diff --git a/encoding/proto/proto.go b/encoding/proto/proto.go index e1230fdd358a..3009b35afe7d 100644 --- a/encoding/proto/proto.go +++ b/encoding/proto/proto.go @@ -21,6 +21,8 @@ package proto import ( + "fmt" + "github.com/golang/protobuf/proto" "google.golang.org/grpc/encoding" ) @@ -36,11 +38,19 @@ func init() { type codec struct{} func (codec) Marshal(v interface{}) ([]byte, error) { - return proto.Marshal(v.(proto.Message)) + vv, ok := v.(proto.Message) + if !ok { + return nil, fmt.Errorf("failed to marshal, message is %T, want proto.Message", v) + } + return proto.Marshal(vv) } func (codec) Unmarshal(data []byte, v interface{}) error { - return proto.Unmarshal(data, v.(proto.Message)) + vv, ok := v.(proto.Message) + if !ok { + return fmt.Errorf("failed to unmarshal, message is %T, want proto.Message", v) + } + return proto.Unmarshal(data, vv) } func (codec) Name() string { diff --git a/vet.sh b/vet.sh index b41df6dc8607..4012b051d8de 100755 --- a/vet.sh +++ b/vet.sh @@ -28,7 +28,7 @@ cleanup() { } trap cleanup EXIT -PATH="${GOPATH}/bin:${GOROOT}/bin:${PATH}" +PATH="${HOME}/go/bin:${GOROOT}/bin:${PATH}" if [[ "$1" = "-install" ]]; then # Check for module support diff --git a/xds/internal/client/client_cds_test.go b/xds/internal/client/client_cds_test.go index 6cba7ef12a08..a8ec41165ba2 100644 --- a/xds/internal/client/client_cds_test.go +++ b/xds/internal/client/client_cds_test.go @@ -31,6 +31,7 @@ import ( anypb "github.com/golang/protobuf/ptypes/any" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" + "google.golang.org/grpc/xds/internal/env" "google.golang.org/grpc/xds/internal/version" ) @@ -184,7 +185,65 @@ func (s) TestValidateCluster_Success(t *testing.T) { } } +func (s) TestValidateClusterWithSecurityConfig_EnvVarOff(t *testing.T) { + // Turn off the env var protection for client-side security. + origClientSideSecurityEnvVar := env.ClientSideSecuritySupport + env.ClientSideSecuritySupport = false + defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }() + + cluster := &v3clusterpb.Cluster{ + ClusterDiscoveryType: &v3clusterpb.Cluster_Type{Type: v3clusterpb.Cluster_EDS}, + EdsClusterConfig: &v3clusterpb.Cluster_EdsClusterConfig{ + EdsConfig: &v3corepb.ConfigSource{ + ConfigSourceSpecifier: &v3corepb.ConfigSource_Ads{ + Ads: &v3corepb.AggregatedConfigSource{}, + }, + }, + ServiceName: serviceName, + }, + LbPolicy: v3clusterpb.Cluster_ROUND_ROBIN, + TransportSocket: &v3corepb.TransportSocket{ + Name: "envoy.transport_sockets.tls", + ConfigType: &v3corepb.TransportSocket_TypedConfig{ + TypedConfig: &anypb.Any{ + TypeUrl: version.V3UpstreamTLSContextURL, + Value: func() []byte { + tls := &v3tlspb.UpstreamTlsContext{ + CommonTlsContext: &v3tlspb.CommonTlsContext{ + ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{ + ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ + InstanceName: "rootInstance", + CertificateName: "rootCert", + }, + }, + }, + } + mtls, _ := proto.Marshal(tls) + return mtls + }(), + }, + }, + }, + } + wantUpdate := ClusterUpdate{ + ServiceName: serviceName, + EnableLRS: false, + } + gotUpdate, err := validateCluster(cluster) + if err != nil { + t.Errorf("validateCluster() failed: %v", err) + } + if diff := cmp.Diff(wantUpdate, gotUpdate); diff != "" { + t.Errorf("validateCluster() returned unexpected diff (-want, got):\n%s", diff) + } +} + func (s) TestValidateClusterWithSecurityConfig(t *testing.T) { + // Turn on the env var protection for client-side security. + origClientSideSecurityEnvVar := env.ClientSideSecuritySupport + env.ClientSideSecuritySupport = true + defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }() + const ( identityPluginInstance = "identityPluginInstance" identityCertName = "identityCert" diff --git a/xds/internal/client/client_xds.go b/xds/internal/client/client_xds.go index af25ce226bd4..0d36a50d5c02 100644 --- a/xds/internal/client/client_xds.go +++ b/xds/internal/client/client_xds.go @@ -33,6 +33,7 @@ import ( v3typepb "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/golang/protobuf/proto" anypb "github.com/golang/protobuf/ptypes/any" + "google.golang.org/grpc/xds/internal/env" "google.golang.org/grpc/internal/grpclog" "google.golang.org/grpc/xds/internal" @@ -305,9 +306,14 @@ func validateCluster(cluster *v3clusterpb.Cluster) (ClusterUpdate, error) { return emptyUpdate, fmt.Errorf("xds: unexpected lbPolicy %v in response: %+v", cluster.GetLbPolicy(), cluster) } - sc, err := securityConfigFromCluster(cluster) - if err != nil { - return emptyUpdate, err + // Process security configuration received from the control plane iff the + // corresponding environment variable is set. + var sc *SecurityConfig + if env.ClientSideSecuritySupport { + var err error + if sc, err = securityConfigFromCluster(cluster); err != nil { + return emptyUpdate, err + } } return ClusterUpdate{ ServiceName: cluster.GetEdsClusterConfig().GetServiceName(), diff --git a/xds/internal/env/env.go b/xds/internal/env/env.go index 3b338eae05fd..26b97ec32a49 100644 --- a/xds/internal/env/env.go +++ b/xds/internal/env/env.go @@ -26,8 +26,9 @@ import ( ) const ( - bootstrapFileNameEnv = "GRPC_XDS_BOOTSTRAP" - xdsV3SupportEnv = "GRPC_XDS_EXPERIMENTAL_V3_SUPPORT" + bootstrapFileNameEnv = "GRPC_XDS_BOOTSTRAP" + xdsV3SupportEnv = "GRPC_XDS_EXPERIMENTAL_V3_SUPPORT" + clientSideSecuritySupportEnv = "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" ) var ( @@ -39,4 +40,11 @@ var ( // done by setting the environment variable // "GRPC_XDS_EXPERIMENTAL_V3_SUPPORT" to "true". V3Support = strings.EqualFold(os.Getenv(xdsV3SupportEnv), "true") + // ClientSideSecuritySupport is used to control processing of security + // configuration on the client-side. + // + // Note that there is no env var protection for the server-side because we + // have a brand new API on the server-side and users explicitly need to use + // the new API to get security integration on the server. + ClientSideSecuritySupport = strings.EqualFold(os.Getenv(clientSideSecuritySupportEnv), "true") )