tls: move ssl connection info into SocketAddressProvider (envoyproxy#…

…17334) Part of envoyproxy#17168 Signed-off-by: He Jie Xu <hejie.xu@intel.com>
leyao-daily · Sep 30, 2021 · 18e7ce1 · 18e7ce1
1 parent 7b7cde3
commit 18e7ce1
Show file tree

Hide file tree

Showing 37 changed files with 191 additions and 214 deletions.
diff --git a/envoy/network/BUILD b/envoy/network/BUILD
@@ -116,6 +116,7 @@ envoy_cc_library(
     deps = [
         ":address_interface",
         ":io_handle_interface",
+        "//envoy/ssl:connection_interface",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )

diff --git a/envoy/network/socket.h b/envoy/network/socket.h
@@ -9,6 +9,7 @@
 #include "envoy/config/core/v3/base.pb.h"
 #include "envoy/network/address.h"
 #include "envoy/network/io_handle.h"
+#include "envoy/ssl/connection.h"
 
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
@@ -92,6 +93,12 @@ class SocketAddressProvider {
    * @param indent_level the level of indentation.
    */
   virtual void dumpState(std::ostream& os, int indent_level) const PURE;
+
+  /**
+   * @return the downstream SSL connection. This will be nullptr if the downstream
+   * connection does not use SSL.
+   */
+  virtual Ssl::ConnectionInfoConstSharedPtr sslConnection() const PURE;
 };
 
 class SocketAddressSetter : public SocketAddressProvider {
@@ -131,6 +138,11 @@ class SocketAddressSetter : public SocketAddressProvider {
    * @param id Connection ID of the downstream connection.
    **/
   virtual void setConnectionID(uint64_t id) PURE;
+
+  /**
+   * @param connection_info sets the downstream ssl connection.
+   */
+  virtual void setSslConnection(const Ssl::ConnectionInfoConstSharedPtr& ssl_connection_info) PURE;
 };
 
 using SocketAddressSetterSharedPtr = std::shared_ptr<SocketAddressSetter>;

diff --git a/envoy/stream_info/stream_info.h b/envoy/stream_info/stream_info.h
@@ -468,18 +468,6 @@ class StreamInfo {
    */
   virtual const Network::SocketAddressProvider& downstreamAddressProvider() const PURE;
 
-  /**
-   * @param connection_info sets the downstream ssl connection.
-   */
-  virtual void
-  setDownstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& ssl_connection_info) PURE;
-
-  /**
-   * @return the downstream SSL connection. This will be nullptr if the downstream
-   * connection does not use SSL.
-   */
-  virtual Ssl::ConnectionInfoConstSharedPtr downstreamSslConnection() const PURE;
-
   /**
    * @param connection_info sets the upstream ssl connection.
    */

diff --git a/source/common/formatter/substitution_formatter.cc b/source/common/formatter/substitution_formatter.cc
@@ -655,11 +655,11 @@ class StreamInfoSslConnectionInfoFieldExtractor : public StreamInfoFormatter::Fi
   StreamInfoSslConnectionInfoFieldExtractor(FieldExtractor f) : field_extractor_(f) {}
 
   absl::optional<std::string> extract(const StreamInfo::StreamInfo& stream_info) const override {
-    if (stream_info.downstreamSslConnection() == nullptr) {
+    if (stream_info.downstreamAddressProvider().sslConnection() == nullptr) {
       return absl::nullopt;
     }
 
-    const auto value = field_extractor_(*stream_info.downstreamSslConnection());
+    const auto value = field_extractor_(*stream_info.downstreamAddressProvider().sslConnection());
     if (value && value->empty()) {
       return absl::nullopt;
     }
@@ -668,11 +668,11 @@ class StreamInfoSslConnectionInfoFieldExtractor : public StreamInfoFormatter::Fi
   }
 
   ProtobufWkt::Value extractValue(const StreamInfo::StreamInfo& stream_info) const override {
-    if (stream_info.downstreamSslConnection() == nullptr) {
+    if (stream_info.downstreamAddressProvider().sslConnection() == nullptr) {
       return unspecifiedValue();
     }
 
