Merge remote-tracking branch 'Mashape/master'

* Mashape/master: Update README.md docs: document the new gitflow docs(changelog) 0.5.1 changes Adding X-Credential-Username to Basic Auth and HMAC Auth perf(base_dao) Cache session_uniq_addr result Update README.md Update README.md Add WWW-Authenticate header for reponses w/ status 401 Unauthorized. Version bump hmac migration fix Update README.md Update README.md hmac GH issues# 600 fix Changed URL of cloned repo chore(ci) bump Cassandra to 2.1.10 docs(readme) remove ci badges (c2f57a8) Update README.md fix(tests) fix config test broken because of Kong#580 allow admin api's to post json through Cors
xvaara · Oct 19, 2015 · dfde9c3 · dfde9c3
2 parents 99c0227 + 7d2ada1
commit dfde9c3
Show file tree

Hide file tree

Showing 17 changed files with 252 additions and 75 deletions.
diff --git a/.ci/setup_cassandra.sh b/.ci/setup_cassandra.sh
@@ -3,5 +3,5 @@
 CASSANDRA_BASE=apache-cassandra-$CASSANDRA_VERSION
 
 sudo rm -rf /var/lib/cassandra/*
-curl http://apache.mirrors.ionfish.org/cassandra/$CASSANDRA_VERSION/$CASSANDRA_BASE-bin.tar.gz | tar xz
+curl http://apache.arvixe.com/cassandra/$CASSANDRA_VERSION/$CASSANDRA_BASE-bin.tar.gz | tar xz
 sudo sh $CASSANDRA_BASE/bin/cassandra
diff --git a/.travis.yml b/.travis.yml
@@ -2,7 +2,7 @@ language: erlang
 
 env:
   global:
-    - CASSANDRA_VERSION=2.1.9
+    - CASSANDRA_VERSION=2.1.10
   matrix:
     - LUA=lua5.1
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,30 @@
 ## [Unreleased][unreleased]
 
+## [0.5.1] - 2015/10/13
+
+Fixing a few glitches we let out with 0.5.0!
+
+### Added
+
+- Basic Authentication and HMAC Authentication plugins now also send the `X-Credential-Username` to the upstream server.
+- Admin API now accept JSON when receiving a CORS request. [#580](https://github.com/Mashape/kong/pull/580)
+- Add a `WWW-Authenticate` header for HTTP 401 responses for basic-auth and key-auth. [#588](https://github.com/Mashape/kong/pull/588)
+
+### Changed
+
+- Protect Kong from POODLE SSL attacks by omitting SSLv3 (CVE-2014-3566). [#563](https://github.com/Mashape/kong/pull/563)
+- Remove support for key-auth key in body. [#566](https://github.com/Mashape/kong/pull/566)
+
+### Fixed
+
+- Plugins
+  - HMAC
+    - The migration for this plugin is now correctly being run. [#611](https://github.com/Mashape/kong/pull/611)
+    - Wrong username doesn't return HTTP 500 anymore, but 403. [#602](https://github.com/Mashape/kong/pull/602)
+  - JWT: `iss` not being found doesn't return HTTP 500 anymore, but 403. [#578](https://github.com/Mashape/kong/pull/578)
+  - OAuth2: client credentials flow does not include a refresh token anymore. [#562](https://github.com/Mashape/kong/issues/562)
+- Fix an occasional error when updating a plugin without a config. [#571](https://github.com/Mashape/kong/pull/571)
+
 ## [0.5.0] - 2015/09/25
 
 With new plugins, many improvements and bug fixes, this release comes with breaking changes that will require your attention.
@@ -310,7 +335,8 @@ First version running with Cassandra.
 - CLI `bin/kong` script.
 - Database migrations (using `db.lua`).
 
-[unreleased]: https://github.com/mashape/kong/compare/0.5.0...HEAD
+[unreleased]: https://github.com/mashape/kong/compare/0.5.1...next
+[0.5.1]: https://github.com/mashape/kong/compare/0.5.0...0.5.1
 [0.5.0]: https://github.com/mashape/kong/compare/0.4.2...0.5.0
 [0.4.2]: https://github.com/mashape/kong/compare/0.4.1...0.4.2
 [0.4.1]: https://github.com/mashape/kong/compare/0.4.0...0.4.1

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -6,7 +6,7 @@ Discuss it on the [Google Group](https://groups.google.com/forum/#!forum/konglay
 
 ## Found a bug?
 
-We would like to hear about it. Please [submit an issue][new-issue] on GitHub and we will follow up. Even better, we would appreaciate a [Pull Request][new-pr] with a fix for it.
+We would like to hear about it. Please [submit an issue][new-issue] on GitHub and we will follow up. Even better, we would appreaciate a [Pull Request][new-pr] with a fix for it. If the fix is urgent, feel free to open the PR against the `master` branch.
 
