3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
21 #include <gmock/gmock.h>
22 #include <grpc/support/alloc.h>
23 #include <grpc/support/log.h>
24 #include <grpc/support/string_util.h>
25 #include <gtest/gtest.h>
29 #include "src/core/lib/iomgr/load_file.h"
30 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
31 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
32 #include "src/core/tsi/transport_security.h"
33 #include "test/core/util/test_config.h"
35 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
36 #define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
37 #define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
38 #define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
39 #define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
40 #define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
45 constexpr const char* kRootCertName = "root_cert_name";
46 constexpr const char* kIdentityCertName = "identity_cert_name";
47 constexpr const char* kErrorMessage = "error_message";
48 constexpr const char* kTargetName = "some_target";
50 class TlsSecurityConnectorTest : public ::testing::Test {
52 TlsSecurityConnectorTest() {}
53 void SetUp() override {
54 grpc_slice ca_slice_1, ca_slice_0, cert_slice_1, key_slice_1, cert_slice_0,
56 GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
57 grpc_load_file(CA_CERT_PATH, 1, &ca_slice_1)));
58 GPR_ASSERT(GRPC_LOG_IF_ERROR(
59 "load_file", grpc_load_file(CLIENT_CERT_PATH, 1, &ca_slice_0)));
60 GPR_ASSERT(GRPC_LOG_IF_ERROR(
61 "load_file", grpc_load_file(SERVER_CERT_PATH_1, 1, &cert_slice_1)));
62 GPR_ASSERT(GRPC_LOG_IF_ERROR(
63 "load_file", grpc_load_file(SERVER_KEY_PATH_1, 1, &key_slice_1)));
64 GPR_ASSERT(GRPC_LOG_IF_ERROR(
65 "load_file", grpc_load_file(SERVER_CERT_PATH_0, 1, &cert_slice_0)));
66 GPR_ASSERT(GRPC_LOG_IF_ERROR(
67 "load_file", grpc_load_file(SERVER_KEY_PATH_0, 1, &key_slice_0)));
68 root_cert_1_ = std::string(grpc_core::StringViewFromSlice(ca_slice_1));
69 root_cert_0_ = std::string(grpc_core::StringViewFromSlice(ca_slice_0));
70 std::string identity_key_1 =
71 std::string(grpc_core::StringViewFromSlice(key_slice_1));
72 std::string identity_key_0 =
73 std::string(grpc_core::StringViewFromSlice(key_slice_0));
74 std::string identity_cert_1 =
75 std::string(grpc_core::StringViewFromSlice(cert_slice_1));
76 std::string identity_cert_0 =
77 std::string(grpc_core::StringViewFromSlice(cert_slice_0));
78 identity_pairs_1_.emplace_back(identity_key_1, identity_cert_1);
79 identity_pairs_0_.emplace_back(identity_key_0, identity_cert_0);
80 grpc_slice_unref(ca_slice_1);
81 grpc_slice_unref(ca_slice_0);
82 grpc_slice_unref(cert_slice_1);
83 grpc_slice_unref(key_slice_1);
84 grpc_slice_unref(cert_slice_0);
85 grpc_slice_unref(key_slice_0);
88 void TearDown() override {}
90 std::string root_cert_1_;
91 std::string root_cert_0_;
92 grpc_core::PemKeyCertPairList identity_pairs_1_;
93 grpc_core::PemKeyCertPairList identity_pairs_0_;
96 class TlsTestCertificateProvider : public ::grpc_tls_certificate_provider {
98 explicit TlsTestCertificateProvider(
99 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor)
100 : distributor_(std::move(distributor)) {}
101 ~TlsTestCertificateProvider() override {}
102 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
108 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
111 // Tests for ChannelSecurityConnector.
