1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
20
21 #include <gmock/gmock.h>
22 #include <grpc/credentials.h>
23 #include <grpc/grpc_crl_provider.h>
24 #include <grpc/support/alloc.h>
25 #include <grpc/support/string_util.h>
26 #include <gtest/gtest.h>
27
28 #include "src/core/config/config_vars.h"
29 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
30 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
31 #include "src/core/util/crash.h"
32 #include "src/core/util/tmpfile.h"
33 #include "test/core/test_util/test_config.h"
34 #include "test/core/test_util/tls_utils.h"
35
36 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
37 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
38 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
39 #define CA_CERT_PATH_2 "src/core/tsi/test_creds/multi-domain.pem"
40 #define SERVER_CERT_PATH_2 "src/core/tsi/test_creds/server0.pem"
41 #define SERVER_KEY_PATH_2 "src/core/tsi/test_creds/server0.key"
42 #define INVALID_PATH "invalid/path"
43
44 namespace grpc_core {
45
46 namespace testing {
47
48 class GrpcTlsCredentialsOptionsTest : public ::testing::Test {
49 protected:
SetUp()50 void SetUp() override {
51 root_cert_ = GetFileContents(CA_CERT_PATH);
52 cert_chain_ = GetFileContents(SERVER_CERT_PATH);
53 private_key_ = GetFileContents(SERVER_KEY_PATH);
54 root_cert_2_ = GetFileContents(CA_CERT_PATH_2);
55 cert_chain_2_ = GetFileContents(SERVER_CERT_PATH_2);
56 private_key_2_ = GetFileContents(SERVER_KEY_PATH_2);
57 }
58
59 std::string root_cert_;
60 std::string private_key_;
61 std::string cert_chain_;
62 std::string root_cert_2_;
63 std::string private_key_2_;
64 std::string cert_chain_2_;
65 HostNameCertificateVerifier hostname_certificate_verifier_;
66 };
67
TEST_F(GrpcTlsCredentialsOptionsTest,BadTlsVersionsForChannelCredentials)68 TEST_F(GrpcTlsCredentialsOptionsTest, BadTlsVersionsForChannelCredentials) {
69 auto options = grpc_tls_credentials_options_create();
70 options->set_max_tls_version(grpc_tls_version::TLS1_2);
71 options->set_min_tls_version(grpc_tls_version::TLS1_3);
72 auto credentials = grpc_tls_credentials_create(options);
73 EXPECT_EQ(credentials, nullptr);
74 }
75
TEST_F(GrpcTlsCredentialsOptionsTest,BadTlsVersionsForServerCredentials)76 TEST_F(GrpcTlsCredentialsOptionsTest, BadTlsVersionsForServerCredentials) {
77 auto server_options = grpc_tls_credentials_options_create();
78 server_options->set_max_tls_version(grpc_tls_version::TLS1_2);
79 server_options->set_min_tls_version(grpc_tls_version::TLS1_3);
80 auto server_credentials = grpc_tls_server_credentials_create(server_options);
81 EXPECT_EQ(server_credentials, nullptr);
82 }
83
84 //
85 // Tests for Default Root Certs.
86 //
87
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsOnDefaultRootCerts)88 TEST_F(GrpcTlsCredentialsOptionsTest, ClientOptionsOnDefaultRootCerts) {
89 auto options = MakeRefCounted<grpc_tls_credentials_options>();
90 auto credentials = MakeRefCounted<TlsCredentials>(options);
91 ASSERT_NE(credentials, nullptr);
92 ChannelArgs new_args;
93 auto connector = credentials->create_security_connector(
94 nullptr, "random targets", &new_args);
95 ASSERT_NE(connector, nullptr);
96 TlsChannelSecurityConnector* tls_connector =
97 static_cast<TlsChannelSecurityConnector*>(connector.get());
98 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
99 }
100
101 //
102 // Tests for StaticDataCertificateProvider.
