tests.

Author: rmehta19

gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java

@@ -63,7 +63,10 @@
 import io.grpc.auth.MoreCallCredentials;
 import io.grpc.s2a.S2AChannelCredentials;
 import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
@@ -102,7 +105,8 @@ public final class InstantiatingGrpcChannelProvider implements TransportChannelP
   @VisibleForTesting
   static final String DIRECT_PATH_ENV_ENABLE_XDS = "GOOGLE_CLOUD_ENABLE_DIRECT_PATH_XDS";
 
-  private static final String S2A_ENV_ENABLE_USE_S2A = "EXPERIMENTAL_GOOGLE_API_USE_S2A";
+  @VisibleForTesting static final String S2A_ENV_ENABLE_USE_S2A = "EXPERIMENTAL_GOOGLE_API_USE_S2A";
+
   private static final String MTLS_MDS_ROOT = "/run/google-mds-mtls/root.crt";
   // The mTLS MDS credentials are formatted as the concatenation of a PEM-encoded certificate chain
   // followed by a PEM-encoded private key.
@@ -118,9 +122,11 @@ public final class InstantiatingGrpcChannelProvider implements TransportChannelP
   private final HeaderProvider headerProvider;
   private final String endpoint;
   private final String mtlsEndpoint;
-  // TODO: remove. envProvider currently provides DirectPath environment variable, and is only used
-  // during initial rollout for DirectPath. This provider will be removed once the DirectPath
-  // environment is not used.
+  // TODO: remove.
+  // envProvider currently provides DirectPath and S2A environment variables, and is only used
+  // during initial rollout for DirectPath and S2A. This provider will be removed once the
+  // DirectPath
+  // and S2A environment variables are not used.
   private final EnvironmentProvider envProvider;
   @Nullable private final GrpcInterceptorProvider interceptorProvider;
   @Nullable private final Integer maxInboundMessageSize;
@@ -472,21 +478,14 @@ boolean shouldUseS2A() {
   }
 
   @VisibleForTesting
-  ChannelCredentials createMtlsToS2AChannelCredentials() throws IOException {
-    if (!isOnComputeEngine()) {
-      // Currently, MTLS to MDS is only available on GCE. See:
-      // https://cloud.google.com/compute/docs/metadata/overview#https-mds
-      return null;
-    }
-    File privateKeyFile = new File(MTLS_MDS_CERT_CHAIN_AND_KEY);
-    File certChainFile = new File(MTLS_MDS_CERT_CHAIN_AND_KEY);
-    File trustBundleFile = new File(MTLS_MDS_ROOT);
-    if (!privateKeyFile.isFile() || !certChainFile.isFile() || !trustBundleFile.isFile()) {
+  ChannelCredentials createMtlsToS2AChannelCredentials(
+      InputStream trustBundle, InputStream privateKey, InputStream certChain) throws IOException {
+    if (trustBundle == null || privateKey == null || certChain == null) {
       return null;
     }
     return TlsChannelCredentials.newBuilder()
-        .keyManager(privateKeyFile, certChainFile)
-        .trustManager(trustBundleFile)
+        .keyManager(privateKey, certChain)
+        .trustManager(trustBundle)
         .build();
   }
 
@@ -496,14 +495,29 @@ ChannelCredentials createS2ASecuredChannelCredentials() {
     String plaintextAddress = s2aUtils.getPlaintextS2AAddress();
     String mtlsAddress = s2aUtils.getMtlsS2AAddress();
     if (!mtlsAddress.isEmpty()) {
+      // Currently, MTLS to MDS is only available on GCE. See:
+      // https://cloud.google.com/compute/docs/metadata/overview#https-mds
+      // Try to load MTLS-MDS creds.
+      InputStream trustBundle = null;
+      InputStream privateKey = null;
+      InputStream certChain = null;
+      try {
+        trustBundle = new FileInputStream(MTLS_MDS_ROOT);
+        privateKey = new FileInputStream(MTLS_MDS_CERT_CHAIN_AND_KEY);
+        certChain = new FileInputStream(MTLS_MDS_CERT_CHAIN_AND_KEY);
+      } catch (FileNotFoundException ignore) {
+        // Fallback to plaintext-to-S2A connection.
+      }
+      ChannelCredentials mtlsToS2AChannelCredentials = null;
       try {
         // Try to connect to S2A using mTLS.
-        ChannelCredentials mtlsToS2AChannelCredentials = createMtlsToS2AChannelCredentials();
-        if (mtlsToS2AChannelCredentials != null) {
-          return S2AChannelCredentials.newBuilder(mtlsAddress, mtlsToS2AChannelCredentials).build();
-        }
+        mtlsToS2AChannelCredentials =
+            createMtlsToS2AChannelCredentials(trustBundle, privateKey, certChain);
       } catch (IOException ignore) {
-        // Fallback to plaintext connection to S2A.
+        // Fallback to plaintext-to-S2A connection.
+      }
+      if (mtlsToS2AChannelCredentials != null) {
+        return S2AChannelCredentials.newBuilder(mtlsAddress, mtlsToS2AChannelCredentials).build();
       }
     }
 

