feat: adding custom SNI for etcd TLS requests (#145)

tzssangglass · web-flow · commit 0fa6b3deb055 · 2021-09-29T16:31:56.000+08:00
Signed-off-by: tzssangglass &lt;tzssangglass@gmail.com&gt;
diff --git a/api_v3.md b/api_v3.md
@@ -45,6 +45,7 @@ Method
   - `ssl_key_path`： string - path to the client key
   - `serializer`: string - serializer type, default `json`, also support `raw` to keep origin string value.
   - `extra_headers`: table - adding custom headers for etcd requests.
+  - `sni`: string - adding custom SNI fot etcd TLS requests.
 
 The client method returns either a `etcd` object or an `error string`.
 
diff --git a/lib/resty/etcd/v3.lua b/lib/resty/etcd/v3.lua
@@ -88,6 +88,7 @@ local function http_request_uri(self, http_cli, method, uri, body, headers, keep
         ssl_verify = self.ssl_verify,
         ssl_cert_path = self.ssl_cert_path,
         ssl_key_path = self.ssl_key_path,
+        ssl_server_name = self.sni,
     })
 
     if err then
@@ -208,6 +209,7 @@ function _M.new(opts)
     end
     local serializer = opts.serializer
     local extra_headers = opts.extra_headers
+    local sni        = opts.sni
 
     if not typeof.uint(timeout) then
         return nil, 'opts.timeout must be unsigned integer'
@@ -286,6 +288,7 @@ function _M.new(opts)
             ssl_cert_path = opts.ssl_cert_path,
             ssl_key_path = opts.ssl_key_path,
             extra_headers = extra_headers,
+            sni        = sni,
         },
         mt)
 end
@@ -676,6 +679,7 @@ local function request_chunk(self, method, path, opts, timeout)
         body    = body,
         query   = query,
         headers = headers,
+        ssl_server_name = self.sni,
     })
     utils.log_info("http request method: ", method, " path: ", path,
              " body: ", body, " query: ", query)
diff --git a/t/v3/sni.t b/t/v3/sni.t
@@ -0,0 +1,188 @@
+use Test::Nginx::Socket::Lua;
+
+log_level('info');
+no_long_string();
+repeat_each(1);
+
+my $enable_tls = $ENV{ETCD_ENABLE_MTLS};
+if ($enable_tls eq "TRUE") {
+    plan 'no_plan';
+} else {
+    plan(skip_all => "etcd is not capable for mTLS connection");
+}
+
+my $http_config = <<'_EOC_';
+    lua_socket_log_errors off;
+    lua_package_path 'lib/?.lua;/usr/share/lua/5.1/?.lua;;';
+    lua_ssl_trusted_certificate  ../../../t/certs/mtls_ca.crt;
+    init_by_lua_block {
+        local cjson = require("cjson.safe")
+
+        function check_res(data, err, val, status)
+            if err then
+                ngx.say("err: ", err)
+                ngx.exit(200)
+            end
+
+            if val then
+                if data.body.kvs==nil then
+                    ngx.exit(404)
+                end
+                if data.body.kvs and val ~= data.body.kvs[1].value then
+                    ngx.say("failed to check value")
+                    ngx.log(ngx.ERR, "failed to check value, got: ", data.body.kvs[1].value,
+                            ", expect: ", val)
+                    ngx.exit(200)
+                else
+                    ngx.say("checked val as expect: ", val)
+                end
+            end
+
+            if status and status ~= data.status then
+                ngx.exit(data.status)
+            end
+        end
+
+        function new_etcd(ssl_verify, ssl_cert_path, ssl_key_path, sni)
+            return require "resty.etcd" .new({
+                protocol = "v3",
+                api_prefix = "/v3",
+                http_host = {
+                    "https://127.0.0.1:12379",
+                    "https://127.0.0.1:22379",
+                    "https://127.0.0.1:32379",
+                },
+                ssl_verify = ssl_verify,
+                ssl_cert_path = ssl_cert_path or "t/certs/mtls_client.crt",
+                ssl_key_path = ssl_key_path or "t/certs/mtls_client.key",
+                sni = sni,
+            })
+        end
+    }
+_EOC_
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+
+    if (!$block->http_config) {
+        $block->set_value("http_config", $http_config);
+    }
+
+    if (!$block->no_error_log && !$block->error_log) {
+        $block->set_value("no_error_log", "[error]\n[alert]");
+    }
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: without sni, use host(127.0.0.1) as sni by default
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(true)
+            local res, err = etcd:set("/test", { a='abc'})
+            if err then
+                ngx.say(err)
+            else
+                ngx.say("done")
+            end
+        }
+    }
+--- response_body
+certificate host mismatch
+
+
+
+=== TEST 2: certificate host mismatch (requesy uri)
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(true, nil, nil, "wrong.sni")
+            local res, err = etcd:set("/test", { a='abc'})
+            if err then
+                ngx.say(err)
+            else
+                ngx.say("done")
+            end
+        }
+    }
+--- response_body
+certificate host mismatch
+
+
+
+=== TEST 3: sni match server cert common name (requesy uri)
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(true, nil, nil, "admin.apisix.dev")
+            local res, err = etcd:set("/test", { a='abc'})
+            if err then
+                ngx.say(err)
+            else
+                ngx.say("done")
+            end
+        }
+    }
+--- response_body
+done
+
+
+
+=== TEST 4: certificate host mismatch (requesy chunk)
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(true, nil, nil, "127.0.0.1")
+            local res, err = etcd:set("/test", "abc")
+            check_res(res, err)
+
+            ngx.timer.at(0.1, function ()
+                etcd:set("/test", "bcd3")
+            end)
+
+            local cur_time = ngx.now()
+            local body_chunk_fun, err = etcd:watch("/test", {timeout = 0.5})
+            if not body_chunk_fun then
+                ngx.say("failed to watch: ", err)
+            else
+                ngx.say("done")
+            end
+
+        }
+    }
+--- response_body
+err: certificate host mismatch
+
+
+
+=== TEST 5: sni match server cert common name (requesy chunk)
+--- config
+    location /t {
+        content_by_lua_block {
+            local etcd, err = new_etcd(true, nil, nil, "admin.apisix.dev")
+            local res, err = etcd:set("/test", "abc")
+            check_res(res, err)
+
+            ngx.timer.at(0.1, function ()
+                etcd:set("/test", "bcd3")
+            end)
+
+            local cur_time = ngx.now()
+            local body_chunk_fun, err = etcd:watch("/test", {timeout = 0.5})
+            if not body_chunk_fun then
+                ngx.say("failed to watch: ", err)
+            else
+                ngx.say("done")
+            end
+
+        }
+    }
+--- response_body
+done
