• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //
2 //
3 // Copyright 2019 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #include <grpcpp/security/alts_context.h>
20 #include <grpcpp/security/alts_util.h>
21 #include <grpcpp/security/auth_context.h>
22 #include <gtest/gtest.h>
23 
24 #include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
25 #include "src/cpp/common/secure_auth_context.h"
26 #include "src/proto/grpc/gcp/altscontext.upb.h"
27 #include "test/core/test_util/test_config.h"
28 #include "test/cpp/util/string_ref_helper.h"
29 #include "upb/mem/arena.hpp"
30 
31 namespace grpc {
32 namespace {
33 
TEST(AltsUtilTest,NullAuthContext)34 TEST(AltsUtilTest, NullAuthContext) {
35   std::unique_ptr<experimental::AltsContext> alts_context =
36       experimental::GetAltsContextFromAuthContext(nullptr);
37   EXPECT_EQ(alts_context, nullptr);
38 }
39 
TEST(AltsUtilTest,EmptyAuthContext)40 TEST(AltsUtilTest, EmptyAuthContext) {
41   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
42       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
43   const std::shared_ptr<AuthContext> auth_context(
44       new SecureAuthContext(ctx.get()));
45   std::unique_ptr<experimental::AltsContext> alts_context =
46       experimental::GetAltsContextFromAuthContext(auth_context);
47   EXPECT_EQ(alts_context, nullptr);
48 }
49 
TEST(AltsUtilTest,AuthContextWithMoreThanOneAltsContext)50 TEST(AltsUtilTest, AuthContextWithMoreThanOneAltsContext) {
51   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
52       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
53   const std::shared_ptr<AuthContext> auth_context(
54       new SecureAuthContext(ctx.get()));
55   ctx.reset();
56   auth_context->AddProperty(TSI_ALTS_CONTEXT, "context1");
57   auth_context->AddProperty(TSI_ALTS_CONTEXT, "context2");
58   std::unique_ptr<experimental::AltsContext> alts_context =
59       experimental::GetAltsContextFromAuthContext(auth_context);
60   EXPECT_EQ(alts_context, nullptr);
61 }
62 
TEST(AltsUtilTest,AuthContextWithBadAltsContext)63 TEST(AltsUtilTest, AuthContextWithBadAltsContext) {
64   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
65       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
66   const std::shared_ptr<AuthContext> auth_context(
67       new SecureAuthContext(ctx.get()));
68   ctx.reset();
69   auth_context->AddProperty(TSI_ALTS_CONTEXT,
70                             "bad context string serialization");
71   std::unique_ptr<experimental::AltsContext> alts_context =
72       experimental::GetAltsContextFromAuthContext(auth_context);
73   EXPECT_EQ(alts_context, nullptr);
74 }
75 
TEST(AltsUtilTest,AuthContextWithGoodAltsContextWithoutRpcVersions)76 TEST(AltsUtilTest, AuthContextWithGoodAltsContextWithoutRpcVersions) {
77   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
78       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
79   const std::shared_ptr<AuthContext> auth_context(
80       new SecureAuthContext(ctx.get()));
81   ctx.reset();
82   std::string expected_ap("application protocol");
83   std::string expected_rp("record protocol");
84   std::string expected_peer("peer");
85   std::string expected_local("local");
86   std::string expected_peer_attributes_key("peer");
87   std::string expected_peer_attributes_value("attributes");
88   grpc_security_level expected_sl = GRPC_INTEGRITY_ONLY;
89   upb::Arena context_arena;
90   grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr());
91   grpc_gcp_AltsContext_set_application_protocol(
92       context,
93       upb_StringView_FromDataAndSize(expected_ap.data(), expected_ap.length()));
94   grpc_gcp_AltsContext_set_record_protocol(
95       context,
96       upb_StringView_FromDataAndSize(expected_rp.data(), expected_rp.length()));
97   grpc_gcp_AltsContext_set_security_level(context, expected_sl);
98   grpc_gcp_AltsContext_set_peer_service_account(
99       context, upb_StringView_FromDataAndSize(expected_peer.data(),
100                                               expected_peer.length()));
101   grpc_gcp_AltsContext_set_local_service_account(
102       context, upb_StringView_FromDataAndSize(expected_local.data(),
103                                               expected_local.length()));
104   grpc_gcp_AltsContext_peer_attributes_set(
105       context,
106       upb_StringView_FromDataAndSize(expected_peer_attributes_key.data(),
107                                      expected_peer_attributes_key.length()),
108       upb_StringView_FromDataAndSize(expected_peer_attributes_value.data(),
109                                      expected_peer_attributes_value.length()),
110       context_arena.ptr());
111   size_t serialized_ctx_length;
112   char* serialized_ctx = grpc_gcp_AltsContext_serialize(
113       context, context_arena.ptr(), &serialized_ctx_length);
114   EXPECT_NE(serialized_ctx, nullptr);
115   auth_context->AddProperty(TSI_ALTS_CONTEXT,
116                             string(serialized_ctx, serialized_ctx_length));
117   std::unique_ptr<experimental::AltsContext> alts_context =
118       experimental::GetAltsContextFromAuthContext(auth_context);
119   EXPECT_NE(alts_context, nullptr);
120   EXPECT_EQ(expected_ap, alts_context->application_protocol());
121   EXPECT_EQ(expected_rp, alts_context->record_protocol());
122   EXPECT_EQ(expected_peer, alts_context->peer_service_account());
