mirror of https://github.com/grpc/grpc.git
The C based gRPC (C++, Python, Ruby, Objective-C, PHP, C#)
https://grpc.io/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
355 lines
15 KiB
355 lines
15 KiB
/* |
|
* |
|
* Copyright 2015 gRPC authors. |
|
* |
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
* you may not use this file except in compliance with the License. |
|
* You may obtain a copy of the License at |
|
* |
|
* http://www.apache.org/licenses/LICENSE-2.0 |
|
* |
|
* Unless required by applicable law or agreed to in writing, software |
|
* distributed under the License is distributed on an "AS IS" BASIS, |
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
* See the License for the specific language governing permissions and |
|
* limitations under the License. |
|
* |
|
*/ |
|
|
|
#include <grpcpp/security/credentials.h> |
|
#include <grpcpp/security/tls_credentials_options.h> |
|
|
|
#include <memory> |
|
|
|
#include <gmock/gmock.h> |
|
#include <grpc/grpc.h> |
|
#include <gtest/gtest.h> |
|
|
|
#include "src/core/lib/gpr/env.h" |
|
#include "src/core/lib/gpr/tmpfile.h" |
|
#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" |
|
#include "src/cpp/client/secure_credentials.h" |
|
|
|
namespace grpc { |
|
namespace testing { |
|
|
|
class CredentialsTest : public ::testing::Test { |
|
protected: |
|
}; |
|
|
|
TEST_F(CredentialsTest, InvalidGoogleRefreshToken) { |
|
std::shared_ptr<CallCredentials> bad1 = GoogleRefreshTokenCredentials(""); |
|
EXPECT_EQ(static_cast<CallCredentials*>(nullptr), bad1.get()); |
|
} |
|
|
|
TEST_F(CredentialsTest, DefaultCredentials) { |
|
auto creds = GoogleDefaultCredentials(); |
|
} |
|
|
|
TEST_F(CredentialsTest, StsCredentialsOptionsCppToCore) { |
|
grpc::experimental::StsCredentialsOptions options; |
|
options.token_exchange_service_uri = "https://foo.com/exchange"; |
|
options.resource = "resource"; |
|
options.audience = "audience"; |
|
options.scope = "scope"; |
|
// options.requested_token_type explicitly not set. |
|
options.subject_token_path = "/foo/bar"; |
|
options.subject_token_type = "nice_token_type"; |
|
options.actor_token_path = "/foo/baz"; |
|
options.actor_token_type = "even_nicer_token_type"; |
|
grpc_sts_credentials_options core_opts = |
|
grpc_impl::experimental::StsCredentialsCppToCoreOptions(options); |
|
EXPECT_EQ(options.token_exchange_service_uri, |
|
core_opts.token_exchange_service_uri); |
|
EXPECT_EQ(options.resource, core_opts.resource); |
|
EXPECT_EQ(options.audience, core_opts.audience); |
|
EXPECT_EQ(options.scope, core_opts.scope); |
|
EXPECT_EQ(options.requested_token_type, core_opts.requested_token_type); |
|
EXPECT_EQ(options.subject_token_path, core_opts.subject_token_path); |
|
EXPECT_EQ(options.subject_token_type, core_opts.subject_token_type); |
|
EXPECT_EQ(options.actor_token_path, core_opts.actor_token_path); |
|
EXPECT_EQ(options.actor_token_type, core_opts.actor_token_type); |
|
} |
|
|
|
TEST_F(CredentialsTest, StsCredentialsOptionsJson) { |
|
const char valid_json[] = R"( |
|
{ |
|
"token_exchange_service_uri": "https://foo/exchange", |
|
"resource": "resource", |
|
