grpc_tls_credentials_options_test.cc
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2020 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
20 
21 #include <gmock/gmock.h>
22 #include <gtest/gtest.h>
23 
24 #include <grpc/support/alloc.h>
25 #include <grpc/support/log.h>
26 #include <grpc/support/string_util.h>
27 
28 #include "src/core/lib/gpr/tmpfile.h"
29 #include "src/core/lib/iomgr/load_file.h"
30 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
31 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
32 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
33 #include "test/core/util/test_config.h"
34 #include "test/core/util/tls_utils.h"
35 
36 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
37 #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem"
38 #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key"
39 #define CA_CERT_PATH_2 "src/core/tsi/test_creds/multi-domain.pem"
40 #define SERVER_CERT_PATH_2 "src/core/tsi/test_creds/server0.pem"
41 #define SERVER_KEY_PATH_2 "src/core/tsi/test_creds/server0.key"
42 #define INVALID_PATH "invalid/path"
43 
44 namespace grpc_core {
45 
46 namespace testing {
47 
48 class GrpcTlsCredentialsOptionsTest : public ::testing::Test {
49  protected:
50  void SetUp() override {
51  root_cert_ = GetFileContents(CA_CERT_PATH);
52  cert_chain_ = GetFileContents(SERVER_CERT_PATH);
53  private_key_ = GetFileContents(SERVER_KEY_PATH);
54  root_cert_2_ = GetFileContents(CA_CERT_PATH_2);
55  cert_chain_2_ = GetFileContents(SERVER_CERT_PATH_2);
56  private_key_2_ = GetFileContents(SERVER_KEY_PATH_2);
57  }
58 
59  std::string root_cert_;
60  std::string private_key_;
61  std::string cert_chain_;
62  std::string root_cert_2_;
63  std::string private_key_2_;
64  std::string cert_chain_2_;
65  HostNameCertificateVerifier hostname_certificate_verifier_;
66 };
67 
68 //
69 // Tests for Default Root Certs.
70 //
71 
72 TEST_F(GrpcTlsCredentialsOptionsTest, ClientOptionsOnDefaultRootCerts) {
73  auto options = MakeRefCounted<grpc_tls_credentials_options>();
74  auto credentials = MakeRefCounted<TlsCredentials>(options);
75  ASSERT_NE(credentials, nullptr);
76  grpc_channel_args* new_args = nullptr;
77  auto connector = credentials->create_security_connector(
78  nullptr, "random targets", nullptr, &new_args);
79  grpc_channel_args_destroy(new_args);
80  ASSERT_NE(connector, nullptr);
81  TlsChannelSecurityConnector* tls_connector =
82  static_cast<TlsChannelSecurityConnector*>(connector.get());
83  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
84 }
85 
86 //
87 // Tests for StaticDataCertificateProvider.
88 //
89 
90 TEST_F(GrpcTlsCredentialsOptionsTest,
91  ClientOptionsWithStaticDataProviderOnBothCerts) {
92  auto options = MakeRefCounted<grpc_tls_credentials_options>();
93  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
94  root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
95  options->set_certificate_provider(std::move(provider));
96  options->set_watch_root_cert(true);
97  options->set_watch_identity_pair(true);
98  auto credentials = MakeRefCounted<TlsCredentials>(options);
99  ASSERT_NE(credentials, nullptr);
100  grpc_channel_args* new_args = nullptr;
101  auto connector = credentials->create_security_connector(
102  nullptr, "random targets", nullptr, &new_args);
103  grpc_channel_args_destroy(new_args);
104  ASSERT_NE(connector, nullptr);
105  TlsChannelSecurityConnector* tls_connector =
106  static_cast<TlsChannelSecurityConnector*>(connector.get());
107  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
108  EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
109  EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
110 }
111 
112 TEST_F(GrpcTlsCredentialsOptionsTest,
113  ClientOptionsWithStaticDataProviderOnRootCerts) {
114  auto options = MakeRefCounted<grpc_tls_credentials_options>();
115  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
116  root_cert_, PemKeyCertPairList());
117  options->set_certificate_provider(std::move(provider));
118  options->set_watch_root_cert(true);
119  auto credentials = MakeRefCounted<TlsCredentials>(options);
120  ASSERT_NE(credentials, nullptr);
121  grpc_channel_args* new_args = nullptr;
122  auto connector = credentials->create_security_connector(
123  nullptr, "random targets", nullptr, &new_args);
124  grpc_channel_args_destroy(new_args);
125  ASSERT_NE(connector, nullptr);
126  TlsChannelSecurityConnector* tls_connector =
127  static_cast<TlsChannelSecurityConnector*>(connector.get());
128  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
129  EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
130  EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
131 }
132 
133 TEST_F(GrpcTlsCredentialsOptionsTest,
