Save changes.

kannanjgithub · kannanjgithub · commit 968d56414900 · 2025-09-08T11:57:07.000Z
diff --git a/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java b/xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java
@@ -563,7 +563,7 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSys
           CertificateValidationContext.newBuilder()
               .setSystemRootCerts(
                   CertificateValidationContext.SystemRootCerts.newBuilder().build())
-              .build());
+              .build(), false);
     }
     return CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(
         "google_cloud_private_spiffe-client", "ROOT", null,
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java b/xds/src/test/java/io/grpc/xds/internal/security/ClientSslContextProviderFactoryTest.java
@@ -74,7 +74,7 @@ public void createCertProviderClientSslContextProvider() throws XdsInitializatio
             "gcp_id",
             "root-default",
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null);
+            /* staticCertValidationContext= */ null, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
@@ -105,7 +105,7 @@ public void bothPresent_expectCertProviderClientSslContextProvider()
             "gcp_id",
             "root-default",
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null);
+            /* staticCertValidationContext= */ null, false);
 
     CommonTlsContext.Builder builder = upstreamTlsContext.getCommonTlsContext().toBuilder();
     builder = addFilenames(builder, "foo.pem", "foo.key", "root.pem");
@@ -135,7 +135,7 @@ public void createCertProviderClientSslContextProvider_onlyRootCert()
                     "gcp_id",
                     "root-default",
                     /* alpnProtocols= */ null,
-                    /* staticCertValidationContext= */ null);
+                    /* staticCertValidationContext= */ null, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
@@ -169,7 +169,7 @@ public void createCertProviderClientSslContextProvider_withStaticContext()
                     "gcp_id",
                     "root-default",
                     /* alpnProtocols= */ null,
-                    staticCertValidationContext);
+                    staticCertValidationContext, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
@@ -199,7 +199,7 @@ public void createCertProviderClientSslContextProvider_2providers()
             "file_provider",
             "root-default",
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null);
+            /* staticCertValidationContext= */ null, false);
 
     Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
     clientSslContextProviderFactory =
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java
@@ -165,7 +165,7 @@ public static EnvoyServerProtoData.UpstreamTlsContext buildUpstreamTlsContext(
         commonInstanceName,
         "ROOT",
         null,
-        null);
+        null, false);
   }
 
   /** Gets a cert from contents of a resource. */
@@ -182,7 +182,8 @@ private static CommonTlsContext buildCommonTlsContextForCertProviderInstance(
       String rootInstanceName,
       String rootCertName,
       Iterable<String> alpnProtocols,
-      CertificateValidationContext staticCertValidationContext) {
+      CertificateValidationContext staticCertValidationContext,
+      boolean useSystemRootCerts) {
     CommonTlsContext.Builder builder = CommonTlsContext.newBuilder();
     if (certInstanceName != null) {
       builder =
@@ -193,7 +194,8 @@ private static CommonTlsContext buildCommonTlsContextForCertProviderInstance(
     }
     builder =
         addCertificateValidationContext(
-            builder, rootInstanceName, rootCertName, staticCertValidationContext);
+            builder, rootInstanceName, rootCertName, staticCertValidationContext,
+                useSystemRootCerts);
     if (alpnProtocols != null) {
       builder.addAllAlpnProtocols(alpnProtocols);
     }
@@ -228,7 +230,8 @@ private static CommonTlsContext.Builder addCertificateValidationContext(
       CommonTlsContext.Builder builder,
       String rootInstanceName,
       String rootCertName,
-      CertificateValidationContext staticCertValidationContext) {
+      CertificateValidationContext staticCertValidationContext,
+      boolean useSystemRootCerts) {
     CertificateValidationContext.Builder contextBuilder;
     if (staticCertValidationContext == null) {
       contextBuilder = CertificateValidationContext.newBuilder();
@@ -240,7 +243,7 @@ private static CommonTlsContext.Builder addCertificateValidationContext(
           .setInstanceName(rootInstanceName)
           .setCertificateName(rootCertName));
       builder.setValidationContext(contextBuilder.build());
-    } else {
+    } else if (useSystemRootCerts) {
       builder.setValidationContext(contextBuilder.setSystemRootCerts(
           CertificateValidationContext.SystemRootCerts.getDefaultInstance())
               .build());
@@ -277,15 +280,17 @@ private static CommonTlsContext.Builder addNewCertificateValidationContext(
           @Nullable String rootInstanceName,
           @Nullable String rootCertName,
           Iterable<String> alpnProtocols,
-          CertificateValidationContext staticCertValidationContext) {
+          CertificateValidationContext staticCertValidationContext,
+          boolean useSystemRootCerts) {
     return buildUpstreamTlsContext(
         buildCommonTlsContextForCertProviderInstance(
             certInstanceName,
             certName,
             rootInstanceName,
             rootCertName,
             alpnProtocols,
-            staticCertValidationContext));
+            staticCertValidationContext,
+            useSystemRootCerts));
   }
 
