xds_certificate_provider_test.cc
Go to the documentation of this file.
1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #include "src/core/ext/xds/xds_certificate_provider.h"
20 
21 #include <gmock/gmock.h>
22 #include <gtest/gtest.h>
23 
24 #include "test/core/util/test_config.h"
25 #include "test/core/util/tls_utils.h"
26 
27 namespace grpc_core {
28 namespace testing {
29 namespace {
30 
31 constexpr const char* kRootCert1 = "root_cert_1_contents";
32 constexpr const char* kRootCert2 = "root_cert_2_contents";
33 constexpr const char* kIdentityCert1PrivateKey = "identity_private_key_1";
34 constexpr const char* kIdentityCert1 = "identity_cert_1_contents";
35 constexpr const char* kIdentityCert2PrivateKey = "identity_private_key_2";
36 constexpr const char* kIdentityCert2 = "identity_cert_2_contents";
37 constexpr const char* kRootErrorMessage = "root_error_message";
38 constexpr const char* kIdentityErrorMessage = "identity_error_message";
39 
40 PemKeyCertPairList MakeKeyCertPairsType1() {
41  return MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1);
42 }
43 
44 PemKeyCertPairList MakeKeyCertPairsType2() {
45  return MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2);
46 }
47 
48 class TestCertificatesWatcher
49  : public grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface {
50  public:
51  ~TestCertificatesWatcher() override {
52  GRPC_ERROR_UNREF(root_cert_error_);
53  GRPC_ERROR_UNREF(identity_cert_error_);
54  }
55 
56  void OnCertificatesChanged(
57  absl::optional<absl::string_view> root_certs,
58  absl::optional<PemKeyCertPairList> key_cert_pairs) override {
59  if (root_certs.has_value()) {
60  if (!root_certs_.has_value() ||
61  (root_certs_.has_value() &&
62  std::string(root_certs.value()) != root_certs_.value())) {
63  GRPC_ERROR_UNREF(root_cert_error_);
64  root_cert_error_ = GRPC_ERROR_NONE;
65  }
66  root_certs_.emplace(std::string(root_certs.value()));
67  }
68  if (key_cert_pairs.has_value()) {
69  if (key_cert_pairs != key_cert_pairs_) {
70  GRPC_ERROR_UNREF(identity_cert_error_);
71  identity_cert_error_ = GRPC_ERROR_NONE;
72  key_cert_pairs_ = key_cert_pairs;
73  }
74  }
75  }
76 
77  void OnError(grpc_error_handle root_cert_error,
78  grpc_error_handle identity_cert_error) override {
79  GRPC_ERROR_UNREF(root_cert_error_);
80  root_cert_error_ = root_cert_error;
81  GRPC_ERROR_UNREF(identity_cert_error_);
82  identity_cert_error_ = identity_cert_error;
83  }
84 
85  const absl::optional<std::string>& root_certs() const { return root_certs_; }
86 
87  const absl::optional<PemKeyCertPairList>& key_cert_pairs() const {
88  return key_cert_pairs_;
89  }
90 
91  grpc_error_handle root_cert_error() const { return root_cert_error_; }
92 
93  grpc_error_handle identity_cert_error() const { return identity_cert_error_; }
94 
95  private:
96  absl::optional<std::string> root_certs_;
97  absl::optional<PemKeyCertPairList> key_cert_pairs_;
98  grpc_error_handle root_cert_error_ = GRPC_ERROR_NONE;
99  grpc_error_handle identity_cert_error_ = GRPC_ERROR_NONE;
100 };
101 
102 TEST(
103  XdsCertificateProviderTest,
104  RootCertDistributorDifferentFromIdentityCertDistributorDifferentCertNames) {
105  auto root_cert_distributor =
106  MakeRefCounted<grpc_tls_certificate_distributor>();
107  auto identity_cert_distributor =
108  MakeRefCounted<grpc_tls_certificate_distributor>();
109  XdsCertificateProvider provider;
110  provider.UpdateRootCertNameAndDistributor("", "root", root_cert_distributor);
111  provider.UpdateIdentityCertNameAndDistributor("", "identity",
112  identity_cert_distributor);
113  auto* watcher = new TestCertificatesWatcher;
114  provider.distributor()->WatchTlsCertificates(
115  std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
116  EXPECT_EQ(watcher->root_certs(), absl::nullopt);
117  EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
118  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
119  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
120  // Update both root certs and identity certs
121  root_cert_distributor->SetKeyMaterials("root", kRootCert1, absl::nullopt);
122  identity_cert_distributor->SetKeyMaterials("identity", absl::nullopt,
123  MakeKeyCertPairsType1());
124  EXPECT_EQ(watcher->root_certs(), kRootCert1);
125  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
126  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
127  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
128  // Second update for just root certs
129  root_cert_distributor->SetKeyMaterials(
130  "root", kRootCert2,
131  MakeKeyCertPairsType2() /* does not have an effect */);
132  EXPECT_EQ(watcher->root_certs(), kRootCert2);
133  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
134  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
