Expose downstream cert details in gRPC access logs

[snowp]

We're interested in having downstream cert details (OUs, CNs, SANs) be included in the gRPC access log. We'd be interested in both sides of the TLS handshake, so we want details about both the client cert used to establish the connection and details about the server cert that was used by Envoy.

To accomplish this, we'd probably have to expose either the Ssl::Connection or some smaller data structure containing the necessary data on StreamInfo. This would allow any access log to include this information, including the gRPC access log.

The access log would have to be extended. Here's a suggestion:

message CommonCertDetails {
  string ou = 1;
  string cn = 2;
  repeated san = 3;
}

message CertDetails {
  // Details about client cert.
  CommonCertDetails peer_certificate = 1;
  // Details about local server cert.
  CommonCertDetails local_certificate = 2;
}

This could then be included on the data.accesslog.v2.AccessLogCommon proto with a downstream_cert_details field.

cc @worldwise001 (let me know if i forgot anything)

[mattklein123]

See https://github.com/envoyproxy/envoy/blob/master/source/extensions/access_loggers/http_grpc/grpc_access_log_impl.cc#L178 and https://github.com/envoyproxy/envoy/blob/master/api/envoy/data/accesslog/v2/accesslog.proto#L195. Please add to the existing TLS info struct and implement all of it. :)

In terms of getting the info through to log() I would either have it be accessible from StreamInfo or just pass the const Connection directly to the log function.

[lizan]

To accomplish this, we'd probably have to expose either the Ssl::Connection or some smaller data structure containing the necessary data on StreamInfo. This would allow any access log to include this information, including the gRPC access log.

This sounds reasonable, while Ssl::Connection is named "connection", it is actually a bunch of properties of TLS connection info after I factored out transport socket. So we can just rename it and put into StreamInfo/FilterState (TLS transport socket should be able to write it with "write once" semantics).

[worldwise001]

I am happy to take this over from @snowp instead since I made the original request to him, and am willing to take a crack at this.

[snowp]

/assign @worldwise001

[repokitteh-read-only]

@worldwise001 cannot be assigned to this issue.

🐱

Caused by: a #4926 (comment) was created by @snowp.

see: more, trace.

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[snowp]

We're still planning on adding this, just haven't gotten around to it yet.

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.