diff --git a/.requirements b/.requirements index 82e14ec44ff0..e338583920a1 100644 --- a/.requirements +++ b/.requirements @@ -9,7 +9,7 @@ LUA_KONG_NGINX_MODULE=4d19e8d19c6dbc07eba5cf6f5ebacad95266f928 # 0.6.0 LUA_RESTY_LMDB=951926f20b674a0622236a0e331b359df1c02d9b # 1.3.0 LUA_RESTY_EVENTS=8448a92cec36ac04ea522e78f6496ba03c9b1fd8 # 0.2.0 LUA_RESTY_WEBSOCKET=60eafc3d7153bceb16e6327074e0afc3d94b1316 # 0.4.0 -ATC_ROUTER=72cc8fddeac024c54c9c1fa5a25c28a72d79080e # 1.1.0 +ATC_ROUTER=b0d5e7e2a2ca59bb051959385d3e42d96c93bb98 # 1.2.0 KONG_MANAGER=nightly NGX_WASM_MODULE_BRANCH=main diff --git a/CHANGELOG.md b/CHANGELOG.md index a7e53c61e59a..750f8caf6423 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,6 +36,9 @@ #### Core +- Enable `expressions` and `traditional_compatible` router flavor in stream subsystem. + [#11071](https://github.com/Kong/kong/pull/11071) + #### Admin API #### Kong Manager @@ -165,8 +168,9 @@ - Bumped pgmoon from 1.16.0 to 1.16.2 (Kong's fork) [#11181](https://github.com/Kong/kong/pull/11181) [#11229](https://github.com/Kong/kong/pull/11229) -- Bumped atc-router from 1.0.5 to 1.1.0 +- Bumped atc-router from 1.0.5 to 1.2.0 [#10100](https://github.com/Kong/kong/pull/10100) + [#11071](https://github.com/Kong/kong/pull/11071) - Bumped lua-resty-lmdb from 1.1.0 to 1.3.0 [#11227](https://github.com/Kong/kong/pull/11227) diff --git a/kong/router/atc.lua b/kong/router/atc.lua index 967ad9bd8f88..cd8efa841fc6 100644 --- a/kong/router/atc.lua +++ b/kong/router/atc.lua @@ -18,6 +18,7 @@ local assert = assert local setmetatable = setmetatable local pairs = pairs local ipairs = ipairs +local tonumber = tonumber local max = math.max @@ -49,6 +50,9 @@ local LOGICAL_OR = " || " local LOGICAL_AND = " && " +local is_http = ngx.config.subsystem == "http" + + -- reuse buffer object local values_buf = buffer.new(64) @@ -64,8 +68,11 @@ do }, ["Int"] = {"net.port", + "net.src.port", "net.dst.port", }, + ["IpAddr"] = {"net.src.ip", "net.dst.ip", + }, } CACHED_SCHEMA = schema.new() @@ -343,7 +350,6 @@ end -- example.*:123 => example.*, 123 local split_host_port do - local tonumber = tonumber local DEFAULT_HOSTS_LRUCACHE_SIZE = DEFAULT_MATCH_LRUCACHE_SIZE local memo_hp = lrucache.new(DEFAULT_HOSTS_LRUCACHE_SIZE) @@ -381,6 +387,8 @@ do end +if is_http then + function _M:select(req_method, req_uri, req_host, req_scheme, src_ip, src_port, dst_ip, dst_port, @@ -588,6 +596,140 @@ function _M:exec(ctx) return match_t end +else -- is stream subsystem + +function _M:select(_, _, _, scheme, + src_ip, src_port, + dst_ip, dst_port, + sni) + + check_select_params(nil, nil, nil, scheme, + src_ip, src_port, + dst_ip, dst_port, + sni) + + local c = context.new(self.schema) + + for _, field in ipairs(self.fields) do + if field == "net.protocol" then + assert(c:add_value(field, scheme)) + + elseif field == "tls.sni" then + local res, err = c:add_value(field, sni) + if not res then + return nil, err + end + + elseif field == "net.src.ip" then + assert(c:add_value(field, src_ip)) + + elseif field == "net.src.port" then + assert(c:add_value(field, src_port)) + + elseif field == "net.dst.ip" then + assert(c:add_value(field, dst_ip)) + + elseif field == "net.dst.port" then + assert(c:add_value(field, dst_port)) + + end -- if + end -- for + + local matched = self.router:execute(c) + if not matched then + return nil + end + + local uuid = c:get_result() + + local service = self.services[uuid] + local matched_route = self.routes[uuid] + + local service_protocol, _, --service_type + service_host, service_port, + service_hostname_type = get_service_info(service) + + return { + route = matched_route, + service = service, + upstream_url_t = { + type = service_hostname_type, + host = service_host, + port = service_port, + }, + upstream_scheme = service_protocol, + } +end + + +function _M:exec(ctx) + local src_ip = var.remote_addr + local dst_ip = var.server_addr + + local src_port = tonumber(var.remote_port, 10) + local dst_port = tonumber((ctx or ngx.ctx).host_port, 10) or + tonumber(var.server_port, 10) + + -- error value for non-TLS connections ignored intentionally + local sni = server_name() + + -- fallback to preread SNI if current connection doesn't terminate TLS + if not sni then + sni = var.ssl_preread_server_name + end + + local scheme + if var.protocol == "UDP" then + scheme = "udp" + else + scheme = sni and "tls" or "tcp" + end + + -- when proxying TLS request in second layer or doing TLS passthrough + -- rewrite the dst_ip, port back to what specified in proxy_protocol + if var.kong_tls_passthrough_block == "1" or var.ssl_protocol then + dst_ip = var.proxy_protocol_server_addr + dst_port = tonumber(var.proxy_protocol_server_port) + end + + local cache_key = (src_ip or "") .. "|" .. + (src_port or "") .. "|" .. + (dst_ip or "") .. "|" .. + (dst_port or "") .. "|" .. + (sni or "") + + local match_t = self.cache:get(cache_key) + if not match_t then + if self.cache_neg:get(cache_key) then + route_match_stat(ctx, "neg") + return nil + end + + local err + match_t, err = self:select(nil, nil, nil, scheme, + src_ip, src_port, + dst_ip, dst_port, + sni) + if not match_t then + if err then + ngx_log(ngx_ERR, "router returned an error: ", err) + end + + self.cache_neg:set(cache_key, true) + return nil + end + + self.cache:set(cache_key, match_t) + + else + route_match_stat(ctx, "pos") + end + + return match_t +end + +end -- if is_http + function _M._set_ngx(mock_ngx) if type(mock_ngx) ~= "table" then diff --git a/kong/router/compat.lua b/kong/router/compat.lua index c78ea3404cbb..99b66fe26433 100644 --- a/kong/router/compat.lua +++ b/kong/router/compat.lua @@ -17,6 +17,7 @@ local escape_str = atc.escape_str local is_empty_field = atc.is_empty_field local gen_for_field = atc.gen_for_field local split_host_port = atc.split_host_port +local parse_ip_addr = require("kong.router.utils").parse_ip_addr local type = type @@ -28,6 +29,9 @@ local byte = string.byte local bor, band, lshift = bit.bor, bit.band, bit.lshift +local is_http = ngx.config.subsystem == "http" + + local DOT = byte(".") local TILDE = byte("~") local ASTERISK = byte("*") @@ -41,6 +45,9 @@ local headers_buf = buffer.new(128) local single_header_buf = buffer.new(64) +-- sep: a seperator of expressions, like '&&' +-- idx: indicate whether or not to add 'sep' +-- for example, we should not add 'sep' for the first element in array local function buffer_append(buf, sep, str, idx) if #buf > 0 and (idx == nil or idx > 1) @@ -55,6 +62,7 @@ local OP_EQUAL = "==" local OP_PREFIX = "^=" local OP_POSTFIX = "=^" local OP_REGEX = "~" +local OP_IN = "in" local LOGICAL_OR = atc.LOGICAL_OR @@ -67,6 +75,68 @@ local LOGICAL_AND = atc.LOGICAL_AND local uuid_generator = assert(uuid.factory_v5('7f145bf9-0dce-4f91-98eb-debbce4b9f6b')) +local function gen_for_nets(ip_field, port_field, vals) + if is_empty_field(vals) then + return nil + end + + local nets_buf = buffer.new(64):put("(") + + for i = 1, #vals do + local v = vals[i] + + if type(v) ~= "table" then + ngx.log(ngx.ERR, "sources/destinations elements must be a table") + return nil + end + + if is_empty_field(v) then + ngx.log(ngx.ERR, "sources/destinations elements must not be empty") + return nil + end + + local ip = v.ip + local port = v.port + + local exp_ip, exp_port + + if ip then + local addr, mask = parse_ip_addr(ip) + + if mask then -- ip in cidr + exp_ip = ip_field .. " " .. OP_IN .. " " .. + addr .. "/" .. mask + + else -- ip == addr + exp_ip = ip_field .. " " .. OP_EQUAL .. " " .. + addr + end + end + + if port then + exp_port = port_field .. " " .. OP_EQUAL .. " " .. port + end + + if not ip then + buffer_append(nets_buf, LOGICAL_OR, exp_port, i) + goto continue + end + + if not port then + buffer_append(nets_buf, LOGICAL_OR, exp_ip, i) + goto continue + end + + buffer_append(nets_buf, LOGICAL_OR, + "(" .. exp_ip .. LOGICAL_AND .. exp_port .. ")", i) + + ::continue:: + end -- for + + return nets_buf:put(")"):get() +end + + local function get_expression(route) local methods = route.methods local hosts = route.hosts @@ -74,12 +144,10 @@ local function get_expression(route) local headers = route.headers local snis = route.snis - expr_buf:reset() + local srcs = route.sources + local dsts = route.destinations - local gen = gen_for_field("http.method", OP_EQUAL, methods) - if gen then - buffer_append(expr_buf, LOGICAL_AND, gen) - end + expr_buf:reset() local gen = gen_for_field("tls.sni", OP_EQUAL, snis, function(_, p) if #p > 1 and byte(p, -1) == DOT then @@ -92,11 +160,41 @@ local function get_expression(route) if gen then -- See #6425, if `net.protocol` is not `https` -- then SNI matching should simply not be considered - gen = "(net.protocol != \"https\"" .. LOGICAL_OR .. gen .. ")" + if srcs or dsts then + gen = "(net.protocol != \"tls\"" .. LOGICAL_OR .. gen .. ")" + else + gen = "(net.protocol != \"https\"" .. LOGICAL_OR .. gen .. ")" + end buffer_append(expr_buf, LOGICAL_AND, gen) end + -- stream expression + + do + local src_gen = gen_for_nets("net.src.ip", "net.src.port", srcs) + local dst_gen = gen_for_nets("net.dst.ip", "net.dst.port", dsts) + + if src_gen then + buffer_append(expr_buf, LOGICAL_AND, src_gen) + end + + if dst_gen then + buffer_append(expr_buf, LOGICAL_AND, dst_gen) + end + + if src_gen or dst_gen then + return expr_buf:get() + end + end + + -- http expression + + local gen = gen_for_field("http.method", OP_EQUAL, methods) + if gen then + buffer_append(expr_buf, LOGICAL_AND, gen) + end + if not is_empty_field(hosts) then hosts_buf:reset():put("(") @@ -186,6 +284,71 @@ do end +local stream_get_priority +do + -- compatible with http priority + local STREAM_SNI_BIT = lshift_uint64(0x01ULL, 61) + + -- IP > PORT > CIDR + local IP_BIT = lshift_uint64(0x01ULL, 3) + local PORT_BIT = lshift_uint64(0x01ULL, 2) + local CIDR_BIT = lshift_uint64(0x01ULL, 0) + + local function calc_ip_weight(ips) + local weight = 0x0ULL + + if is_empty_field(ips) then + return weight + end + + for i = 1, #ips do + local ip = ips[i].ip + local port = ips[i].port + + if ip then + if ip:find("/", 1, true) then + weight = bor(weight, CIDR_BIT) + + else + weight = bor(weight, IP_BIT) + end + end + + if port then + weight = bor(weight, PORT_BIT) + end + end + + return weight + end + + stream_get_priority = function(snis, srcs, dsts) + local match_weight = 0x0ULL + + -- [sni] has