3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include "test/core/end2end/end2end_tests.h"
24 #include <grpc/grpc_security.h>
25 #include <grpc/support/alloc.h>
26 #include <grpc/support/log.h>
28 #include <grpc/support/string_util.h>
29 #include "src/core/lib/channel/channel_args.h"
30 #include "src/core/lib/gpr/env.h"
31 #include "src/core/lib/gpr/string.h"
32 #include "src/core/lib/gpr/tmpfile.h"
33 #include "src/core/lib/gprpp/host_port.h"
34 #include "src/core/lib/gprpp/inlined_vector.h"
35 #include "src/core/lib/gprpp/thd.h"
36 #include "src/core/lib/security/credentials/credentials.h"
37 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
38 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
39 #include "test/core/end2end/data/ssl_test_data.h"
40 #include "test/core/util/port.h"
41 #include "test/core/util/test_config.h"
43 typedef grpc_core::InlinedVector<grpc_core::Thread, 1> ThreadList;
45 struct fullstack_secure_fixture_data {
46 ~fullstack_secure_fixture_data() {
47 for (size_t ind = 0; ind < thd_list.size(); ind++) {
51 grpc_core::UniquePtr<char> localaddr;
55 static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack(
56 grpc_channel_args* /*client_args*/, grpc_channel_args* /*server_args*/) {
57 grpc_end2end_test_fixture f;
58 int port = grpc_pick_unused_port_or_die();
59 fullstack_secure_fixture_data* ffd = new fullstack_secure_fixture_data();
60 memset(&f, 0, sizeof(f));
61 grpc_core::JoinHostPort(&ffd->localaddr, "localhost", port);
63 f.cq = grpc_completion_queue_create_for_next(nullptr);
64 f.shutdown_cq = grpc_completion_queue_create_for_pluck(nullptr);
68 static void process_auth_failure(void* state, grpc_auth_context* /*ctx*/,
69 const grpc_metadata* /*md*/,
71 grpc_process_auth_metadata_done_cb cb,
73 GPR_ASSERT(state == nullptr);
74 cb(user_data, nullptr, 0, nullptr, 0, GRPC_STATUS_UNAUTHENTICATED, nullptr);
77 static void chttp2_init_client_secure_fullstack(
78 grpc_end2end_test_fixture* f, grpc_channel_args* client_args,
79 grpc_channel_credentials* creds) {
80 fullstack_secure_fixture_data* ffd =
81 static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
82 f->client = grpc_secure_channel_create(creds, ffd->localaddr.get(),
83 client_args, nullptr);
84 GPR_ASSERT(f->client != nullptr);
85 grpc_channel_credentials_release(creds);
88 static void chttp2_init_server_secure_fullstack(
89 grpc_end2end_test_fixture* f, grpc_channel_args* server_args,
90 grpc_server_credentials* server_creds) {
91 fullstack_secure_fixture_data* ffd =
92 static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
94 grpc_server_destroy(f->server);
96 f->server = grpc_server_create(server_args, nullptr);
97 grpc_server_register_completion_queue(f->server, f->cq, nullptr);
98 GPR_ASSERT(grpc_server_add_secure_http2_port(f->server, ffd->localaddr.get(),
100 grpc_server_credentials_release(server_creds);
101 grpc_server_start(f->server);
104 void chttp2_tear_down_secure_fullstack(grpc_end2end_test_fixture* f) {
105 fullstack_secure_fixture_data* ffd =
106 static_cast<fullstack_secure_fixture_data*>(f->fixture_data);
110 // Application-provided callback for server authorization check.
111 static void server_authz_check_cb(void* user_data) {
112 grpc_tls_server_authorization_check_arg* check_arg =
113 static_cast<grpc_tls_server_authorization_check_arg*>(user_data);
114 GPR_ASSERT(check_arg != nullptr);
115 // result = 1 indicates the server authorization check passes.
