Separate tls::ServerName and identity::Id types

To prepare for the introduction of SPIFFE identities into Linkerd's
identity system, this change we need to begin to separate the
representation of an endpoint's SNI value and its "identity" for the
purposes of authentication.

This change introduces a new `tls::ServerName` type to represent the SNI
use case. The `tls::ClientTls` type now has distinct `ServerName` and
`ServerId` configurations to support distinct behavior for sending an
SNI value to the server server

The `identity::Name` type is genralized as `identity::Id`. In the
future, this type will be used to encompass both DNS-like and SPIFFE
identities. This type is specifically used for peer authentication (and
not for SNI negotiation).

The `identity::LocalId` type is removed. It was only being used as a
means for the local server name configuration.

Co-authored-by: <zahari@buoyant.io>

Cargo.lock

@@ -1364,6 +1364,7 @@ version = "0.1.0"
 dependencies = [
  "futures",
  "linkerd-conditional",
+ "linkerd-dns-name",
  "linkerd-error",
  "linkerd-identity",
  "linkerd-io",
@@ -1403,6 +1404,7 @@ name = "linkerd-meshtls-rustls"
 version = "0.1.0"
 dependencies = [
  "futures",
+ "linkerd-dns-name",
  "linkerd-error",
  "linkerd-identity",
  "linkerd-io",
@@ -1577,6 +1579,7 @@ version = "0.1.0"
 dependencies = [
  "futures",
  "http-body",
+ "linkerd-dns-name",
  "linkerd-error",
  "linkerd-identity",
  "linkerd-metrics",

linkerd/app/admin/src/stack.rs

@@ -36,7 +36,7 @@ struct NonHttpClient(Remote<ClientAddr>);
 
 #[derive(Debug, Error)]
 #[error("Unexpected TLS connection to {} from {}", self.0, self.1)]
-struct UnexpectedSni(tls::ServerId, Remote<ClientAddr>);
+struct UnexpectedSni(tls::ServerName, Remote<ClientAddr>);
 
 #[derive(Clone, Debug)]
 struct Tcp {

linkerd/app/gateway/src/http.rs

@@ -1,7 +1,6 @@
 use super::Gateway;
 use inbound::{GatewayAddr, GatewayDomainInvalid};
 use linkerd_app_core::{
-    identity,
     metrics::ServerLabel,
     profiles,
     proxy::{
@@ -104,9 +103,9 @@ impl Gateway {
             // Discard `T` and its associated client-specific metadata.
             .push_map_target(Target::discard_parent)
             // Add headers to prevent loops.
-            .push(NewHttpGateway::layer(identity::LocalId(
-                self.inbound.identity().name().clone(),
-            )))
+            .push(NewHttpGateway::layer(
+                self.inbound.identity().server_name().clone().into(),
+            ))
             .push_on_service(svc::LoadShed::layer())
             .lift_new()
             // After protocol-downgrade, we need to build an inner stack for

linkerd/app/gateway/src/http/gateway.rs

@@ -1,5 +1,6 @@
 use futures::{future, TryFutureExt};
 use linkerd_app_core::{
+    identity as id,
     proxy::http,
     svc::{self, layer},
     tls, Error,
@@ -15,7 +16,7 @@ use std::{
 #[derive(Clone, Debug)]
 pub(crate) struct NewHttpGateway<N> {
     inner: N,
-    local_id: tls::LocalId,
+    local_id: id::Id,
 }
 
 /// A `Service` middleware that fails requests that would loop. It reads and
@@ -25,19 +26,19 @@ pub(crate) struct HttpGateway<S> {
     inner: S,
     host: String,
     client_id: tls::ClientId,
-    local_id: tls::LocalId,
+    local_id: id::Id,
 }
 
 type ResponseFuture<T> = Pin<Box<dyn Future<Output = Result<T, Error>> + Send + 'static>>;
 
 // === impl NewHttpGateway ===
 
 impl<N> NewHttpGateway<N> {
-    pub fn new(inner: N, local_id: tls::LocalId) -> Self {
+    pub fn new(inner: N, local_id: id::Id) -> Self {
         Self { inner, local_id }
     }
 
