diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD index d430aeddafc4..66a251688205 100644 --- a/include/envoy/secret/BUILD +++ b/include/envoy/secret/BUILD @@ -8,10 +8,16 @@ load( envoy_package() +envoy_cc_library( + name = "secret_callbacks_interface", + hdrs = ["secret_callbacks.h"], +) + envoy_cc_library( name = "dynamic_secret_provider_interface", hdrs = ["dynamic_secret_provider.h"], deps = [ + "secret_callbacks_interface", "//include/envoy/ssl:tls_certificate_config_interface", ], ) diff --git a/include/envoy/secret/dynamic_secret_provider.h b/include/envoy/secret/dynamic_secret_provider.h index 99f0a11db085..9d2111fa87f8 100644 --- a/include/envoy/secret/dynamic_secret_provider.h +++ b/include/envoy/secret/dynamic_secret_provider.h @@ -2,6 +2,7 @@ #include +#include "envoy/secret/secret_callbacks.h" #include "envoy/ssl/tls_certificate_config.h" namespace Envoy { @@ -18,9 +19,12 @@ class DynamicSecretProvider { * @return the TlsCertificate secret. Returns nullptr if the secret is not found. */ virtual const Ssl::TlsCertificateConfig* secret() const PURE; + + virtual void addUpdateCallback(SecretCallbacks& callback) PURE; + virtual void removeUpdateCallback(SecretCallbacks& callback) PURE; }; typedef std::shared_ptr DynamicSecretProviderSharedPtr; } // namespace Secret -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/include/envoy/secret/secret_callbacks.h b/include/envoy/secret/secret_callbacks.h new file mode 100644 index 000000000000..fd90b4bd636d --- /dev/null +++ b/include/envoy/secret/secret_callbacks.h @@ -0,0 +1,22 @@ +#pragma once + +#include +#include + +#include "envoy/common/pure.h" + +namespace Envoy { +namespace Secret { + +/** + * Callbacks invoked by a secret manager. + */ +class SecretCallbacks { +public: + virtual ~SecretCallbacks() {} + + virtual void onAddOrUpdateSecret() PURE; +}; + +} // namespace Secret +} // namespace Envoy diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index a75bdd169690..f3c2be3b2a6d 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -138,6 +138,8 @@ class ClientContextConfig : public virtual ContextConfig { virtual bool allowRenegotiation() const PURE; }; +typedef std::unique_ptr ClientContextConfigPtr; + class ServerContextConfig : public virtual ContextConfig { public: struct SessionTicketKey { @@ -159,5 +161,7 @@ class ServerContextConfig : public virtual ContextConfig { virtual const std::vector& sessionTicketKeys() const PURE; }; +typedef std::unique_ptr ServerContextConfigPtr; + } // namespace Ssl } // namespace Envoy diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD index 722e4a773387..0615f74b7e41 100644 --- a/source/common/secret/BUILD +++ b/source/common/secret/BUILD @@ -17,7 +17,6 @@ envoy_cc_library( "//include/envoy/secret:secret_manager_interface", "//include/envoy/server:instance_interface", "//source/common/common:minimal_logger_lib", - "//source/common/ssl:tls_certificate_config_impl_lib", "@envoy_api//envoy/api/v2/auth:cert_cc", ], ) @@ -29,7 +28,6 @@ envoy_cc_library( deps = [ "//include/envoy/config:subscription_interface", "//include/envoy/server:instance_interface", - "//source/common/common:minimal_logger_lib", "//source/common/config:resources_lib", "//source/common/config:subscription_factory_lib", "//source/common/ssl:tls_certificate_config_impl_lib", diff --git a/source/common/secret/sds_api.cc b/source/common/secret/sds_api.cc index 0eb5c08c19c2..5c9f2d998a8b 100644 --- a/source/common/secret/sds_api.cc +++ b/source/common/secret/sds_api.cc @@ -51,9 +51,19 @@ void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) const uint64_t new_hash = MessageUtil::hash(secret); if (new_hash != secret_hash_ && secret.type_case() == envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate) { - tls_certificate_secrets_ = - std::make_unique(secret.tls_certificate()); secret_hash_ = new_hash; + { + std::unique_lock lhs(secret_mutex_); + tls_certificate_secrets_ = + std::make_unique(secret.tls_certificate()); + } + + { + std::shared_lock lhs(update_callbacks_mutex_); + for (auto cb : update_callbacks_) { + cb->onAddOrUpdateSecret(); + } + } } runInitializeCallbackIfAny(); @@ -72,4 +82,4 @@ void