test/core/end2end/fixtures/h2_tls.cc

   1 /*
   2  *
   3  * Copyright 2018 gRPC authors.
   4  *
   5  * Licensed under the Apache License, Version 2.0 (the "License");
   6  * you may not use this file except in compliance with the License.
   7  * You may obtain a copy of the License at
   8  *
   9  *     http://www.apache.org/licenses/LICENSE-2.0
  10  *
  11  * Unless required by applicable law or agreed to in writing, software
  12  * distributed under the License is distributed on an "AS IS" BASIS,
  13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14  * See the License for the specific language governing permissions and
  15  * limitations under the License.
  16  *
  17  */
  18
  19 #include "test/core/end2end/end2end_tests.h"
  20
  21 #include <stdio.h>
  22 #include <string.h>
  23
  24 #include <grpc/grpc_security.h>
  25 #include <grpc/support/alloc.h>
  26 #include <grpc/support/log.h>
  27
  28 #include <grpc/support/string_util.h>
  29 #include "src/core/lib/channel/channel_args.h"
  30 #include "src/core/lib/gpr/env.h"
  31 #include "src/core/lib/gpr/string.h"
  32 #include "src/core/lib/gpr/tmpfile.h"
  33 #include "src/core/lib/gprpp/host_port.h"
  34 #include "src/core/lib/gprpp/inlined_vector.h"
  35 #include "src/core/lib/gprpp/thd.h"
  36 #include "src/core/lib/security/credentials/credentials.h"
  37 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
  38 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
  39 #include "test/core/end2end/data/ssl_test_data.h"
  40 #include "test/core/util/port.h"
  41 #include "test/core/util/test_config.h"
  42
  43 typedef grpc_core::InlinedVector<grpc_core::Thread, 1> ThreadList;
  44
  45 struct fullstack_secure_fixture_data {
  46   ~fullstack_secure_fixture_data() {
  47     for (size_t ind = 0; ind < thd_list.size(); ind++) {
  48       thd_list[ind].Join();
  49     }
  50   }
  51   grpc_core::UniquePtr<char> localaddr;
  52   ThreadList thd_list;
  53 };
  54
  55 static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack(
  56     grpc_channel_args* /*client_args*/, grpc_channel_args* /*server_args*/) {
  57   grpc_end2end_test_fixture f;
  58   int port = grpc_pick_unused_port_or_die();
  59   fullstack_secure_fixture_data* ffd = new fullstack_secure_fixture_data();
  60   memset(&f, 0, sizeof(f));
  61   grpc_core::JoinHostPort(&ffd->localaddr, "localhost", port);
  62   f.fixture_data = ffd;
  63   f.cq = grpc_completion_queue_create_for_next(nullptr);
  64   f.shutdown_cq = grpc_completion_queue_create_for_pluck(nullptr);
  65   return f;
  66 }
  67
  68 static void process_auth_failure(void* state, grpc_auth_context* /*ctx*/,
  69                                  const grpc_metadata* /*md*/,
  70                                  size_t /*md_count*/,
  71                                  grpc_process_auth_metadata_done_cb cb,
  72                                  void* user_data) {
  73   GPR_ASSERT(state == nullptr);
  74   cb(user_data, nullptr, 0, nullptr, 0, GRPC_STATUS_UNAUTHENTICATED, nullptr);
  75 }
  76
  77 static void chttp2_init_client_secure_fullstack(
  78     grpc_end2end_test_fixture* f, grpc_channel_args* client_args,
  79     grpc_channel_credentials* creds) {
  80   fullstack_secure_fixture_data* ffd =
  81       static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
  82   f->client = grpc_secure_channel_create(creds, ffd->localaddr.get(),
  83                                          client_args, nullptr);
  84   GPR_ASSERT(f->client != nullptr);
  85   grpc_channel_credentials_release(creds);
  86 }
  87
  88 static void chttp2_init_server_secure_fullstack(
  89     grpc_end2end_test_fixture* f, grpc_channel_args* server_args,
  90     grpc_server_credentials* server_creds) {
  91   fullstack_secure_fixture_data* ffd =
  92       static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
  93   if (f->server) {
  94     grpc_server_destroy(f->server);
  95   }
  96   f->server = grpc_server_create(server_args, nullptr);
  97   grpc_server_register_completion_queue(f->server, f->cq, nullptr);
  98   GPR_ASSERT(grpc_server_add_secure_http2_port(f->server, ffd->localaddr.get(),
  99                                                server_creds));
 100   grpc_server_credentials_release(server_creds);
 101   grpc_server_start(f->server);
 102 }
 103
 104 void chttp2_tear_down_secure_fullstack(grpc_end2end_test_fixture* f) {
 105   fullstack_secure_fixture_data* ffd =
 106       static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
 107   delete ffd;
 108 }
 109
 110 // Application-provided callback for server authorization check.
