xDS RBAC: remove env var protection (#31348)

* xDS RBAC: remove env var protection * fix federation server test * fix sanity
2 years ago · 93433d2faf
parent 2f2662c462
commit 93433d2faf
8 changed files with 135 additions and 151 deletions
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@ -11298,7 +11298,6 @@ targets:
  run: false
  language: c++
  headers:
-  - test/core/util/scoped_env_var.h
  - test/cpp/end2end/counted_service.h
  - test/cpp/end2end/test_service_impl.h
  - test/cpp/end2end/xds/no_op_http_filter.h
--- a/src/core/ext/xds/xds_listener.cc
+++ b/src/core/ext/xds/xds_listener.cc
@ -439,49 +439,44 @@ HttpConnectionManagerParse(
        XdsListenerResource::HttpConnectionManager::HttpFilter{
            "router", {kXdsHttpRouterFilterConfigName, Json()}});
  }
-  // Guarding parsing of RouteConfig on the server side with the environmental
-  // variable since that's the first feature on the server side that will be
-  // using this.
-  if (is_client || XdsRbacEnabled()) {
-    // Found inlined route_config. Parse it to find the cluster_name.
-    if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_route_config(
-            http_connection_manager_proto)) {
-      const envoy_config_route_v3_RouteConfiguration* route_config =
-          envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_route_config(
-              http_connection_manager_proto);
-      auto rds_update = XdsRouteConfigResource::Parse(context, route_config);
-      if (!rds_update.ok()) {
-        errors.emplace_back(rds_update.status().message());
-      } else {
-        http_connection_manager.rds_update = std::move(*rds_update);
-      }
+  // Found inlined route_config. Parse it to find the cluster_name.
+  if (envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_has_route_config(
+          http_connection_manager_proto)) {
+    const envoy_config_route_v3_RouteConfiguration* route_config =
+        envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_route_config(
+            http_connection_manager_proto);
+    auto rds_update = XdsRouteConfigResource::Parse(context, route_config);
+    if (!rds_update.ok()) {
+      errors.emplace_back(rds_update.status().message());
    } else {
-      // Validate that RDS must be used to get the route_config dynamically.
-      const envoy_extensions_filters_network_http_connection_manager_v3_Rds* rds =
-          envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_rds(
-              http_connection_manager_proto);
-      if (rds == nullptr) {
-        return GRPC_ERROR_CREATE(
-            "HttpConnectionManager neither has inlined route_config nor RDS.");
-      }
-      // Check that the ConfigSource specifies ADS.
-      const envoy_config_core_v3_ConfigSource* config_source =
-          envoy_extensions_filters_network_http_connection_manager_v3_Rds_config_source(
-              rds);
-      if (config_source == nullptr) {
-        errors.emplace_back(
-            "HttpConnectionManager missing config_source for RDS.");
-      } else if (!envoy_config_core_v3_ConfigSource_has_ads(config_source) &&
-                 !envoy_config_core_v3_ConfigSource_has_self(config_source)) {
-        errors.emplace_back(
-            "HttpConnectionManager ConfigSource for RDS does not specify ADS "
-            "or SELF.");
-      } else {
-        // Get the route_config_name.
-        http_connection_manager.route_config_name = UpbStringToStdString(
-            envoy_extensions_filters_network_http_connection_manager_v3_Rds_route_config_name(
-                rds));
-      }
+      http_connection_manager.rds_update = std::move(*rds_update);
+    }
+  } else {
+    // Validate that RDS must be used to get the route_config dynamically.
+    const envoy_extensions_filters_network_http_connection_manager_v3_Rds* rds =
+        envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_rds(
+            http_connection_manager_proto);
+    if (rds == nullptr) {
+      return GRPC_ERROR_CREATE(
+          "HttpConnectionManager neither has inlined route_config nor RDS.");
+    }
+    // Check that the ConfigSource specifies ADS.
+    const envoy_config_core_v3_ConfigSource* config_source =
+        envoy_extensions_filters_network_http_connection_manager_v3_Rds_config_source(
+            rds);
+    if (config_source == nullptr) {
+      errors.emplace_back(
+          "HttpConnectionManager missing config_source for RDS.");
+    } else if (!envoy_config_core_v3_ConfigSource_has_ads(config_source) &&
+               !envoy_config_core_v3_ConfigSource_has_self(config_source)) {
+      errors.emplace_back(
+          "HttpConnectionManager ConfigSource for RDS does not specify ADS "
+          "or SELF.");
+    } else {
+      // Get the route_config_name.
+      http_connection_manager.route_config_name = UpbStringToStdString(
+          envoy_extensions_filters_network_http_connection_manager_v3_Rds_route_config_name(
+              rds));
    }
  }
  // Return result.
--- a/src/core/ext/xds/xds_route_config.cc
+++ b/src/core/ext/xds/xds_route_config.cc
@ -74,15 +74,6 @@

