From e450d3fb091b2789bfd7fb5204f246276703f521 Mon Sep 17 00:00:00 2001
From: An Tran <tkan145@gmail.com>
Date: Mon, 29 Apr 2024 19:21:29 +1000
Subject: [PATCH 1/4] Bump openresty to 1.21.4.3

---
 .circleci/config.yml     | 2 +-
 CHANGELOG.md             | 4 ++++
 Dockerfile               | 2 +-
 Dockerfile.devel         | 2 +-
 Makefile                 | 4 ++--
 docker-compose-devel.yml | 2 +-
 6 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 0dba7d54a..44cda2859 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -105,7 +105,7 @@ executors:
   openresty:
     working_directory: /opt/app-root/apicast
     docker:
-      - image: quay.io/3scale/apicast-ci:openresty-1.19.3-23
+      - image: quay.io/3scale/apicast-ci:openresty-1.21.4-1
       - image: redis:3.2.8-alpine
     environment:
       TEST_NGINX_BINARY: openresty
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e63dbe10c..d6b120c46 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 - Fixed 3scale Batcher policy unable to handle `app_id`/`access_token` contains special characters [PR #1457](https://github.com/3scale/APIcast/pull/1457) [THREESCALE-10934](https://issues.redhat.com/browse/THREESCALE-10934)
 
+### Added
+
+- Bump openresty to 1.21.4.3 [PR #1461](https://github.com/3scale/APIcast/pull/1461) [THREESCALE-10601](https://issues.redhat.com/browse/THREESCALE-10601)
+
 ## [3.15.0] 2024-04-04
 
 ### Fixed
diff --git a/Dockerfile b/Dockerfile
index 331d20a1f..6a5a6d37e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8:8.5
 
-ARG OPENRESTY_RPM_VERSION="1.19.3-23.el8"
+ARG OPENRESTY_RPM_VERSION="1.21.4-1.el8"
 ARG LUAROCKS_VERSION="2.3.0"
 ARG JAEGERTRACING_CPP_CLIENT_RPM_VERSION="0.3.1-13.el8"
 
diff --git a/Dockerfile.devel b/Dockerfile.devel
index a15afac47..6e983b9a8 100644
--- a/Dockerfile.devel
+++ b/Dockerfile.devel
@@ -1,6 +1,6 @@
 FROM registry.access.redhat.com/ubi8:8.5
 
-ARG OPENRESTY_RPM_VERSION="1.19.3-23.el8"
+ARG OPENRESTY_RPM_VERSION="1.21.4-1.el8"
 ARG LUAROCKS_VERSION="2.3.0"
 ARG JAEGERTRACING_CPP_CLIENT_RPM_VERSION="0.3.1-13.el8"
 
diff --git a/Makefile b/Makefile
index 01db96816..79fa72cdb 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,7 @@ NPROC ?= $(firstword $(shell nproc 2>/dev/null) 1)
 
 SEPARATOR="\n=============================================\n"
 
-DEVEL_IMAGE ?= quay.io/3scale/apicast-ci:openresty-1.19.3-23
+DEVEL_IMAGE ?= quay.io/3scale/apicast-ci:openresty-1.21.4-1
 DEVEL_DOCKERFILE ?= Dockerfile.devel
 
 RUNTIME_IMAGE ?= quay.io/3scale/apicast:latest
@@ -69,7 +69,7 @@ export COMPOSE_PROJECT_NAME
 #     docker push quay.io/3scale/apicast-ci:openresty-X.Y.Z-{release_number}
 # * update .circleci/config.yaml openresty executor with the image URL
 .PHONY: dev-build
-dev-build: export OPENRESTY_RPM_VERSION?=1.19.3
+dev-build: export OPENRESTY_RPM_VERSION?=1.21.4
 dev-build: export LUAROCKS_VERSION?=2.3.0
 dev-build: IMAGE_NAME ?= apicast-development:latest
 dev-build: ## Build development image
diff --git a/docker-compose-devel.yml b/docker-compose-devel.yml
index f1f9e927f..6e1185605 100644
--- a/docker-compose-devel.yml
+++ b/docker-compose-devel.yml
@@ -2,7 +2,7 @@
 version: '2.2'
 services:
   development:
-    image: ${IMAGE:-quay.io/3scale/apicast-ci:openresty-1.19.3-23}
+    image: ${IMAGE:-quay.io/3scale/apicast-ci:openresty-1.21.4-1}
     platform: "linux/amd64"
     depends_on:
       - redis

From 807689e37cd6097f0fa8058a33a17e64b9918475 Mon Sep 17 00:00:00 2001
From: An Tran <tkan145@gmail.com>
Date: Tue, 30 Apr 2024 15:25:13 +1000
Subject: [PATCH 2/4] [t] fix failed tests in apicast-policy-ip-check.t

