grpc: SSL credential support for Google gRPC client. (envoyproxy#2598)

* grpc: SSL credential support for Google gRPC client.

Risk Level: Low (not in use).
Testing: new unit tests to validate SSL connections (and client certs) for all gRPC client types.
  Added SSL to ads_integration_test to validate end-to-end.

Signed-off-by: Harvey Tuch <[email protected]>

.gitignore

@@ -12,3 +12,4 @@ BROWSE
 .deps
 *.pyc
 SOURCE_VERSION
+.cache

source/common/config/BUILD

@@ -85,6 +85,16 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "datasource_lib",
+    srcs = ["datasource.cc"],
+    hdrs = ["datasource.h"],
+    deps = [
+        "//source/common/filesystem:filesystem_lib",
+        "@envoy_api//envoy/api/v2/core:base_cc",
+    ],
+)
+
 envoy_cc_library(
     name = "filter_json_lib",
     srcs = ["filter_json.cc"],

source/common/config/datasource.cc

@@ -0,0 +1,35 @@
+#include "common/config/datasource.h"
+
+#include "common/filesystem/filesystem_impl.h"
+
+#include "fmt/format.h"
+
+namespace Envoy {
+namespace Config {
+namespace DataSource {
+
+std::string read(const envoy::api::v2::core::DataSource& source, bool allow_empty) {
+  switch (source.specifier_case()) {
+  case envoy::api::v2::core::DataSource::kFilename:
+    return Filesystem::fileReadToEnd(source.filename());
+  case envoy::api::v2::core::DataSource::kInlineBytes:
+    return source.inline_bytes();
+  case envoy::api::v2::core::DataSource::kInlineString:
+    return source.inline_string();
+  default:
+    if (!allow_empty) {
+      throw EnvoyException(
+          fmt::format("Unexpected DataSource::specifier_case(): {}", source.specifier_case()));
+    }
+    return "";
+  }
+}
+
+std::string getPath(const envoy::api::v2::core::DataSource& source) {
+  return source.specifier_case() == envoy::api::v2::core::DataSource::kFilename ? source.filename()
+                                                                                : "";
+}
+
+} // namespace DataSource
+} // namespace Config
+} // namespace Envoy

source/common/config/datasource.h

@@ -0,0 +1,26 @@
+#pragma once
+
+#include "envoy/api/v2/core/base.pb.h"
+
+namespace Envoy {
+namespace Config {
+namespace DataSource {
+
+/**
+ * Read contents of the DataSource.
+ * @param source data source.
+ * @param allow_empty return an empty string if no DataSource case is specified.
+ * @return std::string with DataSource contents.
+ * @throw EnvoyException if no DataSource case is specified and !allow_empty.
+ */
+std::string read(const envoy::api::v2::core::DataSource& source, bool allow_empty);
+
+/**
+ * @param source data source.
+ * @return std::string path to DataSource if a filename, otherwise an empty string.
+ */
+std::string getPath(const envoy::api::v2::core::DataSource& source);
+
+} // namespace DataSource
+} // namespace Config
+} // namespace Envoy

source/common/grpc/BUILD

@@ -87,6 +87,7 @@ envoy_cc_library(
         "//source/common/common:linked_object",
         "//source/common/common:thread_annotations",
         "//source/common/common:thread_lib",
+        "//source/common/config:datasource_lib",
         "//source/common/tracing:http_tracer_lib",
     ],
 )

source/common/grpc/async_client_manager_impl.cc

@@ -43,6 +43,7 @@ GoogleAsyncClientFactoryImpl::GoogleAsyncClientFactoryImpl(
       scope_(scope.createScope(fmt::format("grpc.{}.", config.stat_prefix()))), config_(config) {
 #ifndef ENVOY_GOOGLE_GRPC
   UNREFERENCED_PARAMETER(tls_);
+  UNREFERENCED_PARAMETER(google_tls_slot_);
   UNREFERENCED_PARAMETER(scope_);
   UNREFERENCED_PARAMETER(config_);
   throw EnvoyException("Google C++ gRPC client is not linked");

source/common/grpc/google_async_client_impl.cc

@@ -75,6 +75,7 @@ GoogleAsyncClientImpl::GoogleAsyncClientImpl(
 }
 
 GoogleAsyncClientImpl::~GoogleAsyncClientImpl() {
+  ENVOY_LOG(debug, "Client teardown, resetting streams");
   while (!active_streams_.empty()) {
     active_streams_.front()->resetStream();
   }

source/common/grpc/google_async_client_site.cc

@@ -1,5 +1,6 @@
 // Site-specific customizations for Google gRPC client implementation.
 
