tls: implement SPIFFE Certificate Validator for independent multiple …

…trust domain support (#14884)

Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. 
Risk Level: low (only adding the new extension point and one implementation for it)
Testing: unit tests and integration tests.
Docs Changes: 
Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support.

Signed-off-by: Takeshi Yoneda <[email protected]>

CODEOWNERS

@@ -41,6 +41,8 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/transport_sockets/alts @htuch @yangminzhu
 # tls transport socket extension
 /*/extensions/transport_sockets/tls @lizan @asraa @ggreenway
+# tls SPIFFE certificate validator extension
+/*/extensions/transport_sockets/tls/cert_validator/spiffe @mathetake @lizan
 # proxy protocol socket extension
 /*/extensions/transport_sockets/proxy_protocol @alyssawilk @wez470
 # common transport socket

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/type/matcher/v3/string.proto";
 
 import "google/protobuf/any.proto";
@@ -211,7 +212,7 @@ message TlsSessionTicketKeys {
       [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message CertificateValidationContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.CertificateValidationContext";
@@ -371,4 +372,16 @@ message CertificateValidationContext {
   // Certificate trust chain verification mode.
   TrustChainVerification trust_chain_verification = 10
       [(validate.rules).enum = {defined_only: true}];
+
+  // The configuration of an extension specific certificate validator.
+  // If specified, all validation is done by the specified validator,
+  // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
+  // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
+  // The following names are available here:
+  //
+  // .. _extension_envoy.tls.cert_validator.spiffe:
+  //
+  // **envoy.tls.cert_validator.spiffe**: `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
+  // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for more information.
+  config.core.v3.TypedExtensionConfig custom_validator_config = 12;
 }

api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto

@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
+option java_outer_classname = "TlsSpiffeValidatorConfigProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: SPIFFE Certificate Validator]
+
+// Configuration specific to the SPIFFE certificate validator provided at
+// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config>`.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+//  custom_validator_config:
+//    name: envoy.tls.cert_validator.spiffe
+//    typed_config:
+//      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
+//      trust_domains:
+//      - name: foo.com
+//        trust_bundle:
+//          filename: "foo.pem"
+//      - name: envoy.com
+//        trust_bundle:
+//          filename: "envoy.pem"
+//
+// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
+// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
+// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
+// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
+message SPIFFECertValidatorConfig {
+  message TrustDomain {
+    // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+    // Note that this must *not* have "spiffe://" prefix.
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
+    config.core.v3.DataSource trust_bundle = 2;
+  }
+
+  // This field specifies trust domains used for validating incoming X.509-SVID(s).
+  repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
+}

bazel/envoy_library.bzl

@@ -91,6 +91,7 @@ EXTENSION_CATEGORIES = [
     "envoy.tracers",
     "envoy.transport_sockets.downstream",
     "envoy.transport_sockets.upstream",
+    "envoy.tls.cert_validator",
     "envoy.upstreams",
     "envoy.wasm.runtime",
     "DELIBERATELY_OMITTED",

docs/root/version_history/current.rst

@@ -123,6 +123,7 @@ New Features
 * tcp_proxy: added a :ref:`use_post field <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.use_post>` for using HTTP POST to proxy TCP streams.
 * tcp_proxy: added a :ref:`headers_to_add field <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.headers_to_add>` for setting additional headers to the HTTP requests for TCP proxing.
 * thrift_proxy: added a :ref:`max_requests_per_connection field <envoy_v3_api_field_extensions.filters.network.thrift_proxy.v3.ThriftProxy.max_requests_per_connection>` for setting maximum requests for per downstream connection.
+* tls peer certificate validation: added :ref:`SPIFFE validator <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for supporting isolated multiple trust bundles in a single listener or cluster.
 
 Deprecated
 ----------