feat(api) deactivate some /server_names endpoints, add specs

kong-0.13.0-0.rockspec

@@ -86,6 +86,7 @@ build = {
     ["kong.api.routes.cache"] = "kong/api/routes/cache.lua",
     ["kong.api.routes.upstreams"] = "kong/api/routes/upstreams.lua",
     ["kong.api.routes.certificates"] = "kong/api/routes/certificates.lua",
+    ["kong.api.routes.snis"] = "kong/api/routes/snis.lua",
 
     ["kong.tools.ip"] = "kong/tools/ip.lua",
     ["kong.tools.ciphers"] = "kong/tools/ciphers.lua",
@@ -127,12 +128,12 @@ build = {
     ["kong.db.errors"] = "kong/db/errors.lua",
     ["kong.db.dao"] = "kong/db/dao/init.lua",
     ["kong.db.dao.certificates"] = "kong/db/dao/certificates.lua",
-    ["kong.db.dao.server_names"] = "kong/db/dao/server_names.lua",
+    ["kong.db.dao.snis"] = "kong/db/dao/snis.lua",
     ["kong.db.schema"] = "kong/db/schema/init.lua",
     ["kong.db.schema.entities.routes"] = "kong/db/schema/entities/routes.lua",
     ["kong.db.schema.entities.services"] = "kong/db/schema/entities/services.lua",
     ["kong.db.schema.entities.certificates"] = "kong/db/schema/entities/certificates.lua",
-    ["kong.db.schema.entities.server_names"] = "kong/db/schema/entities/server_names.lua",
+    ["kong.db.schema.entities.snis"] = "kong/db/schema/entities/snis.lua",
     ["kong.db.schema.entity"] = "kong/db/schema/entity.lua",
     ["kong.db.schema.metaschema"] = "kong/db/schema/metaschema.lua",
     ["kong.db.schema.typedefs"] = "kong/db/schema/typedefs.lua",

kong/api/endpoints.lua

@@ -20,8 +20,6 @@ local ERRORS_HTTP_CODES = {
   [Errors.codes.NOT_FOUND]             = 404,
   [Errors.codes.INVALID_OFFSET]        = 400,
   [Errors.codes.DATABASE_ERROR]        = 500,
-  [Errors.codes.CONFLICTING_INPUT]     = 409,
-  [Errors.codes.INVALID_INPUT]         = 400,
 }
 
 

kong/api/routes/certificates.lua

@@ -1,56 +1,30 @@
 local endpoints   = require "kong.api.endpoints"
 local utils       = require "kong.tools.utils"
+local responses   = require "kong.tools.responses"
 
-local function get_cert_by_server_name_or_id(self, db, helpers)
-  local id = self.params.certificates
 
+local function get_cert_id_from_sni(self, db, helpers)
+  local id = self.params.certificates
   if not utils.is_valid_uuid(id) then
-    local cert, _, err_t = db.certificates:select_by_server_name(id)
+    local sni, _, err_t = db.snis:select_by_name(id)
     if err_t then
       return endpoints.handle_error(err_t)
     end
 
-    self.params.certificates = cert.id
+    if not sni then
+      responses.send_HTTP_NOT_FOUND("SNI not found")
+    end
+
+    self.params.certificates = sni.certificate.id
   end
 end
 
 
 return {
-  ["/certificates"] = {
-    -- override to include the server_names list when getting all certificates
-    GET = function(self, db, helpers)
-      local data, _, err_t, offset =
-        db.certificates:page_with_name_list(self.args.size,
-                                            self.args.offset)
-      if not data then
-        return endpoints.handle_error(err_t)
-      end
-
-      local next_page = offset and string.format("/certificates?offset=%s",
-                                                 ngx.escape_uri(offset)) or ngx.null
-
-      return helpers.responses.send_HTTP_OK {
-        data   = data,
-        offset = offset,
-        next   = next_page,
-      }
-    end,
-
-    -- override to accept the server_names param when creating a certificate
-    POST = function(self, db, helpers)
-      local data, _, err_t = db.certificates:insert_with_name_list(self.args.post)
-      if err_t then
-        return endpoints.handle_error(err_t)
-      end
-
-      return helpers.responses.send_HTTP_CREATED(data)
-    end,
-  },
-
   ["/certificates/:certificates"] = {
-    before = get_cert_by_server_name_or_id,
+    before = get_cert_id_from_sni,
 
-    -- override to include the server_names list when getting an individual certificate
+    -- override to include the snis list when getting an individual certificate
     GET = function(self, db, helpers)
       local pk = { id = self.params.certificates }
 
@@ -61,20 +35,10 @@ return {
 
       return helpers.responses.send_HTTP_OK(cert)
     end,
-
-    -- override to accept the server_names param when updating a certificate
-    PATCH = function(self, db, helpers)
-      local pk = { id = self.params.certificates }
-      local cert, _, err_t = db.certificates:update_with_name_list(pk, self.args.post)
-      if err_t then
-        return endpoints.handle_error(err_t)
-      end
-      return helpers.responses.send_HTTP_OK(cert)
-    end,
   },
 
-  ["/certificates/:certificates/server_names"] = {
-    before = get_cert_by_server_name_or_id,
+  ["/certificates/:certificates/snis"] = {
+    before = get_cert_id_from_sni,
   },
 }
 

kong/api/routes/snis.lua

@@ -0,0 +1,16 @@
+local function not_found(self, db, helpers)
+  return helpers.responses.send_HTTP_NOT_FOUND()
+end
+
+return {
+  -- GET / PATCH / DELETE /snis/sni are the only methods allowed
+
+  ["/snis"] = {
+    before = not_found,
+  },
+
+  ["/snis/:snis/certificate"] = {
+    before = not_found,
+  },
+
+}

kong/core/certificate.lua

@@ -15,27 +15,27 @@ end
 local _M = {}
 
 
-local function find_certificate(sn)
-  local row, err = singletons.db.server_names:select_by_name(sn)
+local function find_certificate(sni_name)
+  local row, err = singletons.db.snis:select_by_name(sni_name)
   if err then
     return nil, err
   end
 
   if not row then
-    log(DEBUG, "no server name registered for client-provided name: '",
-               sn, "'")
+    log(DEBUG, "no SNI registered for client-provided name: '",
+               sni_name, "'")
     return true
   end
 
-  -- fetch SSL certificate for this server name
+  -- fetch SSL certificate for this sni
 
   local certificate, err = singletons.db.certificates:select(row.certificate)
   if err then
     return nil, err
   end
 
   if not certificate then
-    return nil, "no SSL certificate configured for server name: " .. sn
+    return nil, "no SSL certificate configured for sni: " .. sni_name
   end
 
   return {
@@ -46,16 +46,16 @@ end
 
 
 function _M.execute()
-  -- retrieve server name or raw server IP
+  -- retrieve sni or raw server IP
 
   local sn, err = ssl.server_name()
   if err then
-    log(ERR, "could not retrieve Server Name Indication: ", err)
+    log(ERR, "could not retrieve SNI: ", err)
     return ngx.exit(ngx.ERROR)
   end
 
   if not sn then
-    log(DEBUG, "no Server Name Indication provided by client, serving ",
+    log(DEBUG, "no SNI provided by client, serving ",
                "default proxy SSL certificate")
     -- use fallback certificate
     return

kong/core/handler.lua

@@ -257,18 +257,18 @@ return {
 
         cache:invalidate("pem_ssl_certificates:"    .. sn.name)
         cache:invalidate("parsed_ssl_certificates:" .. sn.name)
-      end, "crud", "server_names")
+      end, "crud", "snis")
 
 
       worker_events.register(function(data)
         log(DEBUG, "[events] SSL cert updated, invalidating cached certificates")
         local certificate = data.entity
 
-        local rows, err = db.server_names:for_certificate({
+        local rows, err = db.snis:for_certificate({
           id = certificate.id
         })
         if not rows then
-          log(ERR, "[events] could not find associated server names for certificate: ",
+          log(ERR, "[events] could not find associated snis for certificate: ",
                    err)
         end
 

kong/dao/migrations/cassandra.lua

@@ -644,7 +644,7 @@ return {
         PRIMARY KEY (partition, id)
       );
 
-      CREATE TABLE IF NOT EXISTS server_names(
+      CREATE TABLE IF NOT EXISTS snis(
         partition text,
         id uuid,
         name text,
@@ -653,8 +653,8 @@ return {
         PRIMARY KEY (partition, id)
       );
 
-      CREATE INDEX IF NOT EXISTS server_names_name_idx ON server_names(name);
-      CREATE INDEX IF NOT EXISTS server_names_certificate_id_idx ON server_names(certificate_id);
+      CREATE INDEX IF NOT EXISTS snis_name_idx ON snis(name);
+      CREATE INDEX IF NOT EXISTS snis_certificate_id_idx ON snis(certificate_id);
     ]],
     down = nil
   },
@@ -707,8 +707,8 @@ return {
         partition_keys = { "name", "ssl_certificate_id" },
       }
 
