accesslog: add field to TLSProperties in data.accesslog.v3.AccessLogCommon (#31508)

* accesslog: add field to TLSProperties in data.accesslog.v3.AccessLogCommon

Signed-off-by: Li <[email protected]>

* Update changelogs/current.yaml

Signed-off-by: code <[email protected]>
Signed-off-by: Li <[email protected]>

Signed-off-by: Li <[email protected]>

* fix integration_test for issuer

Signed-off-by: Li <[email protected]>

Signed-off-by: Li <[email protected]>

* fix missing value for issuerPeerCertificate in test case

Signed-off-by: Li <[email protected]>

Signed-off-by: Li <[email protected]>

---------

Signed-off-by: Li <[email protected]>
Signed-off-by: Li <[email protected]>
Co-authored-by: Li <[email protected]>
Co-authored-by: code <[email protected]>
3 people authored Jan 10, 2024
1 parent c121ee4 commit 24ffda3
Showing 5 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions api/envoy/data/accesslog/v3/accesslog.proto
@@ -409,6 +409,9 @@ message TLSProperties {

// The subject field of the certificate.
string subject = 2;

// The issuer field of the certificate.
string issuer = 3;
}

// Version of TLS that was negotiated.
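Review bot: the comment on the new `issuer` field (`// The issuer field of the certificate.`) should state what form the value takes and when it is populated. Suggest following the `subject` comment's convention and saying that it carries the issuer distinguished name as a string and, since this change only sets it from the peer certificate, that it stays empty for the local certificate properties; a field in a v3 API message is hard to re-document once consumers depend on it.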
3 changes: 3 additions & 0 deletions changelogs/current.yaml
@@ -46,6 +46,9 @@ behavior_changes:
Handle empty response bodies in ``grpc_http1_reverse_bridge``. This may cause problems for clients expecting the filter to crash
for empty responses. This behavioral change can be temporarily reverted by setting runtime guard
``envoy.reloadable_features.grpc_http1_reverse_bridge_handle_empty_response`` to ``false``.
- area: access_log
change: |
Added issuer in certificate_properties to the gRPC access log service(AlS).
minor_behavior_changes:
# *Changes that may cause incompatibilities for some users, but should not for most*
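Review bot: the new entry is appended under `behavior_changes:` (see the hunk header), but adding an output-only field to the access log alters no existing behaviour, so a purely additive change belongs under `new_features`. In the `change:` text, `service(AlS)` should read `service (ALS)`, with a space before the parenthesis and the acronym capitalised consistently.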
@@ -204,6 +204,9 @@ void Utility::extractCommonAccessLogProperties(
}

peer_properties->set_subject(downstream_ssl_connection->subjectPeerCertificate());
peer_properties->set_issuer(
MessageUtil::sanitizeUtf8String(downstream_ssl_connection->issuerPeerCertificate()));

tls_properties->set_tls_session_id(
MessageUtil::sanitizeUtf8String(downstream_ssl_connection->sessionId()));
tls_properties->set_tls_version(
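Review bot: `set_issuer` runs the value through `MessageUtil::sanitizeUtf8String`, but `set_subject` on the line above it does not, although both strings are read from the same peer certificate and neither is under Envoy's control. Sanitising the issuer DN before it is stored in the protobuf is the right call, since an untrusted peer chooses the DN bytes in its certificate; either give `subject` the same treatment or add a comment explaining why only `issuer` needs it, so the asymmetry does not read as an oversight. Note also that only `peer_properties` receives an issuer in this hunk; the local certificate properties are not given one.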
@@ -461,6 +461,8 @@ response: {}
ON_CALL(*connection_info, uriSanLocalCertificate()).WillByDefault(Return(localSans));
const std::string peerSubject = "peerSubject";
ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(peerSubject));
const std::string peerIssuer = "peerIssuer";
ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(peerIssuer));
const std::string localSubject = "localSubject";
ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(localSubject));
const std::string sessionId =
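Review bot: the mocked issuer `"peerIssuer"` is plain ASCII, so this test never exercises the `MessageUtil::sanitizeUtf8String` call that the production change wraps around `issuerPeerCertificate()`. Suggest one case in which the mock returns a string containing an invalid UTF-8 byte sequence and the expected YAML asserts the sanitised value, so that a later refactor dropping the sanitisation is caught.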
@@ -512,6 +514,7 @@ response: {}
- uri: peerSan1
- uri: peerSan2
subject: peerSubject
issuer: peerIssuer
tls_session_id: D62A523A65695219D46FE1FFE285A4C371425ACE421B110B5B8D11D3EB4D5F0B
request:
request_method: "METHOD_UNSPECIFIED"
@@ -530,6 +533,7 @@ response: {}
auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
const std::string empty;
ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
const std::string tlsVersion = "TLSv1.2";
@@ -586,6 +590,7 @@ response: {}
auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
const std::string empty;
ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
const std::string tlsVersion = "TLSv1.1";
@@ -642,6 +647,7 @@ response: {}
auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
const std::string empty;
ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
const std::string tlsVersion = "TLSv1";
@@ -698,6 +704,7 @@ response: {}
auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
const std::string empty;
ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
const std::string tlsVersion = "TLSv1.4";
@@ -536,6 +536,7 @@ TEST_P(TcpGrpcAccessLogIntegrationTest, SslTerminatedNoJA3) {
subject_alt_name:
uri: "spiffe://lyft.com/frontend-team"
subject: "[email protected],CN=Test Frontend Team,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
issuer: "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
upstream_remote_address:
socket_address:
upstream_local_address:
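Review bot: the expected `issuer` DN is a hard-coded literal tied to the test CA used by this integration suite, and like the `subject` line above it, it will go stale without a clear error if the test certificates are regenerated. A short comment pointing to where those certificates come from, or deriving the expected value from the same source the test loads its certificates from, would make the coupling explicit.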
@@ -600,6 +601,7 @@ TEST_P(TcpGrpcAccessLogIntegrationTest, SslTerminatedWithJA3) {
subject_alt_name:
uri: "spiffe://lyft.com/frontend-team"
subject: "[email protected],CN=Test Frontend Team,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
issuer: "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
upstream_remote_address:
socket_address:
upstream_local_address: