mirror of https://github.com/grpc/grpc.git
Merge pull request #24127 from yashykt/meshcaconfig
Add parsing logic for GoogleMeshCaConfigpull/24173/head
Yash Tibrewal
4 years ago
committed by
GitHub
commit
3ee45eceef
24 changed files with 1124 additions and 36 deletions
@ -0,0 +1,377 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h" |
||||
|
||||
#include <sstream> |
||||
#include <type_traits> |
||||
|
||||
#include "absl/strings/str_cat.h" |
||||
|
||||
#include <grpc/support/string_util.h> |
||||
|
||||
#include "src/core/lib/gpr/string.h" |
||||
#include "src/core/lib/iomgr/error.h" |
||||
#include "src/core/lib/json/json_util.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
namespace { |
||||
|
||||
const char* kMeshCaPlugin = "meshCA"; |
||||
|
||||
//
|
||||
// Helper functions for extracting types from JSON
|
||||
//
|
||||
template <typename NumericType, typename ErrorVectorType> |
||||
bool ExtractJsonType(const Json& json, const std::string& field_name, |
||||
NumericType* output, ErrorVectorType* error_list) { |
||||
static_assert(std::is_integral<NumericType>::value, "Integral required"); |
||||
if (json.type() != Json::Type::NUMBER) { |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, " error:type should be NUMBER") |
||||
.c_str())); |
||||
return false; |
||||
} |
||||
std::istringstream ss(json.string_value()); |
||||
ss >> *output; |
||||
// The JSON parsing API should have dealt with parsing errors, but check
|
||||
// anyway
|
||||
if (GPR_UNLIKELY(ss.bad())) { |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, " error:failed to parse.").c_str())); |
||||
return false; |
||||
} |
||||
return true; |
||||
} |
||||
|
||||
template <typename ErrorVectorType> |
||||
bool ExtractJsonType(const Json& json, const std::string& field_name, |
||||
bool* output, ErrorVectorType* error_list) { |
||||
switch (json.type()) { |
||||
case Json::Type::JSON_TRUE: |
||||
*output = true; |
||||
return true; |
||||
case Json::Type::JSON_FALSE: |
||||
*output = false; |
||||
return true; |
||||
default: |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, " error:type should be BOOLEAN") |
||||
.c_str())); |
||||
return false; |
||||
} |
||||
} |
||||
|
||||
template <typename ErrorVectorType> |
||||
bool ExtractJsonType(const Json& json, const std::string& field_name, |
||||
std::string* output, ErrorVectorType* error_list) { |
||||
if (json.type() != Json::Type::STRING) { |
||||
*output = ""; |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, " error:type should be STRING") |
||||
.c_str())); |
||||
return false; |
||||
} |
||||
*output = json.string_value(); |
||||
return true; |
||||
} |
||||
|
||||
template <typename ErrorVectorType> |
||||
bool ExtractJsonType(const Json& json, const std::string& field_name, |
||||
const Json::Array** output, ErrorVectorType* error_list) { |
||||
if (json.type() != Json::Type::ARRAY) { |
||||
*output = nullptr; |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, " error:type should be ARRAY") |
||||
.c_str())); |
||||
return false; |
||||
} |
||||
*output = &json.array_value(); |
||||
return true; |
||||
} |
||||
|
||||
template <typename ErrorVectorType> |
||||
bool ExtractJsonType(const Json& json, const std::string& field_name, |
||||
const Json::Object** output, ErrorVectorType* error_list) { |
||||
if (json.type() != Json::Type::OBJECT) { |
||||
*output = nullptr; |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, " error:type should be OBJECT") |
||||
.c_str())); |
||||
return false; |
||||
} |
||||
*output = &json.object_value(); |
||||
return true; |
||||
} |
||||
|
||||
template <typename ErrorVectorType> |
||||
bool ExtractJsonType(const Json& json, const std::string& field_name, |
||||
grpc_millis* output, ErrorVectorType* error_list) { |
||||
if (!ParseDurationFromJson(json, output)) { |
||||
*output = GRPC_MILLIS_INF_PAST; |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, |
||||
" error:type should be STRING of the form given by " |
||||
"google.proto.Duration.") |
||||
.c_str())); |
||||
return false; |
||||
} |
||||
return true; |
||||
} |
||||
|
||||
template <typename T, typename ErrorVectorType> |
||||
bool ParseJsonObjectField(const Json::Object& object, |
||||
const std::string& field_name, T* output, |
||||
ErrorVectorType* error_list, bool optional = false) { |
||||
auto it = object.find(field_name); |
||||
if (it == object.end()) { |
||||
