|  | @@ -34,18 +34,21 @@
 | 
	
		
			
				|  |  |  #include "absl/types/optional.h"
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  #include <grpc/grpc.h>
 | 
	
		
			
				|  |  | +#include <grpc/grpc_security.h>
 | 
	
		
			
				|  |  |  #include <grpc/support/alloc.h>
 | 
	
		
			
				|  |  |  #include <grpc/support/log.h>
 | 
	
		
			
				|  |  |  #include <grpc/support/time.h>
 | 
	
		
			
				|  |  |  #include <grpcpp/channel.h>
 | 
	
		
			
				|  |  |  #include <grpcpp/client_context.h>
 | 
	
		
			
				|  |  |  #include <grpcpp/create_channel.h>
 | 
	
		
			
				|  |  | +#include <grpcpp/security/tls_certificate_provider.h>
 | 
	
		
			
				|  |  |  #include <grpcpp/server.h>
 | 
	
		
			
				|  |  |  #include <grpcpp/server_builder.h>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  #include "src/core/ext/filters/client_channel/backup_poller.h"
 | 
	
		
			
				|  |  |  #include "src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h"
 | 
	
		
			
				|  |  |  #include "src/core/ext/filters/client_channel/server_address.h"
 | 
	
		
			
				|  |  | +#include "src/core/ext/xds/certificate_provider_registry.h"
 | 
	
		
			
				|  |  |  #include "src/core/ext/xds/xds_api.h"
 | 
	
		
			
				|  |  |  #include "src/core/ext/xds/xds_channel_args.h"
 | 
	
		
			
				|  |  |  #include "src/core/ext/xds/xds_client.h"
 | 
	
	
		
			
				|  | @@ -55,6 +58,7 @@
 | 
	
		
			
				|  |  |  #include "src/core/lib/gprpp/map.h"
 | 
	
		
			
				|  |  |  #include "src/core/lib/gprpp/ref_counted_ptr.h"
 | 
	
		
			
				|  |  |  #include "src/core/lib/gprpp/sync.h"
 | 
	
		
			
				|  |  | +#include "src/core/lib/iomgr/load_file.h"
 | 
	
		
			
				|  |  |  #include "src/core/lib/iomgr/parse_address.h"
 | 
	
		
			
				|  |  |  #include "src/core/lib/iomgr/sockaddr.h"
 | 
	
		
			
				|  |  |  #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 | 
	
	
		
			
				|  | @@ -81,6 +85,7 @@
 | 
	
		
			
				|  |  |  #include "src/proto/grpc/testing/xds/v3/listener.grpc.pb.h"
 | 
	
		
			
				|  |  |  #include "src/proto/grpc/testing/xds/v3/lrs.grpc.pb.h"
 | 
	
		
			
				|  |  |  #include "src/proto/grpc/testing/xds/v3/route.grpc.pb.h"
 | 
	
		
			
				|  |  | +#include "src/proto/grpc/testing/xds/v3/tls.grpc.pb.h"
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  namespace grpc {
 | 
	
		
			
				|  |  |  namespace testing {
 | 
	
	
		
			
				|  | @@ -97,6 +102,7 @@ using ::envoy::config::listener::v3::Listener;
 | 
	
		
			
				|  |  |  using ::envoy::config::route::v3::RouteConfiguration;
 | 
	
		
			
				|  |  |  using ::envoy::extensions::filters::network::http_connection_manager::v3::
 | 
	
		
			
				|  |  |      HttpConnectionManager;
 | 
	
		
			
				|  |  | +using ::envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext;
 | 
	
		
			
				|  |  |  using ::envoy::type::v3::FractionalPercent;
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  constexpr char kLdsTypeUrl[] =
 | 
	
	
		
			
				|  | @@ -171,6 +177,14 @@ constexpr char kBootstrapFileV3[] =
 | 
	
		
			
				|  |  |      "      \"zone\": \"svl\",\n"
 | 
	
		
			
				|  |  |      "      \"subzone\": \"mp3\"\n"
 | 
	
		
			
				|  |  |      "    }\n"
 | 
	
		
			
				|  |  | +    "  },\n"
 | 
	
		
			
				|  |  | +    "  \"certificate_providers\": {\n"
 | 
	
		
			
				|  |  | +    "    \"fake_plugin1\": {\n"
 | 
	
		
			
				|  |  | +    "      \"plugin_name\": \"fake1\"\n"
 | 
	
		
			
				|  |  | +    "    },\n"
 | 
	
		
			
				|  |  | +    "    \"fake_plugin2\": {\n"
 | 
	
		
			
				|  |  | +    "      \"plugin_name\": \"fake2\"\n"
 | 
	
		
			
				|  |  | +    "    }\n"
 | 
	
		
			
				|  |  |      "  }\n"
 | 
	
		
			
				|  |  |      "}\n";
 | 
	
		
			
				|  |  |  
 | 
	
	
		
			
				|  | @@ -199,6 +213,13 @@ constexpr char kBootstrapFileV2[] =
 | 
	
		
			
				|  |  |      "    }\n"
 | 
	
		
			
				|  |  |      "  }\n"
 | 
	
		
			
				|  |  |      "}\n";
 | 
	
		
			
				|  |  | +constexpr char kCaCertPath[] = "src/core/tsi/test_creds/ca.pem";
 | 
	
		
			
				|  |  | +constexpr char kServerCertPath[] = "src/core/tsi/test_creds/server1.pem";
 | 
	
		
			
				|  |  | +constexpr char kServerKeyPath[] = "src/core/tsi/test_creds/server1.key";
 | 
	
		
			
				|  |  | +constexpr char kClientCertPath[] = "src/core/tsi/test_creds/client.pem";
 | 
	
		
			
				|  |  | +constexpr char kClientKeyPath[] = "src/core/tsi/test_creds/client.key";
 | 
	
		
			
				|  |  | +constexpr char kBadClientCertPath[] = "src/core/tsi/test_creds/badclient.pem";
 | 
	
		
			
				|  |  | +constexpr char kBadClientKeyPath[] = "src/core/tsi/test_creds/badclient.key";
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  char* g_bootstrap_file_v3;
 | 
	
