/*
*
* Copyright 2021 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package xds
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"net"
"net/netip"
"net/url"
"os"
"regexp"
"strings"
"testing"
"time"
"google.golang.org/grpc/testdata"
"google.golang.org/grpc/credentials/tls/certprovider"
"google.golang.org/grpc/internal/credentials/spiffe"
"google.golang.org/grpc/internal/xds/matcher"
)
type testCertProvider struct {
certprovider.Provider
}
type testCertProviderWithKeyMaterial struct {
certprovider.Provider
}
func TestDNSMatch(t *testing.T) {
tests := []struct {
desc string
host string
pattern string
wantMatch bool
}{
{
desc: "invalid wildcard 1",
host: "aa.example.com",
pattern: "*a.example.com",
wantMatch: false,
},
{
desc: "invalid wildcard 2",
host: "aa.example.com",
pattern: "a*.example.com",
wantMatch: false,
},
{
desc: "invalid wildcard 3",
host: "abc.example.com",
pattern: "a*c.example.com",
wantMatch: false,
},
{
desc: "wildcard in one of the middle components",
host: "abc.test.example.com",
pattern: "abc.*.example.com",
wantMatch: false,
},
{
desc: "single component wildcard",
host: "a.example.com",
pattern: "*",
wantMatch: false,
},
{
desc: "short host name",
host: "a.com",
pattern: "*.example.com",
wantMatch: false,
},
{
desc: "suffix mismatch",
host: "a.notexample.com",
pattern: "*.example.com",
wantMatch: false,
},
{
desc: "wildcard match across components",
host: "sub.test.example.com",
pattern: "*.example.com.",
wantMatch: false,
},
{
desc: "host doesn't end in period",
host: "test.example.com",
pattern: "test.example.com.",
wantMatch: true,
},
{
desc: "pattern doesn't end in period",
host: "test.example.com.",
pattern: "test.example.com",
wantMatch: true,
},
{
desc: "case insensitive",
host: "TEST.EXAMPLE.COM.",
pattern: "test.example.com.",
wantMatch: true,
},
{
desc: "simple match",
host: "test.example.com",
pattern: "test.example.com",
wantMatch: true,
},
{
desc: "good wildcard",
host: "a.example.com",
pattern: "*.example.com",
wantMatch: true,
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
gotMatch := dnsMatch(test.host, test.pattern)
if gotMatch != test.wantMatch {
t.Fatalf("dnsMatch(%s, %s) = %v, want %v", test.host, test.pattern, gotMatch, test.wantMatch)
}
})
}
}
func TestMatchingSANExists_FailureCases(t *testing.T) {
url1, err := url.Parse("http://golang.org")
if err != nil {
t.Fatalf("url.Parse() failed: %v", err)
}
url2, err := url.Parse("https://github.com/grpc/grpc-go")
if err != nil {
t.Fatalf("url.Parse() failed: %v", err)
}
inputCert := &x509.Certificate{
DNSNames: []string{"foo.bar.example.com", "bar.baz.test.com", "*.example.com"},
EmailAddresses: []string{"foobar@example.com", "barbaz@test.com"},
IPAddresses: []net.IP{
netip.MustParseAddr("192.0.0.1").AsSlice(),
netip.MustParseAddr("2001:db8::68").AsSlice(),
},
URIs: []*url.URL{url1, url2},
}
tests := []struct {
desc string
sanMatchers []matcher.StringMatcher
}{
{
desc: "exact match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("abcd.test.com"), nil, nil, nil, nil, false),
matcher.StringMatcherForTesting(newStringP("http://golang"), nil, nil, nil, nil, false),
matcher.StringMatcherForTesting(newStringP("HTTP://GOLANG.ORG"), nil, nil, nil, nil, false),
},
},
{
desc: "prefix match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, newStringP("i-aint-the-one"), nil, nil, nil, false),
matcher.StringMatcherForTesting(nil, newStringP("192.168.1.1"), nil, nil, nil, false),
matcher.StringMatcherForTesting(nil, newStringP("FOO.BAR"), nil, nil, nil, false),
},
},
{
desc: "suffix match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, newStringP("i-aint-the-one"), nil, nil, false),
matcher.StringMatcherForTesting(nil, nil, newStringP("1::68"), nil, nil, false),
matcher.StringMatcherForTesting(nil, nil, newStringP(".COM"), nil, nil, false),
},
},
{
desc: "regex match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, nil, nil, regexp.MustCompile(`.*\.examples\.com`), false),
matcher.StringMatcherForTesting(nil, nil, nil, nil, regexp.MustCompile(`192\.[0-9]{1,3}\.1\.1`), false),
},
},
{
desc: "contains match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, nil, newStringP("i-aint-the-one"), nil, false),
matcher.StringMatcherForTesting(nil, nil, nil, newStringP("2001:db8:1:1::68"), nil, false),
matcher.StringMatcherForTesting(nil, nil, nil, newStringP("GRPC"), nil, false),
