feat(*) add run_on_preflight defaults migrations for jwt and key-auth

PRs #2744 and #2857 implemented the preflight options (for a minor release). This adds the migrations including defaults (for a major release). From #2883 See #2643 #1292 #1535
Kong · Jan 19, 2018 · f475eeb · f475eeb
1 parent 0d82647
commit f475eeb
Show file tree

Hide file tree

Showing 9 changed files with 190 additions and 14 deletions.
diff --git a/kong-0.11.2-0.rockspec b/kong-0.11.2-0.rockspec
@@ -117,6 +117,7 @@ build = {
     ["kong.dao.dao"] = "kong/dao/dao.lua",
     ["kong.dao.factory"] = "kong/dao/factory.lua",
     ["kong.dao.model_factory"] = "kong/dao/model_factory.lua",
+    ["kong.dao.migrations.helpers"] = "kong/dao/migrations/helpers.lua",
     ["kong.dao.migrations.cassandra"] = "kong/dao/migrations/cassandra.lua",
     ["kong.dao.migrations.postgres"] = "kong/dao/migrations/postgres.lua",
 

diff --git a/kong/dao/db/cassandra.lua b/kong/dao/db/cassandra.lua
@@ -212,6 +212,10 @@ function _M:first_coordinator()
   return true
 end
 
+function _M:get_coordinator()
+  return coordinator, coordinator and nil or "no coordinator has been set"
+end
+
 function _M:coordinator_change_keyspace(keyspace)
   if not coordinator then
     return nil, "no coordinator"

diff --git a/kong/dao/migrations/helpers.lua b/kong/dao/migrations/helpers.lua
@@ -0,0 +1,99 @@
+local json_decode = require("cjson.safe").decode
+
+
+local _M = {}
+
+
+-- Iterator to update plugin configurations.
+-- It works indepedent of the underlying datastore.
+-- @param dao the dao to use
+-- @param plugin_name the name of the plugin whos configurations
+-- to iterate over
+-- @return `ok+config+update` where `ok` is a boolean, `config` is the plugin configuration
+-- table (or the error if not ok), and `update` is an update function to call with
+-- the updated configuration table
+-- @usage
+--    up = function(_, _, dao)
+--      for ok, config, update in plugin_config_iterator(dao, "jwt") do
+--        if not ok then
+--          return config
+--        end
+--        if config.run_on_preflight == nil then
+--          config.run_on_preflight = true
+--          local _, err = update(config)
+--          if err then
+--            return err
+--          end
+--        end
+--      end
+--    end
+function _M.plugin_config_iterator(dao, plugin_name)
+
+  -- iterates over rows
+  local run_rows = function(t)
+    for _, row in ipairs(t) do
+      if type(row.config) == "string" then
+        -- de-serialize in case of Cassandra
+        local json, err = json_decode(row.config)
+        if not json then
+          return nil, ("json decoding error '%s' while decoding '%s'"):format( 
+                      tostring(err), tostring(row.config))
+        end
+        row.config = json
+      end
+      coroutine.yield(row.config, function(updated_config)
+        if type(updated_config) ~= "table" then
+          return nil, "expected table, got " .. type(updated_config)
+        end
+        row.created_at = nil
+        row.config = updated_config
+        return dao.plugins:update(row, {id = row.id})
+      end)
+    end
+    return true
+  end
+
+  local coro
+  if dao.db_type == "cassandra" then
+    coro = coroutine.create(function()
+      local coordinator = dao.db:get_coordinator()
+      for rows, err in coordinator:iterate([[
+                SELECT * FROM plugins WHERE name = ']] .. plugin_name .. [[';
+              ]]) do
+        if err then
+          return nil, nil, err
+        end
+
+        assert(run_rows(rows))
+      end
+    end)
+
+  elseif dao.db_type == "postgres" then
+    coro = coroutine.create(function()
+      local rows, err = dao.db:query([[
+        SELECT * FROM plugins WHERE name = ']] .. plugin_name .. [[';
+      ]])
+      if err then
+        return nil, nil, err
+      end
+
+      assert(run_rows(rows))
+    end)
+
+  else
+    coro = coroutine.create(function()
+      return nil, nil, "unknown database type: " .. tostring(dao.db_type)
+    end)
+  end
+
+  return function()
+    local coro_ok, config, update, err = coroutine.resume(coro)
+    if not coro_ok then return false, config end  -- coroutine errored out
+    if err         then return false, err    end  -- dao soft error
+    if not config  then return nil           end  -- iterator done
+    return true, config, update
+  end
+end
+
+
+return _M
diff --git a/kong/plugins/jwt/handler.lua b/kong/plugins/jwt/handler.lua
@@ -177,11 +177,7 @@ function JwtHandler:access(conf)
   JwtHandler.super.access(self)
 
