3 // Copyright 2020 gRPC authors.
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
9 // http://www.apache.org/licenses/LICENSE-2.0
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
19 #include <gmock/gmock.h>
20 #include <gtest/gtest.h>
22 #include "src/core/ext/xds/xds_certificate_provider.h"
23 #include "test/core/util/test_config.h"
24 #include "test/core/util/tls_utils.h"
30 constexpr const char* kRootCert1 = "root_cert_1_contents";
31 constexpr const char* kRootCert2 = "root_cert_2_contents";
32 constexpr const char* kIdentityCert1PrivateKey = "identity_private_key_1";
33 constexpr const char* kIdentityCert1 = "identity_cert_1_contents";
34 constexpr const char* kIdentityCert2PrivateKey = "identity_private_key_2";
35 constexpr const char* kIdentityCert2 = "identity_cert_2_contents";
36 constexpr const char* kRootErrorMessage = "root_error_message";
37 constexpr const char* kIdentityErrorMessage = "identity_error_message";
39 PemKeyCertPairList MakeKeyCertPairsType1() {
40 return MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1);
43 PemKeyCertPairList MakeKeyCertPairsType2() {
44 return MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2);
47 class TestCertificatesWatcher
48 : public grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface {
50 ~TestCertificatesWatcher() override {
51 GRPC_ERROR_UNREF(root_cert_error_);
52 GRPC_ERROR_UNREF(identity_cert_error_);
55 void OnCertificatesChanged(
56 absl::optional<absl::string_view> root_certs,
57 absl::optional<PemKeyCertPairList> key_cert_pairs) override {
58 if (root_certs.has_value()) {
59 if (!root_certs_.has_value() ||
60 (root_certs_.has_value() &&
61 std::string(root_certs.value()) != root_certs_.value())) {
62 GRPC_ERROR_UNREF(root_cert_error_);
63 root_cert_error_ = GRPC_ERROR_NONE;
65 root_certs_.emplace(std::string(root_certs.value()));
67 if (key_cert_pairs.has_value()) {
68 if (key_cert_pairs != key_cert_pairs_) {
69 GRPC_ERROR_UNREF(identity_cert_error_);
70 identity_cert_error_ = GRPC_ERROR_NONE;
71 key_cert_pairs_ = key_cert_pairs;
76 void OnError(grpc_error_handle root_cert_error,
77 grpc_error_handle identity_cert_error) override {
78 GRPC_ERROR_UNREF(root_cert_error_);
79 root_cert_error_ = root_cert_error;
80 GRPC_ERROR_UNREF(identity_cert_error_);
81 identity_cert_error_ = identity_cert_error;
84 const absl::optional<std::string>& root_certs() const { return root_certs_; }
86 const absl::optional<PemKeyCertPairList>& key_cert_pairs() const {
87 return key_cert_pairs_;
90 grpc_error_handle root_cert_error() const { return root_cert_error_; }
92 grpc_error_handle identity_cert_error() const { return identity_cert_error_; }
95 absl::optional<std::string> root_certs_;
96 absl::optional<PemKeyCertPairList> key_cert_pairs_;
97 grpc_error_handle root_cert_error_ = GRPC_ERROR_NONE;
98 grpc_error_handle identity_cert_error_ = GRPC_ERROR_NONE;
102 XdsCertificateProviderTest,
103 RootCertDistributorDifferentFromIdentityCertDistributorDifferentCertNames) {
104 auto root_cert_distributor =
105 MakeRefCounted<grpc_tls_certificate_distributor>();
106 auto identity_cert_distributor =
107 MakeRefCounted<grpc_tls_certificate_distributor>();
108 XdsCertificateProvider provider;
109 provider.UpdateRootCertNameAndDistributor("", "root", root_cert_distributor);
110 provider.UpdateIdentityCertNameAndDistributor("", "identity",
111 identity_cert_distributor);
112 auto* watcher = new TestCertificatesWatcher;
113 provider.distributor()->WatchTlsCertificates(
114 std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
115 EXPECT_EQ(watcher->root_certs(), absl::nullopt);
116 EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
117 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
118 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
119 // Update both root certs and identity certs
120 root_cert_distributor->SetKeyMaterials("root", kRootCert1, absl::nullopt);
121 identity_cert_distributor->SetKeyMaterials("identity", absl::nullopt,
122 MakeKeyCertPairsType1());
123 EXPECT_EQ(watcher->root_certs(), kRootCert1);
124 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
125 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
126 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
127 // Second update for just root certs
128 root_cert_distributor->SetKeyMaterials(
130 MakeKeyCertPairsType2() /* does not have an effect */);
131 EXPECT_EQ(watcher->root_certs(), kRootCert2);
132 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
133 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
134 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
135 // Second update for identity certs
136 identity_cert_distributor->SetKeyMaterials(
137 "identity", kRootCert1 /* does not have an effect */,
138 MakeKeyCertPairsType2());
139 EXPECT_EQ(watcher->root_certs(), kRootCert2);
140 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
141 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
142 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
143 // Set error for both root and identity
144 root_cert_distributor->SetErrorForCert(
145 "root", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
147 identity_cert_distributor->SetErrorForCert(
148 "identity", absl::nullopt,
149 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
150 EXPECT_EQ(watcher->root_certs(), kRootCert2);
151 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
152 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
153 ::testing::HasSubstr(kRootErrorMessage));
154 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
155 ::testing::HasSubstr(kIdentityErrorMessage));
156 // Send an update for root certs. Test that the root cert error is reset.
