xref: /aosp_15_r20/external/grpc-grpc/test/core/security/tls_security_connector_test.cc (revision cc02d7e222339f7a4f6ba5f422e6413f4bd931f2)
1 //
2 //
3 // Copyright 2018 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
20 
21 #include <stdlib.h>
22 #include <string.h>
23 
24 #include <gmock/gmock.h>
25 #include <gtest/gtest.h>
26 
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
30 
31 #include "src/core/lib/channel/channel_args.h"
32 #include "src/core/lib/config/config_vars.h"
33 #include "src/core/lib/gprpp/crash.h"
34 #include "src/core/lib/gprpp/unique_type_name.h"
35 #include "src/core/lib/security/context/security_context.h"
36 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
37 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
38 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
39 #include "src/core/tsi/transport_security.h"
40 #include "test/core/util/test_config.h"
41 #include "test/core/util/tls_utils.h"
42 
43 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
44 #define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
45 #define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
46 #define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
47 #define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
48 #define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
49 
50 namespace grpc_core {
51 namespace testing {
52 
53 constexpr const char* kRootCertName = "root_cert_name";
54 constexpr const char* kIdentityCertName = "identity_cert_name";
55 constexpr const char* kErrorMessage = "error_message";
56 constexpr const char* kTargetName = "foo.bar.com:443";
57 
58 class TlsSecurityConnectorTest : public ::testing::Test {
59  protected:
TlsSecurityConnectorTest()60   TlsSecurityConnectorTest() {}
61 
SetUp()62   void SetUp() override {
63     root_cert_1_ = testing::GetFileContents(CA_CERT_PATH);
64     root_cert_0_ = testing::GetFileContents(CLIENT_CERT_PATH);
65     identity_pairs_1_.emplace_back(
66         testing::GetFileContents(SERVER_KEY_PATH_1),
67         testing::GetFileContents(SERVER_CERT_PATH_1));
68     identity_pairs_0_.emplace_back(
69         testing::GetFileContents(SERVER_KEY_PATH_0),
70         testing::GetFileContents(SERVER_CERT_PATH_0));
71   }
72 
VerifyExpectedErrorCallback(void * arg,grpc_error_handle error)73   static void VerifyExpectedErrorCallback(void* arg, grpc_error_handle error) {
74     const char* expected_error_msg = static_cast<const char*>(arg);
75     if (expected_error_msg == nullptr) {
76       EXPECT_EQ(error, absl::OkStatus());
77     } else {
78       EXPECT_EQ(GetErrorMsg(error), expected_error_msg);
79     }
80   }
81 
GetErrorMsg(grpc_error_handle error)82   static std::string GetErrorMsg(grpc_error_handle error) {
83     std::string error_str;
84     GPR_ASSERT(
85         grpc_error_get_str(error, StatusStrProperty::kDescription, &error_str));
86     return error_str;
87   }
88 
89   std::string root_cert_1_;
90   std::string root_cert_0_;
91   PemKeyCertPairList identity_pairs_1_;
92   PemKeyCertPairList identity_pairs_0_;
93   HostNameCertificateVerifier hostname_certificate_verifier_;
94 };
95 
96 class TlsTestCertificateProvider : public grpc_tls_certificate_provider {
97  public:
TlsTestCertificateProvider(RefCountedPtr<grpc_tls_certificate_distributor> distributor)98   explicit TlsTestCertificateProvider(
99       RefCountedPtr<grpc_tls_certificate_distributor> distributor)
100       : distributor_(std::move(distributor)) {}
~TlsTestCertificateProvider()101   ~TlsTestCertificateProvider() override {}
distributor() const102   RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
103     return distributor_;
104   }
105 
type() const106   UniqueTypeName type() const override {
107     static UniqueTypeName::Factory kFactory("tls_test");
108     return kFactory.Create();
109   }
110 
111  private:
CompareImpl(const grpc_tls_certificate_provider * other) const112   int CompareImpl(const grpc_tls_certificate_provider* other) const override {
113     // TODO(yashykt): Maybe do something better here.
114     return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
115                         other);
116   }
117 
118   RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
119 };
120 
121 //
122 // Tests for Certificate Providers in ChannelSecurityConnector.
123 //
124 
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)125 TEST_F(TlsSecurityConnectorTest,
126        RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
127   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
128       MakeRefCounted<grpc_tls_certificate_distributor>();
129   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
130   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
131                                identity_pairs_0_);
132   RefCountedPtr<grpc_tls_certificate_provider> provider =
133       MakeRefCounted<TlsTestCertificateProvider>(distributor);
134   RefCountedPtr<grpc_tls_credentials_options> options =
135       MakeRefCounted<grpc_tls_credentials_options>();
136   options->set_certificate_provider(provider);
137   options->set_watch_root_cert(true);
138   options->set_watch_identity_pair(true);
139   options->set_root_cert_name(kRootCertName);
140   options->set_identity_cert_name(kIdentityCertName);
141   RefCountedPtr<TlsCredentials> credential =
142       MakeRefCounted<TlsCredentials>(options);
143   ChannelArgs new_args;
144   RefCountedPtr<grpc_channel_security_connector> connector =
145       credential->create_security_connector(nullptr, kTargetName, &new_args);
146   EXPECT_NE(connector, nullptr);
147   TlsChannelSecurityConnector* tls_connector =
148       static_cast<TlsChannelSecurityConnector*>(connector.get());
149   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
150   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
151   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
152   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
153   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
154                                identity_pairs_1_);
155   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
156   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
157   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
158 }
159 
TEST_F(TlsSecurityConnectorTest,SystemRootsWhenCreateChannelSecurityConnector)160 TEST_F(TlsSecurityConnectorTest,
161        SystemRootsWhenCreateChannelSecurityConnector) {
162   // Create options watching for no certificates.
