1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "src/core/lib/security/credentials/external/aws_request_signer.h"
18
19 #include <gmock/gmock.h>
20
21 #include <grpc/grpc_security.h>
22
23 #include "test/core/util/test_config.h"
24
25 namespace testing {
26
27 namespace {
28 // Test cases of Aws endpoints that the aws-sourced credentials will depend
29 // on.
30 const char* kAmzTestAccessKeyId = "ASIARD4OQDT6A77FR3CL";
31 const char* kAmzTestSecretAccessKey =
32 "Y8AfSaucF37G4PpvfguKZ3/l7Id4uocLXxX0+VTx";
33 const char* kAmzTestToken =
34 "IQoJb3JpZ2luX2VjEIz//////////wEaCXVzLWVhc3QtMiJGMEQCIH7MHX/Oy/"
35 "OB8OlLQa9GrqU1B914+iMikqWQW7vPCKlgAiA/"
36 "Lsv8Jcafn14owfxXn95FURZNKaaphj0ykpmS+Ki+"
37 "CSq0AwhlEAAaDDA3NzA3MTM5MTk5NiIMx9sAeP1ovlMTMKLjKpEDwuJQg41/"
38 "QUKx0laTZYjPlQvjwSqS3OB9P1KAXPWSLkliVMMqaHqelvMF/WO/"
39 "glv3KwuTfQsavRNs3v5pcSEm4SPO3l7mCs7KrQUHwGP0neZhIKxEXy+Ls//1C/"
40 "Bqt53NL+LSbaGv6RPHaX82laz2qElphg95aVLdYgIFY6JWV5fzyjgnhz0DQmy62/"
41 "Vi8pNcM2/"
42 "VnxeCQ8CC8dRDSt52ry2v+nc77vstuI9xV5k8mPtnaPoJDRANh0bjwY5Sdwkbp+"
43 "mGRUJBAQRlNgHUJusefXQgVKBCiyJY4w3Csd8Bgj9IyDV+"
44 "Azuy1jQqfFZWgP68LSz5bURyIjlWDQunO82stZ0BgplKKAa/"
45 "KJHBPCp8Qi6i99uy7qh76FQAqgVTsnDuU6fGpHDcsDSGoCls2HgZjZFPeOj8mmRhFk1Xqvkb"
46 "juz8V1cJk54d3gIJvQt8gD2D6yJQZecnuGWd5K2e2HohvCc8Fc9kBl1300nUJPV+k4tr/"
47 "A5R/0QfEKOZL1/"
48 "k5lf1g9CREnrM8LVkGxCgdYMxLQow1uTL+QU67AHRRSp5PhhGX4Rek+"
49 "01vdYSnJCMaPhSEgcLqDlQkhk6MPsyT91QMXcWmyO+cAZwUPwnRamFepuP4K8k2KVXs/"
50 "LIJHLELwAZ0ekyaS7CptgOqS7uaSTFG3U+vzFZLEnGvWQ7y9IPNQZ+"
51 "Dffgh4p3vF4J68y9049sI6Sr5d5wbKkcbm8hdCDHZcv4lnqohquPirLiFQ3q7B17V9krMPu3"
52 "mz1cg4Ekgcrn/"
53 "E09NTsxAqD8NcZ7C7ECom9r+"
54 "X3zkDOxaajW6hu3Az8hGlyylDaMiFfRbBJpTIlxp7jfa7CxikNgNtEKLH9iCzvuSg2vhA==";
55 const char* kAmzTestDate = "20200811T065522Z";
56
57 // Test cases derived from the Aws signature v4 test suite.
58 // https://github.com/boto/botocore/tree/master/tests/unit/auth/aws4_testsuite
59 const char* kBotoTestAccessKeyId = "AKIDEXAMPLE";
60 const char* kBotoTestSecretAccessKey =
61 "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY";
62 const char* kBotoTestToken = "";
63 const char* kBotoTestDate = "Mon, 09 Sep 2011 23:36:00 GMT";
64 } // namespace
65
66 // AWS official example from the developer doc.
