envoyproxy · alyssawilk · Feb 1, 2018 · Jan 23, 2018 · Jan 23, 2018 · Jan 26, 2018
diff --git a/include/envoy/event/dispatcher.h b/include/envoy/event/dispatcher.h
@@ -42,16 +42,18 @@ class Dispatcher {
    * Create a server connection.
    * @param socket supplies an open file descriptor and connection metadata to use for the
    *        connection. Takes ownership of the socket.
-   * @param ssl_ctx supplies the SSL context to use, if not nullptr.
+   * @param transport_socket supplies a transport socket to be used by the connection.
    * @return Network::ConnectionPtr a server connection that is owned by the caller.
    */
-  virtual Network::ConnectionPtr createServerConnection(Network::ConnectionSocketPtr&& socket,
-                                                        Ssl::Context* ssl_ctx) PURE;
+  virtual Network::ConnectionPtr
+  createServerConnection(Network::ConnectionSocketPtr&& socket,
+                         Network::TransportSocketPtr&& transport_socket) PURE;
 
   /**
    * Create a client connection.
    * @param address supplies the address to connect to.
    * @param source_address supplies an address to bind to or nullptr if no bind is necessary.
+   * @param transport_socket supplies a transport socket to be used by the connection.
    * @param options the socket options to be set on the underlying socket before anything is sent
    *        on the socket.
    * @return Network::ClientConnectionPtr a client connection that is owned by the caller.

diff --git a/include/envoy/network/listener.h b/include/envoy/network/listener.h
@@ -7,6 +7,7 @@
 #include "envoy/common/exception.h"
 #include "envoy/network/connection.h"
 #include "envoy/network/listen_socket.h"
+#include "envoy/network/transport_socket.h"
 #include "envoy/ssl/context.h"
 
 namespace Envoy {
@@ -32,9 +33,9 @@ class ListenerConfig {
   virtual ListenSocket& socket() PURE;
 
   /**
-   * @return Ssl::ServerContext* the default SSL context.
+   * @return TransportSocketFactory& the transport socket factory.
    */
-  virtual Ssl::ServerContext* defaultSslContext() PURE;
+  virtual TransportSocketFactory& transportSocketFactory() PURE;
 
   /**
    * @return bool specifies whether the listener should actually listen on the port.

diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h
@@ -33,11 +33,31 @@ class TransportSocketConfigFactory {
 public:
   virtual ~TransportSocketConfigFactory() {}
 
+  /**
+   * @return ProtobufTypes::MessagePtr create empty config proto message. The transport socket
+   *         config, which arrives in an opaque google.protobuf.Struct message, will be converted
+   *         to JSON and then parsed into this empty proto.
+   */
+  virtual ProtobufTypes::MessagePtr createEmptyConfigProto() PURE;
+
+  /**
+   * @return std::string the identifying name for a particular TransportSocketFactoryPtr
+   *         implementation produced by the factory.
+   */
+  virtual std::string name() const PURE;
+};
+
+/**
+ * Implemented by each transport socket used for upstream connections. Registered via class
+ * RegisterFactory.
+ */
+class UpstreamTransportSocketConfigFactory : public virtual TransportSocketConfigFactory {
+public:
   /**
    * Create a particular transport socket factory implementation.
    * @param config const Protobuf::Message& supplies the config message for the transport socket
    *        implementation.
-   * @param context TransportSocketFactoryContext&  supplies the transport socket's context.
+   * @param context TransportSocketFactoryContext& supplies the transport socket's context.
    * @return Network::TransportSocketFactoryPtr the transport socket factory instance. The returned
    *         TransportSocketFactoryPtr should not be nullptr.
    *
@@ -47,23 +67,40 @@ class TransportSocketConfigFactory {
   virtual Network::TransportSocketFactoryPtr
   createTransportSocketFactory(const Protobuf::Message& config,
                                TransportSocketFactoryContext& context) PURE;
+};
 
