//
//
// Copyright 2015 gRPC authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
//
18
19 #include <memory>
20
21 #include "absl/types/optional.h"
22 #include "gtest/gtest.h"
23
24 #include <grpc/grpc.h>
25 #include <grpc/grpc_security.h>
26 #include <grpc/status.h>
27 #include <grpc/support/log.h>
28
29 #include "src/core/lib/channel/channel_args.h"
30 #include "src/core/lib/gprpp/time.h"
31 #include "src/core/lib/security/credentials/credentials.h"
32 #include "test/core/end2end/end2end_tests.h"
33
34 namespace grpc_core {
35 namespace {
36
// Fixed, obviously fake credential material for the per-call credentials
// tests below. The "overridden_*" variants are attached after the first set
// so the tests can check that the most recently set credentials win.

// Google IAM call credentials: an authorization token plus an authority
// selector. FailToSendCallCreds shows these are rejected on an insecure
// channel.
constexpr char iam_token[] = "token";
constexpr char iam_selector[] = "selector";
constexpr char overridden_iam_token[] = "overridden_token";
constexpr char overridden_iam_selector[] = "overridden_selector";

// Metadata-only test credentials: a single fake key/value pair that the
// PerCallCredsOnInsecureTest cases send over an insecure channel.
constexpr char fake_md_key[] = "fake_key";
constexpr char fake_md_value[] = "fake_value";
constexpr char overridden_fake_md_key[] = "overridden_fake_key";
constexpr char overridden_fake_md_value[] = "overridden_fake_value";
45
// Test-only diagnostic: logs at INFO level whether the peer is authenticated,
// then the peer-identity properties, then every property of the auth context.
//
// is_client: tags the output as the client or the server side of the call.
// ctx: borrowed; not modified.
//
// Property values are logged verbatim. That is fine here because these tests
// only ever attach fixed dummy tokens, but do not reuse this helper where a
// real credential could end up in a log.
void PrintAuthContext(bool is_client, const grpc_auth_context* ctx) {
  const char* const side = is_client ? "client" : "server";
  // Drain an iterator, emitting one "name: value" line per property.
  auto log_properties = [](grpc_auth_property_iterator it) {
    for (const grpc_auth_property* prop = grpc_auth_property_iterator_next(&it);
         prop != nullptr; prop = grpc_auth_property_iterator_next(&it)) {
      gpr_log(GPR_INFO, "\t\t%s: %s", prop->name, prop->value);
    }
  };
  gpr_log(GPR_INFO, "%s peer:", side);
  gpr_log(GPR_INFO, "\tauthenticated: %s",
          grpc_auth_context_peer_is_authenticated(ctx) ? "YES" : "NO");
  log_properties(grpc_auth_context_peer_identity(ctx));
  gpr_log(GPR_INFO, "\tall properties:");
  log_properties(grpc_auth_context_property_iterator(ctx));
}
62
// Runs one request/response exchange with call credentials attached to the
// client call and checks that the credential metadata reached the server.
//
// test: the end2end fixture that owns the channel and server.
// use_secure_call_creds: true attaches Google IAM credentials (token and
//   authority selector); false attaches metadata-only test credentials that
//   carry a single fake key/value pair.
//
// Reports failures through gtest EXPECT_* if the call does not finish with
// GRPC_STATUS_OK, if either payload does not round-trip, or if the expected
// credential metadata is absent from the server's initial metadata.
void TestRequestResponseWithPayloadAndCallCreds(CoreEnd2endTest& test,
                                                bool use_secure_call_creds) {
  auto client =
      test.NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
  grpc_call_credentials* const call_creds =
      use_secure_call_creds
          ? grpc_google_iam_credentials_create(iam_token, iam_selector, nullptr)
          : grpc_md_only_test_credentials_create(fake_md_key, fake_md_value);
  EXPECT_NE(call_creds, nullptr);
  // NOTE(review): SetCredentials presumably takes over the reference created
  // above; confirm against CoreEnd2endTest before reusing the pointer.