163   RefCountedPtr<grpc_tls_credentials_options> root_options =
164       MakeRefCounted<grpc_tls_credentials_options>();
165   RefCountedPtr<TlsCredentials> root_credential =
166       MakeRefCounted<TlsCredentials>(root_options);
167   ChannelArgs root_new_args;
168   RefCountedPtr<grpc_channel_security_connector> root_connector =
169       root_credential->create_security_connector(nullptr, "some_target",
170                                                  &root_new_args);
171   EXPECT_NE(root_connector, nullptr);
172   TlsChannelSecurityConnector* tls_root_connector =
173       static_cast<TlsChannelSecurityConnector*>(root_connector.get());
174   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
175 }
176 
TEST_F(TlsSecurityConnectorTest,SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)177 TEST_F(TlsSecurityConnectorTest,
178        SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
179   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
180       MakeRefCounted<grpc_tls_certificate_distributor>();
181   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
182                                identity_pairs_0_);
183   RefCountedPtr<grpc_tls_certificate_provider> provider =
184       MakeRefCounted<TlsTestCertificateProvider>(distributor);
185   // Create options only watching for identity certificates.
186   RefCountedPtr<grpc_tls_credentials_options> root_options =
187       MakeRefCounted<grpc_tls_credentials_options>();
188   root_options->set_certificate_provider(provider);
189   root_options->set_watch_identity_pair(true);
190   root_options->set_identity_cert_name(kIdentityCertName);
191   RefCountedPtr<TlsCredentials> root_credential =
192       MakeRefCounted<TlsCredentials>(root_options);
193   ChannelArgs root_new_args;
194   RefCountedPtr<grpc_channel_security_connector> root_connector =
195       root_credential->create_security_connector(nullptr, "some_target",
196                                                  &root_new_args);
197   EXPECT_NE(root_connector, nullptr);
198   TlsChannelSecurityConnector* tls_root_connector =
199       static_cast<TlsChannelSecurityConnector*>(root_connector.get());
200   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
201   EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
202   // If we have a root update, we shouldn't receive them in security connector,
203   // since we claimed to use default system roots.
204   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
205   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
206   EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
207 }
208 
TEST_F(TlsSecurityConnectorTest,RootCertsObtainedWhenCreateChannelSecurityConnector)209 TEST_F(TlsSecurityConnectorTest,
210        RootCertsObtainedWhenCreateChannelSecurityConnector) {
211   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
212       MakeRefCounted<grpc_tls_certificate_distributor>();
213   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
214   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
215                                identity_pairs_0_);
216   RefCountedPtr<grpc_tls_certificate_provider> provider =
217       MakeRefCounted<TlsTestCertificateProvider>(distributor);
218   // Create options only watching for root certificates.
219   RefCountedPtr<grpc_tls_credentials_options> root_options =
220       MakeRefCounted<grpc_tls_credentials_options>();
221   root_options->set_certificate_provider(provider);
222   root_options->set_watch_root_cert(true);
223   root_options->set_root_cert_name(kRootCertName);
224   RefCountedPtr<TlsCredentials> root_credential =
225       MakeRefCounted<TlsCredentials>(root_options);
226   ChannelArgs root_new_args;
227   RefCountedPtr<grpc_channel_security_connector> root_connector =
228       root_credential->create_security_connector(nullptr, "some_target",
229                                                  &root_new_args);
230   EXPECT_NE(root_connector, nullptr);
231   TlsChannelSecurityConnector* tls_root_connector =
232       static_cast<TlsChannelSecurityConnector*>(root_connector.get());
233   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
234   EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
235   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
236   EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
237   EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
238 }
239 
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateChannelSecurityConnector)240 TEST_F(TlsSecurityConnectorTest,
241        CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
242   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
243       MakeRefCounted<grpc_tls_certificate_distributor>();
244   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
245   RefCountedPtr<grpc_tls_certificate_provider> provider =
246       MakeRefCounted<TlsTestCertificateProvider>(distributor);
247   // Registered the options watching both certs, but only root certs are
248   // available at distributor right now.
249   RefCountedPtr<grpc_tls_credentials_options> options =
250       MakeRefCounted<grpc_tls_credentials_options>();
251   options->set_certificate_provider(provider);
252   options->set_watch_root_cert(true);
253   options->set_watch_identity_pair(true);
254   options->set_root_cert_name(kRootCertName);
255   options->set_identity_cert_name(kIdentityCertName);
256   RefCountedPtr<TlsCredentials> credential =
257       MakeRefCounted<TlsCredentials>(options);
258   ChannelArgs new_args;
259   RefCountedPtr<grpc_channel_security_connector> connector =
260       credential->create_security_connector(nullptr, kTargetName, &new_args);
261   EXPECT_NE(connector, nullptr);
262   TlsChannelSecurityConnector* tls_connector =
263       static_cast<TlsChannelSecurityConnector*>(connector.get());
264   // The client_handshaker_factory_ shouldn't be updated.
265   EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
266   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
267   // After updating the root certs, the client_handshaker_factory_ should be
268   // updated.
269   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
270                                identity_pairs_0_);
271   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
272   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
273   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
274 }
275 
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForChannelSecurityConnector)276 TEST_F(TlsSecurityConnectorTest,
277        DistributorHasErrorForChannelSecurityConnector) {
278   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
279       MakeRefCounted<grpc_tls_certificate_distributor>();
280   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
281   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
282                                identity_pairs_0_);
283   RefCountedPtr<grpc_tls_certificate_provider> provider =
284       MakeRefCounted<TlsTestCertificateProvider>(distributor);
285   RefCountedPtr<grpc_tls_credentials_options> options =
286       MakeRefCounted<grpc_tls_credentials_options>();
287   options->set_certificate_provider(provider);
288   options->set_watch_root_cert(true);
289   options->set_watch_identity_pair(true);
290   options->set_root_cert_name(kRootCertName);
291   options->set_identity_cert_name(kIdentityCertName);
292   RefCountedPtr<TlsCredentials> credential =
293       MakeRefCounted<TlsCredentials>(options);
294   ChannelArgs new_args;
295   RefCountedPtr<grpc_channel_security_connector> connector =
296       credential->create_security_connector(nullptr, kTargetName, &new_args);
297   EXPECT_NE(connector, nullptr);
298   TlsChannelSecurityConnector* tls_connector =
299       static_cast<TlsChannelSecurityConnector*>(connector.get());
300   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
301   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
302   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
303   // Calling SetErrorForCert on distributor shouldn't invalidate the previous
304   // valid credentials.
