From 6e973bde2ff1bd3e3e716eea641fa9ef7854ac6f Mon Sep 17 00:00:00 2001
From: Qi
Date: Tue, 29 Mar 2022 10:06:10 +0800
Subject: [PATCH 01/12] Update kong_defaults.lua
---
 kong/templates/kong_defaults.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kong/templates/kong_defaults.lua b/kong/templates/kong_defaults.lua
index 20c6923336e..7d2eb6adad9 100644
--- a/kong/templates/kong_defaults.lua
+++ b/kong/templates/kong_defaults.lua
@@ -163,7 +163,7 @@ worker_consistency = strict
 worker_state_update_frequency = 5
 lua_socket_pool_size = 30
-lua_ssl_trusted_certificate = NONE
+lua_ssl_trusted_certificate = system
 lua_ssl_verify_depth = 1
 lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
 lua_package_path = ./?.lua;./?/init.lua;
From 73730b47d4e450f2385c50a7d48647e025703ac4 Mon Sep 17 00:00:00 2001
From: Qi
Date: Tue, 29 Mar 2022 15:03:22 +0800
Subject: [PATCH 02/12] fix ci
---
 spec/01-unit/03-conf_loader_spec.lua | 13 +++++-----
 spec/01-unit/04-prefix_handler_spec.lua | 7 ++---
 spec/helpers.lua | 34 +++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
index ecd5ec6f6f6..fc38f49fded 100644
--- a/spec/01-unit/03-conf_loader_spec.lua
+++ b/spec/01-unit/03-conf_loader_spec.lua
@@ -851,9 +851,8 @@ describe("Configuration loader", function()
 cluster_cert_key = "spec/fixtures/kong_clustering.key",
 })
 assert.is_nil(errors)
- assert.same({
- pl_path.abspath("spec/fixtures/kong_clustering.crt"),
- }, conf.lua_ssl_trusted_certificate)
+ assert.has_value(conf.lua_ssl_trusted_certificate,
+ pl_path.abspath("spec/fixtures/kong_clustering.crt"))
 assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
 local conf, _, errors = conf_loader(nil, {
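Review bot: Defaulting `lua_ssl_trusted_certificate` to `system` makes start-up depend on finding an OS CA bundle: the `kong.conf.default` text updated later in this series says an error is raised when none of the probed paths exists, so a minimal image without a bundle now fails where `NONE` used to start. The changelog entry should state this and name the value that restores the old behaviour, and the `kong.conf.default` comment could carry a line such as `# Note: with the default of system, start-up fails when no CA bundle is found on the host.`. Since the system store is meant for verifying public CA chains, it is also worth confirming that the unchanged `lua_ssl_verify_depth = 1` context line is deep enough for chains with more than one intermediate. The value only selects the trust store; per the same documentation, database connections are verified only when `pg_ssl_verify` / `cassandra_ssl_verify` are enabled.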
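Review bot: `assert.has_value` only proves the clustering certificate is somewhere in `conf.lua_ssl_trusted_certificate`; the `assert.same` it replaces also proved nothing else was in the list, and that guarantee is lost here, in the `-865` and `-911` hunks that follow, and again in the `assert.contains` / `assert.not_contains` rewrites of patch 07. Since this list becomes the CA set used for cosocket verification, an unexpected extra entry is a security regression the test should catch. If the loader keeps the literal `system` entry, `assert.same({ "system", pl_path.abspath("spec/fixtures/kong_clustering.crt") }, conf.lua_ssl_trusted_certificate)` would pin the full list; otherwise assert on whatever the default expands to plus the cluster certificate. The enclosing `it` block starts before the hunk.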
@@ -865,9 +864,8 @@ describe("Configuration loader", function()
 cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
 })
 assert.is_nil(errors)
- assert.same({
- pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
- }, conf.lua_ssl_trusted_certificate)
+ assert.has_value(conf.lua_ssl_trusted_certificate,
+ pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"))
 assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
 end)
 it("doen't overwrite lua_ssl_trusted_certificate when autoload cluster_cert or cluster_ca_cert", function()
@@ -911,7 +909,8 @@ describe("Configuration loader", function()
 cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
 })
 assert.is_nil(errors)
- assert.same({}, conf.lua_ssl_trusted_certificate)
+ assert.not_has_value(conf.lua_ssl_trusted_certificate,
+ pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"))
 end)
 it("resolves SSL cert/key to absolute path", function()
 local conf, err = conf_loader(nil, {
diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
index 8b32b232755..05f16ab7528 100644
--- a/spec/01-unit/04-prefix_handler_spec.lua
+++ b/spec/01-unit/04-prefix_handler_spec.lua
@@ -108,7 +108,7 @@ describe("NGINX conf compiler", function()
 assert.matches("listen%s+127%.0%.0%.1:9001;", kong_nginx_conf)
 assert.matches("server_name%s+kong;", kong_nginx_conf)
 assert.matches("server_name%s+kong_admin;", kong_nginx_conf)
- assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
+ assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
 end)
 it("compiles with custom conf", function()
 local conf = assert(conf_loader(helpers.test_conf_path, {
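Review bot: The pattern `lua_ssl_trusted_certificate.+;` in the `-108` hunk is too loose to prove the directive is emitted correctly: `.` matches newlines in Lua patterns, so `.+;` runs greedily to the last `;` in the file and the assertion passes as long as the directive name appears anywhere. A tighter check is `assert.matches("lua_ssl_trusted_certificate%s+[^;\n]+;", kong_nginx_conf)`, or better, match the resolved `conf.lua_ssl_trusted_certificate_combined` path the directive is expected to carry. The same pattern is used in the `-235` hunk of this file. The enclosing `it` block starts before the hunk.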
@@ -235,10 +235,10 @@ describe("NGINX conf compiler", function()
 local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
 assert.matches("lua_ssl_verify_depth%s+1;", kong_nginx_conf)
 end)
- it("does not include lua_ssl_trusted_certificate by default", function()
+ it("includes default lua_ssl_trusted_certificate", function()
 local conf = assert(conf_loader(helpers.test_conf_path))
 local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
- assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
+ assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
 end)
 it("sets lua_ssl_trusted_certificate to a combined file (single entry)", function()
 local conf = assert(conf_loader(helpers.test_conf_path, {
@@ -780,6 +780,7 @@ describe("NGINX conf compiler", function()
 local config = assert(conf_loader(helpers.test_conf_path, {
 prefix = "inexistent"
 }))
+ prefix_handler.prepare_prefix(config)
 assert(prefix_handler.prepare_prefix(config))
 assert.truthy(exists("inexistent"))
 end)
diff --git a/spec/helpers.lua b/spec/helpers.lua
index 8ab1c655a7d..e77e9a19b10 100644
--- a/spec/helpers.lua
+++ b/spec/helpers.lua
@@ -1910,6 +1910,40 @@ luassert:register("assertion", "cn", assert_cn,
 "assertion.cn.positive")
+
+local function assert_has_value(state, args)
+ assert(type(args[1]) == "table",
+ "Expected first argument to be a table")
+
+ for _, v in pairs(args[1]) do
+ if v == args[2] then
+ return true
+ end
+ end
+
+ return false
+end
+
+say:set("assertion.has_value.negative", [[
+Expected table to have the given value.
+Passed in
+%s
+Expected value
+%s
+]])
+say:set("assertion.has_value.positive", [[
+Expected table to not have the given value.
+Passed in
+%s
+Expected value
+%s
+]])
+
+luassert:register("assertion", "has_value", assert_has_value,
+ "assertion.has_value.negative",
+ "assertion.has_value.positive")
+
+
 do
 --- Generic modifier "logfile"
 -- Will set an "errlog_path" value in the assertion state.
From b7deab6319f9d0208e44302f506cbbd34c879b1e Mon Sep 17 00:00:00 2001
From: Qi
Date: Tue, 29 Mar 2022 16:17:03 +0800
Subject: [PATCH 03/12] add comments for new assertion
---
 spec/helpers.lua | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/spec/helpers.lua b/spec/helpers.lua
index e77e9a19b10..8026f3451a3 100644
--- a/spec/helpers.lua
+++ b/spec/helpers.lua
@@ -1910,7 +1910,14 @@ luassert:register("assertion", "cn", assert_cn,
 "assertion.cn.positive")
-
+--- Assertions to check whether a value exists in a table
+-- @function has_value
+-- @param table
+-- @param value
+-- @return exists?
+-- @usage
+-- assert.has_value({"foo"}, "foo") -- true
+-- assert.not_has_value({"foo"}, "bar") -- true
 local function assert_has_value(state, args)
 assert(type(args[1]) == "table",
 "Expected first argument to be a table")
From afb9e56e9f2686cd3bcc280cd4bc9d78515fb75a Mon Sep 17 00:00:00 2001
From: Qi
Date: Tue, 29 Mar 2022 16:47:17 +0800
Subject: [PATCH 04/12] docs(CHANGELOG) update
---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0bd579c2043..64bcedfe64e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -75,6 +75,13 @@
 - Bumped inspect from 3.1.2 to 3.1.3
 [#8589](https://github.com/Kong/kong/pull/8589)
+
+### Changes
+##### Configuration
+
+- Change the default of `lua_ssl_trusted_certificate` to `system`.
+ [#8602](https://github.com/Kong/kong/pull/8602)
+
 ### Fixes
 #### Core
From d6202c22809a0a4f138cb9d58a4631f1b3de6ad5 Mon Sep 17 00:00:00 2001
From: Qi
Date: Wed, 30 Mar 2022 15:32:41 +0800
Subject: [PATCH 05/12] roll back one line of `spec/01-unit/04-prefix_handler_spec.lua`
---
 spec/01-unit/04-prefix_handler_spec.lua | 1 -
 1 file changed, 1 deletion(-)
diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
index 05f16ab7528..452e6b3c2dc 100644
--- a/spec/01-unit/04-prefix_handler_spec.lua
+++ b/spec/01-unit/04-prefix_handler_spec.lua
@@ -780,7 +780,6 @@ describe("NGINX conf compiler", function()
 local config = assert(conf_loader(helpers.test_conf_path, {
 prefix = "inexistent"
 }))
- prefix_handler.prepare_prefix(config)
 assert(prefix_handler.prepare_prefix(config))
 assert.truthy(exists("inexistent"))
 end)
From 6e88a887193099f5cef76a2978b3b028b7151c8a Mon Sep 17 00:00:00 2001
From: Qi
Date: Thu, 31 Mar 2022 14:53:25 +0800
Subject: [PATCH 06/12] roll back `spec/helpers.lua`
---
 spec/helpers.lua | 42 ------------------------------------------
 1 file changed, 42 deletions(-)
diff --git a/spec/helpers.lua b/spec/helpers.lua
index 8026f3451a3..1917904aed7 100644
--- a/spec/helpers.lua
+++ b/spec/helpers.lua
@@ -1909,48 +1909,6 @@ luassert:register("assertion", "cn", assert_cn,
 "assertion.cn.negative",
 "assertion.cn.positive")
-
---- Assertions to check whether a value exists in a table
--- @function has_value
--- @param table
--- @param value
--- @return exists?
--- @usage
--- assert.has_value({"foo"}, "foo") -- true
--- assert.not_has_value({"foo"}, "bar") -- true
-local function assert_has_value(state, args)
- assert(type(args[1]) == "table",
- "Expected first argument to be a table")
-
- for _, v in pairs(args[1]) do
- if v == args[2] then
- return true
- end
- end
-
- return false
-end
-
-say:set("assertion.has_value.negative", [[
-Expected table to have the given value.
-Passed in
-%s
-Expected value
-%s
-]])
-say:set("assertion.has_value.positive", [[
-Expected table to not have the given value.
-Passed in
-%s
-Expected value
-%s
-]])
-
-luassert:register("assertion", "has_value", assert_has_value,
- "assertion.has_value.negative",
- "assertion.has_value.positive")
-
-
 do
 --- Generic modifier "logfile"
 -- Will set an "errlog_path" value in the assertion state.
From ad5ccfafcc16a6c2eb6e4c23eb544ec72b959cf8 Mon Sep 17 00:00:00 2001
From: Qi
Date: Thu, 31 Mar 2022 14:53:50 +0800
Subject: [PATCH 07/12] update `spec/01-unit/03-conf_loader_spec.lua`
---
 spec/01-unit/03-conf_loader_spec.lua | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
index fc38f49fded..f328abed7c1 100644
--- a/spec/01-unit/03-conf_loader_spec.lua
+++ b/spec/01-unit/03-conf_loader_spec.lua
@@ -851,8 +851,10 @@ describe("Configuration loader", function()
 cluster_cert_key = "spec/fixtures/kong_clustering.key",
 })
 assert.is_nil(errors)
- assert.has_value(conf.lua_ssl_trusted_certificate,
- pl_path.abspath("spec/fixtures/kong_clustering.crt"))
+ assert.contains(
+ pl_path.abspath("spec/fixtures/kong_clustering.crt"),
+ conf.lua_ssl_trusted_certificate
+ )
 assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
 local conf, _, errors = conf_loader(nil, {
@@ -864,8 +866,10 @@ describe("Configuration loader", function()
 cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
 })
 assert.is_nil(errors)
- assert.has_value(conf.lua_ssl_trusted_certificate,
- pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"))
+ assert.contains(
+ pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
+ conf.lua_ssl_trusted_certificate
+ )
 assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
 end)
 it("doen't overwrite lua_ssl_trusted_certificate when autoload cluster_cert or cluster_ca_cert", function()
@@ -909,8 +913,10 @@ describe("Configuration loader", function()
 cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
 })
 assert.is_nil(errors)
- assert.not_has_value(conf.lua_ssl_trusted_certificate,
- pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"))
+ assert.not_contains(
+ pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
+ conf.lua_ssl_trusted_certificate
+ )
 end)
 it("resolves SSL cert/key to absolute path", function()
 local conf, err = conf_loader(nil, {
From f3e81d433123a039ce9952d0731c5e3bbc806eb2 Mon Sep 17 00:00:00 2001
From: Qi
Date: Thu, 31 Mar 2022 15:06:59 +0800
Subject: [PATCH 08/12] update CHANGELOG
---
 CHANGELOG.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64bcedfe64e..147ec5a4472 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -76,11 +76,12 @@
 [#8589](https://github.com/Kong/kong/pull/8589)
-### Changes
+### Breaking Changes
 ##### Configuration
-- Change the default of `lua_ssl_trusted_certificate` to `system`.
- [#8602](https://github.com/Kong/kong/pull/8602)
+- Change the default of `lua_ssl_trusted_certificate` to `system`
+ [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep
+ working as before, please manually set it to `NONE` before upgrading.
 ### Fixes
From 2f15d8acfd16f38abee8a1fc12bba4f42e5c6edc Mon Sep 17 00:00:00 2001
From: Qi
Date: Wed, 6 Apr 2022 19:27:16 +0800
Subject: [PATCH 09/12] update file `kong.conf.default`
---
 kong.conf.default | 54 +++++++++++++++++++++++------------------------
 1 file changed, 27 insertions(+), 27 deletions(-)
diff --git a/kong.conf.default b/kong.conf.default
index 4c91e39dd3f..a8018f28b0d 100644
--- a/kong.conf.default
+++ b/kong.conf.default
@@ -1379,33 +1379,33 @@
 # https://github.com/openresty/lua-nginx-module
-#lua_ssl_trusted_certificate = # Comma-separated list of paths to certificate
- # authority files for Lua cosockets in PEM format.
- #
- # The special value `system` attempts to search for the
- # "usual default" provided by each distro, according
- # to an arbitrary heuristic. In the current implementation,
- # The following pathnames will be tested in order,
- # and the first one found will be used:
- #
- # - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
- # - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
- # - /etc/ssl/ca-bundle.pem (OpenSUSE)
- # - /etc/pki/tls/cacert.pem (OpenELEC)
- # - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
- # - /etc/ssl/cert.pem (OpenBSD, Alpine)
- #
- # If no file is found on any of these paths, an error will
- # be raised.
- #
- # `system` can be used by itself or in conjunction with other
- # CA filepaths.
- #
- # When `pg_ssl_verify` or `cassandra_ssl_verify`
- # are enabled, these certificate authority files will be
- # used for verifying Kong's database connections.
- #
- # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
+#lua_ssl_trusted_certificate = system # Comma-separated list of paths to certificate
+ # authority files for Lua cosockets in PEM format.
+ #
+ # The special value `system` attempts to search for the
+ # "usual default" provided by each distro, according
+ # to an arbitrary heuristic. In the current implementation,
+ # The following pathnames will be tested in order,
+ # and the first one found will be used:
+ #
+ # - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
+ # - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
+ # - /etc/ssl/ca-bundle.pem (OpenSUSE)
+ # - /etc/pki/tls/cacert.pem (OpenELEC)
+ # - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
+ # - /etc/ssl/cert.pem (OpenBSD, Alpine)
+ #
+ # If no file is found on any of these paths, an error will
+ # be raised.
+ #
+ # `system` can be used by itself or in conjunction with other
+ # CA filepaths.
+ #
+ # When `pg_ssl_verify` or `cassandra_ssl_verify`
+ # are enabled, these certificate authority files will be
+ # used for verifying Kong's database connections.
+ #
+ # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
 #lua_ssl_verify_depth = 1 # Sets the verification depth in the server
 # certificates chain used by Lua cosockets,
From 039224bc2fea7714330ec983b50fb0da4cf471f0 Mon Sep 17 00:00:00 2001
From: Qi
Date: Wed, 6 Apr 2022 20:07:13 +0800
Subject: [PATCH 10/12] fix changelog
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ec9ea5d01e3..8a019ad5152 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -98,7 +98,8 @@
 - Change the default of `lua_ssl_trusted_certificate` to `system`
 [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep
- working as before, please manually set it to `NONE` before upgrading.
+ working as before, please manually set it to empty
+ (`lua_ssl_trusted_certificate = [nothing in here]`) before upgrading.
 ### Additions
From b69546fd25a09d625de45b696a71935d1d2ee603 Mon Sep 17 00:00:00 2001
From: Qi
Date: Wed, 6 Apr 2022 20:11:28 +0800
Subject: [PATCH 11/12] Update CHANGELOG.md
Co-authored-by: Datong Sun
---
 CHANGELOG.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a019ad5152..f16e5041fb1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -97,9 +97,7 @@
 ##### Configuration
 - Change the default of `lua_ssl_trusted_certificate` to `system`
- [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep
- working as before, please manually set it to empty
- (`lua_ssl_trusted_certificate = [nothing in here]`) before upgrading.
+ [#8602](https://github.com/Kong/kong/pull/8602).
 ### Additions
From 2e8cf3b5c70d0d430cbe25242d195986f25bf81f Mon Sep 17 00:00:00 2001
From: Datong Sun
Date: Wed, 6 Apr 2022 20:15:16 +0800
Subject: [PATCH 12/12] Update CHANGELOG.md
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f16e5041fb1..e560c083676 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -97,7 +97,7 @@
 ##### Configuration
 - Change the default of `lua_ssl_trusted_certificate` to `system`
- [#8602](https://github.com/Kong/kong/pull/8602).
+ [#8602](https://github.com/Kong/kong/pull/8602) to automatically load trusted CA list from system CA store.
 ### Additions