http connection manager: adding support for dns san entries. Fixes #2535 (#564)

This will add a flag which, if enabled, will cause DNS SAN entries to be appended to the XFCC header.

Signed-off-by: Shakti <shaktiprakash.das@salesforce.com>
pull/618/head
Shakti Das 7 years ago committed by Matt Klein
parent 922ec7bbc7
commit c40deb34c7
  1. 15
      docs/root/configuration/http_conn_man/headers.rst
  2. 16
      envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto

@ -118,15 +118,22 @@ should be replaced by backslash-double-quote (\").
The following keys are supported: The following keys are supported:
1. ``By`` The Subject Alternative Name (SAN) of the current proxy's certificate. 1. ``By`` The Subject Alternative Name (URI type) of the current proxy's certificate.
2. ``Hash`` The SHA 256 diguest of the current client certificate. 2. ``Hash`` The SHA 256 diguest of the current client certificate.
3. ``SAN`` The SAN field (URI type) of the current client certificate. 3. ``Cert`` The entire client certificate in URL encoded PEM format.
4. ``Subject`` The Subject field of the current client certificate. The value is always double-quoted. 4. ``Subject`` The Subject field of the current client certificate. The value is always double-quoted.
5. ``URI`` The URI type Subject Alternative Name field of the current client certificate.
6. ``DNS`` The DNS type Subject Alternative Name field of the current client certificate. A client certificate may contain multiple DNS type Subject Alternative Names, each will be a separate key-value pair.
A client certificate may contain multiple Subject Alternative Name types. For details on different Subject Alternative Name types, please refer `RFC 2459`_.
.. _RFC 2459: https://tools.ietf.org/html/rfc2459#section-4.2.1.7
Some examples of the XFCC header are: Some examples of the XFCC header are:
1. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";SAN=http://testclient.lyft.com`` 1. For one client certificate with only URI type Subject Alternative Name: ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";URI=http://testclient.lyft.com``
2. ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;SAN=http://testclient.lyft.com,By=http://backend.lyft.com;Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;SAN=http://frontend.lyft.com`` 2. For two client certificates with only URI type Subject Alternative Name: ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;URI=http://testclient.lyft.com,By=http://backend.lyft.com;Hash=9ba61d6425303443c0748a02dd8de688468ed33be74eee6556d90c0149c1309e;URI=http://frontend.lyft.com``
3. For one client certificate with both URI type and DNS type Subject Alternative Name: ``x-forwarded-client-cert: By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client";URI=http://testclient.lyft.com;DNS=lyft.com;DNS=www.lyft.com``
How Envoy processes XFCC is specified by the How Envoy processes XFCC is specified by the
:ref:`forward_client_cert<config_http_conn_man_forward_client_cert>` and the :ref:`forward_client_cert<config_http_conn_man_forward_client_cert>` and the

@ -209,13 +209,22 @@ message HttpConnectionManager {
// Whether to forward the subject of the client cert. Defaults to false. // Whether to forward the subject of the client cert. Defaults to false.
google.protobuf.BoolValue subject = 1; google.protobuf.BoolValue subject = 1;
// Whether to forward the SAN of the client cert. Defaults to false. // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
google.protobuf.BoolValue san = 2; // false. This field is deprecated, use URI field instead.
google.protobuf.BoolValue san = 2 [deprecated = true];
// Whether to forward the entire client cert in URL encoded PEM format. This will appear in the // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
// XFCC header comma separated from other values with the value Cert="PEM". // XFCC header comma separated from other values with the value Cert="PEM".
// Defaults to false. // Defaults to false.
bool cert = 3; bool cert = 3;
// Whether to forward the DNS type Subject Alternative Names of the client cert.
// Defaults to false.
bool dns = 4;
// Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
// false.
bool uri = 5;
}; };
// This field is valid only when :ref:`forward_client_cert_details // This field is valid only when :ref:`forward_client_cert_details
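Review bot: the comment on the deprecated ``san`` field says "use URI field instead" but does not say how the two interact, so a config that sets ``san`` (old) alongside ``uri`` (new), or only ``san``, has no documented behaviour; add a sentence on the ``san`` field stating whether it is treated as equivalent to ``uri`` during the deprecation window, and on ``uri`` stating that it takes effect when either is set, whichever the implementation does. Also, ``san`` is a ``google.protobuf.BoolValue`` while the new ``dns`` and ``uri`` fields are plain ``bool`` (matching ``cert``); since the surrounding comments say "Defaults to false", ``bool`` is fine, but the mixed types are worth a note in the ``san`` comment so readers do not assume the wrapper type is required for the new fields. Finally, the ``dns`` comment should mention what the docs hunk already states, that a certificate with several DNS type Subject Alternative Names produces one ``DNS=`` pair per name in the XFCC header, since consumers of the header need to expect repeated keys.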
@ -223,7 +232,8 @@ message HttpConnectionManager {
// is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in
// the client certificate to be forwarded. Note that in the // the client certificate to be forwarded. Note that in the
// :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, *Hash* is always set, and // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, *Hash* is always set, and
// *By* is always set when the client certificate presents the SAN value. // *By* is always set when the client certificate presents the URI type Subject Alternative Name
// value.
SetCurrentClientCertDetails set_current_client_cert_details = 17; SetCurrentClientCertDetails set_current_client_cert_details = 17;
// If proxy_100_continue is true, Envoy will proxy incoming "Expect: // If proxy_100_continue is true, Envoy will proxy incoming "Expect:
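Review bot: the new sentence "*By* is always set when the client certificate presents the URI type Subject Alternative Name value" conflicts with the headers.rst hunk in this same commit, which defines ``By`` as the URI type SAN of the current *proxy's* certificate, not the client's; please clarify which certificate's URI SAN gates the presence of ``By`` (presumably the proxy's own certificate), since downstream services that rely on ``By`` to identify the forwarding hop need the condition stated accurately.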