-    pub fn layer(local_id: tls::LocalId) -> impl layer::Layer<N, Service = Self> + Clone {
+    pub fn layer(local_id: id::Id) -> impl layer::Layer<N, Service = Self> + Clone {
         layer::mk(move |inner| Self::new(inner, local_id.clone()))
     }
 }
@@ -77,7 +78,7 @@ where
     #[inline]
     fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
         // If the client ID is the same as the gateway's, then we're in a loop.
-        if *self.client_id == *self.local_id {
+        if *self.client_id == self.local_id {
             return Poll::Ready(Err(GatewayLoop.into()));
         }
 
@@ -95,7 +96,7 @@ where
         {
             if let Some(by) = fwd_by(forwarded) {
                 tracing::info!(%forwarded);
-                if by == self.local_id.as_str() {
+                if by == self.local_id.to_str() {
                     return Box::pin(future::err(GatewayLoop.into()));
                 }
             }

linkerd/app/gateway/src/http/tests.rs

@@ -219,7 +219,7 @@ impl Test {
 
         let new = NewHttpGateway::new(
             move |_: _| outbound.clone(),
-            tls::LocalId("gateway.id.test".parse().unwrap()),
+            "gateway.id.test".parse().unwrap(),
         );
 
         #[derive(Clone, Debug)]

linkerd/app/inbound/src/detect.rs

@@ -396,8 +396,8 @@ impl svc::Param<http::normalize_uri::DefaultAuthority> for Http {
     }
 }
 
-impl svc::Param<Option<identity::Name>> for Http {
-    fn param(&self) -> Option<identity::Name> {
+impl svc::Param<Option<identity::Id>> for Http {
+    fn param(&self) -> Option<identity::Id> {
         self.tls
             .status
             .value()

linkerd/app/inbound/src/http.rs

@@ -252,8 +252,8 @@ pub mod fuzz {
         }
     }
 
-    impl svc::Param<Option<identity::Name>> for Target {
-        fn param(&self) -> Option<identity::Name> {
+    impl svc::Param<Option<identity::Id>> for Target {
+        fn param(&self) -> Option<identity::Id> {
             None
         }
     }

linkerd/app/inbound/src/http/set_identity_header.rs

@@ -43,7 +43,7 @@ where
             .and_then(|tls| match tls {
                 tls::ServerTls::Established { client_id, .. } => {
                     client_id.as_ref().and_then(|id| {
-                        match http::HeaderValue::from_str(id.as_str()) {
+                        match http::HeaderValue::from_str(&id.to_str()) {
                             Ok(v) => Some(v),
                             Err(error) => {
                                 tracing::warn!(%error, "identity not a valid header value");

linkerd/app/inbound/src/http/tests.rs

@@ -770,8 +770,8 @@ impl svc::Param<http::normalize_uri::DefaultAuthority> for Target {
     }
 }
 
-impl svc::Param<Option<identity::Name>> for Target {
-    fn param(&self) -> Option<identity::Name> {
+impl svc::Param<Option<identity::Id>> for Target {
+    fn param(&self) -> Option<identity::Id> {
         None
     }
 }

linkerd/app/inbound/src/policy.rs

@@ -177,7 +177,8 @@ fn is_authorized(
                 client_id: Some(tls::server::ClientId(ref id)),
                 ..
             }) => {
-                identities.contains(id.as_str()) || suffixes.iter().any(|s| s.contains(id.as_str()))
+                identities.contains(&*id.to_str())
+                    || suffixes.iter().any(|s| s.contains(&id.to_str()))
             }
             _ => false,
         },

linkerd/app/outbound/src/http/concrete.rs

@@ -375,15 +375,13 @@ impl<T> svc::Param<tls::ConditionalClientTls> for Endpoint<T> {
             .identity()
             .cloned()
             .map(move |server_id| {
-                tls::ConditionalClientTls::Some(tls::ClientTls {
-                    server_id,
-                    alpn: if use_transport_header {
-                        use linkerd_app_core::transport_header::PROTOCOL;
-                        Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
-                    } else {
-                        None
-                    },
-                })
+                let alpn = if use_transport_header {
+                    use linkerd_app_core::transport_header::PROTOCOL;
+                    Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
+                } else {
+                    None
+                };
+                tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, alpn))
             })
             .unwrap_or(tls::ConditionalClientTls::None(
                 tls::NoClientTls::NotProvidedByServiceDiscovery,

