32e2bcb1697b7c4d39f3928549b0c8bd6e7de785
[platform/upstream/grpc.git] / test / core / xds / xds_certificate_provider_test.cc
1 //
2 //
3 // Copyright 2020 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include <gmock/gmock.h>
20 #include <gtest/gtest.h>
21
22 #include "src/core/ext/xds/xds_certificate_provider.h"
23 #include "test/core/util/test_config.h"
24 #include "test/core/util/tls_utils.h"
25
26 namespace grpc_core {
27 namespace testing {
28 namespace {
29
30 constexpr const char* kRootCert1 = "root_cert_1_contents";
31 constexpr const char* kRootCert2 = "root_cert_2_contents";
32 constexpr const char* kIdentityCert1PrivateKey = "identity_private_key_1";
33 constexpr const char* kIdentityCert1 = "identity_cert_1_contents";
34 constexpr const char* kIdentityCert2PrivateKey = "identity_private_key_2";
35 constexpr const char* kIdentityCert2 = "identity_cert_2_contents";
36 constexpr const char* kRootErrorMessage = "root_error_message";
37 constexpr const char* kIdentityErrorMessage = "identity_error_message";
38
39 PemKeyCertPairList MakeKeyCertPairsType1() {
40   return MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1);
41 }
42
43 PemKeyCertPairList MakeKeyCertPairsType2() {
44   return MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2);
45 }
46
47 class TestCertificatesWatcher
48     : public grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface {
49  public:
50   ~TestCertificatesWatcher() override {
51     GRPC_ERROR_UNREF(root_cert_error_);
52     GRPC_ERROR_UNREF(identity_cert_error_);
53   }
54
55   void OnCertificatesChanged(
56       absl::optional<absl::string_view> root_certs,
57       absl::optional<PemKeyCertPairList> key_cert_pairs) override {
58     if (root_certs.has_value()) {
59       if (!root_certs_.has_value() ||
60           (root_certs_.has_value() &&
61            std::string(root_certs.value()) != root_certs_.value())) {
62         GRPC_ERROR_UNREF(root_cert_error_);
63         root_cert_error_ = GRPC_ERROR_NONE;
64       }
65       root_certs_.emplace(std::string(root_certs.value()));
66     }
67     if (key_cert_pairs.has_value()) {
68       if (key_cert_pairs != key_cert_pairs_) {
69         GRPC_ERROR_UNREF(identity_cert_error_);
70         identity_cert_error_ = GRPC_ERROR_NONE;
71         key_cert_pairs_ = key_cert_pairs;
72       }
73     }
74   }
75
76   void OnError(grpc_error_handle root_cert_error,
77                grpc_error_handle identity_cert_error) override {
78     GRPC_ERROR_UNREF(root_cert_error_);
79     root_cert_error_ = root_cert_error;
80     GRPC_ERROR_UNREF(identity_cert_error_);
81     identity_cert_error_ = identity_cert_error;
82   }
83
84   const absl::optional<std::string>& root_certs() const { return root_certs_; }
85
86   const absl::optional<PemKeyCertPairList>& key_cert_pairs() const {
87     return key_cert_pairs_;
88   }
89
90   grpc_error_handle root_cert_error() const { return root_cert_error_; }
91
92   grpc_error_handle identity_cert_error() const { return identity_cert_error_; }
93
94  private:
95   absl::optional<std::string> root_certs_;
96   absl::optional<PemKeyCertPairList> key_cert_pairs_;
97   grpc_error_handle root_cert_error_ = GRPC_ERROR_NONE;
98   grpc_error_handle identity_cert_error_ = GRPC_ERROR_NONE;
99 };
100
101 TEST(
102     XdsCertificateProviderTest,
103     RootCertDistributorDifferentFromIdentityCertDistributorDifferentCertNames) {
104   auto root_cert_distributor =
105       MakeRefCounted<grpc_tls_certificate_distributor>();
106   auto identity_cert_distributor =
107       MakeRefCounted<grpc_tls_certificate_distributor>();
108   XdsCertificateProvider provider;
109   provider.UpdateRootCertNameAndDistributor("", "root", root_cert_distributor);
110   provider.UpdateIdentityCertNameAndDistributor("", "identity",
111                                                 identity_cert_distributor);
112   auto* watcher = new TestCertificatesWatcher;
113   provider.distributor()->WatchTlsCertificates(
114       std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
115   EXPECT_EQ(watcher->root_certs(), absl::nullopt);
116   EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
117   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
118   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
119   // Update both root certs and identity certs
120   root_cert_distributor->SetKeyMaterials("root", kRootCert1, absl::nullopt);
121   identity_cert_distributor->SetKeyMaterials("identity", absl::nullopt,
122                                              MakeKeyCertPairsType1());
123   EXPECT_EQ(watcher->root_certs(), kRootCert1);
124   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
125   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
126   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
127   // Second update for just root certs
128   root_cert_distributor->SetKeyMaterials(
129       "root", kRootCert2,
130       MakeKeyCertPairsType2() /* does not have an effect */);
131   EXPECT_EQ(watcher->root_certs(), kRootCert2);
132   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
133   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
