1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
18
19 #include <gmock/gmock.h>
20 #include <grpc/support/alloc.h>
21 #include <grpc/support/string_util.h>
22 #include <gtest/gtest.h>
23
24 #include <deque>
25 #include <list>
26 #include <string>
27 #include <thread>
28
29 #include "absl/log/check.h"
30 #include "src/core/lib/slice/slice_internal.h"
31 #include "src/core/util/crash.h"
32 #include "test/core/test_util/test_config.h"
33 #include "test/core/test_util/tls_utils.h"
34
35 namespace grpc_core {
36
37 namespace testing {
38
39 constexpr const char* kCertName1 = "cert_1_name";
40 constexpr const char* kCertName2 = "cert_2_name";
41 constexpr const char* kRootCert1Name = "root_cert_1_name";
42 constexpr const char* kRootCert1Contents = "root_cert_1_contents";
43 constexpr const char* kRootCert2Name = "root_cert_2_name";
44 constexpr const char* kRootCert2Contents = "root_cert_2_contents";
45 constexpr const char* kIdentityCert1Name = "identity_cert_1_name";
46 constexpr const char* kIdentityCert1PrivateKey = "identity_private_key_1";
47 constexpr const char* kIdentityCert1Contents = "identity_cert_1_contents";
48 constexpr const char* kIdentityCert2Name = "identity_cert_2_name";
49 constexpr const char* kIdentityCert2PrivateKey = "identity_private_key_2";
50 constexpr const char* kIdentityCert2Contents = "identity_cert_2_contents";
51 constexpr const char* kErrorMessage = "error_message";
52 constexpr const char* kRootErrorMessage = "root_error_message";
53 constexpr const char* kIdentityErrorMessage = "identity_error_message";
54
55 class GrpcTlsCertificateDistributorTest : public ::testing::Test {
56 protected:
57 // Forward declaration.
58 class TlsCertificatesTestWatcher;
59
60 // CredentialInfo contains the parameters when calling OnCertificatesChanged
61 // of a watcher. When OnCertificatesChanged is invoked, we will push a
62 // CredentialInfo to the cert_update_queue of state_, and check in each test
63 // if the status updates are correct.
64 struct CredentialInfo {
65 std::string root_certs;
66 PemKeyCertPairList key_cert_pairs;
CredentialInfogrpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo67 CredentialInfo(std::string root, PemKeyCertPairList key_cert)
68 : root_certs(std::move(root)), key_cert_pairs(std::move(key_cert)) {}
operator ==grpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo69 bool operator==(const CredentialInfo& other) const {
70 return root_certs == other.root_certs &&
71 key_cert_pairs == other.key_cert_pairs;
72 }
73 };
74
75 // ErrorInfo contains the parameters when calling OnError of a watcher. When
76 // OnError is invoked, we will push a ErrorInfo to the error_queue of state_,
77 // and check in each test if the status updates are correct.
78 struct ErrorInfo {
79 std::string root_cert_str;
80 std::string identity_cert_str;
ErrorInfogrpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo81 ErrorInfo(std::string root, std::string identity)
82 : root_cert_str(std::move(root)),
83 identity_cert_str(std::move(identity)) {}
operator ==grpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo84 bool operator==(const ErrorInfo& other) const {
85 return root_cert_str == other.root_cert_str &&
86 identity_cert_str == other.identity_cert_str;
87 }
88 };
89
90 struct WatcherState {
91 TlsCertificatesTestWatcher* watcher = nullptr;
92 std::deque<CredentialInfo> cert_update_queue;
93 std::deque<ErrorInfo> error_queue;
94
GetCredentialQueuegrpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState95 std::deque<CredentialInfo> GetCredentialQueue() {
96 // We move the data member value so the data member will be re-initiated
97 // with size 0, and ready for the next check.
98 return std::move(cert_update_queue);
99 }
GetErrorQueuegrpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState100 std::deque<ErrorInfo> GetErrorQueue() {
101 // We move the data member value so the data member will be re-initiated
102 // with size 0, and ready for the next check.
103 return std::move(error_queue);
104 }
105 };
106
107 class TlsCertificatesTestWatcher : public grpc_tls_certificate_distributor::
108 TlsCertificatesWatcherInterface {
109 public:
110 // ctor sets state->watcher to this.
TlsCertificatesTestWatcher(WatcherState * state)111 explicit TlsCertificatesTestWatcher(WatcherState* state) : state_(state) {
112 state_->watcher = this;
113 }
114
115 // dtor sets state->watcher to nullptr.
