1 /*
2 *
3 * Copyright 2018 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/grpc_security.h>
20 #include <grpc/support/alloc.h>
21 #include <grpc/support/log.h>
22 #include <grpc/support/string_util.h>
23 #include <stdio.h>
24 #include <string.h>
25
26 #include "absl/container/inlined_vector.h"
27
28 #include "src/core/lib/channel/channel_args.h"
29 #include "src/core/lib/gpr/env.h"
30 #include "src/core/lib/gpr/string.h"
31 #include "src/core/lib/gpr/tmpfile.h"
32 #include "src/core/lib/gprpp/host_port.h"
33 #include "src/core/lib/gprpp/thd.h"
34 #include "src/core/lib/iomgr/load_file.h"
35 #include "src/core/lib/security/credentials/credentials.h"
36 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
37 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
38 #include "test/core/end2end/end2end_tests.h"
39 #include "test/core/util/port.h"
40 #include "test/core/util/test_config.h"
41
42 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
43 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
44 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
45
46 typedef absl::InlinedVector<grpc_core::Thread, 1> ThreadList;
47
48 struct fullstack_secure_fixture_data {
~fullstack_secure_fixture_datafullstack_secure_fixture_data49 ~fullstack_secure_fixture_data() {
50 for (size_t ind = 0; ind < thd_list.size(); ind++) {
51 thd_list[ind].Join();
52 }
53 }
54 std::string localaddr;
55 grpc_tls_version tls_version;
56 ThreadList thd_list;
57 };
58
chttp2_create_fixture_secure_fullstack(grpc_channel_args *,grpc_channel_args *,grpc_tls_version tls_version)59 static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack(
60 grpc_channel_args* /*client_args*/, grpc_channel_args* /*server_args*/,
61 grpc_tls_version tls_version) {
62 grpc_end2end_test_fixture f;
63 int port = grpc_pick_unused_port_or_die();
64 fullstack_secure_fixture_data* ffd = new fullstack_secure_fixture_data();
65 memset(&f, 0, sizeof(f));
66 ffd->localaddr = grpc_core::JoinHostPort("localhost", port);
67 ffd->tls_version = tls_version;
68 f.fixture_data = ffd;
69 f.cq = grpc_completion_queue_create_for_next(nullptr);
70 f.shutdown_cq = grpc_completion_queue_create_for_pluck(nullptr);
71 return f;
72 }
73
chttp2_create_fixture_secure_fullstack_tls1_2(grpc_channel_args * client_args,grpc_channel_args * server_args)74 static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack_tls1_2(
75 grpc_channel_args* client_args, grpc_channel_args* server_args) {
76 return chttp2_create_fixture_secure_fullstack(client_args, server_args,
77 grpc_tls_version::TLS1_2);
78 }
79
chttp2_create_fixture_secure_fullstack_tls1_3(grpc_channel_args * client_args,grpc_channel_args * server_args)80 static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack_tls1_3(
81 grpc_channel_args* client_args, grpc_channel_args* server_args) {
82 return chttp2_create_fixture_secure_fullstack(client_args, server_args,
83 grpc_tls_version::TLS1_3);
84 }
85
process_auth_failure(void * state,grpc_auth_context *,const grpc_metadata *,size_t,grpc_process_auth_metadata_done_cb cb,void * user_data)86 static void process_auth_failure(void* state, grpc_auth_context* /*ctx*/,
87 const grpc_metadata* /*md*/,
88 size_t /*md_count*/,
89 grpc_process_auth_metadata_done_cb cb,
90 void* user_data) {
91 GPR_ASSERT(state == nullptr);
92 cb(user_data, nullptr, 0, nullptr, 0, GRPC_STATUS_UNAUTHENTICATED, nullptr);
93 }
94
chttp2_init_client_secure_fullstack(grpc_end2end_test_fixture * f,grpc_channel_args * client_args,grpc_channel_credentials * creds)95 static void chttp2_init_client_secure_fullstack(
96 grpc_end2end_test_fixture* f, grpc_channel_args* client_args,
97 grpc_channel_credentials* creds) {
98 fullstack_secure_fixture_data* ffd =
99 static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
100 f->client = grpc_secure_channel_create(creds, ffd->localaddr.c_str(),
101 client_args, nullptr);
102 GPR_ASSERT(f->client != nullptr);
