Bring up to date with latest XFCC implementation

Author: rmichela

grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XForwardedClientCert.java

@@ -10,6 +10,8 @@
 import io.grpc.Context;
 
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 /**
@@ -24,7 +26,8 @@ public class XForwardedClientCert {
 
     private String by = "";
     private String hash = "";
-    private String san = "";
+    private String sanUri = "";
+    private List<String> sanDns = new ArrayList<>();
     private String subject = "";
 
     void setBy(String by) {
@@ -35,14 +38,18 @@ void setHash(String hash) {
         this.hash = hash;
     }
 
-    void setSan(String san) {
-        this.san = san;
+    void setSanUri(String sanUri) {
+        this.sanUri = sanUri;
     }
 
     void setSubject(String subject) {
         this.subject = subject;
     }
 
+    void addSanDns(String sanDns) {
+        this.sanDns.add(sanDns);
+    }
+
     /**
      * @return The Subject Alternative Name (SAN) of the current proxy’s certificate.
      */
@@ -51,17 +58,24 @@ public String getBy() {
     }
 
     /**
-     * @return The SHA 256 diguest of the current client certificate.
+     * @return The SHA 256 digest of the current client certificate.
      */
     public String getHash() {
         return hash;
     }
 
     /**
-     * @return The SAN field (URI type) of the current client certificate.
+     * @return The URI type Subject Alternative Name field of the current client certificate.
+     */
+    public String getSanUri() {
+        return sanUri;
+    }
+
+    /**
+     * @return The DNS type Subject Alternative Name field(s) of the current client certificate.
      */
-    public String getSan() {
-        return san;
+    public Collection<String> getSanDns() {
+        return Collections.unmodifiableCollection(sanDns);
     }
 
     /**
@@ -80,8 +94,8 @@ public String toString() {
         if (!hash.isEmpty()) {
             kvp.add("Hash=" + enquote(hash));
         }
-        if (!san.isEmpty()) {
-            kvp.add("SAN=" + enquote(san));
+        if (!sanUri.isEmpty()) {
+            kvp.add("URI=" + enquote(sanUri));
         }
         if (!subject.isEmpty()) {
             kvp.add("Subject=" + enquote(subject));

grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XfccParser.java

@@ -37,8 +37,12 @@ static List<XForwardedClientCert> parse(String header) {
                 if (l.get(0).toLowerCase().equals("hash")) {
                     cert.setHash(dequote(l.get(1)));
                 }
-                if (l.get(0).toLowerCase().equals("san")) {
-                    cert.setSan(dequote(l.get(1)));
+                // Use "SAN:" instead of "URI:" for backward compatibility with previous mesh proxy releases.
+                if (l.get(0).toLowerCase().equals("san") || l.get(0).toLowerCase().equals("uri")) {
+                    cert.setSanUri(dequote(l.get(1)));
+                }
+                if (l.get(0).toLowerCase().equals("dns")) {
+                    cert.addSanDns(dequote(l.get(1)));
                 }
                 if (l.get(0).toLowerCase().equals("subject")) {
                     cert.setSubject(dequote(l.get(1)));

grpc-contrib/src/main/java/com/salesforce/grpc/contrib/xfcc/XfccServerInterceptor.java

@@ -14,7 +14,7 @@
 
 /**
  * {@code XfccServerInterceptor} parses the {@code x-forwarded-client-cert} (XFCC) header populated by TLS-terminating
- * reverse proxies. For example, Istio and Linkerd. If present, the parsed XFCC header is appended to the
+ * reverse proxies. For example: Envoy, Istio, and Linkerd. If present, the parsed XFCC header is appended to the
  * gRPC {@code Context}.
  *
  * @see <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers.html#config-http-conn-man-headers-x-forwarded-client-cert">Envoy XFCC Header</a>

grpc-contrib/src/test/java/com/salesforce/grpc/contrib/xfcc/XfccMarshallerTest.java

