xds/rbac: skip degenerate empty URI SANs in authenticatedMatcher

[ateliertoby]

Summary

The authenticatedMatcher in the xDS RBAC engine treats len(cert.URIs) > 0 as "URI SANs are present". However, a certificate can contain a degenerate empty URI SAN (url.URL{}) where String() returns "". This satisfies the length check but produces an empty-string identity, which:

• Does not match any SPIFFE-based DENY prefix rules, silently evading them
• Prevents fallthrough to DNS SANs or Subject DN per the precedence logic added in xds/rbac: enforce strict presence-based short-circuit in authenticatedMatcher #9111

This PR adds a pre-scan to skip degenerate URI entries before deciding whether URI SANs constitute a present identity source.

Root cause

Commit 94b9449 (#9111) correctly enforces strict identity source precedence per gRFC A41. But the len(cert.URIs) > 0 check does not account for Go's x509.Certificate.URIs containing entries like &url.URL{}, which x509.CreateCertificate() accepts without error.

Fix

Before treating URI SANs as "present", scan for at least one entry where String() != "". If all URI entries are degenerate, fall through to DNS SANs as if no URI SANs existed.

Test plan

• New TestAuthenticatedMatcherEmptyURISAN with 5 cases covering empty URI SAN fallthrough, mixed empty/valid URIs, and no-fallthrough when valid URIs exist
• All existing TestAuthenticatedMatcherIdentitySourcePrecedence tests pass (no regression)

RELEASE NOTES:

• xds/rbac: Fix authenticatedMatcher to skip degenerate empty URI SANs when determining the identity source, preventing silent DENY rule evasion.

[linux-foundation-easycla]

• ❌ The email address for the commit (310c57b, 562cd89) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please visit our EasyCLA portal and chat with our support bot.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.03%. Comparing base (7c47d2a) to head (562cd89).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #9123      +/-   ##
==========================================
- Coverage   83.21%   83.03%   -0.18%     
==========================================
  Files         413      413              
  Lines       33482    33487       +5     
==========================================
- Hits        27863    27807      -56     
- Misses       4212     4249      +37     
- Partials     1407     1431      +24     

Files with missing lines	Coverage Δ
internal/xds/rbac/matchers.go	78.08% <100.00%> (+0.51%)	⬆️

... and 27 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ateliertoby]

I have signed the CLA. Please recheck.