Add UnitTest to verify updateTrustCredentials rotate (#11798)

AlbumenJ · web-flow · commit 73721acc0d34 · 2025-01-09T11:53:36.000-08:00
* Add lastUpdateTime to avoid read
diff --git a/util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java b/util/src/main/java/io/grpc/util/AdvancedTlsX509TrustManager.java
@@ -265,7 +265,7 @@ public Closeable updateTrustCredentials(File trustCertFile, long period, TimeUni
     }
     final ScheduledFuture<?> future =
         checkNotNull(executor, "executor").scheduleWithFixedDelay(
-            new LoadFilePathExecution(trustCertFile), period, period, unit);
+            new LoadFilePathExecution(trustCertFile, updatedTime), period, period, unit);
     return () -> future.cancel(false);
   }
 
@@ -312,9 +312,9 @@ private class LoadFilePathExecution implements Runnable {
     File file;
     long currentTime;
 
-    public LoadFilePathExecution(File file) {
+    public LoadFilePathExecution(File file, long currentTime) {
       this.file = file;
-      this.currentTime = 0;
+      this.currentTime = currentTime;
     }
 
     @Override
diff --git a/util/src/test/java/io/grpc/util/AdvancedTlsX509TrustManagerTest.java b/util/src/test/java/io/grpc/util/AdvancedTlsX509TrustManagerTest.java
@@ -24,6 +24,7 @@
 import static org.mockito.Mockito.when;
 
 import com.google.common.collect.Iterables;
+import com.google.common.io.Files;
 import io.grpc.internal.FakeClock;
 import io.grpc.internal.testing.TestUtils;
 import io.grpc.testing.TlsTesting;
@@ -57,21 +58,28 @@ public class AdvancedTlsX509TrustManagerTest {
 
   private static final String CA_PEM_FILE = "ca.pem";
   private static final String SERVER_0_PEM_FILE = "server0.pem";
+  private static final String SERVER_1_PEM_FILE = "server1.pem";
   private File caCertFile;
   private File serverCert0File;
+  private File serverCert1File;
 
   private X509Certificate[] caCert;
   private X509Certificate[] serverCert0;
+  private X509Certificate[] serverCert1;
 
+  private FakeClock fakeClock;
   private ScheduledExecutorService executor;
 
   @Before
   public void setUp() throws IOException, GeneralSecurityException {
-    executor = new FakeClock().getScheduledExecutorService();
+    fakeClock = new FakeClock();
+    executor = fakeClock.getScheduledExecutorService();
     caCertFile = TestUtils.loadCert(CA_PEM_FILE);
     caCert = CertificateUtils.getX509Certificates(TlsTesting.loadCert(CA_PEM_FILE));
     serverCert0File = TestUtils.loadCert(SERVER_0_PEM_FILE);
     serverCert0 = CertificateUtils.getX509Certificates(TlsTesting.loadCert(SERVER_0_PEM_FILE));
+    serverCert1File = TestUtils.loadCert(SERVER_1_PEM_FILE);
+    serverCert1 = CertificateUtils.getX509Certificates(TlsTesting.loadCert(SERVER_1_PEM_FILE));
   }
 
   @Test
@@ -147,6 +155,39 @@ public void clientTrustedWithSocketTest() throws Exception {
     assertEquals("No handshake session", ce.getMessage());
   }
 
+  @Test
+  public void updateTrustCredentials_rotate() throws GeneralSecurityException, IOException {
+    AdvancedTlsX509TrustManager trustManager = AdvancedTlsX509TrustManager.newBuilder().build();
+    trustManager.updateTrustCredentials(serverCert0File);
+    assertArrayEquals(serverCert0, trustManager.getAcceptedIssuers());
+
+    trustManager.updateTrustCredentials(serverCert0File, 1, TimeUnit.MINUTES,
+        executor);
+    assertArrayEquals(serverCert0, trustManager.getAcceptedIssuers());
+
+    fakeClock.forwardTime(1, TimeUnit.MINUTES);
+    assertArrayEquals(serverCert0, trustManager.getAcceptedIssuers());
+
+    serverCert0File.setLastModified(serverCert0File.lastModified() - 10);
+
+    fakeClock.forwardTime(1, TimeUnit.MINUTES);
+    assertArrayEquals(serverCert0, trustManager.getAcceptedIssuers());
+
+    long beforeModify = serverCert0File.lastModified();
+    Files.copy(serverCert1File, serverCert0File);
+    serverCert0File.setLastModified(beforeModify);
+
+    // although file content changed, file modification time is not changed
+    fakeClock.forwardTime(1, TimeUnit.MINUTES);
+    assertArrayEquals(serverCert0, trustManager.getAcceptedIssuers());
+
+    serverCert0File.setLastModified(beforeModify + 10);
+
+    // file modification time changed
+    fakeClock.forwardTime(1, TimeUnit.MINUTES);
+    assertArrayEquals(serverCert1, trustManager.getAcceptedIssuers());
+  }
+
   private static class TestHandler extends Handler {
     private final List<LogRecord> records = new ArrayList<>();
 

Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ public Closeable updateTrustCredentials(File trustCertFile, long period, TimeUni`
`265`	`265`	`}`
`266`	`266`	`final ScheduledFuture<?> future =`
`267`	`267`	`checkNotNull(executor, "executor").scheduleWithFixedDelay(`
`268`		`- new LoadFilePathExecution(trustCertFile), period, period, unit);`
	`268`	`+ new LoadFilePathExecution(trustCertFile, updatedTime), period, period, unit);`
`269`	`269`	`return () -> future.cancel(false);`
`270`	`270`	`}`
`271`	`271`
`@@ -312,9 +312,9 @@ private class LoadFilePathExecution implements Runnable {`
`312`	`312`	`File file;`
`313`	`313`	`long currentTime;`
`314`	`314`
`315`		`- public LoadFilePathExecution(File file) {`
	`315`	`+ public LoadFilePathExecution(File file, long currentTime) {`
`316`	`316`	`this.file = file;`
`317`		`- this.currentTime = 0;`
	`317`	`+ this.currentTime = currentTime;`
`318`	`318`	`}`
`319`	`319`
`320`	`320`	`@Override`