update config name and error msgs

Author: ZetaoZhuang

cns/configuration/cns_config.json

@@ -36,5 +36,5 @@
         "PopulateHomeAzCacheRetryIntervalSecs": 60
     },
     "MinTLSVersion": "TLS 1.2",
-    "AllowedClientSubjectName": ""
+    "MtlsClientCertSubjectName": ""
 }

cns/configuration/configuration.go

@@ -59,7 +59,7 @@ type CNSConfig struct {
 	WireserverIP                string
 	GRPCSettings                GRPCSettings
 	MinTLSVersion               string
-	AllowedClientSubjectName    string
+	MtlsClientCertSubjectName   string
 }
 
 type TelemetrySettings struct {

cns/configuration/configuration_test.go

@@ -222,8 +222,8 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "localhost",
 					Port:      8080,
 				},
-				MinTLSVersion:            "TLS 1.2",
-				AllowedClientSubjectName: "",
+				MinTLSVersion:             "TLS 1.2",
+				MtlsClientCertSubjectName: "",
 			},
 		},
 		{
@@ -254,8 +254,8 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "192.168.1.1",
 					Port:      9090,
 				},
-				MinTLSVersion:            "TLS 1.3",
-				AllowedClientSubjectName: "example.com",
+				MinTLSVersion:             "TLS 1.3",
+				MtlsClientCertSubjectName: "example.com",
 			},
 			want: CNSConfig{
 				ChannelMode: "Other",
@@ -285,8 +285,8 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "192.168.1.1",
 					Port:      9090,
 				},
-				MinTLSVersion:            "TLS 1.3",
-				AllowedClientSubjectName: "example.com",
+				MinTLSVersion:             "TLS 1.3",
+				MtlsClientCertSubjectName: "example.com",
 			},
 		},
 	}

cns/service.go

@@ -158,22 +158,23 @@ func getTLSConfig(tlsSettings localtls.TlsSettings, errChan chan<- error) (*tls.
 
 // verifyPeerCertificate verifies the client certificate's subject name matches the expected subject name.
 func verifyPeerCertificate(rawCerts [][]byte, clientSubjectName string) error {
-	if len(rawCerts) == 0 {
-		return errors.New("no client certificate provided")
-	}
 	// no client subject name provided, skip verification
 	if clientSubjectName == "" {
 		return nil
 	}
 
+	if len(rawCerts) == 0 {
+		return errors.New("no client certificate provided during mTLS")
+	}
+
 	cert, err := x509.ParseCertificate(rawCerts[0])
 	if err != nil {
-		return errors.Errorf("failed to parse certificate: %v", err)
+		return errors.Errorf("Failed to parse client certificate during mTLS: %v", err)
 	}
 
 	err = cert.VerifyHostname(clientSubjectName)
 	if err != nil {
-		return errors.Errorf("failed to verify client certificate hostname: %v", err)
+		return errors.Errorf("Failed to verify client certificate subject name during mTLS: %v", err)
 	}
 	return nil
 }

cns/service/main.go

@@ -810,7 +810,7 @@ func main() {
 				KeyVaultCertificateRefreshInterval: time.Duration(cnsconfig.KeyVaultSettings.RefreshIntervalInHrs) * time.Hour,
 				UseMTLS:                            cnsconfig.UseMTLS,
 				MinTLSVersion:                      cnsconfig.MinTLSVersion,
-				AllowedClientSubjectName:           cnsconfig.AllowedClientSubjectName,
+				AllowedClientSubjectName:           cnsconfig.MtlsClientCertSubjectName,
 			}
 		}
 

cns/service_test.go

@@ -187,7 +187,7 @@ func TestNewService(t *testing.T) {
 			})
 			if handshakeFailureExpected {
 				require.Error(t, err)
-				require.ErrorContains(t, err, "failed to verify client certificate hostname")
+				require.ErrorContains(t, err, "Failed to verify client certificate subject name during mTLS")
 
 			} else {
 				require.NoError(t, err)