Merge branch 'master' into feat/add_redis_in_limit_conn

.licenserc.yaml

@@ -54,5 +54,7 @@ header:
     - 'docs/**/*.md'
     - '.ignore_words'
     - '.luacheckrc'
+    # Exclude file contains certificate revocation information
+    - 't/certs/ocsp/index.txt'
 
   comment: on-failure

Makefile

@@ -46,7 +46,6 @@ ENV_LUAROCKS           ?= luarocks
 ENV_INST_PREFIX        ?= /usr
 ENV_INST_LUADIR        ?= $(ENV_INST_PREFIX)/share/lua/5.1
 ENV_INST_BINDIR        ?= $(ENV_INST_PREFIX)/bin
-ENV_HOMEBREW_PREFIX    ?= /usr/local
 ENV_RUNTIME_VER	     ?= $(shell $(ENV_NGINX_EXEC) -V 2>&1 | tr ' ' '\n'  | grep 'APISIX_RUNTIME_VER' | cut -d '=' -f2)
 
 -include .requirements
@@ -67,29 +66,6 @@ ifneq ($(shell test -d $(ENV_OPENSSL_PREFIX) && echo -n yes), yes)
 	endif
 endif
 
-# ENV patch for darwin
-ifeq ($(ENV_OS_NAME), darwin)
-	ifeq ($(ENV_OS_ARCH), arm64)
-		ENV_HOMEBREW_PREFIX := /opt/homebrew
-		ENV_INST_BINDIR := $(ENV_INST_PREFIX)/local/bin
-		ENV_INST_LUADIR := $(shell which lua | xargs realpath | sed 's/bin\/lua//g')
-	endif
-
-	# OSX archive `._` cache file
-	ENV_TAR      := COPYFILE_DISABLE=1 $(ENV_TAR)
-	ENV_LUAROCKS := $(ENV_LUAROCKS) --lua-dir=$(ENV_HOMEBREW_PREFIX)/opt/[email protected]
-
-	ifeq ($(shell test -d $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl && echo -n yes), yes)
-		ENV_OPENSSL_PREFIX := $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl
-	endif
-	ifeq ($(shell test -d $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl3 && echo -n yes), yes)
-		ENV_OPENSSL_PREFIX := $(ENV_HOMEBREW_PREFIX)/opt/openresty-openssl3
-	endif
-	ifeq ($(shell test -d $(ENV_HOMEBREW_PREFIX)/opt/pcre && echo -n yes), yes)
-		ENV_PCRE_PREFIX := $(ENV_HOMEBREW_PREFIX)/opt/pcre
-	endif
-endif
-
 
 # Makefile basic extension function
 _color_red    =\E[1;31m
@@ -144,13 +120,7 @@ endif
 .PHONY: help
 help:
 	@$(call func_echo_success_status, "Makefile rules:")
-	@echo
-	@if [ '$(ENV_OS_NAME)' = 'darwin' ]; then \
-		awk '{ if(match($$0, /^#{3}([^:]+):(.*)$$/)){ split($$0, res, ":"); gsub(/^#{3}[ ]*/, "", res[1]); _desc=$$0; gsub(/^#{3}([^:]+):[ \t]*/, "", _desc); printf("    make %-15s : %-10s\n", res[1], _desc) } }' Makefile; \
-	else \
-		awk '{ if(match($$0, /^\s*#{3}\s*([^:]+)\s*:\s*(.*)$$/, res)){ printf("    make %-15s : %-10s\n", res[1], res[2]) } }' Makefile; \
-	fi
-	@echo
+	@awk '{ if(match($$0, /^\s*#{3}\s*([^:]+)\s*:\s*(.*)$$/, res)){ printf("    make %-15s : %-10s\n", res[1], res[2]) } }' Makefile
 
