Merge pull request #405 from Mashape/feat/cassandra-auth

[feature/dao] cassandra authentication + client encryption

Makefile

@@ -51,7 +51,7 @@ lint:
 	@find kong spec -name '*.lua' ! -name 'invalid-module.lua' | xargs luacheck -q
 
 test:
-	@busted spec/unit
+	@busted -v spec/unit
 
 test-integration:
 	@busted spec/integration
@@ -67,3 +67,6 @@ coverage:
 	@busted --coverage spec/
 	@luacov -c spec/.luacov
 	@tail -n 1 luacov.report.out | awk '{ print $$3 }'
+
+test-all:
+	@busted -v spec/

kong-0.4.1-1.rockspec

@@ -19,7 +19,7 @@ dependencies = {
   "yaml ~> 1.1.1-1",
   "lapis ~> 1.1.0-1",
   "stringy ~> 0.4-1",
-  "kong-cassandra ~> 0.5-8",
+  "lua-cassandra ~> 0.3.5-0",
   "multipart ~> 0.1-3",
   "lua-path ~> 0.2.3-1",
   "lua-cjson ~> 2.1.0-1",

kong.yml

@@ -113,6 +113,7 @@ nginx: |
     lua_shared_dict locks 100k;
     lua_shared_dict cache {{memory_cache_size}}m;
     lua_socket_log_errors off;
+    {{lua_ssl_trusted_certificate}}
 
     init_by_lua '
       kong = require "kong"

kong/cli/utils/signal.lua

@@ -102,6 +102,7 @@ local function prepare_nginx_working_dir(args_config)
   end
 
   local ssl_cert_path, ssl_key_path = cutils.get_ssl_cert_and_key(kong_config)
+  local trusted_ssl_cert_path = kong_config.databases_available[kong_config.database].properties.ssl_certificate -- DAO ssl cert
 
   -- Extract nginx config from kong config, replace any needed value
   local nginx_config = kong_config.nginx
@@ -112,7 +113,8 @@ local function prepare_nginx_working_dir(args_config)
     dns_resolver = "127.0.0.1:"..kong_config.dnsmasq_port,
     memory_cache_size = kong_config.memory_cache_size,
     ssl_cert = ssl_cert_path,
-    ssl_key = ssl_key_path
+    ssl_key = ssl_key_path,
+    lua_ssl_trusted_certificate = trusted_ssl_cert_path ~= nil and "lua_ssl_trusted_certificate \""..trusted_ssl_cert_path.."\";" or ""
   }
 
   -- Auto-tune

kong/cli/utils/utils.lua

@@ -55,9 +55,6 @@ end
 
 function Logger:error_exit(str)
   self:error(str)
-  -- Optional stacktrace
-  --print("")
-  --error("", 2)
   os.exit(1)
 end
 

kong/dao/cassandra/apis.lua

@@ -13,7 +13,7 @@ end
 function Apis:find_all()
   local apis = {}
   local select_q = query_builder.select(self._table)
-  for _, rows, page, err in Apis.super.execute(self, select_q, nil, nil, {auto_paging=true}) do
+  for rows, err in Apis.super.execute(self, select_q, nil, nil, {auto_paging=true}) do
     if err then
       return nil, err
     end
@@ -37,7 +37,7 @@ function Apis:delete(where_t)
   local plugins_dao = self._factory.plugins_configurations
   local select_q, columns = query_builder.select(plugins_dao._table, {api_id = where_t.id}, plugins_dao._column_family_details)
 
-  for _, rows, page, err in plugins_dao:execute(select_q, columns, {api_id = where_t.id}, {auto_paging = true}) do
+  for rows, err in plugins_dao:execute(select_q, columns, {api_id = where_t.id}, {auto_paging = true}) do
     if err then
       return nil, err
     end

kong/dao/cassandra/base_dao.lua

@@ -12,7 +12,7 @@ local Object = require "classic"
 local utils = require "kong.tools.utils"
 local uuid = require "uuid"
 
-local cassandra_constants = require "cassandra.constants"
+local cassandra_constants = cassandra.constants
 local error_types = constants.DATABASE_ERROR_TYPES
 
 local BaseDao = Object:extend()
@@ -62,16 +62,18 @@ function BaseDao:_open_session(keyspace)
   local ok, err
 
   -- Start cassandra session
-  local session = cassandra.new()
+  local session = cassandra:new()
   session:set_timeout(self._properties.timeout)
 
-  ok, err = session:connect(self._properties.hosts, self._properties.port)
+  local options = self._factory:get_session_options()
+
+  ok, err = session:connect(self._properties.hosts, self._properties.port, options)
   if not ok then
     return nil, DaoError(err, error_types.DATABASE)
   end
 
   local times, err = session:get_reused_times()
-  if err and err ~= "luasocket does not support reusable sockets" then
+  if err and err.message ~= "luasocket does not support reusable sockets" then
     return nil, DaoError(err, error_types.DATABASE)
   end
 
@@ -92,7 +94,7 @@ end
 function BaseDao:_close_session(session)
   -- Back to the pool or close if using luasocket
   local ok, err = session:set_keepalive(self._properties.keepalive)
-  if not ok and err == "luasocket does not support reusable sockets" then
+  if not ok and err.message == "luasocket does not support reusable sockets" then
     ok, err = session:close()
   end
 

kong/dao/cassandra/consumers.lua

@@ -22,7 +22,7 @@ function Consumers:delete(where_t)
   local select_q, columns = query_builder.select(plugins_dao._table, {consumer_id = where_t.id}, plugins_dao._column_family_details)
 
   -- delete all related plugins configurations
-  for _, rows, page, err in plugins_dao:execute(select_q, columns, {consumer_id = where_t.id}, {auto_paging = true}) do
+  for rows, err in plugins_dao:execute(select_q, columns, {consumer_id = where_t.id}, {auto_paging = true}) do
     if err then
       return nil, err
     end

kong/dao/cassandra/factory.lua

@@ -67,6 +67,21 @@ function CassandraFactory:drop()
   end
 end
 
+function CassandraFactory:get_session_options()
+  local options = {
+    ssl = self._properties.ssl,
+    ssl_verify = self._properties.ssl_verify,
+    ca_file = self._properties.ssl_certificate -- in case of using luasocket
+  }
+
+  if self._properties.user and self._properties.password then
+    local PasswordAuthenticator = require "cassandra.authenticators.PasswordAuthenticator"
+    options.authenticator = PasswordAuthenticator(self._properties.user, self._properties.password)
+  end
+
+  return options
+end
+
 -- Prepare all statements of collections `queries` property and put them
 -- in a statements cache
 --
@@ -88,9 +103,12 @@ function CassandraFactory:prepare()
   end
 
   -- Check cassandra is accessible
-  local session = cassandra.new()
+  local session = cassandra:new()
   session:set_timeout(self._properties.timeout)
-  local ok, co_err = session:connect(self._properties.hosts, self._properties.port)
+
+  local options = self:get_session_options()
+
+  local ok, co_err = session:connect(self._properties.hosts, self._properties.port, options)
   session:close()
 
   if not ok then
@@ -114,10 +132,12 @@ end
 -- @return {string} error if any
 function CassandraFactory:execute_queries(queries, no_keyspace)
   local ok, err
-  local session = cassandra.new()
+  local session = cassandra:new()
   session:set_timeout(self._properties.timeout)
 
-  ok, err = session:connect(self._properties.hosts, self._properties.port)
+  local options = self:get_session_options()
+
+  ok, err = session:connect(self._properties.hosts, self._properties.port, options)
   if not ok then
     return DaoError(err, constants.DATABASE_ERROR_TYPES.DATABASE)
   end

kong/dao/cassandra/plugins_configurations.lua

@@ -55,7 +55,7 @@ function PluginsConfigurations:find_distinct()
 
   -- Execute query
   local distinct_names = {}
-  for _, rows, page, err in PluginsConfigurations.super.execute(self, select_q, nil, nil, {auto_paging=true}) do
+  for rows, err in PluginsConfigurations.super.execute(self, select_q, nil, nil, {auto_paging=true}) do
     if err then
       return nil, err
     end

kong/plugins/ratelimiting/daos.lua

@@ -26,7 +26,7 @@ end
 
 function RateLimitingMetrics:increment(api_id, identifier, current_timestamp)
   local periods = timestamp.get_timestamps(current_timestamp)
-  local batch = cassandra.BatchStatement(cassandra.batch_types.COUNTER)
+  local batch = cassandra:BatchStatement(cassandra.batch_types.COUNTER)
 
   for period, period_date in pairs(periods) do
     batch:add(self.queries.increment_counter, {

spec/integration/dao/cassandra/base_dao_spec.lua

@@ -45,7 +45,7 @@ describe("Cassandra", function()
     spec_helper.prepare_db()
 
     -- Create a parallel session to verify the dao's behaviour
-    session = cassandra.new()
+    session = cassandra:new()
     session:set_timeout(configuration.cassandra.timeout)
 
     local _, err = session:connect(configuration.cassandra.hosts, configuration.cassandra.port)

spec/unit/statics_spec.lua

@@ -153,6 +153,7 @@ nginx: |
     lua_shared_dict locks 100k;
     lua_shared_dict cache {{memory_cache_size}}m;
     lua_socket_log_errors off;
+    {{lua_ssl_trusted_certificate}}
 
     init_by_lua '
       kong = require "kong"