if (!optional) { |
||||
error_list->push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING( |
||||
absl::StrCat("field:", field_name, " error:does not exist.") |
||||
.c_str())); |
||||
} |
||||
return false; |
||||
} |
||||
auto& child_object_json = it->second; |
||||
return ExtractJsonType(child_object_json, field_name, output, error_list); |
||||
} |
||||
|
||||
} // namespace
|
||||
|
||||
//
|
||||
// GoogleMeshCaCertificateProviderFactory::Config
|
||||
//
|
||||
|
||||
const char* GoogleMeshCaCertificateProviderFactory::Config::name() const { |
||||
return kMeshCaPlugin; |
||||
} |
||||
|
||||
std::vector<grpc_error*> |
||||
GoogleMeshCaCertificateProviderFactory::Config::ParseJsonObjectStsService( |
||||
const Json::Object& sts_service) { |
||||
std::vector<grpc_error*> error_list_sts_service; |
||||
if (!ParseJsonObjectField(sts_service, "token_exchange_service_uri", |
||||
&sts_config_.token_exchange_service_uri, |
||||
&error_list_sts_service, true)) { |
||||
sts_config_.token_exchange_service_uri = |
||||
"securetoken.googleapis.com"; // default
|
||||
} |
||||
ParseJsonObjectField(sts_service, "resource", &sts_config_.resource, |
||||
&error_list_sts_service, true); |
||||
ParseJsonObjectField(sts_service, "audience", &sts_config_.audience, |
||||
&error_list_sts_service, true); |
||||
if (!ParseJsonObjectField(sts_service, "scope", &sts_config_.scope, |
||||
&error_list_sts_service, true)) { |
||||
sts_config_.scope = |
||||
"https://www.googleapis.com/auth/cloud-platform"; // default
|
||||
} |
||||
ParseJsonObjectField(sts_service, "requested_token_type", |
||||
&sts_config_.requested_token_type, |
||||
&error_list_sts_service, true); |
||||
ParseJsonObjectField(sts_service, "subject_token_path", |
||||
&sts_config_.subject_token_path, |
||||
&error_list_sts_service); |
||||
ParseJsonObjectField(sts_service, "subject_token_type", |
||||
&sts_config_.subject_token_type, |
||||
&error_list_sts_service); |
||||
ParseJsonObjectField(sts_service, "actor_token_path", |
||||
&sts_config_.actor_token_path, &error_list_sts_service, |
||||
true); |
||||
ParseJsonObjectField(sts_service, "actor_token_type", |
||||
&sts_config_.actor_token_type, &error_list_sts_service, |
||||
true); |
||||
return error_list_sts_service; |
||||
} |
||||
|
||||
std::vector<grpc_error*> |
||||
GoogleMeshCaCertificateProviderFactory::Config::ParseJsonObjectCallCredentials( |
||||
const Json::Object& call_credentials) { |
||||
std::vector<grpc_error*> error_list_call_credentials; |
||||
const Json::Object* sts_service = nullptr; |
||||
if (ParseJsonObjectField(call_credentials, "sts_service", &sts_service, |
||||
&error_list_call_credentials)) { |
||||
std::vector<grpc_error*> error_list_sts_service = |
||||
ParseJsonObjectStsService(*sts_service); |
||||
if (!error_list_sts_service.empty()) { |
||||
error_list_call_credentials.push_back(GRPC_ERROR_CREATE_FROM_VECTOR( |
||||
"field:sts_service", &error_list_sts_service)); |
||||
} |
||||
} |
||||
return error_list_call_credentials; |
||||
} |
||||
|
||||
std::vector<grpc_error*> |
||||
GoogleMeshCaCertificateProviderFactory::Config::ParseJsonObjectGoogleGrpc( |
||||
const Json::Object& google_grpc) { |
||||
std::vector<grpc_error*> error_list_google_grpc; |
||||
if (!ParseJsonObjectField(google_grpc, "target_uri", &endpoint_, |
||||
&error_list_google_grpc, true)) { |
||||
endpoint_ = "meshca.googleapis.com"; // Default target
|
||||
} |
||||
const Json::Array* call_credentials_array = nullptr; |
||||
if (ParseJsonObjectField(google_grpc, "call_credentials", |
||||
&call_credentials_array, &error_list_google_grpc)) { |
||||
if (call_credentials_array->size() != 1) { |
||||
error_list_google_grpc.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING( |
||||
"field:call_credentials error:Need exactly one entry.")); |
||||
} else { |
||||
const Json::Object* call_credentials = nullptr; |
||||
if (ExtractJsonType((*call_credentials_array)[0], "call_credentials[0]", |
||||
&call_credentials, &error_list_google_grpc)) { |
||||
std::vector<grpc_error*> error_list_call_credentials = |
||||
ParseJsonObjectCallCredentials(*call_credentials); |
||||
if (!error_list_call_credentials.empty()) { |
||||
error_list_google_grpc.push_back(GRPC_ERROR_CREATE_FROM_VECTOR( |
||||
"field:call_credentials", &error_list_call_credentials)); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
|
||||
return error_list_google_grpc; |
||||
} |
