#pragma once

#include "envoy/config/core/v3/config_source.pb.h"
#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
#include "envoy/secret/secret_manager.h"
#include "envoy/secret/secret_provider.h"
#include "envoy/server/transport_socket_config.h"
#include "envoy/ssl/certificate_validation_context_config.h"
#include "envoy/ssl/tls_certificate_config.h"

#include "source/common/common/logger.h"
#include "source/common/secret/sds_api.h"

#include "absl/container/node_hash_map.h"

namespace Envoy {
namespace Secret {

// Default SecretManager implementation.
//
// Two kinds of secrets are handled:
//  * static secrets, registered once through addStaticSecret() and looked up by name via the
//    findStatic*Provider() accessors (or wrapped ad hoc via createInline*Provider());
//  * dynamic (SDS) secrets, created on demand by findOrCreate*Provider() and shared between every
//    caller that supplies the same SDS ConfigSource and secret name.
class SecretManagerImpl : public SecretManager {
public:
  // config_tracker: optional config tracker; the entry it hands back is kept in
  // config_tracker_entry_ (registration itself happens in the .cc file).
  SecretManagerImpl(OptRef<Server::ConfigTracker> config_tracker);

  // Registers a static secret. The returned status reports registration problems.
  absl::Status
  addStaticSecret(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override;

  // Lookups of previously registered static secrets, by secret name.
  TlsCertificateConfigProviderSharedPtr
  findStaticTlsCertificateProvider(const std::string& name) const override;

  CertificateValidationContextConfigProviderSharedPtr
  findStaticCertificateValidationContextProvider(const std::string& name) const override;

  TlsSessionTicketKeysConfigProviderSharedPtr
  findStaticTlsSessionTicketKeysContextProvider(const std::string& name) const override;

  GenericSecretConfigProviderSharedPtr
  findStaticGenericSecretProvider(const std::string& name) const override;

  // Providers wrapping an inline (non-SDS) secret message supplied by the caller.
  TlsCertificateConfigProviderSharedPtr createInlineTlsCertificateProvider(
      const envoy::extensions::transport_sockets::tls::v3::TlsCertificate& tls_certificate)
      override;

  CertificateValidationContextConfigProviderSharedPtr
  createInlineCertificateValidationContextProvider(
      const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext&
          certificate_validation_context) override;

  TlsSessionTicketKeysConfigProviderSharedPtr createInlineTlsSessionTicketKeysProvider(
      const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys&
          tls_session_ticket_keys) override;

  GenericSecretConfigProviderSharedPtr createInlineGenericSecretProvider(
      const envoy::extensions::transport_sockets::tls::v3::GenericSecret& generic_secret) override;

  // Dynamic (SDS) providers. The provider for a given (config_source, config_name) pair is
  // created on first use and reused afterwards; its init target is added to `init_manager`
  // on every call so each caller is tracked as warming (see DynamicSecretProviders below).
  TlsCertificateConfigProviderSharedPtr findOrCreateTlsCertificateProvider(
      const envoy::config::core::v3::ConfigSource& config_source, const std::string& config_name,
      Server::Configuration::TransportSocketFactoryContext& secret_provider_context,
      Init::Manager& init_manager) override;

  CertificateValidationContextConfigProviderSharedPtr
  findOrCreateCertificateValidationContextProvider(
      const envoy::config::core::v3::ConfigSource& config_source, const std::string& config_name,
      Server::Configuration::TransportSocketFactoryContext& secret_provider_context,
      Init::Manager& init_manager) override;

  TlsSessionTicketKeysConfigProviderSharedPtr findOrCreateTlsSessionTicketKeysContextProvider(
      const envoy::config::core::v3::ConfigSource& config_source, const std::string& config_name,
      Server::Configuration::TransportSocketFactoryContext& secret_provider_context,
      Init::Manager& init_manager) override;

  GenericSecretConfigProviderSharedPtr findOrCreateGenericSecretProvider(
      const envoy::config::core::v3::ConfigSource& config_source, const std::string& config_name,
      Server::Configuration::TransportSocketFactoryContext& secret_provider_context,
      Init::Manager& init_manager) override;

private:
  // Builds the config-dump message for secrets whose name matches `name_matcher`.
  ProtobufTypes::MessagePtr dumpSecretConfigs(const Matchers::StringMatcher& name_matcher);

