Rename content_type column to req_type for tls_events. Remove version col in favor of later use of req_body/resp_body. Clean up duplicated body field on tls::Frame type

ddelnano · ddelnano · commit 256b76e877cb · 2025-02-14T23:47:22.000Z
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/src/stirling/source_connectors/socket_tracer/protocols/tls/parse.cc b/src/stirling/source_connectors/socket_tracer/protocols/tls/parse.cc
@@ -18,6 +18,7 @@
 #include "src/stirling/source_connectors/socket_tracer/protocols/tls/parse.h"
 
 #include <map>
+#include <memory>
 #include <string>
 #include <utility>
 #include <vector>
@@ -41,7 +42,7 @@ constexpr size_t kSNIExtensionMinimumLength = 3;
 // In TLS 1.2 and earlier, gmt_unix_time is 4 bytes and Random is 28 bytes.
 constexpr size_t kRandomStructLength = 32;
 
-StatusOr<ParseState> ExtractSNIExtension(ReqExtensions* exts, BinaryDecoder* decoder) {
+StatusOr<ParseState> ExtractSNIExtension(SharedExtensions* exts, BinaryDecoder* decoder) {
   PX_ASSIGN_OR(auto server_name_list_length, decoder->ExtractBEInt<uint16_t>(),
                return ParseState::kInvalid);
   while (server_name_list_length > 0) {
@@ -75,7 +76,7 @@ StatusOr<ParseState> ExtractSNIExtension(ReqExtensions* exts, BinaryDecoder* dec
  * diagram: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_record
  */
 
-ParseState ParseFullFrame(BinaryDecoder* decoder, Frame* frame) {
+ParseState ParseFullFrame(SharedExtensions* extensions, BinaryDecoder* decoder, Frame* frame) {
   PX_ASSIGN_OR(auto raw_content_type, decoder->ExtractBEInt<uint8_t>(),
                return ParseState::kInvalid);
   auto content_type = magic_enum::enum_cast<tls::ContentType>(raw_content_type);
@@ -161,8 +162,6 @@ ParseState ParseFullFrame(BinaryDecoder* decoder, Frame* frame) {
     return ParseState::kSuccess;
   }
 
-  ReqExtensions req_extensions;
-  RespExtensions resp_extensions;
   while (extensions_length > 0) {
     PX_ASSIGN_OR(auto extension_type, decoder->ExtractBEInt<uint16_t>(),
                  return ParseState::kInvalid);
@@ -171,7 +170,7 @@ ParseState ParseFullFrame(BinaryDecoder* decoder, Frame* frame) {
 
     if (extension_length > 0) {
       if (extension_type == 0x00) {
-        if (!ExtractSNIExtension(&req_extensions, decoder).ok()) {
+        if (!ExtractSNIExtension(extensions, decoder).ok()) {
           return ParseState::kInvalid;
         }
       } else {
@@ -183,21 +182,17 @@ ParseState ParseFullFrame(BinaryDecoder* decoder, Frame* frame) {
 
     extensions_length -= kExtensionMinimumLength + extension_length;
   }
-  JSONObjectBuilder req_body_builder;
-  req_body_builder.WriteKVRecursive("extensions", req_extensions);
-  frame->req_body = req_body_builder.GetString();
-
-  JSONObjectBuilder resp_body_builder;
-  resp_body_builder.WriteKVRecursive("extensions", resp_extensions);
-  frame->resp_body = resp_body_builder.GetString();
+  JSONObjectBuilder body_builder;
+  body_builder.WriteKVRecursive("extensions", *extensions);
+  frame->body = body_builder.GetString();
 
   return ParseState::kSuccess;
 }
 
 }  // namespace tls
 
 template <>
-ParseState ParseFrame(message_type_t, std::string_view* buf, tls::Frame* frame, NoState*) {
+ParseState ParseFrame(message_type_t type, std::string_view* buf, tls::Frame* frame, NoState*) {
   // TLS record header is 5 bytes. The size of the record is in bytes 4 and 5.
   if (buf->length() < tls::kTLSRecordHeaderLength) {
     return ParseState::kNeedsMoreData;
@@ -208,7 +203,13 @@ ParseState ParseFrame(message_type_t, std::string_view* buf, tls::Frame* frame,
   }
 
