Add support for SPIFFE TLS Ids

[zaharidichev]

This PR adds support for TLS ids that are in SPIFFE format (URI). Notable changes:

• san verification logic has been extracted into a separate crate (llinkerd-meshtls-util)
• tests for ID extraction and validation logic are happening in this crate
• the linkerd_identity::Id type has been turned into an enum that can be either a DNS URI type
• the Metadata type now carries both ServerName and ServerId information

[hawkw]

that matches an x509...what?

[hawkw]

style nit, take it or leave it: consider maybe just moving the bulleted list to comments on the variants?

Suggested change

	Dns(linkerd_dns_name::Name),
	Uri(http::Uri),
	/// A a DNS-like identity string that matches an x509 DNS SAN.
	Dns(linkerd_dns_name::Name),
	/// A SPIFFE ID in URI form, that matches an x509
	Uri(http::Uri),

[hawkw]

is the Id::Uri variant intended to be SPIFFE-specific? we might want to name the variant something like SpiffeUri or Spiffe, to make that clearer, especially if we later support other identity mechanisms that also use URIs?

[olix0r]

I would argue that this type shouldn't make any SPIFFE requirements. That seems like more of an x509-handling concern than a restriction we care about in linkerd's core types.

[hawkw]

Okay, that's kind of the question I was getting at --- I wasn't sure whether this variant represented a spiffe-specific thing or not.

[hawkw]

typo:

Suggested change

	// according to requirements otlined in:
	// according to requirements outlined in:

[hawkw]

it's quite unfortunate that this allocates (in to_string()) --- the DNS version just borrows the string. AFAICT there is no way to borrow an underlying string from an http::Uri, as the parts of the URI may have come from different string slices --- it's intended more as a builder for URIs to be sent in HTTP requests.

i wonder if representing the Uri variant using http::Uri is actually the best representation, since we use Id::to_str a lot, and it's a shame to have to allocate a new String to format the URI into every time we want to log it or whatever. we could, alternatively, change the representation to store both an http::Uri and an Arc<str> or something, so that the formatting of the URI into a string representation only happens once, and subsequent to_str calls just borrow that? I dunno...

[hawkw]

TIOLI: might be nicer as

Suggested change

	let der = cert
	.to_der()
	.map_err(
	|error| tracing::warn!(%error, "Failed to encode client end cert to der"),
	)
	.ok()?;
	util::client_identity(&der).map(ClientId)
	match cert.to_der() {
	Ok(der) => util::client_identity(&der).map(ClientId),
	Err(error) => {
	tracing::warn!(%error, "Failed to encode client end cert to der");
	None
	}
	}

[hawkw]

nit, take it or leave it: i might have called this linkerd-meshtls-core, following the naming scheme we use elsewhere in the project?

[olix0r]

Can we perhaps change this to store a tls::ClientTls? This also opens the option to pass through ALPN settings (later).

    tls: Option<tls::ClientTls>,

I'd hope this makes the handling of names/ids less verbose throughout most of the app code.

[olix0r]

This would also make sense as a discrete change to help minimize the diff we need to consider for URI handling.

[olix0r]

Since this changes our DNSName validation, I think we should make this change discretely from the rest of this PR. I.e. a targetted PR that adds a new linkerd-meshtls-verifier crate using x509_parser, without URI handling.

[zaharidichev]

@hawkw @olix0r Thanks for the thoughtful feedback, I am closing this PR now in order to split it into smaller, more focused changes, starting with #2534