This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.2.x by this push:
new dcb51cf0c Cleanup SNIConfig (#8892)
dcb51cf0c is described below
commit dcb51cf0cec0a93a40c853713df107ccaa2e1b76
Author: Masaori Koshiba <[email protected]>
AuthorDate: Thu Jun 9 12:59:14 2022 +0900
Cleanup SNIConfig (#8892)
(cherry picked from commit 12801c966e5710d818287e79a7a977e837bfddc6)
---
iocore/net/P_SSLSNI.h | 101 ++++++++++++++--------------------------
iocore/net/SSLNetVConnection.cc | 10 ++--
iocore/net/SSLSNIConfig.cc | 99 ++++++++++++++++++++++++++++-----------
proxy/http/HttpSM.cc | 2 +-
proxy/http/PreWarmManager.cc | 4 +-
5 files changed, 115 insertions(+), 101 deletions(-)
diff --git a/iocore/net/P_SSLSNI.h b/iocore/net/P_SSLSNI.h
index dbc1cc276..2d25982ce 100644
--- a/iocore/net/P_SSLSNI.h
+++ b/iocore/net/P_SSLSNI.h
@@ -37,22 +37,19 @@
#include "ProxyConfig.h"
#include "P_SNIActionPerformer.h"
-#include "tscore/MatcherUtils.h"
#include "YamlSNIConfig.h"
// Properties for the next hop server
struct NextHopProperty {
- std::string client_cert_file;
// full path to client cert file for lookup
- std::string client_key_file;
// full path to client key file for lookup
- YamlSNIConfig::Policy verifyServerPolicy =
YamlSNIConfig::Policy::UNSET; // whether to verify the next hop
- YamlSNIConfig::Property verifyServerProperties =
YamlSNIConfig::Property::UNSET; // what to verify on the next hop
-
- NextHopProperty() {}
+ std::string client_cert_file;
// full path to client cert file for lookup
+ std::string client_key_file;
// full path to client key file for lookup
+ YamlSNIConfig::Policy verify_server_policy =
YamlSNIConfig::Policy::UNSET; // whether to verify the next hop
+ YamlSNIConfig::Property verify_server_properties =
YamlSNIConfig::Property::UNSET; // what to verify on the next hop
};
-using actionVector = std::vector<std::unique_ptr<ActionItem>>;
+using ActionVector = std::vector<std::unique_ptr<ActionItem>>;
-struct pcreFreer {
+struct PcreFreer {
void
operator()(void *p)
{
@@ -60,85 +57,55 @@ struct pcreFreer {
}
};
-struct namedElement {
-public:
- namedElement() {}
-
- namedElement &
- operator=(namedElement &&other)
- {
- if (this != &other) {
- match = std::move(other.match);
- }
- return *this;
- }
- namedElement(namedElement &&other) { *this = std::move(other); }
+struct NamedElement {
+ NamedElement() {}
- void
- setGlobName(std::string name)
- {
- std::string::size_type pos = 0;
- while ((pos = name.find('.', pos)) != std::string::npos) {
- name.replace(pos, 1, "\\.");
- pos += 2;
- }
- pos = 0;
- while ((pos = name.find('*', pos)) != std::string::npos) {
- name.replace(pos, 1, "(.{0,})");
- }
- Debug("ssl_sni", "Regexed fqdn=%s", name.c_str());
- setRegexName(name);
- }
+ NamedElement(NamedElement &&other);
+ NamedElement &operator=(NamedElement &&other);
- void
- setRegexName(const std::string ®exName)
- {
- const char *err_ptr;
- int err_offset = 0;
- if (!regexName.empty()) {
- match.reset(pcre_compile(regexName.c_str(), PCRE_ANCHORED |
PCRE_CASELESS, &err_ptr, &err_offset, nullptr));
- }
- }
+ void set_glob_name(std::string name);
+ void set_regex_name(const std::string ®ex_name);
- std::unique_ptr<pcre, pcreFreer> match;
+ std::unique_ptr<pcre, PcreFreer> match;
};
-struct actionElement : public namedElement {
-public:
- actionVector actions;
+struct ActionElement : public NamedElement {
+ ActionVector actions;
};
