1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
18
19 #include <deque>
20 #include <list>
21 #include <string>
22 #include <thread>
23
24 #include <gmock/gmock.h>
25 #include <gtest/gtest.h>
26
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
30
31 #include "src/core/lib/gprpp/crash.h"
32 #include "src/core/lib/slice/slice_internal.h"
33 #include "test/core/util/test_config.h"
34 #include "test/core/util/tls_utils.h"
35
36 namespace grpc_core {
37
38 namespace testing {
39
40 constexpr const char* kCertName1 = "cert_1_name";
41 constexpr const char* kCertName2 = "cert_2_name";
42 constexpr const char* kRootCert1Name = "root_cert_1_name";
43 constexpr const char* kRootCert1Contents = "root_cert_1_contents";
44 constexpr const char* kRootCert2Name = "root_cert_2_name";
45 constexpr const char* kRootCert2Contents = "root_cert_2_contents";
46 constexpr const char* kIdentityCert1Name = "identity_cert_1_name";
47 constexpr const char* kIdentityCert1PrivateKey = "identity_private_key_1";
48 constexpr const char* kIdentityCert1Contents = "identity_cert_1_contents";
49 constexpr const char* kIdentityCert2Name = "identity_cert_2_name";
50 constexpr const char* kIdentityCert2PrivateKey = "identity_private_key_2";
51 constexpr const char* kIdentityCert2Contents = "identity_cert_2_contents";
52 constexpr const char* kErrorMessage = "error_message";
53 constexpr const char* kRootErrorMessage = "root_error_message";
54 constexpr const char* kIdentityErrorMessage = "identity_error_message";
55
56 class GrpcTlsCertificateDistributorTest : public ::testing::Test {
57 protected:
58 // Forward declaration.
59 class TlsCertificatesTestWatcher;
60
61 // CredentialInfo contains the parameters when calling OnCertificatesChanged
62 // of a watcher. When OnCertificatesChanged is invoked, we will push a
63 // CredentialInfo to the cert_update_queue of state_, and check in each test
64 // if the status updates are correct.
65 struct CredentialInfo {
66 std::string root_certs;
67 PemKeyCertPairList key_cert_pairs;
CredentialInfogrpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo68 CredentialInfo(std::string root, PemKeyCertPairList key_cert)
69 : root_certs(std::move(root)), key_cert_pairs(std::move(key_cert)) {}
operator ==grpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo70 bool operator==(const CredentialInfo& other) const {
71 return root_certs == other.root_certs &&
72 key_cert_pairs == other.key_cert_pairs;
73 }
74 };
75
76 // ErrorInfo contains the parameters when calling OnError of a watcher. When
77 // OnError is invoked, we will push a ErrorInfo to the error_queue of state_,
78 // and check in each test if the status updates are correct.
79 struct ErrorInfo {
80 std::string root_cert_str;
81 std::string identity_cert_str;
ErrorInfogrpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo82 ErrorInfo(std::string root, std::string identity)
83 : root_cert_str(std::move(root)),
84 identity_cert_str(std::move(identity)) {}
operator ==grpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo85 bool operator==(const ErrorInfo& other) const {
86 return root_cert_str == other.root_cert_str &&
87 identity_cert_str == other.identity_cert_str;
88 }
89 };
90
91 struct WatcherState {
92 TlsCertificatesTestWatcher* watcher = nullptr;
93 std::deque<CredentialInfo> cert_update_queue;
94 std::deque<ErrorInfo> error_queue;
95
GetCredentialQueuegrpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState96 std::deque<CredentialInfo> GetCredentialQueue() {
97 // We move the data member value so the data member will be re-initiated
98 // with size 0, and ready for the next check.
99 return std::move(cert_update_queue);
100 }
GetErrorQueuegrpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState101 std::deque<ErrorInfo> GetErrorQueue() {
102 // We move the data member value so the data member will be re-initiated
103 // with size 0, and ready for the next check.
104 return std::move(error_queue);
105 }
106 };
107
108 class TlsCertificatesTestWatcher : public grpc_tls_certificate_distributor::
109 TlsCertificatesWatcherInterface {
110 public:
111 // ctor sets state->watcher to this.
TlsCertificatesTestWatcher(WatcherState * state)112 explicit TlsCertificatesTestWatcher(WatcherState* state) : state_(state) {
113 state_->watcher = this;
114 }
115
116 // dtor sets state->watcher to nullptr.
