From f40d8bf69feea738adcc5d4b2fa81cfb907a7f3c Mon Sep 17 00:00:00 2001
From: Dan Fuhry
Date: Wed, 19 Nov 2025 09:14:51 -0500
Subject: [PATCH] [mtls] add common identity parser

Add a new function in `mtls`, `ParseIdentity`, which standardizes the following prefixes for identities:

- "user." for human users
- "ssl://" for publicly trusted certs
- the exact string "anonymous" for anonymous access
- all other strings are parsed as service identities

The etcd client is configured to follow this convention.
---
 mtls/identity.go | 30 ++++++++++++++++++++++++------
 sd/etcd_factory.go | 2 +-
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/mtls/identity.go b/mtls/identity.go
index 8bc08f8..2f527d4 100644
--- a/mtls/identity.go
+++ b/mtls/identity.go
@@ -180,6 +180,28 @@ func (id *stubIdentity) IsValid() bool {
 return false
 }
 
+func ParseIdentity(identity string) Identity {
+ const (
+ anonymousIdentityStr = "anonymous"
+ userPrefix = "user."
+ sslPrefix = "ssl://"
+ )
+
+ if identity == anonymousIdentityStr {
+ logger.V(3).Debugf("ParseIdentity(%q) -> Anonymous()", identity)
+ return Anonymous()
+ } else if strings.HasPrefix(identity, userPrefix) {
+ logger.V(3).Debugf("ParseIdentity(%q) -> NewUserIdentity(%q)", identity, strings.TrimPrefix(identity, userPrefix))
+ return NewUserIdentity(strings.TrimPrefix(identity, userPrefix))
+ } else if strings.HasPrefix(identity, sslPrefix) {
+ logger.V(3).Debugf("ParseIdentity(%q) -> NewSSLCertificate(%q)", identity, strings.TrimPrefix(identity, sslPrefix))
+ return NewSSLCertificate(strings.TrimPrefix(identity, sslPrefix))
+ }
+
+ logger.V(3).Debugf("ParseIdentity(%q) -> NewServiceIdentity(%q)", identity, identity)
+ return NewServiceIdentity(identity)
+}
+
 func NewServiceIdentity(service string) Identity {
 for _, driver := range identityDrivers {
 logger.V(1).Infof("trying driver %s to load service identity %s", driver.name, service)
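Review bot: `ParseIdentity` is exported but carries no doc comment, and the prefix rules it implements are the contract every caller will depend on, so state them on the function: `// ParseIdentity maps an identity string to an Identity: the exact string "anonymous" yields Anonymous(), a "user." prefix yields a user identity, an "ssl://" prefix yields an SSL certificate identity, and any other string is loaded as a service identity.` Note also that a bare `user.` or `ssl://` reaches `NewUserIdentity("")` / `NewSSLCertificate("")` once the prefix is stripped; whether those loaders reject an empty name is not visible in this hunk, so either a unit test for the empty-remainder inputs or an explicit check before the call would make the parser's behaviour on malformed input deliberate rather than incidental. As a matter of style, the `else if` chain following unconditional `return`s reads more cleanly as a `switch { case identity == anonymousIdentityStr: … case strings.HasPrefix(identity, userPrefix): … }` with the service case as the fall-through.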
@@ -216,7 +238,7 @@ func NewServiceIdentity(service string) Identity {
 
 func NewUserIdentity(username string) Identity {
 for _, driver := range identityDrivers {
- logger.V(1).Infof("trying driver %s to load service identity %s", driver.name, username)
+ logger.V(1).Infof("trying driver %s to load user identity %s", driver.name, username)
 identity, err := driver.load(username)
 if err == nil {
 subst := &substantiatedIdentity{
@@ -317,10 +339,6 @@ func DefaultIdentity() Identity {
 panic("cannot get default identity before flags are parsed")
 }
 
- if defaultMtlsIdentity == "anonymous" {
- return Anonymous()
- }
-
 if defaultMtlsIdentity == "" {
 userId, err := NewDefaultUserIdentity()
 if err == nil && userId.IsValid() {
@@ -334,7 +352,7 @@ func DefaultIdentity() Identity {
 return NewServiceIdentity(defaultDefaultIdentity)
 }
 
- return NewServiceIdentity(defaultMtlsIdentity)
+ return ParseIdentity(defaultMtlsIdentity)
 }
 
 // Anonymous returns an identity that supplies no client certificate
diff --git a/sd/etcd_factory.go b/sd/etcd_factory.go
index bd4badc..487417a 100644
--- a/sd/etcd_factory.go
+++ b/sd/etcd_factory.go
@@ -30,7 +30,7 @@ func NewDefaultEtcdClient() (*etcd_client.Client, error) {
 logger := log.WithPrefix("etcd-client")
 
- id := mtls.NewServiceIdentity(etcdMtlsId)
+ id := mtls.ParseIdentity(etcdMtlsId)
 if !id.IsValid() {
 id = mtls.DefaultIdentity()
-- 
2.50.1
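Review bot: Routing the final `return` of DefaultIdentity through ParseIdentity means the default mTLS identity flag now accepts the `user.` and `ssl://` forms as well as `anonymous`, which is a visible change in what an operator may configure; if the flag's help text (not part of this diff) enumerates the accepted values, it should be updated in the same change. Dropping the earlier `anonymous` check is behaviour-preserving only because the intervening `defaultMtlsIdentity == ""` branch can never match that string, and that reasoning is worth a one-line comment at the new call, e.g. `// "anonymous", "user." and "ssl://" forms are resolved by ParseIdentity`. DefaultIdentity begins outside this hunk.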