envoyproxy · RyanTheOptimist · Feb 21, 2024 · Feb 10, 2024 · Feb 14, 2024 · Feb 15, 2024
diff --git a/source/common/grpc/BUILD b/source/common/grpc/BUILD
@@ -212,6 +212,7 @@ envoy_cc_library(
         "//envoy/grpc:google_grpc_creds_interface",
         "//envoy/registry",
         "//source/common/config:datasource_lib",
+        "//source/common/runtime:runtime_lib",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
     alwayslink = LEGACY_ALWAYSLINK,

diff --git a/source/common/grpc/google_grpc_creds_impl.cc b/source/common/grpc/google_grpc_creds_impl.cc
@@ -4,6 +4,9 @@
 #include "envoy/grpc/google_grpc_creds.h"
 
 #include "source/common/config/datasource.h"
+#include "source/common/runtime/runtime_features.h"
+
+#include "grpcpp/security/tls_certificate_provider.h"
 
 namespace Envoy {
 namespace Grpc {
@@ -15,15 +18,32 @@ std::shared_ptr<grpc::ChannelCredentials> CredsUtility::getChannelCredentials(
     case envoy::config::core::v3::GrpcService::GoogleGrpc::ChannelCredentials::
         CredentialSpecifierCase::kSslCredentials: {
       const auto& ssl_credentials = google_grpc.channel_credentials().ssl_credentials();
-      const grpc::SslCredentialsOptions ssl_credentials_options = {
-          THROW_OR_RETURN_VALUE(Config::DataSource::read(ssl_credentials.root_certs(), true, api),
-                                std::string),
-          THROW_OR_RETURN_VALUE(Config::DataSource::read(ssl_credentials.private_key(), true, api),
-                                std::string),
-          THROW_OR_RETURN_VALUE(Config::DataSource::read(ssl_credentials.cert_chain(), true, api),
-                                std::string),
-      };
-      return grpc::SslCredentials(ssl_credentials_options);
+      const auto root_certs = THROW_OR_RETURN_VALUE(
+          Config::DataSource::read(ssl_credentials.root_certs(), true, api), std::string);
+      const auto private_key = THROW_OR_RETURN_VALUE(
+          Config::DataSource::read(ssl_credentials.private_key(), true, api), std::string);
+      const auto cert_chain = THROW_OR_RETURN_VALUE(
+          Config::DataSource::read(ssl_credentials.cert_chain(), true, api), std::string);
+      grpc::experimental::TlsChannelCredentialsOptions options;
+      if (!private_key.empty() || !cert_chain.empty()) {
+        options.set_certificate_provider(
+            std::make_shared<grpc::experimental::StaticDataCertificateProvider>(
+                root_certs,
+                std::vector<grpc::experimental::IdentityKeyCertPair>{{private_key, cert_chain}}));
+      } else if (!root_certs.empty()) {
+        options.set_certificate_provider(
+            std::make_shared<grpc::experimental::StaticDataCertificateProvider>(root_certs));
+      }
+      if (!root_certs.empty()) {
+        options.watch_root_certs();
+      }
+      if (!private_key.empty() || !cert_chain.empty()) {
+        options.watch_identity_key_cert_pairs();
+      }
+      if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.google_grpc_disable_tls_13")) {
+        options.set_max_tls_version(grpc_tls_version::TLS1_2);
+      }
+      return grpc::experimental::TlsCredentials(options);
     }
     case envoy::config::core::v3::GrpcService::GoogleGrpc::ChannelCredentials::
         CredentialSpecifierCase::kLocalCredentials: {
@@ -46,7 +66,11 @@ std::shared_ptr<grpc::ChannelCredentials> CredsUtility::defaultSslChannelCredent
   if (creds != nullptr) {
     return creds;
   }
-  return grpc::SslCredentials({});
+  grpc::experimental::TlsChannelCredentialsOptions options;
+  if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.google_grpc_disable_tls_13")) {
+    options.set_max_tls_version(grpc_tls_version::TLS1_2);
+  }
+  return grpc::experimental::TlsCredentials(options);
 }
 
 std::vector<std::shared_ptr<grpc::CallCredentials>>

diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
@@ -145,6 +145,10 @@ FALSE_RUNTIME_GUARD(envoy_restart_features_use_fast_protobuf_hash);
 // TODO(panting): flip this to true after some test time.
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_use_config_in_happy_eyeballs);
 
+// A flag to set the maximum TLS version for google_grpc client to TLS1.2, when needed for
+// compliance restrictions.
+FALSE_RUNTIME_GUARD(envoy_reloadable_features_google_grpc_disable_tls_13);
+
 // Block of non-boolean flags. Use of int flags is deprecated. Do not add more.
 ABSL_FLAG(uint64_t, re2_max_program_size_error_level, 100, ""); // NOLINT
 ABSL_FLAG(uint64_t, re2_max_program_size_warn_level,            // NOLINT

diff --git a/test/common/grpc/BUILD b/test/common/grpc/BUILD
@@ -179,6 +179,7 @@ envoy_cc_test(
         ":grpc_client_integration_test_harness_lib",
         "//source/common/grpc:async_client_lib",
         "//source/extensions/grpc_credentials/example:config",
+        "//test/test_common:test_runtime_lib",
     ] + envoy_select_google_grpc(["//source/common/grpc:google_async_client_lib"]),
 )
 

diff --git a/test/common/grpc/grpc_client_integration_test.cc b/test/common/grpc/grpc_client_integration_test.cc
@@ -5,6 +5,7 @@
 