103 //
104
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnBothCerts)105 TEST_F(GrpcTlsCredentialsOptionsTest,
106 ClientOptionsWithStaticDataProviderOnBothCerts) {
107 auto options = MakeRefCounted<grpc_tls_credentials_options>();
108 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
109 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
110 options->set_certificate_provider(std::move(provider));
111 options->set_watch_root_cert(true);
112 options->set_watch_identity_pair(true);
113 auto credentials = MakeRefCounted<TlsCredentials>(options);
114 ASSERT_NE(credentials, nullptr);
115 ChannelArgs new_args;
116 auto connector = credentials->create_security_connector(
117 nullptr, "random targets", &new_args);
118 ASSERT_NE(connector, nullptr);
119 TlsChannelSecurityConnector* tls_connector =
120 static_cast<TlsChannelSecurityConnector*>(connector.get());
121 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
122 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
123 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
124 }
125
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnRootCerts)126 TEST_F(GrpcTlsCredentialsOptionsTest,
127 ClientOptionsWithStaticDataProviderOnRootCerts) {
128 auto options = MakeRefCounted<grpc_tls_credentials_options>();
129 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
130 root_cert_, PemKeyCertPairList());
131 options->set_certificate_provider(std::move(provider));
132 options->set_watch_root_cert(true);
133 auto credentials = MakeRefCounted<TlsCredentials>(options);
134 ASSERT_NE(credentials, nullptr);
135 ChannelArgs new_args;
136 auto connector = credentials->create_security_connector(
137 nullptr, "random targets", &new_args);
138 ASSERT_NE(connector, nullptr);
139 TlsChannelSecurityConnector* tls_connector =
140 static_cast<TlsChannelSecurityConnector*>(connector.get());
141 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
142 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
143 EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
144 }
145
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnNotProvidedCerts)146 TEST_F(GrpcTlsCredentialsOptionsTest,
147 ClientOptionsWithStaticDataProviderOnNotProvidedCerts) {
148 auto options = MakeRefCounted<grpc_tls_credentials_options>();
149 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
150 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
151 options->set_certificate_provider(std::move(provider));
152 options->set_watch_root_cert(true);
153 auto credentials = MakeRefCounted<TlsCredentials>(options);
154 ASSERT_NE(credentials, nullptr);
155 ChannelArgs new_args;
156 auto connector = credentials->create_security_connector(
157 nullptr, "random targets", &new_args);
158 ASSERT_NE(connector, nullptr);
159 TlsChannelSecurityConnector* tls_connector =
160 static_cast<TlsChannelSecurityConnector*>(connector.get());
161 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
162 }
163
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithDefaultRootAndStaticDataProviderOnIdentityCerts)164 TEST_F(GrpcTlsCredentialsOptionsTest,
165 ClientOptionsWithDefaultRootAndStaticDataProviderOnIdentityCerts) {
166 auto options = MakeRefCounted<grpc_tls_credentials_options>();
167 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
168 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
169 options->set_certificate_provider(std::move(provider));
170 options->set_watch_identity_pair(true);
171 auto credentials = MakeRefCounted<TlsCredentials>(options);
172 ASSERT_NE(credentials, nullptr);
173 ChannelArgs new_args;
174 auto connector = credentials->create_security_connector(
175 nullptr, "random targets", &new_args);
176 ASSERT_NE(connector, nullptr);
177 TlsChannelSecurityConnector* tls_connector =
178 static_cast<TlsChannelSecurityConnector*>(connector.get());
179 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
180 }
181
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnBothCerts)182 TEST_F(GrpcTlsCredentialsOptionsTest,
183 ServerOptionsWithStaticDataProviderOnBothCerts) {
184 auto options = MakeRefCounted<grpc_tls_credentials_options>();
185 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
186 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
187 options->set_certificate_provider(std::move(provider));
188 options->set_watch_root_cert(true);
189 options->set_watch_identity_pair(true);
190 options->set_cert_request_type(
191 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
192 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
193 ASSERT_NE(credentials, nullptr);
194 auto connector = credentials->create_security_connector(ChannelArgs());
195 ASSERT_NE(connector, nullptr);
196 TlsServerSecurityConnector* tls_connector =
197 static_cast<TlsServerSecurityConnector*>(connector.get());
198 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
199 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
200 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
201 }
202
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnIdentityCerts)203 TEST_F(GrpcTlsCredentialsOptionsTest,
204 ServerOptionsWithStaticDataProviderOnIdentityCerts) {
205 auto options = MakeRefCounted<grpc_tls_credentials_options>();
206 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
207 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
208 options->set_certificate_provider(std::move(provider));
209 options->set_watch_identity_pair(true);
210 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
211 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
212 ASSERT_NE(credentials, nullptr);
213 auto connector = credentials->create_security_connector(ChannelArgs());
214 ASSERT_NE(connector, nullptr);
215 TlsServerSecurityConnector* tls_connector =
216 static_cast<TlsServerSecurityConnector*>(connector.get());
217 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
218 EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
219 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
220 }
221
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnNotProvidedCerts)222 TEST_F(GrpcTlsCredentialsOptionsTest,
223 ServerOptionsWithStaticDataProviderOnNotProvidedCerts) {
224 auto options = MakeRefCounted<grpc_tls_credentials_options>();
225 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
226 root_cert_, PemKeyCertPairList());
227 options->set_certificate_provider(std::move(provider));
228 options->set_watch_identity_pair(true);
229 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
230 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
231 ASSERT_NE(credentials, nullptr);
232 auto connector = credentials->create_security_connector(ChannelArgs());
233 ASSERT_NE(connector, nullptr);
234 TlsServerSecurityConnector* tls_connector =
235 static_cast<TlsServerSecurityConnector*>(connector.get());
236 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
237 }
238
239 //
240 // Tests for FileWatcherCertificateProvider.
