diff --git a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc index fb47ccde35d0..f027cfec1074 100644 --- a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc +++ b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc @@ -295,7 +295,8 @@ class UpstreamSSLBaseIntegrationTest : public PostgresBaseIntegrationTest { // The tls transport socket will be inserted into fake_upstream when // Envoy's upstream starttls transport socket is converted to secure mode. std::unique_ptr tls_context_manager = - std::make_unique(timeSystem()); + std::make_unique( + server_factory_context_); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext downstream_tls_context; @@ -527,7 +528,8 @@ class UpstreamAndDownstreamSSLIntegrationTest : public UpstreamSSLBaseIntegratio // The tls transport socket will be inserted into fake_upstream when // Envoy's upstream starttls transport socket is converted to secure mode. std::unique_ptr tls_context_manager = - std::make_unique(timeSystem()); + std::make_unique( + server_factory_context_); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext upstream_tls_context; diff --git a/envoy/server/factory_context.h b/envoy/server/factory_context.h index 8a139fbcb0c4..f6a34d53cf87 100644 --- a/envoy/server/factory_context.h +++ b/envoy/server/factory_context.h @@ -36,6 +36,11 @@ #include "source/common/protobuf/protobuf.h" namespace Envoy { + +namespace Regex { +class Engine; +} + namespace Server { namespace Configuration { @@ -129,6 +134,11 @@ class CommonFactoryContext { * @return ServerLifecycleNotifier& the lifecycle notifier for the server. */ virtual ServerLifecycleNotifier& lifecycleNotifier() PURE; + + /** + * @return the server regex engine. + */ + virtual Regex::Engine& regexEngine() PURE; }; /** 
diff --git a/envoy/server/instance.h b/envoy/server/instance.h index 683fef31b60d..a6fe23cd4c75 100644 --- a/envoy/server/instance.h +++ b/envoy/server/instance.h @@ -253,6 +253,11 @@ class Instance { */ virtual Configuration::StatsConfig& statsConfig() PURE; + /** + * @return the server regex engine. + */ + virtual Regex::Engine& regexEngine() PURE; + /** * @return envoy::config::bootstrap::v3::Bootstrap& the servers bootstrap configuration. */ diff --git a/envoy/ssl/context_manager.h b/envoy/ssl/context_manager.h index 8c7fae3707b2..1cd6f4054472 100644 --- a/envoy/ssl/context_manager.h +++ b/envoy/ssl/context_manager.h @@ -10,6 +10,13 @@ #include "envoy/stats/scope.h" namespace Envoy { + +namespace Server { +namespace Configuration { +class CommonFactoryContext; +} // namespace Configuration +} // namespace Server + namespace Ssl { // Opaque type defined and used by the ``ServerContext``. @@ -73,7 +80,8 @@ using ContextManagerPtr = std::unique_ptr; class ContextManagerFactory : public Config::UntypedFactory { public: ~ContextManagerFactory() override = default; - virtual ContextManagerPtr createContextManager(TimeSource& time_source) PURE; + virtual ContextManagerPtr + createContextManager(Server::Configuration::CommonFactoryContext& factory_context) PURE; // There could be only one factory thus the name is static. std::string name() const override { return "ssl_context_manager"; } diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/config.cc b/mobile/library/common/extensions/cert_validator/platform_bridge/config.cc index 223e6ff8e925..807ec2dcfef7 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/config.cc +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/config.cc 
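Review bot: The new `ContextManagerFactory::createContextManager(Server::Configuration::CommonFactoryContext& factory_context)` declaration in context_manager.h carries no documentation, and the parameter is more than a replacement for `TimeSource`: every `ContextImpl` created through the manager stores a reference to it (`factory_context_` in context_impl.h), and contexts are shared pointers that may be released on other threads. The lifetime contract should therefore be written down on the interface, e.g. `/** @param factory_context must outlive the returned manager and every Ssl::Context created by it. */`. The same parameter documentation would fit `CertValidatorFactory::createCertValidator` in cert_validator/factory.h, which stores the reference in `DefaultCertValidator::context_`.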
@@ -9,7 +9,7 @@ namespace Tls { CertValidatorPtr PlatformBridgeCertValidatorFactory::createCertValidator( const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, - TimeSource& /*time_source*/) { + Server::Configuration::CommonFactoryContext& /*context*/) { return std::make_unique(config, stats); } diff --git a/mobile/library/common/extensions/cert_validator/platform_bridge/config.h b/mobile/library/common/extensions/cert_validator/platform_bridge/config.h index bc884fddc3ac..d070c3fc99af 100644 --- a/mobile/library/common/extensions/cert_validator/platform_bridge/config.h +++ b/mobile/library/common/extensions/cert_validator/platform_bridge/config.h @@ -15,8 +15,9 @@ namespace Tls { class PlatformBridgeCertValidatorFactory : public CertValidatorFactory, public Config::TypedFactory { public: - CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source) override; + CertValidatorPtr + createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + Server::Configuration::CommonFactoryContext& context) override; std::string name() const override { return "envoy_mobile.cert_validator.platform_bridge_cert_validator"; diff --git a/mobile/test/common/integration/BUILD b/mobile/test/common/integration/BUILD index a60cc0281793..e2fd61c2abda 100644 --- a/mobile/test/common/integration/BUILD +++ b/mobile/test/common/integration/BUILD @@ -184,6 +184,7 @@ envoy_cc_test_library( "@envoy//source/exe:process_wide_lib", "@envoy//test/integration:autonomous_upstream_lib", "@envoy//test/integration:utility_lib", + "@envoy//test/mocks/server:server_factory_context_mocks", "@envoy//test/mocks/server:transport_socket_factory_context_mocks", "@envoy//test/test_common:environment_lib", "@envoy_build_config//:extension_registry", 
@@ -213,6 +214,7 @@ envoy_cc_test_library( "@envoy//source/exe:process_wide_lib", "@envoy//test/integration:autonomous_upstream_lib", "@envoy//test/integration:utility_lib", + "@envoy//test/mocks/server:server_factory_context_mocks", "@envoy//test/mocks/server:transport_socket_factory_context_mocks", "@envoy//test/test_common:environment_lib", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", diff --git a/mobile/test/common/integration/test_server.cc b/mobile/test/common/integration/test_server.cc index 5c478560fa55..6e840f9c8545 100644 --- a/mobile/test/common/integration/test_server.cc +++ b/mobile/test/common/integration/test_server.cc @@ -25,7 +25,7 @@ namespace Envoy { Network::DownstreamTransportSocketFactoryPtr TestServer::createQuicUpstreamTlsContext( testing::NiceMock& factory_context) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; - Extensions::TransportSockets::Tls::ContextManagerImpl context_manager{time_system_}; + Extensions::TransportSockets::Tls::ContextManagerImpl context_manager{server_factory_context_}; tls_context.mutable_common_tls_context()->add_alpn_protocols("h3"); envoy::extensions::transport_sockets::tls::v3::TlsCertificate* certs = tls_context.mutable_common_tls_context()->add_tls_certificates(); diff --git a/mobile/test/common/integration/test_server.h b/mobile/test/common/integration/test_server.h index dc3e7786e87e..6c7c0506b6f0 100644 --- a/mobile/test/common/integration/test_server.h +++ b/mobile/test/common/integration/test_server.h @@ -8,6 +8,7 @@ #include "envoy/extensions/transport_sockets/quic/v3/quic_transport.pb.h" #include "test/integration/autonomous_upstream.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/server/transport_socket_factory_context.h" #include "test/integration/server.h" 
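Review bot: In `TestServer::createQuicUpstreamTlsContext` the local `ContextManagerImpl` now takes its clock from `server_factory_context_.timeSource()` instead of the test server's own `time_system_`, so certificate-expiry and OCSP checks in contexts built here use whatever time source the `NiceMock` returns, which is not visibly tied to `time_system_`. The same swap happens for the `context_manager_` members in test_server.h and xds_test_server.h. If the mock does not already return the same time system, wire it in the constructor, e.g. `ON_CALL(server_factory_context_, timeSource()).WillByDefault(testing::ReturnRef(time_system_));`, or add a comment stating that the two clocks are intentionally the same object. The surrounding class bodies are outside these hunks, so this is inferred from the member declarations shown.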
@@ -26,6 +27,7 @@ enum class TestServerType { class TestServer : public ListenerHooks { private: testing::NiceMock factory_context_; + testing::NiceMock server_factory_context_; Stats::IsolatedStoreImpl stats_store_; Event::GlobalTimeSystem time_system_; Api::ApiPtr api_; @@ -35,7 +37,7 @@ class TestServer : public ListenerHooks { Thread::SkipAsserts skip_asserts_; ProcessWide process_wide; Thread::MutexBasicLockable lock; - Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{time_system_}; + Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{server_factory_context_}; std::unique_ptr runfiles_; // Either test_server_ will be set for test_server_type is a proxy, otherwise upstream_ will be diff --git a/mobile/test/common/integration/xds_test_server.h b/mobile/test/common/integration/xds_test_server.h index de2fa1252721..f00bc8cb4030 100644 --- a/mobile/test/common/integration/xds_test_server.h +++ b/mobile/test/common/integration/xds_test_server.h @@ -7,6 +7,7 @@ #include "test/integration/fake_upstream.h" #include "test/integration/server.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/server/transport_socket_factory_context.h" #include "test/test_common/test_time.h" @@ -36,6 +37,7 @@ class XdsTestServer { private: testing::NiceMock factory_context_; + testing::NiceMock server_factory_context_; Stats::IsolatedStoreImpl stats_store_; Event::GlobalTimeSystem time_system_; Api::ApiPtr api_; @@ -44,7 +46,7 @@ class XdsTestServer { Event::DispatcherPtr dispatcher_; FakeUpstreamConfig upstream_config_; Thread::MutexBasicLockable lock_; - Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{time_system_}; + Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{server_factory_context_}; std::unique_ptr runfiles_; std::unique_ptr xds_upstream_; FakeHttpConnectionPtr xds_connection_; 
diff --git a/mobile/test/common/integration/xds_test_server_interface.cc b/mobile/test/common/integration/xds_test_server_interface.cc index 12152d5d9071..d4476e768327 100644 --- a/mobile/test/common/integration/xds_test_server_interface.cc +++ b/mobile/test/common/integration/xds_test_server_interface.cc @@ -12,6 +12,10 @@ static std::weak_ptr weak_test_server_; static std::shared_ptr testServer() { return weak_test_server_.lock(); } void initXdsServer() { + // This is called via JNI from kotlin tests, and Envoy doesn't consider it a test thread + // which triggers some failures of `ASSERT_IS_MAIN_OR_TEST_THREAD()`. + Envoy::Thread::SkipAsserts skip; + Envoy::ExtensionRegistry::registerFactories(); strong_test_server_ = std::make_shared(); weak_test_server_ = strong_test_server_; diff --git a/source/common/common/matchers.cc b/source/common/common/matchers.cc index d69fe3c72822..4dded56b26f0 100644 --- a/source/common/common/matchers.cc +++ b/source/common/common/matchers.cc @@ -201,9 +201,10 @@ bool PathMatcher::match(const absl::string_view path) const { return matcher_.match(Http::PathUtil::removeQueryAndFragment(path)); } -StringMatcherPtr getExtensionStringMatcher(const ::xds::core::v3::TypedExtensionConfig& config) { +StringMatcherPtr getExtensionStringMatcher(const ::xds::core::v3::TypedExtensionConfig& config, + ThreadLocal::SlotAllocator& tls, Api::Api& api) { auto factory = Config::Utility::getAndCheckFactory(config, false); - return factory->createStringMatcher(config.typed_config()); + return factory->createStringMatcher(config.typed_config(), tls, api); } } // namespace Matchers diff --git a/source/common/common/matchers.h b/source/common/common/matchers.h index ae66633b6660..49b68c705a42 100644 --- a/source/common/common/matchers.h +++ b/source/common/common/matchers.h 
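Review bot: The `Envoy::Thread::SkipAsserts skip;` guard in `initXdsServer` only spans that function, while this same change adds `ASSERT_IS_MAIN_OR_TEST_THREAD()` to `ContextManagerImpl::createSslClientContext` and `createSslServerContext`; any TLS context creation that the JNI thread drives after `initXdsServer` returns (server start, upstream setup) would still trip the assert in debug builds. The other JNI entry points are outside this hunk, so this may already be handled there, but it is worth stating next to the guard: `// Only covers this call; later JNI entry points that create TLS contexts need their own guard.` Consider also naming the guard for what it protects, e.g. `skip_thread_asserts`, since `skip` reads like an unused local.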
@@ -86,24 +86,36 @@ class UniversalStringMatcher : public StringMatcher { bool match(absl::string_view) const override { return true; } }; -StringMatcherPtr getExtensionStringMatcher(const ::xds::core::v3::TypedExtensionConfig& config); +StringMatcherPtr getExtensionStringMatcher(const ::xds::core::v3::TypedExtensionConfig& config, + ThreadLocal::SlotAllocator& tls, Api::Api& api); template -class StringMatcherImpl : public ValueMatcher, public StringMatcher { +class PrivateStringMatcherImpl : public ValueMatcher, public StringMatcher { public: - explicit StringMatcherImpl(const StringMatcherType& matcher) : matcher_(matcher) { + // TODO(ggreenway): convert all but the first parameter into + // `Server::Configuration::CommonFactoryContext`. + explicit PrivateStringMatcherImpl(const StringMatcherType& matcher, Regex::Engine* regex_engine, + ThreadLocal::SlotAllocator* tls, Api::Api* api) + : matcher_(matcher) { if (matcher.match_pattern_case() == StringMatcherType::MatchPatternCase::kSafeRegex) { if (matcher.ignore_case()) { ExceptionUtil::throwEnvoyException("ignore_case has no effect for safe_regex."); } - regex_ = Regex::Utility::parseRegex(matcher_.safe_regex()); + if (regex_engine != nullptr) { + regex_ = Regex::Utility::parseRegex(matcher_.safe_regex(), *regex_engine); + } else { + // TODO(ggreenway): remove this branch when we always have an engine. This is only + // needed to make tests not complain about dereferencing a null pointer, even though + // the reference isn't actually used. + regex_ = Regex::Utility::parseRegex(matcher_.safe_regex()); + } } else if (matcher.match_pattern_case() == StringMatcherType::MatchPatternCase::kContains) { if (matcher_.ignore_case()) { // Cache the lowercase conversion of the Contains matcher for future use lowercase_contains_match_ = absl::AsciiStrToLower(matcher_.contains()); } } else { - initialize(matcher); + initialize(matcher, tls, api); } } 
@@ -143,11 +155,13 @@ class StringMatcherImpl : public ValueMatcher, public StringMatcher { // overloading to only handle that case for type `envoy::type::matcher::v3::StringMatcher` to // prevent compilation errors on use of `kCustom`. - void initialize(const xds::type::matcher::v3::StringMatcher&) {} + void initialize(const xds::type::matcher::v3::StringMatcher&, ThreadLocal::SlotAllocator*, + Api::Api*) {} - void initialize(const envoy::type::matcher::v3::StringMatcher& matcher) { + void initialize(const envoy::type::matcher::v3::StringMatcher& matcher, + ThreadLocal::SlotAllocator* tls, Api::Api* api) { if (matcher.has_custom()) { - custom_ = getExtensionStringMatcher(matcher.custom()); + custom_ = getExtensionStringMatcher(matcher.custom(), *tls, *api); } } 
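Review bot: `initialize(const envoy::type::matcher::v3::StringMatcher&, ThreadLocal::SlotAllocator* tls, Api::Api* api)` dereferences `*tls` and `*api` unconditionally, yet the constructor in the previous hunk accepts them as nullable pointers and explicitly handles `regex_engine == nullptr`; the legacy `StringMatcherImpl` wrapper feeds these from `InjectableSingleton::getExisting()`, which by its name may return null. A matcher config using `custom` on that path would then dereference a null pointer rather than fail with a clear message. Guard it the same way the regex branch does: `if (tls == nullptr || api == nullptr) {` / `  ExceptionUtil::throwEnvoyException("custom string matcher requires thread-local and API context");` / `}` before the `getExtensionStringMatcher` call. The enclosing class continues outside this hunk.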
@@ -193,9 +207,34 @@ class StringMatcherImpl : public ValueMatcher, public StringMatcher { StringMatcherPtr custom_; }; +// Temporarily create two separate types with different constructors, inheriting from the same +// implementation, to make it easier to find and replace all usage of the old one. +// TODO(ggreenway): delete these two extra classes, make `PrivateStringMatcherImpl` back into +// `StringMatcherImpl`. +template +class StringMatcherImplWithContext : public PrivateStringMatcherImpl { +public: + explicit StringMatcherImplWithContext(const StringMatcherType& matcher, + Server::Configuration::CommonFactoryContext& context) + : PrivateStringMatcherImpl(matcher, &context.regexEngine(), + &context.threadLocal(), &context.api()) {} +}; + +template +class StringMatcherImpl : public PrivateStringMatcherImpl { +public: + explicit StringMatcherImpl(const StringMatcherType& matcher) + : PrivateStringMatcherImpl( + matcher, Regex::EngineSingleton::getExisting(), + InjectableSingleton::getExisting(), + InjectableSingleton::getExisting()) {} +}; + class StringMatcherExtensionFactory : public Config::TypedFactory { public: - virtual StringMatcherPtr createStringMatcher(const ProtobufWkt::Any& config) PURE; + // TODO(ggreenway): Convert all but first parameter to `CommonFactoryContext`. + virtual StringMatcherPtr createStringMatcher(const ProtobufWkt::Any& config, + ThreadLocal::SlotAllocator& tls, Api::Api& api) PURE; std::string category() const override { return "envoy.string_matcher"; } }; diff --git a/source/common/common/regex.h b/source/common/common/regex.h index 4189df75fc24..e64fcf90f2ec 100644 --- a/source/common/common/regex.h +++ b/source/common/common/regex.h 
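Review bot: The new pure virtual `StringMatcherExtensionFactory::createStringMatcher(const ProtobufWkt::Any& config, ThreadLocal::SlotAllocator& tls, Api::Api& api)` is documented only by a TODO, but implementations retain what they are given: the Lua matcher allocates a `TypedSlot` from `tls` and keeps it for the matcher's lifetime. The interface should say so, e.g. `/** Creates a matcher from the typed config. @param tls and @param api must outlive the returned matcher, which may hold thread-local slots or other state allocated from them. */`. `StringMatcherImplWithContext` would also benefit from a one-line comment stating it is the replacement callers should migrate to, since the class-level comment above it only explains why two types exist.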
@@ -79,6 +79,16 @@ class Utility { return EngineSingleton::get().matcher(matcher.regex()); } + + template + static CompiledMatcherPtr parseRegex(const RegexMatcherType& matcher, Engine& engine) { + // Fallback deprecated engine type in regex matcher. + if (matcher.has_google_re2()) { + return std::make_unique(matcher); + } + + return engine.matcher(matcher.regex()); + } }; } // namespace Regex diff --git a/source/common/tls/cert_validator/default_validator.cc b/source/common/tls/cert_validator/default_validator.cc index 8d049f7ba0c9..39319a7312b3 100644 --- a/source/common/tls/cert_validator/default_validator.cc +++ b/source/common/tls/cert_validator/default_validator.cc @@ -44,8 +44,8 @@ namespace Tls { DefaultCertValidator::DefaultCertValidator( const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, - TimeSource& time_source) - : config_(config), stats_(stats), time_source_(time_source) { + Server::Configuration::CommonFactoryContext& context) + : config_(config), stats_(stats), context_(context) { if (config_ != nullptr) { allow_untrusted_certificate_ = config_->trustChainVerification() == envoy::extensions::transport_sockets::tls::v3:: @@ -155,7 +155,7 @@ int DefaultCertValidator::initializeSslContexts(std::vector contexts, if (!cert_validation_config->subjectAltNameMatchers().empty()) { for (const envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher& matcher : cert_validation_config->subjectAltNameMatchers()) { - auto san_matcher = createStringSanMatcher(matcher); + auto san_matcher = createStringSanMatcher(matcher, context_); if (san_matcher == nullptr) { throwEnvoyExceptionOrPanic( absl::StrCat("Failed to create string SAN matcher of type ", matcher.san_type())); 
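Review bot: In the new `Utility::parseRegex(const RegexMatcherType& matcher, Engine& engine)` overload the `has_google_re2()` branch ignores `engine` entirely and compiles the matcher directly, so a regex written with the deprecated `google_re2` field is built outside whatever engine the server was configured with; if that engine carries options or limits, they do not apply on this path. That is presumably intentional for compatibility, but the comment `// Fallback deprecated engine type in regex matcher.` does not say that the passed engine is bypassed. Suggest `// Deprecated google_re2 matchers are compiled directly and bypass `engine` and its configuration.` plus a Doxygen header for the overload: `/** Compiles matcher.regex() with the given engine. @param engine the regex engine to use unless the deprecated google_re2 field is set. */`.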
@@ -548,18 +548,19 @@ Envoy::Ssl::CertificateDetailsPtr DefaultCertValidator::getCaCertInformation() c if (ca_cert_ == nullptr) { return nullptr; } - return Utility::certificateDetails(ca_cert_.get(), getCaFileName(), time_source_); + return Utility::certificateDetails(ca_cert_.get(), getCaFileName(), context_.timeSource()); } absl::optional DefaultCertValidator::daysUntilFirstCertExpires() const { - return Utility::getDaysUntilExpiration(ca_cert_.get(), time_source_); + return Utility::getDaysUntilExpiration(ca_cert_.get(), context_.timeSource()); } class DefaultCertValidatorFactory : public CertValidatorFactory { public: - CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source) override { - return std::make_unique(config, stats, time_source); + CertValidatorPtr + createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + Server::Configuration::CommonFactoryContext& context) override { + return std::make_unique(config, stats, context); } std::string name() const override { return "envoy.tls.cert_validator.default"; } diff --git a/source/common/tls/cert_validator/default_validator.h b/source/common/tls/cert_validator/default_validator.h index c3e88bd09ca1..f17a01dd3d5d 100644 --- a/source/common/tls/cert_validator/default_validator.h +++ b/source/common/tls/cert_validator/default_validator.h @@ -35,7 +35,7 @@ namespace Tls { class DefaultCertValidator : public CertValidator, Logger::Loggable { public: DefaultCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source); + SslStats& stats, Server::Configuration::CommonFactoryContext& context); ~DefaultCertValidator() override = default; @@ -110,7 +110,7 @@ class DefaultCertValidator : public CertValidator, Logger::Loggable ca_cert_; 
diff --git a/source/common/tls/cert_validator/factory.h b/source/common/tls/cert_validator/factory.h index 40f3fc3de92b..8f6aebbd6b4c 100644 --- a/source/common/tls/cert_validator/factory.h +++ b/source/common/tls/cert_validator/factory.h @@ -21,7 +21,7 @@ class CertValidatorFactory : public Config::UntypedFactory { public: virtual CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, - TimeSource& time_source) PURE; + Server::Configuration::CommonFactoryContext& context) PURE; std::string category() const override { return "envoy.tls.cert_validator"; } }; diff --git a/source/common/tls/cert_validator/san_matcher.cc b/source/common/tls/cert_validator/san_matcher.cc index 13429c3fcdcc..0229ca1c1273 100644 --- a/source/common/tls/cert_validator/san_matcher.cc +++ b/source/common/tls/cert_validator/san_matcher.cc @@ -28,7 +28,8 @@ bool StringSanMatcher::match(const GENERAL_NAME* general_name) const { } SanMatcherPtr createStringSanMatcher( - envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher const& matcher) { + envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher const& matcher, + Server::Configuration::CommonFactoryContext& context) { // Verify that a new san type has not been added. static_assert(envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SanType_MAX == 4); 
@@ -36,13 +37,13 @@ SanMatcherPtr createStringSanMatcher( switch (matcher.san_type()) { PANIC_ON_PROTO_ENUM_SENTINEL_VALUES; case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::DNS: - return SanMatcherPtr{std::make_unique(GEN_DNS, matcher.matcher())}; + return SanMatcherPtr{std::make_unique(GEN_DNS, matcher.matcher(), context)}; case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::EMAIL: - return SanMatcherPtr{std::make_unique(GEN_EMAIL, matcher.matcher())}; + return SanMatcherPtr{std::make_unique(GEN_EMAIL, matcher.matcher(), context)}; case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::URI: - return SanMatcherPtr{std::make_unique(GEN_URI, matcher.matcher())}; + return SanMatcherPtr{std::make_unique(GEN_URI, matcher.matcher(), context)}; case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::IP_ADDRESS: - return SanMatcherPtr{std::make_unique(GEN_IPADD, matcher.matcher())}; + return SanMatcherPtr{std::make_unique(GEN_IPADD, matcher.matcher(), context)}; case envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SAN_TYPE_UNSPECIFIED: PANIC("unhandled value"); } diff --git a/source/common/tls/cert_validator/san_matcher.h b/source/common/tls/cert_validator/san_matcher.h index 260e9cc3075e..b9409555209e 100644 --- a/source/common/tls/cert_validator/san_matcher.h +++ b/source/common/tls/cert_validator/san_matcher.h 
@@ -34,16 +34,18 @@ class StringSanMatcher : public SanMatcher { public: bool match(const GENERAL_NAME* general_name) const override; ~StringSanMatcher() override = default; - StringSanMatcher(int general_name_type, envoy::type::matcher::v3::StringMatcher matcher) - : general_name_type_(general_name_type), matcher_(matcher) {} + StringSanMatcher(int general_name_type, envoy::type::matcher::v3::StringMatcher matcher, + Server::Configuration::CommonFactoryContext& context) + : general_name_type_(general_name_type), matcher_(matcher, context) {} private: const int general_name_type_; - const Matchers::StringMatcherImpl matcher_; + const Matchers::StringMatcherImplWithContext matcher_; }; SanMatcherPtr createStringSanMatcher( - const envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher& matcher); + const envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher& matcher, + Server::Configuration::CommonFactoryContext& context); } // namespace Tls } // namespace TransportSockets diff --git a/source/common/tls/context_impl.cc b/source/common/tls/context_impl.cc index 7d86c94bd5f6..2669fd8559f5 100644 --- a/source/common/tls/context_impl.cc +++ b/source/common/tls/context_impl.cc @@ -80,8 +80,9 @@ int ContextImpl::sslExtendedSocketInfoIndex() { } ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, - TimeSource& time_source, Ssl::ContextAdditionalInitFunc additional_init) - : scope_(scope), stats_(generateSslStats(scope)), time_source_(time_source), + Server::Configuration::CommonFactoryContext& factory_context, + Ssl::ContextAdditionalInitFunc additional_init) + : scope_(scope), stats_(generateSslStats(scope)), factory_context_(factory_context), tls_max_version_(config.maxProtocolVersion()), stat_name_set_(scope.symbolTable().makeSet("TransportSockets::Tls")), unknown_ssl_cipher_(stat_name_set_->add("unknown_ssl_cipher")), 
@@ -104,7 +105,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c } cert_validator_ = cert_validator_factory->createCertValidator( - config.certificateValidationContext(), stats_, time_source_); + config.certificateValidationContext(), stats_, factory_context_); const auto tls_certificates = config.tlsCertificates(); tls_contexts_.resize(std::max(static_cast(1), tls_certificates.size())); @@ -609,7 +610,7 @@ absl::optional ContextImpl::daysUntilFirstCertExpires() const { } for (auto& ctx : tls_contexts_) { const absl::optional tmp = - Utility::getDaysUntilExpiration(ctx.cert_chain_.get(), time_source_); + Utility::getDaysUntilExpiration(ctx.cert_chain_.get(), factory_context_.timeSource()); if (!tmp.has_value()) { return absl::nullopt; } @@ -643,7 +644,7 @@ std::vector ContextImpl::getCertChainInformat } auto detail = Utility::certificateDetails(ctx.cert_chain_.get(), ctx.getCertChainFileName(), - time_source_); + factory_context_.timeSource()); auto ocsp_resp = ctx.ocsp_response_.get(); if (ocsp_resp) { auto* ocsp_details = detail->mutable_ocsp_details(); @@ -659,8 +660,8 @@ std::vector ContextImpl::getCertChainInformat ClientContextImpl::ClientContextImpl(Stats::Scope& scope, const Envoy::Ssl::ClientContextConfig& config, - TimeSource& time_source) - : ContextImpl(scope, config, time_source, nullptr /* additional_init */), + Server::Configuration::CommonFactoryContext& factory_context) + : ContextImpl(scope, config, factory_context, nullptr /* additional_init */), server_name_indication_(config.serverNameIndication()), allow_renegotiation_(config.allowRenegotiation()), enforce_rsa_key_usage_(config.enforceRsaKeyUsage()), 
@@ -789,9 +790,9 @@ int ClientContextImpl::newSessionKey(SSL_SESSION* session) { ServerContextImpl::ServerContextImpl(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, const std::vector& server_names, - TimeSource& time_source, + Server::Configuration::CommonFactoryContext& factory_context, Ssl::ContextAdditionalInitFunc additional_init) - : ContextImpl(scope, config, time_source, additional_init), + : ContextImpl(scope, config, factory_context, additional_init), session_ticket_keys_(config.sessionTicketKeys()), ocsp_staple_policy_(config.ocspStaplePolicy()), full_scan_certs_on_sni_mismatch_(config.fullScanCertsOnSNIMismatch()) { @@ -888,7 +889,8 @@ ServerContextImpl::ServerContextImpl(Stats::Scope& scope, throwEnvoyExceptionOrPanic("Required OCSP response is missing from TLS context"); } } else { - auto response = std::make_unique(ocsp_resp_bytes, time_source_); + auto response = std::make_unique(ocsp_resp_bytes, + factory_context_.timeSource()); if (!response->matchesCertificate(*ctx.cert_chain_)) { throwEnvoyExceptionOrPanic("OCSP response does not match its TLS certificate"); } diff --git a/source/common/tls/context_impl.h b/source/common/tls/context_impl.h index 9bffa93a74a4..71f04229af51 100644 --- a/source/common/tls/context_impl.h +++ b/source/common/tls/context_impl.h @@ -115,7 +115,8 @@ class ContextImpl : public virtual Envoy::Ssl::Context, protected: friend class ContextImplPeer; - ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, TimeSource& time_source, + ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config, + Server::Configuration::CommonFactoryContext& factory_context, Ssl::ContextAdditionalInitFunc additional_init); /** 
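Review bot: context_impl.h now names `Server::Configuration::CommonFactoryContext` in the protected `ContextImpl` constructor and, in the following hunks, in the `factory_context_` member and the `ClientContextImpl`/`ServerContextImpl` constructors, but no include or forward declaration for it appears in this header's visible hunks; context_manager_impl.h adds `#include "envoy/server/factory_context.h"` for the same reason. If context_impl.h currently compiles only through a transitive include, add the same `#include "envoy/server/factory_context.h"` to its include block, or a `namespace Server::Configuration { class CommonFactoryContext; }` forward declaration, so the header stays self-contained. The top of the header is outside the hunks shown, so this is inferred.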
@@ -151,7 +152,7 @@ class ContextImpl : public virtual Envoy::Ssl::Context, std::vector parsed_alpn_protocols_; bssl::UniquePtr cert_chain_; std::string cert_chain_file_path_; - TimeSource& time_source_; + Server::Configuration::CommonFactoryContext& factory_context_; const unsigned tls_max_version_; mutable Stats::StatNameSetPtr stat_name_set_; const Stats::StatName unknown_ssl_cipher_; @@ -173,7 +174,7 @@ using ContextImplSharedPtr = std::shared_ptr; class ClientContextImpl : public ContextImpl, public Envoy::Ssl::ClientContext { public: ClientContextImpl(Stats::Scope& scope, const Envoy::Ssl::ClientContextConfig& config, - TimeSource& time_source); + Server::Configuration::CommonFactoryContext& factory_context); bssl::UniquePtr newSsl(const Network::TransportSocketOptionsConstSharedPtr& options) override; @@ -195,7 +196,8 @@ enum class OcspStapleAction { Staple, NoStaple, Fail, ClientNotCapable }; class ServerContextImpl : public ContextImpl, public Envoy::Ssl::ServerContext { public: ServerContextImpl(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, - const std::vector& server_names, TimeSource& time_source, + const std::vector& server_names, + Server::Configuration::CommonFactoryContext& factory_context, Ssl::ContextAdditionalInitFunc additional_init); // Select the TLS certificate context in SSL_CTX_set_select_certificate_cb() callback with diff --git a/source/common/tls/context_manager_impl.cc b/source/common/tls/context_manager_impl.cc index b76a81264e21..1c0e8d027aeb 100644 --- a/source/common/tls/context_manager_impl.cc +++ b/source/common/tls/context_manager_impl.cc 
@@ -15,17 +15,19 @@ namespace Extensions { namespace TransportSockets { namespace Tls { -ContextManagerImpl::ContextManagerImpl(TimeSource& time_source) : time_source_(time_source) {} +ContextManagerImpl::ContextManagerImpl(Server::Configuration::CommonFactoryContext& factory_context) + : factory_context_(factory_context) {} Envoy::Ssl::ClientContextSharedPtr ContextManagerImpl::createSslClientContext(Stats::Scope& scope, const Envoy::Ssl::ClientContextConfig& config) { + ASSERT_IS_MAIN_OR_TEST_THREAD(); if (!config.isReady()) { return nullptr; } Envoy::Ssl::ClientContextSharedPtr context = - std::make_shared(scope, config, time_source_); + std::make_shared(scope, config, factory_context_); contexts_.insert(context); return context; } @@ -33,12 +35,13 @@ ContextManagerImpl::createSslClientContext(Stats::Scope& scope, Envoy::Ssl::ServerContextSharedPtr ContextManagerImpl::createSslServerContext( Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, const std::vector& server_names, Ssl::ContextAdditionalInitFunc additional_init) { + ASSERT_IS_MAIN_OR_TEST_THREAD(); if (!config.isReady()) { return nullptr; } Envoy::Ssl::ServerContextSharedPtr context = std::make_shared( - scope, config, server_names, time_source_, std::move(additional_init)); + scope, config, server_names, factory_context_, std::move(additional_init)); contexts_.insert(context); return context; } diff --git a/source/common/tls/context_manager_impl.h b/source/common/tls/context_manager_impl.h index db72e1d308e0..31df3addd743 100644 --- a/source/common/tls/context_manager_impl.h +++ b/source/common/tls/context_manager_impl.h @@ -5,6 +5,7 @@ #include #include "envoy/common/time.h" +#include "envoy/server/factory_context.h" #include "envoy/ssl/context_manager.h" #include "envoy/ssl/private_key/private_key.h" #include "envoy/stats/scope.h" 
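Review bot: `ASSERT_IS_MAIN_OR_TEST_THREAD()` is added at the top of `createSslClientContext` and `createSslServerContext`, but neither body shown here takes a lock around `contexts_.insert(context)`, while the header comment still states that contexts can be released from any thread. If `removeContext` can run concurrently from a worker, the assert only documents the expectation in debug builds and release builds keep a potential concurrent mutation of `contexts_`; if a global lock is taken elsewhere, it is not visible in these hunks. Either way, state the invariant next to the assert: `// contexts_ is only mutated on the main thread; removeContext relies on the same serialization.` so the next reader does not have to reconstruct it. `removeContext` itself is outside this hunk.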
@@ -18,14 +19,13 @@ namespace Tls { /** * The SSL context manager has the following threading model: - * Contexts can be allocated via any thread (through in practice they are only allocated on the main - * thread). They can be released from any thread (and in practice are since cluster information can - * be released from any thread). Context allocation/free is a very uncommon thing so we just do a - * global lock to protect it all. + * Contexts can be allocated the main thread. They can be released from any thread (and in practice + * are since cluster information can be released from any thread). Context allocation/free is a very + * uncommon thing so we just do a global lock to protect it all. */ class ContextManagerImpl final : public Envoy::Ssl::ContextManager { public: - explicit ContextManagerImpl(TimeSource& time_source); + explicit ContextManagerImpl(Server::Configuration::CommonFactoryContext& factory_context); ~ContextManagerImpl() override = default; // Ssl::ContextManager @@ -45,7 +45,7 @@ class ContextManagerImpl final : public Envoy::Ssl::ContextManager { void removeContext(const Envoy::Ssl::ContextSharedPtr& old_context) override; private: - TimeSource& time_source_; + Server::Configuration::CommonFactoryContext& factory_context_; absl::flat_hash_set contexts_; PrivateKeyMethodManagerImpl private_key_method_manager_{}; }; diff --git a/source/extensions/string_matcher/lua/match.cc b/source/extensions/string_matcher/lua/match.cc index fd24f17f81f0..c6ee81e7022c 100644 --- a/source/extensions/string_matcher/lua/match.cc +++ b/source/extensions/string_matcher/lua/match.cc 
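Review bot: The rewritten threading-model comment on `ContextManagerImpl` has lost a word: `Contexts can be allocated the main thread.` should read `Contexts can be allocated on the main thread.` Since the same change introduces `ASSERT_IS_MAIN_OR_TEST_THREAD()` in the create paths, the comment could also say that this is now enforced in debug builds, e.g. `Contexts can only be allocated on the main thread (asserted in debug builds).`, so the comment and the code describe the same contract.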
@@ -77,12 +77,11 @@ bool LuaStringMatcher::match(const absl::string_view value) const { // Lua state is not thread safe, so a state needs to be stored in thread local storage. class LuaStringMatcherThreadWrapper : public Matchers::StringMatcher { public: - LuaStringMatcherThreadWrapper(const std::string& code) { + LuaStringMatcherThreadWrapper(const std::string& code, ThreadLocal::SlotAllocator& tls) { // Validate that there are no errors while creating on the main thread. LuaStringMatcher validator(code); - tls_slot_ = ThreadLocal::TypedSlot::makeUnique( - *InjectableSingleton::getExisting()); + tls_slot_ = ThreadLocal::TypedSlot::makeUnique(tls); tls_slot_->set([code](Event::Dispatcher&) -> std::shared_ptr { return std::make_shared(code); }); @@ -95,18 +94,18 @@ class LuaStringMatcherThreadWrapper : public Matchers::StringMatcher { }; Matchers::StringMatcherPtr -LuaStringMatcherFactory::createStringMatcher(const ProtobufWkt::Any& message) { +LuaStringMatcherFactory::createStringMatcher(const ProtobufWkt::Any& message, + ThreadLocal::SlotAllocator& tls, Api::Api& api) { ::envoy::extensions::string_matcher::lua::v3::Lua config; Config::Utility::translateOpaqueConfig(message, ProtobufMessage::getStrictValidationVisitor(), config); - Api::Api* api = InjectableSingleton::getExisting(); absl::StatusOr result = Config::DataSource::read( - config.source_code(), false /* allow_empty */, *api, 0 /* max_size */); + config.source_code(), false /* allow_empty */, api, 0 /* max_size */); if (!result.ok()) { throw EnvoyException( fmt::format("Failed to get lua string matcher code from source: {}", result.status())); } - return std::make_unique(*result); + return std::make_unique(*result, tls); } ProtobufTypes::MessagePtr LuaStringMatcherFactory::createEmptyConfigProto() { diff --git a/source/extensions/string_matcher/lua/match.h b/source/extensions/string_matcher/lua/match.h index 8452a24b0832..2777bcf76220 100644 --- a/source/extensions/string_matcher/lua/match.h 
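Review bot: In the createStringMatcher hunk the retained call `Config::DataSource::read(config.source_code(), false /* allow_empty */, api, 0 /* max_size */)` still carries an argument comment that names the parameter but not what `0` means; if `0` disables the size limit, as the name suggests (confirm against DataSource::read), the Lua source is read into memory unbounded at config-load time. A comment such as `0 /* max_size: no limit; source_code comes from trusted configuration */` would make that intent explicit, or a reasonable cap could be passed instead. Separately, the new `tls` reference taken by LuaStringMatcherThreadWrapper's constructor is only used to build `tls_slot_` and is not stored, which deserves a short comment so readers do not assume a lifetime dependency on the allocator.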
+++ b/source/extensions/string_matcher/lua/match.h @@ -29,7 +29,9 @@ class LuaStringMatcher : public Matchers::StringMatcher, public ThreadLocal::Thr class LuaStringMatcherFactory : public Matchers::StringMatcherExtensionFactory { public: - Matchers::StringMatcherPtr createStringMatcher(const ProtobufWkt::Any& message) override; + Matchers::StringMatcherPtr createStringMatcher(const ProtobufWkt::Any& message, + ThreadLocal::SlotAllocator& tls, + Api::Api& api) override; std::string name() const override { return "envoy.string_matcher.lua"; } ProtobufTypes::MessagePtr createEmptyConfigProto() override; }; diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index 4c6f6fb3dc30..13f5011c7c01 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc @@ -31,8 +31,9 @@ namespace Tls { using SPIFFEConfig = envoy::extensions::transport_sockets::tls::v3::SPIFFECertValidatorConfig; SPIFFEValidator::SPIFFEValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source) - : stats_(stats), time_source_(time_source) { + SslStats& stats, + Server::Configuration::CommonFactoryContext& context) + : stats_(stats), time_source_(context.timeSource()) { ASSERT(config != nullptr); allow_expired_certificate_ = config->allowExpiredCertificate(); 
@@ -48,7 +49,7 @@ SPIFFEValidator::SPIFFEValidator(const Envoy::Ssl::CertificateValidationContextC // SAN types. See the discussion: https://github.com/envoyproxy/envoy/issues/15392 // TODO(pradeepcrao): Throw an exception when a non-URI matcher is encountered after the // deprecated field match_subject_alt_names is removed - subject_alt_name_matchers_.emplace_back(createStringSanMatcher(matcher)); + subject_alt_name_matchers_.emplace_back(createStringSanMatcher(matcher, context)); } } } @@ -310,9 +311,10 @@ Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const class SPIFFEValidatorFactory : public CertValidatorFactory { public: - CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source) override { - return std::make_unique(config, stats, time_source); + CertValidatorPtr + createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + Server::Configuration::CommonFactoryContext& context) override { + return std::make_unique(config, stats, context); } std::string name() const override { return "envoy.tls.cert_validator.spiffe"; } diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h index 4bb140dbe63b..0c8a93a80f16 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h @@ -35,7 +35,7 @@ class SPIFFEValidator : public CertValidator { SPIFFEValidator(SslStats& stats, TimeSource& time_source) : stats_(stats), time_source_(time_source){}; SPIFFEValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, - TimeSource& time_source); + Server::Configuration::CommonFactoryContext& context); ~SPIFFEValidator() override = default; // Tls::CertValidator 
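Review bot: After the spiffe_validator.h hunk SPIFFEValidator exposes two constructors with different dependency shapes: the unchanged `SPIFFEValidator(SslStats& stats, TimeSource& time_source)` and the new one taking `Server::Configuration::CommonFactoryContext& context`. If the two-argument form is test-only, a comment next to it such as `// Test-only: skips config parsing; production code uses the CommonFactoryContext overload.` would stop the TimeSource path from being mistaken for a supported construction route; otherwise routing it through the context as well would keep the API uniform. In the .cc hunk at line 31 the constructor stores `context.timeSource()` as `time_source_` but forwards `context` itself to createStringSanMatcher, so whether the matchers retain that reference beyond the validator's lifetime is outside this diff and worth stating where `context` is consumed.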
diff --git a/source/extensions/transport_sockets/tls/config.cc b/source/extensions/transport_sockets/tls/config.cc index ec2f39b60aed..1d652c0d1545 100644 --- a/source/extensions/transport_sockets/tls/config.cc +++ b/source/extensions/transport_sockets/tls/config.cc @@ -51,8 +51,9 @@ ProtobufTypes::MessagePtr DownstreamSslSocketFactory::createEmptyConfigProto() { LEGACY_REGISTER_FACTORY(DownstreamSslSocketFactory, Server::Configuration::DownstreamTransportSocketConfigFactory, "tls"); -Ssl::ContextManagerPtr SslContextManagerFactory::createContextManager(TimeSource& time_source) { - return std::make_unique(time_source); +Ssl::ContextManagerPtr SslContextManagerFactory::createContextManager( + Server::Configuration::CommonFactoryContext& factory_context) { + return std::make_unique(factory_context); } static Envoy::Registry::RegisterInternalFactory(admin()->getConfigTracker()); - ssl_context_manager_ = createContextManager("ssl_context_manager", api_->timeSource()); + ssl_context_manager_ = createContextManager("ssl_context_manager", server_contexts_); cluster_manager_factory_ = std::make_unique( server_contexts_, stats(), threadLocal(), http_context_, [this]() -> Network::DnsResolverSharedPtr { return this->dnsResolver(); }, diff --git a/source/server/config_validation/server.h b/source/server/config_validation/server.h index fc301751e57d..9f1bb41c031d 100644 --- a/source/server/config_validation/server.h +++ b/source/server/config_validation/server.h 
@@ -123,6 +123,7 @@ class ValidationInstance final : Logger::Loggable, bool enableReusePortDefault() override { return true; } Configuration::StatsConfig& statsConfig() override { return config_.statsConfig(); } + Regex::Engine& regexEngine() override { return *regex_engine_; } envoy::config::bootstrap::v3::Bootstrap& bootstrap() override { return bootstrap_; } Configuration::ServerFactoryContext& serverFactoryContext() override { return server_contexts_; } Configuration::TransportSocketFactoryContext& transportSocketFactoryContext() override { @@ -194,6 +195,7 @@ class ValidationInstance final : Logger::Loggable, Filter::TcpListenerFilterConfigProviderManagerImpl tcp_listener_config_provider_manager_; Server::DrainManagerPtr drain_manager_; HotRestartNopImpl nop_hot_restart_; + Regex::EnginePtr regex_engine_; }; } // namespace Server diff --git a/source/server/server.cc b/source/server/server.cc index 1bd625cd09dc..a570ccf16cce 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -749,7 +749,7 @@ absl::Status InstanceBase::initializeOrThrow(Network::Address::InstanceConstShar } // Once we have runtime we can initialize the SSL context manager. - ssl_context_manager_ = createContextManager("ssl_context_manager", time_source_); + ssl_context_manager_ = createContextManager("ssl_context_manager", server_contexts_); cluster_manager_factory_ = std::make_unique( serverFactoryContext(), stats_store_, thread_local_, http_context_, diff --git a/source/server/server.h b/source/server/server.h index 3afd1348aaba..0d4d76bc97f1 100644 --- a/source/server/server.h +++ b/source/server/server.h 
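Review bot: In the config_validation/server.h hunks `regexEngine()` returns `*regex_engine_`, but the new `Regex::EnginePtr regex_engine_;` member is declared without an initializer and nothing in this diff assigns it; unless ValidationInstance's constructor, which is outside the diff, sets it before any caller reaches regexEngine(), the accessor dereferences a null unique_ptr. The `InstanceBase::regexEngine() override { return *regex_engine_; }` added in source/server/server.h has the same shape and raises the same question. A comment on the member naming where it is populated, e.g. `// Populated during construction; must be set before server_contexts_ exposes it via regexEngine().`, or an `ASSERT(regex_engine_ != nullptr)` in the accessor, would make the invariant visible. The ValidationInstance class body extends beyond both hunks.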
@@ -197,6 +197,7 @@ class ServerFactoryContextImpl : public Configuration::ServerFactoryContext, ProcessContextOptRef processContext() override { return server_.processContext(); } Envoy::Server::DrainManager& drainManager() override { return server_.drainManager(); } ServerLifecycleNotifier& lifecycleNotifier() override { return server_.lifecycleNotifier(); } + Regex::Engine& regexEngine() override { return server_.regexEngine(); } Configuration::StatsConfig& statsConfig() override { return server_.statsConfig(); } envoy::config::bootstrap::v3::Bootstrap& bootstrap() override { return server_.bootstrap(); } OverloadManager& overloadManager() override { return server_.overloadManager(); } @@ -292,6 +293,7 @@ class InstanceBase : Logger::Loggable, TimeSource& timeSource() override { return time_source_; } void flushStats() override; Configuration::StatsConfig& statsConfig() override { return config_.statsConfig(); } + Regex::Engine& regexEngine() override { return *regex_engine_; } envoy::config::bootstrap::v3::Bootstrap& bootstrap() override { return bootstrap_; } Configuration::ServerFactoryContext& serverFactoryContext() override { return server_contexts_; } Configuration::TransportSocketFactoryContext& transportSocketFactoryContext() override { diff --git a/source/server/ssl_context_manager.cc b/source/server/ssl_context_manager.cc index 8a9fec347dee..fadc32283163 100644 --- a/source/server/ssl_context_manager.cc +++ b/source/server/ssl_context_manager.cc 
@@ -49,12 +49,13 @@ class SslContextManagerNoTlsStub final : public Envoy::Ssl::ContextManager { } }; -Ssl::ContextManagerPtr createContextManager(const std::string& factory_name, - TimeSource& time_source) { +Ssl::ContextManagerPtr +createContextManager(const std::string& factory_name, + Server::Configuration::CommonFactoryContext& factory_context) { Ssl::ContextManagerFactory* factory = Registry::FactoryRegistry::getFactory(factory_name); if (factory != nullptr) { - return factory->createContextManager(time_source); + return factory->createContextManager(factory_context); } return std::make_unique(); diff --git a/source/server/ssl_context_manager.h b/source/server/ssl_context_manager.h index 4b618e6e64f4..c296955703fe 100644 --- a/source/server/ssl_context_manager.h +++ b/source/server/ssl_context_manager.h @@ -6,8 +6,9 @@ namespace Envoy { namespace Server { -Ssl::ContextManagerPtr createContextManager(const std::string& factory_name, - TimeSource& time_source); +Ssl::ContextManagerPtr +createContextManager(const std::string& factory_name, + Server::Configuration::CommonFactoryContext& factory_context); } // namespace Server } // namespace Envoy diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index 27baab111f4f..0b52d9c55e82 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -510,7 +510,8 @@ class GrpcClientIntegrationTest : public GrpcClientIntegrationParamTest { Upstream::MockClusterManager cm_; NiceMock local_info_; Runtime::MockLoader runtime_; - Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{test_time_.timeSystem()}; + testing::NiceMock server_factory_context_; + Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{server_factory_context_}; NiceMock random_; Http::AsyncClientPtr http_async_client_; Http::ConnectionPool::InstancePtr http_conn_pool_; 
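Review bot: The ssl_context_manager.h hunk changes createContextManager's second parameter to `Server::Configuration::CommonFactoryContext& factory_context` without documenting that the returned manager may retain the reference; ContextManagerImpl stores it as `factory_context_` and passes it to every context it creates, so the caller must keep the context alive for the manager's whole lifetime. A doc comment on the declaration would capture this, e.g. `// factory_context must outlive the returned manager; implementations may hold it by reference.`. In the source/server/ssl_context_manager.cc hunk the no-TLS stub ignores the argument entirely, which is fine, but that asymmetry is exactly why the contract belongs on the interface rather than being inferred from one implementation.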
diff --git a/test/common/quic/BUILD b/test/common/quic/BUILD index b488b190353d..19437fb2be92 100644 --- a/test/common/quic/BUILD +++ b/test/common/quic/BUILD @@ -64,6 +64,7 @@ envoy_cc_test( "//source/common/quic:envoy_quic_proof_verifier_lib", "//source/common/tls:context_config_lib", "//test/mocks/network:network_mocks", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/ssl:ssl_mocks", "//test/test_common:test_runtime_lib", "@com_github_google_quiche//:quic_core_versions_lib", @@ -108,6 +109,7 @@ envoy_cc_test( "//test/common/config:dummy_config_proto_cc_proto", "//test/common/tls/cert_validator:timed_cert_validator", "//test/mocks/event:event_mocks", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/ssl:ssl_mocks", "@com_github_google_quiche//:quic_test_tools_test_certificates_lib", ], diff --git a/test/common/quic/envoy_quic_proof_source_test.cc b/test/common/quic/envoy_quic_proof_source_test.cc index a6814a40c52d..afe1e521378e 100644 --- a/test/common/quic/envoy_quic_proof_source_test.cc +++ b/test/common/quic/envoy_quic_proof_source_test.cc @@ -9,6 +9,7 @@ #include "test/common/quic/test_utils.h" #include "test/mocks/network/mocks.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/ssl/mocks.h" #include "test/test_common/test_runtime.h" @@ -71,7 +72,7 @@ class SignatureVerifier { const absl::optional nullopt = absl::nullopt; ON_CALL(cert_validation_ctx_config_, customValidatorConfig()).WillByDefault(ReturnRef(nullopt)); auto context = std::make_shared( - *store_.rootScope(), client_context_config_, time_system_); + *store_.rootScope(), client_context_config_, server_factory_context_); ON_CALL(verify_context_, dispatcher()).WillByDefault(ReturnRef(dispatcher_)); ON_CALL(verify_context_, transportSocketOptions()) .WillByDefault(ReturnRef(transport_socket_options_)); 
@@ -105,6 +106,7 @@ class SignatureVerifier { NiceMock store_; Event::GlobalTimeSystem time_system_; NiceMock client_context_config_; + NiceMock server_factory_context_; NiceMock cert_validation_ctx_config_; std::unique_ptr verifier_; NiceMock tls_context_manager_; @@ -224,7 +226,8 @@ class EnvoyQuicProofSourceTest : public ::testing::Test { Network::MockFilterChainManager filter_chain_manager_; Network::MockListenSocket listen_socket_; testing::NiceMock listener_config_; - Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{time_system_}; + Server::Configuration::MockServerFactoryContext factory_context_; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{factory_context_}; Ssl::MockServerContextConfig* mock_context_config_; std::function secret_update_callback_; std::unique_ptr transport_socket_factory_; @@ -391,7 +394,9 @@ class LegacyEnvoyQuicProofSourceTest : public ::testing::Test { Network::MockFilterChainManager filter_chain_manager_; Network::MockListenSocket listen_socket_; testing::NiceMock listener_config_; - Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{time_system_}; + testing::NiceMock server_factory_context_; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{ + server_factory_context_}; Ssl::MockServerContextConfig* mock_context_config_; std::unique_ptr transport_socket_factory_; Ssl::MockTlsCertificateConfig tls_cert_config_; diff --git a/test/common/quic/envoy_quic_proof_verifier_test.cc b/test/common/quic/envoy_quic_proof_verifier_test.cc index ab12465385eb..97b5bd52724a 100644 --- a/test/common/quic/envoy_quic_proof_verifier_test.cc +++ b/test/common/quic/envoy_quic_proof_verifier_test.cc 
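Review bot: In the envoy_quic_proof_source_test.cc hunk at line 105 `Event::GlobalTimeSystem time_system_;` is kept next to the new `NiceMock server_factory_context_;`, yet SignatureVerifier's ClientContextImpl is now built from `server_factory_context_` (previous hunk), so the SSL context's clock comes from whatever the mock's timeSource() returns rather than from `time_system_` unless the two are wired together. If any assertion advances `time_system_` to exercise certificate-validity checks, it may no longer affect the context under test; envoy_quic_proof_verifier_test.cc handles the same situation by dropping `time_system_` in favour of the context, and either that or an `ON_CALL` that makes the mock's timeSource() return `time_system_` would keep the intent explicit here.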
@@ -9,6 +9,7 @@ #include "test/common/quic/test_utils.h" #include "test/common/tls/cert_validator/timed_cert_validator.h" #include "test/mocks/event/mocks.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/ssl/mocks.h" #include "test/mocks/stats/mocks.h" #include "test/test_common/test_time.h" @@ -80,7 +81,7 @@ class EnvoyQuicProofVerifierTest : public testing::Test { EXPECT_CALL(cert_validation_ctx_config_, customValidatorConfig()) .WillRepeatedly(ReturnRef(custom_validator_config_)); auto context = std::make_shared( - *store_.rootScope(), client_context_config_, time_system_); + *store_.rootScope(), client_context_config_, factory_context_); verifier_ = std::make_unique(std::move(context)); } @@ -98,7 +99,7 @@ class EnvoyQuicProofVerifierTest : public testing::Test { absl::optional custom_validator_config_{ absl::nullopt}; NiceMock store_; - Event::GlobalTimeSystem time_system_; + Server::Configuration::MockServerFactoryContext factory_context_; NiceMock client_context_config_; Ssl::MockCertificateValidationContextConfig cert_validation_ctx_config_; std::unique_ptr verifier_; diff --git a/test/common/tls/cert_validator/BUILD b/test/common/tls/cert_validator/BUILD index f0b243a980d3..76c9d63dc831 100644 --- a/test/common/tls/cert_validator/BUILD +++ b/test/common/tls/cert_validator/BUILD @@ -21,6 +21,7 @@ envoy_cc_test( "//source/common/tls/cert_validator:cert_validator_lib", "//test/common/tls:ssl_test_utils", "//test/common/tls/cert_validator:test_common", + "//test/mocks/server:server_factory_context_mocks", "//test/test_common:environment_lib", "//test/test_common:test_runtime_lib", ], @@ -56,6 +57,7 @@ envoy_cc_test( deps = [ "//source/common/protobuf:utility_lib", "//source/common/tls/cert_validator:cert_validator_lib", + "//test/mocks/server:server_factory_context_mocks", "//test/test_common:utility_lib", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", ], 
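Review bot: `Server::Configuration::MockServerFactoryContext factory_context_;` at line 98 of envoy_quic_proof_verifier_test.cc is a bare mock, while the other fixtures in this change (LegacyEnvoyQuicProofSourceTest, SignatureVerifier, the default_validator and san_matcher tests) wrap the same type in `testing::NiceMock`; the bare form makes every uninteresting call on the context emit a gmock warning and, under a strict-mock configuration, a failure. `testing::NiceMock<Server::Configuration::MockServerFactoryContext> factory_context_;` would match the rest of the change. EnvoyQuicProofSourceTest at line 224 of envoy_quic_proof_source_test.cc has the same bare declaration.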
diff --git a/test/common/tls/cert_validator/default_validator_integration_test.cc b/test/common/tls/cert_validator/default_validator_integration_test.cc index a76e87ed04fd..ac5b3232863f 100644 --- a/test/common/tls/cert_validator/default_validator_integration_test.cc +++ b/test/common/tls/cert_validator/default_validator_integration_test.cc @@ -14,8 +14,8 @@ namespace Ssl { void SslCertValidatorIntegrationTest::initialize() { HttpIntegrationTest::initialize(); - context_manager_ = - std::make_unique(timeSystem()); + context_manager_ = std::make_unique( + factory_context_.serverFactoryContext()); registerTestServerPorts({"http"}); test_server_->counter(listenerStatPrefix("ssl.fail_verify_error"))->reset(); diff --git a/test/common/tls/cert_validator/default_validator_test.cc b/test/common/tls/cert_validator/default_validator_test.cc index 0fa44d2d6053..aff9ed58697d 100644 --- a/test/common/tls/cert_validator/default_validator_test.cc +++ b/test/common/tls/cert_validator/default_validator_test.cc @@ -6,6 +6,7 @@ #include "test/common/tls/cert_validator/test_common.h" #include "test/common/tls/ssl_test_utility.h" +#include "test/mocks/server/server_factory_context.h" #include "test/test_common/environment.h" #include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" 
@@ -34,28 +35,34 @@ TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameDNSMatched) { } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameDNSMatched) { + NiceMock context; + bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); std::vector subject_alt_name_matchers; subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_DNS, matcher)}); + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameIncorrectTypeMatched) { + NiceMock context; + bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); std::vector subject_alt_name_matchers; subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_URI, matcher)}); + SanMatcherPtr{std::make_unique(GEN_URI, matcher, context)}); EXPECT_FALSE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameWildcardDNSMatched) { + NiceMock context; + bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir " "}}/test/common/tls/test_data/san_multiple_dns_cert.pem")); 
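Review bot: Every TEST in default_validator_test.cc now opens with `NiceMock context;` (this hunk and the ones through line 365) solely to satisfy the new `context` argument of the SAN matcher and validator constructors; the repetition could be removed by converting these to TEST_F cases on a small fixture holding the mock, or at least made uniform, since some tests follow the declaration with a blank line and others (TestCertificateVerificationWithSANMatcher, WithVerifyDepth) do not. Each `context` is declared before the matchers or validator it is passed to, so destruction order is correct today; if a fixture is introduced, keep the mock declared ahead of those members, because whether the matchers and DefaultCertValidator store the reference is not visible in this diff.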
@@ -63,11 +70,13 @@ TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameWildcardDNSMatched) { matcher.set_exact("api.example.com"); std::vector subject_alt_name_matchers; subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_DNS, matcher)}); + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } TEST(DefaultCertValidatorTest, TestMultiLevelMatch) { + NiceMock context; + // san_multiple_dns_cert matches *.example.com bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir " @@ -76,7 +85,7 @@ TEST(DefaultCertValidatorTest, TestMultiLevelMatch) { matcher.set_exact("foo.api.example.com"); std::vector subject_alt_name_matchers; subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_DNS, matcher)}); + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); EXPECT_FALSE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } @@ -98,13 +107,15 @@ TEST(DefaultCertValidatorTest, TestVerifySubjectAltMultiDomain) { } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameURIMatched) { + NiceMock context; + bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_uri_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw(spiffe://lyft.com/[^/]*-team)raw")); std::vector subject_alt_name_matchers; subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_URI, matcher)}); + SanMatcherPtr{std::make_unique(GEN_URI, matcher, context)}); EXPECT_TRUE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } 
@@ -117,37 +128,40 @@ TEST(DefaultCertValidatorTest, TestVerifySubjectAltNameNotMatched) { } TEST(DefaultCertValidatorTest, TestMatchSubjectAltNameNotMatched) { + NiceMock context; + bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example\.net)raw")); std::vector subject_alt_name_matchers; subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_DNS, matcher)}); + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_IPADD, matcher)}); + SanMatcherPtr{std::make_unique(GEN_IPADD, matcher, context)}); subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_URI, matcher)}); + SanMatcherPtr{std::make_unique(GEN_URI, matcher, context)}); subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_EMAIL, matcher)}); + SanMatcherPtr{std::make_unique(GEN_EMAIL, matcher, context)}); EXPECT_FALSE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } TEST(DefaultCertValidatorTest, TestCertificateVerificationWithSANMatcher) { + NiceMock context; Stats::TestUtil::TestStore test_store; SslStats stats = generateSslStats(*test_store.rootScope()); // Create the default validator object. 
auto default_validator = std::make_unique( - /*CertificateValidationContextConfig=*/nullptr, stats, - Event::GlobalTimeSystem().timeSystem()); + /*CertificateValidationContextConfig=*/nullptr, stats, context); bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/san_dns_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example.com)raw")); std::vector san_matchers; - san_matchers.push_back(SanMatcherPtr{std::make_unique(GEN_DNS, matcher)}); + san_matchers.push_back( + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); // Verify the certificate with correct SAN regex matcher. EXPECT_EQ(default_validator->verifyCertificate(cert.get(), /*verify_san_list=*/{}, san_matchers, nullptr, nullptr), @@ -157,7 +171,7 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithSANMatcher) { matcher.MergeFrom(TestUtility::createExactMatcher("hello.example.com")); std::vector invalid_san_matchers; invalid_san_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_DNS, matcher)}); + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); std::string error; // Verify the certificate with incorrect SAN exact matcher. EXPECT_EQ(default_validator->verifyCertificate(cert.get(), /*verify_san_list=*/{}, 
@@ -167,13 +181,13 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithSANMatcher) { } TEST(DefaultCertValidatorTest, TestCertificateVerificationWithNoValidationContext) { + NiceMock context; Stats::TestUtil::TestStore test_store; SslStats stats = generateSslStats(*test_store.rootScope()); // Create the default validator object. auto default_validator = std::make_unique( - /*CertificateValidationContextConfig=*/nullptr, stats, - Event::GlobalTimeSystem().timeSystem()); + /*CertificateValidationContextConfig=*/nullptr, stats, context); EXPECT_EQ(default_validator->verifyCertificate(/*cert=*/nullptr, /*verify_san_list=*/{}, /*subject_alt_name_matchers=*/{}, nullptr, @@ -191,13 +205,13 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithNoValidationContex } TEST(DefaultCertValidatorTest, TestCertificateVerificationWithEmptyCertChain) { + NiceMock context; Stats::TestUtil::TestStore test_store; SslStats stats = generateSslStats(*test_store.rootScope()); // Create the default validator object. auto default_validator = std::make_unique( - /*CertificateValidationContextConfig=*/nullptr, stats, - Event::GlobalTimeSystem().timeSystem()); + /*CertificateValidationContextConfig=*/nullptr, stats, context); SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method()); bssl::UniquePtr cert_chain(sk_X509_new_null()); 
@@ -210,18 +224,20 @@ TEST(DefaultCertValidatorTest, TestCertificateVerificationWithEmptyCertChain) { } TEST(DefaultCertValidatorTest, NoSanInCert) { + NiceMock context; + bssl::UniquePtr cert = readCertFromFile( TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/fake_ca_cert.pem")); envoy::type::matcher::v3::StringMatcher matcher; matcher.MergeFrom(TestUtility::createRegexMatcher(R"raw([^.]*\.example\.net)raw")); std::vector subject_alt_name_matchers; subject_alt_name_matchers.push_back( - SanMatcherPtr{std::make_unique(GEN_DNS, matcher)}); + SanMatcherPtr{std::make_unique(GEN_DNS, matcher, context)}); EXPECT_FALSE(DefaultCertValidator::matchSubjectAltName(cert.get(), subject_alt_name_matchers)); } TEST(DefaultCertValidatorTest, WithVerifyDepth) { - + NiceMock context; Stats::TestUtil::TestStore test_store; SslStats stats = generateSslStats(*test_store.rootScope()); envoy::config::core::v3::TypedExtensionConfig typed_conf; @@ -245,8 +261,8 @@ TEST(DefaultCertValidatorTest, WithVerifyDepth) { std::make_unique(typed_conf, false, san_matchers, ca_cert_str, 2); auto default_validator = - std::make_unique( - test_config.get(), stats, Event::GlobalTimeSystem().timeSystem()); + std::make_unique(test_config.get(), + stats, context); STACK_OF(X509)* intermediates = cert_chain.get(); SSLContextPtr ssl_ctx = SSL_CTX_new(TLS_method()); @@ -266,7 +282,7 @@ TEST(DefaultCertValidatorTest, WithVerifyDepth) { test_config = std::make_unique(typed_conf, false, san_matchers, ca_cert_str); default_validator = std::make_unique( - test_config.get(), stats, Event::GlobalTimeSystem().timeSystem()); + test_config.get(), stats, context); // Re-initialize context ssl_ctx = SSL_CTX_new(TLS_method()); 
@@ -321,6 +337,8 @@ class MockCertificateValidationContextConfig : public Ssl::CertificateValidation }; TEST(DefaultCertValidatorTest, TestUnexpectedSanMatcherType) { + NiceMock context; + auto mock_context_config = std::make_unique(); EXPECT_CALL(*mock_context_config.get(), trustChainVerification()) .WillRepeatedly(testing::Return(envoy::extensions::transport_sockets::tls::v3:: @@ -329,14 +347,16 @@ TEST(DefaultCertValidatorTest, TestUnexpectedSanMatcherType) { std::vector(); Stats::TestUtil::TestStore store; auto ssl_stats = generateSslStats(*store.rootScope()); - auto validator = std::make_unique(mock_context_config.get(), ssl_stats, - Event::GlobalTimeSystem().timeSystem()); + auto validator = + std::make_unique(mock_context_config.get(), ssl_stats, context); auto ctx = std::vector(); EXPECT_THROW_WITH_REGEX(validator->initializeSslContexts(ctx, false), EnvoyException, "Failed to create string SAN matcher of type.*"); } TEST(DefaultCertValidatorTest, TestInitializeSslContextFailure) { + NiceMock context; + auto mock_context_config = std::make_unique( "-----BEGIN CERTIFICATE-----\nincomplete payload"); EXPECT_CALL(*mock_context_config.get(), trustChainVerification()) @@ -345,8 +365,8 @@ TEST(DefaultCertValidatorTest, TestInitializeSslContextFailure) { Stats::TestUtil::TestStore store; auto ssl_stats = generateSslStats(*store.rootScope()); - auto validator = std::make_unique(mock_context_config.get(), ssl_stats, - Event::GlobalTimeSystem().timeSystem()); + auto validator = + std::make_unique(mock_context_config.get(), ssl_stats, context); auto ctx = std::vector(); EXPECT_THROW_WITH_REGEX(validator->initializeSslContexts(ctx, false), EnvoyException, "Failed to load trusted CA certificates from.*"); diff --git a/test/common/tls/cert_validator/san_matcher_test.cc b/test/common/tls/cert_validator/san_matcher_test.cc index 11f67e467119..3b330866a379 100644 --- a/test/common/tls/cert_validator/san_matcher_test.cc +++ b/test/common/tls/cert_validator/san_matcher_test.cc 
@@ -4,6 +4,7 @@
 #include "source/common/protobuf/utility.h"
 #include "source/common/tls/cert_validator/san_matcher.h"
 
+#include "test/mocks/server/server_factory_context.h"
 #include "test/test_common/utility.h"
 
 #include "gmock/gmock.h"
@@ -16,6 +17,8 @@ namespace Tls {
 
 // Verify that we get a valid string san matcher for all valid san types.
 TEST(SanMatcherConfigTest, TestValidSanType) {
+ NiceMock context;
+
 // Iterate over all san type enums.
 for (envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SanType san_type =
 envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::SanType_MIN;
@@ -29,9 +32,9 @@ TEST(SanMatcherConfigTest, TestValidSanType) {
 san_matcher.set_san_type(san_type);
 if (san_type == envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::
 SAN_TYPE_UNSPECIFIED) {
- EXPECT_DEATH(createStringSanMatcher(san_matcher), "unhandled value");
+ EXPECT_DEATH(createStringSanMatcher(san_matcher, context), "unhandled value");
 } else {
- const SanMatcherPtr matcher = createStringSanMatcher(san_matcher);
+ const SanMatcherPtr matcher = createStringSanMatcher(san_matcher, context);
 EXPECT_NE(matcher.get(), nullptr);
 // Verify that the message is valid.
 TestUtility::validate(san_matcher);
@@ -40,6 +43,7 @@ TEST(SanMatcherConfigTest, TestValidSanType) {
 }
 
 TEST(SanMatcherConfigTest, UnspecifiedSanType) {
+ NiceMock context;
 envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher san_matcher;
 san_matcher.mutable_matcher()->set_exact("foo.example");
 // Do not set san_type
@@ -54,7 +58,7 @@ TEST(SanMatcherConfigTest, UnspecifiedSanType) {
 static_cast(
 static_cast(123));
 san_matcher.set_san_type(san_type);
- EXPECT_EQ(createStringSanMatcher(san_matcher), nullptr);
+ EXPECT_EQ(createStringSanMatcher(san_matcher, context), nullptr);
 }
 
 } // namespace Tls
diff --git a/test/common/tls/cert_validator/timed_cert_validator.h b/test/common/tls/cert_validator/timed_cert_validator.h
index 45a57fc5eda2..2ea320d87af2 100644
--- a/test/common/tls/cert_validator/timed_cert_validator.h
+++ b/test/common/tls/cert_validator/timed_cert_validator.h
@@ -18,8 +18,9 @@ class TimedCertValidator : public DefaultCertValidator {
 public:
 TimedCertValidator(std::chrono::milliseconds validation_time_out_ms,
 const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats,
- TimeSource& time_source, absl::optional expected_host_name)
- : DefaultCertValidator(config, stats, time_source),
+ Server::Configuration::CommonFactoryContext& context,
+ absl::optional expected_host_name)
+ : DefaultCertValidator(config, stats, context),
 validation_time_out_ms_(validation_time_out_ms),
 expected_host_name_(expected_host_name) {}
 ValidationResults
@@ -49,10 +50,11 @@ class TimedCertValidator : public DefaultCertValidator {
 
 class TimedCertValidatorFactory : public CertValidatorFactory {
 public:
- CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config,
- SslStats& stats, TimeSource& time_source) override {
+ CertValidatorPtr
+ createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats,
+ Server::Configuration::CommonFactoryContext& context) override {
 auto validator = std::make_unique(validation_time_out_ms_, config, stats,
- time_source, expected_host_name_);
+ context, expected_host_name_);
 if (expected_peer_address_.has_value()) {
 validator->setExpectedPeerAddress(expected_peer_address_.value());
 }
diff --git a/test/common/tls/context_impl_test.cc b/test/common/tls/context_impl_test.cc
index dadbae2c6f7b..faa1414733d7 100644
--- a/test/common/tls/context_impl_test.cc
+++ b/test/common/tls/context_impl_test.cc
@@ -118,8 +118,8 @@ class SslContextImplTest : public SslCertsTest {
 }
 
 protected:
- Event::SimulatedTimeSystem time_system_;
- ContextManagerImpl manager_{time_system_};
+ NiceMock server_factory_context_;
+ ContextManagerImpl manager_{server_factory_context_};
 };
 
 TEST_F(SslContextImplTest, TestCipherSuites) {
@@ -1157,8 +1157,8 @@ class ClientContextConfigImplTest : public SslCertsTest {
 }};
 }
 
- Event::SimulatedTimeSystem time_system_;
- ContextManagerImpl manager_{time_system_};
+ NiceMock server_factory_context_;
+ ContextManagerImpl manager_{server_factory_context_};
 };
 
 // Validate that empty SNI (according to C string rules) fails config validation.
@@ -1288,8 +1288,7 @@ TEST_F(ClientContextConfigImplTest, RSA3072Cert) {
 TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
 *tls_context.mutable_common_tls_context()->add_tls_certificates());
 ClientContextConfigImpl client_context_config(tls_context, factory_context_);
- Event::SimulatedTimeSystem time_system;
- ContextManagerImpl manager(time_system);
+ ContextManagerImpl manager(server_factory_context_);
 Stats::IsolatedStoreImpl store;
 auto context = manager_.createSslClientContext(*store.rootScope(), client_context_config);
 auto cleanup = cleanUpHelper(context);
@@ -1765,7 +1764,10 @@ TEST_F(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) {
 "Unknown static certificate validation context: missing");
 }
 
-class ServerContextConfigImplTest : public SslCertsTest {};
+class ServerContextConfigImplTest : public SslCertsTest {
+public:
+ NiceMock server_factory_context_;
+};
 
 // Multiple TLS certificates are supported.
 TEST_F(ServerContextConfigImplTest, MultipleTlsCertificates) {
@@ -1896,8 +1898,7 @@ TEST_F(ServerContextConfigImplTest, TlsCertificateNonEmpty) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 tls_context.mutable_common_tls_context()->add_tls_certificates();
 ServerContextConfigImpl client_context_config(tls_context, factory_context_);
- Event::SimulatedTimeSystem time_system;
- ContextManagerImpl manager(time_system);
+ ContextManagerImpl manager(server_factory_context_);
 Stats::IsolatedStoreImpl store;
 EXPECT_THROW_WITH_MESSAGE(
 Envoy::Ssl::ServerContextSharedPtr server_ctx(manager.createSslServerContext(
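Review bot: In the RSA3072Cert hunk the local `ContextManagerImpl manager(server_factory_context_);` is constructed but never used — the context line below creates the context through the fixture member `manager_`, so the rewritten line can simply be dropped rather than repointed at the new mock. This was already dead before the change, but since the commit touches the line it is the moment to remove it. Separately, the new `ServerContextConfigImplTest` fixture exposes `server_factory_context_` under `public:`, whereas the sibling `SslContextImplTest` fixture in this file keeps its equivalent member under `protected:`; `protected:` keeps the two fixtures consistent.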
@@ -2002,8 +2003,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoMethod) {
 NiceMock private_key_method_manager;
 auto private_key_method_provider_ptr =
 std::make_shared>();
- Event::SimulatedTimeSystem time_system;
- ContextManagerImpl manager(time_system);
+ ContextManagerImpl manager(server_factory_context_);
 EXPECT_CALL(factory_context_, sslContextManager()).WillOnce(ReturnRef(context_manager));
 EXPECT_CALL(context_manager, privateKeyMethodManager())
 .WillOnce(ReturnRef(private_key_method_manager));
@@ -2201,8 +2201,8 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndCertChain) {
 class TestContextImpl : public ContextImpl {
 public:
 TestContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config,
- TimeSource& time_source)
- : ContextImpl(scope, config, time_source, nullptr), pool_(scope.symbolTable()),
+ Server::Configuration::ServerFactoryContext& factory_context)
+ : ContextImpl(scope, config, factory_context, nullptr), pool_(scope.symbolTable()),
 fallback_(pool_.add("fallback")) {}
 
 void incCounter(absl::string_view name, absl::string_view value) {
@@ -2220,7 +2220,7 @@ class SslContextStatsTest : public SslContextImplTest {
 client_context_config_ =
 std::make_unique(tls_context_, factory_context_);
 context_ = std::make_unique(*store_.rootScope(), *client_context_config_,
- time_system_);
+ server_factory_context_);
 }
 
 Stats::TestUtil::TestStore store_;
diff --git a/test/common/tls/handshaker_factory_test.cc b/test/common/tls/handshaker_factory_test.cc
index f60113708590..e161b5eea047 100644
--- a/test/common/tls/handshaker_factory_test.cc
+++ b/test/common/tls/handshaker_factory_test.cc
@@ -92,8 +92,8 @@ class HandshakerFactoryImplForTest
 class HandshakerFactoryTest : public testing::Test {
 protected:
 HandshakerFactoryTest()
- : context_manager_(
- std::make_unique(time_system_)),
+ : context_manager_(std::make_unique(
+ server_factory_context_)),
 registered_factory_(handshaker_factory_) {
 scoped_runtime_.mergeValues(
 {{"envoy.reloadable_features.no_extension_lookup_by_name", "false"}});
@@ -111,7 +111,7 @@ class HandshakerFactoryTest : public testing::Test {
 return SSL_get_SSL_CTX(ssl);
 }
 
- Event::GlobalTimeSystem time_system_;
+ NiceMock server_factory_context_;
 Stats::IsolatedStoreImpl stats_store_;
 std::unique_ptr context_manager_;
 HandshakerFactoryImplForTest handshaker_factory_;
@@ -248,8 +248,8 @@ class HandshakerFactoryImplForDownstreamTest
 class HandshakerFactoryDownstreamTest : public testing::Test {
 protected:
 HandshakerFactoryDownstreamTest()
- : context_manager_(
- std::make_unique(time_system_)) {
+ : context_manager_(std::make_unique(
+ server_factory_context_)) {
 scoped_runtime_.mergeValues(
 {{"envoy.reloadable_features.no_extension_lookup_by_name", "false"}});
 }
@@ -262,7 +262,7 @@ class HandshakerFactoryDownstreamTest : public testing::Test {
 return SSL_get_SSL_CTX(ssl);
 }
 
- Event::GlobalTimeSystem time_system_;
+ NiceMock server_factory_context_;
 Stats::IsolatedStoreImpl stats_store_;
 std::unique_ptr context_manager_;
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context_;
diff --git a/test/common/tls/integration/ssl_integration_test.cc b/test/common/tls/integration/ssl_integration_test.cc
index 885494ce1f33..ffae471e9e90 100644
--- a/test/common/tls/integration/ssl_integration_test.cc
+++ b/test/common/tls/integration/ssl_integration_test.cc
@@ -66,8 +66,8 @@ void SslIntegrationTestBase::initialize() {
 
 HttpIntegrationTest::initialize();
 
- context_manager_ =
- std::make_unique(timeSystem());
+ context_manager_ = std::make_unique(
+ server_factory_context_);
 registerTestServerPorts({"http"});
 }
 
diff --git a/test/common/tls/ssl_socket_test.cc b/test/common/tls/ssl_socket_test.cc
index b72f7ad6596b..dc231f41eaad 100644
--- a/test/common/tls/ssl_socket_test.cc
+++ b/test/common/tls/ssl_socket_test.cc
@@ -47,6 +47,7 @@
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/runtime/mocks.h"
 #include "test/mocks/secret/mocks.h"
+#include "test/mocks/server/server_factory_context.h"
 #include "test/mocks/server/transport_socket_factory_context.h"
 #include "test/mocks/ssl/mocks.h"
 #include "test/mocks/stats/mocks.h"
@@ -346,8 +347,9 @@ void testUtil(const TestUtilOptions& options) {
 Api::ApiPtr server_api = Api::createApiForTest(server_stats_store, time_system);
 NiceMock runtime;
 testing::NiceMock
- server_factory_context;
- ON_CALL(server_factory_context.server_context_, api()).WillByDefault(ReturnRef(*server_api));
+ transport_socket_factory_context;
+ ON_CALL(transport_socket_factory_context.server_context_, api())
+ .WillByDefault(ReturnRef(*server_api));
 
 // For private key method testing.
 NiceMock context_manager;
@@ -356,7 +358,7 @@ void testUtil(const TestUtilOptions& options) {
 test_private_key_method_factory(test_factory);
 PrivateKeyMethodManagerImpl private_key_method_manager;
 if (options.expectedPrivateKeyMethod()) {
- EXPECT_CALL(server_factory_context, sslContextManager())
+ EXPECT_CALL(transport_socket_factory_context, sslContextManager())
 .WillOnce(ReturnRef(context_manager))
 .WillRepeatedly(ReturnRef(context_manager));
 EXPECT_CALL(context_manager, privateKeyMethodManager())
@@ -367,9 +369,10 @@ void testUtil(const TestUtilOptions& options) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(options.serverCtxYaml()),
 server_tls_context);
- auto server_cfg =
- std::make_unique(server_tls_context, server_factory_context);
- ContextManagerImpl manager(*time_system);
+ auto server_cfg = std::make_unique(server_tls_context,
+ transport_socket_factory_context);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Event::DispatcherPtr dispatcher = server_api->allocateDispatcher("test_thread");
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -707,7 +710,10 @@ class TestUtilOptionsV2 : public TestUtilOptionsBase {
 
 void testUtilV2(const TestUtilOptionsV2& options) {
 Event::SimulatedTimeSystem time_system;
- ContextManagerImpl manager(*time_system);
+ NiceMock
+ transport_socket_factory_context;
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 
 // SNI-based selection logic isn't happening in SslSocket anymore.
 ASSERT(options.listener().filter_chains().size() == 1);
@@ -716,10 +722,9 @@ void testUtilV2(const TestUtilOptionsV2& options) {
 filter_chain.filter_chain_match().server_names().end());
 Stats::TestUtil::TestStore server_stats_store;
 Api::ApiPtr server_api = Api::createApiForTest(server_stats_store, time_system);
- testing::NiceMock
- server_factory_context;
 NiceMock runtime;
- ON_CALL(server_factory_context.server_context_, api()).WillByDefault(ReturnRef(*server_api));
+ ON_CALL(transport_socket_factory_context.server_context_, api())
+ .WillByDefault(ReturnRef(*server_api));
 
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 const envoy::config::core::v3::TransportSocket& transport_socket =
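Review bot: In testUtil and testUtilV2 the `ContextManagerImpl` used to be built on the test's `Event::SimulatedTimeSystem time_system`, and now it is built on a freshly constructed `NiceMock server_factory_context` whose `timeSource()` default is whatever the mock provides — the explicitly declared simulated clock is no longer wired to the manager. If ContextManagerImpl (or the contexts it creates) reads the clock through the context, session-ticket lifetime and expiry behaviour in these helpers would now depend on the mock's default clock rather than on `time_system`; the same pattern appears in the testTicketSessionResumption and testSupportForSessionResumption hunks, in testClientSessionResumption (where the fixture's `time_system_` still feeds `server_api` but not the manager), and in the `#ifdef ENVOY_ENABLE_QUIC` block of test/integration/utility.cc where the `time_system` parameter stops reaching the manager. The spiffe_validator_test hunk in this same change shows the intended wiring; applying it here is one line after the mock is declared: `ON_CALL(server_factory_context, timeSource()).WillByDefault(ReturnRef(time_system));`. If the mock's default already resolves to the process-wide simulated clock, a one-line comment saying so next to the new declaration would save the next reader the same question.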
@@ -727,7 +732,8 @@ void testUtilV2(const TestUtilOptionsV2& options) {
 ASSERT(transport_socket.has_typed_config());
 transport_socket.typed_config().UnpackTo(&tls_context);
 
- auto server_cfg = std::make_unique(tls_context, server_factory_context);
+ auto server_cfg =
+ std::make_unique(tls_context, transport_socket_factory_context);
 ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager,
 *server_stats_store.rootScope(), server_names);
 
@@ -1016,7 +1022,8 @@ TEST_P(SslSocketTest, ServerTransportSocketOptions) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), tls_context);
 auto server_cfg = std::make_unique(tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
 auto ssl_socket = server_ssl_socket_factory.createDownstreamTransportSocket();
@@ -3065,7 +3072,8 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), tls_context);
 auto server_cfg = std::make_unique(tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -3124,7 +3132,8 @@ TEST_P(SslSocketTest, HalfClose) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
 auto server_cfg = std::make_unique(server_tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -3209,7 +3218,8 @@ TEST_P(SslSocketTest, ShutdownWithCloseNotify) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
 auto server_cfg = std::make_unique(server_tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -3300,7 +3310,8 @@ TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
 auto server_cfg = std::make_unique(server_tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -3407,7 +3418,8 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
 auto server_cfg = std::make_unique(server_tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -3489,24 +3501,26 @@ void testTicketSessionResumption(const std::string& server_ctx_yaml1,
 const Network::Address::IpVersion ip_version,
 const uint32_t expected_lifetime_hint = 0) {
 Event::SimulatedTimeSystem time_system;
- ContextManagerImpl manager(*time_system);
+ NiceMock
+ transport_socket_factory_context;
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 Api::ApiPtr server_api = Api::createApiForTest(server_stats_store, time_system);
 NiceMock runtime;
- testing::NiceMock
- server_factory_context;
- ON_CALL(server_factory_context.server_context_, api()).WillByDefault(ReturnRef(*server_api));
+ ON_CALL(transport_socket_factory_context.server_context_, api())
+ .WillByDefault(ReturnRef(*server_api));
 
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context1;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml1), server_tls_context1);
- auto server_cfg1 =
- std::make_unique(server_tls_context1, server_factory_context);
+ auto server_cfg1 = std::make_unique(server_tls_context1,
+ transport_socket_factory_context);
 
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context2;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml2), server_tls_context2);
- auto server_cfg2 =
- std::make_unique(server_tls_context2, server_factory_context);
+ auto server_cfg2 = std::make_unique(server_tls_context2,
+ transport_socket_factory_context);
 ServerSslSocketFactory server_ssl_socket_factory1(std::move(server_cfg1), manager,
 *server_stats_store.rootScope(), server_names1);
 ServerSslSocketFactory server_ssl_socket_factory2(std::move(server_cfg2), manager,
@@ -3647,19 +3661,21 @@ void testSupportForSessionResumption(const std::string& server_ctx_yaml,
 bool expect_stateful,
 const Network::Address::IpVersion ip_version) {
 Event::SimulatedTimeSystem time_system;
- ContextManagerImpl manager(*time_system);
+ NiceMock
+ transport_socket_factory_context;
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::IsolatedStoreImpl server_stats_store;
 Api::ApiPtr server_api = Api::createApiForTest(server_stats_store, time_system);
 NiceMock runtime;
- testing::NiceMock
- server_factory_context;
- ON_CALL(server_factory_context.server_context_, api()).WillByDefault(ReturnRef(*server_api));
+ ON_CALL(transport_socket_factory_context.server_context_, api())
+ .WillByDefault(ReturnRef(*server_api));
 
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
- auto server_cfg =
- std::make_unique(server_tls_context, server_factory_context);
+ auto server_cfg = std::make_unique(server_tls_context,
+ transport_socket_factory_context);
 ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager,
 *server_stats_store.rootScope(), {});
 
@@ -4305,7 +4321,8 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context2;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server2_ctx_yaml), tls_context2);
 auto server2_cfg = std::make_unique(tls_context2, factory_context_);
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -4422,18 +4439,20 @@ void SslSocketTest::testClientSessionResumption(const std::string& server_ctx_ya
 const Network::Address::IpVersion version) {
 InSequence s;
 
- ContextManagerImpl manager(time_system_);
+ NiceMock server_factory_context;
+ ContextManagerImpl manager(server_factory_context);
 Stats::TestUtil::TestStore server_stats_store;
 Api::ApiPtr server_api = Api::createApiForTest(server_stats_store, time_system_);
 testing::NiceMock
- server_factory_context;
- ON_CALL(server_factory_context.server_context_, api()).WillByDefault(ReturnRef(*server_api));
+ transport_socket_factory_context;
+ ON_CALL(transport_socket_factory_context.server_context_, api())
+ .WillByDefault(ReturnRef(*server_api));
 
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_ctx_proto;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_ctx_proto);
 auto server_cfg =
- std::make_unique(server_ctx_proto, server_factory_context);
+ std::make_unique(server_ctx_proto, transport_socket_factory_context);
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
 
@@ -4698,7 +4717,7 @@ TEST_P(SslSocketTest, SslError) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), tls_context);
 auto server_cfg = std::make_unique(tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ ContextManagerImpl manager(factory_context_.serverFactoryContext());
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
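Review bot: The SslError hunk constructs the manager from the fixture via `ContextManagerImpl manager(factory_context_.serverFactoryContext());`, while the ServerTransportSocketOptions, FlushCloseDuringHandshake, HalfClose, ShutdownWith/WithoutCloseNotify, ClientAuthMultipleCAs and ClientAuthCrossListenerSessionResumption hunks in the same file each declare a throw-away `NiceMock server_factory_context;` for the identical one-line purpose. Two idioms for the same thing in one file makes it look as if the difference is deliberate; the fixture form also keeps the manager on the same context the `server_cfg` above it was built from, so it is the better candidate to apply uniformly unless a test intentionally needs an isolated mock. Whichever is kept, a one-line comment at the first divergent site explaining why would settle it.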
@@ -5230,7 +5249,7 @@ TEST_P(SslSocketTest, SetSignatureAlgorithms) {
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
 TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
 auto server_cfg = std::make_unique(server_tls_context, factory_context_);
- ContextManagerImpl manager(time_system_);
+ ContextManagerImpl manager(factory_context_.serverFactoryContext());
 Stats::TestUtil::TestStore server_stats_store;
 ServerSslSocketFactory server_ssl_socket_factory(
 std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{});
@@ -5845,7 +5864,7 @@ TEST_P(SslSocketTest, DownstreamNotReadySslSocket) {
 EXPECT_TRUE(server_cfg->tlsCertificates().empty());
 EXPECT_FALSE(server_cfg->isReady());
 
- ContextManagerImpl manager(time_system_);
+ ContextManagerImpl manager(factory_context_.serverFactoryContext());
 ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager,
 *factory_context_.store_.rootScope(),
 std::vector{});
@@ -5883,7 +5902,7 @@ TEST_P(SslSocketTest, UpstreamNotReadySslSocket) {
 EXPECT_TRUE(client_cfg->tlsCertificates().empty());
 EXPECT_FALSE(client_cfg->isReady());
 
- ContextManagerImpl manager(time_system_);
+ ContextManagerImpl manager(factory_context_.serverFactoryContext());
 ClientSslSocketFactory client_ssl_socket_factory(std::move(client_cfg), manager,
 *factory_context_.store_.rootScope());
 auto transport_socket = client_ssl_socket_factory.createTransportSocket(nullptr, nullptr);
@@ -5911,7 +5930,7 @@ TEST_P(SslSocketTest, TestTransportSocketCallback) {
 envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
 auto client_cfg = std::make_unique(tls_context, factory_context_);
 
- ContextManagerImpl manager(time_system_);
+ ContextManagerImpl manager(factory_context_.serverFactoryContext());
 ClientSslSocketFactory client_ssl_socket_factory(std::move(client_cfg), manager,
 *factory_context_.store_.rootScope());
 
@@ -5935,7 +5954,7 @@ class SslReadBufferLimitTest : public SslSocketTest {
 downstream_tls_context_);
 auto server_cfg =
 std::make_unique(downstream_tls_context_, factory_context_);
- manager_ = std::make_unique(time_system_);
+ manager_ = std::make_unique(factory_context_.serverFactoryContext());
 server_ssl_socket_factory_ = std::make_unique(
 std::move(server_cfg), *manager_, *server_stats_store_.rootScope(),
 std::vector{});
diff --git a/test/common/upstream/hds_test.cc b/test/common/upstream/hds_test.cc
index 82acb9d72e8d..c58700be552a 100644
--- a/test/common/upstream/hds_test.cc
+++ b/test/common/upstream/hds_test.cc
@@ -61,8 +61,7 @@ class HdsTest : public testing::Test {
 HdsTest()
 : retry_timer_(new Event::MockTimer()), server_response_timer_(new Event::MockTimer()),
 async_client_(new Grpc::MockAsyncClient()),
- api_(Api::createApiForTest(stats_store_, random_)),
- ssl_context_manager_(api_->timeSource()) {
+ api_(Api::createApiForTest(stats_store_, random_)), ssl_context_manager_(server_context_) {
 ON_CALL(server_context_, api()).WillByDefault(ReturnRef(*api_));
 node_.set_id("hds-node");
 }
diff --git a/test/common/upstream/test_cluster_manager.h b/test/common/upstream/test_cluster_manager.h
index eb110f9d672e..a8e232eacb9e 100644
--- a/test/common/upstream/test_cluster_manager.h
+++ b/test/common/upstream/test_cluster_manager.h
@@ -146,8 +146,7 @@ class TestClusterManagerFactory : public ClusterManagerFactory {
 new NiceMock};
 NiceMock& runtime_ = server_context_.runtime_loader_;
 NiceMock& dispatcher_ = server_context_.dispatcher_;
- Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{
- dispatcher_.timeSource()};
+ Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_{server_context_};
 NiceMock& local_info_ = server_context_.local_info_;
 NiceMock& admin_ = server_context_.admin_;
 NiceMock secret_manager_;
diff --git a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc
index 90d2e7acde2a..1b7e15d0ffe0 100644
--- a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc
+++ b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc
@@ -143,8 +143,8 @@ class TcpGrpcAccessLogIntegrationTest : public Grpc::GrpcClientIntegrationParamT
 const Ssl::ClientSslTransportOptions& ssl_options = {},
 const std::string& curves_list = "") {
 // Set up the SSL client.
- context_manager_ =
- std::make_unique(timeSystem());
+ context_manager_ = std::make_unique(
+ server_factory_context_);
 Network::Address::InstanceConstSharedPtr address =
 Ssl::getSslAddress(version_, lookupPort("tcp_proxy"));
 context_ = Ssl::createClientSslTransportSocketFactory(ssl_options, *context_manager_, *api_);
diff --git a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc
index 78b57390d80d..aa2279c70839 100644
--- a/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc
+++ b/test/extensions/filters/listener/tls_inspector/tls_inspector_integration_test.cc
@@ -90,8 +90,8 @@ class TlsInspectorIntegrationTest : public testing::TestWithParam(timeSystem());
+ context_manager_ = std::make_unique(
+ server_factory_context_);
 }
 
 void setupConnections(bool listener_filter_disabled, bool expect_connection_open, bool ssl_client,
diff --git a/test/extensions/string_matcher/lua/lua_test.cc b/test/extensions/string_matcher/lua/lua_test.cc
index 4e834e0d6d71..3842b89f3469 100644
--- a/test/extensions/string_matcher/lua/lua_test.cc
+++ b/test/extensions/string_matcher/lua/lua_test.cc
@@ -88,21 +88,20 @@ TEST(LuaStringMatcher, LuaStdLib) {
 }
 
 TEST(LuaStringMatcher, NoCode) {
- ScopedInjectableLoader api_inject(std::make_unique());
- ScopedInjectableLoader tls_inject(
- std::make_unique());
+ Api::MockApi api;
+ ThreadLocal::MockInstance tls;
 LuaStringMatcherFactory factory;
 ::envoy::extensions::string_matcher::lua::v3::Lua empty_config;
 ProtobufWkt::Any any;
 any.PackFrom(empty_config);
- EXPECT_THROW_WITH_MESSAGE(factory.createStringMatcher(any), EnvoyException,
+ EXPECT_THROW_WITH_MESSAGE(factory.createStringMatcher(any, tls, api), EnvoyException,
 "Failed to get lua string matcher code from source: INVALID_ARGUMENT: "
 "Unexpected DataSource::specifier_case(): 0");
 
 empty_config.mutable_source_code()->set_inline_string("");
 any.PackFrom(empty_config);
- EXPECT_THROW_WITH_MESSAGE(factory.createStringMatcher(any), EnvoyException,
+ EXPECT_THROW_WITH_MESSAGE(factory.createStringMatcher(any, tls, api), EnvoyException,
 "Failed to get lua string matcher code from source: INVALID_ARGUMENT: "
 "DataSource cannot be empty");
 }
diff --git a/test/extensions/transport_sockets/starttls/starttls_integration_test.cc b/test/extensions/transport_sockets/starttls/starttls_integration_test.cc
index cb2564e38286..01a27199c184 100644
--- a/test/extensions/transport_sockets/starttls/starttls_integration_test.cc
+++ b/test/extensions/transport_sockets/starttls/starttls_integration_test.cc
@@ -208,8 +208,8 @@ void StartTlsIntegrationTest::initialize() {
 factory->createTransportSocketFactory(*config, factory_context_)};
 
 // Setup factories and contexts for tls transport socket.
- tls_context_manager_ =
- std::make_unique(timeSystem());
+ tls_context_manager_ = std::make_unique(
+ server_factory_context_);
 tls_context_ = Ssl::createClientSslTransportSocketFactory({}, *tls_context_manager_, *api_);
 payload_reader_ = std::make_shared(*dispatcher_);
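Review bot: The NoCode test declares `Api::MockApi api;` and `ThreadLocal::MockInstance tls;` as strict mocks, while every other mock introduced by this change is wrapped in `NiceMock`. Both `createStringMatcher` calls here are expected to throw before any Lua state is set up, so no interaction with `api` or `tls` is presumably reached; but if the factory touches either object before rejecting the empty DataSource, a strict mock will emit "uninteresting call" warnings that a `NiceMock<Api::MockApi> api;` / `NiceMock<ThreadLocal::MockInstance> tls;` pair would not, and the test would then match the rest of the change. A short comment such as `// Strict mocks: the factory must reject the empty DataSource before touching api or tls.` would make the choice explicit if the strictness is intentional.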
diff --git a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc
index f3efba23db8d..b106d0043f30 100644
--- a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc
+++ b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc
@@ -249,8 +249,8 @@ void StartTlsIntegrationTest::initialize() {
 // Setup factory and context for tls transport socket.
 // The tls transport socket will be inserted into fake_upstream when
 // upstream starttls transport socket is converted to secure mode.
- tls_context_manager_ =
- std::make_unique(timeSystem());
+ tls_context_manager_ = std::make_unique(
+ server_factory_context_);
 
 envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext downstream_tls_context;
 
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
index 9f9644768aee..c95555b9be37 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
@@ -25,6 +25,7 @@ envoy_extension_cc_test(
 "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config",
 "//test/common/tls:ssl_test_utils",
 "//test/common/tls/cert_validator:test_common",
+ "//test/mocks/server:server_factory_context_mocks",
 "//test/test_common:environment_lib",
 "//test/test_common:simulated_time_system_lib",
 "//test/test_common:test_runtime_lib",
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc
index 1806d0985ed1..db9af217a43b 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test.cc
@@ -21,8 +21,8 @@ void SslSPIFFECertValidatorIntegrationTest::initialize() {
 .setAllowExpiredCertificate(allow_expired_cert_));
 HttpIntegrationTest::initialize();
 
- context_manager_ =
- std::make_unique(timeSystem());
+ context_manager_ = std::make_unique(
+ server_factory_context_);
 registerTestServerPorts({"http"});
 }
 
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
index 51cc1ad97016..327298a3efe6 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
@@ -13,6 +13,7 @@
 #include "test/common/tls/cert_validator/test_common.h"
 #include "test/common/tls/ssl_test_utility.h"
+#include "test/mocks/server/server_factory_context.h"
 #include "test/test_common/environment.h"
 #include "test/test_common/simulated_time_system.h"
 #include "test/test_common/test_runtime.h"
@@ -44,7 +45,8 @@ class TestSPIFFEValidator : public testing::Test {
 TestUtility::loadFromYaml(yaml, typed_conf);
 config_ = std::make_unique(
 typed_conf, allow_expired_certificate_, san_matchers_);
- validator_ = std::make_unique(config_.get(), stats_, time_source);
+ ON_CALL(factory_context_, timeSource()).WillByDefault(testing::ReturnRef(time_source));
+ validator_ = std::make_unique(config_.get(), stats_, factory_context_);
 }
 
 void initialize(std::string yaml) {
@@ -52,8 +54,7 @@ class TestSPIFFEValidator : public testing::Test { TestUtility::loadFromYaml(yaml, typed_conf); config_ = std::make_unique( typed_conf, allow_expired_certificate_, san_matchers_); - validator_ = - std::make_unique(config_.get(), stats_, config_->api().timeSource()); + validator_ = std::make_unique(config_.get(), stats_, factory_context_); }; void initialize() { validator_ = std::make_unique(stats_, time_system_); } @@ -90,6 +91,7 @@ class TestSPIFFEValidator : public testing::Test { }; private: + NiceMock factory_context_; bool allow_expired_certificate_{false}; TestCertificateValidationContextConfigPtr config_; std::vector san_matchers_{}; diff --git a/test/integration/base_integration_test.h b/test/integration/base_integration_test.h index 1f1df3f7c765..c5eb1129d41b 100644 --- a/test/integration/base_integration_test.h +++ b/test/integration/base_integration_test.h @@ -525,7 +525,8 @@ class BaseIntegrationTest : protected Logger::Loggable { createUpstreamTlsContext(const FakeUpstreamConfig& upstream_config); testing::NiceMock thread_local_; testing::NiceMock factory_context_; - Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{timeSystem()}; + testing::NiceMock server_factory_context_; + Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{server_factory_context_}; // The fake upstreams_ are created using the context_manager, so make sure // they are destroyed before it is. diff --git a/test/integration/sds_static_integration_test.cc b/test/integration/sds_static_integration_test.cc index 49d42c1eb6c2..0e63eb3d4267 100644 --- a/test/integration/sds_static_integration_test.cc +++ b/test/integration/sds_static_integration_test.cc 
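Review bot: The `initialize(std::string yaml)` overload now hands `factory_context_` to the validator without setting a default for its `timeSource()`, whereas the removed line passed `config_->api().timeSource()` and the sibling overload in the preceding hunk explicitly wires `ON_CALL(factory_context_, timeSource())`. If SPIFFEValidator takes its clock from the factory context (presumably, given that sibling wiring), expiry-related cases driven through this overload — `allow_expired_certificate_` is in scope here — now run against whatever the NiceMock returns by default rather than the test API's clock. Suggest adding, just before the `validator_ =` line, `ON_CALL(factory_context_, timeSource()).WillByDefault(testing::ReturnRef(config_->api().timeSource()));` so both overloads behave the same.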
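Review bot: Every context manager in this series is switched from `timeSystem()` to the new `server_factory_context_` mock, but nothing visible makes the mock's `timeSource()` return the integration test's `timeSystem()`. If the mock's default clock is not the same object, certificate-validity and expiry behaviour of TLS contexts built from `context_manager_` stops following the test's (possibly simulated) time — the spiffe unit test in this same diff wires this explicitly, the integration base does not. Unless the BaseIntegrationTest constructor (outside the hunk) already does so, add `ON_CALL(server_factory_context_, timeSource()).WillByDefault(testing::ReturnRef(timeSystem()));` there, or document on the member why the default is acceptable. A one-line comment that `context_manager_` is constructed from `server_factory_context_` and must stay declared after it would also help, mirroring the member move in test/mocks/server/instance.h in this diff.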
@@ -89,7 +89,7 @@ class SdsStaticDownstreamIntegrationTest } private: - Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{timeSystem()}; + Extensions::TransportSockets::Tls::ContextManagerImpl context_manager_{server_factory_context_}; Network::UpstreamTransportSocketFactoryPtr client_ssl_ctx_; }; @@ -148,7 +148,7 @@ class SdsStaticUpstreamIntegrationTest : public testing::TestWithParam(timeSystem()); + context_manager_ = std::make_unique( + server_factory_context_); payload_reader_ = std::make_shared(*dispatcher_); } diff --git a/test/integration/utility.cc b/test/integration/utility.cc index 3d06c513d7fa..85019c6f45c2 100644 --- a/test/integration/utility.cc +++ b/test/integration/utility.cc @@ -239,7 +239,8 @@ IntegrationUtil::makeSingleRequest(const Network::Address::InstanceConstSharedPt #ifdef ENVOY_ENABLE_QUIC testing::NiceMock threadlocal; - Extensions::TransportSockets::Tls::ContextManagerImpl manager(time_system); + NiceMock server_factory_context; + Extensions::TransportSockets::Tls::ContextManagerImpl manager(server_factory_context); Network::UpstreamTransportSocketFactoryPtr transport_socket_factory = createQuicUpstreamTransportSocketFactory(api, mock_stats_store, manager, threadlocal, "spiffe://lyft.com/backend-team"); diff --git a/test/integration/xds_integration_test.cc b/test/integration/xds_integration_test.cc index 5435bb17d55e..497c0e6522fa 100644 --- a/test/integration/xds_integration_test.cc +++ b/test/integration/xds_integration_test.cc @@ -193,7 +193,7 @@ class LdsInplaceUpdateTcpProxyIntegrationTest BaseIntegrationTest::initialize(); context_manager_ = std::make_unique( - BaseIntegrationTest::timeSystem()); + server_factory_context_); context_ = Ssl::createClientSslTransportSocketFactory({}, *context_manager_, *api_); } 
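Review bot: `time_system` was the clock fed to the QUIC-side `ContextManagerImpl` and is now replaced by the default `timeSource()` of a freshly declared `NiceMock server_factory_context`, so the upstream transport socket's certificate checks in this `#ifdef ENVOY_ENABLE_QUIC` branch may no longer observe the caller-supplied time. The body of `makeSingleRequest` starts before this hunk, so I cannot confirm whether `time_system` is still used elsewhere; if it is not, it becomes a dead parameter in QUIC builds. Adding `ON_CALL(server_factory_context, timeSource()).WillByDefault(testing::ReturnRef(time_system));` right after the mock declaration preserves the previous behaviour.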
@@ -462,8 +462,8 @@ class LdsInplaceUpdateHttpIntegrationTest BaseIntegrationTest::initialize(); - context_manager_ = - std::make_unique(timeSystem()); + context_manager_ = std::make_unique( + server_factory_context_); context_ = Ssl::createClientSslTransportSocketFactory({}, *context_manager_, *api_); address_ = Ssl::getSslAddress(version_, lookupPort("http")); } diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index eeec6cf876b5..689611d5345a 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc @@ -169,8 +169,8 @@ void XfccIntegrationTest::initialize() { config_helper_.addSslConfig(); } - context_manager_ = - std::make_unique(timeSystem()); + context_manager_ = std::make_unique( + server_factory_context_); client_tls_ssl_ctx_ = createClientSslContext(false); client_mtls_ssl_ctx_ = createClientSslContext(true); HttpIntegrationTest::initialize(); diff --git a/test/mocks/server/instance.cc b/test/mocks/server/instance.cc index e40b1e125331..eca664bd89a8 100644 --- a/test/mocks/server/instance.cc +++ b/test/mocks/server/instance.cc @@ -13,7 +13,7 @@ using ::testing::ReturnRef; MockInstance::MockInstance() : secret_manager_(std::make_unique(admin_.getConfigTracker())), - cluster_manager_(timeSource()), ssl_context_manager_(timeSource()), + cluster_manager_(timeSource()), singleton_manager_(new Singleton::ManagerImpl(Thread::threadFactoryForTest())), grpc_context_(stats_store_.symbolTable()), http_context_(stats_store_.symbolTable()), router_context_(stats_store_.symbolTable()), quic_stat_names_(stats_store_.symbolTable()), 
@@ -21,7 +21,8 @@ MockInstance::MockInstance() server_factory_context_( std::make_shared>()), transport_socket_factory_context_( - std::make_shared>()) { + std::make_shared>()), + ssl_context_manager_(*server_factory_context_) { ON_CALL(*this, threadLocal()).WillByDefault(ReturnRef(thread_local_)); ON_CALL(*this, stats()).WillByDefault(ReturnRef(stats_store_)); ON_CALL(*this, grpcContext()).WillByDefault(ReturnRef(grpc_context_)); diff --git a/test/mocks/server/instance.h b/test/mocks/server/instance.h index a8561d534b9c..de109c9c5a97 100644 --- a/test/mocks/server/instance.h +++ b/test/mocks/server/instance.h @@ -52,6 +52,7 @@ class MockInstance : public Instance { MOCK_METHOD(ThreadLocal::Instance&, threadLocal, ()); MOCK_METHOD(LocalInfo::LocalInfo&, localInfo, (), (const)); MOCK_METHOD(Configuration::StatsConfig&, statsConfig, (), ()); + MOCK_METHOD(Regex::Engine&, regexEngine, ()); MOCK_METHOD(void, flushStats, ()); MOCK_METHOD(ProtobufMessage::ValidationContext&, messageValidationContext, ()); MOCK_METHOD(Configuration::ServerFactoryContext&, serverFactoryContext, ()); @@ -78,7 +79,6 @@ class MockInstance : public Instance { testing::NiceMock cluster_manager_; Thread::MutexBasicLockable access_log_lock_; testing::NiceMock runtime_loader_; - Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_; testing::NiceMock dispatcher_; testing::NiceMock drain_manager_; testing::NiceMock access_log_manager_; @@ -101,6 +101,7 @@ class MockInstance : public Instance { server_factory_context_; std::shared_ptr> transport_socket_factory_context_; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager_; }; } // namespace Server diff --git a/test/mocks/server/server_factory_context.h b/test/mocks/server/server_factory_context.h index 7e69dbad447e..128afe221c26 100644 --- a/test/mocks/server/server_factory_context.h +++ b/test/mocks/server/server_factory_context.h 
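Review bot: `MockInstance` gains `MOCK_METHOD(Regex::Engine&, regexEngine, ())` in the instance.h hunk below, but this constructor, which sets the default actions for the other accessors (`threadLocal()`, `stats()`, `grpcContext()`), sets none for it; a reference-returning mock with no default action aborts the test on first call even through a NiceMock. Since `ssl_context_manager_` is now built from `*server_factory_context_`, the natural default is `ON_CALL(*this, regexEngine()).WillByDefault(ReturnRef(server_factory_context_->regexEngine()));` next to the other `ON_CALL` lines. The initializer order here (`ssl_context_manager_` after `server_factory_context_`) is correct given the member move in instance.h.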
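Review bot: `ssl_context_manager_` is moved to the end of the member list so that it is constructed after `server_factory_context_`, which the constructor dereferences to build it (`ssl_context_manager_(*server_factory_context_)` in instance.cc); nothing records that constraint, so a later tidy-up that sorts the members back would dereference a null `shared_ptr` in the initializer list. Suggest a comment on the moved member: `// Must stay after server_factory_context_: constructed from *server_factory_context_.`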
@@ -79,6 +79,7 @@ class MockServerFactoryContext : public virtual ServerFactoryContext { MOCK_METHOD(Server::DrainManager&, drainManager, ()); MOCK_METHOD(Init::Manager&, initManager, ()); MOCK_METHOD(ServerLifecycleNotifier&, lifecycleNotifier, ()); + Regex::Engine& regexEngine() override { return regex_engine_; } MOCK_METHOD(StatsConfig&, statsConfig, (), ()); MOCK_METHOD(AccessLog::AccessLogManager&, accessLogManager, (), ()); MOCK_METHOD(OverloadManager&, overloadManager, ()); @@ -107,6 +108,7 @@ class MockServerFactoryContext : public virtual ServerFactoryContext { Router::ContextImpl router_context_; envoy::config::bootstrap::v3::Bootstrap bootstrap_; testing::NiceMock options_; + Regex::GoogleReEngine regex_engine_; }; class MockGenericFactoryContext : public GenericFactoryContext { @@ -155,6 +157,7 @@ class StatelessMockServerFactoryContext : public virtual ServerFactoryContext { MOCK_METHOD(Server::DrainManager&, drainManager, ()); MOCK_METHOD(Init::Manager&, initManager, ()); MOCK_METHOD(ServerLifecycleNotifier&, lifecycleNotifier, ()); + MOCK_METHOD(Regex::Engine&, regexEngine, ()); MOCK_METHOD(StatsConfig&, statsConfig, (), ()); MOCK_METHOD(AccessLog::AccessLogManager&, accessLogManager, (), ()); MOCK_METHOD(OverloadManager&, overloadManager, ()); diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh index 5ab396837967..cd8604d486dc 100755 --- a/test/per_file_coverage.sh +++ b/test/per_file_coverage.sh @@ -62,7 +62,7 @@ declare -a KNOWN_LOW_COVERAGE=( "source/extensions/listener_managers/validation_listener_manager:70.5" "source/extensions/watchdog/profile_action:83.3" "source/server:91.0" # flaky: be careful adjusting. See https://github.com/envoyproxy/envoy/issues/15239 -"source/server/config_validation:89.2" +"source/server/config_validation:88.9" "source/extensions/health_checkers:96.0" "source/extensions/health_checkers/http:93.9" "source/extensions/health_checkers/grpc:92.0" 
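Review bot: `regexEngine()` is given a concrete override returning a member `GoogleReEngine` on `MockServerFactoryContext`, while `StatelessMockServerFactoryContext` below gets a bare `MOCK_METHOD` with no default action — a reference-returning mock without one aborts on first call, so code that reaches `regexEngine()` through a NiceMock of the stateless variant fails at runtime rather than compile time, and the concrete override cannot have expectations set on it. The neighbouring accessors are all `MOCK_METHOD`s, with defaults wired via `ON_CALL(..).WillByDefault(ReturnRef(..))` as `MockInstance` does in instance.cc. For consistency: `MOCK_METHOD(Regex::Engine&, regexEngine, ());` here plus `ON_CALL(*this, regexEngine()).WillByDefault(ReturnRef(regex_engine_));` in the constructor, which sits outside this hunk; the stateless variant then needs either the same default or a comment that callers must set one.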
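Review bot: The coverage floor for `source/server/config_validation` is lowered from 89.2 to 88.9 instead of covering the code this change adds there; presumably the new `regexEngine()` accessor on the validation server is the uncovered path (its implementation is not in this excerpt). A one-line test that calls the accessor would keep the threshold where it was, and the `source/server` entry just above shows the convention of annotating adjustments — at minimum add `# lowered for the new regexEngine() accessor; restore once it is covered` so the reduction is not silently permanent.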
diff --git a/test/server/BUILD b/test/server/BUILD index 9cceee1474dc..2938f1dd3429 100644 --- a/test/server/BUILD +++ b/test/server/BUILD @@ -368,6 +368,7 @@ envoy_cc_test( srcs = ["ssl_context_manager_test.cc"], deps = [ "//source/server:ssl_context_manager_lib", + "//test/mocks/server:server_factory_context_mocks", "//test/mocks/ssl:ssl_mocks", "//test/mocks/stats:stats_mocks", "//test/test_common:simulated_time_system_lib", diff --git a/test/server/config_validation/cluster_manager_test.cc b/test/server/config_validation/cluster_manager_test.cc index 02442808b230..12db1d70e553 100644 --- a/test/server/config_validation/cluster_manager_test.cc +++ b/test/server/config_validation/cluster_manager_test.cc @@ -40,7 +40,8 @@ TEST(ValidationClusterManagerTest, MockedMethods) { testing::NiceMock secret_manager; auto dns_resolver = std::make_shared>(); - Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager{api->timeSource()}; + Extensions::TransportSockets::Tls::ContextManagerImpl ssl_context_manager{ + *server.server_factory_context_}; Http::ContextImpl http_context(stats_store.symbolTable()); Quic::QuicStatNames quic_stat_names(stats_store.symbolTable()); diff --git a/test/server/ssl_context_manager_test.cc b/test/server/ssl_context_manager_test.cc index dbe2bdc8db6e..4a651e61dc31 100644 --- a/test/server/ssl_context_manager_test.cc +++ b/test/server/ssl_context_manager_test.cc @@ -2,9 +2,9 @@ #include "source/server/ssl_context_manager.h" +#include "test/mocks/server/server_factory_context.h" #include "test/mocks/ssl/mocks.h" #include "test/mocks/stats/mocks.h" -#include "test/test_common/simulated_time_system.h" #include "test/test_common/utility.h" #include "gtest/gtest.h" 
@@ -14,14 +14,15 @@ namespace Server { namespace { TEST(SslContextManager, createStub) { - Event::SimulatedTimeSystem time_system; Stats::MockStore store; Stats::Scope& scope(*store.rootScope()); Ssl::MockClientContextConfig client_config; Ssl::MockServerContextConfig server_config; std::vector server_names; + NiceMock server_factory_context; - Ssl::ContextManagerPtr manager = createContextManager("fake_factory_name", time_system); + Ssl::ContextManagerPtr manager = + createContextManager("fake_factory_name", server_factory_context); // Check we've created a stub, not real manager. EXPECT_EQ(manager->daysUntilFirstCertExpires().value(), std::numeric_limits::max());