Add ALTS code to grpc/core

5 files changed, 474 insertions, 0 deletions

diff --git a/test/core/security/BUILD b/test/core/security/BUILD
index 9776e6d5fd..68de2d169f 100644
--- a/test/core/security/BUILD
+++ b/test/core/security/BUILD
@@ -161,3 +161,39 @@ grpc_cc_binary(
         "//test/core/util:grpc_test_util",
     ],
 )
+
+grpc_cc_test(
+    name = "check_gcp_environment_linux_test",
+    srcs = ["check_gcp_environment_linux_test.cc"],
+    language = "C++",
+    deps = [
+        "//:grpc",
+    ],
+)
+
+grpc_cc_test(
+    name = "check_gcp_environment_windows_test",
+    srcs = ["check_gcp_environment_windows_test.cc"],
+    language = "C++",
+    deps = [
+        "//:grpc",
+    ],
+)
+
+grpc_cc_test(
+    name = "grpc_alts_credentials_options_test",
+    srcs = ["grpc_alts_credentials_options_test.cc"],
+    language = "C++",
+    deps = [
+        "//:grpc",
+    ],
+)
+
+grpc_cc_test(
+    name = "alts_security_connector_test",
+    srcs = ["alts_security_connector_test.cc"],
+    language = "C++",
+    deps = [
+        "//:grpc",
+    ],
+)
diff --git a/test/core/security/alts_security_connector_test.cc b/test/core/security/alts_security_connector_test.cc
new file mode 100644
index 0000000000..103a493526
--- /dev/null
+++ b/test/core/security/alts_security_connector_test.cc
@@ -0,0 +1,166 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <grpc/grpc.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/security/security_connector/alts_security_connector.h"
+#include "src/core/lib/transport/transport.h"
+#include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
+#include "src/core/tsi/transport_security.h"
+
+using grpc_core::internal::grpc_alts_auth_context_from_tsi_peer;
+
+/* This file contains unit tests of grpc_alts_auth_context_from_tsi_peer(). */
+static void test_invalid_input_failure() {
+  tsi_peer peer;
+  grpc_auth_context* ctx;
+  GPR_ASSERT(grpc_alts_auth_context_from_tsi_peer(nullptr, &ctx) ==
+             GRPC_SECURITY_ERROR);
+  GPR_ASSERT(grpc_alts_auth_context_from_tsi_peer(&peer, nullptr) ==
+             GRPC_SECURITY_ERROR);
+}
+
+static void test_empty_certificate_type_failure() {
+  tsi_peer peer;
+  grpc_auth_context* ctx = nullptr;
+  GPR_ASSERT(tsi_construct_peer(0, &peer) == TSI_OK);
+  GPR_ASSERT(grpc_alts_auth_context_from_tsi_peer(&peer, &ctx) ==
+             GRPC_SECURITY_ERROR);
+  GPR_ASSERT(ctx == nullptr);
+  tsi_peer_destruct(&peer);
+}
+
+static void test_empty_peer_property_failure() {
+  tsi_peer peer;
+  grpc_auth_context* ctx;
+  GPR_ASSERT(tsi_construct_peer(1, &peer) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 TSI_CERTIFICATE_TYPE_PEER_PROPERTY, TSI_ALTS_CERTIFICATE_TYPE,
+                 &peer.properties[0]) == TSI_OK);
+  GPR_ASSERT(grpc_alts_auth_context_from_tsi_peer(&peer, &ctx) ==
+             GRPC_SECURITY_ERROR);
+  GPR_ASSERT(ctx == nullptr);
+  tsi_peer_destruct(&peer);
+}
+
+static void test_missing_rpc_protocol_versions_property_failure() {
+  tsi_peer peer;
+  grpc_auth_context* ctx;
+  GPR_ASSERT(tsi_construct_peer(kTsiAltsNumOfPeerProperties, &peer) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 TSI_CERTIFICATE_TYPE_PEER_PROPERTY, TSI_ALTS_CERTIFICATE_TYPE,
+                 &peer.properties[0]) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY, "alice",
+                 &peer.properties[1]) == TSI_OK);
+  GPR_ASSERT(grpc_alts_auth_context_from_tsi_peer(&peer, &ctx) ==
+             GRPC_SECURITY_ERROR);
+  GPR_ASSERT(ctx == nullptr);
+  tsi_peer_destruct(&peer);
+}
+
+static void test_unknown_peer_property_failure() {
+  tsi_peer peer;
+  grpc_auth_context* ctx;
+  GPR_ASSERT(tsi_construct_peer(kTsiAltsNumOfPeerProperties, &peer) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 TSI_CERTIFICATE_TYPE_PEER_PROPERTY, TSI_ALTS_CERTIFICATE_TYPE,
+                 &peer.properties[0]) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 "unknown", "alice", &peer.properties[1]) == TSI_OK);
+  GPR_ASSERT(grpc_alts_auth_context_from_tsi_peer(&peer, &ctx) ==
+             GRPC_SECURITY_ERROR);
+  GPR_ASSERT(ctx == nullptr);
+  tsi_peer_destruct(&peer);
+}
+
+static bool test_identity(const grpc_auth_context* ctx,
+                          const char* expected_property_name,
+                          const char* expected_identity) {
+  grpc_auth_property_iterator it;
+  const grpc_auth_property* prop;
+  GPR_ASSERT(grpc_auth_context_peer_is_authenticated(ctx));
+  it = grpc_auth_context_peer_identity(ctx);
+  prop = grpc_auth_property_iterator_next(&it);
+  GPR_ASSERT(prop != nullptr);
+  if (strcmp(prop->name, expected_property_name) != 0) {
+    gpr_log(GPR_ERROR, "Expected peer identity property name %s and got %s.",
+            expected_property_name, prop->name);
+    return false;
+  }
+  if (strncmp(prop->value, expected_identity, prop->value_length) != 0) {
+    gpr_log(GPR_ERROR, "Expected peer identity %s and got got %s.",
+            expected_identity, prop->value);
+    return false;
+  }
+  return true;
+}
+
+static void test_alts_peer_to_auth_context_success() {
+  tsi_peer peer;
+  grpc_auth_context* ctx;
+  GPR_ASSERT(tsi_construct_peer(kTsiAltsNumOfPeerProperties, &peer) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 TSI_CERTIFICATE_TYPE_PEER_PROPERTY, TSI_ALTS_CERTIFICATE_TYPE,
+                 &peer.properties[0]) == TSI_OK);
+  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
+                 TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY, "alice",
+                 &peer.properties[1]) == TSI_OK);
+  grpc_gcp_rpc_protocol_versions peer_versions;
+  grpc_gcp_rpc_protocol_versions_set_max(&peer_versions,
+                                         GRPC_PROTOCOL_VERSION_MAX_MAJOR,
+                                         GRPC_PROTOCOL_VERSION_MAX_MINOR);
+  grpc_gcp_rpc_protocol_versions_set_min(&peer_versions,
+                                         GRPC_PROTOCOL_VERSION_MIN_MAJOR,
+                                         GRPC_PROTOCOL_VERSION_MIN_MINOR);
+  grpc_slice serialized_peer_versions;
+  GPR_ASSERT(grpc_gcp_rpc_protocol_versions_encode(&peer_versions,
+                                                   &serialized_peer_versions));
+
+  GPR_ASSERT(tsi_construct_string_peer_property(
+                 TSI_ALTS_RPC_VERSIONS,
+                 reinterpret_cast<char*>(
+                     GRPC_SLICE_START_PTR(serialized_peer_versions)),
+                 GRPC_SLICE_LENGTH(serialized_peer_versions),
+                 &peer.properties[2]) == TSI_OK);
+  GPR_ASSERT(grpc_alts_auth_context_from_tsi_peer(&peer, &ctx) ==
+             GRPC_SECURITY_OK);
+  GPR_ASSERT(
+      test_identity(ctx, TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY, "alice"));
+  GRPC_AUTH_CONTEXT_UNREF(ctx, "test");
+  grpc_slice_unref(serialized_peer_versions);
+  tsi_peer_destruct(&peer);
+}
+
+int main(int argc, char** argv) {
+  /* Test. */
+  test_invalid_input_failure();
+  test_empty_certificate_type_failure();
+  test_empty_peer_property_failure();
+  test_unknown_peer_property_failure();
+  test_missing_rpc_protocol_versions_property_failure();
+  test_alts_peer_to_auth_context_success();
+
+  return 0;
+}
diff --git a/test/core/security/check_gcp_environment_linux_test.cc b/test/core/security/check_gcp_environment_linux_test.cc
new file mode 100644
index 0000000000..6c436a3945
--- /dev/null
+++ b/test/core/security/check_gcp_environment_linux_test.cc
@@ -0,0 +1,83 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
+
+#if GPR_LINUX
+
+#include <stdio.h>
+#include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/gpr/tmpfile.h"
+
+static bool check_bios_data_linux_test(const char* data) {
+  /* Create a file with contents data. */
+  char* filename = nullptr;
+  FILE* fp = gpr_tmpfile("check_gcp_environment_test", &filename);
