Add tests and fix bugs

murgatroid99 · murgatroid99 · commit 1a1024aa1ebc · 2024-10-14T15:08:49.000-07:00
diff --git a/packages/grpc-js-xds/src/xds-bootstrap.ts b/packages/grpc-js-xds/src/xds-bootstrap.ts
@@ -345,7 +345,7 @@ function validateFileWatcherPluginConfig(obj: any, instanceName: string): FileWa
   return {
     certificateFile: obj.certificate_file,
     privateKeyFile: obj.private_key_file,
-    caCertificateFile: obj.caCertificateFile,
+    caCertificateFile: obj.ca_certificate_file,
     refreshIntervalMs: durationToMs(refreshDuration)
   };
 }
diff --git a/packages/grpc-js-xds/src/xds-resource-type/listener-resource-type.ts b/packages/grpc-js-xds/src/xds-resource-type/listener-resource-type.ts
@@ -143,34 +143,46 @@ function validateFilterChain(context: XdsDecodeContext, filterChain: FilterChain
   if (filterChain.transport_socket) {
     const transportSocket = filterChain.transport_socket;
     if (transportSocket.name !== 'envoy.transport_sockets.tls') {
+      trace('Wrong transportSocket.name');
+      return false;
+    }
+    if (!transportSocket.typed_config) {
+      trace('No typed_config');
       return false;
     }
     if (transportSocket.typed_config?.type_url !== DOWNSTREAM_TLS_CONTEXT_TYPE_URL) {
+      trace(`Wrong typed_config type_url: ${transportSocket.typed_config?.type_url}`);
       return false;
     }
     const downstreamTlsContext = decodeSingleResource(DOWNSTREAM_TLS_CONTEXT_TYPE_URL, transportSocket.typed_config.value);
     if (!downstreamTlsContext.common_tls_context) {
+      trace('No common_tls_context');
       return false;
     }
     const commonTlsContext = downstreamTlsContext.common_tls_context;
     if (!commonTlsContext.tls_certificate_provider_instance) {
+      trace('No tls_certificate_provider_instance');
       return false;
     }
     if (!(commonTlsContext.tls_certificate_provider_instance.instance_name in context.bootstrap.certificateProviders)) {
+      trace('Unmatched tls_certificate_provider_instance instance_name');
       return false;
     }
     let validationContext: CertificateValidationContext__Output | null;
     switch (commonTlsContext.validation_context_type) {
       case 'validation_context_sds_secret_config':
+        trace('Unexpected validation_context_sds_secret_config')
         return false;
       case 'validation_context':
         if (!commonTlsContext.validation_context) {
+          trace('Missing validation_context');
           return false;
         }
         validationContext = commonTlsContext.validation_context;
         break;
       case 'combined_validation_context':
         if (!commonTlsContext.combined_validation_context) {
+          trace('Missing combined_validation_context')
           return false;
         }
         validationContext = commonTlsContext.combined_validation_context.default_validation_context;
@@ -179,21 +191,27 @@ function validateFilterChain(context: XdsDecodeContext, filterChain: FilterChain
         return false;
     }
     if (validationContext?.ca_certificate_provider_instance && !(validationContext.ca_certificate_provider_instance.instance_name in context.bootstrap.certificateProviders)) {
+      trace('Unmatched validationContext instance_name');
       return false;
     }
     if (downstreamTlsContext.require_client_certificate && !validationContext) {
+      trace('require_client_certificate set without validationContext');
       return false;
     }
     if (commonTlsContext.tls_params) {
+      trace('tls_params set');
       return false;
     }
     if (commonTlsContext.custom_handshaker) {
+      trace('custom_handshaker set');
       return false;
     }
     if (downstreamTlsContext.require_sni?.value) {
+      trace('require_sni set');
       return false;
     }
     if (downstreamTlsContext.ocsp_staple_policy !== 'LENIENT_STAPLING') {