112 TEST_F(TlsSecurityConnectorTest,
113 RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
114 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
115 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
116 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
117 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
119 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
120 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
121 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
122 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
123 options->set_certificate_provider(provider);
124 options->set_watch_root_cert(true);
125 options->set_watch_identity_pair(true);
126 options->set_root_cert_name(kRootCertName);
127 options->set_identity_cert_name(kIdentityCertName);
128 grpc_core::RefCountedPtr<TlsCredentials> credential =
129 grpc_core::MakeRefCounted<TlsCredentials>(options);
130 grpc_channel_args* new_args = nullptr;
131 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
132 credential->create_security_connector(nullptr, kTargetName, nullptr,
134 EXPECT_NE(connector, nullptr);
135 grpc_core::TlsChannelSecurityConnector* tls_connector =
136 static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
137 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
138 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
139 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
140 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
141 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
143 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
144 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
145 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
146 grpc_channel_args_destroy(new_args);
149 TEST_F(TlsSecurityConnectorTest,
150 SystemRootsWhenCreateChannelSecurityConnector) {
151 // Create options watching for no certificates.
152 grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
153 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
154 grpc_core::RefCountedPtr<TlsCredentials> root_credential =
155 grpc_core::MakeRefCounted<TlsCredentials>(root_options);
156 grpc_channel_args* root_new_args = nullptr;
157 grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
158 root_credential->create_security_connector(nullptr, "some_target",
159 nullptr, &root_new_args);
160 EXPECT_NE(root_connector, nullptr);
161 grpc_core::TlsChannelSecurityConnector* tls_root_connector =
162 static_cast<grpc_core::TlsChannelSecurityConnector*>(
163 root_connector.get());
164 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
165 grpc_channel_args_destroy(root_new_args);
168 TEST_F(TlsSecurityConnectorTest,
169 SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
170 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
171 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
172 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
174 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
175 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
176 // Create options only watching for identity certificates.
177 grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
178 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
179 root_options->set_certificate_provider(provider);
180 root_options->set_watch_identity_pair(true);
181 root_options->set_identity_cert_name(kIdentityCertName);
182 grpc_core::RefCountedPtr<TlsCredentials> root_credential =
183 grpc_core::MakeRefCounted<TlsCredentials>(root_options);
184 grpc_channel_args* root_new_args = nullptr;
185 grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
186 root_credential->create_security_connector(nullptr, "some_target",
187 nullptr, &root_new_args);
188 EXPECT_NE(root_connector, nullptr);
189 grpc_core::TlsChannelSecurityConnector* tls_root_connector =
190 static_cast<grpc_core::TlsChannelSecurityConnector*>(
191 root_connector.get());
192 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
193 EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
194 // If we have a root update, we shouldn't receive them in security connector,
195 // since we claimed to use default system roots.
196 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
197 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
198 EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
199 grpc_channel_args_destroy(root_new_args);
202 TEST_F(TlsSecurityConnectorTest,
203 RootCertsObtainedWhenCreateChannelSecurityConnector) {
204 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
205 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
206 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
207 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
209 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
210 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
211 // Create options only watching for root certificates.
212 grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
213 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
214 root_options->set_certificate_provider(provider);
215 root_options->set_watch_root_cert(true);
216 root_options->set_root_cert_name(kRootCertName);
217 grpc_core::RefCountedPtr<TlsCredentials> root_credential =
218 grpc_core::MakeRefCounted<TlsCredentials>(root_options);
219 grpc_channel_args* root_new_args = nullptr;
220 grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
221 root_credential->create_security_connector(nullptr, "some_target",
222 nullptr, &root_new_args);
223 EXPECT_NE(root_connector, nullptr);
224 grpc_core::TlsChannelSecurityConnector* tls_root_connector =
225 static_cast<grpc_core::TlsChannelSecurityConnector*>(
226 root_connector.get());
227 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
228 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
229 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
230 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
231 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
232 grpc_channel_args_destroy(root_new_args);
235 TEST_F(TlsSecurityConnectorTest,
236 CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
237 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
238 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
239 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
240 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
241 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
242 // Registered the options watching both certs, but only root certs are
243 // available at distributor right now.
244 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
245 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
246 options->set_certificate_provider(provider);
247 options->set_watch_root_cert(true);
248 options->set_watch_identity_pair(true);
249 options->set_root_cert_name(kRootCertName);
250 options->set_identity_cert_name(kIdentityCertName);
251 grpc_core::RefCountedPtr<TlsCredentials> credential =
252 grpc_core::MakeRefCounted<TlsCredentials>(options);
253 grpc_channel_args* new_args = nullptr;
254 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
255 credential->create_security_connector(nullptr, kTargetName, nullptr,
257 EXPECT_NE(connector, nullptr);
258 grpc_core::TlsChannelSecurityConnector* tls_connector =
259 static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
260 // The client_handshaker_factory_ shouldn't be updated.
