refactor: Use new ConnectSettings.DnsNames field to validate the server certificate's server name.

Author: hessjcg

core/src/main/java/com/google/cloud/sql/core/DefaultConnectionInfoRepository.java

@@ -19,6 +19,7 @@
 import com.google.api.client.googleapis.json.GoogleJsonResponseException;
 import com.google.api.services.sqladmin.SQLAdmin;
 import com.google.api.services.sqladmin.model.ConnectSettings;
+import com.google.api.services.sqladmin.model.DnsNameMapping;
 import com.google.api.services.sqladmin.model.GenerateEphemeralCertRequest;
 import com.google.api.services.sqladmin.model.GenerateEphemeralCertResponse;
 import com.google.api.services.sqladmin.model.IpMapping;
@@ -287,10 +288,31 @@ private InstanceMetadata fetchMetadata(CloudSqlInstanceName instanceName, AuthTy
       boolean pscEnabled =
           instanceMetadata.getPscEnabled() != null
               && instanceMetadata.getPscEnabled().booleanValue();
-      if (pscEnabled
-          && instanceMetadata.getDnsName() != null
-          && !instanceMetadata.getDnsName().isEmpty()) {
-        ipAddrs.put(IpType.PSC, instanceMetadata.getDnsName());
+
+      if (pscEnabled) {
+        // Search the dns_names field for the PSC DNS Name.
+        String pscDnsName = null;
+        if (instanceMetadata.getDnsNames() != null) {
+          for (DnsNameMapping dnm : instanceMetadata.getDnsNames()) {
+            if ("PRIVATE_SERVICE_CONNECT".equals(dnm.getConnectionType())
+                && "INSTANCE".equals(dnm.getDnsScope())) {
+              pscDnsName = dnm.getName();
+              break;
+            }
+          }
+        }
+
+        // If the psc dns name was not found, use the legacy dns_name field
+        if (pscDnsName == null
+            && instanceMetadata.getDnsName() != null
+            && !instanceMetadata.getDnsName().isEmpty()) {
+          pscDnsName = instanceMetadata.getDnsName();
+        }
+
+        // If the psc dns name was found, add it to the ipaddrs map.
+        if (pscDnsName != null) {
+          ipAddrs.put(IpType.PSC, pscDnsName);
+        }
       }
 
       // Verify the instance has at least one IP type assigned that can be used to connect.
@@ -301,6 +323,18 @@ private InstanceMetadata fetchMetadata(CloudSqlInstanceName instanceName, AuthTy
                     + "IP address.",
                 instanceName.getConnectionName()));
       }
+
+      // Find a DNS name to use to validate the certificate from the dns_names field. Any
+      // name in the list may be used to validate the server TLS certificate.
+      // Fall back to legacy dns_name field if necessary.
+      String serverName = null;
+      if (instanceMetadata.getDnsNames() != null && !instanceMetadata.getDnsNames().isEmpty()) {
+        serverName = instanceMetadata.getDnsNames().get(0).getName();
+      }
+      if (serverName == null) {
+        serverName = instanceMetadata.getDnsName();
+      }
+
       // Update the Server CA certificate used to create the SSL connection with the instance.
       try {
         List<Certificate> instanceCaCertificates =
@@ -313,7 +347,7 @@ private InstanceMetadata fetchMetadata(CloudSqlInstanceName instanceName, AuthTy
             ipAddrs,
             instanceCaCertificates,
             isCasManagedCertificate(instanceMetadata.getServerCaMode()),
-            instanceMetadata.getDnsName(),
+            serverName,
             pscEnabled);
       } catch (CertificateException ex) {
         throw new RuntimeException(

core/src/main/java/com/google/cloud/sql/core/InstanceCheckingTrustManger.java

@@ -96,10 +96,14 @@ private void checkCertificateChain(X509Certificate[] chain) throws CertificateEx
       throw new CertificateException("Subject is missing");
     }
 
-    if (instanceMetadata.isCasManagedCertificate() || instanceMetadata.isPscEnabled()) {
-      checkSan(chain);
-    } else {
+    // If the connector was configured without a DNS name and the
+    // instance metadata does not contain a domain name, use legacy CN validation
+    if (Strings.isNullOrEmpty(instanceMetadata.getInstanceName().getDomainName())
+        && Strings.isNullOrEmpty(instanceMetadata.getDnsName())) {
       checkCn(chain);
+    } else {
+      // If there is a DNS name, check the Subject Alternative Names.
+      checkSan(chain);
     }
   }
 

core/src/test/java/com/google/cloud/sql/core/DefaultConnectionInfoRepositoryTest.java