67 // https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
TEST(GrpcAwsRequestSignerTest,AWSOfficialExample)68 TEST(GrpcAwsRequestSignerTest, AWSOfficialExample) {
69 grpc_error_handle error;
70 grpc_core::AwsRequestSigner signer(
71 "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "", "GET",
72 "https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08",
73 "us-east-1", "",
74 {{"content-type", "application/x-www-form-urlencoded; charset=utf-8"},
75 {"x-amz-date", "20150830T123600Z"}},
76 &error);
77 EXPECT_EQ(error, absl::OkStatus());
78 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
79 "AWS4-HMAC-SHA256 "
80 "Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, "
81 "SignedHeaders=content-type;host;x-amz-date, "
82 "Signature="
83 "5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7");
84 }
85
TEST(GrpcAwsRequestSignerTest,GetDescribeRegions)86 TEST(GrpcAwsRequestSignerTest, GetDescribeRegions) {
87 grpc_error_handle error;
88 grpc_core::AwsRequestSigner signer(
89 kAmzTestAccessKeyId, kAmzTestSecretAccessKey, kAmzTestToken, "GET",
90 "https://"
91 "ec2.us-east-2.amazonaws.com?Action=DescribeRegions&Version=2013-10-15",
92 "us-east-2", "", {{"x-amz-date", kAmzTestDate}}, &error);
93 EXPECT_EQ(error, absl::OkStatus());
94 EXPECT_EQ(
95 signer.GetSignedRequestHeaders()["Authorization"],
96 "AWS4-HMAC-SHA256 "
97 "Credential=ASIARD4OQDT6A77FR3CL/20200811/us-east-2/ec2/aws4_request, "
98 "SignedHeaders=host;x-amz-date;x-amz-security-token, "
99 "Signature="
100 "631ea80cddfaa545fdadb120dc92c9f18166e38a5c47b50fab9fce476e022855");
101 }
102
TEST(GrpcAwsRequestSignerTest,PostGetCallerIdentity)103 TEST(GrpcAwsRequestSignerTest, PostGetCallerIdentity) {
104 grpc_error_handle error;
105 grpc_core::AwsRequestSigner signer(
106 kAmzTestAccessKeyId, kAmzTestSecretAccessKey, kAmzTestToken, "POST",
107 "https://"
108 "sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
109 "us-east-2", "", {{"x-amz-date", kAmzTestDate}}, &error);
110 EXPECT_EQ(error, absl::OkStatus());
111 EXPECT_EQ(
112 signer.GetSignedRequestHeaders()["Authorization"],
113 "AWS4-HMAC-SHA256 "
114 "Credential=ASIARD4OQDT6A77FR3CL/20200811/us-east-2/sts/aws4_request, "
115 "SignedHeaders=host;x-amz-date;x-amz-security-token, "
116 "Signature="
117 "73452984e4a880ffdc5c392355733ec3f5ba310d5e0609a89244440cadfe7a7a");
118 }
119
TEST(GrpcAwsRequestSignerTest,PostGetCallerIdentityNoToken)120 TEST(GrpcAwsRequestSignerTest, PostGetCallerIdentityNoToken) {
121 grpc_error_handle error;
122 grpc_core::AwsRequestSigner signer(
123 kAmzTestAccessKeyId, kAmzTestSecretAccessKey, "", "POST",
124 "https://"
125 "sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
126 "us-east-2", "", {{"x-amz-date", kAmzTestDate}}, &error);
127 EXPECT_EQ(error, absl::OkStatus());
128 EXPECT_EQ(
129 signer.GetSignedRequestHeaders()["Authorization"],
130 "AWS4-HMAC-SHA256 "
131 "Credential=ASIARD4OQDT6A77FR3CL/20200811/us-east-2/sts/aws4_request, "
132 "SignedHeaders=host;x-amz-date, "
133 "Signature="
134 "d095ba304919cd0d5570ba8a3787884ee78b860f268ed040ba23831d55536d56");
135 }
136
