/proc/self/cwd/source/common/secret/sds_api.h
Line | Count | Source (jump to first uncovered line) |
1 | | #pragma once |
2 | | |
3 | | #include <functional> |
4 | | |
5 | | #include "envoy/api/api.h" |
6 | | #include "envoy/config/core/v3/config_source.pb.h" |
7 | | #include "envoy/config/subscription.h" |
8 | | #include "envoy/config/subscription_factory.h" |
9 | | #include "envoy/event/dispatcher.h" |
10 | | #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" |
11 | | #include "envoy/extensions/transport_sockets/tls/v3/secret.pb.validate.h" |
12 | | #include "envoy/init/manager.h" |
13 | | #include "envoy/local_info/local_info.h" |
14 | | #include "envoy/runtime/runtime.h" |
15 | | #include "envoy/secret/secret_callbacks.h" |
16 | | #include "envoy/secret/secret_provider.h" |
17 | | #include "envoy/server/transport_socket_config.h" |
18 | | #include "envoy/service/discovery/v3/discovery.pb.h" |
19 | | #include "envoy/stats/stats.h" |
20 | | #include "envoy/upstream/cluster_manager.h" |
21 | | |
22 | | #include "source/common/common/callback_impl.h" |
23 | | #include "source/common/common/cleanup.h" |
24 | | #include "source/common/config/subscription_base.h" |
25 | | #include "source/common/config/utility.h" |
26 | | #include "source/common/config/watched_directory.h" |
27 | | #include "source/common/init/target_impl.h" |
28 | | #include "source/common/ssl/certificate_validation_context_config_impl.h" |
29 | | #include "source/common/ssl/tls_certificate_config_impl.h" |
30 | | |
31 | | namespace Envoy { |
32 | | namespace Secret { |
33 | | |
34 | | /** |
35 | | * All SDS API. @see stats_macros.h |
36 | | */ |
37 | 0 | #define ALL_SDS_API_STATS(COUNTER) COUNTER(key_rotation_failed) |
38 | | |
39 | | /** |
40 | | * Struct definition for all SDS API stats. @see stats_macros.h |
41 | | */ |
42 | | struct SdsApiStats { |
43 | | ALL_SDS_API_STATS(GENERATE_COUNTER_STRUCT) |
44 | | }; |
45 | | |
46 | | /** |
47 | | * SDS API implementation that fetches secrets from SDS server via Subscription. |
48 | | */ |
49 | | class SdsApi : public Envoy::Config::SubscriptionBase< |
50 | | envoy::extensions::transport_sockets::tls::v3::Secret> { |
51 | | public: |
52 | | struct SecretData { |
53 | | const std::string resource_name_; |
54 | | std::string version_info_; |
55 | | SystemTime last_updated_; |
56 | | }; |
57 | | |
58 | | SdsApi(envoy::config::core::v3::ConfigSource sds_config, absl::string_view sds_config_name, |
59 | | Config::SubscriptionFactory& subscription_factory, TimeSource& time_source, |
60 | | ProtobufMessage::ValidationVisitor& validation_visitor, Stats::Store& stats, |
61 | | std::function<void()> destructor_cb, Event::Dispatcher& dispatcher, Api::Api& api); |
62 | | |
63 | | SecretData secretData(); |
64 | | |
65 | | protected: |
66 | | // Ordered for hash stability. |
67 | | using FileContentMap = std::map<std::string, std::string>; |
68 | | |
69 | | // Creates new secrets. |
70 | | virtual void setSecret(const envoy::extensions::transport_sockets::tls::v3::Secret&) PURE; |
71 | | // Refresh secrets, e.g. re-resolve symlinks in secret paths. |
72 | 0 | virtual void resolveSecret(const FileContentMap& /*files*/){}; |
73 | | virtual void validateConfig(const envoy::extensions::transport_sockets::tls::v3::Secret&) PURE; |
74 | | Common::CallbackManager<> update_callback_manager_; |
75 | | |
76 | | // Config::SubscriptionCallbacks |
77 | | absl::Status onConfigUpdate(const std::vector<Config::DecodedResourceRef>& resources, |
78 | | const std::string& version_info) override; |
79 | | absl::Status onConfigUpdate(const std::vector<Config::DecodedResourceRef>& added_resources, |
80 | | const Protobuf::RepeatedPtrField<std::string>& removed_resources, |
81 | | const std::string& system_version_info) override; |
82 | | void onConfigUpdateFailed(Envoy::Config::ConfigUpdateFailureReason reason, |
83 | | const EnvoyException* e) override; |
84 | | virtual std::vector<std::string> getDataSourceFilenames() PURE; |
85 | | virtual Config::WatchedDirectory* getWatchedDirectory() PURE; |
86 | | |
87 | | void resolveDataSource(const FileContentMap& files, |
