
feat(ssl): add function to get socket ssl
KAG-3791
Water-Melon committed Apr 8, 2024
1 parent 4e0133a commit 1f3aa39
Showing 3 changed files with 351 additions and 0 deletions.
23 changes: 23 additions & 0 deletions lualib/resty/kong/tls.lua
Expand Up @@ -24,6 +24,7 @@ local type = type
local error = error
local tostring = tostring
local C = ffi.C
local SOCKET_CTX_INDEX = 1
local ffi_string = ffi.string
local get_string_buf = base.get_string_buf
local size_ptr = base.get_size_ptr()
Expand All @@ -37,9 +38,12 @@ local kong_lua_kong_ffi_set_upstream_client_cert_and_key
local kong_lua_kong_ffi_set_upstream_ssl_trusted_store
local kong_lua_kong_ffi_set_upstream_ssl_verify
local kong_lua_kong_ffi_set_upstream_ssl_verify_depth
local kong_lua_kong_ffi_get_socket_ssl

if subsystem == "http" then
ffi.cdef([[
typedef struct ngx_http_lua_socket_tcp_upstream_s ngx_http_lua_socket_tcp_upstream_t;
int ngx_http_lua_kong_ffi_get_full_client_certificate_chain(
ngx_http_request_t *r, char *buf, size_t *buf_len);
const char *ngx_http_lua_kong_ffi_disable_session_reuse(ngx_http_request_t *r);
Expand All @@ -51,6 +55,8 @@ if subsystem == "http" then
int verify);
int ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth(ngx_http_request_t *r,
int depth);
int ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u,
void **ssl_conn);
]])

kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_http_lua_kong_ffi_get_full_client_certificate_chain
Expand All @@ -59,6 +65,7 @@ if subsystem == "http" then
kong_lua_kong_ffi_set_upstream_ssl_trusted_store = C.ngx_http_lua_kong_ffi_set_upstream_ssl_trusted_store
kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify
kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth
kong_lua_kong_ffi_get_socket_ssl = C.ngx_http_lua_kong_ffi_get_socket_ssl

elseif subsystem == 'stream' then
ffi.cdef([[
Expand Down Expand Up @@ -121,6 +128,22 @@ function _M.disable_session_reuse()
end


do
local void_pp = ffi.new("void *[1]")

function _M.get_ssl_pointer(sock)
local u = sock[SOCKET_CTX_INDEX]

local ret = kong_lua_kong_ffi_get_socket_ssl(u, void_pp)
if ret ~= NGX_OK then
return nil, "no ssl object"
end

return void_pp[0]
end
end


do
local ALLOWED_PHASES = {
['rewrite'] = true,
Expand Down
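Review bot: `get_ssl_pointer` returns a raw pointer that Lua has no way to keep alive, yet neither the function nor a comment says how long it stays valid: the `SSL*` belongs to the cosocket's connection, so a caller that holds it across `sock:close()` or `sock:setkeepalive()` (after which the connection may be pooled and reused) is holding a dangling handle. It also indexes `sock[SOCKET_CTX_INDEX]` without checking that `sock` is a cosocket table holding an upstream at that slot, so a nil or wrong argument surfaces as a Lua index error (or, presumably, an FFI conversion error) instead of the `nil, err` pair the function otherwise returns. I would add, before the FFI call, `if type(sock) ~= "table" or sock[SOCKET_CTX_INDEX] == nil then return nil, "not a connected cosocket" end`, and a header comment stating that the returned pointer is valid only while the socket is connected and must not be cached or handed to another request. The module-level `void_pp` scratch buffer is safe here only because it is read back immediately after the call with no yield in between; a one-line comment to that effect would protect the invariant. `NGX_OK` is presumably defined earlier in the file, outside this hunk.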
303 changes: 303 additions & 0 deletions src/ngx_http_lua_kong_common.h
Expand Up @@ -24,6 +24,309 @@
#include <ngx_http.h>
#include "ssl/ngx_lua_kong_ssl.h"

#include <nginx.h>
#include <ngx_core.h>
#include <ngx_http.h>
#include <stdint.h>
#include <luajit.h>
#include <lualib.h>
#include <lauxlib.h>


typedef struct ngx_http_lua_co_ctx_s ngx_http_lua_co_ctx_t;

typedef struct ngx_http_lua_posted_thread_s ngx_http_lua_posted_thread_t;

typedef struct {
#if (NGX_HTTP_SSL)
ngx_ssl_t *ssl; /* shared by SSL cosockets */
ngx_array_t *ssl_certificates;
ngx_array_t *ssl_certificate_keys;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
#if (nginx_version >= 1019004)
ngx_array_t *ssl_conf_commands;
#endif
#endif

ngx_flag_t force_read_body; /* whether force request body to
be read */

ngx_flag_t enable_code_cache; /* whether to enable
code cache */

ngx_flag_t http10_buffering;

ngx_http_handler_pt rewrite_handler;
ngx_http_handler_pt access_handler;
ngx_http_handler_pt content_handler;
ngx_http_handler_pt log_handler;
ngx_http_handler_pt header_filter_handler;

ngx_http_output_body_filter_pt body_filter_handler;



u_char *rewrite_chunkname;
ngx_http_complex_value_t rewrite_src; /* rewrite_by_lua
inline script/script
file path */

u_char *rewrite_src_key; /* cached key for rewrite_src */
int rewrite_src_ref;

u_char *access_chunkname;
ngx_http_complex_value_t access_src; /* access_by_lua
inline script/script
file path */

u_char *access_src_key; /* cached key for access_src */
int access_src_ref;

u_char *content_chunkname;
ngx_http_complex_value_t content_src; /* content_by_lua
inline script/script
file path */

u_char *content_src_key; /* cached key for content_src */
int content_src_ref;


u_char *log_chunkname;
ngx_http_complex_value_t log_src; /* log_by_lua inline script/script
file path */

u_char *log_src_key; /* cached key for log_src */
int log_src_ref;

ngx_http_complex_value_t header_filter_src; /* header_filter_by_lua
inline script/script
file path */

u_char *header_filter_chunkname;
u_char *header_filter_src_key;
/* cached key for header_filter_src */
int header_filter_src_ref;


ngx_http_complex_value_t body_filter_src;
u_char *body_filter_src_key;
u_char *body_filter_chunkname;
int body_filter_src_ref;

ngx_msec_t keepalive_timeout;
ngx_msec_t connect_timeout;
ngx_msec_t send_timeout;
ngx_msec_t read_timeout;

size_t send_lowat;
size_t buffer_size;

ngx_uint_t pool_size;

ngx_flag_t transform_underscores_in_resp_headers;
ngx_flag_t log_socket_errors;
ngx_flag_t check_client_abort;
ngx_flag_t use_default_type;
} ngx_http_lua_loc_conf_t;


struct ngx_http_lua_posted_thread_s {
ngx_http_lua_co_ctx_t *co_ctx;
ngx_http_lua_posted_thread_t *next;
};


struct ngx_http_lua_co_ctx_s {
void *data; /* user state for cosockets */

lua_State *co;
ngx_http_lua_co_ctx_t *parent_co_ctx;

ngx_http_lua_posted_thread_t *zombie_child_threads;
ngx_http_lua_posted_thread_t **next_zombie_child_thread;

ngx_http_cleanup_pt cleanup;

ngx_int_t *sr_statuses; /* all capture subrequest statuses */

ngx_http_headers_out_t **sr_headers;

ngx_str_t *sr_bodies; /* all captured subrequest bodies */

uint8_t *sr_flags;

unsigned nresults_from_worker_thread; /* number of results
* from worker
* thread callback */
unsigned nrets; /* ngx_http_lua_run_thread nrets arg. */

unsigned nsubreqs; /* number of subrequests of the
* current request */

unsigned pending_subreqs; /* number of subrequests being
waited */

ngx_event_t sleep; /* used for ngx.sleep */

ngx_queue_t sem_wait_queue;

#ifdef NGX_LUA_USE_ASSERT
int co_top; /* stack top after yielding/creation,
only for sanity checks */
#endif

int co_ref; /* reference to anchor the thread
coroutines (entry coroutine and user
threads) in the Lua registry,
preventing the thread coroutine
from beging collected by the
Lua GC */

unsigned waited_by_parent:1; /* whether being waited by
a parent coroutine */

unsigned co_status:3; /* the current coroutine's status */

unsigned flushing:1; /* indicates whether the current
coroutine is waiting for
ngx.flush(true) */

unsigned is_uthread:1; /* whether the current coroutine is
a user thread */

unsigned thread_spawn_yielded:1; /* yielded from
the ngx.thread.spawn()
call */
unsigned sem_resume_status:1;

unsigned is_wrap:1; /* set when creating coroutines via
coroutine.wrap */

unsigned propagate_error:1; /* set when propagating an error
from a coroutine to its
parent */
};


typedef struct ngx_http_lua_socket_tcp_upstream_s
ngx_http_lua_socket_tcp_upstream_t;


typedef struct ngx_http_lua_socket_udata_queue_s
ngx_http_lua_socket_udata_queue_t;


typedef
int (*ngx_http_lua_socket_tcp_retval_handler)(ngx_http_request_t *r,
ngx_http_lua_socket_tcp_upstream_t *u, lua_State *L);


typedef void (*ngx_http_lua_socket_tcp_upstream_handler_pt)
(ngx_http_request_t *r, ngx_http_lua_socket_tcp_upstream_t *u);


typedef struct {
lua_State *lua_vm;

ngx_int_t size;
ngx_queue_t cache_connect_op;
ngx_queue_t wait_connect_op;

/* connections == active connections + pending connect operations,
* while active connections == out-of-pool reused connections
* + in-pool connections */
ngx_int_t connections;

/* queues of ngx_http_lua_socket_pool_item_t: */
ngx_queue_t cache;
ngx_queue_t free;

ngx_int_t backlog;

u_char key[1];

} ngx_http_lua_socket_pool_t;


struct ngx_http_lua_socket_tcp_upstream_s {
ngx_http_lua_socket_tcp_retval_handler read_prepare_retvals;
ngx_http_lua_socket_tcp_retval_handler write_prepare_retvals;
ngx_http_lua_socket_tcp_upstream_handler_pt read_event_handler;
ngx_http_lua_socket_tcp_upstream_handler_pt write_event_handler;

ngx_http_lua_socket_udata_queue_t *udata_queue;

ngx_http_lua_socket_pool_t *socket_pool;

ngx_http_lua_loc_conf_t *conf;
ngx_http_cleanup_pt *cleanup;
ngx_http_request_t *request;
ngx_peer_connection_t peer;

ngx_msec_t read_timeout;
ngx_msec_t send_timeout;
ngx_msec_t connect_timeout;

ngx_http_upstream_resolved_t *resolved;

ngx_chain_t *bufs_in; /* input data buffers */
ngx_chain_t *buf_in; /* last input data buffer */
ngx_buf_t buffer; /* receive buffer */

size_t length;
size_t rest;

ngx_err_t socket_errno;

ngx_int_t (*input_filter)(void *data, ssize_t bytes);
void *input_filter_ctx;

size_t request_len;
ngx_chain_t *request_bufs;

ngx_http_lua_co_ctx_t *read_co_ctx;
ngx_http_lua_co_ctx_t *write_co_ctx;

ngx_uint_t reused;

#if (NGX_HTTP_SSL)
ngx_str_t ssl_name;
ngx_ssl_session_t *ssl_session_ret;
const char *error_ret;
int openssl_error_code_ret;
#endif

ngx_chain_t *busy_bufs;

unsigned ft_type:16;
unsigned no_close:1;
unsigned conn_waiting:1;
unsigned read_waiting:1;
unsigned write_waiting:1;
unsigned eof:1;
unsigned body_downstream:1;
unsigned raw_downstream:1;
unsigned read_closed:1;
unsigned write_closed:1;
unsigned conn_closed:1;
#if (NGX_HTTP_SSL)
unsigned ssl_verify:1;
unsigned ssl_session_reuse:1;
#endif
};


struct ngx_http_lua_socket_udata_queue_s {
ngx_pool_t *pool;
ngx_queue_t queue;
ngx_queue_t free;
int len;
int capacity;
};
typedef struct {
ngx_lua_kong_ssl_ctx_t ssl_ctx;
ngx_str_t grpc_authority;
Expand Down
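Review bot: The definitions added after the new `#include` block (`ngx_http_lua_loc_conf_t`, `ngx_http_lua_co_ctx_t`, `ngx_http_lua_socket_tcp_upstream_t` and the pool/udata-queue structs) are a copy of lua-nginx-module's private layouts rather than an include, so any code that reaches `u->peer` or the SSL fields through them is only correct while the copy matches the lua-nginx-module build nginx actually links against, including the `#if (NGX_HTTP_SSL)` and `nginx_version >= 1019004` conditionals. A silent drift upstream (a field added or reordered, a different SSL build) would shift every offset and let the `ngx_http_lua_kong_ffi_get_socket_ssl` accessor, whose C body is in the third file and not shown here, return a bogus `SSL*` to Lua with no compiler diagnostic. I would add a comment at the top of the copied block naming the lua-nginx-module version and source file it was taken from, plus a build-time `_Static_assert` (or a test comparing `sizeof`/`offsetof` of the copied struct against the upstream header where it is available) so a mismatch fails loudly instead of corrupting pointers. The second `#include <ngx_http.h>` repeats the one three lines above it and can be dropped. The trailing `typedef struct {` continues outside the hunk.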