116 // Normally, the application code should resort to mapping information
117 // between server identity and target name to derive the result.
118 // For this test, we directly return 1 for simplicity.
119 check_arg->success = 1;
120 check_arg->status = GRPC_STATUS_OK;
121 check_arg->cb(check_arg);
124 // Asynchronous implementation of schedule field in
125 // grpc_server_authorization_check_config.
126 static int server_authz_check_async(
127 void* config_user_data, grpc_tls_server_authorization_check_arg* arg) {
128 fullstack_secure_fixture_data* ffd =
129 static_cast<fullstack_secure_fixture_data*>(config_user_data);
130 ffd->thd_list.push_back(
131 grpc_core::Thread("h2_tls_test", &server_authz_check_cb, arg));
132 ffd->thd_list[ffd->thd_list.size() - 1].Start();
136 // Synchronous implementation of schedule field in
137 // grpc_tls_credential_reload_config instance that is a part of client-side
138 // grpc_tls_credentials_options instance.
139 static int client_cred_reload_sync(void* /*config_user_data*/,
140 grpc_tls_credential_reload_arg* arg) {
141 if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
142 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
145 grpc_ssl_pem_key_cert_pair** key_cert_pair =
146 static_cast<grpc_ssl_pem_key_cert_pair**>(
147 gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair*)));
148 key_cert_pair[0] = static_cast<grpc_ssl_pem_key_cert_pair*>(
149 gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair)));
150 key_cert_pair[0]->private_key = gpr_strdup(test_server1_key);
151 key_cert_pair[0]->cert_chain = gpr_strdup(test_server1_cert);
152 if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
153 grpc_tls_key_materials_config_set_key_materials(
154 arg->key_materials_config, gpr_strdup(test_root_cert),
155 (const grpc_ssl_pem_key_cert_pair**)key_cert_pair, 1);
157 // new credential has been reloaded.
158 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
162 // Synchronous implementation of schedule field in
163 // grpc_tls_credential_reload_config instance that is a part of server-side
164 // grpc_tls_credentials_options instance.
165 static int server_cred_reload_sync(void* /*config_user_data*/,
166 grpc_tls_credential_reload_arg* arg) {
167 if (!arg->key_materials_config->pem_key_cert_pair_list().empty()) {
168 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
171 grpc_ssl_pem_key_cert_pair** key_cert_pair =
172 static_cast<grpc_ssl_pem_key_cert_pair**>(
173 gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair*)));
174 key_cert_pair[0] = static_cast<grpc_ssl_pem_key_cert_pair*>(
175 gpr_zalloc(sizeof(grpc_ssl_pem_key_cert_pair)));
176 key_cert_pair[0]->private_key = gpr_strdup(test_server1_key);
177 key_cert_pair[0]->cert_chain = gpr_strdup(test_server1_cert);
178 GPR_ASSERT(arg != nullptr);
179 GPR_ASSERT(arg->key_materials_config != nullptr);
180 GPR_ASSERT(arg->key_materials_config->pem_key_cert_pair_list().data() !=
182 if (arg->key_materials_config->pem_key_cert_pair_list().empty()) {
183 grpc_tls_key_materials_config_set_key_materials(
184 arg->key_materials_config, gpr_strdup(test_root_cert),
185 (const grpc_ssl_pem_key_cert_pair**)key_cert_pair, 1);
187 // new credential has been reloaded.
188 arg->status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
192 // Create a TLS channel credential.
193 static grpc_channel_credentials* create_tls_channel_credentials(
194 fullstack_secure_fixture_data* ffd) {
195 grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
196 /* Set credential reload config. */
197 grpc_tls_credential_reload_config* reload_config =
198 grpc_tls_credential_reload_config_create(nullptr, client_cred_reload_sync,
200 grpc_tls_credentials_options_set_credential_reload_config(options,
202 /* Set server authorization check config. */
203 grpc_tls_server_authorization_check_config* check_config =
204 grpc_tls_server_authorization_check_config_create(
205 ffd, server_authz_check_async, nullptr, nullptr);
206 grpc_tls_credentials_options_set_server_authorization_check_config(
207 options, check_config);
208 /* Create TLS channel credentials. */
209 grpc_channel_credentials* creds = grpc_tls_credentials_create(options);
213 // Create a TLS server credential.