 namespace grpc_core {

-// TODO(yashykt): Remove once RBAC is no longer experimental
-bool XdsRbacEnabled() {
-  auto value = GetEnv("GRPC_XDS_EXPERIMENTAL_RBAC");
-  if (!value.has_value()) return false;
-  bool parsed_value;
-  bool parse_succeeded = gpr_parse_bool_value(value->c_str(), &parsed_value);
-  return parse_succeeded && parsed_value;
-}
-
 // TODO(donnadionne): Remove once RLS is no longer experimental
 bool XdsRlsEnabled() {
  auto value = GetEnv("GRPC_EXPERIMENTAL_XDS_RLS_LB");
--- a/src/core/ext/xds/xds_route_config.h
+++ b/src/core/ext/xds/xds_route_config.h
@ -46,8 +46,6 @@

 namespace grpc_core {

-bool XdsRbacEnabled();
-
 struct XdsRouteConfigResource : public XdsResourceType::ResourceData {
  using TypedPerFilterConfig =
      std::map<std::string, XdsHttpFilterImpl::FilterConfig>;
--- a/src/core/ext/xds/xds_server_config_fetcher.cc
+++ b/src/core/ext/xds/xds_server_config_fetcher.cc
@ -568,12 +568,7 @@ void XdsServerConfigFetcher::ListenerWatcher::OnResourceChanged(
            filter_chain_match_manager_->default_filter_chain())) {
    pending_filter_chain_match_manager_ =
        std::move(new_filter_chain_match_manager);
-    if (XdsRbacEnabled()) {
-      pending_filter_chain_match_manager_->StartRdsWatch(Ref());
-    } else {
-      PendingFilterChainMatchManagerReadyLocked(
-          pending_filter_chain_match_manager_.get());
-    }
+    pending_filter_chain_match_manager_->StartRdsWatch(Ref());
  }
 }

