From e4ab8287d07552b1a647b1289246bbcd978cf432 Mon Sep 17 00:00:00 2001 From: sanjaypujare Date: Wed, 23 Jun 2021 11:13:19 -0700 Subject: [PATCH] xds: get rid of legacy SDS and file watching code (#8276) --- .../io/grpc/xds/CdsLoadBalancer2Test.java | 5 +- .../grpc/xds/ClusterImplLoadBalancerTest.java | 10 +- .../xds/ClusterResolverLoadBalancerTest.java | 5 +- .../grpc/xds/CommonBootstrapperTestUtils.java | 57 +++ .../io/grpc/xds/FilterChainMatchTest.java | 4 +- .../io/grpc/xds/XdsSdsClientServerTest.java | 120 +++-- .../ClientSslContextProviderFactoryTest.java | 76 --- .../sds/CommonTlsContextTestsUtil.java | 388 +++------------ .../sds/SdsProtocolNegotiatorsTest.java | 168 +++---- .../sds/SdsSslContextProviderTest.java | 263 ----------- .../SecretVolumeSslContextProviderTest.java | 444 ------------------ .../ServerSslContextProviderFactoryTest.java | 94 ---- .../sds/SslContextProviderSupplierTest.java | 6 +- .../internal/sds/TlsContextManagerTest.java | 55 ++- 14 files changed, 313 insertions(+), 1382 deletions(-) delete mode 100644 xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java delete mode 100644 xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java diff --git a/xds/src/test/java/io/grpc/xds/CdsLoadBalancer2Test.java b/xds/src/test/java/io/grpc/xds/CdsLoadBalancer2Test.java index 3875e66ded..6953ecca64 100644 --- a/xds/src/test/java/io/grpc/xds/CdsLoadBalancer2Test.java +++ b/xds/src/test/java/io/grpc/xds/CdsLoadBalancer2Test.java 
@@ -77,10 +77,7 @@ public class CdsLoadBalancer2Test { private static final String DNS_HOST_NAME = "backend-service-dns.googleapis.com:443"; private static final String LRS_SERVER_NAME = "lrs.googleapis.com"; private final UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CommonTlsContextTestsUtil.CLIENT_KEY_FILE, - CommonTlsContextTestsUtil.CLIENT_PEM_FILE, - CommonTlsContextTestsUtil.CA_PEM_FILE); + CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true); private final SynchronizationContext syncContext = new SynchronizationContext( new Thread.UncaughtExceptionHandler() { diff --git a/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java b/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java index 47926cae55..74aa85501a 100644 --- a/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java +++ b/xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java @@ -494,10 +494,7 @@ public class ClusterImplLoadBalancerTest { private void subtest_endpointAddressesAttachedWithTlsConfig(boolean enableSecurity) { UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CommonTlsContextTestsUtil.CLIENT_KEY_FILE, - CommonTlsContextTestsUtil.CLIENT_PEM_FILE, - CommonTlsContextTestsUtil.CA_PEM_FILE); + CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true); LoadBalancerProvider weightedTargetProvider = new WeightedTargetLoadBalancerProvider(); WeightedTargetConfig weightedTargetConfig = buildWeightedTargetConfig(ImmutableMap.of(locality, 10)); 
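Review bot: The certificate-provider instance name `"google_cloud_private_spiffe"` is now a bare literal in CdsLoadBalancer2Test, in ClusterImplLoadBalancerTest (this hunk and @@ -541, where the `…spiffe1` variant appears) and in ClusterResolverLoadBalancerTest (@@ -111), and each copy must agree with whatever bootstrap the test under it installs. A single shared constant in CommonTlsContextTestsUtil, e.g. `public static final String CERT_INSTANCE_NAME = "google_cloud_private_spiffe";`, would keep the four sites from drifting. In @@ -541 the `…spiffe1` literal replaces the former `BAD_CLIENT_*` file names, so the reader no longer sees that a different (bad) identity is intended; a more descriptive name or a short comment such as `// second provider instance, stands in for the old bad-client cert` would preserve that intent.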
@@ -541,10 +538,7 @@ public class ClusterImplLoadBalancerTest { // Config with a new UpstreamTlsContext. upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CommonTlsContextTestsUtil.BAD_CLIENT_KEY_FILE, - CommonTlsContextTestsUtil.BAD_CLIENT_PEM_FILE, - CommonTlsContextTestsUtil.CA_PEM_FILE); + CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe1", true); config = new ClusterImplConfig(CLUSTER, EDS_SERVICE_NAME, LRS_SERVER_NAME, null, Collections.emptyList(), new PolicySelection(weightedTargetProvider, weightedTargetConfig), upstreamTlsContext); diff --git a/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java b/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java index b987ca95c3..26f1a2b3cf 100644 --- a/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java +++ b/xds/src/test/java/io/grpc/xds/ClusterResolverLoadBalancerTest.java @@ -111,10 +111,7 @@ public class ClusterResolverLoadBalancerTest { private final Locality locality3 = Locality.create("test-region-3", "test-zone-3", "test-subzone-3"); private final UpstreamTlsContext tlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CommonTlsContextTestsUtil.CLIENT_KEY_FILE, - CommonTlsContextTestsUtil.CLIENT_PEM_FILE, - CommonTlsContextTestsUtil.CA_PEM_FILE); + CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true); private final DiscoveryMechanism edsDiscoveryMechanism1 = DiscoveryMechanism.forEds(CLUSTER1, EDS_SERVICE_NAME1, LRS_SERVER_NAME, 100L, tlsContext); private final DiscoveryMechanism edsDiscoveryMechanism2 = diff --git a/xds/src/test/java/io/grpc/xds/CommonBootstrapperTestUtils.java b/xds/src/test/java/io/grpc/xds/CommonBootstrapperTestUtils.java index 15a63d6c23..d7c6dbc787 100644 --- a/xds/src/test/java/io/grpc/xds/CommonBootstrapperTestUtils.java +++ b/xds/src/test/java/io/grpc/xds/CommonBootstrapperTestUtils.java 
@@ -19,8 +19,11 @@ package io.grpc.xds; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import io.grpc.internal.JsonParser; +import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil; import java.io.IOException; +import java.util.HashMap; import java.util.Map; +import javax.annotation.Nullable; public class CommonBootstrapperTestUtils { private static final String FILE_WATCHER_CONFIG = "{\"path\": \"/etc/secret/certs\"}"; 
@@ -72,4 +75,58 @@ public class CommonBootstrapperTestUtils { throw new AssertionError(e); } } + + /** + * Build {@link Bootstrapper.BootstrapInfo} for certProviderInstance tests. + * Populates with temp file paths. + */ + public static Bootstrapper.BootstrapInfo buildBootstrapInfo( + String certInstanceName1, @Nullable String privateKey1, + @Nullable String cert1, + @Nullable String trustCa1, String certInstanceName2, String privateKey2, String cert2, + String trustCa2) { + // get temp file for each file + try { + if (privateKey1 != null) { + privateKey1 = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(privateKey1); + } + if (cert1 != null) { + cert1 = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(cert1); + } + if (trustCa1 != null) { + trustCa1 = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(trustCa1); + } + if (privateKey2 != null) { + privateKey2 = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(privateKey2); + } + if (cert2 != null) { + cert2 = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(cert2); + } + if (trustCa2 != null) { + trustCa2 = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(trustCa2); + } + } catch (IOException ioe) { + throw new RuntimeException(ioe); + } + HashMap config = new HashMap<>(); + config.put("certificate_file", cert1); + config.put("private_key_file", privateKey1); + config.put("ca_certificate_file", trustCa1); + Bootstrapper.CertificateProviderInfo certificateProviderInfo = + new Bootstrapper.CertificateProviderInfo("file_watcher", config); + HashMap certProviders = + new HashMap<>(); + certProviders.put(certInstanceName1, certificateProviderInfo); + if (certInstanceName2 != null) { + config = new HashMap<>(); + config.put("certificate_file", cert2); + config.put("private_key_file", privateKey2); + config.put("ca_certificate_file", trustCa2); + certificateProviderInfo = + new Bootstrapper.CertificateProviderInfo("file_watcher", config); + 
certProviders.put(certInstanceName2, certificateProviderInfo); + } + return new Bootstrapper.BootstrapInfo(null, EnvoyProtoData.Node.newBuilder().build(), + certProviders, null); + } } diff --git a/xds/src/test/java/io/grpc/xds/FilterChainMatchTest.java b/xds/src/test/java/io/grpc/xds/FilterChainMatchTest.java index f4d6f83a5b..8ee3e87a24 100644 --- a/xds/src/test/java/io/grpc/xds/FilterChainMatchTest.java +++ b/xds/src/test/java/io/grpc/xds/FilterChainMatchTest.java @@ -927,8 +927,8 @@ public class FilterChainMatchTest { registeredWatcher.onChanged(listenerUpdate); EnvoyServerProtoData.DownstreamTlsContext tlsContextPicked = getDownstreamTlsContext(); // assert defaultFilterChain match - assertThat(tlsContextPicked.getCommonTlsContext().getTlsCertificateSdsSecretConfigsList() - .get(0).getName()).isEqualTo("CERT3"); + assertThat(tlsContextPicked.getCommonTlsContext().getTlsCertificateCertificateProviderInstance() + .getCertificateName()).isEqualTo("CERT3"); } private void setupChannel(String localIp, String remoteIp, int remotePort) diff --git a/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java index e7690cf4af..321d5503cc 100644 --- a/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java +++ b/xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java @@ -82,7 +82,10 @@ public class XdsSdsClientServerTest { @Rule public final GrpcCleanupRule cleanupRule = new GrpcCleanupRule(); private int port; private FakeNameResolverFactory fakeNameResolverFactory; - private final TlsContextManagerImpl tlsContextManager = new TlsContextManagerImpl(null); + private Bootstrapper.BootstrapInfo bootstrapInfoForClient = null; + private Bootstrapper.BootstrapInfo bootstrapInfoForServer = null; + private TlsContextManagerImpl tlsContextManagerForClient; + private TlsContextManagerImpl tlsContextManagerForServer; @Before public void setUp() throws IOException { 
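Review bot: `buildBootstrapInfo` null-checks `certInstanceName2`, `privateKey2`, `cert2` and `trustCa2`, and the XdsSdsClientServerTest callers pass `null` for all four, yet only `privateKey1`, `cert1` and `trustCa1` carry `@Nullable` (the import is added in this file's first hunk); annotating the second group the same way makes the signature match the checks, and the Javadoc should say that `certInstanceName2 == null` skips the second provider entirely. The `IOException` is rethrown as `RuntimeException`, while the method immediately above in the context lines wraps the same failure as `AssertionError`; `throw new AssertionError(ioe);` keeps the file consistent. If `HashMap config` and `HashMap certProviders` are genuinely raw types rather than type arguments lost in rendering, they should get their arguments (`Map<String, String>` style) so the `CertificateProviderInfo` constructor call is type-checked.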
@@ -119,14 +122,13 @@ public class XdsSdsClientServerTest { @Test public void tlsClientServer_noClientAuthentication() throws IOException, URISyntaxException { DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, null); + setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, false, false); buildServerWithTlsContext(downstreamTlsContext); // for TLS, client only needs trustCa - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - /* privateKey= */ null, /* certChain= */ null, CA_PEM_FILE); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + CLIENT_KEY_FILE, + CLIENT_PEM_FILE, false); SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ "foo.test.google.fr"); @@ -137,14 +139,13 @@ public class XdsSdsClientServerTest { public void requireClientAuth_noClientCert_expectException() throws IOException, URISyntaxException { DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenamesWithClientCertRequired( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, CA_PEM_FILE); + setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, true, true); buildServerWithTlsContext(downstreamTlsContext); // for TLS, client only uses trustCa - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - /* privateKey= */ null, /* certChain= */ null, CA_PEM_FILE); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + CLIENT_KEY_FILE, + CLIENT_PEM_FILE, false); SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ "foo.test.google.fr"); 
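Review bot: The comment `// for TLS, client only needs trustCa` in `tlsClientServer_noClientAuthentication` no longer matches the call under it, which now feeds `CLIENT_KEY_FILE` and `CLIENT_PEM_FILE` into the client bootstrap and only omits the identity cert from the UpstreamTlsContext via `hasIdentityCert = false`. The same pairing appears in `requireClientAuth_noClientCert_expectException` below and at @@ -241. If the file_watcher provider accepts a config without identity files, passing `null, null` for the key and cert would make the bootstrap mirror the comment; otherwise reword it, e.g. `// TLS only: the UpstreamTlsContext carries no identity cert, though the bootstrap still registers the client key/cert`.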
@@ -166,13 +167,12 @@ public class XdsSdsClientServerTest { @Test public void noClientAuth_sendBadClientCert_passes() throws IOException, URISyntaxException { DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, /* trustCa= */ null); + setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, false, false); buildServerWithTlsContext(downstreamTlsContext); - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - BAD_CLIENT_KEY_FILE, BAD_CLIENT_PEM_FILE, CA_PEM_FILE); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + BAD_CLIENT_KEY_FILE, + BAD_CLIENT_PEM_FILE, true); SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ "foo.test.google.fr"); @@ -181,11 +181,11 @@ public class XdsSdsClientServerTest { @Test public void mtls_badClientCert_expectException() throws IOException, URISyntaxException { - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - BAD_CLIENT_KEY_FILE, BAD_CLIENT_PEM_FILE, CA_PEM_FILE); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + BAD_CLIENT_KEY_FILE, + BAD_CLIENT_PEM_FILE, true); try { - performMtlsTestAndGetListenerWatcher(upstreamTlsContext, false); + performMtlsTestAndGetListenerWatcher(upstreamTlsContext, false, null, null, null, null); fail("exception expected"); } catch (StatusRuntimeException sre) { if (sre.getCause() instanceof SSLHandshakeException) { 
@@ -202,27 +202,26 @@ public class XdsSdsClientServerTest { /** mTLS - client auth enabled. */ @Test public void mtlsClientServer_withClientAuthentication() throws IOException, URISyntaxException { - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); - performMtlsTestAndGetListenerWatcher(upstreamTlsContext, false); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + CLIENT_KEY_FILE, + CLIENT_PEM_FILE, true); + performMtlsTestAndGetListenerWatcher(upstreamTlsContext, false, null, null, null, null); } /** mTLS - client auth enabled - using {@link XdsChannelCredentials} API. */ @Test public void mtlsClientServer_withClientAuthentication_withXdsChannelCreds() throws IOException, URISyntaxException { - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); - performMtlsTestAndGetListenerWatcher(upstreamTlsContext, true); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + CLIENT_KEY_FILE, + CLIENT_PEM_FILE, true); + performMtlsTestAndGetListenerWatcher(upstreamTlsContext, true, null, null, null, null); } @Test public void tlsServer_plaintextClient_expectException() throws IOException, URISyntaxException { DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, null); + setBootstrapInfoAndBuildDownstreamTlsContext(null, null, null, null, false, false); buildServerWithTlsContext(downstreamTlsContext); SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = 
@@ -241,9 +240,9 @@ public class XdsSdsClientServerTest { buildServerWithTlsContext(/* downstreamTlsContext= */ null); // for TLS, client only needs trustCa - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - /* privateKey= */ null, /* certChain= */ null, CA_PEM_FILE); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + CLIENT_KEY_FILE, + CLIENT_PEM_FILE, false); SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ "foo.test.google.fr"); @@ -260,15 +259,18 @@ public class XdsSdsClientServerTest { @Test public void mtlsClientServer_changeServerContext_expectException() throws IOException, URISyntaxException { - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); + UpstreamTlsContext upstreamTlsContext = setBootstrapInfoAndBuildUpstreamTlsContext( + CLIENT_KEY_FILE, + CLIENT_PEM_FILE, true); + XdsClient.LdsResourceWatcher listenerWatcher = - performMtlsTestAndGetListenerWatcher(upstreamTlsContext, false); - DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( + performMtlsTestAndGetListenerWatcher(upstreamTlsContext, false, "cert-instance-name2", BAD_SERVER_KEY_FILE, BAD_SERVER_PEM_FILE, CA_PEM_FILE); - generateListenerUpdateToWatcher(downstreamTlsContext, listenerWatcher, tlsContextManager); + DownstreamTlsContext downstreamTlsContext = + CommonTlsContextTestsUtil.buildDownstreamTlsContext( + "cert-instance-name2", true, true); + generateListenerUpdateToWatcher(downstreamTlsContext, listenerWatcher, + tlsContextManagerForServer); try { SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub = getBlockingStub(upstreamTlsContext, "foo.test.google.fr"); 
@@ -281,11 +283,12 @@ public class XdsSdsClientServerTest { } private XdsClient.LdsResourceWatcher performMtlsTestAndGetListenerWatcher( - UpstreamTlsContext upstreamTlsContext, boolean newApi) + UpstreamTlsContext upstreamTlsContext, boolean newApi, String certInstanceName2, + String privateKey2, String cert2, String trustCa2) throws IOException, URISyntaxException { DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenamesWithClientCertRequired( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, CA_PEM_FILE); + setBootstrapInfoAndBuildDownstreamTlsContext(certInstanceName2, privateKey2, cert2, + trustCa2, true, true); final XdsClientWrapperForServerSds xdsClientWrapperForServerSds = createXdsClientWrapperForServerSds(port); 
@@ -302,6 +305,27 @@ public class XdsSdsClientServerTest { return listenerWatcher; } + private DownstreamTlsContext setBootstrapInfoAndBuildDownstreamTlsContext( + String certInstanceName2, + String privateKey2, + String cert2, String trustCa2, boolean hasRootCert, boolean requireClientCertificate) { + bootstrapInfoForServer = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-server", SERVER_1_KEY_FILE, + SERVER_1_PEM_FILE, CA_PEM_FILE, certInstanceName2, privateKey2, cert2, trustCa2); + return CommonTlsContextTestsUtil.buildDownstreamTlsContext( + "google_cloud_private_spiffe-server", hasRootCert, requireClientCertificate); + } + + private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContext(String clientKeyFile, + String clientPemFile, + boolean hasIdentityCert) { + bootstrapInfoForClient = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-client", clientKeyFile, clientPemFile, + CA_PEM_FILE, null, null, null, null); + return CommonTlsContextTestsUtil + .buildUpstreamTlsContext("google_cloud_private_spiffe-client", hasIdentityCert); + } + private void buildServerWithTlsContext(DownstreamTlsContext downstreamTlsContext) throws IOException { buildServerWithTlsContext(downstreamTlsContext, InsecureServerCredentials.create()); @@ -328,8 +352,9 @@ public class XdsSdsClientServerTest { /** Creates XdsClientWrapperForServerSds. */ private XdsClientWrapperForServerSds createXdsClientWrapperForServerSds(int port) { + tlsContextManagerForServer = new TlsContextManagerImpl(bootstrapInfoForServer); XdsClientWrapperForServerSds xdsClientWrapperForServerSds = - XdsServerTestHelper.createXdsClientWrapperForServerSds(port, tlsContextManager); + XdsServerTestHelper.createXdsClientWrapperForServerSds(port, tlsContextManagerForServer); xdsClientWrapperForServerSds.start(); return xdsClientWrapperForServerSds; } 
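Review bot: `setBootstrapInfoAndBuildDownstreamTlsContext` and `setBootstrapInfoAndBuildUpstreamTlsContext` communicate through the `bootstrapInfoForServer` / `bootstrapInfoForClient` fields, which `createXdsClientWrapperForServerSds` (@@ -328) and `getBlockingStub` (@@ -396) read only when they later run; a test that never calls the downstream helper, such as the plaintext-server case at @@ -241, therefore ends up with `new TlsContextManagerImpl(null)`. That reproduces the old field initializer, but the ordering contract is now implicit, so a comment on each helper would help, e.g. `// Must run before createXdsClientWrapperForServerSds()/getBlockingStub(), which snapshot the bootstrap field.`. The two boolean parameters `hasRootCert` and `requireClientCertificate` are undocumented and every call site reads as `null, null, null, null, false, false`; a short Javadoc naming both would make those calls readable.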
@@ -351,8 +376,10 @@ public class XdsSdsClientServerTest { throws IOException { XdsServerBuilder builder = XdsServerBuilder.forPort(port, serverCredentials) .addService(new SimpleServiceImpl()); + tlsContextManagerForServer = new TlsContextManagerImpl(bootstrapInfoForServer); XdsServerTestHelper.generateListenerUpdate( - xdsClientWrapperForServerSds.getListenerWatcher(), downstreamTlsContext, tlsContextManager); + xdsClientWrapperForServerSds.getListenerWatcher(), downstreamTlsContext, + tlsContextManagerForServer); cleanupRule.register(builder.buildServer(xdsClientWrapperForServerSds)).start(); } @@ -396,12 +423,13 @@ public class XdsSdsClientServerTest { } InetSocketAddress socketAddress = new InetSocketAddress(Inet4Address.getLoopbackAddress(), port); + tlsContextManagerForClient = new TlsContextManagerImpl(bootstrapInfoForClient); Attributes attrs = (upstreamTlsContext != null) ? Attributes.newBuilder() .set(InternalXdsAttributes.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER, new SslContextProviderSupplier( - upstreamTlsContext, tlsContextManager)) + upstreamTlsContext, tlsContextManagerForClient)) .build() : Attributes.EMPTY; fakeNameResolverFactory.setServers( diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java index e2d0fdab58..dfadee957c 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/ClientSslContextProviderFactoryTest.java 
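Review bot: `buildServerWithTlsContext` (@@ -351) constructs a second `TlsContextManagerImpl` from the same `bootstrapInfoForServer` that `createXdsClientWrapperForServerSds` (@@ -328) already turned into `tlsContextManagerForServer`, so — assuming the wrapper passed in is the one that method created — the wrapper and the listener update hold different manager instances and the field ends up pointing at the later one. If TlsContextManagerImpl caches SslContextProviders per context (its implementation is not visible here), the two halves of one server will not share that cache. Reusing the existing instance, `if (tlsContextManagerForServer == null) { tlsContextManagerForServer = new TlsContextManagerImpl(bootstrapInfoForServer); }`, or passing the manager in explicitly, avoids the ambiguity. The enclosing method begins outside the hunk.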
@@ -17,9 +17,6 @@ package io.grpc.xds.internal.sds; import static com.google.common.truth.Truth.assertThat; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.mock; 
@@ -67,62 +64,6 @@ public class ClientSslContextProviderFactoryTest { new CertProviderClientSslContextProvider.Factory(certificateProviderStore); } - @Test - public void createSslContextProvider_allFilenames() { - clientSslContextProviderFactory = - new ClientSslContextProviderFactory( - null, certProviderClientSslContextProviderFactory); - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); - - SslContextProvider sslContextProvider = - clientSslContextProviderFactory.create(upstreamTlsContext); - assertThat(sslContextProvider).isNotNull(); - } - - @Test - public void createSslContextProvider_sdsConfigForTlsCert_expectException() { - clientSslContextProviderFactory = - new ClientSslContextProviderFactory( - null, certProviderClientSslContextProviderFactory); - CommonTlsContext commonTlsContext = - CommonTlsContextTestsUtil.buildCommonTlsContextFromSdsConfigForTlsCertificate( - /* name= */ "name", /* targetUri= */ "unix:/tmp/sds/path", CA_PEM_FILE); - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContext(commonTlsContext); - - try { - clientSslContextProviderFactory.create(upstreamTlsContext); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("unexpected TlsCertificateSdsSecretConfigs"); - } - } - - @Test - public void createSslContextProvider_sdsConfigForCertValidationContext_expectException() { - clientSslContextProviderFactory = - new ClientSslContextProviderFactory( - null, certProviderClientSslContextProviderFactory); - CommonTlsContext commonTlsContext = - CommonTlsContextTestsUtil.buildCommonTlsContextFromSdsConfigForValidationContext( - /* name= */ "name", - /* targetUri= */ "unix:/tmp/sds/path", - CLIENT_KEY_FILE, - CLIENT_PEM_FILE); - UpstreamTlsContext upstreamTlsContext = - 
CommonTlsContextTestsUtil.buildUpstreamTlsContext(commonTlsContext); - - try { - SslContextProvider unused = - clientSslContextProviderFactory.create(upstreamTlsContext); - Assert.fail("no exception thrown"); - } catch (IllegalStateException expected) { - assertThat(expected).hasMessageThat().isEqualTo("incorrect ValidationContextTypeCase"); - } - } - @Test public void createCertProviderClientSslContextProvider() throws XdsInitializationException { final CertificateProvider.DistributorWatcher[] watcherCaptor = @@ -267,23 +208,6 @@ public class ClientSslContextProviderFactoryTest { verifyWatcher(sslContextProvider, watcherCaptor[1]); } - @Test - public void createEmptyCommonTlsContext_exception() throws IOException { - clientSslContextProviderFactory = - new ClientSslContextProviderFactory( - null, certProviderClientSslContextProviderFactory); - UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames(null, null, null); - try { - clientSslContextProviderFactory.create(upstreamTlsContext); - Assert.fail("no exception thrown"); - } catch (UnsupportedOperationException expected) { - assertThat(expected) - .hasMessageThat() - .isEqualTo("Unsupported configurations in UpstreamTlsContext!"); - } - } - @Test public void createNullCommonTlsContext_exception() throws IOException { clientSslContextProviderFactory = diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java index 4b20c87164..35e2f35818 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/CommonTlsContextTestsUtil.java 
@@ -19,25 +19,14 @@ package io.grpc.xds.internal.sds; import static com.google.common.truth.Truth.assertThat; import static java.nio.charset.StandardCharsets.UTF_8; -import com.google.common.base.Strings; import com.google.common.io.CharStreams; import com.google.common.util.concurrent.MoreExecutors; import com.google.protobuf.BoolValue; -import com.google.protobuf.Struct; -import com.google.protobuf.Value; -import io.envoyproxy.envoy.api.v2.core.ApiConfigSource.ApiType; -import io.envoyproxy.envoy.api.v2.core.GrpcService.GoogleGrpc; -import io.envoyproxy.envoy.config.core.v3.ApiConfigSource; -import io.envoyproxy.envoy.config.core.v3.ConfigSource; -import io.envoyproxy.envoy.config.core.v3.DataSource; -import io.envoyproxy.envoy.config.core.v3.GrpcService; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext; import io.envoyproxy.envoy.type.matcher.v3.StringMatcher; import io.grpc.internal.testing.TestUtils; 
@@ -72,193 +61,39 @@ public class CommonTlsContextTestsUtil { public static final String BAD_CLIENT_PEM_FILE = "badclient.pem"; public static final String BAD_CLIENT_KEY_FILE = "badclient.key"; - static io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig buildSdsSecretConfigV2( - String name, String targetUri, String channelType) { - io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig = null; - if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) { - sdsSecretConfig = - io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig.newBuilder() - .setName(name) - .setSdsConfig(buildConfigSourceV2(targetUri, channelType)) - .build(); - } - return sdsSecretConfig; - } - - private static SdsSecretConfig - buildSdsSecretConfig(String name, String targetUri, String channelType) { - SdsSecretConfig sdsSecretConfig = null; - if (!Strings.isNullOrEmpty(name) && !Strings.isNullOrEmpty(targetUri)) { - sdsSecretConfig = - SdsSecretConfig.newBuilder() - .setName(name) - .setSdsConfig(buildConfigSource(targetUri, channelType)) - .build(); - } - return sdsSecretConfig; - } - - /** - * Builds a {@link io.envoyproxy.envoy.api.v2.core.ConfigSource} for the given targetUri. - * - * @param channelType specifying "inproc" creates an Inprocess channel for testing. 
- */ - private static io.envoyproxy.envoy.api.v2.core.ConfigSource buildConfigSourceV2( - String targetUri, String channelType) { - GoogleGrpc.Builder googleGrpcBuilder = GoogleGrpc.newBuilder().setTargetUri(targetUri); - if (channelType != null) { - Struct.Builder structBuilder = Struct.newBuilder() - .putFields("channelType", Value.newBuilder().setStringValue(channelType).build()); - googleGrpcBuilder.setConfig(structBuilder.build()); - } - return io.envoyproxy.envoy.api.v2.core.ConfigSource.newBuilder() - .setApiConfigSource( - io.envoyproxy.envoy.api.v2.core.ApiConfigSource.newBuilder() - .setApiType(ApiType.GRPC) - .addGrpcServices( - io.envoyproxy.envoy.api.v2.core.GrpcService.newBuilder() - .setGoogleGrpc(googleGrpcBuilder.build()) - .build()) - .build()) - .build(); - } - - /** - * Builds a {@link ConfigSource} for the given targetUri. - * - * @param channelType specifying "inproc" creates an Inprocess channel for testing. - */ - private static ConfigSource buildConfigSource(String targetUri, String channelType) { - GrpcService.GoogleGrpc.Builder googleGrpcBuilder = - GrpcService.GoogleGrpc.newBuilder().setTargetUri(targetUri); - if (channelType != null) { - Struct.Builder structBuilder = Struct.newBuilder() - .putFields("channelType", Value.newBuilder().setStringValue(channelType).build()); - googleGrpcBuilder.setConfig(structBuilder.build()); - } - return ConfigSource.newBuilder() - .setApiConfigSource( - ApiConfigSource.newBuilder() - .setApiType(ApiConfigSource.ApiType.GRPC) - .addGrpcServices(GrpcService.newBuilder().setGoogleGrpc(googleGrpcBuilder)) - .build()) - .build(); - } - - static CommonTlsContext buildCommonTlsContextFromSdsConfigForValidationContext( - String name, String targetUri, String privateKey, String certChain) { - SdsSecretConfig sdsSecretConfig = - buildSdsSecretConfig(name, targetUri, /* channelType= */ null); - - CommonTlsContext.Builder builder = - 
CommonTlsContext.newBuilder().setValidationContextSdsSecretConfig(sdsSecretConfig); - - if (!Strings.isNullOrEmpty(privateKey) && !Strings.isNullOrEmpty(certChain)) { - builder.addTlsCertificates( - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setFilename(certChain)) - .setPrivateKey(DataSource.newBuilder().setFilename(privateKey)) - .build()); - } - return builder.build(); - } - - static CommonTlsContext buildCommonTlsContextFromSdsConfigForTlsCertificate( - String name, String targetUri, String trustCa) { - - SdsSecretConfig sdsSecretConfig = - buildSdsSecretConfig(name, targetUri, /* channelType= */ null); - CommonTlsContext.Builder builder = - CommonTlsContext.newBuilder().addTlsCertificateSdsSecretConfigs(sdsSecretConfig); - - if (!Strings.isNullOrEmpty(trustCa)) { - builder.setValidationContext( - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setFilename(trustCa)) - .build()); - } - return builder.build(); - } - - /** takes additional values and creates CombinedCertificateValidationContext as needed. 
*/ - @SuppressWarnings("deprecation") - static io.envoyproxy.envoy.api.v2.auth.CommonTlsContext - buildCommonTlsContextWithAdditionalValuesV2( - String certName, - String certTargetUri, - String validationContextName, - String validationContextTargetUri, - Iterable verifySubjectAltNames, - Iterable alpnNames, - String channelType) { - - io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.Builder builder = - io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.newBuilder(); - - io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig sdsSecretConfig = - buildSdsSecretConfigV2(certName, certTargetUri, channelType); - if (sdsSecretConfig != null) { - builder.addTlsCertificateSdsSecretConfigs(sdsSecretConfig); - } - sdsSecretConfig = - buildSdsSecretConfigV2(validationContextName, validationContextTargetUri, channelType); - io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext certValidationContext = - verifySubjectAltNames == null ? null - : io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.newBuilder() - .addAllVerifySubjectAltName(verifySubjectAltNames).build(); - - if (sdsSecretConfig != null && certValidationContext != null) { - io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext - combined = - io.envoyproxy.envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext - .newBuilder() - .setDefaultValidationContext(certValidationContext) - .setValidationContextSdsSecretConfig(sdsSecretConfig) - .build(); - builder.setCombinedValidationContext(combined); - } else if (sdsSecretConfig != null) { - builder.setValidationContextSdsSecretConfig(sdsSecretConfig); - } else if (certValidationContext != null) { - builder.setValidationContext(certValidationContext); - } - if (alpnNames != null) { - builder.addAllAlpnProtocols(alpnNames); - } - return builder.build(); - } - /** takes additional values and creates CombinedCertificateValidationContext as needed. 
*/ static CommonTlsContext buildCommonTlsContextWithAdditionalValues( - String certName, - String certTargetUri, - String validationContextName, - String validationContextTargetUri, + String certInstanceName, String certName, + String validationContextCertInstanceName, String validationContextCertName, Iterable matchSubjectAltNames, - Iterable alpnNames, - String channelType) { + Iterable alpnNames) { CommonTlsContext.Builder builder = CommonTlsContext.newBuilder(); - SdsSecretConfig sdsSecretConfig = buildSdsSecretConfig(certName, certTargetUri, channelType); - if (sdsSecretConfig != null) { - builder.addTlsCertificateSdsSecretConfigs(sdsSecretConfig); + CertificateProviderInstance certificateProviderInstance = CertificateProviderInstance + .newBuilder().setInstanceName(certInstanceName).setCertificateName(certName).build(); + if (certificateProviderInstance != null) { + builder.setTlsCertificateCertificateProviderInstance(certificateProviderInstance); } - sdsSecretConfig = - buildSdsSecretConfig(validationContextName, validationContextTargetUri, channelType); + CertificateProviderInstance validationCertificateProviderInstance = + CertificateProviderInstance.newBuilder().setInstanceName(validationContextCertInstanceName) + .setCertificateName(validationContextCertName).build(); CertificateValidationContext certValidationContext = matchSubjectAltNames == null ? 
null : CertificateValidationContext.newBuilder() .addAllMatchSubjectAltNames(matchSubjectAltNames) .build(); - if (sdsSecretConfig != null && certValidationContext != null) { + if (validationCertificateProviderInstance != null && certValidationContext != null) { CombinedCertificateValidationContext.Builder combinedBuilder = CombinedCertificateValidationContext.newBuilder() .setDefaultValidationContext(certValidationContext) - .setValidationContextSdsSecretConfig(sdsSecretConfig); + .setValidationContextCertificateProviderInstance( + validationCertificateProviderInstance); builder.setCombinedValidationContext(combinedBuilder); - } else if (sdsSecretConfig != null) { - builder.setValidationContextSdsSecretConfig(sdsSecretConfig); + } else if (validationCertificateProviderInstance != null) { + builder + .setValidationContextCertificateProviderInstance(validationCertificateProviderInstance); } else if (certValidationContext != null) { builder.setValidationContext(certValidationContext); } @@ -268,18 +103,6 @@ public class CommonTlsContextTestsUtil { return builder.build(); } - /** Helper method to build DownstreamTlsContext for multiple test classes. */ - static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext buildDownstreamTlsContextV2( - io.envoyproxy.envoy.api.v2.auth.CommonTlsContext commonTlsContext, - boolean requireClientCert) { - io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext downstreamTlsContext = - io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext.newBuilder() - .setCommonTlsContext(commonTlsContext) - .setRequireClientCertificate(BoolValue.of(requireClientCert)) - .build(); - return downstreamTlsContext; - } - /** Helper method to build DownstreamTlsContext for multiple test classes. */ static DownstreamTlsContext buildDownstreamTlsContext( CommonTlsContext commonTlsContext, boolean requireClientCert) { 
@@ -291,6 +114,20 @@ public class CommonTlsContextTestsUtil { return downstreamTlsContext; } + /** Helper method to build DownstreamTlsContext for multiple test classes. */ + public static EnvoyServerProtoData.DownstreamTlsContext buildDownstreamTlsContext( + String commonInstanceName, boolean hasRootCert, + boolean requireClientCertificate) { + return buildDownstreamTlsContextForCertProviderInstance( + commonInstanceName, + "default", + hasRootCert ? commonInstanceName : null, + hasRootCert ? "ROOT" : null, + /* alpnProtocols= */ null, + /* staticCertValidationContext= */ null, + /* requireClientCert= */ requireClientCertificate); + } + /** Helper method to build internal DownstreamTlsContext for multiple test classes. */ static EnvoyServerProtoData.DownstreamTlsContext buildInternalDownstreamTlsContext( CommonTlsContext commonTlsContext, boolean requireClientCert) { 
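Review bot: The Javadoc on the new three-argument `buildDownstreamTlsContext` overload is a verbatim copy of the `(CommonTlsContext, boolean)` overload's and says nothing about what the context actually contains, so a reader cannot tell that `commonInstanceName` must match a certificate-provider instance declared in the bootstrap the test's `TlsContextManagerImpl` is built from, that the identity cert is always requested under the name `"default"`, or that `hasRootCert` toggles a root requested under `"ROOT"` from that same instance. I would replace it with `/** Builds a DownstreamTlsContext on certificate-provider instance {@code commonInstanceName}: identity cert "default" always; root cert "ROOT" from the same instance only when {@code hasRootCert}, otherwise no validation context. No ALPN and no static validation context are set. */`. Note also that `hasRootCert=false` with `requireClientCertificate=true` produces a server that demands a client certificate while having no trust roots configured; if no test relies on that combination, a `checkArgument(hasRootCert || !requireClientCertificate, "client cert required but no root configured")` would catch accidental use.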
@@ -298,36 +135,18 @@ public class CommonTlsContextTestsUtil { buildDownstreamTlsContext(commonTlsContext, requireClientCert)); } - /** Helper method for creating DownstreamTlsContext values with names. */ - public static io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext - buildTestDownstreamTlsContextV2(String certName, String validationContextName) { - return buildDownstreamTlsContextV2( - buildCommonTlsContextWithAdditionalValuesV2( - certName, - "unix:/var/run/sds/uds_path", - validationContextName, - "unix:/var/run/sds/uds_path", - Arrays.asList("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob"), - Arrays.asList("managed-tls"), - null), - /* requireClientCert= */ false); - } - /** Helper method for creating DownstreamTlsContext values with names. */ public static DownstreamTlsContext buildTestDownstreamTlsContext( - String certName, String validationContextName) { + String certName, String validationContextCertName) { return buildDownstreamTlsContext( buildCommonTlsContextWithAdditionalValues( - certName, - "unix:/var/run/sds/uds_path", - validationContextName, - "unix:/var/run/sds/uds_path", + "cert-instance-name", certName, + "val-cert-instance-name", validationContextCertName, Arrays.asList( StringMatcher.newBuilder() .setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob") .build()), - Arrays.asList("managed-tls"), - null), + Arrays.asList("managed-tls")), /* requireClientCert= */ false); } 
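Review bot: The instance names `"cert-instance-name"` and `"val-cert-instance-name"` are now baked into `buildTestDownstreamTlsContext` as bare literals, and nothing in the signature or Javadoc tells a caller that a `TlsContextManagerImpl` fed this context must come from a bootstrap declaring exactly those two certificate-provider instances. I would hoist them to `static final String CERT_INSTANCE_NAME = "cert-instance-name";` and `static final String VALIDATION_INSTANCE_NAME = "val-cert-instance-name";` so tests that build the matching bootstrap can reference the same constants, and extend the Javadoc with a sentence such as `Uses certificate-provider instances CERT_INSTANCE_NAME (identity) and VALIDATION_INSTANCE_NAME (root); a matching bootstrap is needed to actually resolve them.` The renamed `validationContextCertName` parameter is clearer than the old name, but the doc still says "values with names" without saying which names.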
@@ -341,103 +160,6 @@ public class CommonTlsContextTestsUtil { return TestUtils.loadCert(resFile).getAbsolutePath(); } - /** - * Helper method to build DownstreamTlsContext for above tests. Called from other classes as well. - */ - public static EnvoyServerProtoData.DownstreamTlsContext buildDownstreamTlsContextFromFilenames( - @Nullable String privateKey, @Nullable String certChain, @Nullable String trustCa) { - return buildDownstreamTlsContextFromFilenamesWithClientAuth(privateKey, certChain, trustCa, - false); - } - - /** - * Helper method to build DownstreamTlsContext for above tests. Called from other classes as well. - */ - public static EnvoyServerProtoData.DownstreamTlsContext - buildDownstreamTlsContextFromFilenamesWithClientCertRequired( - @Nullable String privateKey, @Nullable String certChain, @Nullable String trustCa) { - return buildDownstreamTlsContextFromFilenamesWithClientAuth(privateKey, certChain, trustCa, - true); - } - - private static EnvoyServerProtoData.DownstreamTlsContext - buildDownstreamTlsContextFromFilenamesWithClientAuth( - @Nullable String privateKey, - @Nullable String certChain, - @Nullable String trustCa, - boolean requireClientCert) { - // get temp file for each file - try { - if (certChain != null) { - certChain = getTempFileNameForResourcesFile(certChain); - } - if (privateKey != null) { - privateKey = getTempFileNameForResourcesFile(privateKey); - } - if (trustCa != null) { - trustCa = getTempFileNameForResourcesFile(trustCa); - } - } catch (IOException ioe) { - throw new RuntimeException(ioe); - } - return buildInternalDownstreamTlsContext( - buildCommonTlsContextFromFilenames(privateKey, certChain, trustCa), requireClientCert); - } - - /** - * Helper method to build UpstreamTlsContext for above tests. Called from other classes as well. 
- */ - public static EnvoyServerProtoData.UpstreamTlsContext buildUpstreamTlsContextFromFilenames( - @Nullable String privateKey, @Nullable String certChain, @Nullable String trustCa) { - try { - if (certChain != null) { - certChain = getTempFileNameForResourcesFile(certChain); - } - if (privateKey != null) { - privateKey = getTempFileNameForResourcesFile(privateKey); - } - if (trustCa != null) { - trustCa = getTempFileNameForResourcesFile(trustCa); - } - } catch (IOException ioe) { - throw new RuntimeException(ioe); - } - return buildUpstreamTlsContext( - buildCommonTlsContextFromFilenames(privateKey, certChain, trustCa)); - } - - private static CommonTlsContext buildCommonTlsContextFromFilenames( - String privateKey, String certChain, String trustCa) { - TlsCertificate tlsCert = null; - if (!Strings.isNullOrEmpty(privateKey) && !Strings.isNullOrEmpty(certChain)) { - tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setFilename(certChain)) - .setPrivateKey(DataSource.newBuilder().setFilename(privateKey)) - .build(); - } - CertificateValidationContext certContext = null; - if (!Strings.isNullOrEmpty(trustCa)) { - certContext = - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setFilename(trustCa)) - .build(); - } - return getCommonTlsContext(tlsCert, certContext); - } - - static CommonTlsContext getCommonTlsContext( - TlsCertificate tlsCertificate, CertificateValidationContext certContext) { - CommonTlsContext.Builder builder = CommonTlsContext.newBuilder(); - if (tlsCertificate != null) { - builder = builder.addTlsCertificates(tlsCertificate); - } - if (certContext != null) { - builder = builder.setValidationContext(certContext); - } - return builder.build(); - } - /** * Helper method to build UpstreamTlsContext for above tests. Called from other classes as well. */ 
@@ -449,6 +171,18 @@ public class CommonTlsContextTestsUtil { upstreamTlsContext); } + /** Helper method to build UpstreamTlsContext for multiple test classes. */ + public static EnvoyServerProtoData.UpstreamTlsContext buildUpstreamTlsContext( + String commonInstanceName, boolean hasIdentityCert) { + return buildUpstreamTlsContextForCertProviderInstance( + hasIdentityCert ? commonInstanceName : null, + hasIdentityCert ? "default" : null, + commonInstanceName, + "ROOT", + null, + null); + } + /** Gets a cert from contents of a resource. */ public static X509Certificate getCertFromResourceName(String resourceName) throws IOException, CertificateException { @@ -516,22 +250,6 @@ public class CommonTlsContextTestsUtil { return builder; } - static CommonTlsContext.Builder addCertificateValidationContext( - CommonTlsContext.Builder builder, - String name, - String targetUri, - String channelType, - CertificateValidationContext staticCertValidationContext) { - SdsSecretConfig sdsSecretConfig = buildSdsSecretConfig(name, targetUri, channelType); - - CombinedCertificateValidationContext combined = - CombinedCertificateValidationContext.newBuilder() - .setDefaultValidationContext(staticCertValidationContext) - .setValidationContextSdsSecretConfig(sdsSecretConfig) - .build(); - return builder.setCombinedValidationContext(combined); - } - /** Helper method to build UpstreamTlsContext for CertProvider tests. */ public static EnvoyServerProtoData.UpstreamTlsContext buildUpstreamTlsContextForCertProviderInstance( 
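Review bot: The new `buildUpstreamTlsContext(String, boolean)` passes its last two arguments as bare `null, null`, whereas its downstream counterpart labels the same positions `/* alpnProtocols= */ null` and `/* staticCertValidationContext= */ null`; the labels should be used here too. The null `staticCertValidationContext` also means the client side carries no SAN matchers, so it will accept any server certificate chaining to `"ROOT"`, which is fine for these tests but worth stating so nobody mistakes it for a hostname-checked client. I would document the helper as `/** Builds an UpstreamTlsContext on certificate-provider instance {@code commonInstanceName}: root cert "ROOT" always; identity cert "default" only when {@code hasIdentityCert}. No SAN matchers and no ALPN are configured. */`, which also makes the asymmetry with the downstream helper (identity always, root toggled) explicit.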
@@ -562,13 +280,13 @@ public class CommonTlsContextTestsUtil { CertificateValidationContext staticCertValidationContext, boolean requireClientCert) { return buildInternalDownstreamTlsContext( - buildCommonTlsContextForCertProviderInstance( - certInstanceName, - certName, - rootInstanceName, - rootCertName, - alpnProtocols, - staticCertValidationContext), requireClientCert); + buildCommonTlsContextForCertProviderInstance( + certInstanceName, + certName, + rootInstanceName, + rootCertName, + alpnProtocols, + staticCertValidationContext), requireClientCert); } diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java index 1f1d32644e..2a6a3c8cc3 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/SdsProtocolNegotiatorsTest.java 
@@ -31,20 +31,19 @@ import static org.mockito.Mockito.doNothing; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; -import com.google.common.base.Strings; -import io.envoyproxy.envoy.config.core.v3.DataSource; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext; +import com.google.common.util.concurrent.MoreExecutors; +import com.google.common.util.concurrent.SettableFuture; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate; import io.grpc.Attributes; import io.grpc.ChannelLogger; import io.grpc.ChannelLogger.ChannelLogLevel; import io.grpc.internal.TestUtils.NoopChannelLogger; -import io.grpc.internal.testing.TestUtils; import io.grpc.netty.GrpcHttp2ConnectionHandler; import io.grpc.netty.InternalProtocolNegotiationEvent; import io.grpc.netty.InternalProtocolNegotiator.ProtocolNegotiator; import io.grpc.netty.InternalProtocolNegotiators; +import io.grpc.xds.Bootstrapper; +import io.grpc.xds.CommonBootstrapperTestUtils; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext; import io.grpc.xds.InternalXdsAttributes; @@ -66,6 +65,7 @@ import io.netty.handler.codec.http2.DefaultHttp2FrameWriter; import io.netty.handler.codec.http2.Http2ConnectionDecoder; import io.netty.handler.codec.http2.Http2ConnectionEncoder; import io.netty.handler.codec.http2.Http2Settings; +import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslHandler; import io.netty.handler.ssl.SslHandshakeCompletionEvent; import java.io.IOException; 
@@ -74,6 +74,9 @@ import java.net.SocketAddress;
 import java.security.cert.CertStoreException;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
@@ -89,70 +92,6 @@ public class SdsProtocolNegotiatorsTest { private ChannelPipeline pipeline = channel.pipeline(); private ChannelHandlerContext channelHandlerCtx; - private static String getTempFileNameForResourcesFile(String resFile) throws IOException { - return Strings.isNullOrEmpty(resFile) ? null : TestUtils.loadCert(resFile).getAbsolutePath(); - } - - /** Builds DownstreamTlsContext from file-names. */ - private static DownstreamTlsContext buildDownstreamTlsContextFromFilenames( - String privateKey, String certChain, String trustCa) throws IOException { - return buildDownstreamTlsContext( - buildCommonTlsContextFromFilenames(privateKey, certChain, trustCa)); - } - - /** Builds UpstreamTlsContext from file-names. */ - private static UpstreamTlsContext buildUpstreamTlsContextFromFilenames( - String privateKey, String certChain, String trustCa) throws IOException { - return CommonTlsContextTestsUtil.buildUpstreamTlsContext( - buildCommonTlsContextFromFilenames(privateKey, certChain, trustCa)); - } - - /** Builds DownstreamTlsContext from commonTlsContext. 
*/ - private static DownstreamTlsContext buildDownstreamTlsContext(CommonTlsContext commonTlsContext) { - io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - downstreamTlsContext = - io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - .newBuilder() - .setCommonTlsContext(commonTlsContext) - .build(); - return DownstreamTlsContext.fromEnvoyProtoDownstreamTlsContext(downstreamTlsContext); - } - - private static CommonTlsContext buildCommonTlsContextFromFilenames( - String privateKey, String certChain, String trustCa) throws IOException { - TlsCertificate tlsCert = null; - privateKey = getTempFileNameForResourcesFile(privateKey); - certChain = getTempFileNameForResourcesFile(certChain); - trustCa = getTempFileNameForResourcesFile(trustCa); - if (!Strings.isNullOrEmpty(privateKey) && !Strings.isNullOrEmpty(certChain)) { - tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setFilename(certChain)) - .setPrivateKey(DataSource.newBuilder().setFilename(privateKey)) - .build(); - } - CertificateValidationContext certContext = null; - if (!Strings.isNullOrEmpty(trustCa)) { - certContext = - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setFilename(trustCa)) - .build(); - } - return getCommonTlsContext(tlsCert, certContext); - } - - private static CommonTlsContext getCommonTlsContext( - TlsCertificate tlsCertificate, CertificateValidationContext certContext) { - CommonTlsContext.Builder builder = CommonTlsContext.newBuilder(); - if (tlsCertificate != null) { - builder = builder.addTlsCertificates(tlsCertificate); - } - if (certContext != null) { - builder = builder.setValidationContext(certContext); - } - return builder.build(); - } - @Test public void clientSdsProtocolNegotiatorNewHandler_noTlsContextAttribute() { ChannelHandler mockChannelHandler = mock(ChannelHandler.class); 
@@ -181,8 +120,7 @@ public class SdsProtocolNegotiatorsTest { @Test public void clientSdsProtocolNegotiatorNewHandler_withTlsContextAttribute() { UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContext( - getCommonTlsContext(/* tlsCertificate= */ null, /* certContext= */ null)); + CommonTlsContextTestsUtil.buildUpstreamTlsContext(CommonTlsContext.newBuilder().build()); ClientSdsProtocolNegotiator pn = new ClientSdsProtocolNegotiator(InternalProtocolNegotiators.plaintext()); GrpcHttp2ConnectionHandler mockHandler = mock(GrpcHttp2ConnectionHandler.class); @@ -202,12 +140,18 @@ public class SdsProtocolNegotiatorsTest { } @Test - public void clientSdsHandler_addLast() throws IOException { + public void clientSdsHandler_addLast() + throws InterruptedException, TimeoutException, ExecutionException { + Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE, + CA_PEM_FILE, null, null, null, null); UpstreamTlsContext upstreamTlsContext = - buildUpstreamTlsContextFromFilenames(CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); + CommonTlsContextTestsUtil + .buildUpstreamTlsContext("google_cloud_private_spiffe-client", true); SslContextProviderSupplier sslContextProviderSupplier = - new SslContextProviderSupplier(upstreamTlsContext, new TlsContextManagerImpl(null)); + new SslContextProviderSupplier(upstreamTlsContext, + new TlsContextManagerImpl(bootstrapInfoForClient)); SdsProtocolNegotiators.ClientSdsHandler clientSdsHandler = new SdsProtocolNegotiators.ClientSdsHandler(grpcHandler, sslContextProviderSupplier); pipeline.addLast(clientSdsHandler); 
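Review bot: The bootstrap and upstream-context construction added to `clientSdsHandler_addLast` is repeated verbatim in `clientSdsProtocolNegotiatorNewHandler_fireProtocolNegotiationEvent` later in this file, and both call `buildBootstrapInfo(...)` with four trailing unlabeled `null`s whose meaning is only discoverable by opening `CommonBootstrapperTestUtils`. I would extract the shared setup into one private helper and label the nulls with the parameter names from that utility. `clientSdsHandler_addLast` continues past this hunk.
```java
  /**
   * Client-side supplier whose "google_cloud_private_spiffe-client" provider instance serves
   * CLIENT_KEY_FILE/CLIENT_PEM_FILE as identity and CA_PEM_FILE as the root.
   */
  private static SslContextProviderSupplier clientSslContextProviderSupplier() {
    Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
        .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE,
            CA_PEM_FILE, null, null, null, null); // label the nulls with the parameter names
    UpstreamTlsContext upstreamTlsContext = CommonTlsContextTestsUtil
        .buildUpstreamTlsContext("google_cloud_private_spiffe-client", true);
    return new SslContextProviderSupplier(upstreamTlsContext,
        new TlsContextManagerImpl(bootstrapInfoForClient));
  }
```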
@@ -216,7 +160,23 @@ public class SdsProtocolNegotiatorsTest { // kick off protocol negotiation. pipeline.fireUserEventTriggered(InternalProtocolNegotiationEvent.getDefault()); - channel.runPendingTasks(); // need this for tasks to execute on eventLoop + final SettableFuture future = SettableFuture.create(); + sslContextProviderSupplier + .updateSslContext(new SslContextProvider.Callback(MoreExecutors.directExecutor()) { + @Override + public void updateSecret(SslContext sslContext) { + future.set(sslContext); + } + + @Override + protected void onException(Throwable throwable) { + future.set(throwable); + } + }); + channel.runPendingTasks(); + Object fromFuture = future.get(2, TimeUnit.SECONDS); + assertThat(fromFuture).isInstanceOf(SslContext.class); + channel.runPendingTasks(); channelHandlerCtx = pipeline.context(clientSdsHandler); assertThat(channelHandlerCtx).isNull(); @@ -229,7 +189,8 @@ public class SdsProtocolNegotiatorsTest { } @Test - public void serverSdsHandler_addLast() throws IOException { + public void serverSdsHandler_addLast() + throws InterruptedException, TimeoutException, ExecutionException { // we need InetSocketAddress instead of EmbeddedSocketAddress as localAddress for this test channel = new EmbeddedChannel() { 
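Review bot: `SettableFuture future = SettableFuture.create();` is a raw type, and routing the provider's failure through `future.set(throwable)` means a broken certificate load surfaces only as a bare `isInstanceOf(SslContext.class)` assertion failure that never shows the underlying exception. Use `final SettableFuture<SslContext> future = SettableFuture.create();`, make `onException` call `future.setException(throwable);`, and replace the cast-and-assert with `SslContext sslContext = future.get(2, TimeUnit.SECONDS);` so a provider error propagates as an `ExecutionException` carrying the real cause. The same anonymous callback is pasted into two more tests in this file; a small `awaitSslContext(supplier, timeoutSeconds)` helper would remove the duplication. `clientSdsHandler_addLast` starts in the preceding hunk.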
@@ -244,12 +205,17 @@ public class SdsProtocolNegotiatorsTest { } }; pipeline = channel.pipeline(); + Bootstrapper.BootstrapInfo bootstrapInfoForServer = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-server", SERVER_1_KEY_FILE, + SERVER_1_PEM_FILE, CA_PEM_FILE, null, null, null, null); DownstreamTlsContext downstreamTlsContext = - buildDownstreamTlsContextFromFilenames(SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, CA_PEM_FILE); + CommonTlsContextTestsUtil.buildDownstreamTlsContext( + "google_cloud_private_spiffe-server", true, true); + TlsContextManagerImpl tlsContextManager = new TlsContextManagerImpl(bootstrapInfoForServer); XdsClientWrapperForServerSds xdsClientWrapperForServerSds = XdsClientWrapperForServerSdsTestMisc.createXdsClientWrapperForServerSds( - 80, downstreamTlsContext, new TlsContextManagerImpl(null)); + 80, downstreamTlsContext, tlsContextManager); SdsProtocolNegotiators.HandlerPickerHandler handlerPickerHandler = new SdsProtocolNegotiators.HandlerPickerHandler(grpcHandler, xdsClientWrapperForServerSds, InternalProtocolNegotiators.serverPlaintext()); 
@@ -263,7 +229,26 @@ public class SdsProtocolNegotiatorsTest { assertThat(channelHandlerCtx).isNull(); channelHandlerCtx = pipeline.context(SdsProtocolNegotiators.ServerSdsHandler.class); assertThat(channelHandlerCtx).isNotNull(); + + SslContextProviderSupplier sslContextProviderSupplier = + new SslContextProviderSupplier(downstreamTlsContext, tlsContextManager); + final SettableFuture future = SettableFuture.create(); + sslContextProviderSupplier + .updateSslContext(new SslContextProvider.Callback(MoreExecutors.directExecutor()) { + @Override + public void updateSecret(SslContext sslContext) { + future.set(sslContext); + } + + @Override + protected void onException(Throwable throwable) { + future.set(throwable); + } + }); channel.runPendingTasks(); // need this for tasks to execute on eventLoop + Object fromFuture = future.get(2, TimeUnit.SECONDS); + assertThat(fromFuture).isInstanceOf(SslContext.class); + channel.runPendingTasks(); channelHandlerCtx = pipeline.context(SdsProtocolNegotiators.ServerSdsHandler.class); assertThat(channelHandlerCtx).isNull(); 
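Review bot: The `SslContextProviderSupplier` created here is a fresh object, not the one the `ServerSdsHandler` obtained via `xdsClientWrapperForServerSds`, so awaiting its callback only shows that `tlsContextManager` can build an `SslContext` for `downstreamTlsContext`; the subsequent assertion that the handler removed itself presumably holds because the manager hands both suppliers the same cached provider, whose single update completes in the same `runPendingTasks()`. That coupling is invisible in the test, so I would state it above the supplier: `// Separate supplier on the same TlsContextManagerImpl: it shares the handler's provider, so its callback firing means the handler's did too.` As in the client test, `SettableFuture` should be parameterized as `SettableFuture<SslContext>` and `onException` should use `future.setException(throwable)` so a failed load reports its cause. `serverSdsHandler_addLast` starts in an earlier hunk.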
@@ -365,12 +350,17 @@ public class SdsProtocolNegotiatorsTest { @Test public void clientSdsProtocolNegotiatorNewHandler_fireProtocolNegotiationEvent() - throws IOException, InterruptedException { + throws InterruptedException, TimeoutException, ExecutionException { + Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE, + CA_PEM_FILE, null, null, null, null); UpstreamTlsContext upstreamTlsContext = - buildUpstreamTlsContextFromFilenames(CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); + CommonTlsContextTestsUtil + .buildUpstreamTlsContext("google_cloud_private_spiffe-client", true); SslContextProviderSupplier sslContextProviderSupplier = - new SslContextProviderSupplier(upstreamTlsContext, new TlsContextManagerImpl(null)); + new SslContextProviderSupplier(upstreamTlsContext, + new TlsContextManagerImpl(bootstrapInfoForClient)); SdsProtocolNegotiators.ClientSdsHandler clientSdsHandler = new SdsProtocolNegotiators.ClientSdsHandler(grpcHandler, sslContextProviderSupplier); 
@@ -380,7 +370,23 @@ public class SdsProtocolNegotiatorsTest { // kick off protocol negotiation. pipeline.fireUserEventTriggered(InternalProtocolNegotiationEvent.getDefault()); + final SettableFuture future = SettableFuture.create(); + sslContextProviderSupplier + .updateSslContext(new SslContextProvider.Callback(MoreExecutors.directExecutor()) { + @Override + public void updateSecret(SslContext sslContext) { + future.set(sslContext); + } + + @Override + protected void onException(Throwable throwable) { + future.set(throwable); + } + }); channel.runPendingTasks(); // need this for tasks to execute on eventLoop + Object fromFuture = future.get(5, TimeUnit.SECONDS); + assertThat(fromFuture).isInstanceOf(SslContext.class); + channel.runPendingTasks(); channelHandlerCtx = pipeline.context(clientSdsHandler); assertThat(channelHandlerCtx).isNull(); Object sslEvent = SslHandshakeCompletionEvent.SUCCESS; diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java deleted file mode 100644 index 6ecb533e28..0000000000 --- a/xds/src/test/java/io/grpc/xds/internal/sds/SdsSslContextProviderTest.java +++ /dev/null 
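Review bot: The wait here is `future.get(5, TimeUnit.SECONDS)` while the two sibling tests that await the very same operation use two seconds, and nothing explains the difference. I would introduce `private static final long SSL_CONTEXT_TIMEOUT_SECONDS = 5;` and use it in all three tests, or comment why this one needs a longer budget. The raw `SettableFuture` and `future.set(throwable)` pattern is repeated here as well and should become `SettableFuture<SslContext>` with `setException`, as noted on the earlier hunk. The enclosing test starts in the preceding hunk.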
@@ -1,263 +0,0 @@ -/* - * Copyright 2019 The gRPC Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package io.grpc.xds.internal.sds; - -import static com.google.common.truth.Truth.assertThat; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.doChecksOnSslContext; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.getValueThruCallback; -import static io.grpc.xds.internal.sds.SdsClientTest.getOneCertificateValidationContextSecret; -import static io.grpc.xds.internal.sds.SdsClientTest.getOneTlsCertSecret; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - -import com.google.common.util.concurrent.MoreExecutors; -import io.envoyproxy.envoy.api.v2.core.Node; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext; -import io.envoyproxy.envoy.type.matcher.v3.StringMatcher; -import io.grpc.Status.Code; -import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.TestCallback; -import java.io.IOException; -import java.util.Arrays; -import org.junit.After; 
-import org.junit.Before; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** Unit tests for {@link SdsClientSslContextProvider}. */ -@RunWith(JUnit4.class) -public class SdsSslContextProviderTest { - - private TestSdsServer.ServerMock serverMock; - private TestSdsServer server; - private Node node; - - @Before - public void setUp() throws Exception { - serverMock = mock(TestSdsServer.ServerMock.class); - server = new TestSdsServer(serverMock); - server.startServer(/* name= */ "inproc", /* useUds= */ false, /* useInterceptor= */ false); - - node = Node.newBuilder().setId("sds-client-temp-test1").build(); - } - - @After - public void teardown() throws InterruptedException { - server.shutdown(); - } - - /** Helper method to build SdsClientSslContextProvider from given names. */ - private SdsClientSslContextProvider getSdsClientSslContextProvider( - String certName, - String validationContextName, - Iterable matchSubjectAltNames, - Iterable alpnProtocols) - throws IOException { - - CommonTlsContext commonTlsContext = - CommonTlsContextTestsUtil.buildCommonTlsContextWithAdditionalValues( - certName, - /* certTargetUri= */ "inproc", - validationContextName, - /* validationContextTargetUri= */ "inproc", - matchSubjectAltNames, - alpnProtocols, - /* channelType= */ "inproc"); - - return SdsClientSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildUpstreamTlsContext(commonTlsContext), - node, - MoreExecutors.directExecutor(), - MoreExecutors.directExecutor()); - } - - /** Helper method to build SdsServerSslContextProvider from given names. 
*/ - private SdsServerSslContextProvider getSdsServerSslContextProvider( - String certName, - String validationContextName, - Iterable matchSubjectAltNames, - Iterable alpnProtocols) - throws IOException { - - CommonTlsContext commonTlsContext = - CommonTlsContextTestsUtil.buildCommonTlsContextWithAdditionalValues( - certName, - /* certTargetUri= */ "inproc", - validationContextName, - /* validationContextTargetUri= */ "inproc", - matchSubjectAltNames, - alpnProtocols, - /* channelType= */ "inproc"); - - return SdsServerSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildInternalDownstreamTlsContext( - commonTlsContext, /* requireClientCert= */ false), - node, - MoreExecutors.directExecutor(), - MoreExecutors.directExecutor()); - } - - @Test - public void testProviderForServer() throws IOException { - when(serverMock.getSecretFor(/* name= */ "cert1")) - .thenReturn(getOneTlsCertSecret(/* name= */ "cert1", SERVER_1_KEY_FILE, SERVER_1_PEM_FILE)); - when(serverMock.getSecretFor(/* name= */ "valid1")) - .thenReturn(getOneCertificateValidationContextSecret(/* name= */ "valid1", CA_PEM_FILE)); - - SdsServerSslContextProvider provider = - getSdsServerSslContextProvider("cert1", "valid1", null, null); - TestCallback testCallback = getValueThruCallback(provider); - - doChecksOnSslContext(true, testCallback.updatedSslContext, /* expectedApnProtos= */ null); - } - - @Test - public void testProviderForClient() throws IOException { - when(serverMock.getSecretFor(/* name= */ "cert1")) - .thenReturn(getOneTlsCertSecret(/* name= */ "cert1", CLIENT_KEY_FILE, CLIENT_PEM_FILE)); - when(serverMock.getSecretFor("valid1")) - .thenReturn(getOneCertificateValidationContextSecret(/* name= */ "valid1", CA_PEM_FILE)); - - SdsClientSslContextProvider provider = - getSdsClientSslContextProvider( - /* certName= */ "cert1", - /* validationContextName= */ "valid1", - /* matchSubjectAltNames= */ null, - /* alpnProtocols= */ null); - TestCallback testCallback = 
getValueThruCallback(provider); - - doChecksOnSslContext(false, testCallback.updatedSslContext, /* expectedApnProtos= */ null); - } - - @Test - public void testProviderForServer_onlyCert() throws IOException { - when(serverMock.getSecretFor(/* name= */ "cert1")) - .thenReturn(getOneTlsCertSecret(/* name= */ "cert1", SERVER_1_KEY_FILE, SERVER_1_PEM_FILE)); - - SdsServerSslContextProvider provider = - getSdsServerSslContextProvider( - /* certName= */ "cert1", - /* validationContextName= */ null, - /* matchSubjectAltNames= */ null, - /* alpnProtocols= */ null); - TestCallback testCallback = getValueThruCallback(provider); - - doChecksOnSslContext(true, testCallback.updatedSslContext, /* expectedApnProtos= */ null); - } - - @Test - public void getProviderForClient_onlyTrust() throws IOException { - when(serverMock.getSecretFor(/* name= */ "valid1")) - .thenReturn(getOneCertificateValidationContextSecret(/* name= */ "valid1", CA_PEM_FILE)); - - SdsClientSslContextProvider provider = - getSdsClientSslContextProvider( - /* certName= */ null, - /* validationContextName= */ "valid1", - /* matchSubjectAltNames= */ null, - null); - TestCallback testCallback = getValueThruCallback(provider); - - doChecksOnSslContext(false, testCallback.updatedSslContext, /* expectedApnProtos= */ null); - } - - @Test - public void getProviderForServer_noCert_throwsException() throws IOException { - when(serverMock.getSecretFor(/* name= */ "valid1")) - .thenReturn(getOneCertificateValidationContextSecret(/* name= */ "valid1", CA_PEM_FILE)); - - SdsServerSslContextProvider provider = - getSdsServerSslContextProvider( - /* certName= */ null, - /* validationContextName= */ "valid1", - /* matchSubjectAltNames= */ null, - /* alpnProtocols= */ null); - TestCallback testCallback = getValueThruCallback(provider); - - assertThat(server.lastNack).isNotNull(); - assertThat(server.lastNack.getVersionInfo()).isEmpty(); - assertThat(server.lastNack.getResponseNonce()).isEmpty(); - com.google.rpc.Status 
errorDetail = server.lastNack.getErrorDetail(); - assertThat(errorDetail.getCode()).isEqualTo(Code.UNKNOWN.value()); - assertThat(errorDetail.getMessage()).isEqualTo("Secret not updated"); - assertThat(testCallback.updatedSslContext).isNull(); - } - - @Test - public void testProviderForClient_withSubjectAltNames() throws IOException { - when(serverMock.getSecretFor(/* name= */ "cert1")) - .thenReturn(getOneTlsCertSecret(/* name= */ "cert1", CLIENT_KEY_FILE, CLIENT_PEM_FILE)); - when(serverMock.getSecretFor("valid1")) - .thenReturn(getOneCertificateValidationContextSecret(/* name= */ "valid1", CA_PEM_FILE)); - - SdsClientSslContextProvider provider = - getSdsClientSslContextProvider( - /* certName= */ "cert1", - /* validationContextName= */ "valid1", - Arrays.asList( - StringMatcher.newBuilder() - .setExact("spiffe://grpc-sds-testing.svc.id.goog/ns/default/sa/bob") - .build()), - /* alpnProtocols= */ null); - - TestCallback testCallback = getValueThruCallback(provider); - doChecksOnSslContext(false, testCallback.updatedSslContext, /* expectedApnProtos= */ null); - } - - @Test - public void testProviderForClient_withAlpnProtocols() throws IOException { - when(serverMock.getSecretFor(/* name= */ "cert1")) - .thenReturn(getOneTlsCertSecret(/* name= */ "cert1", CLIENT_KEY_FILE, CLIENT_PEM_FILE)); - when(serverMock.getSecretFor("valid1")) - .thenReturn(getOneCertificateValidationContextSecret(/* name= */ "valid1", CA_PEM_FILE)); - - SdsClientSslContextProvider provider = - getSdsClientSslContextProvider( - /* certName= */ "cert1", - /* validationContextName= */ "valid1", - /* matchSubjectAltNames= */ null, - /* alpnProtocols= */ Arrays.asList("managed-mtls", "h2")); - TestCallback testCallback = getValueThruCallback(provider); - - doChecksOnSslContext( - false, testCallback.updatedSslContext, Arrays.asList("managed-mtls", "h2")); - } - - @Test - public void testProviderForServer_withAlpnProtocols() throws IOException { - when(serverMock.getSecretFor(/* name= */ "cert1")) 
- .thenReturn(getOneTlsCertSecret(/* name= */ "cert1", SERVER_1_KEY_FILE, SERVER_1_PEM_FILE)); - when(serverMock.getSecretFor(/* name= */ "valid1")) - .thenReturn(getOneCertificateValidationContextSecret(/* name= */ "valid1", CA_PEM_FILE)); - - SdsServerSslContextProvider provider = - getSdsServerSslContextProvider( - /* certName= */ "cert1", - /* validationContextName= */ "valid1", - /* matchSubjectAltNames= */ null, - /* alpnProtocols= */ Arrays.asList("managed-mtls", "h2")); - TestCallback testCallback = getValueThruCallback(provider); - - doChecksOnSslContext( - true, testCallback.updatedSslContext, Arrays.asList("managed-mtls", "h2")); - } -} diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java deleted file mode 100644 index 44a5c461dc..0000000000 --- a/xds/src/test/java/io/grpc/xds/internal/sds/SecretVolumeSslContextProviderTest.java +++ /dev/null 
@@ -1,444 +0,0 @@ -/* - * Copyright 2019 The gRPC Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package io.grpc.xds.internal.sds; - -import static com.google.common.truth.Truth.assertThat; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.doChecksOnSslContext; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.getValueThruCallback; - -import io.envoyproxy.envoy.config.core.v3.DataSource; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext; -import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate; -import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.TestCallback; -import io.netty.handler.ssl.SslContext; -import java.io.IOException; -import java.security.cert.CertStoreException; -import java.security.cert.CertificateException; -import org.junit.Assert; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TemporaryFolder; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -/** Unit tests for {@link 
SecretVolumeClientSslContextProvider}. */ -@RunWith(JUnit4.class) -public class SecretVolumeSslContextProviderTest { - - @Rule public TemporaryFolder temporaryFolder = new TemporaryFolder(); - - @Test - public void validateCertificateContext_nullAndNotOptional_throwsException() { - // expect exception when certContext is null and not optional - try { - CommonTlsContextUtil.validateCertificateContext( - /* certContext= */ null, /* optional= */ false); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("certContext is required"); - } - } - - @Test - public void validateCertificateContext_missingTrustCa_throwsException() { - // expect exception when certContext has no CA and not optional - CertificateValidationContext certContext = CertificateValidationContext.getDefaultInstance(); - try { - CommonTlsContextUtil.validateCertificateContext(certContext, /* optional= */ false); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("certContext is required"); - } - } - - @Test - public void validateCertificateContext_nullAndOptional() { - // certContext argument can be null when optional - CertificateValidationContext certContext = - CommonTlsContextUtil.validateCertificateContext( - /* certContext= */ null, /* optional= */ true); - assertThat(certContext).isNull(); - } - - @Test - public void validateCertificateContext_missingTrustCaOptional() { - // certContext argument can have missing CA when optional - CertificateValidationContext certContext = CertificateValidationContext.getDefaultInstance(); - assertThat(CommonTlsContextUtil.validateCertificateContext(certContext, /* optional= */ true)) - .isNull(); - } - - @Test - public void validateCertificateContext_inlineString_throwsException() { - // expect exception when certContext doesn't use filename (inline string) - CertificateValidationContext 
certContext = - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setInlineString("foo")) - .build(); - try { - CommonTlsContextUtil.validateCertificateContext(certContext, /* optional= */ false); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void validateCertificateContext_filename() { - // validation succeeds and returns same instance when filename provided - CertificateValidationContext certContext = - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setFilename("bar")) - .build(); - assertThat(CommonTlsContextUtil.validateCertificateContext(certContext, /* optional= */ false)) - .isSameInstanceAs(certContext); - } - - @Test - public void validateTlsCertificate_nullAndNotOptional_throwsException() { - // expect exception when tlsCertificate is null and not optional - try { - CommonTlsContextUtil.validateTlsCertificate( - /* tlsCertificate= */ null, /* optional= */ false); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("tlsCertificate is required"); - } - } - - @Test - public void validateTlsCertificate_nullOptional() { - assertThat( - CommonTlsContextUtil.validateTlsCertificate( - /* tlsCertificate= */ null, /* optional= */ true)) - .isNull(); - } - - @Test - public void validateTlsCertificate_defaultInstance_returnsNull() { - // tlsCertificate is not null but has no value (default instance): expect null - TlsCertificate tlsCert = TlsCertificate.getDefaultInstance(); - assertThat(CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ true)).isNull(); - } - - @Test - public void validateTlsCertificate_missingCertChainNotOptional_throwsException() { - // expect exception when tlsCertificate has missing certChain and not optional - TlsCertificate tlsCert = - 
TlsCertificate.newBuilder() - .setPrivateKey(DataSource.newBuilder().setInlineString("foo")) - .build(); - try { - CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ false); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void validateTlsCertificate_missingCertChainOptional_throwsException() { - // expect exception when tlsCertificate has missing certChain even if optional - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setPrivateKey(DataSource.newBuilder().setInlineString("foo")) - .build(); - try { - CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ true); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void validateTlsCertificate_missingPrivateKeyNotOptional_throwsException() { - // expect exception when tlsCertificate has missing private key and not optional - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setInlineString("foo")) - .build(); - try { - CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ false); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void validateTlsCertificate_missingPrivateKeyOptional_throwsException() { - // expect exception when tlsCertificate has missing private key even if optional - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setInlineString("foo")) - .build(); - try { - CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ true); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - 
assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void validateTlsCertificate_optional_returnsSameInstance() { - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setFilename("foo")) - .setPrivateKey(DataSource.newBuilder().setFilename("bar")) - .build(); - assertThat(CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ true)) - .isSameInstanceAs(tlsCert); - } - - @Test - public void validateTlsCertificate_notOptional_returnsSameInstance() { - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setFilename("foo")) - .setPrivateKey(DataSource.newBuilder().setFilename("bar")) - .build(); - assertThat(CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ false)) - .isSameInstanceAs(tlsCert); - } - - @Test - public void validateTlsCertificate_certChainInlineString_throwsException() { - // expect exception when tlsCertificate has certChain as inline string - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setInlineString("foo")) - .setPrivateKey(DataSource.newBuilder().setFilename("bar")) - .build(); - try { - CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ true); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void validateTlsCertificate_privateKeyInlineString_throwsException() { - // expect exception when tlsCertificate has private key as inline string - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setPrivateKey(DataSource.newBuilder().setInlineString("foo")) - .setCertificateChain(DataSource.newBuilder().setFilename("bar")) - .build(); - try { - CommonTlsContextUtil.validateTlsCertificate(tlsCert, /* optional= */ true); - Assert.fail("no exception thrown"); - } catch 
(IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void getProviderForServer_defaultTlsCertificate_throwsException() { - TlsCertificate tlsCert = TlsCertificate.getDefaultInstance(); - try { - SecretVolumeServerSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildInternalDownstreamTlsContext( - CommonTlsContextTestsUtil.getCommonTlsContext(tlsCert, /* certContext= */ null), - /* requireClientCert= */ false)); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void getProviderForServer_certContextWithInlineString_throwsException() { - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setFilename("foo")) - .setPrivateKey(DataSource.newBuilder().setFilename("bar")) - .build(); - CertificateValidationContext certContext = - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setInlineString("foo")) - .build(); - try { - SecretVolumeServerSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildInternalDownstreamTlsContext( - CommonTlsContextTestsUtil.getCommonTlsContext(tlsCert, certContext), - /* requireClientCert= */ false)); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected.getMessage()).isEqualTo("filename expected"); - } - } - - @Test - public void getProviderForClient_defaultCertContext_throwsException() { - CertificateValidationContext certContext = CertificateValidationContext.getDefaultInstance(); - try { - SecretVolumeClientSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildUpstreamTlsContext( - CommonTlsContextTestsUtil.getCommonTlsContext( - /* tlsCertificate= */ null, certContext))); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - 
assertThat(expected).hasMessageThat().isEqualTo("certContext is required"); - } - } - - @Test - public void getProviderForClient_certWithPrivateKeyInlineString_throwsException() { - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setFilename("foo")) - .setPrivateKey(DataSource.newBuilder().setInlineString("bar")) - .build(); - CertificateValidationContext certContext = - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setFilename("foo")) - .build(); - try { - SecretVolumeClientSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildUpstreamTlsContext( - CommonTlsContextTestsUtil.getCommonTlsContext(tlsCert, certContext))); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - @Test - public void getProviderForClient_certWithCertChainInlineString_throwsException() { - TlsCertificate tlsCert = - TlsCertificate.newBuilder() - .setCertificateChain(DataSource.newBuilder().setInlineString("foo")) - .setPrivateKey(DataSource.newBuilder().setFilename("bar")) - .build(); - CertificateValidationContext certContext = - CertificateValidationContext.newBuilder() - .setTrustedCa(DataSource.newBuilder().setFilename("foo")) - .build(); - try { - SecretVolumeClientSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildUpstreamTlsContext( - CommonTlsContextTestsUtil.getCommonTlsContext(tlsCert, certContext))); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("filename expected"); - } - } - - /** - * Helper method to build SecretVolumeSslContextProvider, call buildSslContext on it and - * check returned SslContext. 
- */ - private static void sslContextForEitherWithBothCertAndTrust( - boolean server, String pemFile, String keyFile, String caFile) - throws IOException, CertificateException, CertStoreException { - SslContext sslContext = null; - if (server) { - SecretVolumeServerSslContextProvider provider = - SecretVolumeServerSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - keyFile, pemFile, caFile)); - - sslContext = provider.buildSslContextFromSecrets(); - } else { - SecretVolumeClientSslContextProvider provider = - SecretVolumeClientSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - keyFile, pemFile, caFile)); - - sslContext = provider.buildSslContextFromSecrets(); - } - doChecksOnSslContext(server, sslContext, /* expectedApnProtos= */ null); - } - - @Test - public void getProviderForServer() throws IOException, CertificateException, CertStoreException { - sslContextForEitherWithBothCertAndTrust( - true, SERVER_1_PEM_FILE, SERVER_1_KEY_FILE, CA_PEM_FILE); - } - - @Test - public void getProviderForClient() throws IOException, CertificateException, CertStoreException { - sslContextForEitherWithBothCertAndTrust(false, CLIENT_PEM_FILE, CLIENT_KEY_FILE, CA_PEM_FILE); - } - - @Test - public void getProviderForServer_onlyCert() - throws IOException, CertificateException, CertStoreException { - sslContextForEitherWithBothCertAndTrust(true, SERVER_1_PEM_FILE, SERVER_1_KEY_FILE, null); - } - - @Test - public void getProviderForClient_onlyTrust() - throws IOException, CertificateException, CertStoreException { - sslContextForEitherWithBothCertAndTrust(false, null, null, CA_PEM_FILE); - } - - @Test - public void getProviderForServer_badFile_throwsException() - throws IOException, CertificateException, CertStoreException { - try { - sslContextForEitherWithBothCertAndTrust(true, SERVER_1_PEM_FILE, SERVER_1_PEM_FILE, null); - Assert.fail("no exception thrown"); - } catch 
(IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().contains("File does not contain valid private key"); - } - } - - @Test - public void getProviderForServer_both_callsback() throws IOException { - SecretVolumeServerSslContextProvider provider = - SecretVolumeServerSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, CA_PEM_FILE)); - - TestCallback testCallback = getValueThruCallback(provider); - doChecksOnSslContext(true, testCallback.updatedSslContext, /* expectedApnProtos= */ null); - } - - @Test - public void getProviderForClient_both_callsback() throws IOException { - SecretVolumeClientSslContextProvider provider = - SecretVolumeClientSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE)); - - TestCallback testCallback = getValueThruCallback(provider); - doChecksOnSslContext(false, testCallback.updatedSslContext, /* expectedApnProtos= */ null); - } - - // note this test generates stack-trace but can be safely ignored - @Test - public void getProviderForClient_both_callsback_setException() throws IOException { - SecretVolumeClientSslContextProvider provider = - SecretVolumeClientSslContextProvider.getProvider( - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_PEM_FILE, CLIENT_PEM_FILE, CA_PEM_FILE)); - TestCallback testCallback = getValueThruCallback(provider); - assertThat(testCallback.updatedSslContext).isNull(); - assertThat(testCallback.updatedThrowable).isInstanceOf(IllegalArgumentException.class); - assertThat(testCallback.updatedThrowable).hasMessageThat() - .contains("File does not contain valid private key"); - } -} 
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java index b6a0fdd2e2..a4bab618a3 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/ServerSslContextProviderFactoryTest.java @@ -19,9 +19,6 @@ package io.grpc.xds.internal.sds; import static com.google.common.truth.Truth.assertThat; import static io.grpc.xds.internal.sds.ClientSslContextProviderFactoryTest.createAndRegisterProviderProvider; import static io.grpc.xds.internal.sds.ClientSslContextProviderFactoryTest.verifyWatcher; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_KEY_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE; import com.google.common.collect.ImmutableSet; import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext; @@ -36,8 +33,6 @@ import io.grpc.xds.internal.certprovider.CertProviderServerSslContextProvider; import io.grpc.xds.internal.certprovider.CertificateProvider; import io.grpc.xds.internal.certprovider.CertificateProviderRegistry; import io.grpc.xds.internal.certprovider.CertificateProviderStore; -import java.io.IOException; -import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; 
@@ -60,62 +55,6 @@ public class ServerSslContextProviderFactoryTest { new CertProviderServerSslContextProvider.Factory(certificateProviderStore); } - @Test - public void createSslContextProvider_allFilenames() { - serverSslContextProviderFactory = - new ServerSslContextProviderFactory( - null, certProviderServerSslContextProviderFactory); - DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, CA_PEM_FILE); - - SslContextProvider sslContextProvider = - serverSslContextProviderFactory.create(downstreamTlsContext); - assertThat(sslContextProvider).isNotNull(); - } - - @Test - public void createSslContextProvider_sdsConfigForTlsCert_expectException() { - serverSslContextProviderFactory = - new ServerSslContextProviderFactory( - null, certProviderServerSslContextProviderFactory); - CommonTlsContext commonTlsContext = - CommonTlsContextTestsUtil.buildCommonTlsContextFromSdsConfigForTlsCertificate( - "name", "unix:/tmp/sds/path", CA_PEM_FILE); - DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildInternalDownstreamTlsContext( - commonTlsContext, /* requireClientCert= */ false); - - try { - SslContextProvider unused = - serverSslContextProviderFactory.create(downstreamTlsContext); - Assert.fail("no exception thrown"); - } catch (IllegalArgumentException expected) { - assertThat(expected).hasMessageThat().isEqualTo("unexpected TlsCertificateSdsSecretConfigs"); - } - } - - @Test - public void createSslContextProvider_sdsConfigForCertValidationContext_expectException() { - serverSslContextProviderFactory = - new ServerSslContextProviderFactory( - null, certProviderServerSslContextProviderFactory); - CommonTlsContext commonTlsContext = - CommonTlsContextTestsUtil.buildCommonTlsContextFromSdsConfigForValidationContext( - "name", "unix:/tmp/sds/path", SERVER_1_KEY_FILE, SERVER_1_PEM_FILE); - DownstreamTlsContext downstreamTlsContext = - 
CommonTlsContextTestsUtil.buildInternalDownstreamTlsContext( - commonTlsContext, /* requireClientCert= */ false); - - try { - SslContextProvider unused = - serverSslContextProviderFactory.create(downstreamTlsContext); - Assert.fail("no exception thrown"); - } catch (IllegalStateException expected) { - assertThat(expected).hasMessageThat().isEqualTo("incorrect ValidationContextTypeCase"); - } - } - @Test public void createCertProviderServerSslContextProvider() throws XdsInitializationException { final CertificateProvider.DistributorWatcher[] watcherCaptor = @@ -267,37 +206,4 @@ public class ServerSslContextProviderFactoryTest { verifyWatcher(sslContextProvider, watcherCaptor[0]); verifyWatcher(sslContextProvider, watcherCaptor[1]); } - - @Test - public void createEmptyCommonTlsContext_exception() throws IOException { - DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames(null, null, null); - serverSslContextProviderFactory = - new ServerSslContextProviderFactory( - null, certProviderServerSslContextProviderFactory); - try { - serverSslContextProviderFactory.create(downstreamTlsContext); - Assert.fail("no exception thrown"); - } catch (UnsupportedOperationException expected) { - assertThat(expected) - .hasMessageThat() - .isEqualTo("Unsupported configurations in DownstreamTlsContext!"); - } - } - - @Test - public void createNullCommonTlsContext_exception() throws IOException { - serverSslContextProviderFactory = - new ServerSslContextProviderFactory( - null, certProviderServerSslContextProviderFactory); - DownstreamTlsContext downstreamTlsContext = new DownstreamTlsContext(null, true); - try { - serverSslContextProviderFactory.create(downstreamTlsContext); - Assert.fail("no exception thrown"); - } catch (NullPointerException expected) { - assertThat(expected) - .hasMessageThat() - .isEqualTo("downstreamTlsContext should have CommonTlsContext"); - } - } } 
diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/SslContextProviderSupplierTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/SslContextProviderSupplierTest.java index 0395f3055e..ec2c85e5b8 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/SslContextProviderSupplierTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/SslContextProviderSupplierTest.java @@ -17,9 +17,6 @@ package io.grpc.xds.internal.sds; import static com.google.common.truth.Truth.assertThat; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CA_PEM_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_KEY_FILE; -import static io.grpc.xds.internal.sds.CommonTlsContextTestsUtil.CLIENT_PEM_FILE; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.any; import static org.mockito.Mockito.doReturn; @@ -63,8 +60,7 @@ public class SslContextProviderSupplierTest { private void prepareSupplier() { upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); + CommonTlsContextTestsUtil.buildUpstreamTlsContext("google_cloud_private_spiffe", true); mockSslContextProvider = mock(SslContextProvider.class); doReturn(mockSslContextProvider) .when(mockTlsContextManager) diff --git a/xds/src/test/java/io/grpc/xds/internal/sds/TlsContextManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/sds/TlsContextManagerTest.java index 5f6ba418e1..7634bfee37 100644 --- a/xds/src/test/java/io/grpc/xds/internal/sds/TlsContextManagerTest.java +++ b/xds/src/test/java/io/grpc/xds/internal/sds/TlsContextManagerTest.java 
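Review bot: The instance name in `buildUpstreamTlsContext("google_cloud_private_spiffe", true)` is never resolved against a bootstrap in this test, because `mockTlsContextManager` is stubbed with `doReturn(mockSslContextProvider)` two lines below, so a reader comparing this with TlsContextManagerTest, where the same kind of name has to match a BootstrapInfo, is left wondering why none is built here. A one-line comment above the assignment would settle that: `// instance name is opaque here: the TlsContextManager is mocked, so no bootstrap is needed`. The rest of prepareSupplier runs past the end of the hunk.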
@@ -30,6 +30,8 @@ import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; +import io.grpc.xds.Bootstrapper; +import io.grpc.xds.CommonBootstrapperTestUtils; import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext; import io.grpc.xds.EnvoyServerProtoData.UpstreamTlsContext; import io.grpc.xds.internal.sds.ReferenceCountingMap.ValueFactory; @@ -53,11 +55,14 @@ public class TlsContextManagerTest { @Test public void createServerSslContextProvider() { + Bootstrapper.BootstrapInfo bootstrapInfoForServer = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-server", SERVER_1_KEY_FILE, + SERVER_1_PEM_FILE, CA_PEM_FILE, null, null, null, null); DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, /* trustCa= */ null); + CommonTlsContextTestsUtil.buildDownstreamTlsContext( + "google_cloud_private_spiffe-server", false, false); - TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(null); + TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(bootstrapInfoForServer); SslContextProvider serverSecretProvider = tlsContextManagerImpl.findOrCreateServerSslContextProvider(downstreamTlsContext); assertThat(serverSecretProvider).isNotNull(); 
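Review bot: The two bare booleans in `buildDownstreamTlsContext("google_cloud_private_spiffe-server", false, false)` hide which flag selects the root cert and which enforces a client cert, whereas the lines they replace spelled the intent out with `/* trustCa= */ null`. Keeping that convention, e.g. `"google_cloud_private_spiffe-server", /* hasRootCert= */ false, /* requireClientCert= */ false` with the names taken from the helper's real signature (not visible here), makes it plain that this still builds a server-side context without client authentication, as the old test did. If the first `false` indeed means "no root cert", the `CA_PEM_FILE` handed to the bootstrap instance on the lines above is unused by this context; that is harmless, but a word saying so would stop a later reader from treating it as an oversight.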
@@ -69,11 +74,14 @@ public class TlsContextManagerTest { @Test public void createClientSslContextProvider() { + Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE, + CA_PEM_FILE, null, null, null, null); UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - /* privateKey= */ null, /* certChain= */ null, CA_PEM_FILE); + CommonTlsContextTestsUtil + .buildUpstreamTlsContext("google_cloud_private_spiffe-client", false); - TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(null); + TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(bootstrapInfoForClient); SslContextProvider clientSecretProvider = tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext); assertThat(clientSecretProvider).isNotNull(); 
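Review bot: The four trailing `null, null, null, null` arguments to `buildBootstrapInfo` only say "no second certificate-provider instance", and the server test above repeats the same pattern. A four-argument overload in CommonBootstrapperTestUtils, `buildBootstrapInfo(name, key, pem, ca)` delegating to the eight-argument form, would make the single-instance cases read cleanly and remove the risk of mis-ordering the optional slots; the helper is test code under this commit's control, so the addition is cheap. The `false` passed to `buildUpstreamTlsContext` presumably selects a trust-only client context (the removed lines passed `/* privateKey= */ null, /* certChain= */ null`), so a `/* hasIdentityCert= */ false` style comment, matching the helper's actual parameter name, would keep what those removed comments documented.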
@@ -85,18 +93,23 @@ public class TlsContextManagerTest { @Test public void createServerSslContextProvider_differentInstance() { + Bootstrapper.BootstrapInfo bootstrapInfoForServer = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-server", SERVER_1_KEY_FILE, + SERVER_1_PEM_FILE, CA_PEM_FILE, "cert-instance2", SERVER_0_KEY_FILE, SERVER_0_PEM_FILE, + CA_PEM_FILE); DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, /* trustCa= */ null); + CommonTlsContextTestsUtil.buildDownstreamTlsContext( + "google_cloud_private_spiffe-server", false, false); - TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(null); + TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(bootstrapInfoForServer); SslContextProvider serverSecretProvider = tlsContextManagerImpl.findOrCreateServerSslContextProvider(downstreamTlsContext); assertThat(serverSecretProvider).isNotNull(); DownstreamTlsContext downstreamTlsContext1 = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_0_KEY_FILE, SERVER_0_PEM_FILE, CA_PEM_FILE); + CommonTlsContextTestsUtil.buildDownstreamTlsContext( + "cert-instance2", true, true); + SslContextProvider serverSecretProvider1 = tlsContextManagerImpl.findOrCreateServerSslContextProvider(downstreamTlsContext1); assertThat(serverSecretProvider1).isNotNull(); 
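Review bot: The second instance is named `"cert-instance2"` here but `"cert-instance-2"` in the client counterpart of this test below; each test builds its own BootstrapInfo so the mismatch is harmless today, but the bootstrap lookup is by exact string and a copy-paste between the two tests would fail in a confusing way. Use one spelling in both, ideally a class-level constant such as `private static final String SECOND_CERT_INSTANCE = "cert-instance-2";`. The assertion that the two providers are distinct presumably follows past the end of the hunk.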
@@ -105,18 +118,20 @@ public class TlsContextManagerTest { @Test public void createClientSslContextProvider_differentInstance() { + Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils + .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE, + CA_PEM_FILE, "cert-instance-2", CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - /* privateKey= */ null, /* certChain= */ null, CA_PEM_FILE); + CommonTlsContextTestsUtil + .buildUpstreamTlsContext("google_cloud_private_spiffe-client", false); - TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(null); + TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(bootstrapInfoForClient); SslContextProvider clientSecretProvider = tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext); assertThat(clientSecretProvider).isNotNull(); UpstreamTlsContext upstreamTlsContext1 = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); + CommonTlsContextTestsUtil.buildUpstreamTlsContext("cert-instance-2", true); SslContextProvider clientSecretProvider1 = tlsContextManagerImpl.findOrCreateClientSslContextProvider(upstreamTlsContext1); @@ -126,8 +141,8 @@ public class TlsContextManagerTest { @Test public void createServerSslContextProvider_releaseInstance() { DownstreamTlsContext downstreamTlsContext = - CommonTlsContextTestsUtil.buildDownstreamTlsContextFromFilenames( - SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, /* trustCa= */ null); + CommonTlsContextTestsUtil.buildDownstreamTlsContext( + "google_cloud_private_spiffe-server", false, false); TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(mockClientFactory, mockServerFactory); 
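Review bot: Both certificate-provider instances in this bootstrap are fed the same CLIENT_KEY_FILE, CLIENT_PEM_FILE and CA_PEM_FILE, so the only thing distinguishing `"google_cloud_private_spiffe-client"` from `"cert-instance-2"` is the name, whereas the server variant above gives its second instance SERVER_0 material. That still exercises the manager's keying on the UpstreamTlsContext (the distinctness assertion is presumably past the hunk), but it would not catch a bootstrap or provider store that deduplicates instances by content. If distinct client material exists in the test resources, use it for the second instance; otherwise add `// same files on purpose: only the instance name differs` so the asymmetry with the server test reads as deliberate.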
@@ -145,8 +160,8 @@ public class TlsContextManagerTest { @Test public void createClientSslContextProvider_releaseInstance() { UpstreamTlsContext upstreamTlsContext = - CommonTlsContextTestsUtil.buildUpstreamTlsContextFromFilenames( - CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE); + CommonTlsContextTestsUtil + .buildUpstreamTlsContext("google_cloud_private_spiffe-client", true); TlsContextManagerImpl tlsContextManagerImpl = new TlsContextManagerImpl(mockClientFactory, mockServerFactory);
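Review bot: With `mockClientFactory` and `mockServerFactory` injected, the instance name in `buildUpstreamTlsContext("google_cloud_private_spiffe-client", true)` is never resolved, so a typo in it would pass unnoticed here while the same literal in the non-mocked tests of this file must match a BootstrapInfo exactly. Hoisting the names into class-level constants, e.g. `private static final String CLIENT_CERT_INSTANCE = "google_cloud_private_spiffe-client";` and a server counterpart, keeps every test method in this file in agreement and gives the name one place to change. The release and verification steps of this test continue past the hunk.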