diff --git a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
index 7cc3fa69b4a..43cb68800aa 100644
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc
@@ -117,6 +117,8 @@ gpr_timespec TimeoutSecondsToDeadline(int64_t seconds) {
 } // namespace
+static constexpr int64_t kMinimumFileWatcherRefreshIntervalSeconds = 1;
+
 FileWatcherCertificateProvider::FileWatcherCertificateProvider(
 std::string private_key_path, std::string identity_certificate_path,
 std::string root_cert_path, int64_t refresh_interval_sec)
@@ -125,6 +127,12 @@ FileWatcherCertificateProvider::FileWatcherCertificateProvider(
 root_cert_path_(std::move(root_cert_path)),
 refresh_interval_sec_(refresh_interval_sec),
 distributor_(MakeRefCounted()) {
+ if (refresh_interval_sec_ < kMinimumFileWatcherRefreshIntervalSeconds) {
+ gpr_log(GPR_INFO,
+ "FileWatcherCertificateProvider refresh_interval_sec_ set to value "
+ "less than minimum. Overriding configured value to minimum.");
+ refresh_interval_sec_ = kMinimumFileWatcherRefreshIntervalSeconds;
+ }
 // Private key and identity cert files must be both set or both unset.
 GPR_ASSERT(private_key_path_.empty() == identity_certificate_path_.empty());
 // Must be watching either root or identity certs.
@@ -381,6 +389,11 @@ FileWatcherCertificateProvider::ReadIdentityKeyCertPairFromFiles(
 return absl::nullopt;
 }
+int64_t FileWatcherCertificateProvider::TestOnlyGetRefreshIntervalSecond()
+ const {
+ return refresh_interval_sec_;
+}
+
 absl::StatusOr PrivateKeyAndCertificateMatch(
 absl::string_view private_key, absl::string_view cert_chain) {
 if (private_key.empty()) {
diff --git a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
index b9fe1069b42..22ccf7ebd74 100644
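Review bot: The override log in the constructor hunk (`@@ -125,6 +127,12 @@`) drops the two numbers an operator needs to diagnose a misconfiguration: the value that was configured and the minimum it was raised to. Since `refresh_interval_sec_` still holds the configured value at that point, the message can carry both, e.g. `gpr_log(GPR_INFO, "FileWatcherCertificateProvider refresh_interval_sec_ %" PRId64 " is below the minimum %" PRId64 "; overriding to the minimum.", refresh_interval_sec_, kMinimumFileWatcherRefreshIntervalSeconds);` (this needs `<cinttypes>` if the file does not already include it — the include block is outside the hunk). A one-line comment above the `if` stating why a floor exists would also help, since the rationale is not visible here; presumably a zero or negative interval would otherwise yield an immediate deadline from `TimeoutSecondsToDeadline` and drive the refresh loop continuously, but that should be confirmed against the refresh thread code, which is outside this hunk. The constructor body continues past the end of the hunk.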
--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
+++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h
@@ -151,6 +151,8 @@ class FileWatcherCertificateProvider final
 UniqueTypeName type() const override;
+ int64_t TestOnlyGetRefreshIntervalSecond() const;
+
 private:
 struct WatcherInfo {
 bool root_being_watched = false;
diff --git a/test/core/security/grpc_tls_certificate_provider_test.cc b/test/core/security/grpc_tls_certificate_provider_test.cc
index e0a95d5c097..e33742f0123 100644
--- a/test/core/security/grpc_tls_certificate_provider_test.cc
+++ b/test/core/security/grpc_tls_certificate_provider_test.cc
@@ -488,6 +488,13 @@ TEST_F(GrpcTlsCertificateProviderTest,
 CancelWatch(watcher_state_1);
 }
+TEST_F(GrpcTlsCertificateProviderTest,
+ FileWatcherCertificateProviderTooShortRefreshIntervalIsOverwritten) {
+ FileWatcherCertificateProvider provider(SERVER_KEY_PATH, SERVER_CERT_PATH,
+ CA_CERT_PATH, 0);
+ ASSERT_THAT(provider.TestOnlyGetRefreshIntervalSecond(), 1);
+}
+
 TEST_F(GrpcTlsCertificateProviderTest, FailedKeyCertMatchOnEmptyPrivateKey) {
 absl::StatusOr status =
 PrivateKeyAndCertificateMatch(/*private_key=*/"", cert_chain_);
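Review bot: The new public declaration `int64_t TestOnlyGetRefreshIntervalSecond() const;` in the header hunk carries no comment, so a reader of the class interface cannot tell that it is not meant for production callers or that it reports the value after the minimum has been applied. A short comment above it would settle both, e.g. `// Test-only accessor: returns the refresh interval actually in effect (the configured value, raised to the minimum if it was lower).` The class declaration starts and ends outside the hunk.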
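Review bot: The new test in the `@@ -488,6 +488,13 @@` hunk pins only the zero case and uses `ASSERT_THAT(provider.TestOnlyGetRefreshIntervalSecond(), 1)`, which relies on gmock treating the bare `1` as an implicit equality matcher; `ASSERT_EQ(provider.TestOnlyGetRefreshIntervalSecond(), 1);` is the conventional form and prints both operands on failure. The clamp in the constructor is a `<` comparison on an `int64_t`, so a negative interval is also overridden and a value exactly at the minimum is kept; neither path is exercised. Two more constructions would cover them, `FileWatcherCertificateProvider negative(SERVER_KEY_PATH, SERVER_CERT_PATH, CA_CERT_PATH, -1); ASSERT_EQ(negative.TestOnlyGetRefreshIntervalSecond(), 1);` and the same with `1` asserting it is unchanged.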