gax-java/gax-grpc/src/test/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProviderTest.java

@@ -56,8 +56,10 @@
 import com.google.common.truth.Truth;
 import io.grpc.ManagedChannel;
 import io.grpc.ManagedChannelBuilder;
+import io.grpc.TlsChannelCredentials;
 import io.grpc.alts.ComputeEngineChannelBuilder;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.time.Duration;
 import java.util.ArrayList;
@@ -83,6 +85,7 @@
 
 class InstantiatingGrpcChannelProviderTest extends AbstractMtlsTransportChannelTest {
   private static final String DEFAULT_ENDPOINT = "test.googleapis.com:443";
+  private static final String DEFAULT_MTLS_ENDPOINT = "test.mtls.googleapis.com:443";
   private static final String API_KEY_HEADER_VALUE = "fake_api_key_2";
   private static final String API_KEY_AUTH_HEADER_KEY = "x-goog-api-key";
   private static String originalOSName;
@@ -129,6 +132,35 @@ void testEndpointBadPort() {
         () -> InstantiatingGrpcChannelProvider.newBuilder().setEndpoint("localhost:abcd"));
   }
 
+  @Test
+  void testMtlsEndpoint() {
+    InstantiatingGrpcChannelProvider.Builder builder =
+        InstantiatingGrpcChannelProvider.newBuilder();
+    builder.setMtlsEndpoint(DEFAULT_MTLS_ENDPOINT);
+    assertEquals(builder.getMtlsEndpoint(), DEFAULT_MTLS_ENDPOINT);
+
+    InstantiatingGrpcChannelProvider provider = builder.build();
+    assertEquals(provider.getMtlsEndpoint(), DEFAULT_MTLS_ENDPOINT);
+  }
+
+  @Test
+  void testMtlsEndpointNoPort() {
+    assertThrows(
+        IllegalArgumentException.class,
+        () ->
+            InstantiatingGrpcChannelProvider.newBuilder()
+                .setMtlsEndpoint("test.mtls.googleapis.com"));
+  }
+
+  @Test
+  void testMtlsEndpointBadPort() {
+    assertThrows(
+        IllegalArgumentException.class,
+        () ->
+            InstantiatingGrpcChannelProvider.newBuilder()
+                .setEndpoint("test.mtls.googleapis.com:abcd"));
+  }
+
   @Test
   void testKeepAlive() {
     final long millis = 15;
@@ -230,6 +262,7 @@ void testToBuilder() {
         InstantiatingGrpcChannelProvider.newBuilder()
             .setProcessorCount(2)
             .setEndpoint("fake.endpoint:443")
+            .setMtlsEndpoint("fake.endpoint:443")
             .setMaxInboundMessageSize(12345678)
             .setMaxInboundMetadataSize(4096)
             .setKeepAliveTimeDuration(keepaliveTime)
@@ -243,6 +276,7 @@ void testToBuilder() {
     InstantiatingGrpcChannelProvider.Builder builder = provider.toBuilder();
 
     assertThat(builder.getEndpoint()).isEqualTo("fake.endpoint:443");
+    assertThat(builder.getMtlsEndpoint()).isEqualTo("fake.endpoint:443");
     assertThat(builder.getMaxInboundMessageSize()).isEqualTo(12345678);
     assertThat(builder.getMaxInboundMetadataSize()).isEqualTo(4096);
     assertThat(builder.getKeepAliveTimeDuration()).isEqualTo(keepaliveTime);
@@ -980,6 +1014,142 @@ private FixedHeaderProvider getHeaderProviderWithApiKeyHeader() {
     return FixedHeaderProvider.create(header);
   }
 
+  @Test
+  void isGoogleS2AEnabled_envVarNotSet_returnsFalse() {
+    EnvironmentProvider envProvider = Mockito.mock(EnvironmentProvider.class);
+    Mockito.when(envProvider.getenv(InstantiatingGrpcChannelProvider.S2A_ENV_ENABLE_USE_S2A))
+        .thenReturn("false");
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+    Truth.assertThat(provider.isGoogleS2AEnabled()).isFalse();
+  }
+
+  @Test
+  void isGoogleS2AEnabled_envVarNotSet_returnsTrue() {
+    EnvironmentProvider envProvider = Mockito.mock(EnvironmentProvider.class);
+    Mockito.when(envProvider.getenv(InstantiatingGrpcChannelProvider.S2A_ENV_ENABLE_USE_S2A))
+        .thenReturn("true");
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+    Truth.assertThat(provider.isGoogleS2AEnabled()).isFalse();
+  }
+
+  @Test
+  void shouldUseS2A_envVarNotSet_returnsFalse() {
+    EnvironmentProvider envProvider = Mockito.mock(EnvironmentProvider.class);
+    Mockito.when(envProvider.getenv(InstantiatingGrpcChannelProvider.S2A_ENV_ENABLE_USE_S2A))
+        .thenReturn("false");
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setEndpoint(DEFAULT_MTLS_ENDPOINT)
+            .setMtlsEndpoint(DEFAULT_MTLS_ENDPOINT)
+            .setEnvProvider(envProvider)
+            .build();
+    Truth.assertThat(provider.shouldUseS2A()).isFalse();
+  }
+
+  @Test
+  void shouldUseS2A_mtlsEndpointNotSet_returnsFalse() {
+    EnvironmentProvider envProvider = Mockito.mock(EnvironmentProvider.class);
+    Mockito.when(envProvider.getenv(InstantiatingGrpcChannelProvider.S2A_ENV_ENABLE_USE_S2A))
+        .thenReturn("true");
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setEndpoint(DEFAULT_ENDPOINT)
+            .setEnvProvider(envProvider)
+            .build();
+    Truth.assertThat(provider.shouldUseS2A()).isFalse();
+  }
+
+  @Test
+  void shouldUseS2A_endpointOverrideIsSet_returnsFalse() {
+    EnvironmentProvider envProvider = Mockito.mock(EnvironmentProvider.class);
+    Mockito.when(envProvider.getenv(InstantiatingGrpcChannelProvider.S2A_ENV_ENABLE_USE_S2A))
+        .thenReturn("true");
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setEndpoint(DEFAULT_ENDPOINT)
+            .setMtlsEndpoint(DEFAULT_MTLS_ENDPOINT)
+            .setEnvProvider(envProvider)
+            .build();
+    Truth.assertThat(provider.shouldUseS2A()).isFalse();
+  }
+
+  @Test
+  void shouldUseS2A_nonGDUUniverse_returnsFalse() {
+    EnvironmentProvider envProvider = Mockito.mock(EnvironmentProvider.class);
+    Mockito.when(envProvider.getenv(InstantiatingGrpcChannelProvider.S2A_ENV_ENABLE_USE_S2A))
+        .thenReturn("true");
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setEndpoint("test.mtls.abcd.com:443")
+            .setMtlsEndpoint("test.mtls.abcd.com:443")
+            .setEnvProvider(envProvider)
+            .build();
+    Truth.assertThat(provider.shouldUseS2A()).isFalse();
+  }
+
+  @Test
+  void shouldUseS2A_returnsTrue() {
+    EnvironmentProvider envProvider = Mockito.mock(EnvironmentProvider.class);
+    Mockito.when(envProvider.getenv(InstantiatingGrpcChannelProvider.S2A_ENV_ENABLE_USE_S2A))
+        .thenReturn("true");
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder()
+            .setEndpoint(DEFAULT_MTLS_ENDPOINT)
+            .setMtlsEndpoint(DEFAULT_MTLS_ENDPOINT)
+            .setEnvProvider(envProvider)
+            .build();
+    Truth.assertThat(provider.shouldUseS2A()).isTrue();
+  }
+
+  @Test
+  void createMtlsToS2AChannelCredentials_missingAllFiles_throws() throws IOException {
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+    assertThat(provider.createMtlsToS2AChannelCredentials(null, null, null)).isNull();
+  }
+
+  @Test
+  void createMtlsToS2AChannelCredentials_missingRootFile_throws() throws IOException {
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+    InputStream privateKey = this.getClass().getClassLoader().getResourceAsStream("client_key.pem");
+    InputStream certChain = this.getClass().getClassLoader().getResourceAsStream("client_cert.pem");
+    assertThat(provider.createMtlsToS2AChannelCredentials(null, privateKey, certChain)).isNull();
+  }
+
+  @Test
+  void createMtlsToS2AChannelCredentials_missingKeyFile_throws() throws IOException {
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+    InputStream trustBundle = this.getClass().getClassLoader().getResourceAsStream("root_cert.pem");
+    InputStream certChain = this.getClass().getClassLoader().getResourceAsStream("client_cert.pem");
+    assertThat(provider.createMtlsToS2AChannelCredentials(trustBundle, null, certChain)).isNull();
+  }
+
+  @Test
+  void createMtlsToS2AChannelCredentials_missingCertChainFile_throws() throws IOException {
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+    InputStream trustBundle = this.getClass().getClassLoader().getResourceAsStream("root_cert.pem");
+    InputStream privateKey = this.getClass().getClassLoader().getResourceAsStream("client_key.pem");
+    assertThat(provider.createMtlsToS2AChannelCredentials(trustBundle, privateKey, null)).isNull();
+  }
+
+  @Test
+  void createMtlsToS2AChannelCredentials_success() throws IOException {
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+    InputStream trustBundle = this.getClass().getClassLoader().getResourceAsStream("root_cert.pem");
+    InputStream privateKey = this.getClass().getClassLoader().getResourceAsStream("client_key.pem");
+    InputStream certChain = this.getClass().getClassLoader().getResourceAsStream("client_cert.pem");
+    assertThat(trustBundle).isNotNull();
+    assertEquals(
+        provider.createMtlsToS2AChannelCredentials(trustBundle, privateKey, certChain).getClass(),
+        TlsChannelCredentials.class);
+  }
+
   private static class FakeLogHandler extends Handler {
 
