From 3e8270bc10dfb05093c3921c78efd209bbe4d525 Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Wed, 26 Jun 2024 09:11:19 -0400 Subject: [PATCH] tls: removing exceptions from context config (#34779) Risk Level: low Testing: updated tests Docs Changes: n/a Release Notes: n/a envoyproxy/envoy-mobile#176 Signed-off-by: Alyssa Wilk --- .../network/test/postgres_integration_test.cc | 4 +- mobile/test/common/integration/test_server.cc | 4 +- .../common/integration/xds_test_server.cc | 4 +- .../quic_client_transport_socket_factory.cc | 8 +- .../quic_server_transport_socket_factory.cc | 9 +- source/common/tls/context_config_impl.cc | 172 +++++--- source/common/tls/context_config_impl.h | 32 +- .../tls/downstream_config.cc | 17 +- .../transport_sockets/tls/upstream_config.cc | 16 +- .../grpc_client_integration_test_harness.h | 4 +- .../quic_transport_socket_factory_test.cc | 5 +- test/common/tls/context_impl_test.cc | 415 +++++++++--------- test/common/tls/handshaker_factory_test.cc | 18 +- test/common/tls/ssl_socket_test.cc | 79 ++-- .../http/router/auto_sni_integration_test.cc | 2 +- .../upstream_starttls_integration_test.cc | 2 +- .../alpn_selection_integration_test.cc | 2 +- test/integration/base_integration_test.cc | 4 +- .../sds_dynamic_integration_test.cc | 2 +- test/integration/ssl_utility.cc | 12 +- test/integration/xfcc_integration_test.cc | 8 +- test/server/admin/server_info_handler_test.cc | 5 +- tools/code_format/config.yaml | 1 - 23 files changed, 443 insertions(+), 382 deletions(-) diff --git a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc index 068b2a5f4e96..b5d9430c7560 100644 --- a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc +++ b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc @@ -317,7 +317,7 @@ class UpstreamSSLBaseIntegrationTest : public PostgresBaseIntegrationTest { NiceMock mock_factory_ctx; ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(testing::ReturnRef(*api_)); - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( downstream_tls_context, mock_factory_ctx); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); Network::DownstreamTransportSocketFactoryPtr tls_context = @@ -536,7 +536,7 @@ class UpstreamAndDownstreamSSLIntegrationTest : public UpstreamSSLBaseIntegratio NiceMock mock_factory_ctx; ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(testing::ReturnRef(*api_)); - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create( upstream_tls_context, mock_factory_ctx); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); Network::UpstreamTransportSocketFactoryPtr tls_context = diff --git a/mobile/test/common/integration/test_server.cc b/mobile/test/common/integration/test_server.cc index 8d16dae38f88..cf8b6ee25cf1 100644 --- a/mobile/test/common/integration/test_server.cc +++ b/mobile/test/common/integration/test_server.cc @@ -551,8 +551,8 @@ Network::DownstreamTransportSocketFactoryPtr TestServer::createUpstreamTlsContex ctx->mutable_trusted_ca()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcacert.pem")); tls_context.mutable_common_tls_context()->add_alpn_protocols("h2"); - auto cfg = std::make_unique( - tls_context, factory_context); + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(tls_context, + factory_context); static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create( std::move(cfg), context_manager_, *upstream_stats_store->rootScope(), diff --git a/mobile/test/common/integration/xds_test_server.cc b/mobile/test/common/integration/xds_test_server.cc index 57e5f39a34af..55b42c654a01 100644 --- a/mobile/test/common/integration/xds_test_server.cc +++ b/mobile/test/common/integration/xds_test_server.cc @@ -70,8 +70,8 @@ XdsTestServer::XdsTestServer() TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem")); tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); - auto cfg = std::make_unique( - tls_context, factory_context_); + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(tls_context, + factory_context_); auto context = *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create( std::move(cfg), context_manager_, *stats_store_.rootScope(), std::vector{}); xds_upstream_ = std::make_unique(std::move(context), 0, version_, upstream_config_); diff --git a/source/common/quic/quic_client_transport_socket_factory.cc b/source/common/quic/quic_client_transport_socket_factory.cc index 05af0d89a19c..091c85a170c1 100644 --- a/source/common/quic/quic_client_transport_socket_factory.cc +++ b/source/common/quic/quic_client_transport_socket_factory.cc @@ -32,9 +32,11 @@ QuicClientTransportSocketConfigFactory::createTransportSocketFactory( auto quic_transport = MessageUtil::downcastAndValidate< const envoy::extensions::transport_sockets::quic::v3::QuicUpstreamTransport&>( config, context.messageValidationVisitor()); - auto client_config = std::make_unique( - quic_transport.upstream_tls_context(), context); - return QuicClientTransportSocketFactory::create(std::move(client_config), context); + absl::StatusOr> + client_config_or_error = Extensions::TransportSockets::Tls::ClientContextConfigImpl::create( + quic_transport.upstream_tls_context(), context); + RETURN_IF_NOT_OK(client_config_or_error.status()); + return QuicClientTransportSocketFactory::create(std::move(*client_config_or_error), context); } QuicClientTransportSocketFactory::QuicClientTransportSocketFactory( diff --git a/source/common/quic/quic_server_transport_socket_factory.cc b/source/common/quic/quic_server_transport_socket_factory.cc index 36c1d570b46d..7f30710c374c 100644 --- a/source/common/quic/quic_server_transport_socket_factory.cc +++ b/source/common/quic/quic_server_transport_socket_factory.cc @@ -19,11 +19,14 @@ QuicServerTransportSocketConfigFactory::createTransportSocketFactory( auto quic_transport = MessageUtil::downcastAndValidate< const envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport&>( config, context.messageValidationVisitor()); - auto server_config = std::make_unique( - quic_transport.downstream_tls_context(), context); + absl::StatusOr> + server_config_or_error = Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( + quic_transport.downstream_tls_context(), context); + RETURN_IF_NOT_OK(server_config_or_error.status()); + auto server_config = std::move(server_config_or_error.value()); // TODO(RyanTheOptimist): support TLS client authentication. if (server_config->requireClientCertificate()) { - throw EnvoyException("TLS Client Authentication is not supported over QUIC"); + return absl::InvalidArgumentError("TLS Client Authentication is not supported over QUIC"); } auto factory_or_error = QuicServerTransportSocketFactory::create( diff --git a/source/common/tls/context_config_impl.cc b/source/common/tls/context_config_impl.cc index b4617b45fbf7..cf5556dd4607 100644 --- a/source/common/tls/context_config_impl.cc +++ b/source/common/tls/context_config_impl.cc @@ -25,7 +25,8 @@ namespace { std::vector getTlsCertificateConfigProviders( const envoy::extensions::transport_sockets::tls::v3::CommonTlsContext& config, - Server::Configuration::TransportSocketFactoryContext& factory_context) { + Server::Configuration::TransportSocketFactoryContext& factory_context, + absl::Status& creation_status) { std::vector providers; if (!config.tls_certificates().empty()) { for (const auto& tls_certificate : config.tls_certificates()) { @@ -50,8 +51,9 @@ std::vector getTlsCertificateConf auto secret_provider = factory_context.secretManager().findStaticTlsCertificateProvider( sds_secret_config.name()); if (!secret_provider) { - throwEnvoyExceptionOrPanic( + creation_status = absl::InvalidArgumentError( fmt::format("Unknown static secret: {}", sds_secret_config.name())); + return {}; } providers.push_back(secret_provider); } @@ -63,7 +65,8 @@ std::vector getTlsCertificateConf Secret::CertificateValidationContextConfigProviderSharedPtr getProviderFromSds( Server::Configuration::TransportSocketFactoryContext& factory_context, - const envoy::extensions::transport_sockets::tls::v3::SdsSecretConfig& sds_secret_config) { + const envoy::extensions::transport_sockets::tls::v3::SdsSecretConfig& sds_secret_config, + absl::Status& creation_status) { if (sds_secret_config.has_sds_config()) { // Fetch dynamic secret. return factory_context.secretManager().findOrCreateCertificateValidationContextProvider( @@ -74,11 +77,11 @@ Secret::CertificateValidationContextConfigProviderSharedPtr getProviderFromSds( auto secret_provider = factory_context.secretManager().findStaticCertificateValidationContextProvider( sds_secret_config.name()); - if (!secret_provider) { - throwEnvoyExceptionOrPanic(fmt::format("Unknown static certificate validation context: {}", - sds_secret_config.name())); + if (secret_provider) { + return secret_provider; } - return secret_provider; + creation_status = absl::InvalidArgumentError( + fmt::format("Unknown static certificate validation context: {}", sds_secret_config.name())); } return nullptr; } @@ -88,7 +91,8 @@ getCertificateValidationContextConfigProvider( const envoy::extensions::transport_sockets::tls::v3::CommonTlsContext& config, Server::Configuration::TransportSocketFactoryContext& factory_context, std::unique_ptr* - default_cvc) { + default_cvc, + absl::Status& creation_status) { switch (config.validation_context_type_case()) { case envoy::extensions::transport_sockets::tls::v3::CommonTlsContext::ValidationContextTypeCase:: kValidationContext: @@ -96,7 +100,8 @@ getCertificateValidationContextConfigProvider( config.validation_context()); case envoy::extensions::transport_sockets::tls::v3::CommonTlsContext::ValidationContextTypeCase:: kValidationContextSdsSecretConfig: - return getProviderFromSds(factory_context, config.validation_context_sds_secret_config()); + return getProviderFromSds(factory_context, config.validation_context_sds_secret_config(), + creation_status); case envoy::extensions::transport_sockets::tls::v3::CommonTlsContext::ValidationContextTypeCase:: kCombinedValidationContext: { *default_cvc = std::make_unique< @@ -104,7 +109,7 @@ getCertificateValidationContextConfigProvider( config.combined_validation_context().default_validation_context()); const auto& sds_secret_config = config.combined_validation_context().validation_context_sds_secret_config(); - return getProviderFromSds(factory_context, sds_secret_config); + return getProviderFromSds(factory_context, sds_secret_config, creation_status); } default: return nullptr; @@ -113,8 +118,8 @@ getCertificateValidationContextConfigProvider( Secret::TlsSessionTicketKeysConfigProviderSharedPtr getTlsSessionTicketKeysConfigProvider( Server::Configuration::TransportSocketFactoryContext& factory_context, - const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config) { - + const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config, + absl::Status& creation_status) { switch (config.session_ticket_keys_type_case()) { case envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext:: SessionTicketKeysTypeCase::kSessionTicketKeys: @@ -133,11 +138,12 @@ Secret::TlsSessionTicketKeysConfigProviderSharedPtr getTlsSessionTicketKeysConfi auto secret_provider = factory_context.secretManager().findStaticTlsSessionTicketKeysContextProvider( sds_secret_config.name()); - if (!secret_provider) { - throwEnvoyExceptionOrPanic( - fmt::format("Unknown tls session ticket keys: {}", sds_secret_config.name())); + if (secret_provider) { + return secret_provider; } - return secret_provider; + creation_status = absl::InvalidArgumentError( + fmt::format("Unknown tls session ticket keys: {}", sds_secret_config.name())); + return nullptr; } } case envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext:: @@ -146,8 +152,10 @@ Secret::TlsSessionTicketKeysConfigProviderSharedPtr getTlsSessionTicketKeysConfi SessionTicketKeysTypeCase::SESSION_TICKET_KEYS_TYPE_NOT_SET: return nullptr; default: - throwEnvoyExceptionOrPanic(fmt::format("Unexpected case for oneof session_ticket_keys: {}", - config.session_ticket_keys_type_case())); + creation_status = + absl::InvalidArgumentError(fmt::format("Unexpected case for oneof session_ticket_keys: {}", + config.session_ticket_keys_type_case())); + return nullptr; } } @@ -168,7 +176,8 @@ ContextConfigImpl::ContextConfigImpl( const