135  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
136  // Second update for identity certs
137  identity_cert_distributor->SetKeyMaterials(
138  "identity", kRootCert1 /* does not have an effect */,
139  MakeKeyCertPairsType2());
140  EXPECT_EQ(watcher->root_certs(), kRootCert2);
141  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
142  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
143  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
144  // Set error for both root and identity
145  root_cert_distributor->SetErrorForCert(
146  "root", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
147  absl::nullopt);
148  identity_cert_distributor->SetErrorForCert(
149  "identity", absl::nullopt,
150  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
151  EXPECT_EQ(watcher->root_certs(), kRootCert2);
152  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
153  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
154  ::testing::HasSubstr(kRootErrorMessage));
155  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
156  ::testing::HasSubstr(kIdentityErrorMessage));
157  // Send an update for root certs. Test that the root cert error is reset.
158  root_cert_distributor->SetKeyMaterials("root", kRootCert1, absl::nullopt);
159  EXPECT_EQ(watcher->root_certs(), kRootCert1);
160  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
161  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
162  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
163  ::testing::HasSubstr(kIdentityErrorMessage));
164  // Send an update for identity certs. Test that the identity cert error is
165  // reset.
166  identity_cert_distributor->SetKeyMaterials("identity", absl::nullopt,
167  MakeKeyCertPairsType1());
168  EXPECT_EQ(watcher->root_certs(), kRootCert1);
169  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
170  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
171  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
172 }
173 
174 TEST(XdsCertificateProviderTest,
175  RootCertDistributorDifferentFromIdentityCertDistributorSameCertNames) {
176  auto root_cert_distributor =
177  MakeRefCounted<grpc_tls_certificate_distributor>();
178  auto identity_cert_distributor =
179  MakeRefCounted<grpc_tls_certificate_distributor>();
180  XdsCertificateProvider provider;
181  provider.UpdateRootCertNameAndDistributor("", "test", root_cert_distributor);
182  provider.UpdateIdentityCertNameAndDistributor("", "test",
183  identity_cert_distributor);
184  auto* watcher = new TestCertificatesWatcher;
185  provider.distributor()->WatchTlsCertificates(
186  std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
187  EXPECT_EQ(watcher->root_certs(), absl::nullopt);
188  EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
189  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
190  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
191  // Update both root certs and identity certs
192  root_cert_distributor->SetKeyMaterials("test", kRootCert1, absl::nullopt);
193  identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
194  MakeKeyCertPairsType1());
195  EXPECT_EQ(watcher->root_certs(), kRootCert1);
196  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
197  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
198  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
199  // Second update for just root certs
200  root_cert_distributor->SetKeyMaterials("test", kRootCert2, absl::nullopt);
201  EXPECT_EQ(watcher->root_certs(), kRootCert2);
202  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
203  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
204  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
205  // Second update for identity certs
206  identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
207  MakeKeyCertPairsType2());
208  EXPECT_EQ(watcher->root_certs(), kRootCert2);
209  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
210  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
211  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
212  // Set error for both root and identity
213  root_cert_distributor->SetErrorForCert(
214  "test", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
215  absl::nullopt);
216  identity_cert_distributor->SetErrorForCert(
217  "test", absl::nullopt,
218  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
219  EXPECT_EQ(watcher->root_certs(), kRootCert2);
220  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
221  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
222  ::testing::HasSubstr(kRootErrorMessage));
223  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
224  ::testing::HasSubstr(kIdentityErrorMessage));
225  // Send an update for root certs. Test that the root cert error is reset.