~TlsCertificatesTestWatcher()117 ~TlsCertificatesTestWatcher() override { state_->watcher = nullptr; }
118
OnCertificatesChanged(absl::optional<absl::string_view> root_certs,absl::optional<PemKeyCertPairList> key_cert_pairs)119 void OnCertificatesChanged(
120 absl::optional<absl::string_view> root_certs,
121 absl::optional<PemKeyCertPairList> key_cert_pairs) override {
122 std::string updated_root;
123 if (root_certs.has_value()) {
124 updated_root = std::string(*root_certs);
125 }
126 PemKeyCertPairList updated_identity;
127 if (key_cert_pairs.has_value()) {
128 updated_identity = std::move(*key_cert_pairs);
129 }
130 state_->cert_update_queue.emplace_back(std::move(updated_root),
131 std::move(updated_identity));
132 }
133
OnError(grpc_error_handle root_cert_error,grpc_error_handle identity_cert_error)134 void OnError(grpc_error_handle root_cert_error,
135 grpc_error_handle identity_cert_error) override {
136 GPR_ASSERT(!root_cert_error.ok() || !identity_cert_error.ok());
137 std::string root_error_str;
138 std::string identity_error_str;
139 if (!root_cert_error.ok()) {
140 GPR_ASSERT(grpc_error_get_str(
141 root_cert_error, StatusStrProperty::kDescription, &root_error_str));
142 }
143 if (!identity_cert_error.ok()) {
144 GPR_ASSERT(grpc_error_get_str(identity_cert_error,
145 StatusStrProperty::kDescription,
146 &identity_error_str));
147 }
148 state_->error_queue.emplace_back(std::move(root_error_str),
149 std::move(identity_error_str));
150 }
151
152 private:
153 WatcherState* state_;
154 };
155
156 // CallbackStatus contains the parameters when calling watch_status_callback_
157 // of the distributor. When a particular callback is invoked, we will push a
158 // CallbackStatus to a callback_queue_, and check in each test if the status
159 // updates are correct.
160 struct CallbackStatus {
161 std::string cert_name;
162 bool root_being_watched;
163 bool identity_being_watched;
CallbackStatusgrpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus164 CallbackStatus(std::string name, bool root_watched, bool identity_watched)
165 : cert_name(std::move(name)),
166 root_being_watched(root_watched),
167 identity_being_watched(identity_watched) {}
operator ==grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus168 bool operator==(const CallbackStatus& other) const {
169 return cert_name == other.cert_name &&
170 root_being_watched == other.root_being_watched &&
171 identity_being_watched == other.identity_being_watched;
172 }
173 };
174
SetUp()175 void SetUp() override {
176 distributor_.SetWatchStatusCallback([this](std::string cert_name,
177 bool root_being_watched,
178 bool identity_being_watched) {
179 callback_queue_.emplace_back(std::move(cert_name), root_being_watched,
180 identity_being_watched);
181 });
182 }
183
MakeWatcher(absl::optional<std::string> root_cert_name,absl::optional<std::string> identity_cert_name)184 WatcherState* MakeWatcher(absl::optional<std::string> root_cert_name,
185 absl::optional<std::string> identity_cert_name) {
186 MutexLock lock(&mu_);
187 watchers_.emplace_back();
188 // TlsCertificatesTestWatcher ctor takes a pointer to the WatcherState.
189 // It sets WatcherState::watcher to point to itself.
190 // The TlsCertificatesTestWatcher dtor will set WatcherState::watcher back
191 // to nullptr to indicate that it's been destroyed.
192 auto watcher =
193 std::make_unique<TlsCertificatesTestWatcher>(&watchers_.back());
194 distributor_.WatchTlsCertificates(std::move(watcher),
195 std::move(root_cert_name),
196 std::move(identity_cert_name));
197 return &watchers_.back();
198 }
199
CancelWatch(WatcherState * state)200 void CancelWatch(WatcherState* state) {
201 MutexLock lock(&mu_);
202 distributor_.CancelTlsCertificatesWatch(state->watcher);
203 EXPECT_EQ(state->watcher, nullptr);
204 }
205
GetCallbackQueue()206 std::deque<CallbackStatus> GetCallbackQueue() {
207 // We move the data member value so the data member will be re-initiated
208 // with size 0, and ready for the next check.
209 return std::move(callback_queue_);
210 }
211
212 grpc_tls_certificate_distributor distributor_;
213 // Use a std::list<> here to avoid the address invalidation caused by internal
214 // reallocation of std::vector<>.
215 std::list<WatcherState> watchers_;
216 std::deque<CallbackStatus> callback_queue_;
217 // This is to make watchers_ and callback_queue_ thread-safe.
218 Mutex mu_;
219 };
220
TEST_F(GrpcTlsCertificateDistributorTest,BasicCredentialBehaviors)221 TEST_F(GrpcTlsCertificateDistributorTest, BasicCredentialBehaviors) {
222 EXPECT_FALSE(distributor_.HasRootCerts(kRootCert1Name));
223 EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert1Name));
224 // After setting the certificates to the corresponding cert names, the
225 // distributor should possess the corresponding certs.
226 distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
227 absl::nullopt);
228 EXPECT_TRUE(distributor_.HasRootCerts(kRootCert1Name));
229 distributor_.SetKeyMaterials(
230 kIdentityCert1Name, absl::nullopt,
231 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
232 EXPECT_TRUE(distributor_.HasKeyCertPairs(kIdentityCert1Name));
233 // Querying a non-existing cert name should return false.