157 root_cert_distributor->SetKeyMaterials("root", kRootCert1, absl::nullopt);
158 EXPECT_EQ(watcher->root_certs(), kRootCert1);
159 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
160 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
161 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
162 ::testing::HasSubstr(kIdentityErrorMessage));
163 // Send an update for identity certs. Test that the identity cert error is
165 identity_cert_distributor->SetKeyMaterials("identity", absl::nullopt,
166 MakeKeyCertPairsType1());
167 EXPECT_EQ(watcher->root_certs(), kRootCert1);
168 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
169 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
170 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
173 TEST(XdsCertificateProviderTest,
174 RootCertDistributorDifferentFromIdentityCertDistributorSameCertNames) {
175 auto root_cert_distributor =
176 MakeRefCounted<grpc_tls_certificate_distributor>();
177 auto identity_cert_distributor =
178 MakeRefCounted<grpc_tls_certificate_distributor>();
179 XdsCertificateProvider provider;
180 provider.UpdateRootCertNameAndDistributor("", "test", root_cert_distributor);
181 provider.UpdateIdentityCertNameAndDistributor("", "test",
182 identity_cert_distributor);
183 auto* watcher = new TestCertificatesWatcher;
184 provider.distributor()->WatchTlsCertificates(
185 std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
186 EXPECT_EQ(watcher->root_certs(), absl::nullopt);
187 EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
188 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
189 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
190 // Update both root certs and identity certs
191 root_cert_distributor->SetKeyMaterials("test", kRootCert1, absl::nullopt);
192 identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
193 MakeKeyCertPairsType1());
194 EXPECT_EQ(watcher->root_certs(), kRootCert1);
195 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
196 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
197 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
198 // Second update for just root certs
199 root_cert_distributor->SetKeyMaterials("test", kRootCert2, absl::nullopt);
200 EXPECT_EQ(watcher->root_certs(), kRootCert2);
201 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
202 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
203 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
204 // Second update for identity certs
205 identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
206 MakeKeyCertPairsType2());
207 EXPECT_EQ(watcher->root_certs(), kRootCert2);
208 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
209 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
210 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
211 // Set error for both root and identity
212 root_cert_distributor->SetErrorForCert(
213 "test", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
215 identity_cert_distributor->SetErrorForCert(
216 "test", absl::nullopt,
217 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
218 EXPECT_EQ(watcher->root_certs(), kRootCert2);
219 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
220 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
221 ::testing::HasSubstr(kRootErrorMessage));
222 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
223 ::testing::HasSubstr(kIdentityErrorMessage));
224 // Send an update for root certs. Test that the root cert error is reset.
