From 838438cedbb0a71d268402501fd4f8dd10daa23d Mon Sep 17 00:00:00 2001
From: ZhenLian
Date: Fri, 17 Sep 2021 09:45:41 -0700
Subject: [PATCH] AdvancedTls: add functions to load credentials from static files (#8525)
* AdvancedTls: add functions to load credentials from static files
---
.../grpc/util/AdvancedTlsX509KeyManager.java | 15 ++++++++
.../util/AdvancedTlsX509TrustManager.java | 14 +++++++
.../java/io/grpc/netty/AdvancedTlsTest.java | 38 +++++++++++++++++++
3 files changed, 67 insertions(+)
diff --git a/core/src/main/java/io/grpc/util/AdvancedTlsX509KeyManager.java b/core/src/main/java/io/grpc/util/AdvancedTlsX509KeyManager.java
index 8541c6b5280..9c9102b12cb 100644
--- a/core/src/main/java/io/grpc/util/AdvancedTlsX509KeyManager.java
+++ b/core/src/main/java/io/grpc/util/AdvancedTlsX509KeyManager.java
@@ -141,6 +141,21 @@ public Closeable updateIdentityCredentialsFromFile(File keyFile, File certFile, }; } + /** + * Updates the private key and certificate chains from the local file paths. + * + * @param keyFile the file on disk holding the private key + * @param certFile the file on disk holding the certificate chain + */ + public void updateIdentityCredentialsFromFile(File keyFile, File certFile) throws IOException, + GeneralSecurityException { + UpdateResult newResult = readAndUpdate(keyFile, certFile, 0, 0); + if (!newResult.success) { + throw new GeneralSecurityException( + "Files were unmodified before their initial update. Probably a bug."); + } + } + private static class KeyInfo { // The private key and the cert chain we will use to send to peers to prove our identity. final PrivateKey key;
diff --git a/core/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java b/core/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
index ad69fe4abfa..51bf57aeb34 100644
--- a/core/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
+++ b/core/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
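Review bot: The new `updateIdentityCredentialsFromFile(File, File)` reports every failed initial read as a GeneralSecurityException saying "Probably a bug", which is misleading if `readAndUpdate` (outside the hunk) detects change through `File.lastModified()`: that call returns 0 for a missing or unreadable file, so a wrong path would surface as "unmodified" instead of as a missing file. Consider rejecting absent files up front, e.g. `if (!keyFile.isFile() || !certFile.isFile()) { throw new FileNotFoundException("Key or cert file not found: " + keyFile + ", " + certFile); }` (adding the `java.io.FileNotFoundException` import), and naming both paths in the existing message so an operator can tell which credential failed to load. The Javadoc should also document the declared exceptions, `@throws IOException if the key or certificate file cannot be read` and `@throws GeneralSecurityException if the files cannot be parsed or the initial update did not take effect`. The `updateTrustCredentialsFromFile(File)` hunk in AdvancedTlsX509TrustManager.java has the same shape and the same gaps.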
@@ -255,6 +255,20 @@ public void run() { } } + /** + * Updates the trust certificates from a local file path. + * + * @param trustCertFile the file on disk holding the trust certificates + */ + public void updateTrustCredentialsFromFile(File trustCertFile) throws IOException, + GeneralSecurityException { + long updatedTime = readAndUpdate(trustCertFile, 0); + if (updatedTime == 0) { + throw new GeneralSecurityException( + "Files were unmodified before their initial update. Probably a bug."); + } + } + /** * Reads the trust certificates specified in the path location, and update the key store if the * modified time has changed since last read. diff --git a/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java b/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java index 9e0d8170c40..6b5a96b45ab 100644 --- a/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java +++ b/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java 
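Review bot: The message `"Files were unmodified before their initial update. Probably a bug."` in `updateTrustCredentialsFromFile` is copied from the key-manager variant and speaks of several files, although this overload takes a single `trustCertFile`; `"Trust cert file " + trustCertFile + " was unmodified before its initial update."` would read correctly and name the path that failed. Using `updatedTime == 0` as the failure sentinel also conflates "not updated" with whatever `readAndUpdate` (outside the hunk) returns for a file whose modification time is genuinely 0, so a distinct success indicator, like the `UpdateResult.success` flag the key manager uses, would make the check unambiguous.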
@@ -388,6 +388,44 @@ public void onFileReloadingKeyManagerTrustManagerTest() throws Exception { clientTrustShutdown.close(); } + @Test + public void onFileLoadingKeyManagerTrustManagerTest() throws Exception { + // Create & start a server. + AdvancedTlsX509KeyManager serverKeyManager = new AdvancedTlsX509KeyManager(); + serverKeyManager.updateIdentityCredentialsFromFile(serverKey0File, serverCert0File); + AdvancedTlsX509TrustManager serverTrustManager = AdvancedTlsX509TrustManager.newBuilder() + .setVerification(Verification.CERTIFICATE_ONLY_VERIFICATION) + .build(); + serverTrustManager.updateTrustCredentialsFromFile(caCertFile); + ServerCredentials serverCredentials = TlsServerCredentials.newBuilder() + .keyManager(serverKeyManager).trustManager(serverTrustManager) + .clientAuth(ClientAuth.REQUIRE).build(); + server = Grpc.newServerBuilderForPort(0, serverCredentials).addService( + new SimpleServiceImpl()).build().start(); + // Create a client to connect. + AdvancedTlsX509KeyManager clientKeyManager = new AdvancedTlsX509KeyManager(); + clientKeyManager.updateIdentityCredentialsFromFile(clientKey0File, clientCert0File); + AdvancedTlsX509TrustManager clientTrustManager = AdvancedTlsX509TrustManager.newBuilder() + .setVerification(Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION) + .build(); + clientTrustManager.updateTrustCredentialsFromFile(caCertFile); + ChannelCredentials channelCredentials = TlsChannelCredentials.newBuilder() + .keyManager(clientKeyManager).trustManager(clientTrustManager).build(); + channel = Grpc.newChannelBuilderForAddress("localhost", server.getPort(), channelCredentials) + .overrideAuthority("foo.test.google.com.au").build(); + // Start the connection. + try { + SimpleServiceGrpc.SimpleServiceBlockingStub client = + SimpleServiceGrpc.newBlockingStub(channel); + // Send an actual request, via the full GRPC & network stack, and check that a proper + // response comes back. 
+ client.unaryRpc(SimpleRequest.getDefaultInstance()); + } catch (StatusRuntimeException e) { + e.printStackTrace(); + fail("Find error: " + e.getMessage()); + } + } + @Test public void onFileReloadingKeyManagerBadInitialContentTest() throws Exception { exceptionRule.expect(GeneralSecurityException.class);
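Review bot: The `try`/`catch (StatusRuntimeException e)` closing `onFileLoadingKeyManagerTrustManagerTest` makes failures harder to diagnose rather than easier: `fail("Find error: " + e.getMessage())` keeps only the message and `e.printStackTrace()` goes to stderr instead of the test report. The method already declares `throws Exception`, so the catch can be dropped and `client.unaryRpc(SimpleRequest.getDefaultInstance());` called directly, letting the full StatusRuntimeException with its cause reach the JUnit failure. The hunk also adds no negative test for the new one-shot overloads: the context below shows `onFileReloadingKeyManagerBadInitialContentTest` covering the reloading variant, so a sibling test expecting GeneralSecurityException from `updateIdentityCredentialsFromFile` and `updateTrustCredentialsFromFile` when given a malformed key or certificate file would pin down the error path this commit introduces.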