From 43b31031cf37189c4b54ac70d7898d27a75df914 Mon Sep 17 00:00:00 2001
From: Alyssa Wilk
Date: Wed, 28 Jul 2021 11:24:08 -0400
Subject: [PATCH] runtime: removing envoy.reloadable_features.check_ocsp_policy

Signed-off-by: Alyssa Wilk
---
 docs/root/version_history/current.rst | 1 +
 source/common/runtime/runtime_features.cc | 1 -
 .../transport_sockets/tls/context_impl.cc | 5 --
 .../transport_sockets/tls/ssl_socket_test.cc | 63 ----------------------
 4 files changed, 1 insertion(+), 69 deletions(-)

diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 0a4f5b399f64f..243facceaed48 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -49,6 +49,7 @@ Removed Config or Runtime
 * http: removed ``envoy.reloadable_features.http_upstream_wait_connect_response`` runtime guard and legacy code paths.
 * http: removed ``envoy.reloadable_features.allow_preconnect`` runtime guard and legacy code paths.
 * listener: removed ``envoy.reloadable_features.disable_tls_inspector_injection`` runtime guard and legacy code paths.
+* ocsp: removed ``envoy.reloadable_features.check_ocsp_policy deprecation`` runtime guard and legacy code paths.
 
 New Features
 ------------
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
index 11d268f22c7c4..b828b76476f19 100644
--- a/source/common/runtime/runtime_features.cc
+++ b/source/common/runtime/runtime_features.cc
@@ -59,7 +59,6 @@ constexpr const char* runtime_features[] = {
 "envoy.reloadable_features.add_and_validate_scheme_header",
 "envoy.reloadable_features.allow_response_for_timeout",
 "envoy.reloadable_features.check_unsupported_typed_per_filter_config",
-"envoy.reloadable_features.check_ocsp_policy",
 "envoy.reloadable_features.correct_scheme_and_xfp",
 "envoy.reloadable_features.disable_tls_inspector_injection",
 "envoy.reloadable_features.dont_add_content_length_for_bodiless_requests",
diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc
index abb59d986111b..ae36610004e8e 100644
--- a/source/extensions/transport_sockets/tls/context_impl.cc
+++ b/source/extensions/transport_sockets/tls/context_impl.cc
@@ -1047,11 +1047,6 @@ OcspStapleAction ServerContextImpl::ocspStapleAction(const TlsContext& ctx,
 }
 
 auto& response = ctx.ocsp_response_;
- if (!Runtime::runtimeFeatureEnabled("envoy.reloadable_features.check_ocsp_policy")) {
- // Expiration check is disabled. Proceed as if the policy is LenientStapling and the response
- // is not expired.
- return response ? OcspStapleAction::Staple : OcspStapleAction::NoStaple;
- }
 
 auto policy = ocsp_staple_policy_;
 if (ctx.is_must_staple_) {
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
index 0e501606c5658..db3ccd7c25202 100644
--- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc
+++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
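Review bot: With the early return gone, the only use of `response` visible in this hunk is its declaration `auto& response = ctx.ocsp_response_;`; if the rest of ocspStapleAction (the function continues outside the hunk) no longer reads it, the binding is now dead and will trip unused-variable warnings under -Werror, so drop it or move it next to its first remaining use. The removed comment was also the only place that documented the expiration-check opt-out; now that the check presumably runs unconditionally, the function's header comment (outside the hunk) should say so, e.g. `// The response's expiration is always evaluated against ocsp_staple_policy_; there is no runtime opt-out.`. The matching release note in current.rst renders the key as ``check_ocsp_policy deprecation``, where the trailing word looks like a stray inside the literal.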
@@ -5811,69 +5811,6 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired)
 testUtil(test_options.setExpectedServerStats("ssl.ocsp_staple_failed").enableOcspStapling());
 }
 
-TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidationOff) {
- const std::string server_ctx_yaml = R"EOF(
- common_tls_context:
- tls_certificates:
- - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem"
- private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem"
- ocsp_staple:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"
- ocsp_staple_policy: must_staple
- )EOF";
-
- const std::string client_ctx_yaml = R"EOF(
- common_tls_context:
- tls_params:
- cipher_suites:
- - TLS_RSA_WITH_AES_128_GCM_SHA256
-)EOF";
-
- TestScopedRuntime scoped_runtime;
- Runtime::LoaderSingleton::getExisting()->mergeValues(
- {{"envoy.reloadable_features.check_ocsp_policy", "false"}});
-
- TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam());
- std::string ocsp_response_path =
- "{{ test_rundir "
- "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der";
- std::string expected_response =
- TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path));
- testUtil(test_options.enableOcspStapling()
- .setExpectedServerStats("ssl.ocsp_staple_responses")
- .setExpectedOcspResponse(expected_response));
-}
-
-TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertNoValidationNoResponse) {
- const std::string server_ctx_yaml = R"EOF(
- common_tls_context:
- tls_certificates:
- - certificate_chain:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem"
- private_key:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem"
- ocsp_staple_policy: lenient_stapling
- )EOF";
-
- const std::string client_ctx_yaml = R"EOF(
- common_tls_context:
- tls_params:
- cipher_suites:
- - TLS_RSA_WITH_AES_128_GCM_SHA256
-)EOF";
-
- TestScopedRuntime scoped_runtime;
- Runtime::LoaderSingleton::getExisting()->mergeValues(
- {{"envoy.reloadable_features.require_ocsp_response_for_must_staple_certs", "false"},
- {"envoy.reloadable_features.check_ocsp_policy", "false"}});
- TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam());
- testUtil(test_options.setExpectedServerStats("ssl.ocsp_staple_omitted")
- .enableOcspStapling()
- .setExpectedOcspResponse(""));
-}
-
 TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) {
 const std::string server_ctx_yaml = R"EOF(
 common_tls_context: