From dd9df614443e919490f3f08be3699c2486325449 Mon Sep 17 00:00:00 2001 From: Thibault Charbonnier Date: Wed, 1 Jul 2015 01:13:19 +0200 Subject: [PATCH] feat: blocking consumer_id for SSL Handled with a custom check in SSL's `on_insert` event. Waiting for global plugins implementation for a cleaner, more generic solution. Fix #322 --- kong/dao/schemas/plugins_configurations.lua | 13 +- kong/dao/schemas_validation.lua | 2 +- kong/plugins/ssl/schema.lua | 1 + spec/plugins/ssl/access_spec.lua | 99 ++++++++++ spec/plugins/ssl/api_spec.lua | 36 ++++ spec/plugins/ssl/fixtures.lua | 32 ++++ spec/plugins/ssl_spec.lua | 194 -------------------- spec/unit/dao/entities_schemas_spec.lua | 33 +++- 8 files changed, 213 insertions(+), 197 deletions(-) create mode 100644 spec/plugins/ssl/access_spec.lua create mode 100644 spec/plugins/ssl/api_spec.lua create mode 100644 spec/plugins/ssl/fixtures.lua delete mode 100644 spec/plugins/ssl_spec.lua diff --git a/kong/dao/schemas/plugins_configurations.lua b/kong/dao/schemas/plugins_configurations.lua index 89764d2f0595..08092220f48b 100644 --- a/kong/dao/schemas/plugins_configurations.lua +++ b/kong/dao/schemas/plugins_configurations.lua @@ -26,7 +26,18 @@ return { value = { type = "table", schema = load_value_schema }, enabled = { type = "boolean", default = true } }, - on_insert = function(plugin_t, dao) + on_insert = function(plugin_t, dao, schema) + -- Load the value schema + local value_schema, err = schema.fields.value.schema(plugin_t) + if err then + return false, err + end + + -- Check if the schema has a `no_consumer` field + if value_schema.no_consumer and plugin_t.consumer_id ~= nil and plugin_t.consumer_id ~= constants.DATABASE_NULL_ID then + return false, DaoError("No consumer can be configured for that plugin", constants.DATABASE_ERROR_TYPES.SCHEMA) + end + local res, err = dao.plugins_configurations:find_by_keys({ name = plugin_t.name, api_id = plugin_t.api_id, diff --git a/kong/dao/schemas_validation.lua b/kong/dao/schemas_validation.lua index 04dbd387fe43..78ca8517f7dd 100644 --- a/kong/dao/schemas_validation.lua +++ b/kong/dao/schemas_validation.lua @@ -195,7 +195,7 @@ end function _M.on_insert(t, schema, dao) if schema.on_insert and type(schema.on_insert) == "function" then - local valid, err = schema.on_insert(t, dao) + local valid, err = schema.on_insert(t, dao, schema) if not valid or err then return false, err else diff --git a/kong/plugins/ssl/schema.lua b/kong/plugins/ssl/schema.lua index f3a329a23a8b..11c897eacd77 100644 --- a/kong/plugins/ssl/schema.lua +++ b/kong/plugins/ssl/schema.lua @@ -18,6 +18,7 @@ local function validate_key(v) end return { + no_consumer = true, fields = { cert = { required = true, type = "string", func = validate_cert }, key = { required = true, type = "string", func = validate_key }, diff --git a/spec/plugins/ssl/access_spec.lua b/spec/plugins/ssl/access_spec.lua new file mode 100644 index 000000000000..cda24bc31b2c --- /dev/null +++ b/spec/plugins/ssl/access_spec.lua @@ -0,0 +1,99 @@ +local spec_helper = require "spec.spec_helpers" +local ssl_util = require "kong.plugins.ssl.ssl_util" +local url = require "socket.url" +local IO = require "kong.tools.io" +local http_client = require "kong.tools.http_client" +local cjson = require "cjson" +local ssl_fixtures = require "spec.plugins.ssl.fixtures" + +local STUB_GET_SSL_URL = spec_helper.STUB_GET_SSL_URL +local STUB_GET_URL = spec_helper.STUB_GET_URL +local API_URL = spec_helper.API_URL + +describe("SSL Plugin", function() + + setup(function() + spec_helper.prepare_db() + spec_helper.insert_fixtures { + api = { + { name = "API TESTS 11 (ssl)", public_dns = "ssl1.com", target_url = "http://mockbin.com" }, + { name = "API TESTS 12 (ssl)", public_dns = "ssl2.com", target_url = "http://mockbin.com" }, + { name = "API TESTS 13 (ssl)", public_dns = "ssl3.com", target_url = "http://mockbin.com" } + }, + plugin_configuration = { + { name = "ssl", value = { cert = ssl_fixtures.cert, key = ssl_fixtures.key }, __api = 1 }, + { name = "ssl", value = { cert = ssl_fixtures.cert, key = ssl_fixtures.key, only_https = true }, __api = 2 } + } + } + + spec_helper.start_kong() + end) + + teardown(function() + spec_helper.stop_kong() + end) + + describe("SSL Util", function() + + it("should not convert an invalid cert to DER", function() + assert.falsy(ssl_util.cert_to_der("asd")) + end) + + it("should convert a valid cert to DER", function() + assert.truthy(ssl_util.cert_to_der(ssl_fixtures.cert)) + end) + + it("should not convert an invalid key to DER", function() + assert.falsy(ssl_util.key_to_der("asd")) + end) + + it("should convert a valid key to DER", function() + assert.truthy(ssl_util.key_to_der(ssl_fixtures.key)) + end) + + end) + + describe("SSL Resolution", function() + + it("should return default CERTIFICATE when requesting other APIs", function() + local parsed_url = url.parse(STUB_GET_SSL_URL) + local res = IO.os_execute("(echo \"GET /\"; sleep 2) | openssl s_client -connect "..parsed_url.host..":"..tostring(parsed_url.port).." -servername test4.com") + + assert.truthy(res:match("US/ST=California/L=San Francisco/O=Kong/OU=IT/CN=localhost")) + end) + + it("should work when requesting a specific API", function() + local parsed_url = url.parse(STUB_GET_SSL_URL) + local res = IO.os_execute("(echo \"GET /\"; sleep 2) | openssl s_client -connect "..parsed_url.host..":"..tostring(parsed_url.port).." -servername ssl1.com") + + assert.truthy(res:match("US/ST=California/L=San Francisco/O=Kong/OU=IT/CN=ssl1.com")) + end) + + end) + + describe("only_https", function() + + it("should block request without https", function() + local response, status, headers = http_client.get(STUB_GET_URL, nil, { host = "ssl2.com" }) + assert.are.equal(426, status) + assert.are.same("close, Upgrade", headers.connection) + assert.are.same("TLS/1.0, HTTP/1.1", headers.upgrade) + assert.are.same("Please use HTTPS protocol", cjson.decode(response).message) + end) + + it("should not block request with https", function() + local _, status = http_client.get(STUB_GET_SSL_URL, nil, { host = "ssl2.com" }) + assert.are.equal(200, status) + end) + + end) + + describe("should work with curl", function() + local response = http_client.get(API_URL.."