241 //
242
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnBothCerts)243 TEST_F(GrpcTlsCredentialsOptionsTest,
244 ClientOptionsWithCertWatcherProviderOnBothCerts) {
245 auto options = MakeRefCounted<grpc_tls_credentials_options>();
246 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
247 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
248 options->set_certificate_provider(std::move(provider));
249 options->set_watch_root_cert(true);
250 options->set_watch_identity_pair(true);
251 auto credentials = MakeRefCounted<TlsCredentials>(options);
252 ASSERT_NE(credentials, nullptr);
253 ChannelArgs new_args;
254 auto connector = credentials->create_security_connector(
255 nullptr, "random targets", &new_args);
256 ASSERT_NE(connector, nullptr);
257 TlsChannelSecurityConnector* tls_connector =
258 static_cast<TlsChannelSecurityConnector*>(connector.get());
259 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
260 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
261 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
262 }
263
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnRootCerts)264 TEST_F(GrpcTlsCredentialsOptionsTest,
265 ClientOptionsWithCertWatcherProviderOnRootCerts) {
266 auto options = MakeRefCounted<grpc_tls_credentials_options>();
267 auto provider =
268 MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
269 options->set_certificate_provider(std::move(provider));
270 options->set_watch_root_cert(true);
271 auto credentials = MakeRefCounted<TlsCredentials>(options);
272 ASSERT_NE(credentials, nullptr);
273 ChannelArgs new_args;
274 auto connector = credentials->create_security_connector(
275 nullptr, "random targets", &new_args);
276 ASSERT_NE(connector, nullptr);
277 TlsChannelSecurityConnector* tls_connector =
278 static_cast<TlsChannelSecurityConnector*>(connector.get());
279 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
280 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
281 EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
282 }
283
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnNotProvidedCerts)284 TEST_F(GrpcTlsCredentialsOptionsTest,
285 ClientOptionsWithCertWatcherProviderOnNotProvidedCerts) {
286 auto options = MakeRefCounted<grpc_tls_credentials_options>();
287 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
288 SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
289 options->set_certificate_provider(std::move(provider));
290 options->set_watch_root_cert(true);
291 auto credentials = MakeRefCounted<TlsCredentials>(options);
292 ASSERT_NE(credentials, nullptr);
293 ChannelArgs new_args;
294 auto connector = credentials->create_security_connector(
295 nullptr, "random targets", &new_args);
296 ASSERT_NE(connector, nullptr);
297 TlsChannelSecurityConnector* tls_connector =
298 static_cast<TlsChannelSecurityConnector*>(connector.get());
299 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
300 }
301
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnBadTrustCerts)302 TEST_F(GrpcTlsCredentialsOptionsTest,
303 ClientOptionsWithCertWatcherProviderOnBadTrustCerts) {
304 auto options = MakeRefCounted<grpc_tls_credentials_options>();
305 auto provider =
306 MakeRefCounted<FileWatcherCertificateProvider>("", "", INVALID_PATH, 1);
307 options->set_certificate_provider(std::move(provider));
308 options->set_watch_root_cert(true);
309 auto credentials = MakeRefCounted<TlsCredentials>(options);
310 ASSERT_NE(credentials, nullptr);
311 ChannelArgs new_args;
312 auto connector = credentials->create_security_connector(
313 nullptr, "random targets", &new_args);
314 ASSERT_NE(connector, nullptr);
315 TlsChannelSecurityConnector* tls_connector =
316 static_cast<TlsChannelSecurityConnector*>(connector.get());
317 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
318 }
319
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnBothCerts)320 TEST_F(GrpcTlsCredentialsOptionsTest,
321 ServerOptionsWithCertWatcherProviderOnBothCerts) {
322 auto options = MakeRefCounted<grpc_tls_credentials_options>();
323 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
324 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
325 options->set_certificate_provider(std::move(provider));
326 options->set_watch_root_cert(true);
327 options->set_watch_identity_pair(true);
328 options->set_cert_request_type(
329 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
330 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
331 ASSERT_NE(credentials, nullptr);
332 auto connector = credentials->create_security_connector(ChannelArgs());
333 ASSERT_NE(connector, nullptr);
334 TlsServerSecurityConnector* tls_connector =
335 static_cast<TlsServerSecurityConnector*>(connector.get());
336 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
