Grcov report - context_config

1

#pragma once

2

3

#include <string>

4

#include <vector>

5

6

#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"

7

#include "envoy/secret/secret_callbacks.h"

8

#include "envoy/secret/secret_provider.h"

9

#include "envoy/server/transport_socket_config.h"

10

#include "envoy/ssl/context_config.h"

11

12

#include "source/common/common/empty_string.h"

13

#include "source/common/json/json_loader.h"

14

#include "source/common/ssl/tls_certificate_config_impl.h"

15

16

namespace Envoy {

17

namespace Extensions {

18

namespace TransportSockets {

19

namespace Tls {

20

21

static const std::string INLINE_STRING = "<inline>";

22

23

struct TlsCertificateConfigProviderSharedPtrWithName {

24

  const std::string certificate_name_;

25

  Secret::TlsCertificateConfigProviderSharedPtr provider_;

26

};

27

28

struct CertificateValidationContextConfigProviderSharedPtrWithName {

29

  const std::string certificate_name_;

30

  Secret::CertificateValidationContextConfigProviderSharedPtr provider_;

31

};

32

33

class ContextConfigImpl : public virtual Ssl::ContextConfig,

34

                          public Logger::Loggable<Logger::Id::misc> {

35

public:

36

  // Ssl::ContextConfig

37

12382

  const std::string& alpnProtocols() const override { return alpn_protocols_; }

38

7087

  const std::string& cipherSuites() const override { return cipher_suites_; }

39

7085

  const std::string& ecdhCurves() const override { return ecdh_curves_; }

40

7112

  const std::string& signatureAlgorithms() const override { return signature_algorithms_; }

41

  absl::optional<envoy::extensions::transport_sockets::tls::v3::TlsParameters::CompliancePolicy>

42

6978

  compliancePolicy() const override {

43

6978

    return compliance_policy_;

44

6978

45

  // TODO(htuch): This needs to be made const again and/or zero copy and/or callers fixed.

46

  std::vector<std::reference_wrapper<const Envoy::Ssl::TlsCertificateConfig>>

47

6995

  tlsCertificates() const override {

48

6995

    std::vector<std::reference_wrapper<const Envoy::Ssl::TlsCertificateConfig>> configs;

49

6995

    configs.reserve(tls_certificate_configs_.size());

50

7038

    for (const auto& config : tls_certificate_configs_) {

51

5168

      configs.push_back(config);

52

5168

53

6995

    return configs;

54

6995

55

  const Envoy::Ssl::CertificateValidationContextConfig*

56

17532

  certificateValidationContext() const override {

57

17532

    return validation_context_config_.get();

58

17532

59

7085

  unsigned minProtocolVersion() const override { return min_protocol_version_; };

60

14097

  unsigned maxProtocolVersion() const override { return max_protocol_version_; };

61

7012

  const Network::Address::IpList& tlsKeyLogLocal() const override { return *tls_keylog_local_; };

62

7012

  const Network::Address::IpList& tlsKeyLogRemote() const override { return *tls_keylog_remote_; };

63

6988

  const std::string& tlsKeyLogPath() const override { return tls_keylog_path_; };

64

9

  AccessLog::AccessLogManager& accessLogManager() const override {

65

9

    return factory_context_.serverFactoryContext().accessLogManager();

66

9

67

68

7087

  bool isReady() const override {

69

7087

    const bool tls_is_ready =

70

7087

        (tls_certificate_providers_.empty() || !tls_certificate_configs_.empty());

71

7087

    const bool combined_cvc_is_ready =

72

7087

        (default_cvc_ == nullptr || validation_context_config_ != nullptr);

73

7087

    const bool cvc_is_ready = (certificate_validation_context_provider_.provider_ == nullptr ||

74

7087

                               default_cvc_ != nullptr || validation_context_config_ != nullptr);

75

7087

    return tls_is_ready && combined_cvc_is_ready && cvc_is_ready;

76

7087

77

78

  void setSecretUpdateCallback(std::function<absl::Status()> callback) override;

79

  Ssl::HandshakerFactoryCb createHandshaker() const override;

80

25623

  Ssl::HandshakerCapabilities capabilities() const override { return capabilities_; }

81

6979

  Ssl::SslCtxCb sslctxCb() const override { return sslctx_cb_; }

82

83

  absl::StatusOr<Ssl::CertificateValidationContextConfigPtr> getCombinedValidationContextConfig(

84

      const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext&

85

          dynamic_cvc,

86

      const std::string& name);

87

88

protected:

89

  ContextConfigImpl(const envoy::extensions::transport_sockets::tls::v3::CommonTlsContext& config,

90

                    bool auto_sni_san_match, const unsigned default_min_protocol_version,

91

                    const unsigned default_max_protocol_version,

92

                    const std::string& default_cipher_suites, const std::string& default_curves,

93

                    Server::Configuration::TransportSocketFactoryContext& factory_context,

94

                    absl::Status& creation_status);

