diff --git a/Cargo.lock b/Cargo.lock index 3b45ae3667..70e2985315 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1208,7 +1208,6 @@ dependencies = [ "linkerd-app-test", "linkerd-http-access-log", "linkerd-http-metrics", - "linkerd-identity", "linkerd-idle-cache", "linkerd-io", "linkerd-meshtls", diff --git a/linkerd/app/inbound/Cargo.toml b/linkerd/app/inbound/Cargo.toml index 19aad97fdd..64b5651eef 100644 --- a/linkerd/app/inbound/Cargo.toml +++ b/linkerd/app/inbound/Cargo.toml @@ -30,7 +30,6 @@ linkerd-meshtls-rustls = { path = "../../meshtls/rustls", optional = true } linkerd-proxy-client-policy = { path = "../../proxy/client-policy" } linkerd-tonic-watch = { path = "../../tonic-watch" } linkerd2-proxy-api = { version = "0.12", features = ["inbound"] } -linkerd-identity = { path = "../../identity" } once_cell = "1" parking_lot = "0.12" rangemap = "1" diff --git a/linkerd/app/inbound/src/policy.rs b/linkerd/app/inbound/src/policy.rs index be7e2159cd..176c92551d 100644 --- a/linkerd/app/inbound/src/policy.rs +++ b/linkerd/app/inbound/src/policy.rs @@ -17,11 +17,11 @@ pub use self::{ pub use linkerd_app_core::metrics::ServerLabel; use linkerd_app_core::{ + identity as id, metrics::{RouteAuthzLabels, ServerAuthzLabels}, tls, transport::{ClientAddr, OrigDstAddr, Remote}, }; -use linkerd_identity as id; use linkerd_idle_cache::Cached; pub use linkerd_proxy_server_policy::{ authz::Suffix, diff --git a/linkerd/app/outbound/src/http/concrete.rs b/linkerd/app/outbound/src/http/concrete.rs index eeb04f6437..bf255e7749 100644 --- a/linkerd/app/outbound/src/http/concrete.rs +++ b/linkerd/app/outbound/src/http/concrete.rs 
@@ -353,19 +353,15 @@ impl svc::Param for Endpoint { self.metadata .identity() .cloned() - .map(move |client_tls| { - let alpn = if use_transport_header { + .map(move |mut client_tls| { + client_tls.alpn = if use_transport_header { use linkerd_app_core::transport_header::PROTOCOL; Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()])) } else { None }; - tls::ConditionalClientTls::Some(tls::ClientTls::new( - client_tls.server_id, - client_tls.server_name, - alpn, - )) + tls::ConditionalClientTls::Some(client_tls) }) .unwrap_or(tls::ConditionalClientTls::None( tls::NoClientTls::NotProvidedByServiceDiscovery, diff --git a/linkerd/app/outbound/src/http/require_id_header.rs b/linkerd/app/outbound/src/http/require_id_header.rs index 451169ffad..c8f6f872ec 100644 --- a/linkerd/app/outbound/src/http/require_id_header.rs +++ b/linkerd/app/outbound/src/http/require_id_header.rs @@ -59,7 +59,7 @@ impl RequireIdentity { #[inline] fn extract_id(req: &mut http::Request) -> Option { let v = req.headers_mut().remove(HEADER_NAME)?; - v.to_str().ok()?.parse::().ok() + v.to_str().ok()?.parse().ok() } } diff --git a/linkerd/app/outbound/src/opaq/concrete.rs b/linkerd/app/outbound/src/opaq/concrete.rs index 29ab0431f9..b2172af521 100644 --- a/linkerd/app/outbound/src/opaq/concrete.rs +++ b/linkerd/app/outbound/src/opaq/concrete.rs @@ -283,18 +283,15 @@ impl svc::Param for Endpoint { self.metadata .identity() .cloned() - .map(move |client_tls| { - let alpn = if use_transport_header { + .map(move |mut client_tls| { + client_tls.alpn = if use_transport_header { use linkerd_app_core::transport_header::PROTOCOL; Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()])) } else { None }; - tls::ConditionalClientTls::Some(tls::ClientTls::new( - client_tls.server_id, - client_tls.server_name, - alpn, - )) + + tls::ConditionalClientTls::Some(client_tls) }) .unwrap_or(tls::ConditionalClientTls::None( tls::NoClientTls::NotProvidedByServiceDiscovery, 
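Review bot: In http/concrete.rs the closure now assigns `client_tls.alpn` unconditionally, so whatever ALPN the discovered identity carried is replaced rather than honoured; that is the same behaviour as the old `ClientTls::new(..., alpn)` call, which also derived ALPN from `use_transport_header` alone, but nothing at the assignment says so. A one-line comment above it, `// ALPN is decided here from use_transport_header; any value already on the discovered identity is intentionally replaced.`, would stop a later reader from assuming service-discovery ALPN flows through. The same shape appears in opaq/concrete.rs, which additionally leaves a stray blank line before the final `tls::ConditionalClientTls::Some(client_tls)` that http/concrete.rs does not have, and in the tagged_transport.rs test, where `move` was added to a closure that appears to capture nothing from its environment. In both outbound files the enclosing `param` body begins before the hunk and the `.unwrap_or(...)` continues past it.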
diff --git a/linkerd/app/outbound/src/tcp/tagged_transport.rs b/linkerd/app/outbound/src/tcp/tagged_transport.rs index 336338e5a1..a1ddcfb1c3 100644 --- a/linkerd/app/outbound/src/tcp/tagged_transport.rs +++ b/linkerd/app/outbound/src/tcp/tagged_transport.rs @@ -161,15 +161,13 @@ mod test { fn param(&self) -> tls::ConditionalClientTls { self.identity .clone() - .map(|client_tls| { + .map(move |mut client_tls| { let alpn = Some(tls::client::AlpnProtocols(vec![ transport_header::PROTOCOL.into() ])); - tls::ConditionalClientTls::Some(tls::ClientTls::new( - client_tls.server_id, - client_tls.server_name, - alpn, - )) + client_tls.alpn = alpn; + + tls::ConditionalClientTls::Some(client_tls) }) .unwrap_or(tls::ConditionalClientTls::None( tls::NoClientTls::NotProvidedByServiceDiscovery, @@ -265,7 +263,7 @@ mod test { let e = Endpoint { port_override: Some(4143), - identity: Some(tls::ClientTls::new(server_id, server_name, None)), + identity: Some(tls::ClientTls::new(server_id, server_name)), authority: None, proto: None, }; @@ -290,7 +288,7 @@ mod test { let e = Endpoint { port_override: Some(4143), - identity: Some(tls::ClientTls::new(server_id, server_name, None)), + identity: Some(tls::ClientTls::new(server_id, server_name)), authority: Some(http::uri::Authority::from_str("foo.bar.example.com:5555").unwrap()), proto: None, }; @@ -315,7 +313,7 @@ mod test { let e = Endpoint { port_override: Some(4143), - identity: Some(tls::ClientTls::new(server_id, server_name, None)), + identity: Some(tls::ClientTls::new(server_id, server_name)), authority: None, proto: None, }; @@ -340,7 +338,7 @@ mod test { let e = Endpoint { port_override: Some(4143), - identity: Some(tls::ClientTls::new(server_id, server_name, None)), + identity: Some(tls::ClientTls::new(server_id, server_name)), authority: None, proto: Some(SessionProtocol::Http1), }; 
@@ -365,7 +363,7 @@ mod test { let e = Endpoint { port_override: Some(4143), - identity: Some(tls::ClientTls::new(server_id, server_name, None)), + identity: Some(tls::ClientTls::new(server_id, server_name)), authority: Some(http::uri::Authority::from_str("foo.bar.example.com:5555").unwrap()), proto: Some(SessionProtocol::Http1), }; @@ -390,7 +388,7 @@ mod test { let e = Endpoint { port_override: Some(4143), - identity: Some(tls::ClientTls::new(server_id, server_name, None)), + identity: Some(tls::ClientTls::new(server_id, server_name)), authority: None, proto: Some(SessionProtocol::Http1), }; diff --git a/linkerd/app/src/env.rs b/linkerd/app/src/env.rs index 09c76ab871..a30ca5f231 100644 --- a/linkerd/app/src/env.rs +++ b/linkerd/app/src/env.rs @@ -1155,7 +1155,6 @@ pub fn parse_control_addr( identity: Conditional::Some(tls::ClientTls::new( tls::ServerId(name.clone().into()), tls::ServerName(name), - None, )), })), _ => { diff --git a/linkerd/meshtls/tests/util.rs b/linkerd/meshtls/tests/util.rs index 3a82361df0..d1e9794947 100644 --- a/linkerd/meshtls/tests/util.rs +++ b/linkerd/meshtls/tests/util.rs @@ -53,11 +53,7 @@ pub async fn proxy_to_proxy_tls_works(mode: meshtls::Mode) { let server_name = tls::ServerName(test_util::FOO_NS1.name.parse().unwrap()); let (client_result, server_result) = run_test( client_tls.clone(), - Conditional::Some(tls::ClientTls::new( - server_id.clone(), - server_name.clone(), - None, - )), + Conditional::Some(tls::ClientTls::new(server_id.clone(), server_name.clone())), |conn| write_then_read(conn, PING), server_tls, |(_, conn)| read_then_write(conn, PING.len(), PONG), @@ -68,7 +64,6 @@ pub async fn proxy_to_proxy_tls_works(mode: meshtls::Mode) { Some(Conditional::Some(tls::ClientTls::new( server_id, server_name, - None ))) ); assert_eq!(&client_result.result.expect("pong")[..], PONG); 
@@ -93,11 +88,7 @@ pub async fn proxy_to_proxy_tls_pass_through_when_identity_does_not_match(mode: let (client_result, server_result) = run_test( client_tls, - Conditional::Some(tls::ClientTls::new( - server_id.clone(), - server_name.clone(), - None, - )), + Conditional::Some(tls::ClientTls::new(server_id.clone(), server_name.clone())), |conn| write_then_read(conn, PING), server_tls, |(_, conn)| read_then_write(conn, START_OF_TLS.len(), PONG), diff --git a/linkerd/meshtls/verifier/src/lib.rs b/linkerd/meshtls/verifier/src/lib.rs index ff8d8e17d9..e2d55392ab 100644 --- a/linkerd/meshtls/verifier/src/lib.rs +++ b/linkerd/meshtls/verifier/src/lib.rs @@ -14,13 +14,7 @@ fn extract_ids_from_cert(cert: &[u8]) -> Result> { .iter() .filter_map(|n| { let id = match n { - GeneralName::DNSName(dns) => { - if *dns == "*" { - // Wildcards can perhaps be handled in a future path... - return None; - } - Id::parse_dns_name(dns) - } + GeneralName::DNSName(dns) => Id::parse_dns_name(dns), GeneralName::URI(uri) => Id::parse_uri(uri), _ => return None, }; diff --git a/linkerd/proxy/api-resolve/src/pb.rs b/linkerd/proxy/api-resolve/src/pb.rs index 3fd5816cdb..3d343b776e 100644 --- a/linkerd/proxy/api-resolve/src/pb.rs +++ b/linkerd/proxy/api-resolve/src/pb.rs @@ -57,7 +57,7 @@ fn to_identity(pb: TlsIdentity) -> Option { let Strategy::DnsLikeIdentity(i) = pb.strategy?; match (ServerId::from_str(&i.name), ServerName::from_str(&i.name)) { - (Ok(i), Ok(n)) => Some(ClientTls::new(i, n, None)), + (Ok(i), Ok(n)) => Some(ClientTls::new(i, n)), (_, _) => { tracing::warn!("Ignoring invalid identity: {}", i.name); None diff --git a/linkerd/tls/src/client.rs b/linkerd/tls/src/client.rs index d7027dac36..181e78d6e5 100644 --- a/linkerd/tls/src/client.rs +++ b/linkerd/tls/src/client.rs 
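Review bot: Dropping the `*` guard in `extract_ids_from_cert` moves wildcard rejection into `Id::parse_dns_name`, which this diff does not show; if that parser accepts a bare `*` label, a peer certificate whose DNS SAN is `*` would now yield an identity where it previously yielded none. The removed "Wildcards can perhaps be handled in a future path" comment was also the only place recording that wildcard SANs are deliberately unsupported, so a regression test that feeds a certificate with a lone `*` SAN through `extract_ids_from_cert` and asserts that no id is produced would pin the invariant regardless of where it now lives. Once confirmed against the parser, a short comment on the arm, `// wildcard DNS SANs are rejected inside Id::parse_dns_name`, keeps the intent visible at the call site. The function's signature and the start of the `.iter().filter_map(...)` chain lie before this hunk and the `match` continues after it.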
@@ -79,11 +79,11 @@ pub struct ConnectMeta { impl ClientTls { // XXX(ver) We'll have to change this when ServerIds are not necessarily DNS names. - pub fn new(server_id: ServerId, server_name: ServerName, alpn: Option) -> Self { + pub fn new(server_id: ServerId, server_name: ServerName) -> Self { Self { server_name, server_id, - alpn, + alpn: None, } } }
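Review bot: `ClientTls::new` still carries no doc comment, and its contract has just changed: it now always produces `alpn: None`, and callers that need ALPN (http/concrete.rs, opaq/concrete.rs) set the `alpn` field directly after construction, which implies the field is now public. A `///` summary above `pub fn new`, such as `/// Builds a ClientTls for the given server id and name with no ALPN protocols; set the alpn field afterwards when one is needed.`, makes that two-step construction discoverable from rustdoc rather than only from the outbound call sites. If the team prefers call sites not to take a `mut` closure parameter, a small consuming builder like `pub fn with_alpn(mut self, alpn: Option<AlpnProtocols>) -> Self { self.alpn = alpn; self }` would do, but that is optional. The `impl ClientTls` block appears to fit entirely within this hunk.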