add upstream info

include/istio/control/http/report_data.h

@@ -74,6 +74,12 @@ class ReportData {
   // Useful for logging info generated by custom codecs.
   virtual const ::google::protobuf::Map<std::string, ::google::protobuf::Struct>
       &GetDynamicFilterState() const = 0;
+
+  // Get upstream mTLS status.
+  virtual bool IsUpstreamMutualTLS() const = 0;
+
+  // Get upstream failure reason.
+  virtual const std::string &GetUpstreamFailureReason() const = 0;
 };
 
 }  // namespace http

include/istio/control/tcp/report_data.h

@@ -58,6 +58,11 @@ class ReportData {
   virtual const ::google::protobuf::Map<::std::string,
                                         ::google::protobuf::Struct>
       &GetDynamicFilterState() const = 0;
+
+  // Get upstream mTLS status.
+  virtual bool IsUpstreamMutualTLS() const = 0;
+
+  virtual const std::string &GetUpstreamFailureReason() const = 0;
 };
 
 }  // namespace tcp

include/istio/utils/attribute_names.h

@@ -81,6 +81,8 @@ struct AttributeName {
   static const char kConnectionId[];
   // Record TCP connection status: open, continue, close
   static const char kConnectionEvent[];
+  static const char kUpstreamMtls[];
+  static const char kUpstreamFailureReason[];
 
   // Context attributes
   static const char kContextProtocol[];

src/envoy/http/mixer/report_data.h

@@ -175,6 +175,14 @@ class ReportData : public ::istio::control::http::ReportData,
       &GetDynamicFilterState() const override {
     return info_.dynamicMetadata().filter_metadata();
   }
+
+  bool IsUpstreamMutualTLS() const override {
+    return Utils::IsUpstreamMutualTLS(info_);
+  }
+
+  const std::string &GetUpstreamFailureReason() const override {
+    return info_.upstreamTransportFailureReason();
+  }
 };
 
 }  // namespace Mixer

src/envoy/tcp/mixer/filter.cc

@@ -247,6 +247,17 @@ std::string Filter::GetConnectionId() const {
   return uuid_connection_id;
 }
 
+bool Filter::IsUpstreamMutualTLS() const {
+  return Utils::IsUpstreamMutualTLS(
+      filter_callbacks_->connection().streamInfo());
+}
+
+const std::string &Filter::GetUpstreamFailureReason() const {
+  return filter_callbacks_->connection()
+      .streamInfo()
+      .upstreamTransportFailureReason();
+}
+
 void Filter::OnReportTimer() {
   handler_->Report(this, ConnectionEvent::CONTINUE);
   clearCachedFilterMetadata();

src/envoy/tcp/mixer/filter.h

@@ -65,6 +65,8 @@ class Filter : public Network::Filter,
   void GetReportInfo(
       ::istio::control::tcp::ReportData::ReportInfo *data) const override;
   std::string GetConnectionId() const override;
+  bool IsUpstreamMutualTLS() const override;
+  const std::string &GetUpstreamFailureReason() const override;
 
   void cacheFilterMetadata(
       const ::google::protobuf::Map<std::string, ::google::protobuf::Struct>

src/envoy/utils/utils.cc

@@ -178,6 +178,11 @@ bool IsMutualTLS(const Network::Connection* connection) {
          connection->ssl()->peerCertificatePresented();
 }
 
+bool IsUpstreamMutualTLS(const StreamInfo::StreamInfo& stream_info) {
+  const auto ssl = stream_info.upstreamSslConnection();
+  return ssl != nullptr && ssl->peerCertificatePresented();
+}
+
 bool GetRequestedServerName(const Network::Connection* connection,
                             std::string* name) {
   if (connection && !connection->requestedServerName().empty()) {

src/envoy/utils/utils.h

@@ -52,9 +52,12 @@ bool GetPrincipal(const Network::Connection* connection, bool peer,
 bool GetTrustDomain(const Network::Connection* connection, bool peer,
                     std::string* trust_domain);
 
-// Returns true if connection is mutual TLS enabled.
+// Returns true if downstream connection is mutual TLS enabled.
 bool IsMutualTLS(const Network::Connection* connection);
 