@@ -25,7 +25,7 @@ public void parseSimpleHeaderWorks() {
         assertThat(certs.size()).isEqualTo(1);
         assertThat(certs.get(0).getBy()).isEqualTo("http://frontend.lyft.com");
         assertThat(certs.get(0).getHash()).isEqualTo("468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688");
-        assertThat(certs.get(0).getSan()).isEqualTo("http://testclient.lyft.com");
+        assertThat(certs.get(0).getSanUri()).isEqualTo("http://testclient.lyft.com");
         assertThat(certs.get(0).getSubject()).isEmpty();
     }
     @Test

grpc-contrib/src/test/java/com/salesforce/grpc/contrib/xfcc/XfccParserTest.java

@@ -16,17 +16,59 @@
 
 public class XfccParserTest {
     @Test
-    public void parseSimpleHeaderWorks() {
+    public void parseLegacySanHeaderWorks() {
         String header = "By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;" +
                 "SAN=http://testclient.lyft.com";
         List<XForwardedClientCert> certs = XfccParser.parse(header);
 
         assertThat(certs.size()).isEqualTo(1);
         assertThat(certs.get(0).getBy()).isEqualTo("http://frontend.lyft.com");
         assertThat(certs.get(0).getHash()).isEqualTo("468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688");
-        assertThat(certs.get(0).getSan()).isEqualTo("http://testclient.lyft.com");
+        assertThat(certs.get(0).getSanUri()).isEqualTo("http://testclient.lyft.com");
         assertThat(certs.get(0).getSubject()).isEmpty();
+        assertThat(certs.get(0).getSanDns()).isEmpty();
     }
+
+    @Test
+    public void parseSimpleHeaderWorks() {
+        String header = "Hash=ebb216c5155a5fd8c8f082a07362b3c7b1a8ee2f98c20f6142b49fe5c2db90bd;DNS=test-tls-in;DNS=second-san;" +
+                "DNS=third-san;Subject=\"OU=0:test-tls-in,CN=localhost\"";
+        List<XForwardedClientCert> certs = XfccParser.parse(header);
+
+        assertThat(certs.size()).isEqualTo(1);
+        assertThat(certs.get(0).getBy()).isEmpty();
+        assertThat(certs.get(0).getHash()).isEqualTo("ebb216c5155a5fd8c8f082a07362b3c7b1a8ee2f98c20f6142b49fe5c2db90bd");
+        assertThat(certs.get(0).getSanUri()).isEmpty();
+        assertThat(certs.get(0).getSubject()).isEqualTo("OU=0:test-tls-in,CN=localhost");
+        assertThat(certs.get(0).getSanDns()).containsExactly("test-tls-in", "second-san", "third-san");
+    }
+
+    @Test
+    public void parseUriSanHeaderWorks() {
+        String header = "By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject=\"/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client\";URI=http://testclient.lyft.com";
+        List<XForwardedClientCert> certs = XfccParser.parse(header);
+
+        assertThat(certs.size()).isEqualTo(1);
+        assertThat(certs.get(0).getBy()).isEqualTo("http://frontend.lyft.com");
+        assertThat(certs.get(0).getHash()).isEqualTo("468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688");
+        assertThat(certs.get(0).getSanUri()).isEqualTo("http://testclient.lyft.com");
+        assertThat(certs.get(0).getSubject()).isEqualTo("/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client");
+        assertThat(certs.get(0).getSanDns()).isEmpty();
+    }
+
+    @Test
+    public void parseUriAndDnsSanHeaderWorks() {
+        String header = "By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;Subject=\"/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client\";URI=http://testclient.lyft.com;DNS=lyft.com;DNS=www.lyft.com";
+        List<XForwardedClientCert> certs = XfccParser.parse(header);
+
+        assertThat(certs.size()).isEqualTo(1);
+        assertThat(certs.get(0).getBy()).isEqualTo("http://frontend.lyft.com");
+        assertThat(certs.get(0).getHash()).isEqualTo("468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688");
+        assertThat(certs.get(0).getSanUri()).isEqualTo("http://testclient.lyft.com");
+        assertThat(certs.get(0).getSubject()).isEqualTo("/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client");
+        assertThat(certs.get(0).getSanDns()).containsExactly("lyft.com", "www.lyft.com");
+    }
+
     @Test
     public void parseCompoundHeaderWorks() {
         String header = "By=http://frontend.lyft.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de688;SAN=http://testclient.lyft.com," +