commit
ef13dcb411
67 changed files with 3267 additions and 277 deletions
@ -0,0 +1,58 @@ |
||||
# Copyright 2017 gRPC authors. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); |
||||
# you may not use this file except in compliance with the License. |
||||
# You may obtain a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, |
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
# See the License for the specific language governing permissions and |
||||
# limitations under the License. |
||||
|
||||
find_package(re2 QUIET CONFIG) |
||||
if(re2_FOUND) |
||||
message(STATUS "Found RE2 via CMake.") |
||||
return() |
||||
endif() |
||||
|
||||
find_package(PkgConfig REQUIRED) |
||||
# TODO(junyer): Use the IMPORTED_TARGET option whenever CMake 3.6 (or newer) |
||||
# becomes the minimum required: that will take care of the add_library() and |
||||
# set_property() calls; then we can simply alias PkgConfig::RE2 as re2::re2. |
||||
# For now, we can only set INTERFACE_* properties that existed in CMake 3.5. |
||||
pkg_check_modules(RE2 QUIET re2) |
||||
if(RE2_FOUND) |
||||
set(re2_FOUND "${RE2_FOUND}") |
||||
add_library(re2::re2 INTERFACE IMPORTED) |
||||
if(RE2_INCLUDE_DIRS) |
||||
set_property(TARGET re2::re2 PROPERTY |
||||
INTERFACE_INCLUDE_DIRECTORIES "${RE2_INCLUDE_DIRS}") |
||||
endif() |
||||
if(RE2_CFLAGS_OTHER) |
||||
# Filter out the -std flag, which is handled by CMAKE_CXX_STANDARD. |
||||
# TODO(junyer): Use the FILTER option whenever CMake 3.6 (or newer) |
||||
# becomes the minimum required: that will allow this to be concise. |
||||
foreach(flag IN LISTS RE2_CFLAGS_OTHER) |
||||
if("${flag}" MATCHES "^-std=") |
||||
list(REMOVE_ITEM RE2_CFLAGS_OTHER "${flag}") |
||||
endif() |
||||
endforeach() |
||||
set_property(TARGET re2::re2 PROPERTY |
||||
INTERFACE_COMPILE_OPTIONS "${RE2_CFLAGS_OTHER}") |
||||
endif() |
||||
if(RE2_LDFLAGS) |
||||
set_property(TARGET re2::re2 PROPERTY |
||||
INTERFACE_LINK_LIBRARIES "${RE2_LDFLAGS}") |
||||
endif() |
||||
message(STATUS "Found RE2 via pkg-config.") |
||||
return() |
||||
endif() |
||||
|
||||
if(re2_FIND_REQUIRED) |
||||
message(FATAL_ERROR "Failed to find RE2.") |
||||
elseif(NOT re2_FIND_QUIETLY) |
||||
message(WARNING "Failed to find RE2.") |
||||
endif() |
@ -0,0 +1,59 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_FACTORY_H |
||||
#define GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_FACTORY_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "src/core/lib/iomgr/error.h" |
||||
#include "src/core/lib/json/json.h" |
||||
#include "src/core/lib/security/certificate_provider.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
// Factories for plugins. Each plugin implementation should create its own
|
||||
// factory implementation and register an instance with the registry.
|
||||
class CertificateProviderFactory { |
||||
public: |
||||
// Interface for configs for CertificateProviders.
|
||||
class Config { |
||||
public: |
||||
virtual ~Config() = default; |
||||
|
||||
// Name of the type of the CertificateProvider. Unique to each type of
|
||||
// config.
|
||||
virtual const char* name() const = 0; |
||||
}; |
||||
|
||||
virtual ~CertificateProviderFactory() = default; |
||||
|
||||
// Name of the plugin.
|
||||
virtual const char* name() const = 0; |
||||
|
||||
virtual std::unique_ptr<Config> CreateCertificateProviderConfig( |
||||
const Json& config_json, grpc_error** error) = 0; |
||||
|
||||
// Create a CertificateProvider instance from config.
|
||||
virtual RefCountedPtr<grpc_tls_certificate_provider> |
||||
CreateCertificateProvider(std::unique_ptr<Config> config) = 0; |
||||
}; |
||||
|
||||
} // namespace grpc_core
|
||||
|
||||
#endif // GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_FACTORY_H
|
@ -0,0 +1,103 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "absl/container/inlined_vector.h" |
||||
|
||||
#include "src/core/ext/xds/certificate_provider_registry.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
namespace { |
||||
|
||||
class RegistryState { |
||||
public: |
||||
void RegisterCertificateProviderFactory( |
||||
std::unique_ptr<CertificateProviderFactory> factory) { |
||||
gpr_log(GPR_DEBUG, "registering certificate provider factory for \"%s\"", |
||||
factory->name()); |
||||
for (size_t i = 0; i < factories_.size(); ++i) { |
||||
GPR_ASSERT(strcmp(factories_[i]->name(), factory->name()) != 0); |
||||
} |
||||
factories_.push_back(std::move(factory)); |
||||
} |
||||
|
||||
CertificateProviderFactory* LookupCertificateProviderFactory( |
||||
absl::string_view name) const { |
||||
for (size_t i = 0; i < factories_.size(); ++i) { |
||||
if (name == factories_[i]->name()) { |
||||
return factories_[i].get(); |
||||
} |
||||
} |
||||
return nullptr; |
||||
} |
||||
|
||||
private: |
||||
// We currently support 3 factories without doing additional
|
||||
// allocation. This number could be raised if there is a case where
|
||||
// more factories are needed and the additional allocations are
|
||||
// hurting performance (which is unlikely, since these allocations
|
||||
// only occur at gRPC initialization time).
|
||||
absl::InlinedVector<std::unique_ptr<CertificateProviderFactory>, 3> |
||||
factories_; |
||||
}; |
||||
|
||||
static RegistryState* g_state = nullptr; |
||||
|
||||
} // namespace
|
||||
|
||||
//
|
||||
// CertificateProviderRegistry
|
||||
//
|
||||
|
||||
CertificateProviderFactory* |
||||
CertificateProviderRegistry::LookupCertificateProviderFactory( |
||||
absl::string_view name) { |
||||
GPR_ASSERT(g_state != nullptr); |
||||
return g_state->LookupCertificateProviderFactory(name); |
||||
} |
||||
|
||||
void CertificateProviderRegistry::InitRegistry() { |
||||
if (g_state == nullptr) g_state = new RegistryState(); |
||||
} |
||||
|
||||
void CertificateProviderRegistry::ShutdownRegistry() { |
||||
delete g_state; |
||||
g_state = nullptr; |
||||
} |
||||
|
||||
void CertificateProviderRegistry::RegisterCertificateProviderFactory( |
||||
std::unique_ptr<CertificateProviderFactory> factory) { |
||||
InitRegistry(); |
||||
g_state->RegisterCertificateProviderFactory(std::move(factory)); |
||||
} |
||||
|
||||
} // namespace grpc_core
|
||||
|
||||
//
|
||||
// Plugin registration
|
||||
//
|
||||
|
||||
void grpc_certificate_provider_registry_init() { |
||||
grpc_core::CertificateProviderRegistry::InitRegistry(); |
||||
} |
||||
|
||||
void grpc_certificate_provider_registry_shutdown() { |
||||
grpc_core::CertificateProviderRegistry::ShutdownRegistry(); |
||||
} |
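Review bot: The two loops in `RegistryState` index `factories_` by hand where a range-for reads more clearly, e.g. `for (const auto& f : factories_) GPR_ASSERT(strcmp(f->name(), factory->name()) != 0);` for the duplicate check and the same shape for the lookup. `static RegistryState* g_state` already sits inside an anonymous namespace, so the `static` is redundant. The file calls `strcmp` and `gpr_log` but includes only port_platform.h, inlined_vector.h and the registry header, so it relies on those names arriving transitively; `#include <string.h>` and `#include <grpc/support/log.h>` would make the dependency explicit. The duplicate check and the name comparison both assume `name()` never returns null, which the factory interface does not state; worth a one-line comment on the interface or a `GPR_ASSERT(factory->name() != nullptr)` before the loop.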
@ -0,0 +1,57 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_REGISTRY_H |
||||
#define GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_REGISTRY_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include <string> |
||||
|
||||
#include "src/core/ext/xds/certificate_provider_factory.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
// Global registry for all the certificate provider plugins.
|
||||
class CertificateProviderRegistry { |
||||
public: |
||||
// Returns the factory for the plugin keyed by name.
|
||||
static CertificateProviderFactory* LookupCertificateProviderFactory( |
||||
absl::string_view name); |
||||
|
||||
// The following methods are used to create and populate the
|
||||
// CertificateProviderRegistry. NOT THREAD SAFE -- to be used only during
|
||||
// global gRPC initialization and shutdown.
|
||||
|
||||
// Global initialization of the registry.
|
||||
static void InitRegistry(); |
||||
|
||||
// Global shutdown of the registry.
|
||||
static void ShutdownRegistry(); |
||||
|
||||
// Register a provider with the registry. Can only be called after calling
|
||||
// InitRegistry(). The key of the factory is extracted from factory
|
||||
// parameter with method CertificateProviderFactory::name. If the same key
|
||||
// is registered twice, an exception is raised.
|
||||
static void RegisterCertificateProviderFactory( |
||||
std::unique_ptr<CertificateProviderFactory> factory); |
||||
}; |
||||
|
||||
} // namespace grpc_core
|
||||
|
||||
#endif // GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_REGISTRY_H
|
@ -0,0 +1,50 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#ifndef GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_STORE_H |
||||
#define GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_STORE_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include <map> |
||||
|
||||
#include "src/core/lib/gprpp/ref_counted_ptr.h" |
||||
#include "src/core/lib/gprpp/sync.h" |
||||
#include "src/core/lib/security/certificate_provider.h" |
||||
|
||||
namespace grpc_core { |
||||
|
||||
// Map for xDS based grpc_tls_certificate_provider instances.
|
||||
class CertificateProviderStore { |
||||
public: |
||||
// If a provider corresponding to the config is found, a raw pointer to the
|
||||
// grpc_tls_certificate_provider in the map is returned. If no provider is
|
||||
// found for a key, a new provider is created. The CertificateProviderStore
|
||||
// maintains a ref to the grpc_tls_certificate_provider for its entire
|
||||
// lifetime.
|
||||
RefCountedPtr<grpc_tls_certificate_provider> CreateOrGetCertificateProvider( |
||||
absl::string_view key); |
||||
|
||||
private: |
||||
// Underlying map for the providers.
|
||||
std::map<std::string, RefCountedPtr<grpc_tls_certificate_provider>> map_; |
||||
}; |
||||
|
||||
} // namespace grpc_core
|
||||
|
||||
#endif // GRPC_CORE_EXT_XDS_CERTIFICATE_PROVIDER_STORE_H
|
@ -0,0 +1,321 @@ |
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h" |
||||
|
||||
#include <grpc/support/alloc.h> |
||||
#include <grpc/support/log.h> |
||||
#include <grpc/support/string_util.h> |
||||
#include <stdlib.h> |
||||
#include <string.h> |
||||
|
||||
void grpc_tls_certificate_distributor::SetKeyMaterials( |
||||
const std::string& cert_name, absl::optional<std::string> pem_root_certs, |
||||
absl::optional<PemKeyCertPairList> pem_key_cert_pairs) { |
||||
GPR_ASSERT(pem_root_certs.has_value() || pem_key_cert_pairs.has_value()); |
||||
grpc_core::MutexLock lock(&mu_); |
||||
auto& cert_info = certificate_info_map_[cert_name]; |
||||
if (pem_root_certs.has_value()) { |
||||
// Successful credential updates will clear any pre-existing error.
|
||||
cert_info.SetRootError(GRPC_ERROR_NONE); |
||||
for (auto* watcher_ptr : cert_info.root_cert_watchers) { |
||||
GPR_ASSERT(watcher_ptr != nullptr); |
||||
const auto watcher_it = watchers_.find(watcher_ptr); |
||||
GPR_ASSERT(watcher_it != watchers_.end()); |
||||
GPR_ASSERT(watcher_it->second.root_cert_name.has_value()); |
||||
absl::optional<PemKeyCertPairList> pem_key_cert_pairs_to_report; |
||||
if (pem_key_cert_pairs.has_value() && |
||||
watcher_it->second.identity_cert_name == cert_name) { |
||||
pem_key_cert_pairs_to_report = pem_key_cert_pairs; |
||||
} else if (watcher_it->second.identity_cert_name.has_value()) { |
||||
auto& identity_cert_info = |
||||
certificate_info_map_[*watcher_it->second.identity_cert_name]; |
||||
pem_key_cert_pairs_to_report = identity_cert_info.pem_key_cert_pairs; |
||||
} |
||||
watcher_ptr->OnCertificatesChanged( |
||||
pem_root_certs, std::move(pem_key_cert_pairs_to_report)); |
||||
} |
||||
cert_info.pem_root_certs = std::move(*pem_root_certs); |
||||
} |
||||
if (pem_key_cert_pairs.has_value()) { |
||||
// Successful credential updates will clear any pre-existing error.
|
||||
cert_info.SetIdentityError(GRPC_ERROR_NONE); |
||||
for (const auto watcher_ptr : cert_info.identity_cert_watchers) { |
||||
GPR_ASSERT(watcher_ptr != nullptr); |
||||
const auto watcher_it = watchers_.find(watcher_ptr); |
||||
GPR_ASSERT(watcher_it != watchers_.end()); |
||||
GPR_ASSERT(watcher_it->second.identity_cert_name.has_value()); |
||||
absl::optional<absl::string_view> pem_root_certs_to_report; |
||||
if (pem_root_certs.has_value() && |
||||
watcher_it->second.root_cert_name == cert_name) { |
||||
// In this case, We've already sent the credential updates at the time
|
||||
// when checking pem_root_certs, so we will skip here.
|
||||
continue; |
||||
} else if (watcher_it->second.root_cert_name.has_value()) { |
||||
auto& root_cert_info = |
||||
certificate_info_map_[*watcher_it->second.root_cert_name]; |
||||
pem_root_certs_to_report = root_cert_info.pem_root_certs; |
||||
} |
||||
watcher_ptr->OnCertificatesChanged(pem_root_certs_to_report, |
||||
pem_key_cert_pairs); |
||||
} |
||||
cert_info.pem_key_cert_pairs = std::move(*pem_key_cert_pairs); |
||||
} |
||||
} |
||||
|
||||
bool grpc_tls_certificate_distributor::HasRootCerts( |
||||
const std::string& root_cert_name) { |
||||
grpc_core::MutexLock lock(&mu_); |
||||
const auto it = certificate_info_map_.find(root_cert_name); |
||||
return it != certificate_info_map_.end() && |
||||
!it->second.pem_root_certs.empty(); |
||||
}; |
||||
|
||||
bool grpc_tls_certificate_distributor::HasKeyCertPairs( |
||||
const std::string& identity_cert_name) { |
||||
grpc_core::MutexLock lock(&mu_); |
||||
const auto it = certificate_info_map_.find(identity_cert_name); |
||||
return it != certificate_info_map_.end() && |
||||
!it->second.pem_key_cert_pairs.empty(); |
||||
}; |
||||
|
||||
void grpc_tls_certificate_distributor::SetErrorForCert( |
||||
const std::string& cert_name, absl::optional<grpc_error*> root_cert_error, |
||||
absl::optional<grpc_error*> identity_cert_error) { |
||||
GPR_ASSERT(root_cert_error.has_value() || identity_cert_error.has_value()); |
||||
grpc_core::MutexLock lock(&mu_); |
||||
CertificateInfo& cert_info = certificate_info_map_[cert_name]; |
||||
if (root_cert_error.has_value()) { |
||||
for (auto* watcher_ptr : cert_info.root_cert_watchers) { |
||||
GPR_ASSERT(watcher_ptr != nullptr); |
||||
const auto watcher_it = watchers_.find(watcher_ptr); |
||||
GPR_ASSERT(watcher_it != watchers_.end()); |
||||
// identity_cert_error_to_report is the error of the identity cert this
|
||||
// watcher is watching, if there is any.
|
||||
grpc_error* identity_cert_error_to_report = GRPC_ERROR_NONE; |
||||
if (identity_cert_error.has_value() && |
||||
watcher_it->second.identity_cert_name == cert_name) { |
||||
identity_cert_error_to_report = *identity_cert_error; |
||||
} else if (watcher_it->second.identity_cert_name.has_value()) { |
||||
auto& identity_cert_info = |
||||
certificate_info_map_[*watcher_it->second.identity_cert_name]; |
||||
identity_cert_error_to_report = identity_cert_info.identity_cert_error; |
||||
} |
||||
watcher_ptr->OnError(GRPC_ERROR_REF(*root_cert_error), |
||||
GRPC_ERROR_REF(identity_cert_error_to_report)); |
||||
} |
||||
cert_info.SetRootError(*root_cert_error); |
||||
} |
||||
if (identity_cert_error.has_value()) { |
||||
for (auto* watcher_ptr : cert_info.identity_cert_watchers) { |
||||
GPR_ASSERT(watcher_ptr != nullptr); |
||||
const auto watcher_it = watchers_.find(watcher_ptr); |
||||
GPR_ASSERT(watcher_it != watchers_.end()); |
||||
// root_cert_error_to_report is the error of the root cert this watcher is
|
||||
// watching, if there is any.
|
||||
grpc_error* root_cert_error_to_report = GRPC_ERROR_NONE; |
||||
if (root_cert_error.has_value() && |
||||
watcher_it->second.root_cert_name == cert_name) { |
||||
// In this case, We've already sent the error updates at the time when
|
||||
// checking root_cert_error, so we will skip here.
|
||||
continue; |
||||
} else if (watcher_it->second.root_cert_name.has_value()) { |
||||
auto& root_cert_info = |
||||
certificate_info_map_[*watcher_it->second.root_cert_name]; |
||||
root_cert_error_to_report = root_cert_info.root_cert_error; |
||||
} |
||||
watcher_ptr->OnError(GRPC_ERROR_REF(root_cert_error_to_report), |
||||
GRPC_ERROR_REF(*identity_cert_error)); |
||||
} |
||||
cert_info.SetIdentityError(*identity_cert_error); |
||||
} |
||||
}; |
||||
|
||||
void grpc_tls_certificate_distributor::SetError(grpc_error* error) { |
||||
GPR_ASSERT(error != GRPC_ERROR_NONE); |
||||
grpc_core::MutexLock lock(&mu_); |
||||
for (const auto& watcher : watchers_) { |
||||
const auto watcher_ptr = watcher.first; |
||||
GPR_ASSERT(watcher_ptr != nullptr); |
||||
const auto& watcher_info = watcher.second; |
||||
watcher_ptr->OnError( |
||||
watcher_info.root_cert_name.has_value() ? GRPC_ERROR_REF(error) |
||||
: GRPC_ERROR_NONE, |
||||
watcher_info.identity_cert_name.has_value() ? GRPC_ERROR_REF(error) |
||||
: GRPC_ERROR_NONE); |
||||
} |
||||
for (auto& cert_info_entry : certificate_info_map_) { |
||||
auto& cert_info = cert_info_entry.second; |
||||
cert_info.SetRootError(GRPC_ERROR_REF(error)); |
||||
cert_info.SetIdentityError(GRPC_ERROR_REF(error)); |
||||
} |
||||
GRPC_ERROR_UNREF(error); |
||||
}; |
||||
|
||||
void grpc_tls_certificate_distributor::WatchTlsCertificates( |
||||
std::unique_ptr<TlsCertificatesWatcherInterface> watcher, |
||||
absl::optional<std::string> root_cert_name, |
||||
absl::optional<std::string> identity_cert_name) { |
||||
bool start_watching_root_cert = false; |
||||
bool already_watching_identity_for_root_cert = false; |
||||
bool start_watching_identity_cert = false; |
||||
bool already_watching_root_for_identity_cert = false; |
||||
GPR_ASSERT(root_cert_name.has_value() || identity_cert_name.has_value()); |
||||
TlsCertificatesWatcherInterface* watcher_ptr = watcher.get(); |
||||
GPR_ASSERT(watcher_ptr != nullptr); |
||||
// Update watchers_ and certificate_info_map_.
|
||||
{ |
||||
grpc_core::MutexLock lock(&mu_); |
||||
const auto watcher_it = watchers_.find(watcher_ptr); |
||||
// The caller needs to cancel the watcher first if it wants to re-register
|
||||
// the watcher.
|
||||
GPR_ASSERT(watcher_it == watchers_.end()); |
||||
watchers_[watcher_ptr] = {std::move(watcher), root_cert_name, |
||||
identity_cert_name}; |
||||
absl::optional<absl::string_view> updated_root_certs; |
||||
absl::optional<PemKeyCertPairList> updated_identity_pairs; |
||||
grpc_error* root_error = GRPC_ERROR_NONE; |
||||
grpc_error* identity_error = GRPC_ERROR_NONE; |
||||
if (root_cert_name.has_value()) { |
||||
CertificateInfo& cert_info = certificate_info_map_[*root_cert_name]; |
||||
start_watching_root_cert = cert_info.root_cert_watchers.empty(); |
||||
already_watching_identity_for_root_cert = |
||||
!cert_info.identity_cert_watchers.empty(); |
||||
cert_info.root_cert_watchers.insert(watcher_ptr); |
||||
root_error = GRPC_ERROR_REF(cert_info.root_cert_error); |
||||
// Empty credentials will be treated as no updates.
|
||||
if (!cert_info.pem_root_certs.empty()) { |
||||
updated_root_certs = cert_info.pem_root_certs; |
||||
} |
||||
} |
||||
if (identity_cert_name.has_value()) { |
||||
CertificateInfo& cert_info = certificate_info_map_[*identity_cert_name]; |
||||
start_watching_identity_cert = cert_info.identity_cert_watchers.empty(); |
||||
already_watching_root_for_identity_cert = |
||||
!cert_info.root_cert_watchers.empty(); |
||||
cert_info.identity_cert_watchers.insert(watcher_ptr); |
||||
identity_error = GRPC_ERROR_REF(cert_info.identity_cert_error); |
||||
// Empty credentials will be treated as no updates.
|
||||
if (!cert_info.pem_key_cert_pairs.empty()) { |
||||
updated_identity_pairs = cert_info.pem_key_cert_pairs; |
||||
} |
||||
} |
||||
// Notify this watcher if the certs it is watching already had some
|
||||
// contents. Note that an *_cert_error in cert_info only indicates error
|
||||
// occurred while trying to fetch the latest cert, but the updated_*_certs
|
||||
// should always be valid. So we will send the updates regardless of
|
||||
// *_cert_error.
|
||||
if (updated_root_certs.has_value() || updated_identity_pairs.has_value()) { |
||||
watcher_ptr->OnCertificatesChanged(updated_root_certs, |
||||
std::move(updated_identity_pairs)); |
||||
} |
||||
// Notify this watcher if the certs it is watching already had some errors.
|
||||
if (root_error != GRPC_ERROR_NONE || identity_error != GRPC_ERROR_NONE) { |
||||
watcher_ptr->OnError(GRPC_ERROR_REF(root_error), |
||||
GRPC_ERROR_REF(identity_error)); |
||||
} |
||||
GRPC_ERROR_UNREF(root_error); |
||||
GRPC_ERROR_UNREF(identity_error); |
||||
} |
||||
// Invoke watch status callback if needed.
|
||||
{ |
||||
grpc_core::MutexLock lock(&callback_mu_); |
||||
if (watch_status_callback_ != nullptr) { |
||||
if (root_cert_name == identity_cert_name && |
||||
(start_watching_root_cert || start_watching_identity_cert)) { |
||||
watch_status_callback_(*root_cert_name, start_watching_root_cert, |
||||
start_watching_identity_cert); |
||||
} else { |
||||
if (start_watching_root_cert) { |
||||
watch_status_callback_(*root_cert_name, true, |
||||
already_watching_identity_for_root_cert); |
||||
} |
||||
if (start_watching_identity_cert) { |
||||
watch_status_callback_(*identity_cert_name, |
||||
already_watching_root_for_identity_cert, true); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
}; |
||||
|
||||
void grpc_tls_certificate_distributor::CancelTlsCertificatesWatch( |
||||
TlsCertificatesWatcherInterface* watcher) { |
||||
absl::optional<std::string> root_cert_name; |
||||
absl::optional<std::string> identity_cert_name; |
||||
bool stop_watching_root_cert = false; |
||||
bool already_watching_identity_for_root_cert = false; |
||||
bool stop_watching_identity_cert = false; |
||||
bool already_watching_root_for_identity_cert = false; |
||||
// Update watchers_ and certificate_info_map_.
|
||||
{ |
||||
grpc_core::MutexLock lock(&mu_); |
||||
auto it = watchers_.find(watcher); |
||||
if (it == watchers_.end()) return; |
||||
WatcherInfo& watcher_info = it->second; |
||||
root_cert_name = std::move(watcher_info.root_cert_name); |
||||
identity_cert_name = std::move(watcher_info.identity_cert_name); |
||||
watchers_.erase(it); |
||||
if (root_cert_name.has_value()) { |
||||
auto it = certificate_info_map_.find(*root_cert_name); |
||||
GPR_ASSERT(it != certificate_info_map_.end()); |
||||
CertificateInfo& cert_info = it->second; |
||||
cert_info.root_cert_watchers.erase(watcher); |
||||
stop_watching_root_cert = cert_info.root_cert_watchers.empty(); |
||||
already_watching_identity_for_root_cert = |
||||
!cert_info.identity_cert_watchers.empty(); |
||||
if (stop_watching_root_cert && !already_watching_identity_for_root_cert) { |
||||
certificate_info_map_.erase(it); |
||||
} |
||||
} |
||||
if (identity_cert_name.has_value()) { |
||||
auto it = certificate_info_map_.find(*identity_cert_name); |
||||
GPR_ASSERT(it != certificate_info_map_.end()); |
||||
CertificateInfo& cert_info = it->second; |
||||
cert_info.identity_cert_watchers.erase(watcher); |
||||
stop_watching_identity_cert = cert_info.identity_cert_watchers.empty(); |
||||
already_watching_root_for_identity_cert = |
||||
!cert_info.root_cert_watchers.empty(); |
||||
if (stop_watching_identity_cert && |
||||
!already_watching_root_for_identity_cert) { |
||||
certificate_info_map_.erase(it); |
||||
} |
||||
} |
||||
} |
||||
// Invoke watch status callback if needed.
|
||||
{ |
||||
grpc_core::MutexLock lock(&callback_mu_); |
||||
if (watch_status_callback_ != nullptr) { |
||||
if (root_cert_name == identity_cert_name && |
||||
(stop_watching_root_cert || stop_watching_identity_cert)) { |
||||
watch_status_callback_(*root_cert_name, !stop_watching_root_cert, |
||||
!stop_watching_identity_cert); |
||||
} else { |
||||
if (stop_watching_root_cert) { |
||||
watch_status_callback_(*root_cert_name, false, |
||||
already_watching_identity_for_root_cert); |
||||
} |
||||
if (stop_watching_identity_cert) { |
||||
watch_status_callback_(*identity_cert_name, |
||||
already_watching_root_for_identity_cert, |
||||
false); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
}; |
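Review bot: `SetKeyMaterials`, `SetErrorForCert`, `SetError` and `WatchTlsCertificates` invoke watcher callbacks (`OnCertificatesChanged`, `OnError`) while `mu_` is held, and both watch paths invoke `watch_status_callback_` while `callback_mu_` is held, so a watcher or provider that calls back into the distributor from inside its callback (for example `CancelTlsCertificatesWatch` from `OnError`) would self-deadlock unless `grpc_core::Mutex` is reentrant, which I do not believe it is. If holding the lock across callbacks is intended, the contract belongs on the watcher interface or at the top of these methods, e.g. `// Watcher callbacks run with mu_ held; they must not call back into the distributor.`; otherwise collect the notifications under the lock and deliver them after it is released. Separately, in `CancelTlsCertificatesWatch` the inner `auto it = certificate_info_map_.find(...)` in both branches shadows the outer `auto it = watchers_.find(watcher)`; renaming the inner ones to `cert_it` avoids the shadowing and the resulting warning. The stray `;` after the closing brace of `HasRootCerts`, `HasKeyCertPairs`, `SetErrorForCert`, `SetError`, `WatchTlsCertificates` and `CancelTlsCertificatesWatch` is harmless but trips -Wextra-semi.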
@ -0,0 +1,214 @@ |
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
|
||||
#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_DISTRIBUTOR_H |
||||
#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_DISTRIBUTOR_H |
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include <grpc/grpc_security.h> |
||||
|
||||
#include "absl/container/inlined_vector.h" |
||||
#include "absl/types/optional.h" |
||||
#include "src/core/lib/gprpp/ref_counted.h" |
||||
#include "src/core/lib/security/security_connector/ssl_utils.h" |
||||
|
||||
// TLS certificate distributor.
|
||||
struct grpc_tls_certificate_distributor |
||||
: public grpc_core::RefCounted<grpc_tls_certificate_distributor> { |
||||
public: |
||||
typedef absl::InlinedVector<grpc_core::PemKeyCertPair, 1> PemKeyCertPairList; |
||||
|
||||
// Interface for watching TLS certificates update.
|
||||
class TlsCertificatesWatcherInterface { |
||||
public: |
||||
virtual ~TlsCertificatesWatcherInterface() = default; |
||||
|
||||
// Handles the delivery of the updated root and identity certificates.
|
||||
// An absl::nullopt value indicates no corresponding contents for
|
||||
// root_certs or key_cert_pairs. Note that we will send updates of the
|
||||
// latest contents for both root and identity certificates, even when only
|
||||
// one side of it got updated.
|
||||
//
|
||||
// @param root_certs the contents of the reloaded root certs.
|
||||
// @param key_cert_pairs the contents of the reloaded identity key-cert
|
||||
// pairs.
|
||||
virtual void OnCertificatesChanged( |
||||
absl::optional<absl::string_view> root_certs, |
||||
absl::optional<PemKeyCertPairList> key_cert_pairs) = 0; |
||||
|
||||
// Handles an error that occurs while attempting to fetch certificate data.
|
||||
// Note that if a watcher sees an error, it simply means the Provider is
|
||||
// having problems renewing new data. If the watcher has previously received
|
||||
// several OnCertificatesChanged, all the data received from that function
|
||||
// is valid.
|
||||
// In that case, watcher might simply log the error. If the watcher hasn't
|
||||
// received any OnCertificatesChanged before the error occurs, no valid
|
||||
// data is available yet, and the watcher should either fail or "waiting"
|
||||
// for the valid data in a non-blocking way.
|
||||
//
|
||||
// @param root_cert_error the error occurred while reloading root
|
||||
// certificates.
|
||||
// @param identity_cert_error the error occurred while reloading identity
|
||||
// certificates.
|
||||
virtual void OnError(grpc_error* root_cert_error, |
||||
grpc_error* identity_cert_error) = 0; |
||||
}; |
||||
|
||||
// Sets the key materials based on their certificate name. Note that we are
|
||||
// not doing any copies for pem_root_certs and pem_key_cert_pairs. For
|
||||
// pem_root_certs, the original string contents need to outlive the
|
||||
// distributor; for pem_key_cert_pairs, internally it is taking two
|
||||
// unique_ptr(s) to the credential string, so the ownership is actually
|
||||
// transferred.
|
||||
//
|
||||
// @param cert_name The name of the certificates being updated.
|
||||
// @param pem_root_certs The content of root certificates.
|
||||
// @param pem_key_cert_pairs The content of identity key-cert pairs.
|
||||
void SetKeyMaterials(const std::string& cert_name, |
||||
absl::optional<std::string> pem_root_certs, |
||||
absl::optional<PemKeyCertPairList> pem_key_cert_pairs); |
||||
|
||||
bool HasRootCerts(const std::string& root_cert_name); |
||||
|
||||
bool HasKeyCertPairs(const std::string& identity_cert_name); |
||||
|
||||
// Propagates the error that the caller (e.g. Producer) encounters to all the
|
||||
// watchers watching a particular certificate name.
|
||||
//
|
||||
// @param cert_name The watching cert name of the watchers that the caller
|
||||
// wants to notify when encountering error.
|
||||
// @param root_cert_error The error that the caller encounters when reloading
|
||||
// root certs.
|
||||
// @param identity_cert_error The error that the caller encounters when
|
||||
// reloading identity certs.
|
||||
void SetErrorForCert(const std::string& cert_name, |
||||
absl::optional<grpc_error*> root_cert_error, |
||||
absl::optional<grpc_error*> identity_cert_error); |
||||
|
||||
// Propagates the error that the caller (e.g. Producer) encounters to all
|
||||
// watchers.
|
||||
//
|
||||
// @param error The error that the caller encounters.
|
||||
void SetError(grpc_error* error); |
||||
|
||||
// Sets the TLS certificate watch status callback function. The
|
||||
// grpc_tls_certificate_distributor will invoke this callback when a new
|
||||
// certificate name is watched by a newly registered watcher, or when a
|
||||
// certificate name is no longer watched by any watchers.
|
||||
// Note that when the callback shows a cert is no longer being watched, the
|
||||
// distributor will delete the corresponding certificate data from its cache,
|
||||
// and clear the corresponding error, if there is any. This means that if the
|
||||
// callback subsequently says the same cert is now being watched again, the
|
||||
// provider must re-provide the credentials or re-invoke the errors to the
|
||||
// distributor, to indicate a successful or failed reloading.
|
||||
// @param callback The callback function being set by the caller, e.g the
|
||||
// Producer. Note that this callback will be invoked for each certificate
|
||||
// name.
|
||||
//
|
||||
// For the parameters in the callback function:
|
||||
// string_value The name of the certificates being watched.
|
||||
// bool_value_1 If the root certificates with the specific name are being
|
||||
// watched. bool_value_2 If the identity certificates with the specific name
|
||||
// are being watched.
|
||||
void SetWatchStatusCallback( |
||||
std::function<void(std::string, bool, bool)> callback) { |
||||
grpc_core::MutexLock lock(&mu_); |
||||
watch_status_callback_ = callback; |
||||
}; |
||||
|
||||
// Registers a watcher. The caller may keep a raw pointer to the watcher,
|
||||
// which may be used only for cancellation. (Because the caller does not own
|
||||
// the watcher, the pointer must not be used for any other purpose.) At least
|
||||
// one of root_cert_name and identity_cert_name must be specified.
|
||||
//
|
||||
// @param watcher The watcher being registered.
|
||||
// @param root_cert_name The name of the root certificates that will be
|
||||
// watched. If set to absl::nullopt, the root certificates won't be watched.
|
||||
// @param identity_cert_name The name of the identity certificates that will
|
||||
// be watched. If set to absl::nullopt, the identity certificates won't be
|
||||
// watched.
|
||||
void WatchTlsCertificates( |
||||
std::unique_ptr<TlsCertificatesWatcherInterface> watcher, |
||||
absl::optional<std::string> root_cert_name, |
||||
absl::optional<std::string> identity_cert_name); |
||||
|
||||
// Cancels a watcher.
|
||||
//
|
||||
// @param watcher The watcher being cancelled.
|
||||
void CancelTlsCertificatesWatch(TlsCertificatesWatcherInterface* watcher); |
||||
|
||||
private: |
||||
// Contains the information about each watcher.
|
||||
struct WatcherInfo { |
||||
std::unique_ptr<TlsCertificatesWatcherInterface> watcher; |
||||
absl::optional<std::string> root_cert_name; |
||||
absl::optional<std::string> identity_cert_name; |
||||
}; |
||||
// CertificateInfo contains the credential contents and some additional
|
||||
// watcher information.
|
||||
// Note that having errors doesn't indicate the corresponding credentials are
|
||||
// invalid. For example, if root_cert_error != nullptr but pem_root_certs has
|
||||
// value, it simply means an error occurs while trying to fetch the latest
|
||||
// root certs, while pem_root_certs still contains the valid old data.
|
||||
struct CertificateInfo { |
||||
// The contents of the root certificates.
|
||||
std::string pem_root_certs; |
||||
// The contents of the identity key-certificate pairs.
|
||||
PemKeyCertPairList pem_key_cert_pairs; |
||||
// The root cert reloading error propagated by the caller.
|
||||
grpc_error* root_cert_error = GRPC_ERROR_NONE; |
||||
// The identity cert reloading error propagated by the caller.
|
||||
grpc_error* identity_cert_error = GRPC_ERROR_NONE; |
||||
// The set of watchers watching root certificates.
|
||||
// This is mainly used for quickly looking up the affected watchers while
|
||||
// performing a credential reloading.
|
||||
std::set<TlsCertificatesWatcherInterface*> root_cert_watchers; |
||||
// The set of watchers watching identity certificates. This is mainly used
|
||||
// for quickly looking up the affected watchers while performing a
|
||||
// credential reloading.
|
||||
std::set<TlsCertificatesWatcherInterface*> identity_cert_watchers; |
||||
|
||||
~CertificateInfo() { |
||||
GRPC_ERROR_UNREF(root_cert_error); |
||||
GRPC_ERROR_UNREF(identity_cert_error); |
||||
} |
||||
void SetRootError(grpc_error* error) { |
||||
GRPC_ERROR_UNREF(root_cert_error); |
||||
root_cert_error = error; |
||||
} |
||||
void SetIdentityError(grpc_error* error) { |
||||
GRPC_ERROR_UNREF(identity_cert_error); |
||||
identity_cert_error = error; |
||||
} |
||||
}; |
||||
|
||||
grpc_core::Mutex mu_; |
||||
// We need a dedicated mutex for watch_status_callback_ for allowing
|
||||
// callers(e.g. Producer) to directly set key materials in the callback
|
||||
// functions.
|
||||
grpc_core::Mutex callback_mu_; |
||||
// Stores information about each watcher.
|
||||
std::map<TlsCertificatesWatcherInterface*, WatcherInfo> watchers_; |
||||
// The callback to notify the caller, e.g. the Producer, that the watch status
|
||||
// is changed.
|
||||
std::function<void(std::string, bool, bool)> watch_status_callback_; |
||||
// Stores the names of each certificate, and their corresponding credential
|
||||
// contents as well as some additional watcher information.
|
||||
std::map<std::string, CertificateInfo> certificate_info_map_; |
||||
}; |
||||
|
||||
#endif // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_DISTRIBUTOR_H
|
@ -0,0 +1,90 @@ |
||||
//
|
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
//
|
||||
|
||||
#include <grpc/support/port_platform.h> |
||||
|
||||
#include <gmock/gmock.h> |
||||
|
||||
#include "src/core/ext/xds/certificate_provider_registry.h" |
||||
|
||||
#include "test/core/util/test_config.h" |
||||
|
||||
namespace grpc_core { |
||||
namespace testing { |
||||
namespace { |
||||
|
||||
class FakeCertificateProviderFactory1 : public CertificateProviderFactory { |
||||
public: |
||||
const char* name() const override { return "fake1"; } |
||||
|
||||
std::unique_ptr<Config> CreateCertificateProviderConfig( |
||||
const Json& config_json, grpc_error** error) override { |
||||
return nullptr; |
||||
} |
||||
|
||||
RefCountedPtr<grpc_tls_certificate_provider> CreateCertificateProvider( |
||||
std::unique_ptr<Config> config) override { |
||||
return nullptr; |
||||
} |
||||
}; |
||||
|
||||
class FakeCertificateProviderFactory2 : public CertificateProviderFactory { |
||||
public: |
||||
const char* name() const override { return "fake2"; } |
||||
|
||||
std::unique_ptr<Config> CreateCertificateProviderConfig( |
||||
const Json& config_json, grpc_error** error) override { |
||||
return nullptr; |
||||
} |
||||
|
||||
RefCountedPtr<grpc_tls_certificate_provider> CreateCertificateProvider( |
||||
std::unique_ptr<Config> config) override { |
||||
return nullptr; |
||||
} |
||||
}; |
||||
|
||||
TEST(CertificateProviderRegistryTest, Basic) { |
||||
CertificateProviderRegistry::InitRegistry(); |
||||
auto* fake_factory_1 = new FakeCertificateProviderFactory1; |
||||
auto* fake_factory_2 = new FakeCertificateProviderFactory2; |
||||
CertificateProviderRegistry::RegisterCertificateProviderFactory( |
||||
std::unique_ptr<CertificateProviderFactory>(fake_factory_1)); |
||||
CertificateProviderRegistry::RegisterCertificateProviderFactory( |
||||
std::unique_ptr<CertificateProviderFactory>(fake_factory_2)); |
||||
EXPECT_EQ( |
||||
CertificateProviderRegistry::LookupCertificateProviderFactory("fake1"), |
||||
fake_factory_1); |
||||
EXPECT_EQ( |
||||
CertificateProviderRegistry::LookupCertificateProviderFactory("fake2"), |
||||
fake_factory_2); |
||||
EXPECT_EQ( |
||||
CertificateProviderRegistry::LookupCertificateProviderFactory("fake3"), |
||||
nullptr); |
||||
CertificateProviderRegistry::ShutdownRegistry(); |
||||
} |
||||
|
||||
} // namespace
|
||||
} // namespace testing
|
||||
} // namespace grpc_core
|
||||
|
||||
int main(int argc, char** argv) { |
||||
::testing::InitGoogleTest(&argc, argv); |
||||
grpc::testing::TestEnvironment env(argc, argv); |
||||
auto result = RUN_ALL_TESTS(); |
||||
return result; |
||||
} |
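Review bot: `Basic` registers two distinct names and checks one miss, but never pins what `RegisterCertificateProviderFactory` does when called a second time with an already-registered `name()`; since lookup is by name and these factories gate the TLS trust material a channel ends up using, a later registration silently shadowing an earlier one is the case most worth a test. I would add, after the two registrations, `CertificateProviderRegistry::RegisterCertificateProviderFactory(absl::make_unique<FakeCertificateProviderFactory1>());` followed by `EXPECT_EQ(CertificateProviderRegistry::LookupCertificateProviderFactory("fake1"), fake_factory_1);` (or a death test, whichever the registry implements — its code is not in this hunk). As a style point, the fake overrides keep parameter names they never use (`config_json`, `error`, `config`), which trips `-Wunused-parameter` in warning-clean builds; the codebase convention is to comment them out, e.g. `const Json& /*config_json*/, grpc_error** /*error*/`. Because `CreateCertificateProviderConfig` returns nullptr without touching `*error`, a one-line comment on the fakes such as `// Lookup-only fakes: they never produce a config or provider.` would keep someone from reusing them where a config is expected.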
@ -0,0 +1,968 @@ |
||||
//
|
||||
// Copyright 2020 gRPC authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
//
|
||||
|
||||
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h" |
||||
|
||||
#include <gmock/gmock.h> |
||||
#include <grpc/support/alloc.h> |
||||
#include <grpc/support/log.h> |
||||
#include <grpc/support/string_util.h> |
||||
#include <gtest/gtest.h> |
||||
|
||||
#include <deque> |
||||
#include <list> |
||||
#include <string> |
||||
#include <thread> |
||||
|
||||
#include "src/core/lib/slice/slice_internal.h" |
||||
#include "test/core/util/test_config.h" |
||||
|
||||
namespace testing { |
||||
|
||||
constexpr const char* kCertName1 = "cert_1_name"; |
||||
constexpr const char* kCertName2 = "cert_2_name"; |
||||
constexpr const char* kRootCert1Name = "root_cert_1_name"; |
||||
constexpr const char* kRootCert1Contents = "root_cert_1_contents"; |
||||
constexpr const char* kRootCert2Name = "root_cert_2_name"; |
||||
constexpr const char* kRootCert2Contents = "root_cert_2_contents"; |
||||
constexpr const char* kIdentityCert1Name = "identity_cert_1_name"; |
||||
constexpr const char* kIdentityCert1PrivateKey = "identity_private_key_1"; |
||||
constexpr const char* kIdentityCert1Contents = "identity_cert_1_contents"; |
||||
constexpr const char* kIdentityCert2Name = "identity_cert_2_name"; |
||||
constexpr const char* kIdentityCert2PrivateKey = "identity_private_key_2"; |
||||
constexpr const char* kIdentityCert2Contents = "identity_cert_2_contents"; |
||||
constexpr const char* kErrorMessage = "error_message"; |
||||
constexpr const char* kRootErrorMessage = "root_error_message"; |
||||
constexpr const char* kIdentityErrorMessage = "identity_error_message"; |
||||
|
||||
class GrpcTlsCertificateDistributorTest : public ::testing::Test { |
||||
protected: |
||||
// Forward declaration.
|
||||
class TlsCertificatesTestWatcher; |
||||
|
||||
static grpc_tls_certificate_distributor::PemKeyCertPairList MakeCertKeyPairs( |
||||
const char* private_key, const char* certs) { |
||||
if (strcmp(private_key, "") == 0 && strcmp(certs, "") == 0) { |
||||
return {}; |
||||
} |
||||
grpc_ssl_pem_key_cert_pair* ssl_pair = |
||||
static_cast<grpc_ssl_pem_key_cert_pair*>( |
||||
gpr_malloc(sizeof(grpc_ssl_pem_key_cert_pair))); |
||||
ssl_pair->private_key = gpr_strdup(private_key); |
||||
ssl_pair->cert_chain = gpr_strdup(certs); |
||||
grpc_tls_certificate_distributor::PemKeyCertPairList pem_key_cert_pairs; |
||||
pem_key_cert_pairs.emplace_back(ssl_pair); |
||||
return pem_key_cert_pairs; |
||||
} |
||||
|
||||
// CredentialInfo contains the parameters when calling OnCertificatesChanged
|
||||
// of a watcher. When OnCertificatesChanged is invoked, we will push a
|
||||
// CredentialInfo to the cert_update_queue of state_, and check in each test
|
||||
// if the status updates are correct.
|
||||
struct CredentialInfo { |
||||
std::string root_certs; |
||||
grpc_tls_certificate_distributor::PemKeyCertPairList key_cert_pairs; |
||||
CredentialInfo( |
||||
std::string root, |
||||
grpc_tls_certificate_distributor::PemKeyCertPairList key_cert) |
||||
: root_certs(std::move(root)), key_cert_pairs(std::move(key_cert)) {} |
||||
bool operator==(const CredentialInfo& other) const { |
||||
return root_certs == other.root_certs && |
||||
key_cert_pairs == other.key_cert_pairs; |
||||
} |
||||
}; |
||||
|
||||
// ErrorInfo contains the parameters when calling OnError of a watcher. When
|
||||
// OnError is invoked, we will push a ErrorInfo to the error_queue of state_,
|
||||
// and check in each test if the status updates are correct.
|
||||
struct ErrorInfo { |
||||
std::string root_cert_str; |
||||
std::string identity_cert_str; |
||||
ErrorInfo(std::string root, std::string identity) |
||||
: root_cert_str(std::move(root)), |
||||
identity_cert_str(std::move(identity)) {} |
||||
bool operator==(const ErrorInfo& other) const { |
||||
return root_cert_str == other.root_cert_str && |
||||
identity_cert_str == other.identity_cert_str; |
||||
} |
||||
}; |
||||
|
||||
struct WatcherState { |
||||
TlsCertificatesTestWatcher* watcher = nullptr; |
||||
std::deque<CredentialInfo> cert_update_queue; |
||||
std::deque<ErrorInfo> error_queue; |
||||
|
||||
std::deque<CredentialInfo> GetCredentialQueue() { |
||||
// We move the data member value so the data member will be re-initiated
|
||||
// with size 0, and ready for the next check.
|
||||
return std::move(cert_update_queue); |
||||
} |
||||
std::deque<ErrorInfo> GetErrorQueue() { |
||||
// We move the data member value so the data member will be re-initiated
|
||||
// with size 0, and ready for the next check.
|
||||
return std::move(error_queue); |
||||
} |
||||
}; |
||||
|
||||
class TlsCertificatesTestWatcher : public grpc_tls_certificate_distributor:: |
||||
TlsCertificatesWatcherInterface { |
||||
public: |
||||
// ctor sets state->watcher to this.
|
||||
explicit TlsCertificatesTestWatcher(WatcherState* state) : state_(state) { |
||||
state_->watcher = this; |
||||
} |
||||
|
||||
// dtor sets state->watcher to nullptr.
|
||||
~TlsCertificatesTestWatcher() { state_->watcher = nullptr; } |
||||
|
||||
void OnCertificatesChanged( |
||||
absl::optional<absl::string_view> root_certs, |
||||
absl::optional<grpc_tls_certificate_distributor::PemKeyCertPairList> |
||||
key_cert_pairs) override { |
||||
std::string updated_root; |
||||
if (root_certs.has_value()) { |
||||
updated_root = std::string(*root_certs); |
||||
} |
||||
grpc_tls_certificate_distributor::PemKeyCertPairList updated_identity; |
||||
if (key_cert_pairs.has_value()) { |
||||
updated_identity = std::move(*key_cert_pairs); |
||||
} |
||||
state_->cert_update_queue.emplace_back(std::move(updated_root), |
||||
std::move(updated_identity)); |
||||
} |
||||
|
||||
void OnError(grpc_error* root_cert_error, |
||||
grpc_error* identity_cert_error) override { |
||||
GPR_ASSERT(root_cert_error != GRPC_ERROR_NONE || |
||||
identity_cert_error != GRPC_ERROR_NONE); |
||||
std::string root_error_str; |
||||
std::string identity_error_str; |
||||
if (root_cert_error != GRPC_ERROR_NONE) { |
||||
grpc_slice root_error_slice; |
||||
GPR_ASSERT(grpc_error_get_str( |
||||
root_cert_error, GRPC_ERROR_STR_DESCRIPTION, &root_error_slice)); |
||||
root_error_str = |
||||
std::string(grpc_core::StringViewFromSlice(root_error_slice)); |
||||
} |
||||
if (identity_cert_error != GRPC_ERROR_NONE) { |
||||
grpc_slice identity_error_slice; |
||||
GPR_ASSERT(grpc_error_get_str(identity_cert_error, |
||||
GRPC_ERROR_STR_DESCRIPTION, |
||||
&identity_error_slice)); |
||||
identity_error_str = |
||||
std::string(grpc_core::StringViewFromSlice(identity_error_slice)); |
||||
} |
||||
state_->error_queue.emplace_back(std::move(root_error_str), |
||||
std::move(identity_error_str)); |
||||
GRPC_ERROR_UNREF(root_cert_error); |
||||
GRPC_ERROR_UNREF(identity_cert_error); |
||||
} |
||||
|
||||
private: |
||||
WatcherState* state_; |
||||
}; |
||||
|
||||
// CallbackStatus contains the parameters when calling watch_status_callback_
|
||||
// of the distributor. When a particular callback is invoked, we will push a
|
||||
// CallbackStatus to a callback_queue_, and check in each test if the status
|
||||
// updates are correct.
|
||||
struct CallbackStatus { |
||||
std::string cert_name; |
||||
bool root_being_watched; |
||||
bool identity_being_watched; |
||||
CallbackStatus(std::string name, bool root_watched, bool identity_watched) |
||||
: cert_name(std::move(name)), |
||||
root_being_watched(root_watched), |
||||
identity_being_watched(identity_watched) {} |
||||
bool operator==(const CallbackStatus& other) const { |
||||
return cert_name == other.cert_name && |
||||
root_being_watched == other.root_being_watched && |
||||
identity_being_watched == other.identity_being_watched; |
||||
} |
||||
}; |
||||
|
||||
void SetUp() override { |
||||
distributor_.SetWatchStatusCallback([this](std::string cert_name, |
||||
bool root_being_watched, |
||||
bool identity_being_watched) { |
||||
callback_queue_.emplace_back(std::move(cert_name), root_being_watched, |
||||
identity_being_watched); |
||||
}); |
||||
} |
||||
|
||||
WatcherState* MakeWatcher(absl::optional<std::string> root_cert_name, |
||||
absl::optional<std::string> identity_cert_name) { |
||||
grpc_core::MutexLock lock(&mu_); |
||||
watchers_.emplace_back(); |
||||
// TlsCertificatesTestWatcher ctor takes a pointer to the WatcherState.
|
||||
// It sets WatcherState::watcher to point to itself.
|
||||
// The TlsCertificatesTestWatcher dtor will set WatcherState::watcher back
|
||||
// to nullptr to indicate that it's been destroyed.
|
||||
auto watcher = |
||||
absl::make_unique<TlsCertificatesTestWatcher>(&watchers_.back()); |
||||
distributor_.WatchTlsCertificates(std::move(watcher), |
||||
std::move(root_cert_name), |
||||
std::move(identity_cert_name)); |
||||
return &watchers_.back(); |
||||
} |
||||
|
||||
void CancelWatch(WatcherState* state) { |
||||
grpc_core::MutexLock lock(&mu_); |
||||
distributor_.CancelTlsCertificatesWatch(state->watcher); |
||||
EXPECT_EQ(state->watcher, nullptr); |
||||
} |
||||
|
||||
std::deque<CallbackStatus> GetCallbackQueue() { |
||||
// We move the data member value so the data member will be re-initiated
|
||||
// with size 0, and ready for the next check.
|
||||
return std::move(callback_queue_); |
||||
} |
||||
|
||||
grpc_tls_certificate_distributor distributor_; |
||||
// Use a std::list<> here to avoid the address invalidation caused by internal
|
||||
// reallocation of std::vector<>.
|
||||
std::list<WatcherState> watchers_; |
||||
std::deque<CallbackStatus> callback_queue_; |
||||
// This is to make watchers_ and callback_queue_ thread-safe.
|
||||
grpc_core::Mutex mu_; |
||||
}; |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, BasicCredentialBehaviors) { |
||||
EXPECT_FALSE(distributor_.HasRootCerts(kRootCert1Name)); |
||||
EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert1Name)); |
||||
// After setting the certificates to the corresponding cert names, the
|
||||
// distributor should possess the corresponding certs.
|
||||
distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents, |
||||
absl::nullopt); |
||||
EXPECT_TRUE(distributor_.HasRootCerts(kRootCert1Name)); |
||||
distributor_.SetKeyMaterials( |
||||
kIdentityCert1Name, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
EXPECT_TRUE(distributor_.HasKeyCertPairs(kIdentityCert1Name)); |
||||
// Querying a non-existing cert name should return false.
|
||||
EXPECT_FALSE(distributor_.HasRootCerts(kRootCert2Name)); |
||||
EXPECT_FALSE(distributor_.HasKeyCertPairs(kIdentityCert2Name)); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, UpdateCredentialsOnAnySide) { |
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, true))); |
||||
// SetKeyMaterials should trigger watcher's OnCertificatesChanged method.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
// Set root certs should trigger watcher's OnCertificatesChanged again.
|
||||
distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt); |
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert2Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
// Set identity certs should trigger watcher's OnCertificatesChanged again.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)); |
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert2Contents, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)))); |
||||
CancelWatch(watcher_state_1); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, SameIdentityNameDiffRootName) { |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = |
||||
MakeWatcher(kRootCert1Name, kIdentityCert1Name); |
||||
EXPECT_THAT( |
||||
GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false), |
||||
CallbackStatus(kIdentityCert1Name, false, true))); |
||||
// Register watcher 2.
|
||||
WatcherState* watcher_state_2 = |
||||
MakeWatcher(kRootCert2Name, kIdentityCert1Name); |
||||
EXPECT_THAT(GetCallbackQueue(), testing::ElementsAre(CallbackStatus( |
||||
kRootCert2Name, true, false))); |
||||
// Push credential updates to kRootCert1Name and check if the status works as
|
||||
// expected.
|
||||
distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents, |
||||
absl::nullopt); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert1Contents, {}))); |
||||
// Push credential updates to kRootCert2Name.
|
||||
distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents, |
||||
absl::nullopt); |
||||
// Check the updates are delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert2Contents, {}))); |
||||
// Push credential updates to kIdentityCert1Name and check if the status works
|
||||
// as expected.
|
||||
distributor_.SetKeyMaterials( |
||||
kIdentityCert1Name, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Check the updates are delivered to watcher 1 and watcher 2.
|
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
EXPECT_THAT( |
||||
watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert2Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
// Cancel watcher 1.
|
||||
CancelWatch(watcher_state_1); |
||||
EXPECT_THAT(GetCallbackQueue(), testing::ElementsAre(CallbackStatus( |
||||
kRootCert1Name, false, false))); |
||||
// Cancel watcher 2.
|
||||
CancelWatch(watcher_state_2); |
||||
EXPECT_THAT( |
||||
GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kRootCert2Name, false, false), |
||||
CallbackStatus(kIdentityCert1Name, false, false))); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, SameRootNameDiffIdentityName) { |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = |
||||
MakeWatcher(kRootCert1Name, kIdentityCert1Name); |
||||
EXPECT_THAT( |
||||
GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kRootCert1Name, true, false), |
||||
CallbackStatus(kIdentityCert1Name, false, true))); |
||||
// Register watcher 2.
|
||||
WatcherState* watcher_state_2 = |
||||
MakeWatcher(kRootCert1Name, kIdentityCert2Name); |
||||
EXPECT_THAT(GetCallbackQueue(), testing::ElementsAre(CallbackStatus( |
||||
kIdentityCert2Name, false, true))); |
||||
// Push credential updates to kRootCert1Name and check if the status works as
|
||||
// expected.
|
||||
distributor_.SetKeyMaterials(kRootCert1Name, kRootCert1Contents, |
||||
absl::nullopt); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert1Contents, {}))); |
||||
// Check the updates are delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert1Contents, {}))); |
||||
// Push credential updates to SetKeyMaterials.
|
||||
distributor_.SetKeyMaterials( |
||||
kIdentityCert1Name, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
// Push credential updates to kIdentityCert2Name.
|
||||
distributor_.SetKeyMaterials( |
||||
kIdentityCert2Name, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)); |
||||
// Check the updates are delivered to watcher 2.
|
||||
EXPECT_THAT( |
||||
watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)))); |
||||
// Cancel watcher 1.
|
||||
CancelWatch(watcher_state_1); |
||||
EXPECT_THAT(GetCallbackQueue(), testing::ElementsAre(CallbackStatus( |
||||
kIdentityCert1Name, false, false))); |
||||
// Cancel watcher 2.
|
||||
CancelWatch(watcher_state_2); |
||||
EXPECT_THAT( |
||||
GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kRootCert1Name, false, false), |
||||
CallbackStatus(kIdentityCert2Name, false, false))); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
AddAndCancelFirstWatcherForSameRootAndIdentityCertName) { |
||||
// Register watcher 1 watching kCertName1 for both root and identity certs.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, true))); |
||||
// Push credential updates to kCertName1 and check if the status works as
|
||||
// expected.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
// Cancel watcher 1.
|
||||
CancelWatch(watcher_state_1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, false, false))); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
AddAndCancelFirstWatcherForIdentityCertNameWithRootBeingWatched) { |
||||
// Register watcher 1 watching kCertName1 for root certs.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, false))); |
||||
// Register watcher 2 watching kCertName1 for identity certs.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, true))); |
||||
// Push credential updates to kCertName1 and check if the status works as
|
||||
// expected.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert1Contents, {}))); |
||||
// Check the updates are delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
"", MakeCertKeyPairs(kIdentityCert1PrivateKey, |
||||
kIdentityCert1Contents)))); |
||||
// Push root cert updates to kCertName1.
|
||||
distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert2Contents, {}))); |
||||
// Check the updates are not delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), testing::ElementsAre()); |
||||
// Push identity cert updates to kCertName1.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)); |
||||
// Check the updates are not delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), testing::ElementsAre()); |
||||
// Check the updates are delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
"", MakeCertKeyPairs(kIdentityCert2PrivateKey, |
||||
kIdentityCert2Contents)))); |
||||
watcher_state_2->cert_update_queue.clear(); |
||||
// Cancel watcher 2.
|
||||
CancelWatch(watcher_state_2); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, false))); |
||||
// Cancel watcher 1.
|
||||
CancelWatch(watcher_state_1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, false, false))); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
AddAndCancelFirstWatcherForRootCertNameWithIdentityBeingWatched) { |
||||
// Register watcher 1 watching kCertName1 for identity certs.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(absl::nullopt, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, false, true))); |
||||
// Register watcher 2 watching kCertName1 for root certs.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(kCertName1, absl::nullopt); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, true))); |
||||
// Push credential updates to kCertName1 and check if the status works as
|
||||
// expected.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
"", MakeCertKeyPairs(kIdentityCert1PrivateKey, |
||||
kIdentityCert1Contents)))); |
||||
// Check the updates are delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert1Contents, {}))); |
||||
// Push root cert updates to kCertName1.
|
||||
distributor_.SetKeyMaterials(kCertName1, kRootCert2Contents, absl::nullopt); |
||||
// Check the updates are delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert2Contents, {}))); |
||||
// Check the updates are not delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), testing::ElementsAre()); |
||||
// Push identity cert updates to kCertName1.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)); |
||||
// Check the updates are not delivered to watcher 2.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), testing::ElementsAre()); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
"", MakeCertKeyPairs(kIdentityCert2PrivateKey, |
||||
kIdentityCert2Contents)))); |
||||
// Cancel watcher 2.
|
||||
CancelWatch(watcher_state_2); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, false, true))); |
||||
// Cancel watcher 1.
|
||||
CancelWatch(watcher_state_1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, false, false))); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
RemoveAllWatchersForCertNameAndAddAgain) { |
||||
// Register watcher 1 and watcher 2 watching kCertName1 for root and identity
|
||||
// certs.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, true))); |
||||
WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), testing::ElementsAre()); |
||||
// Push credential updates to kCertName1.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Cancel watcher 2.
|
||||
CancelWatch(watcher_state_2); |
||||
EXPECT_THAT(GetCallbackQueue(), testing::ElementsAre()); |
||||
// Cancel watcher 1.
|
||||
CancelWatch(watcher_state_1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, false, false))); |
||||
// Register watcher 3 watching kCertName for root and identity certs.
|
||||
WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, true))); |
||||
// Push credential updates to kCertName1.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert2Contents, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)); |
||||
// Check the updates are delivered to watcher 3.
|
||||
EXPECT_THAT( |
||||
watcher_state_3->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert2Contents, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)))); |
||||
// Cancel watcher 3.
|
||||
CancelWatch(watcher_state_3); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, false, false))); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, ResetCallbackToNull) { |
||||
// Register watcher 1 watching kCertName1 for root and identity certs.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
EXPECT_THAT(GetCallbackQueue(), |
||||
testing::ElementsAre(CallbackStatus(kCertName1, true, true))); |
||||
// Reset callback to nullptr.
|
||||
distributor_.SetWatchStatusCallback(nullptr); |
||||
// Cancel watcher 1 shouldn't trigger any callback.
|
||||
CancelWatch(watcher_state_1); |
||||
EXPECT_THAT(GetCallbackQueue(), testing::ElementsAre()); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, SetKeyMaterialsInCallback) { |
||||
distributor_.SetWatchStatusCallback([this](std::string cert_name, |
||||
bool root_being_watched, |
||||
bool identity_being_watched) { |
||||
distributor_.SetKeyMaterials( |
||||
cert_name, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
}); |
||||
auto verify_function = [this](std::string cert_name) { |
||||
WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name); |
||||
// Check the updates are delivered to watcher 1.
|
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, MakeCertKeyPairs(kIdentityCert1PrivateKey, |
||||
kIdentityCert1Contents)))); |
||||
CancelWatch(watcher_state_1); |
||||
}; |
||||
// Start 1000 threads that will register a watcher to a new cert name, verify
|
||||
// the key materials being set, and then cancel the watcher, to make sure the
|
||||
// lock mechanism in the distributor is safe.
|
||||
std::vector<std::thread> threads; |
||||
threads.reserve(1000); |
||||
for (int i = 0; i < 1000; ++i) { |
||||
threads.emplace_back(verify_function, std::to_string(i)); |
||||
} |
||||
for (auto& th : threads) { |
||||
th.join(); |
||||
} |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, WatchACertInfoWithValidCredentials) { |
||||
// Push credential updates to kCertName1.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Push root credential updates to kCertName2.
|
||||
distributor_.SetKeyMaterials(kRootCert2Name, kRootCert2Contents, |
||||
absl::nullopt); |
||||
// Push identity credential updates to kCertName2.
|
||||
distributor_.SetKeyMaterials( |
||||
kIdentityCert2Name, absl::nullopt, |
||||
MakeCertKeyPairs(kIdentityCert2PrivateKey, kIdentityCert2Contents)); |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
// watcher 1 should receive the credentials right away.
|
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
CancelWatch(watcher_state_1); |
||||
// Register watcher 2.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(kRootCert2Name, absl::nullopt); |
||||
// watcher 2 should receive the root credentials right away.
|
||||
EXPECT_THAT(watcher_state_2->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo(kRootCert2Contents, {}))); |
||||
// Register watcher 3.
|
||||
WatcherState* watcher_state_3 = |
||||
MakeWatcher(absl::nullopt, kIdentityCert2Name); |
||||
// watcher 3 should received the identity credentials right away.
|
||||
EXPECT_THAT(watcher_state_3->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
"", MakeCertKeyPairs(kIdentityCert2PrivateKey, |
||||
kIdentityCert2Contents)))); |
||||
CancelWatch(watcher_state_2); |
||||
CancelWatch(watcher_state_3); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
SetErrorForCertForBothRootAndIdentity) { |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
// Calling SetErrorForCert on both cert names should only call one OnError
|
||||
// on watcher 1.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre( |
||||
ErrorInfo(kRootErrorMessage, kIdentityErrorMessage))); |
||||
// Calling SetErrorForCert on root cert name should call OnError
|
||||
// on watcher 1 again.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage), |
||||
absl::nullopt); |
||||
EXPECT_THAT( |
||||
watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kErrorMessage, kIdentityErrorMessage))); |
||||
// Calling SetErrorForCert on identity cert name should call OnError
|
||||
// on watcher 1 again.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, absl::nullopt, |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage))); |
||||
distributor_.CancelTlsCertificatesWatch(watcher_state_1->watcher); |
||||
EXPECT_EQ(watcher_state_1->watcher, nullptr); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertForRootOrIdentity) { |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt); |
||||
// Calling SetErrorForCert on root name should only call one OnError
|
||||
// on watcher 1.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
absl::nullopt); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kRootErrorMessage, ""))); |
||||
// Calling SetErrorForCert on identity name should do nothing.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, absl::nullopt, |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), testing::ElementsAre()); |
||||
// Calling SetErrorForCert on both names should still get one OnError call.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kRootErrorMessage, ""))); |
||||
CancelWatch(watcher_state_1); |
||||
// Register watcher 2.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName1); |
||||
// Calling SetErrorForCert on identity name should only call one OnError
|
||||
// on watcher 2.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, absl::nullopt, |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage))); |
||||
// Calling SetErrorForCert on root name should do nothing.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
absl::nullopt); |
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), testing::ElementsAre()); |
||||
// Calling SetErrorForCert on both names should still get one OnError call.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage))); |
||||
CancelWatch(watcher_state_2); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
SetErrorForIdentityNameWithPreexistingErrorForRootName) { |
||||
// SetErrorForCert for kCertName1.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
// Register watcher 1 for kCertName1 as root and kCertName2 as identity.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2); |
||||
// Should trigger OnError call right away since kCertName1 has error.
|
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kRootErrorMessage, ""))); |
||||
// Calling SetErrorForCert on kCertName2 should trigger OnError with both
|
||||
// errors, because kCertName1 also has error.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName2, absl::nullopt, |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre( |
||||
ErrorInfo(kRootErrorMessage, kIdentityErrorMessage))); |
||||
CancelWatch(watcher_state_1); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
SetErrorForCertForRootNameWithSameNameForIdentityErrored) { |
||||
// SetErrorForCert for kCertName1.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
// Register watcher 1 for kCertName2 as root and kCertName1 as identity.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1); |
||||
// Should trigger OnError call right away since kCertName2 has error.
|
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage))); |
||||
// Calling SetErrorForCert on kCertName2 should trigger OnError with both
|
||||
// errors, because kCertName1 also has error.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName2, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
absl::nullopt); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre( |
||||
ErrorInfo(kRootErrorMessage, kIdentityErrorMessage))); |
||||
CancelWatch(watcher_state_1); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
SetErrorForIdentityNameWithoutErrorForRootName) { |
||||
// Register watcher 1 for kCertName1 as root and kCertName2 as identity.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName2); |
||||
// Should not trigger OnError.
|
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), testing::ElementsAre()); |
||||
// Calling SetErrorForCert on kCertName2 should trigger OnError.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName2, absl::nullopt, |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage))); |
||||
CancelWatch(watcher_state_1); |
||||
// Register watcher 2 for kCertName2 as identity and a non-existing name
|
||||
// kRootCert1Name as root.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, kCertName2); |
||||
// Should not trigger OnError.
|
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), testing::ElementsAre()); |
||||
// Calling SetErrorForCert on kCertName2 should trigger OnError.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName2, absl::nullopt, |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_2->error_queue, |
||||
testing::ElementsAre(ErrorInfo("", kIdentityErrorMessage))); |
||||
CancelWatch(watcher_state_2); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
SetErrorForRootNameWithPreexistingErrorForIdentityName) { |
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName2, kCertName1); |
||||
// Should not trigger OnError.
|
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), testing::ElementsAre()); |
||||
// Calling SetErrorForCert on kCertName2 should trigger OnError.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName2, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
absl::nullopt); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kRootErrorMessage, ""))); |
||||
CancelWatch(watcher_state_1); |
||||
// Register watcher 2 for kCertName2 as root and a non-existing name
|
||||
// kIdentityCert1Name as identity.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(kCertName2, kIdentityCert1Name); |
||||
// Should not trigger OnError.
|
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), testing::ElementsAre()); |
||||
// Calling SetErrorForCert on kCertName2 should trigger OnError.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName2, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
absl::nullopt); |
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kRootErrorMessage, ""))); |
||||
CancelWatch(watcher_state_2); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
CancelTheLastWatcherOnAnErroredCertInfo) { |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
// Calling SetErrorForCert on both cert names should only call one OnError
|
||||
// on watcher 1.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre( |
||||
ErrorInfo(kRootErrorMessage, kIdentityErrorMessage))); |
||||
// When watcher 1 is removed, the cert info entry should be removed.
|
||||
CancelWatch(watcher_state_1); |
||||
// Register watcher 2 on the same cert name.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(kCertName1, kCertName1); |
||||
// Should not trigger OnError call on watcher 2 right away.
|
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), testing::ElementsAre()); |
||||
CancelWatch(watcher_state_2); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
WatchErroredCertInfoWithValidCredentialData) { |
||||
// Push credential updates to kCertName1.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Calling SetErrorForCert on both cert names.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
// watcher 1 should receive both the old credentials and the error right away.
|
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre( |
||||
ErrorInfo(kRootErrorMessage, kIdentityErrorMessage))); |
||||
CancelWatch(watcher_state_1); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, |
||||
SetErrorForCertThenSuccessfulCredentialUpdates) { |
||||
// Calling SetErrorForCert on both cert names.
|
||||
distributor_.SetErrorForCert( |
||||
kCertName1, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
// Push credential updates to kCertName1.
|
||||
distributor_.SetKeyMaterials( |
||||
kCertName1, kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)); |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
// watcher 1 should only receive credential updates without any error, because
|
||||
// the previous error is wiped out by a successful update.
|
||||
EXPECT_THAT( |
||||
watcher_state_1->GetCredentialQueue(), |
||||
testing::ElementsAre(CredentialInfo( |
||||
kRootCert1Contents, |
||||
MakeCertKeyPairs(kIdentityCert1PrivateKey, kIdentityCert1Contents)))); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), testing::ElementsAre()); |
||||
CancelWatch(watcher_state_1); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, WatchCertInfoThenInvokeSetError) { |
||||
// Register watcher 1.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, kCertName1); |
||||
// Register watcher 2.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(kRootCert1Name, absl::nullopt); |
||||
// Register watcher 3.
|
||||
WatcherState* watcher_state_3 = |
||||
MakeWatcher(absl::nullopt, kIdentityCert1Name); |
||||
distributor_.SetError(GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage)); |
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kErrorMessage, kErrorMessage))); |
||||
EXPECT_THAT(watcher_state_2->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo(kErrorMessage, ""))); |
||||
EXPECT_THAT(watcher_state_3->GetErrorQueue(), |
||||
testing::ElementsAre(ErrorInfo("", kErrorMessage))); |
||||
CancelWatch(watcher_state_1); |
||||
CancelWatch(watcher_state_2); |
||||
CancelWatch(watcher_state_3); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, WatchErroredCertInfoBySetError) { |
||||
// Register watcher 1 watching kCertName1 as root.
|
||||
WatcherState* watcher_state_1 = MakeWatcher(kCertName1, absl::nullopt); |
||||
// Register watcher 2 watching kCertName2 as identity.
|
||||
WatcherState* watcher_state_2 = MakeWatcher(absl::nullopt, kCertName2); |
||||
// Call SetError and then cancel all watchers.
|
||||
distributor_.SetError(GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage)); |
||||
CancelWatch(watcher_state_1); |
||||
CancelWatch(watcher_state_2); |
||||
// Register watcher 3 watching kCertName1 as root and kCertName2 as identity
|
||||
// should not get the error updates.
|
||||
WatcherState* watcher_state_3 = MakeWatcher(kCertName1, kCertName2); |
||||
EXPECT_THAT(watcher_state_3->GetErrorQueue(), testing::ElementsAre()); |
||||
CancelWatch(watcher_state_3); |
||||
// Register watcher 4 watching kCertName2 as root and kCertName1 as identity
|
||||
// should not get the error updates.
|
||||
WatcherState* watcher_state_4 = MakeWatcher(kCertName2, kCertName1); |
||||
EXPECT_THAT(watcher_state_4->GetErrorQueue(), testing::ElementsAre()); |
||||
CancelWatch(watcher_state_4); |
||||
} |
||||
|
||||
TEST_F(GrpcTlsCertificateDistributorTest, SetErrorForCertInCallback) { |
||||
distributor_.SetWatchStatusCallback([this](std::string cert_name, |
||||
bool root_being_watched, |
||||
bool identity_being_watched) { |
||||
this->distributor_.SetErrorForCert( |
||||
cert_name, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kRootErrorMessage), |
||||
GRPC_ERROR_CREATE_FROM_STATIC_STRING(kIdentityErrorMessage)); |
||||
}); |
||||
auto verify_function = [this](std::string cert_name) { |
||||
WatcherState* watcher_state_1 = MakeWatcher(cert_name, cert_name); |
||||
// Check the errors are delivered to watcher 1.
|
||||
EXPECT_THAT(watcher_state_1->GetErrorQueue(), |
||||
testing::ElementsAre( |
||||
ErrorInfo(kRootErrorMessage, kIdentityErrorMessage))); |
||||
CancelWatch(watcher_state_1); |
||||
}; |
||||
// Start 1000 threads that will register a watcher to a new cert name, verify
|
||||
// the key materials being set, and then cancel the watcher, to make sure the
|
||||
// lock mechanism in the distributor is safe.
|
||||
std::vector<std::thread> threads; |
||||
threads.reserve(1000); |
||||
for (int i = 0; i < 1000; ++i) { |
||||
threads.emplace_back(verify_function, std::to_string(i)); |
||||
} |
||||
for (auto& th : threads) { |
||||
th.join(); |
||||
} |
||||
} |
||||
|
||||
} // namespace testing
|
||||
|
||||
int main(int argc, char** argv) { |
||||
grpc::testing::TestEnvironment env(argc, argv); |
||||
::testing::InitGoogleTest(&argc, argv); |
||||
grpc_init(); |
||||
int ret = RUN_ALL_TESTS(); |
||||
grpc_shutdown(); |
||||
return ret; |
||||
} |
@ -0,0 +1,588 @@ |
||||
/*
|
||||
* |
||||
* Copyright 2015 gRPC authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
* |
||||
*/ |
||||
#include <unistd.h> |
||||
|
||||
#include <cstdlib> |
||||
#include <fstream> |
||||
#include <iostream> |
||||
#include <memory> |
||||
#include <ostream> |
||||
#include <queue> |
||||
#include <string> |
||||
|
||||
#include "absl/strings/str_format.h" |
||||
#include "absl/strings/str_join.h" |
||||
#include "gflags/gflags.h" |
||||
#include "google/protobuf/text_format.h" |
||||
#include "grpc/grpc.h" |
||||
#include "grpc/support/port_platform.h" |
||||
#include "grpcpp/channel.h" |
||||
#include "grpcpp/client_context.h" |
||||
#include "grpcpp/create_channel.h" |
||||
#include "grpcpp/ext/channelz_service_plugin.h" |
||||
#include "grpcpp/grpcpp.h" |
||||
#include "grpcpp/security/credentials.h" |
||||
#include "grpcpp/security/server_credentials.h" |
||||
#include "grpcpp/server.h" |
||||
#include "grpcpp/server_builder.h" |
||||
#include "grpcpp/server_context.h" |
||||
#include "src/core/lib/json/json.h" |
||||
#include "src/cpp/server/channelz/channelz_service.h" |
||||
#include "src/proto/grpc/channelz/channelz.pb.h" |
||||
#include "test/core/util/test_config.h" |
||||
#include "test/cpp/util/test_config.h" |
||||
#include "test/cpp/util/test_credentials_provider.h" |
||||
|
||||
DEFINE_string(server_address, "", "channelz server address"); |
||||
DEFINE_string(custom_credentials_type, "", "custom credentials type"); |
||||
DEFINE_int64(sampling_times, 1, "number of sampling"); |
||||
DEFINE_int64(sampling_interval_seconds, 0, "sampling interval in seconds"); |
||||
DEFINE_string(output_json, "", "output filename in json format"); |
||||
|
||||
namespace { |
||||
using grpc::ClientContext; |
||||
using grpc::Status; |
||||
using grpc::StatusCode; |
||||
using grpc::channelz::v1::GetChannelRequest; |
||||
using grpc::channelz::v1::GetChannelResponse; |
||||
using grpc::channelz::v1::GetServerRequest; |
||||
using grpc::channelz::v1::GetServerResponse; |
||||
using grpc::channelz::v1::GetServerSocketsRequest; |
||||
using grpc::channelz::v1::GetServerSocketsResponse; |
||||
using grpc::channelz::v1::GetServersRequest; |
||||
using grpc::channelz::v1::GetServersResponse; |
||||
using grpc::channelz::v1::GetSocketRequest; |
||||
using grpc::channelz::v1::GetSocketResponse; |
||||
using grpc::channelz::v1::GetSubchannelRequest; |
||||
using grpc::channelz::v1::GetSubchannelResponse; |
||||
using grpc::channelz::v1::GetTopChannelsRequest; |
||||
using grpc::channelz::v1::GetTopChannelsResponse; |
||||
} // namespace
|
||||
|
||||
class ChannelzSampler final { |
||||
public: |
||||
// Get server_id of a server
|
||||
int64_t GetServerID(const grpc::channelz::v1::Server& server) { |
||||
return server.ref().server_id(); |
||||
} |
||||
|
||||
// Get channel_id of a channel
|
||||
inline int64_t GetChannelID(const grpc::channelz::v1::Channel& channel) { |
||||
return channel.ref().channel_id(); |
||||
} |
||||
|
||||
// Get subchannel_id of a subchannel
|
||||
inline int64_t GetSubchannelID( |
||||
const grpc::channelz::v1::Subchannel& subchannel) { |
||||
return subchannel.ref().subchannel_id(); |
||||
} |
||||
|
||||
// Get socket_id of a socket
|
||||
inline int64_t GetSocketID(const grpc::channelz::v1::Socket& socket) { |
||||
return socket.ref().socket_id(); |
||||
} |
||||
|
||||
// Get name of a server
|
||||
inline std::string GetServerName(const grpc::channelz::v1::Server& server) { |
||||
return server.ref().name(); |
||||
} |
||||
|
||||
// Get name of a channel
|
||||
inline std::string GetChannelName( |
||||
const grpc::channelz::v1::Channel& channel) { |
||||
return channel.ref().name(); |
||||
} |
||||
|
||||
// Get name of a subchannel
|
||||
inline std::string GetSubchannelName( |
||||
const grpc::channelz::v1::Subchannel& subchannel) { |
||||
return subchannel.ref().name(); |
||||
} |
||||
|
||||
// Get name of a socket
|
||||
inline std::string GetSocketName(const grpc::channelz::v1::Socket& socket) { |
||||
return socket.ref().name(); |
||||
} |
||||
|
||||
// Get a channel based on channel_id
|
||||
grpc::channelz::v1::Channel GetChannelRPC(int64_t channel_id) { |
||||
GetChannelRequest get_channel_request; |
||||
get_channel_request.set_channel_id(channel_id); |
||||
GetChannelResponse get_channel_response; |
||||
ClientContext get_channel_context; |
||||
get_channel_context.set_deadline( |
||||
grpc_timeout_seconds_to_deadline(rpc_timeout_seconds_)); |
||||
Status status = channelz_stub_->GetChannel( |
||||
&get_channel_context, get_channel_request, &get_channel_response); |
||||
if (!status.ok()) { |
||||
gpr_log(GPR_ERROR, "GetChannelRPC failed: %s", |
||||
get_channel_context.debug_error_string().c_str()); |
||||
GPR_ASSERT(0); |
||||
} |
||||
return get_channel_response.channel(); |
||||
} |
||||
|
||||
// Get a subchannel based on subchannel_id
|
||||
grpc::channelz::v1::Subchannel GetSubchannelRPC(int64_t subchannel_id) { |
||||
GetSubchannelRequest get_subchannel_request; |
||||
get_subchannel_request.set_subchannel_id(subchannel_id); |
||||
GetSubchannelResponse get_subchannel_response; |
||||
ClientContext get_subchannel_context; |
||||
get_subchannel_context.set_deadline( |
||||
grpc_timeout_seconds_to_deadline(rpc_timeout_seconds_)); |
||||
Status status = channelz_stub_->GetSubchannel(&get_subchannel_context, |
||||
get_subchannel_request, |
||||
&get_subchannel_response); |
||||
if (!status.ok()) { |
||||
gpr_log(GPR_ERROR, "GetSubchannelRPC failed: %s", |
||||
get_subchannel_context.debug_error_string().c_str()); |
||||
GPR_ASSERT(0); |
||||
} |
||||
return get_subchannel_response.subchannel(); |
||||
} |
||||
|
||||
// get a socket based on socket_id
|
||||
grpc::channelz::v1::Socket GetSocketRPC(int64_t socket_id) { |
||||
GetSocketRequest get_socket_request; |
||||
get_socket_request.set_socket_id(socket_id); |
||||
GetSocketResponse get_socket_response; |
||||
ClientContext get_socket_context; |
||||
get_socket_context.set_deadline( |
||||
grpc_timeout_seconds_to_deadline(rpc_timeout_seconds_)); |
||||
Status status = channelz_stub_->GetSocket( |
||||
&get_socket_context, get_socket_request, &get_socket_response); |
||||
if (!status.ok()) { |
||||
gpr_log(GPR_ERROR, "GetSocketRPC failed: %s", |
||||
get_socket_context.debug_error_string().c_str()); |
||||
GPR_ASSERT(0); |
||||
} |
||||
return get_socket_response.socket(); |
||||
} |
||||
|
||||
// get the descedent channels/subchannels/sockets of a channel
|
||||
// push descedent channels/subchannels to queue for layer traverse
|
||||
// store descedent channels/subchannels/sockets for dumping data
|
||||
void GetChannelDescedence( |
||||
const grpc::channelz::v1::Channel& channel, |
||||
std::queue<grpc::channelz::v1::Channel>& channel_queue, |
||||
std::queue<grpc::channelz::v1::Subchannel>& subchannel_queue) { |
||||
std::cout << " Channel ID" << GetChannelID(channel) << "_" |
||||
<< GetChannelName(channel) << " descendence - "; |
||||
if (channel.channel_ref_size() > 0 || channel.subchannel_ref_size() > 0) { |
||||
if (channel.channel_ref_size() > 0) { |
||||
std::cout << "channel: "; |
||||
for (const auto& _channelref : channel.channel_ref()) { |
||||
int64_t ch_id = _channelref.channel_id(); |
||||
std::cout << "ID" << ch_id << "_" << _channelref.name() << " "; |
||||
grpc::channelz::v1::Channel ch = GetChannelRPC(ch_id); |
||||
channel_queue.push(ch); |
||||
if (CheckID(ch_id)) { |
||||
all_channels_.push_back(ch); |
||||
StoreChannelInJson(ch); |
||||
} |
||||
} |
||||
if (channel.subchannel_ref_size() > 0) { |
||||
std::cout << ", "; |
||||
} |
||||
} |
||||
if (channel.subchannel_ref_size() > 0) { |
||||
std::cout << "subchannel: "; |
||||
for (const auto& _subchannelref : channel.subchannel_ref()) { |
||||
int64_t subch_id = _subchannelref.subchannel_id(); |
||||
std::cout << "ID" << subch_id << "_" << _subchannelref.name() << " "; |
||||
grpc::channelz::v1::Subchannel subch = GetSubchannelRPC(subch_id); |
||||
subchannel_queue.push(subch); |
||||
if (CheckID(subch_id)) { |
||||
all_subchannels_.push_back(subch); |
||||
StoreSubchannelInJson(subch); |
||||
} |
||||
} |
||||
} |
||||
} else if (channel.socket_ref_size() > 0) { |
||||
std::cout << "socket: "; |
||||
for (const auto& _socketref : channel.socket_ref()) { |
||||
int64_t so_id = _socketref.socket_id(); |
||||
std::cout << "ID" << so_id << "_" << _socketref.name() << " "; |
||||
grpc::channelz::v1::Socket so = GetSocketRPC(so_id); |
||||
if (CheckID(so_id)) { |
||||
all_sockets_.push_back(so); |
||||
StoreSocketInJson(so); |
||||
} |
||||
} |
||||
} |
||||
std::cout << std::endl; |
||||
} |
||||
|
||||
// get the descedent channels/subchannels/sockets of a subchannel
|
||||
// push descedent channels/subchannels to queue for layer traverse
|
||||
// store descedent channels/subchannels/sockets for dumping data
|
||||
void GetSubchannelDescedence( |
||||
grpc::channelz::v1::Subchannel& subchannel, |
||||
std::queue<grpc::channelz::v1::Channel>& channel_queue, |
||||
std::queue<grpc::channelz::v1::Subchannel>& subchannel_queue) { |
||||
std::cout << " Subchannel ID" << GetSubchannelID(subchannel) << "_" |
||||
<< GetSubchannelName(subchannel) << " descendence - "; |
||||
if (subchannel.channel_ref_size() > 0 || |
||||
subchannel.subchannel_ref_size() > 0) { |
||||
if (subchannel.channel_ref_size() > 0) { |
||||
std::cout << "channel: "; |
||||
for (const auto& _channelref : subchannel.channel_ref()) { |
||||
int64_t ch_id = _channelref.channel_id(); |
||||
std::cout << "ID" << ch_id << "_" << _channelref.name() << " "; |
||||
grpc::channelz::v1::Channel ch = GetChannelRPC(ch_id); |
||||
channel_queue.push(ch); |
||||
if (CheckID(ch_id)) { |
||||
all_channels_.push_back(ch); |
||||
StoreChannelInJson(ch); |
||||
} |
||||
} |
||||
if (subchannel.subchannel_ref_size() > 0) { |
||||
std::cout << ", "; |
||||
} |
||||
} |
||||
if (subchannel.subchannel_ref_size() > 0) { |
||||
std::cout << "subchannel: "; |
||||
for (const auto& _subchannelref : subchannel.subchannel_ref()) { |
||||
int64_t subch_id = _subchannelref.subchannel_id(); |
||||
std::cout << "ID" << subch_id << "_" << _subchannelref.name() << " "; |
||||
grpc::channelz::v1::Subchannel subch = GetSubchannelRPC(subch_id); |
||||
subchannel_queue.push(subch); |
||||
if (CheckID(subch_id)) { |
||||
all_subchannels_.push_back(subch); |
||||
StoreSubchannelInJson(subch); |
||||
} |
||||
} |
||||
} |
||||
} else if (subchannel.socket_ref_size() > 0) { |
||||
std::cout << "socket: "; |
||||
for (const auto& _socketref : subchannel.socket_ref()) { |
||||
int64_t so_id = _socketref.socket_id(); |
||||
std::cout << "ID" << so_id << "_" << _socketref.name() << " "; |
||||
grpc::channelz::v1::Socket so = GetSocketRPC(so_id); |
||||
if (CheckID(so_id)) { |
||||
all_sockets_.push_back(so); |
||||
StoreSocketInJson(so); |
||||
} |
||||
} |
||||
} |
||||
std::cout << std::endl; |
||||
} |
||||
|
||||
// Set up the channelz sampler client
|
||||
// Initialize json as an array
|
||||
void Setup(const std::string& custom_credentials_type, |
||||
const std::string& server_address) { |
||||
json_ = grpc_core::Json::Array(); |
||||
rpc_timeout_seconds_ = 20; |
||||
grpc::ChannelArguments channel_args; |
||||
std::shared_ptr<grpc::ChannelCredentials> channel_creds = |
||||
grpc::testing::GetCredentialsProvider()->GetChannelCredentials( |
||||
custom_credentials_type, &channel_args); |
||||
if (!channel_creds) { |
||||
gpr_log(GPR_ERROR, |
||||
"Wrong user credential type: %s. Allowed credential types: " |
||||
"INSECURE_CREDENTIALS, ssl, alts, google_default_credentials.", |
||||
custom_credentials_type.c_str()); |
||||
GPR_ASSERT(0); |
||||
} |
||||
std::shared_ptr<grpc::Channel> channel = |
||||
CreateChannel(server_address, channel_creds); |
||||
channelz_stub_ = grpc::channelz::v1::Channelz::NewStub(channel); |
||||
} |
||||
|
||||
// Get all servers, keep querying until getting all
|
||||
// Store servers for dumping data
|
||||
// Need to check id repeating for servers
|
||||
void GetServersRPC() { |
||||
int64_t server_start_id = 0; |
||||
while (true) { |
||||
GetServersRequest get_servers_request; |
||||
GetServersResponse get_servers_response; |
||||
ClientContext get_servers_context; |
||||
get_servers_context.set_deadline( |
||||
grpc_timeout_seconds_to_deadline(rpc_timeout_seconds_)); |
||||
get_servers_request.set_start_server_id(server_start_id); |
||||
Status status = channelz_stub_->GetServers( |
||||
&get_servers_context, get_servers_request, &get_servers_response); |
||||
if (!status.ok()) { |
||||
if (status.error_code() == StatusCode::UNIMPLEMENTED) { |
||||
gpr_log(GPR_ERROR, |
||||
"Error status UNIMPLEMENTED. Please check and make sure " |
||||
"channelz has been registered on the server being queried."); |
||||
} else { |
||||
gpr_log(GPR_ERROR, |
||||
"GetServers RPC with GetServersRequest.server_start_id=%d, " |
||||
"failed: %s", |
||||
int(server_start_id), |
||||
get_servers_context.debug_error_string().c_str()); |
||||
} |
||||
GPR_ASSERT(0); |
||||
} |
||||
for (const auto& _server : get_servers_response.server()) { |
||||
all_servers_.push_back(_server); |
||||
StoreServerInJson(_server); |
||||
} |
||||
if (!get_servers_response.end()) { |
||||
server_start_id = GetServerID(all_servers_.back()) + 1; |
||||
} else { |
||||
break; |
||||
} |
||||
} |
||||
std::cout << "Number of servers = " << all_servers_.size() << std::endl; |
||||
} |
||||
|
||||
// Get sockets that belongs to servers
|
||||
// Store sockets for dumping data
|
||||
void GetSocketsOfServers() { |
||||
for (const auto& _server : all_servers_) { |
||||
std::cout << "Server ID" << GetServerID(_server) << "_" |
||||
<< GetServerName(_server) << " listen_socket - "; |
||||
for (const auto& _socket : _server.listen_socket()) { |
||||
int64_t so_id = _socket.socket_id(); |
||||
std::cout << "ID" << so_id << "_" << _socket.name() << " "; |
||||
if (CheckID(so_id)) { |
||||
grpc::channelz::v1::Socket so = GetSocketRPC(so_id); |
||||
all_sockets_.push_back(so); |
||||
StoreSocketInJson(so); |
||||
} |
||||
} |
||||
std::cout << std::endl; |
||||
} |
||||
} |
||||
|
||||
// Get all top channels, keep querying until getting all
|
||||
// Store channels for dumping data
|
||||
// No need to check id repeating for top channels
|
||||
void GetTopChannelsRPC() { |
||||
int64_t channel_start_id = 0; |
||||
while (true) { |
||||
GetTopChannelsRequest get_top_channels_request; |
||||
GetTopChannelsResponse get_top_channels_response; |
||||
ClientContext get_top_channels_context; |
||||
get_top_channels_context.set_deadline( |
||||
grpc_timeout_seconds_to_deadline(rpc_timeout_seconds_)); |
||||
get_top_channels_request.set_start_channel_id(channel_start_id); |
||||
Status status = channelz_stub_->GetTopChannels( |
||||
&get_top_channels_context, get_top_channels_request, |
||||
&get_top_channels_response); |
||||
if (!status.ok()) { |
||||
gpr_log(GPR_ERROR, |
||||
"GetTopChannels RPC with " |
||||
"GetTopChannelsRequest.channel_start_id=%d failed: %s", |
||||
int(channel_start_id), |
||||
get_top_channels_context.debug_error_string().c_str()); |
||||
GPR_ASSERT(0); |
||||
} |
||||
for (const auto& _topchannel : get_top_channels_response.channel()) { |
||||
top_channels_.push_back(_topchannel); |
||||
all_channels_.push_back(_topchannel); |
||||
StoreChannelInJson(_topchannel); |
||||
} |
||||
if (!get_top_channels_response.end()) { |
||||
channel_start_id = GetChannelID(top_channels_.back()) + 1; |
||||
} else { |
||||
break; |
||||
} |
||||
} |
||||
std::cout << std::endl |
||||
<< "Number of top channels = " << top_channels_.size() |
||||
<< std::endl; |
||||
} |
||||
|
||||
// layer traverse for each top channel
|
||||
void TraverseTopChannels() { |
||||
for (const auto& _topchannel : top_channels_) { |
||||
int tree_depth = 0; |
||||
std::queue<grpc::channelz::v1::Channel> channel_queue; |
||||
std::queue<grpc::channelz::v1::Subchannel> subchannel_queue; |
||||
std::cout << "Tree depth = " << tree_depth << std::endl; |
||||
GetChannelDescedence(_topchannel, channel_queue, subchannel_queue); |
||||
while (!channel_queue.empty() || !subchannel_queue.empty()) { |
||||
++tree_depth; |
||||
std::cout << "Tree depth = " << tree_depth << std::endl; |
||||
int ch_q_size = channel_queue.size(); |
||||
int subch_q_size = subchannel_queue.size(); |
||||
for (int i = 0; i < ch_q_size; ++i) { |
||||
grpc::channelz::v1::Channel ch = channel_queue.front(); |
||||
channel_queue.pop(); |
||||
GetChannelDescedence(ch, channel_queue, subchannel_queue); |
||||
} |
||||
for (int i = 0; i < subch_q_size; ++i) { |
||||
grpc::channelz::v1::Subchannel subch = subchannel_queue.front(); |
||||
subchannel_queue.pop(); |
||||
GetSubchannelDescedence(subch, channel_queue, subchannel_queue); |
||||
} |
||||
} |
||||
std::cout << std::endl; |
||||
} |
||||
} |
||||
|
||||
// dump data of all entities to stdout
|
||||
void DumpStdout() { |
||||
std::string data_str; |
||||
for (const auto& _channel : all_channels_) { |
||||
std::cout << "channel ID" << GetChannelID(_channel) << "_" |
||||
<< GetChannelName(_channel) << " data:" << std::endl; |
||||
// TODO(mohanli): TextFormat::PrintToString records time as seconds and
|
||||
// nanos. Need a more human readable way.
|
||||
::google::protobuf::TextFormat::PrintToString(_channel.data(), &data_str); |
||||
printf("%s\n", data_str.c_str()); |
||||
} |
||||
for (const auto& _subchannel : all_subchannels_) { |
||||
std::cout << "subchannel ID" << GetSubchannelID(_subchannel) << "_" |
||||
<< GetSubchannelName(_subchannel) << " data:" << std::endl; |
||||
::google::protobuf::TextFormat::PrintToString(_subchannel.data(), |
||||
&data_str); |
||||
printf("%s\n", data_str.c_str()); |
||||
} |
||||
for (const auto& _server : all_servers_) { |
||||
std::cout << "server ID" << GetServerID(_server) << "_" |
||||
<< GetServerName(_server) << " data:" << std::endl; |
||||
::google::protobuf::TextFormat::PrintToString(_server.data(), &data_str); |
||||
printf("%s\n", data_str.c_str()); |
||||
} |
||||
for (const auto& _socket : all_sockets_) { |
||||
std::cout << "socket ID" << GetSocketID(_socket) << "_" |
||||
<< GetSocketName(_socket) << " data:" << std::endl; |
||||
::google::protobuf::TextFormat::PrintToString(_socket.data(), &data_str); |
||||
printf("%s\n", data_str.c_str()); |
||||
} |
||||
} |
||||
|
||||
// Store a channel in Json
|
||||
void StoreChannelInJson(const grpc::channelz::v1::Channel& channel) { |
||||
std::string id = grpc::to_string(GetChannelID(channel)); |
||||
std::string type = "Channel"; |
||||
std::string description; |
||||
::google::protobuf::TextFormat::PrintToString(channel.data(), &description); |
||||
grpc_core::Json description_json = grpc_core::Json(description); |
||||
StoreEntityInJson(id, type, description_json); |
||||
} |
||||
|
||||
// Store a subchannel in Json
|
||||
void StoreSubchannelInJson(const grpc::channelz::v1::Subchannel& subchannel) { |
||||
std::string id = grpc::to_string(GetSubchannelID(subchannel)); |
||||
std::string type = "Subchannel"; |
||||
std::string description; |
||||
::google::protobuf::TextFormat::PrintToString(subchannel.data(), |
||||
&description); |
||||
grpc_core::Json description_json = grpc_core::Json(description); |
||||
StoreEntityInJson(id, type, description_json); |
||||
} |
||||
|
||||
// Store a server in Json
|
||||
void StoreServerInJson(const grpc::channelz::v1::Server& server) { |
||||
std::string id = grpc::to_string(GetServerID(server)); |
||||
std::string type = "Server"; |
||||
std::string description; |
||||
::google::protobuf::TextFormat::PrintToString(server.data(), &description); |
||||
grpc_core::Json description_json = grpc_core::Json(description); |
||||
StoreEntityInJson(id, type, description_json); |
||||
} |
||||
|
||||
// Store a socket in Json
|
||||
void StoreSocketInJson(const grpc::channelz::v1::Socket& socket) { |
||||
std::string id = grpc::to_string(GetSocketID(socket)); |
||||
std::string type = "Socket"; |
||||
std::string description; |
||||
::google::protobuf::TextFormat::PrintToString(socket.data(), &description); |
||||
grpc_core::Json description_json = grpc_core::Json(description); |
||||
StoreEntityInJson(id, type, description_json); |
||||
} |
||||
|
||||
// Store an entity in Json
|
||||
void StoreEntityInJson(std::string& id, std::string& type, |
||||
const grpc_core::Json& description) { |
||||
std::string start, finish; |
||||
gpr_timespec ago = gpr_time_sub( |
||||
now_, |
||||
gpr_time_from_seconds(FLAGS_sampling_interval_seconds, GPR_TIMESPAN)); |
||||
std::stringstream ss; |
||||
const time_t time_now = now_.tv_sec; |
||||
ss << std::put_time(std::localtime(&time_now), "%F %T"); |
||||
finish = ss.str(); // example: "2019-02-01 12:12:18"
|
||||
ss.str(""); |
||||
const time_t time_ago = ago.tv_sec; |
||||
ss << std::put_time(std::localtime(&time_ago), "%F %T"); |
||||
start = ss.str(); |
||||
grpc_core::Json obj = |
||||
grpc_core::Json::Object{{"Task", absl::StrFormat("%s_ID%s", type, id)}, |
||||
{"Start", start}, |
||||
{"Finish", finish}, |
||||
{"ID", id}, |
||||
{"Type", type}, |
||||
{"Description", description}}; |
||||
json_.mutable_array()->push_back(obj); |
||||
} |
||||
|
||||
// Dump data in json
|
||||
std::string DumpJson() { return json_.Dump(); } |
||||
|
||||
// Check if one entity has been recorded
|
||||
bool CheckID(int64_t id) { |
||||
if (id_set_.count(id) == 0) { |
||||
id_set_.insert(id); |
||||
return true; |
||||
} else { |
||||
return false; |
||||
} |
||||
} |
||||
|
||||
// Record current time
|
||||
void RecordNow() { now_ = gpr_now(GPR_CLOCK_REALTIME); } |
||||
|
||||
private: |
||||
std::unique_ptr<grpc::channelz::v1::Channelz::Stub> channelz_stub_; |
||||
std::vector<grpc::channelz::v1::Channel> top_channels_; |
||||
std::vector<grpc::channelz::v1::Server> all_servers_; |
||||
std::vector<grpc::channelz::v1::Channel> all_channels_; |
||||
std::vector<grpc::channelz::v1::Subchannel> all_subchannels_; |
||||
std::vector<grpc::channelz::v1::Socket> all_sockets_; |
||||
std::unordered_set<int64_t> id_set_; |
||||
grpc_core::Json json_; |
||||
int64_t rpc_timeout_seconds_; |
||||
gpr_timespec now_; |
||||
}; |
||||
|
||||
int main(int argc, char** argv) { |
||||
grpc::testing::TestEnvironment env(argc, argv); |
||||
grpc::testing::InitTest(&argc, &argv, true); |
||||
std::ofstream output_file(FLAGS_output_json); |
||||
for (int i = 0; i < FLAGS_sampling_times; ++i) { |
||||
ChannelzSampler channelz_sampler; |
||||
channelz_sampler.Setup(FLAGS_custom_credentials_type, FLAGS_server_address); |
||||
std::cout << "Wait for sampling interval " |
||||
<< FLAGS_sampling_interval_seconds << "s..." << std::endl; |
||||
const gpr_timespec kDelay = gpr_time_add( |
||||
gpr_now(GPR_CLOCK_MONOTONIC), |
||||
gpr_time_from_seconds(FLAGS_sampling_interval_seconds, GPR_TIMESPAN)); |
||||
gpr_sleep_until(kDelay); |
||||
std::cout << "##### " << i << "th sampling #####" << std::endl; |
||||
channelz_sampler.RecordNow(); |
||||
channelz_sampler.GetServersRPC(); |
||||
channelz_sampler.GetSocketsOfServers(); |
||||
channelz_sampler.GetTopChannelsRPC(); |
||||
channelz_sampler.TraverseTopChannels(); |
||||
channelz_sampler.DumpStdout(); |
||||
if (!FLAGS_output_json.empty()) { |
||||
output_file << channelz_sampler.DumpJson() << "\n" << std::flush; |
||||
} |
||||
} |
||||
output_file.close(); |
||||
return 0; |
||||
} |
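--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,176 @@
+/*
+ *
+ * Copyright 2016 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <cstdlib>
+#include <iostream>
+#include <memory>
+#include <string>
+#include <thread>
+
+#include "grpc/grpc.h"
+#include "grpc/support/alloc.h"
+#include "grpc/support/port_platform.h"
+#include "grpcpp/channel.h"
+#include "grpcpp/client_context.h"
+#include "grpcpp/create_channel.h"
+#include "grpcpp/ext/channelz_service_plugin.h"
+#include "grpcpp/grpcpp.h"
+#include "grpcpp/security/credentials.h"
+#include "grpcpp/security/server_credentials.h"
+#include "grpcpp/server.h"
+#include "grpcpp/server_builder.h"
+#include "grpcpp/server_context.h"
+#include "gtest/gtest.h"
+#include "src/core/lib/gpr/env.h"
+#include "src/cpp/server/channelz/channelz_service.h"
+#include "src/proto/grpc/testing/test.grpc.pb.h"
+#include "test/core/util/test_config.h"
+#include "test/cpp/util/subprocess.h"
+#include "test/cpp/util/test_credentials_provider.h"
+
+static std::string g_root;
+
+namespace {
+using grpc::ClientContext;
+using grpc::Server;
+using grpc::ServerBuilder;
+using grpc::ServerContext;
+using grpc::Status;
+}  // namespace
+
+// Test variables
+std::string server_address("0.0.0.0:10000");
+std::string custom_credentials_type("INSECURE_CREDENTIALS");
+std::string sampling_times = "2";
+std::string sampling_interval_seconds = "3";
+std::string output_json("output.json");
+
+// Creata an echo server
+class EchoServerImpl final : public grpc::testing::TestService::Service {
+  Status EmptyCall(::grpc::ServerContext* context,
+                   const grpc::testing::Empty* request,
+                   grpc::testing::Empty* response) {
+    return Status::OK;
+  }
+};
+
+// Run client in a thread
+void RunClient(const std::string& client_id, gpr_event* done_ev) {
+  grpc::ChannelArguments channel_args;
+  std::shared_ptr<grpc::ChannelCredentials> channel_creds =
+      grpc::testing::GetCredentialsProvider()->GetChannelCredentials(
+          custom_credentials_type, &channel_args);
+  std::unique_ptr<grpc::testing::TestService::Stub> stub =
+      grpc::testing::TestService::NewStub(
+          grpc::CreateChannel(server_address, channel_creds));
+  gpr_log(GPR_INFO, "Client %s is echoing!", client_id.c_str());
+  while (true) {
+    if (gpr_event_wait(done_ev, grpc_timeout_seconds_to_deadline(1)) !=
+        nullptr) {
+      return;
+    }
+    grpc::testing::Empty request;
+    grpc::testing::Empty response;
+    ClientContext context;
+    Status status = stub->EmptyCall(&context, request, &response);
+    if (!status.ok()) {
+      gpr_log(GPR_ERROR, "Client echo failed.");
+      GPR_ASSERT(0);
+    }
+  }
+}
+
+// Create the channelz to test the connection to the server
+bool WaitForConnection(int wait_server_seconds) {
+  grpc::ChannelArguments channel_args;
+  std::shared_ptr<grpc::ChannelCredentials> channel_creds =
+      grpc::testing::GetCredentialsProvider()->GetChannelCredentials(
+          custom_credentials_type, &channel_args);
+  auto channel = grpc::CreateChannel(server_address, channel_creds);
+  return channel->WaitForConnected(
+      grpc_timeout_seconds_to_deadline(wait_server_seconds));
+}
+
+// Test the channelz sampler
+TEST(ChannelzSamplerTest, SimpleTest) {
+  // start server
+  ::grpc::channelz::experimental::InitChannelzService();
+  EchoServerImpl service;
+  grpc::ServerBuilder builder;
+  auto server_creds =
+      grpc::testing::GetCredentialsProvider()->GetServerCredentials(
+          custom_credentials_type);
+  builder.AddListeningPort(server_address, server_creds);
+  builder.RegisterService(&service);
+  std::unique_ptr<Server> server(builder.BuildAndStart());
+  gpr_log(GPR_INFO, "Server listening on %s", server_address.c_str());
+  const int kWaitForServerSeconds = 10;
+  ASSERT_TRUE(WaitForConnection(kWaitForServerSeconds));
+  // client threads
+  gpr_event done_ev1, done_ev2;
+  gpr_event_init(&done_ev1);
+  gpr_event_init(&done_ev2);
+  std::thread client_thread_1(RunClient, "1", &done_ev1);
+  std::thread client_thread_2(RunClient, "2", &done_ev2);
+  // Run the channelz sampler
+  grpc::SubProcess* test_driver = new grpc::SubProcess(
+      {g_root + "/channelz_sampler", "--server_address=" + server_address,
+       "--custom_credentials_type=" + custom_credentials_type,
+       "--sampling_times=" + sampling_times,
+       "--sampling_interval_seconds=" + sampling_interval_seconds,
+       "--output_json=" + output_json});
+  int status = test_driver->Join();
+  if (WIFEXITED(status)) {
+    if (WEXITSTATUS(status)) {
+      gpr_log(GPR_ERROR,
+              "Channelz sampler test test-runner exited with code %d",
+              WEXITSTATUS(status));
+      GPR_ASSERT(0);  // log the line number of the assertion failure
+    }
+  } else if (WIFSIGNALED(status)) {
+    gpr_log(GPR_ERROR, "Channelz sampler test test-runner ended from signal %d",
+            WTERMSIG(status));
+    GPR_ASSERT(0);
+  } else {
+    gpr_log(GPR_ERROR,
+            "Channelz sampler test test-runner ended with unknown status %d",
+            status);
+    GPR_ASSERT(0);
+  }
+  delete test_driver;
+  gpr_event_set(&done_ev1, (void*)1);
+  gpr_event_set(&done_ev2, (void*)1);
+  client_thread_1.join();
+  client_thread_2.join();
+}
+
+int main(int argc, char** argv) {
+  grpc::testing::TestEnvironment env(argc, argv);
+  ::testing::InitGoogleTest(&argc, argv);
+  std::string me = argv[0];
+  auto lslash = me.rfind('/');
+  if (lslash != std::string::npos) {
+    g_root = me.substr(0, lslash);
+  } else {
+    g_root = ".";
+  }
+  int ret = RUN_ALL_TESTS();
+  return ret;
+}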
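Review bot: The test server is bound to a fixed port on every interface (`std::string server_address("0.0.0.0:10000");` near the top of the file) and serves with INSECURE_CREDENTIALS, so parallel test shards collide on port 10000 and the plaintext echo and channelz services are reachable from off-host for the duration of the test on machines without a host firewall. Picking the port at test start with `grpc_pick_unused_port_or_die()` and binding a loopback address (`"localhost:" + std::to_string(port)`) removes both problems. Separately, in `SimpleTest` the raw `grpc::SubProcess* test_driver = new grpc::SubProcess(...)` is paired with a manual `delete` after three `GPR_ASSERT(0)` paths; `auto test_driver = std::make_unique<grpc::SubProcess>(...)` makes ownership explicit with `<memory>` already included. `EmptyCall` in `EchoServerImpl` should also carry `override` so a signature drift in the generated base is caught at compile time.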