refactor(db/schema): ensure to validate possible routes fields #12681

Merged
merged 2 commits into from
Mar 13, 2024
@@ -0,0 +1,5 @@
message: |
Fixed an issue where SNI-based routing does not work
using tls_passthrough and the traditional_compatible router flavor
type: bugfix
scope: Core
21 changes: 20 additions & 1 deletion kong/db/schema/entities/routes.lua
Expand Up @@ -130,10 +130,29 @@ else
}

if kong_router_flavor == "traditional_compatible" then
local is_empty_field = require("kong.router.transform").is_empty_field

table.insert(entity_checks,
{ custom_entity_check = {
field_sources = { "id", "protocols",
"snis", "sources", "destinations",
"methods", "hosts", "paths", "headers",
},
run_with_missing_fields = true,
fn = validate_route,
fn = function(entity)
if is_empty_field(entity.snis) and
is_empty_field(entity.sources) and
is_empty_field(entity.destinations) and
is_empty_field(entity.methods) and
is_empty_field(entity.hosts) and
is_empty_field(entity.paths) and
is_empty_field(entity.headers)
then
return true
end

return validate_route(entity)
end,
}}
)
end
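Review bot: The wrapper added as `fn` returns `true` without reaching `validate_route` whenever all seven match fields are empty, and the hunk has no comment saying why that is safe or which other check then decides whether such a route is acceptable. This entity check appears to be what keeps a route the router cannot compile from being stored, so the early return should state its intent, for example `-- no match fields present: nothing for the router to compile, leave the decision to the other entity checks`, once that is confirmed against the rest of the schema. The seven `is_empty_field` calls also repeat the match-field part of `field_sources` by hand, so a field added to one list and not the other would silently change when validation runs; a one-line comment tying the two lists together would help. The enclosing `else` branch begins before this hunk.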
4 changes: 1 addition & 3 deletions kong/router/transform.lua
Expand Up @@ -524,9 +524,7 @@ local function get_priority(route)

-- stream expression

if not is_empty_field(srcs) or
not is_empty_field(dsts)
then
if is_stream_route(route) then
return stream_get_priority(snis, srcs, dsts)
end

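Review bot: Whether a route takes the stream priority path now rests entirely on `is_stream_route(route)`, which is defined outside this hunk, and the condition has no comment recording that the match fields no longer decide it. Judging by the spec changes in the same pull request, which add `protocols` to every sources/destinations fixture, a route that sets `sources` or `destinations` without a stream protocol presumably now falls through to the non-stream priority calculation, which changes which route wins for such input. A comment above the condition such as `-- stream routes are identified by is_stream_route(), not by which match fields are set (a tls_passthrough route may carry only snis)` would make that contract visible, after checking it against the helper. `get_priority` starts and ends outside the hunk.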
66 changes: 66 additions & 0 deletions spec/01-unit/08-router_spec.lua
Expand Up @@ -4307,6 +4307,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tcp", },
sources = {
{ ip = "127.0.0.1" },
{ ip = "127.0.0.2" },
Expand All @@ -4317,6 +4318,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tcp", },
sources = {
{ port = 65001 },
{ port = 65002 },
Expand All @@ -4328,6 +4330,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8103",
protocols = { "tcp", },
sources = {
{ ip = "127.168.0.0/8" },
}
Expand All @@ -4338,6 +4341,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8104",
protocols = { "tcp", },
sources = {
{ ip = "127.0.0.1", port = 65001 },
}
Expand All @@ -4347,6 +4351,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8105",
protocols = { "tcp", },
sources = {
{ ip = "127.0.0.2", port = 65300 },
{ ip = "127.168.0.0/16", port = 65301 },
Expand Down Expand Up @@ -4416,6 +4421,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tcp", },
destinations = {
{ ip = "127.0.0.1" },
{ ip = "127.0.0.2" },
Expand All @@ -4426,6 +4432,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tcp", },
destinations = {
{ port = 65001 },
{ port = 65002 },
Expand All @@ -4437,6 +4444,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8103",
protocols = { "tcp", },
destinations = {
{ ip = "127.168.0.0/8" },
}
Expand All @@ -4447,6 +4455,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8104",
protocols = { "tcp", },
destinations = {
{ ip = "127.0.0.1", port = 65001 },
}
Expand All @@ -4456,6 +4465,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8105",
protocols = { "tcp", },
destinations = {
{ ip = "127.0.0.2", port = 65300 },
{ ip = "127.168.0.0/16", port = 65301 },
Expand Down Expand Up @@ -4613,13 +4623,15 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tls", },
snis = { "www.example.org" },
}
},
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tls", },
sources = {
{ ip = "127.0.0.1" },
}
Expand All @@ -4629,6 +4641,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8103",
protocols = { "tls", },
destinations = {
{ ip = "172.168.0.1" },
}
Expand All @@ -4655,13 +4668,15 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions"
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tls", },
snis = { "www.example.org" },
}
},
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tls", },
sources = {
{ ip = "127.0.0.1" },
},
Expand Down Expand Up @@ -5033,6 +5048,57 @@ do
assert.same("/bar", match_t.upstream_uri)
end)
end)

describe("Router (flavor = " .. flavor .. ")", function()
reload_router(flavor, "stream")

it("[#stream SNI-based routing does work using tls_passthrough]", function()
local use_case = {
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tls_passthrough", },
snis = { "www.example.com" },
preserve_host = true,
},
},
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tls_passthrough", },
snis = { "www.example.org" },
preserve_host = true,
},
},
}

local router = assert(new_router(use_case))

local _ngx = {
var = {
ssl_preread_server_name = "www.example.com",
},
}
router._set_ngx(_ngx)
local match_t = router:exec()

assert.truthy(match_t)
assert.same(use_case[1].route, match_t.route)

local _ngx = {
var = {
ssl_preread_server_name = "www.example.org",
},
}
router._set_ngx(_ngx)
local match_t = router:exec()

assert.truthy(match_t)
assert.same(use_case[2].route, match_t.route)
end)
end)
end -- local flavor = "traditional_compatible"

do
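Review bot: The new `tls_passthrough` test in the last hunk checks only the two server names that should match and has no negative case, so nothing pins that a connection whose SNI is listed on neither route is left unmatched. For SNI-based routing that is the property that keeps traffic away from the wrong upstream. Adding `router._set_ngx({ var = { ssl_preread_server_name = "www.example.net" } })` (a constructed name) followed by `assert.falsy(router:exec())` would cover it, assuming `exec` returns a falsy value on a miss. The test also declares `local _ngx` and `local match_t` twice in one scope; plain reassignment for the second lookup avoids the redefinition a linter would flag.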