projects / platform / upstream / grpc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Imported Upstream version 1.36.0
[platform/upstream/grpc.git] / test / core / security / tls_security_connector_test.cc
1 /*
2  *
3  * Copyright 2018 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18
19 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
20
21 #include <gmock/gmock.h>
22 #include <grpc/support/alloc.h>
23 #include <grpc/support/log.h>
24 #include <grpc/support/string_util.h>
25 #include <gtest/gtest.h>
26 #include <stdlib.h>
27 #include <string.h>
28
29 #include "src/core/lib/iomgr/load_file.h"
30 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
31 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
32 #include "src/core/tsi/transport_security.h"
33 #include "test/core/util/test_config.h"
34
35 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
36 #define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
37 #define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
38 #define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
39 #define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
40 #define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
41
42 namespace grpc {
43 namespace testing {
44
45 constexpr const char* kRootCertName = "root_cert_name";
46 constexpr const char* kIdentityCertName = "identity_cert_name";
47 constexpr const char* kErrorMessage = "error_message";
48 constexpr const char* kTargetName = "some_target";
49
50 class TlsSecurityConnectorTest : public ::testing::Test {
51  protected:
52   TlsSecurityConnectorTest() {}
53   void SetUp() override {
54     grpc_slice ca_slice_1, ca_slice_0, cert_slice_1, key_slice_1, cert_slice_0,
55         key_slice_0;
56     GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
57                                  grpc_load_file(CA_CERT_PATH, 1, &ca_slice_1)));
58     GPR_ASSERT(GRPC_LOG_IF_ERROR(
59         "load_file", grpc_load_file(CLIENT_CERT_PATH, 1, &ca_slice_0)));
60     GPR_ASSERT(GRPC_LOG_IF_ERROR(
61         "load_file", grpc_load_file(SERVER_CERT_PATH_1, 1, &cert_slice_1)));
62     GPR_ASSERT(GRPC_LOG_IF_ERROR(
63         "load_file", grpc_load_file(SERVER_KEY_PATH_1, 1, &key_slice_1)));
64     GPR_ASSERT(GRPC_LOG_IF_ERROR(
65         "load_file", grpc_load_file(SERVER_CERT_PATH_0, 1, &cert_slice_0)));
66     GPR_ASSERT(GRPC_LOG_IF_ERROR(
67         "load_file", grpc_load_file(SERVER_KEY_PATH_0, 1, &key_slice_0)));
68     root_cert_1_ = std::string(grpc_core::StringViewFromSlice(ca_slice_1));
69     root_cert_0_ = std::string(grpc_core::StringViewFromSlice(ca_slice_0));
70     std::string identity_key_1 =
71         std::string(grpc_core::StringViewFromSlice(key_slice_1));
72     std::string identity_key_0 =
73         std::string(grpc_core::StringViewFromSlice(key_slice_0));
74     std::string identity_cert_1 =
75         std::string(grpc_core::StringViewFromSlice(cert_slice_1));
76     std::string identity_cert_0 =
77         std::string(grpc_core::StringViewFromSlice(cert_slice_0));
78     identity_pairs_1_.emplace_back(identity_key_1, identity_cert_1);
79     identity_pairs_0_.emplace_back(identity_key_0, identity_cert_0);
80     grpc_slice_unref(ca_slice_1);
81     grpc_slice_unref(ca_slice_0);
82     grpc_slice_unref(cert_slice_1);
83     grpc_slice_unref(key_slice_1);
84     grpc_slice_unref(cert_slice_0);
85     grpc_slice_unref(key_slice_0);
86   }
87
88   void TearDown() override {}
89
90   std::string root_cert_1_;
91   std::string root_cert_0_;
92   grpc_core::PemKeyCertPairList identity_pairs_1_;
93   grpc_core::PemKeyCertPairList identity_pairs_0_;
94 };
95
96 class TlsTestCertificateProvider : public ::grpc_tls_certificate_provider {
97  public:
98   explicit TlsTestCertificateProvider(
99       grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor)
100       : distributor_(std::move(distributor)) {}
101   ~TlsTestCertificateProvider() override {}
102   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
103       const override {
104     return distributor_;
105   }
106
107  private:
108   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
109 };
110
111 // Tests for ChannelSecurityConnector.
112 TEST_F(TlsSecurityConnectorTest,
113        RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
114   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
115       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
116   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
117   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
118                                identity_pairs_0_);
119   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
120       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
121   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
122       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
123   options->set_certificate_provider(provider);
124   options->set_watch_root_cert(true);
125   options->set_watch_identity_pair(true);
126   options->set_root_cert_name(kRootCertName);
127   options->set_identity_cert_name(kIdentityCertName);
128   grpc_core::RefCountedPtr<TlsCredentials> credential =
129       grpc_core::MakeRefCounted<TlsCredentials>(options);
130   grpc_channel_args* new_args = nullptr;
131   grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
132       credential->create_security_connector(nullptr, kTargetName, nullptr,
133                                             &new_args);
134   EXPECT_NE(connector, nullptr);
135   grpc_core::TlsChannelSecurityConnector* tls_connector =
136       static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
137   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
138   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
139   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
140   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
141   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
142                                identity_pairs_1_);
143   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
144   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
145   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
146   grpc_channel_args_destroy(new_args);
147 }
148
149 TEST_F(TlsSecurityConnectorTest,
150        SystemRootsWhenCreateChannelSecurityConnector) {
151   // Create options watching for no certificates.
152   grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
153       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
154   grpc_core::RefCountedPtr<TlsCredentials> root_credential =
155       grpc_core::MakeRefCounted<TlsCredentials>(root_options);
156   grpc_channel_args* root_new_args = nullptr;
157   grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
158       root_credential->create_security_connector(nullptr, "some_target",
159                                                  nullptr, &root_new_args);
160   EXPECT_NE(root_connector, nullptr);
161   grpc_core::TlsChannelSecurityConnector* tls_root_connector =
162       static_cast<grpc_core::TlsChannelSecurityConnector*>(
163           root_connector.get());
164   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
165   grpc_channel_args_destroy(root_new_args);
166 }
167
168 TEST_F(TlsSecurityConnectorTest,
169        SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
170   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
171       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
172   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
173                                identity_pairs_0_);
174   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
175       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
176   // Create options only watching for identity certificates.
177   grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
178       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
179   root_options->set_certificate_provider(provider);
180   root_options->set_watch_identity_pair(true);
181   root_options->set_identity_cert_name(kIdentityCertName);
182   grpc_core::RefCountedPtr<TlsCredentials> root_credential =
183       grpc_core::MakeRefCounted<TlsCredentials>(root_options);
184   grpc_channel_args* root_new_args = nullptr;
185   grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
186       root_credential->create_security_connector(nullptr, "some_target",
187                                                  nullptr, &root_new_args);
188   EXPECT_NE(root_connector, nullptr);
189   grpc_core::TlsChannelSecurityConnector* tls_root_connector =
190       static_cast<grpc_core::TlsChannelSecurityConnector*>(
191           root_connector.get());
192   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
193   EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
194   // If we have a root update, we shouldn't receive them in security connector,
195   // since we claimed to use default system roots.
196   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
197   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
198   EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
199   grpc_channel_args_destroy(root_new_args);
200 }
201
202 TEST_F(TlsSecurityConnectorTest,
203        RootCertsObtainedWhenCreateChannelSecurityConnector) {
204   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
205       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
206   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
207   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
208                                identity_pairs_0_);
209   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
210       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
211   // Create options only watching for root certificates.
212   grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
213       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
214   root_options->set_certificate_provider(provider);
215   root_options->set_watch_root_cert(true);
216   root_options->set_root_cert_name(kRootCertName);
217   grpc_core::RefCountedPtr<TlsCredentials> root_credential =
218       grpc_core::MakeRefCounted<TlsCredentials>(root_options);
219   grpc_channel_args* root_new_args = nullptr;
220   grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
221       root_credential->create_security_connector(nullptr, "some_target",
222                                                  nullptr, &root_new_args);
223   EXPECT_NE(root_connector, nullptr);
224   grpc_core::TlsChannelSecurityConnector* tls_root_connector =
225       static_cast<grpc_core::TlsChannelSecurityConnector*>(
226           root_connector.get());
227   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
228   EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
229   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
230   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
231   EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
232   grpc_channel_args_destroy(root_new_args);
233 }
234
235 TEST_F(TlsSecurityConnectorTest,
236        CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
237   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
238       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
239   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
240   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
241       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
242   // Registered the options watching both certs, but only root certs are
243   // available at distributor right now.
244   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
245       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
246   options->set_certificate_provider(provider);
247   options->set_watch_root_cert(true);
248   options->set_watch_identity_pair(true);
249   options->set_root_cert_name(kRootCertName);
250   options->set_identity_cert_name(kIdentityCertName);
251   grpc_core::RefCountedPtr<TlsCredentials> credential =
252       grpc_core::MakeRefCounted<TlsCredentials>(options);
253   grpc_channel_args* new_args = nullptr;
254   grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
255       credential->create_security_connector(nullptr, kTargetName, nullptr,
256                                             &new_args);
257   EXPECT_NE(connector, nullptr);
258   grpc_core::TlsChannelSecurityConnector* tls_connector =
259       static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
260   // The client_handshaker_factory_ shouldn't be updated.
261   EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
262   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
263   // After updating the root certs, the client_handshaker_factory_ should be
264   // updated.
