From 4040df9f511ea06fc4df40a94b30918dd3f71fbd Mon Sep 17 00:00:00 2001 From: spacewander Date: Mon, 13 Jun 2022 17:57:17 +0800 Subject: [PATCH] chore: validate etcd conf strictly Signed-off-by: spacewander --- .github/workflows/chaos.yml | 3 +- apisix/cli/schema.lua | 14 ++++++- t/chaos/utils/Dockerfile | 76 +++++++++++++++++++++++++++++++++++ t/cli/test_validate_config.sh | 27 +++++++++++++ 4 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 t/chaos/utils/Dockerfile
diff --git a/.github/workflows/chaos.yml b/.github/workflows/chaos.yml
index 677b6150d6eed..20b45f602c904 100644
--- a/.github/workflows/chaos.yml
+++ b/.github/workflows/chaos.yml
@@ -40,9 +40,8 @@ jobs: - name: Creating minikube cluster run: | bash ./t/chaos/utils/setup_chaos_utils.sh start_minikube - wget https://raw.githubusercontent.com/apache/apisix-docker/master/alpine-local/Dockerfile mkdir logs - docker build -t apache/apisix:alpine-local --build-arg APISIX_PATH=. -f Dockerfile . + docker build -t apache/apisix:alpine-local --build-arg APISIX_PATH=. -f ./t/chaos/utils/Dockerfile . minikube cache add apache/apisix:alpine-local -v 7 --alsologtostderr - name: Print cluster information
diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua
index 8c7a873214c1c..7afece3ab2399 100644
--- a/apisix/cli/schema.lua
+++ b/apisix/cli/schema.lua
@@ -212,8 +212,20 @@ local config_schema = { type = "string", }, } + }, + prefix = { + type = "string", + pattern = [[^/[^/]+$]] + }, + host = { + type = "array", + items = { + type = "string", + pattern = [[^https?://]] + } } - } + }, + required = {"prefix", "host"} }, wasm = { type = "object",
diff --git a/t/chaos/utils/Dockerfile b/t/chaos/utils/Dockerfile
new file mode 100644
index 0000000000000..90ee0f2cde5d4
--- /dev/null
+++ b/t/chaos/utils/Dockerfile
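Review bot: The new `host` rule still accepts an empty list and a bare scheme: `required = {"prefix", "host"}` only checks that the key is present, and `[[^https?://]]` is anchored at the start only, so `host: []` and an entry of just `http://` would both pass as far as this hunk shows. Adding `minItems = 1,` beside `type = "array",` closes the first gap, and a comment such as `-- scheme check only; the authority part is not validated here` would document the second. The `prefix` pattern `[[^/[^/]+$]]` rejects any prefix with more than one path segment as well as a trailing slash; if that is intended, say so in a comment, since existing configs with a nested prefix will now fail at init. The etcd table opens above this hunk, so other constraints on these fields may exist outside the visible lines.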
@@ -0,0 +1,76 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ARG ENABLE_PROXY=false
+
+FROM openresty/openresty:1.19.3.2-alpine-fat AS production-stage
+
+ARG ENABLE_PROXY
+ARG APISIX_PATH
+COPY $APISIX_PATH ./apisix
+RUN set -x \
+ && (test "${ENABLE_PROXY}" != "true" || /bin/sed -i 's,http://dl-cdn.alpinelinux.org,https://mirrors.aliyun.com,g' /etc/apk/repositories) \
+ && apk add --no-cache --virtual .builddeps \
+ automake \
+ autoconf \
+ libtool \
+ pkgconfig \
+ cmake \
+ git \
+ openldap-dev \
+ openresty-pcre-dev \
+ && cd apisix \
+ && git config --global url.https://github.com/.insteadOf git://github.com/ \
+ && mkdir -p ~/.luarocks \
+ && luarocks config --local variable.PCRE_DIR /usr/local/openresty/pcre/ \
+ && make deps \
+ && cp -v bin/apisix /usr/bin/ \
+ && mv ../apisix /usr/local/apisix \
+ && apk del .builddeps build-base make unzip
+
+FROM alpine:3.13 AS last-stage
+
+ARG ENABLE_PROXY
+# add runtime for Apache APISIX
+RUN set -x \
+ && (test "${ENABLE_PROXY}" != "true" || /bin/sed -i 's,http://dl-cdn.alpinelinux.org,https://mirrors.aliyun.com,g' /etc/apk/repositories) \
+ && apk add --no-cache \
+ bash \
+ curl \
+ libstdc++ \
+ openldap \
+ tzdata
+
+WORKDIR /usr/local/apisix
+
+COPY --from=production-stage /usr/local/openresty/ /usr/local/openresty/
+COPY --from=production-stage /usr/local/apisix/ /usr/local/apisix/
+COPY --from=production-stage /usr/bin/apisix /usr/bin/apisix
+
+# forward request and error logs to docker log collector
+RUN mkdir -p logs && touch logs/access.log && touch logs/error.log \
+ && ln -sf /dev/stdout /usr/local/apisix/logs/access.log \
+ && ln -sf /dev/stderr /usr/local/apisix/logs/error.log
+
+ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin
+
+EXPOSE 9080 9443
+
+CMD ["sh", "-c", "/usr/bin/apisix init && /usr/bin/apisix init_etcd && /usr/local/openresty/bin/openresty -p /usr/local/apisix -g 'daemon off;'"]
+
+STOPSIGNAL SIGQUIT
+
diff --git a/t/cli/test_validate_config.sh b/t/cli/test_validate_config.sh
index 164d530fe0a4e..216f1d9fb14d8 100755
--- a/t/cli/test_validate_config.sh
+++ b/t/cli/test_validate_config.sh
@@ -202,3 +202,30 @@ if echo "$out" | grep "missing loopback or unspecified in the nginx_config.http. fi echo "passed: check the realip configuration for batch-requests" + +echo ' +etcd: + host: + - 127.0.0.1 +' > conf/config.yaml + +out=$(make init 2>&1 || true) +if ! echo "$out" | grep 'property "host" validation failed'; then + echo "failed: should check etcd schema during init" + exit 1 +fi + +echo ' +etcd: + prefix: "/apisix/" + host: + - https://127.0.0.1 +' > conf/config.yaml + +out=$(make init 2>&1 || true) +if ! echo "$out" | grep 'property "prefix" validation failed'; then + echo "failed: should check etcd schema during init" + exit 1 +fi + +echo "passed: check etcd schema during init"
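Review bot: The final stage never sets a `USER` and it receives the whole build context: `COPY $APISIX_PATH ./apisix` is built with `APISIX_PATH=.` in the workflow hunk of this patch, the directory is moved to `/usr/local/apisix`, and `COPY --from=production-stage /usr/local/apisix/ /usr/local/apisix/` carries it over unchanged, so `.git` and any other workspace files end up in the image unless a `.dockerignore` (not part of this patch) excludes them. For a test-only image that may be acceptable, but a header comment such as `# test-only image for t/chaos: runs as root and copies the full checkout, do not publish` would make the limits explicit. Separately, the `CMD` leaves `sh` as PID 1, so `STOPSIGNAL SIGQUIT` may be delivered to the shell rather than to openresty; ending the command string with `&& exec /usr/local/openresty/bin/openresty -p /usr/local/apisix -g 'daemon off;'` would hand PID 1 to nginx.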
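Review bot: Both failure branches print the same text, `failed: should check etcd schema during init`, so a CI log does not show whether the `host` case or the `prefix` case regressed; distinct messages such as `echo "failed: should reject etcd host without a scheme"` and `echo "failed: should reject etcd prefix with a trailing slash"` would fix that. The hunk also covers only rejected configs: a case with a valid single-segment `prefix` and an `https://` host, asserting that no `validation failed` line appears, would guard against the new patterns being stricter than intended.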