Example 81 with SslContext

Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.

From class ProtocolNegotiatorsTest, method clientTlsHandler_firesNegotiation:

@Test
public void clientTlsHandler_firesNegotiation() throws Exception {
    // Self-signed certificate for host "authority". The client trusts exactly this
    // certificate, so the handshake succeeds without any CA being involved.
    SelfSignedCertificate cert = new SelfSignedCertificate("authority");
    SslContext clientSslContext = GrpcSslContexts.configure(
        SslContextBuilder.forClient().trustManager(cert.cert())).build();
    SslContext serverSslContext = GrpcSslContexts.configure(
        SslContextBuilder.forServer(cert.key(), cert.cert())).build();
    FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
    ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext, null);
    WriteBufferingAndExceptionHandler clientWbaeh =
        new WriteBufferingAndExceptionHandler(pn.newHandler(gh));
    SocketAddress addr = new LocalAddress("addr");
    ChannelHandler sh = ProtocolNegotiators.serverTls(serverSslContext)
        .newHandler(FakeGrpcHttp2ConnectionHandler.noopHandler());
    WriteBufferingAndExceptionHandler serverWbaeh = new WriteBufferingAndExceptionHandler(sh);
    // In-process server and client over Netty's LocalChannel; no network socket is opened.
    Channel s = new ServerBootstrap().childHandler(serverWbaeh).group(group)
        .channel(LocalServerChannel.class).bind(addr).sync().channel();
    Channel c = new Bootstrap().handler(clientWbaeh).channel(LocalChannel.class)
        .group(group).register().sync().channel();
    // The write is issued before connect, so it must be buffered until TLS negotiation completes.
    ChannelFuture write = c.writeAndFlush(NettyClientHandler.NOOP_MESSAGE);
    c.connect(addr).sync();
    write.sync();
    boolean completed = gh.negotiated.await(TIMEOUT_SECONDS, TimeUnit.SECONDS);
    if (!completed) {
        assertTrue("failed to negotiate", write.await(TIMEOUT_SECONDS, TimeUnit.SECONDS));
        // sync should fail if we are in this block.
        write.sync();
        throw new AssertionError("neither wrote nor negotiated");
    }
    c.close();
    s.close();
    pn.close();
    // After negotiation the handler must see TLS security info, the PRIVACY_AND_INTEGRITY
    // security level, and the negotiated SSLSession.
    assertThat(gh.securityInfo).isNotNull();
    assertThat(gh.securityInfo.tls).isNotNull();
    assertThat(gh.attrs.get(GrpcAttributes.ATTR_SECURITY_LEVEL)).isEqualTo(SecurityLevel.PRIVACY_AND_INTEGRITY);
    assertThat(gh.attrs.get(Grpc.TRANSPORT_ATTR_SSL_SESSION)).isInstanceOf(SSLSession.class);
    // This is not part of the ClientTls negotiation, but shows that the negotiation event happens
    // in the right order.
    assertThat(gh.attrs.get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR)).isEqualTo(addr);
}
Also used : ChannelFuture(io.netty.channel.ChannelFuture) ClientTlsProtocolNegotiator(io.grpc.netty.ProtocolNegotiators.ClientTlsProtocolNegotiator) SelfSignedCertificate(io.netty.handler.ssl.util.SelfSignedCertificate) LocalAddress(io.netty.channel.local.LocalAddress) LocalServerChannel(io.netty.channel.local.LocalServerChannel) Channel(io.netty.channel.Channel) LocalChannel(io.netty.channel.local.LocalChannel) EmbeddedChannel(io.netty.channel.embedded.EmbeddedChannel) ChannelHandler(io.netty.channel.ChannelHandler) ServerBootstrap(io.netty.bootstrap.ServerBootstrap) Bootstrap(io.netty.bootstrap.Bootstrap) SocketAddress(java.net.SocketAddress) InetSocketAddress(java.net.InetSocketAddress) SslContext(io.netty.handler.ssl.SslContext) Test(org.junit.Test)

Example 82 with SslContext

Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.

From class NettyClientTransportTest, method tlsNegotiationServerExecutorShouldSucceed:

/**
 * Verifies that we can successfully build a server and client negotiator with TLS and the
 * executor passed in, and without a resource leak after closing the negotiator.
 */
@Test
public void tlsNegotiationServerExecutorShouldSucceed() throws Exception {
    // initialize the client and server Executor pool
    TrackingObjectPoolForTest serverExecutorPool = new TrackingObjectPoolForTest();
    TrackingObjectPoolForTest clientExecutorPool = new TrackingObjectPoolForTest();
    assertEquals(false, serverExecutorPool.isInUse());
    assertEquals(false, clientExecutorPool.isInUse());
    File serverCert = TestUtils.loadCert("server1.pem");
    File serverKey = TestUtils.loadCert("server1.key");
    // Server context: restricted to the test cipher suites; no client certificate is requested.
    SslContext sslContext = GrpcSslContexts.forServer(serverCert, serverKey)
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
        .clientAuth(ClientAuth.NONE)
        .build();
    negotiator = ProtocolNegotiators.serverTls(sslContext, serverExecutorPool);
    startServer();
    // after starting the server, the Executor in the server pool should be used
    assertEquals(true, serverExecutorPool.isInUse());
    File caCert = TestUtils.loadCert("ca.pem");
    File clientCert = TestUtils.loadCert("client.pem");
    File clientKey = TestUtils.loadCert("client.key");
    // Client context: trusts the test CA and presents a client certificate (unused here, since
    // the server asks for none).
    SslContext clientContext = GrpcSslContexts.forClient()
        .trustManager(caCert)
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
        .keyManager(clientCert, clientKey)
        .build();
    ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext, clientExecutorPool);
    // after starting the client, the Executor in the client pool should be used
    assertEquals(true, clientExecutorPool.isInUse());
    final NettyClientTransport transport = newTransport(negotiator);
    callMeMaybe(transport.start(clientTransportListener));
    Rpc rpc = new Rpc(transport).halfClose();
    rpc.waitForResponse();
    // closing the negotiators should return the executors back to the pool and release the resource
    negotiator.close();
    assertEquals(false, clientExecutorPool.isInUse());
    this.negotiator.close();
    assertEquals(false, serverExecutorPool.isInUse());
}
Also used : TrackingObjectPoolForTest(io.grpc.netty.NettyTestUtil.TrackingObjectPoolForTest) File(java.io.File) SslContext(io.netty.handler.ssl.SslContext) Test(org.junit.Test)

