Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

access log / route headers: Expose more downstream TLS information #7019

Merged
merged 7 commits into from
May 31, 2019
Merged

access log / route headers: Expose more downstream TLS information #7019

merged 7 commits into from
May 31, 2019

Conversation

mikegrass
Copy link
Contributor

Description:

  • New accessors added for querying information about the established TLS session: issuerPeerCertificate(), ciphersuiteId(), ciphersuiteString(), tlsVersion().
  • access_log_formatter.cc and header_formatter.cc updated with new variables for exposing downstream TLS information.
  • grpc_access_log_impl.cc updated to fill in existing (but previously-hidden) ciphersuite and tls version fields.
  • Unit tests updated to exercise the above changes.

Risk Level: Low
Testing: Unit tests and ad-hoc manual testing
Docs Changes: Updated docs/root/configuration/access_log.rst and docs/root/configuration/http_conn_man/headers.rst with information on new variables.
Release Notes: Updated docs/root/intro/version_history.rst to note the changes.

More incremental progress on #3296.

@mikegrass
access log / route headers: Expose more downstream TLS information
a334309 
* New accessors added for querying information about the established TLS session: issuerPeerCertificate(), ciphersuiteId(), ciphersuiteString(), tlsVersion().

* access_log_formatter.cc and header_formatter.cc updated with new variables for exposing downstream TLS information.

* grpc_access_log_impl.cc updated to fill in existing (but previously-hidden) ciphersuite and tls version fields.

* Unit tests updated to exercise the above changes.

Signed-off-by: Mike Grass <mgrass@salesforce.com>
@mikegrass
Merge remote-tracking branch 'upstream/master' into tls-headers
3c70959 
Signed-off-by: Mike Grass <mgrass@salesforce.com>
@mikegrass
Copy link
Contributor Author

/retest

@repokitteh-read-only
Copy link

🔨 rebuilding ci/circleci: tsan (failed build)

🐱

Caused by: a #7019 (comment) was created by @mikegrass.

see: more, trace.

@repokitteh-read-only
Copy link

🤷‍♀️ nothing to rebuild.

🐱

Caused by: a #7019 (comment) was created by @mikegrass.

see: more, trace.

@mikegrass
Merge remote-tracking branch 'upstream/master' into tls-headers
f5d568c 
Signed-off-by: Mike Grass <mgrass@salesforce.com>
@mikegrass
Copy link
Contributor Author

@mattklein123 thanks for assigning a reviewer! @zuercher looking forward to your feedback!

@mikegrass
Copy link
Contributor Author

@zuercher -- anything I can do to help move this review along?

@mikegrass
Merge branch 'master' into tls-headers
f5d964d 
Signed-off-by: Mike Grass <mgrass@salesforce.com>
zuercher
zuercher reviewed May 29, 2019
View reviewed changes
Copy link
Member

@zuercher zuercher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the slow response. This looks good, just the one-off above and one other small change. Thanks for your patience!

source/extensions/transport_sockets/tls/utility.cc
case CertName::Subject:
name = X509_get_subject_name(&cert);
break;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually we'll add a default case with a NOT_REACHED_GCOVR_EXCL_LINE statement to help detect missing cases.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, thank you!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This default shouldn't be needed at all since you cover all cases. Can you remove?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mattklein123 Sure -- I've removed it in the latest commit.

@mikegrass
Re-sort version_history after merge
db3eb32 
Signed-off-by: Mike Grass <mgrass@salesforce.com>
@mikegrass
Add default case with NOT_REACHED_GCOVR_EXCL_LINE to help detect miss…
a02e937 
…ing cases

Signed-off-by: Mike Grass <mgrass@salesforce.com>
zuercher
zuercher previously approved these changes May 30, 2019
View reviewed changes
Copy link
Member

@zuercher zuercher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@mikegrass
Copy link
Contributor Author

Thanks for the review @zuercher! Is there anyone else who needs to review before this can be merged?

mattklein123
mattklein123 requested changes May 31, 2019
View reviewed changes
Copy link
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM w/ small nit. Great stuff!

/wait

source/extensions/transport_sockets/tls/utility.cc
case CertName::Subject:
name = X509_get_subject_name(&cert);
break;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This default shouldn't be needed at all since you cover all cases. Can you remove?

@mattklein123 mattklein123 self-assigned this May 31, 2019
@mikegrass
Remove default case
eb8bd35 
Signed-off-by: Mike Grass <mgrass@salesforce.com>
@mattklein123
Copy link
Member

@mikegrass friendly request to not force push in the future, it makes reviews more difficult. Thank you!

mattklein123
mattklein123 approved these changes May 31, 2019
View reviewed changes
Copy link
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@mattklein123 mattklein123 merged commit a42273b into envoyproxy:master May 31, 2019
@mikegrass
Copy link
Contributor Author

@mikegrass friendly request to not force push in the future, it makes reviews more difficult. Thank you!

@mattklein123 apologies for that! I had moved to a new computer just yesterday and had neglected to run the support/bootstrap script to set up git hooks, so my last commit was missing DCO. I followed the instructions at https://github.com/envoyproxy/envoy/blob/master/CONTRIBUTING.md#fixing-dco to fix DCO on that last commit.

Thank you for the review!

@mikegrass mikegrass deleted the tls-headers branch May 31, 2019 20:19
@ramaraochavali ramaraochavali mentioned this pull request Jun 21, 2019
Closed
@PiotrSikora PiotrSikora mentioned this pull request Jun 26, 2019
Merged
@ramaraochavali ramaraochavali mentioned this pull request Jul 22, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattklein123 mattklein123 mattklein123 approved these changes

@zuercher zuercher zuercher left review comments

Assignees

@zuercher zuercher

@mattklein123 mattklein123

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mikegrass @mattklein123 @zuercher