3 * Copyright 2015 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <gmock/gmock.h>
20 #include <grpc/grpc.h>
21 #include <grpc/grpc_security.h>
22 #include <grpcpp/security/credentials.h>
23 #include <grpcpp/security/server_credentials.h>
24 #include <grpcpp/security/tls_credentials_options.h>
25 #include <grpcpp/server_builder.h>
26 #include <gtest/gtest.h>
30 #include "src/core/lib/gpr/env.h"
31 #include "src/core/lib/gpr/tmpfile.h"
32 #include "src/cpp/client/secure_credentials.h"
33 #include "src/cpp/common/tls_credentials_options_util.h"
37 constexpr const char* kRootCertName = "root_cert_name";
38 constexpr const char* kRootCertContents = "root_cert_contents";
39 constexpr const char* kIdentityCertName = "identity_cert_name";
40 constexpr const char* kIdentityCertPrivateKey = "identity_private_key";
41 constexpr const char* kIdentityCertContents = "identity_cert_contents";
43 using ::grpc::experimental::StaticDataCertificateProvider;
44 using ::grpc::experimental::TlsServerAuthorizationCheckArg;
45 using ::grpc::experimental::TlsServerAuthorizationCheckConfig;
46 using ::grpc::experimental::TlsServerAuthorizationCheckInterface;
48 static void tls_server_authorization_check_callback(
49 grpc_tls_server_authorization_check_arg* arg) {
50 GPR_ASSERT(arg != nullptr);
51 std::string cb_user_data = "cb_user_data";
52 arg->cb_user_data = static_cast<void*>(gpr_strdup(cb_user_data.c_str()));
54 arg->target_name = gpr_strdup("callback_target_name");
55 arg->peer_cert = gpr_strdup("callback_peer_cert");
56 arg->status = GRPC_STATUS_OK;
57 arg->error_details->set_error_details("callback_error_details");
60 class TestTlsServerAuthorizationCheck
61 : public TlsServerAuthorizationCheckInterface {
62 int Schedule(TlsServerAuthorizationCheckArg* arg) override {
63 GPR_ASSERT(arg != nullptr);
64 std::string cb_user_data = "cb_user_data";
65 arg->set_cb_user_data(static_cast<void*>(gpr_strdup(cb_user_data.c_str())));
67 arg->set_target_name("sync_target_name");
68 arg->set_peer_cert("sync_peer_cert");
69 arg->set_status(GRPC_STATUS_OK);
70 arg->set_error_details("sync_error_details");
74 void Cancel(TlsServerAuthorizationCheckArg* arg) override {
75 GPR_ASSERT(arg != nullptr);
76 arg->set_status(GRPC_STATUS_PERMISSION_DENIED);
77 arg->set_error_details("cancelled");
86 TEST(CredentialsTest, InvalidGoogleRefreshToken) {
87 std::shared_ptr<CallCredentials> bad1 = GoogleRefreshTokenCredentials("");
88 EXPECT_EQ(static_cast<CallCredentials*>(nullptr), bad1.get());
91 TEST(CredentialsTest, DefaultCredentials) {
92 auto creds = GoogleDefaultCredentials();
95 TEST(CredentialsTest, StsCredentialsOptionsCppToCore) {
96 grpc::experimental::StsCredentialsOptions options;
97 options.token_exchange_service_uri = "https://foo.com/exchange";
98 options.resource = "resource";
99 options.audience = "audience";
100 options.scope = "scope";
101 // options.requested_token_type explicitly not set.
