address comment

ZetaoZhuang · ZetaoZhuang · commit 33e3b69d2c43 · 2025-10-29T21:00:00.000-07:00
diff --git a/cns/service.go b/cns/service.go
@@ -167,22 +167,40 @@ func verifyPeerCertificate(verifiedChains [][]*x509.Certificate, clientSubjectNa
 		return errors.New("no client certificate provided during mTLS")
 	}
 
+	// Get client leaf certificate
 	clientCert := verifiedChains[0][0]
 	// Match DNS names (case-insensitive)
-	dnsName := clientCert.DNSNames
-	for _, dns := range dnsName {
+	dnsNames := clientCert.DNSNames
+	for _, dns := range dnsNames {
 		if strings.EqualFold(dns, clientSubjectName) {
 			return nil
 		}
 	}
 
 	// If SANs didn't match, fall back to Common Name (CN) match.
 	clientCN := clientCert.Subject.CommonName
-	if clientCert.Subject.CommonName != "" && strings.EqualFold(clientCN, clientSubjectName) {
+	if clientCN != "" && strings.EqualFold(clientCN, clientSubjectName) {
 		return nil
 	}
-	return errors.Errorf("Failed to verify client certificate subject name during mTLS, clientSubjectName: %s, client cert SANs: %+v, CN: %s",
-		clientSubjectName, dnsName, clientCN)
+
+	// maskHalf of the DNS names
+	for i, dns := range dnsNames {
+		dnsNames[i] = maskHalf(dns)
+	}
+
+	return errors.Errorf("Failed to verify client certificate subject name during mTLS, clientSubjectName: %s, client cert SANs: %+v, clientCN: %s",
+		clientSubjectName, dnsNames, maskHalf(clientCN))
+}
+
+// maskHalf masks half of the input string with asterisks.
+func maskHalf(s string) string {
+	n := len(s)
+	if n == 0 {
+		return s
+	}
+
+	half := n / 2
+	return s[:half] + strings.Repeat("*", n-half)
 }
 
 func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error) {
diff --git a/cns/service_test.go b/cns/service_test.go
@@ -133,91 +133,108 @@ func TestNewService(t *testing.T) {
 	t.Run("NewServiceWithMutualTLS", func(t *testing.T) {
 		testCertFilePath := createTestCertificate(t)
 
-		TLSSetting := serverTLS.TlsSettings{
-			TLSPort:                   "10091",
-			TLSSubjectName:            "localhost",
-			TLSCertificatePath:        testCertFilePath,
-			UseMTLS:                   true,
-			MinTLSVersion:             "TLS 1.2",
-			MtlsClientCertSubjectName: "example.com",
-		}
-
-		TLSSettingWithDisallowedClientSN := serverTLS.TlsSettings{
-			TLSPort:                   "10092",
-			TLSSubjectName:            "localhost",
-			TLSCertificatePath:        testCertFilePath,
-			UseMTLS:                   true,
-			MinTLSVersion:             "TLS 1.2",
-			MtlsClientCertSubjectName: "random.com",
+		cases := []struct {
+			name                     string
+			tlsSettings              serverTLS.TlsSettings
+			handshakeFailureExpected bool
+		}{
+			{
+				name: "matching client SANs",
+				tlsSettings: serverTLS.TlsSettings{
+					TLSPort:                   "10091",
+					TLSSubjectName:            "localhost",
+					TLSCertificatePath:        testCertFilePath,
+					UseMTLS:                   true,
+					MinTLSVersion:             "TLS 1.2",
+					MtlsClientCertSubjectName: "example.com",
+				},
+				handshakeFailureExpected: false,
+			},
+			{
+				name: "matching client cert CN",
+				tlsSettings: serverTLS.TlsSettings{
+					TLSPort:                   "10093",
+					TLSSubjectName:            "localhost",
+					TLSCertificatePath:        testCertFilePath,
+					UseMTLS:                   true,
+					MinTLSVersion:             "TLS 1.2",
+					MtlsClientCertSubjectName: "foo.com", // Common Name from test certificate
+				},
+				handshakeFailureExpected: false,
+			},
+			{
+				name: "failing to match client SANs and CN",
+				tlsSettings: serverTLS.TlsSettings{
+					TLSPort:                   "10092",
+					TLSSubjectName:            "localhost",
+					TLSCertificatePath:        testCertFilePath,
+					UseMTLS:                   true,
+					MinTLSVersion:             "TLS 1.2",
+					MtlsClientCertSubjectName: "random.com",
+				},
+				handshakeFailureExpected: true,
+			},
 		}
 
