1 /*
2 *
3 * Copyright 2020 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
20
21 #include <gmock/gmock.h>
22 #include <grpc/support/alloc.h>
23 #include <grpc/support/log.h>
24 #include <grpc/support/string_util.h>
25 #include <gtest/gtest.h>
26
27 #include "src/core/lib/gpr/tmpfile.h"
28 #include "src/core/lib/iomgr/load_file.h"
29 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
30 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
31 #include "test/core/util/test_config.h"
32 #include "test/core/util/tls_utils.h"
33
34 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
35 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
36 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
37 #define CA_CERT_PATH_2 "src/core/tsi/test_creds/multi-domain.pem"
38 #define SERVER_CERT_PATH_2 "src/core/tsi/test_creds/server0.pem"
39 #define SERVER_KEY_PATH_2 "src/core/tsi/test_creds/server0.key"
40 #define INVALID_PATH "invalid/path"
41
42 namespace grpc_core {
43
44 namespace testing {
45
46 class GrpcTlsCredentialsOptionsTest : public ::testing::Test {
47 protected:
SetUp()48 void SetUp() override {
49 root_cert_ = GetFileContents(CA_CERT_PATH);
50 cert_chain_ = GetFileContents(SERVER_CERT_PATH);
51 private_key_ = GetFileContents(SERVER_KEY_PATH);
52 root_cert_2_ = GetFileContents(CA_CERT_PATH_2);
53 cert_chain_2_ = GetFileContents(SERVER_CERT_PATH_2);
54 private_key_2_ = GetFileContents(SERVER_KEY_PATH_2);
55 }
56
57 std::string root_cert_;
58 std::string private_key_;
59 std::string cert_chain_;
60 std::string root_cert_2_;
61 std::string private_key_2_;
62 std::string cert_chain_2_;
63 };
64
TEST_F(GrpcTlsCredentialsOptionsTest,ErrorDetails)65 TEST_F(GrpcTlsCredentialsOptionsTest, ErrorDetails) {
66 grpc_tls_error_details error_details;
67 EXPECT_STREQ(error_details.error_details().c_str(), "");
68 error_details.set_error_details("test error details");
69 EXPECT_STREQ(error_details.error_details().c_str(), "test error details");
70 }
71
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsOnDefaultRootCerts)72 TEST_F(GrpcTlsCredentialsOptionsTest, ClientOptionsOnDefaultRootCerts) {
73 auto options = MakeRefCounted<grpc_tls_credentials_options>();
74 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
75 auto credentials = MakeRefCounted<TlsCredentials>(options);
76 ASSERT_NE(credentials, nullptr);
77 grpc_channel_args* new_args = nullptr;
78 auto connector = credentials->create_security_connector(
79 nullptr, "random targets", nullptr, &new_args);
80 grpc_channel_args_destroy(new_args);
81 ASSERT_NE(connector, nullptr);
82 TlsChannelSecurityConnector* tls_connector =
83 static_cast<TlsChannelSecurityConnector*>(connector.get());
84 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
85 }
86
87 // Tests for StaticDataCertificateProvider.