102 options.subject_token_path = "/foo/bar";
103 options.subject_token_type = "nice_token_type";
104 options.actor_token_path = "/foo/baz";
105 options.actor_token_type = "even_nicer_token_type";
106 grpc_sts_credentials_options core_opts =
107 grpc::experimental::StsCredentialsCppToCoreOptions(options);
108 EXPECT_EQ(options.token_exchange_service_uri,
109 core_opts.token_exchange_service_uri);
110 EXPECT_EQ(options.resource, core_opts.resource);
111 EXPECT_EQ(options.audience, core_opts.audience);
112 EXPECT_EQ(options.scope, core_opts.scope);
113 EXPECT_EQ(options.requested_token_type, core_opts.requested_token_type);
114 EXPECT_EQ(options.subject_token_path, core_opts.subject_token_path);
115 EXPECT_EQ(options.subject_token_type, core_opts.subject_token_type);
116 EXPECT_EQ(options.actor_token_path, core_opts.actor_token_path);
117 EXPECT_EQ(options.actor_token_type, core_opts.actor_token_type);
120 TEST(CredentialsTest, StsCredentialsOptionsJson) {
121 const char valid_json[] = R"(
123 "token_exchange_service_uri": "https://foo/exchange",
124 "resource": "resource",
125 "audience": "audience",
127 "requested_token_type": "requested_token_type",
128 "subject_token_path": "subject_token_path",
129 "subject_token_type": "subject_token_type",
130 "actor_token_path": "actor_token_path",
131 "actor_token_type": "actor_token_type"
133 grpc::experimental::StsCredentialsOptions options;
135 grpc::experimental::StsCredentialsOptionsFromJson(valid_json, &options)
137 EXPECT_EQ(options.token_exchange_service_uri, "https://foo/exchange");
138 EXPECT_EQ(options.resource, "resource");
139 EXPECT_EQ(options.audience, "audience");
140 EXPECT_EQ(options.scope, "scope");
141 EXPECT_EQ(options.requested_token_type, "requested_token_type");
142 EXPECT_EQ(options.subject_token_path, "subject_token_path");
143 EXPECT_EQ(options.subject_token_type, "subject_token_type");
144 EXPECT_EQ(options.actor_token_path, "actor_token_path");
145 EXPECT_EQ(options.actor_token_type, "actor_token_type");
147 const char minimum_valid_json[] = R"(
149 "token_exchange_service_uri": "https://foo/exchange",
150 "subject_token_path": "subject_token_path",
151 "subject_token_type": "subject_token_type"
153 EXPECT_TRUE(grpc::experimental::StsCredentialsOptionsFromJson(
154 minimum_valid_json, &options)
156 EXPECT_EQ(options.token_exchange_service_uri, "https://foo/exchange");
157 EXPECT_EQ(options.resource, "");
158 EXPECT_EQ(options.audience, "");
159 EXPECT_EQ(options.scope, "");
160 EXPECT_EQ(options.requested_token_type, "");
161 EXPECT_EQ(options.subject_token_path, "subject_token_path");
162 EXPECT_EQ(options.subject_token_type, "subject_token_type");
163 EXPECT_EQ(options.actor_token_path, "");
164 EXPECT_EQ(options.actor_token_type, "");
166 const char invalid_json[] = R"(
167 I'm not a valid JSON.
170 grpc::StatusCode::INVALID_ARGUMENT,
171 grpc::experimental::StsCredentialsOptionsFromJson(invalid_json, &options)
174 const char invalid_json_missing_subject_token_type[] = R"(
176 "token_exchange_service_uri": "https://foo/exchange",
177 "subject_token_path": "subject_token_path"
179 auto status = grpc::experimental::StsCredentialsOptionsFromJson(
180 invalid_json_missing_subject_token_type, &options);
181 EXPECT_EQ(grpc::StatusCode::INVALID_ARGUMENT, status.error_code());
182 EXPECT_THAT(status.error_message(),
183 ::testing::HasSubstr("subject_token_type"));
185 const char invalid_json_missing_subject_token_path[] = R"(
187 "token_exchange_service_uri": "https://foo/exchange",
188 "subject_token_type": "subject_token_type"
190 status = grpc::experimental::StsCredentialsOptionsFromJson(
191 invalid_json_missing_subject_token_path, &options);
192 EXPECT_EQ(grpc::StatusCode::INVALID_ARGUMENT, status.error_code());
193 EXPECT_THAT(status.error_message(),
194 ::testing::HasSubstr("subject_token_path"));
196 const char invalid_json_missing_token_exchange_uri[] = R"(
198 "subject_token_path": "subject_token_path",
199 "subject_token_type": "subject_token_type"
201 status = grpc::experimental::StsCredentialsOptionsFromJson(
202 invalid_json_missing_token_exchange_uri, &options);
203 EXPECT_EQ(grpc::StatusCode::INVALID_ARGUMENT, status.error_code());
204 EXPECT_THAT(status.error_message(),
205 ::testing::HasSubstr("token_exchange_service_uri"));
208 TEST(CredentialsTest, StsCredentialsOptionsFromEnv) {
209 // Unset env and check expected failure.
