From 2150904f0114e183a05c901609dbbb7c66e2d631 Mon Sep 17 00:00:00 2001
From: Gao Hongtao
Date: Fri, 27 Nov 2020 12:39:09 +0800
Subject: [PATCH] Include SAN to set mTLS property (#5908)

* Include SAN to set mTLS property
* Fix codes as SAN is a list.
* Update the changelog.

Signed-off-by: Gao Hongtao
Co-authored-by: Wu Sheng
---
 CHANGES.md | 1 +
 .../envoy/als/LogEntry2MetricsAdapter.java | 29 +++++++++++++++----
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 2cf50a8235..ee96fbeae1 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -57,6 +57,7 @@ Release Notes.
 * Add otel rules to ui template to observe Istio control plane.
 * Remove istio mixer
 * Support close influxdb batch write model.
+* Check SAN in the ALS (m)TLS process.
 
 #### UI
 * Fix incorrect label in radial chart in topology.
diff --git a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
index df3bab8fb7..0ded78ef52 100644
--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
@@ -28,6 +28,7 @@ import io.envoyproxy.envoy.data.accesslog.v2.HTTPResponseProperties;
 import io.envoyproxy.envoy.data.accesslog.v2.ResponseFlags;
 import io.envoyproxy.envoy.data.accesslog.v2.TLSProperties;
 import java.time.Instant;
+import java.util.List;
 import java.util.Optional;
 import lombok.RequiredArgsConstructor;
 import org.apache.skywalking.apm.network.common.v3.DetectPoint;
@@ -156,14 +157,16 @@ public class LogEntry2MetricsAdapter {
 if (properties == null) {
 return NON_TLS;
 }
- if (isNullOrEmpty(Optional.ofNullable(properties.getLocalCertificateProperties())
- .orElse(TLSProperties.CertificateProperties.newBuilder().build())
- .getSubject())) {
+ TLSProperties.CertificateProperties lp = Optional
+ .ofNullable(properties.getLocalCertificateProperties())
+ .orElse(TLSProperties.CertificateProperties.newBuilder().build());
+ if (isNullOrEmpty(lp.getSubject()) && !hasSAN(lp.getSubjectAltNameList())) {
 return NON_TLS;
 }
- if (isNullOrEmpty(Optional.ofNullable(properties.getPeerCertificateProperties())
- .orElse(TLSProperties.CertificateProperties.newBuilder().build())
- .getSubject())) {
+ TLSProperties.CertificateProperties pp = Optional
+ .ofNullable(properties.getPeerCertificateProperties())
+ .orElse(TLSProperties.CertificateProperties.newBuilder().build());
+ if (isNullOrEmpty(pp.getSubject()) && !hasSAN(pp.getSubjectAltNameList())) {
 return TLS;
 }
 return M_TLS;
@@ -217,4 +220,18 @@ public class LogEntry2MetricsAdapter {
 }
 return "";
 }
+
+ /**
+ * @param subjectAltNameList from ALS LocalCertificateProperties and PeerCertificateProperties
+ * @return true is there is at least one SAN, based on URI check.
+ */
+ private static boolean hasSAN(List subjectAltNameList) {
+ for (final TLSProperties.CertificateProperties.SubjectAltName san : subjectAltNameList) {
+ // Don't check DNS for now, as it is tagged not-implemented in ALS v2
+ if (!isNullOrEmpty(san.getUri())) {
+ return true;
+ }
+ }
+ return false;
+ }
 }
-- GitLab
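Review bot: The local and peer checks in the first hunk are the same predicate written out twice, and the terse names `lp`/`pp` make the two `if` lines easy to confuse; a helper such as `private static boolean hasIdentity(TLSProperties.CertificateProperties cert) { return !isNullOrEmpty(cert.getSubject()) || hasSAN(cert.getSubjectAltNameList()); }` would reduce the branches to `if (!hasIdentity(localCert)) { return NON_TLS; }` and `if (!hasIdentity(peerCert)) { return TLS; }`. It is also worth stating in a comment that this is a presence heuristic: only the emptiness of the subject and URI SAN fields reported in the access log is inspected, and nothing in this method shows the peer certificate was validated by the proxy, so a line like `// A non-empty subject or URI SAN is taken to mean "a certificate was presented"; this does not assert that the peer certificate was verified.` would stop later readers from treating M_TLS as a verified-identity result. The enclosing method begins before the hunk and its closing brace lies outside it.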
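Review bot: `hasSAN(List subjectAltNameList)` in the second hunk is declared with a raw `List` as rendered here, and an enhanced for over a raw `List` yields `Object` elements, so the loop variable typed `TLSProperties.CertificateProperties.SubjectAltName` would not compile; if the type argument was merely stripped by the rendering, disregard this, otherwise the parameter should read `List<TLSProperties.CertificateProperties.SubjectAltName> subjectAltNameList`. The Javadoc `@return` has a typo, `true is there is` should be `true if there is`, and it should state that only URI SANs are considered, so a certificate carrying only DNS SANs together with an empty subject is treated by the caller as no certificate at all. The loop could also be written as a single expression, `return subjectAltNameList.stream().map(TLSProperties.CertificateProperties.SubjectAltName::getUri).anyMatch(uri -> !isNullOrEmpty(uri));`, though the explicit loop is acceptable as is.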