/proc/self/cwd/test/integration/ssl_utility.cc

Source (jump to first uncovered line)
#include "test/integration/ssl_utility.h"

#include "envoy/extensions/transport_sockets/quic/v3/quic_transport.pb.h"

#include "source/common/http/utility.h"
#include "source/common/json/json_loader.h"
#include "source/common/network/utility.h"
#include "source/common/tls/client_ssl_socket.h"
#include "source/common/tls/context_manager_impl.h"
#include "source/common/tls/server_context_config_impl.h"
#include "source/common/tls/server_ssl_socket.h"

#include "test/config/utility.h"
#include "test/integration/server.h"
#include "test/mocks/server/transport_socket_factory_context.h"
#include "test/test_common/environment.h"
#include "test/test_common/network_utility.h"

#include "gtest/gtest.h"

using testing::ReturnRef;

namespace Envoy {
namespace Ssl {

void initializeUpstreamTlsContextConfig(
    const ClientSslTransportOptions& options,
    envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& tls_context,
    bool connect_to_upstream) {
  const std::string rundir = TestEnvironment::runfilesDirectory();
  if (connect_to_upstream) {
    tls_context.mutable_common_tls_context()
        ->mutable_validation_context()
        ->mutable_trusted_ca()
        ->set_filename(rundir + "/test/config/integration/certs/upstreamcacert.pem");
    tls_context.set_sni("foo.lyft.com");
    return;
  }

  tls_context.mutable_common_tls_context()
      ->mutable_validation_context()
      ->mutable_trusted_ca()
      ->set_filename(rundir + "/test/config/integration/certs/cacert.pem");
  auto* certs = tls_context.mutable_common_tls_context()->add_tls_certificates();
  std::string chain;
  std::string key;
  if (options.client_ecdsa_cert_) {
    chain = rundir + "/test/config/integration/certs/client_ecdsacert.pem";
    key = rundir + "/test/config/integration/certs/client_ecdsakey.pem";
  } else if (options.use_expired_spiffe_cert_) {
    chain = rundir + "/test/common/tls/test_data/expired_spiffe_san_cert.pem";
    key = rundir + "/test/common/tls/test_data/expired_spiffe_san_key.pem";
  } else if (options.client_with_intermediate_cert_) {
    chain = rundir + "/test/config/integration/certs/client2_chain.pem";
    key = rundir + "/test/config/integration/certs/client2key.pem";
  } else {
    chain = rundir + "/test/config/integration/certs/clientcert.pem";
    key = rundir + "/test/config/integration/certs/clientkey.pem";
  }
  certs->mutable_certificate_chain()->set_filename(chain);
  certs->mutable_private_key()->set_filename(key);

  auto* common_context = tls_context.mutable_common_tls_context();

  if (options.alpn_) {
    common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http2);
    common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http11);
    common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http3);
  }
  if (!options.san_.empty()) {
    envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher* matcher =
        common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
    matcher->mutable_matcher()->set_exact(options.san_);
    matcher->set_san_type(
        envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::DNS);
    matcher = common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
    matcher->mutable_matcher()->set_exact(options.san_);
    matcher->set_san_type(
        envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::URI);
    matcher = common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
    matcher->mutable_matcher()->set_exact(options.san_);
    matcher->set_san_type(
        envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::EMAIL);
    matcher = common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
    matcher->mutable_matcher()->set_exact(options.san_);
    matcher->set_san_type(
        envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::IP_ADDRESS);
  }
  for (const std::string& cipher_suite : options.cipher_suites_) {
    common_context->mutable_tls_params()->add_cipher_suites(cipher_suite);
  }
  for (const std::string& algorithm : options.sigalgs_) {
    common_context->mutable_tls_params()->add_signature_algorithms(algorithm);
  }
  if (!options.sni_.empty()) {
    tls_context.set_sni(options.sni_);
  }
  if (options.custom_validator_config_) {
    *common_context->mutable_validation_context()->mutable_custom_validator_config() =
        *options.custom_validator_config_;
  }

  common_context->mutable_tls_params()->set_tls_minimum_protocol_version(options.tls_version_);
  common_context->mutable_tls_params()->set_tls_maximum_protocol_version(options.tls_version_);
}