-      local server_names_def = {
-        name    = "server_names",
+      local snis_def = {
+        name    = "snis",
         columns = {
           partition      = "text",
           id             = "uuid",
@@ -721,8 +721,8 @@ return {
 
       local _, err = migration_helpers.cassandra.copy_records(dao,
         ssl_servers_names_def,
-        server_names_def, {
-          partition      = function() return cassandra.text("server_names") end,
+        snis_def, {
+          partition      = function() return cassandra.text("snis") end,
           id             = function() return cassandra.uuid(utils.uuid(3)) end,
           name           = "name",
           certificate_id = "ssl_certificate_id",

kong/dao/migrations/postgres.lua

@@ -695,69 +695,72 @@ return {
     down = nil
   },
   {
-    name = "2018-03-27-123400_prepare_certs_and_server_names",
+    name = "2018-03-27-123400_prepare_certs_and_snis",
     up = [[
       DO $$
       BEGIN
         ALTER TABLE ssl_certificates    RENAME TO certificates;
-        ALTER TABLE ssl_servers_names   RENAME TO server_names;
+        ALTER TABLE ssl_servers_names   RENAME TO snis;
       EXCEPTION WHEN duplicate_table THEN
         -- Do nothing, accept existing state
       END$$;
 
       DO $$
       BEGIN
-        ALTER TABLE server_names RENAME COLUMN ssl_certificate_id TO certificate_id;
-        ALTER TABLE server_names ADD    COLUMN id uuid;
+        ALTER TABLE snis RENAME COLUMN ssl_certificate_id TO certificate_id;
+        ALTER TABLE snis ADD    COLUMN id uuid;
       EXCEPTION WHEN undefined_column THEN
         -- Do nothing, accept existing state
       END$$;
     ]],
     down = nil
   },
   {
-    name = "2018-03-27-125400_fill_in_server_names_ids",
+    name = "2018-03-27-125400_fill_in_snis_ids",
     up = function(_, _, dao)
+      local fmt = string.format
+
       local rows, err = dao.db:query([[
-        SELECT * FROM server_names;
+        SELECT * FROM snis;
       ]])
       if err then
         return err
       end
+      local sql_buffer = { "BEGIN;" }
+      local len = #rows
+      for i = 1, len do
+        sql_buffer[i + 1] = fmt("UPDATE snis SET id = '%s' WHERE name = '%s';",
+                                utils.uuid(),
+                                rows[i].name)
+      end
+      sql_buffer[len + 2] = "COMMIT;"
 
-      local fmt = string.format
-
-      for _, row in ipairs(rows) do
-        local sql = fmt("UPDATE server_names SET id = '%s' WHERE name = '%s';",
-                        utils.uuid(),
-                        row.name)
-        local _, err = dao.db:query(sql)
-        if err then
-          return err
-        end
+      local _, err = dao.db:query(table.concat(sql_buffer))
+      if err then
+        return err
       end
     end,
     down = nil
   },
   {
-    name = "2018-03-27-130400_make_ids_primary_keys_in_server_names",
+    name = "2018-03-27-130400_make_ids_primary_keys_in_snis",
     up = [[
-      ALTER TABLE server_names
+      ALTER TABLE snis
         DROP CONSTRAINT IF EXISTS ssl_servers_names_pkey;
 
-      ALTER TABLE server_names
-        DROP CONSTRAINT IF EXISTS ssl_server_names_ssl_certificate_id_fkey;
+      ALTER TABLE snis
+        DROP CONSTRAINT IF EXISTS ssl_servers_names_ssl_certificate_id_fkey;
 
       DO $$
       BEGIN
-        ALTER TABLE server_names
-          ADD CONSTRAINT server_names_name_unique UNIQUE(name);
+        ALTER TABLE snis
+          ADD CONSTRAINT snis_name_unique UNIQUE(name);
 
-        ALTER TABLE server_names
+        ALTER TABLE snis
           ADD PRIMARY KEY (id);
 
-        ALTER TABLE server_names
-          ADD CONSTRAINT server_names_certificate_id_fkey
+        ALTER TABLE snis
+          ADD CONSTRAINT snis_certificate_id_fkey
           FOREIGN KEY (certificate_id)
           REFERENCES certificates;
       EXCEPTION WHEN duplicate_table THEN