 ## Want a feature?
 
@@ -36,7 +36,7 @@ Before submitting your Pull Request please make sure to:
 - Consider squashing your commits. We prefer your initial changes to be squashed into a single commit. Later, if we ask you to make changes, add them as separate commits. This makes them easier to review. As a final step before merging we will either ask you to squash all commits yourself or we'll do it for you.
 - Run the test suite with `make test-all`.
 
-If all went well, we are eager to see your contribution, feel free to submit your Pull Request!
+If all went well, we are eager to see your contribution, feel free to submit your Pull Request against the `next` branch.
 
 [new-issue]: #submitting-an-issue
 [new-pr]: #submitting-a-pull-request
diff --git a/README.md b/README.md
@@ -1,15 +1,14 @@
 # Microservice & API Management Layer
-
-[![Gitter Badge][gitter-badge]][gitter-url]
-
 [![][kong-logo]][kong-url]
 
-Kong was created at [Mashape][mashape-url] to secure, manage and extend Microservices & APIs, while handling billions of requests per month. Kong is powered by the battle-tested tech of **NGINX** with a focus on scalability, high performance & reliability. 
+Kong [was created](http://stackshare.io/mashape/how-mashape-manages-over-15-000-apis-microservices) at [Mashape](https://www.mashape.com) to secure, manage and extend Microservices & APIs, while handling billions of requests per month. Kong is powered by the battle-tested tech of **NGINX** with a focus on scalability, high performance & reliability.
 
 [Website](http://getkong.org) |
 [Documentation](http://getkong.org/docs) |
 [Installation](http://getkong.org/install) |
-[Mailing List](https://groups.google.com/forum/#!forum/konglayer) 
+[Mailing List][google-groups-url]
+
+[![Gitter Badge][gitter-badge]][gitter-url]
 
 
 ## Summary
@@ -38,7 +37,7 @@ Kong was created at [Mashape][mashape-url] to secure, manage and extend Microser
   - **ACL**: Acccess Control for your API Consumers.
   - **IP-restriction**: Whitelist or blacklist IPs that can make requests.
   - **Response-Rate-Limiting**: Rate limiting based on custom response header value.
-  - **Analytics**: Visualize, Inspect and Monitor API traffic with [Mashape Analytics](https://apianalytics.com).
+  - **Analytics**: Visualize, Inspect and Monitor API traffic with [Mashape Analytics](https://apianalytics.com) (Galileo).
   - **SSL**: Setup a specific SSL certificate for an underlying service or API.
   - **Monitoring**: Live monitoring provides key load and performance server metrics.
   - **Authentication**: Manage consumer credentials query string and header tokens.
@@ -64,59 +63,57 @@ We've load tested Kong and Cassandra on AWS; you can see our [benchmark report h
 Kong comes in many shapes. While this repository contains its core's source code, other repos are also under active development:
 
 - [Kong Docker](https://github.com/Mashape/docker-kong): A Dockerfile for running Kong in Docker.
+- [Kong Packages](https://github.com/Mashape/kong-distributions): Packaging scripts for deb, rpm and osx distributions.
 - [Kong Vagrant](https://github.com/Mashape/kong-vagrant): A Vagrantfile for provisioning a development ready environment for Kong.
 - [Kong Homebrew](https://github.com/Mashape/homebrew-kong): Homebrew Formula for Kong.
 - [Kong CloudFormation](https://github.com/Mashape/kong-dist-cloudformation): Kong in a 1-click deployment for AWS EC2
 - [Kong AWS AMI](https://aws.amazon.com/marketplace/pp/B014GHERVU/ref=srh_res_product_image?ie=UTF8&sr=0-2&qid=1440801656966): Kong AMI on the AWS Marketplace.
-- [Kong Packages](https://github.com/Mashape/kong-distributions): Packaging scripts for deb, rpm and osx distributions.
+- [Kong on Microsoft Azure](https://github.com/Mashape/kong-azure): Run Kong using Azure Resource Manager.
+
 
-## Community Resources and Tools 
+## Community Resources and Tools
 
 Resources:
 