/apis/", {public_dns="ssl3.com"}) + local api_id = cjson.decode(response).data[1].id + local current_path = IO.os_execute("pwd") + local res = IO.os_execute("curl -s -o /dev/null -w \"%{http_code}\" "..API_URL.."/apis/"..api_id.."/plugins/ --form \"name=ssl\" --form \"value.cert=@"..current_path.."/ssl/kong-default.crt\" --form \"value.key=@"..current_path.."/ssl/kong-default.key\"") + assert.are.equal("201", res) + end) + +end) diff --git a/spec/plugins/ssl/api_spec.lua b/spec/plugins/ssl/api_spec.lua new file mode 100644 index 000000000000..fe538d6eb5a0 --- /dev/null +++ b/spec/plugins/ssl/api_spec.lua @@ -0,0 +1,36 @@ +local json = require "cjson" +local http_client = require "kong.tools.http_client" +local spec_helper = require "spec.spec_helpers" +local ssl_fixtures = require "spec.plugins.ssl.fixtures" + +describe("SSL API", function() + local BASE_URL + + setup(function() + spec_helper.prepare_db() + spec_helper.start_kong() + spec_helper.insert_fixtures { + api = { + {name = "mockbin", public_dns = "mockbin.com", target_url = "http://mockbin.com"} + } + } + BASE_URL = spec_helper.API_URL.."/apis/mockbin/plugins/" + end) + + teardown(function() + spec_helper.stop_kong() + end) + + describe("/apis/:api/plugins", function() + + it("should refuse to set a `consumer_id` if asked to", function() + local response, status = http_client.post_multipart(BASE_URL, + {name = "ssl", consumer_id = "0000", ["value.cert"] = ssl_fixtures.cert, ["value.key"] = ssl_fixtures.key} + ) + assert.equal(400, status) + local body = json.decode(response) + assert.equal("No consumer can be configured for that plugin", body.message) + end) + + end) +end) diff --git a/spec/plugins/ssl/fixtures.lua b/spec/plugins/ssl/fixtures.lua new file mode 100644 index 000000000000..69d7775e6abc --- /dev/null +++ b/spec/plugins/ssl/fixtures.lua @@ -0,0 +1,32 @@ +return { + cert = [[-----BEGIN CERTIFICATE----- +MIICSTCCAbICCQDZ7lxm1iUKmDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN +MAsGA1UECgwES29uZzELMAkGA1UECwwCSVQxETAPBgNVBAMMCHNzbDEuY29tMB4X +DTE1MDUxOTAwNTAzNloXDTE1MDYxODAwNTAzNlowaTELMAkGA1UEBhMCVVMxEzAR +BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV +BAoMBEtvbmcxCzAJBgNVBAsMAklUMREwDwYDVQQDDAhzc2wxLmNvbTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAxOixlvURWF+WfMbG4alhrd3JcavYOGxiBcOv +0qA2v2a89S5JyD43O2uC8TfE6JZc3UT5kjRKRqIA8QDTYn3XGoJwkvYd1w9oXm3R +sZXXbi05PD0oXABtIIbH+0NllXRucdeODlXLi80mCvhVIIDjHifqDRiukecZGapE +rvTsPjMCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCVQdpCfTZLJk0XUu5RnenHpamp +5ZRsdKA+jwE0kwuSWXx/WbsU35GJx1QVrfnmk7qJpwwg/ZbL/KMTUpY21a4ZyITQ +WKHxfY3Klqh18Ll7oBDa9fhuhPE4G8tIum/xY3Z3mHBuXDmBxARD0bOPEJtJQw+H +LGenf2mYrZBfL47wZw== +-----END CERTIFICATE-----]], + key = [[-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDE6LGW9RFYX5Z8xsbhqWGt3clxq9g4bGIFw6/SoDa/Zrz1LknI +Pjc7a4LxN8TollzdRPmSNEpGogDxANNifdcagnCS9h3XD2hebdGxldduLTk8PShc +AG0ghsf7Q2WVdG5x144OVcuLzSYK+FUggOMeJ+oNGK6R5xkZqkSu9Ow+MwIDAQAB +AoGAcYkqPLx5j9ct0ixbKGqd475qFJzdQ0tbCa/XhT7T0nDOqyBRcqBNAHnxOlzJ +sMJiMUNAE8kKusdWe5/aQoQErkVuO9sh1U6sPr7mVD/JWmE08MRzhMwxUVP+HsXM +EZky0M6TWNyghtvyElUiHTIW8quVdjn8oXQIbR/07VXEVmECQQDj6dHJ4XxXIvE1 +HQ+49EbbM9l7KFd7t2cpmng1+U4yqMGwNVk3MmEVKU8NiI/BVhznPvp0HH3QyLpV +ShPt9SltAkEA3SzAZ5/UhjycKXgLsgidwDVWOpYweWU7KDsfrr+cSJkmzw7y9WYr +vshdPYA2iSm83aY1vTzwSRV6udpZfBLiHwJBAJ1HfDie3JmdSWtn1LPEDymyDEEL +Q+PiWtTA/nfwxV/8ST16c0i+AXUC/sTOGrZG4MdMFLYP+1sbSksVRc+OwbkCQQCy +DFKfmOUnYyd7oq4XliQYFVfjNgCz2TB0RJROwuV29ANv8GLZ9nQE05tr5QkCBl2K +OUFNo/7zdp0jfIlI/pKVAkA04q30OSEBIHBj/MmapVVSRaQiYfSMLV176nA4xqhz +JkHk9MH9WKKGIchn0LvfUFHxTeBFERoREQo2A82B/WpO +-----END RSA PRIVATE KEY-----]] +} diff --git a/spec/plugins/ssl_spec.lua b/spec/plugins/ssl_spec.lua deleted file mode 100644 index 67be4819b23a..000000000000 --- a/spec/plugins/ssl_spec.lua +++ /dev/null @@ -1,194 +0,0 @@ -local spec_helper = require "spec.spec_helpers" -local ssl_util = require "kong.plugins.ssl.ssl_util" -local url = require "socket.url" -local IO = require "kong.tools.io" -local http_client = require "kong.tools.http_client" -local cjson = require "cjson" - -local STUB_GET_SSL_URL = spec_helper.STUB_GET_SSL_URL -local STUB_GET_URL = spec_helper.STUB_GET_URL -local API_URL = spec_helper.API_URL - -describe("SSL Plugin", function() - - setup(function() - spec_helper.prepare_db() - spec_helper.insert_fixtures { - api = { - { name = "API TESTS 11 (ssl)", public_dns = "ssl1.com", target_url = "http://mockbin.com" }, - { name = "API TESTS 12 (ssl)", public_dns = "ssl2.com", target_url = "http://mockbin.com" }, - { name = "API TESTS 13 (ssl)", public_dns = "ssl3.com", target_url = "http://mockbin.com" } - }, - plugin_configuration = { - { name = "ssl", value = { cert = [[ ------BEGIN CERTIFICATE----- -MIICSTCCAbICCQDZ7lxm1iUKmDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN -MAsGA1UECgwES29uZzELMAkGA1UECwwCSVQxETAPBgNVBAMMCHNzbDEuY29tMB4X -DTE1MDUxOTAwNTAzNloXDTE1MDYxODAwNTAzNlowaTELMAkGA1UEBhMCVVMxEzAR -BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV -BAoMBEtvbmcxCzAJBgNVBAsMAklUMREwDwYDVQQDDAhzc2wxLmNvbTCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEAxOixlvURWF+WfMbG4alhrd3JcavYOGxiBcOv -0qA2v2a89S5JyD43O2uC8TfE6JZc3UT5kjRKRqIA8QDTYn3XGoJwkvYd1w9oXm3R -sZXXbi05PD0oXABtIIbH+0NllXRucdeODlXLi80mCvhVIIDjHifqDRiukecZGapE -rvTsPjMCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCVQdpCfTZLJk0XUu5RnenHpamp -5ZRsdKA+jwE0kwuSWXx/WbsU35GJx1QVrfnmk7qJpwwg/ZbL/KMTUpY21a4ZyITQ -WKHxfY3Klqh18Ll7oBDa9fhuhPE4G8tIum/xY3Z3mHBuXDmBxARD0bOPEJtJQw+H -LGenf2mYrZBfL47wZw== ------END CERTIFICATE----- -]], key = [[ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDE6LGW9RFYX5Z8xsbhqWGt3clxq9g4bGIFw6/SoDa/Zrz1LknI -Pjc7a4LxN8TollzdRPmSNEpGogDxANNifdcagnCS9h3XD2hebdGxldduLTk8PShc -AG0ghsf7Q2WVdG5x144OVcuLzSYK+FUggOMeJ+oNGK6R5xkZqkSu9Ow+MwIDAQAB -AoGAcYkqPLx5j9ct0ixbKGqd475qFJzdQ0tbCa/XhT7T0nDOqyBRcqBNAHnxOlzJ -sMJiMUNAE8kKusdWe5/aQoQErkVuO9sh1U6sPr7mVD/JWmE08MRzhMwxUVP+HsXM -EZky0M6TWNyghtvyElUiHTIW8quVdjn8oXQIbR/07VXEVmECQQDj6dHJ4XxXIvE1 -HQ+49EbbM9l7KFd7t2cpmng1+U4yqMGwNVk3MmEVKU8NiI/BVhznPvp0HH3QyLpV -ShPt9SltAkEA3SzAZ5/UhjycKXgLsgidwDVWOpYweWU7KDsfrr+cSJkmzw7y9WYr -vshdPYA2iSm83aY1vTzwSRV6udpZfBLiHwJBAJ1HfDie3JmdSWtn1LPEDymyDEEL -Q+PiWtTA/nfwxV/8ST16c0i+AXUC/sTOGrZG4MdMFLYP+1sbSksVRc+OwbkCQQCy -DFKfmOUnYyd7oq4XliQYFVfjNgCz2TB0RJROwuV29ANv8GLZ9nQE05tr5QkCBl2K -OUFNo/7zdp0jfIlI/pKVAkA04q30OSEBIHBj/MmapVVSRaQiYfSMLV176nA4xqhz -JkHk9MH9WKKGIchn0LvfUFHxTeBFERoREQo2A82B/WpO ------END RSA PRIVATE KEY----- -]] }, __api = 1 }, - { name = "ssl", value = { cert = [[ ------BEGIN CERTIFICATE----- -MIICSTCCAbICCQDZ7lxm1iUKmDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN -MAsGA1UECgwES29uZzELMAkGA1UECwwCSVQxETAPBgNVBAMMCHNzbDEuY29tMB4X -DTE1MDUxOTAwNTAzNloXDTE1MDYxODAwNTAzNlowaTELMAkGA1UEBhMCVVMxEzAR -BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV -BAoMBEtvbmcxCzAJBgNVBAsMAklUMREwDwYDVQQDDAhzc2wxLmNvbTCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEAxOixlvURWF+WfMbG4alhrd3JcavYOGxiBcOv -0qA2v2a89S5JyD43O2uC8TfE6JZc3UT5kjRKRqIA8QDTYn3XGoJwkvYd1w9oXm3R -sZXXbi05PD0oXABtIIbH+0NllXRucdeODlXLi80mCvhVIIDjHifqDRiukecZGapE -rvTsPjMCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCVQdpCfTZLJk0XUu5RnenHpamp -5ZRsdKA+jwE0kwuSWXx/WbsU35GJx1QVrfnmk7qJpwwg/ZbL/KMTUpY21a4ZyITQ -WKHxfY3Klqh18Ll7oBDa9fhuhPE4G8tIum/xY3Z3mHBuXDmBxARD0bOPEJtJQw+H -LGenf2mYrZBfL47wZw== ------END CERTIFICATE----- -]], key = [[ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDE6LGW9RFYX5Z8xsbhqWGt3clxq9g4bGIFw6/SoDa/Zrz1LknI -Pjc7a4LxN8TollzdRPmSNEpGogDxANNifdcagnCS9h3XD2hebdGxldduLTk8PShc -AG0ghsf7Q2WVdG5x144OVcuLzSYK+FUggOMeJ+oNGK6R5xkZqkSu9Ow+MwIDAQAB -AoGAcYkqPLx5j9ct0ixbKGqd475qFJzdQ0tbCa/XhT7T0nDOqyBRcqBNAHnxOlzJ -sMJiMUNAE8kKusdWe5/aQoQErkVuO9sh1U6sPr7mVD/JWmE08MRzhMwxUVP+HsXM -EZky0M6TWNyghtvyElUiHTIW8quVdjn8oXQIbR/07VXEVmECQQDj6dHJ4XxXIvE1 -HQ+49EbbM9l7KFd7t2cpmng1+U4yqMGwNVk3MmEVKU8NiI/BVhznPvp0HH3QyLpV -ShPt9SltAkEA3SzAZ5/UhjycKXgLsgidwDVWOpYweWU7KDsfrr+cSJkmzw7y9WYr -vshdPYA2iSm83aY1vTzwSRV6udpZfBLiHwJBAJ1HfDie3JmdSWtn1LPEDymyDEEL -Q+PiWtTA/nfwxV/8ST16c0i+AXUC/sTOGrZG4MdMFLYP+1sbSksVRc+OwbkCQQCy -DFKfmOUnYyd7oq4XliQYFVfjNgCz2TB0RJROwuV29ANv8GLZ9nQE05tr5QkCBl2K -OUFNo/7zdp0jfIlI/pKVAkA04q30OSEBIHBj/MmapVVSRaQiYfSMLV176nA4xqhz -JkHk9MH9WKKGIchn0LvfUFHxTeBFERoREQo2A82B/WpO ------END RSA PRIVATE KEY----- -]], only_https = true }, __api = 2 } - } - } - - spec_helper.start_kong() - end) - - teardown(function() - spec_helper.stop_kong() - end) - - describe("SSL Util", function() - - it("should not convert an invalid cert