  client.SetCredentials(call_creds);
  CoreEnd2endTest::IncomingMetadata server_initial_metadata;
  CoreEnd2endTest::IncomingMessage server_message;
  CoreEnd2endTest::IncomingStatusOnClient server_status;
  client.NewBatch(1)
      .SendInitialMetadata({})
      .SendMessage("hello world")
      .SendCloseFromClient()
      .RecvInitialMetadata(server_initial_metadata)
      .RecvMessage(server_message)
      .RecvStatusOnClient(server_status);
  auto server = test.RequestCall(101);
  test.Expect(101, true);
  test.Step();
  PrintAuthContext(false, server.GetAuthContext().get());
  PrintAuthContext(true, client.GetAuthContext().get());
  // Call credentials are a client-side concept; setting them on the server
  // call object must be refused.
  EXPECT_NE(grpc_call_set_credentials(server.c_call(), nullptr), GRPC_CALL_OK);
  CoreEnd2endTest::IncomingMessage client_message;
  server.NewBatch(102).SendInitialMetadata({}).RecvMessage(client_message);
  test.Expect(102, true);
  test.Step();
  CoreEnd2endTest::IncomingCloseOnServer client_close;
  server.NewBatch(103)
      .RecvCloseOnServer(client_close)
      .SendMessage("hello you")
      .SendStatusFromServer(GRPC_STATUS_OK, "xyz", {});
  test.Expect(103, true);
  test.Expect(1, true);
  test.Step();
  EXPECT_EQ(server_status.status(), GRPC_STATUS_OK);
  EXPECT_EQ(server_status.message(), "xyz");
  EXPECT_EQ(server.method(), "/foo");
  EXPECT_FALSE(client_close.was_cancelled());
  EXPECT_EQ(client_message.payload(), "hello world");
  EXPECT_EQ(server_message.payload(), "hello you");
  // The credential metadata must have arrived at the server unchanged.
  if (use_secure_call_creds) {
    EXPECT_EQ(
        server.GetInitialMetadata(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
        iam_token);
    EXPECT_EQ(
        server.GetInitialMetadata(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
        iam_selector);
  } else {
    EXPECT_EQ(server.GetInitialMetadata(fake_md_key), fake_md_value);
  }
}
119
// Like TestRequestResponseWithPayloadAndCallCreds, but sets credentials on
// the client call twice and checks that only the second ("overridden") set is
// what the server receives.
//
// test: the end2end fixture that owns the channel and server.
// use_secure_call_creds: true uses Google IAM credentials for both sets;
//   false uses metadata-only test credentials for both.
//
// Reports failures through gtest EXPECT_* if the call does not finish with
// GRPC_STATUS_OK, if either payload does not round-trip, or if the server's
// initial metadata does not carry the overridden values.
void TestRequestResponseWithPayloadAndOverriddenCallCreds(
    CoreEnd2endTest& test, bool use_secure_call_creds) {
  auto client =
      test.NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
  // Builds whichever flavour of credentials this run is exercising; the IAM
  // pair is used when secure, the metadata pair otherwise.
  auto make_creds = [use_secure_call_creds](
                        const char* token, const char* selector,
                        const char* md_key, const char* md_value) {
    return use_secure_call_creds
               ? grpc_google_iam_credentials_create(token, selector, nullptr)
               : grpc_md_only_test_credentials_create(md_key, md_value);
  };
  grpc_call_credentials* const first_creds =
      make_creds(iam_token, iam_selector, fake_md_key, fake_md_value);
  EXPECT_NE(first_creds, nullptr);
  client.SetCredentials(first_creds);
  // Second SetCredentials replaces the first; the assertions at the end rely
  // on exactly this replacement.
  grpc_call_credentials* const second_creds =
      make_creds(overridden_iam_token, overridden_iam_selector,
                 overridden_fake_md_key, overridden_fake_md_value);
  client.SetCredentials(second_creds);
  CoreEnd2endTest::IncomingMetadata server_initial_metadata;
  CoreEnd2endTest::IncomingMessage server_message;
  CoreEnd2endTest::IncomingStatusOnClient server_status;
  client.NewBatch(1)
      .SendInitialMetadata({})
      .SendMessage("hello world")
      .SendCloseFromClient()
      .RecvInitialMetadata(server_initial_metadata)
      .RecvMessage(server_message)
      .RecvStatusOnClient(server_status);
  auto server = test.RequestCall(101);
  test.Expect(101, true);
  test.Step();
  PrintAuthContext(false, server.GetAuthContext().get());
  PrintAuthContext(true, client.GetAuthContext().get());
  // Call credentials are a client-side concept; setting them on the server
  // call object must be refused.