   /** Helper method to build UpstreamTlsContext for CertProvider tests. */
@@ -324,7 +329,8 @@ private static CommonTlsContext.Builder addNewCertificateValidationContext(
             rootInstanceName,
             rootCertName,
             alpnProtocols,
-            staticCertValidationContext), requireClientCert);
+            staticCertValidationContext,
+false), requireClientCert);
   }
 
   /** Helper method to build DownstreamTlsContext for CertProvider tests. */
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
@@ -68,19 +68,21 @@ public void setUp() throws Exception {
 
   /** Helper method to build CertProviderClientSslContextProvider. */
   private CertProviderClientSslContextProvider getSslContextProvider(
-      String certInstanceName,
-      String rootInstanceName,
-      Bootstrapper.BootstrapInfo bootstrapInfo,
-      Iterable<String> alpnProtocols,
-      CertificateValidationContext staticCertValidationContext) {
+          String certInstanceName,
+          String rootInstanceName,
+          Bootstrapper.BootstrapInfo bootstrapInfo,
+          Iterable<String> alpnProtocols,
+          CertificateValidationContext staticCertValidationContext,
+          boolean useSystemRootCerts) {
     EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext =
         CommonTlsContextTestsUtil.buildUpstreamTlsContextForCertProviderInstance(
             certInstanceName,
             "cert-default",
             rootInstanceName,
             "root-default",
             alpnProtocols,
-            staticCertValidationContext);
+            staticCertValidationContext,
+            useSystemRootCerts);
     return (CertProviderClientSslContextProvider)
         certProviderClientSslContextProviderFactory.getProvider(
             upstreamTlsContext,
@@ -122,7 +124,7 @@ public void testProviderForClient_mtls() throws Exception {
             "gcp_id",
             CommonBootstrapperTestUtils.getTestBootstrapInfo(),
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null);
+            /* staticCertValidationContext= */ null, false);
 
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
@@ -185,7 +187,8 @@ public void testProviderForClient_systemRootCerts() throws Exception {
                     null,
                     CommonBootstrapperTestUtils.getTestBootstrapInfo(),
                     /* alpnProtocols= */ null,
-                    /* staticCertValidationContext= */ null);
+                    /* staticCertValidationContext= */ null,
+                    true);
 
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
@@ -305,7 +308,7 @@ public void testProviderForClient_queueExecutor() throws Exception {
             "gcp_id",
             CommonBootstrapperTestUtils.getTestBootstrapInfo(),
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null);
+            /* staticCertValidationContext= */ null, false);
     QueuedExecutor queuedExecutor = new QueuedExecutor();
 
     TestCallback testCallback =
@@ -338,7 +341,7 @@ public void testProviderForClient_tls() throws Exception {
             "gcp_id",
             CommonBootstrapperTestUtils.getTestBootstrapInfo(),
             /* alpnProtocols= */ null,
-            /* staticCertValidationContext= */ null);
+            /* staticCertValidationContext= */ null, false);
 
     assertThat(provider.savedKey).isNull();
     assertThat(provider.savedCertChain).isNull();
@@ -375,7 +378,7 @@ public void testProviderForClient_sslContextException_onError() throws Exception
                     "gcp_id",
                     CommonBootstrapperTestUtils.getTestBootstrapInfo(),
                     /* alpnProtocols= */null,
-                    staticCertValidationContext);
+                    staticCertValidationContext, false);
 
     TestCallback testCallback = new TestCallback(MoreExecutors.directExecutor());
     provider.addCallback(testCallback);
@@ -407,7 +410,7 @@ public void testProviderForClient_rootInstanceNull_and_notUsingSystemRootCerts_e
           /* rootInstanceName= */ null,
           CommonBootstrapperTestUtils.getTestBootstrapInfo(),
           /* alpnProtocols= */ null,
-          /* staticCertValidationContext= */ null);
+          /* staticCertValidationContext= */ null, false);
       fail("exception expected");
     } catch (UnsupportedOperationException expected) {
       assertThat(expected).hasMessageThat().contains("Unsupported configurations in "
@@ -430,7 +433,7 @@ public void testProviderForClient_rootInstanceNull_but_isUsingSystemRootCerts_va
         CertificateValidationContext.newBuilder()
             .setSystemRootCerts(
                 CertificateValidationContext.SystemRootCerts.newBuilder().build())
-            .build());
+            .build(), false);
   }
 
   static class QueuedExecutor implements Executor {

Original file line number	Diff line number	Diff line change
`@@ -563,7 +563,7 @@ private UpstreamTlsContext setBootstrapInfoAndBuildUpstreamTlsContextForUsingSys`
`563`	`563`	`CertificateValidationContext.newBuilder()`
`564`	`564`	`.setSystemRootCerts(`
`565`	`565`	`CertificateValidationContext.SystemRootCerts.newBuilder().build())`
`566`		`- .build());`
	`566`	`+ .build(), false);`
`567`	`567`	`}`
`568`	`568`	`return CommonTlsContextTestsUtil.buildNewUpstreamTlsContextForCertProviderInstance(`
`569`	`569`	`"google_cloud_private_spiffe-client", "ROOT", null,`