     List<LogRecord> records = new ArrayList<>();

gax-java/gax-grpc/src/test/resources/README.md

@@ -0,0 +1,27 @@
+# Generating certificates and keys for testing mTLS-S2A
+
+Create root CA
+
+```
+openssl req -x509 -sha256 -days 7305 -newkey rsa:2048 -keyout root_key.pem -out
+root_cert.pem
+```
+
+Generate private key
+
+```
+openssl genrsa -out client_key.pem 2048
+```
+
+Generate CSR (set Common Name to localhost, leave all
+other fields blank)
+
+```
+openssl req -key client_key.pem -new -out client.csr -config config.cnf
+```
+
+Sign CSR for client
+
+```
+openssl x509 -req -CA root_cert.pem -CAkey root_key.pem -in client.csr -out client_cert.pem -days 7305
+```

gax-java/gax-grpc/src/test/resources/client_cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPTCCAiWgAwIBAgIUaarddwSWeE4jDC9kwxEr446ehqUwDQYJKoZIhvcNAQEL
+BQAwWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4X
+DTI0MTAwMTIxNTk1NFoXDTQ0MTAwMTIxNTk1NFowFDESMBAGA1UEAwwJbG9jYWxo
+b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxlNsldt7yAU4KRuS
+2D2/FjNIE1US5olBm4HteTr++41WaELZJqNLRPPp052jEQU3aKSYNGZvUUO6buu7
+eFpz2SBNUVMyvmzzocjVAyyf4NQvDazYHWOb+/YCeUppTRWriz4V5sn47qJTQ8cd
+CGrTFeLHxUjx4nh/OiqVXP/KnF3EqPEuqph0ky7+GirnJgPRe+C5ERuGkJye8dmP
+yWGA2lSS6MeDe7JZTAMi08bAn7BuNpeBkOzz1msGGI9PnUanUs7GOPWTDdcQAVY8
+KMvHCuGaNMGpb4rOR2mm8LlbAbpTPz8Pkw4QtMCLkgsrz2CzXpVwnLsU7nDXJAIO
+B155lQIDAQABo0IwQDAdBgNVHQ4EFgQUSZEyIHLzkIw7AwkBaUjYfIrGVR4wHwYD
+VR0jBBgwFoAUcq3dtxAVA410YWyM0B4e+4umbiwwDQYJKoZIhvcNAQELBQADggEB
+AAz0bZ4ayrZLhA45xn0yvdpdqiCtiWikCRtxgE7VXHg/ziZJVMpBpAhbIGO5tIyd
+lttnRXHwz5DUwKiba4/bCEFe229BshQEql5qaqcbGbFfSly11WeqqnwR1N7c8Gpv
+pD9sVrx22seN0rTUk87MY/S7mzCxHqAx35zm/LTW3pWcgCTMKFHy4Gt4mpTnXkNA
+WkhP2OhW5RLiu6Whi0BEdb2TGG1+ctamgijKXb+gJeef5ehlHXG8eU862KF5UlEA
+NeQKBm/PpQxOMe0NdpatjN8QRoczku0Itiodng+OZ1o+2iSNG988uFRb3CUSnjtE
+R/HL6ULAFzo59EpIYxruU/w=
+-----END CERTIFICATE-----

