xref: /aosp_15_r20/external/grpc-grpc/test/cpp/common/alts_util_test.cc (revision cc02d7e222339f7a4f6ba5f422e6413f4bd931f2) 
1 //
2 //
3 // Copyright 2019 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #include <gtest/gtest.h>
20 
21 #include "upb/mem/arena.hpp"
22 
23 #include <grpcpp/security/alts_context.h>
24 #include <grpcpp/security/alts_util.h>
25 #include <grpcpp/security/auth_context.h>
26 
27 #include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
28 #include "src/cpp/common/secure_auth_context.h"
29 #include "src/proto/grpc/gcp/altscontext.upb.h"
30 #include "test/core/util/test_config.h"
31 #include "test/cpp/util/string_ref_helper.h"
32 
33 namespace grpc {
34 namespace {
35 
TEST(AltsUtilTest,NullAuthContext)36 TEST(AltsUtilTest, NullAuthContext) {
37   std::unique_ptr<experimental::AltsContext> alts_context =
38       experimental::GetAltsContextFromAuthContext(nullptr);
39   EXPECT_EQ(alts_context, nullptr);
40 }
41 
TEST(AltsUtilTest,EmptyAuthContext)42 TEST(AltsUtilTest, EmptyAuthContext) {
43   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
44       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
45   const std::shared_ptr<AuthContext> auth_context(
46       new SecureAuthContext(ctx.get()));
47   std::unique_ptr<experimental::AltsContext> alts_context =
48       experimental::GetAltsContextFromAuthContext(auth_context);
49   EXPECT_EQ(alts_context, nullptr);
50 }
51 
TEST(AltsUtilTest,AuthContextWithMoreThanOneAltsContext)52 TEST(AltsUtilTest, AuthContextWithMoreThanOneAltsContext) {
53   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
54       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
55   const std::shared_ptr<AuthContext> auth_context(
56       new SecureAuthContext(ctx.get()));
57   ctx.reset();
58   auth_context->AddProperty(TSI_ALTS_CONTEXT, "context1");
59   auth_context->AddProperty(TSI_ALTS_CONTEXT, "context2");
60   std::unique_ptr<experimental::AltsContext> alts_context =
61       experimental::GetAltsContextFromAuthContext(auth_context);
62   EXPECT_EQ(alts_context, nullptr);
63 }
64 
TEST(AltsUtilTest,AuthContextWithBadAltsContext)65 TEST(AltsUtilTest, AuthContextWithBadAltsContext) {
66   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
67       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
68   const std::shared_ptr<AuthContext> auth_context(
69       new SecureAuthContext(ctx.get()));
70   ctx.reset();
71   auth_context->AddProperty(TSI_ALTS_CONTEXT,
72                             "bad context string serialization");
73   std::unique_ptr<experimental::AltsContext> alts_context =
74       experimental::GetAltsContextFromAuthContext(auth_context);
75   EXPECT_EQ(alts_context, nullptr);
76 }
77 
TEST(AltsUtilTest,AuthContextWithGoodAltsContextWithoutRpcVersions)78 TEST(AltsUtilTest, AuthContextWithGoodAltsContextWithoutRpcVersions) {
79   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
80       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
81   const std::shared_ptr<AuthContext> auth_context(
82       new SecureAuthContext(ctx.get()));
83   ctx.reset();
84   std::string expected_ap("application protocol");
85   std::string expected_rp("record protocol");
86   std::string expected_peer("peer");
87   std::string expected_local("local");
88   std::string expected_peer_atrributes_key("peer");
89   std::string expected_peer_atrributes_value("attributes");
90   grpc_security_level expected_sl = GRPC_INTEGRITY_ONLY;
91   upb::Arena context_arena;
92   grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr());
93   grpc_gcp_AltsContext_set_application_protocol(
94       context,
95       upb_StringView_FromDataAndSize(expected_ap.data(), expected_ap.length()));
96   grpc_gcp_AltsContext_set_record_protocol(
97       context,
98       upb_StringView_FromDataAndSize(expected_rp.data(), expected_rp.length()));
99   grpc_gcp_AltsContext_set_security_level(context, expected_sl);
100   grpc_gcp_AltsContext_set_peer_service_account(
101       context, upb_StringView_FromDataAndSize(expected_peer.data(),
102                                               expected_peer.length()));
103   grpc_gcp_AltsContext_set_local_service_account(
104       context, upb_StringView_FromDataAndSize(expected_local.data(),
105                                               expected_local.length()));
106   grpc_gcp_AltsContext_peer_attributes_set(
107       context,
108       upb_StringView_FromDataAndSize(expected_peer_atrributes_key.data(),
109                                      expected_peer_atrributes_key.length()),
110       upb_StringView_FromDataAndSize(expected_peer_atrributes_value.data(),
111                                      expected_peer_atrributes_value.length()),
112       context_arena.ptr());
113   size_t serialized_ctx_length;
114   char* serialized_ctx = grpc_gcp_AltsContext_serialize(
115       context, context_arena.ptr(), &serialized_ctx_length);
116   EXPECT_NE(serialized_ctx, nullptr);
117   auth_context->AddProperty(TSI_ALTS_CONTEXT,
118                             string(serialized_ctx, serialized_ctx_length));
119   std::unique_ptr<experimental::AltsContext> alts_context =
120       experimental::GetAltsContextFromAuthContext(auth_context);
121   EXPECT_NE(alts_context, nullptr);
122   EXPECT_EQ(expected_ap, alts_context->application_protocol());
123   EXPECT_EQ(expected_rp, alts_context->record_protocol());
124   EXPECT_EQ(expected_peer, alts_context->peer_service_account());
125   EXPECT_EQ(expected_local, alts_context->local_service_account());
126   EXPECT_EQ(expected_sl, alts_context->security_level());
127   // all rpc versions should be 0 if not set
128   experimental::AltsContext::RpcProtocolVersions rpc_protocol_versions =
129       alts_context->peer_rpc_versions();
130   EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.major_version);
131   EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.minor_version);
132   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.major_version);
133   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.minor_version);
134   EXPECT_EQ(expected_peer_atrributes_value,
135             alts_context->peer_attributes().at(expected_peer_atrributes_key));
136 }
137 
TEST(AltsUtilTest,AuthContextWithGoodAltsContext)138 TEST(AltsUtilTest, AuthContextWithGoodAltsContext) {
139   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
140       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
141   const std::shared_ptr<AuthContext> auth_context(
142       new SecureAuthContext(ctx.get()));
143   ctx.reset();
144   upb::Arena context_arena;
145   grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr());
146   upb::Arena versions_arena;
147   grpc_gcp_RpcProtocolVersions* versions =
148       grpc_gcp_RpcProtocolVersions_new(versions_arena.ptr());
149   upb::Arena max_major_version_arena;
150   grpc_gcp_RpcProtocolVersions_Version* version =
151       grpc_gcp_RpcProtocolVersions_Version_new(max_major_version_arena.ptr());
152   grpc_gcp_RpcProtocolVersions_Version_set_major(version, 10);
153   grpc_gcp_RpcProtocolVersions_set_max_rpc_version(versions, version);
154   grpc_gcp_AltsContext_set_peer_rpc_versions(context, versions);
155   size_t serialized_ctx_length;
156   char* serialized_ctx = grpc_gcp_AltsContext_serialize(
157       context, context_arena.ptr(), &serialized_ctx_length);
158   EXPECT_NE(serialized_ctx, nullptr);
159   auth_context->AddProperty(TSI_ALTS_CONTEXT,
160                             string(serialized_ctx, serialized_ctx_length));
161   std::unique_ptr<experimental::AltsContext> alts_context =
162       experimental::GetAltsContextFromAuthContext(auth_context);
163   EXPECT_NE(alts_context, nullptr);
164   EXPECT_EQ("", alts_context->application_protocol());
165   EXPECT_EQ("", alts_context->record_protocol());
166   EXPECT_EQ("", alts_context->peer_service_account());
167   EXPECT_EQ("", alts_context->local_service_account());
168   EXPECT_EQ(GRPC_SECURITY_NONE, alts_context->security_level());
169   experimental::AltsContext::RpcProtocolVersions rpc_protocol_versions =
170       alts_context->peer_rpc_versions();
171   EXPECT_EQ(10, rpc_protocol_versions.max_rpc_version.major_version);
172   EXPECT_EQ(0, rpc_protocol_versions.max_rpc_version.minor_version);
173   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.major_version);
174   EXPECT_EQ(0, rpc_protocol_versions.min_rpc_version.minor_version);
175 }
176 
TEST(AltsUtilTest,AltsClientAuthzCheck)177 TEST(AltsUtilTest, AltsClientAuthzCheck) {
178   // AltsClientAuthzCheck function should return a permission denied error on
179   // the bad_auth_context, whose internal ALTS context does not exist
180   const std::shared_ptr<AuthContext> bad_auth_context(
181       new SecureAuthContext(nullptr));
182   std::vector<std::string> service_accounts{"client"};
183   grpc::Status status =
184       experimental::AltsClientAuthzCheck(bad_auth_context, service_accounts);
185   EXPECT_EQ(grpc::StatusCode::PERMISSION_DENIED, status.error_code());
186   // AltsClientAuthzCheck function should function normally when the peer name
187   // in ALTS context is listed in service_accounts
188   grpc_core::RefCountedPtr<grpc_auth_context> ctx =
189       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
190   const std::shared_ptr<AuthContext> auth_context(
191       new SecureAuthContext(ctx.get()));
192   ctx.reset();
193   std::string peer("good_client");
194   std::vector<std::string> good_service_accounts{"good_client",
195                                                  "good_client_1"};
196   std::vector<std::string> bad_service_accounts{"bad_client", "bad_client_1"};
197   upb::Arena context_arena;
198   grpc_gcp_AltsContext* context = grpc_gcp_AltsContext_new(context_arena.ptr());
199   grpc_gcp_AltsContext_set_peer_service_account(
200       context, upb_StringView_FromDataAndSize(peer.data(), peer.length()));
201   size_t serialized_ctx_length;
202   char* serialized_ctx = grpc_gcp_AltsContext_serialize(
203       context, context_arena.ptr(), &serialized_ctx_length);
204   EXPECT_NE(serialized_ctx, nullptr);
205   auth_context->AddProperty(TSI_ALTS_CONTEXT,
206                             string(serialized_ctx, serialized_ctx_length));
207   grpc::Status good_status =
208       experimental::AltsClientAuthzCheck(auth_context, good_service_accounts);
209   EXPECT_TRUE(good_status.ok());
210   grpc::Status bad_status =
211       experimental::AltsClientAuthzCheck(auth_context, bad_service_accounts);
212   EXPECT_EQ(grpc::StatusCode::PERMISSION_DENIED, bad_status.error_code());
213 }
214 
215 }  // namespace
216 }  // namespace grpc
217 
main(int argc,char ** argv)218 int main(int argc, char** argv) {
219   grpc::testing::TestEnvironment env(&argc, argv);
220   ::testing::InitGoogleTest(&argc, argv);
221   return RUN_ALL_TESTS();
222 }
223