hub / github.com/grpc/grpc-go / TestClientSideXDS_FallbackSANMatchers

Method TestClientSideXDS_FallbackSANMatchers

test/xds/xds_client_sni_test.go:452–604  ·  view source on GitHub ↗

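TestClientSideXDS_FallbackSANMatchers tests that when AutoSniSanValidation is true, no SNI is provided by the control plane, and AutoHostSNI is not set, the validation falls back to using the explicit SAN matchers specified in the configuration. It verifies that RPCs succeed when the fallback matchers match the server certificate SAN and fail when they do not. The failing case is the security-relevant half: it shows that the fallback path still enforces server identity and does not accept a certificate only because no SNI was available to validate against.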

(t *testing.T)


450// configuration. It verifies that RPCs succeed when the fallback matchers match
451// the server certificate SAN and fail when they do not.
452func (s) TestClientSideXDS_FallbackSANMatchers(t *testing.T) {
453 testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, true)
454
455 // Spin up an xDS management server.
456 mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t)
457
458 // Create test backends.
459 serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert)
460 server1 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds))
461 defer server1.Stop()
462 server2 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds))
463 defer server2.Stop()
464
465 // Configure client side xDS resources on the management server.
466 const serviceName = "my-service-client-side-xds"
467 const routeConfigName = "route-" + serviceName
468 const clusterName1 = "cluster1-" + serviceName
469 const clusterName2 = "cluster2-" + serviceName
470 const endpointName1 = "endpoint1-" + serviceName
471 const endpointName2 = "endpoint2-" + serviceName
472
473 listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)}
474
475 routes := []*v3routepb.RouteConfiguration{{
476 Name: routeConfigName,
477 VirtualHosts: []*v3routepb.VirtualHost{{
478 Domains: []string{serviceName},
479 Routes: []*v3routepb.Route{
480 {
481 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/EmptyCall"}},
482 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName1}}},
483 },
484 {
485 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/UnaryCall"}},
486 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName2}}},
487 },
488 },
489 }},
490 }}
491
492 // Configure cluster1 with AutoSniSanValidation set to true and no SNI
493 // provided for the handshake. The validation falls back to using the explicit
494 // SAN matchers specified in the configuration which matches the server1's
495 // certificate SAN.
496 cluster1 := e2e.DefaultCluster(clusterName1, endpointName1, e2e.SecurityLevelMTLS)
497 cluster1.TransportSocket = &v3corepb.TransportSocket{
498 Name: "envoy.transport_sockets.tls",
499 ConfigType: &v3corepb.TransportSocket_TypedConfig{
500 TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{
501 AutoSniSanValidation: true,
502 CommonTlsContext: &v3tlspb.CommonTlsContext{
503 ValidationContextType: &v3tlspb.CommonTlsContext_CombinedValidationContext{
504 CombinedValidationContext: &v3tlspb.CommonTlsContext_CombinedCertificateValidationContext{
505 DefaultValidationContext: &v3tlspb.CertificateValidationContext{
506 MatchSubjectAltNames: []*v3matcherpb.StringMatcher{
507 {MatchPattern: &v3matcherpb.StringMatcher_Exact{Exact: "*.test.example.com"}},
508 },
509 CaCertificateProviderInstance: &v3tlspb.CertificateProviderPluginInstance{

Callers

nothing calls this directly

Calls 15

EmptyCallMethod · 0.95
UnaryCallMethod · 0.95
SetEnvConfigFunction · 0.92
StartTestServiceFunction · 0.92
CredsFunction · 0.92
DefaultClientListenerFunction · 0.92
DefaultClusterFunction · 0.92
MarshalAnyFunction · 0.92
DefaultEndpointFunction · 0.92
ParsePortFunction · 0.92

Tested by

no test coverage detected