diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index f6fe87ae0cf90..a6d417c26f6ee 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -68,14 +68,18 @@ class SdsApi : public Init::Target, Cleanup clean_up_; }; -typedef std::shared_ptr SdsApiSharedPtr; +class TlsCertificateSdsApi; +class CertificateValidationContextSdsApi; +typedef std::shared_ptr TlsCertificateSdsApiSharedPtr; +typedef std::shared_ptr + CertificateValidationContextSdsApiSharedPtr; /** * TlsCertificateSdsApi implementation maintains and updates dynamic TLS certificate secrets. */ class TlsCertificateSdsApi : public SdsApi, public TlsCertificateConfigProvider { public: - static SdsApiSharedPtr + static TlsCertificateSdsApiSharedPtr create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context, const envoy::api::v2::core::ConfigSource& sds_config, const std::string& sds_config_name, std::function destructor_cb) { @@ -119,7 +123,7 @@ class TlsCertificateSdsApi : public SdsApi, public TlsCertificateConfigProvider class CertificateValidationContextSdsApi : public SdsApi, public CertificateValidationContextConfigProvider { public: - static SdsApiSharedPtr + static CertificateValidationContextSdsApiSharedPtr create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context, const envoy::api::v2::core::ConfigSource& sds_config, const std::string& sds_config_name, std::function destructor_cb) { diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index a8a95a75e20b6..aed0c374255c4 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc 
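Review bot: The two forward declarations added at the top of the first hunk (`class TlsCertificateSdsApi;`, `class CertificateValidationContextSdsApi;`) are needed only because the new typedefs sit ahead of the class definitions; placing `typedef std::shared_ptr<TlsCertificateSdsApi> TlsCertificateSdsApiSharedPtr;` directly after the TlsCertificateSdsApi class, and the validation-context alias after its class, would drop both forward declarations and keep each alias next to the type it names. The template arguments of the typedefs are not visible in this rendering, so the alias targets are inferred from the alias names. The `create` bodies whose return types change in both hunks continue outside the hunks.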
@@ -64,59 +64,19 @@ SecretManagerImpl::createInlineCertificateValidationContextProvider( certificate_validation_context); } -void SecretManagerImpl::removeDynamicSecretProvider(const std::string& map_key) { - ENVOY_LOG(debug, "Unregister secret provider. hash key: {}", map_key); - - auto num_deleted = dynamic_secret_providers_.erase(map_key); - ASSERT(num_deleted == 1, ""); -} - -SdsApiSharedPtr SecretManagerImpl::findOrCreate( - const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, - std::function unregister_secret_provider)> create_fn) { - const std::string map_key = sds_config_source.SerializeAsString() + config_name; - - SdsApiSharedPtr secret_provider = dynamic_secret_providers_[map_key].lock(); - if (!secret_provider) { - // SdsApi is owned by ListenerImpl and ClusterInfo which are destroyed before - // SecretManagerImpl. It is safe to invoke this callback at the destructor of SdsApi. - std::function unregister_secret_provider = [map_key, this]() { - removeDynamicSecretProvider(map_key); - }; - - secret_provider = create_fn(unregister_secret_provider); - dynamic_secret_providers_[map_key] = secret_provider; - } - return secret_provider; -} - TlsCertificateConfigProviderSharedPtr SecretManagerImpl::findOrCreateTlsCertificateProvider( const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, Server::Configuration::TransportSocketFactoryContext& secret_provider_context) { - auto create_fn = [&secret_provider_context, &sds_config_source, &config_name]( - std::function unregister_secret_provider) -> SdsApiSharedPtr { - ASSERT(secret_provider_context.initManager() != nullptr); - return TlsCertificateSdsApi::create(secret_provider_context, sds_config_source, config_name, - unregister_secret_provider); - }; - SdsApiSharedPtr secret_provider = findOrCreate(sds_config_source, config_name, create_fn); - - return std::dynamic_pointer_cast(secret_provider); + return 
certificate_providers_.findOrCreate(sds_config_source, config_name, + secret_provider_context); } CertificateValidationContextConfigProviderSharedPtr SecretManagerImpl::findOrCreateCertificateValidationContextProvider( const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, Server::Configuration::TransportSocketFactoryContext& secret_provider_context) { - auto create_fn = [&secret_provider_context, &sds_config_source, &config_name]( - std::function unregister_secret_provider) -> SdsApiSharedPtr { - ASSERT(secret_provider_context.initManager() != nullptr); - return CertificateValidationContextSdsApi::create(secret_provider_context, sds_config_source, - config_name, unregister_secret_provider); - }; - SdsApiSharedPtr secret_provider = findOrCreate(sds_config_source, config_name, create_fn); - - return std::dynamic_pointer_cast(secret_provider); + return validation_context_providers_.findOrCreate(sds_config_source, config_name, + secret_provider_context); } } // namespace Secret diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 85c89cf861d8b..7c00c7ea98a52 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -14,7 +14,7 @@ namespace Envoy { namespace Secret { -class SecretManagerImpl : public SecretManager, Logger::Loggable { +class SecretManagerImpl : public SecretManager { public: void addStaticSecret(const envoy::api::v2::auth::Secret& secret) override; 
@@ -42,12 +42,42 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable unregister_secret_provider)> create_fn); + template + class DynamicSecretProviders : public Logger::Loggable { + public: + // Finds or creates SdsApi object. + std::shared_ptr + findOrCreate(const envoy::api::v2::core::ConfigSource& sds_config_source, + const std::string& config_name, + Server::Configuration::TransportSocketFactoryContext& secret_provider_context) { + const std::string map_key = sds_config_source.SerializeAsString() + config_name; + + std::shared_ptr secret_provider = dynamic_secret_providers_[map_key].lock(); + if (!secret_provider) { + // SdsApi is owned by ListenerImpl and ClusterInfo which are destroyed before + // SecretManagerImpl. It is safe to invoke this callback at the destructor of SdsApi. + std::function unregister_secret_provider = [map_key, this]() { + removeDynamicSecretProvider(map_key); + }; + ASSERT(secret_provider_context.initManager() != nullptr); + secret_provider = SecretType::create(secret_provider_context, sds_config_source, + config_name, unregister_secret_provider); + dynamic_secret_providers_[map_key] = secret_provider; + } + return secret_provider; + } + + private: + // Removes dynamic secret provider which has been deleted. + void removeDynamicSecretProvider(const std::string& map_key) { + ENVOY_LOG(debug, "Unregister secret provider. hash key: {}", map_key); + + auto num_deleted = dynamic_secret_providers_.erase(map_key); + ASSERT(num_deleted == 1, ""); + } + + std::unordered_map> dynamic_secret_providers_; + }; // Manages pairs of secret name and TlsCertificateConfigProviderSharedPtr. std::unordered_map @@ -58,7 +88,8 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable> dynamic_secret_providers_; + DynamicSecretProviders certificate_providers_; + DynamicSecretProviders validation_context_providers_; }; } // namespace Secret
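Review bot: The map key built in DynamicSecretProviders::findOrCreate concatenates the serialized ConfigSource and config_name with no separator, so two distinct (source, name) pairs whose concatenations coincide would silently share one provider; a length-prefixed key such as `const std::string serialized = sds_config_source.SerializeAsString();` followed by `const std::string map_key = std::to_string(serialized.size()) + ':' + serialized + config_name;` rules that out. Whether such a collision is reachable with the protobuf wire encoding is hard to say from here, but this key is what keeps one SDS subscription's secret separate from another's, so it should not depend on that. Separately, `dynamic_secret_providers_[map_key].lock()` default-inserts an empty weak_ptr before SecretType::create runs; if create throws, that entry stays behind with nothing registered to erase it, so looking up with `find` and inserting only after a successful create would keep the map clean. The same key expression and lookup appear in the findOrCreate removed from secret_manager_impl.cc, so this is existing behaviour moved into the template rather than a regression introduced by the commit.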