Fixes: upgrading to tyk 3.0.13 from 3.0.0

apidef/api_definitions.go

@@ -550,6 +550,7 @@ type ProxyConfig struct {
 		SSLInsecureSkipVerify bool     `bson:"ssl_insecure_skip_verify" json:"ssl_insecure_skip_verify"`
 		SSLCipherSuites       []string `bson:"ssl_ciphers" json:"ssl_ciphers"`
 		SSLMinVersion         uint16   `bson:"ssl_min_version" json:"ssl_min_version"`
+		SSLMaxVersion         uint16   `bson:"ssl_max_version" json:"ssl_max_version"`
 		//Cisco SSL RootCA check
 		SSLForceRootCACheck     bool   `bson:"ssl_force_rootca_check" json:"ssl_force_rootca_check"`
 		SSLRootCACert           string `bson:"ssl_rootca_cert" json:"ssl_rootca_cert"`

gateway/mw_jwt.go

@@ -225,7 +225,7 @@ func (k *JWTMiddleware) getSecretToVerifySignature(r *http.Request, token *jwt.T
 	if !rawKeyExists {
 		//Cisco change to try search "sitekey-<kid>"
 		sitekey := "sitekey-" + tykId
-		session, siteKeyExists := k.CheckSessionAndIdentityForValidKey(&sitekey, r)
+		session, siteKeyExists := k.CheckSessionAndIdentityForValidKey(sitekey, r)
 		if !siteKeyExists {
 			return nil, errors.New("token invalid, key not found")
 		} else {
@@ -593,13 +593,13 @@ func (k *JWTMiddleware) processOneToOneTokenMap(r *http.Request, token *jwt.Toke
 		//Cisco change to try search "sitekey-<kid>"
 		sitekey := "sitekey-" + tykId
 		k.Logger().Debug("Using sitekey ID: ", sitekey)
-		session, siteKeyExists := k.CheckSessionAndIdentityForValidKey(&sitekey, r)
+		session, siteKeyExists := k.CheckSessionAndIdentityForValidKey(sitekey, r)
 		if !siteKeyExists {
 			k.reportLoginFailure(tykId, r)
 			return errors.New("Key not authorized"), http.StatusForbidden
 		} else {
 			k.Logger().Debug("sitekey ID found.")
-			ctxSetSession(r, &session, sitekey, false)
+			ctxSetSession(r, &session, false)
 			ctxSetJWTContextVars(k.Spec, r, token)
 			return nil, http.StatusOK
 		}
@@ -692,7 +692,7 @@ func (k *JWTMiddleware) ProcessRequest(w http.ResponseWriter, r *http.Request, _
 			switch e := val.(type) {
 			case []byte:
 				//key, err := ParseRSAPublicKey(val)
-				key, err := jwt.ParseRSAPublicKeyFromPEM(val)
+				key, err := jwt.ParseRSAPublicKeyFromPEM(val.([]byte))
 				if err != nil {
 					logger.WithError(err).Error("Failed to decode JWT key")
 					return nil, errors.New("Failed to decode JWT key")

gateway/reverse_proxy.go

@@ -853,6 +853,20 @@ func (p *ReverseProxy) WrappedServeHTTP(rw http.ResponseWriter, req *http.Reques
 	}
 	var roundTripper *TykRoundTripper
 
+	// Do this before we make a shallow copy
+	session := ctxGetSession(req)
+
+	outreq := new(http.Request)
+	logreq := new(http.Request)
+
+	*outreq = *req // includes shallow copies of maps, but okay
+	*logreq = *req
+	// remove context data from the copies
+	setContext(outreq, context.Background())
+	setContext(logreq, context.Background())
+
+	p.logger.Debug("Upstream request URL: ", req.URL)
+
 	p.TykAPISpec.Lock()
 
 	// create HTTP transport
@@ -869,7 +883,7 @@ func (p *ReverseProxy) WrappedServeHTTP(rw http.ResponseWriter, req *http.Reques
 		//override the connect timeout value if X-Nd-Proxy-Timeout header is set
 		timeout = p.GetTimeoutFromProxyHeader(p.TykAPISpec, req, timeout)
 
-		p.TykAPISpec.HTTPTransport = httpTransport(timeout, rw, req, p)
+		p.TykAPISpec.HTTPTransport = httpTransport(timeout, rw, req, outreq, p)
 		p.TykAPISpec.HTTPTransportCreated = time.Now()
 
 		p.logger.Debug("Creating new transport")
@@ -894,20 +908,6 @@ func (p *ReverseProxy) WrappedServeHTTP(rw http.ResponseWriter, req *http.Reques
 		}()
 	}
 