~TlsCertificatesTestWatcher()116 ~TlsCertificatesTestWatcher() override { state_->watcher = nullptr; }
117
OnCertificatesChanged(absl::optional<absl::string_view> root_certs,absl::optional<PemKeyCertPairList> key_cert_pairs)118 void OnCertificatesChanged(
119 absl::optional<absl::string_view> root_certs,
120 absl::optional<PemKeyCertPairList> key_cert_pairs) override {
121 std::string updated_root;
122 if (root_certs.has_value()) {
123 updated_root = std::string(*root_certs);
124 }
125 PemKeyCertPairList updated_identity;
126 if (key_cert_pairs.has_value()) {
127 updated_identity = std::move(*key_cert_pairs);
128 }
129 state_->cert_update_queue.emplace_back(std::move(updated_root),
130 std::move(updated_identity));
131 }
132
OnError(grpc_error_handle root_cert_error,grpc_error_handle identity_cert_error)133 void OnError(grpc_error_handle root_cert_error,
134 grpc_error_handle identity_cert_error) override {
135 CHECK(!root_cert_error.ok() || !identity_cert_error.ok());
136 std::string root_error_str;
137 std::string identity_error_str;
138 if (!root_cert_error.ok()) {
139 CHECK(grpc_error_get_str(
140 root_cert_error, StatusStrProperty::kDescription, &root_error_str));
141 }
142 if (!identity_cert_error.ok()) {
143 CHECK(grpc_error_get_str(identity_cert_error,
144 StatusStrProperty::kDescription,
145 &identity_error_str));
146 }
147 state_->error_queue.emplace_back(std::move(root_error_str),
148 std::move(identity_error_str));
149 }
150
151 private:
152 WatcherState* state_;
153 };
154
155 // CallbackStatus contains the parameters when calling watch_status_callback_
156 // of the distributor. When a particular callback is invoked, we will push a
157 // CallbackStatus to a callback_queue_, and check in each test if the status
158 // updates are correct.
159 struct CallbackStatus {
160 std::string cert_name;
161 bool root_being_watched;
162 bool identity_being_watched;
CallbackStatusgrpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus163 CallbackStatus(std::string name, bool root_watched, bool identity_watched)
164 : cert_name(std::move(name)),
165 root_being_watched(root_watched),
166 identity_being_watched(identity_watched) {}
operator ==grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus167 bool operator==(const CallbackStatus& other) const {
168 return cert_name == other.cert_name &&
169 root_being_watched == other.root_being_watched &&
170 identity_being_watched == other.identity_being_watched;
171 }
172 };
173
SetUp()174 void SetUp() override {
175 distributor_.SetWatchStatusCallback([this](std::string cert_name,
176 bool root_being_watched,
177 bool identity_being_watched) {
178 callback_queue_.emplace_back(std::move(cert_name), root_being_watched,
179 identity_being_watched);
180 });
181 }
182
MakeWatcher(absl::optional<std::string> root_cert_name,absl::optional<std::string> identity_cert_name)183 WatcherState* MakeWatcher(absl::optional<std::string> root_cert_name,
184 absl::optional<std::string> identity_cert_name) {
185 MutexLock lock(&mu_);
186 watchers_.emplace_back();
187 // TlsCertificatesTestWatcher ctor takes a pointer to the WatcherState.
188 // It sets WatcherState::watcher to point to itself.
189 // The TlsCertificatesTestWatcher dtor will set WatcherState::watcher back
190 // to nullptr to indicate that it's been destroyed.
191 auto watcher =
192 std::make_unique<TlsCertificatesTestWatcher>(&watchers_.back());
193 distributor_.WatchTlsCertificates(std::move(watcher),
194 std::move(root_cert_name),
195 std::move(identity_cert_name));
196 return &watchers_.back();
197 }
198
CancelWatch(WatcherState * state)199 void CancelWatch(WatcherState* state) {
200 MutexLock lock(&mu_);
201 distributor_.CancelTlsCertificatesWatch(state->watcher);
202 EXPECT_EQ(state->watcher, nullptr);
203 }
204
GetCallbackQueue()205 std::deque<CallbackStatus> GetCallbackQueue() {
206 // We move the data member value so the data member will be re-initiated
207 // with size 0, and ready for the next check.
208 return std::move(callback_queue_);
209 }
210
211 grpc_tls_certificate_distributor distributor_;
212 // Use a std::list<> here to avoid the address invalidation caused by internal
213 // reallocation of std::vector<>.
214 std::list<WatcherState> watchers_;
215 std::deque<CallbackStatus> callback_queue_;
216 // This is to make watchers_ and callback_queue_ thread-safe.
217 Mutex mu_;
218 };
219
TEST_F(GrpcTlsCertificateDistributorTest,BasicCredentialBehaviors)220 TEST_F(GrpcTlsCertificateDistributorTest, BasicCredentialBehaviors) {
221 EXPECT_FALSE(distributor_.HasRootCerts(kRootCert1Name));
222 EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert1Name));
223 // After setting the certificates to the corresponding cert names, the
224 // distributor should possess the corresponding certs.
225 distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
226 absl::nullopt);
227 EXPECT_TRUE(distributor_.HasRootCerts(kRootCert1Name));
228 distributor_.SetKeyMaterials(
229 kIdentityCert1Name, absl::nullopt,
230 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
231 EXPECT_TRUE(distributor_.HasKeyCertPairs(kIdentityCert1Name));
232 // Querying a non-existing cert name should return false.