 #endif
 
+#include "test/test_common/test_runtime.h"
 #include "test/common/grpc/grpc_client_integration_test_harness.h"
 
 using testing::Eq;
@@ -499,6 +500,29 @@ TEST_P(GrpcSslClientIntegrationTest, BasicSslRequestWithClientCert) {
   dispatcher_helper_.runDispatcher();
 }
 
+// Validate TLS version mismatch between the client and the server.
+TEST_P(GrpcSslClientIntegrationTest, BasicSslRequestHandshakeFailure) {
+  SKIP_IF_GRPC_CLIENT(ClientType::EnvoyGrpc);
+  TestScopedRuntime scoped_runtime;
+  scoped_runtime.mergeValues({{"envoy.reloadable_features.google_grpc_disable_tls_13", "true"}});
+  use_server_tls_13_ = true;
+  initialize();
+  auto request = createRequest(empty_metadata_, false);
+  EXPECT_CALL(*request->child_span_, setTag(Eq(Tracing::Tags::get().GrpcStatusCode), Eq("13")));
+  EXPECT_CALL(*request->child_span_,
+              setTag(Eq(Tracing::Tags::get().Error), Eq(Tracing::Tags::get().True)));
+  EXPECT_CALL(*request, onFailure(Status::Internal, "", _)).WillOnce(InvokeWithoutArgs([this]() {
+    dispatcher_helper_.dispatcher_.exit();
+  }));
+  EXPECT_CALL(*request->child_span_, finishSpan());
+  FakeRawConnectionPtr fake_connection;
+  ASSERT_TRUE(fake_upstream_->waitForRawConnection(fake_connection));
+  if (fake_connection->connected()) {
+    ASSERT_TRUE(fake_connection->waitForDisconnect());
+  }
+  dispatcher_helper_.dispatcher_.run(Event::Dispatcher::RunType::Block);
+}
+
 #ifdef ENVOY_GOOGLE_GRPC
 // AccessToken credential validation tests.
 class GrpcAccessTokenClientIntegrationTest : public GrpcSslClientIntegrationTest {

diff --git a/test/common/grpc/grpc_client_integration_test_harness.h b/test/common/grpc/grpc_client_integration_test_harness.h
@@ -394,7 +394,8 @@ class GrpcClientIntegrationTest : public GrpcClientIntegrationParamTest {
 
   virtual void expectExtraHeaders(FakeStream&) {}
 
-  HelloworldRequestPtr createRequest(const TestMetadata& initial_metadata) {
+  HelloworldRequestPtr createRequest(const TestMetadata& initial_metadata,
+                                     bool expect_upstream_request = true) {
     auto request = std::make_unique<HelloworldRequest>(dispatcher_helper_);
     EXPECT_CALL(*request, onCreateInitialMetadata(_))
         .WillOnce(Invoke([&initial_metadata](Http::HeaderMap& headers) {
@@ -421,6 +422,10 @@ class GrpcClientIntegrationTest : public GrpcClientIntegrationParamTest {
                                                 active_span, Http::AsyncClient::RequestOptions());
     EXPECT_NE(request->grpc_request_, nullptr);
 
+    if (!expect_upstream_request) {
+      return request;
+    }
+
     if (!fake_connection_) {
       AssertionResult result =
           fake_upstream_->waitForHttpConnection(*dispatcher_, fake_connection_);
@@ -556,6 +561,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest {
       tls_cert->mutable_private_key()->set_filename(
           TestEnvironment::runfilesPath("test/config/integration/certs/clientkey.pem"));
     }
+
     auto cfg = std::make_unique<Extensions::TransportSockets::Tls::ClientContextConfigImpl>(
         tls_context, factory_context_);
 
@@ -587,6 +593,13 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest {
       validation_context->mutable_trusted_ca()->set_filename(
           TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem"));
     }
+    if (use_server_tls_13_) {
+      auto* tls_params = common_tls_context->mutable_tls_params();
+      tls_params->set_tls_minimum_protocol_version(
+          envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3);
+      tls_params->set_tls_maximum_protocol_version(
+          envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_3);
+    }
 
     auto cfg = std::make_unique<Extensions::TransportSockets::Tls::ServerContextConfigImpl>(
         tls_context, factory_context_);
@@ -598,6 +611,7 @@ class GrpcSslClientIntegrationTest : public GrpcClientIntegrationTest {
   }
 
   bool use_client_cert_{};
+  bool use_server_tls_13_{false};
   testing::NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_context_;
 };