TEST(GrpcAwsRequestSignerTest,GetHost)137 TEST(GrpcAwsRequestSignerTest, GetHost) {
138 grpc_error_handle error;
139 grpc_core::AwsRequestSigner signer(kBotoTestAccessKeyId,
140 kBotoTestSecretAccessKey, kBotoTestToken,
141 "GET", "https://host.foo.com", "us-east-1",
142 "", {{"date", kBotoTestDate}}, &error);
143 EXPECT_EQ(error, absl::OkStatus());
144 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
145 "AWS4-HMAC-SHA256 "
146 "Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, "
147 "SignedHeaders=date;host, "
148 "Signature="
149 "b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470");
150 }
151
TEST(GrpcAwsRequestSignerTest,GetHostDuplicateQueryParam)152 TEST(GrpcAwsRequestSignerTest, GetHostDuplicateQueryParam) {
153 grpc_error_handle error;
154 grpc_core::AwsRequestSigner signer(
155 kBotoTestAccessKeyId, kBotoTestSecretAccessKey, kBotoTestToken, "GET",
156 "https://host.foo.com/?foo=Zoo&foo=aha", "us-east-1", "",
157 {{"date", kBotoTestDate}}, &error);
158 EXPECT_EQ(error, absl::OkStatus());
159 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
160 "AWS4-HMAC-SHA256 "
161 "Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, "
162 "SignedHeaders=date;host, "
163 "Signature="
164 "be7148d34ebccdc6423b19085378aa0bee970bdc61d144bd1a8c48c33079ab09");
165 }
166
TEST(GrpcAwsRequestSignerTest,PostWithUpperCaseHeaderKey)167 TEST(GrpcAwsRequestSignerTest, PostWithUpperCaseHeaderKey) {
168 grpc_error_handle error;
169 grpc_core::AwsRequestSigner signer(
170 kBotoTestAccessKeyId, kBotoTestSecretAccessKey, kBotoTestToken, "POST",
171 "https://host.foo.com/", "us-east-1", "",
172 {{"date", kBotoTestDate}, {"ZOO", "zoobar"}}, &error);
173 EXPECT_EQ(error, absl::OkStatus());
174 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
175 "AWS4-HMAC-SHA256 "
176 "Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, "
177 "SignedHeaders=date;host;zoo, "
178 "Signature="
179 "b7a95a52518abbca0964a999a880429ab734f35ebbf1235bd79a5de87756dc4a");
180 }
181
TEST(GrpcAwsRequestSignerTest,PostWithUpperCaseHeaderValue)182 TEST(GrpcAwsRequestSignerTest, PostWithUpperCaseHeaderValue) {
183 grpc_error_handle error;
184 grpc_core::AwsRequestSigner signer(
185 kBotoTestAccessKeyId, kBotoTestSecretAccessKey, kBotoTestToken, "POST",
186 "https://host.foo.com/", "us-east-1", "",
187 {{"date", kBotoTestDate}, {"zoo", "ZOOBAR"}}, &error);
188 EXPECT_EQ(error, absl::OkStatus());
189 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
190 "AWS4-HMAC-SHA256 "
191 "Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, "
192 "SignedHeaders=date;host;zoo, "
193 "Signature="
194 "273313af9d0c265c531e11db70bbd653f3ba074c1009239e8559d3987039cad7");
195 }
196
TEST(GrpcAwsRequestSignerTest,SignPostWithHeader)197 TEST(GrpcAwsRequestSignerTest, SignPostWithHeader) {
198 grpc_error_handle error;
199 grpc_core::AwsRequestSigner signer(
200 kBotoTestAccessKeyId, kBotoTestSecretAccessKey, kBotoTestToken, "POST",
201 "https://host.foo.com/", "us-east-1", "",
202 {{"date", kBotoTestDate}, {"p", "phfft"}}, &error);
203 EXPECT_EQ(error, absl::OkStatus());