233 EXPECT_FALSE(distributor_.HasRootCerts(kRootCert2Name));
234 EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert2Name));
235 }
236
TEST_F(GrpcTlsCertificateDistributorTest,UpdateCredentialsOnAnySide)237 TEST_F(GrpcTlsCertificateDistributorTest, UpdateCredentialsOnAnySide) {
238 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
239 EXPECT_THAT(GetCallbackQueue(),
240 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
241 // SetKeyMaterials should trigger watcher's OnCertificatesChanged method.
242 distributor_.SetKeyMaterials(
243 kCertName1, kRootCert1Contents,
244 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
245 EXPECT_THAT(
246 watcher_state_1->GetCredentialQueue(),
247 ::testing::ElementsAre(CredentialInfo(
248 kRootCert1Contents,
249 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
250 // Set root certs should trigger watcher's OnCertificatesChanged again.
251 distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
252 EXPECT_THAT(
253 watcher_state_1->GetCredentialQueue(),
254 ::testing::ElementsAre(CredentialInfo(
255 kRootCert2Contents,
256 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
257 // Set identity certs should trigger watcher's OnCertificatesChanged again.
258 distributor_.SetKeyMaterials(
259 kCertName1, absl::nullopt,
260 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
261 EXPECT_THAT(
262 watcher_state_1->GetCredentialQueue(),
263 ::testing::ElementsAre(CredentialInfo(
264 kRootCert2Contents,
265 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
266 CancelWatch(watcher_state_1);
267 }
268
TEST_F(GrpcTlsCertificateDistributorTest,SameIdentityNameDiffRootName)269 TEST_F(GrpcTlsCertificateDistributorTest, SameIdentityNameDiffRootName) {
270 // Register watcher 1.
271 WatcherState* watcher_state_1 =
272 MakeWatcher(kRootCert1Name, kIdentityCert1Name);
273 EXPECT_THAT(
274 GetCallbackQueue(),
275 ::testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false),
276 CallbackStatus(kIdentityCert1Name, false, true)));
277 // Register watcher 2.
278 WatcherState* watcher_state_2 =
279 MakeWatcher(kRootCert2Name, kIdentityCert1Name);
280 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
281 kRootCert2Name, true, false)));
282 // Push credential updates to kRootCert1Name and check if the status works as
283 // expected.
284 distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
285 absl::nullopt);
286 // Check the updates are delivered to watcher 1.
287 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
288 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
289 // Push credential updates to kRootCert2Name.
290 distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents,
291 absl::nullopt);
292 // Check the updates are delivered to watcher 2.
293 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
294 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
295 // Push credential updates to kIdentityCert1Name and check if the status works
296 // as expected.
297 distributor_.SetKeyMaterials(
298 kIdentityCert1Name, absl::nullopt,
299 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
300 // Check the updates are delivered to watcher 1 and watcher 2.
301 EXPECT_THAT(
302 watcher_state_1->GetCredentialQueue(),
303 ::testing::ElementsAre(CredentialInfo(
304 kRootCert1Contents,
305 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
306 EXPECT_THAT(
307 watcher_state_2->GetCredentialQueue(),
308 ::testing::ElementsAre(CredentialInfo(
309 kRootCert2Contents,
310 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
311 // Cancel watcher 1.
312 CancelWatch(watcher_state_1);
313 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
314 kRootCert1Name, false, false)));
315 // Cancel watcher 2.
316 CancelWatch(watcher_state_2);
317 EXPECT_THAT(
318 GetCallbackQueue(),
319 ::testing::ElementsAre(CallbackStatus(kRootCert2Name, false, false),
320 CallbackStatus(kIdentityCert1Name, false, false)));
321 }
322
TEST_F(GrpcTlsCertificateDistributorTest,SameRootNameDiffIdentityName)323 TEST_F(GrpcTlsCertificateDistributorTest, SameRootNameDiffIdentityName) {
324 // Register watcher 1.
325 WatcherState* watcher_state_1 =
326 MakeWatcher(kRootCert1Name, kIdentityCert1Name);
327 EXPECT_THAT(
328 GetCallbackQueue(),
329 ::testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false),
330 CallbackStatus(kIdentityCert1Name, false, true)));
331 // Register watcher 2.
332 WatcherState* watcher_state_2 =
333 MakeWatcher(kRootCert1Name, kIdentityCert2Name);
334 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
335 kIdentityCert2Name, false, true)));
336 // Push credential updates to kRootCert1Name and check if the status works as
337 // expected.
338 distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
339 absl::nullopt);
340 // Check the updates are delivered to watcher 1.
341 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
342 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
343 // Check the updates are delivered to watcher 2.
344 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
345 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
346 // Push credential updates to SetKeyMaterials.
347 distributor_.SetKeyMaterials(
348 kIdentityCert1Name, absl::nullopt,
349 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
350 // Check the updates are delivered to watcher 1.
351 EXPECT_THAT(
352 watcher_state_1->GetCredentialQueue(),
353 ::testing::ElementsAre(CredentialInfo(
354 kRootCert1Contents,
355 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
356 // Push credential updates to kIdentityCert2Name.
