feat: release 2.10.3 (#5958)

Co-authored-by: kaihaojiang <kaihaojiang@tencent.com>
Co-authored-by: 罗泽轩 <spacewanderlzx@gmail.com>
Co-authored-by: jack.fu <jack.fu@yijinin.com>
Co-authored-by: sunaowei <sunaowei@neild>
Co-authored-by: cache-missing <90820067+cache-missing@users.noreply.github.com>
Co-authored-by: tzssangglass <tzssangglass@gmail.com>
Co-authored-by: 帅进超 <shuaijinchao@gmail.com>
Co-authored-by: leslie <59061168+leslie-tsang@users.noreply.github.com>
Co-authored-by: jackfu <jackfu1008@gmail.com>
Co-authored-by: S96EA <neild47@163.com>

Author: 11 people

.github/workflows/build.yml

@@ -25,7 +25,6 @@ jobs:
           - linux_openresty
           - linux_openresty_1_17
           - linux_tengine
-          - linux_apisix_master_luarocks
           - linux_apisix_current_luarocks
           - linux_openresty_mtls
 

CHANGELOG.md

@@ -23,6 +23,7 @@ title: Changelog
 
 ## Table of Contents
 
+- [2.10.3](#2103)
 - [2.10.2](#2102)
 - [2.10.1](#2101)
 - [2.10.0](#2100)
@@ -48,6 +49,26 @@ title: Changelog
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 2.10.3
+
+### Bugfix
+
+- fix: str concat in error call [#5540](https://github.com/apache/apisix/pull/5540)
+- fix: ignore changes of /apisix/plugins/ [#5558](https://github.com/apache/apisix/pull/5558)
+- fix: invalid error after passive health check is changed [#5589](https://github.com/apache/apisix/pull/5589)
+- fix(batch-processor): we didn't free stale object actually [#5700](https://github.com/apache/apisix/pull/5700)
+- fix(patch): add global `math.randomseed` patch support [#5682](https://github.com/apache/apisix/pull/5682)
+- fix(log-rotate): after enabling compression collect log exceptions [#5715](https://github.com/apache/apisix/pull/5715)
+- feat(ext-plugin): avoid sending conf request more times [#5183](https://github.com/apache/apisix/pull/5183)
+- feat: use lock to ensure fetching token from shdict always [#5263](https://github.com/apache/apisix/pull/5263)
+- fix(ext-plugin): don't use stale key [#5782](https://github.com/apache/apisix/pull/5782)
+- fix(mqtt-proxy): client id can be empty [#5816](https://github.com/apache/apisix/pull/5816)
+- fix(sls-logger): log entry unable get millisecond timestamp [#5820](https://github.com/apache/apisix/pull/5820)
+- fix(ua-restriction): refine plugin configuration check logic [#5728](https://github.com/apache/apisix/pull/5728)
+- fix(cors): compatible with scenarios where origin is modified [#5890](https://github.com/apache/apisix/pull/5890)
+- fix(proxy-rewrite): make sure proxy-rewrite update the core.request.header cache [#5914](https://github.com/apache/apisix/pull/5914)
+- fix(mqtt): handle properties for MQTT 5 [#5916](https://github.com/apache/apisix/pull/5916)
+
 ## 2.10.2
 
 ### Bugfix

apisix/cli/ngx_tpl.lua

@@ -191,6 +191,9 @@ http {
     # for authz-keycloak
     lua_shared_dict access-tokens {* http.lua_shared_dict["access-tokens"] *}; # cache for service account access tokens
 
+    # for ext-plugin
+    lua_shared_dict ext-plugin {* http.lua_shared_dict["ext-plugin"] *}; # cache for ext-plugin
+
     # for custom shared dict
     {% if http.custom_lua_shared_dict then %}
     {% for cache_key, cache_size in pairs(http.custom_lua_shared_dict) do %}

apisix/core/version.lua

@@ -15,5 +15,5 @@
 -- limitations under the License.
 --
 return {
-    VERSION = "2.10.2"
+    VERSION = "2.10.3"
 }

apisix/patch.lua

@@ -20,18 +20,23 @@ local ipmatcher = require("resty.ipmatcher")
 local socket = require("socket")
 local unix_socket = require("socket.unix")
 local ssl = require("ssl")
+local ngx = ngx
 local get_phase = ngx.get_phase
 local ngx_socket = ngx.socket
 local original_tcp = ngx.socket.tcp
 local original_udp = ngx.socket.udp
 local concat_tab = table.concat
+local debug = debug
 local new_tab = require("table.new")
 local log = ngx.log
 local WARN = ngx.WARN
 local ipairs = ipairs
 local select = select
 local setmetatable = setmetatable
+local string = string
+local table = table
 local type = type
+local tonumber = tonumber
 