234 EXPECT_FALSE(distributor_.HasRootCerts(kRootCert2Name));
235 EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert2Name));
236 }
237
TEST_F(GrpcTlsCertificateDistributorTest,UpdateCredentialsOnAnySide)238 TEST_F(GrpcTlsCertificateDistributorTest, UpdateCredentialsOnAnySide) {
239 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
240 EXPECT_THAT(GetCallbackQueue(),
241 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
242 // SetKeyMaterials should trigger watcher's OnCertificatesChanged method.
243 distributor_.SetKeyMaterials(
244 kCertName1, kRootCert1Contents,
245 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
246 EXPECT_THAT(
247 watcher_state_1->GetCredentialQueue(),
248 ::testing::ElementsAre(CredentialInfo(
249 kRootCert1Contents,
250 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
251 // Set root certs should trigger watcher's OnCertificatesChanged again.
252 distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
253 EXPECT_THAT(
254 watcher_state_1->GetCredentialQueue(),
255 ::testing::ElementsAre(CredentialInfo(
256 kRootCert2Contents,
257 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
258 // Set identity certs should trigger watcher's OnCertificatesChanged again.
259 distributor_.SetKeyMaterials(
260 kCertName1, absl::nullopt,
261 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
262 EXPECT_THAT(
263 watcher_state_1->GetCredentialQueue(),
264 ::testing::ElementsAre(CredentialInfo(
265 kRootCert2Contents,
266 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
267 CancelWatch(watcher_state_1);
268 }
269
TEST_F(GrpcTlsCertificateDistributorTest,SameIdentityNameDiffRootName)270 TEST_F(GrpcTlsCertificateDistributorTest, SameIdentityNameDiffRootName) {
271 // Register watcher 1.
272 WatcherState* watcher_state_1 =
273 MakeWatcher(kRootCert1Name, kIdentityCert1Name);
274 EXPECT_THAT(
275 GetCallbackQueue(),
276 ::testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false),
277 CallbackStatus(kIdentityCert1Name, false, true)));
278 // Register watcher 2.
279 WatcherState* watcher_state_2 =
280 MakeWatcher(kRootCert2Name, kIdentityCert1Name);
281 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
282 kRootCert2Name, true, false)));
283 // Push credential updates to kRootCert1Name and check if the status works as
284 // expected.
285 distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
286 absl::nullopt);
287 // Check the updates are delivered to watcher 1.
288 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
289 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
290 // Push credential updates to kRootCert2Name.
291 distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents,
292 absl::nullopt);
293 // Check the updates are delivered to watcher 2.
294 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
295 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
296 // Push credential updates to kIdentityCert1Name and check if the status works
297 // as expected.
298 distributor_.SetKeyMaterials(
299 kIdentityCert1Name, absl::nullopt,
300 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
301 // Check the updates are delivered to watcher 1 and watcher 2.
302 EXPECT_THAT(
303 watcher_state_1->GetCredentialQueue(),
304 ::testing::ElementsAre(CredentialInfo(
305 kRootCert1Contents,
306 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
307 EXPECT_THAT(
308 watcher_state_2->GetCredentialQueue(),
309 ::testing::ElementsAre(CredentialInfo(
310 kRootCert2Contents,
311 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
312 // Cancel watcher 1.
313 CancelWatch(watcher_state_1);
314 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
315 kRootCert1Name, false, false)));
316 // Cancel watcher 2.
317 CancelWatch(watcher_state_2);
318 EXPECT_THAT(
319 GetCallbackQueue(),
320 ::testing::ElementsAre(CallbackStatus(kRootCert2Name, false, false),
321 CallbackStatus(kIdentityCert1Name, false, false)));
322 }
323
TEST_F(GrpcTlsCertificateDistributorTest,SameRootNameDiffIdentityName)324 TEST_F(GrpcTlsCertificateDistributorTest, SameRootNameDiffIdentityName) {
325 // Register watcher 1.
326 WatcherState* watcher_state_1 =
327 MakeWatcher(kRootCert1Name, kIdentityCert1Name);
328 EXPECT_THAT(
329 GetCallbackQueue(),
330 ::testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false),
331 CallbackStatus(kIdentityCert1Name, false, true)));
332 // Register watcher 2.
333 WatcherState* watcher_state_2 =
334 MakeWatcher(kRootCert1Name, kIdentityCert2Name);
335 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
336 kIdentityCert2Name, false, true)));
337 // Push credential updates to kRootCert1Name and check if the status works as
338 // expected.
339 distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
340 absl::nullopt);
341 // Check the updates are delivered to watcher 1.
342 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
343 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
344 // Check the updates are delivered to watcher 2.
345 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
346 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
347 // Push credential updates to SetKeyMaterials.
348 distributor_.SetKeyMaterials(
349 kIdentityCert1Name, absl::nullopt,
350 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
351 // Check the updates are delivered to watcher 1.
352 EXPECT_THAT(
353 watcher_state_1->GetCredentialQueue(),
354 ::testing::ElementsAre(CredentialInfo(
355 kRootCert1Contents,
356 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
357 // Push credential updates to kIdentityCert2Name.
358 distributor_.SetKeyMaterials(
359 kIdentityCert2Name, absl::nullopt,
360 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
361 // Check the updates are delivered to watcher 2.