134  ClientOptionsWithStaticDataProviderOnNotProvidedCerts) {
135  auto options = MakeRefCounted<grpc_tls_credentials_options>();
136  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
137  "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
138  options->set_certificate_provider(std::move(provider));
139  options->set_watch_root_cert(true);
140  auto credentials = MakeRefCounted<TlsCredentials>(options);
141  ASSERT_NE(credentials, nullptr);
142  grpc_channel_args* new_args = nullptr;
143  auto connector = credentials->create_security_connector(
144  nullptr, "random targets", nullptr, &new_args);
145  grpc_channel_args_destroy(new_args);
146  ASSERT_NE(connector, nullptr);
147  TlsChannelSecurityConnector* tls_connector =
148  static_cast<TlsChannelSecurityConnector*>(connector.get());
149  EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
150 }
151 
152 TEST_F(GrpcTlsCredentialsOptionsTest,
153  ClientOptionsWithDefaultRootAndStaticDataProviderOnIdentityCerts) {
154  auto options = MakeRefCounted<grpc_tls_credentials_options>();
155  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
156  "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
157  options->set_certificate_provider(std::move(provider));
158  options->set_watch_identity_pair(true);
159  auto credentials = MakeRefCounted<TlsCredentials>(options);
160  ASSERT_NE(credentials, nullptr);
161  grpc_channel_args* new_args = nullptr;
162  auto connector = credentials->create_security_connector(
163  nullptr, "random targets", nullptr, &new_args);
164  grpc_channel_args_destroy(new_args);
165  ASSERT_NE(connector, nullptr);
166  TlsChannelSecurityConnector* tls_connector =
167  static_cast<TlsChannelSecurityConnector*>(connector.get());
168  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
169 }
170 
171 TEST_F(GrpcTlsCredentialsOptionsTest,
172  ServerOptionsWithStaticDataProviderOnBothCerts) {
173  auto options = MakeRefCounted<grpc_tls_credentials_options>();
174  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
175  root_cert_, MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
176  options->set_certificate_provider(std::move(provider));
177  options->set_watch_root_cert(true);
178  options->set_watch_identity_pair(true);
179  options->set_cert_request_type(
180  GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
181  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
182  ASSERT_NE(credentials, nullptr);
183  auto connector = credentials->create_security_connector(nullptr);
184  ASSERT_NE(connector, nullptr);
185  TlsServerSecurityConnector* tls_connector =
186  static_cast<TlsServerSecurityConnector*>(connector.get());
187  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
188  EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
189  EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
190 }
191 
192 TEST_F(GrpcTlsCredentialsOptionsTest,
193  ServerOptionsWithStaticDataProviderOnIdentityCerts) {
194  auto options = MakeRefCounted<grpc_tls_credentials_options>();
195  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
196  "", MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
197  options->set_certificate_provider(std::move(provider));
198  options->set_watch_identity_pair(true);
199  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
200  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
201  ASSERT_NE(credentials, nullptr);
202  auto connector = credentials->create_security_connector(nullptr);
203  ASSERT_NE(connector, nullptr);
204  TlsServerSecurityConnector* tls_connector =
205  static_cast<TlsServerSecurityConnector*>(connector.get());
206  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
207  EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
208  EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
209 }
210 
211 TEST_F(GrpcTlsCredentialsOptionsTest,
212  ServerOptionsWithStaticDataProviderOnNotProvidedCerts) {
213  auto options = MakeRefCounted<grpc_tls_credentials_options>();
214  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
215  root_cert_, PemKeyCertPairList());
216  options->set_certificate_provider(std::move(provider));
217  options->set_watch_identity_pair(true);
218  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
219  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
220  ASSERT_NE(credentials, nullptr);
221  auto connector = credentials->create_security_connector(nullptr);
222  ASSERT_NE(connector, nullptr);
223  TlsServerSecurityConnector* tls_connector =
224  static_cast<TlsServerSecurityConnector*>(connector.get());
225  EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
226 }
227 
228 //
229 // Tests for FileWatcherCertificateProvider.