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnBothCerts)88 TEST_F(GrpcTlsCredentialsOptionsTest,
89 ClientOptionsWithStaticDataProviderOnBothCerts) {
90 auto options = MakeRefCounted<grpc_tls_credentials_options>();
91 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
92 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
93 options->set_certificate_provider(std::move(provider));
94 options->set_watch_root_cert(true);
95 options->set_watch_identity_pair(true);
96 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
97 auto credentials = MakeRefCounted<TlsCredentials>(options);
98 ASSERT_NE(credentials, nullptr);
99 grpc_channel_args* new_args = nullptr;
100 auto connector = credentials->create_security_connector(
101 nullptr, "random targets", nullptr, &new_args);
102 grpc_channel_args_destroy(new_args);
103 ASSERT_NE(connector, nullptr);
104 TlsChannelSecurityConnector* tls_connector =
105 static_cast<TlsChannelSecurityConnector*>(connector.get());
106 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
107 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
108 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
109 }
110
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnRootCerts)111 TEST_F(GrpcTlsCredentialsOptionsTest,
112 ClientOptionsWithStaticDataProviderOnRootCerts) {
113 auto options = MakeRefCounted<grpc_tls_credentials_options>();
114 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
115 root_cert_, PemKeyCertPairList());
116 options->set_certificate_provider(std::move(provider));
117 options->set_watch_root_cert(true);
118 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
119 auto credentials = MakeRefCounted<TlsCredentials>(options);
120 ASSERT_NE(credentials, nullptr);
121 grpc_channel_args* new_args = nullptr;
122 auto connector = credentials->create_security_connector(
123 nullptr, "random targets", nullptr, &new_args);
124 grpc_channel_args_destroy(new_args);
125 ASSERT_NE(connector, nullptr);
126 TlsChannelSecurityConnector* tls_connector =
127 static_cast<TlsChannelSecurityConnector*>(connector.get());
128 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
129 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
130 EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
131 }
132
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnNotProvidedCerts)133 TEST_F(GrpcTlsCredentialsOptionsTest,
134 ClientOptionsWithStaticDataProviderOnNotProvidedCerts) {
135 auto options = MakeRefCounted<grpc_tls_credentials_options>();
136 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
137 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
138 options->set_certificate_provider(std::move(provider));
139 options->set_watch_root_cert(true);
140 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
141 auto credentials = MakeRefCounted<TlsCredentials>(options);
142 ASSERT_NE(credentials, nullptr);
143 grpc_channel_args* new_args = nullptr;
144 auto connector = credentials->create_security_connector(
145 nullptr, "random targets", nullptr, &new_args);
146 grpc_channel_args_destroy(new_args);
147 ASSERT_NE(connector, nullptr);
148 TlsChannelSecurityConnector* tls_connector =
149 static_cast<TlsChannelSecurityConnector*>(connector.get());
150 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
151 }
152
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithDefaultRootAndStaticDataProviderOnIdentityCerts)153 TEST_F(GrpcTlsCredentialsOptionsTest,
154 ClientOptionsWithDefaultRootAndStaticDataProviderOnIdentityCerts) {
155 auto options = MakeRefCounted<grpc_tls_credentials_options>();
156 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
157 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
158 options->set_certificate_provider(std::move(provider));
159 options->set_watch_identity_pair(true);
160 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
161 auto credentials = MakeRefCounted<TlsCredentials>(options);
162 ASSERT_NE(credentials, nullptr);
163 grpc_channel_args* new_args = nullptr;
164 auto connector = credentials->create_security_connector(
165 nullptr, "random targets", nullptr, &new_args);
166 grpc_channel_args_destroy(new_args);
167 ASSERT_NE(connector, nullptr);
168 TlsChannelSecurityConnector* tls_connector =
169 static_cast<TlsChannelSecurityConnector*>(connector.get());
170 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
171 }
172
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnBothCerts)173 TEST_F(GrpcTlsCredentialsOptionsTest,
174 ServerOptionsWithStaticDataProviderOnBothCerts) {
175 auto options = MakeRefCounted<grpc_tls_credentials_options>();
176 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
177 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
178 options->set_certificate_provider(std::move(provider));
179 options->set_watch_root_cert(true);
180 options->set_watch_identity_pair(true);
181 options->set_cert_request_type(
182 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
183 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
184 ASSERT_NE(credentials, nullptr);
185 auto connector = credentials->create_security_connector(nullptr);
186 ASSERT_NE(connector, nullptr);
187 TlsServerSecurityConnector* tls_connector =
188 static_cast<TlsServerSecurityConnector*>(connector.get());
189 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
190 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
191 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
192 }
193
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnIdentityCerts)194 TEST_F(GrpcTlsCredentialsOptionsTest,
195 ServerOptionsWithStaticDataProviderOnIdentityCerts) {
196 auto options = MakeRefCounted<grpc_tls_credentials_options>();
197 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
198 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
199 options->set_certificate_provider(std::move(provider));
200 options->set_watch_identity_pair(true);
201 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
202 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
203 ASSERT_NE(credentials, nullptr);
204 auto connector = credentials->create_security_connector(nullptr);
205 ASSERT_NE(connector, nullptr);
206 TlsServerSecurityConnector* tls_connector =
207 static_cast<TlsServerSecurityConnector*>(connector.get());
208 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
209 EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
210 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
211 }
212
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnNotProvidedCerts)213 TEST_F(GrpcTlsCredentialsOptionsTest,
214 ServerOptionsWithStaticDataProviderOnNotProvidedCerts) {
215 auto options = MakeRefCounted<grpc_tls_credentials_options>();
216 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
217 root_cert_, PemKeyCertPairList());
218 options->set_certificate_provider(std::move(provider));
219 options->set_watch_identity_pair(true);
220 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
221 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
222 ASSERT_NE(credentials, nullptr);
223 auto connector = credentials->create_security_connector(nullptr);
224 ASSERT_NE(connector, nullptr);
225 TlsServerSecurityConnector* tls_connector =
226 static_cast<TlsServerSecurityConnector*>(connector.get());
227 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
228 }
229
230 // Tests for FileWatcherCertificateProvider.