226  root_cert_distributor->SetKeyMaterials("test", kRootCert1, absl::nullopt);
227  EXPECT_EQ(watcher->root_certs(), kRootCert1);
228  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
229  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
230  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
231  ::testing::HasSubstr(kIdentityErrorMessage));
232  // Send an update for identity certs. Test that the identity cert error is
233  // reset.
234  identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
235  MakeKeyCertPairsType1());
236  EXPECT_EQ(watcher->root_certs(), kRootCert1);
237  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
238  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
239  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
240  // Test update on unwatched cert name
241  identity_cert_distributor->SetKeyMaterials("identity", kRootCert2,
242  MakeKeyCertPairsType2());
243  root_cert_distributor->SetKeyMaterials("root", kRootCert1,
244  MakeKeyCertPairsType1());
245 }
246 
247 TEST(XdsCertificateProviderTest,
248  RootCertDistributorSameAsIdentityCertDistributorDifferentCertNames) {
249  auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
250  XdsCertificateProvider provider;
251  provider.UpdateRootCertNameAndDistributor("", "root", distributor);
252  provider.UpdateIdentityCertNameAndDistributor("", "identity", distributor);
253  auto* watcher = new TestCertificatesWatcher;
254  provider.distributor()->WatchTlsCertificates(
255  std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
256  EXPECT_EQ(watcher->root_certs(), absl::nullopt);
257  EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
258  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
259  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
260  // Update both root certs and identity certs
261  distributor->SetKeyMaterials("root", kRootCert1, MakeKeyCertPairsType2());
262  distributor->SetKeyMaterials("identity", kRootCert2, MakeKeyCertPairsType1());
263  EXPECT_EQ(watcher->root_certs(), kRootCert1);
264  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
265  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
266  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
267  // Second update for just root certs
268  distributor->SetKeyMaterials("root", kRootCert2, MakeKeyCertPairsType2());
269  EXPECT_EQ(watcher->root_certs(), kRootCert2);
270  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
271  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
272  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
273  // Second update for identity certs
274  distributor->SetKeyMaterials("identity", kRootCert1, MakeKeyCertPairsType2());
275  EXPECT_EQ(watcher->root_certs(), kRootCert2);
276  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
277  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
278  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
279  // Set error for root
280  distributor->SetErrorForCert(
281  "root", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
282  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage));
283  EXPECT_EQ(watcher->root_certs(), kRootCert2);
284  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
285  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
286  ::testing::HasSubstr(kRootErrorMessage));
287  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
288  distributor->SetErrorForCert(
289  "identity", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage),
290  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
291  EXPECT_EQ(watcher->root_certs(), kRootCert2);
292  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
293  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
294  ::testing::HasSubstr(kRootErrorMessage));
295  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
296  ::testing::HasSubstr(kIdentityErrorMessage));
297  // Send an update for root
298  distributor->SetKeyMaterials("root", kRootCert1, MakeKeyCertPairsType1());
299  EXPECT_EQ(watcher->root_certs(), kRootCert1);
300  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
301  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
302  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
303  ::testing::HasSubstr(kIdentityErrorMessage));
304  // Send an update for identity
305  distributor->SetKeyMaterials("identity", kRootCert2, MakeKeyCertPairsType1());
306  EXPECT_EQ(watcher->root_certs(), kRootCert1);