210 gpr_unsetenv("STS_CREDENTIALS");
211 grpc::experimental::StsCredentialsOptions options;
212 auto status = grpc::experimental::StsCredentialsOptionsFromEnv(&options);
213 EXPECT_EQ(grpc::StatusCode::NOT_FOUND, status.error_code());
215 // Set env and check for success.
216 const char valid_json[] = R"(
218 "token_exchange_service_uri": "https://foo/exchange",
219 "subject_token_path": "subject_token_path",
220 "subject_token_type": "subject_token_type"
222 char* creds_file_name;
223 FILE* creds_file = gpr_tmpfile("sts_creds_options", &creds_file_name);
224 ASSERT_NE(creds_file_name, nullptr);
225 ASSERT_NE(creds_file, nullptr);
226 ASSERT_EQ(sizeof(valid_json),
227 fwrite(valid_json, 1, sizeof(valid_json), creds_file));
229 gpr_setenv("STS_CREDENTIALS", creds_file_name);
230 gpr_free(creds_file_name);
231 status = grpc::experimental::StsCredentialsOptionsFromEnv(&options);
232 EXPECT_TRUE(status.ok());
233 EXPECT_EQ(options.token_exchange_service_uri, "https://foo/exchange");
234 EXPECT_EQ(options.resource, "");
235 EXPECT_EQ(options.audience, "");
236 EXPECT_EQ(options.scope, "");
237 EXPECT_EQ(options.requested_token_type, "");
238 EXPECT_EQ(options.subject_token_path, "subject_token_path");
239 EXPECT_EQ(options.subject_token_type, "subject_token_type");
240 EXPECT_EQ(options.actor_token_path, "");
241 EXPECT_EQ(options.actor_token_type, "");
244 gpr_unsetenv("STS_CREDENTIALS");
247 TEST(CredentialsTest, TlsServerAuthorizationCheckArgCallback) {
248 grpc_tls_server_authorization_check_arg* c_arg =
249 new grpc_tls_server_authorization_check_arg;
250 c_arg->cb = tls_server_authorization_check_callback;
251 c_arg->context = nullptr;
252 c_arg->error_details = new grpc_tls_error_details();
253 TlsServerAuthorizationCheckArg* arg =
254 new TlsServerAuthorizationCheckArg(c_arg);
255 arg->set_cb_user_data(nullptr);
257 arg->set_target_name("target_name");
258 arg->set_peer_cert("peer_cert");
259 arg->set_status(GRPC_STATUS_UNAUTHENTICATED);
260 arg->set_error_details("error_details");
261 const char* target_name_before_callback = c_arg->target_name;
262 const char* peer_cert_before_callback = c_arg->peer_cert;
264 arg->OnServerAuthorizationCheckDoneCallback();
265 EXPECT_STREQ(static_cast<char*>(arg->cb_user_data()), "cb_user_data");
266 gpr_free(arg->cb_user_data());
267 EXPECT_EQ(arg->success(), 1);
268 EXPECT_STREQ(arg->target_name().c_str(), "callback_target_name");
269 EXPECT_STREQ(arg->peer_cert().c_str(), "callback_peer_cert");
270 EXPECT_EQ(arg->status(), GRPC_STATUS_OK);
271 EXPECT_STREQ(arg->error_details().c_str(), "callback_error_details");
274 gpr_free(const_cast<char*>(target_name_before_callback));
275 gpr_free(const_cast<char*>(peer_cert_before_callback));
276 gpr_free(const_cast<char*>(c_arg->target_name));
277 gpr_free(const_cast<char*>(c_arg->peer_cert));
278 delete c_arg->error_details;
283 TEST(CredentialsTest, TlsServerAuthorizationCheckConfigSchedule) {
284 std::shared_ptr<TestTlsServerAuthorizationCheck>
285 test_server_authorization_check(new TestTlsServerAuthorizationCheck());
286 TlsServerAuthorizationCheckConfig config(test_server_authorization_check);
287 grpc_tls_server_authorization_check_arg* c_arg =
288 new grpc_tls_server_authorization_check_arg();
