diff --git a/source/extensions/filters/common/ext_authz/check_request_utils.cc b/source/extensions/filters/common/ext_authz/check_request_utils.cc
index d243e04c5978..1a0f2d0cff8a 100644
--- a/source/extensions/filters/common/ext_authz/check_request_utils.cc
+++ b/source/extensions/filters/common/ext_authz/check_request_utils.cc
@@ -45,14 +45,24 @@ void CheckRequestUtils::setAttrContextPeer(envoy::service::auth::v2::AttributeCo
   if (local) {
     const auto uriSans = ssl->uriSanLocalCertificate();
     if (uriSans.empty()) {
-      peer.set_principal(ssl->subjectLocalCertificate());
+      const auto dnsSans = ssl->dnsSansLocalCertificate();
+      if (dnsSans.empty()) {
+        peer.set_principal(ssl->subjectLocalCertificate());
+      } else {
+        peer.set_principal(dnsSans[0]);
+      }
     } else {
       peer.set_principal(uriSans[0]);
     }
   } else {
     const auto uriSans = ssl->uriSanPeerCertificate();
     if (uriSans.empty()) {
-      peer.set_principal(ssl->subjectPeerCertificate());
+      const auto dnsSans = ssl->dnsSansPeerCertificate();
+      if (dnsSans.empty()) {
+        peer.set_principal(ssl->subjectPeerCertificate());
+      } else {
+        peer.set_principal(dnsSans[0]);
+      }
     } else {
       peer.set_principal(uriSans[0]);
     }
diff --git a/test/extensions/filters/common/ext_authz/check_request_utils_test.cc b/test/extensions/filters/common/ext_authz/check_request_utils_test.cc
index 7567a9a95023..cb40116c0491 100644
--- a/test/extensions/filters/common/ext_authz/check_request_utils_test.cc
+++ b/test/extensions/filters/common/ext_authz/check_request_utils_test.cc
@@ -127,7 +127,7 @@ TEST_F(CheckRequestUtilsTest, BasicHttpWithFullBody) {
 
 // Verify that createHttpCheck extract the proper attributes from the http request into CheckRequest
 // proto object.
-TEST_F(CheckRequestUtilsTest, CheckAttrContextPeer) {
+TEST_F(CheckRequestUtilsTest, CheckAttrContextPeerUriSans) {
   Http::TestHeaderMapImpl request_headers{{"x-envoy-downstream-service-cluster", "foo"},
                                           {":path", "/bar"}};
   envoy::service::auth::v2::CheckRequest request;
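Review bot: The URI SAN → DNS SAN → subject precedence introduced in setAttrContextPeer is not documented at either `if (uriSans.empty())` site, and it changes the principal reported to the external authorization service for any certificate that carries a DNS SAN but no URI SAN (previously the subject, now the first DNS name), which can change the outcome of existing ext_authz policies that match on principal. Add a comment above `if (local) {` such as `// Principal precedence: first URI SAN, else first DNS SAN, else the certificate subject. Changing this order changes the identity authz policies see.` and mention the behavior change in the release notes. Taking `dnsSans[0]` silently discards any further SANs, and nothing at the call site says which order the Ssl interface returns them in, so the comment should state that only the first entry is used. The local and peer branches are now identical apart from the three accessors called; a small helper taking the URI SANs, DNS SANs and subject would remove the duplication. The function's signature and closing brace lie outside the hunk.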
@@ -155,6 +155,37 @@ TEST_F(CheckRequestUtilsTest, CheckAttrContextPeer) {
   EXPECT_EQ("value", request.attributes().context_extensions().at("key"));
 }
 
+TEST_F(CheckRequestUtilsTest, CheckAttrContextPeerDnsSans) {
+  Http::TestHeaderMapImpl request_headers{{"x-envoy-downstream-service-cluster", "foo"},
+                                          {":path", "/bar"}};
+  envoy::service::auth::v2::CheckRequest request;
+  EXPECT_CALL(callbacks_, connection()).WillRepeatedly(Return(&connection_));
+  EXPECT_CALL(connection_, remoteAddress()).WillRepeatedly(ReturnRef(addr_));
+  EXPECT_CALL(connection_, localAddress()).WillRepeatedly(ReturnRef(addr_));
+  EXPECT_CALL(Const(connection_), ssl()).WillRepeatedly(Return(&ssl_));
+  EXPECT_CALL(callbacks_, streamId()).WillRepeatedly(Return(0));
+  EXPECT_CALL(callbacks_, streamInfo()).WillRepeatedly(ReturnRef(req_info_));
+  EXPECT_CALL(callbacks_, decodingBuffer()).Times(1);
+  EXPECT_CALL(req_info_, protocol()).WillRepeatedly(ReturnPointee(&protocol_));
+  EXPECT_CALL(ssl_, uriSanPeerCertificate()).WillOnce(Return(std::vector{}));
+  EXPECT_CALL(ssl_, dnsSansPeerCertificate()).WillOnce(Return(std::vector{"source"}));
+
+  EXPECT_CALL(ssl_, uriSanLocalCertificate()).WillOnce(Return(std::vector{}));
+  EXPECT_CALL(ssl_, dnsSansLocalCertificate())
+      .WillOnce(Return(std::vector{"destination"}));
+
+  Protobuf::Map context_extensions;
+  context_extensions["key"] = "value";
+
+  CheckRequestUtils::createHttpCheck(&callbacks_, request_headers, std::move(context_extensions),
+                                     request, false);
+
+  EXPECT_EQ("source", request.attributes().source().principal());
+  EXPECT_EQ("destination", request.attributes().destination().principal());
+  EXPECT_EQ("foo", request.attributes().source().service());
+  EXPECT_EQ("value", request.attributes().context_extensions().at("key"));
+}
+
 } // namespace
 } // namespace ExtAuthz
 } // namespace Common
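Review bot: The new CheckAttrContextPeerDnsSans test exercises only the DNS-SAN branch; the subject fallback that the source change still reaches when both `uriSan*Certificate()` and `dnsSans*Certificate()` return empty vectors is left untested, so a regression that drops or reorders the final fallback would pass this suite. Add a sibling test (for example `CheckAttrContextPeerSubject`) that stubs both SAN accessors to return empty vectors, stubs `subjectPeerCertificate()` and `subjectLocalCertificate()` with distinct strings, and asserts those strings on `source().principal()` and `destination().principal()`. The template arguments of `std::vector{}` and `Protobuf::Map` appear to have been dropped in this rendering, so the element types used in the stubs cannot be verified here. The test fixture and its members (`ssl_`, `callbacks_`, `req_info_`) are defined outside the hunk.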