Populate origin.user attribute from the SAN field of client cert

src/envoy/mixer/http_control.cc

@@ -31,17 +31,19 @@ namespace Mixer {
 namespace {
 
 // Define attribute names
-const std::string kRequestPath = "request.path";
+const std::string kOriginUser = "origin.user";
+
+const std::string kRequestHeaders = "request.headers";
 const std::string kRequestHost = "request.host";
+const std::string kRequestPath = "request.path";
 const std::string kRequestSize = "request.size";
 const std::string kRequestTime = "request.time";
-const std::string kRequestHeaders = "request.headers";
 
 const std::string kResponseHeaders = "response.headers";
+const std::string kResponseHttpCode = "response.http.code";
+const std::string kResponseLatency = "response.latency";
 const std::string kResponseSize = "response.size";
 const std::string kResponseTime = "response.time";
-const std::string kResponseLatency = "response.latency";
-const std::string kResponseHttpCode = "response.http.code";
 
 Attributes::Value StringValue(const std::string& str) {
   Attributes::Value v;
@@ -169,9 +171,12 @@ void HttpControl::FillCheckAttributes(HeaderMap& header_map, Attributes* attr) {
   }
 }
 
-void HttpControl::Check(HttpRequestDataPtr request_data, HeaderMap& headers,
+void HttpControl::Check(HttpRequestDataPtr request_data, HeaderMap& headers, std::string origin_user,
                         DoneFunc on_done) {
   FillCheckAttributes(headers, &request_data->attributes);
+  if (origin_user != "") {
+    request_data->attributes.attributes[kOriginUser] = StringValue(origin_user);
+  }
   log().debug("Send Check: {}", request_data->attributes.DebugString());
   mixer_client_->Check(request_data->attributes, on_done);
 }

src/envoy/mixer/http_control.h

@@ -41,7 +41,7 @@ class HttpControl final : public Logger::Loggable<Logger::Id::http> {
               std::map<std::string, std::string>&& attributes);
 
   // Make mixer check call.
-  void Check(HttpRequestDataPtr request_data, HeaderMap& headers,
+  void Check(HttpRequestDataPtr request_data, HeaderMap& headers, std::string origin_user,
              ::istio::mixer_client::DoneFunc on_done);
 
   // Make mixer report call.

src/envoy/mixer/http_filter.cc

@@ -19,6 +19,7 @@
 #include "common/http/headers.h"
 #include "common/http/utility.h"
 #include "envoy/server/instance.h"
+#include "envoy/ssl/connection.h"
 #include "server/config/network/http_connection_manager.h"
 #include "src/envoy/mixer/http_control.h"
 #include "src/envoy/mixer/utils.h"
@@ -151,8 +152,15 @@ class Instance : public Http::StreamFilter, public Http::AccessLog::Instance {
     state_ = Calling;
     initiating_call_ = true;
     request_data_ = std::make_shared<HttpRequestData>();
+
+    std::string origin_user;
+    Ssl::Connection* ssl = const_cast<Ssl::Connection *>(decoder_callbacks_->ssl());
+    if (ssl != nullptr) {
+      origin_user = ssl->uriSanPeerCertificate();
+    }
+
     http_control_->Check(
-        request_data_, headers,
+        request_data_, headers, origin_user,
         wrapper([this](const Status& status) { completeCheck(status); }));
     initiating_call_ = false;
 
@@ -180,13 +188,15 @@ class Instance : public Http::StreamFilter, public Http::AccessLog::Instance {
     }
     return FilterTrailersStatus::Continue;
   }
+
   void setDecoderFilterCallbacks(
       StreamDecoderFilterCallbacks& callbacks) override {
     Log().debug("Called Mixer::Instance : {}", __func__);
     decoder_callbacks_ = &callbacks;
     decoder_callbacks_->addResetStreamCallback(
         [this]() { state_ = Responded; });
   }
+
   void completeCheck(const Status& status) {
     Log().debug("Called Mixer::Instance : check complete {}",
                 status.ToString());
@@ -197,6 +207,7 @@ class Instance : public Http::StreamFilter, public Http::AccessLog::Instance {
                               status.ToString());
       return;
     }
+
     state_ = Complete;
     if (!initiating_call_) {
       decoder_callbacks_->continueDecoding();
@@ -208,15 +219,18 @@ class Instance : public Http::StreamFilter, public Http::AccessLog::Instance {
     Log().debug("Called Mixer::Instance : {}", __func__);
     return FilterHeadersStatus::Continue;
   }
+
   virtual FilterDataStatus encodeData(Buffer::Instance& data,
                                       bool end_stream) override {
     Log().debug("Called Mixer::Instance : {}", __func__);
     return FilterDataStatus::Continue;
   }
+
   virtual FilterTrailersStatus encodeTrailers(HeaderMap& trailers) override {
     Log().debug("Called Mixer::Instance : {}", __func__);
     return FilterTrailersStatus::Continue;
   }
+
   virtual void setEncoderFilterCallbacks(
       StreamEncoderFilterCallbacks& callbacks) override {
     Log().debug("Called Mixer::Instance : {}", __func__);