1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
20
21 #include <gmock/gmock.h>
22 #include <gtest/gtest.h>
23
24 #include <grpc/grpc_crl_provider.h>
25 #include <grpc/support/alloc.h>
26 #include <grpc/support/log.h>
27 #include <grpc/support/string_util.h>
28
29 #include "src/core/lib/config/config_vars.h"
30 #include "src/core/lib/gpr/tmpfile.h"
31 #include "src/core/lib/gprpp/crash.h"
32 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
33 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
34 #include "test/core/util/test_config.h"
35 #include "test/core/util/tls_utils.h"
36
37 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
38 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
39 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
40 #define CA_CERT_PATH_2 "src/core/tsi/test_creds/multi-domain.pem"
41 #define SERVER_CERT_PATH_2 "src/core/tsi/test_creds/server0.pem"
42 #define SERVER_KEY_PATH_2 "src/core/tsi/test_creds/server0.key"
43 #define INVALID_PATH "invalid/path"
44
45 namespace grpc_core {
46
47 namespace testing {
48
49 class GrpcTlsCredentialsOptionsTest : public ::testing::Test {
50 protected:
SetUp()51 void SetUp() override {
52 root_cert_ = GetFileContents(CA_CERT_PATH);
53 cert_chain_ = GetFileContents(SERVER_CERT_PATH);
54 private_key_ = GetFileContents(SERVER_KEY_PATH);
55 root_cert_2_ = GetFileContents(CA_CERT_PATH_2);
56 cert_chain_2_ = GetFileContents(SERVER_CERT_PATH_2);
57 private_key_2_ = GetFileContents(SERVER_KEY_PATH_2);
58 }
59
60 std::string root_cert_;
61 std::string private_key_;
62 std::string cert_chain_;
63 std::string root_cert_2_;
64 std::string private_key_2_;
65 std::string cert_chain_2_;
66 HostNameCertificateVerifier hostname_certificate_verifier_;
67 };
68
TEST_F(GrpcTlsCredentialsOptionsTest,BadTlsVersionsForChannelCredentials)69 TEST_F(GrpcTlsCredentialsOptionsTest, BadTlsVersionsForChannelCredentials) {
70 auto options = grpc_tls_credentials_options_create();
71 options->set_max_tls_version(grpc_tls_version::TLS1_2);
72 options->set_min_tls_version(grpc_tls_version::TLS1_3);
73 auto credentials = grpc_tls_credentials_create(options);
74 EXPECT_EQ(credentials, nullptr);
75 }
76
TEST_F(GrpcTlsCredentialsOptionsTest,BadTlsVersionsForServerCredentials)77 TEST_F(GrpcTlsCredentialsOptionsTest, BadTlsVersionsForServerCredentials) {
78 auto server_options = grpc_tls_credentials_options_create();
79 server_options->set_max_tls_version(grpc_tls_version::TLS1_2);
80 server_options->set_min_tls_version(grpc_tls_version::TLS1_3);
81 auto server_credentials = grpc_tls_server_credentials_create(server_options);
82 EXPECT_EQ(server_credentials, nullptr);
83 }
84
85 //
86 // Tests for Default Root Certs.
87 //
88
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsOnDefaultRootCerts)89 TEST_F(GrpcTlsCredentialsOptionsTest, ClientOptionsOnDefaultRootCerts) {
90 auto options = MakeRefCounted<grpc_tls_credentials_options>();
91 auto credentials = MakeRefCounted<TlsCredentials>(options);
92 ASSERT_NE(credentials, nullptr);
93 ChannelArgs new_args;
94 auto connector = credentials->create_security_connector(
95 nullptr, "random targets", &new_args);
96 ASSERT_NE(connector, nullptr);
97 TlsChannelSecurityConnector* tls_connector =
98 static_cast<TlsChannelSecurityConnector*>(connector.get());
99 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
100 }
101
102 //
103 // Tests for StaticDataCertificateProvider.