-- [Kong mentioned for the Empire PaaS](http://engineering.remind.com/introducing-empire/)  
+- [Kong mentioned for the Empire PaaS](http://engineering.remind.com/introducing-empire/)
 - [Kong Getting Started Tutorials in Japanese](http://dev.classmethod.jp/etc/kong-api-aggregator/)
-- [Configuring Kong](http://rotlogix.com/2015/06/18/configuring-kong-for-a-services-layer/)
 - [Realtime API Management with Pushpin](http://blog.fanout.io/2015/07/14/realtime-api-management-pushpin-kong/)
 - [How to Create your own Plugin](http://streamdata.io/blog/developing-an-helloworld-kong-plugin/)
 - [Instaclustr Partners with Kong](https://www.instaclustr.com/instaclustr-partners-with-mashape-to-deliver-managed-cassandra-for-kong/)
-
-
+- [The story behind Kong](http://stackshare.io/mashape/how-mashape-manages-over-15-000-apis-microservices)
+- [How to deploy Kong on Azure](https://jeremiedevillard.wordpress.com/2015/10/12/deploy-kong-api-management-using-azure-resource-manager/)
 
 Tools:
 
 - [Kong on Tutum](https://github.com/Sillelien/docker-kong)
-- [Kong Admin GUI in JS](https://github.com/rsdevigo/jungle) 
+- [Kong Admin GUI in JS](https://github.com/rsdevigo/jungle)
 - [Kong Admin GUI in Py](https://github.com/vikingco/django-kong-admin)
+- [Kong UI](https://github.com/msaraf/kong-ui)
 - [Chef Cookbook for Kong](https://github.com/zuazo/kong-cookbook)
 - [Python Client for Kong API](https://pypi.python.org/pypi/python-kong/)
 - [Kong with Instaclustr](https://www.instaclustr.com/products/kong/)
 
-
-
-
 ## Roadmap
 
 You can find a detailed Roadmap of Kong on the [Wiki](https://github.com/Mashape/kong/wiki).
 
-## Development 
-
-[![Build Status][travis-badge]][travis-url]
-[![Circle CI][circleci-badge]][circleci-url]
+## Development
 
-If you are planning on developing on Kong (writing your own plugin or contribute to the core), you'll need a development installation.
+If you are planning on developing on Kong (writing your own plugin or contribute to the core), you'll need a development installation. The `next` branch holds the latest unreleased source code.
 
 #### Vagrant
 
 You can use a Vagrant box running Kong and Cassandra that you can find at [Mashape/kong-vagrant](https://github.com/Mashape/kong-vagrant).
 
 #### Source Install
 
-First, you will need to already have Kong installed. Install Kong by following one of the methods described at [getkong.org/download](http://getkong.org/download). Then, make sure you have downloaded [Cassandra](http://cassandra.apache.org/download/) and that it is running. These steps will override your Kong installation with the latest source from the master branch:
+First, you will need to already have Kong installed. Install Kong by following one of the methods described at [getkong.org/download](http://getkong.org/download). Then, make sure you have downloaded [Cassandra](http://cassandra.apache.org/download/) and that it is running. These steps will override your Kong installation with the latest source code:
 
 ```shell
+# clone the repo and use the next branch
 $ git clone https://github.com/Mashape/kong
 $ cd kong/
+$ git checkout next
 
 # Build and install Kong globally using Luarocks, overriding the version previously installed
 $ [sudo] make install
@@ -173,19 +170,12 @@ limitations under the License.
 ```
 
 [kong-url]: http://getkong.org/
-[kong-docs]: http://getkong.org/docs/
 
 [kong-logo]: http://i.imgur.com/4jyQQAZ.png
 [kong-benefits]: http://cl.ly/image/1B3J3b3h1H1c/Image%202015-07-07%20at%206.57.25%20PM.png
 
 [mashape-url]: https://www.mashape.com
 
-[travis-url]: https://travis-ci.org/Mashape/kong
-[travis-badge]: https://img.shields.io/travis/Mashape/kong.svg?style=flat
-
-[circleci-url]: https://circleci.com/gh/Mashape/kong
-[circleci-badge]: https://circleci.com/gh/Mashape/kong.svg?style=shield
-
 [gitter-url]: https://gitter.im/Mashape/kong
 [gitter-badge]: https://img.shields.io/badge/Gitter-Join%20Chat-blue.svg
 

diff --git a/UPDATE.md b/UPDATE.md
@@ -55,7 +55,7 @@ properties:
 # First, make sure you are already running Kong 0.4.2
 
 # Clone the Kong git repository if you don't already have it:
-$ git clone git@github.com:Mashape/kong.git
+$ git clone https://github.com/Mashape/kong.git
 