362 EXPECT_THAT(
363 watcher_state_2->GetCredentialQueue(),
364 ::testing::ElementsAre(CredentialInfo(
365 kRootCert1Contents,
366 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
367 // Cancel watcher 1.
368 CancelWatch(watcher_state_1);
369 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
370 kIdentityCert1Name, false, false)));
371 // Cancel watcher 2.
372 CancelWatch(watcher_state_2);
373 EXPECT_THAT(
374 GetCallbackQueue(),
375 ::testing::ElementsAre(CallbackStatus(kRootCert1Name, false, false),
376 CallbackStatus(kIdentityCert2Name, false, false)));
377 }
378
TEST_F(GrpcTlsCertificateDistributorTest,AddAndCancelFirstWatcherForSameRootAndIdentityCertName)379 TEST_F(GrpcTlsCertificateDistributorTest,
380 AddAndCancelFirstWatcherForSameRootAndIdentityCertName) {
381 // Register watcher 1 watching kCertName1 for both root and identity certs.
382 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
383 EXPECT_THAT(GetCallbackQueue(),
384 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
385 // Push credential updates to kCertName1 and check if the status works as
386 // expected.
387 distributor_.SetKeyMaterials(
388 kCertName1, kRootCert1Contents,
389 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
390 // Check the updates are delivered to watcher 1.
391 EXPECT_THAT(
392 watcher_state_1->GetCredentialQueue(),
393 ::testing::ElementsAre(CredentialInfo(
394 kRootCert1Contents,
395 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
396 // Cancel watcher 1.
397 CancelWatch(watcher_state_1);
398 EXPECT_THAT(GetCallbackQueue(),
399 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
400 }
401
TEST_F(GrpcTlsCertificateDistributorTest,AddAndCancelFirstWatcherForIdentityCertNameWithRootBeingWatched)402 TEST_F(GrpcTlsCertificateDistributorTest,
403 AddAndCancelFirstWatcherForIdentityCertNameWithRootBeingWatched) {
404 // Register watcher 1 watching kCertName1 for root certs.
405 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
406 EXPECT_THAT(GetCallbackQueue(),
407 ::testing::ElementsAre(CallbackStatus(kCertName1, true, false)));
408 // Register watcher 2 watching kCertName1 for identity certs.
409 WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1);
410 EXPECT_THAT(GetCallbackQueue(),
411 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
412 // Push credential updates to kCertName1 and check if the status works as
413 // expected.
414 distributor_.SetKeyMaterials(
415 kCertName1, kRootCert1Contents,
416 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
417 // Check the updates are delivered to watcher 1.
418 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
419 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
420 // Check the updates are delivered to watcher 2.
421 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
422 ::testing::ElementsAre(CredentialInfo(
423 "", MakeCertKeyPairs(kIdentityCert1PrivateKey,
424 kIdentityCert1Contents))));
425 // Push root cert updates to kCertName1.
426 distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
427 // Check the updates are delivered to watcher 1.
428 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
429 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
430 // Check the updates are not delivered to watcher 2.
431 EXPECT_THAT(watcher_state_2->GetCredentialQueue(), ::testing::ElementsAre());
432 // Push identity cert updates to kCertName1.
433 distributor_.SetKeyMaterials(
434 kCertName1, absl::nullopt,
435 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
436 // Check the updates are not delivered to watcher 1.
437 EXPECT_THAT(watcher_state_1->GetCredentialQueue(), ::testing::ElementsAre());
438 // Check the updates are delivered to watcher 2.
439 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
440 ::testing::ElementsAre(CredentialInfo(
441 "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
442 kIdentityCert2Contents))));
443 watcher_state_2->cert_update_queue.clear();
444 // Cancel watcher 2.
445 CancelWatch(watcher_state_2);
446 EXPECT_THAT(GetCallbackQueue(),
447 ::testing::ElementsAre(CallbackStatus(kCertName1, true, false)));
448 // Cancel watcher 1.
449 CancelWatch(watcher_state_1);
450 EXPECT_THAT(GetCallbackQueue(),
451 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
452 }
453
TEST_F(GrpcTlsCertificateDistributorTest,AddAndCancelFirstWatcherForRootCertNameWithIdentityBeingWatched)454 TEST_F(GrpcTlsCertificateDistributorTest,
455 AddAndCancelFirstWatcherForRootCertNameWithIdentityBeingWatched) {
456 // Register watcher 1 watching kCertName1 for identity certs.
457 WatcherState* watcher_state_1 = MakeWatcher(absl::nullopt, kCertName1);
458 EXPECT_THAT(GetCallbackQueue(),
459 ::testing::ElementsAre(CallbackStatus(kCertName1, false, true)));
460 // Register watcher 2 watching kCertName1 for root certs.
461 WatcherState* watcher_state_2 = MakeWatcher(kCertName1, absl::nullopt);
462 EXPECT_THAT(GetCallbackQueue(),
463 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
464 // Push credential updates to kCertName1 and check if the status works as
465 // expected.
