1 //
2 //
3 // Copyright 2018 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #ifndef GRPC_TEST_CORE_END2END_FIXTURES_H2_TLS_COMMON_H
20 #define GRPC_TEST_CORE_END2END_FIXTURES_H2_TLS_COMMON_H
21
22 #include <grpc/credentials.h>
23 #include <grpc/grpc.h>
24 #include <grpc/grpc_security.h>
25 #include <grpc/grpc_security_constants.h>
26 #include <grpc/impl/channel_arg_names.h>
27 #include <grpc/slice.h>
28 #include <grpc/status.h>
29 #include <stdint.h>
30 #include <string.h>
31
32 #include <string>
33
34 #include "absl/log/check.h"
35 #include "absl/strings/string_view.h"
36 #include "src/core/lib/channel/channel_args.h"
37 #include "src/core/lib/iomgr/error.h"
38 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
39 #include "src/core/lib/slice/slice_internal.h"
40 #include "test/core/end2end/end2end_tests.h"
41 #include "test/core/end2end/fixtures/secure_fixture.h"
42 #include "test/core/test_util/tls_utils.h"
43
44 // For normal TLS connections.
45 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
46 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
47 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
48
49 struct SecurityPrimitives {
50 enum ProviderType { STATIC_PROVIDER = 0, FILE_PROVIDER = 1 } provider_type;
51 enum VerifierType {
52 EXTERNAL_SYNC_VERIFIER = 0,
53 EXTERNAL_ASYNC_VERIFIER = 1,
54 HOSTNAME_VERIFIER = 2
55 } verifier_type;
56 enum TlsVersion { V_12 = 0, V_13 = 1 } tls_version;
57 };
58
process_auth_failure(void * state,grpc_auth_context *,const grpc_metadata *,size_t,grpc_process_auth_metadata_done_cb cb,void * user_data)59 inline void process_auth_failure(void* state, grpc_auth_context* /*ctx*/,
60 const grpc_metadata* /*md*/,
61 size_t /*md_count*/,
62 grpc_process_auth_metadata_done_cb cb,
63 void* user_data) {
64 CHECK_EQ(state, nullptr);
65 cb(user_data, nullptr, 0, nullptr, 0, GRPC_STATUS_UNAUTHENTICATED, nullptr);
66 }
67
68 class TlsFixture : public SecureFixture {
69 public:
TlsFixture(SecurityPrimitives::TlsVersion tls_version,SecurityPrimitives::ProviderType provider_type,SecurityPrimitives::VerifierType verifier_type)70 TlsFixture(SecurityPrimitives::TlsVersion tls_version,
71 SecurityPrimitives::ProviderType provider_type,
72 SecurityPrimitives::VerifierType verifier_type) {
73 switch (tls_version) {
74 case SecurityPrimitives::TlsVersion::V_12: {
75 tls_version_ = grpc_tls_version::TLS1_2;
76 break;
77 }
78 case SecurityPrimitives::TlsVersion::V_13: {
79 tls_version_ = grpc_tls_version::TLS1_3;
80 break;
81 }
82 }
83 switch (provider_type) {
84 case SecurityPrimitives::ProviderType::STATIC_PROVIDER: {
85 std::string root_cert =
86 grpc_core::testing::GetFileContents(CA_CERT_PATH);
87 std::string identity_cert =
88 grpc_core::testing::GetFileContents(SERVER_CERT_PATH);
89 std::string private_key =
90 grpc_core::testing::GetFileContents(SERVER_KEY_PATH);
91 grpc_tls_identity_pairs* client_pairs =
92 grpc_tls_identity_pairs_create();
93 grpc_tls_identity_pairs_add_pair(client_pairs, private_key.c_str(),
94 identity_cert.c_str());
95 client_provider_ = grpc_tls_certificate_provider_static_data_create(
96 root_cert.c_str(), client_pairs);
97 grpc_tls_identity_pairs* server_pairs =
98 grpc_tls_identity_pairs_create();
99 grpc_tls_identity_pairs_add_pair(server_pairs, private_key.c_str(),
100 identity_cert.c_str());
101 server_provider_ = grpc_tls_certificate_provider_static_data_create(
102 root_cert.c_str(), server_pairs);
103 break;
104 }
105 case SecurityPrimitives::ProviderType::FILE_PROVIDER: {
106 client_provider_ = grpc_tls_certificate_provider_file_watcher_create(
107 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
108 server_provider_ = grpc_tls_certificate_provider_file_watcher_create(
109 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
110 break;
111 }
112 }
113 switch (verifier_type) {
114 case SecurityPrimitives::VerifierType::EXTERNAL_SYNC_VERIFIER: {
115 auto* client_sync_verifier =
116 new grpc_core::testing::SyncExternalVerifier(true);
117 client_verifier_ = grpc_tls_certificate_verifier_external_create(
118 client_sync_verifier->base());
119 auto* server_sync_verifier =
120 new grpc_core::testing::SyncExternalVerifier(true);
121 server_verifier_ = grpc_tls_certificate_verifier_external_create(
122 server_sync_verifier->base());
123 check_call_host_ = false;
124 break;
125 }
126 case SecurityPrimitives::VerifierType::EXTERNAL_ASYNC_VERIFIER: {
127 auto* client_async_verifier =
128 new grpc_core::testing::AsyncExternalVerifier(true);
129 client_verifier_ = grpc_tls_certificate_verifier_external_create(
130 client_async_verifier->base());
131 auto* server_async_verifier =
132 new grpc_core::testing::AsyncExternalVerifier(true);
133 server_verifier_ = grpc_tls_certificate_verifier_external_create(
134 server_async_verifier->base());
135 check_call_host_ = false;
136 break;
137 }
138 case SecurityPrimitives::VerifierType::HOSTNAME_VERIFIER: {
139 client_verifier_ = grpc_tls_certificate_verifier_host_name_create();
140 // Hostname verifier couldn't be applied to the server side, so we will
141 // use sync external verifier here.
