fix(router): fix tls_passthrough in expression flavor #11538

Merged
merged 13 commits into from
Sep 18, 2023
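--- a/CHANGELOG/unreleased/kong/11538.yaml
+++ b/CHANGELOG/unreleased/kong/11538.yaml
@@ -0,0 +1,7 @@
+message: Fix an issue that protocol `tls_passthrough` can not work with expressions flavor
+type: bugfix
+scope: Core
+prs:
+- 11538
+jiras:
+- "KAG-2561"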
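--- a/kong/router/expressions.lua
+++ b/kong/router/expressions.lua
@@ -32,7 +32,9 @@ local function get_exp_and_priority(route)
 -- give the chance for http redirection (301/302/307/308/426)
 -- and allow tcp works with tls
 if protocols and #protocols == 1 and
-(protocols[1] == "https" or protocols[1] == "tls")
+(protocols[1] == "https" or
+protocols[1] == "tls" or
+protocols[1] == "tls_passthrough")
 then
 return exp, route.priority
 end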
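Review bot: The early return now applies to `tls_passthrough` only when it is the route's sole protocol (`#protocols == 1`). A route that lists it together with another protocol takes the path after `end`, which lies outside this hunk, so that combination cannot be confirmed from here, and the added unit tests use single-protocol routes only. The two-line comment above the condition still describes just the http-redirection and tcp/tls cases; a third line such as `-- tls_passthrough routes are matched the same way as tls` (wording for the author to confirm) would record why the value was added. As the list grows, a lookup table such as `local NO_PROTO_CHECK = { https = true, tls = true, tls_passthrough = true }` tested with `NO_PROTO_CHECK[protocols[1]]` would read more easily than chained `==` comparisons. `get_exp_and_priority` starts and ends outside the hunk.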
69 changes: 68 additions & 1 deletion spec/01-unit/08-router_spec.lua
@@ -4860,7 +4860,74 @@ end
do
local flavor = "expressions"

describe("Router (flavor = " .. flavor .. ")", function()
describe("Router (flavor = " .. flavor .. ") [stream]", function()
reload_router(flavor, "stream")

local use_case, router

local service = {
name = "service-invalid",
protocol = "tcp",
}

lazy_setup(function()
use_case = {
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8101",
protocols = { "tls" },
expression = [[tls.sni == "www.example.com"]],
priority = 100,
},
},
{
service = service,
route = {
id = "e8fb37f1-102d-461e-9c51-6608a6bb8102",
protocols = { "tls_passthrough" },
expression = [[tls.sni == "www.example.org"]],
priority = 100,
},
},
}

router = assert(new_router(use_case))
end)

it("exec() should match tls with tls.sni", function()
local _ngx = {
var = {
remote_port = 1000,
server_port = 1000,
ssl_preread_server_name = "www.example.com",
},
}
router._set_ngx(_ngx)
local match_t = router:exec()
assert.truthy(match_t)

assert.same(use_case[1].route, match_t.route)
end)

it("exec() should match tls_passthrough with tls.sni", function()
local _ngx = {
var = {
remote_port = 1000,
server_port = 1000,
ssl_preread_server_name = "www.example.org",
},
}
router._set_ngx(_ngx)
local match_t = router:exec()
assert.truthy(match_t)

assert.same(use_case[2].route, match_t.route)
end)

end)

describe("Router (flavor = " .. flavor .. ") [http]", function()
reload_router(flavor)

local use_case, router
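Review bot: The new `[stream]` block has no case for a miss: both `it` cases supply an SNI that one of the two routes lists, so nothing pins what `exec()` does for an SNI that belongs to neither. A third case in the same `describe`, with `ssl_preread_server_name = "www.example.net"` (a constructed value) and an assertion such as `assert.falsy(router:exec())`, would guard against a stream route being selected for an unlisted server name. The value `exec()` returns on a miss is not visible in this hunk, so the assertion should follow whatever the rest of the file uses. A short comment on the shared `service` table, e.g. `-- placeholder service; only the route match is asserted`, would also explain the `service-invalid` name.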
2 changes: 1 addition & 1 deletion spec/02-integration/05-proxy/02-router_spec.lua
@@ -1410,7 +1410,7 @@ for _, strategy in helpers.each_strategy() do
end
end)

it_trad_only("matches a Route based on its 'snis' attribute", function()
it("matches a Route based on its 'snis' attribute", function()
-- config propagates to stream subsystems not instantly
-- try up to 10 seconds with step of 2 seconds
-- in vagrant it takes around 6 seconds