88 | | envoy::config::core::v3::DataSource& data_source); |
89 | | |
90 | | Init::SharedTargetImpl init_target_; |
91 | | Event::Dispatcher& dispatcher_; |
92 | | Api::Api& api_; |
93 | | |
94 | | private: |
95 | | absl::Status validateUpdateSize(uint32_t added_resources_num, |
96 | | uint32_t removed_resources_num) const; |
97 | | void initialize(); |
98 | | FileContentMap loadFiles(); |
99 | | uint64_t getHashForFiles(const FileContentMap& files); |
100 | | // Invoked for filesystem watches on update. |
101 | | void onWatchUpdate(); |
102 | | SdsApiStats generateStats(Stats::Scope& scope); |
103 | | |
104 | | Stats::ScopeSharedPtr scope_; |
105 | | SdsApiStats sds_api_stats_; |
106 | | |
107 | | const envoy::config::core::v3::ConfigSource sds_config_; |
108 | | Config::SubscriptionPtr subscription_; |
109 | | const std::string sds_config_name_; |
110 | | |
111 | | uint64_t secret_hash_{0}; |
112 | | uint64_t files_hash_; |
113 | | Cleanup clean_up_; |
114 | | Config::SubscriptionFactory& subscription_factory_; |
115 | | TimeSource& time_source_; |
116 | | SecretData secret_data_; |
117 | | std::unique_ptr<Filesystem::Watcher> watcher_; |
118 | | }; |
119 | | |
120 | | class TlsCertificateSdsApi; |
121 | | class CertificateValidationContextSdsApi; |
122 | | class TlsSessionTicketKeysSdsApi; |
123 | | class GenericSecretSdsApi; |
124 | | using TlsCertificateSdsApiSharedPtr = std::shared_ptr<TlsCertificateSdsApi>; |
125 | | using CertificateValidationContextSdsApiSharedPtr = |
126 | | std::shared_ptr<CertificateValidationContextSdsApi>; |
127 | | using TlsSessionTicketKeysSdsApiSharedPtr = std::shared_ptr<TlsSessionTicketKeysSdsApi>; |
128 | | using GenericSecretSdsApiSharedPtr = std::shared_ptr<GenericSecretSdsApi>; |
129 | | |
130 | | /** |
131 | | * TlsCertificateSdsApi implementation maintains and updates dynamic TLS certificate secrets. |
132 | | */ |
133 | | class TlsCertificateSdsApi : public SdsApi, public TlsCertificateConfigProvider { |
134 | | public: |
135 | | static TlsCertificateSdsApiSharedPtr |
136 | | create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context, |
137 | | const envoy::config::core::v3::ConfigSource& sds_config, |
138 | 0 | const std::string& sds_config_name, std::function<void()> destructor_cb) { |
139 | | // We need to do this early as we invoke the subscription factory during initialization, which |
140 | | // is too late to throw. |
141 | 0 | auto& server_context = secret_provider_context.serverFactoryContext(); |
142 | 0 | THROW_IF_NOT_OK( |
143 | 0 | Config::Utility::checkLocalInfo("TlsCertificateSdsApi", server_context.localInfo())); |
144 | 0 | return std::make_shared<TlsCertificateSdsApi>( |
145 | 0 | sds_config, sds_config_name, secret_provider_context.clusterManager().subscriptionFactory(), |
146 | 0 | server_context.mainThreadDispatcher().timeSource(), |
147 | 0 | secret_provider_context.messageValidationVisitor(), server_context.serverScope().store(), |
148 | 0 | destructor_cb, server_context.mainThreadDispatcher(), server_context.api()); |
149 | 0 | } Unexecuted instantiation: Envoy::Secret::TlsCertificateSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) Unexecuted instantiation: Envoy::Secret::TlsCertificateSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) |
150 | | |
151 | | TlsCertificateSdsApi(const envoy::config::core::v3::ConfigSource& sds_config, |
152 | | const std::string& sds_config_name, |
153 | | Config::SubscriptionFactory& subscription_factory, TimeSource& time_source, |
154 | | ProtobufMessage::ValidationVisitor& validation_visitor, Stats::Store& stats, |
155 | | std::function<void()> destructor_cb, Event::Dispatcher& dispatcher, |
156 | | Api::Api& api) |
157 | | : SdsApi(sds_config, sds_config_name, subscription_factory, time_source, validation_visitor, |
158 | 0 | stats, std::move(destructor_cb), dispatcher, api) {} |
159 | | |
160 | | // SecretProvider |
161 | 0 | const envoy::extensions::transport_sockets::tls::v3::TlsCertificate* secret() const override { |
162 | 0 | return resolved_tls_certificate_secrets_.get(); |
163 | 0 | } |
