Enables EndpointValidation (Azure#47111)

* Enables EndpointValidation

* Update Configs.java

* Fixing test failures

* Update TestSuiteBase.java

* Create InvalidHostnameTest.java

* Update InvalidHostnameTest.java

* Updating changelog

* Updated changelogs

* Adding tests for direct mode

* Fixing test flakiness due to Client leak

* Fixed changelog

* Iterating on test fixes

* Adding more memory related logs

* Iterating on test fixes

* Revert unnecessary changes

* Update TestSuiteBase.java

* Update TestSuiteBase.java

* Update TestSuiteBase.java

* Update log4j2-test.properties

* Update RxDocumentClientImpl.java

* Update InvalidHostnameTest.java

* Update CosmosDiagnosticsTest.java

Author: FabianMeiswinkel

sdk/cosmos/azure-cosmos-encryption/CHANGELOG.md

@@ -9,6 +9,7 @@
 #### Bugs Fixed
 
 #### Other Changes
+* Enabled hostname validation for RNTBD connections to backend - [PR 47111](https://github.com/Azure/azure-sdk-for-java/pull/47111)
 
 ### 2.24.0 (2025-10-21)
 #### Other Changes

sdk/cosmos/azure-cosmos-kafka-connect/CHANGELOG.md

@@ -9,6 +9,7 @@
 #### Bugs Fixed
 
 #### Other Changes
+* Enabled hostname validation for RNTBD connections to backend - [PR 47111](https://github.com/Azure/azure-sdk-for-java/pull/47111)
 
 ### 2.6.1 (2025-11-18)
 

sdk/cosmos/azure-cosmos-spark_3-3_2-12/CHANGELOG.md

@@ -9,6 +9,7 @@
 #### Bugs Fixed
 
 #### Other Changes
+* Enabled hostname validation for RNTBD connections to backend - [PR 47111](https://github.com/Azure/azure-sdk-for-java/pull/47111)
 
 ### 4.41.0 (2025-10-21)
 

sdk/cosmos/azure-cosmos-spark_3-4_2-12/CHANGELOG.md

@@ -9,6 +9,7 @@
 #### Bugs Fixed
 
 #### Other Changes
+* Enabled hostname validation for RNTBD connections to backend - [PR 47111](https://github.com/Azure/azure-sdk-for-java/pull/47111)
 
 ### 4.41.0 (2025-10-21)
 

sdk/cosmos/azure-cosmos-spark_3-5_2-12/CHANGELOG.md

@@ -9,6 +9,7 @@
 #### Bugs Fixed
 
 #### Other Changes
+* Enabled hostname validation for RNTBD connections to backend - [PR 47111](https://github.com/Azure/azure-sdk-for-java/pull/47111)
 
 ### 4.41.0 (2025-10-21)
 

sdk/cosmos/azure-cosmos-tests/src/test/java/com/azure/cosmos/CosmosDiagnosticsTest.java

@@ -569,8 +569,16 @@ public void databaseAccountToClients() {
             String diagnostics = createResponse.getDiagnostics().toString();
 
             // assert diagnostics shows the correct format for tracking client instances
-            assertThat(diagnostics).contains(String.format("\"clientEndpoints\"" +
-                    ":{\"%s\"", TestConfigurations.HOST));
+            String prefix = "\"clientEndpoints\":{";
+            int startIndex = diagnostics.indexOf(prefix);
+            assertThat(startIndex).isGreaterThanOrEqualTo(0);
+            startIndex += prefix.length();
+            int endIndex = diagnostics.indexOf("}", startIndex);
+            assertThat(endIndex).isGreaterThan(startIndex);
+            int matchingIndex = diagnostics.indexOf(TestConfigurations.HOST, startIndex);
+            assertThat(matchingIndex).isGreaterThanOrEqualTo(startIndex);
+            assertThat(matchingIndex).isLessThanOrEqualTo(endIndex);
+
             // track number of clients currently mapped to account
             int clientsIndex = diagnostics.indexOf("\"clientEndpoints\":");
             // we do end at +120 to ensure we grab the bracket even if the account is very long or if
@@ -592,8 +600,14 @@ public void databaseAccountToClients() {
             createResponse = cosmosContainer.createItem(internalObjectNode);
             diagnostics = createResponse.getDiagnostics().toString();
             // assert diagnostics shows the correct format for tracking client instances
-            assertThat(diagnostics).contains(String.format("\"clientEndpoints\"" +
-                ":{\"%s\"", TestConfigurations.HOST));
+            startIndex = diagnostics.indexOf(prefix);
+            assertThat(startIndex).isGreaterThanOrEqualTo(0);
+            startIndex += prefix.length();
+            endIndex = diagnostics.indexOf("}", startIndex);
+            assertThat(endIndex).isGreaterThan(startIndex);
+            matchingIndex = diagnostics.indexOf(TestConfigurations.HOST, startIndex);
+            assertThat(matchingIndex).isGreaterThanOrEqualTo(startIndex);
+            assertThat(matchingIndex).isLessThanOrEqualTo(endIndex);
             // grab new value and assert one additional client is mapped to the same account used previously
             clientsIndex = diagnostics.indexOf("\"clientEndpoints\":");
             substrings = diagnostics.substring(clientsIndex, clientsIndex + 120)

