Add connection requested server name attribute to TCP read filter

include/istio/control/http/check_data.h

@@ -47,6 +47,9 @@ class CheckData {
   // Returns true if connection is mutual TLS enabled.
   virtual bool IsMutualTLS() const = 0;
 
+  // Get requested server name, SNI in case of TLS
+  virtual std::string GetRequestedServerName() const = 0;
+
   // These headers are extracted into top level attributes.
   // This is for standard HTTP headers.  It supports both HTTP/1.1 and HTTP2
   // They can be retrieved at O(1) speed by environment (Envoy).

include/istio/control/tcp/check_data.h

@@ -37,6 +37,9 @@ class CheckData {
   // Returns true if connection is mutual TLS enabled.
   virtual bool IsMutualTLS() const = 0;
 
+  // Get requested server name, SNI in case of TLS
+  virtual std::string GetRequestedServerName() const = 0;
+
   // Get downstream tcp connection id.
   virtual std::string GetConnectionId() const = 0;
 };

include/istio/utils/attribute_names.h

@@ -65,6 +65,7 @@ struct AttributeName {
   static const char kConnectionSendTotalBytes[];
   static const char kConnectionDuration[];
   static const char kConnectionMtls[];
+  static const char kConnectionRequestedServerName[];
   static const char kConnectionId[];
   // Record TCP connection status: open, continue, close
   static const char kConnectionEvent[];

src/envoy/http/mixer/check_data.cc

@@ -77,6 +77,14 @@ std::map<std::string, std::string> CheckData::GetRequestHeaders() const {
 
 bool CheckData::IsMutualTLS() const { return Utils::IsMutualTLS(connection_); }
 
+std::string CheckData::GetRequestedServerName() const {
+  if (connection_) {
+    return std::string(connection_->requestedServerName());
+  }
+
+  return "";
+}
+
 bool CheckData::FindHeaderByType(HttpCheckData::HeaderType header_type,
                                  std::string* value) const {
   switch (header_type) {

src/envoy/http/mixer/check_data.h

@@ -41,6 +41,7 @@ class CheckData : public ::istio::control::http::CheckData,
   std::map<std::string, std::string> GetRequestHeaders() const override;
 
   bool IsMutualTLS() const override;
+  std::string GetRequestedServerName() const override;
 
   bool FindHeaderByType(
       ::istio::control::http::CheckData::HeaderType header_type,

src/envoy/tcp/mixer/filter.cc

@@ -157,6 +157,10 @@ bool Filter::IsMutualTLS() const {
   return Utils::IsMutualTLS(&filter_callbacks_->connection());
 }
 
+std::string Filter::GetRequestedServerName() const {
+  return std::string(filter_callbacks_->connection().requestedServerName());
+}
+
 bool Filter::GetDestinationIpPort(std::string* str_ip, int* port) const {
   if (filter_callbacks_->upstreamHost() &&
       filter_callbacks_->upstreamHost()->address()) {

src/envoy/tcp/mixer/filter.h

@@ -53,6 +53,7 @@ class Filter : public Network::Filter,
   bool GetSourceIpPort(std::string* str_ip, int* port) const override;
   bool GetSourceUser(std::string* user) const override;
   bool IsMutualTLS() const override;
+  std::string GetRequestedServerName() const override;
 
   // ReportData virtual functions.
   bool GetDestinationIpPort(std::string* str_ip, int* port) const override;

src/istio/control/http/attributes_builder.cc

@@ -157,6 +157,12 @@ void AttributesBuilder::ExtractCheckAttributes(CheckData *check_data) {
   builder.AddBool(utils::AttributeName::kConnectionMtls,
                   check_data->IsMutualTLS());
 
