Posted to notifications@apisix.apache.org by "kingluo (via GitHub)" <gi...@apache.org> on 2023/05/05 09:22:13 UTC

[GitHub] [apisix] kingluo commented on a diff in pull request #9322: feat: route-level MTLS

kingluo commented on code in PR #9322:
URL: https://github.com/apache/apisix/pull/9322#discussion_r1185877186


##########
apisix/init.lua:
##########
@@ -310,12 +313,38 @@ local function verify_tls_client(ctx)
 end
 
 
+local function uri_matches_skip_mtls_route_patterns(ssl, uri)
+    for _, pat in ipairs(ssl.value.client.skip_mtls_uri_regex) do
+        if ngx_re_match(uri, pat,  "jo") then
+            return true
+        end
+    end
+end
+
+
 local function verify_https_client(ctx)
     local scheme = ctx.var.scheme
     if scheme ~= "https" then
         return true
     end
 
+    local matched_ssl = ngx.ctx.matched_ssl
+    if matched_ssl.value.client
+        and matched_ssl.value.client.skip_mtls_uri_regex
+        and apisix_ssl.support_client_verification()
+        and (not uri_matches_skip_mtls_route_patterns(matched_ssl, ngx.var.uri)) then
+        local res = ctx.var.ssl_client_verify
+        if res ~= "SUCCESS" then
+            if res == "NONE" then
+                core.log.error("client certificate was not present")
+            else
+                core.log.error("client certificate verification is not passed: ", res)
+            end
+
+            return false
+        end
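
Review bot: In uri_matches_skip_mtls_route_patterns, the second return value of ngx_re_match is dropped, so a pattern that fails to compile is indistinguishable from "no match" and the misconfiguration never shows up in the logs. Capture it, e.g. `local m, err = ngx_re_match(uri, pat, "jo")`, and log err when it is set; the fall-through to enforcing mTLS is the right default. The match is also unanchored, so an entry in skip_mtls_uri_regex exempts any URI that contains it anywhere, not only URIs that start with it; the schema documentation should say that patterns must carry their own ^ and $ anchors. In verify_https_client, matched_ssl.value is indexed without a nil check on ngx.ctx.matched_ssl, and the URI is read from ngx.var.uri while the rest of the function reads from ctx.var; a guard and ctx.var.uri would keep it consistent.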

Review Comment:
   Not necessary, only logging statements there. Not so much intersection.
   The original code is for host check, which is a different logic, and it's better to keep the original version.


