feat(dao) move ssl certificates/snis to new DAO

[kikito]

This PR continues #3315:

Migrations

• ssl_certificates table renamed to certificates
• ssl_servers_names table renamed to snis. Added a new field (id, UUID) and made that the PK. But also added indexes for the name field.
• In postgresql these changes involved altering the tables. In Cassandra the changes involved copying all the records from the original tables to new tables (this was done with a custom migration helper which has its own PR).

Admin API

• /snis is automatically generated by the new DAO admin api generator-from-schema.
• /certificates is also generated, but it has some overrides, to deal with three "special" things:
  • the server_names accepts a comma-separated string or an array of strings. It
    allows "setting the server names in one go" when creating (POST) or updating
    (PATCH) a certificate.
  • the server_names attribute is automatically added to the certs when getting
    each one individually or when getting a list of them.
  • a certificate can be referenced by its id or also by the name attribute of
    any of its associated server_names.
• PUT is not allowed any more.
• Deactivates some /snis endpoints that are not needed any more:
  • GET /snis is not needed any more now that GET /certificates also returns the list of server names associated to every cert
  • POST /snisis not needed sincePOST /certificates/id/server_names` is easier to use and does the same
  • GET /snis/[name]/certificate was not needed since you can do GET /certificates/[name]` to get the same info
  • The only active server names endpoints are DELETE /snis/x (to remove a server name quickly), PATCH /snis/x (to move server names quickly between certificates), GET /snis/x (for symmetry with DELETE and PATCH).

DAO

• ssl_certificates and ssl_servers_names' schemas translated to new DAO's schemas (renamed to certificates and snis).
• I had to include a read-before-delete in all the generated dao:delete* methods. This read was needed in order to propagate the structure through the worker events so it could be deleted properly (worker events can use any attribute
  from the entitity, for example for the server names you need their name attribute. So if you delete a server name using its id you still need to read it in order to propagate an event with the name field).
• certificates has a custom DAO to deal with the server_names pseudo-attribute and for "looking for a certificate using one of its server names' name"
• server_names also has a custom DAO for "using the server names as if they were lists of strings", which is easier to do than "handling them as instances of the server_names schema".

Tests

• the DAO:delete* methods now returns the entity which was erased instead of true, so some tests had to be changed from is_true to is_truthy.
• the tests for PUT where just removed
• I also removed the admin api tests from spec-old-api because they were a carbon copy of the new ones (there are no APIs, Services or Routes involved in SSL). I double-checked that we don't do anything "extra" on it before removing.
• Added tests for the new admin API endpoints.

Related work

• The migrations are tested in tests(0.13_0.14) test ssl cert & snis migration kong-upgrade-tests#5
• Since we're doing the read-before-delete on the DAO we probably don't need the delete_by_field methods on the strategies (we can use the PK, we have it because of the "read"). We could remove those methods.

[bungle]

I think this is very invasive PR. It kinda points shortcomings in customizations. It is rhuge PR, KUDOS to that huge amount of work, also makes reviewing hard.

• It adds new migrations (both code and sql/cql), and even new quite big migration tools
• It renames entities
• It adds custom daos for both entities it adds, and a new field named super
• It adds custom routes for both entities it adds
• It adds two new error codes in endpoints

I kinda think this is good first step, but we should really work on merging the certificates and server_names. And then I think introducing snis rename to server_names just makes another breaking change here. First step, just transfer entities to new, and try not to break too much if they were in old too. Next step, refactor, merge, redesign it. Is that needed for safer migrations or something like that?

[bungle]

One more new line here.

[bungle]

New line maybe not needed, similar to pattern:

local ok, err = func()
if not ok then
end

E.g. where test follows immediately the declaration.

[kikito]

This is done

[bungle]

If they are not allowed, is 404 a better one? E.g. is there any endpoint /server_names that you can call with any method? If not with any, then I would go with 404. We could also add some support for autogenerator to remove endpoints, but not in this PR.

[bungle]

Same here, if this is the only:
/server_names/server_name

Endpoint, maybe we don't want to give reply that says that it is not allowed, users might try then other methods, and these seems no method allowed here. So I think it would be better to just have 404.

[bungle]

Instead of executing these one-by-one, could up make up an transaction and do them in one query that is wrapped in transaction?

[bungle]

new line after this

[bungle]

This leads to interesting situations, like certificate added, but no server_names added. Do we have any concerns of that?

[kikito]

I would rather not have that situation, but I honestly didn't know what else to do (we don't have transactions at this level, because Cassandra).

This code reflects what the old DAO code did - it makes as much "checks" as possible before writing anything to the db.

[bungle]

On line 47 it says "Server name already exists and here Server Name . I think in general these messages should be all lower case (because they are injected usually in different places), comments on that?

[bungle]

Do we want this, or was this for debugging?

[thibaultcha]

First round of review for me!

[thibaultcha]

The whole point of the new Admin API endpoints is to get rid of comma-separated strings and use the new arg[]= notation instead (for form-encoded payloads). Why supporting comma-separated lists then?

[thibaultcha]

assert() in a client-facing code path seems like this is a leftover or something?

[thibaultcha]

This looks conflicting with the above SCHEMA_VIOLATION error (as in, it basically falls under a subcategory of schema violations). I also dislike that this error producer accepts any error message, thus can throw any type of error and is up to interpretation... All errors produced in this file (except the database-ones) have specific, precise error messages. The goal being to avoid the proliferation and possibly, duplication of similar error types.

Any thought on this @hishamhm?

[hishamhm]

This looks conflicting with the above SCHEMA_VIOLATION error

I have mixed feelings about reusing the error messages for errors detected via different sources.

