Merge remote-tracking branch 'upstream/main' into stat2

Sync past mobile_docs CI failure. Signed-off-by: Raven Black <ravenblack@dropbox.com>
envoyproxy · Dec 9, 2022 · ea17a17 · ea17a17
2 parents 1498314 + 086bc86
commit ea17a17
Show file tree

Hide file tree

Showing 36 changed files with 549 additions and 449 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,32 +1,8 @@
 version: 2.1
 
-executors:
-  ubuntu-build:
-    description: "A regular build executor based on ubuntu image"
-    docker:
-    - image: envoyproxy/envoy-build-ubuntu:b0ff77ae3f25b0bf595f9b8bba46b489723ab446
-    # TODO(mattklein123): Get xlarge class enabled
-    resource_class: medium
-    working_directory: /source
-
 jobs:
-  docs:
-    executor: ubuntu-build
+  build:
+    docker:
+    - image: debian:bullseye-slim
     steps:
-    - checkout
-    - run: mobile/docs/build.sh
-    - add_ssh_keys:
-        fingerprints:
-        - "33:78:4d:5c:bd:62:2e:43:9d:79:2c:3e:dc:45:c0:98"
-    - run: mobile/docs/publish.sh
-    - store_artifacts:
-        path: generated/docs
-
-workflows:
-  version: 2
-  all:
-    jobs:
-    - docs:
-        filters:
-          tags:
-            only: /^v.*/
+    - run: echo "no circle on this branch"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -0,0 +1,32 @@
+name: mobile_docs
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+
+jobs:
+  docs:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    container:
+      image: envoyproxy/envoy-build-ubuntu:b0ff77ae3f25b0bf595f9b8bba46b489723ab446
+    steps:
+    - uses: actions/checkout@v3
+    - name: Add safe directory
+      run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+    - name: Generate docs
+      run: mobile/docs/build.sh
+    - name: Set up deploy key
+      if: github.event.pull_request.head.repo.full_name == github.repository
+      uses: shimataro/ssh-key-action@193316a178ec055fcc7b018f7f76bbf64085c628
+      with:
+        key: ${{ secrets.ENVOY_MOBILE_WEBSITE_DEPLOY_KEY }}
+        known_hosts: unnecessary
+    - name: Publish docs
+      run: mobile/docs/publish.sh
+    - uses: actions/upload-artifact@v3
+      with:
+        name: docs
+        path: generated/docs
diff --git a/envoy/ssl/ssl_socket_extended_info.h b/envoy/ssl/ssl_socket_extended_info.h
@@ -32,11 +32,15 @@ class ValidateResultCallback {
   /**
    * Called when the asynchronous cert validation completes.
    * @param succeeded true if the validation succeeds
+   * @param detailed_status detailed status of the underlying validation. Depending on the
+   *        validation configuration, `succeeded` may be true but `detailed_status` might
+   *        indicate a failure. This detailed status can be used to inform routing
+   *        decisions.
    * @param error_details failure details, only used if the validation fails.
    * @param tls_alert the TLS error related to the failure, only used if the validation fails.
    */
-  virtual void onCertValidationResult(bool succeeded, const std::string& error_details,
-                                      uint8_t tls_alert) PURE;
+  virtual void onCertValidationResult(bool succeeded, ClientValidationStatus detailed_status,
+                                      const std::string& error_details, uint8_t tls_alert) PURE;
 };
 
 using ValidateResultCallbackPtr = std::unique_ptr<ValidateResultCallback>;

diff --git a/mobile/ci/mac_ci_setup.sh b/mobile/ci/mac_ci_setup.sh
@@ -35,12 +35,6 @@ do
     is_installed "${DEP}" || install "${DEP}"
 done
 
-if [ -n "$CIRCLECI" ]; then
-    # bazel uses jgit internally and the default circle-ci .gitconfig says to
-    # convert https://github.com to ssh://git@github.com, which jgit does not support.
-    mv ~/.gitconfig ~/.gitconfig_save
-fi
-
 ./bazelw version
 
 pip3 install slackclient

diff --git a/mobile/docs/build.sh b/mobile/docs/build.sh
@@ -11,22 +11,22 @@ set -e
 # Docs for release tags are reserved for vX.Y.Z versions.
 # vX.Y.Z.ddmmyy do not publish tagged docs.
 VERSION_NUMBER=$(cat mobile/VERSION)
-if [[ -n "$CIRCLE_TAG" ]] && [[ "${VERSION_NUMBER}" =~ ^[0-9]+\.[0-9]+\.[0-9]$ ]]
+if [[ "$GITHUB_REF_TYPE" == "tag" ]] && [[ "${VERSION_NUMBER}" =~ ^[0-9]+\.[0-9]+\.[0-9]$ ]]
 then
   # Check the git tag matches the version number in the VERSION file.
-  if [ "v${VERSION_NUMBER}" != "${CIRCLE_TAG}" ]; then
+  if [ "v${VERSION_NUMBER}" != "${GITHUB_REF_NAME}" ]; then
     echo "Given git tag does not match the VERSION file content:"
-    echo "${CIRCLE_TAG} vs $(cat mobile/VERSION)"
+    echo "${GITHUB_REF_NAME} vs $(cat mobile/VERSION)"
     exit 1
   fi
   # Check the version_history.rst contains current release version.
   grep --fixed-strings "$VERSION_NUMBER" docs/root/intro/version_history.rst \
     || (echo "Git tag not found in version_history.rst" && exit 1)
 
