1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include <grpc/credentials.h>
20 #include <grpc/grpc.h>
21 #include <grpc/grpc_security.h>
22 #include <grpc/status.h>
23
24 #include <memory>
25
26 #include "absl/log/log.h"
27 #include "absl/types/optional.h"
28 #include "gtest/gtest.h"
29 #include "src/core/lib/channel/channel_args.h"
30 #include "src/core/lib/security/credentials/credentials.h"
31 #include "src/core/util/time.h"
32 #include "test/core/end2end/end2end_tests.h"
33
34 namespace grpc_core {
35 namespace {
36
37 const char iam_token[] = "token";
38 const char iam_selector[] = "selector";
39 const char overridden_iam_token[] = "overridden_token";
40 const char overridden_iam_selector[] = "overridden_selector";
41 const char fake_md_key[] = "fake_key";
42 const char fake_md_value[] = "fake_value";
43 const char overridden_fake_md_key[] = "overridden_fake_key";
44 const char overridden_fake_md_value[] = "overridden_fake_value";
45
PrintAuthContext(bool is_client,const grpc_auth_context * ctx)46 void PrintAuthContext(bool is_client, const grpc_auth_context* ctx) {
47 const grpc_auth_property* p;
48 grpc_auth_property_iterator it;
49 LOG(INFO) << (is_client ? "client" : "server") << " peer:";
50 LOG(INFO) << "\tauthenticated: "
51 << (grpc_auth_context_peer_is_authenticated(ctx) ? "YES" : "NO");
52 it = grpc_auth_context_peer_identity(ctx);
53 while ((p = grpc_auth_property_iterator_next(&it)) != nullptr) {
54 LOG(INFO) << "\t\t" << p->name << ": " << p->value;
55 }
56 LOG(INFO) << "\tall properties:";
57 it = grpc_auth_context_property_iterator(ctx);
58 while ((p = grpc_auth_property_iterator_next(&it)) != nullptr) {
59 LOG(INFO) << "\t\t" << p->name << ": " << p->value;
60 }
61 }
62
TestRequestResponseWithPayloadAndCallCreds(CoreEnd2endTest & test,bool use_secure_call_creds)63 void TestRequestResponseWithPayloadAndCallCreds(CoreEnd2endTest& test,
64 bool use_secure_call_creds) {
65 auto c = test.NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
66 grpc_call_credentials* creds;
67 if (use_secure_call_creds) {
68 creds =
69 grpc_google_iam_credentials_create(iam_token, iam_selector, nullptr);
70 } else {
71 creds = grpc_md_only_test_credentials_create(fake_md_key, fake_md_value);
72 }
73 EXPECT_NE(creds, nullptr);
74 c.SetCredentials(creds);
75 IncomingMetadata server_initial_metadata;
76 IncomingMessage server_message;
77 IncomingStatusOnClient server_status;
78 c.NewBatch(1)
79 .SendInitialMetadata({})
80 .SendMessage("hello world")
81 .SendCloseFromClient()
82 .RecvInitialMetadata(server_initial_metadata)
83 .RecvMessage(server_message)
84 .RecvStatusOnClient(server_status);
85 auto s = test.RequestCall(101);
86 test.Expect(101, true);
87 test.Step();
88 PrintAuthContext(false, s.GetAuthContext().get());
89 PrintAuthContext(true, c.GetAuthContext().get());
90 // Cannot set creds on the server call object.