   BinaryDecoder decoder(*buf);
-  auto parse_result = tls::ParseFullFrame(&decoder, frame);
+  std::unique_ptr<tls::SharedExtensions> extensions;
+  if (type == kRequest) {
+    extensions = std::make_unique<tls::ReqExtensions>();
+  } else {
+    extensions = std::make_unique<tls::RespExtensions>();
+  }
+  auto parse_result = tls::ParseFullFrame(extensions.get(), &decoder, frame);
   if (parse_result == ParseState::kSuccess) {
     buf->remove_prefix(length + tls::kTLSRecordHeaderLength);
   }
diff --git a/src/stirling/source_connectors/socket_tracer/protocols/tls/parse.h b/src/stirling/source_connectors/socket_tracer/protocols/tls/parse.h
@@ -28,7 +28,7 @@ namespace stirling {
 namespace protocols {
 namespace tls {
 
-ParseState ParseFullFrame(BinaryDecoder* decoder, Frame* frame);
+ParseState ParseFullFrame(SharedExtensions* extensions, BinaryDecoder* decoder, Frame* frame);
 
 }
 
diff --git a/src/stirling/source_connectors/socket_tracer/protocols/tls/types.h b/src/stirling/source_connectors/socket_tracer/protocols/tls/types.h
@@ -187,20 +187,23 @@ enum class ExtensionType : uint16_t {
 // Extensions that are common to both the client and server side
 // of a TLS handshake
 struct SharedExtensions {
-  void ToJSON(::px::utils::JSONObjectBuilder* /*builder*/) const {}
+  std::vector<std::string> server_names;
+
+  virtual void ToJSON(::px::utils::JSONObjectBuilder* /*builder*/) const {}
+  virtual ~SharedExtensions() = default;
 };
 
 struct ReqExtensions : public SharedExtensions {
-  std::vector<std::string> server_names;
-
-  void ToJSON(::px::utils::JSONObjectBuilder* builder) const {
+  void ToJSON(::px::utils::JSONObjectBuilder* builder) const override {
     SharedExtensions::ToJSON(builder);
     builder->WriteKV("server_name", server_names);
   }
 };
 
 struct RespExtensions : public SharedExtensions {
-  void ToJSON(::px::utils::JSONObjectBuilder* builder) const { SharedExtensions::ToJSON(builder); }
+  void ToJSON(::px::utils::JSONObjectBuilder* builder) const override {
+    SharedExtensions::ToJSON(builder);
+  }
 };
 
 struct Frame : public FrameBase {
@@ -217,8 +220,7 @@ struct Frame : public FrameBase {
   LegacyVersion handshake_version;
 
   std::string session_id;
-  std::string req_body;
-  std::string resp_body;
+  std::string body;
 
   bool consumed = false;
 
@@ -227,9 +229,8 @@ struct Frame : public FrameBase {
   std::string ToString() const override {
     return absl::Substitute(
         "TLS Frame [len=$0 content_type=$1 legacy_version=$2 handshake_version=$3 "
-        "handshake_type=$4 req_body=$5 resp_body=$6]",
-        length, content_type, legacy_version, handshake_version, handshake_type, req_body,
-        resp_body);
+        "handshake_type=$4 body=$5]",
+        length, content_type, legacy_version, handshake_version, handshake_type, body);
   }
 };
 