envoy::extensions::transport_sockets::tls::v3::CommonTlsContext& config, const unsigned default_min_protocol_version, const unsigned default_max_protocol_version, const std::string& default_cipher_suites, const std::string& default_curves, - Server::Configuration::TransportSocketFactoryContext& factory_context) + Server::Configuration::TransportSocketFactoryContext& factory_context, + absl::Status& creation_status) : api_(factory_context.serverFactoryContext().api()), options_(factory_context.serverFactoryContext().options()), singleton_manager_(factory_context.serverFactoryContext().singletonManager()), @@ -179,19 +188,21 @@ ContextConfigImpl::ContextConfigImpl( ecdh_curves_(StringUtil::nonEmptyStringOrDefault( RepeatedPtrUtil::join(config.tls_params().ecdh_curves(), ":"), default_curves)), signature_algorithms_(RepeatedPtrUtil::join(config.tls_params().signature_algorithms(), ":")), - tls_certificate_providers_(getTlsCertificateConfigProviders(config, factory_context)), - certificate_validation_context_provider_( - getCertificateValidationContextConfigProvider(config, factory_context, &default_cvc_)), + tls_certificate_providers_( + getTlsCertificateConfigProviders(config, factory_context, creation_status)), + certificate_validation_context_provider_(getCertificateValidationContextConfigProvider( + config, factory_context, &default_cvc_, creation_status)), min_protocol_version_(tlsVersionFromProto(config.tls_params().tls_minimum_protocol_version(), default_min_protocol_version)), max_protocol_version_(tlsVersionFromProto(config.tls_params().tls_maximum_protocol_version(), default_max_protocol_version)), factory_context_(factory_context), tls_keylog_path_(config.key_log().path()) { + SET_AND_RETURN_IF_NOT_OK(creation_status, creation_status); auto list_or_error = Network::Address::IpList::create(config.key_log().local_address_range()); - THROW_IF_STATUS_NOT_OK(list_or_error, throw); + SET_AND_RETURN_IF_NOT_OK(list_or_error.status(), creation_status); tls_keylog_local_ = std::move(list_or_error.value()); list_or_error = Network::Address::IpList::create(config.key_log().remote_address_range()); - THROW_IF_STATUS_NOT_OK(list_or_error, throw); + SET_AND_RETURN_IF_NOT_OK(list_or_error.status(), creation_status); tls_keylog_remote_ = std::move(list_or_error.value()); if (certificate_validation_context_provider_ != nullptr) { @@ -208,19 +219,20 @@ ContextConfigImpl::ContextConfigImpl( [this]( const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext& dynamic_cvc) { - getCombinedValidationContextConfig(dynamic_cvc); - return absl::OkStatus(); + return getCombinedValidationContextConfig(dynamic_cvc).status(); }); } // Load inlined, static or dynamic secret that's already available. if (certificate_validation_context_provider_->secret() != nullptr) { if (default_cvc_) { - validation_context_config_ = + auto context_or_error = getCombinedValidationContextConfig(*certificate_validation_context_provider_->secret()); + SET_AND_RETURN_IF_NOT_OK(context_or_error.status(), creation_status); + validation_context_config_ = std::move(*context_or_error); } else { auto config_or_status = Envoy::Ssl::CertificateValidationContextConfigImpl::create( *certificate_validation_context_provider_->secret(), api_); - THROW_IF_STATUS_NOT_OK(config_or_status, throw); + SET_AND_RETURN_IF_NOT_OK(config_or_status.status(), creation_status); validation_context_config_ = std::move(config_or_status.value()); } } @@ -229,9 +241,10 @@ ContextConfigImpl::ContextConfigImpl( if (!tls_certificate_providers_.empty()) { for (auto& provider : tls_certificate_providers_) { if (provider->secret() != nullptr) { - tls_certificate_configs_.emplace_back(THROW_OR_RETURN_VALUE( - Ssl::TlsCertificateConfigImpl::create(*provider->secret(), factory_context, api_), - std::unique_ptr)); + auto config_or_error = + Ssl::TlsCertificateConfigImpl::create(*provider->secret(), factory_context, api_); + SET_AND_RETURN_IF_NOT_OK(config_or_error.status(), creation_status); + tls_certificate_configs_.emplace_back(std::move(*config_or_error)); } } } @@ -258,7 +271,8 @@ ContextConfigImpl::ContextConfigImpl( sslctx_cb_ = handshaker_factory->sslctxCb(handshaker_factory_context); } -Ssl::CertificateValidationContextConfigPtr ContextConfigImpl::getCombinedValidationContextConfig( +absl::StatusOr +ContextConfigImpl::getCombinedValidationContextConfig( const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext& dynamic_cvc) { envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext combined_cvc = @@ -266,9 +280,7 @@ Ssl::CertificateValidationContextConfigPtr ContextConfigImpl::getCombinedValidat combined_cvc.MergeFrom(dynamic_cvc); auto config_or_status = Envoy::Ssl::CertificateValidationContextConfigImpl::create(combined_cvc, api_); - if (!config_or_status.status().ok()) { - throwEnvoyExceptionOrPanic(std::string(config_or_status.status().message())); - } + RETURN_IF_NOT_OK(config_or_status.status()); return std::move(config_or_status.value()); } @@ -282,9 +294,10 @@ void ContextConfigImpl::setSecretUpdateCallback(std::function ca for (const auto& tls_certificate_provider : tls_certificate_providers_) { auto* secret = tls_certificate_provider->secret(); if (secret != nullptr) { - tls_certificate_configs_.emplace_back(THROW_OR_RETURN_VALUE( - Ssl::TlsCertificateConfigImpl::create(*secret, factory_context_, api_), - std::unique_ptr)); + auto config_or_error = + Ssl::TlsCertificateConfigImpl::create(*secret, factory_context_, api_); + RETURN_IF_NOT_OK(config_or_error.status()); + tls_certificate_configs_.emplace_back(std::move(*config_or_error)); } } return callback(); @@ -298,8 +311,10 @@ void ContextConfigImpl::setSecretUpdateCallback(std::function ca // into default_cvc_. cvc_update_callback_handle_ = certificate_validation_context_provider_->addUpdateCallback([this, callback]() { - validation_context_config_ = getCombinedValidationContextConfig( + auto context_or_error = getCombinedValidationContextConfig( *certificate_validation_context_provider_->secret()); + RETURN_IF_NOT_OK(context_or_error.status()); + validation_context_config_ = std::move(*context_or_error); return callback(); }); } else { @@ -309,9 +324,7 @@ void ContextConfigImpl::setSecretUpdateCallback(std::function ca certificate_validation_context_provider_->addUpdateCallback([this, callback]() { auto config_or_status = Envoy::Ssl::CertificateValidationContextConfigImpl::create( *certificate_validation_context_provider_->secret(), api_); - if (!config_or_status.status().ok()) { - throwEnvoyExceptionOrPanic(std::string(config_or_status.status().message())); - } + RETURN_IF_NOT_OK(config_or_status.status()); validation_context_config_ = std::move(config_or_status.value()); return callback(); }); @@ -363,23 +376,37 @@ const std::string ClientContextConfigImpl::DEFAULT_CURVES = #endif "P-256"; +absl::StatusOr> ClientContextConfigImpl::create( + const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config, + Server::Configuration::TransportSocketFactoryContext& secret_provider_context) { + absl::Status creation_status = absl::OkStatus(); + std::unique_ptr ret = absl::WrapUnique( + new ClientContextConfigImpl(config, secret_provider_context, creation_status)); + RETURN_IF_NOT_OK(creation_status); + return ret; +} + ClientContextConfigImpl::ClientContextConfigImpl( const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config, - Server::Configuration::TransportSocketFactoryContext& factory_context) + Server::Configuration::TransportSocketFactoryContext& factory_context, + absl::Status& creation_status) : ContextConfigImpl(config.common_tls_context(), DEFAULT_MIN_VERSION, DEFAULT_MAX_VERSION, - DEFAULT_CIPHER_SUITES, DEFAULT_CURVES, factory_context), + DEFAULT_CIPHER_SUITES, DEFAULT_CURVES, factory_context, creation_status), server_name_indication_(config.sni()), allow_renegotiation_(config.allow_renegotiation()), enforce_rsa_key_usage_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, enforce_rsa_key_usage, false)), max_session_keys_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, max_session_keys, 1)) { // BoringSSL treats this as a C string, so embedded NULL characters will not // be handled correctly. if (server_name_indication_.find('\0') != std::string::npos) { - throwEnvoyExceptionOrPanic("SNI names containing NULL-byte are not allowed"); + creation_status = absl::InvalidArgumentError("SNI names containing NULL-byte are not allowed"); + return; } // TODO(PiotrSikora): Support multiple TLS certificates. if ((config.common_tls_context().tls_certificates().size() + config.common_tls_context().tls_certificate_sds_secret_configs().size()) > 1) { - throwEnvoyExceptionOrPanic("Multiple TLS certificates are not supported for client contexts"); + creation_status = absl::InvalidArgumentError( + "Multiple TLS certificates are not supported for client contexts"); + return; } } @@ -403,41 +430,55 @@ const std::string ServerContextConfigImpl::DEFAULT_CURVES = #endif "P-256"; +absl::StatusOr> ServerContextConfigImpl::create( + const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config, + Server::Configuration::TransportSocketFactoryContext& secret_provider_context) { + absl::Status creation_status = absl::OkStatus(); + std::unique_ptr ret = absl::WrapUnique( + new ServerContextConfigImpl(config, secret_provider_context, creation_status)); + RETURN_IF_NOT_OK(creation_status); + return ret; +} + ServerContextConfigImpl::ServerContextConfigImpl( const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config, - Server::Configuration::TransportSocketFactoryContext& factory_context) + Server::Configuration::TransportSocketFactoryContext& factory_context, + absl::Status& creation_status) : ContextConfigImpl(config.common_tls_context(), DEFAULT_MIN_VERSION, DEFAULT_MAX_VERSION, - DEFAULT_CIPHER_SUITES, DEFAULT_CURVES, factory_context), + DEFAULT_CIPHER_SUITES, DEFAULT_CURVES, factory_context, creation_status), require_client_certificate_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, require_client_certificate, false)), ocsp_staple_policy_(ocspStaplePolicyFromProto(config.ocsp_staple_policy())), - session_ticket_keys_provider_(getTlsSessionTicketKeysConfigProvider(factory_context, config)), + session_ticket_keys_provider_( + getTlsSessionTicketKeysConfigProvider(factory_context, config, creation_status)), disable_stateless_session_resumption_(getStatelessSessionResumptionDisabled(config)), disable_stateful_session_resumption_(config.disable_stateful_session_resumption()), full_scan_certs_on_sni_mismatch_( PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, full_scan_certs_on_sni_mismatch, false)) { - + SET_AND_RETURN_IF_NOT_OK(creation_status, creation_status); if (session_ticket_keys_provider_ != nullptr) { // Validate tls session ticket keys early to reject bad sds updates. stk_validation_callback_handle_ = session_ticket_keys_provider_->addValidationCallback( [this](const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys& keys) { - getSessionTicketKeys(keys); - return absl::OkStatus(); + return getSessionTicketKeys(keys).status(); }); // Load inlined, static or dynamic secret that's already available. if (session_ticket_keys_provider_->secret() != nullptr) { - session_ticket_keys_ = getSessionTicketKeys(*session_ticket_keys_provider_->secret()); + auto keys_or_error = getSessionTicketKeys(*session_ticket_keys_provider_->secret()); + SET_AND_RETURN_IF_NOT_OK(keys_or_error.status(), creation_status); + session_ticket_keys_ = *keys_or_error; } } if (!capabilities().provides_certificates) { if ((config.common_tls_context().tls_certificates().size() + config.common_tls_context().tls_certificate_sds_secret_configs().size()) == 0) { - throwEnvoyExceptionOrPanic("No TLS certificates found for server context"); + creation_status = absl::InvalidArgumentError("No TLS certificates found for server context"); } else if (!config.common_tls_context().tls_certificates().empty() && !config.common_tls_context().tls_certificate_sds_secret_configs().empty()) { - throwEnvoyExceptionOrPanic( + creation_status = absl::InvalidArgumentError( "SDS and non-SDS TLS certificates may not be mixed in server contexts"); + return; } } @@ -454,26 +495,31 @@ void ServerContextConfigImpl::setSecretUpdateCallback(std::functionaddUpdateCallback([this, callback]() { - session_ticket_keys_ = getSessionTicketKeys(*session_ticket_keys_provider_->secret()); + auto keys_or_error = getSessionTicketKeys(*session_ticket_keys_provider_->secret()); + RETURN_IF_NOT_OK(keys_or_error.status()); + session_ticket_keys_ = *keys_or_error; return callback(); }); } } -std::vector +absl::StatusOr> ServerContextConfigImpl::getSessionTicketKeys( const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys& keys) { std::vector result; for (const auto& datasource : keys.keys()) { - result.emplace_back(getSessionTicketKey( - THROW_OR_RETURN_VALUE(Config::DataSource::read(datasource, false, api_), std::string))); + auto datasource_or_error = Config::DataSource::read(datasource, false, api_); + RETURN_IF_NOT_OK(datasource_or_error.status()); + auto key_or_error = getSessionTicketKey(std::move(*datasource_or_error)); + RETURN_IF_NOT_OK(key_or_error.status()); + result.emplace_back(std::move(*key_or_error)); } return result; } // Extracts a SessionTicketKey from raw binary data. // Throws if key_data is invalid. -Ssl::ServerContextConfig::SessionTicketKey +absl::StatusOr ServerContextConfigImpl::getSessionTicketKey(const std::string& key_data) { // If this changes, need to figure out how to deal with key files // that previously worked. For now, just assert so we'll notice that @@ -481,9 +527,9 @@ ServerContextConfigImpl::getSessionTicketKey(const std::string& key_data) { static_assert(sizeof(SessionTicketKey) == 80, "Input is expected to be this size"); if (key_data.size() != sizeof(SessionTicketKey)) { - throwEnvoyExceptionOrPanic(fmt::format("Incorrect TLS session ticket key length. " - "Length {}, expected length {}.", - key_data.size(), sizeof(SessionTicketKey))); + return absl::InvalidArgumentError(fmt::format("Incorrect TLS session ticket key length. " + "Length {}, expected length {}.", + key_data.size(), sizeof(SessionTicketKey))); } SessionTicketKey dst_key; diff --git a/source/common/tls/context_config_impl.h b/source/common/tls/context_config_impl.h index 27d316e5f754..9d4da38a2bc0 100644 --- a/source/common/tls/context_config_impl.h +++ b/source/common/tls/context_config_impl.h @@ -64,7 +64,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { Ssl::HandshakerCapabilities capabilities() const override { return capabilities_; } Ssl::SslCtxCb sslctxCb() const override { return sslctx_cb_; } - Ssl::CertificateValidationContextConfigPtr getCombinedValidationContextConfig( + absl::StatusOr getCombinedValidationContextConfig( const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext& dynamic_cvc); @@ -73,7 +73,8 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { const unsigned default_min_protocol_version, const unsigned default_max_protocol_version, const std::string& default_cipher_suites, const std::string& default_curves, - Server::Configuration::TransportSocketFactoryContext& factory_context); + Server::Configuration::TransportSocketFactoryContext& factory_context, + absl::Status& creation_status); Api::Api& api_; const Server::Options& options_; Singleton::Manager& singleton_manager_; @@ -121,9 +122,9 @@ class ClientContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::Cli static const std::string DEFAULT_CIPHER_SUITES; static const std::string DEFAULT_CURVES; - ClientContextConfigImpl( - const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config, - Server::Configuration::TransportSocketFactoryContext& secret_provider_context); + static absl::StatusOr> + create(const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config, + Server::Configuration::TransportSocketFactoryContext& secret_provider_context); // Ssl::ClientContextConfig const std::string& serverNameIndication() const override { return server_name_indication_; } @@ -132,6 +133,11 @@ class ClientContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::Cli bool enforceRsaKeyUsage() const override { return enforce_rsa_key_usage_; } private: + ClientContextConfigImpl( + const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext& config, + Server::Configuration::TransportSocketFactoryContext& secret_provider_context, + absl::Status& creation_status); + static const unsigned DEFAULT_MIN_VERSION; static const unsigned DEFAULT_MAX_VERSION; @@ -143,9 +149,9 @@ class ClientContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::Cli class ServerContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::ServerContextConfig { public: - ServerContextConfigImpl( - const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config, - Server::Configuration::TransportSocketFactoryContext& secret_provider_context); + static absl::StatusOr> + create(const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config, + Server::Configuration::TransportSocketFactoryContext& secret_provider_context); // Ssl::ServerContextConfig bool requireClientCertificate() const override { return require_client_certificate_; } @@ -173,6 +179,11 @@ class ServerContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::Ser bool fullScanCertsOnSNIMismatch() const override { return full_scan_certs_on_sni_mismatch_; } private: + ServerContextConfigImpl( + const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config, + Server::Configuration::TransportSocketFactoryContext& secret_provider_context, + absl::Status& creation_status); + static const unsigned DEFAULT_MIN_VERSION; static const unsigned DEFAULT_MAX_VERSION; static const std::string DEFAULT_CIPHER_SUITES; @@ -185,9 +196,10 @@ class ServerContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::Ser Envoy::Common::CallbackHandlePtr stk_update_callback_handle_; Envoy::Common::CallbackHandlePtr stk_validation_callback_handle_; - std::vector getSessionTicketKeys( + absl::StatusOr> getSessionTicketKeys( const envoy::extensions::transport_sockets::tls::v3::TlsSessionTicketKeys& keys); - ServerContextConfig::SessionTicketKey getSessionTicketKey(const std::string& key_data); + absl::StatusOr + getSessionTicketKey(const std::string& key_data); static OcspStaplePolicy ocspStaplePolicyFromProto( const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext::OcspStaplePolicy& policy); diff --git a/source/extensions/transport_sockets/tls/downstream_config.cc b/source/extensions/transport_sockets/tls/downstream_config.cc index 6120fa21bfcb..81989e73d804 100644 --- a/source/extensions/transport_sockets/tls/downstream_config.cc +++ b/source/extensions/transport_sockets/tls/downstream_config.cc @@ -16,13 +16,16 @@ absl::StatusOr DownstreamSslSocketFactory::createTransportSocketFactory( const Protobuf::Message& message, Server::Configuration::TransportSocketFactoryContext& context, const std::vector& server_names) { - auto server_config = std::make_unique( - MessageUtil::downcastAndValidate< - const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext&>( - message, context.messageValidationVisitor()), - context); - return ServerSslSocketFactory::create(std::move(server_config), context.sslContextManager(), - context.statsScope(), server_names); + absl::StatusOr> server_config_or_error = + ServerContextConfigImpl::create( + MessageUtil::downcastAndValidate< + const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext&>( + message, context.messageValidationVisitor()), + context); + RETURN_IF_NOT_OK(server_config_or_error.status()); + return ServerSslSocketFactory::create(std::move(server_config_or_error.value()), + context.sslContextManager(), context.statsScope(), + server_names); } ProtobufTypes::MessagePtr DownstreamSslSocketFactory::createEmptyConfigProto() { diff --git a/source/extensions/transport_sockets/tls/upstream_config.cc b/source/extensions/transport_sockets/tls/upstream_config.cc index e959bb95c630..9f228fed09be 100644 --- a/source/extensions/transport_sockets/tls/upstream_config.cc +++ b/source/extensions/transport_sockets/tls/upstream_config.cc @@ -16,13 +16,15 @@ absl::StatusOr UpstreamSslSocketFactory::createTransportSocketFactory( const Protobuf::Message& message, Server::Configuration::TransportSocketFactoryContext& context) { - auto client_config = std::make_unique( - MessageUtil::downcastAndValidate< - const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext&>( - message, context.messageValidationVisitor()), - context); - return ClientSslSocketFactory::create(std::move(client_config), context.sslContextManager(), - context.statsScope()); + absl::StatusOr> client_config_or_error = + ClientContextConfigImpl::create( + MessageUtil::downcastAndValidate< + const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext&>( + message, context.messageValidationVisitor()), + context); + RETURN_IF_NOT_OK(client_config_or_error.status()); + return ClientSslSocketFactory::create(std::move(client_config_or_error.value()), + context.sslContextManager(), context.statsScope()); } ProtobufTypes::MessagePtr UpstreamSslSocketFactory::createEmptyConfigProto() { diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h index bb1c9ac3a721..ea010c25867c 100644 --- a/test/common/grpc/grpc_client_integration_test_harness.h +++ b/test/common/grpc/grpc_client_integration_test_harness.h @@ -603,7 +603,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { TestEnvironment::runfilesPath("test/config/integration/certs/clientkey.pem")); } - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create( tls_context, factory_context_); mock_host_description_->socket_factory_ = @@ -642,7 +642,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest { envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3); } - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( tls_context, factory_context_); static auto* upstream_stats_store = new Stats::IsolatedStoreImpl(); diff --git a/test/common/quic/quic_transport_socket_factory_test.cc b/test/common/quic/quic_transport_socket_factory_test.cc index 3453d25a9a32..07d6a6c73fd4 100644 --- a/test/common/quic/quic_transport_socket_factory_test.cc +++ b/test/common/quic/quic_transport_socket_factory_test.cc @@ -25,8 +25,9 @@ class QuicServerTransportSocketFactoryConfigTest : public Event::TestUsingSimula void verifyQuicServerTransportSocketFactory(std::string yaml, bool expect_early_data) { envoy::extensions::transport_sockets::quic::v3::QuicDownstreamTransport proto_config; TestUtility::loadFromYaml(yaml, proto_config); - Network::DownstreamTransportSocketFactoryPtr transport_socket_factory = - *config_factory_.createTransportSocketFactory(proto_config, context_, {}); + Network::DownstreamTransportSocketFactoryPtr transport_socket_factory = THROW_OR_RETURN_VALUE( + config_factory_.createTransportSocketFactory(proto_config, context_, {}), + Network::DownstreamTransportSocketFactoryPtr); EXPECT_EQ(expect_early_data, static_cast(*transport_socket_factory) .earlyDataEnabled()); diff --git a/test/common/tls/context_impl_test.cc b/test/common/tls/context_impl_test.cc index 7a737ac8ea31..13cf9bb59668 100644 --- a/test/common/tls/context_impl_test.cc +++ b/test/common/tls/context_impl_test.cc @@ -112,8 +112,10 @@ class SslContextImplTest : public SslCertsTest { }}; } void loadConfig(ServerContextConfigImpl& cfg) { - Envoy::Ssl::ServerContextSharedPtr server_ctx(*manager_.createSslServerContext( - *store_.rootScope(), cfg, std::vector{}, nullptr)); + Envoy::Ssl::ServerContextSharedPtr server_ctx( + THROW_OR_RETURN_VALUE(manager_.createSslServerContext(*store_.rootScope(), cfg, + std::vector{}, nullptr), + Ssl::ServerContextSharedPtr)); auto cleanup = cleanUpHelper(server_ctx); } @@ -131,8 +133,8 @@ TEST_F(SslContextImplTest, TestCipherSuites) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); - EXPECT_EQ(manager_.createSslClientContext(*store_.rootScope(), cfg).status().message(), + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); + EXPECT_EQ(manager_.createSslClientContext(*store_.rootScope(), *cfg).status().message(), "Failed to initialize cipher suites " "-ALL:+[AES128-SHA|BOGUS1-SHA256]:BOGUS2-SHA:AES256-SHA. The following " "ciphers were rejected when tried individually: BOGUS1-SHA256, BOGUS2-SHA"); @@ -151,9 +153,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); auto cleanup = cleanUpHelper(context); // Calculate the days until test cert expires auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT"); @@ -173,9 +175,9 @@ TEST_F(SslContextImplTest, TestExpiredCert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); auto cleanup = cleanUpHelper(context); EXPECT_EQ(absl::nullopt, context->daysUntilFirstCertExpires()); } @@ -195,9 +197,9 @@ TEST_F(SslContextImplTest, TestContextUpdate) { // Validate that daysUntilFirstCertExpires returns correctly when single context is available. envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(expired_yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); EXPECT_EQ(manager_.daysUntilFirstCertExpires(), absl::nullopt); const std::string expiring_yaml = R"EOF( @@ -212,10 +214,10 @@ TEST_F(SslContextImplTest, TestContextUpdate) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext expiring_context; TestUtility::loadFromYaml(TestEnvironment::substitute(expiring_yaml), expiring_context); - ClientContextConfigImpl expiring_cfg(expiring_context, factory_context_); + auto expirng_cfg = *ClientContextConfigImpl::create(expiring_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr new_context( - *manager_.createSslClientContext(*store_.rootScope(), expiring_cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *expirng_cfg)); manager_.removeContext(context); // Validate that when the context is updated, daysUntilFirstCertExpires reflects the current @@ -228,7 +230,7 @@ TEST_F(SslContextImplTest, TestContextUpdate) { // Update the context again and validate daysUntilFirstCertExpires still reflects the current // expiry. Envoy::Ssl::ClientContextSharedPtr updated_context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); manager_.removeContext(new_context); auto cleanup = cleanUpHelper(updated_context); @@ -251,10 +253,10 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); auto cleanup = cleanUpHelper(context); // This is similar to the hack above, but right now we generate the ca_cert and it expires in 15 @@ -304,10 +306,10 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithSAN) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); auto cleanup = cleanUpHelper(context); std::string ca_cert_json = absl::StrCat(R"EOF({ "path": "{{ test_rundir }}/test/common/tls/test_data/san_dns3_cert.pem", @@ -360,10 +362,10 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithIPSAN) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); auto cleanup = cleanUpHelper(context); std::string ca_cert_json = absl::StrCat(R"EOF({ "path": "{{ test_rundir }}/test/common/tls/test_data/san_ip_cert.pem", @@ -420,10 +422,10 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithExpiration) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ClientContextConfigImpl cfg(tls_context, factory_context_); + auto cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); auto cleanup = cleanUpHelper(context); std::string ca_cert_json = @@ -454,9 +456,9 @@ TEST_F(SslContextImplTest, TestGetCertInformationWithExpiration) { TEST_F(SslContextImplTest, TestNoCert) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext config; - ClientContextConfigImpl cfg(config, factory_context_); + auto cfg = *ClientContextConfigImpl::create(config, factory_context_); Envoy::Ssl::ClientContextSharedPtr context( - *manager_.createSslClientContext(*store_.rootScope(), cfg)); + *manager_.createSslClientContext(*store_.rootScope(), *cfg)); auto cleanup = cleanUpHelper(context); EXPECT_EQ(nullptr, context->getCaCertInformation()); EXPECT_TRUE(context->getCertChainInformation().empty()); @@ -478,8 +480,8 @@ TEST_F(SslContextImplTest, DuplicateRsaCertSameExactDNSSan) { filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_NO_THROW(loadConfig(server_context_config)); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_NO_THROW(loadConfig(*server_context_config)); } // Multiple RSA certificates with the same wildcard DNS SAN are allowed. @@ -498,8 +500,8 @@ TEST_F(SslContextImplTest, DuplicateRsaCertSameWildcardDNSSan) { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_NO_THROW(loadConfig(server_context_config)); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_NO_THROW(loadConfig(*server_context_config)); } // Multiple RSA certificates with different exact DNS SAN are acceptable. @@ -518,8 +520,8 @@ TEST_F(SslContextImplTest, AcceptableMultipleRsaCerts) { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_2_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_NO_THROW(loadConfig(server_context_config)); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_NO_THROW(loadConfig(*server_context_config)); } // Multiple ECDSA certificates with the same exact DNS SAN are allowed. @@ -538,8 +540,8 @@ TEST_F(SslContextImplTest, DuplicateEcdsaCert) { filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_ecdsa_p256_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_NO_THROW(loadConfig(server_context_config)); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_NO_THROW(loadConfig(*server_context_config)); } // Multiple ECDSA certificates with different DNS SAN are acceptable. @@ -558,8 +560,8 @@ TEST_F(SslContextImplTest, AcceptableMultipleEcdsaCerts) { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_2_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_NO_THROW(loadConfig(server_context_config)); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_NO_THROW(loadConfig(*server_context_config)); } // One cert which contains one of the SAN values in the CN is acceptable, because CN is not used if @@ -577,8 +579,8 @@ TEST_F(SslContextImplTest, CertDuplicatedSansAndCN) { filename: "{{ test_rundir }}/test/common/tls/test_data/san_multiple_dns_1_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_NO_THROW(loadConfig(server_context_config)); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_NO_THROW(loadConfig(*server_context_config)); } // Multiple certificates with duplicated CN is acceptable, because CN is not used if SANs are @@ -601,8 +603,8 @@ TEST_F(SslContextImplTest, MultipleCertsSansAndCN) { filename: "{{ test_rundir }}/test/common/tls/test_data/san_wildcard_dns_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_NO_THROW(loadConfig(server_context_config)); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_NO_THROW(loadConfig(*server_context_config)); } // Certificates with no subject CN and no SANs are rejected. @@ -617,24 +619,26 @@ TEST_F(SslContextImplTest, MustHaveSubjectOrSAN) { filename: "{{ test_rundir }}/test/common/tls/test_data/no_subject_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); EXPECT_THROW_WITH_REGEX( - *manager_.createSslServerContext(*store_.rootScope(), server_context_config, {}, nullptr), + *manager_.createSslServerContext(*store_.rootScope(), *server_context_config, {}, nullptr), EnvoyException, "has neither subject CN nor SAN names"); } class SslServerContextImplOcspTest : public SslContextImplTest { public: Envoy::Ssl::ServerContextSharedPtr loadConfig(ServerContextConfigImpl& cfg) { - return *manager_.createSslServerContext(*store_.rootScope(), cfg, std::vector{}, - nullptr); + return THROW_OR_RETURN_VALUE(manager_.createSslServerContext( + *store_.rootScope(), cfg, std::vector{}, nullptr), + Ssl::ServerContextSharedPtr); } Envoy::Ssl::ServerContextSharedPtr loadConfigYaml(const std::string& yaml) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ServerContextConfigImpl cfg(tls_context, factory_context_); - return loadConfig(cfg); + auto cfg = THROW_OR_RETURN_VALUE(ServerContextConfigImpl::create(tls_context, factory_context_), + std::unique_ptr); + return loadConfig(*cfg); } }; @@ -840,15 +844,18 @@ class SslServerContextImplTicketTest : public SslContextImplTest { server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( "{{ test_rundir }}/test/common/tls/test_data/unittest_key.pem")); - ServerContextConfigImpl server_context_config(cfg, factory_context_); - loadConfig(server_context_config); + auto server_context_config = + THROW_OR_RETURN_VALUE(ServerContextConfigImpl::create(cfg, factory_context_), + std::unique_ptr); + loadConfig(*server_context_config); } void loadConfigYaml(const std::string& yaml) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - ServerContextConfigImpl cfg(tls_context, factory_context_); - loadConfig(cfg); + auto cfg = THROW_OR_RETURN_VALUE(ServerContextConfigImpl::create(tls_context, factory_context_), + std::unique_ptr); + loadConfig(*cfg); } }; @@ -866,7 +873,7 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) { filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_a" filename: "{{ test_rundir }}/test/common/tls/test_data/ticket_key_b" )EOF"; - EXPECT_NO_THROW(loadConfigYaml(yaml)); + loadConfigYaml(yaml); } TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) { @@ -965,14 +972,14 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySdsNotReady) { auto* sds_secret_configs = tls_context.mutable_session_ticket_keys_sds_secret_config(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); // When sds secret is not downloaded, config is not ready. - EXPECT_FALSE(server_context_config.isReady()); + EXPECT_FALSE(server_context_config->isReady()); // Set various callbacks to config. NiceMock secret_callback; - server_context_config.setSecretUpdateCallback( + server_context_config->setSecretUpdateCallback( [&secret_callback]() { return secret_callback.onAddOrUpdateSecret(); }); - server_context_config.setSecretUpdateCallback([]() { return absl::OkStatus(); }); + server_context_config->setSecretUpdateCallback([]() { return absl::OkStatus(); }); } // Validate that client context config with static TLS ticket encryption keys is created @@ -1001,10 +1008,10 @@ name: "abc.com" tls_context.mutable_session_ticket_keys_sds_secret_config()->set_name("abc.com"); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); - EXPECT_TRUE(server_context_config.isReady()); - ASSERT_EQ(server_context_config.sessionTicketKeys().size(), 2); + EXPECT_TRUE(server_context_config->isReady()); + ASSERT_EQ(server_context_config->sessionTicketKeys().size(), 2); } TEST_F(SslServerContextImplTicketTest, CRLSuccess) { @@ -1089,8 +1096,8 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_FALSE(server_context_config.disableStatelessSessionResumption()); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_FALSE(server_context_config->disableStatelessSessionResumption()); } TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabled) { @@ -1106,8 +1113,8 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_FALSE(server_context_config.disableStatelessSessionResumption()); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_FALSE(server_context_config->disableStatelessSessionResumption()); } TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { @@ -1123,8 +1130,8 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_TRUE(server_context_config.disableStatelessSessionResumption()); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_TRUE(server_context_config->disableStatelessSessionResumption()); } TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyIsConfigured) { @@ -1142,8 +1149,8 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - EXPECT_FALSE(server_context_config.disableStatelessSessionResumption()); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + EXPECT_FALSE(server_context_config->disableStatelessSessionResumption()); } class ClientContextConfigImplTest : public SslCertsTest { @@ -1166,13 +1173,11 @@ TEST_F(ClientContextConfigImplTest, EmptyServerNameIndication) { NiceMock factory_context; tls_context.set_sni(std::string("\000", 1)); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, factory_context), EnvoyException, - "SNI names containing NULL-byte are not allowed"); + EXPECT_EQ(ClientContextConfigImpl::create(tls_context, factory_context).status().message(), + "SNI names containing NULL-byte are not allowed"); tls_context.set_sni(std::string("a\000b", 3)); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, factory_context), EnvoyException, - "SNI names containing NULL-byte are not allowed"); + EXPECT_EQ(ClientContextConfigImpl::create(tls_context, factory_context).status().message(), + "SNI names containing NULL-byte are not allowed"); } // Validate that values other than a hex-encoded SHA-256 fail config validation. @@ -1184,11 +1189,12 @@ TEST_F(ClientContextConfigImplTest, InvalidCertificateHash) { // This is valid hex-encoded string, but it doesn't represent SHA-256 (80 vs 64 chars). ->add_verify_certificate_hash("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, factory_context); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context); Stats::IsolatedStoreImpl store; - EXPECT_THAT( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - testing::MatchesRegex("Invalid hex-encoded SHA-256 .