Example 83 with SslContext

Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.

From class NettyClientTransportTest, method tlsNegotiationFailurePropagatesToStatus:

@Test
public void tlsNegotiationFailurePropagatesToStatus() throws Exception {
    File serverCert = TestUtils.loadCert("server1.pem");
    File serverKey = TestUtils.loadCert("server1.key");
    // Don't trust ca.pem, so that client auth fails
    // The server requires a client certificate but has no trust manager configured for the
    // CA that issued client.pem, so the mutual-TLS handshake must be rejected.
    SslContext sslContext = GrpcSslContexts.forServer(serverCert, serverKey)
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
        .clientAuth(ClientAuth.REQUIRE)
        .build();
    negotiator = ProtocolNegotiators.serverTls(sslContext);
    startServer();
    File caCert = TestUtils.loadCert("ca.pem");
    File clientCert = TestUtils.loadCert("client.pem");
    File clientKey = TestUtils.loadCert("client.key");
    SslContext clientContext = GrpcSslContexts.forClient()
        .trustManager(caCert)
        .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
        .keyManager(clientCert, clientKey)
        .build();
    ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext);
    final NettyClientTransport transport = newTransport(negotiator);
    callMeMaybe(transport.start(clientTransportListener));
    Rpc rpc = new Rpc(transport).halfClose();
    try {
        rpc.waitForClose();
        fail("expected exception");
    } catch (ExecutionException ex) {
        // The handshake failure must surface to the caller as a gRPC UNAVAILABLE status
        // whose cause chain still carries the underlying SSL exception.
        StatusException sre = (StatusException) ex.getCause();
        assertEquals(Status.Code.UNAVAILABLE, sre.getStatus().getCode());
        if (sre.getCause() instanceof SSLHandshakeException) {
            // TLSv1.2: the server rejects the client certificate during the handshake itself.
            assertThat(sre).hasCauseThat().isInstanceOf(SSLHandshakeException.class);
            assertThat(sre).hasCauseThat().hasMessageThat().contains("SSLV3_ALERT_HANDSHAKE_FAILURE");
        } else {
            // Client cert verification is after handshake in TLSv1.3
            assertThat(sre).hasCauseThat().hasCauseThat().isInstanceOf(SSLException.class);
            assertThat(sre).hasCauseThat().hasMessageThat().contains("CERTIFICATE_REQUIRED");
        }
    }
}
Also used : StatusException(io.grpc.StatusException) ExecutionException(java.util.concurrent.ExecutionException) File(java.io.File) SSLException(javax.net.ssl.SSLException) SSLHandshakeException(javax.net.ssl.SSLHandshakeException) SslContext(io.netty.handler.ssl.SslContext) TrackingObjectPoolForTest(io.grpc.netty.NettyTestUtil.TrackingObjectPoolForTest) Test(org.junit.Test)

Example 84 with SslContext

Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.

From class NettyServerBuilderTest, method failIfSslContextIsNotServer:

@Test
public void failIfSslContextIsNotServer() {
    // A context built for the client role must be rejected at builder time, before any
    // server is started with it.
    SslContext sslContext = mock(SslContext.class);
    when(sslContext.isClient()).thenReturn(true);
    thrown.expect(IllegalArgumentException.class);
    thrown.expectMessage("Client SSL context can not be used for server");
    builder.sslContext(sslContext);
}
Also used : SslContext(io.netty.handler.ssl.SslContext) Test(org.junit.Test)

Example 85 with SslContext

Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.

From class NettyChannelBuilderTest, method createProtocolNegotiatorByType_tlsWithExecutor:

@Test
public void createProtocolNegotiatorByType_tlsWithExecutor() throws Exception {
    TrackingObjectPoolForTest executorPool = new TrackingObjectPoolForTest();
    assertEquals(false, executorPool.isInUse());
    SslContext localSslContext = GrpcSslContexts.forClient().build();
    // Creating a TLS negotiator borrows an executor from the pool; closing the negotiator
    // must return it, otherwise the executor leaks.
    ProtocolNegotiator negotiator = NettyChannelBuilder.createProtocolNegotiatorByType(
        NegotiationType.TLS, localSslContext, executorPool);
    assertEquals(true, executorPool.isInUse());
    assertNotNull(negotiator);
    negotiator.close();
    assertEquals(false, executorPool.isInUse());
}
Also used : TrackingObjectPoolForTest(io.grpc.netty.NettyTestUtil.TrackingObjectPoolForTest) SslContext(io.netty.handler.ssl.SslContext) Test(org.junit.Test)