@ -1060,52 +1055,50 @@ absl::StatusOr<ChannelArgs> XdsServerConfigFetcher::ListenerWatcher::
  RefCountedPtr<ServerConfigSelectorProvider> server_config_selector_provider;
  RefCountedPtr<XdsChannelStackModifier> channel_stack_modifier;
  RefCountedPtr<XdsCertificateProvider> xds_certificate_provider;
-  // Add config selector filter
-  if (XdsRbacEnabled()) {
-    std::vector<const grpc_channel_filter*> filters;
-    // Iterate the list of HTTP filters in reverse since in Core, received data
-    // flows *up* the stack.
-    for (const auto& http_filter :
-         filter_chain->http_connection_manager.http_filters) {
-      // Find filter.  This is guaranteed to succeed, because it's checked
-      // at config validation time in the XdsApi code.
-      const XdsHttpFilterImpl* filter_impl =
-          XdsHttpFilterRegistry::GetFilterForType(
-              http_filter.config.config_proto_type_name);
-      GPR_ASSERT(filter_impl != nullptr);
-      // Some filters like the router filter are no-op filters and do not have
-      // an implementation.
-      if (filter_impl->channel_filter() != nullptr) {
-        filters.push_back(filter_impl->channel_filter());
-      }
-    }
-    filters.push_back(&kServerConfigSelectorFilter);
-    channel_stack_modifier =
-        MakeRefCounted<XdsChannelStackModifier>(std::move(filters));
-    if (filter_chain->http_connection_manager.rds_update.has_value()) {
-      server_config_selector_provider =
-          MakeRefCounted<StaticXdsServerConfigSelectorProvider>(
-              filter_chain->http_connection_manager.rds_update.value(),
-              filter_chain->http_connection_manager.http_filters);
-    } else {
-      absl::StatusOr<XdsRouteConfigResource> initial_resource;
-      {
-        MutexLock lock(&mu_);
-        initial_resource =
-            rds_map_[filter_chain->http_connection_manager.route_config_name]
-                .rds_update.value();
-      }
-      server_config_selector_provider =
-          MakeRefCounted<DynamicXdsServerConfigSelectorProvider>(
-              xds_client_->Ref(DEBUG_LOCATION,
-                               "DynamicXdsServerConfigSelectorProvider"),
-              filter_chain->http_connection_manager.route_config_name,
-              std::move(initial_resource),
-              filter_chain->http_connection_manager.http_filters);
+  // Add config selector filter.
+  std::vector<const grpc_channel_filter*> filters;
+  // Iterate the list of HTTP filters in reverse since in Core, received data
+  // flows *up* the stack.
+  for (const auto& http_filter :
+       filter_chain->http_connection_manager.http_filters) {
+    // Find filter.  This is guaranteed to succeed, because it's checked
+    // at config validation time in the XdsApi code.
+    const XdsHttpFilterImpl* filter_impl =
+        XdsHttpFilterRegistry::GetFilterForType(
+            http_filter.config.config_proto_type_name);
+    GPR_ASSERT(filter_impl != nullptr);
+    // Some filters like the router filter are no-op filters and do not have
+    // an implementation.
+    if (filter_impl->channel_filter() != nullptr) {
+      filters.push_back(filter_impl->channel_filter());
    }
-    args = args.SetObject(server_config_selector_provider)
-               .SetObject(channel_stack_modifier);
  }
+  filters.push_back(&kServerConfigSelectorFilter);
+  channel_stack_modifier =
+      MakeRefCounted<XdsChannelStackModifier>(std::move(filters));
+  if (filter_chain->http_connection_manager.rds_update.has_value()) {
+    server_config_selector_provider =
+        MakeRefCounted<StaticXdsServerConfigSelectorProvider>(
+            filter_chain->http_connection_manager.rds_update.value(),
+            filter_chain->http_connection_manager.http_filters);
+  } else {
+    absl::StatusOr<XdsRouteConfigResource> initial_resource;
+    {
+      MutexLock lock(&mu_);
+      initial_resource =
