xds/src/test/java/io/grpc/xds/internal/certprovider/MeshCaCertificateProviderProviderTest.java

/*
 * Copyright 2020 The gRPC Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package io.grpc.xds.internal.certprovider;

import static com.google.common.truth.Truth.assertThat;
import static io.grpc.xds.internal.certprovider.MeshCaCertificateProviderProvider.RPC_TIMEOUT_SECONDS;
import static org.junit.Assert.fail;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.ArgumentMatchers.isNull;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import com.google.auth.oauth2.GoogleCredentials;
import io.grpc.internal.BackoffPolicy;
import io.grpc.internal.ExponentialBackoffPolicy;
import io.grpc.internal.TimeProvider;
import io.grpc.xds.internal.sts.StsCredentials;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;

/** Unit tests for {@link MeshCaCertificateProviderProvider}. */
@RunWith(JUnit4.class)
public class MeshCaCertificateProviderProviderTest {

  public static final String EXPECTED_AUDIENCE =
      "identitynamespace:test-project1.svc.id.goog:https://container.googleapis.com/v1/projects/test-project1/locations/test-zone2/clusters/test-cluster3";
  public static final String TMP_PATH_4 = "/tmp/path4";
  public static final String NON_DEFAULT_MESH_CA_URL = "nonDefaultMeshCaUrl";
  public static final String GKE_CLUSTER_URL =
      "https://container.googleapis.com/v1/projects/test-project1/locations/test-zone2/clusters/test-cluster3";

  @Mock
  StsCredentials.Factory stsCredentialsFactory;

  @Mock
  MeshCaCertificateProvider.MeshCaChannelFactory meshCaChannelFactory;

  @Mock
  BackoffPolicy.Provider backoffPolicyProvider;

  @Mock
  MeshCaCertificateProvider.Factory meshCaCertificateProviderFactory;

  @Mock
  private MeshCaCertificateProviderProvider.ScheduledExecutorServiceFactory
      scheduledExecutorServiceFactory;

  @Mock
  private TimeProvider timeProvider;

  private MeshCaCertificateProviderProvider provider;

  @Before
  public void setUp() throws IOException {
    MockitoAnnotations.initMocks(this);
    provider =
        new MeshCaCertificateProviderProvider(
            stsCredentialsFactory,
            meshCaChannelFactory,
            backoffPolicyProvider,
            meshCaCertificateProviderFactory,
            scheduledExecutorServiceFactory,
            timeProvider);
  }

  @Test
  public void providerRegisteredName() {
    CertificateProviderProvider certProviderProvider = CertificateProviderRegistry.getInstance()
        .getProvider(MeshCaCertificateProviderProvider.MESH_CA_NAME);
    assertThat(certProviderProvider).isInstanceOf(MeshCaCertificateProviderProvider.class);
    MeshCaCertificateProviderProvider meshCaCertificateProviderProvider =
        (MeshCaCertificateProviderProvider) certProviderProvider;
    assertThat(meshCaCertificateProviderProvider.stsCredentialsFactory)
        .isSameInstanceAs(StsCredentials.Factory.getInstance());
    assertThat(meshCaCertificateProviderProvider.meshCaChannelFactory)
        .isSameInstanceAs(MeshCaCertificateProvider.MeshCaChannelFactory.getInstance());
    assertThat(meshCaCertificateProviderProvider.backoffPolicyProvider)
        .isInstanceOf(ExponentialBackoffPolicy.Provider.class);
    assertThat(meshCaCertificateProviderProvider.meshCaCertificateProviderFactory)
        .isSameInstanceAs(MeshCaCertificateProvider.Factory.getInstance());
  }

  @Test
  public void createProvider_minimalConfig() {
    CertificateProvider.DistributorWatcher distWatcher =
        new CertificateProvider.DistributorWatcher();
    Map<String, String> map = buildMinimalMap();
    ScheduledExecutorService mockService = mock(ScheduledExecutorService.class);
    when(scheduledExecutorServiceFactory.create(
            eq(MeshCaCertificateProviderProvider.MESHCA_URL_DEFAULT)))
        .thenReturn(mockService);
    provider.createCertificateProvider(map, distWatcher, true);
    verify(stsCredentialsFactory, times(1))
        .create(
            eq(MeshCaCertificateProviderProvider.STS_URL_DEFAULT),
            eq(EXPECTED_AUDIENCE),
            eq(TMP_PATH_4));
    verify(meshCaCertificateProviderFactory, times(1))
        .create(
            eq(distWatcher),
            eq(true),
            eq(MeshCaCertificateProviderProvider.MESHCA_URL_DEFAULT),
            eq("test-zone2"),
            eq(MeshCaCertificateProviderProvider.CERT_VALIDITY_SECONDS_DEFAULT),
            eq(MeshCaCertificateProviderProvider.KEY_SIZE_DEFAULT),
            eq(MeshCaCertificateProviderProvider.KEY_ALGO_DEFAULT),
            eq(MeshCaCertificateProviderProvider.SIGNATURE_ALGO_DEFAULT),
            eq(meshCaChannelFactory),
            eq(backoffPolicyProvider),
            eq(MeshCaCertificateProviderProvider.RENEWAL_GRACE_PERIOD_SECONDS_DEFAULT),
            eq(MeshCaCertificateProviderProvider.MAX_RETRY_ATTEMPTS_DEFAULT),
            (GoogleCredentials) isNull(),
            eq(mockService),
            eq(timeProvider),
            eq(TimeUnit.SECONDS.toMillis(RPC_TIMEOUT_SECONDS)));
  }