sdk/cosmos/azure-cosmos-tests/src/test/java/com/azure/cosmos/InvalidHostnameTest.java

@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ *
+ */
+package com.azure.cosmos;
+
+import com.azure.cosmos.implementation.Configs;
+import com.azure.cosmos.implementation.GlobalEndpointManager;
+import com.azure.cosmos.implementation.GoneException;
+import com.azure.cosmos.implementation.HttpConstants;
+import com.azure.cosmos.implementation.InternalServerErrorException;
+import com.azure.cosmos.implementation.RxDocumentServiceRequest;
+import com.azure.cosmos.implementation.Utils;
+import com.azure.cosmos.implementation.directconnectivity.ReflectionUtils;
+import com.azure.cosmos.implementation.directconnectivity.StoreResponse;
+import com.azure.cosmos.implementation.directconnectivity.TransportClient;
+import com.azure.cosmos.implementation.directconnectivity.Uri;
+import com.azure.cosmos.implementation.directconnectivity.rntbd.ProactiveOpenConnectionsProcessor;
+import com.azure.cosmos.implementation.faultinjection.IFaultInjectorProvider;
+import com.azure.cosmos.models.CosmosContainerIdentity;
+import com.azure.cosmos.models.ThroughputProperties;
+import com.azure.cosmos.rx.TestSuiteBase;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.ByteBufAllocator;
+import org.testng.SkipException;
+import org.testng.annotations.Factory;
+import org.testng.annotations.Test;
+import reactor.core.publisher.Mono;
+
+import javax.net.ssl.SSLHandshakeException;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+import java.util.List;
+import java.util.UUID;
+
+import static org.assertj.core.api.Assertions.fail;
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class InvalidHostnameTest extends TestSuiteBase {
+    @Factory(dataProvider = "clientBuildersWithSessionConsistency")
+    public InvalidHostnameTest(CosmosClientBuilder clientBuilder) {
+        super(clientBuilder);
+    }
+
+    @Test(groups = { "fast", "fi-multi-master", "multi-region" }, timeOut = TIMEOUT)
+    public void gatewayConnectionFailsWhenHostnameIsInvalid() throws Exception {
+        gatewayConnectionFailsWhenHostnameIsInvalidCore(null);
+        gatewayConnectionFailsWhenHostnameIsInvalidCore(false);
+    }
+
+    @Test(groups = { "fast", "fi-multi-master", "multi-region" }, timeOut = TIMEOUT)
+    public void gatewayConnectionFailsWhenHostnameIsInvalidEvenWhenHostnameValidationIsDisabled() throws Exception {
+        gatewayConnectionFailsWhenHostnameIsInvalidCore(true);
+    }
+
+    @Test(groups = { "fast", "fi-multi-master", "multi-region" }, timeOut = TIMEOUT)
+    public void directConnectionSucceedsWhenHostnameIsInvalidAndHostnameValidationIsDisabled() throws Exception {
+        directConnectionTestCore(true);
+    }
+
+    @Test(groups = { "fast", "fi-multi-master", "multi-region" }, timeOut = TIMEOUT)
+    public void directConnectionFailsWhenHostnameIsInvalidAndHostnameValidationIsNotSet() throws Exception {
+        directConnectionFailsWhenHostnameIsInvalidCore(null);
+    }
+
+    @Test(groups = { "fast", "fi-multi-master", "multi-region" }, timeOut = TIMEOUT)
+    public void directConnectionFailsWhenHostnameIsInvalidAndHostnameValidationIsEnabled() throws Exception {
+        directConnectionFailsWhenHostnameIsInvalidCore(false);
+    }
+
+    private void directConnectionFailsWhenHostnameIsInvalidCore(Boolean disableHostnameValidation) throws Exception {
+        try {
+            directConnectionTestCore(disableHostnameValidation);
+            fail("The test should have failed with invalid hostname when hostname "
+                + "validation is enabled or not set.");
+        } catch (InternalServerErrorException cosmosException) {
+            assertThat(cosmosException.getStatusCode()).isEqualTo(500);
+            assertThat(cosmosException.getSubStatusCode())
+                .isEqualTo(HttpConstants.SubStatusCodes.INVALID_RESULT);
+            assertThat(cosmosException).hasCauseInstanceOf(RuntimeException.class);
+            RuntimeException runtimeException = (RuntimeException)cosmosException.getCause();
+            assertThat(runtimeException).hasCauseInstanceOf(GoneException.class);
+            GoneException goneException = (GoneException)runtimeException.getCause();
+            assertThat(goneException).hasCauseInstanceOf(SSLHandshakeException.class);
+            logger.info("Expected exception was thrown", cosmosException);
+        }
+    }
+
+    private void directConnectionTestCore(Boolean disableHostnameValidation) throws Exception {
+        CosmosDatabase createdDatabase = null;
+        CosmosClient client = null;
+        CosmosClientBuilder builder = getClientBuilder();
+
+        if (builder.getEndpoint().contains("localhost")) {
+            throw new SkipException("This test is irrelevant for emulator");
+        }
+
+        if (builder.getConnectionPolicy().getConnectionMode() != ConnectionMode.DIRECT) {
+            throw new SkipException("This test is only relevant for direct mode");
+        }
+
+        try {
+            if (disableHostnameValidation != null) {
+                System.setProperty("COSMOS.HOSTNAME_VALIDATION_DISABLED", disableHostnameValidation.toString());
+            } else {
+                System.clearProperty("COSMOS.HOSTNAME_VALIDATION_DISABLED");
+            }
+            Configs.resetIsHostnameValidationDisabledForTests();
+
+            client = builder.buildClient();
+
+            TransportClient originalTransportClient = ReflectionUtils.getTransportClient(client);
+
+            ReflectionUtils.setTransportClient(
+                client,
+                new HostnameInvalidationTransportClient(originalTransportClient));
+
+            String dbName = CosmosDatabaseForTest.generateId();
+            createdDatabase = createSyncDatabase(client, dbName);
+            createdDatabase.createContainer(
+                "TestContainer",
+                "/id",
+                ThroughputProperties.createManualThroughput(400));
+            CosmosContainer createdContainer = client.getDatabase(dbName).getContainer("TestContainer");
