linkerd_identity: split linkerd_identity::Id into DNS and URI variants

[zaharidichev]

Our linkerd_identity::Id type was capable of representing
only DNS-like SANs. In order to be able to perform SAN
verification on SPIFFE identities, in this PR we turn this
type into an enum that can represent either a DNS or URI ids.

Additionally the logic in `meshtls::verifier`` has been updated
to consider URI SANs as well.

Signed-off-by: Zahari Dichev [email protected]

[zaharidichev]

does that make sense for now ?

[codecov]

Codecov Report

Merging #2538 (2defa19) into main (31b2aea) will increase coverage by 0.05%.
The diff coverage is 84.84%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2538      +/-   ##
==========================================
+ Coverage   67.61%   67.66%   +0.05%     
==========================================
  Files         330      330              
  Lines       14781    14803      +22     
==========================================
+ Hits         9994    10017      +23     
+ Misses       4787     4786       -1     

Files	Coverage Δ
linkerd/app/inbound/src/policy.rs	90.00% <100.00%> (-1.49%)	⬇️
linkerd/app/outbound/src/http/require_id_header.rs	50.00% <100.00%> (+1.72%)	⬆️
linkerd/app/outbound/src/tcp/tagged_transport.rs	86.95% <ø> (ø)
linkerd/identity/src/lib.rs	100.00% <100.00%> (+9.09%)	⬆️
linkerd/meshtls/tests/util.rs	96.81% <100.00%> (+0.63%)	⬆️
linkerd/meshtls/verifier/src/lib.rs	92.85% <100.00%> (+5.90%)	⬆️
linkerd/proxy/api-resolve/src/metadata.rs	100.00% <100.00%> (ø)
linkerd/proxy/server-policy/src/authz.rs	71.11% <100.00%> (+1.34%)	⬆️
linkerd/tls/src/client.rs	67.21% <100.00%> (+3.72%)	⬆️
linkerd/app/outbound/src/http/concrete.rs	66.87% <33.33%> (ø)
... and 3 more

... and 2 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 31b2aea...2defa19. Read the comment docs.

[olix0r]

I'm not sure about the suitability of http::Uri to represent RFC 3986 URIs. The crate documentation makes no claims about satisfying the spec, and is designed to represent the HTTP-specific URI quirks.

I believe our primary options are:

• iref
• url

We already have a dependency on the url crate:

:; cargo tree -i url --depth 1
url v2.3.0
├── linkerd-http-route v0.1.0 (/workspaces/linkerd2-proxy/linkerd/http-route)
└── trust-dns-proto v0.22.0

so this is probably a more appealing target.

Also, it provides an Url::as_str, so we can avoid allocating strings on each comparison.

[olix0r]

I'm curious where this arises from. Is there a bug in the current name parsing? Is this not handled properly by the ID parser?

[olix0r]

You mentioned that this was already present but I do not see any other wildcard handling in the diff.

[zaharidichev]

Yes, this was present in the rustls client id extraction code: https://github.com/linkerd/linkerd2-proxy/blob/f4f606555e9c671694f4f21009ba7affe0aaacad/linkerd/meshtls/rustls/src/server.rs#L143C21-L143C21

[zaharidichev]

Seems this has been there for a while. Do you remember the precise reason?

[olix0r]

This comes from cd04d7a#diff-6eab3f24cc45f109bf10a46bd6be573f28ebd28d826dd38ffb5a7cb1cca46bc7L135-L143 -- there used to be an explicit variant.

It made sense to document this case when it was an explicit enum case we had to handle, but I don't think it makes any sense to explicitly handle a "*" DNS name: A "*" dns name must not be parsed by Id::parse_dns_name(dns).

[olix0r]

• Is it true that we don't actually enforce any requirements around spiffe:// IDs? This seems fine I just want to confirm that's the case.
• Given that, it seems beneficial to have a test that documents the behavior with, for instance, a http:// uri.

[olix0r]

Should we test round-tripping an Id through a parser? like:

something like

let id: Id = "uri://host:1234/path".parse().unwrap();
assert_eq!(id, id.to_string().parse().unwrap());

[olix0r]

codecov says we never hit InvalidId. is that true? should we test passing a DNS name to parse_uri?

[zaharidichev]

I have added a test for that

[zaharidichev]

Is it true that we don't actually enforce any requirements around spiffe:// IDs? This seems fine I just want to confirm that's the case.

Given that, it seems beneficial to have a test that documents the behavior with, for instance, a http:// uri.

It is true. I have added a test for that.

[olix0r]

I looked into this and (1) it appears that trust-dns has rebranded as hickory-dns, so we're going to have to be aware of that when we upgrade trust-dns; (2) and the latest version is on idna v0.4.

Normally, we'd follow up this PR with an upstream PR to update hickory-dns to idna 0.5 so that we can be sure to resolve this when we take the next hickory udpate.

These exceptions are fine temporarily, but each skip here means we're double-building dependencies. We try to keep this overhead manageable over time.

[olix0r]

This shouldn't be necessary: app-inbound and app-outbound pick up the vast majority of their dependencies via reexport from app-core:

linkerd2-proxy/linkerd/app/core/src/lib.rs

Lines 50 to 54 in 31b2aea

	pub mod identity {
	pub use linkerd_identity::*;
	pub use linkerd_meshtls::*;
	pub use linkerd_proxy_identity_client as client;
	}

[olix0r]

tioli

           .map(move |mut client_tls| {
                client_tls.alpn = if use_transport_header {
                    use linkerd_app_core::transport_header::PROTOCOL;
                    Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
                } else {
                    None
                };

                tls::ConditionalClientTls::Some(client_tls)

[olix0r]

alternately -- we could add a ClientTls::with_alpn(self, alpn: Option<AlpnProtocols>) -> ClientTls if you wanted to avoid the mut, so this would end up

           .map(move |client_tls| {
                tls::ConditionalClientTls::Some(client_tls.with_alpn(if use_transport_header {
                    use linkerd_app_core::transport_header::PROTOCOL;
                    Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
                } else {
                    None
                }))

[olix0r]

tioli -- the explicit annotation is no longer needed because we're not using an intermediate type.

Suggested change

	v.to_str().ok()?.parse::<identity::Id>().ok()
	v.to_str().ok()?.parse().ok()

[olix0r]

same suggestion as above could apply here

[olix0r]

and here

[olix0r]

I suspect you could leave this unchanged -- avoiding having to specifiy None in many cases -- and explicitly set the alpn field only when an override is necessary.

[olix0r]

There's nothing blocking merging this, though there are a few small cleanups/followups we should include.

[zaharidichev]

@olix0r I will address the followups, and we can merge after