Tests that when the XDSSNIEnabled environment variable is set to false, SNI is not used for validation even if AutoSniSanValidation is true and SNI is set. It verifies that the system falls back to using explicit SAN matchers if provided, and the TLS handshake succeeds when they match the server certificate SAN.
| 609 | // provided, and the TLS handshake succeeds when they match the server |
| 610 | // certificate SAN. |
| 611 | func (s) TestClientSideXDS_SNIEnvVarDisabled(t *testing.T) { |
| 612 | testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, false) |
| 613 | |
| 614 | // Spin up an xDS management server. |
| 615 | mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t) |
| 616 | |
| 617 | // Create test backends. |
| 618 | serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert) |
| 619 | server1 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 620 | defer server1.Stop() |
| 621 | server2 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 622 | defer server2.Stop() |
| 623 | |
| 624 | // Configure client side xDS resources on the management server. |
| 625 | const serviceName = "my-service-client-side-xds" |
| 626 | const routeConfigName = "route-" + serviceName |
| 627 | const clusterName1 = "cluster1-" + serviceName |
| 628 | const clusterName2 = "cluster2-" + serviceName |
| 629 | const endpointName1 = "endpoint1-" + serviceName |
| 630 | const endpointName2 = "endpoint2-" + serviceName |
| 631 | |
| 632 | listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)} |
| 633 | |
| 634 | routes := []*v3routepb.RouteConfiguration{{ |
| 635 | Name: routeConfigName, |
| 636 | VirtualHosts: []*v3routepb.VirtualHost{{ |
| 637 | Domains: []string{serviceName}, |
| 638 | Routes: []*v3routepb.Route{ |
| 639 | { |
| 640 | Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/EmptyCall"}}, |
| 641 | Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName1}}}, |
| 642 | }, |
| 643 | { |
| 644 | Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/UnaryCall"}}, |
| 645 | Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName2}}}, |
| 646 | }, |
| 647 | }, |
| 648 | }}, |
| 649 | }} |
| 650 | |
| 651 | // cluster1 configuration with AutoSniSanValidation set to true and wrong SNI |
| 652 | // provided for the handshake. The validation falls back to using the explicit |
| 653 | // SAN matchers specified in the configuration which matches the server1's |
| 654 | // certificate SAN. |
| 655 | cluster1 := e2e.DefaultCluster(clusterName1, endpointName1, e2e.SecurityLevelMTLS) |
| 656 | cluster1.TransportSocket = &v3corepb.TransportSocket{ |
| 657 | Name: "envoy.transport_sockets.tls", |
| 658 | ConfigType: &v3corepb.TransportSocket_TypedConfig{ |
| 659 | TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{ |
| 660 | Sni: "incorrect.sni", |
| 661 | AutoSniSanValidation: true, |
| 662 | CommonTlsContext: &v3tlspb.CommonTlsContext{ |
| 663 | ValidationContextType: &v3tlspb.CommonTlsContext_CombinedValidationContext{ |
| 664 | CombinedValidationContext: &v3tlspb.CommonTlsContext_CombinedCertificateValidationContext{ |
| 665 | DefaultValidationContext: &v3tlspb.CertificateValidationContext{ |
| 666 | MatchSubjectAltNames: []*v3matcherpb.StringMatcher{ |
| 667 | {MatchPattern: &v3matcherpb.StringMatcher_Exact{Exact: "*.test.example.com"}}, |
| 668 | }, |