TestClientSideXDS_FallbackSANMatchers tests that when AutoSniSanValidation is true, and no SNI is provided by the control plane and AutoHostSNI is not set, the validation falls back to using the explicit SAN matchers specified in the configuration. It verifies that RPCs succeed when the fallback matchers match the server certificate SAN and fail when they do not.
| 450 | // configuration. It verifies that RPCs succeed when the fallback matchers match |
| 451 | // the server certificate SAN and fail when they do not. |
| 452 | func (s) TestClientSideXDS_FallbackSANMatchers(t *testing.T) { |
| 453 | testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, true) |
| 454 | |
| 455 | // Spin up an xDS management server. |
| 456 | mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t) |
| 457 | |
| 458 | // Create test backends. |
| 459 | serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert) |
| 460 | server1 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 461 | defer server1.Stop() |
| 462 | server2 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 463 | defer server2.Stop() |
| 464 | |
| 465 | // Configure client side xDS resources on the management server. |
| 466 | const serviceName = "my-service-client-side-xds" |
| 467 | const routeConfigName = "route-" + serviceName |
| 468 | const clusterName1 = "cluster1-" + serviceName |
| 469 | const clusterName2 = "cluster2-" + serviceName |
| 470 | const endpointName1 = "endpoint1-" + serviceName |
| 471 | const endpointName2 = "endpoint2-" + serviceName |
| 472 | |
| 473 | listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)} |
| 474 | |
| 475 | routes := []*v3routepb.RouteConfiguration{{ |
| 476 | Name: routeConfigName, |
| 477 | VirtualHosts: []*v3routepb.VirtualHost{{ |
| 478 | Domains: []string{serviceName}, |
| 479 | Routes: []*v3routepb.Route{ |
| 480 | { |
| 481 | Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/EmptyCall"}}, |
| 482 | Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName1}}}, |
| 483 | }, |
| 484 | { |
| 485 | Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/UnaryCall"}}, |
| 486 | Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName2}}}, |
| 487 | }, |
| 488 | }, |
| 489 | }}, |
| 490 | }} |
| 491 | |
| 492 | // Configure cluster1 with AutoSniSanValidation set to true and no SNI |
| 493 | // provided for the handshake. The validation falls back to using the explicit |
| 494 | // SAN matchers specified in the configuration which matches the server1's |
| 495 | // certificate SAN. |
| 496 | cluster1 := e2e.DefaultCluster(clusterName1, endpointName1, e2e.SecurityLevelMTLS) |
| 497 | cluster1.TransportSocket = &v3corepb.TransportSocket{ |
| 498 | Name: "envoy.transport_sockets.tls", |
| 499 | ConfigType: &v3corepb.TransportSocket_TypedConfig{ |
| 500 | TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{ |
| 501 | AutoSniSanValidation: true, |
| 502 | CommonTlsContext: &v3tlspb.CommonTlsContext{ |
| 503 | ValidationContextType: &v3tlspb.CommonTlsContext_CombinedValidationContext{ |
| 504 | CombinedValidationContext: &v3tlspb.CommonTlsContext_CombinedCertificateValidationContext{ |
| 505 | DefaultValidationContext: &v3tlspb.CertificateValidationContext{ |
| 506 | MatchSubjectAltNames: []*v3matcherpb.StringMatcher{ |
| 507 | {MatchPattern: &v3matcherpb.StringMatcher_Exact{Exact: "*.test.example.com"}}, |
| 508 | }, |
| 509 | CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{ |