305   distributor->SetErrorForCert(kRootCertName, GRPC_ERROR_CREATE(kErrorMessage),
306                                absl::nullopt);
307   distributor->SetErrorForCert(kIdentityCertName, absl::nullopt,
308                                GRPC_ERROR_CREATE(kErrorMessage));
309   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
310   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
311   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
312 }
313 
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoTargetName)314 TEST_F(TlsSecurityConnectorTest,
315        CreateChannelSecurityConnectorFailNoTargetName) {
316   RefCountedPtr<grpc_tls_credentials_options> options =
317       MakeRefCounted<grpc_tls_credentials_options>();
318   RefCountedPtr<TlsCredentials> credential =
319       MakeRefCounted<TlsCredentials>(options);
320   ChannelArgs new_args;
321   RefCountedPtr<grpc_channel_security_connector> connector =
322       credential->create_security_connector(nullptr, nullptr, &new_args);
323   EXPECT_EQ(connector, nullptr);
324 }
325 
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoCredentials)326 TEST_F(TlsSecurityConnectorTest,
327        CreateChannelSecurityConnectorFailNoCredentials) {
328   auto connector =
329       TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
330           nullptr, MakeRefCounted<grpc_tls_credentials_options>(), nullptr,
331           kTargetName, nullptr, nullptr);
332   EXPECT_EQ(connector, nullptr);
333 }
334 
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoOptions)335 TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
336   RefCountedPtr<grpc_tls_credentials_options> options =
337       MakeRefCounted<grpc_tls_credentials_options>();
338   RefCountedPtr<TlsCredentials> credential =
339       MakeRefCounted<TlsCredentials>(options);
340   auto connector =
341       TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
342           credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
343   EXPECT_EQ(connector, nullptr);
344 }
345 
346 //
347 // Tests for Certificate Verifier in ChannelSecurityConnector.
348 //
349 
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithSyncExternalVerifierSucceeds)350 TEST_F(TlsSecurityConnectorTest,
351        ChannelSecurityConnectorWithSyncExternalVerifierSucceeds) {
352   auto* sync_verifier_ = new SyncExternalVerifier(true);
353   ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
354   RefCountedPtr<grpc_tls_credentials_options> options =
355       MakeRefCounted<grpc_tls_credentials_options>();
356   options->set_verify_server_cert(true);
357   options->set_certificate_verifier(core_external_verifier.Ref());
358   options->set_check_call_host(false);
359   RefCountedPtr<TlsCredentials> credential =
360       MakeRefCounted<TlsCredentials>(options);
361   ChannelArgs new_args;
362   RefCountedPtr<grpc_channel_security_connector> connector =
363       credential->create_security_connector(nullptr, kTargetName, &new_args);
364   EXPECT_NE(connector, nullptr);
365   TlsChannelSecurityConnector* tls_connector =
366       static_cast<TlsChannelSecurityConnector*>(connector.get());
367   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
368   // Construct a basic TSI Peer.
369   tsi_peer peer;
370   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
371   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
372                                                 "h2", strlen("h2"),
373                                                 &peer.properties[0]) == TSI_OK);
374   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
375                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
376                  &peer.properties[1]) == TSI_OK);
377   RefCountedPtr<grpc_auth_context> auth_context;
378   ExecCtx exec_ctx;
379   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
380       VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
381   ChannelArgs args;
382   tls_connector->check_peer(peer, nullptr, args, &auth_context,
383                             on_peer_checked);
384 }
385 
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithSyncExternalVerifierFails)386 TEST_F(TlsSecurityConnectorTest,
387        ChannelSecurityConnectorWithSyncExternalVerifierFails) {
388   auto* sync_verifier_ = new SyncExternalVerifier(false);
389   ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
390   RefCountedPtr<grpc_tls_credentials_options> options =
391       MakeRefCounted<grpc_tls_credentials_options>();
392   options->set_verify_server_cert(true);
393   options->set_certificate_verifier(core_external_verifier.Ref());
394   options->set_check_call_host(false);
395   RefCountedPtr<TlsCredentials> credential =
396       MakeRefCounted<TlsCredentials>(options);
397   ChannelArgs new_args;
398   RefCountedPtr<grpc_channel_security_connector> connector =
399       credential->create_security_connector(nullptr, kTargetName, &new_args);
400   EXPECT_NE(connector, nullptr);
401   TlsChannelSecurityConnector* tls_connector =
402       static_cast<TlsChannelSecurityConnector*>(connector.get());
403   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
404   // Construct a basic TSI Peer.
405   tsi_peer peer;
406   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
407   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
408                                                 "h2", strlen("h2"),
409                                                 &peer.properties[0]) == TSI_OK);
410   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
411                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
412                  &peer.properties[1]) == TSI_OK);
413   RefCountedPtr<grpc_auth_context> auth_context;
414   const char* expected_error_msg =
415       "Custom verification check failed with error: UNAUTHENTICATED: "
416       "SyncExternalVerifier failed";
417   ExecCtx exec_ctx;
418   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
419       VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
420       grpc_schedule_on_exec_ctx);
421   tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
422                             on_peer_checked);
423 }
424 
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorSucceedsOnSameCredentials)425 TEST_F(TlsSecurityConnectorTest,
426        CompareChannelSecurityConnectorSucceedsOnSameCredentials) {
427   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
428       MakeRefCounted<grpc_tls_certificate_distributor>();
429   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
430   RefCountedPtr<grpc_tls_certificate_provider> provider =
431       MakeRefCounted<TlsTestCertificateProvider>(distributor);
432   auto options = MakeRefCounted<grpc_tls_credentials_options>();
433   options->set_certificate_provider(provider);
434   options->set_watch_root_cert(true);
435   options->set_root_cert_name(kRootCertName);
436   RefCountedPtr<TlsCredentials> credential =
437       MakeRefCounted<TlsCredentials>(options);
438   ChannelArgs connector_args;
439   ChannelArgs other_connector_args;
440   RefCountedPtr<grpc_channel_security_connector> connector =
441       credential->create_security_connector(nullptr, kTargetName,
442                                             &connector_args);
443   RefCountedPtr<grpc_channel_security_connector> other_connector =
444       credential->create_security_connector(nullptr, kTargetName,
445                                             &other_connector_args);
446   // Comparing the equality of security connectors generated from the same
447   // channel credentials with same settings should succeed.
448   EXPECT_EQ(connector->cmp(other_connector.get()), 0);
449 }
450 
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentChannelCredentials)451 TEST_F(TlsSecurityConnectorTest,
452        CompareChannelSecurityConnectorFailsOnDifferentChannelCredentials) {
453   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
454       MakeRefCounted<grpc_tls_certificate_distributor>();
455   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
456   RefCountedPtr<grpc_tls_certificate_provider> provider =
457       MakeRefCounted<TlsTestCertificateProvider>(distributor);
458   auto options = MakeRefCounted<grpc_tls_credentials_options>();
459   options->set_certificate_provider(provider);
460   options->set_watch_root_cert(true);
461   options->set_root_cert_name(kRootCertName);
462   RefCountedPtr<TlsCredentials> credential =
463       MakeRefCounted<TlsCredentials>(options);
464   ChannelArgs connector_args;
465   RefCountedPtr<grpc_channel_security_connector> connector =
466       credential->create_security_connector(nullptr, kTargetName,
467                                             &connector_args);
468   auto other_options = MakeRefCounted<grpc_tls_credentials_options>();
469   other_options->set_certificate_provider(provider);
470   other_options->set_watch_root_cert(true);
471   other_options->set_root_cert_name(kRootCertName);
472   other_options->set_watch_identity_pair(true);
473   RefCountedPtr<TlsCredentials> other_credential =
474       MakeRefCounted<TlsCredentials>(other_options);
475   ChannelArgs other_connector_args;
476   RefCountedPtr<grpc_channel_security_connector> other_connector =
477       other_credential->create_security_connector(nullptr, kTargetName,
478                                                   &other_connector_args);
479   // Comparing the equality of security connectors generated from different
480   // channel credentials should fail.
481   EXPECT_NE(connector->cmp(other_connector.get()), 0);
482 }
483 
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentCallCredentials)484 TEST_F(TlsSecurityConnectorTest,
485        CompareChannelSecurityConnectorFailsOnDifferentCallCredentials) {
486   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
487       MakeRefCounted<grpc_tls_certificate_distributor>();
488   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
489   RefCountedPtr<grpc_tls_certificate_provider> provider =
490       MakeRefCounted<TlsTestCertificateProvider>(distributor);
491   auto options = MakeRefCounted<grpc_tls_credentials_options>();
492   options->set_certificate_provider(provider);
493   options->set_watch_root_cert(true);
494   options->set_root_cert_name(kRootCertName);
495   RefCountedPtr<TlsCredentials> credential =
496       MakeRefCounted<TlsCredentials>(options);
497   ChannelArgs connector_args;
498   RefCountedPtr<grpc_channel_security_connector> connector =
499       credential->create_security_connector(nullptr, kTargetName,
500                                             &connector_args);
501   grpc_call_credentials* call_creds =
502       grpc_md_only_test_credentials_create("", "");
503   ChannelArgs other_connector_args;
504   RefCountedPtr<grpc_channel_security_connector> other_connector =
505       credential->create_security_connector(
506           RefCountedPtr<grpc_call_credentials>(call_creds), kTargetName,
507           &other_connector_args);
508   // Comparing the equality of security connectors generated with different call
509   // credentials should fail.
510   EXPECT_NE(connector->cmp(other_connector.get()), 0);
511 }
512 
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentTargetNames)513 TEST_F(TlsSecurityConnectorTest,
514        CompareChannelSecurityConnectorFailsOnDifferentTargetNames) {
515   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
516       MakeRefCounted<grpc_tls_certificate_distributor>();
517   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
518   RefCountedPtr<grpc_tls_certificate_provider> provider =
519       MakeRefCounted<TlsTestCertificateProvider>(distributor);
520   auto options = MakeRefCounted<grpc_tls_credentials_options>();
521   options->set_certificate_provider(provider);
522   options->set_watch_root_cert(true);
523   options->set_root_cert_name(kRootCertName);
524   RefCountedPtr<TlsCredentials> credential =
525       MakeRefCounted<TlsCredentials>(options);
526   ChannelArgs connector_args;
527   ChannelArgs other_connector_args;
528   RefCountedPtr<grpc_channel_security_connector> connector =
529       credential->create_security_connector(nullptr, kTargetName,
530                                             &connector_args);
531   RefCountedPtr<grpc_channel_security_connector> other_connector =
532       credential->create_security_connector(nullptr, "", &other_connector_args);
533   // Comparing the equality of security connectors generated with different
534   // target names should fail.
535   EXPECT_NE(connector->cmp(other_connector.get()), 0);
536 }
537 
538 // Tests for ServerSecurityConnector.
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithAsyncExternalVerifierSucceeds)539 TEST_F(TlsSecurityConnectorTest,
540        ChannelSecurityConnectorWithAsyncExternalVerifierSucceeds) {
541   auto* async_verifier = new AsyncExternalVerifier(true);
542   auto* core_external_verifier =
543       new ExternalCertificateVerifier(async_verifier->base());
544   auto options = MakeRefCounted<grpc_tls_credentials_options>();
545   options->set_verify_server_cert(true);
546   options->set_certificate_verifier(core_external_verifier->Ref());
547   options->set_check_call_host(false);
548   RefCountedPtr<TlsCredentials> credential =
549       MakeRefCounted<TlsCredentials>(options);
550   ChannelArgs new_args;
551   RefCountedPtr<grpc_channel_security_connector> connector =
552       credential->create_security_connector(nullptr, kTargetName, &new_args);
553   EXPECT_NE(connector, nullptr);
554   TlsChannelSecurityConnector* tls_connector =
555       static_cast<TlsChannelSecurityConnector*>(connector.get());
556   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
557   // Construct a basic TSI Peer.