},
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
hi := NewHandshakeInfo(nil, nil, test.sanMatchers, false)
if hi.MatchingSANExists(inputCert) {
t.Fatalf("hi.MatchingSANExists(%+v) with SAN matchers +%v succeeded when expected to fail", inputCert, test.sanMatchers)
}
})
}
}
func TestMatchingSANExists_Success(t *testing.T) {
url1, err := url.Parse("http://golang.org")
if err != nil {
t.Fatalf("url.Parse() failed: %v", err)
}
url2, err := url.Parse("https://github.com/grpc/grpc-go")
if err != nil {
t.Fatalf("url.Parse() failed: %v", err)
}
inputCert := &x509.Certificate{
DNSNames: []string{"baz.test.com", "*.example.com"},
EmailAddresses: []string{"foobar@example.com", "barbaz@test.com"},
IPAddresses: []net.IP{
netip.MustParseAddr("192.0.0.1").AsSlice(),
netip.MustParseAddr("2001:db8::68").AsSlice(),
},
URIs: []*url.URL{url1, url2},
}
tests := []struct {
desc string
sanMatchers []matcher.StringMatcher
}{
{
desc: "no san matchers",
},
{
desc: "exact match dns wildcard",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, newStringP("192.168.1.1"), nil, nil, nil, false),
matcher.StringMatcherForTesting(newStringP("https://github.com/grpc/grpc-java"), nil, nil, nil, nil, false),
matcher.StringMatcherForTesting(newStringP("abc.example.com"), nil, nil, nil, nil, false),
},
},
{
desc: "exact match ignore case",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("FOOBAR@EXAMPLE.COM"), nil, nil, nil, nil, true),
},
},
{
desc: "prefix match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, newStringP(".co.in"), nil, nil, false),
matcher.StringMatcherForTesting(nil, newStringP("192.168.1.1"), nil, nil, nil, false),
matcher.StringMatcherForTesting(nil, newStringP("baz.test"), nil, nil, nil, false),
},
},
{
desc: "prefix match ignore case",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, newStringP("BAZ.test"), nil, nil, nil, true),
},
},
{
desc: "suffix match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, nil, nil, regexp.MustCompile(`192\.[0-9]{1,3}\.1\.1`), false),
matcher.StringMatcherForTesting(nil, nil, newStringP("192.168.1.1"), nil, nil, false),
matcher.StringMatcherForTesting(nil, nil, newStringP("@test.com"), nil, nil, false),
},
},
{
desc: "suffix match ignore case",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, newStringP("@test.COM"), nil, nil, true),
},
},
{
desc: "regex match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, nil, newStringP("https://github.com/grpc/grpc-java"), nil, false),
matcher.StringMatcherForTesting(nil, nil, nil, nil, regexp.MustCompile(`192\.[0-9]{1,3}\.1\.1`), false),
matcher.StringMatcherForTesting(nil, nil, nil, nil, regexp.MustCompile(`.*\.test\.com`), false),
},
},
{
desc: "contains match",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("https://github.com/grpc/grpc-java"), nil, nil, nil, nil, false),
matcher.StringMatcherForTesting(nil, nil, nil, newStringP("2001:68::db8"), nil, false),
matcher.StringMatcherForTesting(nil, nil, nil, newStringP("192.0.0"), nil, false),
},
},
{
desc: "contains match ignore case",
sanMatchers: []matcher.StringMatcher{
matcher.StringMatcherForTesting(nil, nil, nil, newStringP("GRPC"), nil, true),
},
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
hi := NewHandshakeInfo(nil, nil, test.sanMatchers, false)
if !hi.MatchingSANExists(inputCert) {
t.Fatalf("hi.MatchingSANExists(%+v) with SAN matchers +%v failed when expected to succeed", inputCert, test.sanMatchers)
}
})
}
}
func newStringP(s string) *string {
return &s
}
func TestEqual(t *testing.T) {
tests := []struct {
desc string
hi1 *HandshakeInfo
hi2 *HandshakeInfo
wantMatch bool
}{
{
desc: "both HandshakeInfo are nil",
hi1: nil,
hi2: nil,
wantMatch: true,
},
{
desc: "one HandshakeInfo is nil",
hi1: nil,
hi2: NewHandshakeInfo(&testCertProvider{}, nil, nil, false),
wantMatch: false,
},
{
desc: "different root providers",
hi1: NewHandshakeInfo(&testCertProvider{}, nil, nil, false),
hi2: NewHandshakeInfo(&testCertProvider{}, nil, nil, false),
wantMatch: false,
},
{
desc: "same providers, same SAN matchers",
hi1: NewHandshakeInfo(testCertProvider{}, testCertProvider{}, []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("foo.com"), nil, nil, nil, nil, false),
}, false),
hi2: NewHandshakeInfo(testCertProvider{}, testCertProvider{}, []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("foo.com"), nil, nil, nil, nil, false),