+/**
+ * Implemented by each transport socket used for downstream connections. Registered via class
+ * RegisterFactory.
+ */
+class DownstreamTransportSocketConfigFactory : public virtual TransportSocketConfigFactory {
+public:
   /**
-   * @return ProtobufTypes::MessagePtr create empty config proto message. The transport socket
-   *         config, which arrives in an opaque google.protobuf.Struct message, will be converted
-   *         to JSON and then parsed into this empty proto.
-   */
-  virtual ProtobufTypes::MessagePtr createEmptyConfigProto() PURE;
-
-  /**
-   * @return std::string the identifying name for a particular TransportSocketFactoryPtr
-   *         implementation produced by the factory.
+   * Create a particular downstream transport socket factory implementation.
+   * TODO(lizan): Revisit the parameters for SNI below when TLS sniffing and filter chain match are
+   * implemented.
+   * @param listener_name const std::string& the name of the listener.
+   * @param server_names const std::vector<std::string>& the names of the server. This parameter is
+   *        currently used by SNI implementation to know the expected server names.
+   * @param skip_ssl_context_update bool indicates whether the ssl context update should be skipped.
+   *        This parameter is currently used by SNI implementation to know whether it should perform
+   *        certificate selection.
+   * @param config const Protobuf::Message& supplies the config message for the transport socket
+   *        implementation.
+   * @param context TransportSocketFactoryContext& supplies the transport socket's context.
+   * @return Network::TransportSocketFactoryPtr the transport socket factory instance. The returned
+   *         TransportSocketFactoryPtr should not be nullptr.
+   *
+   * @throw EnvoyException if the implementation is unable to produce a factory with the provided
+   *        parameters.
    */
-  virtual std::string name() const PURE;
+  virtual Network::TransportSocketFactoryPtr
+  createTransportSocketFactory(const std::string& listener_name,
+                               const std::vector<std::string>& server_names,
+                               bool skip_ssl_context_update, const Protobuf::Message& config,
+                               TransportSocketFactoryContext& context) PURE;
 };
 
-class UpstreamTransportSocketConfigFactory : public virtual TransportSocketConfigFactory {};
-
 } // namespace Configuration
 } // namespace Server
 } // namespace Envoy
diff --git a/source/common/event/dispatcher_impl.cc b/source/common/event/dispatcher_impl.cc
@@ -73,13 +73,12 @@ void DispatcherImpl::clearDeferredDeleteList() {
   deferred_deleting_ = false;
 }
 
-Network::ConnectionPtr DispatcherImpl::createServerConnection(Network::ConnectionSocketPtr&& socket,
-                                                              Ssl::Context* ssl_ctx) {
+Network::ConnectionPtr
+DispatcherImpl::createServerConnection(Network::ConnectionSocketPtr&& socket,
+                                       Network::TransportSocketPtr&& transport_socket) {
   ASSERT(isThreadSafe());
-  return Network::ConnectionPtr{ssl_ctx
-                                    ? new Ssl::ConnectionImpl(*this, std::move(socket), true,
-                                                              *ssl_ctx, Ssl::InitialState::Server)
-                                    : new Network::ConnectionImpl(*this, std::move(socket), true)};
+  return std::make_unique<Network::ConnectionImpl>(*this, std::move(socket),
+                                                   std::move(transport_socket), true);
 }
 
 Network::ClientConnectionPtr

diff --git a/source/common/event/dispatcher_impl.h b/source/common/event/dispatcher_impl.h
@@ -33,8 +33,9 @@ class DispatcherImpl : Logger::Loggable<Logger::Id::main>, public Dispatcher {
 
   // Event::Dispatcher
   void clearDeferredDeleteList() override;
-  Network::ConnectionPtr createServerConnection(Network::ConnectionSocketPtr&& socket,
-                                                Ssl::Context* ssl_ctx) override;
+  Network::ConnectionPtr
+  createServerConnection(Network::ConnectionSocketPtr&& socket,
+                         Network::TransportSocketPtr&& transport_socket) override;
   Network::ClientConnectionPtr
   createClientConnection(Network::Address::InstanceConstSharedPtr address,
                          Network::Address::InstanceConstSharedPtr source_address,

diff --git a/source/common/ssl/ssl_socket.cc b/source/common/ssl/ssl_socket.cc
@@ -350,5 +350,20 @@ Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() cons
 
 bool ClientSslSocketFactory::implementsSecureTransport() const { return true; }
 
+ServerSslSocketFactory::ServerSslSocketFactory(const ServerContextConfig& config,
+                                               const std::string& listener_name,
+                                               const std::vector<std::string>& server_names,
+                                               bool skip_context_update,
+                                               Ssl::ContextManager& manager,
+                                               Stats::Scope& stats_scope)
+    : ssl_ctx_(manager.createSslServerContext(listener_name, server_names, stats_scope, config,
+                                              skip_context_update)) {}
+
+Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() const {
+  return std::make_unique<Ssl::SslSocket>(*ssl_ctx_, Ssl::InitialState::Server);
+}
+
+bool ServerSslSocketFactory::implementsSecureTransport() const { return true; }
+
 } // namespace Ssl
 } // namespace Envoy
diff --git a/source/common/ssl/ssl_socket.h b/source/common/ssl/ssl_socket.h
@@ -63,7 +63,19 @@ class ClientSslSocketFactory : public Network::TransportSocketFactory {
   bool implementsSecureTransport() const override;
 
 private:
-  ClientContextPtr ssl_ctx_;
+  const ClientContextPtr ssl_ctx_;
+};
+
+class ServerSslSocketFactory : public Network::TransportSocketFactory {
+public:
+  ServerSslSocketFactory(const ServerContextConfig& config, const std::string& listener_name,
+                         const std::vector<std::string>& server_names, bool skip_context_update,
+                         Ssl::ContextManager& manager, Stats::Scope& stats_scope);
+  Network::TransportSocketPtr createTransportSocket() const override;
+  bool implementsSecureTransport() const override;
+
+private:
+  const ServerContextPtr ssl_ctx_;
 };
 