  EXPECT_NE(grpc_call_set_credentials(server.c_call(), nullptr), GRPC_CALL_OK);
  CoreEnd2endTest::IncomingMessage client_message;
  server.NewBatch(102).SendInitialMetadata({}).RecvMessage(client_message);
  test.Expect(102, true);
  test.Step();
  CoreEnd2endTest::IncomingCloseOnServer client_close;
  server.NewBatch(103)
      .RecvCloseOnServer(client_close)
      .SendMessage("hello you")
      .SendStatusFromServer(GRPC_STATUS_OK, "xyz", {});
  test.Expect(103, true);
  test.Expect(1, true);
  test.Step();
  EXPECT_EQ(server_status.status(), GRPC_STATUS_OK);
  EXPECT_EQ(server_status.message(), "xyz");
  EXPECT_EQ(server.method(), "/foo");
  EXPECT_FALSE(client_close.was_cancelled());
  EXPECT_EQ(client_message.payload(), "hello world");
  EXPECT_EQ(server_message.payload(), "hello you");
  // Only the overridden values may be present; the first set must not leak
  // through.
  if (use_secure_call_creds) {
    EXPECT_EQ(
        server.GetInitialMetadata(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
        overridden_iam_token);
    EXPECT_EQ(
        server.GetInitialMetadata(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
        overridden_iam_selector);
  } else {
    EXPECT_EQ(server.GetInitialMetadata(overridden_fake_md_key),
              overridden_fake_md_value);
  }
}
185
// Like TestRequestResponseWithPayloadAndCallCreds, but clears the credentials
// again (SetCredentials(nullptr)) before the call starts, and checks that no
// credential metadata of either flavour reaches the server.
//
// test: the end2end fixture that owns the channel and server.
// use_secure_call_creds: selects which credential flavour is attached and
//   then removed; the final assertions are the same for both values.
//
// Reports failures through gtest EXPECT_* if the call does not finish with
// GRPC_STATUS_OK, if either payload does not round-trip, or if any of the
// IAM or fake metadata keys is present in the server's initial metadata.
void TestRequestResponseWithPayloadAndDeletedCallCreds(
    CoreEnd2endTest& test, bool use_secure_call_creds) {
  auto client =
      test.NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
  grpc_call_credentials* const call_creds =
      use_secure_call_creds
          ? grpc_google_iam_credentials_create(iam_token, iam_selector, nullptr)
          : grpc_md_only_test_credentials_create(fake_md_key, fake_md_value);
  EXPECT_NE(call_creds, nullptr);
  client.SetCredentials(call_creds);
  // Removing the credentials before the first batch: nothing credential-
  // related should be sent.
  client.SetCredentials(nullptr);
  CoreEnd2endTest::IncomingMetadata server_initial_metadata;
  CoreEnd2endTest::IncomingMessage server_message;
  CoreEnd2endTest::IncomingStatusOnClient server_status;
  client.NewBatch(1)
      .SendInitialMetadata({})
      .SendMessage("hello world")
      .SendCloseFromClient()
      .RecvInitialMetadata(server_initial_metadata)
      .RecvMessage(server_message)
      .RecvStatusOnClient(server_status);
  auto server = test.RequestCall(101);
  test.Expect(101, true);
  test.Step();
  PrintAuthContext(false, server.GetAuthContext().get());
  PrintAuthContext(true, client.GetAuthContext().get());
  // Call credentials are a client-side concept; setting them on the server
  // call object must be refused.