@@ -51,7 +51,7 @@ public void testFetchInstanceData_returnsIpAddresses()
       throws ExecutionException, InterruptedException, GeneralSecurityException,
           OperatorCreationException {
     MockAdminApi mockAdminApi =
-        buildMockAdminApi(INSTANCE_CONNECTION_NAME, DATABASE_VERSION, DEFAULT_BASE_URL);
+        buildMockAdminApi(INSTANCE_CONNECTION_NAME, DATABASE_VERSION, DEFAULT_BASE_URL, false);
     ConnectorConfig config = new ConnectorConfig.Builder().build();
     ConnectionInfoRepository repo =
         new StubConnectionInfoRepositoryFactory(mockAdminApi.getHttpTransport())
@@ -85,7 +85,45 @@ public void testFetchInstanceData_returnsPscForNonIpDatabase()
         null,
         DATABASE_VERSION,
         SAMPLE_PCS_DNS_NAME,
-        DEFAULT_BASE_URL);
+        DEFAULT_BASE_URL,
+        false);
+    mockAdminApi.addGenerateEphemeralCertResponse(
+        INSTANCE_CONNECTION_NAME, Duration.ofHours(1), DEFAULT_BASE_URL);
+    ConnectorConfig config = new ConnectorConfig.Builder().build();
+
+    ConnectionInfoRepository repo =
+        new StubConnectionInfoRepositoryFactory(mockAdminApi.getHttpTransport())
+            .create(new StubCredentialFactory().create(), config);
+
+    ConnectionInfo connectionInfo =
+        repo.getConnectionInfo(
+                new CloudSqlInstanceName(INSTANCE_CONNECTION_NAME),
+                () -> Optional.empty(),
+                AuthType.PASSWORD,
+                newTestExecutor(),
+                Futures.immediateFuture(mockAdminApi.getClientKeyPair()))
+            .get();
+    assertThat(connectionInfo.getSslContext()).isInstanceOf(SSLContext.class);
+
+    Map<IpType, String> ipAddrs = connectionInfo.getIpAddrs();
+    assertThat(ipAddrs.get(IpType.PSC)).isEqualTo(SAMPLE_PCS_DNS_NAME);
+    assertThat(ipAddrs.size()).isEqualTo(1);
+  }
+
+  @Test
+  public void testFetchInstanceData_legacyPscDns_returnsPscForNonIpDatabase()
+      throws ExecutionException, InterruptedException, GeneralSecurityException,
+          OperatorCreationException {
+
+    MockAdminApi mockAdminApi = new MockAdminApi();
+    mockAdminApi.addConnectSettingsResponse(
+        INSTANCE_CONNECTION_NAME,
+        null,
+        null,
+        DATABASE_VERSION,
+        SAMPLE_PCS_DNS_NAME,
+        DEFAULT_BASE_URL,
+        true);
     mockAdminApi.addGenerateEphemeralCertResponse(
         INSTANCE_CONNECTION_NAME, Duration.ofHours(1), DEFAULT_BASE_URL);
     ConnectorConfig config = new ConnectorConfig.Builder().build();
@@ -122,7 +160,8 @@ private ListeningScheduledExecutorService newTestExecutor() {
   public void testFetchInstanceData_throwsException_whenIamAuthnIsNotSupported()
       throws GeneralSecurityException, OperatorCreationException {
     MockAdminApi mockAdminApi =
-        buildMockAdminApi(INSTANCE_CONNECTION_NAME, "SQLSERVER_2019_STANDARD", DEFAULT_BASE_URL);
+        buildMockAdminApi(
+            INSTANCE_CONNECTION_NAME, "SQLSERVER_2019_STANDARD", DEFAULT_BASE_URL, false);
     ConnectorConfig config = new ConnectorConfig.Builder().build();
     ConnectionInfoRepository repo =
         new StubConnectionInfoRepositoryFactory(mockAdminApi.getHttpTransport())
@@ -149,7 +188,7 @@ public void testFetchInstanceData_throwsException_whenIamAuthnIsNotSupported()
   public void testFetchInstanceData_throwsException_whenRequestsTimeout()
       throws GeneralSecurityException, OperatorCreationException {
     MockAdminApi mockAdminApi =
-        buildMockAdminApi(INSTANCE_CONNECTION_NAME, DATABASE_VERSION, DEFAULT_BASE_URL);
+        buildMockAdminApi(INSTANCE_CONNECTION_NAME, DATABASE_VERSION, DEFAULT_BASE_URL, false);
     ConnectorConfig config = new ConnectorConfig.Builder().build();
     ConnectionInfoRepository repo =
         new StubConnectionInfoRepositoryFactory(new BadConnectionFactory())
@@ -182,7 +221,7 @@ public void testSetAdminUrl_FetchInstanceData_returnsIpAddresses()
     String adminServicePath = "sqladmin/";
     String baseUrl = adminRootUrl + adminServicePath;
     MockAdminApi mockAdminApi =
-        buildMockAdminApi(INSTANCE_CONNECTION_NAME, DATABASE_VERSION, baseUrl);
+        buildMockAdminApi(INSTANCE_CONNECTION_NAME, DATABASE_VERSION, baseUrl, false);
     ConnectorConfig config =
         new ConnectorConfig.Builder()
             .withAdminRootUrl(adminRootUrl)
@@ -210,7 +249,7 @@ public void testSetAdminUrl_FetchInstanceData_returnsIpAddresses()
 