to DER", function() - assert.falsy(ssl_util.cert_to_der("asd")) - end) - - it("should convert a valid cert to DER", function() - assert.truthy(ssl_util.cert_to_der([[ ------BEGIN CERTIFICATE----- -MIICUTCCAboCCQDmzZoyut/faTANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEQ -MA4GA1UECgwHTWFzaGFwZTELMAkGA1UECwwCSVQxEjAQBgNVBAMMCWxvY2FsaG9z -dDAeFw0xNTA1MTUwMDA4MzZaFw0xNjA1MTQwMDA4MzZaMG0xCzAJBgNVBAYTAlVT -MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAw -DgYDVQQKDAdNYXNoYXBlMQswCQYDVQQLDAJJVDESMBAGA1UEAwwJbG9jYWxob3N0 -MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDG3WEFIeL8YWyEaJ0L3QESzR9 -Epg9d2p/y1v0xQgrwkM6sRFX81oNGdXssOeXAHJM6BXmMSbhfC+i3AkRPloltnwl -yEylOBaGY0GlPehZ9x+UxDiNpnjDakWWqXoFn1vDAU8gLTmduGVIGsQxT32sF0Y9 -pFnbNQ0lU6cRe3/n8wIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAHpVwlC75/LTKepa -VKHXqpk5H1zYsj2byBhYOY5/+aYbNqfa2DaWE1zwv/J4E7wgKaeQHHgT2XBtYSRM -ZMG9SgECUHZ+A/OebWgSfZvXbsIZ+PLk46rlZQ0O73kkbAyMTGNRvfEPeDmw0TR2 -DYk+jZoTdElBV6PQAxysILNeJK5n ------END CERTIFICATE----- -]])) - end) - - it("should not convert an invalid key to DER", function() - assert.falsy(ssl_util.key_to_der("asd")) - end) - - it("should convert a valid key to DER", function() - assert.truthy(ssl_util.key_to_der([[ ------BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDDG3WEFIeL8YWyEaJ0L3QESzR9Epg9d2p/y1v0xQgrwkM6sRFX -81oNGdXssOeXAHJM6BXmMSbhfC+i3AkRPloltnwlyEylOBaGY0GlPehZ9x+UxDiN -pnjDakWWqXoFn1vDAU8gLTmduGVIGsQxT32sF0Y9pFnbNQ0lU6cRe3/n8wIDAQAB -AoGAdQQhBShy60Hd16Cv+FMFmBWq02C1ohfe7ep/qlwJvIT0YV0Vc9RmK/lUznKD -U5NW+j0v9TGBijc7MsgZQBhPY8aQXmwPfgaLq3YXjNJUITGwH0KAZe9WBiLObVZb -MDoa349PrjSpAkDryyF2wCmRBphUePd9BVeV/CR/a78BvSECQQDrWT2fqHjpSfKl -rjt9n29fWbj2Sfjkjaa+MK1l4tgDAVrfNLjsf6aXTBbSUWaTfpHG9E6frTMuE5pT -BcJf3TJJAkEA1DpBjavo8zpzjgmQ5SESrNB3+BYZYH9JRI91eIZYQzIvRgVRP+yG -vc0Hdhr1xSwN8XiFcVm24s5TEM+uE+bIWwJAQ24BKvJhGi4WuIOQBfEdPst9JAuT -pSA0qv9VXwC8dTf5KkR3y0LTnzusujuaUR4NdFxg/nzoUgZJzAm1ZDQDCQJBAKmq -sUG70A60CjHhv+8Ok8mJGIBD2qHk4QRo1Hc4oFOISXbnRV+fjtEqmu52+0lYwQTt -X3GRUb7dSFdGUVsjw8UCQH1sEtryRFIeCJgLT2p+UPYMNr6f/QYzpiK/M61xe2yf -IN2a44ptbkUjN8U0WeTGMBP/XfK3SvV6wAKAE3cDB2c= ------END RSA PRIVATE KEY----- -]])) - end) - - end) - - describe("SSL Resolution", function() - - it("should return default CERTIFICATE when requesting other APIs", function() - local parsed_url = url.parse(STUB_GET_SSL_URL) - local res = IO.os_execute("(echo \"GET /\"; sleep 2) | openssl s_client -connect "..parsed_url.host..":"..tostring(parsed_url.port).." -servername test4.com") - - assert.truthy(res:match("US/ST=California/L=San Francisco/O=Kong/OU=IT/CN=localhost")) - end) - - it("should work when requesting a specific API", function() - local parsed_url = url.parse(STUB_GET_SSL_URL) - local res = IO.os_execute("(echo \"GET /\"; sleep 2) | openssl s_client -connect "..parsed_url.host..":"..tostring(parsed_url.port).." -servername ssl1.com") - - assert.truthy(res:match("US/ST=California/L=San