credentials/xds: Handle no acceptedSANs correctly. (#3965)

2020-10-22 13:37:57 -07:00
parent 37b72f944a
commit eb7fc22e45
2 changed files with 27 additions and 14 deletions
--- a/credentials/xds/xds.go
+++ b/credentials/xds/xds.go
@ -174,6 +174,11 @@ func (hi *HandshakeInfo) makeTLSConfig(ctx context.Context) (*tls.Config, error)
 }

 func (hi *HandshakeInfo) matchingSANExists(cert *x509.Certificate) bool {
+	if len(hi.acceptedSANs) == 0 {
+		// An empty list of acceptedSANs means "accept everything".
+		return true
+	}
+
 	var sans []string
 	// SANs can be specified in any of these four fields on the parsed cert.
 	sans = append(sans, cert.DNSNames...)
--- a/credentials/xds/xds_test.go
+++ b/credentials/xds/xds_test.go
@ -358,26 +358,37 @@ func (s) TestClientCredsSuccess(t *testing.T) {
 	tests := []struct {
 		desc             string
 		handshakeFunc    testHandshakeFunc
-		rootProvider     certprovider.Provider
-		identityProvider certprovider.Provider
+		handshakeInfoCtx func(ctx context.Context) context.Context
 	}{
 		{
-			// Since we don't specify rootProvider and identityProvider here,
-			// the test does not add a HandshakeInfo context value, and thereby
-			// the ClientHandshake() method will delegate to the fallback.
 			desc:          "fallback",
 			handshakeFunc: testServerTLSHandshake,
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				// Since we don't add a HandshakeInfo to the context, the
+				// ClientHandshake() method will delegate to the fallback.
+				return ctx
+			},
 		},
 		{
 			desc:          "TLS",
 			handshakeFunc: testServerTLSHandshake,
-			rootProvider:  makeRootProvider(t, "x509/server_ca_cert.pem"),
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN)
+			},
 		},
 		{
-			desc:             "mTLS",
-			handshakeFunc:    testServerMutualTLSHandshake,
-			rootProvider:     makeRootProvider(t, "x509/server_ca_cert.pem"),
-			identityProvider: makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"),
+			desc:          "mTLS",
+			handshakeFunc: testServerMutualTLSHandshake,
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), defaultTestCertSAN)
+			},
+		},
+		{
+			desc:          "mTLS with no acceptedSANs specified",
+			handshakeFunc: testServerMutualTLSHandshake,
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"))
+			},
 		},
 	}

@ -400,10 +411,7 @@ func (s) TestClientCredsSuccess(t *testing.T) {

 			ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
 			defer cancel()
-			if test.rootProvider != nil || test.identityProvider != nil {
-				ctx = newTestContextWithHandshakeInfo(ctx, test.rootProvider, test.identityProvider, defaultTestCertSAN)
-			}
-			_, ai, err := creds.ClientHandshake(ctx, authority, conn)
+			_, ai, err := creds.ClientHandshake(test.handshakeInfoCtx(ctx), authority, conn)
 			if err != nil {
 				t.Fatalf("ClientHandshake() returned failed: %q", err)
 			}