credentials/xds: Handle no acceptedSANs correctly. (#3965)

Easwar Swaminathan 2020-10-22 13:37:57 -07:00 committed by GitHub
parent 37b72f944a
commit eb7fc22e45
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 14 deletions


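--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -174,6 +174,11 @@ func (hi *HandshakeInfo) makeTLSConfig(ctx context.Context) (*tls.Config, error)
 }
 func (hi *HandshakeInfo) matchingSANExists(cert *x509.Certificate) bool {
+	if len(hi.acceptedSANs) == 0 {
+		// An empty list of acceptedSANs means "accept everything".
+		return true
+	}
 	var sans []string
 	// SANs can be specified in any of these four fields on the parsed cert.
 	sans = append(sans, cert.DNSNames...)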
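Review bot: The early return at the top of matchingSANExists makes an empty acceptedSANs list fail open — the SAN check passes for whatever certificate the peer presents — but nothing on the exported API records that an unset list disables SAN matching altogether, so the doc comment on the type or setter that populates acceptedSANs should say so explicitly, e.g. `// An empty acceptedSANs list disables SAN matching entirely; any peer certificate that passes the rest of verification is accepted.`. Since the list presumably comes from control-plane configuration (not visible here), a missing or mis-filtered field would silently widen trust rather than fail the handshake, which is why the semantics deserve to be stated where the list is set and not only in this private helper. If HandshakeInfo guards its fields with a mutex elsewhere, the new len() read should sit under the same lock as the existing reads of acceptedSANs further down in this method. The accompanying test change adds only a success case for the empty list; a companion case asserting that a non-empty list with a non-matching SAN still fails the handshake would guard the fail-open boundary against regression. matchingSANExists continues outside the hunk.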


@ -358,26 +358,37 @@ func (s) TestClientCredsSuccess(t *testing.T) {
tests := []struct { tests := []struct {
desc string desc string
handshakeFunc testHandshakeFunc handshakeFunc testHandshakeFunc
rootProvider certprovider.Provider handshakeInfoCtx func(ctx context.Context) context.Context
identityProvider certprovider.Provider
}{ }{
{ {
// Since we don't specify rootProvider and identityProvider here,
// the test does not add a HandshakeInfo context value, and thereby
// the ClientHandshake() method will delegate to the fallback.
desc: "fallback", desc: "fallback",
handshakeFunc: testServerTLSHandshake, handshakeFunc: testServerTLSHandshake,
handshakeInfoCtx: func(ctx context.Context) context.Context {
// Since we don't add a HandshakeInfo to the context, the
// ClientHandshake() method will delegate to the fallback.
return ctx
},
}, },
{ {
desc: "TLS", desc: "TLS",
handshakeFunc: testServerTLSHandshake, handshakeFunc: testServerTLSHandshake,
rootProvider: makeRootProvider(t, "x509/server_ca_cert.pem"), handshakeInfoCtx: func(ctx context.Context) context.Context {
return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN)
},
}, },
{ {
desc: "mTLS", desc: "mTLS",
handshakeFunc: testServerMutualTLSHandshake, handshakeFunc: testServerMutualTLSHandshake,
rootProvider: makeRootProvider(t, "x509/server_ca_cert.pem"), handshakeInfoCtx: func(ctx context.Context) context.Context {
identityProvider: makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), defaultTestCertSAN)
},
},
{
desc: "mTLS with no acceptedSANs specified",
handshakeFunc: testServerMutualTLSHandshake,
handshakeInfoCtx: func(ctx context.Context) context.Context {
return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"))
},
}, },
} }
@ -400,10 +411,7 @@ func (s) TestClientCredsSuccess(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
defer cancel() defer cancel()
if test.rootProvider != nil || test.identityProvider != nil { _, ai, err := creds.ClientHandshake(test.handshakeInfoCtx(ctx), authority, conn)
ctx = newTestContextWithHandshakeInfo(ctx, test.rootProvider, test.identityProvider, defaultTestCertSAN)
}
_, ai, err := creds.ClientHandshake(ctx, authority, conn)
if err != nil { if err != nil {
t.Fatalf("ClientHandshake() returned failed: %q", err) t.Fatalf("ClientHandshake() returned failed: %q", err)
} }