225 root_cert_distributor->SetKeyMaterials("test", kRootCert1, absl::nullopt);
226 EXPECT_EQ(watcher->root_certs(), kRootCert1);
227 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
228 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
229 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
230 ::testing::HasSubstr(kIdentityErrorMessage));
231 // Send an update for identity certs. Test that the identity cert error is
233 identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
234 MakeKeyCertPairsType1());
235 EXPECT_EQ(watcher->root_certs(), kRootCert1);
236 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
237 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
238 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
239 // Test update on unwatched cert name
240 identity_cert_distributor->SetKeyMaterials("identity", kRootCert2,
241 MakeKeyCertPairsType2());
242 root_cert_distributor->SetKeyMaterials("root", kRootCert1,
243 MakeKeyCertPairsType1());
246 TEST(XdsCertificateProviderTest,
247 RootCertDistributorSameAsIdentityCertDistributorDifferentCertNames) {
248 auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
249 XdsCertificateProvider provider;
250 provider.UpdateRootCertNameAndDistributor("", "root", distributor);
251 provider.UpdateIdentityCertNameAndDistributor("", "identity", distributor);
252 auto* watcher = new TestCertificatesWatcher;
253 provider.distributor()->WatchTlsCertificates(
254 std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
255 EXPECT_EQ(watcher->root_certs(), absl::nullopt);
256 EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
257 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
258 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
259 // Update both root certs and identity certs
260 distributor->SetKeyMaterials("root", kRootCert1, MakeKeyCertPairsType2());
261 distributor->SetKeyMaterials("identity", kRootCert2, MakeKeyCertPairsType1());
262 EXPECT_EQ(watcher->root_certs(), kRootCert1);
263 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
264 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
265 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
266 // Second update for just root certs
267 distributor->SetKeyMaterials("root", kRootCert2, MakeKeyCertPairsType2());
268 EXPECT_EQ(watcher->root_certs(), kRootCert2);
269 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
270 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
271 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
272 // Second update for identity certs
273 distributor->SetKeyMaterials("identity", kRootCert1, MakeKeyCertPairsType2());
274 EXPECT_EQ(watcher->root_certs(), kRootCert2);
275 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
276 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
277 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
278 // Set error for root
279 distributor->SetErrorForCert(
280 "root", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
281 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage));
282 EXPECT_EQ(watcher->root_certs(), kRootCert2);
283 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
284 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
285 ::testing::HasSubstr(kRootErrorMessage));
286 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
287 distributor->SetErrorForCert(
288 "identity", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage),
289 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
290 EXPECT_EQ(watcher->root_certs(), kRootCert2);
291 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
292 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
293 ::testing::HasSubstr(kRootErrorMessage));
294 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
295 ::testing::HasSubstr(kIdentityErrorMessage));
296 // Send an update for root
297 distributor->SetKeyMaterials("root", kRootCert1, MakeKeyCertPairsType1());
298 EXPECT_EQ(watcher->root_certs(), kRootCert1);
299 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
300 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
301 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
302 ::testing::HasSubstr(kIdentityErrorMessage));
303 // Send an update for identity
304 distributor->SetKeyMaterials("identity", kRootCert2, MakeKeyCertPairsType1());
305 EXPECT_EQ(watcher->root_certs(), kRootCert1);
306 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
307 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
308 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
311 TEST(XdsCertificateProviderTest,
312 RootCertDistributorSameAsIdentityCertDistributorSameCertNames) {
313 auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
314 XdsCertificateProvider provider;
315 provider.UpdateRootCertNameAndDistributor("", "", distributor);
316 provider.UpdateIdentityCertNameAndDistributor("", "", distributor);
317 auto* watcher = new TestCertificatesWatcher;
318 provider.distributor()->WatchTlsCertificates(
319 std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
320 EXPECT_EQ(watcher->root_certs(), absl::nullopt);
321 EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
322 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
323 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
324 // Update both root certs and identity certs
325 distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
326 EXPECT_EQ(watcher->root_certs(), kRootCert1);
327 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
328 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
329 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
330 // Second update for just root certs
331 distributor->SetKeyMaterials("", kRootCert2, absl::nullopt);
332 EXPECT_EQ(watcher->root_certs(), kRootCert2);
333 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
334 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
335 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
336 // Second update for identity certs
337 distributor->SetKeyMaterials("", absl::nullopt, MakeKeyCertPairsType2());
338 EXPECT_EQ(watcher->root_certs(), kRootCert2);
339 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
340 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
341 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
342 // Set error for root
343 distributor->SetErrorForCert(
344 "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
346 EXPECT_EQ(watcher->root_certs(), kRootCert2);
347 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
348 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
349 ::testing::HasSubstr(kRootErrorMessage));
350 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
351 // Set error for identity
352 distributor->SetErrorForCert(
354 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
355 EXPECT_EQ(watcher->root_certs(), kRootCert2);
356 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
357 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
358 ::testing::HasSubstr(kRootErrorMessage));
359 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
360 ::testing::HasSubstr(kIdentityErrorMessage));
361 // Send an update for root
362 distributor->SetKeyMaterials("", kRootCert1, absl::nullopt);
363 EXPECT_EQ(watcher->root_certs(), kRootCert1);
364 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
365 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
366 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
367 ::testing::HasSubstr(kIdentityErrorMessage));
368 // Send an update for identity
369 distributor->SetKeyMaterials("", absl::nullopt, MakeKeyCertPairsType1());
370 EXPECT_EQ(watcher->root_certs(), kRootCert1);
371 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
372 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
373 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
376 TEST(XdsCertificateProviderTest, SwapOutDistributorsMultipleTimes) {
377 auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
378 distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
379 XdsCertificateProvider provider;
380 auto* watcher = new TestCertificatesWatcher;
381 provider.distributor()->WatchTlsCertificates(
382 std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
383 // Initially there are no certificate providers.