204 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
205 "AWS4-HMAC-SHA256 "
206 "Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, "
207 "SignedHeaders=date;host;p, "
208 "Signature="
209 "debf546796015d6f6ded8626f5ce98597c33b47b9164cf6b17b4642036fcb592");
210 }
211
TEST(GrpcAwsRequestSignerTest,PostWithBodyNoCustomHeaders)212 TEST(GrpcAwsRequestSignerTest, PostWithBodyNoCustomHeaders) {
213 grpc_error_handle error;
214 grpc_core::AwsRequestSigner signer(
215 kBotoTestAccessKeyId, kBotoTestSecretAccessKey, kBotoTestToken, "POST",
216 "https://host.foo.com/", "us-east-1", "foo=bar",
217 {{"date", kBotoTestDate},
218 {"Content-Type", "application/x-www-form-urlencoded"}},
219 &error);
220 EXPECT_EQ(error, absl::OkStatus());
221 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
222 "AWS4-HMAC-SHA256 "
223 "Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, "
224 "SignedHeaders=content-type;date;host, "
225 "Signature="
226 "5a15b22cf462f047318703b92e6f4f38884e4a7ab7b1d6426ca46a8bd1c26cbc");
227 }
228
TEST(GrpcAwsRequestSignerTest,SignPostWithQueryString)229 TEST(GrpcAwsRequestSignerTest, SignPostWithQueryString) {
230 grpc_error_handle error;
231 grpc_core::AwsRequestSigner signer(
232 kBotoTestAccessKeyId, kBotoTestSecretAccessKey, kBotoTestToken, "POST",
233 "https://host.foo.com/?foo=bar", "us-east-1", "",
234 {{"date", kBotoTestDate}}, &error);
235 EXPECT_EQ(error, absl::OkStatus());
236 EXPECT_EQ(signer.GetSignedRequestHeaders()["Authorization"],
237 "AWS4-HMAC-SHA256 "
238 "Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, "
239 "SignedHeaders=date;host, "
240 "Signature="
241 "b6e3b79003ce0743a491606ba1035a804593b0efb1e20a11cba83f8c25a57a92");
242 }
243
TEST(GrpcAwsRequestSignerTest,InvalidUrl)244 TEST(GrpcAwsRequestSignerTest, InvalidUrl) {
245 grpc_error_handle error;
246 grpc_core::AwsRequestSigner signer("access_key_id", "secret_access_key",
247 "token", "POST", "invalid_url",
248 "us-east-1", "", {}, &error);
249 std::string actual_error_description;
250 GPR_ASSERT(grpc_error_get_str(error,
251 grpc_core::StatusStrProperty::kDescription,
252 &actual_error_description));
253 EXPECT_EQ(actual_error_description, "Invalid Aws request url.");
254 }
255
TEST(GrpcAwsRequestSignerTest,DuplicateRequestDate)256 TEST(GrpcAwsRequestSignerTest, DuplicateRequestDate) {
257 grpc_error_handle error;
258 grpc_core::AwsRequestSigner signer(
259 "access_key_id", "secret_access_key", "token", "POST", "invalid_url",
260 "us-east-1", "", {{"date", kBotoTestDate}, {"x-amz-date", kAmzTestDate}},
261 &error);
262 std::string actual_error_description;
263 GPR_ASSERT(grpc_error_get_str(error,
264 grpc_core::StatusStrProperty::kDescription,
265 &actual_error_description));
266 EXPECT_EQ(actual_error_description,
267 "Only one of {date, x-amz-date} can be specified, not both.");
268 }
269
270 } // namespace testing
271
main(int argc,char ** argv)272 int main(int argc, char** argv) {
273 grpc::testing::TestEnvironment env(&argc, argv);
274 ::testing::InitGoogleTest(&argc, argv);
275 grpc_init();
276 int ret = RUN_ALL_TESTS();
277 grpc_shutdown();
278 return ret;
279 }
280