"audience": "audience", |
|
"scope": "scope", |
|
"requested_token_type": "requested_token_type", |
|
"subject_token_path": "subject_token_path", |
|
"subject_token_type": "subject_token_type", |
|
"actor_token_path": "actor_token_path", |
|
"actor_token_type": "actor_token_type" |
|
})"; |
|
grpc::experimental::StsCredentialsOptions options; |
|
EXPECT_TRUE( |
|
grpc::experimental::StsCredentialsOptionsFromJson(valid_json, &options) |
|
.ok()); |
|
EXPECT_EQ(options.token_exchange_service_uri, "https://foo/exchange"); |
|
EXPECT_EQ(options.resource, "resource"); |
|
EXPECT_EQ(options.audience, "audience"); |
|
EXPECT_EQ(options.scope, "scope"); |
|
EXPECT_EQ(options.requested_token_type, "requested_token_type"); |
|
EXPECT_EQ(options.subject_token_path, "subject_token_path"); |
|
EXPECT_EQ(options.subject_token_type, "subject_token_type"); |
|
EXPECT_EQ(options.actor_token_path, "actor_token_path"); |
|
EXPECT_EQ(options.actor_token_type, "actor_token_type"); |
|
|
|
const char minimum_valid_json[] = R"( |
|
{ |
|
"token_exchange_service_uri": "https://foo/exchange", |
|
"subject_token_path": "subject_token_path", |
|
"subject_token_type": "subject_token_type" |
|
})"; |
|
EXPECT_TRUE(grpc::experimental::StsCredentialsOptionsFromJson( |
|
minimum_valid_json, &options) |
|
.ok()); |
|
EXPECT_EQ(options.token_exchange_service_uri, "https://foo/exchange"); |
|
EXPECT_EQ(options.resource, ""); |
|
EXPECT_EQ(options.audience, ""); |
|
EXPECT_EQ(options.scope, ""); |
|
EXPECT_EQ(options.requested_token_type, ""); |
|
EXPECT_EQ(options.subject_token_path, "subject_token_path"); |
|
EXPECT_EQ(options.subject_token_type, "subject_token_type"); |
|
EXPECT_EQ(options.actor_token_path, ""); |
|
EXPECT_EQ(options.actor_token_type, ""); |
|
|
|
const char invalid_json[] = R"( |
|
I'm not a valid JSON. |
|
)"; |
|
EXPECT_EQ( |
|
grpc::StatusCode::INVALID_ARGUMENT, |
|
grpc::experimental::StsCredentialsOptionsFromJson(invalid_json, &options) |
|
.error_code()); |
|
|
|
const char invalid_json_missing_subject_token_type[] = R"( |
|
{ |
|
"token_exchange_service_uri": "https://foo/exchange", |
|
"subject_token_path": "subject_token_path" |
|
})"; |
|
auto status = grpc::experimental::StsCredentialsOptionsFromJson( |
|
invalid_json_missing_subject_token_type, &options); |
|
EXPECT_EQ(grpc::StatusCode::INVALID_ARGUMENT, status.error_code()); |
|
EXPECT_THAT(status.error_message(), |
|
::testing::HasSubstr("subject_token_type")); |
|
|
|
const char invalid_json_missing_subject_token_path[] = R"( |
|
{ |
|
"token_exchange_service_uri": "https://foo/exchange", |
|
"subject_token_type": "subject_token_type" |
|
})"; |
|
status = grpc::experimental::StsCredentialsOptionsFromJson( |
|
invalid_json_missing_subject_token_path, &options); |
|
EXPECT_EQ(grpc::StatusCode::INVALID_ARGUMENT, status.error_code()); |
|
EXPECT_THAT(status.error_message(), |
|
::testing::HasSubstr("subject_token_path")); |
|
|
|
const char invalid_json_missing_token_exchange_uri[] = R"( |
|
{ |
|
"subject_token_path": "subject_token_path", |
|
"subject_token_type": "subject_token_type" |
|
})"; |
|
status = grpc::experimental::StsCredentialsOptionsFromJson( |
