Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(plugins/acme): username/password is a valid authentication method #13496

Merged
merged 2 commits into from
Aug 19, 2024

Conversation

gruceo
Copy link
Contributor

@gruceo gruceo commented Aug 13, 2024

Fixed an issue where username and password were not accepted as valid authentication methods.

Depends on this PR of lua-resty-acme: fffonion/lua-resty-acme#121

Fix FTI-6143

Summary

Checklist

  • The Pull Request has tests
  • A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Issue reference

Fix FTI-6143

@gruceo gruceo requested review from fffonion and nowNick August 13, 2024 18:49
@github-actions github-actions bot added plugins/acme cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee labels Aug 13, 2024
@github-actions github-actions bot added the chore Not part of the core functionality of kong, but still needed label Aug 13, 2024
@gruceo gruceo force-pushed the acme-username branch 3 times, most recently from 5ae44a9 to 2501475 Compare August 13, 2024 22:10
@gruceo gruceo marked this pull request as ready for review August 14, 2024 00:04
Copy link
Contributor

@nowNick nowNick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! 👍

@gruceo gruceo added this to the 3.8.0 milestone Aug 14, 2024
@gruceo gruceo requested a review from fffonion August 14, 2024 13:41
@gruceo gruceo changed the title fix(plugins): username and password are accepted authentication methods fix(plugins/acme): username/password is a valid authentication method Aug 14, 2024
@gruceo
Copy link
Contributor Author

gruceo commented Aug 15, 2024

@fffonion can you take another look at the PR, please?

Copy link
Contributor

@fffonion fffonion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one comment about changelog, otherwise lgtm

@@ -0,0 +1,3 @@
message: "**ACME**: Fixed an issue where username and password were not accepted as valid authentication methods."
type: bugfix
scope: Plugin
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we probably need an addtional changelog for the bumped dependency, as I
heard from @AndyZhang0707

Copy link
Contributor Author

@gruceo gruceo Aug 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 004627a

@fffonion
Copy link
Contributor

also note the tests failed in spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua:340

@@ -43,6 +43,21 @@ local compatible_checkers = {
function (config_table, dp_version, log_suffix)
local has_update
for _, plugin in ipairs(config_table.plugins or {}) do
if plugin.name == 'acme' then
local config = plugin.config
if config.storage_config.redis.username ~= nil then
Copy link
Contributor Author

@gruceo gruceo Aug 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @fffonion. The test failure in spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua:340 was actually eye-opening. It revealed that removing the new username/password fields will cause issues to older DPs. Therefore I'm going with the safest option which is to not do anything (just log the warning instead). I'd like some input from @nowNick here as well.

This is the updated log warning in the CP side when we create acme plugin and have DP 3.6.1:

kong-cp  | 2024/08/15 22:21:38 [warn] 1811#0: *1294 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis username which is incompatible with dataplane version 3.6.1 and will not work in this release.. [id: e79130ba-32cb-456d-a541-9a159d072142, host: 0c0d4012bade, ip: 172.18.0.8, version: 3.6.1], client: 172.18.0.8, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=e79130ba-32cb-456d-a541-9a159d072142&node_hostname=0c0d4012bade&node_version=3.6.1 HTTP/1.1", host: "kong-cp:8005"
kong-cp  | 2024/08/15 22:21:38 [warn] 1811#0: *1294 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis password which is incompatible with dataplane version 3.6.1 and will not work in this release. Please use redis.auth config instead.. [id: e79130ba-32cb-456d-a541-9a159d072142, host: 0c0d4012bade, ip: 172.18.0.8, version: 3.6.1], client: 172.18.0.8, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=e79130ba-32cb-456d-a541-9a159d072142&node_hostname=0c0d4012bade&node_version=3.6.1 HTTP/1.1", host: "kong-cp:8005"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we do not remove it via

config.storage_config.redis.username = nil
config.storage_config.redis.password = nil

The config will be refused by DP. A log warning may be not enough.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't get refused. Added a test to prove it: 3ff5eb8

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is interesting. How can the older schema validate the storage_config if it has unknown fields in it? This might be a sign of something else being wrong. E.g. sub-record validation does not work or something?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the test here is probably wrong that send @gruceo to wrong direction.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bungle I think it's because some of the storage_config fields like username and password are actually supported in some older versions, it's just that the acme plugin didn't use it. I added this extra test: 8f1cb44

As you can see, username and password are supported until 3.6.1 but not in 3.5.0. In a 3.8.x CP pushing unkwnon fields to a 3.5.0 DP, the config reverts to older schema here: https://github.com/Kong/kong/blob/master/kong/clustering/compat/checkers.lua#L141-L162

kong-cp  | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis username which is incompatible with dataplane version 3.5.0 and will not work in this release. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
kong-cp  | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis password which is incompatible with dataplane version 3.5.0 and will not work in this release. Please use redis.auth config instead. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
kong-cp  | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 adapts acme plugin redis configuration to older version which is incompatible with dataplane version 3.5.0 and will revert to older schema. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"

cc @nowNick

.github/workflows/build_and_test.yml Show resolved Hide resolved
@@ -43,6 +43,21 @@ local compatible_checkers = {
function (config_table, dp_version, log_suffix)
local has_update
for _, plugin in ipairs(config_table.plugins or {}) do
if plugin.name == 'acme' then
local config = plugin.config
if config.storage_config.redis.username ~= nil then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we do not remove it via

config.storage_config.redis.username = nil
config.storage_config.redis.password = nil

The config will be refused by DP. A log warning may be not enough.

@brentos brentos self-requested a review August 16, 2024 16:40
Fixed an issue where username and password were not accepted as a valid
authentication method. This is already accepted as valid authentication
method in other plugins that use the shared Redis library such as the
rate-limiting plugin.

Depends on this PR of lua-resty-acme: fffonion/lua-resty-acme#121

Fix FTI-6143
@gruceo gruceo removed the cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee label Aug 19, 2024
@gruceo gruceo merged commit 28c5f6a into master Aug 19, 2024
29 checks passed
@gruceo gruceo deleted the acme-username branch August 19, 2024 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
chore Not part of the core functionality of kong, but still needed core/clustering plugins/acme size/L
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants