From 79b489cc1998be38b0ae6908e55225c474f18358 Mon Sep 17 00:00:00 2001 From: Thibault Charbonnier Date: Tue, 14 Jul 2015 19:46:51 -0700 Subject: [PATCH 1/3] feat(dao) Add authentication capability Switch to lua-cassandra 0.3.3-0 and add some code to be able to use authentication and SSL encryption to communicate with a Cassandra cluster Properties to add to the cassandra.properties settings: ssl: true ssl_verify: true ssl_certificate: "/path/to/cluster-ca-certificate.pem" user: cassandra password: cassandra Former-commit-id: b7e1ecf25c871f56ba2888165f8788760a5a5a27 --- kong-0.4.1-1.rockspec | 2 +- kong/cli/utils/signal.lua | 3 +- kong/cli/utils/utils.lua | 3 -- kong/dao/cassandra/apis.lua | 4 +-- kong/dao/cassandra/base_dao.lua | 12 ++++---- kong/dao/cassandra/consumers.lua | 2 +- kong/dao/cassandra/factory.lua | 28 ++++++++++++++++--- kong/dao/cassandra/plugins_configurations.lua | 2 +- kong/plugins/ratelimiting/daos.lua | 2 +- .../dao/cassandra/base_dao_spec.lua | 2 +- 10 files changed, 40 insertions(+), 20 deletions(-) diff --git a/kong-0.4.1-1.rockspec b/kong-0.4.1-1.rockspec index 4298b39c4bab..ce503b049a65 100644 --- a/kong-0.4.1-1.rockspec +++ b/kong-0.4.1-1.rockspec @@ -19,7 +19,7 @@ dependencies = { "yaml ~> 1.1.1-1", "lapis ~> 1.1.0-1", "stringy ~> 0.4-1", - "kong-cassandra ~> 0.5-8", + "lua-cassandra ~> 0.3.3-0", "multipart ~> 0.1-3", "lua-path ~> 0.2.3-1", "lua-cjson ~> 2.1.0-1", diff --git a/kong/cli/utils/signal.lua b/kong/cli/utils/signal.lua index f461c2bde230..9313e9280c5d 100644 --- a/kong/cli/utils/signal.lua +++ b/kong/cli/utils/signal.lua @@ -112,7 +112,8 @@ local function prepare_nginx_working_dir(args_config) dns_resolver = "127.0.0.1:"..kong_config.dnsmasq_port, memory_cache_size = kong_config.memory_cache_size, ssl_cert = ssl_cert_path, - ssl_key = ssl_key_path + ssl_key = ssl_key_path, + lua_ssl_trusted_certificate = kong_config.databases_available[kong_config.database].properties.ssl_certificate or "no" } -- Auto-tune diff --git a/kong/cli/utils/utils.lua b/kong/cli/utils/utils.lua index 9fa9f99df5a8..901a8ab38f7e 100644 --- a/kong/cli/utils/utils.lua +++ b/kong/cli/utils/utils.lua @@ -55,9 +55,6 @@ end function Logger:error_exit(str) self:error(str) - -- Optional stacktrace - --print("") - --error("", 2) os.exit(1) end diff --git a/kong/dao/cassandra/apis.lua b/kong/dao/cassandra/apis.lua index 92c455d49947..5852f508b7e6 100644 --- a/kong/dao/cassandra/apis.lua +++ b/kong/dao/cassandra/apis.lua @@ -13,7 +13,7 @@ end function Apis:find_all() local apis = {} local select_q = query_builder.select(self._table) - for _, rows, page, err in Apis.super.execute(self, select_q, nil, nil, {auto_paging=true}) do + for rows, err in Apis.super.execute(self, select_q, nil, nil, {auto_paging=true}) do if err then return nil, err end @@ -37,7 +37,7 @@ function Apis:delete(where_t) local plugins_dao = self._factory.plugins_configurations local select_q, columns = query_builder.select(plugins_dao._table, {api_id = where_t.id}, plugins_dao._column_family_details) - for _, rows, page, err in plugins_dao:execute(select_q, columns, {api_id = where_t.id}, {auto_paging = true}) do + for rows, err in plugins_dao:execute(select_q, columns, {api_id = where_t.id}, {auto_paging = true}) do if err then return nil, err end diff --git a/kong/dao/cassandra/base_dao.lua b/kong/dao/cassandra/base_dao.lua index 27898a2cd670..82a08e4b485e 100644 --- a/kong/dao/cassandra/base_dao.lua +++ b/kong/dao/cassandra/base_dao.lua @@ -12,7 +12,7 @@ local Object = require "classic" local utils = require "kong.tools.utils" local uuid = require "uuid" -local cassandra_constants = require "cassandra.constants" +local cassandra_constants = cassandra.constants local error_types = constants.DATABASE_ERROR_TYPES local BaseDao = Object:extend() @@ -62,16 +62,18 @@ function BaseDao:_open_session(keyspace) local ok, err -- Start cassandra session - local session = cassandra.new() + local session = cassandra:new() session:set_timeout(self._properties.timeout) - ok, err = session:connect(self._properties.hosts, self._properties.port) + local options = self._factory:get_session_options() + + ok, err = session:connect(self._properties.hosts, self._properties.port, options) if not ok then return nil, DaoError(err, error_types.DATABASE) end local times, err = session:get_reused_times() - if err and err ~= "luasocket does not support reusable sockets" then + if err and err.message ~= "luasocket does not support reusable sockets" then return nil, DaoError(err, error_types.DATABASE) end @@ -92,7 +94,7 @@ end function BaseDao:_close_session(session) -- Back to the pool or close if using luasocket local ok, err = session:set_keepalive(self._properties.keepalive) - if not ok and err == "luasocket does not support reusable sockets" then + if not ok and err.message == "luasocket does not support reusable sockets" then ok, err = session:close() end diff --git a/kong/dao/cassandra/consumers.lua b/kong/dao/cassandra/consumers.lua index e5488c9cf732..b054e1d73545 100644 --- a/kong/dao/cassandra/consumers.lua +++ b/kong/dao/cassandra/consumers.lua @@ -22,7 +22,7 @@ function Consumers:delete(where_t) local select_q, columns = query_builder.select(plugins_dao._table, {consumer_id = where_t.id}, plugins_dao._column_family_details) -- delete all related plugins configurations - for _, rows, page, err in plugins_dao:execute(select_q, columns, {consumer_id = where_t.id}, {auto_paging = true}) do + for rows, err in plugins_dao:execute(select_q, columns, {consumer_id = where_t.id}, {auto_paging = true}) do if err then return nil, err end diff --git a/kong/dao/cassandra/factory.lua b/kong/dao/cassandra/factory.lua index 9a60c3aebe10..625a5444c740 100644 --- a/kong/dao/cassandra/factory.lua +++ b/kong/dao/cassandra/factory.lua @@ -67,6 +67,21 @@ function CassandraFactory:drop() end end +function CassandraFactory:get_session_options() + local options = { + ssl = self._properties.ssl, + ssl_verify = self._properties.ssl_verify, + ca_file = self._properties.ssl_certificate -- in case of using luasocket + } + + if self._properties.user and self._properties.password then + local PasswordAuthenticator = require "cassandra.authenticators.PasswordAuthenticator" + options.authenticator = PasswordAuthenticator(self._properties.user, self._properties.password) + end + + return options +end + -- Prepare all statements of collections `queries` property and put them -- in a statements cache -- @@ -88,9 +103,12 @@ function CassandraFactory:prepare() end -- Check cassandra is accessible - local session = cassandra.new() + local session = cassandra:new() session:set_timeout(self._properties.timeout) - local ok, co_err = session:connect(self._properties.hosts, self._properties.port) + + local options = self:get_session_options() + + local ok, co_err = session:connect(self._properties.hosts, self._properties.port, options) session:close() if not ok then @@ -114,10 +132,12 @@ end -- @return {string} error if any function CassandraFactory:execute_queries(queries, no_keyspace) local ok, err - local session = cassandra.new() + local session = cassandra:new() session:set_timeout(self._properties.timeout) - ok, err = session:connect(self._properties.hosts, self._properties.port) + local options = self:get_session_options() + + ok, err = session:connect(self._properties.hosts, self._properties.port, options) if not ok then return DaoError(err, constants.DATABASE_ERROR_TYPES.DATABASE) end diff --git a/kong/dao/cassandra/plugins_configurations.lua b/kong/dao/cassandra/plugins_configurations.lua index b2273af63ad4..f5a1547b13b1 100644 --- a/kong/dao/cassandra/plugins_configurations.lua +++ b/kong/dao/cassandra/plugins_configurations.lua @@ -55,7 +55,7 @@ function PluginsConfigurations:find_distinct() -- Execute query local distinct_names = {} - for _, rows, page, err in PluginsConfigurations.super.execute(self, select_q, nil, nil, {auto_paging=true}) do + for rows, err in PluginsConfigurations.super.execute(self, select_q, nil, nil, {auto_paging=true}) do if err then return nil, err end diff --git a/kong/plugins/ratelimiting/daos.lua b/kong/plugins/ratelimiting/daos.lua index 0bec02a918c3..692275e0838f 100644 --- a/kong/plugins/ratelimiting/daos.lua +++ b/kong/plugins/ratelimiting/daos.lua @@ -26,7 +26,7 @@ end function RateLimitingMetrics:increment(api_id, identifier, current_timestamp) local periods = timestamp.get_timestamps(current_timestamp) - local batch = cassandra.BatchStatement(cassandra.batch_types.COUNTER) + local batch = cassandra:BatchStatement(cassandra.batch_types.COUNTER) for period, period_date in pairs(periods) do batch:add(self.queries.increment_counter, { diff --git a/spec/integration/dao/cassandra/base_dao_spec.lua b/spec/integration/dao/cassandra/base_dao_spec.lua index 5193b31fb468..ec5c2478a6d7 100644 --- a/spec/integration/dao/cassandra/base_dao_spec.lua +++ b/spec/integration/dao/cassandra/base_dao_spec.lua @@ -45,7 +45,7 @@ describe("Cassandra", function() spec_helper.prepare_db() -- Create a parallel session to verify the dao's behaviour - session = cassandra.new() + session = cassandra:new() session:set_timeout(configuration.cassandra.timeout) local _, err = session:connect(configuration.cassandra.hosts, configuration.cassandra.port) From 55d22cc2d95868cb0c4b9c5cc4fea0cf13a7e63a Mon Sep 17 00:00:00 2001 From: Thibault Charbonnier Date: Wed, 15 Jul 2015 15:27:18 -0700 Subject: [PATCH 2/3] feat(cass ssl) bump driver to 0.3.5 and missing nginx directive Former-commit-id: 5dd4e9ad28b0a612f95c1f898890f371960105f1 --- kong-0.4.1-1.rockspec | 2 +- kong.yml | 1 + kong/cli/utils/signal.lua | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/kong-0.4.1-1.rockspec b/kong-0.4.1-1.rockspec index ce503b049a65..640109571cae 100644 --- a/kong-0.4.1-1.rockspec +++ b/kong-0.4.1-1.rockspec @@ -19,7 +19,7 @@ dependencies = { "yaml ~> 1.1.1-1", "lapis ~> 1.1.0-1", "stringy ~> 0.4-1", - "lua-cassandra ~> 0.3.3-0", + "lua-cassandra ~> 0.3.5-0", "multipart ~> 0.1-3", "lua-path ~> 0.2.3-1", "lua-cjson ~> 2.1.0-1", diff --git a/kong.yml b/kong.yml index ab0f38ba1063..d7270211f159 100644 --- a/kong.yml +++ b/kong.yml @@ -113,6 +113,7 @@ nginx: | lua_shared_dict locks 100k; lua_shared_dict cache {{memory_cache_size}}m; lua_socket_log_errors off; + {{lua_ssl_trusted_certificate}} init_by_lua ' kong = require "kong" diff --git a/kong/cli/utils/signal.lua b/kong/cli/utils/signal.lua index 9313e9280c5d..a2f030bad9f4 100644 --- a/kong/cli/utils/signal.lua +++ b/kong/cli/utils/signal.lua @@ -102,6 +102,7 @@ local function prepare_nginx_working_dir(args_config) end local ssl_cert_path, ssl_key_path = cutils.get_ssl_cert_and_key(kong_config) + local trusted_ssl_cert_path = kong_config.databases_available[kong_config.database].properties.ssl_certificate -- DAO ssl cert -- Extract nginx config from kong config, replace any needed value local nginx_config = kong_config.nginx @@ -113,7 +114,7 @@ local function prepare_nginx_working_dir(args_config) memory_cache_size = kong_config.memory_cache_size, ssl_cert = ssl_cert_path, ssl_key = ssl_key_path, - lua_ssl_trusted_certificate = kong_config.databases_available[kong_config.database].properties.ssl_certificate or "no" + lua_ssl_trusted_certificate = trusted_ssl_cert_path ~= nil and "lua_ssl_trusted_certificate \""..trusted_ssl_cert_path.."\";" or "" } -- Auto-tune From b6163e5f4586f9ffa44c2e406da257fea42b0e62 Mon Sep 17 00:00:00 2001 From: Thibault Charbonnier Date: Tue, 21 Jul 2015 12:17:27 -0700 Subject: [PATCH 3/3] fix(tests) enable error traces and fix config test Former-commit-id: 5b9d50ecb7c0f7c7a4a0718c7fc99711067e1fef --- Makefile | 5 ++++- spec/unit/statics_spec.lua | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f05945d8561a..2921e04c24b8 100644 --- a/Makefile +++ b/Makefile @@ -51,7 +51,7 @@ lint: @find kong spec -name '*.lua' ! -name 'invalid-module.lua' | xargs luacheck -q test: - @busted spec/unit + @busted -v spec/unit test-integration: @busted spec/integration @@ -67,3 +67,6 @@ coverage: @busted --coverage spec/ @luacov -c spec/.luacov @tail -n 1 luacov.report.out | awk '{ print $$3 }' + +test-all: + @busted -v spec/ diff --git a/spec/unit/statics_spec.lua b/spec/unit/statics_spec.lua index e5fd9b122e6f..44a194d1cd4f 100644 --- a/spec/unit/statics_spec.lua +++ b/spec/unit/statics_spec.lua @@ -153,6 +153,7 @@ nginx: | lua_shared_dict locks 100k; lua_shared_dict cache {{memory_cache_size}}m; lua_socket_log_errors off; + {{lua_ssl_trusted_certificate}} init_by_lua ' kong = require "kong"