return false
}
+func ParseIdentity(identity string) Identity {
+ const (
+ anonymousIdentityStr = "anonymous"
+ userPrefix = "user."
+ sslPrefix = "ssl://"
+ )
+
+ if identity == anonymousIdentityStr {
+ logger.V(3).Debugf("ParseIdentity(%q) -> Anonymous()", identity)
+ return Anonymous()
+ } else if strings.HasPrefix(identity, userPrefix) {
+ logger.V(3).Debugf("ParseIdentity(%q) -> NewUserIdentity(%q)", identity, strings.TrimPrefix(identity, userPrefix))
+ return NewUserIdentity(strings.TrimPrefix(identity, userPrefix))
+ } else if strings.HasPrefix(identity, sslPrefix) {
+ logger.V(3).Debugf("ParseIdentity(%q) -> NewSSLCertificate(%q)", identity, strings.TrimPrefix(identity, sslPrefix))
+ return NewSSLCertificate(strings.TrimPrefix(identity, sslPrefix))
+ }
+
+ logger.V(3).Debugf("ParseIdentity(%q) -> NewServiceIdentity(%q)", identity, identity)
+ return NewServiceIdentity(identity)
+}
+
func NewServiceIdentity(service string) Identity {
for _, driver := range identityDrivers {
logger.V(1).Infof("trying driver %s to load service identity %s", driver.name, service)
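Review bot: ParseIdentity does not check for an empty remainder after a prefix, so `user.` and `ssl://` on their own reach `NewUserIdentity("")` and `NewSSLCertificate("")`, and an empty string falls through to `NewServiceIdentity("")`. What those constructors do with an empty name is not visible in this hunk, but because this string decides which kind of credential is loaded, the empty case should either be handled explicitly or be stated as a caller obligation. The exported function also has no doc comment; `// ParseIdentity maps "anonymous", "user.<name>" and "ssl://<rest>" to the matching Identity and treats any other string as a service name.` would record the grammar. The matching is exact and case-sensitive, so a value such as `Anonymous` is treated as a service name rather than as the no-certificate identity, which the comment should say as well.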
func NewUserIdentity(username string) Identity {
for _, driver := range identityDrivers {
- logger.V(1).Infof("trying driver %s to load service identity %s", driver.name, username)
+ logger.V(1).Infof("trying driver %s to load user identity %s", driver.name, username)
identity, err := driver.load(username)
if err == nil {
subst := &substantiatedIdentity{
panic("cannot get default identity before flags are parsed")
}
- if defaultMtlsIdentity == "anonymous" {
- return Anonymous()
- }
-
if defaultMtlsIdentity == "" {
userId, err := NewDefaultUserIdentity()
if err == nil && userId.IsValid() {
return NewServiceIdentity(defaultDefaultIdentity)
}
- return NewServiceIdentity(defaultMtlsIdentity)
+ return ParseIdentity(defaultMtlsIdentity)
}
// Anonymous returns an identity that supplies no client certificate
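Review bot: Routing the flag value through `ParseIdentity` changes how existing values are interpreted: a `defaultMtlsIdentity` beginning with `user.` or `ssl://` used to be passed verbatim to `NewServiceIdentity` and now selects a different loader. If any deployment uses such a service name, this silently changes which credential is presented on the mTLS connection. The flag's help text (outside this hunk) should state the accepted forms, and a comment above the return would help, for example `// defaultMtlsIdentity is "anonymous", "user.<name>", "ssl://<rest>" or a service name; see ParseIdentity.` The enclosing function starts outside the hunk.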