1 /*
2 *
3 * Copyright 2018 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
20
21 #include <gmock/gmock.h>
22 #include <grpc/support/alloc.h>
23 #include <grpc/support/log.h>
24 #include <grpc/support/string_util.h>
25 #include <gtest/gtest.h>
26 #include <stdlib.h>
27 #include <string.h>
28
29 #include "src/core/lib/iomgr/load_file.h"
30 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
31 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
32 #include "src/core/tsi/transport_security.h"
33 #include "test/core/util/test_config.h"
34
35 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
36 #define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
37 #define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
38 #define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
39 #define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
40 #define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
41
42 namespace grpc {
43 namespace testing {
44
45 constexpr const char* kRootCertName = "root_cert_name";
46 constexpr const char* kIdentityCertName = "identity_cert_name";
47 constexpr const char* kErrorMessage = "error_message";
48 constexpr const char* kTargetName = "some_target";
49
50 class TlsSecurityConnectorTest : public ::testing::Test {
51 protected:
TlsSecurityConnectorTest()52 TlsSecurityConnectorTest() {}
SetUp()53 void SetUp() override {
54 grpc_slice ca_slice_1, ca_slice_0, cert_slice_1, key_slice_1, cert_slice_0,
55 key_slice_0;
56 GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
57 grpc_load_file(CA_CERT_PATH, 1, &ca_slice_1)));
58 GPR_ASSERT(GRPC_LOG_IF_ERROR(
59 "load_file", grpc_load_file(CLIENT_CERT_PATH, 1, &ca_slice_0)));
60 GPR_ASSERT(GRPC_LOG_IF_ERROR(
61 "load_file", grpc_load_file(SERVER_CERT_PATH_1, 1, &cert_slice_1)));
62 GPR_ASSERT(GRPC_LOG_IF_ERROR(
63 "load_file", grpc_load_file(SERVER_KEY_PATH_1, 1, &key_slice_1)));
64 GPR_ASSERT(GRPC_LOG_IF_ERROR(
65 "load_file", grpc_load_file(SERVER_CERT_PATH_0, 1, &cert_slice_0)));
66 GPR_ASSERT(GRPC_LOG_IF_ERROR(
67 "load_file", grpc_load_file(SERVER_KEY_PATH_0, 1, &key_slice_0)));
68 root_cert_1_ = std::string(grpc_core::StringViewFromSlice(ca_slice_1));
69 root_cert_0_ = std::string(grpc_core::StringViewFromSlice(ca_slice_0));
70 std::string identity_key_1 =
71 std::string(grpc_core::StringViewFromSlice(key_slice_1));
72 std::string identity_key_0 =
73 std::string(grpc_core::StringViewFromSlice(key_slice_0));
74 std::string identity_cert_1 =
75 std::string(grpc_core::StringViewFromSlice(cert_slice_1));
76 std::string identity_cert_0 =
77 std::string(grpc_core::StringViewFromSlice(cert_slice_0));
78 identity_pairs_1_.emplace_back(identity_key_1, identity_cert_1);
79 identity_pairs_0_.emplace_back(identity_key_0, identity_cert_0);
80 grpc_slice_unref(ca_slice_1);
81 grpc_slice_unref(ca_slice_0);
82 grpc_slice_unref(cert_slice_1);
83 grpc_slice_unref(key_slice_1);
84 grpc_slice_unref(cert_slice_0);
85 grpc_slice_unref(key_slice_0);
86 }
87
TearDown()88 void TearDown() override {}
89
90 std::string root_cert_1_;
91 std::string root_cert_0_;
92 grpc_core::PemKeyCertPairList identity_pairs_1_;
93 grpc_core::PemKeyCertPairList identity_pairs_0_;
94 };
95
96 class TlsTestCertificateProvider : public ::grpc_tls_certificate_provider {
97 public:
TlsTestCertificateProvider(grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor)98 explicit TlsTestCertificateProvider(
99 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor)
100 : distributor_(std::move(distributor)) {}
~TlsTestCertificateProvider()101 ~TlsTestCertificateProvider() override {}
distributor() const102 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
103 const override {
104 return distributor_;
105 }
106
107 private:
108 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
109 };
110
111 // Tests for ChannelSecurityConnector.