103 grpc_channel_credentials_release(creds);
104 }
105
chttp2_init_server_secure_fullstack(grpc_end2end_test_fixture * f,grpc_channel_args * server_args,grpc_server_credentials * server_creds)106 static void chttp2_init_server_secure_fullstack(
107 grpc_end2end_test_fixture* f, grpc_channel_args* server_args,
108 grpc_server_credentials* server_creds) {
109 fullstack_secure_fixture_data* ffd =
110 static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
111 if (f->server) {
112 grpc_server_destroy(f->server);
113 }
114 f->server = grpc_server_create(server_args, nullptr);
115 grpc_server_register_completion_queue(f->server, f->cq, nullptr);
116 GPR_ASSERT(grpc_server_add_secure_http2_port(
117 f->server, ffd->localaddr.c_str(), server_creds));
118 grpc_server_credentials_release(server_creds);
119 grpc_server_start(f->server);
120 }
121
chttp2_tear_down_secure_fullstack(grpc_end2end_test_fixture * f)122 void chttp2_tear_down_secure_fullstack(grpc_end2end_test_fixture* f) {
123 fullstack_secure_fixture_data* ffd =
124 static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
125 delete ffd;
126 }
127
128 // Application-provided callback for server authorization check.
server_authz_check_cb(void * user_data)129 static void server_authz_check_cb(void* user_data) {
130 grpc_tls_server_authorization_check_arg* check_arg =
131 static_cast<grpc_tls_server_authorization_check_arg*>(user_data);
132 GPR_ASSERT(check_arg != nullptr);
133 // result = 1 indicates the server authorization check passes.
134 // Normally, the application code should resort to mapping information
135 // between server identity and target name to derive the result.
136 // For this test, we directly return 1 for simplicity.
137 check_arg->success = 1;
138 check_arg->status = GRPC_STATUS_OK;
139 check_arg->cb(check_arg);
140 }
141
142 // Asynchronous implementation of schedule field in
143 // grpc_server_authorization_check_config.
server_authz_check_async(void * config_user_data,grpc_tls_server_authorization_check_arg * arg)144 static int server_authz_check_async(
145 void* config_user_data, grpc_tls_server_authorization_check_arg* arg) {
146 fullstack_secure_fixture_data* ffd =
147 static_cast<fullstack_secure_fixture_data*>(config_user_data);
148 ffd->thd_list.push_back(
149 grpc_core::Thread("h2_tls_test", &server_authz_check_cb, arg));
150 ffd->thd_list[ffd->thd_list.size() - 1].Start();
151 return 1;
152 }
153
154 // Synchronous implementation of schedule field in
155 // grpc_tls_credential_reload_config instance that is a part of client-side
156 // grpc_tls_credentials_options instance.
client_cred_reload_sync(void *,grpc_tls_credential_reload_arg * arg)157 static int client_cred_reload_sync(void* /*config_user_data*/,
158 grpc_tls_credential_reload_arg* arg) {
159 if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
160 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
161 return 0;
162 }
163 grpc_slice ca_slice, cert_slice, key_slice;
164 GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
165 grpc_load_file(CA_CERT_PATH, 1, &ca_slice)));
166 GPR_ASSERT(GRPC_LOG_IF_ERROR(
167 "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
168 GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
169 grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
170 const char* ca_cert =
171 reinterpret_cast<const char*> GRPC_SLICE_START_PTR(ca_slice);
172 const char* server_cert =
173 reinterpret_cast<const char*> GRPC_SLICE_START_PTR(cert_slice);
174 const char* server_key =
175 reinterpret_cast<const char*> GRPC_SLICE_START_PTR(key_slice);
176 grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {server_key, server_cert};
177 if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
178 const auto* pem_key_cert_pair_ptr = &pem_key_cert_pair;
179 grpc_tls_key_materials_config_set_key_materials(
180 arg->key_materials_config, ca_cert, &pem_key_cert_pair_ptr, 1);
181 }
182 // new credential has been reloaded.
