feat(conf): support base64 encoded *_cert and *_cert_key (#9367)

* support base64 encoded *_cert and *_cert_key * support base64url encoding This adds a test case to ensure base64 encoded properties are corectly parsed and decoded.
Kong · Sep 2, 2022 · 2f595c2 · 2f595c2
1 parent 370171a
commit 2f595c2
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 0 deletions.
diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
@@ -18,6 +18,7 @@ local utils = require "kong.tools.utils"
 local log = require "kong.cmd.utils.log"
 local env = require "kong.cmd.utils.env"
 local ffi = require "ffi"
+local base64 = require "ngx.base64"
 
 
 local fmt = string.format
@@ -44,6 +45,8 @@ local abspath = pl_path.abspath
 local tostring = tostring
 local tonumber = tonumber
 local setmetatable = setmetatable
+local decode_base64 = ngx.decode_base64
+local decode_base64url = base64.decode_base64url
 
 
 local get_phase do
@@ -622,6 +625,26 @@ local function infer_value(value, typ, opts)
 end
 
 
+local function try_base64_decode(vals)
+  if type(vals) == "table" then
+    for i, v in ipairs(vals) do
+      vals[i] = decode_base64(v)
+                or decode_base64url(v)
+                or v
+    end
+    return vals
+  end
+
+  if type(vals) == "string" then
+    return decode_base64(vals)
+           or decode_base64url(vals)
+           or vals
+  end
+
+  return vals
+end
+
+
 -- Validate properties (type/enum/custom) and infer their type.
 -- @param[type=table] conf The configuration table to treat.
 local function check_and_infer(conf, opts)
@@ -646,6 +669,18 @@ local function check_and_infer(conf, opts)
     conf[k] = value
   end
 
+  -- decode base64 for supported fields
+  for _, prefix in ipairs({
+    "ssl",
+    "admin_ssl",
+    "status_ssl",
+    "client_ssl",
+    "cluster"
+  }) do
+    conf[prefix .. "_cert"] = try_base64_decode(conf[prefix .. "_cert"])
+    conf[prefix .. "_cert_key"] = try_base64_decode(conf[prefix .. "_cert_key"])
+  end
+
   ---------------------
   -- custom validations
   ---------------------

diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
@@ -728,6 +728,45 @@ describe("Configuration loader", function()
       assert.is_nil(conf)
     end)
     describe("SSL", function()
+      it("accepts and decodes valid base64 values", function()
+        local ssl_fixtures = require "spec.fixtures.ssl"
+        local prefixes = {
+          "ssl",
+          "admin_ssl",
+          "status_ssl",
+          "client_ssl",
+          "cluster"
+        }
+        local cert = ssl_fixtures.cert
+        local key = ssl_fixtures.key
+        local cert_base64 = ngx.encode_base64(cert)
+        local key_base64 = ngx.encode_base64(key)
+        local params = {}
+        for _, prefix in ipairs(prefixes) do
+          params[prefix .. "_cert"] = cert_base64
+          params[prefix .. "_cert_key"] = key_base64
+        end
+        local conf, err = conf_loader(nil, params)
+
+        assert.is_nil(err)
+        assert.is_table(conf)
+        for _, prefix in ipairs(prefixes) do
+          local certs = conf[prefix .. "_cert"]
+          local keys = conf[prefix .. "_cert_key"]
+
+          if type(certs) == "table" then
+            for i = 1, #certs do
+              assert.equals(cert, certs[i])
+              assert.equals(key, keys[i])
+            end
+          end
+
+          if type(certs) == "string" then
+            assert.equals(cert, certs)
+            assert.equals(key, keys)
+          end
+        end
+      end)
       describe("proxy", function()
         it("does not check SSL cert and key if SSL is off", function()
           local conf, err = conf_loader(nil, {