Bootstrap file validation for TLS channel creds

Author: Zgoda91

api/src/main/java/io/grpc/TlsChannelCredentials.java

@@ -26,6 +26,7 @@
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.TrustManager;
@@ -49,6 +50,7 @@ public static ChannelCredentials create() {
   private final List<KeyManager> keyManagers;
   private final byte[] rootCertificates;
   private final List<TrustManager> trustManagers;
+  private final Map<String, ?> customCertificatesConfig;
 
   TlsChannelCredentials(Builder builder) {
     fakeFeature = builder.fakeFeature;
@@ -58,6 +60,7 @@ public static ChannelCredentials create() {
     keyManagers = builder.keyManagers;
     rootCertificates = builder.rootCertificates;
     trustManagers = builder.trustManagers;
+    customCertificatesConfig = builder.customCertificatesConfig;
   }
 
   /**
@@ -121,6 +124,21 @@ public List<TrustManager> getTrustManagers() {
     return trustManagers;
   }
 
+  /**
+   * Returns custom certificates config. It contains following entries:
+   *
+   * <ul>
+   *   <li>{@code "ca_certificate_file"} key containing the path to the root certificate file</li>
+   *   <li>{@code "certificate_file"} key containing the path to the identity certificate file</li>
+   *   <li>{@code "private_key_file"} key containing the path to the private key</li>
+   *   <li>{@code "refresh_interval"} key specifying the frequency of updates to the above
+   * files</li>
+   * </ul>
+   */
+  public Map<String, ?> getCustomCertificatesConfig() {
+    return customCertificatesConfig;
+  }
+
   /**
    * Returns an empty set if this credential can be adequately understood via
    * the features listed, otherwise returns a hint of features that are lacking
@@ -228,6 +246,7 @@ public static final class Builder {
     private List<KeyManager> keyManagers;
     private byte[] rootCertificates;
     private List<TrustManager> trustManagers;
+    private Map<String, ?> customCertificatesConfig;
 
     private Builder() {}
 
@@ -355,6 +374,11 @@ public Builder trustManager(TrustManager... trustManagers) {
       return this;
     }
 
+    public Builder customCertificatesConfig(Map<String, ?> customCertificatesConfig) {
+      this.customCertificatesConfig = customCertificatesConfig;
+      return this;
+    }
+
     private void clearTrustManagers() {
       this.rootCertificates = null;
       this.trustManagers = null;

xds/src/main/java/io/grpc/xds/client/BootstrapperImpl.java

@@ -21,6 +21,7 @@
 import com.google.common.collect.ImmutableMap;
 import io.grpc.Internal;
 import io.grpc.InternalLogId;
+import io.grpc.TlsChannelCredentials;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.GrpcUtil.GrpcBuildVersion;
 import io.grpc.internal.JsonParser;
@@ -170,9 +171,9 @@ protected BootstrapInfo.Builder bootstrapBuilder(Map<String, ?> rawData)
     builder.node(nodeBuilder.build());
 
     Map<String, ?> certProvidersBlob = JsonUtil.getObject(rawData, "certificate_providers");
+    Map<String, CertificateProviderInfo> certProviders = new HashMap<>();
     if (certProvidersBlob != null) {
       logger.log(XdsLogLevel.INFO, "Configured with {0} cert providers", certProvidersBlob.size());
-      Map<String, CertificateProviderInfo> certProviders = new HashMap<>(certProvidersBlob.size());
       for (String name : certProvidersBlob.keySet()) {
         Map<String, ?> valueMap = JsonUtil.getObject(certProvidersBlob, name);
         String pluginName =
@@ -183,6 +184,21 @@ protected BootstrapInfo.Builder bootstrapBuilder(Map<String, ?> rawData)
             CertificateProviderInfo.create(pluginName, config);
         certProviders.put(name, certificateProviderInfo);
       }
+    }
+
+    for (ServerInfo serverInfo : servers) {
+      Object creds = serverInfo.implSpecificConfig();
+      if (creds instanceof TlsChannelCredentials) {
+        Map<String, ?> config = ((TlsChannelCredentials)creds).getCustomCertificatesConfig();
+        if (config != null) {
+          CertificateProviderInfo certificateProviderInfo =
+              CertificateProviderInfo.create("file_watcher", config);
+          certProviders.put("mtls_channel_creds_identity_certs", certificateProviderInfo);
+        }
+      }
+    }
+
+    if (!certProviders.isEmpty()) {
       builder.certProviders(certProviders);
     }
 

xds/src/main/java/io/grpc/xds/internal/TlsXdsCredentialsProvider.java

@@ -18,7 +18,10 @@
 
 import io.grpc.ChannelCredentials;
 import io.grpc.TlsChannelCredentials;
+import io.grpc.internal.JsonUtil;
 import io.grpc.xds.XdsCredentialsProvider;
+import java.io.File;
+import java.io.IOException;
 import java.util.Map;
 
