Skip to content

Commit

Permalink
xds: nack if certprovider instance name is missing in bootstrap config (
Browse files Browse the repository at this point in the history 
#4799)
  • Loading branch information
@easwars
easwars committed Sep 30, 2021
1 parent adb21c4 commit 2ae5ac1
Show file tree
Hide file tree
Showing 9 changed files with 575 additions and 49 deletions.
372 changes: 372 additions & 0 deletions xds/internal/test/xds_security_config_nack_test.go
View file
@@ -0,0 +1,372 @@
//go:build !386
// +build !386

/*
*
* Copyright 2021 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/

package xds_test

import (
"context"
"fmt"
"testing"

"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
xdscreds "google.golang.org/grpc/credentials/xds"
"google.golang.org/grpc/internal/testutils"
"google.golang.org/grpc/xds/internal/testutils/e2e"

v3corepb "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
v3tlspb "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
testpb "google.golang.org/grpc/test/grpc_testing"
)

func (s) TestUnmarshalListener_WithUpdateValidatorFunc(t *testing.T) {
const (
serviceName = "my-service-client-side-xds"
missingIdentityProviderInstance = "missing-identity-provider-instance"
missingRootProviderInstance = "missing-root-provider-instance"
)
managementServer, nodeID, bootstrapContents, resolver, cleanup1 := setupManagementServer(t)
defer cleanup1()

lis, cleanup2 := setupGRPCServer(t, bootstrapContents)
defer cleanup2()

// Grab the host and port of the server and create client side xDS
// resources corresponding to it.
host, port, err := hostPortFromListener(lis)
if err != nil {
t.Fatalf("failed to retrieve host and port of server: %v", err)
}

// Create xDS resources to be consumed on the client side. This
// includes the listener, route configuration, cluster (with
// security configuration) and endpoint resources.
resources := e2e.DefaultClientResources(e2e.ResourceParams{
DialTarget: serviceName,
NodeID: nodeID,
Host: host,
Port: port,
SecLevel: e2e.SecurityLevelMTLS,
})

tests := []struct {
name string
securityConfig *v3corepb.TransportSocket
wantErr bool
}{
{
name: "both identity and root providers are not present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.DownstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingIdentityProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingRootProviderInstance,
},
},
},
},
}),
},
},
wantErr: true,
},
{
name: "only identity provider is not present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.DownstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingIdentityProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ServerSideCertProviderInstance,
},
},
},
},
}),
},
},
wantErr: true,
},
{
name: "only root provider is not present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.DownstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ServerSideCertProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingRootProviderInstance,
},
},
},
},
}),
},
},
wantErr: true,
},
{
name: "both identity and root providers are present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.DownstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ServerSideCertProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ServerSideCertProviderInstance,
},
},
},
},
}),
},
},
wantErr: false,
},
}

ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
defer cancel()
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
// Create an inbound xDS listener resource for the server side.
inboundLis := e2e.DefaultServerListener(host, port, e2e.SecurityLevelMTLS)
for _, fc := range inboundLis.GetFilterChains() {
fc.TransportSocket = test.securityConfig
}

// Setup the management server with client and server resources.
if len(resources.Listeners) == 1 {
resources.Listeners = append(resources.Listeners, inboundLis)
} else {
resources.Listeners[1] = inboundLis
}
if err := managementServer.Update(ctx, resources); err != nil {
t.Fatal(err)
}

// Create client-side xDS credentials with an insecure fallback.
creds, err := xdscreds.NewClientCredentials(xdscreds.ClientOptions{FallbackCreds: insecure.NewCredentials()})
if err != nil {
t.Fatal(err)
}

// Create a ClientConn with the xds scheme and make an RPC.
cc, err := grpc.DialContext(ctx, fmt.Sprintf("xds:///%s", serviceName), grpc.WithTransportCredentials(creds), grpc.WithResolvers(resolver))
if err != nil {
t.Fatalf("failed to dial local test server: %v", err)
}
defer cc.Close()

