def setUp(self):
self.server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
services_pb2_grpc.add_FirstServiceServicer_to_server(
_server_application.FirstServiceServicer(), self.server)
self.cert_config_A = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)],
root_certificates=CA_2_PEM)
self.cert_config_B = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)],
root_certificates=CA_1_PEM)
self.cert_config_fetcher = CertConfigFetcher()
server_credentials = grpc.dynamic_ssl_server_credentials(
self.cert_config_A,
self.cert_config_fetcher,
require_client_authentication=True)
self.port = self.server.add_secure_port('[::]:0', server_credentials)
self.server.start()
def test_check_on_config_fetcher(self):
cert_config = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)],
root_certificates=CA_1_PEM)
with self.assertRaises(TypeError):
grpc.dynamic_ssl_server_credentials(cert_config, None)
with self.assertRaises(TypeError):
grpc.dynamic_ssl_server_credentials(cert_config, 1)
def setUp(self):
self.server = test_common.test_server()
services_pb2_grpc.add_FirstServiceServicer_to_server(
_server_application.FirstServiceServicer(), self.server)
switch_cert_on_client_num = 10
initial_cert_config = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)],
root_certificates=CA_2_PEM)
self.cert_config_fetcher = CertConfigFetcher()
server_credentials = grpc.dynamic_ssl_server_credentials(
initial_cert_config,
self.cert_config_fetcher,
require_client_authentication=self.require_client_auth())
self.port = self.server.add_secure_port('[::]:0', server_credentials)
self.server.start()
def setUp(self):
self.server = test_common.test_server()
services_pb2_grpc.add_FirstServiceServicer_to_server(
_server_application.FirstServiceServicer(), self.server)
switch_cert_on_client_num = 10
initial_cert_config = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)],
root_certificates=CA_2_PEM)
self.cert_config_fetcher = CertConfigFetcher()
server_credentials = grpc.dynamic_ssl_server_credentials(
initial_cert_config,
self.cert_config_fetcher,
require_client_authentication=self.require_client_auth())
self.port = self.server.add_secure_port('[::]:0', server_credentials)
self.server.start()
def _test(self):
# things should work...
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(
True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# client should reject server...
# fails because client trusts ca2 and so will reject server
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(
False,
root_certificates=CA_2_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# should work again...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(True, None)
self._do_one_shot_client_rpc(
True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertTrue(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# if with_client_auth, then client should be rejected by
# server because client uses key/cert1, but server trusts ca2,
# so server will reject
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(
not self.require_client_auth(),
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_1_PEM,
certificate_chain=CLIENT_CERT_CHAIN_1_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# should work again...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(
True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# now create the "persistent" clients
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
persistent_client_stub_A = _create_client_stub(
self.port,
True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
self._perform_rpc(persistent_client_stub_A, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
persistent_client_stub_B = _create_client_stub(
self.port,
True,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
self._perform_rpc(persistent_client_stub_B, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# moment of truth!! client should reject server because the
# server switch cert...
cert_config = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)],
root_certificates=CA_1_PEM)
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, cert_config)
self._do_one_shot_client_rpc(
False,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertEqual(call.returned_cert_config, cert_config,
'i= {}'.format(i))
# now should work again...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(
True,
root_certificates=CA_2_PEM,
private_key=CLIENT_KEY_1_PEM,
certificate_chain=CLIENT_CERT_CHAIN_1_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 1)
self.assertFalse(actual_calls[0].did_raise)
self.assertIsNone(actual_calls[0].returned_cert_config)
# client should be rejected by server if with_client_auth
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(
not self.require_client_auth(),
root_certificates=CA_2_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# here client should reject server...
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._do_one_shot_client_rpc(
False,
root_certificates=CA_1_PEM,
private_key=CLIENT_KEY_2_PEM,
certificate_chain=CLIENT_CERT_CHAIN_2_PEM)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertGreaterEqual(len(actual_calls), 1)
for i, call in enumerate(actual_calls):
self.assertFalse(call.did_raise, 'i= {}'.format(i))
self.assertIsNone(call.returned_cert_config, 'i= {}'.format(i))
# persistent clients should continue to work
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._perform_rpc(persistent_client_stub_A, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 0)
self.cert_config_fetcher.reset()
self.cert_config_fetcher.configure(False, None)
self._perform_rpc(persistent_client_stub_B, True)
actual_calls = self.cert_config_fetcher.getCalls()
self.assertEqual(len(actual_calls), 0)
def serve():
initial_cert_config = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)],
root_certificates=CA_2_PEM, # for verifying clients
)
global cert_config_fetcher
cert_config_fetcher = CertConfigFetcher()
server_credentials = grpc.dynamic_ssl_server_credentials(
initial_cert_config,
cert_config_fetcher,
require_client_authentication=True)
print("CA_2_PEM length: {}".format(len(CA_2_PEM)))
server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
helloworld_pb2_grpc.add_GreeterServicer_to_server(Greeter(), server)
server.add_secure_port('[::]:50051', server_credentials)
server.start()
numOfKeyboardInterrupts = 0
while True:
try:
while True:
time.sleep(_ONE_DAY_IN_SECONDS)
except KeyboardInterrupt:
numOfKeyboardInterrupts += 1
if (numOfKeyboardInterrupts == 1):
print("first interrupt: changing certs...")
cert_config_new = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_1_PEM, SERVER_CERT_CHAIN_1_PEM)],
root_certificates=CA_BOTH_PEM)
print("CA_BOTH_PEM length: {}".format(len(CA_BOTH_PEM)))
cert_config_fetcher.reset()
cert_config_fetcher.configure(False, cert_config_new)
print("certs changed")
continue
if (numOfKeyboardInterrupts == 2):
print("second interrupt: changing certs...")
cert_config_new = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)],
root_certificates=CA_BOTH_PEM)
print("SERVER_KEY_2_PEM length: {}".format(len(SERVER_KEY_2_PEM)))
print("SERVER_CERT_CHAIN_2_PEM length: {}".format(
len(SERVER_CERT_CHAIN_2_PEM)))
cert_config_fetcher.reset()
cert_config_fetcher.configure(False, cert_config_new)
print("certs changed")
continue
if (numOfKeyboardInterrupts == 3):
print("third interrupt: changing certs...")
cert_config_new = grpc.ssl_server_certificate_configuration(
[(SERVER_KEY_2_PEM, SERVER_CERT_CHAIN_2_PEM)],
root_certificates=CA_1_PEM)
print("CA_1_PEM length: {}".format(len(CA_1_PEM)))
cert_config_fetcher.reset()
cert_config_fetcher.configure(False, cert_config_new)
print("certs changed")
continue
if (numOfKeyboardInterrupts == 4):
print("fourth interrupt: stopping server...")
server.stop(0)
break