104 //
105
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnBothCerts)106 TEST_F(GrpcTlsCredentialsOptionsTest,
107 ClientOptionsWithStaticDataProviderOnBothCerts) {
108 auto options = MakeRefCounted<grpc_tls_credentials_options>();
109 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
110 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
111 options->set_certificate_provider(std::move(provider));
112 options->set_watch_root_cert(true);
113 options->set_watch_identity_pair(true);
114 auto credentials = MakeRefCounted<TlsCredentials>(options);
115 ASSERT_NE(credentials, nullptr);
116 ChannelArgs new_args;
117 auto connector = credentials->create_security_connector(
118 nullptr, "random targets", &new_args);
119 ASSERT_NE(connector, nullptr);
120 TlsChannelSecurityConnector* tls_connector =
121 static_cast<TlsChannelSecurityConnector*>(connector.get());
122 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
123 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
124 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
125 }
126
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnRootCerts)127 TEST_F(GrpcTlsCredentialsOptionsTest,
128 ClientOptionsWithStaticDataProviderOnRootCerts) {
129 auto options = MakeRefCounted<grpc_tls_credentials_options>();
130 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
131 root_cert_, PemKeyCertPairList());
132 options->set_certificate_provider(std::move(provider));
133 options->set_watch_root_cert(true);
134 auto credentials = MakeRefCounted<TlsCredentials>(options);
135 ASSERT_NE(credentials, nullptr);
136 ChannelArgs new_args;
137 auto connector = credentials->create_security_connector(
138 nullptr, "random targets", &new_args);
139 ASSERT_NE(connector, nullptr);
140 TlsChannelSecurityConnector* tls_connector =
141 static_cast<TlsChannelSecurityConnector*>(connector.get());
142 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
143 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
144 EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
145 }
146
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithStaticDataProviderOnNotProvidedCerts)147 TEST_F(GrpcTlsCredentialsOptionsTest,
148 ClientOptionsWithStaticDataProviderOnNotProvidedCerts) {
149 auto options = MakeRefCounted<grpc_tls_credentials_options>();
150 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
151 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
152 options->set_certificate_provider(std::move(provider));
153 options->set_watch_root_cert(true);
154 auto credentials = MakeRefCounted<TlsCredentials>(options);
155 ASSERT_NE(credentials, nullptr);
156 ChannelArgs new_args;
157 auto connector = credentials->create_security_connector(
158 nullptr, "random targets", &new_args);
159 ASSERT_NE(connector, nullptr);
160 TlsChannelSecurityConnector* tls_connector =
161 static_cast<TlsChannelSecurityConnector*>(connector.get());
162 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
163 }
164
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithDefaultRootAndStaticDataProviderOnIdentityCerts)165 TEST_F(GrpcTlsCredentialsOptionsTest,
166 ClientOptionsWithDefaultRootAndStaticDataProviderOnIdentityCerts) {
167 auto options = MakeRefCounted<grpc_tls_credentials_options>();
168 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
169 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
170 options->set_certificate_provider(std::move(provider));
171 options->set_watch_identity_pair(true);
172 auto credentials = MakeRefCounted<TlsCredentials>(options);
173 ASSERT_NE(credentials, nullptr);
174 ChannelArgs new_args;
175 auto connector = credentials->create_security_connector(
176 nullptr, "random targets", &new_args);
177 ASSERT_NE(connector, nullptr);
178 TlsChannelSecurityConnector* tls_connector =
179 static_cast<TlsChannelSecurityConnector*>(connector.get());
180 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
181 }
182
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnBothCerts)183 TEST_F(GrpcTlsCredentialsOptionsTest,
184 ServerOptionsWithStaticDataProviderOnBothCerts) {
185 auto options = MakeRefCounted<grpc_tls_credentials_options>();
186 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
187 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
188 options->set_certificate_provider(std::move(provider));
189 options->set_watch_root_cert(true);
190 options->set_watch_identity_pair(true);
191 options->set_cert_request_type(
192 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
193 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
194 ASSERT_NE(credentials, nullptr);
195 auto connector = credentials->create_security_connector(ChannelArgs());
196 ASSERT_NE(connector, nullptr);
197 TlsServerSecurityConnector* tls_connector =
198 static_cast<TlsServerSecurityConnector*>(connector.get());
199 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
200 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