-    const auto value = field_extractor_(*stream_info.downstreamSslConnection());
+    const auto value = field_extractor_(*stream_info.downstreamAddressProvider().sslConnection());
     if (value && value->empty()) {
       return unspecifiedValue();
     }
@@ -1335,7 +1335,8 @@ DownstreamPeerCertVStartFormatter::DownstreamPeerCertVStartFormatter(const std::
           parseFormat(token, sizeof("DOWNSTREAM_PEER_CERT_V_START(") - 1),
           std::make_unique<SystemTimeFormatter::TimeFieldExtractor>(
               [](const StreamInfo::StreamInfo& stream_info) -> absl::optional<SystemTime> {
-                const auto connection_info = stream_info.downstreamSslConnection();
+                const auto connection_info =
+                    stream_info.downstreamAddressProvider().sslConnection();
                 return connection_info != nullptr ? connection_info->validFromPeerCertificate()
                                                   : absl::optional<SystemTime>();
               })) {}
@@ -1347,7 +1348,8 @@ DownstreamPeerCertVEndFormatter::DownstreamPeerCertVEndFormatter(const std::stri
           parseFormat(token, sizeof("DOWNSTREAM_PEER_CERT_V_END(") - 1),
           std::make_unique<SystemTimeFormatter::TimeFieldExtractor>(
               [](const StreamInfo::StreamInfo& stream_info) -> absl::optional<SystemTime> {
-                const auto connection_info = stream_info.downstreamSslConnection();
+                const auto connection_info =
+                    stream_info.downstreamAddressProvider().sslConnection();
                 return connection_info != nullptr ? connection_info->expirationPeerCertificate()
                                                   : absl::optional<SystemTime>();
               })) {}

diff --git a/source/common/http/codec_client.cc b/source/common/http/codec_client.cc
@@ -86,7 +86,6 @@ RequestEncoder& CodecClient::newStream(ResponseDecoder& response_decoder) {
 void CodecClient::onEvent(Network::ConnectionEvent event) {
   if (event == Network::ConnectionEvent::Connected) {
     ENVOY_CONN_LOG(debug, "connected", *connection_);
-    connection_->streamInfo().setDownstreamSslConnection(connection_->ssl());
     connected_ = true;
   }
 

diff --git a/source/common/http/conn_manager_impl.cc b/source/common/http/conn_manager_impl.cc
@@ -664,9 +664,6 @@ ConnectionManagerImpl::ActiveStream::ActiveStream(ConnectionManagerImpl& connect
     connection_manager_.stats_.named_.downstream_rq_http1_total_.inc();
   }
 
-  filter_manager_.streamInfo().setDownstreamSslConnection(
-      connection_manager_.read_callbacks_->connection().ssl());
-
   if (connection_manager_.config_.streamIdleTimeout().count()) {
     idle_timeout_ms_ = connection_manager_.config_.streamIdleTimeout();
     stream_idle_timer_ =

diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h
@@ -626,6 +626,12 @@ class OverridableRemoteSocketAddressSetterStreamInfo : public StreamInfo::Stream
   absl::optional<uint64_t> connectionID() const override {
     return StreamInfoImpl::downstreamAddressProvider().connectionID();
   }
+  Ssl::ConnectionInfoConstSharedPtr sslConnection() const override {
+    return StreamInfoImpl::downstreamAddressProvider().sslConnection();
+  }
+  Ssl::ConnectionInfoConstSharedPtr upstreamSslConnection() const override {
+    return StreamInfoImpl::upstreamSslConnection();
+  }
   void dumpState(std::ostream& os, int indent_level) const override {
     StreamInfoImpl::dumpState(os, indent_level);
 

diff --git a/source/common/network/connection_impl.cc b/source/common/network/connection_impl.cc
@@ -99,6 +99,7 @@ ConnectionImpl::ConnectionImpl(Event::Dispatcher& dispatcher, ConnectionSocketPt
   // TODO(soulxu): generate the connection id inside the addressProvider directly,
   // then we don't need a setter or any of the optional stuff.
   socket_->addressProvider().setConnectionID(id());
+  socket_->addressProvider().setSslConnection(transport_socket_->ssl());
 }
 