SdsApi::runInitializeCallbackIfAny() { } } // namespace Secret -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/source/common/secret/sds_api.h b/source/common/secret/sds_api.h index 4dee7c14ebaf..005e4c5edc1b 100644 --- a/source/common/secret/sds_api.h +++ b/source/common/secret/sds_api.h @@ -1,10 +1,12 @@ #pragma once #include +#include #include "envoy/api/v2/auth/cert.pb.h" #include "envoy/api/v2/core/config_source.pb.h" #include "envoy/config/subscription.h" +#include "envoy/secret/dynamic_secret_provider.h" #include "envoy/server/instance.h" namespace Envoy { @@ -33,9 +35,19 @@ class SdsApi : public Init::Target, // DynamicSecretProvider const Ssl::TlsCertificateConfig* secret() const override { + std::shared_lock lhs(secret_mutex_); return tls_certificate_secrets_.get(); } + void addUpdateCallback(SecretCallbacks& callback) override { + std::unique_lock lhs(update_callbacks_mutex_); + update_callbacks_.push_back(&callback); + } + void removeUpdateCallback(SecretCallbacks& callback) override { + std::unique_lock lhs(update_callbacks_mutex_); + update_callbacks_.remove(&callback); + } + private: void runInitializeCallbackIfAny(); @@ -45,11 +57,15 @@ class SdsApi : public Init::Target, std::function initialize_callback_; std::string sds_config_name_; - uint64_t secret_hash_; + std::size_t secret_hash_{}; Ssl::TlsCertificateConfigPtr tls_certificate_secrets_; + mutable std::shared_timed_mutex secret_mutex_; + + std::list update_callbacks_; + mutable std::shared_timed_mutex update_callbacks_mutex_; }; typedef std::unique_ptr SdsApiPtr; } // namespace Secret -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc index faf7ad4b80b5..d6092c91fa0f 100644 --- a/source/common/secret/secret_manager_impl.cc +++ b/source/common/secret/secret_manager_impl.cc @@ -58,4 +58,4 @@ DynamicSecretProviderSharedPtr SecretManagerImpl::findOrCreateDynamicSecretProvi } } // namespace Secret -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h index 3e1b1ad89923..7e6ad3fda68b 100644 --- a/source/common/secret/secret_manager_impl.h +++ b/source/common/secret/secret_manager_impl.h @@ -18,6 +18,7 @@ class SecretManagerImpl : public SecretManager, Logger::LoggablecertificateChain(); private_key_ = secret->privateKey(); @@ -106,7 +106,7 @@ void ContextConfigImpl::readCertChainConfig(const envoy::api::v2::auth::CommonTl } } else { secret_provider_ = secret_manager_.findOrCreateDynamicSecretProvider( - config.tls_certificate_sds_secret_configs()[0].sds_config(), secret_name); + secret_config.sds_config(), secret_name); return; } } @@ -136,7 +136,6 @@ const std::string& ContextConfigImpl::certChain() const { if (secret_provider_ && secret_provider_->secret()) { return secret_provider_->secret()->certificateChain(); } - return cert_chain_; } @@ -144,7 +143,6 @@ const std::string& ContextConfigImpl::privateKey() const { if (secret_provider_ && secret_provider_->secret()) { return secret_provider_->secret()->privateKey(); } - return private_key_; } diff --git a/source/common/ssl/context_manager_impl.cc b/source/common/ssl/context_manager_impl.cc index e3d8e2a6ae26..4e41564c89da 100644 --- a/source/common/ssl/context_manager_impl.cc +++ b/source/common/ssl/context_manager_impl.cc @@ -22,6 +22,10 @@ void ContextManagerImpl::removeContext(Context* context) { ClientContextSharedPtr ContextManagerImpl::createSslClientContext(Stats::Scope& scope, const ClientContextConfig& config) { + if (!config.isValid()) { + return nullptr; + } + ClientContextSharedPtr context(new ClientContextImpl(*this, scope, config)); std::unique_lock lock(contexts_lock_); contexts_.emplace_back(context.get()); @@ -31,6 +35,10 @@ ContextManagerImpl::createSslClientContext(Stats::Scope& scope, const ClientCont ServerContextSharedPtr ContextManagerImpl::createSslServerContext(Stats::Scope& scope, const ServerContextConfig& config, const std::vector& server_names) { + if (!config.isValid()) { + return nullptr; + } + ServerContextSharedPtr context( new ServerContextImpl(*this, scope, config, server_names, runtime_)); std::unique_lock lock(contexts_lock_); diff --git a/source/common/ssl/ssl_socket.cc b/source/common/ssl/ssl_socket.cc index 6d8847d289ba..4452a6290dac 100644 --- a/source/common/ssl/ssl_socket.cc +++ b/source/common/ssl/ssl_socket.cc @@ -373,12 +373,24 @@ std::string SslSocket::subjectLocalCertificate() const { return getSubjectFromCertificate(cert); } -ClientSslSocketFactory::ClientSslSocketFactory(const ClientContextConfig& config, +ClientSslSocketFactory::ClientSslSocketFactory(ClientContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope) - : manager_(manager), ssl_ctx_(manager.createSslClientContext(stats_scope, config)) {} + : manager_(manager), stats_scope_(stats_scope), config_(std::move(config)), + ssl_ctx_(manager.createSslClientContext(stats_scope, *config_)) { + if (config_->getDynamicSecretProvider()) { + config_->getDynamicSecretProvider()->addUpdateCallback(*this); + } +} -ClientSslSocketFactory::~ClientSslSocketFactory() { manager_.removeContext(ssl_ctx_.get()); } +ClientSslSocketFactory::~ClientSslSocketFactory() { + if (ssl_ctx_) { + manager_.removeContext(ssl_ctx_.get()); + } + if (config_->getDynamicSecretProvider()) { + config_->getDynamicSecretProvider()->removeUpdateCallback(*this); + } +} Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() const { return std::make_unique(ssl_ctx_, Ssl::InitialState::Client); @@ -386,14 +398,34 @@ Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() cons bool ClientSslSocketFactory::implementsSecureTransport() const { return true; } -ServerSslSocketFactory::ServerSslSocketFactory(const ServerContextConfig& config, +void ClientSslSocketFactory::onAddOrUpdateSecret() { + if (ssl_ctx_) { + ENVOY_LOG(debug, "listener socket updated"); + manager_.removeContext(ssl_ctx_.get()); + } + ssl_ctx_ = manager_.createSslClientContext(stats_scope_, *config_); +} + +ServerSslSocketFactory::ServerSslSocketFactory(ServerContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope, const std::vector& server_names) - : manager_(manager), - ssl_ctx_(manager.createSslServerContext(stats_scope, config, server_names)) {} + : manager_(manager), stats_scope_(stats_scope), config_(std::move(config)), + ssl_ctx_(manager.createSslServerContext(stats_scope, *config_, server_names)), + server_names_(server_names) { + if (config_->getDynamicSecretProvider()) { + config_->getDynamicSecretProvider()->addUpdateCallback(*this); + } +} -ServerSslSocketFactory::~ServerSslSocketFactory() { manager_.removeContext(ssl_ctx_.get()); } +ServerSslSocketFactory::~ServerSslSocketFactory() { + if (ssl_ctx_) { + manager_.removeContext(ssl_ctx_.get()); + } + if (config_->getDynamicSecretProvider()) { + config_->getDynamicSecretProvider()->removeUpdateCallback(*this); + } +} Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() const { return std::make_unique(ssl_ctx_, Ssl::InitialState::Server); @@ -401,5 +433,13 @@ Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() cons bool ServerSslSocketFactory::implementsSecureTransport() const { return true; } +void ServerSslSocketFactory::onAddOrUpdateSecret() { + if (ssl_ctx_) { + ENVOY_LOG(debug, "listener socket updated"); + manager_.removeContext(ssl_ctx_.get()); + } + ssl_ctx_ = manager_.createSslServerContext(stats_scope_, *config_, server_names_); +} + } // namespace Ssl } // namespace Envoy diff --git a/source/common/ssl/ssl_socket.h b/source/common/ssl/ssl_socket.h index e4682d71b129..d76221298006 100644 --- a/source/common/ssl/ssl_socket.h +++ b/source/common/ssl/ssl_socket.h @@ -5,6 +5,7 @@ #include "envoy/network/connection.h" #include "envoy/network/transport_socket.h" +#include "envoy/secret/secret_callbacks.h" #include "common/common/logger.h" #include "common/ssl/context_impl.h" @@ -64,33 +65,52 @@ class SslSocket : public Network::TransportSocket, mutable std::string cached_url_encoded_pem_encoded_peer_certificate_; }; -class ClientSslSocketFactory : public Network::TransportSocketFactory { +class ClientSslSocketFactory : public Network::TransportSocketFactory, + public Secret::SecretCallbacks, + Logger::Loggable { public: - ClientSslSocketFactory(const ClientContextConfig& config, Ssl::ContextManager& manager, + ClientSslSocketFactory(ClientContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope); - ~ClientSslSocketFactory(); + virtual ~ClientSslSocketFactory(); Network::TransportSocketPtr