xDS RBAC: remove env var protection (#31348)

* xDS RBAC: remove env var protection

* fix federation server test

* fix sanity
pull/31160/head^2
Mark D. Roth 3 years ago committed by GitHub
parent 2f2662c462
commit 93433d2faf
  1. 1
      build_autogenerated.yaml
  2. 79
      src/core/ext/xds/xds_listener.cc
  3. 9
      src/core/ext/xds/xds_route_config.cc
  4. 2
      src/core/ext/xds/xds_route_config.h
  5. 93
      src/core/ext/xds/xds_server_config_fetcher.cc
  6. 1
      test/cpp/end2end/xds/BUILD
  7. 12
      test/cpp/end2end/xds/xds_core_end2end_test.cc
  8. 89
      test/cpp/end2end/xds/xds_end2end_test.cc

@ -11298,7 +11298,6 @@ targets:
run: false run: false
language: c++ language: c++
headers: headers:
- test/core/util/scoped_env_var.h
- test/cpp/end2end/counted_service.h - test/cpp/end2end/counted_service.h
- test/cpp/end2end/test_service_impl.h - test/cpp/end2end/test_service_impl.h
- test/cpp/end2end/xds/no_op_http_filter.h - test/cpp/end2end/xds/no_op_http_filter.h

@ -439,49 +439,44 @@ HttpConnectionManagerParse(
XdsListenerResource::HttpConnectionManager::HttpFilter{ XdsListenerResource::HttpConnectionManager::HttpFilter{
"router", {kXdsHttpRouterFilterConfigName, Json()}}); "router", {kXdsHttpRouterFilterConfigName, Json()}});
} }
// Guarding parsing of RouteConfig on the server side with the environmental // Found inlined route_config. Parse it to find the cluster_name.
// variable since that's the first feature on the server side that will be if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_route_config(
// using this. http_connection_manager_proto)) {
if (is_client || XdsRbacEnabled()) { const envoy_config_route_v3_RouteConfiguration* route_config =
// Found inlined route_config. Parse it to find the cluster_name. envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_route_config(
if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_route_config( http_connection_manager_proto);
http_connection_manager_proto)) { auto rds_update = XdsRouteConfigResource::Parse(context, route_config);
const envoy_config_route_v3_RouteConfiguration* route_config = if (!rds_update.ok()) {
envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_route_config( errors.emplace_back(rds_update.status().message());
http_connection_manager_proto);
auto rds_update = XdsRouteConfigResource::Parse(context, route_config);
if (!rds_update.ok()) {
errors.emplace_back(rds_update.status().message());
} else {
http_connection_manager.rds_update = std::move(*rds_update);
}
} else { } else {
// Validate that RDS must be used to get the route_config dynamically. http_connection_manager.rds_update = std::move(*rds_update);
const envoy_extensions_filters_network_http_connection_manager_v3_Rds* rds = }
envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_rds( } else {
http_connection_manager_proto); // Validate that RDS must be used to get the route_config dynamically.
if (rds == nullptr) { const envoy_extensions_filters_network_http_connection_manager_v3_Rds* rds =
return GRPC_ERROR_CREATE( envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_rds(
"HttpConnectionManager neither has inlined route_config nor RDS."); http_connection_manager_proto);
} if (rds == nullptr) {
// Check that the ConfigSource specifies ADS. return GRPC_ERROR_CREATE(
const envoy_config_core_v3_ConfigSource* config_source = "HttpConnectionManager neither has inlined route_config nor RDS.");
envoy_extensions_filters_network_http_connection_manager_v3_Rds_config_source( }
rds); // Check that the ConfigSource specifies ADS.
if (config_source == nullptr) { const envoy_config_core_v3_ConfigSource* config_source =
errors.emplace_back( envoy_extensions_filters_network_http_connection_manager_v3_Rds_config_source(
"HttpConnectionManager missing config_source for RDS."); rds);
} else if (!envoy_config_core_v3_ConfigSource_has_ads(config_source) && if (config_source == nullptr) {
!envoy_config_core_v3_ConfigSource_has_self(config_source)) { errors.emplace_back(
errors.emplace_back( "HttpConnectionManager missing config_source for RDS.");
"HttpConnectionManager ConfigSource for RDS does not specify ADS " } else if (!envoy_config_core_v3_ConfigSource_has_ads(config_source) &&
"or SELF."); !envoy_config_core_v3_ConfigSource_has_self(config_source)) {
} else { errors.emplace_back(
// Get the route_config_name. "HttpConnectionManager ConfigSource for RDS does not specify ADS "
http_connection_manager.route_config_name = UpbStringToStdString( "or SELF.");
envoy_extensions_filters_network_http_connection_manager_v3_Rds_route_config_name( } else {
rds)); // Get the route_config_name.
} http_connection_manager.route_config_name = UpbStringToStdString(
envoy_extensions_filters_network_http_connection_manager_v3_Rds_route_config_name(
rds));
} }
} }
// Return result. // Return result.
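Review bot: In the `rds == nullptr` branch the new code still does `return GRPC_ERROR_CREATE("HttpConnectionManager neither has inlined route_config nor RDS.");`, while every other validation failure in this block is appended to `errors`; now that the `is_client || XdsRbacEnabled()` guard is gone this path runs for every server-side listener, and the early return discards whatever `errors` already holds (e.g. from the HTTP filter list above), assuming `errors` is folded into the returned status after `// Return result.`, which lies outside the hunk. I would make it `errors.emplace_back("HttpConnectionManager neither has inlined route_config nor RDS.");` and wrap the remaining RDS config_source checks in an `else` block so the NACK reports all problems at once. The comment `// Found inlined route_config. Parse it to find the cluster_name.` is also client-centric now that servers take the same branch; `// Found inlined route_config. Parse it (clients use it for cluster_name; servers presumably for per-route filter config).` would be clearer, with the server half confirmed against the RBAC filter. HttpConnectionManagerParse starts and ends outside the hunk.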

@ -74,15 +74,6 @@
namespace grpc_core { namespace grpc_core {
// TODO(yashykt): Remove once RBAC is no longer experimental
bool XdsRbacEnabled() {
auto value = GetEnv("GRPC_XDS_EXPERIMENTAL_RBAC");
if (!value.has_value()) return false;
bool parsed_value;
bool parse_succeeded = gpr_parse_bool_value(value->c_str(), &parsed_value);
return parse_succeeded && parsed_value;
}
// TODO(donnadionne): Remove once RLS is no longer experimental // TODO(donnadionne): Remove once RLS is no longer experimental
bool XdsRlsEnabled() { bool XdsRlsEnabled() {
auto value = GetEnv("GRPC_EXPERIMENTAL_XDS_RLS_LB"); auto value = GetEnv("GRPC_EXPERIMENTAL_XDS_RLS_LB");

@ -46,8 +46,6 @@
namespace grpc_core { namespace grpc_core {
bool XdsRbacEnabled();
struct XdsRouteConfigResource : public XdsResourceType::ResourceData { struct XdsRouteConfigResource : public XdsResourceType::ResourceData {
using TypedPerFilterConfig = using TypedPerFilterConfig =
std::map<std::string, XdsHttpFilterImpl::FilterConfig>; std::map<std::string, XdsHttpFilterImpl::FilterConfig>;

@ -568,12 +568,7 @@ void XdsServerConfigFetcher::ListenerWatcher::OnResourceChanged(
filter_chain_match_manager_->default_filter_chain())) { filter_chain_match_manager_->default_filter_chain())) {
pending_filter_chain_match_manager_ = pending_filter_chain_match_manager_ =
std::move(new_filter_chain_match_manager); std::move(new_filter_chain_match_manager);
if (XdsRbacEnabled()) { pending_filter_chain_match_manager_->StartRdsWatch(Ref());
pending_filter_chain_match_manager_->StartRdsWatch(Ref());
} else {
PendingFilterChainMatchManagerReadyLocked(
pending_filter_chain_match_manager_.get());
}
} }
} }
@ -1060,52 +1055,50 @@ absl::StatusOr<ChannelArgs> XdsServerConfigFetcher::ListenerWatcher::
RefCountedPtr<ServerConfigSelectorProvider> server_config_selector_provider; RefCountedPtr<ServerConfigSelectorProvider> server_config_selector_provider;
RefCountedPtr<XdsChannelStackModifier> channel_stack_modifier; RefCountedPtr<XdsChannelStackModifier> channel_stack_modifier;
RefCountedPtr<XdsCertificateProvider> xds_certificate_provider; RefCountedPtr<XdsCertificateProvider> xds_certificate_provider;
// Add config selector filter // Add config selector filter.
if (XdsRbacEnabled()) { std::vector<const grpc_channel_filter*> filters;
std::vector<const grpc_channel_filter*> filters; // Iterate the list of HTTP filters in reverse since in Core, received data
// Iterate the list of HTTP filters in reverse since in Core, received data // flows *up* the stack.
// flows *up* the stack. for (const auto& http_filter :
for (const auto& http_filter : filter_chain->http_connection_manager.http_filters) {
filter_chain->http_connection_manager.http_filters) { // Find filter. This is guaranteed to succeed, because it's checked
// Find filter. This is guaranteed to succeed, because it's checked // at config validation time in the XdsApi code.
// at config validation time in the XdsApi code. const XdsHttpFilterImpl* filter_impl =
const XdsHttpFilterImpl* filter_impl = XdsHttpFilterRegistry::GetFilterForType(
XdsHttpFilterRegistry::GetFilterForType( http_filter.config.config_proto_type_name);
http_filter.config.config_proto_type_name); GPR_ASSERT(filter_impl != nullptr);
GPR_ASSERT(filter_impl != nullptr); // Some filters like the router filter are no-op filters and do not have
// Some filters like the router filter are no-op filters and do not have // an implementation.
// an implementation. if (filter_impl->channel_filter() != nullptr) {
if (filter_impl->channel_filter() != nullptr) { filters.push_back(filter_impl->channel_filter());
filters.push_back(filter_impl->channel_filter());
}
}
filters.push_back(&kServerConfigSelectorFilter);
channel_stack_modifier =
MakeRefCounted<XdsChannelStackModifier>(std::move(filters));
if (filter_chain->http_connection_manager.rds_update.has_value()) {
server_config_selector_provider =
MakeRefCounted<StaticXdsServerConfigSelectorProvider>(
filter_chain->http_connection_manager.rds_update.value(),
filter_chain->http_connection_manager.http_filters);
} else {
absl::StatusOr<XdsRouteConfigResource> initial_resource;
{
MutexLock lock(&mu_);
initial_resource =
rds_map_[filter_chain->http_connection_manager.route_config_name]
.rds_update.value();
}
server_config_selector_provider =
MakeRefCounted<DynamicXdsServerConfigSelectorProvider>(
xds_client_->Ref(DEBUG_LOCATION,
"DynamicXdsServerConfigSelectorProvider"),
filter_chain->http_connection_manager.route_config_name,
std::move(initial_resource),
filter_chain->http_connection_manager.http_filters);
} }
args = args.SetObject(server_config_selector_provider)
.SetObject(channel_stack_modifier);
} }
filters.push_back(&kServerConfigSelectorFilter);
channel_stack_modifier =
MakeRefCounted<XdsChannelStackModifier>(std::move(filters));
if (filter_chain->http_connection_manager.rds_update.has_value()) {
server_config_selector_provider =
MakeRefCounted<StaticXdsServerConfigSelectorProvider>(
filter_chain->http_connection_manager.rds_update.value(),
filter_chain->http_connection_manager.http_filters);
} else {
absl::StatusOr<XdsRouteConfigResource> initial_resource;
{
MutexLock lock(&mu_);
initial_resource =
rds_map_[filter_chain->http_connection_manager.route_config_name]
.rds_update.value();
}
server_config_selector_provider =
MakeRefCounted<DynamicXdsServerConfigSelectorProvider>(
xds_client_->Ref(DEBUG_LOCATION,
"DynamicXdsServerConfigSelectorProvider"),
filter_chain->http_connection_manager.route_config_name,
std::move(initial_resource),
filter_chain->http_connection_manager.http_filters);
}
args = args.SetObject(server_config_selector_provider)
.SetObject(channel_stack_modifier);
// Add XdsCertificateProvider if credentials are xDS. // Add XdsCertificateProvider if credentials are xDS.
auto* server_creds = args.GetObject<grpc_server_credentials>(); auto* server_creds = args.GetObject<grpc_server_credentials>();
if (server_creds != nullptr && if (server_creds != nullptr &&
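Review bot: On the now-unconditional path in the second hunk, `rds_map_[filter_chain->http_connection_manager.route_config_name]` uses `operator[]`, which silently inserts a default entry when the name is absent, and the following `.rds_update.value()` fails hard on an empty value; this is presumably only reached after `StartRdsWatch` (made unconditional in the first hunk) has populated every referenced name, but that invariant is now load-bearing for every xDS server rather than only RBAC-enabled ones. I would make the dependency explicit: `auto it = rds_map_.find(filter_chain->http_connection_manager.route_config_name);` `GPR_ASSERT(it != rds_map_.end() && it->second.rds_update.has_value());` `initial_resource = it->second.rds_update.value();`. The first hunk also drops the only visible call to `PendingFilterChainMatchManagerReadyLocked`; if no other caller remains it is dead code and should go with this change. The enclosing function starts and ends outside the hunk.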

@ -140,7 +140,6 @@ grpc_cc_test(
"//src/proto/grpc/testing/xds/v3:router_proto", "//src/proto/grpc/testing/xds/v3:router_proto",
"//src/proto/grpc/testing/xds/v3:tls_proto", "//src/proto/grpc/testing/xds/v3:tls_proto",
"//test/core/util:grpc_test_util", "//test/core/util:grpc_test_util",
"//test/core/util:scoped_env_var",
"//test/cpp/util:test_config", "//test/cpp/util:test_config",
"//test/cpp/util:test_util", "//test/cpp/util:test_util",
"//test/cpp/util:tls_test_utils", "//test/cpp/util:tls_test_utils",

@ -1079,6 +1079,9 @@ TEST_P(XdsFederationTest, FederationServer) {
const char* kNewRouteConfigName = const char* kNewRouteConfigName =
"xdstp://xds.example.com/envoy.config.route.v3.RouteConfiguration/" "xdstp://xds.example.com/envoy.config.route.v3.RouteConfiguration/"
"new_route_config_name"; "new_route_config_name";
const char* kNewServerRouteConfigName =
"xdstp://xds.example.com/envoy.config.route.v3.RouteConfiguration/"
"new_server_route_config_name";
const char* kNewEdsServiceName = const char* kNewEdsServiceName =
"xdstp://xds.example.com/envoy.config.endpoint.v3.ClusterLoadAssignment/" "xdstp://xds.example.com/envoy.config.endpoint.v3.ClusterLoadAssignment/"
"new_edsservice_name"; "new_edsservice_name";
@ -1107,7 +1110,7 @@ TEST_P(XdsFederationTest, FederationServer) {
new_cluster.mutable_eds_cluster_config()->set_service_name( new_cluster.mutable_eds_cluster_config()->set_service_name(
kNewEdsServiceName); kNewEdsServiceName);
authority_balancer_->ads_service()->SetCdsResource(new_cluster); authority_balancer_->ads_service()->SetCdsResource(new_cluster);
// New Route // New RouteConfig
RouteConfiguration new_route_config = default_route_config_; RouteConfiguration new_route_config = default_route_config_;
new_route_config.set_name(kNewRouteConfigName); new_route_config.set_name(kNewRouteConfigName);
new_route_config.mutable_virtual_hosts(0) new_route_config.mutable_virtual_hosts(0)
@ -1119,6 +1122,9 @@ TEST_P(XdsFederationTest, FederationServer) {
listener.set_name(kNewListenerName); listener.set_name(kNewListenerName);
SetListenerAndRouteConfiguration(authority_balancer_.get(), listener, SetListenerAndRouteConfiguration(authority_balancer_.get(), listener,
new_route_config); new_route_config);
// New Server RouteConfig
RouteConfiguration new_server_route_config = default_server_route_config_;
new_server_route_config.set_name(kNewServerRouteConfigName);
// New Server Listeners // New Server Listeners
for (int port : GetBackendPorts()) { for (int port : GetBackendPorts()) {
Listener server_listener = default_server_listener_; Listener server_listener = default_server_listener_;
@ -1128,7 +1134,9 @@ TEST_P(XdsFederationTest, FederationServer) {
"?psm_project_id=1234")); "?psm_project_id=1234"));
server_listener.mutable_address()->mutable_socket_address()->set_port_value( server_listener.mutable_address()->mutable_socket_address()->set_port_value(
port); port);
authority_balancer_->ads_service()->SetLdsResource(server_listener); SetListenerAndRouteConfiguration(authority_balancer_.get(), server_listener,
new_server_route_config,
ServerHcmAccessor());
} }
WaitForAllBackends(DEBUG_LOCATION); WaitForAllBackends(DEBUG_LOCATION);
} }

@ -105,7 +105,6 @@
#include "src/proto/grpc/testing/xds/v3/router.grpc.pb.h" #include "src/proto/grpc/testing/xds/v3/router.grpc.pb.h"
#include "src/proto/grpc/testing/xds/v3/tls.grpc.pb.h" #include "src/proto/grpc/testing/xds/v3/tls.grpc.pb.h"
#include "test/core/util/port.h" #include "test/core/util/port.h"
#include "test/core/util/scoped_env_var.h"
#include "test/core/util/test_config.h" #include "test/core/util/test_config.h"
#include "test/cpp/end2end/xds/no_op_http_filter.h" #include "test/cpp/end2end/xds/no_op_http_filter.h"
#include "test/cpp/end2end/xds/xds_end2end_test_lib.h" #include "test/cpp/end2end/xds/xds_end2end_test_lib.h"
@ -132,8 +131,6 @@ using ::grpc::experimental::ExternalCertificateVerifier;
using ::grpc::experimental::IdentityKeyCertPair; using ::grpc::experimental::IdentityKeyCertPair;
using ::grpc::experimental::StaticDataCertificateProvider; using ::grpc::experimental::StaticDataCertificateProvider;
using ::grpc_core::testing::ScopedExperimentalEnvVar;
constexpr char kClientCertPath[] = "src/core/tsi/test_creds/client.pem"; constexpr char kClientCertPath[] = "src/core/tsi/test_creds/client.pem";
constexpr char kClientKeyPath[] = "src/core/tsi/test_creds/client.key"; constexpr char kClientKeyPath[] = "src/core/tsi/test_creds/client.key";
constexpr char kBadClientCertPath[] = "src/core/tsi/test_creds/badclient.pem"; constexpr char kBadClientCertPath[] = "src/core/tsi/test_creds/badclient.pem";
@ -1827,7 +1824,16 @@ TEST_P(XdsEnabledServerStatusNotificationTest,
} }
} }
using XdsServerFilterChainMatchTest = XdsServerSecurityTest; class XdsServerFilterChainMatchTest : public XdsServerSecurityTest {
public:
HttpConnectionManager GetHttpConnectionManager(const Listener& listener) {
HttpConnectionManager http_connection_manager =
ServerHcmAccessor().Unpack(listener);
*http_connection_manager.mutable_route_config() =
default_server_route_config_;
return http_connection_manager;
}
};
TEST_P(XdsServerFilterChainMatchTest, TEST_P(XdsServerFilterChainMatchTest,
DefaultFilterChainUsedWhenNoFilterChainMentioned) { DefaultFilterChainUsedWhenNoFilterChainMentioned) {
@ -1841,7 +1847,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add a filter chain that will never get matched // Add a filter chain that will never get matched
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match() filter_chain->mutable_filter_chain_match()
->mutable_destination_port() ->mutable_destination_port()
->set_value(8080); ->set_value(8080);
@ -1858,7 +1864,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with destination port that should never get matched // Add filter chain with destination port that should never get matched
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match() filter_chain->mutable_filter_chain_match()
->mutable_destination_port() ->mutable_destination_port()
->set_value(8080); ->set_value(8080);
@ -1877,7 +1883,7 @@ TEST_P(XdsServerFilterChainMatchTest, FilterChainsWithServerNamesDontMatch) {
// Add filter chain with server name that should never get matched // Add filter chain with server name that should never get matched
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_server_names("server_name"); filter_chain->mutable_filter_chain_match()->add_server_names("server_name");
listener.clear_default_filter_chain(); listener.clear_default_filter_chain();
balancer_->ads_service()->SetLdsResource( balancer_->ads_service()->SetLdsResource(
@ -1895,7 +1901,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with transport protocol "tls" that should never match // Add filter chain with transport protocol "tls" that should never match
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_transport_protocol("tls"); filter_chain->mutable_filter_chain_match()->set_transport_protocol("tls");
listener.clear_default_filter_chain(); listener.clear_default_filter_chain();
balancer_->ads_service()->SetLdsResource( balancer_->ads_service()->SetLdsResource(
@ -1913,7 +1919,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with application protocol that should never get matched // Add filter chain with application protocol that should never get matched
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_application_protocols("h2"); filter_chain->mutable_filter_chain_match()->add_application_protocols("h2");
listener.clear_default_filter_chain(); listener.clear_default_filter_chain();
balancer_->ads_service()->SetLdsResource( balancer_->ads_service()->SetLdsResource(
@ -1931,14 +1937,14 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with "raw_buffer" transport protocol // Add filter chain with "raw_buffer" transport protocol
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_transport_protocol( filter_chain->mutable_filter_chain_match()->set_transport_protocol(
"raw_buffer"); "raw_buffer");
// Add another filter chain with no transport protocol set but application // Add another filter chain with no transport protocol set but application
// protocol set (fails match) // protocol set (fails match)
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_application_protocols("h2"); filter_chain->mutable_filter_chain_match()->add_application_protocols("h2");
listener.clear_default_filter_chain(); listener.clear_default_filter_chain();
balancer_->ads_service()->SetLdsResource( balancer_->ads_service()->SetLdsResource(
@ -1956,7 +1962,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// mentioned. (Prefix range is matched first.) // mentioned. (Prefix range is matched first.)
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
auto* prefix_range = auto* prefix_range =
filter_chain->mutable_filter_chain_match()->add_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -1970,7 +1976,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// the highest match, it should be chosen. // the highest match, it should be chosen.
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
prefix_range = prefix_range =
filter_chain->mutable_filter_chain_match()->add_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -1983,7 +1989,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// 30) // 30)
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
prefix_range = prefix_range =
filter_chain->mutable_filter_chain_match()->add_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
prefix_range->set_address_prefix("192.168.1.1"); prefix_range->set_address_prefix("192.168.1.1");
@ -1992,7 +1998,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add another filter chain with no prefix range mentioned // Add another filter chain with no prefix range mentioned
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_server_names("server_name"); filter_chain->mutable_filter_chain_match()->add_server_names("server_name");
listener.clear_default_filter_chain(); listener.clear_default_filter_chain();
balancer_->ads_service()->SetLdsResource( balancer_->ads_service()->SetLdsResource(
@ -2009,7 +2015,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with the local source type (best match) // Add filter chain with the local source type (best match)
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_source_type( filter_chain->mutable_filter_chain_match()->set_source_type(
FilterChainMatch::SAME_IP_OR_LOOPBACK); FilterChainMatch::SAME_IP_OR_LOOPBACK);
// Add filter chain with the external source type but bad source port. // Add filter chain with the external source type but bad source port.
@ -2017,7 +2023,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// because it is already being used by a backend. // because it is already being used by a backend.
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_source_type( filter_chain->mutable_filter_chain_match()->set_source_type(
FilterChainMatch::EXTERNAL); FilterChainMatch::EXTERNAL);
filter_chain->mutable_filter_chain_match()->add_source_ports( filter_chain->mutable_filter_chain_match()->add_source_ports(
@ -2025,7 +2031,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with the default source type (ANY) but bad source port. // Add filter chain with the default source type (ANY) but bad source port.
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_source_ports( filter_chain->mutable_filter_chain_match()->add_source_ports(
backends_[0]->port()); backends_[0]->port());
listener.clear_default_filter_chain(); listener.clear_default_filter_chain();
@ -2046,7 +2052,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// is already being used by a backend. // is already being used by a backend.
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
auto* source_prefix_range = auto* source_prefix_range =
filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
source_prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); source_prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2061,7 +2067,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// 24 is the highest match, it should be chosen. // 24 is the highest match, it should be chosen.
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
source_prefix_range = source_prefix_range =
filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
source_prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); source_prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2074,7 +2080,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// length 30) and bad source port // length 30) and bad source port
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
source_prefix_range = source_prefix_range =
filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
source_prefix_range->set_address_prefix("192.168.1.1"); source_prefix_range->set_address_prefix("192.168.1.1");
@ -2085,7 +2091,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// source port // source port
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_source_ports( filter_chain->mutable_filter_chain_match()->add_source_ports(
backends_[0]->port()); backends_[0]->port());
listener.clear_default_filter_chain(); listener.clear_default_filter_chain();
@ -2102,7 +2108,7 @@ TEST_P(XdsServerFilterChainMatchTest,
Listener listener = default_server_listener_; Listener listener = default_server_listener_;
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
// Since we don't know which port will be used by the channel, just add all // Since we don't know which port will be used by the channel, just add all
// ports except for 0. // ports except for 0.
for (int i = 1; i < 65536; i++) { for (int i = 1; i < 65536; i++) {
@ -2112,7 +2118,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// DownstreamTlsContext configuration. // DownstreamTlsContext configuration.
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
auto* transport_socket = filter_chain->mutable_transport_socket(); auto* transport_socket = filter_chain->mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
DownstreamTlsContext downstream_tls_context; DownstreamTlsContext downstream_tls_context;
@ -2134,11 +2140,11 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchNacked) {
// Add filter chain // Add filter chain
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
// Add a duplicate filter chain // Add a duplicate filter chain
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener, SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
backends_[0]->port(), backends_[0]->port(),
default_server_route_config_); default_server_route_config_);
@ -2156,7 +2162,7 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnPrefixRangesNacked) {
// Add filter chain with prefix range // Add filter chain with prefix range
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
auto* prefix_range = auto* prefix_range =
filter_chain->mutable_filter_chain_match()->add_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2168,7 +2174,7 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnPrefixRangesNacked) {
// Add a filter chain with a duplicate prefix range entry // Add a filter chain with a duplicate prefix range entry
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
prefix_range = prefix_range =
filter_chain->mutable_filter_chain_match()->add_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2205,14 +2211,14 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnTransportProtocolNacked) {
// Add filter chain with "raw_buffer" transport protocol // Add filter chain with "raw_buffer" transport protocol
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_transport_protocol( filter_chain->mutable_filter_chain_match()->set_transport_protocol(
"raw_buffer"); "raw_buffer");
// Add a duplicate filter chain with the same "raw_buffer" transport // Add a duplicate filter chain with the same "raw_buffer" transport
// protocol entry // protocol entry
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_transport_protocol( filter_chain->mutable_filter_chain_match()->set_transport_protocol(
"raw_buffer"); "raw_buffer");
SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener, SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
@ -2232,13 +2238,13 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnLocalSourceTypeNacked) {
// Add filter chain with the local source type // Add filter chain with the local source type
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_source_type( filter_chain->mutable_filter_chain_match()->set_source_type(
FilterChainMatch::SAME_IP_OR_LOOPBACK); FilterChainMatch::SAME_IP_OR_LOOPBACK);
// Add a duplicate filter chain with the same local source type entry // Add a duplicate filter chain with the same local source type entry
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_source_type( filter_chain->mutable_filter_chain_match()->set_source_type(
FilterChainMatch::SAME_IP_OR_LOOPBACK); FilterChainMatch::SAME_IP_OR_LOOPBACK);
SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener, SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
@ -2259,13 +2265,13 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with the external source type // Add filter chain with the external source type
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_source_type( filter_chain->mutable_filter_chain_match()->set_source_type(
FilterChainMatch::EXTERNAL); FilterChainMatch::EXTERNAL);
// Add a duplicate filter chain with the same external source type entry // Add a duplicate filter chain with the same external source type entry
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->set_source_type( filter_chain->mutable_filter_chain_match()->set_source_type(
FilterChainMatch::EXTERNAL); FilterChainMatch::EXTERNAL);
SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener, SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
@ -2286,7 +2292,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add filter chain with source prefix range // Add filter chain with source prefix range
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
auto* prefix_range = auto* prefix_range =
filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2298,7 +2304,7 @@ TEST_P(XdsServerFilterChainMatchTest,
// Add a filter chain with a duplicate source prefix range entry // Add a filter chain with a duplicate source prefix range entry
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
prefix_range = prefix_range =
filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges(); filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1"); prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2336,12 +2342,12 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnSourcePortNacked) {
// Add filter chain with the external source type // Add filter chain with the external source type
auto* filter_chain = listener.add_filter_chains(); auto* filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_source_ports(8080); filter_chain->mutable_filter_chain_match()->add_source_ports(8080);
// Add a duplicate filter chain with the same source port entry // Add a duplicate filter chain with the same source port entry
filter_chain = listener.add_filter_chains(); filter_chain = listener.add_filter_chains();
filter_chain->add_filters()->mutable_typed_config()->PackFrom( filter_chain->add_filters()->mutable_typed_config()->PackFrom(
ServerHcmAccessor().Unpack(listener)); GetHttpConnectionManager(listener));
filter_chain->mutable_filter_chain_match()->add_source_ports(8080); filter_chain->mutable_filter_chain_match()->add_source_ports(8080);
SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener, SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
backends_[0]->port(), backends_[0]->port(),
@ -2355,12 +2361,7 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnSourcePortNacked) {
"filter chain: {source_ports={8080}}")); "filter chain: {source_ports={8080}}"));
} }
class XdsServerRdsTest : public XdsEnabledServerStatusNotificationTest { using XdsServerRdsTest = XdsEnabledServerStatusNotificationTest;
protected:
XdsServerRdsTest() : env_var_("GRPC_XDS_EXPERIMENTAL_RBAC") {}
ScopedExperimentalEnvVar env_var_;
};
TEST_P(XdsServerRdsTest, Basic) { TEST_P(XdsServerRdsTest, Basic) {
backends_[0]->Start(); backends_[0]->Start();