||||
|
||||
std::vector<grpc_error*> |
||||
GoogleMeshCaCertificateProviderFactory::Config::ParseJsonObjectGrpcServices( |
||||
const Json::Object& grpc_service) { |
||||
std::vector<grpc_error*> error_list_grpc_services; |
||||
const Json::Object* google_grpc = nullptr; |
||||
if (ParseJsonObjectField(grpc_service, "google_grpc", &google_grpc, |
||||
&error_list_grpc_services)) { |
||||
std::vector<grpc_error*> error_list_google_grpc = |
||||
ParseJsonObjectGoogleGrpc(*google_grpc); |
||||
if (!error_list_google_grpc.empty()) { |
||||
error_list_grpc_services.push_back(GRPC_ERROR_CREATE_FROM_VECTOR( |
||||
"field:google_grpc", &error_list_google_grpc)); |
||||
} |
||||
} |
||||
if (!ParseJsonObjectField(grpc_service, "timeout", &timeout_, |
||||
&error_list_grpc_services, true)) { |
||||
timeout_ = 10 * 1000; // 10sec default
|
||||
} |
||||
return error_list_grpc_services; |
||||
} |
||||
|
||||
std::vector<grpc_error*> |
||||
GoogleMeshCaCertificateProviderFactory::Config::ParseJsonObjectServer( |
||||
const Json::Object& server) { |
||||
std::vector<grpc_error*> error_list_server; |
||||
std::string api_type; |
||||
if (ParseJsonObjectField(server, "api_type", &api_type, &error_list_server, |
||||
true)) { |
||||
if (api_type != "GRPC") { |
||||
error_list_server.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING( |
||||
"field:api_type error:Only GRPC is supported")); |
||||
} |
||||
} |
||||
const Json::Array* grpc_services = nullptr; |
||||
if (ParseJsonObjectField(server, "grpc_services", &grpc_services, |
||||
&error_list_server)) { |
||||
if (grpc_services->size() != 1) { |
||||
error_list_server.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING( |
||||
"field:grpc_services error:Need exactly one entry")); |
||||
} else { |
||||
const Json::Object* grpc_service = nullptr; |
||||
if (ExtractJsonType((*grpc_services)[0], "grpc_services[0]", |
||||
&grpc_service, &error_list_server)) { |
||||
std::vector<grpc_error*> error_list_grpc_services = |
||||
ParseJsonObjectGrpcServices(*grpc_service); |
||||
if (!error_list_grpc_services.empty()) { |
||||
error_list_server.push_back(GRPC_ERROR_CREATE_FROM_VECTOR( |
||||
"field:grpc_services", &error_list_grpc_services)); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
return error_list_server; |
||||
} |
||||
|
||||
std::unique_ptr<GoogleMeshCaCertificateProviderFactory::Config> |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(const Json& config_json, |
||||
grpc_error** error) { |
||||
auto config = |
||||
absl::make_unique<GoogleMeshCaCertificateProviderFactory::Config>(); |
||||
if (config_json.type() != Json::Type::OBJECT) { |
||||
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING( |
||||
"error:config type should be OBJECT."); |
||||
return nullptr; |
||||
} |
||||
std::vector<grpc_error*> error_list; |
||||
const Json::Object* server = nullptr; |
||||
if (ParseJsonObjectField(config_json.object_value(), "server", &server, |
||||
&error_list)) { |
||||
std::vector<grpc_error*> error_list_server = |
||||
config->ParseJsonObjectServer(*server); |
||||
if (!error_list_server.empty()) { |
||||
error_list.push_back( |
||||
GRPC_ERROR_CREATE_FROM_VECTOR("field:server", &error_list_server)); |
||||
} |
||||
} |
||||
if (!ParseJsonObjectField(config_json.object_value(), "certificate_lifetime", |
||||
&config->certificate_lifetime_, &error_list, |
||||
true)) { |
||||
config->certificate_lifetime_ = 24 * 60 * 60 * 1000; // 24hrs default
|
||||
} |
||||
if (!ParseJsonObjectField(config_json.object_value(), "renewal_grace_period", |
||||
&config->renewal_grace_period_, &error_list, |
||||
true)) { |
||||
config->renewal_grace_period_ = 12 * 60 * 60 * 1000; // 12hrs default
|
||||
} |
||||
std::string key_type; |
||||
if (ParseJsonObjectField(config_json.object_value(), "key_type", &key_type, |
||||
&error_list, true)) { |
||||
if (key_type != "RSA") { |
||||
error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING( |
||||
"field:key_type error:Only RSA is supported.")); |
||||
} |
||||
} |
||||
if (!ParseJsonObjectField(config_json.object_value(), "key_size", |
||||
&config->key_size_, &error_list, true)) { |
||||
config->key_size_ = 2048; // default 2048 bit key size
|
||||
} |
||||
if (!ParseJsonObjectField(config_json.object_value(), "location", |
||||
&config->location_, &error_list, true)) { |
||||
// GCE/GKE Metadata server needs to be contacted to get the value.
