
Commit a1ce896

SkyeYoungjizhuozhi
authored and committed
fix: when only tls.verify, skip the logic of judging client cert (apache#12527)
* fix: judge cert in tls to avoid only `tls.verify`
* docs(admin-api): add missing tls.verify
* docs: typo
* test: add tls.verify only cases
* test: adjust cases
1 parent 2755f21 commit a1ce896

5 files changed

+118
-2
lines changed

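--- a/apisix/upstream.lua
+++ b/apisix/upstream.lua
@@ -261,8 +261,8 @@ function _M.set_by_route(route, api_ctx)
 local checker = healthcheck_manager.fetch_checker(up_conf.resource_key, resource_version)
 api_ctx.up_checker = checker
 local scheme = up_conf.scheme
-if (scheme == "https" or scheme == "grpcs") and up_conf.tls then
-
+local tls_has_cert = up_conf.tls and (up_conf.tls.client_cert or up_conf.tls.client_cert_id)
+if (scheme == "https" or scheme == "grpcs") and tls_has_cert then
 local client_cert, client_key
 if up_conf.tls.client_cert_id then
 client_cert = api_ctx.upstream_ssl.cert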
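Review bot: The new condition on line 265 turns `tls.verify = true` on an https/grpcs upstream into a silent no-op: with no client cert the whole block is skipped and nothing records that server-certificate verification was requested, while the docs added in this commit say the flag is only honoured for kafka upstreams. A one-line warning would make that visible to operators, e.g. `if up_conf.tls and up_conf.tls.verify and not tls_has_cert then core.log.warn("tls.verify is not applied to ", scheme, " upstream") end`, or the schema could reject `verify` for non-kafka schemes. `tls_has_cert` also holds the certificate string or id rather than a boolean, so `not not (...)` or a name like `tls_cert_configured` would read truer, and hoisting `local tls = up_conf.tls` would remove the three repeated lookups. set_by_route starts and ends outside the hunk, so whether `verify` is handled later in the function is not visible here.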

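--- a/docs/en/latest/admin-api.md
+++ b/docs/en/latest/admin-api.md
@@ -1019,6 +1019,7 @@ In addition to the equalization algorithm selections, Upstream also supports pas
 | tls.client_cert | False, can't be used with `tls.client_cert_id` | HTTPS certificate | Sets the client certificate while connecting to a TLS Upstream. | |
 | tls.client_key | False, can't be used with `tls.client_cert_id` | HTTPS certificate private key | Sets the client private key while connecting to a TLS Upstream. | |
 | tls.client_cert_id | False, can't be used with `tls.client_cert` and `tls.client_key` | SSL | Set the referenced [SSL](#ssl) id. | |
+| tls.verify | False, currently only kafka upstream is supported | Boolean | Turn on server certificate verification, currently only kafka upstream is supported. | |
 | keepalive_pool.size | False | Auxiliary | Sets `keepalive` directive dynamically. | |
 | keepalive_pool.idle_timeout | False | Auxiliary | Sets `keepalive_timeout` directive dynamically. | |
 | keepalive_pool.requests | False | Auxiliary | Sets `keepalive_requests` directive dynamically. | |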

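--- a/docs/zh/latest/admin-api.md
+++ b/docs/zh/latest/admin-api.md
@@ -1027,6 +1027,7 @@ APISIX 的 Upstream 除了基本的负载均衡算法选择外,还支持对上
 | tls.client_cert | 否,不能和 `tls.client_cert_id` 一起使用 | https 证书 | 设置跟上游通信时的客户端证书,详细信息请参考下文。 | |
 | tls.client_key | 否,不能和 `tls.client_cert_id` 一起使用 | https 证书私钥 | 设置跟上游通信时的客户端私钥,详细信息请参考下文。 | |
 | tls.client_cert_id | 否,不能和 `tls.client_cert`、`tls.client_key` 一起使用 | SSL | 设置引用的 SSL id,详见 [SSL](#ssl)。 | |
+| tls.verify |否,目前仅支持 Kafka 上游。 | Boolean | 开启服务器证书验证功能,目前仅支持 Kafka 上游。 | |
 |keepalive_pool.size | 否 | 辅助 | 动态设置 `keepalive` 指令,详细信息请参考下文。 |
 |keepalive_pool.idle_timeout | 否 | 辅助 | 动态设置 `keepalive_timeout` 指令,详细信息请参考下文。 |
 |keepalive_pool.requests | 否 | 辅助 | 动态设置 `keepalive_requests` 指令,详细信息请参考下文。 |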

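--- a/t/core/schema_def.t
+++ b/t/core/schema_def.t
@@ -232,6 +232,19 @@ passed
 assert(not ok)
 assert(err ~= nil)
 
+upstream = {
+nodes = {
+["127.0.0.1:8080"] = 1
+},
+type = "roundrobin",
+tls = {
+verify = false
+}
+}
+local ok, err = core.schema.check(schema_def.upstream, upstream)
+assert(ok)
+assert(err == nil)
+
 ngx.say("passed")
 }
 }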
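Review bot: `local ok, err = core.schema.check(schema_def.upstream, upstream)` on line 244 redeclares `ok` and `err`, which the preceding `assert(not ok)` shows already exist in this block; if those are locals of the same scope, luacheck will flag the shadowing, and a plain `ok, err = core.schema.check(schema_def.upstream, upstream)` reads as a continuation of the same test. The enclosing content_by_lua_block starts outside the hunk, so the earlier declaration is not visible here. The new case only pins that `verify = false` is schema-valid; a companion `verify = true` with no cert fields would pin exactly the shape TEST 19 in t/node/upstream-mtls.t submits through the admin API.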

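--- a/t/node/upstream-mtls.t
+++ b/t/node/upstream-mtls.t
@@ -682,3 +682,104 @@ GET /hello
 --- error_code: 502
 --- error_log
 failed to get ssl cert: ssl id [1] not exits
+
+
+
+=== TEST 19: `tls.verify` only
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin")
+local json = require("toolkit.json")
+local ssl_cert = t.read_file("t/certs/mtls_client.crt")
+local data = {
+upstream = {
+scheme = "https",
+type = "roundrobin",
+nodes = {
+["127.0.0.1:1983"] = 1,
+},
+tls = {
+verify = true
+}
+},
+uri = "/hello"
+}
+local code, body = t.test('/apisix/admin/routes/1',
+ngx.HTTP_PUT,
+json.encode(data)
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 20: hit
+When only `tls.verify` is present, the matching logic related to
+`client_cert`, `client_key` or `client_cert_id` should not be entered
+--- request
+GET /hello
+--- response_body
+hello world
+
+
+
+=== TEST 21: set `verify` with `client_cert`, `client_key`
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin")
+local json = require("toolkit.json")
+local ssl_cert = t.read_file("t/certs/mtls_client.crt")
+local ssl_key = t.read_file("t/certs/mtls_client.key")
+local data = {
+upstream = {
+scheme = "https",
+type = "roundrobin",
+nodes = {
+["127.0.0.1:1983"] = 1,
+},
+tls = {
+client_cert = ssl_cert,
+client_key = ssl_key,
+verify = true
+}
+},
+uri = "/hello"
+}
+local code, body = t.test('/apisix/admin/routes/1',
+ngx.HTTP_PUT,
+json.encode(data)
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 22: hit
+`tls.verify` does not affect the parsing of `client_cert`, `client_key`
+--- upstream_server_config
+ssl_client_certificate ../../certs/mtls_ca.crt;
+ssl_verify_client on;
+--- request
+GET /hello
+--- response_body
+hello world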
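Review bot: `local ssl_cert = t.read_file("t/certs/mtls_client.crt")` in TEST 19 (line 694) is never used, since that route sets only `tls.verify`; dropping the line keeps the case from suggesting a client cert is involved. TEST 20 then succeeds against 127.0.0.1:1983 with `verify = true` and no CA configured, which shows the flag is not enforced for https upstreams rather than that verification works; saying so in the description, e.g. `tls.verify is not enforced for https upstreams, so the request succeeds without a CA`, would stop the case from being read the other way. The description of TEST 22 says "parsing" where the code path loads the cert and key; `loading` would match what the upstream.lua hunk does.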
