envoyproxy · mangchiandjjoe · May 12, 2018 · May 12, 2018 · May 14, 2018 · May 14, 2018
diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD
@@ -0,0 +1,24 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "secret_interface",
+    hdrs = ["secret.h"],
+)
+
+envoy_cc_library(
+    name = "secret_manager_interface",
+    hdrs = ["secret_manager.h"],
+    deps = [
+        ":secret_interface",
+        "//source/common/json:json_loader_lib",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
+)
diff --git a/include/envoy/secret/secret.h b/include/envoy/secret/secret.h
@@ -0,0 +1,39 @@
+#pragma once
+
+#include <stdexcept>
+#include <string>
+#include <unordered_map>
+#include <vector>
+
+#include "envoy/common/exception.h"
+#include "envoy/ssl/context.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * Secret contains certificate chain and private key
+ */
+class Secret {
+public:
+  virtual ~Secret() {}
+
+  /**
+   * @return a name of the SDS secret
+   */
+  virtual const std::string& name() const PURE;
+
+  /**
+   * @return a string of certificate chain
+   */
+  virtual const std::string& certificateChain() const PURE;
+  /**
+   * @return a string of private key
+   */
+  virtual const std::string& privateKey() const PURE;
+};
+
+typedef std::shared_ptr<Secret> SecretSharedPtr;
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h
@@ -0,0 +1,38 @@
+#pragma once
+
+#include <google/protobuf/util/json_util.h>
+
+#include <iomanip>
+#include <sstream>
+#include <string>
+
+#include "envoy/secret/secret.h"
+
+#include "common/json/json_loader.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * A manager for all static secrets
+ */
+class SecretManager {
+public:
+  virtual ~SecretManager() {}
+
+  /**
+   * Add or update static secret
+   *
+   * @param secret Updated Secret
+   * @return true when successful, otherwise returns false
+   */
+  virtual bool addOrUpdateStaticSecret(const SecretSharedPtr secret) PURE;
+
+  /**
+   * @return the static secret for the given name
+   */
+  virtual const SecretSharedPtr staticSecret(const std::string& name) const PURE;
+};
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD
@@ -96,6 +96,7 @@ envoy_cc_library(
         "//include/envoy/local_info:local_info_interface",
         "//include/envoy/ratelimit:ratelimit_interface",
         "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_manager_interface",
         "//include/envoy/thread_local:thread_local_interface",
         "//include/envoy/tracing:http_tracer_interface",
@@ -172,6 +173,7 @@ envoy_cc_library(
     hdrs = ["transport_socket_config.h"],
     deps = [
         "//include/envoy/network:transport_socket_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_manager_interface",
         "//source/common/protobuf",
     ],

diff --git a/include/envoy/server/instance.h b/include/envoy/server/instance.h
@@ -11,6 +11,7 @@
 #include "envoy/network/listen_socket.h"
 #include "envoy/ratelimit/ratelimit.h"
 #include "envoy/runtime/runtime.h"
+#include "envoy/secret/secret_manager.h"
 #include "envoy/server/admin.h"
 #include "envoy/server/drain_manager.h"
 #include "envoy/server/hot_restart.h"
@@ -113,6 +114,11 @@ class Instance {
    */
   virtual ListenerManager& listenerManager() PURE;
 
+  /**
+   * @return the server's secret manager
+   */
+  virtual Secret::SecretManager& secretManager() PURE;
+
   /**
    * @return the server's CLI options.
    */

diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h
@@ -3,6 +3,7 @@
 #include <string>
 
 #include "envoy/network/transport_socket.h"
+#include "envoy/secret/secret_manager.h"
 #include "envoy/ssl/context_manager.h"
 
 #include "common/protobuf/protobuf.h"

diff --git a/include/envoy/ssl/BUILD b/include/envoy/ssl/BUILD
@@ -29,6 +29,7 @@ envoy_cc_library(
     deps = [
         ":context_config_interface",
         ":context_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/stats:stats_interface",
     ],
 )
diff --git a/include/envoy/ssl/context_manager.h b/include/envoy/ssl/context_manager.h
@@ -2,6 +2,7 @@
 
 #include <functional>
 
+#include "envoy/secret/secret_manager.h"
 #include "envoy/ssl/context.h"
 #include "envoy/ssl/context_config.h"
 #include "envoy/stats/stats.h"
@@ -38,6 +39,11 @@ class ContextManager {
    * Iterate through all currently allocated contexts.
    */
   virtual void iterateContexts(std::function<void(const Context&)> callback) PURE;
+
+  /**
+   * Return the secret manager
+   */
+  virtual Secret::SecretManager& secretManager() PURE;
 };
 
 } // namespace Ssl

diff --git a/source/common/config/bootstrap_json.cc b/source/common/config/bootstrap_json.cc
@@ -5,6 +5,7 @@
 #include "common/config/cds_json.h"
 #include "common/config/json_utility.h"
 #include "common/config/lds_json.h"
+#include "common/config/tls_context_json.h"
 #include "common/config/utility.h"
 #include "common/json/config_schemas.h"
 #include "common/protobuf/utility.h"
@@ -130,5 +131,20 @@ void BootstrapJson::translateBootstrap(const Json::Object& json_config,
   }
 }
 