134   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
135   // Second update for identity certs
136   identity_cert_distributor->SetKeyMaterials(
137       "identity", kRootCert1 /* does not have an effect */,
138       MakeKeyCertPairsType2());
139   EXPECT_EQ(watcher->root_certs(), kRootCert2);
140   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
141   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
142   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
143   // Set error for both root and identity
144   root_cert_distributor->SetErrorForCert(
145       "root", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
146       absl::nullopt);
147   identity_cert_distributor->SetErrorForCert(
148       "identity", absl::nullopt,
149       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
150   EXPECT_EQ(watcher->root_certs(), kRootCert2);
151   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
152   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
153               ::testing::HasSubstr(kRootErrorMessage));
154   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
155               ::testing::HasSubstr(kIdentityErrorMessage));
156   // Send an update for root certs. Test that the root cert error is reset.
157   root_cert_distributor->SetKeyMaterials("root", kRootCert1, absl::nullopt);
158   EXPECT_EQ(watcher->root_certs(), kRootCert1);
159   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
160   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
161   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
162               ::testing::HasSubstr(kIdentityErrorMessage));
163   // Send an update for identity certs. Test that the identity cert error is
164   // reset.
165   identity_cert_distributor->SetKeyMaterials("identity", absl::nullopt,
166                                              MakeKeyCertPairsType1());
167   EXPECT_EQ(watcher->root_certs(), kRootCert1);
168   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
169   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
170   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
171 }
172
173 TEST(XdsCertificateProviderTest,
174      RootCertDistributorDifferentFromIdentityCertDistributorSameCertNames) {
175   auto root_cert_distributor =
176       MakeRefCounted<grpc_tls_certificate_distributor>();
177   auto identity_cert_distributor =
178       MakeRefCounted<grpc_tls_certificate_distributor>();
179   XdsCertificateProvider provider;
180   provider.UpdateRootCertNameAndDistributor("", "test", root_cert_distributor);
181   provider.UpdateIdentityCertNameAndDistributor("", "test",
182                                                 identity_cert_distributor);
183   auto* watcher = new TestCertificatesWatcher;
184   provider.distributor()->WatchTlsCertificates(
185       std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
186   EXPECT_EQ(watcher->root_certs(), absl::nullopt);
187   EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
188   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
189   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
190   // Update both root certs and identity certs
191   root_cert_distributor->SetKeyMaterials("test", kRootCert1, absl::nullopt);
192   identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
193                                              MakeKeyCertPairsType1());
194   EXPECT_EQ(watcher->root_certs(), kRootCert1);
195   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
196   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
197   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
198   // Second update for just root certs
199   root_cert_distributor->SetKeyMaterials("test", kRootCert2, absl::nullopt);
200   EXPECT_EQ(watcher->root_certs(), kRootCert2);
201   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
202   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
203   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
204   // Second update for identity certs
205   identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
206                                              MakeKeyCertPairsType2());
207   EXPECT_EQ(watcher->root_certs(), kRootCert2);
208   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
209   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
210   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
211   // Set error for both root and identity
212   root_cert_distributor->SetErrorForCert(
213       "test", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
214       absl::nullopt);
215   identity_cert_distributor->SetErrorForCert(
216       "test", absl::nullopt,
217       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
218   EXPECT_EQ(watcher->root_certs(), kRootCert2);
219   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
220   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
221               ::testing::HasSubstr(kRootErrorMessage));
222   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
223               ::testing::HasSubstr(kIdentityErrorMessage));
224   // Send an update for root certs. Test that the root cert error is reset.