91 EXPECT_NE(grpc_call_set_credentials(s.c_call(), nullptr), GRPC_CALL_OK);
92 IncomingMessage client_message;
93 s.NewBatch(102).SendInitialMetadata({}).RecvMessage(client_message);
94 test.Expect(102, true);
95 test.Step();
96 IncomingCloseOnServer client_close;
97 s.NewBatch(103)
98 .RecvCloseOnServer(client_close)
99 .SendMessage("hello you")
100 .SendStatusFromServer(GRPC_STATUS_OK, "xyz", {});
101 test.Expect(103, true);
102 test.Expect(1, true);
103 test.Step();
104 EXPECT_EQ(server_status.status(), GRPC_STATUS_OK);
105 EXPECT_EQ(server_status.message(), "xyz");
106 EXPECT_EQ(s.method(), "/foo");
107 EXPECT_FALSE(client_close.was_cancelled());
108 EXPECT_EQ(client_message.payload(), "hello world");
109 EXPECT_EQ(server_message.payload(), "hello you");
110 if (use_secure_call_creds) {
111 EXPECT_EQ(s.GetInitialMetadata(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
112 iam_token);
113 EXPECT_EQ(s.GetInitialMetadata(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
114 iam_selector);
115 } else {
116 EXPECT_EQ(s.GetInitialMetadata(fake_md_key), fake_md_value);
117 }
118 }
119
TestRequestResponseWithPayloadAndOverriddenCallCreds(CoreEnd2endTest & test,bool use_secure_call_creds)120 void TestRequestResponseWithPayloadAndOverriddenCallCreds(
121 CoreEnd2endTest& test, bool use_secure_call_creds) {
122 auto c = test.NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
123 grpc_call_credentials* creds;
124 if (use_secure_call_creds) {
125 creds =
126 grpc_google_iam_credentials_create(iam_token, iam_selector, nullptr);
127 } else {
128 creds = grpc_md_only_test_credentials_create(fake_md_key, fake_md_value);
129 }
130 EXPECT_NE(creds, nullptr);
131 c.SetCredentials(creds);
132 if (use_secure_call_creds) {
133 creds = grpc_google_iam_credentials_create(
134 overridden_iam_token, overridden_iam_selector, nullptr);
135 } else {
136 creds = grpc_md_only_test_credentials_create(overridden_fake_md_key,
137 overridden_fake_md_value);
138 }
139 c.SetCredentials(creds);
140 IncomingMetadata server_initial_metadata;
141 IncomingMessage server_message;
142 IncomingStatusOnClient server_status;
143 c.NewBatch(1)
144 .SendInitialMetadata({})
145 .SendMessage("hello world")
146 .SendCloseFromClient()
147 .RecvInitialMetadata(server_initial_metadata)
148 .RecvMessage(server_message)
149 .RecvStatusOnClient(server_status);
150 auto s = test.RequestCall(101);
151 test.Expect(101, true);
152 test.Step();
153 PrintAuthContext(false, s.GetAuthContext().get());
154 PrintAuthContext(true, c.GetAuthContext().get());
155 // Cannot set creds on the server call object.
156 EXPECT_NE(grpc_call_set_credentials(s.c_call(), nullptr), GRPC_CALL_OK);
157 IncomingMessage client_message;
158 s.NewBatch(102).SendInitialMetadata({}).RecvMessage(client_message);
159 test.Expect(102, true);
160 test.Step();
161 IncomingCloseOnServer client_close;
162 s.NewBatch(103)
163 .RecvCloseOnServer(client_close)
164 .SendMessage("hello you")
165 .SendStatusFromServer(GRPC_STATUS_OK, "xyz", {});
166 test.Expect(103, true);
167 test.Expect(1, true);
168 test.Step();
169 EXPECT_EQ(server_status.status(), GRPC_STATUS_OK);
170 EXPECT_EQ(server_status.message(), "xyz");
171 EXPECT_EQ(s.method(), "/foo");
172 EXPECT_FALSE(client_close.was_cancelled());
173 EXPECT_EQ(client_message.payload(), "hello world");
174 EXPECT_EQ(server_message.payload(), "hello you");
175 if (use_secure_call_creds) {
176 EXPECT_EQ(s.GetInitialMetadata(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
177 overridden_iam_token);
178 EXPECT_EQ(s.GetInitialMetadata(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
179 overridden_iam_selector);
180 } else {
181 EXPECT_EQ(s.GetInitialMetadata(overridden_fake_md_key),
182 overridden_fake_md_value);
183 }
184 }
185
TestRequestResponseWithPayloadAndDeletedCallCreds(CoreEnd2endTest & test,bool use_secure_call_creds)186 void TestRequestResponseWithPayloadAndDeletedCallCreds(
187 CoreEnd2endTest& test, bool use_secure_call_creds) {
188 auto c = test.NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
189 grpc_call_credentials* creds;
190 if (use_secure_call_creds) {
191 creds =
192 grpc_google_iam_credentials_create(iam_token, iam_selector, nullptr);
193 } else {
194 creds = grpc_md_only_test_credentials_create(fake_md_key, fake_md_value);
195 }
196 EXPECT_NE(creds, nullptr);
197 c.SetCredentials(creds);
198 c.SetCredentials(nullptr);
199 IncomingMetadata server_initial_metadata;
200 IncomingMessage server_message;
201 IncomingStatusOnClient server_status;
202 c.NewBatch(1)
203 .SendInitialMetadata({})
204 .SendMessage("hello world")
205 .SendCloseFromClient()
206 .RecvInitialMetadata(server_initial_metadata)
207 .RecvMessage(server_message)
208 .RecvStatusOnClient(server_status);
209 auto s = test.RequestCall(101);
210 test.Expect(101, true);
211 test.Step();
212 PrintAuthContext(false, s.GetAuthContext().get());
213 PrintAuthContext(true, c.GetAuthContext().get());
214 // Cannot set creds on the server call object.