 # Go to the 'scripts/' folder:
 $ cd kong/scripts

diff --git a/kong-0.5.0-1.rockspec → kong-0.5.1-1.rockspec b/kong-0.5.0-1.rockspec → kong-0.5.1-1.rockspec
@@ -1,9 +1,9 @@
 package = "kong"
-version = "0.5.0-1"
+version = "0.5.1-1"
 supported_platforms = {"linux", "macosx"}
 source = {
   url = "git://github.com/Mashape/kong",
-  tag = "0.5.0"
+  tag = "0.5.1"
 }
 description = {
   summary = "Kong is a scalable and customizable API Management Layer built on top of Nginx.",
@@ -214,7 +214,8 @@ build = {
     ["kong.plugins.jwt.api"] = "kong/plugins/jwt/api.lua",
     ["kong.plugins.jwt.daos"] = "kong/plugins/jwt/daos.lua",
     ["kong.plugins.jwt.jwt_parser"] = "kong/plugins/jwt/jwt_parser.lua",
-
+
+    ["kong.plugins.hmac-auth.migrations.cassandra"] = "kong/plugins/hmac-auth/migrations/cassandra.lua",
     ["kong.plugins.hmac-auth.handler"] = "kong/plugins/hmac-auth/handler.lua",
     ["kong.plugins.hmac-auth.access"] = "kong/plugins/hmac-auth/access.lua",
     ["kong.plugins.hmac-auth.schema"] = "kong/plugins/hmac-auth/schema.lua",

diff --git a/kong.yml b/kong.yml
@@ -197,6 +197,7 @@ nginx: |
           ngx.header["Access-Control-Allow-Origin"] = "*"
           if ngx.req.get_method() == "OPTIONS" then
             ngx.header["Access-Control-Allow-Methods"] = "GET,HEAD,PUT,PATCH,POST,DELETE"
+            ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
             ngx.exit(204)
           end
           local lapis = require "lapis"

diff --git a/kong/constants.lua b/kong/constants.lua
@@ -1,4 +1,4 @@
-local VERSION = "0.5.0"
+local VERSION = "0.5.1"
 
 return {
   NAME = "kong",
@@ -38,6 +38,7 @@ return {
     CONSUMER_ID = "X-Consumer-ID",
     CONSUMER_CUSTOM_ID = "X-Consumer-Custom-ID",
     CONSUMER_USERNAME = "X-Consumer-Username",
+    CREDENTIAL_USERNAME = "X-Credential-Username",
     RATELIMIT_LIMIT = "X-RateLimit-Limit",
     RATELIMIT_REMAINING = "X-RateLimit-Remaining"
   },

diff --git a/kong/dao/cassandra/base_dao.lua b/kong/dao/cassandra/base_dao.lua
@@ -157,9 +157,10 @@ function BaseDao:get_or_prepare_stmt(session, query)
   end
 
   local statement, err
+  local session_addr = session_uniq_addr(session)
   -- Retrieve the prepared statement from cache or prepare and cache
-  if self._statements_cache[session_uniq_addr(session)] and self._statements_cache[session_uniq_addr(session)][query] then
-    statement = self._statements_cache[session_uniq_addr(session)][query]
+  if self._statements_cache[session_addr] and self._statements_cache[session_addr][query] then
+    statement = self._statements_cache[session_addr][query]
   else
     statement, err = self:prepare_stmt(session, query)
     if err then
@@ -333,13 +334,14 @@ function BaseDao:prepare_stmt(session, query)
   if prepare_err then
     return nil, DaoError("Failed to prepare statement: \""..query.."\". "..prepare_err, error_types.DATABASE)
   else
+    local session_addr = session_uniq_addr(session)
     -- cache of prepared statements must be specific to each node
-    if not self._statements_cache[session_uniq_addr(session)] then
-      self._statements_cache[session_uniq_addr(session)] = {}
+    if not self._statements_cache[session_addr] then
+      self._statements_cache[session_addr] = {}
     end
 
     -- cache key is the non-striped/non-formatted query from _queries
-    self._statements_cache[session_uniq_addr(session)][query] = prepared_stmt
+    self._statements_cache[session_addr][query] = prepared_stmt
     return prepared_stmt
   end
 end

diff --git a/kong/plugins/basic-auth/access.lua b/kong/plugins/basic-auth/access.lua
@@ -85,6 +85,7 @@ function _M.execute(conf)
   -- If both headers are missing, return 401
   if not (ngx.req.get_headers()[AUTHORIZATION] or ngx.req.get_headers()[PROXY_AUTHORIZATION]) then
     ngx.ctx.stop_phases = true
+    ngx.header["WWW-Authenticate"] = "Basic realm=\""..constants.NAME.."\""
     return responses.send_HTTP_UNAUTHORIZED()
   end
 