+  GPR_ASSERT(filename != nullptr);
+  GPR_ASSERT(fp != nullptr);
+  GPR_ASSERT(fwrite(data, 1, strlen(data), fp) == strlen(data));
+  fclose(fp);
+  bool result = grpc_core::internal::check_bios_data(
+      reinterpret_cast<const char*>(filename));
+  /* Cleanup. */
+  remove(filename);
+  gpr_free(filename);
+  return result;
+}
+
+static void test_gcp_environment_check_success() {
+  /* Exact match. */
+  GPR_ASSERT(check_bios_data_linux_test("Google"));
+  GPR_ASSERT(check_bios_data_linux_test("Google Compute Engine"));
+  /* With leading and trailing whitespaces. */
+  GPR_ASSERT(check_bios_data_linux_test(" Google  "));
+  GPR_ASSERT(check_bios_data_linux_test("Google  "));
+  GPR_ASSERT(check_bios_data_linux_test("   Google"));
+  GPR_ASSERT(check_bios_data_linux_test("  Google Compute Engine  "));
+  GPR_ASSERT(check_bios_data_linux_test("Google Compute Engine  "));
+  GPR_ASSERT(check_bios_data_linux_test("  Google Compute Engine"));
+  /* With leading and trailing \t and \n. */
+  GPR_ASSERT(check_bios_data_linux_test("\t\tGoogle Compute Engine\t"));
+  GPR_ASSERT(check_bios_data_linux_test("Google Compute Engine\n"));
+  GPR_ASSERT(check_bios_data_linux_test("\n\n\tGoogle Compute Engine \n\t\t"));
+}
+
+static void test_gcp_environment_check_failure() {
+  GPR_ASSERT(!check_bios_data_linux_test("non_existing-file"));
+  GPR_ASSERT(!check_bios_data_linux_test("Google-Chrome"));
+  GPR_ASSERT(!check_bios_data_linux_test("Amazon"));
+  GPR_ASSERT(!check_bios_data_linux_test("Google-Chrome\t\t"));
+  GPR_ASSERT(!check_bios_data_linux_test("Amazon"));
+}
+
+int main(int argc, char** argv) {
+  /* Tests. */
+  test_gcp_environment_check_success();
+  test_gcp_environment_check_failure();
+  return 0;
+}
+
+#else  // GPR_LINUX
+
+int main(int argc, char** argv) { return 0; }
+
+#endif  // GPR_LINUX
diff --git a/test/core/security/check_gcp_environment_windows_test.cc b/test/core/security/check_gcp_environment_windows_test.cc
new file mode 100644
index 0000000000..46179b747d
--- /dev/null
+++ b/test/core/security/check_gcp_environment_windows_test.cc
@@ -0,0 +1,71 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
+
+#ifdef GPR_WINDOWS
+
+#include <stdio.h>
+#include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include "src/core/lib/gpr/tmpfile.h"
+
+static bool check_bios_data_windows_test(const char* data) {
+  /* Create a file with contents data. */
+  char* filename = nullptr;
+  FILE* fp = gpr_tmpfile("check_gcp_environment_test", &filename);
+  GPR_ASSERT(filename != nullptr);
+  GPR_ASSERT(fp != nullptr);
+  GPR_ASSERT(fwrite(data, 1, strlen(data), fp) == strlen(data));
+  fclose(fp);
+  bool result = grpc_core::internal::check_bios_data(
+      reinterpret_cast<const char*>(filename));
+  /* Cleanup. */
+  remove(filename);
+  gpr_free(filename);
+  return result;
+}
+
+static void test_gcp_environment_check_success() {
+  GPR_ASSERT(check_bios_data_windows_test("Google"));
+  GPR_ASSERT(check_bios_data_windows_test("Google\n"));
+  GPR_ASSERT(check_bios_data_windows_test("Google\r"));
+  GPR_ASSERT(check_bios_data_windows_test("Google\r\n"));
+  GPR_ASSERT(check_bios_data_windows_test("   Google   \r\n"));
+  GPR_ASSERT(check_bios_data_windows_test(" \t\t Google\r\n"));
+  GPR_ASSERT(check_bios_data_windows_test(" \t\t Google\t\t  \r\n"));
+}
+
+static void test_gcp_environment_check_failure() {
+  GPR_ASSERT(!check_bios_data_windows_test("\t\tAmazon\n"));
+  GPR_ASSERT(!check_bios_data_windows_test("  Amazon\r\n"));
+}
+
+int main(int argc, char** argv) {
+  /* Tests. */
+  test_gcp_environment_check_success();
+  test_gcp_environment_check_failure();
+  return 0;
+}
+#else  // GPR_WINDOWS
+
+int main(int argc, char** argv) { return 0; }
+
+#endif  // GPR_WINDOWS
diff --git a/test/core/security/grpc_alts_credentials_options_test.cc b/test/core/security/grpc_alts_credentials_options_test.cc