		
			
				|  |  |  char* g_bootstrap_file_v2;
 | 
	
	
		
			
				|  | @@ -268,9 +289,6 @@ class CountedService : public ServiceType {
 | 
	
		
			
				|  |  |    size_t response_count_ = 0;
 | 
	
		
			
				|  |  |  };
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -const char g_kCallCredsMdKey[] = "Balancer should not ...";
 | 
	
		
			
				|  |  | -const char g_kCallCredsMdValue[] = "... receive me";
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  |  template <typename RpcService>
 | 
	
		
			
				|  |  |  class BackendServiceImpl
 | 
	
		
			
				|  |  |      : public CountedService<TestMultipleServiceImpl<RpcService>> {
 | 
	
	
		
			
				|  | @@ -279,19 +297,20 @@ class BackendServiceImpl
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    Status Echo(ServerContext* context, const EchoRequest* request,
 | 
	
		
			
				|  |  |                EchoResponse* response) override {
 | 
	
		
			
				|  |  | -    // Backend should receive the call credentials metadata.
 | 
	
		
			
				|  |  | -    auto call_credentials_entry =
 | 
	
		
			
				|  |  | -        context->client_metadata().find(g_kCallCredsMdKey);
 | 
	
		
			
				|  |  | -    EXPECT_NE(call_credentials_entry, context->client_metadata().end());
 | 
	
		
			
				|  |  | -    if (call_credentials_entry != context->client_metadata().end()) {
 | 
	
		
			
				|  |  | -      EXPECT_EQ(call_credentials_entry->second, g_kCallCredsMdValue);
 | 
	
		
			
				|  |  | -    }
 | 
	
		
			
				|  |  | +    auto peer_identity = context->auth_context()->GetPeerIdentity();
 | 
	
		
			
				|  |  |      CountedService<TestMultipleServiceImpl<RpcService>>::IncreaseRequestCount();
 | 
	
		
			
				|  |  |      const auto status =
 | 
	
		
			
				|  |  |          TestMultipleServiceImpl<RpcService>::Echo(context, request, response);
 | 
	
		
			
				|  |  |      CountedService<
 | 
	
		
			
				|  |  |          TestMultipleServiceImpl<RpcService>>::IncreaseResponseCount();
 | 
	
		
			
				|  |  | -    AddClient(context->peer());
 | 
	
		
			
				|  |  | +    {
 | 
	
		
			
				|  |  | +      grpc_core::MutexLock lock(&mu_);
 | 
	
		
			
				|  |  | +      clients_.insert(context->peer());
 | 
	
		
			
				|  |  | +      last_peer_identity_.clear();
 | 
	
		
			
				|  |  | +      for (const auto& entry : peer_identity) {
 | 
	
		
			
				|  |  | +        last_peer_identity_.emplace_back(entry.data(), entry.size());
 | 
	
		
			
				|  |  | +      }
 | 
	
		
			
				|  |  | +    }
 | 
	
		
			
				|  |  |      return status;
 | 
	
		
			
				|  |  |    }
 | 
	
		
			
				|  |  |  
 | 
	
	
		
			
				|  | @@ -309,18 +328,19 @@ class BackendServiceImpl
 | 
	
		
			
				|  |  |    void Shutdown() {}
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    std::set<std::string> clients() {
 | 
	
		
			
				|  |  | -    grpc_core::MutexLock lock(&clients_mu_);
 | 
	
		
			
				|  |  | +    grpc_core::MutexLock lock(&mu_);
 | 
	
		
			
				|  |  |      return clients_;
 | 
	
		
			
				|  |  |    }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | - private:
 | 
	
		
			
				|  |  | -  void AddClient(const std::string& client) {
 | 
	
		
			
				|  |  | -    grpc_core::MutexLock lock(&clients_mu_);
 | 
	
		
			
				|  |  | -    clients_.insert(client);
 | 
	
		
			
				|  |  | +  const std::vector<std::string>& last_peer_identity() {
 | 
	
		
			
				|  |  | +    grpc_core::MutexLock lock(&mu_);
 | 
	
		
			
				|  |  | +    return last_peer_identity_;
 | 
	
		
			
				|  |  |    }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -  grpc_core::Mutex clients_mu_;
 | 
	
		
			
				|  |  | + private:
 | 
	
		
			
				|  |  | +  grpc_core::Mutex mu_;
 | 
	
		
			
				|  |  |    std::set<std::string> clients_;
 | 
	
		
			
				|  |  | +  std::vector<std::string> last_peer_identity_;
 | 
	
		
			
				|  |  |  };
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  class ClientStats {
 | 
	
	
		
			
				|  | @@ -670,9 +690,6 @@ class AdsServiceImpl : public std::enable_shared_from_this<AdsServiceImpl> {
 | 
	
		
			
				|  |  |        } else {
 | 
	
		
			
				|  |  |          parent_->seen_v3_client_ = true;
 | 
	
		
			
				|  |  |        }
 | 
	
		
			
				|  |  | -      // Balancer shouldn't receive the call credentials metadata.
 | 
	
		
			
				|  |  | -      EXPECT_EQ(context->client_metadata().find(g_kCallCredsMdKey),
 | 
	
		
			
				|  |  | -                context->client_metadata().end());
 | 
	
		
			
				|  |  |        // Take a reference of the AdsServiceImpl object, which will go
 | 
	
		
			
				|  |  |        // out of scope when this request handler returns.  This ensures
 | 
	
		
			
				|  |  |        // that the parent won't be destroyed until this stream is complete.
 | 
	
	
		
			
				|  | @@ -1286,22 +1303,26 @@ class LrsServiceImpl : public std::enable_shared_from_this<LrsServiceImpl> {
 | 
	
		
			
				|  |  |  class TestType {
 | 
	
		
			
				|  |  |   public:
 | 
	
		
			
				|  |  |    TestType(bool use_xds_resolver, bool enable_load_reporting,
 | 
	
		
			
				|  |  | -           bool enable_rds_testing = false, bool use_v2 = false)
 | 
	
		
			
				|  |  | +           bool enable_rds_testing = false, bool use_v2 = false,
 | 
	
		
			
				|  |  | +           bool use_xds_credentials = false)
 | 
	
		
			
				|  |  |        : use_xds_resolver_(use_xds_resolver),
 | 
	
		
			
				|  |  |          enable_load_reporting_(enable_load_reporting),
 | 
	
		
			
				|  |  |          enable_rds_testing_(enable_rds_testing),
 | 
	
		
			
				|  |  | -        use_v2_(use_v2) {}
 | 
	
		
			
				|  |  | +        use_v2_(use_v2),
 | 
	
		
			
				|  |  | +        use_xds_credentials_(use_xds_credentials) {}
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    bool use_xds_resolver() const { return use_xds_resolver_; }
 | 
	
		
			
				|  |  |    bool enable_load_reporting() const { return enable_load_reporting_; }
 | 
	
		
			
				|  |  |    bool enable_rds_testing() const { return enable_rds_testing_; }
 | 
	
		
			
				|  |  |    bool use_v2() const { return use_v2_; }
 | 
	
		
			
				|  |  | +  bool use_xds_credentials() const { return use_xds_credentials_; }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    std::string AsString() const {
 | 
	
		
			
				|  |  |      std::string retval = (use_xds_resolver_ ? "XdsResolver" : "FakeResolver");
 | 
	
		
			
				|  |  |      retval += (use_v2_ ? "V2" : "V3");
 | 
	
		
			
				|  |  |      if (enable_load_reporting_) retval += "WithLoadReporting";
 | 
	
		
			
				|  |  |      if (enable_rds_testing_) retval += "Rds";
 | 
	
		
			
				|  |  | +    if (use_xds_credentials_) retval += "XdsCreds";
 | 
	
		
			
				|  |  |      return retval;
 | 
	
		
			
				|  |  |    }
 | 
	
		
			
				|  |  |  
 | 
	
	
		
			
				|  | @@ -1310,8 +1331,163 @@ class TestType {
 | 
	
		
			
				|  |  |    const bool enable_load_reporting_;
 | 
	
		
			
				|  |  |    const bool enable_rds_testing_;
 | 
	
		
			
				|  |  |    const bool use_v2_;
 | 
	
		
			
				|  |  | +  const bool use_xds_credentials_;
 | 
	
		
			
				|  |  |  };
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | +std::string ReadFile(const char* file_path) {
 | 
	
		
			
				|  |  | +  grpc_slice slice;
 | 
	
		
			
				|  |  | +  GPR_ASSERT(
 | 
	
		
			
				|  |  | +      GRPC_LOG_IF_ERROR("load_file", grpc_load_file(file_path, 0, &slice)));
 | 
	
		
			
				|  |  | +  std::string file_contents(grpc_core::StringViewFromSlice(slice));
 | 
	
		
			
				|  |  | +  grpc_slice_unref(slice);
 | 
	
		
			
				|  |  | +  return file_contents;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +grpc_core::PemKeyCertPairList ReadTlsIdentityPair(const char* key_path,
 | 
	
		
			
				|  |  | +                                                  const char* cert_path) {
 | 
	
		
			
				|  |  | +  grpc_ssl_pem_key_cert_pair* ssl_pair =
 | 
	
		
			
				|  |  | +      static_cast<grpc_ssl_pem_key_cert_pair*>(
 | 
	
		
			
				|  |  | +          gpr_malloc(sizeof(grpc_ssl_pem_key_cert_pair)));
 | 
	
		
			
				|  |  | +  ssl_pair->private_key = gpr_strdup(ReadFile(key_path).c_str());
 | 
	
		
			
				|  |  | +  ssl_pair->cert_chain = gpr_strdup(ReadFile(cert_path).c_str());
 | 
	
		
			
				|  |  | +  return grpc_core::PemKeyCertPairList{grpc_core::PemKeyCertPair(ssl_pair)};
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +// Based on StaticDataCertificateProvider, but provides alternate certificates
 | 
	
		
			
				|  |  | +// if the certificate name is not empty.
 | 
	
		
			
				|  |  | +class FakeCertificateProvider final : public grpc_tls_certificate_provider {
 | 
	
		
			
				|  |  | + public:
 | 
	
		
			
				|  |  | +  struct CertData {
 | 
	
		
			
				|  |  | +    std::string root_certificate;
 | 
	
		
			
				|  |  | +    grpc_core::PemKeyCertPairList identity_key_cert_pairs;
 | 
	
		
			
				|  |  | +  };
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  using CertDataMap = std::map<std::string /*cert_name */, CertData>;
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  explicit FakeCertificateProvider(CertDataMap cert_data_map)
 | 
	
		
			
				|  |  | +      : distributor_(
 | 
	
		
			
				|  |  | +            grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>()),
 | 
	
		
			
				|  |  | +        cert_data_map_(std::move(cert_data_map)) {
 | 
	
		
			
				|  |  | +    distributor_->SetWatchStatusCallback([this](std::string cert_name,
 | 
	
		
			
				|  |  | +                                                bool root_being_watched,
 | 
	
		
			
				|  |  | +                                                bool identity_being_watched) {
 | 
	
		
			
				|  |  | +      if (!root_being_watched && !identity_being_watched) return;
 | 
	
		
			
				|  |  | +      auto it = cert_data_map_.find(cert_name);
 | 
	
		
			
				|  |  | +      if (it == cert_data_map_.end()) {
 | 
	
		
			
				|  |  | +        grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
 | 
	
		
			
				|  |  | +            absl::StrCat("No certificates available for cert_name \"",
 | 
	
		
			
				|  |  | +                         cert_name, "\"")
 | 
	
		
			
				|  |  | +                .c_str());
 | 
	
		
			
				|  |  | +        distributor_->SetErrorForCert(cert_name, GRPC_ERROR_REF(error),
 | 
	
		
			
				|  |  | +                                      GRPC_ERROR_REF(error));
 | 
	
		
			
				|  |  | +        GRPC_ERROR_UNREF(error);
 | 
	
		
			
				|  |  | +      } else {
 | 
	
		
			
				|  |  | +        absl::optional<std::string> root_certificate;
 | 
	
		
			
				|  |  | +        absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pairs;
 | 
	
		
			
				|  |  | +        if (root_being_watched) {
 | 
	
		
			
				|  |  | +          root_certificate = cert_data_map_[cert_name].root_certificate;
 | 
	
		
			
				|  |  | +        }
 | 
	
		
			
				|  |  | +        if (identity_being_watched) {
 | 
	
		
			
				|  |  | +          pem_key_cert_pairs =
 | 
	
		
			
				|  |  | +              cert_data_map_[cert_name].identity_key_cert_pairs;
 | 
	
		
			
				|  |  | +        }
 | 
	
		
			
				|  |  | +        distributor_->SetKeyMaterials(cert_name, std::move(root_certificate),
 | 
	
		
			
				|  |  | +                                      std::move(pem_key_cert_pairs));
 | 
	
		
			
				|  |  | +      }
 | 
	
		
			
				|  |  | +    });
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  ~FakeCertificateProvider() override {
 | 
	
		
			
				|  |  | +    distributor_->SetWatchStatusCallback(nullptr);
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor()
 | 
	
		
			
				|  |  | +      const override {
 | 
	
		
			
				|  |  | +    return distributor_;
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | + private:
 | 
	
		
			
				|  |  | +  grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
 | 
	
		
			
				|  |  | +  CertDataMap cert_data_map_;
 | 
	
		
			
				|  |  | +};
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +class FakeCertificateProviderFactory
 | 
	
		
			
				|  |  | +    : public grpc_core::CertificateProviderFactory {
 | 
	
		
			
				|  |  | + public:
 | 
	
		
			
				|  |  | +  class Config : public grpc_core::CertificateProviderFactory::Config {
 | 
	
		
			
				|  |  | +   public:
 | 
	
		
			
				|  |  | +    explicit Config(const char* name) : name_(name) {}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +    const char* name() const override { return name_; }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +    std::string ToString() const override { return "{}"; }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +   private:
 | 
	
		
			
				|  |  | +    const char* name_;
 | 
	
		
			
				|  |  | +  };
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  FakeCertificateProviderFactory(
 | 
	
		
			
				|  |  | +      const char* name, FakeCertificateProvider::CertDataMap** cert_data_map)
 | 
	
		
			
				|  |  | +      : name_(name), cert_data_map_(cert_data_map) {
 | 
	
		
			
				|  |  | +    GPR_ASSERT(cert_data_map != nullptr);
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  const char* name() const override { return name_; }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  grpc_core::RefCountedPtr<grpc_core::CertificateProviderFactory::Config>
 | 
	
		
			
				|  |  | +  CreateCertificateProviderConfig(const grpc_core::Json& config_json,
 | 
	
		
			
				|  |  | +                                  grpc_error** error) override {
 | 
	
		
			
				|  |  | +    return grpc_core::MakeRefCounted<Config>(name_);
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  grpc_core::RefCountedPtr<grpc_tls_certificate_provider>
 | 
	
		
			
				|  |  | +  CreateCertificateProvider(
 | 
	
		
			
				|  |  | +      grpc_core::RefCountedPtr<grpc_core::CertificateProviderFactory::Config>
 | 
	
		
			
				|  |  | +          config) override {
 | 
	
		
			
				|  |  | +    return grpc_core::MakeRefCounted<FakeCertificateProvider>(
 | 
	
		
			
				|  |  | +        *cert_data_map_ == nullptr ? FakeCertificateProvider::CertDataMap()
 | 
	
		
			
				|  |  | +                                   : *(*cert_data_map_));
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | + private:
 | 
	
		
			
				|  |  | +  const char* name_;
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap** cert_data_map_;
 | 
	
		
			
				|  |  | +};
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +// Global variables for each provider.
 | 
	
		
			
				|  |  | +FakeCertificateProvider::CertDataMap* g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +FakeCertificateProvider::CertDataMap* g_fake2_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +int ServerAuthCheckSchedule(void* /* config_user_data */,
 | 
	
		
			
				|  |  | +                            grpc_tls_server_authorization_check_arg* arg) {
 | 
	
		
			
				|  |  | +  arg->success = 1;
 | 
	
		
			
				|  |  | +  arg->status = GRPC_STATUS_OK;
 | 
	
		
			
				|  |  | +  return 0; /* synchronous check */
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +std::shared_ptr<ChannelCredentials> CreateTlsFallbackCredentials() {
 | 
	
		
			
				|  |  | +  // TODO(yashykt): Switch to using C++ API once b/173823806 is fixed.
 | 
	
		
			
				|  |  | +  grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
 | 
	
		
			
				|  |  | +  grpc_tls_credentials_options_set_server_verification_option(
 | 
	
		
			
				|  |  | +      options, GRPC_TLS_SKIP_HOSTNAME_VERIFICATION);
 | 
	
		
			
				|  |  | +  grpc_tls_credentials_options_set_certificate_provider(
 | 
	
		
			
				|  |  | +      options,
 | 
	
		
			
				|  |  | +      grpc_core::MakeRefCounted<grpc_core::StaticDataCertificateProvider>(
 | 
	
		
			
				|  |  | +          ReadFile(kCaCertPath),
 | 
	
		
			
				|  |  | +          ReadTlsIdentityPair(kServerKeyPath, kServerCertPath))
 | 
	
		
			
				|  |  | +          .get());
 | 
	
		
			
				|  |  | +  grpc_tls_credentials_options_watch_root_certs(options);
 | 
	
		
			
				|  |  | +  grpc_tls_credentials_options_watch_identity_key_cert_pairs(options);
 | 
	
		
			
				|  |  | +  grpc_tls_server_authorization_check_config* check_config =
 | 
	
		
			
				|  |  | +      grpc_tls_server_authorization_check_config_create(
 | 
	
		
			
				|  |  | +          nullptr, ServerAuthCheckSchedule, nullptr, nullptr);
 | 
	
		
			
				|  |  | +  grpc_tls_credentials_options_set_server_authorization_check_config(
 | 
	
		
			
				|  |  | +      options, check_config);
 | 
	
		
			
				|  |  | +  auto channel_creds = std::make_shared<SecureChannelCredentials>(
 | 
	
		
			
				|  |  | +      grpc_tls_credentials_create(options));
 | 
	
		
			
				|  |  | +  return channel_creds;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  class XdsEnd2endTest : public ::testing::TestWithParam<TestType> {
 | 
	
		
			
				|  |  |   protected:
 | 
	
		
			
				|  |  |    XdsEnd2endTest(size_t num_backends, size_t num_balancers,
 | 
	
	
		
			
				|  | @@ -1457,18 +1633,12 @@ class XdsEnd2endTest : public ::testing::TestWithParam<TestType> {
 | 
	
		
			
				|  |  |      }
 | 
	
		
			
				|  |  |      std::string uri = absl::StrCat(
 | 
	
		
			
				|  |  |          GetParam().use_xds_resolver() ? "xds" : "fake", ":///", server_name);
 | 
	
		
			
				|  |  | -    // TODO(dgq): templatize tests to run everything using both secure and
 | 
	
		
			
				|  |  | -    // insecure channel credentials.
 | 
	
		
			
				|  |  | -    grpc_channel_credentials* channel_creds =
 | 
	
		
			
				|  |  | -        grpc_fake_transport_security_credentials_create();
 | 
	
		
			
				|  |  | -    grpc_call_credentials* call_creds = grpc_md_only_test_credentials_create(
 | 
	
		
			
				|  |  | -        g_kCallCredsMdKey, g_kCallCredsMdValue, false);
 | 
	
		
			
				|  |  | -    std::shared_ptr<ChannelCredentials> creds(
 | 
	
		
			
				|  |  | -        new SecureChannelCredentials(grpc_composite_channel_credentials_create(
 | 
	
		
			
				|  |  | -            channel_creds, call_creds, nullptr)));
 | 
	
		
			
				|  |  | -    call_creds->Unref();
 | 
	
		
			
				|  |  | -    channel_creds->Unref();
 | 
	
		
			
				|  |  | -    return ::grpc::CreateCustomChannel(uri, creds, args);
 | 
	
		
			
				|  |  | +    std::shared_ptr<ChannelCredentials> channel_creds =
 | 
	
		
			
				|  |  | +        GetParam().use_xds_credentials()
 | 
	
		
			
				|  |  | +            ? experimental::XdsCredentials(CreateTlsFallbackCredentials())
 | 
	
		
			
				|  |  | +            : std::make_shared<SecureChannelCredentials>(
 | 
	
		
			
				|  |  | +                  grpc_fake_transport_security_credentials_create());
 | 
	
		
			
				|  |  | +    return ::grpc::CreateCustomChannel(uri, channel_creds, args);
 | 
	
		
			
				|  |  |    }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    enum RpcService {
 | 
	
	
		
			
				|  | @@ -1901,9 +2071,7 @@ class XdsEnd2endTest : public ::testing::TestWithParam<TestType> {
 | 
	
		
			
				|  |  |        std::ostringstream server_address;
 | 
	
		
			
				|  |  |        server_address << "localhost:" << port_;
 | 
	
		
			
				|  |  |        ServerBuilder builder;
 | 
	
		
			
				|  |  | -      std::shared_ptr<ServerCredentials> creds(new SecureServerCredentials(
 | 
	
		
			
				|  |  | -          grpc_fake_transport_security_server_credentials_create()));
 | 
	
		
			
				|  |  | -      builder.AddListeningPort(server_address.str(), creds);
 | 
	
		
			
				|  |  | +      builder.AddListeningPort(server_address.str(), Credentials());
 | 
	
		
			
				|  |  |        RegisterAllServices(&builder);
 | 
	
		
			
				|  |  |        server_ = builder.BuildAndStart();
 | 
	
		
			
				|  |  |        cond->Signal();
 | 
	
	
		
			
				|  | @@ -1919,6 +2087,11 @@ class XdsEnd2endTest : public ::testing::TestWithParam<TestType> {
 | 
	
		
			
				|  |  |        running_ = false;
 | 
	
		
			
				|  |  |      }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | +    virtual std::shared_ptr<ServerCredentials> Credentials() {
 | 
	
		
			
				|  |  | +      return std::make_shared<SecureServerCredentials>(
 | 
	
		
			
				|  |  | +          grpc_fake_transport_security_server_credentials_create());
 | 
	
		
			
				|  |  | +    }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |      int port() const { return port_; }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |     private:
 | 
	
	
		
			
				|  | @@ -1949,6 +2122,27 @@ class XdsEnd2endTest : public ::testing::TestWithParam<TestType> {
 | 
	
		
			
				|  |  |        return &backend_service2_;
 | 
	
		
			
				|  |  |      }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | +    std::shared_ptr<ServerCredentials> Credentials() override {
 | 
	
		
			
				|  |  | +      if (GetParam().use_xds_credentials()) {
 | 
	
		
			
				|  |  | +        std::string root_cert = ReadFile(kCaCertPath);
 | 
	
		
			
				|  |  | +        std::string identity_cert = ReadFile(kServerCertPath);
 | 
	
		
			
				|  |  | +        std::string private_key = ReadFile(kServerKeyPath);
 | 
	
		
			
				|  |  | +        std::vector<experimental::IdentityKeyCertPair> identity_key_cert_pairs =
 | 
	
		
			
				|  |  | +            {{private_key, identity_cert}};
 | 
	
		
			
				|  |  | +        auto certificate_provider =
 | 
	
		
			
				|  |  | +            std::make_shared<grpc::experimental::StaticDataCertificateProvider>(
 | 
	
		
			
				|  |  | +                root_cert, identity_key_cert_pairs);
 | 
	
		
			
				|  |  | +        grpc::experimental::TlsServerCredentialsOptions options(
 | 
	
		
			
				|  |  | +            certificate_provider);
 | 
	
		
			
				|  |  | +        options.watch_root_certs();
 | 
	
		
			
				|  |  | +        options.watch_identity_key_cert_pairs();
 | 
	
		
			
				|  |  | +        options.set_cert_request_type(
 | 
	
		
			
				|  |  | +            GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY);
 | 
	