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnBothCerts)231 TEST_F(GrpcTlsCredentialsOptionsTest,
232 ClientOptionsWithCertWatcherProviderOnBothCerts) {
233 auto options = MakeRefCounted<grpc_tls_credentials_options>();
234 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
235 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
236 options->set_certificate_provider(std::move(provider));
237 options->set_watch_root_cert(true);
238 options->set_watch_identity_pair(true);
239 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
240 auto credentials = MakeRefCounted<TlsCredentials>(options);
241 ASSERT_NE(credentials, nullptr);
242 grpc_channel_args* new_args = nullptr;
243 auto connector = credentials->create_security_connector(
244 nullptr, "random targets", nullptr, &new_args);
245 grpc_channel_args_destroy(new_args);
246 ASSERT_NE(connector, nullptr);
247 TlsChannelSecurityConnector* tls_connector =
248 static_cast<TlsChannelSecurityConnector*>(connector.get());
249 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
250 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
251 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
252 }
253
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnRootCerts)254 TEST_F(GrpcTlsCredentialsOptionsTest,
255 ClientOptionsWithCertWatcherProviderOnRootCerts) {
256 auto options = MakeRefCounted<grpc_tls_credentials_options>();
257 auto provider =
258 MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
259 options->set_certificate_provider(std::move(provider));
260 options->set_watch_root_cert(true);
261 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
262 auto credentials = MakeRefCounted<TlsCredentials>(options);
263 ASSERT_NE(credentials, nullptr);
264 grpc_channel_args* new_args = nullptr;
265 auto connector = credentials->create_security_connector(
266 nullptr, "random targets", nullptr, &new_args);
267 grpc_channel_args_destroy(new_args);
268 ASSERT_NE(connector, nullptr);
269 TlsChannelSecurityConnector* tls_connector =
270 static_cast<TlsChannelSecurityConnector*>(connector.get());
271 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
272 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
273 EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
274 }
275
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnNotProvidedCerts)276 TEST_F(GrpcTlsCredentialsOptionsTest,
277 ClientOptionsWithCertWatcherProviderOnNotProvidedCerts) {
278 auto options = MakeRefCounted<grpc_tls_credentials_options>();
279 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
280 SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
281 options->set_certificate_provider(std::move(provider));
282 options->set_watch_root_cert(true);
283 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
284 auto credentials = MakeRefCounted<TlsCredentials>(options);
285 ASSERT_NE(credentials, nullptr);
286 grpc_channel_args* new_args = nullptr;
287 auto connector = credentials->create_security_connector(
288 nullptr, "random targets", nullptr, &new_args);
289 grpc_channel_args_destroy(new_args);
290 ASSERT_NE(connector, nullptr);
291 TlsChannelSecurityConnector* tls_connector =
292 static_cast<TlsChannelSecurityConnector*>(connector.get());
293 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
294 }
295
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnBadTrustCerts)296 TEST_F(GrpcTlsCredentialsOptionsTest,
297 ClientOptionsWithCertWatcherProviderOnBadTrustCerts) {
298 auto options = MakeRefCounted<grpc_tls_credentials_options>();
299 auto provider =
300 MakeRefCounted<FileWatcherCertificateProvider>("", "", INVALID_PATH, 1);
301 options->set_certificate_provider(std::move(provider));
302 options->set_watch_root_cert(true);
303 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
304 auto credentials = MakeRefCounted<TlsCredentials>(options);
305 ASSERT_NE(credentials, nullptr);
306 grpc_channel_args* new_args = nullptr;
307 auto connector = credentials->create_security_connector(
308 nullptr, "random targets", nullptr, &new_args);
309 grpc_channel_args_destroy(new_args);
310 ASSERT_NE(connector, nullptr);
311 TlsChannelSecurityConnector* tls_connector =
312 static_cast<TlsChannelSecurityConnector*>(connector.get());
313 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
314 }
315