384 EXPECT_EQ(watcher->root_certs(), absl::nullopt);
385 EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
386 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
387 ::testing::HasSubstr(
388 "No certificate provider available for root certificates"));
390 grpc_error_std_string(watcher->identity_cert_error()),
391 ::testing::HasSubstr(
392 "No certificate provider available for identity certificates"));
393 // Update root cert distributor.
394 provider.UpdateRootCertNameAndDistributor("", "", distributor);
395 EXPECT_EQ(watcher->root_certs(), kRootCert1);
396 EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
397 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
399 grpc_error_std_string(watcher->identity_cert_error()),
400 ::testing::HasSubstr(
401 "No certificate provider available for identity certificates"));
402 // Update identity cert distributor
403 provider.UpdateIdentityCertNameAndDistributor("", "", distributor);
404 EXPECT_EQ(watcher->root_certs(), kRootCert1);
405 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
406 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
407 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
408 // Update both root and identity certs
409 distributor->SetKeyMaterials("", kRootCert2, MakeKeyCertPairsType2());
410 EXPECT_EQ(watcher->root_certs(), kRootCert2);
411 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
412 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
413 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
414 // Set error for both root and identity
415 distributor->SetErrorForCert(
416 "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
417 GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
418 EXPECT_EQ(watcher->root_certs(), kRootCert2);
419 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
420 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
421 ::testing::HasSubstr(kRootErrorMessage));
422 EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
423 ::testing::HasSubstr(kIdentityErrorMessage));
424 // Send an update again
425 distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
426 EXPECT_EQ(watcher->root_certs(), kRootCert1);
427 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
428 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
429 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
430 // Remove root cert provider
431 provider.UpdateRootCertNameAndDistributor("", "", nullptr);
432 distributor->SetKeyMaterials("", kRootCert2, MakeKeyCertPairsType2());
433 EXPECT_EQ(watcher->root_certs(), kRootCert1); // not updated
434 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
435 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
436 ::testing::HasSubstr(
437 "No certificate provider available for root certificates"));
438 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
439 // Remove identity cert provider too
440 provider.UpdateIdentityCertNameAndDistributor("", "", nullptr);
441 distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
442 EXPECT_EQ(watcher->root_certs(), kRootCert1);
443 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2()); // not updated
444 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
445 ::testing::HasSubstr(
446 "No certificate provider available for root certificates"));
448 grpc_error_std_string(watcher->identity_cert_error()),
449 ::testing::HasSubstr(
450 "No certificate provider available for identity certificates"));
451 // Change certificate names being watched, without any certificate updates.
452 provider.UpdateRootCertNameAndDistributor("", "root", distributor);
453 provider.UpdateIdentityCertNameAndDistributor("", "identity", distributor);
454 EXPECT_EQ(watcher->root_certs(), kRootCert1);
455 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
456 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
457 ::testing::HasSubstr(
458 "No certificate provider available for root certificates"));
460 grpc_error_std_string(watcher->identity_cert_error()),
461 ::testing::HasSubstr(
462 "No certificate provider available for identity certificates"));
463 // Send out certificate updates.
464 distributor->SetKeyMaterials("root", kRootCert2, absl::nullopt);
465 distributor->SetKeyMaterials("identity", absl::nullopt,
466 MakeKeyCertPairsType1());
467 EXPECT_EQ(watcher->root_certs(), kRootCert2);
468 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
469 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
470 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
471 // Swap in new certificate distributors with different certificate names and
473 auto root_cert_distributor =
474 MakeRefCounted<grpc_tls_certificate_distributor>();
475 auto identity_cert_distributor =
476 MakeRefCounted<grpc_tls_certificate_distributor>();
477 provider.UpdateRootCertNameAndDistributor("", "root", root_cert_distributor);
478 provider.UpdateIdentityCertNameAndDistributor("", "identity",
479 identity_cert_distributor);
480 EXPECT_EQ(watcher->root_certs(), kRootCert2);
481 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
482 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
483 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
484 // Change certificate names without any certificate updates.
485 provider.UpdateRootCertNameAndDistributor("", "test", root_cert_distributor);
486 provider.UpdateIdentityCertNameAndDistributor("", "test",
487 identity_cert_distributor);
488 EXPECT_EQ(watcher->root_certs(), kRootCert2);
489 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
490 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
491 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
492 // Send out certificate updates.