183 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
184 grpc_slice_unref(cert_slice);
185 grpc_slice_unref(key_slice);
186 grpc_slice_unref(ca_slice);
187 return 0;
188 }
189
190 // Synchronous implementation of schedule field in
191 // grpc_tls_credential_reload_config instance that is a part of server-side
192 // grpc_tls_credentials_options instance.
server_cred_reload_sync(void *,grpc_tls_credential_reload_arg * arg)193 static int server_cred_reload_sync(void* /*config_user_data*/,
194 grpc_tls_credential_reload_arg* arg) {
195 if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
196 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
197 return 0;
198 }
199 grpc_slice ca_slice, cert_slice, key_slice;
200 GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
201 grpc_load_file(CA_CERT_PATH, 1, &ca_slice)));
202 GPR_ASSERT(GRPC_LOG_IF_ERROR(
203 "load_file", grpc_load_file(SERVER_CERT_PATH, 1, &cert_slice)));
204 GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
205 grpc_load_file(SERVER_KEY_PATH, 1, &key_slice)));
206 const char* ca_cert =
207 reinterpret_cast<const char*> GRPC_SLICE_START_PTR(ca_slice);
208 const char* server_cert =
209 reinterpret_cast<const char*> GRPC_SLICE_START_PTR(cert_slice);
210 const char* server_key =
211 reinterpret_cast<const char*> GRPC_SLICE_START_PTR(key_slice);
212 grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {server_key, server_cert};
213 GPR_ASSERT(arg != nullptr);
214 GPR_ASSERT(arg->key_materials_config != nullptr);
215 GPR_ASSERT(arg->key_materials_config->pem_key_cert_pair_list().data() !=
216 nullptr);
217 if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
218 const auto* pem_key_cert_pair_ptr = &pem_key_cert_pair;
219 grpc_tls_key_materials_config_set_key_materials(
220 arg->key_materials_config, ca_cert, &pem_key_cert_pair_ptr, 1);
221 }
222 // new credential has been reloaded.
223 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
224 grpc_slice_unref(cert_slice);
225 grpc_slice_unref(key_slice);
226 grpc_slice_unref(ca_slice);
227 return 0;
228 }
229
230 // Create a TLS channel credential.
create_tls_channel_credentials(fullstack_secure_fixture_data * ffd)231 static grpc_channel_credentials* create_tls_channel_credentials(
232 fullstack_secure_fixture_data* ffd) {
233 grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
234 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
235 options->set_min_tls_version(ffd->tls_version);
236 options->set_max_tls_version(ffd->tls_version);
237 /* Set credential reload config. */
238 grpc_tls_credential_reload_config* reload_config =
239 grpc_tls_credential_reload_config_create(nullptr, client_cred_reload_sync,
240 nullptr, nullptr);
241 grpc_tls_credentials_options_set_credential_reload_config(options,
242 reload_config);
243 /* Set server authorization check config. */
244 grpc_tls_server_authorization_check_config* check_config =
245 grpc_tls_server_authorization_check_config_create(
246 ffd, server_authz_check_async, nullptr, nullptr);
247 grpc_tls_credentials_options_set_server_authorization_check_config(
248 options, check_config);
249 /* Create TLS channel credentials. */
250 grpc_channel_credentials* creds = grpc_tls_credentials_create(options);
251 return creds;
252 }
253
254 // Create a TLS server credential.
