tls: Disambiguate client and server identities (#855)

The `tls::PeerIdentity` type is used to describe both remote clients and
servers. This can easily lead to confusion, as it can be ambiguous as to
whether an identity is a client's identity or a target server's
identity.

This change introduces new marker types:

- `identity::LocalId`: The local proxy's ID;
- `tls::server::ClientId`: A remote client ID; and
- `tls::client::ServerId`: A target server ID.

Furthermore, the `tls::ReasonForNoPeerName` has been split into distinct
`tls::server::NoClientId` and `tls::client::NoServerId` types. This
change eliminates the `tls::HasPeerIdentity` and `tls::{client,
server}::HasConfig` types, in favor of simple `Into` coercions.

This change requires changes to the metric labeling.

Author: olix0r

Cargo.lock

@@ -1098,8 +1098,8 @@ dependencies = [
  "http",
  "http-body",
  "indexmap",
- "linkerd-identity",
  "linkerd-proxy-core",
+ "linkerd-tls",
  "linkerd2-proxy-api",
  "pin-project 1.0.2",
  "prost",

linkerd/app/core/src/control.rs

@@ -19,7 +19,7 @@ pub struct Config {
 #[derive(Clone, Debug)]
 pub struct ControlAddr {
     pub addr: Addr,
-    pub identity: tls::PeerIdentity,
+    pub identity: tls::ConditionalServerId,
 }
 
 impl Into<Addr> for ControlAddr {
@@ -52,7 +52,8 @@ impl Config {
         B: http::HttpBody + Send + 'static,
         B::Data: Send,
         B::Error: Into<Error> + Send + Sync,
-        I: Clone + tls::client::HasConfig + Send + 'static,
+        I: Clone + Send + 'static,
+        for<'i> &'i I: Into<tls::client::Config>,
     {
         let backoff = {
             let backoff = self.connect.backoff;
@@ -208,12 +209,12 @@ mod client {
     #[derive(Clone, Hash, Debug, Eq, PartialEq)]
     pub struct Target {
         addr: SocketAddr,
-        server_name: tls::PeerIdentity,
+        server_id: tls::ConditionalServerId,
     }
 
     impl Target {
-        pub(super) fn new(addr: SocketAddr, server_name: tls::PeerIdentity) -> Self {
-            Self { addr, server_name }
+        pub(super) fn new(addr: SocketAddr, server_id: tls::ConditionalServerId) -> Self {
+            Self { addr, server_id }
         }
     }
 
@@ -230,9 +231,9 @@ mod client {
         }
     }
 
-    impl tls::HasPeerIdentity for Target {
-        fn peer_identity(&self) -> tls::PeerIdentity {
-            self.server_name.clone()
+    impl Into<tls::ConditionalServerId> for &'_ Target {
+        fn into(self) -> tls::ConditionalServerId {
+            self.server_id.clone()
         }
     }
 

linkerd/app/core/src/errors.rs

@@ -1,4 +1,3 @@
-use crate::proxy::identity;
 use http::{header::HeaderValue, StatusCode};
 use linkerd_errno::Errno;
 use linkerd_error::Error;
@@ -7,6 +6,7 @@ use linkerd_error_respond as respond;
 pub use linkerd_error_respond::RespondLayer;
 use linkerd_proxy_http::{client_handle::Close, ClientHandle, HasH2Reason};
 use linkerd_timeout::{error::ResponseTimeout, FailFastError};
+use linkerd_tls as tls;
 use pin_project::pin_project;
 use std::pin::Pin;
 use std::task::{Context, Poll};
@@ -334,8 +334,8 @@ fn code_header(code: grpc::Code) -> HeaderValue {
 
 #[derive(Debug)]
 pub struct IdentityRequired {
-    pub required: identity::Name,
-    pub found: Option<identity::Name>,
+    pub required: tls::client::ServerId,
+    pub found: Option<tls::client::ServerId>,
 }
 
