Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

KONG IP Restriction plugin doesn't support multiple ip/cidr separated by comma #4570

Closed xtray closed 5 years ago

xtray commented 5 years ago

Summary

I have enabled the IP Restriction plugin on a consumer. For a single IP/CIDR configured in the whitelist, it is OK, but when configuring multiple values separated by comma, which is the same as the example from the official document: https://docs.konghq.com/hub/kong-inc/ip-restriction/#enabling-the-plugin-on-a-consumer

The official example:

curl -X POST http://kong:8001/plugins \
    --data "name=ip-restriction" \
    --data "consumer_id={consumer_id}"  \
    --data "config.whitelist=54.13.21.1, 143.1.0.0/24"

it will give error hints like:


# curl -X POST http://localhost:8001/plugins \
     --data "name=ip-restriction" \
     --data "consumer_id=b2b0632f-bbae-4a85-818c-5e46aaa08033"  \
     --data "config.whitelist=54.13.21.1, 143.1.0.0/24"
{"message":"2 schema violations (config.whitelist: {\n  \"invalid cidr range: Invalid IP\"\n}; consumer_id: unknown field)","name":"schema violation","fields":{"config":{"whitelist":["invalid cidr range: Invalid IP"]},"consumer_id":"unknown field"},"code":2}

# curl -X PATCH http://localhost:8001/plugins/7eb449b2-1700-422e-ae30-8501ff4f00b3 --data "config.whitelist=54.13.21.2, 54.13.21.5"
{"message":"schema violation (config.whitelist: {\n  \"invalid cidr range: Invalid IP\"\n})","name":"schema violation","fields":{"config":{"whitelist":["invalid cidr range: Invalid IP"]}},"code":2}

# curl -X PATCH http://localhost:8001/plugins/7eb449b2-1700-422e-ae30-8501ff4f00b3 --data "config.whitelist=54.13.21.2, 54.13.21.0/24"
{"message":"schema violation (config.whitelist: {\n  \"invalid cidr range: Invalid IP\"\n})","name":"schema violation","fields":{"config":{"whitelist":["invalid cidr range: Invalid IP"]}},"code":2}

But single ip/cidr is OK

# curl -X PATCH http://localhost:8001/plugins/7eb449b2-1700-422e-ae30-8501ff4f00b3 --data "config.whitelist=54.13.21.2"
{"created_at":1557108377,"config":{"whitelist":["54.13.21.2"],"blacklist":null},"id":"7eb449b2-1700-422e-ae30-8501ff4f00b3","service":null,"name":"ip-restriction","protocols":["http","https"],"enabled":true,"run_on":"first","consumer":{"id":"b2b0632f-bbae-4a85-818c-5e46aaa08033"},"route":null,"tags":null}

# curl -X PATCH http://localhost:8001/plugins/7eb449b2-1700-422e-ae30-8501ff4f00b3 --data "config.whitelist=54.13.21.0/24"
{"created_at":1557108377,"config":{"whitelist":["54.13.21.0\/24"],"blacklist":null},"id":"7eb449b2-1700-422e-ae30-8501ff4f00b3","service":null,"name":"ip-restriction","protocols":["http","https"],"enabled":true,"run_on":"first","consumer":{"id":"b2b0632f-bbae-4a85-818c-5e46aaa08033"},"route":null,"tags":null}


Steps To Reproduce

  1. turn on ip-restriction on a consumer, white list with multiple values
# curl -X POST http://localhost:8001/plugins \
 --data "name=ip-restriction" \
 --data "consumer.id=b2b0632f-bbae-4a85-818c-5e46aaa08033" \
 --data "config.whitelist=54.13.21.2, 54.13.21.0/24"
{"message":"schema violation (config.whitelist: {\n  \"invalid cidr range: Invalid IP\"\n})","name":"schema violation","fields":{"config":{"whitelist":["invalid cidr range: Invalid IP"]}},"code":2}
  2. change to single ip/cidr will be ok
    
    # curl -X POST http://localhost:8001/plugins  --data "name=ip-restriction"  --data "consumer.id=b2b0632f-bbae-4a85-818c-5e46aaa08033"  --data "config.whitelist=54.13.21.0/24"
    {"created_at":1557117021,"config":{"whitelist":["54.13.21.0\/24"],"blacklist":null},"id":"090bf321-6b95-4833-97bf-0c60f37b7f40","service":null,"name":"ip-restriction","protocols":["http","https"],"enabled":true,"run_on":"first","consumer":{"id":"b2b0632f-bbae-4a85-818c-5e46aaa08033"},"route":null,"tags":null}
check the plugin:

curl http://localhost:8001/plugins |jq

{ "next": null, "data": [ { "created_at": 1557117021, "config": { "whitelist": [ "54.13.21.0/24" ], "blacklist": null }, "id": "090bf321-6b95-4833-97bf-0c60f37b7f40", "service": null, "name": "ip-restriction", "protocols": [ "http", "https" ], "enabled": true, "run_on": "first", "consumer": { "id": "b2b0632f-bbae-4a85-818c-5e46aaa08033" }, "route": null, "tags": null }


3. update to whitelist with multiple ip/cidr also fails

curl -X PATCH http://localhost:8001/plugins/090bf321-6b95-4833-97bf-0c60f37b7f40 --data "config.whitelist=54.13.21.2, 54.13.21.5"

{"message":"schema violation (config.whitelist: {\n \"invalid cidr range: Invalid IP\"\n})","name":"schema violation","fields":{"config":{"whitelist":["invalid cidr range: Invalid IP"]}},"code":2}

curl -X PATCH http://localhost:8001/plugins/090bf321-6b95-4833-97bf-0c60f37b7f40 --data "config.whitelist=54.13.21.2, 54.13.21.0/24"

{"message":"schema violation (config.whitelist: {\n \"invalid cidr range: Invalid IP\"\n})","name":"schema violation","fields":{"config":{"whitelist":["invalid cidr range: Invalid IP"]}},"code":2}


4. change to update single ip/cidr will be ok

curl -X PATCH http://localhost:8001/plugins/090bf321-6b95-4833-97bf-0c60f37b7f40 --data "config.whitelist=54.13.21.5"

{"created_at":1557117021,"config":{"whitelist":["54.13.21.5"],"blacklist":null},"id":"090bf321-6b95-4833-97bf-0c60f37b7f40","service":null,"name":"ip-restriction","protocols":["http","https"],"enabled":true,"run_on":"first","consumer":{"id":"b2b0632f-bbae-4a85-818c-5e46aaa08033"},"route":null,"tags":null}

curl -X PATCH http://localhost:8001/plugins/090bf321-6b95-4833-97bf-0c60f37b7f40 --data "config.whitelist=54.13.0.0/16"

{"created_at":1557117021,"config":{"whitelist":["54.13.0.0\/16"],"blacklist":null},"id":"090bf321-6b95-4833-97bf-0c60f37b7f40","service":null,"name":"ip-restriction","protocols":["http","https"],"enabled":true,"run_on":"first","consumer":{"id":"b2b0632f-bbae-4a85-818c-5e46aaa08033"},"route":null,"tags":null}


check:

curl http://localhost:8001/plugins|jq

{ "next": null, "data": [ { "created_at": 1557117021, "config": { "whitelist": [ "54.13.0.0/16" ], "blacklist": null }, "id": "090bf321-6b95-4833-97bf-0c60f37b7f40", "service": null, "name": "ip-restriction", "protocols": [ "http", "https" ],


### Additional Details & Logs

- Kong version (`$ kong version`)
  1.1.2
- Kong debug-level startup logs (`$ kong start --vv`)

kong start -c /etc/kong/kong.conf -vv


- Kong error logs (`<KONG_PREFIX>/logs/error.log`)

==> error.log <==
2019/05/06 12:37:13 [notice] 10903#0: openresty/1.13.6.2
2019/05/06 12:37:13 [notice] 10903#0: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
2019/05/06 12:37:13 [notice] 10903#0: OS: Linux 3.10.0-514.26.2.el7.x86_64
2019/05/06 12:37:13 [notice] 10903#0: getrlimit(RLIMIT_NOFILE): 1024:4096
2019/05/06 12:37:13 [notice] 10910#0: start worker processes
2019/05/06 12:37:13 [notice] 10910#0: start worker process 10911
2019/05/06 12:37:13 [notice] 10910#0: start worker process 10912
2019/05/06 12:37:13 [notice] 10910#0: start worker process 10913
2019/05/06 12:37:13 [notice] 10910#0: start worker process 10914
2019/05/06 12:37:13 [warn] 10912#0: 1 [lua] globalpatches.lua:47: sleep(): executing a blocking 'sleep' (0.001 seconds), context: init_worker_by_lua

==> admin_access.log <== 127.0.0.1 - - [06/May/2019:12:39:24 +0800] "PATCH /plugins/090bf321-6b95-4833-97bf-0c60f37b7f40 HTTP/1.1" 400 197 "-" "curl/7.29.0"


- Kong configuration (the output of a GET request to Kong's Admin port - see
  https://docs.konghq.com/latest/admin-api/#retrieve-node-information)


- Operating system

cat /etc/os-release

NAME="Red Hat Enterprise Linux Server"
VERSION="7.3 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="7.3"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.3 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.3:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.3
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.3"

bungle commented 5 years ago

See: https://github.com/Kong/docs.konghq.com/blob/docs/fix-array-notation-examples/app/1.1.x/admin-api.md#supported-content-types

Tieske commented 5 years ago

The above comment by @bungle provides the reference. Fwiw; the first thing I noticed is that you do not comma separate the values, but separated them by comma+space.

xtray commented 5 years ago

> The above comment by @bungle provides the reference. Fwiw; the first thing I noticed is that you do not comma separate the values, but separated them by comma+space.

Actually it is the same as the example from the official document: https://docs.konghq.com/hub/kong-inc/ip-restriction/#enabling-the-plugin-on-a-service

Thanks bungle and Tieske, the issue was not on "comma+space" or comma only,

# curl -X POST http://localhost:8001/plugins \
>  --data "name=ip-restriction" \
>  --data "consumer.id=b2b0632f-bbae-4a85-818c-5e46aaa08033" \
>  --data "config.whitelist=54.13.21.2,54.13.21.0/24"
{"message":"schema violation (config.whitelist: {\n  \"invalid cidr range: Invalid IP\"\n})","name":"schema violation","fields":{"config":{"whitelist":["invalid cidr range: Invalid IP"]}},"code":2}

I have tried to get the schema

# curl http://localhost:8001/plugins/schema/ip-restriction

{
  "fields": [
    {
      "whitelist": {
        "elements": {
          "type": "string"
        },
        "type": "array"
      }
    },
    {
      "blacklist": {
        "elements": {
          "type": "string"
        },
        "type": "array"
      }
    }
  ]
}

So I changed the format to configure multiple values and it succeeded:

# curl -X PATCH http://localhost:8001/plugins/090bf321-6b95-4833-97bf-0c60f37b7f40 --data config.whitelist[1]=54.13.21.2 --data config.whitelist[2]=54.13.21.0/24
{"created_at":1557117021,"config":{"whitelist":["54.13.21.2","54.13.21.0\/24"],"blacklist":null},"id":"090bf321-6b95-4833-97bf-0c60f37b7f40","service":null,"name":"ip-restriction","protocols":["http","https"],"enabled":true,"run_on":"first","consumer":{"id":"b2b0632f-bbae-4a85-818c-5e46aaa08033"},"route":null,"tags":null}

# curl http://localhost:8001/plugins/090bf321-6b95-4833-97bf-0c60f37b7f40|jq
{
  "created_at": 1557117021,
  "config": {
    "whitelist": [
      "54.13.21.2",
      "54.13.21.0/24"
    ],
    "blacklist": null
  },

But a comma-separated string array still fails.
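
As an added example (not part of the original thread or of the Kong code base), a shell helper that turns the comma-separated list from the report into the `config.whitelist[N]` form fields that worked above, rejecting any entry that is not an IPv4 address or CIDR before it reaches the Admin API. The function names are hypothetical, only IPv4 is checked, and the validator treats the whole unsplit string as a single entry the same way the schema error in the thread suggests the gateway did.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Kong.

# is_ipv4_or_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/0-32.
is_ipv4_or_cidr() {
    entry=$1
    addr=${entry%%/*}
    case $entry in
        */*) prefix=${entry#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in
        *[!0-9.]*|*.*.*.*.*) return 1 ;;   # stray characters or too many dots
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr        # unquoted on purpose: only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# whitelist_form_args "a, b/24": print one Admin API form field per line,
#   config.whitelist[1]=a
#   config.whitelist[2]=b/24
# Prints nothing on stdout and returns 1 if any entry is invalid, so a bad
# list never produces a partially applied allowlist.
whitelist_form_args() {
    list=$1
    case $list in
        ''|*,|*[!0-9./,' ']*) echo "rejected list: $list" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $list
    IFS=$old_ifs
    out='' i=0
    for raw in "$@"; do
        item=$raw
        # Trim the spaces that follow the commas in the documented example.
        while [ "${item# }" != "$item" ]; do item=${item# }; done
        while [ "${item% }" != "$item" ]; do item=${item% }; done
        if ! is_ipv4_or_cidr "$item"; then
            echo "rejected entry: '$item'" >&2
            return 1
        fi
        i=$((i + 1))
        out="${out}config.whitelist[$i]=$item
"
    done
    printf '%s' "$out"
}

# patch_whitelist ADMIN_URL PLUGIN_ID LIST: send the same kind of PATCH that
# succeeded in the thread, one --data argument per array element.
patch_whitelist() {
    admin_url=$1 plugin_id=$2
    fields=$(whitelist_form_args "$3") || return 1
    set --
    while IFS= read -r field; do
        set -- "$@" --data "$field"
    done <<EOF
$fields
EOF
    curl -sS -X PATCH "$admin_url/plugins/$plugin_id" "$@"
}
```

After a successful call, read the plugin back (`curl http://localhost:8001/plugins/<id>`) and confirm that `config.whitelist` holds one array element per entry.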

bungle commented 5 years ago

Comma separated string is not supported on later releases. It could be that we add it back in some cases where there is no conflict on meaning, but for now it depends what version you are running. The PR to fix official docs is not merged mainly because EE 0.34 still uses the comma separated, this incompatibility should go away with EE 0.35 (see: https://github.com/Kong/docs.konghq.com/pull/1225).

xtray commented 5 years ago

> Comma separated string is not supported on later releases. It could be that we add it back in some cases where there is no conflict on meaning, but for now it depends what version you are running. The PR to fix official docs is not merged mainly because EE 0.34 still uses the comma separated, this incompatibility should go away with EE 0.35.

Thanks for the clarification.