xds_end2end_test: Fix race in security tests (#29408)

* xds_end2end_test: Fix race in security tests

* Reviewer comments
pull/29424/head
Yash Tibrewal 3 years ago committed by GitHub
parent 050eb43430
commit 136055b043
  1. 382
      test/cpp/end2end/xds/xds_end2end_test.cc

@ -41,6 +41,7 @@
#include "absl/strings/str_format.h" #include "absl/strings/str_format.h"
#include "absl/strings/str_join.h" #include "absl/strings/str_join.h"
#include "absl/strings/str_replace.h" #include "absl/strings/str_replace.h"
#include "absl/synchronization/mutex.h"
#include "absl/types/optional.h" #include "absl/types/optional.h"
#include <grpc/grpc.h> #include <grpc/grpc.h>
@ -157,6 +158,22 @@ class FakeCertificateProvider final : public grpc_tls_certificate_provider {
}; };
using CertDataMap = std::map<std::string /*cert_name */, CertData>; using CertDataMap = std::map<std::string /*cert_name */, CertData>;
class CertDataMapWrapper {
public:
CertDataMap Get() {
absl::MutexLock lock(&mu_);
return cert_data_map_;
}
void Set(CertDataMap data) {
absl::MutexLock lock(&mu_);
cert_data_map_ = std::move(data);
}
private:
absl::Mutex mu_;
CertDataMap cert_data_map_ ABSL_GUARDED_BY(mu_);
};
explicit FakeCertificateProvider(CertDataMap cert_data_map) explicit FakeCertificateProvider(CertDataMap cert_data_map)
: distributor_( : distributor_(
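Review bot: CertDataMapWrapper has no comment explaining why it exists, which matters because its only purpose is the race this commit fixes; a header such as `// Serializes access to the fake cert data: the test body calls Set() while CreateCertificateProvider() calls Get(), possibly from another thread.` would stop a later cleanup from "simplifying" it back to a bare map. Related: with the TearDown() override removed in the hunk at 5607, nothing visible clears a wrapper between tests, so a test that never calls Set() would inherit the previous test's CertDataMap if the wrapper objects are shared across tests rather than recreated — I cannot see where g_fake1_cert_data_map is assigned, so this may already be handled; if not, a `Clear()` called from TearDown() (or a note that each test must Set() both maps) would make the intent explicit. The enclosing FakeCertificateProvider class starts and ends outside this hunk.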
@ -227,7 +244,8 @@ class FakeCertificateProviderFactory
}; };
FakeCertificateProviderFactory( FakeCertificateProviderFactory(
const char* name, FakeCertificateProvider::CertDataMap** cert_data_map) const char* name,
FakeCertificateProvider::CertDataMapWrapper* cert_data_map)
: name_(name), cert_data_map_(cert_data_map) { : name_(name), cert_data_map_(cert_data_map) {
GPR_ASSERT(cert_data_map != nullptr); GPR_ASSERT(cert_data_map != nullptr);
} }
@ -244,18 +262,19 @@ class FakeCertificateProviderFactory
CreateCertificateProvider( CreateCertificateProvider(
grpc_core::RefCountedPtr<grpc_core::CertificateProviderFactory::Config> grpc_core::RefCountedPtr<grpc_core::CertificateProviderFactory::Config>
/*config*/) override { /*config*/) override {
if (*cert_data_map_ == nullptr) return nullptr; GPR_ASSERT(cert_data_map_ != nullptr);
return grpc_core::MakeRefCounted<FakeCertificateProvider>(**cert_data_map_); return grpc_core::MakeRefCounted<FakeCertificateProvider>(
cert_data_map_->Get());
} }
private: private:
const char* name_; const char* name_;
FakeCertificateProvider::CertDataMap** cert_data_map_; FakeCertificateProvider::CertDataMapWrapper* cert_data_map_;
}; };
// Global variables for each provider. // Global variables for each provider.
FakeCertificateProvider::CertDataMap* g_fake1_cert_data_map = nullptr; FakeCertificateProvider::CertDataMapWrapper* g_fake1_cert_data_map = nullptr;
FakeCertificateProvider::CertDataMap* g_fake2_cert_data_map = nullptr; FakeCertificateProvider::CertDataMapWrapper* g_fake2_cert_data_map = nullptr;
// A No-op HTTP filter used for verifying parsing logic. // A No-op HTTP filter used for verifying parsing logic.
class NoOpHttpFilter : public grpc_core::XdsHttpFilterImpl { class NoOpHttpFilter : public grpc_core::XdsHttpFilterImpl {
@ -5607,12 +5626,6 @@ class XdsSecurityTest : public XdsEnd2endTest {
balancer_->ads_service()->SetEdsResource(BuildEdsResource(args)); balancer_->ads_service()->SetEdsResource(BuildEdsResource(args));
} }
void TearDown() override {
g_fake1_cert_data_map = nullptr;
g_fake2_cert_data_map = nullptr;
XdsEnd2endTest::TearDown();
}
// Sends CDS updates with the new security configuration and verifies that // Sends CDS updates with the new security configuration and verifies that
// after propagation, this new configuration is used for connections. If \a // after propagation, this new configuration is used for connections. If \a
// identity_instance_name and \a root_instance_name are both empty, // identity_instance_name and \a root_instance_name are both empty,
@ -5822,9 +5835,7 @@ TEST_P(XdsSecurityTest, UnknownRootCertificateProvider) {
} }
TEST_P(XdsSecurityTest, UnknownIdentityCertificateProvider) { TEST_P(XdsSecurityTest, UnknownIdentityCertificateProvider) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -5843,14 +5854,11 @@ TEST_P(XdsSecurityTest, UnknownIdentityCertificateProvider) {
EXPECT_THAT(response_state->error_message, EXPECT_THAT(response_state->error_message,
::testing::HasSubstr( ::testing::HasSubstr(
"Unrecognized certificate provider instance name: unknown")); "Unrecognized certificate provider instance name: unknown"));
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TEST_P(XdsSecurityTest,
NacksCertificateValidationContextWithVerifyCertificateSpki) { NacksCertificateValidationContextWithVerifyCertificateSpki) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -5874,9 +5882,7 @@ TEST_P(XdsSecurityTest,
TEST_P(XdsSecurityTest, TEST_P(XdsSecurityTest,
NacksCertificateValidationContextWithVerifyCertificateHash) { NacksCertificateValidationContextWithVerifyCertificateHash) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -5900,9 +5906,7 @@ TEST_P(XdsSecurityTest,
TEST_P(XdsSecurityTest, TEST_P(XdsSecurityTest,
NacksCertificateValidationContextWithRequireSignedCertificateTimes) { NacksCertificateValidationContextWithRequireSignedCertificateTimes) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -5926,9 +5930,7 @@ TEST_P(XdsSecurityTest,
} }
TEST_P(XdsSecurityTest, NacksCertificateValidationContextWithCrl) { TEST_P(XdsSecurityTest, NacksCertificateValidationContextWithCrl) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -5951,9 +5953,7 @@ TEST_P(XdsSecurityTest, NacksCertificateValidationContextWithCrl) {
TEST_P(XdsSecurityTest, TEST_P(XdsSecurityTest,
NacksCertificateValidationContextWithCustomValidatorConfig) { NacksCertificateValidationContextWithCustomValidatorConfig) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -5976,9 +5976,7 @@ TEST_P(XdsSecurityTest,
} }
TEST_P(XdsSecurityTest, NacksValidationContextSdsSecretConfig) { TEST_P(XdsSecurityTest, NacksValidationContextSdsSecretConfig) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -5995,9 +5993,7 @@ TEST_P(XdsSecurityTest, NacksValidationContextSdsSecretConfig) {
} }
TEST_P(XdsSecurityTest, NacksTlsParams) { TEST_P(XdsSecurityTest, NacksTlsParams) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -6016,9 +6012,7 @@ TEST_P(XdsSecurityTest, NacksTlsParams) {
} }
TEST_P(XdsSecurityTest, NacksCustomHandshaker) { TEST_P(XdsSecurityTest, NacksCustomHandshaker) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -6038,9 +6032,7 @@ TEST_P(XdsSecurityTest, NacksCustomHandshaker) {
} }
TEST_P(XdsSecurityTest, NacksTlsCertificates) { TEST_P(XdsSecurityTest, NacksTlsCertificates) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -6059,9 +6051,7 @@ TEST_P(XdsSecurityTest, NacksTlsCertificates) {
} }
TEST_P(XdsSecurityTest, NacksTlsCertificateSdsSecretConfigs) { TEST_P(XdsSecurityTest, NacksTlsCertificateSdsSecretConfigs) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -6082,9 +6072,7 @@ TEST_P(XdsSecurityTest, NacksTlsCertificateSdsSecretConfigs) {
} }
TEST_P(XdsSecurityTest, TestTlsConfigurationInCombinedValidationContext) { TEST_P(XdsSecurityTest, TestTlsConfigurationInCombinedValidationContext) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -6105,9 +6093,7 @@ TEST_P(XdsSecurityTest, TestTlsConfigurationInCombinedValidationContext) {
// TODO(yashykt): Remove this test once we stop supporting old fields // TODO(yashykt): Remove this test once we stop supporting old fields
TEST_P(XdsSecurityTest, TEST_P(XdsSecurityTest,
TestTlsConfigurationInValidationContextCertificateProviderInstance) { TestTlsConfigurationInValidationContextCertificateProviderInstance) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
auto cluster = default_cluster_; auto cluster = default_cluster_;
auto* transport_socket = cluster.mutable_transport_socket(); auto* transport_socket = cluster.mutable_transport_socket();
transport_socket->set_name("envoy.transport_sockets.tls"); transport_socket->set_name("envoy.transport_sockets.tls");
@ -6125,68 +6111,48 @@ TEST_P(XdsSecurityTest,
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithNoSanMatchers) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithNoSanMatchers) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {}, authenticated_identity_); "", {}, authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithExactSanMatcher) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithExactSanMatcher) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithPrefixSanMatcher) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithPrefixSanMatcher) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_prefix_}, "", {server_san_prefix_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithSuffixSanMatcher) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithSuffixSanMatcher) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_suffix_}, "", {server_san_suffix_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithContainsSanMatcher) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithContainsSanMatcher) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_contains_}, "", {server_san_contains_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRegexSanMatcher) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRegexSanMatcher) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_regex_}, "", {server_san_regex_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithSanMatchersUpdate) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithSanMatchersUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration( UpdateAndVerifyXdsSecurityConfiguration(
"fake_plugin1", "", "fake_plugin1", "", "fake_plugin1", "", "fake_plugin1", "",
{server_san_exact_, server_san_prefix_}, authenticated_identity_); {server_san_exact_, server_san_prefix_}, authenticated_identity_);
@ -6196,16 +6162,11 @@ TEST_P(XdsSecurityTest, TestMtlsConfigurationWithSanMatchersUpdate) {
UpdateAndVerifyXdsSecurityConfiguration( UpdateAndVerifyXdsSecurityConfiguration(
"fake_plugin1", "", "fake_plugin1", "", "fake_plugin1", "", "fake_plugin1", "",
{server_san_prefix_, server_san_regex_}, authenticated_identity_); {server_san_prefix_, server_san_regex_}, authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRootPluginUpdate) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRootPluginUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"", {bad_root_cert_, bad_identity_pair_}}});
g_fake1_cert_data_map = &fake1_cert_map;
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"", {bad_root_cert_, bad_identity_pair_}}};
g_fake2_cert_data_map = &fake2_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
@ -6215,35 +6176,23 @@ TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRootPluginUpdate) {
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
g_fake2_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithIdentityPluginUpdate) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithIdentityPluginUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"", {root_cert_, fallback_identity_pair_}}});
g_fake1_cert_data_map = &fake1_cert_map;
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"", {root_cert_, fallback_identity_pair_}}};
g_fake2_cert_data_map = &fake2_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin2", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin2",
"", {server_san_exact_}, "", {server_san_exact_},
fallback_authenticated_identity_); fallback_authenticated_identity_);
g_fake1_cert_data_map = nullptr;
g_fake2_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithBothPluginsUpdated) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithBothPluginsUpdated) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"", {bad_root_cert_, bad_identity_pair_}},
g_fake1_cert_data_map = &fake1_cert_map; {"good", {root_cert_, fallback_identity_pair_}}});
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"", {bad_root_cert_, bad_identity_pair_}},
{"good", {root_cert_, fallback_identity_pair_}}};
g_fake2_cert_data_map = &fake2_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin2", "", "fake_plugin2", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin2", "", "fake_plugin2",
"", {}, {}, true /* failure */); "", {}, {}, true /* failure */);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
@ -6252,92 +6201,70 @@ TEST_P(XdsSecurityTest, TestMtlsConfigurationWithBothPluginsUpdated) {
UpdateAndVerifyXdsSecurityConfiguration( UpdateAndVerifyXdsSecurityConfiguration(
"fake_plugin2", "good", "fake_plugin2", "good", {server_san_prefix_}, "fake_plugin2", "good", "fake_plugin2", "good", {server_san_prefix_},
fallback_authenticated_identity_); fallback_authenticated_identity_);
g_fake1_cert_data_map = nullptr;
g_fake2_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRootCertificateNameUpdate) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRootCertificateNameUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"bad", {bad_root_cert_, bad_identity_pair_}}});
{"bad", {bad_root_cert_, bad_identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_regex_}, "", {server_san_regex_},
authenticated_identity_); authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "fake_plugin1",
"", {server_san_regex_}, {}, "", {server_san_regex_}, {},
true /* failure */); true /* failure */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TEST_P(XdsSecurityTest,
TestMtlsConfigurationWithIdentityCertificateNameUpdate) { TestMtlsConfigurationWithIdentityCertificateNameUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"bad", {bad_root_cert_, bad_identity_pair_}}});
{"bad", {bad_root_cert_, bad_identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"bad", {server_san_exact_}, {}, "bad", {server_san_exact_}, {},
true /* failure */); true /* failure */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TEST_P(XdsSecurityTest,
TestMtlsConfigurationWithIdentityCertificateNameUpdateGoodCerts) { TestMtlsConfigurationWithIdentityCertificateNameUpdateGoodCerts) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"good", {root_cert_, fallback_identity_pair_}}});
{"good", {root_cert_, fallback_identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"good", {server_san_exact_}, "good", {server_san_exact_},
fallback_authenticated_identity_); fallback_authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsConfigurationWithBothCertificateNamesUpdated) { TEST_P(XdsSecurityTest, TestMtlsConfigurationWithBothCertificateNamesUpdated) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"bad", {bad_root_cert_, bad_identity_pair_}}});
{"bad", {bad_root_cert_, bad_identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "fake_plugin1",
"bad", {server_san_prefix_}, {}, "bad", {server_san_prefix_}, {},
true /* failure */); true /* failure */);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_prefix_}, "", {server_san_prefix_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestTlsConfigurationWithNoSanMatchers) { TEST_P(XdsSecurityTest, TestTlsConfigurationWithNoSanMatchers) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", {}, UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", {},
{} /* unauthenticated */); {} /* unauthenticated */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestTlsConfigurationWithSanMatchers) { TEST_P(XdsSecurityTest, TestTlsConfigurationWithSanMatchers) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration( UpdateAndVerifyXdsSecurityConfiguration(
"fake_plugin1", "", "", "", "fake_plugin1", "", "", "",
{server_san_exact_, server_san_prefix_, server_san_regex_}, {server_san_exact_, server_san_prefix_, server_san_regex_},
{} /* unauthenticated */); {} /* unauthenticated */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestTlsConfigurationWithSanMatchersUpdate) { TEST_P(XdsSecurityTest, TestTlsConfigurationWithSanMatchersUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration( UpdateAndVerifyXdsSecurityConfiguration(
"fake_plugin1", "", "", "", {server_san_exact_, server_san_prefix_}, "fake_plugin1", "", "", "", {server_san_exact_, server_san_prefix_},
{} /* unauthenticated */); {} /* unauthenticated */);
@ -6347,117 +6274,88 @@ TEST_P(XdsSecurityTest, TestTlsConfigurationWithSanMatchersUpdate) {
UpdateAndVerifyXdsSecurityConfiguration( UpdateAndVerifyXdsSecurityConfiguration(
"fake_plugin1", "", "", "", {server_san_prefix_, server_san_regex_}, "fake_plugin1", "", "", "", {server_san_prefix_, server_san_regex_},
{} /* unauthenticated */); {} /* unauthenticated */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestTlsConfigurationWithRootCertificateNameUpdate) { TEST_P(XdsSecurityTest, TestTlsConfigurationWithRootCertificateNameUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"bad", {bad_root_cert_, bad_identity_pair_}}});
{"bad", {bad_root_cert_, bad_identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
{server_san_exact_}, {server_san_exact_},
{} /* unauthenticated */); {} /* unauthenticated */);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "", "", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "", "",
{server_san_exact_}, {}, {server_san_exact_}, {},
true /* failure */); true /* failure */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestTlsConfigurationWithRootPluginUpdate) { TEST_P(XdsSecurityTest, TestTlsConfigurationWithRootPluginUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"", {bad_root_cert_, bad_identity_pair_}}});
g_fake1_cert_data_map = &fake1_cert_map;
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"", {bad_root_cert_, bad_identity_pair_}}};
g_fake2_cert_data_map = &fake2_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
{server_san_exact_}, {server_san_exact_},
{} /* unauthenticated */); {} /* unauthenticated */);
UpdateAndVerifyXdsSecurityConfiguration( UpdateAndVerifyXdsSecurityConfiguration(
"fake_plugin2", "", "", "", {server_san_exact_}, {}, true /* failure */); "fake_plugin2", "", "", "", {server_san_exact_}, {}, true /* failure */);
g_fake1_cert_data_map = nullptr;
g_fake2_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestFallbackConfiguration) { TEST_P(XdsSecurityTest, TestFallbackConfiguration) {
UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {}, UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {},
fallback_authenticated_identity_); fallback_authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsToTls) { TEST_P(XdsSecurityTest, TestMtlsToTls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
{server_san_exact_}, {server_san_exact_},
{} /* unauthenticated */); {} /* unauthenticated */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestMtlsToFallback) { TEST_P(XdsSecurityTest, TestMtlsToFallback) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {}, UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {},
fallback_authenticated_identity_); fallback_authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestTlsToMtls) { TEST_P(XdsSecurityTest, TestTlsToMtls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
{server_san_exact_}, {server_san_exact_},
{} /* unauthenticated */); {} /* unauthenticated */);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestTlsToFallback) { TEST_P(XdsSecurityTest, TestTlsToFallback) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
{server_san_exact_}, {server_san_exact_},
{} /* unauthenticated */); {} /* unauthenticated */);
UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {}, UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {},
fallback_authenticated_identity_); fallback_authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestFallbackToMtls) { TEST_P(XdsSecurityTest, TestFallbackToMtls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {}, UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {},
fallback_authenticated_identity_); fallback_authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
"", {server_san_exact_}, "", {server_san_exact_},
authenticated_identity_); authenticated_identity_);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestFallbackToTls) { TEST_P(XdsSecurityTest, TestFallbackToTls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {}, UpdateAndVerifyXdsSecurityConfiguration("", "", "", "", {},
fallback_authenticated_identity_); fallback_authenticated_identity_);
UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "", UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
{server_san_exact_}, {server_san_exact_},
{} /* unauthenticated */); {} /* unauthenticated */);
g_fake1_cert_data_map = nullptr;
} }
TEST_P(XdsSecurityTest, TestFileWatcherCertificateProvider) { TEST_P(XdsSecurityTest, TestFileWatcherCertificateProvider) {
@ -6717,11 +6615,7 @@ class XdsServerSecurityTest : public XdsEnd2endTest {
balancer_->ads_service()->SetEdsResource(BuildEdsResource(args)); balancer_->ads_service()->SetEdsResource(BuildEdsResource(args));
} }
void TearDown() override { void TearDown() override { XdsEnd2endTest::TearDown(); }
g_fake1_cert_data_map = nullptr;
g_fake2_cert_data_map = nullptr;
XdsEnd2endTest::TearDown();
}
void SetLdsUpdate(absl::string_view root_instance_name, void SetLdsUpdate(absl::string_view root_instance_name,
absl::string_view root_certificate_name, absl::string_view root_certificate_name,
@ -7054,8 +6948,7 @@ TEST_P(XdsServerSecurityTest, UnknownIdentityCertificateProvider) {
} }
TEST_P(XdsServerSecurityTest, UnknownRootCertificateProvider) { TEST_P(XdsServerSecurityTest, UnknownRootCertificateProvider) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
SetLdsUpdate("unknown", "", "fake_plugin1", "", false); SetLdsUpdate("unknown", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
const auto response_state = WaitForLdsNack(); const auto response_state = WaitForLdsNack();
@ -7067,9 +6960,7 @@ TEST_P(XdsServerSecurityTest, UnknownRootCertificateProvider) {
TEST_P(XdsServerSecurityTest, TEST_P(XdsServerSecurityTest,
TestDeprecateTlsCertificateCertificateProviderInstanceField) { TestDeprecateTlsCertificateCertificateProviderInstanceField) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
Listener listener = default_server_listener_; Listener listener = default_server_listener_;
auto* filter_chain = listener.mutable_default_filter_chain(); auto* filter_chain = listener.mutable_default_filter_chain();
filter_chain->mutable_filters()->at(0).mutable_typed_config()->PackFrom( filter_chain->mutable_filters()->at(0).mutable_typed_config()->PackFrom(
@ -7090,17 +6981,14 @@ TEST_P(XdsServerSecurityTest,
} }
TEST_P(XdsServerSecurityTest, CertificatesNotAvailable) { TEST_P(XdsServerSecurityTest, CertificatesNotAvailable) {
FakeCertificateProvider::CertDataMap fake1_cert_map; g_fake1_cert_data_map->Set({});
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
SendRpc([this]() { return CreateMtlsChannel(); }, {}, {}, SendRpc([this]() { return CreateMtlsChannel(); }, {}, {},
true /* test_expects_failure */); true /* test_expects_failure */);
} }
TEST_P(XdsServerSecurityTest, TestMtls) { TEST_P(XdsServerSecurityTest, TestMtls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7108,12 +6996,8 @@ TEST_P(XdsServerSecurityTest, TestMtls) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsWithRootPluginUpdate) { TEST_P(XdsServerSecurityTest, TestMtlsWithRootPluginUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"", {bad_root_cert_, bad_identity_pair_}}});
g_fake1_cert_data_map = &fake1_cert_map;
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"", {bad_root_cert_, bad_identity_pair_}}};
g_fake2_cert_data_map = &fake2_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7124,12 +7008,8 @@ TEST_P(XdsServerSecurityTest, TestMtlsWithRootPluginUpdate) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsWithIdentityPluginUpdate) { TEST_P(XdsServerSecurityTest, TestMtlsWithIdentityPluginUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"", {root_cert_, identity_pair_2_}}});
g_fake1_cert_data_map = &fake1_cert_map;
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"", {root_cert_, identity_pair_2_}}};
g_fake2_cert_data_map = &fake2_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7140,13 +7020,9 @@ TEST_P(XdsServerSecurityTest, TestMtlsWithIdentityPluginUpdate) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsWithBothPluginsUpdated) { TEST_P(XdsServerSecurityTest, TestMtlsWithBothPluginsUpdated) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"good", {root_cert_, identity_pair_2_}},
g_fake1_cert_data_map = &fake1_cert_map; {"", {bad_root_cert_, bad_identity_pair_}}});
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"good", {root_cert_, identity_pair_2_}},
{"", {bad_root_cert_, bad_identity_pair_}}};
g_fake2_cert_data_map = &fake2_cert_map;
SetLdsUpdate("fake_plugin2", "", "fake_plugin2", "", true); SetLdsUpdate("fake_plugin2", "", "fake_plugin2", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, {}, {}, SendRpc([this]() { return CreateMtlsChannel(); }, {}, {},
@ -7160,10 +7036,8 @@ TEST_P(XdsServerSecurityTest, TestMtlsWithBothPluginsUpdated) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsWithRootCertificateNameUpdate) { TEST_P(XdsServerSecurityTest, TestMtlsWithRootCertificateNameUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"bad", {bad_root_cert_, bad_identity_pair_}}});
{"bad", {bad_root_cert_, bad_identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7174,10 +7048,8 @@ TEST_P(XdsServerSecurityTest, TestMtlsWithRootCertificateNameUpdate) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsWithIdentityCertificateNameUpdate) { TEST_P(XdsServerSecurityTest, TestMtlsWithIdentityCertificateNameUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"good", {root_cert_, identity_pair_2_}}});
{"good", {root_cert_, identity_pair_2_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7188,10 +7060,8 @@ TEST_P(XdsServerSecurityTest, TestMtlsWithIdentityCertificateNameUpdate) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsWithBothCertificateNamesUpdated) { TEST_P(XdsServerSecurityTest, TestMtlsWithBothCertificateNamesUpdated) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"good", {root_cert_, identity_pair_2_}}});
{"good", {root_cert_, identity_pair_2_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7202,9 +7072,7 @@ TEST_P(XdsServerSecurityTest, TestMtlsWithBothCertificateNamesUpdated) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsNotRequiringButProvidingClientCerts) { TEST_P(XdsServerSecurityTest, TestMtlsNotRequiringButProvidingClientCerts) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", false); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7212,9 +7080,7 @@ TEST_P(XdsServerSecurityTest, TestMtlsNotRequiringButProvidingClientCerts) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsNotRequiringAndNotProvidingClientCerts) { TEST_P(XdsServerSecurityTest, TestMtlsNotRequiringAndNotProvidingClientCerts) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", false); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateTlsChannel(); }, SendRpc([this]() { return CreateTlsChannel(); },
@ -7222,9 +7088,7 @@ TEST_P(XdsServerSecurityTest, TestMtlsNotRequiringAndNotProvidingClientCerts) {
} }
TEST_P(XdsServerSecurityTest, TestTls) { TEST_P(XdsServerSecurityTest, TestTls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("", "", "fake_plugin1", "", false); SetLdsUpdate("", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateTlsChannel(); }, SendRpc([this]() { return CreateTlsChannel(); },
@ -7232,12 +7096,8 @@ TEST_P(XdsServerSecurityTest, TestTls) {
} }
TEST_P(XdsServerSecurityTest, TestTlsWithIdentityPluginUpdate) { TEST_P(XdsServerSecurityTest, TestTlsWithIdentityPluginUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}}; g_fake2_cert_data_map->Set({{"", {root_cert_, identity_pair_2_}}});
g_fake1_cert_data_map = &fake1_cert_map;
FakeCertificateProvider::CertDataMap fake2_cert_map = {
{"", {root_cert_, identity_pair_2_}}};
g_fake2_cert_data_map = &fake2_cert_map;
SetLdsUpdate("", "", "fake_plugin1", "", false); SetLdsUpdate("", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateTlsChannel(); }, SendRpc([this]() { return CreateTlsChannel(); },
@ -7248,10 +7108,8 @@ TEST_P(XdsServerSecurityTest, TestTlsWithIdentityPluginUpdate) {
} }
TEST_P(XdsServerSecurityTest, TestTlsWithIdentityCertificateNameUpdate) { TEST_P(XdsServerSecurityTest, TestTlsWithIdentityCertificateNameUpdate) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}},
{"", {root_cert_, identity_pair_}}, {"good", {root_cert_, identity_pair_2_}}});
{"good", {root_cert_, identity_pair_2_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("", "", "fake_plugin1", "", false); SetLdsUpdate("", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateTlsChannel(); }, SendRpc([this]() { return CreateTlsChannel(); },
@ -7262,18 +7120,14 @@ TEST_P(XdsServerSecurityTest, TestTlsWithIdentityCertificateNameUpdate) {
} }
TEST_P(XdsServerSecurityTest, TestFallback) { TEST_P(XdsServerSecurityTest, TestFallback) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("", "", "", "", false); SetLdsUpdate("", "", "", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); SendRpc([this]() { return CreateInsecureChannel(); }, {}, {});
} }
TEST_P(XdsServerSecurityTest, TestMtlsToTls) { TEST_P(XdsServerSecurityTest, TestMtlsToTls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", true);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateTlsChannel(); }, {}, {}, SendRpc([this]() { return CreateTlsChannel(); }, {}, {},
@ -7284,9 +7138,7 @@ TEST_P(XdsServerSecurityTest, TestMtlsToTls) {
} }
TEST_P(XdsServerSecurityTest, TestTlsToMtls) { TEST_P(XdsServerSecurityTest, TestTlsToMtls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("", "", "fake_plugin1", "", false); SetLdsUpdate("", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateTlsChannel(); }, SendRpc([this]() { return CreateTlsChannel(); },
@ -7297,9 +7149,7 @@ TEST_P(XdsServerSecurityTest, TestTlsToMtls) {
} }
TEST_P(XdsServerSecurityTest, TestMtlsToFallback) { TEST_P(XdsServerSecurityTest, TestMtlsToFallback) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", false); SetLdsUpdate("fake_plugin1", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateMtlsChannel(); }, SendRpc([this]() { return CreateMtlsChannel(); },
@ -7309,9 +7159,7 @@ TEST_P(XdsServerSecurityTest, TestMtlsToFallback) {
} }
TEST_P(XdsServerSecurityTest, TestFallbackToMtls) { TEST_P(XdsServerSecurityTest, TestFallbackToMtls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("", "", "", "", false); SetLdsUpdate("", "", "", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); SendRpc([this]() { return CreateInsecureChannel(); }, {}, {});
@ -7321,9 +7169,7 @@ TEST_P(XdsServerSecurityTest, TestFallbackToMtls) {
} }
TEST_P(XdsServerSecurityTest, TestTlsToFallback) { TEST_P(XdsServerSecurityTest, TestTlsToFallback) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("", "", "fake_plugin1", "", false); SetLdsUpdate("", "", "fake_plugin1", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateTlsChannel(); }, SendRpc([this]() { return CreateTlsChannel(); },
@ -7333,9 +7179,7 @@ TEST_P(XdsServerSecurityTest, TestTlsToFallback) {
} }
TEST_P(XdsServerSecurityTest, TestFallbackToTls) { TEST_P(XdsServerSecurityTest, TestFallbackToTls) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
SetLdsUpdate("", "", "", "", false); SetLdsUpdate("", "", "", "", false);
backends_[0]->Start(); backends_[0]->Start();
SendRpc([this]() { return CreateInsecureChannel(); }, {}, {}); SendRpc([this]() { return CreateInsecureChannel(); }, {}, {});
@ -7515,9 +7359,7 @@ TEST_P(XdsEnabledServerStatusNotificationTest,
ExistingRpcsFailOnResourceUpdateAfterDrainGraceTimeExpires) { ExistingRpcsFailOnResourceUpdateAfterDrainGraceTimeExpires) {
constexpr int kDrainGraceTimeMs = 100; constexpr int kDrainGraceTimeMs = 100;
xds_drain_grace_time_ms_ = kDrainGraceTimeMs; xds_drain_grace_time_ms_ = kDrainGraceTimeMs;
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
// Send a valid LDS update to get the server to start listening // Send a valid LDS update to get the server to start listening
SetValidLdsUpdate(); SetValidLdsUpdate();
backends_[0]->Start(); backends_[0]->Start();
@ -9088,9 +8930,7 @@ TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionRemoteIpPrincipal) {
} }
TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionAuthenticatedPrincipal) { TEST_P(XdsRbacTestWithActionPermutations, AnyPermissionAuthenticatedPrincipal) {
FakeCertificateProvider::CertDataMap fake1_cert_map = { g_fake1_cert_data_map->Set({{"", {root_cert_, identity_pair_}}});
{"", {root_cert_, identity_pair_}}};
g_fake1_cert_data_map = &fake1_cert_map;
Listener listener = default_server_listener_; Listener listener = default_server_listener_;
auto* filter_chain = listener.mutable_default_filter_chain(); auto* filter_chain = listener.mutable_default_filter_chain();
auto* transport_socket = filter_chain->mutable_transport_socket(); auto* transport_socket = filter_chain->mutable_transport_socket();
@ -10520,12 +10360,16 @@ int main(int argc, char** argv) {
// Workaround Apple CFStream bug // Workaround Apple CFStream bug
gpr_setenv("grpc_cfstream", "0"); gpr_setenv("grpc_cfstream", "0");
#endif #endif
grpc::testing::FakeCertificateProvider::CertDataMapWrapper cert_data_map_1;
grpc::testing::g_fake1_cert_data_map = &cert_data_map_1;
grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory( grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory(
absl::make_unique<grpc::testing::FakeCertificateProviderFactory>( absl::make_unique<grpc::testing::FakeCertificateProviderFactory>(
"fake1", &grpc::testing::g_fake1_cert_data_map)); "fake1", grpc::testing::g_fake1_cert_data_map));
grpc::testing::FakeCertificateProvider::CertDataMapWrapper cert_data_map_2;
grpc::testing::g_fake2_cert_data_map = &cert_data_map_2;
grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory( grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory(
absl::make_unique<grpc::testing::FakeCertificateProviderFactory>( absl::make_unique<grpc::testing::FakeCertificateProviderFactory>(
"fake2", &grpc::testing::g_fake2_cert_data_map)); "fake2", grpc::testing::g_fake2_cert_data_map));
grpc_init(); grpc_init();
grpc::testing::ConnectionAttemptInjector::Init(); grpc::testing::ConnectionAttemptInjector::Init();
grpc_core::XdsHttpFilterRegistry::RegisterFilter( grpc_core::XdsHttpFilterRegistry::RegisterFilter(