201 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
202 }
203
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnIdentityCerts)204 TEST_F(GrpcTlsCredentialsOptionsTest,
205 ServerOptionsWithStaticDataProviderOnIdentityCerts) {
206 auto options = MakeRefCounted<grpc_tls_credentials_options>();
207 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
208 "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
209 options->set_certificate_provider(std::move(provider));
210 options->set_watch_identity_pair(true);
211 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
212 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
213 ASSERT_NE(credentials, nullptr);
214 auto connector = credentials->create_security_connector(ChannelArgs());
215 ASSERT_NE(connector, nullptr);
216 TlsServerSecurityConnector* tls_connector =
217 static_cast<TlsServerSecurityConnector*>(connector.get());
218 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
219 EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
220 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
221 }
222
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithStaticDataProviderOnNotProvidedCerts)223 TEST_F(GrpcTlsCredentialsOptionsTest,
224 ServerOptionsWithStaticDataProviderOnNotProvidedCerts) {
225 auto options = MakeRefCounted<grpc_tls_credentials_options>();
226 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
227 root_cert_, PemKeyCertPairList());
228 options->set_certificate_provider(std::move(provider));
229 options->set_watch_identity_pair(true);
230 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
231 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
232 ASSERT_NE(credentials, nullptr);
233 auto connector = credentials->create_security_connector(ChannelArgs());
234 ASSERT_NE(connector, nullptr);
235 TlsServerSecurityConnector* tls_connector =
236 static_cast<TlsServerSecurityConnector*>(connector.get());
237 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
238 }
239
240 //
241 // Tests for FileWatcherCertificateProvider.
242 //
243
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnBothCerts)244 TEST_F(GrpcTlsCredentialsOptionsTest,
245 ClientOptionsWithCertWatcherProviderOnBothCerts) {
246 auto options = MakeRefCounted<grpc_tls_credentials_options>();
247 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
248 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
249 options->set_certificate_provider(std::move(provider));
250 options->set_watch_root_cert(true);
251 options->set_watch_identity_pair(true);
252 auto credentials = MakeRefCounted<TlsCredentials>(options);
253 ASSERT_NE(credentials, nullptr);
254 ChannelArgs new_args;
255 auto connector = credentials->create_security_connector(
256 nullptr, "random targets", &new_args);
257 ASSERT_NE(connector, nullptr);
258 TlsChannelSecurityConnector* tls_connector =
259 static_cast<TlsChannelSecurityConnector*>(connector.get());
260 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
261 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
262 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
263 }
264
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnRootCerts)265 TEST_F(GrpcTlsCredentialsOptionsTest,
266 ClientOptionsWithCertWatcherProviderOnRootCerts) {
267 auto options = MakeRefCounted<grpc_tls_credentials_options>();
268 auto provider =
269 MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
270 options->set_certificate_provider(std::move(provider));
271 options->set_watch_root_cert(true);
272 auto credentials = MakeRefCounted<TlsCredentials>(options);
273 ASSERT_NE(credentials, nullptr);
274 ChannelArgs new_args;
275 auto connector = credentials->create_security_connector(
276 nullptr, "random targets", &new_args);
277 ASSERT_NE(connector, nullptr);
278 TlsChannelSecurityConnector* tls_connector =
279 static_cast<TlsChannelSecurityConnector*>(connector.get());
280 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
281 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
282 EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
283 }
284
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnNotProvidedCerts)285 TEST_F(GrpcTlsCredentialsOptionsTest,
286 ClientOptionsWithCertWatcherProviderOnNotProvidedCerts) {
287 auto options = MakeRefCounted<grpc_tls_credentials_options>();
288 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
289 SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
290 options->set_certificate_provider(std::move(provider));
291 options->set_watch_root_cert(true);
292 auto credentials = MakeRefCounted<TlsCredentials>(options);
293 ASSERT_NE(credentials, nullptr);
294 ChannelArgs new_args;
295 auto connector = credentials->create_security_connector(
296 nullptr, "random targets", &new_args);
297 ASSERT_NE(connector, nullptr);
298 TlsChannelSecurityConnector* tls_connector =
299 static_cast<TlsChannelSecurityConnector*>(connector.get());
