diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc
index 2e0712c2b0a46..4c8ffad7f07a7 100644
--- a/source/common/upstream/upstream_impl.cc
+++ b/source/common/upstream/upstream_impl.cc
@@ -894,13 +894,7 @@ Network::TransportSocketFactoryPtr createTransportSocketFactory(
 // if necessary.
 auto transport_socket = config.transport_socket();
 if (!config.has_transport_socket()) {
- if (config.has_hidden_envoy_deprecated_tls_context()) {
- transport_socket.set_name("envoy.transport_sockets.tls");
- transport_socket.mutable_typed_config()->PackFrom(
- config.hidden_envoy_deprecated_tls_context());
- } else {
- transport_socket.set_name("envoy.transport_sockets.raw_buffer");
- }
+ transport_socket.set_name("envoy.transport_sockets.raw_buffer");
 }
 auto& config_factory = Config::Utility::getAndCheckFactory<
diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
index 6650a021ebaf8..ef8d2c89c641a 100644
--- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
+++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
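Review bot: After this hunk a cluster that still carries the deprecated `tls_context` field (the old side references it as `has_hidden_envoy_deprecated_tls_context()`) takes the new unconditional `set_name("envoy.transport_sockets.raw_buffer")`, i.e. an upstream that was meant to be TLS would be dialed in plaintext, unless the field is removed from the proto or rejected at config load elsewhere in this change, which is not visible here. If that rejection exists, a one-line comment at the new `set_name` would save the next reader the search: `// A deprecated tls_context is rejected at config load; no transport_socket therefore means plaintext.` If it does not, an explicit guard ahead of the fallback is safer than a silent downgrade, e.g. `if (config.has_hidden_envoy_deprecated_tls_context()) { throw EnvoyException("tls_context is no longer supported; configure transport_socket instead"); }`. The same fallback is introduced for filter chains in the `listener_manager_impl.cc` hunk at -941. createTransportSocketFactory's signature and the remainder of its body lie outside the hunk.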
@@ -24,15 +24,7 @@ Cluster::Cluster(
 added_via_api, factory_context.dispatcher().timeSource()),
 dns_cache_manager_(cache_manager_factory.get()),
 dns_cache_(dns_cache_manager_->getCache(config.dns_cache_config())),
- update_callbacks_handle_(dns_cache_->addUpdateCallbacks(*this)), local_info_(local_info) {
- // Block certain TLS context parameters that don't make sense on a cluster-wide scale. We will
- // support these parameters dynamically in the future. This is not an exhaustive list of
- // parameters that don't make sense but should be the most obvious ones that a user might set
- // in error.
- if (!cluster.hidden_envoy_deprecated_tls_context().sni().empty()) {
- throw EnvoyException("dynamic_forward_proxy cluster cannot configure 'sni'");
- }
-}
+ update_callbacks_handle_(dns_cache_->addUpdateCallbacks(*this)), local_info_(local_info) {}
 void Cluster::startPreInit() {
 // If we are attaching to a pre-populated cache we need to initialize our hosts.
diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc
index d339a6cae5bc5..2c8118437951c 100644
--- a/source/server/listener_manager_impl.cc
+++ b/source/server/listener_manager_impl.cc
@@ -941,13 +941,7 @@ Network::DrainableFilterChainSharedPtr ListenerFilterChainFactoryBuilder::buildF
 // We copy by value first then override if necessary.
 auto transport_socket = filter_chain.transport_socket();
 if (!filter_chain.has_transport_socket()) {
- if (filter_chain.has_hidden_envoy_deprecated_tls_context()) {
- transport_socket.set_name("envoy.transport_sockets.tls");
- transport_socket.mutable_typed_config()->PackFrom(
- filter_chain.hidden_envoy_deprecated_tls_context());
- } else {
- transport_socket.set_name("envoy.transport_sockets.raw_buffer");
- }
+ transport_socket.set_name("envoy.transport_sockets.raw_buffer");
 }
 auto& config_factory = Config::Utility::getAndCheckFactory<
diff --git a/test/config/utility.cc b/test/config/utility.cc
index 10ad584efcbc3..820f2c60d82a8 100644
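Review bot: The constructor body that rejected a cluster-wide `sni` on a dynamic_forward_proxy cluster is dropped and nothing equivalent is added for the `transport_socket` path, so the now-empty `{}` closing the initializer list silently accepts a configuration the old code treated as an error. If the intent is that per-host SNI for this cluster type comes from elsewhere (the neighbouring `InvalidUpstreamHttpProtocolOptions` test hints at upstream HTTP protocol options), a short comment on the constructor stating that policy would stop the check from being re-added in the wrong place, e.g. `// Cluster-wide TLS parameters such as sni are intentionally not validated here; they are expected per host.` (adjust to the actual policy). The removed comment also said the old list was "not exhaustive", so some statement of what is and is not checked is worth keeping. The initializer list of Cluster::Cluster begins before this hunk.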
--- a/test/config/utility.cc
+++ b/test/config/utility.cc
@@ -807,14 +807,8 @@ void ConfigHelper::finalize(const std::vector& ports) {
 for (int j = 0; j < listener->filter_chains_size(); ++j) {
 if (tap_path) {
 auto* filter_chain = listener->mutable_filter_chains(j);
- const bool has_tls = filter_chain->has_hidden_envoy_deprecated_tls_context();
- const Protobuf::Message* tls_config = nullptr;
- if (has_tls) {
- tls_config = &filter_chain->hidden_envoy_deprecated_tls_context();
- filter_chain->clear_hidden_envoy_deprecated_tls_context();
- }
 setTapTransportSocket(tap_path.value(), fmt::format("listener_{}_{}", i, j),
- *filter_chain->mutable_transport_socket(), tls_config);
+ *filter_chain->mutable_transport_socket());
 }
 }
 }
@@ -849,14 +843,8 @@ void ConfigHelper::finalize(const std::vector& ports) {
 }
 if (tap_path) {
- const bool has_tls = cluster->has_hidden_envoy_deprecated_tls_context();
- const Protobuf::Message* tls_config = nullptr;
- if (has_tls) {
- tls_config = &cluster->hidden_envoy_deprecated_tls_context();
- cluster->clear_hidden_envoy_deprecated_tls_context();
- }
 setTapTransportSocket(tap_path.value(), absl::StrCat("cluster_", i),
- *cluster->mutable_transport_socket(), tls_config);
+ *cluster->mutable_transport_socket());
 }
 }
 ASSERT(skip_port_usage_validation_ || port_idx == ports.size() || eds_hosts ||
@@ -876,17 +864,13 @@ void ConfigHelper::finalize(const std::vector& ports) {
 finalized_ = true;
 }
-void ConfigHelper::setTapTransportSocket(const std::string& tap_path, const std::string& type,
- envoy::config::core::v3::TransportSocket& transport_socket,
- const Protobuf::Message* tls_config) {
+void ConfigHelper::setTapTransportSocket(
+ const std::string& tap_path, const std::string& type,
+ envoy::config::core::v3::TransportSocket& transport_socket) {
 // Determine inner transport socket.
 envoy::config::core::v3::TransportSocket inner_transport_socket;
 if (!transport_socket.name().empty()) {
- RELEASE_ASSERT(!tls_config, "");
 inner_transport_socket.MergeFrom(transport_socket);
- } else if (tls_config) {
- inner_transport_socket.set_name("envoy.transport_sockets.tls");
- inner_transport_socket.mutable_typed_config()->PackFrom(*tls_config);
 } else {
 inner_transport_socket.set_name("envoy.transport_sockets.raw_buffer");
 }
diff --git a/test/config/utility.h b/test/config/utility.h
index 17d634eb1cafb..1c764f11ee21e 100644
--- a/test/config/utility.h
+++ b/test/config/utility.h
@@ -374,8 +374,7 @@ class ConfigHelper {
 // Configure a tap transport socket for a cluster/filter chain.
 void setTapTransportSocket(const std::string& tap_path, const std::string& type,
- envoy::config::core::v3::TransportSocket& transport_socket,
- const Protobuf::Message* tls_config);
+ envoy::config::core::v3::TransportSocket& transport_socket);
 // The bootstrap proto Envoy will start up with.
 envoy::config::bootstrap::v3::Bootstrap bootstrap_;
diff --git a/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc b/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc
index 2f0550321a85a..595be9f596d86 100644
--- a/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc
+++ b/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc
@@ -234,30 +234,6 @@ class ClusterFactoryTest : public testing::Test {
 Server::MockOptions options_;
 };
-// Verify that using 'sni' causes a failure.
-TEST_F(ClusterFactoryTest, DEPRECATED_FEATURE_TEST(InvalidSNI)) {
- TestDeprecatedV2Api _deprecated_v2_api;
- const std::string yaml_config = TestEnvironment::substitute(R"EOF(
-name: name
-connect_timeout: 0.25s
-cluster_type:
- name: dynamic_forward_proxy
- typed_config:
- "@type": type.googleapis.com/envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig
- dns_cache_config:
- name: foo
-tls_context:
- sni: api.lyft.com
- common_tls_context:
- validation_context:
- trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
-)EOF");
-
- EXPECT_THROW_WITH_MESSAGE(createCluster(yaml_config, false), EnvoyException,
- "dynamic_forward_proxy cluster cannot configure 'sni'");
-}
-
 TEST_F(ClusterFactoryTest, InvalidUpstreamHttpProtocolOptions) {
 const std::string yaml_config = TestEnvironment::substitute(R"EOF(
 name: name
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
index 61812d034b551..1c4cb541fae78 100644
--- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc
+++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
@@ -49,6 +49,7 @@
 #include "test/test_common/utility.h"
 #include "absl/strings/str_replace.h"
+#include "absl/types/optional.h"
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "openssl/ssl.h"
@@ -617,8 +618,14 @@ void testUtilV2(const TestUtilOptionsV2& options) {
 server_factory_context;
 ON_CALL(server_factory_context, api()).WillByDefault(ReturnRef(*server_api));
- auto server_cfg = std::make_unique(
- filter_chain.hidden_envoy_deprecated_tls_context(), server_factory_context);
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
+ const envoy::config::core::v3::TransportSocket& transport_socket =
+ filter_chain.transport_socket();
+ ASSERT(transport_socket.has_typed_config());
+ transport_socket.typed_config().UnpackTo(&tls_context);
+
+ auto server_cfg = std::make_unique(tls_context, server_factory_context);
+
 ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager,
 server_stats_store, server_names);
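Review bot: The result of `transport_socket.typed_config().UnpackTo(&tls_context)` is discarded, so an `Any` whose type URL is not a DownstreamTlsContext leaves `tls_context` default-initialized (no certificates, no validation context) and the server side of the test proceeds with an empty config instead of failing at this line. The preceding `ASSERT(transport_socket.has_typed_config())` does not close that gap either if, as in Envoy's assert.h, `ASSERT` is a debug-only check. The test helper in `test/config/utility.cc` already uses the two-argument `RELEASE_ASSERT`, so the same form would pin both conditions in every build mode: `RELEASE_ASSERT(transport_socket.has_typed_config(), "");` and `RELEASE_ASSERT(transport_socket.typed_config().UnpackTo(&tls_context), "");`. testUtilV2's signature and the code that obtains `filter_chain` lie outside the hunk.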
@@ -779,26 +786,48 @@ void testUtilV2(const TestUtilOptionsV2& options) {
 }
 }
-// Configure the listener with unittest{cert,key}.pem and ca_cert.pem.
-// Configure the client with expired_san_uri_{cert,key}.pem
+void updateFilterChain(
+ const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& tls_context,
+ envoy::config::listener::v3::FilterChain& filter_chain) {
+ filter_chain.mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context);
+}
+
+struct OptionalServerConfig {
+ absl::optional cert_hash{};
+ absl::optional trusted_ca{};
+ absl::optional allow_expired_cert{};
+};
+
 void configureServerAndExpiredClientCertificate(
 envoy::config::listener::v3::Listener& listener,
- envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client) {
+ envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client,
+ const OptionalServerConfig& server_config) {
 envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains();
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
- filter_chain->mutable_hidden_envoy_deprecated_tls_context()
- ->mutable_common_tls_context()
- ->add_tls_certificates();
+ tls_context.mutable_common_tls_context()->add_tls_certificates();
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"));
+
 envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext*
- server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context()
- ->mutable_common_tls_context()
- ->mutable_validation_context();
- server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute(
- "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+ server_validation_ctx =
+ tls_context.mutable_common_tls_context()->mutable_validation_context();
+ if (server_config.trusted_ca.has_value()) {
+ server_validation_ctx->mutable_trusted_ca()->set_filename(
+ TestEnvironment::substitute(server_config.trusted_ca.value()));
+ } else {
+ server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute(
+ "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+ }
+ if (server_config.allow_expired_cert.has_value()) {
+ server_validation_ctx->set_allow_expired_certificate(server_config.allow_expired_cert.value());
+ }
+ if (server_config.cert_hash.has_value()) {
+ server_validation_ctx->add_verify_certificate_hash(server_config.cert_hash.value());
+ }
+ updateFilterChain(tls_context, *filter_chain);
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert =
 client.mutable_common_tls_context()->add_tls_certificates();
@@ -809,6 +838,16 @@ void configureServerAndExpiredClientCertificate(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem"));
 }
+TestUtilOptionsV2 createProtocolTestOptions(
+ const envoy::config::listener::v3::Listener& listener,
+ const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client_ctx,
+ Network::Address::IpVersion version, std::string protocol) {
+ std::string stats = "ssl.versions." + protocol;
+ TestUtilOptionsV2 options(listener, client_ctx, true, version);
+ options.setExpectedServerStats(stats).setExpectedClientStats(stats);
+ return options.setExpectedProtocolVersion(protocol);
+}
+
 } // namespace
 class SslSocketTest : public SslCertsTest,
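Review bot: `updateFilterChain` packs the DownstreamTlsContext into `typed_config` but never sets the transport socket's `name`, so every fixture built through it has a populated `transport_socket` with an empty name; `testUtilV2` only reads `typed_config()` so the tests pass, but the same listener proto fed to the production path in `listener_manager_impl.cc` would now skip the `has_transport_socket()` fallback and hand the empty name to `getAndCheckFactory` — whether that resolves via the type URL in this version is not visible here. Adding `filter_chain.mutable_transport_socket()->set_name("envoy.transport_sockets.tls");` in `updateFilterChain` keeps the fixtures valid configurations either way. The two-line comment describing the fixture (`// Configure the listener with unittest{cert,key}.pem and ca_cert.pem.` / `// Configure the client with expired_san_uri_{cert,key}.pem`) is dropped rather than moved; it still applies to `configureServerAndExpiredClientCertificate` and should be restored above it, with one added sentence saying that `server_config` overrides the trusted CA, the expired-certificate allowance and the pinned certificate hash. `OptionalServerConfig` would also read better with a one-line comment per field stating that an unset value keeps the helper's default.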
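Review bot: `createProtocolTestOptions` takes `std::string protocol` by value and then copies it a second time into `stats`, and the helper carries no comment saying what it builds; `const std::string& protocol` avoids the extra copy, and a header comment such as `// Builds V2 test options for a run expected to negotiate <protocol>, with both sides reporting the ssl.versions.<protocol> stat.` states the intent (the `true` argument to `TestUtilOptionsV2` appears to mark an expected-success run, as in the other tests, but confirm against the constructor). The function is added at the end of the anonymous namespace; its callers are not in this hunk.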
@@ -885,10 +924,9 @@ TEST_P(SslSocketTest, GetCertDigestInvalidFiles) { TEST_P(SslSocketTest, GetCertDigestInline) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); // From test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem. server_cert->mutable_certificate_chain()->set_inline_bytes( @@ -900,15 +938,17 @@ TEST_P(SslSocketTest, GetCertDigestInline) { TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"))); + envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); // From test/extensions/transport_sockets/tls/test_data/ca_certificates.pem. - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context() - ->mutable_trusted_ca() - ->set_inline_bytes(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + server_validation_ctx->mutable_trusted_ca()->set_inline_bytes( + TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); + updateFilterChain(tls_context, *filter_chain); + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_ctx; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client_ctx.mutable_common_tls_context()->add_tls_certificates(); 
@@ -1515,7 +1555,7 @@ TEST_P(SslSocketTest, FailedClientCertificateDefaultExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); + configureServerAndExpiredClientCertificate(listener, client, /*server_config=*/{}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -1528,13 +1568,9 @@ TEST_P(SslSocketTest, FailedClientCertificateExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context() - ->set_allow_expired_certificate(false); + OptionalServerConfig server_config; + server_config.allow_expired_cert = false; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -1546,13 +1582,9 @@ TEST_P(SslSocketTest, ClientCertificateExpirationAllowedVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context() - ->set_allow_expired_certificate(true); + OptionalServerConfig server_config; + server_config.allow_expired_cert = true; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, true, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -1564,17 +1596,10 @@ TEST_P(SslSocketTest, FailedClientCertAllowExpiredBadHashVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); - - server_validation_ctx->set_allow_expired_certificate(true); - server_validation_ctx->add_verify_certificate_hash( - "0000000000000000000000000000000000000000000000000000000000000000"); + OptionalServerConfig server_config; + server_config.allow_expired_cert = true; + server_config.cert_hash = "0000000000000000000000000000000000000000000000000000000000000000"; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -1587,19 +1612,12 @@ TEST_P(SslSocketTest, FailedClientCertAllowServerExpiredWrongCAVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); - - server_validation_ctx->set_allow_expired_certificate(true); - - // This fake CA was not used to sign the client's certificate. - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); + OptionalServerConfig server_config; + server_config.allow_expired_cert = true; + // Fake CA is not used to sign the client's certificate. + server_config.trusted_ca = "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -1663,23 +1681,22 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) { TEST_P(SslSocketTest, ClientCertificateHashListVerification) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1701,21 +1718,20 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1858,10 +1874,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) { TEST_P(SslSocketTest, CertificatesWithPassword) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem")); @@ -1872,14 +1888,14 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1907,22 +1923,23 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1944,20 +1961,19 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1979,22 +1995,21 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, false, GetParam()); 
@@ -2009,20 +2024,19 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2038,22 +2052,21 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2075,20 +2088,19 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2110,22 +2122,21 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2146,24 +2157,23 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2185,22 +2195,21 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2222,23 +2231,22 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2254,21 +2262,20 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2284,23 +2291,22 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2322,21 +2328,20 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2358,23 +2363,22 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -3836,31 +3840,18 @@ TEST_P(SslSocketTest, SslError) { EXPECT_EQ(1UL, server_stats_store.counter("ssl.connection_error").value()); } -static TestUtilOptionsV2 createProtocolTestOptions( - const envoy::config::listener::v3::Listener& listener, - const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client_ctx, - Network::Address::IpVersion version, std::string protocol) { - std::string stats = "ssl.versions." + protocol; - TestUtilOptionsV2 options(listener, client_ctx, true, version); - options.setExpectedServerStats(stats).setExpectedClientStats(stats); - return options.setExpectedProtocolVersion(protocol); -} - TEST_P(SslSocketTest, ProtocolVersions) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_tls_params(); + tls_context.mutable_common_tls_context()->mutable_tls_params(); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = 
@@ -3870,6 +3861,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { // so enable them to avoid false positives. client_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); + updateFilterChain(tls_context, *filter_chain); // Connection using defaults (client & server) succeeds, negotiating TLSv1.2. TestUtilOptionsV2 tls_v1_2_test_options = @@ -3945,6 +3937,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3960,6 +3953,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3975,6 +3969,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); + updateFilterChain(tls_context, *filter_chain); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
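Review bot: The repeated `updateFilterChain(tls_context, *filter_chain);` calls placed before each `testUtilV2(...)` in ProtocolVersions only take effect if the `TestUtilOptionsV2` objects built earlier (`tls_v1_test_options`, `tls_v1_3_test_options`, `unsupported_protocol_test_options`) hold `listener` by reference rather than by copy; the removed `createProtocolTestOptions` helper in the 3836 hunk took `const Listener&`, which suggests they do, but the constructor is not in view, so this is worth confirming once. The `server_params->clear_tls_minimum_protocol_version()` / `clear_tls_maximum_protocol_version()` calls after each `testUtilV2` are not followed by an update, so the packed config keeps the previous values until the next set-and-update — correct as written, because every `testUtilV2` is preceded by an update, but the invariant is implicit. I'd put `// The listener holds a packed copy of tls_context; updateFilterChain() must run after the last server_params change and before each testUtilV2().` above the first of these calls. The same re-pack-before-test pattern appears in ALPN (hunks 4076–4109), CipherSuites (4151–4172) and EcdhCurves (4220–4244) and rests on the same property. ProtocolVersions starts and ends outside these hunks.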
@@ -3984,6 +3979,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); + updateFilterChain(tls_context, *filter_chain); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -3993,6 +3989,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4002,6 +3999,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + updateFilterChain(tls_context, *filter_chain); testUtilV2(error_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4011,6 +4009,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
@@ -4024,6 +4023,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -4039,6 +4039,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); 
@@ -4049,16 +4050,16 @@ TEST_P(SslSocketTest, ProtocolVersions) { TEST_P(SslSocketTest, ALPN) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = - filter_chain->mutable_hidden_envoy_deprecated_tls_context()->mutable_common_tls_context(); + tls_context.mutable_common_tls_context(); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* client_ctx = @@ -4076,6 +4077,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated. server_ctx->add_alpn_protocols("test"); + updateFilterChain(tls_context, *filter_chain); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); 
@@ -4088,6 +4090,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test" ALPN, "test" ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); + updateFilterChain(tls_context, *filter_chain); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4099,6 +4102,7 @@ TEST_P(SslSocketTest, ALPN) { client.set_allow_renegotiation(true); client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); + updateFilterChain(tls_context, *filter_chain); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4109,6 +4113,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test2" ALPN, no ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test2"); + updateFilterChain(tls_context, *filter_chain); testUtilV2(test_options); client_ctx->clear_alpn_protocols(); server_ctx->clear_alpn_protocols(); 
@@ -4122,18 +4127,15 @@ TEST_P(SslSocketTest, ALPN) { TEST_P(SslSocketTest, CipherSuites) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; + envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_tls_params(); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = 
@@ -4151,8 +4153,11 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects with one of the supported cipher suites, connection succeeds. std::string common_cipher_suite = "ECDHE-RSA-CHACHA20-POLY1305"; client_params->add_cipher_suites(common_cipher_suite); + envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = + tls_context.mutable_common_tls_context()->mutable_tls_params(); server_params->add_cipher_suites(common_cipher_suite); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); + updateFilterChain(tls_context, *filter_chain); TestUtilOptionsV2 cipher_test_options(listener, client, true, GetParam()); cipher_test_options.setExpectedCiphersuite(common_cipher_suite); std::string stats = "ssl.ciphers." + common_cipher_suite; @@ -4164,6 +4169,7 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects with unsupported cipher suite, connection fails. client_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305"); + updateFilterChain(tls_context, *filter_chain); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); @@ -4172,10 +4178,11 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects to a server offering only deprecated cipher suites, connection fails. server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); + updateFilterChain(tls_context, *filter_chain); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); server_params->clear_cipher_suites(); - + updateFilterChain(tls_context, *filter_chain); // Verify that ECDHE-RSA-CHACHA20-POLY1305 is not offered by default in FIPS builds. client_params->add_cipher_suites(common_cipher_suite); #ifdef BORINGSSL_FIPS 
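Review bot: In the 4172 hunk the blank line that separated the cipher-suite section from the FIPS check is replaced by `updateFilterChain(tls_context, *filter_chain);` (a removed empty line followed by the added call), and the EcdhCurves hunk at 4232 does the same directly in front of `TestUtilOptionsV2 error_test_options(listener, client, false, GetParam());`; the call itself is right, but the separator should stay, so add an empty line after `updateFilterChain(tls_context, *filter_chain);` in both places. Conversely the CipherSuites setup at 4122 adds a blank line immediately after `DownstreamTlsContext tls_context;`, and the 4256 and 4558 hunks add one after the `server_validation_ctx` and `server_cert` assignments, which none of the other migrated tests do; dropping those keeps the setup blocks uniform across the file. CipherSuites starts and ends outside this hunk.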
@@ -4189,18 +4196,16 @@ TEST_P(SslSocketTest, CipherSuites) { TEST_P(SslSocketTest, EcdhCurves) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_tls_params(); + tls_context.mutable_common_tls_context()->mutable_tls_params(); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = @@ -4220,6 +4225,7 @@ TEST_P(SslSocketTest, EcdhCurves) { server_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); + updateFilterChain(tls_context, *filter_chain); TestUtilOptionsV2 ecdh_curves_test_options(listener, client, true, GetParam()); std::string stats = "ssl.curves.X25519"; ecdh_curves_test_options.setExpectedServerStats(stats).setExpectedClientStats(stats); 
@@ -4232,7 +4238,7 @@ TEST_P(SslSocketTest, EcdhCurves) { client_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - + updateFilterChain(tls_context, *filter_chain); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); @@ -4244,6 +4250,7 @@ TEST_P(SslSocketTest, EcdhCurves) { // Verify that X25519 is not offered by default in FIPS builds. client_params->add_ecdh_curves("X25519"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); + updateFilterChain(tls_context, *filter_chain); #ifdef BORINGSSL_FIPS testUtilV2(error_test_options); #else 
@@ -4256,23 +4263,23 @@ TEST_P(SslSocketTest, EcdhCurves) { TEST_P(SslSocketTest, SignatureAlgorithms) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); // Server ECDSA certificate. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem")); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Client RSA certificate. 
@@ -4558,14 +4565,15 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) {
 TEST_P(SslSocketTest, GetRequestedServerName) {
 envoy::config::listener::v3::Listener listener;
 envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains();
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
- filter_chain->mutable_hidden_envoy_deprecated_tls_context()
- ->mutable_common_tls_context()
- ->add_tls_certificates();
+ tls_context.mutable_common_tls_context()->add_tls_certificates();
+
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
+ updateFilterChain(tls_context, *filter_chain);
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 client.set_sni("lyft.com");
@@ -4577,14 +4585,14 @@ TEST_P(SslSocketTest, GetRequestedServerName) {
 TEST_P(SslSocketTest, OverrideRequestedServerName) {
 envoy::config::listener::v3::Listener listener;
 envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains();
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
- filter_chain->mutable_hidden_envoy_deprecated_tls_context()
- ->mutable_common_tls_context()
- ->add_tls_certificates();
+ tls_context.mutable_common_tls_context()->add_tls_certificates();
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
+ updateFilterChain(tls_context, *filter_chain);
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 client.set_sni("lyft.com");
@@ -4600,14 +4608,14 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) {
 TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) {
 envoy::config::listener::v3::Listener listener;
 envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains();
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
- filter_chain->mutable_hidden_envoy_deprecated_tls_context()
- ->mutable_common_tls_context()
- ->add_tls_certificates();
+ tls_context.mutable_common_tls_context()->add_tls_certificates();
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
+ updateFilterChain(tls_context, *filter_chain);
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
@@ -4621,26 +4629,28 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext)
 TEST_P(SslSocketTest, OverrideApplicationProtocols) {
 envoy::config::listener::v3::Listener listener;
 envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains();
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert =
- filter_chain->mutable_hidden_envoy_deprecated_tls_context()
- ->mutable_common_tls_context()
- ->add_tls_certificates();
+ tls_context.mutable_common_tls_context()->add_tls_certificates();
+
 server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
- envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx =
- filter_chain->mutable_hidden_envoy_deprecated_tls_context()->mutable_common_tls_context();
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 TestUtilOptionsV2 test_options(listener, client, true, GetParam());
 // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated.
+ envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx =
+ tls_context.mutable_common_tls_context();
 server_ctx->add_alpn_protocols("test");
+ updateFilterChain(tls_context, *filter_chain);
 testUtilV2(test_options);
 server_ctx->clear_alpn_protocols();
 // Override client side ALPN, "test" ALPN is used.
 server_ctx->add_alpn_protocols("test");
+ updateFilterChain(tls_context, *filter_chain);
 auto transport_socket_options = std::make_shared( "", std::vector{}, std::vector{"foo", "test", "bar"});
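Review bot: Every mutation through `server_ctx` now has to be followed by its own `updateFilterChain(tls_context, *filter_chain);` before the next `testUtilV2`, because `tls_context` is a local message that the helper presumably packs into the filter chain by value, unlike the live pointer the removed `mutable_hidden_envoy_deprecated_tls_context()` accessor returned; this hunk does that for both `add_alpn_protocols("test")` calls, and the intervening `clear_alpn_protocols()` is only propagated because an add and an update follow it. The lines between this hunk and the one at -4674,6 +4684,7 are not shown, so any `server_ctx` change there that reaches `testUtilV2` without an update would exercise the previously packed ALPN list and should be checked. A one-line comment at the first update call would make that contract explicit for later edits: `// tls_context is copied into the filter chain; call updateFilterChain after every server_ctx change.` The OverrideApplicationProtocols body continues outside this hunk.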
@@ -4674,6 +4684,7 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) {
 // Note that the server prefers "test" over "bar", but since the client only configures "bar",
 // the resulting ALPN will be "bar" even though "test" is included in the fallback.
 server_ctx->add_alpn_protocols("bar");
+ updateFilterChain(tls_context, *filter_chain);
 client.mutable_common_tls_context()->add_alpn_protocols("bar");
 testUtilV2(test_options.setExpectedALPNProtocol("bar").setTransportSocketOptions(
 transport_socket_options));
diff --git a/test/server/listener_manager_impl_test.cc b/test/server/listener_manager_impl_test.cc
index 489bca559ace7..6622cbe101469 100644
--- a/test/server/listener_manager_impl_test.cc
+++ b/test/server/listener_manager_impl_test.cc
@@ -279,42 +279,6 @@ TEST_F(ListenerManagerImplWithRealFiltersTest,
 EXPECT_TRUE(filter_chain->transportSocketFactory().implementsSecureTransport());
 }
-TEST_F(ListenerManagerImplWithRealFiltersTest, DEPRECATED_FEATURE_TEST(TlsContext)) {
- const std::string yaml = TestEnvironment::substitute(R"EOF(
-address:
- socket_address:
- address: 127.0.0.1
- port_value: 1234
-filter_chains:
-- filters: []
- transport_socket:
- name: tls
- typed_config:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
- common_tls_context:
- tls_certificates:
- - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem"
- private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem"
- validation_context:
- trusted_ca:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
- match_subject_alt_names:
- exact: localhost
- exact: 127.0.0.1
- )EOF",
- Network::Address::IpVersion::v4);
-
- EXPECT_CALL(listener_factory_, createListenSocket(_, _, _, {true}));
- manager_->addOrUpdateListener(parseListenerFromV3Yaml(yaml), "", true);
- EXPECT_EQ(1U, manager_->listeners().size());
-
- auto filter_chain = findFilterChain(1234, "127.0.0.1", "", "tls", {}, "8.8.8.8", 111);
- ASSERT_NE(filter_chain, nullptr);
- EXPECT_TRUE(filter_chain->transportSocketFactory().implementsSecureTransport());
-}
-
 TEST_F(ListenerManagerImplWithRealFiltersTest, TransportSocketConnectTimeout) {
 const std::string yaml = R"EOF(
 address: