Merge branch 'master' into refactor/ai-analytics

.github/workflows/auto-assignee.yml

@@ -11,5 +11,5 @@ jobs:
       - name: assign-author
         # ignore the pull requests opened from PR because token is not correct
         if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'
-        uses: toshimaru/auto-author-assign@c1ffd6f64e20f8f5f61f4620a1e5f0b0908790ef
+        uses: toshimaru/auto-author-assign@ebd30f10fb56e46eb0759a14951f36991426fed0
 

.github/workflows/backport-fail-bot.yml

@@ -44,7 +44,7 @@ jobs:
         result-encoding: string
 
     - name: Send Slack Message
-      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
+      uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
       with:
         payload: ${{ steps.generate-payload.outputs.result }}
       env:

.github/workflows/changelog-requirement.yml

@@ -21,7 +21,7 @@ jobs:
 
       - name: Find changelog files
         id: changelog-list
-        uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # 41.0.1
+        uses: tj-actions/changed-files@aa08304bd477b800d468db44fe10f6c61f7f7b11 # 42.1.0
         with:
           files_yaml: |
             changelogs:

.github/workflows/cherry-picks.yml

@@ -26,7 +26,7 @@ jobs:
         with:
           token: ${{ secrets.CHERRY_PICK_TOKEN }}
       - name: Create backport pull requests
-        uses: jschmid1/cross-repo-cherrypick-action@2d2a475d31b060ac21521b5eda0a78876bbae94e #v1.1.0
+        uses: jschmid1/cross-repo-cherrypick-action@9d2ead0043acba474373992c8175f2b8ffcdb31c #v1.2.0
         id: cherry_pick
         with:
           token: ${{ secrets.CHERRY_PICK_TOKEN }}

.github/workflows/release-and-tests-fail-bot.yml

@@ -70,7 +70,7 @@ jobs:
         result-encoding: string
 
     - name: Send Slack Message
-      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
+      uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
       with:
         payload: ${{ steps.generate-payload.outputs.result }}
       env:

.github/workflows/release.yml

@@ -42,6 +42,7 @@ env:
   # PRs opened from fork and from dependabot don't have access to repo secrets
   HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }}
 
+
 jobs:
   metadata:
     name: Metadata
@@ -313,6 +314,10 @@ jobs:
     needs: [metadata, build-packages]
     runs-on: ubuntu-22.04
 
+    permissions:
+      # create comments on commits for docker images needs the `write` permission
+      contents: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -402,7 +407,7 @@ jobs:
       if: github.event_name == 'push' && matrix.label == 'ubuntu'
       uses: peter-evans/commit-comment@5a6f8285b8f2e8376e41fe1b563db48e6cf78c09 # v3.0.0
       with:
-        token: ${{ secrets.GHA_COMMENT_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
         body: |
           ### Bazel Build
           Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}`
@@ -493,15 +498,15 @@ jobs:
     - name: Scan AMD64 Image digest
       id: sbom_action_amd64
       if: steps.image_manifest_metadata.outputs.amd64_sha != ''
-      uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@v2
       with:
         asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64
         image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
 
     - name: Scan ARM64 Image digest
       if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
       id: sbom_action_arm64
-      uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@v2
       with:
         asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64
         image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}

CONTRIBUTING.md

@@ -37,7 +37,7 @@ Consult the Table of Contents below, and jump to the desired section.
             * [Writing changelog](#writing-changelog)
             * [Writing performant code](#writing-performant-code)
             * [Adding Changelog](#adding-changelog)
-        * [Contributor T-shirt](#contributor-t-shirt)
+        * [Contributor Badge](#contributor-badge)
     * [Code style](#code-style)
         * [Table of Contents - Code style](#table-of-contents---code-style)
         * [Modules](#modules)
@@ -205,7 +205,7 @@ to it if necessary.
 If your Pull Request was accepted and fixes a bug, adds functionality, or
 makes it significantly easier to use or understand Kong, congratulations!
 You are now an official contributor to Kong. Get in touch with us to receive
-your very own [Contributor T-shirt](#contributor-t-shirt)!
+your very own [Contributor Badge](#contributor-badge)!
 
 Your change will be included in the subsequent release Changelog, and we will
 not forget to include your name if you are an external contributor. :wink:
@@ -542,26 +542,27 @@ language you are using. :smile:
 
 #### Adding Changelog
 
-Every patch, except those 
+Every patch, except those
 documentation-only changes, requires a changelog entry to be present inside your Pull Request.
 
 Please follow [the changelog instructions](https://github.com/Kong/gateway-changelog)
 to create the appropriate changelog file your Pull Request.
 
 [Back to TOC](#table-of-contents)
 
-### Contributor T-shirt
+### Contributor Badge
 
 If your Pull Request to [Kong/kong](https://github.com/Kong/kong) was
 accepted, and it fixes a bug, adds functionality, or makes it significantly
 easier to use or understand Kong, congratulations! You are eligible to
-receive the very special Contributor T-shirt! Go ahead and fill out the
+receive the very special digital Contributor Badge! Go ahead and fill out the
 [Contributors Submissions form](https://goo.gl/forms/5w6mxLaE4tz2YM0L2).
 
-Proudly wear your T-shirt and show it to us by tagging
+Proudly display your Badge and show it to us by tagging
 [@thekonginc](https://twitter.com/thekonginc) on Twitter!
 
-![Kong Contributor T-shirt](https://konghq.com/wp-content/uploads/2018/04/100-contributor-t-shirt-1024x768.jpg)
+*Badges expire after 1 year, at which point you may submit a new contribution
+to renew the badge.*
 
 [Back to TOC](#table-of-contents)
 

build/openresty/patches/ngx_lua-0.10.26_03-regex-memory-corruption.patch

@@ -1,38 +1,77 @@
 diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c
-index 1b52fa2..30c1650 100644
+index 1b52fa2..646b483 100644
 --- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c
 +++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c
-@@ -688,11 +688,11 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags,
+@@ -591,7 +591,11 @@ ngx_http_lua_ffi_compile_regex(const unsigned char *pat, size_t pat_len,
+         re_comp.captures = 0;
+
+     } else {
++#if (NGX_PCRE2)
++        ovecsize = (re_comp.captures + 1) * 2;
++#else
+         ovecsize = (re_comp.captures + 1) * 3;
++#endif
+     }
+
+     dd("allocating cap with size: %d", (int) ovecsize);
+@@ -684,21 +688,21 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags,
+ {
+     int          rc, exec_opts = 0;
+     size_t      *ov;
+-    ngx_uint_t   ovecsize, n, i;
++    ngx_uint_t   ovecpair, n, i;
      ngx_pool_t  *old_pool;
 
      if (flags & NGX_LUA_RE_MODE_DFA) {
 -        ovecsize = 2;
-+        ovecsize = 1;
++        ovecpair = 1;
          re->ncaptures = 0;
 
      } else {
 -        ovecsize = (re->ncaptures + 1) * 3;
-+        ovecsize = re->ncaptures + 1;
++        ovecpair = re->ncaptures + 1;
      }
 
      old_pool = ngx_http_lua_pcre_malloc_init(NULL);
-@@ -710,7 +710,7 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags,
+
+     if (ngx_regex_match_data == NULL
+-        || ovecsize > ngx_regex_match_data_size)
++        || ovecpair > ngx_regex_match_data_size)
+     {
+         /*
+          * Allocate a match data if not yet allocated or smaller than
+@@ -709,8 +713,8 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags,
+             pcre2_match_data_free(ngx_regex_match_data);
          }
 
-         ngx_regex_match_data_size = ovecsize;
+-        ngx_regex_match_data_size = ovecsize;
 -        ngx_regex_match_data = pcre2_match_data_create(ovecsize / 3, NULL);
-+        ngx_regex_match_data = pcre2_match_data_create(ovecsize, NULL);
++        ngx_regex_match_data_size = ovecpair;
++        ngx_regex_match_data = pcre2_match_data_create(ovecpair, NULL);
 
          if (ngx_regex_match_data == NULL) {
              rc = PCRE2_ERROR_NOMEMORY;
-@@ -756,8 +756,8 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags,
-                    "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize);
+@@ -741,7 +745,7 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags,
+ #if (NGX_DEBUG)
+         ngx_log_debug4(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
+                        "pcre2_match failed: flags 0x%05Xd, options 0x%08Xd, "
+-                       "rc %d, ovecsize %ui", flags, exec_opts, rc, ovecsize);
++                       "rc %d, ovecpair %ui", flags, exec_opts, rc, ovecpair);
+ #endif
+
+         goto failed;
+@@ -753,11 +757,11 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags,
+ #if (NGX_DEBUG)
+     ngx_log_debug5(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
+                    "pcre2_match: flags 0x%05Xd, options 0x%08Xd, rc %d, "
+-                   "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize);
++                   "n %ui, ovecpair %ui", flags, exec_opts, rc, n, ovecpair);
  #endif
 
 -    if (!(flags & NGX_LUA_RE_MODE_DFA) && n > ovecsize / 3) {
 -        n = ovecsize / 3;
-+    if (n > ovecsize) {
-+        n = ovecsize;
++    if (n > ovecpair) {
++        n = ovecpair;
      }
 
      for (i = 0; i < n; i++) {

build/openresty/patches/ngx_stream_lua-0.0.14_03-regex-memory-corruption.patch

@@ -1,42 +1,81 @@
 diff --git a/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c b/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c
-index e32744e..241ec00 100644
+index e32744e..080e5dd 100644
 --- a/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c
 +++ b/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c
-@@ -695,11 +695,11 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
+@@ -598,7 +598,11 @@ ngx_stream_lua_ffi_compile_regex(const unsigned char *pat, size_t pat_len,
+         re_comp.captures = 0;
+
+     } else {
++#if (NGX_PCRE2)
++        ovecsize = (re_comp.captures + 1) * 2;
++#else
+         ovecsize = (re_comp.captures + 1) * 3;
++#endif
+     }
+
+     dd("allocating cap with size: %d", (int) ovecsize);
+@@ -691,21 +695,21 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
+ {
+     int          rc, exec_opts = 0;
+     size_t      *ov;
+-    ngx_uint_t   ovecsize, n, i;
++    ngx_uint_t   ovecpair, n, i;
      ngx_pool_t  *old_pool;
 
      if (flags & NGX_LUA_RE_MODE_DFA) {
 -        ovecsize = 2;
-+        ovecsize = 1;
++        ovecpair = 1;
          re->ncaptures = 0;
 
      } else {
 -        ovecsize = (re->ncaptures + 1) * 3;
-+        ovecsize = re->ncaptures + 1;
++        ovecpair = re->ncaptures + 1;
      }
 
      old_pool = ngx_stream_lua_pcre_malloc_init(NULL);
-@@ -717,7 +717,7 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
+
+     if (ngx_regex_match_data == NULL
+-        || ovecsize > ngx_regex_match_data_size)
++        || ovecpair > ngx_regex_match_data_size)
+     {
+         /*
+          * Allocate a match data if not yet allocated or smaller than
+@@ -716,8 +720,8 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
+             pcre2_match_data_free(ngx_regex_match_data);
          }
 
-         ngx_regex_match_data_size = ovecsize;
+-        ngx_regex_match_data_size = ovecsize;
 -        ngx_regex_match_data = pcre2_match_data_create(ovecsize / 3, NULL);
-+        ngx_regex_match_data = pcre2_match_data_create(ovecsize, NULL);
++        ngx_regex_match_data_size = ovecpair;
++        ngx_regex_match_data = pcre2_match_data_create(ovecpair, NULL);
 