 ConnectionImpl::~ConnectionImpl() {

diff --git a/source/common/network/socket_impl.h b/source/common/network/socket_impl.h
@@ -51,6 +51,10 @@ class SocketAddressSetterImpl : public SocketAddressSetter {
   }
   absl::optional<uint64_t> connectionID() const override { return connection_id_; }
   void setConnectionID(uint64_t id) override { connection_id_ = id; }
+  Ssl::ConnectionInfoConstSharedPtr sslConnection() const override { return ssl_info_; }
+  void setSslConnection(const Ssl::ConnectionInfoConstSharedPtr& ssl_connection_info) override {
+    ssl_info_ = ssl_connection_info;
+  }
 
 private:
   Address::InstanceConstSharedPtr local_address_;
@@ -59,6 +63,7 @@ class SocketAddressSetterImpl : public SocketAddressSetter {
   Address::InstanceConstSharedPtr direct_remote_address_;
   std::string server_name_;
   absl::optional<uint64_t> connection_id_;
+  Ssl::ConnectionInfoConstSharedPtr ssl_info_;
 };
 
 class SocketImpl : public virtual Socket {

diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc
@@ -502,14 +502,16 @@ bool RouteEntryImplBase::evaluateTlsContextMatch(const StreamInfo::StreamInfo& s
   const TlsContextMatchCriteria& criteria = *tlsContextMatchCriteria();
 
   if (criteria.presented().has_value()) {
-    const bool peer_presented = stream_info.downstreamSslConnection() &&
-                                stream_info.downstreamSslConnection()->peerCertificatePresented();
+    const bool peer_presented =
+        stream_info.downstreamAddressProvider().sslConnection() &&
+        stream_info.downstreamAddressProvider().sslConnection()->peerCertificatePresented();
     matches &= criteria.presented().value() == peer_presented;
   }
 
   if (criteria.validated().has_value()) {
-    const bool peer_validated = stream_info.downstreamSslConnection() &&
-                                stream_info.downstreamSslConnection()->peerCertificateValidated();
+    const bool peer_validated =
+        stream_info.downstreamAddressProvider().sslConnection() &&
+        stream_info.downstreamAddressProvider().sslConnection()->peerCertificateValidated();
     matches &= criteria.validated().value() == peer_validated;
   }
 

diff --git a/source/common/router/header_formatter.cc b/source/common/router/header_formatter.cc
@@ -224,11 +224,11 @@ parseRequestHeader(absl::string_view param) {
 StreamInfoHeaderFormatter::FieldExtractor sslConnectionInfoStringHeaderExtractor(
     std::function<std::string(const Ssl::ConnectionInfo& connection_info)> string_extractor) {
   return [string_extractor](const StreamInfo::StreamInfo& stream_info) {
-    if (stream_info.downstreamSslConnection() == nullptr) {
+    if (stream_info.downstreamAddressProvider().sslConnection() == nullptr) {
       return std::string();
     }
 
-    return string_extractor(*stream_info.downstreamSslConnection());
+    return string_extractor(*stream_info.downstreamAddressProvider().sslConnection());
   };
 }
 

diff --git a/source/common/router/router.cc b/source/common/router/router.cc
@@ -608,9 +608,9 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers,
 
   route_entry_->finalizeRequestHeaders(headers, callbacks_->streamInfo(),
                                        !config_.suppress_envoy_headers_);
-  FilterUtility::setUpstreamScheme(headers,
-                                   callbacks_->streamInfo().downstreamSslConnection() != nullptr,
-                                   host->transportSocketFactory().implementsSecureTransport());
+  FilterUtility::setUpstreamScheme(
+      headers, callbacks_->streamInfo().downstreamAddressProvider().sslConnection() != nullptr,
+      host->transportSocketFactory().implementsSecureTransport());
 