higher priority than [src] or [dst] + if not is_empty_field(snis) then + match_weight = STREAM_SNI_BIT + end + + -- [src] + [dst] has higher priority than [sni] + if not is_empty_field(srcs) and + not is_empty_field(dsts) + then + match_weight = STREAM_SNI_BIT + end + + local src_bits = calc_ip_weight(srcs) + local dst_bits = calc_ip_weight(dsts) + + local priority = bor(match_weight, + lshift(src_bits, 4), + dst_bits) + + return priority + end +end + + local PLAIN_HOST_ONLY_BIT = lshift(0x01ULL, 60) local REGEX_URL_BIT = lshift(0x01ULL, 51) @@ -205,13 +368,26 @@ local REGEX_URL_BIT = lshift(0x01ULL, 51) -- | | | -- +-------------------------+-------------------------------------+ local function get_priority(route) + local snis = route.snis + local srcs = route.sources + local dsts = route.destinations + + -- stream expression + + if not is_empty_field(srcs) or + not is_empty_field(dsts) + then + return stream_get_priority(snis, srcs, dsts) + end + + -- http expression + local methods = route.methods local hosts = route.hosts local paths = route.paths local headers = route.headers - local snis = route.snis - local match_weight = 0 + local match_weight = 0 -- 0x0ULL if not is_empty_field(methods) then match_weight = match_weight + 1 @@ -373,7 +549,9 @@ function _M.new(routes_and_services, cache, cache_neg, old_router) return error("expected arg #1 routes to be a table", 2) end - routes_and_services = split_routes_and_services_by_path(routes_and_services) + if is_http then + routes_and_services = split_routes_and_services_by_path(routes_and_services) + end return atc.new(routes_and_services, cache, cache_neg, old_router, get_exp_and_priority) end diff --git a/kong/router/expressions.lua b/kong/router/expressions.lua index 7f10bc3161bc..ff54792be1fe 100644 --- a/kong/router/expressions.lua +++ b/kong/router/expressions.lua @@ -30,7 +30,10 @@ local function get_exp_and_priority(route) local protocols = route.protocols -- give the chance for http redirection (301/302/307/308/426) - if protocols and #protocols == 1 and protocols[1] == "https" then + -- and allow tcp works with tls + if protocols and #protocols == 1 and + (protocols[1] == "https" or protocols[1] == "tls") + then return exp, route.priority end diff --git a/kong/router/init.lua b/kong/router/init.lua index 42c3d44bd25a..ebd065c18bdb 100644 --- a/kong/router/init.lua +++ b/kong/router/init.lua @@ -11,7 +11,6 @@ local compat = require("kong.router.compat") local utils = require("kong.router.utils") -local is_http = ngx.config.subsystem == "http" local phonehome_statistics = utils.phonehome_statistics @@ -41,9 +40,8 @@ function _M.new(routes, cache, cache_neg, old_router) phonehome_statistics(routes) - if not is_http or - not flavor or flavor == "traditional" - then + if not flavor or flavor == "traditional" then + local trad, err = traditional.new(routes, cache, cache_neg) if not trad then return nil, err @@ -58,6 +56,7 @@ function _M.new(routes, cache, cache_neg, old_router) return expressions.new(routes, cache, cache_neg, old_router) end + -- flavor == "traditional_compatible" return compat.new(routes, cache, cache_neg, old_router) end diff --git a/kong/router/utils.lua b/kong/router/utils.lua index b04e5ae2e7cb..bb6bc064f778 100644 --- a/kong/router/utils.lua +++ b/kong/router/utils.lua @@ -383,6 +383,39 @@ do end +local parse_ip_addr +do + local bit = require("bit") + local ipmatcher = require("resty.ipmatcher") + + local band, lshift, rshift = bit.band, bit.lshift, bit.rshift + + parse_ip_addr = function(ip) + local addr, mask = ipmatcher.split_ip(ip) + + if not mask then + return addr + end + + local ipv4 = ipmatcher.parse_ipv4(addr) + + -- FIXME: support ipv6 + if not ipv4 then + return addr, mask + end + + local cidr = lshift(rshift(ipv4, 32 - mask), 32 - mask) + + local n1 = band( cidr , 0xff) + local n2 = band(rshift(cidr, 8), 0xff) + local n3 = band(rshift(cidr, 16), 0xff) + local n4 = band(rshift(cidr, 24), 0xff) + + return n4 .. "." .. n3 .. "." .. n2 .. "." .. n1, mask + end +end + + return { DEFAULT_MATCH_LRUCACHE_SIZE = DEFAULT_MATCH_LRUCACHE_SIZE, @@ -396,4 +429,6 @@ return { route_match_stat = route_match_stat, is_regex_magic = is_regex_magic, phonehome_statistics = phonehome_statistics, + + parse_ip_addr = parse_ip_addr, } diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index 1b942df5f704..bf3e77337679 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua @@ -3,14 +3,20 @@ local atc_compat = require "kong.router.compat" local path_handling_tests = require "spec.fixtures.router_path_handling_tests" local uuid = require("kong.tools.utils").uuid -local function reload_router(flavor) +local function reload_router(flavor, subsystem) _G.kong = { configuration = { router_flavor = flavor, }, } + ngx.config.subsystem = subsystem or "http" -- luacheck: ignore + + package.loaded["kong.router.atc"] = nil + package.loaded["kong.router.compat"] = nil + package.loaded["kong.router.expressions"] = nil package.loaded["kong.router"] = nil + Router = require "kong.router" end @@ -4205,8 +4211,11 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" end) - if flavor == "traditional" then + -- flavor == "traditional"/"traditional_compatible"/"expressions" describe("#stream context", function() + -- enable stream subsystem + reload_router(flavor, "stream") + describe("[sources]", function() local use_case, router @@ -4216,6 +4225,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", sources = { { ip = "127.0.0.1" }, { ip = "127.0.0.2" }, @@ -4225,6 +4235,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", sources = { { port = 65001 }, { port = 65002 }, @@ -4235,6 +4246,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8103", sources = { { ip = "127.168.0.0/8" }, } @@ -4244,6 +4256,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8104", sources = { { ip = "127.0.0.1", port = 65001 }, } @@ -4252,6 +4265,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8105", sources = { { ip = "127.0.0.2", port = 65300 }, { ip = "127.168.0.0/16", port = 65301 }, @@ -4316,6 +4330,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", destinations = { { ip = "127.0.0.1" }, { ip = "127.0.0.2" }, @@ -4325,6 +4340,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", destinations = { { port = 65001 }, { port = 65002 }, @@ -4335,6 +4351,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8103", destinations = { { ip = "127.168.0.0/8" }, } @@ -4344,6 +4361,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8104", destinations = { { ip = "127.0.0.1", port = 65001 }, } @@ -4352,6 +4370,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8105", destinations = { { ip = "127.0.0.2", port = 65300 }, { ip = "127.168.0.0/16", port = 65301 }, @@ -4423,6 +4442,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", snis = { "www.example.org" } } }, @@ -4430,6 +4450,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", hosts = { "sni.example.com", }, @@ -4444,6 +4465,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8103", hosts = { "sni.example.com", }, @@ -4459,6 +4481,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8104", hosts = { "sni.example.com", }, @@ -4483,7 +4506,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" assert.same(use_case[1].route, match_t.route) end) - it("[sni] is ignored for http request without shadowing routes with `protocols={'http'}`. Fixes #6425", function() + it_trad_only("[sni] is ignored for http request without shadowing routes with `protocols={'http'}`. Fixes #6425", function() local match_t = router_ignore_sni:select(nil, nil, "sni.example.com", "http", nil, nil, nil, nil, nil) @@ -4504,12 +4527,14 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", snis = { "www.example.org" }, } }, { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", sources = { { ip = "127.0.0.1" }, } @@ -4518,6 +4543,7 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8103", destinations = { { ip = "172.168.0.1" }, } @@ -4543,12 +4569,14 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", snis = { "www.example.org" }, } }, { service = service, route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", sources = { { ip = "127.0.0.1" }, }, @@ -4567,12 +4595,90 @@ for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" assert.same(use_case[2].route, match_t.route) end) end) - end - end) -end + -- flavor == "traditional"/"traditional_compatible"/"expressions" + -- only traditional_compatible should check 'empty' fields + if flavor == "traditional_compatible" then + describe("#stream context", function() + -- enable stream subsystem + reload_router(flavor, "stream") + local get_expression = require("kong.router.compat").get_expression + + describe("check empty route fields", function() + local use_case + + before_each(function() + use_case = { + { + service = service, + route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + snis = { "www.example.org" }, + sources = { + { ip = "127.0.0.1" }, + } + }, + }, + } + end) + + local empty_values = { {}, ngx.null, nil } + for i = 1, 3 do + local v = empty_values[i] + + it("empty snis", function() + use_case[1].route.snis = v + + assert.equal(get_expression(use_case[1].route), [[(net.src.ip == 127.0.0.1)]]) + assert(new_router(use_case)) + end) + + it("empty snis and src cidr", function() + use_case[1].route.snis = v + use_case[1].route.sources = {{ ip = "127.168.0.1/8" },} + + assert.equal(get_expression(use_case[1].route), [[(net.src.ip in 127.0.0.0/8)]]) + assert(new_router(use_case)) + end) + + it("empty snis and dst cidr", function() + use_case[1].route.snis = v + use_case[1].route.destinations = {{ ip = "192.168.0.1/16" },} + + assert.equal(get_expression(use_case[1].route), + [[(net.src.ip == 127.0.0.1) && (net.dst.ip in 192.168.0.0/16)]]) + assert(new_router(use_case)) + end) + + it("empty sources", function() + use_case[1].route.sources = v + use_case[1].route.destinations = {{ ip = "192.168.0.1/16" },} + + assert.equal(get_expression(use_case[1].route), + [[(net.protocol != "tls" || (tls.sni == "www.example.org")) && (net.dst.ip in 192.168.0.0/16)]]) + assert(new_router(use_case)) + end) + + it("empty destinations", function() + use_case[1].route.destinations = v + + assert.equal(get_expression(use_case[1].route), + [[(net.protocol != "tls" || (tls.sni == "www.example.org")) && (net.src.ip == 127.0.0.1)]]) + assert(new_router(use_case)) + end) + end + end) + end) -- #stream context + end -- if flavor == "traditional_compatible" + end) -- describe("Router (flavor = +end -- for _, flavor + + +for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" }) do describe("[both regex and prefix with regex_priority]", function() + reload_router(flavor) + local use_case, router lazy_setup(function() @@ -4628,6 +4734,7 @@ describe("[both regex and prefix with regex_priority]", function() end) end) +end -- for flavor for _, flavor in ipairs({ "traditional", "traditional_compatible" }) do diff --git a/spec/02-integration/05-proxy/01-proxy_spec.lua b/spec/02-integration/05-proxy/01-proxy_spec.lua index 24959df4680a..c510b247532c 100644 --- a/spec/02-integration/05-proxy/01-proxy_spec.lua +++ b/spec/02-integration/05-proxy/01-proxy_spec.lua @@ -2,6 +2,7 @@ local helpers = require "spec.helpers" local utils = require "pl.utils" local stringx = require "pl.stringx" local http = require "resty.http" +local atc_compat = require "kong.router.compat" local function count_server_blocks(filename) @@ -138,9 +139,49 @@ describe("#stream proxy interface listeners", function() end) end) + +local function reload_router(flavor) + _G.kong = { + configuration = { + router_flavor = flavor, + }, + } + + helpers.setenv("KONG_ROUTER_FLAVOR", flavor) + + package.loaded["spec.helpers"] = nil + package.loaded["kong.global"] = nil + package.loaded["kong.cache"] = nil + package.loaded["kong.db"] = nil + package.loaded["kong.db.schema.entities.routes"] = nil + package.loaded["kong.db.schema.entities.routes_subschemas"] = nil + + helpers = require "spec.helpers" + + helpers.unsetenv("KONG_ROUTER_FLAVOR") +end + + +local function gen_route(flavor, r) + if flavor ~= "expressions" then + return r + end + + r.expression = atc_compat.get_expression(r) + r.priority = tonumber(atc_compat._get_priority(r)) + + r.destinations = nil + + return r +end + + +for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" }) do for _, strategy in helpers.each_strategy() do if strategy ~= "off" then - describe("[stream]", function() + describe("[stream" .. ", flavor = " .. flavor .. "]", function() + reload_router(flavor) + local MESSAGE = "echo, ping, pong. echo, ping, pong. echo, ping, pong.\n" lazy_setup(function() local bp = helpers.get_db_utils(strategy, { @@ -155,7 +196,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tcp", }) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { destinations = { { port = 19000 }, }, @@ -163,9 +204,9 @@ for _, strategy in helpers.each_strategy() do "tcp", }, service = service, - }) + }))) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { protocols = { "tcp" }, service = service, destinations = { @@ -176,9 +217,9 @@ for _, strategy in helpers.each_strategy() do { ip = "0.0.0.0" }, { port = 19004 }, } - }) + }))) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { protocols = { "tcp" }, service = service, destinations = { @@ -189,9 +230,9 @@ for _, strategy in helpers.each_strategy() do { ip = "0.0.0.0" }, { port = 19004 }, } - }) + }))) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { protocols = { "tcp" }, service = service, destinations = { @@ -202,9 +243,9 @@ for _, strategy in helpers.each_strategy() do { ip = "0.0.0.0" }, { port = 19004 }, } - }) + }))) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { protocols = { "tcp" }, service = service, destinations = { @@ -215,9 +256,9 @@ for _, strategy in helpers.each_strategy() do { ip = "0.0.0.0" }, { port = 19004 }, } - }) + }))) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { protocols = { "tcp" }, service = service, destinations = { @@ -228,9 +269,10 @@ for _, strategy in helpers.each_strategy() do { ip = "0.0.0.0" }, { port = 19004 }, } - }) + }))) assert(helpers.start_kong({ + router_flavor = flavor, database = strategy, stream_listen = helpers.get_proxy_ip(false) .. ":19000, " .. helpers.get_proxy_ip(false) .. ":18000, " .. @@ -284,3 +326,4 @@ for _, strategy in helpers.each_strategy() do end) end end +end -- for flavor diff --git a/spec/02-integration/05-proxy/06-ssl_spec.lua b/spec/02-integration/05-proxy/06-ssl_spec.lua index 112fe337ffe1..ce91dd55f9e7 100644 --- a/spec/02-integration/05-proxy/06-ssl_spec.lua +++ b/spec/02-integration/05-proxy/06-ssl_spec.lua @@ -596,9 +596,9 @@ for _, strategy in helpers.each_strategy() do end) end) - -- XXX: now flavor "expressions" does not support tcp/tls - if flavor ~= "expressions" then describe("TLS proxy [#" .. strategy .. ", flavor = " .. flavor .. "]", function() + reload_router(flavor) + lazy_setup(function() local bp = helpers.get_db_utils(strategy, { "routes", @@ -692,7 +692,6 @@ for _, strategy in helpers.each_strategy() do end) end) end) - end -- if flavor ~= "expressions" then describe("SSL [#" .. strategy .. ", flavor = " .. flavor .. "]", function() diff --git a/spec/02-integration/05-proxy/10-balancer/06-stream_spec.lua b/spec/02-integration/05-proxy/10-balancer/06-stream_spec.lua index f7fa323ca709..53dc73de26fa 100644 --- a/spec/02-integration/05-proxy/10-balancer/06-stream_spec.lua +++ b/spec/02-integration/05-proxy/10-balancer/06-stream_spec.lua @@ -1,8 +1,48 @@ local helpers = require "spec.helpers" +local atc_compat = require "kong.router.compat" +local function reload_router(flavor) + _G.kong = { + configuration = { + router_flavor = flavor, + }, + } + + helpers.setenv("KONG_ROUTER_FLAVOR", flavor) + + package.loaded["spec.helpers"] = nil + package.loaded["kong.global"] = nil + package.loaded["kong.cache"] = nil + package.loaded["kong.db"] = nil + package.loaded["kong.db.schema.entities.routes"] = nil + package.loaded["kong.db.schema.entities.routes_subschemas"] = nil + + helpers = require "spec.helpers" + + helpers.unsetenv("KONG_ROUTER_FLAVOR") +end + + +local function gen_route(flavor, r) + if flavor ~= "expressions" then + return r + end + + r.expression = atc_compat.get_expression(r) + r.priority = tonumber(atc_compat._get_priority(r)) + + r.destinations = nil + + return r +end + + +for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" }) do for _, strategy in helpers.each_strategy() do - describe("Balancer: least-connections [#" .. strategy .. "]", function() + describe("Balancer: least-connections [#" .. strategy .. ", flavor = " .. flavor .. "]", function() + reload_router(flavor) + local MESSAGE = "echo, ping, pong. echo, ping, pong. echo, ping, pong.\n" lazy_setup(function() local bp = helpers.get_db_utils(strategy, { @@ -30,7 +70,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tcp", } - bp.routes:insert { + bp.routes:insert(gen_route(flavor, { destinations = { { port = 19000 }, }, @@ -38,7 +78,7 @@ for _, strategy in helpers.each_strategy() do "tcp", }, service = service, - } + })) local upstream_retries = bp.upstreams:insert({ name = "tcp-upstream-retries", @@ -69,7 +109,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tcp", } - bp.routes:insert { + bp.routes:insert(gen_route(flavor, { destinations = { { port = 18000 }, }, @@ -77,9 +117,10 @@ for _, strategy in helpers.each_strategy() do "tcp", }, service = service_retries, - } + })) helpers.start_kong({ + router_flavor = flavor, database = strategy, stream_listen = helpers.get_proxy_ip(false) .. ":19000," .. helpers.get_proxy_ip(false) .. ":18000", @@ -116,3 +157,4 @@ for _, strategy in helpers.each_strategy() do end) end) end +end -- for flavor diff --git a/spec/02-integration/05-proxy/18-upstream_tls_spec.lua b/spec/02-integration/05-proxy/18-upstream_tls_spec.lua index 0acfd89de8a9..aaaaae5df5e9 100644 --- a/spec/02-integration/05-proxy/18-upstream_tls_spec.lua +++ b/spec/02-integration/05-proxy/18-upstream_tls_spec.lua @@ -1,9 +1,9 @@ local helpers = require "spec.helpers" local ssl_fixtures = require "spec.fixtures.ssl" +local atc_compat = require "kong.router.compat" local fixtures = { - dns_mock = helpers.dns_mock.new(), http_mock = { upstream_mtls = [[ server { @@ -44,14 +44,55 @@ local fixtures = { } -fixtures.dns_mock:A { - name = "example.com", - address = "127.0.0.1", -} +local function reload_router(flavor) + _G.kong = { + configuration = { + router_flavor = flavor, + }, + } + + helpers.setenv("KONG_ROUTER_FLAVOR", flavor) + + package.loaded["spec.helpers"] = nil + package.loaded["kong.global"] = nil + package.loaded["kong.cache"] = nil + package.loaded["kong.db"] = nil + package.loaded["kong.db.schema.entities.routes"] = nil + package.loaded["kong.db.schema.entities.routes_subschemas"] = nil + + helpers = require "spec.helpers" + + helpers.unsetenv("KONG_ROUTER_FLAVOR") + + fixtures.dns_mock = helpers.dns_mock.new({ mocks_only = true }) + fixtures.dns_mock:A { + name = "example.com", + address = "127.0.0.1", + } +end + + +local function gen_route(flavor, r) + if flavor ~= "expressions" then + return r + end + + r.expression = atc_compat.get_expression(r) + r.priority = tonumber(atc_compat._get_priority(r)) + r.hosts = nil + r.paths = nil + r.snis = nil + r.destinations = nil + + return r +end + + +for _, flavor in ipairs({ "traditional", "traditional_compatible" }) do for _, strategy in helpers.each_strategy() do - describe("overriding upstream TLS parameters for database #" .. strategy, function() + describe("overriding upstream TLS parameters for database [#" .. strategy .. ", flavor = " .. flavor .. "]", function() local admin_client local bp local service_mtls, service_tls @@ -63,6 +104,8 @@ for _, strategy in helpers.each_strategy() do local tls_upstream local tls_service_mtls_upstream + reload_router(flavor) + lazy_setup(function() bp = helpers.get_db_utils(strategy, { "routes", @@ -111,23 +154,23 @@ for _, strategy in helpers.each_strategy() do cert = ssl_fixtures.cert_ca, })) - assert(bp.routes:insert({ + assert(bp.routes:insert(gen_route(flavor,{ service = { id = service_mtls.id, }, hosts = { "example.com", }, paths = { "/mtls", }, - })) + }))) - assert(bp.routes:insert({ + assert(bp.routes:insert(gen_route(flavor,{ service = { id = service_tls.id, }, hosts = { "example.com", }, paths = { "/tls", }, - })) + }))) - assert(bp.routes:insert({ + assert(bp.routes:insert(gen_route(flavor,{ service = { id = service_mtls_upstream.id, }, hosts = { "example.com", }, paths = { "/mtls-upstream", }, - })) + }))) -- tls tls_service_mtls = assert(bp.services:insert({ @@ -155,7 +198,7 @@ for _, strategy in