215 EXPECT_NE(grpc_call_set_credentials(s.c_call(), nullptr), GRPC_CALL_OK);
216 IncomingMessage client_message;
217 s.NewBatch(102).SendInitialMetadata({}).RecvMessage(client_message);
218 test.Expect(102, true);
219 test.Step();
220 IncomingCloseOnServer client_close;
221 s.NewBatch(103)
222 .RecvCloseOnServer(client_close)
223 .SendMessage("hello you")
224 .SendStatusFromServer(GRPC_STATUS_OK, "xyz", {});
225 test.Expect(103, true);
226 test.Expect(1, true);
227 test.Step();
228 EXPECT_EQ(server_status.status(), GRPC_STATUS_OK);
229 EXPECT_EQ(server_status.message(), "xyz");
230 EXPECT_EQ(s.method(), "/foo");
231 EXPECT_FALSE(client_close.was_cancelled());
232 EXPECT_EQ(client_message.payload(), "hello world");
233 EXPECT_EQ(server_message.payload(), "hello you");
234 EXPECT_EQ(s.GetInitialMetadata(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
235 absl::nullopt);
236 EXPECT_EQ(s.GetInitialMetadata(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
237 absl::nullopt);
238 EXPECT_EQ(s.GetInitialMetadata(fake_md_key), absl::nullopt);
239 }
240
CORE_END2END_TEST(PerCallCredsOnInsecureTest,RequestWithServerRejectingClientCreds)241 CORE_END2END_TEST(PerCallCredsOnInsecureTest,
242 RequestWithServerRejectingClientCreds) {
243 InitClient(ChannelArgs());
244 InitServer(ChannelArgs().Set(FAIL_AUTH_CHECK_SERVER_ARG_NAME, true));
245 auto c = NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
246 auto* creds =
247 grpc_md_only_test_credentials_create(fake_md_key, fake_md_value);
248 EXPECT_NE(creds, nullptr);
249 c.SetCredentials(creds);
250 IncomingMetadata server_initial_metadata;
251 IncomingMessage server_message;
252 IncomingStatusOnClient server_status;
253 c.NewBatch(1)
254 .SendInitialMetadata({})
255 .SendMessage("hello world")
256 .SendCloseFromClient()
257 .RecvInitialMetadata(server_initial_metadata)
258 .RecvMessage(server_message)
259 .RecvStatusOnClient(server_status);
260 Expect(1, true);
261 Step();
262 EXPECT_EQ(server_status.status(), GRPC_STATUS_UNAUTHENTICATED);
263 }
264
CORE_END2END_TEST(PerCallCredsTest,RequestResponseWithPayloadAndCallCreds)265 CORE_END2END_TEST(PerCallCredsTest, RequestResponseWithPayloadAndCallCreds) {
266 if (IsLocalConnectorSecureEnabled()) {
267 SKIP_IF_LOCAL_TCP_CREDS();
268 }
269 TestRequestResponseWithPayloadAndCallCreds(*this, true);
270 }
271
CORE_END2END_TEST(PerCallCredsTest,RequestResponseWithPayloadAndOverriddenCallCreds)272 CORE_END2END_TEST(PerCallCredsTest,
273 RequestResponseWithPayloadAndOverriddenCallCreds) {
274 if (IsLocalConnectorSecureEnabled()) {
275 SKIP_IF_LOCAL_TCP_CREDS();
276 }
277 TestRequestResponseWithPayloadAndOverriddenCallCreds(*this, true);
278 }
279
CORE_END2END_TEST(PerCallCredsTest,RequestResponseWithPayloadAndDeletedCallCreds)280 CORE_END2END_TEST(PerCallCredsTest,