 } // namespace Ssl

diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc
@@ -118,6 +118,9 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config,
       lb_subset_(LoadBalancerSubsetInfoImpl(config.lb_subset_config())),
       metadata_(config.metadata()) {
 
+  // If the cluster doesn't have transport socke configured, override with default transport
+  // socket implementation based on tls_context. We copy by value first then override if
+  // neccessary.
   auto transport_socket = config.transport_socket();
   if (!config.has_transport_socket()) {
     if (config.has_tls_context()) {

diff --git a/source/server/BUILD b/source/server/BUILD
@@ -199,6 +199,7 @@ envoy_cc_library(
         ":init_manager_lib",
         "//include/envoy/server:filter_config_interface",
         "//include/envoy/server:listener_manager_interface",
+        "//include/envoy/server:transport_socket_config_interface",
         "//include/envoy/server:worker_interface",
         "//source/common/config:utility_lib",
         "//source/common/config:well_known_names",

diff --git a/source/server/config/network/raw_buffer_socket.cc b/source/server/config/network/raw_buffer_socket.cc
@@ -9,8 +9,14 @@ namespace Server {
 namespace Configuration {
 
 Network::TransportSocketFactoryPtr
-RawBufferSocketFactory::createTransportSocketFactory(const Protobuf::Message&,
-                                                     TransportSocketFactoryContext&) {
+UpstreamRawBufferSocketFactory::createTransportSocketFactory(const Protobuf::Message&,
+                                                             TransportSocketFactoryContext&) {
+  return std::make_unique<Network::RawBufferSocketFactory>();
+}
+
+Network::TransportSocketFactoryPtr DownstreamRawBufferSocketFactory::createTransportSocketFactory(
+    const std::string&, const std::vector<std::string>&, bool, const Protobuf::Message&,
+    TransportSocketFactoryContext&) {
   return std::make_unique<Network::RawBufferSocketFactory>();
 }
 
@@ -22,6 +28,10 @@ static Registry::RegisterFactory<UpstreamRawBufferSocketFactory,
                                  UpstreamTransportSocketConfigFactory>
     upstream_registered_;
 
+static Registry::RegisterFactory<DownstreamRawBufferSocketFactory,
+                                 DownstreamTransportSocketConfigFactory>
+    downstream_registered_;
+
 } // namespace Configuration
 } // namespace Server
 } // namespace Envoy
diff --git a/source/server/config/network/raw_buffer_socket.h b/source/server/config/network/raw_buffer_socket.h
@@ -16,14 +16,26 @@ class RawBufferSocketFactory : public virtual TransportSocketConfigFactory {
 public:
   virtual ~RawBufferSocketFactory() {}
   std::string name() const override { return Config::TransportSocketNames::get().RAW_BUFFER; }
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
+};
+
+class UpstreamRawBufferSocketFactory : public UpstreamTransportSocketConfigFactory,
+                                       public RawBufferSocketFactory {
+public:
   Network::TransportSocketFactoryPtr
   createTransportSocketFactory(const Protobuf::Message& config,
                                TransportSocketFactoryContext& context) override;
-  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
 };
 
-class UpstreamRawBufferSocketFactory : public UpstreamTransportSocketConfigFactory,
-                                       public RawBufferSocketFactory {};
+class DownstreamRawBufferSocketFactory : public DownstreamTransportSocketConfigFactory,
+                                         public RawBufferSocketFactory {
+public:
+  Network::TransportSocketFactoryPtr
+  createTransportSocketFactory(const std::string& listener_name,
+                               const std::vector<std::string>& server_names,
+                               bool skip_context_update, const Protobuf::Message& config,
+                               TransportSocketFactoryContext& context) override;
+};
 
 } // namespace Configuration
 } // namespace Server

diff --git a/source/server/config/network/ssl_socket.cc b/source/server/config/network/ssl_socket.cc
@@ -30,6 +30,25 @@ ProtobufTypes::MessagePtr UpstreamSslSocketFactory::createEmptyConfigProto() {
 static Registry::RegisterFactory<UpstreamSslSocketFactory, UpstreamTransportSocketConfigFactory>
     upstream_registered_;
 