 111 static void server_authz_check_cb(void* user_data) {
 112   grpc_tls_server_authorization_check_arg* check_arg =
 113       static_cast<grpc_tls_server_authorization_check_arg*>(user_data);
 114   GPR_ASSERT(check_arg != nullptr);
 115   // result = 1 indicates the server authorization check passes.
 116   // Normally, the application code should resort to mapping information
 117   // between server identity and target name to derive the result.
 118   // For this test, we directly return 1 for simplicity.
 119   check_arg->success = 1;
 120   check_arg->status = GRPC_STATUS_OK;
 121   check_arg->cb(check_arg);
 122 }
 123
 124 // Asynchronous implementation of schedule field in
 125 // grpc_server_authorization_check_config.
 126 static int server_authz_check_async(
 127     void* config_user_data, grpc_tls_server_authorization_check_arg* arg) {
 128   fullstack_secure_fixture_data* ffd =
 129       static_cast<fullstack_secure_fixture_data*>(config_user_data);
 130   ffd->thd_list.push_back(
 131       grpc_core::Thread("h2_tls_test", &server_authz_check_cb, arg));
 132   ffd->thd_list[ffd->thd_list.size() - 1].Start();
 133   return 1;
 134 }
 135
 136 // Synchronous implementation of schedule field in
 137 // grpc_tls_credential_reload_config instance that is a part of client-side
 138 // grpc_tls_credentials_options instance.
 139 static int client_cred_reload_sync(void* /*config_user_data*/,
 140                                    grpc_tls_credential_reload_arg* arg) {
 141   if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
 142     arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
 143     return 0;
 144   }
 145   grpc_ssl_pem_key_cert_pair** key_cert_pair =
 146       static_cast<grpc_ssl_pem_key_cert_pair**>(
 147           gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair*)));
 148   key_cert_pair[0] = static_cast<grpc_ssl_pem_key_cert_pair*>(
 149       gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair)));
 150   key_cert_pair[0]->private_key = gpr_strdup(test_server1_key);
 151   key_cert_pair[0]->cert_chain = gpr_strdup(test_server1_cert);
 152   if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
 153     grpc_tls_key_materials_config_set_key_materials(
 154         arg->key_materials_config, gpr_strdup(test_root_cert),
 155         (const grpc_ssl_pem_key_cert_pair**)key_cert_pair, 1);
 156   }
 157   // new credential has been reloaded.
 158   arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
 159   return 0;
 160 }
 161
 162 // Synchronous implementation of schedule field in
 163 // grpc_tls_credential_reload_config instance that is a part of server-side
 164 // grpc_tls_credentials_options instance.
 165 static int server_cred_reload_sync(void* /*config_user_data*/,
 166                                    grpc_tls_credential_reload_arg* arg) {
 167   if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
 168     arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
 169     return 0;
 170   }
 171   grpc_ssl_pem_key_cert_pair** key_cert_pair =
 172       static_cast<grpc_ssl_pem_key_cert_pair**>(
 173           gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair*)));
 174   key_cert_pair[0] = static_cast<grpc_ssl_pem_key_cert_pair*>(
 175       gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair)));
 176   key_cert_pair[0]->private_key = gpr_strdup(test_server1_key);
 177   key_cert_pair[0]->cert_chain = gpr_strdup(test_server1_cert);
 178   GPR_ASSERT(arg != nullptr);
 179   GPR_ASSERT(arg->key_materials_config != nullptr);
 180   GPR_ASSERT(arg->key_materials_config->pem_key_cert_pair_list().data() !=
 181              nullptr);
 182   if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
 183     grpc_tls_key_materials_config_set_key_materials(
 184         arg->key_materials_config, gpr_strdup(test_root_cert),
 185         (const grpc_ssl_pem_key_cert_pair**)key_cert_pair, 1);
 186   }
 187   // new credential has been reloaded.
 188   arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
 189   return 0;
 190 }
 191
 192 // Create a TLS channel credential.
 193 static grpc_channel_credentials* create_tls_channel_credentials(
 194     fullstack_secure_fixture_data* ffd) {
 195   grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
 196   /* Set credential reload config. */
 197   grpc_tls_credential_reload_config* reload_config =
 198       grpc_tls_credential_reload_config_create(nullptr, client_cred_reload_sync,
 199                                                nullptr, nullptr);
 200   grpc_tls_credentials_options_set_credential_reload_config(options,
 201                                                             reload_config);
 202   /* Set server authorization check config. */
 203   grpc_tls_server_authorization_check_config* check_config =
 204       grpc_tls_server_authorization_check_config_create(
 205           ffd, server_authz_check_async, nullptr, nullptr);
 206   grpc_tls_credentials_options_set_server_authorization_check_config(
 207       options, check_config);
 208   /* Create TLS channel credentials. */
 209   grpc_channel_credentials* creds = grpc_tls_credentials_create(options);
 210   return creds;
 211 }
 212
 213 // Create a TLS server credential.