linkerd/app/outbound/src/http/require_id_header.rs

@@ -1,5 +1,5 @@
 use futures::{future, TryFutureExt};
-use linkerd_app_core::{identity, svc, tls, Conditional, Error};
+use linkerd_app_core::{dns, identity, svc, tls, Conditional, Error};
 use std::task::{Context, Poll};
 use thiserror::Error;
 use tracing::{debug, trace};
@@ -57,9 +57,10 @@ type ResponseFuture<F, T, E> =
 
 impl<S> RequireIdentity<S> {
     #[inline]
-    fn extract_id<B>(req: &mut http::Request<B>) -> Option<identity::Name> {
+    fn extract_id<B>(req: &mut http::Request<B>) -> Option<identity::Id> {
         let v = req.headers_mut().remove(HEADER_NAME)?;
-        v.to_str().ok()?.parse().ok()
+        let n = v.to_str().ok()?.parse::<dns::Name>().ok()?;
+        Some(n.into())
     }
 }
 

linkerd/app/outbound/src/opaq/concrete.rs

@@ -284,15 +284,13 @@ impl<T> svc::Param<tls::ConditionalClientTls> for Endpoint<T> {
             .identity()
             .cloned()
             .map(move |server_id| {
-                tls::ConditionalClientTls::Some(tls::ClientTls {
-                    server_id,
-                    alpn: if use_transport_header {
-                        use linkerd_app_core::transport_header::PROTOCOL;
-                        Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
-                    } else {
-                        None
-                    },
-                })
+                let alpn = if use_transport_header {
+                    use linkerd_app_core::transport_header::PROTOCOL;
+                    Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
+                } else {
+                    None
+                };
+                tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, alpn))
             })
             .unwrap_or(tls::ConditionalClientTls::None(
                 tls::NoClientTls::NotProvidedByServiceDiscovery,

linkerd/app/outbound/src/tcp/tagged_transport.rs

@@ -142,7 +142,6 @@ mod test {
     use super::*;
     use futures::future;
     use linkerd_app_core::{
-        identity,
         io::{self, AsyncWriteExt},
         tls,
         transport::{ClientAddr, Local},
@@ -163,12 +162,10 @@ mod test {
             self.server_id
                 .clone()
                 .map(|server_id| {
-                    tls::ConditionalClientTls::Some(tls::ClientTls {
-                        server_id,
-                        alpn: Some(tls::client::AlpnProtocols(vec![
-                            transport_header::PROTOCOL.into()
-                        ])),
-                    })
+                    let alpn = Some(tls::client::AlpnProtocols(vec![
+                        transport_header::PROTOCOL.into()
+                    ]));
+                    tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, alpn))
                 })
                 .unwrap_or(tls::ConditionalClientTls::None(
                     tls::NoClientTls::NotProvidedByServiceDiscovery,
@@ -261,9 +258,7 @@ mod test {
 
         let e = Endpoint {
             port_override: Some(4143),
-            server_id: Some(tls::ServerId(
-                identity::Name::from_str("server.id").unwrap(),
-            )),
+            server_id: Some(tls::ServerId("server.id".parse().unwrap())),
             authority: None,
             proto: None,
         };
@@ -285,9 +280,7 @@ mod test {
 
         let e = Endpoint {
             port_override: Some(4143),
-            server_id: Some(tls::ServerId(
-                identity::Name::from_str("server.id").unwrap(),
-            )),
+            server_id: Some(tls::ServerId("server.id".parse().unwrap())),
             authority: Some(http::uri::Authority::from_str("foo.bar.example.com:5555").unwrap()),
             proto: None,
         };
@@ -309,9 +302,7 @@ mod test {
 
         let e = Endpoint {
             port_override: Some(4143),
-            server_id: Some(tls::ServerId(
-                identity::Name::from_str("server.id").unwrap(),
-            )),
+            server_id: Some(tls::ServerId("server.id".parse().unwrap())),
             authority: None,
             proto: None,
         };
@@ -333,9 +324,7 @@ mod test {
 