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)112 TEST_F(TlsSecurityConnectorTest,
113 RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
114 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
115 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
116 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
117 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
118 identity_pairs_0_);
119 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
120 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
121 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
122 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
123 options->set_certificate_provider(provider);
124 options->set_watch_root_cert(true);
125 options->set_watch_identity_pair(true);
126 options->set_root_cert_name(kRootCertName);
127 options->set_identity_cert_name(kIdentityCertName);
128 grpc_core::RefCountedPtr<TlsCredentials> credential =
129 grpc_core::MakeRefCounted<TlsCredentials>(options);
130 grpc_channel_args* new_args = nullptr;
131 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
132 credential->create_security_connector(nullptr, kTargetName, nullptr,
133 &new_args);
134 EXPECT_NE(connector, nullptr);
135 grpc_core::TlsChannelSecurityConnector* tls_connector =
136 static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
137 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
138 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
139 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
140 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
141 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
142 identity_pairs_1_);
143 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
144 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
145 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
146 grpc_channel_args_destroy(new_args);
147 }
148
TEST_F(TlsSecurityConnectorTest,SystemRootsWhenCreateChannelSecurityConnector)149 TEST_F(TlsSecurityConnectorTest,
150 SystemRootsWhenCreateChannelSecurityConnector) {
151 // Create options watching for no certificates.
152 grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
153 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
154 grpc_core::RefCountedPtr<TlsCredentials> root_credential =
155 grpc_core::MakeRefCounted<TlsCredentials>(root_options);
156 grpc_channel_args* root_new_args = nullptr;
157 grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
158 root_credential->create_security_connector(nullptr, "some_target",
159 nullptr, &root_new_args);
160 EXPECT_NE(root_connector, nullptr);
161 grpc_core::TlsChannelSecurityConnector* tls_root_connector =
162 static_cast<grpc_core::TlsChannelSecurityConnector*>(
163 root_connector.get());
164 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
165 grpc_channel_args_destroy(root_new_args);
166 }
167
TEST_F(TlsSecurityConnectorTest,SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)168 TEST_F(TlsSecurityConnectorTest,
169 SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
170 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
171 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
172 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
173 identity_pairs_0_);
174 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
175 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
176 // Create options only watching for identity certificates.
177 grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
178 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
179 root_options->set_certificate_provider(provider);
180 root_options->set_watch_identity_pair(true);
181 root_options->set_identity_cert_name(kIdentityCertName);
182 grpc_core::RefCountedPtr<TlsCredentials> root_credential =
183 grpc_core::MakeRefCounted<TlsCredentials>(root_options);
184 grpc_channel_args* root_new_args = nullptr;
185 grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
186 root_credential->create_security_connector(nullptr, "some_target",
187 nullptr, &root_new_args);
188 EXPECT_NE(root_connector, nullptr);
189 grpc_core::TlsChannelSecurityConnector* tls_root_connector =
190 static_cast<grpc_core::TlsChannelSecurityConnector*>(
191 root_connector.get());
192 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
193 EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
194 // If we have a root update, we shouldn't receive them in security connector,
195 // since we claimed to use default system roots.
196 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
197 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
198 EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
199 grpc_channel_args_destroy(root_new_args);
200 }
201
TEST_F(TlsSecurityConnectorTest,RootCertsObtainedWhenCreateChannelSecurityConnector)202 TEST_F(TlsSecurityConnectorTest,
203 RootCertsObtainedWhenCreateChannelSecurityConnector) {
204 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
205 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
206 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
207 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
208 identity_pairs_0_);
209 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
210 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
211 // Create options only watching for root certificates.
212 grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
213 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
214 root_options->set_certificate_provider(provider);
215 root_options->set_watch_root_cert(true);
216 root_options->set_root_cert_name(kRootCertName);
217 grpc_core::RefCountedPtr<TlsCredentials> root_credential =
218 grpc_core::MakeRefCounted<TlsCredentials>(root_options);
219 grpc_channel_args* root_new_args = nullptr;
220 grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
221 root_credential->create_security_connector(nullptr, "some_target",
222 nullptr, &root_new_args);
223 EXPECT_NE(root_connector, nullptr);
224 grpc_core::TlsChannelSecurityConnector* tls_root_connector =
225 static_cast<grpc_core::TlsChannelSecurityConnector*>(
226 root_connector.get());
227 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
228 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
229 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
230 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
231 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
232 grpc_channel_args_destroy(root_new_args);
233 }
234
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateChannelSecurityConnector)235 TEST_F(TlsSecurityConnectorTest,
236 CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
237 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
238 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
239 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
240 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
241 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
242 // Registered the options watching both certs, but only root certs are
243 // available at distributor right now.
244 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
245 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
246 options->set_certificate_provider(provider);
247 options->set_watch_root_cert(true);
248 options->set_watch_identity_pair(true);
249 options->set_root_cert_name(kRootCertName);
250 options->set_identity_cert_name(kIdentityCertName);
251 grpc_core::RefCountedPtr<TlsCredentials> credential =
252 grpc_core::MakeRefCounted<TlsCredentials>(options);
253 grpc_channel_args* new_args = nullptr;
254 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
255 credential->create_security_connector(nullptr, kTargetName, nullptr,
256 &new_args);
257 EXPECT_NE(connector, nullptr);
258 grpc_core::TlsChannelSecurityConnector* tls_connector =
259 static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
260 // The client_handshaker_factory_ shouldn't be updated.