164 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr addValidationCallback( |
165 | | std::function<absl::Status( |
166 | 0 | const envoy::extensions::transport_sockets::tls::v3::TlsCertificate&)>) override { |
167 | 0 | return nullptr; |
168 | 0 | } |
169 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr |
170 | 0 | addUpdateCallback(std::function<absl::Status()> callback) override { |
171 | 0 | if (secret()) { |
172 | 0 | THROW_IF_NOT_OK(callback()); |
173 | 0 | } |
174 | 0 | return update_callback_manager_.add(callback); |
175 | 0 | } |
176 | 0 | const Init::Target* initTarget() override { return &init_target_; } |
177 | | |
178 | | protected: |
179 | 0 | void setSecret(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override { |
180 | 0 | sds_tls_certificate_secrets_ = |
181 | 0 | std::make_unique<envoy::extensions::transport_sockets::tls::v3::TlsCertificate>( |
182 | 0 | secret.tls_certificate()); |
183 | 0 | resolved_tls_certificate_secrets_ = nullptr; |
184 | 0 | if (secret.tls_certificate().has_watched_directory()) { |
185 | 0 | watched_directory_ = std::make_unique<Config::WatchedDirectory>( |
186 | 0 | secret.tls_certificate().watched_directory(), dispatcher_); |
187 | 0 | } else { |
188 | 0 | watched_directory_.reset(); |
189 | 0 | } |
190 | 0 | } |
191 | 0 | void resolveSecret(const FileContentMap& files) override { |
192 | 0 | resolved_tls_certificate_secrets_ = |
193 | 0 | std::make_unique<envoy::extensions::transport_sockets::tls::v3::TlsCertificate>( |
194 | 0 | *sds_tls_certificate_secrets_); |
195 | | // We replace path based secrets with inlined secrets on update. |
196 | 0 | resolveDataSource(files, *resolved_tls_certificate_secrets_->mutable_certificate_chain()); |
197 | 0 | if (sds_tls_certificate_secrets_->has_private_key()) { |
198 | 0 | resolveDataSource(files, *resolved_tls_certificate_secrets_->mutable_private_key()); |
199 | 0 | } |
200 | 0 | } |
201 | 0 | void validateConfig(const envoy::extensions::transport_sockets::tls::v3::Secret&) override {} |
202 | | std::vector<std::string> getDataSourceFilenames() override; |
203 | 0 | Config::WatchedDirectory* getWatchedDirectory() override { return watched_directory_.get(); } |
204 | | |
205 | | private: |
206 | | // Path to watch for rotation. |
207 | | Config::WatchedDirectoryPtr watched_directory_; |
208 | | // TlsCertificate according to SDS source. |
209 | | TlsCertificatePtr sds_tls_certificate_secrets_; |
210 | | // TlsCertificate after reloading. Path based certificates are inlined for |
211 | | // future read consistency. |
212 | | TlsCertificatePtr resolved_tls_certificate_secrets_; |
213 | | }; |
214 | | |
215 | | /** |
216 | | * CertificateValidationContextSdsApi implementation maintains and updates dynamic certificate |
217 | | * validation context secrets. |
218 | | */ |
219 | | class CertificateValidationContextSdsApi : public SdsApi, |
220 | | public CertificateValidationContextConfigProvider { |
221 | | public: |
222 | | static CertificateValidationContextSdsApiSharedPtr |
223 | | create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context, |
224 | | const envoy::config::core::v3::ConfigSource& sds_config, |
225 | 0 | const std::string& sds_config_name, std::function<void()> destructor_cb) { |
226 | | // We need to do this early as we invoke the subscription factory during initialization, which |
227 | | // is too late to throw. |
228 | 0 | auto& server_context = secret_provider_context.serverFactoryContext(); |
229 | 0 | THROW_IF_NOT_OK(Config::Utility::checkLocalInfo("CertificateValidationContextSdsApi", |
230 | 0 | server_context.localInfo())); |
231 | 0 | return std::make_shared<CertificateValidationContextSdsApi>( |
232 | 0 | sds_config, sds_config_name, secret_provider_context.clusterManager().subscriptionFactory(), |
233 | 0 | server_context.mainThreadDispatcher().timeSource(), |
234 | 0 | secret_provider_context.messageValidationVisitor(), server_context.serverScope().store(), |
235 | 0 | destructor_cb, server_context.mainThreadDispatcher(), server_context.api()); |
