From a1c35dd673909451431747afe735e1a5e9ef5d91 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Mon, 11 Sep 2023 14:29:13 +0800 Subject: [PATCH 01/13] fix tls_passthough --- kong/router/expressions.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kong/router/expressions.lua b/kong/router/expressions.lua index ff54792be1fe..fbc0ef50a1d9 100644 --- a/kong/router/expressions.lua +++ b/kong/router/expressions.lua @@ -13,7 +13,7 @@ local LOGICAL_AND = atc.LOGICAL_AND -- map to normal protocol local PROTOCOLS_OVERRIDE = { - tls_passthrough = "tcp", + tls_passthrough = "tls", grpc = "http", grpcs = "https", } From a01a9622c9b6a15a7d8cdca4f513e66bf5c8f952 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Mon, 11 Sep 2023 14:36:24 +0800 Subject: [PATCH 02/13] 11538.yaml --- CHANGELOG/unreleased/kong/11538.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 CHANGELOG/unreleased/kong/11538.yaml diff --git a/CHANGELOG/unreleased/kong/11538.yaml b/CHANGELOG/unreleased/kong/11538.yaml new file mode 100644 index 000000000000..74c6161ffb26 --- /dev/null +++ b/CHANGELOG/unreleased/kong/11538.yaml @@ -0,0 +1,7 @@ +message: Fix an issue that protocol `tls_passthrough` can not work with expressions flavor +type: bugfix +scope: Core +prs: + - 11538 +jiras: +issues: From 890828a040edd46ecb3cf2c879533144ca50dce5 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Mon, 11 Sep 2023 14:37:46 +0800 Subject: [PATCH 03/13] 11538.yaml --- CHANGELOG/unreleased/kong/11538.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG/unreleased/kong/11538.yaml b/CHANGELOG/unreleased/kong/11538.yaml index 74c6161ffb26..946f7573dcfc 100644 --- a/CHANGELOG/unreleased/kong/11538.yaml +++ b/CHANGELOG/unreleased/kong/11538.yaml @@ -3,5 +3,3 @@ type: bugfix scope: Core prs: - 11538 -jiras: -issues: From 66fbfe056bf6409b7b6358f984e57178386d98c7 Mon Sep 17 00:00:00 2001 
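Review bot: The new `tls_passthrough = "tls"` entry in `PROTOCOLS_OVERRIDE` arrives with no spec and no comment saying which protocol value the matcher is given for a passthrough connection, so the choice between `"tcp"` and `"tls"` cannot be checked from this hunk. A one-line comment on the entry, for example `-- tls_passthrough: <protocol value the stream matcher sees for passthrough connections>`, plus a stream-subsystem spec with a `tls_passthrough` route would pin the intended behaviour. The table is at file scope and the code that consumes it is outside the hunk.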
From: chronolaw Date: Mon, 11 Sep 2023 14:56:10 +0800 Subject: [PATCH 04/13] add ticket in changelog --- CHANGELOG/unreleased/kong/11538.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG/unreleased/kong/11538.yaml b/CHANGELOG/unreleased/kong/11538.yaml index 946f7573dcfc..c7bbd050e54c 100644 --- a/CHANGELOG/unreleased/kong/11538.yaml +++ b/CHANGELOG/unreleased/kong/11538.yaml @@ -3,3 +3,5 @@ type: bugfix scope: Core prs: - 11538 +jiras: + - "KAG-2561" From 1a56de86b39afa92f02d97cf31a8ff526c6dbb3a Mon Sep 17 00:00:00 2001 From: chronolaw Date: Mon, 11 Sep 2023 15:33:54 +0800 Subject: [PATCH 05/13] check tls_passthough --- kong/router/expressions.lua | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kong/router/expressions.lua b/kong/router/expressions.lua index fbc0ef50a1d9..6790939699f1 100644 --- a/kong/router/expressions.lua +++ b/kong/router/expressions.lua @@ -13,7 +13,7 @@ local LOGICAL_AND = atc.LOGICAL_AND -- map to normal protocol local PROTOCOLS_OVERRIDE = { - tls_passthrough = "tls", + tls_passthrough = "tcp", grpc = "http", grpcs = "https", } @@ -32,7 +32,9 @@ local function get_exp_and_priority(route) -- give the chance for http redirection (301/302/307/308/426) -- and allow tcp works with tls if protocols and #protocols == 1 and - (protocols[1] == "https" or protocols[1] == "tls") + (protocols[1] == "https" or + protocols[1] == "tls" or + protocols[1] == "tls_passthrough") then return exp, route.priority end From 7c517e2add450274e23028449e3bd147c61ba87d Mon Sep 17 00:00:00 2001 From: chronolaw Date: Tue, 12 Sep 2023 14:26:58 +0800 Subject: [PATCH 06/13] add test case --- kong/router/expressions.lua | 2 +- spec/01-unit/08-router_spec.lua | 44 ++++++++++++++++++++++++++++++++- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/kong/router/expressions.lua b/kong/router/expressions.lua index 6790939699f1..b85d8c2d209a 100644 --- a/kong/router/expressions.lua +++ b/kong/router/expressions.lua 
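Review bot: The comment above the condition in `get_exp_and_priority` still ends with `and allow tcp works with tls` and does not say why `tls_passthrough` now also returns the bare expression. For a route whose only protocol is `https`, `tls` or `tls_passthrough`, this branch returns `exp` unchanged, so matching rests entirely on the route's own expression; that is worth stating, e.g. `-- tls_passthrough is handled like tls: the expression is returned without a protocol term`. A route that lists `tls_passthrough` together with another protocol skips this branch and presumably falls through to `PROTOCOLS_OVERRIDE`, where the previous hunk maps it back to `"tcp"`; no spec in the series covers that combination. The function body continues outside the hunk.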
@@ -34,7 +34,7 @@ local function get_exp_and_priority(route) if protocols and #protocols == 1 and (protocols[1] == "https" or protocols[1] == "tls" or - protocols[1] == "tls_passthrough") + protocols[1] == "tls_passthough") then return exp, route.priority end diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index 8cda0b46e7c6..a5b08beddb9a 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua @@ -4860,7 +4860,7 @@ end do local flavor = "expressions" - describe("Router (flavor = " .. flavor .. ")", function() + describe("Router (flavor = " .. flavor .. ") [http] ", function() reload_router(flavor) local use_case, router @@ -4963,5 +4963,47 @@ do end) end) + + describe("Router (flavor = " .. flavor .. ") [stream] ", function() + reload_router(flavor, "stream") + + local use_case, router + + lazy_setup(function() + use_case = { + -- query has one value + { + service = { + name = "service-tls-passthough-invalid", + protocol = "tcp", + }, + route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tls_passthough" }, + expression = [[tls.sni == "www.example.org"]], + priority = 100, + }, + }, + } + + router = assert(new_router(use_case)) + end) + + it("exec() should match tls_passthough with tls.sni", function() + local _ngx = { + var = { + remote_port = 1000, + server_port = 1000, + ssl_preread_server_name = "www.example.org", + }, + } + router._set_ngx(_ngx) + local match_t = router:exec() + assert.truthy(match_t) + + assert.same(use_case[1].route, match_t.route) + end) + + end) end From f4fbd18ad5ffcb45ad4babcd4c461d84d1aa127f Mon Sep 17 00:00:00 2001 From: chronolaw Date: Tue, 12 Sep 2023 14:27:50 +0800 Subject: [PATCH 07/13] typofix --- CHANGELOG/unreleased/kong/11538.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG/unreleased/kong/11538.yaml b/CHANGELOG/unreleased/kong/11538.yaml index c7bbd050e54c..7c8a65a32a44 100644 
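Review bot: `protocols[1] == "tls_passthough"` is misspelled (the `r` is missing), so a route declared with the real `tls_passthrough` value no longer takes this branch; the line should remain `protocols[1] == "tls_passthrough")`. The spec added in the same commit uses the same misspelling in `protocols = { "tls_passthough" }`, which suggests the unit spec's `new_router` does not check protocols against the route schema, so the test agrees with the broken literal instead of catching it. Patch 10 restores the spelling; folding that fix into this commit would keep every commit in the series working. The function body continues outside the hunk.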
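Review bot: The new `[stream]` spec asserts only the positive match, so a router that matched every connection to this route would pass as well; because the single-protocol branch returns the expression as is, the SNI comparison is the only thing under test. A case with a non-matching `ssl_preread_server_name` that expects no match closes the gap (the fence assumes `router:exec()` returns a falsy value when nothing matches). The leading comment `-- query has one value` is carried over from an HTTP case and should be dropped. The same gap is in the `tls` case added in patch 08 and in the block re-added in patch 13.

```lua
    -- … unchanged: lazy_setup and the positive tls_passthrough case …

    it("exec() should not match tls_passthrough with a different tls.sni", function()
      local _ngx = {
        var = {
          remote_port = 1000,
          server_port = 1000,
          -- constructed sample name that no route in use_case matches
          ssl_preread_server_name = "other.example.org",
        },
      }
      router._set_ngx(_ngx)
      assert.falsy(router:exec())
    end)
```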
--- a/CHANGELOG/unreleased/kong/11538.yaml +++ b/CHANGELOG/unreleased/kong/11538.yaml @@ -1,4 +1,4 @@ -message: Fix an issue that protocol `tls_passthrough` can not work with expressions flavor +message: Fix an issue that protocol `tls_passthough` can not work with expressions flavor type: bugfix scope: Core prs: From 87bced3c7fa24816557459c7c96bae48f278716e Mon Sep 17 00:00:00 2001 From: chronolaw Date: Tue, 12 Sep 2023 14:36:15 +0800 Subject: [PATCH 08/13] more cases --- spec/01-unit/08-router_spec.lua | 41 ++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 8 deletions(-) diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index a5b08beddb9a..8fd09b16fad0 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua @@ -4860,7 +4860,7 @@ end do local flavor = "expressions" - describe("Router (flavor = " .. flavor .. ") [http] ", function() + describe("Router (flavor = " .. flavor .. ") [http]", function() reload_router(flavor) local use_case, router @@ -4964,21 +4964,31 @@ do end) - describe("Router (flavor = " .. flavor .. ") [stream] ", function() + describe("#only Router (flavor = " .. flavor .. ") [stream]", function() reload_router(flavor, "stream") local use_case, router + local service = { + name = "service-invalid", + protocol = "tcp", + } + lazy_setup(function() use_case = { - -- query has one value { - service = { - name = "service-tls-passthough-invalid", - protocol = "tcp", - }, + service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tls" }, + expression = [[tls.sni == "www.example.com"]], + priority = 100, + }, + }, + { + service = service, + route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", protocols = { "tls_passthough" }, expression = [[tls.sni == "www.example.org"]], priority = 100, 
@@ -4989,6 +4999,21 @@ do router = assert(new_router(use_case)) end) + it("exec() should match tls with tls.sni", function() + local _ngx = { + var = { + remote_port = 1000, + server_port = 1000, + ssl_preread_server_name = "www.example.com", + }, + } + router._set_ngx(_ngx) + local match_t = router:exec() + assert.truthy(match_t) + + assert.same(use_case[1].route, match_t.route) + end) + it("exec() should match tls_passthough with tls.sni", function() local _ngx = { var = { @@ -5001,7 +5026,7 @@ do local match_t = router:exec() assert.truthy(match_t) - assert.same(use_case[1].route, match_t.route) + assert.same(use_case[2].route, match_t.route) end) end) From 600b5d1c0ffc043944f441a3009f9d8420232b4d Mon Sep 17 00:00:00 2001 From: chronolaw Date: Tue, 12 Sep 2023 14:41:19 +0800 Subject: [PATCH 09/13] remove #only --- spec/01-unit/08-router_spec.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index 8fd09b16fad0..721bd23f4d25 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua @@ -4964,7 +4964,7 @@ do end) - describe("#only Router (flavor = " .. flavor .. ") [stream]", function() + describe("Router (flavor = " .. flavor .. ") [stream]", function() reload_router(flavor, "stream") local use_case, router From 26af89787028c67a5bdcc2fcbbbb333ce1175d85 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Tue, 12 Sep 2023 17:01:30 +0800 Subject: [PATCH 10/13] fix typo --- CHANGELOG/unreleased/kong/11538.yaml | 2 +- kong/router/expressions.lua | 2 +- spec/01-unit/08-router_spec.lua | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG/unreleased/kong/11538.yaml b/CHANGELOG/unreleased/kong/11538.yaml index 7c8a65a32a44..c7bbd050e54c 100644 --- a/CHANGELOG/unreleased/kong/11538.yaml +++ b/CHANGELOG/unreleased/kong/11538.yaml 
@@ -1,4 +1,4 @@ -message: Fix an issue that protocol `tls_passthough` can not work with expressions flavor +message: Fix an issue that protocol `tls_passthrough` can not work with expressions flavor type: bugfix scope: Core prs: diff --git a/kong/router/expressions.lua b/kong/router/expressions.lua index b85d8c2d209a..6790939699f1 100644 --- a/kong/router/expressions.lua +++ b/kong/router/expressions.lua @@ -34,7 +34,7 @@ local function get_exp_and_priority(route) if protocols and #protocols == 1 and (protocols[1] == "https" or protocols[1] == "tls" or - protocols[1] == "tls_passthough") + protocols[1] == "tls_passthrough") then return exp, route.priority end diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index 721bd23f4d25..33f116d7970f 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua @@ -4989,7 +4989,7 @@ do service = service, route = { id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", - protocols = { "tls_passthough" }, + protocols = { "tls_passthrough" }, expression = [[tls.sni == "www.example.org"]], priority = 100, }, @@ -5014,7 +5014,7 @@ do assert.same(use_case[1].route, match_t.route) end) - it("exec() should match tls_passthough with tls.sni", function() + it("exec() should match tls_passthrough with tls.sni", function() local _ngx = { var = { remote_port = 1000, From 3dbe659e6a389fb21af3c4cb4eb620c47d588f25 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Tue, 12 Sep 2023 17:26:28 +0800 Subject: [PATCH 11/13] enable more tests --- spec/02-integration/05-proxy/02-router_spec.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/02-integration/05-proxy/02-router_spec.lua b/spec/02-integration/05-proxy/02-router_spec.lua index e6a3c30e0395..d8c1ad223291 100644 --- a/spec/02-integration/05-proxy/02-router_spec.lua +++ b/spec/02-integration/05-proxy/02-router_spec.lua 
@@ -1410,7 +1410,7 @@ for _, strategy in helpers.each_strategy() do end end) - it_trad_only("matches a Route based on its 'snis' attribute", function() + it("matches a Route based on its 'snis' attribute", function() -- config propagates to stream subsystems not instantly -- try up to 10 seconds with step of 2 seconds -- in vagrant it takes around 6 seconds From 9d93c1f7309455a06f9f828ec2e650ddbbc7dc36 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Wed, 13 Sep 2023 08:43:39 +0800 Subject: [PATCH 12/13] try fix unit test --- spec/01-unit/08-router_spec.lua | 2 ++ 1 file changed, 2 insertions(+) diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index 33f116d7970f..df443ae04787 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua @@ -4964,6 +4964,7 @@ do end) + --[==[ describe("Router (flavor = " .. flavor .. ") [stream]", function() reload_router(flavor, "stream") @@ -5030,5 +5031,6 @@ do end) end) + --]==] end From 8a4aa006af65584a695736c08fdd2008080dd856 Mon Sep 17 00:00:00 2001 From: chronolaw Date: Wed, 13 Sep 2023 09:15:14 +0800 Subject: [PATCH 13/13] move stream test in front of http test --- spec/01-unit/08-router_spec.lua | 136 ++++++++++++++++---------------- 1 file changed, 67 insertions(+), 69 deletions(-) diff --git a/spec/01-unit/08-router_spec.lua b/spec/01-unit/08-router_spec.lua index df443ae04787..b8b39777f697 100644 --- a/spec/01-unit/08-router_spec.lua +++ b/spec/01-unit/08-router_spec.lua 
@@ -4860,6 +4860,73 @@ end do local flavor = "expressions" + describe("Router (flavor = " .. flavor .. ") [stream]", function() + reload_router(flavor, "stream") + + local use_case, router + + local service = { + name = "service-invalid", + protocol = "tcp", + } + + lazy_setup(function() + use_case = { + { + service = service, + route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", + protocols = { "tls" }, + expression = [[tls.sni == "www.example.com"]], + priority = 100, + }, + }, + { + service = service, + route = { + id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", + protocols = { "tls_passthrough" }, + expression = [[tls.sni == "www.example.org"]], + priority = 100, + }, + }, + } + + router = assert(new_router(use_case)) + end) + + it("exec() should match tls with tls.sni", function() + local _ngx = { + var = { + remote_port = 1000, + server_port = 1000, + ssl_preread_server_name = "www.example.com", + }, + } + router._set_ngx(_ngx) + local match_t = router:exec() + assert.truthy(match_t) + + assert.same(use_case[1].route, match_t.route) + end) + + it("exec() should match tls_passthrough with tls.sni", function() + local _ngx = { + var = { + remote_port = 1000, + server_port = 1000, + ssl_preread_server_name = "www.example.org", + }, + } + router._set_ngx(_ngx) + local match_t = router:exec() + assert.truthy(match_t) + + assert.same(use_case[2].route, match_t.route) + end) + + end) + describe("Router (flavor = " .. flavor .. ") [http]", function() reload_router(flavor) 
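Review bot: Moving the `[stream]` block ahead of `[http]` makes the specs depend on their order, which points to state left behind by `reload_router(flavor)` that `reload_router(flavor, "stream")` does not reset (patch 12 commented the block out while it ran second); the cause is not visible in this hunk. Nothing in the file records the constraint, so a later reorder could break the TLS routing tests or run them against the wrong subsystem. Add a comment above the block such as `-- must run before the [http] block: reload_router() state is not reset between subsystems`, or restore the default subsystem in a teardown. The shared `service` is named `service-invalid` although it backs both valid routes; a neutral name would read better.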
@@ -4963,74 +5030,5 @@ do end) end) - - --[==[ - describe("Router (flavor = " .. flavor .. ") [stream]", function() - reload_router(flavor, "stream") - - local use_case, router - - local service = { - name = "service-invalid", - protocol = "tcp", - } - - lazy_setup(function() - use_case = { - { - service = service, - route = { - id = "e8fb37f1-102d-461e-9c51-6608a6bb8101", - protocols = { "tls" }, - expression = [[tls.sni == "www.example.com"]], - priority = 100, - }, - }, - { - service = service, - route = { - id = "e8fb37f1-102d-461e-9c51-6608a6bb8102", - protocols = { "tls_passthrough" }, - expression = [[tls.sni == "www.example.org"]], - priority = 100, - }, - }, - } - - router = assert(new_router(use_case)) - end) - - it("exec() should match tls with tls.sni", function() - local _ngx = { - var = { - remote_port = 1000, - server_port = 1000, - ssl_preread_server_name = "www.example.com", - }, - } - router._set_ngx(_ngx) - local match_t = router:exec() - assert.truthy(match_t) - - assert.same(use_case[1].route, match_t.route) - end) - - it("exec() should match tls_passthrough with tls.sni", function() - local _ngx = { - var = { - remote_port = 1000, - server_port = 1000, - ssl_preread_server_name = "www.example.org", - }, - } - router._set_ngx(_ngx) - local match_t = router:exec() - assert.truthy(match_t) - - assert.same(use_case[2].route, match_t.route) - end) - - end) - --]==] end