credentials: check and expose SPIFFE ID

[ZhenLian]

This PR does the following three things:

1. add a new field SpiffeID to the struct TLSInfo
2. add a function ParseSpiffeID to TLSInfo that will check the format of SPIFFE ID, and fill in
   if the check passes
3. call ParseSpiffeID at the end of ClientHandshake and ServerHandshake to fill the SpiffeID

After this change, users could use

ctx context.Context
p, ok := peer.FromContext(ctx)
tlsInfo, ok := p.AuthInfo.(credentials.TLSInfo)

to get the SPIFFE ID information(error handling omitted).

Note that parsing of URI fields is only supported in go version >= 1.10. For earlier versions, we log the error information and don't expose the field, and return a nil error.

[ZhenLian]

@jiangtaoli2016 Can you please first take a look at the correctness of the plumbing flow and SPIFFE ID check? Thanks in advance!

[ZhenLian]

F.Y.I. https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#23-maximum-spiffe-id-length this describes the maximum length of a SPIFFE ID.

[jiangtaoli2016]

Thanks Zhen for implementation! A minor comment.

[jiangtaoli2016]

Thanks @ZhenLian for revision. A few minor comments.

[jiangtaoli2016]

We should also choose a Golang readability reviewer.

[jiangtaoli2016]

PS: I am fine with not parsing SPIFFE ID for go version 1.9 and before -- for now. We may revisit this later.

[ZhenLian]

@doug Since this change touches some part of tls pkg, could you review it please? Thanks in advance!

[ZhenLian]

Sorry it seems I @ ed the wrong person... @dfawley this change touches some part of tls package. could you please take a look at this please? Feel free to let me know if you have any concerns.
Thank you so much!

[dfawley]

You can delete this; users don't need a log line every time they make a connection, and Go 1.9 isn't supported anyway.

[ZhenLian]

SG. I added a TODO above this function to remind me for the future deletion of this file. Please let me know if this works for you. Thanks!

[ZhenLian]

@dfawley This PR is ready again. Please let me know if it could be better improved. Thanks a lot for the review!

[dfawley]

I wouldn't consider SPIFFE to be "common" to all transport security implementations. I don't think it makes as much sense here, at least not if the only reason to move it was because this struct is already marked as experimental.

[ZhenLian]

Got it. I put it back to TLSInfo. Since TLSInfo itself is not EXPERIMENTAL, I marked only the SPIFFEID EXPERIMENTAL. Please let me know if it works:)

[ZhenLian]

@dfawley I'd like to provide some updates on this PR:
We found that the envoy RBAC assumed that the SPIFFE ID is the first URI entry, because for a valid SPIFFE certificate, there would always be exactly one URI field with spiffe scheme. We'd like to keep alignment with this, so after the change, a certificate with IDs, say "spiffe://foo/bar" and "https://foo/bar" would be considered as invalid(similar changes in C core).
For invalid certs, we'd also like to not return errors, but just to log the errors and not plumb the ID.
@jiangtaoli2016 since this includes some logic changes(although not much), can you please take a look at the latest commit first? Thank you so much!

[jiangtaoli2016]

Thanks much Zhen for quick revision!

[ZhenLian]

@dfawley Hi Doug, this PR is ready for review again (sorry for the back and forth) :)