+            ObjectNode newObject = Utils.getSimpleObjectMapper().createObjectNode();
+            newObject.put("id", UUID.randomUUID().toString());
+            createdContainer.upsertItem(newObject);
+        }
+        finally {
+            if (createdDatabase != null) {
+                safeDeleteSyncDatabase(createdDatabase);
+            }
+
+            if (client != null) {
+                safeCloseSyncClient(client);
+            }
+
+            System.clearProperty("COSMOS.HOSTNAME_VALIDATION_DISABLED");
+            Configs.resetIsHostnameValidationDisabledForTests();
+        }
+    }
+
+    private void gatewayConnectionFailsWhenHostnameIsInvalidCore(Boolean disableHostnameValidation) throws Exception {
+        CosmosDatabase createdDatabase = null;
+        CosmosClient client = null;
+        CosmosClientBuilder builder = getClientBuilder();
+
+        if (builder.getEndpoint().contains("localhost")) {
+            throw new SkipException("This test is irrelevant for emulator");
+        }
+
+        try {
+            if (disableHostnameValidation != null) {
+                System.setProperty("COSMOS.HOSTNAME_VALIDATION_DISABLED", disableHostnameValidation.toString());
+            } else {
+                System.clearProperty("COSMOS.HOSTNAME_VALIDATION_DISABLED");
+            }
+            Configs.resetIsHostnameValidationDisabledForTests();
+
+            URI uri = URI.create(builder.getEndpoint());
+            InetAddress address = InetAddress.getByName(uri.getHost());
+            URI uriWithInvalidHostname = new URI(
+                uri.getScheme(),
+                uri.getUserInfo(),
+                address.getHostAddress(), // Use the DNS-resolved IP-address as new hostname - this is invalid form TLS cert perspective
+                uri.getPort(),
+                uri.getPath(),
+                uri.getQuery(),
+                uri.getFragment()
+            );
+            builder.endpoint(uriWithInvalidHostname.toString());
+            client = builder.buildClient();
+            String dbName = CosmosDatabaseForTest.generateId();
+            createdDatabase = createSyncDatabase(client, dbName);
+            fail("The attempt to connect to the Gateway endpoint to create a database "
+                + "should have failed due to invalid hostname.");
+        } catch (RuntimeException e) {
+            assertThat(e).hasCauseInstanceOf(CosmosException.class);
+            CosmosException cosmosException = (CosmosException)e.getCause();
+            assertThat(cosmosException.getStatusCode()).isEqualTo(503);
+            assertThat(cosmosException.getSubStatusCode())
+                .isEqualTo(HttpConstants.SubStatusCodes.GATEWAY_ENDPOINT_UNAVAILABLE);
+            assertThat(cosmosException).hasCauseInstanceOf(SSLHandshakeException.class);
+            logger.info("Expected exception was thrown", cosmosException);
+        }
+        finally {
+            if (createdDatabase != null) {
+                safeDeleteSyncDatabase(createdDatabase);
+            }
+
+            if (client != null) {
+                safeCloseSyncClient(client);
+            }
+
+            System.clearProperty("COSMOS.HOSTNAME_VALIDATION_DISABLED");
+            Configs.resetIsHostnameValidationDisabledForTests();
+        }
+    }
+
+    private static class HostnameInvalidationTransportClient extends TransportClient {
+        private final TransportClient inner;
+
+        public HostnameInvalidationTransportClient(TransportClient transportClient) {
+            this.inner = transportClient;
+        }
+
+        @Override
+        public void close() throws Exception {
+            this.inner.close();
+        }
+
+        @Override
+        public Mono<StoreResponse> invokeStoreAsync(Uri physicalAddress, RxDocumentServiceRequest request) {
+            URI uri = physicalAddress.getURI();
+            InetAddress address = null;
+            try {
+                address = InetAddress.getByName(uri.getHost());
+            } catch (UnknownHostException e) {
+                throw new RuntimeException(e);
+            }
+            String uriWithInvalidHostname;
+            try {
+                uriWithInvalidHostname = new URI(
+                    uri.getScheme(),
+                    uri.getUserInfo(),
+                    address.getHostAddress(), // Use the DNS-resolved IP-address as new hostname - this is invalid form TLS cert perspective
+                    uri.getPort(),
+                    uri.getPath(),
+                    uri.getQuery(),
+                    uri.getFragment()
+                ).toString();
+            } catch (URISyntaxException e) {
+                throw new RuntimeException(e);
+            }
+
+            Uri ipBasedAddress = Uri.create(uriWithInvalidHostname);
+
+            logger.info("Changed physical address '{}' into '{}'.", physicalAddress, ipBasedAddress);
+
+            return this
+                .inner
+                .invokeStoreAsync(ipBasedAddress, request)
+                .onErrorMap(t -> new RuntimeException(t));
+        }
+
+        @Override
+        public void configureFaultInjectorProvider(IFaultInjectorProvider injectorProvider) {
+            this.inner.configureFaultInjectorProvider(injectorProvider);
+        }
+
+        @Override
+        public GlobalEndpointManager getGlobalEndpointManager() {
+            return this.inner.getGlobalEndpointManager();
+        }
+
+        @Override
+        public ProactiveOpenConnectionsProcessor getProactiveOpenConnectionsProcessor() {
+            return this.inner.getProactiveOpenConnectionsProcessor();
+        }
+
+        @Override
+        public void recordOpenConnectionsAndInitCachesCompleted(List<CosmosContainerIdentity> cosmosContainerIdentities) {
+            this.inner.recordOpenConnectionsAndInitCachesCompleted(cosmosContainerIdentities);
+        }
+
+        @Override
+        public void recordOpenConnectionsAndInitCachesStarted(List<CosmosContainerIdentity> cosmosContainerIdentities) {
+            this.inner.recordOpenConnectionsAndInitCachesStarted(cosmosContainerIdentities);
+        }
+    }
+}