265   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
266                                identity_pairs_0_);
267   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
268   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
269   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
270   grpc_channel_args_destroy(new_args);
271 }
272
273 TEST_F(TlsSecurityConnectorTest,
274        DistributorHasErrorForChannelSecurityConnector) {
275   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
276       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
277   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
278   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
279                                identity_pairs_0_);
280   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
281       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
282   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
283       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
284   options->set_certificate_provider(provider);
285   options->set_watch_root_cert(true);
286   options->set_watch_identity_pair(true);
287   options->set_root_cert_name(kRootCertName);
288   options->set_identity_cert_name(kIdentityCertName);
289   grpc_core::RefCountedPtr<TlsCredentials> credential =
290       grpc_core::MakeRefCounted<TlsCredentials>(options);
291   grpc_channel_args* new_args = nullptr;
292   grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
293       credential->create_security_connector(nullptr, kTargetName, nullptr,
294                                             &new_args);
295   EXPECT_NE(connector, nullptr);
296   grpc_core::TlsChannelSecurityConnector* tls_connector =
297       static_cast<grpc_core::TlsChannelSecurityConnector*>(connector.get());
298   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
299   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
300   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
301   // Calling SetErrorForCert on distributor shouldn't invalidate the previous
302   // valid credentials.
303   distributor->SetErrorForCert(
304       kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
305       absl::nullopt);
306   distributor->SetErrorForCert(
307       kIdentityCertName, absl::nullopt,
308       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
309   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
310   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
311   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
312   grpc_channel_args_destroy(new_args);
313 }
314
315 TEST_F(TlsSecurityConnectorTest,
316        CreateChannelSecurityConnectorFailNoTargetName) {
317   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
318       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
319   grpc_core::RefCountedPtr<TlsCredentials> credential =
320       grpc_core::MakeRefCounted<TlsCredentials>(options);
321   grpc_channel_args* new_args = nullptr;
322   grpc_core::RefCountedPtr<grpc_channel_security_connector> connector =
323       credential->create_security_connector(nullptr, nullptr, nullptr,
324                                             &new_args);
325   EXPECT_EQ(connector, nullptr);
326 }
327
328 TEST_F(TlsSecurityConnectorTest,
329        CreateChannelSecurityConnectorFailNoCredentials) {
330   auto connector =
331       grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
332           nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>(),
333           nullptr, kTargetName, nullptr, nullptr);
334   EXPECT_EQ(connector, nullptr);
335 }
336
337 TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
338   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
339       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
340   grpc_core::RefCountedPtr<TlsCredentials> credential =
341       grpc_core::MakeRefCounted<TlsCredentials>(options);
342   auto connector =
343       grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
344           credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
345   EXPECT_EQ(connector, nullptr);
346 }
347
348 TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameSuccess) {
349   const char* target_name = "foo.test.google.fr";
350   tsi_peer peer;
351   GPR_ASSERT(tsi_construct_peer(1, &peer) == TSI_OK);
352   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
353                  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, target_name,
354                  &peer.properties[0]) == TSI_OK);
355   grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
356   tsi_peer_destruct(&peer);
357   EXPECT_EQ(error, GRPC_ERROR_NONE);
358   GRPC_ERROR_UNREF(error);
359 }
360
361 TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameFail) {
362   const char* target_name = "foo.test.google.fr";
363   const char* another_name = "bar.test.google.fr";
364   tsi_peer peer;
365   GPR_ASSERT(tsi_construct_peer(1, &peer) == TSI_OK);
366   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
367                  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, another_name,
368                  &peer.properties[0]) == TSI_OK);
369   grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
370   tsi_peer_destruct(&peer);
371   EXPECT_NE(error, GRPC_ERROR_NONE);
372   GRPC_ERROR_UNREF(error);
373 }
374
375 // Tests for ServerSecurityConnector.
376 TEST_F(TlsSecurityConnectorTest,
377        RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
378   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
379       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
380   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
381   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
382                                identity_pairs_0_);
383   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
384       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
385   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
386       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
387   options->set_certificate_provider(provider);
388   options->set_watch_root_cert(true);
389   options->set_watch_identity_pair(true);
390   options->set_root_cert_name(kRootCertName);
391   options->set_identity_cert_name(kIdentityCertName);
392   grpc_core::RefCountedPtr<TlsServerCredentials> credential =
393       grpc_core::MakeRefCounted<TlsServerCredentials>(options);
394   grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
395       credential->create_security_connector(nullptr);
396   EXPECT_NE(connector, nullptr);
397   grpc_core::TlsServerSecurityConnector* tls_connector =
398       static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
399   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
400   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
401   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
402   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
403   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
404                                identity_pairs_1_);
405   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
406   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
407   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
408 }
409
410 // Note that on server side, we don't have tests watching root certs only,
411 // because in TLS, the identity certs should always be presented. If we don't
412 // provide, it will try to load certs from some default system locations, and
413 // will hence fail on some systems.