 /**
@@ -30,7 +33,42 @@ public final class TlsXdsCredentialsProvider extends XdsCredentialsProvider {
 
   @Override
   protected ChannelCredentials newChannelCredentials(Map<String, ?> jsonConfig) {
-    return TlsChannelCredentials.create();
+    TlsChannelCredentials.Builder builder = TlsChannelCredentials.newBuilder();
+
+    if (jsonConfig == null) {
+      return builder.build();
+    }
+
+    // use trust certificate file path from bootstrap config if provided; else use system default
+    String rootCertPath = JsonUtil.getString(jsonConfig, "ca_certificate_file");
+    if (rootCertPath != null) {
+      try {
+        builder.trustManager(new File(rootCertPath));
+      } catch (IOException e) {
+        return null;
+      }
+    }
+
+    // use certificate chain and private key file paths from bootstrap config if provided. Mind that
+    // both JSON values must be either set (mTLS case) or both unset (TLS case)
+    String certChainPath = JsonUtil.getString(jsonConfig, "certificate_file");
+    String privateKeyPath = JsonUtil.getString(jsonConfig, "private_key_file");
+    if (certChainPath != null && privateKeyPath != null) {
+      try {
+        builder.keyManager(new File(certChainPath), new File(privateKeyPath));
+      } catch (IOException e) {
+        return null;
+      }
+    } else if (certChainPath != null || privateKeyPath != null) {
+      return null;
+    }
+
+    // save json config when custom certificate paths were provided in a bootstrap
+    if (rootCertPath != null || certChainPath != null) {
+      builder.customCertificatesConfig(jsonConfig);
+    }
+    
+    return builder.build();
   }
 
   @Override

xds/src/test/java/io/grpc/xds/GrpcBootstrapperImplTest.java

@@ -17,6 +17,9 @@
 package io.grpc.xds;
 
 import static com.google.common.truth.Truth.assertThat;
+import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CA_PEM_FILE;
+import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_KEY_FILE;
+import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.fail;
 import static org.mockito.Mockito.mock;
@@ -26,9 +29,11 @@
 import com.google.common.collect.Iterables;
 import io.grpc.internal.GrpcUtil;
 import io.grpc.internal.GrpcUtil.GrpcBuildVersion;
+import io.grpc.internal.testing.TestUtils;
 import io.grpc.xds.client.Bootstrapper;
 import io.grpc.xds.client.Bootstrapper.AuthorityInfo;
 import io.grpc.xds.client.Bootstrapper.BootstrapInfo;
+import io.grpc.xds.client.Bootstrapper.CertificateProviderInfo;
 import io.grpc.xds.client.Bootstrapper.ServerInfo;
 import io.grpc.xds.client.BootstrapperImpl;
 import io.grpc.xds.client.CommonBootstrapperTestUtils;
@@ -896,6 +901,60 @@ public void badFederationConfig() {
     }
   }
 