diff --git a/src/stirling/source_connectors/socket_tracer/socket_trace_connector.cc b/src/stirling/source_connectors/socket_tracer/socket_trace_connector.cc
@@ -1721,10 +1721,9 @@ void SocketTraceConnector::AppendMessage(ConnectorContext* ctx, const ConnTracke
   r.Append<r.ColIndex("local_addr")>(conn_tracker.local_endpoint().AddrStr());
   r.Append<r.ColIndex("local_port")>(conn_tracker.local_endpoint().port());
   r.Append<r.ColIndex("trace_role")>(conn_tracker.role());
-  r.Append<r.ColIndex("content_type")>(static_cast<uint64_t>(req_message.content_type));
-  r.Append<r.ColIndex("version")>(static_cast<uint64_t>(req_message.legacy_version));
-  r.Append<r.ColIndex("req_body")>(req_message.req_body, kMaxTLSBodyBytes);
-  r.Append<r.ColIndex("resp_body")>(resp_message.resp_body, kMaxTLSBodyBytes);
+  r.Append<r.ColIndex("req_type")>(static_cast<uint64_t>(req_message.content_type));
+  r.Append<r.ColIndex("req_body")>(req_message.body, kMaxTLSBodyBytes);
+  r.Append<r.ColIndex("resp_body")>(resp_message.body, kMaxTLSBodyBytes);
   r.Append<r.ColIndex("latency")>(
       CalculateLatency(req_message.timestamp_ns, resp_message.timestamp_ns));
 #ifndef NDEBUG
diff --git a/src/stirling/source_connectors/socket_tracer/testing/protocol_checkers.cc b/src/stirling/source_connectors/socket_tracer/testing/protocol_checkers.cc
@@ -113,9 +113,9 @@ std::vector<tls::Record> ToRecordVector(const types::ColumnWrapperRecordBatch& r
   std::vector<tls::Record> result;
 
   for (const auto& idx : indices) {
-    auto version = rb[kTLSVersionIdx]->Get<types::Int64Value>(idx);
     tls::Record r;
-    r.req.legacy_version = static_cast<tls::LegacyVersion>(version.val);
+    r.req.body = rb[kTLSReqBodyIdx]->Get<types::StringValue>(idx);
+    r.resp.body = rb[kTLSRespBodyIdx]->Get<types::StringValue>(idx);
     result.push_back(r);
   }
   return result;
diff --git a/src/stirling/source_connectors/socket_tracer/tls_table.h b/src/stirling/source_connectors/socket_tracer/tls_table.h
@@ -37,19 +37,15 @@ static constexpr DataElement kTLSElements[] = {
         canonical_data_elements::kLocalAddr,
         canonical_data_elements::kLocalPort,
         canonical_data_elements::kTraceRole,
-        {"content_type", "The content type of the TLS record (e.g. handshake, alert, heartbeat, etc)",
+        {"req_type", "The content type of the TLS record (e.g. handshake, alert, heartbeat, etc)",
          types::DataType::INT64,
          types::SemanticType::ST_NONE,
          types::PatternType::GENERAL_ENUM},
-        {"version", "Version of TLS record",
-         types::DataType::INT64,
-         types::SemanticType::ST_NONE,
-         types::PatternType::GENERAL_ENUM},
-        {"req_body", "Request body in JSON format. Structure depends on content type (e.g. handshakes contain TLS extensions)",
+        {"req_body", "Request body in JSON format. Structure depends on content type (e.g. handshakes contain TLS extensions, version negotiated, etc.)",
          types::DataType::STRING,
          types::SemanticType::ST_NONE,
          types::PatternType::STRUCTURED},
-        {"resp_body", "Response body in JSON format. Structure depends on content type (e.g. handshakes contain TLS extensions)",
+        {"resp_body", "Response body in JSON format. Structure depends on content type (e.g. handshakes contain TLS extensions, version negotiated, etc.)",
          types::DataType::STRING,
          types::SemanticType::ST_NONE,
          types::PatternType::STRUCTURED},
@@ -65,9 +61,9 @@ static constexpr auto kTLSTable =
 DEFINE_PRINT_TABLE(TLS)
 
 constexpr int kTLSUPIDIdx = kTLSTable.ColIndex("upid");
-constexpr int kTLSCmdIdx = kTLSTable.ColIndex("content_type");
-constexpr int kTLSVersionIdx = kTLSTable.ColIndex("version");
+constexpr int kTLSCmdIdx = kTLSTable.ColIndex("req_type");
 constexpr int kTLSReqBodyIdx = kTLSTable.ColIndex("req_body");
+constexpr int kTLSRespBodyIdx = kTLSTable.ColIndex("resp_body");
 