300 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
301 }
302
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnBadTrustCerts)303 TEST_F(GrpcTlsCredentialsOptionsTest,
304 ClientOptionsWithCertWatcherProviderOnBadTrustCerts) {
305 auto options = MakeRefCounted<grpc_tls_credentials_options>();
306 auto provider =
307 MakeRefCounted<FileWatcherCertificateProvider>("", "", INVALID_PATH, 1);
308 options->set_certificate_provider(std::move(provider));
309 options->set_watch_root_cert(true);
310 auto credentials = MakeRefCounted<TlsCredentials>(options);
311 ASSERT_NE(credentials, nullptr);
312 ChannelArgs new_args;
313 auto connector = credentials->create_security_connector(
314 nullptr, "random targets", &new_args);
315 ASSERT_NE(connector, nullptr);
316 TlsChannelSecurityConnector* tls_connector =
317 static_cast<TlsChannelSecurityConnector*>(connector.get());
318 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
319 }
320
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnBothCerts)321 TEST_F(GrpcTlsCredentialsOptionsTest,
322 ServerOptionsWithCertWatcherProviderOnBothCerts) {
323 auto options = MakeRefCounted<grpc_tls_credentials_options>();
324 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
325 SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
326 options->set_certificate_provider(std::move(provider));
327 options->set_watch_root_cert(true);
328 options->set_watch_identity_pair(true);
329 options->set_cert_request_type(
330 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
331 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
332 ASSERT_NE(credentials, nullptr);
333 auto connector = credentials->create_security_connector(ChannelArgs());
334 ASSERT_NE(connector, nullptr);
335 TlsServerSecurityConnector* tls_connector =
336 static_cast<TlsServerSecurityConnector*>(connector.get());
337 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
338 EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
339 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
340 }
341
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnIdentityCerts)342 TEST_F(GrpcTlsCredentialsOptionsTest,
343 ServerOptionsWithCertWatcherProviderOnIdentityCerts) {
344 auto options = MakeRefCounted<grpc_tls_credentials_options>();
345 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
346 SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
347 options->set_certificate_provider(std::move(provider));
348 options->set_watch_identity_pair(true);
349 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
350 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
351 ASSERT_NE(credentials, nullptr);
352 auto connector = credentials->create_security_connector(ChannelArgs());
353 ASSERT_NE(connector, nullptr);
354 TlsServerSecurityConnector* tls_connector =
355 static_cast<TlsServerSecurityConnector*>(connector.get());
356 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
357 EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
358 EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
359 }
360
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnNotProvidedCerts)361 TEST_F(GrpcTlsCredentialsOptionsTest,
362 ServerOptionsWithCertWatcherProviderOnNotProvidedCerts) {
363 auto options = MakeRefCounted<grpc_tls_credentials_options>();
364 auto provider =
365 MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
366 options->set_certificate_provider(std::move(provider));
367 options->set_watch_identity_pair(true);
368 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
369 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
370 ASSERT_NE(credentials, nullptr);
371 auto connector = credentials->create_security_connector(ChannelArgs());
372 ASSERT_NE(connector, nullptr);
373 TlsServerSecurityConnector* tls_connector =
374 static_cast<TlsServerSecurityConnector*>(connector.get());
375 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
376 }
377
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithCertWatcherProviderOnBadIdentityCerts)378 TEST_F(GrpcTlsCredentialsOptionsTest,
379 ServerOptionsWithCertWatcherProviderOnBadIdentityCerts) {
380 auto options = MakeRefCounted<grpc_tls_credentials_options>();
381 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
382 INVALID_PATH, INVALID_PATH, "", 1);
383 options->set_certificate_provider(std::move(provider));
384 options->set_watch_identity_pair(true);
385 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
386 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
387 ASSERT_NE(credentials, nullptr);
388 auto connector = credentials->create_security_connector(ChannelArgs());
389 ASSERT_NE(connector, nullptr);
390 TlsServerSecurityConnector* tls_connector =
391 static_cast<TlsServerSecurityConnector*>(connector.get());
392 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
393 }
394
395 //
396 // Tests writing credential data to temporary files to test the
397 // transition behavior of the provider.