 
 ### deps : Installing dependencies
@@ -161,7 +131,6 @@ deps: install-runtime
 		mkdir -p ~/.luarocks; \
 		$(ENV_LUAROCKS) config $(ENV_LUAROCKS_FLAG_LOCAL) variables.OPENSSL_LIBDIR $(addprefix $(ENV_OPENSSL_PREFIX), /lib); \
 		$(ENV_LUAROCKS) config $(ENV_LUAROCKS_FLAG_LOCAL) variables.OPENSSL_INCDIR $(addprefix $(ENV_OPENSSL_PREFIX), /include); \
-		[ '$(ENV_OS_NAME)' == 'darwin' ] && $(ENV_LUAROCKS) config $(ENV_LUAROCKS_FLAG_LOCAL) variables.PCRE_INCDIR $(addprefix $(ENV_PCRE_PREFIX), /include); \
 		$(ENV_LUAROCKS) install apisix-master-0.rockspec --tree deps --only-deps $(ENV_LUAROCKS_SERVER_OPT); \
 	else \
 		$(call func_echo_warn_status, "WARNING: You're not using LuaRocks 3.x; please remove the luarocks and reinstall it via https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh"); \

apisix-master-0.rockspec

@@ -17,7 +17,7 @@
 
 package = "apisix"
 version = "master-0"
-supported_platforms = {"linux", "macosx"}
+supported_platforms = {"linux"}
 
 source = {
     url = "git://github.com/apache/apisix",
@@ -46,7 +46,7 @@ dependencies = {
     "lua-resty-cookie = 0.2.0-1",
     "lua-resty-session = 3.10",
     "opentracing-openresty = 0.1",
-    "lua-resty-radixtree = 2.8.2",
+    "lua-resty-radixtree = 2.9.1",
     "lua-protobuf = 0.5.0-1",
     "lua-resty-openidc = 1.7.6-3",
     "luafilesystem = 1.7.0-2",

apisix/cli/file.lua

@@ -175,7 +175,7 @@ local function path_is_multi_type(path, type_val)
         return true
     end
 
-    if path == "apisix->ssl->key_encrypt_salt" then
+    if path == "apisix->data_encryption->keyring" then
         return true
     end
 

apisix/cli/ngx_tpl.lua

@@ -334,6 +334,10 @@ http {
     lua_shared_dict access-tokens {* http.lua_shared_dict["access-tokens"] *}; # cache for service account access tokens
     {% end %}
 
+    {% if enabled_plugins["ocsp-stapling"] then %}
+    lua_shared_dict ocsp-stapling {* http.lua_shared_dict["ocsp-stapling"] *}; # cache for ocsp-stapling
+    {% end %}
+
     {% if enabled_plugins["ext-plugin-pre-req"] or enabled_plugins["ext-plugin-post-req"] then %}
     lua_shared_dict ext-plugin {* http.lua_shared_dict["ext-plugin"] *}; # cache for ext-plugin
     {% end %}

apisix/cli/schema.lua

@@ -224,7 +224,12 @@ local config_schema = {
                                 }
                             }
                         },
-                        key_encrypt_salt = {
+                    }
+                },
+                data_encryption = {
+                    type = "object",
+                    properties = {
+                        keyring = {
                             anyOf = {
                                 {
                                     type = "array",

apisix/init.lua

@@ -191,6 +191,7 @@ function _M.http_ssl_client_hello_phase()
         core.log.error("failed to find SNI: " .. (err or advise))
         ngx_exit(-1)
     end
+    local tls_ext_status_req = apisix_ssl.get_status_request_ext()
 
     local ngx_ctx = ngx.ctx
     local api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
@@ -201,6 +202,7 @@ function _M.http_ssl_client_hello_phase()
     ngx_ctx.matched_ssl = api_ctx.matched_ssl
     core.tablepool.release("api_ctx", api_ctx)
     ngx_ctx.api_ctx = nil
+    ngx_ctx.tls_ext_status_req = tls_ext_status_req
 
     if not ok then
         if err then

apisix/plugin.lua

@@ -906,7 +906,8 @@ local enable_data_encryption
 local function enable_gde()
     if enable_data_encryption == nil then
         enable_data_encryption =
-            core.table.try_read_attr(local_conf, "apisix", "data_encryption", "enable")
+            core.table.try_read_attr(local_conf, "apisix", "data_encryption",
+                    "enable_encrypt_fields")
         _M.enable_data_encryption = enable_data_encryption
     end
 

