tls: add functionality to override requested server name in the upstream cluster#4973
Conversation
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
…luster Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
| */ | ||
| virtual TransportSocketPtr createTransportSocket() const PURE; | ||
| virtual TransportSocketPtr | ||
| createTransportSocket(absl::optional<std::string> override_server_name) const PURE; |
There was a problem hiding this comment.
This should be const reference everywhere.
Thinking more, I think we would like some sort of TransportSocketOptions to passed into here, like an interface:
class TransportSocketOptions {
public:
virtual ~TransportSocketOptions();
virtual absl::optional<string> overrideServerName() const PURE;
virtual void hashKey(std::vector<uint8_t>& key) const PURE;
}
typedef std::shared_ptr<TransportSocketOptions> TransportSocketOptionsSharedPtr;
and pass TransportSocketOptionsSharedPtr around. This will help when we want to have more than override_server_name, and you can put this into FilterState as something called UpstreamTransportSocketOption.
There was a problem hiding this comment.
@lizan OK, thank you for the feedback, let me implement it.
|
Thanks @vadimeisenbergibm for extracting this. The structure looks nice though I think it can be more future proof. I re-kicked mac CI as it seems unrelated. |
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
| class ContextImpl : public virtual Context { | ||
| public: | ||
| virtual bssl::UniquePtr<SSL> newSsl() const; | ||
| virtual bssl::UniquePtr<SSL> newSsl(absl::optional<std::string> override_server_name) const; |
| TimeSource& time_source); | ||
|
|
||
| bssl::UniquePtr<SSL> newSsl() const override; | ||
| bssl::UniquePtr<SSL> newSsl(absl::optional<std::string> override_server_name) const override; |
There was a problem hiding this comment.
const ref for parameter (everywhere)
| class TransportSocketOptions { | ||
| public: | ||
| virtual ~TransportSocketOptions() {} | ||
| virtual absl::optional<std::string> overrideServerName() const PURE; |
There was a problem hiding this comment.
return a const reference for this.
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
lizan
left a comment
There was a problem hiding this comment.
The transport socket part LGTM modulo test.
| EXPECT_TRUE(transport_socket_options->overrideServerName().has_value()); | ||
| EXPECT_EQ(transport_socket_options->overrideServerName().value(), "www.example.com"); | ||
|
|
||
| (void)priority; // suppress unused warning |
There was a problem hiding this comment.
Just make the parameter unnamed. or UNREFERENCED_PARAMETER macro is for this.
There was a problem hiding this comment.
@lizan It seems lambda requires the parameters to be named. I will use UNREFERENCED_PARAMETER.
There was a problem hiding this comment.
I don't think so, lambda with unnamed parameters appears many times in the code base.
There was a problem hiding this comment.
You are right, I was probably confused by some other error before. Done.
| @@ -0,0 +1,10 @@ | |||
| #include "common/stream_info/forward_requested_server_name.h" | |||
There was a problem hiding this comment.
(cont from #4334 (comment))
I don't think this should be here and named like this. Name it "upstream_server_name" or "upstream_transport_socket_options" (if you put the class here).
The filter is not related directly to the TCP proxy. The filter specifies the intention that the SNI must be forwarded. Other filters, such as TCP proxy, can extract that information and forward the SNI.
The consumer of this is tcp_proxy, or you should make this into network namespace, as stream_info is for both L4/L7, while this is specific to transport socket / connection.
So there are three different names here:
- Forward Requested Server Name in the Stream Info, means that there is some requested server name, not necessarrily SNI, maybe requested server name from some other protocol, that must be forwarded to the upstream, not necessarily by tcp_proxy.
"forward" (i.e. propagating downstream server name to upstream) is decided by the filter setting this, this filter state doesn't imply that. Another filter can set this to arbitrary value.
The filter is not related directly to the TCP proxy. The filter specifies the intention that the SNI must be forwarded. Other filters, such as TCP proxy, can extract that information and forward the SNI.
- Override Server Name in tcp_proxy, cluster manager etc. it means that the server name of the upstream cluster must be overridden by that value. It does not specify that it is SNI and does not specify where this server name comes from.
Yes, this is right, now it is a struct named TransportSocketOptions.
There was a problem hiding this comment.
@lizan So, making that struct into the network namespace, and calling it upstream_server_name will be OK?