398 //
399
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnCertificateRefreshed)400 TEST_F(GrpcTlsCredentialsOptionsTest,
401 ClientOptionsWithCertWatcherProviderOnCertificateRefreshed) {
402 // Create temporary files and copy cert data into them.
403 TmpFile tmp_root_cert(root_cert_);
404 TmpFile tmp_identity_key(private_key_);
405 TmpFile tmp_identity_cert(cert_chain_);
406 // Create ClientOptions using FileWatcherCertificateProvider.
407 auto options = MakeRefCounted<grpc_tls_credentials_options>();
408 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
409 tmp_identity_key.name(), tmp_identity_cert.name(), tmp_root_cert.name(),
410 1);
411 options->set_certificate_provider(std::move(provider));
412 options->set_watch_root_cert(true);
413 options->set_watch_identity_pair(true);
414 auto credentials = MakeRefCounted<TlsCredentials>(options);
415 ASSERT_NE(credentials, nullptr);
416 ChannelArgs new_args;
417 auto connector = credentials->create_security_connector(
418 nullptr, "random targets", &new_args);
419 ASSERT_NE(connector, nullptr);
420 TlsChannelSecurityConnector* tls_connector =
421 static_cast<TlsChannelSecurityConnector*>(connector.get());
422 // Expect to see the credential data.
423 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
424 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
425 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
426 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
427 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
428 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
429 // Copy new data to files.
430 // TODO(ZhenLian): right now it is not completely atomic. Use the real atomic
431 // update when the directory renaming is added in gpr.
432 tmp_root_cert.RewriteFile(root_cert_2_);
433 tmp_identity_key.RewriteFile(private_key_2_);
434 tmp_identity_cert.RewriteFile(cert_chain_2_);
435 // Wait 10 seconds for the provider's refresh thread to read the updated
436 // files.
437 gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
438 gpr_time_from_seconds(10, GPR_TIMESPAN)));
439 // Expect to see new credential data loaded by the security connector.
440 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
441 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
442 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_2_);
443 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
444 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
445 MakeCertKeyPairs(private_key_2_.c_str(), cert_chain_2_.c_str()));
446 }
447
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithCertWatcherProviderOnDeletedFiles)448 TEST_F(GrpcTlsCredentialsOptionsTest,
449 ClientOptionsWithCertWatcherProviderOnDeletedFiles) {
450 // Create temporary files and copy cert data into it.
451 auto tmp_root_cert = std::make_unique<TmpFile>(root_cert_);
452 auto tmp_identity_key = std::make_unique<TmpFile>(private_key_);
453 auto tmp_identity_cert = std::make_unique<TmpFile>(cert_chain_);
454 // Create ClientOptions using FileWatcherCertificateProvider.
