destination.principal derivation fix

src/istio/control/http/attributes_builder.cc

@@ -67,9 +67,16 @@ void AttributesBuilder::ExtractRequestHeaderAttributes(CheckData *check_data) {
 }
 
 void AttributesBuilder::ExtractAuthAttributes(CheckData *check_data) {
+  utils::AttributesBuilder builder(&request_->attributes);
+
+  std::string destination_principal;
+  if (check_data->GetPrincipal(false, &destination_principal)) {
+    builder.AddString(utils::AttributeName::kDestinationPrincipal,
+                      destination_principal);
+  }
+
   istio::authn::Result authn_result;
   if (check_data->GetAuthenticationResult(&authn_result)) {
-    utils::AttributesBuilder builder(&request_->attributes);
     if (!authn_result.principal().empty()) {
       builder.AddString(utils::AttributeName::kRequestAuthPrincipal,
                         authn_result.principal());
@@ -110,7 +117,6 @@ void AttributesBuilder::ExtractAuthAttributes(CheckData *check_data) {
   // Fallback to extract from jwt filter directly. This can be removed once
   // authn filter is in place.
   std::map<std::string, std::string> payload;
-  utils::AttributesBuilder builder(&request_->attributes);
   if (check_data->GetJWTPayload(&payload) && !payload.empty()) {
     // Populate auth attributes.
     if (payload.count("iss") > 0 && payload.count("sub") > 0) {
@@ -134,12 +140,6 @@ void AttributesBuilder::ExtractAuthAttributes(CheckData *check_data) {
     builder.AddString(utils::AttributeName::kSourceUser, source_user);
     builder.AddString(utils::AttributeName::kSourcePrincipal, source_user);
   }
-
-  std::string destination_principal;
-  if (check_data->GetPrincipal(false, &destination_principal)) {
-    builder.AddString(utils::AttributeName::kDestinationPrincipal,
-                      destination_principal);
-  }
 }  // namespace http
 
 void AttributesBuilder::ExtractForwardedAttributes(CheckData *check_data) {

src/istio/control/http/attributes_builder_test.cc

@@ -374,6 +374,15 @@ TEST(AttributesBuilderTest, TestCheckAttributesWithAuthNResult) {
   EXPECT_CALL(mock_data, IsMutualTLS()).WillOnce(Invoke([]() -> bool {
     return true;
   }));
+  EXPECT_CALL(mock_data, GetPrincipal(_, _))
+      .WillRepeatedly(Invoke([](bool peer, std::string *user) -> bool {
+        if (peer) {
+          *user = "test_user";
+        } else {
+          *user = "destination_user";
+        }
+        return true;
+      }));
   EXPECT_CALL(mock_data, GetRequestedServerName(_))
       .WillOnce(Invoke([](std::string *name) -> bool {
         *name = "www.google.com";
@@ -443,10 +452,6 @@ TEST(AttributesBuilderTest, TestCheckAttributesWithAuthNResult) {
         .mutable_attributes())[utils::AttributeName::kRequestAuthRawClaims]
       .set_string_value("test_raw_claims");
 
-  // strip destination.principal for JWT-based authn
-  (*expected_attributes.mutable_attributes())
-      .erase(utils::AttributeName::kDestinationPrincipal);
-
   EXPECT_TRUE(
       MessageDifferencer::Equals(request.attributes, expected_attributes));
 }