feat(conf): support base64 encoded *_cert and *_cert_key #9367

Merged
35 changes: 35 additions & 0 deletions kong/conf_loader/init.lua
Expand Up @@ -18,6 +18,7 @@ local utils = require "kong.tools.utils"
local log = require "kong.cmd.utils.log"
local env = require "kong.cmd.utils.env"
local ffi = require "ffi"
local base64 = require "ngx.base64"


local fmt = string.format
Expand All @@ -44,6 +45,8 @@ local abspath = pl_path.abspath
local tostring = tostring
local tonumber = tonumber
local setmetatable = setmetatable
local decode_base64 = ngx.decode_base64
local decode_base64url = base64.decode_base64url


local get_phase do
Expand Down Expand Up @@ -622,6 +625,26 @@ local function infer_value(value, typ, opts)
end


local function try_base64_decode(vals)
bungle marked this conversation as resolved.
if type(vals) == "table" then
for i, v in ipairs(vals) do
vals[i] = decode_base64(v)
or decode_base64url(v)
or v
end
return vals
end

if type(vals) == "string" then
return decode_base64(vals)
or decode_base64url(vals)
or vals
end

return vals
end


-- Validate properties (type/enum/custom) and infer their type.
-- @param[type=table] conf The configuration table to treat.
local function check_and_infer(conf, opts)
Expand All @@ -646,6 +669,18 @@ local function check_and_infer(conf, opts)
conf[k] = value
end

-- decode base64 for supported fields
for _, prefix in ipairs({
"ssl",
"admin_ssl",
"status_ssl",
"client_ssl",
"cluster"
}) do
conf[prefix .. "_cert"] = try_base64_decode(conf[prefix .. "_cert"])
conf[prefix .. "_cert_key"] = try_base64_decode(conf[prefix .. "_cert_key"])
end

---------------------
-- custom validations
---------------------
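Review bot: `try_base64_decode` replaces any value that happens to be well-formed base64 with its decoded bytes and never checks that the result is certificate or key material. If these properties can also hold a file path or raw PEM, as the `or v` fallback suggests, a value made only of base64-alphabet characters (letters, digits, `/`, `+`, or `-`/`_` for the url variant) would be silently turned into binary data and fail later with an unrelated error. Assuming the encoded payload is always PEM, keep the decoded form only when it carries a PEM marker and otherwise leave the value untouched, as sketched below. The helper also overwrites the entries of a table argument in place, which deserves a one-line comment.

```lua
-- keep the decoded form only when it is recognisably PEM
local function decode_if_pem(v)
  local decoded = decode_base64(v) or decode_base64url(v)
  if decoded and decoded:find("-----BEGIN", 1, true) then
    return decoded
  end
  return v
end

local function try_base64_decode(vals)
  if type(vals) == "table" then
    for i, v in ipairs(vals) do
      vals[i] = decode_if_pem(v)
    end
    return vals
  end

  if type(vals) == "string" then
    return decode_if_pem(vals)
  end

  return vals
end
```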
39 changes: 39 additions & 0 deletions spec/01-unit/03-conf_loader_spec.lua
Expand Up @@ -728,6 +728,45 @@ describe("Configuration loader", function()
assert.is_nil(conf)
end)
describe("SSL", function()
it("accepts and decodes valid base64 values", function()
local ssl_fixtures = require "spec.fixtures.ssl"
local prefixes = {
"ssl",
"admin_ssl",
"status_ssl",
"client_ssl",
"cluster"
}
local cert = ssl_fixtures.cert
local key = ssl_fixtures.key
local cert_base64 = ngx.encode_base64(cert)
local key_base64 = ngx.encode_base64(key)
local params = {}
for _, prefix in ipairs(prefixes) do
params[prefix .. "_cert"] = cert_base64
params[prefix .. "_cert_key"] = key_base64
end
local conf, err = conf_loader(nil, params)

assert.is_nil(err)
assert.is_table(conf)
for _, prefix in ipairs(prefixes) do
local certs = conf[prefix .. "_cert"]
local keys = conf[prefix .. "_cert_key"]

if type(certs) == "table" then
for i = 1, #certs do
assert.equals(cert, certs[i])
assert.equals(key, keys[i])
end
end

if type(certs) == "string" then
assert.equals(cert, certs)
assert.equals(key, keys)
end
end
end)
describe("proxy", function()
it("does not check SSL cert and key if SSL is off", function()
local conf, err = conf_loader(nil, {
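Review bot: The assertions in the final loop of "accepts and decodes valid base64 values" run only when `conf[prefix .. "_cert"]` is a table or a string, so a field that came back nil would let the test pass without checking anything. Add `assert.is_not_nil(certs)` and `assert.is_not_nil(keys)` before the two type branches. The case also exercises only `ngx.encode_base64` input, so nothing covers the `decode_base64url` branch or a value that must pass through unchanged, such as a file path or raw PEM. A second `it` with a base64url-encoded fixture and one with an undecodable value would pin those branches.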