  EXPECT_NE(grpc_call_set_credentials(server.c_call(), nullptr), GRPC_CALL_OK);
  CoreEnd2endTest::IncomingMessage client_message;
  server.NewBatch(102).SendInitialMetadata({}).RecvMessage(client_message);
  test.Expect(102, true);
  test.Step();
  CoreEnd2endTest::IncomingCloseOnServer client_close;
  server.NewBatch(103)
      .RecvCloseOnServer(client_close)
      .SendMessage("hello you")
      .SendStatusFromServer(GRPC_STATUS_OK, "xyz", {});
  test.Expect(103, true);
  test.Expect(1, true);
  test.Step();
  EXPECT_EQ(server_status.status(), GRPC_STATUS_OK);
  EXPECT_EQ(server_status.message(), "xyz");
  EXPECT_EQ(server.method(), "/foo");
  EXPECT_FALSE(client_close.was_cancelled());
  EXPECT_EQ(client_message.payload(), "hello world");
  EXPECT_EQ(server_message.payload(), "hello you");
  // Both flavours are checked regardless of use_secure_call_creds: the call
  // must carry no leftover credential metadata at all.
  EXPECT_EQ(
      server.GetInitialMetadata(GRPC_IAM_AUTHORIZATION_TOKEN_METADATA_KEY),
      absl::nullopt);
  EXPECT_EQ(
      server.GetInitialMetadata(GRPC_IAM_AUTHORITY_SELECTOR_METADATA_KEY),
      absl::nullopt);
  EXPECT_EQ(server.GetInitialMetadata(fake_md_key), absl::nullopt);
}
240
// The server fixture is configured (via FAIL_AUTH_CHECK_SERVER_ARG_NAME) to
// fail its auth check; a client call carrying metadata-only credentials must
// then finish with UNAUTHENTICATED. Note that the server side never calls
// RequestCall here, so the status must come from the rejection path alone.
CORE_END2END_TEST(PerCallCredsOnInsecureTest,
                  RequestWithServerRejectingClientCreds) {
  InitClient(ChannelArgs());
  InitServer(ChannelArgs().Set(FAIL_AUTH_CHECK_SERVER_ARG_NAME, true));
  auto client = NewClientCall("/foo").Timeout(Duration::Minutes(1)).Create();
  grpc_call_credentials* const md_creds =
      grpc_md_only_test_credentials_create(fake_md_key, fake_md_value);
  EXPECT_NE(md_creds, nullptr);
  client.SetCredentials(md_creds);
  CoreEnd2endTest::IncomingMetadata server_initial_metadata;
  CoreEnd2endTest::IncomingMessage server_message;
  CoreEnd2endTest::IncomingStatusOnClient server_status;
  client.NewBatch(1)
      .SendInitialMetadata({})
      .SendMessage("hello world")
      .SendCloseFromClient()
      .RecvInitialMetadata(server_initial_metadata)
      .RecvMessage(server_message)
      .RecvStatusOnClient(server_status);
  Expect(1, true);
  Step();
  EXPECT_EQ(server_status.status(), GRPC_STATUS_UNAUTHENTICATED);
}
264
// IAM call credentials on a secure channel: the server must receive both IAM
// metadata keys.
CORE_END2END_TEST(PerCallCredsTest, RequestResponseWithPayloadAndCallCreds) {
  constexpr bool kUseSecureCallCreds = true;
  TestRequestResponseWithPayloadAndCallCreds(*this, kUseSecureCallCreds);
}
268
// IAM call credentials set twice on a secure channel: only the second set may
// reach the server.
CORE_END2END_TEST(PerCallCredsTest,
                  RequestResponseWithPayloadAndOverriddenCallCreds) {
  constexpr bool kUseSecureCallCreds = true;
  TestRequestResponseWithPayloadAndOverriddenCallCreds(*this,
                                                       kUseSecureCallCreds);
}
273
// IAM call credentials attached and then cleared on a secure channel: no
// credential metadata may reach the server.
CORE_END2END_TEST(PerCallCredsTest,
                  RequestResponseWithPayloadAndDeletedCallCreds) {
  constexpr bool kUseSecureCallCreds = true;
  TestRequestResponseWithPayloadAndDeletedCallCreds(*this,
                                                    kUseSecureCallCreds);
}
278
// Metadata-only test credentials on a secure channel: the fake key/value must
// reach the server.
