
Method TestClientSideXDS_SNIEnvVarDisabled

test/xds/xds_client_sni_test.go:611–765  ·  view source on GitHub ↗

Tests that when the XDSSNIEnabled environment variable is set to false, SNI is not used for validation even if AutoSniSanValidation is true and SNI is set. It verifies that the system falls back to using explicit SAN matchers if provided, and the TLS handshake succeeds when they match the server certificate SAN.

(t *testing.T)


609// provided, and the TLS handshake succeeds when they match the server
610// certificate SAN.
611func (s) TestClientSideXDS_SNIEnvVarDisabled(t *testing.T) {
612 testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, false)
613
614 // Spin up an xDS management server.
615 mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t)
616
617 // Create test backends.
618 serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert)
619 server1 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds))
620 defer server1.Stop()
621 server2 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds))
622 defer server2.Stop()
623
624 // Configure client side xDS resources on the management server.
625 const serviceName = "my-service-client-side-xds"
626 const routeConfigName = "route-" + serviceName
627 const clusterName1 = "cluster1-" + serviceName
628 const clusterName2 = "cluster2-" + serviceName
629 const endpointName1 = "endpoint1-" + serviceName
630 const endpointName2 = "endpoint2-" + serviceName
631
632 listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)}
633
634 routes := []*v3routepb.RouteConfiguration{{
635 Name: routeConfigName,
636 VirtualHosts: []*v3routepb.VirtualHost{{
637 Domains: []string{serviceName},
638 Routes: []*v3routepb.Route{
639 {
640 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/EmptyCall"}},
641 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName1}}},
642 },
643 {
644 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/UnaryCall"}},
645 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName2}}},
646 },
647 },
648 }},
649 }}
650
651 // cluster1 configuration with AutoSniSanValidation set to true and wrong SNI
652 // provided for the handshake. The validation falls back to using the explicit
653 // SAN matchers specified in the configuration which matches the server1's
654 // certificate SAN.
655 cluster1 := e2e.DefaultCluster(clusterName1, endpointName1, e2e.SecurityLevelMTLS)
656 cluster1.TransportSocket = &v3corepb.TransportSocket{
657 Name: "envoy.transport_sockets.tls",
658 ConfigType: &v3corepb.TransportSocket_TypedConfig{
659 TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{
660 Sni: "incorrect.sni",
661 AutoSniSanValidation: true,
662 CommonTlsContext: &v3tlspb.CommonTlsContext{
663 ValidationContextType: &v3tlspb.CommonTlsContext_CombinedValidationContext{
664 CombinedValidationContext: &v3tlspb.CommonTlsContext_CombinedCertificateValidationContext{
665 DefaultValidationContext: &v3tlspb.CertificateValidationContext{
666 MatchSubjectAltNames: []*v3matcherpb.StringMatcher{
667 {MatchPattern: &v3matcherpb.StringMatcher_Exact{Exact: "*.test.example.com"}},
668 },

Callers

nothing calls this directly

Calls 15

EmptyCallMethod · 0.95
UnaryCallMethod · 0.95
SetEnvConfigFunction · 0.92
StartTestServiceFunction · 0.92
CredsFunction · 0.92
DefaultClientListenerFunction · 0.92
DefaultClusterFunction · 0.92
MarshalAnyFunction · 0.92
DefaultEndpointFunction · 0.92
ParsePortFunction · 0.92

Tested by

no test coverage detected