+#include "common/config/datasource.h"
 #include "common/grpc/google_async_client_impl.h"
 
 #include "grpc++/channel.h"
@@ -11,8 +12,18 @@ namespace Grpc {
 
 std::shared_ptr<grpc::Channel>
 GoogleAsyncClientImpl::createChannel(const envoy::api::v2::core::GrpcService::GoogleGrpc& config) {
-  // TODO(htuch): add support for SSL, OAuth2, GCP, etc. credentials.
-  std::shared_ptr<grpc::ChannelCredentials> creds = grpc::InsecureChannelCredentials();
+  // TODO(htuch): add support for OAuth2, GCP, etc. credentials.
+  std::shared_ptr<grpc::ChannelCredentials> creds;
+  if (config.has_ssl_credentials()) {
+    const grpc::SslCredentialsOptions ssl_creds = {
+        .pem_root_certs = Config::DataSource::read(config.ssl_credentials().root_certs(), true),
+        .pem_private_key = Config::DataSource::read(config.ssl_credentials().private_key(), true),
+        .pem_cert_chain = Config::DataSource::read(config.ssl_credentials().cert_chain(), true),
+    };
+    creds = grpc::SslCredentials(ssl_creds);
+  } else {
+    creds = grpc::InsecureChannelCredentials();
+  }
   return CreateChannel(config.target_uri(), creds);
 }
 

source/common/ssl/BUILD

@@ -34,6 +34,7 @@ envoy_cc_library(
     deps = [
         "//include/envoy/ssl:context_config_interface",
         "//source/common/common:assert_lib",
+        "//source/common/config:datasource_lib",
         "//source/common/config:tls_context_json_lib",
         "//source/common/json:json_loader_lib",
         "//source/common/protobuf:utility_lib",

source/common/ssl/context_config_impl.cc

@@ -3,8 +3,8 @@
 #include <string>
 
 #include "common/common/assert.h"
+#include "common/config/datasource.h"
 #include "common/config/tls_context_json.h"
-#include "common/filesystem/filesystem_impl.h"
 #include "common/protobuf/utility.h"
 
 #include "openssl/ssl.h"
@@ -41,22 +41,28 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex
           RepeatedPtrUtil::join(config.tls_params().cipher_suites(), ":"), DEFAULT_CIPHER_SUITES)),
       ecdh_curves_(StringUtil::nonEmptyStringOrDefault(
           RepeatedPtrUtil::join(config.tls_params().ecdh_curves(), ":"), DEFAULT_ECDH_CURVES)),
-      ca_cert_(readDataSource(config.validation_context().trusted_ca(), true)),
-      ca_cert_path_(getDataSourcePath(config.validation_context().trusted_ca())),
-      certificate_revocation_list_(readDataSource(config.validation_context().crl(), true)),
-      certificate_revocation_list_path_(getDataSourcePath(config.validation_context().crl())),
-      cert_chain_(config.tls_certificates().empty()
-                      ? ""
-                      : readDataSource(config.tls_certificates()[0].certificate_chain(), true)),
-      cert_chain_path_(config.tls_certificates().empty()
-                           ? ""
-                           : getDataSourcePath(config.tls_certificates()[0].certificate_chain())),
-      private_key_(config.tls_certificates().empty()
-                       ? ""
-                       : readDataSource(config.tls_certificates()[0].private_key(), true)),
-      private_key_path_(config.tls_certificates().empty()
-                            ? ""
-                            : getDataSourcePath(config.tls_certificates()[0].private_key())),
+      ca_cert_(Config::DataSource::read(config.validation_context().trusted_ca(), true)),
+      ca_cert_path_(Config::DataSource::getPath(config.validation_context().trusted_ca())),
+      certificate_revocation_list_(
+          Config::DataSource::read(config.validation_context().crl(), true)),
+      certificate_revocation_list_path_(
+          Config::DataSource::getPath(config.validation_context().crl())),
+      cert_chain_(
+          config.tls_certificates().empty()
+              ? ""
+              : Config::DataSource::read(config.tls_certificates()[0].certificate_chain(), true)),
+      cert_chain_path_(
+          config.tls_certificates().empty()
+              ? ""
+              : Config::DataSource::getPath(config.tls_certificates()[0].certificate_chain())),
+      private_key_(
+          config.tls_certificates().empty()
+              ? ""
+              : Config::DataSource::read(config.tls_certificates()[0].private_key(), true)),
+      private_key_path_(
+          config.tls_certificates().empty()
+              ? ""
+              : Config::DataSource::getPath(config.tls_certificates()[0].private_key())),
       verify_subject_alt_name_list_(config.validation_context().verify_subject_alt_name().begin(),
                                     config.validation_context().verify_subject_alt_name().end()),
       verify_certificate_hash_(config.validation_context().verify_certificate_hash().empty()
@@ -74,30 +80,6 @@ ContextConfigImpl::ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContex
   }
 }
 