		
			
				|  |  | +        return grpc::experimental::TlsServerCredentials(options);
 | 
	
		
			
				|  |  | +      }
 | 
	
		
			
				|  |  | +      return ServerThread::Credentials();
 | 
	
		
			
				|  |  | +    }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |     private:
 | 
	
		
			
				|  |  |      void RegisterAllServices(ServerBuilder* builder) override {
 | 
	
		
			
				|  |  |        builder->RegisterService(&backend_service_);
 | 
	
	
		
			
				|  | @@ -5075,6 +5269,367 @@ TEST_P(CdsTest, WrongLrsServer) {
 | 
	
		
			
				|  |  |    EXPECT_EQ(response_state.error_message, "LRS ConfigSource is not self.");
 | 
	
		
			
				|  |  |  }
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | +class XdsSecurityTest : public BasicTest {
 | 
	
		
			
				|  |  | + protected:
 | 
	
		
			
				|  |  | +  static void SetUpTestCase() {
 | 
	
		
			
				|  |  | +    gpr_setenv("GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT", "true");
 | 
	
		
			
				|  |  | +    grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory(
 | 
	
		
			
				|  |  | +        absl::make_unique<FakeCertificateProviderFactory>(
 | 
	
		
			
				|  |  | +            "fake1", &g_fake1_cert_data_map));
 | 
	
		
			
				|  |  | +    grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory(
 | 
	
		
			
				|  |  | +        absl::make_unique<FakeCertificateProviderFactory>(
 | 
	
		
			
				|  |  | +            "fake2", &g_fake2_cert_data_map));
 | 
	
		
			
				|  |  | +    BasicTest::SetUpTestCase();
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  static void TearDownTestCase() {
 | 
	
		
			
				|  |  | +    BasicTest::TearDownTestCase();
 | 
	
		
			
				|  |  | +    gpr_unsetenv("GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT");
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  void SetUp() override {
 | 
	
		
			
				|  |  | +    BasicTest::SetUp();
 | 
	
		
			
				|  |  | +    root_cert_ = ReadFile(kCaCertPath);
 | 
	
		
			
				|  |  | +    bad_root_cert_ = ReadFile(kBadClientCertPath);
 | 
	
		
			
				|  |  | +    identity_pair_1_ = ReadTlsIdentityPair(kClientKeyPath, kClientCertPath);
 | 
	
		
			
				|  |  | +    identity_pair_2_ = ReadTlsIdentityPair(kServerKeyPath, kServerCertPath);
 | 
	
		
			
				|  |  | +    bad_identity_pair_ =
 | 
	
		
			
				|  |  | +        ReadTlsIdentityPair(kBadClientKeyPath, kBadClientCertPath);
 | 
	
		
			
				|  |  | +    authenticated_identity_1_ = {"testclient"};
 | 
	
		
			
				|  |  | +    authenticated_identity_2_ = {"*.test.google.fr", "waterzooi.test.google.be",
 | 
	
		
			
				|  |  | +                                 "*.test.youtube.com", "192.168.1.3"};
 | 
	
		
			
				|  |  | +    AdsServiceImpl::EdsResourceArgs args({
 | 
	
		
			
				|  |  | +        {"locality0", GetBackendPorts(0, 1)},
 | 
	
		
			
				|  |  | +    });
 | 
	
		
			
				|  |  | +    balancers_[0]->ads_service()->SetEdsResource(
 | 
	
		
			
				|  |  | +        BuildEdsResource(args, DefaultEdsServiceName()));
 | 
	
		
			
				|  |  | +    SetNextResolutionForLbChannelAllBalancers();
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  // Sends CDS updates with the new security configuration and verifies that
 | 
	
		
			
				|  |  | +  // after propagation, this new configuration is used for connections. If \a
 | 
	
		
			
				|  |  | +  // identity_instance_name and \a root_instance_name are both empty,
 | 
	
		
			
				|  |  | +  // connections are expected to use fallback credentials.
 | 
	
		
			
				|  |  | +  void UpdateAndVerifyXdsSecurityConfiguration(
 | 
	
		
			
				|  |  | +      absl::string_view root_instance_name,
 | 
	
		
			
				|  |  | +      absl::string_view root_certificate_name,
 | 
	
		
			
				|  |  | +      absl::string_view identity_instance_name,
 | 
	
		
			
				|  |  | +      absl::string_view identity_certificate_name,
 | 
	
		
			
				|  |  | +      const std::vector<std::string>& expected_authenticated_identity,
 | 
	
		
			
				|  |  | +      bool test_expects_failure = false) {
 | 
	
		
			
				|  |  | +    auto cluster = default_cluster_;
 | 
	
		
			
				|  |  | +    if (!identity_instance_name.empty() || !root_instance_name.empty()) {
 | 
	
		
			
				|  |  | +      auto* transport_socket = cluster.mutable_transport_socket();
 | 
	
		
			
				|  |  | +      transport_socket->set_name("envoy.transport_sockets.tls");
 | 
	
		
			
				|  |  | +      UpstreamTlsContext upstream_tls_context;
 | 
	
		
			
				|  |  | +      if (!identity_instance_name.empty()) {
 | 
	
		
			
				|  |  | +        upstream_tls_context.mutable_common_tls_context()
 | 
	
		
			
				|  |  | +            ->mutable_tls_certificate_certificate_provider_instance()
 | 
	
		
			
				|  |  | +            ->set_instance_name(std::string(identity_instance_name));
 | 
	
		
			
				|  |  | +        upstream_tls_context.mutable_common_tls_context()
 | 
	
		
			
				|  |  | +            ->mutable_tls_certificate_certificate_provider_instance()
 | 
	
		
			
				|  |  | +            ->set_certificate_name(std::string(identity_certificate_name));
 | 
	
		
			
				|  |  | +      }
 | 
	
		
			
				|  |  | +      if (!root_instance_name.empty()) {
 | 
	
		
			
				|  |  | +        upstream_tls_context.mutable_common_tls_context()
 | 
	
		
			
				|  |  | +            ->mutable_combined_validation_context()
 | 
	
		
			
				|  |  | +            ->mutable_validation_context_certificate_provider_instance()
 | 
	
		
			
				|  |  | +            ->set_instance_name(std::string(root_instance_name));
 | 
	
		
			
				|  |  | +        upstream_tls_context.mutable_common_tls_context()
 | 
	
		
			
				|  |  | +            ->mutable_combined_validation_context()
 | 
	
		
			
				|  |  | +            ->mutable_validation_context_certificate_provider_instance()
 | 
	
		
			
				|  |  | +            ->set_certificate_name(std::string(root_certificate_name));
 | 
	
		
			
				|  |  | +      }
 | 
	
		
			
				|  |  | +      transport_socket->mutable_typed_config()->PackFrom(upstream_tls_context);
 | 
	
		
			
				|  |  | +    }
 | 
	
		
			
				|  |  | +    balancers_[0]->ads_service()->SetCdsResource(cluster);
 | 
	
		
			
				|  |  | +    // The updates might take time to have an effect, so use a retry loop.
 | 
	
		
			
				|  |  | +    constexpr int kRetryCount = 10;
 | 
	
		
			
				|  |  | +    int num_tries = 0;
 | 
	
		
			
				|  |  | +    for (; num_tries < kRetryCount; num_tries++) {
 | 
	
		
			
				|  |  | +      // Give some time for the updates to propagate.
 | 
	
		
			
				|  |  | +      gpr_sleep_until(grpc_timeout_milliseconds_to_deadline(100));
 | 
	
		
			
				|  |  | +      ShutdownBackend(0);
 | 
	
		
			
				|  |  | +      StartBackend(0);
 | 
	
		
			
				|  |  | +      ResetBackendCounters();
 | 
	
		
			
				|  |  | +      if (test_expects_failure) {
 | 
	
		
			
				|  |  | +        if (!SendRpc().ok()) break;
 | 
	
		
			
				|  |  | +      } else {
 | 
	
		
			
				|  |  | +        WaitForBackend(0);
 | 
	
		
			
				|  |  | +        if (SendRpc().ok() &&
 | 
	
		
			
				|  |  | +            backends_[0]->backend_service()->request_count() == 1UL &&
 | 
	
		
			
				|  |  | +            backends_[0]->backend_service()->last_peer_identity() ==
 | 
	
		
			
				|  |  | +                expected_authenticated_identity) {
 | 
	
		
			
				|  |  | +          break;
 | 
	
		
			
				|  |  | +        }
 | 
	
		
			
				|  |  | +      }
 | 
	
		
			
				|  |  | +    }
 | 
	
		
			
				|  |  | +    EXPECT_TRUE(num_tries < kRetryCount);
 | 
	
		
			
				|  |  | +  }
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +  std::string root_cert_;
 | 
	
		
			
				|  |  | +  std::string bad_root_cert_;
 | 
	
		
			
				|  |  | +  grpc_core::PemKeyCertPairList identity_pair_1_;
 | 
	
		
			
				|  |  | +  grpc_core::PemKeyCertPairList identity_pair_2_;
 | 
	
		
			
				|  |  | +  grpc_core::PemKeyCertPairList bad_identity_pair_;
 | 
	
		
			
				|  |  | +  std::vector<std::string> authenticated_identity_1_;
 | 
	
		
			
				|  |  | +  std::vector<std::string> authenticated_identity_2_;
 | 
	
		
			
				|  |  | +};
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, UnknownRootCertificateProvider) {
 | 
	
		
			
				|  |  | +  auto cluster = default_cluster_;
 | 
	
		
			
				|  |  | +  auto* transport_socket = cluster.mutable_transport_socket();
 | 
	
		
			
				|  |  | +  transport_socket->set_name("envoy.transport_sockets.tls");
 | 
	
		
			
				|  |  | +  UpstreamTlsContext upstream_tls_context;
 | 
	
		
			
				|  |  | +  upstream_tls_context.mutable_common_tls_context()
 | 
	
		
			
				|  |  | +      ->mutable_combined_validation_context()
 | 
	
		
			
				|  |  | +      ->mutable_validation_context_certificate_provider_instance()
 | 
	
		
			
				|  |  | +      ->set_instance_name("unknown");
 | 
	
		
			
				|  |  | +  transport_socket->mutable_typed_config()->PackFrom(upstream_tls_context);
 | 
	
		
			
				|  |  | +  balancers_[0]->ads_service()->SetCdsResource(cluster);
 | 
	
		
			
				|  |  | +  CheckRpcSendFailure(1, RpcOptions(), StatusCode::UNAVAILABLE);
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, UnknownIdentityCertificateProvider) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  auto cluster = default_cluster_;
 | 
	
		
			
				|  |  | +  auto* transport_socket = cluster.mutable_transport_socket();
 | 
	
		
			
				|  |  | +  transport_socket->set_name("envoy.transport_sockets.tls");
 | 
	
		
			
				|  |  | +  UpstreamTlsContext upstream_tls_context;
 | 
	
		
			
				|  |  | +  upstream_tls_context.mutable_common_tls_context()
 | 
	
		
			
				|  |  | +      ->mutable_tls_certificate_certificate_provider_instance()
 | 
	
		
			
				|  |  | +      ->set_instance_name("unknown");
 | 
	
		
			
				|  |  | +  upstream_tls_context.mutable_common_tls_context()
 | 
	
		
			
				|  |  | +      ->mutable_combined_validation_context()
 | 
	
		
			
				|  |  | +      ->mutable_validation_context_certificate_provider_instance()
 | 
	
		
			
				|  |  | +      ->set_instance_name("fake_plugin1");
 | 
	
		
			
				|  |  | +  transport_socket->mutable_typed_config()->PackFrom(upstream_tls_context);
 | 
	
		
			
				|  |  | +  balancers_[0]->ads_service()->SetCdsResource(cluster);
 | 
	
		
			
				|  |  | +  CheckRpcSendFailure(1, RpcOptions(), StatusCode::UNAVAILABLE);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsConfiguration) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRootPluginUpdate) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake2_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {bad_root_cert_, bad_identity_pair_}}};
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = &fake2_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin2", "",
 | 
	