+// Returns true if upstream connection is mutual TLS enabled.
+bool IsUpstreamMutualTLS(const StreamInfo::StreamInfo& stream_info);
+
 // Get requested server name, SNI in case of TLS
 bool GetRequestedServerName(const Network::Connection* connection,
                             std::string* name);

src/istio/control/http/attributes_builder.cc

@@ -280,6 +280,14 @@ void AttributesBuilder::ExtractReportAttributes(
   }
 
   builder.FlattenMapOfStringToStruct(report_data->GetDynamicFilterState());
+
+  builder.AddBool(utils::AttributeName::kUpstreamMtls,
+                  report_data->IsUpstreamMutualTLS());
+  const std::string &failure_reason = report_data->GetUpstreamFailureReason();
+  if (!failure_reason.empty()) {
+    builder.AddString(utils::AttributeName::kUpstreamFailureReason,
+                      failure_reason);
+  }
 }
 
 }  // namespace http

src/istio/control/http/attributes_builder_test.cc

@@ -438,6 +438,18 @@ attributes {
     }
   }
 }
+attributes {
+  key: "upstream.mtls"
+  value {
+    bool_value: false
+  }
+}
+attributes {
+  key: "upstream.failure_reason"
+  value {
+    string_value: "wrong cert"
+  }
+}
 )";
 
 constexpr char kAuthenticationResultStruct[] = R"(
@@ -809,6 +821,11 @@ TEST(AttributesBuilderTest, TestReportAttributes) {
       }));
   EXPECT_CALL(mock_data, GetDynamicFilterState())
       .WillOnce(ReturnRef(filter_metadata));
+  EXPECT_CALL(mock_data, IsUpstreamMutualTLS())
+      .WillOnce(testing::Return(false));
+  std::string failure_reason = "wrong cert";
+  EXPECT_CALL(mock_data, GetUpstreamFailureReason())
+      .WillOnce(ReturnRef(failure_reason));
 
   istio::mixer::v1::Attributes attributes;
   AttributesBuilder builder(&attributes);
@@ -889,6 +906,11 @@ TEST(AttributesBuilderTest, TestReportAttributesWithDestIP) {
       }));
   EXPECT_CALL(mock_data, GetDynamicFilterState())
       .WillOnce(ReturnRef(filter_metadata));
+  EXPECT_CALL(mock_data, IsUpstreamMutualTLS())
+      .WillOnce(testing::Return(false));
+  std::string failure_reason = "wrong cert";
+  EXPECT_CALL(mock_data, GetUpstreamFailureReason())
+      .WillOnce(ReturnRef(failure_reason));
 
   istio::mixer::v1::Attributes attributes;
   SetDestinationIp(&attributes, "1.2.3.4");

src/istio/control/http/mock_report_data.h

@@ -38,6 +38,8 @@ class MockReportData : public ReportData {
       GetDynamicFilterState,
       const ::google::protobuf::Map<std::string, ::google::protobuf::Struct>
           &());
+  MOCK_CONST_METHOD0(IsUpstreamMutualTLS, bool());
+  MOCK_CONST_METHOD0(GetUpstreamFailureReason, const std::string &());
 };
 
 }  // namespace http

src/istio/control/http/request_handler_impl_test.cc

@@ -395,6 +395,13 @@ TEST_F(RequestHandlerImplTest, TestHandlerReport) {
   EXPECT_CALL(mock_report, GetDynamicFilterState())
       .Times(1)
       .WillOnce(ReturnRef(filter_metadata));
+  EXPECT_CALL(mock_report, IsUpstreamMutualTLS())
+      .Times(1)
+      .WillOnce(testing::Return(true));
+  const std::string empty;
+  EXPECT_CALL(mock_report, GetUpstreamFailureReason())
+      .Times(1)
+      .WillOnce(ReturnRef(empty));
 
   // Report should be called.
   EXPECT_CALL(*mock_client_, Report(_)).Times(1);
@@ -414,6 +421,8 @@ TEST_F(RequestHandlerImplTest, TestHandlerDisabledReport) {
   EXPECT_CALL(mock_report, GetResponseHeaders()).Times(0);
   EXPECT_CALL(mock_report, GetReportInfo(_)).Times(0);
   EXPECT_CALL(mock_report, GetDynamicFilterState()).Times(0);
+  EXPECT_CALL(mock_report, IsUpstreamMutualTLS()).Times(0);
+  EXPECT_CALL(mock_report, GetUpstreamFailureReason()).Times(0);
 
   // Report should NOT be called.
   EXPECT_CALL(*mock_client_, Report(_)).Times(0);
@@ -452,6 +461,8 @@ TEST_F(RequestHandlerImplTest, TestEmptyConfig) {
   EXPECT_CALL(mock_report, GetResponseHeaders()).Times(0);
   EXPECT_CALL(mock_report, GetReportInfo(_)).Times(0);
   EXPECT_CALL(mock_report, GetDynamicFilterState()).Times(0);
+  EXPECT_CALL(mock_report, IsUpstreamMutualTLS()).Times(0);
+  EXPECT_CALL(mock_report, GetUpstreamFailureReason()).Times(0);
 