289 c_arg->error_details = new grpc_tls_error_details();
290 c_arg->context = nullptr;
291 TlsServerAuthorizationCheckArg* arg =
292 new TlsServerAuthorizationCheckArg(c_arg);
293 arg->set_cb_user_data(nullptr);
295 arg->set_target_name("target_name");
296 arg->set_peer_cert("peer_cert");
297 arg->set_status(GRPC_STATUS_PERMISSION_DENIED);
298 arg->set_error_details("error_details");
299 const char* target_name_before_schedule = c_arg->target_name;
300 const char* peer_cert_before_schedule = c_arg->peer_cert;
302 int schedule_output = config.Schedule(arg);
303 EXPECT_EQ(schedule_output, 1);
304 EXPECT_STREQ(static_cast<char*>(arg->cb_user_data()), "cb_user_data");
305 EXPECT_EQ(arg->success(), 1);
306 EXPECT_STREQ(arg->target_name().c_str(), "sync_target_name");
307 EXPECT_STREQ(arg->peer_cert().c_str(), "sync_peer_cert");
308 EXPECT_EQ(arg->status(), GRPC_STATUS_OK);
309 EXPECT_STREQ(arg->error_details().c_str(), "sync_error_details");
312 gpr_free(arg->cb_user_data());
313 gpr_free(const_cast<char*>(target_name_before_schedule));
314 gpr_free(const_cast<char*>(peer_cert_before_schedule));
315 gpr_free(const_cast<char*>(c_arg->target_name));
316 gpr_free(const_cast<char*>(c_arg->peer_cert));
317 delete c_arg->error_details;
318 if (c_arg->destroy_context != nullptr) {
319 c_arg->destroy_context(c_arg->context);
324 TEST(CredentialsTest, TlsServerAuthorizationCheckConfigCppToC) {
325 std::shared_ptr<TestTlsServerAuthorizationCheck>
326 test_server_authorization_check(new TestTlsServerAuthorizationCheck());
327 TlsServerAuthorizationCheckConfig config(test_server_authorization_check);
328 grpc_tls_server_authorization_check_arg c_arg;
329 c_arg.cb = tls_server_authorization_check_callback;
330 c_arg.cb_user_data = nullptr;
332 c_arg.target_name = "target_name";
333 c_arg.peer_cert = "peer_cert";
334 c_arg.status = GRPC_STATUS_UNAUTHENTICATED;
335 c_arg.error_details = new grpc_tls_error_details();
336 c_arg.error_details->set_error_details("error_details");
337 c_arg.config = config.c_config();
338 c_arg.context = nullptr;
339 int c_schedule_output = (c_arg.config)->Schedule(&c_arg);
340 EXPECT_EQ(c_schedule_output, 1);
341 EXPECT_STREQ(static_cast<char*>(c_arg.cb_user_data), "cb_user_data");
342 EXPECT_EQ(c_arg.success, 1);
343 EXPECT_STREQ(c_arg.target_name, "sync_target_name");
344 EXPECT_STREQ(c_arg.peer_cert, "sync_peer_cert");
345 EXPECT_EQ(c_arg.status, GRPC_STATUS_OK);
346 EXPECT_STREQ(c_arg.error_details->error_details().c_str(),
347 "sync_error_details");
350 gpr_free(c_arg.cb_user_data);
351 c_arg.destroy_context(c_arg.context);
352 delete c_arg.error_details;
353 gpr_free(const_cast<char*>(c_arg.target_name));
354 gpr_free(const_cast<char*>(c_arg.peer_cert));
359 TlsChannelCredentialsWithStaticDataCertificateProviderLoadingRootAndIdentity) {
360 experimental::IdentityKeyCertPair key_cert_pair;
361 key_cert_pair.private_key = kIdentityCertPrivateKey;
362 key_cert_pair.certificate_chain = kIdentityCertContents;
363 std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs;
364 identity_key_cert_pairs.emplace_back(key_cert_pair);
365 auto certificate_provider = std::make_shared<StaticDataCertificateProvider>(