// Make a context with a shorter timeout from the top level test
// context for cases where we expect failures.
timeout := defaultTestTimeout
if test.wantErr {
timeout = defaultTestShortTimeout
}
ctx2, cancel2 := context.WithTimeout(ctx, timeout)
defer cancel2()
client := testpb.NewTestServiceClient(cc)
if _, err := client.EmptyCall(ctx2, &testpb.Empty{}, grpc.WaitForReady(true)); (err != nil) != test.wantErr {
t.Fatalf("EmptyCall() returned err: %v, wantErr %v", err, test.wantErr)
}
})
}
}

func (s) TestUnmarshalCluster_WithUpdateValidatorFunc(t *testing.T) {
const (
serviceName = "my-service-client-side-xds"
missingIdentityProviderInstance = "missing-identity-provider-instance"
missingRootProviderInstance = "missing-root-provider-instance"
)

// setupManagementServer() sets up a bootstrap file with certificate
// provider instance names: `e2e.ServerSideCertProviderInstance` and
// `e2e.ClientSideCertProviderInstance`.
managementServer, nodeID, _, resolver, cleanup1 := setupManagementServer(t)
defer cleanup1()

port, cleanup2 := clientSetup(t, &testService{})
defer cleanup2()

// This creates a `Cluster` resource with a security config which refers to
// `e2e.ClientSideCertProviderInstance` for both root and identity certs.
resources := e2e.DefaultClientResources(e2e.ResourceParams{
DialTarget: serviceName,
NodeID: nodeID,
Host: "localhost",
Port: port,
SecLevel: e2e.SecurityLevelMTLS,
})

tests := []struct {
name string
securityConfig *v3corepb.TransportSocket
wantErr bool
}{
{
name: "both identity and root providers are not present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.UpstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingIdentityProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingRootProviderInstance,
},
},
},
},
}),
},
},
wantErr: true,
},
{
name: "only identity provider is not present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.UpstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingIdentityProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ClientSideCertProviderInstance,
},
},
},
},
}),
},
},
wantErr: true,
},
{
name: "only root provider is not present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.UpstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ClientSideCertProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: missingRootProviderInstance,
},
},
},
},
}),
},
},
wantErr: true,
},
{
name: "both identity and root providers are present in bootstrap",
securityConfig: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3tlspb.UpstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
TlsCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ClientSideCertProviderInstance,
},
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContext{
ValidationContext: &v3tlspb.CertificateValidationContext{
CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{
InstanceName: e2e.ClientSideCertProviderInstance,
},
},
},
},
}),
},
},
wantErr: false,
},
}

ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
defer cancel()
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
resources.Clusters[0].TransportSocket = test.securityConfig
if err := managementServer.Update(ctx, resources); err != nil {
t.Fatal(err)
}

cc, err := grpc.Dial(fmt.Sprintf("xds:///%s", serviceName), grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithResolvers(resolver))
if err != nil {
t.Fatalf("failed to dial local test server: %v", err)
}
defer cc.Close()

// Make a context with a shorter timeout from the top level test
// context for cases where we expect failures.
timeout := defaultTestTimeout
if test.wantErr {
timeout = defaultTestShortTimeout
}
ctx2, cancel2 := context.WithTimeout(ctx, timeout)
defer cancel2()
client := testpb.NewTestServiceClient(cc)
if _, err := client.EmptyCall(ctx2, &testpb.Empty{}, grpc.WaitForReady(true)); (err != nil) != test.wantErr {
t.Fatalf("EmptyCall() returned err: %v, wantErr %v", err, test.wantErr)
}
})
}
}
8 changes: 6 additions & 2 deletions xds/internal/xdsclient/cds_test.go
View file
Expand Up @@ -1571,9 +1571,13 @@ func (s) TestUnmarshalCluster(t *testing.T) {
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
update, md, err := UnmarshalCluster(testVersion, test.resources, nil)
opts := &UnmarshalOptions{
Version: testVersion,
Resources: test.resources,
}
update, md, err := UnmarshalCluster(opts)
if (err != nil) != test.wantErr {
t.Fatalf("UnmarshalCluster(), got err: %v, wantErr: %v", err, test.wantErr)
t.Fatalf("UnmarshalCluster(%+v), got err: %v, wantErr: %v", opts, err, test.wantErr)
}
if diff := cmp.Diff(update, test.wantUpdate, cmpOpts); diff != "" {
t.Errorf("got unexpected update, diff (-got +want): %v", diff)
Expand Down

0 comments on commit 2ae5ac1

Please sign in to comment.