+Network::TransportSocketFactoryPtr DownstreamSslSocketFactory::createTransportSocketFactory(
+    const std::string& listener_name, const std::vector<std::string>& server_names,
+    bool skip_context_update, const Protobuf::Message& message,
+    TransportSocketFactoryContext& context) {
+  return std::make_unique<Ssl::ServerSslSocketFactory>(
+      Ssl::ServerContextConfigImpl(
+          MessageUtil::downcastAndValidate<const envoy::api::v2::auth::DownstreamTlsContext&>(
+              message)),
+      listener_name, server_names, skip_context_update, context.sslContextManager(),
+      context.statsScope());
+}
+
+ProtobufTypes::MessagePtr DownstreamSslSocketFactory::createEmptyConfigProto() {
+  return std::make_unique<envoy::api::v2::auth::DownstreamTlsContext>();
+}
+
+static Registry::RegisterFactory<DownstreamSslSocketFactory, DownstreamTransportSocketConfigFactory>
+    downstream_registered_;
+
 } // namespace Configuration
 } // namespace Server
 } // namespace Envoy
diff --git a/source/server/config/network/ssl_socket.h b/source/server/config/network/ssl_socket.h
@@ -27,6 +27,17 @@ class UpstreamSslSocketFactory : public UpstreamTransportSocketConfigFactory,
   ProtobufTypes::MessagePtr createEmptyConfigProto() override;
 };
 
+class DownstreamSslSocketFactory : public DownstreamTransportSocketConfigFactory,
+                                   public SslSocketConfigFactory {
+public:
+  Network::TransportSocketFactoryPtr
+  createTransportSocketFactory(const std::string& listener_name,
+                               const std::vector<std::string>& server_names,
+                               bool skip_context_update, const Protobuf::Message& config,
+                               TransportSocketFactoryContext& context) override;
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
+};
+
 } // namespace Configuration
 } // namespace Server
 } // namespace Envoy
diff --git a/source/server/connection_handler_impl.cc b/source/server/connection_handler_impl.cc
@@ -184,8 +184,8 @@ void ConnectionHandlerImpl::ActiveListener::onAccept(
 }
 
 void ConnectionHandlerImpl::ActiveListener::newConnection(Network::ConnectionSocketPtr&& socket) {
-  Network::ConnectionPtr new_connection =
-      parent_.dispatcher_.createServerConnection(std::move(socket), config_.defaultSslContext());
+  Network::ConnectionPtr new_connection = parent_.dispatcher_.createServerConnection(
+      std::move(socket), config_.transportSocketFactory().createTransportSocket());
   new_connection->setBufferLimits(config_.perConnectionBufferLimitBytes());
   onNewConnection(std::move(new_connection));
 }

diff --git a/source/server/http/BUILD b/source/server/http/BUILD
@@ -44,6 +44,7 @@ envoy_cc_library(
         "//source/common/http:utility_lib",
         "//source/common/http/http1:codec_lib",
         "//source/common/network:listen_socket_lib",
+        "//source/common/network:raw_buffer_socket_lib",
         "//source/common/profiler:profiler_lib",
         "//source/common/router:config_lib",
         "//source/common/upstream:host_utility_lib",

diff --git a/source/server/http/admin.h b/source/server/http/admin.h
@@ -21,6 +21,7 @@
 #include "common/http/conn_manager_impl.h"
 #include "common/http/date_provider_impl.h"
 #include "common/http/utility.h"
+#include "common/network/raw_buffer_socket.h"
 
 #include "server/config/network/http_connection_manager.h"
 
@@ -174,7 +175,9 @@ class AdminImpl : public Admin,
     // Network::ListenerConfig
     Network::FilterChainFactory& filterChainFactory() override { return parent_; }
     Network::ListenSocket& socket() override { return parent_.mutable_socket(); }
-    Ssl::ServerContext* defaultSslContext() override { return nullptr; }
+    Network::TransportSocketFactory& transportSocketFactory() override {
+      return parent_.transport_socket_factory_;
+    }
     bool bindToPort() override { return true; }
     bool handOffRestoredDestinationConnections() const override { return false; }
     uint32_t perConnectionBufferLimitBytes() override { return 0; }
@@ -192,6 +195,7 @@ class AdminImpl : public Admin,
   std::list<AccessLog::InstanceSharedPtr> access_logs_;
   const std::string profile_path_;
   Network::ListenSocketPtr socket_;
+  Network::RawBufferSocketFactory transport_socket_factory_;
   Http::ConnectionManagerStats stats_;
   Http::ConnectionManagerTracingStats tracing_stats_;
   NullRouteConfigProvider route_config_provider_;