-struct NextHopItem : public namedElement {
-public:
+struct NextHopItem : public NamedElement {
NextHopProperty prop;
};
-typedef std::vector<actionElement> SNIList;
-typedef std::vector<NextHopItem> NextHopPropertyList;
+using SNIList = std::vector<ActionElement>;
+using NextHopPropertyList = std::vector<NextHopItem>;
struct SNIConfigParams : public ConfigInfo {
+ SNIConfigParams() = default;
+ ~SNIConfigParams() override;
+
+ const NextHopProperty *get_property_config(const std::string &servername)
const;
+ int initialize();
+ void load_sni_config();
+ std::pair<const ActionVector *, ActionItem::Context> get(std::string_view
servername) const;
+
SNIList sni_action_list;
NextHopPropertyList next_hop_list;
- YamlSNIConfig Y_sni;
- const NextHopProperty *getPropertyConfig(const std::string &servername)
const;
- SNIConfigParams();
- ~SNIConfigParams() override;
- void cleanup();
- int Initialize();
- void loadSNIConfig();
- std::pair<const actionVector *, ActionItem::Context> get(std::string_view
servername) const;
+ YamlSNIConfig yaml_sni;
};
-struct SNIConfig {
+class SNIConfig
+{
+public:
+ using scoped_config = ConfigProcessor::scoped_config<SNIConfig,
SNIConfigParams>;
+
static void startup();
static void reconfigure();
static SNIConfigParams *acquire();
static void release(SNIConfigParams *params);
- typedef ConfigProcessor::scoped_config<SNIConfig, SNIConfigParams>
scoped_config;
-
- static bool TestClientAction(const char *servername, const IpEndpoint &ep,
int &enforcement_policy);
+ static bool test_client_action(const char *servername, const IpEndpoint &ep,
int &enforcement_policy);
private:
- static int configid;
+ static int _configid;
};
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index cbfa779fe..51f2d76c8 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1094,7 +1094,7 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
ats_ip_ntop(this->get_remote_addr(), buff, INET6_ADDRSTRLEN);
serverKey = buff;
}
- auto nps = sniParam->getPropertyConfig(serverKey);
+ auto nps = sniParam->get_property_config(serverKey);
shared_SSL_CTX sharedCTX = nullptr;
SSL_CTX *clientCTX = nullptr;
@@ -1129,16 +1129,16 @@ SSLNetVConnection::sslStartHandShake(int event, int
&err)
if (options.verifyServerPolicy != YamlSNIConfig::Policy::UNSET) {
// Stay with conf-override version as the highest priority
- } else if (nps && nps->verifyServerPolicy !=
YamlSNIConfig::Policy::UNSET) {
- options.verifyServerPolicy = nps->verifyServerPolicy;
+ } else if (nps && nps->verify_server_policy !=
YamlSNIConfig::Policy::UNSET) {
+ options.verifyServerPolicy = nps->verify_server_policy;
} else {
options.verifyServerPolicy = params->verifyServerPolicy;
}
if (options.verifyServerProperties != YamlSNIConfig::Property::UNSET) {
// Stay with conf-override version as the highest priority
- } else if (nps && nps->verifyServerProperties !=
YamlSNIConfig::Property::UNSET) {
- options.verifyServerProperties = nps->verifyServerProperties;
+ } else if (nps && nps->verify_server_properties !=
YamlSNIConfig::Property::UNSET) {
+ options.verifyServerProperties = nps->verify_server_properties;
} else {
options.verifyServerProperties = params->verifyServerProperties;
}
diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc
index b7938dcd7..e810f87cf 100644
--- a/iocore/net/SSLSNIConfig.cc
+++ b/iocore/net/SSLSNIConfig.cc
@@ -36,16 +36,64 @@
#include "tscore/Diags.h"