466 distributor_.SetKeyMaterials(
467 kCertName1, kRootCert1Contents,
468 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
469 // Check the updates are delivered to watcher 1.
470 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
471 ::testing::ElementsAre(CredentialInfo(
472 "", MakeCertKeyPairs(kIdentityCert1PrivateKey,
473 kIdentityCert1Contents))));
474 // Check the updates are delivered to watcher 2.
475 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
476 ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
477 // Push root cert updates to kCertName1.
478 distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
479 // Check the updates are delivered to watcher 2.
480 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
481 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
482 // Check the updates are not delivered to watcher 1.
483 EXPECT_THAT(watcher_state_1->GetCredentialQueue(), ::testing::ElementsAre());
484 // Push identity cert updates to kCertName1.
485 distributor_.SetKeyMaterials(
486 kCertName1, absl::nullopt,
487 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
488 // Check the updates are not delivered to watcher 2.
489 EXPECT_THAT(watcher_state_2->GetCredentialQueue(), ::testing::ElementsAre());
490 // Check the updates are delivered to watcher 1.
491 EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
492 ::testing::ElementsAre(CredentialInfo(
493 "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
494 kIdentityCert2Contents))));
495 // Cancel watcher 2.
496 CancelWatch(watcher_state_2);
497 EXPECT_THAT(GetCallbackQueue(),
498 ::testing::ElementsAre(CallbackStatus(kCertName1, false, true)));
499 // Cancel watcher 1.
500 CancelWatch(watcher_state_1);
501 EXPECT_THAT(GetCallbackQueue(),
502 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
503 }
504
TEST_F(GrpcTlsCertificateDistributorTest,RemoveAllWatchersForCertNameAndAddAgain)505 TEST_F(GrpcTlsCertificateDistributorTest,
506 RemoveAllWatchersForCertNameAndAddAgain) {
507 // Register watcher 1 and watcher 2 watching kCertName1 for root and identity
508 // certs.
509 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
510 EXPECT_THAT(GetCallbackQueue(),
511 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
512 WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1);
513 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
514 // Push credential updates to kCertName1.
515 distributor_.SetKeyMaterials(
516 kCertName1, kRootCert1Contents,
517 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
518 // Cancel watcher 2.
519 CancelWatch(watcher_state_2);
520 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
521 // Cancel watcher 1.
522 CancelWatch(watcher_state_1);
523 EXPECT_THAT(GetCallbackQueue(),
524 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
525 // Register watcher 3 watching kCertName for root and identity certs.
526 WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName1);
527 EXPECT_THAT(GetCallbackQueue(),
528 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
529 // Push credential updates to kCertName1.
530 distributor_.SetKeyMaterials(
531 kCertName1, kRootCert2Contents,
532 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
533 // Check the updates are delivered to watcher 3.
534 EXPECT_THAT(
535 watcher_state_3->GetCredentialQueue(),
536 ::testing::ElementsAre(CredentialInfo(
537 kRootCert2Contents,
538 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
539 // Cancel watcher 3.
540 CancelWatch(watcher_state_3);
541 EXPECT_THAT(GetCallbackQueue(),
542 ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
543 }
544
TEST_F(GrpcTlsCertificateDistributorTest,ResetCallbackToNull)545 TEST_F(GrpcTlsCertificateDistributorTest, ResetCallbackToNull) {
546 // Register watcher 1 watching kCertName1 for root and identity certs.
547 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
548 EXPECT_THAT(GetCallbackQueue(),
549 ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
550 // Reset callback to nullptr.
551 distributor_.SetWatchStatusCallback(nullptr);
552 // Cancel watcher 1 shouldn't trigger any callback.
553 CancelWatch(watcher_state_1);
554 EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
555 }
556
TEST_F(GrpcTlsCertificateDistributorTest,SetKeyMaterialsInCallback)557 TEST_F(GrpcTlsCertificateDistributorTest, SetKeyMaterialsInCallback) {
558 distributor_.SetWatchStatusCallback([this](std::string cert_name,
559 bool /*root_being_watched*/,
560 bool /*identity_being_watched*/) {
561 distributor_.SetKeyMaterials(
562 cert_name, kRootCert1Contents,
563 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
564 });
565 auto verify_function = [this](std::string cert_name) {
566 WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name);
567 // Check the updates are delivered to watcher 1.
568 EXPECT_THAT(
569 watcher_state_1->GetCredentialQueue(),
570 ::testing::ElementsAre(CredentialInfo(
571 kRootCert1Contents, MakeCertKeyPairs(kIdentityCert1PrivateKey,
572 kIdentityCert1Contents))));
573 CancelWatch(watcher_state_1);
574 };
575 // Start 10 threads that will register a watcher to a new cert name, verify
576 // the key materials being set, and then cancel the watcher, to make sure the
577 // lock mechanism in the distributor is safe.