|
||||
} |
||||
if (!error_list.empty()) { |
||||
*error = GRPC_ERROR_CREATE_FROM_VECTOR( |
||||
"Error parsing google Mesh CA config", &error_list); |
||||
return nullptr; |
||||
} |
||||
return config; |
||||
} |
||||
|
||||
//
|
||||
// GoogleMeshCaCertificateProviderFactory
|
||||
//
|
||||
|
||||
const char* GoogleMeshCaCertificateProviderFactory::name() const { |
||||
return kMeshCaPlugin; |
||||
} |
||||
|
||||
std::unique_ptr<CertificateProviderFactory::Config> |
||||
GoogleMeshCaCertificateProviderFactory::CreateCertificateProviderConfig( |
||||
const Json& config_json, grpc_error** error) { |
||||
return GoogleMeshCaCertificateProviderFactory::Config::Parse(config_json, |
||||
error); |
||||
} |
||||
|
||||
} // namespace grpc_core
|
||||
@ -0,0 +1,102 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPC_CORE_EXT_XDS_GOOGLE_MESH_CA_CERTIFICATE_PROVIDER_FACTORY_H |
||||
#define GRPC_CORE_EXT_XDS_GOOGLE_MESH_CA_CERTIFICATE_PROVIDER_FACTORY_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "src/core/ext/xds/certificate_provider_factory.h" |
||||
#include "src/core/lib/backoff/backoff.h" |
||||
#include "src/core/lib/gprpp/ref_counted.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
class GoogleMeshCaCertificateProviderFactory |
||||
: public CertificateProviderFactory { |
||||
public: |
||||
class Config : public CertificateProviderFactory::Config { |
||||
public: |
||||
struct StsConfig { |
||||
std::string token_exchange_service_uri; |
||||
std::string resource; |
||||
std::string audience; |
||||
std::string scope; |
||||
std::string requested_token_type; |
||||
std::string subject_token_path; |
||||
std::string subject_token_type; |
||||
std::string actor_token_path; |
||||
std::string actor_token_type; |
||||
}; |
||||
|
||||
const char* name() const override; |
||||
|
||||
const std::string& endpoint() const { return endpoint_; } |
||||
|
||||
const StsConfig& sts_config() const { return sts_config_; } |
||||
|
||||
grpc_millis timeout() const { return timeout_; } |
||||
|
||||
grpc_millis certificate_lifetime() const { return certificate_lifetime_; } |
||||
|
||||
grpc_millis renewal_grace_period() const { return renewal_grace_period_; } |
||||
|
||||
uint32_t key_size() const { return key_size_; } |
||||
|
||||
const std::string& location() const { return location_; } |
||||
|
||||
static std::unique_ptr<Config> Parse(const Json& config_json, |
||||
grpc_error** error); |
||||
|
||||
private: |
||||
// Helpers for parsing the config
|
||||
std::vector<grpc_error*> ParseJsonObjectStsService( |
||||
const Json::Object& sts_service); |
||||
std::vector<grpc_error*> ParseJsonObjectCallCredentials( |
||||
const Json::Object& call_credentials); |
||||
std::vector<grpc_error*> ParseJsonObjectGoogleGrpc( |
||||
const Json::Object& google_grpc); |
||||
std::vector<grpc_error*> ParseJsonObjectGrpcServices( |
||||
const Json::Object& grpc_service); |
||||
std::vector<grpc_error*> ParseJsonObjectServer(const Json::Object& server); |
||||
|
||||
std::string endpoint_; |
||||
StsConfig sts_config_; |
||||
grpc_millis timeout_; |
||||
grpc_millis certificate_lifetime_; |
||||
grpc_millis renewal_grace_period_; |
||||
uint32_t key_size_; |
||||
std::string location_; |
||||
}; |
||||
|
||||
const char* name() const override; |
||||
|
||||
std::unique_ptr<CertificateProviderFactory::Config> |
||||
CreateCertificateProviderConfig(const Json& config_json, |
||||
grpc_error** error) override; |
||||
|
||||
RefCountedPtr<grpc_tls_certificate_provider> CreateCertificateProvider( |
||||
std::unique_ptr<CertificateProviderFactory::Config> config) override { |
||||
// TODO(yashykt) : To be implemented
|
||||
return nullptr; |
||||
} |
||||
}; |
||||
|
||||
} // namespace grpc_core
