Save changes.

kannanjgithub · kannanjgithub · commit 0ca4f8b02790 · 2025-09-15T04:26:36.000Z
diff --git a/xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java b/xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java
@@ -96,7 +96,8 @@ public UpstreamTlsContext(io.envoyproxy.envoy.extensions.transport_sockets.tls.v
     public static UpstreamTlsContext fromEnvoyProtoUpstreamTlsContext(
         io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
             upstreamTlsContext) {
-      return new UpstreamTlsContext(upstreamTlsContext);
+      UpstreamTlsContext o = new UpstreamTlsContext(upstreamTlsContext);
+      return o;
     }
 
     public String getSni() {
@@ -113,7 +114,12 @@ public boolean getAutoSniSanValidation() {
 
     @Override
     public String toString() {
-      return "UpstreamTlsContext{" + "commonTlsContext=" + commonTlsContext + '}';
+      return "UpstreamTlsContext{" +
+          "commonTlsContext=" + commonTlsContext
+          + "sni=" + sni
+          + "\nauto_host_sni=" + auto_host_sni
+          + "\nauto_sni_san_validation=" + auto_sni_san_validation
+          + "}";
     }
   }
 
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java
@@ -63,6 +63,7 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
         staticCertValidationContext,
         upstreamTlsContext,
         certificateProviderStore);
+    this.sniForSanMatching = upstreamTlsContext.getAutoSniSanValidation()? sniForSanMatching : null;
     if (rootCertInstance == null
         && CommonTlsContextUtil.isUsingSystemRootCerts(tlsContext.getCommonTlsContext())
         && !isMtls()) {
@@ -74,7 +75,6 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP
         throw new RuntimeException(e);
       }
     }
-    this.sniForSanMatching = upstreamTlsContext.getAutoSniSanValidation()? sniForSanMatching : null;
   }
 
   @Override
diff --git a/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java
@@ -221,7 +221,7 @@ public void tlsClientServer_useSystemRootCerts_noMtls_useCombinedValidationConte
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false, null);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false, null, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -248,7 +248,7 @@ public void tlsClientServer_useSystemRootCerts_noMtls_validationContext() throws
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, false, SAN_TO_MATCH, false, null);
+              CLIENT_PEM_FILE, false, SAN_TO_MATCH, false, null, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -271,7 +271,7 @@ public void tlsClientServer_useSystemRootCerts_mtls() throws Exception {
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SAN_TO_MATCH, true, null);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, true, null, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -299,7 +299,7 @@ public void tlsClientServer_useSystemRootCerts_noAutoSniValidation_failureToMatc
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, "server1.test.google.in", false, null);
+              CLIENT_PEM_FILE, true, "server1.test.google.in", false, null, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -330,9 +330,12 @@ public void tlsClientServer_useSystemRootCerts_autoSniValidation()
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
               CLIENT_PEM_FILE, true,
-              // won't be used
+              // SAN matcher in CommonValidationContext. Will be overridden by autoSniSanValidation
               "server1.test.google.in",
-              false, SAN_TO_MATCH);
+              false,
+              // SNI in UpstreamTlsContext
+              SAN_TO_MATCH,
+              true);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -359,7 +362,7 @@ public void tlsClientServer_useSystemRootCerts_requireClientAuth() throws Except
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false, null);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false, null, false);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -641,7 +644,11 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContext(String cli
   private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(
       String clientKeyFile,
       String clientPemFile,
-      boolean useCombinedValidationContext, String sanToMatch, boolean isMtls, String sni) {
+      boolean useCombinedValidationContext,
+      String sanToMatch,
+      boolean isMtls,
+      String sniInUpstreamTlsContext,
+      boolean autoSniSanValidation) {
     bootstrapInfoForClient = CommonBootstrapperTestUtils
         .buildBootstrapInfo("google_cloud_private_spiffe-client", clientKeyFile, clientPemFile,
             CA_PEM_FILE, null, null, null, null, null);
@@ -656,7 +663,7 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSys
               .addMatchSubjectAltNames(
                   StringMatcher.newBuilder()
                       .setExact(sanToMatch))
-              .build(), sni, false);
+              .build(), sniInUpstreamTlsContext, false, autoSniSanValidation);
     }
     return CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
         "google_cloud_private_spiffe-client", "ROOT", null,
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java
@@ -79,7 +79,7 @@ public void createCertProviderClientSslContextProvider() throws XdsInitializatio
             "gcp_id",
             "root-default",
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null, null, false);
+            /* staticCertValidationContext= */ null, null, false, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
@@ -138,7 +138,7 @@ public void createCertProviderClientSslContextProvider_onlyRootCert()
                     "gcp_id",
                     "root-default",
                     /* alpnProtocols= */ null,
-                    /* staticCertValidationContext= */ null, null, false);
+                    /* staticCertValidationContext= */ null, null, false, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
@@ -172,7 +172,7 @@ public void createCertProviderClientSslContextProvider_withStaticContext()
                     "gcp_id",
                     "root-default",
                     /* alpnProtocols= */ null,
-                    staticCertValidationContext, null, false);
+                    staticCertValidationContext, null, false, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
@@ -202,7 +202,7 @@ public void createCertProviderClientSslContextProvider_2providers()
             "file_provider",
             "root-default",
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null, null, false);
+            /* staticCertValidationContext= */ null, null, false, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java
@@ -173,7 +173,7 @@ public static EnvoyServerProtoData.UpstreamTlsContext buildUpstreamTlsContext(
         null,
         null,
         sni,
-        autoHostSni);
+        autoHostSni, false);
   }
 
