Add l5d-client-id on inbound requests if meshed TLS

Cargo.toml

@@ -99,7 +99,6 @@ tokio-current-thread = "0.1.4"
 
 # Debug symbols end up chewing up several GB of disk space, so better to just
 # disable them.
-
 [profile.dev]
 debug = false
 [profile.test]
@@ -109,3 +108,4 @@ debug = false
 prost = { git = "https://github.com/hawkw/prost", branch = "s/tempdir/tempfile"}
 prost-derive = { git = "https://github.com/hawkw/prost", branch = "s/tempdir/tempfile"}
 prost-build = { git = "https://github.com/hawkw/prost", branch = "s/tempdir/tempfile"}
+webpki = { git = "https://github.com/seanmonstar/webpki", branch = "cert-dns-names" }

src/app/inbound.rs

@@ -16,7 +16,7 @@ use {Conditional, NameAddr};
 pub struct Endpoint {
     pub addr: SocketAddr,
     pub dst_name: Option<NameAddr>,
-    pub source_tls_status: tls::Status,
+    pub tls_client_id: tls::ConditionalIdentity,
 }
 
 #[derive(Clone, Debug, Default)]
@@ -52,10 +52,10 @@ impl tap::Inspect for Endpoint {
         req.extensions().get::<Source>().map(|s| s.remote)
     }
 
-    fn src_tls<B>(&self, req: &http::Request<B>) -> tls::Status {
+    fn src_tls<'a, B>(&self, req: &'a http::Request<B>) -> Conditional<&'a tls::Identity, tls::ReasonForNoTls> {
         req.extensions()
             .get::<Source>()
-            .map(|s| s.tls_status)
+            .map(|s| s.tls_peer.as_ref())
             .unwrap_or_else(|| Conditional::None(tls::ReasonForNoTls::Disabled))
     }
 
@@ -67,7 +67,7 @@ impl tap::Inspect for Endpoint {
         None
     }
 
-    fn dst_tls<B>(&self, _: &http::Request<B>) -> tls::Status {
+    fn dst_tls<B>(&self, _: &http::Request<B>) -> Conditional<&tls::Identity, tls::ReasonForNoTls> {
         Conditional::None(tls::ReasonForNoTls::InternalTraffic)
     }
 
@@ -104,8 +104,8 @@ impl<A> router::Recognize<http::Request<A>> for RecognizeEndpoint {
             .and_then(Source::orig_dst_if_not_local)
             .or(self.default_addr)?;
 
-        let source_tls_status = src
-            .map(|s| s.tls_status.clone())
+        let tls_client_id = src
+            .map(|s| s.tls_peer.clone())
             .unwrap_or_else(|| Conditional::None(tls::ReasonForNoTls::Disabled));
 
         let dst_name = req
@@ -118,7 +118,7 @@ impl<A> router::Recognize<http::Request<A>> for RecognizeEndpoint {
         Some(Endpoint {
             addr,
             dst_name,
-            source_tls_status,
+            tls_client_id,
         })
     }
 }
@@ -254,6 +254,137 @@ pub mod rewrite_loopback_addr {
     }
 }
 