307  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
308  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
309  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
310 }
311 
312 TEST(XdsCertificateProviderTest,
313  RootCertDistributorSameAsIdentityCertDistributorSameCertNames) {
314  auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
315  XdsCertificateProvider provider;
316  provider.UpdateRootCertNameAndDistributor("", "", distributor);
317  provider.UpdateIdentityCertNameAndDistributor("", "", distributor);
318  auto* watcher = new TestCertificatesWatcher;
319  provider.distributor()->WatchTlsCertificates(
320  std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
321  EXPECT_EQ(watcher->root_certs(), absl::nullopt);
322  EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
323  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
324  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
325  // Update both root certs and identity certs
326  distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
327  EXPECT_EQ(watcher->root_certs(), kRootCert1);
328  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
329  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
330  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
331  // Second update for just root certs
332  distributor->SetKeyMaterials("", kRootCert2, absl::nullopt);
333  EXPECT_EQ(watcher->root_certs(), kRootCert2);
334  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
335  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
336  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
337  // Second update for identity certs
338  distributor->SetKeyMaterials("", absl::nullopt, MakeKeyCertPairsType2());
339  EXPECT_EQ(watcher->root_certs(), kRootCert2);
340  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
341  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
342  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
343  // Set error for root
344  distributor->SetErrorForCert(
345  "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
346  absl::nullopt);
347  EXPECT_EQ(watcher->root_certs(), kRootCert2);
348  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
349  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
350  ::testing::HasSubstr(kRootErrorMessage));
351  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
352  // Set error for identity
353  distributor->SetErrorForCert(
354  "", absl::nullopt,
355  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
356  EXPECT_EQ(watcher->root_certs(), kRootCert2);
357  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
358  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
359  ::testing::HasSubstr(kRootErrorMessage));
360  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
361  ::testing::HasSubstr(kIdentityErrorMessage));
362  // Send an update for root
363  distributor->SetKeyMaterials("", kRootCert1, absl::nullopt);
364  EXPECT_EQ(watcher->root_certs(), kRootCert1);
365  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
366  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
367  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
368  ::testing::HasSubstr(kIdentityErrorMessage));
369  // Send an update for identity
370  distributor->SetKeyMaterials("", absl::nullopt, MakeKeyCertPairsType1());
371  EXPECT_EQ(watcher->root_certs(), kRootCert1);
372  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
373  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
374  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
375 }
376 
377 TEST(XdsCertificateProviderTest, SwapOutDistributorsMultipleTimes) {
378  auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
379  distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
380  XdsCertificateProvider provider;
381  auto* watcher = new TestCertificatesWatcher;
382  provider.distributor()->WatchTlsCertificates(
383  std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
384  // Initially there are no certificate providers.
385  EXPECT_EQ(watcher->root_certs(), absl::nullopt);
386  EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
387  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
388  ::testing::HasSubstr(
389  "No certificate provider available for root certificates"));
390  EXPECT_THAT(
391  grpc_error_std_string(watcher->identity_cert_error()),
392  ::testing::HasSubstr(
393  "No certificate provider available for identity certificates"));
394  // Update root cert distributor.
