Set ClientIdentifier in request

Summary: What? - ClientIdentifier = Hash string of primary (non-host) tls client identities - *Last diff* added ClientIdentifier field in RequestCommon which will be extracted in codegen (next diff) to pass the ClientIdentifier in header to memcache server - **This diff** will extract the hash string of tls identities`tlsClientIdentifier` from `Cpp2ConnContext` and set it on request (i.e. field added in last diff) - This code path is ONLY for proxies and will be executed during shadow testing ONLY WHY? - SAP and uCache are working on securing look-aside cache called "Key Client Binding" feature where we bind keys in uCache with ClientIdentities. This ensures that cached data is restricted to the specific client who has access to the backed service. - Design doc: https://fburl.com/gdoc/psjwp58j Reviewed By: lenar-f Differential Revision: D62452893 fbshipit-source-id: 9e16c0cb6ee2af9fa1b73576f2ca8d6699a1c47e
facebook · Sep 30, 2024 · 2f32271 · 2f32271
1 parent e7c6c79
commit 2f32271
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/mcrouter/ServerOnRequest.h b/mcrouter/ServerOnRequest.h
@@ -11,6 +11,7 @@
 #include <cassert>
 #include <memory>
 
+#include "core_infra_security/thrift_authentication_module/detail/ClientIdentifierHelper.h"
 #include "mcrouter/CarbonRouterClient.h"
 #include "mcrouter/RequestAclChecker.h"
 #include "mcrouter/config.h"
@@ -55,12 +56,14 @@ class ServerOnRequest {
       bool enablePassThroughMode,
       bool remoteThread,
       ExternalStatsHandler& statsHandler,
-      bool requestAclCheckerEnable)
+      bool requestAclCheckerEnable,
+      bool enableKeyClientBinding = false)
       : client_(client),
         eventBase_(eventBase),
         retainSourceIp_(retainSourceIp),
         enablePassThroughMode_(enablePassThroughMode),
-        remoteThread_(remoteThread) {
+        remoteThread_(remoteThread),
+        enableKeyClientBinding_(enableKeyClientBinding) {
     if constexpr (RouterInfo::useRequestAclChecker) {
       aclChecker_ = std::make_unique<RequestAclChecker>(
           statsHandler, requestAclCheckerEnable);
@@ -162,6 +165,20 @@ class ServerOnRequest {
     auto& reqRef = rctx->req;
     auto& ctxRef = rctx->ctx;
 
+    // Set hashed TLS client identities on request to propogate from proxy ->
+    // memcache server only IF enableKeyClientBinding_ is enabled.
+    if (FOLLY_UNLIKELY(enableKeyClientBinding_) &&
+        ctxRef.getThriftRequestContext()) {
+      auto mayBeHashedIdentities =
+          core_infra_security::thrift_authentication_module::detail::
+              getTlsClientIdentifier(*ctxRef.getThriftRequestContext());
+      // if has valid hashed identity string, set it on the request
+      if (mayBeHashedIdentities.hasValue() &&
+          std::holds_alternative<std::string>(mayBeHashedIdentities.value())) {
+        reqRef.setClientIdentifier(
+            std::get<std::string>(mayBeHashedIdentities.value()));
+      }
+    }
     // if we are reusing the request buffer, adjust the start offset and set
     // it to the request.
     if (reusableRequestBuffer) {
@@ -198,6 +215,7 @@ class ServerOnRequest {
   const bool enablePassThroughMode_{false};
   const bool remoteThread_{false};
   std::unique_ptr<RequestAclChecker> aclChecker_;
+  const bool enableKeyClientBinding_{false};
 };
 
 } // namespace mcrouter