|
invalid_json_missing_token_exchange_uri, &options); |
|
EXPECT_EQ(grpc::StatusCode::INVALID_ARGUMENT, status.error_code()); |
|
EXPECT_THAT(status.error_message(), |
|
::testing::HasSubstr("token_exchange_service_uri")); |
|
} |
|
|
|
TEST_F(CredentialsTest, StsCredentialsOptionsFromEnv) { |
|
// Unset env and check expected failure. |
|
gpr_unsetenv("STS_CREDENTIALS"); |
|
grpc::experimental::StsCredentialsOptions options; |
|
auto status = grpc::experimental::StsCredentialsOptionsFromEnv(&options); |
|
EXPECT_EQ(grpc::StatusCode::NOT_FOUND, status.error_code()); |
|
|
|
// Set env and check for success. |
|
const char valid_json[] = R"( |
|
{ |
|
"token_exchange_service_uri": "https://foo/exchange", |
|
"subject_token_path": "subject_token_path", |
|
"subject_token_type": "subject_token_type" |
|
})"; |
|
char* creds_file_name; |
|
FILE* creds_file = gpr_tmpfile("sts_creds_options", &creds_file_name); |
|
ASSERT_NE(creds_file_name, nullptr); |
|
ASSERT_NE(creds_file, nullptr); |
|
ASSERT_EQ(sizeof(valid_json), |
|
fwrite(valid_json, 1, sizeof(valid_json), creds_file)); |
|
fclose(creds_file); |
|
gpr_setenv("STS_CREDENTIALS", creds_file_name); |
|
gpr_free(creds_file_name); |
|
status = grpc::experimental::StsCredentialsOptionsFromEnv(&options); |
|
EXPECT_TRUE(status.ok()); |
|
EXPECT_EQ(options.token_exchange_service_uri, "https://foo/exchange"); |
|
EXPECT_EQ(options.resource, ""); |
|
EXPECT_EQ(options.audience, ""); |
|
EXPECT_EQ(options.scope, ""); |
|
EXPECT_EQ(options.requested_token_type, ""); |
|
EXPECT_EQ(options.subject_token_path, "subject_token_path"); |
|
EXPECT_EQ(options.subject_token_type, "subject_token_type"); |
|
EXPECT_EQ(options.actor_token_path, ""); |
|
EXPECT_EQ(options.actor_token_type, ""); |
|
|
|
// Cleanup. |
|
gpr_unsetenv("STS_CREDENTIALS"); |
|
} |
|
|
|
typedef class ::grpc_impl::experimental::TlsKeyMaterialsConfig |
|
TlsKeyMaterialsConfig; |
|
|
|
TEST_F(CredentialsTest, TlsKeyMaterialsConfigCppToC) { |
|
TlsKeyMaterialsConfig config; |
|
struct TlsKeyMaterialsConfig::PemKeyCertPair pair = {"private_key", |
|
"cert_chain"}; |
|
::std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> pair_list = {pair}; |
|
config.set_key_materials("pem_root_certs", pair_list); |
|
grpc_tls_key_materials_config* c_config = config.c_key_materials(); |
|
EXPECT_STREQ("pem_root_certs", c_config->pem_root_certs()); |
|
EXPECT_EQ(1, static_cast<int>(c_config->pem_key_cert_pair_list().size())); |
|
EXPECT_STREQ(pair.private_key.c_str(), |
|
c_config->pem_key_cert_pair_list()[0].private_key()); |
|
EXPECT_STREQ(pair.cert_chain.c_str(), |
|
c_config->pem_key_cert_pair_list()[0].cert_chain()); |
|
gpr_free(c_config); |
|
} |
|
|
|
TEST_F(CredentialsTest, TlsKeyMaterialsCtoCpp) { |
|
grpc_tls_key_materials_config c_config; |
|
::grpc_core::PemKeyCertPair pem_key_cert_pair = |
|
::grpc_core::PemKeyCertPair("private_key", "cert_chain"); |
|
::grpc_core::InlinedVector<::grpc_core::PemKeyCertPair, 1> |
|
pem_key_cert_pair_list; |
|
pem_key_cert_pair_list.push_back(pem_key_cert_pair); |
|
c_config.set_key_materials( |
|