558   tsi_peer peer;
559   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
560   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
561                                                 "h2", strlen("h2"),
562                                                 &peer.properties[0]) == TSI_OK);
563   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
564                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
565                  &peer.properties[1]) == TSI_OK);
566   RefCountedPtr<grpc_auth_context> auth_context;
567   ExecCtx exec_ctx;
568   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
569       VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
570   tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
571                             on_peer_checked);
572   core_external_verifier->Unref();
573 }
574 
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithAsyncExternalVerifierFails)575 TEST_F(TlsSecurityConnectorTest,
576        ChannelSecurityConnectorWithAsyncExternalVerifierFails) {
577   auto* async_verifier = new AsyncExternalVerifier(false);
578   auto* core_external_verifier =
579       new ExternalCertificateVerifier(async_verifier->base());
580   auto options = MakeRefCounted<grpc_tls_credentials_options>();
581   options->set_verify_server_cert(true);
582   options->set_certificate_verifier(core_external_verifier->Ref());
583   options->set_check_call_host(false);
584   RefCountedPtr<TlsCredentials> credential =
585       MakeRefCounted<TlsCredentials>(options);
586   ChannelArgs new_args;
587   RefCountedPtr<grpc_channel_security_connector> connector =
588       credential->create_security_connector(nullptr, kTargetName, &new_args);
589   EXPECT_NE(connector, nullptr);
590   TlsChannelSecurityConnector* tls_connector =
591       static_cast<TlsChannelSecurityConnector*>(connector.get());
592   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
593   // Construct a basic TSI Peer.
594   tsi_peer peer;
595   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
596   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
597                                                 "h2", strlen("h2"),
598                                                 &peer.properties[0]) == TSI_OK);
599   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
600                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
601                  &peer.properties[1]) == TSI_OK);
602   RefCountedPtr<grpc_auth_context> auth_context;
603   const char* expected_error_msg =
604       "Custom verification check failed with error: UNAUTHENTICATED: "
605       "AsyncExternalVerifier failed";
606   ExecCtx exec_ctx;
607   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
608       VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
609       grpc_schedule_on_exec_ctx);
610   tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
611                             on_peer_checked);
612   core_external_verifier->Unref();
613 }
614 
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorHostnameVerifierSucceeds)615 TEST_F(TlsSecurityConnectorTest,
616        ChannelSecurityConnectorHostnameVerifierSucceeds) {
617   RefCountedPtr<grpc_tls_credentials_options> options =
618       MakeRefCounted<grpc_tls_credentials_options>();
619   options->set_verify_server_cert(true);
620   options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
621   options->set_check_call_host(false);
622   RefCountedPtr<TlsCredentials> credential =
623       MakeRefCounted<TlsCredentials>(options);
624   ChannelArgs new_args;
625   RefCountedPtr<grpc_channel_security_connector> connector =
626       credential->create_security_connector(nullptr, kTargetName, &new_args);
627   EXPECT_NE(connector, nullptr);
628   TlsChannelSecurityConnector* tls_connector =
629       static_cast<TlsChannelSecurityConnector*>(connector.get());
630   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
631   // Construct a full TSI Peer.
632   tsi_peer peer;
633   GPR_ASSERT(tsi_construct_peer(7, &peer) == TSI_OK);
634   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
635                                                 "h2", strlen("h2"),
636                                                 &peer.properties[0]) == TSI_OK);
637   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
638                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
639                  &peer.properties[1]) == TSI_OK);
640   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
641                  TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
642              TSI_OK);
643   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
644                  TSI_SECURITY_LEVEL_PEER_PROPERTY,
645                  tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
646                  &peer.properties[3]) == TSI_OK);
647   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
648                  TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
649                  &peer.properties[4]) == TSI_OK);
650   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
651                  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.bar.com",
652                  &peer.properties[5]) == TSI_OK);
653   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
654                  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
655                  &peer.properties[6]) == TSI_OK);
656   RefCountedPtr<grpc_auth_context> auth_context;
657   ExecCtx exec_ctx;
658   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
659       VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
660   tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
661                             on_peer_checked);
662 }
663 
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorHostnameVerifierFails)664 TEST_F(TlsSecurityConnectorTest,
665        ChannelSecurityConnectorHostnameVerifierFails) {
666   RefCountedPtr<grpc_tls_credentials_options> options =
667       MakeRefCounted<grpc_tls_credentials_options>();
668   options->set_verify_server_cert(true);
669   options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
670   RefCountedPtr<TlsCredentials> credential =
671       MakeRefCounted<TlsCredentials>(options);
672   ChannelArgs new_args;
673   RefCountedPtr<grpc_channel_security_connector> connector =
674       credential->create_security_connector(nullptr, kTargetName, &new_args);
675   EXPECT_NE(connector, nullptr);
676   TlsChannelSecurityConnector* tls_connector =
677       static_cast<TlsChannelSecurityConnector*>(connector.get());
678   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
679   // Construct a full TSI Peer.
680   tsi_peer peer;
681   GPR_ASSERT(tsi_construct_peer(7, &peer) == TSI_OK);
682   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
683                                                 "h2", strlen("h2"),
684                                                 &peer.properties[0]) == TSI_OK);
685   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
686                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.com",
687                  &peer.properties[1]) == TSI_OK);
688   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
689                  TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
690              TSI_OK);
691   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
692                  TSI_SECURITY_LEVEL_PEER_PROPERTY,
693                  tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
694                  &peer.properties[3]) == TSI_OK);
695   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
696                  TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
697                  &peer.properties[4]) == TSI_OK);
698   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
699                  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "*.com",
700                  &peer.properties[5]) == TSI_OK);
701   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
702                  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
703                  &peer.properties[6]) == TSI_OK);
704   RefCountedPtr<grpc_auth_context> auth_context;
705   const char* expected_error_msg =
706       "Custom verification check failed with error: UNAUTHENTICATED: Hostname "
707       "Verification "
708       "Check failed.";
709   ExecCtx exec_ctx;
710   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
711       VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
712       grpc_schedule_on_exec_ctx);
713   tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
714                             on_peer_checked);
715 }
716 
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithVerifiedRootCertSubjectSucceeds)717 TEST_F(TlsSecurityConnectorTest,
718        ChannelSecurityConnectorWithVerifiedRootCertSubjectSucceeds) {
719   auto* sync_verifier = new SyncExternalVerifier(true);
720   ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
721   RefCountedPtr<grpc_tls_credentials_options> options =
722       MakeRefCounted<grpc_tls_credentials_options>();
723   options->set_verify_server_cert(true);
724   options->set_certificate_verifier(core_external_verifier.Ref());
725   options->set_check_call_host(false);
726   RefCountedPtr<TlsCredentials> credential =
727       MakeRefCounted<TlsCredentials>(options);
728   ChannelArgs new_args;
729   RefCountedPtr<grpc_channel_security_connector> connector =
730       credential->create_security_connector(nullptr, kTargetName, &new_args);
731   EXPECT_NE(connector, nullptr);
732   TlsChannelSecurityConnector* tls_connector =
733       static_cast<TlsChannelSecurityConnector*>(connector.get());
734   EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
735   // Construct a basic TSI Peer.
736   std::string expected_subject =
737       "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";
738   tsi_peer peer;
739   EXPECT_EQ(tsi_construct_peer(2, &peer), TSI_OK);
740   EXPECT_EQ(
741       tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
742                                          strlen("h2"), &peer.properties[0]),
743       TSI_OK);
744   EXPECT_EQ(tsi_construct_string_peer_property_from_cstring(
745                 TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY,
746                 expected_subject.c_str(), &peer.properties[1]),
747             TSI_OK);
748   RefCountedPtr<grpc_auth_context> auth_context;
749   ExecCtx exec_ctx;
750   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
751       VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
752   ChannelArgs args;
753   tls_connector->check_peer(peer, nullptr, args, &auth_context,
754                             on_peer_checked);
755 }
756 
757 //
758 // Tests for Certificate Providers in ServerSecurityConnector.
759 //
760 
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector)761 TEST_F(TlsSecurityConnectorTest,
762        RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
763   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
764       MakeRefCounted<grpc_tls_certificate_distributor>();
765   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
766   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
767                                identity_pairs_0_);
768   RefCountedPtr<grpc_tls_certificate_provider> provider =
769       MakeRefCounted<TlsTestCertificateProvider>(distributor);
770   RefCountedPtr<grpc_tls_credentials_options> options =
771       MakeRefCounted<grpc_tls_credentials_options>();
772   options->set_certificate_provider(provider);
773   options->set_watch_root_cert(true);
774   options->set_watch_identity_pair(true);
775   options->set_root_cert_name(kRootCertName);
776   options->set_identity_cert_name(kIdentityCertName);
777   RefCountedPtr<TlsServerCredentials> credential =
778       MakeRefCounted<TlsServerCredentials>(options);
779   RefCountedPtr<grpc_server_security_connector> connector =
780       credential->create_security_connector(ChannelArgs());
781   EXPECT_NE(connector, nullptr);
782   TlsServerSecurityConnector* tls_connector =
783       static_cast<TlsServerSecurityConnector*>(connector.get());
784   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
785   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
786   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
787   distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
788   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
789                                identity_pairs_1_);
790   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
791   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
792   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
793 }
794 
795 // Note that on server side, we don't have tests watching root certs only,
796 // because in TLS, the identity certs should always be presented. If we don't
797 // provide, it will try to load certs from some default system locations, and
798 // will hence fail on some systems.
TEST_F(TlsSecurityConnectorTest,IdentityCertsObtainedWhenCreateServerSecurityConnector)799 TEST_F(TlsSecurityConnectorTest,
800        IdentityCertsObtainedWhenCreateServerSecurityConnector) {
801   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
802       MakeRefCounted<grpc_tls_certificate_distributor>();
803   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
804   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
805                                identity_pairs_0_);
806   RefCountedPtr<grpc_tls_certificate_provider> provider =
807       MakeRefCounted<TlsTestCertificateProvider>(distributor);
808   // Create options only watching for identity certificates.
809   RefCountedPtr<grpc_tls_credentials_options> identity_options =
810       MakeRefCounted<grpc_tls_credentials_options>();
811   identity_options->set_certificate_provider(provider);
812   identity_options->set_watch_identity_pair(true);
813   identity_options->set_identity_cert_name(kIdentityCertName);
814   RefCountedPtr<TlsServerCredentials> identity_credential =
815       MakeRefCounted<TlsServerCredentials>(identity_options);
816   RefCountedPtr<grpc_server_security_connector> identity_connector =
817       identity_credential->create_security_connector(ChannelArgs());
818   EXPECT_NE(identity_connector, nullptr);
819   TlsServerSecurityConnector* tls_identity_connector =
820       static_cast<TlsServerSecurityConnector*>(identity_connector.get());
821   EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
822             nullptr);
823   EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
824             identity_pairs_0_);
825   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
826                                identity_pairs_1_);
827   EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
828             nullptr);
829   EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
830             identity_pairs_1_);
831 }
832 
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateServerSecurityConnector)833 TEST_F(TlsSecurityConnectorTest,
834        CertPartiallyObtainedWhenCreateServerSecurityConnector) {
835   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
836       MakeRefCounted<grpc_tls_certificate_distributor>();
837   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
838                                identity_pairs_0_);
839   RefCountedPtr<grpc_tls_certificate_provider> provider =
840       MakeRefCounted<TlsTestCertificateProvider>(distributor);
841   // Registered the options watching both certs, but only root certs are
842   // available at distributor right now.
843   RefCountedPtr<grpc_tls_credentials_options> options =
844       MakeRefCounted<grpc_tls_credentials_options>();
845   options->set_certificate_provider(provider);
846   options->set_watch_root_cert(true);
847   options->set_watch_identity_pair(true);
848   options->set_root_cert_name(kRootCertName);
849   options->set_identity_cert_name(kIdentityCertName);
850   RefCountedPtr<TlsServerCredentials> credential =
851       MakeRefCounted<TlsServerCredentials>(options);
852   RefCountedPtr<grpc_server_security_connector> connector =
853       credential->create_security_connector(ChannelArgs());
854   EXPECT_NE(connector, nullptr);
855   TlsServerSecurityConnector* tls_connector =
856       static_cast<TlsServerSecurityConnector*>(connector.get());
857   // The server_handshaker_factory_ shouldn't be updated.
858   EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
859   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
860   // After updating the root certs, the server_handshaker_factory_ should be
861   // updated.