95

  Api::Api& api_;

96

  const Server::Options& options_;

97

  Singleton::Manager& singleton_manager_;

98

  Server::ServerLifecycleNotifier& lifecycle_notifier_;

99

  const bool auto_sni_san_match_;

100

101

private:

102

  static unsigned tlsVersionFromProto(

103

      const envoy::extensions::transport_sockets::tls::v3::TlsParameters::TlsProtocol& version,

104

      unsigned default_version);

105

106

  const std::string alpn_protocols_;

107

  const std::string cipher_suites_;

108

  const std::string ecdh_curves_;

109

  const std::string signature_algorithms_;

110

111

  std::vector<Ssl::TlsCertificateConfigImpl> tls_certificate_configs_;

112

  Ssl::CertificateValidationContextConfigPtr validation_context_config_;

113

  // If certificate validation context type is combined_validation_context. default_cvc_

114

  // holds a copy of CombinedCertificateValidationContext::default_validation_context.

115

  // Otherwise, default_cvc_ is nullptr.

116

  std::unique_ptr<envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext>

117

      default_cvc_;

118

  std::vector<TlsCertificateConfigProviderSharedPtrWithName> tls_certificate_providers_;

119

  // Handle for TLS certificate dynamic secret callback.

120

  std::vector<Envoy::Common::CallbackHandlePtr> tc_update_callback_handles_;

121

  CertificateValidationContextConfigProviderSharedPtrWithName

122

      certificate_validation_context_provider_;

123

  // Handle for certificate validation context dynamic secret callback.

124

  Envoy::Common::CallbackHandlePtr cvc_update_callback_handle_;

125

  Envoy::Common::CallbackHandlePtr cvc_validation_callback_handle_;

126

  const unsigned min_protocol_version_;

127

  const unsigned max_protocol_version_;

128

129

  Ssl::HandshakerFactoryCb handshaker_factory_cb_;

130

  Ssl::HandshakerCapabilities capabilities_;

131

  Ssl::SslCtxCb sslctx_cb_;

132

  Server::Configuration::TransportSocketFactoryContext& factory_context_;

133

  const std::string tls_keylog_path_;

134

  std::unique_ptr<Network::Address::IpList> tls_keylog_local_;

135

  std::unique_ptr<Network::Address::IpList> tls_keylog_remote_;

136

  const absl::optional<

137

      envoy::extensions::transport_sockets::tls::v3::TlsParameters::CompliancePolicy>

138

      compliance_policy_;

139

};

140

141

class ClientContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::ClientContextConfig {

142

public:

143

  static const std::string DEFAULT_CIPHER_SUITES;

144

  static const std::string DEFAULT_CIPHER_SUITES_FIPS;

145

  static const std::string DEFAULT_CURVES;

146

  static const std::string DEFAULT_CURVES_FIPS;

147

148

  static absl::StatusOr<std::unique_ptr<ClientContextConfigImpl>>

149

  create(const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config,

150

         Server::Configuration::TransportSocketFactoryContext& secret_provider_context);

151

152

  // Ssl::ClientContextConfig

153

7208

  const std::string& serverNameIndication() const override { return server_name_indication_; }

154

3502

  bool autoHostServerNameIndication() const override { return auto_host_sni_; }

155

3483

  bool autoSniSanMatch() const override { return auto_sni_san_match_; }

156

3502

  bool allowRenegotiation() const override { return allow_renegotiation_; }

157

3502

  size_t maxSessionKeys() const override { return max_session_keys_; }

158

3502

  bool enforceRsaKeyUsage() const override { return enforce_rsa_key_usage_; }

159

  void setSecretUpdateCallback(std::function<absl::Status()> callback) override;

160

  OptRef<Ssl::UpstreamTlsCertificateSelectorFactory>

161

5660

  tlsCertificateSelectorFactory() const override {

162

5660

    return tls_certificate_selector_factory_ ? makeOptRef(*tls_certificate_selector_factory_)

163

5660

                                             : absl::nullopt;

164

5660

165

166

private:

167

  ClientContextConfigImpl(

168

      const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config,

169

      Server::Configuration::TransportSocketFactoryContext& secret_provider_context,

170

      absl::Status& creation_status);

171

172

  static const unsigned DEFAULT_MIN_VERSION;

173

  static const unsigned DEFAULT_MAX_VERSION;

174

175

  const std::string server_name_indication_;

176

  const bool auto_host_sni_ : 1;

177

  const bool allow_renegotiation_ : 1;

178

  const bool enforce_rsa_key_usage_ : 1;

179

  const size_t max_session_keys_;

180

  // Certificate selector contains a reference to this context so should be destroyed first.

181

  Ssl::UpstreamTlsCertificateSelectorFactoryPtr tls_certificate_selector_factory_;

182

};

183

184

} // namespace Tls

185

} // namespace TransportSockets

186

} // namespace Extensions

187

} // namespace Envoy