+      trace('Unexpected ocsp_staple_policy');
       return false;
     }
   }
diff --git a/packages/grpc-js-xds/test/test-xds-credentials.ts b/packages/grpc-js-xds/test/test-xds-credentials.ts
@@ -75,9 +75,64 @@ describe('Server xDS Credentials', () => {
       common_tls_context: {
         tls_certificate_provider_instance: {
           instance_name: 'test_certificates'
+        },
+        validation_context: {}
+      },
+      ocsp_staple_policy: 'LENIENT_STAPLING'
+    }
+    const baseServerListener: Listener = {
+      default_filter_chain: {
+        filter_chain_match: {
+          source_type: 'SAME_IP_OR_LOOPBACK'
+        },
+        transport_socket: {
+          name: 'envoy.transport_sockets.tls',
+          typed_config: downstreamTlsContext
         }
       }
     }
+    const serverRoute = new FakeServerRoute(backend.getPort(), 'serverRoute', baseServerListener);
+    xdsServer.setRdsResource(serverRoute.getRouteConfiguration());
+    xdsServer.setLdsResource(serverRoute.getListener());
+    xdsServer.addResponseListener((typeUrl, responseState) => {
+      if (responseState.state === 'NACKED') {
+        client?.stopCalls();
+        assert.fail(`Client NACKED ${typeUrl} resource with message ${responseState.errorMessage}`);
+      }
+    });
+    const cluster = new FakeEdsCluster('cluster1', 'endpoint1', [{backends: [backend], locality:{region: 'region1'}}]);
+    const routeGroup = new FakeRouteGroup('listener1', 'route1', [{cluster: cluster}]);
+    await routeGroup.startAllBackends(xdsServer);
+    xdsServer.setEdsResource(cluster.getEndpointConfig());
+    xdsServer.setCdsResource(cluster.getClusterConfig());
+    xdsServer.setRdsResource(routeGroup.getRouteConfiguration());
+    xdsServer.setLdsResource(routeGroup.getListener());
+    client = XdsTestClient.createFromServer('listener1', xdsServer, credentials.createSsl(ca), {
+      'grpc.ssl_target_name_override': 'foo.test.google.fr',
+      'grpc.default_authority': 'foo.test.google.fr',
+    });
+    const error = await client.sendOneCallAsync();
+    assert.strictEqual(error, null);
+  });
+  it('Should use identity and CA certificates when configured', async () => {
+    const [backend] = await createBackends(1, true, new XdsServerCredentials(ServerCredentials.createInsecure()));
+    const downstreamTlsContext: DownstreamTlsContext & AnyExtension = {
+      '@type': DOWNSTREAM_TLS_CONTEXT_TYPE_URL,
+      common_tls_context: {
+        tls_certificate_provider_instance: {
+          instance_name: 'test_certificates'
+        },
+        validation_context: {
+          ca_certificate_provider_instance: {
+            instance_name: 'test_certificates'
+          }
+        }
+      },
+      ocsp_staple_policy: 'LENIENT_STAPLING',
+      require_client_certificate: {
+        value: true
+      }
+    }
     const baseServerListener: Listener = {
       default_filter_chain: {
         filter_chain_match: {
@@ -105,7 +160,10 @@ describe('Server xDS Credentials', () => {
     xdsServer.setCdsResource(cluster.getClusterConfig());
     xdsServer.setRdsResource(routeGroup.getRouteConfiguration());
     xdsServer.setLdsResource(routeGroup.getListener());
-    client = XdsTestClient.createFromServer('listener1', xdsServer, credentials.createSsl(ca));
+    client = XdsTestClient.createFromServer('listener1', xdsServer, credentials.createSsl(ca, key, cert), {
+      'grpc.ssl_target_name_override': 'foo.test.google.fr',
+      'grpc.default_authority': 'foo.test.google.fr',
+    });
     const error = await client.sendOneCallAsync();
     assert.strictEqual(error, null);
   });
diff --git a/packages/grpc-js-xds/test/xds-server.ts b/packages/grpc-js-xds/test/xds-server.ts
@@ -53,6 +53,7 @@ const loadedProtos = loadPackageDefinition(loadSync(
     'envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto',
     'envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto',
     'envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto',
+    'envoy/extensions/transport_sockets/tls/v3/tls.proto',
     'xds/type/v3/typed_struct.proto'
   ],
   {
diff --git a/packages/grpc-js/src/certificate-provider.ts b/packages/grpc-js/src/certificate-provider.ts
@@ -90,7 +90,7 @@ export class FileWatcherCertificateProvider implements CertificateProvider {
       if (!this.refreshTimer) {
         return;
       }
-      trace('File watcher read certificates certificate' + (certificateResult ? '!=' : '==') + 'null, privateKey' + (privateKeyResult ? '!=' : '==') + 'null, CA certificate' + (caCertificateResult ? '!=' : '==') + 'null');
+      trace('File watcher read certificates certificate ' + certificateResult.status + ', privateKey ' + privateKeyResult.status + ', CA certificate ' + caCertificateResult.status);
       this.lastUpdateTime = new Date();
       this.fileResultPromise = null;
       if (certificateResult.status === 'fulfilled' && privateKeyResult.status === 'fulfilled') {
diff --git a/packages/grpc-js/src/server-credentials.ts b/packages/grpc-js/src/server-credentials.ts
@@ -225,24 +225,24 @@ class CertificateProviderServerCredentials extends ServerCredentials {
   private caCertificateUpdateListener: CaCertificateUpdateListener = this.handleCaCertificateUpdate.bind(this);
   private identityCertificateUpdateListener: IdentityCertificateUpdateListener = this.handleIdentityCertitificateUpdate.bind(this);
   constructor(
-    private caCertificateProvider: CertificateProvider,
-    private identityCertificateProvider: CertificateProvider | null,
+    private identityCertificateProvider: CertificateProvider,
+    private caCertificateProvider: CertificateProvider | null,
     private requireClientCertificate: boolean
   ) {
     super();
   }
   _addWatcher(watcher: SecureContextWatcher): void {
     if (this.getWatcherCount() === 0) {
-      this.caCertificateProvider.addCaCertificateListener(this.caCertificateUpdateListener);
-      this.identityCertificateProvider?.addIdentityCertificateListener(this.identityCertificateUpdateListener);
+      this.caCertificateProvider?.addCaCertificateListener(this.caCertificateUpdateListener);
+      this.identityCertificateProvider.addIdentityCertificateListener(this.identityCertificateUpdateListener);
     }
     super._addWatcher(watcher);
   }
   _removeWatcher(watcher: SecureContextWatcher): void {
     super._removeWatcher(watcher);
     if (this.getWatcherCount() === 0) {
-      this.caCertificateProvider.removeCaCertificateListener(this.caCertificateUpdateListener);
-      this.identityCertificateProvider?.removeIdentityCertificateListener(this.identityCertificateUpdateListener);
+      this.caCertificateProvider?.removeCaCertificateListener(this.caCertificateUpdateListener);
+      this.identityCertificateProvider.removeIdentityCertificateListener(this.identityCertificateUpdateListener);
     }
   }
   _isSecure(): boolean {
@@ -279,7 +279,8 @@ class CertificateProviderServerCredentials extends ServerCredentials {
   }
 
   private finalizeUpdate() {
-    this.updateSecureContextOptions(this.calculateSecureContextOptions());
+    const secureContextOptions = this.calculateSecureContextOptions();
+    this.updateSecureContextOptions(secureContextOptions);
   }
 
   private handleCaCertificateUpdate(update: CaCertificateUpdate | null) {

Original file line number	Diff line number	Diff line change
`@@ -345,7 +345,7 @@ function validateFileWatcherPluginConfig(obj: any, instanceName: string): FileWa`
`345`	`345`	`return {`
`346`	`346`	`certificateFile: obj.certificate_file,`
`347`	`347`	`privateKeyFile: obj.private_key_file,`
`348`		`- caCertificateFile: obj.caCertificateFile,`
	`348`	`+ caCertificateFile: obj.ca_certificate_file,`
`349`	`349`	`refreshIntervalMs: durationToMs(refreshDuration)`
`350`	`350`	`};`
`351`	`351`	`}`
Original file line number	Diff line number	Diff line change
`@@ -143,34 +143,46 @@ function validateFilterChain(context: XdsDecodeContext, filterChain: FilterChain`
`143`	`143`	`if (filterChain.transport_socket) {`
`144`	`144`	`const transportSocket = filterChain.transport_socket;`
`145`	`145`	`if (transportSocket.name !== 'envoy.transport_sockets.tls') {`
	`146`	`+ trace('Wrong transportSocket.name');`
	`147`	`+ return false;`
	`148`	`+ }`
	`149`	`+ if (!transportSocket.typed_config) {`
	`150`	`+ trace('No typed_config');`
`146`	`151`	`return false;`
`147`	`152`	`}`
`148`	`153`	`if (transportSocket.typed_config?.type_url !== DOWNSTREAM_TLS_CONTEXT_TYPE_URL) {`
	`154`	+ trace(`Wrong typed_config type_url: ${transportSocket.typed_config?.type_url}`);
`149`	`155`	`return false;`
`150`	`156`	`}`
`151`	`157`	`const downstreamTlsContext = decodeSingleResource(DOWNSTREAM_TLS_CONTEXT_TYPE_URL, transportSocket.typed_config.value);`
`152`	`158`	`if (!downstreamTlsContext.common_tls_context) {`
	`159`	`+ trace('No common_tls_context');`
`153`	`160`	`return false;`
`154`	`161`	`}`
`155`	`162`	`const commonTlsContext = downstreamTlsContext.common_tls_context;`
`156`	`163`	`if (!commonTlsContext.tls_certificate_provider_instance) {`
	`164`	`+ trace('No tls_certificate_provider_instance');`
`157`	`165`	`return false;`
`158`	`166`	`}`
`159`	`167`	`if (!(commonTlsContext.tls_certificate_provider_instance.instance_name in context.bootstrap.certificateProviders)) {`
	`168`	`+ trace('Unmatched tls_certificate_provider_instance instance_name');`
`160`	`169`	`return false;`
`161`	`170`	`}`
`162`	`171`	`let validationContext: CertificateValidationContext__Output \| null;`
`163`	`172`	`switch (commonTlsContext.validation_context_type) {`
`164`	`173`	`case 'validation_context_sds_secret_config':`
	`174`	`+ trace('Unexpected validation_context_sds_secret_config')`
`165`	`175`	`return false;`
`166`	`176`	`case 'validation_context':`
`167`	`177`	`if (!commonTlsContext.validation_context) {`
	`178`	`+ trace('Missing validation_context');`
`168`	`179`	`return false;`
`169`	`180`	`}`
`170`	`181`	`validationContext = commonTlsContext.validation_context;`
`171`	`182`	`break;`
`172`	`183`	`case 'combined_validation_context':`
`173`	`184`	`if (!commonTlsContext.combined_validation_context) {`
	`185`	`+ trace('Missing combined_validation_context')`
`174`	`186`	`return false;`
`175`	`187`	`}`
`176`	`188`	`validationContext = commonTlsContext.combined_validation_context.default_validation_context;`
`@@ -179,21 +191,27 @@ function validateFilterChain(context: XdsDecodeContext, filterChain: FilterChain`
`179`	`191`	`return false;`
`180`	`192`	`}`
`181`	`193`	`if (validationContext?.ca_certificate_provider_instance && !(validationContext.ca_certificate_provider_instance.instance_name in context.bootstrap.certificateProviders)) {`
	`194`	`+ trace('Unmatched validationContext instance_name');`
`182`	`195`	`return false;`
`183`	`196`	`}`
`184`	`197`	`if (downstreamTlsContext.require_client_certificate && !validationContext) {`
	`198`	`+ trace('require_client_certificate set without validationContext');`
`185`	`199`	`return false;`
`186`	`200`	`}`
`187`	`201`	`if (commonTlsContext.tls_params) {`
	`202`	`+ trace('tls_params set');`
`188`	`203`	`return false;`
`189`	`204`	`}`
`190`	`205`	`if (commonTlsContext.custom_handshaker) {`
	`206`	`+ trace('custom_handshaker set');`
`191`	`207`	`return false;`
`192`	`208`	`}`
`193`	`209`	`if (downstreamTlsContext.require_sni?.value) {`
	`210`	`+ trace('require_sni set');`
`194`	`211`	`return false;`
`195`	`212`	`}`
`196`	`213`	`if (downstreamTlsContext.ocsp_staple_policy !== 'LENIENT_STAPLING') {`
	`214`	`+ trace('Unexpected ocsp_staple_policy');`
`197`	`215`	`return false;`
`198`	`216`	`}`
`199`	`217`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ const loadedProtos = loadPackageDefinition(loadSync(`