*")); + EXPECT_THAT(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + testing::MatchesRegex("Invalid hex-encoded SHA-256 .*")); } // Validate that values other than a base64-encoded SHA-256 fail config validation. @@ -1199,11 +1205,12 @@ TEST_F(ClientContextConfigImplTest, InvalidCertificateSpki) { ->mutable_validation_context() // Not a base64-encoded string. ->add_verify_certificate_spki("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); - ClientContextConfigImpl client_context_config(tls_context, factory_context); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context); Stats::IsolatedStoreImpl store; - EXPECT_THAT( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - testing::MatchesRegex("Invalid base64-encoded SHA-256 .*")); + EXPECT_THAT(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + testing::MatchesRegex("Invalid base64-encoded SHA-256 .*")); } // Validate that 2048-bit RSA certificates load successfully. @@ -1217,9 +1224,9 @@ TEST_F(ClientContextConfigImplTest, RSA2048Cert) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; - auto context = *manager_.createSslClientContext(*store.rootScope(), client_context_config); + auto context = *manager_.createSslClientContext(*store.rootScope(), *client_context_config); auto cleanup = cleanUpHelper(context); } @@ -1234,7 +1241,7 @@ TEST_F(ClientContextConfigImplTest, RSA1024Cert) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; std::string error_msg( @@ -1245,9 +1252,10 @@ TEST_F(ClientContextConfigImplTest, RSA1024Cert) { "with 2048-bit or larger keys are supported" #endif ); - EXPECT_THAT( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - testing::MatchesRegex(error_msg)); + EXPECT_THAT(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + testing::MatchesRegex(error_msg)); } // Validate that 1024-bit RSA certificates are rejected from `pkcs12`. @@ -1259,7 +1267,7 @@ TEST_F(ClientContextConfigImplTest, RSA1024Pkcs12) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; std::string error_msg("Failed to load certificate chain from .*selfsigned_rsa_1024_certkey.p12, " @@ -1270,9 +1278,10 @@ TEST_F(ClientContextConfigImplTest, RSA1024Pkcs12) { "with 2048-bit or larger keys are supported" #endif ); - EXPECT_THAT( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - testing::MatchesRegex(error_msg)); + EXPECT_THAT(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + testing::MatchesRegex(error_msg)); } // Validate that 3072-bit RSA certificates load successfully. @@ -1286,10 +1295,10 @@ TEST_F(ClientContextConfigImplTest, RSA3072Cert) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); ContextManagerImpl manager(server_factory_context_); Stats::IsolatedStoreImpl store; - auto context = *manager_.createSslClientContext(*store.rootScope(), client_context_config); + auto context = *manager_.createSslClientContext(*store.rootScope(), *client_context_config); auto cleanup = cleanUpHelper(context); } @@ -1304,9 +1313,9 @@ TEST_F(ClientContextConfigImplTest, RSA4096Cert) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; - auto context = *manager_.createSslClientContext(*store.rootScope(), client_context_config); + auto context = *manager_.createSslClientContext(*store.rootScope(), *client_context_config); auto cleanup = cleanUpHelper(context); } @@ -1321,9 +1330,9 @@ TEST_F(ClientContextConfigImplTest, P256EcdsaCert) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; - auto context = *manager_.createSslClientContext(*store.rootScope(), client_context_config); + auto context = *manager_.createSslClientContext(*store.rootScope(), *client_context_config); auto cleanup = cleanUpHelper(context); } @@ -1338,13 +1347,14 @@ TEST_F(ClientContextConfigImplTest, NonP256EcdsaCert) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; - EXPECT_THAT( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - testing::ContainsRegex( - "Failed to load certificate chain from .*selfsigned_ecdsa_p384_cert.pem, " - "only P-256 ECDSA certificates are supported")); + EXPECT_THAT(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + testing::ContainsRegex( + "Failed to load certificate chain from .*selfsigned_ecdsa_p384_cert.pem, " + "only P-256 ECDSA certificates are supported")); } // Validate that non-P256 ECDSA certs are rejected loaded from `pkcs12`. @@ -1356,13 +1366,14 @@ TEST_F(ClientContextConfigImplTest, NonP256EcdsaPkcs12) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; - EXPECT_THAT( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - testing::ContainsRegex( - "Failed to load certificate chain from .*selfsigned_ecdsa_p384_certkey.p12, " - "only P-256 ECDSA certificates are supported")); + EXPECT_THAT(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + testing::ContainsRegex( + "Failed to load certificate chain from .*selfsigned_ecdsa_p384_certkey.p12, " + "only P-256 ECDSA certificates are supported")); } // Multiple TLS certificates are not yet supported. @@ -1379,9 +1390,8 @@ TEST_F(ClientContextConfigImplTest, MultipleTlsCertificates) { *tls_context.mutable_common_tls_context()->add_tls_certificates()); TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, factory_context_), EnvoyException, - "Multiple TLS certificates are not supported for client contexts"); + EXPECT_EQ(ClientContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Multiple TLS certificates are not supported for client contexts"); } // Validate context config does not support handling both static TLS certificate and dynamic TLS @@ -1397,9 +1407,8 @@ TEST_F(ClientContextConfigImplTest, TlsCertificatesAndSdsConfig) { TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, factory_context_), EnvoyException, - "Multiple TLS certificates are not supported for client contexts"); + EXPECT_EQ(ClientContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Multiple TLS certificates are not supported for client contexts"); } // Validate context config supports SDS, and is marked as not ready if secrets are not yet @@ -1417,14 +1426,14 @@ TEST_F(ClientContextConfigImplTest, SecretNotReady) { tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); // When sds secret is not downloaded, config is not ready. - EXPECT_FALSE(client_context_config.isReady()); + EXPECT_FALSE(client_context_config->isReady()); // Set various callbacks to config. NiceMock secret_callback; - client_context_config.setSecretUpdateCallback( + client_context_config->setSecretUpdateCallback( [&secret_callback]() { return secret_callback.onAddOrUpdateSecret(); }); - client_context_config.setSecretUpdateCallback([]() { return absl::OkStatus(); }); + client_context_config->setSecretUpdateCallback([]() { return absl::OkStatus(); }); } // Validate client context config supports SDS, and is marked as not ready if dynamic @@ -1448,14 +1457,14 @@ TEST_F(ClientContextConfigImplTest, ValidationContextNotReady) { tls_context.mutable_common_tls_context()->mutable_validation_context_sds_secret_config(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); // When sds secret is not downloaded, config is not ready. - EXPECT_FALSE(client_context_config.isReady()); + EXPECT_FALSE(client_context_config->isReady()); // Set various callbacks to config. NiceMock secret_callback; - client_context_config.setSecretUpdateCallback( + client_context_config->setSecretUpdateCallback( [&secret_callback]() { return secret_callback.onAddOrUpdateSecret(); }); - client_context_config.setSecretUpdateCallback([]() { return absl::OkStatus(); }); + client_context_config->setSecretUpdateCallback([]() { return absl::OkStatus(); }); } // Validate that client context config with static TLS certificates is created successfully. @@ -1480,14 +1489,14 @@ name: "abc.com" ->set_name("abc.com"); EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - client_context_config.tlsCertificates()[0].get().certificateChain()); + client_context_config->tlsCertificates()[0].get().certificateChain()); const std::string key_pem = "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - client_context_config.tlsCertificates()[0].get().privateKey()); + client_context_config->tlsCertificates()[0].get().privateKey()); } // Validate that client context config with password-protected TLS certificates is created @@ -1514,20 +1523,20 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedTlsCertificates) { ->set_name("abc.com"); EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); const std::string cert_pem = "{{ test_rundir " "}}/test/common/tls/test_data/password_protected_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - client_context_config.tlsCertificates()[0].get().certificateChain()); + client_context_config->tlsCertificates()[0].get().certificateChain()); const std::string key_pem = "{{ test_rundir " "}}/test/common/tls/test_data/password_protected_key.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(key_pem)), - client_context_config.tlsCertificates()[0].get().privateKey()); + client_context_config->tlsCertificates()[0].get().privateKey()); const std::string password_file = "{{ test_rundir " "}}/test/common/tls/test_data/password_protected_password.txt"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(password_file)), - client_context_config.tlsCertificates()[0].get().password()); + client_context_config->tlsCertificates()[0].get().password()); } // Validate that client context config with password-protected TLS certificates loaded from @@ -1551,16 +1560,16 @@ TEST_F(ClientContextConfigImplTest, PasswordProtectedPkcs12) { ->set_name("abc.com"); EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); const std::string cert_p12 = "{{ test_rundir " "}}/test/common/tls/test_data/password_protected_certkey.p12"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_p12)), - client_context_config.tlsCertificates()[0].get().pkcs12()); + client_context_config->tlsCertificates()[0].get().pkcs12()); const std::string password_file = "{{ test_rundir " "}}/test/common/tls/test_data/password_protected_password.txt"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(password_file)), - client_context_config.tlsCertificates()[0].get().password()); + client_context_config->tlsCertificates()[0].get().password()); } // Validate that not supplying the incorrect passphrase for password-protected `PKCS12` @@ -1583,12 +1592,13 @@ TEST_F(ClientContextConfigImplTest, PasswordWrongPkcs12) { ->set_name("abc.com"); EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; - EXPECT_EQ( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - absl::StrCat("Failed to load pkcs12 from ", pkcs12_path)); + EXPECT_EQ(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + absl::StrCat("Failed to load pkcs12 from ", pkcs12_path)); } // Validate that not supplying a passphrase for password-protected `PKCS12` @@ -1611,12 +1621,13 @@ TEST_F(ClientContextConfigImplTest, PasswordNotSuppliedPkcs12) { ->set_name("abc.com"); EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; - EXPECT_EQ( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), - absl::StrCat("Failed to load pkcs12 from ", pkcs12_path)); + EXPECT_EQ(manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), + absl::StrCat("Failed to load pkcs12 from ", pkcs12_path)); } // Validate that not supplying a passphrase for password-protected TLS certificates @@ -1642,11 +1653,13 @@ TEST_F(ClientContextConfigImplTest, PasswordNotSuppliedTlsCertificates) { ->set_name("abc.com"); EXPECT_TRUE(factory_context_.secretManager().addStaticSecret(secret_config).ok()); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::IsolatedStoreImpl store; EXPECT_THAT( - manager_.createSslClientContext(*store.rootScope(), client_context_config).status().message(), + manager_.createSslClientContext(*store.rootScope(), *client_context_config) + .status() + .message(), testing::ContainsRegex(absl::StrCat("Failed to load private