xds: fix to use the resource based TestUtils.loadCert (#6281)

grpc · Oct 15, 2019 · ddaf1c8 · ddaf1c8
1 parent eda5e2e
commit ddaf1c8
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 103 deletions.
diff --git a/xds/src/main/java/io/grpc/xds/sds/trust/CertificateUtils.java b/xds/src/main/java/io/grpc/xds/sds/trust/CertificateUtils.java
@@ -17,6 +17,7 @@
 package io.grpc.xds.sds.trust;
 
 import java.io.BufferedInputStream;
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.security.cert.Certificate;
@@ -38,10 +39,15 @@ private static synchronized void initInstance() throws CertificateException {
     }
   }
 
-  static synchronized X509Certificate[] toX509Certificates(String fileName)
+  /**
+   * Generates X509Certificate array from a file on disk.
+   *
+   * @param file a {@link File} containing the cert data
+   */
+  static synchronized X509Certificate[] toX509Certificates(File file)
       throws CertificateException, IOException {
     initInstance();
-    FileInputStream fis = new FileInputStream(fileName);
+    FileInputStream fis = new FileInputStream(file);
     BufferedInputStream bis = new BufferedInputStream(fis);
     try {
       Collection<? extends Certificate> certs = factory.generateCertificates(bis);

diff --git a/xds/src/test/certs/client.pem b/xds/src/test/certs/client.pem
diff --git a/xds/src/test/certs/server1.pem b/xds/src/test/certs/server1.pem
diff --git a/xds/src/test/java/io/grpc/xds/sds/trust/SdsX509TrustManagerTest.java b/xds/src/test/java/io/grpc/xds/sds/trust/SdsX509TrustManagerTest.java
@@ -19,13 +19,13 @@
 import static com.google.common.truth.Truth.assertThat;
 
 import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
+import io.grpc.internal.testing.TestUtils;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import javax.net.ssl.X509ExtendedTrustManager;
 import org.junit.Assert;
-import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -39,102 +39,89 @@
  */
 @RunWith(JUnit4.class)
 public class SdsX509TrustManagerTest {
-  /**
-   * server1 has 4 SANs.
-   */
-  private static final String SERVER_1_PEM_FILE = "src/test/certs/server1.pem";
 
-  /**
-   * client has no SANs.
-   */
-  private static final String CLIENT_PEM_FILE = "src/test/certs/client.pem";
+  /** server1 has 4 SANs. */
+  private static final String SERVER_1_PEM_FILE = "server1.pem";
+
+  /** client has no SANs. */
+  private static final String CLIENT_PEM_FILE = "client.pem";
 
   @Rule
   public final MockitoRule mockitoRule = MockitoJUnit.rule();
 
   @Mock
   private X509ExtendedTrustManager mockDelegate;
 
-  @Ignore("test fails on blaze")
   @Test
   public void nullCertContextTest() throws CertificateException, IOException {
     SdsX509TrustManager trustManager = new SdsX509TrustManager(null, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     trustManager.verifySubjectAltNameInChain(certs);
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void emptySanListContextTest() throws CertificateException, IOException {
     CertificateValidationContext certContext = CertificateValidationContext.getDefaultInstance();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     trustManager.verifySubjectAltNameInChain(certs);
   }
 
   @Test
   public void missingPeerCerts() throws CertificateException, FileNotFoundException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
-            .addVerifySubjectAltName("foo.com")
-            .build();
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
     try {
       trustManager.verifySubjectAltNameInChain(null);
       Assert.fail("no exception thrown");
     } catch (CertificateException expected) {
-      assertThat(expected).hasMessageThat()
-              .isEqualTo("Peer certificate(s) missing");
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
     }
   }
 
