Diffstat (limited to 'grpc/test/core/security/tls_security_connector_test.cc')
-rw-r--r--grpc/test/core/security/tls_security_connector_test.cc72
1 files changed, 62 insertions, 10 deletions
diff --git a/grpc/test/core/security/tls_security_connector_test.cc b/grpc/test/core/security/tls_security_connector_test.cc
index c6f744da..c041fd92 100644
--- a/grpc/test/core/security/tls_security_connector_test.cc
+++ b/grpc/test/core/security/tls_security_connector_test.cc
@@ -146,10 +146,59 @@ TEST_F(TlsSecurityConnectorTest,
grpc_channel_args_destroy(new_args);
}
-// Note that on client side, we don't have tests watching identity certs only,
-// because in TLS, the trust certs should always be presented. If we don't
-// provide, it will try to load certs from some default system locations, and
-// will hence fail on some systems.
+TEST_F(TlsSecurityConnectorTest,
+ SystemRootsWhenCreateChannelSecurityConnector) {
+ // Create options watching for no certificates.
+ grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
+ grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
+ grpc_core::RefCountedPtr<TlsCredentials> root_credential =
+ grpc_core::MakeRefCounted<TlsCredentials>(root_options);
+ grpc_channel_args* root_new_args = nullptr;
+ grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
+ root_credential->create_security_connector(nullptr, "some_target",
+ nullptr, &root_new_args);
+ EXPECT_NE(root_connector, nullptr);
+ grpc_core::TlsChannelSecurityConnector* tls_root_connector =
+ static_cast<grpc_core::TlsChannelSecurityConnector*>(
+ root_connector.get());
+ EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
+ grpc_channel_args_destroy(root_new_args);
+}
+
+TEST_F(TlsSecurityConnectorTest,
+ SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
+ grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
+ grpc_core::MakeRefCounted<grpc_tls_certificate_distributor>();
+ distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
+ identity_pairs_0_);
+ grpc_core::RefCountedPtr<::grpc_tls_certificate_provider> provider =
+ grpc_core::MakeRefCounted<TlsTestCertificateProvider>(distributor);
+ // Create options only watching for identity certificates.
+ grpc_core::RefCountedPtr<grpc_tls_credentials_options> root_options =
+ grpc_core::MakeRefCounted<grpc_tls_credentials_options>();
+ root_options->set_certificate_provider(provider);
+ root_options->set_watch_identity_pair(true);
+ root_options->set_identity_cert_name(kIdentityCertName);
+ grpc_core::RefCountedPtr<TlsCredentials> root_credential =
+ grpc_core::MakeRefCounted<TlsCredentials>(root_options);
+ grpc_channel_args* root_new_args = nullptr;
+ grpc_core::RefCountedPtr<grpc_channel_security_connector> root_connector =
+ root_credential->create_security_connector(nullptr, "some_target",
+ nullptr, &root_new_args);
+ EXPECT_NE(root_connector, nullptr);
+ grpc_core::TlsChannelSecurityConnector* tls_root_connector =
+ static_cast<grpc_core::TlsChannelSecurityConnector*>(
+ root_connector.get());
+ EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
+ EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
+ // If we have a root update, we shouldn't receive them in security connector,
+ // since we claimed to use default system roots.
+ distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
+ EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
+ EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
+ grpc_channel_args_destroy(root_new_args);
+}
+
TEST_F(TlsSecurityConnectorTest,
RootCertsObtainedWhenCreateChannelSecurityConnector) {
grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor =
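Review bot: In SystemRootsWhenCreateChannelSecurityConnector the `EXPECT_NE(root_connector, nullptr)` is immediately followed by an unconditional `static_cast` of `root_connector.get()` and a call through the resulting pointer, so a null connector would crash the test process rather than report a failure; the same pattern appears after the EXPECT_NE in SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector. Use `ASSERT_NE(root_connector, nullptr);` at both sites so the test aborts cleanly before the dereference (the pre-existing tests below appear to share the pattern, so this may be a file-wide follow-up). The first test's expectation that ClientHandshakerFactoryForTesting() is non-null only holds because the default root path is pointed at a bundled CA file by the `GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH)` added to main() in this same change, a coupling the test body does not show; a comment such as `// Relies on main() setting grpc_default_ssl_roots_file_path to CA_CERT_PATH so system-root loading is deterministic across hosts.` would make it explicit. The names root_options/root_credential/root_connector in the first test are misleading, since those options watch no certificates at all; plain options/credential/connector, as in the surrounding tests, would read better.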
@@ -303,7 +352,8 @@ TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameSuccess) {
GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, target_name,
&peer.properties[0]) == TSI_OK);
- grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
+ grpc_error_handle error =
+ grpc_core::internal::TlsCheckHostName(target_name, &peer);
tsi_peer_destruct(&peer);
EXPECT_EQ(error, GRPC_ERROR_NONE);
GRPC_ERROR_UNREF(error);
@@ -317,7 +367,8 @@ TEST_F(TlsSecurityConnectorTest, TlsCheckHostNameFail) {
GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, another_name,
&peer.properties[0]) == TSI_OK);
- grpc_error* error = grpc_core::internal::TlsCheckHostName(target_name, &peer);
+ grpc_error_handle error =
+ grpc_core::internal::TlsCheckHostName(target_name, &peer);
tsi_peer_destruct(&peer);
EXPECT_NE(error, GRPC_ERROR_NONE);
GRPC_ERROR_UNREF(error);
@@ -343,7 +394,7 @@ TEST_F(TlsSecurityConnectorTest,
grpc_core::RefCountedPtr<TlsServerCredentials> credential =
grpc_core::MakeRefCounted<TlsServerCredentials>(options);
grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
- credential->create_security_connector();
+ credential->create_security_connector(nullptr);
EXPECT_NE(connector, nullptr);
grpc_core::TlsServerSecurityConnector* tls_connector =
static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
@@ -380,7 +431,7 @@ TEST_F(TlsSecurityConnectorTest,
grpc_core::RefCountedPtr<TlsServerCredentials> identity_credential =
grpc_core::MakeRefCounted<TlsServerCredentials>(identity_options);
grpc_core::RefCountedPtr<grpc_server_security_connector> identity_connector =
- identity_credential->create_security_connector();
+ identity_credential->create_security_connector(nullptr);
EXPECT_NE(identity_connector, nullptr);
grpc_core::TlsServerSecurityConnector* tls_identity_connector =
static_cast<grpc_core::TlsServerSecurityConnector*>(
@@ -417,7 +468,7 @@ TEST_F(TlsSecurityConnectorTest,
grpc_core::RefCountedPtr<TlsServerCredentials> credential =
grpc_core::MakeRefCounted<TlsServerCredentials>(options);
grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
- credential->create_security_connector();
+ credential->create_security_connector(nullptr);
EXPECT_NE(connector, nullptr);
grpc_core::TlsServerSecurityConnector* tls_connector =
static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
@@ -451,7 +502,7 @@ TEST_F(TlsSecurityConnectorTest,
grpc_core::RefCountedPtr<TlsServerCredentials> credential =
grpc_core::MakeRefCounted<TlsServerCredentials>(options);
grpc_core::RefCountedPtr<grpc_server_security_connector> connector =
- credential->create_security_connector();
+ credential->create_security_connector(nullptr);
EXPECT_NE(connector, nullptr);
grpc_core::TlsServerSecurityConnector* tls_connector =
static_cast<grpc_core::TlsServerSecurityConnector*>(connector.get());
@@ -495,6 +546,7 @@ TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
int main(int argc, char** argv) {
grpc::testing::TestEnvironment env(argc, argv);
+ GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
::testing::InitGoogleTest(&argc, argv);
grpc_init();
int ret = RUN_ALL_TESTS();