istio · hklai · Jul 11, 2018 · Jul 11, 2018 · Jul 11, 2018 · Jul 11, 2018
diff --git a/include/istio/control/http/check_data.h b/include/istio/control/http/check_data.h
@@ -47,6 +47,9 @@ class CheckData {
   // Returns true if connection is mutual TLS enabled.
   virtual bool IsMutualTLS() const = 0;
 
+  // Get requested server name, SNI in case of TLS
+  virtual bool GetRequestedServerName(std::string *name) const = 0;
+
   // These headers are extracted into top level attributes.
   // This is for standard HTTP headers.  It supports both HTTP/1.1 and HTTP2
   // They can be retrieved at O(1) speed by environment (Envoy).

diff --git a/include/istio/control/tcp/check_data.h b/include/istio/control/tcp/check_data.h
@@ -37,6 +37,9 @@ class CheckData {
   // Returns true if connection is mutual TLS enabled.
   virtual bool IsMutualTLS() const = 0;
 
+  // Get requested server name, SNI in case of TLS
+  virtual bool GetRequestedServerName(std::string* name) const = 0;
+
   // Get downstream tcp connection id.
   virtual std::string GetConnectionId() const = 0;
 };

diff --git a/include/istio/utils/attribute_names.h b/include/istio/utils/attribute_names.h
@@ -65,6 +65,7 @@ struct AttributeName {
   static const char kConnectionSendTotalBytes[];
   static const char kConnectionDuration[];
   static const char kConnectionMtls[];
+  static const char kConnectionRequestedServerName[];
   static const char kConnectionId[];
   // Record TCP connection status: open, continue, close
   static const char kConnectionEvent[];

diff --git a/src/envoy/http/mixer/check_data.cc b/src/envoy/http/mixer/check_data.cc
@@ -77,6 +77,10 @@ std::map<std::string, std::string> CheckData::GetRequestHeaders() const {
 
 bool CheckData::IsMutualTLS() const { return Utils::IsMutualTLS(connection_); }
 
+bool CheckData::GetRequestedServerName(std::string* name) const {
+  return Utils::GetRequestedServerName(connection_, name);
+}
+
 bool CheckData::FindHeaderByType(HttpCheckData::HeaderType header_type,
                                  std::string* value) const {
   switch (header_type) {

diff --git a/src/envoy/http/mixer/check_data.h b/src/envoy/http/mixer/check_data.h
@@ -42,6 +42,8 @@ class CheckData : public ::istio::control::http::CheckData,
 
   bool IsMutualTLS() const override;
 
+  bool GetRequestedServerName(std::string* name) const override;
+
   bool FindHeaderByType(
       ::istio::control::http::CheckData::HeaderType header_type,
       std::string* value) const override;

diff --git a/src/envoy/tcp/mixer/filter.cc b/src/envoy/tcp/mixer/filter.cc
@@ -157,6 +157,10 @@ bool Filter::IsMutualTLS() const {
   return Utils::IsMutualTLS(&filter_callbacks_->connection());
 }
 
+bool Filter::GetRequestedServerName(std::string* name) const {
+  return Utils::GetRequestedServerName(&filter_callbacks_->connection(), name);
+}
+
 bool Filter::GetDestinationIpPort(std::string* str_ip, int* port) const {
   if (filter_callbacks_->upstreamHost() &&
       filter_callbacks_->upstreamHost()->address()) {

diff --git a/src/envoy/tcp/mixer/filter.h b/src/envoy/tcp/mixer/filter.h
@@ -53,6 +53,7 @@ class Filter : public Network::Filter,
   bool GetSourceIpPort(std::string* str_ip, int* port) const override;
   bool GetSourceUser(std::string* user) const override;
   bool IsMutualTLS() const override;
+  bool GetRequestedServerName(std::string* name) const override;
 
   // ReportData virtual functions.
   bool GetDestinationIpPort(std::string* str_ip, int* port) const override;

diff --git a/src/envoy/utils/utils.cc b/src/envoy/utils/utils.cc
@@ -116,6 +116,16 @@ bool IsMutualTLS(const Network::Connection* connection) {
          connection->ssl()->peerCertificatePresented();
 }
 
+bool GetRequestedServerName(const Network::Connection* connection,
+                            std::string* name) {
+  if (connection) {
+    *name = std::string(connection->requestedServerName());
+    return true;
+  }
+
+  return false;
+}
+
 Status ParseJsonMessage(const std::string& json, Message* output) {
   ::google::protobuf::util::JsonParseOptions options;
   options.ignore_unknown_fields = true;

diff --git a/src/envoy/utils/utils.h b/src/envoy/utils/utils.h
@@ -43,6 +43,10 @@ bool GetSourceUser(const Network::Connection* connection, std::string* user);
 // Returns true if connection is mutual TLS enabled.
 bool IsMutualTLS(const Network::Connection* connection);
 
+// Get requested server name, SNI in case of TLS
+bool GetRequestedServerName(const Network::Connection* connection,
+                            std::string* name);
+
 // Parse JSON string into message.
 ::google::protobuf::util::Status ParseJsonMessage(
     const std::string& json, ::google::protobuf::Message* output);

diff --git a/src/istio/control/http/attributes_builder.cc b/src/istio/control/http/attributes_builder.cc
@@ -157,6 +157,12 @@ void AttributesBuilder::ExtractCheckAttributes(CheckData *check_data) {
   builder.AddBool(utils::AttributeName::kConnectionMtls,
                   check_data->IsMutualTLS());
 