createTransportSocket() const override; bool implementsSecureTransport() const override; + // Secret::SecretCallbacks + void onAddOrUpdateSecret() override; + private: Ssl::ContextManager& manager_; + Stats::Scope& stats_scope_; + ClientContextConfigPtr config_; ClientContextSharedPtr ssl_ctx_; }; -class ServerSslSocketFactory : public Network::TransportSocketFactory { +typedef std::unique_ptr ClientContextConfigPtr; + +class ServerSslSocketFactory : public Network::TransportSocketFactory, + public Secret::SecretCallbacks, + Logger::Loggable { public: - ServerSslSocketFactory(const ServerContextConfig& config, Ssl::ContextManager& manager, + ServerSslSocketFactory(ServerContextConfigPtr config, Ssl::ContextManager& manager, Stats::Scope& stats_scope, const std::vector& server_names); - ~ServerSslSocketFactory(); + virtual ~ServerSslSocketFactory(); Network::TransportSocketPtr createTransportSocket() const override; bool implementsSecureTransport() const override; + // Secret::SecretCallbacks + void onAddOrUpdateSecret() override; + private: Ssl::ContextManager& manager_; + Stats::Scope& stats_scope_; + ServerContextConfigPtr config_; ServerContextSharedPtr ssl_ctx_; + const std::vector server_names_; }; +typedef std::unique_ptr ServerContextConfigPtr; + } // namespace Ssl } // namespace Envoy diff --git a/source/common/ssl/tls_certificate_config_impl.cc b/source/common/ssl/tls_certificate_config_impl.cc index 4f0afeb49733..dabe97a1e4fc 100644 --- a/source/common/ssl/tls_certificate_config_impl.cc +++ b/source/common/ssl/tls_certificate_config_impl.cc @@ -1,5 +1,7 @@ #include "common/ssl/tls_certificate_config_impl.h" +#include + #include "envoy/common/exception.h" #include "common/config/datasource.h" diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc index ab14e685f0b2..c4f49fb85b06 100644 --- a/source/common/upstream/upstream_impl.cc +++ b/source/common/upstream/upstream_impl.cc @@ -141,9 +141,13 @@ HostImpl::createConnection(Event::Dispatcher& dispatcher, const ClusterInfo& clu connection_options = options; } + auto transport_socket = cluster.transportSocketFactory().createTransportSocket(); + if (!transport_socket) { + return nullptr; + } + Network::ClientConnectionPtr connection = dispatcher.createClientConnection( - address, cluster.sourceAddress(), cluster.transportSocketFactory().createTransportSocket(), - connection_options); + address, cluster.sourceAddress(), std::move(transport_socket), connection_options); connection->setBufferLimits(cluster.perConnectionBufferLimitBytes()); return connection; } diff --git a/source/extensions/transport_sockets/ssl/config.cc b/source/extensions/transport_sockets/ssl/config.cc index c0c0feec1970..d665eb45f20d 100644 --- a/source/extensions/transport_sockets/ssl/config.cc +++ b/source/extensions/transport_sockets/ssl/config.cc @@ -16,12 +16,14 @@ namespace SslTransport { Network::TransportSocketFactoryPtr UpstreamSslSocketFactory::createTransportSocketFactory( const Protobuf::Message& message, Server::Configuration::TransportSocketFactoryContext& context) { - return std::make_unique( - Ssl::ClientContextConfigImpl( + std::unique_ptr upstream_config = + std::make_unique( MessageUtil::downcastAndValidate( message), - context.secretManager()), - context.sslContextManager(), context.statsScope()); + context.secretManager()); + + return std::make_unique( + std::move(upstream_config), context.sslContextManager(), context.statsScope()); } ProtobufTypes::MessagePtr UpstreamSslSocketFactory::createEmptyConfigProto() { @@ -35,12 +37,15 @@ static Registry::RegisterFactory& server_names) { - return std::make_unique( - Ssl::ServerContextConfigImpl( + std::unique_ptr downstream_config = + std::make_unique( MessageUtil::downcastAndValidate( message), - context.secretManager()), - context.sslContextManager(), context.statsScope(), server_names); + context.secretManager()); + + return std::make_unique(std::move(downstream_config), + context.sslContextManager(), + context.statsScope(), server_names); } ProtobufTypes::MessagePtr DownstreamSslSocketFactory::createEmptyConfigProto() { diff --git a/source/server/connection_handler_impl.cc b/source/server/connection_handler_impl.cc index 854180cd4914..e2dd241c35fc 100644 --- a/source/server/connection_handler_impl.cc +++ b/source/server/connection_handler_impl.cc @@ -196,6 +196,14 @@ void ConnectionHandlerImpl::ActiveListener::newConnection(Network::ConnectionSoc } auto transport_socket = filter_chain->transportSocketFactory().createTransportSocket(); + if (!transport_socket) { + ENVOY_LOG_TO_LOGGER(parent_.logger_, debug, + "closing connection: transport socket was not created yet"); + // TODO(jaebong) update stats + socket->close(); + return; + } + Network::ConnectionPtr new_connection = parent_.dispatcher_.createServerConnection(std::move(socket), std::move(transport_socket)); new_connection->setBufferLimits(config_.perConnectionBufferLimitBytes()); diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index 32759e6925ea..afc37a8d9a6f 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -444,10 +444,11 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/clientkey.pem")); } - Ssl::ClientContextConfigImpl cfg(tls_context, server_.secretManager()); + Ssl::ClientContextConfigPtr cfg = + std::make_unique(tls_context, server_.secretManager()); - mock_cluster_info_->transport_socket_factory_ = - std::make_unique(cfg, context_manager_, *stats_store_); + mock_cluster_info_->transport_socket_factory_ = std::make_unique( + std::move(cfg), context_manager_, *stats_store_); ON_CALL(*mock_cluster_info_, transportSocketFactory()) .WillByDefault(ReturnRef(*mock_cluster_info_->transport_socket_factory_)); async_client_transport_socket_ = @@ -474,11 +475,12 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); } - Ssl::ServerContextConfigImpl cfg(tls_context, server_.secretManager()); + Ssl::ServerContextConfigPtr cfg = + std::make_unique(tls_context, server_.secretManager()); static Stats::Scope* upstream_stats_store = new Stats::IsolatedStoreImpl(); return std::make_unique( - cfg, context_manager_, *upstream_stats_store, std::vector{}); + std::move(cfg), context_manager_, *upstream_stats_store, std::vector{}); } bool use_client_cert_{}; diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc index d638d699ac8d..ab90f5dd8678 100644 --- a/test/common/ssl/context_impl_test.cc +++ b/test/common/ssl/context_impl_test.cc @@ -621,7 +621,7 @@ TEST(ServerContextImplTest, TlsCertificateNonEmpty) { ContextManagerImpl manager(runtime); Stats::IsolatedStoreImpl store; EXPECT_THROW_WITH_MESSAGE(ServerContextSharedPtr server_ctx(manager.createSslServerContext( - store, client_context_config, std::vector{})), + store, server_context_config, std::vector{})), EnvoyException, "Server TlsCertificates must have a certificate specified"); } diff --git a/test/common/ssl/ssl_socket_test.cc b/test/common/ssl/ssl_socket_test.cc index 8a0ad0ffaf7f..34c2d052c41e 100644 --- a/test/common/ssl/ssl_socket_test.cc +++ b/test/common/ssl/ssl_socket_test.cc @@ -55,10 +55,11 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Server::MockInstance server; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager()); + ServerContextConfigPtr server_ctx_config = + std::make_unique(*server_ctx_loader, server.secretManager()); ContextManagerImpl manager(runtime); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - std::vector{}); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, std::vector{}); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(version), nullptr, @@ -68,8 +69,10 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); - Ssl::ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = + std::make_unique(*client_ctx_loader, server.secretManager()); + Ssl::ClientSslSocketFactory client_ssl_socket_factory(std::move(client_ctx_config), manager, + stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), client_ssl_socket_factory.createTransportSocket(), nullptr); @@ -154,10 +157,10 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, const auto& filter_chain = server_proto.filter_chains(0); std::vector server_names(filter_chain.filter_chain_match().server_names().begin(), filter_chain.filter_chain_match().server_names().end()); - Ssl::ServerContextConfigImpl server_ctx_config(filter_chain.tls_context(), - server.secretManager()); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - server_names); + Ssl::ServerContextConfigPtr