230 //
231 
232 TEST_F(GrpcTlsCredentialsOptionsTest,
233  ClientOptionsWithCertWatcherProviderOnBothCerts) {
234  auto options = MakeRefCounted<grpc_tls_credentials_options>();
235  auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
236  SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
237  options->set_certificate_provider(std::move(provider));
238  options->set_watch_root_cert(true);
239  options->set_watch_identity_pair(true);
240  auto credentials = MakeRefCounted<TlsCredentials>(options);
241  ASSERT_NE(credentials, nullptr);
242  grpc_channel_args* new_args = nullptr;
243  auto connector = credentials->create_security_connector(
244  nullptr, "random targets", nullptr, &new_args);
245  grpc_channel_args_destroy(new_args);
246  ASSERT_NE(connector, nullptr);
247  TlsChannelSecurityConnector* tls_connector =
248  static_cast<TlsChannelSecurityConnector*>(connector.get());
249  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
250  EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
251  EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
252 }
253 
254 TEST_F(GrpcTlsCredentialsOptionsTest,
255  ClientOptionsWithCertWatcherProviderOnRootCerts) {
256  auto options = MakeRefCounted<grpc_tls_credentials_options>();
257  auto provider =
258  MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
259  options->set_certificate_provider(std::move(provider));
260  options->set_watch_root_cert(true);
261  auto credentials = MakeRefCounted<TlsCredentials>(options);
262  ASSERT_NE(credentials, nullptr);
263  grpc_channel_args* new_args = nullptr;
264  auto connector = credentials->create_security_connector(
265  nullptr, "random targets", nullptr, &new_args);
266  grpc_channel_args_destroy(new_args);
267  ASSERT_NE(connector, nullptr);
268  TlsChannelSecurityConnector* tls_connector =
269  static_cast<TlsChannelSecurityConnector*>(connector.get());
270  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
271  EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
272  EXPECT_FALSE(tls_connector->KeyCertPairListForTesting().has_value());
273 }
274 
275 TEST_F(GrpcTlsCredentialsOptionsTest,
276  ClientOptionsWithCertWatcherProviderOnNotProvidedCerts) {
277  auto options = MakeRefCounted<grpc_tls_credentials_options>();
278  auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
279  SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
280  options->set_certificate_provider(std::move(provider));
281  options->set_watch_root_cert(true);
282  auto credentials = MakeRefCounted<TlsCredentials>(options);
283  ASSERT_NE(credentials, nullptr);
284  grpc_channel_args* new_args = nullptr;
285  auto connector = credentials->create_security_connector(
286  nullptr, "random targets", nullptr, &new_args);
287  grpc_channel_args_destroy(new_args);
288  ASSERT_NE(connector, nullptr);
289  TlsChannelSecurityConnector* tls_connector =
290  static_cast<TlsChannelSecurityConnector*>(connector.get());
291  EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
292 }
293 
294 TEST_F(GrpcTlsCredentialsOptionsTest,
295  ClientOptionsWithCertWatcherProviderOnBadTrustCerts) {
296  auto options = MakeRefCounted<grpc_tls_credentials_options>();
297  auto provider =
298  MakeRefCounted<FileWatcherCertificateProvider>("", "", INVALID_PATH, 1);
299  options->set_certificate_provider(std::move(provider));
300  options->set_watch_root_cert(true);
301  auto credentials = MakeRefCounted<TlsCredentials>(options);
302  ASSERT_NE(credentials, nullptr);
303  grpc_channel_args* new_args = nullptr;
304  auto connector = credentials->create_security_connector(
305  nullptr, "random targets", nullptr, &new_args);
306  grpc_channel_args_destroy(new_args);
307  ASSERT_NE(connector, nullptr);
308  TlsChannelSecurityConnector* tls_connector =
309  static_cast<TlsChannelSecurityConnector*>(connector.get());
310  EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
311 }
312 
313 TEST_F(GrpcTlsCredentialsOptionsTest,
314  ServerOptionsWithCertWatcherProviderOnBothCerts) {
