/proc/self/cwd/test/integration/ssl_utility.cc
1 | | #include "test/integration/ssl_utility.h" |
2 | | |
3 | | #include "envoy/extensions/transport_sockets/quic/v3/quic_transport.pb.h" |
4 | | |
5 | | #include "source/common/http/utility.h" |
6 | | #include "source/common/json/json_loader.h" |
7 | | #include "source/common/network/utility.h" |
8 | | #include "source/extensions/transport_sockets/tls/context_config_impl.h" |
9 | | #include "source/extensions/transport_sockets/tls/context_manager_impl.h" |
10 | | #include "source/extensions/transport_sockets/tls/ssl_socket.h" |
11 | | |
12 | | #include "test/config/utility.h" |
13 | | #include "test/integration/server.h" |
14 | | #include "test/mocks/server/transport_socket_factory_context.h" |
15 | | #include "test/test_common/environment.h" |
16 | | #include "test/test_common/network_utility.h" |
17 | | |
18 | | #include "gtest/gtest.h" |
19 | | |
20 | | using testing::ReturnRef; |
21 | | |
22 | | namespace Envoy { |
23 | | namespace Ssl { |
24 | | |
void initializeUpstreamTlsContextConfig(
    const ClientSslTransportOptions& options,
    envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& tls_context) {
  // Fills `tls_context` for a test client: trust anchor, client identity, ALPN list, SAN
  // matchers, cipher/signature-algorithm restrictions, SNI, an optional custom validator and a
  // pinned TLS version. All certificate material is read from the test runfiles tree.
  using SubjectAltNameMatcher =
      envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher;

  const std::string rundir = TestEnvironment::runfilesDirectory();
  auto* common_context = tls_context.mutable_common_tls_context();
  auto* validation_context = common_context->mutable_validation_context();
  auto* tls_params = common_context->mutable_tls_params();

  // Trust anchor the client uses to verify the upstream's certificate.
  validation_context->mutable_trusted_ca()->set_filename(
      rundir + "/test/config/integration/certs/cacert.pem");

  // Client identity. The options are checked in a fixed order, so the first one set wins.
  std::string chain_path;
  std::string key_path;
  if (options.client_ecdsa_cert_) {
    chain_path = rundir + "/test/config/integration/certs/client_ecdsacert.pem";
    key_path = rundir + "/test/config/integration/certs/client_ecdsakey.pem";
  } else if (options.use_expired_spiffe_cert_) {
    chain_path = rundir + "/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_cert.pem";
    key_path = rundir + "/test/extensions/transport_sockets/tls/test_data/expired_spiffe_san_key.pem";
  } else if (options.client_with_intermediate_cert_) {
    chain_path = rundir + "/test/config/integration/certs/client2_chain.pem";
    key_path = rundir + "/test/config/integration/certs/client2key.pem";
  } else {
    chain_path = rundir + "/test/config/integration/certs/clientcert.pem";
    key_path = rundir + "/test/config/integration/certs/clientkey.pem";
  }
  auto* client_cert = common_context->add_tls_certificates();
  client_cert->mutable_certificate_chain()->set_filename(chain_path);
  client_cert->mutable_private_key()->set_filename(key_path);

  if (options.alpn_) {
    const auto& alpn_names = Http::Utility::AlpnNames::get();
    for (const auto& protocol : {alpn_names.Http2, alpn_names.Http11, alpn_names.Http3}) {
      common_context->add_alpn_protocols(protocol);
    }
  }

  if (!options.san_.empty()) {
    // The one exact value is matched against every SAN type, so the peer certificate is
    // accepted if *any* of its DNS/URI/EMAIL/IP SANs equals `san_` (test convenience, broader
    // than a production matcher would normally be).
    for (const auto san_type : {SubjectAltNameMatcher::DNS, SubjectAltNameMatcher::URI,
                                SubjectAltNameMatcher::EMAIL, SubjectAltNameMatcher::IP_ADDRESS}) {
      auto* matcher = validation_context->add_match_typed_subject_alt_names();
      matcher->mutable_matcher()->set_exact(options.san_);
      matcher->set_san_type(san_type);
    }
  }

  for (const std::string& cipher_suite : options.cipher_suites_) {
    tls_params->add_cipher_suites(cipher_suite);
  }
  for (const std::string& algorithm : options.sigalgs_) {
    tls_params->add_signature_algorithms(algorithm);
  }

  if (!options.sni_.empty()) {
    tls_context.set_sni(options.sni_);
  }

  if (options.custom_validator_config_) {
    // set_allocated_* hands ownership of the raw pointer to the proto, which will delete it.
    // NOTE(review): this presumes each options object builds one context; reusing it would
    // give the same pointer to two owners — confirm against callers.
    validation_context->set_allocated_custom_validator_config(options.custom_validator_config_);
  }

  // Pin the protocol version: minimum and maximum are the same value.
  tls_params->set_tls_minimum_protocol_version(options.tls_version_);
  tls_params->set_tls_maximum_protocol_version(options.tls_version_);
}
95 | | |
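Network::UpstreamTransportSocketFactoryPtr
createClientSslTransportSocketFactory(const ClientSslTransportOptions& options,
                                      ContextManager& context_manager, Api::Api& api) {
  // Builds a client-side TLS transport socket factory for integration tests from `options`.
  // `context_manager` owns the SSL contexts created for it; `api` is served to the config
  // implementation through a mocked factory context.
  envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
  initializeUpstreamTlsContextConfig(options, tls_context);

  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
  ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api));
  auto cfg = std::make_unique<Extensions::TransportSockets::Tls::ClientContextConfigImpl>(
      tls_context, mock_factory_ctx);

  // Function-local static, allocated once and never freed here — presumably so the stats scope
  // outlives every factory this helper returns.
  static auto* client_stats_store = new Stats::TestIsolatedStoreImpl();

  // Construct directly into the owning pointer instead of wrapping a raw `new`.
  return std::make_unique<Extensions::TransportSockets::Tls::ClientSslSocketFactory>(
      std::move(cfg), context_manager, *client_stats_store->rootScope());
}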
111 | | |
Network::DownstreamTransportSocketFactoryPtr
createUpstreamSslContext(ContextManager& context_manager, Api::Api& api, bool use_http3) {
  // Server-side transport socket factory for test upstreams: a plain TLS factory, or, when
  // `use_http3` is set, the QUIC downstream transport wrapping the same TLS configuration.
  envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
  ConfigHelper::initializeTls({}, *tls_context.mutable_common_tls_context());

  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
  ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api));

  // Built unconditionally (also on the HTTP/3 path, where it is discarded) so that both paths
  // see the same config-construction behaviour.
  auto cfg = std::make_unique<Extensions::TransportSockets::Tls::ServerContextConfigImpl>(
      tls_context, mock_factory_ctx);

  // Allocated once and never freed here, presumably to keep the scope valid for every returned
  // factory.
  static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl();

  if (use_http3) {
    // The QUIC transport embeds a copy of the TLS config; its factory is resolved from the
    // extension registry by canonical name.
    envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport quic_config;
    quic_config.mutable_downstream_tls_context()->MergeFrom(tls_context);
    const std::vector<std::string> server_names;
    auto& quic_factory = Config::Utility::getAndCheckFactoryByName<
        Server::Configuration::DownstreamTransportSocketConfigFactory>(
        "envoy.transport_sockets.quic");
    return quic_factory.createTransportSocketFactory(quic_config, mock_factory_ctx, server_names);
  }

  return std::make_unique<Extensions::TransportSockets::Tls::ServerSslSocketFactory>(
      std::move(cfg), context_manager, *upstream_stats_store->rootScope(),
      std::vector<std::string>{});
}
137 | | |
Network::DownstreamTransportSocketFactoryPtr createFakeUpstreamSslContext(
    const std::string& upstream_cert_name, ContextManager& context_manager,
    Server::Configuration::TransportSocketFactoryContext& factory_context) {
  // Server-side TLS factory for a fake upstream. `upstream_cert_name` is spliced into the
  // runfiles path of the certificate/key pair ("<name>cert.pem" / "<name>key.pem" under
  // test/config/integration/certs), so the argument selects which test identity is presented.
  const std::string chain_path = TestEnvironment::runfilesPath(
      fmt::format("test/config/integration/certs/{}cert.pem", upstream_cert_name));
  const std::string key_path = TestEnvironment::runfilesPath(
      fmt::format("test/config/integration/certs/{}key.pem", upstream_cert_name));

  envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
  auto* tls_cert = tls_context.mutable_common_tls_context()->add_tls_certificates();
  tls_cert->mutable_certificate_chain()->set_filename(chain_path);
  tls_cert->mutable_private_key()->set_filename(key_path);

  auto cfg = std::make_unique<Extensions::TransportSockets::Tls::ServerContextConfigImpl>(
      tls_context, factory_context);

  // NOTE(review): unlike the other helpers in this file this uses Stats::IsolatedStoreImpl
  // rather than TestIsolatedStoreImpl; left as-is — confirm whether the difference is intended.
  static auto* upstream_stats_store = new Stats::IsolatedStoreImpl();
  return std::make_unique<Extensions::TransportSockets::Tls::ServerSslSocketFactory>(
      std::move(cfg), context_manager, *upstream_stats_store->rootScope(),
      std::vector<std::string>{});
}
Network::Address::InstanceConstSharedPtr getSslAddress(const Network::Address::IpVersion& version,
                                                       int port) {
  // Resolves the loopback address for `version` on `port` through Envoy's URL resolver.
  // The loopback helper already returns the form the URL needs for the given IP version.
  std::string url{"tcp://"};
  url += Network::Test::getLoopbackAddressUrlString(version);
  url += ':';
  url += std::to_string(port);
  return Network::Utility::resolveUrl(url);
}
163 | | |
164 | | } // namespace Ssl |
165 | | } // namespace Envoy |