server_ctx_config = std::make_unique( + filter_chain.tls_context(), server.secretManager()); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, server_names); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(version), nullptr, @@ -166,9 +169,12 @@ const std::string testUtilV2(const envoy::api::v2::Listener& server_proto, Network::MockConnectionHandler connection_handler; Network::ListenerPtr listener = dispatcher.createListener(socket, callbacks, true, false); - ClientContextConfigImpl client_ctx_config(client_ctx_proto, server.secretManager()); - ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); - ClientContextSharedPtr client_ctx(manager.createSslClientContext(stats_store, client_ctx_config)); + ClientContextConfigPtr client_ctx_config = + std::make_unique(client_ctx_proto, server.secretManager()); + ClientContextSharedPtr client_ctx( + manager.createSslClientContext(stats_store, *client_ctx_config)); + ClientSslSocketFactory client_ssl_socket_factory(std::move(client_ctx_config), manager, + stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), client_ssl_socket_factory.createTransportSocket(), nullptr); @@ -1517,10 +1523,11 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigPtr server_ctx_config = + std::make_unique(*server_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - std::vector{}); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, std::vector{}); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, @@ -1575,10 +1582,11 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigPtr server_ctx_config = + std::make_unique(*server_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - std::vector{}); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, std::vector{}); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, @@ -1596,8 +1604,10 @@ TEST_P(SslSocketTest, HalfClose) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager()); - ClientSslSocketFactory client_ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = + std::make_unique(*client_ctx_loader, server_.secretManager()); + ClientSslSocketFactory client_ssl_socket_factory(std::move(client_ctx_config), manager, + stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), client_ssl_socket_factory.createTransportSocket(), nullptr); @@ -1659,10 +1669,11 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server.secretManager()); + ServerContextConfigPtr server_ctx_config = + std::make_unique(*server_ctx_loader, server.secretManager()); ContextManagerImpl manager(runtime); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - std::vector{}); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, std::vector{}); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, @@ -1679,8 +1690,9 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); - ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = + std::make_unique(*client_ctx_loader, server.secretManager()); + ClientSslSocketFactory ssl_socket_factory(std::move(client_ctx_config), manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), ssl_socket_factory.createTransportSocket(), nullptr); @@ -1741,12 +1753,14 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Json::ObjectSharedPtr server_ctx_loader1 = TestEnvironment::jsonLoadFromString(server_ctx_json1); Json::ObjectSharedPtr server_ctx_loader2 = TestEnvironment::jsonLoadFromString(server_ctx_json2); - ServerContextConfigImpl server_ctx_config1(*server_ctx_loader1, server.secretManager()); - ServerContextConfigImpl server_ctx_config2(*server_ctx_loader2, server.secretManager()); - Ssl::ServerSslSocketFactory server_ssl_socket_factory1(server_ctx_config1, manager, stats_store, - server_names1); - Ssl::ServerSslSocketFactory server_ssl_socket_factory2(server_ctx_config2, manager, stats_store, - server_names2); + ServerContextConfigPtr server_ctx_config1 = + std::make_unique(*server_ctx_loader1, server.secretManager()); + ServerContextConfigPtr server_ctx_config2 = + std::make_unique(*server_ctx_loader2, server.secretManager()); + Ssl::ServerSslSocketFactory server_ssl_socket_factory1(std::move(server_ctx_config1), manager, + stats_store, server_names1); + Ssl::ServerSslSocketFactory server_ssl_socket_factory2(std::move(server_ctx_config2), manager, + stats_store, server_names2); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket1(Network::Test::getCanonicalLoopbackAddress(ip_version), nullptr, @@ -1759,8 +1773,9 @@ void testTicketSessionResumption(const std::string& server_ctx_json1, Network::ListenerPtr listener2 = dispatcher.createListener(socket2, callbacks, true, false); Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server.secretManager()); - ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = + std::make_unique(*client_ctx_loader, server.secretManager()); + ClientSslSocketFactory ssl_socket_factory(std::move(client_ctx_config), manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket1.localAddress(), Network::Address::InstanceConstSharedPtr(), ssl_socket_factory.createTransportSocket(), nullptr); @@ -2099,14 +2114,16 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigPtr server_ctx_config = + std::make_unique(*server_ctx_loader, server_.secretManager()); Json::ObjectSharedPtr server2_ctx_loader = TestEnvironment::jsonLoadFromString(server2_ctx_json); - ServerContextConfigImpl server2_ctx_config(*server2_ctx_loader, server_.secretManager()); + ServerContextConfigPtr server2_ctx_config = + std::make_unique(*server2_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - std::vector{}); - Ssl::ServerSslSocketFactory server2_ssl_socket_factory(server2_ctx_config, manager, stats_store, - std::vector{}); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, std::vector{}); + Ssl::ServerSslSocketFactory server2_ssl_socket_factory(std::move(server2_ctx_config), manager, + stats_store, std::vector{}); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, @@ -2126,8 +2143,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { )EOF"; Json::ObjectSharedPtr client_ctx_loader = TestEnvironment::jsonLoadFromString(client_ctx_json); - ClientContextConfigImpl client_ctx_config(*client_ctx_loader, server_.secretManager()); - ClientSslSocketFactory ssl_socket_factory(client_ctx_config, manager, stats_store); + ClientContextConfigPtr client_ctx_config = + std::make_unique(*client_ctx_loader, server_.secretManager()); + ClientSslSocketFactory ssl_socket_factory(std::move(client_ctx_config), manager, stats_store); Network::ClientConnectionPtr client_connection = dispatcher.createClientConnection( socket.localAddress(), Network::Address::InstanceConstSharedPtr(), ssl_socket_factory.createTransportSocket(), nullptr); @@ -2212,10 +2230,11 @@ TEST_P(SslSocketTest, SslError) { )EOF"; Json::ObjectSharedPtr server_ctx_loader = TestEnvironment::jsonLoadFromString(server_ctx_json); - ServerContextConfigImpl server_ctx_config(*server_ctx_loader, server_.secretManager()); + ServerContextConfigPtr server_ctx_config = + std::make_unique(*server_ctx_loader, server_.secretManager()); ContextManagerImpl manager(runtime); - Ssl::ServerSslSocketFactory server_ssl_socket_factory(server_ctx_config, manager, stats_store, - std::vector{}); + Ssl::ServerSslSocketFactory server_ssl_socket_factory(std::move(server_ctx_config), manager, + stats_store, std::vector{}); Event::DispatcherImpl dispatcher; Network::TcpListenSocket socket(Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, @@ -2534,20 +2553,22 @@ class SslReadBufferLimitTest : public SslCertsTest, public: void initialize() { server_ctx_loader_ = TestEnvironment::jsonLoadFromString(server_ctx_json_); - server_ctx_config_.reset( - new ServerContextConfigImpl(*server_ctx_loader_, server_.secretManager())); + ServerContextConfigPtr server_ctx_config; + ClientContextConfigPtr client_ctx_config; + server_ctx_config = + std::make_unique(*server_ctx_loader_, server_.secretManager()); manager_.reset(new ContextManagerImpl(runtime_)); server_ssl_socket_factory_.reset(new ServerSslSocketFactory( - *server_ctx_config_, *manager_, stats_store_, std::vector{})); + std::move(server_ctx_config), *manager_, stats_store_, std::vector{})); listener_ = dispatcher_->createListener(socket_, listener_callbacks_, true, false); client_ctx_loader_ = TestEnvironment::jsonLoadFromString(client_ctx_json_); - client_ctx_config_.reset( - new