1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/credentials/xds/xds_credentials.h"
20
21 #include <gtest/gtest.h>
22
23 #include <grpc/grpc.h>
24
25 #include "test/core/util/test_config.h"
26
27 namespace grpc_core {
28 namespace testing {
29
30 namespace {
31
ExactMatcher(const char * string)32 StringMatcher ExactMatcher(const char* string) {
33 return StringMatcher::Create(StringMatcher::Type::kExact, string).value();
34 }
35
PrefixMatcher(const char * string,bool case_sensitive=true)36 StringMatcher PrefixMatcher(const char* string, bool case_sensitive = true) {
37 return StringMatcher::Create(StringMatcher::Type::kPrefix, string,
38 case_sensitive)
39 .value();
40 }
41
SuffixMatcher(const char * string,bool case_sensitive=true)42 StringMatcher SuffixMatcher(const char* string, bool case_sensitive = true) {
43 return StringMatcher::Create(StringMatcher::Type::kSuffix, string,
44 case_sensitive)
45 .value();
46 }
47
ContainsMatcher(const char * string,bool case_sensitive=true)48 StringMatcher ContainsMatcher(const char* string, bool case_sensitive = true) {
49 return StringMatcher::Create(StringMatcher::Type::kContains, string,
50 case_sensitive)
51 .value();
52 }
53
SafeRegexMatcher(const char * string)54 StringMatcher SafeRegexMatcher(const char* string) {
55 return StringMatcher::Create(StringMatcher::Type::kSafeRegex, string).value();
56 }
57
TEST(XdsSanMatchingTest,EmptySansList)58 TEST(XdsSanMatchingTest, EmptySansList) {
59 std::vector<const char*> sans = {};
60 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
61 sans.data(), sans.size(),
62 {ExactMatcher("a.example.com"), ExactMatcher("b.example.com")}));
63 }
64
TEST(XdsSanMatchingTest,EmptyMatchersList)65 TEST(XdsSanMatchingTest, EmptyMatchersList) {
66 std::vector<const char*> sans = {"a.example.com", "foo.example.com"};
67 EXPECT_TRUE(
68 TestOnlyXdsVerifySubjectAlternativeNames(sans.data(), sans.size(), {}));
69 }
70
TEST(XdsSanMatchingTest,ExactMatchIllegalValues)71 TEST(XdsSanMatchingTest, ExactMatchIllegalValues) {
72 std::vector<const char*> sans = {".a.example.com"};
73 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
74 sans.data(), sans.size(),
75 {ExactMatcher(""), ExactMatcher("a.example.com"),
76 ExactMatcher(".a.example.com")}));
77 sans = {""};
78 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
79 sans.data(), sans.size(),
80 {ExactMatcher(""), ExactMatcher("a.example.com"),
81 ExactMatcher(".a.example.com")}));
82 sans = {"a.example.com"};
83 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
84 sans.data(), sans.size(),
85 {ExactMatcher(""), ExactMatcher("a.example.com"),
86 ExactMatcher(".a.example.com")}));
87 }
88
TEST(XdsSanMatchingTest,ExactMatchDns)89 TEST(XdsSanMatchingTest, ExactMatchDns) {
90 std::vector<const char*> sans = {"a.example.com"};
91 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
92 sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
93 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
94 sans.data(), sans.size(), {ExactMatcher("b.example.com")}));
95 sans = {"b.example.com."};
96 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
97 sans.data(), sans.size(), {ExactMatcher("a.example.com.")}));
98 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
99 sans.data(), sans.size(), {ExactMatcher("b.example.com.")}));
100 }
101
TEST(XdsSanMatchingTest,ExactMatchWithFullyQualifiedSan)102 TEST(XdsSanMatchingTest, ExactMatchWithFullyQualifiedSan) {
103 std::vector<const char*> sans = {"a.example.com."};
104 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
105 sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
106 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
107 sans.data(), sans.size(), {ExactMatcher("b.example.com")}));
108 }
109
TEST(XdsSanMatchingTest,ExactMatchWithFullyQualifiedMatcher)110 TEST(XdsSanMatchingTest, ExactMatchWithFullyQualifiedMatcher) {
111 std::vector<const char*> sans = {"a.example.com"};
112 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
113 sans.data(), sans.size(), {ExactMatcher("a.example.com.")}));
114 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
115 sans.data(), sans.size(), {ExactMatcher("b.example.com.")}));
116 }
117
TEST(XdsSanMatchingTest,ExactMatchDnsCaseInsensitive)118 TEST(XdsSanMatchingTest, ExactMatchDnsCaseInsensitive) {
119 std::vector<const char*> sans = {"A.eXaMpLe.CoM"};
120 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
121 sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
122 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
123 sans.data(), sans.size(), {ExactMatcher("a.ExAmPlE.cOm")}));
124 }
125