337 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
338 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
339 }
340
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnIdentityCerts)341 TEST_F(GrpcTlsCredentialsOptionsTest,
342 ServerOptionsWithCertWatcherProviderOnIdentityCerts) {
343 auto options = MakeRefCounted<grpc_tls_credentials_options>();
344 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
345 SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
346 options->set_certificate_provider(std::move(provider));
347 options->set_watch_identity_pair(true);
348 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
349 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
350 ASSERT_NE(credentials, nullptr);
351 auto connector = credentials->create_security_connector(ChannelArgs());
352 ASSERT_NE(connector, nullptr);
353 TlsServerSecurityConnector* tls_connector =
354 static_cast<TlsServerSecurityConnector*>(connector.get());
355 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
356 EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
357 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
358 }
359
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnNotProvidedCerts)360 TEST_F(GrpcTlsCredentialsOptionsTest,
361 ServerOptionsWithCertWatcherProviderOnNotProvidedCerts) {
362 auto options = MakeRefCounted<grpc_tls_credentials_options>();
363 auto provider =
364 MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
365 options->set_certificate_provider(std::move(provider));
366 options->set_watch_identity_pair(true);
367 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
368 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
369 ASSERT_NE(credentials, nullptr);
370 auto connector = credentials->create_security_connector(ChannelArgs());
371 ASSERT_NE(connector, nullptr);
372 TlsServerSecurityConnector* tls_connector =
373 static_cast<TlsServerSecurityConnector*>(connector.get());
374 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
375 }
376
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnBadIdentityCerts)377 TEST_F(GrpcTlsCredentialsOptionsTest,
378 ServerOptionsWithCertWatcherProviderOnBadIdentityCerts) {
379 auto options = MakeRefCounted<grpc_tls_credentials_options>();
380 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
381 INVALID_PATH, INVALID_PATH, "", 1);
382 options->set_certificate_provider(std::move(provider));
383 options->set_watch_identity_pair(true);
384 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
385 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
386 ASSERT_NE(credentials, nullptr);
387 auto connector = credentials->create_security_connector(ChannelArgs());
388 ASSERT_NE(connector, nullptr);
389 TlsServerSecurityConnector* tls_connector =
390 static_cast<TlsServerSecurityConnector*>(connector.get());
391 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
392 }
393
394 //
395 // Tests writing credential data to temporary files to test the
396 // transition behavior of the provider.
397 //
398
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnCertificateRefreshed)399 TEST_F(GrpcTlsCredentialsOptionsTest,
400 ClientOptionsWithCertWatcherProviderOnCertificateRefreshed) {
401 // Create temporary files and copy cert data into them.
402 TmpFile tmp_root_cert(root_cert_);
403 TmpFile tmp_identity_key(private_key_);
404 TmpFile tmp_identity_cert(cert_chain_);
405 // Create ClientOptions using FileWatcherCertificateProvider.
406 auto options = MakeRefCounted<grpc_tls_credentials_options>();
407 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
408 tmp_identity_key.name(), tmp_identity_cert.name(), tmp_root_cert.name(),
409 1);
410 options->set_certificate_provider(std::move(provider));
411 options->set_watch_root_cert(true);
412 options->set_watch_identity_pair(true);
413 auto credentials = MakeRefCounted<TlsCredentials>(options);
414 ASSERT_NE(credentials, nullptr);
415 ChannelArgs new_args;
416 auto connector = credentials->create_security_connector(
417 nullptr, "random targets", &new_args);
418 ASSERT_NE(connector, nullptr);
419 TlsChannelSecurityConnector* tls_connector =
420 static_cast<TlsChannelSecurityConnector*>(connector.get());
421 // Expect to see the credential data.
422 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
423 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
424 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
425 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
426 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
427 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
428 // Copy new data to files.
429 // TODO(ZhenLian): right now it is not completely atomic. Use the real atomic
430 // update when the directory renaming is added in gpr.