123   EXPECT_EQ(expected_local, alts_context->local_service_account());
124   EXPECT_EQ(expected_sl, alts_context->security_level());
125   // all rpc versions should be 0 if not set
126   experimental::AltsContext::RpcProtocolVersions rpc_protocol_versions =
127       alts_context->peer_rpc_versions();
128   EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.major_version);
129   EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.minor_version);
130   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.major_version);
131   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.minor_version);
132   EXPECT_EQ(expected_peer_attributes_value,
133             alts_context->peer_attributes().at(expected_peer_attributes_key));
134 }
135 
TEST(AltsUtilTest,AuthContextWithGoodAltsContext)136 TEST(AltsUtilTest, AuthContextWithGoodAltsContext) {
137   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
138       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
139   const std::shared_ptr<AuthContext> auth_context(
140       new SecureAuthContext(ctx.get()));
141   ctx.reset();
142   upb::Arena context_arena;
143   grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr());
144   upb::Arena versions_arena;
145   grpc_gcp_RpcProtocolVersions* versions =
146       grpc_gcp_RpcProtocolVersions_new(versions_arena.ptr());
147   upb::Arena max_major_version_arena;
148   grpc_gcp_RpcProtocolVersions_Version* version =
149       grpc_gcp_RpcProtocolVersions_Version_new(max_major_version_arena.ptr());
150   grpc_gcp_RpcProtocolVersions_Version_set_major(version, 10);
151   grpc_gcp_RpcProtocolVersions_set_max_rpc_version(versions, version);
152   grpc_gcp_AltsContext_set_peer_rpc_versions(context, versions);
153   size_t serialized_ctx_length;
154   char* serialized_ctx = grpc_gcp_AltsContext_serialize(
155       context, context_arena.ptr(), &serialized_ctx_length);
156   EXPECT_NE(serialized_ctx, nullptr);
157   auth_context->AddProperty(TSI_ALTS_CONTEXT,
158                             string(serialized_ctx, serialized_ctx_length));
159   std::unique_ptr<experimental::AltsContext> alts_context =
160       experimental::GetAltsContextFromAuthContext(auth_context);
161   EXPECT_NE(alts_context, nullptr);
162   EXPECT_EQ("", alts_context->application_protocol());
163   EXPECT_EQ("", alts_context->record_protocol());
164   EXPECT_EQ("", alts_context->peer_service_account());
165   EXPECT_EQ("", alts_context->local_service_account());
166   EXPECT_EQ(GRPC_SECURITY_NONE, alts_context->security_level());
167   experimental::AltsContext::RpcProtocolVersions rpc_protocol_versions =
168       alts_context->peer_rpc_versions();
169   EXPECT_EQ(10, rpc_protocol_versions.max_rpc_version.major_version);
170   EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.minor_version);
171   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.major_version);
172   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.minor_version);
173 }
174 
TEST(AltsUtilTest,AltsClientAuthzCheck)175 TEST(AltsUtilTest, AltsClientAuthzCheck) {
176   // AltsClientAuthzCheck function should return a permission denied error on
177   // the bad_auth_context, whose internal ALTS context does not exist
178   const std::shared_ptr<AuthContext> bad_auth_context(
179       new SecureAuthContext(nullptr));
180   std::vector<std::string> service_accounts{"client"};
181   grpc::Status status =
182       experimental::AltsClientAuthzCheck(bad_auth_context, service_accounts);
183   EXPECT_EQ(grpc::StatusCode::PERMISSION_DENIED, status.error_code());
184   // AltsClientAuthzCheck function should function normally when the peer name
185   // in ALTS context is listed in service_accounts
186   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
187       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
188   const std::shared_ptr<AuthContext> auth_context(
189       new SecureAuthContext(ctx.get()));
190   ctx.reset();
191   std::string peer("good_client");
192   std::vector<std::string> good_service_accounts{"good_client",
193                                                  "good_client_1"};
194   std::vector<std::string> bad_service_accounts{"bad_client", "bad_client_1"};
195   upb::Arena context_arena;
196   grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr());
197   grpc_gcp_AltsContext_set_peer_service_account(
198       context, upb_StringView_FromDataAndSize(peer.data(), peer.length()));
199   size_t serialized_ctx_length;
200   char* serialized_ctx = grpc_gcp_AltsContext_serialize(
201       context, context_arena.ptr(), &serialized_ctx_length);
202   EXPECT_NE(serialized_ctx, nullptr);
203   auth_context->AddProperty(TSI_ALTS_CONTEXT,
204                             string(serialized_ctx, serialized_ctx_length));
205   grpc::Status good_status =
206       experimental::AltsClientAuthzCheck(auth_context, good_service_accounts);
207   EXPECT_TRUE(good_status.ok());
208   grpc::Status bad_status =
209       experimental::AltsClientAuthzCheck(auth_context, bad_service_accounts);
210   EXPECT_EQ(grpc::StatusCode::PERMISSION_DENIED, bad_status.error_code());
211 }
212 
213 }  // namespace
214 }  // namespace grpc
215 
main(int argc,char ** argv)216 int main(int argc, char** argv) {
217   grpc::testing::TestEnvironment env(&argc, argv);
218   ::testing::InitGoogleTest(&argc, argv);
219   return RUN_ALL_TESTS();
220 }
221