395  provider.UpdateRootCertNameAndDistributor("", "", distributor);
396  EXPECT_EQ(watcher->root_certs(), kRootCert1);
397  EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
398  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
399  EXPECT_THAT(
400  grpc_error_std_string(watcher->identity_cert_error()),
401  ::testing::HasSubstr(
402  "No certificate provider available for identity certificates"));
403  // Update identity cert distributor
404  provider.UpdateIdentityCertNameAndDistributor("", "", distributor);
405  EXPECT_EQ(watcher->root_certs(), kRootCert1);
406  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
407  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
408  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
409  // Update both root and identity certs
410  distributor->SetKeyMaterials("", kRootCert2, MakeKeyCertPairsType2());
411  EXPECT_EQ(watcher->root_certs(), kRootCert2);
412  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
413  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
414  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
415  // Set error for both root and identity
416  distributor->SetErrorForCert(
417  "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
418  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
419  EXPECT_EQ(watcher->root_certs(), kRootCert2);
420  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
421  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
422  ::testing::HasSubstr(kRootErrorMessage));
423  EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
424  ::testing::HasSubstr(kIdentityErrorMessage));
425  // Send an update again
426  distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
427  EXPECT_EQ(watcher->root_certs(), kRootCert1);
428  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
429  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
430  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
431  // Remove root cert provider
432  provider.UpdateRootCertNameAndDistributor("", "", nullptr);
433  distributor->SetKeyMaterials("", kRootCert2, MakeKeyCertPairsType2());
434  EXPECT_EQ(watcher->root_certs(), kRootCert1); // not updated
435  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
436  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
437  ::testing::HasSubstr(
438  "No certificate provider available for root certificates"));
439  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
440  // Remove identity cert provider too
441  provider.UpdateIdentityCertNameAndDistributor("", "", nullptr);
442  distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
443  EXPECT_EQ(watcher->root_certs(), kRootCert1);
444  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2()); // not updated
445  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
446  ::testing::HasSubstr(
447  "No certificate provider available for root certificates"));
448  EXPECT_THAT(
449  grpc_error_std_string(watcher->identity_cert_error()),
450  ::testing::HasSubstr(
451  "No certificate provider available for identity certificates"));
452  // Change certificate names being watched, without any certificate updates.
453  provider.UpdateRootCertNameAndDistributor("", "root", distributor);
454  provider.UpdateIdentityCertNameAndDistributor("", "identity", distributor);
455  EXPECT_EQ(watcher->root_certs(), kRootCert1);
456  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
457  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
458  ::testing::HasSubstr(
459  "No certificate provider available for root certificates"));
460  EXPECT_THAT(
461  grpc_error_std_string(watcher->identity_cert_error()),
462  ::testing::HasSubstr(
463  "No certificate provider available for identity certificates"));
464  // Send out certificate updates.
465  distributor->SetKeyMaterials("root", kRootCert2, absl::nullopt);
466  distributor->SetKeyMaterials("identity", absl::nullopt,
467  MakeKeyCertPairsType1());
468  EXPECT_EQ(watcher->root_certs(), kRootCert2);
469  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
470  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
471  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
472  // Swap in new certificate distributors with different certificate names and
473  // existing updates.
474  auto root_cert_distributor =
475  MakeRefCounted<grpc_tls_certificate_distributor>();
476  auto identity_cert_distributor =
477  MakeRefCounted<grpc_tls_certificate_distributor>();
478  provider.UpdateRootCertNameAndDistributor("", "root", root_cert_distributor);
479  provider.UpdateIdentityCertNameAndDistributor("", "identity",
480  identity_cert_distributor);
481  EXPECT_EQ(watcher->root_certs(), kRootCert2);
482  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
483  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
484  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
485  // Change certificate names without any certificate updates.
486  provider.UpdateRootCertNameAndDistributor("", "test", root_cert_distributor);
487  provider.UpdateIdentityCertNameAndDistributor("", "test",
488  identity_cert_distributor);
489  EXPECT_EQ(watcher->root_certs(), kRootCert2);
490  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
491  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
492  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
493  // Send out certificate updates.
494  root_cert_distributor->SetKeyMaterials("test", kRootCert1,
495  MakeKeyCertPairsType1());
496  identity_cert_distributor->SetKeyMaterials("test", kRootCert2,
497  MakeKeyCertPairsType2());
498  EXPECT_EQ(watcher->root_certs(), kRootCert1);
499  EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
500  EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
501  EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
502 }
503 
504 TEST(XdsCertificateProviderTest, MultipleCertNames) {
505  XdsCertificateProvider provider;
506  // Start watch for "test1". There are no underlying distributors for
507  // that cert name, so it will return an error.