236 | 0 | } Unexecuted instantiation: Envoy::Secret::CertificateValidationContextSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) Unexecuted instantiation: Envoy::Secret::CertificateValidationContextSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) |
237 | | CertificateValidationContextSdsApi(const envoy::config::core::v3::ConfigSource& sds_config, |
238 | | const std::string& sds_config_name, |
239 | | Config::SubscriptionFactory& subscription_factory, |
240 | | TimeSource& time_source, |
241 | | ProtobufMessage::ValidationVisitor& validation_visitor, |
242 | | Stats::Store& stats, std::function<void()> destructor_cb, |
243 | | Event::Dispatcher& dispatcher, Api::Api& api) |
244 | | : SdsApi(sds_config, sds_config_name, subscription_factory, time_source, validation_visitor, |
245 | 0 | stats, std::move(destructor_cb), dispatcher, api) {} |
246 | | |
247 | | // SecretProvider |
248 | | const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* |
249 | 0 | secret() const override { |
250 | 0 | return resolved_certificate_validation_context_secrets_.get(); |
251 | 0 | } |
252 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr |
253 | 0 | addUpdateCallback(std::function<absl::Status()> callback) override { |
254 | 0 | if (secret()) { |
255 | 0 | THROW_IF_NOT_OK(callback()); |
256 | 0 | } |
257 | 0 | return update_callback_manager_.add(callback); |
258 | 0 | } |
259 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr addValidationCallback( |
260 | | std::function<absl::Status( |
261 | | const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext&)> |
262 | 0 | callback) override { |
263 | 0 | return validation_callback_manager_.add(callback); |
264 | 0 | } |
265 | 0 | const Init::Target* initTarget() override { return &init_target_; } |
266 | | |
267 | | protected: |
268 | 0 | void setSecret(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override { |
269 | 0 | sds_certificate_validation_context_secrets_ = std::make_unique< |
270 | 0 | envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext>( |
271 | 0 | secret.validation_context()); |
272 | 0 | resolved_certificate_validation_context_secrets_ = nullptr; |
273 | 0 | if (secret.validation_context().has_watched_directory()) { |
274 | 0 | watched_directory_ = std::make_unique<Config::WatchedDirectory>( |
275 | 0 | secret.validation_context().watched_directory(), dispatcher_); |
276 | 0 | } else { |
277 | 0 | watched_directory_.reset(); |
278 | 0 | } |
279 | 0 | } |
280 | | |
281 | 0 | void resolveSecret(const FileContentMap& files) override { |
282 | | // Copy existing CertificateValidationContext. |
283 | 0 | resolved_certificate_validation_context_secrets_ = std::make_unique< |
284 | 0 | envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext>( |
285 | 0 | *sds_certificate_validation_context_secrets_); |
286 | | // We replace path based secrets with inlined secrets on update. |
287 | 0 | resolveDataSource(files, |
288 | 0 | *resolved_certificate_validation_context_secrets_->mutable_trusted_ca()); |
289 | 0 | if (sds_certificate_validation_context_secrets_->has_crl()) { |
290 | 0 | resolveDataSource(files, *resolved_certificate_validation_context_secrets_->mutable_crl()); |
291 | 0 | } |
292 | 0 | } |
293 | | |
294 | | void |
295 | 0 | validateConfig(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override { |
296 | 0 | THROW_IF_NOT_OK(validation_callback_manager_.runCallbacks(secret.validation_context())); |
297 | 0 | } |
298 | | std::vector<std::string> getDataSourceFilenames() override; |
299 | 0 | Config::WatchedDirectory* getWatchedDirectory() override { return watched_directory_.get(); } |
300 | | |
301 | | private: |
302 | | // Directory to watch for rotation. |
303 | | Config::WatchedDirectoryPtr watched_directory_; |
304 | | // CertificateValidationContext according to SDS source; |
305 | | CertificateValidationContextPtr sds_certificate_validation_context_secrets_; |
306 | | // CertificateValidationContext after resolving paths via watched_directory_. |
307 | | CertificateValidationContextPtr resolved_certificate_validation_context_secrets_; |
308 | | // Path based certificates are inlined for future read consistency. |
309 | | Common::CallbackManager< |