ClientContextConfigImpl(*client_ctx_loader_, server_.secretManager())); + client_ctx_config = + std::make_unique(*client_ctx_loader_, server_.secretManager()); client_ssl_socket_factory_.reset( - new ClientSslSocketFactory(*client_ctx_config_, *manager_, stats_store_)); + new ClientSslSocketFactory(std::move(client_ctx_config), *manager_, stats_store_)); client_connection_ = dispatcher_->createClientConnection( socket_.localAddress(), source_address_, client_ssl_socket_factory_->createTransportSocket(), nullptr); @@ -2711,12 +2732,10 @@ class SslReadBufferLimitTest : public SslCertsTest, )EOF"; Runtime::MockLoader runtime_; Json::ObjectSharedPtr server_ctx_loader_; - std::unique_ptr server_ctx_config_; std::unique_ptr manager_; Network::TransportSocketFactoryPtr server_ssl_socket_factory_; Network::ListenerPtr listener_; Json::ObjectSharedPtr client_ctx_loader_; - std::unique_ptr client_ctx_config_; ClientContextSharedPtr client_ctx_; Network::TransportSocketFactoryPtr client_ssl_socket_factory_; Network::ClientConnectionPtr client_connection_; diff --git a/test/integration/ads_integration_test.cc b/test/integration/ads_integration_test.cc index d348cdab997d..866724448255 100644 --- a/test/integration/ads_integration_test.cc +++ b/test/integration/ads_integration_test.cc @@ -86,11 +86,12 @@ class AdsIntegrationTest : public HttpIntegrationTest, public Grpc::GrpcClientIn TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem")); tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); - Ssl::ServerContextConfigImpl cfg(tls_context, secret_manager_); + Ssl::ServerContextConfigPtr cfg = + std::make_unique(tls_context, secret_manager_); static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return std::make_unique( - cfg, context_manager_, *upstream_stats_store, std::vector{}); + std::move(cfg), context_manager_, *upstream_stats_store, std::vector{}); } AssertionResult diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index 53316b1114ae..9347a801140f 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc @@ -60,10 +60,11 @@ createClientSslTransportSocketFactory(bool alpn, bool san, ContextManager& conte } Server::MockInstance server; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); - ClientContextConfigImpl cfg(*loader, server.secretManager()); + ClientContextConfigPtr cfg = + std::make_unique(*loader, server.secretManager()); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ - new Ssl::ClientSslSocketFactory(cfg, context_manager, *client_stats_store)}; + new Ssl::ClientSslSocketFactory(std::move(cfg), context_manager, *client_stats_store)}; } Network::Address::InstanceConstSharedPtr getSslAddress(const Network::Address::IpVersion& version, diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index c49a87f84368..3fe8cdfa8b6b 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc @@ -61,10 +61,11 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createClientSslContext(b target = json_tls; } Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(target); - Ssl::ClientContextConfigImpl cfg(*loader, server_.secretManager()); + Ssl::ClientContextConfigPtr cfg = + std::make_unique(*loader, server_.secretManager()); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::TransportSocketFactoryPtr{ - new Ssl::ClientSslSocketFactory(cfg, *context_manager_, *client_stats_store)}; + new Ssl::ClientSslSocketFactory(std::move(cfg), *context_manager_, *client_stats_store)}; } Network::TransportSocketFactoryPtr XfccIntegrationTest::createUpstreamSslContext() { @@ -76,10 +77,11 @@ Network::TransportSocketFactoryPtr XfccIntegrationTest::createUpstreamSslContext )EOF"; Json::ObjectSharedPtr loader = TestEnvironment::jsonLoadFromString(json); - Ssl::ServerContextConfigImpl cfg(*loader, server_.secretManager()); + Ssl::ServerContextConfigPtr cfg = + std::make_unique(*loader, server_.secretManager()); static Stats::Scope* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return std::make_unique( - cfg, *context_manager_, *upstream_stats_store, std::vector{}); + std::move(cfg), *context_manager_, *upstream_stats_store, std::vector{}); } Network::ClientConnectionPtr XfccIntegrationTest::makeClientConnection() {