From fe2369400c4bcecb6d77de858bb4401e912bf82f Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Tue, 9 Jun 2020 13:45:03 -0600
Subject: [PATCH] proxy: only set validation context if trusted_ca is used (#863)

* proxy: only set validation context if trusted_ca is used

* fix test
---
 internal/controlplane/xds_listeners.go | 21 +++++++++++++--------
 internal/controlplane/xds_listeners_test.go | 5 +----
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/internal/controlplane/xds_listeners.go b/internal/controlplane/xds_listeners.go
index 3341c8a25..9eaf81ba7 100644
--- a/internal/controlplane/xds_listeners.go
+++ b/internal/controlplane/xds_listeners.go
@@ -348,17 +348,22 @@ func buildDownstreamTLSContext(options *config.Options, domain string) *envoy_ex
 		trustedCA = inlineFilename(options.ClientCAFile)
 	}
 
+	var validationContext *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext
+	if trustedCA != nil {
+		validationContext = &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
+			ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
+				TrustedCa:              trustedCA,
+				TrustChainVerification: envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext_ACCEPT_UNTRUSTED,
+			},
+		}
+	}
+
 	envoyCert := envoyTLSCertificateFromGoTLSCertificate(cert)
 	return &envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext{
 		CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{
-			TlsCertificates: []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert},
-			AlpnProtocols:   []string{"h2", "http/1.1"},
-			ValidationContextType: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
-				ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
-					TrustedCa:              trustedCA,
-					TrustChainVerification: envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext_ACCEPT_UNTRUSTED,
-				},
-			},
+			TlsCertificates:       []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert},
+			AlpnProtocols:         []string{"h2", "http/1.1"},
+			ValidationContextType: validationContext,
 		},
 	}
 }
diff --git a/internal/controlplane/xds_listeners_test.go b/internal/controlplane/xds_listeners_test.go
index 18050b492..2e36f6eb2 100644
--- a/internal/controlplane/xds_listeners_test.go
+++ b/internal/controlplane/xds_listeners_test.go
@@ -313,10 +313,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 				"filename": "`+keyFileName+`"
 			}
 		}
-	],
-	"validationContext": {
-		"trustChainVerification": "ACCEPT_UNTRUSTED"
-	}
+	]
 }
 }`, downstreamTLSContext)
 }
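Review bot: The new validation context still sets `TrustChainVerification` to `ACCEPT_UNTRUSTED`, so even when a client CA is configured the TLS handshake will not reject a certificate that fails chain verification against it, and the hunk does not say where that verification is expected to happen. A comment above the `if trustedCA != nil` block would stop the next reader from assuming the CA enforces anything at the transport layer, e.g. `// ACCEPT_UNTRUSTED makes Envoy request the client certificate and record the verification result without failing the handshake; enforcement is expected downstream (confirm against the authorization policy).` The same comment should state that a nil ValidationContextType means no client certificate is requested at all, since that is the new behaviour when no trusted_ca is set. buildDownstreamTLSContext starts outside the hunk, so how trustedCA is derived before line 348 is not visible here.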
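Review bot: Removing the `validationContext` assertion leaves Test_buildDownstreamTLSContext pinning only the path where no client CA is configured, so the new `if trustedCA != nil` branch in xds_listeners.go has no expectation in this hunk. Unless another case already covers it, a second sub-test that sets `ClientCAFile` and asserts the emitted `validationContext` carries `trustedCa` and `"trustChainVerification": "ACCEPT_UNTRUSTED"` would keep the CA path from regressing silently. Test_buildDownstreamTLSContext starts outside the hunk.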