address comment

Author: ZetaoZhuang

cns/service.go

@@ -184,12 +184,13 @@ func verifyPeerCertificate(verifiedChains [][]*x509.Certificate, clientSubjectNa
 	}
 
 	// maskHalf of the DNS names
+	maskedDNS := make([]string, len(dnsNames))
 	for i, dns := range dnsNames {
-		dnsNames[i] = maskHalf(dns)
+		maskedDNS[i] = maskHalf(dns)
 	}
 
 	return errors.Errorf("Failed to verify client certificate subject name during mTLS, clientSubjectName: %s, client cert SANs: %+v, clientCN: %s",
-		clientSubjectName, dnsNames, maskHalf(clientCN))
+		clientSubjectName, maskedDNS, maskHalf(clientCN))
 }
 
 // maskHalf masks half of the input string with asterisks.

cns/service_test.go

@@ -207,29 +207,29 @@ func TestNewService(t *testing.T) {
 				req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, tlsURL, http.NoBody)
 				require.NoError(t, err)
 				resp, err := client.Do(req)
-				t.Cleanup(func() {
-					if resp != nil && resp.Body != nil {
-						resp.Body.Close()
-					}
-				})
 				if tc.handshakeFailureExpected {
 					require.Error(t, err)
 					require.ErrorContains(t, err, "Failed to verify client certificate subject name during mTLS")
 				} else {
 					require.NoError(t, err)
+					t.Cleanup(func() {
+						if resp != nil && resp.Body != nil {
+							resp.Body.Close()
+						}
+					})
 				}
 
 				// HTTP listener
 				httpClient := &http.Client{}
 				req, err = http.NewRequestWithContext(context.TODO(), http.MethodGet, "http://localhost:10090", http.NoBody)
 				require.NoError(t, err)
 				resp, err = httpClient.Do(req)
+				require.NoError(t, err)
 				t.Cleanup(func() {
 					if resp != nil && resp.Body != nil {
 						resp.Body.Close()
 					}
 				})
-				require.NoError(t, err)
 
 				// Cleanup
 				svc.Uninitialize()