Network::UpstreamTransportSocketFactoryPtr
createClientSslTransportSocketFactory(const ClientSslTransportOptions& options,
                                      ContextManager& context_manager, Api::Api& api) {
  envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
  initializeUpstreamTlsContextConfig(options, tls_context);

  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
  ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api));
  auto cfg = *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(tls_context,
                                                                                 mock_factory_ctx);
  static auto* client_stats_store = new Stats::TestIsolatedStoreImpl();
  return Network::UpstreamTransportSocketFactoryPtr{
      THROW_OR_RETURN_VALUE(Extensions::TransportSockets::Tls::ClientSslSocketFactory::create(
                                std::move(cfg), context_manager, *client_stats_store->rootScope()),
                            Network::UpstreamTransportSocketFactoryPtr)};
}

Network::DownstreamTransportSocketFactoryPtr
createUpstreamSslContext(ContextManager& context_manager, Api::Api& api, bool use_http3) {
  envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
  ConfigHelper::initializeTls({}, *tls_context.mutable_common_tls_context(), use_http3);

  NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
  ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api));
  auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(
      tls_context, mock_factory_ctx, false);

  static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl();
  if (!use_http3) {
    return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create(
        std::move(cfg), context_manager, *upstream_stats_store->rootScope(),
        std::vector<std::string>{});
  }
  envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport quic_config;
  quic_config.mutable_downstream_tls_context()->MergeFrom(tls_context);
  ON_CALL(mock_factory_ctx, statsScope())
      .WillByDefault(ReturnRef(*upstream_stats_store->rootScope()));
  ON_CALL(mock_factory_ctx, sslContextManager()).WillByDefault(ReturnRef(context_manager));

  std::vector<std::string> server_names;
  auto& config_factory = Config::Utility::getAndCheckFactoryByName<
      Server::Configuration::DownstreamTransportSocketConfigFactory>(
      "envoy.transport_sockets.quic");
  return *config_factory.createTransportSocketFactory(quic_config, mock_factory_ctx, server_names);
}

Network::DownstreamTransportSocketFactoryPtr createFakeUpstreamSslContext(
    const std::string& upstream_cert_name, ContextManager& context_manager,
    Server::Configuration::TransportSocketFactoryContext& factory_context) {
  envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
  auto* common_tls_context = tls_context.mutable_common_tls_context();
  auto* tls_cert = common_tls_context->add_tls_certificates();
  tls_cert->mutable_certificate_chain()->set_filename(TestEnvironment::runfilesPath(
      fmt::format("test/config/integration/certs/{}cert.pem", upstream_cert_name)));
  tls_cert->mutable_private_key()->set_filename(TestEnvironment::runfilesPath(
      fmt::format("test/config/integration/certs/{}key.pem", upstream_cert_name)));

  auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(
      tls_context, factory_context, false);

  static auto* upstream_stats_store = new Stats::IsolatedStoreImpl();
  return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create(
      std::move(cfg), context_manager, *upstream_stats_store->rootScope(),
      std::vector<std::string>{});
}
Network::Address::InstanceConstSharedPtr getSslAddress(const Network::Address::IpVersion& version,
                                                       int port) {
  std::string url =
      "tcp://" + Network::Test::getLoopbackAddressUrlString(version) + ":" + std::to_string(port);
  return *Network::Utility::resolveUrl(url);
}

