Merge pull request #3175 from processone/proxy_protocol_tls_info

Extract TLS informations that are delivered in PROXY protocol frame

(cherry picked from commit 29bb9c5)

Author: michaelklishin

deps/amqp_client/src/amqp_direct_connection.erl

@@ -195,14 +195,14 @@ socket_adapter_info(Sock, Protocol) ->
 
 maybe_ssl_info(Sock) ->
     RealSocket = rabbit_net:unwrap_socket(Sock),
-    case rabbit_net:is_ssl(RealSocket) of
-        true  -> [{ssl, true}] ++ ssl_info(RealSocket) ++ ssl_cert_info(RealSocket);
-        false -> [{ssl, false}]
+    case rabbit_net:proxy_ssl_info(RealSocket, rabbit_net:maybe_get_proxy_socket(Sock)) of
+        nossl -> [{ssl, false}];
+        Info -> [{ssl, true}] ++ ssl_info(Info) ++ ssl_cert_info(RealSocket)
     end.
 
-ssl_info(Sock) ->
+ssl_info(Info) ->
     {Protocol, KeyExchange, Cipher, Hash} =
-        case rabbit_net:ssl_info(Sock) of
+        case Info of
             {ok, Infos} ->
                 {_, P} = lists:keyfind(protocol, 1, Infos),
                 #{cipher := C,

deps/rabbit/src/rabbit_reader.erl

@@ -1506,7 +1506,8 @@ i(SockStat,           S) when SockStat =:= recv_oct;
                               SockStat =:= send_pend ->
     socket_info(fun (Sock) -> rabbit_net:getstat(Sock, [SockStat]) end,
                 fun ([{_, I}]) -> I end, S);
-i(ssl,                #v1{sock = Sock}) -> rabbit_net:is_ssl(Sock);
+i(ssl, #v1{sock = Sock, proxy_socket = ProxySock}) ->
+    rabbit_net:proxy_ssl_info(Sock, ProxySock) /= nossl;
 i(ssl_protocol,       S) -> ssl_info(fun ({P,         _}) -> P end, S);
 i(ssl_key_exchange,   S) -> ssl_info(fun ({_, {K, _, _}}) -> K end, S);
 i(ssl_cipher,         S) -> ssl_info(fun ({_, {_, C, _}}) -> C end, S);
@@ -1576,8 +1577,8 @@ socket_info(Get, Select, #v1{sock = Sock}) ->
         {error, _} -> 0
     end.
 
-ssl_info(F, #v1{sock = Sock}) ->
-    case rabbit_net:ssl_info(Sock) of
+ssl_info(F, #v1{sock = Sock, proxy_socket = ProxySock}) ->
+    case rabbit_net:proxy_ssl_info(Sock, ProxySock) of
         nossl       -> '';
         {error, _}  -> '';
         {ok, Items} ->

deps/rabbit_common/src/rabbit_net.erl

@@ -15,7 +15,7 @@
     setopts/2, send/2, close/1, fast_close/1, sockname/1, peername/1,
     peercert/1, connection_string/2, socket_ends/2, is_loopback/1,
     tcp_host/1, unwrap_socket/1, maybe_get_proxy_socket/1,
-    hostname/0, getifaddrs/0]).
+    hostname/0, getifaddrs/0, proxy_ssl_info/2]).
 
 %%---------------------------------------------------------------------------
 
@@ -34,6 +34,7 @@
 % -type host_or_ip() :: binary() | inet:ip_address().
 -spec is_ssl(socket()) -> boolean().
 -spec ssl_info(socket()) -> 'nossl' | ok_val_or_error([{atom(), any()}]).
+-spec proxy_ssl_info(socket(), ranch_proxy:proxy_socket()) -> 'nossl' | ok_val_or_error([{atom(), any()}]).
 -spec controlling_process(socket(), pid()) -> ok_or_any_error().
 -spec getstat(socket(), [stat_option()]) ->
           ok_val_or_error([{stat_option(), integer()}]).
@@ -98,6 +99,33 @@ ssl_info(Sock) when ?IS_SSL(Sock) ->
 ssl_info(_Sock) ->
     nossl.
 
