[upstream-mtls] Move certificate logic inside APIcast policy

3scale · Oct 10, 2024 · 5f7e0c0 · 5f7e0c0
1 parent 348364c
commit 5f7e0c0
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 49 deletions.
diff --git a/gateway/src/apicast/policy/apicast/apicast.lua b/gateway/src/apicast/policy/apicast/apicast.lua
@@ -5,6 +5,9 @@ local math = math
 local setmetatable = setmetatable
 local assert = assert
 local table_insert = table.insert
+local base = require "resty.core.base"
+local get_request = base.get_request
+local tls = require 'resty.tls'
 
 local user_agent = require('apicast.user_agent')
 
@@ -129,6 +132,7 @@ function _M:content(context)
     return errors.upstream_not_found(context.service)
   end
 
+  ngx.log(ngx.INFO, "\n---\n APICast content \n---\n")
   local upstream = assert(context[self].upstream, 'missing upstream')
 
   if upstream then
@@ -156,6 +160,42 @@ function _M:export()
     }
 end
 
-_M.balancer = balancer.call
+function _M:balancer(context)
+  -- All of this happens on balancer because this is subrequest inside APICAst
+  --to @upstream, so the request need to be the one that connects to the
+  --upstreamssl_client_raw_cert0
+  local r = get_request()
+  if not r then
+    ngx.log(ngx.WARN, "Invalid request")
+    return
+  end
+
+  if context.upstream_certificate and context.upstream_key then
+    local ok, err = tls.set_upstream_cert_and_key(r, context.upstream_certificate, context.upstream_key)
+    if ok ~= nil then
+      ngx.log(ngx.ERR, "Certificate cannot be set correctly, err: ", err)
+    end
+  end
+
+  if context.upstream_verify then
+    local ok, err = tls.set_upstream_ssl_verify(r, true, 1)
+    if ok ~= nil then
+      ngx.log(ngx.WARN, "Cannot verify SSL upstream connection, err: ", err)
+    end
+
+    if not context.upstream_ca_store then
+      ngx.log(ngx.WARN, "Set verify without including CA certificates")
+    end
+
+    ok, err = tls.set_upstream_ca_cert(r, context.upstream_ca_store)
+    if ok ~= nil then
+      ngx.log(ngx.WARN, "Cannot set a valid trusted CA store, err: ", err)
+    end
+  end
+
+  balancer:call(context)
+end
+
+-- _M.balancer = balancer.call
 
 return _M
diff --git a/gateway/src/apicast/policy/upstream_mtls/upstream_mtls.lua b/gateway/src/apicast/policy/upstream_mtls/upstream_mtls.lua
@@ -105,54 +105,11 @@ function _M.new(config)
   return self
 end
 
-
--- Set the certs for the upstream connection. Need to receive the pointers from
--- parse_* functions.
---- Public function to be able to unittest this.
-function _M.set_certs(r, cert, key)
-  local ok, err = tls.set_upstream_cert_and_key(r, cert, key)
-  if ok ~= nil then
-    ngx.log(ngx.ERR, "Certificate cannot be set correctly, err: ", err)
-  end
-end
-
-function _M.set_ca_cert(r, store)
-  local ok, err = tls.set_upstream_ca_cert(r, store)
-  if ok ~= nil then
-    ngx.log(ngx.WARN, "Cannot set a valid trusted CA store, err: ", err)
-    return
-  end
-end
-
--- All of this happens on balancer because this is subrequest inside APICAst
---to @upstream, so the request need to be the one that connects to the
---upstream0
-function _M:balancer(context)
-  local r = get_request()
-  if not r then
-    ngx.log(ngx.WARN, "Invalid request")
-    return
-  end
-
-  if self.cert and self.cert_key then
-    self.set_certs(r, self.cert, self.cert_key)
-  end
-
-  if not self.verify then
-    return
-  end
-
-  local ok, err = tls.set_upstream_ssl_verify(r, true, 1)
-  if ok ~= nil then
-    ngx.log(ngx.WARN, "Cannot verify SSL upstream connection, err: ", err)
-  end
-
-  if not self.ca_store then
-    ngx.log(ngx.WARN, "Set verify without including CA certificates")
-    return
-  end
-
-  self.set_ca_cert(r, self.ca_store)
+function _M:rewrite(context)
+  context.upstream_certificate = self.cert
+  context.upstream_key = self.cert_key
+  context.upstream_verify = self.verify
+  context.upstream_ca_store = self.ca_store
 end
 
 return _M