+/// Adds `l5d-client-id` headers to http::Requests derived from the
+/// TlsIdentity of a `Source`.
+pub mod client_id {
+    use std::marker::PhantomData;
+
+    use futures::Poll;
+    use http::{self, header::HeaderValue};
+
+    use proxy::server::Source;
+    use Conditional;
+    use svc;
+
+    #[derive(Debug)]
+    pub struct Layer<B>(PhantomData<fn() -> B>);
+
+    #[derive(Debug)]
+    pub struct Stack<M, B> {
+        inner: M,
+        _marker: PhantomData<fn() -> B>,
+    }
+
+    #[derive(Debug)]
+    pub struct Service<S, B> {
+        inner: S,
+        value: HeaderValue,
+        _marker: PhantomData<fn() -> B>,
+    }
+
+    pub fn layer<B>() -> Layer<B> {
+        Layer(PhantomData)
+    }
+
+    impl<B> Clone for Layer<B> {
+        fn clone(&self) -> Self {
+            Layer(PhantomData)
+        }
+    }
+
+    impl<M, B> svc::Layer<Source, Source, M> for Layer<B>
+    where
+        M: svc::Stack<Source>,
+    {
+        type Value = <Stack<M, B> as svc::Stack<Source>>::Value;
+        type Error = <Stack<M, B> as svc::Stack<Source>>::Error;
+        type Stack = Stack<M, B>;
+
+        fn bind(&self, inner: M) -> Self::Stack {
+            Stack {
+                inner,
+                _marker: PhantomData,
+            }
+        }
+    }
+
+    // === impl Stack ===
+
+    impl<M: Clone, B> Clone for Stack<M, B> {
+        fn clone(&self) -> Self {
+            Stack {
+                inner: self.inner.clone(),
+                _marker: PhantomData,
+            }
+        }
+    }
+
+    impl<M, B> svc::Stack<Source> for Stack<M, B>
+    where
+        M: svc::Stack<Source>,
+    {
+        type Value = svc::Either<Service<M::Value, B>, M::Value>;
+        type Error = M::Error;
+
+        fn make(&self, source: &Source) -> Result<Self::Value, Self::Error> {
+            let svc = self.inner.make(source)?;
+
+            if let Conditional::Some(ref id) = source.tls_peer {
+                match HeaderValue::from_str(id.as_ref()) {
+                    Ok(value) => {
+                        debug!("l5d-client-id enabled for {:?}", source);
+                        return Ok(svc::Either::A(Service {
+                            inner: svc,
+                            value,
+                            _marker: PhantomData,
+                        }));
+                    },
+                    Err(_err) => {
+                        warn!("l5d-client-id identity header is invalid: {:?}", source);
+                    }
+                }
+            }
+
+            trace!("l5d-client-id not enabled for {:?}", source);
+            Ok(svc::Either::B(svc))
+        }
+    }
+
+    // === impl Service ===
+
+    impl<S: Clone, B> Clone for Service<S, B> {
+        fn clone(&self) -> Self {
+            Service {
+                inner: self.inner.clone(),
+                value: self.value.clone(),
+                _marker: PhantomData,
+            }
+        }
+    }
+
+    impl<S, B> svc::Service<http::Request<B>> for Service<S, B>
+    where
+        S: svc::Service<http::Request<B>>,
+    {
+        type Response = S::Response;
+        type Error = S::Error;
+        type Future = S::Future;
+
+        fn poll_ready(&mut self) -> Poll<(), Self::Error> {
+            self.inner.poll_ready()
+        }
+
+        fn call(&mut self, mut req: http::Request<B>) -> Self::Future {
+            req.headers_mut().insert(
+                super::super::L5D_CLIENT_ID,
+                self.value.clone()
+            );
+
+            self.inner.call(req)
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use http;
@@ -266,15 +397,15 @@ mod tests {
     use Conditional;
 
     fn make_h1_endpoint(addr: net::SocketAddr) -> Endpoint {
-        let source_tls_status = TLS_DISABLED;
+        let tls_client_id = TLS_DISABLED;
         Endpoint {
             addr,
             dst_name: None,
-            source_tls_status,
+            tls_client_id,
         }
     }
 
-    const TLS_DISABLED: Conditional<(), tls::ReasonForNoTls> =
+    const TLS_DISABLED: tls::ConditionalIdentity =
         Conditional::None(tls::ReasonForNoTls::Disabled);
 
     quickcheck! {

src/app/main.rs

@@ -442,6 +442,7 @@ where
                 let addr_router = addr_stack
                     .push(buffer::layer(MAX_IN_FLIGHT))
                     .push(limit::layer(MAX_IN_FLIGHT))
+                    .push(strip_header::request::layer(super::L5D_CLIENT_ID))
                     .push(strip_header::request::layer(super::DST_OVERRIDE_HEADER))
                     .push(router::layer(|req: &http::Request<_>| {
                         super::http_request_l5d_override_dst_addr(req)
@@ -489,7 +490,7 @@ where
 
             let inbound = {
                 use super::inbound::{
-                    orig_proto_downgrade, rewrite_loopback_addr, Endpoint, RecognizeEndpoint,
+                    client_id, orig_proto_downgrade, rewrite_loopback_addr, Endpoint, RecognizeEndpoint,
                 };
 
                 let capacity = config.inbound_router_capacity;
@@ -607,7 +608,9 @@ where
                 let source_stack = dst_router
                     .push(orig_proto_downgrade::layer())
                     .push(insert_target::layer())
+                    .push(client_id::layer())
                     .push(strip_header::response::layer(super::L5D_SERVER_ID))
+                    .push(strip_header::request::layer(super::L5D_CLIENT_ID))
                     .push(strip_header::request::layer(super::DST_OVERRIDE_HEADER));
 
                 // As the inbound proxy accepts connections, we don't do any

src/app/metric_labels.rs

@@ -20,7 +20,7 @@ pub struct ControlLabels {
 pub struct EndpointLabels {
     addr: net::SocketAddr,
     direction: Direction,
-    tls_status: tls::Status,
+    tls_id: Conditional<TlsId, tls::ReasonForNoTls>,
     dst_name: Option<NameAddr>,
     labels: Option<String>,
 }
@@ -37,6 +37,12 @@ enum Direction {
     Out,
 }
 
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+enum TlsId {
+    ClientId(tls::Identity),
+    ServerId(tls::Identity),
+}
+
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 struct Authority<'a>(&'a NameAddr);
 
