From c52347161b9a60537a08e9794f0bfd8367aaa4d4 Mon Sep 17 00:00:00 2001
From: Samuele Illuminati
Date: Wed, 31 Aug 2022 18:19:04 +0200
Subject: [PATCH] feat(conf): add support for remaining variables (#9352)

* move creation of certificate and key files in a separate block
* add file creation for the remaining certs and keys: cluster_ and client_
* update configuration with generated path for cluster_* and client_*
---
 kong/cmd/utils/prefix_handler.lua | 72 +++++++++++++++++++++++-----
 kong/conf_loader/init.lua | 12 ++---
 spec/01-unit/03-conf_loader_spec.lua | 24 +++++-----
 3 files changed, 79 insertions(+), 29 deletions(-)

diff --git a/kong/cmd/utils/prefix_handler.lua b/kong/cmd/utils/prefix_handler.lua
index 5df529a06f1..bf5f3aaa4cb 100644
--- a/kong/cmd/utils/prefix_handler.lua
+++ b/kong/cmd/utils/prefix_handler.lua
@@ -461,24 +461,74 @@ local function prepare_prefix(kong_config, nginx_custom_template_path, skip_writ
 ssl_cert_key[1] = kong_config[prefix .. "ssl_cert_key_default"]
 ssl_cert[2] = kong_config[prefix .. "ssl_cert_default_ecdsa"]
 ssl_cert_key[2] = kong_config[prefix .. "ssl_cert_key_default_ecdsa"]
+ end
+ end
+ end
 
- else
- local ssl_path = join(kong_config.prefix, "ssl")
- makepath(ssl_path)
+ -- create certs files and assign paths if needed
+ do
 
- for i, cert in ipairs(ssl_cert) do
- local path = join(ssl_path, target .. "-" .. i .. ".crt")
- write_ssl_cert(path, cert)
- ssl_cert[i] = path
+ local function write_file_set_path(
+ file,
+ format,
+ write_func,
+ ssl_path,
+ target,
+ config_key
+ )
+ if type(file) == "string" then
+ if not exists(file) then
+ if not exists(ssl_path) then
+ makepath(ssl_path)
+ end
+ local path = join(ssl_path, target .. format)
+ write_func(path, file)
+ kong_config[config_key] = path
 end
 
- for i, cert_key in ipairs(ssl_cert_key) do
- local path = join(ssl_path, target .. "-" .. i .. ".key")
- write_ssl_cert_key(path, cert_key)
- ssl_cert_key[i] = path
+ else
+ for i, cert_key in ipairs(file) do
+ if not exists(cert_key) then
+ if not exists(ssl_path) then
+ makepath(ssl_path)
+ end
+ local path = join(ssl_path, target .. "-" .. i .. format)
+ write_func(path, cert_key)
+ file[i] = path
+ end
 end
 end
 end
+
+ for _, target in ipairs({
+ "proxy",
+ "admin",
+ "status",
+ "client",
+ "cluster"
+ }) do
+
+ local prefix
+ if target == "proxy" then
+ prefix = "ssl"
+ elseif target == "cluster" then
+ prefix = target
+ else
+ prefix = target .. "_ssl"
+ end
+
+ local cert_k = prefix .. "_cert"
+ local key_k = prefix .. "_cert_key"
+ local ssl_cert = kong_config[cert_k]
+ local ssl_cert_key = kong_config[key_k]
+
+ if ssl_cert and ssl_cert_key and #ssl_cert > 0 and #ssl_cert_key > 0 then
+ local ssl_path = join(kong_config.prefix, "ssl")
+
+ write_file_set_path(ssl_cert, ".crt", write_ssl_cert, ssl_path, target, cert_k)
+ write_file_set_path(ssl_cert_key, ".key", write_ssl_cert_key, ssl_path, target, key_k)
+ end
+ end
 end
 
 if kong_config.lua_ssl_trusted_certificate_combined then
diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
index 6653b664bb6..00487455a12 100644
--- a/kong/conf_loader/init.lua
+++ b/kong/conf_loader/init.lua
@@ -752,7 +752,7 @@ local function check_and_infer(conf, opts)
 if not exists(cert) then
 local _, err = openssl_x509.new(cert)
 if err then
- errors[#errors + 1] = prefix .. "ssl_cert: no such file at " .. cert
+ errors[#errors + 1] = prefix .. "ssl_cert: failed loading certificate from " .. cert
 end
 end
 end
@@ -763,7 +763,7 @@ local function check_and_infer(conf, opts)
 if not exists(cert_key) then
 local _, err = openssl_pkey.new(cert_key)
 if err then
- errors[#errors + 1] = prefix .. "ssl_cert_key: no such file at " .. cert_key
+ errors[#errors + 1] = prefix .. "ssl_cert_key: failed loading key from " .. cert_key
 end
 end
 end
@@ -785,14 +785,14 @@ local function check_and_infer(conf, opts)
 if client_ssl_cert and not exists(client_ssl_cert) then
 local _, err = openssl_x509.new(client_ssl_cert)
 if err then
- errors[#errors + 1] = "client_ssl_cert: no such file at " .. client_ssl_cert
+ errors[#errors + 1] = "client_ssl_cert: failed loading certificate from " .. client_ssl_cert
 end
 end
 
 if client_ssl_cert_key and not exists(client_ssl_cert_key) then
 local _, err = openssl_pkey.new(client_ssl_cert_key)
 if err then
- errors[#errors + 1] = "client_ssl_cert_key: no such file at " ..
+ errors[#errors + 1] = "client_ssl_cert_key: failed loading key from " ..
 client_ssl_cert_key
 end
 end
@@ -1013,14 +1013,14 @@ local function check_and_infer(conf, opts)
 if not exists(cluster_cert) then
 local _, err = openssl_x509.new(cluster_cert)
 if err then
- errors[#errors + 1] = "cluster_cert: no such file at " .. cluster_cert
+ errors[#errors + 1] = "cluster_cert: failed loading certificate from " .. cluster_cert
 end
 end
 
 if not exists(cluster_cert_key) then
 local _, err = openssl_pkey.new(cluster_cert_key)
 if err then
- errors[#errors + 1] = "cluster_cert_key: no such file at " .. cluster_cert_key
+ errors[#errors + 1] = "cluster_cert_key: failed loading key from " .. cluster_cert_key
 end
 end
 end
diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
index f799dedd650..ac0c88a09f8 100644
--- a/spec/01-unit/03-conf_loader_spec.lua
+++ b/spec/01-unit/03-conf_loader_spec.lua
@@ -770,8 +770,8 @@ describe("Configuration loader", function()
 ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(2, #errors)
- assert.contains("ssl_cert: no such file at /path/cert.pem", errors)
- assert.contains("ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("ssl_cert: failed loading certificate from /path/cert.pem", errors)
+ assert.contains("ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 
 conf, _, errors = conf_loader(nil, {
@@ -779,7 +779,7 @@ describe("Configuration loader", function()
 ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(1, #errors)
- assert.contains("ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 end)
 it("requires SSL DH param file to exist", function()
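Review bot: The reworded `cluster_cert` and `cluster_cert_key` messages in this hunk have no matching assertion change in `spec/01-unit/03-conf_loader_spec.lua`, while every other reworded message (proxy, client, admin, status) gets one in the spec hunks of this patch; the diffstat (12 insertions, 12 deletions in the spec file) is fully accounted for by those visible hunks, so nothing else in the patch covers the cluster wording. Either an existing spec still asserts the old "no such file at" text for cluster certificates and will now fail, or no spec exercises this path at all; in both cases a case mirroring the `status_ssl_cert` one, e.g. `assert.contains("cluster_cert_key: failed loading key from /path/cert_key.pem", errors)`, would pin the new strings. `check_and_infer` starts before and ends after this hunk.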
@@ -1050,8 +1050,8 @@ describe("Configuration loader", function()
 client_ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(2, #errors)
- assert.contains("client_ssl_cert: no such file at /path/cert.pem", errors)
- assert.contains("client_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("client_ssl_cert: failed loading certificate from /path/cert.pem", errors)
+ assert.contains("client_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 
 conf, _, errors = conf_loader(nil, {
@@ -1060,7 +1060,7 @@ describe("Configuration loader", function()
 client_ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(1, #errors)
- assert.contains("client_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("client_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 end)
 it("resolves SSL cert/key to absolute path", function()
@@ -1117,8 +1117,8 @@ describe("Configuration loader", function()
 admin_ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(2, #errors)
- assert.contains("admin_ssl_cert: no such file at /path/cert.pem", errors)
- assert.contains("admin_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("admin_ssl_cert: failed loading certificate from /path/cert.pem", errors)
+ assert.contains("admin_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 
 conf, _, errors = conf_loader(nil, {
@@ -1126,7 +1126,7 @@ describe("Configuration loader", function()
 admin_ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(1, #errors)
- assert.contains("admin_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("admin_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 end)
 it("resolves SSL cert/key to absolute path", function()
@@ -1188,8 +1188,8 @@ describe("Configuration loader", function()
 status_ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(2, #errors)
- assert.contains("status_ssl_cert: no such file at /path/cert.pem", errors)
- assert.contains("status_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("status_ssl_cert: failed loading certificate from /path/cert.pem", errors)
+ assert.contains("status_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 
 conf, _, errors = conf_loader(nil, {
@@ -1198,7 +1198,7 @@ describe("Configuration loader", function()
 status_ssl_cert_key = "/path/cert_key.pem"
 })
 assert.equal(1, #errors)
- assert.contains("status_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+ assert.contains("status_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
 assert.is_nil(conf)
 end)
 it("resolves SSL cert/key to absolute path", function()