-	// Do this before we make a shallow copy
-	session := ctxGetSession(req)
-
-	outreq := new(http.Request)
-	logreq := new(http.Request)
-
-	*outreq = *req // includes shallow copies of maps, but okay
-	*logreq = *req
-	// remove context data from the copies
-	setContext(outreq, context.Background())
-	setContext(logreq, context.Background())
-
-	p.logger.Debug("Upstream request URL: ", req.URL)
-
 	// We need to double set the context for the outbound request to reprocess the target
 	if p.TykAPISpec.URLRewriteEnabled && req.Context().Value(ctx.RetainHost) == true {
 		p.logger.Debug("Detected host rewrite, notifying director")
@@ -971,38 +971,15 @@ func (p *ReverseProxy) WrappedServeHTTP(rw http.ResponseWriter, req *http.Reques
 
 	// set up TLS certificates for upstream if needed
 	var tlsCertificates []tls.Certificate
-	if cert := getUpstreamCertificate(outreq.URL.Host, p.TykAPISpec); cert != nil {
+	if cert := getUpstreamCertificate(outreq.Host, p.TykAPISpec); cert != nil {
 		p.logger.Debug("Found upstream mutual TLS certificate")
 		tlsCertificates = []tls.Certificate{*cert}
 	}
 
 	p.TykAPISpec.Lock()
-
-	// create HTTP transport
-	createTransport := p.TykAPISpec.HTTPTransport == nil
-
-	// Check if timeouts are set for this endpoint
-	if !createTransport && config.Global().MaxConnTime != 0 {
-		createTransport = time.Since(p.TykAPISpec.HTTPTransportCreated) > time.Duration(config.Global().MaxConnTime)*time.Second
-	}
-
-	if createTransport {
-		_, timeout := p.CheckHardTimeoutEnforced(p.TykAPISpec, req)
-		p.TykAPISpec.HTTPTransport = httpTransport(timeout, rw, req, outreq, p)
-		p.TykAPISpec.HTTPTransportCreated = time.Now()
-	}
-
-	roundTripper = p.TykAPISpec.HTTPTransport
-
-	if roundTripper.transport != nil {
-		roundTripper.transport.TLSClientConfig.Certificates = tlsCertificates
-	}
+	roundTripper.transport.TLSClientConfig.Certificates = tlsCertificates
 	p.TykAPISpec.Unlock()
 
-	if outreq.URL.Scheme == "h2c" {
-		outreq.URL.Scheme = "http"
-	}
-
 	if p.TykAPISpec.Proxy.Transport.SSLForceCommonNameCheck || config.Global().SSLForceCommonNameCheck {
 		// if proxy is enabled, add CommonName verification in verifyPeerCertificate
 		// DialTLS is not executed if proxy is used
@@ -1144,7 +1121,7 @@ func (p *ReverseProxy) WrappedServeHTTP(rw http.ResponseWriter, req *http.Reques
 		}
 	}
 
-	ses := new(user.SessionState)
+	ses := user.NewSessionState()
 	if session != nil {
 		ses = session
 	}

go.mod

@@ -19,7 +19,6 @@ require (
 	github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v0.4.1
 	github.com/buger/jsonparser v1.1.1
-	github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23
 	github.com/cenk/backoff v2.2.1+incompatible
 	github.com/cenkalti/backoff/v4 v4.0.2
 	github.com/certifi/gocertifi v0.0.0-20190905060710-a5e0173ced67 // indirect
@@ -34,9 +33,9 @@ require (
 	github.com/garyburd/redigo v1.6.2
 	github.com/gemnasium/logrus-graylog-hook v2.0.7+incompatible
 	github.com/getsentry/raven-go v0.2.0 // indirect
-	github.com/go-redis/redis/v8 v8.3.1
+	github.com/go-redis/redis/v8 v8.11.5
 	github.com/gocraft/health v0.0.0-20170925182251-8675af27fef0
-	github.com/golang/protobuf v1.4.2
+	github.com/golang/protobuf v1.5.2
 	github.com/google/btree v1.0.0 // indirect
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/websocket v1.4.2
@@ -83,9 +82,9 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v0.0.0-20171025060643-212d8a0df7ac
 	github.com/xenolf/lego v0.3.2-0.20170618175828-28ead50ff1ca // indirect
-	golang.org/x/crypto v0.0.0-20191227163750-53104e6ec876
-	golang.org/x/net v0.0.0-20200602114024-627f9648deb9
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/net v0.0.0-20210428140749-89ef3d95e781
+	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	google.golang.org/appengine v1.6.1 // indirect
 	google.golang.org/grpc v1.29.1