1 //
2 //
3 // Copyright 2023 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 #include <memory>
19
20 #include <gmock/gmock.h>
21 #include <gtest/gtest.h>
22
23 #include "absl/synchronization/notification.h"
24
25 #include <grpc/grpc_security.h>
26 #include <grpcpp/channel.h>
27 #include <grpcpp/client_context.h>
28 #include <grpcpp/create_channel.h>
29 #include <grpcpp/security/tls_certificate_verifier.h>
30 #include <grpcpp/security/tls_credentials_options.h>
31 #include <grpcpp/server.h>
32 #include <grpcpp/server_builder.h>
33
34 #include "test/core/util/port.h"
35 #include "test/core/util/test_config.h"
36 #include "test/core/util/tls_utils.h"
37 #include "test/cpp/end2end/test_service_impl.h"
38
39 namespace grpc {
40 namespace testing {
41 namespace {
42
43 using ::grpc::experimental::ExternalCertificateVerifier;
44 using ::grpc::experimental::TlsChannelCredentialsOptions;
45
46 constexpr char kCaCertPath[] = "src/core/tsi/test_creds/ca.pem";
47 constexpr char kServerCertPath[] = "src/core/tsi/test_creds/server1.pem";
48 constexpr char kServerKeyPath[] = "src/core/tsi/test_creds/server1.key";
49 constexpr char kMessage[] = "Hello";
50
51 class NoOpCertificateVerifier : public ExternalCertificateVerifier {
52 public:
53 ~NoOpCertificateVerifier() override = default;
54
Verify(grpc::experimental::TlsCustomVerificationCheckRequest *,std::function<void (grpc::Status)>,grpc::Status * sync_status)55 bool Verify(grpc::experimental::TlsCustomVerificationCheckRequest*,
56 std::function<void(grpc::Status)>,
57 grpc::Status* sync_status) override {
58 *sync_status = grpc::Status(grpc::StatusCode::OK, "");
59 return true;
60 }
61
Cancel(grpc::experimental::TlsCustomVerificationCheckRequest *)62 void Cancel(grpc::experimental::TlsCustomVerificationCheckRequest*) override {
63 }
64 };
65
66 class TlsCredentialsTest : public ::testing::Test {
67 protected:
RunServer(absl::Notification * notification)68 void RunServer(absl::Notification* notification) {
69 std::string root_cert = grpc_core::testing::GetFileContents(kCaCertPath);
70 grpc::SslServerCredentialsOptions::PemKeyCertPair key_cert_pair = {
71 grpc_core::testing::GetFileContents(kServerKeyPath),
72 grpc_core::testing::GetFileContents(kServerCertPath)};
73 grpc::SslServerCredentialsOptions ssl_options;
74 ssl_options.pem_key_cert_pairs.push_back(key_cert_pair);
75 ssl_options.pem_root_certs = root_cert;
76
77 grpc::ServerBuilder builder;
78 TestServiceImpl service_;
79
80 builder
81 .AddListeningPort(server_addr_, grpc::SslServerCredentials(ssl_options))
82 .RegisterService(&service_);
83 server_ = builder.BuildAndStart();
84 notification->Notify();
85 server_->Wait();
86 }
87
TearDown()88 void TearDown() override {
89 if (server_ != nullptr) {
90 server_->Shutdown();
91 server_thread_->join();
92 delete server_thread_;
93 }
94 }
95
96 TestServiceImpl service_;
97 std::unique_ptr<Server> server_ = nullptr;
98 std::thread* server_thread_ = nullptr;
99 std::string server_addr_;
100 };
101
102 // NOLINTNEXTLINE(clang-diagnostic-unused-function)
DoRpc(const std::string & server_addr,const TlsChannelCredentialsOptions & tls_options)103 void DoRpc(const std::string& server_addr,
104 const TlsChannelCredentialsOptions& tls_options) {
105 std::shared_ptr<Channel> channel =
106 grpc::CreateChannel(server_addr, TlsCredentials(tls_options));
107
108 auto stub = grpc::testing::EchoTestService::NewStub(channel);
109 grpc::testing::EchoRequest request;
110 grpc::testing::EchoResponse response;
111 request.set_message(kMessage);
112 ClientContext context;
113 context.set_deadline(grpc_timeout_seconds_to_deadline(/*time_s=*/10));
114 grpc::Status result = stub->Echo(&context, request, &response);
115 EXPECT_TRUE(result.ok());
116 if (!result.ok()) {
117 gpr_log(GPR_ERROR, "Echo failed: %d, %s, %s",
118 static_cast<int>(result.error_code()),
119 result.error_message().c_str(), result.error_details().c_str());
120 }
121 EXPECT_EQ(response.message(), kMessage);
122 }
123
124 // TODO(gregorycooke) - failing with OpenSSL1.0.2
125 #if OPENSSL_VERSION_NUMBER >= 0x10100000
126 // How do we test that skipping server certificate verification works as
127 // expected? Give the server credentials that chain up to a custom CA (that does
128 // not belong to the default or OS trust store), do not configure the client to
129 // have this CA in its trust store, and attempt to establish a connection
130 // between the client and server.
TEST_F(TlsCredentialsTest,SkipServerCertificateVerification)131 TEST_F(TlsCredentialsTest, SkipServerCertificateVerification) {
132 server_addr_ = absl::StrCat("localhost:",
133 std::to_string(grpc_pick_unused_port_or_die()));
134 absl::Notification notification;
135 server_thread_ = new std::thread([&]() { RunServer(¬ification); });
136 notification.WaitForNotification();
137
138 TlsChannelCredentialsOptions tls_options;
139 tls_options.set_certificate_verifier(
140 ExternalCertificateVerifier::Create<NoOpCertificateVerifier>());
141 tls_options.set_check_call_host(/*check_call_host=*/false);
142 tls_options.set_verify_server_certs(/*verify_server_certs=*/false);
143
144 DoRpc(server_addr_, tls_options);
145 }
146 #endif // OPENSSL_VERSION_NUMBER >= 0x10100000
147
148 } // namespace
149 } // namespace testing
150 } // namespace grpc
151
main(int argc,char ** argv)152 int main(int argc, char** argv) {
153 grpc::testing::TestEnvironment env(&argc, argv);
154 ::testing::InitGoogleTest(&argc, argv);
155 int ret = RUN_ALL_TESTS();
156 return ret;
157 }
158