Merge pull request #1314 from eloycoto/3scale-2.11-stable-PR

Release 3scale 2.11 stable
3scale · Oct 1, 2021 · e1e4bcd · e1e4bcd
2 parents 29d4b6b + c6a0f15
commit e1e4bcd
Show file tree

Hide file tree

Showing 22 changed files with 399 additions and 50 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -109,12 +109,12 @@ executors:
     environment:
       S2I_VERSION: "1.1.12-2a783420"
       DOCKER_COMPOSE_VERSION: "1.16.1"
-      OPENRESTY_VERSION: "1.19.3.5-20-centos8"
+      OPENRESTY_VERSION: "1.19.3.6-20-centos8"
 
   openresty:
     working_directory: /opt/app-root/apicast
     docker:
-    - image: quay.io/3scale/s2i-openresty-centos7:1.19.3.5-20-centos8
+    - image: quay.io/3scale/s2i-openresty-centos7:1.19.3.6-20-centos8
     - image: redis:3.2.8-alpine
     environment:
       TEST_NGINX_BINARY: openresty
@@ -179,7 +179,7 @@ jobs:
 
       - login-docker:
           command: |
-            IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH}}"
+            IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH}}-builder"
             if [ "${IMAGE_TAG}" == "master-builder" ]
             then
               IMAGE_TAG="latest-builder"

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
 
-## [Unreleased]
+## [3.11.0] 2021-09-03
 
 ### Fixed
 
@@ -20,6 +20,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fixed warning messages [PR #1282](https://github.com/3scale/APIcast/pull/1282) [THREESCALE-5816](https://issues.redhat.com/browse/THREESCALE-5816)
 - Fixed lua socket error on ssl_certificate [PR #1283](https://github.com/3scale/APIcast/pull/1283) [THREESCALE-7230](https://issues.redhat.com/browse/THREESCALE-7230)
 - Fixed Acess log header [PR #1284](https://github.com/3scale/APIcast/pull/1284) [THREESCALE-6193](https://issues.redhat.com/browse/THREESCALE-6193)
+- Fixed Payload limit jsonschema [PR #1293](https://github.com/3scale/APIcast/pull/1293) [THREESCALE-6965](https://issues.redhat.com/browse/THREESCALE-6965)
+- Fixed Status code overwrite policy jsonschema [PR #1294](https://github.com/3scale/APIcast/pull/1294) [THREESCALE-7238](https://issues.redhat.com/browse/THREESCALE-7238)
+- Fixed TLS host validation [PR #1295](https://github.com/3scale/APIcast/pull/1295) [THREESCALE-768](https://issues.redhat.com/browse/THREESCALE-768)
+- Fixed Status code overwrite policy jsonschema [PR #1296](https://github.com/3scale/APIcast/pull/1296) [THREESCALE-6415](https://issues.redhat.com/browse/THREESCALE-6415)
+- Fixed URL encoding on set-path [PR #1297](https://github.com/3scale/APIcast/pull/1297) [THREESCALE-5117](https://issues.redhat.com/browse/THREESCALE-5117)
+- Fixed trailing slash on routing policy [PR #1298](https://github.com/3scale/APIcast/pull/1298) [THREESCALE-7146](https://issues.redhat.com/browse/THREESCALE-7146)
+- Fixed race condition on caching mode [PR #1259](https://github.com/3scale/APIcast/pull/1259) [THREESCALE-4464](https://issues.redhat.com/browse/THREESCALE-4464)
+- Fixed Nginx filter issues on jsonschema [PR #1302](https://github.com/3scale/APIcast/pull/1302) [THREESCALE-7349](https://issues.redhat.com/browse/THREESCALE-7349)
+- Fixed issues with OIDC filters [PR #1304](https://github.com/3scale/APIcast/pull/1304) [PR #1306](https://github.com/3scale/APIcast/pull/1306) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
+- Fixed issues with OIDC filters [PR #1304](https://github.com/3scale/APIcast/pull/1304) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
+- Fixed issues with Upstream MTLS certs [PR #1307](https://github.com/3scale/APIcast/pull/1307) [THREESCALE-7508](https://issues.redhat.com/browse/THREESCALE-7508)
 
