chore(deps) bump resty.session from 3.10 to 4.0.0

CHANGELOG.md

@@ -75,6 +75,11 @@
 
 - **JWT**: JWT plugin now denies a request that has different tokens in the jwt token search locations.
   [#9946](https://github.com/Kong/kong/pull/9946)
+- **Session**: for sessions to work as expected it is required that all nodes run Kong >= 3.2.x.
+  For that reason it is advisable that during upgrades mixed versions of proxy nodes run for
+  as little as possible. During that time, the invalid sessions could cause failures and partial downtime.
+  All existing sessions are invalidated when upgrading to this version.
+  [#10199](https://github.com/Kong/kong/pull/10199)
 
 ### Additions
 
@@ -121,6 +126,8 @@
   Defaults to `nil` which means do not add any tags
   to the metrics.
   [#10118](https://github.com/Kong/kong/pull/10118)
+- **Session**: now uses lua-resty-session v4.0.0
+  [#10199](https://github.com/Kong/kong/pull/10199)
 
 #### Admin API
 
@@ -183,6 +190,8 @@
   [#10144](https://github.com/Kong/kong/pull/10144)
 - Bumped lua-kong-nginx-module from 0.5.0 to 0.5.1
   [#10181](https://github.com/Kong/kong/pull/10181)
+- Bumped lua-resty-session from 3.10 to 4.0.0
+  [#10199](https://github.com/Kong/kong/pull/10199)
 
 #### Core
 

kong-3.2.0-0.rockspec

@@ -40,7 +40,7 @@ dependencies = {
   "lua-resty-counter == 0.2.1",
   "lua-resty-ipmatcher == 0.6.1",
   "lua-resty-acme == 0.10.1",
-  "lua-resty-session == 3.10",
+  "lua-resty-session == 4.0.0",
   "lua-resty-timer-ng == 0.2.0",
 }
 build = {

kong/clustering/compat/init.lua

@@ -235,7 +235,16 @@ local function delete_at(t, key)
 end
 
 
-local function invalidate_keys_from_config(config_plugins, keys, log_suffix)
+local function rename_field(config, name_from, name_to, has_update)
+  if config[name_from] ~= nil then
+    config[name_to] = config[name_from]
+    return true
+  end
+  return has_update
+end
+
+
+local function invalidate_keys_from_config(config_plugins, keys, log_suffix, dp_version_num)
   if not config_plugins then
     return false
   end
@@ -246,8 +255,24 @@ local function invalidate_keys_from_config(config_plugins, keys, log_suffix)
     local config = t and t["config"]
     if config then
       local name = gsub(t["name"], "-", "_")
-
       if keys[name] ~= nil then
+        -- Any dataplane older than 3.2.0
+        if dp_version_num < 3002000000 then
+          -- OSS
+          if name == "session" then
+            has_update = rename_field(config, "idling_timeout", "cookie_idletime", has_update)
+            has_update = rename_field(config, "rolling_timeout", "cookie_lifetime", has_update)
+            has_update = rename_field(config, "stale_ttl", "cookie_discard", has_update)
+            has_update = rename_field(config, "cookie_same_site", "cookie_samesite", has_update)
+            has_update = rename_field(config, "cookie_http_only", "cookie_httponly", has_update)
+            has_update = rename_field(config, "remember", "cookie_persistent", has_update)
+
+            if config["cookie_samesite"] == "Default" then
+              config["cookie_samesite"] = "Lax"
+            end
+          end
+        end
+
         for _, key in ipairs(keys[name]) do
           if delete_at(config, key) then
             ngx_log(ngx_WARN, _log_prefix, name, " plugin contains configuration '", key,
@@ -329,7 +354,7 @@ function _M.update_compatible_payload(payload, dp_version, log_suffix)
 
   local fields = get_removed_fields(dp_version_num)
   if fields then
-    if invalidate_keys_from_config(config_table["plugins"], fields, log_suffix) then
+    if invalidate_keys_from_config(config_table["plugins"], fields, log_suffix, dp_version_num) then
       has_update = true
     end
   end
@@ -385,7 +410,7 @@ function _M.update_compatible_payload(payload, dp_version, log_suffix)
     end
   end
 
-  
+
   if dp_version_num < 3001000000 --[[ 3.1.0.0 ]] then
     local config_upstream = config_table["upstreams"]
     if config_upstream then

kong/clustering/compat/removed_fields.lua

@@ -34,10 +34,19 @@ return {
       "http_response_header_for_traceid",
     },
   },
-  -- Any dataplane older than 3.1.0
+  -- Any dataplane older than 3.2.0
   [3002000000] = {
     statsd = {
       "tag_style",
     },
-  }
+    session = {
+      "audience",
+      "absolute_timeout",
+      "remember_cookie_name",
+      "remember_rolling_timeout",
+      "remember_absolute_timeout",
+      "response_headers",
+      "request_headers",
+    },
+  },
 }

kong/plugins/session/access.lua

@@ -43,7 +43,7 @@ local function authenticate(consumer, credential_id, groups)
   if credential_id then
     credential = {
       id          = credential_id,
-      consumer_id = consumer.id
+      consumer_id = consumer.id,
     }
 
