// // Copyright 2021 gRPC authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // #include #include #include #include #include #include #include #include "src/cpp/client/secure_credentials.h" #include "test/core/test_util/port.h" #include "test/core/test_util/test_config.h" #include "test/cpp/util/tls_test_utils.h" namespace { using ::grpc::experimental::ExternalCertificateVerifier; using ::grpc::experimental::HostNameCertificateVerifier; using ::grpc::experimental::NoOpCertificateVerifier; using ::grpc::experimental::TlsCustomVerificationCheckRequest; } // namespace namespace grpc { namespace testing { namespace { TEST(TlsCertificateVerifierTest, SyncCertificateVerifierSucceeds) { grpc_tls_custom_verification_check_request request; auto verifier = ExternalCertificateVerifier::Create(true); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_TRUE(sync_status.ok()) << sync_status.error_code() << " " << sync_status.error_message(); } TEST(TlsCertificateVerifierTest, SyncCertificateVerifierFails) { grpc_tls_custom_verification_check_request request; auto verifier = ExternalCertificateVerifier::Create(false); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_EQ(sync_status.error_code(), grpc::StatusCode::UNAUTHENTICATED); EXPECT_EQ(sync_status.error_message(), "SyncCertificateVerifier failed"); } TEST(TlsCertificateVerifierTest, AsyncCertificateVerifierSucceeds) { grpc_tls_custom_verification_check_request request; auto verifier = ExternalCertificateVerifier::Create(true); TlsCustomVerificationCheckRequest cpp_request(&request); std::function callback = [](grpc::Status async_status) { EXPECT_TRUE(async_status.ok()) << async_status.error_code() << " " << async_status.error_message(); }; grpc::Status sync_status; EXPECT_FALSE(verifier->Verify(&cpp_request, callback, &sync_status)); } TEST(TlsCertificateVerifierTest, AsyncCertificateVerifierFails) { grpc_tls_custom_verification_check_request request; auto verifier = ExternalCertificateVerifier::Create(false); TlsCustomVerificationCheckRequest cpp_request(&request); std::function callback = [](grpc::Status async_status) { EXPECT_EQ(async_status.error_code(), grpc::StatusCode::UNAUTHENTICATED); EXPECT_EQ(async_status.error_message(), "AsyncCertificateVerifier failed"); }; grpc::Status sync_status; EXPECT_FALSE(verifier->Verify(&cpp_request, callback, &sync_status)); } TEST(TlsCertificateVerifierTest, NoOpCertificateVerifierSucceeds) { grpc_tls_custom_verification_check_request request; memset(&request, 0, sizeof(request)); auto verifier = std::make_shared(); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_TRUE(sync_status.ok()) << sync_status.error_code() << " " << sync_status.error_message(); } TEST(TlsCertificateVerifierTest, HostNameCertificateVerifierSucceeds) { grpc_tls_custom_verification_check_request request; memset(&request, 0, sizeof(request)); request.target_name = "foo.bar.com"; request.peer_info.common_name = "foo.bar.com"; auto verifier = std::make_shared(); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_TRUE(sync_status.ok()) << sync_status.error_code() << " " << sync_status.error_message(); } TEST(TlsCertificateVerifierTest, HostNameCertificateVerifierFails) { grpc_tls_custom_verification_check_request request; memset(&request, 0, sizeof(request)); request.target_name = "foo.bar.com"; request.peer_info.common_name = "foo.baz.com"; auto verifier = std::make_shared(); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_EQ(sync_status.error_code(), grpc::StatusCode::UNAUTHENTICATED); EXPECT_EQ(sync_status.error_message(), "Hostname Verification Check failed."); } TEST(TlsCertificateVerifierTest, HostNameCertificateVerifierSucceedsMultipleFields) { grpc_tls_custom_verification_check_request request; memset(&request, 0, sizeof(request)); request.target_name = "foo.bar.com"; request.peer_info.common_name = "foo.baz.com"; char* dns_names[] = {const_cast("*.bar.com")}; request.peer_info.san_names.dns_names = dns_names; request.peer_info.san_names.dns_names_size = 1; auto verifier = std::make_shared(); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_TRUE(sync_status.ok()) << sync_status.error_code() << " " << sync_status.error_message(); } TEST(TlsCertificateVerifierTest, HostNameCertificateVerifierFailsMultipleFields) { grpc_tls_custom_verification_check_request request; memset(&request, 0, sizeof(request)); request.target_name = "foo.bar.com"; request.peer_info.common_name = "foo.baz.com"; char* dns_names[] = {const_cast("*.")}; request.peer_info.san_names.dns_names = dns_names; request.peer_info.san_names.dns_names_size = 1; auto verifier = std::make_shared(); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_EQ(sync_status.error_code(), grpc::StatusCode::UNAUTHENTICATED); EXPECT_EQ(sync_status.error_message(), "Hostname Verification Check failed."); } TEST(TlsCertificateVerifierTest, VerifiedRootCertSubjectVerifierSucceeds) { grpc_tls_custom_verification_check_request request; constexpr char kExpectedSubject[] = "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"; request.peer_info.verified_root_cert_subject = kExpectedSubject; auto verifier = ExternalCertificateVerifier::Create( kExpectedSubject); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; bool is_sync = verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_TRUE(is_sync); EXPECT_TRUE(sync_status.ok()) << sync_status.error_code() << " " << sync_status.error_message(); } TEST(TlsCertificateVerifierTest, VerifiedRootCertSubjectVerifierFailsNull) { grpc_tls_custom_verification_check_request request; constexpr char kExpectedSubject[] = "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"; request.peer_info.verified_root_cert_subject = nullptr; auto verifier = ExternalCertificateVerifier::Create( kExpectedSubject); TlsCustomVerificationCheckRequest cpp_request(&request); EXPECT_EQ(cpp_request.verified_root_cert_subject(), ""); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_EQ(sync_status.error_code(), grpc::StatusCode::UNAUTHENTICATED); EXPECT_EQ(sync_status.error_message(), "VerifiedRootCertSubjectVerifier failed"); } TEST(TlsCertificateVerifierTest, VerifiedRootCertSubjectVerifierFailsMismatch) { grpc_tls_custom_verification_check_request request; constexpr char kExpectedSubject[] = "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"; request.peer_info.verified_root_cert_subject = "BAD_SUBJECT"; auto verifier = ExternalCertificateVerifier::Create( kExpectedSubject); TlsCustomVerificationCheckRequest cpp_request(&request); grpc::Status sync_status; verifier->Verify(&cpp_request, nullptr, &sync_status); EXPECT_EQ(sync_status.error_code(), grpc::StatusCode::UNAUTHENTICATED); EXPECT_EQ(sync_status.error_message(), "VerifiedRootCertSubjectVerifier failed"); } } // namespace } // namespace testing } // namespace grpc int main(int argc, char** argv) { ::testing::InitGoogleTest(&argc, argv); grpc::testing::TestEnvironment env(&argc, argv); int ret = RUN_ALL_TESTS(); return ret; }