apisix/plugins/body-transformer.lua

@@ -34,7 +34,7 @@ local next              = next
 local transform_schema = {
     type = "object",
     properties = {
-        input_format = { type = "string", enum = {"xml", "json", "encoded", "args"} },
+        input_format = { type = "string", enum = {"xml", "json", "encoded", "args", "plain"} },
         template = { type = "string" },
         template_is_base64 = { type = "boolean" },
     },
@@ -129,7 +129,7 @@ end
 local function transform(conf, body, typ, ctx, request_method)
     local out = {}
     local format = conf[typ].input_format
-    if body or request_method == "GET" then
+    if (body or request_method == "GET") and format ~= "plain" then
         local err
         if format then
             out, err = decoders[format](body)

apisix/plugins/grpc-web.lua

@@ -21,6 +21,8 @@ local req_set_uri       = ngx.req.set_uri
 local req_set_body_data = ngx.req.set_body_data
 local decode_base64     = ngx.decode_base64
 local encode_base64     = ngx.encode_base64
+local bit               = require("bit")
+local string            = string
 
 
 local ALLOW_METHOD_OPTIONS = "OPTIONS"
@@ -87,7 +89,7 @@ function _M.access(conf, ctx)
     -- set grpc path
     if not (ctx.curr_req_matched and ctx.curr_req_matched[":ext"]) then
         core.log.error("routing configuration error, grpc-web plugin only supports ",
-                       "`prefix matching` pattern routing")
+            "`prefix matching` pattern routing")
         return 400
     end
 
@@ -130,6 +132,7 @@ function _M.header_filter(conf, ctx)
         core.response.set_header("Access-Control-Allow-Origin", DEFAULT_CORS_ALLOW_ORIGIN)
     end
     core.response.set_header("Content-Type", ctx.grpc_web_mime)
+    core.response.set_header("Access-Control-Expose-Headers", "grpc-message,grpc-status")
 end
 
 function _M.body_filter(conf, ctx)
@@ -147,6 +150,50 @@ function _M.body_filter(conf, ctx)
         chunk = encode_base64(chunk)
         ngx_arg[1] = chunk
     end
+
+    --[[
+    upstream_trailer_* available since NGINX version 1.13.10 :
+    https://nginx.org/en/docs/http/ngx_http_upstream_module.html#var_upstream_trailer_
+
+    grpc-web trailer format reference:
+    envoyproxy/envoy/source/extensions/filters/http/grpc_web/grpc_web_filter.cc
+
+    Format for grpc-web trailer
+        1 byte: 0x80
+        4 bytes: length of the trailer
+        n bytes: trailer
+
+    --]]
+    local status = ctx.var.upstream_trailer_grpc_status
+    local message = ctx.var.upstream_trailer_grpc_message
+    if status ~= "" and status ~= nil then
+        local status_str = "grpc-status:" .. status
+        local status_msg = "grpc-message:" .. ( message or "")
+        local grpc_web_trailer = status_str .. "\r\n" .. status_msg .. "\r\n"
+        local len = #grpc_web_trailer
+
+        -- 1 byte: 0x80
+        local trailer_buf = string.char(0x80)
+        -- 4 bytes: length of the trailer
+        trailer_buf = trailer_buf .. string.char(
+            bit.band(bit.rshift(len, 24), 0xff),
+            bit.band(bit.rshift(len, 16), 0xff),
+            bit.band(bit.rshift(len, 8), 0xff),
+            bit.band(len, 0xff)
+        )
+        -- n bytes: trailer
+        trailer_buf = trailer_buf .. grpc_web_trailer
+
+        if ctx.grpc_web_encoding == CONTENT_ENCODING_BINARY then
+            ngx_arg[1] = ngx_arg[1] .. trailer_buf
+        else
+            ngx_arg[1] = ngx_arg[1] .. encode_base64(trailer_buf)
+        end
+
+        -- clear trailer
+        ctx.var.upstream_trailer_grpc_status = nil
+        ctx.var.upstream_trailer_grpc_message = nil
+    end
 end
 
 return _M

apisix/plugins/jwe-decrypt.lua

@@ -110,7 +110,7 @@ local function jwe_decrypt_with_obj(o, consumer)
         secret,
         nil,
         cipher,
-        {iv = o.iv}
+        {iv = dec(o.iv)}
     )
 
     local decrypted = aes_default:decrypt(dec(o.ciphertext), dec(o.tag))