261 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
262 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
263 // After updating the root certs, the client_handshaker_factory_ should be
264 // updated.
265 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
266 identity_pairs_0_);
267 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
268 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
269 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
270 grpc_channel_args_destroy(new_args);
271 }
272
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForChannelSecurityConnector)273 TEST_F(TlsSecurityConnectorTest,
274 DistributorHasErrorForChannelSecurityConnector) {
275 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
276 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
277 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
278 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
279 identity_pairs_0_);
280 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
281 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
282 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
283 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
284 options->set_certificate_provider(provider);
285 options->set_watch_root_cert(true);
286 options->set_watch_identity_pair(true);
287 options->set_root_cert_name(kRootCertName);
288 options->set_identity_cert_name(kIdentityCertName);
289 grpc_core::RefCountedPtr<TlsCredentials> credential =
290 grpc_core::MakeRefCounted<TlsCredentials>(options);
291 grpc_channel_args* new_args = nullptr;
292 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
293 credential->create_security_connector(nullptr, kTargetName, nullptr,
294 &new_args);
295 EXPECT_NE(connector, nullptr);
296 grpc_core::TlsChannelSecurityConnector* tls_connector =
297 static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
298 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
299 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
300 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
301 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
302 // valid credentials.
303 distributor->SetErrorForCert(
304 kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
305 absl::nullopt);
306 distributor->SetErrorForCert(
307 kIdentityCertName, absl::nullopt,
308 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
309 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
310 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
311 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
312 grpc_channel_args_destroy(new_args);
313 }
314
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoTargetName)315 TEST_F(TlsSecurityConnectorTest,
316 CreateChannelSecurityConnectorFailNoTargetName) {
317 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
318 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
319 grpc_core::RefCountedPtr<TlsCredentials> credential =
320 grpc_core::MakeRefCounted<TlsCredentials>(options);
321 grpc_channel_args* new_args = nullptr;
322 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
323 credential->create_security_connector(nullptr, nullptr, nullptr,
324 &new_args);
325 EXPECT_EQ(connector, nullptr);
326 }
327
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoCredentials)328 TEST_F(TlsSecurityConnectorTest,
329 CreateChannelSecurityConnectorFailNoCredentials) {
330 auto connector =
331 grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
332 nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>(),
333 nullptr, kTargetName, nullptr, nullptr);
334 EXPECT_EQ(connector, nullptr);
335 }
336
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoOptions)337 TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
338 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
339 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
340 grpc_core::RefCountedPtr<TlsCredentials> credential =
341 grpc_core::MakeRefCounted<TlsCredentials>(options);
342 auto connector =
343 grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
344 credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
345 EXPECT_EQ(connector, nullptr);
346 }
347
TEST_F(TlsSecurityConnectorTest,TlsCheckHostNameSuccess)348 TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameSuccess) {
349 const char* target_name = "foo.test.google.fr";
350 tsi_peer peer;
351 GPR_ASSERT(tsi_construct_peer(1, &peer) == TSI_OK);
352 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
353 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, target_name,
354 &peer.properties[0]) == TSI_OK);
355 grpc_error_handle error =
356 grpc_core::internal::TlsCheckHostName(target_name, &peer);
357 tsi_peer_destruct(&peer);
358 EXPECT_EQ(error, GRPC_ERROR_NONE);
359 GRPC_ERROR_UNREF(error);
360 }
361
TEST_F(TlsSecurityConnectorTest,TlsCheckHostNameFail)362 TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameFail) {
363 const char* target_name = "foo.test.google.fr";
364 const char* another_name = "bar.test.google.fr";
365 tsi_peer peer;
366 GPR_ASSERT(tsi_construct_peer(1, &peer) == TSI_OK);
367 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
368 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, another_name,
369 &peer.properties[0]) == TSI_OK);
370 grpc_error_handle error =
371 grpc_core::internal::TlsCheckHostName(target_name, &peer);
372 tsi_peer_destruct(&peer);
373 EXPECT_NE(error, GRPC_ERROR_NONE);
374 GRPC_ERROR_UNREF(error);
375 }
376
377 // Tests for ServerSecurityConnector.
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector)378 TEST_F(TlsSecurityConnectorTest,
379 RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
380 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
381 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
382 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
383 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
384 identity_pairs_0_);
385 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
386 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
387 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
388 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
389 options->set_certificate_provider(provider);
390 options->set_watch_root_cert(true);
391 options->set_watch_identity_pair(true);
392 options->set_root_cert_name(kRootCertName);
393 options->set_identity_cert_name(kIdentityCertName);
394 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
395 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
396 grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
397 credential->create_security_connector(nullptr);
398 EXPECT_NE(connector, nullptr);
399 grpc_core::TlsServerSecurityConnector* tls_connector =
400 static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
401 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
402 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
403 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
404 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
405 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
406 identity_pairs_1_);
407 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
408 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
409 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
410 }
411
412 // Note that on server side, we don't have tests watching root certs only,
413 // because in TLS, the identity certs should always be presented. If we don't
414 // provide, it will try to load certs from some default system locations, and
415 // will hence fail on some systems.
