mirror of https://github.com/grpc/grpc-java.git
xds: Enable deprecation warnings
The security code referenced fields removed from gRFC A29 before it was finalized. Note that this fixes a bug in CommonTlsContextUtil where CombinedValidationContext was not checked. I believe this was the only location with such a bug, as I audited all non-test usages of has/getValidationContext() and confirmed they have a corresponding has/getCombinedValidationContext().
parent
f79ab2f16f
commit
65d0bb8a4d
@ -133,8 +133,6 @@ tasks.named("checkstyleThirdparty").configure {
|
|
||||||
tasks.named("compileJava").configure {
|
tasks.named("compileJava").configure {
|
||||||
it.options.compilerArgs += [
|
it.options.compilerArgs += [
|
||||||
// TODO: remove
|
|
||||||
"-Xlint:-deprecation",
|
|
||||||
// only has AutoValue annotation processor
|
// only has AutoValue annotation processor
|
||||||
"-Xlint:-processing",
|
"-Xlint:-processing",
|
||||||
]
|
]
|
||||||
@ -673,7 +673,7 @@ final class ClusterResolverLoadBalancer extends LoadBalancer {
resolutionResult.getAddressesOrError();
|
resolutionResult.getAddressesOrError();
|
||||||
if (addressesOrError.hasValue()) {
|
if (addressesOrError.hasValue()) {
|
||||||
backoffPolicy = null; // reset backoff sequence if succeeded
|
backoffPolicy = null; // reset backoff sequence if succeeded
|
||||||
for (EquivalentAddressGroup eag : resolutionResult.getAddresses()) {
|
for (EquivalentAddressGroup eag : addressesOrError.getValue()) {
|
||||||
// No weight attribute is attached, all endpoint-level LB policy should be able
|
// No weight attribute is attached, all endpoint-level LB policy should be able
|
||||||
// to handle such it.
|
// to handle such it.
|
||||||
String localityName = localityName(LOGICAL_DNS_CLUSTER_LOCALITY);
|
String localityName = localityName(LOGICAL_DNS_CLUSTER_LOCALITY);
|
||||||
@ -276,8 +276,13 @@ final class RbacFilter implements Filter {
return createSourceIpMatcher(principal.getDirectRemoteIp());
|
return createSourceIpMatcher(principal.getDirectRemoteIp());
|
||||||
case REMOTE_IP:
|
case REMOTE_IP:
|
||||||
return createSourceIpMatcher(principal.getRemoteIp());
|
return createSourceIpMatcher(principal.getRemoteIp());
|
||||||
case SOURCE_IP:
|
case SOURCE_IP: {
|
||||||
return createSourceIpMatcher(principal.getSourceIp());
|
// gRFC A41 has identical handling of source_ip as remote_ip and direct_remote_ip and
|
||||||
|
// pre-dates the deprecation.
|
||||||
|
@SuppressWarnings("deprecation")
|
||||||
|
CidrRange sourceIp = principal.getSourceIp();
|
||||||
|
return createSourceIpMatcher(sourceIp);
|
||||||
|
}
|
||||||
case HEADER:
|
case HEADER:
|
||||||
return parseHeaderMatcher(principal.getHeader());
|
return parseHeaderMatcher(principal.getHeader());
|
||||||
case NOT_ID:
|
case NOT_ID:
|
||||||
@ -450,15 +450,6 @@ class XdsClusterResource extends XdsResourceType<CdsUpdate> {
throw new ResourceInvalidException(
|
throw new ResourceInvalidException(
|
||||||
"common-tls-context with validation_context_sds_secret_config is not supported");
|
"common-tls-context with validation_context_sds_secret_config is not supported");
|
||||||
}
|
}
|
||||||
if (commonTlsContext.hasValidationContextCertificateProvider()) {
|
|
||||||
throw new ResourceInvalidException(
|
|
||||||
"common-tls-context with validation_context_certificate_provider is not supported");
|
|
||||||
}
|
|
||||||
if (commonTlsContext.hasValidationContextCertificateProviderInstance()) {
|
|
||||||
throw new ResourceInvalidException(
|
|
||||||
"common-tls-context with validation_context_certificate_provider_instance is not"
|
|
||||||
+ " supported");
|
|
||||||
}
|
|
||||||
String certInstanceName = getIdentityCertInstanceName(commonTlsContext);
|
String certInstanceName = getIdentityCertInstanceName(commonTlsContext);
|
||||||
if (certInstanceName == null) {
|
if (certInstanceName == null) {
|
||||||
if (server) {
|
if (server) {
|
||||||
@ -473,10 +464,6 @@ class XdsClusterResource extends XdsResourceType<CdsUpdate> {
throw new ResourceInvalidException(
|
throw new ResourceInvalidException(
|
||||||
"tls_certificate_provider_instance is unset");
|
"tls_certificate_provider_instance is unset");
|
||||||
}
|
}
|
||||||
if (commonTlsContext.hasTlsCertificateCertificateProvider()) {
|
|
||||||
throw new ResourceInvalidException(
|
|
||||||
"tls_certificate_provider_instance is unset");
|
|
||||||
}
|
|
||||||
} else if (certProviderInstances == null || !certProviderInstances.contains(certInstanceName)) {
|
} else if (certProviderInstances == null || !certProviderInstances.contains(certInstanceName)) {
|
||||||
throw new ResourceInvalidException(
|
throw new ResourceInvalidException(
|
||||||
"CertificateProvider instance name '" + certInstanceName
|
"CertificateProvider instance name '" + certInstanceName
|
||||||
@ -505,7 +492,9 @@ class XdsClusterResource extends XdsResourceType<CdsUpdate> {
.getDefaultValidationContext();
|
.getDefaultValidationContext();
|
||||||
}
|
}
|
||||||
if (certificateValidationContext != null) {
|
if (certificateValidationContext != null) {
|
||||||
if (certificateValidationContext.getMatchSubjectAltNamesCount() > 0 && server) {
|
@SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
|
||||||
|
int matchSubjectAltNamesCount = certificateValidationContext.getMatchSubjectAltNamesCount();
|
||||||
|
if (matchSubjectAltNamesCount > 0 && server) {
|
||||||
throw new ResourceInvalidException(
|
throw new ResourceInvalidException(
|
||||||
"match_subject_alt_names only allowed in upstream_tls_context");
|
"match_subject_alt_names only allowed in upstream_tls_context");
|
||||||
}
|
}
|
||||||
@ -536,8 +525,6 @@ class XdsClusterResource extends XdsResourceType<CdsUpdate> {
private static String getIdentityCertInstanceName(CommonTlsContext commonTlsContext) {
|
private static String getIdentityCertInstanceName(CommonTlsContext commonTlsContext) {
|
||||||
if (commonTlsContext.hasTlsCertificateProviderInstance()) {
|
if (commonTlsContext.hasTlsCertificateProviderInstance()) {
|
||||||
return commonTlsContext.getTlsCertificateProviderInstance().getInstanceName();
|
return commonTlsContext.getTlsCertificateProviderInstance().getInstanceName();
|
||||||
} else if (commonTlsContext.hasTlsCertificateCertificateProviderInstance()) {
|
|
||||||
return commonTlsContext.getTlsCertificateCertificateProviderInstance().getInstanceName();
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
@ -556,10 +543,6 @@ class XdsClusterResource extends XdsResourceType<CdsUpdate> {
.hasCaCertificateProviderInstance()) {
|
.hasCaCertificateProviderInstance()) {
|
||||||
return combinedCertificateValidationContext.getDefaultValidationContext()
|
return combinedCertificateValidationContext.getDefaultValidationContext()
|
||||||
.getCaCertificateProviderInstance().getInstanceName();
|
.getCaCertificateProviderInstance().getInstanceName();
|
||||||
} else if (combinedCertificateValidationContext
|
|
||||||
.hasValidationContextCertificateProviderInstance()) {
|
|
||||||
return combinedCertificateValidationContext
|
|
||||||
.getValidationContextCertificateProviderInstance().getInstanceName();
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
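Review bot: Removing the explicit rejections for `validation_context_certificate_provider`, `validation_context_certificate_provider_instance` and `tls_certificate_certificate_provider` in validateCommonTlsContext turns what used to be a NACK into silent acceptance: a control plane that still populates only those deprecated fields now passes this stage with the field ignored. On the client side the remaining combined-validation-context requirement presumably still catches the missing root provider, but a server-side context does not require a validation context, so a deprecated-only configuration could be accepted with no CA provider at all; worth confirming the server path still rejects a required client certificate with no validation context, or keeping a narrowly scoped rejection such as `if (commonTlsContext.hasValidationContextCertificateProviderInstance()) { throw new ResourceInvalidException("validation_context_certificate_provider_instance is deprecated and not supported"); }` under a local `@SuppressWarnings("deprecation")`. The `match_subject_alt_names` check in the third hunk could also note in its comment that the typed replacement field is not consulted anywhere in this file. validateCommonTlsContext starts before the first hunk and continues past the last one.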
@ -451,8 +451,7 @@ class XdsRouteConfigureResource extends XdsResourceType<RdsUpdate> {
config.getHeader();
|
config.getHeader();
|
||||||
Pattern regEx = null;
|
Pattern regEx = null;
|
||||||
String regExSubstitute = null;
|
String regExSubstitute = null;
|
||||||
if (headerCfg.hasRegexRewrite() && headerCfg.getRegexRewrite().hasPattern()
|
if (headerCfg.hasRegexRewrite() && headerCfg.getRegexRewrite().hasPattern()) {
|
||||||
&& headerCfg.getRegexRewrite().getPattern().hasGoogleRe2()) {
|
|
||||||
regEx = Pattern.compile(headerCfg.getRegexRewrite().getPattern().getRegex());
|
regEx = Pattern.compile(headerCfg.getRegexRewrite().getPattern().getRegex());
|
||||||
regExSubstitute = headerCfg.getRegexRewrite().getSubstitution();
|
regExSubstitute = headerCfg.getRegexRewrite().getSubstitution();
|
||||||
}
|
}
|
||||||
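Review bot: With the `hasGoogleRe2()` gate removed, `Pattern.compile(headerCfg.getRegexRewrite().getPattern().getRegex())` now runs on any control-plane-supplied pattern, and no `PatternSyntaxException` handling is visible in this hunk, so a malformed regex would surface as an unchecked exception instead of a `ResourceInvalidException` NACK unless a caller outside the hunk catches it. java.util.regex is also a backtracking engine, not RE2, so a pattern that Envoy would evaluate in linear time can backtrack catastrophically here on attacker-chosen header values. At minimum wrap the compile, e.g. `try { regEx = Pattern.compile(headerCfg.getRegexRewrite().getPattern().getRegex()); } catch (PatternSyntaxException e) { throw new ResourceInvalidException("Malformed regex_rewrite pattern: " + e.getMessage()); }` (the MatcherParser hunk in this same commit already guards its `safe_regex_match` compile with a try), and add a one-line comment that the RE2 syntax guarantee no longer holds. The enclosing method starts and ends outside the hunk.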
@ -26,9 +26,12 @@ public final class MatcherParser {
io.envoyproxy.envoy.config.route.v3.HeaderMatcher proto) {
|
io.envoyproxy.envoy.config.route.v3.HeaderMatcher proto) {
|
||||||
switch (proto.getHeaderMatchSpecifierCase()) {
|
switch (proto.getHeaderMatchSpecifierCase()) {
|
||||||
case EXACT_MATCH:
|
case EXACT_MATCH:
|
||||||
|
@SuppressWarnings("deprecation") // gRFC A63: support indefinitely
|
||||||
|
String exactMatch = proto.getExactMatch();
|
||||||
return Matchers.HeaderMatcher.forExactValue(
|
return Matchers.HeaderMatcher.forExactValue(
|
||||||
proto.getName(), proto.getExactMatch(), proto.getInvertMatch());
|
proto.getName(), exactMatch, proto.getInvertMatch());
|
||||||
case SAFE_REGEX_MATCH:
|
case SAFE_REGEX_MATCH:
|
||||||
|
@SuppressWarnings("deprecation") // gRFC A63: support indefinitely
|
||||||
String rawPattern = proto.getSafeRegexMatch().getRegex();
|
String rawPattern = proto.getSafeRegexMatch().getRegex();
|
||||||
Pattern safeRegExMatch;
|
Pattern safeRegExMatch;
|
||||||
try {
|
try {
|
||||||
@ -49,14 +52,20 @@ public final class MatcherParser {
return Matchers.HeaderMatcher.forPresent(
|
return Matchers.HeaderMatcher.forPresent(
|
||||||
proto.getName(), proto.getPresentMatch(), proto.getInvertMatch());
|
proto.getName(), proto.getPresentMatch(), proto.getInvertMatch());
|
||||||
case PREFIX_MATCH:
|
case PREFIX_MATCH:
|
||||||
|
@SuppressWarnings("deprecation") // gRFC A63: support indefinitely
|
||||||
|
String prefixMatch = proto.getPrefixMatch();
|
||||||
return Matchers.HeaderMatcher.forPrefix(
|
return Matchers.HeaderMatcher.forPrefix(
|
||||||
proto.getName(), proto.getPrefixMatch(), proto.getInvertMatch());
|
proto.getName(), prefixMatch, proto.getInvertMatch());
|
||||||
case SUFFIX_MATCH:
|
case SUFFIX_MATCH:
|
||||||
|
@SuppressWarnings("deprecation") // gRFC A63: support indefinitely
|
||||||
|
String suffixMatch = proto.getSuffixMatch();
|
||||||
return Matchers.HeaderMatcher.forSuffix(
|
return Matchers.HeaderMatcher.forSuffix(
|
||||||
proto.getName(), proto.getSuffixMatch(), proto.getInvertMatch());
|
proto.getName(), suffixMatch, proto.getInvertMatch());
|
||||||
case CONTAINS_MATCH:
|
case CONTAINS_MATCH:
|
||||||
|
@SuppressWarnings("deprecation") // gRFC A63: support indefinitely
|
||||||
|
String containsMatch = proto.getContainsMatch();
|
||||||
return Matchers.HeaderMatcher.forContains(
|
return Matchers.HeaderMatcher.forContains(
|
||||||
proto.getName(), proto.getContainsMatch(), proto.getInvertMatch());
|
proto.getName(), containsMatch, proto.getInvertMatch());
|
||||||
case STRING_MATCH:
|
case STRING_MATCH:
|
||||||
return Matchers.HeaderMatcher.forString(
|
return Matchers.HeaderMatcher.forString(
|
||||||
proto.getName(), parseStringMatcher(proto.getStringMatch()), proto.getInvertMatch());
|
proto.getName(), parseStringMatcher(proto.getStringMatch()), proto.getInvertMatch());
|
||||||
@ -18,7 +18,6 @@ package io.grpc.xds.internal.security;
|
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
|
|
||||||
|
|
||||||
/** Class for utility functions for {@link CommonTlsContext}. */
|
/** Class for utility functions for {@link CommonTlsContext}. */
|
||||||
public final class CommonTlsContextUtil {
|
public final class CommonTlsContextUtil {
|
||||||
@ -29,22 +28,8 @@ public final class CommonTlsContextUtil {
if (commonTlsContext == null) {
|
if (commonTlsContext == null) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return hasIdentityCertificateProviderInstance(commonTlsContext)
|
|
||||||
|| hasCertProviderValidationContext(commonTlsContext);
|
|
||||||
}
|
|
||||||
|
|
||||||
private static boolean hasCertProviderValidationContext(CommonTlsContext commonTlsContext) {
|
|
||||||
if (commonTlsContext.hasCombinedValidationContext()) {
|
|
||||||
CombinedCertificateValidationContext combinedCertificateValidationContext =
|
|
||||||
commonTlsContext.getCombinedValidationContext();
|
|
||||||
return combinedCertificateValidationContext.hasValidationContextCertificateProviderInstance();
|
|
||||||
}
|
|
||||||
return hasValidationProviderInstance(commonTlsContext);
|
|
||||||
}
|
|
||||||
|
|
||||||
private static boolean hasIdentityCertificateProviderInstance(CommonTlsContext commonTlsContext) {
|
|
||||||
return commonTlsContext.hasTlsCertificateProviderInstance()
|
return commonTlsContext.hasTlsCertificateProviderInstance()
|
||||||
|| commonTlsContext.hasTlsCertificateCertificateProviderInstance();
|
|| hasValidationProviderInstance(commonTlsContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
private static boolean hasValidationProviderInstance(CommonTlsContext commonTlsContext) {
|
private static boolean hasValidationProviderInstance(CommonTlsContext commonTlsContext) {
|
||||||
@ -52,7 +37,9 @@ public final class CommonTlsContextUtil {
.hasCaCertificateProviderInstance()) {
|
.hasCaCertificateProviderInstance()) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return commonTlsContext.hasValidationContextCertificateProviderInstance();
|
return commonTlsContext.hasCombinedValidationContext()
|
||||||
|
&& commonTlsContext.getCombinedValidationContext().getDefaultValidationContext()
|
||||||
|
.hasCaCertificateProviderInstance();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
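Review bot: The rewritten `hasValidationProviderInstance` is the bug fix the commit message describes — it now looks inside `getCombinedValidationContext().getDefaultValidationContext()` for `ca_certificate_provider_instance`, whereas the deleted `hasCertProviderValidationContext` returned the deprecated `hasValidationContextCertificateProviderInstance()` result for any combined context and never reached that field — but no test in the visible hunks exercises `CommonTlsContextUtil` with exactly that input. A small positive test (combined context carrying only `setDefaultValidationContext(CertificateValidationContext.newBuilder().setCaCertificateProviderInstance(...))`, no identity provider, expecting `true`) and a negative one with an empty combined context (expecting `false`) would pin the fix against regression. The public method whose body the first hunk rewrites starts before the hunk, so its signature is not visible here.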
@ -99,8 +99,6 @@ abstract class CertProviderSslContextProvider extends DynamicSslContextProvider
CommonTlsContext commonTlsContext) {
|
CommonTlsContext commonTlsContext) {
|
||||||
if (commonTlsContext.hasTlsCertificateProviderInstance()) {
|
if (commonTlsContext.hasTlsCertificateProviderInstance()) {
|
||||||
return CommonTlsContextUtil.convert(commonTlsContext.getTlsCertificateProviderInstance());
|
return CommonTlsContextUtil.convert(commonTlsContext.getTlsCertificateProviderInstance());
|
||||||
} else if (commonTlsContext.hasTlsCertificateCertificateProviderInstance()) {
|
|
||||||
return commonTlsContext.getTlsCertificateCertificateProviderInstance();
|
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
@ -128,15 +126,6 @@ abstract class CertProviderSslContextProvider extends DynamicSslContextProvider
if (certValidationContext != null && certValidationContext.hasCaCertificateProviderInstance()) {
|
if (certValidationContext != null && certValidationContext.hasCaCertificateProviderInstance()) {
|
||||||
return CommonTlsContextUtil.convert(certValidationContext.getCaCertificateProviderInstance());
|
return CommonTlsContextUtil.convert(certValidationContext.getCaCertificateProviderInstance());
|
||||||
}
|
}
|
||||||
if (commonTlsContext.hasCombinedValidationContext()) {
|
|
||||||
CommonTlsContext.CombinedCertificateValidationContext combinedValidationContext =
|
|
||||||
commonTlsContext.getCombinedValidationContext();
|
|
||||||
if (combinedValidationContext.hasValidationContextCertificateProviderInstance()) {
|
|
||||||
return combinedValidationContext.getValidationContextCertificateProviderInstance();
|
|
||||||
}
|
|
||||||
} else if (commonTlsContext.hasValidationContextCertificateProviderInstance()) {
|
|
||||||
return commonTlsContext.getValidationContextCertificateProviderInstance();
|
|
||||||
}
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
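Review bot: After the deprecated fallbacks are removed, both helpers in these hunks reach `return null;` straight after the single `hasTlsCertificateProviderInstance()` / `hasCaCertificateProviderInstance()` check, and nothing in the hunks documents that null is now the only signal that no provider instance is configured. Because the root-provider result presumably decides whether peer certificates are validated at all, make the contract explicit, e.g. `/** Returns the CA certificate-provider instance from the validation context, or null when none is named; client-side callers must fail rather than proceed without a trust root. */`, and add `@Nullable` if the file already uses that annotation. Both enclosing methods start outside their hunks.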
@ -207,6 +207,7 @@ final class XdsX509TrustManager extends X509ExtendedTrustManager implements X509
if (certContext == null) {
|
if (certContext == null) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
|
||||||
List<StringMatcher> verifyList = certContext.getMatchSubjectAltNamesList();
|
List<StringMatcher> verifyList = certContext.getMatchSubjectAltNamesList();
|
||||||
if (verifyList.isEmpty()) {
|
if (verifyList.isEmpty()) {
|
||||||
return;
|
return;
|
||||||
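Review bot: The SAN check here consults only `certContext.getMatchSubjectAltNamesList()` and returns early when that list is empty, so a validation context that expresses its SAN constraints solely through the non-deprecated `match_typed_subject_alt_names` field gets no SAN verification at all — silently weaker than the control plane intended, rather than rejected. Nothing in this commit's visible hunks NACKs the typed field in `XdsClusterResource.validateCommonTlsContext`, so either reject it at resource validation (if the proto in use exposes it: `if (certificateValidationContext.getMatchTypedSubjectAltNamesCount() > 0) { throw new ResourceInvalidException("match_typed_subject_alt_names is not supported"); }`) or extend the suppression comment to state plainly that typed matchers are not honored here. The enclosing method starts before and continues after this hunk.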
@ -1125,7 +1125,6 @@ public class FilterChainMatchingProtocolNegotiatorsTest {
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void filterChainMatch_unsupportedMatchers() throws Exception {
|
public void filterChainMatch_unsupportedMatchers() throws Exception {
|
||||||
EnvoyServerProtoData.DownstreamTlsContext tlsContext1 =
|
EnvoyServerProtoData.DownstreamTlsContext tlsContext1 =
|
||||||
CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "ROOTCA");
|
CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "ROOTCA");
|
||||||
@ -1194,7 +1193,7 @@ public class FilterChainMatchingProtocolNegotiatorsTest {
assertThat(sslSet.get()).isEqualTo(defaultFilterChain.sslContextProviderSupplier());
|
assertThat(sslSet.get()).isEqualTo(defaultFilterChain.sslContextProviderSupplier());
|
||||||
assertThat(routingSettable.get()).isEqualTo(noopConfig);
|
assertThat(routingSettable.get()).isEqualTo(noopConfig);
|
||||||
assertThat(sslSet.get().getTlsContext().getCommonTlsContext()
|
assertThat(sslSet.get().getTlsContext().getCommonTlsContext()
|
||||||
.getTlsCertificateCertificateProviderInstance()
|
.getTlsCertificateProviderInstance()
|
||||||
.getCertificateName()).isEqualTo("CERT3");
|
.getCertificateName()).isEqualTo("CERT3");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -98,7 +98,6 @@ import io.envoyproxy.envoy.extensions.transport_sockets.http_11_proxy.v3.Http11P
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance;
|
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
|
||||||
@ -3042,35 +3041,6 @@ public class GrpcXdsClientImplDataTest {
XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
|
XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_validationContextCertificateProvider()
|
|
||||||
throws ResourceInvalidException {
|
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
|
||||||
.setValidationContextCertificateProvider(
|
|
||||||
CommonTlsContext.CertificateProvider.getDefaultInstance())
|
|
||||||
.build();
|
|
||||||
thrown.expect(ResourceInvalidException.class);
|
|
||||||
thrown.expectMessage(
|
|
||||||
"common-tls-context with validation_context_certificate_provider is not supported");
|
|
||||||
XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_validationContextCertificateProviderInstance()
|
|
||||||
throws ResourceInvalidException {
|
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
|
||||||
.setValidationContextCertificateProviderInstance(
|
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.build();
|
|
||||||
thrown.expect(ResourceInvalidException.class);
|
|
||||||
thrown.expectMessage(
|
|
||||||
"common-tls-context with validation_context_certificate_provider_instance is not "
|
|
||||||
+ "supported");
|
|
||||||
XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void validateCommonTlsContext_tlsCertificateProviderInstance_isRequiredForServer()
|
public void validateCommonTlsContext_tlsCertificateProviderInstance_isRequiredForServer()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
@ -3083,36 +3053,33 @@ public class GrpcXdsClientImplDataTest {
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_tlsNewCertificateProviderInstance()
|
public void validateCommonTlsContext_tlsNewCertificateProviderInstance()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setTlsCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(
|
||||||
CertificateProviderPluginInstance.newBuilder().setInstanceName("name1").build())
|
CertificateProviderPluginInstance.newBuilder().setInstanceName("name1"))
|
||||||
.build();
|
.build();
|
||||||
XdsClusterResource
|
XdsClusterResource
|
||||||
.validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), true);
|
.validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), true);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_tlsCertificateProviderInstance()
|
public void validateCommonTlsContext_tlsCertificateProviderInstance()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(
|
||||||
CertificateProviderInstance.newBuilder().setInstanceName("name1").build())
|
CertificateProviderPluginInstance.newBuilder().setInstanceName("name1"))
|
||||||
.build();
|
.build();
|
||||||
XdsClusterResource
|
XdsClusterResource
|
||||||
.validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), true);
|
.validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), true);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_tlsCertificateProviderInstance_absentInBootstrapFile()
|
public void validateCommonTlsContext_tlsCertificateProviderInstance_absentInBootstrapFile()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(
|
||||||
CertificateProviderInstance.newBuilder().setInstanceName("bad-name").build())
|
CertificateProviderPluginInstance.newBuilder().setInstanceName("bad-name"))
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage(
|
thrown.expectMessage(
|
||||||
@ -3122,15 +3089,14 @@ public class GrpcXdsClientImplDataTest {
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_validationContextProviderInstance()
|
public void validateCommonTlsContext_validationContextProviderInstance()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
CertificateProviderInstance.newBuilder().setInstanceName("name1").build())
|
.setCaCertificateProviderInstance(CertificateProviderPluginInstance.newBuilder()
|
||||||
.build())
|
.setInstanceName("name1"))))
|
||||||
.build();
|
.build();
|
||||||
XdsClusterResource
|
XdsClusterResource
|
||||||
.validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), false);
|
.validateCommonTlsContext(commonTlsContext, ImmutableSet.of("name1", "name2"), false);
|
||||||
@ -3218,15 +3184,14 @@ public class GrpcXdsClientImplDataTest {
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_validationContextProviderInstance_absentInBootstrapFile()
|
public void validateCommonTlsContext_validationContextProviderInstance_absentInBootstrapFile()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
CertificateProviderInstance.newBuilder().setInstanceName("bad-name").build())
|
.setCaCertificateProviderInstance(CertificateProviderPluginInstance.newBuilder()
|
||||||
.build())
|
.setInstanceName("bad-name"))))
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage(
|
thrown.expectMessage(
|
||||||
@ -3258,20 +3223,6 @@ public class GrpcXdsClientImplDataTest {
XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
|
XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_tlsCertificateCertificateProvider()
|
|
||||||
throws ResourceInvalidException {
|
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
|
||||||
.setTlsCertificateCertificateProvider(
|
|
||||||
CommonTlsContext.CertificateProvider.getDefaultInstance())
|
|
||||||
.build();
|
|
||||||
thrown.expect(ResourceInvalidException.class);
|
|
||||||
thrown.expectMessage(
|
|
||||||
"tls_certificate_provider_instance is unset");
|
|
||||||
XdsClusterResource.validateCommonTlsContext(commonTlsContext, null, false);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void validateCommonTlsContext_combinedValidationContext_isRequiredForClient()
|
public void validateCommonTlsContext_combinedValidationContext_isRequiredForClient()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
@ -3304,13 +3255,13 @@ public class GrpcXdsClientImplDataTest {
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CombinedCertificateValidationContext.newBuilder()
|
CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
|
||||||
CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
|
.setCaCertificateProviderInstance(
|
||||||
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.addMatchSubjectAltNames(StringMatcher.newBuilder().setExact("foo.com").build())
|
.addMatchSubjectAltNames(StringMatcher.newBuilder().setExact("foo.com").build())
|
||||||
.build()))
|
.build()))
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(
|
||||||
CertificateProviderInstance.getDefaultInstance())
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage("match_subject_alt_names only allowed in upstream_tls_context");
|
thrown.expectMessage("match_subject_alt_names only allowed in upstream_tls_context");
|
||||||
@ -3318,18 +3269,16 @@ public class GrpcXdsClientImplDataTest {
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_combinedValContextWithDefaultValContextVerifyCertSpki()
|
public void validateCommonTlsContext_combinedValContextWithDefaultValContextVerifyCertSpki()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
.setCaCertificateProviderInstance(
|
||||||
.setDefaultValidationContext(
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
CertificateValidationContext.newBuilder().addVerifyCertificateSpki("foo")))
|
.addVerifyCertificateSpki("foo")))
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage("verify_certificate_spki in default_validation_context is not "
|
thrown.expectMessage("verify_certificate_spki in default_validation_context is not "
|
||||||
@ -3338,18 +3287,16 @@ public class GrpcXdsClientImplDataTest {
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_combinedValContextWithDefaultValContextVerifyCertHash()
|
public void validateCommonTlsContext_combinedValContextWithDefaultValContextVerifyCertHash()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
.setCaCertificateProviderInstance(
|
||||||
.setDefaultValidationContext(
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
CertificateValidationContext.newBuilder().addVerifyCertificateHash("foo")))
|
.addVerifyCertificateHash("foo")))
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage("verify_certificate_hash in default_validation_context is not "
|
thrown.expectMessage("verify_certificate_hash in default_validation_context is not "
|
||||||
|
@ -3358,18 +3305,17 @@ public class GrpcXdsClientImplDataTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_combinedValContextDfltValContextRequireSignedCertTimestamp()
|
public void validateCommonTlsContext_combinedValContextDfltValContextRequireSignedCertTimestamp()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
|
.setCaCertificateProviderInstance(
|
||||||
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.setRequireSignedCertificateTimestamp(BoolValue.of(true))))
|
.setRequireSignedCertificateTimestamp(BoolValue.of(true))))
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage(
|
thrown.expectMessage(
|
||||||
|
@ -3379,18 +3325,16 @@ public class GrpcXdsClientImplDataTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_combinedValidationContextWithDefaultValidationContextCrl()
|
public void validateCommonTlsContext_combinedValidationContextWithDefaultValidationContextCrl()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
|
.setCaCertificateProviderInstance(
|
||||||
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.setCrl(DataSource.getDefaultInstance())))
|
.setCrl(DataSource.getDefaultInstance())))
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage("crl in default_validation_context is not supported");
|
thrown.expectMessage("crl in default_validation_context is not supported");
|
||||||
|
@ -3398,18 +3342,16 @@ public class GrpcXdsClientImplDataTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateCommonTlsContext_combinedValContextWithDfltValContextCustomValidatorConfig()
|
public void validateCommonTlsContext_combinedValContextWithDfltValContextCustomValidatorConfig()
|
||||||
throws ResourceInvalidException {
|
throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
|
.setCaCertificateProviderInstance(
|
||||||
|
CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.setCustomValidatorConfig(TypedExtensionConfig.getDefaultInstance())))
|
.setCustomValidatorConfig(TypedExtensionConfig.getDefaultInstance())))
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
.setTlsCertificateProviderInstance(CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
|
||||||
.build();
|
.build();
|
||||||
thrown.expect(ResourceInvalidException.class);
|
thrown.expect(ResourceInvalidException.class);
|
||||||
thrown.expectMessage("custom_validator_config in default_validation_context is not "
|
thrown.expectMessage("custom_validator_config in default_validation_context is not "
|
||||||
|
@ -3426,15 +3368,14 @@ public class GrpcXdsClientImplDataTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateDownstreamTlsContext_hasRequireSni() throws ResourceInvalidException {
|
public void validateDownstreamTlsContext_hasRequireSni() throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance()))
|
.setCaCertificateProviderInstance(
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
CertificateProviderPluginInstance.getDefaultInstance())))
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
.setTlsCertificateProviderInstance(CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.build();
|
.build();
|
||||||
DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder()
|
DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder()
|
||||||
.setCommonTlsContext(commonTlsContext)
|
.setCommonTlsContext(commonTlsContext)
|
||||||
|
@ -3446,15 +3387,14 @@ public class GrpcXdsClientImplDataTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void validateDownstreamTlsContext_hasOcspStaplePolicy() throws ResourceInvalidException {
|
public void validateDownstreamTlsContext_hasOcspStaplePolicy() throws ResourceInvalidException {
|
||||||
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
|
||||||
.setCombinedValidationContext(
|
.setCombinedValidationContext(
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance()))
|
.setCaCertificateProviderInstance(
|
||||||
.setTlsCertificateCertificateProviderInstance(
|
CertificateProviderPluginInstance.getDefaultInstance())))
|
||||||
CommonTlsContext.CertificateProviderInstance.getDefaultInstance())
|
.setTlsCertificateProviderInstance(CertificateProviderPluginInstance.getDefaultInstance())
|
||||||
.build();
|
.build();
|
||||||
DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder()
|
DownstreamTlsContext downstreamTlsContext = DownstreamTlsContext.newBuilder()
|
||||||
.setCommonTlsContext(commonTlsContext)
|
.setCommonTlsContext(commonTlsContext)
|
||||||
|
|
|
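Review bot: With the fixtures in hunks `@ -3338,18 +3287,16 @@` through `@ -3446,15 +3387,14 @@` rewritten to nest `ca_certificate_provider_instance` under `default_validation_context`, this file no longer builds any CommonTlsContext that sets only the deprecated `validation_context_certificate_provider_instance` or `tls_certificate_certificate_provider_instance` fields, so nothing here pins how the validator under test treats a resource from a control plane that still sends them. If the validator now simply ignores those fields (not visible from this diff), such a resource would pass validation with no CA source configured, which is the case a test should fail closed on; a test shaped like `validateCommonTlsContext_combinedValContextWithDefaultValContextVerifyCertSpki` that sets only the deprecated field and expects `ResourceInvalidException` would cover it. The first hunk of this section starts before the visible lines, so its test method is only partly in view.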
@ -47,7 +47,6 @@ import io.envoyproxy.envoy.config.route.v3.FilterConfig;
|
||||||
import io.envoyproxy.envoy.config.route.v3.WeightedCluster;
|
import io.envoyproxy.envoy.config.route.v3.WeightedCluster;
|
||||||
import io.envoyproxy.envoy.extensions.filters.http.router.v3.Router;
|
import io.envoyproxy.envoy.extensions.filters.http.router.v3.Router;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
|
|
||||||
import io.grpc.BindableService;
|
import io.grpc.BindableService;
|
||||||
import io.grpc.ChannelCredentials;
|
import io.grpc.ChannelCredentials;
|
||||||
import io.grpc.Context;
|
import io.grpc.Context;
|
||||||
|
@ -2245,7 +2244,6 @@ public abstract class GrpcXdsClientImplTestBase {
|
||||||
* CDS response containing UpstreamTlsContext for a cluster.
|
* CDS response containing UpstreamTlsContext for a cluster.
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void cdsResponseWithUpstreamTlsContext() {
|
public void cdsResponseWithUpstreamTlsContext() {
|
||||||
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
||||||
cdsResourceWatcher);
|
cdsResourceWatcher);
|
||||||
|
@ -2269,9 +2267,9 @@ public abstract class GrpcXdsClientImplTestBase {
|
||||||
verify(cdsResourceWatcher, times(1))
|
verify(cdsResourceWatcher, times(1))
|
||||||
.onChanged(cdsUpdateCaptor.capture());
|
.onChanged(cdsUpdateCaptor.capture());
|
||||||
CdsUpdate cdsUpdate = cdsUpdateCaptor.getValue();
|
CdsUpdate cdsUpdate = cdsUpdateCaptor.getValue();
|
||||||
CommonTlsContext.CertificateProviderInstance certificateProviderInstance =
|
CertificateProviderPluginInstance certificateProviderInstance =
|
||||||
cdsUpdate.upstreamTlsContext().getCommonTlsContext().getCombinedValidationContext()
|
cdsUpdate.upstreamTlsContext().getCommonTlsContext().getCombinedValidationContext()
|
||||||
.getValidationContextCertificateProviderInstance();
|
.getDefaultValidationContext().getCaCertificateProviderInstance();
|
||||||
assertThat(certificateProviderInstance.getInstanceName()).isEqualTo("cert-instance-name");
|
assertThat(certificateProviderInstance.getInstanceName()).isEqualTo("cert-instance-name");
|
||||||
assertThat(certificateProviderInstance.getCertificateName()).isEqualTo("cert1");
|
assertThat(certificateProviderInstance.getCertificateName()).isEqualTo("cert1");
|
||||||
verifyResourceMetadataAcked(CDS, CDS_RESOURCE, clusterEds, VERSION_1, TIME_INCREMENT);
|
verifyResourceMetadataAcked(CDS, CDS_RESOURCE, clusterEds, VERSION_1, TIME_INCREMENT);
|
||||||
|
@ -2282,7 +2280,6 @@ public abstract class GrpcXdsClientImplTestBase {
|
||||||
* CDS response containing new UpstreamTlsContext for a cluster.
|
* CDS response containing new UpstreamTlsContext for a cluster.
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void cdsResponseWithNewUpstreamTlsContext() {
|
public void cdsResponseWithNewUpstreamTlsContext() {
|
||||||
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
||||||
cdsResourceWatcher);
|
cdsResourceWatcher);
|
||||||
|
@ -2344,7 +2341,6 @@ public abstract class GrpcXdsClientImplTestBase {
|
||||||
* CDS response containing OutlierDetection for a cluster.
|
* CDS response containing OutlierDetection for a cluster.
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void cdsResponseWithOutlierDetection() {
|
public void cdsResponseWithOutlierDetection() {
|
||||||
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
||||||
cdsResourceWatcher);
|
cdsResourceWatcher);
|
||||||
|
@ -2413,7 +2409,6 @@ public abstract class GrpcXdsClientImplTestBase {
|
||||||
* CDS response containing OutlierDetection for a cluster.
|
* CDS response containing OutlierDetection for a cluster.
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void cdsResponseWithInvalidOutlierDetectionNacks() {
|
public void cdsResponseWithInvalidOutlierDetectionNacks() {
|
||||||
|
|
||||||
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
DiscoveryRpcCall call = startResourceWatcher(XdsClusterResource.getInstance(), CDS_RESOURCE,
|
||||||
|
|
|
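Review bot: In `cdsResponseWithUpstreamTlsContext` (hunk `@ -2269,9 +2267,9 @@`) the new accessor chain `getCombinedValidationContext().getDefaultValidationContext().getCaCertificateProviderInstance()` returns a default instance for any level that is unset, so a regression that drops the combined or default validation context would surface only as `"" != "cert-instance-name"` on the following assertion rather than as a missing-field failure. Comparing the whole message pins the shape as well as the names: `assertThat(certificateProviderInstance).isEqualTo(CertificateProviderPluginInstance.newBuilder().setInstanceName("cert-instance-name").setCertificateName("cert1").build());`, optionally preceded by `assertThat(cdsUpdate.upstreamTlsContext().getCommonTlsContext().hasCombinedValidationContext()).isTrue();`. The test body continues outside the hunk.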
@ -613,18 +613,15 @@ public class GrpcXdsClientImplV3Test extends GrpcXdsClientImplTestBase {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
protected Message buildUpstreamTlsContext(String instanceName, String certName) {
|
protected Message buildUpstreamTlsContext(String instanceName, String certName) {
|
||||||
CommonTlsContext.Builder commonTlsContextBuilder = CommonTlsContext.newBuilder();
|
CommonTlsContext.Builder commonTlsContextBuilder = CommonTlsContext.newBuilder();
|
||||||
if (instanceName != null && certName != null) {
|
if (instanceName != null && certName != null) {
|
||||||
CommonTlsContext.CertificateProviderInstance providerInstance =
|
|
||||||
CommonTlsContext.CertificateProviderInstance.newBuilder()
|
|
||||||
.setInstanceName(instanceName)
|
|
||||||
.setCertificateName(certName)
|
|
||||||
.build();
|
|
||||||
CommonTlsContext.CombinedCertificateValidationContext combined =
|
CommonTlsContext.CombinedCertificateValidationContext combined =
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
|
||||||
.setValidationContextCertificateProviderInstance(providerInstance)
|
.setDefaultValidationContext(CertificateValidationContext.newBuilder()
|
||||||
|
.setCaCertificateProviderInstance(CertificateProviderPluginInstance.newBuilder()
|
||||||
|
.setInstanceName(instanceName)
|
||||||
|
.setCertificateName(certName)))
|
||||||
.build();
|
.build();
|
||||||
commonTlsContextBuilder.setCombinedValidationContext(combined);
|
commonTlsContextBuilder.setCombinedValidationContext(combined);
|
||||||
}
|
}
|
||||||
|
@ -751,7 +748,6 @@ public class GrpcXdsClientImplV3Test extends GrpcXdsClientImplTestBase {
|
||||||
.build();
|
.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
@Override
|
@Override
|
||||||
protected FilterChain buildFilterChain(
|
protected FilterChain buildFilterChain(
|
||||||
List<String> alpn, Message tlsContext, String transportSocketName,
|
List<String> alpn, Message tlsContext, String transportSocketName,
|
||||||
|
|
|
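Review bot: `buildUpstreamTlsContext` (hunk `@ -613,18 +613,15 @@`, whose body continues past the hunk) still yields a CommonTlsContext with no validation context at all whenever either `instanceName` or `certName` is null, and that contract is undocumented; a Javadoc such as `/** Builds an UpstreamTlsContext whose CA comes from the named certificate-provider instance; when instanceName or certName is null the context carries no validation context, i.e. no trust configuration. */` would make the no-validation fixture explicit to the tests that rely on it. The new nesting of `ca_certificate_provider_instance` under `default_validation_context` matches what `GrpcXdsClientImplTestBase` now reads back, so fixture and assertion agree.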
@ -317,7 +317,6 @@ public class ClientSslContextProviderFactoryTest {
|
||||||
.isSameInstanceAs(sslContextProvider);
|
.isSameInstanceAs(sslContextProvider);
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
static CommonTlsContext.Builder addFilenames(
|
static CommonTlsContext.Builder addFilenames(
|
||||||
CommonTlsContext.Builder builder, String certChain, String privateKey, String trustCa) {
|
CommonTlsContext.Builder builder, String certChain, String privateKey, String trustCa) {
|
||||||
TlsCertificate tlsCert =
|
TlsCertificate tlsCert =
|
||||||
|
@ -329,13 +328,10 @@ public class ClientSslContextProviderFactoryTest {
|
||||||
CertificateValidationContext.newBuilder()
|
CertificateValidationContext.newBuilder()
|
||||||
.setTrustedCa(DataSource.newBuilder().setFilename(trustCa))
|
.setTrustedCa(DataSource.newBuilder().setFilename(trustCa))
|
||||||
.build();
|
.build();
|
||||||
CommonTlsContext.CertificateProviderInstance certificateProviderInstance =
|
|
||||||
builder.getValidationContextCertificateProviderInstance();
|
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.Builder combinedBuilder =
|
CommonTlsContext.CombinedCertificateValidationContext.Builder combinedBuilder =
|
||||||
CommonTlsContext.CombinedCertificateValidationContext.newBuilder();
|
CommonTlsContext.CombinedCertificateValidationContext.newBuilder();
|
||||||
combinedBuilder
|
combinedBuilder
|
||||||
.setDefaultValidationContext(certContext)
|
.setDefaultValidationContext(certContext);
|
||||||
.setValidationContextCertificateProviderInstance(certificateProviderInstance);
|
|
||||||
return builder
|
return builder
|
||||||
.addTlsCertificates(tlsCert)
|
.addTlsCertificates(tlsCert)
|
||||||
.setCombinedValidationContext(combinedBuilder.build());
|
.setCombinedValidationContext(combinedBuilder.build());
|
||||||
|
|
|
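Review bot: In `addFilenames` (hunk `@ -329,13 +328,10 @@`) the `combinedBuilder` local is now built across three statements only to wrap a single `setDefaultValidationContext(certContext)`; since the provider-instance copy it used to carry is gone, it can be inlined as `.setCombinedValidationContext(CommonTlsContext.CombinedCertificateValidationContext.newBuilder().setDefaultValidationContext(certContext))`. Note that the old code carried any `validation_context_certificate_provider_instance` already present on `builder` into the combined context, while the new code replaces the validation context outright so `trustCa` becomes the only trust source; that is consistent with the commit's intent, but a one-line comment on the method stating that it replaces rather than merges the validation context would save the next reader from checking callers.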
@ -23,7 +23,6 @@ import com.google.protobuf.BoolValue;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance;
|
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext;
|
||||||
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext;
|
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext;
|
||||||
|
@ -63,48 +62,26 @@ public class CommonTlsContextTestsUtil {
|
||||||
public static final String BAD_CLIENT_KEY_FILE = "badclient.key";
|
public static final String BAD_CLIENT_KEY_FILE = "badclient.key";
|
||||||
|
|
||||||
/** takes additional values and creates CombinedCertificateValidationContext as needed. */
|
/** takes additional values and creates CombinedCertificateValidationContext as needed. */
|
||||||
@SuppressWarnings("deprecation")
|
private static CommonTlsContext buildCommonTlsContextWithAdditionalValues(
|
||||||
static CommonTlsContext buildCommonTlsContextWithAdditionalValues(
|
|
||||||
String certInstanceName, String certName,
|
String certInstanceName, String certName,
|
||||||
String validationContextCertInstanceName, String validationContextCertName,
|
String validationContextCertInstanceName, String validationContextCertName,
|
||||||
Iterable<StringMatcher> matchSubjectAltNames,
|
Iterable<StringMatcher> matchSubjectAltNames,
|
||||||
Iterable<String> alpnNames) {
|
Iterable<String> alpnNames) {
|
||||||
|
@SuppressWarnings("deprecation") // gRFC A29 predates match_typed_subject_alt_names
|
||||||
CommonTlsContext.Builder builder = CommonTlsContext.newBuilder();
|
CertificateValidationContext.Builder certificateValidationContextBuilder
|
||||||
|
= CertificateValidationContext.newBuilder()
|
||||||
CertificateProviderInstance certificateProviderInstance = CertificateProviderInstance
|
.addAllMatchSubjectAltNames(matchSubjectAltNames);
|
||||||
.newBuilder().setInstanceName(certInstanceName).setCertificateName(certName).build();
|
return CommonTlsContext.newBuilder()
|
||||||
if (certificateProviderInstance != null) {
|
.setTlsCertificateProviderInstance(CertificateProviderPluginInstance.newBuilder()
|
||||||
builder.setTlsCertificateCertificateProviderInstance(certificateProviderInstance);
|
.setInstanceName(certInstanceName)
|
||||||
}
|
.setCertificateName(certName))
|
||||||
CertificateProviderInstance validationCertificateProviderInstance =
|
.setCombinedValidationContext(CombinedCertificateValidationContext.newBuilder()
|
||||||
CertificateProviderInstance.newBuilder().setInstanceName(validationContextCertInstanceName)
|
.setDefaultValidationContext(certificateValidationContextBuilder
|
||||||
.setCertificateName(validationContextCertName).build();
|
.setCaCertificateProviderInstance(CertificateProviderPluginInstance.newBuilder()
|
||||||
CertificateValidationContext certValidationContext =
|
.setInstanceName(validationContextCertInstanceName)
|
||||||
matchSubjectAltNames == null
|
.setCertificateName(validationContextCertName))))
|
||||||
? null
|
.addAllAlpnProtocols(alpnNames)
|
||||||
: CertificateValidationContext.newBuilder()
|
.build();
|
||||||
.addAllMatchSubjectAltNames(matchSubjectAltNames)
|
|
||||||
.build();
|
|
||||||
if (validationCertificateProviderInstance != null) {
|
|
||||||
CombinedCertificateValidationContext.Builder combinedBuilder =
|
|
||||||
CombinedCertificateValidationContext.newBuilder()
|
|
||||||
.setValidationContextCertificateProviderInstance(
|
|
||||||
validationCertificateProviderInstance);
|
|
||||||
if (certValidationContext != null) {
|
|
||||||
combinedBuilder = combinedBuilder.setDefaultValidationContext(certValidationContext);
|
|
||||||
}
|
|
||||||
builder.setCombinedValidationContext(combinedBuilder);
|
|
||||||
} else if (validationCertificateProviderInstance != null) {
|
|
||||||
builder
|
|
||||||
.setValidationContextCertificateProviderInstance(validationCertificateProviderInstance);
|
|
||||||
} else if (certValidationContext != null) {
|
|
||||||
builder.setValidationContext(certValidationContext);
|
|
||||||
}
|
|
||||||
if (alpnNames != null) {
|
|
||||||
builder.addAllAlpnProtocols(alpnNames);
|
|
||||||
}
|
|
||||||
return builder.build();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Helper method to build DownstreamTlsContext for multiple test classes. */
|
/** Helper method to build DownstreamTlsContext for multiple test classes. */
|
||||||
|
@ -152,7 +129,7 @@ public class CommonTlsContextTestsUtil {
|
||||||
useSans ? Arrays.asList(
|
useSans ? Arrays.asList(
|
||||||
StringMatcher.newBuilder()
|
StringMatcher.newBuilder()
|
||||||
.setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")
|
.setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob")
|
||||||
.build()) : null,
|
.build()) : Arrays.asList(),
|
||||||
Arrays.asList("managed-tls"));
|
Arrays.asList("managed-tls"));
|
||||||
}
|
}
|
||||||
return buildDownstreamTlsContext(commonTlsContext, /* requireClientCert= */ false);
|
return buildDownstreamTlsContext(commonTlsContext, /* requireClientCert= */ false);
|
||||||
|
@ -199,7 +176,6 @@ public class CommonTlsContextTestsUtil {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
private static CommonTlsContext buildCommonTlsContextForCertProviderInstance(
|
private static CommonTlsContext buildCommonTlsContextForCertProviderInstance(
|
||||||
String certInstanceName,
|
String certInstanceName,
|
||||||
String certName,
|
String certName,
|
||||||
|
@ -210,10 +186,10 @@ public class CommonTlsContextTestsUtil {
|
||||||
CommonTlsContext.Builder builder = CommonTlsContext.newBuilder();
|
CommonTlsContext.Builder builder = CommonTlsContext.newBuilder();
|
||||||
if (certInstanceName != null) {
|
if (certInstanceName != null) {
|
||||||
builder =
|
builder =
|
||||||
builder.setTlsCertificateCertificateProviderInstance(
|
builder.setTlsCertificateProviderInstance(
|
||||||
CommonTlsContext.CertificateProviderInstance.newBuilder()
|
CertificateProviderPluginInstance.newBuilder()
|
||||||
.setInstanceName(certInstanceName)
|
.setInstanceName(certInstanceName)
|
||||||
.setCertificateName(certName));
|
.setCertificateName(certName));
|
||||||
}
|
}
|
||||||
builder =
|
builder =
|
||||||
addCertificateValidationContext(
|
addCertificateValidationContext(
|
||||||
|
@ -248,35 +224,28 @@ public class CommonTlsContextTestsUtil {
|
||||||
return builder.build();
|
return builder.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
private static CommonTlsContext.Builder addCertificateValidationContext(
|
private static CommonTlsContext.Builder addCertificateValidationContext(
|
||||||
CommonTlsContext.Builder builder,
|
CommonTlsContext.Builder builder,
|
||||||
String rootInstanceName,
|
String rootInstanceName,
|
||||||
String rootCertName,
|
String rootCertName,
|
||||||
CertificateValidationContext staticCertValidationContext) {
|
CertificateValidationContext staticCertValidationContext) {
|
||||||
CertificateProviderInstance providerInstance = null;
|
if (staticCertValidationContext == null && rootInstanceName == null) {
|
||||||
|
return builder;
|
||||||
|
}
|
||||||
|
CertificateValidationContext.Builder contextBuilder;
|
||||||
|
if (staticCertValidationContext == null) {
|
||||||
|
contextBuilder = CertificateValidationContext.newBuilder();
|
||||||
|
} else {
|
||||||
|
contextBuilder = staticCertValidationContext.toBuilder();
|
||||||
|
}
|
||||||
if (rootInstanceName != null) {
|
if (rootInstanceName != null) {
|
||||||
providerInstance = CertificateProviderInstance.newBuilder()
|
contextBuilder.setCaCertificateProviderInstance(CertificateProviderPluginInstance.newBuilder()
|
||||||
.setInstanceName(rootInstanceName)
|
.setInstanceName(rootInstanceName)
|
||||||
.setCertificateName(rootCertName)
|
.setCertificateName(rootCertName));
|
||||||
.build();
|
builder.setValidationContext(contextBuilder.build());
|
||||||
}
|
}
|
||||||
if (providerInstance != null) {
|
return builder.setCombinedValidationContext(CombinedCertificateValidationContext.newBuilder()
|
||||||
builder = builder.setValidationContextCertificateProviderInstance(providerInstance);
|
.setDefaultValidationContext(contextBuilder));
|
||||||
}
|
|
||||||
CombinedCertificateValidationContext.Builder combined =
|
|
||||||
CombinedCertificateValidationContext.newBuilder();
|
|
||||||
if (providerInstance != null) {
|
|
||||||
combined = combined.setValidationContextCertificateProviderInstance(providerInstance);
|
|
||||||
}
|
|
||||||
if (staticCertValidationContext != null) {
|
|
||||||
combined = combined.setDefaultValidationContext(staticCertValidationContext);
|
|
||||||
}
|
|
||||||
if (combined.hasValidationContextCertificateProviderInstance()
|
|
||||||
|| combined.hasDefaultValidationContext()) {
|
|
||||||
builder = builder.setCombinedValidationContext(combined.build());
|
|
||||||
}
|
|
||||||
return builder;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static CommonTlsContext.Builder addNewCertificateValidationContext(
|
private static CommonTlsContext.Builder addNewCertificateValidationContext(
|
||||||
|
|
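Review bot: In the rewritten `addCertificateValidationContext` (hunk `@ -248,35 +224,28 @@`), the call `builder.setValidationContext(contextBuilder.build());` inside the `if (rootInstanceName != null)` block is immediately overridden by the unconditional `return builder.setCombinedValidationContext(...)` that follows, because `validation_context` and `combined_validation_context` are alternatives in the same `validation_context_type` oneof and the last one set wins. As written the line is dead; either drop it, or, if the intent was to exercise the plain `validation_context` shape for provider-instance roots, return from inside the `if` and add a comment explaining why the two cases produce different shapes. Separately, `buildCommonTlsContextWithAdditionalValues` (hunk `@ -63,48 +62,26 @@`) now calls `addAllMatchSubjectAltNames` and `addAllAlpnProtocols` unconditionally where the old code null-checked; the one visible caller was switched to `Arrays.asList()`, but any caller outside this diff still passing null would now throw NullPointerException, so the parameters should be documented as non-null, e.g. `// matchSubjectAltNames and alpnNames must be non-null; pass an empty list for none`.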
|
@ -123,7 +123,6 @@ public class CertificateProviderStoreTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void onePluginSameConfig_sameInstance() {
|
public void onePluginSameConfig_sameInstance() {
|
||||||
registerPlugin("plugin1");
|
registerPlugin("plugin1");
|
||||||
CertificateProvider.Watcher mockWatcher1 = mock(CertificateProvider.Watcher.class);
|
CertificateProvider.Watcher mockWatcher1 = mock(CertificateProvider.Watcher.class);
|
||||||
|
@ -167,7 +166,6 @@ public class CertificateProviderStoreTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
public void onePluginSameConfig_secondWatcherAfterFirstNotify() {
|
public void onePluginSameConfig_secondWatcherAfterFirstNotify() {
|
||||||
registerPlugin("plugin1");
|
registerPlugin("plugin1");
|
||||||
CertificateProvider.Watcher mockWatcher1 = mock(CertificateProvider.Watcher.class);
|
CertificateProvider.Watcher mockWatcher1 = mock(CertificateProvider.Watcher.class);
|
||||||
|
@ -275,7 +273,6 @@ public class CertificateProviderStoreTest {
|
||||||
mockWatcher1, handle1, certProviderProvider1, mockWatcher2, handle2, certProviderProvider2);
|
mockWatcher1, handle1, certProviderProvider1, mockWatcher2, handle2, certProviderProvider2);
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
private static void checkDifferentInstances(
|
private static void checkDifferentInstances(
|
||||||
CertificateProvider.Watcher mockWatcher1,
|
CertificateProvider.Watcher mockWatcher1,
|
||||||
CertificateProviderStore.Handle handle1,
|
CertificateProviderStore.Handle handle1,
|
||||||
|
|