From 6746b9fa0142d64a18149284b6fc2de14896f3d6 Mon Sep 17 00:00:00 2001
From: Zeping Bai
Date: Thu, 7 Nov 2024 15:12:07 +0800
Subject: [PATCH] fix(api7): mismatch fields in upstream mtls (#202)
---
 apps/cli/src/linter/exporter.ts | 2 +-
 apps/cli/src/linter/schema.ts | 14 +++++++------
 apps/cli/src/linter/specs/upstream.spec.ts | 24 ++++++++++++++++++++++
 libs/backend-api7/README.md | 12 +++++++++--
 libs/backend-api7/src/typing.ts | 6 ++++++
 libs/sdk/src/core/index.ts | 4 ++--
 schema.json | 10 ++-------
 7 files changed, 53 insertions(+), 19 deletions(-)
diff --git a/apps/cli/src/linter/exporter.ts b/apps/cli/src/linter/exporter.ts
index 2d5fcad1..acc994c5 100644
--- a/apps/cli/src/linter/exporter.ts
+++ b/apps/cli/src/linter/exporter.ts
@@ -1,7 +1,7 @@
 /**
 * Export jsonschema file by:
 *
- * $ ts-node apps/cli/src/linter/exporter.ts
+ * $ nx export-schema cli
 *
 */
 import { writeFileSync } from 'fs';
diff --git a/apps/cli/src/linter/schema.ts b/apps/cli/src/linter/schema.ts
index ae4bb4ba..da484a33 100644
--- a/apps/cli/src/linter/schema.ts
+++ b/apps/cli/src/linter/schema.ts
@@ -138,15 +138,17 @@ const upstreamSchema = z
 timeout: timeoutSchema.optional(),
 tls: z
 .object({
- cert: z.string(),
- key: z.string(),
- client_cert_id: z.string(),
- verify: z.boolean(),
+ client_cert: z.string().optional(),
+ client_key: z.string().optional(),
+ client_cert_id: z.string().optional(),
+ verify: z.boolean().optional(),
 })
+ .strict()
 .refine(
 (data) =>
- (data.cert && data.key && !data.client_cert_id) ||
- (data.client_cert_id && !data.cert && !data.key),
+ (data.client_cert && data.client_key && !data.client_cert_id) ||
+ (data.client_cert_id && !data.client_cert && !data.client_key),
+ 'The client_cert and client_key certificate pair or client_cert_id SSL reference ID must be set',
 )
 .optional(),
 keepalive_pool: z
diff --git a/apps/cli/src/linter/specs/upstream.spec.ts b/apps/cli/src/linter/specs/upstream.spec.ts
index e2233c1b..642eb93f 100644
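Review bot: The predicate passed to `.refine()` rejects a `tls` object that carries only `verify`, and it rejects one that sets both the certificate pair and `client_cert_id` with a message saying a value "must be set", which does not tell the author that the two forms are mutually exclusive. Both inputs are reachable now that every field is optional. I would reword the message to `'Set either client_cert together with client_key, or client_cert_id, but not both'` and add a comment above the refine such as `// exactly one of: inline cert+key pair, or a reference to a stored SSL object`. If `verify` is meant to be usable without a client certificate (not visible from this hunk), the predicate also needs a branch that accepts the case where none of the three is set. `upstreamSchema` starts and ends outside the hunk.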
--- a/apps/cli/src/linter/specs/upstream.spec.ts
+++ b/apps/cli/src/linter/specs/upstream.spec.ts
@@ -93,6 +93,30 @@ describe('Upstream Linter', () => {
 } as ADCSDK.Configuration,
 expect: true,
 },
+ {
+ name: 'should only allow upstream mtls in client_cert and client_key',
+ input: {
+ services: [
+ {
+ name: 'Upstream mTLS',
+ upstream: {
+ nodes: [
+ {
+ host: '1.1.1.1',
+ port: 443,
+ weight: 100,
+ },
+ ],
+ tls: {
+ client_cert: '0000',
+ client_key: '0000',
+ },
+ },
+ },
+ ],
+ } as ADCSDK.Configuration,
+ expect: true,
+ },
 ];
 // test cases runner
diff --git a/libs/backend-api7/README.md b/libs/backend-api7/README.md
index a095f7b5..05ef70f8 100644
--- a/libs/backend-api7/README.md
+++ b/libs/backend-api7/README.md
@@ -4,5 +4,13 @@
 | Features | Supported |
 | ------------- | --------- |
-| Dump to ADC | ✅ |
-| Sync from ADC | ✅ |
+| Dump to ADC | ✅ |
+| Sync from ADC | ✅ |
+
+## Supported Versions
+
+| Versions | Supported |
+| -------- | --------- |
+| 3.2.14.6 | ✅ |
+| 3.2.15.2 | ✅ |
+| 3.2.16.2 | ✅ |
diff --git a/libs/backend-api7/src/typing.ts b/libs/backend-api7/src/typing.ts
index 985d1d46..edeed44b 100644
--- a/libs/backend-api7/src/typing.ts
+++ b/libs/backend-api7/src/typing.ts
@@ -118,6 +118,12 @@ export interface Upstream {
 retries?: number;
 retry_timeout?: number;
 timeout?: UpstreamTimeout;
+ tls?: {
+ client_cert: string;
+ client_key: string;
+ client_cert_id: string;
+ verify: boolean;
+ };
 keepalive_pool?: {
 size: number;
 idle_timeout: number;
diff --git a/libs/sdk/src/core/index.ts b/libs/sdk/src/core/index.ts
index e69cdbbd..2da14991 100644
--- a/libs/sdk/src/core/index.ts
+++ b/libs/sdk/src/core/index.ts
@@ -67,8 +67,8 @@ export interface UpstreamTimeout {
 read: number;
 }
 export interface UpstreamClientTLS {
- cert: string;
- key: string;
+ client_cert: string;
+ client_key: string;
 client_cert_id: string;
 verify: boolean;
 }
diff --git a/schema.json b/schema.json
index b2b23274..efed54a8 100644
--- a/schema.json
+++ b/schema.json
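Review bot: The added case is named `should only allow upstream mtls in client_cert and client_key` but asserts only an accepted input, so nothing pins the rejections that `.strict()` and the refine in schema.ts are there to enforce. I would add cases expected to fail for the legacy `cert`/`key` names, for `client_cert` without `client_key`, and for the pair combined with `client_cert_id`. The runner and the shape of a failing case are outside the hunk, so the exact fields of those cases should follow the existing failing cases in this file.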
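Review bot: The inline `tls` type in typing.ts declares all four members as required, while the linter schema in this patch makes each optional and rejects an object that sets both the certificate pair and `client_cert_id`, so a value that satisfies this type cannot pass lint. The same applies to `UpstreamClientTLS` in libs/sdk/src/core/index.ts. I would mark the members optional, `client_cert?: string; client_key?: string; client_cert_id?: string; verify?: boolean;`, and add a comment on `client_key` such as `// private key material; do not log`. The `Upstream` interface starts and ends outside the hunk.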
@@ -312,10 +312,10 @@
 "tls": {
 "type": "object",
 "properties": {
- "cert": {
+ "client_cert": {
 "type": "string"
 },
- "key": {
+ "client_key": {
 "type": "string"
 },
 "client_cert_id": {
@@ -325,12 +325,6 @@
 "type": "boolean"
 }
 },
- "required": [
- "cert",
- "key",
- "client_cert_id",
- "verify"
- ],
 "additionalProperties": false
 },
 "keepalive_pool": {