} // namespace Ssl
} // namespace Envoy

Line	Count	Source (jump to first uncovered line)
1		#include "test/integration/ssl_utility.h"
2
3		#include "envoy/extensions/transport_sockets/quic/v3/quic_transport.pb.h"
4
5		#include "source/common/http/utility.h"
6		#include "source/common/json/json_loader.h"
7		#include "source/common/network/utility.h"
8		#include "source/common/tls/client_ssl_socket.h"
9		#include "source/common/tls/context_manager_impl.h"
10		#include "source/common/tls/server_context_config_impl.h"
11		#include "source/common/tls/server_ssl_socket.h"
12
13		#include "test/config/utility.h"
14		#include "test/integration/server.h"
15		#include "test/mocks/server/transport_socket_factory_context.h"
16		#include "test/test_common/environment.h"
17		#include "test/test_common/network_utility.h"
18
19		#include "gtest/gtest.h"
20
21		using testing::ReturnRef;
22
23		namespace Envoy {
24		namespace Ssl {
25
26		void initializeUpstreamTlsContextConfig(
27		const ClientSslTransportOptions& options,
28		envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& tls_context,
29	0	bool connect_to_upstream) {
30	0	const std::string rundir = TestEnvironment::runfilesDirectory();
31	0	if (connect_to_upstream) {
32	0	tls_context.mutable_common_tls_context()
33	0	->mutable_validation_context()
34	0	->mutable_trusted_ca()
35	0	->set_filename(rundir + "/test/config/integration/certs/upstreamcacert.pem");
36	0	tls_context.set_sni("foo.lyft.com");
37	0	return;
38	0	}
39
40	0	tls_context.mutable_common_tls_context()
41	0	->mutable_validation_context()
42	0	->mutable_trusted_ca()
43	0	->set_filename(rundir + "/test/config/integration/certs/cacert.pem");
44	0	auto* certs = tls_context.mutable_common_tls_context()->add_tls_certificates();
45	0	std::string chain;
46	0	std::string key;
47	0	if (options.client_ecdsa_cert_) {
48	0	chain = rundir + "/test/config/integration/certs/client_ecdsacert.pem";
49	0	key = rundir + "/test/config/integration/certs/client_ecdsakey.pem";
50	0	} else if (options.use_expired_spiffe_cert_) {
51	0	chain = rundir + "/test/common/tls/test_data/expired_spiffe_san_cert.pem";
52	0	key = rundir + "/test/common/tls/test_data/expired_spiffe_san_key.pem";
53	0	} else if (options.client_with_intermediate_cert_) {
54	0	chain = rundir + "/test/config/integration/certs/client2_chain.pem";
55	0	key = rundir + "/test/config/integration/certs/client2key.pem";
56	0	} else {
57	0	chain = rundir + "/test/config/integration/certs/clientcert.pem";
58	0	key = rundir + "/test/config/integration/certs/clientkey.pem";
59	0	}
60	0	certs->mutable_certificate_chain()->set_filename(chain);
61	0	certs->mutable_private_key()->set_filename(key);
62
63	0	auto* common_context = tls_context.mutable_common_tls_context();
64
65	0	if (options.alpn_) {
66	0	common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http2);
67	0	common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http11);
68	0	common_context->add_alpn_protocols(Http::Utility::AlpnNames::get().Http3);
69	0	}
70	0	if (!options.san_.empty()) {
71	0	envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher* matcher =
72	0	common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
73	0	matcher->mutable_matcher()->set_exact(options.san_);
74	0	matcher->set_san_type(
75	0	envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::DNS);
76	0	matcher = common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
77	0	matcher->mutable_matcher()->set_exact(options.san_);
78	0	matcher->set_san_type(
79	0	envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::URI);
80	0	matcher = common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
81	0	matcher->mutable_matcher()->set_exact(options.san_);
82	0	matcher->set_san_type(
83	0	envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::EMAIL);
84	0	matcher = common_context->mutable_validation_context()->add_match_typed_subject_alt_names();
85	0	matcher->mutable_matcher()->set_exact(options.san_);
86	0	matcher->set_san_type(
87	0	envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::IP_ADDRESS);
88	0	}
89	0	for (const std::string& cipher_suite : options.cipher_suites_) {
90	0	common_context->mutable_tls_params()->add_cipher_suites(cipher_suite);
91	0	}
92	0	for (const std::string& algorithm : options.sigalgs_) {
93	0	common_context->mutable_tls_params()->add_signature_algorithms(algorithm);
94	0	}
95	0	if (!options.sni_.empty()) {
96	0	tls_context.set_sni(options.sni_);
97	0	}