357 distributor_.SetKeyMaterials(
358 kIdentityCert2Name, absl::nullopt,
359 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
360 // Check the updates are delivered to watcher 2.
361 EXPECT_THAT(
362 watcher_state_2->GetCredentialQueue(),
363 ::testing::ElementsAre(CredentialInfo(
364 kRootCert1Contents,
365 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
366 // Cancel watcher 1.
367 CancelWatch(watcher_state_1);
368 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
369 kIdentityCert1Name, false, false)));
370 // Cancel watcher 2.
371 CancelWatch(watcher_state_2);
372 EXPECT_THAT(
373 GetCallbackQueue(),
374 ::testing::ElementsAre(CallbackStatus(kRootCert1Name, false, false),
375 CallbackStatus(kIdentityCert2Name, false, false)));
376 }
377
TEST_F(GrpcTlsCertificateDistributorTest,AddAndCancelFirstWatcherForSameRootAndIdentityCertName)378 TEST_F(GrpcTlsCertificateDistributorTest,
379 AddAndCancelFirstWatcherForSameRootAndIdentityCertName) {
380 // Register watcher 1 watching kCertName1 for both root and identity certs.
381 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
382 EXPECT_THAT(GetCallbackQueue(),
383 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
384 // Push credential updates to kCertName1 and check if the status works as
385 // expected.
386 distributor_.SetKeyMaterials(
387 kCertName1, kRootCert1Contents,
388 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
389 // Check the updates are delivered to watcher 1.
390 EXPECT_THAT(
391 watcher_state_1->GetCredentialQueue(),
392 ::testing::ElementsAre(CredentialInfo(
393 kRootCert1Contents,
394 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
395 // Cancel watcher 1.
396 CancelWatch(watcher_state_1);
397 EXPECT_THAT(GetCallbackQueue(),
398 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
399 }
400
TEST_F(GrpcTlsCertificateDistributorTest,AddAndCancelFirstWatcherForIdentityCertNameWithRootBeingWatched)401 TEST_F(GrpcTlsCertificateDistributorTest,
402 AddAndCancelFirstWatcherForIdentityCertNameWithRootBeingWatched) {
403 // Register watcher 1 watching kCertName1 for root certs.
404 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
405 EXPECT_THAT(GetCallbackQueue(),
406 ::testing::ElementsAre(CallbackStatus(kCertName1, true, false)));
407 // Register watcher 2 watching kCertName1 for identity certs.
408 WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1);
409 EXPECT_THAT(GetCallbackQueue(),
410 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
411 // Push credential updates to kCertName1 and check if the status works as
412 // expected.
413 distributor_.SetKeyMaterials(
414 kCertName1, kRootCert1Contents,
415 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
416 // Check the updates are delivered to watcher 1.
417 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
418 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
419 // Check the updates are delivered to watcher 2.
420 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
421 ::testing::ElementsAre(CredentialInfo(
422 "", MakeCertKeyPairs(kIdentityCert1PrivateKey,
423 kIdentityCert1Contents))));
424 // Push root cert updates to kCertName1.
425 distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
426 // Check the updates are delivered to watcher 1.
427 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
428 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
429 // Check the updates are not delivered to watcher 2.
430 EXPECT_THAT(watcher_state_2->GetCredentialQueue(), ::testing::ElementsAre());
431 // Push identity cert updates to kCertName1.
432 distributor_.SetKeyMaterials(
433 kCertName1, absl::nullopt,
434 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
435 // Check the updates are not delivered to watcher 1.
436 EXPECT_THAT(watcher_state_1->GetCredentialQueue(), ::testing::ElementsAre());
437 // Check the updates are delivered to watcher 2.
438 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
439 ::testing::ElementsAre(CredentialInfo(
440 "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
441 kIdentityCert2Contents))));
442 watcher_state_2->cert_update_queue.clear();
443 // Cancel watcher 2.
444 CancelWatch(watcher_state_2);
445 EXPECT_THAT(GetCallbackQueue(),
446 ::testing::ElementsAre(CallbackStatus(kCertName1, true, false)));
447 // Cancel watcher 1.
448 CancelWatch(watcher_state_1);
449 EXPECT_THAT(GetCallbackQueue(),
450 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
451 }
452
TEST_F(GrpcTlsCertificateDistributorTest,AddAndCancelFirstWatcherForRootCertNameWithIdentityBeingWatched)453 TEST_F(GrpcTlsCertificateDistributorTest,
454 AddAndCancelFirstWatcherForRootCertNameWithIdentityBeingWatched) {
455 // Register watcher 1 watching kCertName1 for identity certs.
456 WatcherState* watcher_state_1 = MakeWatcher(absl::nullopt, kCertName1);
457 EXPECT_THAT(GetCallbackQueue(),
458 ::testing::ElementsAre(CallbackStatus(kCertName1, false, true)));
459 // Register watcher 2 watching kCertName1 for root certs.