261 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
262 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
263 // After updating the root certs, the client_handshaker_factory_ should be
265 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
267 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
268 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
269 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
270 grpc_channel_args_destroy(new_args);
273 TEST_F(TlsSecurityConnectorTest,
274 DistributorHasErrorForChannelSecurityConnector) {
275 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
276 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
277 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
278 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
280 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
281 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
282 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
283 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
284 options->set_certificate_provider(provider);
285 options->set_watch_root_cert(true);
286 options->set_watch_identity_pair(true);
287 options->set_root_cert_name(kRootCertName);
288 options->set_identity_cert_name(kIdentityCertName);
289 grpc_core::RefCountedPtr<TlsCredentials> credential =
290 grpc_core::MakeRefCounted<TlsCredentials>(options);
291 grpc_channel_args* new_args = nullptr;
292 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
293 credential->create_security_connector(nullptr, kTargetName, nullptr,
295 EXPECT_NE(connector, nullptr);
296 grpc_core::TlsChannelSecurityConnector* tls_connector =
297 static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
298 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
299 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
300 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
301 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
302 // valid credentials.
303 distributor->SetErrorForCert(
304 kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
306 distributor->SetErrorForCert(
307 kIdentityCertName, absl::nullopt,
308 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
309 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
310 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
311 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
312 grpc_channel_args_destroy(new_args);
315 TEST_F(TlsSecurityConnectorTest,
316 CreateChannelSecurityConnectorFailNoTargetName) {
317 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
318 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
319 grpc_core::RefCountedPtr<TlsCredentials> credential =
320 grpc_core::MakeRefCounted<TlsCredentials>(options);
321 grpc_channel_args* new_args = nullptr;
322 grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
323 credential->create_security_connector(nullptr, nullptr, nullptr,
325 EXPECT_EQ(connector, nullptr);
328 TEST_F(TlsSecurityConnectorTest,
329 CreateChannelSecurityConnectorFailNoCredentials) {
331 grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
332 nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>(),
333 nullptr, kTargetName, nullptr, nullptr);
334 EXPECT_EQ(connector, nullptr);
337 TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
338 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
339 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
340 grpc_core::RefCountedPtr<TlsCredentials> credential =
341 grpc_core::MakeRefCounted<TlsCredentials>(options);
343 grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
344 credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
345 EXPECT_EQ(connector, nullptr);
348 TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameSuccess) {
349 const char* target_name = "foo.test.google.fr";
351 GPR_ASSERT(tsi_construct_peer(1, &peer) == TSI_OK);
352 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
353 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, target_name,
354 &peer.properties[0]) == TSI_OK);
355 grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
356 tsi_peer_destruct(&peer);
357 EXPECT_EQ(error, GRPC_ERROR_NONE);
358 GRPC_ERROR_UNREF(error);
361 TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameFail) {
362 const char* target_name = "foo.test.google.fr";
363 const char* another_name = "bar.test.google.fr";
365 GPR_ASSERT(tsi_construct_peer(1, &peer) == TSI_OK);
366 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
367 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, another_name,
368 &peer.properties[0]) == TSI_OK);
369 grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
370 tsi_peer_destruct(&peer);
371 EXPECT_NE(error, GRPC_ERROR_NONE);
372 GRPC_ERROR_UNREF(error);
375 // Tests for ServerSecurityConnector.
376 TEST_F(TlsSecurityConnectorTest,
377 RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
378 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
379 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
380 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
381 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
383 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
384 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
385 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
386 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
387 options->set_certificate_provider(provider);
388 options->set_watch_root_cert(true);
389 options->set_watch_identity_pair(true);
390 options->set_root_cert_name(kRootCertName);
391 options->set_identity_cert_name(kIdentityCertName);
392 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
393 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
394 grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
395 credential->create_security_connector(nullptr);
396 EXPECT_NE(connector, nullptr);
397 grpc_core::TlsServerSecurityConnector* tls_connector =
398 static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
399 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
400 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
401 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
402 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
403 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
405 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
406 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
407 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
410 // Note that on server side, we don't have tests watching root certs only,
411 // because in TLS, the identity certs should always be presented. If we don't
412 // provide, it will try to load certs from some default system locations, and
413 // will hence fail on some systems.