new file mode 100644
index 0000000000..1217065507
--- /dev/null
+++ b/test/core/security/grpc_alts_credentials_options_test.cc
@@ -0,0 +1,118 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <grpc/grpc.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/security/credentials/alts/grpc_alts_credentials_options.h"
+
+#define ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_1 "abc@google.com"
+#define ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_2 "def@google.com"
+
+const size_t kTargetServiceAccountNum = 2;
+
+static void test_add_target_service_account_failure() {
+  /* Initialization. */
+  grpc_alts_credentials_options* options =
+      grpc_alts_credentials_client_options_create();
+  auto client_options =
+      reinterpret_cast<grpc_alts_credentials_client_options*>(options);
+
+  /* Test. */
+  GPR_ASSERT(!grpc_alts_credentials_client_options_add_target_service_account(
+      client_options, nullptr));
+  GPR_ASSERT(!grpc_alts_credentials_client_options_add_target_service_account(
+      nullptr, ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_1));
+
+  /* Cleanup. */
+  grpc_alts_credentials_options_destroy(options);
+}
+
+static void test_copy_client_options_failure() {
+  /* Initialization. */
+  grpc_alts_credentials_options* options =
+      grpc_alts_credentials_client_options_create();
+
+  /* Test. */
+  GPR_ASSERT(grpc_alts_credentials_options_copy(nullptr) == nullptr);
+
+  /* Cleanup. */
+  grpc_alts_credentials_options_destroy(options);
+}
+
+static size_t get_target_service_account_num(
+    grpc_alts_credentials_client_options* options) {
+  size_t num = 0;
+  target_service_account* node = options->target_account_list_head;
+  while (node != nullptr) {
+    num++;
+    node = node->next;
+  }
+  return num;
+}
+
+static void test_client_options_api_success() {
+  /* Initialization. */
+  grpc_alts_credentials_options* options =
+      grpc_alts_credentials_client_options_create();
+  auto client_options =
+      reinterpret_cast<grpc_alts_credentials_client_options*>(options);
+
+  /* Set client options fields. */
+  grpc_alts_credentials_client_options_add_target_service_account(
+      client_options, ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_1);
+  grpc_alts_credentials_client_options_add_target_service_account(
+      client_options, ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_2);
+
+  /* Validate client option fields. */
+  GPR_ASSERT(get_target_service_account_num(client_options) ==
+             kTargetServiceAccountNum);
+  GPR_ASSERT(strcmp(client_options->target_account_list_head->data,
+                    ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_2) == 0);
+  GPR_ASSERT(strcmp(client_options->target_account_list_head->next->data,
+                    ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_1) == 0);
+
+  /* Perform a copy operation and validate its correctness. */
+  grpc_alts_credentials_options* new_options =
+      grpc_alts_credentials_options_copy(options);
+  auto new_client_options =
+      reinterpret_cast<grpc_alts_credentials_client_options*>(new_options);
+
+  GPR_ASSERT(get_target_service_account_num(new_client_options) ==
+             kTargetServiceAccountNum);
+  GPR_ASSERT(strcmp(new_client_options->target_account_list_head->data,
+                    ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_2) == 0);
+  GPR_ASSERT(strcmp(new_client_options->target_account_list_head->next->data,
+                    ALTS_CLIENT_OPTIONS_TEST_TARGET_SERVICE_ACCOUNT_1) == 0);
+
+  /* Cleanup.*/
+  grpc_alts_credentials_options_destroy(options);
+  grpc_alts_credentials_options_destroy(new_options);
+}
+
+int main(int argc, char** argv) {
+  /* Test. */
+  test_add_target_service_account_failure();
+  test_copy_client_options_failure();
+  test_client_options_api_success();
+  return 0;
+}