460 WatcherState* watcher_state_2 = MakeWatcher(kCertName1, absl::nullopt);
461 EXPECT_THAT(GetCallbackQueue(),
462 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
463 // Push credential updates to kCertName1 and check if the status works as
464 // expected.
465 distributor_.SetKeyMaterials(
466 kCertName1, kRootCert1Contents,
467 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
468 // Check the updates are delivered to watcher 1.
469 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
470 ::testing::ElementsAre(CredentialInfo(
471 "", MakeCertKeyPairs(kIdentityCert1PrivateKey,
472 kIdentityCert1Contents))));
473 // Check the updates are delivered to watcher 2.
474 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
475 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
476 // Push root cert updates to kCertName1.
477 distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
478 // Check the updates are delivered to watcher 2.
479 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
480 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
481 // Check the updates are not delivered to watcher 1.
482 EXPECT_THAT(watcher_state_1->GetCredentialQueue(), ::testing::ElementsAre());
483 // Push identity cert updates to kCertName1.
484 distributor_.SetKeyMaterials(
485 kCertName1, absl::nullopt,
486 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
487 // Check the updates are not delivered to watcher 2.
488 EXPECT_THAT(watcher_state_2->GetCredentialQueue(), ::testing::ElementsAre());
489 // Check the updates are delivered to watcher 1.
490 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
491 ::testing::ElementsAre(CredentialInfo(
492 "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
493 kIdentityCert2Contents))));
494 // Cancel watcher 2.
495 CancelWatch(watcher_state_2);
496 EXPECT_THAT(GetCallbackQueue(),
497 ::testing::ElementsAre(CallbackStatus(kCertName1, false, true)));
498 // Cancel watcher 1.
499 CancelWatch(watcher_state_1);
500 EXPECT_THAT(GetCallbackQueue(),
501 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
502 }
503
TEST_F(GrpcTlsCertificateDistributorTest,RemoveAllWatchersForCertNameAndAddAgain)504 TEST_F(GrpcTlsCertificateDistributorTest,
505 RemoveAllWatchersForCertNameAndAddAgain) {
506 // Register watcher 1 and watcher 2 watching kCertName1 for root and identity
507 // certs.
508 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
509 EXPECT_THAT(GetCallbackQueue(),
510 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
511 WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1);
512 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
513 // Push credential updates to kCertName1.
514 distributor_.SetKeyMaterials(
515 kCertName1, kRootCert1Contents,
516 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
517 // Cancel watcher 2.
518 CancelWatch(watcher_state_2);
519 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
520 // Cancel watcher 1.
521 CancelWatch(watcher_state_1);
522 EXPECT_THAT(GetCallbackQueue(),
523 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
524 // Register watcher 3 watching kCertName for root and identity certs.
525 WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName1);
526 EXPECT_THAT(GetCallbackQueue(),
527 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
528 // Push credential updates to kCertName1.
529 distributor_.SetKeyMaterials(
530 kCertName1, kRootCert2Contents,
531 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
532 // Check the updates are delivered to watcher 3.
533 EXPECT_THAT(
534 watcher_state_3->GetCredentialQueue(),
535 ::testing::ElementsAre(CredentialInfo(
536 kRootCert2Contents,
537 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
538 // Cancel watcher 3.
539 CancelWatch(watcher_state_3);
540 EXPECT_THAT(GetCallbackQueue(),
541 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
542 }
543
TEST_F(GrpcTlsCertificateDistributorTest,ResetCallbackToNull)544 TEST_F(GrpcTlsCertificateDistributorTest, ResetCallbackToNull) {
545 // Register watcher 1 watching kCertName1 for root and identity certs.
546 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
547 EXPECT_THAT(GetCallbackQueue(),
548 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
549 // Reset callback to nullptr.
550 distributor_.SetWatchStatusCallback(nullptr);
551 // Cancel watcher 1 shouldn't trigger any callback.
552 CancelWatch(watcher_state_1);
553 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
554 }
555
TEST_F(GrpcTlsCertificateDistributorTest,SetKeyMaterialsInCallback)556 TEST_F(GrpcTlsCertificateDistributorTest, SetKeyMaterialsInCallback) {
557 distributor_.SetWatchStatusCallback([this](std::string cert_name,
558 bool /*root_being_watched*/,
559 bool /*identity_being_watched*/) {
560 distributor_.SetKeyMaterials(
561 cert_name, kRootCert1Contents,
562 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
563 });
564 auto verify_function = [this](std::string cert_name) {
565 WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name);
566 // Check the updates are delivered to watcher 1.
567 EXPECT_THAT(
568 watcher_state_1->GetCredentialQueue(),
569 ::testing::ElementsAre(CredentialInfo(
570 kRootCert1Contents, MakeCertKeyPairs(kIdentityCert1PrivateKey,
571 kIdentityCert1Contents))));
572 CancelWatch(watcher_state_1);
573 };
574 // Start 10 threads that will register a watcher to a new cert name, verify
575 // the key materials being set, and then cancel the watcher, to make sure the
576 // lock mechanism in the distributor is safe.
