def setUp(self): self.server = grpc.server(futures.ThreadPoolExecutor(max_workers=10)) services_pb2_grpc.add_FirstServiceServicer_to_server( _server_application.FirstServiceServicer(), self.server) self.cert_config_A = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)], root_certificates=CA_2_PEM) self.cert_config_B = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)], root_certificates=CA_1_PEM) self.cert_config_fetcher = CertConfigFetcher() server_credentials = grpc.dynamic_ssl_server_credentials( self.cert_config_A, self.cert_config_fetcher, require_client_authentication=True) self.port = self.server.add_secure_port('[::]:0', server_credentials) self.server.start()
def test_check_on_config_fetcher(self): cert_config = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)], root_certificates=CA_1_PEM) with self.assertRaises(TypeError): grpc.dynamic_ssl_server_credentials(cert_config, None) with self.assertRaises(TypeError): grpc.dynamic_ssl_server_credentials(cert_config, 1)
def setUp(self): self.server = test_common.test_server() services_pb2_grpc.add_FirstServiceServicer_to_server( _server_application.FirstServiceServicer(), self.server) switch_cert_on_client_num = 10 initial_cert_config = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)], root_certificates=CA_2_PEM) self.cert_config_fetcher = CertConfigFetcher() server_credentials = grpc.dynamic_ssl_server_credentials( initial_cert_config, self.cert_config_fetcher, require_client_authentication=self.require_client_auth()) self.port = self.server.add_secure_port('[::]:0', server_credentials) self.server.start()
def _test(self): # things should work... self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc( True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # client should reject server... # fails because client trusts ca2 and so will reject server self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc( False, root_certificates=CA_2_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # should work again... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(True, None) self._do_one_shot_client_rpc( True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertTrue(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # if with_client_auth, then client should be rejected by # server because client uses key/cert1, but server trusts ca2, # so server will reject self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc( not self.require_client_auth(), root_certificates=CA_1_PEM, private_key=CLIENT_KEY_1_PEM, certificate_chain=CLIENT_CERT_CHAIN_1_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # should work again... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc( True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # now create the "persistent" clients self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) persistent_client_stub_A = _create_client_stub( self.port, True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) self._perform_rpc(persistent_client_stub_A, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) persistent_client_stub_B = _create_client_stub( self.port, True, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) self._perform_rpc(persistent_client_stub_B, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # moment of truth!! client should reject server because the # server switch cert... cert_config = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)], root_certificates=CA_1_PEM) self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, cert_config) self._do_one_shot_client_rpc( False, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertEqual(call.returned_cert_config, cert_config, 'i= {}'.format(i)) # now should work again... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc( True, root_certificates=CA_2_PEM, private_key=CLIENT_KEY_1_PEM, certificate_chain=CLIENT_CERT_CHAIN_1_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 1) self.assertFalse(actual_calls[0].did_raise) self.assertIsNone(actual_calls[0].returned_cert_config) # client should be rejected by server if with_client_auth self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc( not self.require_client_auth(), root_certificates=CA_2_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # here client should reject server... self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._do_one_shot_client_rpc( False, root_certificates=CA_1_PEM, private_key=CLIENT_KEY_2_PEM, certificate_chain=CLIENT_CERT_CHAIN_2_PEM) actual_calls = self.cert_config_fetcher.getCalls() self.assertGreaterEqual(len(actual_calls), 1) for i, call in enumerate(actual_calls): self.assertFalse(call.did_raise, 'i= {}'.format(i)) self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i)) # persistent clients should continue to work self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._perform_rpc(persistent_client_stub_A, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 0) self.cert_config_fetcher.reset() self.cert_config_fetcher.configure(False, None) self._perform_rpc(persistent_client_stub_B, True) actual_calls = self.cert_config_fetcher.getCalls() self.assertEqual(len(actual_calls), 0)
def serve(): initial_cert_config = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)], root_certificates=CA_2_PEM, # for verifying clients ) global cert_config_fetcher cert_config_fetcher = CertConfigFetcher() server_credentials = grpc.dynamic_ssl_server_credentials( initial_cert_config, cert_config_fetcher, require_client_authentication=True) print("CA_2_PEM length: {}".format(len(CA_2_PEM))) server = grpc.server(futures.ThreadPoolExecutor(max_workers=10)) helloworld_pb2_grpc.add_GreeterServicer_to_server(Greeter(), server) server.add_secure_port('[::]:50051', server_credentials) server.start() numOfKeyboardInterrupts = 0 while True: try: while True: time.sleep(_ONE_DAY_IN_SECONDS) except KeyboardInterrupt: numOfKeyboardInterrupts += 1 if (numOfKeyboardInterrupts == 1): print("first interrupt: changing certs...") cert_config_new = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)], root_certificates=CA_BOTH_PEM) print("CA_BOTH_PEM length: {}".format(len(CA_BOTH_PEM))) cert_config_fetcher.reset() cert_config_fetcher.configure(False, cert_config_new) print("certs changed") continue if (numOfKeyboardInterrupts == 2): print("second interrupt: changing certs...") cert_config_new = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)], root_certificates=CA_BOTH_PEM) print("SERVER_KEY_2_PEM length: {}".format(len(SERVER_KEY_2_PEM))) print("SERVER_CERT_CHAIN_2_PEM length: {}".format( len(SERVER_CERT_CHAIN_2_PEM))) cert_config_fetcher.reset() cert_config_fetcher.configure(False, cert_config_new) print("certs changed") continue if (numOfKeyboardInterrupts == 3): print("third interrupt: changing certs...") cert_config_new = grpc.ssl_server_certificate_configuration( [(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)], root_certificates=CA_1_PEM) print("CA_1_PEM length: {}".format(len(CA_1_PEM))) cert_config_fetcher.reset() cert_config_fetcher.configure(False, cert_config_new) print("certs changed") continue if (numOfKeyboardInterrupts == 4): print("fourth interrupt: stopping server...") server.stop(0) break