 }  // namespace stirling
 }  // namespace px
diff --git a/src/stirling/source_connectors/socket_tracer/tls_trace_bpf_test.cc b/src/stirling/source_connectors/socket_tracer/tls_trace_bpf_test.cc
@@ -48,11 +48,6 @@ using ::testing::SizeIs;
 using ::testing::StrEq;
 using ::testing::UnorderedElementsAre;
 
-struct TraceRecords {
-  std::vector<tls::Record> tls_records;
-  std::vector<std::string> req_body;
-};
-
 class NginxOpenSSL_3_0_8_ContainerWrapper
     : public ::px::stirling::testing::NginxOpenSSL_3_0_8_Container {
  public:
@@ -80,15 +75,6 @@ tls::Record GetExpectedTLSRecord() {
   return expected_record;
 }
 
-inline std::vector<std::string> GetRequestBody(const types::ColumnWrapperRecordBatch& rb,
-                                               const std::vector<size_t>& indices) {
-  std::vector<std::string> exts;
-  for (size_t idx : indices) {
-    exts.push_back(rb[kTLSReqBodyIdx]->Get<types::StringValue>(idx));
-  }
-  return exts;
-}
-
 class TLSVersionParameterizedTest
     : public SocketTraceBPFTestFixture</* TClientSideTracing */ false>,
       public ::testing::WithParamInterface<std::string> {
@@ -125,15 +111,15 @@ class TLSVersionParameterizedTest
     client.Wait();
     this->StopTransferDataThread();
 
-    TraceRecords records = this->GetTraceRecords(this->server_.PID());
-    EXPECT_THAT(records.tls_records, SizeIs(1));
-    EXPECT_THAT(records.req_body, SizeIs(1));
+    auto records = this->GetTraceRecords(this->server_.PID());
+    EXPECT_THAT(records, SizeIs(1));
+    EXPECT_GT(records[0].req.body.size(), 0);
     auto sni_str = R"({"extensions":{"server_name":["test-host"]}})";
-    EXPECT_THAT(records.req_body[0], StrEq(sni_str));
+    EXPECT_THAT(records[0].req.body, StrEq(sni_str));
   }
 
   // Returns the trace records of the process specified by the input pid.
-  TraceRecords GetTraceRecords(int pid) {
+  std::vector<tls::Record> GetTraceRecords(int pid) {
     std::vector<TaggedRecordBatch> tablets =
         this->ConsumeRecords(SocketTraceConnector::kTLSTableNum);
     if (tablets.empty()) {
@@ -142,11 +128,7 @@ class TLSVersionParameterizedTest
     types::ColumnWrapperRecordBatch record_batch = tablets[0].records;
     std::vector<size_t> server_record_indices =
         FindRecordIdxMatchesPID(record_batch, kTLSUPIDIdx, pid);
-    std::vector<tls::Record> tls_records =
-        ToRecordVector<tls::Record>(record_batch, server_record_indices);
-    std::vector<std::string> extensions = GetRequestBody(record_batch, server_record_indices);
-
-    return {std::move(tls_records), std::move(extensions)};
+    return ToRecordVector<tls::Record>(record_batch, server_record_indices);
   }
 
   NginxOpenSSL_3_0_8_ContainerWrapper server_;

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ namespace stirling {`
`28`	`28`	`namespace protocols {`
`29`	`29`	`namespace tls {`
`30`	`30`
`31`		`-ParseState ParseFullFrame(BinaryDecoder* decoder, Frame* frame);`
	`31`	`+ParseState ParseFullFrame(SharedExtensions* extensions, BinaryDecoder* decoder, Frame* frame);`
`32`	`32`
`33`	`33`	`}`
`34`	`34`