   @SuppressWarnings("SameParameterValue")
   private MockAdminApi buildMockAdminApi(
-      String instanceConnectionName, String databaseVersion, String baseUrl)
+      String instanceConnectionName, String databaseVersion, String baseUrl, boolean legacyDnsName)
       throws GeneralSecurityException, OperatorCreationException {
     MockAdminApi mockAdminApi = new MockAdminApi();
     mockAdminApi.addConnectSettingsResponse(
@@ -219,7 +258,8 @@ private MockAdminApi buildMockAdminApi(
         SAMPLE_PRIVATE_IP,
         databaseVersion,
         SAMPLE_PCS_DNS_NAME,
-        baseUrl);
+        baseUrl,
+        legacyDnsName);
     mockAdminApi.addGenerateEphemeralCertResponse(
         instanceConnectionName, Duration.ofHours(1), baseUrl);
     return mockAdminApi;

core/src/test/java/com/google/cloud/sql/core/MockAdminApi.java

@@ -26,6 +26,7 @@
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
 import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.services.sqladmin.model.ConnectSettings;
+import com.google.api.services.sqladmin.model.DnsNameMapping;
 import com.google.api.services.sqladmin.model.GenerateEphemeralCertResponse;
 import com.google.api.services.sqladmin.model.IpMapping;
 import com.google.api.services.sqladmin.model.SslCert;
@@ -38,6 +39,7 @@
 import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Date;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
@@ -83,7 +85,8 @@ public void addConnectSettingsResponse(
       String privateIp,
       String databaseVersion,
       String pscHostname,
-      String baseUrl) {
+      String baseUrl,
+      boolean legacyPscDnsName) {
     CloudSqlInstanceName cloudSqlInstanceName = new CloudSqlInstanceName(instanceConnectionName);
 
     ArrayList<IpMapping> ipMappings = new ArrayList<>();
@@ -103,10 +106,19 @@ public void addConnectSettingsResponse(
             .setServerCaCert(new SslCert().setCert(TestKeys.getServerCertPem()))
             .setDatabaseVersion(databaseVersion)
             .setPscEnabled(pscHostname != null)
-            .setDnsName(pscHostname)
             .setPscEnabled(pscHostname != null)
             .setRegion(cloudSqlInstanceName.getRegionId());
     settings.setFactory(GsonFactory.getDefaultInstance());
+    if (legacyPscDnsName) {
+      settings.setDnsName(pscHostname);
+    } else {
+      settings.setDnsNames(
+          Collections.singletonList(
+              new DnsNameMapping()
+                  .setDnsScope("INSTANCE")
+                  .setConnectionType("PRIVATE_SERVICE_CONNECT")
+                  .setName(pscHostname)));
+    }
 
     connectSettingsRequests.add(
         new ConnectSettingsRequest(cloudSqlInstanceName, settings, baseUrl));

pom.xml

@@ -148,7 +148,7 @@
       <dependency>
         <groupId>com.google.apis</groupId>
         <artifactId>google-api-services-sqladmin</artifactId>
-        <version>v1beta4-rev20250205-2.0.0</version>
+        <version>v1beta4-rev20250226-2.0.0</version>
       </dependency>
       <dependency>
         <groupId>com.google.http-client</groupId>