refactor(router/atc): ensure to validate possible routes fields
fix is_empty_field

add protocols for stream tests

tests for tls_passthrough

fix-snis-tls-passthrough-in-trad-compat.yml

style lint
chronolaw authored and ADD-SP committed Mar 13, 2024
1 parent 3c9d09c commit 9c2c7b3
Showing 4 changed files with 92 additions and 4 deletions.
@@ -0,0 +1,5 @@
message: |
fix an issue where SNI-based routing does not work
using tls_passthrough and the traditional_compatible router flavor
type: bugfix
scope: Core
21 changes: 20 additions & 1 deletion kong/db/schema/entities/routes.lua
Expand Up @@ -130,10 +130,29 @@ else
}

if kong_router_flavor == "traditional_compatible" then
local is_empty_field = require("kong.router.transform").is_empty_field

table.insert(entity_checks,
{ custom_entity_check = {
field_sources = { "id", "protocols",
"snis", "sources", "destinations",
"methods", "hosts", "paths", "headers",
},
run_with_missing_fields = true,
fn = validate_route,
fn = function(entity)
if is_empty_field(entity.snis) and
is_empty_field(entity.sources) and
is_empty_field(entity.destinations) and
is_empty_field(entity.methods) and
is_empty_field(entity.hosts) and
is_empty_field(entity.paths) and
is_empty_field(entity.headers)
then
return true
end

return validate_route(entity)
end,
}}
)
end
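Review bot: The early `return true` in the new `fn` skips `validate_route` whenever all seven match fields are empty, and nothing visible in this hunk says which other check still rejects a route that carries no match criteria at all. If that is left to the schema's other entity checks (an assumption, since they are outside the hunk), state it in a comment above the guard, for example `-- no match fields set: skip validate_route; the other entity checks reject routes without any match field`, with the wording confirmed against the rest of the schema. The field names are also spelled twice, once in `field_sources` and once in the `is_empty_field` chain, so a field added to one list can silently miss the other; driving both from a single local table would keep them in step. The enclosing `else` branch starts before the hunk.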
4 changes: 1 addition & 3 deletions kong/router/transform.lua
Expand Up @@ -524,9 +524,7 @@ local function get_priority(route)

-- stream expression

if not is_empty_field(srcs) or
not is_empty_field(dsts)
then
if is_stream_route(route) then
return stream_get_priority(snis, srcs, dsts)
end

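Review bot: `is_stream_route(route)` is not defined in this hunk, and replacing the `srcs`/`dsts` test with it means `get_priority` now presumably decides on `route.protocols`; the spec changes in this commit, which add `protocols` to every stream fixture, point the same way. A route that reaches this function without `protocols` set would then take the non-stream priority path even when it carries sources or destinations. A comment stating the precondition would help, e.g. `-- stream routes are detected by protocol, so SNI-only tls_passthrough routes also get stream priority; route.protocols must be set`. `get_priority` begins and ends outside the hunk.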
66 changes: 66 additions & 0 deletions spec/01-unit/08-router_spec.lua
Expand Up @@ -4307,6 +4307,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tcp", },
sources = {
{ ip = "127.0.0.1" },
{ ip = "127.0.0.2" },
Expand All @@ -4317,6 +4318,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tcp", },
sources = {
{ port = 65001 },
{ port = 65002 },
Expand All @@ -4328,6 +4330,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8103",
protocols = { "tcp", },
sources = {
{ ip = "127.168.0.0/8" },
}
Expand All @@ -4338,6 +4341,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8104",
protocols = { "tcp", },
sources = {
{ ip = "127.0.0.1", port = 65001 },
}
Expand All @@ -4347,6 +4351,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8105",
protocols = { "tcp", },
sources = {
{ ip = "127.0.0.2", port = 65300 },
{ ip = "127.168.0.0/16", port = 65301 },
Expand Down Expand Up @@ -4416,6 +4421,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tcp", },
destinations = {
{ ip = "127.0.0.1" },
{ ip = "127.0.0.2" },
Expand All @@ -4426,6 +4432,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tcp", },
destinations = {
{ port = 65001 },
{ port = 65002 },
Expand All @@ -4437,6 +4444,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8103",
protocols = { "tcp", },
destinations = {
{ ip = "127.168.0.0/8" },
}
Expand All @@ -4447,6 +4455,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8104",
protocols = { "tcp", },
destinations = {
{ ip = "127.0.0.1", port = 65001 },
}
Expand All @@ -4456,6 +4465,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8105",
protocols = { "tcp", },
destinations = {
{ ip = "127.0.0.2", port = 65300 },
{ ip = "127.168.0.0/16", port = 65301 },
Expand Down Expand Up @@ -4613,13 +4623,15 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tls", },
snis = { "www.example.org" },
}
},
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tls", },
sources = {
{ ip = "127.0.0.1" },
}
Expand All @@ -4629,6 +4641,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8103",
protocols = { "tls", },
destinations = {
{ ip = "172.168.0.1" },
}
Expand All @@ -4655,13 +4668,15 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tls", },
snis = { "www.example.org" },
}
},
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tls", },
sources = {
{ ip = "127.0.0.1" },
},
Expand Down Expand Up @@ -5033,6 +5048,57 @@ do
assert.same("/bar", match_t.upstream_uri)
end)
end)

describe("Router (flavor = " .. flavor .. ")", function()
reload_router(flavor, "stream")

it("[#stream SNI-based routing does work using tls_passthrough]", function()
local use_case = {
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tls_passthrough", },
snis = { "www.example.com" },
preserve_host = true,
},
},
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tls_passthrough", },
snis = { "www.example.org" },
preserve_host = true,
},
},
}

local router = assert(new_router(use_case))

local _ngx = {
var = {
ssl_preread_server_name = "www.example.com",
},
}
router._set_ngx(_ngx)
local match_t = router:exec()

assert.truthy(match_t)
assert.same(use_case[1].route, match_t.route)

local _ngx = {
var = {
ssl_preread_server_name = "www.example.org",
},
}
router._set_ngx(_ngx)
local match_t = router:exec()

assert.truthy(match_t)
assert.same(use_case[2].route, match_t.route)
end)
end)
end -- local flavor = "traditional_compatible"

do
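Review bot: The new `tls_passthrough` test asserts only the two positive matches, so nothing checks that a server name listed by neither route is left unmatched. Add a negative case after the second assertion: set `ssl_preread_server_name` to a name that appears in no route, call `router._set_ngx(_ngx)` again, and check `assert.falsy(router:exec())`. As a style point, the second `local _ngx` and `local match_t` shadow the first pair in the same scope; plain assignment would avoid the lint warning. The enclosing `do` block starts outside the hunk.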
