Save changes.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/GcpAuthenticationFilter.java

@@ -198,8 +198,6 @@ public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
         } else {
           callOptions = callOptions.withCallCredentials(newCallCredentials);
         }
-        logger.log(XdsLogLevel.INFO, "Time to expiry of the auth token=" + callOptions.getDeadline().timeRemaining(
-            TimeUnit.SECONDS));
         return next.newCall(method, callOptions);
       }
     };

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProvider.java

@@ -85,18 +85,23 @@ protected final SslContextBuilder getSslContextBuilder(
     if (rootCertInstance != null) {
       if (savedSpiffeTrustMap != null) {
         sslContextBuilder = sslContextBuilder.trustManager(
-          new XdsTrustManagerFactory(
-              savedSpiffeTrustMap,
-              certificateValidationContext, sniForSanMatching));
+            new XdsTrustManagerFactory(
+                savedSpiffeTrustMap,
+                certificateValidationContext, sniForSanMatching));
       } else {
-        try {
-          sslContextBuilder = sslContextBuilder.trustManager(
-              new XdsTrustManagerFactory(
-                  getX509CertificatesFromSystemTrustStore(),
-                  certificateValidationContext));
-        } catch (KeyStoreException | NoSuchAlgorithmException e) {
-          throw new CertStoreException(e);
-        }
+        sslContextBuilder = sslContextBuilder.trustManager(
+            new XdsTrustManagerFactory(
+                savedTrustedRoots.toArray(new X509Certificate[0]),
+                certificateValidationContext, sniForSanMatching));
+      }
+    } else {
+      try {
+        sslContextBuilder = sslContextBuilder.trustManager(
+            new XdsTrustManagerFactory(
+                getX509CertificatesFromSystemTrustStore(),
+                certificateValidationContext, sniForSanMatching));
+      } catch (KeyStoreException | NoSuchAlgorithmException e) {
+        throw new CertStoreException(e);
       }
     }
     if (isMtls()) {

xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java

@@ -118,7 +118,7 @@
 @RunWith(Parameterized.class)
 public class XdsSecurityClientServerTest {
 
-  // TODO: Change this is a specific domain after
+  // TODO: Change this to a specific domain after
   // https://github.com/grpc/grpc-java/issues/12326 is fixed
   private static final String SAN_TO_MATCH = "*.test.google.fr";
 
@@ -223,7 +223,7 @@ public void tlsClientServer_useSystemRootCerts_noMtls_useCombinedValidationConte
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false, null);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -250,7 +250,7 @@ public void tlsClientServer_useSystemRootCerts_noMtls_validationContext() throws
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, false, SAN_TO_MATCH, false);
+              CLIENT_PEM_FILE, false, SAN_TO_MATCH, false, null);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -273,7 +273,7 @@ public void tlsClientServer_useSystemRootCerts_mtls() throws Exception {
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SAN_TO_MATCH, true);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, true, null);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -286,10 +286,11 @@ public void tlsClientServer_useSystemRootCerts_mtls() throws Exception {
 
   /**
    * Use system root ca cert for TLS channel - no mTLS.
-   * Subj Alt Names to match are specified in the validaton context.
+   * Subj Alt Names to match are specified in the validation context.
    */
   @Test
-  public void tlsClientServer_useSystemRootCerts_failureToMatchSubjAltNames() throws Exception {
+  public void tlsClientServer_useSystemRootCerts_noAutoSniValidation_failureToMatchSubjAltNames()
+      throws Exception {
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -300,7 +301,7 @@ public void tlsClientServer_useSystemRootCerts_failureToMatchSubjAltNames() thro
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, "server1.test.google.in", false);
+              CLIENT_PEM_FILE, true, "server1.test.google.in", false, null);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -317,6 +318,33 @@ public void tlsClientServer_useSystemRootCerts_failureToMatchSubjAltNames() thro
     }
   }
 
+  @Test
+  public void tlsClientServer_useSystemRootCerts_autoSniValidation()
+      throws Exception {
+    Path trustStoreFilePath = getCacertFilePathForTestCa();
+    try {
+      setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
+      DownstreamTlsContext downstreamTlsContext =
+          setBootstrapInfoAndBuildDownstreamTlsContext(SERVER_1_PEM_FILE, null, null, null, null,
+              null, false, false);
+      buildServerWithTlsContext(downstreamTlsContext);
+
+      UpstreamTlsContext upstreamTlsContext =
+          setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
+              CLIENT_PEM_FILE, true,
+              // won't be used
+              "server1.test.google.in",
+              false, SAN_TO_MATCH);
+
+      SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
+          getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
+      unaryRpc(/* requestMessage= */ "buddy", blockingStub);
+    } finally {
+      Files.deleteIfExists(trustStoreFilePath);
+      clearTrustStoreSystemProperties();
+    }
+  }
+
   /**
    * Use system root ca cert for TLS channel - mTLS.
    * Uses common_tls_context.combined_validation_context in upstream_tls_context.
@@ -333,7 +361,7 @@ public void tlsClientServer_useSystemRootCerts_requireClientAuth() throws Except
 