   # Now that we now there is a match, we can use the tag.
-  export ENVOY_DOCS_VERSION_STRING="tag-$CIRCLE_TAG"
+  export ENVOY_DOCS_VERSION_STRING="tag-$GITHUB_REF_NAME"
   export ENVOY_DOCS_RELEASE_LEVEL=tagged
-  export ENVOY_BLOB_SHA="$CIRCLE_TAG"
+  export ENVOY_BLOB_SHA="$GITHUB_REF_NAME"
 else
   BUILD_SHA=$(git rev-parse HEAD)
   export ENVOY_DOCS_VERSION_STRING="${VERSION_NUMBER}"-"${BUILD_SHA:0:6}"

diff --git a/mobile/docs/publish.sh b/mobile/docs/publish.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
-# This is run on every commit that CircleCI picks up. It assumes that docs have already been built
-# via docs/build.sh. The push behavior differs depending on the nature of the commit:
+# This is run on every commit that GitHub Actions picks up. It assumes that docs have already been
+# built via docs/build.sh. The push behavior differs depending on the nature of the commit:
 # * Tag commit (e.g. v1.6.0): pushes docs to versioned location.
 # * Main commit: pushes docs to latest. Note that envoy-mobile.github.io uses `master` rather than
 #                `main` because using `main` as the default branch currently results in 404s.
@@ -13,10 +13,10 @@ DOCS_DIR=generated/docs
 CHECKOUT_DIR=../envoy-mobile-docs
 BUILD_SHA="$(git rev-parse HEAD)"
 
-if [ -n "$CIRCLE_TAG" ]
+if [ "$GITHUB_REF_TYPE" == "tag" ]
 then
-  PUBLISH_DIR="$CHECKOUT_DIR"/docs/envoy-mobile/"$CIRCLE_TAG"
-elif [ -z "$CIRCLE_PULL_REQUEST" ] && [ "$CIRCLE_BRANCH" == "main" ]
+  PUBLISH_DIR="$CHECKOUT_DIR"/docs/envoy-mobile/"$GITHUB_REF_NAME"
+elif [ "$GITHUB_REF_NAME" == "main" ]
 then
   PUBLISH_DIR="$CHECKOUT_DIR"/docs/envoy-mobile/latest
 else

diff --git a/mobile/library/common/BUILD b/mobile/library/common/BUILD
@@ -53,7 +53,7 @@ envoy_cc_library(
         "@envoy//source/common/common:minimal_logger_lib",
         "@envoy//source/common/common:random_generator_lib",
         "@envoy//source/common/runtime:runtime_lib",
-        "@envoy//source/exe:main_common_lib",
+        "@envoy//source/exe:stripped_main_base_lib",
     ] + select({
         "@envoy//bazel:disable_signal_trace": [],
         "//conditions:default": [
@@ -67,6 +67,6 @@ envoy_cc_library(
     repository = "@envoy",
     deps = [
         ":engine_common_lib",
-        "@envoy//source/exe:envoy_main_common_lib",
+        "@envoy//source/exe:envoy_stripped_main_base_lib",
     ],
 )
diff --git a/mobile/library/common/engine_common.cc b/mobile/library/common/engine_common.cc
@@ -5,8 +5,10 @@
 
 namespace Envoy {
 
+std::string hotRestartVersion(bool) { return "disabled"; }
+
 EngineCommon::EngineCommon(int argc, const char* const* argv)
-    : options_(argc, argv, &MainCommon::hotRestartVersion, spdlog::level::info),
+    : options_(argc, argv, &hotRestartVersion, spdlog::level::info),
       base_(options_, real_time_system_, default_listener_hooks_, prod_component_factory_,
             std::make_unique<PlatformImpl>(), std::make_unique<Random::RandomGeneratorImpl>(),
             nullptr) {

diff --git a/mobile/library/common/engine_common.h b/mobile/library/common/engine_common.h
@@ -4,8 +4,8 @@
 #include "envoy/server/instance.h"
 
 #include "source/common/event/real_time_system.h"
-#include "source/exe/main_common.h"
 #include "source/exe/platform_impl.h"
+#include "source/exe/stripped_main_base.h"
 #include "source/server/listener_hooks.h"
 #include "source/server/options_impl.h"
 
@@ -18,12 +18,15 @@ namespace Envoy {
 
 /**
  * This class is used instead of Envoy::MainCommon to customize logic for the Envoy Mobile setting.
- * It largely leverages Envoy::MainCommonBase.
+ * It largely leverages Envoy::StrippedMainBase.
  */
 class EngineCommon {
 public:
   EngineCommon(int argc, const char* const* argv);
-  bool run() { return base_.run(); }
+  bool run() {
+    base_.runServer();
+    return true;
+  }
 
