Fallback flag when no sni is available to send to specify to use xds channel authority itself.

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -54,6 +54,9 @@
 @VisibleForTesting
 public final class SecurityProtocolNegotiators {
 
+  static boolean useChannelAuthorityIfNoSniApplicable =
+          GrpcUtil.getFlag("GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE", false);
+
   /** Name associated with individual address, if available (e.g., DNS name). */
   @EquivalentAddressGroup.Attr
   public static final Attributes.Key<String> ATTR_ADDRESS_NAME =
@@ -216,8 +219,12 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
       this.sslContextProviderSupplier = sslContextProviderSupplier;
       EnvoyServerProtoData.BaseTlsContext tlsContext = sslContextProviderSupplier.getTlsContext();
       UpstreamTlsContext upstreamTlsContext = ((UpstreamTlsContext) tlsContext);
-      sni = upstreamTlsContext.getAutoHostSni() && !Strings.isNullOrEmpty(endpointHostname)
+      String sniVal = upstreamTlsContext.getAutoHostSni() && !Strings.isNullOrEmpty(endpointHostname)
               ? endpointHostname : upstreamTlsContext.getSni();
+      if (Strings.isNullOrEmpty(sniVal) && useChannelAuthorityIfNoSniApplicable) {
+        sniVal = grpcHandler.getAuthority();
+      }
+      sni = sniVal;
     }
 
     @VisibleForTesting

xds/src/test/java/io/grpc/xds/internal/security/SecurityProtocolNegotiatorsTest.java

@@ -88,6 +88,7 @@ public class SecurityProtocolNegotiatorsTest {
 
   private static final String HOSTNAME = "hostname";
   private static final String SNI_IN_UTC = "sni-in-upstream-tls-context";
+  private static final String FAKE_AUTHORITY = "authority";
 
   private final GrpcHttp2ConnectionHandler grpcHandler =
       FakeGrpcHttp2ConnectionHandler.newHandler();
@@ -269,6 +270,29 @@ public void sniInClientSecurityHandler_autoHostSniIsFalse_usesSniFromUpstreamTls
     assertThat(clientSecurityHandler.getSni()).isEqualTo(SNI_IN_UTC);
   }
 
+  @Test
+  public void emptySni_useChannelAuthorityIfNoSniApplicableIsTrue_usesChannelAuthority() {
+    SecurityProtocolNegotiators.useChannelAuthorityIfNoSniApplicable = true;
+    try {
+      Bootstrapper.BootstrapInfo bootstrapInfoForClient = CommonBootstrapperTestUtils
+              .buildBootstrapInfo("google_cloud_private_spiffe-client", CLIENT_KEY_FILE, CLIENT_PEM_FILE,
+                      CA_PEM_FILE, null, null, null, null, null);
+      UpstreamTlsContext upstreamTlsContext =
+              CommonTlsContextTestsUtil
+                      .buildUpstreamTlsContext("google_cloud_private_spiffe-client", true, "", false);
+      SslContextProviderSupplier sslContextProviderSupplier =
+              new SslContextProviderSupplier(upstreamTlsContext,
+                      new TlsContextManagerImpl(bootstrapInfoForClient));
+
+      ClientSecurityHandler clientSecurityHandler =
+              new ClientSecurityHandler(grpcHandler, sslContextProviderSupplier, HOSTNAME);
+
+      assertThat(clientSecurityHandler.getSni()).isEqualTo(FAKE_AUTHORITY);
+    } finally {
+      SecurityProtocolNegotiators.useChannelAuthorityIfNoSniApplicable = false;
+    }
+  }
+
   @Test
   public void serverSecurityHandler_addLast()
       throws InterruptedException, TimeoutException, ExecutionException {
@@ -533,7 +557,7 @@ static FakeGrpcHttp2ConnectionHandler newHandler() {
 
     @Override
     public String getAuthority() {
-      return "authority";
+      return FAKE_AUTHORITY;
     }
   }
 }