|
||||
|
||||
#endif // GRPC_CORE_EXT_XDS_GOOGLE_MESH_CA_CERTIFICATE_PROVIDER_FACTORY_H
|
||||
@ -0,0 +1,58 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "src/core/lib/json/json_util.h" |
||||
|
||||
#include <grpc/support/string_util.h> |
||||
|
||||
#include "src/core/lib/gpr/string.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
bool ParseDurationFromJson(const Json& field, grpc_millis* duration) { |
||||
if (field.type() != Json::Type::STRING) return false; |
||||
size_t len = field.string_value().size(); |
||||
if (field.string_value()[len - 1] != 's') return false; |
||||
grpc_core::UniquePtr<char> buf(gpr_strdup(field.string_value().c_str())); |
||||
*(buf.get() + len - 1) = '\0'; // Remove trailing 's'.
|
||||
char* decimal_point = strchr(buf.get(), '.'); |
||||
int nanos = 0; |
||||
if (decimal_point != nullptr) { |
||||
*decimal_point = '\0'; |
||||
nanos = gpr_parse_nonnegative_int(decimal_point + 1); |
||||
if (nanos == -1) { |
||||
return false; |
||||
} |
||||
int num_digits = static_cast<int>(strlen(decimal_point + 1)); |
||||
if (num_digits > 9) { // We don't accept greater precision than nanos.
|
||||
return false; |
||||
} |
||||
for (int i = 0; i < (9 - num_digits); ++i) { |
||||
nanos *= 10; |
||||
} |
||||
} |
||||
int seconds = |
||||
decimal_point == buf.get() ? 0 : gpr_parse_nonnegative_int(buf.get()); |
||||
if (seconds == -1) return false; |
||||
*duration = seconds * GPR_MS_PER_SEC + nanos / GPR_NS_PER_MS; |
||||
return true; |
||||
} |
||||
|
||||
} // namespace grpc_core
|
||||
@ -0,0 +1,37 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPC_CORE_LIB_JSON_JSON_UTIL_H |
||||
#define GRPC_CORE_LIB_JSON_JSON_UTIL_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "src/core/lib/iomgr/exec_ctx.h" |
||||
#include "src/core/lib/json/json.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
// Parses a JSON field of the form generated for a google.proto.Duration
|
||||
// proto message, as per:
|
||||
// https://developers.google.com/protocol-buffers/docs/proto3#json
|
||||
// Returns true on success, false otherwise.
|
||||
bool ParseDurationFromJson(const Json& field, grpc_millis* duration); |
||||
|
||||
} // namespace grpc_core
|
||||
|
||||
#endif // GRPC_CORE_LIB_JSON_JSON_UTIL_H
|
||||
@ -0,0 +1,31 @@ |
||||
# Copyright 2020 gRPC authors. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); |
||||
# you may not use this file except in compliance with the License. |
||||
# You may obtain a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, |
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
# See the License for the specific language governing permissions and |
||||
# limitations under the License. |
||||
|
||||
load("//bazel:grpc_build_system.bzl", "grpc_cc_test", "grpc_package") |
||||
|
||||
grpc_package(name = "test/core/client_channel") |
||||
|
||||
licenses(["notice"]) |
||||
|
||||
grpc_cc_test( |
||||
name = "google_mesh_ca_certificate_provider_factory_test", |
||||
srcs = ["google_mesh_ca_certificate_provider_factory_test.cc"], |
||||
external_deps = ["gtest"], |
||||
language = "C++", |
||||
deps = [ |
||||
"//:gpr", |
||||
"//:grpc", |
||||
"//test/core/util:grpc_test_util", |
||||
], |
||||
) |
||||
@ -0,0 +1,367 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#include <gmock/gmock.h> |
||||
#include <gtest/gtest.h> |
||||
|
||||
#include <grpc/grpc.h> |
||||
|
||||
#include "src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h" |
||||
#include "test/core/util/test_config.h" |
||||
|
||||
namespace grpc_core { |
||||
namespace testing { |
||||
namespace { |
||||
|
||||
TEST(GoogleMeshCaConfigTest, Basic) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": \"GRPC\"," |
||||
