xds: Remove isXdsSniEnabled and align SNI logic with gRFC A101 (#12625)

## Description
Remove the `isXdsSniEnabled` (GRPC_EXPERIMENTAL_XDS_SNI) guard so that
SNI determination via xDS is always enabled. This aligns the behavior
with
**gRFC A101**, where SNI is determined by xDS configurations such as
`auto_host_sni` or `UpstreamTlsContext.sni`, without relying on an
experimental toggle.

This change does **not** remove the
`GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE` fallback logic, which
remains unchanged.

## Changes
- Remove the `isXdsSniEnabled` flag and the related conditional logic.
- Remove test cases that specifically covered behavior when the 
experimental flag was disabled, since the flag is no longer supported.

Ref #11784

Author: becomeStar

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -215,23 +215,19 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
       this.sslContextProviderSupplier = sslContextProviderSupplier;
       EnvoyServerProtoData.BaseTlsContext tlsContext = sslContextProviderSupplier.getTlsContext();
       UpstreamTlsContext upstreamTlsContext = ((UpstreamTlsContext) tlsContext);
-      if (CertificateUtils.isXdsSniEnabled) {
-        String sniToUse = upstreamTlsContext.getAutoHostSni()
-            && !Strings.isNullOrEmpty(endpointHostname)
-            ? endpointHostname : upstreamTlsContext.getSni();
-        if (sniToUse.isEmpty()) {
-          if (CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
-            sniToUse = grpcHandler.getAuthority();
-          }
-          autoSniSanValidationDoesNotApply = true;
-        } else {
-          autoSniSanValidationDoesNotApply = false;
+
+      String sniToUse = upstreamTlsContext.getAutoHostSni()
+          && !Strings.isNullOrEmpty(endpointHostname)
+          ? endpointHostname : upstreamTlsContext.getSni();
+      if (sniToUse.isEmpty()) {
+        if (CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
+          sniToUse = grpcHandler.getAuthority();
         }
-        sni = sniToUse;
+        autoSniSanValidationDoesNotApply = true;
       } else {
-        sni = grpcHandler.getAuthority();
         autoSniSanValidationDoesNotApply = false;
       }
+      sni = sniToUse;
     }
 
     @VisibleForTesting

xds/src/main/java/io/grpc/xds/internal/security/trust/CertificateUtils.java

@@ -30,7 +30,6 @@
  * Contains certificate utility method(s).
  */
 public final class CertificateUtils {
-  public static boolean isXdsSniEnabled = GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_SNI", true);
   public static boolean useChannelAuthorityIfNoSniApplicable
       = GrpcUtil.getFlag("GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE", false);
 

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -308,7 +308,7 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
 
   private List<StringMatcher> getAutoSniSanMatchers(SSLParameters sslParams) {
     List<StringMatcher> sniNamesToMatch = new ArrayList<>();
-    if (CertificateUtils.isXdsSniEnabled && autoSniSanValidation) {
+    if (autoSniSanValidation) {
       List<SNIServerName> serverNames = sslParams.getServerNames();
       if (serverNames != null) {
         for (SNIServerName serverName : serverNames) {

xds/src/test/java/io/grpc/xds/XdsSecurityClientServerTest.java

@@ -77,7 +77,6 @@
 import io.grpc.xds.internal.security.SslContextProviderSupplier;
 import io.grpc.xds.internal.security.TlsContextManagerImpl;
 import io.grpc.xds.internal.security.certprovider.FileWatcherCertificateProviderProvider;
-import io.grpc.xds.internal.security.trust.CertificateUtils;
 import io.netty.handler.ssl.NotSslRecordException;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -317,7 +316,6 @@ public void tlsClientServer_noAutoSniValidation_failureToMatchSubjAltNames()
   @Test
   public void tlsClientServer_autoSniValidation_sniInUtc()
       throws Exception {
-    CertificateUtils.isXdsSniEnabled = true;
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -341,14 +339,12 @@ public void tlsClientServer_autoSniValidation_sniInUtc()
     } finally {
       Files.deleteIfExists(trustStoreFilePath);
       clearTrustStoreSystemProperties();
-      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void tlsClientServer_autoSniValidation_sniFromHostname()
       throws Exception {
-    CertificateUtils.isXdsSniEnabled = true;
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -375,14 +371,12 @@ public void tlsClientServer_autoSniValidation_sniFromHostname()
     } finally {
       Files.deleteIfExists(trustStoreFilePath);
       clearTrustStoreSystemProperties();
-      CertificateUtils.isXdsSniEnabled = false;
     }
   }
 
   @Test
   public void tlsClientServer_autoSniValidation_noSniApplicable_usesMatcherFromCmnVdnCtx()
       throws Exception {
-    CertificateUtils.isXdsSniEnabled = true;
     Path trustStoreFilePath = getCacertFilePathForTestCa();
     try {
       setTrustStoreSystemProperties(trustStoreFilePath.toAbsolutePath().toString());
@@ -406,7 +400,6 @@ public void tlsClientServer_autoSniValidation_noSniApplicable_usesMatcherFromCmn
     } finally {
       Files.deleteIfExists(trustStoreFilePath);
       clearTrustStoreSystemProperties();
-      CertificateUtils.isXdsSniEnabled = false;
     }
   }