CORE_END2END_TEST(PerCallCredsTest,
                  RequestResponseWithPayloadAndInsecureCallCreds) {
  constexpr bool kUseSecureCallCreds = false;
  TestRequestResponseWithPayloadAndCallCreds(*this, kUseSecureCallCreds);
}
283
// Metadata-only test credentials set twice on a secure channel: only the
// overridden key/value may reach the server.
CORE_END2END_TEST(PerCallCredsTest,
                  RequestResponseWithPayloadAndOverriddenInsecureCallCreds) {
  constexpr bool kUseSecureCallCreds = false;
  TestRequestResponseWithPayloadAndOverriddenCallCreds(*this,
                                                       kUseSecureCallCreds);
}
288
// Metadata-only test credentials attached and then cleared on a secure
// channel: no credential metadata may reach the server.
CORE_END2END_TEST(PerCallCredsTest,
                  RequestResponseWithPayloadAndDeletedInsecureCallCreds) {
  constexpr bool kUseSecureCallCreds = false;
  TestRequestResponseWithPayloadAndDeletedCallCreds(*this,
                                                    kUseSecureCallCreds);
}
293
// Metadata-only test credentials on an insecure channel: unlike IAM
// credentials (see FailToSendCallCreds), these are allowed through and the
// fake key/value must reach the server.
CORE_END2END_TEST(PerCallCredsOnInsecureTest,
                  RequestResponseWithPayloadAndInsecureCallCreds) {
  constexpr bool kUseSecureCallCreds = false;
  TestRequestResponseWithPayloadAndCallCreds(*this, kUseSecureCallCreds);
}
298
// Metadata-only test credentials set twice on an insecure channel: only the
// overridden key/value may reach the server.
CORE_END2END_TEST(PerCallCredsOnInsecureTest,
                  RequestResponseWithPayloadAndOverriddenInsecureCallCreds) {
  constexpr bool kUseSecureCallCreds = false;
  TestRequestResponseWithPayloadAndOverriddenCallCreds(*this,
                                                       kUseSecureCallCreds);
}
303
// Metadata-only test credentials attached and then cleared on an insecure
// channel: no credential metadata may reach the server.
CORE_END2END_TEST(PerCallCredsOnInsecureTest,
                  RequestResponseWithPayloadAndDeletedInsecureCallCreds) {
  constexpr bool kUseSecureCallCreds = false;
  TestRequestResponseWithPayloadAndDeletedCallCreds(*this,
                                                    kUseSecureCallCreds);
}
308
// Google IAM call credentials on an insecure channel. The token must never
// leave the client: the call is expected to fail with UNAUTHENTICATED because
// the channel credentials do not meet the minimum security level the IAM
// credentials require. No server-side RequestCall is issued, so a passing
// run means the client refused to send rather than the server rejecting.
CORE_END2END_TEST(PerCallCredsOnInsecureTest, FailToSendCallCreds) {
  auto client = NewClientCall("/foo").Timeout(Duration::Seconds(5)).Create();
  grpc_call_credentials* const iam_creds =
      grpc_google_iam_credentials_create(iam_token, iam_selector, nullptr);
  EXPECT_NE(iam_creds, nullptr);
  client.SetCredentials(iam_creds);
  CoreEnd2endTest::IncomingMetadata server_initial_metadata;
  CoreEnd2endTest::IncomingMessage server_message;
  CoreEnd2endTest::IncomingStatusOnClient server_status;
  client.NewBatch(1)
      .SendInitialMetadata({})
      .SendMessage("hello world")
      .SendCloseFromClient()
      .RecvInitialMetadata(server_initial_metadata)
      .RecvMessage(server_message)
      .RecvStatusOnClient(server_status);
  // The batch completes, but with a failure status: the channel credentials
  // did not satisfy the minimum security level requirements.
  Expect(1, true);
  Step();
  EXPECT_EQ(server_status.status(), GRPC_STATUS_UNAUTHENTICATED);
}
331
332 } // namespace
333 } // namespace grpc_core
334