 
 local config_local
@@ -86,6 +91,48 @@ do
 end
 
 
+do -- `math.randomseed` patch
+    -- `math.random` generates PRND(pseudo-random numbers) from the seed set by `math.randomseed`
+    -- Many module libraries use `ngx.time` and `ngx.worker.pid` to generate seeds which may
+    -- loss randomness in container env (where pids are identical, e.g. root pid is 1)
+    -- Kubernetes may launch multi instance with deployment RS at the same time, `ngx.time` may
+    -- get same return in the pods.
+    -- Therefore, this global patch enforce entire framework to use
+    -- the best-practice PRND generates.
+
+    local resty_random = require("resty.random")
+    local math_randomseed = math.randomseed
+    local seeded = {}
+
+    -- make linter happy
+    -- luacheck: ignore
+    math.randomseed = function()
+        local worker_pid = ngx.worker.pid()
+
+        -- check seed mark
+        if seeded[worker_pid] then
+            log(ngx.DEBUG, debug.traceback("Random seed has been inited", 2))
+            return
+        end
+
+        -- generate randomseed
+        -- chose 6 from APISIX's SIX, 256 ^ 6 should do the trick
+        -- it shouldn't be large than 16 to prevent overflow.
+        local random_bytes = resty_random.bytes(6)
+        local t = {}
+
+        for i = 1, #random_bytes do
+            t[i] = string.byte(random_bytes, i)
+        end
+
+        local s = table.concat(t)
+
+        math_randomseed(tonumber(s))
+        seeded[worker_pid] = true
+    end
+end -- do
+
+
 local patch_udp_socket
 do
     local old_udp_sock_setpeername

apisix/plugin.lua

@@ -234,7 +234,7 @@ function _M.load(config)
         local_conf, err = core.config.local_conf(true)
         if not local_conf then
             -- the error is unrecoverable, so we need to raise it
-            error("failed to load the configuration file: ", err)
+            error("failed to load the configuration file: " .. err)
         end
 
         http_plugin_names = local_conf.plugins
@@ -245,13 +245,15 @@ function _M.load(config)
         stream_plugin_names = {}
         local plugins_conf = config.value
         -- plugins_conf can be nil when another instance writes into etcd key "/apisix/plugins/"
-        if plugins_conf then
-            for _, conf in ipairs(plugins_conf) do
-                if conf.stream then
-                    core.table.insert(stream_plugin_names, conf.name)
-                else
-                    core.table.insert(http_plugin_names, conf.name)
-                end
+        if not plugins_conf then
+            return local_plugins
+        end
+
+        for _, conf in ipairs(plugins_conf) do
+            if conf.stream then
+                core.table.insert(stream_plugin_names, conf.name)
+            else
+                core.table.insert(http_plugin_names, conf.name)
             end
         end
     end

apisix/plugins/cors.lua

@@ -227,14 +227,16 @@ end
 
 
 function _M.rewrite(conf, ctx)
+    -- save the original request origin as it may be changed at other phase
+    ctx.original_request_origin = core.request.header(ctx, "Origin")
     if ctx.var.request_method == "OPTIONS" then
         return 200
     end
 end
 
 
 function _M.header_filter(conf, ctx)
-    local req_origin = core.request.header(ctx, "Origin")
+    local req_origin =  ctx.original_request_origin
     -- Try allow_origins first, if mismatched, try allow_origins_by_regex.
     local allow_origins
     allow_origins = process_with_allow_origins(conf, ctx, req_origin)

apisix/plugins/ext-plugin/init.lua

@@ -40,6 +40,7 @@ if is_http then
     ngx_pipe = require("ngx.pipe")
     events = require("resty.worker.events")
 end
+local resty_lock = require("resty.lock")
 local resty_signal = require "resty.signal"
 local bit = require("bit")
 local band = bit.band
@@ -63,11 +64,18 @@ local type = type
 
 
 local events_list
-local lrucache = core.lrucache.new({
-    type = "plugin",
-    invalid_stale = true,
-    ttl = helper.get_conf_token_cache_time(),
-})
+
+local function new_lrucache()
+    return core.lrucache.new({
+        type = "plugin",
+        invalid_stale = true,
+        ttl = helper.get_conf_token_cache_time(),
+    })
+end
+local lrucache = new_lrucache()
+
+local shdict_name = "ext-plugin"
+local shdict = ngx.shared[shdict_name]
 
 local schema = {
     type = "object",
@@ -293,14 +301,74 @@ local function handle_extra_info(ctx, input)
 end
 
