Skip to content

Commit

Permalink
feat(ssl): add function to get request ssl pointer
Browse files Browse the repository at this point in the history
To support:
KAG-5388
KAG-5473

Co-authored-by: Qi <[email protected]>
  • Loading branch information
StarlightIbuki and ADD-SP committed Oct 16, 2024
1 parent e2b4d03 commit bef1fec
Show file tree
Hide file tree
Showing 6 changed files with 127 additions and 3 deletions.
16 changes: 16 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ Table of Contents
* [resty.kong.tls.set\_upstream\_ssl\_verify](#restykongtlsset_upstream_ssl_verify)
* [resty.kong.tls.set\_upstream\_ssl\_verify\_depth](#restykongtlsset_upstream_ssl_verify_depth)
* [resty.kong.tls.get\_ssl\_pointer](#restykongtlsget_ssl_pointer)
* [resty.kong.tls.get\_request\_ssl\_pointer](#restykongtlsget_request_ssl_pointer)
* [resty.kong.grpc.set\_authority](#restykonggrpcset_authority)
* [resty.kong.tls.disable\_proxy\_ssl](#restykongtlsdisable_proxy_ssl)
* [resty.kong.var.patch\_metatable](#restykongvarpatch_metatable)
Expand Down Expand Up @@ -367,6 +368,21 @@ describing the error will be returned.

[Back to TOC](#table-of-contents)

resty.kong.tls.get\_request\_ssl\_pointer
----------------------------------------------------
**syntax:** *ssl_ptr, err = resty.kong.get\_request\_ssl\_pointer()*

**context:** *client_hello_by_lua&#42;, *ssl_certificate_by_lua&#42;, *rewrite_by_lua&#42;, access_by_lua&#42;, content_by_lua&#42;, log_by_lua&#42;*, *preread_by_lua&#42;*

**subsystems:** *http* *stream*

Retrieves the OpenSSL `SSL*` object for the current tcpsock `sock`.

On success, this function returns the pointer of type `SSL`. Otherwise `nil` and a string
describing the error will be returned.

[Back to TOC](#table-of-contents)

resty.kong.grpc.set\_authority
------------------------------
**syntax:** *ok, err = resty.kong.grpc.set_authority(new_authority)*
Expand Down
21 changes: 20 additions & 1 deletion lualib/resty/kong/tls.lua
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ local kong_lua_kong_ffi_set_upstream_ssl_trusted_store
local kong_lua_kong_ffi_set_upstream_ssl_verify
local kong_lua_kong_ffi_set_upstream_ssl_verify_depth
local kong_lua_kong_ffi_get_socket_ssl

local kong_lua_kong_ffi_get_request_ssl
if subsystem == "http" then
ffi.cdef([[
typedef struct ssl_st SSL;
Expand All @@ -59,6 +59,8 @@ if subsystem == "http" then
int depth);
int ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u,
void **ssl_conn);
int ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r,
void **ssl_conn);
]])

kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_http_lua_kong_ffi_get_full_client_certificate_chain
Expand All @@ -68,6 +70,8 @@ if subsystem == "http" then
kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify
kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth
kong_lua_kong_ffi_get_socket_ssl = C.ngx_http_lua_kong_ffi_get_socket_ssl
kong_lua_kong_ffi_get_request_ssl = C.ngx_http_lua_kong_ffi_get_request_ssl


elseif subsystem == 'stream' then
ffi.cdef([[
Expand Down Expand Up @@ -97,6 +101,9 @@ elseif subsystem == 'stream' then
kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify
kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify_depth
kong_lua_kong_ffi_get_socket_ssl = C.ngx_stream_lua_kong_get_socket_ssl
kong_lua_kong_ffi_get_request_ssl = function()
error("API not available for the current subsystem")
end
else
error("unknown subsystem: " .. subsystem)
end
Expand Down Expand Up @@ -151,6 +158,18 @@ function _M.get_ssl_pointer(sock)
end


function _M.get_request_ssl_pointer()
local r = get_request()

local ret = kong_lua_kong_ffi_get_request_ssl(r, void_pp)
if ret ~= NGX_OK then
return nil, "no ssl object"
end

return ffi_cast(ssl_type, void_pp[0])
end


do
local ALLOWED_PHASES = {
['rewrite'] = true,
Expand Down
23 changes: 23 additions & 0 deletions src/ngx_http_lua_kong_ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,29 @@ ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u, void
}


int
ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r, void **ssl_conn)
{
#if (NGX_SSL)
if (ssl_conn == NULL) {
return NGX_ABORT;
}

ngx_connection_t *c = r->connection;

if (c && (c->ssl) && (c->ssl->connection)) {
*ssl_conn = c->ssl->connection;
return NGX_OK;
}

return NGX_ERROR;

#else
return NGX_ABORT;
#endif
}


#if (NGX_HTTP_SSL)

/*
Expand Down
1 change: 0 additions & 1 deletion stream/src/ngx_stream_lua_kong_module.c
Original file line number Diff line number Diff line change
Expand Up @@ -322,4 +322,3 @@ void **ssl_conn)
return NGX_ABORT;
#endif
}

45 changes: 44 additions & 1 deletion t/001-tls.t
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ use Cwd qw(cwd);

repeat_each(2);

plan tests => repeat_each() * (blocks() * 7 - 4);
plan tests => repeat_each() * (blocks() * 7 - 7);

my $pwd = cwd();

Expand Down Expand Up @@ -495,3 +495,46 @@ ok
--- no_error_log
[error]
[emerg]
=== TEST 8: ssl.get_request_ssl_pointer works well
--- http_config
lua_package_path "../lua-resty-core/lib/?.lua;lualib/?.lua;;";
lua_ssl_protocols SSLV3 TLSv1 TLSv1.1 TLSv1.2;
server {
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
server_name example.com;
ssl_certificate ../../cert/example.com.crt;
ssl_certificate_key ../../cert/example.com.key;
ssl_session_cache off;
ssl_session_tickets on;
server_tokens off;
location / {
content_by_lua_block {
local ssl = require "resty.kong.tls"
if ssl.get_request_ssl_pointer() == nil then
ngx.say("cannot get socket")
else
ngx.say("ok")
end
}
}
}
--- config
server_tokens off;
location /t {
proxy_pass https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
--- request
GET /t
--- response_body
ok
--- no_error_log
[error]
[emerg]
24 changes: 24 additions & 0 deletions valgrind.suppress
Original file line number Diff line number Diff line change
Expand Up @@ -295,3 +295,27 @@
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_malloc
fun:ssl_session_dup_intern
fun:ssl_session_dup
fun:tls_process_new_session_ticket
fun:read_state_machine
fun:state_machine
fun:ssl3_read_bytes
fun:ssl3_read_internal
fun:ssl3_read_internal
fun:ssl3_read
fun:SSL_read
fun:ngx_ssl_recv
fun:ngx_http_upstream_process_header
fun:ngx_http_upstream_handler
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}

0 comments on commit bef1fec

Please sign in to comment.