+  @Test
+  public void parseTlsChannelCredentialsWithCustomCertificatesConfig()
+      throws XdsInitializationException, IOException {
+    String rootCertPath = TestUtils.loadCert(CA_PEM_FILE).getAbsolutePath();
+    String certChainPath = TestUtils.loadCert(CLIENT_PEM_FILE).getAbsolutePath();
+    String privateKeyPath = TestUtils.loadCert(CLIENT_KEY_FILE).getAbsolutePath();
+
+    String rawData = "{\n"
+        + "  \"xds_servers\": [\n"
+        + "    {\n"
+        + "      \"server_uri\": \"" + SERVER_URI + "\",\n"
+        + "      \"channel_creds\": [\n"
+        + "        {\n"
+        + "          \"type\": \"tls\","
+        + "          \"config\": {\n"
+        + "            \"ca_certificate_file\": \"" + rootCertPath + "\",\n"
+        + "            \"certificate_file\": \"" + certChainPath + "\",\n"
+        + "            \"private_key_file\": \"" + privateKeyPath + "\"\n"
+        + "          }\n"
+        + "        }\n"
+        + "      ]\n"
+        + "    }\n"
+        + "  ]\n"
+        + "}";
+
+    bootstrapper.setFileReader(createFileReader(BOOTSTRAP_FILE_PATH, rawData));
+    BootstrapInfo info = bootstrapper.bootstrap();
+    assertThat(info.servers()).hasSize(1);
+    ServerInfo serverInfo = Iterables.getOnlyElement(info.servers());
+    assertThat(serverInfo.target()).isEqualTo(SERVER_URI);
+    assertThat(serverInfo.implSpecificConfig()).isEqualTo(
+        ImmutableMap.of(
+            "type", "tls",
+            "config", ImmutableMap.of(
+                "ca_certificate_file", rootCertPath,
+                "certificate_file", certChainPath,
+                "private_key_file", privateKeyPath)));
+    assertThat(info.node()).isEqualTo(getNodeBuilder().build());
+
+    assertThat(info.certProviders()).hasSize(1);
+    ImmutableMap<String, CertificateProviderInfo> certProviderInfo = info.certProviders();
+    assertThat(certProviderInfo.keySet()).containsExactly("mtls_channel_creds_identity_certs");
+    CertificateProviderInfo mtlsChannelCredCertProviderInfo =
+        certProviderInfo.get("mtls_channel_creds_identity_certs");
+    assertThat(mtlsChannelCredCertProviderInfo.config().keySet())
+        .containsExactly("ca_certificate_file", "certificate_file", "private_key_file");
+    assertThat(mtlsChannelCredCertProviderInfo.config().get("ca_certificate_file"))
+        .isEqualTo(rootCertPath);
+    assertThat(mtlsChannelCredCertProviderInfo.config().get("certificate_file"))
+        .isEqualTo(certChainPath);
+    assertThat(mtlsChannelCredCertProviderInfo.config().get("private_key_file"))
+        .isEqualTo(privateKeyPath);
+  }
+
   private static BootstrapperImpl.FileReader createFileReader(
       final String expectedPath, final String rawData) {
     return new BootstrapperImpl.FileReader() {

xds/src/test/java/io/grpc/xds/internal/TlsXdsCredentialsProviderTest.java

@@ -16,14 +16,21 @@
 
 package io.grpc.xds.internal;
 
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import com.google.common.collect.ImmutableMap;
+import io.grpc.ChannelCredentials;
 import io.grpc.InternalServiceProviders;
 import io.grpc.TlsChannelCredentials;
 import io.grpc.xds.XdsCredentialsProvider;
+import java.io.File;
+import java.util.Map;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
@@ -32,6 +39,9 @@
 public class TlsXdsCredentialsProviderTest {
   private TlsXdsCredentialsProvider provider = new TlsXdsCredentialsProvider();
 
+  @Rule
+  public TemporaryFolder tempFolder = new TemporaryFolder();
+
   @Test
   public void provided() {
     for (XdsCredentialsProvider current
@@ -50,8 +60,50 @@ public void isAvailable() {
   }
 
   @Test
-  public void channelCredentials() {
+  public void channelCredentialsWhenNullConfig() {
     assertSame(TlsChannelCredentials.class,
         provider.newChannelCredentials(null).getClass());
   }
+
+  @Test
+  public void channelCredentialsWhenNotExistingTrustFileConfig() {
+    Map<String, ?> jsonConfig = ImmutableMap.of(
+        "ca_certificate_file", "/tmp/not-exisiting-file.txt");
+    assertNull(provider.newChannelCredentials(jsonConfig));
+  }
+
+  @Test
+  public void channelCredentialsWhenNotExistingCertificateFileConfig() {
+    Map<String, ?> jsonConfig = ImmutableMap.of(
+        "certificate_file", "/tmp/not-exisiting-file.txt",
+        "private_key_file", "/tmp/not-exisiting-file-2.txt");
+    assertNull(provider.newChannelCredentials(jsonConfig));
+  }
+
+  @Test
+  public void channelCredentialsWhenInvalidConfig() throws Exception {
+    File certFile = tempFolder.newFile(new String("identity.cert"));
+    Map<String, ?> jsonConfig = ImmutableMap.of("certificate_file", certFile.toString());
+    assertNull(provider.newChannelCredentials(jsonConfig));
+  }
+
+  @Test
+  public void channelCredentialsWhenValidConfig() throws Exception {
+    File trustFile = tempFolder.newFile(new String("root.cert"));
+    File certFile = tempFolder.newFile(new String("identity.cert"));
+    File keyFile = tempFolder.newFile(new String("private.key"));
+
+    Map<String, ?> jsonConfig = ImmutableMap.of(
+        "ca_certificate_file", trustFile.toString(),
+        "certificate_file", certFile.toString(),
+        "private_key_file", keyFile.toString());
+
+    ChannelCredentials creds = provider.newChannelCredentials(jsonConfig);
+    assertSame(TlsChannelCredentials.class, creds.getClass());
+    assertSame(((TlsChannelCredentials) creds).getCustomCertificatesConfig(), jsonConfig);
+
+    trustFile.delete();
+    certFile.delete();
+    keyFile.delete();
+  }
 }