493 root_cert_distributor->SetKeyMaterials("test", kRootCert1,
494 MakeKeyCertPairsType1());
495 identity_cert_distributor->SetKeyMaterials("test", kRootCert2,
496 MakeKeyCertPairsType2());
497 EXPECT_EQ(watcher->root_certs(), kRootCert1);
498 EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
499 EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
500 EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
503 TEST(XdsCertificateProviderTest, MultipleCertNames) {
504 XdsCertificateProvider provider;
505 // Start watch for "test1". There are no underlying distributors for
506 // that cert name, so it will return an error.
507 auto* watcher1 = new TestCertificatesWatcher;
508 provider.distributor()->WatchTlsCertificates(
509 std::unique_ptr<TestCertificatesWatcher>(watcher1), "test1", "test1");
510 EXPECT_EQ(watcher1->root_certs(), absl::nullopt);
511 EXPECT_EQ(watcher1->key_cert_pairs(), absl::nullopt);
512 EXPECT_THAT(grpc_error_std_string(watcher1->root_cert_error()),
513 ::testing::HasSubstr(
514 "No certificate provider available for root certificates"));
516 grpc_error_std_string(watcher1->identity_cert_error()),
517 ::testing::HasSubstr(
518 "No certificate provider available for identity certificates"));
519 // Add distributor for "test1". This will return data to the watcher.
520 auto cert_distributor1 = MakeRefCounted<grpc_tls_certificate_distributor>();
521 cert_distributor1->SetKeyMaterials("root", kRootCert1, absl::nullopt);
522 cert_distributor1->SetKeyMaterials("identity", absl::nullopt,
523 MakeKeyCertPairsType1());
524 provider.UpdateRootCertNameAndDistributor("test1", "root", cert_distributor1);
525 provider.UpdateIdentityCertNameAndDistributor("test1", "identity",
527 EXPECT_EQ(watcher1->root_certs(), kRootCert1);
528 EXPECT_EQ(watcher1->key_cert_pairs(), MakeKeyCertPairsType1());
529 EXPECT_EQ(watcher1->root_cert_error(), GRPC_ERROR_NONE);
530 EXPECT_EQ(watcher1->identity_cert_error(), GRPC_ERROR_NONE);
531 // Add distributor for "test2".
532 auto cert_distributor2 = MakeRefCounted<grpc_tls_certificate_distributor>();
533 cert_distributor2->SetKeyMaterials("root2", kRootCert2, absl::nullopt);
534 cert_distributor2->SetKeyMaterials("identity2", absl::nullopt,
535 MakeKeyCertPairsType2());
536 provider.UpdateRootCertNameAndDistributor("test2", "root2",
538 provider.UpdateIdentityCertNameAndDistributor("test2", "identity2",
540 // Add watcher for "test2". This one should return data immediately.
541 auto* watcher2 = new TestCertificatesWatcher;
542 provider.distributor()->WatchTlsCertificates(
543 std::unique_ptr<TestCertificatesWatcher>(watcher2), "test2", "test2");
544 EXPECT_EQ(watcher2->root_certs(), kRootCert2);
545 EXPECT_EQ(watcher2->key_cert_pairs(), MakeKeyCertPairsType2());
546 EXPECT_EQ(watcher2->root_cert_error(), GRPC_ERROR_NONE);
547 EXPECT_EQ(watcher2->identity_cert_error(), GRPC_ERROR_NONE);
548 // The presence of "test2" should not affect "test1".
549 EXPECT_EQ(watcher1->root_certs(), kRootCert1);
550 EXPECT_EQ(watcher1->key_cert_pairs(), MakeKeyCertPairsType1());
551 EXPECT_EQ(watcher1->root_cert_error(), GRPC_ERROR_NONE);
552 EXPECT_EQ(watcher1->identity_cert_error(), GRPC_ERROR_NONE);
555 TEST(XdsCertificateProviderTest, UnknownCertName) {
556 XdsCertificateProvider provider;
557 auto* watcher = new TestCertificatesWatcher;
558 provider.distributor()->WatchTlsCertificates(
559 std::unique_ptr<TestCertificatesWatcher>(watcher), "test", "test");
560 EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
561 ::testing::HasSubstr(
562 "No certificate provider available for root certificates"));
564 grpc_error_std_string(watcher->identity_cert_error()),
565 ::testing::HasSubstr(
566 "No certificate provider available for identity certificates"));
570 } // namespace testing
571 } // namespace grpc_core
573 int main(int argc, char** argv) {
574 ::testing::InitGoogleTest(&argc, argv);
575 grpc::testing::TestEnvironment env(argc, argv);
577 auto result = RUN_ALL_TESTS();