431 tmp_root_cert.RewriteFile(root_cert_2_);
432 tmp_identity_key.RewriteFile(private_key_2_);
433 tmp_identity_cert.RewriteFile(cert_chain_2_);
434 // Wait 10 seconds for the provider's refresh thread to read the updated
435 // files.
436 gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
437 gpr_time_from_seconds(10, GPR_TIMESPAN)));
438 // Expect to see new credential data loaded by the security connector.
439 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
440 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
441 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_2_);
442 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
443 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
444 MakeCertKeyPairs(private_key_2_.c_str(), cert_chain_2_.c_str()));
445 }
446
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnDeletedFiles)447 TEST_F(GrpcTlsCredentialsOptionsTest,
448 ClientOptionsWithCertWatcherProviderOnDeletedFiles) {
449 // Create temporary files and copy cert data into it.
450 auto tmp_root_cert = std::make_unique<TmpFile>(root_cert_);
451 auto tmp_identity_key = std::make_unique<TmpFile>(private_key_);
452 auto tmp_identity_cert = std::make_unique<TmpFile>(cert_chain_);
453 // Create ClientOptions using FileWatcherCertificateProvider.
454 auto options = MakeRefCounted<grpc_tls_credentials_options>();
455 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
456 tmp_identity_key->name(), tmp_identity_cert->name(),
457 tmp_root_cert->name(), 1);
458 options->set_certificate_provider(std::move(provider));
459 options->set_watch_root_cert(true);
460 options->set_watch_identity_pair(true);
461 auto credentials = MakeRefCounted<TlsCredentials>(options);
462 ASSERT_NE(credentials, nullptr);
463 ChannelArgs new_args;
464 auto connector = credentials->create_security_connector(
465 nullptr, "random targets", &new_args);
466 ASSERT_NE(connector, nullptr);
467 TlsChannelSecurityConnector* tls_connector =
468 static_cast<TlsChannelSecurityConnector*>(connector.get());
469 // The initial data is all good, so we expect to have successful credential
470 // updates.
471 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
472 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
473 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
474 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
475 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
476 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
477 // Delete TmpFile objects, which will remove the corresponding files.
478 tmp_root_cert.reset();
479 tmp_identity_key.reset();
480 tmp_identity_cert.reset();
481 // Wait 10 seconds for the provider's refresh thread to read the deleted
482 // files.
483 gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
484 gpr_time_from_seconds(10, GPR_TIMESPAN)));
485 // It's a bit hard to test if errors are sent to the security connector,
486 // because the security connector simply logs the error. We will see the err
487 // messages if we open the log.
488 // The old certs should still being used.
489 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
490 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
491 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
492 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
493 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
494 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
495 }
496
497 //
498 // Tests for ExternalCertificateVerifier.
499 // It will only test the creation of security connector, so the actual verify
500 // logic is not invoked.
501 //
502
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithExternalVerifier)503 TEST_F(GrpcTlsCredentialsOptionsTest, ClientOptionsWithExternalVerifier) {
504 auto* sync_verifier_ = new SyncExternalVerifier(true);
505 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
506 auto options = MakeRefCounted<grpc_tls_credentials_options>();
507 options->set_verify_server_cert(true);
508 options->set_certificate_verifier(core_external_verifier.Ref());
509 options->set_check_call_host(false);
510 auto credentials = MakeRefCounted<TlsCredentials>(options);
511 ASSERT_NE(credentials, nullptr);
512 ChannelArgs new_args;
513 auto connector = credentials->create_security_connector(
514 nullptr, "random targets", &new_args);
515 ASSERT_NE(connector, nullptr);
516 TlsChannelSecurityConnector* tls_connector =
517 static_cast<TlsChannelSecurityConnector*>(connector.get());
518 EXPECT_NE(tls_connector, nullptr);
519 }
520
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithExternalVerifier)521 TEST_F(GrpcTlsCredentialsOptionsTest, ServerOptionsWithExternalVerifier) {
522 auto* sync_verifier_ = new SyncExternalVerifier(true);
523 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
524 auto options = MakeRefCounted<grpc_tls_credentials_options>();
525 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
526 options->set_certificate_verifier(core_external_verifier.Ref());
527 // On server side we have to set the provider providing identity certs.