225   root_cert_distributor->SetKeyMaterials("test", kRootCert1, absl::nullopt);
226   EXPECT_EQ(watcher->root_certs(), kRootCert1);
227   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
228   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
229   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
230               ::testing::HasSubstr(kIdentityErrorMessage));
231   // Send an update for identity certs. Test that the identity cert error is
232   // reset.
233   identity_cert_distributor->SetKeyMaterials("test", absl::nullopt,
234                                              MakeKeyCertPairsType1());
235   EXPECT_EQ(watcher->root_certs(), kRootCert1);
236   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
237   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
238   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
239   // Test update on unwatched cert name
240   identity_cert_distributor->SetKeyMaterials("identity", kRootCert2,
241                                              MakeKeyCertPairsType2());
242   root_cert_distributor->SetKeyMaterials("root", kRootCert1,
243                                          MakeKeyCertPairsType1());
244 }
245
246 TEST(XdsCertificateProviderTest,
247      RootCertDistributorSameAsIdentityCertDistributorDifferentCertNames) {
248   auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
249   XdsCertificateProvider provider;
250   provider.UpdateRootCertNameAndDistributor("", "root", distributor);
251   provider.UpdateIdentityCertNameAndDistributor("", "identity", distributor);
252   auto* watcher = new TestCertificatesWatcher;
253   provider.distributor()->WatchTlsCertificates(
254       std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
255   EXPECT_EQ(watcher->root_certs(), absl::nullopt);
256   EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
257   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
258   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
259   // Update both root certs and identity certs
260   distributor->SetKeyMaterials("root", kRootCert1, MakeKeyCertPairsType2());
261   distributor->SetKeyMaterials("identity", kRootCert2, MakeKeyCertPairsType1());
262   EXPECT_EQ(watcher->root_certs(), kRootCert1);
263   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
264   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
265   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
266   // Second update for just root certs
267   distributor->SetKeyMaterials("root", kRootCert2, MakeKeyCertPairsType2());
268   EXPECT_EQ(watcher->root_certs(), kRootCert2);
269   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
270   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
271   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
272   // Second update for identity certs
273   distributor->SetKeyMaterials("identity", kRootCert1, MakeKeyCertPairsType2());
274   EXPECT_EQ(watcher->root_certs(), kRootCert2);
275   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
276   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
277   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
278   // Set error for root
279   distributor->SetErrorForCert(
280       "root", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
281       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage));
282   EXPECT_EQ(watcher->root_certs(), kRootCert2);
283   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
284   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
285               ::testing::HasSubstr(kRootErrorMessage));
286   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
287   distributor->SetErrorForCert(
288       "identity", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage),
289       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
290   EXPECT_EQ(watcher->root_certs(), kRootCert2);
291   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
292   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
293               ::testing::HasSubstr(kRootErrorMessage));
294   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
295               ::testing::HasSubstr(kIdentityErrorMessage));
296   // Send an update for root
297   distributor->SetKeyMaterials("root", kRootCert1, MakeKeyCertPairsType1());
298   EXPECT_EQ(watcher->root_certs(), kRootCert1);
299   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
300   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
301   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
302               ::testing::HasSubstr(kIdentityErrorMessage));
303   // Send an update for identity
304   distributor->SetKeyMaterials("identity", kRootCert2, MakeKeyCertPairsType1());
305   EXPECT_EQ(watcher->root_certs(), kRootCert1);
306   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
307   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
308   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
309 }
310
311 TEST(XdsCertificateProviderTest,
312      RootCertDistributorSameAsIdentityCertDistributorSameCertNames) {
313   auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
314   XdsCertificateProvider provider;
315   provider.UpdateRootCertNameAndDistributor("", "", distributor);
316   provider.UpdateIdentityCertNameAndDistributor("", "", distributor);
317   auto* watcher = new TestCertificatesWatcher;
318   provider.distributor()->WatchTlsCertificates(
319       std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
320   EXPECT_EQ(watcher->root_certs(), absl::nullopt);
321   EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
322   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
323   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
324   // Update both root certs and identity certs
325   distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
326   EXPECT_EQ(watcher->root_certs(), kRootCert1);
327   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
328   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
329   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
330   // Second update for just root certs
331   distributor->SetKeyMaterials("", kRootCert2, absl::nullopt);
332   EXPECT_EQ(watcher->root_certs(), kRootCert2);
333   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
334   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
335   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
336   // Second update for identity certs