     clear_header(constants.HEADERS.ANONYMOUS)
@@ -65,10 +65,11 @@ end
 
 
 function _M.execute(conf)
-  local s, present, reason = kong_session.open_session(conf)
-  if not present then
-    if reason then
-      kong.log.debug("session not present (", reason, ")")
+  -- check if session exists
+  local session, err, exists = kong_session.open_session(conf)
+  if not exists then
+    if err then
+      kong.log.debug("session not present (", err, ")")
     else
       kong.log.debug("session not present")
     end
@@ -79,17 +80,23 @@ function _M.execute(conf)
   -- check if incoming request is trying to logout
   if kong_session.logout(conf) then
     kong.log.debug("session logging out")
-    s:destroy()
+    local ok, err = session:logout()
+    if not ok then
+      if err then
+        kong.log.warn("session logout failed (", err, ")")
+      else
+        kong.log.warn("session logout failed")
+      end
+    end
+
     return kong.response.exit(200)
   end
 
+  local consumer_id, credential_id, groups = kong_session.get_session_data(session)
 
-  local cid, credential, groups = kong_session.retrieve_session_data(s)
-
-  local consumer_cache_key = kong.db.consumers:cache_key(cid)
+  local consumer_cache_key = kong.db.consumers:cache_key(consumer_id)
   local consumer, err = kong.cache:get(consumer_cache_key, nil,
-                                       kong.client.load_consumer, cid)
-
+                                       kong.client.load_consumer, consumer_id)
   if err then
     kong.log.err("could not load consumer: ", err)
     return
@@ -98,14 +105,32 @@ function _M.execute(conf)
   -- destroy sessions with invalid consumer_id
   if not consumer then
     kong.log.debug("failed to find consumer, destroying session")
-    return s:destroy()
+    local ok, err = session:logout()
+    if not ok then
+      if err then
+        kong.log.warn("session logout failed (", err, ")")
+      else
+        kong.log.warn("session logout failed")
+      end
+    end
+
+    return
+  end
+
+  local ok, err = session:refresh()
+  if not ok then
+    if err then
+      kong.log.warn("session refresh failed (", err, ")")
+    else
+      kong.log.warn("session refresh failed")
+    end
   end
 
-  s:start()
+  session:set_headers()
 
-  authenticate(consumer, credential, groups)
+  kong.ctx.shared.authenticated_session = session
 
-  kong.ctx.shared.authenticated_session = s
+  authenticate(consumer, credential_id, groups)
 end
 
 

kong/plugins/session/daos.lua

@@ -1,5 +1,6 @@
 local typedefs = require "kong.db.schema.typedefs"
 
+
 return {
   {
     primary_key = { "id" },

kong/plugins/session/handler.lua

@@ -9,12 +9,12 @@ local KongSessionHandler = {
 }
 
 
-function KongSessionHandler.header_filter(_, conf)
+function KongSessionHandler:header_filter(conf)
   header_filter.execute(conf)
 end
 
 
-function KongSessionHandler.access(_, conf)
+function KongSessionHandler:access(conf)
   access.execute(conf)
 end
 

kong/plugins/session/header_filter.lua

@@ -10,7 +10,7 @@ local assert = assert
 local function get_authenticated_groups()
   local authenticated_groups = ngx.ctx.authenticated_groups
   if authenticated_groups == nil then
-    return nil
+    return
   end
 
   assert(type(authenticated_groups) == "table",
@@ -29,19 +29,26 @@ function _M.execute(conf)
 
   if not credential then
     -- don't open sessions for anonymous users
-    kong.log.debug("anonymous: no credential.")
+    kong.log.debug("anonymous: no credential")
     return
   end
 
   local credential_id = credential.id
-  local consumer_id = consumer and consumer.id
+
+  local subject
+  local consumer_id
+  if consumer then
+    consumer_id = consumer.id
+    subject = consumer.username or consumer.custom_id or consumer_id
+  end
 
   -- if session exists and the data in the session matches the ctx then
   -- don't worry about saving the session data or sending cookie
-  local s = kong.ctx.shared.authenticated_session
-  if s and s.present then
-    local cid, cred_id = kong_session.retrieve_session_data(s)
-    if cred_id == credential_id and cid == consumer_id
+  local session = kong.ctx.shared.authenticated_session
+  if session then
+    local session_consumer_id, session_credential_id = kong_session.get_session_data(session)
+    if session_credential_id == credential_id and
+       session_consumer_id   == consumer_id
     then
       return
     end
@@ -51,12 +58,27 @@ function _M.execute(conf)
   -- create new session and save the data / send the Set-Cookie header
   if consumer_id then
     local groups = get_authenticated_groups()
-    s = s or kong_session.open_session(conf)
-    kong_session.store_session_data(s,
-                                    consumer_id,
-                                    credential_id or consumer_id,
-                                    groups)
-    s:save()
+    if not session then
+      session = kong_session.open_session(conf)
+    end
+
+    kong_session.set_session_data(session,
+                                  consumer_id,
+                                  credential_id or consumer_id,
+                                  groups)
+
+    session:set_subject(subject)
+
+    local ok, err = session:save()
+    if not ok then
+      if err then
+        kong.log.err("session save failed (", err, ")")
+      else
+        kong.log.err("session save failed")
+      end
+    end
+
+    session:set_response_headers()
   end
 end