 impl std::fmt::Display for IdentityRequired {

linkerd/app/core/src/metrics.rs

@@ -2,8 +2,11 @@ pub use crate::{
     classify::{Class, SuccessOrFailure},
     control, dst, errors, http_metrics, http_metrics as metrics, opencensus, proxy,
     proxy::identity,
-    stack_metrics, telemetry,
-    transport::{self, labels::TlsStatus},
+    stack_metrics, telemetry, tls,
+    transport::{
+        self,
+        labels::{TlsAccept, TlsConnect},
+    },
 };
 use linkerd_addr::Addr;
 use linkerd_metrics::FmtLabels;
@@ -42,13 +45,24 @@ pub struct Metrics {
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct ControlLabels {
     addr: Addr,
-    tls_status: TlsStatus,
+    server_id: tls::ConditionalServerId,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub struct EndpointLabels {
-    pub direction: Direction,
-    pub tls_id: TlsStatus,
+pub enum EndpointLabels {
+    Inbound(InboundEndpointLabels),
+    Outbound(OutboundEndpointLabels),
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub struct InboundEndpointLabels {
+    pub client_id: tls::server::ConditionalTls,
+    pub authority: Option<http::uri::Authority>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub struct OutboundEndpointLabels {
+    pub server_id: tls::ConditionalServerId,
     pub authority: Option<http::uri::Authority>,
     pub labels: Option<String>,
 }
@@ -73,12 +87,6 @@ pub enum Direction {
     Out,
 }
 
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub enum TlsId {
-    ClientId(identity::Name),
-    ServerId(identity::Name),
-}
-
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 struct Authority<'a>(&'a http::uri::Authority);
 
@@ -189,15 +197,15 @@ impl From<&'_ control::ControlAddr> for ControlLabels {
     fn from(c: &'_ control::ControlAddr) -> Self {
         ControlLabels {
             addr: c.addr.clone(),
-            tls_status: c.identity.clone().map(TlsId::ServerId).into(),
+            server_id: c.identity.clone(),
         }
     }
 }
 
 impl FmtLabels for ControlLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(f, "addr=\"{}\",", self.addr)?;
-        self.tls_status.fmt_labels(f)?;
+        TlsConnect::from(&self.server_id).fmt_labels(f)?;
 
         Ok(())
     }
@@ -230,31 +238,72 @@ impl FmtLabels for RouteLabels {
 
 // === impl EndpointLabels ===
 
+impl From<InboundEndpointLabels> for EndpointLabels {
+    fn from(i: InboundEndpointLabels) -> Self {
+        Self::Inbound(i)
+    }
+}
+
+impl From<OutboundEndpointLabels> for EndpointLabels {
+    fn from(i: OutboundEndpointLabels) -> Self {
+        Self::Outbound(i)
+    }
+}
+
 impl FmtLabels for EndpointLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        let authority = self.authority.as_ref().map(Authority);
-        (&self.direction, authority).fmt_labels(f)?;
+        match self {
+            Self::Inbound(i) => (Direction::In, i).fmt_labels(f),
+            Self::Outbound(o) => (Direction::Out, o).fmt_labels(f),
+        }
+    }
+}
 
-        if let Some(labels) = self.labels.as_ref() {
-            write!(f, ",{}", labels)?;
+impl FmtLabels for InboundEndpointLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        if let Some(a) = self.authority.as_ref() {
+            Authority(a).fmt_labels(f)?;
+            write!(f, ",")?;
         }
 
-        write!(f, ",")?;
-        self.tls_id.fmt_labels(f)?;
+        TlsAccept::from(&self.client_id).fmt_labels(f)?;
 
         Ok(())
     }
 }
 
-impl FmtLabels for Direction {
+impl FmtLabels for OutboundEndpointLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        if let Some(a) = self.authority.as_ref() {
+            Authority(a).fmt_labels(f)?;
+            write!(f, ",")?;
+        }
+
+        TlsConnect::from(&self.server_id).fmt_labels(f)?;
+
+        if let Some(labels) = self.labels.as_ref() {
+            write!(f, ",{}", labels)?;
+        }
+
+        Ok(())
+    }
+}
+
+impl fmt::Display for Direction {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self {
-            Direction::In => write!(f, "direction=\"inbound\""),
-            Direction::Out => write!(f, "direction=\"outbound\""),
+            Self::In => write!(f, "inbound"),
+            Self::Out => write!(f, "outbound"),
         }
     }
 }
 
+impl FmtLabels for Direction {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "direction=\"{}\"", self)
+    }
+}
+
 impl<'a> FmtLabels for Authority<'a> {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(f, "authority=\"{}\"", self.0)
@@ -286,15 +335,6 @@ impl fmt::Display for SuccessOrFailure {
     }
 }
 
-impl FmtLabels for TlsId {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            TlsId::ClientId(ref id) => write!(f, "client_id=\"{}\"", id.as_ref()),
-            TlsId::ServerId(ref id) => write!(f, "server_id=\"{}\"", id.as_ref()),
-        }
-    }
-}
-
 // === impl StackLabels ===
 
 impl StackLabels {