grpc_tls_certificate_distributor_test.cc
Go to the documentation of this file.
1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
18 
19 #include <deque>
20 #include <list>
21 #include <string>
22 #include <thread>
23 
24 #include <gmock/gmock.h>
25 #include <gtest/gtest.h>
26 
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
30 
31 #include "src/core/lib/slice/slice_internal.h"
32 #include "test/core/util/test_config.h"
33 #include "test/core/util/tls_utils.h"
34 
35 namespace grpc_core {
36 
37 namespace testing {
38 
39 constexpr const char* kCertName1 = "cert_1_name";
40 constexpr const char* kCertName2 = "cert_2_name";
41 constexpr const char* kRootCert1Name = "root_cert_1_name";
42 constexpr const char* kRootCert1Contents = "root_cert_1_contents";
43 constexpr const char* kRootCert2Name = "root_cert_2_name";
44 constexpr const char* kRootCert2Contents = "root_cert_2_contents";
45 constexpr const char* kIdentityCert1Name = "identity_cert_1_name";
46 constexpr const char* kIdentityCert1PrivateKey = "identity_private_key_1";
47 constexpr const char* kIdentityCert1Contents = "identity_cert_1_contents";
48 constexpr const char* kIdentityCert2Name = "identity_cert_2_name";
49 constexpr const char* kIdentityCert2PrivateKey = "identity_private_key_2";
50 constexpr const char* kIdentityCert2Contents = "identity_cert_2_contents";
51 constexpr const char* kErrorMessage = "error_message";
52 constexpr const char* kRootErrorMessage = "root_error_message";
53 constexpr const char* kIdentityErrorMessage = "identity_error_message";
54 
55 class GrpcTlsCertificateDistributorTest : public ::testing::Test {
56  protected:
57  // Forward declaration.
58  class TlsCertificatesTestWatcher;
59 
60  // CredentialInfo contains the parameters when calling OnCertificatesChanged
61  // of a watcher. When OnCertificatesChanged is invoked, we will push a
62  // CredentialInfo to the cert_update_queue of state_, and check in each test
63  // if the status updates are correct.
64  struct CredentialInfo {
65  std::string root_certs;
66  PemKeyCertPairList key_cert_pairs;
67  CredentialInfo(std::string root, PemKeyCertPairList key_cert)
68  : root_certs(std::move(root)), key_cert_pairs(std::move(key_cert)) {}
69  bool operator==(const CredentialInfo& other) const {
70  return root_certs == other.root_certs &&
71  key_cert_pairs == other.key_cert_pairs;
72  }
73  };
74 
75  // ErrorInfo contains the parameters when calling OnError of a watcher. When
76  // OnError is invoked, we will push a ErrorInfo to the error_queue of state_,
77  // and check in each test if the status updates are correct.
78  struct ErrorInfo {
79  std::string root_cert_str;
80  std::string identity_cert_str;
81  ErrorInfo(std::string root, std::string identity)
82  : root_cert_str(std::move(root)),
83  identity_cert_str(std::move(identity)) {}
84  bool operator==(const ErrorInfo& other) const {
85  return root_cert_str == other.root_cert_str &&
86  identity_cert_str == other.identity_cert_str;
87  }
88  };
89 
90  struct WatcherState {
91  TlsCertificatesTestWatcher* watcher = nullptr;
92  std::deque<CredentialInfo> cert_update_queue;
93  std::deque<ErrorInfo> error_queue;
94 
95  std::deque<CredentialInfo> GetCredentialQueue() {
96  // We move the data member value so the data member will be re-initiated
97  // with size 0, and ready for the next check.
98  return std::move(cert_update_queue);
99  }
100  std::deque<ErrorInfo> GetErrorQueue() {
101  // We move the data member value so the data member will be re-initiated
102  // with size 0, and ready for the next check.
103  return std::move(error_queue);
104  }
105  };
106 
107  class TlsCertificatesTestWatcher : public grpc_tls_certificate_distributor::
108  TlsCertificatesWatcherInterface {
109  public:
110  // ctor sets state->watcher to this.
111  explicit TlsCertificatesTestWatcher(WatcherState* state) : state_(state) {
112  state_->watcher = this;
113  }
114 
115  // dtor sets state->watcher to nullptr.
116  ~TlsCertificatesTestWatcher() override { state_->watcher = nullptr; }
117 
118  void OnCertificatesChanged(
119  absl::optional<absl::string_view> root_certs,
120  absl::optional<PemKeyCertPairList> key_cert_pairs) override {
121  std::string updated_root;
122  if (root_certs.has_value()) {
123  updated_root = std::string(*root_certs);
124  }
125  PemKeyCertPairList updated_identity;
126  if (key_cert_pairs.has_value()) {
127  updated_identity = std::move(*key_cert_pairs);
128  }
129  state_->cert_update_queue.emplace_back(std::move(updated_root),
130  std::move(updated_identity));
131  }
132 
133  void OnError(grpc_error_handle root_cert_error,
134  grpc_error_handle identity_cert_error) override {
135  GPR_ASSERT(!GRPC_ERROR_IS_NONE(root_cert_error) ||
136  !GRPC_ERROR_IS_NONE(identity_cert_error));
137  std::string root_error_str;
138  std::string identity_error_str;
139  if (!GRPC_ERROR_IS_NONE(root_cert_error)) {
140  GPR_ASSERT(grpc_error_get_str(
141  root_cert_error, GRPC_ERROR_STR_DESCRIPTION, &root_error_str));
142  }
143  if (!GRPC_ERROR_IS_NONE(identity_cert_error)) {
144  GPR_ASSERT(grpc_error_get_str(identity_cert_error,
145  GRPC_ERROR_STR_DESCRIPTION,
146  &identity_error_str));
147  }
148  state_->error_queue.emplace_back(std::move(root_error_str),
149  std::move(identity_error_str));
150  GRPC_ERROR_UNREF(root_cert_error);
151  GRPC_ERROR_UNREF(identity_cert_error);
152  }
153 
154  private:
155  WatcherState* state_;
156  };
157 
158  // CallbackStatus contains the parameters when calling watch_status_callback_
159  // of the distributor. When a particular callback is invoked, we will push a
160  // CallbackStatus to a callback_queue_, and check in each test if the status
161  // updates are correct.
162  struct CallbackStatus {
163  std::string cert_name;
164  bool root_being_watched;
165  bool identity_being_watched;
166  CallbackStatus(std::string name, bool root_watched, bool identity_watched)
167  : cert_name(std::move(name)),
168  root_being_watched(root_watched),
169  identity_being_watched(identity_watched) {}
170  bool operator==(const CallbackStatus& other) const {
171  return cert_name == other.cert_name &&
172  root_being_watched == other.root_being_watched &&
173  identity_being_watched == other.identity_being_watched;
174  }
175  };
176 
177  void SetUp() override {
178  distributor_.SetWatchStatusCallback([this](std::string cert_name,
179  bool root_being_watched,
180  bool identity_being_watched) {
181  callback_queue_.emplace_back(std::move(cert_name), root_being_watched,
182  identity_being_watched);
183  });
184  }
185 
186  WatcherState* MakeWatcher(absl::optional<std::string> root_cert_name,
187  absl::optional<std::string> identity_cert_name) {
188  MutexLock lock(&mu_);
189  watchers_.emplace_back();
190  // TlsCertificatesTestWatcher ctor takes a pointer to the WatcherState.
191  // It sets WatcherState::watcher to point to itself.
192  // The TlsCertificatesTestWatcher dtor will set WatcherState::watcher back
193  // to nullptr to indicate that it's been destroyed.
194  auto watcher =
195  absl::make_unique<TlsCertificatesTestWatcher>(&watchers_.back());
196  distributor_.WatchTlsCertificates(std::move(watcher),
197  std::move(root_cert_name),
198  std::move(identity_cert_name));
199  return &watchers_.back();
200  }
201 
202  void CancelWatch(WatcherState* state) {
203  MutexLock lock(&mu_);
204  distributor_.CancelTlsCertificatesWatch(state->watcher);
205  EXPECT_EQ(state->watcher, nullptr);
206  }
207 
208  std::deque<CallbackStatus> GetCallbackQueue() {
209  // We move the data member value so the data member will be re-initiated
210  // with size 0, and ready for the next check.
211  return std::move(callback_queue_);
212  }
213 
214  grpc_tls_certificate_distributor distributor_;
215  // Use a std::list<> here to avoid the address invalidation caused by internal
216  // reallocation of std::vector<>.
217  std::list<WatcherState> watchers_;
218  std::deque<CallbackStatus> callback_queue_;
219  // This is to make watchers_ and callback_queue_ thread-safe.
220  Mutex mu_;
221 };
222 
223 TEST_F(GrpcTlsCertificateDistributorTest, BasicCredentialBehaviors) {
224  EXPECT_FALSE(distributor_.HasRootCerts(kRootCert1Name));
225  EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert1Name));
226  // After setting the certificates to the corresponding cert names, the
227  // distributor should possess the corresponding certs.
228  distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
229  absl::nullopt);
230  EXPECT_TRUE(distributor_.HasRootCerts(kRootCert1Name));
231  distributor_.SetKeyMaterials(
232  kIdentityCert1Name, absl::nullopt,
233  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
234  EXPECT_TRUE(distributor_.HasKeyCertPairs(kIdentityCert1Name));
235  // Querying a non-existing cert name should return false.
236  EXPECT_FALSE(distributor_.HasRootCerts(kRootCert2Name));
237  EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert2Name));
238 }
239 
240 TEST_F(GrpcTlsCertificateDistributorTest, UpdateCredentialsOnAnySide) {
241  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
242  EXPECT_THAT(GetCallbackQueue(),
243  ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
244  // SetKeyMaterials should trigger watcher's OnCertificatesChanged method.
245  distributor_.SetKeyMaterials(
246  kCertName1, kRootCert1Contents,
247  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
248  EXPECT_THAT(
249  watcher_state_1->GetCredentialQueue(),
250  ::testing::ElementsAre(CredentialInfo(
251  kRootCert1Contents,
252  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
253  // Set root certs should trigger watcher's OnCertificatesChanged again.
254  distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
255  EXPECT_THAT(
256  watcher_state_1->GetCredentialQueue(),
257  ::testing::ElementsAre(CredentialInfo(
258  kRootCert2Contents,
259  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
260  // Set identity certs should trigger watcher's OnCertificatesChanged again.
261  distributor_.SetKeyMaterials(
262  kCertName1, absl::nullopt,
263  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
264  EXPECT_THAT(
265  watcher_state_1->GetCredentialQueue(),
266  ::testing::ElementsAre(CredentialInfo(
267  kRootCert2Contents,
268  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
269  CancelWatch(watcher_state_1);
270 }
271 
272 TEST_F(GrpcTlsCertificateDistributorTest, SameIdentityNameDiffRootName) {
273  // Register watcher 1.
274  WatcherState* watcher_state_1 =
275  MakeWatcher(kRootCert1Name, kIdentityCert1Name);
276  EXPECT_THAT(
277  GetCallbackQueue(),
278  ::testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false),
279  CallbackStatus(kIdentityCert1Name, false, true)));
280  // Register watcher 2.
281  WatcherState* watcher_state_2 =
282  MakeWatcher(kRootCert2Name, kIdentityCert1Name);
283  EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
284  kRootCert2Name, true, false)));
285  // Push credential updates to kRootCert1Name and check if the status works as
286  // expected.
287  distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
288  absl::nullopt);
289  // Check the updates are delivered to watcher 1.
290  EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
291  ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
292  // Push credential updates to kRootCert2Name.
293  distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents,
294  absl::nullopt);
295  // Check the updates are delivered to watcher 2.
296  EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
297  ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
298  // Push credential updates to kIdentityCert1Name and check if the status works
299  // as expected.
300  distributor_.SetKeyMaterials(
301  kIdentityCert1Name, absl::nullopt,
302  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
303  // Check the updates are delivered to watcher 1 and watcher 2.
304  EXPECT_THAT(
305  watcher_state_1->GetCredentialQueue(),
306  ::testing::ElementsAre(CredentialInfo(
307  kRootCert1Contents,
308  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
309  EXPECT_THAT(
310  watcher_state_2->GetCredentialQueue(),
311  ::testing::ElementsAre(CredentialInfo(
312  kRootCert2Contents,
313  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
314  // Cancel watcher 1.
315  CancelWatch(watcher_state_1);
316  EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
317  kRootCert1Name, false, false)));
318  // Cancel watcher 2.
319  CancelWatch(watcher_state_2);
320  EXPECT_THAT(
321  GetCallbackQueue(),
322  ::testing::ElementsAre(CallbackStatus(kRootCert2Name, false, false),
323  CallbackStatus(kIdentityCert1Name, false, false)));
324 }
325 
326 TEST_F(GrpcTlsCertificateDistributorTest, SameRootNameDiffIdentityName) {
327  // Register watcher 1.
328  WatcherState* watcher_state_1 =
329  MakeWatcher(kRootCert1Name, kIdentityCert1Name);
330  EXPECT_THAT(
331  GetCallbackQueue(),
332  ::testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false),
333  CallbackStatus(kIdentityCert1Name, false, true)));
334  // Register watcher 2.
335  WatcherState* watcher_state_2 =
336  MakeWatcher(kRootCert1Name, kIdentityCert2Name);
337  EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
338  kIdentityCert2Name, false, true)));
339  // Push credential updates to kRootCert1Name and check if the status works as
340  // expected.
341  distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents,
342  absl::nullopt);
343  // Check the updates are delivered to watcher 1.
344  EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
345  ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
346  // Check the updates are delivered to watcher 2.
347  EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
348  ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
349  // Push credential updates to SetKeyMaterials.
350  distributor_.SetKeyMaterials(
351  kIdentityCert1Name, absl::nullopt,
352  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
353  // Check the updates are delivered to watcher 1.
354  EXPECT_THAT(
355  watcher_state_1->GetCredentialQueue(),
356  ::testing::ElementsAre(CredentialInfo(
357  kRootCert1Contents,
358  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
359  // Push credential updates to kIdentityCert2Name.
360  distributor_.SetKeyMaterials(
361  kIdentityCert2Name, absl::nullopt,
362  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
363  // Check the updates are delivered to watcher 2.
364  EXPECT_THAT(
365  watcher_state_2->GetCredentialQueue(),
366  ::testing::ElementsAre(CredentialInfo(
367  kRootCert1Contents,
368  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
369  // Cancel watcher 1.
370  CancelWatch(watcher_state_1);
371  EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre(CallbackStatus(
372  kIdentityCert1Name, false, false)));
373  // Cancel watcher 2.
374  CancelWatch(watcher_state_2);
375  EXPECT_THAT(
376  GetCallbackQueue(),
377  ::testing::ElementsAre(CallbackStatus(kRootCert1Name, false, false),
378  CallbackStatus(kIdentityCert2Name, false, false)));
379 }
380 
381 TEST_F(GrpcTlsCertificateDistributorTest,
382  AddAndCancelFirstWatcherForSameRootAndIdentityCertName) {
383  // Register watcher 1 watching kCertName1 for both root and identity certs.
384  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
385  EXPECT_THAT(GetCallbackQueue(),
386  ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
387  // Push credential updates to kCertName1 and check if the status works as
388  // expected.
389  distributor_.SetKeyMaterials(
390  kCertName1, kRootCert1Contents,
391  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
392  // Check the updates are delivered to watcher 1.
393  EXPECT_THAT(
394  watcher_state_1->GetCredentialQueue(),
395  ::testing::ElementsAre(CredentialInfo(
396  kRootCert1Contents,
397  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
398  // Cancel watcher 1.
399  CancelWatch(watcher_state_1);
400  EXPECT_THAT(GetCallbackQueue(),
401  ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
402 }
403 
404 TEST_F(GrpcTlsCertificateDistributorTest,
405  AddAndCancelFirstWatcherForIdentityCertNameWithRootBeingWatched) {
406  // Register watcher 1 watching kCertName1 for root certs.
407  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
408  EXPECT_THAT(GetCallbackQueue(),
409  ::testing::ElementsAre(CallbackStatus(kCertName1, true, false)));
410  // Register watcher 2 watching kCertName1 for identity certs.
411  WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1);
412  EXPECT_THAT(GetCallbackQueue(),
413  ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
414  // Push credential updates to kCertName1 and check if the status works as
415  // expected.
416  distributor_.SetKeyMaterials(
417  kCertName1, kRootCert1Contents,
418  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
419  // Check the updates are delivered to watcher 1.
420  EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
421  ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
422  // Check the updates are delivered to watcher 2.
423  EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
424  ::testing::ElementsAre(CredentialInfo(
425  "", MakeCertKeyPairs(kIdentityCert1PrivateKey,
426  kIdentityCert1Contents))));
427  // Push root cert updates to kCertName1.
428  distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
429  // Check the updates are delivered to watcher 1.
430  EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
431  ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
432  // Check the updates are not delivered to watcher 2.
433  EXPECT_THAT(watcher_state_2->GetCredentialQueue(), ::testing::ElementsAre());
434  // Push identity cert updates to kCertName1.
435  distributor_.SetKeyMaterials(
436  kCertName1, absl::nullopt,
437  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
438  // Check the updates are not delivered to watcher 1.
439  EXPECT_THAT(watcher_state_1->GetCredentialQueue(), ::testing::ElementsAre());
440  // Check the updates are delivered to watcher 2.
441  EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
442  ::testing::ElementsAre(CredentialInfo(
443  "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
444  kIdentityCert2Contents))));
445  watcher_state_2->cert_update_queue.clear();
446  // Cancel watcher 2.
447  CancelWatch(watcher_state_2);
448  EXPECT_THAT(GetCallbackQueue(),
449  ::testing::ElementsAre(CallbackStatus(kCertName1, true, false)));
450  // Cancel watcher 1.
451  CancelWatch(watcher_state_1);
452  EXPECT_THAT(GetCallbackQueue(),
453  ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
454 }
455 
456 TEST_F(GrpcTlsCertificateDistributorTest,
457  AddAndCancelFirstWatcherForRootCertNameWithIdentityBeingWatched) {
458  // Register watcher 1 watching kCertName1 for identity certs.
459  WatcherState* watcher_state_1 = MakeWatcher(absl::nullopt, kCertName1);
460  EXPECT_THAT(GetCallbackQueue(),
461  ::testing::ElementsAre(CallbackStatus(kCertName1, false, true)));
462  // Register watcher 2 watching kCertName1 for root certs.
463  WatcherState* watcher_state_2 = MakeWatcher(kCertName1, absl::nullopt);
464  EXPECT_THAT(GetCallbackQueue(),
465  ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
466  // Push credential updates to kCertName1 and check if the status works as
467  // expected.
468  distributor_.SetKeyMaterials(
469  kCertName1, kRootCert1Contents,
470  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
471  // Check the updates are delivered to watcher 1.
472  EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
473  ::testing::ElementsAre(CredentialInfo(
474  "", MakeCertKeyPairs(kIdentityCert1PrivateKey,
475  kIdentityCert1Contents))));
476  // Check the updates are delivered to watcher 2.
477  EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
478  ::testing::ElementsAre(CredentialInfo(kRootCert1Contents, {})));
479  // Push root cert updates to kCertName1.
480  distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt);
481  // Check the updates are delivered to watcher 2.
482  EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
483  ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
484  // Check the updates are not delivered to watcher 1.
485  EXPECT_THAT(watcher_state_1->GetCredentialQueue(), ::testing::ElementsAre());
486  // Push identity cert updates to kCertName1.
487  distributor_.SetKeyMaterials(
488  kCertName1, absl::nullopt,
489  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
490  // Check the updates are not delivered to watcher 2.
491  EXPECT_THAT(watcher_state_2->GetCredentialQueue(), ::testing::ElementsAre());
492  // Check the updates are delivered to watcher 1.
493  EXPECT_THAT(watcher_state_1->GetCredentialQueue(),
494  ::testing::ElementsAre(CredentialInfo(
495  "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
496  kIdentityCert2Contents))));
497  // Cancel watcher 2.
498  CancelWatch(watcher_state_2);
499  EXPECT_THAT(GetCallbackQueue(),
500  ::testing::ElementsAre(CallbackStatus(kCertName1, false, true)));
501  // Cancel watcher 1.
502  CancelWatch(watcher_state_1);
503  EXPECT_THAT(GetCallbackQueue(),
504  ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
505 }
506 
507 TEST_F(GrpcTlsCertificateDistributorTest,
508  RemoveAllWatchersForCertNameAndAddAgain) {
509  // Register watcher 1 and watcher 2 watching kCertName1 for root and identity
510  // certs.
511  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
512  EXPECT_THAT(GetCallbackQueue(),
513  ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
514  WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1);
515  EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
516  // Push credential updates to kCertName1.
517  distributor_.SetKeyMaterials(
518  kCertName1, kRootCert1Contents,
519  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
520  // Cancel watcher 2.
521  CancelWatch(watcher_state_2);
522  EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
523  // Cancel watcher 1.
524  CancelWatch(watcher_state_1);
525  EXPECT_THAT(GetCallbackQueue(),
526  ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
527  // Register watcher 3 watching kCertName for root and identity certs.
528  WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName1);
529  EXPECT_THAT(GetCallbackQueue(),
530  ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
531  // Push credential updates to kCertName1.
532  distributor_.SetKeyMaterials(
533  kCertName1, kRootCert2Contents,
534  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
535  // Check the updates are delivered to watcher 3.
536  EXPECT_THAT(
537  watcher_state_3->GetCredentialQueue(),
538  ::testing::ElementsAre(CredentialInfo(
539  kRootCert2Contents,
540  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents))));
541  // Cancel watcher 3.
542  CancelWatch(watcher_state_3);
543  EXPECT_THAT(GetCallbackQueue(),
544  ::testing::ElementsAre(CallbackStatus(kCertName1, false, false)));
545 }
546 
547 TEST_F(GrpcTlsCertificateDistributorTest, ResetCallbackToNull) {
548  // Register watcher 1 watching kCertName1 for root and identity certs.
549  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
550  EXPECT_THAT(GetCallbackQueue(),
551  ::testing::ElementsAre(CallbackStatus(kCertName1, true, true)));
552  // Reset callback to nullptr.
553  distributor_.SetWatchStatusCallback(nullptr);
554  // Cancel watcher 1 shouldn't trigger any callback.
555  CancelWatch(watcher_state_1);
556  EXPECT_THAT(GetCallbackQueue(), ::testing::ElementsAre());
557 }
558 
559 TEST_F(GrpcTlsCertificateDistributorTest, SetKeyMaterialsInCallback) {
560  distributor_.SetWatchStatusCallback([this](std::string cert_name,
561  bool /*root_being_watched*/,
562  bool /*identity_being_watched*/) {
563  distributor_.SetKeyMaterials(
564  cert_name, kRootCert1Contents,
565  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
566  });
567  auto verify_function = [this](std::string cert_name) {
568  WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name);
569  // Check the updates are delivered to watcher 1.
570  EXPECT_THAT(
571  watcher_state_1->GetCredentialQueue(),
572  ::testing::ElementsAre(CredentialInfo(
573  kRootCert1Contents, MakeCertKeyPairs(kIdentityCert1PrivateKey,
574  kIdentityCert1Contents))));
575  CancelWatch(watcher_state_1);
576  };
577  // Start 1000 threads that will register a watcher to a new cert name, verify
578  // the key materials being set, and then cancel the watcher, to make sure the
579  // lock mechanism in the distributor is safe.
580  std::vector<std::thread> threads;
581  threads.reserve(1000);
582  for (int i = 0; i < 1000; ++i) {
583  threads.emplace_back(verify_function, std::to_string(i));
584  }
585  for (auto& th : threads) {
586  th.join();
587  }
588 }
589 
590 TEST_F(GrpcTlsCertificateDistributorTest, WatchACertInfoWithValidCredentials) {
591  // Push credential updates to kCertName1.
592  distributor_.SetKeyMaterials(
593  kCertName1, kRootCert1Contents,
594  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
595  // Push root credential updates to kCertName2.
596  distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents,
597  absl::nullopt);
598  // Push identity credential updates to kCertName2.
599  distributor_.SetKeyMaterials(
600  kIdentityCert2Name, absl::nullopt,
601  MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents));
602  // Register watcher 1.
603  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
604  // watcher 1 should receive the credentials right away.
605  EXPECT_THAT(
606  watcher_state_1->GetCredentialQueue(),
607  ::testing::ElementsAre(CredentialInfo(
608  kRootCert1Contents,
609  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
610  CancelWatch(watcher_state_1);
611  // Register watcher 2.
612  WatcherState* watcher_state_2 = MakeWatcher(kRootCert2Name, absl::nullopt);
613  // watcher 2 should receive the root credentials right away.
614  EXPECT_THAT(watcher_state_2->GetCredentialQueue(),
615  ::testing::ElementsAre(CredentialInfo(kRootCert2Contents, {})));
616  // Register watcher 3.
617  WatcherState* watcher_state_3 =
618  MakeWatcher(absl::nullopt, kIdentityCert2Name);
619  // watcher 3 should received the identity credentials right away.
620  EXPECT_THAT(watcher_state_3->GetCredentialQueue(),
621  ::testing::ElementsAre(CredentialInfo(
622  "", MakeCertKeyPairs(kIdentityCert2PrivateKey,
623  kIdentityCert2Contents))));
624  CancelWatch(watcher_state_2);
625  CancelWatch(watcher_state_3);
626 }
627 
628 TEST_F(GrpcTlsCertificateDistributorTest,
629  SetErrorForCertForBothRootAndIdentity) {
630  // Register watcher 1.
631  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
632  // Calling SetErrorForCert on both cert names should only call one OnError
633  // on watcher 1.
634  distributor_.SetErrorForCert(
635  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
636  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
637  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
638  ::testing::ElementsAre(
639  ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
640  // Calling SetErrorForCert on root cert name should call OnError
641  // on watcher 1 again.
642  distributor_.SetErrorForCert(
643  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
644  absl::nullopt);
645  EXPECT_THAT(
646  watcher_state_1->GetErrorQueue(),
647  ::testing::ElementsAre(ErrorInfo(kErrorMessage, kIdentityErrorMessage)));
648  // Calling SetErrorForCert on identity cert name should call OnError
649  // on watcher 1 again.
650  distributor_.SetErrorForCert(
651  kCertName1, absl::nullopt,
652  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
653  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
654  ::testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage)));
655  distributor_.CancelTlsCertificatesWatch(watcher_state_1->watcher);
656  EXPECT_EQ(watcher_state_1->watcher, nullptr);
657 }
658 
659 TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertForRootOrIdentity) {
660  // Register watcher 1.
661  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
662  // Calling SetErrorForCert on root name should only call one OnError
663  // on watcher 1.
664  distributor_.SetErrorForCert(
665  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
666  absl::nullopt);
667  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
668  ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
669  // Calling SetErrorForCert on identity name should do nothing.
670  distributor_.SetErrorForCert(
671  kCertName1, absl::nullopt,
672  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
673  EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
674  // Calling SetErrorForCert on both names should still get one OnError call.
675  distributor_.SetErrorForCert(
676  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
677  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
678  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
679  ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
680  CancelWatch(watcher_state_1);
681  // Register watcher 2.
682  WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1);
683  // Calling SetErrorForCert on identity name should only call one OnError
684  // on watcher 2.
685  distributor_.SetErrorForCert(
686  kCertName1, absl::nullopt,
687  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
688  EXPECT_THAT(watcher_state_2->GetErrorQueue(),
689  ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
690  // Calling SetErrorForCert on root name should do nothing.
691  distributor_.SetErrorForCert(
692  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
693  absl::nullopt);
694  EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
695  // Calling SetErrorForCert on both names should still get one OnError call.
696  distributor_.SetErrorForCert(
697  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
698  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
699  EXPECT_THAT(watcher_state_2->GetErrorQueue(),
700  ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
701  CancelWatch(watcher_state_2);
702 }
703 
704 TEST_F(GrpcTlsCertificateDistributorTest,
705  SetErrorForIdentityNameWithPreexistingErrorForRootName) {
706  // SetErrorForCert for kCertName1.
707  distributor_.SetErrorForCert(
708  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
709  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
710  // Register watcher 1 for kCertName1 as root and kCertName2 as identity.
711  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2);
712  // Should trigger OnError call right away since kCertName1 has error.
713  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
714  ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
715  // Calling SetErrorForCert on kCertName2 should trigger OnError with both
716  // errors, because kCertName1 also has error.
717  distributor_.SetErrorForCert(
718  kCertName2, absl::nullopt,
719  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
720  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
721  ::testing::ElementsAre(
722  ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
723  CancelWatch(watcher_state_1);
724 }
725 
726 TEST_F(GrpcTlsCertificateDistributorTest,
727  SetErrorForCertForRootNameWithSameNameForIdentityErrored) {
728  // SetErrorForCert for kCertName1.
729  distributor_.SetErrorForCert(
730  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
731  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
732  // Register watcher 1 for kCertName2 as root and kCertName1 as identity.
733  WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1);
734  // Should trigger OnError call right away since kCertName2 has error.
735  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
736  ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
737  // Calling SetErrorForCert on kCertName2 should trigger OnError with both
738  // errors, because kCertName1 also has error.
739  distributor_.SetErrorForCert(
740  kCertName2, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
741  absl::nullopt);
742  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
743  ::testing::ElementsAre(
744  ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
745  CancelWatch(watcher_state_1);
746 }
747 
748 TEST_F(GrpcTlsCertificateDistributorTest,
749  SetErrorForIdentityNameWithoutErrorForRootName) {
750  // Register watcher 1 for kCertName1 as root and kCertName2 as identity.
751  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2);
752  // Should not trigger OnError.
753  EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
754  // Calling SetErrorForCert on kCertName2 should trigger OnError.
755  distributor_.SetErrorForCert(
756  kCertName2, absl::nullopt,
757  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
758  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
759  ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
760  CancelWatch(watcher_state_1);
761  // Register watcher 2 for kCertName2 as identity and a non-existing name
762  // kRootCert1Name as root.
763  WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, kCertName2);
764  // Should not trigger OnError.
765  EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
766  // Calling SetErrorForCert on kCertName2 should trigger OnError.
767  distributor_.SetErrorForCert(
768  kCertName2, absl::nullopt,
769  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
770  EXPECT_THAT(watcher_state_2->error_queue,
771  ::testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage)));
772  CancelWatch(watcher_state_2);
773 }
774 
775 TEST_F(GrpcTlsCertificateDistributorTest,
776  SetErrorForRootNameWithPreexistingErrorForIdentityName) {
777  WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1);
778  // Should not trigger OnError.
779  EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
780  // Calling SetErrorForCert on kCertName2 should trigger OnError.
781  distributor_.SetErrorForCert(
782  kCertName2, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
783  absl::nullopt);
784  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
785  ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
786  CancelWatch(watcher_state_1);
787  // Register watcher 2 for kCertName2 as root and a non-existing name
788  // kIdentityCert1Name as identity.
789  WatcherState* watcher_state_2 = MakeWatcher(kCertName2, kIdentityCert1Name);
790  // Should not trigger OnError.
791  EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
792  // Calling SetErrorForCert on kCertName2 should trigger OnError.
793  distributor_.SetErrorForCert(
794  kCertName2, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
795  absl::nullopt);
796  EXPECT_THAT(watcher_state_2->GetErrorQueue(),
797  ::testing::ElementsAre(ErrorInfo(kRootErrorMessage, "")));
798  CancelWatch(watcher_state_2);
799 }
800 
801 TEST_F(GrpcTlsCertificateDistributorTest,
802  CancelTheLastWatcherOnAnErroredCertInfo) {
803  // Register watcher 1.
804  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
805  // Calling SetErrorForCert on both cert names should only call one OnError
806  // on watcher 1.
807  distributor_.SetErrorForCert(
808  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
809  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
810  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
811  ::testing::ElementsAre(
812  ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
813  // When watcher 1 is removed, the cert info entry should be removed.
814  CancelWatch(watcher_state_1);
815  // Register watcher 2 on the same cert name.
816  WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1);
817  // Should not trigger OnError call on watcher 2 right away.
818  EXPECT_THAT(watcher_state_2->GetErrorQueue(), ::testing::ElementsAre());
819  CancelWatch(watcher_state_2);
820 }
821 
822 TEST_F(GrpcTlsCertificateDistributorTest,
823  WatchErroredCertInfoWithValidCredentialData) {
824  // Push credential updates to kCertName1.
825  distributor_.SetKeyMaterials(
826  kCertName1, kRootCert1Contents,
827  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
828  // Calling SetErrorForCert on both cert names.
829  distributor_.SetErrorForCert(
830  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
831  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
832  // Register watcher 1.
833  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
834  // watcher 1 should receive both the old credentials and the error right away.
835  EXPECT_THAT(
836  watcher_state_1->GetCredentialQueue(),
837  ::testing::ElementsAre(CredentialInfo(
838  kRootCert1Contents,
839  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
840  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
841  ::testing::ElementsAre(
842  ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
843  CancelWatch(watcher_state_1);
844 }
845 
846 TEST_F(GrpcTlsCertificateDistributorTest,
847  SetErrorForCertThenSuccessfulCredentialUpdates) {
848  // Calling SetErrorForCert on both cert names.
849  distributor_.SetErrorForCert(
850  kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
851  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
852  // Push credential updates to kCertName1.
853  distributor_.SetKeyMaterials(
854  kCertName1, kRootCert1Contents,
855  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents));
856  // Register watcher 1.
857  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
858  // watcher 1 should only receive credential updates without any error, because
859  // the previous error is wiped out by a successful update.
860  EXPECT_THAT(
861  watcher_state_1->GetCredentialQueue(),
862  ::testing::ElementsAre(CredentialInfo(
863  kRootCert1Contents,
864  MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents))));
865  EXPECT_THAT(watcher_state_1->GetErrorQueue(), ::testing::ElementsAre());
866  CancelWatch(watcher_state_1);
867 }
868 
869 TEST_F(GrpcTlsCertificateDistributorTest, WatchCertInfoThenInvokeSetError) {
870  // Register watcher 1.
871  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1);
872  // Register watcher 2.
873  WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, absl::nullopt);
874  // Register watcher 3.
875  WatcherState* watcher_state_3 =
876  MakeWatcher(absl::nullopt, kIdentityCert1Name);
877  distributor_.SetError(GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
878  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
879  ::testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage)));
880  EXPECT_THAT(watcher_state_2->GetErrorQueue(),
881  ::testing::ElementsAre(ErrorInfo(kErrorMessage, "")));
882  EXPECT_THAT(watcher_state_3->GetErrorQueue(),
883  ::testing::ElementsAre(ErrorInfo("", kErrorMessage)));
884  CancelWatch(watcher_state_1);
885  CancelWatch(watcher_state_2);
886  CancelWatch(watcher_state_3);
887 }
888 
889 TEST_F(GrpcTlsCertificateDistributorTest, WatchErroredCertInfoBySetError) {
890  // Register watcher 1 watching kCertName1 as root.
891  WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt);
892  // Register watcher 2 watching kCertName2 as identity.
893  WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName2);
894  // Call SetError and then cancel all watchers.
895  distributor_.SetError(GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
896  CancelWatch(watcher_state_1);
897  CancelWatch(watcher_state_2);
898  // Register watcher 3 watching kCertName1 as root and kCertName2 as identity
899  // should not get the error updates.
900  WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName2);
901  EXPECT_THAT(watcher_state_3->GetErrorQueue(), ::testing::ElementsAre());
902  CancelWatch(watcher_state_3);
903  // Register watcher 4 watching kCertName2 as root and kCertName1 as identity
904  // should not get the error updates.
905  WatcherState* watcher_state_4 = MakeWatcher(kCertName2, kCertName1);
906  EXPECT_THAT(watcher_state_4->GetErrorQueue(), ::testing::ElementsAre());
907  CancelWatch(watcher_state_4);
908 }
909 
910 TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertInCallback) {
911  distributor_.SetWatchStatusCallback([this](std::string cert_name,
912  bool /*root_being_watched*/,
913  bool /*identity_being_watched*/) {
914  this->distributor_.SetErrorForCert(
915  cert_name, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
916  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
917  });
918  auto verify_function = [this](std::string cert_name) {
919  WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name);
920  // Check the errors are delivered to watcher 1.
921  EXPECT_THAT(watcher_state_1->GetErrorQueue(),
922  ::testing::ElementsAre(
923  ErrorInfo(kRootErrorMessage, kIdentityErrorMessage)));
924  CancelWatch(watcher_state_1);
925  };
926  // Start 1000 threads that will register a watcher to a new cert name, verify
927  // the key materials being set, and then cancel the watcher, to make sure the
928  // lock mechanism in the distributor is safe.
929  std::vector<std::thread> threads;
930  threads.reserve(1000);
931  for (int i = 0; i < 1000; ++i) {
932  threads.emplace_back(verify_function, std::to_string(i));
933  }
934  for (auto& th : threads) {
935  th.join();
936  }
937 }
938 
939 } // namespace testing
940 
941 } // namespace grpc_core
942 
943 int main(int argc, char** argv) {
944  grpc::testing::TestEnvironment env(&argc, argv);
945  ::testing::InitGoogleTest(&argc, argv);
946  grpc_init();
947  int ret = RUN_ALL_TESTS();
948  grpc_shutdown();
949  return ret;
950 }
EXPECT_FALSE
#define EXPECT_FALSE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1970
grpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState::cert_update_queue
std::deque< CredentialInfo > cert_update_queue
Definition: grpc_tls_certificate_distributor_test.cc:92
grpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo
Definition: grpc_tls_certificate_distributor_test.cc:78
grpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo
Definition: grpc_tls_certificate_distributor_test.cc:64
grpc_core::testing::GrpcTlsCertificateDistributorTest::mu_
Mutex mu_
Definition: grpc_tls_certificate_distributor_test.cc:220
testing
Definition: aws_request_signer_test.cc:25
grpc_core::testing::GrpcTlsCertificateDistributorTest::TlsCertificatesTestWatcher::OnCertificatesChanged
void OnCertificatesChanged(absl::optional< absl::string_view > root_certs, absl::optional< PemKeyCertPairList > key_cert_pairs) override
Definition: grpc_tls_certificate_distributor_test.cc:118
log.h
grpc_core::testing::MakeCertKeyPairs
PemKeyCertPairList MakeCertKeyPairs(absl::string_view private_key, absl::string_view certs)
Definition: test/core/util/tls_utils.cc:60
grpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState::GetCredentialQueue
std::deque< CredentialInfo > GetCredentialQueue()
Definition: grpc_tls_certificate_distributor_test.cc:95
tls_utils.h
generate.env
env
Definition: generate.py:37
grpc_tls_certificate_distributor.h
grpc_core::testing::GrpcTlsCertificateDistributorTest::SetUp
void SetUp() override
Definition: grpc_tls_certificate_distributor_test.cc:177
grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus::root_being_watched
bool root_being_watched
Definition: grpc_tls_certificate_distributor_test.cc:164
grpc_core::testing::GrpcTlsCertificateDistributorTest::distributor_
grpc_tls_certificate_distributor distributor_
Definition: grpc_tls_certificate_distributor_test.cc:214
EXPECT_THAT
#define EXPECT_THAT(value, matcher)
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::MutexLock
Definition: src/core/lib/gprpp/sync.h:88
grpc_core::testing::GrpcTlsCertificateDistributorTest::CancelWatch
void CancelWatch(WatcherState *state)
Definition: grpc_tls_certificate_distributor_test.cc:202
grpc_core::testing::kRootCert2Name
constexpr const char * kRootCert2Name
Definition: grpc_tls_certificate_distributor_test.cc:43
grpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState::watcher
TlsCertificatesTestWatcher * watcher
Definition: grpc_tls_certificate_distributor_test.cc:91
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
grpc_core::testing::kIdentityCert1PrivateKey
constexpr const char * kIdentityCert1PrivateKey
Definition: grpc_tls_certificate_distributor_test.cc:46
grpc_tls_certificate_distributor
Definition: grpc_tls_certificate_distributor.h:43
grpc_core::testing::kRootCert1Contents
constexpr const char * kRootCert1Contents
Definition: grpc_tls_certificate_distributor_test.cc:42
setup.name
name
Definition: setup.py:542
grpc_core::testing::GrpcTlsCertificateDistributorTest::TlsCertificatesTestWatcher::state_
WatcherState * state_
Definition: grpc_tls_certificate_distributor_test.cc:155
grpc_core::testing::kCertName2
constexpr const char * kCertName2
Definition: grpc_tls_certificate_distributor_test.cc:40
grpc_core::testing::TEST_F
TEST_F(ServiceConfigTest, ErrorCheck1)
Definition: service_config_test.cc:192
grpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo::root_certs
std::string root_certs
Definition: grpc_tls_certificate_distributor_test.cc:65
grpc_core::testing::kRootCert1Name
constexpr const char * kRootCert1Name
Definition: grpc_tls_certificate_distributor_test.cc:41
grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus::CallbackStatus
CallbackStatus(std::string name, bool root_watched, bool identity_watched)
Definition: grpc_tls_certificate_distributor_test.cc:166
GRPC_ERROR_STR_DESCRIPTION
@ GRPC_ERROR_STR_DESCRIPTION
top-level textual description of this error
Definition: error.h:106
grpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo::ErrorInfo
ErrorInfo(std::string root, std::string identity)
Definition: grpc_tls_certificate_distributor_test.cc:81
grpc_core::testing::kRootErrorMessage
constexpr const char * kRootErrorMessage
Definition: grpc_tls_certificate_distributor_test.cc:52
threads
static uv_thread_t * threads
Definition: threadpool.c:38
grpc_core::testing::kIdentityCert2Contents
constexpr const char * kIdentityCert2Contents
Definition: grpc_tls_certificate_distributor_test.cc:50
testing::Test
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:402
grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus::identity_being_watched
bool identity_being_watched
Definition: grpc_tls_certificate_distributor_test.cc:165
grpc_tls_certificate_distributor::WatchTlsCertificates
void WatchTlsCertificates(std::unique_ptr< TlsCertificatesWatcherInterface > watcher, absl::optional< std::string > root_cert_name, absl::optional< std::string > identity_cert_name)
Definition: grpc_tls_certificate_distributor.cc:176
grpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo::operator==
bool operator==(const ErrorInfo &other) const
Definition: grpc_tls_certificate_distributor_test.cc:84
EXPECT_EQ
#define EXPECT_EQ(a, b)
Definition: iomgr/time_averaged_stats_test.cc:27
testing::ElementsAre
internal::ElementsAreMatcher< ::testing::tuple<> > ElementsAre()
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:13040
grpc_core::testing::GrpcTlsCertificateDistributorTest::TlsCertificatesTestWatcher::OnError
void OnError(grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) override
Definition: grpc_tls_certificate_distributor_test.cc:133
string_util.h
grpc_core::testing::GrpcTlsCertificateDistributorTest::TlsCertificatesTestWatcher
Definition: grpc_tls_certificate_distributor_test.cc:107
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
GPR_ASSERT
#define GPR_ASSERT(x)
Definition: include/grpc/impl/codegen/log.h:94
absl::optional::has_value
constexpr bool has_value() const noexcept
Definition: abseil-cpp/absl/types/optional.h:461
root
RefCountedPtr< grpc_tls_certificate_provider > root
Definition: xds_server_config_fetcher.cc:223
grpc_core::testing::kIdentityCert2PrivateKey
constexpr const char * kIdentityCert2PrivateKey
Definition: grpc_tls_certificate_distributor_test.cc:49
grpc_core::testing::kIdentityErrorMessage
constexpr const char * kIdentityErrorMessage
Definition: grpc_tls_certificate_distributor_test.cc:53
grpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo::operator==
bool operator==(const CredentialInfo &other) const
Definition: grpc_tls_certificate_distributor_test.cc:69
grpc_core::testing::kIdentityCert1Contents
constexpr const char * kIdentityCert1Contents
Definition: grpc_tls_certificate_distributor_test.cc:47
absl::optional< absl::string_view >
slice_internal.h
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
distributor_
grpc_core::RefCountedPtr< grpc_tls_certificate_distributor > distributor_
Definition: xds_end2end_test.cc:216
grpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo::root_cert_str
std::string root_cert_str
Definition: grpc_tls_certificate_distributor_test.cc:79
GRPC_ERROR_CREATE_FROM_STATIC_STRING
#define GRPC_ERROR_CREATE_FROM_STATIC_STRING(desc)
Definition: error.h:291
grpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo::CredentialInfo
CredentialInfo(std::string root, PemKeyCertPairList key_cert)
Definition: grpc_tls_certificate_distributor_test.cc:67
grpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState
Definition: grpc_tls_certificate_distributor_test.cc:90
grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus::operator==
bool operator==(const CallbackStatus &other) const
Definition: grpc_tls_certificate_distributor_test.cc:170
test_config.h
grpc_core::Mutex
Definition: src/core/lib/gprpp/sync.h:61
grpc_tls_certificate_distributor::CancelTlsCertificatesWatch
void CancelTlsCertificatesWatch(TlsCertificatesWatcherInterface *watcher)
Definition: grpc_tls_certificate_distributor.cc:264
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
grpc_core::testing::GrpcTlsCertificateDistributorTest::callback_queue_
std::deque< CallbackStatus > callback_queue_
Definition: grpc_tls_certificate_distributor_test.cc:218
grpc_core::testing::GrpcTlsCertificateDistributorTest
Definition: grpc_tls_certificate_distributor_test.cc:55
grpc_core::testing::GrpcTlsCertificateDistributorTest::ErrorInfo::identity_cert_str
std::string identity_cert_str
Definition: grpc_tls_certificate_distributor_test.cc:80
grpc_core::testing::kErrorMessage
constexpr const char * kErrorMessage
Definition: grpc_tls_certificate_distributor_test.cc:51
grpc_core::testing::GrpcTlsCertificateDistributorTest::CredentialInfo::key_cert_pairs
PemKeyCertPairList key_cert_pairs
Definition: grpc_tls_certificate_distributor_test.cc:66
grpc_core::testing::kRootCert2Contents
constexpr const char * kRootCert2Contents
Definition: grpc_tls_certificate_distributor_test.cc:44
grpc_core::PemKeyCertPairList
std::vector< PemKeyCertPair > PemKeyCertPairList
Definition: ssl_utils.h:183
grpc_core::testing::GrpcTlsCertificateDistributorTest::MakeWatcher
WatcherState * MakeWatcher(absl::optional< std::string > root_cert_name, absl::optional< std::string > identity_cert_name)
Definition: grpc_tls_certificate_distributor_test.cc:186
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
alloc.h
grpc_core::testing::GrpcTlsCertificateDistributorTest::TlsCertificatesTestWatcher::TlsCertificatesTestWatcher
TlsCertificatesTestWatcher(WatcherState *state)
Definition: grpc_tls_certificate_distributor_test.cc:111
std
Definition: grpcpp/impl/codegen/async_unary_call.h:407
grpc::testing::TestEnvironment
Definition: test/core/util/test_config.h:54
grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus::cert_name
std::string cert_name
Definition: grpc_tls_certificate_distributor_test.cc:163
state
Definition: bloaty/third_party/zlib/contrib/blast/blast.c:41
main
int main(int argc, char **argv)
Definition: grpc_tls_certificate_distributor_test.cc:943
GRPC_ERROR_UNREF
#define GRPC_ERROR_UNREF(err)
Definition: error.h:262
grpc_core::testing::GrpcTlsCertificateDistributorTest::CallbackStatus
Definition: grpc_tls_certificate_distributor_test.cc:162
watcher
ClusterWatcher * watcher
Definition: cds.cc:148
EXPECT_TRUE
#define EXPECT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1967
grpc_core::testing::kCertName1
constexpr const char * kCertName1
Definition: grpc_tls_certificate_distributor_test.cc:39
grpc_core::testing::GrpcTlsCertificateDistributorTest::watchers_
std::list< WatcherState > watchers_
Definition: grpc_tls_certificate_distributor_test.cc:217
grpc_core::testing::GrpcTlsCertificateDistributorTest::GetCallbackQueue
std::deque< CallbackStatus > GetCallbackQueue()
Definition: grpc_tls_certificate_distributor_test.cc:208
grpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState::error_queue
std::deque< ErrorInfo > error_queue
Definition: grpc_tls_certificate_distributor_test.cc:93
grpc_error_get_str
bool grpc_error_get_str(grpc_error_handle err, grpc_error_strs which, std::string *s)
Returns false if the specified string is not set.
Definition: error.cc:659
grpc_init
GRPCAPI void grpc_init(void)
Definition: init.cc:146
grpc_error
Definition: error_internal.h:42
grpc_core::testing::GrpcTlsCertificateDistributorTest::TlsCertificatesTestWatcher::~TlsCertificatesTestWatcher
~TlsCertificatesTestWatcher() override
Definition: grpc_tls_certificate_distributor_test.cc:116
grpc_core::testing::GrpcTlsCertificateDistributorTest::WatcherState::GetErrorQueue
std::deque< ErrorInfo > GetErrorQueue()
Definition: grpc_tls_certificate_distributor_test.cc:100
grpc_core::testing::kIdentityCert1Name
constexpr const char * kIdentityCert1Name
Definition: grpc_tls_certificate_distributor_test.cc:45
to_string
static bool to_string(zval *from)
Definition: protobuf/php/ext/google/protobuf/convert.c:333
grpc_core::testing::kIdentityCert2Name
constexpr const char * kIdentityCert2Name
Definition: grpc_tls_certificate_distributor_test.cc:48
grpc_shutdown
GRPCAPI void grpc_shutdown(void)
Definition: init.cc:209
grpc_tls_certificate_distributor::SetWatchStatusCallback
void SetWatchStatusCallback(std::function< void(std::string, bool, bool)> callback)
Definition: grpc_tls_certificate_distributor.h:133
i
uint64_t i
Definition: abseil-cpp/absl/container/btree_benchmark.cc:230
GRPC_ERROR_IS_NONE
#define GRPC_ERROR_IS_NONE(err)
Definition: error.h:241

grpc
Author(s):
autogenerated on Fri May 16 2025 02:58:45