sdk/cosmos/azure-cosmos-tests/src/test/java/com/azure/cosmos/implementation/directconnectivity/RntbdTransportClientTest.java

@@ -1138,6 +1138,11 @@ public URI serviceEndpoint() {
             return null;
         }
 
+        @Override
+        public URI serverKeyUsedAsActualRemoteAddress() {
+            return this.remoteURI;
+        }
+
         @Override
         public void injectConnectionErrors(String ruleId, double threshold, Class<?> eventType) {
             throw new NotImplementedException("injectConnectionErrors is not supported in FakeEndpoint");

sdk/cosmos/azure-cosmos/CHANGELOG.md

@@ -10,6 +10,7 @@
 * Fixed a possible memory leak (Netty buffers) in Gateway mode caused by a race condition when timeouts are happening. - [47228](https://github.com/Azure/azure-sdk-for-java/pull/47228) and [47251](https://github.com/Azure/azure-sdk-for-java/pull/47251)
 
 #### Other Changes
+* Enabled hostname validation for RNTBD connections to backend - [PR 47111](https://github.com/Azure/azure-sdk-for-java/pull/47111)
 * Changed to use incremental change feed to get partition key ranges. - [46810](https://github.com/Azure/azure-sdk-for-java/pull/46810)
 
 ### 4.75.0 (2025-10-21)