508  auto* watcher1 = new TestCertificatesWatcher;
509  provider.distributor()->WatchTlsCertificates(
510  std::unique_ptr<TestCertificatesWatcher>(watcher1), "test1", "test1");
511  EXPECT_EQ(watcher1->root_certs(), absl::nullopt);
512  EXPECT_EQ(watcher1->key_cert_pairs(), absl::nullopt);
513  EXPECT_THAT(grpc_error_std_string(watcher1->root_cert_error()),
514  ::testing::HasSubstr(
515  "No certificate provider available for root certificates"));
516  EXPECT_THAT(
517  grpc_error_std_string(watcher1->identity_cert_error()),
518  ::testing::HasSubstr(
519  "No certificate provider available for identity certificates"));
520  // Add distributor for "test1". This will return data to the watcher.
521  auto cert_distributor1 = MakeRefCounted<grpc_tls_certificate_distributor>();
522  cert_distributor1->SetKeyMaterials("root", kRootCert1, absl::nullopt);
523  cert_distributor1->SetKeyMaterials("identity", absl::nullopt,
524  MakeKeyCertPairsType1());
525  provider.UpdateRootCertNameAndDistributor("test1", "root", cert_distributor1);
526  provider.UpdateIdentityCertNameAndDistributor("test1", "identity",
527  cert_distributor1);
528  EXPECT_EQ(watcher1->root_certs(), kRootCert1);
529  EXPECT_EQ(watcher1->key_cert_pairs(), MakeKeyCertPairsType1());
530  EXPECT_EQ(watcher1->root_cert_error(), GRPC_ERROR_NONE);
531  EXPECT_EQ(watcher1->identity_cert_error(), GRPC_ERROR_NONE);
532  // Add distributor for "test2".
533  auto cert_distributor2 = MakeRefCounted<grpc_tls_certificate_distributor>();
534  cert_distributor2->SetKeyMaterials("root2", kRootCert2, absl::nullopt);
535  cert_distributor2->SetKeyMaterials("identity2", absl::nullopt,
536  MakeKeyCertPairsType2());
537  provider.UpdateRootCertNameAndDistributor("test2", "root2",
538  cert_distributor2);
539  provider.UpdateIdentityCertNameAndDistributor("test2", "identity2",
540  cert_distributor2);
541  // Add watcher for "test2". This one should return data immediately.
542  auto* watcher2 = new TestCertificatesWatcher;
543  provider.distributor()->WatchTlsCertificates(
544  std::unique_ptr<TestCertificatesWatcher>(watcher2), "test2", "test2");
545  EXPECT_EQ(watcher2->root_certs(), kRootCert2);
546  EXPECT_EQ(watcher2->key_cert_pairs(), MakeKeyCertPairsType2());
547  EXPECT_EQ(watcher2->root_cert_error(), GRPC_ERROR_NONE);
548  EXPECT_EQ(watcher2->identity_cert_error(), GRPC_ERROR_NONE);
549  // The presence of "test2" should not affect "test1".
550  EXPECT_EQ(watcher1->root_certs(), kRootCert1);
551  EXPECT_EQ(watcher1->key_cert_pairs(), MakeKeyCertPairsType1());
552  EXPECT_EQ(watcher1->root_cert_error(), GRPC_ERROR_NONE);
553  EXPECT_EQ(watcher1->identity_cert_error(), GRPC_ERROR_NONE);
554 }
555 
556 TEST(XdsCertificateProviderTest, UnknownCertName) {
557  XdsCertificateProvider provider;
558  auto* watcher = new TestCertificatesWatcher;
559  provider.distributor()->WatchTlsCertificates(
560  std::unique_ptr<TestCertificatesWatcher>(watcher), "test", "test");
561  EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
562  ::testing::HasSubstr(
563  "No certificate provider available for root certificates"));
564  EXPECT_THAT(
565  grpc_error_std_string(watcher->identity_cert_error()),
566  ::testing::HasSubstr(
567  "No certificate provider available for identity certificates"));
568 }
569 
570 } // namespace
571 } // namespace testing
572 } // namespace grpc_core
573 
574 int main(int argc, char** argv) {
575  ::testing::InitGoogleTest(&argc, argv);
576  grpc::testing::TestEnvironment env(&argc, argv);
577  grpc_init();