281 RequestResponseWithPayloadAndDeletedCallCreds) {
282 TestRequestResponseWithPayloadAndDeletedCallCreds(*this, true);
283 }
284
CORE_END2END_TEST(PerCallCredsTest,RequestResponseWithPayloadAndInsecureCallCreds)285 CORE_END2END_TEST(PerCallCredsTest,
286 RequestResponseWithPayloadAndInsecureCallCreds) {
287 TestRequestResponseWithPayloadAndCallCreds(*this, false);
288 }
289
CORE_END2END_TEST(PerCallCredsTest,RequestResponseWithPayloadAndOverriddenInsecureCallCreds)290 CORE_END2END_TEST(PerCallCredsTest,
291 RequestResponseWithPayloadAndOverriddenInsecureCallCreds) {
292 TestRequestResponseWithPayloadAndOverriddenCallCreds(*this, false);
293 }
294
CORE_END2END_TEST(PerCallCredsTest,RequestResponseWithPayloadAndDeletedInsecureCallCreds)295 CORE_END2END_TEST(PerCallCredsTest,
296 RequestResponseWithPayloadAndDeletedInsecureCallCreds) {
297 TestRequestResponseWithPayloadAndDeletedCallCreds(*this, false);
298 }
299
CORE_END2END_TEST(PerCallCredsOnInsecureTest,RequestResponseWithPayloadAndInsecureCallCreds)300 CORE_END2END_TEST(PerCallCredsOnInsecureTest,
301 RequestResponseWithPayloadAndInsecureCallCreds) {
302 TestRequestResponseWithPayloadAndCallCreds(*this, false);
303 }
304
CORE_END2END_TEST(PerCallCredsOnInsecureTest,RequestResponseWithPayloadAndOverriddenInsecureCallCreds)305 CORE_END2END_TEST(PerCallCredsOnInsecureTest,
306 RequestResponseWithPayloadAndOverriddenInsecureCallCreds) {
307 TestRequestResponseWithPayloadAndOverriddenCallCreds(*this, false);
308 }
309
CORE_END2END_TEST(PerCallCredsOnInsecureTest,RequestResponseWithPayloadAndDeletedInsecureCallCreds)310 CORE_END2END_TEST(PerCallCredsOnInsecureTest,
311 RequestResponseWithPayloadAndDeletedInsecureCallCreds) {
312 TestRequestResponseWithPayloadAndDeletedCallCreds(*this, false);
313 }
314
CORE_END2END_TEST(PerCallCredsOnInsecureTest,FailToSendCallCreds)315 CORE_END2END_TEST(PerCallCredsOnInsecureTest, FailToSendCallCreds) {
316 auto c = NewClientCall("/foo").Timeout(Duration::Seconds(5)).Create();
317 grpc_call_credentials* creds;
318 creds = grpc_google_iam_credentials_create(iam_token, iam_selector, nullptr);
319 EXPECT_NE(creds, nullptr);
320 c.SetCredentials(creds);
321 IncomingMetadata server_initial_metadata;
322 IncomingMessage server_message;
323 IncomingStatusOnClient server_status;
324 c.NewBatch(1)
325 .SendInitialMetadata({})
326 .SendMessage("hello world")
327 .SendCloseFromClient()
328 .RecvInitialMetadata(server_initial_metadata)
329 .RecvMessage(server_message)
330 .RecvStatusOnClient(server_status);
331 // Expect the call to fail since the channel credentials did not satisfy the
332 // minimum security level requirements.
333 Expect(1, true);
334 Step();
335 EXPECT_EQ(server_status.status(), GRPC_STATUS_UNAUTHENTICATED);
336 }
337
338 } // namespace
339 } // namespace grpc_core
340