Previously, header contains space or control character were
considered invalid and were ignore by default. But in nginx
1.21.1, it now always returns an error instead if spaces or
control characters are used in a header
---
 t/apicast-policy-ip-check.t | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/t/apicast-policy-ip-check.t b/t/apicast-policy-ip-check.t
index 894c17872..3b65e4153 100644
--- a/t/apicast-policy-ip-check.t
+++ b/t/apicast-policy-ip-check.t
@@ -360,6 +360,8 @@ is always the valid one.
 [403, 200]
 
 === TEST 11: X-forwarded-for header with invalid data
+From 1.21.1, nginx will always returns an error if spaces or control
+characters are used in a header name
 --- configuration
 {
   "services": [
@@ -385,11 +387,9 @@ is always the valid one.
 }
 --- request
 GET /
---- response_body
-IP address not allowed
 --- more_headers eval
 X-forwarded-for: ,9.9.9.9
---- error_code: 403
+--- error_code: 400
 --- no_error_log
 [error]
 
@@ -420,10 +420,8 @@ X-forwarded-for: ,9.9.9.9
 }
 --- request
 GET /
---- response_body
-IP address not allowed
 --- more_headers eval
 X-forwarded-for: ,
---- error_code: 403
+--- error_code: 400
 --- no_error_log
 [error]

From 37dbe50dad1074c1a0b74467944456180a35c972 Mon Sep 17 00:00:00 2001
From: An Tran <tkan145@gmail.com>
Date: Tue, 30 Apr 2024 15:59:21 +1000
Subject: [PATCH 3/4] [t] fix failed test in apicast-policy-tls.t

In 1.21.4 openresty sock:handshake return cdata type instead of
userdata

Reference: https://github.com/openresty/lua-nginx-module/pull/1602
---
 t/apicast-policy-tls.t | 2 +-
 t/listen-https.t       | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/t/apicast-policy-tls.t b/t/apicast-policy-tls.t
index d3575497b..e1eb0423e 100644
--- a/t/apicast-policy-tls.t
+++ b/t/apicast-policy-tls.t
@@ -76,7 +76,7 @@ content_by_lua_block {
 }
 --- response_body
 connected: 1
-ssl handshake: userdata
+ssl handshake: cdata
 HTTP/1.1 200 OK
 --- no_error_log
 [error]
diff --git a/t/listen-https.t b/t/listen-https.t
index cbf0088c9..13e0e18d2 100644
--- a/t/listen-https.t
+++ b/t/listen-https.t
@@ -38,7 +38,7 @@ content_by_lua_block {
 }
 --- response_body
 connected: 1
-ssl handshake: userdata
+ssl handshake: cdata
 --- error_code: 200
 --- no_error_log
 [error]
@@ -110,7 +110,7 @@ content_by_lua_block {
 }
 --- response_body
 connected: 1
-ssl handshake: userdata
+ssl handshake: cdata
 --- error_code: 200
 --- no_error_log
 [error]
@@ -210,11 +210,11 @@ content_by_lua_block {
 }
 --- response_body
 connected: 1
-ssl handshake: userdata
+ssl handshake: cdata
 HTTP/1.1 201 Created
 
 connected: 1
-ssl handshake: userdata
+ssl handshake: cdata
 HTTP/1.1 202 Accepted
 --- error_code: 200
 --- grep_error_log eval: qr/Falling back to routing by host/

From f8f80174df1a03acc0ad04918b53fdbfbab23d55 Mon Sep 17 00:00:00 2001
From: An Tran <tkan145@gmail.com>
Date: Wed, 1 May 2024 11:42:12 +1000
Subject: [PATCH 4/4] [t] Fix failed tests in apicast-policy-3scale-batcher.t

Previously context.apply() is set in PR#1038. Due to ctx_ref
is nil in the test, the context also has nil value. However in
openresty 1.21.4 set ngx.ctx to a non-table value is considered
harmful and will return error. Therefore, we need to remove
context.apply() from the test.

Ref: https://github.com/openresty/lua-resty-core/pull/333
---
 t/apicast-policy-3scale-batcher.t | 2 --
 1 file changed, 2 deletions(-)

diff --git a/t/apicast-policy-3scale-batcher.t b/t/apicast-policy-3scale-batcher.t
index 33e94480f..40d5530eb 100644
--- a/t/apicast-policy-3scale-batcher.t
+++ b/t/apicast-policy-3scale-batcher.t
@@ -401,7 +401,6 @@ auth cache on every request (see rewrite_by_lua_block).
 --- upstream env
   location /api-backend {
     rewrite_by_lua_block {
-      require('resty.ctx').apply()
       ngx.shared.cached_auths:flush_all()
     }
      echo 'yay, api backend';
@@ -583,7 +582,6 @@ auth cache on every request (see rewrite_by_lua_block).
 --- upstream env
   location /api-backend {
     rewrite_by_lua_block {
-      require('resty.ctx').apply()
       ngx.shared.cached_auths:flush_all()
     }
      echo 'yay, api backend';