#include "tscore/SimpleTokenizer.h"
#include "tscore/ink_memory.h"
-#include "tscpp/util/TextView.h"
#include "tscore/I_Layout.h"
+
+#include "tscpp/util/TextView.h"
+
#include <sstream>
#include <utility>
#include <pcre.h>
static constexpr int OVECSIZE{30};
+////
+// NamedElement
+//
+NamedElement::NamedElement(NamedElement &&other)
+{
+ *this = std::move(other);
+}
+
+NamedElement &
+NamedElement::operator=(NamedElement &&other)
+{
+ if (this != &other) {
+ match = std::move(other.match);
+ }
+ return *this;
+}
+
+void
+NamedElement::set_glob_name(std::string name)
+{
+ std::string::size_type pos = 0;
+ while ((pos = name.find('.', pos)) != std::string::npos) {
+ name.replace(pos, 1, "\\.");
+ pos += 2;
+ }
+ pos = 0;
+ while ((pos = name.find('*', pos)) != std::string::npos) {
+ name.replace(pos, 1, "(.{0,})");
+ }
+ Debug("ssl_sni", "Regexed fqdn=%s", name.c_str());
+ set_regex_name(name);
+}
+
+void
+NamedElement::set_regex_name(const std::string ®ex_name)
+{
+ const char *err_ptr;
+ int err_offset = 0;
+ if (!regex_name.empty()) {
+ match.reset(pcre_compile(regex_name.c_str(), PCRE_ANCHORED |
PCRE_CASELESS, &err_ptr, &err_offset, nullptr));
+ }
+}
+
+////
+// SNIConfigParams
+//
const NextHopProperty *
-SNIConfigParams::getPropertyConfig(const std::string &servername) const
+SNIConfigParams::get_property_config(const std::string &servername) const
{
const NextHopProperty *nps = nullptr;
for (auto &&item : next_hop_list) {
@@ -59,11 +107,11 @@ SNIConfigParams::getPropertyConfig(const std::string
&servername) const
}
void
-SNIConfigParams::loadSNIConfig()
+SNIConfigParams::load_sni_config()
{
- for (auto &item : Y_sni.items) {
+ for (auto &item : yaml_sni.items) {
auto ai = sni_action_list.emplace(sni_action_list.end());
- ai->setGlobName(item.fqdn);
+ ai->set_glob_name(item.fqdn);
Debug("ssl", "name: %s", item.fqdn.data());
// set SNI based actions to be called in the ssl_servername_only callback
@@ -107,17 +155,13 @@ SNIConfigParams::loadSNIConfig()
params->getCTX(nps->prop.client_cert_file, nps->prop.client_key_file,
params->clientCACertFilename, params->clientCACertPath);
}
- nps->setGlobName(item.fqdn);
- nps->prop.verifyServerPolicy = item.verify_server_policy;
- nps->prop.verifyServerProperties = item.verify_server_properties;
+ nps->set_glob_name(item.fqdn);
+ nps->prop.verify_server_policy = item.verify_server_policy;
+ nps->prop.verify_server_properties = item.verify_server_properties;
} // end for
}
-int SNIConfig::configid = 0;
-/*definition of member functions of SNIConfigParams*/
-SNIConfigParams::SNIConfigParams() {}
-
-std::pair<const actionVector *, ActionItem::Context>
+std::pair<const ActionVector *, ActionItem::Context>
SNIConfigParams::get(std::string_view servername) const
{
int ovector[OVECSIZE];
@@ -158,7 +202,7 @@ SNIConfigParams::get(std::string_view servername) const
}
int
-SNIConfigParams::Initialize()
+SNIConfigParams::initialize()
{
std::string sni_filename =
RecConfigReadConfigPath("proxy.config.ssl.servername.filename");
@@ -171,8 +215,8 @@ SNIConfigParams::Initialize()
return 1;
}
- YamlSNIConfig Y_sni_tmp;
- ts::Errata zret = Y_sni_tmp.loader(sni_filename);
+ YamlSNIConfig yaml_sni_tmp;
+ ts::Errata zret = yaml_sni_tmp.loader(sni_filename);
if (!zret.isOK()) {
std::stringstream errMsg;
errMsg << zret;
@@ -183,9 +227,9 @@ SNIConfigParams::Initialize()
}
return 1;
}
- Y_sni = std::move(Y_sni_tmp);
