apisix icon indicating copy to clipboard operation
apisix copied to clipboard

Published 20 hours ago verified publisher icon apache

fix(env): support for uppercase reference to get ENV and SECRET

Open LinkinStars opened this issue 1 year ago • 9 comments

Description

Fixes #11141

"cert": "$ENV://APISIX_ENV_CERT",
"key": "$ENV://APISIX_ENV_KEY",

Only lowercase is matched in the 'cert' and 'key' parameters. To maintain consistency, match the uppercase as well.

Checklist

  • [x] I have explained the need for this PR and the problem it solves
  • [x] I have explained the changes or the new features added to this PR
  • [x] I have added tests corresponding to this change
  • [ ] I have updated the documentation to reflect this change
  • [x] I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

LinkinStars avatar Apr 19 '24 12:04 LinkinStars

@LinkinStars please add test cases as well

shreemaan-abhishek avatar Apr 21 '24 11:04 shreemaan-abhishek

also, please fix the code lint problem

shreemaan-abhishek avatar Apr 24 '24 14:04 shreemaan-abhishek

also, please fix the code lint problem

I think it's probably not a code issue that's causing the lint to not pass.

image

FYI: https://github.com/orgs/community/discussions/120966

LinkinStars avatar Apr 25 '24 11:04 LinkinStars

@LinkinStars, okay. Please rebase with master for the fix for CI failures.

shreemaan-abhishek avatar Apr 25 '24 13:04 shreemaan-abhishek

@LinkinStars I think using lowercase "$env://" and uppercase "$SECRET://" might still not work as the code hardcodes the case for sanity checks:

Hardcoding for secret reference: https://github.com/shreemaan-abhishek/apisix/blob/07b3cc3f63db8fc4ae3706baa324a76ee3049338/apisix/secret.lua#L34 https://github.com/shreemaan-abhishek/apisix/blob/07b3cc3f63db8fc4ae3706baa324a76ee3049338/apisix/secret.lua#L121

Hardcoding for env reference: https://github.com/shreemaan-abhishek/apisix/blob/07b3cc3f63db8fc4ae3706baa324a76ee3049338/apisix/core/env.lua#L30 https://github.com/shreemaan-abhishek/apisix/blob/07b3cc3f63db8fc4ae3706baa324a76ee3049338/apisix/core/env.lua#L70

If you were to write test cases covering the above situation it would fail. What could be a good solution for this?

shreemaan-abhishek avatar Apr 26 '24 02:04 shreemaan-abhishek

@shreemaan-abhishek

First, we discuss the issue of env.

After my testing, both the uppercase and lowercase should be supported after changes. There are two reasons for this

  1. unit test 18 passed https://github.com/shreemaan-abhishek/apisix/blob/07b3cc3f63db8fc4ae3706baa324a76ee3049338/t/router/radixtree-sni2.t#L700-L725
  2. user can use it after changing to lowercase https://github.com/apache/apisix/issues/11141#issuecomment-2051028533

After reading the code I found out why. For env, both checking and parsing converted the target to uppercase preferentially.

if string.has_prefix(upper(uri), core.env.PREFIX) then

Because when characters are cut, the character length is used. Both uppercase and lowercase lengths are the same, so there's no problem.

local path = sub(env_uri, #ENV_PREFIX + 1)

Secondly, let's discuss the secret.

Unfortunately, as you said, using the uppercase 'SECRET' is problematic.

I tried adding unit tests and found that they could not pass. The reason is quite simple: 'secret' is not converted to uppercase like 'env' before comparison and parsing.

Dig more. I find the git history. The 'secret' was previously modified by KMS, and there was uppercase conversion before.

1929250494

However, $SECRET has never been used. It's not even mentioned in the documentation.

So, in my opinion, I would not recommend supporting uppercase SECRET. I think the author who wrote the code at that time must have also considered that.

Of course, these are just my personal thoughts, if there is anything incorrect, please point it out.

All in all, there are two options.

  1. not support $SECRET
  2. suport $SECRET, just like the ENV. such asstring.has_prefix(upper(uri), secret.PREFIX)

LinkinStars avatar Apr 26 '24 11:04 LinkinStars

let's only support uppercase for ENV and leave secret as it is. Really appreciate the detailed explanation 🙏🏼

shreemaan-abhishek avatar Apr 29 '24 07:04 shreemaan-abhishek

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar Jul 21 '24 10:07 github-actions[bot]

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar Oct 04 '24 10:10 github-actions[bot]