  @Test
  public void createProvider_missingGkeUrl_expectException() {
    CertificateProvider.DistributorWatcher distWatcher =
            new CertificateProvider.DistributorWatcher();
    Map<String, String> map = buildMinimalMap();
    map.remove("gkeClusterUrl");
    try {
      provider.createCertificateProvider(map, distWatcher, true);
      fail("exception expected");
    } catch (NullPointerException npe) {
      assertThat(npe).hasMessageThat().isEqualTo("gkeClusterUrl is required in the config");
    }
  }

  @Test
  public void createProvider_missingGkeSaJwtLocation_expectException() {
    CertificateProvider.DistributorWatcher distWatcher =
            new CertificateProvider.DistributorWatcher();
    Map<String, String> map = buildMinimalMap();
    map.remove("gkeSaJwtLocation");
    try {
      provider.createCertificateProvider(map, distWatcher, true);
      fail("exception expected");
    } catch (NullPointerException npe) {
      assertThat(npe).hasMessageThat().isEqualTo("gkeSaJwtLocation is required in the config");
    }
  }

  @Test
  public void createProvider_missingProject_expectException() {
    CertificateProvider.DistributorWatcher distWatcher =
            new CertificateProvider.DistributorWatcher();
    Map<String, String> map = buildMinimalMap();
    map.put(
        "gkeClusterUrl",
        "https://container.googleapis.com/v1/project/test-project1/locations/test-zone2/clusters/test-cluster3");
    try {
      provider.createCertificateProvider(map, distWatcher, true);
      fail("exception expected");
    } catch (IllegalStateException ex) {
      assertThat(ex).hasMessageThat().isEqualTo("gkeClusterUrl does not have correct format");
    }
  }

  @Test
  public void createProvider_nonDefaultFullConfig() {
    CertificateProvider.DistributorWatcher distWatcher =
            new CertificateProvider.DistributorWatcher();
    Map<String, String> map = buildFullMap();
    ScheduledExecutorService mockService = mock(ScheduledExecutorService.class);
    when(scheduledExecutorServiceFactory.create(eq(NON_DEFAULT_MESH_CA_URL)))
        .thenReturn(mockService);
    provider.createCertificateProvider(map, distWatcher, true);
    verify(stsCredentialsFactory, times(1))
            .create(
                    eq("nonDefaultStsUrl"),
                    eq(EXPECTED_AUDIENCE),
                    eq(TMP_PATH_4));
    verify(meshCaCertificateProviderFactory, times(1))
            .create(
                    eq(distWatcher),
                    eq(true),
                    eq(NON_DEFAULT_MESH_CA_URL),
                    eq("test-zone2"),
                    eq(234567L),
                    eq(4096),
                    eq("KEY-ALGO1"),
                    eq("SIG-ALGO2"),
                    eq(meshCaChannelFactory),
                    eq(backoffPolicyProvider),
                    eq(4321L),
                    eq(9),
                    (GoogleCredentials) isNull(),
                    eq(mockService),
                    eq(timeProvider),
                    eq(TimeUnit.SECONDS.toMillis(RPC_TIMEOUT_SECONDS)));
  }

  private Map<String, String> buildFullMap() {
    Map<String, String> map = new HashMap<>();
    map.put("gkeClusterUrl", GKE_CLUSTER_URL);
    map.put("gkeSaJwtLocation", TMP_PATH_4);
    map.put("meshCaUrl", NON_DEFAULT_MESH_CA_URL);
    map.put("rpcTimeoutSeconds", "123");
    map.put("certValiditySeconds", "234567");
    map.put("renewalGracePeriodSeconds", "4321");
    map.put("keyAlgo", "KEY-ALGO1");
    map.put("keySize", "4096");
    map.put("signatureAlgo", "SIG-ALGO2");
    map.put("maxRetryAttempts", "9");
    map.put("stsUrl", "nonDefaultStsUrl");
    return map;
  }

  private Map<String, String> buildMinimalMap() {
    Map<String, String> map = new HashMap<>();
    map.put("gkeClusterUrl", GKE_CLUSTER_URL);
    map.put("gkeSaJwtLocation", TMP_PATH_4);
    return map;
  }
}