Skip to content

Commit

Permalink
Merge pull request #1425 from Mashape/feat/postgres-ssl
Browse files Browse the repository at this point in the history
feat(postgres) implement SSL connections capability
  • Loading branch information
thibaultcha authored Jul 22, 2016
2 parents b3ece5f + 4dfddd4 commit 4c59404
Show file tree
Hide file tree
Showing 10 changed files with 51 additions and 30 deletions.
2 changes: 1 addition & 1 deletion kong-0.8.3-0.rockspec
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ dependencies = {
"lapis ~> 1.3.1-1",
"stringy ~> 0.4-1",
"lua-cassandra ~> 0.5.2",
"pgmoon ~> 1.4.0",
"pgmoon ~> 1.5.0",
"multipart ~> 0.3-2",
"lua-cjson ~> 2.1.0-1",
"lbase64 ~> 20120820-1",
Expand Down
29 changes: 20 additions & 9 deletions kong.conf.default
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,14 @@
#pg_password = kong # The password to authenticate if required.
#pg_database = kong # The database name to connect to.

#pg_ssl = off # Toggles client-server TLS connections
# between Kong and PostgreSQL.

#pg_ssl_verify = off # Toggles server certificate verification if
# `pg_ssl` is enabled.
# See the `lua_ssl_trusted_certificate`
# setting to specify a certificate authority.

#cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact
# points to your cluster.

Expand All @@ -132,12 +140,8 @@

#cassandra_ssl_verify = off # Toggles server certificate verification if
# `cassandra_ssl` is enabled.

#cassandra_ssl_trusted_cert = # Absolute path to the certificate
# authority file in PEM format. This setting
# will set the `lua_ssl_trusted_certificate`
# directive when Kong compiles the Nginx
# configuration file.
# See the `lua_ssl_trusted_certificate`
# setting to specify a certificate authority.

#cassandra_username = kong # Username when using the
# `PasswordAuthenticator` scheme.
Expand Down Expand Up @@ -250,11 +254,18 @@
# See the lua-nginx-module documentation for more informations:
# https://github.com/openresty/lua-nginx-module

#lua_ssl_trusted_certificate = # Absolute path to the certificate
# authority file for Lua cosockets in PEM
# format. This certificate will be the one
# used for verifying Kong's database
# connections, when `pg_ssl_verify` or
# `cassandra_ssl_verify` are enabled.

#lua_ssl_verify_depth = 1 # Sets the verification depth in the server
# certificates chain used by Lua cosockets.
# certificates chain used by Lua cosockets,
# set by `lua_ssl_trusted_certificate`.
# This includes the certificates configured
# for database connections, like
# `cassandra_ssl_trusted_cert`.
# for Kong's database connections.

#lua_code_cache = on # When disabled, every request will run in a
# separate Lua VM instance: all Lua modules
Expand Down
3 changes: 0 additions & 3 deletions kong/cmd/utils/prefix_handler.lua
Original file line number Diff line number Diff line change
Expand Up @@ -100,9 +100,6 @@ local function compile_conf(kong_config, conf_template)
tostring = tostring
}

if kong_config.cassandra_ssl and kong_config.cassandra_ssl_trusted_cert then
compile_env["lua_ssl_trusted_certificate"] = kong_config.cassandra_ssl_trusted_cert
end
if kong_config.dnsmasq then
compile_env["dns_resolver"] = "127.0.0.1:"..kong_config.dnsmasq_port
end
Expand Down
2 changes: 2 additions & 0 deletions kong/conf_loader.lua
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,8 @@ local CONF_INFERENCES = {

database = {enum = {"postgres", "cassandra"}},
pg_port = {typ = "number"},
pg_ssl = {typ = "boolean"},
pg_ssl_verify = {typ = "boolean"},

cassandra_contact_points = {typ = "array"},
cassandra_port = {typ = "number"},
Expand Down
2 changes: 1 addition & 1 deletion kong/dao/cassandra_db.lua
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ function CassandraDB:new(kong_config)
ssl_options = {
enabled = kong_config.cassandra_ssl,
verify = kong_config.cassandra_ssl_verify,
ca = kong_config.cassandra_ssl_trusted_cert
ca = kong_config.lua_ssl_trusted_certificate
}
}

Expand Down
9 changes: 6 additions & 3 deletions kong/dao/postgres_db.lua
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,10 @@ function PostgresDB:new(kong_config)
port = kong_config.pg_port,
user = kong_config.pg_user,
password = kong_config.pg_password,
database = kong_config.pg_database
database = kong_config.pg_database,
ssl = kong_config.pg_ssl,
ssl_verify = kong_config.pg_ssl_verify,
cafile = kong_config.lua_ssl_trusted_certificate
}

PostgresDB.super.new(self, "postgres", conn_opts)
Expand Down Expand Up @@ -112,7 +115,7 @@ local function parse_error(err_str)
err = Errors.foreign {[col] = value}
end
end

return err or Errors.db(err_str)
end

Expand Down Expand Up @@ -208,7 +211,7 @@ function PostgresDB:deserialize_rows(rows, schema)
local json = require "cjson"
for i, row in ipairs(rows) do
for col, value in pairs(row) do
if type(value) == "string" and schema.fields[col] and
if type(value) == "string" and schema.fields[col] and
(schema.fields[col].type == "table" or schema.fields[col].type == "array") then
rows[i][col] = json.decode(value)
end
Expand Down
4 changes: 3 additions & 1 deletion kong/templates/kong_defaults.lua
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ pg_port = 5432
pg_database = kong
pg_user = kong
pg_password = NONE
pg_ssl = off
pg_ssl_verify = off
cassandra_contact_points = 127.0.0.1
cassandra_port = 9042
cassandra_keyspace = kong
Expand All @@ -31,7 +33,6 @@ cassandra_consistency = ONE
cassandra_timeout = 5000
cassandra_ssl = off
cassandra_ssl_verify = off
cassandra_ssl_trusted_cert = NONE
cassandra_username = kong
cassandra_password = NONE
Expand All @@ -47,6 +48,7 @@ dnsmasq_port = 8053
dns_resolver = NONE
lua_code_cache = on
lua_ssl_trusted_certificate = NONE
lua_ssl_verify_depth = 1
lua_package_path = ?/init.lua;./kong/?.lua
lua_package_cpath = NONE
Expand Down
2 changes: 1 addition & 1 deletion kong/templates/nginx_kong.lua
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ lua_shared_dict cassandra 1m;
lua_shared_dict cassandra_prepared 5m;
lua_socket_log_errors off;
> if lua_ssl_trusted_certificate then
lua_ssl_trusted_certificate '${{lua_ssl_trusted_certificate}}';
lua_ssl_trusted_certificate '${{LUA_SSL_TRUSTED_CERTIFICATE}}';
lua_ssl_verify_depth ${{LUA_SSL_VERIFY_DEPTH}};
> end
Expand Down
14 changes: 11 additions & 3 deletions spec/01-unit/02-conf_loader_spec.lua
Original file line number Diff line number Diff line change
Expand Up @@ -99,21 +99,29 @@ describe("Configuration loader", function()
assert.True(conf.anonymous_reports)
assert.False(conf.cassandra_ssl)
assert.False(conf.cassandra_ssl_verify)
assert.False(conf.pg_ssl)
assert.False(conf.pg_ssl_verify)

conf = assert(conf_loader(nil, {
cassandra_ssl = true
cassandra_ssl = true,
pg_ssl = true
}))
assert.True(conf.cassandra_ssl)
assert.True(conf.pg_ssl)

conf = assert(conf_loader(nil, {
cassandra_ssl = "on"
cassandra_ssl = "on",
pg_ssl = "on"
}))
assert.True(conf.cassandra_ssl)
assert.True(conf.pg_ssl)

conf = assert(conf_loader(nil, {
cassandra_ssl = "true"
cassandra_ssl = "true",
pg_ssl = "true"
}))
assert.True(conf.cassandra_ssl)
assert.True(conf.pg_ssl)
end)
it("infer arrays (comma-separated strings)", function()
local conf = assert(conf_loader())
Expand Down
14 changes: 6 additions & 8 deletions spec/01-unit/03-prefix_handler_spec.lua
Original file line number Diff line number Diff line change
Expand Up @@ -69,19 +69,17 @@ describe("NGINX conf compiler", function()
assert.not_matches("ssl_protocols", kong_nginx_conf)
assert.not_matches("ssl_certificate_by_lua_block", kong_nginx_conf)
end)
it("sets lua_ssl_trusted_certificate from cassandra_ssl_trusted_cert", function()
it("does not include lua_ssl_trusted_certificate/lua_ssl_verify_depth by default", function()
local conf = assert(conf_loader(helpers.test_conf_path, {
cassandra_ssl = true,
cassandra_ssl_trusted_cert = "/path/to/ca.cert"
lua_ssl_verify_depth = "2"
}))
local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
assert.matches("lua_ssl_trusted_certificate '/path/to/ca.cert';", kong_nginx_conf, nil, true)
assert.matches("lua_ssl_verify_depth 1;", kong_nginx_conf, nil, true)
assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
assert.not_matches("lua_ssl_verify_depth", kong_nginx_conf, nil, true)
end)
it("sets lua_ssl_verify_depth", function()
it("sets lua_ssl_trusted_certificate/lua_ssl_verify_depth", function()
local conf = assert(conf_loader(helpers.test_conf_path, {
cassandra_ssl = true,
cassandra_ssl_trusted_cert = "/path/to/ca.cert",
lua_ssl_trusted_certificate = "/path/to/ca.cert",
lua_ssl_verify_depth = "2"
}))
local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
Expand Down

0 comments on commit 4c59404

Please sign in to comment.