Skip to content

Commit

Permalink
fix(certificates): validate the certificates schema failed if snis
Browse files Browse the repository at this point in the history
…was in the request body
  • Loading branch information
raoxiaoyan committed Jul 16, 2024
1 parent 8f9b82d commit e01f2d8
Show file tree
Hide file tree
Showing 6 changed files with 81 additions and 17 deletions.
3 changes: 3 additions & 0 deletions changelog/unreleased/kong/certificates_schema_validate.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
message: "Fixed an issue where validation of the certificate schema failed if the `snis` field was present in the request body."
scope: Admin API
type: bugfix
1 change: 1 addition & 0 deletions kong/db/schema/entities/certificates.lua
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ return {
{ cert_alt = typedefs.certificate { required = false, referenceable = true }, },
{ key_alt = typedefs.key { required = false, referenceable = true, encrypted = true }, },
{ tags = typedefs.tags },
{ snis = { type = "array", elements = typedefs.sni, required = false, transient = true }, },
},

entity_checks = {
Expand Down
10 changes: 10 additions & 0 deletions kong/db/schema/metaschema.lua
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,8 @@ local field_schema = {
{ encrypted = { type = "boolean" }, },
{ referenceable = { type = "boolean" }, },
{ json_schema = json_metaschema },
-- Transient attribute: used to mark a field as a non-db column
{ transient = { type = "boolean" }, },
-- Deprecation attribute: used to mark a field as deprecated
-- Results in `message` and `removal_in_version` to be printed in a warning
-- (via kong.deprecation) when the field is used.
Expand Down Expand Up @@ -490,6 +492,14 @@ local attribute_types = {
json_schema = {
["json"] = true,
},
transient = {
["string"] = true,
["number"] = true,
["integer"] = true,
["array"] = true,
["set"] = true,
["boolean"] = true,
},
}


Expand Down
5 changes: 5 additions & 0 deletions kong/db/strategies/postgres/init.lua
Original file line number Diff line number Diff line change
Expand Up @@ -844,6 +844,10 @@ function _M.new(connector, schema, errors)


for field_name, field in schema:each_field() do
if field.transient == true then
goto continue
end

if field.type == "foreign" then
local foreign_schema = field.schema
local foreign_key_names = {}
Expand Down Expand Up @@ -925,6 +929,7 @@ function _M.new(connector, schema, errors)

insert(fields, prepared_field)
end
::continue::
end

local primary_key_names = {}
Expand Down
41 changes: 41 additions & 0 deletions spec/02-integration/04-admin_api/02-kong_routes_spec.lua
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
local helpers = require "spec.helpers"
local ssl_fixtures = require "spec.fixtures.ssl"
local cjson = require "cjson"
local constants = require "kong.constants"
local Errors = require "kong.db.errors"

local UUID_PATTERN = "%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x"

Expand Down Expand Up @@ -554,6 +556,45 @@ describe("Admin API - Kong routes with strategy #" .. strategy, function()
local json = cjson.decode(body)
assert.equal("schema validation successful", json.message)
end)

it("returns 200 on certificates schema with snis", function()

local res = assert(client:post("/schemas/certificates/validate", {
body = {
cert = ssl_fixtures.cert,
key = ssl_fixtures.key,
snis = {"a", "b", "c" },
},
headers = { ["Content-Type"] = "application/json" }
}))
local body = assert.res_status(200, res)
local json = cjson.decode(body)
assert.equal("schema validation successful", json.message)
end)

it("returns 400 on certificates schema with invalid snis", function()

local res = assert(client:post("/schemas/certificates/validate", {
body = {
cert = ssl_fixtures.cert,
key = ssl_fixtures.key,
snis = {"120.0.9.32:90" },
},
headers = { ["Content-Type"] = "application/json" }
}))
local body = assert.res_status(400, res)
local json = cjson.decode(body)
local expected_body = {
fields= {
snis= { "must not be an IP" }
},
name= "schema violation",
message= "schema violation (snis.1: must not be an IP)",
code= Errors.codes.SCHEMA_VIOLATION,
}
assert.same(expected_body, json)
end)

it("returns 200 on a valid plugin schema", function()
local res = assert(client:post("/schemas/plugins/validate", {
body = {
Expand Down
38 changes: 21 additions & 17 deletions spec/02-integration/04-admin_api/06-certificates_routes_spec.lua
Original file line number Diff line number Diff line change
Expand Up @@ -36,12 +36,23 @@ describe("Admin API: #" .. strategy, function()
local n2 = get_name()
local names = { n1, n2 }

local certificate = {
cert = ssl_fixtures.cert,
key = ssl_fixtures.key,
snis = names,
}

local validate_res = client:post("/schemas/certificates/validate", {
body = certificate,
headers = { ["Content-Type"] = "application/json" },
})

local validate_body = assert.res_status(200, validate_res)
local json = cjson.decode(validate_body)
assert.equal("schema validation successful", json.message)

local res = client:post("/certificates", {
body = {
cert = ssl_fixtures.cert,
key = ssl_fixtures.key,
snis = names,
},
body = certificate,
headers = { ["Content-Type"] = "application/json" },
})

Expand Down Expand Up @@ -370,9 +381,8 @@ describe("Admin API: #" .. strategy, function()
assert.equal(cjson.null, json.key_alt)

assert.same({ n1 }, json.snis)
json.snis = nil

local in_db = assert(db.certificates:select({ id = id }, { nulls = true }))
local in_db = assert(db.certificates:select_with_name_list({ id = id }, { nulls = true }))
assert.same(json, in_db)
end)

Expand All @@ -395,9 +405,8 @@ describe("Admin API: #" .. strategy, function()
assert.equal(cjson.null, json.key_alt)

assert.same({ n1, n2 }, json.snis)
json.snis = nil

local in_db = assert(db.certificates:select(json, { nulls = true }))
local in_db = assert(db.certificates:select_with_name_list(json, { nulls = true }))
assert.same(json, in_db)
end)

Expand All @@ -420,9 +429,8 @@ describe("Admin API: #" .. strategy, function()
assert.equal(cjson.null, json.key_alt)

assert.same({ n1, n2 }, json.snis)
json.snis = nil

local in_db = assert(db.certificates:select(json, { nulls = true }))
local in_db = assert(db.certificates:select_with_name_list(json, { nulls = true }))
assert.same(json, in_db)
end)

Expand All @@ -444,9 +452,7 @@ describe("Admin API: #" .. strategy, function()
assert.same({}, json.snis)
assert.truthy(certificate.updated_at < json.updated_at)

json.snis = nil

local in_db = assert(db.certificates:select(certificate, { nulls = true }))
local in_db = assert(db.certificates:select_with_name_list(certificate, { nulls = true }))
assert.same(json, in_db)
end)

Expand All @@ -470,9 +476,7 @@ describe("Admin API: #" .. strategy, function()
assert.same(ssl_fixtures.key_alt_ecdsa, json.key_alt)
assert.same({}, json.snis)

json.snis = nil

local in_db = assert(db.certificates:select(certificate, { nulls = true }))
local in_db = assert(db.certificates:select_with_name_list(certificate, { nulls = true }))
assert.same(json, in_db)
end)

Expand Down

0 comments on commit e01f2d8

Please sign in to comment.