From 9ffb6de2993681eb333ce353da8d794846695bc6 Mon Sep 17 00:00:00 2001 From: Kuat Yessenov Date: Thu, 26 Jul 2018 13:24:57 -0700 Subject: [PATCH 1/2] fix attribute extraction Signed-off-by: Kuat Yessenov --- src/istio/control/http/attributes_builder.cc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/istio/control/http/attributes_builder.cc b/src/istio/control/http/attributes_builder.cc index fdee19b5d81..efbe0bce199 100644 --- a/src/istio/control/http/attributes_builder.cc +++ b/src/istio/control/http/attributes_builder.cc @@ -67,9 +67,16 @@ void AttributesBuilder::ExtractRequestHeaderAttributes(CheckData *check_data) { } void AttributesBuilder::ExtractAuthAttributes(CheckData *check_data) { + utils::AttributesBuilder builder(&request_->attributes); + + std::string destination_principal; + if (check_data->GetPrincipal(false, &destination_principal)) { + builder.AddString(utils::AttributeName::kDestinationPrincipal, + destination_principal); + } + istio::authn::Result authn_result; if (check_data->GetAuthenticationResult(&authn_result)) { - utils::AttributesBuilder builder(&request_->attributes); if (!authn_result.principal().empty()) { builder.AddString(utils::AttributeName::kRequestAuthPrincipal, authn_result.principal()); @@ -110,7 +117,6 @@ void AttributesBuilder::ExtractAuthAttributes(CheckData *check_data) { // Fallback to extract from jwt filter directly. This can be removed once // authn filter is in place. std::map payload; - utils::AttributesBuilder builder(&request_->attributes); if (check_data->GetJWTPayload(&payload) && !payload.empty()) { // Populate auth attributes. if (payload.count("iss") > 0 && payload.count("sub") > 0) { 
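Review bot: In the first hunk of ExtractAuthAttributes, the bare `false` in `GetPrincipal(false, &destination_principal)` does not say which identity is being read. The test mock in this series names that parameter `peer`, so `GetPrincipal(/*peer=*/false, &destination_principal)` would show that the non-peer (presumably local workload) identity is what feeds `destination.principal`. Because the attribute is now populated on the authn-result path too, I would add a short comment above the block such as `// destination.principal is set for every request; it is omitted when GetPrincipal fails.` Policy that matches on this attribute presumably sees it as absent in that case, which is worth confirming is intended. The function body continues outside the hunk.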
@@ -134,12 +140,6 @@ void AttributesBuilder::ExtractAuthAttributes(CheckData *check_data) { builder.AddString(utils::AttributeName::kSourceUser, source_user); builder.AddString(utils::AttributeName::kSourcePrincipal, source_user); } - - std::string destination_principal; - if (check_data->GetPrincipal(false, &destination_principal)) { - builder.AddString(utils::AttributeName::kDestinationPrincipal, - destination_principal); - } } // namespace http void AttributesBuilder::ExtractForwardedAttributes(CheckData *check_data) { From e99d52660c5d774f06a64f244ee2de50a61fa7f6 Mon Sep 17 00:00:00 2001 From: Kuat Yessenov Date: Thu, 26 Jul 2018 14:23:00 -0700 Subject: [PATCH 2/2] seed mock Signed-off-by: Kuat Yessenov --- src/istio/control/http/attributes_builder_test.cc | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/istio/control/http/attributes_builder_test.cc b/src/istio/control/http/attributes_builder_test.cc index 024fcb73fba..fee1fb4ee61 100644 --- a/src/istio/control/http/attributes_builder_test.cc +++ b/src/istio/control/http/attributes_builder_test.cc @@ -374,6 +374,15 @@ TEST(AttributesBuilderTest, TestCheckAttributesWithAuthNResult) { EXPECT_CALL(mock_data, IsMutualTLS()).WillOnce(Invoke([]() -> bool { return true; })); + EXPECT_CALL(mock_data, GetPrincipal(_, _)) + .WillRepeatedly(Invoke([](bool peer, std::string *user) -> bool { + if (peer) { + *user = "test_user"; + } else { + *user = "destination_user"; + } + return true; + })); EXPECT_CALL(mock_data, GetRequestedServerName(_)) .WillOnce(Invoke([](std::string *name) -> bool { *name = "www.google.com"; 
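Review bot: In TestCheckAttributesWithAuthNResult, the new expectation `EXPECT_CALL(mock_data, GetPrincipal(_, _)).WillRepeatedly(...)` matches any `peer` value and any number of calls, including zero. The mock therefore does not verify that the builder asks for the destination identity; only the final attribute comparison can catch a regression. Splitting it into `EXPECT_CALL(mock_data, GetPrincipal(false, _))` and `EXPECT_CALL(mock_data, GetPrincipal(true, _))`, each with its own return value, would pin which side is requested. Nothing visible here covers GetPrincipal returning false on the authn-result path, where `destination.principal` should be left out rather than set to an empty string, so a second case for that would guard the behaviour that authorization policy relies on. The test body starts and ends outside this hunk.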
@@ -443,10 +452,6 @@ TEST(AttributesBuilderTest, TestCheckAttributesWithAuthNResult) { .mutable_attributes())[utils::AttributeName::kRequestAuthRawClaims] .set_string_value("test_raw_claims"); - // strip destination.principal for JWT-based authn - (*expected_attributes.mutable_attributes()) - .erase(utils::AttributeName::kDestinationPrincipal); - EXPECT_TRUE( MessageDifferencer::Equals(request.attributes, expected_attributes)); }