gax-java/gax-grpc/src/test/resources/client_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGU2yV23vIBTgp
+G5LYPb8WM0gTVRLmiUGbge15Ov77jVZoQtkmo0tE8+nTnaMRBTdopJg0Zm9RQ7pu
+67t4WnPZIE1RUzK+bPOhyNUDLJ/g1C8NrNgdY5v79gJ5SmlNFauLPhXmyfjuolND
+xx0IatMV4sfFSPHieH86KpVc/8qcXcSo8S6qmHSTLv4aKucmA9F74LkRG4aQnJ7x
+2Y/JYYDaVJLox4N7sllMAyLTxsCfsG42l4GQ7PPWawYYj0+dRqdSzsY49ZMN1xAB
+Vjwoy8cK4Zo0walvis5HaabwuVsBulM/Pw+TDhC0wIuSCyvPYLNelXCcuxTucNck
+Ag4HXnmVAgMBAAECggEAKuW9jXaBgiS63o1jyFkmvWcPNntG0M2sfrXuRzQfFgse
+vwOCk8xrSflWQNsOe+58ayp6746ekl3LdBWSIbiy6SqG/sm3pp/LXNmjVYHv/QH4
+QYV643R5t1ihdVnGiBFhXwdpVleme/tpdjYZzgnJKak5W69o/nrgzhSK5ShAy2xM
+j0XXbgdqG+4JxPb5BZmjHHfXAXUfgSORMdfArkbgFBRc9wL/6JVTXjeAMy5WX9qe
+5UQsSOYkwc9P2snifC/jdIhjHQOkkx59O0FgukJEFZPoagVG1duWQbnNDr7QVHCJ
+jV6dg9tIT4SXD3uPSPbgNGlRUseIakCzrhHARJuA2wKBgQD/h8zoh0KaqKyViCYw
+XKOFpm1pAFnp2GiDOblxNubNFAXEWnC+FlkvO/z1s0zVuYELUqfxcYMSXJFEVelK
+rfjZtoC5oxqWGqLo9iCj7pa8t+ipulYcLt2SWc7eZPD4T4lzeEf1Qz77aKcz34sa
+dv9lzQkDvhR/Mv1VeEGFHiq2VwKBgQDGsLcTGH5Yxs//LRSY8TigBkQEDrH5NvXu
+2jtAzZhy1Yhsoa5eiZkhnnzM6+n05ovfZLcy6s7dnwP1Y+C79vs+DKMBsodtDG5z
+YpsB0VrXYa6P6pCqkcz0Bz9xdo5sOhAK3AKnX6jd29XBDdeYsw/lxHLG24wProTD
+cCYFqtaj8wKBgQCaqKT68DL9zK14a8lBaDCIyexaqx3AjXzkP+Hfhi03XrEG4P5v
+7rLYBeTbCUSt7vMN2V9QoTWFvYUm6SCkVJvTmcRblz6WL1T+z0l+LwAJBP7LC77m
+m+77j2PH8yxt/iXhP6G97o+GNxdMLDbTM8bs5KZaH4fkXQY73uc5HMMZTQKBgEZS
+7blYhf+t/ph2wD+RwVUCYrh86wkmJs2veCFro3WhlnO8lhbn5Mc9bTaqmVgQ8ZjT
+8POYoDdYvPHxs+1TcYF4v4kuQziZmc5FLE/sZZauADb38tQsXrpQhmgGakpsEpmF
+XXsYJJDB6lo2KATn+8x7R5SSyHQUdPEnlI2U9ft5AoGBAJw0NJiM1EzRS8xq0DmO
+AvQaPjo01o2hH6wghws8gDQwrj0eHraHgVi7zo0VkaHJbO7ahKPudset3N7owJhA
+CUAPPRtv5wn0amAyNz77f1dz4Gys3AkcchflqhbEaQpzKYx4kX0adclur4WJ/DVm
+P7DI977SHCVB4FVMbXMEkBjN
+-----END PRIVATE KEY-----