310 | | const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext&> |
311 | | validation_callback_manager_; |
312 | | }; |
313 | | |
314 | | /** |
315 | | * TlsSessionTicketKeysSdsApi implementation maintains and updates dynamic tls session ticket keys |
316 | | * secrets. |
317 | | */ |
318 | | class TlsSessionTicketKeysSdsApi : public SdsApi, public TlsSessionTicketKeysConfigProvider { |
319 | | public: |
320 | | static TlsSessionTicketKeysSdsApiSharedPtr |
321 | | create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context, |
322 | | const envoy::config::core::v3::ConfigSource& sds_config, |
323 | 0 | const std::string& sds_config_name, std::function<void()> destructor_cb) { |
324 | | // We need to do this early as we invoke the subscription factory during initialization, which |
325 | | // is too late to throw. |
326 | 0 | auto& server_context = secret_provider_context.serverFactoryContext(); |
327 | 0 | THROW_IF_NOT_OK( |
328 | 0 | Config::Utility::checkLocalInfo("TlsSessionTicketKeysSdsApi", server_context.localInfo())); |
329 | 0 | return std::make_shared<TlsSessionTicketKeysSdsApi>( |
330 | 0 | sds_config, sds_config_name, secret_provider_context.clusterManager().subscriptionFactory(), |
331 | 0 | server_context.mainThreadDispatcher().timeSource(), |
332 | 0 | secret_provider_context.messageValidationVisitor(), server_context.serverScope().store(), |
333 | 0 | destructor_cb, server_context.mainThreadDispatcher(), server_context.api()); |
334 | 0 | } Unexecuted instantiation: Envoy::Secret::TlsSessionTicketKeysSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) Unexecuted instantiation: Envoy::Secret::TlsSessionTicketKeysSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) |
335 | | |
336 | | TlsSessionTicketKeysSdsApi(const envoy::config::core::v3::ConfigSource& sds_config, |
337 | | const std::string& sds_config_name, |
338 | | Config::SubscriptionFactory& subscription_factory, |
339 | | TimeSource& time_source, |
340 | | ProtobufMessage::ValidationVisitor& validation_visitor, |
341 | | Stats::Store& stats, std::function<void()> destructor_cb, |
342 | | Event::Dispatcher& dispatcher, Api::Api& api) |
343 | | : SdsApi(sds_config, sds_config_name, subscription_factory, time_source, validation_visitor, |
344 | 0 | stats, std::move(destructor_cb), dispatcher, api) {} |
345 | | |
346 | | // SecretProvider |
347 | | const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys* |
348 | 0 | secret() const override { |
349 | 0 | return tls_session_ticket_keys_.get(); |
350 | 0 | } |
351 | | |
352 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr |
353 | 0 | addUpdateCallback(std::function<absl::Status()> callback) override { |
354 | 0 | if (secret()) { |
355 | 0 | THROW_IF_NOT_OK(callback()); |
356 | 0 | } |
357 | 0 | return update_callback_manager_.add(callback); |
358 | 0 | } |
359 | | |
360 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr addValidationCallback( |
361 | | std::function< |
362 | | absl::Status(const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys&)> |
363 | 0 | callback) override { |
364 | 0 | return validation_callback_manager_.add(callback); |
365 | 0 | } |
366 | 0 | const Init::Target* initTarget() override { return &init_target_; } |
367 | | |
368 | | protected: |
369 | 0 | void setSecret(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override { |
370 | 0 | tls_session_ticket_keys_ = |
371 | 0 | std::make_unique<envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys>( |
372 | 0 | secret.session_ticket_keys()); |
373 | 0 | } |
374 | | |
375 | | void |
376 | 0 | validateConfig(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override { |
377 | 0 | THROW_IF_NOT_OK(validation_callback_manager_.runCallbacks(secret.session_ticket_keys())); |
378 | 0 | } |
379 | | std::vector<std::string> getDataSourceFilenames() override; |
380 | 0 | Config::WatchedDirectory* getWatchedDirectory() override { return nullptr; } |
381 | | |
382 | | private: |
383 | | Secret::TlsSessionTicketKeysPtr tls_session_ticket_keys_; |
384 | | Common::CallbackManager< |
