", true); } +InternalEngine::InternalEngine(envoy_engine_callbacks callbacks, envoy_logger logger, + envoy_event_tracker event_tracker) + : InternalEngine(callbacks, logger, event_tracker, Thread::PosixThreadFactory::create()) {} + envoy_status_t InternalEngine::run(const std::string& config, const std::string& log_level) { - // Start the Envoy on the dedicated thread. Note: due to how the assignment operator works with - // std::thread, main_thread_ is the same object after this call, but its state is replaced with - // that of the temporary. The temporary object's state becomes the default state, which does - // nothing. - auto options = std::make_unique(); + // Start the Envoy on the dedicated thread. + auto options = std::make_shared(); options->setConfigYaml(config); if (!log_level.empty()) { ENVOY_BUG(options->setLogLevel(log_level).ok(), "invalid log level"); 
@@ -46,12 +48,17 @@ envoy_status_t InternalEngine::run(const std::string& config, const std::string& return run(std::move(options)); } -envoy_status_t InternalEngine::run(std::unique_ptr&& options) { - main_thread_ = std::thread(&InternalEngine::main, this, std::move(options)); - return ENVOY_SUCCESS; +// This function takes a `std::shared_ptr` instead of `std::unique_ptr` because `std::function` is a +// copy-constructible type, so it's not possible to move capture `std::unique_ptr` with +// `std::function`. +envoy_status_t InternalEngine::run(std::shared_ptr options) { + main_thread_ = + thread_factory_->createThread([this, options]() mutable -> void { main(options); }, + /* options= */ absl::nullopt, /* crash_on_failure= */ false); + return (main_thread_ != nullptr) ? ENVOY_SUCCESS : ENVOY_FAILURE; } -envoy_status_t InternalEngine::main(std::unique_ptr&& options) { +envoy_status_t InternalEngine::main(std::shared_ptr options) { // Using unique_ptr ensures main_common's lifespan is strictly scoped to this function. std::unique_ptr main_common; { @@ -81,7 +88,7 @@ envoy_status_t InternalEngine::main(std::unique_ptr&& op std::make_unique(log_mutex_, Logger::Registry::getSink()); } - main_common = std::make_unique(std::move(options)); + main_common = std::make_unique(options); server_ = main_common->server(); event_dispatcher_ = &server_->dispatcher(); @@ -150,8 +157,12 @@ envoy_status_t InternalEngine::terminate() { IS_ENVOY_BUG("attempted to double terminate engine"); return ENVOY_FAILURE; } + // The Engine could not be created. + if (main_thread_ == nullptr) { + return ENVOY_FAILURE; + } // If main_thread_ has finished (or hasn't started), there's nothing more to do. - if (!main_thread_.joinable()) { + if (!main_thread_->joinable()) { return ENVOY_FAILURE; } 
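Review bot: When `createThread` returns nullptr, `run()` returns `ENVOY_FAILURE` but nothing fires the engine's `on_exit` (or `on_engine_running`) callback, so an embedder that blocks on those callbacks after construction will wait forever; either invoke the exit callback on this path or document the contract: `// On ENVOY_FAILURE the engine never started and no engine callbacks will fire.` The callback plumbing lives in main(), whose body is outside this hunk, so I cannot confirm nothing else signals the failure. The comment above run() could also note that the closure keeps `options` alive for the whole lifetime of the main thread, a consequence of the shared_ptr change.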
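Review bot: The new `main_thread_ == nullptr` early return in `terminate()` leaves `terminated_` false, so after a failed `run()` the engine reports `isTerminated() == false` forever and repeated calls take the same silent path instead of the double-terminate check; if a never-started engine should count as terminated, add `terminated_ = true;` before the return, otherwise document the state: `// run() failed to create the main thread; nothing to tear down and the engine is never marked terminated.` The test added later in this patch asserts only the return value, so either choice is currently unpinned.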
@@ -170,7 +181,7 @@ envoy_status_t InternalEngine::terminate() { dispatcher_->post([this]() { http_client_->shutdownApiListener(); }); // Exit the event loop and finish up in Engine::run(...) - if (std::this_thread::get_id() == main_thread_.get_id()) { + if (thread_factory_->currentPthreadId() == main_thread_->pthreadId()) { // TODO(goaway): figure out some way to support this. PANIC("Terminating the engine from its own main thread is currently unsupported."); } else { @@ -178,8 +189,8 @@ envoy_status_t InternalEngine::terminate() { } } // lock(_mutex) - if (std::this_thread::get_id() != main_thread_.get_id()) { - main_thread_.join(); + if (thread_factory_->currentPthreadId() != main_thread_->pthreadId()) { + main_thread_->join(); } terminated_ = true; return ENVOY_SUCCESS; @@ -265,7 +276,7 @@ void handlerStats(Stats::Store& stats, Buffer::Instance& response) { } std::string InternalEngine::dumpStats() { - if (!main_thread_.joinable()) { + if (!main_thread_->joinable()) { return ""; } diff --git a/mobile/library/common/internal_engine.h b/mobile/library/common/internal_engine.h index 0b45ae95bde1..3ac09ced5d07 100644 --- a/mobile/library/common/internal_engine.h +++ b/mobile/library/common/internal_engine.h @@ -4,6 +4,9 @@ #include "envoy/stats/store.h" #include "source/common/common/logger.h" +#include "source/common/common/macros.h" +#include "source/common/common/posix/thread_impl.h" +#include "source/common/common/thread.h" #include "absl/base/call_once.h" #include "extension_registry.h" @@ -37,7 +40,7 @@ class InternalEngine : public Logger::Loggable { * @param log_level, the log level. */ envoy_status_t run(const std::string& config, const std::string& log_level); - envoy_status_t run(std::unique_ptr&& options); + envoy_status_t run(std::shared_ptr options); /** * Immediately terminate the engine, if running. Calling this function when 
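Review bot: `dumpStats()` now dereferences `main_thread_` unconditionally, but on the thread-creation failure path this patch adds to `run()` `main_thread_` stays nullptr, so calling dumpStats on such an engine is a null dereference; guard it the way terminate() does: `if (main_thread_ == nullptr || !main_thread_->joinable()) { return ""; }`. terminate() received this check in the `@@ -150` hunk but dumpStats did not.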
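Review bot: The new `run(std::shared_ptr options)` declaration has no doc comment while the string overload directly above it documents its parameters; add one stating why it takes shared ownership (the closure handed to the thread factory must be copyable) and that it returns `ENVOY_FAILURE` when the main thread cannot be created, leaving the engine unusable: `@return ENVOY_FAILURE if the main thread could not be created; the engine never runs in that case.`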
@@ -118,10 +121,16 @@ class InternalEngine : public Logger::Loggable { Stats::Store& getStatsStore(); private: - envoy_status_t main(std::unique_ptr&& options); + GTEST_FRIEND_CLASS(InternalEngineTest, ThreadCreationFailed); + + InternalEngine(envoy_engine_callbacks callbacks, envoy_logger logger, + envoy_event_tracker event_tracker, Thread::PosixThreadFactoryPtr thread_factory); + + envoy_status_t main(std::shared_ptr options); static void logInterfaces(absl::string_view event, std::vector& interfaces); + Thread::PosixThreadFactoryPtr thread_factory_; Event::Dispatcher* event_dispatcher_{}; Stats::ScopeSharedPtr client_scope_; Stats::StatNameSetPtr stat_name_set_; @@ -142,7 +151,7 @@ class InternalEngine : public Logger::Loggable { Server::ServerLifecycleNotifier::HandlePtr postinit_callback_handler_; // main_thread_ should be destroyed first, hence it is the last member variable. Objects with // instructions scheduled on the main_thread_ need to have a longer lifetime. - std::thread main_thread_{}; // Empty placeholder to be populated later. + Thread::PosixThreadPtr main_thread_{nullptr}; // Empty placeholder to be populated later. bool terminated_{false}; }; diff --git a/mobile/test/common/BUILD b/mobile/test/common/BUILD index 91686f69ecef..d44bd610c643 100644 --- a/mobile/test/common/BUILD +++ b/mobile/test/common/BUILD @@ -32,6 +32,7 @@ envoy_cc_test( "//test/common/mocks/common:common_mocks", "//test/common/mocks/event:event_mocks", "@envoy//test/common/http:common_lib", + "@envoy//test/mocks/thread:thread_mocks", "@envoy_build_config//:test_extensions", ], ) diff --git a/mobile/test/common/engine_common_test.cc b/mobile/test/common/engine_common_test.cc index ffb511fa51a6..54a2d741ff53 100644 --- a/mobile/test/common/engine_common_test.cc +++ b/mobile/test/common/engine_common_test.cc 
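Review bot: The comment kept on the changed line, `main_thread_ should be destroyed first, hence it is the last member variable`, is false: `bool terminated_{false};` is declared after it, and the ordering matters more now because this patch's `~PosixThread` asserts the thread was joined and deletes its handle, so an engine destroyed while running fails differently than the old `std::thread` member (which called std::terminate). Move `terminated_` above `main_thread_` or reword the comment; also `{nullptr}` on a unique_ptr is redundant, `Thread::PosixThreadPtr main_thread_;` is the idiomatic form.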
@@ -7,7 +7,7 @@ namespace Envoy { TEST(EngineCommonTest, SignalHandlingFalse) { ExtensionRegistry::registerFactories(); - auto options = std::make_unique(); + auto options = std::make_shared(); Platform::EngineBuilder builder; options->setConfigProto(builder.generateBootstrap()); diff --git a/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD b/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD index 2956e5eeed83..1c743e436a73 100644 --- a/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD +++ b/mobile/test/common/extensions/cert_validator/platform_bridge/BUILD @@ -25,6 +25,7 @@ envoy_extension_cc_test( "@envoy//test/common/tls/test_data:cert_infos", "@envoy//test/mocks/event:event_mocks", "@envoy//test/mocks/ssl:ssl_mocks", + "@envoy//test/mocks/thread:thread_mocks", "@envoy//test/test_common:environment_lib", "@envoy//test/test_common:file_system_for_test_lib", "@envoy//test/test_common:test_runtime_lib", diff --git a/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc b/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc index 2d05403d394a..e5e4e6391641 100644 --- a/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc +++ b/mobile/test/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator_test.cc @@ -2,7 +2,6 @@ #include #include "source/common/buffer/buffer_impl.h" -#include "source/common/crypto/crypto_impl.h" #include "source/common/crypto/utility.h" #include "source/common/network/transport_socket_options_impl.h" #include "source/common/tls/cert_validator/default_validator.h" 
@@ -16,6 +15,7 @@ #include "test/common/tls/test_data/san_dns2_cert_info.h" #include "test/mocks/event/mocks.h" #include "test/mocks/ssl/mocks.h" +#include "test/mocks/thread/mocks.h" #include "test/test_common/environment.h" #include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" @@ -32,6 +32,7 @@ using SSLContextPtr = Envoy::CSmartPtr; using envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext; using testing::_; +using testing::ByMove; using testing::NiceMock; using testing::Return; using testing::ReturnRef; @@ -63,11 +64,12 @@ class PlatformBridgeCertValidatorTest : public testing::TestWithParam { protected: PlatformBridgeCertValidatorTest() - : api_(Api::createApiForTest()), dispatcher_(api_->allocateDispatcher("test_thread")), + : thread_factory_(Thread::PosixThreadFactory::create()), api_(Api::createApiForTest()), + dispatcher_(api_->allocateDispatcher("test_thread")), stats_(generateSslStats(*test_store_.rootScope())), ssl_ctx_(SSL_CTX_new(TLS_method())), callback_(std::make_unique()), is_server_(false), mock_validator_(std::make_unique()), - main_thread_id_(std::this_thread::get_id()), + main_thread_id_(thread_factory_->currentPthreadId()), helper_handle_(test::SystemHelperPeer::replaceSystemHelper()) { ON_CALL(helper_handle_->mock_helper(), validateCertificateChain(_, _)) .WillByDefault(WithArgs<0, 1>(Invoke(this, &PlatformBridgeCertValidatorTest::validate))); @@ -86,7 +88,7 @@ class PlatformBridgeCertValidatorTest ~PlatformBridgeCertValidatorTest() { mock_validator_.reset(); - main_thread_id_ = std::thread::id(); + main_thread_id_ = thread_factory_->currentPthreadId(); Envoy::Assert::resetEnvoyBugCountersForTest(); } 
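Review bot: Reassigning `main_thread_id_ = thread_factory_->currentPthreadId();` in the fixture destructor has no observable purpose, since the fixture is being torn down and the old code only reset the id to a default; either drop the line or keep a comment explaining what it is meant to catch. The destructor still resets `mock_validator_` first, so the ordering of those two statements is not affected.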
@@ -104,7 +106,7 @@ class PlatformBridgeCertValidatorTest envoy_cert_validation_result validate(const std::vector& certs, absl::string_view hostname) { // Validate must be called on the worker thread, not the main thread. - EXPECT_NE(main_thread_id_, std::this_thread::get_id()); + EXPECT_NE(main_thread_id_, thread_factory_->currentPthreadId()); // Make sure the cert was converted correctly. const Buffer::InstancePtr buffer(new Buffer::OwnedImpl(certs[0])); @@ -115,10 +117,11 @@ class PlatformBridgeCertValidatorTest void cleanup() { // Validate must be called on the worker thread, not the main thread. - EXPECT_NE(main_thread_id_, std::this_thread::get_id()); + EXPECT_NE(main_thread_id_, thread_factory_->currentPthreadId()); mock_validator_->cleanup(); } + Thread::PosixThreadFactoryPtr thread_factory_; Api::ApiPtr api_; Event::DispatcherPtr dispatcher_; Stats::TestUtil::TestStore test_store_; @@ -131,7 +134,7 @@ class PlatformBridgeCertValidatorTest std::unique_ptr callback_; bool is_server_; std::unique_ptr mock_validator_; - std::thread::id main_thread_id_; + Thread::ThreadId main_thread_id_; std::unique_ptr helper_handle_; }; @@ -222,7 +225,7 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificate) { EXPECT_CALL(callback_ref, onCertValidationResult(true, Envoy::Ssl::ClientValidationStatus::Validated, "", 46)) .WillOnce(Invoke([this]() { - EXPECT_EQ(main_thread_id_, std::this_thread::get_id()); + EXPECT_EQ(main_thread_id_, thread_factory_->currentPthreadId()); dispatcher_->exit(); })); EXPECT_FALSE(waitForDispatcherToExit()); @@ -257,7 +260,7 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptySanOverrides) { EXPECT_CALL(callback_ref, onCertValidationResult(true, Envoy::Ssl::ClientValidationStatus::Validated, "", 46)) .WillOnce(Invoke([this]() { - EXPECT_EQ(main_thread_id_, std::this_thread::get_id()); + EXPECT_EQ(main_thread_id_, thread_factory_->currentPthreadId()); dispatcher_->exit(); })); EXPECT_FALSE(waitForDispatcherToExit()); 
@@ -292,7 +295,7 @@ TEST_P(PlatformBridgeCertValidatorTest, ValidCertificateEmptyHostNoOverrides) { EXPECT_CALL(callback_ref, onCertValidationResult(true, Envoy::Ssl::ClientValidationStatus::Validated, "", 46)) .WillOnce(Invoke([this]() { - EXPECT_EQ(main_thread_id_, std::this_thread::get_id()); + EXPECT_EQ(main_thread_id_, thread_factory_->currentPthreadId()); dispatcher_->exit(); })); EXPECT_FALSE(waitForDispatcherToExit()); @@ -389,6 +392,26 @@ TEST_P(PlatformBridgeCertValidatorTest, DeletedWithValidationPending) { EXPECT_TRUE(waitForDispatcherToExit()); } +TEST_P(PlatformBridgeCertValidatorTest, ThreadCreationFailed) { + initializeConfig(); + auto thread_factory = std::make_unique(); + EXPECT_CALL(*thread_factory, createThread(_, _, false)).WillOnce(Return(ByMove(nullptr))); + PlatformBridgeCertValidator validator(&config_, stats_, std::move(thread_factory)); + + std::string hostname = "server1.example.com"; + bssl::UniquePtr cert_chain = readCertChainFromFile( + TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns2_cert.pem")); + auto& callback_ref = *callback_; + EXPECT_CALL(callback_ref, dispatcher()).WillRepeatedly(ReturnRef(*dispatcher_)); + + ValidationResults results = + validator.doVerifyCertChain(*cert_chain, std::move(callback_), transport_socket_options_, + *ssl_ctx_, validation_context_, is_server_, hostname); + EXPECT_EQ(ValidationResults::ValidationStatus::Failed, results.status); + EXPECT_EQ(Ssl::ClientValidationStatus::NotValidated, results.detailed_status); + EXPECT_EQ("Failed creating a thread for cert chain validation.", *results.error_details); +} + } // namespace Tls } // namespace TransportSockets } // namespace Extensions diff --git a/mobile/test/common/internal_engine_test.cc b/mobile/test/common/internal_engine_test.cc index 22e91ac3094c..93fc7b440a98 100644 --- a/mobile/test/common/internal_engine_test.cc +++ b/mobile/test/common/internal_engine_test.cc 
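Review bot: `*results.error_details` at the end of the new ThreadCreationFailed test dereferences an optional without checking it is engaged, so a regression that drops the message would be undefined behaviour inside the test rather than a clean failure; add `ASSERT_TRUE(results.error_details.has_value());` before the string comparison. It would also be worth asserting that the third field (the TLS alert) is empty, since the failure path deliberately sends no alert. This test only exercises the mocked factory; per_file_coverage.sh in this patch records that a real pthread_create failure remains untested.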
@@ -4,6 +4,7 @@ #include "test/common/http/common.h" #include "test/common/mocks/common/mocks.h" +#include "test/mocks/thread/mocks.h" #include "absl/synchronization/notification.h" #include "gtest/gtest.h" @@ -17,6 +18,7 @@ namespace Envoy { using testing::_; +using testing::ByMove; using testing::HasSubstr; using testing::Return; using testing::ReturnRef; @@ -114,8 +116,6 @@ struct EngineTestContext { // between the main thread and the engine thread both writing to the // Envoy::Logger::current_log_context global. struct TestEngine { - std::unique_ptr engine_; - envoy_engine_t handle() const { return reinterpret_cast(engine_.get()); } TestEngine(envoy_engine_callbacks callbacks, const std::string& level) { engine_.reset(new Envoy::InternalEngine(callbacks, {}, {})); Platform::EngineBuilder builder; @@ -124,14 +124,13 @@ struct TestEngine { engine_->run(yaml, level); } + envoy_engine_t handle() const { return reinterpret_cast(engine_.get()); } + envoy_status_t terminate() const { return engine_->terminate(); } + [[nodiscard]] bool isTerminated() const { return engine_->isTerminated(); } - ~TestEngine() { - if (!engine_->isTerminated()) { - engine_->terminate(); - } - } + std::unique_ptr engine_; }; // Transform C map to C++ map. 
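Review bot: Removing `~TestEngine()`'s terminate-if-running means any test in this file that exits early (a failed ASSERT, an exception) now destroys `engine_` while its main thread is running; with this patch's `PosixThread` that trips `ASSERT(joined_)` in debug builds and deletes the live thread's handle in release builds, where the old `std::thread` member would at least have called std::terminate. If the destructor was dropped because explicit `terminate()` calls are now required, keep a guard such as `~TestEngine() { if (!engine_->isTerminated()) { engine_->terminate(); } }` or state in a comment why tests must terminate explicitly.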
@@ -664,4 +663,27 @@ TEST_F(InternalEngineTest, SetLogger) { EXPECT_EQ(engine->terminate(), ENVOY_SUCCESS); } +TEST_F(InternalEngineTest, ThreadCreationFailed) { + const std::string level = "debug"; + EngineTestContext engine_cbs_context{}; + envoy_engine_callbacks engine_cbs{[](void* context) -> void { + auto* engine_running = + static_cast(context); + engine_running->on_engine_running.Notify(); + } /*on_engine_running*/, + [](void* context) -> void { + auto* exit = static_cast(context); + exit->on_exit.Notify(); + } /*on_exit*/, + &engine_cbs_context /*context*/}; + auto thread_factory = std::make_unique(); + EXPECT_CALL(*thread_factory, createThread(_, _, false)).WillOnce(Return(ByMove(nullptr))); + std::unique_ptr engine( + new Envoy::InternalEngine(engine_cbs, {}, {}, std::move(thread_factory))); + envoy_status_t status = engine->run(BUFFERED_TEST_CONFIG, level); + EXPECT_EQ(status, ENVOY_FAILURE); + // Calling `terminate()` should not crash. + EXPECT_EQ(engine->terminate(), ENVOY_FAILURE); +} + } // namespace Envoy diff --git a/source/common/common/macros.h b/source/common/common/macros.h index f2b06b84f340..75032a0f1dc0 100644 --- a/source/common/common/macros.h +++ b/source/common/common/macros.h @@ -57,4 +57,8 @@ namespace Envoy { #if (defined(__GNUC__) && !defined(__clang__)) #define GCC_COMPILER #endif + +#define GTEST_FRIEND_CLASS(test_case_name, test_name) \ + friend class test_case_name##_##test_name##_Test + } // namespace Envoy diff --git a/source/common/common/posix/thread_impl.cc b/source/common/common/posix/thread_impl.cc index e935ac53c11b..e89fb16382c3 100644 --- a/source/common/common/posix/thread_impl.cc +++ b/source/common/common/posix/thread_impl.cc @@ -1,5 +1,8 @@ +#include "source/common/common/posix/thread_impl.h" + +#include "envoy/thread/thread.h" + #include "source/common/common/assert.h" -#include "source/common/common/thread_impl.h" #include "absl/strings/str_cat.h" 
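Review bot: The new InternalEngineTest.ThreadCreationFailed wires `on_engine_running` and `on_exit` notifications but never asserts on them, so the test does not pin whether a failed run() is expected to fire either callback; add `EXPECT_FALSE(engine_cbs_context.on_engine_running.HasBeenNotified());` and the matching check for `on_exit` (or the opposite, if an exit signal is the intended contract) so the embedder-visible behaviour is covered. The context field names are inferred from the lambdas in this hunk.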
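Review bot: `GTEST_FRIEND_CLASS` reproduces gtest's own `FRIEND_TEST` macro from `gtest/gtest_prod.h` token for token, so a reader will wonder why the standard one is not used; if the reason is to keep gtest headers out of production code, say so above the define: `// Equivalent to gtest's FRIEND_TEST without pulling gtest_prod.h into production headers.` Placing the `#define` inside `namespace Envoy {` has no scoping effect; it could sit next to the compiler-detection macros above it.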
@@ -31,93 +34,142 @@ int64_t getCurrentThreadId() { // so we need to truncate the string_view to 15 bytes. #define PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE 16 +ThreadHandle::ThreadHandle(std::function thread_routine) + : thread_routine_(thread_routine) {} + +/** Returns the thread routine. */ +std::function& ThreadHandle::routine() { return thread_routine_; }; + +/** Returns the thread handle. */ +pthread_t& ThreadHandle::handle() { return thread_handle_; } + /** * Wrapper for a pthread thread. We don't use std::thread because it eats exceptions and leads to * unusable stack traces. */ -class ThreadImplPosix : public Thread { -public: - ThreadImplPosix(std::function thread_routine, OptionsOptConstRef options) - : thread_routine_(std::move(thread_routine)) { - if (options) { - name_ = options->name_.substr(0, PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE - 1); - } - RELEASE_ASSERT(Logger::Registry::initialized(), ""); - const int rc = pthread_create( - &thread_handle_, nullptr, - [](void* arg) -> void* { - static_cast(arg)->thread_routine_(); - return nullptr; - }, - this); - RELEASE_ASSERT(rc == 0, ""); +PosixThread::PosixThread(ThreadHandle* thread_handle, OptionsOptConstRef options) + : thread_handle_(thread_handle) { + if (options) { + name_ = options->name_.substr(0, PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE - 1); + } #if SUPPORTS_PTHREAD_NAMING - // If the name was not specified, get it from the OS. If the name was - // specified, write it into the thread, and assert that the OS sees it the - // same way. - if (name_.empty()) { - getNameFromOS(name_); + // If the name was not specified, get it from the OS. If the name was + // specified, write it into the thread, and assert that the OS sees it the + // same way. 
+ if (name_.empty()) { + getNameFromOS(name_); + } else { + const int set_name_rc = pthread_setname_np(thread_handle_->handle(), name_.c_str()); + if (set_name_rc != 0) { + ENVOY_LOG_MISC(trace, "Error {} setting name `{}'", set_name_rc, name_); } else { - const int set_name_rc = pthread_setname_np(thread_handle_, name_.c_str()); - if (set_name_rc != 0) { - ENVOY_LOG_MISC(trace, "Error {} setting name `{}'", set_name_rc, name_); - } else { - // When compiling in debug mode, read back the thread-name from the OS, - // and verify it's what we asked for. This ensures the truncation is as - // expected, and that the OS will actually retain all the bytes of the - // name we expect. - // - // Note that the system-call to read the thread name may fail in case - // the thread exits after the call to set the name above, and before the - // call to get the name, so we can only do the assert if that call - // succeeded. - std::string check_name; - ASSERT(!getNameFromOS(check_name) || check_name == name_, - absl::StrCat("configured name=", name_, " os name=", check_name)); - } + // When compiling in debug mode, read back the thread-name from the OS, + // and verify it's what we asked for. This ensures the truncation is as + // expected, and that the OS will actually retain all the bytes of the + // name we expect. + // + // Note that the system-call to read the thread name may fail in case + // the thread exits after the call to set the name above, and before the + // call to get the name, so we can only do the assert if that call + // succeeded. 
+ std::string check_name; + ASSERT(!getNameFromOS(check_name) || check_name == name_, + absl::StrCat("configured name=", name_, " os name=", check_name)); } -#endif } +#endif +} + +PosixThread::~PosixThread() { + ASSERT(joined_); + delete thread_handle_; +} - ~ThreadImplPosix() override { ASSERT(joined_); } +std::string PosixThread::name() const { return name_; } - std::string name() const override { return name_; } +// Thread::Thread +void PosixThread::join() { + ASSERT(!joined_); + joined_ = true; + const int rc = pthread_join(thread_handle_->handle(), nullptr); + RELEASE_ASSERT(rc == 0, ""); +} - // Thread::Thread - void join() override { - ASSERT(!joined_); - joined_ = true; - const int rc = pthread_join(thread_handle_, nullptr); - RELEASE_ASSERT(rc == 0, ""); - } +bool PosixThread::joinable() const { return !joined_; } + +ThreadId PosixThread::pthreadId() const { +#if defined(__linux__) + return ThreadId(static_cast(thread_handle_->handle())); +#elif defined(__APPLE__) + uint64_t tid; + pthread_threadid_np(thread_handle_->handle(), &tid); + return ThreadId(tid); +#else +#error "Enable and test pthread id retrieval code for you arch in pthread/thread_impl.cc" +#endif +} -private: #if SUPPORTS_PTHREAD_NAMING - // Attempts to get the name from the operating system, returning true and - // updating 'name' if successful. Note that during normal operation this - // may fail, if the thread exits prior to the system call. - bool getNameFromOS(std::string& name) { - // Verify that the name got written into the thread as expected. - char buf[PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE] = {0}; - const int get_name_rc = pthread_getname_np(thread_handle_, buf, sizeof(buf)); - name = buf; - return get_name_rc == 0; - } +// Attempts to get the name from the operating system, returning true and +// updating 'name' if successful. Note that during normal operation this +// may fail, if the thread exits prior to the system call. 
+bool PosixThread::getNameFromOS(std::string& name) { + // Verify that the name got written into the thread as expected. + char buf[PTHREAD_MAX_THREADNAME_LEN_INCLUDING_NULL_BYTE] = {0}; + const int get_name_rc = pthread_getname_np(thread_handle_->handle(), buf, sizeof(buf)); + name = buf; + return get_name_rc == 0; +} #endif - std::function thread_routine_; - pthread_t thread_handle_; - std::string name_; - bool joined_{false}; +class PosixThreadFactoryImpl : public PosixThreadFactory { +public: + ThreadPtr createThread(std::function thread_routine, + OptionsOptConstRef options) override { + return createThread(thread_routine, options, /* crash_on_failure= */ true); + }; + + PosixThreadPtr createThread(std::function thread_routine, OptionsOptConstRef options, + bool crash_on_failure) override { + auto thread_handle = new ThreadHandle(thread_routine); + const int rc = pthread_create( + &thread_handle->handle(), nullptr, + [](void* arg) -> void* { + static_cast(arg)->routine()(); + return nullptr; + }, + reinterpret_cast(thread_handle)); + if (rc != 0) { + delete thread_handle; + if (crash_on_failure) { + RELEASE_ASSERT(false, fmt::format("Unable to create a thread with return code: {}", rc)); + } else { + IS_ENVOY_BUG(fmt::format("Unable to create a thread with return code: {}", rc)); + } + return nullptr; + } + return std::make_unique(thread_handle, options); + }; + + ThreadId currentThreadId() override { return ThreadId(getCurrentThreadId()); }; + + ThreadId currentPthreadId() override { +#if defined(__linux__) + return static_cast(static_cast(pthread_self())); +#elif defined(__APPLE__) + uint64_t tid; + pthread_threadid_np(pthread_self(), &tid); + return ThreadId(tid); +#else +#error "Enable and test pthread id retrieval code for you arch in pthread/thread_impl.cc" +#endif + } }; -ThreadPtr ThreadFactoryImplPosix::createThread(std::function thread_routine, - OptionsOptConstRef options) { - return std::make_unique(thread_routine, options); +PosixThreadFactoryPtr 
PosixThreadFactory::create() { + return std::make_unique(); } -ThreadId ThreadFactoryImplPosix::currentThreadId() { return ThreadId(getCurrentThreadId()); } - } // namespace Thread } // namespace Envoy diff --git a/source/common/common/posix/thread_impl.h b/source/common/common/posix/thread_impl.h index 9b373ecaceb6..2201d3e61886 100644 --- a/source/common/common/posix/thread_impl.h +++ b/source/common/common/posix/thread_impl.h 
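Review bot: `~PosixThread` deletes `thread_handle_` after only an `ASSERT(joined_)`, and ASSERT is compiled out in release builds, so a PosixThread destroyed before `join()` frees the `ThreadHandle` whose `routine()` the still-running pthread is executing through the trampoline in createThread — a use-after-free where the old `std::thread` member would have called std::terminate. Make it `RELEASE_ASSERT(joined_, "PosixThread destroyed before join()");` or join in the destructor. Two smaller issues in the same hunk: on `__APPLE__` both `pthreadId()` and `currentPthreadId()` ignore the return code of `pthread_threadid_np` and return an uninitialized `tid` on failure (initialize it and check the result), and the `crash_on_failure=false` path still routes through `IS_ENVOY_BUG`, which classifies an EAGAIN from thread exhaustion — an expected resource condition the mobile engine now deliberately survives — as a bug and, if it behaves like ENVOY_BUG in debug builds, aborts anyway. `createThread` also copies the `std::function` twice (by-value parameter, then `ThreadHandle(thread_routine)`); `std::move` at both sites avoids copying the captured certificate chain.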
@@ -4,19 +4,99 @@ #include +#include "envoy/common/platform.h" #include "envoy/thread/thread.h" namespace Envoy { namespace Thread { -/** - * Implementation of ThreadFactory - */ -class ThreadFactoryImplPosix : public ThreadFactory { +class ThreadHandle { public: - // Thread::ThreadFactory - ThreadPtr createThread(std::function thread_routine, OptionsOptConstRef options) override; - ThreadId currentThreadId() override; + explicit ThreadHandle(std::function thread_routine); + + /** Returns the thread routine. */ + std::function& routine(); + + /** Returns the thread handle. */ + pthread_t& handle(); + +private: + std::function thread_routine_; + pthread_t thread_handle_; +}; + +class PosixThread : public Thread { +public: + PosixThread(ThreadHandle* thread_handle, OptionsOptConstRef options); + ~PosixThread() override; + + // Envoy::Thread + std::string name() const override; + void join() override; + + /** + * Returns true if the thread object identifies an active thread of execution, + * false otherwise. + * A thread that has finished executing code, but has not yet been joined is + * still considered an active thread of execution and is therefore joinable. + */ + bool joinable() const; + + /** + * Returns the pthread ID. The thread ID returned from this call is the same + * thread ID returned from `pthread_self()`: + * https://man7.org/linux/man-pages/man3/pthread_self.3.html + */ + ThreadId pthreadId() const; + +private: +#if SUPPORTS_PTHREAD_NAMING + // Attempts to get the name from the operating system, returning true and + // updating 'name' if successful. Note that during normal operation this + // may fail, if the thread exits prior to the system call. 
+ bool getNameFromOS(std::string& name); +#endif + + std::function thread_routine_; + ThreadHandle* thread_handle_; + std::string name_; + bool joined_{false}; +}; + +using PosixThreadPtr = std::unique_ptr; + +class PosixThreadFactory; +using PosixThreadFactoryPtr = std::unique_ptr; + +/** An interface for POSIX `ThreadFactory` */ +class PosixThreadFactory : public ThreadFactory { +public: + // /** Creates a new instance of `PosixThreadPtr`. */ + static PosixThreadFactoryPtr create(); + + /** + * Creates a new generic thread from the specified `thread_routine`. When the + * thread cannot be created, this function will crash. + */ + ThreadPtr createThread(std::function thread_routine, OptionsOptConstRef options) PURE; + + /** + * Creates a new POSIX thread from the specified `thread_routine`. When + * `crash_on_failure` is set to true, this function will crash when the thread + * cannot be created; otherwise a `nullptr` will be returned. + */ + virtual PosixThreadPtr createThread(std::function thread_routine, + OptionsOptConstRef options, bool crash_on_failure) PURE; + + /** + * On Linux, `currentThreadId()` uses `gettid()` and it returns the kernel + * thread ID. The thread ID returned from this call is not the same as the + * thread ID returned from `currentPThreadId()`. + */ + ThreadId currentThreadId() PURE; + + /** Returns the current pthread ID. It uses `pthread_self()`. */ + virtual ThreadId currentPthreadId() PURE; }; } // namespace Thread diff --git a/source/exe/linux/platform_impl.cc b/source/exe/linux/platform_impl.cc index a1c04243eb77..63de62b11936 100644 --- a/source/exe/linux/platform_impl.cc +++ b/source/exe/linux/platform_impl.cc @@ -11,7 +11,7 @@ namespace Envoy { PlatformImpl::PlatformImpl() - : thread_factory_(std::make_unique()), + : thread_factory_(Thread::PosixThreadFactory::create()), file_system_(std::make_unique()) {} PlatformImpl::~PlatformImpl() = default; 
diff --git a/source/exe/posix/platform_impl.cc b/source/exe/posix/platform_impl.cc index 391d3be940ae..4eae6bee3b10 100644 --- a/source/exe/posix/platform_impl.cc +++ b/source/exe/posix/platform_impl.cc @@ -5,7 +5,7 @@ namespace Envoy { PlatformImpl::PlatformImpl() - : thread_factory_(std::make_unique()), + : thread_factory_(Thread::PosixThreadFactory::create()), file_system_(std::make_unique()) {} PlatformImpl::~PlatformImpl() = default; diff --git a/test/common/common/thread_test.cc b/test/common/common/thread_test.cc index 8cfc1c6ac771..8c8a28f7d3d9 100644 --- a/test/common/common/thread_test.cc +++ b/test/common/common/thread_test.cc @@ -1,5 +1,9 @@ #include +#if defined(__linux__) || defined(__APPLE__) +#include "source/common/common/posix/thread_impl.h" +#endif + #include "source/common/common/thread.h" #include "source/common/common/thread_synchronizer.h" @@ -246,6 +250,30 @@ TEST_F(ThreadAsyncPtrTest, NameNotSpecifiedWait) { thread->join(); } +#if defined(__linux__) || defined(__APPLE__) +TEST(PosixThreadTest, PThreadId) { + auto thread_factory = PosixThreadFactory::create(); + ThreadId thread_id; + auto thread = + thread_factory->createThread([&]() { thread_id = thread_factory->currentPthreadId(); }, + /* options= */ absl::nullopt, /* crash_on_failure= */ false); + thread->join(); + + EXPECT_EQ(thread->pthreadId(), thread_id); + EXPECT_NE(thread->pthreadId(), thread_factory->currentThreadId()); +} + +TEST(PosixThreadTest, Joinable) { + auto thread_factory = PosixThreadFactory::create(); + auto thread = thread_factory->createThread([&]() {}, /* options= */ absl::nullopt, + /* crash_on_failure= */ true); + + EXPECT_TRUE(thread->joinable()); + thread->join(); + EXPECT_FALSE(thread->joinable()); +} +#endif + } // namespace } // namespace Thread } // namespace Envoy diff --git a/test/mocks/thread/BUILD b/test/mocks/thread/BUILD new file mode 100644 index 000000000000..62f26f23abd7 --- /dev/null +++ b/test/mocks/thread/BUILD 
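Review bot: `PosixThreadTest.PThreadId` creates the thread with `crash_on_failure=false` and then calls `thread->join()` without checking the result, so the one condition that flag exists for (createThread returning nullptr) would crash the test with a null dereference instead of failing cleanly; add `ASSERT_NE(thread, nullptr);` before the join. The lambda captures `thread_factory` and `thread_id` by reference across the thread boundary, which is sound only because `join()` happens before either is read; a `// joined above before thread_id is read` note would make that explicit.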
@@ -0,0 +1,18 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_mock", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_cc_mock( + name = "thread_mocks", + hdrs = ["mocks.h"], + deps = [ + "//envoy/thread:thread_interface", + "//source/common/common:thread_lib", + ], +) diff --git a/test/mocks/thread/mocks.h b/test/mocks/thread/mocks.h new file mode 100644 index 000000000000..9593a01b478b --- /dev/null +++ b/test/mocks/thread/mocks.h @@ -0,0 +1,30 @@ +#pragma once + +#include "envoy/thread/thread.h" + +#if defined(__linux__) || defined(__APPLE__) +#include "source/common/common/posix/thread_impl.h" +#endif + +namespace Envoy { +namespace Thread { + +class MockThreadFactory : public ThreadFactory { +public: + MOCK_METHOD(ThreadPtr, createThread, (std::function, OptionsOptConstRef)); + MOCK_METHOD(ThreadId, currentThreadId, ()); +}; + +#if defined(__linux__) || defined(__APPLE__) +class MockPosixThreadFactory : public PosixThreadFactory { +public: + MOCK_METHOD(ThreadPtr, createThread, (std::function, OptionsOptConstRef)); + MOCK_METHOD(PosixThreadPtr, createThread, + (std::function, OptionsOptConstRef, bool crash_on_failure)); + MOCK_METHOD(ThreadId, currentThreadId, ()); + MOCK_METHOD(ThreadId, currentPthreadId, ()); +}; +#endif + +} // namespace Thread +} // namespace Envoy diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh index 4a0e5fc32502..7f02290a378e 100755 --- a/test/per_file_coverage.sh +++ b/test/per_file_coverage.sh 
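Review bot: The new `test/mocks/thread/mocks.h` uses `MOCK_METHOD` but includes neither `gmock/gmock.h` nor anything else that obviously provides it; unless the macro arrives transitively through `envoy/thread/thread.h`, which an interface header is unlikely to do, a translation unit that includes this mock header first will not compile. Add `#include "gmock/gmock.h"` next to the existing includes, which is the usual shape for mock headers. The `#if defined(__linux__) || defined(__APPLE__)` guard is duplicated verbatim in `thread_test.cc` and here; if the platform condition ever changes, a single shared macro would keep them from drifting.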
@@ -6,6 +6,7 @@ declare -a KNOWN_LOW_COVERAGE=( "source/common:95.9" # TODO(#32149): increase this once io_uring is tested. "source/common/api:84.5" # flaky due to posix: be careful adjusting "source/common/api/posix:83.8" # flaky (accept failover non-deterministic): be careful adjusting +"source/common/common/posix:88.8" # No easy way to test pthread_create failure. "source/common/config:95.4" "source/common/crypto:95.5" "source/common/event:95.0" # Emulated edge events guards don't report LCOV diff --git a/test/test_common/thread_factory_for_test.cc b/test/test_common/thread_factory_for_test.cc index 55c4d84ed12b..0d1c2db9cae6 100644 --- a/test/test_common/thread_factory_for_test.cc +++ b/test/test_common/thread_factory_for_test.cc @@ -9,7 +9,7 @@ ThreadFactory& threadFactoryForTest() { #ifdef WIN32 static auto* thread_factory = new ThreadFactoryImplWin32(); #else - static auto* thread_factory = new ThreadFactoryImplPosix(); + static auto* thread_factory = PosixThreadFactory::create().release(); #endif return *thread_factory; } diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 7f66087cef02..15e00c4ff5cf 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -881,6 +881,7 @@ iteratively javascript jitter jittered +joinable js kafka keepalive From d82b5a02befbff3b2119b309e865f7b44d207907 Mon Sep 17 00:00:00 2001 From: Greg Greenway Date: Wed, 6 Mar 2024 07:59:49 -0800 Subject: [PATCH 31/34] quic: support cert selection by SNI, non-PEM formats (#32260) This brings feature parity between quic and non-quic TLS use for certificate selection and loading. 
Signed-off-by: Greg Greenway --- changelogs/current.yaml | 5 + .../root/intro/arch_overview/security/ssl.rst | 4 +- envoy/ssl/context_manager.h | 9 +- source/common/quic/envoy_quic_proof_source.cc | 117 ++++++++-- source/common/quic/envoy_quic_proof_source.h | 33 ++- .../quic_server_transport_socket_factory.cc | 127 ++++++++++- .../quic_server_transport_socket_factory.h | 25 +- source/common/runtime/runtime_features.cc | 1 + source/common/tls/BUILD | 1 + source/common/tls/context_impl.cc | 135 ++++++----- source/common/tls/context_impl.h | 44 +++- source/common/tls/context_manager_impl.cc | 11 +- source/common/tls/context_manager_impl.h | 3 +- source/common/tls/ssl_socket.cc | 4 +- source/server/ssl_context_manager.cc | 7 +- .../listener_manager_impl_quic_only_test.cc | 4 +- test/common/quic/BUILD | 1 + test/common/quic/active_quic_listener_test.cc | 4 +- .../common/quic/envoy_quic_dispatcher_test.cc | 4 +- .../quic/envoy_quic_proof_source_test.cc | 213 +++++++++++++++++- test/common/tls/context_impl_test.cc | 21 +- test/common/tls/handshaker_factory_test.cc | 2 +- test/integration/BUILD | 1 + test/integration/base_integration_test.cc | 1 + .../integration/quic_http_integration_test.cc | 6 + test/integration/ssl_utility.cc | 3 + test/mocks/ssl/mocks.cc | 14 +- test/mocks/ssl/mocks.h | 11 +- test/per_file_coverage.sh | 2 +- test/server/ssl_context_manager_test.cc | 5 +- 30 files changed, 676 insertions(+), 142 deletions(-) diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 25562acfb615..908a14404ccd 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml 
@@ -204,6 +204,11 @@ new_features: Added QUIC protocol option :ref:`send_disable_active_migration ` to make the server send clients a transport parameter to discourage client endpoints from active migration. +- area: quic + change: | + Added support for QUIC listeners to :ref:`choose certificates based on SNI ` and load certificates + from formats other than PEM, such as :ref:`pkcs12 `. + This behavior can be disabled with runtime flag ``envoy.restart_features.quic_handle_certs_with_shared_tls_code``. - area: ext_proc change: | implemented diff --git a/docs/root/intro/arch_overview/security/ssl.rst b/docs/root/intro/arch_overview/security/ssl.rst index 8538b163f984..79c0da9d22f9 100644 --- a/docs/root/intro/arch_overview/security/ssl.rst +++ b/docs/root/intro/arch_overview/security/ssl.rst @@ -97,8 +97,6 @@ See the reference for :ref:`UpstreamTlsContexts `. +.. _arch_overview_ssl_cert_select: + Certificate selection --------------------- diff --git a/envoy/ssl/context_manager.h b/envoy/ssl/context_manager.h index 73ea031a7f2e..8c7fae3707b2 100644 --- a/envoy/ssl/context_manager.h +++ b/envoy/ssl/context_manager.h @@ -12,6 +12,12 @@ namespace Envoy { namespace Ssl { +// Opaque type defined and used by the ``ServerContext``. +struct TlsContext; + +using ContextAdditionalInitFunc = + std::function; + /** * Manages all of the SSL contexts in the process */ @@ -30,7 +36,8 @@ class ContextManager { */ virtual ServerContextSharedPtr createSslServerContext(Stats::Scope& scope, const ServerContextConfig& config, - const std::vector& server_names) PURE; + const std::vector& server_names, + ContextAdditionalInitFunc additional_init) PURE; /** * @return the number of days until the next certificate being managed will expire, the value is diff --git a/source/common/quic/envoy_quic_proof_source.cc b/source/common/quic/envoy_quic_proof_source.cc index 337ef148d1b9..9670dba204e3 100644 --- a/source/common/quic/envoy_quic_proof_source.cc 
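Review bot: `createSslServerContext` gains a required `additional_init` parameter, but the doc block that precedes it (its start is outside this hunk) does not appear to describe what the callback receives, when it runs, or that `nullptr` is acceptable, which every non-QUIC caller now has to pass. Based on how `ContextImpl` uses it, a line such as ` * @param additional_init optional callback invoked once per loaded certificate context after its certificate and private key have been loaded; pass nullptr when no extra initialization is needed.` would tell implementers and callers what the contract is. The comment on `ContextAdditionalInitFunc` could likewise say that the callback is allowed to throw to reject the certificate, if that is the intended behaviour.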
+++ b/source/common/quic/envoy_quic_proof_source.cc @@ -6,6 +6,7 @@ #include "source/common/quic/envoy_quic_utils.h" #include "source/common/quic/quic_io_handle_wrapper.h" +#include "source/common/runtime/runtime_features.h" #include "source/common/stream_info/stream_info_impl.h" #include "openssl/bytestring.h" @@ -18,11 +19,25 @@ quiche::QuicheReferenceCountedPointer EnvoyQuicProofSource::GetCertChain(const quic::QuicSocketAddress& server_address, const quic::QuicSocketAddress& client_address, const std::string& hostname, bool* cert_matched_sni) { - // TODO(DavidSchinazi) parse the certificate to correctly fill in |cert_matched_sni|. + + // Ensure this is set even in error paths. *cert_matched_sni = false; - CertConfigWithFilterChain res = - getTlsCertConfigAndFilterChain(server_address, client_address, hostname); + auto res = getTransportSocketAndFilterChain(server_address, client_address, hostname); + if (!res.has_value()) { + return nullptr; + } + + if (!res->transport_socket_factory_.handleCertsWithSharedTlsCode()) { + return legacyGetCertChain(*res); + } + + return getTlsCertAndFilterChain(*res, hostname, cert_matched_sni).cert_; +} + +quiche::QuicheReferenceCountedPointer +EnvoyQuicProofSource::legacyGetCertChain(const TransportSocketFactoryWithFilterChain& data) { + LegacyCertConfigWithFilterChain res = legacyGetTlsCertConfigAndFilterChain(data); absl::optional> cert_config_ref = res.cert_config_; if (!cert_config_ref.has_value()) { 
@@ -56,8 +71,49 @@ void EnvoyQuicProofSource::signPayload( const quic::QuicSocketAddress& server_address, const quic::QuicSocketAddress& client_address, const std::string& hostname, uint16_t signature_algorithm, absl::string_view in, std::unique_ptr callback) { - CertConfigWithFilterChain res = - getTlsCertConfigAndFilterChain(server_address, client_address, hostname); + auto data = getTransportSocketAndFilterChain(server_address, client_address, hostname); + if (!data.has_value()) { + ENVOY_LOG(warn, "No matching filter chain found for handshake."); + callback->Run(false, "", nullptr); + return; + } + + if (!data->transport_socket_factory_.handleCertsWithSharedTlsCode()) { + return legacySignPayload(*data, signature_algorithm, in, std::move(callback)); + } + + CertWithFilterChain res = + getTlsCertAndFilterChain(*data, hostname, nullptr /* cert_matched_sni */); + if (res.private_key_ == nullptr) { + ENVOY_LOG(warn, "No matching filter chain found for handshake."); + callback->Run(false, "", nullptr); + return; + } + + // Verify the signature algorithm is as expected. + std::string error_details; + int sign_alg = + deduceSignatureAlgorithmFromPublicKey(res.private_key_->private_key(), &error_details); + if (sign_alg != signature_algorithm) { + ENVOY_LOG(warn, + fmt::format("The signature algorithm {} from the private key is not expected: {}", + sign_alg, error_details)); + callback->Run(false, "", nullptr); + return; + } + + // Sign. 
+ std::string sig = res.private_key_->Sign(in, signature_algorithm); + bool success = !sig.empty(); + ASSERT(res.filter_chain_.has_value()); + callback->Run(success, sig, + std::make_unique(res.filter_chain_.value().get())); +} + +void EnvoyQuicProofSource::legacySignPayload( + const TransportSocketFactoryWithFilterChain& data, uint16_t signature_algorithm, + absl::string_view in, std::unique_ptr callback) { + LegacyCertConfigWithFilterChain res = legacyGetTlsCertConfigAndFilterChain(data); absl::optional> cert_config_ref = res.cert_config_; if (!cert_config_ref.has_value()) { 
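Review bot: In the new `signPayload` path the `res.private_key_ == nullptr` branch logs "No matching filter chain found for handshake.", but a filter chain has already been matched by that point; `getTlsCertAndFilterChain` returns an empty result when the transport socket has no certificate or key available (for instance while the SDS secret is still pending), so the message points an operator at the wrong cause. Log the actual condition, e.g. `ENVOY_LOG(warn, "No certificate or private key available for handshake.");`, or drop this log since the callee already warns. The algorithm-mismatch log prints `error_details`, which from `initializeQuicCertAndKey` looks to be populated only when `deduceSignatureAlgorithmFromPublicKey` fails with 0; for a genuine mismatch it will likely be empty, so logging the expected `signature_algorithm` alongside `sign_alg` would make that line useful.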
@@ -95,10 +151,39 @@ void EnvoyQuicProofSource::signPayload( std::make_unique(res.filter_chain_.value().get())); } -EnvoyQuicProofSource::CertConfigWithFilterChain -EnvoyQuicProofSource::getTlsCertConfigAndFilterChain(const quic::QuicSocketAddress& server_address, - const quic::QuicSocketAddress& client_address, - const std::string& hostname) { +EnvoyQuicProofSource::CertWithFilterChain +EnvoyQuicProofSource::getTlsCertAndFilterChain(const TransportSocketFactoryWithFilterChain& data, + const std::string& hostname, + bool* cert_matched_sni) { + auto [cert, key] = + data.transport_socket_factory_.getTlsCertificateAndKey(hostname, cert_matched_sni); + if (cert == nullptr || key == nullptr) { + ENVOY_LOG(warn, "No certificate is configured in transport socket config."); + return {}; + } + return {std::move(cert), std::move(key), data.filter_chain_}; +} + +EnvoyQuicProofSource::LegacyCertConfigWithFilterChain +EnvoyQuicProofSource::legacyGetTlsCertConfigAndFilterChain( + const TransportSocketFactoryWithFilterChain& data) { + + std::vector> tls_cert_configs = + data.transport_socket_factory_.legacyGetTlsCertificates(); + if (tls_cert_configs.empty()) { + ENVOY_LOG(warn, "No certificate is configured in transport socket config."); + return {absl::nullopt, absl::nullopt}; + } + // Only return the first TLS cert config. + // TODO(danzh) Choose based on supported cipher suites in TLS1.3 CHLO and prefer EC + // certs if supported. + return {tls_cert_configs[0].get(), data.filter_chain_}; +} + +absl::optional +EnvoyQuicProofSource::getTransportSocketAndFilterChain( + const quic::QuicSocketAddress& server_address, const quic::QuicSocketAddress& client_address, + const std::string& hostname) { ENVOY_LOG(trace, "Getting cert chain for {}", hostname); // TODO(danzh) modify QUICHE to make quic session or ALPN accessible to avoid hard-coded ALPN. Network::ConnectionSocketPtr connection_socket = createServerConnectionSocket( 
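Review bot: `getTlsCertAndFilterChain` reports "No certificate is configured in transport socket config." whenever either pointer from `getTlsCertificateAndKey` is null, but that callee returns an empty pair (and logs "SDS hasn't finished updating Ssl context config yet.") when the context simply is not ready, so a single handshake during SDS warm-up emits two warnings that contradict each other. Either let the callee be the only place that logs, or word this one neutrally, `ENVOY_LOG(warn, "No certificate and private key available for handshake.");`. It is also worth a comment that a half-populated pair (cert without key or vice versa) is treated as a hard failure, since the comment on the return site in `getTlsCertificateAndKey` only discusses reference counting.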
@@ -111,23 +196,13 @@ EnvoyQuicProofSource::getTlsCertConfigAndFilterChain(const quic::QuicSocketAddre if (filter_chain == nullptr) { listener_stats_.no_filter_chain_match_.inc(); ENVOY_LOG(warn, "No matching filter chain found for handshake."); - return {absl::nullopt, absl::nullopt}; + return {}; } ENVOY_LOG(trace, "Got a matching cert chain {}", filter_chain->name()); auto& transport_socket_factory = dynamic_cast(filter_chain->transportSocketFactory()); - - std::vector> tls_cert_configs = - transport_socket_factory.getTlsCertificates(); - if (tls_cert_configs.empty()) { - ENVOY_LOG(warn, "No certificate is configured in transport socket config."); - return {absl::nullopt, absl::nullopt}; - } - // Only return the first TLS cert config. - // TODO(danzh) Choose based on supported cipher suites in TLS1.3 CHLO and prefer EC - // certs if supported. - return {tls_cert_configs[0].get(), *filter_chain}; + return TransportSocketFactoryWithFilterChain{transport_socket_factory, *filter_chain}; } void EnvoyQuicProofSource::updateFilterChainManager( diff --git a/source/common/quic/envoy_quic_proof_source.h b/source/common/quic/envoy_quic_proof_source.h index d47ab9ba7bb3..e950b982445b 100644 --- a/source/common/quic/envoy_quic_proof_source.h +++ b/source/common/quic/envoy_quic_proof_source.h 
@@ -34,15 +34,38 @@ class EnvoyQuicProofSource : public EnvoyQuicProofSourceBase { std::unique_ptr callback) override; private: - struct CertConfigWithFilterChain { + struct TransportSocketFactoryWithFilterChain { + const QuicServerTransportSocketFactory& transport_socket_factory_; + const Network::FilterChain& filter_chain_; + }; + + quiche::QuicheReferenceCountedPointer + legacyGetCertChain(const TransportSocketFactoryWithFilterChain& data); + void legacySignPayload(const TransportSocketFactoryWithFilterChain& data, + uint16_t signature_algorithm, absl::string_view in, + std::unique_ptr callback); + + struct CertWithFilterChain { + quiche::QuicheReferenceCountedPointer cert_; + std::shared_ptr private_key_; + absl::optional> filter_chain_; + }; + + CertWithFilterChain getTlsCertAndFilterChain(const TransportSocketFactoryWithFilterChain& data, + const std::string& hostname, bool* cert_matched_sni); + + struct LegacyCertConfigWithFilterChain { absl::optional> cert_config_; absl::optional> filter_chain_; }; - CertConfigWithFilterChain - getTlsCertConfigAndFilterChain(const quic::QuicSocketAddress& server_address, - const quic::QuicSocketAddress& client_address, - const std::string& hostname); + LegacyCertConfigWithFilterChain + legacyGetTlsCertConfigAndFilterChain(const TransportSocketFactoryWithFilterChain& data); + + absl::optional + getTransportSocketAndFilterChain(const quic::QuicSocketAddress& server_address, + const quic::QuicSocketAddress& client_address, + const std::string& hostname); Network::Socket& listen_socket_; Network::FilterChainManager* filter_chain_manager_{nullptr}; diff --git a/source/common/quic/quic_server_transport_socket_factory.cc b/source/common/quic/quic_server_transport_socket_factory.cc index bd39254630d6..901327e7118e 100644 --- a/source/common/quic/quic_server_transport_socket_factory.cc +++ b/source/common/quic/quic_server_transport_socket_factory.cc 
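Review bot: `TransportSocketFactoryWithFilterChain` and `CertWithFilterChain` are new structs whose members are references (or `reference_wrapper`s) into objects owned by the filter chain manager, and neither carries a comment about how long they may be held; `signPayload` also hands `filter_chain_` to the details object passed to the callback, so the lifetime question is not academic. If the intended contract is that they are only valid for the duration of the proof-source call that produced them, say so, e.g. `// Non-owning views into the matched filter chain and its transport socket factory; do not retain beyond the current proof source call.` A one-line note on `CertWithFilterChain` that `cert_` and `private_key_` are themselves reference counted (as the .cc comments state) would round this out.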
@@ -4,6 +4,7 @@ #include "envoy/extensions/transport_sockets/quic/v3/quic_transport.pb.validate.h" +#include "source/common/quic/envoy_quic_utils.h" #include "source/common/runtime/runtime_features.h" #include "source/common/tls/context_config_impl.h" @@ -13,7 +14,7 @@ namespace Quic { Network::DownstreamTransportSocketFactoryPtr QuicServerTransportSocketConfigFactory::createTransportSocketFactory( const Protobuf::Message& config, Server::Configuration::TransportSocketFactoryContext& context, - const std::vector& /*server_names*/) { + const std::vector& server_names) { auto quic_transport = MessageUtil::downcastAndValidate< const envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport&>( config, context.messageValidationVisitor()); 
@@ -26,11 +27,90 @@ QuicServerTransportSocketConfigFactory::createTransportSocketFactory( auto factory = std::make_unique( PROTOBUF_GET_WRAPPED_OR_DEFAULT(quic_transport, enable_early_data, true), - context.statsScope(), std::move(server_config)); + context.statsScope(), std::move(server_config), context.sslContextManager(), server_names); factory->initialize(); return factory; } +namespace { +void initializeQuicCertAndKey(Ssl::TlsContext& context, + const Ssl::TlsCertificateConfig& /*cert_config*/) { + // Convert the certificate chain loaded into the context into PEM, as that is what the QUICHE + // API expects. By using the version already loaded, instead of loading it from the source, + // we can reuse all the code that loads from different formats, allows using passwords on the key, + // etc. + std::vector chain; + auto process_one_cert = [&](X509* cert) { + bssl::UniquePtr bio(BIO_new(BIO_s_mem())); + int result = PEM_write_bio_X509(bio.get(), cert); + ASSERT(result == 1); + BUF_MEM* buf_mem = nullptr; + result = BIO_get_mem_ptr(bio.get(), &buf_mem); + std::string cert_str(buf_mem->data, buf_mem->length); + std::istringstream pem_stream(cert_str); + auto pem_result = quic::ReadNextPemMessage(&pem_stream); + if (pem_result.status != quic::PemReadResult::Status::kOk) { + throwEnvoyExceptionOrPanic( + "Error loading certificate in QUIC context: error from ReadNextPemMessage"); + } + chain.push_back(std::move(pem_result.contents)); + }; + + process_one_cert(SSL_CTX_get0_certificate(context.ssl_ctx_.get())); + + STACK_OF(X509)* chain_stack = nullptr; + int result = SSL_CTX_get0_chain_certs(context.ssl_ctx_.get(), &chain_stack); + ASSERT(result == 1); + for (size_t i = 0; i < sk_X509_num(chain_stack); i++) { + process_one_cert(sk_X509_value(chain_stack, i)); + } + + quiche::QuicheReferenceCountedPointer cert_chain( + new quic::ProofSource::Chain(chain)); + + std::string error_details; + bssl::UniquePtr pub_key(X509_get_pubkey(context.cert_chain_.get())); + int 
sign_alg = deduceSignatureAlgorithmFromPublicKey(pub_key.get(), &error_details); + if (sign_alg == 0) { + throwEnvoyExceptionOrPanic( + absl::StrCat("Failed to deduce signature algorithm from public key: ", error_details)); + } + + context.quic_cert_ = std::move(cert_chain); + + bssl::UniquePtr privateKey( + bssl::UpRef(SSL_CTX_get0_privatekey(context.ssl_ctx_.get()))); + std::unique_ptr pem_key = + std::make_unique(std::move(privateKey)); + if (pem_key == nullptr) { + throwEnvoyExceptionOrPanic("Failed to load QUIC private key."); + } + + context.quic_private_key_ = std::move(pem_key); +} +} // namespace + +QuicServerTransportSocketFactory::QuicServerTransportSocketFactory( + bool enable_early_data, Stats::Scope& scope, Ssl::ServerContextConfigPtr config, + Envoy::Ssl::ContextManager& manager, const std::vector& server_names) + : QuicTransportSocketFactoryBase(scope, "server"), + handle_certs_with_shared_tls_code_(Runtime::runtimeFeatureEnabled( + "envoy.restart_features.quic_handle_certs_with_shared_tls_code")), + manager_(manager), stats_scope_(scope), config_(std::move(config)), + server_names_(server_names), + ssl_ctx_(handle_certs_with_shared_tls_code_ ? createSslServerContext() : nullptr), + enable_early_data_(enable_early_data) {} + +QuicServerTransportSocketFactory::~QuicServerTransportSocketFactory() { + manager_.removeContext(ssl_ctx_); +} + +Envoy::Ssl::ServerContextSharedPtr +QuicServerTransportSocketFactory::createSslServerContext() const { + return manager_.createSslServerContext(stats_scope_, *config_, server_names_, + initializeQuicCertAndKey); +} + ProtobufTypes::MessagePtr QuicServerTransportSocketConfigFactory::createEmptyConfigProto() { return std::make_unique< envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport>(); 
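Review bot: In `initializeQuicCertAndKey` the `if (pem_key == nullptr)` check can never fire, because `std::make_unique` either returns a non-null pointer or throws; the failure that actually needs guarding is `SSL_CTX_get0_privatekey` returning `nullptr` (plausibly the case when a private-key provider is configured and no key is loaded into the `SSL_CTX`), which at best produces a `CertificatePrivateKey` wrapping a null `EVP_PKEY` that only fails later at signing time, and at worst dereferences null inside `bssl::UpRef`. Move the check to the raw key: `EVP_PKEY* key = SSL_CTX_get0_privatekey(context.ssl_ctx_.get()); if (key == nullptr) { throwEnvoyExceptionOrPanic("Failed to load QUIC private key."); }` and then wrap `bssl::UpRef(key)`. The `BIO_get_mem_ptr` and `PEM_write_bio_X509` results are likewise checked only with `ASSERT`, which is compiled out in release builds, after which `buf_mem` is dereferenced; `RELEASE_ASSERT` would be the safer choice on a path that runs for every loaded certificate. The sentence fragment in the comment above `getTlsCertificateAndKey` ("the existence of , and using,") also reads as if a word was dropped.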
@@ -46,6 +126,49 @@ void QuicServerTransportSocketFactory::initialize() { } } +std::pair, + std::shared_ptr> +QuicServerTransportSocketFactory::getTlsCertificateAndKey(absl::string_view sni, + bool* cert_matched_sni) const { + // onSecretUpdated() could be invoked in the middle of checking the existence of , and using, + // ssl_ctx. Capture ssl_ctx_ into a local variable so that we check and use the same ssl_ctx. + Envoy::Ssl::ServerContextSharedPtr ssl_ctx; + { + absl::ReaderMutexLock l(&ssl_ctx_mu_); + ssl_ctx = ssl_ctx_; + } + if (!ssl_ctx) { + ENVOY_LOG(warn, "SDS hasn't finished updating Ssl context config yet."); + stats_.downstream_context_secrets_not_ready_.inc(); + *cert_matched_sni = false; + return {}; + } + auto ctx = + std::dynamic_pointer_cast(ssl_ctx); + auto [tls_context, ocsp_staple_action] = ctx->findTlsContext( + sni, true /* TODO: ecdsa_capable */, false /* TODO: ocsp_capable */, cert_matched_sni); + + // Thread safety note: accessing the tls_context requires holding a shared_ptr to the ``ssl_ctx``. + // Both of these members are themselves reference counted, so it is safe to use them after + // ``ssl_ctx`` goes out of scope after the function returns. + return {tls_context.quic_cert_, tls_context.quic_private_key_}; +} + +void QuicServerTransportSocketFactory::onSecretUpdated() { + ENVOY_LOG(debug, "Secret is updated."); + + if (handle_certs_with_shared_tls_code_) { + auto ctx = createSslServerContext(); + { + absl::WriterMutexLock l(&ssl_ctx_mu_); + std::swap(ctx, ssl_ctx_); + } + manager_.removeContext(ctx); + } + + stats_.context_config_update_by_sds_.inc(); +} + REGISTER_FACTORY(QuicServerTransportSocketConfigFactory, Server::Configuration::DownstreamTransportSocketConfigFactory); diff --git a/source/common/quic/quic_server_transport_socket_factory.h b/source/common/quic/quic_server_transport_socket_factory.h index 6be4a64029d1..eaf93fac49ae 100644 --- a/source/common/quic/quic_server_transport_socket_factory.h 
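Review bot: `getTlsCertificateAndKey` writes `*cert_matched_sni = false;` unconditionally in the `!ssl_ctx` early return, but the parameter is nullable: `signPayload` in `envoy_quic_proof_source.cc` passes `nullptr /* cert_matched_sni */` through `getTlsCertAndFilterChain`, and `findTlsContext` explicitly accepts `nullptr`. A signature request that arrives while the SDS secret is still pending therefore dereferences a null pointer and takes down the worker, and the timing is in the hands of whichever client happens to start a handshake at that moment. Guard the write, `if (cert_matched_sni != nullptr) { *cert_matched_sni = false; }`, and add a unit test that exercises the not-ready path with a null out-pointer. The result of `std::dynamic_pointer_cast` is also used without a null check; if every `ServerContextSharedPtr` from the manager is guaranteed to be a `ServerContextImpl`, a `RELEASE_ASSERT` documents that assumption cheaply.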
+++ b/source/common/quic/quic_server_transport_socket_factory.h @@ -19,9 +19,10 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock public QuicTransportSocketFactoryBase { public: QuicServerTransportSocketFactory(bool enable_early_data, Stats::Scope& store, - Ssl::ServerContextConfigPtr config) - : QuicTransportSocketFactoryBase(store, "server"), config_(std::move(config)), - enable_early_data_(enable_early_data) {} + Ssl::ServerContextConfigPtr config, + Envoy::Ssl::ContextManager& manager, + const std::vector& server_names); + ~QuicServerTransportSocketFactory() override; // Network::DownstreamTransportSocketFactory Network::TransportSocketPtr createDownstreamTransportSocket() const override { @@ -31,9 +32,13 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock void initialize() override; + std::pair, + std::shared_ptr> + getTlsCertificateAndKey(absl::string_view sni, bool* cert_matched_sni) const; + // Return TLS certificates if the context config is ready. std::vector> - getTlsCertificates() const { + legacyGetTlsCertificates() const { if (!config_->isReady()) { ENVOY_LOG(warn, "SDS hasn't finished updating Ssl context config yet."); stats_.downstream_context_secrets_not_ready_.inc(); 
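Review bot: The new `getTlsCertificateAndKey` declaration has no comment, while its neighbour `legacyGetTlsCertificates` does, so a reader of the header cannot tell that both returned pointers are null when the context is not ready, or that `cert_matched_sni` is an out-parameter. Suggest `// Selects the certificate chain and private key for ``sni`` from the shared TLS context. Both pointers are null if the SDS secret has not been delivered yet; ``cert_matched_sni`` receives whether a certificate was matched against the SNI.` Marking the legacy accessor with a short `// Deprecated: only used when the quic_handle_certs_with_shared_tls_code runtime flag is off.` would also make the intended removal path visible.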
@@ -44,11 +49,21 @@ class QuicServerTransportSocketFactory : public Network::DownstreamTransportSock bool earlyDataEnabled() const { return enable_early_data_; } + bool handleCertsWithSharedTlsCode() const { return handle_certs_with_shared_tls_code_; } + protected: - void onSecretUpdated() override { stats_.context_config_update_by_sds_.inc(); } + void onSecretUpdated() override; private: + Envoy::Ssl::ServerContextSharedPtr createSslServerContext() const; + + const bool handle_certs_with_shared_tls_code_; + Envoy::Ssl::ContextManager& manager_; + Stats::Scope& stats_scope_; Ssl::ServerContextConfigPtr config_; + const std::vector server_names_; + mutable absl::Mutex ssl_ctx_mu_; + Envoy::Ssl::ServerContextSharedPtr ssl_ctx_ ABSL_GUARDED_BY(ssl_ctx_mu_); bool enable_early_data_; }; diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 73998c11e30f..79b6470b49fb 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc @@ -103,6 +103,7 @@ RUNTIME_GUARD(envoy_reloadable_features_validate_connect); RUNTIME_GUARD(envoy_reloadable_features_validate_grpc_header_before_log_grpc_status); RUNTIME_GUARD(envoy_reloadable_features_validate_upstream_headers); RUNTIME_GUARD(envoy_restart_features_allow_client_socket_creation_failure); +RUNTIME_GUARD(envoy_restart_features_quic_handle_certs_with_shared_tls_code); RUNTIME_GUARD(envoy_restart_features_send_goaway_for_premature_rst_streams); RUNTIME_GUARD(envoy_restart_features_udp_read_normalize_addresses); RUNTIME_GUARD(envoy_restart_features_use_eds_cache_for_ads); diff --git a/source/common/tls/BUILD b/source/common/tls/BUILD index ba75941b4864..d78ea0bf7dd8 100644 --- a/source/common/tls/BUILD +++ b/source/common/tls/BUILD 
@@ -163,6 +163,7 @@ envoy_cc_library( "//source/common/tls/cert_validator:cert_validator_lib", "//source/common/tls/ocsp:ocsp_lib", "//source/common/tls/private_key:private_key_manager_lib", + "@com_github_google_quiche//:quic_core_crypto_proof_source_lib", "@envoy_api//envoy/admin/v3:pkg_cc_proto", "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto", ], diff --git a/source/common/tls/context_impl.cc b/source/common/tls/context_impl.cc index d106cdecaa26..7d86c94bd5f6 100644 --- a/source/common/tls/context_impl.cc +++ b/source/common/tls/context_impl.cc @@ -40,10 +40,6 @@ #include "openssl/rand.h" namespace Envoy { -namespace Extensions { -namespace TransportSockets { -namespace Tls { - namespace { bool cbsContainsU16(CBS& cbs, uint16_t n) { @@ -71,6 +67,10 @@ void logSslErrorChain() { } // namespace +namespace Extensions { +namespace TransportSockets { +namespace Tls { + int ContextImpl::sslExtendedSocketInfoIndex() { CONSTRUCT_ON_FIRST_USE(int, []() -> int { int ssl_context_index = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr); @@ -80,7 +80,7 @@ int ContextImpl::sslExtendedSocketInfoIndex() { } ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, - TimeSource& time_source) + TimeSource& time_source, Ssl::ContextAdditionalInitFunc additional_init) : scope_(scope), stats_(generateSslStats(scope)), time_source_(time_source), tls_max_version_(config.maxProtocolVersion()), stat_name_set_(scope.symbolTable().makeSet("TransportSockets::Tls")), @@ -292,6 +292,10 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c ctx.loadPrivateKey(tls_certificate.privateKey(), tls_certificate.privateKeyPath(), tls_certificate.password()); } + + if (additional_init != nullptr) { + additional_init(ctx, tls_certificate); + } } } 
@@ -323,7 +327,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c // Use the SSL library to iterate over the configured ciphers. // // Note that if a negotiated cipher suite is outside of this set, we'll issue an ENVOY_BUG. - for (TlsContext& tls_context : tls_contexts_) { + for (Ssl::TlsContext& tls_context : tls_contexts_) { for (const SSL_CIPHER* cipher : SSL_CTX_get_ciphers(tls_context.ssl_ctx_.get())) { stat_name_set_->rememberBuiltin(SSL_CIPHER_get_name(cipher)); } @@ -372,7 +376,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c // As late as possible, run the custom SSL_CTX configuration callback on each // SSL_CTX, if set. if (auto sslctx_cb = config.sslctxCb(); sslctx_cb) { - for (TlsContext& ctx : tls_contexts_) { + for (Ssl::TlsContext& ctx : tls_contexts_) { sslctx_cb(ctx.ssl_ctx_.get()); } } @@ -656,7 +660,7 @@ std::vector ContextImpl::getCertChainInformat ClientContextImpl::ClientContextImpl(Stats::Scope& scope, const Envoy::Ssl::ClientContextConfig& config, TimeSource& time_source) - : ContextImpl(scope, config, time_source), + : ContextImpl(scope, config, time_source, nullptr /* additional_init */), server_name_indication_(config.serverNameIndication()), allow_renegotiation_(config.allowRenegotiation()), enforce_rsa_key_usage_(config.enforceRsaKeyUsage()), 
@@ -785,8 +789,10 @@ int ClientContextImpl::newSessionKey(SSL_SESSION* session) { ServerContextImpl::ServerContextImpl(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, const std::vector& server_names, - TimeSource& time_source) - : ContextImpl(scope, config, time_source), session_ticket_keys_(config.sessionTicketKeys()), + TimeSource& time_source, + Ssl::ContextAdditionalInitFunc additional_init) + : ContextImpl(scope, config, time_source, additional_init), + session_ticket_keys_(config.sessionTicketKeys()), ocsp_staple_policy_(config.ocspStaplePolicy()), full_scan_certs_on_sni_mismatch_(config.fullScanCertsOnSNIMismatch()) { if (config.tlsCertificates().empty() && !config.capabilities().provides_certificates) { @@ -891,7 +897,7 @@ ServerContextImpl::ServerContextImpl(Stats::Scope& scope, } } -void ServerContextImpl::populateServerNamesMap(TlsContext& ctx, int pkey_id) { +void ServerContextImpl::populateServerNamesMap(Ssl::TlsContext& ctx, int pkey_id) { if (ctx.cert_chain_ == nullptr) { return; } @@ -913,7 +919,7 @@ void ServerContextImpl::populateServerNamesMap(TlsContext& ctx, int pkey_id) { // implemented. return; } - sn_match->second.emplace(std::pair>(pkey_id, ctx)); + sn_match->second.emplace(std::pair>(pkey_id, ctx)); }; bssl::UniquePtr san_names(static_cast( @@ -1193,7 +1199,7 @@ bool ServerContextImpl::isClientOcspCapable(const SSL_CLIENT_HELLO* ssl_client_h return false; } -OcspStapleAction ServerContextImpl::ocspStapleAction(const TlsContext& ctx, +OcspStapleAction ServerContextImpl::ocspStapleAction(const Ssl::TlsContext& ctx, bool client_ocsp_capable) { if (!client_ocsp_capable) { return OcspStapleAction::ClientNotCapable; 
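Review bot: `ServerContextImpl`'s constructor takes `additional_init` (a `std::function`) by value and then copies it into the `ContextImpl` base; since it is not used again afterwards, forwarding it with `: ContextImpl(scope, config, time_source, std::move(additional_init)),` avoids the extra copy. This is a style point only; behaviour is unchanged either way.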
@@ -1235,20 +1241,22 @@ OcspStapleAction ServerContextImpl::ocspStapleAction(const TlsContext& ctx, PANIC_DUE_TO_CORRUPT_ENUM; } -enum ssl_select_cert_result_t -ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { - const bool client_ecdsa_capable = isClientEcdsaCapable(ssl_client_hello); - const bool client_ocsp_capable = isClientOcspCapable(ssl_client_hello); - absl::string_view sni = absl::NullSafeStringView( - SSL_get_servername(ssl_client_hello->ssl, TLSEXT_NAMETYPE_host_name)); +std::pair +ServerContextImpl::findTlsContext(absl::string_view sni, bool client_ecdsa_capable, + bool client_ocsp_capable, bool* cert_matched_sni) { + bool unused = false; + if (cert_matched_sni == nullptr) { + // Avoid need for nullptr checks when this is set. + cert_matched_sni = &unused; + } // selected_ctx represents the final selected certificate, it should meet all requirements or pick - // a candidate - const TlsContext* selected_ctx = nullptr; - const TlsContext* candidate_ctx = nullptr; + // a candidate. + const Ssl::TlsContext* selected_ctx = nullptr; + const Ssl::TlsContext* candidate_ctx = nullptr; OcspStapleAction ocsp_staple_action; - auto selected = [&](const TlsContext& ctx) -> bool { + auto selected = [&](const Ssl::TlsContext& ctx) -> bool { auto action = ocspStapleAction(ctx, client_ocsp_capable); if (action == OcspStapleAction::Fail) { // The selected ctx must adhere to OCSP policy @@ -1311,6 +1319,7 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { select_from_map(wildcard); } } + *cert_matched_sni = (selected_ctx != nullptr || candidate_ctx != nullptr); tail_select(full_scan_certs_on_sni_mismatch_); } // Full scan certs if SNI is not provided by client; 
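Review bot: `findTlsContext` only assigns `*cert_matched_sni` inside the SNI-present branch (the `@@ -1311` hunk on this line); as far as these hunks show, the path taken when the client sends no SNI leaves the out-parameter untouched, so its value depends on whatever the caller preset. `GetCertChain` happens to clear it beforehand, but a function that exposes an out-parameter should own its value on every return path: initialise it right after the `nullptr` redirect, `*cert_matched_sni = false;`. The enclosing function continues past this hunk, so the no-SNI branch itself is inferred from the comment that closes it.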
@@ -1329,10 +1338,24 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { tail_select(false); } + ASSERT(selected_ctx != nullptr); + return {*selected_ctx, ocsp_staple_action}; +} + +enum ssl_select_cert_result_t +ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { + absl::string_view sni = absl::NullSafeStringView( + SSL_get_servername(ssl_client_hello->ssl, TLSEXT_NAMETYPE_host_name)); + const bool client_ecdsa_capable = isClientEcdsaCapable(ssl_client_hello); + const bool client_ocsp_capable = isClientOcspCapable(ssl_client_hello); + + auto [selected_ctx, ocsp_staple_action] = + findTlsContext(sni, client_ecdsa_capable, client_ocsp_capable, nullptr); + // Apply the selected context. This must be done before OCSP stapling below // since applying the context can remove the previously-set OCSP response. // This will only return NULL if memory allocation fails. - RELEASE_ASSERT(SSL_set_SSL_CTX(ssl_client_hello->ssl, selected_ctx->ssl_ctx_.get()) != nullptr, + RELEASE_ASSERT(SSL_set_SSL_CTX(ssl_client_hello->ssl, selected_ctx.ssl_ctx_.get()) != nullptr, ""); if (client_ocsp_capable) { @@ -1342,9 +1365,9 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { switch (ocsp_staple_action) { case OcspStapleAction::Staple: { // We avoid setting the OCSP response if the client didn't request it, but doing so is safe. - RELEASE_ASSERT(selected_ctx->ocsp_response_, + RELEASE_ASSERT(selected_ctx.ocsp_response_, "OCSP response must be present under OcspStapleAction::Staple"); - auto& resp_bytes = selected_ctx->ocsp_response_->rawBytes(); + auto& resp_bytes = selected_ctx.ocsp_response_->rawBytes(); int rc = SSL_set_ocsp_response(ssl_client_hello->ssl, resp_bytes.data(), resp_bytes.size()); RELEASE_ASSERT(rc != 0, ""); stats_.ocsp_staple_responses_.inc(); 
@@ -1362,6 +1385,31 @@ ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) { return ssl_select_cert_success; } +ValidationResults ContextImpl::customVerifyCertChainForQuic( + STACK_OF(X509)& cert_chain, Ssl::ValidateResultCallbackPtr callback, bool is_server, + const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options, + const CertValidator::ExtraValidationContext& validation_context, const std::string& host_name) { + ASSERT(!tls_contexts_.empty()); + // It doesn't matter which SSL context is used, because they share the same cert validation + // config. + SSL_CTX* ssl_ctx = tls_contexts_[0].ssl_ctx_.get(); + if (SSL_CTX_get_verify_mode(ssl_ctx) == SSL_VERIFY_NONE) { + // Skip validation if the TLS is configured SSL_VERIFY_NONE. + return {ValidationResults::ValidationStatus::Successful, + Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt}; + } + ValidationResults result = + cert_validator_->doVerifyCertChain(cert_chain, std::move(callback), transport_socket_options, + *ssl_ctx, validation_context, is_server, host_name); + return result; +} + +} // namespace Tls +} // namespace TransportSockets +} // namespace Extensions + +namespace Ssl { + bool TlsContext::isCipherEnabled(uint16_t cipher_id, uint16_t client_version) { const SSL_CIPHER* c = SSL_get_cipher_by_value(cipher_id); if (c == nullptr) { 
@@ -1382,25 +1430,6 @@ bool TlsContext::isCipherEnabled(uint16_t cipher_id, uint16_t client_version) { return false; } -ValidationResults ContextImpl::customVerifyCertChainForQuic( - STACK_OF(X509)& cert_chain, Ssl::ValidateResultCallbackPtr callback, bool is_server, - const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options, - const CertValidator::ExtraValidationContext& validation_context, const std::string& host_name) { - ASSERT(!tls_contexts_.empty()); - // It doesn't matter which SSL context is used, because they share the same cert validation - // config. - SSL_CTX* ssl_ctx = tls_contexts_[0].ssl_ctx_.get(); - if (SSL_CTX_get_verify_mode(ssl_ctx) == SSL_VERIFY_NONE) { - // Skip validation if the TLS is configured SSL_VERIFY_NONE. - return {ValidationResults::ValidationStatus::Successful, - Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt}; - } - ValidationResults result = - cert_validator_->doVerifyCertChain(cert_chain, std::move(callback), transport_socket_options, - *ssl_ctx, validation_context, is_server, host_name); - return result; -} - void TlsContext::loadCertificateChain(const std::string& data, const std::string& data_path) { cert_chain_file_path_ = data_path; bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(data.data()), data.size())); @@ -1443,9 +1472,9 @@ void TlsContext::loadPrivateKey(const std::string& data, const std::string& data !password.empty() ? const_cast(password.c_str()) : nullptr)); if (pkey == nullptr || !SSL_CTX_use_PrivateKey(ssl_ctx_.get(), pkey.get())) { - throwEnvoyExceptionOrPanic(fmt::format("Failed to load private key from {}, Cause: {}", - data_path, - Utility::getLastCryptoError().value_or("unknown"))); + throwEnvoyExceptionOrPanic(fmt::format( + "Failed to load private key from {}, Cause: {}", data_path, + Extensions::TransportSockets::Tls::Utility::getLastCryptoError().value_or("unknown"))); } checkPrivateKey(pkey, data_path); 
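Review bot: The fully qualified `Extensions::TransportSockets::Tls::Utility::getLastCryptoError()` in the loadPrivateKey hunk (`@@ -1443`) forces the `fmt::format` call to be re-wrapped across three lines purely because TlsContext now lives in `namespace Ssl`; the identical rewrite appears again in loadPkcs12 on the next line. A single namespace alias (or using-declaration, depending on what `Utility` is) at the top of the new `namespace Ssl` block, e.g. `namespace Utility = Extensions::TransportSockets::Tls::Utility;`, lets both error paths keep their original shape and keeps future TlsContext code from repeating the long prefix.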
@@ -1482,9 +1511,9 @@ void TlsContext::loadPkcs12(const std::string& data, const std::string& data_pat throwEnvoyExceptionOrPanic(absl::StrCat("Failed to load certificate from ", data_path)); } if (temp_private_key == nullptr || !SSL_CTX_use_PrivateKey(ssl_ctx_.get(), pkey.get())) { - throwEnvoyExceptionOrPanic(fmt::format("Failed to load private key from {}, Cause: {}", - data_path, - Utility::getLastCryptoError().value_or("unknown"))); + throwEnvoyExceptionOrPanic(fmt::format( + "Failed to load private key from {}, Cause: {}", data_path, + Extensions::TransportSockets::Tls::Utility::getLastCryptoError().value_or("unknown"))); } checkPrivateKey(pkey, data_path); @@ -1518,7 +1547,5 @@ void TlsContext::checkPrivateKey(const bssl::UniquePtr& pkey, #endif } -} // namespace Tls -} // namespace TransportSockets -} // namespace Extensions +} // namespace Ssl } // namespace Envoy diff --git a/source/common/tls/context_impl.h b/source/common/tls/context_impl.h index 17e385d72630..9bffa93a74a4 100644 --- a/source/common/tls/context_impl.h +++ b/source/common/tls/context_impl.h @@ -28,14 +28,16 @@ #include "openssl/ssl.h" #include "openssl/x509v3.h" +#ifdef ENVOY_ENABLE_QUIC +#include "quiche/quic/core/crypto/proof_source.h" +#endif + namespace Envoy { #ifndef OPENSSL_IS_BORINGSSL #error Envoy requires BoringSSL #endif -namespace Extensions { -namespace TransportSockets { -namespace Tls { +namespace Ssl { struct TlsContext { // Each certificate specified for the context has its own SSL_CTX. `SSL_CTXs` 
@@ -45,11 +47,16 @@ struct TlsContext { bssl::UniquePtr ssl_ctx_; bssl::UniquePtr cert_chain_; std::string cert_chain_file_path_; - Ocsp::OcspResponseWrapperPtr ocsp_response_; + Extensions::TransportSockets::Tls::Ocsp::OcspResponseWrapperPtr ocsp_response_; bool is_ecdsa_{}; bool is_must_staple_{}; Ssl::PrivateKeyMethodProviderSharedPtr private_key_method_provider_{}; +#ifdef ENVOY_ENABLE_QUIC + quiche::QuicheReferenceCountedPointer quic_cert_; + std::shared_ptr quic_private_key_; +#endif + std::string getCertChainFileName() const { return cert_chain_file_path_; }; bool isCipherEnabled(uint16_t cipher_id, uint16_t client_version); Envoy::Ssl::PrivateKeyMethodProviderSharedPtr getPrivateKeyMethodProvider() { @@ -62,6 +69,11 @@ struct TlsContext { const std::string& password); void checkPrivateKey(const bssl::UniquePtr& pkey, const std::string& key_path); }; +} // namespace Ssl + +namespace Extensions { +namespace TransportSockets { +namespace Tls { class ContextImpl : public virtual Envoy::Ssl::Context, protected Logger::Loggable { @@ -103,8 +115,8 @@ class ContextImpl : public virtual Envoy::Ssl::Context, protected: friend class ContextImplPeer; - ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, - TimeSource& time_source); + ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, TimeSource& time_source, + Ssl::ContextAdditionalInitFunc additional_init); /** * The global SSL-library index used for storing a pointer to the context 
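Review bot: The two new members `quic_cert_` and `quic_private_key_` in the first hunk carry no comment on who populates them or how their ownership relates to the key already held by `ssl_ctx_`; a `std::shared_ptr` to private-key material next to the BoringSSL-owned copy is exactly the kind of lifetime relationship the struct should state, e.g. `// QUIC view of the loaded chain/key; populated by <populating code — confirm> and shared with the proof source.`. Because both members sit under `#ifdef ENVOY_ENABLE_QUIC`, `sizeof(TlsContext)` differs between configurations, which is safe only while every translation unit including this header sees the same macro definition; a one-line comment beside the `#ifdef` noting that invariant is worth adding.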
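Review bot: The new `Ssl::ContextAdditionalInitFunc additional_init` parameter on the ContextImpl constructor (third hunk, `@@ -103`) is undocumented: every call site in this patch passes `nullptr`, so it is evidently optional, but when it runs relative to certificate loading and whether a throw from it propagates is not stated anywhere (the test file carries a `TODO: test throw from additional_init`). A short comment on the declaration, e.g. `// additional_init: optional hook, presumably invoked during construction; nullptr disables it.`, plus a sentence on exception behaviour once confirmed, would pin the contract; the same parameter is added undocumented to the ServerContextImpl constructor and to ContextManager::createSslServerContext in later hunks.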
@@ -126,13 +138,13 @@ class ContextImpl : public virtual Envoy::Ssl::Context, Envoy::Ssl::SslExtendedSocketInfo* extended_socket_info, const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options, SSL* ssl); - void populateServerNamesMap(TlsContext& ctx, const int pkey_id); + void populateServerNamesMap(Ssl::TlsContext& ctx, const int pkey_id); // This is always non-empty, with the first context used for all new SSL // objects. For server contexts, once we have ClientHello, we // potentially switch to a different CertificateContext based on certificate // selection. - std::vector tls_contexts_; + std::vector tls_contexts_; CertValidatorPtr cert_validator_; Stats::Scope& scope_; SslStats stats_; 
@@ -183,23 +195,31 @@ enum class OcspStapleAction { Staple, NoStaple, Fail, ClientNotCapable }; class ServerContextImpl : public ContextImpl, public Envoy::Ssl::ServerContext { public: ServerContextImpl(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, - const std::vector& server_names, TimeSource& time_source); + const std::vector& server_names, TimeSource& time_source, + Ssl::ContextAdditionalInitFunc additional_init); // Select the TLS certificate context in SSL_CTX_set_select_certificate_cb() callback with // ClientHello details. This is made public for use by custom TLS extensions who want to // manually create and use this as a client hello callback. enum ssl_select_cert_result_t selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello); + // Finds the best matching context. The returned context will have the same lifetime as + // this ``ServerContextImpl``. + std::pair findTlsContext(absl::string_view sni, + bool client_ecdsa_capable, + bool client_ocsp_capable, + bool* cert_matched_sni); + private: // Currently, at most one certificate of a given key type may be specified for each exact // server name or wildcard domain name. - using PkeyTypesMap = absl::flat_hash_map>; + using PkeyTypesMap = absl::flat_hash_map>; // Both exact server names and wildcard domains are part of the same map, in which wildcard // domains are prefixed with "." (i.e. ".example.com" for "*.example.com") to differentiate // between exact and wildcard entries. using ServerNamesMap = absl::flat_hash_map; - void populateServerNamesMap(TlsContext& ctx, const int pkey_id); + void populateServerNamesMap(Ssl::TlsContext& ctx, const int pkey_id); using SessionContextID = std::array; 
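Review bot: The new comment on `findTlsContext` documents the lifetime of the returned context but says nothing about the `cert_matched_sni` out-parameter, which the .cc hunk allows to be `nullptr` and assigns only on the SNI-lookup path, so a caller of this now-public method cannot tell whether it must initialise the bool itself. Suggest extending the comment with `// cert_matched_sni may be nullptr; when non-null it is set after the SNI lookup (callers should initialise it — confirm behaviour when sni is empty).`. The comment could also say that `OcspStapleAction` in the returned pair is the action the caller is expected to apply to the handshake.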
@@ -209,7 +229,7 @@ class ServerContextImpl : public ContextImpl, public Envoy::Ssl::ServerContext { HMAC_CTX* hmac_ctx, int encrypt); bool isClientEcdsaCapable(const SSL_CLIENT_HELLO* ssl_client_hello); bool isClientOcspCapable(const SSL_CLIENT_HELLO* ssl_client_hello); - OcspStapleAction ocspStapleAction(const TlsContext& ctx, bool client_ocsp_capable); + OcspStapleAction ocspStapleAction(const Ssl::TlsContext& ctx, bool client_ocsp_capable); SessionContextID generateHashForSessionContextId(const std::vector& server_names); diff --git a/source/common/tls/context_manager_impl.cc b/source/common/tls/context_manager_impl.cc index b36d132f43df..b76a81264e21 100644 --- a/source/common/tls/context_manager_impl.cc +++ b/source/common/tls/context_manager_impl.cc @@ -30,16 +30,15 @@ ContextManagerImpl::createSslClientContext(Stats::Scope& scope, return context; } -Envoy::Ssl::ServerContextSharedPtr -ContextManagerImpl::createSslServerContext(Stats::Scope& scope, - const Envoy::Ssl::ServerContextConfig& config, - const std::vector& server_names) { +Envoy::Ssl::ServerContextSharedPtr ContextManagerImpl::createSslServerContext( + Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, + const std::vector& server_names, Ssl::ContextAdditionalInitFunc additional_init) { if (!config.isReady()) { return nullptr; } - Envoy::Ssl::ServerContextSharedPtr context = - std::make_shared(scope, config, server_names, time_source_); + Envoy::Ssl::ServerContextSharedPtr context = std::make_shared( + scope, config, server_names, time_source_, std::move(additional_init)); contexts_.insert(context); return context; } diff --git a/source/common/tls/context_manager_impl.h b/source/common/tls/context_manager_impl.h index 0870c8968073..db72e1d308e0 100644 --- a/source/common/tls/context_manager_impl.h +++ b/source/common/tls/context_manager_impl.h 
@@ -34,7 +34,8 @@ class ContextManagerImpl final : public Envoy::Ssl::ContextManager { const Envoy::Ssl::ClientContextConfig& config) override; Ssl::ServerContextSharedPtr createSslServerContext(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, - const std::vector& server_names) override; + const std::vector& server_names, + Ssl::ContextAdditionalInitFunc additional_init) override; absl::optional daysUntilFirstCertExpires() const override; absl::optional secondsUntilFirstOcspResponseExpires() const override; void iterateContexts(std::function callback) override; diff --git a/source/common/tls/ssl_socket.cc b/source/common/tls/ssl_socket.cc index 12f7e5c091cd..02111ead0094 100644 --- a/source/common/tls/ssl_socket.cc +++ b/source/common/tls/ssl_socket.cc @@ -429,7 +429,7 @@ ServerSslSocketFactory::ServerSslSocketFactory(Envoy::Ssl::ServerContextConfigPt const std::vector& server_names) : manager_(manager), stats_scope_(stats_scope), stats_(generateStats("server", stats_scope)), config_(std::move(config)), server_names_(server_names), - ssl_ctx_(manager_.createSslServerContext(stats_scope_, *config_, server_names_)) { + ssl_ctx_(manager_.createSslServerContext(stats_scope_, *config_, server_names_, nullptr)) { config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); }); } @@ -463,7 +463,7 @@ bool ServerSslSocketFactory::implementsSecureTransport() const { return true; } void ServerSslSocketFactory::onAddOrUpdateSecret() { ENVOY_LOG(debug, "Secret is updated."); - auto ctx = manager_.createSslServerContext(stats_scope_, *config_, server_names_); + auto ctx = manager_.createSslServerContext(stats_scope_, *config_, server_names_, nullptr); { absl::WriterMutexLock l(&ssl_ctx_mu_); std::swap(ctx, ssl_ctx_); diff --git a/source/server/ssl_context_manager.cc b/source/server/ssl_context_manager.cc index d3b8df9d17f5..8a9fec347dee 100644 --- a/source/server/ssl_context_manager.cc +++ b/source/server/ssl_context_manager.cc 
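Review bot: `manager_.createSslServerContext(stats_scope_, *config_, server_names_, nullptr)` in both ssl_socket.cc hunks passes a bare `nullptr` for the new `additional_init` argument, which tells the reader nothing about what is being disabled; `/*additional_init=*/nullptr` documents the intent at the call site and is what clang-tidy's argument-comment check would expect. The same bare literal appears at the test call sites in context_impl_test.cc and handshaker_factory_test.cc later in the patch.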
@@ -20,10 +20,9 @@ class SslContextManagerNoTlsStub final : public Envoy::Ssl::ContextManager { throwException(); } - Ssl::ServerContextSharedPtr - createSslServerContext(Stats::Scope& /* scope */, - const Envoy::Ssl::ServerContextConfig& /* config */, - const std::vector& /* server_names */) override { + Ssl::ServerContextSharedPtr createSslServerContext( + Stats::Scope& /* scope */, const Envoy::Ssl::ServerContextConfig& /* config */, + const std::vector& /* server_names */, Ssl::ContextAdditionalInitFunc) override { throwException(); } diff --git a/test/common/listener_manager/listener_manager_impl_quic_only_test.cc b/test/common/listener_manager/listener_manager_impl_quic_only_test.cc index 93ebdabddb41..e38af489d6fa 100644 --- a/test/common/listener_manager/listener_manager_impl_quic_only_test.cc +++ b/test/common/listener_manager/listener_manager_impl_quic_only_test.cc @@ -166,7 +166,9 @@ TEST_P(ListenerManagerImplQuicOnlyTest, QuicListenerFactoryAndSslContext) { auto& quic_socket_factory = dynamic_cast( filter_chain->transportSocketFactory()); EXPECT_TRUE(quic_socket_factory.implementsSecureTransport()); - EXPECT_FALSE(quic_socket_factory.getTlsCertificates().empty()); + auto [cert, key] = quic_socket_factory.getTlsCertificateAndKey("", nullptr); + EXPECT_TRUE(cert != nullptr); + EXPECT_TRUE(key != nullptr); EXPECT_TRUE(listener_factory_.socket_->socket_is_open_); // Stop listening shouldn't close the socket. diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index 474e73c9cdac..13cb63c6c5ee 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD @@ -65,6 +65,7 @@ envoy_cc_test( "//source/common/tls:context_config_lib", "//test/mocks/network:network_mocks", "//test/mocks/ssl:ssl_mocks", + "//test/test_common:test_runtime_lib", "@com_github_google_quiche//:quic_core_versions_lib", "@com_github_google_quiche//:quic_test_tools_test_certificates_lib", ], 
diff --git a/test/common/quic/active_quic_listener_test.cc b/test/common/quic/active_quic_listener_test.cc index 6c58ae781cf4..1ba2e8d21664 100644 --- a/test/common/quic/active_quic_listener_test.cc +++ b/test/common/quic/active_quic_listener_test.cc @@ -112,7 +112,8 @@ class ActiveQuicListenerTest : public testing::TestWithParam>()), + std::make_unique>(), + ssl_context_manager_, {}), quic_version_(quic::CurrentSupportedHttp3Versions()[0]), quic_stat_names_(listener_config_.listenerScope().symbolTable()) {} @@ -328,6 +329,7 @@ class ActiveQuicListenerTest : public testing::TestWithParam udp_listener_config_; NiceMock listener_config_; NiceMock udp_packet_writer_factory_; + NiceMock ssl_context_manager_; quic::QuicConfig quic_config_; Server::ConnectionHandlerImpl connection_handler_; std::unique_ptr quic_listener_; diff --git a/test/common/quic/envoy_quic_dispatcher_test.cc b/test/common/quic/envoy_quic_dispatcher_test.cc index e14c36d09d9b..fb016b442b86 100644 --- a/test/common/quic/envoy_quic_dispatcher_test.cc +++ b/test/common/quic/envoy_quic_dispatcher_test.cc @@ -77,7 +77,8 @@ class EnvoyQuicDispatcherTest : public testing::TestWithParam>()) { + std::make_unique>(), + ssl_context_manager_, {}) { auto writer = new testing::NiceMock(); envoy_quic_dispatcher_.InitializeWithWriter(writer); EXPECT_CALL(*writer, WritePacket(_, _, _, _, _, _)) @@ -252,6 +253,7 @@ class EnvoyQuicDispatcherTest : public testing::TestWithParam ssl_context_manager_; QuicServerTransportSocketFactory transport_socket_factory_; }; diff --git a/test/common/quic/envoy_quic_proof_source_test.cc b/test/common/quic/envoy_quic_proof_source_test.cc index b671a7fc81ef..a6814a40c52d 100644 --- a/test/common/quic/envoy_quic_proof_source_test.cc +++ b/test/common/quic/envoy_quic_proof_source_test.cc 
@@ -10,6 +10,7 @@ #include "test/common/quic/test_utils.h" #include "test/mocks/network/mocks.h" #include "test/mocks/ssl/mocks.h" +#include "test/test_common/test_runtime.h" #include "gmock/gmock.h" #include "gtest/gtest.h" @@ -19,6 +20,7 @@ using testing::Invoke; using testing::Return; using testing::ReturnRef; +using testing::SaveArg; namespace Envoy { 
@@ -141,6 +143,193 @@ class TestSignatureCallback : public quic::ProofSource::SignatureCallback { class EnvoyQuicProofSourceTest : public ::testing::Test { public: EnvoyQuicProofSourceTest() + : server_address_(quic::QuicIpAddress::Loopback4(), 12345), + client_address_(quic::QuicIpAddress::Loopback4(), 54321), + mock_context_config_(new NiceMock()), + listener_stats_({ALL_LISTENER_STATS(POOL_COUNTER(listener_config_.listenerScope()), + POOL_GAUGE(listener_config_.listenerScope()), + POOL_HISTOGRAM(listener_config_.listenerScope()))}), + proof_source_(listen_socket_, filter_chain_manager_, listener_stats_, time_system_) { + EXPECT_CALL(*mock_context_config_, setSecretUpdateCallback(_)) + .Times(testing::AtLeast(1u)) + .WillRepeatedly(SaveArg<0>(&secret_update_callback_)); + EXPECT_CALL(*mock_context_config_, alpnProtocols()).WillRepeatedly(ReturnRef(alpn_)); + transport_socket_factory_ = std::make_unique( + true, listener_config_.listenerScope(), + std::unique_ptr(mock_context_config_), ssl_context_manager_, + std::vector{}); + transport_socket_factory_->initialize(); + EXPECT_CALL(filter_chain_, name()).WillRepeatedly(Return("")); + } + + void expectCertChainAndPrivateKey(const std::string& cert, bool expect_private_key, + bool expect_fail_to_load = false) { + int times = -1; + if (expect_fail_to_load) { + times = 0; + } else if (expect_private_key) { + times = 2; + } else { + times = 1; + } + EXPECT_CALL(listen_socket_, ioHandle()).Times(times); + EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) + .WillRepeatedly(Invoke( + [&](const Network::ConnectionSocket& connection_socket, const StreamInfo::StreamInfo&) { + EXPECT_EQ(*quicAddressToEnvoyAddressInstance(server_address_), + *connection_socket.connectionInfoProvider().localAddress()); + EXPECT_EQ(*quicAddressToEnvoyAddressInstance(client_address_), + *connection_socket.connectionInfoProvider().remoteAddress()); + EXPECT_EQ("quic", connection_socket.detectedTransportProtocol()); + EXPECT_EQ("h3", 
connection_socket.requestedApplicationProtocols()[0]); + return &filter_chain_; + })); + EXPECT_CALL(filter_chain_, transportSocketFactory()) + .WillRepeatedly(ReturnRef(*transport_socket_factory_)); + + EXPECT_CALL(*mock_context_config_, isReady()).WillRepeatedly(Return(true)); + std::vector> tls_cert_configs{ + std::reference_wrapper(tls_cert_config_)}; + EXPECT_CALL(*mock_context_config_, tlsCertificates()).WillRepeatedly(Return(tls_cert_configs)); + EXPECT_CALL(tls_cert_config_, pkcs12()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + EXPECT_CALL(tls_cert_config_, certificateChainPath()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + EXPECT_CALL(tls_cert_config_, privateKeyMethod()).WillRepeatedly(Return(nullptr)); + EXPECT_CALL(tls_cert_config_, privateKeyPath()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + EXPECT_CALL(tls_cert_config_, password()).WillRepeatedly(ReturnRef(EMPTY_STRING)); + static const std::vector ocsp_staple; + EXPECT_CALL(tls_cert_config_, ocspStaple()).WillRepeatedly(ReturnRef(ocsp_staple)); + EXPECT_CALL(tls_cert_config_, certificateChain()) + .Times(testing::AtLeast(1)) + .WillRepeatedly(ReturnRef(cert)); + if (expect_private_key) { + EXPECT_CALL(tls_cert_config_, privateKey()) + .Times(testing::AtLeast(1)) + .WillRepeatedly(ReturnRef(pkey_)); + } + ASSERT_TRUE(secret_update_callback_ != nullptr); + secret_update_callback_(); + } + +protected: + Event::GlobalTimeSystem time_system_; + std::string hostname_{"www.fake.com"}; + quic::QuicSocketAddress server_address_; + quic::QuicSocketAddress client_address_; + quic::QuicTransportVersion version_{quic::QUIC_VERSION_UNSUPPORTED}; + absl::string_view chlo_hash_{"aaaaa"}; + std::string server_config_{"Server Config"}; + std::string expected_certs_{quic::test::kTestCertificateChainPem}; + std::string pkey_{quic::test::kTestCertificatePrivateKeyPem}; + Network::MockFilterChain filter_chain_; + Network::MockFilterChainManager filter_chain_manager_; + Network::MockListenSocket listen_socket_; + 
testing::NiceMock listener_config_; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{time_system_}; + Ssl::MockServerContextConfig* mock_context_config_; + std::function secret_update_callback_; + std::unique_ptr transport_socket_factory_; + Ssl::MockTlsCertificateConfig tls_cert_config_; + Server::ListenerStats listener_stats_; + EnvoyQuicProofSource proof_source_; + std::string alpn_{"h3"}; +}; + +TEST_F(EnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { + expectCertChainAndPrivateKey(expected_certs_, true); + bool cert_matched_sni; + quiche::QuicheReferenceCountedPointer chain = + proof_source_.GetCertChain(server_address_, client_address_, hostname_, &cert_matched_sni); + EXPECT_EQ(2, chain->certs.size()); + + std::string error_details; + bssl::UniquePtr cert = parseDERCertificate(chain->certs[0], &error_details); + EXPECT_NE(cert, nullptr); + bssl::UniquePtr pub_key(X509_get_pubkey(cert.get())); + int sign_alg = deduceSignatureAlgorithmFromPublicKey(pub_key.get(), &error_details); + EXPECT_EQ(sign_alg, SSL_SIGN_RSA_PSS_RSAE_SHA256); + std::string signature; + proof_source_.ComputeTlsSignature( + server_address_, client_address_, hostname_, SSL_SIGN_RSA_PSS_RSAE_SHA256, "payload", + std::make_unique(true, filter_chain_, signature)); + SignatureVerifier verifier; + verifier.verifyCertsAndSignature(chain, "payload", signature); +} + +TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { + // No filter chain. + EXPECT_CALL(listen_socket_, ioHandle()).Times(2); + EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) + .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { + return nullptr; + })); + bool cert_matched_sni; + EXPECT_EQ(nullptr, proof_source_.GetCertChain(server_address_, client_address_, hostname_, + &cert_matched_sni)); + + // Cert not ready. 
+ EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) + .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { + return &filter_chain_; + })); + EXPECT_CALL(filter_chain_, transportSocketFactory()) + .WillOnce(ReturnRef(*transport_socket_factory_)); + EXPECT_EQ(nullptr, proof_source_.GetCertChain(server_address_, client_address_, hostname_, + &cert_matched_sni)); +} + +TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { + std::string invalid_cert{R"(-----BEGIN CERTIFICATE----- + invalid certificate + -----END CERTIFICATE-----)"}; + EXPECT_THROW_WITH_MESSAGE(expectCertChainAndPrivateKey(invalid_cert, false, true), EnvoyException, + "Failed to load certificate chain from "); +} + +TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidPublicKeyInCert) { + // This is a valid cert with RSA public key. But we don't support RSA key with + // length < 1024. + std::string cert_with_rsa_1024{R"(-----BEGIN CERTIFICATE----- +MIIC2jCCAkOgAwIBAgIUDBHEwlCvLGh3w0O8VwIW+CjYXY8wDQYJKoZIhvcNAQEL +BQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMRIwEAYDVQQHDAlDYW1icmlk +Z2UxDzANBgNVBAoMBkdvb2dsZTEOMAwGA1UECwwFZW52b3kxDTALBgNVBAMMBHRl +c3QxHzAdBgkqhkiG9w0BCQEWEGRhbnpoQGdvb2dsZS5jb20wHhcNMjAwODA0MTg1 +OTQ4WhcNMjEwODA0MTg1OTQ4WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUEx +EjAQBgNVBAcMCUNhbWJyaWRnZTEPMA0GA1UECgwGR29vZ2xlMQ4wDAYDVQQLDAVl +bnZveTENMAsGA1UEAwwEdGVzdDEfMB0GCSqGSIb3DQEJARYQZGFuemhAZ29vZ2xl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAykCZNjxws+sNfnp18nsp ++7LN81J/RSwAHLkGnwEtd3OxSUuiCYHgYlyuEAwJdf99+SaFrgcA4LvYJ/Mhm/fZ +msnpfsAvoQ49+ax0fm1x56ii4KgNiu9iFsWwwVmkHkgjlRcRsmhr4WeIf14Yvpqs +JNsbNVSCZ4GLQ2V6BqIHlhcCAwEAAaNTMFEwHQYDVR0OBBYEFDO1KPYcdRmeKDvL +H2Yzj8el2Xe1MB8GA1UdIwQYMBaAFDO1KPYcdRmeKDvLH2Yzj8el2Xe1MA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAnwWVmwSK9TDml7oHGBavzOC1 +f/lOd5zz2e7Tu2pUtx1sX1tlKph1D0ANpJwxRV78R2hjmynLSl7h4Ual9NMubqkD +x96rVeUbRJ/qU4//nNM/XQa9vIAIcTZ0jFhmb0c3R4rmoqqC3vkSDwtaE5yuS5T4 +GUy+n0vQNB0cXGzgcGI= 
+-----END CERTIFICATE-----)"}; + EXPECT_THROW_WITH_MESSAGE(expectCertChainAndPrivateKey(cert_with_rsa_1024, false, true), + EnvoyException, + "Failed to load certificate chain from , only RSA certificates with " + "2048-bit or larger keys are supported"); +} + +TEST_F(EnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) { + EXPECT_CALL(listen_socket_, ioHandle()); + EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) + .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { + return nullptr; + })); + + std::string signature; + proof_source_.ComputeTlsSignature( + server_address_, client_address_, hostname_, SSL_SIGN_RSA_PSS_RSAE_SHA256, "payload", + std::make_unique(false, filter_chain_, signature)); +} + +// Test with `envoy.restart_features.quic_handle_certs_with_shared_tls_code` set to false. This +// has different expectations, so the old tests are kept here verbatim. +class LegacyEnvoyQuicProofSourceTest : public ::testing::Test { +public: + LegacyEnvoyQuicProofSourceTest() : server_address_(quic::QuicIpAddress::Loopback4(), 12345), client_address_(quic::QuicIpAddress::Loopback4(), 54321), mock_context_config_(new Ssl::MockServerContextConfig()), 
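Review bot: In the new GetCertChainFailInvalidPublicKeyInCert test the comment `// length < 1024.` contradicts the message the test asserts, which says only 2048-bit or larger RSA keys are supported; the comment should read `// we don't support RSA keys shorter than 2048 bits.`. In TestGetCerChainAndSignatureAndVerify `bool cert_matched_sni;` is left uninitialised and its value is never asserted after `GetCertChain`, so the one piece of new output this patch adds goes unchecked — initialise it and add `EXPECT_TRUE`/`EXPECT_FALSE` once the expected value for `www.fake.com` against the test certificate is confirmed. In expectCertChainAndPrivateKey the `int times = -1;` followed by a three-way if-chain would be clearer as a single `const int times = expect_fail_to_load ? 0 : (expect_private_key ? 2 : 1);`. This hunk starts at the class header and ends mid-way through the legacy fixture's initializer list, which continues in the next hunk.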
@@ -148,11 +337,15 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { POOL_GAUGE(listener_config_.listenerScope()), POOL_HISTOGRAM(listener_config_.listenerScope()))}), proof_source_(listen_socket_, filter_chain_manager_, listener_stats_, time_system_) { + scoped_runtime_.mergeValues( + {{"envoy.restart_features.quic_handle_certs_with_shared_tls_code", "false"}}); + EXPECT_CALL(*mock_context_config_, setSecretUpdateCallback(_)).Times(testing::AtLeast(1u)); EXPECT_CALL(*mock_context_config_, alpnProtocols()).WillRepeatedly(ReturnRef(alpn_)); transport_socket_factory_ = std::make_unique( true, listener_config_.listenerScope(), - std::unique_ptr(mock_context_config_)); + std::unique_ptr(mock_context_config_), ssl_context_manager_, + std::vector{}); transport_socket_factory_->initialize(); EXPECT_CALL(filter_chain_, name()).WillRepeatedly(Return("")); } @@ -184,6 +377,8 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { } protected: + TestScopedRuntime scoped_runtime_; + Event::GlobalTimeSystem time_system_; std::string hostname_{"www.fake.com"}; quic::QuicSocketAddress server_address_; quic::QuicSocketAddress client_address_; 
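Review bot: `scoped_runtime_.mergeValues({{"envoy.restart_features.quic_handle_certs_with_shared_tls_code", "false"}})` runs in the legacy fixture's constructor body, after `ssl_context_manager_` and `proof_source_` have already been constructed in the initializer list; if either of them reads this restart feature at construction time, the legacy test class would not actually exercise the legacy path. If that is the case, the override needs to happen before those members exist (a base class holding `TestScopedRuntime` and applying the override, or a member-initialiser on `scoped_runtime_` that performs the merge). The constructor's initializer list begins in the previous hunk.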
@@ -196,16 +391,16 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { Network::MockFilterChainManager filter_chain_manager_; Network::MockListenSocket listen_socket_; testing::NiceMock listener_config_; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{time_system_}; Ssl::MockServerContextConfig* mock_context_config_; std::unique_ptr transport_socket_factory_; Ssl::MockTlsCertificateConfig tls_cert_config_; Server::ListenerStats listener_stats_; - Event::GlobalTimeSystem time_system_; EnvoyQuicProofSource proof_source_; std::string alpn_{"h3"}; }; -TEST_F(EnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { +TEST_F(LegacyEnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { expectCertChainAndPrivateKey(expected_certs_, true); bool cert_matched_sni; quiche::QuicheReferenceCountedPointer chain = @@ -226,7 +421,7 @@ TEST_F(EnvoyQuicProofSourceTest, TestGetCerChainAndSignatureAndVerify) { verifier.verifyCertsAndSignature(chain, "payload", signature); } -TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { +TEST_F(LegacyEnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { // No filter chain. EXPECT_CALL(listen_socket_, ioHandle()).Times(3); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) @@ -269,7 +464,7 @@ TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailBadConfig) { &cert_matched_sni)); } -TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { +TEST_F(LegacyEnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { std::string invalid_cert{R"(-----BEGIN CERTIFICATE----- invalid certificate -----END CERTIFICATE-----)"}; 
@@ -279,7 +474,7 @@ TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidCert) { &cert_matched_sni)); } -TEST_F(EnvoyQuicProofSourceTest, GetCertChainFailInvalidPublicKeyInCert) { +TEST_F(LegacyEnvoyQuicProofSourceTest, GetCertChainFailInvalidPublicKeyInCert) { // This is a valid cert with RSA public key. But we don't support RSA key with // length < 1024. std::string cert_with_rsa_1024{R"(-----BEGIN CERTIFICATE----- @@ -306,7 +501,7 @@ GUy+n0vQNB0cXGzgcGI= &cert_matched_sni)); } -TEST_F(EnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) { +TEST_F(LegacyEnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) { EXPECT_CALL(listen_socket_, ioHandle()); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { @@ -319,7 +514,7 @@ TEST_F(EnvoyQuicProofSourceTest, ComputeSignatureFailNoFilterChain) { std::make_unique(false, filter_chain_, signature)); } -TEST_F(EnvoyQuicProofSourceTest, UnexpectedPrivateKey) { +TEST_F(LegacyEnvoyQuicProofSourceTest, UnexpectedPrivateKey) { EXPECT_CALL(listen_socket_, ioHandle()); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { @@ -355,7 +550,7 @@ qGm130brdD+1U1EJnEFmleLZ/W6mEi3MxcKpWOpTqQ== std::make_unique(false, filter_chain_, signature)); } -TEST_F(EnvoyQuicProofSourceTest, InvalidPrivateKey) { +TEST_F(LegacyEnvoyQuicProofSourceTest, InvalidPrivateKey) { EXPECT_CALL(listen_socket_, ioHandle()); EXPECT_CALL(filter_chain_manager_, findFilterChain(_, _)) .WillOnce(Invoke([&](const Network::ConnectionSocket&, const StreamInfo::StreamInfo&) { diff --git a/test/common/tls/context_impl_test.cc b/test/common/tls/context_impl_test.cc index 4de6f9a81df4..dadbae2c6f7b 100644 --- a/test/common/tls/context_impl_test.cc +++ b/test/common/tls/context_impl_test.cc 
@@ -112,8 +112,8 @@ class SslContextImplTest : public SslCertsTest { }}; } void loadConfig(ServerContextConfigImpl& cfg) { - Envoy::Ssl::ServerContextSharedPtr server_ctx( - manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{})); + Envoy::Ssl::ServerContextSharedPtr server_ctx(manager_.createSslServerContext( + *store_.rootScope(), cfg, std::vector{}, nullptr)); auto cleanup = cleanUpHelper(server_ctx); } @@ -620,14 +620,15 @@ TEST_F(SslContextImplTest, MustHaveSubjectOrSAN) { TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); ServerContextConfigImpl server_context_config(tls_context, factory_context_); EXPECT_THROW_WITH_REGEX( - manager_.createSslServerContext(*store_.rootScope(), server_context_config, {}), + manager_.createSslServerContext(*store_.rootScope(), server_context_config, {}, nullptr), EnvoyException, "has neither subject CN nor SAN names"); } class SslServerContextImplOcspTest : public SslContextImplTest { public: Envoy::Ssl::ServerContextSharedPtr loadConfig(ServerContextConfigImpl& cfg) { - return manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{}); + return manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{}, + nullptr); } Envoy::Ssl::ServerContextSharedPtr loadConfigYaml(const std::string& yaml) { @@ -826,8 +827,8 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { class SslServerContextImplTicketTest : public SslContextImplTest { public: void loadConfig(ServerContextConfigImpl& cfg) { - Envoy::Ssl::ServerContextSharedPtr server_ctx( - manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{})); + Envoy::Ssl::ServerContextSharedPtr server_ctx(manager_.createSslServerContext( + *store_.rootScope(), cfg, std::vector{}, nullptr)); auto cleanup = cleanUpHelper(server_ctx); } 
@@ -1900,7 +1901,7 @@ TEST_F(ServerContextConfigImplTest, TlsCertificateNonEmpty) { Stats::IsolatedStoreImpl store; EXPECT_THROW_WITH_MESSAGE( Envoy::Ssl::ServerContextSharedPtr server_ctx(manager.createSslServerContext( - *store.rootScope(), client_context_config, std::vector{})), + *store.rootScope(), client_context_config, std::vector{}, nullptr)), EnvoyException, "Server TlsCertificates must have a certificate specified"); } @@ -2025,7 +2026,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoMethod) { ServerContextConfigImpl server_context_config(tls_context, factory_context_); EXPECT_THROW_WITH_MESSAGE( Envoy::Ssl::ServerContextSharedPtr server_ctx(manager.createSslServerContext( - *store.rootScope(), server_context_config, std::vector{})), + *store.rootScope(), server_context_config, std::vector{}, nullptr)), EnvoyException, "Failed to get BoringSSL private key method from provider"); } @@ -2193,13 +2194,15 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndCertChain) { "Certificate configuration can't have both pkcs12 and certificate_chain"); } +// TODO: test throw from additional_init + // Subclass ContextImpl so we can instantiate directly from tests, despite the // constructor being protected. class TestContextImpl : public ContextImpl { public: TestContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, TimeSource& time_source) - : ContextImpl(scope, config, time_source), pool_(scope.symbolTable()), + : ContextImpl(scope, config, time_source, nullptr), pool_(scope.symbolTable()), fallback_(pool_.add("fallback")) {} void incCounter(absl::string_view name, absl::string_view value) { diff --git a/test/common/tls/handshaker_factory_test.cc b/test/common/tls/handshaker_factory_test.cc index 4fbd63093ccb..f60113708590 100644 --- a/test/common/tls/handshaker_factory_test.cc +++ b/test/common/tls/handshaker_factory_test.cc 
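Review bot: The new `// TODO: test throw from additional_init` comment in the `@@ -2193` hunk is the only acknowledgement in this patch of the error path of the new `additional_init` hook, and every call site changed here (`createSslServerContext` in this file, handshaker_factory_test.cc and ssl_context_manager_test.cc, plus the `ContextImpl` constructor call in `TestContextImpl`) passes `nullptr`, so a throwing initializer is never exercised. Project style names an owner and says what the test must establish, e.g. `// TODO(<owner>): test that a throwing additional_init does not leave a partially built context behind`. Until that test exists, what happens to a `ContextImpl` whose `additional_init` throws is unverified by this change.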
@@ -296,7 +296,7 @@ TEST_F(HandshakerFactoryDownstreamTest, ServerHandshakerProvidesCertificates) { tls_context_, mock_factory_ctx); EXPECT_TRUE(server_context_config.isReady()); EXPECT_NO_THROW(context_manager_->createSslServerContext( - *stats_store_.rootScope(), server_context_config, std::vector{})); + *stats_store_.rootScope(), server_context_config, std::vector{}, nullptr)); } } // namespace diff --git a/test/integration/BUILD b/test/integration/BUILD index 1fb893b6787a..2f8c863a06fa 100644 --- a/test/integration/BUILD +++ b/test/integration/BUILD @@ -356,6 +356,7 @@ envoy_cc_test_binary( "//source/extensions/load_balancing_policies/random:config", "//source/extensions/load_balancing_policies/ring_hash:config", "//source/extensions/load_balancing_policies/round_robin:config", + "//source/extensions/transport_sockets/tls:config", ], ) diff --git a/test/integration/base_integration_test.cc b/test/integration/base_integration_test.cc index 4f28efb606ba..13295850af25 100644 --- a/test/integration/base_integration_test.cc +++ b/test/integration/base_integration_test.cc @@ -74,6 +74,7 @@ BaseIntegrationTest::BaseIntegrationTest(const InstanceConstSharedPtrFn& upstrea })); ON_CALL(factory_context_.server_context_, api()).WillByDefault(ReturnRef(*api_)); ON_CALL(factory_context_, statsScope()).WillByDefault(ReturnRef(*stats_store_.rootScope())); + ON_CALL(factory_context_, sslContextManager()).WillByDefault(ReturnRef(context_manager_)); ON_CALL(factory_context_.server_context_, threadLocal()).WillByDefault(ReturnRef(thread_local_)); #ifndef ENVOY_ADMIN_FUNCTIONALITY diff --git a/test/integration/quic_http_integration_test.cc b/test/integration/quic_http_integration_test.cc index 7f9afc898cd6..af3420839050 100644 --- a/test/integration/quic_http_integration_test.cc +++ b/test/integration/quic_http_integration_test.cc 
@@ -746,6 +746,12 @@ TEST_P(QuicHttpIntegrationTest, EarlyDataDisabled) { codec_client_->close(); } +TEST_P(QuicHttpIntegrationTest, LegacyCertLoadingAndSelection) { + config_helper_.addRuntimeOverride("envoy.restart_features.quic_handle_certs_with_shared_tls_code", + "false"); + testMultipleQuicConnections(); +} + // Not only test multiple quic connections, but disconnect and reconnect to // trigger resumption. TEST_P(QuicHttpIntegrationTest, MultipleUpstreamQuicConnections) { diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index f0ea65b76261..de35d4e3da51 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc @@ -127,6 +127,9 @@ createUpstreamSslContext(ContextManager& context_manager, Api::Api& api, bool us } envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport quic_config; quic_config.mutable_downstream_tls_context()->MergeFrom(tls_context); + ON_CALL(mock_factory_ctx, statsScope()) + .WillByDefault(ReturnRef(*upstream_stats_store->rootScope())); + ON_CALL(mock_factory_ctx, sslContextManager()).WillByDefault(ReturnRef(context_manager)); std::vector server_names; auto& config_factory = Config::Utility::getAndCheckFactoryByName< diff --git a/test/mocks/ssl/mocks.cc b/test/mocks/ssl/mocks.cc index fd274c0679d0..792686eaa9f3 100644 --- a/test/mocks/ssl/mocks.cc +++ b/test/mocks/ssl/mocks.cc 
@@ -27,7 +27,19 @@ MockClientContextConfig::MockClientContextConfig() { } MockClientContextConfig::~MockClientContextConfig() = default; -MockServerContextConfig::MockServerContextConfig() = default; +MockServerContextConfig::MockServerContextConfig() { + capabilities_.provides_ciphers_and_curves = true; + capabilities_.provides_sigalgs = true; + + ON_CALL(*this, cipherSuites()).WillByDefault(testing::ReturnRef(ciphers_)); + ON_CALL(*this, capabilities()).WillByDefault(testing::Return(capabilities_)); + ON_CALL(*this, alpnProtocols()).WillByDefault(testing::ReturnRef(alpn_)); + ON_CALL(*this, signatureAlgorithms()).WillByDefault(testing::ReturnRef(sigalgs_)); + ON_CALL(*this, sessionTicketKeys()).WillByDefault(testing::ReturnRef(ticket_keys_)); + ON_CALL(*this, tlsKeyLogLocal()).WillByDefault(testing::ReturnRef(iplist_)); + ON_CALL(*this, tlsKeyLogRemote()).WillByDefault(testing::ReturnRef(iplist_)); + ON_CALL(*this, tlsKeyLogPath()).WillByDefault(testing::ReturnRef(path_)); +} MockServerContextConfig::~MockServerContextConfig() = default; MockPrivateKeyMethodManager::MockPrivateKeyMethodManager() = default; diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h index a7e85351b41e..9aa51fdd9658 100644 --- a/test/mocks/ssl/mocks.h +++ b/test/mocks/ssl/mocks.h @@ -28,7 +28,8 @@ class MockContextManager : public ContextManager { (Stats::Scope & scope, const ClientContextConfig& config)); MOCK_METHOD(ServerContextSharedPtr, createSslServerContext, (Stats::Scope & stats, const ServerContextConfig& config, - const std::vector& server_names)); + const std::vector& server_names, + ContextAdditionalInitFunc additional_init)); MOCK_METHOD(absl::optional, daysUntilFirstCertExpires, (), (const)); MOCK_METHOD(absl::optional, secondsUntilFirstOcspResponseExpires, (), (const)); MOCK_METHOD(void, iterateContexts, (std::function callback)); 
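Review bot: `MockServerContextConfig` now defaults `capabilities_.provides_ciphers_and_curves` and `capabilities_.provides_sigalgs` to `true` while `sigalgs_` and `alpn_` are empty and `ciphers_` is `"RSA"` (see the member initializers in the mocks.h hunk on the next line), so every server-context test that accepts the mock defaults now tells the context that the handshaker supplies ciphers and signature algorithms, presumably bypassing the context's own cipher/sigalg setup. That is a much stronger assumption than the previous `= default` constructor made and nothing in the hunk says why it is wanted. Please add a comment above the two capability lines, e.g. `// Claim the handshaker provides ciphers/curves and sigalgs so the default mock does not trigger the context's own configuration; tests of that configuration must reset capabilities_.` The `ON_CALL` lines sharing `iplist_` for both `tlsKeyLogLocal()` and `tlsKeyLogRemote()` are fine for a mock but deserve a one-word `// shared` note so nobody reads it as a copy-paste slip.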
@@ -148,6 +149,14 @@ class MockServerContextConfig : public ServerContextConfig { MOCK_METHOD(const std::string&, tlsKeyLogPath, (), (const)); MOCK_METHOD(AccessLog::AccessLogManager&, accessLogManager, (), (const)); MOCK_METHOD(bool, fullScanCertsOnSNIMismatch, (), (const)); + + Ssl::HandshakerCapabilities capabilities_; + std::string ciphers_{"RSA"}; + std::string alpn_{""}; + std::string sigalgs_{""}; + Network::Address::IpList iplist_; + std::string path_; + std::vector ticket_keys_; }; class MockTlsCertificateConfig : public TlsCertificateConfig { diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh index 7f02290a378e..cd8f977a61fb 100755 --- a/test/per_file_coverage.sh +++ b/test/per_file_coverage.sh @@ -17,7 +17,7 @@ declare -a KNOWN_LOW_COVERAGE=( "source/common/matcher:94.6" "source/common/network:94.4" # Flaky, `activateFileEvents`, `startSecureTransport` and `ioctl`, listener_socket do not always report LCOV "source/common/network/dns_resolver:91.4" # A few lines of MacOS code not tested in linux scripts. Tested in MacOS scripts -"source/common/quic:93.4" +"source/common/quic:93.3" "source/common/secret:95.1" "source/common/signal:87.2" # Death tests don't report LCOV "source/common/thread:0.0" # Death tests don't report LCOV diff --git a/test/server/ssl_context_manager_test.cc b/test/server/ssl_context_manager_test.cc index 928fbb124b9b..dbe2bdc8db6e 100644 --- a/test/server/ssl_context_manager_test.cc +++ b/test/server/ssl_context_manager_test.cc 
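Review bot: The new members in the `@@ -148,6 +149,14 @@` hunk initialize `alpn_` and `sigalgs_` with `{""}` while `path_` two lines below relies on `std::string`'s default construction; the three are the same type and should be written the same way, `std::string alpn_;` and `std::string sigalgs_;`. A one-line comment on `capabilities_` saying that the mock constructor in mocks.cc sets `provides_ciphers_and_curves` and `provides_sigalgs` to true would spare readers a trip to the other file. The class header is outside the hunk, so whether these fields end up in a `public:` section could not be confirmed here.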
@@ -28,8 +28,9 @@ TEST(SslContextManager, createStub) { EXPECT_EQ(manager->secondsUntilFirstOcspResponseExpires(), absl::nullopt); EXPECT_THROW_WITH_MESSAGE(manager->createSslClientContext(scope, client_config), EnvoyException, "SSL is not supported in this configuration"); - EXPECT_THROW_WITH_MESSAGE(manager->createSslServerContext(scope, server_config, server_names), - EnvoyException, "SSL is not supported in this configuration"); + EXPECT_THROW_WITH_MESSAGE( + manager->createSslServerContext(scope, server_config, server_names, nullptr), EnvoyException, + "SSL is not supported in this configuration"); EXPECT_NO_THROW(manager->iterateContexts([](const Envoy::Ssl::Context&) -> void {})); } From 5fc7662fb807b5ad0e882532857d102bb5c705df Mon Sep 17 00:00:00 2001 From: Fredy Wijaya Date: Wed, 6 Mar 2024 11:07:11 -0600 Subject: [PATCH 32/34] mobile: Use direct ByteBuffer to pass data between C++ and Java (#32715) 
Signed-off-by: Fredy Wijaya --- .../io/envoyproxy/envoymobile/engine/BUILD | 1 + .../envoymobile/engine/ByteBuffers.java | 17 ++++++++++ .../engine/JvmCallbackContext.java | 13 +++---- .../envoymobile/engine/JvmFilterContext.java | 34 ++++++++++++------- .../engine/types/EnvoyHTTPFilter.java | 1 - mobile/library/jni/jni_helper.cc | 7 ++++ mobile/library/jni/jni_helper.h | 8 +++++ mobile/library/jni/jni_impl.cc | 16 ++++----- mobile/library/jni/jni_utility.cc | 9 +++-- mobile/library/jni/jni_utility.h | 5 ++- .../io/envoyproxy/envoymobile/engine/BUILD | 20 +++++++++++ .../envoymobile/engine/ByteBuffersTest.java | 26 ++++++++++++++ .../envoymobile/jni/JniHelperTest.java | 13 +++++++ .../utilities/ByteBuffersTest.java | 7 ++++ mobile/test/jni/jni_helper_test.cc | 10 ++++++ 15 files changed, 154 insertions(+), 33 deletions(-) create mode 100644 mobile/library/java/io/envoyproxy/envoymobile/engine/ByteBuffers.java create mode 100644 mobile/test/java/io/envoyproxy/envoymobile/engine/ByteBuffersTest.java create mode 100644 mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD index a0027ccd1777..d9151b35416e 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/BUILD @@ -30,6 +30,7 @@ android_library( java_library( name = "envoy_base_engine_lib", srcs = [ + "ByteBuffers.java", "EnvoyConfiguration.java", "EnvoyEngine.java", "EnvoyEngineImpl.java", diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/ByteBuffers.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/ByteBuffers.java new file mode 100644 index 000000000000..a514e4dfe07c --- /dev/null +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/ByteBuffers.java 
@@ -0,0 +1,17 @@
+package io.envoyproxy.envoymobile.engine;
+
+import java.nio.ByteBuffer;
+
+public class ByteBuffers {
+ /**
+ * Copies the specified `ByteBuffer` into a new `ByteBuffer`. The `ByteBuffer` created will
+ * be backed by `byte[]`.
+ */
+ public static ByteBuffer copy(ByteBuffer byteBuffer) {
+ byte[] bytes = new byte[byteBuffer.capacity()];
+ byteBuffer.get(bytes);
+ return ByteBuffer.wrap(bytes);
+ }
+
+ private ByteBuffers() {}
+}
diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java
index e37972fd3bb8..ed793eb86b17 100644
--- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java
+++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmCallbackContext.java
@@ -1,10 +1,6 @@
 package io.envoyproxy.envoymobile.engine;
 
 import java.nio.ByteBuffer;
-import java.util.concurrent.atomic.AtomicBoolean;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 
 import io.envoyproxy.envoymobile.engine.types.EnvoyHTTPCallbacks;
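Review bot: `ByteBuffers.copy` sizes the destination from `byteBuffer.capacity()` and then calls `byteBuffer.get(bytes)`, which throws `BufferUnderflowException` as soon as fewer than `capacity()` bytes remain (position not at 0, or limit below capacity) and, when it succeeds, advances the source's position as a side effect on the caller's buffer. The JNI-created buffers it is used on happen to have position 0 and limit equal to capacity, but the helper is public and its Javadoc promises a plain copy, so it should copy exactly the readable window without consuming the source: `byte[] bytes = new byte[byteBuffer.remaining()]; byteBuffer.duplicate().get(bytes); return ByteBuffer.wrap(bytes);`. The Javadoc should then state that `remaining()` bytes from the current position are copied and the source is left untouched, and `ByteBuffersTest.testCopy` in this patch would drop its second `source.flip()`, which exists only because the current implementation consumes the source.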
@@ -76,14 +72,15 @@ public Object onResponseTrailers(long trailerCount, long[] streamIntel) { * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object, not used for response callbacks. */ - public Object onResponseData(byte[] data, boolean endStream, long[] streamIntel) { + public Object onResponseData(ByteBuffer data, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); callbacks.getExecutor().execute(new Runnable() { public void run() { - ByteBuffer dataBuffer = ByteBuffer.wrap(data); - callbacks.onData(dataBuffer, endStream, new EnvoyStreamIntelImpl(streamIntel)); + callbacks.onData(copiedData, endStream, new EnvoyStreamIntelImpl(streamIntel)); } }); - return null; } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java index 4c1921ce26c1..162b5f53f67f 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/JvmFilterContext.java 
@@ -65,10 +65,12 @@ public Object onRequestHeaders(long headerCount, boolean endStream, long[] strea * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], pair of HTTP filter status and optional modified data. */ - public Object onRequestData(byte[] data, boolean endStream, long[] streamIntel) { - ByteBuffer dataBuffer = ByteBuffer.wrap(data); + public Object onRequestData(ByteBuffer data, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); return toJniFilterDataStatus( - filter.onRequestData(dataBuffer, endStream, new EnvoyStreamIntelImpl(streamIntel))); + filter.onRequestData(copiedData, endStream, new EnvoyStreamIntelImpl(streamIntel))); } /** @@ -108,10 +110,12 @@ public Object onResponseHeaders(long headerCount, boolean endStream, long[] stre * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], pair of HTTP filter status and optional modified data. */ - public Object onResponseData(byte[] data, boolean endStream, long[] streamIntel) { - ByteBuffer dataBuffer = ByteBuffer.wrap(data); + public Object onResponseData(ByteBuffer data, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); return toJniFilterDataStatus( - filter.onResponseData(dataBuffer, endStream, new EnvoyStreamIntelImpl(streamIntel))); + filter.onResponseData(copiedData, endStream, new EnvoyStreamIntelImpl(streamIntel))); } /** 
@@ -138,22 +142,24 @@ public Object onResponseTrailers(long trailerCount, long[] streamIntel) { * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], tuple of status with updated entities to be forwarded. */ - public Object onResumeRequest(long headerCount, byte[] data, long trailerCount, boolean endStream, - long[] streamIntel) { + public Object onResumeRequest(long headerCount, ByteBuffer data, long trailerCount, + boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); // Headers are optional in this call, and a negative length indicates omission. Map> headers = null; if (headerCount >= 0) { assert headerUtility.validateCount(headerCount); headers = headerUtility.retrieveHeaders(); } - ByteBuffer dataBuffer = data == null ? null : ByteBuffer.wrap(data); // Trailers are optional in this call, and a negative length indicates omission. Map> trailers = null; if (trailerCount >= 0) { assert trailerUtility.validateCount(trailerCount); trailers = trailerUtility.retrieveHeaders(); } - return toJniFilterResumeStatus(filter.onResumeRequest(headers, dataBuffer, trailers, endStream, + return toJniFilterResumeStatus(filter.onResumeRequest(headers, copiedData, trailers, endStream, new EnvoyStreamIntelImpl(streamIntel))); } 
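Review bot: `onResumeRequest` now calls `ByteBuffers.copy(data)` unconditionally, but the line it replaces, `ByteBuffer dataBuffer = data == null ? null : ByteBuffer.wrap(data);`, handled a null body, and the JNI caller in jni_impl.cc (`jvm_http_filter_on_resume`) still leaves `j_in_data` null when no `envoy_data` is present, so the callback will throw `NullPointerException` from inside the JNI upcall for body-less resumes. Keep the null case: `ByteBuffer copiedData = data == null ? null : ByteBuffers.copy(data);`. `onResumeResponse` in the following hunk has the same regression; the headers/trailers handling in both methods is unchanged and not at issue.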
@@ -167,22 +173,24 @@ public Object onResumeRequest(long headerCount, byte[] data, long trailerCount, * @param streamIntel, internal HTTP stream metrics, context, and other details. * @return Object[], tuple of status with updated entities to be forwarded. */ - public Object onResumeResponse(long headerCount, byte[] data, long trailerCount, + public Object onResumeResponse(long headerCount, ByteBuffer data, long trailerCount, boolean endStream, long[] streamIntel) { + // Create a copy of the `data` because the `data` uses direct `ByteBuffer` and the `data` will + // be destroyed after calling this callback. + ByteBuffer copiedData = ByteBuffers.copy(data); // Headers are optional in this call, and a negative length indicates omission. Map> headers = null; if (headerCount >= 0) { assert headerUtility.validateCount(headerCount); headers = headerUtility.retrieveHeaders(); } - ByteBuffer dataBuffer = data == null ? null : ByteBuffer.wrap(data); // Trailers are optional in this call, and a negative length indicates omission. Map> trailers = null; if (trailerCount >= 0) { assert trailerUtility.validateCount(trailerCount); trailers = trailerUtility.retrieveHeaders(); } - return toJniFilterResumeStatus(filter.onResumeResponse(headers, dataBuffer, trailers, endStream, + return toJniFilterResumeStatus(filter.onResumeResponse(headers, copiedData, trailers, endStream, new EnvoyStreamIntelImpl(streamIntel))); } diff --git a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java index 17ba29d65171..06c05614cf8e 100644 --- a/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java +++ b/mobile/library/java/io/envoyproxy/envoymobile/engine/types/EnvoyHTTPFilter.java @@ -1,7 +1,6 @@ package io.envoyproxy.envoymobile.engine.types; import java.nio.ByteBuffer; -import java.util.concurrent.Executor; import java.util.List; import java.util.Map; 
diff --git a/mobile/library/jni/jni_helper.cc b/mobile/library/jni/jni_helper.cc index 44beb06fc9ca..53a145cb4969 100644 --- a/mobile/library/jni/jni_helper.cc +++ b/mobile/library/jni/jni_helper.cc @@ -189,6 +189,13 @@ void JniHelper::callStaticVoidMethod(jclass clazz, jmethodID method_id, ...) { rethrowException(); } +LocalRefUniquePtr JniHelper::newDirectByteBuffer(void* address, jlong capacity) { + LocalRefUniquePtr result(env_->NewDirectByteBuffer(address, capacity), + LocalRefDeleter(env_)); + rethrowException(); + return result; +} + jlong JniHelper::getDirectBufferCapacity(jobject buffer) { return env_->GetDirectBufferCapacity(buffer); } diff --git a/mobile/library/jni/jni_helper.h b/mobile/library/jni/jni_helper.h index 8b5f2e9e8f81..d27294a5cf12 100644 --- a/mobile/library/jni/jni_helper.h +++ b/mobile/library/jni/jni_helper.h @@ -369,6 +369,14 @@ class JniHelper { return result; } + /** + * Allocates and returns a direct `java.nio.ByteBuffer` referring to the block of memory starting + * at the memory address `address` and extending `capacity` bytes. + * + * https://docs.oracle.com/en/java/javase/17/docs/specs/jni/functions.html#newdirectbytebuffer + */ + LocalRefUniquePtr newDirectByteBuffer(void* address, jlong capacity); + /** * Returns the capacity of the memory region referenced by the given `java.nio.Buffer` object. * diff --git a/mobile/library/jni/jni_impl.cc b/mobile/library/jni/jni_impl.cc index 0e929f40246c..3146f9271002 100644 --- a/mobile/library/jni/jni_impl.cc +++ b/mobile/library/jni/jni_impl.cc 
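Review bot: The doc comment on `newDirectByteBuffer` in the jni_helper.h hunk says the method "Allocates" a buffer, but `NewDirectByteBuffer` only wraps `address`; the JVM neither copies nor owns that memory, so the buffer is valid only for as long as the caller keeps `address` alive, and Java code can retain the object past the call. The comment should state the ownership rule, e.g. `* The returned buffer aliases `address` without copying. The caller retains ownership of the memory and must keep it valid for as long as any Java code can reach the buffer.` In the jni_helper.cc hunk, `NewDirectByteBuffer` can also (per the JNI spec) return null without a pending exception when the VM does not support direct buffer access, which `rethrowException()` does not cover; a null check on `result.get()` or a sentence in the header comment that a null return is possible would help callers.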
@@ -343,11 +343,11 @@ static Envoy::JNI::LocalRefUniquePtr jvm_on_data(const char* metho Envoy::JNI::LocalRefUniquePtr jcls_JvmCallbackContext = jni_helper.getObjectClass(j_context); - jmethodID jmid_onData = - jni_helper.getMethodId(jcls_JvmCallbackContext.get(), method, "([BZ[J)Ljava/lang/Object;"); + jmethodID jmid_onData = jni_helper.getMethodId(jcls_JvmCallbackContext.get(), method, + "(Ljava/nio/ByteBuffer;Z[J)Ljava/lang/Object;"); - Envoy::JNI::LocalRefUniquePtr j_data = - Envoy::JNI::envoyDataToJavaByteArray(jni_helper, data); + Envoy::JNI::LocalRefUniquePtr j_data = + Envoy::JNI::envoyDataToJavaByteBuffer(jni_helper, data); Envoy::JNI::LocalRefUniquePtr j_stream_intel = Envoy::JNI::envoyStreamIntelToJavaLongArray(jni_helper, stream_intel); Envoy::JNI::LocalRefUniquePtr result = jni_helper.callObjectMethod( @@ -605,10 +605,10 @@ jvm_http_filter_on_resume(const char* method, envoy_headers* headers, envoy_data headers_length = static_cast(headers->length); passHeaders("passHeader", *headers, j_context); } - Envoy::JNI::LocalRefUniquePtr j_in_data = Envoy::JNI::LocalRefUniquePtr( + Envoy::JNI::LocalRefUniquePtr j_in_data = Envoy::JNI::LocalRefUniquePtr( nullptr, Envoy::JNI::LocalRefDeleter(jni_helper.getEnv())); if (data) { - j_in_data = Envoy::JNI::envoyDataToJavaByteArray(jni_helper, *data); + j_in_data = Envoy::JNI::envoyDataToJavaByteBuffer(jni_helper, *data); } jlong trailers_length = -1; if (trailers) { 
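Review bot: In `jvm_on_data` and `jvm_http_filter_on_resume` the `j_data`/`j_in_data` object handed to Java now aliases `data.bytes` via `envoyDataToJavaByteBuffer` instead of being a copy, and the only thing preventing a use-after-free is the Java-side convention (the `ByteBuffers.copy` calls and their comments in JvmCallbackContext/JvmFilterContext) that the callee copies before returning. That contract should be visible at the C++ call sites too, since this is where the lifetime is decided: `// j_data aliases data.bytes with no copy; the Java callee must copy before returning (see ByteBuffers.copy), as data is released after the call.` The release of `data` after the callback is inferred from the Java comments; if it actually happens elsewhere, the comment should point there instead.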
@@ -620,8 +620,8 @@ jvm_http_filter_on_resume(const char* method, envoy_headers* headers, envoy_data Envoy::JNI::LocalRefUniquePtr jcls_JvmCallbackContext = jni_helper.getObjectClass(j_context); - jmethodID jmid_onResume = - jni_helper.getMethodId(jcls_JvmCallbackContext.get(), method, "(J[BJZ[J)Ljava/lang/Object;"); + jmethodID jmid_onResume = jni_helper.getMethodId( + jcls_JvmCallbackContext.get(), method, "(JLjava/nio/ByteBuffer;JZ[J)Ljava/lang/Object;"); // Note: be careful of JVM types. Before we casted to jlong we were getting integer problems. // TODO: make this cast safer. Envoy::JNI::LocalRefUniquePtr result = jni_helper.callObjectMethod( diff --git a/mobile/library/jni/jni_utility.cc b/mobile/library/jni/jni_utility.cc index 998a57b024c9..fa5f91049e08 100644 --- a/mobile/library/jni/jni_utility.cc +++ b/mobile/library/jni/jni_utility.cc @@ -79,6 +79,11 @@ LocalRefUniquePtr envoyDataToJavaByteArray(JniHelper& jni_helper, en return j_data; } +LocalRefUniquePtr envoyDataToJavaByteBuffer(JniHelper& jni_helper, envoy_data data) { + return jni_helper.newDirectByteBuffer( + const_cast(reinterpret_cast(data.bytes)), data.length); +} + LocalRefUniquePtr envoyStreamIntelToJavaLongArray(JniHelper& jni_helper, envoy_stream_intel stream_intel) { LocalRefUniquePtr j_array = jni_helper.newLongArray(4); @@ -151,10 +156,10 @@ envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data) { return native_data; } - return javaByteBufferToEnvoyData(jni_helper, j_data, static_cast(data_length)); + return javaByteBufferToEnvoyData(jni_helper, j_data, data_length); } -envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, size_t data_length) { +envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, jlong data_length) { // Returns nullptr if the buffer is not a direct buffer. uint8_t* direct_address = jni_helper.getDirectBufferAddress(j_data); 
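Review bot: `envoyDataToJavaByteBuffer` strips `const` from `data.bytes` with `const_cast` so that `NewDirectByteBuffer` accepts the pointer, which hands Java a writable `ByteBuffer` over memory that `envoy_data` exposes as read-only; a Java filter that writes into the buffer it receives would silently modify the native payload. Either document the constraint at the definition, `// Writable from Java; data.bytes must not be modified through the returned buffer.`, or have the Java side wrap with `asReadOnlyBuffer()` before the buffer reaches filter code. In the second hunk, `javaByteBufferToEnvoyData` now takes `data_length` as a signed `jlong`; if that value can come from `getDirectBufferCapacity`, which returns -1 for a non-direct buffer, the body (which continues outside the hunk) should reject negative lengths before any conversion to `size_t`.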
diff --git a/mobile/library/jni/jni_utility.h b/mobile/library/jni/jni_utility.h index e98233891929..01ba556fff91 100644 --- a/mobile/library/jni/jni_utility.h +++ b/mobile/library/jni/jni_utility.h @@ -57,6 +57,9 @@ envoy_data javaByteArrayToEnvoyData(JniHelper& jni_helper, jbyteArray j_data, si /** Converts from `envoy_data` to Java byte array. */ LocalRefUniquePtr envoyDataToJavaByteArray(JniHelper& jni_helper, envoy_data data); +/** Converts from `envoy_data to `java.nio.ByteBuffer`. */ +LocalRefUniquePtr envoyDataToJavaByteBuffer(JniHelper& jni_helper, envoy_data data); + /** Converts from `envoy_stream_intel` to Java long array. */ LocalRefUniquePtr envoyStreamIntelToJavaLongArray(JniHelper& jni_helper, envoy_stream_intel stream_intel); @@ -76,7 +79,7 @@ LocalRefUniquePtr envoyDataToJavaString(JniHelper& jni_helper, envoy_da envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data); /** Converts from Java `ByteBuffer` to `envoy_data` with the given length. */ -envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, size_t data_length); +envoy_data javaByteBufferToEnvoyData(JniHelper& jni_helper, jobject j_data, jlong data_length); /** Returns the pointer of conversion from Java `ByteBuffer` to `envoy_data`. */ envoy_data* javaByteBufferToEnvoyDataPtr(JniHelper& jni_helper, jobject j_data); diff --git a/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD b/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD index 2228e7fe9a75..7aebe085cebf 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD +++ b/mobile/test/java/io/envoyproxy/envoymobile/engine/BUILD 
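Review bot: The new declaration comment `/** Converts from `envoy_data to `java.nio.ByteBuffer`. */` is missing the closing backtick after `envoy_data`, and "Converts" suggests a copy, whereas the definition in jni_utility.cc wraps `data.bytes` directly. Suggest `/** Wraps `envoy_data` in a direct `java.nio.ByteBuffer` that aliases `data.bytes`; no copy is made, so the buffer must not outlive `data`. */`. The second hunk changes `data_length` to `jlong` without touching the comment; it should say whether negative values are accepted.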
@@ -67,3 +67,23 @@ envoy_mobile_android_test( "//test/kotlin/io/envoyproxy/envoymobile/mocks:mocks_lib", ], ) + +envoy_mobile_android_test( + name = "byte_buffers_test", + srcs = [ + "ByteBuffersTest.java", + ], + associates = ["//library/kotlin/io/envoyproxy/envoymobile:envoy_interfaces_lib"], + native_deps = [ + "//test/jni:libenvoy_jni_with_test_extensions.so", + ] + select({ + "@platforms//os:macos": [ + "//test/jni:libenvoy_jni_with_test_extensions_jnilib", + ], + "//conditions:default": [], + }), + native_lib_name = "envoy_jni_with_test_extensions", + deps = [ + "//library/java/io/envoyproxy/envoymobile/engine:envoy_base_engine_lib", + ], +) diff --git a/mobile/test/java/io/envoyproxy/envoymobile/engine/ByteBuffersTest.java b/mobile/test/java/io/envoyproxy/envoymobile/engine/ByteBuffersTest.java new file mode 100644 index 000000000000..8fc4d416ca73 --- /dev/null +++ b/mobile/test/java/io/envoyproxy/envoymobile/engine/ByteBuffersTest.java @@ -0,0 +1,26 @@ +package io.envoyproxy.envoymobile.engine; + +import static com.google.common.truth.Truth.assertThat; + +import androidx.test.ext.junit.runners.AndroidJUnit4; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import java.nio.ByteBuffer; + +@RunWith(AndroidJUnit4.class) +public class ByteBuffersTest { + @Test + public void testCopy() { + ByteBuffer source = ByteBuffer.allocateDirect(3); + source.put((byte)1); + source.put((byte)2); + source.put((byte)3); + source.flip(); + + ByteBuffer dest = ByteBuffers.copy(source); + source.flip(); + assertThat(dest).isEqualTo(source); + } +} diff --git a/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java b/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java index be94a93f526b..c3cc7c61cbe6 100644 --- a/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java +++ b/mobile/test/java/io/envoyproxy/envoymobile/jni/JniHelperTest.java 
@@ -7,6 +7,9 @@ import org.junit.runner.RunWith; import org.robolectric.RobolectricTestRunner; +import java.nio.ByteBuffer; +import java.nio.ByteOrder; + @RunWith(RobolectricTestRunner.class) public class JniHelperTest { public JniHelperTest() { System.loadLibrary("envoy_jni_helper_test"); } @@ -84,6 +87,7 @@ public static native boolean callStaticBooleanMethod(Class clazz, String name String signature); public static native void callStaticVoidMethod(Class clazz, String name, String signature); public static native Object callStaticObjectMethod(Class clazz, String name, String signature); + public static native Object newDirectByteBuffer(); //================================================================================ // Object methods used for CallMethod tests. @@ -424,4 +428,13 @@ public void testCallStaticObjectMethod() { callStaticObjectMethod(JniHelperTest.class, "staticObjectMethod", "()Ljava/lang/String;")) .isEqualTo("Hello"); } + + @Test + public void testNewDirectByteBuffer() { + ByteBuffer byteBuffer = ((ByteBuffer)newDirectByteBuffer()).order(ByteOrder.LITTLE_ENDIAN); + assertThat(byteBuffer.capacity()).isEqualTo(3); + assertThat(byteBuffer.get(0)).isEqualTo(1); + assertThat(byteBuffer.get(1)).isEqualTo(2); + assertThat(byteBuffer.get(2)).isEqualTo(3); + } } diff --git a/mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java b/mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java new file mode 100644 index 000000000000..e4d214140a6f --- /dev/null +++ b/mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java @@ -0,0 +1,7 @@ +package io.envoyproxy.envoymobile.utilities; + +import org.junit.runner.RunWith; +import org.robolectric.RobolectricTestRunner; + +@RunWith(RobolectricTestRunner.class) +public class ByteBuffersTest {} diff --git a/mobile/test/jni/jni_helper_test.cc b/mobile/test/jni/jni_helper_test.cc index 2d76984b3d03..d0e66a0c7fb5 100644 --- a/mobile/test/jni/jni_helper_test.cc 
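Review bot: `mobile/test/java/io/envoyproxy/envoymobile/utilities/ByteBuffersTest.java` is added as an empty class under `RobolectricTestRunner` with no `@Test` method, and it is not referenced by the BUILD change in this patch (only `engine/ByteBuffersTest.java` is), so it looks like a leftover from moving the test and should be dropped. In `JniHelperTest.testNewDirectByteBuffer`, `.order(ByteOrder.LITTLE_ENDIAN)` has no effect on the single-byte `get(int)` reads that follow and can go together with the `ByteOrder` import.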
+++ b/mobile/test/jni/jni_helper_test.cc
@@ -224,3 +224,13 @@ Java_io_envoyproxy_envoymobile_jni_JniHelperTest_callStaticObjectMethod(JNIEnv*
 jmethodID method_id = jni_helper.getStaticMethodId(clazz, name_ptr.get(), sig_ptr.get());
 return jni_helper.callStaticObjectMethod(clazz, method_id).release();
 }
+
+extern "C" JNIEXPORT jobject JNICALL
+Java_io_envoyproxy_envoymobile_jni_JniHelperTest_newDirectByteBuffer(JNIEnv* env, jclass) {
+ Envoy::JNI::JniHelper jni_helper(env);
+ char* bytes = new char[3];
+ bytes[0] = 1;
+ bytes[1] = 2;
+ bytes[2] = 3;
+ return jni_helper.newDirectByteBuffer(reinterpret_cast(bytes), sizeof(char) * 3).release();
+}
From 90846c65d584205530e450389fe25e4b63a1d69c Mon Sep 17 00:00:00 2001 From: Steve Wang <794155+steveWang@users.noreply.github.com> Date: Wed, 6 Mar 2024 14:33:57 -0500 Subject: [PATCH 33/34] Delete unused runtime flag. (#32739) envoy.reloadable_features.quiche_use_mem_slice_releasor_api is no longer used as of #32570. Signed-off-by: Steve Wang --- source/common/runtime/runtime_features.cc | 2 -- test/common/quic/BUILD | 2 -- test/common/quic/envoy_quic_client_stream_test.cc | 5 ----- test/common/quic/envoy_quic_server_stream_test.cc | 5 ----- 4 files changed, 14 deletions(-) diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc index 79b6470b49fb..f709e7a24984 100644 --- a/source/common/runtime/runtime_features.cc +++ b/source/common/runtime/runtime_features.cc
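Review bot: `Java_io_envoyproxy_envoymobile_jni_JniHelperTest_newDirectByteBuffer` allocates `bytes` with `new char[3]` and never frees it; `NewDirectByteBuffer` does not take ownership, so the test leaks on every call and, worse, models the wrong ownership contract for anyone using it as a reference. Use storage whose lifetime is explicit and outlives the returned buffer: `static char bytes[] = {1, 2, 3};` and `return jni_helper.newDirectByteBuffer(bytes, sizeof(bytes)).release();`, which also removes the `reinterpret_cast` and the `sizeof(char) * 3` arithmetic.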
@@ -129,8 +129,6 @@ FALSE_RUNTIME_GUARD(envoy_reloadable_features_always_use_v6); FALSE_RUNTIME_GUARD(envoy_reloadable_features_refresh_rtt_after_request); // TODO(danzh) false deprecate it once QUICHE has its own enable/disable flag. FALSE_RUNTIME_GUARD(envoy_reloadable_features_quic_reject_all); -// TODO(steveWang) flip this to true after this is verified in prod. -FALSE_RUNTIME_GUARD(envoy_reloadable_features_quiche_use_mem_slice_releasor_api); // TODO(suniltheta): Once the newly added http async technique is stabilized move it under // RUNTIME_GUARD so that this option becomes default enabled. Once this option proves effective // remove the feature flag and remove code path that relies on old technique to fetch credentials diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index 13cb63c6c5ee..6c0fff13ff16 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD @@ -128,7 +128,6 @@ envoy_cc_test( "//test/mocks/http:http_mocks", "//test/mocks/http:stream_decoder_mock", "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", "@com_github_google_quiche//:quic_test_tools_qpack_qpack_test_utils_lib", @@ -150,7 +149,6 @@ envoy_cc_test( "//test/mocks/http:http_mocks", "//test/mocks/http:stream_decoder_mock", "//test/mocks/network:network_mocks", - "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", "@com_github_google_quiche//:quic_core_http_spdy_session_lib", "@com_github_google_quiche//:quic_test_tools_qpack_qpack_test_utils_lib", diff --git a/test/common/quic/envoy_quic_client_stream_test.cc b/test/common/quic/envoy_quic_client_stream_test.cc index 7daf1fe0db1c..b579c6962130 100644 --- a/test/common/quic/envoy_quic_client_stream_test.cc +++ b/test/common/quic/envoy_quic_client_stream_test.cc 
@@ -8,7 +8,6 @@
 #include "test/mocks/http/mocks.h"
 #include "test/mocks/http/stream_decoder.h"
 #include "test/mocks/network/mocks.h"
-#include "test/test_common/test_runtime.h"
 #include "test/test_common/utility.h"
 #include "gmock/gmock.h"
@@ -249,10 +248,6 @@ TEST_F(EnvoyQuicClientStreamTest, PostRequestAndResponse) {
 }
 TEST_F(EnvoyQuicClientStreamTest, PostRequestAndResponseWithMemSliceReleasor) {
- TestScopedRuntime scoped_runtime;
- scoped_runtime.mergeValues(
- {{"envoy.reloadable_features.quiche_use_mem_slice_releasor_api", "true"}});
-
 EXPECT_EQ(absl::nullopt, quic_stream_->http1StreamEncoderOptions());
 const auto result = quic_stream_->encodeHeaders(request_headers_, false);
 EXPECT_TRUE(result.ok());
diff --git a/test/common/quic/envoy_quic_server_stream_test.cc b/test/common/quic/envoy_quic_server_stream_test.cc
index 5f976e56ba57..51f1e01045e9 100644
--- a/test/common/quic/envoy_quic_server_stream_test.cc
+++ b/test/common/quic/envoy_quic_server_stream_test.cc
@@ -15,7 +15,6 @@
 #include "test/mocks/http/mocks.h"
 #include "test/mocks/http/stream_decoder.h"
 #include "test/mocks/network/mocks.h"
-#include "test/test_common/test_runtime.h"
 #include "test/test_common/test_time.h"
 #include "test/test_common/utility.h"
@@ -287,10 +286,6 @@ TEST_F(EnvoyQuicServerStreamTest, PostRequestAndResponse) {
 }
 TEST_F(EnvoyQuicServerStreamTest, PostRequestAndResponseWithMemSliceReleasor) {
- TestScopedRuntime scoped_runtime;
- scoped_runtime.mergeValues(
- {{"envoy.reloadable_features.quiche_use_mem_slice_releasor_api", "true"}});
-
 EXPECT_EQ(absl::nullopt, quic_stream_->http1StreamEncoderOptions());
 receiveRequest(request_body_, true, request_body_.size() * 2);
 quic_stream_->encodeHeaders(response_headers_, /*end_stream=*/false);
From 517f253b3b2ca7fb75ad5a5bc8d386f02081f96a Mon Sep 17 00:00:00 2001
From: Loong Dai
Date: Thu, 7 Mar 2024 04:19:19 +0800
Subject: [PATCH 34/34] update CODEOWNER (#32457)
Signed-off-by: Loong
---
 CODEOWNERS | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index d08360957e56..487613e1eccc 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -249,9 +249,9 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/filters/http/rbac @yangminzhu @yanavlasov
 /*/extensions/filters/common/rbac @yangminzhu @yanavlasov
 # tap
-/*/extensions/filters/http/tap @mattklein123 @daixiang0
-/*/extensions/common/tap @mattklein123 @daixiang0
-/*/extensions/transport_sockets/tap @mattklein123 @daixiang0
+/*/extensions/filters/http/tap @mattklein123 @xu1zhou
+/*/extensions/common/tap @mattklein123 @xu1zhou
+/*/extensions/transport_sockets/tap @mattklein123 @xu1zhou
 # local rate limit
 /*/extensions/filters/network/local_ratelimit @mattklein123 @wbpcode
 /*/extensions/filters/listener/local_ratelimit @mattklein123 @JuniorHsu