@@ -117,6 +118,7 @@ function _M.execute(conf)
   ngx.req.set_header(constants.HEADERS.CONSUMER_ID, consumer.id)
   ngx.req.set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
   ngx.req.set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
+  ngx.req.set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
   ngx.ctx.authenticated_entity = credential
 end
 

diff --git a/kong/plugins/hmac-auth/access.lua b/kong/plugins/hmac-auth/access.lua
@@ -11,6 +11,7 @@ local ngx_parse_time = ngx.parse_http_time
 local ngx_sha1 = ngx.hmac_sha1
 local ngx_set_header = ngx.req.set_header
 local ngx_set_headers = ngx.req.get_headers
+local ngx_log = ngx.log
 
 local split = stringy.split
 
@@ -28,13 +29,13 @@ local function retrieve_hmac_fields(request, headers, header_name, conf)
   if authorization_header then
     local iterator, iter_err = ngx_gmatch(authorization_header, "\\s*[Hh]mac\\s*username=\"(.+)\",\\s*algorithm=\"(.+)\",\\s*headers=\"(.+)\",\\s*signature=\"(.+)\"")
     if not iterator then
-      ngx.log(ngx.ERR, iter_err)
+      ngx_log(ngx.ERR, iter_err)
       return
     end
 
     local m, err = iterator()
     if err then
-      ngx.log(ngx.ERR, err)
+      ngx_log(ngx.ERR, err)
       return 
     end
 
@@ -91,10 +92,10 @@ local function hmacauth_credential_key(username)
   return "hmacauth_credentials/"..username
 end
 
-local function load_secret(username)
-  local secret
+local function load_credential(username)
+  local credential
   if username then
-      secret = cache.get_or_set(hmacauth_credential_key(username), function()
+      credential = cache.get_or_set(hmacauth_credential_key(username), function()
       local keys, err = dao.hmacauth_credentials:find_by_keys { username = username }
       local result
       if err then
@@ -105,7 +106,7 @@ local function load_secret(username)
       return result
     end)
   end
-  return secret
+  return credential
 end
 
 local function validate_clock_skew(headers, allowed_clock_skew)
@@ -150,16 +151,19 @@ function _M.execute(conf)
   end
 
   -- validate signature
-  local secret = load_secret(hmac_params.username)
-  hmac_params.secret = secret.secret
+  local credential = load_credential(hmac_params.username)
+  if not credential then
+    responses.send_HTTP_FORBIDDEN(SIGNATURE_NOT_VALID)
+  end    
+  hmac_params.secret = credential.secret
   if not validate_signature(ngx.req, hmac_params, headers) then
     ngx.ctx.stop_phases = true -- interrupt other phases of this request
     return responses.send_HTTP_FORBIDDEN("HMAC signature does not match")
   end
 
   -- Retrieve consumer
-  local consumer = cache.get_or_set(cache.consumer_key(secret.consumer_id), function()
-    local result, err = dao.consumers:find_by_primary_key({ id = secret.consumer_id })
+  local consumer = cache.get_or_set(cache.consumer_key(credential.consumer_id), function()
+    local result, err = dao.consumers:find_by_primary_key({ id = credential.consumer_id })
     if err then
       return responses.send_HTTP_INTERNAL_SERVER_ERROR(err)
     end
@@ -169,6 +173,7 @@ function _M.execute(conf)
   ngx_set_header(constants.HEADERS.CONSUMER_ID, consumer.id)
   ngx_set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
   ngx_set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
+  ngx.req.set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
   ngx.ctx.authenticated_entity = secret
 end
 

diff --git a/kong/plugins/key-auth/access.lua b/kong/plugins/key-auth/access.lua
@@ -72,6 +72,7 @@ function _M.execute(conf)
   -- No key found in the request's headers or parameters
   if not key_found then
     ngx.ctx.stop_phases = true
+    ngx.header["WWW-Authenticate"] = "Key realm=\""..constants.NAME.."\""
     return responses.send_HTTP_UNAUTHORIZED("No API Key found in headers, body or querystring")
   end
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,7 @@ language: erlang @@
     env:
       global:
-        - CASSANDRA_VERSION=2.1.9
+        - CASSANDRA_VERSION=2.1.10
       matrix:
         - LUA=lua5.1
@@ Expand Down @@