   /**
    * @return a pointer to the server instance, or nullptr if initialized into
@@ -38,13 +41,12 @@ class EngineCommon {
   Envoy::SignalAction handle_sigs_;
   Envoy::TerminateHandler log_on_terminate_;
 #endif
-
   Thread::MainThread register_main_thread_;
   Envoy::OptionsImpl options_;
   Event::RealTimeSystem real_time_system_; // NO_CHECK_FORMAT(real_time)
   DefaultListenerHooks default_listener_hooks_;
   ProdComponentFactory prod_component_factory_;
-  MainCommonBase base_;
+  StrippedMainBase base_;
 };
 
 } // namespace Envoy
diff --git a/...ibrary/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc b/...ibrary/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.cc
@@ -35,28 +35,22 @@ PlatformBridgeCertValidator::~PlatformBridgeCertValidator() {
 
 ValidationResults PlatformBridgeCertValidator::doVerifyCertChain(
     STACK_OF(X509) & cert_chain, Ssl::ValidateResultCallbackPtr callback,
-    Ssl::SslExtendedSocketInfo* ssl_extended_info,
     const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options,
     SSL_CTX& /*ssl_ctx*/, const CertValidator::ExtraValidationContext& /*validation_context*/,
     bool is_server, absl::string_view hostname) {
   ASSERT(!is_server);
   if (sk_X509_num(&cert_chain) == 0) {
-    if (ssl_extended_info) {
-      ssl_extended_info->setCertificateValidationStatus(
-          Envoy::Ssl::ClientValidationStatus::NotValidated);
-    }
     const char* error = "verify cert chain failed: empty cert chain.";
     stats_.fail_verify_error_.inc();
     ENVOY_LOG(debug, error);
-    return {ValidationResults::ValidationStatus::Failed, absl::nullopt, error};
-  }
-  if (callback == nullptr) {
-    callback = ssl_extended_info->createValidateResultCallback();
+    return {ValidationResults::ValidationStatus::Failed,
+            Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, error};
   }
   if (callback == nullptr) {
     IS_ENVOY_BUG("No callback specified");
     const char* error = "verify cert chain failed: no callback specified.";
-    return {ValidationResults::ValidationStatus::Failed, absl::nullopt, error};
+    return {ValidationResults::ValidationStatus::Failed,
+            Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, error};
   }
 
   std::vector<envoy_data> certs;
@@ -94,8 +88,8 @@ ValidationResults PlatformBridgeCertValidator::doVerifyCertChain(
                                        std::string(host), std::move(subject_alt_names), this);
   std::thread::id thread_id = job.validation_thread_.get_id();
   validation_jobs_[thread_id] = std::move(job);
-
-  return {ValidationResults::ValidationStatus::Pending, absl::nullopt, absl::nullopt};
+  return {ValidationResults::ValidationStatus::Pending,
+          Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt};
 }
 
 void PlatformBridgeCertValidator::verifyCertChainByPlatform(
@@ -172,17 +166,21 @@ void PlatformBridgeCertValidator::onVerificationComplete(std::thread::id thread_
   ValidationJob& job = job_handle.mapped();
   job.validation_thread_.join();
 
+  Ssl::ClientValidationStatus detailed_status = Envoy::Ssl::ClientValidationStatus::NotValidated;
   switch (failure_type) {
   case ValidationFailureType::SUCCESS:
+    detailed_status = Envoy::Ssl::ClientValidationStatus::Validated;
     break;
   case ValidationFailureType::FAIL_VERIFY_ERROR:
+    detailed_status = Envoy::Ssl::ClientValidationStatus::Failed;
     stats_.fail_verify_error_.inc();
   case ValidationFailureType::FAIL_VERIFY_SAN:
+    detailed_status = Envoy::Ssl::ClientValidationStatus::Failed;
     stats_.fail_verify_san_.inc();
   }
 
-  job.result_callback_->onCertValidationResult(allow_untrusted_certificate_ || success, error,
-                                               tls_alert);
+  job.result_callback_->onCertValidationResult(allow_untrusted_certificate_ || success,
+                                               detailed_status, error, tls_alert);
   ENVOY_LOG(trace,
             "Finished platform cert validation for {}, post result callback to network thread",
             hostname);

diff --git a/...library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h b/...library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h
@@ -52,7 +52,6 @@ class PlatformBridgeCertValidator : public CertValidator, Logger::Loggable<Logge
   // Overridden to call into platform extension API asynchronously.
   ValidationResults
   doVerifyCertChain(STACK_OF(X509) & cert_chain, Ssl::ValidateResultCallbackPtr callback,
-                    Ssl::SslExtendedSocketInfo* ssl_extended_info,
                     const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options,
                     SSL_CTX& ssl_ctx,
                     const CertValidator::ExtraValidationContext& validation_context, bool is_server,