fix(xds): Allow and normalize trailing dot (FQDN) in matchHostName

petit_baguette · petit_baguette · commit 95ff63c90392 · 2026-02-04T21:04:13.000+09:00
diff --git a/xds/src/main/java/io/grpc/xds/RoutingUtils.java b/xds/src/main/java/io/grpc/xds/RoutingUtils.java
@@ -92,15 +92,24 @@ static VirtualHost findVirtualHostForHostName(List<VirtualHost> virtualHosts, St
    * </ol>
    */
   private static boolean matchHostName(String hostName, String pattern) {
-    checkArgument(hostName.length() != 0 && !hostName.startsWith(".") && !hostName.endsWith("."),
+    checkArgument(hostName.length() != 0 && !hostName.startsWith("."),
         "Invalid host name");
-    checkArgument(pattern.length() != 0 && !pattern.startsWith(".") && !pattern.endsWith("."),
+    checkArgument(pattern.length() != 0 && !pattern.startsWith("."),
         "Invalid pattern/domain name");
 
     hostName = hostName.toLowerCase(Locale.US);
     pattern = pattern.toLowerCase(Locale.US);
     // hostName and pattern are now in lower case -- domain names are case-insensitive.
 
+    // Strip trailing dot to normalize FQDN (e.g. "example.com.") to a relative form,
+    // as per RFC 1034 Section 3.1 the two are semantically equivalent.
+    if (hostName.endsWith(".")) {
+      hostName = hostName.substring(0, hostName.length() - 1);
+    }
+    if (pattern.endsWith(".")) {
+      pattern = pattern.substring(0, pattern.length() - 1);
+    }
+
     if (!pattern.contains("*")) {
       // Not a wildcard pattern -- hostName and pattern must match exactly.
       return hostName.equals(pattern);
diff --git a/xds/src/main/java/io/grpc/xds/XdsNameResolver.java b/xds/src/main/java/io/grpc/xds/XdsNameResolver.java
@@ -354,15 +354,24 @@ private void updateResolutionResult(XdsConfig xdsConfig) {
    */
   @VisibleForTesting
   static boolean matchHostName(String hostName, String pattern) {
-    checkArgument(hostName.length() != 0 && !hostName.startsWith(".") && !hostName.endsWith("."),
+    checkArgument(hostName.length() != 0 && !hostName.startsWith("."),
         "Invalid host name");
-    checkArgument(pattern.length() != 0 && !pattern.startsWith(".") && !pattern.endsWith("."),
+    checkArgument(pattern.length() != 0 && !pattern.startsWith("."),
         "Invalid pattern/domain name");
 
     hostName = hostName.toLowerCase(Locale.US);
     pattern = pattern.toLowerCase(Locale.US);
     // hostName and pattern are now in lower case -- domain names are case-insensitive.
 
+    // Strip trailing dot to normalize FQDN (e.g. "example.com.") to a relative form,
+    // as per RFC 1034 Section 3.1 the two are semantically equivalent.
+    if (hostName.endsWith(".")) {
+      hostName = hostName.substring(0, hostName.length() - 1);
+    }
+    if (pattern.endsWith(".")) {
+      pattern = pattern.substring(0, pattern.length() - 1);
+    }
+
     if (!pattern.contains("*")) {
       // Not a wildcard pattern -- hostName and pattern must match exactly.
       return hostName.equals(pattern);
diff --git a/xds/src/test/java/io/grpc/xds/XdsNameResolverTest.java b/xds/src/test/java/io/grpc/xds/XdsNameResolverTest.java
@@ -2062,6 +2062,27 @@ public void matchHostName_postfixWildCard() {
     assertThat(XdsNameResolver.matchHostName("foo-bar", pattern)).isTrue();
   }
 
+  @Test
+  public void matchHostName_trailingDot() {
+    // FQDN (trailing dot) is semantically equivalent to the relative form per RFC 1034 Section 3.1.
+    assertThat(XdsNameResolver.matchHostName("foo.googleapis.com.", "foo.googleapis.com")).isTrue();
+    assertThat(XdsNameResolver.matchHostName("foo.googleapis.com", "foo.googleapis.com.")).isTrue();
+    assertThat(XdsNameResolver.matchHostName("foo.googleapis.com.", "foo.googleapis.com.")).isTrue();
+    assertThat(XdsNameResolver.matchHostName("bar.googleapis.com.", "foo.googleapis.com")).isFalse();
+
+    // Wildcard + trailing dot combinations.
+    String pattern = "*.foo.googleapis.com";
+    assertThat(XdsNameResolver.matchHostName("bar.foo.googleapis.com.", pattern)).isTrue();
+    assertThat(XdsNameResolver.matchHostName("bar.foo.googleapis.com", pattern + ".")).isTrue();
+    assertThat(XdsNameResolver.matchHostName("bar.foo.googleapis.com.", pattern + ".")).isTrue();
+    assertThat(XdsNameResolver.matchHostName("foo.googleapis.com.", pattern)).isFalse();
+
+    pattern = "foo.*";
+    assertThat(XdsNameResolver.matchHostName("foo.googleapis.com.", pattern)).isTrue();
+    assertThat(XdsNameResolver.matchHostName("foo.com.", pattern)).isTrue();
+    assertThat(XdsNameResolver.matchHostName("bar.googleapis.com.", pattern)).isFalse();
+  }
+
   @Test
   public void resolved_faultAbortInLdsUpdate() {
     resolver.start(mockListener);
