From 3a0fbaa96ae1b7670a47189cd3c7242ef51744a9 Mon Sep 17 00:00:00 2001
From: xumin
Date: Tue, 15 Oct 2024 15:56:12 +0800
Subject: [PATCH] feat(ssl): add function to get request ssl pointer

To support: KAG-5388 KAG-5473
---
 README.md | 16 +++++++++++
 lualib/resty/kong/tls.lua | 25 ++++++++++++++++-
 src/ngx_http_lua_kong_ssl.c | 22 +++++++++++++++
 stream/src/ngx_stream_lua_kong_module.c | 22 +++++++++++++++
 t/001-tls.t | 36 +++++++++++++++++++++++++
 t/stream/003-tls.t | 32 ++++++++++++++++++++++
 6 files changed, 152 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5dc6f2aa..62d97a26 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Table of Contents
 * [resty.kong.tls.set\_upstream\_ssl\_verify](#restykongtlsset_upstream_ssl_verify)
 * [resty.kong.tls.set\_upstream\_ssl\_verify\_depth](#restykongtlsset_upstream_ssl_verify_depth)
 * [resty.kong.tls.get\_ssl\_pointer](#restykongtlsget_ssl_pointer)
+ * [resty.kong.tls.get\_request\_ssl\_pointer](#restykongtlsget_request_ssl_pointer)
 * [resty.kong.grpc.set\_authority](#restykonggrpcset_authority)
 * [resty.kong.tls.disable\_proxy\_ssl](#restykongtlsdisable_proxy_ssl)
 * [resty.kong.var.patch\_metatable](#restykongvarpatch_metatable)
@@ -367,6 +368,21 @@ describing the error will be returned.
 
 [Back to TOC](#table-of-contents)
 
+resty.kong.tls.get\_request\_ssl\_pointer
+----------------------------------------------------
+**syntax:** *ssl_ptr, err = resty.kong.get\_request\_ssl\_pointer()*
+
+**context:** *client_hello_by_lua*, *ssl_certificate_by_lua*, *rewrite_by_lua*, access_by_lua*, content_by_lua*, log_by_lua**, *preread_by_lua**
+
+**subsystems:** *http* *stream*
+
+Retrieves the OpenSSL `SSL*` object for the current tcpsock `sock`.
+
+On success, this function returns the pointer of type `SSL`. Otherwise `nil` and a string
+describing the error will be returned.
+
+[Back to TOC](#table-of-contents)
+
 resty.kong.grpc.set\_authority
 ------------------------------
 **syntax:** *ok, err = resty.kong.grpc.set_authority(new_authority)*
diff --git a/lualib/resty/kong/tls.lua b/lualib/resty/kong/tls.lua
index 23c591ce..6bc375ce 100644
--- a/lualib/resty/kong/tls.lua
+++ b/lualib/resty/kong/tls.lua
@@ -40,7 +40,7 @@ local kong_lua_kong_ffi_set_upstream_ssl_trusted_store
 local kong_lua_kong_ffi_set_upstream_ssl_verify
 local kong_lua_kong_ffi_set_upstream_ssl_verify_depth
 local kong_lua_kong_ffi_get_socket_ssl
-
+local kong_lua_kong_ffi_get_request_ssl
 if subsystem == "http" then
 ffi.cdef([[
 typedef struct ssl_st SSL;
@@ -59,6 +59,8 @@ if subsystem == "http" then
 int depth);
 int ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u,
 void **ssl_conn);
+ int ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r,
+ void **ssl_conn);
 ]])
 
 kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_http_lua_kong_ffi_get_full_client_certificate_chain
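Review bot: The first tls.lua hunk replaces the blank line that separated the forward-declared locals from `if subsystem == "http" then` with the new declaration, so the declaration block and the branch now run together; add `local kong_lua_kong_ffi_get_request_ssl` above the existing blank line rather than in place of it. The declaration block itself begins before this hunk, so the new local is the only line that needs moving.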
@@ -68,6 +70,8 @@ if subsystem == "http" then
 kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify
 kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth
 kong_lua_kong_ffi_get_socket_ssl = C.ngx_http_lua_kong_ffi_get_socket_ssl
+ kong_lua_kong_ffi_get_request_ssl = C.ngx_http_lua_kong_ffi_get_request_ssl
+
 
 elseif subsystem == 'stream' then
 ffi.cdef([[
@@ -88,6 +92,8 @@ elseif subsystem == 'stream' then
 int depth);
 int ngx_stream_lua_kong_get_socket_ssl(ngx_stream_lua_socket_tcp_upstream_t *u,
 void **ssl_conn);
+ int ngx_stream_lua_kong_ffi_get_request_ssl(ngx_stream_lua_request_t *r,
+ void **ssl_conn);
 ]])
 
 kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_stream_lua_kong_ffi_get_full_client_certificate_chain
@@ -97,6 +103,7 @@ elseif subsystem == 'stream' then
 kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify
 kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify_depth
 kong_lua_kong_ffi_get_socket_ssl = C.ngx_stream_lua_kong_get_socket_ssl
+ kong_lua_kong_ffi_get_request_ssl = C.ngx_stream_lua_kong_ffi_get_request_ssl
 else
 error("unknown subsystem: " .. subsystem)
 end
@@ -151,6 +158,22 @@ function _M.get_ssl_pointer(sock)
 end
 
 
+function _M.get_request_ssl_pointer()
+ if get_phase() ~= 'ssl_cert' then
+ error("API disabled in the current context")
+ end
+
+ local r = get_request()
+
+ local ret = kong_lua_kong_ffi_get_request_ssl(r, void_pp)
+ if ret ~= NGX_OK then
+ return nil, "no ssl object"
+ end
+
+ return ffi_cast(ssl_type, void_pp[0])
+end
+
+
 do
 local ALLOWED_PHASES = {
 ['rewrite'] = true,
diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c
index b0d3e8cf..f5f61193 100644
--- a/src/ngx_http_lua_kong_ssl.c
+++ b/src/ngx_http_lua_kong_ssl.c
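Review bot: The guard `if get_phase() ~= 'ssl_cert' then` in `_M.get_request_ssl_pointer` admits only `ssl_certificate_by_lua`, while the README hunk in this same patch lists client_hello, rewrite, access, content, log and preread as supported contexts and both new tests call the function from `content_by_lua_block`; one side has to change, and if the wider set is intended the allowed-phase-table pattern this file already uses (the `ALLOWED_PHASES` block in the trailing context) fits better than a single string comparison, as sketched below using the names `ngx.get_phase()` reports (confirm `ssl_client_hello` against the lua-nginx-module build in use). If the phase set is widened, also guard the request before the FFI call, `if not r then return nil, "no request found" end`, because the C function in this patch dereferences `r` unconditionally. The function hands Lua a raw `SSL*` owned by the downstream `ngx_connection_t`, so its doc comment should pin the lifetime: `--- Returns the client connection's raw SSL*; it is owned by nginx and only valid during the current request - never store it.`
```lua
local REQUEST_SSL_PHASES = {
    ['ssl_client_hello'] = true,
    ['ssl_cert'] = true,
    ['rewrite'] = true,
    ['access'] = true,
    ['content'] = true,
    ['log'] = true,
    ['preread'] = true,
}

function _M.get_request_ssl_pointer()
    if not REQUEST_SSL_PHASES[get_phase()] then
        error("API disabled in the current context", 2)
    end

    -- … unchanged: get_request(), FFI call, NGX_OK check, ffi_cast …
end
```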
@@ -70,6 +70,28 @@ ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u, void
 }
 
 
+int
+ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r, void **ssl_conn)
+{
+#if (NGX_SSL)
+ if (ssl_conn == NULL) {
+ return NGX_ABORT;
+ }
+
+ ngx_connection_t *c = r->connection;
+
+ if (c && (c->ssl) && (c->ssl->connection)) {
+ *ssl_conn = c->ssl->connection;
+ return NGX_OK;
+ }
+
+ return NGX_ERROR;
+#else
+ return NGX_ABORT;
+#endif
+}
+
+
 #if (NGX_HTTP_SSL)
 
 /*
diff --git a/stream/src/ngx_stream_lua_kong_module.c b/stream/src/ngx_stream_lua_kong_module.c
index 41b8b7f0..0ab1088b 100644
--- a/stream/src/ngx_stream_lua_kong_module.c
+++ b/stream/src/ngx_stream_lua_kong_module.c
@@ -323,3 +323,25 @@ void **ssl_conn)
 #endif
 }
 
+
+int
+ngx_stream_lua_kong_ffi_get_request_ssl(ngx_stream_lua_request_t *r, void **ssl_conn)
+{
+#if (NGX_SSL)
+ if (ssl_conn == NULL) {
+ return NGX_ABORT;
+ }
+
+ ngx_connection_t *c = r->connection;
+
+ if (c && (c->ssl) && (c->ssl->connection)) {
+ *ssl_conn = c->ssl->connection;
+ return NGX_OK;
+ }
+
+ return NGX_ERROR;
+#else
+ return NGX_ABORT;
+#endif
+}
+
diff --git a/t/001-tls.t b/t/001-tls.t
index ada5e479..cb334315 100644
--- a/t/001-tls.t
+++ b/t/001-tls.t
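Review bot: `r` is dereferenced at `ngx_connection_t *c = r->connection;` without the NULL check that `ssl_conn` gets two lines earlier; the Lua wrapper currently guarantees a request through its phase guard, but an FFI entry point should not depend on its caller for that, so widen the guard to `if (r == NULL || ssl_conn == NULL) { return NGX_ABORT; }`. The same applies to `ngx_stream_lua_kong_ffi_get_request_ssl` in the stream hunk below. Declaring `c` after a statement also departs from the nginx convention of declaring locals at the top of the function, which the rest of this file presumably follows; declare `ngx_connection_t *c;` first and assign it after the guard. The new function is wrapped in `#if (NGX_SSL)` while the context line that follows shows this file keyed on `NGX_HTTP_SSL`; using the file's own macro (and `NGX_STREAM_SSL` in the stream counterpart) keeps the build conditions consistent with the code around it.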
@@ -495,3 +495,39 @@ ok
 --- no_error_log
 [error]
 [emerg]
+
+
+
+
+=== TEST 8: ssl.get_request_ssl_pointer works well
+--- stream_config
+ lua_package_path "../lua-resty-core/lib/?.lua;lualib/?.lua;;";
+ lua_ssl_protocols SSLV3 TLSv1 TLSv1.1 TLSv1.2;
+ server {
+ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+ server_name example.com;
+ ssl_certificate ../../cert/example.com.crt;
+ ssl_certificate_key ../../cert/example.com.key;
+ ssl_session_cache off;
+ ssl_session_tickets on;
+ server_tokens off;
+
+ content_by_lua_block {
+ local ssl = require "resty.kong.tls"
+ if ssl.get_request_ssl_pointer() == nil then
+ ngx.say("cannot get socket")
+ else
+ ngx.say("ok")
+ end
+ }
+ }
+
+--- request
+GET /t
+--- response_body
+ok
+--- no_error_log
+[error]
+[emerg]
+--- skip_nginx
+7: < 1.21.4
diff --git a/t/stream/003-tls.t b/t/stream/003-tls.t
index 0d86c3c7..7f4483b9 100644
--- a/t/stream/003-tls.t
+++ b/t/stream/003-tls.t
@@ -440,3 +440,35 @@ ok
 [emerg]
 --- skip_nginx
 7: < 1.21.4
+
+
+
+
+=== TEST 8: ssl.get_request_ssl_pointer works well
+--- stream_config
+ lua_package_path "../lua-resty-core/lib/?.lua;lualib/?.lua;;";
+
+ server {
+ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+ ssl_certificate ../../cert/example.com.crt;
+ ssl_certificate_key ../../cert/example.com.key;
+ ssl_session_cache off;
+ ssl_session_tickets on;
+
+ content_by_lua_block {
+ local ssl = require "resty.kong.tls"
+ if ssl.get_request_ssl_pointer() == nil then
+ ngx.say("cannot get socket")
+ else
+ ngx.say("ok")
+ end
+ }
+ }
+
+--- response_body
+ok
+--- no_error_log
+[error]
+[emerg]
+--- skip_nginx
+7: < 1.21.4
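Review bot: TEST 8 in t/001-tls.t calls `ssl.get_request_ssl_pointer()` from `content_by_lua_block`, but the Lua wrapper added by this patch raises `API disabled in the current context` in any phase other than `ssl_cert`, so the test cannot print `ok` as written; TEST 8 in t/stream/003-tls.t has the same problem. The http test additionally puts `server_name`, `server_tokens` and a `listen ... ssl` block under `--- stream_config` and sends `GET /t` with no `--- config` location to answer it, which looks copied from the stream file and would likely fail at config load or with a 404 before the assertion runs. Neither hunk shows what connects to the unix ssl socket, so even with the phase guard relaxed the handler may run on a plain connection and get `nil`; the earlier TLS tests in these files presumably carry that client plumbing and it should be reused here. The failure branch `ngx.say("cannot get socket")` should read `ngx.say("cannot get request ssl pointer")` so a failure is distinguishable from the socket-based test, and the `lua_ssl_protocols SSLV3 ...` line serves no purpose in a test that opens no cosocket and can be dropped.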