xref: /aosp_15_r20/external/grpc-grpc/test/cpp/server/credentials_test.cc (revision cc02d7e222339f7a4f6ba5f422e6413f4bd931f2) 
1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //     http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include <memory>
18 
19 #include <gtest/gtest.h>
20 
21 #include <grpc/grpc.h>
22 #include <grpc/grpc_crl_provider.h>
23 #include <grpc/grpc_security.h>
24 #include <grpcpp/security/server_credentials.h>
25 #include <grpcpp/security/tls_credentials_options.h>
26 #include <grpcpp/security/tls_crl_provider.h>
27 
28 #include "test/core/util/test_config.h"
29 #include "test/cpp/util/tls_test_utils.h"
30 
31 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
32 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
33 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
34 #define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data/crls"
35 
36 namespace {
37 
38 constexpr const char* kRootCertName = "root_cert_name";
39 constexpr const char* kRootCertContents = "root_cert_contents";
40 constexpr const char* kIdentityCertName = "identity_cert_name";
41 constexpr const char* kIdentityCertPrivateKey = "identity_private_key";
42 constexpr const char* kIdentityCertContents = "identity_cert_contents";
43 
44 using ::grpc::experimental::CreateStaticCrlProvider;
45 using ::grpc::experimental::ExternalCertificateVerifier;
46 using ::grpc::experimental::FileWatcherCertificateProvider;
47 using ::grpc::experimental::NoOpCertificateVerifier;
48 using ::grpc::experimental::StaticDataCertificateProvider;
49 using ::grpc::experimental::TlsServerCredentials;
50 using ::grpc::experimental::TlsServerCredentialsOptions;
51 
52 }  // namespace
53 
54 namespace grpc {
55 namespace testing {
56 namespace {
57 
TEST(CredentialsTest,TlsServerCredentialsWithStaticDataCertificateProviderLoadingRootAndIdentity)58 TEST(
59     CredentialsTest,
60     TlsServerCredentialsWithStaticDataCertificateProviderLoadingRootAndIdentity) {
61   experimental::IdentityKeyCertPair key_cert_pair;
62   key_cert_pair.private_key = kIdentityCertPrivateKey;
63   key_cert_pair.certificate_chain = kIdentityCertContents;
64   std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
65   identity_key_cert_pairs.emplace_back(key_cert_pair);
66   auto certificate_provider = std::make_shared<StaticDataCertificateProvider>(
67       kRootCertContents, identity_key_cert_pairs);
68   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
69   options.watch_root_certs();
70   options.set_root_cert_name(kRootCertName);
71   options.watch_identity_key_cert_pairs();
72   options.set_identity_cert_name(kIdentityCertName);
73   options.set_cert_request_type(
74       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
75   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
76   GPR_ASSERT(server_credentials.get() != nullptr);
77 }
78 
79 // ServerCredentials should always have identity credential presented.
80 // Otherwise gRPC stack will fail.
TEST(CredentialsTest,TlsServerCredentialsWithStaticDataCertificateProviderLoadingIdentityOnly)81 TEST(CredentialsTest,
82      TlsServerCredentialsWithStaticDataCertificateProviderLoadingIdentityOnly) {
83   experimental::IdentityKeyCertPair key_cert_pair;
84   key_cert_pair.private_key = kIdentityCertPrivateKey;
85   key_cert_pair.certificate_chain = kIdentityCertContents;
86   std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
87   // Adding two key_cert_pair(s) should still work.
88   identity_key_cert_pairs.emplace_back(key_cert_pair);
89   identity_key_cert_pairs.emplace_back(key_cert_pair);
90   auto certificate_provider =
91       std::make_shared<StaticDataCertificateProvider>(identity_key_cert_pairs);
92   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
93   options.watch_identity_key_cert_pairs();
94   options.set_identity_cert_name(kIdentityCertName);
95   options.set_cert_request_type(
96       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
97   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
98   GPR_ASSERT(server_credentials.get() != nullptr);
99 }
100 
TEST(CredentialsTest,TlsServerCredentialsWithFileWatcherCertificateProviderLoadingRootAndIdentity)101 TEST(
102     CredentialsTest,
103     TlsServerCredentialsWithFileWatcherCertificateProviderLoadingRootAndIdentity) {
104   auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
105       SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
106   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
107   options.watch_root_certs();
108   options.set_root_cert_name(kRootCertName);
109   options.watch_identity_key_cert_pairs();
110   options.set_identity_cert_name(kIdentityCertName);
111   options.set_cert_request_type(
112       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
113   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
114   GPR_ASSERT(server_credentials.get() != nullptr);
115 }
116 
TEST(CredentialsTest,TlsServerCredentialsWithCrlChecking)117 TEST(CredentialsTest, TlsServerCredentialsWithCrlChecking) {
118   auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
119       SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
120   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
121   options.watch_root_certs();
122   options.set_root_cert_name(kRootCertName);
123   options.watch_identity_key_cert_pairs();
124   options.set_identity_cert_name(kIdentityCertName);
125   options.set_cert_request_type(
126       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
127   options.set_crl_directory(CRL_DIR_PATH);
128   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
129   GPR_ASSERT(server_credentials.get() != nullptr);
130 }
131 
132 // ServerCredentials should always have identity credential presented.
133 // Otherwise gRPC stack will fail.
TEST(CredentialsTest,TlsServerCredentialsWithFileWatcherCertificateProviderLoadingIdentityOnly)134 TEST(
135     CredentialsTest,
136     TlsServerCredentialsWithFileWatcherCertificateProviderLoadingIdentityOnly) {
137   auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
138       SERVER_KEY_PATH, SERVER_CERT_PATH, 1);
139   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
140   options.watch_identity_key_cert_pairs();
141   options.set_identity_cert_name(kIdentityCertName);
142   options.set_cert_request_type(
143       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
144   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
145   GPR_ASSERT(server_credentials.get() != nullptr);
146 }
147 
TEST(CredentialsTest,TlsServerCredentialsWithSyncExternalVerifier)148 TEST(CredentialsTest, TlsServerCredentialsWithSyncExternalVerifier) {
149   auto verifier =
150       ExternalCertificateVerifier::Create<SyncCertificateVerifier>(true);
151   auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
152       SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
153   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
154   options.watch_root_certs();
155   options.set_root_cert_name(kRootCertName);
156   options.watch_identity_key_cert_pairs();
157   options.set_identity_cert_name(kIdentityCertName);
158   options.set_cert_request_type(
159       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
160   options.set_certificate_verifier(verifier);
161   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
162   GPR_ASSERT(server_credentials.get() != nullptr);
163 }
164 
TEST(CredentialsTest,TlsServerCredentialsWithAsyncExternalVerifier)165 TEST(CredentialsTest, TlsServerCredentialsWithAsyncExternalVerifier) {
166   auto verifier =
167       ExternalCertificateVerifier::Create<AsyncCertificateVerifier>(true);
168   auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
169       SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
170   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
171   options.watch_root_certs();
172   options.set_root_cert_name(kRootCertName);
173   options.watch_identity_key_cert_pairs();
174   options.set_identity_cert_name(kIdentityCertName);
175   options.set_cert_request_type(
176       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
177   options.set_certificate_verifier(verifier);
178   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
179   GPR_ASSERT(server_credentials.get() != nullptr);
180 }
181 
TEST(CredentialsTest,TlsServerCredentialsWithCrlProvider)182 TEST(CredentialsTest, TlsServerCredentialsWithCrlProvider) {
183   auto provider = experimental::CreateStaticCrlProvider({});
184   ASSERT_TRUE(provider.ok());
185   auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
186       SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
187   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
188   options.set_crl_provider(*provider);
189   auto channel_credentials = grpc::experimental::TlsServerCredentials(options);
190   GPR_ASSERT(channel_credentials.get() != nullptr);
191 }
192 
TEST(CredentialsTest,TlsServerCredentialsWithCrlProviderAndDirectory)193 TEST(CredentialsTest, TlsServerCredentialsWithCrlProviderAndDirectory) {
194   auto provider = experimental::CreateStaticCrlProvider({});
195   ASSERT_TRUE(provider.ok());
196   auto certificate_provider = std::make_shared<FileWatcherCertificateProvider>(
197       SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
198   grpc::experimental::TlsServerCredentialsOptions options(certificate_provider);
199   options.set_crl_directory(CRL_DIR_PATH);
200   options.set_crl_provider(*provider);
201   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
202   //   TODO(gtcooke94) - behavior might change to make this return nullptr in
203   //   the future
204   GPR_ASSERT(server_credentials != nullptr);
205 }
206 
TEST(CredentialsTest,TlsCredentialsOptionsDoesNotLeak)207 TEST(CredentialsTest, TlsCredentialsOptionsDoesNotLeak) {
208   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
209   TlsServerCredentialsOptions options(provider);
210   (void)options;
211 }
212 
TEST(CredentialsTest,MultipleOptionsOneCertificateProviderDoesNotLeak)213 TEST(CredentialsTest, MultipleOptionsOneCertificateProviderDoesNotLeak) {
214   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
215   TlsServerCredentialsOptions options_1(provider);
216   (void)options_1;
217   TlsServerCredentialsOptions options_2(provider);
218   (void)options_2;
219 }
220 
TEST(CredentialsTest,MultipleOptionsOneCertificateVerifierDoesNotLeak)221 TEST(CredentialsTest, MultipleOptionsOneCertificateVerifierDoesNotLeak) {
222   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
223   auto verifier = std::make_shared<NoOpCertificateVerifier>();
224   TlsServerCredentialsOptions options_1(provider);
225   options_1.set_certificate_verifier(verifier);
226   TlsServerCredentialsOptions options_2(provider);
227   options_2.set_certificate_verifier(verifier);
228 }
229 
TEST(CredentialsTest,MultipleOptionsOneCrlProviderDoesNotLeak)230 TEST(CredentialsTest, MultipleOptionsOneCrlProviderDoesNotLeak) {
231   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
232   auto crl_provider = CreateStaticCrlProvider(/*crls=*/{});
233   EXPECT_TRUE(crl_provider.ok());
234   TlsServerCredentialsOptions options_1(provider);
235   options_1.set_crl_provider(*crl_provider);
236   TlsServerCredentialsOptions options_2(provider);
237   options_2.set_crl_provider(*crl_provider);
238 }
239 
TEST(CredentialsTest,TlsServerCredentialsDoesNotLeak)240 TEST(CredentialsTest, TlsServerCredentialsDoesNotLeak) {
241   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
242   TlsServerCredentialsOptions options(provider);
243   auto server_creds = TlsServerCredentials(options);
244   EXPECT_NE(server_creds, nullptr);
245 }
246 
TEST(CredentialsTest,MultipleServerCredentialsOneOptionsDoesNotLeak)247 TEST(CredentialsTest, MultipleServerCredentialsOneOptionsDoesNotLeak) {
248   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
249   TlsServerCredentialsOptions options(provider);
250   auto server_creds_1 = TlsServerCredentials(options);
251   EXPECT_NE(server_creds_1, nullptr);
252   auto server_creds_2 = TlsServerCredentials(options);
253   EXPECT_NE(server_creds_2, nullptr);
254 }
255 
TEST(CredentialsTest,MultipleServerCredentialsOneCertificateVerifierDoesNotLeak)256 TEST(CredentialsTest,
257      MultipleServerCredentialsOneCertificateVerifierDoesNotLeak) {
258   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
259   TlsServerCredentialsOptions options(provider);
260   auto verifier = std::make_shared<NoOpCertificateVerifier>();
261   options.set_certificate_verifier(verifier);
262   auto server_creds_1 = TlsServerCredentials(options);
263   EXPECT_NE(server_creds_1, nullptr);
264   auto server_creds_2 = TlsServerCredentials(options);
265   EXPECT_NE(server_creds_2, nullptr);
266 }
267 
TEST(CredentialsTest,MultipleServerCredentialsOneCrlProviderDoesNotLeak)268 TEST(CredentialsTest, MultipleServerCredentialsOneCrlProviderDoesNotLeak) {
269   auto provider = std::make_shared<StaticDataCertificateProvider>("root-pem");
270   TlsServerCredentialsOptions options(provider);
271   auto crl_provider = CreateStaticCrlProvider(/*crls=*/{});
272   EXPECT_TRUE(crl_provider.ok());
273   options.set_crl_provider(*crl_provider);
274   auto server_creds_1 = TlsServerCredentials(options);
275   EXPECT_NE(server_creds_1, nullptr);
276   auto server_creds_2 = TlsServerCredentials(options);
277   EXPECT_NE(server_creds_2, nullptr);
278 }
279 
TEST(CredentialsTest,TlsServerCredentialsWithGoodMinMaxTlsVersions)280 TEST(CredentialsTest, TlsServerCredentialsWithGoodMinMaxTlsVersions) {
281   grpc::experimental::TlsServerCredentialsOptions options(
282       /*certificate_provider=*/nullptr);
283   options.set_min_tls_version(grpc_tls_version::TLS1_2);
284   options.set_max_tls_version(grpc_tls_version::TLS1_3);
285   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
286   EXPECT_NE(server_credentials, nullptr);
287 }
288 
TEST(CredentialsTest,TlsServerCredentialsWithBadMinMaxTlsVersions)289 TEST(CredentialsTest, TlsServerCredentialsWithBadMinMaxTlsVersions) {
290   grpc::experimental::TlsServerCredentialsOptions options(
291       /*certificate_provider=*/nullptr);
292   options.set_min_tls_version(grpc_tls_version::TLS1_3);
293   options.set_max_tls_version(grpc_tls_version::TLS1_2);
294   auto server_credentials = grpc::experimental::TlsServerCredentials(options);
295   EXPECT_EQ(server_credentials, nullptr);
296 }
297 
298 }  // namespace
299 }  // namespace testing
300 }  // namespace grpc
301 
main(int argc,char ** argv)302 int main(int argc, char** argv) {
303   ::testing::InitGoogleTest(&argc, argv);
304   grpc::testing::TestEnvironment env(&argc, argv);
305   int ret = RUN_ALL_TESTS();
306   return ret;
307 }
308