1 //
2 //
3 // Copyright 2018 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #ifndef GRPC_TEST_CORE_END2END_FIXTURES_H2_TLS_COMMON_H
20 #define GRPC_TEST_CORE_END2END_FIXTURES_H2_TLS_COMMON_H
21
22 #include <stdint.h>
23 #include <string.h>
24
25 #include <string>
26
27 #include "absl/strings/string_view.h"
28
29 #include <grpc/grpc.h>
30 #include <grpc/grpc_security.h>
31 #include <grpc/grpc_security_constants.h>
32 #include <grpc/impl/channel_arg_names.h>
33 #include <grpc/slice.h>
34 #include <grpc/status.h>
35 #include <grpc/support/log.h>
36
37 #include "src/core/lib/channel/channel_args.h"
38 #include "src/core/lib/iomgr/error.h"
39 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
40 #include "src/core/lib/slice/slice_internal.h"
41 #include "test/core/end2end/end2end_tests.h"
42 #include "test/core/end2end/fixtures/secure_fixture.h"
43 #include "test/core/util/tls_utils.h"
44
45 // For normal TLS connections.
46 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
47 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
48 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
49
50 struct SecurityPrimitives {
51 enum ProviderType { STATIC_PROVIDER = 0, FILE_PROVIDER = 1 } provider_type;
52 enum VerifierType {
53 EXTERNAL_SYNC_VERIFIER = 0,
54 EXTERNAL_ASYNC_VERIFIER = 1,
55 HOSTNAME_VERIFIER = 2
56 } verifier_type;
57 enum TlsVersion { V_12 = 0, V_13 = 1 } tls_version;
58 };
59
process_auth_failure(void * state,grpc_auth_context *,const grpc_metadata *,size_t,grpc_process_auth_metadata_done_cb cb,void * user_data)60 inline void process_auth_failure(void* state, grpc_auth_context* /*ctx*/,
61 const grpc_metadata* /*md*/,
62 size_t /*md_count*/,
63 grpc_process_auth_metadata_done_cb cb,
64 void* user_data) {
65 GPR_ASSERT(state == nullptr);
66 cb(user_data, nullptr, 0, nullptr, 0, GRPC_STATUS_UNAUTHENTICATED, nullptr);
67 }
68
69 class TlsFixture : public SecureFixture {
70 public:
TlsFixture(SecurityPrimitives::TlsVersion tls_version,SecurityPrimitives::ProviderType provider_type,SecurityPrimitives::VerifierType verifier_type)71 TlsFixture(SecurityPrimitives::TlsVersion tls_version,
72 SecurityPrimitives::ProviderType provider_type,
73 SecurityPrimitives::VerifierType verifier_type) {
74 switch (tls_version) {
75 case SecurityPrimitives::TlsVersion::V_12: {
76 tls_version_ = grpc_tls_version::TLS1_2;
77 break;
78 }
79 case SecurityPrimitives::TlsVersion::V_13: {
80 tls_version_ = grpc_tls_version::TLS1_3;
81 break;
82 }
83 }
84 switch (provider_type) {
85 case SecurityPrimitives::ProviderType::STATIC_PROVIDER: {
86 std::string root_cert =
87 grpc_core::testing::GetFileContents(CA_CERT_PATH);
88 std::string identity_cert =
89 grpc_core::testing::GetFileContents(SERVER_CERT_PATH);
90 std::string private_key =
91 grpc_core::testing::GetFileContents(SERVER_KEY_PATH);
92 grpc_tls_identity_pairs* client_pairs =
93 grpc_tls_identity_pairs_create();
94 grpc_tls_identity_pairs_add_pair(client_pairs, private_key.c_str(),
95 identity_cert.c_str());
96 client_provider_ = grpc_tls_certificate_provider_static_data_create(
97 root_cert.c_str(), client_pairs);
98 grpc_tls_identity_pairs* server_pairs =
99 grpc_tls_identity_pairs_create();
100 grpc_tls_identity_pairs_add_pair(server_pairs, private_key.c_str(),
101 identity_cert.c_str());
102 server_provider_ = grpc_tls_certificate_provider_static_data_create(
103 root_cert.c_str(), server_pairs);
104 break;
105 }
106 case SecurityPrimitives::ProviderType::FILE_PROVIDER: {
107 client_provider_ = grpc_tls_certificate_provider_file_watcher_create(
108 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
109 server_provider_ = grpc_tls_certificate_provider_file_watcher_create(
110 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
111 break;
112 }
113 }
114 switch (verifier_type) {
115 case SecurityPrimitives::VerifierType::EXTERNAL_SYNC_VERIFIER: {
116 auto* client_sync_verifier =
117 new grpc_core::testing::SyncExternalVerifier(true);
118 client_verifier_ = grpc_tls_certificate_verifier_external_create(
119 client_sync_verifier->base());
120 auto* server_sync_verifier =
121 new grpc_core::testing::SyncExternalVerifier(true);
122 server_verifier_ = grpc_tls_certificate_verifier_external_create(
123 server_sync_verifier->base());
124 check_call_host_ = false;
125 break;
126 }
127 case SecurityPrimitives::VerifierType::EXTERNAL_ASYNC_VERIFIER: {
128 auto* client_async_verifier =
129 new grpc_core::testing::AsyncExternalVerifier(true);
130 client_verifier_ = grpc_tls_certificate_verifier_external_create(
131 client_async_verifier->base());
132 auto* server_async_verifier =
133 new grpc_core::testing::AsyncExternalVerifier(true);
134 server_verifier_ = grpc_tls_certificate_verifier_external_create(
135 server_async_verifier->base());
136 check_call_host_ = false;
137 break;
138 }
139 case SecurityPrimitives::VerifierType::HOSTNAME_VERIFIER: {
140 client_verifier_ = grpc_tls_certificate_verifier_host_name_create();
141 // Hostname verifier couldn't be applied to the server side, so we will
142 // use sync external verifier here.