   // Report should NOT be called.
   EXPECT_CALL(*mock_client_, Report(_)).Times(0);

src/istio/control/tcp/attributes_builder.cc

@@ -137,6 +137,15 @@ void AttributesBuilder::ExtractReportAttributes(
 
   builder.AddTimestamp(utils::AttributeName::kContextTime,
                        std::chrono::system_clock::now());
+
+  builder.AddBool(utils::AttributeName::kUpstreamMtls,
+                  report_data->IsUpstreamMutualTLS());
+
+  const std::string &failure_reason = report_data->GetUpstreamFailureReason();
+  if (!failure_reason.empty()) {
+    builder.AddString(utils::AttributeName::kUpstreamFailureReason,
+                      failure_reason);
+  }
 }
 
 }  // namespace tcp

src/istio/control/tcp/attributes_builder_test.cc

@@ -178,6 +178,12 @@ attributes {
     }
   }
 }
+attributes {
+  key: "upstream.mtls"
+  value {
+    bool_value: true
+  }
+}
 )";
 
 const char kReportAttributes[] = R"(
@@ -271,6 +277,12 @@ attributes {
     }
   }
 }
+attributes {
+  key: "upstream.mtls"
+  value {
+    bool_value: true
+  }
+}
 )";
 
 const char kDeltaOneReportAttributes[] = R"(
@@ -344,6 +356,12 @@ attributes {
     }
   }
 }
+attributes {
+  key: "upstream.mtls"
+  value {
+    bool_value: true
+  }
+}
 )";
 
 const char kDeltaTwoReportAttributes[] = R"(
@@ -417,6 +435,12 @@ attributes {
     }
   }
 }
+attributes {
+  key: "upstream.mtls"
+  value {
+    bool_value: true
+  }
+}
 )";
 
 void ClearContextTime(istio::mixer::v1::Attributes *attributes) {
@@ -526,6 +550,10 @@ TEST(AttributesBuilderTest, TestReportAttributes) {
         info->send_bytes = 678;
         info->duration = std::chrono::nanoseconds(4);
       }));
+  EXPECT_CALL(mock_data, IsUpstreamMutualTLS()).WillRepeatedly(Return(true));
+  const std::string failure_reason;
+  EXPECT_CALL(mock_data, GetUpstreamFailureReason())
+      .WillRepeatedly(ReturnRef(failure_reason));
 
   istio::mixer::v1::Attributes attributes;
   AttributesBuilder builder(&attributes);

src/istio/control/tcp/mock_report_data.h

@@ -33,6 +33,8 @@ class MockReportData : public ReportData {
       const ::google::protobuf::Map<std::string, ::google::protobuf::Struct>
           &());
   MOCK_CONST_METHOD1(GetReportInfo, void(ReportInfo *info));
+  MOCK_CONST_METHOD0(IsUpstreamMutualTLS, bool());
+  MOCK_CONST_METHOD0(GetUpstreamFailureReason, const std::string &());
 };
 
 }  // namespace tcp

src/istio/control/tcp/request_handler_impl_test.cc

@@ -151,6 +151,13 @@ TEST_F(RequestHandlerImplTest, TestHandlerReport) {
   EXPECT_CALL(mock_data, GetDynamicFilterState())
       .Times(1)
       .WillOnce(ReturnRef(filter_metadata));
+  EXPECT_CALL(mock_data, IsUpstreamMutualTLS())
+      .Times(1)
+      .WillOnce(testing::Return(true));
+  const std::string empty;
+  EXPECT_CALL(mock_data, GetUpstreamFailureReason())
+      .Times(1)
+      .WillOnce(ReturnRef(empty));
 
   // Report should be called.
   EXPECT_CALL(*mock_client_, Report(_)).Times(1);

src/istio/utils/attribute_names.cc

@@ -75,6 +75,8 @@ const char AttributeName::kConnectionDuration[] = "connection.duration";
 const char AttributeName::kConnectionMtls[] = "connection.mtls";
 const char AttributeName::kConnectionRequestedServerName[] =
     "connection.requested_server_name";
+const char AttributeName::kUpstreamMtls[] = "upstream.mtls";
+const char AttributeName::kUpstreamFailureReason[] = "upstream.failure_reason";
 
 // Downstream TCP connection id.
 const char AttributeName::kConnectionId[] = "connection.id";