" \"grpc_services\": [{" |
||||
" \"google_grpc\": {" |
||||
" \"target_uri\": \"newmeshca.googleapis.com\"," |
||||
" \"channel_credentials\": { \"google_default\": {}}," |
||||
" \"call_credentials\": [{" |
||||
" \"sts_service\": {" |
||||
" \"token_exchange_service_uri\": " |
||||
"\"newsecuretoken.googleapis.com\"," |
||||
" \"resource\": \"newmeshca.googleapis.com\"," |
||||
" \"audience\": \"newmeshca.googleapis.com\"," |
||||
" \"scope\": " |
||||
"\"https://www.newgoogleapis.com/auth/cloud-platform\"," |
||||
" \"requested_token_type\": " |
||||
"\"urn:ietf:params:oauth:token-type:jwt\"," |
||||
" \"subject_token_path\": \"/etc/secret/sajwt.token\"," |
||||
" \"subject_token_type\": " |
||||
"\"urn:ietf:params:oauth:token-type:jwt\"," |
||||
" \"actor_token_path\": \"/etc/secret/sajwt.token\"," |
||||
" \"actor_token_type\": " |
||||
"\"urn:ietf:params:oauth:token-type:jwt\"" |
||||
" }" |
||||
" }]" |
||||
" }," |
||||
" \"timeout\": \"20s\"" |
||||
" }]" |
||||
" }," |
||||
" \"certificate_lifetime\": \"400s\"," |
||||
" \"renewal_grace_period\": \"100s\"," |
||||
" \"key_type\": \"RSA\"," |
||||
" \"key_size\": 1024," |
||||
" \"location\": " |
||||
"\"https://container.googleapis.com/v1/project/test-project1/locations/" |
||||
"test-zone2/clusters/test-cluster3\"" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
EXPECT_EQ(config->endpoint(), "newmeshca.googleapis.com"); |
||||
EXPECT_EQ(config->sts_config().token_exchange_service_uri, |
||||
"newsecuretoken.googleapis.com"); |
||||
EXPECT_EQ(config->sts_config().resource, "newmeshca.googleapis.com"); |
||||
EXPECT_EQ(config->sts_config().audience, "newmeshca.googleapis.com"); |
||||
EXPECT_EQ(config->sts_config().scope, |
||||
"https://www.newgoogleapis.com/auth/cloud-platform"); |
||||
EXPECT_EQ(config->sts_config().requested_token_type, |
||||
"urn:ietf:params:oauth:token-type:jwt"); |
||||
EXPECT_EQ(config->sts_config().subject_token_path, "/etc/secret/sajwt.token"); |
||||
EXPECT_EQ(config->sts_config().subject_token_type, |
||||
"urn:ietf:params:oauth:token-type:jwt"); |
||||
EXPECT_EQ(config->sts_config().actor_token_path, "/etc/secret/sajwt.token"); |
||||
EXPECT_EQ(config->sts_config().actor_token_type, |
||||
"urn:ietf:params:oauth:token-type:jwt"); |
||||
EXPECT_EQ(config->timeout(), 20 * 1000); |
||||
EXPECT_EQ(config->certificate_lifetime(), 400 * 1000); |
||||
EXPECT_EQ(config->renewal_grace_period(), 100 * 1000); |
||||
EXPECT_EQ(config->key_size(), 1024); |
||||
EXPECT_EQ(config->location(), |
||||
"https://container.googleapis.com/v1/project/test-project1/" |
||||
"locations/test-zone2/clusters/test-cluster3"); |
||||
} |
||||
|
||||
TEST(GoogleMeshCaConfigTest, Defaults) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": \"GRPC\"," |
||||
" \"grpc_services\": [{" |
||||
" \"google_grpc\": {" |
||||
" \"call_credentials\": [{" |
||||
" \"sts_service\": {" |
||||
" \"scope\": " |
||||
"\"https://www.googleapis.com/auth/cloud-platform\"," |
||||
" \"subject_token_path\": \"/etc/secret/sajwt.token\"," |
||||
" \"subject_token_type\": " |
||||
"\"urn:ietf:params:oauth:token-type:jwt\"" |
||||
" }" |
||||
" }]" |
||||
" }" |
||||
" }]" |
||||
" }," |
||||
" \"location\": " |
||||
"\"https://container.googleapis.com/v1/project/test-project1/locations/" |
||||
"test-zone2/clusters/test-cluster3\"" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
EXPECT_EQ(config->endpoint(), "meshca.googleapis.com"); |
||||
EXPECT_EQ(config->sts_config().token_exchange_service_uri, |
||||
"securetoken.googleapis.com"); |
||||
EXPECT_EQ(config->sts_config().resource, ""); |
||||
EXPECT_EQ(config->sts_config().audience, ""); |
||||
EXPECT_EQ(config->sts_config().scope, |
||||
"https://www.googleapis.com/auth/cloud-platform"); |
