admin: add support for displaying san in certs end point

[ramaraochavali]

Signed-off-by: Rama rama.rao@salesforce.com
Description: Adds support for displaying Subject Alternate Names as a comma separated list of string in /certs admin end point
Risk Level: Low
Testing: Automated
Docs Changes: Updated
Release Notes: Updated

[ggreenway]

This seems reasonable, but I'm curious how this output is being used, and if anyone depends on the exact formatting of it. Anyone at lyft want to chime in? @mattklein123 @ccaraman @junr03 @danielhochman ?

Also, the output is formatted pretty strangely: It outputs repeated json objects (but without a json array [] outside), and the values contain free-form text of "key: value, key2: value2," format. Should we fix this to be proper json, with each key:value as a json key:value? Then adding new fields in the future shouldn't break anyone.

[ggreenway]

revert: there's no reason to make something returned by-value const

[ggreenway]

I don't think this function is needed. There is already getDnsSansFromCertificate() and getUriSanFromCertificate(). You can just combine the results from those two.

[ramaraochavali]

Are you referring to these functions?

envoy/source/common/ssl/ssl_socket.h

Line 72 in f936fc6

// TODO: Move helper functions to the `Ssl::Utility` namespace.

There is a TODO to move them to Utility. So I have added them in Utitlity now and will do a follow-up PR to use these functions there as well. WDYT? If you are referring to some thing else, please let me know. I will use them.

[mattklein123]

This seems reasonable, but I'm curious how this output is being used, and if anyone depends on the exact formatting of it.

Right now this data is being just used for debugging. IMO we should take this opportunity to shift to a proto as we have done elsewhere. We can put this in the v1alpha namespace and then output JSON? Thoughts?

[ramaraochavali]

I agree that this format is not scalable. I was thinking that moving to proto/json might require a broader discussion. But if every one thinks, moving to proto/json is right thing to do here, I can turn in this PR in to that.

[mattklein123]

@ramaraochavali yeah I would just switch it. It's pretty easy to do.

[ramaraochavali]

@mattklein123 ok. Moved to protobuf/json implementation. Here is how it looks now. PTAL.

{
 "certificates": [
  {
   "ca_cert": {
    "path": "/git/envoy_files/certs/client-certs/ca.pem",
    "serial_number": "4114ea7c5d6cc0779e57c2b97c12a1940f2f9b7a",
    "subject_alt_names": [],
    "days_until_expiration": "2768"
   },
   "cert_chain": {
    "path": "/git/envoy_files/certs/client-certs/ca.pem",
    "serial_number": "5966c392",
    "subject_alt_names": [
     {
      "type": "DNS",
      "name": "localhost"
     }
    ],
    "days_until_expiration": "905"
   }
  },
  {
   "ca_cert": {
    "path": "/git/envoy_files/certs/client-certs/ca.pem",
    "serial_number": "4114ea7c5d6cc0779e57c2b97c12a1940f2f9b7a",
    "subject_alt_names": [],
    "days_until_expiration": "2768"
   },
   "cert_chain": {
    "path": "/git/envoy_files/certs/client-certs/ca.pem",
    "serial_number": "5966c392",
    "subject_alt_names": [
     {
      "type": "DNS",
      "name": "localhost"
     }
    ],
    "days_until_expiration": "905"
   }
  }
 ]
}

[mattklein123]

LGTM on the format! We can always change it later since it's alpha. I will review today. Thank you!

[mattklein123]

Very nice. 1 high level comment.

[mattklein123]

Would it be better to have these functions return the proto objects? Then the admin code can actually merge the protos and do the JSON conversion? I think that would be more useful in the future for programmatic access of this information?

[ramaraochavali]

Ok. Will make that change

[ramaraochavali]

@mattklein123 changed the methods to return proto objects. PTAL.

[mattklein123]

LGTM, small question/comment. @ggreenway can you take another pass and see if this works for you?

[mattklein123]

Shouldn't this return nullptr to indicate no details?

[mattklein123]

Same comment?

[ggreenway]

return nullptr in all these error cases

[ggreenway]

I think you can just assign, instead of doing MergeFrom, given that ca_certificate should be empty (eg we can replace instead of merge).