337   distributor->SetKeyMaterials("", absl::nullopt, MakeKeyCertPairsType2());
338   EXPECT_EQ(watcher->root_certs(), kRootCert2);
339   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
340   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
341   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
342   // Set error for root
343   distributor->SetErrorForCert(
344       "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
345       absl::nullopt);
346   EXPECT_EQ(watcher->root_certs(), kRootCert2);
347   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
348   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
349               ::testing::HasSubstr(kRootErrorMessage));
350   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
351   // Set error for identity
352   distributor->SetErrorForCert(
353       "", absl::nullopt,
354       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
355   EXPECT_EQ(watcher->root_certs(), kRootCert2);
356   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
357   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
358               ::testing::HasSubstr(kRootErrorMessage));
359   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
360               ::testing::HasSubstr(kIdentityErrorMessage));
361   // Send an update for root
362   distributor->SetKeyMaterials("", kRootCert1, absl::nullopt);
363   EXPECT_EQ(watcher->root_certs(), kRootCert1);
364   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
365   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
366   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
367               ::testing::HasSubstr(kIdentityErrorMessage));
368   // Send an update for identity
369   distributor->SetKeyMaterials("", absl::nullopt, MakeKeyCertPairsType1());
370   EXPECT_EQ(watcher->root_certs(), kRootCert1);
371   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
372   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
373   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
374 }
375
376 TEST(XdsCertificateProviderTest, SwapOutDistributorsMultipleTimes) {
377   auto distributor = MakeRefCounted<grpc_tls_certificate_distributor>();
378   distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
379   XdsCertificateProvider provider;
380   auto* watcher = new TestCertificatesWatcher;
381   provider.distributor()->WatchTlsCertificates(
382       std::unique_ptr<TestCertificatesWatcher>(watcher), "", "");
383   // Initially there are no certificate providers.
384   EXPECT_EQ(watcher->root_certs(), absl::nullopt);
385   EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
386   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
387               ::testing::HasSubstr(
388                   "No certificate provider available for root certificates"));
389   EXPECT_THAT(
390       grpc_error_std_string(watcher->identity_cert_error()),
391       ::testing::HasSubstr(
392           "No certificate provider available for identity certificates"));
393   // Update root cert distributor.
394   provider.UpdateRootCertNameAndDistributor("", "", distributor);
395   EXPECT_EQ(watcher->root_certs(), kRootCert1);
396   EXPECT_EQ(watcher->key_cert_pairs(), absl::nullopt);
397   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
398   EXPECT_THAT(
399       grpc_error_std_string(watcher->identity_cert_error()),
400       ::testing::HasSubstr(
401           "No certificate provider available for identity certificates"));
402   // Update identity cert distributor
403   provider.UpdateIdentityCertNameAndDistributor("", "", distributor);
404   EXPECT_EQ(watcher->root_certs(), kRootCert1);
405   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
406   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
407   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
408   // Update both root and identity certs
409   distributor->SetKeyMaterials("", kRootCert2, MakeKeyCertPairsType2());
410   EXPECT_EQ(watcher->root_certs(), kRootCert2);
411   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
412   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
413   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
414   // Set error for both root and identity
415   distributor->SetErrorForCert(
416       "", GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage),
417       GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage));
418   EXPECT_EQ(watcher->root_certs(), kRootCert2);
419   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
420   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
421               ::testing::HasSubstr(kRootErrorMessage));
422   EXPECT_THAT(grpc_error_std_string(watcher->identity_cert_error()),
423               ::testing::HasSubstr(kIdentityErrorMessage));
424   // Send an update again
425   distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
426   EXPECT_EQ(watcher->root_certs(), kRootCert1);
427   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
428   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
429   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
430   // Remove root cert provider
431   provider.UpdateRootCertNameAndDistributor("", "", nullptr);
432   distributor->SetKeyMaterials("", kRootCert2, MakeKeyCertPairsType2());
433   EXPECT_EQ(watcher->root_certs(), kRootCert1);  // not updated
434   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
435   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
436               ::testing::HasSubstr(
437                   "No certificate provider available for root certificates"));
438   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
439   // Remove identity cert provider too
440   provider.UpdateIdentityCertNameAndDistributor("", "", nullptr);
441   distributor->SetKeyMaterials("", kRootCert1, MakeKeyCertPairsType1());
442   EXPECT_EQ(watcher->root_certs(), kRootCert1);
443   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());  // not updated
444   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
445               ::testing::HasSubstr(
446                   "No certificate provider available for root certificates"));
447   EXPECT_THAT(
448       grpc_error_std_string(watcher->identity_cert_error()),
449       ::testing::HasSubstr(
450           "No certificate provider available for identity certificates"));
451   // Change certificate names being watched, without any certificate updates.
