From 7690ecca9c5f864fc02741abadc811f17ed1d8db Mon Sep 17 00:00:00 2001
From: spacewander
Date: Mon, 15 Mar 2021 19:36:10 +0800
Subject: [PATCH] fix: correct the validation for ssl_trusted_certificate
Signed-off-by: spacewander
---
 apisix/cli/ops.lua | 11 ++++++++++-
 bin/apisix | 4 ++--
 rockspec/apisix-master-0.rockspec | 1 +
 t/cli/test_validate_config.sh | 14 ++++++++++++++
 4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index 6a206fab232a..1e8f4cf58e8a 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -22,6 +22,7 @@ local ngx_tpl = require("apisix.cli.ngx_tpl")
 local profile = require("apisix.core.profile")
 local template = require("resty.template")
 local argparse = require("argparse")
+local pl_path = require("pl.path")
 local stderr = io.stderr
 local ipairs = ipairs
@@ -260,10 +261,18 @@ Please modify "admin_key" in conf/config.yaml .
 end
 if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
- local ok, err = util.is_file_exist(yaml_conf.apisix.ssl.ssl_trusted_certificate)
+ local cert_path = yaml_conf.apisix.ssl.ssl_trusted_certificate
+ -- During validation, the path is relative to PWD
+ -- When Nginx starts, the path is relative to conf
+ -- Therefore we need to check the absolute version instead
+ cert_path = pl_path.abspath(cert_path)
+
+ local ok, err = util.is_file_exist(cert_path)
 if not ok then
 util.die(err, "\n")
 end
+
+ yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path
 end
 local admin_api_mtls = yaml_conf.apisix.admin_api_mtls
diff --git a/bin/apisix b/bin/apisix
index 7a2e6753aaa9..dbdc29023414 100755
--- a/bin/apisix
+++ b/bin/apisix
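Review bot: In apisix/cli/ops.lua, `pl_path.abspath(cert_path)` resolves a relative `ssl_trusted_certificate` against the working directory of the CLI process, and the result is written back into `yaml_conf`, so which CA file is validated and later used depends on where the command was launched from. If this file is the trust anchor for TLS verification (the name suggests so), anchoring relative paths to a fixed base such as the installation prefix, or printing the resolved path, would make the choice explicit to the operator. The value also reaches `abspath` without a type check, so a non-string YAML value would probably raise a Lua error instead of a clean exit; `if type(cert_path) ~= "string" then util.die("ssl_trusted_certificate should be a string\n") end` before the call would cover it. The enclosing function starts and ends outside the hunk.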
@@ -44,11 +44,11 @@
 if [[ -e $OR_EXEC && "$OR_VER" =~ "1.19" ]]; then
 # use the luajit of openresty
 echo "$LUAJIT_BIN $APISIX_LUA $*"
- $LUAJIT_BIN $APISIX_LUA $*
+ exec $LUAJIT_BIN $APISIX_LUA $*
 elif [[ "$LUA_VERSION" =~ "Lua 5.1" ]]; then
 # OpenResty version is not 1.19, use Lua 5.1 by default
 echo "lua $APISIX_LUA $*"
- lua $APISIX_LUA $*
+ exec lua $APISIX_LUA $*
 else
 echo "ERROR: Please check the version of OpenResty and Lua, OpenResty 1.19 and Lua 5.1 are recommended before install Apache APISIX."
 fi
diff --git a/rockspec/apisix-master-0.rockspec b/rockspec/apisix-master-0.rockspec
index ec96c6b2c048..4020c80ecba6 100644
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@@ -65,6 +65,7 @@ dependencies = {
 "luasocket = 3.0rc1-2",
 "luasec = 0.9-1",
 "lua-resty-consul = 0.3-2",
+ "penlight = 1.9.2-1",
 }
 build = {
diff --git a/t/cli/test_validate_config.sh b/t/cli/test_validate_config.sh
index 1d2659d405b2..65ce69277aa6 100755
--- a/t/cli/test_validate_config.sh
+++ b/t/cli/test_validate_config.sh
@@ -33,3 +33,17 @@ if ! echo "$out" | grep 'dns_resolver_valid should be a number'; then
 fi
 echo "passed: dns_resolver_valid should be a number"
+
+echo '
+apisix:
+ ssl:
+ ssl_trusted_certificate: t/certs/mtls_ca.crt
+' > conf/config.yaml
+
+out=$(make run 2>&1)
+if echo "$out" | grep 'no such file'; then
+ echo "failed: find the certificate correctly"
+ exit 1
+fi
+
+echo "passed: find the certificate correctly"
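Review bot: In bin/apisix, both new `exec` lines pass the arguments as unquoted `$*`, so an argument containing whitespace or glob characters is re-split and expanded by the shell before it reaches the Lua CLI. `exec "$LUAJIT_BIN" "$APISIX_LUA" "$@"` and `exec lua "$APISIX_LUA" "$@"` keep each argument intact. The `else` branch still only echoes the error; if nothing follows the `fi` outside the hunk, the script would exit with status 0 there, and an `exit 1` after the message would let callers detect the failure.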
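Review bot: In t/cli/test_validate_config.sh, the new case only asserts that the output does not contain 'no such file', so it also passes when `make run` fails for an unrelated reason before the certificate check is reached. Checking the exit status as well, for example `if ! out=$(make run 2>&1); then echo "failed: find the certificate correctly"; exit 1; fi`, would pin the positive outcome. The hunk does not show whether the instance started by `make run` is stopped again, which later cases in the script may depend on.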