create_tls_server_credentials(fullstack_secure_fixture_data * ffd)255 static grpc_server_credentials* create_tls_server_credentials(
256 fullstack_secure_fixture_data* ffd) {
257 grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
258 options->set_min_tls_version(ffd->tls_version);
259 options->set_max_tls_version(ffd->tls_version);
260 /* Set credential reload config. */
261 grpc_tls_credential_reload_config* reload_config =
262 grpc_tls_credential_reload_config_create(nullptr, server_cred_reload_sync,
263 nullptr, nullptr);
264 grpc_tls_credentials_options_set_credential_reload_config(options,
265 reload_config);
266 /* Set client certificate request type. */
267 grpc_tls_credentials_options_set_cert_request_type(
268 options, GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
269 grpc_server_credentials* creds = grpc_tls_server_credentials_create(options);
270 return creds;
271 }
272
chttp2_init_client(grpc_end2end_test_fixture * f,grpc_channel_args * client_args)273 static void chttp2_init_client(grpc_end2end_test_fixture* f,
274 grpc_channel_args* client_args) {
275 grpc_channel_credentials* ssl_creds = create_tls_channel_credentials(
276 static_cast<fullstack_secure_fixture_data*>(f->fixture_data));
277 grpc_arg ssl_name_override = {
278 GRPC_ARG_STRING,
279 const_cast<char*>(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG),
280 {const_cast<char*>("foo.test.google.fr")}};
281 grpc_channel_args* new_client_args =
282 grpc_channel_args_copy_and_add(client_args, &ssl_name_override, 1);
283 chttp2_init_client_secure_fullstack(f, new_client_args, ssl_creds);
284 grpc_channel_args_destroy(new_client_args);
285 }
286
fail_server_auth_check(grpc_channel_args * server_args)287 static int fail_server_auth_check(grpc_channel_args* server_args) {
288 size_t i;
289 if (server_args == nullptr) return 0;
290 for (i = 0; i < server_args->num_args; i++) {
291 if (strcmp(server_args->args[i].key, FAIL_AUTH_CHECK_SERVER_ARG_NAME) ==
292 0) {
293 return 1;
294 }
295 }
296 return 0;
297 }
298
chttp2_init_server(grpc_end2end_test_fixture * f,grpc_channel_args * server_args)299 static void chttp2_init_server(grpc_end2end_test_fixture* f,
300 grpc_channel_args* server_args) {
301 grpc_server_credentials* ssl_creds = create_tls_server_credentials(
302 static_cast<fullstack_secure_fixture_data*>(f->fixture_data));
303 if (fail_server_auth_check(server_args)) {
304 grpc_auth_metadata_processor processor = {process_auth_failure, nullptr,
305 nullptr};
306 grpc_server_credentials_set_auth_metadata_processor(ssl_creds, processor);
307 }
308 chttp2_init_server_secure_fullstack(f, server_args, ssl_creds);
309 }
310
311 static grpc_end2end_test_config configs[] = {
312 /* client sync reload async authz + server sync reload. */
313 {"chttp2/simple_ssl_fullstack_tls1_2",
314 FEATURE_MASK_SUPPORTS_DELAYED_CONNECTION |
315 FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
316 FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL |
317 FEATURE_MASK_SUPPORTS_AUTHORITY_HEADER,
318 "foo.test.google.fr", chttp2_create_fixture_secure_fullstack_tls1_2,
319 chttp2_init_client, chttp2_init_server, chttp2_tear_down_secure_fullstack},
320 {"chttp2/simple_ssl_fullstack_tls1_3",
321 FEATURE_MASK_SUPPORTS_DELAYED_CONNECTION |
322 FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
323 FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL |
324 FEATURE_MASK_SUPPORTS_AUTHORITY_HEADER,
325 "foo.test.google.fr", chttp2_create_fixture_secure_fullstack_tls1_3,
326 chttp2_init_client, chttp2_init_server, chttp2_tear_down_secure_fullstack},
327 };
328
main(int argc,char ** argv)329 int main(int argc, char** argv) {
330 grpc::testing::TestEnvironment env(argc, argv);
331 grpc_end2end_tests_pre_init();
332 GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
333 grpc_init();
334 for (size_t ind = 0; ind < sizeof(configs) / sizeof(*configs); ind++) {
335 grpc_end2end_tests(argc, argv, configs[ind]);
336 }
337 grpc_shutdown();
338 return 0;
339 }
340