   /** Gets a cert from contents of a resource. */
@@ -284,7 +284,10 @@ private static CommonTlsContext.Builder addNewCertificateValidationContext(
       @Nullable String rootInstanceName,
       @Nullable String rootCertName,
       Iterable<String> alpnProtocols,
-      CertificateValidationContext staticCertValidationContext, String sni, boolean autoHostSni) {
+      CertificateValidationContext staticCertValidationContext,
+      String sni,
+      boolean autoHostSni,
+      boolean autoSniSanValidation) {
     return buildUpstreamTlsContext(
         buildCommonTlsContextForCertProviderInstance(
             certInstanceName,
@@ -293,7 +296,7 @@ private static CommonTlsContext.Builder addNewCertificateValidationContext(
             rootCertName,
             alpnProtocols,
             staticCertValidationContext),
-        sni, autoHostSni, false);
+        sni, autoHostSni, autoSniSanValidation);
   }
 
   /** Helper method to build UpstreamTlsContext for CertProvider tests. */
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
@@ -94,7 +94,7 @@ private CertProviderClientSslContextProvider getSslContextProvider(
                       "root-default",
                       alpnProtocols,
                       staticCertValidationContext,
-                  null, false);
+                  null, false, false);
     }
     return (CertProviderClientSslContextProvider)
         certProviderClientSslContextProviderFactory.getProvider(

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP`
`63`	`63`	`staticCertValidationContext,`
`64`	`64`	`upstreamTlsContext,`
`65`	`65`	`certificateProviderStore);`
	`66`	`+ this.sniForSanMatching = upstreamTlsContext.getAutoSniSanValidation()? sniForSanMatching : null;`
`66`	`67`	`if (rootCertInstance == null`
`67`	`68`	`&& CommonTlsContextUtil.isUsingSystemRootCerts(tlsContext.getCommonTlsContext())`
`68`	`69`	`&& !isMtls()) {`
`@@ -74,7 +75,6 @@ final class CertProviderClientSslContextProvider extends CertProviderSslContextP`
`74`	`75`	`throw new RuntimeException(e);`
`75`	`76`	`}`
`76`	`77`	`}`
`77`		`- this.sniForSanMatching = upstreamTlsContext.getAutoSniSanValidation()? sniForSanMatching : null;`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ private CertProviderClientSslContextProvider getSslContextProvider(`
`94`	`94`	`"root-default",`
`95`	`95`	`alpnProtocols,`
`96`	`96`	`staticCertValidationContext,`
`97`		`- null, false);`
	`97`	`+ null, false, false);`
`98`	`98`	`}`
`99`	`99`	`return (CertProviderClientSslContextProvider)`
`100`	`100`	`certProviderClientSslContextProviderFactory.getProvider(`