577 std::vector<std::thread> threads;
578 threads.reserve(10);
579 for (int i = 0; i < 10; ++i) {
580 threads.emplace_back(verify_function, std::to_string(i));
581 }
582 for (auto& th : threads) {
583 th.join();
584 }
585 }
586
TEST_F(GrpcTlsCertificateDistributorTest,WatchACertInfoWithValidCredentials)587 TEST_F(GrpcTlsCertificateDistributorTest, WatchACertInfoWithValidCredentials) {
588 // Push credential updates to kCertName1.
589 distributor_.SetKeyMaterials(
590 kCertName1, kRootCert1Contents,
591 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
592 // Push root credential updates to kCertName2.
593 distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents,
594 absl::nullopt);
595 // Push identity credential updates to kCertName2.
596 distributor_.SetKeyMaterials(
597 kIdentityCert2Name, absl::nullopt,
598 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
599 // Register watcher 1.
600 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
601 // watcher 1 should receive the credentials right away.
602 EXPECT_THAT(
603 watcher_state_1->GetCredentialQueue(),
604 ::testing::ElementsAre(CredentialInfo(
605 kRootCert1Contents,
606 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
607 CancelWatch(watcher_state_1);
608 // Register watcher 2.
609 WatcherState* watcher_state_2 = MakeWatcher(kRootCert2Name, absl::nullopt);
610 // watcher 2 should receive the root credentials right away.
611 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
612 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
613 // Register watcher 3.
614 WatcherState* watcher_state_3 =
615 MakeWatcher(absl::nullopt, kIdentityCert2Name);
616 // watcher 3 should received the identity credentials right away.
617 EXPECT_THAT(watcher_state_3->GetCredentialQueue(),
618 ::testing::ElementsAre(CredentialInfo(
619 "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
620 kIdentityCert2Contents))));
621 CancelWatch(watcher_state_2);
622 CancelWatch(watcher_state_3);
623 }
624
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertForBothRootAndIdentity)625 TEST_F(GrpcTlsCertificateDistributorTest,
626 SetErrorForCertForBothRootAndIdentity) {
627 // Register watcher 1.
628 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
629 // Calling SetErrorForCert on both cert names should only call one OnError
630 // on watcher 1.
631 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
632 GRPC_ERROR_CREATE(kIdentityErrorMessage));
633 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
634 ::testing::ElementsAre(
635 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
636 // Calling SetErrorForCert on root cert name should call OnError
637 // on watcher 1 again.
638 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kErrorMessage),
639 absl::nullopt);
640 EXPECT_THAT(
641 watcher_state_1->GetErrorQueue(),
642 ::testing::ElementsAre(ErrorInfo(kErrorMessage, kIdentityErrorMessage)));
643 // Calling SetErrorForCert on identity cert name should call OnError
644 // on watcher 1 again.
645 distributor_.SetErrorForCert(kCertName1, absl::nullopt,
646 GRPC_ERROR_CREATE(kErrorMessage));
647 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
648 ::testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage)));
649 distributor_.CancelTlsCertificatesWatch(watcher_state_1->watcher);
650 EXPECT_EQ(watcher_state_1->watcher, nullptr);
651 }
652
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertForRootOrIdentity)653 TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertForRootOrIdentity) {
654 // Register watcher 1.
655 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
656 // Calling SetErrorForCert on root name should only call one OnError
657 // on watcher 1.
658 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
659 absl::nullopt);
660 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
661 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
662 // Calling SetErrorForCert on identity name should do nothing.
663 distributor_.SetErrorForCert(kCertName1, absl::nullopt,
664 GRPC_ERROR_CREATE(kIdentityErrorMessage));
665 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
666 // Calling SetErrorForCert on both names should still get one OnError call.
667 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
668 GRPC_ERROR_CREATE(kIdentityErrorMessage));
669 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
670 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
671 CancelWatch(watcher_state_1);
672 // Register watcher 2.
673 WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1);
674 // Calling SetErrorForCert on identity name should only call one OnError
675 // on watcher 2.
676 distributor_.SetErrorForCert(kCertName1, absl::nullopt,
677 GRPC_ERROR_CREATE(kIdentityErrorMessage));
678 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
679 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
680 // Calling SetErrorForCert on root name should do nothing.
681 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
682 absl::nullopt);
683 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
684 // Calling SetErrorForCert on both names should still get one OnError call.
685 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
686 GRPC_ERROR_CREATE(kIdentityErrorMessage));
687 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
688 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
689 CancelWatch(watcher_state_2);
690 }
691
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForIdentityNameWithPreexistingErrorForRootName)692 TEST_F(GrpcTlsCertificateDistributorTest,
693 SetErrorForIdentityNameWithPreexistingErrorForRootName) {
694 // SetErrorForCert for kCertName1.
695 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
696 GRPC_ERROR_CREATE(kIdentityErrorMessage));
697 // Register watcher 1 for kCertName1 as root and kCertName2 as identity.
698 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2);
699 // Should trigger OnError call right away since kCertName1 has error.
