Skip to content

Commit

Permalink
feat(ssl): add function to get request ssl pointer
Browse files Browse the repository at this point in the history
To support:
KAG-5388
KAG-5473
  • Loading branch information
StarlightIbuki committed Oct 11, 2024
1 parent 7da8c7d commit bc83566
Show file tree
Hide file tree
Showing 5 changed files with 120 additions and 1 deletion.
16 changes: 16 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ Table of Contents
* [resty.kong.tls.set\_upstream\_ssl\_verify](#restykongtlsset_upstream_ssl_verify)
* [resty.kong.tls.set\_upstream\_ssl\_verify\_depth](#restykongtlsset_upstream_ssl_verify_depth)
* [resty.kong.tls.get\_ssl\_pointer](#restykongtlsget_ssl_pointer)
* [resty.kong.tls.get\_request\_ssl\_pointer](#restykongtlsget_request_ssl_pointer)
* [resty.kong.grpc.set\_authority](#restykonggrpcset_authority)
* [resty.kong.tls.disable\_proxy\_ssl](#restykongtlsdisable_proxy_ssl)
* [resty.kong.var.patch\_metatable](#restykongvarpatch_metatable)
Expand Down Expand Up @@ -367,6 +368,21 @@ describing the error will be returned.

[Back to TOC](#table-of-contents)

resty.kong.tls.get\_request\_ssl\_pointer
----------------------------------------------------
**syntax:** *ssl_ptr, err = resty.kong.get\_request\_ssl\_pointer()*

**context:** *client_hello_by_lua*, *ssl_certificate_by_lua*, *rewrite_by_lua*, access_by_lua*, content_by_lua*, log_by_lua**, *preread_by_lua**

**subsystems:** *http* *stream*

Retrieves the OpenSSL `SSL*` object for the current tcpsock `sock`.

On success, this function returns the pointer of type `SSL`. Otherwise `nil` and a string
describing the error will be returned.

[Back to TOC](#table-of-contents)

resty.kong.grpc.set\_authority
------------------------------
**syntax:** *ok, err = resty.kong.grpc.set_authority(new_authority)*
Expand Down
25 changes: 24 additions & 1 deletion lualib/resty/kong/tls.lua
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ local kong_lua_kong_ffi_set_upstream_ssl_trusted_store
local kong_lua_kong_ffi_set_upstream_ssl_verify
local kong_lua_kong_ffi_set_upstream_ssl_verify_depth
local kong_lua_kong_ffi_get_socket_ssl

local kong_lua_kong_ffi_get_request_ssl
if subsystem == "http" then
ffi.cdef([[
typedef struct ssl_st SSL;
Expand All @@ -59,6 +59,8 @@ if subsystem == "http" then
int depth);
int ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u,
void **ssl_conn);
int ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r,
void **ssl_conn)
]])

kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_http_lua_kong_ffi_get_full_client_certificate_chain
Expand All @@ -68,6 +70,8 @@ if subsystem == "http" then
kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify
kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth
kong_lua_kong_ffi_get_socket_ssl = C.ngx_http_lua_kong_ffi_get_socket_ssl
kong_lua_kong_ffi_get_request_ssl = C.ngx_http_lua_kong_ffi_get_request_ssl


elseif subsystem == 'stream' then
ffi.cdef([[
Expand All @@ -88,6 +92,8 @@ elseif subsystem == 'stream' then
int depth);
int ngx_stream_lua_kong_get_socket_ssl(ngx_stream_lua_socket_tcp_upstream_t *u,
void **ssl_conn);
int ngx_stream_lua_kong_ffi_get_request_ssl(ngx_stream_lua_request_t *r,
void **ssl_conn);
]])

kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_stream_lua_kong_ffi_get_full_client_certificate_chain
Expand All @@ -97,6 +103,7 @@ elseif subsystem == 'stream' then
kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify
kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify_depth
kong_lua_kong_ffi_get_socket_ssl = C.ngx_stream_lua_kong_get_socket_ssl
kong_lua_kong_ffi_get_request_ssl = C.ngx_stream_lua_kong_ffi_get_request_ssl
else
error("unknown subsystem: " .. subsystem)
end
Expand Down Expand Up @@ -151,6 +158,22 @@ function _M.get_ssl_pointer(sock)
end


function _M.get_request_ssl_pointer()
if get_phase() ~= 'ssl_cert' then
error("API disabled in the current context")
end

local r = get_request()

local ret = kong_lua_kong_ffi_get_request_ssl(r, void_pp)
if ret ~= NGX_OK then
return nil, "no ssl object"
end

return ffi_cast(ssl_type, void_pp[0])
end


do
local ALLOWED_PHASES = {
['rewrite'] = true,
Expand Down
22 changes: 22 additions & 0 deletions src/ngx_http_lua_kong_ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,28 @@ ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u, void
}


int
ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r, void **ssl_conn)
{
#if (NGX_SSL)
if (ssl_conn == NULL) {
return NGX_ABORT;
}

ngx_connection_t *c = r->connection;

if (c && (c->ssl) && (c->ssl->connection)) {
*ssl_conn = c->ssl->connection;
return NGX_OK;
}

return NGX_ERROR;
#else
return NGX_ABORT;
#endif
}


#if (NGX_HTTP_SSL)

/*
Expand Down
22 changes: 22 additions & 0 deletions stream/src/ngx_stream_lua_kong_module.c
Original file line number Diff line number Diff line change
Expand Up @@ -323,3 +323,25 @@ void **ssl_conn)
#endif
}


int
ngx_stream_lua_kong_ffi_get_request_ssl(ngx_stream_lua_request_t *r, void **ssl_conn)
{
#if (NGX_SSL)
if (ssl_conn == NULL) {
return NGX_ABORT;
}

ngx_connection_t *c = r->connection;

if (c && (c->ssl) && (c->ssl->connection)) {
*ssl_conn = c->ssl->connection;
return NGX_OK;
}

return NGX_ERROR;
#else
return NGX_ABORT;
#endif
}

36 changes: 36 additions & 0 deletions t/001-tls.t
Original file line number Diff line number Diff line change
Expand Up @@ -495,3 +495,39 @@ ok
--- no_error_log
[error]
[emerg]




=== TEST 8: ssl.get_request_ssl_pointer works well
--- stream_config
lua_package_path "../lua-resty-core/lib/?.lua;lualib/?.lua;;";
lua_ssl_protocols SSLV3 TLSv1 TLSv1.1 TLSv1.2;
server {
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
server_name example.com;
ssl_certificate ../../cert/example.com.crt;
ssl_certificate_key ../../cert/example.com.key;
ssl_session_cache off;
ssl_session_tickets on;
server_tokens off;

content_by_lua_block {
local ssl = require "resty.kong.tls"
if ssl.get_request_ssl_pointer() == nil then
ngx.say("cannot get socket")
else
ngx.say("ok")
end
}
}

--- request
GET /t
--- response_body
ok
--- no_error_log
[error]
[emerg]
--- skip_nginx
7: < 1.21.4

0 comments on commit bc83566

Please sign in to comment.