Copilot commented on code in PR #13061:
URL: https://github.com/apache/apisix/pull/13061#discussion_r2881427502
##########
t/node/ssl.t:
##########
@@ -241,3 +243,112 @@ fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri
+
+
+=== TEST 8: set ssl with cert, key and client ca in vault
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+
+ local data = {
+ snis = {"test.com"},
+ key = "$secret://vault/test/ssl/test.com.key",
+ cert = "$secret://vault/test/ssl/test.com.crt",
+ client = {
+ ca = "$secret://vault/test/ssl/test.com.3.client-ca.key"
Review Comment:
In TEST 8, the request data for the client CA uses the wrong vault key name:
`"$secret://vault/test/ssl/test.com.3.client-ca.key"`. The vault secret was
stored in TEST 1 as `test.com.3.client-ca.crt`, so the correct URI should be
`"$secret://vault/test/ssl/test.com.3.client-ca.crt"`. Using the `.key` suffix
will cause the vault lookup to fail at runtime in TEST 9 since the key does not
exist in vault.
The expected response body in the `t.test` call (line 273) correctly shows
`.crt`, but the input data (line 260) sends `.key`, causing a mismatch between
what is stored and what the test expects to see in the response.
```suggestion
ca = "$secret://vault/test/ssl/test.com.3.client-ca.crt"
```
##########
t/node/ssl.t:
##########
@@ -241,3 +243,112 @@ fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri
+
+
+=== TEST 8: set ssl with cert, key and client ca in vault
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+
+ local data = {
+ snis = {"test.com"},
+ key = "$secret://vault/test/ssl/test.com.key",
+ cert = "$secret://vault/test/ssl/test.com.crt",
+ client = {
+ ca = "$secret://vault/test/ssl/test.com.3.client-ca.key"
+ },
+ }
+
+ local code, body = t.test('/apisix/admin/ssls/1',
+ ngx.HTTP_PUT,
+ core.json.encode(data),
+ [[{
+ "value": {
+ "snis": ["test.com"],
+ "key": "$secret://vault/test/ssl/test.com.key",
+ "cert": "$secret://vault/test/ssl/test.com.crt",
+ "client": {
+ "ca":
"$secret://vault/test/ssl/test.com.3.client-ca.crt"
+ }
+ },
+ "key": "/apisix/ssls/1"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+
+
+=== TEST 9: access to https with test.com
+--- exec
+curl -s -k --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key
--cert ./t/certs/mtls_client.crt https://test.com:1994/hello
+--- response_body
+hello world
+--- error_log
+fetching data from env uri
+fetching data from env uri
+fetching data from env uri
+fetching data from env uri
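Review bot: The `curl` line in TEST 9 passes both `-k` and `--cacert ./t/certs/mtls_ca.crt`; `-k` disables server certificate verification entirely, so the `--cacert` option has no effect and the test would pass even if the certificate served for `test.com` did not chain to `mtls_ca.crt`. If the server certificate fetched from vault (`test.com.crt`) is not issued by `mtls_ca.crt`, drop `--cacert` and keep `-k` so the command states what it actually checks (only that the client certificate is accepted); otherwise drop `-k` so the test also verifies the vault-fetched server certificate.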
Review Comment:
TEST 9 uses vault-based SSL configuration (cert, key, and client CA are all
`$secret://vault/...` URIs from TEST 8), but the `--- error_log` section
expects `fetching data from env uri` (which is the log message emitted when
fetching `$env://` URIs). Since the configuration uses vault secret URIs, the
actual log message would be `fetching data from secret uri` (emitted by
`fetch_by_uri_secret` in `apisix/secret.lua`). This mismatch will cause the
test to fail. Compare with TEST 5, which also uses vault secrets and correctly
expects `fetching data from secret uri`.
```suggestion
fetching data from secret uri
fetching data from secret uri
fetching data from secret uri
fetching data from secret uri
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]