attributes: add connection.peer_certificate_valid attribute#45828
thc1006 wants to merge 3 commits into
Add the connection.peer_certificate_valid CEL attribute, a bool reflecting whether the downstream peer certificate was presented and validated. It exposes the existing Ssl::ConnectionInfo::peerCertificateValidated() and is implemented the same way as connection.mtls.

In an optional mTLS setup (trust_chain_verification: ACCEPT_UNTRUSTED) the handshake succeeds even when the client certificate is untrusted. connection.mtls already reports whether a certificate was presented; this reports whether it validated, so RBAC, CEL and route matching can use it without resorting to a Lua filter.

Risk Level: Low
Testing: unit tests (test/extensions/filters/common/expr/context_test.cc)
Docs Changes: yes
Release Notes: yes
Fixes envoyproxy#45660

Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
Correct "ceritificate" to "certificate" in the connection.mtls row of the CEL attributes table.

Risk Level: Low
Testing: n/a (documentation only)
Docs Changes: yes
Release Notes: no

Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
Hi @thc1006, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already.
… test

Add connection.peer_certificate_valid to the ext_proc RequestResponseAttributes integration test, asserting it is false on a non-TLS downstream connection (matching connection.mtls), and update the present-attribute count.

Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
Commit Message: Add the connection.peer_certificate_valid CEL attribute, a bool indicating whether the downstream peer certificate was presented and validated.
Additional Description:

In optional mTLS configurations using trust_chain_verification: ACCEPT_UNTRUSTED, Envoy may accept a downstream connection even when the presented client certificate is untrusted. The existing connection.mtls CEL attribute reports whether a peer certificate was presented, but it does not report whether that certificate was validated.

This adds connection.peer_certificate_valid, implemented alongside connection.mtls and backed by the existing Ssl::ConnectionInfo::peerCertificateValidated() API. The two attributes together distinguish the relevant downstream TLS states:

- connection.mtls=false, connection.peer_certificate_valid=false
- connection.mtls=true, connection.peer_certificate_valid=true
- ACCEPT_UNTRUSTED: connection.mtls=true, connection.peer_certificate_valid=false

No interface change is needed. The implementation reuses the existing peerCertificateValidated() getter and only exposes that state as a read-only CEL attribute.

Risk Level: Low. This is an additive, read-only CEL attribute and does not change the TLS handshake, certificate validation path, or existing connection.mtls behavior.

Testing: test/extensions/filters/common/expr/context_test.cc.

- ConnectionAttributes test covers the validated certificate case.
- ConnectionPeerCertificateNotValidated covers the presented-but-not-validated case.

Docs Changes: Added connection.peer_certificate_valid to docs/root/intro/arch_overview/advanced/attributes.rst.

Release Notes: Added changelogs/current/new_features/attributes__added-peer-certificate-valid-cel.rst.

Platform Specific Features: None
AI usage:
This change was written with the assistance of generative AI tooling. I have reviewed it, fully understand it, and take ownership of the code.
Fixes #45660