TEST(XdsSanMatchingTest,ExactMatchMultipleSansMultipleMatchers)126 TEST(XdsSanMatchingTest, ExactMatchMultipleSansMultipleMatchers) {
127 std::vector<const char*> sans = {"a.example.com", "foo.example.com",
128 "b.example.com"};
129 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
130 sans.data(), sans.size(),
131 {ExactMatcher("abc.example.com"), ExactMatcher("foo.example.com"),
132 ExactMatcher("xyz.example.com")}));
133 }
134
TEST(XdsSanMatchingTest,ExactMatchWildCard)135 TEST(XdsSanMatchingTest, ExactMatchWildCard) {
136 std::vector<const char*> sans = {"*.example.com"};
137 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
138 sans.data(), sans.size(), {ExactMatcher("a.example.com")}));
139 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
140 sans.data(), sans.size(), {ExactMatcher("fOo.ExAmPlE.cOm")}));
141 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
142 sans.data(), sans.size(), {ExactMatcher("BaR.eXaMpLe.CoM")}));
143 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
144 sans.data(), sans.size(), {ExactMatcher(".example.com")}));
145 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
146 sans.data(), sans.size(), {ExactMatcher("example.com")}));
147 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
148 sans.data(), sans.size(), {ExactMatcher("foo.bar.com")}));
149 }
150
TEST(XdsSanMatchingTest,ExactMatchWildCardDoesNotMatchSingleLabelDomain)151 TEST(XdsSanMatchingTest, ExactMatchWildCardDoesNotMatchSingleLabelDomain) {
152 std::vector<const char*> sans = {"*"};
153 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
154 sans.data(), sans.size(), {ExactMatcher("abc")}));
155 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
156 sans.data(), sans.size(), {ExactMatcher("abc.com.")}));
157 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
158 sans.data(), sans.size(), {ExactMatcher("bar.baz.com")}));
159 sans = {"*."};
160 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
161 sans.data(), sans.size(), {ExactMatcher("abc")}));
162 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
163 sans.data(), sans.size(), {ExactMatcher("abc.com.")}));
164 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
165 sans.data(), sans.size(), {ExactMatcher("bar.baz.com")}));
166 }
167
TEST(XdsSanMatchingTest,ExactMatchAsteriskOnlyPermittedInLeftMostDomainName)168 TEST(XdsSanMatchingTest, ExactMatchAsteriskOnlyPermittedInLeftMostDomainName) {
169 std::vector<const char*> sans = {"*.example.*.com"};
170 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
171 sans.data(), sans.size(), {ExactMatcher("abc.example.xyz.com")}));
172 sans = {"*.exam*ple.com"};
173 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
174 sans.data(), sans.size(), {ExactMatcher("abc.example.com")}));
175 }
176
TEST(XdsSanMatchingTest,ExactMatchAsteriskMustBeOnlyCharacterInLeftMostDomainName)177 TEST(XdsSanMatchingTest,
178 ExactMatchAsteriskMustBeOnlyCharacterInLeftMostDomainName) {
179 std::vector<const char*> sans = {"*c.example.com"};
180 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
181 sans.data(), sans.size(), {ExactMatcher("abc.example.com")}));
182 }
183
TEST(XdsSanMatchingTest,ExactMatchAsteriskMatchingAcrossDomainLabelsNotPermitted)184 TEST(XdsSanMatchingTest,
185 ExactMatchAsteriskMatchingAcrossDomainLabelsNotPermitted) {
186 std::vector<const char*> sans = {"*.com"};
187 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
188 sans.data(), sans.size(), {ExactMatcher("abc.example.com")}));
189 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
190 sans.data(), sans.size(), {ExactMatcher("foo.bar.baz.com")}));
191 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
192 sans.data(), sans.size(), {ExactMatcher("abc.com")}));
193 }
194
TEST(XdsSanMatchingTest,PrefixMatch)195 TEST(XdsSanMatchingTest, PrefixMatch) {
196 std::vector<const char*> sans = {"abc.com"};
197 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(sans.data(), sans.size(),
198 {PrefixMatcher("abc")}));
199 sans = {"AbC.CoM"};
200 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
201 sans.data(), sans.size(), {PrefixMatcher("abc")}));
202 sans = {"xyz.com"};
203 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
204 sans.data(), sans.size(), {PrefixMatcher("abc")}));
205 }
206
TEST(XdsSanMatchingTest,PrefixMatchIgnoreCase)207 TEST(XdsSanMatchingTest, PrefixMatchIgnoreCase) {
208 std::vector<const char*> sans = {"aBc.cOm"};
209 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
210 sans.data(), sans.size(),
211 {PrefixMatcher("AbC", false /* case_sensitive */)}));
212 sans = {"abc.com"};