::grpc_core::UniquePtr<char>(gpr_strdup("pem_root_certs")), |
|
pem_key_cert_pair_list); |
|
::std::shared_ptr<TlsKeyMaterialsConfig> cpp_config = |
|
::grpc_impl::experimental::tls_key_materials_c_to_cpp(&c_config); |
|
EXPECT_STREQ("pem_root_certs", cpp_config->pem_root_certs().c_str()); |
|
::std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> cpp_pair_list = |
|
cpp_config->pem_key_cert_pair_list(); |
|
EXPECT_EQ(1, static_cast<int>(cpp_pair_list.size())); |
|
EXPECT_STREQ("private_key", cpp_pair_list[0].private_key.c_str()); |
|
EXPECT_STREQ("cert_chain", cpp_pair_list[0].cert_chain.c_str()); |
|
} |
|
|
|
typedef class ::grpc_impl::experimental::TlsCredentialReloadArg |
|
TlsCredentialReloadArg; |
|
typedef class ::grpc_impl::experimental::TlsCredentialReloadConfig |
|
TlsCredentialReloadConfig; |
|
typedef void (*grpcpp_tls_on_credential_reload_done_cb)( |
|
TlsCredentialReloadArg* arg); |
|
|
|
TEST_F(CredentialsTest, TlsCredentialReloadArgCppToC) { |
|
TlsCredentialReloadArg arg; |
|
arg.set_cb(static_cast<grpcpp_tls_on_credential_reload_done_cb>(nullptr)); |
|
arg.set_cb_user_data(nullptr); |
|
::std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config; |
|
struct TlsKeyMaterialsConfig::PemKeyCertPair pair1 = {"private_key1", |
|
"cert_chain1"}; |
|
struct TlsKeyMaterialsConfig::PemKeyCertPair pair2 = {"private_key2", "cert_chain2"}; |
|
::std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> pair_list = {pair1, pair2}; |
|
key_materials_config->set_key_materials("pem_root_certs", pair_list); |
|
arg.set_key_materials_config(key_materials_config); |
|
arg.set_status(GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW); |
|
arg.set_error_details("error_details"); |
|
grpc_tls_credential_reload_arg* c_arg = arg.c_credential_reload_arg(); |
|
EXPECT_EQ(c_arg->cb, |
|
static_cast<grpc_tls_on_credential_reload_done_cb>(nullptr)); |
|
EXPECT_EQ(c_arg->cb_user_data, nullptr); |
|
EXPECT_EQ(c_arg->key_materials_config->pem_root_certs(), "pem_root_certs"); |
|
EXPECT_EQ(c_arg->key_materials_config->pem_key_cert_pair_list()[0].private_key(), "private_key1"); |
|
EXPECT_EQ(c_arg->key_materials_config->pem_key_cert_pair_list()[1].private_key(), "private_key2"); |
|
EXPECT_EQ(c_arg->key_materials_config->pem_key_cert_pair_list()[0].cert_chain(), "cert_chain1"); |
|
EXPECT_EQ(c_arg->key_materials_config->pem_key_cert_pair_list()[1].cert_chain(), "cert_chain2"); |
|
EXPECT_EQ(c_arg->status, GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW); |
|
EXPECT_STREQ(c_arg->error_details, "error_details"); |
|
} |
|
|
|
/** |
|
TEST_F(CredentialsTest, TlsCredentialReloadConfigCppToC) { |
|
TlsCredentialReloadConfig config = |
|
TlsCredentialReloadConfig(nullptr, nullptr, nullptr, nullptr); |
|
grpc_tls_credential_reload_config* c_config = config.c_credential_reload(); |
|
EXPECT_EQ(c_config, nullptr); |
|
// EXPECT_NE(c_config, nullptr); |
|
// TODO: add tests to compare schedule, cancel, destruct fields. |
|
} |
|
|
|
typedef class ::grpc_impl::experimental::TlsServerAuthorizationCheckArg |
|
TlsServerAuthorizationCheckArg; |
|
typedef class ::grpc_impl::experimental::TlsServerAuthorizationCheckConfig |