   // Ensure an http transport scheme is selected before continuing with decoding.
   ASSERT(headers.Scheme());

diff --git a/source/common/router/upstream_request.cc b/source/common/router/upstream_request.cc
@@ -417,8 +417,9 @@ void UpstreamRequest::onPoolReady(
   stream_info_.setUpstreamLocalAddress(upstream_local_address);
   parent_.callbacks()->streamInfo().setUpstreamLocalAddress(upstream_local_address);
 
-  stream_info_.setUpstreamSslConnection(info.downstreamSslConnection());
-  parent_.callbacks()->streamInfo().setUpstreamSslConnection(info.downstreamSslConnection());
+  stream_info_.setUpstreamSslConnection(info.downstreamAddressProvider().sslConnection());
+  parent_.callbacks()->streamInfo().setUpstreamSslConnection(
+      info.downstreamAddressProvider().sslConnection());
 
   if (parent_.downstreamEndStream()) {
     setupPerTryTimeout();

diff --git a/source/common/stream_info/stream_info_impl.h b/source/common/stream_info/stream_info_impl.h
@@ -197,15 +197,6 @@ struct StreamInfoImpl : public StreamInfo {
     return *downstream_address_provider_;
   }
 
-  void
-  setDownstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& connection_info) override {
-    downstream_ssl_info_ = connection_info;
-  }
-
-  Ssl::ConnectionInfoConstSharedPtr downstreamSslConnection() const override {
-    return downstream_ssl_info_;
-  }
-
   void setUpstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& connection_info) override {
     upstream_ssl_info_ = connection_info;
   }
@@ -324,7 +315,6 @@ struct StreamInfoImpl : public StreamInfo {
   uint64_t bytes_sent_{};
   Network::Address::InstanceConstSharedPtr upstream_local_address_;
   const Network::SocketAddressProviderSharedPtr downstream_address_provider_;
-  Ssl::ConnectionInfoConstSharedPtr downstream_ssl_info_;
   Ssl::ConnectionInfoConstSharedPtr upstream_ssl_info_;
   std::string requested_server_name_;
   const Http::RequestHeaderMap* request_headers_{};

diff --git a/source/common/tcp/conn_pool.cc b/source/common/tcp/conn_pool.cc
@@ -64,7 +64,6 @@ void ActiveTcpClient::onEvent(Network::ConnectionEvent event) {
   // This is also necessary for prefetch to be used with such protocols.
   if (event == Network::ConnectionEvent::Connected) {
     connection_->readDisable(true);
-    connection_->streamInfo().setDownstreamSslConnection(connection_->ssl());
   }
   Envoy::ConnectionPool::ActiveClient::onEvent(event);
   if (callbacks_) {

diff --git a/source/common/tcp/original_conn_pool.cc b/source/common/tcp/original_conn_pool.cc
@@ -225,7 +225,6 @@ void OriginalConnPoolImpl::onConnectionEvent(ActiveConn& conn, Network::Connecti
   // whether the connection is in the ready list (connected) or the pending list (failed to
   // connect).
   if (event == Network::ConnectionEvent::Connected) {
-    conn.conn_->streamInfo().setDownstreamSslConnection(conn.conn_->ssl());
     conn_connect_ms_->complete();
     processIdleConnection(conn, true, false);
   }

diff --git a/source/common/tcp_proxy/upstream.cc b/source/common/tcp_proxy/upstream.cc
@@ -185,9 +185,10 @@ void TcpConnPool::onPoolReady(Tcp::ConnectionPool::ConnectionDataPtr&& conn_data
   Network::Connection& connection = conn_data->connection();
 
   auto upstream = std::make_unique<TcpUpstream>(std::move(conn_data), upstream_callbacks_);
-  callbacks_->onGenericPoolReady(&connection.streamInfo(), std::move(upstream), host,
-                                 latched_data->connection().addressProvider().localAddress(),
-                                 latched_data->connection().streamInfo().downstreamSslConnection());
+  callbacks_->onGenericPoolReady(
+      &connection.streamInfo(), std::move(upstream), host,
+      latched_data->connection().addressProvider().localAddress(),
+      latched_data->connection().streamInfo().downstreamAddressProvider().sslConnection());
 }
 