		
			
				|  |  | +                                          "fake_plugin1" /* bad root */, "", {},
 | 
	
		
			
				|  |  | +                                          true /* failure */);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsConfigurationWithIdentityPluginUpdate) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake2_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_2_}}};
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = &fake2_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin2",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsConfigurationWithBothPluginsUpdated) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake2_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {bad_root_cert_, bad_identity_pair_}},
 | 
	
		
			
				|  |  | +      {"good", {root_cert_, identity_pair_2_}}};
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = &fake2_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin2", "", "fake_plugin2",
 | 
	
		
			
				|  |  | +                                          "", {}, true /* failure */);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin2", "good",
 | 
	
		
			
				|  |  | +                                          "fake_plugin2", "good",
 | 
	
		
			
				|  |  | +                                          authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsConfigurationWithRootCertificateNameUpdate) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}},
 | 
	
		
			
				|  |  | +      {"bad", {bad_root_cert_, bad_identity_pair_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", {}, true /* failure */);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest,
 | 
	
		
			
				|  |  | +       TestMtlsConfigurationWithIdentityCertificateNameUpdate) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}},
 | 
	
		
			
				|  |  | +      {"bad", {bad_root_cert_, bad_identity_pair_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "bad", {}, true /* failure */);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest,
 | 
	
		
			
				|  |  | +       TestMtlsConfigurationWithIdentityCertificateNameUpdateGoodCerts) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}},
 | 
	
		
			
				|  |  | +      {"good", {root_cert_, identity_pair_2_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "good", authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsConfigurationWithBothCertificateNamesUpdated) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}},
 | 
	
		
			
				|  |  | +      {"bad", {bad_root_cert_, bad_identity_pair_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "bad", {}, true /* failure */);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestTlsConfiguration) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
 | 
	
		
			
				|  |  | +                                          {} /* unauthenticated */);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestTlsConfigurationWithRootCertificateNameUpdate) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}},
 | 
	
		
			
				|  |  | +      {"bad", {bad_root_cert_, bad_identity_pair_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
 | 
	
		
			
				|  |  | +                                          {} /* unauthenticated */);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "bad", "", "", {},
 | 
	
		
			
				|  |  | +                                          true /* failure */);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestTlsConfigurationWithRootPluginUpdate) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake2_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {bad_root_cert_, bad_identity_pair_}}};
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = &fake2_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
 | 
	
		
			
				|  |  | +                                          {} /* unauthenticated */);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin2", "", "", "", {},
 | 
	
		
			
				|  |  | +                                          true /* failure */);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +  g_fake2_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestFallbackConfiguration) {
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("", "", "", "",
 | 
	
		
			
				|  |  | +                                          authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsToTls) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
 | 
	
		
			
				|  |  | +                                          {} /* unauthenticated */);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestMtlsToFallback) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("", "", "", "",
 | 
	
		
			
				|  |  | +                                          authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestTlsToMtls) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
 | 
	
		
			
				|  |  | +                                          {} /* unauthenticated */);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestTlsToFallback) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
 | 
	
		
			
				|  |  | +                                          {} /* unauthenticated */);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("", "", "", "",
 | 
	
		
			
				|  |  | +                                          authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestFallbackToMtls) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("", "", "", "",
 | 
	
		
			
				|  |  | +                                          authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "fake_plugin1",
 | 
	
		
			
				|  |  | +                                          "", authenticated_identity_1_);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +TEST_P(XdsSecurityTest, TestFallbackToTls) {
 | 
	
		
			
				|  |  | +  FakeCertificateProvider::CertDataMap fake1_cert_map = {
 | 
	
		
			
				|  |  | +      {"", {root_cert_, identity_pair_1_}}};
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = &fake1_cert_map;
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("", "", "", "",
 | 
	
		
			
				|  |  | +                                          authenticated_identity_2_);
 | 
	
		
			
				|  |  | +  UpdateAndVerifyXdsSecurityConfiguration("fake_plugin1", "", "", "",
 | 
	
		
			
				|  |  | +                                          {} /* unauthenticated */);
 | 
	
		
			
				|  |  | +  g_fake1_cert_data_map = nullptr;
 | 
	
		
			
				|  |  | +}
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  using EdsTest = BasicTest;
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  // Tests that EDS client should send a NACK if the EDS update contains
 | 
	
	
		
			
				|  | @@ -6358,6 +6913,7 @@ std::string TestTypeName(const ::testing::TestParamInfo<TestType>& info) {
 | 
	
		
			
				|  |  |  // - enable_load_reporting
 | 
	
		
			
				|  |  |  // - enable_rds_testing = false
 | 
	
		
			
				|  |  |  // - use_v2 = false
 | 
	
		
			
				|  |  | +// - use_xds_credentials = false
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  INSTANTIATE_TEST_SUITE_P(XdsTest, BasicTest,
 | 
	
		
			
				|  |  |                           ::testing::Values(TestType(false, true),
 | 
	
	
		
			
				|  | @@ -6396,6 +6952,15 @@ INSTANTIATE_TEST_SUITE_P(XdsTest, CdsTest,
 | 
	
		
			
				|  |  |                                             TestType(true, true)),
 | 
	
		
			
				|  |  |                           &TestTypeName);
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | +// CDS depends on XdsResolver.
 | 
	
		
			
				|  |  | +// Security depends on v3.
 | 
	
		
			
				|  |  | +// Not enabling load reporting or RDS, since those are irrelevant to these
 | 
	
		
			
				|  |  | +// tests.
 | 
	
		
			
				|  |  | +INSTANTIATE_TEST_SUITE_P(XdsTest, XdsSecurityTest,
 | 
	
		
			
				|  |  | +                         ::testing::Values(TestType(true, false, false, false,
 | 
	
		
			
				|  |  | +                                                    true)),
 | 
	
		
			
				|  |  | +                         &TestTypeName);
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  // EDS could be tested with or without XdsResolver, but the tests would
 | 
	
		
			
				|  |  |  // be the same either way, so we test it only with XdsResolver.
 | 
	
		
			
				|  |  |  INSTANTIATE_TEST_SUITE_P(XdsTest, EdsTest,
 |