862   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
863   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
864   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
865   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
866 }
867 
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForServerSecurityConnector)868 TEST_F(TlsSecurityConnectorTest,
869        DistributorHasErrorForServerSecurityConnector) {
870   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
871       MakeRefCounted<grpc_tls_certificate_distributor>();
872   distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
873   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
874                                identity_pairs_0_);
875   RefCountedPtr<grpc_tls_certificate_provider> provider =
876       MakeRefCounted<TlsTestCertificateProvider>(distributor);
877   RefCountedPtr<grpc_tls_credentials_options> options =
878       MakeRefCounted<grpc_tls_credentials_options>();
879   options->set_certificate_provider(provider);
880   options->set_watch_root_cert(true);
881   options->set_watch_identity_pair(true);
882   options->set_root_cert_name(kRootCertName);
883   options->set_identity_cert_name(kIdentityCertName);
884   RefCountedPtr<TlsServerCredentials> credential =
885       MakeRefCounted<TlsServerCredentials>(options);
886   RefCountedPtr<grpc_server_security_connector> connector =
887       credential->create_security_connector(ChannelArgs());
888   EXPECT_NE(connector, nullptr);
889   TlsServerSecurityConnector* tls_connector =
890       static_cast<TlsServerSecurityConnector*>(connector.get());
891   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
892   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
893   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
894   // Calling SetErrorForCert on distributor shouldn't invalidate the previous
895   // valid credentials.
896   distributor->SetErrorForCert(kRootCertName, GRPC_ERROR_CREATE(kErrorMessage),
897                                absl::nullopt);
898   distributor->SetErrorForCert(kIdentityCertName, absl::nullopt,
899                                GRPC_ERROR_CREATE(kErrorMessage));
900   EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
901   EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
902   EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
903 }
904 
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoCredentials)905 TEST_F(TlsSecurityConnectorTest,
906        CreateServerSecurityConnectorFailNoCredentials) {
907   auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
908       nullptr, MakeRefCounted<grpc_tls_credentials_options>());
909   EXPECT_EQ(connector, nullptr);
910 }
911 
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoOptions)912 TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
913   RefCountedPtr<grpc_tls_credentials_options> options =
914       MakeRefCounted<grpc_tls_credentials_options>();
915   RefCountedPtr<TlsServerCredentials> credential =
916       MakeRefCounted<TlsServerCredentials>(options);
917   auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
918       credential, nullptr);
919   EXPECT_EQ(connector, nullptr);
920 }
921 
TEST_F(TlsSecurityConnectorTest,CompareServerSecurityConnectorSucceedsOnSameCredentials)922 TEST_F(TlsSecurityConnectorTest,
923        CompareServerSecurityConnectorSucceedsOnSameCredentials) {
924   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
925       MakeRefCounted<grpc_tls_certificate_distributor>();
926   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
927                                identity_pairs_0_);
928   RefCountedPtr<grpc_tls_certificate_provider> provider =
929       MakeRefCounted<TlsTestCertificateProvider>(distributor);
930   auto options = MakeRefCounted<grpc_tls_credentials_options>();
931   options->set_certificate_provider(provider);
932   options->set_watch_identity_pair(true);
933   options->set_identity_cert_name(kIdentityCertName);
934   RefCountedPtr<TlsServerCredentials> credential =
935       MakeRefCounted<TlsServerCredentials>(options);
936   RefCountedPtr<grpc_server_security_connector> connector =
937       credential->create_security_connector(ChannelArgs());
938   RefCountedPtr<grpc_server_security_connector> other_connector =
939       credential->create_security_connector(ChannelArgs());
940   // Comparing the equality of security connectors generated from the same
941   // server credentials with same settings should succeed.
942   EXPECT_EQ(connector->cmp(other_connector.get()), 0);
943 }
944 
TEST_F(TlsSecurityConnectorTest,CompareServerSecurityConnectorFailsOnDifferentServerCredentials)945 TEST_F(TlsSecurityConnectorTest,
946        CompareServerSecurityConnectorFailsOnDifferentServerCredentials) {
947   RefCountedPtr<grpc_tls_certificate_distributor> distributor =
948       MakeRefCounted<grpc_tls_certificate_distributor>();
949   distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
950                                identity_pairs_0_);
951   RefCountedPtr<grpc_tls_certificate_provider> provider =
952       MakeRefCounted<TlsTestCertificateProvider>(distributor);
953   auto options = MakeRefCounted<grpc_tls_credentials_options>();
954   options->set_certificate_provider(provider);
955   options->set_watch_identity_pair(true);
956   options->set_identity_cert_name(kIdentityCertName);
957   RefCountedPtr<TlsServerCredentials> credential =
958       MakeRefCounted<TlsServerCredentials>(options);
959   RefCountedPtr<grpc_server_security_connector> connector =
960       credential->create_security_connector(ChannelArgs());
961   RefCountedPtr<TlsServerCredentials> other_credential =
962       MakeRefCounted<TlsServerCredentials>(options);
963   RefCountedPtr<grpc_server_security_connector> other_connector =
964       other_credential->create_security_connector(ChannelArgs());
965   // Comparing the equality of security connectors generated from different
966   // server credentials should fail.
967   EXPECT_NE(connector->cmp(other_connector.get()), 0);
968 }
969 
970 //
971 // Tests for Certificate Verifier in ServerSecurityConnector.
972 //
973 
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithSyncExternalVerifierSucceeds)974 TEST_F(TlsSecurityConnectorTest,
975        ServerSecurityConnectorWithSyncExternalVerifierSucceeds) {
976   auto* sync_verifier = new SyncExternalVerifier(true);
977   ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
978   RefCountedPtr<grpc_tls_credentials_options> options =
979       MakeRefCounted<grpc_tls_credentials_options>();
980   options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
981   options->set_certificate_verifier(core_external_verifier.Ref());
982   auto provider =
983       MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
984   options->set_certificate_provider(std::move(provider));
985   options->set_watch_identity_pair(true);
986   auto credentials = MakeRefCounted<TlsServerCredentials>(options);
987   auto connector = credentials->create_security_connector(ChannelArgs());
988   // Construct a basic TSI Peer.