[ggreenway]

same here

[ramaraochavali]

@mattklein123 @ggreenway addressed the feedback. PTAL.

[ggreenway]

lgtm

[ggreenway]

Merge conflict :(

[mattklein123]

Doesn't this need to check for nullptr now? Same below? Can you add a test that covers this?

[ramaraochavali]

I thought context will not be created if files does not exist or not valid. Any way it is good to handle that case. I will add a test.

[lizan]

Prefer oneof here per https://github.com/envoyproxy/envoy/blob/master/api/STYLE.md

[ramaraochavali]

If I use oneof it would be converted to JSON as if I set empty value.

    "subject_alt_names": [
     {
      "name": "localhost",
      "DNS": ""
     }
    ],
    "days_until_expiration": "903"
   }

I think what we have as below is more readable. Are you suggesting some thing different here?

    "subject_alt_names": [
     {
      "name": "localhost",
      "type": "DNS"
     }
    ],
    "days_until_expiration": "903"
   }

[lizan]

No, I meant you should make this

message SubjectAlterativeName {
  oneof name {
    string dns = 1;
    string uri = 2;
  }
}

The JSON would be:

"subject_alt_names": [
     {
      "dns": "example.com"
     }
]

[ramaraochavali]

Ah.. I see. I will make that change

[lizan]

Should this just be expiration timestamp?

[ramaraochavali]

days_until_expiration looks at the chain also and computes the minimum of cert and chain. I think I will leave it like that for now as stats and others also use the same. If we can add another field to just dump expiration timestamp later?

[ramaraochavali]

reg expiration timestamp, just looked at it. There is no direct api now to get it. We will have to add one function , related tests etc. I will add it once this is merged in a follow-up PR.

[ramaraochavali]

@mattklein123 added test. PTAL.

[mattklein123]

Thanks, LGTM. One additional small comment that I missed last time. Sorry about that.

[mattklein123]

Sorry, I just noticed this is basically the same function as the previous one. Can you padd the SAN type as a parameter instead?

[ramaraochavali]

@mattklein123 no problem. Fixed. PTAL.

[lizan]

Move these tests to utility_test?

[ramaraochavali]

Will move

[lizan]

This is v1 config format to be removed soon, can you use v2 format?

[ramaraochavali]

I can use for these two tests. But rest of the tests are still using v1 config in this same file. I prefer to leave these two also in v1 for now and cleanup all of them to v2 in a separate PR if that is Ok.

[lizan]

Use MessageDifferencer instead of comparing JSON string.

[ramaraochavali]

I tried to use MessageDifferencer and setup is becoming complicated because we need to ignore certain fields like days_until_expired etc as they change. So I left this with string comparison.

[lizan]

You should be able to do that with PARTIAL scope. https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.util.message_differencer#MessageDifferencer.Scope.details

[lizan]

Shouldn't these be repeated? I know current /certs only print the 1st certificate in ca_cert and leaf certificate information in cert_chain for each TLS context, but we will need a full cert chain and CA cert?

[ramaraochavali]

Ok. My goal was to replicate what we have in /certs with subject alt names added. Do you mind creating issue with what you are describing here so that we can add it once it is merged?

[lizan]

Yeah I know you're just replicate current behavior of /certs, so make this repeated, and it is fine to only have one when you fill it.

[ramaraochavali]

ok. Do you mean for both cert chain and ca cert?

[lizan]

yes both

[lizan]

bssl::UniquePtr

[ramaraochavali]

changed

[lizan]

use TestEnvironment::readFileToStringForTest read into a string then use BIO? See how context_impl reads certificate. Also factor out that function for these 3 tests.

[ramaraochavali]

ok. I will refactor to this to a function in utility test using the same approach because rest of the context_test_impl also uses the same to be consistent.

[lizan]

Ah ok, filed #4635 to track them.

[ramaraochavali]

@lizan changed as suggested. PTAL.

[ramaraochavali]

@mattklein123 rebased master to resolve the conflicts. Can you PTAL?

[mattklein123]

LGTM, thank you! @lizan can you do the remainder of the review/merge?

[lizan]

@ramaraochavali can you merge master?

[ramaraochavali]

@lizan merged master. PTAL