-		TLSSettingWithClientCertCN := serverTLS.TlsSettings{
-			TLSPort:                   "10093",
-			TLSSubjectName:            "localhost",
-			TLSCertificatePath:        testCertFilePath,
-			UseMTLS:                   true,
-			MinTLSVersion:             "TLS 1.2",
-			MtlsClientCertSubjectName: "foo.com", // Common Name from test certificate
-		}
+		for _, tc := range cases {
+			t.Run(tc.name, func(t *testing.T) {
+				config.TLSSettings = tc.tlsSettings
 
-		runMutualTLSTest := func(tlsSettings serverTLS.TlsSettings, handshakeFailureExpected bool) {
-			config.TLSSettings = tlsSettings
-			svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
-			require.NoError(t, err)
-			require.IsType(t, &Service{}, svc)
+				svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
+				require.NoError(t, err)
+				require.IsType(t, &Service{}, svc)
 
-			svc.SetOption(acn.OptCnsURL, "")
-			svc.SetOption(acn.OptCnsPort, "")
+				svc.SetOption(acn.OptCnsURL, "")
+				svc.SetOption(acn.OptCnsPort, "")
 
-			err = svc.Initialize(config)
-			require.NoError(t, err)
+				err = svc.Initialize(config)
+				require.NoError(t, err)
 
-			err = svc.StartListener(config)
-			require.NoError(t, err)
+				err = svc.StartListener(config)
+				require.NoError(t, err)
 
-			mTLSConfig, err := getTLSConfigFromFile(config.TLSSettings)
-			require.NoError(t, err)
+				mTLSConfig, err := getTLSConfigFromFile(config.TLSSettings)
+				require.NoError(t, err)
 
-			client := &http.Client{
-				Transport: &http.Transport{
-					TLSClientConfig: mTLSConfig,
-				},
-			}
+				client := &http.Client{
+					Transport: &http.Transport{
+						TLSClientConfig: mTLSConfig,
+					},
+				}
 
-			tlsURL := "https://localhost:" + tlsSettings.TLSPort
-			// TLS listener
-			req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, tlsURL, http.NoBody)
-			require.NoError(t, err)
-			resp, err := client.Do(req)
-			t.Cleanup(func() {
-				if resp != nil && resp.Body != nil {
-					resp.Body.Close()
+				tlsURL := "https://localhost:" + tc.tlsSettings.TLSPort
+				// TLS listener
+				req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, tlsURL, http.NoBody)
+				require.NoError(t, err)
+				resp, err := client.Do(req)
+				t.Cleanup(func() {
+					if resp != nil && resp.Body != nil {
+						resp.Body.Close()
+					}
+				})
+				if tc.handshakeFailureExpected {
+					require.Error(t, err)
+					require.ErrorContains(t, err, "Failed to verify client certificate subject name during mTLS")
+				} else {
+					require.NoError(t, err)
 				}
-			})
-			if handshakeFailureExpected {
-				require.Error(t, err)
-				require.ErrorContains(t, err, "Failed to verify client certificate subject name during mTLS")
 
-			} else {
+				// HTTP listener
+				httpClient := &http.Client{}
+				req, err = http.NewRequestWithContext(context.TODO(), http.MethodGet, "http://localhost:10090", http.NoBody)
+				require.NoError(t, err)
+				resp, err = httpClient.Do(req)
+				t.Cleanup(func() {
+					if resp != nil && resp.Body != nil {
+						resp.Body.Close()
+					}
+				})
 				require.NoError(t, err)
-			}
 
-			// HTTP listener
-			httpClient := &http.Client{}
-			req, err = http.NewRequestWithContext(context.TODO(), http.MethodGet, "http://localhost:10090", http.NoBody)
-			require.NoError(t, err)
-			resp, err = httpClient.Do(req)
-			t.Cleanup(func() {
-				resp.Body.Close()
+				// Cleanup
+				svc.Uninitialize()
 			})
-			require.NoError(t, err)
-
-			// Cleanup
-			svc.Uninitialize()
 		}
-		runMutualTLSTest(TLSSetting, false)
-		runMutualTLSTest(TLSSettingWithClientCertCN, false)
-		runMutualTLSTest(TLSSettingWithDisallowedClientSN, true)
 	})
 }
 
@@ -389,3 +406,28 @@ func TestTLSVersionNumber(t *testing.T) {
 		require.NoError(t, err)
 	})
 }
+
+func TestMaskHalf(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{"empty", "", ""},
+		{"one char string", "e", "*"},
+		{"two chars string", "ex", "e*"},
+		{"three chars string", "exa", "e**"},
+		{"four chars string", "exam", "ex**"},
+		{"five chars string", "examp", "ex***"},
+		{"long string", "example.com", "examp******"},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := maskHalf(tc.in)
+			if got != tc.want {
+				t.Fatalf("maskHalf(%s) = %s, want %s", tc.in, got, tc.want)
+			}
+		})
+	}
+}
