From 0aca25c52b3e619f0c7a7bc4d29129f1adfd21ee Mon Sep 17 00:00:00 2001 From: Rei Shimizu Date: Thu, 3 Dec 2020 23:45:26 +0900 Subject: [PATCH 01/11] backport to 1.16: http: fixing a bug with IPv6 hosts (#14238) Fixing a bug where HTTP parser offsets for IPv6 hosts did not include [] and Envoy assumed it did. This results in mis-parsing addresses for IPv6 CONNECT requests and IPv6 hosts in fully qualified URLs over HTTP/1.1 Risk Level: low Testing: new unit, integration tests Docs Changes: n/a Release Notes: inline Signed-off-by: Shikugawa Co-authored-by: alyssawilk --- docs/root/version_history/current.rst | 1 + source/common/http/utility.cc | 47 +++++++++++++++---- test/common/http/utility_test.cc | 32 +++++++++++-- .../proxy_filter_integration_test.cc | 3 +- test/integration/integration_test.cc | 36 ++++++++++++++ 5 files changed, 105 insertions(+), 14 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index fe8888262ead9..5cc6b6157af5b 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -13,6 +13,7 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * examples: examples use v3 configs. +* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. * listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. * proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. * proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 8869e6bb5a2a1..9dcf07691c00d 100644
--- a/source/common/http/utility.cc
+++ b/source/common/http/utility.cc
@@ -228,6 +228,30 @@ namespace Http {
 static const char kDefaultPath[] = "/";
+// If http_parser encounters an IP address [address] as the host it will set the offset and
+// length to point to 'address' rather than '[address]'. Fix this by adjusting the offset
+// and length to include the brackets.
+// @param absolute_url the absolute URL. This is usually of the form // http://host/path
+// but may be host:port for CONNECT requests
+// @param offset the offset for the first character of the host. For IPv6 hosts
+// this will point to the first character inside the brackets and will be
+// adjusted to point at the brackets
+// @param len the length of the host-and-port field. For IPv6 hosts this will
+// not include the brackets and will be adjusted to do so.
+bool maybeAdjustForIpv6(absl::string_view absolute_url, uint64_t& offset, uint64_t& len) {
+  // According to https://tools.ietf.org/html/rfc3986#section-3.2.2 the only way a hostname
+  // may begin with '[' is if it's an ipv6 address.
+  if (offset == 0 || *(absolute_url.data() + offset - 1) != '[') {
+    return false;
+  }
+  // Start one character sooner and end one character later.
+  offset--;
+  len += 2;
+  // HTTP parser ensures that any [ has a closing ]
+  ASSERT(absolute_url.length() >= offset + len);
+  return true;
+}
+
 bool Utility::Url::initialize(absl::string_view absolute_url, bool is_connect) {
   struct http_parser_url u;
   http_parser_url_init(&u);
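Review bot: The bounds guard in maybeAdjustForIpv6, `ASSERT(absolute_url.length() >= offset + len);`, is compiled out of release builds, so in production nothing checks the widened offset/len before the caller builds host_and_port_ from them and, in the next hunk, subtracts `authority_beginning + hostAndPort().length()` from the URL length as an unsigned value. The comment says http_parser guarantees the closing bracket, and that appears to hold, but request parsing should not depend on a debug-only check for a third-party parser's invariant: check the widened range before committing to it and make a failure visible as a parse error — e.g. `if (absolute_url.length() < offset + len + 1) { return false; }` ahead of `offset--;` (offset is already known to be non-zero there), with the caller then distinguishing that from a plain non-IPv6 host, which the current bool cannot. The helper is also declared at namespace scope with external linkage; as a file-local function it belongs in an anonymous namespace or should be `static`.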
@@ -244,20 +268,27 @@ bool Utility::Url::initialize(absl::string_view absolute_url, bool is_connect) {
   scheme_ = absl::string_view(absolute_url.data() + u.field_data[UF_SCHEMA].off, u.field_data[UF_SCHEMA].len);
-  uint16_t authority_len = u.field_data[UF_HOST].len;
+  uint64_t authority_len = u.field_data[UF_HOST].len;
   if ((u.field_set & (1 << UF_PORT)) == (1 << UF_PORT)) {
     authority_len = authority_len + u.field_data[UF_PORT].len + 1;
   }
-  host_and_port_ =
-      absl::string_view(absolute_url.data() + u.field_data[UF_HOST].off, authority_len);
+
+  uint64_t authority_beginning = u.field_data[UF_HOST].off;
+  const bool is_ipv6 = maybeAdjustForIpv6(absolute_url, authority_beginning, authority_len);
+  host_and_port_ = absl::string_view(absolute_url.data() + authority_beginning, authority_len);
+  if (is_ipv6 && !parseAuthority(host_and_port_).is_ip_address_) {
+    return false;
+  }
   // RFC allows the absolute-uri to not end in /, but the absolute path form
-  // must start with
-  uint64_t path_len = absolute_url.length() - (u.field_data[UF_HOST].off + hostAndPort().length());
-  if (path_len > 0) {
-    uint64_t path_beginning = u.field_data[UF_HOST].off + hostAndPort().length();
-    path_and_query_params_ = absl::string_view(absolute_url.data() + path_beginning, path_len);
+  // must start with. Determine if there's a non-zero path, and if so determine
+  // the length of the path, query params etc.
+  uint64_t path_etc_len = absolute_url.length() - (authority_beginning + hostAndPort().length());
+  if (path_etc_len > 0) {
+    uint64_t path_beginning = authority_beginning + hostAndPort().length();
+    path_and_query_params_ = absl::string_view(absolute_url.data() + path_beginning, path_etc_len);
   } else if (!is_connect) {
+    ASSERT((u.field_set & (1 << UF_PATH)) == 0);
     path_and_query_params_ = absl::string_view(kDefaultPath, 1);
   }
   return true;
diff --git a/test/common/http/utility_test.cc b/test/common/http/utility_test.cc
index 87dabd8f087a9..9185ac4dc76f7 100644
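Review bot: The new path computation in Utility::Url::initialize calls `hostAndPort().length()` twice to locate the end of the authority even though `authority_len` already holds exactly that value after maybeAdjustForIpv6 returns. Computing the boundary once reads more directly and removes the duplicated expression: `const uint64_t path_beginning = authority_beginning + authority_len;` followed by `const uint64_t path_etc_len = absolute_url.length() - path_beginning;`, with the `if` body then using `path_beginning` as before. The function's opening lines are outside this hunk.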
--- a/test/common/http/utility_test.cc
+++ b/test/common/http/utility_test.cc
@@ -1251,6 +1251,9 @@ TEST(Url, ParsingFails) {
   EXPECT_FALSE(url.initialize("random_scheme://host.com/path", false));
   EXPECT_FALSE(url.initialize("http://www.foo.com", true));
   EXPECT_FALSE(url.initialize("foo.com", true));
+  EXPECT_FALSE(url.initialize("http://[notaddress]:80/?query=param", false));
+  EXPECT_FALSE(url.initialize("http://[1::z::2]:80/?query=param", false));
+  EXPECT_FALSE(url.initialize("http://1.2.3.4:65536/?query=param", false));
 }
 void validateUrl(absl::string_view raw_url, absl::string_view expected_scheme,
@@ -1262,12 +1265,17 @@ void validateUrl(absl::string_view raw_url, absl::string_view expected_scheme,
   EXPECT_EQ(url.pathAndQueryParams(), expected_path);
 }
-void validateConnectUrl(absl::string_view raw_url, absl::string_view expected_host_port) {
+void validateConnectUrl(absl::string_view raw_url) {
   Utility::Url url;
   ASSERT_TRUE(url.initialize(raw_url, true)) << "Failed to initialize " << raw_url;
   EXPECT_TRUE(url.scheme().empty());
   EXPECT_TRUE(url.pathAndQueryParams().empty());
-  EXPECT_EQ(url.hostAndPort(), expected_host_port);
+  EXPECT_EQ(url.hostAndPort(), raw_url);
+}
+
+void invalidConnectUrl(absl::string_view raw_url) {
+  Utility::Url url;
+  ASSERT_FALSE(url.initialize(raw_url, true)) << "Unexpectedly initialized " << raw_url;
 }
 TEST(Url, ParsingTest) {
@@ -1302,6 +1310,14 @@ TEST(Url, ParsingTest) {
   validateUrl("http://www.host.com:80/?query=param", "http", "www.host.com:80", "/?query=param");
   validateUrl("http://www.host.com/?query=param", "http", "www.host.com", "/?query=param");
+  // Test with an ipv4 host address.
+  validateUrl("http://1.2.3.4/?query=param", "http", "1.2.3.4", "/?query=param");
+  validateUrl("http://1.2.3.4:80/?query=param", "http", "1.2.3.4:80", "/?query=param");
+
+  // Test with an ipv6 address
+  validateUrl("http://[1::2:3]/?query=param", "http", "[1::2:3]", "/?query=param");
+  validateUrl("http://[1::2:3]:80/?query=param", "http", "[1::2:3]:80", "/?query=param");
+
   // Test url with query parameter but without slash
   validateUrl("http://www.host.com:80?query=param", "http", "www.host.com:80", "?query=param");
   validateUrl("http://www.host.com?query=param", "http", "www.host.com", "?query=param");
@@ -1324,8 +1340,16 @@ TEST(Url, ParsingTest) {
 }
 TEST(Url, ParsingForConnectTest) {
-  validateConnectUrl("host.com:443", "host.com:443");
-  validateConnectUrl("host.com:80", "host.com:80");
+  validateConnectUrl("host.com:443");
+  validateConnectUrl("host.com:80");
+  validateConnectUrl("1.2.3.4:80");
+  validateConnectUrl("[1:2::3:4]:80");
+
+  invalidConnectUrl("[::12345678]:80");
+  invalidConnectUrl("[1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1]:80");
+  invalidConnectUrl("[1:1]:80");
+  invalidConnectUrl("[:::]:80");
+  invalidConnectUrl("[::1::]:80");
 }
 void validatePercentEncodingEncodeDecode(absl::string_view source,
diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
index e6e1e53ab4d57..8079e78a660c5 100644
--- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
+++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
@@ -287,8 +287,7 @@ TEST_P(ProxyFilterIntegrationTest, UpstreamTlsWithIpHost) {
       {":method", "POST"},
       {":path", "/test/long/url"},
       {":scheme", "http"},
-      {":authority", fmt::format("{}:{}", Network::Test::getLoopbackAddressUrlString(GetParam()),
-                                 fake_upstreams_[0]->localAddress()->ip()->port())}};
+      {":authority", fake_upstreams_[0]->localAddress()->asString()}};
   auto response = codec_client_->makeHeaderOnlyRequest(request_headers);
   waitForNextUpstreamRequest();
diff --git a/test/integration/integration_test.cc b/test/integration/integration_test.cc
index 594f5ac656c5d..eb6f4a8328ef9 100644
--- a/test/integration/integration_test.cc
+++ b/test/integration/integration_test.cc
@@ -902,6 +902,41 @@ TEST_P(IntegrationTest, AbsolutePath) {
   EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0);
 }
+// Make that both IPv4 and IPv6 hosts match when using relative and absolute URLs.
+TEST_P(IntegrationTest, TestHostWithAddress) {
+  useAccessLog("%REQ(Host)%\n");
+  std::string address_string;
+  if (GetParam() == Network::Address::IpVersion::v4) {
+    address_string = TestUtility::getIpv4Loopback();
+  } else {
+    address_string = "[::1]";
+  }
+
+  auto host = config_helper_.createVirtualHost(address_string.c_str(), "/");
+  host.set_require_tls(envoy::config::route::v3::VirtualHost::ALL);
+  config_helper_.addVirtualHost(host);
+
+  initialize();
+  std::string response;
+
+  // Test absolute URL with ipv6.
+  sendRawHttpAndWaitForResponse(
+      lookupPort("http"), absl::StrCat("GET http://", address_string, " HTTP/1.1\r\n\r\n").c_str(),
+      &response, true);
+  EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0);
+  EXPECT_TRUE(response.find("301") != std::string::npos);
+  EXPECT_THAT(waitForAccessLog(access_log_name_), HasSubstr(address_string));
+
+  // Test normal IPv6 request as well.
+  response.clear();
+  sendRawHttpAndWaitForResponse(
+      lookupPort("http"),
+      absl::StrCat("GET / HTTP/1.1\r\nHost: ", address_string, "\r\n\r\n").c_str(), &response,
+      true);
+  EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0);
+  EXPECT_TRUE(response.find("301") != std::string::npos);
+}
+
 TEST_P(IntegrationTest, AbsolutePathWithPort) {
   // Configure www.namewithport.com:1234 to send a redirect, and ensure the redirect is
   // encountered via absolute URL with a port.
@@ -914,6 +949,7 @@ TEST_P(IntegrationTest, AbsolutePathWithPort) {
       lookupPort("http"), "GET http://www.namewithport.com:1234 HTTP/1.1\r\nHost: host\r\n\r\n",
       &response, true);
   EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0);
+  EXPECT_TRUE(response.find("301") != std::string::npos);
 }
 TEST_P(IntegrationTest, AbsolutePathWithoutPort) {
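Review bot: The header comment on TestHostWithAddress, `// Make that both IPv4 and IPv6 hosts match when using relative and absolute URLs.`, is missing a word; `// Make sure that both IPv4 and IPv6 hosts match when using relative and absolute URLs.` says what is meant. The two inner comments `// Test absolute URL with ipv6.` and `// Test normal IPv6 request as well.` are also inaccurate, because the test is parameterized and sends the same two requests with the IPv4 loopback when GetParam() is v4. `// Absolute-form request using the loopback address as the host.` and `// Origin-form request with the same address in the Host header.` describe both parameterizations.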
From e8b009160e794daff21f55f65ef0903700370ca7 Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Sat, 5 Dec 2020 10:52:56 -0500 Subject: [PATCH 02/11] backport to 1.16: vrp: allow supervisord to open its log file (#14066) (#14279) Commit Message: Allow supervisord to open its log file Additional Description: Change the default location of the log file and give supervisord permissions to write to it. Risk Level: low Testing: built image locally Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Konradi Signed-off-by: Christoph Pakulski --- ci/Dockerfile-envoy-google-vrp | 3 +++ configs/google-vrp/supervisor.conf | 1 + docs/root/version_history/current.rst | 1 + 3 files changed, 5 insertions(+)
diff --git a/ci/Dockerfile-envoy-google-vrp b/ci/Dockerfile-envoy-google-vrp
index 802e148851e06..abc84f1269aba 100644
--- a/ci/Dockerfile-envoy-google-vrp
+++ b/ci/Dockerfile-envoy-google-vrp
@@ -16,6 +16,9 @@ ADD configs/google-vrp/supervisor.conf /etc/supervisor.conf
 ADD test/config/integration/certs/serverkey.pem /etc/envoy/certs/serverkey.pem
 ADD test/config/integration/certs/servercert.pem /etc/envoy/certs/servercert.pem
 # ADD %local envoy bin% /usr/local/bin/envoy
+RUN chmod 777 /var/log/supervisor
+RUN chmod a+r /etc/supervisor.conf /etc/envoy/* /etc/envoy/certs/*
+RUN chmod a+rx /usr/local/bin/launch_envoy.sh
 EXPOSE 10000
 EXPOSE 10001
diff --git a/configs/google-vrp/supervisor.conf b/configs/google-vrp/supervisor.conf
index e019581d079c2..1e1d09f336602 100644
--- a/configs/google-vrp/supervisor.conf
+++ b/configs/google-vrp/supervisor.conf
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
+logfile=/var/log/supervisor/supervisord.log
 [program:envoy-edge]
 command=launch_envoy.sh -c /etc/envoy/envoy-edge.yaml %(ENV_ENVOY_EDGE_EXTRA_ARGS)s
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 5cc6b6157af5b..299de78b83f84 100644
--- a/docs/root/version_history/current.rst
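Review bot: `RUN chmod 777 /var/log/supervisor` makes the log directory world-writable, so any process in the container — not only supervisord — can create, truncate or replace supervisord.log, which is broader than the stated goal of letting supervisord open its log file on an image that is deliberately exposed as a VRP target. Handing the directory to the account supervisord runs as is the narrower fix, e.g. `RUN chown <supervisord-user> /var/log/supervisor && chmod 755 /var/log/supervisor`, where the user placeholder is whatever the image's supervisord runs under (not visible in this hunk). The second line, `RUN chmod a+r /etc/supervisor.conf /etc/envoy/* /etc/envoy/certs/*`, also covers the private key copied in as /etc/envoy/certs/serverkey.pem; it is a checked-in test key here, but the glob would expose a real key just as readily if one were ever substituted, so listing the certificate and config files explicitly and leaving the key readable only by the envoy user keeps that from happening silently.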
+++ b/docs/root/version_history/current.rst @@ -19,6 +19,7 @@ Bug Fixes * proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. * tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. * udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. +* vrp: allow supervisord to open its log file. Removed Config or Runtime ------------------------- From e98e41a8e168af7acae8079fc0cd68155f699aa3 Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Mon, 7 Dec 2020 20:17:40 -0500 Subject: [PATCH 03/11] Closing release 1.16.2. (#14308) Signed-off-by: Christoph Pakulski --- VERSION | 2 +- docs/root/version_history/current.rst | 11 ++----- docs/root/version_history/v1.16.1.rst | 31 +++++++++++++++++++ docs/root/version_history/version_history.rst | 1 + 4 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 docs/root/version_history/v1.16.1.rst diff --git a/VERSION b/VERSION index 41c11ffb730cf..4a02d2c3170bd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.16.1 +1.16.2 diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 299de78b83f84..b1af2497d4bda 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -1,5 +1,5 @@ -1.16.1 (November 20, 2020) -========================== +1.16.2 (December 7, 2020) +========================= Incompatible Behavior Changes ----------------------------- 
@@ -12,13 +12,8 @@ Minor Behavior Changes Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* -* examples: examples use v3 configs. + * http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. -* listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. -* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. -* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. -* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. -* udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. * vrp: allow supervisord to open its log file. Removed Config or Runtime diff --git a/docs/root/version_history/v1.16.1.rst b/docs/root/version_history/v1.16.1.rst new file mode 100644 index 0000000000000..18ffb805e2b9b --- /dev/null +++ b/docs/root/version_history/v1.16.1.rst 
@@ -0,0 +1,31 @@ +1.16.1 (November 20, 2020) +========================== + +Incompatible Behavior Changes +----------------------------- +*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* + +Minor Behavior Changes +---------------------- +*Changes that may cause incompatibilities for some users, but should not for most* + +Bug Fixes +--------- +*Changes expected to improve the state of the world and are unlikely to have negative effects* + +* examples: examples use v3 configs. +* listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. +* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. +* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. +* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. +* udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. + +Removed Config or Runtime +------------------------- +*Normally occurs at the end of the* :ref:`deprecation period ` + +New Features +------------ + +Deprecated +---------- diff --git a/docs/root/version_history/version_history.rst b/docs/root/version_history/version_history.rst index 453bda753f1ff..c01875afafcc5 100644 --- a/docs/root/version_history/version_history.rst +++ b/docs/root/version_history/version_history.rst @@ -7,6 +7,7 @@ Version history :titlesonly: current + v1.16.1 v1.16.0 v1.15.2 v1.15.1 From 9c117fbe1e01e5de8f7177ca44d15d6c1f061d1a Mon Sep 17 00:00:00 2001 
From: Christoph Pakulski Date: Tue, 8 Dec 2020 19:51:06 -0500 Subject: [PATCH 04/11] Kick-off rel 1.16.3. (#14321) Signed-off-by: Christoph Pakulski --- VERSION | 2 +- docs/root/version_history/current.rst | 7 ++--- docs/root/version_history/v1.16.2.rst | 27 +++++++++++++++++++ docs/root/version_history/version_history.rst | 1 + 4 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 docs/root/version_history/v1.16.2.rst diff --git a/VERSION b/VERSION index 4a02d2c3170bd..17008736ca0b0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.16.2 +1.16.3-dev diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index b1af2497d4bda..7a589a9f34fe8 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -1,5 +1,5 @@ -1.16.2 (December 7, 2020) -========================= +1.16.3 (Pending) +================ Incompatible Behavior Changes ----------------------------- @@ -13,9 +13,6 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* -* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. -* vrp: allow supervisord to open its log file. - Removed Config or Runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/docs/root/version_history/v1.16.2.rst b/docs/root/version_history/v1.16.2.rst new file mode 100644 index 0000000000000..b1af2497d4bda --- /dev/null +++ b/docs/root/version_history/v1.16.2.rst 
@@ -0,0 +1,27 @@ +1.16.2 (December 7, 2020) +========================= + +Incompatible Behavior Changes +----------------------------- +*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* + +Minor Behavior Changes +---------------------- +*Changes that may cause incompatibilities for some users, but should not for most* + +Bug Fixes +--------- +*Changes expected to improve the state of the world and are unlikely to have negative effects* + +* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. +* vrp: allow supervisord to open its log file. + +Removed Config or Runtime +------------------------- +*Normally occurs at the end of the* :ref:`deprecation period ` + +New Features +------------ + +Deprecated +---------- diff --git a/docs/root/version_history/version_history.rst b/docs/root/version_history/version_history.rst index c01875afafcc5..55bdaf928aeb7 100644 --- a/docs/root/version_history/version_history.rst +++ b/docs/root/version_history/version_history.rst @@ -7,6 +7,7 @@ Version history :titlesonly: current + v1.16.2 v1.16.1 v1.16.0 v1.15.2 From db0ae3de6635d649cc75bf71a1f95c8118d9b9ef Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Mon, 21 Dec 2020 22:17:28 -0500 Subject: [PATCH 05/11] lua: reset downstream_ssl_connection in StreamInfoWrapper when object is marked dead by Lua GC (#14092) (#14449) Co-authored-by: Marcin Falkowski --- docs/root/version_history/current.rst | 2 ++ source/extensions/filters/http/lua/wrappers.h | 5 ++- .../filters/http/lua/lua_filter_test.cc | 31 ++++++++++++++++++- 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 7a589a9f34fe8..1d3a13b0a4557 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -13,6 +13,8 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* +* lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). + Removed Config or Runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/extensions/filters/http/lua/wrappers.h b/source/extensions/filters/http/lua/wrappers.h index 89f7cb6d2d243..ad3890971a915 100644 --- a/source/extensions/filters/http/lua/wrappers.h +++ b/source/extensions/filters/http/lua/wrappers.h @@ -207,7 +207,10 @@ class StreamInfoWrapper : public Filters::Common::Lua::BaseLuaObject dynamic_metadata_wrapper_; diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc index ac4ab95140375..6d7f77e988582 100644 --- a/test/extensions/filters/http/lua/lua_filter_test.cc +++ b/test/extensions/filters/http/lua/lua_filter_test.cc @@ -1881,7 +1881,7 @@ TEST_F(LuaHttpFilterTest, InspectStreamInfoDowstreamSslConnection) { Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; - auto connection_info = std::make_shared(); + const auto connection_info = std::make_shared(); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); EXPECT_CALL(stream_info_, downstreamSslConnection()).WillRepeatedly(Return(connection_info)); 
@@ -1989,6 +1989,35 @@ TEST_F(LuaHttpFilterTest, InspectStreamInfoDowstreamSslConnectionOnPlainConnecti
   EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true));
 }
+// Should survive from multiple streamInfo():downstreamSslConnection() calls.
+// This is a regression test for #14091.
+TEST_F(LuaHttpFilterTest, SurviveMultipleDownstreamSslConnectionCalls) {
+  const std::string SCRIPT{R"EOF(
+    function envoy_on_request(request_handle)
+      if request_handle:streamInfo():downstreamSslConnection() ~= nil then
+        request_handle:logTrace("downstreamSslConnection is present")
+      end
+    end
+  )EOF"};
+
+  setup(SCRIPT);
+
+  const auto connection_info = std::make_shared();
+  EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_));
+  EXPECT_CALL(stream_info_, downstreamSslConnection()).WillRepeatedly(Return(connection_info));
+
+  for (uint64_t i = 0; i < 200; i++) {
+    EXPECT_CALL(*filter_,
+                scriptLog(spdlog::level::trace, StrEq("downstreamSslConnection is present")));
+
+    Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}};
+    EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true));
+
+    filter_->onDestroy();
+    setupFilter();
+  }
+}
+
 TEST_F(LuaHttpFilterTest, ImportPublicKey) {
   const std::string SCRIPT{R"EOF(
     function string.fromhex(str)
From 15f02f0c1e95eb08ab8a8a2393ac39a0f265ec92 Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Mon, 28 Dec 2020 20:02:29 -0500 Subject: [PATCH 06/11] backport to 1.16: tls: fix detection of the upstream connection close event. (#13858) (#14452) Fixes #13856. This change also contains the following backports: - build: Fix some unused variable warnings (#13987) - test: Check in all TLS test certs (#13702) Signed-off-by: Piotr Sikora
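Review bot: The loop bound `200` in SurviveMultipleDownstreamSslConnectionCalls is a magic number with no comment on why that many decode/destroy cycles are needed; the commit title ties the crash to the Lua GC marking the wrapper dead, so the count is presumably what makes a collection cycle likely, and a later cleanup that lowers it could quietly stop exercising the regression. A named constant with a one-line comment — for example `// Enough filter lifecycles for the Lua GC to reclaim earlier StreamInfoWrapper objects (see #14091).` — would pin that intent. The `connection_info` and two `EXPECT_CALL` lines also duplicate the setup of the InspectStreamInfoDowstreamSslConnection tests above; a small fixture helper would keep them in step.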
Signed-off-by: Christoph Pakulski --- docs/root/version_history/current.rst | 1 + include/envoy/registry/registry.h | 1 + source/common/config/new_grpc_mux_impl.cc | 1 + source/common/init/manager_impl.cc | 1 + source/common/router/scoped_rds.cc | 1 + .../transport_sockets/tls/ssl_handshaker.h | 2 +- .../transport_sockets/tls/ssl_socket.cc | 10 +- source/server/admin/config_dump_handler.cc | 3 + source/server/filter_chain_manager_impl.cc | 4 + test/extensions/transport_sockets/tls/BUILD | 15 +- .../tls/context_impl_test.cc | 124 ++--- .../tls/gen_unittest_certs.sh | 55 -- .../transport_sockets/tls/handshaker_test.cc | 8 +- .../transport_sockets/tls/ocsp/BUILD | 11 +- .../transport_sockets/tls/ocsp/ocsp_test.cc | 12 +- .../tls/ocsp/test_data/BUILD | 13 + .../tls/ocsp/test_data/README.md | 30 ++ .../tls/ocsp/test_data/ca_cert.pem | 23 + .../tls/ocsp/test_data/ca_key.pem | 27 + .../certs.sh} | 46 +- .../tls/ocsp/test_data/ecdsa_cert.pem | 16 + .../tls/ocsp/test_data/ecdsa_key.pem | 8 + .../tls/ocsp/test_data/ecdsa_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/ecdsa_ocsp_resp.der | Bin 0 -> 1559 bytes .../tls/ocsp/test_data/good_cert.pem | 20 + .../tls/ocsp/test_data/good_key.pem | 27 + .../tls/ocsp/test_data/good_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/good_ocsp_resp.der | Bin 0 -> 1579 bytes .../ocsp/test_data/good_ocsp_resp_details.txt | 118 +++++ .../ocsp/test_data/intermediate_ca_cert.pem | 25 + .../ocsp/test_data/intermediate_ca_key.pem | 27 + .../ocsp/test_data/multiple_cert_ocsp_req.der | Bin 0 -> 171 bytes .../test_data/multiple_cert_ocsp_resp.der | Bin 0 -> 1660 bytes .../test_data/responder_key_hash_ocsp_req.der | Bin 0 -> 106 bytes .../responder_key_hash_ocsp_resp.der | Bin 0 -> 1466 bytes .../tls/ocsp/test_data/revoked_cert.pem | 21 + .../tls/ocsp/test_data/revoked_key.pem | 27 + .../tls/ocsp/test_data/revoked_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/revoked_ocsp_resp.der | Bin 0 -> 1577 bytes 
.../tls/ocsp/test_data/unknown_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/unknown_ocsp_resp.der | Bin 0 -> 1686 bytes .../transport_sockets/tls/ssl_certs_test.h | 8 - .../transport_sockets/tls/ssl_socket_test.cc | 491 ++++++++++++------ .../transport_sockets/tls/test_data/certs.sh | 4 + .../tls/test_data/unittest_cert.cfg | 23 + .../tls/test_data/unittest_cert.pem | 23 + .../tls/test_data/unittest_cert_info.h | 8 + .../tls/test_data/unittest_key.pem | 27 + 48 files changed, 921 insertions(+), 340 deletions(-) delete mode 100755 test/extensions/transport_sockets/tls/gen_unittest_certs.sh create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/BUILD create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/README.md create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem rename test/extensions/transport_sockets/tls/ocsp/{gen_unittest_ocsp_data.sh => test_data/certs.sh} (86%) create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem create mode 100644 
test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_key.pem diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 1d3a13b0a4557..ce19f6f7fbcaf 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -14,6 +14,7 @@ Bug Fixes *Changes expected to improve the state of the world and are unlikely to have negative effects* * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). +* tls: fix detection of the upstream connection close event. Removed Config or Runtime ------------------------- 
diff --git a/include/envoy/registry/registry.h b/include/envoy/registry/registry.h index b526860360747..b90e86ca52f3a 100644 --- a/include/envoy/registry/registry.h +++ b/include/envoy/registry/registry.h @@ -346,6 +346,7 @@ template class FactoryRegistry : public Logger::Loggable>(); for (const auto& [factory_name, factory] : factories()) { + UNREFERENCED_PARAMETER(factory_name); if (factory == nullptr) { continue; } diff --git a/source/common/config/new_grpc_mux_impl.cc b/source/common/config/new_grpc_mux_impl.cc index 0015a26899710..50bfc07e08e47 100644 --- a/source/common/config/new_grpc_mux_impl.cc +++ b/source/common/config/new_grpc_mux_impl.cc @@ -90,6 +90,7 @@ void NewGrpcMuxImpl::onDiscoveryResponse( void NewGrpcMuxImpl::onStreamEstablished() { for (auto& [type_url, subscription] : subscriptions_) { + UNREFERENCED_PARAMETER(type_url); subscription->sub_state_.markStreamFresh(); } trySendDiscoveryRequests(); diff --git a/source/common/init/manager_impl.cc b/source/common/init/manager_impl.cc index 650203fabbea5..1440dd726414f 100644 --- a/source/common/init/manager_impl.cc +++ b/source/common/init/manager_impl.cc @@ -71,6 +71,7 @@ void ManagerImpl::dumpUnreadyTargets(envoy::admin::v3::UnreadyTargetsDumps& unre auto& message = *unready_targets_dumps.mutable_unready_targets_dumps()->Add(); message.set_name(name_); for (const auto& [target_name, count] : target_names_count_) { + UNREFERENCED_PARAMETER(count); message.add_target_names(target_name); } } diff --git a/source/common/router/scoped_rds.cc b/source/common/router/scoped_rds.cc index d9ca4781e7b5d..17613814efea3 100644 --- a/source/common/router/scoped_rds.cc +++ b/source/common/router/scoped_rds.cc 
@@ -427,6 +427,7 @@ ScopedRdsConfigSubscription::detectUpdateConflictAndCleanupRemoved(
 absl::flat_hash_map scope_name_by_hash = scope_name_by_hash_;
 absl::erase_if(scope_name_by_hash, [&updated_or_removed_scopes](const auto& key_name) {
 auto const& [key, name] = key_name;
+ UNREFERENCED_PARAMETER(key);
 return updated_or_removed_scopes.contains(name);
 });
 absl::flat_hash_map
diff --git a/source/extensions/transport_sockets/tls/ssl_handshaker.h b/source/extensions/transport_sockets/tls/ssl_handshaker.h
index 8eaec861a8f13..50090f6f43a74 100644
--- a/source/extensions/transport_sockets/tls/ssl_handshaker.h
+++ b/source/extensions/transport_sockets/tls/ssl_handshaker.h
@@ -67,7 +67,7 @@ class SslHandshakerImpl : public Ssl::ConnectionInfo, public Ssl::Handshaker {
 // Ssl::Handshaker
 Network::PostIoAction doHandshake() override;
- Ssl::SocketState state() { return state_; }
+ Ssl::SocketState state() const { return state_; }
 void setState(Ssl::SocketState state) { state_ = state; }
 SSL* ssl() const { return ssl_.get(); }
 Ssl::HandshakeCallbacks* handshakeCallbacks() { return handshake_callbacks_; }
diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/extensions/transport_sockets/tls/ssl_socket.cc
index 4854684430963..f004947630406 100644
--- a/source/extensions/transport_sockets/tls/ssl_socket.cc
+++ b/source/extensions/transport_sockets/tls/ssl_socket.cc
@@ -140,10 +140,18 @@ Network::IoResult SslSocket::doRead(Buffer::Instance& read_buffer) {
 case SSL_ERROR_WANT_READ:
 break;
 case SSL_ERROR_ZERO_RETURN:
+ // Graceful shutdown using close_notify TLS alert.
 end_stream = true;
 break;
+ case SSL_ERROR_SYSCALL:
+ if (result.error_.value() == 0) {
+ // Non-graceful shutdown by closing the underlying socket.
+ end_stream = true;
+ break;
+ }
+ FALLTHRU;
 case SSL_ERROR_WANT_WRITE:
- // Renegotiation has started. We don't handle renegotiation so just fall through.
+ // Renegotiation has started. We don't handle renegotiation so just fall through.
 default:
 drainErrorQueue();
 action = PostIoAction::Close;
diff --git a/source/server/admin/config_dump_handler.cc b/source/server/admin/config_dump_handler.cc
index dbfd13a01e2ec..9e1d54e9d3e9b 100644
--- a/source/server/admin/config_dump_handler.cc
+++ b/source/server/admin/config_dump_handler.cc
@@ -155,6 +155,7 @@ ConfigDumpHandler::addResourceToDump(envoy::admin::v3::ConfigDump& dump,
 }
 for (const auto& [name, callback] : callbacks_map) {
+ UNREFERENCED_PARAMETER(name);
 ProtobufTypes::MessagePtr message = callback();
 ASSERT(message);
@@ -200,6 +201,7 @@ void ConfigDumpHandler::addAllConfigToDump(envoy::admin::v3::ConfigDump& dump,
 }
 for (const auto& [name, callback] : callbacks_map) {
+ UNREFERENCED_PARAMETER(name);
 ProtobufTypes::MessagePtr message = callback();
 ASSERT(message);
@@ -220,6 +222,7 @@ ProtobufTypes::MessagePtr ConfigDumpHandler::dumpEndpointConfigs() const {
 auto endpoint_config_dump = std::make_unique();
 for (const auto& [name, cluster_ref] : server_.clusterManager().clusters()) {
+ UNREFERENCED_PARAMETER(name);
 const Upstream::Cluster& cluster = cluster_ref.get();
 Upstream::ClusterInfoConstSharedPtr cluster_info = cluster.info();
 envoy::config::endpoint::v3::ClusterLoadAssignment cluster_load_assignment;
diff --git a/source/server/filter_chain_manager_impl.cc b/source/server/filter_chain_manager_impl.cc
index 0de4282f33147..29d47d8be53cd 100644
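Review bot: The new `SSL_ERROR_SYSCALL` branch in SslSocket::doRead reports an EOF that arrived without a close_notify alert as `end_stream = true`, which the caller cannot tell apart from the graceful `SSL_ERROR_ZERO_RETURN` case just above it; a peer, or anything on the path that can drop the TCP connection, can therefore end a TLS stream "cleanly", which is exactly the truncation that close_notify exists to make detectable. That may be the right trade-off for upstreams that never send close_notify, but it should be stated where it is made, e.g. extend the added comment to `// Non-graceful shutdown by closing the underlying socket. No close_notify was received, so the TLS layer cannot distinguish a clean peer close from truncation; higher layers must rely on their own message framing.` The guard also dereferences `result.error_.value()`, and `result` is produced before this hunk, so please confirm that `error_` is always populated when SSL_get_error() yields SSL_ERROR_SYSCALL, since `.value()` on an empty optional-like value would fail rather than fall through to the Close path. doRead's body begins and ends outside the hunk.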
--- a/source/server/filter_chain_manager_impl.cc +++ b/source/server/filter_chain_manager_impl.cc @@ -555,6 +555,7 @@ const Network::FilterChain* FilterChainManagerImpl::findFilterChainForSourceIpAn void FilterChainManagerImpl::convertIPsToTries() { for (auto& [destination_port, destination_ips_pair] : destination_ports_map_) { + UNREFERENCED_PARAMETER(destination_port); // These variables are used as we build up the destination CIDRs used for the trie. auto& [destination_ips_map, destination_ips_trie] = destination_ips_pair; std::vector>> @@ -568,8 +569,11 @@ void FilterChainManagerImpl::convertIPsToTries() { // We need to get access to all of the source IP strings so that we can convert them into // a trie like we did for the destination IPs above. for (auto& [server_name, transport_protocols_map] : *server_names_map_ptr) { + UNREFERENCED_PARAMETER(server_name); for (auto& [transport_protocol, application_protocols_map] : transport_protocols_map) { + UNREFERENCED_PARAMETER(transport_protocol); for (auto& [application_protocol, source_arrays] : application_protocols_map) { + UNREFERENCED_PARAMETER(application_protocol); for (auto& [source_ips_map, source_ips_trie] : source_arrays) { std::vector< std::pair>> diff --git a/test/extensions/transport_sockets/tls/BUILD b/test/extensions/transport_sockets/tls/BUILD index 48a456162df3b..f5b04d38100d1 100644 --- a/test/extensions/transport_sockets/tls/BUILD +++ b/test/extensions/transport_sockets/tls/BUILD @@ -16,12 +16,11 @@ envoy_cc_test( "ssl_socket_test.cc", ], data = [ - "gen_unittest_certs.sh", # TODO(mattklein123): We should consolidate all of our test certs in a single place as # right now we have a bunch of duplication which is confusing. "//test/config/integration/certs", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", ], external_deps = ["ssl"], shard_count = 4, 
@@ -74,12 +73,9 @@ envoy_cc_test( "ssl_certs_test.h", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], - # Fails intermittantly on local build - tags = ["flaky_on_windows"], deps = [ ":ssl_test_utils", "//source/common/common:base64_lib", @@ -121,8 +117,6 @@ envoy_cc_test( "utility_test.cc", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], @@ -171,14 +165,9 @@ envoy_cc_test( name = "handshaker_test", srcs = ["handshaker_test.cc"], data = [ - "gen_unittest_certs.sh", - "//test/config/integration/certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], - # TODO(sunjayBhatia): Diagnose openssl DLL load issue on Windows - # See: https://github.com/envoyproxy/envoy/pull/13276 - tags = ["flaky_on_windows"], deps = [ ":ssl_socket_test", ":ssl_test_utils", diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/extensions/transport_sockets/tls/context_impl_test.cc index 0307ebb2daef9..9e1f377807223 100644 --- a/test/extensions/transport_sockets/tls/context_impl_test.cc +++ b/test/extensions/transport_sockets/tls/context_impl_test.cc @@ -20,6 +20,7 @@ #include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h" #include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h" #include "test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h" +#include "test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h" #include "test/mocks/init/mocks.h" #include "test/mocks/local_info/mocks.h" #include "test/mocks/secret/mocks.h" 
@@ -261,9 +262,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; @@ -272,12 +273,10 @@ TEST_F(SslContextImplTest, TestExpiringCert) { ClientContextConfigImpl cfg(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context(manager_.createSslClientContext(store_, cfg)); - // This is a total hack, but right now we generate the cert and it expires in 15 days only in the - // first second that it's valid. This can become invalid and then cause slower tests to fail. - // Optimally we would make the cert valid for 15 days and 23 hours, but that is not easy to do - // with the command line so we have this for now. Good enough. - EXPECT_TRUE(15 == context->daysUntilFirstCertExpires() || - 14 == context->daysUntilFirstCertExpires()); + // Calculate the days until test cert expires + auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT"); + int64_t days_until_expiry = absl::ToInt64Hours(cert_expiry - absl::Now()) / 24; + EXPECT_EQ(context->daysUntilFirstCertExpires(), days_until_expiry); } TEST_F(SslContextImplTest, TestExpiredCert) { 
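Review bot: The replacement assertion in TestExpiringCert (second hunk on this line) ties the expected value to wall-clock time and to the fixed notAfter of the checked-in unittest_cert.pem, so the test will start failing on the day that fixture expires, and it can also flake when `absl::Now()` and the `daysUntilFirstCertExpires()` call straddle a day boundary, since `absl::ToInt64Hours(...) / 24` truncates and the rounding used inside daysUntilFirstCertExpires() is not visible here. A tolerance keeps the intent without the day-boundary race, e.g. `EXPECT_NEAR(context->daysUntilFirstCertExpires(), days_until_expiry, 1);`, and a comment such as `// Fixture validity is fixed at generation time; regenerate test_data when TEST_UNITTEST_CERT_NOT_AFTER approaches.` tells the next person why the test broke. The same fixed-validity concern applies to the OCSP fixtures added in this patch, whose generator pins DEFAULT_VALIDITY_DAYS to 730. The TEST_F body begins before the hunk.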
@@ -302,9 +301,9 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" @@ -330,7 +329,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"); std::string cert_chain_json = R"EOF({ - "path": "{{ test_tmpdir }}/unittestcert.pem", + "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem", } )EOF"; 
@@ -591,27 +590,27 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; loadConfigYaml(tls_context_yaml); } TEST_F(SslServerContextImplOcspTest, TestInlineBytesOcspStapleConfigLoads) { - auto der_response = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der")); + auto der_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der")); auto base64_response = Base64::encode(der_response.c_str(), der_response.length(), true); const std::string tls_context_yaml = fmt::format(R"EOF( common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple 
@@ -626,9 +625,9 @@ TEST_F(SslServerContextImplOcspTest, TestInlineStringOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_string: "abcd" ocsp_staple_policy: must_staple @@ -643,11 +642,11 @@ TEST_F(SslServerContextImplOcspTest, TestMismatchedOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -660,9 +659,9 @@ TEST_F(SslServerContextImplOcspTest, TestStaplingRequiredWithoutStapleConfigFail common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: must_staple )EOF"; 
@@ -684,9 +683,9 @@ TEST_F(SslServerContextImplOcspTest, TestUnsuccessfulOcspResponseConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple @@ -702,9 +701,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleConfigFails) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; @@ -717,9 +716,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleFeatureFlagO common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -734,11 +733,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; @@ -748,12 +747,13 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { constexpr absl::string_view this_update = "This Update: "; constexpr absl::string_view next_update = "Next Update: "; - auto ocsp_text_details = - absl::StrSplit(TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute( - "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp_details.txt"), - true), - '\n'); + auto ocsp_text_details = absl::StrSplit( + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt"), + true), + '\n'); std::string valid_from, expiration; for (const auto& detail : ocsp_text_details) { std::string::size_type pos = detail.find(this_update); 
@@ -797,10 +797,10 @@ class SslServerContextImplTicketTest : public SslContextImplTest { // Must add a certificate for the config to be considered valid. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); ServerContextConfigImpl server_context_config(cfg, factory_context_); loadConfig(server_context_config); @@ -821,9 +821,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -838,9 +838,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -854,9 +854,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidCannotRead) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/this_file_does_not_exist" @@ -1045,9 +1045,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); 
@@ -1061,9 +1061,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1078,9 +1078,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1095,9 +1095,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -1750,10 +1750,10 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); server_validation_ctx->set_allow_expired_certificate(false); diff --git a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh b/test/extensions/transport_sockets/tls/gen_unittest_certs.sh deleted file mode 100755 index fe731e85cd70b..0000000000000 --- a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash -# -# Create a test certificate with a 15-day expiration for SSL tests. - -set -e - -TEST_CERT_DIR="${TEST_TMPDIR}" - -mkdir -p "${TEST_CERT_DIR}" - -export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf -(cat << EOF -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 -EOF -) > "${OPENSSL_CONF}" - -openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 2048 -openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \ - -sha256 < makeKey() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); std::string passphrase = ""; bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); 
@@ -97,8 +97,8 @@ class HandshakerTest : public SslCertsTest { // Read in cert.pem and return a certificate. bssl::UniquePtr makeCert() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); uint8_t* data = nullptr; diff --git a/test/extensions/transport_sockets/tls/ocsp/BUILD b/test/extensions/transport_sockets/tls/ocsp/BUILD index c6947269be4d1..262bec36ab5c6 100644 --- a/test/extensions/transport_sockets/tls/ocsp/BUILD +++ b/test/extensions/transport_sockets/tls/ocsp/BUILD @@ -14,13 +14,9 @@ envoy_cc_test( "ocsp_test.cc", ], data = [ - ":gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", ], external_deps = ["ssl"], - # TODO: Diagnose intermittent failure on Windows; this script uses the - # locally deployed openssl for test cert creation and manipulation, rather - # than envoy's current build of the most current openssl tool - tags = ["flaky_on_windows"], deps = [ "//source/common/filesystem:filesystem_lib", "//source/extensions/transport_sockets/tls:utility_lib", @@ -44,8 +40,3 @@ envoy_cc_test( "//test/extensions/transport_sockets/tls:ssl_test_utils", ], ) - -filegroup( - name = "gen_ocsp_data", - srcs = ["gen_unittest_ocsp_data.sh"], -) diff --git a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc index 70f24ccaa15e5..78e813060d867 100644 --- a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc +++ b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc 
@@ -25,13 +25,9 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility; class OcspFullResponseParsingTest : public testing::Test { public: - static void SetUpTestSuite() { // NOLINT(readability-identifier-naming) - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")}); - } - std::string fullPath(std::string filename) { - return TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/" + filename); + return TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename); } std::vector readFile(std::string filename) { @@ -88,8 +84,8 @@ TEST_F(OcspFullResponseParsingTest, UnknownCertTest) { } TEST_F(OcspFullResponseParsingTest, ExpiredResponseTest) { - auto next_week = time_system_.systemTime() + std::chrono::hours(8 * 24); - time_system_.setSystemTime(next_week); + auto ten_years_forward = time_system_.systemTime() + std::chrono::hours(24 * 365 * 10); + time_system_.setSystemTime(ten_years_forward); setup("good_ocsp_resp.der"); // nextUpdate is present but in the past EXPECT_TRUE(response_->isExpired()); diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD new file mode 100644 index 0000000000000..e55e87fb10111 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD @@ -0,0 +1,13 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +filegroup( + name = "certs", + srcs = glob(["*"]), +) diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/README.md b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md new file mode 100644 index 0000000000000..ad1c6777eb3ae --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md 
@@ -0,0 +1,30 @@ +# What are the identities, certificates and keys +There are 8 identities: +- **CA**: Certificate Authority for all fixtures in this directory. It has the + self-signed certificate *ca_cert.pem*. *ca_key.pem* is its private key. +- **Intermediate CA**: Intermediate Certificate Authority, signed by the **CA**. + It has the certificate *intermediate_ca_cert.pem". *intermediate_ca_key.pem* + is its private key. +- **Good** It has the certificate *good_cert.pem*, signed by the **CA**. An OCSP + request is included in *good_ocsp_req.der* and a "good" OCSP response is included in *good_ocsp_resp.der*. OCSP response details are included as + *good_ocsp_resp_details.txt*. +- **Responder Key Hash** An OCSP request and response pair for the **Good** cert + with responder key hash replacing the name in *responder_key_hash_ocsp_req.der* + and *responder_key_hash_ocsp_resp.der* +- **Revoked** It has the revoked certificate *revoked_key.pem*, signed by the + **CA**. A corresponding OCSP request and revoked response are included in + *revoked_ocsp_req.der* and *revoked_ocsp_resp.der*. +- **Unknown** An OCSP request and unknown status response is generated in + *unknown_ocsp_req.der* and *unknown_ocsp_resp.der* as the **Good** certificate + is signed by **CA** not **Intermediate CA**. +- **ECDSA** A cert (*ecdsa_cert.pem*) signed by **CA** with ECDSA key + (*ecdsa_key.pem*) and OCSP response (*ecdsa_ocsp_resp.der*). +- **Multiple Cert OCSP Response** A multi-cert OCSP request and response are + generated with **CA** as the signer for the **Good** and **Revoked** certs in + *multiple_cert_ocsp_req.der* and *multiple_cert_ocsp_resp.der*. + +# How to update certificates +**certs.sh** has the commands to generate all files. Running certs.sh directly +will cause all files to be regenerated. So if you want to regenerate a +particular file, please copy the corresponding commands from certs.sh and +execute them in command line. 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem new file mode 100644 index 0000000000000..d456c26f505f5 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem new file mode 100644 index 0000000000000..888feabbec1be --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcF +ZBG9QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9k +iADDdsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4v +c9Qk+WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFf +HzOCx2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7 +Uw9EgBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABAoIBAGofrH3ETSAxM+XZ +MRE3AnWB6SV9EXZ9Msjh++AsVQcRdnbyU+St9uHaT06W++Hqweodg/N7AvqdJy9W +WqihEWMnCXKGrgjdMsFhDEuD2djJ/xVdHqvPioSn0w2p8egRWHHg4PwWNTNYqGwo +qqh4vUTqRwhtqBpRp6CxCYjE1SpdrbDb9CxFZoJ1alQdJWNGO6Vq0/plVB3mU1DE +ziuCi2N1vARvm4Uxg33ul0Vo3qzW/4fL1Nzo5tto9s8TxkWGsjwXFr3RnbpcAeg1 +Uy7tvkIioh0VqJ+z1PmQiX/COqNbaWIJUKTnpPomuHIzlTohFobVACLtysDALuTs +Lv2Zb4UCgYEA90fSuA0mIvRwpYscoy7NPFYPpwz5X3/4fSOfDC5gBU3Cuxvtufj3 +8lL3kuFoCE14cSdrye2udKSsydGFn1TInwa5cLgRzO2qXWHupvfoHu24FQ1WiYrG +0BW+O8TA1W6IEBgibO1YtohNjbnII+GjfP8ZaBJH7rl2QJuG70bDJYcCgYEA46mJ +vGllEDnd7QCB3z7gqMSxBCicQ9ASWy/yNMsgikb8ULcCYnCqLvwxlkDWgrq2GaPy +0kJh1q27MSWxjXFDeiG9/PQAWZ1sy/rru3TRbhAA+5rRxqfLZlNkg0C9nZA9BEmP +vIToCUlz1iw94Wrg43zk95ou1WuOfN4WVkyDNgMCgYBbyB/RSqgeD0aEW1b8xpFM +1NCoe2tP5ArSP9d3yPrA3TTrCBm7jkpRejQEI3/enQqYTT53y62WA81Sd182XVy9 +kdxglyGcQ5aZZJEVDizs1eUegz3cfVL/xyI9wvCkB4ufFaYpcgscbQkEErHTh5uL ++I9wjmB+nf3jSxbRVx11nwKBgDVOMArmnpxDAFyK3t3XyiCaFVyE6bnTEUk6m7qS +ySa3YkK/5xYHjUF9GVs2CUQI1bSBN8zVcDUk7oyeZ8lXeNYy6lo9A4v4GU5VjTaS +LqtXofNHl9Cs3yoxYnp9ASjQagkD9FzOvcnW4gGG0GJkdQ2u46m59zdPfMht88r3 +FU3jAoGBANNq2l4RpKrs3X/XS34mbugvCw1EqGV0Bqj+RBFLchouE2ignd1KYt/o +O23NchL4pOIuBCo+IaukCgmDm+m378EubTZjwRIYAJNqS/Xu1rMBBihAl6NadVuZ +Nsr6+U9Uqbx/t8bUdhQ3RDexQ42x+GelGwSfXKfF+NJx1zj8lOUu +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh similarity index 86% rename from test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh rename to test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh index dad80edca9a1c..042fd74ca5245 100755 --- a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh @@ -4,23 +4,21 @@ set -e +readonly DEFAULT_VALIDITY_DAYS=${DEFAULT_VALIDITY_DAYS:-730} +readonly HERE=$(cd "$(dirname "$0")" && pwd) + +cd "$HERE" || exit 1 trap cleanup EXIT + cleanup() { - rm -f ./*_index* - rm -f ./*.csr - rm -f ./*.cnf - rm -f ./*_serial* + rm -f ./*.cnf + rm -f ./*.csr + rm -f ./*_index* + rm -f ./*_serial* + rm -f ./*.srl + rm -f ./100*.pem } -[[ -z "${TEST_TMPDIR}" ]] && TEST_TMPDIR="$(cd "$(dirname "$0")" && pwd)" - -TEST_OCSP_DIR="${TEST_TMPDIR}/ocsp_test_data" -mkdir -p "${TEST_OCSP_DIR}" - -rm -f "${TEST_OCSP_DIR}"/* - -cd "$TEST_OCSP_DIR" || exit 1 - ################################################## # Make the configuration file ################################################## @@ -55,17 +53,17 @@ commonName_max = 64 default_ca = CA_default [ CA_default ] -dir = ${TEST_OCSP_DIR} -certs = ${TEST_OCSP_DIR} -new_certs_dir = ${TEST_OCSP_DIR} -serial = ${TEST_OCSP_DIR} -database = ${TEST_OCSP_DIR}/$2_index.txt -serial = ${TEST_OCSP_DIR}/$2_serial +dir = ${HERE} +certs = ${HERE} +new_certs_dir = ${HERE} +serial = ${HERE} +database = ${HERE}/$2_index.txt +serial = ${HERE}/$2_serial -private_key = ${TEST_OCSP_DIR}/$2_key.pem -certificate = ${TEST_OCSP_DIR}/$2_cert.pem +private_key = ${HERE}/$2_key.pem +certificate = ${HERE}/$2_cert.pem -default_days = 375 +default_days = ${DEFAULT_VALIDITY_DAYS} default_md = sha256 preserve = no policy = policy_default 
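Review bot: The `[ CA_default ]` block in the `@@ -55,17 +53,17 @@` hunk still carries two `serial =` directives, `serial = ${HERE}` and three lines later `serial = ${HERE}/$2_serial`, and the first names a directory rather than a serial file. The commit only swapped `${TEST_OCSP_DIR}` for `${HERE}` on both lines, so this is inherited, but since the section is being rewritten it is worth dropping the directory-valued line so the generated config is unambiguous regardless of which duplicate OpenSSL honours. The here-document that emits this config begins before the hunk, so the enclosing function is not visible here.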
@@ -102,7 +100,7 @@ generate_ca() { -config "${1}.cnf" -batch -sha256 openssl x509 -req \ -in "${1}_cert.csr" -signkey "${1}_key.pem" -out "${1}_cert.pem" \ - -extensions v3_ca -extfile "${1}.cnf" "${extra_args[@]}" + -extensions v3_ca -extfile "${1}.cnf" -days "${DEFAULT_VALIDITY_DAYS}" "${extra_args[@]}" } # $1= $2= $3=[req args] @@ -153,7 +151,7 @@ generate_ca intermediate_ca ca # Generate valid cert and OCSP response generate_config good ca generate_rsa_cert good ca -generate_ocsp_response good ca good -ndays 7 +generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}" dump_ocsp_details good ca # Generate OCSP response with the responder key hash instead of name diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem new file mode 100644 index 0000000000000..724ea898ea248 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICdzCCAV8CAhACMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTNaFw0yMjEwMjIwMjU3NTNaMFwxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ4wDAYDVQQDDAVlY2RzYTBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABBH5TFHZK1e7SPtmeTESrQD/Kce4uLKz+on7qlHOd2D4yNoI62TyXMq/ +o6660I5SJVIEIueDZdh/ocVezGYuUt8wDQYJKoZIhvcNAQELBQADggEBAD5jqxzW +76B6WOLJlRTWpAKv2L7CdtRjV2inNvS7n+NOSQllP9IfHGM9qEHM7xvDymLZb/TR +tOcpUENLJVOmRsjs90cy21Nc8ZkRFBhJOPggTTL3PpkM2sYmsSBzjDvkvqrH+hY3 +FTGAdgDaIf9gBeI61Ind/z6lqcE7yJlVtTvKVYPC0MFtzBS44I92x7g5htTzfEv7 +rO866GmsiG+b/w/d8TCHOt1L+gyk3BbAbBOI3DkZt/UtUpev8ZXKEjigcpxHy+Je +BLDYq6S7RPPtkPk+z8Iz3HRmyykvrckU2kjcTdqY8KygCgFBZETIYsk5d1CJxGcV +gDVhAiuki1Lwuzo= +-----END CERTIFICATE----- 
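Review bot: `generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}"` gives the checked-in OCSP responses a nextUpdate 730 days out, the same lifetime as `-days "${DEFAULT_VALIDITY_DAYS}"` in the `generate_ca` hunk and `default_days = ${DEFAULT_VALIDITY_DAYS}` in the CA config, so every fixture in this directory now shares one hard expiry (the committed `good_ocsp_resp_details.txt` already shows `Next Update: Oct 22 02:57:52 2022 GMT`). When that date passes, the tests that load these files will start failing with no change in the code under test, and nothing in the script or its env override says so. A header comment near the new `readonly DEFAULT_VALIDITY_DAYS=...` line, e.g. `# Every cert and OCSP response generated here expires DEFAULT_VALIDITY_DAYS after generation; rerun this script (see README.md) to refresh the fixtures.`, would make that failure mode easy to diagnose. The `generate_ca` function starts before its hunk, so only the modified `openssl x509` call is visible.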
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem new file mode 100644 index 0000000000000..8fac462fe37b8 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOShXROw7kmo0cMJgNQ8rdZfjceLh+KMocrzYIqphTYYoAoGCCqGSM49 +AwEHoUQDQgAEEflMUdkrV7tI+2Z5MRKtAP8px7i4srP6ifuqUc53YPjI2gjrZPJc +yr+jrrrQjlIlUgQi54Nl2H+hxV7MZi5S3w== +-----END EC PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..6769a837244d56ca8d0de3380c69d521a84447e3 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7T!G^*Hf*=kD50`UdPG(wuQC?=Ep_qXPNRXX}H#jj*!L2AUFFCU~Ip2`ifEy&v z#lzxLnO0&bX&?^ba`Om)xC*X$>6v+{sYRK2=`cH(d6<$DCHRdDj0_A7jDVD>xv6oK zL6AX!fi=(-tlE6cOj4{2EFxk@*&0@GZtFKt?_90y-|ua(;Xw|Ih(v|+lX*)5pJlsQ zxku?%Mdnqsh%qqn7L5dK+!-R;cF%qAr^rHD);=_6yGekwk7c50(%Jt170>x ztu~Lg@4SqR+^h`DO^l2THFuZn=Sh2;c-Z`s{LIrl5B2w$^~>K@JN70`B9cq^;*rnH zC4UVs7ae!yWjcXYXH?7yEA)XD2zlmFy^0E@K2;UBNtGcR1c;LLmX zlhNl#0$C*|-)i0It?vCLeDT$(K+zbEFFoC6yIPYz)rtJN-D<$QpL?-hmFiNv+0i>I zZk&6>_2Bz$cAl2cE9WS%yk=LpYpcS$YqjixCg$4)P0ZJU__9G0)9wY#OpHuSB3ifQ zins8u7u>Dla>3){@7T!WU&YaaZvc{#ft)xmQc^OE0&rGuAWIDGCd1)x9o>O=C5;VQIb|(+J=AIBNO;oZdg|cy^(#QWVPx1e5Uw|598&Hn~o>=d=jdw zSA6p0=Dc}^s-KS@%e0hTrkR#nm{nomRJ5D>;8y>|#ydCZq@3^C9nA02AhfdY!lr9a z>SoxQ?y0Sg&y=5*A?oJwYAO>mBLm~&WP?NlSzu`)%f}*yJ!1oNFHl;UMZ!R=0c*}T z;0GxXW@P-&!fL<_qzw2#0{kEW7GSDvLyiVm_TE(K9(MS-@V)r%w~G%q2tJ%4bV(ocQf zxAzzP)~IU~D@l*GSh#eR!AY;xFbfsXmU4KDW#+X+`dz z(93RImM`Gee(nFm+|#;q75jMjY+a^qJ=t32SN81Q^NG{C*w6KU;}zX={(;N%W3Tls z4zd;Qd@^VM@};Ieb=DV-2~YSs>7C2O@AKq4x-UMt`!nFaaFkn$J|FwO((A6XZBs46 rE2F+M?Ayxn#Qf?}8KdCy^6o_iW?F_bU%!`ZvQduE3Q2yU&GQ`q&e|~o literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem new file mode 100644 index 0000000000000..4c25d638be7cc --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAikCAhAAMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTJaFw0yMjEwMjIwMjU3NTJaMFsxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ0wCwYDVQQDDARnb29kMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABMA0GCSqGSIb3DQEBCwUA +A4IBAQBD2wITti7SV7hHMKjeB4vv9HrpYHe58LkthZWHAWfcV4usdQl8/R/pe6xp +vbda1dPkDOL3h9DWXb3OtDxZszk/muQ2O3IMzkm3RdOYK4TxiyhRiilYI8nOHCNS +/nzl2TGdoaHMYNKDopJaSuWo78ojcI6y/xJHSJFFHTazHrcLZsoanqYNUh352E1U +j7x8b0h6KB2ODeUa2z8g4sMqTexSDDKz4ND9vfoSPn02mG/3RuVsIxX5F1LNCP5W +RfxRA4uDR3/FSmWAHRPDpdh1NfNDZyh1yXlEyJS2XhuKUCDfCMqHYrxOfgQs6f+2 +d1z/R2EV8f4bBFxyL0nfOuo2J4+u +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem new file mode 100644 index 0000000000000..5a6e6a2a14638 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABAoIBAQCqpOtPVSvE+iqK +VAwIs5rSVoHo8p4Cty2dsTfzA6CGijmscon2t0oHwjyak9LyfWaiR9uk3e8KXFAW +zE1QDq5umj1Ufrw+3+U0xB4xMiSfRcbV/LCPARO5VARm8rmzqEPRctVfsmtYFs9M +Y+O4Ky/SFriUUdgNjbdtvhobqV67dWIxATeYET0ayACgeJITcfH4XaAdQt5LJbDI +qemCu3hvvc4qqk0Ad/nqCl+B0D8/zWuyX5bKnNw+1g868VCFskdGiM7uZTZIXBja +6N3VBv6dENebcX+j9t+RxtOIRMm5ndFGzAq50ylKKiw5M/hRHxgHb0l7OF1Ud2Jw +QSumpj8pAoGBAPh6VgAvEHRECDHUs+RscNcrhTTJF/A787rx/7kJMHxVMlr3GPvv +clxhK7GquFEpYlB6+R+otWvfowq7F+sEGutepfgI0vp0QriwziVQw1xg4lnfK4TR +uKLmL/wQGEIMi4G2n8RacYGSGGl39mmRchCEeYWHV+P0j7ss7SkJ3WNVAoGBAO4L +YiV1TBpmD+3cWZh0BEvjYQePmFoLdFypd/tOZYL9jhtiCIV7uDPUwTe8UCPrLpUi +XPHp9Sfhoo0gLGQVxHowHaDQBUnzo+LzdMPu8YlJv1okH0rkdwQ355yAVgTVz3sv +XTJtVGnSLmA/BthLMrFJfn5Sbus/c3vNgw7Cu3IXAoGAPSEDpVnux1uxVGkKtKiE +/jqDs9/BFuX46UX97oy3M+9VyxE9QUXAMb/qGvRwEe+Hc1s9jK9ZqqdDGjG7CaNh +6APJ+wJYvSr6+yrsHDwJQ+HF7ew8bZmWveS5a16eSSmC7K98ELdbc0/414Geyovw +ruWYa+RHGBqjfZ3o3o7Bu10CgYEAt9GyiJp7micWRefSiBeO+cssMlqAm4gc4zE6 +paV0XiLOifa5/dn79IpmalPQzuvdnOxcObMgzRtAGxqtLNxiTLi7KGN6shCija7S +jDsH6aw5R7J9N6gU//zrrb6sri8teUKqBTbH6K+VgF0rO/tVufG27HVbke39j6yz +d8KIXSECgYB3JaYxWdoxptUvpqITvIBRNEfhNVrxzdGz95EcS6RqmG7UxJlTN2Yk +LKZ9pIOD43QQ3i5D2cF6XN4BCSZ+wRVzOt43RP8DUMgbLzLf8h9N/6cQGEbFqtlb +9x5wTSPF7VRJY+ToSnnBWyFRPLkwm9u1VpeBIUa3bGDDbV/SdJIeUg== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..f5d7e4150fe3b8b53638a51f19d59260531ed227 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7$Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;JzK zq#7g}SOZ}Jx1QUx8i@=XGhLiYbNw@ zu|}%_FB_*;n@8JsUPeZ4RtDxKMn;Bh`gM1=zK(wOO#aI6`bg7zn+&yrylNY}-qhYX zQ#C2E_9K((Nu9T^-iRDr(O==h==F^K|DQxY>s@Krj%MeU*SvqVY+Gr&h{?uMruVgZ zi({iTA0_x%t~)0c|K4=|xvLNPe|`znW&dH}6EkgBLK^#ns#j}v6}*z_-@j9B%F1S8 z@q)zf7Jh8SQns6!yd|3!dp)dSzwvkb#4s_{wwEjZFFkZR@5H-}x5{<1Ue+!32>Bx4 z#J9PKCzyHa;te)_p(XF8UHiU?S-M^&@!_4f*B0{%Gd1zP-TQXeYQ3HdlHX4DMXt?w zWs+|kJFR%L-Tegu*VagUTP^f&uBjuhiT|yF!+y0vZVQ^2ZyPi*UkBpL22D)67cet1 zGBJs0-Igof!oOZ{w~EUJkB`4&BaeR-M+?3INL>bU;=D+y%Pn*#eRFME}nbVaH%P%d84yt&V-(CCCrtr83+CAc|It%J_%<{ z5!~yrWbXDY3UeC5x3A)3dc3Y?vA1a|*LqWz2bs?8LS7mQs^`>QGaso;4!Ad8Kc$1= zaM{spi-Yf9Og&-nU18BJzOZ+T4rE4b`uO_K>m|8z{ER#9p1oIEwqbw9A_I3h{o*Ss zKaG_Q(W2mK)X;LT_ZBC|PYfKc6Z7;=_1(J^{-xH)g0q3Y+O$1*KtmuaS@7G_l#I2G;YKDgC?vGLALIw|M7b_esjGzhKi zyRhlnle!tUrh96u<1^)_Wr(_Yyqe0y%*epFIN2c4Ko(el$nvp>VbANp+zXUeW|1%u zYrt9<81RD>2s1MNXJIv922uumAOU`m01GhHwjoCYEPHRNbPqfHT=-sm_uIvX8w4Lt zGm}53=GLN9`kdhw3lzI3?m_EGAbnzE+m{cFfMxR?| zm$V}HPv~VgF3T5iYrppYVeV<&xr%)}e6}uAx1MaR@+*6G@A<@OUF_%jzwwIhIsd?A z`mxvg76;i1cRrc3fB8~VpE~Oc$Al+*o%GIS;`e#-9o-k7-2EAFUpUGwMW2s-U+Hz% w*|w<`;gwO}8TM^ud18L`sEkqYd3pDu0y8bcnXlhVHrXggXoV!d(B}CL01N~(mH+?% literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt new file mode 100644 index 0000000000000..312a01481fd52 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt 
@@ -0,0 +1,118 @@ +OCSP Response Data: + OCSP Response Status: successful (0x0) + Response Type: Basic OCSP Response + Version: 1 (0x0) + Responder Id: C = US, ST = California, L = San Francisco, O = Lyft, OU = Lyft Engineering, CN = ca + Produced At: Oct 22 02:57:52 2020 GMT + Responses: + Certificate ID: + Hash Algorithm: sha1 + Issuer Name Hash: 16C50680A809B68F302789AB234F8F4B30B0E06C + Issuer Key Hash: 187843E49EA451E66B463A475A2D7A596E788416 + Serial Number: 1000 + Cert Status: good + This Update: Oct 22 02:57:52 2020 GMT + Next Update: Oct 22 02:57:52 2022 GMT + + Response Extensions: + OCSP Nonce: + 04109C5C7305A9C99B599CAD3612F1A32885 + Signature Algorithm: sha256WithRSAEncryption + b6:2f:7e:dd:b5:eb:5b:e6:e6:1f:d4:fb:7f:59:35:de:b2:31: + 2a:52:4a:7d:81:8a:ec:7d:dc:cc:7a:92:61:7d:f1:02:25:c9: + 2c:ed:ea:ec:14:c1:a8:8f:78:44:01:4a:e6:07:ff:fc:61:0e: + 3b:ba:66:d6:c5:6b:6d:77:7c:ef:ea:a6:b6:75:87:14:34:b1: + 75:02:ef:7d:6e:a3:5d:5b:29:e2:60:4e:39:ae:ce:1a:5f:ef: + 35:9f:ce:d5:e1:0f:f9:f4:51:2d:07:f8:38:4c:5c:96:ba:60: + 66:07:e0:7a:ea:ac:ba:70:ea:1a:8f:bf:b9:26:94:a9:83:13: + 17:70:61:f7:38:4e:06:73:1a:3d:b3:02:4b:19:82:a3:4a:e1: + 7c:07:d8:fd:b7:91:56:16:25:86:e9:a8:ff:a5:c2:cb:6e:c8: + ee:b1:da:77:2d:6a:e9:7e:a5:48:54:f4:1f:82:0e:b3:72:0c: + 53:03:95:a3:b0:3c:4e:55:74:ee:96:d6:f7:b2:03:1b:7f:24: + 61:e1:dc:ed:d6:a3:0d:13:02:82:0d:ed:bd:ed:ba:ab:2e:8c: + d0:19:f6:c9:8e:59:ad:68:ea:34:6f:33:5d:96:73:b3:3e:df: + a0:10:d6:ac:18:f6:ab:12:fe:9d:35:41:0d:34:4f:da:70:c3: + 4e:7d:52:46 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:db:1e:73:b4:0f:af:11:bb:24:44:d0:48:f1:fb:5d:59:c7:f5:17 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Validity + Not Before: Oct 22 02:57:51 2020 GMT + Not After : Oct 22 02:57:51 2022 GMT + Subject: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Subject Public Key Info: + Public Key Algorithm: rsaEncryption 
+ RSA Public-Key: (2048 bit) + Modulus: + 00:db:e8:73:4e:bd:7a:d1:ce:e6:80:d2:82:52:83: + b1:43:29:6c:90:8c:f6:74:03:79:85:68:c1:4f:7f: + 0c:f0:21:85:e4:57:05:64:11:bd:40:a4:9d:b7:b4: + 20:9c:80:57:b7:aa:0e:02:e3:ae:7c:a3:4b:35:65: + 0a:af:35:44:e0:69:43:87:12:4a:28:20:25:ce:27: + 45:69:e2:24:93:50:de:9f:2f:64:88:00:c3:76:c5: + 6b:38:c1:ef:e8:95:c8:30:f7:20:a2:da:0e:56:ee: + a2:c0:69:58:b2:f1:eb:fc:eb:a4:6d:1e:0f:01:b8: + dd:cd:de:75:76:b0:bf:68:a2:30:47:1e:2f:73:d4: + 24:f9:62:ad:55:78:c9:29:07:2c:cb:17:84:29:fa: + ce:26:5a:19:3a:4a:2b:31:fd:87:59:60:0e:04:d8: + 3b:78:12:ec:1d:e4:22:3a:b2:cf:9f:02:5f:d1:e1: + 5f:1f:33:82:c7:60:4c:f2:12:7e:7f:21:e4:f8:d9: + 9e:9e:31:25:f3:c5:c6:69:39:1d:a6:29:66:65:71: + 6a:78:30:42:72:bb:0b:c1:b5:4f:a3:33:b9:b2:2c: + 64:cf:8a:bb:53:0f:44:80:12:a9:8e:d0:b2:d6:e4: + 7e:98:3d:35:bc:7d:7b:5f:69:1f:96:68:15:46:48: + ea:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + X509v3 Authority Key Identifier: + keyid:18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + b2:79:47:56:c3:e7:13:de:5f:8b:ed:a3:c3:80:11:e1:96:36: + 1f:ce:26:46:84:a7:c2:4e:96:59:c1:97:0b:38:bd:85:51:b2: + 8e:37:ea:45:d1:d9:25:0d:5d:5d:b7:08:2f:bc:7f:4d:d6:88: + 29:2f:6b:ba:cb:4c:12:1a:f4:dc:20:fc:5d:75:f2:8e:4b:db: + bf:70:fb:28:7e:81:16:74:67:5b:38:a1:bf:9f:6f:38:88:d2: + c0:3f:35:43:a6:b5:d4:76:48:4e:58:35:e1:dd:02:d1:fa:03: + 56:1a:8e:08:b1:4c:da:36:d2:2a:59:bf:90:8d:07:33:76:6f: + 10:46:87:d6:ff:e1:6d:cb:2d:9d:21:8e:0c:0e:3d:44:95:b5: + c9:85:7a:4e:76:e6:de:e7:91:96:8a:07:ce:8f:f6:0d:15:bc: + cf:e0:44:97:c6:eb:2f:38:c1:06:71:b9:e4:9c:bf:a7:a5:35: + 4c:7e:3b:d0:c6:13:90:f5:92:ee:44:91:f7:9e:1f:88:8b:d1: + e4:dd:f9:50:df:13:5a:46:64:2f:0e:07:be:75:d7:45:9b:3d: + 
65:38:57:79:5a:f7:00:be:b5:04:e4:37:d5:c5:1c:32:53:cf: + 1f:47:72:70:36:2a:31:99:eb:ef:19:82:3c:23:58:2a:54:63: + e8:2b:0c:f7 +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem new file mode 100644 index 0000000000000..f9f104f8d05c7 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIUCmwXC1yqJjKspOZeS0lbJsJomIMwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowfjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxGDAWBgNVBAMMD2ludGVybWVkaWF0ZV9jYTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKI2heFAYYMEzvOJ7WVjvkczC3Vf/zo1WS5n +uN2LMO7Rgkbo+XENakPud7L7EN13ySIcjh65s9qq0cqaAbLzjgYoU6av8IufU2rh +pgpoNIU7X8dKlImlIBGytARa9qIblnsinDLhfly78yw/gWU83h+QPWYwhXBeDMMc +Wzo6MvZyZ1IgvdLmue8zcCKYA12YkXRnljG2sp8kstKWh4A8wMfUyE+bVkyr8qTk +Scslqnzx62y3UovwRzaRw8wusq3Vj/MSR4BLlbWRxiAIQr3IwswBphqNif3T7RQw +0IdB/OKfKtt3le4LNES1QZtRpB1seYRNgMXiL8zVJmbsp6hRphUCAwEAAaOBxTCB +wjAdBgNVHQ4EFgQU/d1VXIK/EJrCj1MuJa71mxNR1LwwHwYDVR0jBBgwFoAU/d1V +XIK/EJrCj1MuJa71mxNR1LwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFP3dVVyCvxCawo9TLiWu9ZsTUdS8MB8GA1UdIwQYMBaAFBh4 +Q+SepFHma0Y6R1otellueIQWMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAt1udv9BBzcmErW0JjBAZajzoY0QwVqusZ +j11ex6LNI1rnFomVk+76QQJCeAR4rWeMJBfA9UmAtHVXZuLcQDDL5yTgAnBmSmJR +18kS8KQg8V7AjtmIcx5uZgC2KZYsFx5qp3hGpqLyrN2ZvdeDFacNVWEtb2eVIIky +yy/UsmZr5STI3OU0k12fexiS/yh6G0XFvoecdxCoOvEp+EiLzCmwLRq/1q7CUbeO +woHCUHnwpGZi4PsFF9HkyM5KYgorMM0F+LWR1sVUtxSR6fWLZ0TTFi4NbLupD34S +yFXm0VYhXwV7mVVigQg2/A76PqmSXcSmvSvT43G+u3syc4kbxKLz +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem new file mode 100644 index 0000000000000..f8347a1701365 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAojaF4UBhgwTO84ntZWO+RzMLdV//OjVZLme43Ysw7tGCRuj5 +cQ1qQ+53svsQ3XfJIhyOHrmz2qrRypoBsvOOBihTpq/wi59TauGmCmg0hTtfx0qU +iaUgEbK0BFr2ohuWeyKcMuF+XLvzLD+BZTzeH5A9ZjCFcF4MwxxbOjoy9nJnUiC9 +0ua57zNwIpgDXZiRdGeWMbaynySy0paHgDzAx9TIT5tWTKvypORJyyWqfPHrbLdS +i/BHNpHDzC6yrdWP8xJHgEuVtZHGIAhCvcjCzAGmGo2J/dPtFDDQh0H84p8q23eV +7gs0RLVBm1GkHWx5hE2AxeIvzNUmZuynqFGmFQIDAQABAoIBAQCQG3wIxtdaPDVW +qpwaTOhH/JMbbXMi1S4rSb40I2oPYFUqheLEirRzMTFp8h3jgn1PLqsbpMKhaswB +/5uuzSzJT54xIXDDuYG0HE8UQ8sU6dCHDjyzo9y/nFDM5brh/TxMnEzD7wwBen/o +OWrM86wpwkypskV5tDQGSfTJ39ZSlZoaHS4/ih88JG2OTQXx7wi5U6s6Qkk1vuNA +prkqj6F6Y73qwiCuwtccEu3GDJiUjVAj7uFTOlpOBzT+2elraq16Y3DmfJ3aljp7 +pqTboytXYHixQ2x081WBv8Iy/flZP3HYe6ms2N5l27vd/tg3f2+p/WIrRolmOqwP +wHtR1oZBAoGBAM1tJ896YZXrLM9CBNcoAue8VhsipqvO8SodP0x5LRCqfnanoNPE +qFW8PwC0g/tGgAl5eA5iBbLOkaEuW1nxudSidlRBxYQ6lZjebscv9Mqe+P3RJd9y +Dv0te/I0lua7ElAUXTw4yGQ6/USr+kLlvOzBLWhbj3BQa4OCXsb5fFMNAoGBAMol +3+2l3G0BEFaXfGv2CRAR58KHA48lOHaIiSnNrWpnsXm4Fr2oYvvPDh5auulToeK3 +9DjfMhyPmgrCIbeHCVt01gvFU/NAGb79Xw21NQPREVhwZY6P4sFb5coO9E2jiESl +7PSaHtuLx8G6AwcIx8xjh+Fuy9ZfirfAB9g/h30pAoGBAMLMGY4zXMpPIkS/M9vb +AzZAb953c1lEeYgYB+g6mDNPmXBm8KkfuQjj41KF2wmyBsP1PZVV+lVecNZJITMf +d7pc/JxVajlDXIyDkMStgxGIwk/dvm4uuGv4b6pzmAzfpDPvu6HZrpztGzG9ayl4 +tThEzwxAlrpIaEtimwFPn0cZAoGAdD0lL61BO/jxoSlIpXf7rB7vqr8iP8zCU/6d +CMm5X0czGW/Ou8445N0iHDhF5Gdv3kOzDoThduToSilpY/QlYE6lymz0ohqI83cU +knhRfNlaZQV0kG6SkGc8klzZBE/1yquyvtBk0A/nlLFWjlPxN8k/2FRyp9mWlaS5 +nhKh4UkCgYBMCtGuPwmSYU6jI1AhygvEWNeN9U9GNH+C7hbDxtYtppjN/7ZUUIIn +kKceZAWbkZlItoOfVVSQLs8IZ5m5Q2g0rOb9/oVmtnK8bPYE16i0gk3VgOKQh+wv +q1Oqidvs4edxeI2sDe9w+Qw8qUo14+Uux7KMAlDrtB42gP5BQOWh0w== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..02da216fd77a34c5b39a173db82577e42f992c0a GIT binary patch literal 171 zcmXqLTw&0-)S%A5*1+0;lZ{oIkC{n|m4QV>>?m8q3eIi)2I`%wmHqp@4K_T;VG)t2 zaDFmxN#L_=H!Jrj-KxmEiWV^@CIJS@v@XXDgnV`ODzH(+F95n>Uz_vOL) RAHo~!t+>n!rSEd~0RW^QGEe{j literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der new file mode 100644 index 0000000000000000000000000000000000000000..e6af4d98fe86587fa311139739e63645581efaca GIT binary patch literal 1660 zcmXqLVyoa{WLVI|R%p<~mdnPe&Bn;e%5K2O$kN0X2Na4jXktuWSZq*e$Zf#M#vIDR zCd?EXY$$9X2;y+?a5*RDWTxd8$Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;J(M zG;TErFt7$XgH@Z4nMsP3fki~@C|kn{&Tah$>Yb~V{rkNQHay5-5s|2Hell-K;InKu zEB7efs>r;G7BMC!0fq(!OhXeXF_CehAexCrQD_3jQ45s~6bXf4Hjf^7F5s9iO*qw^+J4eL9mGoU{9p&cpnvH+EX}B>obO zUzfaG4WocuBY5gH zj2Z|hH8Cn72Mi-PUGXyjvoseID1qI6QS7(3>f*U)4VRjNnm0OY=1l1MR>EA_nsLy- zp67#N>yvQS6v4d?OXhChqA;f+eETXsrpN1Q7JHkfa;-OYd64PcF65=5pn6W-HS>|m z_8{U+yUUi7oxq=Y4yB!EcSaMzNCgXp4pW=jU5=TsmNH>bz|0l`;>%2-AmmnJ)ff z4wLHR*ywZ1?2=aG{t3P8#%1{eZtd6pKg>O?J6ExfhtJk!>eiF3Reoj9?meG4t&9C! z|2JOIJ?9^|Oh5Ko-{K%!;m#*>_Ag&*>QiTZ;h6A*uan-nO#D7izN7o%le<3y?h8k` zrRejq?<>9TI@>nYBD^x{JHx)MEKkg@9+fc)J}>WHRA8oMIP>*;$tD}+2(6Ih7ur1E E0TydUZU6uP literal 0 HcmV?d00001 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..71d48a2acc5a09cfd178681ebc87a5e2790cc779 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7uNSmZ8k<$R(1nMMwTYlIY6Nq291jriLr=CR5(AGwvTur}aiW7XzkW|CrMU=a~J%GR)g zb6dZGdgp3o|9)?S4G(g#o5sW>z|g>eVdg?*14RRQgu|FvgjfXL{C!q;;YwJ+qJ!)W z5hXVs8t}4lYPET^edlFlg6sM-pG&R{N;_u2MeH^eEG-AfNwd-z+@Haq(NYkz(l#ZA}fv zV1>+<6;GUfrgZWbF4)s=|9qif+p2m-Bhyz0jI-iyzP65i*65oUB7N?Ca>J%+uGh;W zu3bB)d0u?4+e3jHT$!$pTbq{Yt(eYjTIH&vbZnEy!EG;CyQ);{_1@1Y)!4PKi6P1T z@DBIc_pU#=zd!41{aG_s5r?N!pZ=0<_vShN?5t{a*v+jAnwW1JG%;TX;>!k2OuH8_ zGchtTiD=!HE8fDtUU0XH%LR{*zhfhhe-%dyK7&F-ZeS!bhqAB|o|$N=`J86X!)rN`_HDt`R(C8Ac6+lbRTnkOPJhoUZs8 z44N3Zm_P~a_KRY_y;T>_J!`ns6x6)YSuc4dL5Y@i9GKSF_mLG?i<;smp^*=XN144F%P6>aLlOR3-=9o3EeJ!Em_jXtu?{ z_b;ZNF!-*p=oVktyF~{wBQ||}{pak6SavQLz(Hl3f(6o2tyyu5MK@dTewLUr|u zPk!8-H_uS@^U-6Oma@w<(^3nwDh!;8c5@%x>c7}{=O&$$^If}x`CS@>R`y-kbnQvq z3|rGZwbk*N^3yUz-8^1RWnyMzU|gJRkZ2$ajAB_n797O{F!utbm02VV#2T=cBL@5+ z1;UJs|5;cKn1Pf5A4q^7B)|epwQb1J0L$K+D&4~lKNr3i-~D#+;ReBn)6C@0skyZ* zKjb$p^5ArCi@mLZoBGUOxn8`f${QQIokM?5z3;USP5ta$r+tK^zT8px6I=SJ&-?cN zg5Mf-jbbI~(H0B$&(F8$xOBkY)Op#~D`g&j5vC9CGF|+|946JrvC-$2*(I&W{S$iG zjmz={+}f}Gf0%n(cdlX|51*~e)U795tNhBI-FrT9S{M7d{%^dZd(J;_nSSiGzQsYd z!ktg%>|egr)Thq+!ZG0qUnjkDnfQI4d`I`iCwG4a+!u~=OVQ_J-&cCwb+&D)MR;Y@ pcZPjiS)Q0*Jt|`qd|uwYsK89iaOUgxl1($Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;JzK zBpW0eSOZWFMiy8 z%V{z3eXPyShcgZ<9$u=hxt{ax5f8zj+GU&Hzu3DzA#w4sv%zKBnJF)Ho-O@!m-Wo% zTNQWwxzBk8CYdokU05kQz4@5P{e9PW{XE6H$Jp=5Y>9*mQ`%Ilzgst$SUg{T^I`Yf z<$El9zSX5Bv+Vm7e_-wp$FBU%PSgLM`=!D@@3E+PTH0#App3u8*ZC8=-?tf_y4hyA zztwuL*F@O`(-JgW({ERf*U)4VRjNnm0OY=1l1MR>EA_nsLy-p67#N>yvQS6v4d? 
zOXhChqA;f+eETXsrpN1Q7JHkfa;-OYd64PcF65=5pn6W-HS>|m4bV(ocQf zxAzzP)~IU~D@l*GSh#eR!AY;xFbfsXmU4KDW#+X+`dz z(93RImM`Gee(nFm+|#;q75jMjY+a^qJ=t32SN81Q^NG{C*w6KU;}zX={(;N%W3Tls z4zd;Qd@^VM@};Ieb=DV-2~YSs>7C2O@AKq4x-UMt`!nFaaFkn$J|FwO((A6XZBs46 rE2F+M?Ayxn#Qf?}8KdCy^6o_iW?F_bU%!`ZvQduE3Q2yU&GQ`q{!BG3 literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..a81d57b98f99badc7f8e09bec0c54ff56323219e GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z{oPeug1-=&!jDrfC9d_G6H(N>0s;^Kq9ZUNFdqg9D+U1t1qUzz0t6BS5b>?X-BICg MWtKXX+b^ge-DF@P!2kdN literal 0 HcmV?d00001 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der new file mode 100644 index 0000000000000000000000000000000000000000..e3ebdc126fcc5849c7895dc47e817972604cf712 GIT binary patch literal 1686 zcmXqLVw=Rp$grS^t=pi9t(}cin~jl`mEC}mk)?^P0w`2s(8S2Qu(83Q&XC)HlZ`o) zg-w_#G}utsKoG>?;Nfyk%*jm4FUreIG!!!s0SU76@CGO5DYz9S<|StqC+8dT8gPTe zxp-K7D$_~~B@M(uTy7o#5Ldx9FFi9aHMJ-+FWpeWKnx_s%)_6VSCU$ko0^iDSdto_ zoG8I>WME`qXkY}SOwCP=q6~rz0t~EyPGZ&OV`h?KWnd8zJIdCuf^%EHfqLg^W&eI} zgAEUISVaEb4UK8qFEHy+f3TkFy05c^1F!61ViI6zV!$wSp|XLZfjlA*m{^2Z1U{}k zb~o^0Ug|Wfskil4$lo>KW#iOp^Jx3d%gD&h%D~*j$jIQsfBbkvQ0k#+7Sk0so`0rR z+x26wc}AK&Pnuw~tXv7p*H>8^D%S{nmF%{D>GmyW-q+4 zoQLOd?yqgOFWIx0bK?)U)$y~HTW`!UD_!~OdJy-l1>2VjXRc}dGxyiQ+guL0T^EiW z=H4W@*=*v<2t)gK+**5`*=$7e)47irUI|+EM@c7O&+GDLwzy{|HqJ^_cYZ3(;6D21 zX0yEbt=!bLcQ2%6b_jL+ZxQJUIK1Opjo>NEFlwNaIxxp6A%_wpIFa!)0L8hOK&fq!S?fcG#AcRrpF7{CChv1M z<}Qu@Z)F;(m%ig}x52xMO>QrK7V>5}zboJLTi|Z_NhO&+xt*JDt-5$>7UQPReQX-R z%hrGBo*$g`a2Z#INvn1Iajz+zOBDn+ZDEP}wn%zfwbC4;hjlT#KkL{xrrO+-pJ1D2 z&{`13b66(Y%F5_lQF@TV-b>GRzBevVn!y}9V`54AG{bG1=BsSFG_AeC=D_hQC;VrJ z`Ki*zvHu3Noy-jPc_J0;~Z}6VFb>cAv4yU~*4xM3KCe_>d z_wrj2gA47Be;&=(x?Mi?9k+?gR>#?aOJs8@TYMXiKGHvPRW0q!@)d#0M46Zw85kEg z9yMq@WFQMHE@b&w#IWacU}gqNE3*KLl?JQ@fdM~AfiNTEe->5)W*}w22NK{139tYY zaT_TXNK`mKnYSeHS+<*%dz5ZfWL`y!7-0*r6eqgZp67oNC@xCWj&@3BVT4FOU2ss9u@HeUp*VPl!m80y5nGQ`nk#jrh+uD zq`>PZg+44%_!xJf?`B7_TwWT(HqB`|;&NHbE8LbX`n2Zm%)Qr}MVIr2ChF#=PgUqN zI<0?YQ(E>@l@oWKnoN$JUoA1|zebg`>(PDfbIJu)Sbfy|;n96YbAztb{%h+F1#a&< z)OaYM^23s}qzAuQ#VyNDyuN@89E;8}u*Y0$e%VK)GIlEW#*9n~n seReTSF`l)0W@u6)huI&#Uv?`e#U5Fmutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() ->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir 
}}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() @@ -1003,9 +1003,9 @@ TEST_P(SslSocketTest, GetUriWithUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1077,9 +1077,9 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
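Review bot: The literal `{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem` and its `unittest_key.pem` twin are now pasted verbatim into every server-context YAML in this file; the identical two-line replacement recurs in the hunks at `@@ -1077`, `-1099`, `-1287`, `-1395`, `-1422`, `-1443`, `-1470`, `-1620`, `-1648` and `-1743`, and the next fixture move will again touch every one of them. Since the YAML blocks are raw string literals, a pair of file-scope constants such as `constexpr absl::string_view kUnitTestCertPath = "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem";` spliced in with the same string-concatenation pattern the file already uses for `TEST_SAN_URI_CERT_256_HASH` would keep the path in one place. The switch from `{{ test_tmpdir }}` also suggests these certificates were previously produced at test time and are now checked-in files with a fixed notAfter; if so, it is worth confirming and noting in the test data README where that expiry is tracked.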
@@ -1099,9 +1099,9 @@ TEST_P(SslSocketTest, NoCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); @@ -1287,9 +1287,9 @@ TEST_P(SslSocketTest, NoCertUntrustedNotPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -1395,9 +1395,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1422,9 +1422,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1443,9 +1443,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1470,9 +1470,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1620,9 +1620,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1648,9 +1648,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -1743,9 +1743,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoClientCertificate common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1765,9 +1765,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCANoClientCertifi common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -1790,9 +1790,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongClientCertific common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1817,9 +1817,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCAWrongClientCert common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -1842,9 +1842,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"
@@ -2399,9 +2399,9 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
@@ -2456,9 +2456,9 @@ TEST_P(SslSocketTest, HalfClose) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
@@ -2534,14 +2534,193 @@ TEST_P(SslSocketTest, HalfClose) { dispatcher_->run(Event::Dispatcher::RunType::Block); } +TEST_P(SslSocketTest, ShutdownWithCloseNotify) { + const std::string server_ctx_yaml = R"EOF( + common_tls_context: + tls_certificates: + certificate_chain: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + validation_context: + trusted_ca: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" +)EOF"; + + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); + auto server_cfg = std::make_unique(server_tls_context, factory_context_); + ContextManagerImpl manager(time_system_); + Stats::TestUtil::TestStore server_stats_store; + ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager, + server_stats_store, std::vector{}); + + auto socket = std::make_shared( + Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, true); + Network::MockTcpListenerCallbacks listener_callbacks; + Network::MockConnectionHandler connection_handler; + Network::ListenerPtr listener = + dispatcher_->createListener(socket, listener_callbacks, true, ENVOY_TCP_BACKLOG_SIZE); + std::shared_ptr server_read_filter(new Network::MockReadFilter()); + std::shared_ptr client_read_filter(new Network::MockReadFilter()); + + const std::string client_ctx_yaml = R"EOF( + common_tls_context: + )EOF"; + + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); + auto client_cfg = std::make_unique(tls_context, factory_context_); + Stats::TestUtil::TestStore client_stats_store; + ClientSslSocketFactory 
client_ssl_socket_factory(std::move(client_cfg), manager, + client_stats_store); + Network::ClientConnectionPtr client_connection = dispatcher_->createClientConnection( + socket->localAddress(), Network::Address::InstanceConstSharedPtr(), + client_ssl_socket_factory.createTransportSocket(nullptr), nullptr); + Network::MockConnectionCallbacks client_connection_callbacks; + client_connection->enableHalfClose(true); + client_connection->addReadFilter(client_read_filter); + client_connection->addConnectionCallbacks(client_connection_callbacks); + client_connection->connect(); + + Network::ConnectionPtr server_connection; + Network::MockConnectionCallbacks server_connection_callbacks; + EXPECT_CALL(listener_callbacks, onAccept_(_)) + .WillOnce(Invoke([&](Network::ConnectionSocketPtr& socket) -> void { + server_connection = dispatcher_->createServerConnection( + std::move(socket), server_ssl_socket_factory.createTransportSocket(nullptr), + stream_info_); + server_connection->enableHalfClose(true); + server_connection->addReadFilter(server_read_filter); + server_connection->addConnectionCallbacks(server_connection_callbacks); + })); + EXPECT_CALL(*server_read_filter, onNewConnection()); + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { + Buffer::OwnedImpl data("hello"); + server_connection->write(data, true); + EXPECT_EQ(data.length(), 0); + })); + + EXPECT_CALL(*client_read_filter, onNewConnection()) + .WillOnce(Return(Network::FilterStatus::Continue)); + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)); + EXPECT_CALL(*client_read_filter, onData(BufferStringEqual("hello"), true)) + .WillOnce(Invoke([&](Buffer::Instance& read_buffer, bool) -> Network::FilterStatus { + read_buffer.drain(read_buffer.length()); + client_connection->close(Network::ConnectionCloseType::NoFlush); + return Network::FilterStatus::StopIteration; + })); + 
EXPECT_CALL(*server_read_filter, onData(_, true)); + + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose)); + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::RemoteClose)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { + server_connection->close(Network::ConnectionCloseType::NoFlush); + dispatcher_->exit(); + })); + + dispatcher_->run(Event::Dispatcher::RunType::Block); +} + +TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) { + const std::string server_ctx_yaml = R"EOF( + common_tls_context: + tls_certificates: + certificate_chain: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + validation_context: + trusted_ca: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" +)EOF"; + + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); + auto server_cfg = std::make_unique(server_tls_context, factory_context_); + ContextManagerImpl manager(time_system_); + Stats::TestUtil::TestStore server_stats_store; + ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager, + server_stats_store, std::vector{}); + + auto socket = std::make_shared( + Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, true); + Network::MockTcpListenerCallbacks listener_callbacks; + Network::MockConnectionHandler connection_handler; + Network::ListenerPtr listener = + dispatcher_->createListener(socket, listener_callbacks, true, ENVOY_TCP_BACKLOG_SIZE); + std::shared_ptr server_read_filter(new Network::MockReadFilter()); + std::shared_ptr client_read_filter(new Network::MockReadFilter()); + + const std::string client_ctx_yaml = R"EOF( + common_tls_context: + 
)EOF"; + + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); + auto client_cfg = std::make_unique(tls_context, factory_context_); + Stats::TestUtil::TestStore client_stats_store; + ClientSslSocketFactory client_ssl_socket_factory(std::move(client_cfg), manager, + client_stats_store); + Network::ClientConnectionPtr client_connection = dispatcher_->createClientConnection( + socket->localAddress(), Network::Address::InstanceConstSharedPtr(), + client_ssl_socket_factory.createTransportSocket(nullptr), nullptr); + Network::MockConnectionCallbacks client_connection_callbacks; + client_connection->enableHalfClose(true); + client_connection->addReadFilter(client_read_filter); + client_connection->addConnectionCallbacks(client_connection_callbacks); + client_connection->connect(); + + Network::ConnectionPtr server_connection; + Network::MockConnectionCallbacks server_connection_callbacks; + EXPECT_CALL(listener_callbacks, onAccept_(_)) + .WillOnce(Invoke([&](Network::ConnectionSocketPtr& socket) -> void { + server_connection = dispatcher_->createServerConnection( + std::move(socket), server_ssl_socket_factory.createTransportSocket(nullptr), + stream_info_); + server_connection->enableHalfClose(true); + server_connection->addReadFilter(server_read_filter); + server_connection->addConnectionCallbacks(server_connection_callbacks); + })); + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { + Buffer::OwnedImpl data("hello"); + server_connection->write(data, false); + EXPECT_EQ(data.length(), 0); + // Close without sending close_notify alert. 
+ const SslHandshakerImpl* ssl_socket = + dynamic_cast(server_connection->ssl().get()); + EXPECT_EQ(ssl_socket->state(), Ssl::SocketState::HandshakeComplete); + SSL_set_quiet_shutdown(ssl_socket->ssl(), 1); + server_connection->close(Network::ConnectionCloseType::NoFlush); + })); + + EXPECT_CALL(*client_read_filter, onNewConnection()) + .WillOnce(Return(Network::FilterStatus::Continue)); + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)); + EXPECT_CALL(*client_read_filter, onData(BufferStringEqual("hello"), true)) + .WillOnce(Invoke([&](Buffer::Instance& read_buffer, bool) -> Network::FilterStatus { + read_buffer.drain(read_buffer.length()); + client_connection->close(Network::ConnectionCloseType::NoFlush); + return Network::FilterStatus::StopIteration; + })); + + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose)); + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { dispatcher_->exit(); })); + + dispatcher_->run(Event::Dispatcher::RunType::Block); +} + TEST_P(SslSocketTest, ClientAuthMultipleCAs) { const std::string server_ctx_yaml = R"EOF( common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" 
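Review bot: In ShutdownWithoutCloseNotify the `dynamic_cast` of `server_connection->ssl().get()` to `const SslHandshakerImpl*` is dereferenced on the following line without a null check, so a mismatched concrete type crashes the test instead of failing it; add `ASSERT_NE(ssl_socket, nullptr);` before the `EXPECT_EQ(ssl_socket->state(), ...)`. The same test then expects the client read filter to receive `onData(BufferStringEqual("hello"), true)` after the server closed via `SSL_set_quiet_shutdown`, i.e. a bare TCP FIN with no close_notify is surfaced as a clean end of stream; since that is precisely the condition under which a TLS truncation goes unnoticed, the expectation deserves a comment such as `// No close_notify was sent: the peer's FIN is still reported as end_stream=true, not as an error.` so the behaviour is not later changed silently in either direction. Both new tests also build their mock read filters with raw `new`; `std::make_shared<Network::MockReadFilter>()` is the conventional form.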
@@ -2856,9 +3035,9 @@ TEST_P(SslSocketTest, TicketSessionResumption) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2880,9 +3059,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionCustomTimeout) {
 tls_maximum_protocol_version: TLSv1_2
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2902,9 +3081,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWithClientCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -2931,9 +3110,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2943,9 +3122,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b"
@@ -2965,9 +3144,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2977,9 +3156,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" @@ -3140,9 +3319,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; @@ -3158,9 +3337,9 @@ TEST_P(SslSocketTest, SatelessSessionResumptionEnabledExplicitly) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; 
@@ -3176,9 +3355,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionEnabledByDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3195,9 +3374,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -3208,9 +3387,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" 
@@ -3482,9 +3661,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3503,9 +3682,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3525,9 +3704,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3550,9 +3729,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3575,9 +3754,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3596,9 +3775,9 @@ TEST_P(SslSocketTest, SslError) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" 
@@ -4103,9 +4282,9 @@ TEST_P(SslSocketTest, RevokedCertificate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -4147,9 +4326,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem"
@@ -4197,9 +4376,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem"
@@ -4222,9 +4401,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem"
@@ -4286,9 +4465,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem"
@@ -4307,9 +4486,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem"
@@ -4735,9 +4914,9 @@ class SslReadBufferLimitTest : public SslSocketTest {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -4884,13 +5063,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: sign
 sync_mode: false
 mode: rsa
@@ -4918,13 +5097,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: decrypt
 sync_mode: false
 mode: rsa
@@ -4952,13 +5131,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: sign
 sync_mode: true
 mode: rsa
@@ -4986,13 +5165,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncDecryptSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: decrypt
 sync_mode: true
 mode: rsa
@@ -5020,13 +5199,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignFailure) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: sign
 sync_mode: false
 crypto_error: true
@@ -5055,13 +5234,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true crypto_error: true @@ -5090,13 +5269,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign method_error: true mode: rsa @@ -5124,13 +5303,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderDecryptFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt method_error: true mode: rsa 
@@ -5158,13 +5337,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign async_method_error: true mode: rsa @@ -5193,13 +5372,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt async_method_error: true mode: rsa @@ -5247,7 +5426,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa 
@@ -5287,7 +5466,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5367,7 +5546,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false async_method_error: true @@ -5411,7 +5590,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5438,11 +5617,11 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5454,7 +5633,8 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); @@ -5468,11 +5648,11 @@ TEST_P(SslSocketTest, TestNoOcspStapleWhenNotEnabledOnClient) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5491,11 +5671,11 @@ TEST_P(SslSocketTest, TestOcspStapleOmittedOnSkipStaplingAndResponseExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5514,11 +5694,11 @@ TEST_P(SslSocketTest, TestConnectionFailsOnStapleRequiredAndOcspExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5537,9 +5717,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsWhenRejectOnExpiredNoOcspResponse) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: strict_stapling )EOF"; @@ -5558,11 +5738,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenRejectOnExpiredAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: strict_stapling )EOF"; 
@@ -5582,11 +5762,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -5606,11 +5786,11 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; 
@@ -5626,7 +5806,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio {{"envoy.reloadable_features.check_ocsp_policy", "false"}}); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); testUtil(test_options.enableOcspStapling() @@ -5639,9 +5821,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertNoValidationNoRespo common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5667,17 +5849,17 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5689,7 +5871,8 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) - TLS_RSA_WITH_AES_128_GCM_SHA256 )EOF"; - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); 
@@ -5703,17 +5886,17 @@ TEST_P(SslSocketTest, TestConnectionFailsOnMultipleCertificatesNonePassOcspPolic common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh index d3ad086c98d4e..b1155f18d9fe0 100755 --- a/test/extensions/transport_sockets/tls/test_data/certs.sh +++ b/test/extensions/transport_sockets/tls/test_data/certs.sh @@ -256,3 +256,7 @@ openssl rand 79 > ticket_key_wrong_len # Generate a certificate with no subject CN and no altnames. generate_rsa_key no_subject generate_x509_cert_nosubject no_subject ca + +# Generate unit test certificate +generate_rsa_key unittest +generate_selfsigned_x509_cert unittest 
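Review bot: The certificate these two lines generate has a fixed validity window and the committed copy already pins it: `TEST_UNITTEST_CERT_NOT_AFTER` in the new unittest_cert_info.h reads `Oct 21 23:07:58 2022 GMT`, so the ssl_socket_test cases that now load unittest_cert.pem from test_rundir will start failing on that date with nothing in this script saying why. A comment at the new lines would save the next person the archaeology, e.g. `# Self-signed, test-only cert used by ssl_socket_test; regenerate unittest_cert.pem, unittest_key.pem and unittest_cert_info.h together when it expires.`. If the old `{{ test_tmpdir }}/unittestcert.pem` variant was generated at test run time, this change also swaps a run-time openssl dependency for a checked-in test key pair, which is fine for test data but worth stating in the commit message.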
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
new file mode 100644
index 0000000000000..2e485f9fa0c56
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
@@ -0,0 +1,23 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = US
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Unit Test CA
+commonName_default = Unit Test CA
+commonName_max = 64
+emailAddress = unittest@lyft.com
+emailAddress_default = unittest@lyft.com
+emailAddress_max = 64
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
new file mode 100644
index 0000000000000..6ff804b3e4de5
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwzCCAqsCFFhdk4KsJ1P+AdrZbrUMmzyfNxrPMA0GCSqGSIb3DQEBCwUAMIGd +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu +IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl +cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0 +dGVzdEBseWZ0LmNvbTAeFw0yMDEwMjEyMzA3NThaFw0yMjEwMjEyMzA3NThaMIGd +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu +IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl +cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0 +dGVzdEBseWZ0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL93 +hRLp1s4yNZHUzG+ofX13rgNfiRC9pFVJt4aZYldh440+ZfQDotPsQCaa1Nm+zPHz +leZCxWfRVK82VGWmVy3PLExzuMr8Ar/ypwvQXxnCaZAeIYd1e917LM21jHu/CfV8 +VLF1ZtrknowZWoCll1CarmYDkQfYDSk+RcQo8XIkLeYV5JHbGK7jGoDMYmBO2Gdp +XW4FpVi9vb7pRUfUu3ot0q1SCYGew+YrwT3yWteku66nw8cutIQEbEo00OI8wbHG +Vuh7yY8bTdBS9r4rsQpOCSm6k5a1eKPpv8CfJdKyuXDbx2gbvFjFF6hjgp8+LCE2 +0GpLvf0VMxOVf9XZE/cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAt9aJc3imaGQD +1+c81ZiItdBpFJRLuO1MHmXgwJUnouJz4uT+KFkDbThaABg/L3Q/s0boWy+u9S5s +ae8FcFvniMUBIjKzkizw6ZI6xTG6VMPDTklwWxNrNEzIBkNrcUkje/X/reyi56B+ +cbjpRJ8j0joV6xqBMFn+qMPIvAMSDJD4lMnjSxGZliDIlPvuk96RVNlF8Y18d/6G +ThWuVgN3CyoG+JXs2sSGbqLzWCnB8zgU0VN7CZZu4yh/cE9uNc0z5M66Adrh4eJl +pO/WWWxXHxIveRtH7DV9vhWE78KJRCcIec5Ta+X1evX1beKiNZd/5Elkyb613hTJ +lCkcOlSebQ== +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h new file mode 100644 index 0000000000000..bc725d6e6b4ee --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h 
@@ -0,0 +1,8 @@
+// NOLINT(namespace-envoy)
+constexpr char TEST_UNITTEST_CERT_256_HASH[] =
+ "36c86c016f8b243b681a094c11d394ac06edac336a3ece479a1b2eeb455b1492";
+constexpr char TEST_UNITTEST_CERT_1_HASH[] = "82be621a0f4b6046365496788befbe2e95977eb1";
+constexpr char TEST_UNITTEST_CERT_SPKI[] = "eWpfAfOA1JddINxIW/64Lc6XHpeo0u9IHx6dE42p9jw=";
+constexpr char TEST_UNITTEST_CERT_SERIAL[] = "585d9382ac2753fe01dad96eb50c9b3c9f371acf";
+constexpr char TEST_UNITTEST_CERT_NOT_BEFORE[] = "Oct 21 23:07:58 2020 GMT";
+constexpr char TEST_UNITTEST_CERT_NOT_AFTER[] = "Oct 21 23:07:58 2022 GMT";
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_key.pem b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
new file mode 100644
index 0000000000000..dd3456d15fb62
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAv3eFEunWzjI1kdTMb6h9fXeuA1+JEL2kVUm3hpliV2HjjT5l +9AOi0+xAJprU2b7M8fOV5kLFZ9FUrzZUZaZXLc8sTHO4yvwCv/KnC9BfGcJpkB4h +h3V73XsszbWMe78J9XxUsXVm2uSejBlagKWXUJquZgORB9gNKT5FxCjxciQt5hXk +kdsYruMagMxiYE7YZ2ldbgWlWL29vulFR9S7ei3SrVIJgZ7D5ivBPfJa16S7rqfD +xy60hARsSjTQ4jzBscZW6HvJjxtN0FL2viuxCk4JKbqTlrV4o+m/wJ8l0rK5cNvH +aBu8WMUXqGOCnz4sITbQaku9/RUzE5V/1dkT9wIDAQABAoIBAFZlFAMIyQiZ11pK +b0Ui/h0TV83l2e9X40Mo1EtEAv/zB77AHTkSOvLtc7T3wHvQgKHcjBMupezGpDO7 +jDGh8UyWYyLMROIy/Pqn/4BxMbhp5UBGmFKLTK0P25OnDBD6jv/abkz08MhsyK3m +8tOB5NlWMsONcG/dqXKmysxMvUYHDMlF3Re5PmvyWVKpclqYxWWXRSAy/FygSUPN +bCwKSv1QXytNefkN7n/G8WaGLU52pff3HMpt4JwTl5rnOiPRZGowFPJnNgO9uW85 +Rj620Db+MZzmJvTeSkxgpIUYUuDtgrvARYa+4y0Lajl4EHkCKg0YYzXbDPORFQ3M +WwN9LqECgYEA8B5I/lYU2QNyIlHjXx2KeKArCriL5sd0KCBHgcE586wyVb5vonET +ovNq8IH+2F4h8d+gbkzoQ2oGYsmM1AiCoxkio6c2KgAUHBbpGfjf92zSDirqBTqg +xha25eXElbu44EkiDWxpy944LkFlNiCLb9+5yqyfqqyixvxRtSBWtAsCgYEAzCF2 +WFn73i7zBNA/6yjodLUXy0BUjL38WV4HU3WDEbPp28e/+NLoWXH/B9BH950J+EGI +LPwjpk6ODhYeMknsdzYV8X5RkOuft7B0yrrdInN+vtIlvZmRd47esuJTcnj3zuUB +2B4TkmWUFf6kLn+TXwLB0wbsj9ieZMJzQkdSx0UCgYEAlBjJwnyLTTHv4jUJfK+2 +qSF4ips6RnN8NAd8sw3fVWg+f13+cn01tEpYCdDTwtWEMC9SPtWWZ4XsPF+9SUWa +dUfacn9+S7dSr+R9jvROBsgKYoybW/BGGwcFdZQahJOMumDA7PCR7Bi6I+VXrGO0 +PKMLb3K648SofPxA1OsGLvMCgYEAqzOhYuZNRIIR1cam5R6RH1jGlPPmNYgdvgIL +mOakv9Mp3ud/zTtuHZ5rK212/mhZ9TlY8YmiiJe3sn7AYqL3TOAytTChTi8f7Fp1 +CZaBYqSE95uehY7nnuNXSaZiIE7uXzpYOp63AYBqG6xOnKTov7W7Q7a57sbZyV4A +duUEuxUCgYEAnxFo8ln1H2QcxQS/y8l8r4MRXj9weDhlp/eXtfgd8JiJ5m+E6r+D +tr2wg6Q92ertogdaMvXiPfi/5qiTqsJvTahqx1E2WYRHxywkfbte1a/3bGNxe3Gr +bba7Pd1JXwJ1s8ahB7yoS/xyYLSl5fmE3N14j8wwkmtv1q3TNstmg3Y= +-----END RSA PRIVATE KEY----- From 08c9c49a46fcbf153919f8aef7f403569b378654 Mon Sep 17 00:00:00 2001 
From: Taylor Barrella Date: Thu, 14 Jan 2021 16:04:29 -0800 Subject: [PATCH 07/11] backport to 1.16: aggregate cluster: fix TLS init issue (#14456) Additional Description: Based on #14388 Risk Level: Low Testing: Build and run the repro from #14119 without crashing, `bazel test test/extensions/clusters/aggregate:cluster_test` Docs Changes: N/A Release Notes: #14119 Signed-off-by: Taylor Barrella --- docs/root/version_history/current.rst | 1 + source/extensions/clusters/aggregate/cluster.cc | 4 +++- test/mocks/thread_local/mocks.h | 9 ++++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index ce19f6f7fbcaf..97285daa7e90b 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -13,6 +13,7 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* +* aggregate cluster: fixed a crash due to a TLS initialization issue. * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). * tls: fix detection of the upstream connection close event. diff --git a/source/extensions/clusters/aggregate/cluster.cc b/source/extensions/clusters/aggregate/cluster.cc index 958c678d02024..2042ffe866a9b 100644 --- a/source/extensions/clusters/aggregate/cluster.cc +++ b/source/extensions/clusters/aggregate/cluster.cc 
@@ -20,7 +20,9 @@ Cluster::Cluster(const envoy::config::cluster::v3::Cluster& cluster,
 : Upstream::ClusterImplBase(cluster, runtime, factory_context, std::move(stats_scope), added_via_api), cluster_manager_(cluster_manager), runtime_(runtime), random_(random),
- tls_(tls.allocateSlot()), clusters_(config.clusters().begin(), config.clusters().end()) {}
+ tls_(tls.allocateSlot()), clusters_(config.clusters().begin(), config.clusters().end()) {
+ tls_->set([](Event::Dispatcher&) { return nullptr; });
+}
 PriorityContextPtr Cluster::linearizePrioritySet(const std::function& skip_predicate) {
diff --git a/test/mocks/thread_local/mocks.h b/test/mocks/thread_local/mocks.h
index dc6518c5068a9..b3cdd0cc55393 100644
--- a/test/mocks/thread_local/mocks.h
+++ b/test/mocks/thread_local/mocks.h
@@ -58,17 +58,23 @@ class MockInstance : public Instance {
 }
 // ThreadLocal::Slot
- ThreadLocalObjectSharedPtr get() override { return parent_.data_[index_]; }
+ ThreadLocalObjectSharedPtr get() override {
+ EXPECT_TRUE(was_set_);
+ return parent_.data_[index_];
+ }
 bool currentThreadRegistered() override { return parent_.registered_; }
 void runOnAllThreads(const UpdateCb& cb) override {
+ EXPECT_TRUE(was_set_);
 parent_.runOnAllThreads([cb, this]() { parent_.data_[index_] = cb(parent_.data_[index_]); });
 }
 void runOnAllThreads(const UpdateCb& cb, Event::PostCb main_callback) override {
+ EXPECT_TRUE(was_set_);
 parent_.runOnAllThreads([cb, this]() { parent_.data_[index_] = cb(parent_.data_[index_]); },
 main_callback);
 }
 void set(InitializeCb cb) override {
+ was_set_ = true;
 if (parent_.defer_data) {
 parent_.deferred_data_[index_] = cb;
 } else {
@@ -78,6 +84,7 @@ class MockInstance : public Instance {
 MockInstance& parent_;
 const uint32_t index_;
+ bool was_set_{}; // set() must be called before other functions.
 };
 void call() {
From 55c8686d4321d0d11a8f5f16c13ef0934588e4f6 Mon Sep 17 00:00:00 2001
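Review bot: The new constructor body installs a null thread-local object with no comment on why an empty `set()` is needed at construction, so a reader cannot tell whether `tls_->get()` returning nullptr is an expected state. The mocks.h change in the same commit shows the motivation — the slot must be set before `get()` or `runOnAllThreads()` is used — so state it at the call site: `// Seed the slot with a null object: a ThreadLocal slot must be set() before get()/runOnAllThreads() may be called on it.` Any code that dereferences the result of `tls_->get()` unconditionally now observes a null object until a real object is installed; whether such a caller exists is outside this hunk.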
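Review bot: The three new `EXPECT_TRUE(was_set_)` checks are non-fatal, so a test that violates the ordering logs the failure and then continues into `parent_.data_[index_]` or the callback exactly as before; that is the only option inside a non-void `get()`, but the comment on the member should say so, e.g. `bool was_set_{}; // set() must be called before other functions; a violation is reported, not aborted.` Note also that `was_set_` is raised even when `parent_.defer_data` only stashes the callback in `deferred_data_`, so the check enforces call order, not that `data_[index_]` has been populated. The body of `set()` continues past the hunk.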
From: Rei Shimizu Date: Mon, 8 Feb 2021 13:54:58 +0900 Subject: [PATCH 08/11] backport 1.16: ci: fix docs tag build (#14761) * ci: fix docs tag build Signed-off-by: Lizan Zhou * review Signed-off-by: Shikugawa * add versionversion Signed-off-by: Shikugawa * add versionversion Signed-off-by: Shikugawa * add versionversion Signed-off-by: Shikugawa * add versionversion Signed-off-by: Shikugawa * master -> main Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * ci: fix CodeQL-build by removing deprecated set-env command (#14046) Signed-off-by: Taylor Barrella Signed-off-by: Shikugawa * deps: Add more SHAs to configs and kafka requirements.txt (#14887) Signed-off-by: Dhi Aurrahman Signed-off-by: Shikugawa Co-authored-by: Lizan Zhou Co-authored-by: Taylor Barrella Co-authored-by: Dhi Aurrahman --- .azure-pipelines/pipelines.yml | 1 + .github/workflows/codeql-push.yml | 4 +++- .github/workflows/get_build_targets.sh | 2 +- ci/filter_example_setup.sh | 1 + configs/requirements.txt | 4 +++- source/extensions/filters/network/kafka/requirements.txt | 4 +++- 6 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml index e60c04242b8d8..1f32c23ffc5d2 100644 --- a/.azure-pipelines/pipelines.yml +++ b/.azure-pipelines/pipelines.yml @@ -53,6 +53,7 @@ stages: - script: ci/run_envoy_docker.sh 'ci/do_ci.sh docs' workingDirectory: $(Build.SourcesDirectory) env: + AZP_BRANCH: $(Build.SourceBranch) ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory) BAZEL_REMOTE_CACHE: grpcs://remotebuildexecution.googleapis.com BAZEL_REMOTE_INSTANCE: projects/envoy-ci/instances/default_instance diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index d6110bbddca2c..fbe091a90ec00 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml 
@@ -24,7 +24,9 @@ jobs:
 - name: Get build targets
 run: |
 . .github/workflows/get_build_targets.sh
- echo ::set-env name=BUILD_TARGETS::$(echo $BUILD_TARGETS_LOCAL)
+ echo 'BUILD_TARGETS<> $GITHUB_ENV
+ echo $BUILD_TARGETS_LOCAL >> $GITHUB_ENV
+ echo 'EOF' >> $GITHUB_ENV
 # If this run was triggered by a pull request event, then checkout
 # the head of the pull request instead of the merge commit.
 - run: git checkout HEAD^2
diff --git a/.github/workflows/get_build_targets.sh b/.github/workflows/get_build_targets.sh
index c8d63b8dad8c1..eaca403c4daae 100755
--- a/.github/workflows/get_build_targets.sh
+++ b/.github/workflows/get_build_targets.sh
@@ -23,6 +23,6 @@ function get_targets() {
 }
 # Fetching the upstream HEAD to compare with and stored in FETCH_HEAD.
-git fetch https://github.com/envoyproxy/envoy.git master 2>/dev/null
+git fetch https://github.com/envoyproxy/envoy.git main 2>/dev/null
 export BUILD_TARGETS_LOCAL=$(echo $(get_targets))
diff --git a/ci/filter_example_setup.sh b/ci/filter_example_setup.sh
index 0fd954bf2319a..fb25eb2100091 100644
--- a/ci/filter_example_setup.sh
+++ b/ci/filter_example_setup.sh
@@ -25,6 +25,7 @@ sed -e "s|{ENVOY_SRCDIR}|${ENVOY_SRCDIR}|" "${ENVOY_SRCDIR}"/ci/WORKSPACE.filter
 mkdir -p "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/bazel
 ln -sf "${ENVOY_SRCDIR}"/bazel/get_workspace_status "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/bazel/
 cp -f "${ENVOY_SRCDIR}"/.bazelrc "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/
+cp -f --remove-destination "${ENVOY_SRCDIR}"/.bazelversion "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/
 cp -f "$(bazel info workspace)"/*.bazelrc "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/
 export FILTER_WORKSPACE_SET=1
diff --git a/configs/requirements.txt b/configs/requirements.txt
index 07e1fe994fc33..1977ddd0bd3ad 100644
--- a/configs/requirements.txt
+++ b/configs/requirements.txt
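Review bot: The multi-line `$GITHUB_ENV` write uses the fixed delimiter `EOF` and an unquoted `$BUILD_TARGETS_LOCAL`; that variable is assembled by get_build_targets.sh from the changed-file set of the commit under test, and the step below checks out pull-request heads, so a line in it equal to the delimiter would end the value early and let whatever follows be read as further environment assignments. GitHub's guidance for this pattern is a delimiter that cannot occur in the data, with the value quoted: `delim="BUILD_TARGETS_$RANDOM$RANDOM"`, `echo "BUILD_TARGETS<<$delim" >> "$GITHUB_ENV"`, `printf '%s\n' "$BUILD_TARGETS_LOCAL" "$delim" >> "$GITHUB_ENV"`. The first added line is rendered here as `echo 'BUILD_TARGETS<> $GITHUB_ENV`, which looks like an extraction artefact for `echo 'BUILD_TARGETS<<EOF' >> $GITHUB_ENV`; confirm against the source before relying on this reading.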
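Review bot: `cp -f --remove-destination` is a GNU coreutils option; the BSD/macOS cp used when this script runs outside the CI image rejects it, unlike the plain `cp -f` on the neighbouring lines. If the intent is to replace a .bazelversion that may be a symlink rather than write through it, `rm -f "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/.bazelversion && cp -f "${ENVOY_SRCDIR}"/.bazelversion "${ENVOY_FILTER_EXAMPLE_SRCDIR}"/` is portable and says the same thing. Either way a comment explaining why this one copy differs from the others, e.g. `# .bazelversion may already be a symlink into the Envoy tree; replace it rather than write through it.`, would stop someone "fixing" it back to plain `cp -f`.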
@@ -34,4 +34,6 @@ MarkupSafe==1.1.1 \
 --hash=sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f \
 --hash=sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2 \
 --hash=sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7 \
- --hash=sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be
+ --hash=sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be \
+ --hash=sha256:d73a845f227b0bfe8a7455ee623525ee656a9e2e749e4742706d80a6065d5e2c
+
diff --git a/source/extensions/filters/network/kafka/requirements.txt b/source/extensions/filters/network/kafka/requirements.txt
index 07e1fe994fc33..1977ddd0bd3ad 100644
--- a/source/extensions/filters/network/kafka/requirements.txt
+++ b/source/extensions/filters/network/kafka/requirements.txt
@@ -34,4 +34,6 @@ MarkupSafe==1.1.1 \
 --hash=sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f \
 --hash=sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2 \
 --hash=sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7 \
- --hash=sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be
+ --hash=sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be \
+ --hash=sha256:d73a845f227b0bfe8a7455ee623525ee656a9e2e749e4742706d80a6065d5e2c
+
From 7d45fe9476df971bd04f2c8e58ee19b879f806b3 Mon Sep 17 00:00:00 2001 From: Rei Shimizu Date: Fri, 12 Feb 2021 02:56:38 +0900 Subject: [PATCH 09/11] backport 1.16: scaled range timer: guard against queue deletion during timer fire (#14799) (#15007) Fix a potential use-after-free error in ScaledRangeTimerManagerImpl by adding a processing_timers_ flag to the timer queues that is set during onQueueTimerFired processing. This flag is checked when a timer is removed to ensure that the timer's queue isn't deleted while it is in a callback triggered by onQueueTimerFired. Signed-off-by: Craig Radcliffe
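Review bot: A fifth `--hash` is appended to MarkupSafe==1.1.1 without recording which published artifact it belongs to, and the same edit appears verbatim in the source/extensions/filters/network/kafka/requirements.txt hunk on this line (the two files share blob ids, so they are copies). Under hash-checking mode every listed hash widens the set of artifacts pip will accept, so the provenance should be stated — in the commit message or a trailing comment such as `# one --hash per published sdist/wheel; regenerate with pip-compile --generate-hashes` — and the two files kept in sync from one source rather than hand-edited in parallel. The new trailing blank `+` line at end of file in both copies is noise.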
Signed-off-by: Shikugawa --- docs/root/version_history/current.rst | 1 + .../event/scaled_range_timer_manager.cc | 8 ++- .../common/event/scaled_range_timer_manager.h | 4 ++ .../event/scaled_range_timer_manager_test.cc | 50 +++++++++++++++++++ 4 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 97285daa7e90b..28bf35fa34413 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -15,6 +15,7 @@ Bug Fixes
 * aggregate cluster: fixed a crash due to a TLS initialization issue.
 * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection().
+* overload: fix a bug that can cause use-after-free when one scaled timer disables another one with the same duration.
 * tls: fix detection of the upstream connection close event.
 Removed Config or Runtime
diff --git a/source/common/event/scaled_range_timer_manager.cc b/source/common/event/scaled_range_timer_manager.cc
index 10ac02b713cda..e90b0cc59c919 100644
--- a/source/common/event/scaled_range_timer_manager.cc
+++ b/source/common/event/scaled_range_timer_manager.cc
@@ -208,7 +208,11 @@ void ScaledRangeTimerManager::removeTimer(ScalingTimerHandle handle) {
 handle.queue_.range_timers_.erase(handle.iterator_);
 // Don't keep around empty queues
 if (handle.queue_.range_timers_.empty()) {
- queues_.erase(handle.queue_);
+ // Skip erasing the queue if we're in the middle of processing timers for the queue. The
+ // queue will be erased in `onQueueTimerFired` after the queue entries have been processed.
+ if (!handle.queue_.processing_timers_) {
+ queues_.erase(handle.queue_);
+ }
 return;
 }
@@ -238,12 +242,14 @@ void ScaledRangeTimerManager::onQueueTimerFired(Queue& queue) {
 // Pop and trigger timers until the one at the front isn't supposed to have expired yet (given the
 // current scale factor).
+ queue.processing_timers_ = true;
 while (!timers.empty() && computeTriggerTime(timers.front(), queue.duration_, scale_factor_) <= now) {
 auto item = std::move(queue.range_timers_.front());
 queue.range_timers_.pop_front();
 item.timer_.trigger();
 }
+ queue.processing_timers_ = false;
 if (queue.range_timers_.empty()) {
 // Maintain the invariant that queues are never empty.
diff --git a/source/common/event/scaled_range_timer_manager.h b/source/common/event/scaled_range_timer_manager.h
index 1fbd51c8c86ee..db24c5a7d556d 100644
--- a/source/common/event/scaled_range_timer_manager.h
+++ b/source/common/event/scaled_range_timer_manager.h
@@ -81,6 +81,10 @@ class ScaledRangeTimerManager {
 // 2) on expiration
 // 3) when the scale factor changes
 const TimerPtr timer_;
+
+ // A flag indicating whether the queue is currently processing timers. Used to guard against
+ // queue deletion during timer processing.
+ bool processing_timers_{false};
 };
 /**
diff --git a/test/common/event/scaled_range_timer_manager_test.cc b/test/common/event/scaled_range_timer_manager_test.cc
index ff9bcab087726..f0a6d2edab3f2 100644
--- a/test/common/event/scaled_range_timer_manager_test.cc
+++ b/test/common/event/scaled_range_timer_manager_test.cc
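Review bot: `queue.processing_timers_` is raised before the trigger loop and lowered by a plain assignment after it, so the flag stays set on any early exit from the loop — an exception escaping `item.timer_.trigger()` in a build with exceptions enabled, or a future `return`/`break` — and from then on `removeTimer()` (previous hunk) will never erase this queue once it empties, leaving it in `queues_`. A scope guard makes the reset unconditional: keep `queue.processing_timers_ = true;` and follow it with `Cleanup reset_flag([&queue] { queue.processing_timers_ = false; });`, dropping the assignment after the loop. If `trigger()` can re-enter `onQueueTimerFired` for the same queue, the inner call would also lower the flag while the outer loop is still iterating; if that is reachable the guard should restore the previous value rather than write false. The post-loop `if (queue.range_timers_.empty())` is what now erases a queue whose last timer was removed from inside a callback, which is worth saying in the comment on `processing_timers_` in the header hunk below.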
@@ -147,6 +147,56 @@ TEST_F(ScaledRangeTimerManagerTest, DisableWhileScalingMax) { simTime().advanceTimeAndRun(std::chrono::seconds(100), dispatcher_, Dispatcher::RunType::Block); } +TEST_F(ScaledRangeTimerManagerTest, InCallbackDisableLastTimerInSameQueue) { + ScaledRangeTimerManager manager(dispatcher_); + + MockFunction callback1; + auto timer1 = manager.createTimer(callback1.AsStdFunction()); + MockFunction callback2; + auto timer2 = manager.createTimer(callback2.AsStdFunction()); + + timer1->enableTimer(std::chrono::seconds(0), std::chrono::seconds(95)); + timer2->enableTimer(std::chrono::seconds(5), std::chrono::seconds(100)); + + simTime().advanceTimeAndRun(std::chrono::seconds(5), dispatcher_, Dispatcher::RunType::Block); + + EXPECT_TRUE(timer1->enabled()); + EXPECT_TRUE(timer2->enabled()); + + EXPECT_CALL(callback1, Call).WillOnce(Invoke([&]() { + timer2->disableTimer(); + timer2.reset(); + })); + + // Run the dispatcher to make sure nothing happens when it's not supposed to. + simTime().advanceTimeAndRun(std::chrono::seconds(100), dispatcher_, Dispatcher::RunType::Block); +} + +TEST_F(ScaledRangeTimerManagerTest, InCallbackDisableTimerInOtherQueue) { + ScaledRangeTimerManager manager(dispatcher_); + + MockFunction callback1; + auto timer1 = manager.createTimer(callback1.AsStdFunction()); + MockFunction callback2; + auto timer2 = manager.createTimer(callback2.AsStdFunction()); + + timer1->enableTimer(std::chrono::seconds(5), std::chrono::seconds(95)); + timer2->enableTimer(std::chrono::seconds(5), std::chrono::seconds(100)); + + simTime().advanceTimeAndRun(std::chrono::seconds(5), dispatcher_, Dispatcher::RunType::Block); + + EXPECT_TRUE(timer1->enabled()); + EXPECT_TRUE(timer2->enabled()); + + EXPECT_CALL(callback1, Call).WillOnce(Invoke([&]() { + timer2->disableTimer(); + timer2.reset(); + })); + + // Run the dispatcher to make sure nothing happens when it's not supposed to. 
+ simTime().advanceTimeAndRun(std::chrono::seconds(100), dispatcher_, Dispatcher::RunType::Block); +} + TEST_F(ScaledRangeTimerManagerTest, DisableWithZeroMinTime) { ScaledRangeTimerManager manager(dispatcher_); From d63826718b0d7be7cabf499c5bd733d03da6a626 Mon Sep 17 00:00:00 2001 From: Rei Shimizu Date: Tue, 2 Mar 2021 08:29:36 +0900 Subject: [PATCH 10/11] backport 1.16: master -> main (#15221) 
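Review bot: Neither new test asserts that `callback2` is never invoked after `timer2->disableTimer()`; with a plain `MockFunction` an unexpected call is only an "uninteresting call" warning in gMock, so a regression where the disabled timer still fires would pass unless a sanitizer happens to catch the use of the reset `timer2`. Add `EXPECT_CALL(callback2, Call).Times(0);` before the final `advanceTimeAndRun` in both tests (or use a strict mock) so the test fails on its own. The two tests also differ only in `timer1`'s minimum time (0 vs 5), which is what moves it into a different queue — presumably because queues are keyed on the scalable range max−min — and a one-line comment stating that, e.g. `// (5, 95) and (5, 100) have different ranges, so they land in different queues.`, would save the next reader from re-deriving it.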
Signed-off-by: Shikugawa Co-authored-by: Matt Klein --- .azure-pipelines/pipelines.yml | 2 +- .bazelrc | 2 +- .../non--crash-security--bug.md | 4 +-- .github/workflows/get_build_targets.sh | 2 +- CONTRIBUTING.md | 14 ++++---- DEPENDENCY_POLICY.md | 4 +-- DEVELOPER.md | 31 +++++++++--------- EXTENSION_POLICY.md | 8 ++--- GOVERNANCE.md | 8 ++--- PULL_REQUEST_TEMPLATE.md | 2 +- README.md | 4 +-- RELEASES.md | 12 +++---- SECURITY.md | 16 +++++----- api/API_VERSIONING.md | 4 +-- api/CONTRIBUTING.md | 2 +- api/README.md | 4 +-- api/envoy/api/v2/core/protocol.proto | 2 +- api/envoy/config/core/v3/protocol.proto | 2 +- api/envoy/config/core/v4alpha/protocol.proto | 2 +- bazel/EXTERNAL_DEPS.md | 4 +-- bazel/PPROF.md | 4 +-- bazel/README.md | 14 ++++---- ci/README.md | 16 +++++----- ci/api_mirror.sh | 4 +-- ci/docker_ci.sh | 14 ++++---- ci/filter_example_mirror.sh | 4 +-- ci/go_mirror.sh | 2 +- docs/README.md | 4 +-- docs/publish.sh | 4 +-- docs/root/version_history/v1.11.0.rst | 2 +- docs/root/version_history/v1.14.0.rst | 2 +- docs/root/version_history/v1.4.0.rst | 2 +- docs/root/version_history/v1.8.0.rst | 16 +++++----- docs/root/version_history/v1.9.0.rst | 10 +++--- docs/root/version_history/version_history.rst | 2 +- .../grpc-bridge/docker-compose-protos.yaml | 2 +- .../envoy/api/v2/core/protocol.proto | 2 +- .../envoy/config/core/v3/protocol.proto | 2 +- .../envoy/config/core/v4alpha/protocol.proto | 2 +- include/envoy/http/filter.h | 2 +- security/email-templates.md | 6 ++-- security/postmortems/cve-2019-15225.md | 2 +- security/postmortems/cve-2019-9900.md | 2 +- source/common/config/config_provider_impl.h | 2 +- source/common/http/utility.cc | 2 +- source/common/stats/thread_local_store.h | 2 +- source/common/stats/utility.h | 8 ++--- source/docs/network_filter_fuzzing.md | 32 +++++++++---------- source/docs/repokitteh.md | 6 ++-- source/docs/stats.md | 17 +++++----- test/README.md | 8 ++--- test/common/upstream/health_check_fuzz.cc | 2 +- 
.../filters/network/common/fuzz/README.md | 4 +-- test/integration/stats_integration_test.cc | 4 +-- tools/api/generate_go_protobuf.py | 2 +- tools/git/last_github_commit.sh | 4 +-- tools/proto_format/proto_sync.py | 2 +- 57 files changed, 171 insertions(+), 173 deletions(-) diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml index 1f32c23ffc5d2..4babd9df8d0d6 100644 --- a/.azure-pipelines/pipelines.yml +++ b/.azure-pipelines/pipelines.yml @@ -1,7 +1,7 @@ trigger: branches: include: - - "master" + - "main" - "release/v*" tags: include: diff --git a/.bazelrc b/.bazelrc index dae08913379f4..7f26a625ada4b 100644 --- a/.bazelrc +++ b/.bazelrc @@ -226,7 +226,7 @@ build:remote-clang-cl --config=clang-cl build:remote-clang-cl --config=rbe-toolchain-clang-cl # Docker sandbox -# NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/master/toolchains/rbe_toolchains_config.bzl#L8 +# NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8 build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:b480535e8423b5fd7c102fd30c92f4785519e33a build:docker-sandbox --spawn_strategy=docker build:docker-sandbox --strategy=Javac=docker diff --git a/.github/ISSUE_TEMPLATE/non--crash-security--bug.md b/.github/ISSUE_TEMPLATE/non--crash-security--bug.md index 15c784680ecfc..5b80df378a022 100644 --- a/.github/ISSUE_TEMPLATE/non--crash-security--bug.md +++ b/.github/ISSUE_TEMPLATE/non--crash-security--bug.md 
@@ -22,7 +22,7 @@ returned, etc. > Include sample requests, environment, etc. All data and inputs required to reproduce the bug. ->**Note**: The [Envoy_collect tool](https://github.com/envoyproxy/envoy/blob/master/tools/envoy_collect/README.md) +>**Note**: The [Envoy_collect tool](https://github.com/envoyproxy/envoy/blob/main/tools/envoy_collect/README.md) gathers a tarball with debug logs, config and the following admin endpoints: /stats, /clusters and /server_info. Please note if there are privacy concerns, sanitize the data prior to sharing the tarball/pasting. @@ -46,4 +46,4 @@ sharing. *Call Stack*: > If the Envoy binary is crashing, a call stack is **required**. -Please refer to the [Bazel Stack trace documentation](https://github.com/envoyproxy/envoy/tree/master/bazel#stack-trace-symbol-resolution). +Please refer to the [Bazel Stack trace documentation](https://github.com/envoyproxy/envoy/tree/main/bazel#stack-trace-symbol-resolution). diff --git a/.github/workflows/get_build_targets.sh b/.github/workflows/get_build_targets.sh index eaca403c4daae..180ec67040b1e 100755 --- a/.github/workflows/get_build_targets.sh +++ b/.github/workflows/get_build_targets.sh @@ -6,7 +6,7 @@ readonly SEARCH_FOLDER="//source/common/..." set -e -o pipefail function get_targets() { - # Comparing the PR HEAD with the upstream master HEAD. + # Comparing the PR HEAD with the upstream main HEAD. git diff --name-only HEAD FETCH_HEAD | while IFS= read -r line do # Only targets under those folders. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1bef2955c288e..03eda5c52f071 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -47,7 +47,7 @@ versioning guidelines: * Features may be marked as deprecated in a given versioned API at any point in time, but this may only be done when a replacement implementation and configuration path is available in Envoy on - master. Deprecators must implement a conversion from the deprecated configuration to the latest + main. Deprecators must implement a conversion from the deprecated configuration to the latest `vNalpha` (with the deprecated field) that Envoy uses internally. A field may be deprecated if this tool would be able to perform the conversion. For example, removing a field to describe HTTP/2 window settings is valid if a more comprehensive HTTP/2 protocol options field is being @@ -72,7 +72,7 @@ versioning guidelines: config ([example](configs/using_deprecated_config.v2.yaml)). Finally, following the deprecation of the API major version where the field was first marked deprecated, the entire implementation code will be removed from the Envoy implementation. -* This policy means that organizations deploying master should have some time to get ready for +* This policy means that organizations deploying main should have some time to get ready for breaking changes at the next major API version. This is typically a window of at least 12 months or until the organization moves to the next major API version. * The breaking change policy also applies to source level extensions (e.g., filters). Code that @@ -143,7 +143,7 @@ versioning guidelines: * If your PR involves any changes to [envoy-filter-example](https://github.com/envoyproxy/envoy-filter-example) (for example making a new branch so that CI can pass) it is your responsibility to follow through with merging those - changes back to master once the CI dance is done. + changes back to main once the CI dance is done. * If your PR is a high risk change, the reviewer may ask that you runtime guard it. See the section on runtime guarding below. 
@@ -188,18 +188,18 @@ maintainer's discretion. Generally all runtime guarded features will be set true release is cut. Old code paths for refactors can be cleaned up after a release and there has been some production run time. Old code for behavioral changes will be deprecated after six months. Runtime features are set true by default by inclusion in -[source/common/runtime/runtime_features.cc](https://github.com/envoyproxy/envoy/blob/master/source/common/runtime/runtime_features.cc) +[source/common/runtime/runtime_features.cc](https://github.com/envoyproxy/envoy/blob/main/source/common/runtime/runtime_features.cc) There are four suggested options for testing new runtime features: -1. Create a per-test Runtime::LoaderSingleton as done in [DeprecatedFieldsTest.IndividualFieldDisallowedWithRuntimeOverride](https://github.com/envoyproxy/envoy/blob/master/test/common/protobuf/utility_test.cc) +1. Create a per-test Runtime::LoaderSingleton as done in [DeprecatedFieldsTest.IndividualFieldDisallowedWithRuntimeOverride](https://github.com/envoyproxy/envoy/blob/main/test/common/protobuf/utility_test.cc) 2. Create a [parameterized test](https://github.com/google/googletest/blob/master/googletest/docs/advanced.md#how-to-write-value-parameterized-tests) where the set up of the test sets the new runtime value explicitly to GetParam() as outlined in (1). 3. Set up integration tests with custom runtime defaults as documented in the - [integration test README](https://github.com/envoyproxy/envoy/blob/master/test/integration/README.md) + [integration test README](https://github.com/envoyproxy/envoy/blob/main/test/integration/README.md) 4. 
Run a given unit test with the new runtime value explicitly set true or false as done - for [runtime_flag_override_test](https://github.com/envoyproxy/envoy/blob/master/test/common/runtime/BUILD) + for [runtime_flag_override_test](https://github.com/envoyproxy/envoy/blob/main/test/common/runtime/BUILD) Runtime code is held to the same standard as regular Envoy code, so both the old path and the new should have 100% coverage both with the feature defaulting true diff --git a/DEPENDENCY_POLICY.md b/DEPENDENCY_POLICY.md index 4101e9bed9daf..c17acd4347ba0 100644 --- a/DEPENDENCY_POLICY.md +++ b/DEPENDENCY_POLICY.md @@ -40,7 +40,7 @@ Dependency declarations must: and `urls` to reference the version. If you need to reference version `X.Y.Z` as `X_Y_Z`, this may appear in a string as `{underscore_version}`, similarly for `X-Y-Z` you can use `{dash_version}`. -* Versions should prefer release versions over master branch GitHub SHA tarballs. A comment is +* Versions should prefer release versions over main branch GitHub SHA tarballs. A comment is necessary if the latter is used. This comment should contain the reason that a non-release version is being used. * Provide accurate entries for `use_category`. Please think carefully about whether there are data @@ -94,7 +94,7 @@ basis: * Extension [CODEOWNERS](CODEOWNERS) should update extension specific dependencies. -Where possible, we prefer the latest release version for external dependencies, rather than master +Where possible, we prefer the latest release version for external dependencies, rather than main branch GitHub SHA tarballs. ## Dependency patches diff --git a/DEVELOPER.md b/DEVELOPER.md index 465644c0e02ce..a3bc00b1a067c 100644 --- a/DEVELOPER.md +++ b/DEVELOPER.md 
@@ -1,38 +1,37 @@ # Developer documentation -Envoy is built using the Bazel build system. CircleCI builds, tests, and runs coverage against all pull requests and the master branch. +Envoy is built using the Bazel build system. CircleCI builds, tests, and runs coverage against all pull requests and the main branch. -To get started building Envoy locally, see the [Bazel quick start](https://github.com/envoyproxy/envoy/blob/master/bazel/README.md#quick-start-bazel-build-for-developers). -To run tests, there are Bazel [targets](https://github.com/envoyproxy/envoy/blob/master/bazel/README.md#testing-envoy-with-bazel) for Google Test. -To generate a coverage report, there is a [coverage build script](https://github.com/envoyproxy/envoy/blob/master/bazel/README.md#coverage-builds). +To get started building Envoy locally, see the [Bazel quick start](https://github.com/envoyproxy/envoy/blob/main/bazel/README.md#quick-start-bazel-build-for-developers). +To run tests, there are Bazel [targets](https://github.com/envoyproxy/envoy/blob/main/bazel/README.md#testing-envoy-with-bazel) for Google Test. +To generate a coverage report, there is a [coverage build script](https://github.com/envoyproxy/envoy/blob/main/bazel/README.md#coverage-builds). -If you plan to contribute to Envoy, you may find it useful to install the Envoy [development support toolchain](https://github.com/envoyproxy/envoy/blob/master/support/README.md), which helps automate parts of the development process, particularly those involving code review. +If you plan to contribute to Envoy, you may find it useful to install the Envoy [development support toolchain](https://github.com/envoyproxy/envoy/blob/main/support/README.md), which helps automate parts of the development process, particularly those involving code review. 
Below is a list of additional documentation to aid the development process: - [General build and installation documentation](https://www.envoyproxy.io/docs/envoy/latest/install/install) -- [Building and testing Envoy with Bazel](https://github.com/envoyproxy/envoy/blob/master/bazel/README.md) +- [Building and testing Envoy with Bazel](https://github.com/envoyproxy/envoy/blob/main/bazel/README.md) -- [Managing external dependencies with Bazel](https://github.com/envoyproxy/envoy/blob/master/bazel/EXTERNAL_DEPS.md) +- [Managing external dependencies with Bazel](https://github.com/envoyproxy/envoy/blob/main/bazel/EXTERNAL_DEPS.md) -- [Guide to Envoy Bazel rules (managing `BUILD` files)](https://github.com/envoyproxy/envoy/blob/master/bazel/DEVELOPER.md) +- [Guide to Envoy Bazel rules (managing `BUILD` files)](https://github.com/envoyproxy/envoy/blob/main/bazel/DEVELOPER.md) -- [Using Docker for building and testing](https://github.com/envoyproxy/envoy/tree/master/ci) +- [Using Docker for building and testing](https://github.com/envoyproxy/envoy/tree/main/ci) -- [Guide to contributing to Envoy](https://github.com/envoyproxy/envoy/blob/master/CONTRIBUTING.md) +- [Guide to contributing to Envoy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md) -- [Overview of Envoy's testing frameworks](https://github.com/envoyproxy/envoy/blob/master/test/README.md) +- [Overview of Envoy's testing frameworks](https://github.com/envoyproxy/envoy/blob/main/test/README.md) -- [Overview of how to write integration tests for new code](https://github.com/envoyproxy/envoy/blob/master/test/integration/README.md) +- [Overview of how to write integration tests for new code](https://github.com/envoyproxy/envoy/blob/main/test/integration/README.md) - [Envoy filter example project (how to consume and extend Envoy as a submodule)](https://github.com/envoyproxy/envoy-filter-example) -- [Performance testing Envoy with 
`tcmalloc`/`pprof`](https://github.com/envoyproxy/envoy/blob/master/bazel/PPROF.md) +- [Performance testing Envoy with `tcmalloc`/`pprof`](https://github.com/envoyproxy/envoy/blob/main/bazel/PPROF.md) And some documents on components of Envoy architecture: -- [Envoy flow control](https://github.com/envoyproxy/envoy/blob/master/source/docs/flow_control.md) - -- [Envoy's subset load balancer](https://github.com/envoyproxy/envoy/blob/master/source/docs/subset_load_balancer.md) +- [Envoy flow control](https://github.com/envoyproxy/envoy/blob/main/source/docs/flow_control.md) +- [Envoy's subset load balancer](https://github.com/envoyproxy/envoy/blob/main/source/docs/subset_load_balancer.md) diff --git a/EXTENSION_POLICY.md b/EXTENSION_POLICY.md index 0063a2a2139c4..24503c44c042b 100644 --- a/EXTENSION_POLICY.md +++ b/EXTENSION_POLICY.md @@ -15,7 +15,7 @@ The following procedure will be used when proposing new extensions for inclusion 2. All extensions must be sponsored by an existing maintainer. Sponsorship means that the maintainer will shepherd the extension through design/code reviews. Maintainers can self-sponsor extensions if they are going to write them, shepherd them, and maintain them. - + Sponsorship serves two purposes: * It ensures that the extension will ultimately meet the Envoy quality bar. * It makes sure that incentives are aligned and that extensions are not added to the repo without 
@@ -24,7 +24,7 @@ The following procedure will be used when proposing new extensions for inclusion *If sponsorship cannot be found from an existing maintainer, an organization can consider [doing the work to become a maintainer](./GOVERNANCE.md#process-for-becoming-a-maintainer) in order to be able to self-sponsor extensions.* - + 3. Each extension must have two reviewers proposed for reviewing PRs to the extension. Neither of the reviewers must be a senior maintainer. Existing maintainers (including the sponsor) and other contributors can count towards this number. The initial reviewers will be codified in the @@ -88,7 +88,7 @@ The `security_posture` is one of: * `unknown`: This is functionally equivalent to `requires_trusted_downstream_and_upstream`, but acts as a placeholder to allow us to identify extensions that need classifying. * `data_plane_agnostic`: Not relevant to data plane threats, e.g. stats sinks. - + An assessment of a robust security posture for an extension is subject to the following guidelines: * Does the extension have fuzz coverage? If it's only receiving fuzzing @@ -105,7 +105,7 @@ An assessment of a robust security posture for an extension is subject to the fo * Does the extension have active [CODEOWNERS](CODEOWNERS) who are willing to vouch for the robustness of the extension? * Is the extension absent a [low coverage - exception](https://github.com/envoyproxy/envoy/blob/master/test/per_file_coverage.sh#L5)? + exception](https://github.com/envoyproxy/envoy/blob/main/test/per_file_coverage.sh#L5)? The current stability and security posture of all extensions can be seen [here](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#core-and-extensions). diff --git a/GOVERNANCE.md b/GOVERNANCE.md index 767605eda2205..83b076adfbf8a 100644 --- a/GOVERNANCE.md +++ b/GOVERNANCE.md 
@@ -38,7 +38,7 @@ The areas of specialization listed in [OWNERS.md](OWNERS.md) can be used to help with routing an issue/question to the right person. * Triage build issues - file issues for known flaky builds or bugs, and either fix or find someone - to fix any master build breakages. + to fix any main build breakages. * During GitHub issue triage, apply all applicable [labels](https://github.com/envoyproxy/envoy/labels) to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply is somewhat subjective so just use your best judgment. A few of the most important labels that are @@ -77,7 +77,7 @@ or you can subscribe to the iCal feed [here](webcal://kubernetes.app.opsgenie.co "is:open is:issue milestone:[current milestone]" and either hold off until they are fixed or bump them to the next milestone. * Begin marshalling the ongoing PR flow in this repo. Ask maintainers to hold off merging any - particularly risky PRs until after the release is tagged. This is because we aim for master to be + particularly risky PRs until after the release is tagged. This is because we aim for main to be at release candidate quality at all times. * Do a final check of the [release notes](docs/root/version_history/current.rst): * Make any needed corrections (grammar, punctuation, formatting, etc.). @@ -89,7 +89,7 @@ or you can subscribe to the iCal feed [here](webcal://kubernetes.app.opsgenie.co "1.6.0". * Update the [RELEASES](RELEASES.md) doc with the relevant dates. * Get a review and merge. -* Wait for tests to pass on [master](https://dev.azure.com/cncf/envoy/_build). +* Wait for tests to pass on [main](https://dev.azure.com/cncf/envoy/_build). * Create a [tagged release](https://github.com/envoyproxy/envoy/releases). The release should start with "v" and be followed by the version number. E.g., "v1.6.0". **This must match the [VERSION](VERSION).** 
@@ -104,7 +104,7 @@ or you can subscribe to the iCal feed [here](webcal://kubernetes.app.opsgenie.co * Make sure we tweet the new release: either have Matt do it or email social@cncf.io and ask them to do an Envoy account post. * Do a new PR to setup the next version - * Update [VERSION](VERSION) to the next development release. E.g., "1.7.0-dev". + * Update [VERSION](VERSION) to the next development release. E.g., "1.7.0-dev". * `git mv docs/root/version_history/current.rst docs/root/version_history/v1.6.0.rst`, filling in the previous release version number in the filename, and add an entry for the new file in the `toctree` in [version_history.rst](docs/root/version_history/version_history.rst). diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md index 5a1545aacd7a1..083ea68ea7402 100644 --- a/PULL_REQUEST_TEMPLATE.md +++ b/PULL_REQUEST_TEMPLATE.md @@ -10,7 +10,7 @@ Thank you in advance for helping to keep Envoy secure. --> For an explanation of how to fill out the fields, please see the relevant section -in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/master/PULL_REQUESTS.md) +in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) Commit Message: Additional Description: diff --git a/README.md b/README.md index 3705c4e5bd55b..84697256efd1a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![Envoy Logo](https://github.com/envoyproxy/artwork/blob/master/PNG/Envoy_Logo_Final_PANTONE.png) +![Envoy Logo](https://github.com/envoyproxy/artwork/blob/main/PNG/Envoy_Logo_Final_PANTONE.png) [Cloud-native high-performance edge/middle/service proxy](https://www.envoyproxy.io/) 
@@ -66,7 +66,7 @@ have prior experience. To get started: * [Beginner issues](https://github.com/envoyproxy/envoy/issues?q=is%3Aopen+is%3Aissue+label%3Abeginner) * [Build/test quick start using docker](ci#building-and-running-tests-as-a-developer) * [Developer guide](DEVELOPER.md) -* Consider installing the Envoy [development support toolchain](https://github.com/envoyproxy/envoy/blob/master/support/README.md), which helps automate parts of the development process, particularly those involving code review. +* Consider installing the Envoy [development support toolchain](https://github.com/envoyproxy/envoy/blob/main/support/README.md), which helps automate parts of the development process, particularly those involving code review. * Please make sure that you let us know if you are working on an issue so we don't duplicate work! ## Community Meeting diff --git a/RELEASES.md b/RELEASES.md index 0a58aa22c4c28..b32e815c63cb1 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -2,7 +2,7 @@ ## Active development -Active development is happening on the `master` branch, and a new version is released from it +Active development is happening on the `main` branch, and a new version is released from it at the end of each quarter. ## Stable releases 
@@ -10,23 +10,23 @@ at the end of each quarter. Stable releases of Envoy include: * Extended maintenance window (any version released in the last 12 months). -* Security fixes backported from the `master` branch (including those deemed not worthy +* Security fixes backported from the `main` branch (including those deemed not worthy of creating a CVE). -* Stability fixes backported from the `master` branch (anything that can result in a crash, +* Stability fixes backported from the `main` branch (anything that can result in a crash, including crashes triggered by a trusted control plane). * Bugfixes, deemed worthwhile by the maintainers of stable releases. ### Hand-off Hand-off to the maintainers of stable releases happens after Envoy maintainers release a new -version from the `master` branch by creating a `vX.Y.0` tag and a corresponding `release/vX.Y` +version from the `main` branch by creating a `vX.Y.0` tag and a corresponding `release/vX.Y` branch, with merge permissions given to the release manager of stable releases, and CI configured to execute tests on it. ### Security releases Critical security fixes are owned by the Envoy security team, which provides fixes for the -`master` branch, and the latest release branch. Once those fixes are ready, the maintainers +`main` branch, and the latest release branch. Once those fixes are ready, the maintainers of stable releases backport them to the remaining supported stable releases. ### Backports 
@@ -37,7 +37,7 @@ by adding the `backport/review` or `backport/approved` label (this can be done u `/backport` command). Changes nominated by the change author and/or members of the Envoy community are evaluated for backporting on a case-by-case basis, and require approval from either the release manager of stable release, Envoy maintainers, or Envoy security team. Once approved, those fixes -are backported from the `master` branch to all supported stable branches by the maintainers of +are backported from the `main` branch to all supported stable branches by the maintainers of stable releases. New stable versions from non-critical security fixes are released on a regular schedule, initially aiming for the bi-weekly releases. diff --git a/SECURITY.md b/SECURITY.md index 34138877e6b30..53b4de82b7802 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -63,31 +63,31 @@ score >= 4; see below). If the fix relies on another upstream project's disclosu will adjust the process as well. We will work with the upstream project to fit their timeline and best protect our users. -### Released versions and master branch +### Released versions and main branch If the vulnerability affects the last point release version, e.g. 1.10, then the full security release process described in this document will be activated. A security point release will be -created for 1.10, e.g. 1.10.1, together with a fix to master if necessary. Older point releases, +created for 1.10, e.g. 1.10.1, together with a fix to main if necessary. Older point releases, e.g. 1.9, are not supported by the Envoy project and will not have any security release created. -If a security vulnerability affects only these older versions but not master or the last supported +If a security vulnerability affects only these older versions but not main or the last supported point release, the Envoy security team will share this information with the private distributor list, following the standard embargo process, but not create a security release. After the embargo expires, the vulnerability will be described as a GitHub issue. A CVE will be filed if warranted by severity. -If a vulnerability does not affect any point release but only master, additional caveats apply: +If a vulnerability does not affect any point release but only main, additional caveats apply: * If the issue is detected and a fix is available within 7 days of the introduction of the vulnerability, or the issue is deemed a low severity vulnerability by the Envoy maintainer and - security teams, the fix will be publicly reviewed and landed on master. If the severity is at least + security teams, the fix will be publicly reviewed and landed on main. 
If the severity is at least medium or at maintainer discretion a courtesy e-mail will be sent to envoy-users@googlegroups.com, envoy-dev@googlegroups.com, envoy-security-announce@googlegroups.com and cncf-envoy-distributors-announce@lists.cncf.io. * If the vulnerability has been in existence for more than 7 days and is medium or higher, we will activate the security release process. -We advise distributors and operators working from the master branch to allow at least 5 days soak +We advise distributors and operators working from the main branch to allow at least 5 days soak time after cutting a binary release before distribution or rollout, to allow time for our fuzzers to detect issues during their execution on ClusterFuzz. A soak period of 7 days provides an even stronger guarantee, since we will invoke the security release process for medium or higher severity issues @@ -181,7 +181,7 @@ patches, understand exact mitigation steps, etc. should be reserved for remotely exploitable or privilege escalation issues. Otherwise, this process can be skipped. - The Fix Lead will email the patches to cncf-envoy-distributors-announce@lists.cncf.io so - distributors can prepare builds to be available to users on the day of the issue's announcement. Any + distributors can prepare builds to be available to users on the day of the issue's announcement. Any patches against main will be updated and resent weekly. Distributors should read about the [Private Distributors List](#private-distributors-list) to find out the requirements for being added to this list. 
@@ -193,7 +193,7 @@ patches, understand exact mitigation steps, etc. - The maintainers will create a new patch release branch from the latest patch release tag + the fix from the security branch. As a practical example if v1.5.3 is the latest patch release in Envoy.git a new branch will be created called v1.5.4 which includes only patches required to fix the issue. -- The Fix Lead will cherry-pick the patches onto the master branch and all relevant release branches. +- The Fix Lead will cherry-pick the patches onto the main branch and all relevant release branches. The Fix Team will LGTM and merge. Maintainers will merge these PRs as quickly as possible. Changes shouldn't be made to the commits even for a typo in the CHANGELOG as this will change the git sha of the commits leading to confusion and potentially conflicts as the fix is cherry-picked around diff --git a/api/API_VERSIONING.md b/api/API_VERSIONING.md index 25e80aaa8407d..c045e7d5ce4e4 100644 --- a/api/API_VERSIONING.md +++ b/api/API_VERSIONING.md @@ -102,7 +102,7 @@ Envoy will support at most three major versions of any API package at all times: for the next stable major version. This is only generated when the current stable major version requires a breaking change at the next cycle, e.g. a deprecation or field rename. This release candidate is mechanically generated via the - [protoxform](https://github.com/envoyproxy/envoy/tree/master/tools/protoxform) tool from the + [protoxform](https://github.com/envoyproxy/envoy/tree/main/tools/protoxform) tool from the current stable major version, making use of annotations such as `deprecated = true`. This is not a human editable artifact. 
@@ -158,7 +158,7 @@ methods, depending on whether the change is mechanical or manual. ## Mechanical breaking changes Field deprecations, renames, etc. are mechanical changes that are supported by the -[protoxform](https://github.com/envoyproxy/envoy/tree/master/tools/protoxform) tool. These are +[protoxform](https://github.com/envoyproxy/envoy/tree/main/tools/protoxform) tool. These are guided by [annotations](STYLE.md#api-annotations). ## Manual breaking changes diff --git a/api/CONTRIBUTING.md b/api/CONTRIBUTING.md index 773248f2e2ea6..01d7da43e9fdc 100644 --- a/api/CONTRIBUTING.md +++ b/api/CONTRIBUTING.md @@ -9,7 +9,7 @@ changes. They may be as part of a larger implementation PR. Please follow the st process for validating build/test sanity of `api/` before submitting a PR. *Note: New .proto files should be added to -[BUILD](https://github.com/envoyproxy/envoy/blob/master/api/versioning/BUILD) in order to get the RSTs generated.* +[BUILD](https://github.com/envoyproxy/envoy/blob/main/api/versioning/BUILD) in order to get the RSTs generated.* ## Documentation changes diff --git a/api/README.md b/api/README.md index 95f49ba58e4dd..6e899513e8d6f 100644 --- a/api/README.md +++ b/api/README.md @@ -9,9 +9,9 @@ blog post for more information on the universal data plane concept. # Repository structure The API tree can be found at two locations: -* https://github.com/envoyproxy/envoy/tree/master/api - canonical read/write home for the APIs. +* https://github.com/envoyproxy/envoy/tree/main/api - canonical read/write home for the APIs. * https://github.com/envoyproxy/data-plane-api - read-only mirror of - https://github.com/envoyproxy/envoy/tree/master/api, providing the ability to consume the data + https://github.com/envoyproxy/envoy/tree/main/api, providing the ability to consume the data plane APIs without the Envoy implementation. # Further API reading 
diff --git a/api/envoy/api/v2/core/protocol.proto b/api/envoy/api/v2/core/protocol.proto index 9c47e388ee1af..ae1a86424cf07 100644 --- a/api/envoy/api/v2/core/protocol.proto +++ b/api/envoy/api/v2/core/protocol.proto @@ -201,7 +201,7 @@ message Http2ProtocolOptions { // Still under implementation. DO NOT USE. // // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/master/source/docs/h2_metadata.md) for more + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more // information. bool allow_metadata = 6; diff --git a/api/envoy/config/core/v3/protocol.proto b/api/envoy/config/core/v3/protocol.proto index 17a6955d6851c..cb3179fd50aec 100644 --- a/api/envoy/config/core/v3/protocol.proto +++ b/api/envoy/config/core/v3/protocol.proto @@ -262,7 +262,7 @@ message Http2ProtocolOptions { // Still under implementation. DO NOT USE. // // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/master/source/docs/h2_metadata.md) for more + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more // information. bool allow_metadata = 6; diff --git a/api/envoy/config/core/v4alpha/protocol.proto b/api/envoy/config/core/v4alpha/protocol.proto index 807488cef49d8..aad7fbf47d393 100644 --- a/api/envoy/config/core/v4alpha/protocol.proto +++ b/api/envoy/config/core/v4alpha/protocol.proto @@ -269,7 +269,7 @@ message Http2ProtocolOptions { // Still under implementation. DO NOT USE. // // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/master/source/docs/h2_metadata.md) for more + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more // information. bool allow_metadata = 6; diff --git a/bazel/EXTERNAL_DEPS.md b/bazel/EXTERNAL_DEPS.md index 4f66ef80eac8b..02ba28e30674a 100644 --- a/bazel/EXTERNAL_DEPS.md +++ b/bazel/EXTERNAL_DEPS.md 
@@ -78,7 +78,7 @@ documentation for further references. # Updating an external dependency version 1. Update the corresponding entry in -[the repository locations file.](https://github.com/envoyproxy/envoy/blob/master/bazel/repository_locations.bzl) +[the repository locations file.](https://github.com/envoyproxy/envoy/blob/main/bazel/repository_locations.bzl) 2. `bazel test //test/...` # Overriding an external dependency temporarily @@ -88,7 +88,7 @@ specifying Bazel option [`--override_repository`](https://docs.bazel.build/versions/master/command-line-reference.html) to point to a local copy. The option can used multiple times to override multiple dependencies. The name of the dependency can be found in -[the repository locations file.](https://github.com/envoyproxy/envoy/blob/master/bazel/repository_locations.bzl) +[the repository locations file.](https://github.com/envoyproxy/envoy/blob/main/bazel/repository_locations.bzl) The path of the local copy has to be absolute path. For repositories built by `envoy_cmake_external()` in `bazel/foreign_cc/BUILD`, diff --git a/bazel/PPROF.md b/bazel/PPROF.md index 97e1c0541181d..689520a11c0b3 100644 --- a/bazel/PPROF.md +++ b/bazel/PPROF.md @@ -8,7 +8,7 @@ specific place yourself. Static linking is already available (because of a `HeapProfilerDump()` call inside -[`Envoy::Profiler::Heap::stopProfiler())`](https://github.com/envoyproxy/envoy/blob/master/source/common/profiler/profiler.cc#L32-L39)). +[`Envoy::Profiler::Heap::stopProfiler())`](https://github.com/envoyproxy/envoy/blob/main/source/common/profiler/profiler.cc#L32-L39)). ### Compiling a statically-linked Envoy 
@@ -61,7 +61,7 @@ is controlled by `ProfilerStart()`/`ProfilerStop()`, and the [Gperftools Heap Profiler](https://gperftools.github.io/gperftools/heapprofile.html) is controlled by `HeapProfilerStart()`, `HeapProfilerStop()` and `HeapProfilerDump()`. -These functions are wrapped by Envoy objects defined in [`source/common/profiler/profiler.h`](https://github.com/envoyproxy/envoy/blob/master/source/common/profiler/profiler.h)). +These functions are wrapped by Envoy objects defined in [`source/common/profiler/profiler.h`](https://github.com/envoyproxy/envoy/blob/main/source/common/profiler/profiler.h)). To enable profiling programmatically: diff --git a/bazel/README.md b/bazel/README.md index 36e8f7ebc3247..59f6d466f6011 100644 --- a/bazel/README.md +++ b/bazel/README.md 
@@ -40,13 +40,13 @@ independently sourced, the following steps should be followed: This section describes how to and what dependencies to install to get started building Envoy with Bazel. If you would rather use a pre-build Docker image with required tools installed, skip to [this section](#building-envoy-with-the-ci-docker-image). -As a developer convenience, a [WORKSPACE](https://github.com/envoyproxy/envoy/blob/master/WORKSPACE) and +As a developer convenience, a [WORKSPACE](https://github.com/envoyproxy/envoy/blob/main/WORKSPACE) and [rules for building a recent -version](https://github.com/envoyproxy/envoy/blob/master/bazel/repositories.bzl) of the various Envoy +version](https://github.com/envoyproxy/envoy/blob/main/bazel/repositories.bzl) of the various Envoy dependencies are provided. These are provided as is, they are only suitable for development and testing purposes. The specific versions of the Envoy dependencies used in this build may not be up-to-date with the latest security patches. See -[this doc](https://github.com/envoyproxy/envoy/blob/master/bazel/EXTERNAL_DEPS.md#updating-an-external-dependency-version) +[this doc](https://github.com/envoyproxy/envoy/blob/main/bazel/EXTERNAL_DEPS.md#updating-an-external-dependency-version) for how to update or override dependencies. 1. Install external dependencies. @@ -239,7 +239,7 @@ MSYS2 or Git bash), run: ./ci/run_envoy_docker.sh './ci/windows_ci_steps.sh' ``` -See also the [documentation](https://github.com/envoyproxy/envoy/tree/master/ci) for developer use of the +See also the [documentation](https://github.com/envoyproxy/envoy/tree/main/ci) for developer use of the CI Docker image. ## Building Envoy with Remote Execution 
@@ -331,7 +331,7 @@ bazel test //test/... An individual test target can be run with a more specific Bazel [label](https://bazel.build/versions/master/docs/build-ref.html#Labels), e.g. to build and run only the units tests in -[test/common/http/async_client_impl_test.cc](https://github.com/envoyproxy/envoy/blob/master/test/common/http/async_client_impl_test.cc): +[test/common/http/async_client_impl_test.cc](https://github.com/envoyproxy/envoy/blob/main/test/common/http/async_client_impl_test.cc): ``` bazel test //test/common/http:async_client_impl_test @@ -730,8 +730,8 @@ need to navigate down and open "coverage.html" but then you can navigate per nor have seen some issues with seeing the artifacts tab. If you can't see it, log out of Circle, and then log back in and it should start working. -The latest coverage report for master is available -[here](https://storage.googleapis.com/envoy-postsubmit/master/coverage/index.html). The latest fuzz coverage report for master is available [here](https://storage.googleapis.com/envoy-postsubmit/master/fuzz_coverage/index.html). +The latest coverage report for main is available +[here](https://storage.googleapis.com/envoy-postsubmit/main/coverage/index.html). The latest fuzz coverage report for main is available [here](https://storage.googleapis.com/envoy-postsubmit/main/fuzz_coverage/index.html). It's also possible to specialize the coverage build to a specified test or test dir. This is useful when doing things like exploring the coverage of a fuzzer over its corpus. This can be done by diff --git a/ci/README.md b/ci/README.md index 54dbaef534fe5..aed383c05d2e7 100644 --- a/ci/README.md +++ b/ci/README.md 
@@ -6,24 +6,24 @@ and an image based on Windows2019. ## Ubuntu Envoy image The Ubuntu based Envoy Docker image at [`envoyproxy/envoy-build:`](https://hub.docker.com/r/envoyproxy/envoy-build/) is used for CircleCI checks, -where `` is specified in [`envoy_build_sha.sh`](https://github.com/envoyproxy/envoy/blob/master/ci/envoy_build_sha.sh). Developers -may work with the latest build image SHA in [envoy-build-tools](https://github.com/envoyproxy/envoy-build-tools/blob/master/toolchains/rbe_toolchains_config.bzl#L8) +where `` is specified in [`envoy_build_sha.sh`](https://github.com/envoyproxy/envoy/blob/main/ci/envoy_build_sha.sh). Developers +may work with the latest build image SHA in [envoy-build-tools](https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8) repo to provide a self-contained environment for building Envoy binaries and running tests that reflects the latest built Ubuntu Envoy image. Moreover, the Docker image at [`envoyproxy/envoy-dev:`](https://hub.docker.com/r/envoyproxy/envoy-dev/) is an image that has an Envoy binary at `/usr/local/bin/envoy`. -The `` corresponds to the master commit at which the binary was compiled. Lastly, `envoyproxy/envoy-dev:latest` contains an Envoy -binary built from the latest tip of master that passed tests. +The `` corresponds to the main commit at which the binary was compiled. Lastly, `envoyproxy/envoy-dev:latest` contains an Envoy +binary built from the latest tip of main that passed tests. ## Alpine Envoy image Minimal images based on Alpine Linux allow for quicker deployment of Envoy. Two Alpine based images are built, one with an Envoy binary with debug (`envoyproxy/envoy-alpine-debug`) symbols and one stripped of them (`envoyproxy/envoy-alpine`). Both images are pushed with two different tags: `` and `latest`. 
Parallel to the Ubuntu images above, `` corresponds to the -master commit at which the binary was compiled, and `latest` corresponds to a binary built from the latest tip of master that passed tests. +main commit at which the binary was compiled, and `latest` corresponds to a binary built from the latest tip of main that passed tests. ## Windows 2019 Envoy image The Windows 2019 based Envoy Docker image at [`envoyproxy/envoy-build-windows2019:`](https://hub.docker.com/r/envoyproxy/envoy-build-windows2019/) -is used for CI checks, where `` is specified in [`envoy_build_sha.sh`](https://github.com/envoyproxy/envoy/blob/master/ci/envoy_build_sha.sh). +is used for CI checks, where `` is specified in [`envoy_build_sha.sh`](https://github.com/envoyproxy/envoy/blob/main/ci/envoy_build_sha.sh). Developers may work with the most recent `envoyproxy/envoy-build-windows2019` image to provide a self-contained environment for building Envoy binaries and running tests that reflects the latest built Windows 2019 Envoy image. @@ -44,7 +44,7 @@ We use the Clang compiler for all Linux CI runs with tests. We have an additiona # C++ standard library As of November 2019 after [#8859](https://github.com/envoyproxy/envoy/pull/8859) the official released binary is -[linked against libc++ on Linux](https://github.com/envoyproxy/envoy/blob/master/bazel/README.md#linking-against-libc-on-linux). +[linked against libc++ on Linux](https://github.com/envoyproxy/envoy/blob/main/bazel/README.md#linking-against-libc-on-linux). To override the C++ standard library in your build, set environment variable `ENVOY_STDLIB` to `libstdc++` or `libc++` and run `./ci/do_ci.sh` as described below. 
@@ -98,7 +98,7 @@ For a debug version of the Envoy binary you can run: The build artifact can be found in `/tmp/envoy-docker-build/envoy/source/exe/envoy-debug` (or wherever `$ENVOY_DOCKER_BUILD_DIR` points). -To leverage a [bazel remote cache](https://github.com/envoyproxy/envoy/tree/master/bazel#advanced-caching-setup) add the http_remote_cache endpoint to +To leverage a [bazel remote cache](https://github.com/envoyproxy/envoy/tree/main/bazel#advanced-caching-setup) add the http_remote_cache endpoint to the BAZEL_BUILD_EXTRA_OPTIONS environment variable ```bash diff --git a/ci/api_mirror.sh b/ci/api_mirror.sh index 03e8ab85d80cb..8a3022b724318 100755 --- a/ci/api_mirror.sh +++ b/ci/api_mirror.sh @@ -3,8 +3,8 @@ set -e CHECKOUT_DIR=../data-plane-api -MAIN_BRANCH="refs/heads/master" -API_MAIN_BRANCH="master" +MAIN_BRANCH="refs/heads/main" +API_MAIN_BRANCH="main" if [[ "${AZP_BRANCH}" == "${MAIN_BRANCH}" ]]; then echo "Cloning..." diff --git a/ci/docker_ci.sh b/ci/docker_ci.sh index 1488ea726f988..f83e1f281a581 100755 --- a/ci/docker_ci.sh +++ b/ci/docker_ci.sh @@ -89,11 +89,11 @@ push_images() { docker push "${BUILD_TAG}" } -MASTER_BRANCH="refs/heads/master" +MAIN_BRANCH="refs/heads/main" RELEASE_BRANCH_REGEX="^refs/heads/release/v.*" RELEASE_TAG_REGEX="^refs/tags/v.*" -# For master builds and release branch builds use the dev repo. Otherwise we assume it's a tag and +# For main builds and release branch builds use the dev repo. Otherwise we assume it's a tag and # we push to the primary repo. if [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then IMAGE_POSTFIX="" 
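Review bot: `API_MAIN_BRANCH="main"` names a branch in the external data-plane-api mirror, not in this repository, and nothing in this patch shows that repository being renamed; if the mirror is still on `master`, the push that follows this clone gate (outside the hunk) would presumably create a fresh `main` branch there while `master` silently stops receiving API updates, so consumers pinned to the old branch keep stale protos. I would confirm the mirror's default branch before merging, and document the coupling above the assignment with `# Branch in envoyproxy/data-plane-api; must match that repository's default branch, not this one's.` The same cross-repository assumption applies to `FILTER_EXAMPLE_MAIN_BRANCH` in ci/filter_example_mirror.sh. The remainder of api_mirror.sh, including the checkout and push, lies outside the hunk.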
@@ -126,11 +126,11 @@ ENVOY_DOCKER_TAR="${ENVOY_DOCKER_IMAGE_DIRECTORY}/envoy-docker-images.tar.xz" echo "Saving built images to ${ENVOY_DOCKER_TAR}." docker save "${IMAGES_TO_SAVE[@]}" | xz -T0 -2 >"${ENVOY_DOCKER_TAR}" -# Only push images for master builds, release branch builds, and tag builds. -if [[ "${AZP_BRANCH}" != "${MASTER_BRANCH}" ]] && +# Only push images for main builds, release branch builds, and tag builds. +if [[ "${AZP_BRANCH}" != "${MAIN_BRANCH}" ]] && ! [[ "${AZP_BRANCH}" =~ ${RELEASE_BRANCH_REGEX} ]] && ! [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then - echo 'Ignoring non-master branch or tag for docker push.' + echo 'Ignoring non-main branch or tag for docker push.' exit 0 fi @@ -139,8 +139,8 @@ docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD" for BUILD_TYPE in "${BUILD_TYPES[@]}"; do push_images "${BUILD_TYPE}" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${IMAGE_NAME}" - # Only push latest on master builds. - if [[ "${AZP_BRANCH}" == "${MASTER_BRANCH}" ]]; then + # Only push latest on main builds. + if [[ "${AZP_BRANCH}" == "${MAIN_BRANCH}" ]]; then docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${IMAGE_NAME}" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest" push_images "${BUILD_TYPE}" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest" fi diff --git a/ci/filter_example_mirror.sh b/ci/filter_example_mirror.sh index 8602b1677e4b9..a511227714035 100755 --- a/ci/filter_example_mirror.sh +++ b/ci/filter_example_mirror.sh @@ -4,8 +4,8 @@ set -e ENVOY_SRCDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/../" && pwd) CHECKOUT_DIR=../envoy-filter-example -MAIN_BRANCH="refs/heads/master" -FILTER_EXAMPLE_MAIN_BRANCH="master" +MAIN_BRANCH="refs/heads/main" +FILTER_EXAMPLE_MAIN_BRANCH="main" if [[ "${AZP_BRANCH}" == "${MAIN_BRANCH}" ]]; then echo "Cloning..." diff --git a/ci/go_mirror.sh b/ci/go_mirror.sh index 63f96d0d79697..96743eef62620 100755 --- a/ci/go_mirror.sh +++ b/ci/go_mirror.sh 
@@ -2,7 +2,7 @@ set -e -MAIN_BRANCH="refs/heads/master" +MAIN_BRANCH="refs/heads/main" # shellcheck source=ci/setup_cache.sh . "$(dirname "$0")"/setup_cache.sh diff --git a/docs/README.md b/docs/README.md index 216e7bafcbade..d4ba08334fb94 100644 --- a/docs/README.md +++ b/docs/README.md @@ -6,7 +6,7 @@ In both cases, the generated output can be found in `generated/docs`. ## Building in an existing Envoy development environment -If you have an [existing Envoy development environment](https://github.com/envoyproxy/envoy/tree/master/bazel#quick-start-bazel-build-for-developers), you should have the necessary dependencies and requirements and be able to build the documentation directly. +If you have an [existing Envoy development environment](https://github.com/envoyproxy/envoy/tree/main/bazel#quick-start-bazel-build-for-developers), you should have the necessary dependencies and requirements and be able to build the documentation directly. ```bash ./docs/build.sh @@ -48,7 +48,7 @@ To do this: 1. The docs are published to [docs/envoy/latest](https://github.com/envoyproxy/envoyproxy.github.io/tree/master/docs/envoy/latest) on every commit to master. This process is handled by CircleCI with the - [`publish.sh`](https://github.com/envoyproxy/envoy/blob/master/docs/publish.sh) script. + [`publish.sh`](https://github.com/envoyproxy/envoy/blob/main/docs/publish.sh) script. 2. The docs are published to [docs/envoy](https://github.com/envoyproxy/envoyproxy.github.io/tree/master/docs/envoy) in a directory named after every tagged commit in this repo. Thus, on every tagged release there diff --git a/docs/publish.sh b/docs/publish.sh index c56e9bb31066f..9ff9684d7003a 100755 --- a/docs/publish.sh +++ b/docs/publish.sh @@ -13,7 +13,7 @@ DOCS_DIR=generated/docs CHECKOUT_DIR=envoy-docs BUILD_SHA=$(git rev-parse HEAD) -MAIN_BRANCH="refs/heads/master" +MAIN_BRANCH="refs/heads/main" RELEASE_TAG_REGEX="^refs/tags/v.*" if [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then 
@@ -25,7 +25,7 @@ else exit 0 fi -DOCS_MAIN_BRANCH="master" +DOCS_MAIN_BRANCH="main" echo 'cloning' git clone git@github.com:envoyproxy/envoyproxy.github.io "${CHECKOUT_DIR}" -b "${DOCS_MAIN_BRANCH}" --depth 1 diff --git a/docs/root/version_history/v1.11.0.rst b/docs/root/version_history/v1.11.0.rst index 1bc4051b7da4a..10b48736b2db3 100644 --- a/docs/root/version_history/v1.11.0.rst +++ b/docs/root/version_history/v1.11.0.rst @@ -80,7 +80,7 @@ Changes * runtime: :ref:`Runtime Discovery Service (RTDS) ` support added to layered runtime configuration. * sandbox: added :ref:`CSRF sandbox `. * server: ``--define manual_stamp=manual_stamp`` was added to allow server stamping outside of binary rules. - more info in the `bazel docs `_. + more info in the `bazel docs `_. * server: added :ref:`server state ` statistic. * server: added :ref:`initialization_time_ms` statistic. * subset: added :ref:`list_as_any` option to diff --git a/docs/root/version_history/v1.14.0.rst b/docs/root/version_history/v1.14.0.rst index 2db9566c6788d..649a34d1cce34 100644 --- a/docs/root/version_history/v1.14.0.rst +++ b/docs/root/version_history/v1.14.0.rst @@ -187,6 +187,6 @@ Deprecated and the previous default can be enabled until the end of the deprecation period by enabling runtime feature `envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default`. * The :ref:`source_ip ` field in - `RBAC `_ has been deprecated + `RBAC `_ has been deprecated in favor of :ref:`direct_remote_ip ` and :ref:`remote_ip `. diff --git a/docs/root/version_history/v1.4.0.rst b/docs/root/version_history/v1.4.0.rst index f940deb1b5a65..fb81055386273 100644 --- a/docs/root/version_history/v1.4.0.rst +++ b/docs/root/version_history/v1.4.0.rst 
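Review bot: `DOCS_MAIN_BRANCH="main"` is passed as `-b` to the clone of envoyproxy/envoyproxy.github.io, a different repository, while the docs/README.md hunk in this same patch still says the docs are published to that repository's `tree/master/docs/envoy/latest` on every commit to master, so one of the two is inconsistent with the other. If the site repository has not been renamed, `git clone ... -b main` fails and docs publishing stops on every main build; that at least fails closed, but the only signal is a clone error. I would verify the site repository's branch before merging and mark the assumption with `# Branch of envoyproxy/envoyproxy.github.io, not of this repo; keep in sync with that repository's default branch.` above the assignment. The push that follows the clone is outside the hunk.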
@@ -56,7 +56,7 @@ Deprecated * The following log macros have been deprecated: `log_trace`, `log_debug`, `conn_log`, `conn_log_info`, `conn_log_debug`, `conn_log_trace`, `stream_log`, `stream_log_info`, `stream_log_debug`, `stream_log_trace`. For replacements, please see - `logger.h `_. + `logger.h `_. * The connectionId() and ssl() callbacks of StreamFilterCallbacks have been deprecated and replaced with a more general connection() callback, which, when not returning a nullptr, can be used to get the connection id and SSL connection from the returned Connection object pointer. diff --git a/docs/root/version_history/v1.8.0.rst b/docs/root/version_history/v1.8.0.rst index 5f05f5d7d8eb1..e99c0e2c459c5 100644 --- a/docs/root/version_history/v1.8.0.rst +++ b/docs/root/version_history/v1.8.0.rst 
@@ -106,24 +106,24 @@ Deprecated * Use of the legacy `ratelimit.proto `_ is deprecated, in favor of the proto defined in - `date-plane-api `_ + `date-plane-api `_ Prior to 1.8.0, Envoy can use either proto to send client requests to a ratelimit server with the use of the - `use_data_plane_proto` boolean flag in the `ratelimit configuration `_. + `use_data_plane_proto` boolean flag in the `ratelimit configuration `_. However, when using the deprecated client a warning is logged. * Use of the --v2-config-only flag. * Use of both `use_websocket` and `websocket_config` in - `route.proto `_ + `route.proto `_ is deprecated. Please use the new `upgrade_configs` in the - `HttpConnectionManager `_ + `HttpConnectionManager `_ instead. -* Use of the integer `percent` field in `FaultDelay `_ - and in `FaultAbort `_ is deprecated in favor +* Use of the integer `percent` field in `FaultDelay `_ + and in `FaultAbort `_ is deprecated in favor of the new `FractionalPercent` based `percentage` field. * Setting hosts via `hosts` field in `Cluster` is deprecated. Use `load_assignment` instead. * Use of `response_headers_to_*` and `request_headers_to_add` are deprecated at the `RouteAction` level. Please use the configuration options at the `Route` level. * Use of `runtime` in `RouteMatch`, found in - `route.proto `_. + `route.proto `_. Set the `runtime_fraction` field instead. -* Use of the string `user` field in `Authenticated` in `rbac.proto `_ +* Use of the string `user` field in `Authenticated` in `rbac.proto `_ is deprecated in favor of the new `StringMatcher` based `principal_name` field. diff --git a/docs/root/version_history/v1.9.0.rst b/docs/root/version_history/v1.9.0.rst index 54cd1e4783360..12614ca1497b0 100644 --- a/docs/root/version_history/v1.9.0.rst +++ b/docs/root/version_history/v1.9.0.rst 
@@ -102,12 +102,12 @@ Changes Deprecated ---------- -* Order of execution of the network write filter chain has been reversed. Prior to this release cycle it was incorrect, see `#4599 `_. In the 1.9.0 release cycle we introduced `bugfix_reverse_write_filter_order` in `lds.proto `_ to temporarily support both old and new behaviors. Note this boolean field is deprecated. -* Order of execution of the HTTP encoder filter chain has been reversed. Prior to this release cycle it was incorrect, see `#4599 `_. In the 1.9.0 release cycle we introduced `bugfix_reverse_encode_order` in `http_connection_manager.proto `_ to temporarily support both old and new behaviors. Note this boolean field is deprecated. +* Order of execution of the network write filter chain has been reversed. Prior to this release cycle it was incorrect, see `#4599 `_. In the 1.9.0 release cycle we introduced `bugfix_reverse_write_filter_order` in `lds.proto `_ to temporarily support both old and new behaviors. Note this boolean field is deprecated. +* Order of execution of the HTTP encoder filter chain has been reversed. Prior to this release cycle it was incorrect, see `#4599 `_. In the 1.9.0 release cycle we introduced `bugfix_reverse_encode_order` in `http_connection_manager.proto `_ to temporarily support both old and new behaviors. Note this boolean field is deprecated. * Use of the v1 REST_LEGACY ApiConfigSource is deprecated. * Use of std::hash in the ring hash load balancer is deprecated. -* Use of `rate_limit_service` configuration in the `bootstrap configuration `_ is deprecated. +* Use of `rate_limit_service` configuration in the `bootstrap configuration `_ is deprecated. * Use of `runtime_key` in `RequestMirrorPolicy`, found in - `route.proto `_ + `route.proto `_ is deprecated. Set the `runtime_fraction` field instead. 
-* Use of buffer filter `max_request_time` is deprecated in favor of the request timeout found in `HttpConnectionManager `_ +* Use of buffer filter `max_request_time` is deprecated in favor of the request timeout found in `HttpConnectionManager `_ diff --git a/docs/root/version_history/version_history.rst b/docs/root/version_history/version_history.rst index 55bdaf928aeb7..57ca4d1b22c60 100644 --- a/docs/root/version_history/version_history.rst +++ b/docs/root/version_history/version_history.rst @@ -56,7 +56,7 @@ Deprecation Policy ^^^^^^^^^^^^^^^^^^ As of release 1.3.0, Envoy will follow a -`Breaking Change Policy `_. +`Breaking Change Policy `_. Features in the deprecated list for each version have been DEPRECATED and will be removed in the specified release cycle. A logged warning diff --git a/examples/grpc-bridge/docker-compose-protos.yaml b/examples/grpc-bridge/docker-compose-protos.yaml index 42da7d7407c73..543fe4bf5aca7 100644 --- a/examples/grpc-bridge/docker-compose-protos.yaml +++ b/examples/grpc-bridge/docker-compose-protos.yaml @@ -1,7 +1,7 @@ version: "3.7" # This is the conversion from a script to a dockerized version of the script -# https://github.com/envoyproxy/envoy/blob/master/examples/grpc-bridge/service/script/gen +# https://github.com/envoyproxy/envoy/blob/main/examples/grpc-bridge/service/script/gen services: # $ docker run -ti -v $(pwd):/protos -v $(pwd)/stubs:/stubs grpc/go protoc --go_out=plugins=grpc:/stubs -I/protos /protos/kv.proto diff --git a/generated_api_shadow/envoy/api/v2/core/protocol.proto b/generated_api_shadow/envoy/api/v2/core/protocol.proto index 9c47e388ee1af..ae1a86424cf07 100644 --- a/generated_api_shadow/envoy/api/v2/core/protocol.proto +++ b/generated_api_shadow/envoy/api/v2/core/protocol.proto 
@@ -201,7 +201,7 @@ message Http2ProtocolOptions { // Still under implementation. DO NOT USE. // // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/master/source/docs/h2_metadata.md) for more + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more // information. bool allow_metadata = 6; diff --git a/generated_api_shadow/envoy/config/core/v3/protocol.proto b/generated_api_shadow/envoy/config/core/v3/protocol.proto index 17a6955d6851c..cb3179fd50aec 100644 --- a/generated_api_shadow/envoy/config/core/v3/protocol.proto +++ b/generated_api_shadow/envoy/config/core/v3/protocol.proto @@ -262,7 +262,7 @@ message Http2ProtocolOptions { // Still under implementation. DO NOT USE. // // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/master/source/docs/h2_metadata.md) for more + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more // information. bool allow_metadata = 6; diff --git a/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto b/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto index 885972885ebc1..61d3fbe27e906 100644 --- a/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto +++ b/generated_api_shadow/envoy/config/core/v4alpha/protocol.proto @@ -265,7 +265,7 @@ message Http2ProtocolOptions { // Still under implementation. DO NOT USE. // // Allows metadata. See [metadata - // docs](https://github.com/envoyproxy/envoy/blob/master/source/docs/h2_metadata.md) for more + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more // information. bool allow_metadata = 6; diff --git a/include/envoy/http/filter.h b/include/envoy/http/filter.h index 26e58c65858b7..7131a488e2230 100644 --- a/include/envoy/http/filter.h +++ b/include/envoy/http/filter.h 
@@ -47,7 +47,7 @@ enum class FilterHeadersStatus { // injectDecodedDataToFilterChain()/injectEncodedDataToFilterChain(), possibly multiple times // if the body needs to be divided into several chunks. The filter may need to handle // watermark events when injecting a body, see: - // https://github.com/envoyproxy/envoy/blob/master/source/docs/flow_control.md. + // https://github.com/envoyproxy/envoy/blob/main/source/docs/flow_control.md. // // The last call to inject data MUST have end_stream set to true to conclude the stream. // If the filter cannot provide a body the stream should be reset. diff --git a/security/email-templates.md b/security/email-templates.md index ec76e6d827487..3e6c178978661 100644 --- a/security/email-templates.md +++ b/security/email-templates.md @@ -36,14 +36,14 @@ Hello Envoy Distributors, The Envoy security team would like to provide advanced notice to the Envoy Private Distributors List of some details on the pending Envoy $VERSION security release, following the process described at -https://github.com/envoyproxy/envoy/blob/master/SECURITY.md. +https://github.com/envoyproxy/envoy/blob/main/SECURITY.md. This release will be made available on the $ORDINALDAY of $MONTH $YEAR at $PDTHOUR PDT ($GMTHOUR GMT). This release will fix $NUMDEFECTS security defect(s). The highest rated security defect is considered $SEVERITY severity. Below we provide details of these vulnerabilities under our embargo policy -(https://github.com/envoyproxy/envoy/blob/master/SECURITY.md#embargo-policy). +(https://github.com/envoyproxy/envoy/blob/main/SECURITY.md#embargo-policy). This information should be treated as confidential until public release by the Envoy maintainers on the Envoy GitHub. 
@@ -86,7 +86,7 @@ As a reminder, these patches are under embargo until $ORDINALDAY of $MONTH $YEAR at $PDTHOUR PDT ($GMTHOUR GMT). The information below should be treated as confidential and shared only on a need-to-know basis. The rules outline in our embargo policy -(https://github.com/envoyproxy/envoy/blob/master/SECURITY.md#embargo-policy) +(https://github.com/envoyproxy/envoy/blob/main/SECURITY.md#embargo-policy) still apply, and it is extremely important that any communication related to these CVEs are not forwarded further. diff --git a/security/postmortems/cve-2019-15225.md b/security/postmortems/cve-2019-15225.md index 1fbd027278229..7b3635ca70c15 100644 --- a/security/postmortems/cve-2019-15225.md +++ b/security/postmortems/cve-2019-15225.md @@ -130,7 +130,7 @@ amplify the effect of the O(n^2) process enough to produce a timeout. * The fixes for CVE-2019-15226 were straightforward and localized. * The security release occurred on time and followed the guidelines established in - https://github.com/envoyproxy/envoy/blob/master/SECURITY.md + https://github.com/envoyproxy/envoy/blob/main/SECURITY.md ### What went wrong diff --git a/security/postmortems/cve-2019-9900.md b/security/postmortems/cve-2019-9900.md index d6b6d38af5792..2766d1a647bae 100644 --- a/security/postmortems/cve-2019-9900.md +++ b/security/postmortems/cve-2019-9900.md @@ -303,7 +303,7 @@ All times US/Pacific number of users. 2019-04-04: -* 15:41 The Envoy master branch was frozen to prepare for the security release. PRs were rebased +* 15:41 The Envoy main branch was frozen to prepare for the security release. PRs were rebased against master and prepared for the release push. * 18:33 Envoy security team was contacted by a distributor who had noticed public visibility of binary images with the fix patch by other vendors. After discussion, we agreed on a general 
diff --git a/source/common/config/config_provider_impl.h b/source/common/config/config_provider_impl.h index 144332fe23b0f..21fa926b2116d 100644 --- a/source/common/config/config_provider_impl.h +++ b/source/common/config/config_provider_impl.h @@ -35,7 +35,7 @@ namespace Config { // and/or stream/request (if required by the configuration being processed). // // Dynamic configuration is distributed via xDS APIs (see -// https://github.com/envoyproxy/data-plane-api/blob/master/xds_protocol.rst). The framework exposed +// https://github.com/envoyproxy/data-plane-api/blob/main/xds_protocol.rst). The framework exposed // by these classes simplifies creation of client xDS implementations following a shared ownership // model, where according to the config source specification, a config subscription, config protos // received over the subscription and the subsequent config "implementation" (i.e., data structures diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 9dcf07691c00d..6aa003c6200ae 100644 --- a/source/common/http/utility.cc +++ b/source/common/http/utility.cc @@ -554,7 +554,7 @@ void Utility::sendLocalReply(const bool& is_reset, const EncodeFunctions& encode // TODO(dio): Probably it is worth to consider caching the encoded message based on gRPC // status. // JsonFormatter adds a '\n' at the end. For header value, it should be removed. - // https://github.com/envoyproxy/envoy/blob/master/source/common/formatter/substitution_formatter.cc#L129 + // https://github.com/envoyproxy/envoy/blob/main/source/common/formatter/substitution_formatter.cc#L129 if (body_text[body_text.length() - 1] == '\n') { body_text = body_text.substr(0, body_text.length() - 1); } diff --git a/source/common/stats/thread_local_store.h b/source/common/stats/thread_local_store.h index 8ef60df207bac..9c9cd4bbefd69 100644 --- a/source/common/stats/thread_local_store.h +++ b/source/common/stats/thread_local_store.h 
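Review bot: The rewritten comment in the `sendLocalReply` hunk still pins a line number on a moving branch (`.../blob/main/source/common/formatter/substitution_formatter.cc#L129`), so the anchor will point at an unrelated line the first time that file changes; since the line is being touched anyway, either make it a permalink to a commit SHA or drop `#L129` and name the formatter routine in words, e.g. `// See the JSON formatter in source/common/formatter/substitution_formatter.cc (it appends a trailing '\n').` Unrelated to the rename but visible in the context lines, `body_text[body_text.length() - 1]` is indexed without an emptiness check; if `body_text` can ever be empty at this point that is an out-of-bounds read, and `if (!body_text.empty() && body_text.back() == '\n')` would be cheap insurance — hedged, because the body of `sendLocalReply` begins outside this hunk and I cannot see how `body_text` is produced.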
@@ -141,7 +141,7 @@ using ParentHistogramImplSharedPtr = RefcountPtr; /** * Store implementation with thread local caching. For design details see - * https://github.com/envoyproxy/envoy/blob/master/source/docs/stats.md + * https://github.com/envoyproxy/envoy/blob/main/source/docs/stats.md */ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRoot { public: diff --git a/source/common/stats/utility.h b/source/common/stats/utility.h index dab8ba396c19b..c00026ee16f2d 100644 --- a/source/common/stats/utility.h +++ b/source/common/stats/utility.h @@ -68,7 +68,7 @@ class Utility { * Creates a counter from a vector of tokens which are used to create the * name. The tokens can be specified as DynamicName or StatName. For * tokens specified as DynamicName, a dynamic StatName will be created. See - * https://github.com/envoyproxy/envoy/blob/master/source/docs/stats.md#dynamic-stat-tokens + * https://github.com/envoyproxy/envoy/blob/main/source/docs/stats.md#dynamic-stat-tokens * for more detail on why symbolic StatNames are preferred when possible. * * See also counterFromStatNames, which is slightly faster but does not allow @@ -101,7 +101,7 @@ class Utility { * Creates a gauge from a vector of tokens which are used to create the * name. The tokens can be specified as DynamicName or StatName. For * tokens specified as DynamicName, a dynamic StatName will be created. See - * https://github.com/envoyproxy/envoy/blob/master/source/docs/stats.md#dynamic-stat-tokens + * https://github.com/envoyproxy/envoy/blob/main/source/docs/stats.md#dynamic-stat-tokens * for more detail on why symbolic StatNames are preferred when possible. * * See also gaugeFromStatNames, which is slightly faster but does not allow 
@@ -138,7 +138,7 @@ class Utility { * Creates a histogram from a vector of tokens which are used to create the * name. The tokens can be specified as DynamicName or StatName. For * tokens specified as DynamicName, a dynamic StatName will be created. See - * https://github.com/envoyproxy/envoy/blob/master/source/docs/stats.md#dynamic-stat-tokens + * https://github.com/envoyproxy/envoy/blob/main/source/docs/stats.md#dynamic-stat-tokens * for more detail on why symbolic StatNames are preferred when possible. * * See also histogramFromStatNames, which is slightly faster but does not allow @@ -175,7 +175,7 @@ class Utility { * Creates a TextReadout from a vector of tokens which are used to create the * name. The tokens can be specified as DynamicName or StatName. For * tokens specified as DynamicName, a dynamic StatName will be created. See - * https://github.com/envoyproxy/envoy/blob/master/source/docs/stats.md#dynamic-stat-tokens + * https://github.com/envoyproxy/envoy/blob/main/source/docs/stats.md#dynamic-stat-tokens * for more detail on why symbolic StatNames are preferred when possible. * * See also TextReadoutFromStatNames, which is slightly faster but does not allow diff --git a/source/docs/network_filter_fuzzing.md b/source/docs/network_filter_fuzzing.md index 1777c77767745..8e40210cac24e 100644 --- a/source/docs/network_filter_fuzzing.md +++ b/source/docs/network_filter_fuzzing.md 
@@ -1,17 +1,17 @@ # Generic network-level filter fuzzers overview -Network filters need to be fuzzed. Filters come in two flavors, each with their own fuzzer. Read filters should be added into the [Generic ReadFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_readfilter_fuzz_test.cc). Write Filters should added into the [Generic WriteFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc). Some filters are both raed and write filters: They should be added into both fuzzers. +Network filters need to be fuzzed. Filters come in two flavors, each with their own fuzzer. Read filters should be added into the [Generic ReadFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_readfilter_fuzz_test.cc). Write Filters should added into the [Generic WriteFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc). Some filters are both raed and write filters: They should be added into both fuzzers. Before adding the new filter into the fuzzers, please make sure the filter is designed to accept untrusted inputs, or ready to be hardened to accept untrusted inputs. # Add a new ReadFilter into Generic Readfilter Fuzzer ## Step1. Make sure the filter can be linked into the fuzzer -There are two ways to link it into the fuzzer. -* [Recommended] In the file [extensions_build_config.bzl](https://github.com/envoyproxy/envoy/blob/master/source/extensions/extensions_build_config.bzl), the name of the filter should have a prefix `envoy.filters.network`. If it has such a prefix, the filter will be automatically linked into Generic ReadFilter Fuzzer. 
-* [Not recommended]If for some reasons the filter's name doesn't have such a prefix, the config of the filter must be added into the `deps` field of `network_readfilter_fuzz_test` module in the file [BUILD](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/BUILD). +There are two ways to link it into the fuzzer. +* [Recommended] In the file [extensions_build_config.bzl](https://github.com/envoyproxy/envoy/blob/main/source/extensions/extensions_build_config.bzl), the name of the filter should have a prefix `envoy.filters.network`. If it has such a prefix, the filter will be automatically linked into Generic ReadFilter Fuzzer. +* [Not recommended]If for some reasons the filter's name doesn't have such a prefix, the config of the filter must be added into the `deps` field of `network_readfilter_fuzz_test` module in the file [BUILD](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/BUILD). ### Step2. Add the filter name into supported_filter_names -In [uber_per_readfilter.cc](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc), add the filter name into the vector `supported_filter_names` in method `UberFilterFuzzer::filterNames()`. +In [uber_per_readfilter.cc](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc), add the filter name into the vector `supported_filter_names` in method `UberFilterFuzzer::filterNames()`. ``` const std::vector supported_filter_names = { ... 
@@ -22,7 +22,7 @@ NetworkFilterNames::get().ExtAuthorization, NetworkFilterNames::get().TheNewFilt # Add a new WriteFilter into Generic Writefilter Fuzzer ## Step 1. Make sure the filter can be linked into the fuzzer -For WriteFilter, the config of the filter must be added into the `deps` field of `network_writefilter_fuzz_test` module in the file [BUILD](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/BUILD). +For WriteFilter, the config of the filter must be added into the `deps` field of `network_writefilter_fuzz_test` module in the file [BUILD](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/BUILD). ``` envoy_cc_fuzz_test( name = "network_writefilter_fuzz_test", @@ -43,7 +43,7 @@ envoy_cc_fuzz_test( ) ``` ## Step 2. Add the filter name into supported_filter_names -In [uber_per_writefilter.cc](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/uber_per_writefilter.cc), add the filter name into the vector `supported_filter_names` in method `UberWriteFilterFuzzer::filterNames()`. +In [uber_per_writefilter.cc](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/uber_per_writefilter.cc), add the filter name into the vector `supported_filter_names` in method `UberWriteFilterFuzzer::filterNames()`. ``` const std::vector supported_filter_names = { ... 
@@ -54,8 +54,8 @@ const std::vector supported_filter_names = { # Add test cases into corpus Good test cases can provide good examples for fuzzers to find more paths in the code, increase the coverage and help find bugs more efficiently. -Each test case is a file under the folder [network_readfilter_corpus](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_readfilter_corpus) or [network_writefilter_corpus](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_writefilter_corpus). It consists of two parts: `config` and `actions`. -`config` is the protobuf to instantiate a filter, and `actions` are sequences of actions to take in order to test the filter. +Each test case is a file under the folder [network_readfilter_corpus](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_readfilter_corpus) or [network_writefilter_corpus](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_writefilter_corpus). It consists of two parts: `config` and `actions`. +`config` is the protobuf to instantiate a filter, and `actions` are sequences of actions to take in order to test the filter. An example for testing MongoProxy filter: ``` config { 
@@ -80,14 +80,14 @@ actions { } } ``` -* `config.name` is the name of the filter. -* `config.typed_config.type_url` is the type url of the filter config API. +* `config.name` is the name of the filter. +* `config.typed_config.type_url` is the type url of the filter config API. * `config.typed_config.value` is the serialized string of the config protobuf, and in C++ we can call`config.SerializeAsString()` to obtain this. This string may contain special characters. Recommend using octal or hexadecimal sequence for the string. * `actions.on_data.data` (or `actions.on_write.data`) is the buffer parameter `data`(in string format) for testing ReadFilter's method onData() (or for testing WriteFilter's method onWrite()). This string may contain special characters. Recommend using octal or hexadecimal sequence for the string. * `actions.on_data.end_stream` (or `actions.on_write.end_stream`) is the bool parameter `end_stream` for testing ReadFilter's method onData() (or for testing WriteFilter's method onWrite()). * `actions.on_new_connection` is an action to call `onNewConnection` method of a ReadFilter. * `actions.advance_time.milliseconds` is the duration in milliseconds for the simulatedSystemTime to advance by. -For more details, see the APIs for [ReadFilter Fuzz Testcase](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_readfilter_fuzz.proto) and [WriteFilter Fuzz Testcase](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz.proto). +For more details, see the APIs for [ReadFilter Fuzz Testcase](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_readfilter_fuzz.proto) and [WriteFilter Fuzz Testcase](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz.proto). 
## Convert a unit test case to a fuzz test case manually This section explains an approach to generate a corpus from unit tests. It is an optional step for users who want to generate the highest possible coverage. @@ -105,12 +105,12 @@ static std::string toOct(const std::string& source, const std::string& info) { } ``` In the unit test code, we temporarily add a function(finally we will remove it) like the above one. -Then we can fill in `config.typed_config.value` with the value returned or printed by -```toOct(config.SerializeAsString(), "config serialized string: ")``` +Then we can fill in `config.typed_config.value` with the value returned or printed by +```toOct(config.SerializeAsString(), "config serialized string: ")``` where `config` is the config protobuf in a unit test case. -We can also fill in `actions.on_data.data` or `actions.on_write.data` with the value returned or printed by -```toOct(buffer.toString(), "buffer:")``` +We can also fill in `actions.on_data.data` or `actions.on_write.data` with the value returned or printed by +```toOct(buffer.toString(), "buffer:")``` where `buffer` is the buffer to pass to `onData()` or `onWrite()` in a unit test case. Please note that the two fuzzers use the "real input" for fuzzers. If you are using a mock decoder and pass an empty buffer to onData(), that test case won't help cover much code in the fuzzers(but the config protobuf is still helpful). diff --git a/source/docs/repokitteh.md b/source/docs/repokitteh.md index 1d2b747bdacba..5997332b600f4 100644 --- a/source/docs/repokitteh.md +++ b/source/docs/repokitteh.md 
@@ -8,7 +8,7 @@ The application is installed on specific GitHub repositories and interacts with these by receiving webhooks and making GitHub API calls. A root `repokitteh.star` script tells the application what to do based on the webhook received. ## Integration with Envoy -The file [repokitteh.star](https://github.com/envoyproxy/envoy/blob/master/repokitteh.star), which resides in the root of the Envoy repository tells RepoKitteh what functionality to use. The file is written in the [Starlark language](https://github.com/bazelbuild/starlark/), which is a Python dialect with well defined threading and hermeticity guarantees. +The file [repokitteh.star](https://github.com/envoyproxy/envoy/blob/main/repokitteh.star), which resides in the root of the Envoy repository tells RepoKitteh what functionality to use. The file is written in the [Starlark language](https://github.com/bazelbuild/starlark/), which is a Python dialect with well defined threading and hermeticity guarantees. For example, the statement ``` @@ -75,7 +75,7 @@ Sets the label `waiting:any` on a PR. When a new commit is pushed or any comment [Demo PR](https://github.com/envoyproxy/envoybot/pull/15) -### [CircleCI Retest](https://github.com/repokitteh/modules/blob/master/circleci.star) +### [CircleCI Retest](https://github.com/repokitteh/modules/blob/main/circleci.star) Restart failed CircleCI tests. Example: @@ -86,7 +86,7 @@ Restarts all failed CircleCI tests, as reported in the commit statuses. [Demo PR](https://github.com/envoyproxy/envoy/pull/12613#issuecomment-676141200) -### [Azure Pipelines Retest](https://github.com/envoyproxy/envoy/blob/master/ci/repokitteh/modules/azure_pipelines.star) +### [Azure Pipelines Retest](https://github.com/envoyproxy/envoy/blob/main/ci/repokitteh/modules/azure_pipelines.star) Restart failed Azure pipelines. Example: diff --git a/source/docs/stats.md b/source/docs/stats.md index 418a04f628d74..20c702ca7c106 100644 --- a/source/docs/stats.md +++ b/source/docs/stats.md 
@@ -25,7 +25,7 @@ https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 for details. This requires lock-free access to stats on the fast path -- when proxying requests. For stats, this is implemented in -[ThreadLocalStore](https://github.com/envoyproxy/envoy/blob/master/source/common/stats/thread_local_store.h), supporting the following features: +[ThreadLocalStore](https://github.com/envoyproxy/envoy/blob/main/source/common/stats/thread_local_store.h), supporting the following features: * Thread local per scope stat caching. * Overlapping scopes with proper reference counting (2 scopes with the same name will point to @@ -94,12 +94,12 @@ maintain data continuity as scopes are re-created during operation. Stat names are replicated in several places in various forms. * Held with the stat values, in `CounterImpl`, `GaugeImpl` and `TextReadoutImpl`, which are defined in - [allocator_impl.cc](https://github.com/envoyproxy/envoy/blob/master/source/common/stats/allocator_impl.cc) - * In [MetricImpl](https://github.com/envoyproxy/envoy/blob/master/source/common/stats/metric_impl.h) + [allocator_impl.cc](https://github.com/envoyproxy/envoy/blob/main/source/common/stats/allocator_impl.cc) + * In [MetricImpl](https://github.com/envoyproxy/envoy/blob/main/source/common/stats/metric_impl.h) in a transformed state, with tags extracted into vectors of name/value strings. * In static strings across the codebase where stats are referenced * In a [set of - regexes](https://github.com/envoyproxy/envoy/blob/master/source/common/config/well_known_names.cc) + regexes](https://github.com/envoyproxy/envoy/blob/main/source/common/config/well_known_names.cc) used to perform tag extraction. There are stat maps in `ThreadLocalStore` for capturing all stats in a scope, 
@@ -127,7 +127,7 @@ The transformation between flattened string and symbolized form is CPU-intensive at scale. It requires parsing, encoding, and lookups in a shared map, which must be mutex-protected. To avoid adding latency and CPU overhead while serving requests, the tokens can be symbolized and saved in context classes, such as -[Http::CodeStatsImpl](https://github.com/envoyproxy/envoy/blob/master/source/common/http/codes.h). +[Http::CodeStatsImpl](https://github.com/envoyproxy/envoy/blob/main/source/common/http/codes.h). Symbolization can occur on startup or when new hosts or clusters are configured dynamically. Users of stats that are allocated dynamically per cluster, host, etc, must explicitly store partial stat-names their class instances, which later @@ -184,7 +184,7 @@ showing the memory layout for a few scenarios of constructing and joining symbol There are several ways to create hot-path contention looking up stats by name, and there is no bulletproof way to prevent it from occurring. - * The [stats macros](https://github.com/envoyproxy/envoy/blob/master/include/envoy/stats/stats_macros.h) may be used in a data structure which is constructed in response to requests. + * The [stats macros](https://github.com/envoyproxy/envoy/blob/main/include/envoy/stats/stats_macros.h) may be used in a data structure which is constructed in response to requests. * An explicit symbol-table lookup, via `StatNamePool` or `StatNameSet` can be made in the hot path. 
@@ -208,7 +208,7 @@ SymbolTableImpl::Encoding | | Helper class for incrementally encoding strings in StatName | | Provides an API and a view into a StatName (dynamic orsymbolized). Like absl::string_view, the backing store must be separately maintained. StatNameStorageBase | | Holds storage (an array of bytes) for a dynamic or symbolized StatName StatNameStorage | StatNameStorageBase | Holds storage for a symbolized StatName. Must be explicitly freed (not just destructed). -StatNameManagedStorage | StatNameStorage | Like StatNameStorage, but is 8 bytes larger, and can be destructed without free(). +StatNameManagedStorage | StatNameStorage | Like StatNameStorage, but is 8 bytes larger, and can be destructed without free(). StatNameDynamicStorage | StatNameStorageBase | Holds StatName storage for a dynamic (not symbolized) StatName. StatNamePool | | Holds backing store for any number of symbolized StatNames. StatNameDynamicPool | | Holds backing store for any number of dynamic StatNames. @@ -249,7 +249,7 @@ deployments with O(10k) clusters or hosts. To improve visibility for this memory growth, there are [memory-usage integration -tests](https://github.com/envoyproxy/envoy/blob/master/test/integration/stats_integration_test.cc). +tests](https://github.com/envoyproxy/envoy/blob/main/test/integration/stats_integration_test.cc). If a PR fails the tests in that file due to unexpected memory consumption, it gives the author and reviewer an opportunity to consider the cost/value of the @@ -266,4 +266,3 @@ Developers trying to can iterate through changes in these tests locally with: bazel test -c opt --test_env=ENVOY_MEMORY_TEST_EXACT=true \ test/integration:stats_integration_test ``` - diff --git a/test/README.md b/test/README.md index 2746efe98c8db..85f12625902f1 100644 --- a/test/README.md +++ b/test/README.md 
@@ -10,7 +10,7 @@ various classes, macros, and matchers that Envoy uses from those frameworks. Envoy contains an integration testing framework, for testing downstream-Envoy-upstream communication. -[See the framework's README for more information.](https://github.com/envoyproxy/envoy/blob/master/test/integration/README.md) +[See the framework's README for more information.](https://github.com/envoyproxy/envoy/blob/main/test/integration/README.md) ## Custom matchers @@ -93,7 +93,7 @@ EXPECT_THAT(response->headers(), IsSupersetOfHeaders(required_headers)); ## Controlling time in tests In Envoy production code, time and timers are managed via -[`Event::TimeSystem`](https://github.com/envoyproxy/envoy/blob/master/include/envoy/event/timer.h), +[`Event::TimeSystem`](https://github.com/envoyproxy/envoy/blob/main/include/envoy/event/timer.h), which provides a mechanism for querying the time and setting up time-based callbacks. Bypassing this abstraction in Envoy code is flagged as a format violation in CI. @@ -127,7 +127,7 @@ Envoy uses [Google Benchmark](https://github.com/google/benchmark/) for microbenchmarks. There are custom bazel rules, `envoy_cc_benchmark_binary` and `envoy_benchmark_test`, to execute them locally and in CI environments respectively. `envoy_benchmark_test` rules call the benchmark binary from a -[script](https://github.com/envoyproxy/envoy/blob/master/bazel/test_for_benchmark_wrapper.sh) +[script](https://github.com/envoyproxy/envoy/blob/main/bazel/test_for_benchmark_wrapper.sh) which runs the benchmark with a minimal number of iterations and skipping expensive benchmarks to quickly verify that the binary is able to run to completion. In order to collect meaningful bechmarks, `bazel run -c opt` the 
@@ -135,4 +135,4 @@ benchmark binary target on a quiescent machine. If you would like to detect when your benchmark test is running under the wrapper, call -[`Envoy::benchmark::skipExpensiveBechmarks()`](https://github.com/envoyproxy/envoy/blob/master/test/benchmark/main.h). +[`Envoy::benchmark::skipExpensiveBechmarks()`](https://github.com/envoyproxy/envoy/blob/main/test/benchmark/main.h). diff --git a/test/common/upstream/health_check_fuzz.cc b/test/common/upstream/health_check_fuzz.cc index fa21636cb3356..bc22066325443 100644 --- a/test/common/upstream/health_check_fuzz.cc +++ b/test/common/upstream/health_check_fuzz.cc @@ -296,7 +296,7 @@ void TcpHealthCheckFuzz::raiseEvent(const Network::ConnectionEvent& event_type, } // In the specific case of: - // https://github.com/envoyproxy/envoy/blob/master/source/common/upstream/health_checker_impl.cc#L489 + // https://github.com/envoyproxy/envoy/blob/main/source/common/upstream/health_checker_impl.cc#L489 // This blows away client, should create a new one if (event_type == Network::ConnectionEvent::Connected && empty_response_) { ENVOY_LOG_MISC(trace, "Will create client from connected event and empty response."); diff --git a/test/extensions/filters/network/common/fuzz/README.md b/test/extensions/filters/network/common/fuzz/README.md index 21181c8402a4f..d35fb5d92dbcf 100644 --- a/test/extensions/filters/network/common/fuzz/README.md +++ b/test/extensions/filters/network/common/fuzz/README.md 
@@ -1,2 +1,2 @@ -Network filters need to be fuzzed. Filters come in two flavors, each with their own fuzzer. Read filters should be added into the [Generic ReadFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_readfilter_fuzz_test.cc). Write Filters should added into the [Generic WriteFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/master/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc). Some filters are both raed and write filters: They should be added into both fuzzers. -To add a new filter into generic network level filter fuzzers, see the [doc](https://github.com/envoyproxy/envoy/blob/master/source/docs/network_filter_fuzzing.md). \ No newline at end of file +Network filters need to be fuzzed. Filters come in two flavors, each with their own fuzzer. Read filters should be added into the [Generic ReadFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_readfilter_fuzz_test.cc). Write Filters should added into the [Generic WriteFilter Fuzzer](https://github.com/envoyproxy/envoy/blob/main/test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc). Some filters are both raed and write filters: They should be added into both fuzzers. +To add a new filter into generic network level filter fuzzers, see the [doc](https://github.com/envoyproxy/envoy/blob/main/source/docs/network_filter_fuzzing.md). \ No newline at end of file diff --git a/test/integration/stats_integration_test.cc b/test/integration/stats_integration_test.cc index c264096681f38..1683a3db13dc6 100644 --- a/test/integration/stats_integration_test.cc +++ b/test/integration/stats_integration_test.cc 
@@ -279,7 +279,7 @@ TEST_P(ClusterMemoryTestRunner, MemoryLargeClusterSize) { // vary. // // If you encounter a failure here, please see - // https://github.com/envoyproxy/envoy/blob/master/source/docs/stats.md#stats-memory-tests + // https://github.com/envoyproxy/envoy/blob/main/source/docs/stats.md#stats-memory-tests // for details on how to fix. // // We only run the exact test for ipv6 because ipv4 in some cases may allocate a @@ -325,7 +325,7 @@ TEST_P(ClusterMemoryTestRunner, MemoryLargeHostSizeWithStats) { // at the logs. // // If you encounter a failure here, please see - // https://github.com/envoyproxy/envoy/blob/master/source/docs/stats.md#stats-memory-tests + // https://github.com/envoyproxy/envoy/blob/main/source/docs/stats.md#stats-memory-tests // for details on how to fix. // // We only run the exact test for ipv6 because ipv4 in some cases may allocate a diff --git a/tools/api/generate_go_protobuf.py b/tools/api/generate_go_protobuf.py index 5b25de2dbb0a4..23ef195c84cd9 100755 --- a/tools/api/generate_go_protobuf.py +++ b/tools/api/generate_go_protobuf.py @@ -16,7 +16,7 @@ IMPORT_BASE = 'github.com/envoyproxy/go-control-plane' OUTPUT_BASE = 'build_go' REPO_BASE = 'go-control-plane' -BRANCH = 'master' +BRANCH = 'main' MIRROR_MSG = 'Mirrored from envoyproxy/envoy @ ' USER_NAME = 'go-control-plane(Azure Pipelines)' USER_EMAIL = 'go-control-plane@users.noreply.github.com' diff --git a/tools/git/last_github_commit.sh b/tools/git/last_github_commit.sh index 9746d259ac3ba..2ca2fb0fda29e 100755 --- a/tools/git/last_github_commit.sh +++ b/tools/git/last_github_commit.sh 
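Review bot: `BRANCH = 'main'` in generate_go_protobuf.py selects the branch this script pushes mirrored protos to in the separate go-control-plane repository (see `REPO_BASE`), not a branch of envoy itself, so the change is only correct if that repository's default branch was renamed in lockstep; if it was not, the mirror job would start pushing to a fresh `main` branch while consumers keep tracking `master`. This is doubly worth confirming on a 1.16 backport, where the release branch may need a different target than upstream. If the two can diverge, an override keeps the constant from having to be patched per branch, e.g. `BRANCH = os.environ.get('GO_CONTROL_PLANE_BRANCH', 'main')` (assuming `os` is already imported or is added), with a short comment above it stating that the value names a branch of go-control-plane, not of envoy.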
@@ -1,8 +1,8 @@
 #!/bin/bash
-# Looking back from HEAD, find the first commit that was merged onto master by GitHub. This is
+# Looking back from HEAD, find the first commit that was merged onto main by GitHub. This is
 # likely the last non-local change on a given branch. There may be some exceptions for this
-# heuristic, e.g. when patches are manually merged for security fixes on master, but this is very
+# heuristic, e.g. when patches are manually merged for security fixes on main, but this is very
 # rare.
 git rev-list --no-merges --committer="GitHub " --max-count=1 HEAD
diff --git a/tools/proto_format/proto_sync.py b/tools/proto_format/proto_sync.py
index 47d95871833d2..ccba28eb718d3 100755
--- a/tools/proto_format/proto_sync.py
+++ b/tools/proto_format/proto_sync.py
@@ -433,7 +433,7 @@ def Sync(api_root, mode, labels, shadow):
 if deleted_files:
 print('The following files will be deleted: %s' % sorted(deleted_files))
 print(
- 'If this is not intended, please see https://github.com/envoyproxy/envoy/blob/master/api/STYLE.md#adding-an-extension-configuration-to-the-api.'
+ 'If this is not intended, please see https://github.com/envoyproxy/envoy/blob/main/api/STYLE.md#adding-an-extension-configuration-to-the-api.'
 )
 if input('Delete files? [yN] ').strip().lower() == 'y':
 subprocess.run(['patch', '-p1'], input=diff, cwd=str(api_root_path.resolve()))
From d753c8ef017c8c8d59f001b4ec4f75b711553a0b Mon Sep 17 00:00:00 2001
From: Rei Shimizu
Date: Wed, 3 Mar 2021 23:46:18 +0900
Subject: [PATCH 11/11] backport 1.16: http: reinstating prior connect timeout behavior (#15233)

#10854 inadvertently changed the behavior of connect timeouts. This reinstates prior behavior.

Risk Level: Low (reinstating prior behavior)
Testing: added regression test
Docs Changes: n/a
Release Notes: inline
Signed-off-by: Shikugawa
Co-authored-by: alyssawilk
---
 docs/root/version_history/current.rst | 2 +
 source/common/router/upstream_request.cc | 7 ++-
 source/common/runtime/runtime_features.cc | 1 +
 test/common/router/router_test.cc | 70 +++++++++++++++++++++++
 4 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 28bf35fa34413..f3d04e7ae2e97 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -14,6 +14,8 @@ Bug Fixes
 *Changes expected to improve the state of the world and are unlikely to have negative effects*
 * aggregate cluster: fixed a crash due to a TLS initialization issue.
+* http: reverting a behavioral change where upstream connect timeouts were temporarily treated differently from other connection failures. The change back to the original behavior can be temporarily reverted by setting `envoy.reloadable_features.treat_upstream_connect_timeout_as_connect_failure` to false.
+
 * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection().
 * overload: fix a bug that can cause use-after-free when one scaled timer disables another one with the same duration.
 * tls: fix detection of the upstream connection close event.
diff --git a/source/common/router/upstream_request.cc b/source/common/router/upstream_request.cc
index 5722deb78372c..4e0ffbd392752 100644
--- a/source/common/router/upstream_request.cc
+++ b/source/common/router/upstream_request.cc
@@ -340,7 +340,12 @@ void UpstreamRequest::onPoolFailure(ConnectionPool::PoolFailureReason reason,
 reset_reason = Http::StreamResetReason::ConnectionFailure;
 break;
 case ConnectionPool::PoolFailureReason::Timeout:
- reset_reason = Http::StreamResetReason::LocalReset;
+ if (Runtime::runtimeFeatureEnabled(
+ "envoy.reloadable_features.treat_upstream_connect_timeout_as_connect_failure")) {
+ reset_reason = Http::StreamResetReason::ConnectionFailure;
+ } else {
+ reset_reason = Http::StreamResetReason::LocalReset;
+ }
 }
 // Mimic an upstream reset.
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
index 56a7eb8189cbb..35c1b8585a111 100644
--- a/source/common/runtime/runtime_features.cc
+++ b/source/common/runtime/runtime_features.cc
@@ -89,6 +89,7 @@ constexpr const char* runtime_features[] = {
 "envoy.reloadable_features.stop_faking_paths",
 "envoy.reloadable_features.strict_1xx_and_204_response_headers",
 "envoy.reloadable_features.tls_use_io_handle_bio",
+ "envoy.reloadable_features.treat_upstream_connect_timeout_as_connect_failure",
 "envoy.reloadable_features.unify_grpc_handling",
 "envoy.restart_features.use_apple_api_for_dns_lookups",
 };
diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc
index f739a2c857eee..54365731d78f8 100644
--- a/test/common/router/router_test.cc
+++ b/test/common/router/router_test.cc
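Review bot: The new `Timeout` case ends without a `break;` while the preceding `ConnectionFailure` case has one; it only works because `Timeout` is currently the last label before the switch closes, which is fragile if another `PoolFailureReason` is appended later, so add `break;` after the `else` block. The branch also deserves a comment on intent, because the reset reason chosen here drives the response flag recorded for the stream (the regression test expects `UpstreamConnectionFailure` with the feature on and `LocalReset` with it off) and therefore what operators see in access logs and detection rules keyed on those flags: `// A connect timeout is a connection failure (the pre-#10854 behavior); the runtime guard only permits a temporary rollback to LocalReset.` The enclosing switch in onPoolFailure starts before the hunk, so whether it has a default case cannot be seen here.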
@@ -510,6 +510,76 @@ TEST_F(RouterTest, PoolFailureWithPriority) {
 "upstream_reset_before_response_started{connection failure,tls version mismatch}");
 }
+TEST_F(RouterTest, PoolFailureDueToConnectTimeout) {
+ ON_CALL(callbacks_.route_->route_entry_, priority())
+ .WillByDefault(Return(Upstream::ResourcePriority::High));
+ EXPECT_CALL(cm_, httpConnPoolForCluster(_, Upstream::ResourcePriority::High, _, &router_));
+ EXPECT_CALL(cm_.conn_pool_, newStream(_, _))
+ .WillOnce(Invoke([&](Http::StreamDecoder&, Http::ConnectionPool::Callbacks& callbacks)
+ -> Http::ConnectionPool::Cancellable* {
+ callbacks.onPoolFailure(ConnectionPool::PoolFailureReason::Timeout, "connect_timeout",
+ cm_.conn_pool_.host_);
+ return nullptr;
+ }));
+
+ Http::TestResponseHeaderMapImpl response_headers{
+ {":status", "503"}, {"content-length", "134"}, {"content-type", "text/plain"}};
+ EXPECT_CALL(callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), false));
+ EXPECT_CALL(callbacks_, encodeData(_, true));
+ EXPECT_CALL(callbacks_.stream_info_,
+ setResponseFlag(StreamInfo::ResponseFlag::UpstreamConnectionFailure));
+ EXPECT_CALL(callbacks_.stream_info_, onUpstreamHostSelected(_))
+ .WillOnce(Invoke([&](const Upstream::HostDescriptionConstSharedPtr host) -> void {
+ EXPECT_EQ(host_address_, host->address());
+ }));
+
+ Http::TestRequestHeaderMapImpl headers;
+ HttpTestUtility::addDefaultHeaders(headers);
+ router_.decodeHeaders(headers, true);
+ EXPECT_TRUE(verifyHostUpstreamStats(0, 1));
+ // Pool failure, so upstream request was not initiated.
+ EXPECT_EQ(0U,
+ callbacks_.route_->route_entry_.virtual_cluster_.stats().upstream_rq_total_.value());
+ EXPECT_EQ(callbacks_.details(),
+ "upstream_reset_before_response_started{connection failure,connect_timeout}");
+}
+
+TEST_F(RouterTest, PoolFailureDueToConnectTimeoutLegacy) {
+ TestScopedRuntime scoped_runtime;
+ Runtime::LoaderSingleton::getExisting()->mergeValues(
+ {{"envoy.reloadable_features.treat_upstream_connect_timeout_as_connect_failure", "false"}});
+ ON_CALL(callbacks_.route_->route_entry_, priority())
+ .WillByDefault(Return(Upstream::ResourcePriority::High));
+ EXPECT_CALL(cm_, httpConnPoolForCluster(_, Upstream::ResourcePriority::High, _, &router_));
+ EXPECT_CALL(cm_.conn_pool_, newStream(_, _))
+ .WillOnce(Invoke([&](Http::StreamDecoder&, Http::ConnectionPool::Callbacks& callbacks)
+ -> Http::ConnectionPool::Cancellable* {
+ callbacks.onPoolFailure(ConnectionPool::PoolFailureReason::Timeout, "connect_timeout",
+ cm_.conn_pool_.host_);
+ return nullptr;
+ }));
+
+ Http::TestResponseHeaderMapImpl response_headers{
+ {":status", "503"}, {"content-length", "127"}, {"content-type", "text/plain"}};
+ EXPECT_CALL(callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), false));
+ EXPECT_CALL(callbacks_, encodeData(_, true));
+ EXPECT_CALL(callbacks_.stream_info_, setResponseFlag(StreamInfo::ResponseFlag::LocalReset));
+ EXPECT_CALL(callbacks_.stream_info_, onUpstreamHostSelected(_))
+ .WillOnce(Invoke([&](const Upstream::HostDescriptionConstSharedPtr host) -> void {
+ EXPECT_EQ(host_address_, host->address());
+ }));
+
+ Http::TestRequestHeaderMapImpl headers;
+ HttpTestUtility::addDefaultHeaders(headers);
+ router_.decodeHeaders(headers, true);
+ EXPECT_TRUE(verifyHostUpstreamStats(0, 1));
+ // Pool failure, so upstream request was not initiated.
+ EXPECT_EQ(0U,
+ callbacks_.route_->route_entry_.virtual_cluster_.stats().upstream_rq_total_.value());
+ EXPECT_EQ(callbacks_.details(),
+ "upstream_reset_before_response_started{local reset,connect_timeout}");
+}
+
 TEST_F(RouterTest, Http1Upstream) {
 EXPECT_CALL(cm_, httpConnPoolForCluster(_, _, absl::optional(), _));
 EXPECT_CALL(cm_.conn_pool_, newStream(_, _)).WillOnce(Return(&cancellable_));
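Review bot: `PoolFailureDueToConnectTimeout` and `PoolFailureDueToConnectTimeoutLegacy` repeat roughly thirty lines of identical mock setup and assertions, differing only in the runtime override, the expected response flag, the `content-length` value and the details string. A fixture helper taking those four values (a constructed name such as `runConnectTimeoutPoolFailure(...)`) would keep the two cases in lockstep when the shared setup changes. The `"134"` and `"127"` literals are also unexplained magic numbers; a one-line comment noting that they are the length of the 503 body, which embeds the details string, would save the next reader from recomputing them.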