         let e = Endpoint {
             port_override: Some(4143),
-            server_id: Some(tls::ServerId(
-                identity::Name::from_str("server.id").unwrap(),
-            )),
+            server_id: Some(tls::ServerId("server.id".parse().unwrap())),
             authority: None,
             proto: Some(SessionProtocol::Http1),
         };
@@ -357,9 +346,7 @@ mod test {
 
         let e = Endpoint {
             port_override: Some(4143),
-            server_id: Some(tls::ServerId(
-                identity::Name::from_str("server.id").unwrap(),
-            )),
+            server_id: Some(tls::ServerId("server.id".parse().unwrap())),
             authority: Some(http::uri::Authority::from_str("foo.bar.example.com:5555").unwrap()),
             proto: Some(SessionProtocol::Http1),
         };
@@ -381,9 +368,7 @@ mod test {
 
         let e = Endpoint {
             port_override: Some(4143),
-            server_id: Some(tls::ServerId(
-                identity::Name::from_str("server.id").unwrap(),
-            )),
+            server_id: Some(tls::ServerId("server.id".parse().unwrap())),
             authority: None,
             proto: Some(SessionProtocol::Http1),
         };

linkerd/app/src/env.rs

@@ -982,8 +982,15 @@ fn parse_port_range_set(s: &str) -> Result<RangeInclusiveSet<u16>, ParseError> {
     Ok(set)
 }
 
-pub(super) fn parse_identity(s: &str) -> Result<identity::Name, ParseError> {
-    identity::Name::from_str(s).map_err(|identity::InvalidName| {
+pub(super) fn parse_dns_name(s: &str) -> Result<dns::Name, ParseError> {
+    s.parse().map_err(|_| {
+        error!("Not a valid identity name: {}", s);
+        ParseError::NameError
+    })
+}
+
+pub(super) fn parse_identity(s: &str) -> Result<identity::Id, ParseError> {
+    s.parse().map_err(|_| {
         error!("Not a valid identity name: {}", s);
         ParseError::NameError
     })
@@ -1130,7 +1137,7 @@ pub fn parse_control_addr<S: Strings>(
     base: &str,
 ) -> Result<Option<ControlAddr>, EnvError> {
     let a = parse(strings, &format!("{}_ADDR", base), parse_addr)?;
-    let n = parse(strings, &format!("{}_NAME", base), parse_identity)?;
+    let n = parse(strings, &format!("{}_NAME", base), parse_dns_name)?;
     match (a, n) {
         (None, None) => Ok(None),
         (Some(ref addr), _) if addr.is_loopback() => Ok(Some(ControlAddr {
@@ -1139,7 +1146,7 @@ pub fn parse_control_addr<S: Strings>(
         })),
         (Some(addr), Some(name)) => Ok(Some(ControlAddr {
             addr,
-            identity: Conditional::Some(tls::ServerId(name).into()),
+            identity: Conditional::Some(tls::ClientTls::new(tls::ServerId(name.into()), None)),
         })),
         _ => {
             error!("{}_ADDR and {}_NAME must be specified together", base, base);
@@ -1165,7 +1172,7 @@ pub fn parse_identity_config<S: Strings>(
             ParseError::InvalidTokenSource
         })
     });
-    let li = parse(strings, ENV_IDENTITY_IDENTITY_LOCAL_NAME, parse_identity);
+    let li = parse(strings, ENV_IDENTITY_IDENTITY_LOCAL_NAME, parse_dns_name);
     let min_refresh = parse(strings, ENV_IDENTITY_MIN_REFRESH, parse_duration);
     let max_refresh = parse(strings, ENV_IDENTITY_MAX_REFRESH, parse_duration);
 
@@ -1235,7 +1242,7 @@ pub fn parse_identity_config<S: Strings>(
                 max_refresh: max_refresh.unwrap_or(DEFAULT_IDENTITY_MAX_REFRESH),
             };
             let docs = identity::Documents {
-                id: identity::LocalId(local_name),
+                server_name: local_name,
                 trust_anchors_pem,
                 key_pkcs8: key?,
                 csr_der: csr?,