`53`	`53`	`'envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto',`
`54`	`54`	`'envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto',`
`55`	`55`	`'envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto',`
	`56`	`+ 'envoy/extensions/transport_sockets/tls/v3/tls.proto',`
`56`	`57`	`'xds/type/v3/typed_struct.proto'`
`57`	`58`	`],`
`58`	`59`	`{`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ export class FileWatcherCertificateProvider implements CertificateProvider {`
`90`	`90`	`if (!this.refreshTimer) {`
`91`	`91`	`return;`
`92`	`92`	`}`
`93`		`- trace('File watcher read certificates certificate' + (certificateResult ? '!=' : '==') + 'null, privateKey' + (privateKeyResult ? '!=' : '==') + 'null, CA certificate' + (caCertificateResult ? '!=' : '==') + 'null');`
	`93`	`+ trace('File watcher read certificates certificate ' + certificateResult.status + ', privateKey ' + privateKeyResult.status + ', CA certificate ' + caCertificateResult.status);`
`94`	`94`	`this.lastUpdateTime = new Date();`
`95`	`95`	`this.fileResultPromise = null;`
`96`	`96`	`if (certificateResult.status === 'fulfilled' && privateKeyResult.status === 'fulfilled') {`
Original file line number	Diff line number	Diff line change
`@@ -225,24 +225,24 @@ class CertificateProviderServerCredentials extends ServerCredentials {`
`225`	`225`	`private caCertificateUpdateListener: CaCertificateUpdateListener = this.handleCaCertificateUpdate.bind(this);`
`226`	`226`	`private identityCertificateUpdateListener: IdentityCertificateUpdateListener = this.handleIdentityCertitificateUpdate.bind(this);`
`227`	`227`	`constructor(`
`228`		`- private caCertificateProvider: CertificateProvider,`
`229`		`- private identityCertificateProvider: CertificateProvider \| null,`
	`228`	`+ private identityCertificateProvider: CertificateProvider,`
	`229`	`+ private caCertificateProvider: CertificateProvider \| null,`
`230`	`230`	`private requireClientCertificate: boolean`
`231`	`231`	`) {`
`232`	`232`	`super();`
`233`	`233`	`}`
`234`	`234`	`_addWatcher(watcher: SecureContextWatcher): void {`
`235`	`235`	`if (this.getWatcherCount() === 0) {`
`236`		`- this.caCertificateProvider.addCaCertificateListener(this.caCertificateUpdateListener);`
`237`		`- this.identityCertificateProvider?.addIdentityCertificateListener(this.identityCertificateUpdateListener);`
	`236`	`+ this.caCertificateProvider?.addCaCertificateListener(this.caCertificateUpdateListener);`
	`237`	`+ this.identityCertificateProvider.addIdentityCertificateListener(this.identityCertificateUpdateListener);`
`238`	`238`	`}`
`239`	`239`	`super._addWatcher(watcher);`
`240`	`240`	`}`
`241`	`241`	`_removeWatcher(watcher: SecureContextWatcher): void {`
`242`	`242`	`super._removeWatcher(watcher);`
`243`	`243`	`if (this.getWatcherCount() === 0) {`
`244`		`- this.caCertificateProvider.removeCaCertificateListener(this.caCertificateUpdateListener);`
`245`		`- this.identityCertificateProvider?.removeIdentityCertificateListener(this.identityCertificateUpdateListener);`
	`244`	`+ this.caCertificateProvider?.removeCaCertificateListener(this.caCertificateUpdateListener);`
	`245`	`+ this.identityCertificateProvider.removeIdentityCertificateListener(this.identityCertificateUpdateListener);`
`246`	`246`	`}`
`247`	`247`	`}`
`248`	`248`	`_isSecure(): boolean {`
`@@ -279,7 +279,8 @@ class CertificateProviderServerCredentials extends ServerCredentials {`
`279`	`279`	`}`
`280`	`280`
`281`	`281`	`private finalizeUpdate() {`
`282`		`- this.updateSecureContextOptions(this.calculateSecureContextOptions());`
	`282`	`+ const secureContextOptions = this.calculateSecureContextOptions();`
	`283`	`+ this.updateSecureContextOptions(secureContextOptions);`
`283`	`284`	`}`
`284`	`285`
`285`	`286`	`private handleCaCertificateUpdate(update: CaCertificateUpdate \| null) {`