+  std::string requested_server_name = check_data->GetRequestedServerName();
+  if (!requested_server_name.empty()) {
+    builder.AddString(utils::AttributeName::kConnectionRequestedServerName,
+                      requested_server_name);
+  }
+
   builder.AddTimestamp(utils::AttributeName::kRequestTime,
                        std::chrono::system_clock::now());
 

src/istio/control/http/attributes_builder_test.cc

@@ -89,6 +89,12 @@ attributes {
     bool_value: true
   }
 }
+attributes {
+  key: "connection.requested_server_name"
+  value {
+    string_value: "www.google.com"
+  }
+}
 attributes {
   key: "source.principal"
   value {
@@ -286,6 +292,8 @@ TEST(AttributesBuilderTest, TestCheckAttributes) {
   EXPECT_CALL(mock_data, IsMutualTLS()).WillOnce(Invoke([]() -> bool {
     return true;
   }));
+  EXPECT_CALL(mock_data, GetRequestedServerName())
+      .WillOnce(testing::Return("www.google.com"));
   EXPECT_CALL(mock_data, GetRequestHeaders())
       .WillOnce(Invoke([]() -> std::map<std::string, std::string> {
         std::map<std::string, std::string> map;
@@ -341,6 +349,8 @@ TEST(AttributesBuilderTest, TestCheckAttributesWithAuthNResult) {
   EXPECT_CALL(mock_data, IsMutualTLS()).WillOnce(Invoke([]() -> bool {
     return true;
   }));
+  EXPECT_CALL(mock_data, GetRequestedServerName())
+      .WillOnce(testing::Return("www.google.com"));
   EXPECT_CALL(mock_data, GetRequestHeaders())
       .WillOnce(Invoke([]() -> std::map<std::string, std::string> {
         std::map<std::string, std::string> map;

src/istio/control/http/mock_check_data.h

@@ -44,6 +44,7 @@ class MockCheckData : public CheckData {
   MOCK_CONST_METHOD1(GetAuthenticationResult,
                      bool(istio::authn::Result *result));
   MOCK_CONST_METHOD0(IsMutualTLS, bool());
+  MOCK_CONST_METHOD0(GetRequestedServerName, std::string());
 };
 
 // The mock object for HeaderUpdate interface.

src/istio/control/tcp/attributes_builder.cc

@@ -51,6 +51,12 @@ void AttributesBuilder::ExtractCheckAttributes(CheckData* check_data) {
   builder.AddBool(utils::AttributeName::kConnectionMtls,
                   check_data->IsMutualTLS());
 
+  std::string requested_server_name = check_data->GetRequestedServerName();
+  if (!requested_server_name.empty()) {
+    builder.AddString(utils::AttributeName::kConnectionRequestedServerName,
+                      requested_server_name);
+  }
+
   builder.AddTimestamp(utils::AttributeName::kContextTime,
                        std::chrono::system_clock::now());
   builder.AddString(utils::AttributeName::kContextProtocol, "tcp");

src/istio/control/tcp/attributes_builder_test.cc

@@ -67,6 +67,12 @@ attributes {
     bool_value: true
   }
 }
+attributes {
+  key: "connection.requested_server_name"
+  value {
+    string_value: "www.google.com"
+  }
+}
 attributes {
   key: "source.principal"
   value {
@@ -305,6 +311,8 @@ TEST(AttributesBuilderTest, TestCheckAttributes) {
         return true;
       }));
   EXPECT_CALL(mock_data, GetConnectionId()).WillOnce(Return("1234-5"));
+  EXPECT_CALL(mock_data, GetRequestedServerName())
+      .WillOnce(Return("www.google.com"));
 
   RequestContext request;
   AttributesBuilder builder(&request);

src/istio/control/tcp/mock_check_data.h

@@ -29,6 +29,7 @@ class MockCheckData : public CheckData {
   MOCK_CONST_METHOD2(GetSourceIpPort, bool(std::string* ip, int* port));
   MOCK_CONST_METHOD1(GetSourceUser, bool(std::string* user));
   MOCK_CONST_METHOD0(IsMutualTLS, bool());
+  MOCK_CONST_METHOD0(GetRequestedServerName, std::string());
   MOCK_CONST_METHOD0(GetConnectionId, std::string());
 };
 

src/istio/utils/attribute_names.cc

@@ -58,6 +58,9 @@ const char AttributeName::kConnectionSendTotalBytes[] =
     "connection.sent.bytes_total";
 const char AttributeName::kConnectionDuration[] = "connection.duration";
 const char AttributeName::kConnectionMtls[] = "connection.mtls";
+const char AttributeName::kConnectionRequestedServerName[] =
+    "connection.requested_server_name";
+
 // Downstream TCP connection id.
 const char AttributeName::kConnectionId[] = "connection.id";
 const char AttributeName::kConnectionEvent[] = "connection.event";