578 std::vector<std::thread> threads;
579 threads.reserve(10);
580 for (int i = 0; i < 10; ++i) {
581 threads.emplace_back(verify_function, std::to_string(i));
582 }
583 for (auto& th : threads) {
584 th.join();
585 }
586 }
587
TEST_F(GrpcTlsCertificateDistributorTest,WatchACertInfoWithValidCredentials)588 TEST_F(GrpcTlsCertificateDistributorTest, WatchACertInfoWithValidCredentials) {
589 // Push credential updates to kCertName1.
590 distributor_.SetKeyMaterials(
591 kCertName1, kRootCert1Contents,
592 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
593 // Push root credential updates to kCertName2.
594 distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents,
595 absl::nullopt);
596 // Push identity credential updates to kCertName2.
597 distributor_.SetKeyMaterials(
598 kIdentityCert2Name, absl::nullopt,
599 MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
600 // Register watcher 1.
601 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
602 // watcher 1 should receive the credentials right away.
603 EXPECT_THAT(
604 watcher_state_1->GetCredentialQueue(),
605 ::testing::ElementsAre(CredentialInfo(
606 kRootCert1Contents,
607 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
608 CancelWatch(watcher_state_1);
609 // Register watcher 2.
610 WatcherState* watcher_state_2 = MakeWatcher(kRootCert2Name, absl::nullopt);
611 // watcher 2 should receive the root credentials right away.
612 EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
613 ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
614 // Register watcher 3.
615 WatcherState* watcher_state_3 =
616 MakeWatcher(absl::nullopt, kIdentityCert2Name);
617 // watcher 3 should received the identity credentials right away.
618 EXPECT_THAT(watcher_state_3->GetCredentialQueue(),
619 ::testing::ElementsAre(CredentialInfo(
620 "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
621 kIdentityCert2Contents))));
622 CancelWatch(watcher_state_2);
623 CancelWatch(watcher_state_3);
624 }
625
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertForBothRootAndIdentity)626 TEST_F(GrpcTlsCertificateDistributorTest,
627 SetErrorForCertForBothRootAndIdentity) {
628 // Register watcher 1.
629 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
630 // Calling SetErrorForCert on both cert names should only call one OnError
631 // on watcher 1.
632 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
633 GRPC_ERROR_CREATE(kIdentityErrorMessage));
634 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
635 ::testing::ElementsAre(
636 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
637 // Calling SetErrorForCert on root cert name should call OnError
638 // on watcher 1 again.
639 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kErrorMessage),
640 absl::nullopt);
641 EXPECT_THAT(
642 watcher_state_1->GetErrorQueue(),
643 ::testing::ElementsAre(ErrorInfo(kErrorMessage, kIdentityErrorMessage)));
644 // Calling SetErrorForCert on identity cert name should call OnError
645 // on watcher 1 again.
646 distributor_.SetErrorForCert(kCertName1, absl::nullopt,
647 GRPC_ERROR_CREATE(kErrorMessage));
648 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
649 ::testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage)));
650 distributor_.CancelTlsCertificatesWatch(watcher_state_1->watcher);
651 EXPECT_EQ(watcher_state_1->watcher, nullptr);
652 }
653
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertForRootOrIdentity)654 TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertForRootOrIdentity) {
655 // Register watcher 1.
656 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
657 // Calling SetErrorForCert on root name should only call one OnError
658 // on watcher 1.
659 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
660 absl::nullopt);
661 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
662 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
663 // Calling SetErrorForCert on identity name should do nothing.
664 distributor_.SetErrorForCert(kCertName1, absl::nullopt,
665 GRPC_ERROR_CREATE(kIdentityErrorMessage));
666 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
667 // Calling SetErrorForCert on both names should still get one OnError call.
668 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
669 GRPC_ERROR_CREATE(kIdentityErrorMessage));
670 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
671 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
672 CancelWatch(watcher_state_1);
673 // Register watcher 2.
674 WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1);
675 // Calling SetErrorForCert on identity name should only call one OnError
676 // on watcher 2.
677 distributor_.SetErrorForCert(kCertName1, absl::nullopt,
678 GRPC_ERROR_CREATE(kIdentityErrorMessage));
679 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
680 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
681 // Calling SetErrorForCert on root name should do nothing.
682 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
683 absl::nullopt);
684 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
685 // Calling SetErrorForCert on both names should still get one OnError call.
686 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
687 GRPC_ERROR_CREATE(kIdentityErrorMessage));
688 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
689 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
690 CancelWatch(watcher_state_2);
691 }
692
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForIdentityNameWithPreexistingErrorForRootName)693 TEST_F(GrpcTlsCertificateDistributorTest,
694 SetErrorForIdentityNameWithPreexistingErrorForRootName) {
695 // SetErrorForCert for kCertName1.
696 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
697 GRPC_ERROR_CREATE(kIdentityErrorMessage));
698 // Register watcher 1 for kCertName1 as root and kCertName2 as identity.
699 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2);
700 // Should trigger OnError call right away since kCertName1 has error.
701 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
702 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
703 // Calling SetErrorForCert on kCertName2 should trigger OnError with both
704 // errors, because kCertName1 also has error.