143 auto* server_async_verifier =
144 new grpc_core::testing::AsyncExternalVerifier(true);
145 server_verifier_ = grpc_tls_certificate_verifier_external_create(
146 server_async_verifier->base());
147 break;
148 }
149 }
150 }
~TlsFixture()151 ~TlsFixture() override {
152 grpc_tls_certificate_provider_release(client_provider_);
153 grpc_tls_certificate_provider_release(server_provider_);
154 grpc_tls_certificate_verifier_release(client_verifier_);
155 grpc_tls_certificate_verifier_release(server_verifier_);
156 }
157
158 private:
MutateClientArgs(grpc_core::ChannelArgs args)159 grpc_core::ChannelArgs MutateClientArgs(
160 grpc_core::ChannelArgs args) override {
161 return args.Set(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, "foo.test.google.fr");
162 }
163
MakeClientCreds(const grpc_core::ChannelArgs &)164 grpc_channel_credentials* MakeClientCreds(
165 const grpc_core::ChannelArgs&) override {
166 grpc_tls_credentials_options* options =
167 grpc_tls_credentials_options_create();
168 grpc_tls_credentials_options_set_verify_server_cert(
169 options, 1 /* = verify server certs */);
170 options->set_min_tls_version(tls_version_);
171 options->set_max_tls_version(tls_version_);
172 // Set credential provider.
173 grpc_tls_credentials_options_set_certificate_provider(options,
174 client_provider_);
175 grpc_tls_credentials_options_watch_root_certs(options);
176 grpc_tls_credentials_options_watch_identity_key_cert_pairs(options);
177 // Set credential verifier.
178 grpc_tls_credentials_options_set_certificate_verifier(options,
179 client_verifier_);
180 grpc_tls_credentials_options_set_check_call_host(options, check_call_host_);
181 // Create TLS channel credentials.
182 grpc_channel_credentials* creds = grpc_tls_credentials_create(options);
183 return creds;
184 }
185
MakeServerCreds(const grpc_core::ChannelArgs & args)186 grpc_server_credentials* MakeServerCreds(
187 const grpc_core::ChannelArgs& args) override {
188 grpc_tls_credentials_options* options =
189 grpc_tls_credentials_options_create();
190 options->set_min_tls_version(tls_version_);
191 options->set_max_tls_version(tls_version_);
192 // Set credential provider.
193 grpc_tls_credentials_options_set_certificate_provider(options,
194 server_provider_);
195 grpc_tls_credentials_options_watch_root_certs(options);
196 grpc_tls_credentials_options_watch_identity_key_cert_pairs(options);
197 // Set client certificate request type.
198 grpc_tls_credentials_options_set_cert_request_type(
199 options, GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
200 // Set credential verifier.
201 grpc_tls_credentials_options_set_certificate_verifier(options,
202 server_verifier_);
203 grpc_server_credentials* creds =
204 grpc_tls_server_credentials_create(options);
205 if (args.Contains(FAIL_AUTH_CHECK_SERVER_ARG_NAME)) {
206 grpc_auth_metadata_processor processor = {process_auth_failure, nullptr,
207 nullptr};
208 grpc_server_credentials_set_auth_metadata_processor(creds, processor);
209 }
210 return creds;
211 }
212
213 grpc_tls_version tls_version_;
214 grpc_tls_certificate_provider* client_provider_ = nullptr;
215 grpc_tls_certificate_provider* server_provider_ = nullptr;
216 grpc_tls_certificate_verifier* client_verifier_ = nullptr;
217 grpc_tls_certificate_verifier* server_verifier_ = nullptr;
218 bool check_call_host_ = true;
219 };
220
221 static const uint32_t kH2TLSFeatureMask =
222 FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
223 FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL | FEATURE_MASK_IS_HTTP2;
224
225 #endif // GRPC_TEST_CORE_END2END_FIXTURES_H2_TLS_COMMON_H
226