214 static grpc_server_credentials* create_tls_server_credentials() {
215 grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
216 /* Set credential reload config. */
217 grpc_tls_credential_reload_config* reload_config =
218 grpc_tls_credential_reload_config_create(nullptr, server_cred_reload_sync,
220 grpc_tls_credentials_options_set_credential_reload_config(options,
222 /* Set client certificate request type. */
223 grpc_tls_credentials_options_set_cert_request_type(
224 options, GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
225 grpc_server_credentials* creds = grpc_tls_server_credentials_create(options);
229 static void chttp2_init_client(grpc_end2end_test_fixture* f,
230 grpc_channel_args* client_args) {
231 grpc_channel_credentials* ssl_creds = create_tls_channel_credentials(
232 static_cast<fullstack_secure_fixture_data*>(f->fixture_data));
233 grpc_arg ssl_name_override = {
235 const_cast<char*>(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG),
236 {const_cast<char*>("foo.test.google.fr")}};
237 grpc_channel_args* new_client_args =
238 grpc_channel_args_copy_and_add(client_args, &ssl_name_override, 1);
239 chttp2_init_client_secure_fullstack(f, new_client_args, ssl_creds);
240 grpc_channel_args_destroy(new_client_args);
243 static int fail_server_auth_check(grpc_channel_args* server_args) {
245 if (server_args == nullptr) return 0;
246 for (i = 0; i < server_args->num_args; i++) {
247 if (strcmp(server_args->args[i].key, FAIL_AUTH_CHECK_SERVER_ARG_NAME) ==
255 static void chttp2_init_server(grpc_end2end_test_fixture* f,
256 grpc_channel_args* server_args) {
257 grpc_server_credentials* ssl_creds = create_tls_server_credentials();
258 if (fail_server_auth_check(server_args)) {
259 grpc_auth_metadata_processor processor = {process_auth_failure, nullptr,
261 grpc_server_credentials_set_auth_metadata_processor(ssl_creds, processor);
263 chttp2_init_server_secure_fullstack(f, server_args, ssl_creds);
266 static grpc_end2end_test_config configs[] = {
267 /* client sync reload async authz + server sync reload. */
268 {"chttp2/simple_ssl_fullstack",
269 FEATURE_MASK_SUPPORTS_DELAYED_CONNECTION |
270 FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
271 FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL |
272 FEATURE_MASK_SUPPORTS_AUTHORITY_HEADER,
273 "foo.test.google.fr", chttp2_create_fixture_secure_fullstack,
274 chttp2_init_client, chttp2_init_server, chttp2_tear_down_secure_fullstack},
277 int main(int argc, char** argv) {
279 size_t roots_size = strlen(test_root_cert);
280 char* roots_filename;
281 grpc::testing::TestEnvironment env(argc, argv);
282 grpc_end2end_tests_pre_init();
283 /* Set the SSL roots env var. */
284 roots_file = gpr_tmpfile("chttp2_simple_ssl_fullstack_test", &roots_filename);
285 GPR_ASSERT(roots_filename != nullptr);
286 GPR_ASSERT(roots_file != nullptr);
287 GPR_ASSERT(fwrite(test_root_cert, 1, roots_size, roots_file) == roots_size);
289 GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, roots_filename);
291 for (size_t ind = 0; ind < sizeof(configs) / sizeof(*configs); ind++) {
292 grpc_end2end_tests(argc, argv, configs[ind]);
296 remove(roots_filename);
297 gpr_free(roots_filename);