452   provider.UpdateRootCertNameAndDistributor("", "root", distributor);
453   provider.UpdateIdentityCertNameAndDistributor("", "identity", distributor);
454   EXPECT_EQ(watcher->root_certs(), kRootCert1);
455   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
456   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
457               ::testing::HasSubstr(
458                   "No certificate provider available for root certificates"));
459   EXPECT_THAT(
460       grpc_error_std_string(watcher->identity_cert_error()),
461       ::testing::HasSubstr(
462           "No certificate provider available for identity certificates"));
463   // Send out certificate updates.
464   distributor->SetKeyMaterials("root", kRootCert2, absl::nullopt);
465   distributor->SetKeyMaterials("identity", absl::nullopt,
466                                MakeKeyCertPairsType1());
467   EXPECT_EQ(watcher->root_certs(), kRootCert2);
468   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
469   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
470   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
471   // Swap in new certificate distributors with different certificate names and
472   // existing updates.
473   auto root_cert_distributor =
474       MakeRefCounted<grpc_tls_certificate_distributor>();
475   auto identity_cert_distributor =
476       MakeRefCounted<grpc_tls_certificate_distributor>();
477   provider.UpdateRootCertNameAndDistributor("", "root", root_cert_distributor);
478   provider.UpdateIdentityCertNameAndDistributor("", "identity",
479                                                 identity_cert_distributor);
480   EXPECT_EQ(watcher->root_certs(), kRootCert2);
481   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
482   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
483   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
484   // Change certificate names without any certificate updates.
485   provider.UpdateRootCertNameAndDistributor("", "test", root_cert_distributor);
486   provider.UpdateIdentityCertNameAndDistributor("", "test",
487                                                 identity_cert_distributor);
488   EXPECT_EQ(watcher->root_certs(), kRootCert2);
489   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType1());
490   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
491   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
492   // Send out certificate updates.
493   root_cert_distributor->SetKeyMaterials("test", kRootCert1,
494                                          MakeKeyCertPairsType1());
495   identity_cert_distributor->SetKeyMaterials("test", kRootCert2,
496                                              MakeKeyCertPairsType2());
497   EXPECT_EQ(watcher->root_certs(), kRootCert1);
498   EXPECT_EQ(watcher->key_cert_pairs(), MakeKeyCertPairsType2());
499   EXPECT_EQ(watcher->root_cert_error(), GRPC_ERROR_NONE);
500   EXPECT_EQ(watcher->identity_cert_error(), GRPC_ERROR_NONE);
501 }
502
503 TEST(XdsCertificateProviderTest, MultipleCertNames) {
504   XdsCertificateProvider provider;
505   // Start watch for "test1".  There are no underlying distributors for
506   // that cert name, so it will return an error.
507   auto* watcher1 = new TestCertificatesWatcher;
508   provider.distributor()->WatchTlsCertificates(
509       std::unique_ptr<TestCertificatesWatcher>(watcher1), "test1", "test1");
510   EXPECT_EQ(watcher1->root_certs(), absl::nullopt);
511   EXPECT_EQ(watcher1->key_cert_pairs(), absl::nullopt);
512   EXPECT_THAT(grpc_error_std_string(watcher1->root_cert_error()),
513               ::testing::HasSubstr(
514                   "No certificate provider available for root certificates"));
515   EXPECT_THAT(
516       grpc_error_std_string(watcher1->identity_cert_error()),
517       ::testing::HasSubstr(
518           "No certificate provider available for identity certificates"));
519   // Add distributor for "test1".  This will return data to the watcher.
520   auto cert_distributor1 = MakeRefCounted<grpc_tls_certificate_distributor>();
521   cert_distributor1->SetKeyMaterials("root", kRootCert1, absl::nullopt);
522   cert_distributor1->SetKeyMaterials("identity", absl::nullopt,
523                                      MakeKeyCertPairsType1());
524   provider.UpdateRootCertNameAndDistributor("test1", "root", cert_distributor1);
525   provider.UpdateIdentityCertNameAndDistributor("test1", "identity",
526                                                 cert_distributor1);
527   EXPECT_EQ(watcher1->root_certs(), kRootCert1);
528   EXPECT_EQ(watcher1->key_cert_pairs(), MakeKeyCertPairsType1());
529   EXPECT_EQ(watcher1->root_cert_error(), GRPC_ERROR_NONE);
530   EXPECT_EQ(watcher1->identity_cert_error(), GRPC_ERROR_NONE);
531   // Add distributor for "test2".
532   auto cert_distributor2 = MakeRefCounted<grpc_tls_certificate_distributor>();
533   cert_distributor2->SetKeyMaterials("root2", kRootCert2, absl::nullopt);
534   cert_distributor2->SetKeyMaterials("identity2", absl::nullopt,
535                                      MakeKeyCertPairsType2());
536   provider.UpdateRootCertNameAndDistributor("test2", "root2",
537                                             cert_distributor2);
538   provider.UpdateIdentityCertNameAndDistributor("test2", "identity2",
539                                                 cert_distributor2);
540   // Add watcher for "test2".  This one should return data immediately.
541   auto* watcher2 = new TestCertificatesWatcher;
542   provider.distributor()->WatchTlsCertificates(
543       std::unique_ptr<TestCertificatesWatcher>(watcher2), "test2", "test2");
544   EXPECT_EQ(watcher2->root_certs(), kRootCert2);
545   EXPECT_EQ(watcher2->key_cert_pairs(), MakeKeyCertPairsType2());
546   EXPECT_EQ(watcher2->root_cert_error(), GRPC_ERROR_NONE);
547   EXPECT_EQ(watcher2->identity_cert_error(), GRPC_ERROR_NONE);
548   // The presence of "test2" should not affect "test1".
549   EXPECT_EQ(watcher1->root_certs(), kRootCert1);
550   EXPECT_EQ(watcher1->key_cert_pairs(), MakeKeyCertPairsType1());
551   EXPECT_EQ(watcher1->root_cert_error(), GRPC_ERROR_NONE);
552   EXPECT_EQ(watcher1->identity_cert_error(), GRPC_ERROR_NONE);
553 }
554
555 TEST(XdsCertificateProviderTest, UnknownCertName) {
556   XdsCertificateProvider provider;
557   auto* watcher = new TestCertificatesWatcher;
558   provider.distributor()->WatchTlsCertificates(
559       std::unique_ptr<TestCertificatesWatcher>(watcher), "test", "test");
560   EXPECT_THAT(grpc_error_std_string(watcher->root_cert_error()),
561               ::testing::HasSubstr(
562                   "No certificate provider available for root certificates"));
563   EXPECT_THAT(
564       grpc_error_std_string(watcher->identity_cert_error()),
565       ::testing::HasSubstr(
566           "No certificate provider available for identity certificates"));
567 }
568
569 }  // namespace
570 }  // namespace testing
571 }  // namespace grpc_core
572
573 int main(int argc, char** argv) {
574   ::testing::InitGoogleTest(&argc, argv);
575   grpc::testing::TestEnvironment env(argc, argv);
576   grpc_init();
577   auto result = RUN_ALL_TESTS();
578   grpc_shutdown();
579   return result;
580 }