528 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
529 root_cert_, PemKeyCertPairList());
530 options->set_certificate_provider(std::move(provider));
531 options->set_watch_identity_pair(true);
532 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
533 ASSERT_NE(credentials, nullptr);
534 auto connector = credentials->create_security_connector(ChannelArgs());
535 ASSERT_NE(connector, nullptr);
536 TlsServerSecurityConnector* tls_connector =
537 static_cast<TlsServerSecurityConnector*>(connector.get());
538 EXPECT_NE(tls_connector, nullptr);
539 }
540
541 //
542 // Tests for HostnameCertificateVerifier.
543 //
544
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithHostnameCertificateVerifier)545 TEST_F(GrpcTlsCredentialsOptionsTest,
546 ClientOptionsWithHostnameCertificateVerifier) {
547 auto options = MakeRefCounted<grpc_tls_credentials_options>();
548 options->set_verify_server_cert(true);
549 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
550 auto credentials = MakeRefCounted<TlsCredentials>(options);
551 ASSERT_NE(credentials, nullptr);
552 ChannelArgs new_args;
553 auto connector = credentials->create_security_connector(
554 nullptr, "random targets", &new_args);
555 ASSERT_NE(connector, nullptr);
556 TlsChannelSecurityConnector* tls_connector =
557 static_cast<TlsChannelSecurityConnector*>(connector.get());
558 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
559 }
560
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithHostnameCertificateVerifier)561 TEST_F(GrpcTlsCredentialsOptionsTest,
562 ServerOptionsWithHostnameCertificateVerifier) {
563 auto options = MakeRefCounted<grpc_tls_credentials_options>();
564 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
565 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
566 // On server side we have to set the provider providing identity certs.
567 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
568 root_cert_, PemKeyCertPairList());
569 options->set_certificate_provider(std::move(provider));
570 options->set_watch_identity_pair(true);
571 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
572 ASSERT_NE(credentials, nullptr);
573 auto connector = credentials->create_security_connector(ChannelArgs());
574 ASSERT_NE(connector, nullptr);
575 TlsServerSecurityConnector* tls_connector =
576 static_cast<TlsServerSecurityConnector*>(connector.get());
577 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
578 }
579
TEST_F(GrpcTlsCredentialsOptionsTest,CrlProvider)580 TEST_F(GrpcTlsCredentialsOptionsTest, CrlProvider) {
581 auto options = MakeRefCounted<grpc_tls_credentials_options>();
582 auto provider = experimental::CreateStaticCrlProvider({});
583 ASSERT_TRUE(provider.ok());
584 options->set_crl_provider(std::move(*provider));
585 auto credentials = MakeRefCounted<TlsCredentials>(options);
586 ASSERT_NE(credentials, nullptr);
587 ChannelArgs new_args;
588 auto connector = credentials->create_security_connector(
589 nullptr, "random targets", &new_args);
590 ASSERT_NE(connector, nullptr);
591 TlsChannelSecurityConnector* tls_connector =
592 static_cast<TlsChannelSecurityConnector*>(connector.get());
593 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
594 }
595
TEST_F(GrpcTlsCredentialsOptionsTest,CrlProviderWithServerCredentials)596 TEST_F(GrpcTlsCredentialsOptionsTest, CrlProviderWithServerCredentials) {
597 auto options = MakeRefCounted<grpc_tls_credentials_options>();
598 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
599 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
600 options->set_certificate_provider(std::move(provider));
601 options->set_watch_root_cert(true);
602 options->set_watch_identity_pair(true);
603 options->set_cert_request_type(
604 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
605 auto crl_provider = experimental::CreateStaticCrlProvider({});
606 ASSERT_TRUE(crl_provider.ok());
607 options->set_crl_provider(std::move(*crl_provider));
608 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
609 ASSERT_NE(credentials, nullptr);
610 ChannelArgs new_args;
611 auto connector = credentials->create_security_connector(new_args);
612 ASSERT_NE(connector, nullptr);
613 TlsServerSecurityConnector* tls_connector =
614 static_cast<TlsServerSecurityConnector*>(connector.get());
615 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
616 }
617
618 } // namespace testing
619
620 } // namespace grpc_core
621
main(int argc,char ** argv)622 int main(int argc, char** argv) {
623 grpc::testing::TestEnvironment env(&argc, argv);
624 grpc_core::ConfigVars::Overrides overrides;
625 overrides.default_ssl_roots_file_path = CA_CERT_PATH;
626 grpc_core::ConfigVars::SetOverrides(overrides);
627 ::testing::InitGoogleTest(&argc, argv);
628 grpc_init();
629 int ret = RUN_ALL_TESTS();
630 grpc_shutdown();
631 return ret;
632 }
633