 214 static grpc_server_credentials* create_tls_server_credentials() {
 215   grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
 216   /* Set credential reload config. */
 217   grpc_tls_credential_reload_config* reload_config =
 218       grpc_tls_credential_reload_config_create(nullptr, server_cred_reload_sync,
 219                                                nullptr, nullptr);
 220   grpc_tls_credentials_options_set_credential_reload_config(options,
 221                                                             reload_config);
 222   /* Set client certificate request type. */
 223   grpc_tls_credentials_options_set_cert_request_type(
 224       options, GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
 225   grpc_server_credentials* creds = grpc_tls_server_credentials_create(options);
 226   return creds;
 227 }
 228
 229 static void chttp2_init_client(grpc_end2end_test_fixture* f,
 230                                grpc_channel_args* client_args) {
 231   grpc_channel_credentials* ssl_creds = create_tls_channel_credentials(
 232       static_cast<fullstack_secure_fixture_data*>(f->fixture_data));
 233   grpc_arg ssl_name_override = {
 234       GRPC_ARG_STRING,
 235       const_cast<char*>(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG),
 236       {const_cast<char*>("foo.test.google.fr")}};
 237   grpc_channel_args* new_client_args =
 238       grpc_channel_args_copy_and_add(client_args, &ssl_name_override, 1);
 239   chttp2_init_client_secure_fullstack(f, new_client_args, ssl_creds);
 240   grpc_channel_args_destroy(new_client_args);
 241 }
 242
 243 static int fail_server_auth_check(grpc_channel_args* server_args) {
 244   size_t i;
 245   if (server_args == nullptr) return 0;
 246   for (i = 0; i < server_args->num_args; i++) {
 247     if (strcmp(server_args->args[i].key, FAIL_AUTH_CHECK_SERVER_ARG_NAME) ==
 248         0) {
 249       return 1;
 250     }
 251   }
 252   return 0;
 253 }
 254
 255 static void chttp2_init_server(grpc_end2end_test_fixture* f,
 256                                grpc_channel_args* server_args) {
 257   grpc_server_credentials* ssl_creds = create_tls_server_credentials();
 258   if (fail_server_auth_check(server_args)) {
 259     grpc_auth_metadata_processor processor = {process_auth_failure, nullptr,
 260                                               nullptr};
 261     grpc_server_credentials_set_auth_metadata_processor(ssl_creds, processor);
 262   }
 263   chttp2_init_server_secure_fullstack(f, server_args, ssl_creds);
 264 }
 265
 266 static grpc_end2end_test_config configs[] = {
 267     /* client sync reload async authz + server sync reload. */
 268     {"chttp2/simple_ssl_fullstack",
 269      FEATURE_MASK_SUPPORTS_DELAYED_CONNECTION |
 270          FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
 271          FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL |
 272          FEATURE_MASK_SUPPORTS_AUTHORITY_HEADER,
 273      "foo.test.google.fr", chttp2_create_fixture_secure_fullstack,
 274      chttp2_init_client, chttp2_init_server, chttp2_tear_down_secure_fullstack},
 275 };
 276
 277 int main(int argc, char** argv) {
 278   FILE* roots_file;
 279   size_t roots_size = strlen(test_root_cert);
 280   char* roots_filename;
 281   grpc::testing::TestEnvironment env(argc, argv);
 282   grpc_end2end_tests_pre_init();
 283   /* Set the SSL roots env var. */
 284   roots_file = gpr_tmpfile("chttp2_simple_ssl_fullstack_test", &roots_filename);
 285   GPR_ASSERT(roots_filename != nullptr);
 286   GPR_ASSERT(roots_file != nullptr);
 287   GPR_ASSERT(fwrite(test_root_cert, 1, roots_size, roots_file) == roots_size);
 288   fclose(roots_file);
 289   GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, roots_filename);
 290   grpc_init();
 291   for (size_t ind = 0; ind < sizeof(configs) / sizeof(*configs); ind++) {
 292     grpc_end2end_tests(argc, argv, configs[ind]);
 293   }
 294   grpc_shutdown();
 295   /* Cleanup. */
 296   remove(roots_filename);
 297   gpr_free(roots_filename);
 298   return 0;
 299 }