Use Common Name instead of SPIFFE URI for mTLS app identity#1270
Motivation:
Using the X.509 Subject CN (Common Name) is a more straightforward and broadly compatible approach for certificate-based identity.

Modifications:
- Renamed `SpiffeIdExtractor` to `CommonNameExtractor` and rewrote the extraction logic to parse the certificate.

Result:
- mTLS-based application authentication identifies clients by the CN field of the certificate.
📝 Walkthrough
This PR refactors certificate ID extraction from SPIFFE URI in Subject Alternative Names to Common Name in certificate Subject DN. It updates the core extractor implementation, renames the class accordingly, modifies test fixtures to match the new extraction approach, and updates UI help text and method visibility.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (1 warning)
Actionable comments posted: 1
🧹 Nitpick comments (1)
server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/CommonNameExtractor.java (1)
46-48: Consider using DEBUG level for parsing failures.
While `TRACE` is appropriate for high-frequency events, an `InvalidNameException` during DN parsing could indicate a certificate configuration issue worth investigating. Consider using `DEBUG` level to make it slightly easier to troubleshoot without enabling full tracing. That said, `TRACE` is acceptable if you expect this to be rare and want minimal log noise.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/CommonNameExtractor.java` around lines 46 - 48, Change the logging level in CommonNameExtractor's InvalidNameException catch block from TRACE to DEBUG: inside the catch (InvalidNameException e) block replace the logger.trace call with logger.debug so DN parsing failures are logged at debug level (preserving the exception parameter) to aid troubleshooting without enabling full tracing.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@webapp/src/dogma/features/app-identity/NewAppIdentity.tsx`:
- Around line 175-178: Update the helper text in NewAppIdentity.tsx to
accurately reflect the backend behavior: change the FormHelperText message
(within the NewAppIdentity component) to indicate that only the Common Name (CN)
from the certificate Subject DN is used by the CommonNameExtractor and remove
any mention of SPIFFE IDs or SAN extraction so users won't expect SPIFFE ID
support.
---
Nitpick comments:
In `@server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/CommonNameExtractor.java`:
- Around line 46-48: Change the logging level in CommonNameExtractor's
InvalidNameException catch block from TRACE to DEBUG: inside the catch
(InvalidNameException e) block replace the logger.trace call with logger.debug
so DN parsing failures are logged at debug level (preserving the exception
parameter) to aid troubleshooting without enabling full tracing.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 0337df10-95b0-4ec1-b3b7-c175e0ccae2f
📒 Files selected for processing (6)
- gradle/scripts/lib/java-javadoc.gradle
- server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/ApplicationCertificateAuthorizer.java
- server/src/main/java/com/linecorp/centraldogma/server/internal/api/auth/CommonNameExtractor.java
- server/src/test/java/com/linecorp/centraldogma/server/internal/admin/auth/CertificateAppIdentityAuthTest.java
- server/src/test/java/com/linecorp/centraldogma/server/metadata/MetadataApiServiceTest.java
- webapp/src/dogma/features/app-identity/NewAppIdentity.tsx
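To make the reviewed behaviour concrete, here is an added illustration of extracting the CN from a certificate's Subject DN with `javax.naming.ldap.LdapName`, the JDK DN parser whose `InvalidNameException` the nitpick above refers to. This is not the project's `CommonNameExtractor` and not code from this PR: the class name, the `debug` stand-in for a logger and the sample DNs are assumptions. It logs parse failures at DEBUG as the reviewer suggests, and treats a missing, empty or repeated CN as "no identity" rather than picking one, because an ambiguous CN should not map to an application identity.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Added example (hypothetical class, not the project's extractor). */
public final class CommonNameExtractorExample {

    // Hypothetical stand-in for a DEBUG-level logger call, so the example has no logging dependency.
    private static void debug(String message, Throwable cause) {
        System.err.println("DEBUG " + message + ": " + cause);
    }

    /** Convenience overload for a real client certificate. */
    public static Optional<String> extractCommonName(X509Certificate cert) {
        return extractCommonName(cert.getSubjectX500Principal());
    }

    /**
     * Returns the single CN of the subject DN, or empty when the DN cannot be parsed,
     * has no CN, has an empty CN, or has more than one CN (ambiguous identity).
     */
    public static Optional<String> extractCommonName(X500Principal subject) {
        // RFC 2253 form is what LdapName expects.
        final String dn = subject.getName(X500Principal.RFC2253);
        final List<String> commonNames = new ArrayList<>();
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    // getValue() is an Object; String.valueOf covers the usual string case.
                    commonNames.add(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            // Parse failures usually mean a misconfigured or unusual certificate; keep them visible at DEBUG.
            debug("Failed to parse subject DN: " + dn, e);
            return Optional.empty();
        }
        if (commonNames.size() != 1) {
            // No CN, or several CN RDNs: refuse to guess which one is the identity.
            return Optional.empty();
        }
        final String cn = commonNames.get(0);
        return cn.isEmpty() ? Optional.empty() : Optional.of(cn);
    }

    public static void main(String[] args) {
        // Constructed sample subjects, not taken from the project or any real certificate.
        System.out.println(extractCommonName(new X500Principal("CN=app-foo,O=Example")));
        System.out.println(extractCommonName(new X500Principal("CN=app-a,CN=app-b,O=Example")));
        System.out.println(extractCommonName(new X500Principal("O=Example")));
    }
}
```

The first sample yields a present `Optional`, while the duplicate-CN and CN-less subjects both yield an empty one, which is the outcome a caller should treat as "unauthenticated" rather than falling back to another field.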