
Method TestClientSideXDS_SNISANValidation

test/xds/xds_client_sni_test.go:61–194

Tests the SNI and SAN validation logic: verifies that RPCs succeed when AutoSniSanValidation is enabled and the SNI matches a DNS SAN in the server certificate, and that RPCs fail with an 'Unavailable' status when the SNI is present but does not match any DNS SAN in the certificate.

(t *testing.T)


59// SAN. Also verifies that RPCs fail with an 'Unavailable' status if the SNI is
60// present but does not match any DNS SAN in the certificate.
61func (s) TestClientSideXDS_SNISANValidation(t *testing.T) {
62 testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, true)
63
64 // Spin up an xDS management server.
65 mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t)
66
67 // Create test backends for two clusters:
68 // - backend1 configured with TLS creds, represents cluster1 (valid SNI)
69 // - backend2 configured with TLS creds, represents cluster2 (invalid SNI)
70 serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert)
71 server1 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds))
72 defer server1.Stop()
73 server2 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds))
74 defer server2.Stop()
75
76 const serviceName = "my-service-client-side-xds"
77 const routeConfigName = "route-" + serviceName
78 const clusterName1 = "cluster1-" + serviceName
79 const clusterName2 = "cluster2-" + serviceName
80 const endpointName1 = "endpoint1-" + serviceName
81 const endpointName2 = "endpoint2-" + serviceName
82
83 listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)}
84
85 // Route configuration:
86 // - "/grpc.testing.TestService/EmptyCall" --> cluster1 (valid SNI)
87 // - "/grpc.testing.TestService/UnaryCall" --> cluster2 (invalid SNI)
88 routes := []*v3routepb.RouteConfiguration{{
89 Name: routeConfigName,
90 VirtualHosts: []*v3routepb.VirtualHost{{
91 Domains: []string{serviceName},
92 Routes: []*v3routepb.Route{
93 {
94 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/EmptyCall"}},
95 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName1}}},
96 },
97 {
98 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/UnaryCall"}},
99 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName2}}},
100 },
101 },
102 }},
103 }}
104
105 // Configure cluster1 with valid SNI and AutoSniSanValidation set to true.
106 cluster1 := e2e.DefaultCluster(clusterName1, endpointName1, e2e.SecurityLevelMTLS)
107 cluster1.TransportSocket = &v3corepb.TransportSocket{
108 Name: "envoy.transport_sockets.tls",
109 ConfigType: &v3corepb.TransportSocket_TypedConfig{
110 TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{
111 Sni: validSNI,
112 AutoSniSanValidation: true,
113 CommonTlsContext: &v3tlspb.CommonTlsContext{
114 ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{
115 ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{InstanceName: e2e.ClientSideCertProviderInstance},
116 },
117 TlsCertificateCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{InstanceName: e2e.ClientSideCertProviderInstance},
118 },
