diff -Nru lua-resty-2402141948/debian/changelog lua-resty-2403271305/debian/changelog --- lua-resty-2402141948/debian/changelog 2024-02-14 18:48:58.000000000 +0000 +++ lua-resty-2403271305/debian/changelog 2024-03-27 12:05:58.000000000 +0000 @@ -1,7 +1,7 @@ -lua-resty (2402141948-3myguard1~jammy) jammy; urgency=medium +lua-resty (2403271305-3myguard1~jammy) jammy; urgency=medium * Modules from https://github.com/openresty and others - -- Thijs Eilander Wed, 14 Feb 2024 19:48:58 +0100 + -- Thijs Eilander Wed, 27 Mar 2024 13:05:58 +0100 diff -Nru lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/balancer.lua lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/balancer.lua --- lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/balancer.lua 2023-12-01 05:32:07.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/balancer.lua 2024-03-27 12:05:58.000000000 +0000 @@ -22,6 +22,7 @@ local ngx_lua_ffi_balancer_set_more_tries local ngx_lua_ffi_balancer_get_last_failure local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http +local ngx_lua_ffi_balancer_set_upstream_tls if subsystem == 'http' then @@ -41,6 +42,8 @@ int ngx_http_lua_ffi_balancer_recreate_request(ngx_http_request_t *r, char **err); + int ngx_http_lua_ffi_balancer_set_upstream_tls(ngx_http_request_t *r, + int on, char **err); ]] ngx_lua_ffi_balancer_set_current_peer = @@ -55,6 +58,9 @@ ngx_lua_ffi_balancer_set_timeouts = C.ngx_http_lua_ffi_balancer_set_timeouts + ngx_lua_ffi_balancer_set_upstream_tls = + C.ngx_http_lua_ffi_balancer_set_upstream_tls + elseif subsystem == 'stream' then ffi.cdef[[ int ngx_stream_lua_ffi_balancer_set_current_peer( 
@@ -228,6 +234,29 @@
 return nil, "failed to recreate the upstream request"
 end
+
+
+ function _M.set_upstream_tls(on)
+ local r = get_request()
+ if not r then
+ return error("no request found")
+ end
+
+ local rc
+
+ if on == 0 or on == false then
+ on = 0
+ else
+ on = 1
+ end
+
+ rc = ngx_lua_ffi_balancer_set_upstream_tls(r, on, errmsg);
+ if rc == FFI_OK then
+ return true
+ end
+
+ return nil, ffi_str(errmsg[0])
+ end
 end
diff -Nru lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/balancer.md lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/balancer.md
--- lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/balancer.md 2023-12-01 05:32:07.000000000 +0000
+++ lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/balancer.md 2024-03-27 12:05:58.000000000 +0000
@@ -13,11 +13,12 @@
 * [stream subsystem](#stream-subsystem)
 * [Description](#description)
 * [Methods](#methods)
+ * [get_last_failure](#get_last_failure)
+ * [recreate_request](#recreate_request)
 * [set_current_peer](#set_current_peer)
 * [set_more_tries](#set_more_tries)
- * [get_last_failure](#get_last_failure)
 * [set_timeouts](#set_timeouts)
- * [recreate_request](#recreate_request)
+ * [set_upstream_tls](#set_upstream_tls)
 * [Community](#community)
 * [English Mailing List](#english-mailing-list)
 * [Chinese Mailing List](#chinese-mailing-list)
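Review bot: The `on == 0 or on == false` test in set_upstream_tls treats `0` as off even though `0` is truthy in Lua, and every other value — including a mistyped `"off"` string or a missing argument — is coerced to `1`, so a caller passing the wrong type silently gets TLS enabled rather than an error. That is the safe direction for a plaintext-downgrade switch, but it should be stated above the `if`: `-- false and 0 disable TLS to the upstream; anything else (including nil) keeps it on`. The trailing `;` on `rc = ngx_lua_ffi_balancer_set_upstream_tls(r, on, errmsg);` is unusual for this file and can go. The final `end` of the hunk closes the `if subsystem == 'http'` block, which begins outside the hunk.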
@@ -270,6 +271,21 @@ [Back to TOC](#table-of-contents) +set_upstream_tls +------------ +**syntax:** `ok, err = balancer.set_upstream_tls(on)` + +**context:** *balancer_by_lua** + +Turn off the HTTPs or reenable the HTTPs for the upstream connection. + +- If `on` is `true`, then the https protocol will be used to connect to the upstream server. +- If `on` is `false`, then the http protocol will be used to connect to the upstream server. + +This function was first added in the `0.1.29` version of this library. + +[Back to TOC](#table-of-contents) + Community ========= diff -Nru lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/ocsp.lua lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/ocsp.lua --- lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/ocsp.lua 2023-12-01 05:32:07.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/ocsp.lua 2024-03-27 12:05:58.000000000 +0000 @@ -7,6 +7,7 @@ local ffi = require "ffi" local C = ffi.C +local ffi_new = ffi.new local ffi_str = ffi.string local get_request = base.get_request local error = error @@ -30,7 +31,7 @@ int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp, size_t resp_len, const char *chain_data, size_t chain_len, - unsigned char *errbuf, size_t *errbuf_size); + unsigned char *errbuf, size_t *errbuf_size, long *valid); int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, const unsigned char *resp, size_t resp_len, char **err); @@ -98,8 +99,9 @@ end -function _M.validate_ocsp_response(resp, chain, max_errmsg_len) +local next_update_p = ffi_new("long[1]") +function _M.validate_ocsp_response(resp, chain, max_errmsg_len) local errbuf_size = max_errmsg_len if not errbuf_size then errbuf_size = get_string_buf_size() 
@@ -109,11 +111,17 @@
 local sizep = get_size_ptr()
 sizep[0] = errbuf_size
- local rc = C.ngx_http_lua_ffi_ssl_validate_ocsp_response(
- resp, #resp, chain, #chain, errbuf, sizep)
+ local rc = C.ngx_http_lua_ffi_ssl_validate_ocsp_response(resp, #resp,
+ chain, #chain,
+ errbuf, sizep,
+ next_update_p)
 if rc == FFI_OK then
- return true
+ local next_update = tonumber(next_update_p[0])
+ if next_update == 0 then
+ next_update = nil
+ end
+ return true, next_update
 end
 -- rc == FFI_ERROR
diff -Nru lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/ssl.lua lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/ssl.lua
--- lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/ssl.lua 2024-02-02 00:57:31.000000000 +0000
+++ lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/ssl.lua 2024-03-27 12:05:58.000000000 +0000
@@ -39,6 +39,10 @@
 local ngx_lua_ffi_free_cert
 local ngx_lua_ffi_free_priv_key
 local ngx_lua_ffi_ssl_verify_client
+local ngx_lua_ffi_ssl_client_random
+local ngx_lua_ffi_ssl_export_keying_material
+local ngx_lua_ffi_ssl_export_keying_material_early
+local ngx_lua_ffi_get_req_ssl_pointer
 if subsystem == 'http' then
@@ -85,6 +89,8 @@
 void *ngx_http_lua_ffi_parse_der_priv_key(const char *data, size_t len, char **err) ;
+ void *ngx_http_lua_ffi_get_req_ssl_pointer(void *r);
+
 int ngx_http_lua_ffi_set_cert(void *r, void *cdata, char **err);
 int ngx_http_lua_ffi_set_priv_key(void *r, void *cdata, char **err);
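Review bot: `next_update_p` is a worker-wide `long[1]` (declared in the previous hunk) that is never reset before the FFI call, so if the C side returns FFI_OK without storing into `*valid` for some response, the nextUpdate of an earlier call would be reported for this one; whether the C function always writes it is not visible here, and `next_update_p[0] = 0` before the call removes the question. The new second return value also gets no documentation in this diff (there is no ocsp.md hunk), so callers that cache OCSP responses are not told what it means; I would add `-- next_update: the response's nextUpdate (presumably epoch seconds), nil when the response carries none` above `return true, next_update`, with the unit confirmed against the C side. The enclosing validate_ocsp_response function begins outside the hunk.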
@@ -95,6 +101,19 @@
 int ngx_http_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err);
+
+ int ngx_http_lua_ffi_ssl_client_random(ngx_http_request_t *r,
+ const unsigned char *out, size_t *outlen, char **err);
+
+ int ngx_http_lua_ffi_ssl_export_keying_material(void *r,
+ unsigned char *out, size_t out_size,
+ const char *label, size_t llen,
+ const unsigned char *ctx, size_t ctxlen, int use_ctx, char **err);
+
+ int ngx_http_lua_ffi_ssl_export_keying_material_early(void *r,
+ unsigned char *out, size_t out_size,
+ const char *label, size_t llen,
+ const unsigned char *ctx, size_t ctxlen, char **err);
 ]]
 ngx_lua_ffi_ssl_set_der_certificate =
@@ -118,6 +137,12 @@
 ngx_lua_ffi_free_cert = C.ngx_http_lua_ffi_free_cert
 ngx_lua_ffi_free_priv_key = C.ngx_http_lua_ffi_free_priv_key
 ngx_lua_ffi_ssl_verify_client = C.ngx_http_lua_ffi_ssl_verify_client
+ ngx_lua_ffi_ssl_client_random = C.ngx_http_lua_ffi_ssl_client_random
+ ngx_lua_ffi_ssl_export_keying_material =
+ C.ngx_http_lua_ffi_ssl_export_keying_material
+ ngx_lua_ffi_ssl_export_keying_material_early =
+ C.ngx_http_lua_ffi_ssl_export_keying_material_early
+ ngx_lua_ffi_get_req_ssl_pointer = C.ngx_http_lua_ffi_get_req_ssl_pointer
 elseif subsystem == 'stream' then
 ffi.cdef[[
@@ -174,6 +199,9 @@
 int ngx_stream_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err);
+
+ int ngx_stream_lua_ffi_ssl_client_random(ngx_stream_lua_request_t *r,
+ unsigned char *out, size_t *outlen, char **err);
 ]]
 ngx_lua_ffi_ssl_set_der_certificate =
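Review bot: The http cdef declares the client-random output buffer as `const unsigned char *out` while the stream declaration added further down uses `unsigned char *out`, and the C function has to write into that buffer; LuaJIT still accepts a mutable buffer for a const pointer so it works, but the prototype misstates the contract and the two subsystems disagree. Suggested line: `int ngx_http_lua_ffi_ssl_client_random(ngx_http_request_t *r, unsigned char *out, size_t *outlen, char **err);`. This prototype is also the only one in the block taking `ngx_http_request_t *r` rather than `void *r`; that presumably relies on the typedef from an earlier cdef (resty.core.base), which is not visible in this diff.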
@@ -187,7 +215,8 @@ ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der - ngx_lua_ffi_ssl_get_tls1_version = C.ngx_stream_lua_ffi_ssl_get_tls1_version + ngx_lua_ffi_ssl_get_tls1_version = + C.ngx_stream_lua_ffi_ssl_get_tls1_version ngx_lua_ffi_parse_pem_cert = C.ngx_stream_lua_ffi_parse_pem_cert ngx_lua_ffi_parse_der_cert = C.ngx_stream_lua_ffi_parse_der_cert ngx_lua_ffi_parse_pem_priv_key = C.ngx_stream_lua_ffi_parse_pem_priv_key @@ -197,6 +226,7 @@ ngx_lua_ffi_free_cert = C.ngx_stream_lua_ffi_free_cert ngx_lua_ffi_free_priv_key = C.ngx_stream_lua_ffi_free_priv_key ngx_lua_ffi_ssl_verify_client = C.ngx_stream_lua_ffi_ssl_verify_client + ngx_lua_ffi_ssl_client_random = C.ngx_stream_lua_ffi_ssl_client_random end @@ -237,7 +267,6 @@ return nil, ffi_str(errmsg[0]) end - function _M.set_der_priv_key(data) local r = get_request() if not r then 
@@ -474,6 +503,68 @@
 end
+function _M.export_keying_material(length, label, context)
+ local r = get_request()
+ if not r then
+ error("no request found")
+ end
+
+ local outbuf = get_string_buf(length)
+ local use_context = context and 1 or 0
+ local context_len = context and #context or 0
+
+ local rc = ngx_lua_ffi_ssl_export_keying_material(r, outbuf, length,
+ label, #label, context, context_len, use_context, errmsg)
+
+ if rc == FFI_OK then
+ return ffi_str(outbuf, length)
+ end
+
+ if rc == FFI_DECLINED then
+ return nil
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
+function _M.export_keying_material_early(length, label, context)
+ local r = get_request()
+ if not r then
+ error("no request found")
+ end
+
+ local outbuf = get_string_buf(length)
+ local context_len = context and #context or 0
+
+ local rc = ngx_lua_ffi_ssl_export_keying_material_early(r, outbuf, length,
+ label, #label, context, context_len, errmsg)
+
+ if rc == FFI_OK then
+ return ffi_str(outbuf, length)
+ end
+
+ if rc == FFI_DECLINED then
+ return nil
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+function _M.get_req_ssl_pointer()
+ local r = get_request()
+ if not r then
+ error("no request found")
+ end
+
+ local ssl = ngx_lua_ffi_get_req_ssl_pointer(r)
+ if ssl == nil then
+ return nil, "no ssl object"
+ end
+
+ return ssl
+end
+
 do
 _M.SSL3_VERSION = 0x0300
 _M.TLS1_VERSION = 0x0301
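Review bot: export_keying_material and export_keying_material_early use `length` and `label` unchecked, so a nil `label` fails on `#label` with a raw Lua error and a non-numeric or zero `length` fails inside get_string_buf, which is a poor failure mode for a function whose output is key material. A guard at the top of each, `if type(length) ~= "number" or length <= 0 then return nil, "bad length" end` and `if type(label) ~= "string" then return nil, "bad label" end`, gives callers a proper `nil, err`. The `use_context = context and 1 or 0` line deserves a comment, since it is what keeps an empty-string context distinct from no context: `-- "" is passed with use_ctx = 1: under TLS 1.2 an empty context differs from none (RFC 5705 §4)`. In get_req_ssl_pointer I would note above `return ssl` that the `SSL*` is owned by the connection and only valid within the current phase unless the caller takes its own reference, which is what the ssl.md text in this commit says.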
@@ -505,4 +596,31 @@
 end
+function _M.get_client_random(outlen)
+ local r = get_request()
+ if not r then
+ error("no request found")
+ end
+
+ if outlen == nil then
+ outlen = 32
+ end
+
+ local out = get_string_buf(outlen)
+ local sizep = get_size_ptr()
+ sizep[0] = outlen
+
+ local rc = ngx_lua_ffi_ssl_client_random(r, out, sizep, errmsg)
+ if rc == FFI_OK then
+ if outlen == 0 then
+ return tonumber(sizep[0])
+ end
+
+ return ffi_str(out, sizep[0])
+ end
+
+ return nil, ffi_str(errmsg[0])
+end
+
+
 return _M
diff -Nru lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/ssl.md lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/ssl.md
--- lua-resty-2402141948/debian/modules/lua-resty-core/lib/ngx/ssl.md 2024-02-02 00:57:31.000000000 +0000
+++ lua-resty-2403271305/debian/modules/lua-resty-core/lib/ngx/ssl.md 2024-03-27 12:05:58.000000000 +0000
@@ -29,6 +29,10 @@
 * [set_cert](#set_cert)
 * [set_priv_key](#set_priv_key)
 * [verify_client](#verify_client)
+ * [get_client_random](#get_client_random)
+ * [export_keying_material](#export_keying_material)
+ * [export_keying_material_early](#export_keying_material_early)
+ * [get_req_ssl_pointer](#get_req_ssl_pointer)
 * [Community](#community)
 * [English Mailing List](#english-mailing-list)
 * [Chinese Mailing List](#chinese-mailing-list)
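Review bot: get_client_random passes `outlen` to get_string_buf without checking it, so a negative or non-numeric value errors inside the buffer helper rather than returning `nil, err`; `if type(outlen) ~= "number" or outlen < 0 then return nil, "bad outlen" end` after the default is applied fixes that. The function also returns a number for `outlen == 0` and a string otherwise, which ssl.md explains but the code does not: `-- outlen == 0 is a size query: returns the length of client_random, not its bytes` on the inner `if` would do. The client random is sent in the clear in the ClientHello, so exposing it to Lua reveals nothing secret; that is worth saying in a header comment, given that the exporters added earlier in this file do return secret material.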
@@ -323,6 +327,76 @@ [Back to TOC](#table-of-contents) +export_keying_material +---------------------- +**syntax:** *key, err = ssl.export_keying_material(length, label, context)* + +context: *set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua** + +Return a key derived from the SSL master secret. + +As described in RFC8446 section 7.5 this function returns key material that is derived from the SSL master secret and can be used on the application level. The returned key material is of the given length. Label is mandatory and requires a special format that is described in RFC5705 section 4. Context is optional but note that in TLSv1.2 and below a zero length context is treated differently from no context at all, and will result in different keying material being returned. In TLSv1.3 a zero length context is that same as no context at all and will result in the same keying material being returned. + +The following code snippet shows how to derive a new key that can be used on the application level. + +```lua +local ssl = require "ngx.ssl" + +local key_length = 16 +local label = "EXPERIMENTAL my label" +local context = "\x00\x01\x02\x03" + +local key, err = ssl.export_keying_material(key_length, label, context) +if not key then + ngx.log(ngx.ERR, "failed to derive key ", err) + return +end + +-- use key... + +end +``` + +This function can be called in any context where downstream https is used. + +[Back to TOC](#table-of-contents) + + +export_keying_material_early +---------------------------- +**syntax:** *key, err = ssl.export_keying_material_early(length, label, context)* + +context: *set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua** + +Returns a key derived from the SSL early exporter master secret. 
+ +As described in RFC8446 section 7.5 this function returns key material that is derived from the SSL early exporter master secret and can be used on the application level. The returned key material is of the given length. Label is mandatory and requires a special format that is described in RFC5705 section 4. This function is only usable with TLSv1.3, and derives keying material using the early_exporter_master_secret (as defined in the TLS 1.3 RFC). For the client, the early_exporter_master_secret is only available when the client attempts to send 0-RTT data. For the server, it is only available when the server accepts 0-RTT data. + +The following code snippet shows how to derive a new key that can be used on the application level. + +```lua +local ssl = require "ngx.ssl" + +local key_length = 16 +local label = "EXPERIMENTAL my label" +local context = "\x00\x01\x02\x03" + +local key, err = ssl.export_keying_material_early(key_length, label, context) +if not key then + ngx.log(ngx.ERR, "failed to derive key ", err) + return +end + +-- use key... + +end +``` + +This function can be called in any context where downstream https TLS1.3 is used. + +[Back to TOC](#table-of-contents) + + raw_client_addr --------------- **syntax:** *addr_data, addr_type, err = ssl.raw_client_addr()* 
@@ -557,6 +631,40 @@ [Back to TOC](#table-of-contents) +get_client_random +----------- +**syntax:** *client_random = ssl.get_client_random(outlen?)* + +**context:** *any* + +Returns the random value sent from the client to the server during the initial SSL/TLS handshake. + +The `outlen` parameter indicates the maximum length of the client_random value returned. +If the `outlen` is zero, this function returns the total length of the client_random value. +If omitted, will use the value 32. + +This function can be called in any context where downstream https is used, but in the context of [ssl_client_hello_by_lua*](https://github.com/openresty/lua-nginx-module/#ssl_client_hello_by_lua_block), it can not return the real client_random value, just a string filled with 0. + +[Back to TOC](#table-of-contents) + + +get_req_ssl_pointer +------------ +**syntax:** *ssl_ptr, err = ssl.get_req_ssl_pointer()* + +**context:** *any* + +Retrieves the OpenSSL `SSL*` object for the current downstream connection. + +Returns an FFI pointer on success, or a `nil` value and a string describing the error otherwise. + +If you need to retain the pointer beyond the current phase then you will need to use OpenSSL's `SSL_up_ref` to increase the reference count. +If you do, ensure that your reference is released with `SSL_free`. + +This function was first added in version `0.1.16`. + +[Back to TOC](#table-of-contents) + Community ========= diff -Nru lua-resty-2402141948/debian/modules/lua-resty-http/lib/resty/http.lua lua-resty-2403271305/debian/modules/lua-resty-http/lib/resty/http.lua --- lua-resty-2402141948/debian/modules/lua-resty-http/lib/resty/http.lua 2023-12-01 05:32:18.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-http/lib/resty/http.lua 2024-03-27 12:05:58.000000000 +0000 
@@ -106,7 +106,7 @@ local _M = { - _VERSION = '0.17.1', + _VERSION = '0.17.2', } _M._USER_AGENT = "lua-resty-http/" .. _M._VERSION .. " (Lua) ngx_lua/" .. ngx.config.ngx_lua_version diff -Nru lua-resty-2402141948/debian/modules/lua-resty-http/lib/resty/http_connect.lua lua-resty-2403271305/debian/modules/lua-resty-http/lib/resty/http_connect.lua --- lua-resty-2402141948/debian/modules/lua-resty-http/lib/resty/http_connect.lua 2023-12-01 05:32:18.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-http/lib/resty/http_connect.lua 2024-03-27 12:05:58.000000000 +0000 @@ -1,8 +1,26 @@ +local ffi = require "ffi" local ngx_re_gmatch = ngx.re.gmatch local ngx_re_sub = ngx.re.sub local ngx_re_find = ngx.re.find local ngx_log = ngx.log local ngx_WARN = ngx.WARN +local ngx_DEBUG = ngx.DEBUG +local to_hex = require("resty.string").to_hex +local ffi_gc = ffi.gc +local ffi_cast = ffi.cast +local type = type + +local lib_chain, lib_x509, lib_pkey +local openssl_available, res = xpcall(function() + lib_chain = require("resty.openssl.x509.chain") + lib_x509 = require("resty.openssl.x509") + lib_pkey = require("resty.openssl.pkey") +end, debug.traceback) + +if not openssl_available then + ngx_log(ngx_WARN, "failed to load module `resty.openssl.*`, \z + mTLS isn't supported without lua-resty-openssl:\n", res) +end --[[ A connection function that incorporates: @@ -148,7 +166,7 @@ local proxy_uri_t proxy_uri_t, err = self:parse_uri(proxy_uri) if not proxy_uri_t then - return nil, "uri parse error: ", err + return nil, "uri parse error: " .. err end local proxy_scheme = proxy_uri_t[1] 
@@ -160,6 +178,61 @@
 proxy_port = proxy_uri_t[3]
 end
+ local cert_hash
+ if ssl and ssl_client_cert and ssl_client_priv_key then
+ local cert_type = type(ssl_client_cert)
+ local key_type = type(ssl_client_priv_key)
+
+ if cert_type ~= "cdata" then
+ return nil, "bad ssl_client_cert: cdata expected, got " .. cert_type
+ end
+
+ if key_type ~= "cdata" then
+ return nil, "bad ssl_client_priv_key: cdata expected, got " .. key_type
+ end
+
+ if not openssl_available then
+ return nil, "module `resty.openssl.*` not available, mTLS isn't supported without lua-resty-openssl"
+ end
+
+ -- convert from `void*` to `OPENSSL_STACK*`
+ local cert_chain, err = lib_chain.dup(ffi_cast("OPENSSL_STACK*", ssl_client_cert))
+ if not cert_chain then
+ return nil, "failed to dup the ssl_client_cert: " .. err
+ end
+
+ if #cert_chain < 1 then
+ return nil, "no cert in ssl_client_cert"
+ end
+
+ local cert, err = lib_x509.dup(cert_chain[1].ctx)
+ if not cert then
+ return nil, "failed to dup the x509: " .. err
+ end
+
+ -- convert from `void*` to `EVP_PKEY*`
+ local key, err = lib_pkey.new(ffi_cast("EVP_PKEY*", ssl_client_priv_key))
+ if not key then
+ return nil, "failed to new the pkey: " .. err
+ end
+
+ -- should not free the cdata passed in
+ ffi_gc(key.ctx, nil)
+
+ -- check the private key in order to make sure the caller is indeed the holder of the cert
+ ok, err = cert:check_private_key(key)
+ if not ok then
+ return nil, "the private key doesn't match the cert: " .. err
+ end
+
+ cert_hash, err = cert:digest("sha256")
+ if not cert_hash then
+ return nil, "failed to calculate the digest of the cert: " .. err
+ end
+
+ cert_hash = to_hex(cert_hash) -- convert to hex so that it's printable
+ end
+
 -- construct a poolname unique within proxy and ssl info
 if not poolname then
 poolname = (request_scheme or "")
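Review bot: `ok, err = cert:check_private_key(key)` assigns to `ok` without `local`, so it depends on an `ok` declared earlier in connect (outside the hunk) — if there is none this is a write to a global — and the three `local cert_chain, err` / `local cert, err` / `local key, err` lines each shadow the outer `err`, which luacheck will flag. The security property this block buys is not written down anywhere; I would add above `local cert_hash`: `-- the client cert fingerprint becomes part of the pool name so a keepalive connection authenticated as one client identity is never reused for a request carrying a different cert/key`. Only the leaf (`cert_chain[1]`) is hashed and key-checked, so chains differing only in intermediates share a pool, which is presumably intended since the leaf is the identity. Note that the key-match check and SHA-256 run on every connect() call, including ones that end up reusing a pooled connection.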
@@ -170,12 +243,15 @@
 .. ":" .. tostring(ssl_verify)
 .. ":" .. (proxy_uri or "")
 .. ":" .. (request_scheme == "https" and proxy_authorization or "")
+ .. ":" .. (cert_hash or "")
 -- in the above we only add the 'proxy_authorization' as part of the poolname
 -- when the request is https. Because in that case the CONNECT request (which
 -- carries the authorization header) is part of the connect procedure, whereas
 -- with a plain http request the authorization is part of the actual request.
 end
+ ngx_log(ngx_DEBUG, "poolname: ", poolname)
+
 -- do TCP level connection
 local tcp_opts = { pool = poolname, pool_size = pool_size, backlog = backlog }
 if proxy then
@@ -184,7 +260,7 @@
 if not ok then
 return nil, "failed to connect to: " .. (proxy_host or "") .. ":" .. (proxy_port or "") ..
- ": ", err
+ ": " .. err
 end
 if ssl and sock:getreusedtimes() == 0 then
@@ -204,7 +280,7 @@
 })
 if not res then
- return nil, "failed to issue CONNECT to proxy:", err
+ return nil, "failed to issue CONNECT to proxy: " .. err
 end
 if res.status < 200 or res.status > 299 then
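Review bot: `ngx_log(ngx_DEBUG, "poolname: ", poolname)` writes the pool name verbatim to the error log, and for https requests via a proxy that name embeds `proxy_authorization`, i.e. the Proxy-Authorization credential, so turning on debug logging now leaks proxy credentials (plus the client-cert fingerprint) into the log file. Logging a digest keeps the diagnostic value without the secret: `ngx_log(ngx_DEBUG, "poolname: ", ngx.md5(poolname))`. The comment block just above already explains why the authorization header is in the name; a sentence there saying the name is therefore sensitive and must not be logged verbatim would stop this from reappearing.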
@@ -234,13 +310,13 @@
 -- Experimental mTLS support
 if ssl_client_cert and ssl_client_priv_key then
 if type(sock.setclientcert) ~= "function" then
- ngx_log(ngx_WARN, "cannot use SSL client cert and key without mTLS support")
+ return nil, "cannot use SSL client cert and key without mTLS support"
 else
- ok, err = sock:setclientcert(ssl_client_cert, ssl_client_priv_key)
- if not ok then
- ngx_log(ngx_WARN, "could not set client certificate: ", err)
- end
+ ok, err = sock:setclientcert(ssl_client_cert, ssl_client_priv_key)
+ if not ok then
+ return nil, "could not set client certificate: " .. err
+ end
 end
 end
diff -Nru lua-resty-2402141948/debian/modules/lua-resty-http/lib/resty/http_headers.lua lua-resty-2403271305/debian/modules/lua-resty-http/lib/resty/http_headers.lua
--- lua-resty-2402141948/debian/modules/lua-resty-http/lib/resty/http_headers.lua 2023-12-01 05:32:18.000000000 +0000
+++ lua-resty-2403271305/debian/modules/lua-resty-http/lib/resty/http_headers.lua 2024-03-27 12:05:58.000000000 +0000
@@ -4,7 +4,7 @@
 local str_lower = string.lower
 local _M = {
- _VERSION = '0.17.1',
+ _VERSION = '0.17.2',
 }
diff -Nru lua-resty-2402141948/debian/modules/lua-resty-http/lua-resty-http-0.17.1-0.rockspec lua-resty-2403271305/debian/modules/lua-resty-http/lua-resty-http-0.17.1-0.rockspec
--- lua-resty-2402141948/debian/modules/lua-resty-http/lua-resty-http-0.17.1-0.rockspec 2023-12-01 05:32:18.000000000 +0000
+++ lua-resty-2403271305/debian/modules/lua-resty-http/lua-resty-http-0.17.1-0.rockspec 1970-01-01 00:00:00.000000000 +0000
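Review bot: Turning the two mTLS warnings into hard failures is the right fail-closed behaviour — previously a request could go out without the client certificate with only a WARN to show for it — but both new `return nil, …` paths leave the freshly connected `sock` open, and whether connect() closes it on other error returns is outside this hunk; if it does not, `sock:close()` before each return avoids a half-configured connection lingering until GC. The `else` after `return nil, "cannot use SSL client cert and key without mTLS support"` is redundant, so the `setclientcert` call can sit at one less indent level after the guard. The enclosing `if ssl and sock:getreusedtimes() == 0` block begins outside the hunk.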
@@ -1,23 +0,0 @@ -package = "lua-resty-http" -version = "0.17.1-0" -source = { - url = "git://github.com/ledgetech/lua-resty-http", - tag = "v0.17.1" -} -description = { - summary = "Lua HTTP client cosocket driver for OpenResty / ngx_lua.", - homepage = "https://github.com/ledgetech/lua-resty-http", - license = "2-clause BSD", - maintainer = "James Hurst " -} -dependencies = { - "lua >= 5.1" -} -build = { - type = "builtin", - modules = { - ["resty.http"] = "lib/resty/http.lua", - ["resty.http_headers"] = "lib/resty/http_headers.lua", - ["resty.http_connect"] = "lib/resty/http_connect.lua" - } -} diff -Nru lua-resty-2402141948/debian/modules/lua-resty-http/lua-resty-http-0.17.2-0.rockspec lua-resty-2403271305/debian/modules/lua-resty-http/lua-resty-http-0.17.2-0.rockspec --- lua-resty-2402141948/debian/modules/lua-resty-http/lua-resty-http-0.17.2-0.rockspec 1970-01-01 00:00:00.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-http/lua-resty-http-0.17.2-0.rockspec 2024-03-27 12:05:58.000000000 +0000 
@@ -0,0 +1,23 @@ +package = "lua-resty-http" +version = "0.17.2-0" +source = { + url = "git://github.com/ledgetech/lua-resty-http", + tag = "v0.17.2" +} +description = { + summary = "Lua HTTP client cosocket driver for OpenResty / ngx_lua.", + homepage = "https://github.com/ledgetech/lua-resty-http", + license = "2-clause BSD", + maintainer = "James Hurst " +} +dependencies = { + "lua >= 5.1" +} +build = { + type = "builtin", + modules = { + ["resty.http"] = "lib/resty/http.lua", + ["resty.http_headers"] = "lib/resty/http_headers.lua", + ["resty.http_connect"] = "lib/resty/http_connect.lua" + } +} diff -Nru lua-resty-2402141948/debian/modules/lua-resty-lrucache/README.markdown lua-resty-2403271305/debian/modules/lua-resty-lrucache/README.markdown --- lua-resty-2402141948/debian/modules/lua-resty-lrucache/README.markdown 2024-02-02 00:57:32.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-lrucache/README.markdown 2024-03-27 12:05:58.000000000 +0000 @@ -304,14 +304,14 @@ You can install this module with the following command to resolve the above problem. ```bash -cd lua-resty-core +cd lua-resty-lrucache sudo make install LUA_LIB_DIR=/usr/local/share/lua/5.1 ``` You can also change the installation directory to any other directory you like with the LUA_LIB_DIR argument. ```bash -cd lua-resty-core +cd lua-resty-lrucache sudo make install LUA_LIB_DIR=/opt/nginx/lualib ``` diff -Nru lua-resty-2402141948/debian/modules/lua-resty-openidc/lib/resty/openidc.lua lua-resty-2403271305/debian/modules/lua-resty-openidc/lib/resty/openidc.lua --- lua-resty-2402141948/debian/modules/lua-resty-openidc/lib/resty/openidc.lua 2023-12-01 05:32:17.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-openidc/lib/resty/openidc.lua 2024-03-27 12:05:58.000000000 +0000 
@@ -623,6 +623,17 @@
 log(DEBUG, "userinfo response: ", res.body)
+ -- handle if the response type is a jwt/signed payload
+ local responseType = string.lower(res.headers["Content-Type"])
+ if string.find(responseType, "application/jwt") then
+ local json, err = openidc.jwt_verify(res.body, opts)
+ if err then
+ err = "userinfo jwt could not be verified: " .. err
+ return nil, err
+ end
+ return json
+ end
+
 -- parse the response from the user info endpoint
 return openidc_parse_json_response(res)
 end
diff -Nru lua-resty-2402141948/debian/modules/lua-resty-openidc/tests/spec/test_support.lua lua-resty-2403271305/debian/modules/lua-resty-openidc/tests/spec/test_support.lua
--- lua-resty-2402141948/debian/modules/lua-resty-openidc/tests/spec/test_support.lua 2023-12-01 05:32:17.000000000 +0000
+++ lua-resty-2403271305/debian/modules/lua-resty-openidc/tests/spec/test_support.lua 2024-03-27 12:05:58.000000000 +0000
@@ -326,6 +326,15 @@
 }
 }
+ location /user-info-signed {
+ content_by_lua_block {
+ local auth = ngx.req.get_headers()["Authorization"]
+ ngx.header.content_type = 'application/jwt;charset=UTF-8'
+ local signed_userinfo = test_globals.create_jwt(USERINFO)
+ ngx.print(signed_userinfo)
+ }
+ }
+
 location /introspection {
 content_by_lua_block {
 ngx.req.read_body()
diff -Nru lua-resty-2402141948/debian/modules/lua-resty-openidc/tests/spec/userinfo_spec.lua lua-resty-2403271305/debian/modules/lua-resty-openidc/tests/spec/userinfo_spec.lua
--- lua-resty-2402141948/debian/modules/lua-resty-openidc/tests/spec/userinfo_spec.lua 2023-12-01 05:32:17.000000000 +0000
+++ lua-resty-2403271305/debian/modules/lua-resty-openidc/tests/spec/userinfo_spec.lua 2024-03-27 12:05:58.000000000 +0000
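Review bot: `string.lower(res.headers["Content-Type"])` raises a Lua error when the userinfo response has no Content-Type header, turning what used to be a JSON parse attempt into an aborted login; a missing header should fall through to openidc_parse_json_response. Suggested: `local content_type = res.headers["Content-Type"]` followed by `if content_type and string.find(string.lower(content_type), "application/jwt", 1, true) then`, which also switches to a plain find for the literal media type. If lua-resty-http returns a table for a repeated header, that case needs handling too. Separately, OpenID Connect Core §5.3.2 requires the `sub` in a signed userinfo response to match the ID token's `sub`; whether the caller already checks that is not visible here and is worth confirming.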
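Review bot: `local auth = ngx.req.get_headers()["Authorization"]` in the new `/user-info-signed` location is assigned and never used, so luacheck will flag it; either drop the line or have the fixture behave like a protected endpoint with `if not auth then ngx.exit(401) end`, so the test also proves the access token is sent.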
@@ -169,3 +169,26 @@ assert.error_log_contains("JSON decoding failed") end) end) + +describe("when userinfo endpoint returns a JWT", function() + test_support.start_server({ + oidc_opts = { + discovery = { + userinfo_endpoint = "http://127.0.0.1/user-info-signed", + token_endpoint_auth_methods_supported = { "private_key_jwt" }, + }, + token_endpoint_auth_method = "private_key_jwt", + client_rsa_private_key = test_support.load("/spec/private_rsa_key.pem"), + public_key = test_support.load("/spec/public_rsa_key.pem"), + }, + }) + teardown(test_support.stop_server) + local _, status = test_support.login() + it("login succeeds", function() + assert.are.equals(302, status) + end) + it("an error has not been logged", function() + assert.is_not.error_log_contains("JSON decoding failed") + assert.is_not.error_log_contains("userinfo jwt could not be verified") + end) +end) diff -Nru lua-resty-2402141948/debian/modules/lua-resty-redis/lib/resty/redis.lua lua-resty-2403271305/debian/modules/lua-resty-redis/lib/resty/redis.lua --- lua-resty-2402141948/debian/modules/lua-resty-redis/lib/resty/redis.lua 2023-12-01 05:32:12.000000000 +0000 +++ lua-resty-2403271305/debian/modules/lua-resty-redis/lib/resty/redis.lua 2024-03-27 12:05:58.000000000 +0000 @@ -16,6 +16,7 @@ local tostring = tostring local rawget = rawget local select = select +local tb_clear = require "table.clear" --local error = error @@ -24,7 +25,8 @@ new_tab = function (narr, nrec) return {} end end - +local tab_pool_len = 0 +local tab_pool = new_tab(16, 0) local _M = new_tab(0, 55) _M._VERSION = '0.30' 
@@ -59,6 +61,27 @@
 local mt = { __index = _M }
+local function get_tab_from_pool()
+ if tab_pool_len > 0 then
+ tab_pool_len = tab_pool_len - 1
+ return tab_pool[tab_pool_len + 1]
+ end
+
+ return new_tab(24, 0) -- one field takes 5 slots
+end
+
+
+local function put_tab_into_pool(tab)
+ if tab_pool_len >= 32 then
+ return
+ end
+
+ tb_clear(tab)
+ tab_pool_len = tab_pool_len + 1
+ tab_pool[tab_pool_len] = tab
+end
+
+
 function _M.new(self)
 local sock, err = tcp()
 if not sock then
@@ -305,9 +328,11 @@
 local function _gen_req(args)
 local nargs = #args
- local req = new_tab(nargs * 5 + 1, 0)
- req[1] = "*" .. nargs .. "\r\n"
- local nbits = 2
+ local req = get_tab_from_pool()
+ req[1] = "*"
+ req[2] = nargs
+ req[3] = "\r\n"
+ local nbits = 4
 for i = 1, nargs do
 local arg = args[i]
@@ -355,6 +380,8 @@
 -- print("request: ", table.concat(req))
 local bytes, err = sock:send(req)
+ put_tab_into_pool(req)
+
 if not bytes then
 return nil, err
 end
@@ -625,6 +652,10 @@
 end
 local bytes, err = sock:send(reqs)
+ for _, req in ipairs(reqs) do
+ put_tab_into_pool(req)
+ end
+
 if not bytes then
 return nil, err
 end
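Review bot: put_tab_into_pool keeps a table's array capacity after `tb_clear`, so one large command (an MSET with thousands of arguments grows its request table by 5 slots per argument) leaves that capacity parked in the worker-wide pool indefinitely, up to 32 such tables; the pool is module-level state shared by every connection in the worker. Dropping oversized tables rather than recycling them bounds this: `if tab_pool_len >= 32 or #tab > 512 then return end`, with `#tab` read before `tb_clear`. The `-- one field takes 5 slots` comment on `new_tab(24, 0)` is hard to relate to 24; if it means three header slots plus five per argument for a four-argument command, saying so would help.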
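Review bot: `put_tab_into_pool(req)` immediately after `sock:send(req)` recycles the table even when `bytes` is nil, which is only safe if send has copied every fragment out of the table before returning on all paths, including timeout; ngx_lua's cosocket send does copy the data into its own send buffers before yielding as far as I know, but the assumption should be written down next to the call: `-- send() copies the fragments before returning, so req can be recycled even on error`.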