414 TEST_F(TlsSecurityConnectorTest,
415        IdentityCertsObtainedWhenCreateServerSecurityConnector) {
416   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
417       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
418   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
419   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
420                                identity_pairs_0_);
421   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
422       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
423   // Create options only watching for identity certificates.
424   grpc_core::RefCountedPtr<grpc_tls_credentials_options> identity_options =
425       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
426   identity_options->set_certificate_provider(provider);
427   identity_options->set_watch_identity_pair(true);
428   identity_options->set_identity_cert_name(kIdentityCertName);
429   grpc_core::RefCountedPtr<TlsServerCredentials> identity_credential =
430       grpc_core::MakeRefCounted<TlsServerCredentials>(identity_options);
431   grpc_core::RefCountedPtr<grpc_server_security_connector> identity_connector =
432       identity_credential->create_security_connector(nullptr);
433   EXPECT_NE(identity_connector, nullptr);
434   grpc_core::TlsServerSecurityConnector* tls_identity_connector =
435       static_cast<grpc_core::TlsServerSecurityConnector*>(
436           identity_connector.get());
437   EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
438             nullptr);
439   EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
440             identity_pairs_0_);
441   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
442                                identity_pairs_1_);
443   EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
444             nullptr);
445   EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
446             identity_pairs_1_);
447 }
448
449 TEST_F(TlsSecurityConnectorTest,
450        CertPartiallyObtainedWhenCreateServerSecurityConnector) {
451   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
452       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
453   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
454                                identity_pairs_0_);
455   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
456       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
457   // Registered the options watching both certs, but only root certs are
458   // available at distributor right now.
459   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
460       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
461   options->set_certificate_provider(provider);
462   options->set_watch_root_cert(true);
463   options->set_watch_identity_pair(true);
464   options->set_root_cert_name(kRootCertName);
465   options->set_identity_cert_name(kIdentityCertName);
466   grpc_core::RefCountedPtr<TlsServerCredentials> credential =
467       grpc_core::MakeRefCounted<TlsServerCredentials>(options);
468   grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
469       credential->create_security_connector(nullptr);
470   EXPECT_NE(connector, nullptr);
471   grpc_core::TlsServerSecurityConnector* tls_connector =
472       static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
473   // The server_handshaker_factory_ shouldn't be updated.
474   EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
475   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
476   // After updating the root certs, the server_handshaker_factory_ should be
477   // updated.
478   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
479   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
480   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
481   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
482 }
483
484 TEST_F(TlsSecurityConnectorTest,
485        DistributorHasErrorForServerSecurityConnector) {
486   grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
487       grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
488   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
489   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
490                                identity_pairs_0_);
491   grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
492       grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
493   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
494       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
495   options->set_certificate_provider(provider);
496   options->set_watch_root_cert(true);
497   options->set_watch_identity_pair(true);
498   options->set_root_cert_name(kRootCertName);
499   options->set_identity_cert_name(kIdentityCertName);
500   grpc_core::RefCountedPtr<TlsServerCredentials> credential =
501       grpc_core::MakeRefCounted<TlsServerCredentials>(options);
502   grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
503       credential->create_security_connector(nullptr);
504   EXPECT_NE(connector, nullptr);
505   grpc_core::TlsServerSecurityConnector* tls_connector =
506       static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
507   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
508   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
509   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
510   // Calling SetErrorForCert on distributor shouldn't invalidate the previous
511   // valid credentials.
512   distributor->SetErrorForCert(
513       kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
514       absl::nullopt);
515   distributor->SetErrorForCert(
516       kIdentityCertName, absl::nullopt,
517       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
518   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
519   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
520   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
521 }
522
523 TEST_F(TlsSecurityConnectorTest,
524        CreateServerSecurityConnectorFailNoCredentials) {
525   auto connector =
526       grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
527           nullptr, grpc_core::MakeRefCounted<grpc_tls_credentials_options>());
528   EXPECT_EQ(connector, nullptr);
529 }
530
531 TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
532   grpc_core::RefCountedPtr<grpc_tls_credentials_options> options =
533       grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
534   grpc_core::RefCountedPtr<TlsServerCredentials> credential =
535       grpc_core::MakeRefCounted<TlsServerCredentials>(options);
536   auto connector =
537       grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
538           credential, nullptr);
539   EXPECT_EQ(connector, nullptr);
540 }
541
542 }  // namespace testing
543 }  // namespace grpc
544
545 int main(int argc, char** argv) {
546   grpc::testing::TestEnvironment env(argc, argv);
547   GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
548   ::testing::InitGoogleTest(&argc, argv);
549   grpc_init();
550   int ret = RUN_ALL_TESTS();
551   grpc_shutdown();
552   return ret;
553 }
Domain: System / Base;