This is an automated email from the ASF dual-hosted git repository.
tokers pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 0c1b208 fix: correct the validation for ssl_trusted_certificate
(#3832)
0c1b208 is described below
commit 0c1b208588f6add7536956b96332f7cd83f9c100
Author: 罗泽轩 <[email protected]>
AuthorDate: Tue Mar 16 09:01:26 2021 +0800
fix: correct the validation for ssl_trusted_certificate (#3832)
Signed-off-by: spacewander <[email protected]>
---
apisix/cli/ops.lua | 11 ++++++++++-
bin/apisix | 4 ++--
rockspec/apisix-master-0.rockspec | 1 +
t/cli/test_validate_config.sh | 14 ++++++++++++++
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index 6a206fa..1e8f4cf 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -22,6 +22,7 @@ local ngx_tpl = require("apisix.cli.ngx_tpl")
local profile = require("apisix.core.profile")
local template = require("resty.template")
local argparse = require("argparse")
+local pl_path = require("pl.path")
local stderr = io.stderr
local ipairs = ipairs
@@ -260,10 +261,18 @@ Please modify "admin_key" in conf/config.yaml .
end
if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
- local ok, err =
util.is_file_exist(yaml_conf.apisix.ssl.ssl_trusted_certificate)
+ local cert_path = yaml_conf.apisix.ssl.ssl_trusted_certificate
+ -- During validation, the path is relative to PWD
+ -- When Nginx starts, the path is relative to conf
+ -- Therefore we need to check the absolute version instead
+ cert_path = pl_path.abspath(cert_path)
+
+ local ok, err = util.is_file_exist(cert_path)
if not ok then
util.die(err, "\n")
end
+
+ yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path
end
local admin_api_mtls = yaml_conf.apisix.admin_api_mtls
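Review bot: `pl_path.abspath(cert_path)` resolves the CA bundle against whatever directory the CLI was started from, and the result is written back into `yaml_conf`, so the same config.yaml can select a different trust anchor (or fail) depending on the caller's working directory. The comment above the call should state that consequence, e.g. `-- NOTE: resolved against the CLI's current working directory, so start APISIX from the install prefix`. Alternatively, the call could pass a fixed base directory as abspath's second argument if one is available in this function. Separately, the guard is only `~= nil`, so a non-string YAML value would reach `pl_path.abspath` and probably surface as a raw Lua error rather than a `util.die` message. A `if type(cert_path) ~= "string" then util.die("ssl_trusted_certificate should be a string\n") end` before the call would keep the failure readable. The enclosing function starts and ends outside the hunk.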
diff --git a/bin/apisix b/bin/apisix
index 7a2e675..dbdc290 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -44,11 +44,11 @@ if [[ -e $OR_EXEC && "$OR_VER" =~ "1.19" ]]; then
# use the luajit of openresty
echo "$LUAJIT_BIN $APISIX_LUA $*"
- $LUAJIT_BIN $APISIX_LUA $*
+ exec $LUAJIT_BIN $APISIX_LUA $*
elif [[ "$LUA_VERSION" =~ "Lua 5.1" ]]; then
# OpenResty version is not 1.19, use Lua 5.1 by default
echo "lua $APISIX_LUA $*"
- lua $APISIX_LUA $*
+ exec lua $APISIX_LUA $*
else
echo "ERROR: Please check the version of OpenResty and Lua, OpenResty 1.19
and Lua 5.1 are recommended before install Apache APISIX."
fi
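Review bot: Both new `exec` lines pass `$*` unquoted, so any argument containing whitespace or glob characters is re-split and expanded by the shell before it reaches the Lua CLI; `exec $LUAJIT_BIN $APISIX_LUA "$@"` and `exec lua $APISIX_LUA "$@"` forward the arguments unchanged. Quoting `$APISIX_LUA` as well would be safer if that variable holds a single path, which the hunk does not show. Now that the two interpreter branches propagate the exit status through `exec`, the `else` branch stands out: it prints an ERROR but, as far as the hunk shows, does not `exit 1`, so a caller may still see success. The `if` chain starts outside the hunk.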
diff --git a/rockspec/apisix-master-0.rockspec
b/rockspec/apisix-master-0.rockspec
index ec96c6b..4020c80 100644
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@@ -65,6 +65,7 @@ dependencies = {
"luasocket = 3.0rc1-2",
"luasec = 0.9-1",
"lua-resty-consul = 0.3-2",
+ "penlight = 1.9.2-1",
}
build = {
diff --git a/t/cli/test_validate_config.sh b/t/cli/test_validate_config.sh
index 1d2659d..65ce692 100755
--- a/t/cli/test_validate_config.sh
+++ b/t/cli/test_validate_config.sh
@@ -33,3 +33,17 @@ if ! echo "$out" | grep 'dns_resolver_valid should be a
number'; then
fi
echo "passed: dns_resolver_valid should be a number"
+
+echo '
+apisix:
+ ssl:
+ ssl_trusted_certificate: t/certs/mtls_ca.crt
+' > conf/config.yaml
+
+out=$(make run 2>&1)
+if echo "$out" | grep 'no such file'; then
+ echo "failed: find the certificate correctly"
+ exit 1
+fi
+
+echo "passed: find the certificate correctly"
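Review bot: The new case only asserts that the output does not contain 'no such file', so it also passes when `make run` fails for an unrelated reason or when the file-check error is worded differently. It would be stronger with a positive assertion, for example checking the exit status of `make run` or grepping the generated Nginx configuration for the absolute form `$(pwd)/t/certs/mtls_ca.crt`. As far as the hunk shows, nothing stops the instance started by `make run` or restores conf/config.yaml afterwards, which may leak state into later CLI tests; confirm whether the harness handles that.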