455 auto options = MakeRefCounted<grpc_tls_credentials_options>();
456 auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
457 tmp_identity_key->name(), tmp_identity_cert->name(),
458 tmp_root_cert->name(), 1);
459 options->set_certificate_provider(std::move(provider));
460 options->set_watch_root_cert(true);
461 options->set_watch_identity_pair(true);
462 auto credentials = MakeRefCounted<TlsCredentials>(options);
463 ASSERT_NE(credentials, nullptr);
464 ChannelArgs new_args;
465 auto connector = credentials->create_security_connector(
466 nullptr, "random targets", &new_args);
467 ASSERT_NE(connector, nullptr);
468 TlsChannelSecurityConnector* tls_connector =
469 static_cast<TlsChannelSecurityConnector*>(connector.get());
470 // The initial data is all good, so we expect to have successful credential
471 // updates.
472 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
473 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
474 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
475 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
476 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
477 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
478 // Delete TmpFile objects, which will remove the corresponding files.
479 tmp_root_cert.reset();
480 tmp_identity_key.reset();
481 tmp_identity_cert.reset();
482 // Wait 10 seconds for the provider's refresh thread to read the deleted
483 // files.
484 gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
485 gpr_time_from_seconds(10, GPR_TIMESPAN)));
486 // It's a bit hard to test if errors are sent to the security connector,
487 // because the security connector simply logs the error. We will see the err
488 // messages if we open the log.
489 // The old certs should still being used.
490 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
491 ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
492 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
493 ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
494 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
495 MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
496 }
497
498 //
499 // Tests for ExternalCertificateVerifier.
500 // It will only test the creation of security connector, so the actual verify
501 // logic is not invoked.
502 //
503
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithExternalVerifier)504 TEST_F(GrpcTlsCredentialsOptionsTest, ClientOptionsWithExternalVerifier) {
505 auto* sync_verifier_ = new SyncExternalVerifier(true);
506 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
507 auto options = MakeRefCounted<grpc_tls_credentials_options>();
508 options->set_verify_server_cert(true);
509 options->set_certificate_verifier(core_external_verifier.Ref());
510 options->set_check_call_host(false);
511 auto credentials = MakeRefCounted<TlsCredentials>(options);
512 ASSERT_NE(credentials, nullptr);
513 ChannelArgs new_args;
514 auto connector = credentials->create_security_connector(
515 nullptr, "random targets", &new_args);
516 ASSERT_NE(connector, nullptr);
517 TlsChannelSecurityConnector* tls_connector =
518 static_cast<TlsChannelSecurityConnector*>(connector.get());
519 EXPECT_NE(tls_connector, nullptr);
520 }
521
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithExternalVerifier)522 TEST_F(GrpcTlsCredentialsOptionsTest, ServerOptionsWithExternalVerifier) {
523 auto* sync_verifier_ = new SyncExternalVerifier(true);
524 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
525 auto options = MakeRefCounted<grpc_tls_credentials_options>();
526 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
527 options->set_certificate_verifier(core_external_verifier.Ref());
528 // On server side we have to set the provider providing identity certs.
529 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
530 root_cert_, PemKeyCertPairList());
531 options->set_certificate_provider(std::move(provider));
532 options->set_watch_identity_pair(true);
533 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
534 ASSERT_NE(credentials, nullptr);
535 auto connector = credentials->create_security_connector(ChannelArgs());
536 ASSERT_NE(connector, nullptr);
537 TlsServerSecurityConnector* tls_connector =
538 static_cast<TlsServerSecurityConnector*>(connector.get());
539 EXPECT_NE(tls_connector, nullptr);
540 }
541
542 //
543 // Tests for HostnameCertificateVerifier.