|
TlsServerAuthorizationCheckConfig; |
|
|
|
TEST_F(CredentialsTest, TlsServerAuthorizationCheckArgCppToC) { |
|
TlsServerAuthorizationCheckArg arg; |
|
// Only sync server authorization check supported currently, |
|
// so we use a nullptr call back function. |
|
arg.set_cb(nullptr); |
|
arg.set_cb_user_data(nullptr); |
|
arg.set_success(1); |
|
arg.set_peer_cert("peer_cert"); |
|
arg.set_status(GRPC_STATUS_OK); |
|
arg.set_target_name("target_name"); |
|
arg.set_error_details("error_details"); |
|
grpc_tls_server_authorization_check_arg* c_arg = |
|
arg.c_server_authorization_check_arg(); |
|
// EXPECT_NE(c_arg, nullptr); |
|
EXPECT_EQ(c_arg->cb, nullptr); |
|
EXPECT_EQ(c_arg->cb_user_data, nullptr); |
|
RecordProperty("TlsServerAuthorizationCheckArgCppToC::c_arg->success", |
|
c_arg->success); EXPECT_EQ(c_arg->success, 1); |
|
RecordProperty("TlsServerAuthorizationCheckArgCppToC::c_arg->peer_cert", |
|
c_arg->peer_cert); EXPECT_STREQ(c_arg->peer_cert, "peer_cert"); |
|
RecordProperty("TlsServerAuthorizationCheckArgCppToC::c_arg->target_name", |
|
c_arg->target_name); EXPECT_STREQ(c_arg->target_name, "target_name"); |
|
EXPECT_EQ(c_arg->status, GRPC_STATUS_OK); |
|
RecordProperty("TlsServerAuthorizationCheckArgCppToC::c_arg->error_details", |
|
c_arg->error_details); EXPECT_STREQ(c_arg->error_details, "error_details"); |
|
} |
|
|
|
TEST_F(CredentialsTest, TlsServerAuthorizationCheckCppToC) { |
|
TlsServerAuthorizationCheckConfig config = |
|
TlsServerAuthorizationCheckConfig(nullptr, nullptr, nullptr, nullptr); |
|
grpc_tls_server_authorization_check_config* c_config = |
|
config.c_server_authorization_check(); |
|
EXPECT_EQ(c_config, nullptr); // Because c_server_authn_check not implemented |
|
// TODO: add tests to compare schedule, cancel, destruct fields. |
|
} |
|
|
|
typedef class ::grpc_impl::experimental::TlsCredentialsOptions |
|
TlsCredentialsOptions; |
|
|
|
TEST_F(CredentialsTest, TlsCredentialsOptionsCppToC) { |
|
TlsCredentialsOptions options; |
|
options.set_cert_request_type(GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY); |
|
::std::shared_ptr<TlsKeyMaterialsConfig> key_materials_config( |
|
new TlsKeyMaterialsConfig()); |
|
struct TlsKeyMaterialsConfig::PemKeyCertPair pair = {"private_key", |
|
"cert_chain"}; |
|
::std::vector<TlsKeyMaterialsConfig::PemKeyCertPair> pair_list = {pair}; |
|
key_materials_config->set_key_materials("pem_root_certs", pair_list); |
|
options.set_key_materials_config(key_materials_config); |
|
// TODO: add instances of credential reload and server authorization check to |
|
// options. |
|
grpc_tls_credentials_options* c_options = options.c_credentials_options(); |
|
EXPECT_EQ(c_options->cert_request_type(), |
|
GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY); |
|
EXPECT_EQ(c_options->key_materials_config(), |
|
key_materials_config->c_key_materials()); |
|
gpr_free(c_options); |
|
} |
|
**/ |
|
|
|
} // namespace testing |
|
} // namespace grpc |
|
|
|
int main(int argc, char** argv) { |
|
::testing::InitGoogleTest(&argc, argv); |
|
int ret = RUN_ALL_TESTS(); |
|
return ret; |
|
}
|
|
|