feat(response-ratelimiting) redis ssl (#8595)

Co-authored-by: Qi <call_far@outlook.com> Co-authored-by: Yusheng Li <leeys.top@gmail.com>
Kong · Nov 16, 2022 · a10d8b4 · a10d8b4
1 parent b71b03e
commit a10d8b4
Show file tree

Hide file tree

Showing 7 changed files with 1,123 additions and 933 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -108,6 +108,10 @@
   cookies are not persistend across browser restarts. Thanks [@tschaume](https://github.com/tschaume)
   for this contribution!
   [#8187](https://github.com/Kong/kong/pull/8187)
+- **Response-rate-limiting**: add support for Redis SSL, through configuration properties
+  `redis_ssl` (can be set to `true` or `false`), `ssl_verify`, and `ssl_server_name`.
+  [#8595](https://github.com/Kong/kong/pull/8595)
+  Thanks [@dominikkukacka](https://github.com/dominikkukacka)!
 
 #### Performance
 

diff --git a/kong/clustering/compat/removed_fields.lua b/kong/clustering/compat/removed_fields.lua
@@ -69,5 +69,10 @@ return {
       "error_code",
       "error_message",
     },
+    response_ratelimiting = {
+      "redis_ssl",
+      "redis_ssl_verify",
+      "redis_server_name",
+    },
   },
 }
diff --git a/kong/plugins/response-ratelimiting/policies/init.lua b/kong/plugins/response-ratelimiting/policies/init.lua
@@ -55,11 +55,19 @@ local function get_redis_connection(conf)
   local red = redis:new()
   red:set_timeout(conf.redis_timeout)
 
+  sock_opts.ssl = conf.redis_ssl
+  sock_opts.ssl_verify = conf.redis_ssl_verify
+  sock_opts.server_name = conf.redis_server_name
+
   -- use a special pool name only if redis_database is set to non-zero
   -- otherwise use the default pool name host:port
-  sock_opts.pool = conf.redis_database and
-                   conf.redis_host .. ":" .. conf.redis_port ..
-                   ":" .. conf.redis_database
+  if conf.redis_database ~= 0 then
+    sock_opts.pool = fmt( "%s:%d;%d",
+                          conf.redis_host,
+                          conf.redis_port,
+                          conf.redis_database)
+  end
+
   local ok, err = red:connect(conf.redis_host, conf.redis_port,
                               sock_opts)
   if not ok then

diff --git a/kong/plugins/response-ratelimiting/schema.lua b/kong/plugins/response-ratelimiting/schema.lua
@@ -75,6 +75,9 @@ return {
           { redis_port = typedefs.port({ default = 6379 }), },
           { redis_password = { type = "string", len_min = 0, referenceable = true }, },
           { redis_username = { type = "string", referenceable = true }, },
+          { redis_ssl = { type = "boolean", required = true, default = false, }, },
+          { redis_ssl_verify = { type = "boolean", required = true, default = false }, },
+          { redis_server_name = typedefs.sni },
           { redis_timeout = { type = "number", default = 2000 }, },
           { redis_database = { type = "number", default = 0 }, },
           { block_on_first_violation = { type = "boolean", required = true, default = false }, },

diff --git a/spec/01-unit/19-hybrid/03-fields-removal_spec.lua b/spec/01-unit/19-hybrid/03-fields-removal_spec.lua
@@ -69,6 +69,11 @@ describe("kong.clustering.control_plane", function()
         "redis_ssl_verify",
         "redis_server_name",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2003000000))
 
     assert.same({
@@ -99,6 +104,11 @@ describe("kong.clustering.control_plane", function()
         "redis_ssl_verify",
         "redis_server_name",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2003003003))
 
     assert.same({
@@ -129,6 +139,11 @@ describe("kong.clustering.control_plane", function()
         "redis_ssl_verify",
         "redis_server_name",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2003004000))
 
     assert.same({
@@ -159,6 +174,11 @@ describe("kong.clustering.control_plane", function()
         "redis_ssl_verify",
         "redis_server_name",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2004001000))
 
     assert.same({
@@ -179,6 +199,11 @@ describe("kong.clustering.control_plane", function()
         "redis_ssl_verify",
         "redis_server_name",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2004001002))
 
     assert.same({
@@ -199,6 +224,11 @@ describe("kong.clustering.control_plane", function()
         "redis_ssl_verify",
         "redis_server_name",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2005000000))
 
     assert.same({
@@ -209,19 +239,34 @@ describe("kong.clustering.control_plane", function()
         "redis_ssl_verify",
         "redis_server_name",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2006000000))
 
     assert.same({
       rate_limiting = {
         "error_code",
         "error_message",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2007000000))
  assert.same({
       rate_limiting = {
         "error_code",
         "error_message",
       },
+      response_ratelimiting = {
+        "redis_ssl",
+        "redis_ssl_verify",
+        "redis_server_name",
+      },
     }, cp._get_removed_fields(2008000000))
     assert.same(nil, cp._get_removed_fields(3001000000))
   end)