tls: make server options available to the handshaker factory

envoy/ssl/BUILD

@@ -85,5 +85,6 @@ envoy_cc_library(
         "//envoy/network:connection_interface",
         "//envoy/network:post_io_action_interface",
         "//envoy/protobuf:message_validator_interface",
+        "//envoy/server:options_interface",
     ],
 )

envoy/ssl/handshaker.h

@@ -5,6 +5,7 @@
 #include "envoy/network/connection.h"
 #include "envoy/network/post_io_action.h"
 #include "envoy/protobuf/message_validator.h"
+#include "envoy/server/options.h"
 
 #include "openssl/ssl.h"
 
@@ -63,6 +64,11 @@ class HandshakerFactoryContext {
 public:
   virtual ~HandshakerFactoryContext() = default;
 
+  /**
+   * @return reference to the server options
+   */
+  virtual const Server::Options& options() const PURE;
+
   /**
    * @return reference to the Api object
    */

source/extensions/transport_sockets/tls/context_config_impl.cc

@@ -169,7 +169,7 @@ ContextConfigImpl::ContextConfigImpl(
     const unsigned default_min_protocol_version, const unsigned default_max_protocol_version,
     const std::string& default_cipher_suites, const std::string& default_curves,
     Server::Configuration::TransportSocketFactoryContext& factory_context)
-    : api_(factory_context.api()),
+    : api_(factory_context.api()), options_(factory_context.options()),
       alpn_protocols_(RepeatedPtrUtil::join(config.alpn_protocols(), ",")),
       cipher_suites_(StringUtil::nonEmptyStringOrDefault(
           RepeatedPtrUtil::join(config.tls_params().cipher_suites(), ":"), default_cipher_suites)),
@@ -218,7 +218,7 @@ ContextConfigImpl::ContextConfigImpl(
     }
   }
 
-  HandshakerFactoryContextImpl handshaker_factory_context(api_, alpn_protocols_);
+  HandshakerFactoryContextImpl handshaker_factory_context(api_, options_, alpn_protocols_);
   Ssl::HandshakerFactory* handshaker_factory;
   if (config.has_custom_handshaker()) {
     // If a custom handshaker is configured, derive the factory from the config.

source/extensions/transport_sockets/tls/context_config_impl.h

@@ -68,6 +68,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig {
                     const std::string& default_cipher_suites, const std::string& default_curves,
                     Server::Configuration::TransportSocketFactoryContext& factory_context);
   Api::Api& api_;
+  const Server::Options& options_;
 
 private:
   static unsigned tlsVersionFromProto(

source/extensions/transport_sockets/tls/ssl_handshaker.h

@@ -6,6 +6,7 @@
 #include "envoy/network/connection.h"
 #include "envoy/network/transport_socket.h"
 #include "envoy/secret/secret_callbacks.h"
+#include "envoy/server/options.h"
 #include "envoy/ssl/handshaker.h"
 #include "envoy/ssl/private_key/private_key_callbacks.h"
 #include "envoy/ssl/ssl_socket_extended_info.h"
@@ -100,15 +101,18 @@ using SslHandshakerImplSharedPtr = std::shared_ptr<SslHandshakerImpl>;
 
 class HandshakerFactoryContextImpl : public Ssl::HandshakerFactoryContext {
 public:
-  HandshakerFactoryContextImpl(Api::Api& api, absl::string_view alpn_protocols)
-      : api_(api), alpn_protocols_(alpn_protocols) {}
+  HandshakerFactoryContextImpl(Api::Api& api, const Server::Options& options,
+                               absl::string_view alpn_protocols)
+      : api_(api), options_(options), alpn_protocols_(alpn_protocols) {}
 
