1 //
2 //
3 // Copyright 2023 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 #include <gmock/gmock.h>
19 #include <grpc/grpc_security.h>
20 #include <grpcpp/channel.h>
21 #include <grpcpp/client_context.h>
22 #include <grpcpp/create_channel.h>
23 #include <grpcpp/security/tls_certificate_verifier.h>
24 #include <grpcpp/security/tls_credentials_options.h>
25 #include <grpcpp/server.h>
26 #include <grpcpp/server_builder.h>
27 #include <gtest/gtest.h>
28
29 #include <memory>
30
31 #include "absl/log/log.h"
32 #include "absl/synchronization/notification.h"
33 #include "test/core/test_util/port.h"
34 #include "test/core/test_util/test_config.h"
35 #include "test/core/test_util/tls_utils.h"
36 #include "test/cpp/end2end/test_service_impl.h"
37
38 namespace grpc {
39 namespace testing {
40 namespace {
41
42 using ::grpc::experimental::ExternalCertificateVerifier;
43 using ::grpc::experimental::TlsChannelCredentialsOptions;
44
45 constexpr char kCaCertPath[] = "src/core/tsi/test_creds/ca.pem";
46 constexpr char kServerCertPath[] = "src/core/tsi/test_creds/server1.pem";
47 constexpr char kServerKeyPath[] = "src/core/tsi/test_creds/server1.key";
48 constexpr char kMessage[] = "Hello";
49
50 class NoOpCertificateVerifier : public ExternalCertificateVerifier {
51 public:
52 ~NoOpCertificateVerifier() override = default;
53
Verify(grpc::experimental::TlsCustomVerificationCheckRequest *,std::function<void (grpc::Status)>,grpc::Status * sync_status)54 bool Verify(grpc::experimental::TlsCustomVerificationCheckRequest*,
55 std::function<void(grpc::Status)>,
56 grpc::Status* sync_status) override {
57 *sync_status = grpc::Status(grpc::StatusCode::OK, "");
58 return true;
59 }
60
Cancel(grpc::experimental::TlsCustomVerificationCheckRequest *)61 void Cancel(grpc::experimental::TlsCustomVerificationCheckRequest*) override {
62 }
63 };
64
65 class TlsCredentialsTest : public ::testing::Test {
66 protected:
RunServer(absl::Notification * notification)67 void RunServer(absl::Notification* notification) {
68 std::string root_cert = grpc_core::testing::GetFileContents(kCaCertPath);
69 grpc::SslServerCredentialsOptions::PemKeyCertPair key_cert_pair = {
70 grpc_core::testing::GetFileContents(kServerKeyPath),
71 grpc_core::testing::GetFileContents(kServerCertPath)};
72 grpc::SslServerCredentialsOptions ssl_options;
73 ssl_options.pem_key_cert_pairs.push_back(key_cert_pair);
74 ssl_options.pem_root_certs = root_cert;
75
76 grpc::ServerBuilder builder;
77 TestServiceImpl service_;
78
79 builder
80 .AddListeningPort(server_addr_, grpc::SslServerCredentials(ssl_options))
81 .RegisterService(&service_);
82 server_ = builder.BuildAndStart();
83 notification->Notify();
84 server_->Wait();
85 }
86
TearDown()87 void TearDown() override {
88 if (server_ != nullptr) {
89 server_->Shutdown();
90 server_thread_->join();
91 delete server_thread_;
92 }
93 }
94
95 TestServiceImpl service_;
96 std::unique_ptr<Server> server_ = nullptr;
97 std::thread* server_thread_ = nullptr;
98 std::string server_addr_;
99 };
100
101 // NOLINTNEXTLINE(clang-diagnostic-unused-function)
DoRpc(const std::string & server_addr,const TlsChannelCredentialsOptions & tls_options)102 void DoRpc(const std::string& server_addr,
103 const TlsChannelCredentialsOptions& tls_options) {
104 std::shared_ptr<Channel> channel =
105 grpc::CreateChannel(server_addr, TlsCredentials(tls_options));
106
107 auto stub = grpc::testing::EchoTestService::NewStub(channel);
108 grpc::testing::EchoRequest request;
109 grpc::testing::EchoResponse response;
110 request.set_message(kMessage);
111 ClientContext context;
112 context.set_deadline(grpc_timeout_seconds_to_deadline(/*time_s=*/10));
113 grpc::Status result = stub->Echo(&context, request, &response);
114 EXPECT_TRUE(result.ok());
115 if (!result.ok()) {
116 LOG(ERROR) << "Echo failed: " << result.error_code() << ", "
117 << result.error_message() << ", " << result.error_details();
118 }
119 EXPECT_EQ(response.message(), kMessage);
120 }
121
122 // TODO(gregorycooke) - failing with OpenSSL1.0.2
123 #if OPENSSL_VERSION_NUMBER >= 0x10100000
124 // How do we test that skipping server certificate verification works as
125 // expected? Give the server credentials that chain up to a custom CA (that does
126 // not belong to the default or OS trust store), do not configure the client to
127 // have this CA in its trust store, and attempt to establish a connection
128 // between the client and server.
TEST_F(TlsCredentialsTest,SkipServerCertificateVerification)129 TEST_F(TlsCredentialsTest, SkipServerCertificateVerification) {
130 server_addr_ = absl::StrCat("localhost:",
131 std::to_string(grpc_pick_unused_port_or_die()));
132 absl::Notification notification;
133 server_thread_ = new std::thread([&]() { RunServer(¬ification); });
134 notification.WaitForNotification();
135
136 TlsChannelCredentialsOptions tls_options;
137 tls_options.set_certificate_verifier(
138 ExternalCertificateVerifier::Create<NoOpCertificateVerifier>());
139 tls_options.set_check_call_host(/*check_call_host=*/false);
140 tls_options.set_verify_server_certs(/*verify_server_certs=*/false);
141
142 DoRpc(server_addr_, tls_options);
143 }
144 #endif // OPENSSL_VERSION_NUMBER >= 0x10100000
145
146 } // namespace
147 } // namespace testing
148 } // namespace grpc
149
main(int argc,char ** argv)150 int main(int argc, char** argv) {
151 grpc::testing::TestEnvironment env(&argc, argv);
152 ::testing::InitGoogleTest(&argc, argv);
153 int ret = RUN_ALL_TESTS();
154 return ret;
155 }
156