Tests the SNI/SAN validation logic: verifies that RPCs succeed when `AutoSniSanValidation` is enabled on the upstream TLS context and the configured SNI matches a DNS SAN in the server certificate, and that RPCs fail with an `Unavailable` status when an SNI is present but matches none of the certificate's DNS SANs (i.e. the client must not silently accept a certificate issued for a different hostname).
(t *testing.T)
| 59 | // SAN. Also verifies that RPCs fail with an 'Unavailable' status if the SNI is |
| 60 | // present but does not match any DNS SAN in the certificate. |
| 61 | func (s) TestClientSideXDS_SNISANValidation(t *testing.T) { |
| 62 | testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, true) |
| 63 | |
| 64 | // Spin up an xDS management server. |
| 65 | mgmtServer, nodeID, _, xdsResolver := setup.ManagementServerAndResolver(t) |
| 66 | |
| 67 | // Create test backends for two clusters: |
| 68 | // - backend1 configured with TLS creds, represents cluster1 (valid SNI) |
| 69 | // - backend2 configured with TLS creds, represents cluster2 (invalid SNI) |
| 70 | serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert) |
| 71 | server1 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 72 | defer server1.Stop() |
| 73 | server2 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) |
| 74 | defer server2.Stop() |
| 75 | |
| 76 | const serviceName = "my-service-client-side-xds" |
| 77 | const routeConfigName = "route-" + serviceName |
| 78 | const clusterName1 = "cluster1-" + serviceName |
| 79 | const clusterName2 = "cluster2-" + serviceName |
| 80 | const endpointName1 = "endpoint1-" + serviceName |
| 81 | const endpointName2 = "endpoint2-" + serviceName |
| 82 | |
| 83 | listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)} |
| 84 | |
| 85 | // Route configuration: |
| 86 | // - "/grpc.testing.TestService/EmptyCall" --> cluster1 (valid SNI) |
| 87 | // - "/grpc.testing.TestService/UnaryCall" --> cluster2 (invalid SNI) |
| 88 | routes := []*v3routepb.RouteConfiguration{{ |
| 89 | Name: routeConfigName, |
| 90 | VirtualHosts: []*v3routepb.VirtualHost{{ |
| 91 | Domains: []string{serviceName}, |
| 92 | Routes: []*v3routepb.Route{ |
| 93 | { |
| 94 | Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/EmptyCall"}}, |
| 95 | Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName1}}}, |
| 96 | }, |
| 97 | { |
| 98 | Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/UnaryCall"}}, |
| 99 | Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName2}}}, |
| 100 | }, |
| 101 | }, |
| 102 | }}, |
| 103 | }} |
| 104 | |
| 105 | // Configure cluster1 with valid SNI and AutoSniSanValidation set to true. |
| 106 | cluster1 := e2e.DefaultCluster(clusterName1, endpointName1, e2e.SecurityLevelMTLS) |
| 107 | cluster1.TransportSocket = &v3corepb.TransportSocket{ |
| 108 | Name: "envoy.transport_sockets.tls", |
| 109 | ConfigType: &v3corepb.TransportSocket_TypedConfig{ |
| 110 | TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{ |
| 111 | Sni: validSNI, |
| 112 | AutoSniSanValidation: true, |
| 113 | CommonTlsContext: &v3tlspb.CommonTlsContext{ |
| 114 | ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{ |
| 115 | ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{InstanceName: e2e.ClientSideCertProviderInstance}, |
| 116 | }, |
| 117 | TlsCertificateCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{InstanceName: e2e.ClientSideCertProviderInstance}, |
| 118 | }, |