Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.
Class ProtocolNegotiatorsTest, method clientTlsHandler_firesNegotiation.
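/**
 * Runs a complete client/server TLS handshake over Netty local channels and checks that the
 * client-side {@link ClientTlsProtocolNegotiator} fires its negotiation event carrying the
 * expected security attributes (security level, SSL session, remote address).
 *
 * <p>The self-signed certificate serves as the server identity and as the client's only trust
 * anchor, so no external PKI is involved. The channels, the negotiator and the certificate's
 * temporary files are released in {@code finally} blocks so that a failing assertion does not
 * leak them into later tests.
 */
@Test
public void clientTlsHandler_firesNegotiation() throws Exception {
  SelfSignedCertificate cert = new SelfSignedCertificate("authority");
  try {
    SslContext clientSslContext = GrpcSslContexts.configure(
        SslContextBuilder.forClient().trustManager(cert.cert())).build();
    SslContext serverSslContext = GrpcSslContexts.configure(
        SslContextBuilder.forServer(cert.key(), cert.cert())).build();

    FakeGrpcHttp2ConnectionHandler gh = FakeGrpcHttp2ConnectionHandler.newHandler();
    ClientTlsProtocolNegotiator pn = new ClientTlsProtocolNegotiator(clientSslContext, null);
    WriteBufferingAndExceptionHandler clientWbaeh =
        new WriteBufferingAndExceptionHandler(pn.newHandler(gh));

    SocketAddress addr = new LocalAddress("addr");
    ChannelHandler sh = ProtocolNegotiators.serverTls(serverSslContext)
        .newHandler(FakeGrpcHttp2ConnectionHandler.noopHandler());
    WriteBufferingAndExceptionHandler serverWbaeh = new WriteBufferingAndExceptionHandler(sh);

    Channel s = new ServerBootstrap()
        .childHandler(serverWbaeh)
        .group(group)
        .channel(LocalServerChannel.class)
        .bind(addr)
        .sync()
        .channel();
    Channel c = new Bootstrap()
        .handler(clientWbaeh)
        .channel(LocalChannel.class)
        .group(group)
        .register()
        .sync()
        .channel();
    try {
      // The write is issued before connect so it is buffered behind the handshake; its future
      // can only complete once negotiation has finished.
      ChannelFuture write = c.writeAndFlush(NettyClientHandler.NOOP_MESSAGE);
      c.connect(addr).sync();
      write.sync();

      boolean completed = gh.negotiated.await(TIMEOUT_SECONDS, TimeUnit.SECONDS);
      if (!completed) {
        assertTrue("failed to negotiate", write.await(TIMEOUT_SECONDS, TimeUnit.SECONDS));
        // sync() rethrows the write failure, which is the most useful diagnostic here.
        write.sync();
        throw new AssertionError("neither wrote nor negotiated");
      }
    } finally {
      c.close();
      s.close();
      pn.close();
    }

    assertThat(gh.securityInfo).isNotNull();
    assertThat(gh.securityInfo.tls).isNotNull();
    assertThat(gh.attrs.get(GrpcAttributes.ATTR_SECURITY_LEVEL))
        .isEqualTo(SecurityLevel.PRIVACY_AND_INTEGRITY);
    assertThat(gh.attrs.get(Grpc.TRANSPORT_ATTR_SSL_SESSION)).isInstanceOf(SSLSession.class);
    // Not part of the ClientTls negotiation itself, but shows that the negotiation event fires
    // in the right order relative to the transport attributes being populated.
    assertThat(gh.attrs.get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR)).isEqualTo(addr);
  } finally {
    // SelfSignedCertificate writes the key and certificate to temporary files.
    cert.delete();
  }
}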
Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.
Class NettyClientTransportTest, method tlsNegotiationServerExecutorShouldSucceed.
/**
 * Verifies that a TLS server negotiator and a TLS client negotiator can be built with explicit
 * executor pools, that each pool is checked out while its negotiator is alive, and that closing
 * the negotiators hands the executors back to their pools (no resource leak).
 */
@Test
public void tlsNegotiationServerExecutorShouldSucceed() throws Exception {
  // Both pools start idle; the negotiators are expected to claim them on creation.
  TrackingObjectPoolForTest serverExecutorPool = new TrackingObjectPoolForTest();
  TrackingObjectPoolForTest clientExecutorPool = new TrackingObjectPoolForTest();
  assertEquals(false, serverExecutorPool.isInUse());
  assertEquals(false, clientExecutorPool.isInUse());

  // Server side: server1 identity, no client certificate requested.
  File serverCert = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  SslContext serverContext = GrpcSslContexts.forServer(serverCert, serverKey)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .clientAuth(ClientAuth.NONE)
      .build();
  this.negotiator = ProtocolNegotiators.serverTls(serverContext, serverExecutorPool);
  startServer();
  // Starting the server checks the executor out of the server pool.
  assertEquals(true, serverExecutorPool.isInUse());

  // Client side: trusts ca.pem and presents the client certificate.
  File caCert = TestUtils.loadCert("ca.pem");
  File clientCert = TestUtils.loadCert("client.pem");
  File clientKey = TestUtils.loadCert("client.key");
  SslContext clientContext = GrpcSslContexts.forClient()
      .trustManager(caCert)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .keyManager(clientCert, clientKey)
      .build();
  // Named distinctly so it does not shadow the server-side negotiator field.
  ProtocolNegotiator clientNegotiator =
      ProtocolNegotiators.tls(clientContext, clientExecutorPool);
  // Creating the client negotiator checks the executor out of the client pool.
  assertEquals(true, clientExecutorPool.isInUse());

  final NettyClientTransport transport = newTransport(clientNegotiator);
  callMeMaybe(transport.start(clientTransportListener));
  Rpc rpc = new Rpc(transport).halfClose();
  rpc.waitForResponse();

  // Closing each negotiator must return its executor to the corresponding pool.
  clientNegotiator.close();
  assertEquals(false, clientExecutorPool.isInUse());
  this.negotiator.close();
  assertEquals(false, serverExecutorPool.isInUse());
}
Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.
Class NettyClientTransportTest, method tlsNegotiationFailurePropagatesToStatus.
/**
 * A TLS handshake that fails must surface to the RPC as an {@code UNAVAILABLE} status whose
 * cause chain contains the underlying SSL failure, rather than hanging or being swallowed.
 * The failure is provoked by requiring client auth on a server that does not trust ca.pem.
 */
@Test
public void tlsNegotiationFailurePropagatesToStatus() throws Exception {
  // The server demands a client certificate but has no trust anchor for the client's CA,
  // so client authentication cannot succeed.
  File serverCert = TestUtils.loadCert("server1.pem");
  File serverKey = TestUtils.loadCert("server1.key");
  SslContext serverContext = GrpcSslContexts.forServer(serverCert, serverKey)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .clientAuth(ClientAuth.REQUIRE)
      .build();
  negotiator = ProtocolNegotiators.serverTls(serverContext);
  startServer();

  File caCert = TestUtils.loadCert("ca.pem");
  File clientCert = TestUtils.loadCert("client.pem");
  File clientKey = TestUtils.loadCert("client.key");
  SslContext clientContext = GrpcSslContexts.forClient()
      .trustManager(caCert)
      .ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
      .keyManager(clientCert, clientKey)
      .build();
  ProtocolNegotiator clientNegotiator = ProtocolNegotiators.tls(clientContext);

  final NettyClientTransport transport = newTransport(clientNegotiator);
  callMeMaybe(transport.start(clientTransportListener));
  Rpc rpc = new Rpc(transport).halfClose();
  try {
    rpc.waitForClose();
    fail("expected exception");
  } catch (ExecutionException ex) {
    StatusException statusEx = (StatusException) ex.getCause();
    assertEquals(Status.Code.UNAVAILABLE, statusEx.getStatus().getCode());
    Throwable tlsFailure = statusEx.getCause();
    if (!(tlsFailure instanceof SSLHandshakeException)) {
      // Client cert verification happens after the handshake in TLSv1.3, so the SSL failure
      // sits one level deeper in the cause chain.
      assertThat(statusEx).hasCauseThat().hasCauseThat().isInstanceOf(SSLException.class);
      assertThat(statusEx).hasCauseThat().hasMessageThat().contains("CERTIFICATE_REQUIRED");
    } else {
      // Failure reported during the handshake itself.
      assertThat(statusEx).hasCauseThat().isInstanceOf(SSLHandshakeException.class);
      assertThat(statusEx).hasCauseThat().hasMessageThat()
          .contains("SSLV3_ALERT_HANDSHAKE_FAILURE");
    }
  }
}
Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.
Class NettyServerBuilderTest, method failIfSslContextIsNotServer.
/**
 * A client-mode {@link SslContext} must be rejected by the server builder's
 * {@code sslContext(...)} with an {@link IllegalArgumentException}.
 */
@Test
public void failIfSslContextIsNotServer() {
  // Only isClient() matters for this check; the mock reports a client-mode context.
  SslContext clientModeContext = mock(SslContext.class);
  when(clientModeContext.isClient()).thenReturn(true);

  thrown.expect(IllegalArgumentException.class);
  thrown.expectMessage("Client SSL context can not be used for server");
  builder.sslContext(clientModeContext);
}
Use of io.netty.handler.ssl.SslContext in project grpc-java by grpc.
Class NettyChannelBuilderTest, method createProtocolNegotiatorByType_tlsWithExecutor.
/**
 * Building a TLS negotiator via {@code createProtocolNegotiatorByType} with an explicit executor
 * pool must check the executor out while the negotiator lives and return it on close.
 */
@Test
public void createProtocolNegotiatorByType_tlsWithExecutor() throws Exception {
  TrackingObjectPoolForTest executorPool = new TrackingObjectPoolForTest();
  // The pool is idle until a negotiator claims it.
  assertEquals(false, executorPool.isInUse());

  SslContext clientContext = GrpcSslContexts.forClient().build();
  ProtocolNegotiator tlsNegotiator = NettyChannelBuilder.createProtocolNegotiatorByType(
      NegotiationType.TLS, clientContext, executorPool);
  // Creation claims the executor and yields a usable negotiator.
  assertEquals(true, executorPool.isInUse());
  assertNotNull(tlsNegotiator);

  // Closing hands the executor back to the pool.
  tlsNegotiator.close();
  assertEquals(false, executorPool.isInUse());
}