142 auto* server_async_verifier =
143 new grpc_core::testing::AsyncExternalVerifier(true);
144 server_verifier_ = grpc_tls_certificate_verifier_external_create(
145 server_async_verifier->base());
146 break;
147 }
148 }
149 }
~TlsFixture()150 ~TlsFixture() override {
151 grpc_tls_certificate_provider_release(client_provider_);
152 grpc_tls_certificate_provider_release(server_provider_);
153 grpc_tls_certificate_verifier_release(client_verifier_);
154 grpc_tls_certificate_verifier_release(server_verifier_);
155 }
156
157 private:
MutateClientArgs(grpc_core::ChannelArgs args)158 grpc_core::ChannelArgs MutateClientArgs(
159 grpc_core::ChannelArgs args) override {
160 return args.Set(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, "foo.test.google.fr");
161 }
162
MakeClientCreds(const grpc_core::ChannelArgs &)163 grpc_channel_credentials* MakeClientCreds(
164 const grpc_core::ChannelArgs&) override {
165 grpc_tls_credentials_options* options =
166 grpc_tls_credentials_options_create();
167 grpc_tls_credentials_options_set_verify_server_cert(
168 options, 1 /* = verify server certs */);
169 options->set_min_tls_version(tls_version_);
170 options->set_max_tls_version(tls_version_);
171 // Set credential provider.
172 grpc_tls_credentials_options_set_certificate_provider(options,
173 client_provider_);
174 grpc_tls_credentials_options_watch_root_certs(options);
175 grpc_tls_credentials_options_watch_identity_key_cert_pairs(options);
176 // Set credential verifier.
177 grpc_tls_credentials_options_set_certificate_verifier(options,
178 client_verifier_);
179 grpc_tls_credentials_options_set_check_call_host(options, check_call_host_);
180 // Create TLS channel credentials.
181 grpc_channel_credentials* creds = grpc_tls_credentials_create(options);
182 return creds;
183 }
184
MakeServerCreds(const grpc_core::ChannelArgs & args)185 grpc_server_credentials* MakeServerCreds(
186 const grpc_core::ChannelArgs& args) override {
187 grpc_tls_credentials_options* options =
188 grpc_tls_credentials_options_create();
189 options->set_min_tls_version(tls_version_);
190 options->set_max_tls_version(tls_version_);
191 // Set credential provider.
192 grpc_tls_credentials_options_set_certificate_provider(options,
193 server_provider_);
194 grpc_tls_credentials_options_watch_root_certs(options);
195 grpc_tls_credentials_options_watch_identity_key_cert_pairs(options);
196 // Set client certificate request type.
197 grpc_tls_credentials_options_set_cert_request_type(
198 options, GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
199 // Set credential verifier.
200 grpc_tls_credentials_options_set_certificate_verifier(options,
201 server_verifier_);
202 grpc_server_credentials* creds =
203 grpc_tls_server_credentials_create(options);
204 if (args.Contains(FAIL_AUTH_CHECK_SERVER_ARG_NAME)) {
205 grpc_auth_metadata_processor processor = {process_auth_failure, nullptr,
206 nullptr};
207 grpc_server_credentials_set_auth_metadata_processor(creds, processor);
208 }
209 return creds;
210 }
211
212 grpc_tls_version tls_version_;
213 grpc_tls_certificate_provider* client_provider_ = nullptr;
214 grpc_tls_certificate_provider* server_provider_ = nullptr;
215 grpc_tls_certificate_verifier* client_verifier_ = nullptr;
216 grpc_tls_certificate_verifier* server_verifier_ = nullptr;
217 bool check_call_host_ = true;
218 };
219
220 static const uint32_t kH2TLSFeatureMask =
221 FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
222 FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL | FEATURE_MASK_IS_HTTP2;
223
224 #endif // GRPC_TEST_CORE_END2END_FIXTURES_H2_TLS_COMMON_H
225