fix(sni) stricter detection and handling of duplicate snis #2285
Conversation
|
if some of this is based on the unique constraint as mentioned in #2275 then there should also be a migration adding that constraint to the postgres schema. No? |
|
Err. The |
Just clarifying, the point there was that the constraint is not applied to cassandra. btw, this PR also fixes a few other misbehaviors, like creating certs and some SNI objects even when a PK violation is detected (yet still returning a 409). |
then we need to add a schema change then. Right? |
|
From what I can tell, the behavior seen is #2275 is a result of this PK definition for the cassandra ssl_servers_names table: https://github.com/Mashape/kong/blob/master/kong/dao/migrations/cassandra.lua#L238 Prior to this PR, we always created a new Certificate object, regardless of SNI name duplicates, which means that we never had a PK violation for cassandra when we try to insert the duplicate SNI (indeed, that's one behavior this PR fixes). So it seems the cassandra schema change here under the hood would actually be to alter the PK- which, from what I can tell, is not an option (it would involve copying and duplicating the table with the new PK- this sounds awful ;) ). It seems that we can handle this ourselves by adding the |
p0pr0ck5
force-pushed
the
fix/sni-conflict
branch
from
a61a5ff to
6572e00
Compare
kong/api/routes/certificates.lua
Outdated
| local seen = {} | ||
| if type(snis) == "table" then | ||
| for i = 1, #snis do | ||
| local sni_name = snis[i] |
There was a problem hiding this comment.
@p0pr0ck5 btw: why not use ipairs and implictly declare and assign sni_name? any specific reason you avoid that? (just wondering)
There was a problem hiding this comment.
ipairs is a bit slower than an iterative loop, due to the function call overhead, but given the likely scope of this, it probably wouldn't make much difference either way :) let me know if this is a blocker (doesnt seem like it)
There was a problem hiding this comment.
(also the existing code below follows the same pattern; maintaining consistency inside a module is important imo)
kong/api/routes/certificates.lua
Outdated
| -- its fairly inefficient that we have to loop twice over the datastore | ||
| -- but no support for OR queries means we gotsta! | ||
| local seen = {} | ||
| if type(snis) == "table" then |
There was a problem hiding this comment.
It seems this check is extraneous here. Following the beginning of this function, I believe snis can either be nil or a table. Hence, if snis then seems simpler and reasonable enough.
kong/api/routes/certificates.lua
Outdated
| local seen = {} | ||
| if type(snis) == "table" then | ||
| for i = 1, #snis do | ||
| local sni_name = snis[i] |
kong/api/routes/certificates.lua
Outdated
| -- dont add the certificate or any snis if we have an SNI conflict | ||
| -- its fairly inefficient that we have to loop twice over the datastore | ||
| -- but no support for OR queries means we gotsta! | ||
| local seen = {} |
There was a problem hiding this comment.
I believe this seen table does not have to belong to this scope, but can be scoped under the if snis then block?
thibaultcha
force-pushed
the
fix/sni-conflict
branch
2 times, most recently
from
6a92e26 to
6da94a8
Compare
Previously, if a duplicate SNI was detected as part of the 'snis' sugar param, we still created the certificate object, as well as any previously non-existant sni encountered before the conflicting element. This commit prevents creation of orphan entries by checking for the existence all posted snis before creating the certificate and sni objects. This commit also cleans up the naming schemes for admin API certificate routes integration tests (no functional change). Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
* new test to enforce the uniqueness of a SNI by its name * run `/certificates` and `/snis` tests with both PostgreSQL and Cassandra.
thibaultcha
force-pushed
the
fix/sni-conflict
branch
from
6da94a8 to
64a66b4
Compare
thibaultcha
added
pr/ready (but hold merge)
In such cold code paths, we can make the code more readable. Let's also not call SNIs "sni_name" since "sni" already carries this meaning.
thibaultcha
force-pushed
the
fix/sni-conflict
branch
from
60aa903 to
d1b196d
Compare
Previously, if a duplicate sni was detected as part of the 'snis'
sugar param, we still created the certificate object, as well as
any previously non-existant sni encountered before the conflicting
element. This commit prevents creation of orphan entries by checking
for the existence all posted snis before creating the certificate
and sni objects.
This commit also cleans up the naming schemes for admin API certificate
routes integration tests (no functional change).
Fixes issue #2275, among other behavioral inconsistencies.