+          rds_map_[filter_chain->http_connection_manager.route_config_name]
+              .rds_update.value();
+    }
+    server_config_selector_provider =
+        MakeRefCounted<DynamicXdsServerConfigSelectorProvider>(
+            xds_client_->Ref(DEBUG_LOCATION,
+                             "DynamicXdsServerConfigSelectorProvider"),
+            filter_chain->http_connection_manager.route_config_name,
+            std::move(initial_resource),
+            filter_chain->http_connection_manager.http_filters);
+  }
+  args = args.SetObject(server_config_selector_provider)
+             .SetObject(channel_stack_modifier);
  // Add XdsCertificateProvider if credentials are xDS.
  auto* server_creds = args.GetObject<grpc_server_credentials>();
  if (server_creds != nullptr &&
--- a/test/cpp/end2end/xds/BUILD
+++ b/test/cpp/end2end/xds/BUILD
@ -140,7 +140,6 @@ grpc_cc_test(
        "//src/proto/grpc/testing/xds/v3:router_proto",
        "//src/proto/grpc/testing/xds/v3:tls_proto",
        "//test/core/util:grpc_test_util",
-        "//test/core/util:scoped_env_var",
        "//test/cpp/util:test_config",
        "//test/cpp/util:test_util",
        "//test/cpp/util:tls_test_utils",
--- a/test/cpp/end2end/xds/xds_core_end2end_test.cc
+++ b/test/cpp/end2end/xds/xds_core_end2end_test.cc
@ -1079,6 +1079,9 @@ TEST_P(XdsFederationTest, FederationServer) {
  const char* kNewRouteConfigName =
      "xdstp://xds.example.com/envoy.config.route.v3.RouteConfiguration/"
      "new_route_config_name";
+  const char* kNewServerRouteConfigName =
+      "xdstp://xds.example.com/envoy.config.route.v3.RouteConfiguration/"
+      "new_server_route_config_name";
  const char* kNewEdsServiceName =
      "xdstp://xds.example.com/envoy.config.endpoint.v3.ClusterLoadAssignment/"
      "new_edsservice_name";
@ -1107,7 +1110,7 @@ TEST_P(XdsFederationTest, FederationServer) {
  new_cluster.mutable_eds_cluster_config()->set_service_name(
      kNewEdsServiceName);
  authority_balancer_->ads_service()->SetCdsResource(new_cluster);
-  // New Route
+  // New RouteConfig
  RouteConfiguration new_route_config = default_route_config_;
  new_route_config.set_name(kNewRouteConfigName);
  new_route_config.mutable_virtual_hosts(0)
@ -1119,6 +1122,9 @@ TEST_P(XdsFederationTest, FederationServer) {
  listener.set_name(kNewListenerName);
  SetListenerAndRouteConfiguration(authority_balancer_.get(), listener,
                                   new_route_config);
+  // New Server RouteConfig
+  RouteConfiguration new_server_route_config = default_server_route_config_;
+  new_server_route_config.set_name(kNewServerRouteConfigName);
  // New Server Listeners
  for (int port : GetBackendPorts()) {
    Listener server_listener = default_server_listener_;
@ -1128,7 +1134,9 @@ TEST_P(XdsFederationTest, FederationServer) {
        "?psm_project_id=1234"));
    server_listener.mutable_address()->mutable_socket_address()->set_port_value(
        port);
-    authority_balancer_->ads_service()->SetLdsResource(server_listener);
+    SetListenerAndRouteConfiguration(authority_balancer_.get(), server_listener,
+                                     new_server_route_config,
+                                     ServerHcmAccessor());
  }
  WaitForAllBackends(DEBUG_LOCATION);
 }
--- a/test/cpp/end2end/xds/xds_end2end_test.cc
+++ b/test/cpp/end2end/xds/xds_end2end_test.cc
@ -105,7 +105,6 @@
 #include "src/proto/grpc/testing/xds/v3/router.grpc.pb.h"
 #include "src/proto/grpc/testing/xds/v3/tls.grpc.pb.h"
 #include "test/core/util/port.h"
-#include "test/core/util/scoped_env_var.h"
 #include "test/core/util/test_config.h"
 #include "test/cpp/end2end/xds/no_op_http_filter.h"
 #include "test/cpp/end2end/xds/xds_end2end_test_lib.h"
@ -132,8 +131,6 @@ using ::grpc::experimental::ExternalCertificateVerifier;
 using ::grpc::experimental::IdentityKeyCertPair;
 using ::grpc::experimental::StaticDataCertificateProvider;