||||
EXPECT_EQ(config->sts_config().requested_token_type, ""); |
||||
EXPECT_EQ(config->sts_config().subject_token_path, "/etc/secret/sajwt.token"); |
||||
EXPECT_EQ(config->sts_config().subject_token_type, |
||||
"urn:ietf:params:oauth:token-type:jwt"); |
||||
EXPECT_EQ(config->sts_config().actor_token_path, ""); |
||||
EXPECT_EQ(config->sts_config().actor_token_type, ""); |
||||
EXPECT_EQ(config->timeout(), 10 * 1000); |
||||
EXPECT_EQ(config->certificate_lifetime(), 24 * 60 * 60 * 1000); |
||||
EXPECT_EQ(config->renewal_grace_period(), 12 * 60 * 60 * 1000); |
||||
EXPECT_EQ(config->key_size(), 2048); |
||||
EXPECT_EQ(config->location(), |
||||
"https://container.googleapis.com/v1/project/test-project1/" |
||||
"locations/test-zone2/clusters/test-cluster3"); |
||||
} |
||||
|
||||
TEST(GoogleMeshCaConfigTest, WrongExpectedValues) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": \"REST\"," |
||||
" \"grpc_services\": [{" |
||||
" \"google_grpc\": {" |
||||
" \"call_credentials\": [{" |
||||
" \"sts_service\": {" |
||||
" \"scope\": " |
||||
"\"https://www.googleapis.com/auth/cloud-platform\"," |
||||
" \"subject_token_path\": \"/etc/secret/sajwt.token\"," |
||||
" \"subject_token_type\": " |
||||
"\"urn:ietf:params:oauth:token-type:jwt\"" |
||||
" }" |
||||
" }]" |
||||
" }" |
||||
" }]" |
||||
" }," |
||||
" \"key_type\": \"DSA\"," |
||||
" \"location\": " |
||||
"\"https://container.googleapis.com/v1/project/test-project1/locations/" |
||||
"test-zone2/clusters/test-cluster3\"" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
EXPECT_THAT( |
||||
grpc_error_string(error), |
||||
::testing::ContainsRegex("field:api_type error:Only GRPC is supported.*" |
||||
"field:key_type error:Only RSA is supported")); |
||||
GRPC_ERROR_UNREF(error); |
||||
} |
||||
|
||||
TEST(GoogleMeshCaConfigTest, WrongTypes) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": 123," |
||||
" \"grpc_services\": [{" |
||||
" \"google_grpc\": {" |
||||
" \"target_uri\": 123," |
||||
" \"call_credentials\": [{" |
||||
" \"sts_service\": {" |
||||
" \"token_exchange_service_uri\": 123," |
||||
" \"resource\": 123," |
||||
" \"audience\": 123," |
||||
" \"scope\": 123," |
||||
" \"requested_token_type\": 123," |
||||
" \"subject_token_path\": 123," |
||||
" \"subject_token_type\": 123," |
||||
" \"actor_token_path\": 123," |
||||
" \"actor_token_type\": 123" |
||||
" }" |
||||
" }]" |
||||
" }," |
||||
" \"timeout\": 20" |
||||
" }]" |
||||
" }," |
||||
" \"certificate_lifetime\": 400," |
||||
" \"renewal_grace_period\": 100," |
||||
" \"key_type\": 123," |
||||
" \"key_size\": \"1024\"," |
||||
" \"location\": 123" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
EXPECT_THAT( |
||||
grpc_error_string(error), |
||||
::testing::ContainsRegex( |
||||
"field:server.*field:api_type error:type should be STRING.*" |
||||
"field:grpc_services.*field:google_grpc.*field:target_uri " |
||||
"error:type should be STRING.*" |
||||
"field:call_credentials.*field:sts_service.*field:token_exchange_" |
||||
"service_uri error:type should be STRING.*" |
||||
"field:resource error:type should be STRING.*" |
||||
"field:audience error:type should be STRING.*" |
||||
"field:scope error:type should be STRING.*" |
||||
"field:requested_token_type error:type should be STRING.*" |
||||
"field:subject_token_path error:type should be STRING.*" |
||||
"field:subject_token_type error:type should be STRING.*" |
||||
"field:actor_token_path error:type should be STRING.*" |
||||
"field:actor_token_type error:type should be STRING.*" |
||||
"field:timeout error:type should be STRING of the form given by " |
||||
"google.proto.Duration.*" |
||||
"field:certificate_lifetime error:type should be STRING of the form " |