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnBothCerts)316 TEST_F(GrpcTlsCredentialsOptionsTest,
317 ServerOptionsWithCertWatcherProviderOnBothCerts) {
318 auto options = MakeRefCounted<grpc_tls_credentials_options>();
319 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
320 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
321 options->set_certificate_provider(std::move(provider));
322 options->set_watch_root_cert(true);
323 options->set_watch_identity_pair(true);
324 options->set_cert_request_type(
325 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
326 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
327 ASSERT_NE(credentials, nullptr);
328 auto connector = credentials->create_security_connector(nullptr);
329 ASSERT_NE(connector, nullptr);
330 TlsServerSecurityConnector* tls_connector =
331 static_cast<TlsServerSecurityConnector*>(connector.get());
332 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
333 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
334 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
335 }
336
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnIdentityCerts)337 TEST_F(GrpcTlsCredentialsOptionsTest,
338 ServerOptionsWithCertWatcherProviderOnIdentityCerts) {
339 auto options = MakeRefCounted<grpc_tls_credentials_options>();
340 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
341 SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
342 options->set_certificate_provider(std::move(provider));
343 options->set_watch_identity_pair(true);
344 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
345 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
346 ASSERT_NE(credentials, nullptr);
347 auto connector = credentials->create_security_connector(nullptr);
348 ASSERT_NE(connector, nullptr);
349 TlsServerSecurityConnector* tls_connector =
350 static_cast<TlsServerSecurityConnector*>(connector.get());
351 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
352 EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
353 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
354 }
355
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnNotProvidedCerts)356 TEST_F(GrpcTlsCredentialsOptionsTest,
357 ServerOptionsWithCertWatcherProviderOnNotProvidedCerts) {
358 auto options = MakeRefCounted<grpc_tls_credentials_options>();
359 auto provider =
360 MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
361 options->set_certificate_provider(std::move(provider));
362 options->set_watch_identity_pair(true);
363 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
364 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
365 ASSERT_NE(credentials, nullptr);
366 auto connector = credentials->create_security_connector(nullptr);
367 ASSERT_NE(connector, nullptr);
368 TlsServerSecurityConnector* tls_connector =
369 static_cast<TlsServerSecurityConnector*>(connector.get());
370 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
371 }
372
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnBadIdentityCerts)373 TEST_F(GrpcTlsCredentialsOptionsTest,
374 ServerOptionsWithCertWatcherProviderOnBadIdentityCerts) {
375 auto options = MakeRefCounted<grpc_tls_credentials_options>();
376 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
377 INVALID_PATH, INVALID_PATH, "", 1);
378 options->set_certificate_provider(std::move(provider));
379 options->set_watch_identity_pair(true);
380 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
381 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
382 ASSERT_NE(credentials, nullptr);
383 auto connector = credentials->create_security_connector(nullptr);
384 ASSERT_NE(connector, nullptr);
385 TlsServerSecurityConnector* tls_connector =
386 static_cast<TlsServerSecurityConnector*>(connector.get());
387 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
388 }
389
390 // The following tests write credential data to temporary files to test the
391 // transition behavior of the provider.
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnCertificateRefreshed)392 TEST_F(GrpcTlsCredentialsOptionsTest,
393 ClientOptionsWithCertWatcherProviderOnCertificateRefreshed) {
394 // Create temporary files and copy cert data into them.
395 TmpFile tmp_root_cert(root_cert_);
396 TmpFile tmp_identity_key(private_key_);
397 TmpFile tmp_identity_cert(cert_chain_);
398 // Create ClientOptions using FileWatcherCertificateProvider.
399 auto options = MakeRefCounted<grpc_tls_credentials_options>();
400 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
401 tmp_identity_key.name(), tmp_identity_cert.name(), tmp_root_cert.name(),
402 1);
403 options->set_certificate_provider(std::move(provider));
404 options->set_watch_root_cert(true);
405 options->set_watch_identity_pair(true);
406 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
407 auto credentials = MakeRefCounted<TlsCredentials>(options);
408 ASSERT_NE(credentials, nullptr);
409 grpc_channel_args* new_args = nullptr;
410 auto connector = credentials->create_security_connector(
411 nullptr, "random targets", nullptr, &new_args);
412 grpc_channel_args_destroy(new_args);
413 ASSERT_NE(connector, nullptr);
414 TlsChannelSecurityConnector* tls_connector =
415 static_cast<TlsChannelSecurityConnector*>(connector.get());
416 // Expect to see the credential data.
417 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
418 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
419 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
420 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
421 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
422 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
423 // Copy new data to files.
424 // TODO(ZhenLian): right now it is not completely atomic. Use the real atomic
425 // update when the directory renaming is added in gpr.
426 tmp_root_cert.RewriteFile(root_cert_2_);
427 tmp_identity_key.RewriteFile(private_key_2_);
428 tmp_identity_cert.RewriteFile(cert_chain_2_);
429 // Wait 2 seconds for the provider's refresh thread to read the updated files.
430 gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
431 gpr_time_from_seconds(2, GPR_TIMESPAN)));
432 // Expect to see new credential data loaded by the security connector.
433 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
434 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
435 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_2_);
436 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
437 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
438 MakeCertKeyPairs(private_key_2_.c_str(), cert_chain_2_.c_str()));
439 }
440
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnDeletedFiles)441 TEST_F(GrpcTlsCredentialsOptionsTest,
442 ClientOptionsWithCertWatcherProviderOnDeletedFiles) {
443 // Create temporary files and copy cert data into it.
444 auto tmp_root_cert = absl::make_unique<TmpFile>(root_cert_);
445 auto tmp_identity_key = absl::make_unique<TmpFile>(private_key_);
446 auto tmp_identity_cert = absl::make_unique<TmpFile>(cert_chain_);
447 // Create ClientOptions using FileWatcherCertificateProvider.
448 auto options = MakeRefCounted<grpc_tls_credentials_options>();
449 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
450 tmp_identity_key->name(), tmp_identity_cert->name(),
451 tmp_root_cert->name(), 1);
452 options->set_certificate_provider(std::move(provider));
453 options->set_watch_root_cert(true);
454 options->set_watch_identity_pair(true);
455 options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
456 auto credentials = MakeRefCounted<TlsCredentials>(options);
457 ASSERT_NE(credentials, nullptr);
458 grpc_channel_args* new_args = nullptr;
459 auto connector = credentials->create_security_connector(
460 nullptr, "random targets", nullptr, &new_args);
461 grpc_channel_args_destroy(new_args);
462 ASSERT_NE(connector, nullptr);
463 TlsChannelSecurityConnector* tls_connector =
464 static_cast<TlsChannelSecurityConnector*>(connector.get());
465 // The initial data is all good, so we expect to have successful credential
466 // updates.
467 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
468 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
469 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
470 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
471 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
472 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
473 // Delete TmpFile objects, which will remove the corresponding files.
474 tmp_root_cert.reset();
475 tmp_identity_key.reset();
476 tmp_identity_cert.reset();
477 // Wait 2 seconds for the provider's refresh thread to read the deleted files.
478 gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
479 gpr_time_from_seconds(2, GPR_TIMESPAN)));
480 // It's a bit hard to test if errors are sent to the security connector,
481 // because the security connector simply logs the error. We will see the err
482 // messages if we open the log.
483 // The old certs should still being used.
484 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
485 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
486 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
487 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
488 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
489 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
490 }
491
492 } // namespace testing
493
494 } // namespace grpc_core
495
main(int argc,char ** argv)496 int main(int argc, char** argv) {
497 grpc::testing::TestEnvironment env(argc, argv);
498 GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
499 ::testing::InitGoogleTest(&argc, argv);
500 grpc_init();
501 int ret = RUN_ALL_TESTS();
502 grpc_shutdown();
503 return ret;
504 }
505