700 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
701 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
702 // Calling SetErrorForCert on kCertName2 should trigger OnError with both
703 // errors, because kCertName1 also has error.
704 distributor_.SetErrorForCert(kCertName2, absl::nullopt,
705 GRPC_ERROR_CREATE(kIdentityErrorMessage));
706 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
707 ::testing::ElementsAre(
708 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
709 CancelWatch(watcher_state_1);
710 }
711
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertForRootNameWithSameNameForIdentityErrored)712 TEST_F(GrpcTlsCertificateDistributorTest,
713 SetErrorForCertForRootNameWithSameNameForIdentityErrored) {
714 // SetErrorForCert for kCertName1.
715 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
716 GRPC_ERROR_CREATE(kIdentityErrorMessage));
717 // Register watcher 1 for kCertName2 as root and kCertName1 as identity.
718 WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1);
719 // Should trigger OnError call right away since kCertName2 has error.
720 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
721 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
722 // Calling SetErrorForCert on kCertName2 should trigger OnError with both
723 // errors, because kCertName1 also has error.
724 distributor_.SetErrorForCert(kCertName2, GRPC_ERROR_CREATE(kRootErrorMessage),
725 absl::nullopt);
726 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
727 ::testing::ElementsAre(
728 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
729 CancelWatch(watcher_state_1);
730 }
731
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForIdentityNameWithoutErrorForRootName)732 TEST_F(GrpcTlsCertificateDistributorTest,
733 SetErrorForIdentityNameWithoutErrorForRootName) {
734 // Register watcher 1 for kCertName1 as root and kCertName2 as identity.
735 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2);
736 // Should not trigger OnError.
737 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
738 // Calling SetErrorForCert on kCertName2 should trigger OnError.
739 distributor_.SetErrorForCert(kCertName2, absl::nullopt,
740 GRPC_ERROR_CREATE(kIdentityErrorMessage));
741 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
742 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
743 CancelWatch(watcher_state_1);
744 // Register watcher 2 for kCertName2 as identity and a non-existing name
745 // kRootCert1Name as root.
746 WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, kCertName2);
747 // Should not trigger OnError.
748 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
749 // Calling SetErrorForCert on kCertName2 should trigger OnError.
750 distributor_.SetErrorForCert(kCertName2, absl::nullopt,
751 GRPC_ERROR_CREATE(kIdentityErrorMessage));
752 EXPECT_THAT(watcher_state_2->error_queue,
753 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
754 CancelWatch(watcher_state_2);
755 }
756
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForRootNameWithPreexistingErrorForIdentityName)757 TEST_F(GrpcTlsCertificateDistributorTest,
758 SetErrorForRootNameWithPreexistingErrorForIdentityName) {
759 WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1);
760 // Should not trigger OnError.
761 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
762 // Calling SetErrorForCert on kCertName2 should trigger OnError.
763 distributor_.SetErrorForCert(kCertName2, GRPC_ERROR_CREATE(kRootErrorMessage),
764 absl::nullopt);
765 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
766 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
767 CancelWatch(watcher_state_1);
768 // Register watcher 2 for kCertName2 as root and a non-existing name
769 // kIdentityCert1Name as identity.
770 WatcherState* watcher_state_2 = MakeWatcher(kCertName2, kIdentityCert1Name);
771 // Should not trigger OnError.
772 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
773 // Calling SetErrorForCert on kCertName2 should trigger OnError.
774 distributor_.SetErrorForCert(kCertName2, GRPC_ERROR_CREATE(kRootErrorMessage),
775 absl::nullopt);
776 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
777 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
778 CancelWatch(watcher_state_2);
779 }
780
TEST_F(GrpcTlsCertificateDistributorTest,CancelTheLastWatcherOnAnErroredCertInfo)781 TEST_F(GrpcTlsCertificateDistributorTest,
782 CancelTheLastWatcherOnAnErroredCertInfo) {
783 // Register watcher 1.
784 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
785 // Calling SetErrorForCert on both cert names should only call one OnError
786 // on watcher 1.
787 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
788 GRPC_ERROR_CREATE(kIdentityErrorMessage));
789 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
790 ::testing::ElementsAre(
791 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
792 // When watcher 1 is removed, the cert info entry should be removed.
793 CancelWatch(watcher_state_1);
794 // Register watcher 2 on the same cert name.
795 WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1);
796 // Should not trigger OnError call on watcher 2 right away.
797 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
798 CancelWatch(watcher_state_2);
799 }
800
TEST_F(GrpcTlsCertificateDistributorTest,WatchErroredCertInfoWithValidCredentialData)801 TEST_F(GrpcTlsCertificateDistributorTest,
802 WatchErroredCertInfoWithValidCredentialData) {
803 // Push credential updates to kCertName1.
804 distributor_.SetKeyMaterials(
805 kCertName1, kRootCert1Contents,
806 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
807 // Calling SetErrorForCert on both cert names.
808 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
809 GRPC_ERROR_CREATE(kIdentityErrorMessage));
810 // Register watcher 1.