||||
"given by google.proto.Duration.*" |
||||
"field:renewal_grace_period error:type should be STRING of the form " |
||||
"given by google.proto.Duration..*" |
||||
"field:key_type error:type should be STRING.*" |
||||
"field:key_size error:type should be NUMBER.*" |
||||
"field:location error:type should be STRING")); |
||||
GRPC_ERROR_UNREF(error); |
||||
} |
||||
|
||||
TEST(GoogleMeshCaConfigTest, GrpcServicesNotAnArray) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": \"GRPC\"," |
||||
" \"grpc_services\": 123" |
||||
" }," |
||||
" \"location\": " |
||||
"\"https://container.googleapis.com/v1/project/test-project1/locations/" |
||||
"test-zone2/clusters/test-cluster3\"" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
EXPECT_THAT( |
||||
grpc_error_string(error), |
||||
::testing::ContainsRegex( |
||||
"field:server.*field:grpc_services error:type should be ARRAY")); |
||||
GRPC_ERROR_UNREF(error); |
||||
} |
||||
|
||||
TEST(GoogleMeshCaConfigTest, GoogleGrpcNotAnObject) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": \"GRPC\"," |
||||
" \"grpc_services\": [{" |
||||
" \"google_grpc\": 123" |
||||
" }]" |
||||
" }," |
||||
" \"location\": " |
||||
"\"https://container.googleapis.com/v1/project/test-project1/locations/" |
||||
"test-zone2/clusters/test-cluster3\"" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
EXPECT_THAT( |
||||
grpc_error_string(error), |
||||
::testing::ContainsRegex("field:server.*field:grpc_services.*field:" |
||||
"google_grpc error:type should be OBJECT")); |
||||
GRPC_ERROR_UNREF(error); |
||||
} |
||||
|
||||
TEST(GoogleMeshCaConfigTest, CallCredentialsNotAnArray) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": \"GRPC\"," |
||||
" \"grpc_services\": [{" |
||||
" \"google_grpc\": {" |
||||
" \"call_credentials\": 123" |
||||
" }" |
||||
" }]" |
||||
" }," |
||||
" \"location\": " |
||||
"\"https://container.googleapis.com/v1/project/test-project1/locations/" |
||||
"test-zone2/clusters/test-cluster3\"" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
EXPECT_THAT(grpc_error_string(error), |
||||
::testing::ContainsRegex( |
||||
"field:server.*field:grpc_services.*field:google_grpc.*" |
||||
"field:call_credentials error:type should be ARRAY")); |
||||
GRPC_ERROR_UNREF(error); |
||||
} |
||||
|
||||
TEST(GoogleMeshCaConfigTest, StsServiceNotAnObject) { |
||||
const char* json_str = |
||||
"{" |
||||
" \"server\": {" |
||||
" \"api_type\": \"GRPC\"," |
||||
" \"grpc_services\": [{" |
||||
" \"google_grpc\": {" |
||||
" \"call_credentials\": [{" |
||||
" \"sts_service\": 123" |
||||
" }]" |
||||
" }" |
||||
" }]" |
||||
" }," |
||||
" \"location\": " |
||||
"\"https://container.googleapis.com/v1/project/test-project1/locations/" |
||||
"test-zone2/clusters/test-cluster3\"" |
||||
"}"; |
||||
grpc_error* error = GRPC_ERROR_NONE; |
||||
Json json = Json::Parse(json_str, &error); |
||||
ASSERT_EQ(error, GRPC_ERROR_NONE) << grpc_error_string(error); |
||||
auto config = |
||||
GoogleMeshCaCertificateProviderFactory::Config::Parse(json, &error); |
||||
EXPECT_THAT( |
||||
grpc_error_string(error), |
||||
::testing::ContainsRegex( |
||||
"field:server.*field:grpc_services.*field:google_grpc.*field:" |
||||
"call_credentials.*field:sts_service error:type should be OBJECT")); |
||||
GRPC_ERROR_UNREF(error); |
||||
} |
||||
|
||||
} // namespace
|
||||
} // namespace testing
|
||||
} // namespace grpc_core
|
||||
|
||||
int main(int argc, char** argv) { |
||||
::testing::InitGoogleTest(&argc, argv); |
||||
grpc::testing::TestEnvironment env(argc, argv); |
||||
grpc_init(); |
||||
auto result = RUN_ALL_TESTS(); |
||||
grpc_shutdown(); |
||||
return result; |
||||
} |
||||
Loading…
Reference in new issue