385 | | const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys&> |
386 | | validation_callback_manager_; |
387 | | }; |
388 | | |
389 | | /** |
390 | | * GenericSecretSdsApi implementation maintains and updates dynamic generic secret. |
391 | | */ |
392 | | class GenericSecretSdsApi : public SdsApi, public GenericSecretConfigProvider { |
393 | | public: |
394 | | static GenericSecretSdsApiSharedPtr |
395 | | create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context, |
396 | | const envoy::config::core::v3::ConfigSource& sds_config, |
397 | 0 | const std::string& sds_config_name, std::function<void()> destructor_cb) { |
398 | | // We need to do this early as we invoke the subscription factory during initialization, which |
399 | | // is too late to throw. |
400 | 0 | auto& server_context = secret_provider_context.serverFactoryContext(); |
401 | 0 | THROW_IF_NOT_OK( |
402 | 0 | Config::Utility::checkLocalInfo("GenericSecretSdsApi", server_context.localInfo())); |
403 | 0 | return std::make_shared<GenericSecretSdsApi>( |
404 | 0 | sds_config, sds_config_name, secret_provider_context.clusterManager().subscriptionFactory(), |
405 | 0 | server_context.mainThreadDispatcher().timeSource(), |
406 | 0 | secret_provider_context.messageValidationVisitor(), server_context.serverScope().store(), |
407 | 0 | destructor_cb, server_context.mainThreadDispatcher(), server_context.api()); |
408 | 0 | } Unexecuted instantiation: Envoy::Secret::GenericSecretSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) Unexecuted instantiation: Envoy::Secret::GenericSecretSdsApi::create(Envoy::Server::Configuration::TransportSocketFactoryContext&, envoy::config::core::v3::ConfigSource const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::function<void ()>) |
409 | | |
410 | | GenericSecretSdsApi(const envoy::config::core::v3::ConfigSource& sds_config, |
411 | | const std::string& sds_config_name, |
412 | | Config::SubscriptionFactory& subscription_factory, TimeSource& time_source, |
413 | | ProtobufMessage::ValidationVisitor& validation_visitor, Stats::Store& stats, |
414 | | std::function<void()> destructor_cb, Event::Dispatcher& dispatcher, |
415 | | Api::Api& api) |
416 | | : SdsApi(sds_config, sds_config_name, subscription_factory, time_source, validation_visitor, |
417 | 0 | stats, std::move(destructor_cb), dispatcher, api) {} |
418 | | |
419 | | // SecretProvider |
420 | 0 | const envoy::extensions::transport_sockets::tls::v3::GenericSecret* secret() const override { |
421 | 0 | return generic_secret_.get(); |
422 | 0 | } |
423 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr |
424 | 0 | addUpdateCallback(std::function<absl::Status()> callback) override { |
425 | 0 | return update_callback_manager_.add(callback); |
426 | 0 | } |
427 | | ABSL_MUST_USE_RESULT Common::CallbackHandlePtr |
428 | | addValidationCallback(std::function<absl::Status( |
429 | | const envoy::extensions::transport_sockets::tls::v3::GenericSecret&)> |
430 | 0 | callback) override { |
431 | 0 | return validation_callback_manager_.add(callback); |
432 | 0 | } |
433 | 0 | const Init::Target* initTarget() override { return &init_target_; } |
434 | | |
435 | | protected: |
436 | 0 | void setSecret(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override { |
437 | 0 | generic_secret_ = |
438 | 0 | std::make_unique<envoy::extensions::transport_sockets::tls::v3::GenericSecret>( |
439 | 0 | secret.generic_secret()); |
440 | 0 | } |
441 | | void |
442 | 0 | validateConfig(const envoy::extensions::transport_sockets::tls::v3::Secret& secret) override { |
443 | 0 | THROW_IF_NOT_OK(validation_callback_manager_.runCallbacks(secret.generic_secret())); |
444 | 0 | } |
445 | | std::vector<std::string> getDataSourceFilenames() override; |
446 | 0 | Config::WatchedDirectory* getWatchedDirectory() override { return nullptr; } |
447 | | |
448 | | private: |
449 | | GenericSecretPtr generic_secret_; |
450 | | Common::CallbackManager<const envoy::extensions::transport_sockets::tls::v3::GenericSecret&> |
451 | | validation_callback_manager_; |
452 | | }; |
453 | | |
454 | | } // namespace Secret |
455 | | } // namespace Envoy |