Include SAN to set mTLS property (#5908)

* Include SAN to set mTLS property * Fix codes as SAN is a list. * Update the changelog. Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> Co-authored-by: Wu Sheng <wu.sheng@foxmail.com>

Include SAN to set mTLS property (#5908)
* Include SAN to set mTLS property * Fix codes as SAN is a list. * Update the changelog. Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> Co-authored-by: Wu Sheng <wu.sheng@foxmail.com>
2150904f · Gao Hongtao · GitHub · 9a61835c · 2150904f · 2150904f
2 changed file
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -57,6 +57,7 @@ Release Notes.
 * Add otel rules to ui template to observe Istio control plane.
 * Remove istio mixer
 * Support close influxdb batch write model.
+* Check SAN in the ALS (m)TLS process.
 #### UI
 * Fix incorrect label in radial chart in topology.

--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/envoy/als/LogEntry2MetricsAdapter.java
@@ -28,6 +28,7 @@ import io.envoyproxy.envoy.data.accesslog.v2.HTTPResponseProperties;
 import io.envoyproxy.envoy.data.accesslog.v2.ResponseFlags;
 import io.envoyproxy.envoy.data.accesslog.v2.TLSProperties;
 import java.time.Instant;
+import java.util.List;
 import java.util.Optional;
 import lombok.RequiredArgsConstructor;
 import org.apache.skywalking.apm.network.common.v3.DetectPoint;
@@ -156,14 +157,16 @@ public class LogEntry2MetricsAdapter {
        if (properties == null) {
            return NON_TLS;
        }
-        if (isNullOrEmpty(Optional.ofNullable(properties.getLocalCertificateProperties())
+        TLSProperties.CertificateProperties lp = Optional
-                                  .orElse(TLSProperties.CertificateProperties.newBuilder().build())
+            .ofNullable(properties.getLocalCertificateProperties())
-                                  .getSubject())) {
+            .orElse(TLSProperties.CertificateProperties.newBuilder().build());
+        if (isNullOrEmpty(lp.getSubject()) && !hasSAN(lp.getSubjectAltNameList())) {
            return NON_TLS;
        }
-        if (isNullOrEmpty(Optional.ofNullable(properties.getPeerCertificateProperties())
+        TLSProperties.CertificateProperties pp = Optional
-                                  .orElse(TLSProperties.CertificateProperties.newBuilder().build())
+            .ofNullable(properties.getPeerCertificateProperties())
-                                  .getSubject())) {
+            .orElse(TLSProperties.CertificateProperties.newBuilder().build());
+        if (isNullOrEmpty(pp.getSubject()) && !hasSAN(pp.getSubjectAltNameList())) {
            return TLS;
        }
        return M_TLS;
@@ -217,4 +220,18 @@ public class LogEntry2MetricsAdapter {
        }
        return "";
    }
+    /**
+     * @param subjectAltNameList from ALS LocalCertificateProperties and PeerCertificateProperties
+     * @return true is there is at least one SAN, based on URI check.
+     */
+    private static boolean hasSAN(List<TLSProperties.CertificateProperties.SubjectAltName> subjectAltNameList) {
+        for (final TLSProperties.CertificateProperties.SubjectAltName san : subjectAltNameList) {
+            // Don't check DNS for now, as it is tagged not-implemented in ALS v2
+            if (!isNullOrEmpty(san.getUri())) {
+                return true;
+            }
+        }
+        return false;
+    }
 }