@@ -92,7 +98,7 @@ impl From<inbound::Endpoint> for EndpointLabels {
             addr: ep.addr,
             dst_name: ep.dst_name,
             direction: Direction::In,
-            tls_status: ep.source_tls_status,
+            tls_id: ep.tls_client_id.map(TlsId::ClientId),
             labels: None,
         }
     }
@@ -117,7 +123,7 @@ impl From<outbound::Endpoint> for EndpointLabels {
             addr: ep.connect.addr,
             dst_name: ep.dst_name,
             direction: Direction::Out,
-            tls_status: ep.connect.tls_status(),
+            tls_id: ep.connect.tls_server_identity().map(|id| TlsId::ServerId(id.clone())),
             labels: prefix_labels("dst", ep.metadata.labels().into_iter()),
         }
     }
@@ -133,7 +139,12 @@ impl FmtLabels for EndpointLabels {
         }
 
         write!(f, ",")?;
-        self.tls_status.fmt_labels(f)?;
+        tls::Status::from(&self.tls_id).fmt_labels(f)?;
+
+        if let Conditional::Some(ref id) = self.tls_id {
+            write!(f, ",")?;
+            id.fmt_labels(f)?;
+        }
 
         Ok(())
     }
@@ -206,3 +217,16 @@ impl FmtLabels for tls::Status {
         }
     }
 }
+
+impl FmtLabels for TlsId {
+    fn fmt_labels(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self {
+            TlsId::ClientId(ref id) => {
+                write!(f, "client_id=\"{}\"", id.as_ref())
+            },
+            TlsId::ServerId(ref id) => {
+                write!(f, "server_id=\"{}\"", id.as_ref())
+            },
+        }
+    }
+}

src/app/mod.rs

@@ -18,6 +18,7 @@ use addr::{self, Addr};
 const CANONICAL_DST_HEADER: &'static str = "l5d-dst-canonical";
 pub const DST_OVERRIDE_HEADER: &'static str = "l5d-dst-override";
 const L5D_SERVER_ID: &'static str = "l5d-server-id";
+const L5D_CLIENT_ID: &'static str = "l5d-client-id";
 
 pub fn init() -> Result<config::Config, config::Error> {
     use convert::TryFrom;

src/app/outbound.rs

@@ -62,7 +62,7 @@ impl tap::Inspect for Endpoint {
         req.extensions().get::<Source>().map(|s| s.remote)
     }
 
-    fn src_tls<B>(&self, _: &http::Request<B>) -> tls::Status {
+    fn src_tls<'a, B>(&self, _: &'a http::Request<B>) -> Conditional<&'a tls::Identity, tls::ReasonForNoTls> {
         Conditional::None(tls::ReasonForNoTls::InternalTraffic)
     }
 
@@ -74,8 +74,8 @@ impl tap::Inspect for Endpoint {
         Some(self.metadata.labels())
     }
 
-    fn dst_tls<B>(&self, _: &http::Request<B>) -> tls::Status {
-        self.metadata.tls_status()
+    fn dst_tls<B>(&self, _: &http::Request<B>) -> Conditional<&tls::Identity, tls::ReasonForNoTls> {
+        self.connect.tls_server_identity()
     }
 
     fn route_labels<B>(&self, req: &http::Request<B>) -> Option<Arc<IndexMap<String, String>>> {
@@ -346,28 +346,18 @@ pub mod server_id {
         fn make(&self, endpoint: &Endpoint) -> Result<Self::Value, Self::Error> {
             let svc = self.inner.make(endpoint)?;
 
-            if endpoint.connect.tls.is_some() {
-                match endpoint.metadata.tls_identity() {
-                    Conditional::Some(id) => match HeaderValue::from_str(id.as_ref()) {
-                        Ok(value) => {
-                            debug!("l5d-server-id enabled for {:?}", endpoint);
-                            return Ok(svc::Either::A(Service {
-                                inner: svc,
-                                value,
-                                _marker: PhantomData,
-                            }));
-                        },
-                        Err(_err) => {
-                            warn!("l5d-server-id identity header is invalid: {:?}", endpoint);
-                        }
+            if let Conditional::Some(id) = endpoint.connect.tls_server_identity() {
+                match HeaderValue::from_str(id.as_ref()) {
+                    Ok(value) => {
+                        debug!("l5d-server-id enabled for {:?}", endpoint);
+                        return Ok(svc::Either::A(Service {
+                            inner: svc,
+                            value,
+                            _marker: PhantomData,
+                        }));
                     },
-                    Conditional::None(why) => {
-                        error!("endpoint tls is some, but no identity ({:?}): {:?}", why, endpoint);
-
-                        // This is a bug, so panic in tests!
-                        if cfg!(debug_assertions) {
-                            panic!("endpoint tls is some, but no identity ({:?}): {:?}", why, endpoint);
-                        }
+                    Err(_err) => {
+                        warn!("l5d-server-id identity header is invalid: {:?}", endpoint);
                     },
                 }
             }