TEST_F(TlsSecurityConnectorTest,IdentityCertsObtainedWhenCreateServerSecurityConnector)416 TEST_F(TlsSecurityConnectorTest,
417 IdentityCertsObtainedWhenCreateServerSecurityConnector) {
418 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
419 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
420 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
421 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
422 identity_pairs_0_);
423 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
424 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
425 // Create options only watching for identity certificates.
426 grpc_core::RefCountedPtr<grpc_tls_credentials_options> identity_options =
427 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
428 identity_options->set_certificate_provider(provider);
429 identity_options->set_watch_identity_pair(true);
430 identity_options->set_identity_cert_name(kIdentityCertName);
431 grpc_core::RefCountedPtr<TlsServerCredentials> identity_credential =
432 grpc_core::MakeRefCounted<TlsServerCredentials>(identity_options);
433 grpc_core::RefCountedPtr<grpc_server_security_connector> identity_connector =
434 identity_credential->create_security_connector(nullptr);
435 EXPECT_NE(identity_connector, nullptr);
436 grpc_core::TlsServerSecurityConnector* tls_identity_connector =
437 static_cast<grpc_core::TlsServerSecurityConnector*>(
438 identity_connector.get());
439 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
440 nullptr);
441 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
442 identity_pairs_0_);
443 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
444 identity_pairs_1_);
445 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
446 nullptr);
447 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
448 identity_pairs_1_);
449 }
450
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateServerSecurityConnector)451 TEST_F(TlsSecurityConnectorTest,
452 CertPartiallyObtainedWhenCreateServerSecurityConnector) {
453 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
454 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
455 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
456 identity_pairs_0_);
457 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
458 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
459 // Registered the options watching both certs, but only root certs are
460 // available at distributor right now.
461 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
462 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
463 options->set_certificate_provider(provider);
464 options->set_watch_root_cert(true);
465 options->set_watch_identity_pair(true);
466 options->set_root_cert_name(kRootCertName);
467 options->set_identity_cert_name(kIdentityCertName);
468 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
469 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
470 grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
471 credential->create_security_connector(nullptr);
472 EXPECT_NE(connector, nullptr);
473 grpc_core::TlsServerSecurityConnector* tls_connector =
474 static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
475 // The server_handshaker_factory_ shouldn't be updated.
476 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
477 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
478 // After updating the root certs, the server_handshaker_factory_ should be
479 // updated.
480 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
481 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
482 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
483 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
484 }
485
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForServerSecurityConnector)486 TEST_F(TlsSecurityConnectorTest,
487 DistributorHasErrorForServerSecurityConnector) {
488 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
489 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
490 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
491 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
492 identity_pairs_0_);
493 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
494 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
495 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
496 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
497 options->set_certificate_provider(provider);
498 options->set_watch_root_cert(true);
499 options->set_watch_identity_pair(true);
500 options->set_root_cert_name(kRootCertName);
501 options->set_identity_cert_name(kIdentityCertName);
502 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
503 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
504 grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
505 credential->create_security_connector(nullptr);
506 EXPECT_NE(connector, nullptr);
507 grpc_core::TlsServerSecurityConnector* tls_connector =
508 static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
509 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
510 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
511 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
512 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
513 // valid credentials.
514 distributor->SetErrorForCert(
515 kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
516 absl::nullopt);
517 distributor->SetErrorForCert(
518 kIdentityCertName, absl::nullopt,
519 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
520 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
521 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
522 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
523 }
524
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoCredentials)525 TEST_F(TlsSecurityConnectorTest,
526 CreateServerSecurityConnectorFailNoCredentials) {
527 auto connector =
528 grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
529 nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>());
530 EXPECT_EQ(connector, nullptr);
531 }
532
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoOptions)533 TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
534 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
535 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
536 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
537 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
538 auto connector =
539 grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
540 credential, nullptr);
541 EXPECT_EQ(connector, nullptr);
542 }
543
544 } // namespace testing
545 } // namespace grpc
546
main(int argc,char ** argv)547 int main(int argc, char** argv) {
548 grpc::testing::TestEnvironment env(argc, argv);
549 GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
550 ::testing::InitGoogleTest(&argc, argv);
551 grpc_init();
552 int ret = RUN_ALL_TESTS();
553 grpc_shutdown();
554 return ret;
555 }
556