 ### Added
 
@@ -920,3 +931,4 @@ expressed might change in future releases.
 [3.10.0-alpha2]: https://github.com/3scale/apicast/compare/v3.10.0-alpha1..v3.10.0-alpha2
 [3.10.0-beta1]: https://github.com/3scale/apicast/compare/v3.10.0-alpha2..v3.10.0-beta1
 [3.10.0]: https://github.com/3scale/apicast/compare/v3.10.0-beta1..v3.10.0
+[3.11.0]: https://github.com/3scale/apicast/compare/v3.10.0..v3.11.0
diff --git a/gateway/src/apicast/configuration_loader/oidc.lua b/gateway/src/apicast/configuration_loader/oidc.lua
@@ -40,7 +40,8 @@ function _M.call(...)
         for i,service in ipairs(config.services or empty) do
             -- Assign false instead of nil to avoid sparse arrays. cjson raises
             -- an error by default when converting sparse arrays.
-            oidc[i] = oidc[i] or load_service(service) or false
+            oidc[i] = oidc[i] or load_service(service) or { service_id = service.id}
+            -- oidc[i] = oidc[i] or load_service(service) or false
         end
 
         config.oidc = oidc

diff --git a/gateway/src/apicast/configuration_loader/remote_v2.lua b/gateway/src/apicast/configuration_loader/remote_v2.lua
@@ -129,15 +129,22 @@ local function parse_resp_body(self, resp_body)
     local original_proxy_config = deepcopy(proxy_config)
 
     local service = configuration.parse_service(proxy_config.content)
+
+    -- We always assign a oidc to the service, even an empty one with the
+    -- service_id, if not on APICAST_SERVICES_LIST will fail on filtering
     local oidc = self:oidc_issuer_configuration(service)
+    if not oidc then
+      oidc = {}
+    end
 
-    -- Assign false instead of nil to avoid sparse arrays. cjson raises an
-    -- error by default when converting sparse arrays.
-    config.oidc[i] = oidc or false
+    -- deepcopy because this can be cached, and we want to have a deepcopy to
+    -- avoid issues with service_id
+    local oidc_copy = deepcopy(oidc)
+    oidc_copy.service_id = service.id
 
+    config.oidc[i] = oidc_copy
     config.services[i] = original_proxy_config.content
   end
-
   return cjson.encode(config)
 end
 

diff --git a/gateway/src/apicast/policy/caching/caching.lua b/gateway/src/apicast/policy/caching/caching.lua
@@ -101,17 +101,26 @@ local function handler(config)
   return res
 end
 
+local function is_disabled(config)
+  return config.caching_type and config.caching_type == "none"
+end
+
 --- Initialize a Caching policy.
 -- @tparam[opt] table config
 -- @field caching_type Caching type (strict, resilient, allow, none)
 function _M.new(config)
   local self = new(config)
   self.cache_handler = handler(config or {})
+  self.is_disabled = is_disabled(config or {})
   return self
 end
 
+
 function _M:export()
-  return { cache_handler = self.cache_handler }
+  return {
+    cache_handler = self.cache_handler,
+    cache_is_disabled = self.is_disabled
+  }
 end
 
 return _M
diff --git a/gateway/src/apicast/policy/nginx_filters/apicast-policy.json b/gateway/src/apicast/policy/nginx_filters/apicast-policy.json
@@ -20,6 +20,7 @@
       "headers": {
         "type": "array",
         "title": "Headers to filter",
+        "minItems": 1,
         "items": {
           "type": "object",
           "properties": {

diff --git a/gateway/src/apicast/policy/payload_limits/apicast-policy.json b/gateway/src/apicast/policy/payload_limits/apicast-policy.json
@@ -33,7 +33,6 @@
                 0
             ]
         }
-    },
-    "additionalProperties": true
+    }
   }
 }
diff --git a/gateway/src/apicast/policy/routing/rule.lua b/gateway/src/apicast/policy/routing/rule.lua
@@ -44,6 +44,9 @@ local function init_operation(config_operation)
 end
 
 local function init_condition(config_condition)
+  if not config_condition.operations then
+    config_condition.operations = {}
+  end
   local operations = tab_new(#config_condition.operations, 0)
 
   for _, operation in ipairs(config_condition.operations) do

diff --git a/gateway/src/apicast/policy/statuscode_overwrite/apicast-policy.json b/gateway/src/apicast/policy/statuscode_overwrite/apicast-policy.json
@@ -2,8 +2,9 @@
   "$schema": "http://apicast.io/policy-v1.1/schema#manifest#",
   "name": "HTTP Status Code Overwrite",
   "summary": "Modify the HTTP status code returned by the upstream",
-  "description":
-    ["Configures a 1-1 mapping for upstream's http codes."],
+  "description": [
+    "Configures a 1-1 mapping for upstream's http codes."
+  ],
   "version": "builtin",
   "configuration": {
     "type": "object",
@@ -20,26 +21,27 @@
           "properties": {
             "upstream": {
               "description": "Upstream HTTP code to replace",
+              "title": "Upstream",
               "type": "integer",
               "minimum": 100,
               "maximum": 600
             },
             "apicast": {
-               "title": "Return HTTP code",
+              "title": "Return HTTP code",
               "description": "HTTP code to return",
               "type": "integer",
               "minimum": 100,
               "maximum": 600
             }
           }
         }
-
       }
     },
     "properties": {
       "http_statuses": {
         "title": "HTTP status codes map",
-        "$ref": "#/definitions/codes" }
+        "$ref": "#/definitions/codes"
+      }
     }
   }
 }
diff --git a/gateway/src/apicast/policy/upstream_mtls/upstream_mtls.lua b/gateway/src/apicast/policy/upstream_mtls/upstream_mtls.lua
@@ -146,7 +146,7 @@ end
 
 function _M.set_ca_cert(r, store)
   local val = C.ngx_http_apicast_ffi_set_proxy_ca_cert(r, store)
-  if val == ngx.OK then
+  if val ~= ngx.OK then
     ngx.log(ngx.WARN, "Cannot set a valid trusted CA store")
     return
   end
@@ -170,17 +170,17 @@ function _M:balancer(context)
     return
   end
 
+  local val = C.ngx_http_apicast_ffi_set_ssl_verify(r, ffi.new("int", 1), ffi.new("int", 1))
+  if val ~= ngx.OK then
+    ngx.log(ngx.WARN, "Cannot verify SSL upstream connection")
+  end
+
   if not self.ca_store then
     ngx.log(ngx.WARN, "Set verify without including CA certificates")
     return
   end
 
   self.set_ca_cert(r, self.ca_store)
-
-  local val = C.ngx_http_apicast_ffi_set_ssl_verify(r, ffi.new("int", 1), ffi.new("int", 1))
-  if val ~= ngx.OK then
-    ngx.log(ngx.WARN, "Cannot verify SSL upstream connection")
-  end
 end
 
 return _M
diff --git a/gateway/src/apicast/proxy.lua b/gateway/src/apicast/proxy.lua
@@ -129,7 +129,7 @@ function _M:authorize(context, service, usage, credentials, ttl)
   local cache = self.cache
   local is_known = cache:get(cached_key)
 
-  if is_known == 200 then
+  if is_known == 200 and context.cache_is_disabled ~= true then
     ngx.log(ngx.DEBUG, 'apicast cache hit key: ', cached_key)
     ngx.var.cached_key = cached_key
   else

diff --git a/gateway/src/apicast/upstream.lua b/gateway/src/apicast/upstream.lua
@@ -135,7 +135,10 @@ function _M:append_path(path)
     if not self.uri.path then
       self.uri.path = "/"
     end
-    self.uri.path = resty_url.join(self.uri.path, tmp_path)
+
+    if tmp_path ~= "" then
+      self.uri.path = resty_url.join(self.uri.path, tmp_path)
+    end
 
     -- If query is already present, do not need to add more.
     if tmp_query and tmp_query ~= "" then
@@ -160,7 +163,7 @@ function _M:rewrite_request()
 
     local uri = self.uri
     if uri.path then
-        ngx.req.set_uri(ngx.unescape_uri(prefix_path(uri.path)))
+        ngx.req.set_uri(prefix_path(uri.path))
     end
 
     if uri.query then

diff --git a/gateway/src/apicast/version.lua b/gateway/src/apicast/version.lua
@@ -1 +1 @@
-return "3.6.0"
+return "3.11.0"
diff --git a/spec/configuration_loader/remote_v2_spec.lua b/spec/configuration_loader/remote_v2_spec.lua
@@ -549,7 +549,10 @@ UwIDAQAB
       assert.truthy(config)
       assert.equals('string', type(config))
 
-      assert.equals(1, #(cjson.decode(config).services))
+      result_config = cjson.decode(config)
+      assert.equals(1, #result_config.services)
+      assert.equals(1, #result_config.oidc)
+      assert.same('2', result_config.oidc[1].service_id)
     end)
 