+void BootstrapJson::translateStaticSecretsBootstrap(
+    const Json::Object& json_secrets, envoy::config::bootstrap::v2::Bootstrap& bootstrap) {
+
+  for (const Json::ObjectSharedPtr& secret : json_secrets.getObjectArray("secrets")) {
+    auto secret_object = bootstrap.mutable_static_resources()->mutable_secrets()->Add();
+    secret_object->set_name(secret->getString("name"));
+
+    if (secret->hasObject("tls_certificate")) {
+      TlsContextJson::translateTlsCertificate(*secret->getObject("tls_certificate"),
+                                              *secret_object->mutable_tls_certificate());
+    } else if (secret->hasObject("session_ticket_keys")) {
+    }
+  }
+}
+
 } // namespace Config
 } // namespace Envoy
diff --git a/source/common/config/bootstrap_json.h b/source/common/config/bootstrap_json.h
@@ -23,6 +23,14 @@ class BootstrapJson {
    */
   static void translateBootstrap(const Json::Object& json_config,
                                  envoy::config::bootstrap::v2::Bootstrap& bootstrap);
+
+  /**
+   * Translate static secrets to v2 envoy::config::bootstrap::v2::Bootstrap.
+   * @param json_config source static secrets.
+   * @param bootstrap destination v2 envoy::config::bootstrap::v2::Bootstrap.
+   */
+  static void translateStaticSecretsBootstrap(const Json::Object& json_secrets,
+                                              envoy::config::bootstrap::v2::Bootstrap& bootstrap);
 };
 
 } // namespace Config

diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD
@@ -0,0 +1,31 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "secret_impl_lib",
+    srcs = ["secret_impl.cc"],
+    hdrs = ["secret_impl.h"],
+    deps = [
+        "//include/envoy/secret:secret_interface",
+        "//source/common/config:datasource_lib",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
+)
+
+envoy_cc_library(
+    name = "secret_manager_impl_lib",
+    srcs = ["secret_manager_impl.cc"],
+    hdrs = ["secret_manager_impl.h"],
+    deps = [
+        ":secret_impl_lib",
+        "//include/envoy/secret:secret_manager_interface",
+        "//include/envoy/server:instance_interface",
+    ],
+)
diff --git a/source/common/secret/secret_impl.cc b/source/common/secret/secret_impl.cc
@@ -0,0 +1,17 @@
+#include "common/secret/secret_impl.h"
+
+#include <string>
+
+#include "common/common/assert.h"
+#include "common/config/datasource.h"
+
+namespace Envoy {
+namespace Secret {
+
+SecretImpl::SecretImpl(const envoy::api::v2::auth::Secret& config)
+    : name_(config.name()), certificate_chain_(Config::DataSource::read(
+                                config.tls_certificate().certificate_chain(), true)),
+      private_key_(Config::DataSource::read(config.tls_certificate().private_key(), true)) {}
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/source/common/secret/secret_impl.h b/source/common/secret/secret_impl.h
@@ -0,0 +1,28 @@
+#pragma once
+
+#include "envoy/api/v2/auth/cert.pb.h"
+#include "envoy/secret/secret.h"
+
+namespace Envoy {
+namespace Secret {
+
+typedef std::unordered_map<std::string, SecretSharedPtr> SecretSharedPtrMap;
+
+class SecretImpl : public Secret {
+public:
+  SecretImpl(const envoy::api::v2::auth::Secret& config);
+
+  const std::string& name() const override { return name_; }
+
+  const std::string& certificateChain() const override { return certificate_chain_; }
+
+  const std::string& privateKey() const override { return private_key_; }
+
+private:
+  std::string name_;
+  std::string certificate_chain_;
+  std::string private_key_;
+};
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc
@@ -0,0 +1,20 @@
+#include "common/secret/secret_manager_impl.h"
+
+#include "common/common/logger.h"
+#include "common/secret/secret_impl.h"
+
+namespace Envoy {
+namespace Secret {
+
+bool SecretManagerImpl::addOrUpdateStaticSecret(const SecretSharedPtr secret) {
+  static_secrets_[secret->name()] = secret;
+  return true;
+}
+
+const SecretSharedPtr SecretManagerImpl::staticSecret(const std::string& name) const {
+  auto static_secret = static_secrets_.find(name);
+  return (static_secret != static_secrets_.end()) ? static_secret->second : nullptr;
+}
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#include <unordered_map>
+
+#include "envoy/secret/secret.h"
+#include "envoy/secret/secret_manager.h"
+#include "envoy/server/instance.h"
+
+#include "common/common/logger.h"
+#include "common/secret/secret_impl.h"
+
+namespace Envoy {
+namespace Secret {
+
+class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::upstream> {
+public:
+  SecretManagerImpl(){};
+
+  virtual ~SecretManagerImpl() {}
+
+  bool addOrUpdateStaticSecret(const SecretSharedPtr secret) override;
+  const SecretSharedPtr staticSecret(const std::string& name) const override;
+
+private:
+  SecretSharedPtrMap static_secrets_;
+};
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/source/common/ssl/BUILD b/source/common/ssl/BUILD
@@ -33,6 +33,7 @@ envoy_cc_library(
         "ssl",
     ],
     deps = [
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_config_interface",
         "//source/common/common:assert_lib",
         "//source/common/config:datasource_lib",