   -- check if preflight request and whether it should be authenticated
-  if conf.run_on_preflight == false and get_method() == "OPTIONS" then
-    -- FIXME: the above `== false` test is because existing entries in the db will
-    -- have `nil` and hence will by default start passing the preflight request
-    -- This should be fixed by a migration to update the actual entries
-    -- in the datastore
+  if not conf.run_on_preflight and get_method() == "OPTIONS" then
     return
   end
 

diff --git a/kong/plugins/jwt/migrations/cassandra.lua b/kong/plugins/jwt/migrations/cassandra.lua
@@ -1,3 +1,5 @@
+local plugin_config_iterator = require("kong.dao.migrations.helpers").plugin_config_iterator
+
 return {
   {
     name = "2015-06-09-jwt-auth",
@@ -29,5 +31,23 @@ return {
       ALTER TABLE jwt_secrets DROP algorithm;
       ALTER TABLE jwt_secrets DROP rsa_public_key;
     ]]
-  }
+  },
+  {
+    name = "2017-07-31-120200_jwt-auth_preflight_default",
+    up = function(_, _, dao)
+      for ok, config, update in plugin_config_iterator(dao, "jwt") do
+        if not ok then
+          return config
+        end
+        if config.run_on_preflight == nil then
+          config.run_on_preflight = true
+          local _, err = update(config)
+          if err then
+            return err
+          end
+        end
+      end
+    end,
+    down = function(_, _, dao) end  -- not implemented
+  },
 }
diff --git a/kong/plugins/jwt/migrations/postgres.lua b/kong/plugins/jwt/migrations/postgres.lua
@@ -1,3 +1,5 @@
+local plugin_config_iterator = require("kong.dao.migrations.helpers").plugin_config_iterator
+
 return {
   {
     name = "2015-06-09-jwt-auth",
@@ -47,5 +49,23 @@ return {
     down = [[
       ALTER TABLE jwt_secrets ADD CONSTRAINT jwt_secrets_secret_key UNIQUE(secret);
     ]],
-  }
+  },
+  {
+    name = "2017-07-31-120200_jwt-auth_preflight_default",
+    up = function(_, _, dao)
+      for ok, config, update in plugin_config_iterator(dao, "jwt") do
+        if not ok then
+          return config
+        end
+        if config.run_on_preflight == nil then
+          config.run_on_preflight = true
+          local _, err = update(config)
+          if err then
+            return err
+          end
+        end
+      end
+    end,
+    down = function(_, _, dao) end  -- not implemented
+  },
 }
diff --git a/kong/plugins/key-auth/handler.lua b/kong/plugins/key-auth/handler.lua
@@ -158,11 +158,7 @@ function KeyAuthHandler:access(conf)
   KeyAuthHandler.super.access(self)
 
   -- check if preflight request and whether it should be authenticated
-  if conf.run_on_preflight == false and get_method() == "OPTIONS" then
-    -- FIXME: the above `== false` test is because existing entries in the db will
-    -- have `nil` and hence will by default start passing the preflight request
-    -- This should be fixed by a migration to update the actual entries
-    -- in the datastore
+  if not conf.run_on_preflight and get_method() == "OPTIONS" then
     return
   end
 

diff --git a/kong/plugins/key-auth/migrations/cassandra.lua b/kong/plugins/key-auth/migrations/cassandra.lua
@@ -1,3 +1,5 @@
+local plugin_config_iterator = require("kong.dao.migrations.helpers").plugin_config_iterator
+
 return {
   {
     name = "2015-07-31-172400_init_keyauth",
@@ -16,5 +18,23 @@ return {
     down = [[
       DROP TABLE keyauth_credentials;
     ]]
-  }
+  },
+  {
+    name = "2017-07-31-120200_key-auth_preflight_default",
+    up = function(_, _, dao)
+      for ok, config, update in plugin_config_iterator(dao, "key-auth") do
+        if not ok then
+          return config
+        end
+        if config.run_on_preflight == nil then
+          config.run_on_preflight = true
+          local _, err = update(config)
+          if err then
+            return err
+          end
+        end
+      end
+    end,
+    down = function(_, _, dao) end  -- not implemented
+  },
 }
diff --git a/kong/plugins/key-auth/migrations/postgres.lua b/kong/plugins/key-auth/migrations/postgres.lua
@@ -1,3 +1,5 @@
+local plugin_config_iterator = require("kong.dao.migrations.helpers").plugin_config_iterator
+
 return {
   {
     name = "2015-07-31-172400_init_keyauth",
@@ -23,5 +25,23 @@ return {
     down = [[
       DROP TABLE keyauth_credentials;
     ]]
-  }
+  },
+  {
+    name = "2017-07-31-120200_key-auth_preflight_default",
+    up = function(_, _, dao)
+      for ok, config, update in plugin_config_iterator(dao, "key-auth") do
+        if not ok then
+          return config
+        end
+        if config.run_on_preflight == nil then
+          config.run_on_preflight = true
+          local _, err = update(config)
+          if err then
+            return err
+          end
+        end
+      end
+    end,
+    down = function(_, _, dao) end  -- not implemented
+  },
 }