1 // Copyright 2015 gRPC authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef GRPC_TEST_CORE_END2END_FIXTURES_H2_SSL_CRED_RELOAD_FIXTURE_H 16 #define GRPC_TEST_CORE_END2END_FIXTURES_H2_SSL_CRED_RELOAD_FIXTURE_H 17 18 #include <stddef.h> 19 20 #include <grpc/grpc.h> 21 #include <grpc/grpc_security.h> 22 #include <grpc/grpc_security_constants.h> 23 #include <grpc/impl/channel_arg_names.h> 24 #include <grpc/slice.h> 25 #include <grpc/status.h> 26 #include <grpc/support/log.h> 27 28 #include "src/core/lib/channel/channel_args.h" 29 #include "src/core/lib/iomgr/error.h" 30 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h" 31 #include "test/core/end2end/end2end_tests.h" 32 #include "test/core/end2end/fixtures/secure_fixture.h" 33 #include "test/core/util/tls_utils.h" 34 35 class SslCredReloadFixture : public SecureFixture { 36 public: SslCredReloadFixture(grpc_tls_version tls_version)37 explicit SslCredReloadFixture(grpc_tls_version tls_version) 38 : tls_version_(tls_version) {} 39 CaCertPath()40 static const char* CaCertPath() { return "src/core/tsi/test_creds/ca.pem"; } CertPath()41 static const char* CertPath() { 42 return "src/core/tsi/test_creds/server1.pem"; 43 } KeyPath()44 static const char* KeyPath() { return "src/core/tsi/test_creds/server1.key"; } 45 46 private: MutateClientArgs(grpc_core::ChannelArgs args)47 grpc_core::ChannelArgs MutateClientArgs( 48 grpc_core::ChannelArgs args) override { 49 return args.Set(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, "foo.test.google.fr"); 50 } MakeClientCreds(const grpc_core::ChannelArgs &)51 grpc_channel_credentials* MakeClientCreds( 52 const grpc_core::ChannelArgs&) override { 53 grpc_channel_credentials* ssl_creds = 54 grpc_ssl_credentials_create(nullptr, nullptr, nullptr, nullptr); 55 if (ssl_creds != nullptr) { 56 // Set the min and max TLS version. 57 grpc_ssl_credentials* creds = 58 reinterpret_cast<grpc_ssl_credentials*>(ssl_creds); 59 creds->set_min_tls_version(tls_version_); 60 creds->set_max_tls_version(tls_version_); 61 } 62 return ssl_creds; 63 } MakeServerCreds(const grpc_core::ChannelArgs & args)64 grpc_server_credentials* MakeServerCreds( 65 const grpc_core::ChannelArgs& args) override { 66 server_credential_reloaded_ = false; 67 grpc_ssl_server_credentials_options* options = 68 grpc_ssl_server_credentials_create_options_using_config_fetcher( 69 GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, 70 ssl_server_certificate_config_callback, this); 71 grpc_server_credentials* ssl_creds = 72 grpc_ssl_server_credentials_create_with_options(options); 73 if (ssl_creds != nullptr) { 74 // Set the min and max TLS version. 75 grpc_ssl_server_credentials* creds = 76 reinterpret_cast<grpc_ssl_server_credentials*>(ssl_creds); 77 creds->set_min_tls_version(tls_version_); 78 creds->set_max_tls_version(tls_version_); 79 } 80 if (args.Contains(FAIL_AUTH_CHECK_SERVER_ARG_NAME)) { 81 grpc_auth_metadata_processor processor = {process_auth_failure, nullptr, 82 nullptr}; 83 grpc_server_credentials_set_auth_metadata_processor(ssl_creds, processor); 84 } 85 return ssl_creds; 86 } 87 process_auth_failure(void * state,grpc_auth_context *,const grpc_metadata *,size_t,grpc_process_auth_metadata_done_cb cb,void * user_data)88 static void process_auth_failure(void* state, grpc_auth_context* /*ctx*/, 89 const grpc_metadata* /*md*/, 90 size_t /*md_count*/, 91 grpc_process_auth_metadata_done_cb cb, 92 void* user_data) { 93 GPR_ASSERT(state == nullptr); 94 cb(user_data, nullptr, 0, nullptr, 0, GRPC_STATUS_UNAUTHENTICATED, nullptr); 95 } 96 SslServerCertificateConfigCallback(grpc_ssl_server_certificate_config ** config)97 grpc_ssl_certificate_config_reload_status SslServerCertificateConfigCallback( 98 grpc_ssl_server_certificate_config** config) { 99 if (config == nullptr) { 100 return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL; 101 } 102 if (!server_credential_reloaded_) { 103 std::string ca_cert = grpc_core::testing::GetFileContents(CaCertPath()); 104 std::string server_cert = grpc_core::testing::GetFileContents(CertPath()); 105 std::string server_key = grpc_core::testing::GetFileContents(KeyPath()); 106 grpc_ssl_pem_key_cert_pair pem_key_cert_pair = {server_key.c_str(), 107 server_cert.c_str()}; 108 *config = grpc_ssl_server_certificate_config_create( 109 ca_cert.c_str(), &pem_key_cert_pair, 1); 110 server_credential_reloaded_ = true; 111 return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW; 112 } else { 113 return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED; 114 } 115 } 116 117 static grpc_ssl_certificate_config_reload_status ssl_server_certificate_config_callback(void * user_data,grpc_ssl_server_certificate_config ** config)118 ssl_server_certificate_config_callback( 119 void* user_data, grpc_ssl_server_certificate_config** config) { 120 return static_cast<SslCredReloadFixture*>(user_data) 121 ->SslServerCertificateConfigCallback(config); 122 } 123 124 grpc_tls_version tls_version_; 125 bool server_credential_reloaded_ = false; 126 }; 127 128 #endif // GRPC_TEST_CORE_END2END_FIXTURES_H2_SSL_CRED_RELOAD_FIXTURE_H 129