          if (ngx_regex_match_data == NULL) {
              rc = PCRE2_ERROR_NOMEMORY;
-@@ -762,8 +762,8 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
-                    "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize);
+@@ -747,7 +751,7 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
+ #if (NGX_DEBUG)
+     ngx_log_debug4(NGX_LOG_DEBUG_STREAM, ngx_cycle->log, 0,
+                    "pcre2_match failed: flags 0x%05Xd, options 0x%08Xd, rc %d, "
+-                   "ovecsize %ui", flags, exec_opts, rc, ovecsize);
++                   "ovecpair %ui", flags, exec_opts, rc, ovecpair);
+ #endif
+
+         goto failed;
+@@ -759,11 +763,11 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
+ #if (NGX_DEBUG)
+     ngx_log_debug5(NGX_LOG_DEBUG_STREAM, ngx_cycle->log, 0,
+                    "pcre2_match: flags 0x%05Xd, options 0x%08Xd, rc %d, "
+-                   "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize);
++                   "n %ui, ovecpair %ui", flags, exec_opts, rc, n, ovecpair);
  #endif
 
 -    if (!(flags & NGX_LUA_RE_MODE_DFA) && n > ovecsize / 3) {
 -        n = ovecsize / 3;
-+    if (n > ovecsize) {
-+        n = ovecsize;
++    if (n > ovecpair) {
++        n = ovecpair;
      }
 
      for (i = 0; i < n; i++) {
-@@ -796,6 +796,21 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
+@@ -796,6 +800,21 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags,
          re->ncaptures = 0;
 
      } else {

changelog/unreleased/kong/feat-jwt-eddsa.yml

@@ -0,0 +1,4 @@
+message: |
+  Addded support for EdDSA algorithms in JWT plugin
+type: feature
+scope: Plugin

changelog/unreleased/kong/feat-jwt-es512.yml

@@ -0,0 +1,4 @@
+message: |
+  Addded support for ES512, PS256, PS384, PS512 algorithms in JWT plugin
+type: feature
+scope: Plugin

changelog/unreleased/kong/fix-dns-resolv-timeout-zero.yml

@@ -0,0 +1,3 @@
+message: "**DNS Client**: Ignore a non-positive values on resolv.conf for options timeout, and use a default value of 2 seconds instead."
+type: bugfix
+scope: Core

changelog/unreleased/kong/fix-external-plugin-instance.yml

@@ -0,0 +1,5 @@
+message: |
+    Fix an issue where an external plugin (Go, Javascript, or Python) would fail to
+    apply a change to the plugin config via the Admin API.
+type: bugfix
+scope: Configuration

changelog/unreleased/kong/fix-jwt-plugin-check.yml

@@ -0,0 +1,3 @@
+message: "**Jwt**: fix an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms."
+type: bugfix
+scope: Plugin

changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml

@@ -0,0 +1,5 @@
+message: |
+  Fixed an issue where SNI-based routing does not work
+  using tls_passthrough and the traditional_compatible router flavor
+type: bugfix
+scope: Core

changelog/unreleased/kong/plugin-schema-deprecation-record.yml

@@ -0,0 +1,3 @@
+message: "**Schema**: Added a deprecation field attribute to identify deprecated fields"
+type: feature
+scope: Configuration

kong/db/schema/entities/routes.lua

@@ -130,10 +130,29 @@ else
   }
 
   if kong_router_flavor == "traditional_compatible" then
+    local is_empty_field = require("kong.router.transform").is_empty_field
+
     table.insert(entity_checks,
       { custom_entity_check = {
+        field_sources = { "id", "protocols",
+                          "snis", "sources", "destinations",
+                          "methods", "hosts", "paths", "headers",
+                        },
         run_with_missing_fields = true,
-        fn = validate_route,
+        fn = function(entity)
+          if is_empty_field(entity.snis) and
+             is_empty_field(entity.sources) and
+             is_empty_field(entity.destinations) and
+             is_empty_field(entity.methods) and
+             is_empty_field(entity.hosts) and
+             is_empty_field(entity.paths) and
+             is_empty_field(entity.headers)
+          then
+            return true
+          end
+
+          return validate_route(entity)
+        end,
       }}
     )
   end