       1             : #pragma once
       2             : 
#include <chrono>
#include <functional>
#include <memory>
#include <string>
#include <vector>

#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
#include "envoy/secret/secret_callbacks.h"
#include "envoy/secret/secret_provider.h"
#include "envoy/server/transport_socket_config.h"
#include "envoy/ssl/context_config.h"

#include "source/common/common/empty_string.h"
#include "source/common/json/json_loader.h"
#include "source/common/ssl/tls_certificate_config_impl.h"
      15             : 
      16             : namespace Envoy {
      17             : namespace Extensions {
      18             : namespace TransportSockets {
      19             : namespace Tls {
      20             : 
// Marker string; presumably substituted for a filename wherever certificate or key
// material was supplied inline in the config rather than read from disk (confirm
// against the .cc). `static` gives it internal linkage, so each translation unit
// that includes this header owns its own copy.
static const std::string INLINE_STRING = "<inline>";
      22             : 
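// Shared Ssl::ContextConfig implementation for client and server TLS contexts.
// Holds the parsed CommonTlsContext settings (protocol bounds, cipher suites,
// curves, signature algorithms, ALPN, key logging) together with certificate and
// validation-context material, some of which may only arrive later through
// secret providers (SDS). isReady() is the gate that tells callers whether all
// provider-supplied material has been delivered.
class ContextConfigImpl : public virtual Ssl::ContextConfig {
public:
  // Ssl::ContextConfig
  const std::string& alpnProtocols() const override { return alpn_protocols_; }
  // Cipher-suite string handed to the TLS library. This is what ultimately decides
  // which suites a peer may negotiate, so a permissive value here is a policy
  // decision, not a detail.
  const std::string& cipherSuites() const override { return cipher_suites_; }
  const std::string& ecdhCurves() const override { return ecdh_curves_; }
  const std::string& signatureAlgorithms() const override { return signature_algorithms_; }

  // Returns non-owning references into tls_certificate_configs_. That member is not
  // const and update callbacks are registered for it (tc_update_callback_handles_),
  // so a secret update may replace its contents; callers should not keep the
  // returned references across such an update.
  // TODO(htuch): This needs to be made const again and/or zero copy and/or callers fixed.
  std::vector<std::reference_wrapper<const Envoy::Ssl::TlsCertificateConfig>>
  tlsCertificates() const override {
    std::vector<std::reference_wrapper<const Envoy::Ssl::TlsCertificateConfig>> configs;
    // Size is known up front; avoid repeated growth.
    configs.reserve(tls_certificate_configs_.size());
    for (const auto& config : tls_certificate_configs_) {
      configs.emplace_back(config);
    }
    return configs;
  }

  // May be nullptr: either no validation context was configured, or one is expected
  // from a secret provider and has not arrived yet (see isReady()). A null result
  // means this config carries no peer-certificate trust settings; callers must
  // handle that case explicitly rather than treating it as "accept anything".
  const Envoy::Ssl::CertificateValidationContextConfig*
  certificateValidationContext() const override {
    return validation_context_config_.get();
  }

  // Protocol version bounds, already resolved from the proto enum (or the per-
  // context default) by tlsVersionFromProto(); the actual floor/ceiling enforcement
  // happens wherever these are applied to the TLS library, not here.
  unsigned minProtocolVersion() const override { return min_protocol_version_; }
  unsigned maxProtocolVersion() const override { return max_protocol_version_; }

  // TLS key-log settings. tls_keylog_local_/tls_keylog_remote_ are dereferenced
  // without a null check, so the constructor must always populate them (even with
  // empty lists) — verify in the .cc. NOTE(review): a key log by its nature records
  // per-session secrets; anyone able to read the file can decrypt captured traffic
  // for the matching connections, so the path should sit under restrictive
  // permissions and be enabled only deliberately. The writer itself is not visible
  // in this header.
  const Network::Address::IpList& tlsKeyLogLocal() const override { return *tls_keylog_local_; }
  const Network::Address::IpList& tlsKeyLogRemote() const override { return *tls_keylog_remote_; }
  const std::string& tlsKeyLogPath() const override { return tls_keylog_path_; }
  // Access-log manager from the server factory context; presumably what the key-log
  // file is written through.
  AccessLog::AccessLogManager& accessLogManager() const override {
    return factory_context_.serverFactoryContext().accessLogManager();
  }

  // True once everything a secret provider was configured to supply has actually
  // been delivered. Until then the context must not be used to terminate or
  // originate TLS, otherwise a listener/cluster could come up with no certificate
  // or without its intended validation (trust) policy.
  bool isReady() const override {
    // Static certificates: no providers at all. Dynamic: at least one config has
    // been delivered.
    const bool tls_is_ready =
        (tls_certificate_providers_.empty() || !tls_certificate_configs_.empty());
    // combined_validation_context: default_cvc_ is set, and the dynamic part has
    // been merged into validation_context_config_.
    const bool combined_cvc_is_ready =
        (default_cvc_ == nullptr || validation_context_config_ != nullptr);
    // Plain dynamic validation context: no provider, or the provider has delivered.
    // (The default_cvc_ != nullptr arm is already covered by the combined check.)
    const bool cvc_is_ready = (certificate_validation_context_provider_ == nullptr ||
                               default_cvc_ != nullptr || validation_context_config_ != nullptr);
    return tls_is_ready && combined_cvc_is_ready && cvc_is_ready;
  }

  // Registers a callback to run when a secret provider delivers new material
  // (defined in the .cc).
  void setSecretUpdateCallback(std::function<void()> callback) override;
  Ssl::HandshakerFactoryCb createHandshaker() const override;
  Ssl::HandshakerCapabilities capabilities() const override { return capabilities_; }
  Ssl::SslCtxCb sslctxCb() const override { return sslctx_cb_; }

  // Merges a dynamically delivered validation context with default_cvc_ for the
  // combined_validation_context case (defined in the .cc).
  Ssl::CertificateValidationContextConfigPtr getCombinedValidationContextConfig(
      const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext&
          dynamic_cvc);

protected:
  // @param default_min_protocol_version / default_max_protocol_version: used when
  //        the proto leaves the corresponding TlsParameters field unset.
  // @param default_cipher_suites / default_curves: likewise for the cipher and
  //        curve lists.
  // @param factory_context: source of the API, options, singleton manager and
  //        secret providers; retained by reference, so it must outlive this object.
  ContextConfigImpl(const envoy::extensions::transport_sockets::tls::v3::CommonTlsContext& config,
                    const unsigned default_min_protocol_version,
                    const unsigned default_max_protocol_version,
                    const std::string& default_cipher_suites, const std::string& default_curves,
                    Server::Configuration::TransportSocketFactoryContext& factory_context);
  Api::Api& api_;
  const Server::Options& options_;
  Singleton::Manager& singleton_manager_;

private:
  // Maps the proto TlsProtocol enum to the TLS library's version constant, falling
  // back to default_version when the proto value is unset.
  static unsigned tlsVersionFromProto(
      const envoy::extensions::transport_sockets::tls::v3::TlsParameters::TlsProtocol& version,
      unsigned default_version);

  const std::string alpn_protocols_;
  const std::string cipher_suites_;
  const std::string ecdh_curves_;
  const std::string signature_algorithms_;

  // Certificate configs currently in force; intentionally non-const so that secret
  // updates can replace them (see the TODO on tlsCertificates()).
  std::vector<Ssl::TlsCertificateConfigImpl> tls_certificate_configs_;
  Ssl::CertificateValidationContextConfigPtr validation_context_config_;
  // If certificate validation context type is combined_validation_context. default_cvc_
  // holds a copy of CombinedCertificateValidationContext::default_validation_context.
  // Otherwise, default_cvc_ is nullptr.
  std::unique_ptr<envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext>
      default_cvc_;
  std::vector<Secret::TlsCertificateConfigProviderSharedPtr> tls_certificate_providers_;
  // Handle for TLS certificate dynamic secret callback.
  std::vector<Envoy::Common::CallbackHandlePtr> tc_update_callback_handles_;
  Secret::CertificateValidationContextConfigProviderSharedPtr
      certificate_validation_context_provider_;
  // Handle for certificate validation context dynamic secret callback.
  Envoy::Common::CallbackHandlePtr cvc_update_callback_handle_;
  Envoy::Common::CallbackHandlePtr cvc_validation_callback_handle_;
  const unsigned min_protocol_version_;
  const unsigned max_protocol_version_;

  Ssl::HandshakerFactoryCb handshaker_factory_cb_;
  Ssl::HandshakerCapabilities capabilities_;
  Ssl::SslCtxCb sslctx_cb_;
  Server::Configuration::TransportSocketFactoryContext& factory_context_;
  const std::string tls_keylog_path_;
  std::unique_ptr<Network::Address::IpList> tls_keylog_local_;
  std::unique_ptr<Network::Address::IpList> tls_keylog_remote_;
};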
     117             : 
// Client-side (upstream) TLS context config built from an UpstreamTlsContext proto.
class ClientContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::ClientContextConfig {
public:
  static const std::string DEFAULT_CIPHER_SUITES;
  static const std::string DEFAULT_CURVES;

  // @param config: the upstream TLS context proto to parse.
  // @param secret_provider_context: factory context supplying secret providers;
  //        held by reference in the base class, so it must outlive this object.
  ClientContextConfigImpl(
      const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config,
      Server::Configuration::TransportSocketFactoryContext& secret_provider_context);

  // Ssl::ClientContextConfig

  // SNI value to present to the upstream (presumably empty when unset).
  const std::string& serverNameIndication() const override {
    return server_name_indication_;
  }

  // NOTE(review): TLS renegotiation widens the attack surface (it is the mechanism
  // behind the classic renegotiation-injection weakness); this should stay false
  // unless a specific upstream demonstrably needs it.
  bool allowRenegotiation() const override {
    return allow_renegotiation_;
  }

  // Whether the RSA key-usage extension is enforced on the upstream certificate;
  // presumably a false value lets a cert lacking the appropriate key usage be
  // accepted — confirm against how the .cc applies it.
  bool enforceRsaKeyUsage() const override {
    return enforce_rsa_key_usage_;
  }

  // Upper bound on cached session keys for resumption.
  size_t maxSessionKeys() const override {
    return max_session_keys_;
  }

private:
  static const unsigned DEFAULT_MIN_VERSION;
  static const unsigned DEFAULT_MAX_VERSION;

  // Declaration order is initialization order; keep in sync with the .cc.
  const std::string server_name_indication_;
  const bool allow_renegotiation_;
  const bool enforce_rsa_key_usage_;
  const size_t max_session_keys_;
};
     142             : 
// Server-side (downstream) TLS context config built from a DownstreamTlsContext
// proto. Adds client-certificate requirements, OCSP stapling policy, session
// ticket keys (possibly delivered via a secret provider) and resumption controls
// on top of ContextConfigImpl.
class ServerContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::ServerContextConfig {
public:
  // @param config: the downstream TLS context proto to parse.
  // @param secret_provider_context: factory context supplying secret providers;
  //        held by reference in the base class, so it must outlive this object.
  ServerContextConfigImpl(
      const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config,
      Server::Configuration::TransportSocketFactoryContext& secret_provider_context);

  // Ssl::ServerContextConfig

  // Whether the listener demands a client certificate (mTLS). A false value means a
  // missing client cert is not itself a handshake failure.
  bool requireClientCertificate() const override {
    return require_client_certificate_;
  }

  // OCSP stapling policy resolved from the proto (see ocspStaplePolicyFromProto).
  OcspStaplePolicy ocspStaplePolicy() const override {
    return ocsp_staple_policy_;
  }

  // Session ticket keys currently in force. These are long-lived secrets: whoever
  // holds a key can decrypt every session resumed under it, so forward secrecy for
  // resumed sessions rests on keeping them confidential and rotating them (a
  // provider, when configured, can push replacements — see isReady()).
  const std::vector<SessionTicketKey>& sessionTicketKeys() const override {
    return session_ticket_keys_;
  }

  // Optional session lifetime; unset means the TLS library default applies
  // (presumably — the consumer is not visible here).
  absl::optional<std::chrono::seconds> sessionTimeout() const override {
    return session_timeout_;
  }

  // Ready only when the base config is ready AND, if ticket keys come from a
  // provider, at least one key has been delivered. Serving before that would mean
  // issuing tickets without the configured keys.
  bool isReady() const override {
    if (!ContextConfigImpl::isReady()) {
      return false;
    }
    // Ticket keys are only awaited when a provider was configured for them.
    if (session_ticket_keys_provider_ != nullptr && session_ticket_keys_.empty()) {
      return false;
    }
    return true;
  }

  // Registers a callback for secret updates, including ticket-key updates
  // (defined in the .cc).
  void setSecretUpdateCallback(std::function<void()> callback) override;

  // Resumption controls. Disabling either form trades handshake cost for tighter
  // per-connection secrecy (no long-lived resumption state to compromise).
  bool disableStatelessSessionResumption() const override {
    return disable_stateless_session_resumption_;
  }
  bool disableStatefulSessionResumption() const override {
    return disable_stateful_session_resumption_;
  }

  // Whether certificate selection falls back to scanning every configured cert
  // when no cert matches the requested SNI.
  bool fullScanCertsOnSNIMismatch() const override {
    return full_scan_certs_on_sni_mismatch_;
  }

private:
  static const unsigned DEFAULT_MIN_VERSION;
  static const unsigned DEFAULT_MAX_VERSION;
  static const std::string DEFAULT_CIPHER_SUITES;
  static const std::string DEFAULT_CURVES;

  // Parses the proto's ticket-key set into SessionTicketKey values (.cc).
  std::vector<ServerContextConfig::SessionTicketKey> getSessionTicketKeys(
      const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys& keys);
  // Parses one raw key blob (.cc).
  ServerContextConfig::SessionTicketKey getSessionTicketKey(const std::string& key_data);
  // Maps the proto OCSP staple policy enum to the internal enum (.cc).
  static OcspStaplePolicy ocspStaplePolicyFromProto(
      const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext::OcspStaplePolicy&
          policy);

  // Declaration order is initialization order; keep in sync with the .cc.
  const bool require_client_certificate_;
  const OcspStaplePolicy ocsp_staple_policy_;
  std::vector<SessionTicketKey> session_ticket_keys_;
  const Secret::TlsSessionTicketKeysConfigProviderSharedPtr session_ticket_keys_provider_;
  Envoy::Common::CallbackHandlePtr stk_update_callback_handle_;
  Envoy::Common::CallbackHandlePtr stk_validation_callback_handle_;

  absl::optional<std::chrono::seconds> session_timeout_;
  const bool disable_stateless_session_resumption_;
  const bool disable_stateful_session_resumption_;
  // Deliberately non-const, unlike its siblings — presumably assigned after the
  // initializer list; confirm in the .cc.
  bool full_scan_certs_on_sni_mismatch_;
};
     199             : 
     200             : } // namespace Tls
     201             : } // namespace TransportSockets
     202             : } // namespace Extensions
     203             : } // namespace Envoy