   @Test
   public void emptyArrayPeerCerts() throws CertificateException, FileNotFoundException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
-            .addVerifySubjectAltName("foo.com")
-            .build();
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
     try {
       trustManager.verifySubjectAltNameInChain(new X509Certificate[0]);
       Assert.fail("no exception thrown");
     } catch (CertificateException expected) {
-      assertThat(expected).hasMessageThat()
-              .isEqualTo("Peer certificate(s) missing");
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate(s) missing");
     }
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void noSansInPeerCerts() throws CertificateException, IOException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
-            .addVerifySubjectAltName("foo.com")
-            .build();
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder().addVerifySubjectAltName("foo.com").build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(CLIENT_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(CLIENT_PEM_FILE));
     try {
       trustManager.verifySubjectAltNameInChain(certs);
       Assert.fail("no exception thrown");
     } catch (CertificateException expected) {
-      assertThat(expected).hasMessageThat()
-              .isEqualTo("Peer certificate SAN check failed");
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
     }
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void oneSanInPeerCertsVerifies() throws CertificateException, IOException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
             .addVerifySubjectAltName("waterzooi.test.google.be")
             .build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     trustManager.verifySubjectAltNameInChain(certs);
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void oneSanInPeerCertsVerifiesMultipleVerifySans()
       throws CertificateException, IOException {
@@ -144,18 +131,19 @@ public void oneSanInPeerCertsVerifiesMultipleVerifySans()
             .addVerifySubjectAltName("waterzooi.test.google.be")
             .build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     trustManager.verifySubjectAltNameInChain(certs);
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void oneSanInPeerCertsNotFoundException()
       throws CertificateException, IOException {
     CertificateValidationContext certContext =
         CertificateValidationContext.newBuilder().addVerifySubjectAltName("x.foo.com").build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     try {
       trustManager.verifySubjectAltNameInChain(certs);
       Assert.fail("no exception thrown");
@@ -164,85 +152,83 @@ public void oneSanInPeerCertsNotFoundException()
     }
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void wildcardSanInPeerCertsVerifiesMultipleVerifySans()
       throws CertificateException, IOException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
             .addVerifySubjectAltName("x.foo.com")
-            .addVerifySubjectAltName("abc.test.youtube.com")  // should match *.test.youtube.com
+            .addVerifySubjectAltName("abc.test.youtube.com") // should match *.test.youtube.com
             .build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     trustManager.verifySubjectAltNameInChain(certs);
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void wildcardSanInPeerCertsVerifiesMultipleVerifySans1()
       throws CertificateException, IOException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
             .addVerifySubjectAltName("x.foo.com")
-            .addVerifySubjectAltName("abc.test.google.fr")  // should match *.test.google.fr
+            .addVerifySubjectAltName("abc.test.google.fr") // should match *.test.google.fr
             .build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     trustManager.verifySubjectAltNameInChain(certs);
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void wildcardSanInPeerCertsSubdomainMismatch()
       throws CertificateException, IOException {
     // 2. Asterisk (*) cannot match across domain name labels.
     //    For example, *.example.com matches test.example.com but does not match
     //    sub.test.example.com.
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
             .addVerifySubjectAltName("sub.abc.test.youtube.com")
             .build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     try {
       trustManager.verifySubjectAltNameInChain(certs);
       Assert.fail("no exception thrown");
     } catch (CertificateException expected) {
-      assertThat(expected).hasMessageThat()
-              .isEqualTo("Peer certificate SAN check failed");
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
     }
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void oneIpAddressInPeerCertsVerifies() throws CertificateException, IOException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
             .addVerifySubjectAltName("x.foo.com")
             .addVerifySubjectAltName("192.168.1.3")
             .build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     trustManager.verifySubjectAltNameInChain(certs);
   }
 
-  @Ignore("test fails on blaze")
   @Test
   public void oneIpAddressInPeerCertsMismatch() throws CertificateException, IOException {
-    CertificateValidationContext certContext = CertificateValidationContext
-            .newBuilder()
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
             .addVerifySubjectAltName("x.foo.com")
             .addVerifySubjectAltName("192.168.2.3")
             .build();
     SdsX509TrustManager trustManager = new SdsX509TrustManager(certContext, mockDelegate);
-    X509Certificate[] certs = CertificateUtils.toX509Certificates(SERVER_1_PEM_FILE);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TestUtils.loadCert(SERVER_1_PEM_FILE));
     try {
       trustManager.verifySubjectAltNameInChain(certs);
       Assert.fail("no exception thrown");
     } catch (CertificateException expected) {
-      assertThat(expected).hasMessageThat()
-              .isEqualTo("Peer certificate SAN check failed");
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
     }
   }
 }