access logging: pass downstream TLS information to access logs #6144
htuch merged 17 commits into envoyproxy:master from
Conversation
Passes along the Ssl::ConnectionInfo to StreamInfo, allowing it to be read in access loggers. Updates both the formatter and gRPC access logger with uri san/subject details, and wires up the SNI to the gRPC access log. Signed-off-by: Snow Pettersen <snowp@squareup.com>
This only exposes the SSL information that I found readily available, but it should be easy to expose whatever bits anyone's interested in now by adding getters to
/retest
🐴 hold your horses - no failures detected, yet.
| namespace { | ||
| // Helper that handles the case when the ConectionInfo is missiring or if the desired value is |
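Review bot: the comment on this line has two typos, "ConectionInfo" and "missiring"; suggest `// Helper that handles the case when the ConnectionInfo is missing or if the desired value is`. The same comment text appears on the later copies of this helper as well, so fix it in one place.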
| message CertificateProperties { | ||
| // The URI in the SAN field of the certificate. | ||
| string uri_san = 1; |
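Review bot: the comment on `uri_san` should say what is emitted when the certificate carries no URI SAN, since a proto3 `string` cannot distinguish an absent SAN from an empty one and gRPC log consumers need to tell the two apart. Suggest `// The URI in the SAN field of the certificate, or empty if the certificate has no URI SAN.`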
this does not quite reflect what is in X.509, perhaps something like:
message SubjectAltName {
oneof {
string uri;
string dns;
}
}
repeated SubjectAltName subject_alt_names;
Yeah, seems like SAN should be a repeated.
Sorry. I did not see this earlier. We already have CertificateDetails message which does what @lizan mentioned above. Probably there is a chance to reuse here
envoy/api/envoy/admin/v2alpha/certs.proto, line 30 in 4a5f858
| * @return the const SSL connection data if this is an SSL connection, or nullptr if it is not. | ||
| */ | ||
| virtual const Ssl::Connection* ssl() const PURE; | ||
| virtual const Ssl::ConnectionInfo* ssl() const PURE; |
Is it possible to remove this interface from Connection and move into StreamInfo? If the change will be too heavy just leave a TODO.
I'll add a TODO; it seems to require changing a bunch of functions that pass the connection around.
| } | ||
| void setDownstreamSslConnection(const Ssl::ConnectionInfo* connection_info) override { | ||
| downstream_ssl_info_ = connection_info; |
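Review bot: `setDownstreamSslConnection` stores a raw `const Ssl::ConnectionInfo*` without documenting ownership; add a comment on the setter (and on `downstream_ssl_info_`) stating that the pointer is non-owning and must outlive the StreamInfoImpl, so the lifetime assumption is recorded in the code rather than only in this review thread.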
I'm slightly worried that StreamInfoImpl might outlive Ssl::ConnectionInfo, will that be the case?
From what I can tell it seems like Ssl::ConnectionInfo/Network::Connection comes from the FilterManagerImpl which should outlive the Filters that the StreamInfoImpl belongs to. Do you think it would be useful to expose the ConnectionInfo as a shared ptr to avoid potential lifetime issues in the future?
No I think it is fine to leave as is.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
| * Base connection interface for all SSL connections. | ||
| */ | ||
| class Connection { | ||
| class ConnectionInfo { |
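Review bot: with the rename to `ConnectionInfo` the doc comment above it, `Base connection interface for all SSL connections.`, no longer matches: the class now exposes read-only information about a TLS connection (certificate details and the like) rather than being the connection itself. Suggest `Read-only information about an SSL connection.`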
| // Helper that handles the case when the ConectionInfo is missiring or if the desired value is | ||
| // empty. | ||
| StreamInfoFormatter::FieldExtractor sslConnectionStringInfoExtractor( |
Not sure if sslConnectionInfoStringExtractor sounds better.
| // empty. | ||
| StreamInfoFormatter::FieldExtractor sslConnectionStringInfoExtractor( | ||
| std::function<std::string(const Ssl::ConnectionInfo& connection_info)> string_extractor) { | ||
| return [=](const StreamInfo::StreamInfo& stream_info) { |
| // Helper that handles the case when the ConectionInfo is missiring or if the desired value is | ||
| // empty. | ||
| StreamInfoFormatter::FieldExtractor sslConnectionStringInfoExtractor( |
| TCP | ||
| String value set on ssl connection socket for Server Name Indication (SNI) | ||
| %DOWNSTREAM_LOCAL_URI_SAN% |
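Review bot: the docs for the new TLS format strings (`%DOWNSTREAM_LOCAL_URI_SAN%` here, and the SNI row above) should state what is emitted when the downstream connection is plaintext or the certificate has no URI SAN, since log consumers need to tell "not TLS" apart from "TLS without that field"; the SNI description also reads better as `String value set on the TLS connection for Server Name Indication (SNI)`.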
Not directly actionable in this PR perhaps, but we need to think about how to structurally express those fields in the logging format and keep file access log feature parity with gRPC. We'll likely have upstream TLS set for this as well, and other properties which are defined in accesslog.proto.
One random idea would be making the proto representation first class, and having some expression in the file access log to represent an extractor from there.
| } else if (field_name == "DOWNSTREAM_PEER_URI_SAN") { | ||
| field_extractor_ = | ||
| sslConnectionInfoStringExtractor([](const Ssl::ConnectionInfo& connection_info) { | ||
| return connection_info.uriSanPeerCertificate(); |
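Review bot: `DOWNSTREAM_PEER_URI_SAN` is taken from `uriSanPeerCertificate()`, i.e. from the certificate the client presented, and nothing in this hunk ties it to the outcome of certificate verification; the format string documentation should say whether the field is populated when client certificate verification is not required or fails, so that log readers do not treat the SAN as an authenticated identity when it was never verified.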
When I look at how SslSocket::uriSanPeerCertificate() is implemented today, it seems that it should really be returning all SANs. Should we fix this, so that we create template patterns that are stable and forward compatible? CC @PiotrSikora
Sure, I don't mind fixing that. I'll just have all current usages use the first SAN from the new function.
| message SubjectAltName { | ||
| oneof san { | ||
| string uri = 1; | ||
| string dns = 2; |
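Review bot: `oneof san` only covers `uri` and `dns`; X.509 also allows IP address and email SANs, so either document that those are dropped or reserve fields for them now so the message stays forward compatible. Since only `uri` is populated by this PR, the `dns` field should carry a not-implemented annotation.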
A not implemented annotation is also fine.
@snowp need master merge.
htuch left a comment
Looks good, just one question (which is somewhat orthogonal to what you're doing here anyway..).
htuch left a comment
LGTM, needs master merge. Do we want release notes?
Passes along the Ssl::ConnectionInfo (renamed from Ssl::Connection)
to StreamInfo, allowing it to be read in access loggers. Updates both
the formatter and gRPC access logger with uri san/subject details,
and adds the SNI to the gRPC access log.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Risk Level: Low
Testing: Unit tests
Docs Changes: Added description for new access log formats
Release Notes: n/a
#4926