  // Registry of live SDS providers of one SecretType, keyed by
  // "<hash of the SDS ConfigSource>.<secret name>". Entries are weak: the SdsApi objects are
  // owned by their ListenerImpl / ClusterInfo and unregister themselves from this map when
  // they are destroyed, which happens before the SecretManagerImpl itself goes away.
  template <class SecretType>
  class DynamicSecretProviders : public Logger::Loggable<Logger::Id::secret> {
  public:
    // Returns the provider for (sds_config_source, config_name), constructing it when no live
    // one exists. Identity is the ConfigSource hash plus the name, so callers with an identical
    // source definition and name share one SdsApi instance.
    //
    // The provider's init target is added to `init_manager` whether the provider is new or
    // reused: several clusters / listeners may share one secret and each of them must still be
    // marked warming.
    //
    // `init_manager` is taken explicitly instead of being read from `secret_provider_context`:
    // that context can carry the server's init manager (e.g. the oauth2 filter with SDS
    // config), which, for a dynamically delivered filter config, may already be initialized —
    // adding a target to an initialized init manager trips an assertion. The caller is
    // responsible for passing the init manager that is actually in the right state.
    std::shared_ptr<SecretType>
    findOrCreate(const envoy::config::core::v3::ConfigSource& sds_config_source,
                 const std::string& config_name,
                 Server::Configuration::TransportSocketFactoryContext& secret_provider_context,
                 Init::Manager& init_manager) {
      const std::string provider_key =
          absl::StrCat(MessageUtil::hash(sds_config_source), ".", config_name);

      auto provider = dynamic_secret_providers_[provider_key].lock();
      if (provider == nullptr) {
        // The SdsApi destructor runs this callback. Because every SdsApi is destroyed before the
        // owning SecretManagerImpl, capturing `this` here is safe.
        std::function<void()> on_provider_destroyed = [this, key = provider_key]() {
          removeDynamicSecretProvider(key);
        };
        provider = SecretType::create(secret_provider_context, sds_config_source, config_name,
                                      on_provider_destroyed);
        dynamic_secret_providers_[provider_key] = provider;
      }

      init_manager.add(*provider->initTarget());
      return provider;
    }

    // Returns strong references to every provider that is still alive.
    std::vector<std::shared_ptr<SecretType>> allSecretProviders() {
      std::vector<std::shared_ptr<SecretType>> live_providers;
      for (const auto& entry : dynamic_secret_providers_) {
        if (auto provider = entry.second.lock()) {
          live_providers.emplace_back(std::move(provider));
        }
      }
      return live_providers;
    }

  private:
    // Drops the registry entry of a provider that is being destroyed. Exactly one entry is
    // expected to exist for `map_key` at this point.
    void removeDynamicSecretProvider(const std::string& map_key) {
      ENVOY_LOG(debug, "Unregister secret provider. hash key: {}", map_key);

      const auto erased_count = dynamic_secret_providers_.erase(map_key);
      ASSERT(erased_count == 1, "");
    }

    absl::node_hash_map<std::string, std::weak_ptr<SecretType>> dynamic_secret_providers_;
  };

  // Static secrets, keyed by secret name.
  absl::node_hash_map<std::string, TlsCertificateConfigProviderSharedPtr>
      static_tls_certificate_providers_;

  absl::node_hash_map<std::string, CertificateValidationContextConfigProviderSharedPtr>
      static_certificate_validation_context_providers_;

  absl::node_hash_map<std::string, TlsSessionTicketKeysConfigProviderSharedPtr>
      static_session_ticket_keys_providers_;

  absl::node_hash_map<std::string, GenericSecretConfigProviderSharedPtr>
      static_generic_secret_providers_;

  // Dynamic (SDS) providers, one registry per secret type; keyed as described on
  // DynamicSecretProviders.
  DynamicSecretProviders<TlsCertificateSdsApi> certificate_providers_;
  DynamicSecretProviders<CertificateValidationContextSdsApi> validation_context_providers_;
  DynamicSecretProviders<TlsSessionTicketKeysSdsApi> session_ticket_keys_providers_;
  DynamicSecretProviders<GenericSecretSdsApi> generic_secret_providers_;

  // Owner handle for this manager's config-dump entry.
  Server::ConfigTracker::EntryOwnerPtr config_tracker_entry_;
};

} // namespace Secret
} // namespace Envoy