Should I make this upstream_transport_socket_options to hold TransportSocketOptions? My intention was to decouple Filter state objects from TransportSocketOptions. We can have different Filter State objects holding basic types as strings and different filters like tcp_proxy can compose TransportSocketOptions differently, according to their logic.
I am OK with both solutions.
There was a problem hiding this comment.
Yeah I think upstream_server_name should be OK, then we can keep every filter state small.
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
…rk/upstream_server_name Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
|
@lizan I have implemented your comments, the tests pass. |
| class TransportSocketOptions { | ||
| public: | ||
| virtual ~TransportSocketOptions() {} | ||
| virtual const absl::optional<std::string>& overrideServerName() const PURE; |
There was a problem hiding this comment.
Rename to serverNameOverride or just simply serverName; otherwise, it sounds like a mutating method vs. an option.
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
required for clang_tidy Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
htuch
left a comment
There was a problem hiding this comment.
LGTM modulo remaining comments.
|
|
||
| absl::string_view UpstreamServerName::key() { | ||
| // Construct On First Use Idiom: https://isocpp.org/wiki/faq/ctors#static-init-order-on-first-use | ||
| static const char* cstring_key = "envoy.network.upstream_server_name"; |
There was a problem hiding this comment.
You can use the existing macro for this,
envoy/source/common/common/version.cc
Line 13 in 1570696
| template <typename T> void pushScalarToByteVector(T val, std::vector<uint8_t>& bytes) { | ||
| uint8_t* byte_ptr = reinterpret_cast<uint8_t*>(&val); | ||
| for (unsigned int byte_index = 0; byte_index < sizeof val; byte_index++) { | ||
| bytes.push_back(*byte_ptr); |
There was a problem hiding this comment.
Nit: collapse two lines to bytes.push_back(*byte_ptr++);
| namespace Envoy { | ||
| template <typename T> void pushScalarToByteVector(T val, std::vector<uint8_t>& bytes) { | ||
| uint8_t* byte_ptr = reinterpret_cast<uint8_t*>(&val); | ||
| for (unsigned int byte_index = 0; byte_index < sizeof val; byte_index++) { |
There was a problem hiding this comment.
Nit: Envoy style prefers fixed type sizes, e.g. uint32_t here.
source/common/ssl/context_impl.h
Outdated
| public: | ||
| virtual bssl::UniquePtr<SSL> newSsl() const; | ||
| virtual bssl::UniquePtr<SSL> | ||
| newSsl(const absl::optional<std::string>& override_server_name) const; |
There was a problem hiding this comment.
Nit: making this argument an absl::optional<absl::string_view> (without reference) might be strictly more flexible.
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
This reverts commit 6c9128d. Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
|
@htuch I have applied your comments, all the tests pass. |
htuch
left a comment
There was a problem hiding this comment.
LGTM, one last test fix and we can merge, thanks.
| Network::MockActiveDnsQuery active_dns_query; | ||
| EXPECT_CALL(*dns_resolver, resolve(_, _, _)) | ||
| .WillRepeatedly(DoAll(SaveArg<2>(&dns_callback), Return(&active_dns_query))); | ||
| create(parseBootstrapFromJson(json)); |
There was a problem hiding this comment.
Can you switch this to v2 YAML config? v1 is deprecated and will be deleted real soon now.
Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
htuch
left a comment
There was a problem hiding this comment.
Thanks! Appreciate your patience while working through the final nits, I think this PR looks great.
|
@htuch My pleasure! Thank you for your patient reviewing. |
I think the earlier review indicated this was fine modulo test, and these LGTM.
|
@lizan if you have any further feedback, I'm thinking this will only be test related, so we can punt that to a further PR. |
* no need to submit git to google cloud; document how to invoke cloud build on local state * update latest envoy that * fix envoy compilation. see envoyproxy/envoy#4973
…sted server name, in HTTP filters similar to envoyproxy#4973 Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com>
…eam cluster (envoyproxy#4973) Add functionality to override requested server name in the upstream cluster Risk Level: medium Testing: unit tests Docs Changes: yes Release Notes: yes Related to envoyproxy#4076 Signed-off-by: Vadim Eisenberg <vadime@il.ibm.com> Signed-off-by: Fred Douglas <fredlas@google.com>
Description: add functionality to override requested server name in the upstream cluster
Risk Level: medium
Testing: unit tests
Docs Changes: yes
Release Notes: yes
Related to #4076