578  auto result = RUN_ALL_TESTS();
579  grpc_shutdown();
580  return result;
581 }
_gevent_test_main.result
result
Definition: _gevent_test_main.py:96
testing
Definition: aws_request_signer_test.cc:25
GRPC_ERROR_NONE
#define GRPC_ERROR_NONE
Definition: error.h:234
grpc_core::testing::MakeCertKeyPairs
PemKeyCertPairList MakeCertKeyPairs(absl::string_view private_key, absl::string_view certs)
Definition: test/core/util/tls_utils.cc:60
main
int main(int argc, char **argv)
Definition: xds_certificate_provider_test.cc:574
tls_utils.h
generate.env
env
Definition: generate.py:37
EXPECT_THAT
#define EXPECT_THAT(value, matcher)
grpc_core
Definition: call_metric_recorder.h:31
identity_cert_error_
grpc_error_handle identity_cert_error_
Definition: xds_certificate_provider_test.cc:99
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
grpc_core::testing::kIdentityCert1PrivateKey
constexpr const char * kIdentityCert1PrivateKey
Definition: grpc_tls_certificate_distributor_test.cc:46
root_cert_error_
grpc_error_handle root_cert_error_
Definition: xds_certificate_provider_test.cc:98
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface
Definition: grpc_tls_certificate_distributor.h:47
grpc_core::testing::kRootErrorMessage
constexpr const char * kRootErrorMessage
Definition: grpc_tls_certificate_distributor_test.cc:52
EXPECT_EQ
#define EXPECT_EQ(a, b)
Definition: iomgr/time_averaged_stats_test.cc:27
absl::optional::has_value
constexpr bool has_value() const noexcept
Definition: abseil-cpp/absl/types/optional.h:461
grpc_core::testing::kIdentityCert2PrivateKey
constexpr const char * kIdentityCert2PrivateKey
Definition: grpc_tls_certificate_distributor_test.cc:49
grpc_core::testing::kIdentityErrorMessage
constexpr const char * kIdentityErrorMessage
Definition: grpc_tls_certificate_distributor_test.cc:53
absl::optional< absl::string_view >
gen_settings_ids.OnError
OnError
Definition: gen_settings_ids.py:27
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
GRPC_ERROR_CREATE_FROM_STATIC_STRING
#define GRPC_ERROR_CREATE_FROM_STATIC_STRING(desc)
Definition: error.h:291
test_config.h
absl::optional::value
constexpr const T & value() const &
Definition: abseil-cpp/absl/types/optional.h:475
key_cert_pairs_
absl::optional< PemKeyCertPairList > key_cert_pairs_
Definition: xds_certificate_provider_test.cc:97
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
grpc_error_std_string
std::string grpc_error_std_string(grpc_error_handle error)
Definition: error.cc:944
grpc_core::PemKeyCertPairList
std::vector< PemKeyCertPair > PemKeyCertPairList
Definition: ssl_utils.h:183
grpc::testing::TestEnvironment
Definition: test/core/util/test_config.h:54
GRPC_ERROR_UNREF
#define GRPC_ERROR_UNREF(err)
Definition: error.h:262
watcher
ClusterWatcher * watcher
Definition: cds.cc:148
grpc_core::testing::TEST
TEST(ServiceConfigParserTest, DoubleRegistration)
Definition: service_config_test.cc:448
xds_certificate_provider.h
grpc_init
GRPCAPI void grpc_init(void)
Definition: init.cc:146
grpc_error
Definition: error_internal.h:42
testing::HasSubstr
PolymorphicMatcher< internal::HasSubstrMatcher< internal::string > > HasSubstr(const internal::string &substring)
Definition: cares/cares/test/gmock-1.8.0/gmock/gmock.h:8803
grpc_shutdown
GRPCAPI void grpc_shutdown(void)
Definition: init.cc:209
root_certs_
absl::optional< std::string > root_certs_
Definition: xds_certificate_provider_test.cc:96
absl::optional::emplace
T & emplace(Args &&... args)
Definition: abseil-cpp/absl/types/optional.h:360

grpc
Author(s):
autogenerated on Fri May 16 2025 03:00:57