mTLS client-server test from bootstrap configuration

Author: Zgoda91

xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java

@@ -51,8 +51,10 @@
 import io.grpc.Status;
 import io.grpc.StatusOr;
 import io.grpc.StatusRuntimeException;
+import io.grpc.TlsServerCredentials;
 import io.grpc.stub.StreamObserver;
 import io.grpc.testing.GrpcCleanupRule;
+import io.grpc.testing.TlsTesting;
 import io.grpc.testing.protobuf.SimpleRequest;
 import io.grpc.testing.protobuf.SimpleResponse;
 import io.grpc.testing.protobuf.SimpleServiceGrpc;
@@ -513,6 +515,36 @@ public void mtlsClientServer_changeServerContext_expectException()
     }
   }
 
+  @Test
+  public void mtlsClientServer_withClientAuthentication_withTlsChannelCredsFromBootstrap()
+      throws Exception {
+    final String mtlsCertProviderInstanceName = "mtls_channel_creds_identity_certs";
+
+    UpstreamTlsContext upstreamTlsContext =
+        setBootstrapInfoWithMTlsChannelCredsAndBuildUpstreamTlsContext(
+            mtlsCertProviderInstanceName, CLIENT_KEY_FILE, CLIENT_PEM_FILE, CA_PEM_FILE);
+    
+    DownstreamTlsContext downstreamTlsContext =
+        setBootstrapInfoWithMTlsChannelCredsAndBuildDownstreamTlsContext(
+            mtlsCertProviderInstanceName, SERVER_1_KEY_FILE, SERVER_1_PEM_FILE, CA_PEM_FILE);
+
+    ServerCredentials serverCreds = TlsServerCredentials.newBuilder()
+        .keyManager(TlsTesting.loadCert(SERVER_1_PEM_FILE), TlsTesting.loadCert(SERVER_1_KEY_FILE))
+        .trustManager(TlsTesting.loadCert(CA_PEM_FILE))
+        .clientAuth(TlsServerCredentials.ClientAuth.REQUIRE)
+        .build();
+
+    buildServer(
+        XdsServerBuilder.forPort(0, serverCreds)
+            .xdsClientPoolFactory(fakePoolFactory)
+            .addService(new SimpleServiceImpl()),
+        downstreamTlsContext);
+
+    SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
+            getBlockingStub(upstreamTlsContext, OVERRIDE_AUTHORITY);
+    assertThat(unaryRpc("buddy", blockingStub)).isEqualTo("Hello buddy");
+  }
+
   private void performMtlsTestAndGetListenerWatcher(
       UpstreamTlsContext upstreamTlsContext, String certInstanceName2,
       String privateKey2, String cert2, String trustCa2)
@@ -573,6 +605,22 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSys
             .build());
   }
 
+  private UpstreamTlsContext setBootstrapInfoWithMTlsChannelCredsAndBuildUpstreamTlsContext(
+      String instanceName, String clientKeyFile, String clientPemFile, String caCertFile) {
+    bootstrapInfoForClient = CommonBootstrapperTestUtils
+        .buildBootstrapInfoForMTlsChannelCredentialServerInfo(
+            instanceName, clientKeyFile, clientPemFile, caCertFile);
+    return CommonTlsContextTestsUtil.buildUpstreamTlsContext(instanceName, true);
+  }
+
+  private DownstreamTlsContext setBootstrapInfoWithMTlsChannelCredsAndBuildDownstreamTlsContext(
+      String instanceName, String serverKeyFile, String serverPemFile, String caCertFile) {
+    bootstrapInfoForServer = CommonBootstrapperTestUtils
+        .buildBootstrapInfoForMTlsChannelCredentialServerInfo(
+            instanceName, serverKeyFile, serverPemFile, caCertFile);
+    return CommonTlsContextTestsUtil.buildDownstreamTlsContext(instanceName, true, true);
+  }
+
   private void buildServerWithTlsContext(DownstreamTlsContext downstreamTlsContext)
       throws Exception {
     buildServerWithTlsContext(downstreamTlsContext, InsecureServerCredentials.create());

xds/src/test/java/io/grpc/xds/client/CommonBootstrapperTestUtils.java

@@ -20,12 +20,14 @@
 import com.google.common.collect.ImmutableMap;
 import io.grpc.ChannelCredentials;
 import io.grpc.InsecureChannelCredentials;
+import io.grpc.TlsChannelCredentials;
 import io.grpc.internal.BackoffPolicy;
 import io.grpc.internal.FakeClock;
 import io.grpc.internal.JsonParser;
 import io.grpc.xds.client.Bootstrapper.ServerInfo;
 import io.grpc.xds.internal.security.CommonTlsContextTestsUtil;
 import io.grpc.xds.internal.security.TlsContextManagerImpl;
+import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -160,6 +162,42 @@ public static Bootstrapper.BootstrapInfo buildBootstrapInfo(
         .build();
   }
 
+  public static Bootstrapper.BootstrapInfo buildBootstrapInfoForMTlsChannelCredentialServerInfo(
+      String instanceName, String privateKey, String cert, String trustCa) {
+    try {
+      privateKey = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(privateKey);
+      cert = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(cert);
+      trustCa = CommonTlsContextTestsUtil.getTempFileNameForResourcesFile(trustCa);
+    } catch (IOException ioe) {
+      throw new RuntimeException(ioe);
+    }
+
+    HashMap<String, String> config = new HashMap<>();
+    config.put("certificate_file", cert);
+    config.put("private_key_file", privateKey);
+    config.put("ca_certificate_file", trustCa);
+
+    ChannelCredentials creds;
+    try {
+      creds = TlsChannelCredentials.newBuilder()
+          .customCertificatesConfig(config)
+          .keyManager(new File(cert), new File(privateKey))
+          .trustManager(new File(trustCa))
+          .build();
+    } catch (IOException ioe) {
+      throw new RuntimeException(ioe);
+    }
+
+    // config for tls channel credentials and for certificate provider are the same
+    return Bootstrapper.BootstrapInfo.builder()
+        .servers(ImmutableList.<ServerInfo>of(ServerInfo.create(SERVER_URI, creds)))
+        .node(EnvoyProtoData.Node.newBuilder().build())
+        .certProviders(ImmutableMap.of(
+            instanceName,
+            Bootstrapper.CertificateProviderInfo.create("file_watcher", config)))
+        .build();
+  }
+
   public static boolean setEnableXdsFallback(boolean target) {
     boolean oldValue = BootstrapperImpl.enableXdsFallback;
     BootstrapperImpl.enableXdsFallback = target;