 
+local function fetch_token(key)
+    if shdict then
+        return shdict:get(key)
+    else
+        core.log.error('shm "ext-plugin" not found')
+        return nil
+    end
+end
+
+
+local function store_token(key, token)
+    if shdict then
+        local exp = helper.get_conf_token_cache_time()
+        -- early expiry, lrucache in critical state sends prepare_conf_req as original behaviour
+        exp = exp * 0.9
+        local success, err, forcible = shdict:set(key, token, exp)
+        if not success then
+            core.log.error("ext-plugin:failed to set conf token, err: ", err)
+        end
+        if forcible then
+            core.log.warn("ext-plugin:set valid items forcibly overwritten")
+        end
+    else
+        core.log.error('shm "ext-plugin" not found')
+    end
+end
+
+
+local function flush_token()
+    if shdict then
+        core.log.warn("flush conf token in shared dict")
+        shdict:flush_all()
+    else
+        core.log.error('shm "ext-plugin" not found')
+    end
+end
+
+
 local rpc_call
 local rpc_handlers = {
     nil,
     function (conf, ctx, sock, unique_key)
+        local token = fetch_token(unique_key)
+        if token then
+            core.log.info("fetch token from shared dict, token: ", token)
+            return token
+        end
+
+        local lock, err = resty_lock:new(shdict_name)
+        if not lock then
+            return nil, "failed to create lock: " .. err
+        end
+
+        local elapsed, err = lock:lock("prepare_conf")
+        if not elapsed then
+            return nil, "failed to acquire the lock: " .. err
+        end
+
+        local token = fetch_token(unique_key)
+        if token then
+            lock:unlock()
+            core.log.info("fetch token from shared dict, token: ", token)
+            return token
+        end
+
         builder:Clear()
 
         local key = builder:CreateString(unique_key)
-
         local conf_vec
         if conf.conf then
             local len = #conf.conf
@@ -331,23 +399,30 @@ local rpc_handlers = {
 
         local ok, err = send(sock, constants.RPC_PREPARE_CONF, builder:Output())
         if not ok then
+            lock:unlock()
             return nil, "failed to send RPC_PREPARE_CONF: " .. err
         end
 
         local ty, resp = receive(sock)
         if ty == nil then
+            lock:unlock()
             return nil, "failed to receive RPC_PREPARE_CONF: " .. resp
         end
 
         if ty ~= constants.RPC_PREPARE_CONF then
+            lock:unlock()
             return nil, "failed to receive RPC_PREPARE_CONF: unexpected type " .. ty
         end
 
         local buf = flatbuffers.binaryArray.New(resp)
         local pcr = prepare_conf_resp.GetRootAsResp(buf, 0)
-        local token = pcr:ConfToken()
+        token = pcr:ConfToken()
 
         core.log.notice("get conf token: ", token, " conf: ", core.json.delay_encode(conf.conf))
+        store_token(unique_key, token)
+
+        lock:unlock()
+
         return token
     end,
     function (conf, ctx, sock, entry)
@@ -471,7 +546,6 @@ local rpc_handlers = {
         local buf = flatbuffers.binaryArray.New(resp)
         local call_resp = http_req_call_resp.GetRootAsResp(buf, 0)
         local action_type = call_resp:ActionType()
-
         if action_type == http_req_call_action.Stop then
             local action = call_resp:Action()
             local stop = http_req_call_stop.New()
@@ -588,15 +662,14 @@ rpc_call = function (ty, conf, ctx, ...)
 end
 
 
-local function create_lrucache()
+local function recreate_lrucache()
+    flush_token()
+
     if lrucache then
         core.log.warn("flush conf token lrucache")
     end
 
-    lrucache = core.lrucache.new({
-        type = "plugin",
-        ttl = helper.get_conf_token_cache_time(),
-    })
+    lrucache = new_lrucache()
 end
 
 
@@ -620,7 +693,7 @@ function _M.communicate(conf, ctx, plugin_name)
         end
 
         core.log.warn("refresh cache and try again")
-        create_lrucache()
+        recreate_lrucache()
     end
 
     core.log.error(err)
@@ -717,7 +790,7 @@ function _M.init_worker()
     )
 
     -- flush cache when runner exited
-    events.register(create_lrucache, events_list._source, events_list.runner_exit)
+    events.register(recreate_lrucache, events_list._source, events_list.runner_exit)
 
     -- note that the runner is run under the same user as the Nginx master
     if process.type() == "privileged agent" then

apisix/plugins/http-logger.lua

@@ -25,6 +25,7 @@ local plugin          = require("apisix.plugin")
 local ngx      = ngx
 local tostring = tostring
 local ipairs   = ipairs
+local pairs    = pairs
 local timer_at = ngx.timer.at
 
 local plugin_name = "http-logger"
@@ -150,7 +151,7 @@ local function remove_stale_objects(premature)
         return
     end
 
-    for key, batch in ipairs(buffers) do
+    for key, batch in pairs(buffers) do
         if #batch.entry_buffer.entries == 0 and #batch.batch_to_process == 0 then
             core.log.warn("removing batch processor stale object, conf: ",
                           core.json.delay_encode(key))