       UpstreamTlsContext upstreamTlsContext =
           setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(CLIENT_KEY_FILE,
-              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false);
+              CLIENT_PEM_FILE, true, SAN_TO_MATCH, false, null);
 
       SimpleServiceGrpc.SimpleServiceBlockingStub blockingStub =
           getBlockingStub(upstreamTlsContext, /* overrideAuthority= */ OVERRIDE_AUTHORITY);
@@ -615,7 +643,7 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContext(String cli
   private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSystemRootCerts(
       String clientKeyFile,
       String clientPemFile,
-      boolean useCombinedValidationContext, String sanToMatch, boolean isMtls) {
+      boolean useCombinedValidationContext, String sanToMatch, boolean isMtls, String sni) {
     bootstrapInfoForClient = CommonBootstrapperTestUtils
         .buildBootstrapInfo("google_cloud_private_spiffe-client", clientKeyFile, clientPemFile,
             CA_PEM_FILE, null, null, null, null, null);
@@ -630,7 +658,7 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSys
               .addMatchSubjectAltNames(
                   StringMatcher.newBuilder()
                       .setExact(sanToMatch))
-              .build());
+              .build(), sni, false);
     }
     return CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
         "google_cloud_private_spiffe-client", "ROOT", null,

xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java

@@ -149,9 +149,12 @@ public static String getTempFileNameForResourcesFile(String resFile) throws IOEx
    * Helper method to build UpstreamTlsContext for above tests. Called from other classes as well.
    */
   static EnvoyServerProtoData.UpstreamTlsContext buildUpstreamTlsContext(
-      CommonTlsContext commonTlsContext, String sni, boolean autoHostSni) {
+      CommonTlsContext commonTlsContext, String sni, boolean autoHostSni, boolean autoSniSanValidation) {
     UpstreamTlsContext.Builder upstreamTlsContext =
-        UpstreamTlsContext.newBuilder().setCommonTlsContext(commonTlsContext).setAutoHostSni(autoHostSni);
+        UpstreamTlsContext.newBuilder()
+            .setCommonTlsContext(commonTlsContext)
+            .setAutoHostSni(autoHostSni)
+            .setAutoSniSanValidation(autoSniSanValidation);
     if (sni != null) {
       upstreamTlsContext.setSni(sni);
     }
@@ -290,7 +293,7 @@ private static CommonTlsContext.Builder addNewCertificateValidationContext(
             rootCertName,
             alpnProtocols,
             staticCertValidationContext),
-        sni, autoHostSni);
+        sni, autoHostSni, false);
   }
 
   /** Helper method to build UpstreamTlsContext for CertProvider tests. */
@@ -309,7 +312,7 @@ private static CommonTlsContext.Builder addNewCertificateValidationContext(
             rootInstanceName,
             rootCertName,
             alpnProtocols,
-            staticCertValidationContext), null, false);
+            staticCertValidationContext), null, false, false);
   }
 
   /** Helper method to build DownstreamTlsContext for CertProvider tests. */

xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java

@@ -124,7 +124,7 @@ public void clientSecurityProtocolNegotiatorNewHandler_noFallback_expectExceptio
   @Test
   public void clientSecurityProtocolNegotiatorNewHandler_withTlsContextAttribute() {
     UpstreamTlsContext upstreamTlsContext =
-        CommonTlsContextTestsUtil.buildUpstreamTlsContext(CommonTlsContext.newBuilder().build(), null, false);
+        CommonTlsContextTestsUtil.buildUpstreamTlsContext(CommonTlsContext.newBuilder().build(), null, false, false);
     ClientSecurityProtocolNegotiator pn =
         new ClientSecurityProtocolNegotiator(InternalProtocolNegotiators.plaintext());
     GrpcHttp2ConnectionHandler mockHandler = mock(GrpcHttp2ConnectionHandler.class);
@@ -146,7 +146,7 @@ public void clientSecurityProtocolNegotiatorNewHandler_withTlsContextAttribute()
   @Test
   public void clientSecurityProtocolNegotiatorNewHandler_autoHostSni_hostnameIsPassedToClientSecurityHandler() {
     UpstreamTlsContext upstreamTlsContext =
-            CommonTlsContextTestsUtil.buildUpstreamTlsContext(CommonTlsContext.newBuilder().build(), null, true);
+            CommonTlsContextTestsUtil.buildUpstreamTlsContext(CommonTlsContext.newBuilder().build(), null, true, false);
     ClientSecurityProtocolNegotiator pn =
             new ClientSecurityProtocolNegotiator(InternalProtocolNegotiators.plaintext());
     GrpcHttp2ConnectionHandler mockHandler = mock(GrpcHttp2ConnectionHandler.class);