Tests that when AutoHostSni is enabled, the endpoint's hostname is used as the TLS ServerName even though an explicit (and deliberately wrong) Sni value is configured on the cluster. It verifies that the TLS handshake and the subsequent RPC succeed because the resolved SNI — the endpoint hostname — matches the server certificate's SAN; AutoSniSanValidation is also enabled, so the SAN check is expected to run against that same resolved hostname rather than the configured Sni string.
| 198 | // handshake and subsequent RPC succeed because the resolved SNI i.e. the |
| 199 | // hostname matches the server's certificate SAN. |
| 200 | func (s) TestClientSideXDS_AutoHostSNI(t *testing.T) { |
| 201 | testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, true) |
| 202 | |
| 203 | // Spin up an xDS management server. |
| 204 | mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t) |
| 205 | |
| 206 | // Create test backend |
| 207 | serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert) |
| 208 | server := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 209 | defer server.Stop() |
| 210 | |
| 211 | // Configure client side xDS resources on the management server. |
| 212 | const serviceName = "my-service-client-side-xds" |
| 213 | const routeConfigName = "route-" + serviceName |
| 214 | const clusterName = "cluster-" + serviceName |
| 215 | const endpointName = "endpoint-" + serviceName |
| 216 | |
| 217 | listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)} |
| 218 | routes := []*v3routepb.RouteConfiguration{e2e.DefaultRouteConfig(routeConfigName, serviceName, clusterName)} |
| 219 | |
| 220 | // Configure the cluster with AutoHostSni and AutoSniSanValidation set to
| 221 | // true and a deliberately invalid Sni. The endpoint hostname is expected
| 221 | // to take precedence over this Sni for both the ServerName and the SAN check.
| 222 | cluster := e2e.DefaultCluster(clusterName, endpointName, e2e.SecurityLevelMTLS) |
| 223 | cluster.TransportSocket = &v3corepb.TransportSocket{ |
| 224 | Name: "envoy.transport_sockets.tls", |
| 225 | ConfigType: &v3corepb.TransportSocket_TypedConfig{ |
| 226 | TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{ |
| 227 | AutoHostSni: true, |
| 228 | AutoSniSanValidation: true, |
| 229 | Sni: "wrong.sni.domain", |
| 230 | CommonTlsContext: &v3tlspb.CommonTlsContext{ |
| 231 | ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{ |
| 232 | ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ |
| 233 | InstanceName: e2e.ClientSideCertProviderInstance, |
| 234 | CertificateName: "root", |
| 235 | }, |
| 236 | }, |
| 237 | TlsCertificateCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ |
| 238 | InstanceName: e2e.ClientSideCertProviderInstance, |
| 239 | CertificateName: "identity", |
| 240 | }, |
| 241 | }, |
| 242 | }), |
| 243 | }, |
| 244 | } |
| 245 | |
| 246 | // Endpoints configuring Hostname to the defaultTestCertSAN to verify |
| 247 | // AutoHostSni usage. |
| 248 | endpoints := []*v3endpointpb.ClusterLoadAssignment{ |
| 249 | e2e.EndpointResourceWithOptions(e2e.EndpointOptions{ |
| 250 | ClusterName: endpointName, |
| 251 | Host: "localhost", |
| 252 | Localities: []e2e.LocalityOptions{{ |
| 253 | Weight: 1, |
| 254 | Backends: []e2e.BackendOptions{{ |
| 255 | Ports: []uint32{testutils.ParsePort(t, server.Address)}, |
| 256 | Hostname: validSNI, |
| 257 | }}, |