From 3dd5bdb78ee9aa4b4f602ec241a4b52b1b0ae353 Mon Sep 17 00:00:00 2001 
From: Niklaus Schen <8458369+Water-Melon@users.noreply.github.com> Date: Thu, 7 Mar 2024 11:47:33 +0800 Subject: [PATCH 01/18] chore(test): remove prefix directory when stop_kong called (#12691) If the prefix is not cleaned up when stop_kong is called, it could impact subsequent tests, especially when later tests start Kong by a shell command, the Kong instance might be started up with the default `servroot` prefix. KAG-3808 --- .../04-admin_api/03-consumers_routes_spec.lua | 2 +- .../04-admin_api/04-plugins_routes_spec.lua | 2 +- .../04-admin_api/09-routes_routes_spec.lua | 4 ++-- .../04-admin_api/10-services_routes_spec.lua | 2 +- spec/02-integration/04-admin_api/15-off_spec.lua | 10 +++++----- spec/02-integration/04-admin_api/19-vaults_spec.lua | 2 +- .../04-admin_api/21-admin-api-keys_spec.lua | 2 +- .../04-admin_api/21-truncated_arguments_spec.lua | 2 +- .../04-admin_api/25-max_safe_integer_spec.lua | 4 ++-- .../05-proxy/04-plugins_triggering_spec.lua | 6 +++--- spec/02-integration/05-proxy/09-websockets_spec.lua | 2 +- spec/02-integration/05-proxy/11-handler_spec.lua | 6 +++--- .../05-proxy/13-error_handlers_spec.lua | 2 +- .../05-proxy/25-upstream_keepalive_spec.lua | 2 +- .../02-core_entities_invalidations_spec.lua | 12 ++++++------ spec/02-integration/11-dbless/01-respawn_spec.lua | 2 +- spec/02-integration/11-dbless/02-workers_spec.lua | 2 +- .../11-dbless/03-config_persistence_spec.lua | 4 ++-- spec/02-integration/13-vaults/05-ttl_spec.lua | 2 +- spec/02-integration/13-vaults/07-resurrect_spec.lua | 2 +- .../01-legacy_queue_parameter_warning_spec.lua | 2 +- .../19-hmac-auth/04-invalidations_spec.lua | 2 +- .../20-ldap-auth/02-invalidations_spec.lua | 2 +- spec/03-plugins/23-rate-limiting/03-api_spec.lua | 2 +- .../24-response-rate-limiting/04-access_spec.lua | 12 ++++++------ spec/03-plugins/29-acme/05-redis_storage_spec.lua | 2 +- spec/03-plugins/31-proxy-cache/02-access_spec.lua | 2 +- spec/03-plugins/31-proxy-cache/03-api_spec.lua | 2 +- 
.../31-proxy-cache/04-invalidations_spec.lua | 4 ++-- .../38-ai-proxy/02-openai_integration_spec.lua | 2 +- .../38-ai-proxy/03-anthropic_integration_spec.lua | 2 +- .../38-ai-proxy/04-cohere_integration_spec.lua | 2 +- .../38-ai-proxy/05-azure_integration_spec.lua | 2 +- .../38-ai-proxy/06-mistral_integration_spec.lua | 2 +- .../38-ai-proxy/07-llama2_integration_spec.lua | 2 +- .../38-ai-proxy/08-encoding_integration_spec.lua | 2 +- .../02-integration_spec.lua | 2 +- .../02-integration_spec.lua | 2 +- .../41-ai-prompt-decorator/02-integration_spec.lua | 2 +- .../42-ai-prompt-guard/02-integration_spec.lua | 2 +- .../43-ai-prompt-template/02-integration_spec.lua | 2 +- .../plugins/acme/migrations/003_350_to_360_spec.lua | 2 +- .../http-log/migrations/001_280_to_300_spec.lua | 2 +- .../opentelemetry/migrations/001_331_to_332_spec.lua | 2 +- .../rate-limiting/migrations/006_350_to_360_spec.lua | 2 +- .../migrations/001_350_to_360_spec.lua | 2 +- 46 files changed, 68 insertions(+), 68 deletions(-) diff --git a/spec/02-integration/04-admin_api/03-consumers_routes_spec.lua b/spec/02-integration/04-admin_api/03-consumers_routes_spec.lua index 31d66bf29be..d5251bd7c67 100644 --- a/spec/02-integration/04-admin_api/03-consumers_routes_spec.lua +++ b/spec/02-integration/04-admin_api/03-consumers_routes_spec.lua @@ -46,7 +46,7 @@ describe("Admin API (#" .. strategy .. "): ", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/04-admin_api/04-plugins_routes_spec.lua b/spec/02-integration/04-admin_api/04-plugins_routes_spec.lua index 2cdd40ce158..f1f52be0787 100644 --- a/spec/02-integration/04-admin_api/04-plugins_routes_spec.lua +++ b/spec/02-integration/04-admin_api/04-plugins_routes_spec.lua @@ -24,7 +24,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() 
diff --git a/spec/02-integration/04-admin_api/09-routes_routes_spec.lua b/spec/02-integration/04-admin_api/09-routes_routes_spec.lua index 20ab5d8a573..e358bf1d706 100644 --- a/spec/02-integration/04-admin_api/09-routes_routes_spec.lua +++ b/spec/02-integration/04-admin_api/09-routes_routes_spec.lua @@ -35,7 +35,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() @@ -1966,7 +1966,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/04-admin_api/10-services_routes_spec.lua b/spec/02-integration/04-admin_api/10-services_routes_spec.lua index b1fe3be1cc7..32dbcd052ff 100644 --- a/spec/02-integration/04-admin_api/10-services_routes_spec.lua +++ b/spec/02-integration/04-admin_api/10-services_routes_spec.lua @@ -35,7 +35,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/04-admin_api/15-off_spec.lua b/spec/02-integration/04-admin_api/15-off_spec.lua index 655a9e621bb..3ca5d34b80e 100644 --- a/spec/02-integration/04-admin_api/15-off_spec.lua +++ b/spec/02-integration/04-admin_api/15-off_spec.lua @@ -57,7 +57,7 @@ describe("Admin API #off", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() @@ -2741,7 +2741,7 @@ describe("Admin API (concurrency tests) #off", function() end) after_each(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() if client then client:close() @@ -2862,7 +2862,7 @@ describe("Admin API #off with Unique Foreign #unique", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() 
@@ -3005,7 +3005,7 @@ describe("Admin API #off with cache key vs endpoint key #unique", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() @@ -3073,7 +3073,7 @@ describe("Admin API #off worker_consistency=eventual", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/04-admin_api/19-vaults_spec.lua b/spec/02-integration/04-admin_api/19-vaults_spec.lua index aa451805164..08063e30fe0 100644 --- a/spec/02-integration/04-admin_api/19-vaults_spec.lua +++ b/spec/02-integration/04-admin_api/19-vaults_spec.lua @@ -21,7 +21,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/04-admin_api/21-admin-api-keys_spec.lua b/spec/02-integration/04-admin_api/21-admin-api-keys_spec.lua index a4c6203b485..ac6a7981f6e 100644 --- a/spec/02-integration/04-admin_api/21-admin-api-keys_spec.lua +++ b/spec/02-integration/04-admin_api/21-admin-api-keys_spec.lua @@ -27,7 +27,7 @@ for _, strategy in helpers.all_strategies() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/04-admin_api/21-truncated_arguments_spec.lua b/spec/02-integration/04-admin_api/21-truncated_arguments_spec.lua index 03d342edaf3..3a4071642b2 100644 --- a/spec/02-integration/04-admin_api/21-truncated_arguments_spec.lua +++ b/spec/02-integration/04-admin_api/21-truncated_arguments_spec.lua @@ -18,7 +18,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() 
diff --git a/spec/02-integration/04-admin_api/25-max_safe_integer_spec.lua b/spec/02-integration/04-admin_api/25-max_safe_integer_spec.lua index a54ff945225..ec51f1d644a 100644 --- a/spec/02-integration/04-admin_api/25-max_safe_integer_spec.lua +++ b/spec/02-integration/04-admin_api/25-max_safe_integer_spec.lua @@ -25,7 +25,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() @@ -63,7 +63,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/05-proxy/04-plugins_triggering_spec.lua b/spec/02-integration/05-proxy/04-plugins_triggering_spec.lua index 81e54483425..5f729b22194 100644 --- a/spec/02-integration/05-proxy/04-plugins_triggering_spec.lua +++ b/spec/02-integration/05-proxy/04-plugins_triggering_spec.lua @@ -232,7 +232,7 @@ for _, strategy in helpers.each_strategy() do lazy_teardown(function() if proxy_client then proxy_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("checks global configuration without credentials", function() @@ -744,7 +744,7 @@ for _, strategy in helpers.each_strategy() do lazy_teardown(function() helpers.stop_kong("servroot2") - helpers.stop_kong(nil, true) + helpers.stop_kong() end) @@ -1277,7 +1277,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("certificate phase clears context, fix #7054", function() diff --git a/spec/02-integration/05-proxy/09-websockets_spec.lua b/spec/02-integration/05-proxy/09-websockets_spec.lua index b88b6b788f5..a70d8a4c585 100644 --- a/spec/02-integration/05-proxy/09-websockets_spec.lua +++ b/spec/02-integration/05-proxy/09-websockets_spec.lua 
@@ -42,7 +42,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) local function open_socket(uri) diff --git a/spec/02-integration/05-proxy/11-handler_spec.lua b/spec/02-integration/05-proxy/11-handler_spec.lua index fbd048b2a5b..ec374a65804 100644 --- a/spec/02-integration/05-proxy/11-handler_spec.lua +++ b/spec/02-integration/05-proxy/11-handler_spec.lua @@ -43,7 +43,7 @@ for _, strategy in helpers.each_strategy() do lazy_teardown(function() if admin_client then admin_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("runs", function() @@ -101,7 +101,7 @@ for _, strategy in helpers.each_strategy() do lazy_teardown(function() if admin_client then admin_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("doesn't run", function() @@ -175,7 +175,7 @@ for _, strategy in helpers.each_strategy() do lazy_teardown(function() if admin_client then admin_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("doesn't run", function() diff --git a/spec/02-integration/05-proxy/13-error_handlers_spec.lua b/spec/02-integration/05-proxy/13-error_handlers_spec.lua index a755d515bed..e56c8bc22d0 100644 --- a/spec/02-integration/05-proxy/13-error_handlers_spec.lua +++ b/spec/02-integration/05-proxy/13-error_handlers_spec.lua @@ -12,7 +12,7 @@ describe("Proxy error handlers", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/05-proxy/25-upstream_keepalive_spec.lua b/spec/02-integration/05-proxy/25-upstream_keepalive_spec.lua index 91ee0e436df..c9421795755 100644 --- a/spec/02-integration/05-proxy/25-upstream_keepalive_spec.lua +++ b/spec/02-integration/05-proxy/25-upstream_keepalive_spec.lua 
@@ -125,7 +125,7 @@ describe("#postgres upstream keepalive", function() proxy_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) diff --git a/spec/02-integration/06-invalidations/02-core_entities_invalidations_spec.lua b/spec/02-integration/06-invalidations/02-core_entities_invalidations_spec.lua index 5a895803bd8..d9946e39b04 100644 --- a/spec/02-integration/06-invalidations/02-core_entities_invalidations_spec.lua +++ b/spec/02-integration/06-invalidations/02-core_entities_invalidations_spec.lua @@ -82,8 +82,8 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong("servroot1", true) - helpers.stop_kong("servroot2", true) + helpers.stop_kong("servroot1") + helpers.stop_kong("servroot2") end) before_each(function() @@ -1196,8 +1196,8 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong("servroot1", true) - helpers.stop_kong("servroot2", true) + helpers.stop_kong("servroot1") + helpers.stop_kong("servroot2") end) before_each(function() @@ -1337,8 +1337,8 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong("servroot1", true) - helpers.stop_kong("servroot2", true) + helpers.stop_kong("servroot1") + helpers.stop_kong("servroot2") end) before_each(function() diff --git a/spec/02-integration/11-dbless/01-respawn_spec.lua b/spec/02-integration/11-dbless/01-respawn_spec.lua index 5f263067bd7..3536ebcfdc2 100644 --- a/spec/02-integration/11-dbless/01-respawn_spec.lua +++ b/spec/02-integration/11-dbless/01-respawn_spec.lua @@ -57,7 +57,7 @@ describe("worker respawn", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/02-integration/11-dbless/02-workers_spec.lua b/spec/02-integration/11-dbless/02-workers_spec.lua index 242294d616f..fd7a002cfa5 100644 --- a/spec/02-integration/11-dbless/02-workers_spec.lua 
+++ b/spec/02-integration/11-dbless/02-workers_spec.lua @@ -29,7 +29,7 @@ describe("Workers initialization #off", function() lazy_teardown(function() admin_client:close() proxy_client:close() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("restarts worker correctly without issues on the init_worker phase when config includes 1000+ plugins", function() diff --git a/spec/02-integration/11-dbless/03-config_persistence_spec.lua b/spec/02-integration/11-dbless/03-config_persistence_spec.lua index e4c51f4025b..f49d4958986 100644 --- a/spec/02-integration/11-dbless/03-config_persistence_spec.lua +++ b/spec/02-integration/11-dbless/03-config_persistence_spec.lua @@ -21,7 +21,7 @@ describe("dbless persistence #off", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("loads the lmdb config on restarts", function() @@ -113,7 +113,7 @@ describe("dbless persistence with a declarative config #off", function() end) after_each(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) lazy_teardown(function() os.remove(yaml_file) diff --git a/spec/02-integration/13-vaults/05-ttl_spec.lua b/spec/02-integration/13-vaults/05-ttl_spec.lua index e6f65fd5646..f3eaf983499 100644 --- a/spec/02-integration/13-vaults/05-ttl_spec.lua +++ b/spec/02-integration/13-vaults/05-ttl_spec.lua @@ -183,7 +183,7 @@ describe("vault ttl and rotation (#" .. strategy .. ") #" .. vault.name, functio client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() vault:teardown() helpers.unsetenv("KONG_LUA_PATH_OVERRIDE") diff --git a/spec/02-integration/13-vaults/07-resurrect_spec.lua b/spec/02-integration/13-vaults/07-resurrect_spec.lua index d91bbcabd86..38b42e227ba 100644 --- a/spec/02-integration/13-vaults/07-resurrect_spec.lua +++ b/spec/02-integration/13-vaults/07-resurrect_spec.lua 
@@ -188,7 +188,7 @@ describe("vault resurrect_ttl and rotation (#" .. strategy .. ") #" .. vault.nam client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() vault:teardown() helpers.unsetenv("KONG_LUA_PATH_OVERRIDE") diff --git a/spec/03-plugins/01-legacy_queue_parameter_warning_spec.lua b/spec/03-plugins/01-legacy_queue_parameter_warning_spec.lua index 440ea7637d3..8390383533d 100644 --- a/spec/03-plugins/01-legacy_queue_parameter_warning_spec.lua +++ b/spec/03-plugins/01-legacy_queue_parameter_warning_spec.lua @@ -32,7 +32,7 @@ for _, strategy in helpers.each_strategy() do if admin_client then admin_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/19-hmac-auth/04-invalidations_spec.lua b/spec/03-plugins/19-hmac-auth/04-invalidations_spec.lua index e235e38e54c..79194afbac2 100644 --- a/spec/03-plugins/19-hmac-auth/04-invalidations_spec.lua +++ b/spec/03-plugins/19-hmac-auth/04-invalidations_spec.lua @@ -58,7 +58,7 @@ for _, strategy in helpers.each_strategy() do admin_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) local function hmac_sha1_binary(secret, data) diff --git a/spec/03-plugins/20-ldap-auth/02-invalidations_spec.lua b/spec/03-plugins/20-ldap-auth/02-invalidations_spec.lua index 054db47fed0..551db0978c7 100644 --- a/spec/03-plugins/20-ldap-auth/02-invalidations_spec.lua +++ b/spec/03-plugins/20-ldap-auth/02-invalidations_spec.lua @@ -63,7 +63,7 @@ for _, ldap_strategy in pairs(ldap_strategies) do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) local function cache_key(conf, username, password) diff --git a/spec/03-plugins/23-rate-limiting/03-api_spec.lua b/spec/03-plugins/23-rate-limiting/03-api_spec.lua index 1e862bdc3a7..a6a3f83ca05 100644 --- a/spec/03-plugins/23-rate-limiting/03-api_spec.lua +++ b/spec/03-plugins/23-rate-limiting/03-api_spec.lua 
@@ -21,7 +21,7 @@ for _, strategy in helpers.each_strategy() do admin_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) describe("POST", function() diff --git a/spec/03-plugins/24-response-rate-limiting/04-access_spec.lua b/spec/03-plugins/24-response-rate-limiting/04-access_spec.lua index c7def76fe69..ed269177ead 100644 --- a/spec/03-plugins/24-response-rate-limiting/04-access_spec.lua +++ b/spec/03-plugins/24-response-rate-limiting/04-access_spec.lua @@ -375,7 +375,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) describe("Without authentication (IP address)", function() @@ -619,7 +619,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("expires a counter", function() @@ -696,7 +696,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("blocks when the consumer exceeds their quota, no matter what service/route used", function() @@ -739,7 +739,7 @@ for _, strategy in helpers.each_strategy() do end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() @@ -828,7 +828,7 @@ for _, strategy in helpers.each_strategy() do end) after_each(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("does not work if an error occurs", function() @@ -930,7 +930,7 @@ for _, strategy in helpers.each_strategy() do end) after_each(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("does not work if an error occurs", function() diff --git a/spec/03-plugins/29-acme/05-redis_storage_spec.lua b/spec/03-plugins/29-acme/05-redis_storage_spec.lua index 3298dcbaf01..d383c0c66c7 100644 --- a/spec/03-plugins/29-acme/05-redis_storage_spec.lua +++ b/spec/03-plugins/29-acme/05-redis_storage_spec.lua 
@@ -252,7 +252,7 @@ describe("Plugin: acme (storage.redis)", function() end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/31-proxy-cache/02-access_spec.lua b/spec/03-plugins/31-proxy-cache/02-access_spec.lua index aa8b350773d..1dc0c5bb930 100644 --- a/spec/03-plugins/31-proxy-cache/02-access_spec.lua +++ b/spec/03-plugins/31-proxy-cache/02-access_spec.lua @@ -364,7 +364,7 @@ do admin_client:close() end - helpers.stop_kong(nil, true) + helpers.stop_kong() end) it("caches a simple request", function() diff --git a/spec/03-plugins/31-proxy-cache/03-api_spec.lua b/spec/03-plugins/31-proxy-cache/03-api_spec.lua index 81191c8558d..ac5268396fb 100644 --- a/spec/03-plugins/31-proxy-cache/03-api_spec.lua +++ b/spec/03-plugins/31-proxy-cache/03-api_spec.lua @@ -64,7 +64,7 @@ describe("Plugin: proxy-cache", function() end) teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) describe("(schema)", function() diff --git a/spec/03-plugins/31-proxy-cache/04-invalidations_spec.lua b/spec/03-plugins/31-proxy-cache/04-invalidations_spec.lua index e21abd9cd4e..b40d8729a00 100644 --- a/spec/03-plugins/31-proxy-cache/04-invalidations_spec.lua +++ b/spec/03-plugins/31-proxy-cache/04-invalidations_spec.lua @@ -98,8 +98,8 @@ describe("proxy-cache invalidations via: " .. strategy, function() end) teardown(function() - helpers.stop_kong("servroot1", true) - helpers.stop_kong("servroot2", true) + helpers.stop_kong("servroot1") + helpers.stop_kong("servroot2") end) before_each(function() diff --git a/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua b/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua index 409ed8096ab..8919fbe0652 100644 --- a/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua 
@@ -512,7 +512,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua b/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua index a9feb38baec..224f0a6b705 100644 --- a/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua @@ -365,7 +365,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua b/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua index 621fbcd786b..33023874373 100644 --- a/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua @@ -358,7 +358,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua b/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua index d976689f92a..96d9645a401 100644 --- a/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua @@ -372,7 +372,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua b/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua index 16bcea29ecd..49612408f1d 100644 --- a/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua 
+++ b/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua @@ -309,7 +309,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua b/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua index b41aaa6e11a..aa74ef9fd5b 100644 --- a/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua @@ -157,7 +157,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/38-ai-proxy/08-encoding_integration_spec.lua b/spec/03-plugins/38-ai-proxy/08-encoding_integration_spec.lua index b11c16a973f..049920e460b 100644 --- a/spec/03-plugins/38-ai-proxy/08-encoding_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/08-encoding_integration_spec.lua @@ -237,7 +237,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/39-ai-request-transformer/02-integration_spec.lua b/spec/03-plugins/39-ai-request-transformer/02-integration_spec.lua index 7ddedad91fb..662fb4c9e11 100644 --- a/spec/03-plugins/39-ai-request-transformer/02-integration_spec.lua +++ b/spec/03-plugins/39-ai-request-transformer/02-integration_spec.lua @@ -188,7 +188,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() 
diff --git a/spec/03-plugins/40-ai-response-transformer/02-integration_spec.lua b/spec/03-plugins/40-ai-response-transformer/02-integration_spec.lua index 40c55add51d..2fdd5b11e71 100644 --- a/spec/03-plugins/40-ai-response-transformer/02-integration_spec.lua +++ b/spec/03-plugins/40-ai-response-transformer/02-integration_spec.lua @@ -304,7 +304,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/41-ai-prompt-decorator/02-integration_spec.lua b/spec/03-plugins/41-ai-prompt-decorator/02-integration_spec.lua index 6cba00bcdc4..4fdc8b02532 100644 --- a/spec/03-plugins/41-ai-prompt-decorator/02-integration_spec.lua +++ b/spec/03-plugins/41-ai-prompt-decorator/02-integration_spec.lua @@ -54,7 +54,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/42-ai-prompt-guard/02-integration_spec.lua b/spec/03-plugins/42-ai-prompt-guard/02-integration_spec.lua index d5ffdf8b535..05258f659cc 100644 --- a/spec/03-plugins/42-ai-prompt-guard/02-integration_spec.lua +++ b/spec/03-plugins/42-ai-prompt-guard/02-integration_spec.lua @@ -130,7 +130,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/03-plugins/43-ai-prompt-template/02-integration_spec.lua b/spec/03-plugins/43-ai-prompt-template/02-integration_spec.lua index 412add965af..5b7b38cf581 100644 --- a/spec/03-plugins/43-ai-prompt-template/02-integration_spec.lua +++ b/spec/03-plugins/43-ai-prompt-template/02-integration_spec.lua 
@@ -125,7 +125,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then end) lazy_teardown(function() - helpers.stop_kong(nil, true) + helpers.stop_kong() end) before_each(function() diff --git a/spec/05-migration/plugins/acme/migrations/003_350_to_360_spec.lua b/spec/05-migration/plugins/acme/migrations/003_350_to_360_spec.lua index 77dae348495..b0df35c13cf 100644 --- a/spec/05-migration/plugins/acme/migrations/003_350_to_360_spec.lua +++ b/spec/05-migration/plugins/acme/migrations/003_350_to_360_spec.lua @@ -9,7 +9,7 @@ if uh.database_type() == 'postgres' then end) lazy_teardown(function () - assert(uh.stop_kong(nil, true)) + assert(uh.stop_kong()) end) uh.setup(function () diff --git a/spec/05-migration/plugins/http-log/migrations/001_280_to_300_spec.lua b/spec/05-migration/plugins/http-log/migrations/001_280_to_300_spec.lua index 1264a2c8f10..adadc50f5cc 100644 --- a/spec/05-migration/plugins/http-log/migrations/001_280_to_300_spec.lua +++ b/spec/05-migration/plugins/http-log/migrations/001_280_to_300_spec.lua @@ -18,7 +18,7 @@ handler("http-log plugin migration", function() end) lazy_teardown(function () - assert(uh.stop_kong(nil, true)) + assert(uh.stop_kong()) end) local log_server_url = "http://localhost:" .. HTTP_PORT .. "/" diff --git a/spec/05-migration/plugins/opentelemetry/migrations/001_331_to_332_spec.lua b/spec/05-migration/plugins/opentelemetry/migrations/001_331_to_332_spec.lua index b385c2db05f..98ac32422df 100644 --- a/spec/05-migration/plugins/opentelemetry/migrations/001_331_to_332_spec.lua +++ b/spec/05-migration/plugins/opentelemetry/migrations/001_331_to_332_spec.lua @@ -11,7 +11,7 @@ if uh.database_type() == 'postgres' then end) lazy_teardown(function () - assert(uh.stop_kong(nil, true)) + assert(uh.stop_kong()) end) uh.setup(function () 
diff --git a/spec/05-migration/plugins/rate-limiting/migrations/006_350_to_360_spec.lua b/spec/05-migration/plugins/rate-limiting/migrations/006_350_to_360_spec.lua index 29ab4ff1228..de963af442b 100644 --- a/spec/05-migration/plugins/rate-limiting/migrations/006_350_to_360_spec.lua +++ b/spec/05-migration/plugins/rate-limiting/migrations/006_350_to_360_spec.lua @@ -10,7 +10,7 @@ if uh.database_type() == 'postgres' then end) lazy_teardown(function () - assert(uh.stop_kong(nil, true)) + assert(uh.stop_kong()) end) uh.setup(function () diff --git a/spec/05-migration/plugins/response-ratelimiting/migrations/001_350_to_360_spec.lua b/spec/05-migration/plugins/response-ratelimiting/migrations/001_350_to_360_spec.lua index d574bd9cfc7..77a47a9a94b 100644 --- a/spec/05-migration/plugins/response-ratelimiting/migrations/001_350_to_360_spec.lua +++ b/spec/05-migration/plugins/response-ratelimiting/migrations/001_350_to_360_spec.lua @@ -10,7 +10,7 @@ if uh.database_type() == 'postgres' then end) lazy_teardown(function () - assert(uh.stop_kong(nil, true)) + assert(uh.stop_kong()) end) uh.setup(function () From 109e0b88c7d4b9a5e3e9665314d5ad5a6e0cdda2 Mon Sep 17 00:00:00 2001 From: Qi Date: Thu, 7 Mar 2024 13:37:15 +0800 Subject: [PATCH 02/18] chore(CI): fix the workflow that comments the docker image on the commit (#12693) Replace `${{ secrets.GHA_COMMENT_TOKEN }}` with `${{ secrets.GITHUB_TOKEN }}`. The `${{ secrets.GHA_COMMENT_TOKEN }}` needs to be manually rotated, replacing it by `${{ secrets.GITHUB_TOKEN }}`, which is generated by each run of the workflow, so we don't need to rotate token anymore. --- .github/workflows/release.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bc07e202999..b8f92d511e5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -42,6 +42,7 @@ env: # PRs opened from fork and from dependabot don't have access to repo secrets HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} + jobs: metadata: name: Metadata @@ -313,6 +314,10 @@ jobs: needs: [metadata, build-packages] runs-on: ubuntu-22.04 + permissions: + # create comments on commits for docker images needs the `write` permission + contents: write + strategy: fail-fast: false matrix: @@ -402,7 +407,7 @@ jobs: if: github.event_name == 'push' && matrix.label == 'ubuntu' uses: peter-evans/commit-comment@5a6f8285b8f2e8376e41fe1b563db48e6cf78c09 # v3.0.0 with: - token: ${{ secrets.GHA_COMMENT_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} body: | ### Bazel Build Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}` From b57e553754ad8169fc604b7f1cbb16f561c97568 Mon Sep 17 00:00:00 2001 From: Joshua Schmid Date: Fri, 8 Mar 2024 09:33:13 +0100 Subject: [PATCH 03/18] feat(jwt): add support for ES512, PS256, PS384, PS512 * feat(jwt): add support for ES512, PS256, PS384 and PS512 --------- Signed-off-by: Joshua Schmid --- changelog/unreleased/kong/feat-jwt-es512.yml | 4 + kong/plugins/jwt/daos.lua | 14 +- kong/plugins/jwt/jwt_parser.lua | 68 ++++++- spec/03-plugins/16-jwt/01-jwt_parser_spec.lua | 80 ++++++++ spec/03-plugins/16-jwt/03-access_spec.lua | 189 +++++++++++++++++- spec/03-plugins/16-jwt/fixtures.lua | 137 +++++++++++++ 6 files changed, 487 insertions(+), 5 deletions(-) create mode 100644 changelog/unreleased/kong/feat-jwt-es512.yml diff --git a/changelog/unreleased/kong/feat-jwt-es512.yml b/changelog/unreleased/kong/feat-jwt-es512.yml new file mode 100644 index 00000000000..3dd646f3b40 --- /dev/null +++ b/changelog/unreleased/kong/feat-jwt-es512.yml 
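Review bot: The job-level `permissions:` block added after `runs-on: ubuntu-22.04` lists only `contents: write`, and a job-level block sets every scope it does not list to `none`; any other step of this job that relied on the default token scopes (the rest of the job is outside the hunk, so this is an inference) would start failing with 403 once this lands. `contents: write` is also broader than the single commit-comment step needs for the whole job, since it allows pushes, and GitHub does not scope permissions per step, so the least-privilege shape is to move the `peter-evans/commit-comment` step (already gated on `github.event_name == 'push'`) into its own small job carrying `contents: write` while the build steps keep a read-only token. At minimum the comment above the block should say what the block implies: `# job-level permissions replace the defaults: every scope not listed here becomes 'none'`.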
@@ -0,0 +1,4 @@ +message: | + Addded support for ES512, PS256, PS384, PS512 algorithms in JWT plugin +type: feature +scope: Plugin diff --git a/kong/plugins/jwt/daos.lua b/kong/plugins/jwt/daos.lua index d18089bf562..cafc042ac43 100644 --- a/kong/plugins/jwt/daos.lua +++ b/kong/plugins/jwt/daos.lua @@ -37,7 +37,11 @@ return { "RS384", "RS512", "ES256", - "ES384" + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", }, }, }, { tags = typedefs.tags }, @@ -45,7 +49,13 @@ return { entity_checks = { { conditional = { if_field = "algorithm", if_match = { - match_any = { patterns = { "^RS256$", "^RS384$", "^RS512$" }, }, + match_any = { patterns = { "^RS256$", + "^RS384$", + "^RS512$", + "^PS256$", + "^PS384$", + "^PS512$", + }, }, }, then_field = "rsa_public_key", then_match = { diff --git a/kong/plugins/jwt/jwt_parser.lua b/kong/plugins/jwt/jwt_parser.lua index 502d45a9ff6..a4d1d5501e8 100644 --- a/kong/plugins/jwt/jwt_parser.lua +++ b/kong/plugins/jwt/jwt_parser.lua @@ -66,6 +66,39 @@ local alg_sign = { return nil end return sig + end, + ES512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", nil, { ecdsa_use_raw = true })) + if not sig then + return nil + end + return sig + end, + + PS256 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS384 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig + end, + PS512 = function(data, key) + local pkey = openssl_pkey.new(key) + local sig = assert(pkey:sign(data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING)) + if not sig then + return nil + end + return sig end } 
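Review bot: In the new ES512/PS256/PS384/PS512 signers `assert(pkey:sign(...))` already raises when the sign call returns nil, so the `if not sig then return nil end` that follows each of them is unreachable; it mirrors the existing ES384 entry visible at the top of the hunk, but the four new entries repeat the same body differing only in digest and padding. The signers also index `pkey` without checking it — if `openssl_pkey.new(key)` returns `nil, err` on a malformed key (as the `local pkey, _ =` form in the verifiers suggests), the caller sees "attempt to index a nil value" instead of the key error. A small factory defined above the `alg_sign` table removes the duplication and adds the guard; the `alg_sign` table itself starts outside the hunk.
```lua
-- Build an RSASSA-PSS signer for the given digest so the three PS* entries
-- share one body and cannot drift apart.
local function pss_signer(digest)
  return function(data, key)
    local pkey, err = openssl_pkey.new(key)
    assert(pkey, err)
    return assert(pkey:sign(data, digest, openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING))
  end
end

-- … unchanged: HS*/RS*/ES* entries of alg_sign …
  PS256 = pss_signer("sha256"),
  PS384 = pss_signer("sha384"),
  PS512 = pss_signer("sha512"),
```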
@@ -119,7 +152,40 @@ local alg_verify = { local pkey, _ = openssl_pkey.new(key) assert(#signature == 96, "Signature must be 96 bytes.") return pkey:verify(signature, data, "sha384", nil, { ecdsa_use_raw = true }) - end + end, + + ES512 = function(data, signature, key) + -- Signing and validation with the ECDSA P-384 SHA-384 and ECDSA P-521 + -- SHA-512 algorithms is performed identically to the procedure for + -- ECDSA P-256 SHA-256 -- just using the corresponding hash algorithms + -- with correspondingly larger result values. For ECDSA P-384 SHA-384, + -- R and S will be 384 bits each, resulting in a 96-octet sequence. For + -- ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a + -- 132-octet sequence. + local pkey, _ = openssl_pkey.new(key) + assert(#signature == 132, "Signature must be 132 bytes.") + return pkey:verify(signature, data, "sha512", nil, { ecdsa_use_raw = true }) + end, + + PS256 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha256", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS384 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha384", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + PS512 = function(data, signature, key) + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + assert(#signature == 256, "Signature must be 256 bytes") + return pkey:verify(signature, data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) + end, + } diff --git a/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua b/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua index 5ef5af77d51..08c3c2f3fe1 100644 --- a/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua 
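Review bot: The three PS* verifiers assert `#signature == 256`, which only holds for a 2048-bit RSA modulus; a consumer whose `rsa_public_key` is a 3072- or 4096-bit key produces 384- or 512-byte signatures and trips the assertion (an error, not a `false` return) even though the key and signature are valid. OpenSSL's RSA verify already rejects a signature whose length does not match the key's modulus, so the fixed-length check adds nothing but the size restriction — drop the three `assert(#signature == 256, ...)` lines, or derive the expected length from the key if an explicit check is wanted. Whether the existing RS* verifiers above the hunk carry the same assertion is not visible here; if they do, the same applies. For consistency the ES512 entry could also take the `assert(pkey, "Consumer Public Key is Invalid")` guard the PS entries have, since `pkey:verify` on a nil key fails with an index error instead.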
+++ b/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua @@ -94,6 +94,54 @@ describe("Plugin: jwt (parser)", function() local jwt = assert(jwt_parser:new(token)) assert.True(jwt:verify_signature(fixtures.es384_public_key)) end) + + it("should encode using ES512", function() + local token = jwt_parser.encode({ + sub = "5656565656", + name = "Jane Doe", + admin = true + }, fixtures.es512_private_key, 'ES512') + + assert.truthy(token) + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.es512_public_key)) + end) + it("should encode using PS256", function() + local token = jwt_parser.encode({ + sub = "5656565656", + name = "Jane Doe", + admin = true + }, fixtures.ps256_private_key, 'PS256') + + assert.truthy(token) + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ps256_public_key)) + end) + + it("should encode using PS384", function() + local token = jwt_parser.encode({ + sub = "5656565656", + name = "Jane Doe", + admin = true + }, fixtures.ps384_private_key, 'PS384') + + assert.truthy(token) + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ps384_public_key)) + end) + + it("should encode using PS512", function() + local token = jwt_parser.encode({ + sub = "5656565656", + name = "Jane Doe", + admin = true + }, fixtures.ps512_private_key, 'PS512') + + assert.truthy(token) + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ps512_public_key)) + end) + end) describe("Decoding", function() it("throws an error if not given a string", function() 
@@ -181,6 +229,38 @@ describe("Plugin: jwt (parser)", function() assert.False(jwt:verify_signature(fixtures.rs256_public_key)) end end) + it("using ES512", function() + for _ = 1, 500 do + local token = jwt_parser.encode({sub = "foo"}, fixtures.es512_private_key, 'ES512') + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.es512_public_key)) + assert.False(jwt:verify_signature(fixtures.rs256_public_key)) + end + end) + it("using PS256", function() + for _ = 1, 500 do + local token = jwt_parser.encode({sub = "foo"}, fixtures.ps256_private_key, 'PS256') + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ps256_public_key)) + assert.False(jwt:verify_signature(fixtures.es256_public_key)) + end + end) + it("using PS384", function() + for _ = 1, 500 do + local token = jwt_parser.encode({sub = "foo"}, fixtures.ps384_private_key, 'PS384') + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ps384_public_key)) + assert.False(jwt:verify_signature(fixtures.es256_public_key)) + end + end) + it("using PS512", function() + for _ = 1, 500 do + local token = jwt_parser.encode({sub = "foo"}, fixtures.ps512_private_key, 'PS512') + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ps512_public_key)) + assert.False(jwt:verify_signature(fixtures.es256_public_key)) + end + end) end) describe("verify registered claims", function() it("requires claims passed as arguments", function() diff --git a/spec/03-plugins/16-jwt/03-access_spec.lua b/spec/03-plugins/16-jwt/03-access_spec.lua index e4b2682ac53..a4d42013f47 100644 --- a/spec/03-plugins/16-jwt/03-access_spec.lua +++ b/spec/03-plugins/16-jwt/03-access_spec.lua 
@@ -22,6 +22,10 @@ for _, strategy in helpers.each_strategy() do local rsa_jwt_secret_3 local rsa_jwt_secret_4 local rsa_jwt_secret_5 + local rsa_jwt_secret_6 + local rsa_jwt_secret_7 + local rsa_jwt_secret_8 + local rsa_jwt_secret_9 local hs_jwt_secret_1 local hs_jwt_secret_2 local proxy_client @@ -66,6 +70,10 @@ for _, strategy in helpers.each_strategy() do local consumer8 = consumers:insert({ username = "jwt_tests_hs_consumer_8" }) local consumer9 = consumers:insert({ username = "jwt_tests_rsa_consumer_9" }) local consumer10 = consumers:insert({ username = "jwt_tests_rsa_consumer_10"}) + local consumer11 = consumers:insert({ username = "jwt_tests_rsa_consumer_11"}) + local consumer12 = consumers:insert({ username = "jwt_tests_rsa_consumer_12"}) + local consumer13 = consumers:insert({ username = "jwt_tests_rsa_consumer_13"}) + local consumer14 = consumers:insert({ username = "jwt_tests_rsa_consumer_14"}) local anonymous_user = consumers:insert({ username = "no-body" }) local plugins = bp.plugins @@ -168,8 +176,6 @@ for _, strategy in helpers.each_strategy() do ctx_check_field = "authenticated_jwt_token" }, }) - - jwt_secret = bp.jwt_secrets:insert { consumer = { id = consumer1.id } } jwt_secret_2 = bp.jwt_secrets:insert { consumer = { id = consumer6.id } } base64_jwt_secret = bp.jwt_secrets:insert { consumer = { id = consumer2.id } } 
@@ -204,6 +210,30 @@ for _, strategy in helpers.each_strategy() do rsa_public_key = fixtures.es384_public_key } + rsa_jwt_secret_6 = bp.jwt_secrets:insert { + consumer = { id = consumer11.id }, + algorithm = "ES512", + rsa_public_key = fixtures.es512_public_key + } + + rsa_jwt_secret_7 = bp.jwt_secrets:insert { + consumer = { id = consumer12.id }, + algorithm = "PS256", + rsa_public_key = fixtures.ps256_public_key + } + + rsa_jwt_secret_8 = bp.jwt_secrets:insert { + consumer = { id = consumer13.id }, + algorithm = "PS384", + rsa_public_key = fixtures.ps384_public_key + } + + rsa_jwt_secret_9 = bp.jwt_secrets:insert { + consumer = { id = consumer14.id }, + algorithm = "PS512", + rsa_public_key = fixtures.ps512_public_key + } + hs_jwt_secret_1 = bp.jwt_secrets:insert { consumer = { id = consumer7.id }, algorithm = "HS384", 
@@ -750,6 +780,44 @@ for _, strategy in helpers.each_strategy() do end) end) + describe("ES512", function() + it("verifies JWT", function() + PAYLOAD.iss = rsa_jwt_secret_6.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.es512_private_key, "ES512") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_11", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_6.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + it("identifies Consumer", function() + PAYLOAD.iss = rsa_jwt_secret_6.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.es512_private_key, "ES512") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_11", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_6.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + end) describe("ES384", function() it("verifies JWT", function() 
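Review bot: The two `it` blocks in the new `describe("ES512")` are identical — same payload, request and assertions — so "identifies Consumer" merely re-runs "verifies JWT"; the PS256, PS384 and PS512 describes in the next hunk repeat the same pair. Either fold each pair into one test or give the second one a distinct check, for example the negative case the suite otherwise lacks for these algorithms: a token signed with the ES512 private key but presented with another consumer's `iss` should be rejected with a 401, which is what actually shows the credential is bound to the consumer. `PAYLOAD` is mutated in place across tests (`PAYLOAD.iss = ...`), following the existing pattern; the enclosing `describe` starts outside the hunk.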
@@ -788,6 +856,123 @@ for _, strategy in helpers.each_strategy() do end) end) + describe("PS256", function() + it("verifies JWT", function() + PAYLOAD.iss = rsa_jwt_secret_7.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ps256_private_key, "PS256") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_12", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_7.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + it("identifies Consumer", function() + PAYLOAD.iss = rsa_jwt_secret_7.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ps256_private_key, "PS256") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_12", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_7.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + end) + + describe("PS384", function() + it("verifies JWT", function() + PAYLOAD.iss = rsa_jwt_secret_8.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ps384_private_key, "PS384") + local authorization = "Bearer " .. 
jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_13", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_8.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + it("identifies Consumer", function() + PAYLOAD.iss = rsa_jwt_secret_8.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ps384_private_key, "PS384") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_13", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_8.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + end) + + describe("PS512", function() + it("verifies JWT", function() + PAYLOAD.iss = rsa_jwt_secret_9.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ps512_private_key, "PS512") + local authorization = "Bearer " .. 
jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_14", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_9.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + it("identifies Consumer", function() + PAYLOAD.iss = rsa_jwt_secret_9.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ps512_private_key, "PS512") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_14", body.headers["x-consumer-username"]) + assert.equal(rsa_jwt_secret_9.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + end) + describe("HS386", function() it("proxies the request with token and consumer headers if it was verified", function() PAYLOAD.iss = hs_jwt_secret_1.key diff --git a/spec/03-plugins/16-jwt/fixtures.lua b/spec/03-plugins/16-jwt/fixtures.lua index 7da17bfff66..c816c5a5a3b 100644 --- a/spec/03-plugins/16-jwt/fixtures.lua +++ b/spec/03-plugins/16-jwt/fixtures.lua 
@@ -150,6 +150,143 @@ MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAErFpnvWb5O3A/2DkYVCbgfNP0LZtr+R0L RAtNBSs2RN0KT9ppGITPRe2uAGj58ebs -----END PUBLIC KEY----- ]], +es512_private_key = [[ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAWT73PVm/Ry1jd3pM2VFD9neWfLhs1PBYU8UmCrj2mMUXwk8FQy+X +QVdIdwjpYnDgrxEdBbiuSDWxQq3LbNnnJzagBwYFK4EEACOhgYkDgYYABAGzP5K5 +cY2xWPv0KMDNKoxRmX/TJVFH9VHoLBmj9H6/gDLtYQ/plQVuDLX/QPeXug4CgsPX +28p7G0/JOQoKeP423ABYSBOf5RZoV3OE3miHh2fd0nf7T5khZEhkHj6twR2swADe +U2RCz4If+3hk3cKhAr01B2XYRgI3FFx8hV4wParxLQ== +-----END EC PRIVATE KEY----- +]], +es512_public_key = [[ +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBsz+SuXGNsVj79CjAzSqMUZl/0yVR +R/VR6CwZo/R+v4Ay7WEP6ZUFbgy1/0D3l7oOAoLD19vKextPyTkKCnj+NtwAWEgT +n+UWaFdzhN5oh4dn3dJ3+0+ZIWRIZB4+rcEdrMAA3lNkQs+CH/t4ZN3CoQK9NQdl +2EYCNxRcfIVeMD2q8S0= +-----END PUBLIC KEY----- +]], +ps256_private_key = [[ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtbY9gPRzIvw+XRr3dyzXTqhbhk5XoVm+JBL75ZqaMAvk8lcK +vOhkU9g+m13L5f0zS2IUKWn3mRCBwFYjb25myVW3qy028x3M2w605qP6cXhJR/et +NlhBtFWqSPCaZFKSxjBADZvKoGDraRrO1su5jQLtfZVv4Ave6ozeN6o5rGNUhE1b +n5DvD1r4jtKc9FmXkcQxx2qln+K3z3xC6f25MUoU1sRTLsDXzPDYqCTgiIHURW7b +G3gwRaaf7IWfsLTf13IBSJc2/gW3eQka4/FepHBV14DbTVefV4rUt3vin/IxKeRe +zaPA+alyPvUaqcDfbe1DLx2hTZasgKyOBDxHuQIDAQABAoIBABT6ccoPHrJDrRb+ +Z6K7e212MB/WsFT9SX98bhatRT8GBoPoYuHZkgigguTYvLMkCt2ZeIKp/FbwYgxw +nWVuWWFF2z8gyJLjhjyli2LDvGSIeqxbdqS7JnXBfJfwaCCsLEwDcsenbGqc2dy/ +5rCDY1v5Yi3xGFIFSNJrGjYSudcSC6G2doVsX1pJj5QU7hHbkUo+YvWiBTY0k0rx +O+62fT7H/xi7fHoxnr4lVPiieaQUTg13gck2po90+CJDtXCms8tRCmCYwn9Jefyf +mYz2Jm6Wxl7ulpVgvUgHca79ViWdah9/wXUeqLNQ7exc1UIOnGHO5qkzypc/MruB +RVmBDeECgYEA/4RIuAF61SbLtn0Z8DyxNh7J+5nXUOkhKm28OsYLXMJZjyciahUr +uKpFjAhLl8iNYp6MfGKTUW5XTKuzmxlZ1/luD50nrEXV3A0oJaMWBX7sSypLNn0D +2mha/ATewz3Bg1Z6Nh3eWBM6y4EiMKhhUfBlR8OsU5o//ECISw6/5qECgYEAtg44 +rY1MnwkOjMsT6xqLXcnkwfD+nUUKHrg126hZnCxyDzr5l1Td2ztzZUqQr6Cp3OU+ +kgI4jENXALAWg6V/f47Y2CYxZ6gHAkx2113SPvim6g6O+v0N/elwpE1cnaC9ldo4 
+OWFEBbNvKdeitBwh+q/qJaJD8SXUrq3GhKHBghkCgYEA0xD64MSYKqq5bC061+/K +kuIsBuG1suhgtSOgcQxXJnCEenPhQa/rRcehW2MezmqkH+rIMZdcCdAT3QmYe24d +gQJRoCQ5OV0Wo4daunxVHIUTu6NcLc5m+GtrfPKo8K56w3sTyNAzcp2v25r4Gyl7 ++quRfg5ss0KfyEemThoI+wECgYBF3I05ZDib6sDPnHpnRMdoVTpYhh9ewIiSo0Pf +p+nDOXcHiy0OOn3sTBMLMqL1EmU8pCfvpbSHdqvjUq9BE3gqvelOgNGCooMWCbut +B47PpWF//dg2TndZEYStOBarUmyOHbBnrICK44FsABiqnwUXCvyCNpN17XuBEKRW +bzAvuQKBgQCDYL6jXe3wGrAl6NxPEWTRI5gIe5GKnqDCv97HN7iYlZgjl0DtXV82 +9CR6PLl1Ev9I8GszKPo17rk1Hwy84rzo9ndlP0K7JiVLmf2cDmi/cUmUHq8uS6P4 +8NWyW582YletSfoI78YCVB0nvkRSzR+KfcLyUIdRxHSU639sYQMs5Q== +-----END RSA PRIVATE KEY----- +]], +ps256_public_key = [[ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtbY9gPRzIvw+XRr3dyzX +Tqhbhk5XoVm+JBL75ZqaMAvk8lcKvOhkU9g+m13L5f0zS2IUKWn3mRCBwFYjb25m +yVW3qy028x3M2w605qP6cXhJR/etNlhBtFWqSPCaZFKSxjBADZvKoGDraRrO1su5 +jQLtfZVv4Ave6ozeN6o5rGNUhE1bn5DvD1r4jtKc9FmXkcQxx2qln+K3z3xC6f25 +MUoU1sRTLsDXzPDYqCTgiIHURW7bG3gwRaaf7IWfsLTf13IBSJc2/gW3eQka4/Fe +pHBV14DbTVefV4rUt3vin/IxKeRezaPA+alyPvUaqcDfbe1DLx2hTZasgKyOBDxH +uQIDAQAB +-----END PUBLIC KEY----- +]], +ps384_private_key = [[ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA1qz02EfyPx96zSG4W67waC5wFcJUb9tO7PZmxEGHjQj20Mlw +4sbwJYMy/o1PZzz6gktCPkpCqNc2to1jtvjKx9H5IWtHlu8c503vCFAsaV2l5fvm +yc/qCQLIVoGt/c9TG/SyPTdgJxUM4Vs8OlWI3jxPbINsZDqUKyxH4jsWgSTPwKli +YXpwyovqEvSKhJ+qeJ4Y8o8k0T1ieYg9tWlgDGxQceGGCyyD/jfiZHe4H0FQJXpA +EAyvRInaFRyWs1QtAoTZl4/QJtLITQubT5jIv9atfAzQovE9bSgT0ZCPt3Usd9qF +ueNqY5bM++tC5V37i3EO+5NpjeB7u2qLRatmZwIDAQABAoIBABZ0xjH/qKwIt3hQ +0C+rB5PmU6w7BUkkKEfqaIqcDjlnGCZ0A/587+8En+d30bgLbWsGw1mvu/Rceuky +th0UPmYTpVtlFPqJbb0Wbmwwssyc0rdRl+1BdgpWQ62k6BX2Q4vXl3OG4OSFs7C5 +Mf4qJ2ST63z+7G45oHk5qxVTuAFvLqeyiKpaqEESpg8+5GcCTNznMwAsk+vPT7E6 +j62nw9aA8+nMWI3KDgNCvle6abrX8UlEQSXOJFH4XIqrTKiXXN8XqnTh84yNbHY0 +P66DI0QAUZ41Wf+O3A3f+16C3Ikbrvkp9yHXXJeex+sLbaEQWKfC6xESOjSBPyZy +EQQWQh0CgYEA/Z+X5T220E6mxV83C/PAF1VO7UbGwivy8N+uDhs6XezihF5ju/b9 
+sQEwSflOuNFudTbc+y80xX8VEGWIjsUFDytPLf0Jk4Lij0FD5Zq4ywfaGIlahnvd +7jGKW1DMGTy4+HuriNFjOSnABvdLPjejo5qU6Dvst0HtljIe+KT6kVUCgYEA2K/u +zY98Dm4B5Fi9Jx0t7HP8JMR2i9HZofUumgUKacG0dr1aCic0agt4uE9ZacHbvOHl +1AvenIZNujTSSXh+TMgVqomcm4IgPpYpqbD19OaWL1Hrnvqf77PbXRunk6nfIjwK +h+J9JsCJjFl0LATd9boFJBQ9Nn+TiY4asXKxiMsCgYEAiigJokK/9zEg/5sibUxW +c19xIyfO1a8DI9t1ARIr9UY5DkosohOllmpDV8iK7XqIZSmBrwLECGF1o/zrKnqA +iwbYlwCj2ssNh2PSDJz/1PluALexrFiFSF+MMroMtCKz0AfuJRWKq3TmueS0BCxi +45gtTWR3SkyLk6mx3VhhdhECgYEAwoqZ1NYoo+/iJPgCwtYwv+SWERCN+hQq13yA +HWm/Ipn1gtGXwBvYtAielqMu/IM+3ELYC9uoPlFaAX6g+bODeT3+LcEk6H0Yo/g/ +aYlmGTzYw51B9NbAtv18SgilGC7gFSVgswUGJb+g/m/lnAu2l4IuUWkWWBKMDGiX +0I7Pk6cCgYEA+it3gpl3unOUg+SOBOZzy7qRMfcmYFL1vLhdWRIij93indNQQA0B +l37q27Iq+pVn5dSywOAS2TrqbTAauuuSUOZMqAprgvxgF66w4iUXN+QnkivSMx8f +SZndqyNIKXem/OuUXrkmf40ZPGSu+JSEWkBISch1aEnhnIkybU5pebA= +-----END RSA PRIVATE KEY----- +]], +ps384_public_key = [[ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1qz02EfyPx96zSG4W67w +aC5wFcJUb9tO7PZmxEGHjQj20Mlw4sbwJYMy/o1PZzz6gktCPkpCqNc2to1jtvjK +x9H5IWtHlu8c503vCFAsaV2l5fvmyc/qCQLIVoGt/c9TG/SyPTdgJxUM4Vs8OlWI +3jxPbINsZDqUKyxH4jsWgSTPwKliYXpwyovqEvSKhJ+qeJ4Y8o8k0T1ieYg9tWlg +DGxQceGGCyyD/jfiZHe4H0FQJXpAEAyvRInaFRyWs1QtAoTZl4/QJtLITQubT5jI +v9atfAzQovE9bSgT0ZCPt3Usd9qFueNqY5bM++tC5V37i3EO+5NpjeB7u2qLRatm +ZwIDAQAB +-----END PUBLIC KEY----- +]], +ps512_private_key = [[ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA4HtLVmfjX69xUhJFpqR0759O4mRcBwbwI0TVROff+rZP5z0v ++B83i40ImDiP+V8XyMHzZsWNoKxtYiyf2RkjmxrEJ2wfqsX+lzNJI2HZr+j1nY2L +Srpt7DrOhnL8XxR+sa5Hl+RZFsbXJ58u6Njn0cF1Yw2gFn1ytAbu1xUyaYlDBPS8 +U1GiqgYC8IKSYEZEZFn6jNfkgOqjlvGZkGlCKFFlITU6dvS0zwNp5HHWD9mTvAL6 +1uf9RyGcwyMSanYAIjM5GT1pYPa7RHPLKJ/pVv1PBULdZ0AMZzzBFW77zIA3kxth +cBLB3C0N8mvPLjgfimyD4dK9j8v7lZoheCKC5QIDAQABAoIBABtf7bgDwz6P7onL +oKLJu1jdXIlPI8nXlsE2S6uzeyTfxq60T306kVN7R2kIvMX0Sro4rK4DuVm2rUAj +oPqgji8D/JeyH8p7iqh1oJ2n+RvylME52ZqrUWxVX4oVy6DspuaUEjb7qcGVTfeO 
++fF7QgnaRa5movcbJTm+/rFL7HHiCLZRFePcn5DJH3tzLqpgJaY9UxQgqaumCHEj +nNOKL/O1waZ3ekZsU0SqQX0f1a/6XszHnvf96SQPwux4n5u3XoTsO/1CYxrOkNM2 ++SRZFM21CEFwE3GFqyaY/S4bKjPHaOkL8mB1kxoSX12zRAdspkx6GpJO2jIWRoF8 +fMgQJqECgYEA/H/n8/3DeqJRw8amWG1bvsdURQGhY8BoG0AUuxSjIWPReE6gYZ+2 +PVuDw03XMfKEx1Go8yX2gM781zkANedFRaw3hPR+mbhfHbv8c3+FPUKug0+7+onx +7wJFzAVNHdWKt/WEs2O9ljpNYRP2AT4KCUsnsBE+nIsWYJ0Np3xk0E8CgYEA45f0 +j0luRVOIrLHY08fnMJaFSFUF4oD3xFRtNN521T1FEhnI1+INNhL4Jnri0LWLrS3t +AEWsASWZqDDYaph+C9AY4z8xFvzY2Cih/2brOlchwohqSQ89TvixInMJQa6koKhz +uChEJLmHu7rBmdT+wJ8YhopRnUXIjKDQLwLCGIsCgYBJHD/tRezz9Uv3g+1mbUPD +WbPsxywT1gJO4Z8fDDqv0Fc2no2RtszttzHPuxo0PCR2Eg75WGSnp0dOihKliPFl +2xe4R5Lgr6Ha2jOeva22rzgYjV3AjXCf4+iRyncpzEr+OPjTeG3MsdT15vG0KmJ9 +jmVPda7LZPp1vwPVGw+VwQKBgGKKDSnouiSr+TYEPoPbPl7MHOLnZQffnObVQv8r +/rlusLQYk9vclKm/5s8KT5/bqqENjFqcz88jT3cBxwHICnLk45Gob4GrcduNJC6n +idsVlJlcZOBDB+FkTZVDx1M34TFqHcgzLuXTqk/+mQoYrUAK4hyGULXOW/l/OwPP +pufnAoGBAJtoxuSLyztQZqsrbGwPRYaot/+irOPD9VjUJlevshliABPUIVBO/8HW +vw5Vm6okpSSKB18TliwGNAmYPmHYqOoPHRuwfciDMh5ThyV2KRgiVgHb8Nk53uWY +bE70hIJfbI58PV7xNof6ilZaCqyiDV2TCfKtf6g+gQIgGL/kZcjP +-----END RSA PRIVATE KEY----- +]], +ps512_public_key = [[ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4HtLVmfjX69xUhJFpqR0 +759O4mRcBwbwI0TVROff+rZP5z0v+B83i40ImDiP+V8XyMHzZsWNoKxtYiyf2Rkj +mxrEJ2wfqsX+lzNJI2HZr+j1nY2LSrpt7DrOhnL8XxR+sa5Hl+RZFsbXJ58u6Njn +0cF1Yw2gFn1ytAbu1xUyaYlDBPS8U1GiqgYC8IKSYEZEZFn6jNfkgOqjlvGZkGlC +KFFlITU6dvS0zwNp5HHWD9mTvAL61uf9RyGcwyMSanYAIjM5GT1pYPa7RHPLKJ/p +Vv1PBULdZ0AMZzzBFW77zIA3kxthcBLB3C0N8mvPLjgfimyD4dK9j8v7lZoheCKC +5QIDAQAB +-----END PUBLIC KEY----- +]], hs384_secret = u([[ zxhk1H1Y11ax99xO20EGf00FDAOuPb9kEOmOQZMpR1BElx7sWjBIX2okAJiqjulH OZpsjcgbzfCq69apm6f2K28PTvIvS8ni_CG46_huUTBqosCmdEr-kZDvKBLsppfG From 2bf7e5a628516e0335018608b687190b65d16ab5 Mon Sep 17 00:00:00 2001 
From: Joshua Schmid Date: Fri, 8 Mar 2024 09:40:10 +0100 Subject: [PATCH 04/18] chore: bump cherry-pick action to v1.2.0 (#12701) --- .github/workflows/cherry-picks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cherry-picks.yml b/.github/workflows/cherry-picks.yml index 5d59cc8e34b..39e4dbba875 100644 --- a/.github/workflows/cherry-picks.yml +++ b/.github/workflows/cherry-picks.yml @@ -26,7 +26,7 @@ jobs: with: token: ${{ secrets.CHERRY_PICK_TOKEN }} - name: Create backport pull requests - uses: jschmid1/cross-repo-cherrypick-action@2d2a475d31b060ac21521b5eda0a78876bbae94e #v1.1.0 + uses: jschmid1/cross-repo-cherrypick-action@9d2ead0043acba474373992c8175f2b8ffcdb31c #v1.2.0 id: cherry_pick with: token: ${{ secrets.CHERRY_PICK_TOKEN }} From 3c9d09cdb4abbabef05ed00c8b73aff57bd2aa4c Mon Sep 17 00:00:00 2001 From: Guilherme Salazar Date: Tue, 12 Mar 2024 09:50:37 -0300 Subject: [PATCH 05/18] docs(readme): remove mentions to contributor t-shirt We now offer digital badges to contributors! Co-Authored-by: Kaitlyn Barnard --- CONTRIBUTING.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 27e9623d64a..c21f80968db 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -37,7 +37,7 @@ Consult the Table of Contents below, and jump to the desired section. * [Writing changelog](#writing-changelog) * [Writing performant code](#writing-performant-code) * [Adding Changelog](#adding-changelog) - * [Contributor T-shirt](#contributor-t-shirt) + * [Contributor Badge](#contributor-badge) * [Code style](#code-style) * [Table of Contents - Code style](#table-of-contents---code-style) * [Modules](#modules) 
@@ -205,7 +205,7 @@ to it if necessary. If your Pull Request was accepted and fixes a bug, adds functionality, or makes it significantly easier to use or understand Kong, congratulations! You are now an official contributor to Kong. Get in touch with us to receive -your very own [Contributor T-shirt](#contributor-t-shirt)! +your very own [Contributor Badge](#contributor-badge)! Your change will be included in the subsequent release Changelog, and we will not forget to include your name if you are an external contributor. :wink: @@ -542,7 +542,7 @@ language you are using. :smile: #### Adding Changelog -Every patch, except those +Every patch, except those documentation-only changes, requires a changelog entry to be present inside your Pull Request. Please follow [the changelog instructions](https://github.com/Kong/gateway-changelog) @@ -550,18 +550,19 @@ to create the appropriate changelog file your Pull Request. [Back to TOC](#table-of-contents) -### Contributor T-shirt +### Contributor Badge If your Pull Request to [Kong/kong](https://github.com/Kong/kong) was accepted, and it fixes a bug, adds functionality, or makes it significantly easier to use or understand Kong, congratulations! You are eligible to -receive the very special Contributor T-shirt! Go ahead and fill out the +receive the very special digital Contributor Badge! Go ahead and fill out the [Contributors Submissions form](https://goo.gl/forms/5w6mxLaE4tz2YM0L2). -Proudly wear your T-shirt and show it to us by tagging +Proudly display your Badge and show it to us by tagging [@thekonginc](https://twitter.com/thekonginc) on Twitter! -![Kong Contributor T-shirt](https://konghq.com/wp-content/uploads/2018/04/100-contributor-t-shirt-1024x768.jpg) +*Badges expire after 1 year, at which point you may submit a new contribution +to renew the badge.* [Back to TOC](#table-of-contents) From 9c2c7b3053f1e21b5dbcd36c0d77946ab42218e4 Mon Sep 17 00:00:00 2001 
From: chronolaw Date: Mon, 4 Mar 2024 12:08:23 +0800 Subject: [PATCH 06/18] refactor(router/atc): ensure to validate possible routes fields fix is_empty_field add protocols for stream tests tests for tls_passthrough fix-snis-tls-passthrough-in-trad-compat.yml style lint --- ...ix-snis-tls-passthrough-in-trad-compat.yml | 5 ++ kong/db/schema/entities/routes.lua | 21 +++++- kong/router/transform.lua | 4 +- spec/01-unit/08-router_spec.lua | 66 +++++++++++++++++++ 4 files changed, 92 insertions(+), 4 deletions(-) create mode 100644 changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml diff --git a/changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml b/changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml new file mode 100644 index 00000000000..bd3f49e4f26 --- /dev/null +++ b/changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml @@ -0,0 +1,5 @@ +message: | + fix an issue where SNI-based routing does not work + using tls_passthrough and the traditional_compatible router flavor +type: bugfix +scope: Core diff --git a/kong/db/schema/entities/routes.lua b/kong/db/schema/entities/routes.lua index 148a2b8aab2..d166c70d29f 100644 --- a/kong/db/schema/entities/routes.lua +++ b/kong/db/schema/entities/routes.lua 
@@ -130,10 +130,29 @@ else } if kong_router_flavor == "traditional_compatible" then + local is_empty_field = require("kong.router.transform").is_empty_field + table.insert(entity_checks, { custom_entity_check = { + field_sources = { "id", "protocols", + "snis", "sources", "destinations", + "methods", "hosts", "paths", "headers", + }, run_with_missing_fields = true, - fn = validate_route, + fn = function(entity) + if is_empty_field(entity.snis) and + is_empty_field(entity.sources) and + is_empty_field(entity.destinations) and + is_empty_field(entity.methods) and + is_empty_field(entity.hosts) and + is_empty_field(entity.paths) and + is_empty_field(entity.headers) + then + return true + end + + return validate_route(entity) + end, }} ) end diff --git a/kong/router/transform.lua b/kong/router/transform.lua index 141525e1ec5..2933bc1c32a 100644 --- a/kong/router/transform.lua +++ b/kong/router/transform.lua @@ -524,9 +524,7 @@ local function get_priority(route) -- stream expression - if not is_empty_field(srcs) or - not is_empty_field(dsts) - then + if is_stream_route(route) then return stream_get_priority(snis, srcs, dsts) end diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index 3078c907f82..9e7a9e2cba1 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua @@ -4307,6 +4307,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tcp", }, sources = { { ip = "127.0.0.1" }, { ip = "127.0.0.2" }, @@ -4317,6 +4318,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", + protocols = { "tcp", }, sources = { { port = 65001 }, { port = 65002 }, 
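Review bot: The seven-way `is_empty_field(...) and ...` chain in the new `fn` spells out the same field list that `field_sources` gives two lines above it, so the two can drift apart when a matching field is added; a hoisted list and a loop keeps them in one place and reads as the rule it expresses. Note also that the early `return true` accepts a route that has no matching criteria at all without calling `validate_route`; if `validate_route` previously rejected such routes that is a behaviour change beyond the SNI fix — the surrounding `else` branch and `validate_route` are outside the hunk, so this is inferred. The transform.lua hunk's `is_stream_route` helper is likewise defined outside the visible lines.
```lua
  local is_empty_field = require("kong.router.transform").is_empty_field

  -- Matching fields a traditional_compatible route may set; when every one of
  -- them is empty there is nothing for validate_route to check.
  local MATCH_FIELDS = { "snis", "sources", "destinations",
                         "methods", "hosts", "paths", "headers", }

  table.insert(entity_checks, { custom_entity_check = {
    -- … unchanged: field_sources, run_with_missing_fields …
    fn = function(entity)
      for _, name in ipairs(MATCH_FIELDS) do
        if not is_empty_field(entity[name]) then
          return validate_route(entity)
        end
      end
      return true
    end,
  }}
  )
```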
@@ -4328,6 +4330,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8103", + protocols = { "tcp", }, sources = { { ip = "127.168.0.0/8" }, } @@ -4338,6 +4341,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8104", + protocols = { "tcp", }, sources = { { ip = "127.0.0.1", port = 65001 }, } @@ -4347,6 +4351,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8105", + protocols = { "tcp", }, sources = { { ip = "127.0.0.2", port = 65300 }, { ip = "127.168.0.0/16", port = 65301 }, @@ -4416,6 +4421,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tcp", }, destinations = { { ip = "127.0.0.1" }, { ip = "127.0.0.2" }, @@ -4426,6 +4432,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", + protocols = { "tcp", }, destinations = { { port = 65001 }, { port = 65002 }, @@ -4437,6 +4444,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8103", + protocols = { "tcp", }, destinations = { { ip = "127.168.0.0/8" }, } @@ -4447,6 +4455,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8104", + protocols = { "tcp", }, destinations = { { ip = "127.0.0.1", port = 65001 }, } 
@@ -4456,6 +4465,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8105", + protocols = { "tcp", }, destinations = { { ip = "127.0.0.2", port = 65300 }, { ip = "127.168.0.0/16", port = 65301 }, @@ -4613,6 +4623,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tls", }, snis = { "www.example.org" }, } }, @@ -4620,6 +4631,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", + protocols = { "tls", }, sources = { { ip = "127.0.0.1" }, } @@ -4629,6 +4641,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8103", + protocols = { "tls", }, destinations = { { ip = "172.168.0.1" }, } @@ -4655,6 +4668,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tls", }, snis = { "www.example.org" }, } }, @@ -4662,6 +4676,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", + protocols = { "tls", }, sources = { { ip = "127.0.0.1" }, }, 
@@ -5033,6 +5048,57 @@ do assert.same("/bar", match_t.upstream_uri) end) end) + + describe("Router (flavor = " .. flavor .. ")", function() + reload_router(flavor, "stream") + + it("[#stream SNI-based routing does work using tls_passthrough]", function() + local use_case = { + { + service = service, + route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tls_passthrough", }, + snis = { "www.example.com" }, + preserve_host = true, + }, + }, + { + service = service, + route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", + protocols = { "tls_passthrough", }, + snis = { "www.example.org" }, + preserve_host = true, + }, + }, + } + + local router = assert(new_router(use_case)) + + local _ngx = { + var = { + ssl_preread_server_name = "www.example.com", + }, + } + router._set_ngx(_ngx) + local match_t = router:exec() + + assert.truthy(match_t) + assert.same(use_case[1].route, match_t.route) + + local _ngx = { + var = { + ssl_preread_server_name = "www.example.org", + }, + } + router._set_ngx(_ngx) + local match_t = router:exec() + + assert.truthy(match_t) + assert.same(use_case[2].route, match_t.route) + end) + end) end -- local flavor = "traditional_compatible" do From 5319aa76ed62dbbefe177ca75df4ce56f2236759 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Thu, 7 Mar 2024 09:24:14 +0800 Subject: [PATCH 07/18] docs(changelog): add change log entry for #12650 --- .../unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml b/changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml index bd3f49e4f26..ab00e318f63 100644 --- a/changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml +++ b/changelog/unreleased/kong/fix-snis-tls-passthrough-in-trad-compat.yml 
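Review bot: `local _ngx` and `local match_t` are each declared twice in the same `it` scope in the new tls_passthrough test, which luacheck reports as a redefinition and which reads as if two different values were intended; the second pair should be plain assignments, `_ngx = { var = { ssl_preread_server_name = "www.example.org", }, }` and `match_t = router:exec()`. Alternatively loop over `use_case` with the expected SNI per entry so both checks share one body. The `describe` block calls `reload_router(flavor, "stream")` and nothing visible restores the previous router mode afterwards, so later tests in the same file may inherit it — worth confirming against the surrounding setup.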
@@ -1,5 +1,5 @@ message: | - fix an issue where SNI-based routing does not work + Fixed an issue where SNI-based routing does not work using tls_passthrough and the traditional_compatible router flavor type: bugfix scope: Core From 1eea537ee632875fb8e744351923947d0de7e047 Mon Sep 17 00:00:00 2001 From: samugi Date: Mon, 4 Mar 2024 15:32:24 +0100 Subject: [PATCH 08/18] feat(schema): add deprecation field attribute Add a deprecation record field attribute to identify fields that are deprecated. The attribute requires the `message` and `removed_version` fields to be configured, which are used to generate a warning when the deprecated field is configured (uses `kong.deprecation`). Updated schemas of the following plugins: * OpenTelemetry * DataDog * StatsD * HTTP Log --- .../kong/plugin-schema-deprecation-record.yml | 3 ++ kong/db/schema/init.lua | 12 +++++ kong/db/schema/metaschema.lua | 14 +++++ kong/plugins/datadog/schema.lua | 51 ++++++++----------- kong/plugins/http-log/schema.lua | 46 ++++++++--------- kong/plugins/opentelemetry/schema.lua | 33 +++++------- kong/plugins/statsd/schema.lua | 42 +++++++-------- .../04-admin_api/02-kong_routes_spec.lua | 26 +++++++++- .../kong/plugins/dummy/schema.lua | 8 ++- 9 files changed, 134 insertions(+), 101 deletions(-) create mode 100644 changelog/unreleased/kong/plugin-schema-deprecation-record.yml diff --git a/changelog/unreleased/kong/plugin-schema-deprecation-record.yml b/changelog/unreleased/kong/plugin-schema-deprecation-record.yml new file mode 100644 index 00000000000..25689e6e2fe --- /dev/null +++ b/changelog/unreleased/kong/plugin-schema-deprecation-record.yml @@ -0,0 +1,3 @@ +message: "**Schema**: Added a deprecation field attribute to identify deprecated fields" +type: feature +scope: Configuration diff --git a/kong/db/schema/init.lua b/kong/db/schema/init.lua index 89862852ab0..535ab24d44b 100644 --- a/kong/db/schema/init.lua +++ b/kong/db/schema/init.lua 
@@ -7,6 +7,8 @@ local nkeys = require "table.nkeys" local is_reference = require "kong.pdk.vault".is_reference local json = require "kong.db.schema.json" local cjson_safe = require "cjson.safe" +local deprecation = require "kong.deprecation" +local deepcompare = require "pl.tablex".deepcompare local setmetatable = setmetatable @@ -882,6 +884,16 @@ function Schema:validate_field(field, value) return nil, validation_errors.SUBSCHEMA_ABSTRACT_FIELD end + if field.deprecation then + local old_default = field.deprecation.old_default + local should_warn = old_default == nil + or not deepcompare(value, old_default) + if should_warn then + deprecation(field.deprecation.message, + { after = field.deprecation.removal_in_version, }) + end + end + if field.type == "array" then if not is_sequence(value) then return nil, validation_errors.ARRAY diff --git a/kong/db/schema/metaschema.lua b/kong/db/schema/metaschema.lua index 5c35424c402..deef4f5852a 100644 --- a/kong/db/schema/metaschema.lua +++ b/kong/db/schema/metaschema.lua @@ -192,6 +192,20 @@ local field_schema = { { encrypted = { type = "boolean" }, }, { referenceable = { type = "boolean" }, }, { json_schema = json_metaschema }, + -- Deprecation attribute: used to mark a field as deprecated + -- Results in `message` and `removal_in_version` to be printed in a warning + -- (via kong.deprecation) when the field is used. + -- If `old_default` is not set, the warning message is always printed. + -- If `old_default` is set, the warning message is only printed when the + -- field's value is different from the value of `old_default`. + { deprecation = { + type = "record", + fields = { + { message = { type = "string", required = true } }, + { removal_in_version = { type = "string", required = true } }, + { old_default = { type = "any", required = false } }, + }, + } }, } diff --git a/kong/plugins/datadog/schema.lua b/kong/plugins/datadog/schema.lua index ed80c2929b6..e660f63e22c 100644 --- a/kong/plugins/datadog/schema.lua 
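Review bot: The new block in `Schema:validate_field` warns whenever `old_default` is absent or `value` differs from it, but nothing in the hunk guards against `value` being `nil` or `ngx.null`; the entity checks removed from the plugin schemas in this same commit did exactly that (`(entity.retry_count or ngx.null) ~= ngx.null`). If `validate_field` can be reached for an unset field — the head of the function is outside the hunk, so that is not visible here — every validation of an entity that simply does not set the deprecated field would now emit a deprecation warning. Guarding with `if field.deprecation and value ~= nil and value ~= ngx.null then` keeps the earlier semantics. `Schema:validate_field` starts before the hunk and continues after it.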
+++ b/kong/plugins/datadog/schema.lua @@ -1,5 +1,4 @@ local typedefs = require "kong.db.schema.typedefs" -local deprecation = require("kong.deprecation") local STAT_NAMES = { "kong_latency", @@ -89,17 +88,30 @@ return { consumer_tag = { description = "String to be attached as tag of the consumer.", type = "string", default = "consumer" }, }, { - retry_count = { description = "Number of times to retry when sending data to the upstream server.", - type = "integer" }, }, + retry_count = { + description = "Number of times to retry when sending data to the upstream server.", + type = "integer", + deprecation = { + message = "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", + removal_in_version = "4.0", + old_default = 10 }, }, }, { queue_size = { - description = "Maximum number of log entries to be sent on each message to the upstream server.", - type = "integer" }, }, + description = "Maximum number of log entries to be sent on each message to the upstream server.", + type = "integer", + deprecation = { + message = "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + removal_in_version = "4.0", + old_default = 1 }, }, }, { flush_timeout = { - description = - "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - type = "number" }, }, + description = + "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + type = "number", + deprecation = { + message = "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + removal_in_version = "4.0", + old_default = 2 }, }, }, { queue = typedefs.queue }, { metrics = { 
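Review bot: The three deprecated queue fields (`retry_count`, `queue_size`, `flush_timeout`) are now spelled out field by field in datadog, and the http-log and statsd hunks in this commit carry the same three definitions with only the plugin prefix in the message differing, so the `removal_in_version` and `old_default` values live in three places. A shared helper in `typedefs` (assuming it is the right home; its contents are not visible here) that takes the plugin name and returns the three field entries would keep them consistent. A short comment on `old_default`, e.g. `-- old_default: no warning when the legacy value equals the former default`, would also explain why 10/1/2 appear here without being defaults any more.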
@@ -135,29 +147,6 @@ return { }, }, }, - - entity_checks = { - { - custom_entity_check = { - field_sources = { "retry_count", "queue_size", "flush_timeout" }, - fn = function(entity) - if (entity.retry_count or ngx.null) ~= ngx.null and entity.retry_count ~= 10 then - deprecation("datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", - { after = "4.0", }) - end - if (entity.queue_size or ngx.null) ~= ngx.null and entity.queue_size ~= 1 then - deprecation("datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - { after = "4.0", }) - end - if (entity.flush_timeout or ngx.null) ~= ngx.null and entity.flush_timeout ~= 2 then - deprecation("datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - { after = "4.0", }) - end - return true - end - } - }, - }, }, }, }, diff --git a/kong/plugins/http-log/schema.lua b/kong/plugins/http-log/schema.lua index ef2dfdcdebc..430761a5ed4 100644 --- a/kong/plugins/http-log/schema.lua +++ b/kong/plugins/http-log/schema.lua @@ -1,6 +1,5 @@ local typedefs = require "kong.db.schema.typedefs" local url = require "socket.url" -local deprecation = require("kong.deprecation") return { 
@@ -15,9 +14,27 @@ return { { content_type = { description = "Indicates the type of data sent. The only available option is `application/json`.", type = "string", default = "application/json", one_of = { "application/json", "application/json; charset=utf-8" }, }, }, { timeout = { description = "An optional timeout in milliseconds when sending data to the upstream server.", type = "number", default = 10000 }, }, { keepalive = { description = "An optional value in milliseconds that defines how long an idle connection will live before being closed.", type = "number", default = 60000 }, }, - { retry_count = { description = "Number of times to retry when sending data to the upstream server.", type = "integer" }, }, - { queue_size = { description = "Maximum number of log entries to be sent on each message to the upstream server.", type = "integer" }, }, - { flush_timeout = { description = "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", type = "number" }, }, + { retry_count = { + description = "Number of times to retry when sending data to the upstream server.", + type = "integer", + deprecation = { + message = "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", + removal_in_version = "4.0", + old_default = 10 }, }, }, + { queue_size = { + description = "Maximum number of log entries to be sent on each message to the upstream server.", + type = "integer", + deprecation = { + message = "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + removal_in_version = "4.0", + old_default = 1 }, }, }, + { flush_timeout = { + description = "Optional time in seconds. 
If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + type = "number", + deprecation = { + message = "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + removal_in_version = "4.0", + old_default = 2 }, }, }, { headers = { description = "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", type = "map", keys = typedefs.header_name { match_none = { @@ -43,27 +60,6 @@ return { { queue = typedefs.queue }, { custom_fields_by_lua = typedefs.lua_code }, }, - - entity_checks = { - { custom_entity_check = { - field_sources = { "retry_count", "queue_size", "flush_timeout" }, - fn = function(entity) - if (entity.retry_count or ngx.null) ~= ngx.null and entity.retry_count ~= 10 then - deprecation("http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", - { after = "4.0", }) - end - if (entity.queue_size or ngx.null) ~= ngx.null and entity.queue_size ~= 1 then - deprecation("http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - { after = "4.0", }) - end - if (entity.flush_timeout or ngx.null) ~= ngx.null and entity.flush_timeout ~= 2 then - deprecation("http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - { after = "4.0", }) - end - return true - end - } }, - }, custom_validator = function(config) -- check no double userinfo + authorization header local parsed_url = url.parse(config.http_endpoint) diff --git a/kong/plugins/opentelemetry/schema.lua b/kong/plugins/opentelemetry/schema.lua index 85d8f4c1834..59181655c1a 100644 --- a/kong/plugins/opentelemetry/schema.lua +++ b/kong/plugins/opentelemetry/schema.lua 
@@ -1,6 +1,5 @@ local typedefs = require "kong.db.schema.typedefs" local Schema = require "kong.db.schema" -local deprecation = require("kong.deprecation") local function custom_validator(attributes) for _, v in pairs(attributes) do @@ -50,8 +49,20 @@ return { max_batch_size = 200, }, } }, - { batch_span_count = { description = "The number of spans to be sent in a single batch.", type = "integer" } }, - { batch_flush_delay = { description = "The delay, in seconds, between two consecutive batches.", type = "integer" } }, + { batch_span_count = { + description = "The number of spans to be sent in a single batch.", + type = "integer", + deprecation = { + message = "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", + removal_in_version = "4.0", + old_default = 200 }, }, }, + { batch_flush_delay = { + description = "The delay, in seconds, between two consecutive batches.", + type = "integer", + deprecation = { + message = "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", + removal_in_version = "4.0", + old_default = 3, }, }, }, { connect_timeout = typedefs.timeout { default = 1000 } }, { send_timeout = typedefs.timeout { default = 5000 } }, { read_timeout = typedefs.timeout { default = 5000 } }, 
@@ -71,22 +82,6 @@ return { default = nil, } }, }, - entity_checks = { - { custom_entity_check = { - field_sources = { "batch_span_count", "batch_flush_delay" }, - fn = function(entity) - if (entity.batch_span_count or ngx.null) ~= ngx.null and entity.batch_span_count ~= 200 then - deprecation("opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", - { after = "4.0", }) - end - if (entity.batch_flush_delay or ngx.null) ~= ngx.null and entity.batch_flush_delay ~= 3 then - deprecation("opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", - { after = "4.0", }) - end - return true - end - } }, - }, }, }, }, } diff --git a/kong/plugins/statsd/schema.lua b/kong/plugins/statsd/schema.lua index 3eb70d587cb..c55151b0b59 100644 --- a/kong/plugins/statsd/schema.lua +++ b/kong/plugins/statsd/schema.lua @@ -1,6 +1,5 @@ local typedefs = require "kong.db.schema.typedefs" local constants = require "kong.plugins.statsd.constants" -local deprecation = require("kong.deprecation") local METRIC_NAMES = { 
@@ -196,32 +195,27 @@ return { { consumer_identifier_default = { type = "string", required = true, default = "custom_id", one_of = CONSUMER_IDENTIFIERS }, }, { service_identifier_default = { type = "string", required = true, default = "service_name_or_host", one_of = SERVICE_IDENTIFIERS }, }, { workspace_identifier_default = { type = "string", required = true, default = "workspace_id", one_of = WORKSPACE_IDENTIFIERS }, }, - { retry_count = { type = "integer" }, }, - { queue_size = { type = "integer" }, }, - { flush_timeout = { type = "number" }, }, + { retry_count = { + type = "integer", + deprecation = { + message = "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", + removal_in_version = "4.0", + old_default = 10 }, }, }, + { queue_size = { + type = "integer", + deprecation = { + message = "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + removal_in_version = "4.0", + old_default = 1 }, }, }, + { flush_timeout = { + type = "number", + deprecation = { + message = "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + removal_in_version = "4.0", + old_default = 2 }, }, }, { tag_style = { type = "string", required = false, one_of = TAG_TYPE }, }, { queue = typedefs.queue }, }, - entity_checks = { - { custom_entity_check = { - field_sources = { "retry_count", "queue_size", "flush_timeout" }, - fn = function(entity) - if (entity.retry_count or ngx.null) ~= ngx.null and entity.retry_count ~= 10 then - deprecation("statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", - { after = "4.0", }) - end - if (entity.queue_size or ngx.null) ~= ngx.null and entity.queue_size ~= 1 then - deprecation("statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - { after = "4.0", }) - end - if (entity.flush_timeout or ngx.null) ~= ngx.null and entity.flush_timeout ~= 2 then - 
deprecation("statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - { after = "4.0", }) - end - return true - end - } }, - }, }, }, }, diff --git a/spec/02-integration/04-admin_api/02-kong_routes_spec.lua b/spec/02-integration/04-admin_api/02-kong_routes_spec.lua index 7c28d682fac..4c3c502a119 100644 --- a/spec/02-integration/04-admin_api/02-kong_routes_spec.lua +++ b/spec/02-integration/04-admin_api/02-kong_routes_spec.lua @@ -18,7 +18,7 @@ describe("Admin API - Kong routes with strategy #" .. strategy, function() helpers.get_db_utils(nil, {}) -- runs migrations assert(helpers.start_kong { database = strategy, - plugins = "bundled,reports-api", + plugins = "bundled,reports-api,dummy", pg_password = "hide_me" }) client = helpers.admin_client(10000) @@ -518,6 +518,30 @@ describe("Admin API - Kong routes with strategy #" .. strategy, function() local json = cjson.decode(body) assert.same({ message = "No plugin named 'not-present'" }, json) end) + it("returns information about a deprecated field", function() + local res = assert(client:send { + method = "GET", + path = "/schemas/plugins/dummy", + }) + local body = assert.res_status(200, res) + local json = cjson.decode(body) + assert.is_table(json.fields) + + local found = false + for _, f in ipairs(json.fields) do + local config_fields = f.config and f.config.fields + for _, cf in ipairs(config_fields or {}) do + local deprecation = cf.old_field and cf.old_field.deprecation + if deprecation then + assert.is_string(deprecation.message) + assert.is_number(deprecation.old_default) + assert.is_string(deprecation.removal_in_version) + found = true + end + end + end + assert(found) + end) end) describe("/schemas/:db_entity_name/validate", function() diff --git a/spec/fixtures/custom_plugins/kong/plugins/dummy/schema.lua b/spec/fixtures/custom_plugins/kong/plugins/dummy/schema.lua index c4b203142b4..9f689e48544 100644 
--- a/spec/fixtures/custom_plugins/kong/plugins/dummy/schema.lua +++ b/spec/fixtures/custom_plugins/kong/plugins/dummy/schema.lua @@ -18,7 +18,13 @@ return { }}, { append_body = { type = "string" } }, { resp_code = { type = "number" } }, - { test_try = { type = "boolean", default = false}} + { test_try = { type = "boolean", default = false}}, + { old_field = { + type = "number", + deprecation = { + message = "dummy: old_field is deprecated", + removal_in_version = "x.y.z", + old_default = 42 }, }, } }, }, }, From 649060add58a4c4b28a1c351d5d98432abb8cc4c Mon Sep 17 00:00:00 2001 From: samugi Date: Tue, 5 Mar 2024 15:05:47 +0100 Subject: [PATCH 09/18] chore(schema): convert shorthand fields deprecations convert shorthand fields usages of the deprecation module to the new attribute-based deprecation. --- kong/plugins/acme/schema.lua | 21 +++++---- kong/plugins/rate-limiting/schema.lua | 46 +++++++++++-------- kong/plugins/response-ratelimiting/schema.lua | 46 +++++++++++-------- 3 files changed, 66 insertions(+), 47 deletions(-) diff --git a/kong/plugins/acme/schema.lua b/kong/plugins/acme/schema.lua index 1c4d03be53d..5ccc3ffdf4a 100644 --- a/kong/plugins/acme/schema.lua +++ b/kong/plugins/acme/schema.lua @@ -1,7 +1,6 @@ local typedefs = require "kong.db.schema.typedefs" local reserved_words = require "kong.plugins.acme.reserved_words" local redis_schema = require "kong.tools.redis.schema" -local deprecation = require("kong.deprecation") local tablex = require "pl.tablex" 
@@ -43,18 +42,20 @@ local LEGACY_SCHEMA_TRANSLATIONS = { type = "string", len_min = 0, translate_backwards = {'password'}, + deprecation = { + message = "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", - { after = "4.0", }) return { password = value } end }}, { ssl_server_name = { type = "string", translate_backwards = {'server_name'}, + deprecation = { + message = "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", - { after = "4.0", }) return { server_name = value } end }}, 
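Review bot: The deprecation warning for these shorthand fields used to be emitted from `func`, which is run when the shorthand is translated; after this hunk it relies on something consuming the new `deprecation` attribute, and the only consumer visible in this series is `Schema:validate_field` in the earlier init.lua hunk. Unless shorthand fields also pass through `validate_field` — not visible here — setting `redis.auth` would now be translated without any warning. Worth confirming with a test that configures the legacy shorthand and asserts the deprecation line appears in the error log. The `LEGACY_SCHEMA_TRANSLATIONS` table starts before the hunk and continues after it.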
@@ -62,18 +63,20 @@ local LEGACY_SCHEMA_TRANSLATIONS = { type = "string", len_min = 0, translate_backwards = {'extra_options', 'namespace'}, + deprecation = { + message = "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", - { after = "4.0", }) return { extra_options = { namespace = value } } end }}, { scan_count = { type = "integer", translate_backwards = {'extra_options', 'scan_count'}, + deprecation = { + message = "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", - { after = "4.0", }) return { extra_options = { scan_count = value } } end }}, diff --git a/kong/plugins/rate-limiting/schema.lua b/kong/plugins/rate-limiting/schema.lua index 21d48bfe29b..8928fb87fcd 100644 --- a/kong/plugins/rate-limiting/schema.lua +++ b/kong/plugins/rate-limiting/schema.lua @@ -1,6 +1,5 @@ local typedefs = require "kong.db.schema.typedefs" local redis_schema = require "kong.tools.redis.schema" -local deprecation = require "kong.deprecation" local SYNC_RATE_REALTIME = -1 
@@ -104,18 +103,20 @@ return { { redis_host = { type = "string", translate_backwards = {'redis', 'host'}, + deprecation = { + message = "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", - { after = "4.0", }) return { redis = { host = value } } end } }, { redis_port = { type = "integer", translate_backwards = {'redis', 'port'}, + deprecation = { + message = "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", - { after = "4.0", }) return { redis = { port = value } } end } }, 
@@ -123,63 +124,70 @@ return { type = "string", len_min = 0, translate_backwards = {'redis', 'password'}, + deprecation = { + message = "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", - { after = "4.0", }) return { redis = { password = value } } end } }, { redis_username = { type = "string", translate_backwards = {'redis', 'username'}, + deprecation = { + message = "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", - { after = "4.0", }) return { redis = { username = value } } end } }, { redis_ssl = { type = "boolean", translate_backwards = {'redis', 'ssl'}, + deprecation = { + message = "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - { after = "4.0", }) return { redis = { ssl = value } } end } }, { redis_ssl_verify = { type = "boolean", translate_backwards = {'redis', 'ssl_verify'}, + deprecation = { + message = "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - { after = "4.0", }) return { redis = { ssl_verify = value } } end } }, { redis_server_name = { type = "string", translate_backwards = {'redis', 'server_name'}, + deprecation = { + message = "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name 
instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - { after = "4.0", }) return { redis = { server_name = value } } end } }, { redis_timeout = { type = "integer", translate_backwards = {'redis', 'timeout'}, + deprecation = { + message = "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - { after = "4.0", }) return { redis = { timeout = value } } end } }, { redis_database = { type = "integer", translate_backwards = {'redis', 'database'}, + deprecation = { + message = "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", - { after = "4.0", }) return { redis = { database = value } } end } }, diff --git a/kong/plugins/response-ratelimiting/schema.lua b/kong/plugins/response-ratelimiting/schema.lua index 4c6f765343b..d919ced5a8e 100644 --- a/kong/plugins/response-ratelimiting/schema.lua +++ b/kong/plugins/response-ratelimiting/schema.lua @@ -1,6 +1,5 @@ local typedefs = require "kong.db.schema.typedefs" local redis_schema = require "kong.tools.redis.schema" -local deprecation = require "kong.deprecation" local ORDERED_PERIODS = { "second", "minute", "hour", "day", "month", "year" } 
@@ -143,18 +142,20 @@ return { { redis_host = { type = "string", translate_backwards = {'redis', 'host'}, + deprecation = { + message = "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", - { after = "4.0", }) return { redis = { host = value } } end } }, { redis_port = { type = "integer", translate_backwards = {'redis', 'port'}, + deprecation = { + message = "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", - { after = "4.0", }) return { redis = { port = value } } end } }, 
@@ -162,63 +163,70 @@ return { type = "string", len_min = 0, translate_backwards = {'redis', 'password'}, + deprecation = { + message = "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", - { after = "4.0", }) return { redis = { password = value } } end } }, { redis_username = { type = "string", translate_backwards = {'redis', 'username'}, + deprecation = { + message = "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", - { after = "4.0", }) return { redis = { username = value } } end } }, { redis_ssl = { type = "boolean", translate_backwards = {'redis', 'ssl'}, + deprecation = { + message = "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - { after = "4.0", }) return { redis = { ssl = value } } end } }, { redis_ssl_verify = { type = "boolean", translate_backwards = {'redis', 'ssl_verify'}, + deprecation = { + message = "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - { after = "4.0", }) return { redis = { ssl_verify = value } } end } }, { redis_server_name = { type = "string", translate_backwards = {'redis', 'server_name'}, + deprecation = { + message = "response-ratelimiting: 
config.redis_server_name is deprecated, please use config.redis.server_name instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - { after = "4.0", }) return { redis = { server_name = value } } end } }, { redis_timeout = { type = "integer", translate_backwards = {'redis', 'timeout'}, + deprecation = { + message = "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - { after = "4.0", }) return { redis = { timeout = value } } end } }, { redis_database = { type = "integer", translate_backwards = {'redis', 'database'}, + deprecation = { + message = "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + removal_in_version = "4.0", }, func = function(value) - deprecation("response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", - { after = "4.0", }) return { redis = { database = value } } end } }, From 284bf47a8fed496898701a64eb3828cbb1691743 Mon Sep 17 00:00:00 2001 From: Martin Date: Wed, 13 Mar 2024 12:19:25 +0100 Subject: [PATCH 10/18] fix(jwt): add missing pkey sanity check for ES384 and ES512 * add missing pkey sanity check and harmonize pkey:verify usage --- changelog/unreleased/kong/fix-jwt-plugin-check.yml | 3 +++ kong/plugins/jwt/jwt_parser.lua | 14 +++++--------- 2 files changed, 8 insertions(+), 9 deletions(-) create mode 100644 changelog/unreleased/kong/fix-jwt-plugin-check.yml diff --git a/changelog/unreleased/kong/fix-jwt-plugin-check.yml b/changelog/unreleased/kong/fix-jwt-plugin-check.yml new file mode 100644 index 00000000000..bbf3ed71b84 --- /dev/null 
+++ b/changelog/unreleased/kong/fix-jwt-plugin-check.yml @@ -0,0 +1,3 @@ +message: "**Jwt**: fix an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms." +type: bugfix +scope: Plugin diff --git a/kong/plugins/jwt/jwt_parser.lua b/kong/plugins/jwt/jwt_parser.lua index a4d1d5501e8..d8994b5facd 100644 --- a/kong/plugins/jwt/jwt_parser.lua +++ b/kong/plugins/jwt/jwt_parser.lua @@ -111,23 +111,17 @@ local alg_verify = { RS256 = function(data, signature, key) local pkey, _ = openssl_pkey.new(key) assert(pkey, "Consumer Public Key is Invalid") - local digest = openssl_digest.new("sha256") - assert(digest:update(data)) - return pkey:verify(signature, digest) + return pkey:verify(signature, data, "sha256") end, RS384 = function(data, signature, key) local pkey, _ = openssl_pkey.new(key) assert(pkey, "Consumer Public Key is Invalid") - local digest = openssl_digest.new("sha384") - assert(digest:update(data)) - return pkey:verify(signature, digest) + return pkey:verify(signature, data, "sha384") end, RS512 = function(data, signature, key) local pkey, _ = openssl_pkey.new(key) assert(pkey, "Consumer Public Key is Invalid") - local digest = openssl_digest.new("sha512") - assert(digest:update(data)) - return pkey:verify(signature, digest) + return pkey:verify(signature, data, "sha512") end, -- https://www.rfc-editor.org/rfc/rfc7518#section-3.4 ES256 = function(data, signature, key) @@ -150,6 +144,7 @@ local alg_verify = { -- ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a -- 132-octet sequence. local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") assert(#signature == 96, "Signature must be 96 bytes.") return pkey:verify(signature, data, "sha384", nil, { ecdsa_use_raw = true }) end, 
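Review bot: Each RS verifier still turns a malformed consumer key into a Lua error via `assert(pkey, "Consumer Public Key is Invalid")` rather than a `false` result, so the caller of `alg_verify[...]` has to `pcall` it for a bad key to become a 401 instead of a 500; that caller is outside the hunk, so this is a point to confirm rather than a defect seen here. Passing the raw `data` plus a digest name to `pkey:verify` also means `openssl_digest` may no longer be used by the RS branches — check the rest of the file before leaving the require in place. A comment above the asserts, `-- raises on an unparsable key; callers are expected to pcall the verifier`, would document the contract.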
@@ -163,6 +158,7 @@ local alg_verify = { -- ECDSA P-521 SHA-512, R and S will be 521 bits each, resulting in a -- 132-octet sequence. local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") assert(#signature == 132, "Signature must be 132 bytes.") return pkey:verify(signature, data, "sha512", nil, { ecdsa_use_raw = true }) end, From 5fea640028e7e04c4f92328b6760b30c0528d37f Mon Sep 17 00:00:00 2001 From: Aapo Talvensaari Date: Wed, 13 Mar 2024 13:51:40 +0200 Subject: [PATCH 11/18] chore(patches): cleanup the pcre2 regex patch (#12705) ### Summary This adds two commits from @zhongweiy as found here: https://github.com/openresty/lua-nginx-module/pull/2291 https://github.com/openresty/stream-lua-nginx-module/pull/341 They are cleanups to original patch. Signed-off-by: Aapo Talvensaari --- ...a-0.10.26_03-regex-memory-corruption.patch | 61 ++++++++++++++---- ...ua-0.0.14_03-regex-memory-corruption.patch | 63 +++++++++++++++---- 2 files changed, 101 insertions(+), 23 deletions(-) diff --git a/build/openresty/patches/ngx_lua-0.10.26_03-regex-memory-corruption.patch b/build/openresty/patches/ngx_lua-0.10.26_03-regex-memory-corruption.patch index 1c40fd5fa57..7de60af5e0d 100644 --- a/build/openresty/patches/ngx_lua-0.10.26_03-regex-memory-corruption.patch +++ b/build/openresty/patches/ngx_lua-0.10.26_03-regex-memory-corruption.patch @@ -1,38 +1,77 @@ diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c -index 1b52fa2..30c1650 100644 +index 1b52fa2..646b483 100644 --- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c 
+++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_regex.c -@@ -688,11 +688,11 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags, +@@ -591,7 +591,11 @@ ngx_http_lua_ffi_compile_regex(const unsigned char *pat, size_t pat_len, + re_comp.captures = 0; + + } else { ++#if (NGX_PCRE2) ++ ovecsize = (re_comp.captures + 1) * 2; ++#else + ovecsize = (re_comp.captures + 1) * 3; ++#endif + } + + dd("allocating cap with size: %d", (int) ovecsize); +@@ -684,21 +688,21 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags, + { + int rc, exec_opts = 0; + size_t *ov; +- ngx_uint_t ovecsize, n, i; ++ ngx_uint_t ovecpair, n, i; ngx_pool_t *old_pool; if (flags & NGX_LUA_RE_MODE_DFA) { - ovecsize = 2; -+ ovecsize = 1; ++ ovecpair = 1; re->ncaptures = 0; } else { - ovecsize = (re->ncaptures + 1) * 3; -+ ovecsize = re->ncaptures + 1; ++ ovecpair = re->ncaptures + 1; } old_pool = ngx_http_lua_pcre_malloc_init(NULL); -@@ -710,7 +710,7 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags, + + if (ngx_regex_match_data == NULL +- || ovecsize > ngx_regex_match_data_size) ++ || ovecpair > ngx_regex_match_data_size) + { + /* + * Allocate a match data if not yet allocated or smaller than +@@ -709,8 +713,8 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags, + pcre2_match_data_free(ngx_regex_match_data); } - ngx_regex_match_data_size = ovecsize; +- ngx_regex_match_data_size = ovecsize; - ngx_regex_match_data = pcre2_match_data_create(ovecsize / 3, NULL); -+ ngx_regex_match_data = pcre2_match_data_create(ovecsize, NULL); ++ ngx_regex_match_data_size = ovecpair; ++ ngx_regex_match_data = pcre2_match_data_create(ovecpair, NULL); if (ngx_regex_match_data == NULL) { rc = PCRE2_ERROR_NOMEMORY; -@@ -756,8 +756,8 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags, - "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize); +@@ -741,7 +745,7 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags, + #if (NGX_DEBUG) + 
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "pcre2_match failed: flags 0x%05Xd, options 0x%08Xd, " +- "rc %d, ovecsize %ui", flags, exec_opts, rc, ovecsize); ++ "rc %d, ovecpair %ui", flags, exec_opts, rc, ovecpair); + #endif + + goto failed; +@@ -753,11 +757,11 @@ ngx_http_lua_ffi_exec_regex(ngx_http_lua_regex_t *re, int flags, + #if (NGX_DEBUG) + ngx_log_debug5(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "pcre2_match: flags 0x%05Xd, options 0x%08Xd, rc %d, " +- "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize); ++ "n %ui, ovecpair %ui", flags, exec_opts, rc, n, ovecpair); #endif - if (!(flags & NGX_LUA_RE_MODE_DFA) && n > ovecsize / 3) { - n = ovecsize / 3; -+ if (n > ovecsize) { -+ n = ovecsize; ++ if (n > ovecpair) { ++ n = ovecpair; } for (i = 0; i < n; i++) { diff --git a/build/openresty/patches/ngx_stream_lua-0.0.14_03-regex-memory-corruption.patch b/build/openresty/patches/ngx_stream_lua-0.0.14_03-regex-memory-corruption.patch index 197a0e054b8..42bb7f4c6af 100644 --- a/build/openresty/patches/ngx_stream_lua-0.0.14_03-regex-memory-corruption.patch +++ b/build/openresty/patches/ngx_stream_lua-0.0.14_03-regex-memory-corruption.patch @@ -1,42 +1,81 @@ diff --git a/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c b/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c -index e32744e..241ec00 100644 +index e32744e..080e5dd 100644 --- a/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c 
+++ b/bundle/ngx_stream_lua-0.0.14/src/ngx_stream_lua_regex.c -@@ -695,11 +695,11 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, +@@ -598,7 +598,11 @@ ngx_stream_lua_ffi_compile_regex(const unsigned char *pat, size_t pat_len, + re_comp.captures = 0; + + } else { ++#if (NGX_PCRE2) ++ ovecsize = (re_comp.captures + 1) * 2; ++#else + ovecsize = (re_comp.captures + 1) * 3; ++#endif + } + + dd("allocating cap with size: %d", (int) ovecsize); +@@ -691,21 +695,21 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, + { + int rc, exec_opts = 0; + size_t *ov; +- ngx_uint_t ovecsize, n, i; ++ ngx_uint_t ovecpair, n, i; ngx_pool_t *old_pool; if (flags & NGX_LUA_RE_MODE_DFA) { - ovecsize = 2; -+ ovecsize = 1; ++ ovecpair = 1; re->ncaptures = 0; } else { - ovecsize = (re->ncaptures + 1) * 3; -+ ovecsize = re->ncaptures + 1; ++ ovecpair = re->ncaptures + 1; } old_pool = ngx_stream_lua_pcre_malloc_init(NULL); -@@ -717,7 +717,7 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, + + if (ngx_regex_match_data == NULL +- || ovecsize > ngx_regex_match_data_size) ++ || ovecpair > ngx_regex_match_data_size) + { + /* + * Allocate a match data if not yet allocated or smaller than +@@ -716,8 +720,8 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, + pcre2_match_data_free(ngx_regex_match_data); } - ngx_regex_match_data_size = ovecsize; +- ngx_regex_match_data_size = ovecsize; - ngx_regex_match_data = pcre2_match_data_create(ovecsize / 3, NULL); -+ ngx_regex_match_data = pcre2_match_data_create(ovecsize, NULL); ++ ngx_regex_match_data_size = ovecpair; ++ ngx_regex_match_data = pcre2_match_data_create(ovecpair, NULL); if (ngx_regex_match_data == NULL) { rc = PCRE2_ERROR_NOMEMORY; -@@ -762,8 +762,8 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, - "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize); +@@ -747,7 +751,7 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, 
int flags, + #if (NGX_DEBUG) + ngx_log_debug4(NGX_LOG_DEBUG_STREAM, ngx_cycle->log, 0, + "pcre2_match failed: flags 0x%05Xd, options 0x%08Xd, rc %d, " +- "ovecsize %ui", flags, exec_opts, rc, ovecsize); ++ "ovecpair %ui", flags, exec_opts, rc, ovecpair); + #endif + + goto failed; +@@ -759,11 +763,11 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, + #if (NGX_DEBUG) + ngx_log_debug5(NGX_LOG_DEBUG_STREAM, ngx_cycle->log, 0, + "pcre2_match: flags 0x%05Xd, options 0x%08Xd, rc %d, " +- "n %ui, ovecsize %ui", flags, exec_opts, rc, n, ovecsize); ++ "n %ui, ovecpair %ui", flags, exec_opts, rc, n, ovecpair); #endif - if (!(flags & NGX_LUA_RE_MODE_DFA) && n > ovecsize / 3) { - n = ovecsize / 3; -+ if (n > ovecsize) { -+ n = ovecsize; ++ if (n > ovecpair) { ++ n = ovecpair; } for (i = 0; i < n; i++) { -@@ -796,6 +796,21 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, +@@ -796,6 +800,21 @@ ngx_stream_lua_ffi_exec_regex(ngx_stream_lua_regex_t *re, int flags, re->ncaptures = 0; } else { From f89cbb7435dedd7de630719a3d625fc9bb520c75 Mon Sep 17 00:00:00 2001 From: "Koelbel, Martin (096)" Date: Tue, 12 Mar 2024 15:04:17 +0100 Subject: [PATCH 12/18] Add EdDSA algorithm --- changelog/unreleased/kong/feat-jwt-eddsa.yml | 4 ++ kong/plugins/jwt/daos.lua | 2 + kong/plugins/jwt/jwt_parser.lua | 12 +++- spec/03-plugins/16-jwt/01-jwt_parser_spec.lua | 24 +++++++ spec/03-plugins/16-jwt/03-access_spec.lua | 70 +++++++++++++++++++ spec/03-plugins/16-jwt/fixtures.lua | 22 ++++++ 6 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 changelog/unreleased/kong/feat-jwt-eddsa.yml diff --git a/changelog/unreleased/kong/feat-jwt-eddsa.yml b/changelog/unreleased/kong/feat-jwt-eddsa.yml new file mode 100644 index 00000000000..f6095ed55fd --- /dev/null +++ b/changelog/unreleased/kong/feat-jwt-eddsa.yml @@ -0,0 +1,4 @@ +message: | + Addded support for EdDSA algorithms in JWT plugin +type: feature +scope: Plugin 
diff --git a/kong/plugins/jwt/daos.lua b/kong/plugins/jwt/daos.lua index cafc042ac43..32c46d2da27 100644 --- a/kong/plugins/jwt/daos.lua +++ b/kong/plugins/jwt/daos.lua @@ -42,6 +42,7 @@ return { "PS256", "PS384", "PS512", + "EdDSA", }, }, }, { tags = typedefs.tags }, @@ -55,6 +56,7 @@ return { "^PS256$", "^PS384$", "^PS512$", + "^EdDSA$", }, }, }, then_field = "rsa_public_key", diff --git a/kong/plugins/jwt/jwt_parser.lua b/kong/plugins/jwt/jwt_parser.lua index d8994b5facd..b1cce974408 100644 --- a/kong/plugins/jwt/jwt_parser.lua +++ b/kong/plugins/jwt/jwt_parser.lua @@ -99,6 +99,10 @@ local alg_sign = { return nil end return sig + end, + EdDSA = function(data, key) + local pkey = assert(openssl_pkey.new(key)) + return assert(pkey:sign(data)) end } @@ -181,7 +185,13 @@ local alg_verify = { assert(#signature == 256, "Signature must be 256 bytes") return pkey:verify(signature, data, "sha512", openssl_pkey.PADDINGS.RSA_PKCS1_PSS_PADDING) end, - + EdDSA = function(data, signature, key) + -- Support of EdDSA alg typ according to RFC 8037 + -- https://www.rfc-editor.org/rfc/rfc8037 + local pkey, _ = openssl_pkey.new(key) + assert(pkey, "Consumer Public Key is Invalid") + return pkey:verify(signature, data) + end } diff --git a/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua b/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua index 08c3c2f3fe1..b53633dc023 100644 --- a/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua +++ b/spec/03-plugins/16-jwt/01-jwt_parser_spec.lua 
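Review bot: `EdDSA = function(data, signature, key)` in the `alg_verify` hunk verifies with whatever key type `openssl_pkey.new(key)` happens to parse, so a credential stored with `algorithm = "EdDSA"` but an RSA or EC key in `rsa_public_key` (the daos.lua hunks on this line only make that field required, they do not constrain its type) is not rejected as an algorithm/key mismatch; `pkey:verify(signature, data)` would then run with that key and the library's default digest. If the binding in use is lua-resty-openssl it exposes the parsed type via `pkey:get_key_type()` (confirm), which would allow `local kt = pkey:get_key_type(); assert(kt.sn == "ED25519" or kt.sn == "ED448", "Consumer Public Key is not an EdDSA key")` before the verify call. The sign-side entry uses `assert(openssl_pkey.new(key))` while the verify side discards the error; pick one form for both. Both hunks sit inside tables whose start and end lie outside the hunks.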
@@ -142,6 +142,30 @@ describe("Plugin: jwt (parser)", function() assert.True(jwt:verify_signature(fixtures.ps512_public_key)) end) + it("should encode using EdDSA with Ed25519 key", function() + local token = jwt_parser.encode({ + sub = "5656565656", + name = "Jane Doe", + admin = true + }, fixtures.ed25519_private_key, 'EdDSA') + + assert.truthy(token) + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ed25519_public_key)) + end) + + it("should encode using EdDSA with Ed448 key", function() + local token = jwt_parser.encode({ + sub = "5656565656", + name = "Jane Doe", + admin = true + }, fixtures.ed448_private_key, 'EdDSA') + + assert.truthy(token) + local jwt = assert(jwt_parser:new(token)) + assert.True(jwt:verify_signature(fixtures.ed448_public_key)) + end) + end) describe("Decoding", function() it("throws an error if not given a string", function() diff --git a/spec/03-plugins/16-jwt/03-access_spec.lua b/spec/03-plugins/16-jwt/03-access_spec.lua index a4d42013f47..d091fb8e478 100644 --- a/spec/03-plugins/16-jwt/03-access_spec.lua +++ b/spec/03-plugins/16-jwt/03-access_spec.lua @@ -26,6 +26,8 @@ for _, strategy in helpers.each_strategy() do local rsa_jwt_secret_7 local rsa_jwt_secret_8 local rsa_jwt_secret_9 + local rsa_jwt_secret_10 + local rsa_jwt_secret_11 local hs_jwt_secret_1 local hs_jwt_secret_2 local proxy_client @@ -74,6 +76,8 @@ for _, strategy in helpers.each_strategy() do local consumer12 = consumers:insert({ username = "jwt_tests_rsa_consumer_12"}) local consumer13 = consumers:insert({ username = "jwt_tests_rsa_consumer_13"}) local consumer14 = consumers:insert({ username = "jwt_tests_rsa_consumer_14"}) + local consumer15 = consumers:insert({ username = "jwt_tests_rsa_consumer_15"}) + local consumer16 = consumers:insert({ username = "jwt_tests_rsa_consumer_16"}) local anonymous_user = consumers:insert({ username = "no-body" }) local plugins = bp.plugins 
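Review bot: Both new parser tests only assert the success path, so a verifier that accepted any signature for `EdDSA` would still pass; add the mismatched-key case alongside, e.g. after the Ed25519 token is built, `assert.False(jwt:verify_signature(fixtures.ed448_public_key))` and, for a tampered token, an `assert.False` on a signature with one byte flipped. The access-spec hunk that ends at the start of the fixtures diff below has the same gap: its three `it` blocks all expect 200 and none asserts a 401 when the Ed25519-signed token is presented for the Ed448-configured consumer (`rsa_jwt_secret_11`) or vice versa. The "identifies Consumer" case there also repeats the first test's request verbatim and could be folded into it.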
@@ -234,6 +238,18 @@ for _, strategy in helpers.each_strategy() do rsa_public_key = fixtures.ps512_public_key } + rsa_jwt_secret_10 = bp.jwt_secrets:insert { + consumer = { id = consumer15.id }, + algorithm = "EdDSA", + rsa_public_key = fixtures.ed25519_public_key + } + + rsa_jwt_secret_11 = bp.jwt_secrets:insert { + consumer = { id = consumer16.id }, + algorithm = "EdDSA", + rsa_public_key = fixtures.ed448_public_key + } + hs_jwt_secret_1 = bp.jwt_secrets:insert { consumer = { id = consumer7.id }, algorithm = "HS384", 
@@ -973,6 +989,60 @@ for _, strategy in helpers.each_strategy() do end) end) + describe("EdDSA", function() + it("verifies JWT with Ed25519 key", function() + PAYLOAD.iss = rsa_jwt_secret_10.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ed25519_private_key, "EdDSA") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal(rsa_jwt_secret_10.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + it("verifies JWT with Ed448 key", function() + PAYLOAD.iss = rsa_jwt_secret_11.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ed448_private_key, "EdDSA") + local authorization = "Bearer " .. jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal(rsa_jwt_secret_11.key, body.headers["x-credential-identifier"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + it("identifies Consumer", function() + PAYLOAD.iss = rsa_jwt_secret_10.key + local jwt = jwt_encoder.encode(PAYLOAD, fixtures.ed25519_private_key, "EdDSA") + local authorization = "Bearer " .. 
jwt + local res = assert(proxy_client:send { + method = "GET", + path = "/request", + headers = { + ["Authorization"] = authorization, + ["Host"] = "jwt1.test", + } + }) + local body = cjson.decode(assert.res_status(200, res)) + assert.equal(authorization, body.headers.authorization) + assert.equal("jwt_tests_rsa_consumer_15", body.headers["x-consumer-username"]) + assert.equal(nil, body.headers["x-credential-username"]) + end) + end) + describe("HS386", function() it("proxies the request with token and consumer headers if it was verified", function() PAYLOAD.iss = hs_jwt_secret_1.key diff --git a/spec/03-plugins/16-jwt/fixtures.lua b/spec/03-plugins/16-jwt/fixtures.lua index c816c5a5a3b..58924b4503d 100644 --- a/spec/03-plugins/16-jwt/fixtures.lua +++ b/spec/03-plugins/16-jwt/fixtures.lua @@ -287,6 +287,28 @@ Vv1PBULdZ0AMZzzBFW77zIA3kxthcBLB3C0N8mvPLjgfimyD4dK9j8v7lZoheCKC 5QIDAQAB -----END PUBLIC KEY----- ]], +ed448_private_key = [[ +-----BEGIN PRIVATE KEY----- +MEcCAQAwBQYDK2VxBDsEOV3hg//s9c2Ahjrhrf4Wz2u16RyZm7xKj9bTreD7z3Hr +ravo3fvLad9VY0eUjuhfplE7PJ8HVnInaw== +-----END PRIVATE KEY----- +]], +ed448_public_key = [[ +-----BEGIN PUBLIC KEY----- +MEMwBQYDK2VxAzoAeFbeVK5Kv6jnE06XuaQk7aUCV+TjyyB1PI4cHWxCEuWZMHrw ++Q2jl6VsEZ1h792RxRE8E0OBJjmA +-----END PUBLIC KEY----- +]], +ed25519_private_key = [[ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIPojZUis9iVUYwbo+PMs7CeF294UmQqW417VNgaZ2AZ3 +-----END PRIVATE KEY----- +]], +ed25519_public_key = [[ +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEAoJ7Hm7fVc7IQh6RqgR9+Dw0pvB0iqEaGXZex6FlwyGk= +-----END PUBLIC KEY----- +]], hs384_secret = u([[ zxhk1H1Y11ax99xO20EGf00FDAOuPb9kEOmOQZMpR1BElx7sWjBIX2okAJiqjulH OZpsjcgbzfCq69apm6f2K28PTvIvS8ni_CG46_huUTBqosCmdEr-kZDvKBLsppfG From ddaf6160f826b4010c91703d0dd3cc1b86cd76c0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 15:43:27 +0200 Subject: [PATCH 13/18] chore(deps): bump Kong/public-shared-actions from 1 to 2 (#12684) Bumps [Kong/public-shared-actions](https://github.com/kong/public-shared-actions) from 1 to 2. - [Release notes](https://github.com/kong/public-shared-actions/releases) - [Commits](https://github.com/kong/public-shared-actions/compare/v1...v2) --- updated-dependencies: - dependency-name: Kong/public-shared-actions dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b8f92d511e5..a1be7993e77 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -498,7 +498,7 @@ jobs: - name: Scan AMD64 Image digest id: sbom_action_amd64 if: steps.image_manifest_metadata.outputs.amd64_sha != '' - uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1 + uses: Kong/public-shared-actions/security-actions/scan-docker-image@v2 with: asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64 image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} 
@@ -506,7 +506,7 @@ jobs: - name: Scan ARM64 Image digest if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != '' id: sbom_action_arm64 - uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1 + uses: Kong/public-shared-actions/security-actions/scan-docker-image@v2 with: asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64 image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} From 71985154516f9a2f5e3e1a67851a93701db230fc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 15:50:20 +0200 Subject: [PATCH 14/18] chore(deps): bump slackapi/slack-github-action from 1.24.0 to 1.25.0 (#12445) Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 1.24.0 to 1.25.0. - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Commits](https://github.com/slackapi/slack-github-action/compare/e28cf165c92ffef168d23c5c9000cffc8a25e117...6c661ce58804a1a20f6dc5fbee7f0381b469e001) --- updated-dependencies: - dependency-name: slackapi/slack-github-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/backport-fail-bot.yml | 2 +- .github/workflows/release-and-tests-fail-bot.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/backport-fail-bot.yml b/.github/workflows/backport-fail-bot.yml index 9d83c6df036..d1098c6ecee 100644 --- a/.github/workflows/backport-fail-bot.yml +++ b/.github/workflows/backport-fail-bot.yml 
@@ -44,7 +44,7 @@ jobs: result-encoding: string - name: Send Slack Message - uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 + uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 with: payload: ${{ steps.generate-payload.outputs.result }} env: diff --git a/.github/workflows/release-and-tests-fail-bot.yml b/.github/workflows/release-and-tests-fail-bot.yml index 1dc12b6f913..8b12ca3f2ab 100644 --- a/.github/workflows/release-and-tests-fail-bot.yml +++ b/.github/workflows/release-and-tests-fail-bot.yml @@ -70,7 +70,7 @@ jobs: result-encoding: string - name: Send Slack Message - uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 + uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 with: payload: ${{ steps.generate-payload.outputs.result }} env: From 6fda9c1559a63a136d8e8b4f67c49ba52309a1b7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 15:57:07 +0200 Subject: [PATCH 15/18] chore(deps): bump tj-actions/changed-files from 41.0.1 to 42.1.0 (#12721) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 41.0.1 to 42.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/716b1e13042866565e00e85fd4ec490e186c4a2f...aa08304bd477b800d468db44fe10f6c61f7f7b11) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/changelog-requirement.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/changelog-requirement.yml b/.github/workflows/changelog-requirement.yml index 65402ef3f7d..f60b15fb702 100644 --- a/.github/workflows/changelog-requirement.yml +++ b/.github/workflows/changelog-requirement.yml @@ -21,7 +21,7 @@ jobs: - name: Find changelog files id: changelog-list - uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # 41.0.1 + uses: tj-actions/changed-files@aa08304bd477b800d468db44fe10f6c61f7f7b11 # 42.1.0 with: files_yaml: | changelogs: From 6461d243d76346cf4012d843be7f02cd9b49e949 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 15:57:36 +0200 Subject: [PATCH 16/18] chore(deps): bump toshimaru/auto-author-assign from 2.0.1 to 2.1.0 (#12389) Bumps [toshimaru/auto-author-assign](https://github.com/toshimaru/auto-author-assign) from 2.0.1 to 2.1.0. - [Release notes](https://github.com/toshimaru/auto-author-assign/releases) - [Changelog](https://github.com/toshimaru/auto-author-assign/blob/main/CHANGELOG.md) - [Commits](https://github.com/toshimaru/auto-author-assign/compare/c1ffd6f64e20f8f5f61f4620a1e5f0b0908790ef...ebd30f10fb56e46eb0759a14951f36991426fed0) --- updated-dependencies: - dependency-name: toshimaru/auto-author-assign dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/auto-assignee.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-assignee.yml b/.github/workflows/auto-assignee.yml index dcd8f1c4c34..864056be2a0 100644 --- a/.github/workflows/auto-assignee.yml +++ b/.github/workflows/auto-assignee.yml 
@@ -11,5 +11,5 @@ jobs: - name: assign-author # ignore the pull requests opened from PR because token is not correct if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' - uses: toshimaru/auto-author-assign@c1ffd6f64e20f8f5f61f4620a1e5f0b0908790ef + uses: toshimaru/auto-author-assign@ebd30f10fb56e46eb0759a14951f36991426fed0 From 97c265176959a463e2e60931f0274ff627ced554 Mon Sep 17 00:00:00 2001 From: Guilherme Salazar Date: Wed, 13 Mar 2024 11:15:09 -0300 Subject: [PATCH 17/18] fix(pluginserver): ensure a change to plugin config takes effect (#12718) --- changelog/unreleased/kong/fix-external-plugin-instance.yml | 5 +++++ kong/runloop/plugin_servers/init.lua | 3 +++ 2 files changed, 8 insertions(+) create mode 100644 changelog/unreleased/kong/fix-external-plugin-instance.yml diff --git a/changelog/unreleased/kong/fix-external-plugin-instance.yml b/changelog/unreleased/kong/fix-external-plugin-instance.yml new file mode 100644 index 00000000000..b92665f2d9b --- /dev/null +++ b/changelog/unreleased/kong/fix-external-plugin-instance.yml @@ -0,0 +1,5 @@ +message: | + Fix an issue where an external plugin (Go, Javascript, or Python) would fail to + apply a change to the plugin config via the Admin API. +type: bugfix +scope: Configuration diff --git a/kong/runloop/plugin_servers/init.lua b/kong/runloop/plugin_servers/init.lua index 6c3937efc8e..316bb11012c 100644 --- a/kong/runloop/plugin_servers/init.lua +++ b/kong/runloop/plugin_servers/init.lua @@ -213,6 +213,7 @@ function get_instance_id(plugin_name, conf) if instance_info and instance_info.id + and instance_info.seq == conf.__seq__ and instance_info.conf and instance_info.conf.__plugin_id == key then -- exact match, return it @@ -224,6 +225,7 @@ function get_instance_id(plugin_name, conf) -- we're the first, put something to claim instance_info = { conf = conf, + seq = conf.__seq__, } running_instances[key] = instance_info else 
@@ -246,6 +248,7 @@ function get_instance_id(plugin_name, conf) instance_info.id = new_instance_info.id instance_info.plugin_name = plugin_name instance_info.conf = new_instance_info.conf + instance_info.seq = new_instance_info.seq instance_info.Config = new_instance_info.Config instance_info.rpc = new_instance_info.rpc From cea6f246c1115a4ac18440718af07c9f91179352 Mon Sep 17 00:00:00 2001 From: Aapo Talvensaari Date: Wed, 13 Mar 2024 16:40:38 +0200 Subject: [PATCH 18/18] fix(dns): resolv.conf options timeout: 0 is ignored (#12640) ### Summary The `options timeout: 0` has a specific meaning in `resolv.conf`. It means that the request will be sent to all nameservers without waiting and whoever answers first, will be accepted. In Kong the `options timeout: 0` cause actually all the DNS queries themselves to timeout. This is bad as some platforms tend to follow `options timeout: 0` as a good practice when having more than one resolver. Kong should in future support parallel thread based resolving from multiple resolvers, but first we need to get this fix to stop it causing issues. Signed-off-by: Aapo Talvensaari --- .../kong/fix-dns-resolv-timeout-zero.yml | 3 +++ kong/resty/dns/client.lua | 12 ++++++++++-- t/03-dns-client/00-sanity.t | 19 ++++++++++++++++++- 3 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 changelog/unreleased/kong/fix-dns-resolv-timeout-zero.yml diff --git a/changelog/unreleased/kong/fix-dns-resolv-timeout-zero.yml b/changelog/unreleased/kong/fix-dns-resolv-timeout-zero.yml new file mode 100644 index 00000000000..fc0df3caee1 --- /dev/null +++ b/changelog/unreleased/kong/fix-dns-resolv-timeout-zero.yml @@ -0,0 +1,3 @@ +message: "**DNS Client**: Ignore a non-positive values on resolv.conf for options timeout, and use a default value of 2 seconds instead." +type: bugfix +scope: Core diff --git a/kong/resty/dns/client.lua b/kong/resty/dns/client.lua index 78cf91d29b5..7725e5fb0f7 100644 --- a/kong/resty/dns/client.lua 
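Review bot: `instance_info.seq = new_instance_info.seq` relies on the object returned by the instantiation step (not visible in this diff) carrying a `seq` field; if it only echoes the plugin server's instance data, `seq` is nil here, the `instance_info.seq == conf.__seq__` test added in the `@@ -213` hunk fails on every subsequent call, and the instance is re-created each time. Because `conf` is the function's own parameter, `instance_info.seq = conf.__seq__` — the same expression the claim record in the `@@ -224` hunk uses — would be unambiguous. It is also worth confirming that when the seq comparison fails the previously running instance under `running_instances[key]` is torn down rather than orphaned; that branch, like the rest of `get_instance_id`, lies outside these hunks.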
+++ b/kong/resty/dns/client.lua @@ -32,6 +32,7 @@ local log = ngx.log local ERR = ngx.ERR local WARN = ngx.WARN local ALERT = ngx.ALERT +local NOTICE = ngx.NOTICE local DEBUG = ngx.DEBUG --[[ DEBUG = ngx.WARN @@ -54,6 +55,8 @@ local req_dyn_hook_run_hooks = req_dyn_hook.run_hooks local DOT = string_byte(".") local COLON = string_byte(":") +local DEFAULT_TIMEOUT = 2000 -- 2000 is openresty default + local EMPTY = setmetatable({}, {__newindex = function() error("The 'EMPTY' table is read-only") end}) @@ -621,10 +624,15 @@ _M.init = function(options) if resolv.options.timeout then options.timeout = resolv.options.timeout * 1000 else - options.timeout = 2000 -- 2000 is openresty default + options.timeout = DEFAULT_TIMEOUT end end - log(DEBUG, PREFIX, "timeout = ", options.timeout, " ms") + if options.timeout > 0 then + log(DEBUG, PREFIX, "timeout = ", options.timeout, " ms") + else + log(NOTICE, PREFIX, "timeout = ", DEFAULT_TIMEOUT, " ms (a non-positive timeout of ", options.timeout, " configured - using default timeout)") + options.timeout = DEFAULT_TIMEOUT + end -- setup the search order options.ndots = options.ndots or resolv.options.ndots or 1 diff --git a/t/03-dns-client/00-sanity.t b/t/03-dns-client/00-sanity.t index 0c365c576ef..2856ea84b08 100644 --- a/t/03-dns-client/00-sanity.t +++ b/t/03-dns-client/00-sanity.t @@ -2,7 +2,7 @@ use strict; use warnings FATAL => 'all'; use Test::Nginx::Socket::Lua; -plan tests => 2; +plan tests => 5; run_tests(); @@ -25,3 +25,20 @@ GET /t --- response_body 127.0.0.1 --- no_error_log + + + +=== TEST 2: load lua-resty-dns-client +--- config + location = /t { + access_by_lua_block { + local client = require("kong.resty.dns.client") + assert(client.init({ timeout = 0 })) + ngx.exit(200) + } + } +--- request +GET /t +--- error_log +[notice] +timeout = 2000 ms (a non-positive timeout of 0 configured - using default timeout)
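Review bot: `if options.timeout > 0 then` assumes `options.timeout` is already numeric, but only the resolv.conf path above multiplies a parsed number; a caller-supplied timeout that arrives as a string or other non-number now raises a compare error at this line instead of being logged and replaced. Normalizing first keeps the fallback reachable: `local timeout = tonumber(options.timeout)` followed by `if timeout and timeout > 0 then options.timeout = timeout` and the NOTICE branch otherwise. The enclosing `if` whose header decides when the resolv.conf value is consulted begins outside the hunk, so upstream validation may already rule this out — confirm before changing. Including the origin of the rejected value (resolv.conf vs. caller) in the NOTICE message would make the log easier to act on.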