From c1bfd67e88c254a25897c07d1056bd4052a0d99c Mon Sep 17 00:00:00 2001
From: jackwotherspoon
Date: Mon, 30 Sep 2024 15:23:26 +0000
Subject: [PATCH] chore: add test for altname mismatch

---
 test/socket.ts | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/test/socket.ts b/test/socket.ts
index 5e5ab1c3..29df2072 100644
--- test/socket.ts
+++ test/socket.ts
@@ -101,3 +101,26 @@ t.test('validateCertificate mismatch', async t => {
 'should return a missing cert to verify error'
 );
 });
+
+t.test('validateCertificate mismatch CAS CA', async t => {
+ const cert = {
+ subjectaltname: 'DNS:abcde.12345.us-central1.sql.goog',
+ } as tls.PeerCertificate;
+ t.match(
+ validateCertificate(
+ {
+ projectId: 'my-project',
+ regionId: 'region-id',
+ instanceId: 'my-instance',
+ },
+ 'GOOGLE_MANAGED_CAS_CA',
+ 'bad.dns.us-central1.sql.goog'
+ )('hostname', cert),
+ {
+ message:
+ "Hostname/IP does not match certificate's altnames: Host: bad.dns.us-central1.sql.goog. is not in the cert's altnames: DNS:abcde.12345.us-central1.sql.goog",
+ code: 'ERR_TLS_CERT_ALTNAME_INVALID',
+ },
+ 'should return an invalid altname error'
+ );
+});
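Review bot: The expected `message` in the `t.match` pattern pins the full error text, including the `Host: bad.dns.us-central1.sql.goog.` wording. That wording looks like it comes from Node's own hostname check rather than from this project (the implementation is not visible in the hunk); if so, a runtime upgrade that rewords it would fail the test with no change in verification behaviour. The stable contract is `code: 'ERR_TLS_CERT_ALTNAME_INVALID'`, so consider narrowing the text check to `message: /bad\.dns\.us-central1\.sql\.goog/`. That still shows the configured DNS name, not the `'hostname'` argument, was compared against the SAN, and a short comment above the call, e.g. `// CAS CA mode: the configured DNS name, not the 'hostname' argument, is checked against the SAN`, would state that intent (assuming that is how validateCertificate behaves). Only the rejection path is added here; a companion case where the SAN matches the DNS name and no error is returned would guard against a check that rejects everything.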