705 distributor_.SetErrorForCert(kCertName2, absl::nullopt,
706 GRPC_ERROR_CREATE(kIdentityErrorMessage));
707 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
708 ::testing::ElementsAre(
709 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
710 CancelWatch(watcher_state_1);
711 }
712
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertForRootNameWithSameNameForIdentityErrored)713 TEST_F(GrpcTlsCertificateDistributorTest,
714 SetErrorForCertForRootNameWithSameNameForIdentityErrored) {
715 // SetErrorForCert for kCertName1.
716 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
717 GRPC_ERROR_CREATE(kIdentityErrorMessage));
718 // Register watcher 1 for kCertName2 as root and kCertName1 as identity.
719 WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1);
720 // Should trigger OnError call right away since kCertName2 has error.
721 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
722 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
723 // Calling SetErrorForCert on kCertName2 should trigger OnError with both
724 // errors, because kCertName1 also has error.
725 distributor_.SetErrorForCert(kCertName2, GRPC_ERROR_CREATE(kRootErrorMessage),
726 absl::nullopt);
727 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
728 ::testing::ElementsAre(
729 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
730 CancelWatch(watcher_state_1);
731 }
732
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForIdentityNameWithoutErrorForRootName)733 TEST_F(GrpcTlsCertificateDistributorTest,
734 SetErrorForIdentityNameWithoutErrorForRootName) {
735 // Register watcher 1 for kCertName1 as root and kCertName2 as identity.
736 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2);
737 // Should not trigger OnError.
738 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
739 // Calling SetErrorForCert on kCertName2 should trigger OnError.
740 distributor_.SetErrorForCert(kCertName2, absl::nullopt,
741 GRPC_ERROR_CREATE(kIdentityErrorMessage));
742 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
743 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
744 CancelWatch(watcher_state_1);
745 // Register watcher 2 for kCertName2 as identity and a non-existing name
746 // kRootCert1Name as root.
747 WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, kCertName2);
748 // Should not trigger OnError.
749 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
750 // Calling SetErrorForCert on kCertName2 should trigger OnError.
751 distributor_.SetErrorForCert(kCertName2, absl::nullopt,
752 GRPC_ERROR_CREATE(kIdentityErrorMessage));
753 EXPECT_THAT(watcher_state_2->error_queue,
754 ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
755 CancelWatch(watcher_state_2);
756 }
757
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForRootNameWithPreexistingErrorForIdentityName)758 TEST_F(GrpcTlsCertificateDistributorTest,
759 SetErrorForRootNameWithPreexistingErrorForIdentityName) {
760 WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1);
761 // Should not trigger OnError.
762 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
763 // Calling SetErrorForCert on kCertName2 should trigger OnError.
764 distributor_.SetErrorForCert(kCertName2, GRPC_ERROR_CREATE(kRootErrorMessage),
765 absl::nullopt);
766 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
767 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
768 CancelWatch(watcher_state_1);
769 // Register watcher 2 for kCertName2 as root and a non-existing name
770 // kIdentityCert1Name as identity.
771 WatcherState* watcher_state_2 = MakeWatcher(kCertName2, kIdentityCert1Name);
772 // Should not trigger OnError.
773 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
774 // Calling SetErrorForCert on kCertName2 should trigger OnError.
775 distributor_.SetErrorForCert(kCertName2, GRPC_ERROR_CREATE(kRootErrorMessage),
776 absl::nullopt);
777 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
778 ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
779 CancelWatch(watcher_state_2);
780 }
781
TEST_F(GrpcTlsCertificateDistributorTest,CancelTheLastWatcherOnAnErroredCertInfo)782 TEST_F(GrpcTlsCertificateDistributorTest,
783 CancelTheLastWatcherOnAnErroredCertInfo) {
784 // Register watcher 1.
785 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
786 // Calling SetErrorForCert on both cert names should only call one OnError
787 // on watcher 1.
788 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
789 GRPC_ERROR_CREATE(kIdentityErrorMessage));
790 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
791 ::testing::ElementsAre(
792 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
793 // When watcher 1 is removed, the cert info entry should be removed.
794 CancelWatch(watcher_state_1);
795 // Register watcher 2 on the same cert name.
796 WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1);
797 // Should not trigger OnError call on watcher 2 right away.
798 EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
799 CancelWatch(watcher_state_2);
800 }
801
TEST_F(GrpcTlsCertificateDistributorTest,WatchErroredCertInfoWithValidCredentialData)802 TEST_F(GrpcTlsCertificateDistributorTest,
803 WatchErroredCertInfoWithValidCredentialData) {
804 // Push credential updates to kCertName1.
805 distributor_.SetKeyMaterials(
806 kCertName1, kRootCert1Contents,
807 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
808 // Calling SetErrorForCert on both cert names.
809 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
810 GRPC_ERROR_CREATE(kIdentityErrorMessage));
811 // Register watcher 1.
812 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
813 // watcher 1 should receive both the old credentials and the error right away.