-const std::string ContextConfigImpl::readDataSource(const envoy::api::v2::core::DataSource& source,
-                                                    bool allow_empty) {
-  switch (source.specifier_case()) {
-  case envoy::api::v2::core::DataSource::kFilename:
-    return Filesystem::fileReadToEnd(source.filename());
-  case envoy::api::v2::core::DataSource::kInlineBytes:
-    return source.inline_bytes();
-  case envoy::api::v2::core::DataSource::kInlineString:
-    return source.inline_string();
-  default:
-    if (!allow_empty) {
-      throw EnvoyException(
-          fmt::format("Unexpected DataSource::specifier_case(): {}", source.specifier_case()));
-    }
-    return "";
-  }
-}
-
-const std::string
-ContextConfigImpl::getDataSourcePath(const envoy::api::v2::core::DataSource& source) {
-  return source.specifier_case() == envoy::api::v2::core::DataSource::kFilename ? source.filename()
-                                                                                : "";
-}
-
 unsigned ContextConfigImpl::tlsVersionFromProto(
     const envoy::api::v2::auth::TlsParameters_TlsProtocol& version, unsigned default_version) {
   switch (version) {
@@ -143,7 +125,7 @@ ServerContextConfigImpl::ServerContextConfigImpl(
         switch (config.session_ticket_keys_type_case()) {
         case envoy::api::v2::auth::DownstreamTlsContext::kSessionTicketKeys:
           for (const auto& datasource : config.session_ticket_keys().keys()) {
-            validateAndAppendKey(ret, readDataSource(datasource, false));
+            validateAndAppendKey(ret, Config::DataSource::read(datasource, false));
           }
           break;
         case envoy::api::v2::auth::DownstreamTlsContext::kSessionTicketKeysSdsSecretConfig:

source/common/ssl/context_config_impl.h

@@ -50,10 +50,6 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig {
 protected:
   ContextConfigImpl(const envoy::api::v2::auth::CommonTlsContext& config);
 
-  static const std::string readDataSource(const envoy::api::v2::core::DataSource& source,
-                                          bool allow_empty);
-  static const std::string getDataSourcePath(const envoy::api::v2::core::DataSource& source);
-
 private:
   static unsigned
   tlsVersionFromProto(const envoy::api::v2::auth::TlsParameters_TlsProtocol& version,

test/common/grpc/BUILD

@@ -81,6 +81,7 @@ envoy_cc_test_library(
 envoy_cc_test(
     name = "grpc_client_integration_test",
     srcs = ["grpc_client_integration_test.cc"],
+    data = ["//test/config/integration/certs"],
     deps = [
         ":grpc_client_integration_lib",
         "//source/common/common:enum_to_int",
@@ -89,6 +90,9 @@ envoy_cc_test(
         "//source/common/http/http2:conn_pool_lib",
         "//source/common/network:connection_lib",
         "//source/common/network:raw_buffer_socket_lib",
+        "//source/common/ssl:context_lib",
+        "//source/common/ssl:context_config_lib",
+        "//source/common/ssl:ssl_socket_lib",
         "//source/common/stats:stats_lib",
         "//test/integration:integration_lib",
         "//test/mocks/grpc:grpc_mocks",