ssl: expose upstream TLS client context config

include/envoy/network/BUILD

@@ -90,6 +90,7 @@ envoy_cc_library(
         ":io_handle_interface",
         "//include/envoy/buffer:buffer_interface",
         "//include/envoy/ssl:connection_interface",
+        "//include/envoy/ssl:context_config_interface",
     ],
 )
 

include/envoy/network/transport_socket.h

@@ -3,6 +3,7 @@
 #include "envoy/buffer/buffer.h"
 #include "envoy/common/pure.h"
 #include "envoy/network/io_handle.h"
+#include "envoy/ssl/certificate_validation_context_config.h"
 #include "envoy/ssl/connection.h"
 
 #include "absl/types/optional.h"
@@ -181,6 +182,11 @@ class TransportSocketFactory {
    */
   virtual bool implementsSecureTransport() const PURE;
 
+  /**
+   * @return CertificateValidationContextConfig the certificate validation context config.
+   */
+  virtual const Ssl::CertificateValidationContextConfig* certificateValidationContext() const PURE;
+
   /**
    * @param options for creating the transport socket
    * @return Network::TransportSocketPtr a transport socket to be passed to connection.

source/common/network/raw_buffer_socket.cc

@@ -88,5 +88,9 @@ RawBufferSocketFactory::createTransportSocket(TransportSocketOptionsSharedPtr) c
 }
 
 bool RawBufferSocketFactory::implementsSecureTransport() const { return false; }
+const Envoy::Ssl::CertificateValidationContextConfig*
+RawBufferSocketFactory::certificateValidationContext() const {
+  return nullptr;
+}
 } // namespace Network
 } // namespace Envoy

source/common/network/raw_buffer_socket.h

@@ -31,6 +31,8 @@ class RawBufferSocketFactory : public TransportSocketFactory {
   // Network::TransportSocketFactory
   TransportSocketPtr createTransportSocket(TransportSocketOptionsSharedPtr options) const override;
   bool implementsSecureTransport() const override;
+  const Envoy::Ssl::CertificateValidationContextConfig*
+  certificateValidationContext() const override;
 };
 
 } // namespace Network

source/extensions/transport_sockets/alts/tsi_socket.cc

@@ -248,6 +248,10 @@ TsiSocketFactory::TsiSocketFactory(HandshakerFactory handshaker_factory,
       handshake_validator_(std::move(handshake_validator)) {}
 
 bool TsiSocketFactory::implementsSecureTransport() const { return true; }
+const Envoy::Ssl::CertificateValidationContextConfig*
+TsiSocketFactory::certificateValidationContext() const {
+  return nullptr;
+}
 
 Network::TransportSocketPtr
 TsiSocketFactory::createTransportSocket(Network::TransportSocketOptionsSharedPtr) const {

source/extensions/transport_sockets/alts/tsi_socket.h

@@ -98,6 +98,8 @@ class TsiSocketFactory : public Network::TransportSocketFactory {
   TsiSocketFactory(HandshakerFactory handshaker_factory, HandshakeValidator handshake_validator);
 
   bool implementsSecureTransport() const override;
+  const Envoy::Ssl::CertificateValidationContextConfig*
+  certificateValidationContext() const override;
   Network::TransportSocketPtr
   createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
 

source/extensions/transport_sockets/tap/tap.cc

@@ -71,6 +71,11 @@ bool TapSocketFactory::implementsSecureTransport() const {
   return transport_socket_factory_->implementsSecureTransport();
 }
 
+const Envoy::Ssl::CertificateValidationContextConfig*
+TapSocketFactory::certificateValidationContext() const {
+  return transport_socket_factory_->certificateValidationContext();
+}
+
 } // namespace Tap
 } // namespace TransportSockets
 } // namespace Extensions

source/extensions/transport_sockets/tap/tap.h

@@ -46,6 +46,8 @@ class TapSocketFactory : public Network::TransportSocketFactory,
   Network::TransportSocketPtr
   createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
   bool implementsSecureTransport() const override;
+  const Envoy::Ssl::CertificateValidationContextConfig*
+  certificateValidationContext() const override;
 
 private:
   Network::TransportSocketFactoryPtr transport_socket_factory_;

source/extensions/transport_sockets/tls/ssl_socket.cc

@@ -415,6 +415,11 @@ Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket(
 
 bool ClientSslSocketFactory::implementsSecureTransport() const { return true; }
 
+const Envoy::Ssl::CertificateValidationContextConfig*
+ClientSslSocketFactory::certificateValidationContext() const {
+  return config_->certificateValidationContext();
+}
+
 void ClientSslSocketFactory::onAddOrUpdateSecret() {
   ENVOY_LOG(debug, "Secret is updated.");
   {
@@ -455,6 +460,11 @@ ServerSslSocketFactory::createTransportSocket(Network::TransportSocketOptionsSha
 
 bool ServerSslSocketFactory::implementsSecureTransport() const { return true; }
 
+const Envoy::Ssl::CertificateValidationContextConfig*
+ServerSslSocketFactory::certificateValidationContext() const {
+  return config_->certificateValidationContext();
+}
+
 void ServerSslSocketFactory::onAddOrUpdateSecret() {
   ENVOY_LOG(debug, "Secret is updated.");
   {

source/extensions/transport_sockets/tls/ssl_socket.h

@@ -97,6 +97,8 @@ class ClientSslSocketFactory : public Network::TransportSocketFactory,
   Network::TransportSocketPtr
   createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
   bool implementsSecureTransport() const override;
+  const Envoy::Ssl::CertificateValidationContextConfig*
+  certificateValidationContext() const override;
 
   // Secret::SecretCallbacks
   void onAddOrUpdateSecret() override;
@@ -121,6 +123,8 @@ class ServerSslSocketFactory : public Network::TransportSocketFactory,
   Network::TransportSocketPtr
   createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
   bool implementsSecureTransport() const override;
+  const Envoy::Ssl::CertificateValidationContextConfig*
+  certificateValidationContext() const override;
 
   // Secret::SecretCallbacks
   void onAddOrUpdateSecret() override;

test/mocks/network/mocks.h

@@ -382,6 +382,7 @@ class MockTransportSocketFactory : public TransportSocketFactory {
   ~MockTransportSocketFactory();
 
   MOCK_CONST_METHOD0(implementsSecureTransport, bool());
+  MOCK_CONST_METHOD0(certificateValidationContext, Ssl::CertificateValidationContextConfig*());
   MOCK_CONST_METHOD1(createTransportSocket, TransportSocketPtr(TransportSocketOptionsSharedPtr));
 };