-using ::grpc_core::testing::ScopedExperimentalEnvVar;
-
 constexpr char kClientCertPath[] = "src/core/tsi/test_creds/client.pem";
 constexpr char kClientKeyPath[] = "src/core/tsi/test_creds/client.key";
 constexpr char kBadClientCertPath[] = "src/core/tsi/test_creds/badclient.pem";
@ -1827,7 +1824,16 @@ TEST_P(XdsEnabledServerStatusNotificationTest,
  }
 }

-using XdsServerFilterChainMatchTest = XdsServerSecurityTest;
+class XdsServerFilterChainMatchTest : public XdsServerSecurityTest {
+ public:
+  HttpConnectionManager GetHttpConnectionManager(const Listener& listener) {
+    HttpConnectionManager http_connection_manager =
+        ServerHcmAccessor().Unpack(listener);
+    *http_connection_manager.mutable_route_config() =
+        default_server_route_config_;
+    return http_connection_manager;
+  }
+};

 TEST_P(XdsServerFilterChainMatchTest,
       DefaultFilterChainUsedWhenNoFilterChainMentioned) {
@ -1841,7 +1847,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add a filter chain that will never get matched
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()
      ->mutable_destination_port()
      ->set_value(8080);
@ -1858,7 +1864,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with destination port that should never get matched
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()
      ->mutable_destination_port()
      ->set_value(8080);
@ -1877,7 +1883,7 @@ TEST_P(XdsServerFilterChainMatchTest, FilterChainsWithServerNamesDontMatch) {
  // Add filter chain with server name that should never get matched
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_server_names("server_name");
  listener.clear_default_filter_chain();
  balancer_->ads_service()->SetLdsResource(
@ -1895,7 +1901,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with transport protocol "tls" that should never match
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_transport_protocol("tls");
  listener.clear_default_filter_chain();
  balancer_->ads_service()->SetLdsResource(
@ -1913,7 +1919,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with application protocol that should never get matched
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_application_protocols("h2");
  listener.clear_default_filter_chain();
  balancer_->ads_service()->SetLdsResource(
@ -1931,14 +1937,14 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with "raw_buffer" transport protocol
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_transport_protocol(
      "raw_buffer");
  // Add another filter chain with no transport protocol set but application
  // protocol set (fails match)
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_application_protocols("h2");
  listener.clear_default_filter_chain();
  balancer_->ads_service()->SetLdsResource(
@ -1956,7 +1962,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // mentioned. (Prefix range is matched first.)
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  auto* prefix_range =
      filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
  prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -1970,7 +1976,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // the highest match, it should be chosen.
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  prefix_range =
      filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
  prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -1983,7 +1989,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // 30)
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  prefix_range =
      filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
  prefix_range->set_address_prefix("192.168.1.1");
@ -1992,7 +1998,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add another filter chain with no prefix range mentioned
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_server_names("server_name");
  listener.clear_default_filter_chain();
  balancer_->ads_service()->SetLdsResource(
@ -2009,7 +2015,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with the local source type (best match)
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_source_type(
      FilterChainMatch::SAME_IP_OR_LOOPBACK);
  // Add filter chain with the external source type but bad source port.
@ -2017,7 +2023,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // because it is already being used by a backend.
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_source_type(
      FilterChainMatch::EXTERNAL);
  filter_chain->mutable_filter_chain_match()->add_source_ports(
@ -2025,7 +2031,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with the default source type (ANY) but bad source port.
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_source_ports(
      backends_[0]->port());
  listener.clear_default_filter_chain();
@ -2046,7 +2052,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // is already being used by a backend.
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  auto* source_prefix_range =
      filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
  source_prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2061,7 +2067,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // 24 is the highest match, it should be chosen.
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  source_prefix_range =
      filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
  source_prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2074,7 +2080,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // length 30) and bad source port
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  source_prefix_range =
      filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
  source_prefix_range->set_address_prefix("192.168.1.1");
@ -2085,7 +2091,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // source port
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_source_ports(
      backends_[0]->port());
  listener.clear_default_filter_chain();
@ -2102,7 +2108,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  Listener listener = default_server_listener_;
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  // Since we don't know which port will be used by the channel, just add all
  // ports except for 0.
  for (int i = 1; i < 65536; i++) {
@ -2112,7 +2118,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // DownstreamTlsContext configuration.
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  auto* transport_socket = filter_chain->mutable_transport_socket();
  transport_socket->set_name("envoy.transport_sockets.tls");
  DownstreamTlsContext downstream_tls_context;
@ -2134,11 +2140,11 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchNacked) {
  // Add filter chain
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  // Add a duplicate filter chain
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
                                             backends_[0]->port(),
                                             default_server_route_config_);
@ -2156,7 +2162,7 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnPrefixRangesNacked) {
  // Add filter chain with prefix range
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  auto* prefix_range =
      filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
  prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2168,7 +2174,7 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnPrefixRangesNacked) {
  // Add a filter chain with a duplicate prefix range entry
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  prefix_range =
      filter_chain->mutable_filter_chain_match()->add_prefix_ranges();
  prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2205,14 +2211,14 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnTransportProtocolNacked) {
  // Add filter chain with "raw_buffer" transport protocol
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_transport_protocol(
      "raw_buffer");
  // Add a duplicate filter chain with the same "raw_buffer" transport
  // protocol entry
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_transport_protocol(
      "raw_buffer");
  SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
@ -2232,13 +2238,13 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnLocalSourceTypeNacked) {
  // Add filter chain with the local source type
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_source_type(
      FilterChainMatch::SAME_IP_OR_LOOPBACK);
  // Add a duplicate filter chain with the same local source type entry
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_source_type(
      FilterChainMatch::SAME_IP_OR_LOOPBACK);
  SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
@ -2259,13 +2265,13 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with the external source type
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_source_type(
      FilterChainMatch::EXTERNAL);
  // Add a duplicate filter chain with the same external source type entry
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->set_source_type(
      FilterChainMatch::EXTERNAL);
  SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
@ -2286,7 +2292,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add filter chain with source prefix range
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  auto* prefix_range =
      filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
  prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2298,7 +2304,7 @@ TEST_P(XdsServerFilterChainMatchTest,
  // Add a filter chain with a duplicate source prefix range entry
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  prefix_range =
      filter_chain->mutable_filter_chain_match()->add_source_prefix_ranges();
  prefix_range->set_address_prefix(ipv6_only_ ? "::1" : "127.0.0.1");
@ -2336,12 +2342,12 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnSourcePortNacked) {
  // Add filter chain with the external source type
  auto* filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_source_ports(8080);
  // Add a duplicate filter chain with the same source port entry
  filter_chain = listener.add_filter_chains();
  filter_chain->add_filters()->mutable_typed_config()->PackFrom(
-      ServerHcmAccessor().Unpack(listener));
+      GetHttpConnectionManager(listener));
  filter_chain->mutable_filter_chain_match()->add_source_ports(8080);
  SetServerListenerNameAndRouteConfiguration(balancer_.get(), listener,
                                             backends_[0]->port(),
@ -2355,12 +2361,7 @@ TEST_P(XdsServerFilterChainMatchTest, DuplicateMatchOnSourcePortNacked) {
                           "filter chain: {source_ports={8080}}"));
 }

-class XdsServerRdsTest : public XdsEnabledServerStatusNotificationTest {
- protected:
-  XdsServerRdsTest() : env_var_("GRPC_XDS_EXPERIMENTAL_RBAC") {}
-
-  ScopedExperimentalEnvVar env_var_;
-};
+using XdsServerRdsTest = XdsEnabledServerStatusNotificationTest;

 TEST_P(XdsServerRdsTest, Basic) {
  backends_[0]->Start();