bug: Difference between ADC and APISIX schemas regarding secrets in client CA for upstream mTLS #13020

@cybersec-jochenarnold

Description

Current Behavior

The schema does not allow using secret/env variables in the SSL client CA value.

curl http://127.0.0.1:9180/apisix/admin/ssls/1 -H "X-API-KEY: REDACTED" -X PUT -d '
{
     "cert" : "$env://SERVER_CERT",
     "key": "$env://SERVER_KEY",
     "snis": ["example.com"],
     "client": {
        "ca": "$env://CA_CERT"
     },
     "ssl_protocols": [
         "TLSv1.2",
         "TLSv1.3"
     ]
}'

{"error_msg":"invalid configuration: property \"client\" validation failed: property \"ca\" validation failed: string too short, expected at least 128, got 18"}

ca = certificate_scheme,

I can prepare a PR.

Expected Behavior

The ADC schema allows secret variables (secret, env) in this property.

I would expect APISIX to process this value as well. The current implementation via secret.fetch_secrets should already work.

https://github.com/api7/adc/blob/main/schema.json#L1129

          "client": {
            "type": "object",
            "properties": {
              "ca": {
                "anyOf": [
                  {
                    "type": "string",
                    "minLength": 128,
                    "maxLength": 65536
                  },
                  {
                    "type": "string",
                    "pattern": "^\\$(secret|env):\\/\\/"
                  }
                ]
              },
              ...

APISIX should allow certificate_scheme and secret_uri_schema.

local secret_uri_schema = {

{
            type = "array",
            items = {
                oneOf = {
                    certificate_scheme,
                    secret_uri_schema
                }
            }
        },

Error Logs

{"error_msg":"invalid configuration: property "client" validation failed: property "ca" validation failed: string too short, expected at least 128, got 18"}

Steps to Reproduce

Try to create an SSL object with "$env://" as the client CA value.

curl http://127.0.0.1:9180/apisix/admin/ssls/1 -H "X-API-KEY: REDACTED" -X PUT -d '
{
     "cert" : "$env://SERVER_CERT",
     "key": "$env://SERVER_KEY",
     "snis": ["example.com"],
     "client": {
        "ca": "$env://CA_CERT"
     },
     "ssl_protocols": [
         "TLSv1.2",
         "TLSv1.3"
     ]
}'

Environment

  • APISIX version (run apisix version): 3.15.0
  • Operating system (run uname -a): Ubuntu
  • OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.27.1.2
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): -
  • APISIX Dashboard version, if relevant: -
  • Plugin runner version, for issues related to plugin runners: -
  • LuaRocks version, for installation issues (run luarocks --version): -
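
The following is an added example, not APISIX or ADC code: a minimal Python validator that encodes the two string schemas the issue compares (the PEM branch with minLength 128 / maxLength 65536, and the `^\$(secret|env)://` reference branch) together with the anyOf and oneOf combinators used to join them. It reproduces the rejection of `$env://CA_CERT` under the current `ca = certificate_scheme`, shows both combinators accepting it, and exercises one edge case worth checking before choosing a combinator: a secret reference that is itself 128 characters or longer satisfies both branches, so `oneOf` (exactly one match) rejects it while ADC's `anyOf` accepts it. All inputs are constructed for the demonstration.

```python
import re

# Pattern quoted from the ADC schema in the issue.
SECRET_URI_RE = re.compile(r"^\$(secret|env)://")

# Length bounds quoted from the APISIX error message and the ADC schema.
CERT_MIN_LEN = 128
CERT_MAX_LEN = 65536


def certificate_scheme(value):
    """PEM-like branch: a string of 128..65536 chars. Returns None or an error."""
    if not isinstance(value, str):
        return "expected string"
    if len(value) < CERT_MIN_LEN:
        return f"string too short, expected at least {CERT_MIN_LEN}, got {len(value)}"
    if len(value) > CERT_MAX_LEN:
        return f"string too long, expected at most {CERT_MAX_LEN}, got {len(value)}"
    return None


def secret_uri_schema(value):
    """Reference branch: a string starting with $secret:// or $env://."""
    if not isinstance(value, str):
        return "expected string"
    if not SECRET_URI_RE.match(value):
        return "does not match ^\\$(secret|env)://"
    return None


def any_of(*branches):
    """JSON Schema anyOf: at least one branch must accept the value."""
    def check(value):
        errors = [b(value) for b in branches]
        if any(e is None for e in errors):
            return None
        return "anyOf failed: " + "; ".join(errors)
    return check


def one_of(*branches):
    """JSON Schema oneOf: exactly one branch must accept the value."""
    def check(value):
        matched = sum(1 for b in branches if b(value) is None)
        if matched == 1:
            return None
        return f"oneOf failed: {matched} branches matched, expected exactly 1"
    return check


# Current APISIX behaviour for client.ca (issue: `ca = certificate_scheme`).
validate_ca_current = certificate_scheme
# ADC's schema for client.ca (anyOf, quoted in the issue).
validate_ca_adc = any_of(certificate_scheme, secret_uri_schema)
# The oneOf form the issue quotes from APISIX's certificate arrays.
validate_ca_oneof = one_of(certificate_scheme, secret_uri_schema)


def check_client_ca(ssl_object, validator):
    """Validate ssl_object["client"]["ca"] and format the error like the Admin API."""
    ca = ssl_object.get("client", {}).get("ca")
    err = validator(ca)
    if err is None:
        return None
    return ('invalid configuration: property "client" validation failed: '
            'property "ca" validation failed: ' + err)


# Constructed inputs (not real certificates or secret paths).
ENV_REF = "$env://CA_CERT"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "A" * 200 +
            "\n-----END CERTIFICATE-----\n")
LONG_SECRET_REF = "$secret://vault/" + "x" * 150   # >= 128 chars: matches both branches
GARBAGE = "not a cert"

SSL_OBJECT = {
    "cert": "$env://SERVER_CERT",
    "key": "$env://SERVER_KEY",
    "snis": ["example.com"],
    "client": {"ca": ENV_REF},
    "ssl_protocols": ["TLSv1.2", "TLSv1.3"],
}

if __name__ == "__main__":
    for name, validator in (("current", validate_ca_current),
                            ("anyOf", validate_ca_adc),
                            ("oneOf", validate_ca_oneof)):
        print(f"{name:8s} $env ref : {check_client_ca(SSL_OBJECT, validator)}")
        print(f"{name:8s} long ref : {validator(LONG_SECRET_REF)}")
        print(f"{name:8s} garbage  : {validator(GARBAGE)}")
```

Run it directly to see the three validators side by side. The practical takeaway is that if the fix reuses the `oneOf` pattern from the certificate arrays, a `$secret://` path long enough to clear the 128-character PEM minimum will match both branches and be rejected as ambiguous; following ADC with `anyOf` avoids that, and neither combinator lets a short, non-reference string such as `not a cert` through.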

Metadata

Labels

bug (Something isn't working)

Status

🏗 In progress