+  std::string requested_server_name;
+  if (check_data->GetRequestedServerName(&requested_server_name)) {
+    builder.AddString(utils::AttributeName::kConnectionRequestedServerName,
+                      requested_server_name);
+  }
+
   builder.AddTimestamp(utils::AttributeName::kRequestTime,
                        std::chrono::system_clock::now());
 

diff --git a/src/istio/control/http/attributes_builder_test.cc b/src/istio/control/http/attributes_builder_test.cc
@@ -89,6 +89,12 @@ attributes {
     bool_value: true
   }
 }
+attributes {
+  key: "connection.requested_server_name"
+  value {
+    string_value: "www.google.com"
+  }
+}
 attributes {
   key: "source.principal"
   value {
@@ -286,6 +292,11 @@ TEST(AttributesBuilderTest, TestCheckAttributes) {
   EXPECT_CALL(mock_data, IsMutualTLS()).WillOnce(Invoke([]() -> bool {
     return true;
   }));
+  EXPECT_CALL(mock_data, GetRequestedServerName(_))
+      .WillOnce(Invoke([](std::string *name) -> bool {
+        *name = "www.google.com";
+        return true;
+      }));
   EXPECT_CALL(mock_data, GetRequestHeaders())
       .WillOnce(Invoke([]() -> std::map<std::string, std::string> {
         std::map<std::string, std::string> map;
@@ -341,6 +352,11 @@ TEST(AttributesBuilderTest, TestCheckAttributesWithAuthNResult) {
   EXPECT_CALL(mock_data, IsMutualTLS()).WillOnce(Invoke([]() -> bool {
     return true;
   }));
+  EXPECT_CALL(mock_data, GetRequestedServerName(_))
+      .WillOnce(Invoke([](std::string *name) -> bool {
+        *name = "www.google.com";
+        return true;
+      }));
   EXPECT_CALL(mock_data, GetRequestHeaders())
       .WillOnce(Invoke([]() -> std::map<std::string, std::string> {
         std::map<std::string, std::string> map;

diff --git a/src/istio/control/http/mock_check_data.h b/src/istio/control/http/mock_check_data.h
@@ -44,6 +44,7 @@ class MockCheckData : public CheckData {
   MOCK_CONST_METHOD1(GetAuthenticationResult,
                      bool(istio::authn::Result *result));
   MOCK_CONST_METHOD0(IsMutualTLS, bool());
+  MOCK_CONST_METHOD1(GetRequestedServerName, bool(std::string *name));
 };
 
 // The mock object for HeaderUpdate interface.

diff --git a/src/istio/control/tcp/attributes_builder.cc b/src/istio/control/tcp/attributes_builder.cc
@@ -51,6 +51,12 @@ void AttributesBuilder::ExtractCheckAttributes(CheckData* check_data) {
   builder.AddBool(utils::AttributeName::kConnectionMtls,
                   check_data->IsMutualTLS());
 
+  std::string requested_server_name;
+  if (check_data->GetRequestedServerName(&requested_server_name)) {
+    builder.AddString(utils::AttributeName::kConnectionRequestedServerName,
+                      requested_server_name);
+  }
+
   builder.AddTimestamp(utils::AttributeName::kContextTime,
                        std::chrono::system_clock::now());
   builder.AddString(utils::AttributeName::kContextProtocol, "tcp");

diff --git a/src/istio/control/tcp/attributes_builder_test.cc b/src/istio/control/tcp/attributes_builder_test.cc
@@ -67,6 +67,12 @@ attributes {
     bool_value: true
   }
 }
+attributes {
+  key: "connection.requested_server_name"
+  value {
+    string_value: "www.google.com"
+  }
+}
 attributes {
   key: "source.principal"
   value {
@@ -305,7 +311,11 @@ TEST(AttributesBuilderTest, TestCheckAttributes) {
         return true;
       }));
   EXPECT_CALL(mock_data, GetConnectionId()).WillOnce(Return("1234-5"));
-
+  EXPECT_CALL(mock_data, GetRequestedServerName(_))
+      .WillOnce(Invoke([](std::string* name) -> bool {
+        *name = "www.google.com";
+        return true;
+      }));
   RequestContext request;
   AttributesBuilder builder(&request);
   builder.ExtractCheckAttributes(&mock_data);

diff --git a/src/istio/control/tcp/mock_check_data.h b/src/istio/control/tcp/mock_check_data.h
@@ -29,6 +29,7 @@ class MockCheckData : public CheckData {
   MOCK_CONST_METHOD2(GetSourceIpPort, bool(std::string* ip, int* port));
   MOCK_CONST_METHOD1(GetSourceUser, bool(std::string* user));
   MOCK_CONST_METHOD0(IsMutualTLS, bool());
+  MOCK_CONST_METHOD1(GetRequestedServerName, bool(std::string* name));
   MOCK_CONST_METHOD0(GetConnectionId, std::string());
 };
 

diff --git a/src/istio/utils/attribute_names.cc b/src/istio/utils/attribute_names.cc
@@ -58,6 +58,9 @@ const char AttributeName::kConnectionSendTotalBytes[] =
     "connection.sent.bytes_total";
 const char AttributeName::kConnectionDuration[] = "connection.duration";
 const char AttributeName::kConnectionMtls[] = "connection.mtls";
+const char AttributeName::kConnectionRequestedServerName[] =
+    "connection.requested_server_name";
+
 // Downstream TCP connection id.
 const char AttributeName::kConnectionId[] = "connection.id";
 const char AttributeName::kConnectionEvent[] = "connection.event";