   // HandshakerFactoryContext
   Api::Api& api() override { return api_; }
+  const Server::Options& options() const override { return options_; }
   absl::string_view alpnProtocols() const override { return alpn_protocols_; }
 
 private:
   Api::Api& api_;
+  const Server::Options& options_;
   const std::string alpn_protocols_;
 };
 

test/extensions/transport_sockets/tls/handshaker_factory_test.cc

@@ -26,6 +26,11 @@ namespace TransportSockets {
 namespace Tls {
 namespace {
 
+using ::testing::MockFunction;
+using ::testing::Ref;
+using ::testing::Return;
+using ::testing::WithArg;
+
 // Test-only custom process object which accepts an `SslCtxCb` for in-test SSL_CTX
 // manipulation.
 class CustomProcessObjectForTest : public ProcessObject {
@@ -48,14 +53,38 @@ class CustomProcessObjectForTest : public ProcessObject {
 // case, using a process context to modify the SSL_CTX.
 class HandshakerFactoryImplForTest
     : public Extensions::TransportSockets::Tls::HandshakerFactoryImpl {
-  std::string name() const override { return "envoy.testonly_handshaker"; }
+public:
+  using CreateHandshakerHook =
+      std::function<void(const Protobuf::Message&, Ssl::HandshakerFactoryContext&,
+                         ProtobufMessage::ValidationVisitor&)>;
+
+  static constexpr char kFactoryName[] = "envoy.testonly_handshaker";
+
+  std::string name() const override { return kFactoryName; }
+
+  Ssl::HandshakerFactoryCb
+  createHandshakerCb(const Protobuf::Message& message, Ssl::HandshakerFactoryContext& context,
+                     ProtobufMessage::ValidationVisitor& validation_visitor) override {
+    if (handshaker_cb_) {
+      handshaker_cb_(message, context, validation_visitor);
+    }
+
+    // The default HandshakerImpl doesn't take a config or use the HandshakerFactoryContext.
+    return [](bssl::UniquePtr<SSL> ssl, int ssl_extended_socket_info_index,
+              Ssl::HandshakeCallbacks* handshake_callbacks) {
+      return std::make_shared<SslHandshakerImpl>(std::move(ssl), ssl_extended_socket_info_index,
+                                                 handshake_callbacks);
+    };
+  }
 
   Ssl::SslCtxCb sslctxCb(Ssl::HandshakerFactoryContext& handshaker_factory_context) const override {
     // Get process object, cast to custom process object, and return custom
     // callback.
     return CustomProcessObjectForTest::get(handshaker_factory_context.api().processContext())
         ->getSslCtxCb();
   }
+
+  CreateHandshakerHook handshaker_cb_;
 };
 
 class HandshakerFactoryTest : public testing::Test {
@@ -65,9 +94,9 @@ class HandshakerFactoryTest : public testing::Test {
             std::make_unique<Extensions::TransportSockets::Tls::ContextManagerImpl>(time_system_)),
         registered_factory_(handshaker_factory_) {
     // UpstreamTlsContext proto expects to use the newly-registered handshaker.
-    envoy::config::core::v3::TypedExtensionConfig* custom_handshaker_ =
+    envoy::config::core::v3::TypedExtensionConfig* custom_handshaker =
         tls_context_.mutable_common_tls_context()->mutable_custom_handshaker();
-    custom_handshaker_->set_name("envoy.testonly_handshaker");
+    custom_handshaker->set_name(HandshakerFactoryImplForTest::kFactoryName);
   }
 
   // Helper for downcasting a socket to a test socket so we can examine its
@@ -87,7 +116,7 @@ class HandshakerFactoryTest : public testing::Test {
 };
 
 TEST_F(HandshakerFactoryTest, SetMockFunctionCb) {
-  testing::MockFunction<void(SSL_CTX*)> cb;
+  MockFunction<void(SSL_CTX*)> cb;
   EXPECT_CALL(cb, Call);
 
   CustomProcessObjectForTest custom_process_object_for_test(cb.AsStdFunction());
@@ -96,8 +125,7 @@ TEST_F(HandshakerFactoryTest, SetMockFunctionCb) {
 
   NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
   EXPECT_CALL(mock_factory_ctx.api_, processContext())
-      .WillRepeatedly(
-          testing::Return(std::reference_wrapper<Envoy::ProcessContext>(*process_context_impl)));
+      .WillRepeatedly(Return(std::reference_wrapper<Envoy::ProcessContext>(*process_context_impl)));
 
   Extensions::TransportSockets::Tls::ClientSslSocketFactory socket_factory(
       /*config=*/
@@ -122,8 +150,7 @@ TEST_F(HandshakerFactoryTest, SetSpecificSslCtxOption) {
 
   NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
   EXPECT_CALL(mock_factory_ctx.api_, processContext())
-      .WillRepeatedly(
-          testing::Return(std::reference_wrapper<Envoy::ProcessContext>(*process_context_impl)));
+      .WillRepeatedly(Return(std::reference_wrapper<Envoy::ProcessContext>(*process_context_impl)));
 
   Extensions::TransportSockets::Tls::ClientSslSocketFactory socket_factory(
       /*config=*/
@@ -140,6 +167,36 @@ TEST_F(HandshakerFactoryTest, SetSpecificSslCtxOption) {
   EXPECT_TRUE(SSL_CTX_get_options(ssl_ctx) & SSL_OP_NO_TLSv1);
 }
 
+TEST_F(HandshakerFactoryTest, HandshakerContextProvidesObjectsFromParentContext) {
+  CustomProcessObjectForTest custom_process_object_for_test(
+      /*cb=*/[](SSL_CTX* ssl_ctx) { SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); });
+  auto process_context_impl = std::make_unique<Envoy::ProcessContextImpl>(
+      static_cast<Envoy::ProcessObject&>(custom_process_object_for_test));
+
+  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
+  EXPECT_CALL(mock_factory_ctx.api_, processContext())
+      .WillRepeatedly(Return(std::reference_wrapper<Envoy::ProcessContext>(*process_context_impl)));
+
+  MockFunction<HandshakerFactoryImplForTest::CreateHandshakerHook> mock_factory_cb;
+  handshaker_factory_.handshaker_cb_ = mock_factory_cb.AsStdFunction();
+
+  EXPECT_CALL(mock_factory_cb, Call)
+      .WillOnce(WithArg<1>([&](Ssl::HandshakerFactoryContext& context) {
+        // Check that the objects available via the context are the same ones
+        // provided to the parent context.
+        EXPECT_THAT(context.api(), Ref(mock_factory_ctx.api_));
+        EXPECT_THAT(context.options(), Ref(mock_factory_ctx.options_));
+      }));
+
+  Extensions::TransportSockets::Tls::ClientSslSocketFactory socket_factory(
+      /*config=*/
+      std::make_unique<Extensions::TransportSockets::Tls::ClientContextConfigImpl>(
+          tls_context_, "", mock_factory_ctx),
+      *context_manager_, stats_store_);
+
+  std::unique_ptr<Network::TransportSocket> socket = socket_factory.createTransportSocket(nullptr);
+}
+
 } // namespace
 } // namespace Tls
 } // namespace TransportSockets

test/mocks/server/BUILD

@@ -244,6 +244,7 @@ envoy_cc_mock(
         "//source/common/secret:secret_manager_impl_lib",
         "//test/mocks/api:api_mocks",
         "//test/mocks/server:config_tracker_mocks",
+        "//test/mocks/server:options_mocks",
         "//test/mocks/ssl:ssl_mocks",
         "//test/mocks/upstream:cluster_manager_mocks",
     ],

test/mocks/server/transport_socket_factory_context.cc

@@ -19,6 +19,7 @@ MockTransportSocketFactoryContext::MockTransportSocketFactoryContext()
       .WillByDefault(ReturnRef(ProtobufMessage::getStrictValidationVisitor()));
   ON_CALL(*this, sslContextManager()).WillByDefault(ReturnRef(context_manager_));
   ON_CALL(*this, scope()).WillByDefault(ReturnRef(store_));
+  ON_CALL(*this, options()).WillByDefault(ReturnRef(options_));
 }
 
 MockTransportSocketFactoryContext::~MockTransportSocketFactoryContext() = default;

test/mocks/server/transport_socket_factory_context.h

@@ -5,6 +5,7 @@
 #include "source/common/secret/secret_manager_impl.h"
 
 #include "test/mocks/api/mocks.h"
+#include "test/mocks/server/options.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/stats/mocks.h"
 #include "test/mocks/upstream/cluster_manager.h"
@@ -42,6 +43,7 @@ class MockTransportSocketFactoryContext : public TransportSocketFactoryContext {
   testing::NiceMock<MockConfigTracker> config_tracker_;
   testing::NiceMock<Ssl::MockContextManager> context_manager_;
   testing::NiceMock<Stats::MockStore> store_;
+  testing::NiceMock<Server::MockOptions> options_;
   std::unique_ptr<Secret::SecretManager> secret_manager_;
 };
 } // namespace Configuration