544 //
545
TEST_F(GrpcTlsCredentialsOptionsTest,ClientOptionsWithHostnameCertificateVerifier)546 TEST_F(GrpcTlsCredentialsOptionsTest,
547 ClientOptionsWithHostnameCertificateVerifier) {
548 auto options = MakeRefCounted<grpc_tls_credentials_options>();
549 options->set_verify_server_cert(true);
550 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
551 auto credentials = MakeRefCounted<TlsCredentials>(options);
552 ASSERT_NE(credentials, nullptr);
553 ChannelArgs new_args;
554 auto connector = credentials->create_security_connector(
555 nullptr, "random targets", &new_args);
556 ASSERT_NE(connector, nullptr);
557 TlsChannelSecurityConnector* tls_connector =
558 static_cast<TlsChannelSecurityConnector*>(connector.get());
559 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
560 }
561
TEST_F(GrpcTlsCredentialsOptionsTest,ServerOptionsWithHostnameCertificateVerifier)562 TEST_F(GrpcTlsCredentialsOptionsTest,
563 ServerOptionsWithHostnameCertificateVerifier) {
564 auto options = MakeRefCounted<grpc_tls_credentials_options>();
565 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
566 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
567 // On server side we have to set the provider providing identity certs.
568 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
569 root_cert_, PemKeyCertPairList());
570 options->set_certificate_provider(std::move(provider));
571 options->set_watch_identity_pair(true);
572 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
573 ASSERT_NE(credentials, nullptr);
574 auto connector = credentials->create_security_connector(ChannelArgs());
575 ASSERT_NE(connector, nullptr);
576 TlsServerSecurityConnector* tls_connector =
577 static_cast<TlsServerSecurityConnector*>(connector.get());
578 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
579 }
580
TEST_F(GrpcTlsCredentialsOptionsTest,CrlProvider)581 TEST_F(GrpcTlsCredentialsOptionsTest, CrlProvider) {
582 auto options = MakeRefCounted<grpc_tls_credentials_options>();
583 auto provider = experimental::CreateStaticCrlProvider({});
584 ASSERT_TRUE(provider.ok());
585 options->set_crl_provider(std::move(*provider));
586 auto credentials = MakeRefCounted<TlsCredentials>(options);
587 ASSERT_NE(credentials, nullptr);
588 ChannelArgs new_args;
589 auto connector = credentials->create_security_connector(
590 nullptr, "random targets", &new_args);
591 ASSERT_NE(connector, nullptr);
592 TlsChannelSecurityConnector* tls_connector =
593 static_cast<TlsChannelSecurityConnector*>(connector.get());
594 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
595 }
596
TEST_F(GrpcTlsCredentialsOptionsTest,CrlProviderWithServerCredentials)597 TEST_F(GrpcTlsCredentialsOptionsTest, CrlProviderWithServerCredentials) {
598 auto options = MakeRefCounted<grpc_tls_credentials_options>();
599 auto provider = MakeRefCounted<StaticDataCertificateProvider>(
600 root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
601 options->set_certificate_provider(std::move(provider));
602 options->set_watch_root_cert(true);
603 options->set_watch_identity_pair(true);
604 options->set_cert_request_type(
605 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
606 auto crl_provider = experimental::CreateStaticCrlProvider({});
607 ASSERT_TRUE(crl_provider.ok());
608 options->set_crl_provider(std::move(*crl_provider));
609 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
610 ASSERT_NE(credentials, nullptr);
611 ChannelArgs new_args;
612 auto connector = credentials->create_security_connector(new_args);
613 ASSERT_NE(connector, nullptr);
614 TlsServerSecurityConnector* tls_connector =
615 static_cast<TlsServerSecurityConnector*>(connector.get());
616 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
617 }
618
619 } // namespace testing
620
621 } // namespace grpc_core
622
main(int argc,char ** argv)623 int main(int argc, char** argv) {
624 grpc::testing::TestEnvironment env(&argc, argv);
625 grpc_core::ConfigVars::Overrides overrides;
626 overrides.default_ssl_roots_file_path = CA_CERT_PATH;
627 grpc_core::ConfigVars::SetOverrides(overrides);
628 ::testing::InitGoogleTest(&argc, argv);
629 grpc_init();
630 int ret = RUN_ALL_TESTS();
631 grpc_shutdown();
632 return ret;
633 }
634