key from ", private_key_path))); } @@ -1687,11 +1700,11 @@ TEST_F(ClientContextConfigImplTest, StaticCertificateValidationContext) { tls_context.mutable_common_tls_context() ->mutable_validation_context_sds_secret_config() ->set_name("def.com"); - ClientContextConfigImpl client_context_config(tls_context, factory_context_); + auto client_context_config = *ClientContextConfigImpl::create(tls_context, factory_context_); const std::string cert_pem = "{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem"; EXPECT_EQ(TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(cert_pem)), - client_context_config.certificateValidationContext()->caCert()); + client_context_config->certificateValidationContext()->caCert()); } // Validate that constructor of client context config throws an exception when static TLS @@ -1718,9 +1731,8 @@ name: "abc.com" ->Add() ->set_name("missing"); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, factory_context_), EnvoyException, - "Unknown static secret: missing"); + EXPECT_EQ(ClientContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Unknown static secret: missing"); } // Validate that constructor of client context config throws an exception when static certificate @@ -1760,9 +1772,8 @@ TEST_F(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) { tls_context.mutable_common_tls_context() ->mutable_validation_context_sds_secret_config() ->set_name("missing"); - EXPECT_THROW_WITH_MESSAGE( - ClientContextConfigImpl client_context_config(tls_context, factory_context_), EnvoyException, - "Unknown static certificate validation context: missing"); + EXPECT_EQ(ClientContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Unknown static certificate validation context: missing"); } class ServerContextConfigImplTest : public SslCertsTest { @@ -1773,9 +1784,8 @@ class ServerContextConfigImplTest : public SslCertsTest { // Multiple TLS certificates are supported. TEST_F(ServerContextConfigImplTest, MultipleTlsCertificates) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl client_context_config(tls_context, factory_context_), EnvoyException, - "No TLS certificates found for server context"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "No TLS certificates found for server context"); const std::string rsa_tls_certificate_yaml = R"EOF( certificate_chain: filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" @@ -1792,8 +1802,8 @@ TEST_F(ServerContextConfigImplTest, MultipleTlsCertificates) { *tls_context.mutable_common_tls_context()->add_tls_certificates()); TestUtility::loadFromYaml(TestEnvironment::substitute(ecdsa_tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); - auto tls_certs = server_context_config.tlsCertificates(); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); + auto tls_certs = server_context_config->tlsCertificates(); ASSERT_EQ(2, tls_certs.size()); EXPECT_THAT(tls_certs[0].get().privateKeyPath(), EndsWith("selfsigned_key.pem")); EXPECT_THAT(tls_certs[1].get().privateKeyPath(), EndsWith("selfsigned_ecdsa_p256_key.pem")); @@ -1801,9 +1811,8 @@ TEST_F(ServerContextConfigImplTest, MultipleTlsCertificates) { TEST_F(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "No TLS certificates found for server context"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "No TLS certificates found for server context"); const std::string tls_certificate_yaml = R"EOF( certificate_chain: filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_cert.pem" @@ -1813,9 +1822,8 @@ TEST_F(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { TestUtility::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), *tls_context.mutable_common_tls_context()->add_tls_certificates()); tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "SDS and non-SDS TLS certificates may not be mixed in server contexts"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "SDS and non-SDS TLS certificates may not be mixed in server contexts"); } TEST_F(ServerContextConfigImplTest, SdsConfigNoName) { @@ -1853,14 +1861,14 @@ TEST_F(ServerContextConfigImplTest, SecretNotReady) { tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); // When sds secret is not downloaded, config is not ready. - EXPECT_FALSE(server_context_config.isReady()); + EXPECT_FALSE(server_context_config->isReady()); // Set various callbacks to config. NiceMock secret_callback; - server_context_config.setSecretUpdateCallback( + server_context_config->setSecretUpdateCallback( [&secret_callback]() { return secret_callback.onAddOrUpdateSecret(); }); - server_context_config.setSecretUpdateCallback([]() { return absl::OkStatus(); }); + server_context_config->setSecretUpdateCallback([]() { return absl::OkStatus(); }); } // Validate server context config supports SDS, and is marked as not ready if dynamic @@ -1884,26 +1892,26 @@ TEST_F(ServerContextConfigImplTest, ValidationContextNotReady) { tls_context.mutable_common_tls_context()->mutable_validation_context_sds_secret_config(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); // When sds secret is not downloaded, config is not ready. - EXPECT_FALSE(server_context_config.isReady()); + EXPECT_FALSE(server_context_config->isReady()); // Set various callbacks to config. NiceMock secret_callback; - server_context_config.setSecretUpdateCallback( + server_context_config->setSecretUpdateCallback( [&secret_callback]() { return secret_callback.onAddOrUpdateSecret(); }); - server_context_config.setSecretUpdateCallback([]() { return absl::OkStatus(); }); + server_context_config->setSecretUpdateCallback([]() { return absl::OkStatus(); }); } // TlsCertificate messages must have a cert for servers. TEST_F(ServerContextConfigImplTest, TlsCertificateNonEmpty) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; tls_context.mutable_common_tls_context()->add_tls_certificates(); - ServerContextConfigImpl client_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); ContextManagerImpl manager(server_factory_context_); Stats::IsolatedStoreImpl store; EXPECT_THROW_WITH_MESSAGE( Envoy::Ssl::ServerContextSharedPtr server_ctx(*manager.createSslServerContext( - *store.rootScope(), client_context_config, std::vector{}, nullptr)), + *store.rootScope(), *server_context_config, std::vector{}, nullptr)), EnvoyException, "Server TlsCertificates must have a certificate specified"); } @@ -1917,9 +1925,8 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(true); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "Certificate validity period is always ignored without trusted CA"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Certificate validity period is always ignored without trusted CA"); envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); @@ -1930,19 +1937,20 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { server_validation_ctx->set_allow_expired_certificate(false); - EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, factory_context_)); + EXPECT_NO_THROW(auto server_context_config = + *ServerContextConfigImpl::create(tls_context, factory_context_)); server_validation_ctx->set_allow_expired_certificate(true); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "Certificate validity period is always ignored without trusted CA"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Certificate validity period is always ignored without trusted CA"); // But once you add a trusted CA, you should be able to create the context. server_validation_ctx->mutable_trusted_ca()->set_filename( TestEnvironment::substitute("{{ test_rundir }}/test/common/tls/test_data/ca_cert.pem")); - EXPECT_NO_THROW(ServerContextConfigImpl server_context_config(tls_context, factory_context_)); + EXPECT_NO_THROW(auto server_context_config = + *ServerContextConfigImpl::create(tls_context, factory_context_)); } TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProvider) { @@ -1965,9 +1973,8 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProvider) { test_value: 100 )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - EXPECT_THROW_WITH_REGEX( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "Failed to load private key provider: mock_provider"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Failed to load private key provider: mock_provider"); } TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProviderFallback) { @@ -1991,9 +1998,8 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoProviderFallbac fallback: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - EXPECT_THROW_WITH_REGEX( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "Failed to load private key provider: mock_provider"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Failed to load private key provider: mock_provider"); } TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoMethod) { @@ -2024,10 +2030,10 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureNoMethod) { test_value: 100 )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); EXPECT_THROW_WITH_MESSAGE( Envoy::Ssl::ServerContextSharedPtr server_ctx(*manager.createSslServerContext( - *store.rootScope(), server_context_config, std::vector{}, nullptr)), + *store.rootScope(), *server_context_config, std::vector{}, nullptr)), EnvoyException, "Failed to get BoringSSL private key method from provider"); } @@ -2056,7 +2062,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadSuccess) { test_value: 100 )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); } TEST_F(ServerContextConfigImplTest, PrivateKeyMethodFallback) { @@ -2087,7 +2093,7 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodFallback) { fallback: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - ServerContextConfigImpl server_context_config(tls_context, factory_context_); + auto server_context_config = *ServerContextConfigImpl::create(tls_context, factory_context_); } // Test that if both typed and untyped matchers for sans are specified, we @@ -2118,21 +2124,18 @@ TEST_F(ServerContextConfigImplTest, DeprecatedSanMatcher) { )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context); - absl::optional server_context_config; + std::unique_ptr server_context_config; EXPECT_LOG_CONTAINS("warning", "Ignoring match_subject_alt_names as match_typed_subject_alt_names is also " "specified, and the former is deprecated.", - server_context_config.emplace(tls_context, factory_context_)); + server_context_config = + *ServerContextConfigImpl::create(tls_context, factory_context_)); + EXPECT_EQ(server_context_config->certificateValidationContext()->subjectAltNameMatchers().size(), + 1); EXPECT_EQ( - server_context_config.value().certificateValidationContext()->subjectAltNameMatchers().size(), - 1); - EXPECT_EQ(server_context_config.value() - .certificateValidationContext() - ->subjectAltNameMatchers()[0] - .san_type(), - envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::DNS); - EXPECT_EQ(server_context_config.value() - .certificateValidationContext() + server_context_config->certificateValidationContext()->subjectAltNameMatchers()[0].san_type(), + envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::DNS); + EXPECT_EQ(server_context_config->certificateValidationContext() ->subjectAltNameMatchers()[0] .matcher() .exact(), @@ -2158,9 +2161,8 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndMethod) { test_value: 100 )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "Certificate configuration can't have both pkcs12 and private_key_provider"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Certificate configuration can't have both pkcs12 and private_key_provider"); } TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndKey) { @@ -2174,9 +2176,8 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndKey) { filename: "{{ test_rundir }}/test/common/tls/test_data/selfsigned_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "Certificate configuration can't have both pkcs12 and private_key"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Certificate configuration can't have both pkcs12 and private_key"); } TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndCertChain) { @@ -2190,9 +2191,8 @@ TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndCertChain) { filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns3_certkeychain.p12" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); - EXPECT_THROW_WITH_MESSAGE( - ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException, - "Certificate configuration can't have both pkcs12 and certificate_chain"); + EXPECT_EQ(ServerContextConfigImpl::create(tls_context, factory_context_).status().message(), + "Certificate configuration can't have both pkcs12 and certificate_chain"); } // TODO: test throw from additional_init @@ -2219,8 +2219,7 @@ class SslContextStatsTest : public SslContextImplTest { protected: SslContextStatsTest() { TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context_); - client_context_config_ = - std::make_unique(tls_context_, factory_context_); + client_context_config_ = *ClientContextConfigImpl::create(tls_context_, factory_context_); absl::Status creation_status = absl::OkStatus(); context_ = std::make_unique(*store_.rootScope(), *client_context_config_, server_factory_context_, creation_status); diff --git a/test/common/tls/handshaker_factory_test.cc b/test/common/tls/handshaker_factory_test.cc index 31b4cd3ecabf..7d41c6ab6fd8 100644 --- a/test/common/tls/handshaker_factory_test.cc +++ b/test/common/tls/handshaker_factory_test.cc @@ -135,8 +135,8 @@ TEST_F(HandshakerFactoryTest, SetMockFunctionCb) { auto socket_factory = *Extensions::TransportSockets::Tls::ClientSslSocketFactory::create( /*config=*/ - std::make_unique( - tls_context_, mock_factory_ctx), + *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(tls_context_, + mock_factory_ctx), *context_manager_, *stats_store_.rootScope()); std::unique_ptr socket = @@ -161,8 +161,8 @@ TEST_F(HandshakerFactoryTest, SetSpecificSslCtxOption) { auto socket_factory = *Extensions::TransportSockets::Tls::ClientSslSocketFactory::create( /*config=*/ - std::make_unique( - tls_context_, mock_factory_ctx), + *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(tls_context_, + mock_factory_ctx), *context_manager_, *stats_store_.rootScope()); std::unique_ptr socket = @@ -199,8 +199,8 @@ TEST_F(HandshakerFactoryTest, HandshakerContextProvidesObjectsFromParentContext) auto socket_factory = *Extensions::TransportSockets::Tls::ClientSslSocketFactory::create( /*config=*/ - std::make_unique( - tls_context_, mock_factory_ctx), + *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(tls_context_, + mock_factory_ctx), *context_manager_, *stats_store_.rootScope()); std::unique_ptr socket = @@ -295,11 +295,11 @@ TEST_F(HandshakerFactoryDownstreamTest, ServerHandshakerProvidesCertificates) { EXPECT_CALL(mock_factory_ctx.api_, processContext()) .WillRepeatedly(Return(std::reference_wrapper(*process_context_impl))); - Extensions::TransportSockets::Tls::ServerContextConfigImpl server_context_config( + auto server_context_config = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( tls_context_, mock_factory_ctx); - EXPECT_TRUE(server_context_config.isReady()); + EXPECT_TRUE(server_context_config->isReady()); EXPECT_NO_THROW(*context_manager_->createSslServerContext( - *stats_store_.rootScope(), server_context_config, std::vector{}, nullptr)); + *stats_store_.rootScope(), *server_context_config, std::vector{}, nullptr)); } } // namespace diff --git a/test/common/tls/ssl_socket_test.cc b/test/common/tls/ssl_socket_test.cc index 3745da9111d8..83be0e83c8c8 100644 --- a/test/common/tls/ssl_socket_test.cc +++ b/test/common/tls/ssl_socket_test.cc @@ -370,8 +370,8 @@ void testUtil(const TestUtilOptions& options) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(options.serverCtxYaml()), server_tls_context); - auto server_cfg = std::make_unique(server_tls_context, - transport_socket_factory_context); + auto server_cfg = + *ServerContextConfigImpl::create(server_tls_context, transport_socket_factory_context); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); Event::DispatcherPtr dispatcher = server_api->allocateDispatcher("test_thread"); @@ -397,8 +397,7 @@ void testUtil(const TestUtilOptions& options) { client_factory_context; ON_CALL(client_factory_context.server_context_, api()).WillByDefault(ReturnRef(*client_api)); - auto client_cfg = - std::make_unique(client_tls_context, client_factory_context); + auto client_cfg = *ClientContextConfigImpl::create(client_tls_context, client_factory_context); auto client_ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); Network::ClientConnectionPtr client_connection = dispatcher->createClientConnection( @@ -733,8 +732,7 @@ void testUtilV2(const TestUtilOptionsV2& options) { ASSERT(transport_socket.has_typed_config()); transport_socket.typed_config().UnpackTo(&tls_context); - auto server_cfg = - std::make_unique(tls_context, transport_socket_factory_context); + auto server_cfg = *ServerContextConfigImpl::create(tls_context, transport_socket_factory_context); auto factory_or_error = ServerSslSocketFactory::create( std::move(server_cfg), manager, *server_stats_store.rootScope(), server_names); @@ -758,7 +756,7 @@ void testUtilV2(const TestUtilOptionsV2& options) { ON_CALL(client_factory_context.server_context_, api()).WillByDefault(ReturnRef(*client_api)); auto client_cfg = - std::make_unique(options.clientCtxProto(), client_factory_context); + *ClientContextConfigImpl::create(options.clientCtxProto(), client_factory_context); auto client_factory_or_error = ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); THROW_IF_NOT_OK(client_factory_or_error.status()); @@ -1028,7 +1026,7 @@ TEST_P(SslSocketTest, ServerTransportSocketOptions) { ; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), tls_context); - auto server_cfg = std::make_unique(tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(tls_context, factory_context_); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); auto server_ssl_socket_factory = @@ -3035,7 +3033,7 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), tls_context); - auto server_cfg = std::make_unique(tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(tls_context, factory_context_); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); Stats::TestUtil::TestStore server_stats_store; @@ -3095,7 +3093,7 @@ TEST_P(SslSocketTest, HalfClose) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); - auto server_cfg = std::make_unique(server_tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(server_tls_context, factory_context_); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); Stats::TestUtil::TestStore server_stats_store; @@ -3118,7 +3116,7 @@ TEST_P(SslSocketTest, HalfClose) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::TestUtil::TestStore client_stats_store; auto client_ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); @@ -3181,7 +3179,7 @@ TEST_P(SslSocketTest, ShutdownWithCloseNotify) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); - auto server_cfg = std::make_unique(server_tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(server_tls_context, factory_context_); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); Stats::TestUtil::TestStore server_stats_store; @@ -3204,7 +3202,7 @@ TEST_P(SslSocketTest, ShutdownWithCloseNotify) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::TestUtil::TestStore client_stats_store; auto client_ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); @@ -3273,7 +3271,7 @@ TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); - auto server_cfg = std::make_unique(server_tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(server_tls_context, factory_context_); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); Stats::TestUtil::TestStore server_stats_store; @@ -3296,7 +3294,7 @@ TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::TestUtil::TestStore client_stats_store; auto client_ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); @@ -3381,7 +3379,7 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); - auto server_cfg = std::make_unique(server_tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(server_tls_context, factory_context_); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); Stats::TestUtil::TestStore server_stats_store; @@ -3407,7 +3405,7 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::TestUtil::TestStore client_stats_store; auto ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); @@ -3478,13 +3476,13 @@ void testTicketSessionResumption(const std::string& server_ctx_yaml1, envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context1; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml1), server_tls_context1); - auto server_cfg1 = std::make_unique(server_tls_context1, - transport_socket_factory_context); + auto server_cfg1 = + *ServerContextConfigImpl::create(server_tls_context1, transport_socket_factory_context); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context2; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml2), server_tls_context2); - auto server_cfg2 = std::make_unique(server_tls_context2, - transport_socket_factory_context); + auto server_cfg2 = + *ServerContextConfigImpl::create(server_tls_context2, transport_socket_factory_context); auto server_ssl_socket_factory1 = *ServerSslSocketFactory::create( std::move(server_cfg1), manager, *server_stats_store.rootScope(), server_names1); auto server_ssl_socket_factory2 = *ServerSslSocketFactory::create( @@ -3514,8 +3512,7 @@ void testTicketSessionResumption(const std::string& server_ctx_yaml1, client_factory_context; ON_CALL(client_factory_context.server_context_, api()).WillByDefault(ReturnRef(*client_api)); - auto client_cfg = - std::make_unique(client_tls_context, client_factory_context); + auto client_cfg = *ClientContextConfigImpl::create(client_tls_context, client_factory_context); auto ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); Network::ClientConnectionPtr client_connection = dispatcher->createClientConnection( @@ -3640,8 +3637,8 @@ void testSupportForSessionResumption(const std::string& server_ctx_yaml, envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); - auto server_cfg = std::make_unique(server_tls_context, - transport_socket_factory_context); + auto server_cfg = + *ServerContextConfigImpl::create(server_tls_context, transport_socket_factory_context); auto server_ssl_socket_factory = *ServerSslSocketFactory::create( std::move(server_cfg), manager, *server_stats_store.rootScope(), {}); @@ -3664,8 +3661,7 @@ void testSupportForSessionResumption(const std::string& server_ctx_yaml, client_factory_context; ON_CALL(client_factory_context.server_context_, api()).WillByDefault(ReturnRef(*client_api)); - auto client_cfg = - std::make_unique(client_tls_context, client_factory_context); + auto client_cfg = *ClientContextConfigImpl::create(client_tls_context, client_factory_context); auto ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); Network::ClientConnectionPtr client_connection = dispatcher->createClientConnection( @@ -4284,10 +4280,10 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context1; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), tls_context1); - auto server_cfg = std::make_unique(tls_context1, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(tls_context1, factory_context_); envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context2; TestUtility::loadFromYaml(TestEnvironment::substitute(server2_ctx_yaml), tls_context2); - auto server2_cfg = std::make_unique(tls_context2, factory_context_); + auto server2_cfg = *ServerContextConfigImpl::create(tls_context2, factory_context_); NiceMock server_factory_context; ContextManagerImpl manager(server_factory_context); Stats::TestUtil::TestStore server_stats_store; @@ -4319,7 +4315,7 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::TestUtil::TestStore client_stats_store; auto ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); @@ -4419,7 +4415,7 @@ void SslSocketTest::testClientSessionResumption(const std::string& server_ctx_ya envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_ctx_proto; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_ctx_proto); auto server_cfg = - std::make_unique(server_ctx_proto, transport_socket_factory_context); + *ServerContextConfigImpl::create(server_ctx_proto, transport_socket_factory_context); auto server_ssl_socket_factory = *ServerSslSocketFactory::create( std::move(server_cfg), manager, *server_stats_store.rootScope(), std::vector{}); @@ -4445,8 +4441,7 @@ void SslSocketTest::testClientSessionResumption(const std::string& server_ctx_ya client_factory_context; ON_CALL(client_factory_context.server_context_, api()).WillByDefault(ReturnRef(*client_api)); - auto client_cfg = - std::make_unique(client_ctx_proto, client_factory_context); + auto client_cfg = *ClientContextConfigImpl::create(client_ctx_proto, client_factory_context); auto client_ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); Network::ClientConnectionPtr client_connection = dispatcher->createClientConnection( @@ -4683,7 +4678,7 @@ TEST_P(SslSocketTest, SslError) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), tls_context); - auto server_cfg = std::make_unique(tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(tls_context, factory_context_); ContextManagerImpl manager(factory_context_.serverFactoryContext()); Stats::TestUtil::TestStore server_stats_store; auto server_ssl_socket_factory = *ServerSslSocketFactory::create( @@ -5215,7 +5210,7 @@ TEST_P(SslSocketTest, SetSignatureAlgorithms) { envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); - auto server_cfg = std::make_unique(server_tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(server_tls_context, factory_context_); ContextManagerImpl manager(factory_context_.serverFactoryContext()); Stats::TestUtil::TestStore server_stats_store; auto server_ssl_socket_factory = *ServerSslSocketFactory::create( @@ -5245,7 +5240,7 @@ TEST_P(SslSocketTest, SetSignatureAlgorithms) { envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); Stats::TestUtil::TestStore client_stats_store; auto ssl_socket_factory = *ClientSslSocketFactory::create(std::move(client_cfg), manager, *client_stats_store.rootScope()); @@ -5827,7 +5822,7 @@ TEST_P(SslSocketTest, DownstreamNotReadySslSocket) { tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - auto server_cfg = std::make_unique(tls_context, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(tls_context, factory_context_); EXPECT_TRUE(server_cfg->tlsCertificates().empty()); EXPECT_FALSE(server_cfg->isReady()); @@ -5865,7 +5860,7 @@ TEST_P(SslSocketTest, UpstreamNotReadySslSocket) { tls_context.mutable_common_tls_context()->mutable_tls_certificate_sds_secret_configs()->Add(); sds_secret_configs->set_name("abc.com"); sds_secret_configs->mutable_sds_config(); - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); EXPECT_TRUE(client_cfg->tlsCertificates().empty()); EXPECT_FALSE(client_cfg->isReady()); @@ -5895,7 +5890,7 @@ TEST_P(SslSocketTest, TestTransportSocketCallback) { ON_CALL(factory_context_.server_context_, localInfo()).WillByDefault(ReturnRef(local_info)); envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; - auto client_cfg = std::make_unique(tls_context, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(tls_context, factory_context_); ContextManagerImpl manager(factory_context_.serverFactoryContext()); auto client_ssl_socket_factory = *ClientSslSocketFactory::create( @@ -5919,8 +5914,7 @@ class SslReadBufferLimitTest : public SslSocketTest { void initialize() { TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml_), downstream_tls_context_); - auto server_cfg = - std::make_unique(downstream_tls_context_, factory_context_); + auto server_cfg = *ServerContextConfigImpl::create(downstream_tls_context_, factory_context_); manager_ = std::make_unique(factory_context_.serverFactoryContext()); server_ssl_socket_factory_ = *ServerSslSocketFactory::create(std::move(server_cfg), *manager_, *server_stats_store_.rootScope(), @@ -5934,8 +5928,7 @@ class SslReadBufferLimitTest : public SslSocketTest { overload_state, *dispatcher_); TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml_), upstream_tls_context_); - auto client_cfg = - std::make_unique(upstream_tls_context_, factory_context_); + auto client_cfg = *ClientContextConfigImpl::create(upstream_tls_context_, factory_context_); client_ssl_socket_factory_ = *ClientSslSocketFactory::create(std::move(client_cfg), *manager_, *client_stats_store_.rootScope()); diff --git a/test/extensions/filters/http/router/auto_sni_integration_test.cc b/test/extensions/filters/http/router/auto_sni_integration_test.cc index b0470af32138..13f57383d664 100644 --- a/test/extensions/filters/http/router/auto_sni_integration_test.cc +++ b/test/extensions/filters/http/router/auto_sni_integration_test.cc @@ -59,7 +59,7 @@ class AutoSniIntegrationTest : public testing::TestWithParammutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( tls_context, factory_context_); static auto* upstream_stats_store = new Stats::IsolatedStoreImpl(); diff --git a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc index 0e8b2092ef58..dd063ea05ab3 100644 --- a/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc +++ b/test/extensions/transport_sockets/starttls/upstream_starttls_integration_test.cc @@ -270,7 +270,7 @@ void StartTlsIntegrationTest::initialize() { NiceMock mock_factory_ctx; ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(testing::ReturnRef(*api_)); - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( downstream_tls_context, mock_factory_ctx); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); tls_context_ = Network::DownstreamTransportSocketFactoryPtr{ diff --git a/test/integration/alpn_selection_integration_test.cc b/test/integration/alpn_selection_integration_test.cc index 95a8bf90dee9..53b88fc5b6c9 100644 --- a/test/integration/alpn_selection_integration_test.cc +++ b/test/integration/alpn_selection_integration_test.cc @@ -68,7 +68,7 @@ require_client_certificate: true TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem"), TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); TestUtility::loadFromYaml(yaml, tls_context); - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( tls_context, factory_context_); static auto* upstream_stats_store = new Stats::IsolatedStoreImpl(); return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create( diff --git a/test/integration/base_integration_test.cc b/test/integration/base_integration_test.cc index bb25adebb9da..68168923f1ec 100644 --- a/test/integration/base_integration_test.cc +++ b/test/integration/base_integration_test.cc @@ -152,7 +152,7 @@ BaseIntegrationTest::createUpstreamTlsContext(const FakeUpstreamConfig& upstream tls_context.mutable_common_tls_context()->add_alpn_protocols("http/1.1"); } if (upstream_config.upstream_protocol_ != Http::CodecType::HTTP3) { - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( tls_context, factory_context_); static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create( @@ -580,7 +580,7 @@ void BaseIntegrationTest::createXdsUpstream() { TestEnvironment::runfilesPath("test/config/integration/certs/upstreamcert.pem")); tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( tls_context, factory_context_); upstream_stats_store_ = std::make_unique(); diff --git a/test/integration/sds_dynamic_integration_test.cc b/test/integration/sds_dynamic_integration_test.cc index f8d97daea053..8e2e444a4a2e 100644 --- a/test/integration/sds_dynamic_integration_test.cc +++ b/test/integration/sds_dynamic_integration_test.cc @@ -711,7 +711,7 @@ class SdsDynamicDownstreamCertValidationContextTest : public SdsDynamicDownstrea tls_certificate->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/clientkey.pem")); - auto cfg = std::make_unique( + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create( tls_context, factory_context_); static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return Extensions::TransportSockets::Tls::ServerSslSocketFactory::create( diff --git a/test/integration/ssl_utility.cc b/test/integration/ssl_utility.cc index 73aa5984629e..fdc3220ff859 100644 --- a/test/integration/ssl_utility.cc +++ b/test/integration/ssl_utility.cc @@ -102,8 +102,8 @@ createClientSslTransportSocketFactory(const ClientSslTransportOptions& options, NiceMock mock_factory_ctx; ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api)); - auto cfg = std::make_unique( - tls_context, mock_factory_ctx); + auto cfg = *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(tls_context, + mock_factory_ctx); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::UpstreamTransportSocketFactoryPtr{ THROW_OR_RETURN_VALUE(Extensions::TransportSockets::Tls::ClientSslSocketFactory::create( @@ -118,8 +118,8 @@ createUpstreamSslContext(ContextManager& context_manager, Api::Api& api, bool us NiceMock mock_factory_ctx; ON_CALL(mock_factory_ctx.server_context_, api()).WillByDefault(ReturnRef(api)); - auto cfg = std::make_unique( - tls_context, mock_factory_ctx); + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(tls_context, + mock_factory_ctx); static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); if (!use_http3) { @@ -151,8 +151,8 @@ Network::DownstreamTransportSocketFactoryPtr createFakeUpstreamSslContext( tls_cert->mutable_private_key()->set_filename(TestEnvironment::runfilesPath( fmt::format("test/config/integration/certs/{}key.pem", upstream_cert_name))); - auto cfg = std::make_unique( - tls_context, factory_context); + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(tls_context, + factory_context); static auto* upstream_stats_store = new Stats::IsolatedStoreImpl(); return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create( diff --git a/test/integration/xfcc_integration_test.cc b/test/integration/xfcc_integration_test.cc index 2e372708afa9..c0889988e364 100644 --- a/test/integration/xfcc_integration_test.cc +++ b/test/integration/xfcc_integration_test.cc @@ -95,8 +95,8 @@ Network::UpstreamTransportSocketFactoryPtr XfccIntegrationTest::createClientSslC } envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext config; TestUtility::loadFromYaml(TestEnvironment::substitute(target), config); - auto cfg = std::make_unique( - config, factory_context_); + auto cfg = + *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(config, factory_context_); static auto* client_stats_store = new Stats::TestIsolatedStoreImpl(); return Network::UpstreamTransportSocketFactoryPtr{ *Extensions::TransportSockets::Tls::ClientSslSocketFactory::create( @@ -112,8 +112,8 @@ Network::DownstreamTransportSocketFactoryPtr XfccIntegrationTest::createUpstream tls_cert->mutable_private_key()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/upstreamkey.pem")); - auto cfg = std::make_unique( - tls_context, factory_context_); + auto cfg = *Extensions::TransportSockets::Tls::ServerContextConfigImpl::create(tls_context, + factory_context_); static auto* upstream_stats_store = new Stats::TestIsolatedStoreImpl(); return *Extensions::TransportSockets::Tls::ServerSslSocketFactory::create( std::move(cfg), *context_manager_, *(upstream_stats_store->rootScope()), diff --git a/test/server/admin/server_info_handler_test.cc b/test/server/admin/server_info_handler_test.cc index 50424080ca5a..371dccd68d0b 100644 --- a/test/server/admin/server_info_handler_test.cc +++ b/test/server/admin/server_info_handler_test.cc @@ -25,10 +25,11 @@ TEST_P(AdminInstanceTest, ContextThatReturnsNullCertDetails) { // Setup a context that returns null cert details. testing::NiceMock factory_context; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext config; - Extensions::TransportSockets::Tls::ClientContextConfigImpl cfg(config, factory_context); + auto cfg = + *Extensions::TransportSockets::Tls::ClientContextConfigImpl::create(config, factory_context); Stats::IsolatedStoreImpl store; Envoy::Ssl::ClientContextSharedPtr client_ctx( - *server_.sslContextManager().createSslClientContext(*store.rootScope(), cfg)); + *server_.sslContextManager().createSslClientContext(*store.rootScope(), *cfg)); const std::string expected_empty_json = R"EOF({ "certificates": [ diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml index 4519fd6fb8cd..67e1aa75e783 100644 --- a/tools/code_format/config.yaml +++ b/tools/code_format/config.yaml @@ -152,7 +152,6 @@ paths: - source/common/grpc/google_grpc_creds_impl.cc - source/common/local_reply/local_reply.cc - source/common/tls/server_context_impl.cc - - source/common/tls/context_config_impl.cc - source/common/config/watched_directory.cc - source/server/drain_manager_impl.cc - source/common/router/rds_impl.cc