From 9eccba2be4a1fcdd7f777d8c160e8d98bcd5bc54 Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Sat, 26 Jun 2021 15:28:31 +0000 Subject: [PATCH 01/11] remove tls context Signed-off-by: Tianyu Xia --- .bazelrc | 14 + source/common/upstream/upstream_impl.cc | 6 - .../clusters/dynamic_forward_proxy/cluster.cc | 13 - source/server/listener_manager_impl.cc | 6 - test/config/utility.cc | 23 +- test/config/utility.h | 3 +- .../dynamic_forward_proxy/cluster_test.cc | 50 -- .../transport_sockets/tls/ssl_socket_test.cc | 433 ++++++++++-------- test/server/listener_manager_impl_test.cc | 36 -- 9 files changed, 248 insertions(+), 336 deletions(-) diff --git a/.bazelrc b/.bazelrc index 225246fbea40f..636912b795476 100644 --- a/.bazelrc +++ b/.bazelrc @@ -16,6 +16,7 @@ build --host_force_python=PY3 build --host_javabase=@bazel_tools//tools/jdk:remote_jdk11 build --javabase=@bazel_tools//tools/jdk:remote_jdk11 build --enable_platform_specific_config +build --extra_toolchains=@rules_python//python:autodetecting_toolchain_nonstrict # Enable position independent code (this is the default on macOS and Windows) # (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421) @@ -380,6 +381,19 @@ build:windows --features=fully_static_link build:windows --features=static_link_msvcrt build:windows --dynamic_mode=off +build --google_credentials=/usr/local/google/home/tyxia/.config/gcloud/application_default_credentials.json + +# GCP remote cache +build --remote_instance_name=projects/envoy-rbe/instances/default_instance +build --remote_cache=grpcs://remotebuildexecution.googleapis.com + +# GCP remote execution +build:remote --remote_executor=grpcs://remotebuildexecution.googleapis.com +build:remote --jobs=200 +build:remote --config=rbe-toolchain-clang-libc++ +build:remote --config=remote-ci +build:remote --remote_download_outputs=minimal + try-import %workspace%/clang.bazelrc try-import %workspace%/user.bazelrc try-import %workspace%/local_tsan.bazelrc 
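Review bot: The second hunk commits a developer-specific credential path (`build --google_credentials=/usr/local/google/home/tyxia/.config/gcloud/application_default_credentials.json`) together with unconditional `--remote_cache`/`--remote_instance_name` settings into the shared `.bazelrc`, so every contributor's default build would try to authenticate against the envoy-rbe remote cache with a file that exists only on the author's machine. These lines belong in the `user.bazelrc` that this file already `try-import`s at the bottom, not in checked-in configuration. If a shared remote-cache default is intended, keep it behind a named `--config=` so it is opt-in, and never reference a home-directory credential file. The `--extra_toolchains` line in the first hunk is also unrelated to the "remove tls context" subject and looks like a local-environment leftover.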
diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc
index d710972e00311..e9508f3bd1b25 100644
--- a/source/common/upstream/upstream_impl.cc
+++ b/source/common/upstream/upstream_impl.cc
@@ -894,13 +894,7 @@ Network::TransportSocketFactoryPtr createTransportSocketFactory(
 // if necessary.
 auto transport_socket = config.transport_socket();
 if (!config.has_transport_socket()) {
- if (config.has_hidden_envoy_deprecated_tls_context()) {
- transport_socket.set_name("envoy.transport_sockets.tls");
- transport_socket.mutable_typed_config()->PackFrom(
- config.hidden_envoy_deprecated_tls_context());
- } else {
 transport_socket.set_name("envoy.transport_sockets.raw_buffer");
- }
 }
 
 auto& config_factory = Config::Utility::getAndCheckFactory<
diff --git a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
index 335bb2a8c9a86..fc543eb3edcff 100644
--- a/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
+++ b/source/extensions/clusters/dynamic_forward_proxy/cluster.cc
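Review bot: With the `has_hidden_envoy_deprecated_tls_context()` branch removed, a cluster config that still populates the deprecated `tls_context` field now falls through to `envoy.transport_sockets.raw_buffer`, so an upstream that was TLS becomes plaintext without any error; the diffstat lists no .proto change, so the field can presumably still be set at this commit. Until the field is gone from the proto or rejected by validation, the `if (!config.has_transport_socket())` block should fail loudly instead of downgrading, e.g. `if (config.has_hidden_envoy_deprecated_tls_context()) { throw EnvoyException("tls_context is no longer supported; configure transport_socket instead"); }`. The same silent downgrade is introduced by the `listener_manager_impl.cc` hunk for filter chains (`filter_chain.has_hidden_envoy_deprecated_tls_context()`), where inbound TLS listeners would silently accept plaintext. In both hunks the surviving `transport_socket.set_name("envoy.transport_sockets.raw_buffer");` still carries its old `else`-branch indentation and should move out one level. `createTransportSocketFactory` continues outside the hunk.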
@@ -25,19 +25,6 @@ Cluster::Cluster( dns_cache_manager_(cache_manager_factory.get()), dns_cache_(dns_cache_manager_->getCache(config.dns_cache_config())), update_callbacks_handle_(dns_cache_->addUpdateCallbacks(*this)), local_info_(local_info) { - // Block certain TLS context parameters that don't make sense on a cluster-wide scale. We will - // support these parameters dynamically in the future. This is not an exhaustive list of - // parameters that don't make sense but should be the most obvious ones that a user might set - // in error. - if (!cluster.hidden_envoy_deprecated_tls_context().sni().empty() || - !cluster.hidden_envoy_deprecated_tls_context() - .common_tls_context() - .validation_context() - .hidden_envoy_deprecated_verify_subject_alt_name() - .empty()) { - throw EnvoyException( - "dynamic_forward_proxy cluster cannot configure 'sni' or 'verify_subject_alt_name'"); - } } void Cluster::startPreInit() { diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index ca25b2ad23b18..ea88a3a4e6770 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc @@ -940,13 +940,7 @@ Network::DrainableFilterChainSharedPtr ListenerFilterChainFactoryBuilder::buildF // We copy by value first then override if necessary. auto transport_socket = filter_chain.transport_socket(); if (!filter_chain.has_transport_socket()) { - if (filter_chain.has_hidden_envoy_deprecated_tls_context()) { - transport_socket.set_name("envoy.transport_sockets.tls"); - transport_socket.mutable_typed_config()->PackFrom( - filter_chain.hidden_envoy_deprecated_tls_context()); - } else { transport_socket.set_name("envoy.transport_sockets.raw_buffer"); - } } auto& config_factory = Config::Utility::getAndCheckFactory< diff --git a/test/config/utility.cc b/test/config/utility.cc index 10ad584efcbc3..aebab5cb88c50 100644 --- a/test/config/utility.cc +++ b/test/config/utility.cc 
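Review bot: The guard against cluster-wide `sni` and `verify_subject_alt_name` is deleted outright rather than ported to the `transport_socket` typed config, leaving the constructor body empty, and nothing visible in this hunk rejects those settings for a dynamic_forward_proxy cluster. If an equivalent check already exists on the transport-socket path it is not visible here; otherwise the reasoning in the deleted comment (these parameters make no sense at cluster scope and are easy to set in error) still holds and the constructor should at least carry `// NOTE: the sni/verify_subject_alt_name guard for the deprecated tls_context was removed here; TODO re-add it for the transport_socket TLS config.`. The matching `InvalidSNI` and `InvalidVerifySubjectAltName` tests are deleted in `cluster_test.cc` without a replacement that exercises the transport_socket form.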
@@ -807,14 +807,8 @@ void ConfigHelper::finalize(const std::vector& ports) { for (int j = 0; j < listener->filter_chains_size(); ++j) { if (tap_path) { auto* filter_chain = listener->mutable_filter_chains(j); - const bool has_tls = filter_chain->has_hidden_envoy_deprecated_tls_context(); - const Protobuf::Message* tls_config = nullptr; - if (has_tls) { - tls_config = &filter_chain->hidden_envoy_deprecated_tls_context(); - filter_chain->clear_hidden_envoy_deprecated_tls_context(); - } setTapTransportSocket(tap_path.value(), fmt::format("listener_{}_{}", i, j), - *filter_chain->mutable_transport_socket(), tls_config); + *filter_chain->mutable_transport_socket()); } } } @@ -849,14 +843,8 @@ void ConfigHelper::finalize(const std::vector& ports) { } if (tap_path) { - const bool has_tls = cluster->has_hidden_envoy_deprecated_tls_context(); - const Protobuf::Message* tls_config = nullptr; - if (has_tls) { - tls_config = &cluster->hidden_envoy_deprecated_tls_context(); - cluster->clear_hidden_envoy_deprecated_tls_context(); - } setTapTransportSocket(tap_path.value(), absl::StrCat("cluster_", i), - *cluster->mutable_transport_socket(), tls_config); + *cluster->mutable_transport_socket()); } } ASSERT(skip_port_usage_validation_ || port_idx == ports.size() || eds_hosts || 
@@ -877,16 +865,11 @@ void ConfigHelper::finalize(const std::vector& ports) { } void ConfigHelper::setTapTransportSocket(const std::string& tap_path, const std::string& type, - envoy::config::core::v3::TransportSocket& transport_socket, - const Protobuf::Message* tls_config) { + envoy::config::core::v3::TransportSocket& transport_socket) { // Determine inner transport socket. envoy::config::core::v3::TransportSocket inner_transport_socket; if (!transport_socket.name().empty()) { - RELEASE_ASSERT(!tls_config, ""); inner_transport_socket.MergeFrom(transport_socket); - } else if (tls_config) { - inner_transport_socket.set_name("envoy.transport_sockets.tls"); - inner_transport_socket.mutable_typed_config()->PackFrom(*tls_config); } else { inner_transport_socket.set_name("envoy.transport_sockets.raw_buffer"); } diff --git a/test/config/utility.h b/test/config/utility.h index 17d634eb1cafb..1c764f11ee21e 100644 --- a/test/config/utility.h +++ b/test/config/utility.h @@ -374,8 +374,7 @@ class ConfigHelper { // Configure a tap transport socket for a cluster/filter chain. void setTapTransportSocket(const std::string& tap_path, const std::string& type, - envoy::config::core::v3::TransportSocket& transport_socket, - const Protobuf::Message* tls_config); + envoy::config::core::v3::TransportSocket& transport_socket); // The bootstrap proto Envoy will start up with. envoy::config::bootstrap::v3::Bootstrap bootstrap_; diff --git a/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc b/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc index 0544523a3be1f..595be9f596d86 100644 --- a/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc +++ b/test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc 
@@ -234,56 +234,6 @@ class ClusterFactoryTest : public testing::Test { Server::MockOptions options_; }; -// Verify that using 'sni' causes a failure. -TEST_F(ClusterFactoryTest, DEPRECATED_FEATURE_TEST(InvalidSNI)) { - TestDeprecatedV2Api _deprecated_v2_api; - const std::string yaml_config = TestEnvironment::substitute(R"EOF( -name: name -connect_timeout: 0.25s -cluster_type: - name: dynamic_forward_proxy - typed_config: - "@type": type.googleapis.com/envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig - dns_cache_config: - name: foo -tls_context: - sni: api.lyft.com - common_tls_context: - validation_context: - trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" -)EOF"); - - EXPECT_THROW_WITH_MESSAGE( - createCluster(yaml_config, false), EnvoyException, - "dynamic_forward_proxy cluster cannot configure 'sni' or 'verify_subject_alt_name'"); -} - -// Verify that using 'verify_subject_alt_name' causes a failure. -TEST_F(ClusterFactoryTest, DEPRECATED_FEATURE_TEST(InvalidVerifySubjectAltName)) { - TestDeprecatedV2Api _deprecated_v2_api; - const std::string yaml_config = TestEnvironment::substitute(R"EOF( -name: name -connect_timeout: 0.25s -cluster_type: - name: dynamic_forward_proxy - typed_config: - "@type": type.googleapis.com/envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig - dns_cache_config: - name: foo -tls_context: - common_tls_context: - validation_context: - trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" - verify_subject_alt_name: [api.lyft.com] -)EOF"); - - EXPECT_THROW_WITH_MESSAGE( - createCluster(yaml_config, false), EnvoyException, - "dynamic_forward_proxy cluster cannot configure 'sni' or 'verify_subject_alt_name'"); -} - TEST_F(ClusterFactoryTest, InvalidUpstreamHttpProtocolOptions) { const std::string yaml_config = TestEnvironment::substitute(R"EOF( name: name 
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 432216c5daa09..affdac7f10caa 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -49,6 +49,7 @@ #include "test/test_common/utility.h" #include "absl/strings/str_replace.h" +#include "absl/types/optional.h" #include "gmock/gmock.h" #include "gtest/gtest.h" #include "openssl/ssl.h" @@ -617,8 +618,14 @@ void testUtilV2(const TestUtilOptionsV2& options) { server_factory_context; ON_CALL(server_factory_context, api()).WillByDefault(ReturnRef(*server_api)); - auto server_cfg = std::make_unique( - filter_chain.hidden_envoy_deprecated_tls_context(), server_factory_context); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; + const envoy::config::core::v3::TransportSocket& transport_socket = filter_chain.transport_socket(); + if (transport_socket.has_typed_config()) { + transport_socket.typed_config().UnpackTo(&tls_context); + } + + auto server_cfg = std::make_unique(tls_context, server_factory_context); + ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager, server_stats_store, server_names); 
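Review bot: `transport_socket.typed_config().UnpackTo(&tls_context);` discards the return value, so an Any carrying a different message type or a malformed payload leaves `tls_context` default-constructed and the server runs with no certificates and no validation context, which lets a negative test pass for the wrong reason. Check the result, `ASSERT_TRUE(transport_socket.typed_config().UnpackTo(&tls_context));`, and consider failing when `has_typed_config()` is false as well, since every server-side test in this patch is expected to pack a DownstreamTlsContext. The tests only ever set `typed_config` and never `set_name("envoy.transport_sockets.tls")`, which is fine for this direct unpack but worth a comment so nobody later routes the config through the real factory lookup by name. `testUtilV2` starts before and continues past this hunk.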
@@ -778,27 +785,86 @@ void testUtilV2(const TestUtilOptionsV2& options) { EXPECT_NE("", server_connection->transportFailureReason()); } } +enum class SpecifierCase { + kFilename = 1, + kInlineBytes = 2, + // kInlineString = 3, +}; + +template +void configureServerCertificate(envoy::config::listener::v3::FilterChain* filter_chain, + const std::string& cert_chain, + const std::string& private_key, + const std::string& trusted_ca, + const std::string& cert_hash_1, + const std::string& cert_hash_2, + const std::string& cert_spki) { + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; + envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = + tls_context.mutable_common_tls_context()->add_tls_certificates(); + envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + + switch (specifier_case) { + case SpecifierCase::kFilename: + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(cert_chain)); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(private_key)); + server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute(trusted_ca)); + break; + case SpecifierCase::kInlineBytes: + server_cert->mutable_certificate_chain()->set_inline_bytes( + TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_chain))); + server_cert->mutable_private_key()->set_inline_bytes( + TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(private_key))); + server_validation_ctx->mutable_trusted_ca()->set_inline_bytes(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(trusted_ca))); + break; + default: + break; + } + server_validation_ctx->add_verify_certificate_hash(cert_hash_1); + server_validation_ctx->add_verify_certificate_hash(cert_hash_2); + 
server_validation_ctx->add_verify_certificate_spki(cert_spki); + + + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); +} + +struct OptionalServerConfig { + absl::optional allow_expired_certificate = {}; + absl::optional cert_hash = {}; + absl::optional trusted_ca = {}; +}; -// Configure the listener with unittest{cert,key}.pem and ca_cert.pem. -// Configure the client with expired_san_uri_{cert,key}.pem void configureServerAndExpiredClientCertificate( envoy::config::listener::v3::Listener& listener, - envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client) { + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client, const OptionalServerConfig& server_config = {}) { + envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); + envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + + if (server_config.trusted_ca.has_value()) { + 
server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( + server_config.trusted_ca.value())); + } else { + server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + } + if (server_config.allow_expired_certificate.has_value()) { + server_validation_ctx->set_allow_expired_certificate(server_config.allow_expired_certificate.value()); + } + if (server_config.cert_hash.has_value()) { + server_validation_ctx->add_verify_certificate_hash(server_config.cert_hash.value()); + } + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); @@ -885,10 +951,9 @@ TEST_P(SslSocketTest, GetCertDigestInvalidFiles) { TEST_P(SslSocketTest, GetCertDigestInline) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); // From test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem. server_cert->mutable_certificate_chain()->set_inline_bytes( 
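Review bot: In `configureServerCertificate` the `default: break;` arm of the `switch` silently leaves the certificate chain, private key and trusted CA unset, so adding the commented-out `kInlineString` enumerator would yield a server with no credentials instead of a compile error; because `specifier_case` is a template parameter, drop the `default` arm so `-Wswitch` reports a missing case, or dispatch with `if constexpr` and a `static_assert` in the final branch. Nothing in the visible hunks calls this helper, so it may be dead code at this commit. The doc comment the hunk removes from `configureServerAndExpiredClientCertificate` ("Configure the listener with unittest{cert,key}.pem and ca_cert.pem. Configure the client with expired_san_uri_{cert,key}.pem") should be restored and extended to say that `server_config` can override the trusted CA path, set `allow_expired_certificate`, and append one `verify_certificate_hash`; `OptionalServerConfig` itself wants a one-line comment per field. The `set_inline_bytes(TestEnvironment::readFileToStringForTest(...))` line for the trusted CA and the new `configureServerAndExpiredClientCertificate` signature look longer than the project's clang-format width, and there is a stray double blank line before the `PackFrom` call; `configureServerAndExpiredClientCertificate` continues past the hunk.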
@@ -900,15 +965,16 @@ TEST_P(SslSocketTest, GetCertDigestInline) { TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"))); + envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); // From test/extensions/transport_sockets/tls/test_data/ca_certificates.pem. - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context() - ->mutable_trusted_ca() + server_validation_ctx->mutable_trusted_ca() ->set_inline_bytes(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_ctx; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client_ctx.mutable_common_tls_context()->add_tls_certificates(); @@ -1528,13 +1594,7 @@ TEST_P(SslSocketTest, FailedClientCertificateExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context() - ->set_allow_expired_certificate(false); + configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = false}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
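Review bot: `OptionalServerConfig {.allow_expired_certificate = false}` uses designated initializers, which are a C++20 feature; if this target still builds as C++17 (worth confirming), clang accepts them only as an extension and may warn (`-Wc++20-designator`), which becomes a hard failure under `-Werror`. The same construct appears in the `ClientCertificateExpirationAllowedVerification`, `FailedClientCertAllowExpiredBadHashVerification` and `FailedClientCertAllowServerExpiredWrongCAVerification` hunks, and all four call lines exceed the clang-format column width. A portable form is to build the struct first: `OptionalServerConfig server_config;` `server_config.allow_expired_certificate = false;` `configureServerAndExpiredClientCertificate(listener, client, server_config);`.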
@@ -1546,13 +1606,7 @@ TEST_P(SslSocketTest, ClientCertificateExpirationAllowedVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context() - ->set_allow_expired_certificate(true); + configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = true}); TestUtilOptionsV2 test_options(listener, client, true, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -1564,17 +1618,7 @@ TEST_P(SslSocketTest, FailedClientCertAllowExpiredBadHashVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); - - server_validation_ctx->set_allow_expired_certificate(true); - server_validation_ctx->add_verify_certificate_hash( - "0000000000000000000000000000000000000000000000000000000000000000"); + configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = true, .cert_hash = "0000000000000000000000000000000000000000000000000000000000000000"}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -1587,19 +1631,8 @@ TEST_P(SslSocketTest, FailedClientCertAllowServerExpiredWrongCAVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); - - envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = listener.mutable_filter_chains(0) - ->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); - - server_validation_ctx->set_allow_expired_certificate(true); - - // This fake CA was not used to sign the client's certificate. - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); + // Fake CA is not used to sign the client's certificate. + configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = true, .trusted_ca = "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -1663,23 +1696,21 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) { TEST_P(SslSocketTest, ClientCertificateHashListVerification) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1701,21 +1732,19 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1858,10 +1887,10 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) { TEST_P(SslSocketTest, CertificatesWithPassword) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/password_protected_cert.pem")); @@ -1872,14 +1901,13 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1907,22 +1935,22 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1944,20 +1972,18 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1979,22 +2005,20 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, false, GetParam()); 
@@ -2009,20 +2033,18 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2038,22 +2060,20 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2075,20 +2095,18 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2110,22 +2128,20 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2146,24 +2162,22 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2185,22 +2199,20 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2222,23 +2234,21 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2254,21 +2264,19 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2284,23 +2292,21 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2322,21 +2328,19 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongClientCertificate) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2358,23 +2362,21 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -3849,18 +3851,15 @@ static TestUtilOptionsV2 createProtocolTestOptions( TEST_P(SslSocketTest, ProtocolVersions) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_tls_params(); + tls_context.mutable_common_tls_context()->mutable_tls_params(); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = @@ -3870,6 +3869,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { // so enable them to avoid false positives. client_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); // Connection using defaults (client & server) succeeds, negotiating TLSv1.2. TestUtilOptionsV2 tls_v1_2_test_options = 
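Review bot: With `server_params` now pointing into the local `tls_context` rather than into the listener, every mutation of it is invisible to the test until the context is packed again, so the correctness of ProtocolVersions now depends on a PackFrom preceding every `testUtilV2` call in this function; the second hunk here adds the first such pack after the cipher suite is set. Rather than repeating that line at each of the many call sites, I would define `auto repack = [&] { filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); };` next to the `tls_context` declaration and call it immediately before each `testUtilV2`, which also covers cases that only clear server parameters. The function body continues past both hunks.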
@@ -3945,6 +3945,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3960,6 +3961,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3975,6 +3977,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -3984,6 +3987,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
@@ -3993,6 +3997,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4002,6 +4007,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(error_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4011,6 +4017,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4024,6 +4031,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); 
@@ -4039,6 +4047,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -4049,16 +4058,16 @@ TEST_P(SslSocketTest, ProtocolVersions) { TEST_P(SslSocketTest, ALPN) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = - filter_chain->mutable_hidden_envoy_deprecated_tls_context()->mutable_common_tls_context(); + envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* + server_ctx = tls_context.mutable_common_tls_context(); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* client_ctx = 
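Review bot: The line break in `CommonTlsContext*` followed by `server_ctx = tls_context.mutable_common_tls_context();` in the ALPN hunk is not clang-format output; keeping the type and the name on one line is what the project's format check expects. The PackFrom that follows snapshots the context before any ALPN is configured, which is only correct because each later case re-packs after `add_alpn_protocols`; a comment such as `// PackFrom() copies; re-pack after every server-side change.` at the `tls_context` declaration would make that contract visible to the next editor. The ALPN test body continues beyond this hunk.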
@@ -4076,6 +4085,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated. server_ctx->add_alpn_protocols("test"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); @@ -4088,6 +4098,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test" ALPN, "test" ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4099,6 +4110,7 @@ TEST_P(SslSocketTest, ALPN) { client.set_allow_renegotiation(true); client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4109,6 +4121,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test2" ALPN, no ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test2"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(test_options); client_ctx->clear_alpn_protocols(); server_ctx->clear_alpn_protocols(); 
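Review bot: Each hunk here re-packs after `server_ctx->add_alpn_protocols(...)` but none re-packs after `server_ctx->clear_alpn_protocols()`, so the packed Any still advertises "test" once the server side has supposedly been cleared. Any case in the gaps between these hunks that expects the server to have no ALPN (those lines are not visible here) would presumably run against the stale snapshot. I would add `filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context);` after each `clear_alpn_protocols()`, or pack once immediately before every `testUtilV2` call instead.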
@@ -4122,18 +4135,21 @@ TEST_P(SslSocketTest, ALPN) { TEST_P(SslSocketTest, CipherSuites) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; + // TODO(tyxia) Pointer like solution + // auto* tls_context_ptr = filter_chain->mutable_transport_socket()->mutable_typed_config(); + // // ASSERT_TRUE(tls_context_ptr->Is()); + // auto tls_context = + // MessageUtil::anyConvert( + // *tls_context_ptr); + envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_tls_params(); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = 
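Review bot: The commented-out `// TODO(tyxia) Pointer like solution` block, with four lines of dead code beneath it, is scratch work and should be removed before this lands; if an unpack-based approach is still planned, a one-line TODO without the code is enough. The PackFrom added at the end of this hunk also snapshots a context that has no `tls_params` yet, which is only correct if every later cipher-suite change is re-packed before it is used. CipherSuites continues past this hunk.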
@@ -4151,8 +4167,12 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects with one of the supported cipher suites, connection succeeds. std::string common_cipher_suite = "ECDHE-RSA-CHACHA20-POLY1305"; client_params->add_cipher_suites(common_cipher_suite); + envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = + tls_context.mutable_common_tls_context() + ->mutable_tls_params(); server_params->add_cipher_suites(common_cipher_suite); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); + //filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); TestUtilOptionsV2 cipher_test_options(listener, client, true, GetParam()); cipher_test_options.setExpectedCiphersuite(common_cipher_suite); std::string stats = "ssl.ciphers." + common_cipher_suite; @@ -4164,6 +4184,7 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects with unsupported cipher suite, connection fails. client_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); 
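Review bot: The commented-out PackFrom after `server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256")` means `cipher_test_options` is built while the packed server config still has no cipher list (the only earlier pack predates `server_params`), so the first case exercises the server's default cipher list rather than the two configured suites. On a FIPS build, where the test itself later notes that ECDHE-RSA-CHACHA20-POLY1305 is not offered by default, that case would presumably fail. Uncomment the line: `filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context);`. The second hunk on this line does pack before constructing `error_test_options`, so the two cases are currently inconsistent.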
@@ -4172,10 +4193,11 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects to a server offering only deprecated cipher suites, connection fails. server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); server_params->clear_cipher_suites(); - + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); // Verify that ECDHE-RSA-CHACHA20-POLY1305 is not offered by default in FIPS builds. client_params->add_cipher_suites(common_cipher_suite); #ifdef BORINGSSL_FIPS 
@@ -4189,18 +4211,17 @@ TEST_P(SslSocketTest, CipherSuites) { TEST_P(SslSocketTest, EcdhCurves) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() + tls_context.mutable_common_tls_context() ->mutable_tls_params(); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = @@ -4220,6 +4241,7 @@ TEST_P(SslSocketTest, EcdhCurves) { server_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); TestUtilOptionsV2 ecdh_curves_test_options(listener, client, true, GetParam()); std::string stats = "ssl.curves.X25519"; ecdh_curves_test_options.setExpectedServerStats(stats).setExpectedClientStats(stats); 
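Review bot: The `PackFrom(tls_context)` inserted directly after `mutable_tls_params()` packs an empty `TlsParameters` and is superseded by the re-pack added before the first `testUtilV2` in the next hunk, so it only adds noise; drop it, or keep it and add the comment that explains the pattern, `// Any::PackFrom() snapshots tls_context; re-pack after each mutation below.` Keeping the pack call adjacent to the `testUtilV2` call it feeds lets a reader confirm the test really runs with the curves configured above it. The EcdhCurves body continues past this hunk.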
@@ -4232,7 +4254,7 @@ TEST_P(SslSocketTest, EcdhCurves) { client_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); @@ -4244,6 +4266,7 @@ TEST_P(SslSocketTest, EcdhCurves) { // Verify that X25519 is not offered by default in FIPS builds. client_params->add_ecdh_curves("X25519"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); #ifdef BORINGSSL_FIPS testUtilV2(error_test_options); #else 
@@ -4256,23 +4279,22 @@ TEST_P(SslSocketTest, EcdhCurves) { TEST_P(SslSocketTest, SignatureAlgorithms) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->mutable_validation_context(); + server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); // Server ECDSA certificate. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem")); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Client RSA certificate. 
@@ -4558,14 +4580,15 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { TEST_P(SslSocketTest, GetRequestedServerName) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); 
@@ -4577,14 +4600,14 @@ TEST_P(SslSocketTest, GetRequestedServerName) { TEST_P(SslSocketTest, OverrideRequestedServerName) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); 
@@ -4600,14 +4623,14 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) { TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -4621,26 +4644,29 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) TEST_P(SslSocketTest, OverrideApplicationProtocols) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - filter_chain->mutable_hidden_envoy_deprecated_tls_context() - ->mutable_common_tls_context() - ->add_tls_certificates(); + tls_context.mutable_common_tls_context()->add_tls_certificates(); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = - filter_chain->mutable_hidden_envoy_deprecated_tls_context()->mutable_common_tls_context(); + tls_context.mutable_common_tls_context(); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, true, GetParam()); // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated. server_ctx->add_alpn_protocols("test"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); // Override client side ALPN, "test" ALPN is used. server_ctx->add_alpn_protocols("test"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); auto transport_socket_options = std::make_shared( "", std::vector{}, std::vector{"foo", "test", "bar"}); 
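Review bot: `TestUtilOptionsV2 test_options(listener, client, true, GetParam());` is constructed before the `PackFrom(tls_context)` calls that actually install the ALPN lists, so this test is only correct if `TestUtilOptionsV2` holds `listener` by reference rather than copying it; the pre-change code also mutated the listener after constructing `test_options`, so that is presumably the case, but a comment on that line, `// test_options references listener; the server context is re-packed before each testUtilV2() below.`, would make the dependency explicit. The first `PackFrom` right after `server_ctx` is obtained packs a context with no ALPN entries and is immediately overwritten by the one after `add_alpn_protocols("test")`, so it can go. The function continues past this hunk.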
@@ -4674,6 +4700,7 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) { // Note that the server prefers "test" over "bar", but since the client only configures "bar", // the resulting ALPN will be "bar" even though "test" is included in the fallback. server_ctx->add_alpn_protocols("bar"); + filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); client.mutable_common_tls_context()->add_alpn_protocols("bar"); testUtilV2(test_options.setExpectedALPNProtocol("bar").setTransportSocketOptions( transport_socket_options)); diff --git a/test/server/listener_manager_impl_test.cc b/test/server/listener_manager_impl_test.cc index e8fc4bb106168..eefb7406a6501 100644 --- a/test/server/listener_manager_impl_test.cc +++ b/test/server/listener_manager_impl_test.cc 
@@ -279,42 +279,6 @@ TEST_F(ListenerManagerImplWithRealFiltersTest, EXPECT_TRUE(filter_chain->transportSocketFactory().implementsSecureTransport()); } -TEST_F(ListenerManagerImplWithRealFiltersTest, DEPRECATED_FEATURE_TEST(TlsContext)) { - const std::string yaml = TestEnvironment::substitute(R"EOF( -address: - socket_address: - address: 127.0.0.1 - port_value: 1234 -filter_chains: -- filters: [] - transport_socket: - name: tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - tls_certificates: - - certificate_chain: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem" - private_key: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_key.pem" - validation_context: - trusted_ca: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" - match_subject_alt_names: - exact: localhost - exact: 127.0.0.1 - )EOF", - Network::Address::IpVersion::v4); - - EXPECT_CALL(listener_factory_, createListenSocket(_, _, _, {true})); - manager_->addOrUpdateListener(parseListenerFromV3Yaml(yaml), "", true); - EXPECT_EQ(1U, manager_->listeners().size()); - - auto filter_chain = findFilterChain(1234, "127.0.0.1", "", "tls", {}, "8.8.8.8", 111); - ASSERT_NE(filter_chain, nullptr); - EXPECT_TRUE(filter_chain->transportSocketFactory().implementsSecureTransport()); -} - TEST_F(ListenerManagerImplWithRealFiltersTest, TransportSocketConnectTimeout) { const std::string yaml = R"EOF( address: From 1951d599efe8e965b5cd97a6fc8f5053ced56699 Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Sun, 27 Jun 2021 02:11:28 +0000 Subject: [PATCH 02/11] Deprecate tls_context in listener and cluster in favor of transport socket 
Signed-off-by: Tianyu Xia --- .bazelrc | 14 - source/common/upstream/upstream_impl.cc | 2 +- source/server/listener_manager_impl.cc | 2 +- test/config/utility.cc | 5 +- .../transport_sockets/tls/ssl_socket_test.cc | 289 +++++++++--------- 5 files changed, 156 insertions(+), 156 deletions(-) diff --git a/.bazelrc b/.bazelrc index 2fe7de34bef19..7d5c4ce1e86bf 100644 --- a/.bazelrc +++ b/.bazelrc @@ -19,7 +19,6 @@ build --host_force_python=PY3 build --host_javabase=@bazel_tools//tools/jdk:remote_jdk11 build --javabase=@bazel_tools//tools/jdk:remote_jdk11 build --enable_platform_specific_config -build --extra_toolchains=@rules_python//python:autodetecting_toolchain_nonstrict # Enable position independent code (this is the default on macOS and Windows) # (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421) @@ -384,19 +383,6 @@ build:windows --features=fully_static_link build:windows --features=static_link_msvcrt build:windows --dynamic_mode=off -build --google_credentials=/usr/local/google/home/tyxia/.config/gcloud/application_default_credentials.json - -# GCP remote cache -build --remote_instance_name=projects/envoy-rbe/instances/default_instance -build --remote_cache=grpcs://remotebuildexecution.googleapis.com - -# GCP remote execution -build:remote --remote_executor=grpcs://remotebuildexecution.googleapis.com -build:remote --jobs=200 -build:remote --config=rbe-toolchain-clang-libc++ -build:remote --config=remote-ci -build:remote --remote_download_outputs=minimal - try-import %workspace%/clang.bazelrc try-import %workspace%/user.bazelrc try-import %workspace%/local_tsan.bazelrc diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index 353ab28affc9e..4c8ffad7f07a7 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc 
@@ -894,7 +894,7 @@ Network::TransportSocketFactoryPtr createTransportSocketFactory( // if necessary. auto transport_socket = config.transport_socket(); if (!config.has_transport_socket()) { - transport_socket.set_name("envoy.transport_sockets.raw_buffer"); + transport_socket.set_name("envoy.transport_sockets.raw_buffer"); } auto& config_factory = Config::Utility::getAndCheckFactory< diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc index ea88a3a4e6770..ab5754409dae1 100644 --- a/source/server/listener_manager_impl.cc +++ b/source/server/listener_manager_impl.cc @@ -940,7 +940,7 @@ Network::DrainableFilterChainSharedPtr ListenerFilterChainFactoryBuilder::buildF // We copy by value first then override if necessary. auto transport_socket = filter_chain.transport_socket(); if (!filter_chain.has_transport_socket()) { - transport_socket.set_name("envoy.transport_sockets.raw_buffer"); + transport_socket.set_name("envoy.transport_sockets.raw_buffer"); } auto& config_factory = Config::Utility::getAndCheckFactory< diff --git a/test/config/utility.cc b/test/config/utility.cc index aebab5cb88c50..820f2c60d82a8 100644 --- a/test/config/utility.cc +++ b/test/config/utility.cc @@ -864,8 +864,9 @@ void ConfigHelper::finalize(const std::vector& ports) { finalized_ = true; } -void ConfigHelper::setTapTransportSocket(const std::string& tap_path, const std::string& type, - envoy::config::core::v3::TransportSocket& transport_socket) { +void ConfigHelper::setTapTransportSocket( + const std::string& tap_path, const std::string& type, + envoy::config::core::v3::TransportSocket& transport_socket) { // Determine inner transport socket. envoy::config::core::v3::TransportSocket inner_transport_socket; if (!transport_socket.name().empty()) { diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 4702543e225e3..a9927dff8ee30 100644 
--- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -619,10 +619,10 @@ void testUtilV2(const TestUtilOptionsV2& options) { ON_CALL(server_factory_context, api()).WillByDefault(ReturnRef(*server_api)); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; - const envoy::config::core::v3::TransportSocket& transport_socket = filter_chain.transport_socket(); - if (transport_socket.has_typed_config()) { - transport_socket.typed_config().UnpackTo(&tls_context); - } + const envoy::config::core::v3::TransportSocket& transport_socket = + filter_chain.transport_socket(); + ASSERT(transport_socket.has_typed_config()); + transport_socket.typed_config().UnpackTo(&tls_context); auto server_cfg = std::make_unique(tls_context, server_factory_context); 
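Review bot: `transport_socket.typed_config().UnpackTo(&tls_context);` ignores the return value, so an `Any` holding a different message type (or an empty one) leaves `tls_context` default-constructed and the server side silently runs with no certificate and no validation context; for the negative tests in this file that would make an expected failure pass for the wrong reason. Since `testUtilV2` returns `void` (visible in the hunk header), gtest's fatal assertions can be used, and unlike Envoy's `ASSERT` macro they are, as I read it, not compiled out in optimized test builds: `ASSERT_TRUE(transport_socket.has_typed_config());` and `ASSERT_TRUE(transport_socket.typed_config().UnpackTo(&tls_context));`.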
@@ -785,59 +785,23 @@ void testUtilV2(const TestUtilOptionsV2& options) { EXPECT_NE("", server_connection->transportFailureReason()); } } -enum class SpecifierCase { - kFilename = 1, - kInlineBytes = 2, - // kInlineString = 3, -}; - -template -void configureServerCertificate(envoy::config::listener::v3::FilterChain* filter_chain, - const std::string& cert_chain, - const std::string& private_key, - const std::string& trusted_ca, - const std::string& cert_hash_1, - const std::string& cert_hash_2, - const std::string& cert_spki) { - envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; - envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = - tls_context.mutable_common_tls_context()->add_tls_certificates(); - envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - - switch (specifier_case) { - case SpecifierCase::kFilename: - server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(cert_chain)); - server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(private_key)); - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute(trusted_ca)); - break; - case SpecifierCase::kInlineBytes: - server_cert->mutable_certificate_chain()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_chain))); - server_cert->mutable_private_key()->set_inline_bytes( - TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(private_key))); - server_validation_ctx->mutable_trusted_ca()->set_inline_bytes(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(trusted_ca))); - break; - default: - break; - } - server_validation_ctx->add_verify_certificate_hash(cert_hash_1); - server_validation_ctx->add_verify_certificate_hash(cert_hash_2); - 
server_validation_ctx->add_verify_certificate_spki(cert_spki); - +void updateFilterChain( + envoy::config::listener::v3::FilterChain* filter_chain, + const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& tls_context) { filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); } struct OptionalServerConfig { - absl::optional allow_expired_certificate = {}; + absl::optional allow_expired_cert = {}; absl::optional cert_hash = {}; absl::optional trusted_ca = {}; }; void configureServerAndExpiredClientCertificate( envoy::config::listener::v3::Listener& listener, - envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client, const OptionalServerConfig& server_config = {}) { + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client, + const OptionalServerConfig& server_config = {}) { envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; 
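Review bot: `updateFilterChain` should state the contract its callers rely on, because `Any::PackFrom` serializes a copy: later edits to `tls_context` do not reach the filter chain until the helper is called again, which is why every test in this file re-invokes it after each mutation. Suggested header comment: `// Packs a snapshot of tls_context into filter_chain's transport socket. PackFrom() copies, so call again after any later change to tls_context.` The `OptionalServerConfig` field rename to `allow_expired_cert` is fine, though keeping `allow_expired_certificate`, the name of the proto setter it feeds, would make the mapping greppable.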
@@ -849,22 +813,23 @@ void configureServerAndExpiredClientCertificate( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); - + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); if (server_config.trusted_ca.has_value()) { - server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - server_config.trusted_ca.value())); + server_validation_ctx->mutable_trusted_ca()->set_filename( + TestEnvironment::substitute(server_config.trusted_ca.value())); } else { server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); } - if (server_config.allow_expired_certificate.has_value()) { - server_validation_ctx->set_allow_expired_certificate(server_config.allow_expired_certificate.value()); + if (server_config.allow_expired_cert.has_value()) { + server_validation_ctx->set_allow_expired_certificate(server_config.allow_expired_cert.value()); } if (server_config.cert_hash.has_value()) { server_validation_ctx->add_verify_certificate_hash(server_config.cert_hash.value()); } - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); 
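Review bot: The line holding a lone `;` after `updateFilterChain(filter_chain, tls_context);` is an empty statement, presumably left behind when `PackFrom(tls_context);` was replaced by the helper call; delete it here and in every later hunk of this file where the same `updateFilterChain(...);` / `;` pair appears (GetCertDigestInline, the hash-list and SPKI verification tests). It is harmless at runtime but will look like a typo to the next reader and may be flagged by the formatter in CI. The function body continues past this hunk.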
@@ -966,14 +931,16 @@ TEST_P(SslSocketTest, GetCertDigestInline) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"))); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); // From test/extensions/transport_sockets/tls/test_data/ca_certificates.pem. - server_validation_ctx->mutable_trusted_ca() - ->set_inline_bytes(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + server_validation_ctx->mutable_trusted_ca()->set_inline_bytes( + TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_ctx; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1594,7 +1561,7 @@ TEST_P(SslSocketTest, FailedClientCertificateExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = false}); + configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig{false}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
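Review bot: `OptionalServerConfig{false}` initializes `allow_expired_cert` positionally, which silently re-binds to whatever becomes the first member if the struct is ever reordered, and it reads worse than the designated form this same series uses for the other call sites (`.allow_expired_cert = true, .cert_hash = ...`). For a flag that relaxes certificate-expiry checking the intent should be explicit: `OptionalServerConfig{.allow_expired_cert = false}` here and `OptionalServerConfig{.allow_expired_cert = true}` in the following hunk, provided the toolchain accepts designated initializers, which the other call sites already assume.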
@@ -1606,7 +1573,7 @@ TEST_P(SslSocketTest, ClientCertificateExpirationAllowedVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = true}); + configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig{true}); TestUtilOptionsV2 test_options(listener, client, true, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -1618,7 +1585,11 @@ TEST_P(SslSocketTest, FailedClientCertAllowExpiredBadHashVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = true, .cert_hash = "0000000000000000000000000000000000000000000000000000000000000000"}); + configureServerAndExpiredClientCertificate( + listener, client, + OptionalServerConfig{.allow_expired_cert = true, + .cert_hash = + "0000000000000000000000000000000000000000000000000000000000000000"}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -1632,7 +1603,12 @@ TEST_P(SslSocketTest, FailedClientCertAllowServerExpiredWrongCAVerification) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Fake CA is not used to sign the client's certificate. - configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig {.allow_expired_certificate = true, .trusted_ca = "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"}); + configureServerAndExpiredClientCertificate( + listener, client, + OptionalServerConfig{ + .allow_expired_cert = true, + .trusted_ca = "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
@@ -1704,13 +1680,15 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1740,11 +1718,13 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1901,13 +1881,15 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/password_protected_password.txt")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1944,13 +1926,15 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1980,10 +1964,12 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2013,12 +1999,14 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, false, GetParam()); 
@@ -2041,10 +2029,12 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2068,12 +2058,14 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2103,10 +2095,12 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2136,12 +2130,14 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2170,14 +2166,16 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2207,12 +2205,14 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2242,13 +2242,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2272,11 +2274,13 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2300,13 +2304,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2336,11 +2342,13 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2370,13 +2378,15 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -3869,7 +3879,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { // so enable them to avoid false positives. client_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); // Connection using defaults (client & server) succeeds, negotiating TLSv1.2. TestUtilOptionsV2 tls_v1_2_test_options = 
@@ -3945,7 +3955,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3961,7 +3971,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3977,7 +3987,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
@@ -3987,7 +3997,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -3997,7 +4007,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4007,7 +4017,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(error_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
@@ -4017,7 +4027,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4031,7 +4041,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -4047,7 +4057,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); 
@@ -4065,9 +4075,9 @@ TEST_P(SslSocketTest, ALPN) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* - server_ctx = tls_context.mutable_common_tls_context(); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = + tls_context.mutable_common_tls_context(); + updateFilterChain(filter_chain, tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* client_ctx = @@ -4085,7 +4095,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated. server_ctx->add_alpn_protocols("test"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); @@ -4098,7 +4108,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test" ALPN, "test" ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); 
@@ -4110,7 +4120,7 @@ TEST_P(SslSocketTest, ALPN) { client.set_allow_renegotiation(true); client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4121,7 +4131,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test2" ALPN, no ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test2"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(test_options); client_ctx->clear_alpn_protocols(); server_ctx->clear_alpn_protocols(); @@ -4138,7 +4148,8 @@ TEST_P(SslSocketTest, CipherSuites) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; // TODO(tyxia) Pointer like solution // auto* tls_context_ptr = filter_chain->mutable_transport_socket()->mutable_typed_config(); - // // ASSERT_TRUE(tls_context_ptr->Is()); + // // + // ASSERT_TRUE(tls_context_ptr->Is()); // auto tls_context = // MessageUtil::anyConvert( // *tls_context_ptr); @@ -4149,7 +4160,7 @@ TEST_P(SslSocketTest, CipherSuites) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = 
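Review bot: The `// TODO(tyxia) Pointer like solution` block at the top of CipherSuites is commented-out code, and the reflow in this hunk has split its inner `// // ASSERT_TRUE(...)` line into a bare `// //` followed by `// ASSERT_TRUE(...)`, so it no longer even reads as one statement. Commented-out code in a test rots quickly and the formatter will keep mangling it; either keep the design note as one sentence, e.g. `// TODO(tyxia): consider mutating the packed Any in place instead of re-packing tls_context after every change.`, or drop the block entirely. The rest of the CipherSuites body lies outside this hunk.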
@@ -4168,11 +4179,10 @@ TEST_P(SslSocketTest, CipherSuites) { std::string common_cipher_suite = "ECDHE-RSA-CHACHA20-POLY1305"; client_params->add_cipher_suites(common_cipher_suite); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - tls_context.mutable_common_tls_context() - ->mutable_tls_params(); + tls_context.mutable_common_tls_context()->mutable_tls_params(); server_params->add_cipher_suites(common_cipher_suite); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - //filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + // updateFilterChain(filter_chain, tls_context); TestUtilOptionsV2 cipher_test_options(listener, client, true, GetParam()); cipher_test_options.setExpectedCiphersuite(common_cipher_suite); std::string stats = "ssl.ciphers." + common_cipher_suite; @@ -4184,7 +4194,7 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects with unsupported cipher suite, connection fails. client_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); 
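Review bot: The `// updateFilterChain(filter_chain, tls_context);` left commented out right after `server_params->add_cipher_suites(...)` means the two server cipher suites configured just above are never packed into the filter chain before `cipher_test_options` runs; the last pack happened after the certificate setup in the preceding hunk, so — if `updateFilterChain` copies `tls_context` into the listener the way the replaced `PackFrom` call did — the server side of that scenario runs with its default cipher list and the `setExpectedCiphersuite(common_cipher_suite)` check can pass for the wrong reason. Every other scenario in this test re-packs after mutating `server_params`, so this one should too: `updateFilterChain(filter_chain, tls_context);`. The `testUtilV2(cipher_test_options)` call and the remainder of CipherSuites are outside the hunk.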
@@ -4193,11 +4203,11 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects to a server offering only deprecated cipher suites, connection fails. server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); server_params->clear_cipher_suites(); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); // Verify that ECDHE-RSA-CHACHA20-POLY1305 is not offered by default in FIPS builds. client_params->add_cipher_suites(common_cipher_suite); #ifdef BORINGSSL_FIPS @@ -4219,9 +4229,8 @@ TEST_P(SslSocketTest, EcdhCurves) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = - tls_context.mutable_common_tls_context() - ->mutable_tls_params(); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + tls_context.mutable_common_tls_context()->mutable_tls_params(); + updateFilterChain(filter_chain, tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = 
@@ -4241,7 +4250,7 @@ TEST_P(SslSocketTest, EcdhCurves) { server_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); TestUtilOptionsV2 ecdh_curves_test_options(listener, client, true, GetParam()); std::string stats = "ssl.curves.X25519"; ecdh_curves_test_options.setExpectedServerStats(stats).setExpectedClientStats(stats); @@ -4254,7 +4263,7 @@ TEST_P(SslSocketTest, EcdhCurves) { client_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); @@ -4266,7 +4275,7 @@ TEST_P(SslSocketTest, EcdhCurves) { // Verify that X25519 is not offered by default in FIPS builds. client_params->add_ecdh_curves("X25519"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); #ifdef BORINGSSL_FIPS testUtilV2(error_test_options); #else 
@@ -4281,7 +4290,8 @@ TEST_P(SslSocketTest, SignatureAlgorithms) { envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* - server_validation_ctx = tls_context.mutable_common_tls_context()->mutable_validation_context(); + server_validation_ctx = + tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->mutable_trusted_ca()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); @@ -4294,7 +4304,8 @@ TEST_P(SslSocketTest, SignatureAlgorithms) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem")); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Client RSA certificate. @@ -4588,7 +4599,8 @@ TEST_P(SslSocketTest, GetRequestedServerName) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); 
@@ -4607,7 +4619,8 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); @@ -4630,7 +4643,8 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); + ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -4652,21 +4666,20 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = - tls_context.mutable_common_tls_context(); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, true, GetParam()); // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated. + envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = + tls_context.mutable_common_tls_context(); server_ctx->add_alpn_protocols("test"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); // Override client side ALPN, "test" ALPN is used. server_ctx->add_alpn_protocols("test"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); auto transport_socket_options = std::make_shared( "", std::vector{}, std::vector{"foo", "test", "bar"}); 
@@ -4700,7 +4713,7 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) { // Note that the server prefers "test" over "bar", but since the client only configures "bar", // the resulting ALPN will be "bar" even though "test" is included in the fallback. server_ctx->add_alpn_protocols("bar"); - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + updateFilterChain(filter_chain, tls_context); client.mutable_common_tls_context()->add_alpn_protocols("bar"); testUtilV2(test_options.setExpectedALPNProtocol("bar").setTransportSocketOptions( transport_socket_options)); From 9193e33bd6070aeccd222d5304969815e5c595a7 Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Sun, 27 Jun 2021 02:21:50 +0000 Subject: [PATCH 03/11] fix typo Signed-off-by: Tianyu Xia --- test/extensions/transport_sockets/tls/ssl_socket_test.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index a9927dff8ee30..8fd8f8725f65d 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -829,7 +829,6 @@ void configureServerAndExpiredClientCertificate( server_validation_ctx->add_verify_certificate_hash(server_config.cert_hash.value()); } updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); From 8f5d2bf0d610ca7a731e16c644d7ad3ca7c9a6ab Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Sun, 27 Jun 2021 02:34:32 +0000 Subject: [PATCH 04/11] format Signed-off-by: Tianyu Xia --- test/extensions/transport_sockets/tls/ssl_socket_test.cc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 8fd8f8725f65d..7434cbcadab85 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -1560,7 +1560,8 @@ TEST_P(SslSocketTest, FailedClientCertificateExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig{false}); + configureServerAndExpiredClientCertificate(listener, client, + OptionalServerConfig{.allow_expired_cert = false}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -1572,7 +1573,8 @@ TEST_P(SslSocketTest, ClientCertificateExpirationAllowedVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client, OptionalServerConfig{true}); + configureServerAndExpiredClientCertificate(listener, client, + OptionalServerConfig{.allow_expired_cert = true}); TestUtilOptionsV2 test_options(listener, client, true, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") From 498bf8f00348ff73d19477ba6ded16a23982e36d Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Sun, 27 Jun 2021 02:47:29 +0000 Subject: [PATCH 05/11] format Signed-off-by: Tianyu Xia --- .../transport_sockets/tls/ssl_socket_test.cc | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 7434cbcadab85..81197ac6dafa9 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc 
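Review bot: `OptionalServerConfig{.allow_expired_cert = false}` (and `= true` in the second hunk) uses designated initializers, which are a C++20 feature; if this target is still compiled as C++17 the code relies on a compiler extension and clang warns under -pedantic (`-Wc++20-designator`). The named form is a real readability gain over the old positional `OptionalServerConfig{false}`, so if the build flags do not permit it, a two-line local such as `OptionalServerConfig config; config.allow_expired_cert = false;` keeps the intent visible without the extension. The definition of OptionalServerConfig is outside this hunk, so I cannot confirm from here that it is an aggregate.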
+++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -939,7 +939,6 @@ TEST_P(SslSocketTest, GetCertDigestInline) { "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_ctx; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1689,7 +1688,6 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1725,7 +1723,6 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1890,7 +1887,6 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1935,7 +1931,6 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1970,7 +1965,6 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2007,7 +2001,6 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, false, GetParam()); @@ -2035,7 +2028,6 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2066,7 +2058,6 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2101,7 +2092,6 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2138,7 +2128,6 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2176,7 +2165,6 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2213,7 +2201,6 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2251,7 +2238,6 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; @@ -2281,7 +2267,6 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; @@ -2313,7 +2298,6 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2349,7 +2333,6 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2387,7 +2370,6 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -4306,7 +4288,6 @@ TEST_P(SslSocketTest, SignatureAlgorithms) { "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem")); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Client RSA certificate. @@ -4601,7 +4582,6 @@ TEST_P(SslSocketTest, GetRequestedServerName) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); @@ -4621,7 +4601,6 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); 
@@ -4645,7 +4624,6 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); updateFilterChain(filter_chain, tls_context); - ; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; From de9f5dfe13af6ce0ea5c76bd090819224d9d28d3 Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Sun, 27 Jun 2021 13:34:15 +0000 Subject: [PATCH 06/11] Envoy code style disallows designated initializers:( Signed-off-by: Tianyu Xia --- .../transport_sockets/tls/ssl_socket_test.cc | 40 ++++++++----------- 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 81197ac6dafa9..9e082adee40db 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -793,9 +793,9 @@ void updateFilterChain( } struct OptionalServerConfig { - absl::optional allow_expired_cert = {}; absl::optional cert_hash = {}; absl::optional trusted_ca = {}; + absl::optional allow_expired_cert = {}; }; void configureServerAndExpiredClientCertificate( @@ -1559,8 +1559,9 @@ TEST_P(SslSocketTest, FailedClientCertificateExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client, - OptionalServerConfig{.allow_expired_cert = false}); + OptionalServerConfig server_config = {}; + server_config.allow_expired_cert = false; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") 
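Review bot: `OptionalServerConfig` still says nothing about what an unset field means, and that matters for the `allow_expired_cert` member being moved in this hunk: left at nullopt the helper presumably keeps the server's default expiry handling, and the test named FailedClientCertificateDefaultExpirationVerification relies on exactly that by passing an empty config, so nullopt is not a neutral value but the "expired client certificates are rejected" case. A comment on the field, `// nullopt: keep the server default, i.e. expired client certificates are rejected.`, plus a note on `cert_hash` and `trusted_ca` that nullopt means "not configured", would make the intent readable at the call sites. The helper that consumes these fields begins after the end of this hunk, so its handling of nullopt cannot be confirmed from here.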
@@ -1572,8 +1573,9 @@ TEST_P(SslSocketTest, ClientCertificateExpirationAllowedVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client, - OptionalServerConfig{.allow_expired_cert = true}); + OptionalServerConfig server_config = {}; + server_config.allow_expired_cert = true; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, true, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -1585,11 +1587,10 @@ TEST_P(SslSocketTest, FailedClientCertAllowExpiredBadHashVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate( - listener, client, - OptionalServerConfig{.allow_expired_cert = true, - .cert_hash = - "0000000000000000000000000000000000000000000000000000000000000000"}); + OptionalServerConfig server_config = {}; + server_config.allow_expired_cert = true; + server_config.cert_hash = "0000000000000000000000000000000000000000000000000000000000000000"; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedServerStats("ssl.fail_verify_cert_hash") 
@@ -1602,13 +1603,12 @@ TEST_P(SslSocketTest, FailedClientCertAllowServerExpiredWrongCAVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; + OptionalServerConfig server_config = {}; + server_config.allow_expired_cert = true; // Fake CA is not used to sign the client's certificate. - configureServerAndExpiredClientCertificate( - listener, client, - OptionalServerConfig{ - .allow_expired_cert = true, - .trusted_ca = "{{ test_rundir " - "}}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"}); + server_config.trusted_ca = "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"; + configureServerAndExpiredClientCertificate(listener, client, server_config); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -4129,13 +4129,6 @@ TEST_P(SslSocketTest, CipherSuites) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; - // TODO(tyxia) Pointer like solution - // auto* tls_context_ptr = filter_chain->mutable_transport_socket()->mutable_typed_config(); - // // - // ASSERT_TRUE(tls_context_ptr->Is()); - // auto tls_context = - // MessageUtil::anyConvert( - // *tls_context_ptr); envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); 
@@ -4165,7 +4158,6 @@ TEST_P(SslSocketTest, CipherSuites) {
 tls_context.mutable_common_tls_context()->mutable_tls_params();
 server_params->add_cipher_suites(common_cipher_suite);
 server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256");
- // updateFilterChain(filter_chain, tls_context);
 TestUtilOptionsV2 cipher_test_options(listener, client, true, GetParam());
 cipher_test_options.setExpectedCiphersuite(common_cipher_suite);
 std::string stats = "ssl.ciphers." + common_cipher_suite;
From 54b026e81eae0b86309ef5c02c655253f6377fa4 Mon Sep 17 00:00:00 2001
From: Tianyu Xia
Date: Sun, 27 Jun 2021 16:07:39 +0000
Subject: [PATCH 07/11] fix CI
Signed-off-by: Tianyu Xia
---
 test/extensions/transport_sockets/tls/ssl_socket_test.cc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
index 9e082adee40db..033cdc83aa96d 100644
--- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc
+++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
@@ -4158,6 +4158,7 @@ TEST_P(SslSocketTest, CipherSuites) {
 tls_context.mutable_common_tls_context()->mutable_tls_params();
 server_params->add_cipher_suites(common_cipher_suite);
 server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256");
+ updateFilterChain(filter_chain, tls_context);
 TestUtilOptionsV2 cipher_test_options(listener, client, true, GetParam());
 cipher_test_options.setExpectedCiphersuite(common_cipher_suite);
 std::string stats = "ssl.ciphers." + common_cipher_suite;
From 10763d62c3f5cebc541a52f0503fe486211b2b74 Mon Sep 17 00:00:00 2001
From: Tianyu Xia
Date: Mon, 28 Jun 2021 14:59:09 +0000
Subject: [PATCH 08/11] Tweak code per styple guide: put all input-only parameters before any output parameters and remove default arg
Signed-off-by: Tianyu Xia
---
 .../transport_sockets/tls/ssl_socket_test.cc | 108 +++++++++---------
 1 file changed, 54 insertions(+), 54 deletions(-)
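Review bot: The restored `updateFilterChain(filter_chain, tls_context);` carries no explanation of why it is required, and this series' own history (commented out in the previous commit, put back here to fix CI) shows how easily it gets dropped. `updateFilterChain` packs a copy of `tls_context` into the filter chain's typed_config, so each mutation of `tls_context` — here the server cipher list — must be followed by a re-pack, otherwise the listener under test presumably keeps the earlier packed configuration and the "unsupported cipher suite" and "deprecated cipher suites only" expectations further down in this test would be exercised against a server cipher list other than the one the test believes it configured. A one-line comment above the call, `// tls_context is a detached copy: re-pack it so the server cipher list reaches the listener.`, would make the dependency explicit. The CipherSuites test body starts outside this hunk.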
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 033cdc83aa96d..e5bd118389759 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -787,8 +787,8 @@ void testUtilV2(const TestUtilOptionsV2& options) { } void updateFilterChain( - envoy::config::listener::v3::FilterChain* filter_chain, - const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& tls_context) { + const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& tls_context, + envoy::config::listener::v3::FilterChain* filter_chain) { filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); } @@ -801,7 +801,7 @@ struct OptionalServerConfig { void configureServerAndExpiredClientCertificate( envoy::config::listener::v3::Listener& listener, envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client, - const OptionalServerConfig& server_config = {}) { + const OptionalServerConfig& server_config) { envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; @@ -828,7 +828,7 @@ void configureServerAndExpiredClientCertificate( if (server_config.cert_hash.has_value()) { server_validation_ctx->add_verify_certificate_hash(server_config.cert_hash.value()); } - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); 
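Review bot: `updateFilterChain` still has no comment stating its contract, and the parameter reorder in the first hunk is the moment to add one: it serializes a snapshot of `tls_context` into the filter chain's `transport_socket` typed_config, so callers must invoke it again after every later mutation of `tls_context` (the @@ -828 hunk and the ProtocolVersions, ALPN, CipherSuites and EcdhCurves hunks later in this commit all follow that pattern). A header such as `// Packs a snapshot of tls_context into filter_chain's transport socket; re-run after each mutation of tls_context.` would document that. The helper also never sets the transport socket `name`, only the typed_config — presumably `testUtilV2` resolves the TLS factory from the `Any` type URL, but that is worth confirming so a listener built this way cannot silently end up with a non-TLS socket. The reorder itself is safe against stale call sites because the two parameter types differ, so an old-order call fails to compile instead of compiling with swapped arguments.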
@@ -938,7 +938,7 @@ TEST_P(SslSocketTest, GetCertDigestInline) { "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_ctx; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1546,7 +1546,7 @@ TEST_P(SslSocketTest, FailedClientCertificateDefaultExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - configureServerAndExpiredClientCertificate(listener, client); + configureServerAndExpiredClientCertificate(listener, client, /*server_config=*/{}); TestUtilOptionsV2 test_options(listener, client, false, GetParam()); testUtilV2(test_options.setExpectedClientCertUri("spiffe://lyft.com/test-team") @@ -1687,7 +1687,7 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1722,7 +1722,7 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1886,7 +1886,7 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1930,7 +1930,7 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1964,7 +1964,7 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2000,7 +2000,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, false, GetParam()); @@ -2027,7 +2027,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2057,7 +2057,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2091,7 +2091,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2127,7 +2127,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2164,7 +2164,7 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2200,7 +2200,7 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2237,7 +2237,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; 
@@ -2266,7 +2266,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; @@ -2297,7 +2297,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2332,7 +2332,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2369,7 +2369,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -3862,7 +3862,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { // so enable them to avoid false positives. client_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); // Connection using defaults (client & server) succeeds, negotiating TLSv1.2. TestUtilOptionsV2 tls_v1_2_test_options = @@ -3938,7 +3938,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3954,7 +3954,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); 
@@ -3970,7 +3970,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -3980,7 +3980,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -3990,7 +3990,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4000,7 +4000,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(error_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
@@ -4010,7 +4010,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4024,7 +4024,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -4040,7 +4040,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -4060,7 +4060,7 @@ TEST_P(SslSocketTest, ALPN) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = tls_context.mutable_common_tls_context(); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* client_ctx = 
@@ -4078,7 +4078,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated. server_ctx->add_alpn_protocols("test"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); @@ -4091,7 +4091,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test" ALPN, "test" ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4103,7 +4103,7 @@ TEST_P(SslSocketTest, ALPN) { client.set_allow_renegotiation(true); client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4114,7 +4114,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test2" ALPN, no ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test2"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(test_options); client_ctx->clear_alpn_protocols(); server_ctx->clear_alpn_protocols(); 
@@ -4136,7 +4136,7 @@ TEST_P(SslSocketTest, CipherSuites) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = @@ -4158,7 +4158,7 @@ TEST_P(SslSocketTest, CipherSuites) { tls_context.mutable_common_tls_context()->mutable_tls_params(); server_params->add_cipher_suites(common_cipher_suite); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); TestUtilOptionsV2 cipher_test_options(listener, client, true, GetParam()); cipher_test_options.setExpectedCiphersuite(common_cipher_suite); std::string stats = "ssl.ciphers." + common_cipher_suite; @@ -4170,7 +4170,7 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects with unsupported cipher suite, connection fails. client_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); 
@@ -4179,11 +4179,11 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects to a server offering only deprecated cipher suites, connection fails. server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); server_params->clear_cipher_suites(); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); // Verify that ECDHE-RSA-CHACHA20-POLY1305 is not offered by default in FIPS builds. client_params->add_cipher_suites(common_cipher_suite); #ifdef BORINGSSL_FIPS @@ -4206,7 +4206,7 @@ TEST_P(SslSocketTest, EcdhCurves) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params = tls_context.mutable_common_tls_context()->mutable_tls_params(); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = @@ -4226,7 +4226,7 @@ TEST_P(SslSocketTest, EcdhCurves) { server_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); TestUtilOptionsV2 ecdh_curves_test_options(listener, client, true, GetParam()); std::string stats = "ssl.curves.X25519"; ecdh_curves_test_options.setExpectedServerStats(stats).setExpectedClientStats(stats); 
@@ -4239,7 +4239,7 @@ TEST_P(SslSocketTest, EcdhCurves) { client_params->add_ecdh_curves("X25519"); server_params->add_ecdh_curves("P-256"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); @@ -4251,7 +4251,7 @@ TEST_P(SslSocketTest, EcdhCurves) { // Verify that X25519 is not offered by default in FIPS builds. client_params->add_ecdh_curves("X25519"); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); #ifdef BORINGSSL_FIPS testUtilV2(error_test_options); #else @@ -4280,7 +4280,7 @@ TEST_P(SslSocketTest, SignatureAlgorithms) { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem")); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; // Client RSA certificate. @@ -4574,7 +4574,7 @@ TEST_P(SslSocketTest, GetRequestedServerName) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); 
@@ -4593,7 +4593,7 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; client.set_sni("lyft.com"); @@ -4616,7 +4616,7 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext) "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; @@ -4646,12 +4646,12 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) { envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = tls_context.mutable_common_tls_context(); server_ctx->add_alpn_protocols("test"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); // Override client side ALPN, "test" ALPN is used. server_ctx->add_alpn_protocols("test"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); auto transport_socket_options = std::make_shared( "", std::vector{}, std::vector{"foo", "test", "bar"}); 
@@ -4685,7 +4685,7 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) { // Note that the server prefers "test" over "bar", but since the client only configures "bar", // the resulting ALPN will be "bar" even though "test" is included in the fallback. server_ctx->add_alpn_protocols("bar"); - updateFilterChain(filter_chain, tls_context); + updateFilterChain(tls_context, filter_chain); client.mutable_common_tls_context()->add_alpn_protocols("bar"); testUtilV2(test_options.setExpectedALPNProtocol("bar").setTransportSocketOptions( transport_socket_options)); From acc83f93c0695157fbf45d6bed67ed1cdea8401a Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Tue, 29 Jun 2021 19:24:40 +0000 Subject: [PATCH 09/11] update per review Signed-off-by: Tianyu Xia --- .../transport_sockets/tls/ssl_socket_test.cc | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index e5bd118389759..1e1a1d95caead 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -793,16 +793,15 @@ void updateFilterChain( } struct OptionalServerConfig { - absl::optional cert_hash = {}; - absl::optional trusted_ca = {}; - absl::optional allow_expired_cert = {}; + absl::optional cert_hash{}; + absl::optional trusted_ca{}; + absl::optional allow_expired_cert{}; }; void configureServerAndExpiredClientCertificate( envoy::config::listener::v3::Listener& listener, envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client, const OptionalServerConfig& server_config) { - envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = 
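Review bot: `OptionalServerConfig` ends up with three optional fields and no comment saying what each one switches on the server side, and the tests that use it (e.g. `FailedClientCertAllowExpiredBadHashVerification`) only make sense if a reader knows that `allow_expired_cert` relaxes the expiry check alone and not the hash or CA checks. I would document each field: `// Added to verify_certificate_hash when set.` on cert_hash, `// Path of the CA file installed as the server's trusted_ca when set.` on trusted_ca, and `// Presumably toggles allow_expired_certificate on the server validation context when set.` on allow_expired_cert (the setter itself is outside this hunk, so confirm the wording). The hunk also drops the `filter_chain` local at the top of configureServerAndExpiredClientCertificate while a later call to updateFilterChain in the same function still needs one, so a second `listener.add_filter_chains()` presumably survives further down, outside this hunk; if the original had called it twice, the listener carried an empty leading filter chain, which deserves a one-line comment at the surviving declaration. The body of configureServerAndExpiredClientCertificate continues past the end of the hunk.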
@@ -1559,7 +1558,7 @@ TEST_P(SslSocketTest, FailedClientCertificateExpirationVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - OptionalServerConfig server_config = {}; + OptionalServerConfig server_config; server_config.allow_expired_cert = false; configureServerAndExpiredClientCertificate(listener, client, server_config); @@ -1573,7 +1572,7 @@ TEST_P(SslSocketTest, ClientCertificateExpirationAllowedVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - OptionalServerConfig server_config = {}; + OptionalServerConfig server_config; server_config.allow_expired_cert = true; configureServerAndExpiredClientCertificate(listener, client, server_config); @@ -1587,7 +1586,7 @@ TEST_P(SslSocketTest, FailedClientCertAllowExpiredBadHashVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - OptionalServerConfig server_config = {}; + OptionalServerConfig server_config; server_config.allow_expired_cert = true; server_config.cert_hash = "0000000000000000000000000000000000000000000000000000000000000000"; configureServerAndExpiredClientCertificate(listener, client, server_config); @@ -1603,7 +1602,7 @@ TEST_P(SslSocketTest, FailedClientCertAllowServerExpiredWrongCAVerification) { envoy::config::listener::v3::Listener listener; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; - OptionalServerConfig server_config = {}; + OptionalServerConfig server_config; server_config.allow_expired_cert = true; // Fake CA is not used to sign the client's certificate. server_config.trusted_ca = "{{ test_rundir " From aff0e40877c47f3a3b53a7252d3059eb0295e9f0 Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Wed, 30 Jun 2021 03:05:19 +0000 Subject: [PATCH 10/11] use unnamed namespace over static 
Signed-off-by: Tianyu Xia --- .../transport_sockets/tls/ssl_socket_test.cc | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 1e1a1d95caead..9a5498a64a608 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -838,6 +838,16 @@ void configureServerAndExpiredClientCertificate( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/expired_san_uri_key.pem")); } +TestUtilOptionsV2 createProtocolTestOptions( + const envoy::config::listener::v3::Listener& listener, + const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client_ctx, + Network::Address::IpVersion version, std::string protocol) { + std::string stats = "ssl.versions." + protocol; + TestUtilOptionsV2 options(listener, client_ctx, true, version); + options.setExpectedServerStats(stats).setExpectedClientStats(stats); + return options.setExpectedProtocolVersion(protocol); +} + } // namespace class SslSocketTest : public SslCertsTest, @@ -3830,16 +3840,6 @@ TEST_P(SslSocketTest, SslError) { EXPECT_EQ(1UL, server_stats_store.counter("ssl.connection_error").value()); } -static TestUtilOptionsV2 createProtocolTestOptions( - const envoy::config::listener::v3::Listener& listener, - const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& client_ctx, - Network::Address::IpVersion version, std::string protocol) { - std::string stats = "ssl.versions." + protocol; - TestUtilOptionsV2 options(listener, client_ctx, true, version); - options.setExpectedServerStats(stats).setExpectedClientStats(stats); - return options.setExpectedProtocolVersion(protocol); -} - TEST_P(SslSocketTest, ProtocolVersions) { envoy::config::listener::v3::Listener listener; envoy::config::listener::v3::FilterChain* filter_chain = listener.add_filter_chains(); 
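Review bot: `createProtocolTestOptions` is moved into the unnamed namespace unchanged, still taking `std::string protocol` by value and with no header comment, and the relocation is the natural moment to fix both. The signature line `Network::Address::IpVersion version, const std::string& protocol) {` avoids a copy on every call, and a comment such as `// Options for a handshake expected to negotiate `protocol` and to bump ssl.versions.<protocol> on both the client and the server.` states the contract the body already shows (the stats string, the matching server and client stats, the expected protocol version). Dropping `static` in favour of the unnamed namespace is consistent with the helpers that precede the `} // namespace` line; nothing else in the hunk needs changing.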
From 552a55388f5bad1209c8979c8bf0411c21302724 Mon Sep 17 00:00:00 2001 From: Tianyu Xia Date: Thu, 1 Jul 2021 14:36:40 +0000 Subject: [PATCH 11/11] style guide Signed-off-by: Tianyu Xia --- .../transport_sockets/tls/ssl_socket_test.cc | 104 +++++++++--------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index 9a5498a64a608..1c4cb541fae78 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -788,8 +788,8 @@ void testUtilV2(const TestUtilOptionsV2& options) { void updateFilterChain( const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& tls_context, - envoy::config::listener::v3::FilterChain* filter_chain) { - filter_chain->mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); + envoy::config::listener::v3::FilterChain& filter_chain) { + filter_chain.mutable_transport_socket()->mutable_typed_config()->PackFrom(tls_context); } struct OptionalServerConfig { @@ -827,7 +827,7 @@ void configureServerAndExpiredClientCertificate( if (server_config.cert_hash.has_value()) { server_validation_ctx->add_verify_certificate_hash(server_config.cert_hash.value()); } - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = client.mutable_common_tls_context()->add_tls_certificates(); @@ -947,7 +947,7 @@ TEST_P(SslSocketTest, GetCertDigestInline) { "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"))); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_ctx; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
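Review bot: `updateFilterChain` now takes `FilterChain&` but still has no comment, and its one non-obvious property is that `PackFrom` replaces whatever typed_config was there, which is exactly why every test calls it again after mutating `tls_context`; I would add `// Serializes tls_context into filter_chain's transport-socket typed_config, replacing any previous one; call again after every change to tls_context.` above the definition. The helper also leaves the transport socket `name` unset; if that is deliberate because the test harness unpacks typed_config directly, the comment should say so, otherwise a reader would expect the name to be set here as well. Taking the out-parameter by reference after the const input matches the argument order the earlier commits in this series settled on.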
@@ -1696,7 +1696,7 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerification) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1731,7 +1731,7 @@ TEST_P(SslSocketTest, ClientCertificateHashListVerificationNoCA) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_SAN_URI_CERT_256_HASH); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1895,7 +1895,7 @@ TEST_P(SslSocketTest, CertificatesWithPassword) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_hash(TEST_PASSWORD_PROTECTED_CERT_256_HASH); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -1939,7 +1939,7 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerification) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -1973,7 +1973,7 @@ TEST_P(SslSocketTest, ClientCertificateSpkiVerificationNoCA) { tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2009,7 +2009,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoClientCertificate "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; TestUtilOptionsV2 test_options(listener, client, false, GetParam()); 
@@ -2036,7 +2036,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCANoClientCertifi tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; @@ -2066,7 +2066,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongClientCertific "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2100,7 +2100,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationNoCAWrongClientCert tls_context.mutable_common_tls_context()->mutable_validation_context(); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2136,7 +2136,7 @@ TEST_P(SslSocketTest, FailedClientCertificateSpkiVerificationWrongCA) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem")); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2173,7 +2173,7 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerification) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2209,7 +2209,7 @@ TEST_P(SslSocketTest, ClientCertificateHashAndSpkiVerificationNoCA) { "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_DNS_CERT_SPKI); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2246,7 +2246,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoClientCert server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; @@ -2275,7 +2275,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCANoClient server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; @@ -2306,7 +2306,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongClientC server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = 
@@ -2341,7 +2341,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationNoCAWrongCli server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -2378,7 +2378,7 @@ TEST_P(SslSocketTest, FailedClientCertificateHashAndSpkiVerificationWrongCA) { server_validation_ctx->add_verify_certificate_hash( "0000000000000000000000000000000000000000000000000000000000000000"); server_validation_ctx->add_verify_certificate_spki(TEST_SAN_URI_CERT_SPKI); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsCertificate* client_cert = @@ -3861,7 +3861,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { // so enable them to avoid false positives. client_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); // Connection using defaults (client & server) succeeds, negotiating TLSv1.2. TestUtilOptionsV2 tls_v1_2_test_options = 
@@ -3937,7 +3937,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3953,7 +3953,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -3969,7 +3969,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
@@ -3979,7 +3979,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_1); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(unsupported_protocol_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -3989,7 +3989,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -3999,7 +3999,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(error_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); @@ -4009,7 +4009,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_2_test_options); server_params->clear_tls_minimum_protocol_version(); server_params->clear_tls_maximum_protocol_version(); 
@@ -4023,7 +4023,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_0); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -4039,7 +4039,7 @@ TEST_P(SslSocketTest, ProtocolVersions) { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); server_params->set_tls_maximum_protocol_version( envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(tls_v1_3_test_options); client_params->clear_tls_minimum_protocol_version(); client_params->clear_tls_maximum_protocol_version(); @@ -4059,7 +4059,7 @@ TEST_P(SslSocketTest, ALPN) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx = tls_context.mutable_common_tls_context(); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* client_ctx = @@ -4077,7 +4077,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects without ALPN to a server with "test" ALPN, no ALPN is negotiated. server_ctx->add_alpn_protocols("test"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(test_options); server_ctx->clear_alpn_protocols(); 
@@ -4090,7 +4090,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test" ALPN, "test" ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4102,7 +4102,7 @@ TEST_P(SslSocketTest, ALPN) { client.set_allow_renegotiation(true); client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); test_options.setExpectedALPNProtocol("test"); testUtilV2(test_options); test_options.setExpectedALPNProtocol(""); @@ -4113,7 +4113,7 @@ TEST_P(SslSocketTest, ALPN) { // Client connects with "test" ALPN to a server with "test2" ALPN, no ALPN is negotiated. client_ctx->add_alpn_protocols("test"); server_ctx->add_alpn_protocols("test2"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); testUtilV2(test_options); client_ctx->clear_alpn_protocols(); server_ctx->clear_alpn_protocols(); @@ -4135,7 +4135,7 @@ TEST_P(SslSocketTest, CipherSuites) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem")); server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem")); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client; envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params = 
@@ -4157,7 +4157,7 @@ TEST_P(SslSocketTest, CipherSuites) { tls_context.mutable_common_tls_context()->mutable_tls_params(); server_params->add_cipher_suites(common_cipher_suite); server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); TestUtilOptionsV2 cipher_test_options(listener, client, true, GetParam()); cipher_test_options.setExpectedCiphersuite(common_cipher_suite); std::string stats = "ssl.ciphers." + common_cipher_suite; @@ -4169,7 +4169,7 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects with unsupported cipher suite, connection fails. client_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256"); server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); TestUtilOptionsV2 error_test_options(listener, client, false, GetParam()); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); @@ -4178,11 +4178,11 @@ TEST_P(SslSocketTest, CipherSuites) { // Client connects to a server offering only deprecated cipher suites, connection fails. server_params->add_cipher_suites("ECDHE-RSA-AES128-SHA"); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); error_test_options.setExpectedServerStats("ssl.connection_error"); testUtilV2(error_test_options); server_params->clear_cipher_suites(); - updateFilterChain(tls_context, filter_chain); + updateFilterChain(tls_context, *filter_chain); // Verify that ECDHE-RSA-CHACHA20-POLY1305 is not offered by default in FIPS builds. client_params->add_cipher_suites(common_cipher_suite); #ifdef BORINGSSL_FIPS 
@@ -4205,7 +4205,7 @@ TEST_P(SslSocketTest, EcdhCurves) {
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
 envoy::extensions::transport_sockets::tls::v3::TlsParameters* server_params =
 tls_context.mutable_common_tls_context()->mutable_tls_params();
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 envoy::extensions::transport_sockets::tls::v3::TlsParameters* client_params =
@@ -4225,7 +4225,7 @@ TEST_P(SslSocketTest, EcdhCurves) {
 server_params->add_ecdh_curves("X25519");
 server_params->add_ecdh_curves("P-256");
 server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256");
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 TestUtilOptionsV2 ecdh_curves_test_options(listener, client, true, GetParam());
 std::string stats = "ssl.curves.X25519";
 ecdh_curves_test_options.setExpectedServerStats(stats).setExpectedClientStats(stats);
@@ -4238,7 +4238,7 @@ TEST_P(SslSocketTest, EcdhCurves) {
 client_params->add_ecdh_curves("X25519");
 server_params->add_ecdh_curves("P-256");
 server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256");
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 TestUtilOptionsV2 error_test_options(listener, client, false, GetParam());
 error_test_options.setExpectedServerStats("ssl.connection_error");
 testUtilV2(error_test_options);
@@ -4250,7 +4250,7 @@ TEST_P(SslSocketTest, EcdhCurves) {
 // Verify that X25519 is not offered by default in FIPS builds.
 client_params->add_ecdh_curves("X25519");
 server_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256");
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 #ifdef BORINGSSL_FIPS
 testUtilV2(error_test_options);
 #else
@@ -4279,7 +4279,7 @@ TEST_P(SslSocketTest, SignatureAlgorithms) {
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir "
 "}}/test/extensions/transport_sockets/tls/test_data/selfsigned_ecdsa_p256_key.pem"));
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 // Client RSA certificate.
@@ -4573,7 +4573,7 @@ TEST_P(SslSocketTest, GetRequestedServerName) {
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 client.set_sni("lyft.com");
@@ -4592,7 +4592,7 @@ TEST_P(SslSocketTest, OverrideRequestedServerName) {
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 client.set_sni("lyft.com");
@@ -4615,7 +4615,7 @@ TEST_P(SslSocketTest, OverrideRequestedServerNameWithoutSniInUpstreamTlsContext)
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_cert.pem"));
 server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
 "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_dns_key.pem"));
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client;
 
@@ -4645,12 +4645,12 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) {
 envoy::extensions::transport_sockets::tls::v3::CommonTlsContext* server_ctx =
 tls_context.mutable_common_tls_context();
 server_ctx->add_alpn_protocols("test");
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 testUtilV2(test_options);
 server_ctx->clear_alpn_protocols();
 
 // Override client side ALPN, "test" ALPN is used.
 server_ctx->add_alpn_protocols("test");
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 auto transport_socket_options = std::make_shared(
 "", std::vector{}, std::vector{"foo", "test", "bar"});
@@ -4684,7 +4684,7 @@ TEST_P(SslSocketTest, OverrideApplicationProtocols) {
 // Note that the server prefers "test" over "bar", but since the client only configures "bar",
 // the resulting ALPN will be "bar" even though "test" is included in the fallback.
 server_ctx->add_alpn_protocols("bar");
- updateFilterChain(tls_context, filter_chain);
+ updateFilterChain(tls_context, *filter_chain);
 client.mutable_common_tls_context()->add_alpn_protocols("bar");
 testUtilV2(test_options.setExpectedALPNProtocol("bar").setTransportSocketOptions(
 transport_socket_options));