}, false),
wantMatch: true,
},
{
desc: "same providers, different SAN matchers",
hi1: NewHandshakeInfo(testCertProvider{}, testCertProvider{}, []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("foo.com"), nil, nil, nil, nil, false),
}, false),
hi2: NewHandshakeInfo(testCertProvider{}, testCertProvider{}, []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("bar.com"), nil, nil, nil, nil, false),
}, false),
wantMatch: false,
},
{
desc: "same SAN matchers with different content",
hi1: NewHandshakeInfo(&testCertProvider{}, &testCertProvider{}, []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("foo.com"), nil, nil, nil, nil, false),
}, false),
hi2: NewHandshakeInfo(&testCertProvider{}, &testCertProvider{}, []matcher.StringMatcher{
matcher.StringMatcherForTesting(newStringP("foo.com"), nil, nil, nil, nil, false),
matcher.StringMatcherForTesting(newStringP("bar.com"), nil, nil, nil, nil, false),
}, false),
wantMatch: false,
},
{
desc: "different requireClientCert flags",
hi1: NewHandshakeInfo(&testCertProvider{}, &testCertProvider{}, nil, true),
hi2: NewHandshakeInfo(&testCertProvider{}, &testCertProvider{}, nil, false),
wantMatch: false,
},
{
desc: "same identity provider, different root provider",
hi1: NewHandshakeInfo(&testCertProvider{}, testCertProvider{}, nil, false),
hi2: NewHandshakeInfo(&testCertProvider{}, testCertProvider{}, nil, false),
wantMatch: false,
},
{
desc: "different identity provider, same root provider",
hi1: NewHandshakeInfo(testCertProvider{}, &testCertProvider{}, nil, false),
hi2: NewHandshakeInfo(testCertProvider{}, &testCertProvider{}, nil, false),
wantMatch: false,
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
if gotMatch := test.hi1.Equal(test.hi2); gotMatch != test.wantMatch {
t.Errorf("hi1.Equal(hi2) = %v; wantMatch %v", gotMatch, test.wantMatch)
}
})
}
}
func (p *testCertProviderWithKeyMaterial) KeyMaterial(_ context.Context) (*certprovider.KeyMaterial, error) {
km := &certprovider.KeyMaterial{}
spiffeBundleMapContents, err := os.ReadFile(testdata.Path("spiffe_end2end/client_spiffebundle.json"))
if err != nil {
return nil, err
}
bundleMap, err := spiffe.BundleMapFromBytes(spiffeBundleMapContents)
if err != nil {
return nil, err
}
km.SPIFFEBundleMap = bundleMap
rootFileContents, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
if err != nil {
return nil, err
}
trustPool := x509.NewCertPool()
if !trustPool.AppendCertsFromPEM(rootFileContents) {
return nil, fmt.Errorf("Failed to parse root certificate")
}
km.Roots = trustPool
certFileContents, err := os.ReadFile(testdata.Path("spiffe_end2end/client_spiffe.pem"))
if err != nil {
return nil, err
}
keyFileContents, err := os.ReadFile(testdata.Path("spiffe_end2end/client.key"))
if err != nil {
return nil, err
}
cert, err := tls.X509KeyPair(certFileContents, keyFileContents)
if err != nil {
return nil, err
}
km.Certs = []tls.Certificate{cert}
return km, nil
}
func TestBuildVerifyFuncFailures(t *testing.T) {
tests := []struct {
desc string
peerCertChain [][]byte
wantErr string
}{
{
desc: "invalid x509",
peerCertChain: [][]byte{[]byte("NOT_A_CERT")},
wantErr: "x509: malformed certificate",
},
{
desc: "invalid SPIFFE ID in peer cert",
// server1.pem doesn't have a valid SPIFFE ID, so attempted to get a
// root from the SPIFFE Bundle Map will fail
peerCertChain: loadCert(t, testdata.Path("server1.pem"), testdata.Path("server1.key")),
wantErr: "spiffe: could not get spiffe ID from peer leaf cert but verification with spiffe trust map was configure",
},
}
testProvider := testCertProviderWithKeyMaterial{}
hi := NewHandshakeInfo(&testProvider, &testProvider, nil, true)
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
defer cancel()
cfg, err := hi.ClientSideTLSConfig(ctx)
if err != nil {
t.Fatalf("hi.ClientSideTLSConfig() failed with err %v", err)
}
for _, tc := range tests {
t.Run(tc.desc, func(t *testing.T) {
err = cfg.VerifyPeerCertificate(tc.peerCertChain, nil)
if !strings.Contains(err.Error(), tc.wantErr) {
t.Errorf("VerifyPeerCertificate got err %v, want: %v", err, tc.wantErr)
}
})
}
}
func loadCert(t *testing.T, certPath, keyPath string) [][]byte {
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
t.Fatalf("LoadX509KeyPair(%s, %s) failed: %v", certPath, keyPath, err)
}
return cert.Certificate
}