Francisco/O=Kong/OU=IT/CN=ssl1.com")) - end) - - end) - - describe("only_https", function() - - it("should block request without https", function() - local response, status, headers = http_client.get(STUB_GET_URL, nil, { host = "ssl2.com" }) - assert.are.equal(426, status) - assert.are.same("close, Upgrade", headers.connection) - assert.are.same("TLS/1.0, HTTP/1.1", headers.upgrade) - assert.are.same("Please use HTTPS protocol", cjson.decode(response).message) - end) - - it("should not block request with https", function() - local _, status = http_client.get(STUB_GET_SSL_URL, nil, { host = "ssl2.com" }) - assert.are.equal(200, status) - end) - - end) - - describe("should work with curl", function() - local response = http_client.get(API_URL.."/apis/", {public_dns="ssl3.com"}) - local api_id = cjson.decode(response).data[1].id - local current_path = IO.os_execute("pwd") - local res = IO.os_execute("curl -s -o /dev/null -w \"%{http_code}\" "..API_URL.."/apis/"..api_id.."/plugins/ --form \"name=ssl\" --form \"value.cert=@"..current_path.."/ssl/kong-default.crt\" --form \"value.key=@"..current_path.."/ssl/kong-default.key\"") - assert.are.equal("201", res) - end) - -end) diff --git a/spec/unit/dao/entities_schemas_spec.lua b/spec/unit/dao/entities_schemas_spec.lua index 1a47040ab9b6..c64dad441bed 100644 --- a/spec/unit/dao/entities_schemas_spec.lua +++ b/spec/unit/dao/entities_schemas_spec.lua @@ -1,7 +1,8 @@ local api_schema = require "kong.dao.schemas.apis" local consumer_schema = require "kong.dao.schemas.consumers" local plugins_configurations_schema = require "kong.dao.schemas.plugins_configurations" -local validate_fields = require("kong.dao.schemas_validation").validate_fields +local validations = require "kong.dao.schemas_validation" +local validate_fields = validations.validate_fields require "kong.tools.ngx_stub" @@ -197,5 +198,35 @@ describe("Entities Schemas", function() assert.equal("\"hello\" is not allowed. Allowed values are: \"second\", \"minute\", \"hour\", \"day\", \"month\", \"year\"", errors["value.period"]) end) + describe("on_insert", function() + it("should refuse `consumer_id` if specified in the value schema", function() + local stub_value_schema = { + no_consumer = true, + fields = { + string = {type = "string", required = true} + } + } + + plugins_configurations_schema.fields.value.schema = function() + return stub_value_schema + end + + local valid, err = validations.on_insert({name = "stub", api_id = "0000", consumer_id = "0000", value = {string = "foo"}}, plugins_configurations_schema) + assert.False(valid) + assert.equal("No consumer can be configured for that plugin", err.message) + + local dao_stub = { + plugins_configurations = { + find_by_keys = function() + return nil + end + } + } + + valid, err = validations.on_insert({name = "stub", api_id = "0000", value = {string = "foo"}}, plugins_configurations_schema, dao_stub) + assert.True(valid) + assert.falsy(err) + end) + end) end) end)