+ yaml_sni = std::move(yaml_sni_tmp);
- loadSNIConfig();
+ load_sni_config();
Note("%s finished loading", sni_filename.c_str());
return 0;
@@ -196,7 +240,11 @@ SNIConfigParams::~SNIConfigParams()
// sni_action_list and next_hop_list should cleanup with the params object
}
-/*definition of member functions of SNIConfig*/
+////
+// SNIConfig
+//
+int SNIConfig::_configid = 0;
+
void
SNIConfig::startup()
{
@@ -209,8 +257,8 @@ SNIConfig::reconfigure()
Debug("ssl", "Reload SNI file");
SNIConfigParams *params = new SNIConfigParams;
- params->Initialize();
- configid = configProcessor.set(configid, params);
+ params->initialize();
+ _configid = configProcessor.set(_configid, params);
prewarmManager.reconfigure();
}
@@ -218,22 +266,21 @@ SNIConfig::reconfigure()
SNIConfigParams *
SNIConfig::acquire()
{
- return (SNIConfigParams *)configProcessor.get(configid);
+ return static_cast<SNIConfigParams *>(configProcessor.get(_configid));
}
void
SNIConfig::release(SNIConfigParams *params)
{
- configProcessor.release(configid, params);
+ configProcessor.release(_configid, params);
}
-// See if any of the client-side actions would trigger for this combination of
servername and
-// client IP
+// See if any of the client-side actions would trigger for this combination of
servername and client IP
// host_sni_policy is an in/out parameter. It starts with the global policy
from the records.config
// setting proxy.config.http.host_sni_policy and is possibly overridden if the
sni policy
// contains a host_sni_policy entry
bool
-SNIConfig::TestClientAction(const char *servername, const IpEndpoint &ep, int
&host_sni_policy)
+SNIConfig::test_client_action(const char *servername, const IpEndpoint &ep,
int &host_sni_policy)
{
bool retval = false;
SNIConfig::scoped_config params;
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 55a656d4a..e65365c66 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -4191,7 +4191,7 @@ HttpSM::check_sni_host()
NetVConnection *netvc = ua_txn->get_netvc();
if (netvc) {
IpEndpoint ip = netvc->get_remote_endpoint();
- if (SNIConfig::TestClientAction(std::string{host_name,
static_cast<size_t>(host_len)}.c_str(), ip, host_sni_policy) &&
+ if (SNIConfig::test_client_action(std::string{host_name,
static_cast<size_t>(host_len)}.c_str(), ip, host_sni_policy) &&
host_sni_policy > 0) {
// In a SNI/Host mismatch where the Host would have triggered SNI
policy, mark the transaction
// to be considered for rejection after the remap phase passes.
Gives the opportunity to conf_remap
diff --git a/proxy/http/PreWarmManager.cc b/proxy/http/PreWarmManager.cc
index 50427a83e..930d71ed7 100644
--- a/proxy/http/PreWarmManager.cc
+++ b/proxy/http/PreWarmManager.cc
@@ -1015,7 +1015,7 @@ PreWarmManager::reconfigure()
bool is_prewarm_enabled = prewarm_conf->enabled;
SNIConfig::scoped_config sni_conf;
- for (const auto &item : sni_conf->Y_sni.items) {
+ for (const auto &item : sni_conf->yaml_sni.items) {
if (item.tunnel_prewarm == YamlSNIConfig::TunnelPreWarm::ENABLED) {
is_prewarm_enabled = true;
break;
@@ -1064,7 +1064,7 @@ PreWarmManager::_parse_sni_conf(PreWarm::ParsedSNIConf
&parsed_conf, const SNICo
{
PreWarmConfig::scoped_config prewarm_conf;
- for (const auto &item : sni_conf->Y_sni.items) {
+ for (const auto &item : sni_conf->yaml_sni.items) {
if (item.tunnel_type != SNIRoutingType::FORWARD && item.tunnel_type !=
SNIRoutingType::PARTIAL_BLIND) {
continue;
}