helpers.each_strategy() do host = "example.com" })) - assert(bp.routes:insert({ + assert(bp.routes:insert(gen_route(flavor,{ service = { id = tls_service_mtls.id, }, destinations = { { @@ -165,9 +208,9 @@ for _, strategy in helpers.each_strategy() do protocols = { "tls", }, - })) + }))) - assert(bp.routes:insert({ + assert(bp.routes:insert(gen_route(flavor,{ service = { id = tls_service_tls.id, }, destinations = { { @@ -177,9 +220,9 @@ for _, strategy in helpers.each_strategy() do protocols = { "tls", }, - })) + }))) - assert(bp.routes:insert({ + assert(bp.routes:insert(gen_route(flavor,{ service = { id = tls_service_mtls_upstream.id, }, destinations = { { @@ -189,10 +232,11 @@ for _, strategy in helpers.each_strategy() do protocols = { "tls", }, - })) + }))) assert(helpers.start_kong({ + router_flavor = flavor, database = strategy, nginx_conf = "spec/fixtures/custom_nginx.template", stream_listen = helpers.get_proxy_ip(false) .. ":19000," @@ -760,3 +804,4 @@ for _, strategy in helpers.each_strategy() do end end) end +end -- for flavor diff --git a/spec/02-integration/05-proxy/23-context_spec.lua b/spec/02-integration/05-proxy/23-context_spec.lua index b0fd8911ec15..603dd21ee75e 100644 --- a/spec/02-integration/05-proxy/23-context_spec.lua +++ b/spec/02-integration/05-proxy/23-context_spec.lua @@ -1,10 +1,51 @@ local helpers = require "spec.helpers" local null = ngx.null +local atc_compat = require "kong.router.compat" +local function reload_router(flavor) + _G.kong = { + configuration = { + router_flavor = flavor, + }, + } + + helpers.setenv("KONG_ROUTER_FLAVOR", flavor) + + package.loaded["spec.helpers"] = nil + package.loaded["kong.global"] = nil + package.loaded["kong.cache"] = nil + package.loaded["kong.db"] = nil + package.loaded["kong.db.schema.entities.routes"] = nil + package.loaded["kong.db.schema.entities.routes_subschemas"] = nil + + helpers = require "spec.helpers" + + helpers.unsetenv("KONG_ROUTER_FLAVOR") +end + + +local function gen_route(flavor, r) + if flavor ~= "expressions" then + return r + end + + r.expression = atc_compat.get_expression(r) + r.priority = tonumber(atc_compat._get_priority(r)) + + r.paths = nil + r.destinations = nil + + return r +end + + +for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" }) do for _, strategy in helpers.each_strategy() do - describe("Context Tests [#" .. strategy .. "]", function() + describe("Context Tests [#" .. strategy .. ", flavor = " .. flavor .. "]", function() describe("[http]", function() + reload_router(flavor) + local proxy_client lazy_setup(function() local bp = helpers.get_db_utils(strategy, { @@ -16,9 +57,9 @@ for _, strategy in helpers.each_strategy() do "ctx-tests-response", }) - local unbuff_route = bp.routes:insert { + local unbuff_route = bp.routes:insert(gen_route(flavor, { paths = { "/" }, - } + })) bp.plugins:insert { name = "ctx-tests", @@ -33,9 +74,9 @@ for _, strategy in helpers.each_strategy() do } } - local buffered_route = bp.routes:insert { + local buffered_route = bp.routes:insert(gen_route(flavor, { paths = { "/buffered" }, - } + })) bp.plugins:insert { name = "ctx-tests", @@ -50,9 +91,9 @@ for _, strategy in helpers.each_strategy() do } } - local response_route = bp.routes:insert { + local response_route = bp.routes:insert(gen_route(flavor, { paths = { "/response" }, - } + })) bp.plugins:insert { name = "ctx-tests-response", @@ -68,6 +109,7 @@ for _, strategy in helpers.each_strategy() do } assert(helpers.start_kong({ + router_flavor = flavor, database = strategy, plugins = "bundled,ctx-tests,ctx-tests-response", nginx_conf = "spec/fixtures/custom_nginx.template", @@ -128,6 +170,8 @@ for _, strategy in helpers.each_strategy() do if strategy ~= "off" then describe("[stream]", function() + reload_router(flavor) + local MESSAGE = "echo, ping, pong. echo, ping, pong. echo, ping, pong.\n" local tcp_client lazy_setup(function() @@ -145,7 +189,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tcp", }) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { destinations = { { port = 19000 }, }, @@ -153,7 +197,7 @@ for _, strategy in helpers.each_strategy() do "tcp", }, service = service, - }) + }))) bp.plugins:insert { name = "ctx-tests", @@ -166,6 +210,7 @@ for _, strategy in helpers.each_strategy() do } assert(helpers.start_kong({ + router_flavor = flavor, database = strategy, stream_listen = helpers.get_proxy_ip(false) .. ":19000", plugins = "bundled,ctx-tests", @@ -197,3 +242,4 @@ for _, strategy in helpers.each_strategy() do end end) end +end -- for flavor diff --git a/spec/02-integration/05-proxy/26-udp_spec.lua b/spec/02-integration/05-proxy/26-udp_spec.lua index fee0b85d50d1..4be4717032e9 100644 --- a/spec/02-integration/05-proxy/26-udp_spec.lua +++ b/spec/02-integration/05-proxy/26-udp_spec.lua @@ -1,12 +1,52 @@ local helpers = require "spec.helpers" +local atc_compat = require "kong.router.compat" local UDP_PROXY_PORT = 26001 +local function reload_router(flavor) + _G.kong = { + configuration = { + router_flavor = flavor, + }, + } + + helpers.setenv("KONG_ROUTER_FLAVOR", flavor) + + package.loaded["spec.helpers"] = nil + package.loaded["kong.global"] = nil + package.loaded["kong.cache"] = nil + package.loaded["kong.db"] = nil + package.loaded["kong.db.schema.entities.routes"] = nil + package.loaded["kong.db.schema.entities.routes_subschemas"] = nil + + helpers = require "spec.helpers" + + helpers.unsetenv("KONG_ROUTER_FLAVOR") +end + + +local function gen_route(flavor, r) + if flavor ~= "expressions" then + return r + end + + r.expression = atc_compat.get_expression(r) + r.priority = tonumber(atc_compat._get_priority(r)) + + r.sources = nil + + return r +end + + +for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" }) do for _, strategy in helpers.each_strategy() do - describe("UDP Proxying [#" .. strategy .. "]", function() + describe("UDP Proxying [#" .. strategy .. ", flavor = " .. flavor .. "]", function() + reload_router(flavor) + lazy_setup(function() local bp = helpers.get_db_utils(strategy, { "routes", @@ -18,13 +58,14 @@ for _, strategy in helpers.each_strategy() do url = "udp://127.0.0.1:" .. helpers.mock_upstream_stream_port, }) - assert(bp.routes:insert { + assert(bp.routes:insert(gen_route(flavor, { protocols = { "udp" }, service = service, sources = { { ip = "127.0.0.1", }, } - }) + }))) assert(helpers.start_kong { + router_flavor = flavor, database = strategy, nginx_conf = "spec/fixtures/custom_nginx.template", stream_listen = "127.0.0.1:" .. UDP_PROXY_PORT .. " udp", @@ -47,3 +88,4 @@ for _, strategy in helpers.each_strategy() do end) end) end +end -- for flavor diff --git a/spec/02-integration/05-proxy/28-stream_plugins_triggering_spec.lua b/spec/02-integration/05-proxy/28-stream_plugins_triggering_spec.lua index 3c53c4e6bc72..c0546d2e8fc1 100644 --- a/spec/02-integration/05-proxy/28-stream_plugins_triggering_spec.lua +++ b/spec/02-integration/05-proxy/28-stream_plugins_triggering_spec.lua @@ -1,6 +1,7 @@ local helpers = require "spec.helpers" local pl_file = require "pl.file" local cjson = require "cjson" +local atc_compat = require "kong.router.compat" local TEST_CONF = helpers.test_conf @@ -69,8 +70,48 @@ local function assert_phases(phrases) end end + +local function reload_router(flavor) + _G.kong = { + configuration = { + router_flavor = flavor, + }, + } + + helpers.setenv("KONG_ROUTER_FLAVOR", flavor) + + package.loaded["spec.helpers"] = nil + package.loaded["kong.global"] = nil + package.loaded["kong.cache"] = nil + package.loaded["kong.db"] = nil + package.loaded["kong.db.schema.entities.routes"] = nil + package.loaded["kong.db.schema.entities.routes_subschemas"] = nil + + helpers = require "spec.helpers" + + helpers.unsetenv("KONG_ROUTER_FLAVOR") +end + + +local function gen_route(flavor, r) + if flavor ~= "expressions" then + return r + end + + r.expression = atc_compat.get_expression(r) + r.priority = tonumber(atc_compat._get_priority(r)) + + r.destinations = nil + + return r +end + + +for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" }) do for _, strategy in helpers.each_strategy() do - describe("#stream Proxying [#" .. strategy .. "]", function() + describe("#stream Proxying [#" .. strategy .. ", flavor = " .. flavor .. "]", function() + reload_router(flavor) + local bp before_each(function() @@ -89,7 +130,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tcp" }) - bp.routes:insert { + bp.routes:insert(gen_route(flavor, { destinations = { { port = 19000, @@ -99,7 +140,7 @@ for _, strategy in helpers.each_strategy() do "tcp", }, service = tcp_srv, - } + })) local tls_srv = bp.services:insert({ name = "tls", @@ -108,7 +149,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tls" }) - bp.routes:insert { + bp.routes:insert(gen_route(flavor, { destinations = { { port = 19443, @@ -118,13 +159,14 @@ for _, strategy in helpers.each_strategy() do "tls", }, service = tls_srv, - } + })) bp.plugins:insert { name = "logger", } assert(helpers.start_kong({ + router_flavor = flavor, database = strategy, nginx_conf = "spec/fixtures/custom_nginx.template", plugins = "logger", @@ -163,7 +205,9 @@ for _, strategy in helpers.each_strategy() do end) end) - describe("#stream Proxying [#" .. strategy .. "]", function() + describe("#stream Proxying [#" .. strategy .. ", flavor = " .. flavor .. "]", function() + reload_router(flavor) + local bp before_each(function() @@ -183,7 +227,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tcp" }) - bp.routes:insert { + bp.routes:insert(gen_route(flavor, { destinations = { { port = 19000, @@ -193,7 +237,7 @@ for _, strategy in helpers.each_strategy() do "tcp", }, service = tcp_srv, - } + })) local tls_srv = bp.services:insert({ name = "tls", @@ -202,7 +246,7 @@ for _, strategy in helpers.each_strategy() do protocol = "tls" }) - bp.routes:insert { + bp.routes:insert(gen_route(flavor, { destinations = { { port = 19443, @@ -212,7 +256,7 @@ for _, strategy in helpers.each_strategy() do "tls", }, service = tls_srv, - } + })) bp.plugins:insert { name = "logger", @@ -227,6 +271,7 @@ for _, strategy in helpers.each_strategy() do } assert(helpers.start_kong({ + router_flavor = flavor, database = strategy, nginx_conf = "spec/fixtures/custom_nginx.template", plugins = "logger,short-circuit", @@ -277,3 +322,4 @@ for _, strategy in helpers.each_strategy() do end) end) end +end -- for flavor