Refactoring UpstreamTlsContext (#26876)

4 years ago · 35b90ac0e2
parent 47294e01f5
commit 35b90ac0e2
1 changed files with 58 additions and 51 deletions
--- a/src/core/ext/xds/xds_api.cc
+++ b/src/core/ext/xds/xds_api.cc
@ -2895,6 +2895,54 @@ grpc_error_handle RdsResponseParse(
  return GRPC_ERROR_CREATE_FROM_VECTOR("errors parsing RDS response", &errors);
 }

+grpc_error_handle UpstreamTlsContextParse(
+    const EncodingContext& context,
+    const envoy_config_core_v3_TransportSocket* transport_socket,
+    XdsApi::CommonTlsContext* common_tls_context) {
+  // Record Upstream tls context
+  absl::string_view name = UpbStringToAbsl(
+      envoy_config_core_v3_TransportSocket_name(transport_socket));
+  if (name != "envoy.transport_sockets.tls") {
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Unrecognized transport socket: ", name).c_str());
+  }
+  auto* typed_config =
+      envoy_config_core_v3_TransportSocket_typed_config(transport_socket);
+  if (typed_config != nullptr) {
+    const upb_strview encoded_upstream_tls_context =
+        google_protobuf_Any_value(typed_config);
+    auto* upstream_tls_context =
+        envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_parse(
+            encoded_upstream_tls_context.data,
+            encoded_upstream_tls_context.size, context.arena);
+    if (upstream_tls_context == nullptr) {
+      return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "Can't decode upstream tls context.");
+    }
+    auto* common_tls_context_proto =
+        envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_common_tls_context(
+            upstream_tls_context);
+    if (common_tls_context_proto != nullptr) {
+      grpc_error_handle error = CommonTlsContextParse(
+          context, common_tls_context_proto, common_tls_context);
+      if (error != GRPC_ERROR_NONE) {
+        return grpc_error_add_child(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+                                        "Error parsing UpstreamTlsContext"),
+                                    error);
+      }
+    }
+  }
+  if (common_tls_context->combined_validation_context
+          .validation_context_certificate_provider_instance.instance_name
+          .empty()) {
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        "UpstreamTlsContext: TLS configuration provided but no "
+        "validation_context_certificate_provider_instance "
+        "found.");
+  }
+  return GRPC_ERROR_NONE;
+}
+
 grpc_error_handle CdsResponseParse(
    const EncodingContext& context,
    const envoy_service_discovery_v3_DiscoveryResponse* response,
@ -3211,60 +3259,19 @@ grpc_error_handle CdsResponseParse(
      continue;
    }
    if (XdsSecurityEnabled()) {
-      // Record Upstream tls context
      auto* transport_socket =
          envoy_config_cluster_v3_Cluster_transport_socket(cluster);
      if (transport_socket != nullptr) {
-        absl::string_view name = UpbStringToAbsl(
-            envoy_config_core_v3_TransportSocket_name(transport_socket));
-        if (name != "envoy.transport_sockets.tls") {
-          errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-              absl::StrCat("Unrecognized transport socket: ", name).c_str()));
-          continue;
-        }
-        auto* typed_config =
-            envoy_config_core_v3_TransportSocket_typed_config(transport_socket);
-        if (typed_config != nullptr) {
-          const upb_strview encoded_upstream_tls_context =
-              google_protobuf_Any_value(typed_config);
-          auto* upstream_tls_context =
-              envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_parse(
-                  encoded_upstream_tls_context.data,
-                  encoded_upstream_tls_context.size, context.arena);
-          if (upstream_tls_context == nullptr) {
-            errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-                absl::StrCat(cluster_name,
-                             ": Can't decode upstream tls context.")
-                    .c_str()));
-            resource_names_failed->insert(cluster_name);
-            continue;
-          }
-          auto* common_tls_context =
-              envoy_extensions_transport_sockets_tls_v3_UpstreamTlsContext_common_tls_context(
-                  upstream_tls_context);
-          if (common_tls_context != nullptr) {
-            grpc_error_handle error = CommonTlsContextParse(
-                context, common_tls_context, &cds_update.common_tls_context);
-            if (error != GRPC_ERROR_NONE) {
-              errors.push_back(grpc_error_add_child(
-                  GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-                      absl::StrCat(cluster_name, ": error in TLS context")
-                          .c_str()),
-                  error));
-              resource_names_failed->insert(cluster_name);
-              continue;
-            }
-          }
-        }
-        if (cds_update.common_tls_context.combined_validation_context
-                .validation_context_certificate_provider_instance.instance_name
-                .empty()) {
-          errors.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
-              absl::StrCat(cluster_name,
-                           "TLS configuration provided but no "
-                           "validation_context_certificate_provider_instance "
-                           "found.")
-                  .c_str()));
+        grpc_error_handle error = UpstreamTlsContextParse(
+            context, transport_socket, &cds_update.common_tls_context);
+        if (error != GRPC_ERROR_NONE) {
+          errors.push_back(grpc_error_add_child(
+              GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+                  absl::StrCat(
+                      "Error parsing security configuration for cluster: ",
+                      cluster_name)
+                      .c_str()),
+              error));
          resource_names_failed->insert(cluster_name);
          continue;
        }