989   tsi_peer peer;
990   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
991   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
992                                                 "h2", strlen("h2"),
993                                                 &peer.properties[0]) == TSI_OK);
994   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
995                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
996                  &peer.properties[1]) == TSI_OK);
997   RefCountedPtr<grpc_auth_context> auth_context;
998   ExecCtx exec_ctx;
999   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1000       VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1001   ChannelArgs args;
1002   connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1003 }
1004 
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithSyncExternalVerifierFails)1005 TEST_F(TlsSecurityConnectorTest,
1006        ServerSecurityConnectorWithSyncExternalVerifierFails) {
1007   auto* sync_verifier = new SyncExternalVerifier(false);
1008   ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
1009   RefCountedPtr<grpc_tls_credentials_options> options =
1010       MakeRefCounted<grpc_tls_credentials_options>();
1011   options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1012   options->set_certificate_verifier(core_external_verifier.Ref());
1013   auto provider =
1014       MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1015   options->set_certificate_provider(std::move(provider));
1016   options->set_watch_identity_pair(true);
1017   auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1018   auto connector = credentials->create_security_connector(ChannelArgs());
1019   // Construct a basic TSI Peer.
1020   tsi_peer peer;
1021   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1022   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1023                                                 "h2", strlen("h2"),
1024                                                 &peer.properties[0]) == TSI_OK);
1025   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1026                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1027                  &peer.properties[1]) == TSI_OK);
1028   RefCountedPtr<grpc_auth_context> auth_context;
1029   const char* expected_error_msg =
1030       "Custom verification check failed with error: UNAUTHENTICATED: "
1031       "SyncExternalVerifier failed";
1032   ExecCtx exec_ctx;
1033   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1034       VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1035       grpc_schedule_on_exec_ctx);
1036   ChannelArgs args;
1037   connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1038 }
1039 
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithAsyncExternalVerifierSucceeds)1040 TEST_F(TlsSecurityConnectorTest,
1041        ServerSecurityConnectorWithAsyncExternalVerifierSucceeds) {
1042   auto* async_verifier = new AsyncExternalVerifier(true);
1043   auto* core_external_verifier =
1044       new ExternalCertificateVerifier(async_verifier->base());
1045   auto options = MakeRefCounted<grpc_tls_credentials_options>();
1046   options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1047   options->set_certificate_verifier(core_external_verifier->Ref());
1048   auto provider =
1049       MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1050   options->set_certificate_provider(std::move(provider));
1051   options->set_watch_identity_pair(true);
1052   auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1053   auto connector = credentials->create_security_connector(ChannelArgs());
1054   // Construct a basic TSI Peer.
1055   tsi_peer peer;
1056   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1057   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1058                                                 "h2", strlen("h2"),
1059                                                 &peer.properties[0]) == TSI_OK);
1060   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1061                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1062                  &peer.properties[1]) == TSI_OK);
1063   RefCountedPtr<grpc_auth_context> auth_context;
1064   ExecCtx exec_ctx;
1065   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1066       VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1067   ChannelArgs args;
1068   connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1069   core_external_verifier->Unref();
1070 }
1071 
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithAsyncExternalVerifierFails)1072 TEST_F(TlsSecurityConnectorTest,
1073        ServerSecurityConnectorWithAsyncExternalVerifierFails) {
1074   auto* async_verifier = new AsyncExternalVerifier(false);
1075   auto* core_external_verifier =
1076       new ExternalCertificateVerifier(async_verifier->base());
1077   RefCountedPtr<grpc_tls_credentials_options> options =
1078       MakeRefCounted<grpc_tls_credentials_options>();
1079   options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1080   options->set_certificate_verifier(core_external_verifier->Ref());
1081   auto provider =
1082       MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1083   options->set_certificate_provider(std::move(provider));
1084   options->set_watch_identity_pair(true);
1085   auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1086   auto connector = credentials->create_security_connector(ChannelArgs());
1087   // Construct a basic TSI Peer.
1088   tsi_peer peer;
1089   GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1090   GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1091                                                 "h2", strlen("h2"),
1092                                                 &peer.properties[0]) == TSI_OK);
1093   GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1094                  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1095                  &peer.properties[1]) == TSI_OK);
1096   RefCountedPtr<grpc_auth_context> auth_context;
1097   const char* expected_error_msg =
1098       "Custom verification check failed with error: UNAUTHENTICATED: "
1099       "AsyncExternalVerifier failed";
1100   ExecCtx exec_ctx;
1101   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1102       VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1103       grpc_schedule_on_exec_ctx);
1104   ChannelArgs args;
1105   connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1106   core_external_verifier->Unref();
1107 }
1108 
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithVerifiedRootSubjectCertSucceeds)1109 TEST_F(TlsSecurityConnectorTest,
1110        ServerSecurityConnectorWithVerifiedRootSubjectCertSucceeds) {
1111   auto* sync_verifier = new SyncExternalVerifier(true);
1112   ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
1113   RefCountedPtr<grpc_tls_credentials_options> options =
1114       MakeRefCounted<grpc_tls_credentials_options>();
1115   options->set_cert_request_type(
1116       GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
1117   options->set_certificate_verifier(core_external_verifier.Ref());
1118   auto provider =
1119       MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1120   options->set_certificate_provider(std::move(provider));
1121   options->set_watch_identity_pair(true);
1122   auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1123   auto connector = credentials->create_security_connector(ChannelArgs());
1124   // Construct a basic TSI Peer.
1125   std::string expected_subject =
1126       "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";
1127   tsi_peer peer;
1128   EXPECT_EQ(tsi_construct_peer(2, &peer), TSI_OK);
1129   EXPECT_EQ(
1130       tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
1131                                          strlen("h2"), &peer.properties[0]),
1132       TSI_OK);
1133   EXPECT_EQ(tsi_construct_string_peer_property_from_cstring(
1134                 TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY,
1135                 expected_subject.c_str(), &peer.properties[1]),
1136             TSI_OK);
1137   RefCountedPtr<grpc_auth_context> auth_context;
1138   ExecCtx exec_ctx;
1139   grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1140       VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1141   ChannelArgs args;
1142   connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1143 }
1144 }  // namespace testing
1145 }  // namespace grpc_core
1146 
main(int argc,char ** argv)1147 int main(int argc, char** argv) {
1148   grpc::testing::TestEnvironment env(&argc, argv);
1149   grpc_core::ConfigVars::Overrides overrides;
1150   overrides.default_ssl_roots_file_path = CA_CERT_PATH;
1151   grpc_core::ConfigVars::SetOverrides(overrides);
1152   ::testing::InitGoogleTest(&argc, argv);
1153   grpc_init();
1154   int ret = RUN_ALL_TESTS();
1155   grpc_shutdown();
1156   return ret;
1157 }
1158