
cherry-pick commits to 1.34.x (#4229)
Co-authored-by: Easwar Swaminathan <[email protected]>

This is a cherry pick of 
- encoding/proto: do not panic when types do not match (#4218)
- xds: add env var protection for client-side security (#4247)
menghanl authored Mar 11, 2021
1 parent dc1307f commit d6e9a49
Showing 5 changed files with 91 additions and 8 deletions.
14 changes: 12 additions & 2 deletions encoding/proto/proto.go
Expand Up @@ -21,6 +21,8 @@
package proto

import (
"fmt"

"github.com/golang/protobuf/proto"
"google.golang.org/grpc/encoding"
)
Expand All @@ -36,11 +38,19 @@ func init() {
type codec struct{}

func (codec) Marshal(v interface{}) ([]byte, error) {
return proto.Marshal(v.(proto.Message))
vv, ok := v.(proto.Message)
if !ok {
return nil, fmt.Errorf("failed to marshal, message is %T, want proto.Message", v)
}
return proto.Marshal(vv)
}

func (codec) Unmarshal(data []byte, v interface{}) error {
return proto.Unmarshal(data, v.(proto.Message))
vv, ok := v.(proto.Message)
if !ok {
return fmt.Errorf("failed to unmarshal, message is %T, want proto.Message", v)
}
return proto.Unmarshal(data, vv)
}

func (codec) Name() string {
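Review bot: The new error strings in Marshal and Unmarshal (`fmt.Errorf("failed to marshal, message is %T, want proto.Message", v)` and its Unmarshal twin) carry a "failed to" prefix that becomes redundant once a caller wraps the error; Go convention is to state what this layer was doing. Something like `return nil, fmt.Errorf("proto: cannot marshal %T, want proto.Message", v)` and `return fmt.Errorf("proto: cannot unmarshal into %T, want proto.Message", v)` reads better in a chain and names the codec that rejected the value. The check itself is the right shape: a nil or foreign `v` now comes back as a codec error instead of a panic in the transport, and `v == nil` falls into the `!ok` branch without needing a separate test. Name() on the last line of the hunk continues outside it.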
2 changes: 1 addition & 1 deletion vet.sh
Expand Up @@ -28,7 +28,7 @@ cleanup() {
}
trap cleanup EXIT

PATH="${GOPATH}/bin:${GOROOT}/bin:${PATH}"
PATH="${HOME}/go/bin:${GOROOT}/bin:${PATH}"

if [[ "$1" = "-install" ]]; then
# Check for module support
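Review bot: The replacement `PATH="${HOME}/go/bin:${GOROOT}/bin:${PATH}"` hardcodes the default binary location and silently ignores a GOPATH the developer has set elsewhere, so tools installed under a custom GOPATH will no longer be found by the script. `PATH="${GOPATH:-${HOME}/go}/bin:${GOROOT}/bin:${PATH}"` keeps the new default for environments where GOPATH is unset (presumably the motivation for this change) while still honoring it when present, and it does so without calling `go env` before `${GOROOT}/bin` is on the PATH.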
59 changes: 59 additions & 0 deletions xds/internal/client/client_cds_test.go
Expand Up @@ -31,6 +31,7 @@ import (
anypb "github.com/golang/protobuf/ptypes/any"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"google.golang.org/grpc/xds/internal/env"
"google.golang.org/grpc/xds/internal/version"
)

Expand Down Expand Up @@ -184,7 +185,65 @@ func (s) TestValidateCluster_Success(t *testing.T) {
}
}

func (s) TestValidateClusterWithSecurityConfig_EnvVarOff(t *testing.T) {
// Turn off the env var protection for client-side security.
origClientSideSecurityEnvVar := env.ClientSideSecuritySupport
env.ClientSideSecuritySupport = false
defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }()

cluster := &v3clusterpb.Cluster{
ClusterDiscoveryType: &v3clusterpb.Cluster_Type{Type: v3clusterpb.Cluster_EDS},
EdsClusterConfig: &v3clusterpb.Cluster_EdsClusterConfig{
EdsConfig: &v3corepb.ConfigSource{
ConfigSourceSpecifier: &v3corepb.ConfigSource_Ads{
Ads: &v3corepb.AggregatedConfigSource{},
},
},
ServiceName: serviceName,
},
LbPolicy: v3clusterpb.Cluster_ROUND_ROBIN,
TransportSocket: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: &anypb.Any{
TypeUrl: version.V3UpstreamTLSContextURL,
Value: func() []byte {
tls := &v3tlspb.UpstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{
ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{
InstanceName: "rootInstance",
CertificateName: "rootCert",
},
},
},
}
mtls, _ := proto.Marshal(tls)
return mtls
}(),
},
},
},
}
wantUpdate := ClusterUpdate{
ServiceName: serviceName,
EnableLRS: false,
}
gotUpdate, err := validateCluster(cluster)
if err != nil {
t.Errorf("validateCluster() failed: %v", err)
}
if diff := cmp.Diff(wantUpdate, gotUpdate); diff != "" {
t.Errorf("validateCluster() returned unexpected diff (-want, got):\n%s", diff)
}
}

func (s) TestValidateClusterWithSecurityConfig(t *testing.T) {
// Turn on the env var protection for client-side security.
origClientSideSecurityEnvVar := env.ClientSideSecuritySupport
env.ClientSideSecuritySupport = true
defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }()

const (
identityPluginInstance = "identityPluginInstance"
identityCertName = "identityCert"
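Review bot: In TestValidateClusterWithSecurityConfig_EnvVarOff the fixture discards the marshal error on `mtls, _ := proto.Marshal(tls)`, and a failing `validateCluster` is reported with `t.Errorf` but execution continues into `cmp.Diff` against a zero-value update. A marshal failure would leave an empty TypedConfig, so the test would pass whether or not the off switch actually discarded a well-formed TLS config; `if err != nil { t.Fatalf("proto.Marshal(tls) failed: %v", err) }` inside the closure and `t.Fatalf("validateCluster() failed: %v", err)` on the error branch pin the intent. Both new tests also mutate the package-level `env.ClientSideSecuritySupport`, so neither can safely call `t.Parallel()`; a one-line comment on the defer, `// Restores the global flag; this test must not run in parallel.`, would save the next author from finding that out the hard way. TestValidateClusterWithSecurityConfig continues outside the hunk.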
12 changes: 9 additions & 3 deletions xds/internal/client/client_xds.go
Expand Up @@ -33,6 +33,7 @@ import (
v3typepb "github.com/envoyproxy/go-control-plane/envoy/type/v3"
"github.com/golang/protobuf/proto"
anypb "github.com/golang/protobuf/ptypes/any"
"google.golang.org/grpc/xds/internal/env"

"google.golang.org/grpc/internal/grpclog"
"google.golang.org/grpc/xds/internal"
Expand Down Expand Up @@ -305,9 +306,14 @@ func validateCluster(cluster *v3clusterpb.Cluster) (ClusterUpdate, error) {
return emptyUpdate, fmt.Errorf("xds: unexpected lbPolicy %v in response: %+v", cluster.GetLbPolicy(), cluster)
}

sc, err := securityConfigFromCluster(cluster)
if err != nil {
return emptyUpdate, err
// Process security configuration received from the control plane iff the
// corresponding environment variable is set.
var sc *SecurityConfig
if env.ClientSideSecuritySupport {
var err error
if sc, err = securityConfigFromCluster(cluster); err != nil {
return emptyUpdate, err
}
}
return ClusterUpdate{
ServiceName: cluster.GetEdsClusterConfig().GetServiceName(),
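Review bot: When `env.ClientSideSecuritySupport` is false, a cluster that carries a TransportSocket is accepted with `sc` left nil, so the returned ClusterUpdate carries no security config even though the control plane asked for one. That is the intended gate for an experimental feature, but it is a fail-open that an operator cannot see from the outside; consider emitting a warning through the package's grpclog logger (already imported at the top of the file) when `cluster.GetTransportSocket() != nil` and the flag is off, and stating the consequence in the new comment, e.g. `// When the env var is unset, any transport_socket on the cluster is ignored and the update carries no security config.` validateCluster begins and ends outside the hunk.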
12 changes: 10 additions & 2 deletions xds/internal/env/env.go
Expand Up @@ -26,8 +26,9 @@ import (
)

const (
bootstrapFileNameEnv = "GRPC_XDS_BOOTSTRAP"
xdsV3SupportEnv = "GRPC_XDS_EXPERIMENTAL_V3_SUPPORT"
bootstrapFileNameEnv = "GRPC_XDS_BOOTSTRAP"
xdsV3SupportEnv = "GRPC_XDS_EXPERIMENTAL_V3_SUPPORT"
clientSideSecuritySupportEnv = "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
)

var (
Expand All @@ -39,4 +40,11 @@ var (
// done by setting the environment variable
// "GRPC_XDS_EXPERIMENTAL_V3_SUPPORT" to "true".
V3Support = strings.EqualFold(os.Getenv(xdsV3SupportEnv), "true")
// ClientSideSecuritySupport is used to control processing of security
// configuration on the client-side.
//
// Note that there is no env var protection for the server-side because we
// have a brand new API on the server-side and users explicitly need to use
// the new API to get security integration on the server.
ClientSideSecuritySupport = strings.EqualFold(os.Getenv(clientSideSecuritySupportEnv), "true")
)
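Review bot: The doc comment on the new ClientSideSecuritySupport variable explains the server-side exception but, unlike V3Support just above it, never says which environment variable or value turns the feature on, so a reader has to chase the unexported constant. Adding the sibling's phrasing, `// This can be enabled by setting the environment variable` followed by `// "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" to "true".`, keeps the two flags documented consistently. It is also worth stating that the default is off, so security configuration delivered over xDS is ignored unless the variable is set.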
