From 99a482fcc7d7ea492c0f21db6d442f2c066f4141 Mon Sep 17 00:00:00 2001
From: Yinjie Chen <28548492+JimmyCYJ@users.noreply.github.com>
Date: Wed, 13 Dec 2017 09:19:16 -0800
Subject: [PATCH] Strip out "spiffe://" in the identity (#719)

* Strip out "spiffe://" in the identity

* Addressed some review comments.

* Addressed review comments.
---
 src/envoy/mixer/utils.cc | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/envoy/mixer/utils.cc b/src/envoy/mixer/utils.cc
index 8e1f60493536..893fcffffc57 100644
--- a/src/envoy/mixer/utils.cc
+++ b/src/envoy/mixer/utils.cc
@@ -20,6 +20,12 @@ namespace Envoy {
 namespace Http {
 namespace Utils {
 
+namespace {
+
+const std::string kSPIFFEPrefix("spiffe://");
+
+}  // namespace
+
 std::map<std::string, std::string> ExtractHeaders(const HeaderMap& header_map) {
   std::map<std::string, std::string> headers;
   header_map.iterate(
@@ -54,7 +60,14 @@ bool GetSourceUser(const Network::Connection* connection, std::string* user) {
   if (connection) {
     Ssl::Connection* ssl = const_cast<Ssl::Connection*>(connection->ssl());
     if (ssl != nullptr) {
-      *user = ssl->uriSanPeerCertificate();
+      std::string result = ssl->uriSanPeerCertificate();
+      if (result.length() >= kSPIFFEPrefix.length() &&
+          result.compare(0, kSPIFFEPrefix.length(), kSPIFFEPrefix) == 0) {
+        // Strip out the prefix "spiffe://" in the identity.
+        *user = result.substr(kSPIFFEPrefix.size());
+      } else {
+        *user = result;
+      }
       return true;
     }
   }