On the one hand, for the user perspective I agree that the way bad input parameters were caught shouldn't affect the error message, it's an implementation detail. On the other hand, debugging gets harder when we get reports of SCHEMA_VIOLATION from the field and these don't come from the schema library.

I don't think it's the case for certificates, but if something like this starts happening in other parts of the code it could easily trip up plugin authors ("but my schema looks okay!"). But as you said, certs/snis are "abnormal" in that sense, so it's probably fine to make an exception for it in the name of better user-visible consistency.

In that case, the SCHEMA_VIOLATION should be formatted in a way consistent with those produced by the schema library (e.g. listing the offending fields, etc).

I also dislike that this error producer accepts any error message

Definitely agree with this. It shouldn't just forward the full error message, it should construct a message like the other functions in this module.

[kikito]

I have removed both my custom errors and used schema violations everywhere. All the errors happen on the context of the snis magical pseudo-attribute, so it does not look bad (all errors appear "scoped" by snis).

[thibaultcha]

Why choosing this return value (1) for the methods in this module instead of the conventional true?

[thibaultcha]

:certificates -> :certificate_id? Or even :certificate_id_or_sni if we allow querying by SNI as well

[bungle]

I think you need to use what @kikito used to override autogenerated.

[kikito]

I confirm that is the case. The auto-generated route is "certificates/certificates" so I must use the same name in order to override stuff.

[kikito]

That is exactly the reason. The auto-generated route is /certificates/:certificates.

We would have had to add a param called "singular_name" or something similar to the schema in order to be able to do fancy things like sometimes using singulars instead of plurals everywhere.

[thibaultcha]

The code would be simplified if we avoided returning nil from this function, and instead always return a table (empty if no names):

if type(input) == "table" then
  name_list = utils.shallow_copy(input)

elseif input == ngx.null then
  name_list = {}

else
  -- maybe throw an error here, looks like a programming error
end

-- ...

return setmetatable(name_list, cjson.empty_array_mt)

This way, the below insert_with_name_list() method could do:

if #name_list > 0 then

end

-- ...

cert.snis = name_list -- no need for cjson.empty_array fallback

[kikito]

The idea I was going for was this:

• If you don't set the snis variable at all, it remains as it was (no programming error, maybe you where just missing a char on the key and are updating just that).
• If you set the snis variable, it will create/delete whatever snis is necessary. This includes passing an empty table (all snis will be removed)
• If you pass a json null, it is as if you passed an empty table.

If I do the change you propose, there are two drawbacks:

• Either we consider that an empty table means "no changes" (which I think is confusing).
• Or we require the user to pass the snis param every time they want to make a change on a cert, even for changing the cert or key (otherwise we set of an error).

If you think this is worth it, I will implement it, but I wanted to warn you about the costs first.

[thibaultcha]

This is one of my biggest concerns with this PR. We need to find a way to avoid this at all costs.

[kikito]

I think the problem is that we have still not decided how to "refer to other tables from the DAO of one table" in the new DAO at least.

Quick solution: I think I can change kong.db.dao.init so that db is an attribute of self here, so we can do self.db.snis:whatever instead of singletons.db.snis:whatever. Would that be ok?

[thibaultcha]

Our rationale was to not return the number of affected rows from delete() (because of the lack of support from Cassandra for this). Is the rationale behind this return value to indicate that no row was deleted?

[kikito]

Yes. With the read-before-delete you know which rows will (should) be affected by a delete. The 0 means "I could not find any rows". I can replace it with a true if you prefer.

[thibaultcha]

Let's maybe make the description more precise: "a conflict with already inserted DB values"?

I recall discussing this with @bungle, and since this will result from UNIQUE constraints set in PostgreSQL, we wanted to name this value UNIQUE_VIOLATION to stay consistent with other _VIOLATION error types we already defined.

Since the certs/sni entities are already abnormal in the sense that they validate their own values and produce their own errors, I would rather avoid spreading that abnormality to the errors as well. So in other words, the conflict errors produced by certs/sni validations are not because of DB/schema UNIQUE constraints, but I don't think that matters and I think they can throw UNIQUE_VIOLATION which has the same semantics.

[kikito]

I have chosen to use schema violations instead. The errors always happen in the context of the snis magical meta-param, so it "fits" to just use schema violations for those (so they are scoped inside snis).

[kikito]

I made a change that makes kong/admin/routes/certificates.lua smaller: instead of "adding new methods" to the Certificates DAO (like Certificates:page_with_name_list or Certificates:insert_with_name_list) I just overrode the default (Certificates:page and Certificates:insert). These are the methods the generated admin api uses, so I didn't have to override those any more.

I did not dare changing Certificates:select because it is used in other places besides the Admin API, generating more queries for getting all the SNIS every time a cert was selected. So I still had to override one of the generated methods.

[bungle]

This is going to be merged on Wednesday, May 2nd. If you still want to comment, this is your final chance.

[gszr]

Left a few minor comments on style.

[gszr]

a bit curious: assigning explicitly for style?

[bungle]

@Salazar I made other changes to this except this. I see it is always "defined" in other places, sometimes with empty function and sometimes with nil. Go figure. Didn't feel too bad for leaving them, :-)

[gszr]

perhaps no new line for consistency?

[gszr]

new line after opening {

[gszr]

perhaps no new line for consistency?

[gszr]

style: two blank lines

[thibaultcha]

the tests for PUT where just removed

With PUT now back into the picture, they should probably be kept?

[thibaultcha]

This entire file has duplicate contents (open it locally on this branch) this absolutely needs to be fixed prior to the merge.

[bungle]

The PUT was moved to later work, and it is not blocking this merge.

[Ehekatl]

POST /snisis not needed sincePOST /certificates/id/server_names` is easier to use and does the same

where I can find the related doc?