814 EXPECT_THAT(
815 watcher_state_1->GetCredentialQueue(),
816 ::testing::ElementsAre(CredentialInfo(
817 kRootCert1Contents,
818 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
819 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
820 ::testing::ElementsAre(
821 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
822 CancelWatch(watcher_state_1);
823 }
824
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertThenSuccessfulCredentialUpdates)825 TEST_F(GrpcTlsCertificateDistributorTest,
826 SetErrorForCertThenSuccessfulCredentialUpdates) {
827 // Calling SetErrorForCert on both cert names.
828 distributor_.SetErrorForCert(kCertName1, GRPC_ERROR_CREATE(kRootErrorMessage),
829 GRPC_ERROR_CREATE(kIdentityErrorMessage));
830 // Push credential updates to kCertName1.
831 distributor_.SetKeyMaterials(
832 kCertName1, kRootCert1Contents,
833 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
834 // Register watcher 1.
835 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
836 // watcher 1 should only receive credential updates without any error, because
837 // the previous error is wiped out by a successful update.
838 EXPECT_THAT(
839 watcher_state_1->GetCredentialQueue(),
840 ::testing::ElementsAre(CredentialInfo(
841 kRootCert1Contents,
842 MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
843 EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
844 CancelWatch(watcher_state_1);
845 }
846
TEST_F(GrpcTlsCertificateDistributorTest,WatchCertInfoThenInvokeSetError)847 TEST_F(GrpcTlsCertificateDistributorTest, WatchCertInfoThenInvokeSetError) {
848 // Register watcher 1.
849 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
850 // Register watcher 2.
851 WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, absl::nullopt);
852 // Register watcher 3.
853 WatcherState* watcher_state_3 =
854 MakeWatcher(absl::nullopt, kIdentityCert1Name);
855 distributor_.SetError(GRPC_ERROR_CREATE(kErrorMessage));
856 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
857 ::testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage)));
858 EXPECT_THAT(watcher_state_2->GetErrorQueue(),
859 ::testing::ElementsAre(ErrorInfo(kErrorMessage, "")));
860 EXPECT_THAT(watcher_state_3->GetErrorQueue(),
861 ::testing::ElementsAre(ErrorInfo("", kErrorMessage)));
862 CancelWatch(watcher_state_1);
863 CancelWatch(watcher_state_2);
864 CancelWatch(watcher_state_3);
865 }
866
TEST_F(GrpcTlsCertificateDistributorTest,WatchErroredCertInfoBySetError)867 TEST_F(GrpcTlsCertificateDistributorTest, WatchErroredCertInfoBySetError) {
868 // Register watcher 1 watching kCertName1 as root.
869 WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
870 // Register watcher 2 watching kCertName2 as identity.
871 WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName2);
872 // Call SetError and then cancel all watchers.
873 distributor_.SetError(GRPC_ERROR_CREATE(kErrorMessage));
874 CancelWatch(watcher_state_1);
875 CancelWatch(watcher_state_2);
876 // Register watcher 3 watching kCertName1 as root and kCertName2 as identity
877 // should not get the error updates.
878 WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName2);
879 EXPECT_THAT(watcher_state_3->GetErrorQueue(), ::testing::ElementsAre());
880 CancelWatch(watcher_state_3);
881 // Register watcher 4 watching kCertName2 as root and kCertName1 as identity
882 // should not get the error updates.
883 WatcherState* watcher_state_4 = MakeWatcher(kCertName2, kCertName1);
884 EXPECT_THAT(watcher_state_4->GetErrorQueue(), ::testing::ElementsAre());
885 CancelWatch(watcher_state_4);
886 }
887
TEST_F(GrpcTlsCertificateDistributorTest,SetErrorForCertInCallback)888 TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertInCallback) {
889 distributor_.SetWatchStatusCallback([this](std::string cert_name,
890 bool /*root_being_watched*/,
891 bool /*identity_being_watched*/) {
892 this->distributor_.SetErrorForCert(
893 cert_name, GRPC_ERROR_CREATE(kRootErrorMessage),
894 GRPC_ERROR_CREATE(kIdentityErrorMessage));
895 });
896 auto verify_function = [this](std::string cert_name) {
897 WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name);
898 // Check the errors are delivered to watcher 1.
899 EXPECT_THAT(watcher_state_1->GetErrorQueue(),
900 ::testing::ElementsAre(
901 ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
902 CancelWatch(watcher_state_1);
903 };
904 // Start 1000 threads that will register a watcher to a new cert name, verify
905 // the key materials being set, and then cancel the watcher, to make sure the
906 // lock mechanism in the distributor is safe.
907 std::vector<std::thread> threads;
908 threads.reserve(1000);
909 for (int i = 0; i < 1000; ++i) {
910 threads.emplace_back(verify_function, std::to_string(i));
911 }
912 for (auto& th : threads) {
913 th.join();
914 }
915 }
916
917 } // namespace testing
918
919 } // namespace grpc_core
920
main(int argc,char ** argv)921 int main(int argc, char** argv) {
922 grpc::testing::TestEnvironment env(&argc, argv);
923 ::testing::InitGoogleTest(&argc, argv);
924 grpc_init();
925 int ret = RUN_ALL_TESTS();
926 grpc_shutdown();
927 return ret;
928 }
929