414 TEST_F(TlsSecurityConnectorTest,
415 IdentityCertsObtainedWhenCreateServerSecurityConnector) {
416 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
417 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
418 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
419 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
421 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
422 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
423 // Create options only watching for identity certificates.
424 grpc_core::RefCountedPtr<grpc_tls_credentials_options> identity_options =
425 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
426 identity_options->set_certificate_provider(provider);
427 identity_options->set_watch_identity_pair(true);
428 identity_options->set_identity_cert_name(kIdentityCertName);
429 grpc_core::RefCountedPtr<TlsServerCredentials> identity_credential =
430 grpc_core::MakeRefCounted<TlsServerCredentials>(identity_options);
431 grpc_core::RefCountedPtr<grpc_server_security_connector> identity_connector =
432 identity_credential->create_security_connector(nullptr);
433 EXPECT_NE(identity_connector, nullptr);
434 grpc_core::TlsServerSecurityConnector* tls_identity_connector =
435 static_cast<grpc_core::TlsServerSecurityConnector*>(
436 identity_connector.get());
437 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
439 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
441 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
443 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
445 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
449 TEST_F(TlsSecurityConnectorTest,
450 CertPartiallyObtainedWhenCreateServerSecurityConnector) {
451 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
452 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
453 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
455 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
456 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
457 // Registered the options watching both certs, but only root certs are
458 // available at distributor right now.
459 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
460 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
461 options->set_certificate_provider(provider);
462 options->set_watch_root_cert(true);
463 options->set_watch_identity_pair(true);
464 options->set_root_cert_name(kRootCertName);
465 options->set_identity_cert_name(kIdentityCertName);
466 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
467 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
468 grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
469 credential->create_security_connector(nullptr);
470 EXPECT_NE(connector, nullptr);
471 grpc_core::TlsServerSecurityConnector* tls_connector =
472 static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
473 // The server_handshaker_factory_ shouldn't be updated.
474 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
475 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
476 // After updating the root certs, the server_handshaker_factory_ should be
478 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
479 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
480 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
481 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
484 TEST_F(TlsSecurityConnectorTest,
485 DistributorHasErrorForServerSecurityConnector) {
486 grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
487 grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
488 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
489 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
491 grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
492 grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
493 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
494 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
495 options->set_certificate_provider(provider);
496 options->set_watch_root_cert(true);
497 options->set_watch_identity_pair(true);
498 options->set_root_cert_name(kRootCertName);
499 options->set_identity_cert_name(kIdentityCertName);
500 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
501 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
502 grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
503 credential->create_security_connector(nullptr);
504 EXPECT_NE(connector, nullptr);
505 grpc_core::TlsServerSecurityConnector* tls_connector =
506 static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
507 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
508 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
509 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
510 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
511 // valid credentials.
512 distributor->SetErrorForCert(
513 kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
515 distributor->SetErrorForCert(
516 kIdentityCertName, absl::nullopt,
517 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
518 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
519 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
520 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
523 TEST_F(TlsSecurityConnectorTest,
524 CreateServerSecurityConnectorFailNoCredentials) {
526 grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
527 nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>());
528 EXPECT_EQ(connector, nullptr);
531 TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
532 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
533 grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
534 grpc_core::RefCountedPtr<TlsServerCredentials> credential =
535 grpc_core::MakeRefCounted<TlsServerCredentials>(options);
537 grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
538 credential, nullptr);
539 EXPECT_EQ(connector, nullptr);
542 } // namespace testing
545 int main(int argc, char** argv) {
546 grpc::testing::TestEnvironment env(argc, argv);
547 GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
548 ::testing::InitGoogleTest(&argc, argv);
550 int ret = RUN_ALL_TESTS();