 HttpConnPool::HttpConnPool(Upstream::ThreadLocalCluster& thread_local_cluster,
@@ -233,8 +234,8 @@ void HttpConnPool::onPoolReady(Http::RequestEncoder& request_encoder,
   upstream_handle_ = nullptr;
   upstream_->setRequestEncoder(request_encoder,
                                host->transportSocketFactory().implementsSecureTransport());
-  upstream_->setConnPoolCallbacks(
-      std::make_unique<HttpConnPool::Callbacks>(*this, host, info.downstreamSslConnection()));
+  upstream_->setConnPoolCallbacks(std::make_unique<HttpConnPool::Callbacks>(
+      *this, host, info.downstreamAddressProvider().sslConnection()));
 }
 
 void HttpConnPool::onGenericPoolReady(Upstream::HostDescriptionConstSharedPtr& host,

diff --git a/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc b/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc
@@ -166,10 +166,10 @@ void Utility::extractCommonAccessLogProperties(
         *stream_info.downstreamAddressProvider().localAddress(),
         *common_access_log.mutable_downstream_local_address());
   }
-  if (stream_info.downstreamSslConnection() != nullptr) {
+  if (stream_info.downstreamAddressProvider().sslConnection() != nullptr) {
     auto* tls_properties = common_access_log.mutable_tls_properties();
     const Ssl::ConnectionInfoConstSharedPtr downstream_ssl_connection =
-        stream_info.downstreamSslConnection();
+        stream_info.downstreamAddressProvider().sslConnection();
 
     tls_properties->set_tls_sni_hostname(
         std::string(stream_info.downstreamAddressProvider().requestedServerName()));

diff --git a/source/extensions/filters/common/expr/context.cc b/source/extensions/filters/common/expr/context.cc
@@ -181,8 +181,9 @@ absl::optional<CelValue> ConnectionWrapper::operator[](CelValue key) const {
   }
   auto value = key.StringOrDie().value();
   if (value == MTLS) {
-    return CelValue::CreateBool(info_.downstreamSslConnection() != nullptr &&
-                                info_.downstreamSslConnection()->peerCertificatePresented());
+    return CelValue::CreateBool(
+        info_.downstreamAddressProvider().sslConnection() != nullptr &&
+        info_.downstreamAddressProvider().sslConnection()->peerCertificatePresented());
   } else if (value == RequestedServerName) {
     return CelValue::CreateStringView(info_.downstreamAddressProvider().requestedServerName());
   } else if (value == ID) {
@@ -198,7 +199,7 @@ absl::optional<CelValue> ConnectionWrapper::operator[](CelValue key) const {
     return {};
   }
 
-  auto ssl_info = info_.downstreamSslConnection();
+  auto ssl_info = info_.downstreamAddressProvider().sslConnection();
   if (ssl_info != nullptr) {
     return extractSslInfo(*ssl_info, value);
   }

diff --git a/source/extensions/filters/http/lua/wrappers.cc b/source/extensions/filters/http/lua/wrappers.cc
@@ -114,7 +114,7 @@ int StreamInfoWrapper::luaDynamicMetadata(lua_State* state) {
 }
 
 int StreamInfoWrapper::luaDownstreamSslConnection(lua_State* state) {
-  const auto& ssl = stream_info_.downstreamSslConnection();
+  const auto& ssl = stream_info_.downstreamAddressProvider().sslConnection();
   if (ssl != nullptr) {
     if (downstream_ssl_connection_.get() != nullptr) {
       downstream_ssl_connection_.pushStack();

diff --git a/source/server/active_stream_listener_base.cc b/source/server/active_stream_listener_base.cc
@@ -41,7 +41,6 @@ void ActiveStreamListenerBase::newConnection(Network::ConnectionSocketPtr&& sock
   }
   stream_info->setFilterChainName(filter_chain->name());
   auto transport_socket = filter_chain->transportSocketFactory().createTransportSocket(nullptr);
-  stream_info->setDownstreamSslConnection(transport_socket->ssl());
   auto server_conn_ptr = dispatcher().createServerConnection(
       std::move(socket), std::move(transport_socket), *stream_info);
   if (const auto timeout = filter_chain->transportSocketConnectTimeout();