     it('returns nil and an error if the config is not a valid', function()
@@ -562,5 +565,62 @@ UwIDAQAB
       assert.is_nil(config)
       assert.equals('Expected object key string but found invalid token at character 3', err)
     end)
+
+    it('returns configuration with oidc config complete', function()
+
+      env.set('THREESCALE_DEPLOYMENT_ENV', 'production')
+      test_backend.expect{ url = 'http://example.com/something/with/path/production.json?host=foobar.example.com' }.
+        respond_with{ status = 200, body = cjson.encode({ proxy_configs = {
+          {
+            proxy_config = {
+              version = 42,
+              environment = 'staging',
+              content = { 
+                id = 2, 
+                backend_version = 1,
+                proxy = { oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/' }
+              }
+            }
+          }
+        }})}
+
+      test_backend.expect{ url = "http://idp.example.com/auth/realms/foo/.well-known/openid-configuration" }.
+      respond_with{
+        status = 200,
+        headers = { content_type = 'application/json' },
+        body = [[
+            {
+              "issuer": "https://idp.example.com/auth/realms/foo",
+              "jwks_uri": "https://idp.example.com/auth/realms/foo/jwks",
+              "id_token_signing_alg_values_supported": [ "RS256" ]
+            }
+          ]]
+      }
+
+      test_backend.expect{ url = "https://idp.example.com/auth/realms/foo/jwks" }.
+      respond_with{
+        status = 200,
+        headers = { content_type = 'application/json' },
+        body =  [[
+            { "keys": [{
+                "kid": "3g-I9PWt6NrznPLcbE4zZrakXar27FDKEpqRPlD2i2Y",
+                "kty": "RSA",
+                "n": "iqXwBiZgN2q1dCKU1P_vzyiGacdQhfqgxQST7GFlWU_PUljV9uHrLOadWadpxRAuskNpXWsrKoU_hDxtSpUIRJj6hL5YTlrvv-IbFwPNtD8LnOfKL043_ZdSOe3aT4R4NrBxUomndILUESlhqddylVMCGXQ81OB73muc9ovR68Ajzn8KzpU_qegh8iHwk-SQvJxIIvgNJCJTC6BWnwS9Bw2ns0fQOZZRjWFRVh8BjkVdqa4vCAb6zw8hpR1y9uSNG-fqUAPHy5IYQaD8k8QX0obxJ0fld61fH-Wr3ENpn9YZWYBcKvnwLm2bvxqmNVBzW4rhGEZb9mf-KrSagD5GUw",
+                "e": "AQAB"
+            }] }
+        ]]
+      }
+
+      local config = assert(loader:index('foobar.example.com'))
+
+      assert.truthy(config)
+      assert.equals('string', type(config))
+
+      result_config = cjson.decode(config)
+      assert.equals(1, #result_config.services)
+      assert.equals(1, #result_config.oidc)
+      assert.same('2', result_config.oidc[1].service_id)
+      assert.same('https://idp.example.com/auth/realms/foo', result_config.oidc[1].config.issuer)
+    end)
   end)
 end)
diff --git a/spec/upstream_spec.lua b/spec/upstream_spec.lua
@@ -80,6 +80,12 @@ describe('Upstream', function()
             assert.same(up.uri.path, "/test/")
         end)
 
+        it('trailing slash is not appended', function()
+            local up = Upstream.new('http://host:8090/test')
+            up:append_path("")
+            assert.same(up.uri.path, "/test")
+        end)
+
     end)
 
     local function stub_ngx_request()

diff --git a/t/apicast-policy-maintenance-mode.t b/t/apicast-policy-maintenance-mode.t
@@ -188,7 +188,6 @@ Content-Type: application/json
 
 
 === TEST 5: Maintenance mode is applied with routing policy + matching upstream condition
-
 --- configuration
 {
   "services": [
@@ -204,7 +203,7 @@ Content-Type: application/json
             "configuration": {
               "rules": [
                 {
-                    "url": "http://test:$TEST_NGINX_SERVER_PORT/b1",
+                    "url": "http://test:$TEST_NGINX_SERVER_PORT/b1/",
                     "condition": {
                         "operations": [
                             {
@@ -219,7 +218,7 @@ Content-Type: application/json
               ]
             }
           },
-          { 
+          {
             "name": "apicast.policy.maintenance_mode",
             "configuration": {
                 "condition": {
@@ -514,4 +513,4 @@ GET /?user_key=value
 Service Unavailable - Maintenance
 --- error_code: 503
 --- no_error_log
-[error]
+[error]
diff --git a/t/apicast-policy-payload_limits.t b/t/apicast-policy-payload_limits.t
@@ -183,6 +183,7 @@ yay, api backend
 
 
 === TEST 4: Response limit set to 100 rejects the request
+--- timeout: 5s
 --- backend
   location /transactions/authrep.xml {
     content_by_lua_block {
@@ -245,6 +246,7 @@ Content-Length: 17
 
 
 === TEST 5: Request body size smaller than the limit
+--- timeout: 5s
 --- backend
   location /transactions/authrep.xml {
     content_by_lua_block {
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,7 +33,6 @@ @@
                 ]
             }
-        },
-        "additionalProperties": true
+        }
       }
     }