+proxy_ssl_info(Sock, {rabbit_proxy_socket, _, ProxyInfo}) ->
+    case ProxyInfo of
+        #{ssl := #{version := Version, cipher := Cipher}} ->
+            Proto = case Version of
+                        <<"SSL3">> -> 'ssl3';
+                        <<"TLSv1">> -> 'tlsv1';
+                        <<"TLSv1.1">> -> 'tlsv1.1';
+                        <<"TLSv1.2">> -> 'tlsv1.2';
+                        <<"TLSv1.3">> -> 'tlsv1.3';
+                        _ -> nossl
+                    end,
+            CipherSuite = case ssl:str_to_suite(binary_to_list(Cipher)) of
+                              #{} = CS -> CS;
+                              _ -> ssl_info(Sock)
+                          end,
+            case {Proto, CipherSuite} of
+                {nossl, _} -> ssl_info(Sock);
+                {_, nossl} -> ssl_info(Sock);
+                _ -> {ok, [{protocol, Proto}, {selected_cipher_suite, CipherSuite}]}
+            end;
+        _ ->
+            ssl_info(Sock)
+    end;
+proxy_ssl_info(Sock, _) ->
+    ssl_info(Sock).
+
+
 controlling_process(Sock, Pid) when ?IS_SSL(Sock) ->
     ssl:controlling_process(Sock, Pid);
 controlling_process(Sock, Pid) when is_port(Sock) ->

deps/rabbitmq_amqp1_0/src/rabbit_amqp1_0_reader.erl

@@ -793,8 +793,8 @@ socket_info(Get, Select, #v1{sock = Sock}) ->
         {error, _} -> ''
     end.
 
-ssl_info(F, #v1{sock = Sock}) ->
-    case rabbit_net:ssl_info(Sock) of
+ssl_info(F, #v1{sock = Sock, proxy_socket = ProxySock}) ->
+    case rabbit_net:proxy_ssl_info(Sock, ProxySock) of
         nossl       -> '';
         {error, _}  -> '';
         {ok, Items} ->

deps/rabbitmq_stream/src/rabbit_stream_reader.erl

@@ -82,7 +82,8 @@
          resource_alarm :: boolean(),
          send_file_oct ::
              atomics:atomics_ref(), % number of bytes sent with send_file (for metrics)
-         transport :: tcp | ssl}).
+         transport :: tcp | ssl,
+         proxy_socket :: undefined | ranch_proxy:proxy_socket()}).
 -record(configuration,
         {initial_credits :: integer(),
          credits_required_for_unblocking :: integer(),
@@ -224,7 +225,8 @@ init([KeepaliveSup,
                                frame_max = FrameMax,
                                resource_alarm = false,
                                send_file_oct = SendFileOct,
-                               transport = ConnTransport},
+                               transport = ConnTransport,
+                               proxy_socket = rabbit_net:maybe_get_proxy_socket(Sock)},
             State =
             #stream_connection_state{consumers = #{},
                                      blocked = false,
@@ -2776,8 +2778,8 @@ i(host, #stream_connection{host = Host}, _) ->
     Host;
 i(peer_host, #stream_connection{peer_host = PeerHost}, _) ->
     PeerHost;
-i(ssl, #stream_connection{socket = Socket}, _) ->
-    rabbit_net:is_ssl(Socket);
+i(ssl, #stream_connection{socket = Socket, proxy_socket = ProxySock}, _) ->
+    rabbit_net:proxy_ssl_info(Socket, ProxySock) /= nossl;
 i(peer_cert_subject, S, _) ->
     cert_info(fun rabbit_ssl:peer_cert_subject/1, S);
 i(peer_cert_issuer, S, _) ->
@@ -2843,8 +2845,8 @@ cert_info(F, #stream_connection{socket = Sock}) ->
             list_to_binary(F(Cert))
     end.
 
-ssl_info(F, #stream_connection{socket = Sock}) ->
-    case rabbit_net:ssl_info(Sock) of
+ssl_info(F, #stream_connection{socket = Sock, proxy_socket = ProxySock}) ->
+    case rabbit_net:proxy_ssl_info(Sock, ProxySock) of
         nossl ->
             '';
         {error, _} ->