366 kRootCertContents, identity_key_cert_pairs);
367 auto test_server_authorization_check =
368 std::make_shared<TestTlsServerAuthorizationCheck>();
369 auto server_authorization_check_config =
370 std::make_shared<TlsServerAuthorizationCheckConfig>(
371 test_server_authorization_check);
372 grpc::experimental::TlsChannelCredentialsOptions options(
373 certificate_provider);
374 options.watch_root_certs();
375 options.set_root_cert_name(kRootCertName);
376 options.watch_identity_key_cert_pairs();
377 options.set_identity_cert_name(kIdentityCertName);
378 options.set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
379 options.set_server_authorization_check_config(
380 server_authorization_check_config);
381 auto channel_credentials = grpc::experimental::TlsCredentials(options);
382 GPR_ASSERT(channel_credentials.get() != nullptr);
385 // ChannelCredentials should always have root credential presented.
386 // Otherwise the system root certificates will be loaded, which will cause
387 // failure in some tests under MacOS/Windows.
388 TEST(CredentialsTest,
389 TlsChannelCredentialsWithStaticDataCertificateProviderLoadingRootOnly) {
390 auto certificate_provider =
391 std::make_shared<StaticDataCertificateProvider>(kRootCertContents);
392 auto test_server_authorization_check =
393 std::make_shared<TestTlsServerAuthorizationCheck>();
394 auto server_authorization_check_config =
395 std::make_shared<TlsServerAuthorizationCheckConfig>(
396 test_server_authorization_check);
397 GPR_ASSERT(certificate_provider != nullptr);
398 GPR_ASSERT(certificate_provider->c_provider() != nullptr);
399 grpc::experimental::TlsChannelCredentialsOptions options(
400 certificate_provider);
401 options.watch_root_certs();
402 options.set_root_cert_name(kRootCertName);
403 options.set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
404 options.set_server_authorization_check_config(
405 server_authorization_check_config);
406 auto channel_credentials = grpc::experimental::TlsCredentials(options);
407 GPR_ASSERT(channel_credentials.get() != nullptr);
410 TEST(CredentialsTest, TlsServerAuthorizationCheckConfigErrorMessages) {
411 std::shared_ptr<TlsServerAuthorizationCheckConfig> config(
412 new TlsServerAuthorizationCheckConfig(nullptr));
413 grpc_tls_server_authorization_check_arg* c_arg =
414 new grpc_tls_server_authorization_check_arg;
415 c_arg->error_details = new grpc_tls_error_details();
416 c_arg->context = nullptr;
417 TlsServerAuthorizationCheckArg* arg =
418 new TlsServerAuthorizationCheckArg(c_arg);
419 int schedule_output = config->Schedule(arg);
421 EXPECT_EQ(schedule_output, 1);
422 EXPECT_EQ(arg->status(), GRPC_STATUS_NOT_FOUND);
424 arg->error_details().c_str(),
425 "the interface of the server authorization check config is nullptr");
427 arg->set_status(GRPC_STATUS_OK);
429 EXPECT_EQ(arg->status(), GRPC_STATUS_NOT_FOUND);
431 arg->error_details().c_str(),
432 "the interface of the server authorization check config is nullptr");
435 delete c_arg->error_details;
436 if (c_arg->destroy_context != nullptr) {
437 c_arg->destroy_context(c_arg->context);
443 } // namespace testing
446 int main(int argc, char** argv) {
447 ::testing::InitGoogleTest(&argc, argv);
448 int ret = RUN_ALL_TESTS();