From f5a1a3e0924e108b07e3760efe8d17422b17ac13 Mon Sep 17 00:00:00 2001
From: Kuat Yessenov <kuat@google.com>
Date: Sat, 10 Feb 2024 00:43:39 +0000
Subject: [PATCH] google_grpc: add a runtime flag to disable TLSv1.3

Change-Id: Id88723a81d4b1586bf12be6f4dc7a81ae7b0d9c4
Signed-off-by: Kuat Yessenov <kuat@google.com>
---
 source/common/grpc/BUILD                     |  1 +
 source/common/grpc/google_grpc_creds_impl.cc | 38 ++++++++++++++++----
 source/common/runtime/runtime_features.cc    |  4 +++
 3 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/source/common/grpc/BUILD b/source/common/grpc/BUILD
index 9ab2790a7c1c..6fa6e2a21c8d 100644
--- a/source/common/grpc/BUILD
+++ b/source/common/grpc/BUILD
@@ -212,6 +212,7 @@ envoy_cc_library(
         "//envoy/grpc:google_grpc_creds_interface",
         "//envoy/registry",
         "//source/common/config:datasource_lib",
+        "//source/common/runtime:runtime_lib",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
     alwayslink = LEGACY_ALWAYSLINK,
diff --git a/source/common/grpc/google_grpc_creds_impl.cc b/source/common/grpc/google_grpc_creds_impl.cc
index ae49d3257a7f..5aa2ea91fd8a 100644
--- a/source/common/grpc/google_grpc_creds_impl.cc
+++ b/source/common/grpc/google_grpc_creds_impl.cc
@@ -4,6 +4,9 @@
 #include "envoy/grpc/google_grpc_creds.h"
 
 #include "source/common/config/datasource.h"
+#include "source/common/runtime/runtime_features.h"
+
+#include "grpcpp/security/tls_certificate_provider.h"
 
 namespace Envoy {
 namespace Grpc {
@@ -15,12 +18,29 @@ std::shared_ptr<grpc::ChannelCredentials> CredsUtility::getChannelCredentials(
     case envoy::config::core::v3::GrpcService::GoogleGrpc::ChannelCredentials::
         CredentialSpecifierCase::kSslCredentials: {
       const auto& ssl_credentials = google_grpc.channel_credentials().ssl_credentials();
-      const grpc::SslCredentialsOptions ssl_credentials_options = {
-          Config::DataSource::read(ssl_credentials.root_certs(), true, api),
-          Config::DataSource::read(ssl_credentials.private_key(), true, api),
-          Config::DataSource::read(ssl_credentials.cert_chain(), true, api),
-      };
-      return grpc::SslCredentials(ssl_credentials_options);
+      const auto root_certs = Config::DataSource::read(ssl_credentials.root_certs(), true, api);
+      const auto private_key = Config::DataSource::read(ssl_credentials.private_key(), true, api);
+      const auto cert_chain = Config::DataSource::read(ssl_credentials.cert_chain(), true, api);
+      grpc::experimental::TlsChannelCredentialsOptions options;
+      if (!private_key.empty() || !cert_chain.empty()) {
+        options.set_certificate_provider(
+            std::make_shared<grpc::experimental::StaticDataCertificateProvider>(
+                root_certs,
+                std::vector<grpc::experimental::IdentityKeyCertPair>{{private_key, cert_chain}}));
+      } else if (!root_certs.empty()) {
+        options.set_certificate_provider(
+            std::make_shared<grpc::experimental::StaticDataCertificateProvider>(root_certs));
+      }
+      if (!root_certs.empty()) {
+        options.watch_root_certs();
+      }
+      if (!private_key.empty() || !cert_chain.empty()) {
+        options.watch_identity_key_cert_pairs();
+      }
+      if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.google_grpc_disable_tls_13")) {
+        options.set_max_tls_version(grpc_tls_version::TLS1_2);
+      }
+      return grpc::experimental::TlsCredentials(options);
     }
     case envoy::config::core::v3::GrpcService::GoogleGrpc::ChannelCredentials::
         CredentialSpecifierCase::kLocalCredentials: {
@@ -43,7 +63,11 @@ std::shared_ptr<grpc::ChannelCredentials> CredsUtility::defaultSslChannelCredent
   if (creds != nullptr) {
     return creds;
   }
-  return grpc::SslCredentials({});
+  grpc::experimental::TlsChannelCredentialsOptions options;
+  if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.google_grpc_disable_tls_13")) {
+    options.set_max_tls_version(grpc_tls_version::TLS1_2);
+  }
+  return grpc::experimental::TlsCredentials(options);
 }
 
 std::vector<std::shared_ptr<grpc::CallCredentials>>
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
index 593f6857027d..3090f52298f4 100644
--- a/source/common/runtime/runtime_features.cc
+++ b/source/common/runtime/runtime_features.cc
@@ -141,6 +141,10 @@ FALSE_RUNTIME_GUARD(envoy_restart_features_use_fast_protobuf_hash);
 // TODO(panting): flip this to true after some test time.
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_use_config_in_happy_eyeballs);
 
+// A flag to set the maximum TLS version for google_grpc client to TLS1.2, when needed for
+// compliance restrictions.
+FALSE_RUNTIME_GUARD(envoy_reloadable_features_google_grpc_disable_tls_13);
+
 // Block of non-boolean flags. Use of int flags is deprecated. Do not add more.
 ABSL_FLAG(uint64_t, re2_max_program_size_error_level, 100, ""); // NOLINT
 ABSL_FLAG(uint64_t, re2_max_program_size_warn_level,            // NOLINT