315  auto options = MakeRefCounted<grpc_tls_credentials_options>();
316  auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
317  SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, 1);
318  options->set_certificate_provider(std::move(provider));
319  options->set_watch_root_cert(true);
320  options->set_watch_identity_pair(true);
321  options->set_cert_request_type(
322  GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
323  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
324  ASSERT_NE(credentials, nullptr);
325  auto connector = credentials->create_security_connector(nullptr);
326  ASSERT_NE(connector, nullptr);
327  TlsServerSecurityConnector* tls_connector =
328  static_cast<TlsServerSecurityConnector*>(connector.get());
329  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
330  EXPECT_TRUE(tls_connector->RootCertsForTesting().has_value());
331  EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
332 }
333 
334 TEST_F(GrpcTlsCredentialsOptionsTest,
335  ServerOptionsWithCertWatcherProviderOnIdentityCerts) {
336  auto options = MakeRefCounted<grpc_tls_credentials_options>();
337  auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
338  SERVER_KEY_PATH, SERVER_CERT_PATH, "", 1);
339  options->set_certificate_provider(std::move(provider));
340  options->set_watch_identity_pair(true);
341  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
342  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
343  ASSERT_NE(credentials, nullptr);
344  auto connector = credentials->create_security_connector(nullptr);
345  ASSERT_NE(connector, nullptr);
346  TlsServerSecurityConnector* tls_connector =
347  static_cast<TlsServerSecurityConnector*>(connector.get());
348  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
349  EXPECT_FALSE(tls_connector->RootCertsForTesting().has_value());
350  EXPECT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
351 }
352 
353 TEST_F(GrpcTlsCredentialsOptionsTest,
354  ServerOptionsWithCertWatcherProviderOnNotProvidedCerts) {
355  auto options = MakeRefCounted<grpc_tls_credentials_options>();
356  auto provider =
357  MakeRefCounted<FileWatcherCertificateProvider>("", "", CA_CERT_PATH, 1);
358  options->set_certificate_provider(std::move(provider));
359  options->set_watch_identity_pair(true);
360  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
361  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
362  ASSERT_NE(credentials, nullptr);
363  auto connector = credentials->create_security_connector(nullptr);
364  ASSERT_NE(connector, nullptr);
365  TlsServerSecurityConnector* tls_connector =
366  static_cast<TlsServerSecurityConnector*>(connector.get());
367  EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
368 }
369 
370 TEST_F(GrpcTlsCredentialsOptionsTest,
371  ServerOptionsWithCertWatcherProviderOnBadIdentityCerts) {
372  auto options = MakeRefCounted<grpc_tls_credentials_options>();
373  auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
374  INVALID_PATH, INVALID_PATH, "", 1);
375  options->set_certificate_provider(std::move(provider));
376  options->set_watch_identity_pair(true);
377  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
378  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
379  ASSERT_NE(credentials, nullptr);
380  auto connector = credentials->create_security_connector(nullptr);
381  ASSERT_NE(connector, nullptr);
382  TlsServerSecurityConnector* tls_connector =
383  static_cast<TlsServerSecurityConnector*>(connector.get());
384  EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
385 }
386 
387 //
388 // Tests writing credential data to temporary files to test the
389 // transition behavior of the provider.
390 //
391 
392 TEST_F(GrpcTlsCredentialsOptionsTest,
393  ClientOptionsWithCertWatcherProviderOnCertificateRefreshed) {
394  // Create temporary files and copy cert data into them.
395  TmpFile tmp_root_cert(root_cert_);
396  TmpFile tmp_identity_key(private_key_);
397  TmpFile tmp_identity_cert(cert_chain_);
398  // Create ClientOptions using FileWatcherCertificateProvider.
399  auto options = MakeRefCounted<grpc_tls_credentials_options>();
400  auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
401  tmp_identity_key.name(), tmp_identity_cert.name(), tmp_root_cert.name(),
402  1);
403  options->set_certificate_provider(std::move(provider));
404  options->set_watch_root_cert(true);
405  options->set_watch_identity_pair(true);
406  auto credentials = MakeRefCounted<TlsCredentials>(options);
407  ASSERT_NE(credentials, nullptr);
408  grpc_channel_args* new_args = nullptr;
409  auto connector = credentials->create_security_connector(
410  nullptr, "random targets", nullptr, &new_args);
411  grpc_channel_args_destroy(new_args);
412  ASSERT_NE(connector, nullptr);
413  TlsChannelSecurityConnector* tls_connector =
414  static_cast<TlsChannelSecurityConnector*>(connector.get());
415  // Expect to see the credential data.
416  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
417  ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
418  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
419  ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
420  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
421  MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
422  // Copy new data to files.
423  // TODO(ZhenLian): right now it is not completely atomic. Use the real atomic
424  // update when the directory renaming is added in gpr.
425  tmp_root_cert.RewriteFile(root_cert_2_);
426  tmp_identity_key.RewriteFile(private_key_2_);
427  tmp_identity_cert.RewriteFile(cert_chain_2_);
428  // Wait 2 seconds for the provider's refresh thread to read the updated files.
429  gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
430  gpr_time_from_seconds(2, GPR_TIMESPAN)));
431  // Expect to see new credential data loaded by the security connector.
432  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
433  ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
434  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_2_);
435  ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
436  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
437  MakeCertKeyPairs(private_key_2_.c_str(), cert_chain_2_.c_str()));
438 }
439 
440 TEST_F(GrpcTlsCredentialsOptionsTest,
441  ClientOptionsWithCertWatcherProviderOnDeletedFiles) {
442  // Create temporary files and copy cert data into it.
443  auto tmp_root_cert = absl::make_unique<TmpFile>(root_cert_);
444  auto tmp_identity_key = absl::make_unique<TmpFile>(private_key_);
445  auto tmp_identity_cert = absl::make_unique<TmpFile>(cert_chain_);
446  // Create ClientOptions using FileWatcherCertificateProvider.
447  auto options = MakeRefCounted<grpc_tls_credentials_options>();
448  auto provider = MakeRefCounted<FileWatcherCertificateProvider>(
449  tmp_identity_key->name(), tmp_identity_cert->name(),
450  tmp_root_cert->name(), 1);
451  options->set_certificate_provider(std::move(provider));
452  options->set_watch_root_cert(true);
453  options->set_watch_identity_pair(true);
454  auto credentials = MakeRefCounted<TlsCredentials>(options);
455  ASSERT_NE(credentials, nullptr);
456  grpc_channel_args* new_args = nullptr;
457  auto connector = credentials->create_security_connector(
458  nullptr, "random targets", nullptr, &new_args);
459  grpc_channel_args_destroy(new_args);
460  ASSERT_NE(connector, nullptr);
461  TlsChannelSecurityConnector* tls_connector =
462  static_cast<TlsChannelSecurityConnector*>(connector.get());
463  // The initial data is all good, so we expect to have successful credential
464  // updates.
465  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
466  ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
467  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
468  ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
469  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
470  MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
471  // Delete TmpFile objects, which will remove the corresponding files.
472  tmp_root_cert.reset();
473  tmp_identity_key.reset();
474  tmp_identity_cert.reset();
475  // Wait 2 seconds for the provider's refresh thread to read the deleted files.
476  gpr_sleep_until(gpr_time_add(gpr_now(GPR_CLOCK_MONOTONIC),
477  gpr_time_from_seconds(2, GPR_TIMESPAN)));
478  // It's a bit hard to test if errors are sent to the security connector,
479  // because the security connector simply logs the error. We will see the err
480  // messages if we open the log.
481  // The old certs should still being used.
482  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
483  ASSERT_TRUE(tls_connector->RootCertsForTesting().has_value());
484  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_);
485  ASSERT_TRUE(tls_connector->KeyCertPairListForTesting().has_value());
486  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(),
487  MakeCertKeyPairs(private_key_.c_str(), cert_chain_.c_str()));
488 }
489 
490 //
491 // Tests for ExternalCertificateVerifier.
492 // It will only test the creation of security connector, so the actual verify
493 // logic is not invoked.
494 //
495 
496 TEST_F(GrpcTlsCredentialsOptionsTest, ClientOptionsWithExternalVerifier) {
497  auto* sync_verifier_ = new SyncExternalVerifier(true);
498  ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
499  auto options = MakeRefCounted<grpc_tls_credentials_options>();
500  options->set_verify_server_cert(true);
501  options->set_certificate_verifier(core_external_verifier.Ref());
502  options->set_check_call_host(false);
503  auto credentials = MakeRefCounted<TlsCredentials>(options);
504  ASSERT_NE(credentials, nullptr);
505  grpc_channel_args* new_args = nullptr;
506  auto connector = credentials->create_security_connector(
507  nullptr, "random targets", nullptr, &new_args);
508  grpc_channel_args_destroy(new_args);
509  ASSERT_NE(connector, nullptr);
510  TlsChannelSecurityConnector* tls_connector =
511  static_cast<TlsChannelSecurityConnector*>(connector.get());
512  EXPECT_NE(tls_connector, nullptr);
513 }
514 
515 TEST_F(GrpcTlsCredentialsOptionsTest, ServerOptionsWithExternalVerifier) {
516  auto* sync_verifier_ = new SyncExternalVerifier(true);
517  ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
518  auto options = MakeRefCounted<grpc_tls_credentials_options>();
519  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
520  options->set_certificate_verifier(core_external_verifier.Ref());
521  // On server side we have to set the provider providing identity certs.
522  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
523  root_cert_, PemKeyCertPairList());
524  options->set_certificate_provider(std::move(provider));
525  options->set_watch_identity_pair(true);
526  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
527  ASSERT_NE(credentials, nullptr);
528  auto connector = credentials->create_security_connector(nullptr);
529  ASSERT_NE(connector, nullptr);
530  TlsServerSecurityConnector* tls_connector =
531  static_cast<TlsServerSecurityConnector*>(connector.get());
532  EXPECT_NE(tls_connector, nullptr);
533 }
534 
535 //
536 // Tests for HostnameCertificateVerifier.
537 //
538 
539 TEST_F(GrpcTlsCredentialsOptionsTest,
540  ClientOptionsWithHostnameCertificateVerifier) {
541  auto options = MakeRefCounted<grpc_tls_credentials_options>();
542  options->set_verify_server_cert(true);
543  options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
544  auto credentials = MakeRefCounted<TlsCredentials>(options);
545  ASSERT_NE(credentials, nullptr);
546  grpc_channel_args* new_args = nullptr;
547  auto connector = credentials->create_security_connector(
548  nullptr, "random targets", nullptr, &new_args);
549  grpc_channel_args_destroy(new_args);
550  ASSERT_NE(connector, nullptr);
551  TlsChannelSecurityConnector* tls_connector =
552  static_cast<TlsChannelSecurityConnector*>(connector.get());
553  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
554 }
555 
556 TEST_F(GrpcTlsCredentialsOptionsTest,
557  ServerOptionsWithHostnameCertificateVerifier) {
558  auto options = MakeRefCounted<grpc_tls_credentials_options>();
559  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
560  options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
561  // On server side we have to set the provider providing identity certs.
562  auto provider = MakeRefCounted<StaticDataCertificateProvider>(
563  root_cert_, PemKeyCertPairList());
564  options->set_certificate_provider(std::move(provider));
565  options->set_watch_identity_pair(true);
566  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
567  ASSERT_NE(credentials, nullptr);
568  auto connector = credentials->create_security_connector(nullptr);
569  ASSERT_NE(connector, nullptr);
570  TlsServerSecurityConnector* tls_connector =
571  static_cast<TlsServerSecurityConnector*>(connector.get());
572  EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
573 }
574 
575 } // namespace testing
576 
577 } // namespace grpc_core
578 
579 int main(int argc, char** argv) {
580  grpc::testing::TestEnvironment env(&argc, argv);
581  GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
582  ::testing::InitGoogleTest(&argc, argv);
583  grpc_init();
584  int ret = RUN_ALL_TESTS();
585  grpc_shutdown();
586  return ret;
587 }
EXPECT_FALSE
#define EXPECT_FALSE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1970
grpc_core::testing::TmpFile
Definition: test/core/util/tls_utils.h:27
GPR_TIMESPAN
@ GPR_TIMESPAN
Definition: gpr_types.h:45
testing
Definition: aws_request_signer_test.cc:25
ASSERT_NE
#define ASSERT_NE(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2060
tls_credentials.h
log.h
grpc_core::testing::SyncExternalVerifier
Definition: test/core/util/tls_utils.h:58
grpc_core::testing::MakeCertKeyPairs
PemKeyCertPairList MakeCertKeyPairs(absl::string_view private_key, absl::string_view certs)
Definition: test/core/util/tls_utils.cc:60
tls_utils.h
generate.env
env
Definition: generate.py:37
grpc_core::testing::GrpcTlsCredentialsOptionsTest::cert_chain_2_
std::string cert_chain_2_
Definition: grpc_tls_credentials_options_test.cc:64
load_file.h
grpc_core::testing::GrpcTlsCredentialsOptionsTest::root_cert_2_
std::string root_cert_2_
Definition: grpc_tls_credentials_options_test.cc:62
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::testing::GrpcTlsCredentialsOptionsTest::private_key_2_
std::string private_key_2_
Definition: grpc_tls_credentials_options_test.cc:63
SERVER_CERT_PATH
#define SERVER_CERT_PATH
Definition: grpc_tls_credentials_options_test.cc:37
options
double_dict options[]
Definition: capstone_test.c:55
grpc_core::TlsChannelSecurityConnector
Definition: tls_security_connector.h:56
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
grpc_core::ExternalCertificateVerifier
Definition: grpc_tls_certificate_verifier.h:82
grpc_core::TlsServerSecurityConnector::KeyCertPairListForTesting
const absl::optional< PemKeyCertPairList > & KeyCertPairListForTesting()
Definition: tls_security_connector.h:213
grpc_core::TlsServerSecurityConnector
Definition: tls_security_connector.h:177
grpc_core::testing::TEST_F
TEST_F(ServiceConfigTest, ErrorCheck1)
Definition: service_config_test.cc:192
grpc_channel_args
Definition: grpc_types.h:132
grpc_core::testing::GrpcTlsCredentialsOptionsTest::root_cert_
std::string root_cert_
Definition: grpc_tls_credentials_options_test.cc:59
testing::Test
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:402
grpc_core::testing::TmpFile::RewriteFile
void RewriteFile(absl::string_view data)
Definition: test/core/util/tls_utils.cc:37
EXPECT_EQ
#define EXPECT_EQ(a, b)
Definition: iomgr/time_averaged_stats_test.cc:27
grpc_core::TlsServerSecurityConnector::ServerHandshakerFactoryForTesting
tsi_ssl_server_handshaker_factory * ServerHandshakerFactoryForTesting()
Definition: tls_security_connector.h:203
string_util.h
root_cert_
std::string root_cert_
Definition: xds_end2end_test.cc:415
INVALID_PATH
#define INVALID_PATH
Definition: grpc_tls_credentials_options_test.cc:42
CA_CERT_PATH
#define CA_CERT_PATH
Definition: grpc_tls_credentials_options_test.cc:36
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
grpc_core::HostNameCertificateVerifier
Definition: grpc_tls_certificate_verifier.h:148
absl::optional::has_value
constexpr bool has_value() const noexcept
Definition: abseil-cpp/absl/types/optional.h:461
EXPECT_NE
#define EXPECT_NE(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2028
grpc_core::TlsChannelSecurityConnector::RootCertsForTesting
absl::optional< absl::string_view > RootCertsForTesting()
Definition: tls_security_connector.h:98
gpr_sleep_until
GPRAPI void gpr_sleep_until(gpr_timespec until)
tmpfile.h
grpc_channel_args_destroy
void grpc_channel_args_destroy(grpc_channel_args *a)
Definition: channel_args.cc:360
GPR_CLOCK_MONOTONIC
@ GPR_CLOCK_MONOTONIC
Definition: gpr_types.h:36
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
ssl_utils_config.h
gpr_now
GPRAPI gpr_timespec gpr_now(gpr_clock_type clock)
GPR_GLOBAL_CONFIG_SET
#define GPR_GLOBAL_CONFIG_SET(name, value)
Definition: global_config_generic.h:26
grpc_core::testing::TmpFile::name
const std::string & name()
Definition: test/core/util/tls_utils.h:34
grpc_core::testing::GrpcTlsCredentialsOptionsTest::private_key_
std::string private_key_
Definition: grpc_tls_credentials_options_test.cc:60
test_config.h
SERVER_KEY_PATH
#define SERVER_KEY_PATH
Definition: grpc_tls_credentials_options_test.cc:38
grpc_core::TlsServerSecurityConnector::RootCertsForTesting
const absl::optional< absl::string_view > & RootCertsForTesting()
Definition: tls_security_connector.h:208
SERVER_KEY_PATH_2
#define SERVER_KEY_PATH_2
Definition: grpc_tls_credentials_options_test.cc:41
grpc_core::testing::GrpcTlsCredentialsOptionsTest
Definition: grpc_tls_credentials_options_test.cc:48
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
grpc_tls_credentials_options.h
gpr_time_add
GPRAPI gpr_timespec gpr_time_add(gpr_timespec a, gpr_timespec b)
Definition: src/core/lib/gpr/time.cc:135
grpc_core::PemKeyCertPairList
std::vector< PemKeyCertPair > PemKeyCertPairList
Definition: ssl_utils.h:183
GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE
@ GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE
Definition: grpc_security_constants.h:84
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
alloc.h
grpc::testing::TestEnvironment
Definition: test/core/util/test_config.h:54
grpc_core::testing::GrpcTlsCredentialsOptionsTest::SetUp
void SetUp() override
Definition: grpc_tls_credentials_options_test.cc:50
ASSERT_TRUE
#define ASSERT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1973
grpc_core::TlsChannelSecurityConnector::ClientHandshakerFactoryForTesting
tsi_ssl_client_handshaker_factory * ClientHandshakerFactoryForTesting()
Definition: tls_security_connector.h:93
grpc_core::testing::GrpcTlsCredentialsOptionsTest::cert_chain_
std::string cert_chain_
Definition: grpc_tls_credentials_options_test.cc:61
EXPECT_TRUE
#define EXPECT_TRUE(condition)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:1967
main
int main(int argc, char **argv)
Definition: grpc_tls_credentials_options_test.cc:579
tls_security_connector.h
CA_CERT_PATH_2
#define CA_CERT_PATH_2
Definition: grpc_tls_credentials_options_test.cc:39
GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
@ GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
Definition: grpc_security_constants.h:125
grpc_init
GRPCAPI void grpc_init(void)
Definition: init.cc:146
grpc_core::testing::GetFileContents
std::string GetFileContents(const char *path)
Definition: test/core/util/tls_utils.cc:68
SERVER_CERT_PATH_2
#define SERVER_CERT_PATH_2
Definition: grpc_tls_credentials_options_test.cc:40
grpc_shutdown
GRPCAPI void grpc_shutdown(void)
Definition: init.cc:209
grpc_core::RefCounted::Ref
RefCountedPtr< Child > Ref() GRPC_MUST_USE_RESULT
Definition: ref_counted.h:287
grpc_core::TlsChannelSecurityConnector::KeyCertPairListForTesting
absl::optional< PemKeyCertPairList > KeyCertPairListForTesting()
Definition: tls_security_connector.h:103
gpr_time_from_seconds
GPRAPI gpr_timespec gpr_time_from_seconds(int64_t s, gpr_clock_type clock_type)
Definition: src/core/lib/gpr/time.cc:123
grpc_core::testing::GrpcTlsCredentialsOptionsTest::hostname_certificate_verifier_
HostNameCertificateVerifier hostname_certificate_verifier_
Definition: grpc_tls_credentials_options_test.cc:65

grpc
Author(s):
autogenerated on Fri May 16 2025 02:58:45