213 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
214 sans.data(), sans.size(),
215 {PrefixMatcher("AbC", false /* case_sensitive */)}));
216 sans = {"xyz.com"};
217 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
218 sans.data(), sans.size(),
219 {PrefixMatcher("AbC", false /* case_sensitive */)}));
220 }
221
TEST(XdsSanMatchingTest,SuffixMatch)222 TEST(XdsSanMatchingTest, SuffixMatch) {
223 std::vector<const char*> sans = {"abc.com"};
224 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
225 sans.data(), sans.size(), {SuffixMatcher(".com")}));
226 sans = {"AbC.CoM"};
227 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
228 sans.data(), sans.size(), {SuffixMatcher(".com")}));
229 sans = {"abc.xyz"};
230 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
231 sans.data(), sans.size(), {SuffixMatcher(".com")}));
232 }
233
TEST(XdsSanMatchingTest,SuffixMatchIgnoreCase)234 TEST(XdsSanMatchingTest, SuffixMatchIgnoreCase) {
235 std::vector<const char*> sans = {"abc.com"};
236 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
237 sans.data(), sans.size(),
238 {SuffixMatcher(".CoM", false /* case_sensitive */)}));
239 sans = {"AbC.cOm"};
240 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
241 sans.data(), sans.size(),
242 {SuffixMatcher(".CoM", false /* case_sensitive */)}));
243 sans = {"abc.xyz"};
244 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
245 sans.data(), sans.size(),
246 {SuffixMatcher(".CoM", false /* case_sensitive */)}));
247 }
248
TEST(XdsSanMatchingTest,ContainsMatch)249 TEST(XdsSanMatchingTest, ContainsMatch) {
250 std::vector<const char*> sans = {"abc.com"};
251 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
252 sans.data(), sans.size(), {ContainsMatcher("abc")}));
253 sans = {"xyz.abc.com"};
254 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
255 sans.data(), sans.size(), {ContainsMatcher("abc")}));
256 sans = {"foo.AbC.com"};
257 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
258 sans.data(), sans.size(), {ContainsMatcher("abc")}));
259 }
260
TEST(XdsSanMatchingTest,ContainsMatchIgnoresCase)261 TEST(XdsSanMatchingTest, ContainsMatchIgnoresCase) {
262 std::vector<const char*> sans = {"abc.com"};
263 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
264 sans.data(), sans.size(),
265 {ContainsMatcher("AbC", false /* case_sensitive */)}));
266 sans = {"xyz.abc.com"};
267 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
268 sans.data(), sans.size(),
269 {ContainsMatcher("AbC", false /* case_sensitive */)}));
270 sans = {"foo.aBc.com"};
271 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
272 sans.data(), sans.size(),
273 {ContainsMatcher("AbC", false /* case_sensitive */)}));
274 sans = {"foo.Ab.com"};
275 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
276 sans.data(), sans.size(),
277 {ContainsMatcher("AbC", false /* case_sensitive */)}));
278 }
279
TEST(XdsSanMatchingTest,RegexMatch)280 TEST(XdsSanMatchingTest, RegexMatch) {
281 std::vector<const char*> sans = {"abc.example.com"};
282 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
283 sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
284 sans = {"xyz.example.com"};
285 EXPECT_TRUE(TestOnlyXdsVerifySubjectAlternativeNames(
286 sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
287 sans = {"foo.example.com"};
288 EXPECT_FALSE(TestOnlyXdsVerifySubjectAlternativeNames(
289 sans.data(), sans.size(), {SafeRegexMatcher("(abc|xyz).example.com")}));
290 }
291
TEST(XdsCertificateVerifierTest,CompareSuccess)292 TEST(XdsCertificateVerifierTest, CompareSuccess) {
293 XdsCertificateVerifier verifier_1(nullptr);
294 XdsCertificateVerifier verifier_2(nullptr);
295 EXPECT_EQ(verifier_1.Compare(&verifier_2), 0);
296 EXPECT_EQ(verifier_2.Compare(&verifier_1), 0);
297 }
298
TEST(XdsCertificateVerifierTest,CompareFailureDifferentCertificateProviders)299 TEST(XdsCertificateVerifierTest, CompareFailureDifferentCertificateProviders) {
300 XdsCertificateVerifier verifier_1(
301 MakeRefCounted<XdsCertificateProvider>(nullptr, "", nullptr, "", false));
302 XdsCertificateVerifier verifier_2(
303 MakeRefCounted<XdsCertificateProvider>(nullptr, "", nullptr, "", false));
304 EXPECT_NE(verifier_1.Compare(&verifier_2), 0);
305 EXPECT_NE(verifier_2.Compare(&verifier_1), 0);
306 }
307
308 } // namespace
309
310 } // namespace testing
311 } // namespace grpc_core
312
main(int argc,char ** argv)313 int main(int argc, char** argv) {
314 ::testing::InitGoogleTest(&argc, argv);
315 grpc::testing::TestEnvironment env(&argc, argv);
316 grpc_init();
317 auto result = RUN_ALL_TESTS();
318 grpc_shutdown();
319 return result;
320 }
321