ssl_utility.cc
#include "test/integration/ssl_utility.h"
#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
#include "common/http/utility.h"
#include "common/json/json_loader.h"
#include "common/network/utility.h"
#include "extensions/transport_sockets/tls/context_config_impl.h"
#include "extensions/transport_sockets/tls/context_manager_impl.h"
#include "extensions/transport_sockets/tls/ssl_socket.h"
#include "test/config/utility.h"
#include "test/integration/server.h"
#include "test/mocks/server/transport_socket_factory_context.h"
#include "test/test_common/environment.h"
#include "test/test_common/network_utility.h"
#include "gtest/gtest.h"
using testing::ReturnRef;
namespace Envoy {
namespace Ssl {
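// Builds a client-side TLS transport socket factory for integration tests.
//
// options         - which test identity (ECDSA vs RSA), ALPN, SAN check, cipher suites,
//                   SNI, pinned TLS version and signature algorithms to configure.
// context_manager - the SSL context manager the factory registers its context with.
// api             - returned from the mocked factory context's api().
// Returns an owning pointer to a ClientSslSocketFactory.
Network::TransportSocketFactoryPtr
createClientSslTransportSocketFactory(const ClientSslTransportOptions& options,
                                      ContextManager& context_manager, Api::Api& api) {
  // Every client built here validates the server chain against the test CA only.
  std::string yaml_plain = R"EOF(
common_tls_context:
  validation_context:
    trusted_ca:
      filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem"
)EOF";
  // Client certificate: the ECDSA or the RSA test identity, chosen by the caller.
  if (options.client_ecdsa_cert_) {
    yaml_plain += R"EOF(
  tls_certificates:
    certificate_chain:
      filename: "{{ test_rundir }}/test/config/integration/certs/client_ecdsacert.pem"
    private_key:
      filename: "{{ test_rundir }}/test/config/integration/certs/client_ecdsakey.pem"
)EOF";
  } else {
    yaml_plain += R"EOF(
  tls_certificates:
    certificate_chain:
      filename: "{{ test_rundir }}/test/config/integration/certs/clientcert.pem"
    private_key:
      filename: "{{ test_rundir }}/test/config/integration/certs/clientkey.pem"
)EOF";
  }

  envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
  // "{{ test_rundir }}" is expanded before the YAML is parsed into the proto.
  TestUtility::loadFromYaml(TestEnvironment::substitute(yaml_plain), tls_context);

  auto* common_context = tls_context.mutable_common_tls_context();
  if (options.alpn_) {
    // h2 is listed before http/1.1, i.e. the client's preference order.
    common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http2);
    common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http11);
  }
  if (options.san_) {
    // TODO(review): verify_subject_alt_name is a hidden/deprecated field; the current
    // replacement is match_subject_alt_names. Kept as-is so the exact-match SAN
    // expectation of existing tests does not change.
    common_context->mutable_validation_context()
        ->add_hidden_envoy_deprecated_verify_subject_alt_name("spiffe://lyft.com/backend-team");
  }

  // tls_params is created once and reused for cipher suites and the version pin.
  auto* tls_params = common_context->mutable_tls_params();
  for (const std::string& cipher_suite : options.cipher_suites_) {
    tls_params->add_cipher_suites(cipher_suite);
  }
  if (!options.sni_.empty()) {
    tls_context.set_sni(options.sni_);
  }
  // Minimum and maximum are pinned to the same value so a test exercises exactly one
  // protocol version.
  tls_params->set_tls_minimum_protocol_version(options.tls_version_);
  tls_params->set_tls_maximum_protocol_version(options.tls_version_);

  // The mock answers api() with the caller's Api; NiceMock returns defaults for the rest.
  // NOTE(review): assumes ClientContextConfigImpl does not keep a reference to the
  // factory context itself past construction (it is a local) - confirm against its ctor.
  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
  ON_CALL(mock_factory_ctx, api()).WillByDefault(ReturnRef(api));
  auto cfg = std::make_unique<Extensions::TransportSockets::Tls::ClientContextConfigImpl>(
      tls_context, options.sigalgs_, mock_factory_ctx);

  // Never freed on purpose: the store must outlive every factory returned from here
  // (presumably to avoid static-destruction-order problems at process exit).
  static auto* client_stats_store = new Stats::TestIsolatedStoreImpl();
  // make_unique instead of a naked new, matching the sibling create*SslContext helpers.
  return std::make_unique<Extensions::TransportSockets::Tls::ClientSslSocketFactory>(
      std::move(cfg), context_manager, *client_stats_store);
}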
// Builds a server-side TLS transport socket factory for a test upstream, using
// ConfigHelper's default certificate configuration.
//
// context_manager - the SSL context manager the factory registers with.
// api             - returned from the mocked factory context's api().
// Returns an owning pointer to a ServerSslSocketFactory with no server-name filter.
Network::TransportSocketFactoryPtr createUpstreamSslContext(ContextManager& context_manager,
                                                            Api::Api& api) {
  envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
  ConfigHelper::initializeTls({}, *tls_context.mutable_common_tls_context());

  // The mock answers api() with the caller's Api; NiceMock returns defaults for the rest.
  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_ctx;
  ON_CALL(factory_ctx, api()).WillByDefault(ReturnRef(api));
  auto server_config =
      std::make_unique<Extensions::TransportSockets::Tls::ServerContextConfigImpl>(tls_context,
                                                                                   factory_ctx);

  // Intentionally never freed so it outlives every factory created from it
  // (presumably to sidestep static destruction order).
  static Stats::Scope* stats_scope = new Stats::TestIsolatedStoreImpl();
  using Extensions::TransportSockets::Tls::ServerSslSocketFactory;
  return std::make_unique<ServerSslSocketFactory>(std::move(server_config), context_manager,
                                                  *stats_scope, std::vector<std::string>{});
}
// Builds a server-side TLS transport socket factory for a fake upstream whose
// certificate pair is named by `upstream_cert_name`
// ("<name>cert.pem" / "<name>key.pem" under test/config/integration/certs).
//
// upstream_cert_name - prefix of the certificate and key file names.
// context_manager    - the SSL context manager the factory registers with.
// factory_context    - the real factory context used to build the server config.
// Returns an owning pointer to a ServerSslSocketFactory with no server-name filter.
Network::TransportSocketFactoryPtr createFakeUpstreamSslContext(
    const std::string& upstream_cert_name, ContextManager& context_manager,
    Server::Configuration::TransportSocketFactoryContext& factory_context) {
  // Both files are resolved relative to the runfiles tree.
  const std::string chain_path = TestEnvironment::runfilesPath(
      fmt::format("test/config/integration/certs/{}cert.pem", upstream_cert_name));
  const std::string key_path = TestEnvironment::runfilesPath(
      fmt::format("test/config/integration/certs/{}key.pem", upstream_cert_name));

  envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
  auto* tls_cert = tls_context.mutable_common_tls_context()->add_tls_certificates();
  tls_cert->mutable_certificate_chain()->set_filename(chain_path);
  tls_cert->mutable_private_key()->set_filename(key_path);

  auto server_config =
      std::make_unique<Extensions::TransportSockets::Tls::ServerContextConfigImpl>(
          tls_context, factory_context);

  // Intentionally never freed so it outlives every factory created from it. This helper
  // uses the plain IsolatedStoreImpl while its siblings use TestIsolatedStoreImpl -
  // presumably deliberate; confirm before unifying.
  static Stats::Scope* stats_scope = new Stats::IsolatedStoreImpl();
  return std::make_unique<Extensions::TransportSockets::Tls::ServerSslSocketFactory>(
      std::move(server_config), context_manager, *stats_scope, std::vector<std::string>{});
}
// Resolves the loopback TCP address for the given IP version and port.
//
// version - IPv4 or IPv6; the loopback URL string comes from the test network helper.
// port    - TCP port to append.
// Returns the address produced by Network::Utility::resolveUrl for "tcp://<loopback>:<port>".
Network::Address::InstanceConstSharedPtr getSslAddress(const Network::Address::IpVersion& version,
                                                       int port) {
  std::string url{"tcp://"};
  url += Network::Test::getLoopbackAddressUrlString(version);
  url += ':';
  url += std::to_string(port);
  return Network::Utility::resolveUrl(url);
}
} // namespace Ssl
} // namespace Envoy