├── .cargo └── config.toml ├── .devcontainer └── devcontainer.json ├── .gitattributes ├── .github ├── SECURITY.md └── dependabot.yml ├── .gitignore ├── ARCHITECTURE.md ├── BUGS-AND-FEATURE-REQUESTS.md ├── CODEOWNERS ├── CONTRIBUTING.md ├── Cargo.lock ├── Cargo.toml ├── Development.md ├── LICENSE ├── Makefile ├── Makefile.core.mk ├── Makefile.overrides.mk ├── PROFILING.md ├── README.md ├── SUPPORT.md ├── benches ├── README.md ├── basic.rs └── throughput.rs ├── build.rs ├── common ├── .commonfiles.sha ├── Makefile.common.mk ├── config │ ├── .golangci.yml │ ├── .hadolint.yml │ ├── .yamllint.yml │ ├── license-lint.yml │ ├── mdl.rb │ ├── sass-lint.yml │ └── tslint.json └── scripts │ ├── check_clean_repo.sh │ ├── copyright-banner-go.txt │ ├── fix_copyright_banner.sh │ ├── format_go.sh │ ├── gobuild.sh │ ├── kind_provisioner.sh │ ├── lint_copyright_banner.sh │ ├── lint_go.sh │ ├── metallb-native.yaml │ ├── report_build_info.sh │ ├── run.sh │ ├── setup_env.sh │ └── tracing.sh ├── deny.toml ├── docker └── remote-env │ └── Dockerfile ├── examples ├── inpodserver.rs └── localhost.yaml ├── fuzz ├── .gitignore ├── Cargo.lock ├── Cargo.toml └── fuzz_targets │ ├── baggage.rs │ └── protobuf.rs ├── images ├── ztunnel-blue-on-dark.png ├── ztunnel-blue-on-dark.svg ├── ztunnel-blue-on-light.png ├── ztunnel-blue-on-light.svg ├── ztunnel-blue-on-transparent.png ├── ztunnel-blue-on-transparent.svg ├── ztunnel-dark-on-light.png ├── ztunnel-dark-on-light.svg ├── ztunnel-dark-on-transparent.png ├── ztunnel-dark-on-transparent.svg ├── ztunnel-gray-on-light.png ├── ztunnel-gray-on-light.svg ├── ztunnel-gray-on-transparent.png ├── ztunnel-gray-on-transparent.svg ├── ztunnel-light-on-blue.png └── ztunnel-light-on-blue.svg ├── proto ├── README.md ├── authorization.proto ├── citadel.proto ├── google │ └── protobuf │ │ ├── any.proto │ │ ├── duration.proto │ │ ├── empty.proto │ │ ├── struct.proto │ │ └── wrappers.proto ├── workload.proto ├── xds.proto └── zds.proto ├── scripts ├── benchtest.sh ├── 
local.sh ├── release.sh ├── run-cached.sh ├── test-with-coverage.sh ├── ztunnel-redirect-inpod.sh └── ztunnel-redirect.sh ├── src ├── admin.rs ├── app.rs ├── assertions.rs ├── assets │ └── dashboard.html ├── baggage.rs ├── cert_fetcher.rs ├── config.rs ├── copy.rs ├── dns.rs ├── dns │ ├── forwarder.rs │ ├── handler.rs │ ├── metrics.rs │ ├── name_util.rs │ ├── resolver.rs │ └── server.rs ├── drain.rs ├── hyper_util.rs ├── identity.rs ├── identity │ ├── auth.rs │ ├── caclient.rs │ └── manager.rs ├── inpod.rs ├── inpod │ ├── admin.rs │ ├── config.rs │ ├── metrics.rs │ ├── netns.rs │ ├── packet.rs │ ├── protocol.rs │ ├── statemanager.rs │ ├── test_helpers.rs │ └── workloadmanager.rs ├── lib.rs ├── main.rs ├── metrics.rs ├── metrics │ ├── meta.rs │ └── server.rs ├── proxy.rs ├── proxy │ ├── connection_manager.rs │ ├── h2.rs │ ├── h2 │ │ ├── client.rs │ │ └── server.rs │ ├── inbound.rs │ ├── inbound_passthrough.rs │ ├── metrics.rs │ ├── outbound.rs │ ├── pool.rs │ ├── socks5.rs │ └── util.rs ├── proxyfactory.rs ├── rbac.rs ├── readiness.rs ├── readiness │ └── server.rs ├── signal.rs ├── socket.rs ├── state.rs ├── state │ ├── policy.rs │ ├── service.rs │ └── workload.rs ├── strng.rs ├── telemetry.rs ├── test_helpers.rs ├── test_helpers │ ├── app.rs │ ├── ca.rs │ ├── dns.rs │ ├── fake-jwt │ ├── helpers.rs │ ├── hyper_tower.rs │ ├── inpod.rs │ ├── linux.rs │ ├── mesh_config.yaml │ ├── namespaced.rs │ ├── netns.rs │ ├── tcp.rs │ └── xds.rs ├── time.rs ├── tls.rs ├── tls │ ├── ca-chain.pem │ ├── ca-key.pem │ ├── ca-key2.pem │ ├── cert-chain.pem │ ├── cert.crt │ ├── cert.key │ ├── cert.pem │ ├── certificate.rs │ ├── control.rs │ ├── csr.rs │ ├── gen-certs.sh │ ├── intermediary-cert.pem │ ├── intermediary-key.pem │ ├── istiod-cert.pem │ ├── istiod-key.pem │ ├── key.pem │ ├── lib.rs │ ├── mock.rs │ ├── root-cert.pem │ ├── root-cert2.pem │ └── workload.rs ├── version.rs ├── xds.rs └── xds │ ├── client.rs │ ├── metrics.rs │ └── types.rs ├── tests ├── README.md ├── direct.rs └── 
namespaced.rs └── vendor └── boringssl-fips ├── include └── openssl │ ├── aead.h │ ├── aes.h │ ├── arm_arch.h │ ├── asn1.h │ ├── asn1_mac.h │ ├── asn1t.h │ ├── base.h │ ├── base64.h │ ├── bio.h │ ├── blake2.h │ ├── blowfish.h │ ├── bn.h │ ├── buf.h │ ├── buffer.h │ ├── bytestring.h │ ├── cast.h │ ├── chacha.h │ ├── cipher.h │ ├── cmac.h │ ├── conf.h │ ├── cpu.h │ ├── crypto.h │ ├── curve25519.h │ ├── des.h │ ├── dh.h │ ├── digest.h │ ├── dsa.h │ ├── dtls1.h │ ├── e_os2.h │ ├── ec.h │ ├── ec_key.h │ ├── ecdh.h │ ├── ecdsa.h │ ├── engine.h │ ├── err.h │ ├── evp.h │ ├── evp_errors.h │ ├── ex_data.h │ ├── hkdf.h │ ├── hmac.h │ ├── hrss.h │ ├── is_boringssl.h │ ├── lhash.h │ ├── md4.h │ ├── md5.h │ ├── mem.h │ ├── nid.h │ ├── obj.h │ ├── obj_mac.h │ ├── objects.h │ ├── opensslconf.h │ ├── opensslv.h │ ├── ossl_typ.h │ ├── pem.h │ ├── pkcs12.h │ ├── pkcs7.h │ ├── pkcs8.h │ ├── poly1305.h │ ├── pool.h │ ├── rand.h │ ├── rc4.h │ ├── ripemd.h │ ├── rsa.h │ ├── safestack.h │ ├── sha.h │ ├── siphash.h │ ├── span.h │ ├── srtp.h │ ├── ssl.h │ ├── ssl3.h │ ├── stack.h │ ├── thread.h │ ├── tls1.h │ ├── trust_token.h │ ├── type_check.h │ ├── x509.h │ ├── x509_vfy.h │ └── x509v3.h ├── linux_arm64 ├── Dockerfile.v1 └── lib │ ├── libcrypto.a │ └── libssl.a └── linux_x86_64 ├── Dockerfile.v1 └── lib ├── libcrypto.a └── libssl.a /.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [build] 2 | target-dir = "out/rust" 3 | [env] 4 | BORING_BSSL_FIPS_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true } 5 | BORING_BSSL_FIPS_INCLUDE_PATH = { value = "vendor/boringssl-fips/include/", force = true, relative = true } 6 | -------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "istio build-tools", 3 | "image": 
"gcr.io/istio-testing/build-tools:master-6a1c744ef226989e2d5be532282f9098f77877fd", 4 | "privileged": true, 5 | "remoteEnv": { 6 | "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", 7 | "BUILD_WITH_CONTAINER": "0", 8 | "CARGO_HOME": "/home/.cargo", 9 | "RUSTUP_HOME": "/home/.rustup" 10 | }, 11 | "features": { 12 | "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}, 13 | "ghcr.io/mpriscella/features/kind:1": {} 14 | }, 15 | "customizations": { 16 | "vscode": { 17 | "extensions": [ 18 | "golang.go", 19 | "rust-lang.rust-analyzer", 20 | "eamodio.gitlens", 21 | "zxh404.vscode-proto3", 22 | "ms-azuretools.vscode-docker", 23 | "redhat.vscode-yaml", 24 | "IBM.output-colorizer" 25 | ], 26 | "settings": { 27 | "files.eol": "\n", 28 | "go.useLanguageServer": true, 29 | "go.lintTool": "golangci-lint" 30 | } 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.descriptor linguist-generated=true 2 | *.descriptor -diff -merge 3 | *.descriptor_set linguist-generated=true 4 | *.descriptor_set -diff -merge 5 | *.pb.html linguist-generated=true 6 | *.pb.go linguist-generated=true 7 | *.gen.go linguist-generated=true 8 | *.gen.yaml linguist-generated=true 9 | *.gen.json linguist-generated=true 10 | *_pb2.py linguist-generated=true 11 | manifests/charts/**/profile*.yaml linguist-generated=true 12 | go.sum merge=union 13 | vendor/** linguist-vendored 14 | common/** linguist-vendored 15 | archive/** linquist-vendored 16 | **/vmlinux.h linquist-vendored 17 | -------------------------------------------------------------------------------- /.github/SECURITY.md: -------------------------------------------------------------------------------- 1 | Refer to [Istio Security Overview](https://github.com/istio/istio/blob/master/.github/SECURITY.md) for more details. 
2 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | 2 | version: 2 3 | updates: 4 | # Maintain Cargo (Rust crate) dependencies 5 | - package-ecosystem: "cargo" 6 | # Cargo.toml lives at the repository root, so the manifest directory is "/". 7 | directory: "/" 8 | schedule: 9 | interval: "weekly" 10 | rebase-strategy: "disabled" 11 | groups: 12 | all: 13 | applies-to: version-updates 14 | patterns: 15 | - "*" -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | out/ 2 | var/ 3 | .idea/ 4 | .vscode/ 5 | -------------------------------------------------------------------------------- /ARCHITECTURE.md: -------------------------------------------------------------------------------- 1 | # Architecture 2 | 3 | ## Threading/Runtimes 4 | 5 | Ztunnel runs two distinct async runtimes: 6 | * The "main" thread runs a single-threaded Tokio runtime for admin purposes, such as debug interfaces and XDS. This is isolated to avoid impacting the data plane. 7 | * The "worker" thread(s) run a multi-threaded Tokio runtime to handle user requests. This defaults to 2 threads, but is configurable. 
8 | 9 | ## Ports 10 | 11 | Ztunnel runs with the following ports: 12 | 13 | | Port | Purpose | Bound Within Pod Network Namespace | 14 | |-------|---------------------------------------|------------------------------------| 15 | | 15001 | Pod outbound traffic capture | Y | 16 | | 15006 | Pod inbound plaintext traffic capture | Y | 17 | | 15008 | Pod inbound HBONE traffic capture | Y | 18 | | 15080 | Pod outbound `socks5` traffic | Y | 19 | | 15053 | Pod outbound DNS traffic capture | Y | 20 | | 15021 | Readiness | N | 21 | | 15000 | Admin (Admin thread) (Localhost) | N | 22 | | 15020 | Metrics (Admin thread) | N | 23 | 24 | The three admin ports (Readiness, Admin, and Metrics) are intentionally split. 25 | 26 | * The readiness port ought to run on the "main" thread to ensure we are actually checking the path the data plane handles 27 | * The admin port must be only on localhost, and it should be on the admin thread for isolation 28 | * The metrics port should be on the admin thread for isolation. 29 | This *could* be on the readiness port, but historically we had found that the stats query can be very expensive and lead to tail latencies in the data plane. 30 | 31 | **NOTE** Networking policy must allow inbound and outbound traffic on port 15008 for all application pods, for the ambient mesh to function. 32 | The other ports are not relevant for pod-to-pod communication within the ambient mesh, and are only used for traffic redirection and categorization 33 | within the application pod's network namespace, or for metrics/readiness scraping of the ztunnel pod itself. 34 | See the Istio documentation [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) for more details. 
35 | -------------------------------------------------------------------------------- /BUGS-AND-FEATURE-REQUESTS.md: -------------------------------------------------------------------------------- 1 | # Bugs and Feature Requests 2 | 3 | You can report bugs and feature requests to the Istio team in one of three places: 4 | 5 | - [Product Bugs and Feature Requests](https://github.com/istio/istio/issues) 6 | - [Documentation Bugs and Feature Requests](https://github.com/istio/istio.io/issues) 7 | - [Community and Governance Issues](https://github.com/istio/community/issues) 8 | 9 | For security vulnerabilities, please don't report a bug (which is public) and instead follow 10 | [these procedures](https://istio.io/about/security-vulnerabilities/). 11 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @istio/wg-networking-maintainers-ztunnel 2 | /Makefile* @istio/wg-test-and-release-maintainers 3 | /*.md @istio/wg-test-and-release-maintainers 4 | /common/ @istio/wg-test-and-release-maintainers 5 | /common-protos/ @istio/wg-test-and-release-maintainers 6 | /scripts/ @istio/wg-test-and-release-maintainers 7 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contribution guidelines 2 | 3 | So you want to hack on Istio? Yay! Please refer to Istio's overall 4 | [contribution guidelines](https://github.com/istio/community/blob/master/CONTRIBUTING.md) 5 | to find out how you can help. 
6 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. Then come back to this repo and run 6 | # "make update-common". 7 | 8 | # Copyright Istio Authors 9 | # 10 | # Licensed under the Apache License, Version 2.0 (the "License"); 11 | # you may not use this file except in compliance with the License. 12 | # You may obtain a copy of the License at 13 | # 14 | # http://www.apache.org/licenses/LICENSE-2.0 15 | # 16 | # Unless required by applicable law or agreed to in writing, software 17 | # distributed under the License is distributed on an "AS IS" BASIS, 18 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 19 | # See the License for the specific language governing permissions and 20 | # limitations under the License. 21 | 22 | SHELL := /usr/bin/env bash 23 | 24 | # allow optional per-repo overrides 25 | -include Makefile.overrides.mk 26 | 27 | # Set the environment variable BUILD_WITH_CONTAINER to use a container 28 | # to build the repo. The only dependencies in this mode are to have make and 29 | # docker. If you'd rather build with a local tool chain instead, you'll need to 30 | # figure out all the tools you need in your environment to make that work. 31 | export BUILD_WITH_CONTAINER ?= 0 32 | 33 | ifeq ($(BUILD_WITH_CONTAINER),1) 34 | 35 | # An export free of arguments in a Makefile places all variables in the Makefile into the 36 | # environment. This is needed to allow overrides from Makefile.overrides.mk. 
37 | export 38 | 39 | RUN = ./common/scripts/run.sh 40 | 41 | MAKE_DOCKER = $(RUN) make --no-print-directory -e -f Makefile.core.mk 42 | 43 | %: 44 | @$(MAKE_DOCKER) $@ 45 | 46 | default: 47 | @$(MAKE_DOCKER) 48 | 49 | shell: 50 | @$(RUN) /bin/bash 51 | 52 | .PHONY: default shell 53 | 54 | else 55 | 56 | # If we are not in build container, we need a workaround to get environment properly set 57 | # Write to file, then include 58 | $(shell mkdir -p out) 59 | $(shell $(shell pwd)/common/scripts/setup_env.sh envfile > out/.env) 60 | include out/.env 61 | # An export free of arguments in a Makefile places all variables in the Makefile into the 62 | # environment. This behavior may be surprising to many that use shell often, which simply 63 | # displays the existing environment 64 | export 65 | 66 | export GOBIN ?= $(GOPATH)/bin 67 | include Makefile.core.mk 68 | 69 | endif 70 | -------------------------------------------------------------------------------- /Makefile.core.mk: -------------------------------------------------------------------------------- 1 | include common/Makefile.common.mk 2 | 3 | FEATURES ?= 4 | ifeq ($(TLS_MODE), boring) 5 | FEATURES:=--no-default-features -F tls-boring 6 | else ifeq ($(TLS_MODE), aws-lc) 7 | FEATURES:=--no-default-features -F tls-aws-lc 8 | else ifeq ($(TLS_MODE), openssl) 9 | FEATURES:=--no-default-features -F tls-openssl 10 | endif 11 | 12 | test: 13 | RUST_BACKTRACE=1 cargo test --benches --tests --bins $(FEATURES) 14 | 15 | coverage: 16 | FEATURES=$(FEATURES) ./scripts/test-with-coverage.sh 17 | 18 | build: 19 | cargo build $(FEATURES) 20 | 21 | # Build the inpodserver example 22 | inpodserver: 23 | cargo build --example inpodserver 24 | 25 | # Test that all important features build 26 | check-features: 27 | cargo check --no-default-features -F tls-boring 28 | cargo check --no-default-features -F tls-aws-lc 29 | cargo check --no-default-features -F tls-openssl 30 | cargo check -F jemalloc 31 | (cd fuzz; RUSTFLAGS="--cfg 
fuzzing" cargo check) 32 | 33 | # target in common/Makefile.common.mk doesn't handle our third party vendored files; only check golang and rust codes 34 | lint-copyright: 35 | @${FINDFILES} \( -name '*.go' -o -name '*.rs' \) \( ! \( -name '*.gen.go' -o -name '*.pb.go' -o -name '*_pb2.py' \) \) -print0 |\ 36 | ${XARGS} common/scripts/lint_copyright_banner.sh 37 | 38 | lint: lint-scripts lint-yaml lint-markdown lint-licenses lint-copyright 39 | cargo clippy --benches --tests --bins $(FEATURES) 40 | 41 | check: 42 | cargo check $(FEATURES) 43 | 44 | cve-check: 45 | cargo deny check advisories $(FEATURES) 46 | 47 | license-check: 48 | cargo deny check licenses $(FEATURES) 49 | 50 | fix: fix-copyright-banner 51 | cargo clippy --fix --allow-staged --allow-dirty $(FEATURES) 52 | cargo fmt 53 | 54 | format: 55 | cargo fmt 56 | 57 | release: 58 | ./scripts/release.sh 59 | 60 | gen: format 61 | 62 | gen-check: gen check-clean-repo 63 | 64 | presubmit: export RUSTFLAGS = -D warnings 65 | presubmit: check-features test lint gen-check 66 | 67 | clean: 68 | cargo clean $(FEATURES) 69 | 70 | rust-version: 71 | ./common/scripts/run.sh /usr/bin/rustc -vV 72 | -------------------------------------------------------------------------------- /Makefile.overrides.mk: -------------------------------------------------------------------------------- 1 | # Use the build container by default 2 | BUILD_WITH_CONTAINER ?= 1 3 | # Namespaced tests need sys_admin due to docker being overly restrictive (https://github.com/moby/moby/issues/42441) 4 | # Ironically, this gives the container more privilege than is required without. 
5 | DOCKER_RUN_OPTIONS += --privileged 6 | ifeq ($(OS), Linux) 7 | DOCKER_RUN_OPTIONS += -v /fake/path/does/not/exist:/var/run/netns 8 | endif 9 | DOCKER_RUN_OPTIONS += -v /dev/null:/run/xtables.lock 10 | -------------------------------------------------------------------------------- /PROFILING.md: -------------------------------------------------------------------------------- 1 | # Profiling ztunnel 2 | 3 | ## CPU 4 | 5 | 1. Port-forward admin port (15000): 6 | 7 | ```sh 8 | k port-forward -n istio-system ztunnel-qkvdj 15000:15000 9 | ``` 10 | 11 | 1. Either open `localhost:15000` in a browser for help, or just `curl` the CPU profile: 12 | 13 | ```sh 14 | curl localhost:15000/debug/pprof/profile > profile.prof 15 | ``` 16 | 17 | 1. Observe in your tooling of choice, such as [flamegraph](https://flamegraph.com/) 18 | 19 | ## Memory 20 | 21 | 1. Build `ztunnel` with the `jemalloc` feature (disabled by default, see `Cargo.toml`) 22 | 23 | 1. Port-forward admin port (15000): 24 | 25 | ```sh 26 | k port-forward -n istio-system ztunnel-qkvdj 15000:15000 27 | ``` 28 | 29 | 1. Either open `localhost:15000` in a browser for help, or just `curl` the memory profile: 30 | 31 | ```sh 32 | curl localhost:15000/debug/pprof/heap > mem.pb.gz 33 | ``` 34 | 35 | 1. If working remotely, copy container binaries to local path for symbol resolution: 36 | 37 | ```sh 38 | # ztunnel main binary 39 | kubectl cp kube-system/ztunnel-qkvdj:/usr/local/bin/ztunnel ../../ztunnel-libs-pprof/ztunnel 40 | # stdlibs (optional) 41 | kubectl cp kube-system/ztunnel-qkvdj:/usr/lib/$BINARY_COMPILED_ARCH/ ../../ztunnel-libs-pprof/ 42 | ``` 43 | 44 | 1. 
Observe in your tooling of choice, such as golang's `pprof`: 45 | 46 | ```sh 47 | PPROF_BINARY_PATH=../../ztunnel-libs-pprof pprof -http=:8080 mem.pb.gz 48 | ``` 49 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | Here are some resources to help you understand and use Istio: 4 | 5 | - For in-depth information about how to use Istio, visit [istio.io](https://istio.io) 6 | - To ask questions and get assistance from our community, visit [GitHub Discussions](https://github.com/istio/istio/discussions) 7 | - To learn how to participate in our overall community, visit [our community page](https://istio.io/latest/get-involved/) 8 | -------------------------------------------------------------------------------- /common/.commonfiles.sha: -------------------------------------------------------------------------------- 1 | 2dfbf3bcd0b3c217b5d8a285472cabf492f8eae3 2 | -------------------------------------------------------------------------------- /common/config/.hadolint.yml: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. Then come back to this repo and run 6 | # "make update-common". 
7 | 8 | ignored: 9 | - DL3008 10 | - DL3059 11 | 12 | trustedRegistries: 13 | - gcr.io 14 | - docker.io 15 | - quay.io 16 | - "*.pkg.dev" 17 | - "cgr.dev" 18 | -------------------------------------------------------------------------------- /common/config/.yamllint.yml: -------------------------------------------------------------------------------- 1 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 2 | # 3 | # The original version of this file is located in the https://github.com/istio/common-files repo. 4 | # If you're looking at this file in a different repo and want to make a change, please go to the 5 | # common-files repo, make the change there and check it in. Then come back to this repo and run 6 | # "make update-common". 7 | 8 | rules: 9 | braces: disable 10 | brackets: disable 11 | colons: enable 12 | commas: disable 13 | comments: disable 14 | comments-indentation: disable 15 | document-end: disable 16 | document-start: disable 17 | empty-lines: disable 18 | empty-values: disable 19 | hyphens: enable 20 | indentation: disable 21 | key-duplicates: enable 22 | key-ordering: disable 23 | line-length: disable 24 | new-line-at-end-of-file: disable 25 | new-lines: enable 26 | octal-values: disable 27 | quoted-strings: disable 28 | trailing-spaces: disable 29 | truthy: disable 30 | -------------------------------------------------------------------------------- /common/config/mdl.rb: -------------------------------------------------------------------------------- 1 | all 2 | rule 'MD002', :level => 1 3 | rule 'MD007', :indent => 4 4 | rule 'MD013', :line_length => 160, :code_blocks => false, :tables => false 5 | rule 'MD026', :punctuation => ".,;:!" 
6 | exclude_rule 'MD013' 7 | exclude_rule 'MD014' 8 | exclude_rule 'MD030' 9 | exclude_rule 'MD032' 10 | exclude_rule 'MD033' 11 | exclude_rule 'MD041' 12 | exclude_rule 'MD046' 13 | -------------------------------------------------------------------------------- /common/config/sass-lint.yml: -------------------------------------------------------------------------------- 1 | ######################### 2 | ## Config for sass-lint 3 | ######################### 4 | # Linter Options 5 | options: 6 | # Don't merge default rules 7 | merge-default-rules: false 8 | # Raise an error if more than 50 warnings are generated 9 | max-warnings: 500 10 | # Rule Configuration 11 | rules: 12 | attribute-quotes: 13 | - 2 14 | - 15 | include: false 16 | bem-depth: 2 17 | border-zero: 2 18 | brace-style: 2 19 | class-name-format: 2 20 | clean-import-paths: 2 21 | declarations-before-nesting: 2 22 | empty-args: 2 23 | empty-line-between-blocks: 2 24 | extends-before-declarations: 2 25 | extends-before-mixins: 2 26 | final-newline: 2 27 | force-attribute-nesting: 0 28 | force-element-nesting: 0 29 | force-pseudo-nesting: 0 30 | function-name-format: 2 31 | hex-length: 0 32 | hex-notation: 2 33 | id-name-format: 2 34 | indentation: 35 | - 2 36 | - 37 | size: 4 38 | leading-zero: 39 | - 2 40 | - 41 | include: false 42 | max-file-line-count: 0 43 | max-file-length: 0 44 | mixins-before-declarations: 2 45 | no-attribute-selectors: 0 46 | no-color-hex: 0 47 | no-color-keywords: 0 48 | no-color-literals: 0 49 | no-combinators: 0 50 | no-css-comments: 2 51 | no-debug: 2 52 | no-disallowed-properties: 2 53 | no-duplicate-properties: 2 54 | no-empty-rulesets: 2 55 | no-extends: 2 56 | no-ids: 0 57 | no-invalid-hex: 2 58 | no-important: 0 59 | no-mergeable-selectors: 2 60 | no-misspelled-properties: 2 61 | no-qualifying-elements: 0 62 | no-trailing-whitespace: 2 63 | no-trailing-zero: 2 64 | no-transition-all: 0 65 | no-url-domains: 2 66 | no-url-protocols: 2 67 | no-warn: 2 68 | 
one-declaration-per-line: 2 69 | placeholder-in-extend: 2 70 | placeholder-name-format: 2 71 | property-sort-order: 0 72 | property-units: 2 73 | pseudo-element: 2 74 | quotes: 75 | - 2 76 | - 77 | style: double 78 | shorthand-values: 2 79 | single-line-per-selector: 0 80 | space-after-bang: 2 81 | space-after-colon: 2 82 | space-after-comma: 2 83 | space-around-operator: 2 84 | space-before-bang: 2 85 | space-before-brace: 2 86 | space-before-colon: 2 87 | space-between-parens: 2 88 | trailing-semicolon: 2 89 | url-quotes: 2 90 | variable-for-property: 91 | - 0 92 | - 93 | properties: 94 | - color 95 | - background-color 96 | - fill 97 | variable-name-format: 0 98 | zero-unit: 2 99 | -------------------------------------------------------------------------------- /common/config/tslint.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultSeverity": "error", 3 | "extends": [ 4 | "tslint:recommended" 5 | ], 6 | "rules": { 7 | "max-line-length": { 8 | "options": [160] 9 | }, 10 | "arrow-parens": false, 11 | "new-parens": true, 12 | "no-arg": true, 13 | "no-bitwise": true, 14 | "no-conditional-assignment": true, 15 | "no-consecutive-blank-lines": true, 16 | "no-console": { 17 | "severity": "warning", 18 | "options": ["debug", "info", "log", "time", "timeEnd", "trace"] 19 | }, 20 | "no-shadowed-variable": false, 21 | "eofline": false 22 | }, 23 | "jsRules": {}, 24 | "rulesDirectory": [] 25 | } -------------------------------------------------------------------------------- /common/scripts/check_clean_repo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Istio Authors 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | function write_patch_file() { 18 | if [ -z "${ARTIFACTS}" ]; then 19 | return 0 20 | fi 21 | 22 | PATCH_NAME="check-clean-repo-diff.patch" 23 | PATCH_OUT="${ARTIFACTS}/${PATCH_NAME}" 24 | git diff > "${PATCH_OUT}" 25 | 26 | [ -n "${JOB_NAME}" ] && [ -n "${BUILD_ID}" ] 27 | # shellcheck disable=SC2319 28 | IN_PROW="$?" 29 | 30 | # Don't persist large diffs (30M+) on CI 31 | LARGE_FILE="$(find "${ARTIFACTS}" -name "${PATCH_NAME}" -type 'f' -size +30M)" 32 | if [ "${IN_PROW}" -eq 0 ] && [ -n "${LARGE_FILE}" ]; then 33 | rm "${PATCH_OUT}" 34 | echo "WARNING: patch file was too large to persist ($(du -h "${PATCH_OUT}"))" 35 | return 0 36 | fi 37 | outName="artifacts/${PATCH_OUT#"${ARTIFACTS}"/}" 38 | patchFile="${PROW_ARTIFACTS_BASE:-https://gcsweb.istio.io/gcs/istio-prow}/pr-logs/pull/${REPO_OWNER}_${REPO_NAME}/${PULL_NUMBER}/${JOB_NAME}/${BUILD_ID}/${outName}" 39 | echo "You can also try applying the patch file from the build artifacts: 40 | 41 | git apply <(curl -sL \"${patchFile}\") 42 | " 43 | } 44 | 45 | if [[ -n $(git status --porcelain) ]]; then 46 | git status 47 | git diff 48 | echo "ERROR: Some files need to be updated, please run 'make gen' and include any changed files in your PR" 49 | write_patch_file 50 | exit 1 51 | fi 52 | -------------------------------------------------------------------------------- /common/scripts/copyright-banner-go.txt: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, 
Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | -------------------------------------------------------------------------------- /common/scripts/fix_copyright_banner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | set -e 25 | 26 | WD=$(dirname "$0") 27 | WD=$(cd "$WD"; pwd) 28 | 29 | for fn in "$@"; do 30 | if ! 
grep -L -q -e "Apache License, Version 2" -e "Copyright" "${fn}"; then 31 | if [[ "${fn}" == *.go || "${fn}" == *.rs ]]; then 32 | newfile=$(cat "${WD}/copyright-banner-go.txt" "${fn}") 33 | echo "${newfile}" > "${fn}" 34 | echo "Fixing license: ${fn}" 35 | else 36 | echo "Cannot fix license: ${fn}. Unknown file type" 37 | fi 38 | fi 39 | done 40 | -------------------------------------------------------------------------------- /common/scripts/format_go.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 
23 | 24 | golangci-lint run --fix -c ./common/config/.golangci.yml 25 | -------------------------------------------------------------------------------- /common/scripts/gobuild.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors. All Rights Reserved. 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 
23 | 24 | # This script builds and version stamps the output 25 | 26 | VERBOSE=${VERBOSE:-"0"} 27 | V="" 28 | if [[ "${VERBOSE}" == "1" ]];then 29 | V="-x" 30 | set -x 31 | fi 32 | 33 | SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 34 | 35 | OUT=${1:?"output path"} 36 | shift 37 | 38 | set -e 39 | 40 | export BUILD_GOOS=${GOOS:-linux} 41 | export BUILD_GOARCH=${GOARCH:-amd64} 42 | GOBINARY=${GOBINARY:-go} 43 | GOPKG="$GOPATH/pkg" 44 | BUILDINFO=${BUILDINFO:-""} 45 | STATIC=${STATIC:-1} 46 | LDFLAGS=${LDFLAGS:--extldflags -static} 47 | GOBUILDFLAGS=${GOBUILDFLAGS:-""} 48 | # Split GOBUILDFLAGS by spaces into an array called GOBUILDFLAGS_ARRAY. 49 | IFS=' ' read -r -a GOBUILDFLAGS_ARRAY <<< "$GOBUILDFLAGS" 50 | 51 | GCFLAGS=${GCFLAGS:-} 52 | export CGO_ENABLED=${CGO_ENABLED:-0} 53 | 54 | if [[ "${STATIC}" != "1" ]];then 55 | LDFLAGS="" 56 | fi 57 | 58 | # gather buildinfo if not already provided 59 | # For a release build BUILDINFO should be produced 60 | # at the beginning of the build and used throughout 61 | if [[ -z ${BUILDINFO} ]];then 62 | BUILDINFO=$(mktemp) 63 | "${SCRIPTPATH}/report_build_info.sh" > "${BUILDINFO}" 64 | fi 65 | 66 | # BUILD LD_EXTRAFLAGS 67 | LD_EXTRAFLAGS="" 68 | 69 | while read -r line; do 70 | LD_EXTRAFLAGS="${LD_EXTRAFLAGS} -X ${line}" 71 | done < "${BUILDINFO}" 72 | 73 | OPTIMIZATION_FLAGS=(-trimpath) 74 | if [ "${DEBUG}" == "1" ]; then 75 | OPTIMIZATION_FLAGS=() 76 | fi 77 | 78 | time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \ 79 | ${V} "${GOBUILDFLAGS_ARRAY[@]}" ${GCFLAGS:+-gcflags "${GCFLAGS}"} \ 80 | -o "${OUT}" \ 81 | "${OPTIMIZATION_FLAGS[@]}" \ 82 | -pkgdir="${GOPKG}/${BUILD_GOOS}_${BUILD_GOARCH}" \ 83 | -ldflags "${LDFLAGS} ${LD_EXTRAFLAGS}" "${@}" 84 | -------------------------------------------------------------------------------- /common/scripts/lint_copyright_banner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT 
EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | set -e 25 | 26 | ec=0 27 | for fn in "$@"; do 28 | if ! grep -L -q -e "Apache License, Version 2" "${fn}"; then 29 | echo "Missing license: ${fn}" 30 | ec=1 31 | fi 32 | 33 | if ! grep -L -q -e "Copyright" "${fn}"; then 34 | echo "Missing copyright: ${fn}" 35 | ec=1 36 | fi 37 | done 38 | 39 | exit $ec 40 | -------------------------------------------------------------------------------- /common/scripts/lint_go.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 
9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | GOLANGCILINT_RUN_ARGS=(--output.text.path stdout --output.junit-xml.path "${ARTIFACTS}"/junit-lint.xml) 25 | 26 | if [[ "${ARTIFACTS}" != "" ]]; then 27 | golangci-lint run -v -c ./common/config/.golangci.yml "${GOLANGCILINT_RUN_ARGS[@]}" 28 | else 29 | golangci-lint run -v -c ./common/config/.golangci.yml 30 | fi 31 | -------------------------------------------------------------------------------- /common/scripts/report_build_info.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 
14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | if BUILD_GIT_REVISION=$(git rev-parse HEAD 2> /dev/null); then 25 | if [[ -z "${IGNORE_DIRTY_TREE}" ]] && [[ -n "$(git status --porcelain 2>/dev/null)" ]]; then 26 | BUILD_GIT_REVISION=${BUILD_GIT_REVISION}"-dirty" 27 | fi 28 | else 29 | BUILD_GIT_REVISION=unknown 30 | fi 31 | 32 | # Check for local changes 33 | tree_status="Clean" 34 | if [[ -z "${IGNORE_DIRTY_TREE}" ]] && ! git diff-index --quiet HEAD --; then 35 | tree_status="Modified" 36 | fi 37 | 38 | GIT_DESCRIBE_TAG=$(git describe --tags --always) 39 | HUB=${HUB:-"docker.io/istio"} 40 | 41 | # used by common/scripts/gobuild.sh 42 | echo "istio.io/istio/pkg/version.buildVersion=${VERSION:-$BUILD_GIT_REVISION}" 43 | echo "istio.io/istio/pkg/version.buildGitRevision=${BUILD_GIT_REVISION}" 44 | echo "istio.io/istio/pkg/version.buildStatus=${tree_status}" 45 | echo "istio.io/istio/pkg/version.buildTag=${GIT_DESCRIBE_TAG}" 46 | echo "istio.io/istio/pkg/version.buildHub=${HUB}" 47 | echo "istio.io/istio/pkg/version.buildOS=${BUILD_GOOS}" 48 | echo "istio.io/istio/pkg/version.buildArch=${BUILD_GOARCH}" 49 | -------------------------------------------------------------------------------- /common/scripts/run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY 4 | # 5 | # The original version of this file is located in the https://github.com/istio/common-files repo. 
6 | # If you're looking at this file in a different repo and want to make a change, please go to the 7 | # common-files repo, make the change there and check it in. Then come back to this repo and run 8 | # "make update-common". 9 | 10 | # Copyright Istio Authors 11 | # 12 | # Licensed under the Apache License, Version 2.0 (the "License"); 13 | # you may not use this file except in compliance with the License. 14 | # You may obtain a copy of the License at 15 | # 16 | # http://www.apache.org/licenses/LICENSE-2.0 17 | # 18 | # Unless required by applicable law or agreed to in writing, software 19 | # distributed under the License is distributed on an "AS IS" BASIS, 20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 | # See the License for the specific language governing permissions and 22 | # limitations under the License. 23 | 24 | set -e 25 | 26 | WD=$(dirname "$0") 27 | WD=$(cd "$WD"; pwd) 28 | 29 | export FOR_BUILD_CONTAINER=1 30 | # shellcheck disable=SC1090,SC1091 31 | source "${WD}/setup_env.sh" 32 | 33 | 34 | MOUNT_SOURCE="${MOUNT_SOURCE:-${PWD}}" 35 | MOUNT_DEST="${MOUNT_DEST:-/work}" 36 | 37 | read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}" 38 | 39 | [[ -t 0 ]] && DOCKER_RUN_OPTIONS+=("-it") 40 | [[ ${UID} -ne 0 ]] && DOCKER_RUN_OPTIONS+=(-u "${UID}:${DOCKER_GID}") 41 | 42 | # $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the 43 | # following command only 44 | # shellcheck disable=SC2086 45 | "${CONTAINER_CLI}" run \ 46 | --rm \ 47 | "${DOCKER_RUN_OPTIONS[@]}" \ 48 | --init \ 49 | --sig-proxy=true \ 50 | --cap-add=SYS_ADMIN \ 51 | ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \ 52 | -e DOCKER_HOST=${DOCKER_SOCKET_HOST:-unix:///var/run/docker.sock} \ 53 | $CONTAINER_OPTIONS \ 54 | --env-file <(env | grep -v ${ENV_BLOCKLIST}) \ 55 | -e IN_BUILD_CONTAINER=1 \ 56 | -e TZ="${TIMEZONE:-$TZ}" \ 57 | --mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \ 58 | 
--mount "type=volume,source=go,destination=/go" \ 59 | --mount "type=volume,source=gocache,destination=/gocache" \ 60 | --mount "type=volume,source=cache,destination=/home/.cache" \ 61 | --mount "type=volume,source=crates,destination=/home/.cargo/registry" \ 62 | --mount "type=volume,source=git-crates,destination=/home/.cargo/git" \ 63 | ${CONDITIONAL_HOST_MOUNTS} \ 64 | -w "${MOUNT_DEST}" "${IMG}" "$@" 65 | -------------------------------------------------------------------------------- /deny.toml: -------------------------------------------------------------------------------- 1 | [graph] 2 | # Test supported features and targets 3 | targets = [ 4 | { triple = "x86_64-unknown-linux-gnu" }, 5 | { triple = "aarch64-unknown-linux-gnu" }, 6 | ] 7 | features = ["tls-boring", "tls-ring", "tls-aws-lc", "tls-openssl" ] 8 | 9 | [advisories] 10 | version = 2 11 | 12 | 13 | [licenses] 14 | version = 2 15 | allow = ["Apache-2.0", 16 | "CC-BY-3.0", 17 | "ISC", 18 | "AFL-2.1", 19 | "AFL-3.0", 20 | "Artistic-1.0", 21 | "Artistic-2.0", 22 | "Apache-1.1", 23 | "BSD-1-Clause", 24 | "BSD-2-Clause", 25 | "BSD-3-Clause", 26 | "0BSD", 27 | "FTL", 28 | "LPL-1.02", 29 | "MS-PL", 30 | "MIT", 31 | "NCSA", 32 | "OpenSSL", 33 | "PHP-3.0", 34 | "TCP-wrappers", 35 | "Unicode-3.0", 36 | "W3C", 37 | "Xnet", 38 | "Zlib", 39 | "Unicode-DFS-2016"] 40 | unused-allowed-license = "allow" 41 | 42 | 43 | # Deny cannot detect ring properly. 
Directly assign 44 | [[licenses.clarify]] 45 | name = "ring" 46 | version = "*" 47 | expression = "MIT AND ISC AND OpenSSL" 48 | license-files = [ 49 | { path = "LICENSE", hash = 0xbd0eed23 }, 50 | ] 51 | 52 | [bans] 53 | skip = [ 54 | { crate = "rand_core", version = "0.5.1", reason = "acceptable duplicate" }, 55 | { crate = "rand", version = "0.7.3", reason = "acceptable duplicate" }, 56 | { crate = "regex-syntax", version = "0.6.29", reason = "acceptable duplicate" }, 57 | { crate = "regex-automata", version = "0.1.10", reason = "acceptable duplicate" }, 58 | { crate = "rand_chacha", version = "0.2.2", reason = "acceptable duplicate" }, 59 | { crate = "thiserror-impl", version = "1.0.69", reason = "acceptable duplicate" }, 60 | { crate = "thiserror", version = "1.0.69", reason = "acceptable duplicate" }, 61 | { crate = "base64" }, 62 | { crate = "bitflags" }, 63 | { crate = "fastrand" }, 64 | { crate = "getrandom" }, 65 | { crate = "itertools" }, 66 | { crate = "memoffset" }, 67 | { crate = "nix" }, 68 | ] 69 | 70 | [sources] 71 | 72 | allow-git = [ 73 | "https://github.com/janrueth/boring-rustls-provider", 74 | ] 75 | -------------------------------------------------------------------------------- /docker/remote-env/Dockerfile: -------------------------------------------------------------------------------- 1 | # Remote docker environment for ztunnel development. 2 | # 3 | # Build: 4 | # docker build -t ztunnel/remote-env:0.1 -f docker/remote-env/Dockerfile . 
5 | # 6 | # Run: 7 | # docker run -d \ 8 | # --privileged \ 9 | # -p 127.0.0.1:2222:22 \ 10 | # --name ztunnel-dev \ 11 | # --mount type=bind,source="$PWD",target="/home/user/ztunnel" \ 12 | # ztunnel/remote-env:0.1 13 | # 14 | # Clear credentials: 15 | # ssh-keygen -f "$HOME/.ssh/known_hosts" -R "[localhost]:2222" 16 | # 17 | # stop: 18 | # docker stop ztunnel-dev 19 | # 20 | # ssh credentials (test user): 21 | # ssh user@localhost -p2222 (enter `password` on the command-line) 22 | 23 | FROM gcr.io/istio-testing/build-tools:master-65b95c3425a26e633081b2d0834cc0df6e81fd8a 24 | 25 | # - git (and git-lfs), for git operations (to e.g. push your work). 26 | # Also required for setting up your configured dotfiles in the workspace. 27 | # - sudo, while not required, is recommended to be installed, since the 28 | # workspace user (`gitpod`) is non-root and won't be able to install 29 | # and use `sudo` to install any other tools in a live workspace. 30 | RUN apt-get update && apt-get install --no-install-recommends -yq \ 31 | net-tools \ 32 | iproute2 \ 33 | iptables \ 34 | cmake \ 35 | ninja-build \ 36 | git \ 37 | sudo \ 38 | ssh \ 39 | && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* 40 | 41 | # Add the rust source code and set up the environment. 42 | RUN rustup component add rust-src 43 | ENV CARGO_HOME="/home/.cargo" 44 | ENV RUSTUP_HOME="/home/.rustup" 45 | ENV PATH=$CARGO_HOME/bin:$PATH 46 | 47 | # Create the configuration file for sshd 48 | RUN ( \ 49 | echo 'LogLevel DEBUG2'; \ 50 | echo 'PermitRootLogin yes'; \ 51 | echo 'PasswordAuthentication yes'; \ 52 | echo 'AllowTcpForwarding yes'; \ 53 | echo 'Subsystem sftp /usr/lib/openssh/sftp-server'; \ 54 | ) > /etc/ssh/sshd_remote_dev \ 55 | && mkdir /run/sshd 56 | 57 | # Add remote user with a plaintext password. 
58 | ARG REMOTE_USER=user 59 | ARG REMOTE_USER_PASSWORD=password 60 | ARG REMOTE_USER_HOME=/home/$REMOTE_USER 61 | ARG REMOTE_USER_SHELL=/bin/bash 62 | ARG REMOTE_USER_LOGIN_SCRIPT=$REMOTE_USER_HOME/.bashrc 63 | ARG REMOTE_USER_ID=3333 64 | ARG REMOTE_USER_GROUPS=sudo 65 | # ignoring because the current shell doesn't support pipefail; likely want to have a better fix long term 66 | # hadolint ignore=DL4006 67 | RUN useradd -lm \ 68 | -u $REMOTE_USER_ID \ 69 | -G $REMOTE_USER_GROUPS \ 70 | -d $REMOTE_USER_HOME \ 71 | -s $REMOTE_USER_SHELL \ 72 | $REMOTE_USER \ 73 | && yes $REMOTE_USER_PASSWORD | passwd $REMOTE_USER 74 | 75 | # Set the rust environment in the remote user login script. 76 | RUN echo "export CARGO_HOME=$CARGO_HOME" >> $REMOTE_USER_LOGIN_SCRIPT 77 | RUN echo "export RUSTUP_HOME=$RUSTUP_HOME" >> $REMOTE_USER_LOGIN_SCRIPT 78 | RUN echo "export PATH=$PATH" >> $REMOTE_USER_LOGIN_SCRIPT 79 | 80 | ENV BUILD_WITH_CONTAINER=0 81 | EXPOSE 22 82 | CMD ["/usr/sbin/sshd", "-D", "-e", "-f", "/etc/ssh/sshd_remote_dev"] -------------------------------------------------------------------------------- /examples/inpodserver.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | use std::os::fd::AsRawFd; 16 | 17 | use ztunnel::test_helpers::inpod::StartZtunnelMessage; 18 | use ztunnel::{ 19 | inpod::istio::zds::WorkloadInfo, 20 | test_helpers::inpod::{Message, start_ztunnel_server}, 21 | }; 22 | 23 | const PROXY_WORKLOAD_INFO: &str = "PROXY_WORKLOAD_INFO"; 24 | 25 | #[cfg(target_os = "linux")] 26 | #[tokio::main] 27 | async fn main() { 28 | let uds = std::env::var("INPOD_UDS").unwrap(); 29 | let pwi = match parse_proxy_workload_info() { 30 | Ok(pwi) => pwi, 31 | Err(e) => { 32 | eprintln!("Failed to parse proxy workload info: {:?}", e); 33 | return; 34 | } 35 | }; 36 | let netns = std::env::args().nth(1).unwrap(); 37 | let mut netns_base_dir = std::path::PathBuf::from("/var/run/netns"); 38 | netns_base_dir.push(netns); 39 | let netns_file = std::fs::File::open(netns_base_dir).unwrap(); 40 | 41 | let fd = netns_file.as_raw_fd(); 42 | 43 | let mut sender = start_ztunnel_server(uds.into()).await; 44 | sender 45 | .send(Message::Start(StartZtunnelMessage { 46 | uid: "uid-0".to_string(), 47 | workload_info: Some(pwi), 48 | fd, 49 | })) 50 | .await 51 | .unwrap(); 52 | sender.wait_forever().await.unwrap(); 53 | } 54 | 55 | fn parse_proxy_workload_info() -> Result { 56 | let pwi = match std::env::var(PROXY_WORKLOAD_INFO) { 57 | Ok(val) => val, 58 | Err(_) => { 59 | // Provide a default WorkloadInfo value if the environment variable is not set. 60 | return Ok(WorkloadInfo { 61 | name: "local".to_string(), 62 | namespace: "default".to_string(), 63 | service_account: "default".to_string(), 64 | }); 65 | } 66 | }; 67 | 68 | let s: Vec<&str> = pwi.splitn(3, "/").collect(); 69 | let &[ns, name, sa] = &s[..] 
else { 70 | return Err(Error::InvalidArgument(format!( 71 | "{PROXY_WORKLOAD_INFO} must match the format 'namespace/name/service-account' (got {s:?})" 72 | ))); 73 | }; 74 | 75 | Ok(WorkloadInfo { 76 | name: name.to_string(), 77 | namespace: ns.to_string(), 78 | service_account: sa.to_string(), 79 | }) 80 | } 81 | 82 | #[derive(thiserror::Error, Debug)] 83 | pub enum Error { 84 | #[error("invalid argument: {0}")] 85 | InvalidArgument(String), 86 | } 87 | 88 | #[cfg(not(target_os = "linux"))] 89 | fn main() {} 90 | -------------------------------------------------------------------------------- /examples/localhost.yaml: -------------------------------------------------------------------------------- 1 | # This shows an example local config for ztunnel that adds a workload for localhost. 2 | # This allows local testing by sending requests through the local ztunnel to other servers running on localhost. 3 | workloads: 4 | - uid: cluster1//v1/Pod/default/local 5 | name: local 6 | namespace: default 7 | serviceAccount: default 8 | workloadIps: ["127.0.0.1"] 9 | protocol: HBONE 10 | node: local 11 | network: "" 12 | services: 13 | "default/example.com": 14 | 80: 8080 15 | "default/example2.com": 16 | 80: 8080 17 | # Define another local address, but this one uses TCP. This allows testing HBONE and TCP with one config. 
18 | - uid: cluster1//v1/Pod/default/local-tcp 19 | name: local-tcp 20 | namespace: default 21 | serviceAccount: default 22 | workloadIps: ["127.0.0.2"] 23 | protocol: TCP 24 | node: local 25 | network: "" 26 | services: 27 | "default/example.com": 28 | 80: 8080 29 | "default/example2.com": 30 | 80: 8080 31 | policies: 32 | - action: Allow 33 | rules: 34 | - - - notDestinationPorts: 35 | - 9999 36 | name: deny-9999 37 | namespace: default 38 | scope: Namespace 39 | services: 40 | - name: local 41 | namespace: default 42 | hostname: example.com 43 | vips: 44 | - /127.10.0.1 45 | ports: 46 | 80: 8080 47 | subjectAltNames: 48 | - spiffe://cluster.local/ns/default/sa/local 49 | - name: remote 50 | namespace: default 51 | hostname: example2.com 52 | vips: 53 | - remote/127.10.0.2 54 | ports: 55 | 80: 8080 56 | -------------------------------------------------------------------------------- /fuzz/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | corpus 3 | artifacts 4 | coverage 5 | -------------------------------------------------------------------------------- /fuzz/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ztunnel-fuzz" 3 | version = "0.0.0" 4 | publish = false 5 | edition = "2024" 6 | 7 | [package.metadata] 8 | cargo-fuzz = true 9 | 10 | [dependencies] 11 | hyper = "1.1" 12 | libfuzzer-sys = "0.4" 13 | prost = "0.13" 14 | anyhow = "1.0" 15 | 16 | [dependencies.ztunnel] 17 | path = ".." 
18 | 19 | # Prevent this from interfering with workspaces 20 | [workspace] 21 | members = ["."] 22 | 23 | [profile.release] 24 | debug = 1 25 | 26 | [[bin]] 27 | name = "protobuf" 28 | path = "fuzz_targets/protobuf.rs" 29 | test = false 30 | doc = false 31 | 32 | [[bin]] 33 | name = "baggage" 34 | path = "fuzz_targets/baggage.rs" 35 | test = false 36 | doc = false 37 | -------------------------------------------------------------------------------- /fuzz/fuzz_targets/baggage.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | #![no_main] 16 | 17 | use hyper::{HeaderMap, http::HeaderValue}; 18 | use libfuzzer_sys::fuzz_target; 19 | use ztunnel::baggage::parse_baggage_header; 20 | use ztunnel::proxy::BAGGAGE_HEADER; 21 | 22 | fuzz_target!(|data: &[u8]| { 23 | let _ = run_baggage_header_parser(data); 24 | let _ = run_forwarded_header_parser(data); 25 | }); 26 | 27 | fn run_baggage_header_parser(data: &[u8]) -> anyhow::Result<()> { 28 | let mut hm = HeaderMap::new(); 29 | hm.append(BAGGAGE_HEADER, HeaderValue::from_bytes(data)?); 30 | parse_baggage_header(hm.get_all(BAGGAGE_HEADER))?; 31 | Ok(()) 32 | } 33 | 34 | fn run_forwarded_header_parser(data: &[u8]) -> anyhow::Result<()> { 35 | let s = std::str::from_utf8(data)?; 36 | let _ = ztunnel::proxy::parse_forwarded_host(s); 37 | Ok(()) 38 | } 39 | -------------------------------------------------------------------------------- /fuzz/fuzz_targets/protobuf.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | #![no_main] 16 | 17 | use libfuzzer_sys::fuzz_target; 18 | use prost::Message; 19 | use ztunnel::rbac::Authorization; 20 | use ztunnel::state::workload::Workload; 21 | use ztunnel::xds::istio::security::Authorization as XdsAuthorization; 22 | use ztunnel::xds::istio::workload::Workload as XdsWorkload; 23 | 24 | fuzz_target!(|data: &[u8]| { 25 | let _ = run_workload(data); 26 | let _ = run_rbac(data); 27 | }); 28 | 29 | fn run_workload(data: &[u8]) -> anyhow::Result<()> { 30 | Workload::try_from(XdsWorkload::decode(data)?)?; 31 | Ok(()) 32 | } 33 | 34 | fn run_rbac(data: &[u8]) -> anyhow::Result<()> { 35 | Authorization::try_from(XdsAuthorization::decode(data)?)?; 36 | Ok(()) 37 | } 38 | -------------------------------------------------------------------------------- /images/ztunnel-blue-on-dark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-blue-on-dark.png -------------------------------------------------------------------------------- /images/ztunnel-blue-on-dark.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /images/ztunnel-blue-on-light.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-blue-on-light.png -------------------------------------------------------------------------------- /images/ztunnel-blue-on-light.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /images/ztunnel-blue-on-transparent.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-blue-on-transparent.png -------------------------------------------------------------------------------- /images/ztunnel-blue-on-transparent.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /images/ztunnel-dark-on-light.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-dark-on-light.png -------------------------------------------------------------------------------- /images/ztunnel-dark-on-light.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /images/ztunnel-dark-on-transparent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-dark-on-transparent.png -------------------------------------------------------------------------------- /images/ztunnel-dark-on-transparent.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /images/ztunnel-gray-on-light.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-gray-on-light.png -------------------------------------------------------------------------------- /images/ztunnel-gray-on-light.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 
-------------------------------------------------------------------------------- /images/ztunnel-gray-on-transparent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-gray-on-transparent.png -------------------------------------------------------------------------------- /images/ztunnel-gray-on-transparent.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /images/ztunnel-light-on-blue.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/images/ztunnel-light-on-blue.png -------------------------------------------------------------------------------- /images/ztunnel-light-on-blue.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /proto/README.md: -------------------------------------------------------------------------------- 1 | # proto 2 | 3 | The `.proto` files in this directory are manually copies from their original repos 4 | and may be edited by hand to remove fields that the zTunnel doesn't need. 5 | -------------------------------------------------------------------------------- /proto/authorization.proto: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | package istio.security; 18 | option go_package="pkg/workloadapi/security"; 19 | 20 | import "google/protobuf/empty.proto"; 21 | 22 | message Authorization { 23 | string name = 1; 24 | string namespace = 2; 25 | 26 | // Determine the scope of this RBAC policy. 27 | // If set to NAMESPACE, the 'namespace' field value will be used. 28 | Scope scope = 3; 29 | // The action to take if the request is matched with the rules. 30 | // Default is ALLOW if not specified. 31 | Action action = 4; 32 | // Set of RBAC policy rules each containing its clauses (To, From, When). 33 | // If at least one of the rules is matched the policy action will 34 | // take place. 35 | // Rules are OR-ed. 36 | repeated Rule rules = 5; 37 | } 38 | 39 | message Rule { 40 | // Clauses are AND-ed 41 | // This is a generic form of the authz policy's to, from and when 42 | repeated Clause clauses = 1; 43 | } 44 | 45 | message Clause { 46 | // The logical behavior between the matches (if there are more than one) 47 | // MatchBehavior match_behavior = 1; 48 | // Matches are OR-ed 49 | // Match is a generic form of the authz policy's expressions contained in To, From and When. 
50 | repeated Match matches = 2; 51 | } 52 | 53 | message Match { 54 | // Values of specific type are OR-ed 55 | // If multiple types are set, they are AND-ed 56 | 57 | repeated StringMatch namespaces = 1; 58 | repeated StringMatch not_namespaces = 2; 59 | 60 | repeated ServiceAccountMatch service_accounts = 11; 61 | repeated ServiceAccountMatch not_service_accounts = 12; 62 | 63 | repeated StringMatch principals = 3; 64 | repeated StringMatch not_principals = 4; 65 | 66 | repeated Address source_ips = 5; 67 | repeated Address not_source_ips = 6; 68 | 69 | repeated Address destination_ips = 7; 70 | repeated Address not_destination_ips = 8; 71 | 72 | repeated uint32 destination_ports = 9; 73 | repeated uint32 not_destination_ports = 10; 74 | } 75 | 76 | message Address { 77 | bytes address = 1; 78 | uint32 length = 2; 79 | } 80 | 81 | message ServiceAccountMatch { 82 | string namespace = 1; 83 | string serviceAccount = 2; 84 | } 85 | 86 | message StringMatch { 87 | oneof match_type { 88 | // exact string match 89 | string exact = 1; 90 | // prefix-based match 91 | string prefix = 2; 92 | 93 | // suffix-based match 94 | string suffix = 3; 95 | 96 | google.protobuf.Empty presence = 4; 97 | } 98 | } 99 | 100 | enum Scope { 101 | // ALL means that the authorization policy will be applied to all workloads 102 | // in the mesh (any namespace). 103 | GLOBAL = 0; 104 | // NAMESPACE means that the policy will only be applied to workloads in a 105 | // specific namespace. 106 | NAMESPACE = 1; 107 | // WORKLOAD_SELECTOR means that the policy will only be applied to specific 108 | // workloads that were selected by their labels. 109 | WORKLOAD_SELECTOR = 2; 110 | } 111 | 112 | enum Action { 113 | // Allow the request if it matches with the rules. 114 | ALLOW = 0; 115 | // Deny the request if it matches with the rules. 
116 | DENY = 1; 117 | } 118 | -------------------------------------------------------------------------------- /proto/citadel.proto: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | import "google/protobuf/struct.proto"; 18 | 19 | // Keep this package for backward compatibility. 20 | package istio.v1.auth; 21 | 22 | option go_package="istio.io/api/security/v1alpha1"; 23 | 24 | // Certificate request message. The authentication should be based on: 25 | // 1. Bearer tokens carried in the side channel; 26 | // 2. Client-side certificate via Mutual TLS handshake. 27 | // Note: the service implementation is REQUIRED to verify the authenticated caller is authorize to 28 | // all SANs in the CSR. The server side may overwrite any requested certificate field based on its 29 | // policies. 30 | message IstioCertificateRequest { 31 | // PEM-encoded certificate request. 32 | // The public key in the CSR is used to generate the certificate, 33 | // and other fields in the generated certificate may be overwritten by the CA. 34 | string csr = 1; 35 | // Optional: requested certificate validity period, in seconds. 36 | int64 validity_duration = 3; 37 | 38 | // $hide_from_docs 39 | // Optional: Opaque metadata provided by the XDS node to Istio. 
40 | // Supported metadata: WorkloadName, WorkloadIP, ClusterID 41 | google.protobuf.Struct metadata = 4; 42 | } 43 | 44 | // Certificate response message. 45 | message IstioCertificateResponse { 46 | // PEM-encoded certificate chain. 47 | // The leaf cert is the first element, and the root cert is the last element. 48 | repeated string cert_chain = 1; 49 | } 50 | 51 | // Service for managing certificates issued by the CA. 52 | service IstioCertificateService { 53 | // Using provided CSR, returns a signed certificate. 54 | rpc CreateCertificate(IstioCertificateRequest) 55 | returns (IstioCertificateResponse) { 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /proto/google/protobuf/empty.proto: -------------------------------------------------------------------------------- 1 | // Protocol Buffers - Google's data interchange format 2 | // Copyright 2008 Google Inc. All rights reserved. 3 | // https://developers.google.com/protocol-buffers/ 4 | // 5 | // Redistribution and use in source and binary forms, with or without 6 | // modification, are permitted provided that the following conditions are 7 | // met: 8 | // 9 | // * Redistributions of source code must retain the above copyright 10 | // notice, this list of conditions and the following disclaimer. 11 | // * Redistributions in binary form must reproduce the above 12 | // copyright notice, this list of conditions and the following disclaimer 13 | // in the documentation and/or other materials provided with the 14 | // distribution. 15 | // * Neither the name of Google Inc. nor the names of its 16 | // contributors may be used to endorse or promote products derived from 17 | // this software without specific prior written permission. 
18 | // 19 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | 31 | syntax = "proto3"; 32 | 33 | package google.protobuf; 34 | 35 | option go_package = "google.golang.org/protobuf/types/known/emptypb"; 36 | option java_package = "com.google.protobuf"; 37 | option java_outer_classname = "EmptyProto"; 38 | option java_multiple_files = true; 39 | option objc_class_prefix = "GPB"; 40 | option csharp_namespace = "Google.Protobuf.WellKnownTypes"; 41 | option cc_enable_arenas = true; 42 | 43 | // A generic empty message that you can re-use to avoid defining duplicated 44 | // empty messages in your APIs. A typical example is to use it as the request 45 | // or the response type of an API method. For instance: 46 | // 47 | // service Foo { 48 | // rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); 49 | // } 50 | // 51 | message Empty {} 52 | -------------------------------------------------------------------------------- /proto/google/protobuf/struct.proto: -------------------------------------------------------------------------------- 1 | // Protocol Buffers - Google's data interchange format 2 | // Copyright 2008 Google Inc. All rights reserved. 
3 | // https://developers.google.com/protocol-buffers/ 4 | // 5 | // Redistribution and use in source and binary forms, with or without 6 | // modification, are permitted provided that the following conditions are 7 | // met: 8 | // 9 | // * Redistributions of source code must retain the above copyright 10 | // notice, this list of conditions and the following disclaimer. 11 | // * Redistributions in binary form must reproduce the above 12 | // copyright notice, this list of conditions and the following disclaimer 13 | // in the documentation and/or other materials provided with the 14 | // distribution. 15 | // * Neither the name of Google Inc. nor the names of its 16 | // contributors may be used to endorse or promote products derived from 17 | // this software without specific prior written permission. 18 | // 19 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
30 | 31 | syntax = "proto3"; 32 | 33 | package google.protobuf; 34 | 35 | option csharp_namespace = "Google.Protobuf.WellKnownTypes"; 36 | option cc_enable_arenas = true; 37 | option go_package = "google.golang.org/protobuf/types/known/structpb"; 38 | option java_package = "com.google.protobuf"; 39 | option java_outer_classname = "StructProto"; 40 | option java_multiple_files = true; 41 | option objc_class_prefix = "GPB"; 42 | 43 | // `Struct` represents a structured data value, consisting of fields 44 | // which map to dynamically typed values. In some languages, `Struct` 45 | // might be supported by a native representation. For example, in 46 | // scripting languages like JS a struct is represented as an 47 | // object. The details of that representation are described together 48 | // with the proto support for the language. 49 | // 50 | // The JSON representation for `Struct` is JSON object. 51 | message Struct { 52 | // Unordered map of dynamically typed values. 53 | map fields = 1; 54 | } 55 | 56 | // `Value` represents a dynamically typed value which can be either 57 | // null, a number, a string, a boolean, a recursive struct value, or a 58 | // list of values. A producer of value is expected to set one of these 59 | // variants. Absence of any variant indicates an error. 60 | // 61 | // The JSON representation for `Value` is JSON value. 62 | message Value { 63 | // The kind of value. 64 | oneof kind { 65 | // Represents a null value. 66 | NullValue null_value = 1; 67 | // Represents a double value. 68 | double number_value = 2; 69 | // Represents a string value. 70 | string string_value = 3; 71 | // Represents a boolean value. 72 | bool bool_value = 4; 73 | // Represents a structured value. 74 | Struct struct_value = 5; 75 | // Represents a repeated `Value`. 76 | ListValue list_value = 6; 77 | } 78 | } 79 | 80 | // `NullValue` is a singleton enumeration to represent the null value for the 81 | // `Value` type union. 
82 | // 83 | // The JSON representation for `NullValue` is JSON `null`. 84 | enum NullValue { 85 | // Null value. 86 | NULL_VALUE = 0; 87 | } 88 | 89 | // `ListValue` is a wrapper around a repeated field of values. 90 | // 91 | // The JSON representation for `ListValue` is JSON array. 92 | message ListValue { 93 | // Repeated field of dynamically typed values. 94 | repeated Value values = 1; 95 | } 96 | -------------------------------------------------------------------------------- /proto/zds.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | // GRPC package - part of the URL. Service is added. 4 | // URL: /PACKAGE.SERVICE/METHOD 5 | package istio.workload.zds; 6 | 7 | option go_package="pkg/zdsapi"; 8 | 9 | enum Version { 10 | NOT_USED = 0; 11 | V1 = 1; 12 | } 13 | 14 | message ZdsHello { 15 | Version version = 1; 16 | } 17 | 18 | message WorkloadInfo { 19 | reserved "trust_domain"; // Deprecated 20 | reserved 4; 21 | string name = 1; 22 | string namespace = 2; 23 | string service_account = 3; 24 | } 25 | 26 | // Add a workload to the ztunnel. this will be accompanied by ancillary data contianing 27 | // the workload's netns file descriptor. 28 | message AddWorkload { 29 | string uid = 1; 30 | WorkloadInfo workload_info = 2; 31 | } 32 | 33 | // Keep workload that we can't find in the fd cache. This can only be sent before SnapshotSent is sent 34 | // to signal ztunnel to not delete the workload if it has it. 35 | message KeepWorkload { 36 | string uid = 1; 37 | } 38 | 39 | // Delete a workload from the ztunnel. Ztunnel should shutdown the workload's proxy. 40 | message DelWorkload { 41 | string uid = 2; 42 | } 43 | 44 | // Let ztunnel know that a full snapshot was sent. Ztunnel should reconcile its internal state 45 | // and remove internal entries that were not sent. 46 | message SnapshotSent { 47 | } 48 | 49 | // Ztunnel ack message. If error is not empty, this is an error message. 
50 | message Ack { 51 | string error = 1; 52 | } 53 | 54 | /* 55 | Protocol details: 56 | on new connection from ztunnel to CNI, the CNI agent 57 | - will send all the existing payloads (that it has in its cache) to the ztunnel using AddWorkload message. 58 | - the ztunnel will send an ack for each payload (which the CNI will wait for before sending the next one). 59 | - when the CNI finishes sending the content of its current cache, a SnapshotSent message will be sent. 60 | - the ztunnel will then remove any entries from its cache that were not sent up to this point (as these entries do not exist in the CNI 61 | cache, and must have been deleted). ztunnel will ack the SnapshotSent message. 62 | - from now on, ztunnel will expect only AddWorkload and DelWorkload messages. 63 | */ 64 | 65 | // Sent from CNI to ztunnel 66 | message WorkloadRequest { 67 | oneof payload { 68 | AddWorkload add = 1; 69 | KeepWorkload keep = 5; 70 | DelWorkload del = 2; 71 | SnapshotSent snapshot_sent = 3; 72 | } 73 | } 74 | 75 | // Sent from ztunnel to CNI 76 | message WorkloadResponse { 77 | oneof payload { 78 | Ack ack = 1; 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /scripts/benchtest.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | set -eux 3 | 4 | REPORT_PATH="out/rust/criterion/" 5 | 6 | git checkout "$PULL_BASE_SHA" 7 | cargo bench -- --save-baseline master 8 | 9 | git checkout "$PULL_PULL_SHA" 10 | cargo bench -- --baseline-lenient master 11 | 12 | cp -r "$REPORT_PATH" "$ARTIFACTS" 13 | -------------------------------------------------------------------------------- /scripts/local.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Istio Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | ZTUNNEL_REDIRECT_USER="${ZTUNNEL_REDIRECT_USER:-iptables1}" 18 | 19 | ztunnel-local-bootstrap () { 20 | pod="$(kubectl get pods -lapp=ztunnel -n istio-system -ojson | jq '.items[0]')" 21 | sa="$(<<<"${pod}" jq -r '.spec.serviceAccountName')" 22 | uid="$(<<<"${pod}" jq -r '.metadata.uid')" 23 | name="$(<<<"${pod}" jq -r '.metadata.name')" 24 | mkdir -p ./var/run/secrets/tokens ./var/run/secrets/istio 25 | kubectl create token "$sa" -n istio-system --audience=istio-ca --duration=240h --bound-object-kind Pod --bound-object-name="${name}" --bound-object-uid="${uid}" > ./var/run/secrets/tokens/istio-token 26 | kubectl -n istio-system get secret istio-ca-secret -ojsonpath='{.data.ca-cert\.pem}' | base64 -d > ./var/run/secrets/istio/root-cert.pem 27 | } 28 | 29 | redirect-to () { 30 | redirect-to-clean 31 | uid=$(id -u "${ZTUNNEL_REDIRECT_USER}") 32 | sudo iptables -t nat -I OUTPUT 1 -p tcp -m owner --uid-owner "$uid" -j REDIRECT --to-ports "${1:?port}" -m comment --comment "local-redirect-to" 33 | sudo ip6tables -t nat -I OUTPUT 1 -p tcp -m owner --uid-owner "$uid" -j REDIRECT --to-ports "${1:?port}" -m comment --comment "local-redirect-to" 34 | echo "Redirecting calls from UID $uid to ${1}" 35 | echo "Try: sudo -u ${ZTUNNEL_REDIRECT_USER} curl" 36 | } 37 | 38 | redirect-to-clean () { 39 | sudo iptables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 echo sudo iptables -t nat -D 40 | sudo iptables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 sudo iptables -t nat -D 
41 | sudo ip6tables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 echo sudo ip6tables -t nat -D 42 | sudo ip6tables-save | grep '^\-A' | grep "local-redirect-to" | cut -c 4- | xargs -r -L 1 sudo ip6tables -t nat -D 43 | } 44 | 45 | redirect-user-setup() { 46 | # shellcheck disable=SC2046,SC2139,SC2006 47 | alias redirect-run="sudo -u \"${ZTUNNEL_REDIRECT_USER}\"" 48 | sudo useradd "${ZTUNNEL_REDIRECT_USER}" 49 | } 50 | 51 | -------------------------------------------------------------------------------- /scripts/release.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Istio Authors 4 | 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | 17 | set -ex 18 | 19 | WD=$(dirname "$0") 20 | WD=$(cd "$WD" || exit; pwd) 21 | 22 | case $(uname -m) in 23 | x86_64) export ARCH=amd64;; 24 | aarch64) export ARCH=arm64 ;; 25 | *) echo "unsupported architecture"; exit 1;; 26 | esac 27 | 28 | if [[ "$TLS_MODE" == "boring" ]]; then 29 | if [[ "$ARCH" == "arm64" ]]; then 30 | # TODO(https://github.com/istio/ztunnel/issues/357) clean up this hack 31 | sed -i 's/x86_64/arm64/g' .cargo/config.toml 32 | fi 33 | cargo build --release --no-default-features -F tls-boring 34 | elif [[ "$TLS_MODE" == "aws-lc" ]]; then 35 | cargo build --release --no-default-features -F tls-aws-lc 36 | elif [[ "$TLS_MODE" == "openssl" ]]; then 37 | cargo build --release --no-default-features -F tls-openssl 38 | else 39 | cargo build --release 40 | fi 41 | 42 | SHA="$(git rev-parse --verify HEAD)" 43 | BINARY_PREFIX=${BINARY_PREFIX:-"ztunnel"} 44 | RELEASE_NAME="${BINARY_PREFIX}-${SHA}-${ARCH}" 45 | ls -lh "${WD}/../out/rust/release/ztunnel" 46 | DEST="${DEST:-gs://istio-build/ztunnel}" 47 | if [[ "$CI" == "" && "$DEST" == "gs://istio-build/ztunnel" ]]; then 48 | echo "Outside of CI, DEST must be explicitly set" 49 | exit 1 50 | fi 51 | gsutil cp "${WD}/../out/rust/release/ztunnel" "${DEST}/${RELEASE_NAME}" 52 | -------------------------------------------------------------------------------- /scripts/run-cached.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | SCRIPT_INPUT=("$@") 5 | 6 | # Function to log error and execute command 7 | function error_and_exec() { 8 | echo "Error: $1" >&2 9 | exec "${SCRIPT_INPUT[@]}" 10 | } 11 | 12 | # Check if RUST_CACHE_DIR is set 13 | if [ -z "${RUST_CACHE_DIR}" ]; then 14 | error_and_exec "RUST_CACHE_DIR is not set" "$@" 15 | fi 16 | 17 | # Check if out/ directory exists 18 | if [ -d "out" ]; then 19 | error_and_exec "out/ directory already exists" "$@" 20 | fi 21 | 22 | # Get current branch name 23 | if [ -z "${PULL_BASE_REF}" ]; 
then 24 | error_and_exec "Could not determine current branch" "$@" 25 | fi 26 | 27 | # Make sure we are on presubmit 28 | if [ "${JOB_TYPE}" != "presubmit" ]; then 29 | error_and_exec "Caching only available on presubmit" "$@" 30 | fi 31 | 32 | CACHE_DIR="${RUST_CACHE_DIR}/${PULL_BASE_REF}" 33 | 34 | 35 | # Strip binaries to keep things smaller 36 | cat < ~/.cargo/config.toml 37 | [target.'cfg(debug_assertions)'] 38 | rustflags = ["-C", "strip=debuginfo"] 39 | EOF 40 | # Check if branch cache exists 41 | if [ ! -d "${CACHE_DIR}" ]; then 42 | # Not an error, we may need to populate it the first time 43 | echo "Cache for branch ${PULL_BASE_REF} not found, we will populate it" >&2 44 | else 45 | echo "Found cache for branch ${PULL_BASE_REF}, copying it" >&2 46 | # Copy cache to out directory 47 | mkdir -p out 48 | cp -ar "${CACHE_DIR}" out/rust 49 | echo "Cache size: $(du -sh out/rust)" >&2 50 | fi 51 | 52 | # Run the provided command 53 | "$@" 54 | 55 | # Clean up everything except build and deps directories 56 | find out/rust -mindepth 1 -maxdepth 1 -type d \ 57 | ! -path "out/rust/debug" \ 58 | -exec rm -rf {} + 59 | 60 | find out/rust -mindepth 2 -maxdepth 2 -type d \ 61 | ! -path "out/rust/debug/build" \ 62 | ! -path "out/rust/debug/deps" \ 63 | ! 
-path "out/rust/debug/.fingerprint" \ 64 | -exec rm -rf {} + 65 | 66 | # Update the cache with our state 67 | tmp="${RUST_CACHE_DIR}/${RANDOM}" 68 | tmp_to_delete="${RUST_CACHE_DIR}/${RANDOM}" 69 | 70 | echo "Backing up cache" >&2 71 | 72 | # Move our cache into the volume (this is slow since its cross-filesystem) 73 | mv out/rust "${tmp}" 74 | # Move the existing cache - we would delete it now, but mv is faster than delete, so we do this later 75 | # to prevent the time period when things are down 76 | # Note: we could use `exch` here in the future, but its not in our Ubuntu version 77 | mv "${CACHE_DIR}" "${tmp_to_delete}" || true 78 | # Populate the cache with our new info 79 | mv "${tmp}" "${CACHE_DIR}" 80 | # Remove the old one 81 | rm -rf "${tmp_to_delete}" || true 82 | -------------------------------------------------------------------------------- /scripts/test-with-coverage.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # shellcheck disable=SC2046,SC2086 3 | 4 | # Copyright Istio Authors 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 
17 | 18 | set -xe 19 | 20 | ARTIFACTS="${ARTIFACTS:-out/coverage}" 21 | output_dir=$ARTIFACTS/report 22 | # Where to store merged coverage file 23 | profdata=out/coverage/ztunnel.profdata 24 | # Where to store intermediate *.profraw files 25 | profiles=out/coverage/profiles 26 | 27 | export LLVM_PROFILE_FILE="$profiles/profile_%m_%p.profraw" 28 | # Enable coverage 29 | export RUSTFLAGS="-C instrument-coverage" 30 | export RUST_BACKTRACE=1 31 | RUSTUP_DEFAULT_TOOLCHAIN="$(rustup show active-toolchain | awk '{print $1}')" 32 | RUSTUP_LLVM_BIN_PATH="${HOME}/.rustup/toolchains/${RUSTUP_DEFAULT_TOOLCHAIN}/lib/rustlib/$(arch)-unknown-linux-gnu/bin" 33 | 34 | # Clean directory 35 | rm -rf "$profdata" "$profiles" 36 | mkdir -p "$profiles" 37 | 38 | echo "Running tests" 39 | cargo test --benches --tests --bins $FEATURES 40 | 41 | # Merge profraw data 42 | echo "Merging profraw files in $profiles to $profdata" 43 | ${RUSTUP_LLVM_BIN_PATH}/llvm-profdata merge -sparse $(find "$profiles" -name '*.profraw') -o $profdata 44 | 45 | # Taken from 46 | # https://doc.rust-lang.org/rustc/instrument-coverage.html#tips-for-listing-the-binaries-automatically 47 | test_bins=$(cargo test --benches --tests --bins --no-run --message-format=json $FEATURES \ 48 | | jq -r "select(.profile.test == true) | .filenames[]" \ 49 | | grep -v dSYM -) 50 | 51 | objs="" 52 | for file in $test_bins 53 | do 54 | objs="$objs $(printf "%s %s " -object "$file")" 55 | done 56 | echo $objs 57 | 58 | echo "Publishing coverage report to $output_dir" 59 | 60 | ${RUSTUP_LLVM_BIN_PATH}/llvm-cov show \ 61 | -instr-profile="$profdata" \ 62 | $objs \ 63 | -Xdemangler=rustfilt \ 64 | -format=html \ 65 | -sources=$(find src -name '*.rs') \ 66 | -output-dir="$output_dir" 67 | -------------------------------------------------------------------------------- /scripts/ztunnel-redirect-inpod.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # shellcheck disable=SC2086 3 | # 
This script sets up redirection in the ztunnel network namespace for namespaced tests (tests/README.md) 4 | 5 | set -ex 6 | 7 | # CONNMARK is needed to make original src work. we set conn mark on prerouting. this is will not effect connections 8 | # from ztunnel to outside the pod, which will go on OUTPUT chain. 9 | # as we are in the pod ns, we can use whatever iptables is default. 10 | iptables-restore --wait 10 --noflush </dev/null | grep -c '^-') 14 | if [ "${num_legacy_lines}" -ge 10 ]; then 15 | mode=legacy 16 | else 17 | num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep -c '^-') 18 | if [ "${num_legacy_lines}" -gt "${num_nft_lines}" ]; then 19 | mode=legacy 20 | else 21 | if [ "${num_nft_lines}" -eq "0" ]; then 22 | mode=none 23 | else 24 | mode=nft 25 | fi 26 | fi 27 | fi 28 | IPTABLES=iptables-legacy 29 | if [ "${mode}" = "nft" ]; then 30 | IPTABLES=iptables-nft 31 | fi 32 | if [ "${mode}" = "none" ]; then 33 | IPTABLES=iptables 34 | fi 35 | set -e 36 | 37 | $IPTABLES -w -t mangle -F PREROUTING 38 | $IPTABLES -w -t nat -F OUTPUT 39 | # Redirect outbound traffic that is NOT from ztunnel (identified by mark) 40 | # We do not currently bother redirecting inbound traffic since we don't test it, but a more complete solution would. 41 | # Note: in real world, this would be a UID/GID match like sidecars. Setting mark is enabled only for testing (for now?) 42 | $IPTABLES -w -t nat -A OUTPUT -p tcp ! -o lo -m mark ! --mark $MARK -j REDIRECT --to-ports "${POD_OUTBOUND}" 43 | -------------------------------------------------------------------------------- /src/assertions.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | // Below helper functions are used to help make about the size of types. 16 | // There are some compile time ways to do this, but they don't work in the way we need for the most part; 17 | // analyzing the size of Futures which we don't have explicit declarations for. 18 | // Future size is determined by the max required stack size for the async function. This means deeply 19 | // branched code can create huge Future's, leading to high per-connection memory usage in ztunnel. 20 | // Debugging these usages can be done by `RUSTFLAGS=-Zprint-type-sizes cargo +nightly build -j 1`, 21 | // or by logging with the functions below. 22 | 23 | #[cfg(all(any(test, feature = "testing"), debug_assertions))] 24 | pub fn size_between_ref(min: usize, max: usize, t: &T) { 25 | let size = std::mem::size_of_val(t); 26 | if size < min || size > max { 27 | // If it is too small: that is good, we just want to update the assertion to be more aggressive 28 | // If it is too big: that is bad. We may need to increase the limit, or consider refactors. 
29 | panic!( 30 | "type {} size is unexpected, wanted {min}..{max}, got {size}", 31 | std::any::type_name::(), 32 | ) 33 | } 34 | tracing::trace!( 35 | "type {} size is within expectations, wanted {min}..{max}, got {size}", 36 | std::any::type_name::(), 37 | ) 38 | } 39 | 40 | #[cfg(not(all(any(test, feature = "testing"), debug_assertions)))] 41 | pub fn size_between_ref(_min: usize, _max: usize, _t: &T) {} 42 | 43 | #[inline(always)] 44 | pub fn size_between(min: usize, max: usize, t: T) -> T { 45 | size_between_ref(min, max, &t); 46 | t 47 | } 48 | -------------------------------------------------------------------------------- /src/assets/dashboard.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Ztunnel Admin 5 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 |
CommandDescription
61 | 62 | 63 | -------------------------------------------------------------------------------- /src/dns.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::io; 16 | use std::net::SocketAddr; 17 | 18 | pub mod forwarder; 19 | pub mod handler; 20 | pub mod metrics; 21 | pub mod name_util; 22 | pub mod resolver; 23 | pub mod server; 24 | 25 | pub use metrics::*; 26 | pub use server::*; 27 | 28 | #[derive(thiserror::Error, Debug)] 29 | pub enum Error { 30 | #[error("failed to bind to address {0}: {1}")] 31 | Bind(SocketAddr, io::Error), 32 | 33 | #[error("io error: {0}")] 34 | Io(#[from] io::Error), 35 | 36 | #[error("{0}")] 37 | Generic(Box), 38 | } 39 | -------------------------------------------------------------------------------- /src/dns/name_util.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use hickory_proto::rr::Name; 16 | 17 | /// Returns true if the given name ends with the labels provided by the domain iterator. 18 | // TODO(nmittler): Consider upstreaming to TrustDNS. 19 | pub fn has_domain(name: &Name, domain: &Name) -> bool { 20 | if domain.is_wildcard() || name.num_labels() <= domain.num_labels() { 21 | return false; 22 | } 23 | 24 | let name_iter = name.iter(); 25 | let domain_iter = domain.iter(); 26 | 27 | // Skip ahead to the start of the domain. 28 | let num_skip = name_iter.len() - domain_iter.len(); 29 | let name_iter = name_iter.skip(num_skip); 30 | 31 | // Compare the remaining elements. 32 | name_iter.eq(domain_iter) 33 | } 34 | 35 | /// Trims the domain labels from the name. Returns `Some` if the domain was found and removed. 36 | // TODO(nmittler): Consider upstreaming to TrustDNS. 37 | pub fn trim_domain(name: &Name, domain: &Name) -> Option { 38 | if has_domain(name, domain) { 39 | // Create a Name from the labels leading up to the domain. 
40 | let iter = name.iter(); 41 | let num_labels = iter.len() - domain.num_labels() as usize; 42 | let mut name = Name::from_labels(iter.take(num_labels)).unwrap(); 43 | name.set_fqdn(false); 44 | Some(name) 45 | } else { 46 | None 47 | } 48 | } 49 | 50 | #[cfg(test)] 51 | mod tests { 52 | use super::*; 53 | use crate::test_helpers::dns::n; 54 | use hickory_proto::rr::Name; 55 | 56 | #[test] 57 | fn test_has_domain() { 58 | assert!(has_domain(&n("name.ns.svc.cluster.local"), &domain())); 59 | 60 | assert!(!has_domain(&n("name.ns.a.different.domain"), &domain())); 61 | 62 | assert!(!has_domain(&n("cluster.com"), &domain())); 63 | } 64 | 65 | #[test] 66 | fn test_trim_domain() { 67 | assert_eq!( 68 | Some(n("name.ns")), 69 | trim_domain(&n("name.ns.svc.cluster.local"), &domain()) 70 | ); 71 | 72 | assert_eq!( 73 | None, 74 | trim_domain(&n("name.ns.a.different.domain"), &domain()) 75 | ); 76 | 77 | // Can't trim if nothing left. 78 | assert_eq!(None, trim_domain(&n("svc.cluster.local"), &domain())); 79 | } 80 | 81 | fn domain() -> Name { 82 | n("svc.cluster.local") 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /src/dns/resolver.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
use hickory_proto::rr::Record;
use hickory_resolver::lookup::Lookup;
use hickory_server::authority::LookupError;
use hickory_server::server::Request;
use std::slice::Iter;

/// Similar to a TrustDNS `Authority`, except that the returned [Answer] carries an
/// explicit authoritative flag. That keeps the trait composable for a proxy, where
/// one resolver may answer authoritatively and another may merely relay an upstream
/// response.
#[async_trait::async_trait]
pub trait Resolver: Sync + Send {
    async fn lookup(&self, request: &Request) -> Result<Answer, LookupError>;
}

/// Answer returned by a [Resolver]: the records plus whether the resolver is the
/// authority for them.
#[derive(Debug)]
pub struct Answer {
    records: Vec<Record>,
    is_authoritative: bool,
}

impl Answer {
    /// Builds an answer from a record set and an authoritative flag.
    pub fn new(records: Vec<Record>, is_authoritative: bool) -> Self {
        Answer {
            records,
            is_authoritative,
        }
    }

    /// Borrowing iterator over the records in this answer.
    pub fn record_iter(&self) -> RecordIter<'_> {
        RecordIter(self.records.iter())
    }

    /// True when the [Resolver] that produced this answer is the authority for it.
    pub fn is_authoritative(&self) -> bool {
        self.is_authoritative
    }
}

impl From<Lookup> for Answer {
    /// A `Lookup` always comes from an upstream resolver, so the resulting answer is
    /// never marked authoritative.
    fn from(lookup: Lookup) -> Self {
        Answer::new(lookup.records().to_vec(), false)
    }
}

/// Borrowed view of the [`Record`]s held by an [Answer].
pub struct RecordIter<'a>(Iter<'a, Record>);

impl<'a> Iterator for RecordIter<'a> {
    type Item = &'a Record;

    fn next(&mut self) -> Option<Self::Item> {
        self.0.next()
    }
}
14 | 15 | use crate::tls; 16 | use std::str::Utf8Error; 17 | use std::sync::Arc; 18 | 19 | mod caclient; 20 | pub use caclient::*; 21 | 22 | pub mod manager; 23 | pub use manager::*; 24 | 25 | mod auth; 26 | use crate::state::WorkloadInfo; 27 | pub use auth::*; 28 | 29 | #[cfg(any(test, feature = "testing"))] 30 | pub mod mock { 31 | pub use super::caclient::mock::CaClient; 32 | pub use super::manager::mock::{ 33 | Config as SecretManagerConfig, new_secret_manager, new_secret_manager_cfg, 34 | }; 35 | } 36 | 37 | #[derive(thiserror::Error, Debug, Clone)] 38 | pub enum Error { 39 | #[error("failed to create CSR: {0}")] 40 | Signing(Arc), 41 | #[error("signing gRPC error ({}): {}", .0.code(), .0.message())] 42 | SigningRequest(#[from] Box), 43 | #[error("failed to process string: {0}")] 44 | Utf8(#[from] Utf8Error), 45 | #[error("did not find expected SAN: {0}")] 46 | SanError(Identity), 47 | #[error("chain returned from CA is empty for: {0}")] 48 | EmptyResponse(Identity), 49 | #[error("invalid spiffe identity: {0}")] 50 | Spiffe(String), 51 | #[error("workload is unknown: {0}")] 52 | UnknownWorkload(Arc), 53 | #[error("the identity is no longer needed")] 54 | Forgotten, 55 | #[error("BUG: identity requested {0}, but only allowed {1:?}")] 56 | BugInvalidIdentityRequest(Identity, Arc), 57 | } 58 | 59 | impl From for Error { 60 | fn from(value: tls::Error) -> Self { 61 | Error::Signing(Arc::new(value)) 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /src/identity/auth.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
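use std::fmt;
use std::io;
use std::path::PathBuf;

/// Where the credential presented alongside CA / control-plane requests comes from.
///
/// `Debug` is implemented by hand rather than derived so that the bearer token held
/// by `StaticToken` is never written to logs, panics or error chains; only the
/// cluster id (and, for `Token`, the file path) is shown.
#[derive(Clone, PartialEq, Eq)]
pub enum AuthSource {
    /// JWT authentication source which contains the token file path and the cluster id.
    /// The file is read on every request, so a rotated token file is picked up.
    Token(PathBuf, String),
    /// JWT authentication source which contains a static token and the cluster id.
    /// Note that this token is not refreshed, so its lifetime ought to be longer than ztunnel's.
    StaticToken(String, String),
    None,
}

impl fmt::Debug for AuthSource {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AuthSource::Token(path, cluster_id) => f
                .debug_tuple("Token")
                .field(path)
                .field(cluster_id)
                .finish(),
            // The first field is the secret itself; never print it.
            AuthSource::StaticToken(_, cluster_id) => f
                .debug_tuple("StaticToken")
                .field(&"<redacted>")
                .field(cluster_id)
                .finish(),
            AuthSource::None => f.write_str("None"),
        }
    }
}

impl AuthSource {
    /// Adds the `authorization: Bearer <token>` and `clusterid` headers for this source.
    ///
    /// For `Token` the file is read now; an unreadable or empty file is an error.
    /// For `None` the request is left untouched. Any byte that is not valid in an
    /// HTTP header value is rejected by `try_into` and surfaces as an error rather
    /// than being sent.
    pub async fn insert_headers(&self, request: &mut http::HeaderMap) -> anyhow::Result<()> {
        const AUTHORIZATION: &str = "authorization";
        const CLUSTER: &str = "clusterid";
        let (token, cluster_id) = match self {
            AuthSource::Token(path, cluster_id) => (load_token(path).await?, cluster_id),
            AuthSource::StaticToken(token, cluster_id) => (token.as_bytes().to_vec(), cluster_id),
            AuthSource::None => return Ok(()),
        };
        let mut bearer: Vec<u8> = b"Bearer ".to_vec();
        bearer.extend_from_slice(&token);
        request.insert(AUTHORIZATION, bearer.try_into()?);
        request.insert(CLUSTER, cluster_id.try_into()?);
        Ok(())
    }
}

/// Reads the token file. Trailing ASCII whitespace is stripped: a token file written
/// with a trailing newline would otherwise fail header-value validation at request
/// time, and a JWT never legitimately contains whitespace. A file that is empty (or
/// whitespace only) is an error.
async fn load_token(path: &PathBuf) -> io::Result<Vec<u8>> {
    let mut t = tokio::fs::read(path).await?;
    while t.last().is_some_and(|b| b.is_ascii_whitespace()) {
        t.pop();
    }

    if t.is_empty() {
        return Err(io::Error::other("token file exists, but was empty"));
    }
    Ok(t)
}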
Err(io::Error::other("token file exists, but was empty")); 62 | } 63 | Ok(t) 64 | } 65 | -------------------------------------------------------------------------------- /src/inpod.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use crate::config as zconfig; 16 | use crate::readiness; 17 | use metrics::Metrics; 18 | use std::sync::Arc; 19 | use workloadmanager::WorkloadProxyManager; 20 | 21 | use crate::proxyfactory::ProxyFactory; 22 | 23 | use self::config::InPodConfig; 24 | 25 | pub mod admin; 26 | mod config; 27 | pub mod metrics; 28 | pub mod netns; 29 | pub mod packet; 30 | mod protocol; 31 | mod statemanager; 32 | mod workloadmanager; 33 | 34 | #[cfg(any(test, feature = "testing"))] 35 | pub mod test_helpers; 36 | 37 | pub mod istio { 38 | pub mod zds { 39 | tonic::include_proto!("istio.workload.zds"); 40 | } 41 | } 42 | 43 | #[derive(thiserror::Error, Debug)] 44 | pub enum Error { 45 | #[error("error creating proxy {0}: {1}")] 46 | ProxyError(String, crate::proxy::Error), 47 | #[error("error receiving message: {0}")] 48 | ReceiveMessageError(String), 49 | #[error("error sending ack: {0}")] 50 | SendAckError(String), 51 | #[error("error sending nack: {0}")] 52 | SendNackError(String), 53 | #[error("protocol error: {0}")] 54 | ProtocolError(String), 55 | #[error("announce error: {0}")] 56 
| AnnounceError(String), 57 | } 58 | 59 | #[derive(Debug, Clone, PartialEq, Eq, Hash, serde::Serialize)] 60 | pub struct WorkloadUid(String); 61 | 62 | impl WorkloadUid { 63 | pub fn new(uid: String) -> Self { 64 | Self(uid) 65 | } 66 | pub fn into_string(self) -> String { 67 | self.0 68 | } 69 | } 70 | 71 | #[derive(Debug)] 72 | pub struct WorkloadData { 73 | netns: std::os::fd::OwnedFd, 74 | workload_uid: WorkloadUid, 75 | workload_info: Option, 76 | } 77 | 78 | #[derive(Debug)] 79 | pub enum WorkloadMessage { 80 | AddWorkload(WorkloadData), 81 | KeepWorkload(WorkloadUid), 82 | WorkloadSnapshotSent, 83 | DelWorkload(WorkloadUid), 84 | } 85 | 86 | pub fn init_and_new( 87 | metrics: Arc, 88 | admin_server: &mut crate::admin::Service, 89 | cfg: &zconfig::Config, 90 | proxy_gen: ProxyFactory, 91 | ready: readiness::Ready, 92 | ) -> anyhow::Result { 93 | // verify that we have the permissions for the syscalls we need 94 | WorkloadProxyManager::verify_syscalls()?; 95 | let admin_handler: Arc = Default::default(); 96 | admin_server.add_handler(admin_handler.clone()); 97 | let inpod_config = crate::inpod::InPodConfig::new(cfg)?; 98 | 99 | let state_mgr = statemanager::WorkloadProxyManagerState::new( 100 | proxy_gen, 101 | inpod_config, 102 | metrics, 103 | admin_handler, 104 | ); 105 | 106 | Ok(WorkloadProxyManager::new( 107 | cfg.inpod_uds.clone(), 108 | state_mgr, 109 | ready, 110 | )?) 111 | } 112 | -------------------------------------------------------------------------------- /src/inpod/metrics.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use prometheus_client::metrics::counter::Counter; 16 | use prometheus_client::metrics::gauge::Gauge; 17 | use prometheus_client::registry::Registry; 18 | 19 | #[derive(Default)] 20 | pub struct Metrics { 21 | pub(super) active_proxy_count: Gauge, 22 | pub(super) pending_proxy_count: Gauge, 23 | pub(super) proxies_started: Counter, 24 | pub(super) proxies_stopped: Counter, 25 | } 26 | 27 | impl Metrics { 28 | pub fn new(registry: &mut Registry) -> Self { 29 | let m = Self::default(); 30 | registry.register( 31 | "active_proxy_count", 32 | "The total number current workloads with active proxies (unstable)", 33 | m.active_proxy_count.clone(), 34 | ); 35 | registry.register( 36 | "pending_proxy_count", 37 | "The total number current workloads with pending proxies (unstable)", 38 | m.pending_proxy_count.clone(), 39 | ); 40 | registry.register( 41 | "proxies_started", 42 | "The total number of proxies that were started (unstable)", 43 | m.proxies_started.clone(), 44 | ); 45 | registry.register( 46 | "proxies_stopped", 47 | "The total number of proxies that were stopped (unstable)", 48 | m.proxies_stopped.clone(), 49 | ); 50 | m 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/inpod/packet.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
// ZDS uses seqpacket unix sockets to communicate with the node agent.
// Tokio has no SOCK_SEQPACKET constructor, so the sockets are created with raw nix
// calls (already non-blocking, as tokio requires) and then handed over to tokio.

use nix::sys::socket::{
    AddressFamily, SockFlag, SockType, UnixAddr, bind as nixbind, connect as nixconnect, listen,
    socket,
};
use std::cmp;
use std::os::fd::{AsRawFd, OwnedFd};
use std::path::Path;
use tokio::net::{UnixListener, UnixStream};

/// Creates an unbound SOCK_SEQPACKET unix socket that is non-blocking and
/// close-on-exec (so it is not inherited by any child process).
fn new_seqpacket_socket() -> std::io::Result<OwnedFd> {
    let fd = socket(
        AddressFamily::Unix,
        SockType::SeqPacket,
        SockFlag::SOCK_NONBLOCK | SockFlag::SOCK_CLOEXEC,
        None,
    )?;
    Ok(fd)
}

/// Binds a listening SOCK_SEQPACKET unix socket at `path` and wraps it for tokio.
///
/// bind(2) fails if something already exists at `path`; nothing here removes a stale
/// socket file, so that is presumably handled by the caller. No mode is set on the
/// socket file either: who may connect is decided by the process umask and the
/// parent directory's permissions — worth confirming for the deployment.
pub fn bind(path: &Path) -> std::io::Result<UnixListener> {
    let fd = new_seqpacket_socket()?;
    let addr = UnixAddr::new(path)?;
    nixbind(fd.as_raw_fd(), &addr)?;

    // Clamp the backlog so it never exceeds the kernel maximum.
    let backlog = cmp::min(1024, libc::SOMAXCONN - 1);
    listen(&fd, nix::sys::socket::Backlog::new(backlog)?)?;

    let std_listener = std::os::unix::net::UnixListener::from(fd);
    UnixListener::from_std(std_listener)
}

/// Connects to the SOCK_SEQPACKET unix socket at `path`.
///
/// The socket is non-blocking, so connect(2) may return EAGAIN or EINPROGRESS. In that
/// case, per `man 2 connect`, completion is detected by waiting for writability and the
/// outcome is read back through SO_ERROR (`take_error`).
pub async fn connect(path: &Path) -> std::io::Result<UnixStream> {
    let fd = new_seqpacket_socket()?;
    let addr = UnixAddr::new(path)?;
    let attempt = nixconnect(fd.as_raw_fd(), &addr);

    // Hand the fd to tokio before inspecting the result so that a pending connect can
    // be awaited. This is sound: we just created the fd and it is non-blocking.
    let stream = UnixStream::from_std(std::os::unix::net::UnixStream::from(fd))?;

    match attempt {
        Ok(()) => Ok(stream),
        Err(nix::errno::Errno::EAGAIN) | Err(nix::errno::Errno::EINPROGRESS) => {
            // EAGAIN: "For nonblocking UNIX domain sockets, the socket is nonblocking,
            // and the connection cannot be completed immediately." EINPROGRESS is
            // accepted as well because that is what mio checks for.
            stream.writable().await?;
            // Writable means connect has finished; SO_ERROR says whether it succeeded.
            match stream.take_error()? {
                Some(e) => Err(e),
                None => Ok(stream),
            }
        }
        Err(e) => Err(std::io::Error::from(e)),
    }
}
pub mod admin;
pub mod app;
pub mod assertions;
pub mod baggage;
pub mod cert_fetcher;
pub mod config;
pub mod copy;
pub mod dns;
pub mod drain;
pub mod hyper_util;
pub mod identity;
// Linux-only: the in-pod mode relies on network namespaces and SOCK_SEQPACKET unix
// sockets (see inpod::netns and inpod::packet).
#[cfg(target_os = "linux")]
pub mod inpod;
pub mod metrics;
pub mod proxy;
pub mod proxyfactory;
pub mod rbac;
pub mod readiness;
pub mod signal;
pub mod socket;
pub mod state;
pub mod strng;
pub mod telemetry;
pub mod time;
pub mod tls;
pub mod version;
pub mod xds;

// Test helpers are also exported behind the `testing` feature so integration tests
// can use them; that feature should not be enabled in production builds.
#[cfg(any(test, feature = "testing"))]
pub mod test_helpers;
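extern crate core;

use std::sync::Arc;
use tracing::info;
use ztunnel::*;

// Use jemalloc as the global allocator when built with the `jemalloc` feature.
#[cfg(feature = "jemalloc")]
#[global_allocator]
static ALLOC: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;

// jemalloc reads this exported `malloc_conf` symbol at startup; the string enables
// heap profiling. Only built with the `jemalloc` feature.
#[cfg(feature = "jemalloc")]
#[allow(non_upper_case_globals)]
#[unsafe(export_name = "malloc_conf")]
pub static malloc_conf: &[u8] = b"prof:true,prof_active:true,lg_prof_sample:19\0";

/// Entry point. Deliberately minimal CLI: `proxy` (the default when no argument is
/// given), `version`, and `help`. Anything else prints help and exits with status 1.
fn main() -> anyhow::Result<()> {
    let _log_flush = telemetry::setup_logging();

    // For now we don't need a complex CLI, so rather than pull in dependencies just use basic argv[1]
    match std::env::args().nth(1).as_deref() {
        None | Some("proxy") => (),
        Some("version") => return version(),
        Some("help") => return help(),
        Some(unknown) => {
            eprintln!("unknown command: {unknown}");
            help().unwrap();
            std::process::exit(1)
        }
    };

    // Single-threaded runtime: the proxy is driven from one thread.
    tokio::runtime::Builder::new_current_thread()
        .enable_all()
        .build()
        .unwrap()
        .block_on(async move {
            let config = Arc::new(config::parse_config()?);
            proxy(config).await
        })
}

/// Prints the command list together with the build info.
fn help() -> anyhow::Result<()> {
    let version = version::BuildInfo::new();
    println!(
        "
Istio Ztunnel ({version})

Commands:
  proxy (default) - Start the ztunnel proxy
  version         - Print the version of ztunnel
  help            - Print commands and version of ztunnel"
    );
    Ok(())
}

/// Prints the build info only.
fn version() -> anyhow::Result<()> {
    println!("{}", version::BuildInfo::new());
    Ok(())
}

/// Runs the proxy until termination, logging the build info and the full effective
/// configuration at startup.
// NOTE(review): the config dump below serializes `Config` wholesale into the log at
// INFO. If `Config` ever carries a credential (e.g. a static auth token) that its
// `Serialize` impl does not skip, it would be logged here — confirm against config.rs.
async fn proxy(cfg: Arc<config::Config>) -> anyhow::Result<()> {
    info!("version: {}", version::BuildInfo::new());
    info!("running with config: {}", serde_yaml::to_string(&cfg)?);
    app::build(cfg).await?.wait_termination().await
}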
/src/metrics/meta.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use prometheus_client::encoding::EncodeLabelSet; 16 | use prometheus_client::metrics::family::Family; 17 | use prometheus_client::metrics::gauge::Gauge; 18 | use prometheus_client::registry::Registry; 19 | 20 | use crate::version; 21 | 22 | pub struct Metrics {} 23 | 24 | #[derive(Clone, Hash, Debug, PartialEq, Eq, EncodeLabelSet)] 25 | pub struct IstioBuildLabel { 26 | component: String, 27 | tag: String, 28 | } 29 | 30 | impl Metrics { 31 | pub fn new(registry: &mut Registry) -> Self { 32 | let build_gauge: Family = Default::default(); 33 | registry.register("build", "Istio component build info", build_gauge.clone()); 34 | 35 | let tag = version::BuildInfo::new().istio_version; 36 | // Note: tag refers to the "Istio version", not the ztunnels own tag (which is an implementation detail to Istio). 
37 | build_gauge 38 | .get_or_create(&IstioBuildLabel { 39 | component: "ztunnel".to_string(), 40 | tag, 41 | }) 42 | .set(1); 43 | 44 | Self {} 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /src/proxy/util.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use std::io::{Error, ErrorKind}; 16 | 17 | pub fn is_runtime_shutdown(e: &Error) -> bool { 18 | if e.kind() == ErrorKind::Other 19 | && e.to_string() == "A Tokio 1.x context was found, but it is being shutdown." 20 | { 21 | return true; 22 | } 23 | false 24 | } 25 | -------------------------------------------------------------------------------- /src/readiness.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
use crate::telemetry;
use std::collections::HashSet;
use std::sync::{Arc, Mutex};
use tracing::info;
mod server;
pub use server::*;

/// Ready tracks whether the process is ready by holding the names of the tasks that
/// still block readiness. Clones share the same underlying set.
#[derive(Clone, Debug, Default)]
pub struct Ready(Arc<Mutex<HashSet<String>>>);

impl Ready {
    pub fn new() -> Ready {
        Ready::default()
    }

    /// Registers `name` as a pending dependency and returns a guard; readiness stays
    /// blocked until that guard is dropped. Names are a plain set, so registering the
    /// same name twice yields one entry shared by two guards.
    pub fn register_task(&self, name: &str) -> BlockReady {
        let task = name.to_string();
        self.0.lock().unwrap().insert(task.clone());
        BlockReady {
            parent: self.clone(),
            name: task,
        }
    }

    /// Snapshot of the tasks that have not completed yet.
    pub fn pending(&self) -> HashSet<String> {
        let guard = self.0.lock().unwrap();
        guard.clone()
    }
}

/// BlockReady blocks readiness until it is dropped.
pub struct BlockReady {
    parent: Ready,
    name: String,
}

impl BlockReady {
    /// Registers another pending task on the same `Ready`; it is a sibling entry,
    /// not nested under this one.
    pub fn subtask(&self, name: &str) -> BlockReady {
        self.parent.register_task(name)
    }
}

impl Drop for BlockReady {
    fn drop(&mut self) {
        let mut pending = self.parent.0.lock().unwrap();
        // The name must still be present: removing it twice (duplicate registration
        // or double drop) is a bug, hence the debug assertion.
        let removed = pending.remove(&self.name);
        debug_assert!(removed);
        let left = pending.len();
        let dur = telemetry::APPLICATION_START_TIME.elapsed();
        match left {
            0 => info!(
                "Task '{}' complete ({dur:?}), marking server ready",
                self.name
            ),
            _ => info!(
                "Task '{}' complete ({dur:?}), still awaiting {left} tasks",
                self.name
            ),
        }
    }
}
use std::net::SocketAddr;
use std::sync::Arc;

use bytes::Bytes;
use http_body_util::Full;
use hyper::body::Incoming;
use hyper::{Request, Response};
use itertools::Itertools;

use crate::drain::DrainWatcher;
use crate::hyper_util;
use crate::{config, readiness};

/// HTTP readiness server. Serves `/healthz/ready` on `config.readiness_addr` and, when
/// not ready, lists the tasks still pending. Those names are internal detail, so the
/// listen address should only be reachable by whoever is meant to probe readiness —
/// TODO confirm how readiness_addr is configured in deployments.
pub struct Server {
    s: hyper_util::Server<readiness::Ready>,
    ready: readiness::Ready,
}

impl Server {
    /// Binds the readiness listener; `ready` is shared with the request handler.
    pub async fn new(
        config: Arc<config::Config>,
        drain_rx: DrainWatcher,
        ready: readiness::Ready,
    ) -> anyhow::Result<Self> {
        let s = hyper_util::Server::<readiness::Ready>::bind(
            "readiness",
            config.readiness_addr,
            drain_rx,
            ready.clone(),
        )
        .await?;
        Ok(Server { s, ready })
    }

    /// Handle to the shared readiness state.
    pub fn ready(&self) -> readiness::Ready {
        self.ready.clone()
    }

    /// The address the listener is bound to.
    pub fn address(&self) -> SocketAddr {
        self.s.address()
    }

    /// Starts serving. Every path other than `/healthz/ready` is answered with 404.
    pub fn spawn(self) {
        self.s.spawn(|ready, req| async move {
            let response = if req.uri().path() == "/healthz/ready" {
                handle_ready(&ready, req).await
            } else {
                hyper_util::empty_response(hyper::StatusCode::NOT_FOUND)
            };
            Ok(response)
        })
    }
}

/// Handles `/healthz/ready`: `200 ready` when nothing is pending, otherwise `500` with
/// the sorted list of pending task names. Only GET is accepted (405 otherwise).
async fn handle_ready(ready: &readiness::Ready, req: Request<Incoming>) -> Response<Full<Bytes>> {
    if *req.method() != hyper::Method::GET {
        return hyper_util::empty_response(hyper::StatusCode::METHOD_NOT_ALLOWED);
    }

    let pending = ready.pending();
    if pending.is_empty() {
        hyper_util::plaintext_response(hyper::StatusCode::OK, "ready\n".into())
    } else {
        // Sorted so the output is stable between probes.
        let names = pending.into_iter().sorted().join(", ");
        hyper_util::plaintext_response(
            hyper::StatusCode::INTERNAL_SERVER_ERROR,
            format!("not ready, pending: {}\n", names),
        )
    }
}
// #[async_trait::async_trait]
// pub trait Shutdown {
//     async fn shutdown();
// }

use tokio::sync::mpsc;

/// Shutdown owns the explicit-trigger channel and, in `wait`, races it against the
/// process signal handlers (SIGINT/SIGTERM on unix, Ctrl+C on Windows).
pub struct Shutdown {
    shutdown_tx: mpsc::Sender<()>,
    shutdown_rx: mpsc::Receiver<()>,
}

impl Shutdown {
    pub fn new() -> Self {
        // Capacity 1 is enough: a single message means "shut down".
        let (shutdown_tx, shutdown_rx) = mpsc::channel(1);
        Shutdown {
            shutdown_tx,
            shutdown_rx,
        }
    }

    /// Trigger returns a ShutdownTrigger which can be used to trigger a shutdown immediately
    pub fn trigger(&self) -> ShutdownTrigger {
        ShutdownTrigger {
            shutdown_tx: self.shutdown_tx.clone(),
        }
    }

    /// Wait completes when the shutdown has been triggered, either explicitly through a
    /// `ShutdownTrigger` or by a process signal. It consumes `self`, so it can only be
    /// awaited once.
    pub async fn wait(mut self) {
        imp::shutdown(&mut self.shutdown_rx).await
    }
}

impl Default for Shutdown {
    fn default() -> Self {
        Self::new()
    }
}

/// Cloneable handle that requests a shutdown; obtained from [`Shutdown::trigger`].
#[derive(Clone, Debug)]
pub struct ShutdownTrigger {
    shutdown_tx: mpsc::Sender<()>,
}

impl ShutdownTrigger {
    /// Requests shutdown. A send error is deliberately ignored: it only happens when the
    /// receiver has been dropped, i.e. shutdown is already underway.
    pub async fn shutdown_now(&self) {
        let _ = self.shutdown_tx.send(()).await;
    }
}

#[cfg(unix)]
mod imp {
    use std::process;
    use tokio::signal::unix::{SignalKind, signal};
    use tokio::sync::mpsc::Receiver;
    use tracing::info;

    /// Resolves on the first of: SIGINT, SIGTERM, or an explicit trigger on `receiver`.
    ///
    /// After a first SIGINT, a spawned task watches for a second one and calls
    /// `process::exit(0)` immediately, bypassing graceful drain. Note that this forced
    /// exit still reports status 0.
    pub(super) async fn shutdown(receiver: &mut Receiver<()>) {
        tokio::select! {
            _ = watch_signal(SignalKind::interrupt(), "SIGINT") => {
                tokio::spawn(async move{
                    watch_signal(SignalKind::interrupt(), "SIGINT").await;
                    info!("Double Ctrl+C, exit immediately");
                    process::exit(0);
                });
            }
            _ = watch_signal(SignalKind::terminate(), "SIGTERM") => {}
            _ = receiver.recv() => { info!("received explicit shutdown signal")}
        };
    }

    /// Waits for one delivery of `kind`. Failing to register the handler panics; that
    /// would mean the runtime cannot install signal handlers at all.
    async fn watch_signal(kind: SignalKind, name: &'static str) {
        signal(kind)
            .expect("Failed to register signal handler")
            .recv()
            .await;
        info!("received signal {}, starting shutdown", name);
    }
}

#[cfg(not(unix))]
mod imp {
    use tokio::sync::mpsc::Receiver;
    use tracing::info;

    /// Resolves on Ctrl+C or an explicit trigger on `receiver`.
    pub(super) async fn shutdown(receiver: &mut Receiver<()>) {
        tokio::select! {
            _ = watch_signal() => {}
            _ = receiver.recv() => { info!("received explicit shutdown signal")}
        };
    }

    // This isn't quite right, but close enough for windows...
    async fn watch_signal() {
        tokio::signal::windows::ctrl_c()
            .expect("Failed to register signal handler")
            .recv()
            .await;
        info!("received signal, starting shutdown");
    }
}
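// See the License for the specific language governing permissions and
// limitations under the License.

use std::fmt::Error;
use std::ops::Deref;

use arcstr::ArcStr;
use prometheus_client::encoding::LabelValueEncoder;

/// 'Strng' provides a string type that has better properties for our use case:
/// * Cheap cloning (ref counting)
/// * Efficient storage (8 bytes vs 24 bytes)
/// * Immutable
///
/// This is mostly provided by a library, ArcStr, we just provide a very thin wrapper around it
/// for some flexibility.
pub type Strng = ArcStr;

/// The shared empty string, built at compile time via `literal!` (no allocation).
pub const EMPTY: Strng = literal!("");

/// Builds a `Strng` from anything that can be viewed as a `&str`.
///
/// NOTE(review): the generic bound on this function (and the other angle-bracketed
/// type parameters in this listing) was lost in extraction; it is restored from the
/// body, which calls `s.as_ref()` and hands the result to `Strng::from`.
pub fn new<A: AsRef<str>>(s: A) -> Strng {
    Strng::from(s.as_ref())
}

pub use arcstr::format;
pub use arcstr::literal;

/// RichStrng wraps Strng to let us implement arbitrary methods. How annoying.
#[derive(Clone, Hash, Default, Debug, PartialEq, Eq)]
pub struct RichStrng(Strng);

impl prometheus_client::encoding::EncodeLabelValue for RichStrng {
    /// Encodes the wrapped string as a Prometheus label value by delegating to
    /// the `&str` implementation.
    fn encode(&self, encoder: &mut LabelValueEncoder) -> Result<(), Error> {
        prometheus_client::encoding::EncodeLabelValue::encode(
            &<Strng as AsRef<str>>::as_ref(&self.0),
            encoder,
        )
    }
}

impl Deref for RichStrng {
    type Target = Strng;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

/// Anything convertible into a `Strng` is convertible into a `RichStrng`.
impl<T> From<T> for RichStrng
where
    T: Into<Strng>,
{
    fn from(value: T) -> Self {
        RichStrng(value.into())
    }
}

#[cfg(test)]
mod test {
    use super::*;
    fn as_ref_fn<A: AsRef<str>>(_s: A) {}
    fn into_string_fn<A: Into<String>>(_s: A) {}
    fn string_fn(_s: String) {}
    fn str_fn(_s: &str) {}

    #[test]
    fn interning() {
        // Mostly we just thinly wrap ArcString, so just validate our assumptions about the library
        let a = new("abc");
        let b = new("abc");
        assert_eq!(std::mem::size_of::<Strng>(), 8);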
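assert_eq!(std::format!("{a}"), "abc");
        assert_eq!(super::format!("{a}"), "abc");
        assert_eq!(ArcStr::strong_count(&a), ArcStr::strong_count(&b));
        assert_eq!(ArcStr::strong_count(&a), Some(1));
        let c = a.clone();
        assert_eq!(ArcStr::strong_count(&a), ArcStr::strong_count(&c));
        assert_eq!(ArcStr::strong_count(&a), Some(2));
        assert_eq!("abc", b.to_string());

        // Compile time assertion we can call function in various ways
        as_ref_fn(new("abc"));
        into_string_fn(&*new("abc"));
        string_fn(a.to_string());
        str_fn(&new("abc"));
    }
}
// -------------------------------------------------------------------------------- /src/test_helpers/fake-jwt: --------------------------------------------------------------------------------
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
// -------------------------------------------------------------------------------- /src/test_helpers/helpers.rs: --------------------------------------------------------------------------------
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

use std::net::{IpAddr, SocketAddr};
use std::process::Command;
use std::sync::Arc;
use std::time::Instant;

use once_cell::sync::Lazy;
use prometheus_client::registry::Registry;
use tracing::debug;

use crate::metrics::sub_registry;
use crate::{proxy, telemetry};

// Ensure that the `tracing` stack is only initialised once using `once_cell`
static TRACING: Lazy<()> = Lazy::new(telemetry::testing::setup_test_logging);

/// Initialises test logging once per process; later calls are no-ops.
pub fn initialize_telemetry() {
    Lazy::force(&TRACING);
}

/// Builds a fresh `proxy::Metrics` backed by a throwaway registry, for tests
/// that need a metrics handle without scraping it.
///
/// NOTE(review): the `Arc<…>` type parameter here (and `collect::<String>()`
/// below) was lost in extraction and is restored from the constructor call.
pub fn test_proxy_metrics() -> Arc<proxy::Metrics> {
    let mut registry = Registry::default();
    Arc::new(proxy::Metrics::new(sub_registry(&mut registry)))
}

/// Returns `s` with its IP replaced by `ip`, keeping the original port.
pub fn with_ip(s: SocketAddr, ip: IpAddr) -> SocketAddr {
    SocketAddr::new(ip, s.port())
}

/// Runs `cmd` through `sh -c` and fails unless it exits successfully.
///
/// `cmd` is passed to the shell verbatim, so it must only ever be a string the
/// test itself composes — never anything derived from external or untrusted
/// input. Both stdout and stderr are logged at debug level and echoed in the
/// error.
///
/// Returns an error if the process cannot be spawned, if either output stream
/// is not valid UTF-8, or if the exit status is not a success; the failure
/// message quotes only the first 50 characters of `cmd`.
pub fn run_command(cmd: &str) -> anyhow::Result<()> {
    let now = Instant::now();
    debug!("running command {cmd}");
    let output = Command::new("sh").arg("-c").arg(cmd).output()?;
    debug!(
        "command complete in {:?}; code={}, stdout={}, stderr={}",
        now.elapsed(),
        output.status,
        std::str::from_utf8(&output.stdout)?,
        std::str::from_utf8(&output.stderr)?
    );
    if !output.status.success() {
        anyhow::bail!(
            "command {} exited with code={}, stdout={}, stderr={}",
            cmd.chars().take(50).collect::<String>(),
            output.status,
            std::str::from_utf8(&output.stdout)?,
            std::str::from_utf8(&output.stderr)?
        );
    }
    Ok(())
}
// -------------------------------------------------------------------------------- /src/test_helpers/hyper_tower.rs: --------------------------------------------------------------------------------
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.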
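// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

use pin_project_lite::pin_project;
use tonic::Status;
use tonic::body::Body;

use tower::{BoxError, ServiceExt};

// Copied from https://github.com/hyperium/tonic/blob/34b863b1d2a204ef3dd871ec86860fc92aafb451/examples/src/tls_rustls/server.rs

// NOTE(review): the type parameters in this file (`<S>`, `<S, R>` and the
// request/body generics) were lost in extraction; they are restored below to
// match the upstream tonic example this is copied from — confirm against it.

/// An adaptor which converts a [`tower::Service`] to a [`hyper::service::Service`].
///
/// The [`hyper::service::Service`] trait is used by hyper to handle incoming requests,
/// and does not support the `poll_ready` method that is used by tower services.
///
/// This is provided here because the equivalent adaptor in hyper-util does not support
/// tonic::body::Body bodies.
#[derive(Debug, Clone)]
pub struct TowerToHyperService<S> {
    service: S,
}

impl<S> TowerToHyperService<S> {
    /// Create a new `TowerToHyperService` from a tower service.
    pub fn new(service: S) -> Self {
        Self { service }
    }
}

impl<S> hyper::service::Service<hyper::Request<hyper::body::Incoming>> for TowerToHyperService<S>
where
    S: tower::Service<hyper::Request<Body>> + Clone,
    S::Error: Into<BoxError> + 'static,
{
    type Response = S::Response;
    type Error = BoxError;
    type Future = TowerToHyperServiceFuture<S, hyper::Request<Body>>;

    /// Re-wraps hyper's incoming body as a `tonic::body::Body`, mapping
    /// transport errors to `Status`, then drives a clone of the inner service
    /// with `oneshot` (which waits for readiness before calling, supplying the
    /// `poll_ready` step hyper's trait lacks).
    fn call(&self, req: hyper::Request<hyper::body::Incoming>) -> Self::Future {
        use http_body_util::BodyExt;
        let req =
            req.map(|incoming| Body::new(incoming.map_err(|err| Status::from_error(err.into()))));
        TowerToHyperServiceFuture {
            future: self.service.clone().oneshot(req),
        }
    }
}

pin_project! {
    /// Future returned by [`TowerToHyperService`].
    #[derive(Debug)]
    pub struct TowerToHyperServiceFuture<S, R>
    where
        S: tower::Service<R>,
    {
        #[pin]
        future: tower::util::Oneshot<S, R>,
    }
}

impl<S, R> std::future::Future for TowerToHyperServiceFuture<S, R>
where
    S: tower::Service<R>,
    S::Error: Into<BoxError> + 'static,
{
    type Output = Result<S::Response, BoxError>;

    #[inline]
    fn poll(
        self: std::pin::Pin<&mut Self>,
        cx: &mut std::task::Context<'_>,
    ) -> std::task::Poll<Self::Output> {
        // Box the inner service's error so hyper sees one uniform `BoxError`.
        self.project().future.poll(cx).map_err(Into::into)
    }
}
// -------------------------------------------------------------------------------- /src/test_helpers/inpod.rs: --------------------------------------------------------------------------------
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.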
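// See the License for the specific language governing permissions and
// limitations under the License.

use crate::inpod::test_helpers::{
    read_hello, read_msg, send_snap_sent, send_workload_added, send_workload_del,
};

use crate::inpod::istio::zds::WorkloadInfo;
use crate::test_helpers;
use crate::test_helpers::MpscAckSender;
use std::path::PathBuf;
use tokio::io::AsyncReadExt;
use tracing::{debug, info, instrument};

/// Tells the fake node agent to announce a workload to ztunnel.
///
/// NOTE(review): the `Option<…>` / `MpscAckSender<…>` / `mpsc_ack::<…>` type
/// parameters in this file were lost in extraction and are restored from usage
/// (`WorkloadInfo` is otherwise unused; `rx.recv()` yields a `Message`).
#[derive(Debug)]
pub struct StartZtunnelMessage {
    pub uid: String,
    pub workload_info: Option<WorkloadInfo>,
    // Raw descriptor forwarded with the add message; its meaning is up to
    // `send_workload_added`, which is defined elsewhere.
    pub fd: i32,
}

/// Commands accepted by the server spawned by `start_ztunnel_server`.
#[derive(Debug)]
pub enum Message {
    Start(StartZtunnelMessage),
    Stop(String),
}

/// Spawns a fake node-agent server on the unix socket at `bind_path` and
/// returns the sender used to drive it.
///
/// The spawned task accepts a single connection, performs the hello /
/// snapshot handshake, then for each `Message` sends a workload add or delete,
/// waits for ztunnel's ack (`read_msg`), and acks the caller; it stops when
/// `rx.ack()` fails or the sender is dropped.
///
/// Any existing file at `bind_path` is unlinked before binding — the only guard
/// is `exists()`, not whether it is actually a socket — so point this at a
/// dedicated temporary path. I/O failures panic (`expect`/`unwrap`), which is
/// tolerable only because this is test scaffolding.
#[instrument]
pub async fn start_ztunnel_server(bind_path: PathBuf) -> MpscAckSender<Message> {
    info!("starting server");

    // remove file if exists
    if bind_path.exists() {
        info!("removing existing server socket file",);
        std::fs::remove_file(&bind_path).expect("remove file failed");
    }
    let (tx, mut rx) = test_helpers::mpsc_ack::<Message>(1);

    info!("spawning server");
    tokio::task::spawn(async move {
        let listener = crate::inpod::packet::bind(&bind_path).expect("bind failed");
        info!("waiting for connection from ztunnel server");
        let (mut ztun_sock, _) = listener.accept().await.expect("accept failed");
        info!("accepted connection from ztunnel server");

        // read the hello message:
        let hello = read_hello(&mut ztun_sock).await;
        info!(?hello, "hello received");

        // send snapshot done msg:
        send_snap_sent(&mut ztun_sock).await;
        info!("sent initial snapshot",);

        // receive ack from ztunnel
        // Single read into a fixed 100-byte buffer: the ack is assumed to fit in
        // one read and its bytes are not inspected, only their count is logged.
        let mut buf: [u8; 100] = [0u8; 100];
        let read_amount = ztun_sock.read(&mut buf).await.unwrap();
        info!("ack received, len {}", read_amount);
        // Now await for FDs
        while let Some(msg) = rx.recv().await {
            let uid = match msg {
                Message::Start(StartZtunnelMessage {
                    uid,
                    workload_info,
                    fd,
                }) => {
                    let orig_uid = uid.clone();
                    debug!(uid, %fd, "sending start message");
                    let uid = crate::inpod::WorkloadUid::new(uid);
                    send_workload_added(&mut ztun_sock, uid, workload_info, fd).await;
                    orig_uid
                }
                Message::Stop(uid) => {
                    let orig_uid = uid.clone();
                    debug!(uid, "sending delete message");
                    let uid = crate::inpod::WorkloadUid::new(uid);
                    send_workload_del(&mut ztun_sock, uid).await;
                    orig_uid
                }
            };
            // receive ack from ztunnel
            let _ = read_msg(&mut ztun_sock).await;
            info!(uid, "ack received");
            if rx.ack().await.is_err() {
                // Server shut down
                break;
            }
        }
    });
    tx
}
// -------------------------------------------------------------------------------- /src/test_helpers/mesh_config.yaml: --------------------------------------------------------------------------------
defaultConfig:
  statsPort: 15888
  proxyAdminPort: 15099
  proxyMetadata:
    ISTIO_META_FOO: "foo"
    ISTIO_META_FOOBAR: "foobar"

// -------------------------------------------------------------------------------- /src/time.rs: --------------------------------------------------------------------------------
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.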
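use std::time::{Instant, SystemTime};

/// Translates between the monotonic `Instant` clock and the wall clock
/// (`SystemTime`) using one anchor pair captured at construction.
///
/// Conversions are exact arithmetic on the anchor offsets; they do not track
/// wall-clock adjustments made after the anchor was taken.
///
/// NOTE(review): the `Option<…>` return types below were lost in extraction and
/// are restored from the bodies (`Some(self.now + d)`, `checked_add` on
/// `SystemTime`).
#[derive(Clone)]
pub struct Converter {
    now: Instant,
    sys_now: SystemTime,
}

impl Converter {
    /// Anchors at the current wall-clock time.
    pub fn new() -> Self {
        Self::new_at(SystemTime::now())
    }

    /// Anchors the wall clock at `sys_now`, paired with `Instant::now()`.
    pub fn new_at(sys_now: SystemTime) -> Self {
        Self {
            sys_now,
            now: Instant::now(),
        }
    }

    /// Maps a wall-clock time onto the monotonic clock.
    ///
    /// Returns `None` when `t` lies so far before the anchor that the
    /// corresponding `Instant` is not representable (`Instant::checked_sub`).
    pub fn system_time_to_instant(&self, t: SystemTime) -> Option<Instant> {
        match t.duration_since(self.sys_now) {
            Ok(d) => Some(self.now + d),
            Err(_) => match self.sys_now.duration_since(t) {
                Ok(d) => self.now.checked_sub(d),
                // `duration_since` only fails when its argument is later than
                // `self`; it cannot fail in both orders, so this arm should be
                // unreachable.
                Err(_) => panic!("time both before and after"),
            },
        }
    }

    /// Maps a monotonic `Instant` onto the wall clock.
    ///
    /// Returns `None` if the result would overflow `SystemTime` in either
    /// direction (`checked_add` / `checked_sub`).
    pub fn instant_to_system_time(&self, t: Instant) -> Option<SystemTime> {
        if t > self.now {
            self.sys_now
                .checked_add(t.saturating_duration_since(self.now))
        } else {
            self.sys_now
                .checked_sub(self.now.saturating_duration_since(t))
        }
    }

    /// Nanoseconds from the anchor `Instant` to `now` (std's `duration_since`
    /// saturates to zero if `now` precedes the anchor).
    pub fn elapsed_nanos(&self, now: Instant) -> u128 {
        now.duration_since(self.now).as_nanos()
    }

    /// Sub-second nanosecond component of the anchor wall-clock time.
    /// Panics (the `unwrap`) if the anchor is before the Unix epoch.
    pub fn subsec_nanos(&self) -> u32 {
        self.sys_now
            .duration_since(SystemTime::UNIX_EPOCH)
            .unwrap()
            .subsec_nanos()
    }
}

impl Default for Converter {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use std::time::{Duration, Instant};

    #[test]
    fn test_converter() {
        const DELAY: Duration = Duration::from_secs(1);
        let conv = super::Converter::new();
        let now = Instant::now();
        let sys_now = conv.instant_to_system_time(now).unwrap();
        let later = conv.system_time_to_instant(sys_now + DELAY);
        assert_eq!(later, Some(now + DELAY));
    }
}
// -------------------------------------------------------------------------------- /src/tls.rs: --------------------------------------------------------------------------------
// Copyright Istio Authors
//
//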
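// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

mod certificate;
mod control;
pub mod csr;
mod lib;
#[cfg(any(test, feature = "testing"))]
pub mod mock;
mod workload;

use std::sync::Arc;

pub use crate::tls::certificate::*;
pub use crate::tls::control::*;
pub use crate::tls::lib::*;
pub use crate::tls::workload::*;
use hyper::http::uri::InvalidUri;
use rustls::server::VerifierBuilderError;

/// Errors surfaced by the TLS layer (certificate parsing, verifier
/// construction, and the backend crypto library).
///
/// Most variants carry a foreign error via `#[from]` so callers can use `?`.
/// NOTE(review): the angle-bracketed type parameters in this enum were lost in
/// extraction and are restored from the manual `From<InvalidUri>` /
/// `From<rcgen::Error>` impls that follow and from the crates' public types;
/// the `nom::Err<X509Error>` parameter in particular should be confirmed
/// against upstream.
#[derive(thiserror::Error, Debug)]
pub enum Error {
    #[error("invalid root certificate: {0}")]
    InvalidRootCert(String),

    // Held in an `Arc`; the plain `InvalidUri` is wrapped by the manual
    // `From<InvalidUri>` impl rather than by `#[from]` on the bare type.
    #[error("invalid uri: {0}")]
    InvalidUri(#[from] Arc<InvalidUri>),

    #[error("tls: {0}")]
    Tls(#[from] rustls::Error),

    #[error("certificate parse: {0}")]
    CertificateParseNomError(#[from] x509_parser::nom::Err<x509_parser::error::X509Error>),

    #[error("certificate: {0}")]
    CertificateError(#[from] x509_parser::error::X509Error),

    #[error("certificate: {0}")]
    CertificateParseError(String),

    // Exactly one `SslError` variant is compiled in, selected by the TLS
    // backend feature; the `{0:?}` formatting exposes the backend's error stack.
    #[error("invalid operation: {0:?}")]
    #[cfg(feature = "tls-boring")]
    SslError(#[from] boring::error::ErrorStack),

    #[error("invalid operation: {0:?}")]
    #[cfg(feature = "tls-openssl")]
    SslError(#[from] openssl::error::ErrorStack),

    #[error("invalid certificate generation: {0:?}")]
    #[cfg(any(feature = "tls-ring", feature = "tls-aws-lc"))]
    RcgenError(Arc<rcgen::Error>),
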
64 | #[error("failed to build server verifier: {0}")] 65 | ServerVerifierBuilderError(#[from] VerifierBuilderError), 66 | 67 | #[error("invalid alt hostname: {0}")] 68 | InvalidAltHostname(#[from] rustls::pki_types::InvalidDnsNameError), 69 | } 70 | 71 | impl From for Error { 72 | fn from(err: InvalidUri) -> Self { 73 | Error::InvalidUri(Arc::new(err)) 74 | } 75 | } 76 | 77 | #[cfg(any(feature = "tls-ring", feature = "tls-aws-lc"))] 78 | impl From for Error { 79 | fn from(err: rcgen::Error) -> Self { 80 | Error::RcgenError(Arc::new(err)) 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /src/tls/ca-chain.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICxDCCAaygAwIBAgIUF33FJbMMFU4WxVyW5Ro1OtWN1AwwDQYJKoZIhvcNAQEL 3 | BQAwHzEdMBsGA1UECgwUaXN0aW9kLmNsdXN0ZXIubG9jYWwwIBcNMjMwOTE0MjEz 4 | NTUwWhgPMjI5NzA2MjkyMTM1NTBaMCwxKjAoBgNVBAMMIWRlZmF1bHQuZGVmYXVs 5 | dC5zdmMuY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN2U 6 | +HS6ztFO/QO8BPK4FC75EfeMYbCY0uaIAUmAUKCasi6axmXyzNIxQ+mb8kfmzHt6 7 | cO61JTD+c1pqgBVzK22jgbMwgbAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYD 8 | VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDcGA1UdEQQwMC6GLHNwaWZmZTov 9 | L2NsdXN0ZXIubG9jYWwvbnMvZGVmYXVsdC9zYS9kZWZhdWx0MB0GA1UdDgQWBBSA 10 | +/b6SFAwwrtFstq04mfOt8kdsTAfBgNVHSMEGDAWgBToV+5/B8qCl9hRxs5rzy5F 11 | NPKVYjANBgkqhkiG9w0BAQsFAAOCAQEAAQmA0ZHFRVgKjNi4W3NmXILRKRb2eX4q 12 | ZMXSkvksi06X04+kxbX4B4A/vFoIceT3zeTKydUFSup1qV4jRlL0iTkGuCswYBQi 13 | rZnrILwjWVfoh3lNB218VKDsaPPSX+ReGY/N50imC02ID6c99zW7Brb/Pk8cuI+G 14 | S2XQraGhntxFwQCuQAhpH1LhR4hNVU4z11YdZ+T2OP0UBmgEBVcY6LEHTW4WzT8/ 15 | hIthc12HLipE/eXT4UOTW/bZlmy+ju+Kr2e+O6s9LSzWF6D07Bx9uRkaC6GUBmFE 16 | 3BV0cKhk0UQy+R2AfUk+HnsY+mEvxBnTN+DlL6MvMVaR0pJXBTdaKQ== 17 | -----END CERTIFICATE----- 18 | -------------------------------------------------------------------------------- /src/tls/ca-key.pem: 
-------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6k7qVMi/o6MKj 3 | XiwCxJ8lmv1OodoygXNV2AJsw7tN8ShGt62klbEjQG9YO1654dYuW+B+M6ZnMbvp 4 | Xg3tPMfBjfEUFdIUUOJyP6CJccX7HDV+oeJdlU0B3Cq6mWgEAnAjEZ7Gtzpj0jgX 5 | TruL3wKslKtf26/+ixtxGj9OtQjnt+VUNWpxSGrflG85Rvn4xZr1qKnVhNUGcxMU 6 | IFlrievMxdgO5yzLqrCPaaNBmiacaY+oLCh4LEIEYWncUU8M9LB5EzPipsyReItr 7 | uNsE8PWo7NDTH3fWewJoqBM4CgcJgwLXfpDdz1q6P/4adU5vRIzEGbJOwXs+VKz9 8 | PHDqzLDTAgMBAAECggEACRmgfZtri8wihi5XLjFh48cp+LZbOqBmvDajc6OeVKBh 9 | CwX1cbQdZi9D3wVSSvWxaSRxECa7xIe/9xNv0XTn91BRhF3GF9iUGudwkJOciPFo 10 | yIrjzBW2olMXQG+wC5YE2ykGWgHg1rKPqs9bxWg0rK85ppzD+kHVrlAN62xYCVkw 11 | 1a3L5vsYI9dUnYKRHmxNOHRXNru2h2/15EuLCvbObAgYjz2OUtFgnZ9gQnCDpBVD 12 | wtzYvKNq0jIvU7OZGnRDk0sFPzKZyZg3n7o2jxrUMDiPwIXSrF0GY+FkVt+XG9l2 13 | 18YSpXTOO9INLRxSIBp8+X4to/+vi2wENUwxmo4diQKBgQD48yOjBzy5bcNznOwn 14 | Bx7gNoElwJIWiCk3S7h7xiXMafjeAL6BPJbBfNmJrd32HbqEab1c4o7exD7T5zB2 15 | 9hdT0GPNuy/hGoLc7JzOXCMAt5M6zx4aTl4B5kbn+ZDegYpVP2PXcPo0Xnrci7cn 16 | /atvDJFb9Jx3FUoSAp2WxyjD6QKBgQC/3GTSw7Q6UcieAEodi93HOEgtnxCtBa1r 17 | zMaVFgvgDLSAshbD9Kcj4+mbdDLfcDxKdnxIM7IDdOmPwoTZXdU7Dr/GFOV7Xc/S 18 | ntZZrZ5mvkYqu0egY9FWxW4qYcHrWVrFHvBIx5Nh+T1Ng0AdCh2noRiGOvbh38vi 19 | 6ZwY0++FWwKBgB27VA89ZwgyTrx5Ck8i75IRkF0E4a2lN17uQSsvIAaIxXsmFZpz 20 | tQGIuqZRyIeDR2pXApGcUTnTsDk4jDY479JHuhOw/mfg9a4S6CtRH7EPO5szb0Hv 21 | CBUr/l3oFWAtkmrZ9j+ds5QbkIrUeNxi1F2f36Be12z1cvIxs8Z1JK45AoGAKSS0 22 | IlaBgbgkE23wduGVj7FMGSxxQQlkpSdmtnXh2gwfcTG/nAoNBa9MW1/RwQSqiTVb 23 | dYhQdllN9Nw77PkoTt/c1DeK9qepd3tEcDrBKztGhMdgls6RB9CSzVflY/jndDos 24 | QQ87VdlDAipRR2jx7w6m2bIvW0TIzkJWjSR1yt0CgYBw3PfOPIHSTnRMPYwobs9O 25 | Sz59BNc5vULpoFlSbBbb8KR9sNxaE0d3n/XooeH9TZ7ZZf0TfaVqs5W4wyS+znfX 26 | jrl8haEKqSTjmrgQj+fdZ2CzZp4jV9YxIKiaEfgf/5JSxdM1suXVsP1b8vscSGsZ 27 | nDmyhZ+sEBocxD5cm9e0Tg== 28 | -----END PRIVATE KEY----- 29 | 
-------------------------------------------------------------------------------- /src/tls/ca-key2.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCLIZGLab2juncQ 3 | yF3RQPXcJmuktVjdTGtNICS2CKcaToYKgYAmp6VPgTXHHB/fwNMsDnQb50szTgEl 4 | LPzGT4YapgWIz9JOFyPsSoXBvraVRBxT20dFD2ARK3ilGaoDkItlu4vL9QTNbgXF 5 | ucYmZkiD2GtLtNcqFNC75tm4IJ09NywzD88IA/8RHSZLy+2yeT6OI1O/3igs66xT 6 | HQTdmqNnqxeckyxtwxUafayfk9W7xGhxHK8pFRUfvnOl/Qm56RMlQfP7FBjg4bHS 7 | wL+FfDKBLItvcwO4i8lQpya0ZsqMTtxGT11nRDH5NZMT1w6kCKTyOECJUq2nZZ9b 8 | VeeoRmdNAgMBAAECggEAE66rx5htpMYp9mSWCxaAwYRo6XvjJqlbK6W+s8bNFvZh 9 | VYak8bL5OqJZkIGcy7tcVGj2CYWCuK8SD+eJmedhng77DPPzeSsiYJjZS8OWUk74 10 | n+9PKYiniz5GWrri946g/cMWn4OZypMEO4jQrJl/LDG3WhYq8y/PKKnbhoYMoH5i 11 | ebv8YLGzzPZm0Vd3JM+wvHkd/CoAvrEWXuhvgxEXyCfpNfStrRbf3Frsk7yRrTx7 12 | KbSINMvZPemRhaBewr1mU6HWsbu2W5sm2hpe1KmABrUFvDq7ad4LcAuQc54zhdbC 13 | WkR86+QSDXhCE+ZlR3TyjfGCcsBYzWnRNVmP+liNEQKBgQC/o82IFHv3AGnWKRC3 14 | +rULXHCLqrAiVaqaW442/OjzjesFbouKzL8V8wKw+ag/4wECIm5r6ogtMIhCOVXc 15 | bQEcGbvhIF5irh/8j0CpaEctiguJTOyy9tShYxJVzOYS44NsDAIyCdQIWYOzeNWP 16 | l7aaRNs1MFf9eD4I5ATqbF5f3QKBgQC521at9CvQTDoS4MrWuV2XcVlAAjz05voh 17 | 8p7ergCEY5JLKU3k231zVVKaGns2ert6SyCNXD7xGC/Eo/9zEtG/xzoomNRfYixs 18 | czcNx/yRX/GUOWqG1SDFck5wfbrZ4jTgmhe8B2RG7t8J848dUZRb7eJ0s6gXdCW9 19 | xHprUdRmMQKBgD5XA7obp8PO357qFuUyagh7FqVobgmNQoUZ+WZL2V+5L9XBgyUw 20 | u4xhU+PMIv49UwultbPnREsm+XxJeHPPBchlWqe+RtXk/MTEuO0i3dyjhmMwoeMJ 21 | xluFheZhVAqa9hqEwYYTimT48Y3FZftjB+ShN4nS4xyyK8PqoOq9O+oFAoGAIbjF 22 | YmyiInoiM1isFQevDpJXYkDFtJ3QFqbB4p9popu6aH7HDlYwzeNWSHWzk2/zYj4N 23 | Wvi4xt/fkus6pzNr8UMBr2oDZocWjlrdS1fU4L+qwn0kcfBrsMeLqed2JqBffb0X 24 | v1sL+77Noy2Y8vXhWEiyRQBv6El/q43htGU1h5ECgYBXnJBFtYZ5J1CnFYOVGXD1 25 | Rqp0dYVEJdnwZZIVPyEPiMzpYZjUbuodwcMQyHlJzyPn2Pn60Lx+Ie/mNgkltVtl 26 | si2Di6ZLn9ok120YXRl4hufWGsA8b+cwPo72aIoAFP+K8LMRjHKGMS+XnHkX1N9/ 27 | 42G8+1ugr/men4HybDQV+w== 28 | 
-----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /src/tls/cert-chain.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDJzCCAg+gAwIBAgIUO0x/x9PSte9fKSe5M3pkxobywaQwDQYJKoZIhvcNAQEL 3 | BQAwJTEjMCEGA1UECgwaaW50ZXJtZWRpYXJ5LmNsdXN0ZXIubG9jYWwwIBcNMjUw 4 | NDAzMjMzNTQ2WhgPMjI5OTAxMTcyMzM1NDZaMB8xHTAbBgNVBAoMFGlzdGlvZC5j 5 | bHVzdGVyLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn1FZ 6 | St2MDBoD7llOFGJU6fRgsr2Fp4lPrTetYc3pXZqD5sQZ5tZbZC+p5T0MmFdhSH/t 7 | ku0nCXUXtfIfPfP9U1IFaNrEdYtEr12NfLmpcicpRwsX3KKiBUP+2yzCs8n6snib 8 | ZBrFKoTxjcMn2zcsB6vdat1zWv54w57Ei+6VymGV/h0P4D6hwrlmeIAFuuK1mg17 9 | sNspzA+WIrpdm56KTIeFviOJsHgTtjTHbwggaNUDsPXoZemOEKOep5ajuJLjsNos 10 | sznPj/P5AwrLjKn7DKyKm3Ngx3BEGAW+4OAG/LF27or0t7kF5YpkZIMG+6lsLZVG 11 | 7VLGTa3cuCXnPACT7wIDAQABo1MwUTAdBgNVHQ4EFgQUaTYVTVwvryS92CCQoPSI 12 | V97LbW4wHwYDVR0jBBgwFoAU8WR6PMfg4DC8IS7a7D/KRYEElBQwDwYDVR0TAQH/ 13 | BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFVZyHdU5cBT53R+zmwdmI4lOG+An 14 | fKJR/nte1nKrZHYYgaQ64XsfUgyGMacSr4/7Cq0iQGXDrr+e5FX0VKPoEiAnmiRS 15 | qydz3otb8+7nMPdlKATWX7z10c9w1C81R06KHVMPUDaz0j7+LDORXCRcfWkKl2+q 16 | 9EN+ql9I8wGN41k74I7mII8eju4MTObSK26VB9NB+FssCnKSj2scZeNQNvBBvoAC 17 | 0OL06EOpi9ERcX4rDkrZZErDvM9U8wm5Ew/JrllX/G8rxj1uF1qZIse0RDKusOE/ 18 | yukKWPpvpTCphEUkqfgoTdFvCZ8na0QtPTd8oR1bzMFqnTmmPLDaJDaORg== 19 | -----END CERTIFICATE----- 20 | -----BEGIN CERTIFICATE----- 21 | MIIDIDCCAgigAwIBAgIUD2vXswowxqbs3kn3X5rAv3Y9GjYwDQYJKoZIhvcNAQEL 22 | BQAwGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDAgFw0yNTA0MDMyMzM1NDZaGA8y 23 | Mjk5MDExNzIzMzU0NlowJTEjMCEGA1UECgwaaW50ZXJtZWRpYXJ5LmNsdXN0ZXIu 24 | bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0q4HRdjaPnejM 25 | bCAgG9+ikVbfz1Bw7e04C72MtxBlK/wYWuxreN7qJtODwoRuFRsEokqVIgKVDVbD 26 | OrojbahmCZaU9h7MYMyZWK1HgZ+J2edMkoOfF0c1zvOTjwKchq1kTcB+bpZ9auC3 27 | gPrVM5IqWV0Cpw/kjcr3SE0IdqzryuUlfN64JutkNECZav+nNMwlbx97gS1HOld0 28 | 
lWCjKie9+d7qt0vUTh8GYR9PMr8etgJsYUrBgOo8XMwYgoqimChmJzPuf1vNT8sI 29 | sD/jrY9Ex0/v0yTkQ1ohN/w2E2/eSeAaNvo4BjZFQManD1NfpT31vrZ4Izax6LYA 30 | vkwtghVPAgMBAAGjUzBRMB0GA1UdDgQWBBTxZHo8x+DgMLwhLtrsP8pFgQSUFDAf 31 | BgNVHSMEGDAWgBRvX13YweC7LxCamC2OmD7JVdZVlDAPBgNVHRMBAf8EBTADAQH/ 32 | MA0GCSqGSIb3DQEBCwUAA4IBAQA5MvTvV9G+kaWoyDfX+fidz98SDz5q+J9WyZ/I 33 | VV5f2n7/ouZVQl3Z8WPa+PDDGuqGYFHqjAxGDt5p3Gh1m7n09eKx9pL8SKgGwC9Q 34 | W8YXmisrnb7OwYYQxVUe5Zo9KiNNsiIh+N8dtvt+4Pb0Q8xYKpX9gc+k1vtr9eOJ 35 | DKvOTkPBP5zlN9hnuHHjnEi27+/JZRXT849Br/lRO97mlFBXJaKgJKBbf/vZ1olz 36 | 86Lhu3/50GxanEuU3y3OEHB1DphmqUFd4NZx15n1QV9gbB2Yh95cD6FRImmjE+t9 37 | Z89hKT7lYVYXN7v2r3r0dRbArfbjO+pl/OchxO6os+PMnLrP 38 | -----END CERTIFICATE----- 39 | -----BEGIN CERTIFICATE----- 40 | MIIDIDCCAgigAwIBAgIURlltUum2Qm15tT9zwu2kph4vedcwDQYJKoZIhvcNAQEL 41 | BQAwGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDAgFw0yNTA0MDMyMzM1NDZaGA8y 42 | Mjk5MDExNzIzMzU0NlowGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDCCASIwDQYJ 43 | KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqTupUyL+jowqNeLALEnyWa/U6h2jKB 44 | c1XYAmzDu03xKEa3raSVsSNAb1g7Xrnh1i5b4H4zpmcxu+leDe08x8GN8RQV0hRQ 45 | 4nI/oIlxxfscNX6h4l2VTQHcKrqZaAQCcCMRnsa3OmPSOBdOu4vfAqyUq1/br/6L 46 | G3EaP061COe35VQ1anFIat+UbzlG+fjFmvWoqdWE1QZzExQgWWuJ68zF2A7nLMuq 47 | sI9po0GaJpxpj6gsKHgsQgRhadxRTwz0sHkTM+KmzJF4i2u42wTw9ajs0NMfd9Z7 48 | AmioEzgKBwmDAtd+kN3PWro//hp1Tm9EjMQZsk7Bez5UrP08cOrMsNMCAwEAAaNg 49 | MF4wHQYDVR0OBBYEFG9fXdjB4LsvEJqYLY6YPslV1lWUMB8GA1UdIwQYMBaAFG9f 50 | XdjB4LsvEJqYLY6YPslV1lWUMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIE 51 | MA0GCSqGSIb3DQEBCwUAA4IBAQCiuLS9cfCcD3CnSFmJNk+92CaEq2RlS1quvgSk 52 | vyrHY55xqLkaBmECSuBOaBOyG6VLhYO3/Nx0pDDImBXjMFe4IERDGt/A04jn5KdE 53 | Ldb+YZ9euFocOqujnrqUbLWOfkkmkwq9L1V63l+01tdERXXkFnXs8A1aRxzSdBIU 54 | +dKJjrDsmS7g+PyucDg2vYkSpLh17aNmQvwk9dO2ZoTwLqmIHFXpxe5mOvirEQ5E 55 | X/RsEoHcHTE3FRM1h0UuB5J3xzEh9zGPTp5icKguL/oPIfQuIuhZD+V5h7g7Ky5D 56 | yMUcKOIuOG6I+Kt2XijG2WyPtpXBAMrhSfZ3ebAgtZ6Iv6qv 57 | -----END CERTIFICATE----- 58 | 
-------------------------------------------------------------------------------- /src/tls/cert.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDXTCCAkWgAwIBAgIUKR+dap3TpKhxmpwtNLchLa7E4JEwDQYJKoZIhvcNAQEL 3 | BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT 4 | CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X 5 | DTIwMDgxNDIyMTA0OVoXDTMwMDgxMjIyMTA0OVowADCCASIwDQYJKoZIhvcNAQEB 6 | BQADggEPADCCAQoCggEBAM3y5xVP1qYDsy4DSEG7eXhQEGL/XUbXOR1kTEXTAhAk 7 | /Wo0YclowxRQuIyeXpLM+nRN2z0xDttkMRpI0m6Qb1vK43XtPkBieVm/tBSUyis+ 8 | iBV6KBOhw7ionoAlyq6tOkwL2V3siMK5LvkpeeC7lJPJamaRN19LJcnWS214bcur 9 | lq6g6+owQGb4BS4STqfiRkIciw7MHTN5vWQcNmWNT3ME19KNQGKLXPkJGJoNlq4P 10 | 98pIuO58k0mow8xESpmrJ1zOtMtUUDicXV67m8BV2xkn7YLDehfAyKsqMJjsdWB3 11 | LUlk/kFia9n/AwFz+3mMSPWe4OnRQGdtwUMuanknfSUCAwEAAaN2MHQwDgYDVR0P 12 | AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB 13 | Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v 14 | bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAO3Rcr/CEnEieuKujrQ/j 15 | ZrM5cjQckt/+NcpkXsTQaqpkARmUL23D/g3Cg3P9rfJVIfSIfN2509meX+ouDzIm 16 | JWoFW3XVFLiev18aBBO6rmLaMMMKiVOZYAYzeM8Zt/3qH8mLxNq2CQYUL8EtAd7V 17 | P1FVx6vauFqlyqPn2BWZO3CgdGyPwPRQkBUTrItcUI8OTgAFYd/Q5vQuLt82QIAl 18 | givsPvGaKEWV02tpf8PfAZDgXrFkJLeFhFd0pgf7RSIdvShNdPyyz4r9/2CqEVmc 19 | BRDyTw09OLceF0Mhi4HqcnzgVeLWvWT+yUo3FYf6kzeavK93CEdSU8c9OvQbyi9D 20 | cQ== 21 | -----END CERTIFICATE----- 22 | -----BEGIN CERTIFICATE----- 23 | MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD 24 | VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl 25 | MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD 26 | QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx 27 | OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT 28 | CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x 29 | 
ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC 30 | AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 31 | iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z 32 | APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 33 | M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom 34 | ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 35 | LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T 36 | BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC 37 | AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w 38 | A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 39 | PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y 40 | 05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN 41 | Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn 42 | aFKltOc+RAjzDklcUPeG4Y6eMA== 43 | -----END CERTIFICATE----- 44 | -------------------------------------------------------------------------------- /src/tls/cert.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAzfLnFU/WpgOzLgNIQbt5eFAQYv9dRtc5HWRMRdMCECT9ajRh 3 | yWjDFFC4jJ5eksz6dE3bPTEO22QxGkjSbpBvW8rjde0+QGJ5Wb+0FJTKKz6IFXoo 4 | E6HDuKiegCXKrq06TAvZXeyIwrku+Sl54LuUk8lqZpE3X0slydZLbXhty6uWrqDr 5 | 6jBAZvgFLhJOp+JGQhyLDswdM3m9ZBw2ZY1PcwTX0o1AYotc+QkYmg2Wrg/3yki4 6 | 7nyTSajDzERKmasnXM60y1RQOJxdXrubwFXbGSftgsN6F8DIqyowmOx1YHctSWT+ 7 | QWJr2f8DAXP7eYxI9Z7g6dFAZ23BQy5qeSd9JQIDAQABAoIBAQDLs7PpGnze284A 8 | dvKjQYFWBSsQIDDsfrhZX/kpHxptSYj14TXPdzVtBKJlQ8ebP++B1fhBwCJH0gPX 9 | UawB/A6JJlZxL+Vg3YXVxY2ixcBpoYIMbDTzpg7muLF9YuPkfiapTRcElY53u57A 10 | h8urAx5kRtZc+MliEfwgdTtJ3dILnbXxGanKfi+nz9P5YuLkKzqIolbqu9ZxlJFD 11 | /V4DKITA0IootE0OhCKP0GfeA6L9z3tH2OuEn/LXl2S8FbbFCeY4ji8FQBr2icSB 12 | pXdee0gYIrvrU8G0eoE0ZV9bAGXkRhA3057HF9RqlAqhRc012s4ojbl/q4uINdWp 13 | 
R+UiUecJAoGBAP4Pzo+NwS054kOgSYu+NMSi63j2OJD9aeHYJT6QwVYZurTMChxx 14 | x283Da4qsCBGI37YjU5Ygd6DYc0T57GXfeka8tZQb5+v/ZvV1oIY+pVN5cp0xben 15 | Ttm0qskF2H57TmPcH5atWkW7b5CjrSo7DYFtd6jKzzoAJ9uPH4DCM5ufAoGBAM+F 16 | IRkSmzAPpiyPA1P7OlWy0vQLsNrFwZ59HOmovpQTgDLVW5Xbq+etEiAXmSvuxBU0 17 | OKiHMgGK2Pmg/vsM3mUVskrx+bDk+6GGM52feqa8N1rtxDTjamI5EHx29896jX/U 18 | HGSW+8YYVZ/jbSSneY71AO1E2INsNEi1Ei5qWTC7AoGABOdnNEwnK2lPncCNSt48 19 | BIOkiewuwVWy4oIaje+bW78ZZH3/v/bOQ65LXE5EogrYio1BhP6eWx4sGBpHQZ1L 20 | 9+DmSQ66aNmryoNBJbe3toQPaG4Clv3qvrcHCORM/nwA0lqgXXcxI+FvUNpn8EW9 21 | h/8F7UMk5tiz7EAB+qlE978CgYAJBj8UOgzpoCSX13hLlKdKxsYJuuBsAyGSZNp3 22 | BtGS2u4+R6z97Vmib5JUNvKASJfaXDUCjy6LhqA86tVr0XlyZ+ki/TbgjHSs54sj 23 | FaZdzd2SZLidnC4qK1UeNIY+TZQNtQmvDinQyYofs+IxL99HajwqFU5dGL2FU+qA 24 | fjt2tQKBgQDrnpSRmAhhGcazmNVnzF8PVJGPwY4clGKB2jo6ru57tL0QRc/N+5pJ 25 | 8boLB7CqRpC0mHpijJLKkLoJ0oVoC9jsn3e8tfVuVqbO3AfwdB+nkABQVHRxRRGt 26 | AlUeHXbjlY7OpemfK3smhLGBoOZKJVL7cKwyJc5MTPjcUgMwlwbW5w== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /src/tls/cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICxDCCAaygAwIBAgIUTO/UcyIIkBDYIrx7ynU/m+PDCSUwDQYJKoZIhvcNAQEL 3 | BQAwHzEdMBsGA1UECgwUaXN0aW9kLmNsdXN0ZXIubG9jYWwwIBcNMjUwNDAzMjMz 4 | NTQ2WhgPMjI5OTAxMTcyMzM1NDZaMCwxKjAoBgNVBAMMIWRlZmF1bHQuZGVmYXVs 5 | dC5zdmMuY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFqv 6 | YGYhgCC8mY6tKkJ4VDv0k/LxzDj7MQTx+qvnuT+6YynmNdkQYGl50Ehj6p+Yk9cS 7 | Ktr0T3Z1KaR8rkAoxbGjgbMwgbAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYD 8 | VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDcGA1UdEQQwMC6GLHNwaWZmZTov 9 | L2NsdXN0ZXIubG9jYWwvbnMvZGVmYXVsdC9zYS9kZWZhdWx0MB0GA1UdDgQWBBRj 10 | sc0YttHYwcmTYG9L5ZZkDPndbTAfBgNVHSMEGDAWgBRpNhVNXC+vJL3YIJCg9IhX 11 | 3sttbjANBgkqhkiG9w0BAQsFAAOCAQEAfLbSiwN0lRRBmcp1zDxWYlRy9YYBzM+3 12 | 5t4ESVh52R9fuaa0rdcJJEskBSfLnEuhfVthmZ2om3vaw1+V1G7Lkznhv6tIcmAZ 13 | 
tkiNFNVFHWTidVHTIgzTakP0bYYmPg3SDtr7zd4q9xKEnFG7jMKfOtWUGl+eys56 14 | Nezx2/3VXcKpHOqcxAs0+x0IFK7wOuiejqtKcFhJhDlx11SBwM7BVNy0UH2uDXYC 15 | N04Jho2AGyPzUvAh8cEQEuz/5nZVHJhzpEfeIWixvVmasnjEWcoTNdtp6Yp0MzOo 16 | hXriJzTdb6f+KMvvXer15CrxYCvM9vMGIhfMNrUtHlfihR5cKZvSTQ== 17 | -----END CERTIFICATE----- 18 | -------------------------------------------------------------------------------- /src/tls/gen-certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | # Specifically using RSA as this makes the signing deterministic, which is 6 | # useful for tests. 7 | 8 | if [ ! -f ca-key.pem ]; then 9 | # Only gen if doesn't exist. As some tests depend on the existing content of root cert. 10 | openssl genrsa -f4 -out ca-key.pem 11 | openssl req -x509 -new -nodes -addext "keyUsage = keyCertSign" -key "ca-key.pem" -days 100000 -out "root-cert.pem" -subj "/O=cluster.local" 12 | fi 13 | if [ ! -f ca-key2.pem ]; then 14 | # Only gen if doesn't exist. As some tests depend on the existing content of root cert. 15 | openssl genrsa -f4 -out ca-key2.pem 16 | openssl req -x509 -new -nodes -addext "keyUsage = keyCertSign" -key "ca-key2.pem" -days 100000 -out "root-cert2.pem" -subj "/O=cluster.local" 17 | fi 18 | 19 | openssl req -x509 -new -nodes -CA "root-cert.pem" -CAkey "ca-key.pem" -newkey rsa:2048 -keyout "intermediary-key.pem" -days 100000 -out "intermediary-cert.pem" -subj "/O=intermediary.cluster.local" 20 | openssl req -x509 -new -nodes -CA "intermediary-cert.pem" -CAkey "intermediary-key.pem" -newkey rsa:2048 -keyout "istiod-key.pem" -days 100000 -out "istiod-cert.pem" -subj "/O=istiod.cluster.local" 21 | 22 | 23 | if [ ! -f key.pem ]; then 24 | # Only gen if doesn't exist. As some tests depend on the existing content of the key. 
25 | openssl ecparam -name prime256v1 -genkey -noout -out key.pem 26 | # Convert to more compatible format 27 | openssl pkcs8 -topk8 -in key.pem -out key.pem -nocrypt 28 | fi 29 | 30 | cat > "client.conf" < cert-chain.pem 49 | -------------------------------------------------------------------------------- /src/tls/intermediary-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDIDCCAgigAwIBAgIUD2vXswowxqbs3kn3X5rAv3Y9GjYwDQYJKoZIhvcNAQEL 3 | BQAwGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDAgFw0yNTA0MDMyMzM1NDZaGA8y 4 | Mjk5MDExNzIzMzU0NlowJTEjMCEGA1UECgwaaW50ZXJtZWRpYXJ5LmNsdXN0ZXIu 5 | bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0q4HRdjaPnejM 6 | bCAgG9+ikVbfz1Bw7e04C72MtxBlK/wYWuxreN7qJtODwoRuFRsEokqVIgKVDVbD 7 | OrojbahmCZaU9h7MYMyZWK1HgZ+J2edMkoOfF0c1zvOTjwKchq1kTcB+bpZ9auC3 8 | gPrVM5IqWV0Cpw/kjcr3SE0IdqzryuUlfN64JutkNECZav+nNMwlbx97gS1HOld0 9 | lWCjKie9+d7qt0vUTh8GYR9PMr8etgJsYUrBgOo8XMwYgoqimChmJzPuf1vNT8sI 10 | sD/jrY9Ex0/v0yTkQ1ohN/w2E2/eSeAaNvo4BjZFQManD1NfpT31vrZ4Izax6LYA 11 | vkwtghVPAgMBAAGjUzBRMB0GA1UdDgQWBBTxZHo8x+DgMLwhLtrsP8pFgQSUFDAf 12 | BgNVHSMEGDAWgBRvX13YweC7LxCamC2OmD7JVdZVlDAPBgNVHRMBAf8EBTADAQH/ 13 | MA0GCSqGSIb3DQEBCwUAA4IBAQA5MvTvV9G+kaWoyDfX+fidz98SDz5q+J9WyZ/I 14 | VV5f2n7/ouZVQl3Z8WPa+PDDGuqGYFHqjAxGDt5p3Gh1m7n09eKx9pL8SKgGwC9Q 15 | W8YXmisrnb7OwYYQxVUe5Zo9KiNNsiIh+N8dtvt+4Pb0Q8xYKpX9gc+k1vtr9eOJ 16 | DKvOTkPBP5zlN9hnuHHjnEi27+/JZRXT849Br/lRO97mlFBXJaKgJKBbf/vZ1olz 17 | 86Lhu3/50GxanEuU3y3OEHB1DphmqUFd4NZx15n1QV9gbB2Yh95cD6FRImmjE+t9 18 | Z89hKT7lYVYXN7v2r3r0dRbArfbjO+pl/OchxO6os+PMnLrP 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /src/tls/intermediary-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0q4HRdjaPnejM 3 | 
bCAgG9+ikVbfz1Bw7e04C72MtxBlK/wYWuxreN7qJtODwoRuFRsEokqVIgKVDVbD 4 | OrojbahmCZaU9h7MYMyZWK1HgZ+J2edMkoOfF0c1zvOTjwKchq1kTcB+bpZ9auC3 5 | gPrVM5IqWV0Cpw/kjcr3SE0IdqzryuUlfN64JutkNECZav+nNMwlbx97gS1HOld0 6 | lWCjKie9+d7qt0vUTh8GYR9PMr8etgJsYUrBgOo8XMwYgoqimChmJzPuf1vNT8sI 7 | sD/jrY9Ex0/v0yTkQ1ohN/w2E2/eSeAaNvo4BjZFQManD1NfpT31vrZ4Izax6LYA 8 | vkwtghVPAgMBAAECggEAECoOFdb9P7ExnGSKJUVJJ2rYenK6cDghUrPeNCJG0b5z 9 | MhykbWMlko6BuxaisZSq06nPgXNHBt3oJtRwxe2wNNzjv5UboU6Bz7B65FxpETTR 10 | OG0dYJT9FofbDBct9SIpjkFUmRs81KDE1TYxevS/vZE8PJoE1n6HK8OovLqdcwUQ 11 | F6uy358NgdgOMpn8sdpiZHvd0dpAOaxe3fe0XMKBuJb7FJ3XcEyt3gL1uULo0wAs 12 | LJOXfTMRt0PjUn+GhkD6rNjhETakf9Z7i6GBywUqEQ9+UUvBg5v5+tBjodOGgV5z 13 | 2vSIUK9cBzuX/+FbBoBuDaI6/NVff6rbFb4LgKT67QKBgQDk2h5x2S68NyIa5LeA 14 | +VXSSfiTF3Tr/cYsXz5ccd0LrL2ZXijnqmitZEaFWm8PwtdQxV6keHIpFtTE7C0y 15 | zQ9zIzp8sWnt9R8DkR0dzQSgUC/VYB+k8UKAF9ZDEA/uNBPjyXejWalj9ptaww0w 16 | Nre0s7cwSnf85hJ/gpweNp2SdQKBgQDKGixYbJVrfyuvwHAG/hIifRSxeGmCXYh9 17 | f6B7TGXdm4qRfcJHV4meqPznAZg3waQumKJ2v7NxhKPV6G1PuRbjxE755z03P6S+ 18 | uur68jpAb9dQnQOlWY+YDcZ4i1HW+yLrEuLd4KASAMX7Svb8gVdX9o0CUpbjN4It 19 | pbSgR5lIMwKBgAT6wgLUKPIrePCA3YVO55ElzuTUc9TWtsMsZ1z3lUm1voJhzB4O 20 | VSzAq9AnAZekM68sPDzz6ff+6S5HvUwHrjhhIdqouZdV6BDZzXpihaE/XWsVJlse 21 | bMYAvsbCyLX0KCKitZm2T7s/GG5HJDhSWHj0GB5S4H1+PBTOMLtvkMopAoGALCKb 22 | HJRZ7SfQeokj7eL+Qtnd8wPAxt92NzHv8f01IbgeArfb/Yh4XVW6JRiMDWEUYbij 23 | ghtLLLcysDwZ4xcgkI0GUjzVeYNEjwJy3mqXngrOkqQ3b5ynZyVa+mgybyhY780o 24 | DhxH2KailcZBOdNlJ6iIEsHGgchVfXJ6h6YbK1ECgYEAuXFt5+DkOTvbynoAekmb 25 | 7YGhOgiW+323/natPq236ljvRguw+eMk7hFib1J1/VwNy6jO7VbBJ04sPOLfEpW5 26 | R9KyatFbsg46EtkkDWCzlTQMpBTT2BM4bpFKENO1FUuIlFChtAaGanMfLGio+8kE 27 | /HnZonHv9pIMI8Uw1FoxwR0= 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /src/tls/istiod-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIDJzCCAg+gAwIBAgIUO0x/x9PSte9fKSe5M3pkxobywaQwDQYJKoZIhvcNAQEL 3 | BQAwJTEjMCEGA1UECgwaaW50ZXJtZWRpYXJ5LmNsdXN0ZXIubG9jYWwwIBcNMjUw 4 | NDAzMjMzNTQ2WhgPMjI5OTAxMTcyMzM1NDZaMB8xHTAbBgNVBAoMFGlzdGlvZC5j 5 | bHVzdGVyLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn1FZ 6 | St2MDBoD7llOFGJU6fRgsr2Fp4lPrTetYc3pXZqD5sQZ5tZbZC+p5T0MmFdhSH/t 7 | ku0nCXUXtfIfPfP9U1IFaNrEdYtEr12NfLmpcicpRwsX3KKiBUP+2yzCs8n6snib 8 | ZBrFKoTxjcMn2zcsB6vdat1zWv54w57Ei+6VymGV/h0P4D6hwrlmeIAFuuK1mg17 9 | sNspzA+WIrpdm56KTIeFviOJsHgTtjTHbwggaNUDsPXoZemOEKOep5ajuJLjsNos 10 | sznPj/P5AwrLjKn7DKyKm3Ngx3BEGAW+4OAG/LF27or0t7kF5YpkZIMG+6lsLZVG 11 | 7VLGTa3cuCXnPACT7wIDAQABo1MwUTAdBgNVHQ4EFgQUaTYVTVwvryS92CCQoPSI 12 | V97LbW4wHwYDVR0jBBgwFoAU8WR6PMfg4DC8IS7a7D/KRYEElBQwDwYDVR0TAQH/ 13 | BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFVZyHdU5cBT53R+zmwdmI4lOG+An 14 | fKJR/nte1nKrZHYYgaQ64XsfUgyGMacSr4/7Cq0iQGXDrr+e5FX0VKPoEiAnmiRS 15 | qydz3otb8+7nMPdlKATWX7z10c9w1C81R06KHVMPUDaz0j7+LDORXCRcfWkKl2+q 16 | 9EN+ql9I8wGN41k74I7mII8eju4MTObSK26VB9NB+FssCnKSj2scZeNQNvBBvoAC 17 | 0OL06EOpi9ERcX4rDkrZZErDvM9U8wm5Ew/JrllX/G8rxj1uF1qZIse0RDKusOE/ 18 | yukKWPpvpTCphEUkqfgoTdFvCZ8na0QtPTd8oR1bzMFqnTmmPLDaJDaORg== 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /src/tls/istiod-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfUVlK3YwMGgPu 3 | WU4UYlTp9GCyvYWniU+tN61hzeldmoPmxBnm1ltkL6nlPQyYV2FIf+2S7ScJdRe1 4 | 8h898/1TUgVo2sR1i0SvXY18ualyJylHCxfcoqIFQ/7bLMKzyfqyeJtkGsUqhPGN 5 | wyfbNywHq91q3XNa/njDnsSL7pXKYZX+HQ/gPqHCuWZ4gAW64rWaDXuw2ynMD5Yi 6 | ul2bnopMh4W+I4mweBO2NMdvCCBo1QOw9ehl6Y4Qo56nlqO4kuOw2iyzOc+P8/kD 7 | CsuMqfsMrIqbc2DHcEQYBb7g4Ab8sXbuivS3uQXlimRkgwb7qWwtlUbtUsZNrdy4 8 | Jec8AJPvAgMBAAECggEALZ0BVy1qGNbj9DxOXgivLhKBEvuvBgIKtVnBAsUNAPcp 9 | t4rCrbQGk38QAemCLyWpXTP/RXcvm4YSRU3ugvLVvyK3GMe1wr+eaST8Ss7vRBcR 10 | 
Ot1ithE8GQzYLVE553a3F5zvRHBjreJFNGTBBwLbUND0glGn4tADrGJK/JNRAJGP 11 | OpLlf+jH9E1VDEpvTobzuMxLNAgqnOahwnxL6TcfwQNsvBZgxUMuK3LQ0IS1+75y 12 | VyFJJ1dFmY0baGLRMlgWhYHZjB+r+kq3ddG16E5EN/MYqLb2HEryxaCm7nTpnaBJ 13 | /fxFt5bV3SLJ8kn5HOtVxq7ypsn5nxVIbChUyuWfiQKBgQDTCrtLXtAk7i+bosrN 14 | dqdEqIjVzoWwTXprGMiR/rmJYMbt8ggHoj2f1tMvvNJkA0TY53U0ZvGnfG4a24iR 15 | xiOqba6VvSyagqtTAUHUtlwVHozcwiruNZBZ7kzKHfyI+SLUYxAyS4u7mhmWP7sD 16 | H0U1WFMdiDQb15uIiO89Xj7fVwKBgQDBQdEVgMCd2KzWdRdzpMNotMbr23PX0yRO 17 | i2L0v3W7/7QZVB/4rVpvFrnwAYos8xFZfOEK+nsMvEU4FSBkZ/uqPHWcn6FvjkYQ 18 | /7c3vTRl6r/fdYpcma2OPSGkVo+xXFf2unbTzmjTBgU33b2bPnK1L3Igsav60Fod 19 | NW53V1lJKQKBgHbSbP+To3eXj8B+GNcz/ht/FIPk4oqQJOPVsV/Z3lbF4VspUXIS 20 | 28V566/ODVr4KDRDpU7awyZ8vXVrs2n3+C7F0G1IdKuN9K4oYAtGnXPano7Q1+EE 21 | 0YCA1kVaOsxYEU8pc34N4N/AdLWOrlmkqo/NagaPoF8ots5Z4vFXdejDAoGAKYjA 22 | q/No8kOwGcM+kA8YJDe+DNC0W+03/117nghMAGSbS1pGKMbxCbEDsy5RiQmQcAAj 23 | yZ09tuX7pmr79DhY4SRvToMMShJ0wpCCywrx6PmD1T3Ix9ALeedvhIdKCJ9FFHTM 24 | twbEhp3jnzcb2fKY6pHQ4G/u+0+uHlrua92tBckCgYEAr5cXqSz8N49nUg+hut3g 25 | exd/J5xhA4Z4XYnDhNw4XGgkClCAPrjcb3dONUQYx2r755HreP1MgFHVPEkpo1n3 26 | RQclCfATuarDYCMyf0aR8D/1xJeZ60v7FSPRpjp1UgR6EMjNZeu/g5r69sLxqD03 27 | tlaAEAgthTTnW5EBd/flH9M= 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /src/tls/key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFleg635zDylB/sUv 3 | PHfS00Yx11F8kHnY48h4oWpYoByhRANCAARar2BmIYAgvJmOrSpCeFQ79JPy8cw4 4 | +zEE8fqr57k/umMp5jXZEGBpedBIY+qfmJPXEira9E92dSmkfK5AKMWx 5 | -----END PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /src/tls/root-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDIDCCAgigAwIBAgIURlltUum2Qm15tT9zwu2kph4vedcwDQYJKoZIhvcNAQEL 3 | 
BQAwGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDAgFw0yNTA0MDMyMzM1NDZaGA8y 4 | Mjk5MDExNzIzMzU0NlowGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDCCASIwDQYJ 5 | KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqTupUyL+jowqNeLALEnyWa/U6h2jKB 6 | c1XYAmzDu03xKEa3raSVsSNAb1g7Xrnh1i5b4H4zpmcxu+leDe08x8GN8RQV0hRQ 7 | 4nI/oIlxxfscNX6h4l2VTQHcKrqZaAQCcCMRnsa3OmPSOBdOu4vfAqyUq1/br/6L 8 | G3EaP061COe35VQ1anFIat+UbzlG+fjFmvWoqdWE1QZzExQgWWuJ68zF2A7nLMuq 9 | sI9po0GaJpxpj6gsKHgsQgRhadxRTwz0sHkTM+KmzJF4i2u42wTw9ajs0NMfd9Z7 10 | AmioEzgKBwmDAtd+kN3PWro//hp1Tm9EjMQZsk7Bez5UrP08cOrMsNMCAwEAAaNg 11 | MF4wHQYDVR0OBBYEFG9fXdjB4LsvEJqYLY6YPslV1lWUMB8GA1UdIwQYMBaAFG9f 12 | XdjB4LsvEJqYLY6YPslV1lWUMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIE 13 | MA0GCSqGSIb3DQEBCwUAA4IBAQCiuLS9cfCcD3CnSFmJNk+92CaEq2RlS1quvgSk 14 | vyrHY55xqLkaBmECSuBOaBOyG6VLhYO3/Nx0pDDImBXjMFe4IERDGt/A04jn5KdE 15 | Ldb+YZ9euFocOqujnrqUbLWOfkkmkwq9L1V63l+01tdERXXkFnXs8A1aRxzSdBIU 16 | +dKJjrDsmS7g+PyucDg2vYkSpLh17aNmQvwk9dO2ZoTwLqmIHFXpxe5mOvirEQ5E 17 | X/RsEoHcHTE3FRM1h0UuB5J3xzEh9zGPTp5icKguL/oPIfQuIuhZD+V5h7g7Ky5D 18 | yMUcKOIuOG6I+Kt2XijG2WyPtpXBAMrhSfZ3ebAgtZ6Iv6qv 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /src/tls/root-cert2.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDIDCCAgigAwIBAgIUZMEqB4WzwdAYjeaqZ0qzk1mT168wDQYJKoZIhvcNAQEL 3 | BQAwGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDAgFw0yNTA0MTEyMDQ4MzZaGA8y 4 | Mjk5MDEyNTIwNDgzNlowGDEWMBQGA1UECgwNY2x1c3Rlci5sb2NhbDCCASIwDQYJ 5 | KoZIhvcNAQEBBQADggEPADCCAQoCggEBAIshkYtpvaO6dxDIXdFA9dwma6S1WN1M 6 | a00gJLYIpxpOhgqBgCanpU+BNcccH9/A0ywOdBvnSzNOASUs/MZPhhqmBYjP0k4X 7 | I+xKhcG+tpVEHFPbR0UPYBEreKUZqgOQi2W7i8v1BM1uBcW5xiZmSIPYa0u01yoU 8 | 0Lvm2bggnT03LDMPzwgD/xEdJkvL7bJ5Po4jU7/eKCzrrFMdBN2ao2erF5yTLG3D 9 | FRp9rJ+T1bvEaHEcrykVFR++c6X9CbnpEyVB8/sUGODhsdLAv4V8MoEsi29zA7iL 10 | yVCnJrRmyoxO3EZPXWdEMfk1kxPXDqQIpPI4QIlSradln1tV56hGZ00CAwEAAaNg 11 | 
MF4wHQYDVR0OBBYEFBAYwv8Y3PQnA6oSL5W4I8F/WNYvMB8GA1UdIwQYMBaAFBAY 12 | wv8Y3PQnA6oSL5W4I8F/WNYvMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIE 13 | MA0GCSqGSIb3DQEBCwUAA4IBAQBuWx8zxrfwQAYYZ462Kp/082Q+EXiWDp6MO2yx 14 | bGnH03gesNH2audl3wHcWTYkGflgE7Pp70+JOztdAkanmTNn/xDXk1BivCgfP2fE 15 | r9t3SoCkEX0am8LBjrCNYA0QINtz4CjhT1XpBxgbBUBNUeem8FAHStQJdlOiePlw 16 | nnx841hbMZq9mZU7GDogZbbZD42TBcL01djVSC44o8+NbR455NsI6vxO8dZ6AXsl 17 | rExMF70XDkogK4R9lPs2AADsOhH1bZQuHyVTNHCj/T2nFxSGfOItXekyfKVN5ID1 18 | nlt1GD6Kjca9gQYYK1hzUEzePe16ROz3LlWuhx7pd/qsXhw7 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /src/version.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | use std::env; 16 | use std::fmt; 17 | use std::fmt::{Display, Formatter}; 18 | use std::string::String; 19 | 20 | use crate::tls::CRYPTO_PROVIDER; 21 | 22 | const BUILD_VERSION: &str = env!("ZTUNNEL_BUILD_buildVersion"); 23 | const BUILD_GIT_REVISION: &str = env!("ZTUNNEL_BUILD_buildGitRevision"); 24 | const BUILD_STATUS: &str = env!("ZTUNNEL_BUILD_buildStatus"); 25 | const BUILD_RUST_VERSION: &str = env!("ZTUNNEL_BUILD_RUSTC_VERSION"); 26 | const BUILD_RUST_PROFILE: &str = env!("ZTUNNEL_BUILD_PROFILE_NAME"); 27 | 28 | #[derive(serde::Serialize, Clone, Debug, Default)] 29 | #[serde(rename_all = "camelCase")] 30 | pub struct BuildInfo { 31 | version: String, 32 | git_revision: String, 33 | rust_version: String, 34 | build_profile: String, 35 | build_status: String, 36 | pub istio_version: String, 37 | crypto_provider: String, 38 | } 39 | 40 | impl BuildInfo { 41 | pub fn new() -> Self { 42 | BuildInfo { 43 | version: BUILD_VERSION.to_string(), 44 | git_revision: BUILD_GIT_REVISION.to_string(), 45 | rust_version: BUILD_RUST_VERSION.to_string(), 46 | build_profile: BUILD_RUST_PROFILE.to_string(), 47 | build_status: BUILD_STATUS.to_string(), 48 | istio_version: env::var("ISTIO_META_ISTIO_VERSION") 49 | .unwrap_or_else(|_| "unknown".to_string()), 50 | crypto_provider: CRYPTO_PROVIDER.to_string(), 51 | } 52 | } 53 | } 54 | 55 | impl Display for BuildInfo { 56 | fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 57 | write!( 58 | f, 59 | "version.BuildInfo{{Version:\"{}\", GitRevision:\"{}\", RustVersion:\"{}\", BuildProfile:\"{}\", BuildStatus:\"{}\", IstioVersion:\"{}\", CryptoProvider:\"{}\"}}", 60 | self.version, 61 | self.git_revision, 62 | self.rust_version, 63 | self.build_profile, 64 | self.build_status, 65 | self.istio_version, 66 | self.crypto_provider, 67 | ) 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /src/xds/metrics.rs: 
-------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue}; 16 | use prometheus_client::metrics::counter::Counter; 17 | use prometheus_client::metrics::family::Family; 18 | use prometheus_client::registry::{Registry, Unit}; 19 | 20 | use crate::metrics::Recorder; 21 | 22 | use super::service::discovery::v3::DeltaDiscoveryResponse; 23 | 24 | pub struct Metrics { 25 | pub connection_terminations: Family, 26 | pub message_types: Family, 27 | pub total_messages_size: Family, 28 | } 29 | 30 | #[derive(Clone, Hash, Debug, PartialEq, Eq, EncodeLabelSet)] 31 | pub struct ConnectionTermination { 32 | pub reason: ConnectionTerminationReason, 33 | } 34 | 35 | #[derive(Copy, Clone, Hash, Debug, PartialEq, Eq, EncodeLabelValue)] 36 | pub enum ConnectionTerminationReason { 37 | ConnectionError, 38 | Error, 39 | Reconnect, 40 | Complete, 41 | } 42 | 43 | #[derive(Clone, Debug, Hash, PartialEq, Eq, EncodeLabelSet)] 44 | pub struct TypeUrl { 45 | pub url: String, 46 | } 47 | 48 | impl Metrics { 49 | pub fn new(registry: &mut Registry) -> Self { 50 | let connection_terminations = Family::default(); 51 | registry.register( 52 | "xds_connection_terminations", 53 | "The total number of completed connections to xds server (unstable)", 54 | 
connection_terminations.clone(), 55 | ); 56 | 57 | let message_count = Family::default(); 58 | 59 | registry.register( 60 | "xds_message", 61 | "Total number of messages received (unstable)", 62 | message_count.clone(), 63 | ); 64 | 65 | let total_messages_size = Family::default(); 66 | 67 | registry.register_with_unit( 68 | "xds_message", 69 | "Total number of bytes received (unstable)", 70 | Unit::Bytes, 71 | total_messages_size.clone(), 72 | ); 73 | 74 | Self { 75 | connection_terminations, 76 | message_types: message_count, 77 | total_messages_size, 78 | } 79 | } 80 | } 81 | 82 | /* Records an XDS connection termination: bumps the `connection_terminations` counter labelled with `reason` by `count`. NOTE(review): the generic arguments on `Recorder` and `Family` appear to have been lost in this rendering (two impls of the same trait name with different `record` signatures), so consult the original source for the exact type parameters. */ impl Recorder for Metrics { 83 | fn record(&self, reason: &ConnectionTerminationReason, count: u64) { 84 | self.connection_terminations 85 | .get_or_create(&ConnectionTermination { reason: *reason }) 86 | .inc_by(count); 87 | } 88 | } 89 | 90 | /* Records one received DeltaDiscoveryResponse: increments the per-type-URL message counter by one, then adds the summed byte length of every resource's `value` payload (a resource with no payload contributes 0) to the bytes counter keyed by the same type URL. The second argument carries no data and is ignored. */ impl Recorder for Metrics { 91 | fn record(&self, response: &DeltaDiscoveryResponse, _: ()) { 92 | let type_url = TypeUrl { 93 | url: response.type_url.clone(), 94 | }; 95 | self.message_types.get_or_create(&type_url).inc(); 96 | 97 | let mut total_message_size: u64 = 0; 98 | for resource in &response.resources { 99 | total_message_size += resource 100 | .resource 101 | .as_ref() 102 | .map(|v| v.value.len()) 103 | .unwrap_or_default() as u64; 104 | } 105 | self.total_messages_size 106 | .get_or_create(&type_url) 107 | .inc_by(total_message_size); 108 | } 109 | } 110 | -------------------------------------------------------------------------------- /src/xds/types.rs: -------------------------------------------------------------------------------- 1 | // Copyright Istio Authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | use crate::strng; 16 | use crate::strng::Strng; 17 | 18 | // We don't control the codegen, so disable any code warnings in the 19 | // proto modules. 20 | #[allow(warnings)] 21 | #[allow(clippy::derive_partial_eq_without_eq)] 22 | pub mod service { 23 | pub mod discovery { 24 | pub mod v3 { 25 | tonic::include_proto!("envoy.service.discovery.v3"); 26 | } 27 | } 28 | } 29 | 30 | #[allow(warnings)] 31 | #[warn(clippy::derive_partial_eq_without_eq)] 32 | pub mod istio { 33 | pub mod workload { 34 | tonic::include_proto!("istio.workload"); 35 | } 36 | pub mod security { 37 | tonic::include_proto!("istio.security"); 38 | } 39 | pub mod ca { 40 | tonic::include_proto!("istio.v1.auth"); 41 | } 42 | } 43 | 44 | pub const ADDRESS_TYPE: Strng = strng::literal!("type.googleapis.com/istio.workload.Address"); 45 | pub const AUTHORIZATION_TYPE: Strng = 46 | strng::literal!("type.googleapis.com/istio.security.Authorization"); 47 | -------------------------------------------------------------------------------- /tests/README.md: -------------------------------------------------------------------------------- 1 | # Integration tests 2 | 3 | This folder contains integration tests for ztunnel. 4 | 5 | ## Direct tests 6 | 7 | These are tests in `direct.rs`, which simply run a ztunnel in process and make assertions. 8 | This is the preferred option for most tests, if possible. 9 | 10 | Helpers are available to use a fake CA and local XDS config, to avoid reliance on components outside of `ztunnel`. 
11 | 12 | For more advanced testing, see [Namespaced](#namespaced). 13 | 14 | ## Namespaced (Linux only) 15 | 16 | Many scenarios in ztunnel are reliant on being deployed in an environment with redirection in place. 17 | In order to support these, the tests in `namespaced.rs` come with a framework to run components in different network namespaces. 18 | This simulates a single node in Kubernetes. 19 | 20 | Tests can run "workloads" in a namespace, such as: 21 | 22 | ```rust 23 | manager 24 | .workload_builder("client") 25 | .on_local_node() 26 | .register()? 27 | .run(|| { ... commands run here are in a network namespace ...}) 28 | ``` 29 | 30 | For more information, see the docs under `WorkloadManager`. 31 | 32 | Running these tests requires root. To run tests under sudo, `make test-root` can be used. 33 | When not running as root, the tests are skipped. 34 | Warning: Rust doesn't allow reporting that a test was skipped, so it just appears to pass; in CI we enforce that it always runs as root to avoid missing tests. 35 | 36 | If namespaces get in a broken state, they can be cleaned up with: 37 | 38 | ```shell 39 | ip -j netns ls | jq -r '.[].name' | grep '^test_' | xargs -n1 sudo ip netns del 40 | ``` 41 | 42 | ## Kubernetes 43 | 44 | Tests run in a full Kubernetes environment are handled in [`istio/istio`](https://github.com/istio/istio). 45 | This repo only runs standalone `ztunnel` tests. 46 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/asn1_mac.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2016, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "asn1.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/blake2.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/ 14 | 15 | #ifndef OPENSSL_HEADER_BLAKE2_H 16 | #define OPENSSL_HEADER_BLAKE2_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | #define BLAKE2B256_DIGEST_LENGTH (256 / 8) 26 | #define BLAKE2B_CBLOCK 128 27 | 28 | struct blake2b_state_st { 29 | uint64_t h[8]; 30 | uint64_t t_low, t_high; 31 | union { 32 | uint8_t bytes[BLAKE2B_CBLOCK]; 33 | uint64_t words[16]; 34 | } block; 35 | size_t block_used; 36 | }; 37 | 38 | // BLAKE2B256_Init initialises |b2b| to perform a BLAKE2b-256 hash. There are no 39 | // pointers inside |b2b| thus release of |b2b| is purely managed by the caller. 40 | OPENSSL_EXPORT void BLAKE2B256_Init(BLAKE2B_CTX *b2b); 41 | 42 | // BLAKE2B256_Update appends |len| bytes from |data| to the digest being 43 | // calculated by |b2b|. 44 | OPENSSL_EXPORT void BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *data, 45 | size_t len); 46 | 47 | // BLAKE2B256_Final completes the digest calculated by |b2b| and writes 48 | // |BLAKE2B256_DIGEST_LENGTH| bytes to |out|. 49 | OPENSSL_EXPORT void BLAKE2B256_Final(uint8_t out[BLAKE2B256_DIGEST_LENGTH], 50 | BLAKE2B_CTX *b2b); 51 | 52 | // BLAKE2B256 writes the BLAKE2b-256 digset of |len| bytes from |data| to 53 | // |out|. 54 | OPENSSL_EXPORT void BLAKE2B256(const uint8_t *data, size_t len, 55 | uint8_t out[BLAKE2B256_DIGEST_LENGTH]); 56 | 57 | 58 | #if defined(__cplusplus) 59 | } // extern C 60 | #endif 61 | 62 | #endif // OPENSSL_HEADER_BLAKE2_H 63 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/buffer.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "buf.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/chacha.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_CHACHA_H 16 | #define OPENSSL_HEADER_CHACHA_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | // ChaCha20. 25 | // 26 | // ChaCha20 is a stream cipher. See https://tools.ietf.org/html/rfc8439. 
27 | 28 | 29 | // CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and 30 | // nonce and writes the result to |out|. If |in| and |out| alias, they must be 31 | // equal. The initial block counter is specified by |counter|. 32 | OPENSSL_EXPORT void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, 33 | size_t in_len, const uint8_t key[32], 34 | const uint8_t nonce[12], uint32_t counter); 35 | 36 | 37 | #if defined(__cplusplus) 38 | } // extern C 39 | #endif 40 | 41 | #endif // OPENSSL_HEADER_CHACHA_H 42 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/cmac.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_CMAC_H 16 | #define OPENSSL_HEADER_CMAC_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // CMAC. 26 | // 27 | // CMAC is a MAC based on AES-CBC and defined in 28 | // https://tools.ietf.org/html/rfc4493#section-2.3. 29 | 30 | 31 | // One-shot functions. 
32 | 33 | // AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of 34 | // |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select 35 | // between AES-128 and AES-256. It returns one on success or zero on error. 36 | OPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len, 37 | const uint8_t *in, size_t in_len); 38 | 39 | 40 | // Incremental interface. 41 | 42 | // CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on 43 | // error. 44 | OPENSSL_EXPORT CMAC_CTX *CMAC_CTX_new(void); 45 | 46 | // CMAC_CTX_free frees a |CMAC_CTX|. 47 | OPENSSL_EXPORT void CMAC_CTX_free(CMAC_CTX *ctx); 48 | 49 | // CMAC_CTX_copy sets |out| to be a duplicate of the current state |in|. It 50 | // returns one on success and zero on error. 51 | OPENSSL_EXPORT int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in); 52 | 53 | // CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC 54 | // only specifies the use of AES-128 thus |key_len| should be 16 and |cipher| 55 | // should be |EVP_aes_128_cbc()|. However, this implementation also supports 56 | // AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The 57 | // |engine| argument is ignored. 58 | // 59 | // It returns one on success or zero on error. 60 | OPENSSL_EXPORT int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len, 61 | const EVP_CIPHER *cipher, ENGINE *engine); 62 | 63 | 64 | // CMAC_Reset resets |ctx| so that a fresh message can be authenticated. 65 | OPENSSL_EXPORT int CMAC_Reset(CMAC_CTX *ctx); 66 | 67 | // CMAC_Update processes |in_len| bytes of message from |in|. It returns one on 68 | // success or zero on error. 69 | OPENSSL_EXPORT int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len); 70 | 71 | // CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes 72 | // of authenticator to it. It returns one on success or zero on error. 
73 | OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len); 74 | 75 | 76 | #if defined(__cplusplus) 77 | } // extern C 78 | 79 | extern "C++" { 80 | 81 | BSSL_NAMESPACE_BEGIN 82 | 83 | BORINGSSL_MAKE_DELETER(CMAC_CTX, CMAC_CTX_free) 84 | 85 | BSSL_NAMESPACE_END 86 | 87 | } // extern C++ 88 | 89 | #endif 90 | 91 | #endif // OPENSSL_HEADER_CMAC_H 92 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/dtls1.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/e_os2.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2018, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/hkdf.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_HKDF_H 16 | #define OPENSSL_HEADER_HKDF_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // HKDF. 
26 | 27 | 28 | // HKDF computes HKDF (as specified by RFC 5869) of initial keying material 29 | // |secret| with |salt| and |info| using |digest|, and outputs |out_len| bytes 30 | // to |out_key|. It returns one on success and zero on error. 31 | // 32 | // HKDF is an Extract-and-Expand algorithm. It does not do any key stretching, 33 | // and as such, is not suited to be used alone to generate a key from a 34 | // password. 35 | OPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, 36 | const uint8_t *secret, size_t secret_len, 37 | const uint8_t *salt, size_t salt_len, 38 | const uint8_t *info, size_t info_len); 39 | 40 | // HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from initial 41 | // keying material |secret| and salt |salt| using |digest|, and outputs 42 | // |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|. 43 | // It returns one on success and zero on error. 44 | OPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len, 45 | const EVP_MD *digest, const uint8_t *secret, 46 | size_t secret_len, const uint8_t *salt, 47 | size_t salt_len); 48 | 49 | // HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of length 50 | // |out_len| from the PRK |prk| and info |info| using |digest|, and outputs 51 | // the result to |out_key|. It returns one on success and zero on error. 52 | OPENSSL_EXPORT int HKDF_expand(uint8_t *out_key, size_t out_len, 53 | const EVP_MD *digest, const uint8_t *prk, 54 | size_t prk_len, const uint8_t *info, 55 | size_t info_len); 56 | 57 | 58 | #if defined(__cplusplus) 59 | } // extern C 60 | #endif 61 | 62 | #define HKDF_R_OUTPUT_TOO_LARGE 100 63 | 64 | #endif // OPENSSL_HEADER_HKDF_H 65 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/is_boringssl.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2017, Google Inc. 
2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | // This header is provided in order to catch include path errors in consuming 16 | // BoringSSL. 17 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/obj_mac.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2016, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "nid.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/objects.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "obj.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/opensslconf.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #ifndef OPENSSL_HEADER_OPENSSLCONF_H 19 | #define OPENSSL_HEADER_OPENSSLCONF_H 20 | 21 | 22 | #define OPENSSL_NO_ASYNC 23 | #define OPENSSL_NO_BF 24 | #define OPENSSL_NO_BLAKE2 25 | #define OPENSSL_NO_BUF_FREELISTS 26 | #define OPENSSL_NO_CAMELLIA 27 | #define OPENSSL_NO_CAPIENG 28 | #define OPENSSL_NO_CAST 29 | #define OPENSSL_NO_CMS 30 | #define OPENSSL_NO_COMP 31 | #define OPENSSL_NO_CT 32 | #define OPENSSL_NO_DANE 33 | #define OPENSSL_NO_DEPRECATED 34 | #define OPENSSL_NO_DGRAM 35 | #define OPENSSL_NO_DYNAMIC_ENGINE 36 | #define OPENSSL_NO_EC_NISTP_64_GCC_128 37 | #define OPENSSL_NO_EC2M 38 | #define OPENSSL_NO_EGD 39 | #define OPENSSL_NO_ENGINE 40 | #define OPENSSL_NO_GMP 41 | #define OPENSSL_NO_GOST 42 | #define OPENSSL_NO_HEARTBEATS 43 | #define OPENSSL_NO_HW 44 | #define OPENSSL_NO_IDEA 45 | #define OPENSSL_NO_JPAKE 46 | #define OPENSSL_NO_KRB5 47 | #define OPENSSL_NO_MD2 48 | #define OPENSSL_NO_MDC2 49 | #define OPENSSL_NO_OCB 50 | #define OPENSSL_NO_OCSP 51 | #define OPENSSL_NO_RC2 52 | #define OPENSSL_NO_RC5 53 | #define OPENSSL_NO_RFC3779 54 | #define OPENSSL_NO_RIPEMD 55 | #define OPENSSL_NO_RMD160 56 | #define OPENSSL_NO_SCTP 57 | #define OPENSSL_NO_SEED 58 | #define OPENSSL_NO_SM2 59 | #define OPENSSL_NO_SM3 60 | #define OPENSSL_NO_SM4 61 | #define OPENSSL_NO_SRP 62 | #define OPENSSL_NO_SSL2 63 | 
#define OPENSSL_NO_SSL3 64 | #define OPENSSL_NO_SSL3_METHOD 65 | #define OPENSSL_NO_STATIC_ENGINE 66 | #define OPENSSL_NO_STORE 67 | #define OPENSSL_NO_WHIRLPOOL 68 | 69 | 70 | #endif // OPENSSL_HEADER_OPENSSLCONF_H 71 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/opensslv.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "crypto.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/ossl_typ.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "base.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/pkcs12.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. 
*/ 17 | 18 | #include "pkcs8.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/poly1305.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_POLY1305_H 16 | #define OPENSSL_HEADER_POLY1305_H 17 | 18 | #include 19 | 20 | #ifdef __cplusplus 21 | extern "C" { 22 | #endif 23 | 24 | 25 | typedef uint8_t poly1305_state[512]; 26 | 27 | // CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an 28 | // authentication tag with the one-time key |key|. Note that |key| is a 29 | // one-time key and therefore there is no `reset' method because that would 30 | // enable several messages to be authenticated with the same key. 31 | OPENSSL_EXPORT void CRYPTO_poly1305_init(poly1305_state *state, 32 | const uint8_t key[32]); 33 | 34 | // CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called 35 | // zero or more times after poly1305_init. 
36 | OPENSSL_EXPORT void CRYPTO_poly1305_update(poly1305_state *state, 37 | const uint8_t *in, size_t in_len); 38 | 39 | // CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16 40 | // byte authentication tag to |mac|. 41 | OPENSSL_EXPORT void CRYPTO_poly1305_finish(poly1305_state *state, 42 | uint8_t mac[16]); 43 | 44 | 45 | #if defined(__cplusplus) 46 | } // extern C 47 | #endif 48 | 49 | #endif // OPENSSL_HEADER_POLY1305_H 50 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/safestack.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2014, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/siphash.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2019, Google Inc. 
2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | #ifndef OPENSSL_HEADER_SIPHASH_H 16 | #define OPENSSL_HEADER_SIPHASH_H 17 | 18 | #include 19 | 20 | #if defined(__cplusplus) 21 | extern "C" { 22 | #endif 23 | 24 | 25 | // SipHash is a fast, secure PRF that is often used for hash tables. 26 | 27 | 28 | // SIPHASH_24 implements SipHash-2-4. See https://131002.net/siphash/siphash.pdf 29 | OPENSSL_EXPORT uint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input, 30 | size_t input_len); 31 | 32 | 33 | #if defined(__cplusplus) 34 | } // extern C 35 | #endif 36 | 37 | #endif // OPENSSL_HEADER_SIPHASH_H 38 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/include/openssl/srtp.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2015, Google Inc. 2 | * 3 | * Permission to use, copy, modify, and/or distribute this software for any 4 | * purpose with or without fee is hereby granted, provided that the above 5 | * copyright notice and this permission notice appear in all copies. 
6 | * 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 | 15 | /* This header is provided in order to make compiling against code that expects 16 | OpenSSL easier. */ 17 | 18 | #include "ssl.h" 19 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_arm64/Dockerfile.v1: -------------------------------------------------------------------------------- 1 | # Dockerfile for the image used to pre-compile the FIPS-compliant boringssl library 2 | # We use this because the latest FIPS-certified boringssl build requires an old 3 | # clang version that we don't want to use in our general toolchain. 4 | 5 | # Pull base image. 6 | FROM ubuntu:18.04 7 | 8 | RUN apt-get update 9 | RUN apt-get install -y curl build-essential software-properties-common tar wget xz-utils unzip gcc-8 g++-8 10 | 11 | RUN add-apt-repository ppa:ubuntu-toolchain-r/test 12 | RUN apt update 13 | RUN apt-get install -y --only-upgrade libstdc++6 14 | 15 | # Install CMake v3.20.1. 16 | RUN wget https://github.com/Kitware/CMake/releases/download/v3.20.1/cmake-3.20.1-linux-aarch64.tar.gz 17 | RUN tar -xvf cmake-3.20.1-linux-aarch64.tar.gz 18 | ENV PATH=$PWD/cmake-3.20.1-linux-aarch64/bin:$PATH 19 | 20 | # Install Go v1.16.5. 21 | RUN wget https://go.dev/dl/go1.16.5.linux-arm64.tar.gz 22 | RUN tar -xvf go1.16.5.linux-arm64.tar.gz 23 | ENV PATH=$PWD/go/bin:$PATH 24 | ENV GOROOT=$PWD/go 25 | 26 | # Install Clang v12.0.0. 
27 | RUN wget https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.0/clang+llvm-12.0.0-aarch64-linux-gnu.tar.xz 28 | RUN tar -xvf clang+llvm-12.0.0-aarch64-linux-gnu.tar.xz 29 | RUN ln -s clang clang+llvm-12.0.0-aarch64-linux-gnu/bin/clang++-12 30 | ENV PATH=$PWD/clang+llvm-12.0.0-aarch64-linux-gnu/bin:$PATH 31 | ENV LD_LIBRARY_PATH=$PWD/clang+llvm-12.0.0-aarch64-linux-gnu/lib:$LD_LIBRARY_PATH 32 | 33 | # Install Ninja v1.10.2. Upstream does not yet publish arm64 binaries (neither for this 34 | # 2020 release nor, at the time of writing, for the newest one), so build it from source. 35 | RUN wget https://github.com/ninja-build/ninja/archive/refs/tags/v1.10.2.tar.gz 36 | RUN mkdir ninja 37 | RUN tar -xvf v1.10.2.tar.gz -C ninja --strip-components=1 38 | RUN cd ninja && \ 39 | cmake -Bbuild-cmake && \ 40 | cmake --build build-cmake 41 | ENV PATH=$PWD/ninja/build-cmake:$PATH 42 | 43 | RUN echo "$(ldd --version)" 44 | RUN clang --version 45 | # Verify required versions of the tools in $PATH. NOTE(review): these checks pin only the version strings the tools report; the CMake, Go, Clang and Ninja archives fetched above are downloaded without any checksum verification, unlike the BoringSSL tarball below, which is checked with sha256sum. 46 | # https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf 47 | RUN if [ "`clang --version | head -1 | awk '{print $3}'`" != "12.0.0" ]; then echo "Clang version doesn't match."; exit 1; fi 48 | RUN if [ "`go version | awk '{print $3}'`" != "go1.16.5" ]; then echo "Go version doesn't match."; exit 1; fi 49 | RUN if [ "`ninja --version`" != "1.10.2" ]; then echo "Ninja version doesn't match."; exit 1; fi 50 | RUN if [ "`cmake --version | head -1 | awk '{print $3}'`" != "3.20.1" ]; then echo "CMake version doesn't match."; exit 1; fi 51 | 52 | # Force -fPIC to allow linking Rust libraries against BoringCrypto. 53 | ENV CFLAGS="-fPIC" 54 | ENV CXXFLAGS="-fPIC" 55 | 56 | # Build BoringCrypto. 
57 | RUN wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 58 | RUN echo "a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2 boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz" | sha256sum --check 59 | RUN tar xf boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 60 | RUN printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain 61 | RUN cd boringssl \ 62 | && mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release .. \ 63 | && ninja \ 64 | && ./crypto/crypto_test \ 65 | && if [ "`./tool/bssl isfips`" = "1" ]; then echo "FIPS check succeeded."; else echo "FIPS check failed."; exit 1; fi 66 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_arm64/lib/libcrypto.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/vendor/boringssl-fips/linux_arm64/lib/libcrypto.a -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_arm64/lib/libssl.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/vendor/boringssl-fips/linux_arm64/lib/libssl.a -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_x86_64/Dockerfile.v1: -------------------------------------------------------------------------------- 1 | # Dockerfile for the image used to pre-compile the FIPS-compliant boringssl library 2 | # We use this because the latest FIPS-certified boringssl build requires an old 3 | # clang version that we don't want to use in our general toolchain. 4 | 5 | # Pull base image. 
6 | FROM ubuntu:18.04 7 | 8 | RUN apt-get update 9 | RUN apt-get install -y curl build-essential software-properties-common tar wget xz-utils unzip 10 | 11 | # Install CMake v3.20.1. 12 | RUN wget https://github.com/Kitware/CMake/releases/download/v3.20.1/cmake-3.20.1-linux-x86_64.tar.gz 13 | RUN tar -xvf cmake-3.20.1-linux-x86_64.tar.gz 14 | ENV PATH=$PWD/cmake-3.20.1-linux-x86_64/bin:$PATH 15 | 16 | # Install Go v1.16.5. 17 | RUN wget https://go.dev/dl/go1.16.5.linux-amd64.tar.gz 18 | RUN tar -xvf go1.16.5.linux-amd64.tar.gz 19 | ENV PATH=$PWD/go/bin:$PATH 20 | ENV GOROOT=$PWD/go 21 | 22 | # Install Clang v12.0.0. 23 | RUN wget https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.0/clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz 24 | RUN tar -xvf clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz 25 | RUN ln -s clang clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04/bin/clang++-12 26 | ENV PATH=$PWD/clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04/bin:$PATH 27 | ENV LD_LIBRARY_PATH=$PWD/clang+llvm-12.0.0-x86_64-linux-gnu-ubuntu-16.04/lib:$LD_LIBRARY_PATH 28 | 29 | # Install Ninja v1.10.2. 30 | RUN wget https://github.com/ninja-build/ninja/releases/download/v1.10.2/ninja-linux.zip 31 | RUN mkdir ninja 32 | RUN unzip -o ninja-linux.zip -d ninja 33 | ENV PATH=$PWD/ninja:$PATH 34 | 35 | # Verify required versions of the tools in $PATH. NOTE(review): these checks pin only the version strings the tools report; the CMake, Go, Clang and Ninja archives fetched above are downloaded without any checksum verification, unlike the BoringSSL tarball below, which is checked with sha256sum. 
36 | # https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf 37 | RUN if [ "`clang --version | head -1 | awk '{print $3}'`" != "12.0.0" ]; then echo "Clang version doesn't match."; exit 1; fi 38 | RUN if [ "`go version | awk '{print $3}'`" != "go1.16.5" ]; then echo "Go version doesn't match."; exit 1; fi 39 | RUN if [ "`ninja --version`" != "1.10.2" ]; then echo "Ninja version doesn't match."; exit 1; fi 40 | RUN if [ "`cmake --version | head -1 | awk '{print $3}'`" != "3.20.1" ]; then echo "CMake version doesn't match."; exit 1; fi 41 | 42 | # Force -fPIC to allow linking Rust libraries against BoringCrypto. 43 | ENV CFLAGS="-fPIC" 44 | ENV CXXFLAGS="-fPIC" 45 | 46 | # Build BoringCrypto. 47 | RUN wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 48 | RUN echo "a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2 boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz" | sha256sum --check 49 | RUN tar xf boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz 50 | RUN printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain 51 | RUN cd boringssl \ 52 | && mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release .. 
\ 53 | && ninja \ 54 | && ./crypto/crypto_test \ 55 | && if [ "`./tool/bssl isfips`" = "1" ]; then echo "FIPS check succeeded."; else echo "FIPS check failed."; exit 1; fi 56 | -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_x86_64/lib/libcrypto.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/vendor/boringssl-fips/linux_x86_64/lib/libcrypto.a -------------------------------------------------------------------------------- /vendor/boringssl-fips/linux_x86_64/lib/libssl.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/istio/ztunnel/d6d3b606ed35110e26ef068c07dac6376b6f900b/vendor/boringssl-fips/linux_x86_64/lib/libssl.a --------------------------------------------------------------------------------