accesslog: add field to TLSProperties in data.accesslog.v3.AccessLogCommon (envoyproxy#31508)

liwanxue · Wanxue18 · code · web-flow · commit 24ffda3f4f4d · 2024-01-10T04:56:49.000Z
* accesslog: add field to TLSProperties in data.accesslog.v3.AccessLogCommon

Signed-off-by: Li &lt;wanxuli@ebay.com&gt;

* Update changelogs/current.yaml

Signed-off-by: code &lt;wangbaiping@corp.netease.com&gt;
Signed-off-by: Li &lt;wanxuli@ebay.com&gt;

Signed-off-by: Li &lt;929683467@qq.com&gt;

* fix intergration_test for issuer

Signed-off-by: Li &lt;wanxuli@ebay.com&gt;

Signed-off-by: Li &lt;929683467@qq.com&gt;

* fix missing value for issuerPeerCertificate in test case

Signed-off-by: Li &lt;wanxuli@ebay.com&gt;

Signed-off-by: Li &lt;929683467@qq.com&gt;

---------

Signed-off-by: Li &lt;wanxuli@ebay.com&gt;
Signed-off-by: Li &lt;929683467@qq.com&gt;
Co-authored-by: Li &lt;wanxuli@ebay.com&gt;
Co-authored-by: code &lt;wangbaiping@corp.netease.com&gt;
diff --git a/api/envoy/data/accesslog/v3/accesslog.proto b/api/envoy/data/accesslog/v3/accesslog.proto
@@ -409,6 +409,9 @@ message TLSProperties {
 
     // The subject field of the certificate.
     string subject = 2;
+
+    // The issuer field of the certificate.
+    string issuer = 3;
   }
 
   // Version of TLS that was negotiated.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -46,6 +46,9 @@ behavior_changes:
     Handle empty response bodies in ``grpc_http1_reverse_bridge``. This may cause problems for clients expecting the filter to crash
     for empty responses.  This behavioral change can be temporarily reverted by setting runtime guard
     ``envoy.reloadable_features.grpc_http1_reverse_bridge_handle_empty_response`` to ``false``.
+- area: access_log
+  change: |
+    Added issuer in certificate_properties to the gRPC access log service(AlS).
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*
diff --git a/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc b/source/extensions/access_loggers/grpc/grpc_access_log_utils.cc
@@ -204,6 +204,9 @@ void Utility::extractCommonAccessLogProperties(
     }
 
     peer_properties->set_subject(downstream_ssl_connection->subjectPeerCertificate());
+    peer_properties->set_issuer(
+        MessageUtil::sanitizeUtf8String(downstream_ssl_connection->issuerPeerCertificate()));
+
     tls_properties->set_tls_session_id(
         MessageUtil::sanitizeUtf8String(downstream_ssl_connection->sessionId()));
     tls_properties->set_tls_version(
diff --git a/test/extensions/access_loggers/grpc/http_grpc_access_log_impl_test.cc b/test/extensions/access_loggers/grpc/http_grpc_access_log_impl_test.cc
@@ -461,6 +461,8 @@ response: {}
     ON_CALL(*connection_info, uriSanLocalCertificate()).WillByDefault(Return(localSans));
     const std::string peerSubject = "peerSubject";
     ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(peerSubject));
+    const std::string peerIssuer = "peerIssuer";
+    ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(peerIssuer));
     const std::string localSubject = "localSubject";
     ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(localSubject));
     const std::string sessionId =
@@ -512,6 +514,7 @@ response: {}
       - uri: peerSan1
       - uri: peerSan2
       subject: peerSubject
+      issuer: peerIssuer
     tls_session_id: D62A523A65695219D46FE1FFE285A4C371425ACE421B110B5B8D11D3EB4D5F0B
 request:
   request_method: "METHOD_UNSPECIFIED"
@@ -530,6 +533,7 @@ response: {}
     auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
     const std::string empty;
     ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
+    ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
     const std::string tlsVersion = "TLSv1.2";
@@ -586,6 +590,7 @@ response: {}
     auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
     const std::string empty;
     ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
+    ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
     const std::string tlsVersion = "TLSv1.1";
@@ -642,6 +647,7 @@ response: {}
     auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
     const std::string empty;
     ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
+    ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
     const std::string tlsVersion = "TLSv1";
@@ -698,6 +704,7 @@ response: {}
     auto connection_info = std::make_shared<NiceMock<Ssl::MockConnectionInfo>>();
     const std::string empty;
     ON_CALL(*connection_info, subjectPeerCertificate()).WillByDefault(ReturnRef(empty));
+    ON_CALL(*connection_info, issuerPeerCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, subjectLocalCertificate()).WillByDefault(ReturnRef(empty));
     ON_CALL(*connection_info, sessionId()).WillByDefault(ReturnRef(empty));
     const std::string tlsVersion = "TLSv1.4";
diff --git a/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc b/test/extensions/access_loggers/grpc/tcp_grpc_access_log_integration_test.cc
@@ -536,6 +536,7 @@ TEST_P(TcpGrpcAccessLogIntegrationTest, SslTerminatedNoJA3) {
           subject_alt_name:
             uri: "spiffe://lyft.com/frontend-team"
           subject: "emailAddress=frontend-team@lyft.com,CN=Test Frontend Team,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
+          issuer: "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
       upstream_remote_address:
         socket_address:
       upstream_local_address:
@@ -600,6 +601,7 @@ TEST_P(TcpGrpcAccessLogIntegrationTest, SslTerminatedWithJA3) {
           subject_alt_name:
             uri: "spiffe://lyft.com/frontend-team"
           subject: "emailAddress=frontend-team@lyft.com,CN=Test Frontend Team,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
+          issuer: "CN=Test CA,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US"
       upstream_remote_address:
         socket_address:
       upstream_local_address:

Original file line number	Diff line number	Diff line change
`@@ -409,6 +409,9 @@ message TLSProperties {`
`409`	`409`
`410`	`410`	`// The subject field of the certificate.`
`411`	`411`	`string subject = 2;`
	`412`	`+`
	`413`	`+ // The issuer field of the certificate.`
	`414`	`+ string issuer = 3;`
`412`	`415`	`}`
`413`	`416`
`414`	`417`	`// Version of TLS that was negotiated.`
Original file line number	Diff line number	Diff line change
`@@ -204,6 +204,9 @@ void Utility::extractCommonAccessLogProperties(`
`204`	`204`	`}`
`205`	`205`
`206`	`206`	`peer_properties->set_subject(downstream_ssl_connection->subjectPeerCertificate());`
	`207`	`+ peer_properties->set_issuer(`
	`208`	`+ MessageUtil::sanitizeUtf8String(downstream_ssl_connection->issuerPeerCertificate()));`
	`209`	`+`
`207`	`210`	`tls_properties->set_tls_session_id(`
`208`	`211`	`MessageUtil::sanitizeUtf8String(downstream_ssl_connection->sessionId()));`
`209`	`212`	`tls_properties->set_tls_version(`