811 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
812 // watcher 1 should receive both the old credentials and the error right away.
813 EXPECT_THAT(
814 watcher_state_1->GetCredentialQueue(),
815 ::testing::ElementsAre(CredentialInfo(
816 kRootCert1Contents,
817 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
818 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
819 ::testing::ElementsAre(
820 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
821 CancelWatch(watcher_state_1);
822 }
823
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertThenSuccessfulCredentialUpdates)824 TEST_F(GrpcTlsCertificateDistributorTest,
825 SetErrorForCertThenSuccessfulCredentialUpdates) {
826 // Calling SetErrorForCert on both cert names.
827 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
828 GRPC_ERROR_CREATE(kIdentityErrorMessage));
829 // Push credential updates to kCertName1.
830 distributor_.SetKeyMaterials(
831 kCertName1, kRootCert1Contents,
832 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
833 // Register watcher 1.
834 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
835 // watcher 1 should only receive credential updates without any error, because
836 // the previous error is wiped out by a successful update.
837 EXPECT_THAT(
838 watcher_state_1->GetCredentialQueue(),
839 ::testing::ElementsAre(CredentialInfo(
840 kRootCert1Contents,
841 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
842 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
843 CancelWatch(watcher_state_1);
844 }
845
TEST_F(GrpcTlsCertificateDistributorTest,WatchCertInfoThenInvokeSetError)846 TEST_F(GrpcTlsCertificateDistributorTest, WatchCertInfoThenInvokeSetError) {
847 // Register watcher 1.
848 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
849 // Register watcher 2.
850 WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, absl::nullopt);
851 // Register watcher 3.
852 WatcherState* watcher_state_3 =
853 MakeWatcher(absl::nullopt, kIdentityCert1Name);
854 distributor_.SetError(GRPC_ERROR_CREATE(kErrorMessage));
855 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
856 ::testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage)));
857 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
858 ::testing::ElementsAre(ErrorInfo(kErrorMessage, "")));
859 EXPECT_THAT(watcher_state_3->GetErrorQueue(),
860 ::testing::ElementsAre(ErrorInfo("", kErrorMessage)));
861 CancelWatch(watcher_state_1);
862 CancelWatch(watcher_state_2);
863 CancelWatch(watcher_state_3);
864 }
865
TEST_F(GrpcTlsCertificateDistributorTest,WatchErroredCertInfoBySetError)866 TEST_F(GrpcTlsCertificateDistributorTest, WatchErroredCertInfoBySetError) {
867 // Register watcher 1 watching kCertName1 as root.
868 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
869 // Register watcher 2 watching kCertName2 as identity.
870 WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName2);
871 // Call SetError and then cancel all watchers.
872 distributor_.SetError(GRPC_ERROR_CREATE(kErrorMessage));
873 CancelWatch(watcher_state_1);
874 CancelWatch(watcher_state_2);
875 // Register watcher 3 watching kCertName1 as root and kCertName2 as identity
876 // should not get the error updates.
877 WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName2);
878 EXPECT_THAT(watcher_state_3->GetErrorQueue(), ::testing::ElementsAre());
879 CancelWatch(watcher_state_3);
880 // Register watcher 4 watching kCertName2 as root and kCertName1 as identity
881 // should not get the error updates.
882 WatcherState* watcher_state_4 = MakeWatcher(kCertName2, kCertName1);
883 EXPECT_THAT(watcher_state_4->GetErrorQueue(), ::testing::ElementsAre());
884 CancelWatch(watcher_state_4);
885 }
886
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertInCallback)887 TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertInCallback) {
888 distributor_.SetWatchStatusCallback([this](std::string cert_name,
889 bool /*root_being_watched*/,
890 bool /*identity_being_watched*/) {
891 this->distributor_.SetErrorForCert(
892 cert_name, GRPC_ERROR_CREATE(kRootErrorMessage),
893 GRPC_ERROR_CREATE(kIdentityErrorMessage));
894 });
895 auto verify_function = [this](std::string cert_name) {
896 WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name);
897 // Check the errors are delivered to watcher 1.
898 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
899 ::testing::ElementsAre(
900 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
901 CancelWatch(watcher_state_1);
902 };
903 // Start 1000 threads that will register a watcher to a new cert name, verify
904 // the key materials being set, and then cancel the watcher, to make sure the
905 // lock mechanism in the distributor is safe.
906 std::vector<std::thread> threads;
907 threads.reserve(1000);
908 for (int i = 0; i < 1000; ++i) {
909 threads.emplace_back(verify_function, std::to_string(i));
910 }
911 for (auto& th : threads) {
912 th.join();
913 }
914 }
915
916 } // namespace testing
917
918 } // namespace grpc_core
919
main(int argc,char ** argv)920 int main(int argc, char** argv) {
921 grpc::testing::TestEnvironment env(&argc, argv);
922 ::testing::InitGoogleTest(&argc, argv);
923 grpc_init();
924 int ret = RUN_ALL_TESTS();
925 grpc_shutdown();
926 return ret;
927 }
928