98	0	if (options.custom_validator_config_) {
99	0	*common_context->mutable_validation_context()->mutable_custom_validator_config() =
100	0	*options.custom_validator_config_;
101	0	}
102
103	0	common_context->mutable_tls_params()->set_tls_minimum_protocol_version(options.tls_version_);
104	0	common_context->mutable_tls_params()->set_tls_maximum_protocol_version(options.tls_version_);
105	0	}
106
107		Network::UpstreamTransportSocketFactoryPtr
108		createClientSslTransportSocketFactory(const ClientSslTransportOptions& options,
109	0	ContextManager& context_manager, Api::Api& api) {
110	0	envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
111	0	initializeUpstreamTlsContextConfig(options, tls_context);
112
113	0	NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
114	0	ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api));
115	0	auto cfg = *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(tls_context,
116	0	mock_factory_ctx);
117	0	static auto* client_stats_store = new Stats::TestIsolatedStoreImpl();
118	0	return Network::UpstreamTransportSocketFactoryPtr{
119	0	THROW_OR_RETURN_VALUE(Extensions::TransportSockets::Tls::ClientSslSocketFactory::create(
120	0	std::move(cfg), context_manager, *client_stats_store->rootScope()),
121	0	Network::UpstreamTransportSocketFactoryPtr)};
122	0	}
123
124		Network::DownstreamTransportSocketFactoryPtr
125	0	createUpstreamSslContext(ContextManager& context_manager, Api::Api& api, bool use_http3) {
126	0	envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
127	0	ConfigHelper::initializeTls({}, *tls_context.mutable_common_tls_context(), use_http3);
128
129	0	NiceMock<Server::Configuration::MockTransportSocketFactoryContext> mock_factory_ctx;
130	0	ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api));
131	0	auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(
132	0	tls_context, mock_factory_ctx, false);
133
134	0	static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl();
135	0	if (!use_http3) {
136	0	return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create(
137	0	std::move(cfg), context_manager, *upstream_stats_store->rootScope(),
138	0	std::vector<std::string>{});
139	0	}
140	0	envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport quic_config;
141	0	quic_config.mutable_downstream_tls_context()->MergeFrom(tls_context);
142	0	ON_CALL(mock_factory_ctx, statsScope())
143	0	.WillByDefault(ReturnRef(*upstream_stats_store->rootScope()));
144	0	ON_CALL(mock_factory_ctx, sslContextManager()).WillByDefault(ReturnRef(context_manager));
145
146	0	std::vector<std::string> server_names;
147	0	auto& config_factory = Config::Utility::getAndCheckFactoryByName<
148	0	Server::Configuration::DownstreamTransportSocketConfigFactory>(
149	0	"envoy.transport_sockets.quic");
150	0	return *config_factory.createTransportSocketFactory(quic_config, mock_factory_ctx, server_names);
151	0	}
152
153		Network::DownstreamTransportSocketFactoryPtr createFakeUpstreamSslContext(
154		const std::string& upstream_cert_name, ContextManager& context_manager,
155	0	Server::Configuration::TransportSocketFactoryContext& factory_context) {
156	0	envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
157	0	auto* common_tls_context = tls_context.mutable_common_tls_context();
158	0	auto* tls_cert = common_tls_context->add_tls_certificates();
159	0	tls_cert->mutable_certificate_chain()->set_filename(TestEnvironment::runfilesPath(
160	0	fmt::format("test/config/integration/certs/{}cert.pem", upstream_cert_name)));
161	0	tls_cert->mutable_private_key()->set_filename(TestEnvironment::runfilesPath(
162	0	fmt::format("test/config/integration/certs/{}key.pem", upstream_cert_name)));
163
164	0	auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(
165	0	tls_context, factory_context, false);
166
167	0	static auto* upstream_stats_store = new Stats::IsolatedStoreImpl();
168	0	return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create(
169	0	std::move(cfg), context_manager, *upstream_stats_store->rootScope(),
170	0	std::vector<std::string>{});
171	0	}
172		Network::Address::InstanceConstSharedPtr getSslAddress(const Network::Address::IpVersion& version,
173	0	int port) {
174	0	std::string url =
175	0	"tcp://" + Network::Test::getLoopbackAddressUrlString(version) + ":" + std::to_string(port);
176	0	return *Network::Utility::resolveUrl(url);
177	0	}
178
179		} // namespace Ssl
180		} // namespace Envoy

Coverage Report

Created: 2024-09-19 09:45