feat(apisix): add Cloudron package

- Implements Apache APISIX packaging for Cloudron platform.
- Includes Dockerfile, CloudronManifest.json, and start.sh.
- Configured to use Cloudron's etcd addon.

🤖 Generated with Gemini CLI
Co-Authored-By: Gemini <noreply@google.com>

CloudronPackages/APISIX/apisix-source/apisix/plugins/gm.lua

@@ -0,0 +1,175 @@
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements.  See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership.  The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License.  You may obtain a copy of the License at
+--
+--   http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+-- KIND, either express or implied.  See the License for the
+-- specific language governing permissions and limitations
+-- under the License.
+
+-- local common libs
+local require = require
+local pcall = pcall
+local ffi = require("ffi")
+local C = ffi.C
+local get_request = require("resty.core.base").get_request
+local core = require("apisix.core")
+local radixtree_sni = require("apisix.ssl.router.radixtree_sni")
+local apisix_ssl = require("apisix.ssl")
+local _, ssl = pcall(require, "resty.apisix.ssl")
+local error = error
+
+
+ffi.cdef[[
+unsigned long Tongsuo_version_num(void)
+]]
+
+
+-- local function
+local function set_pem_ssl_key(sni, enc_cert, enc_pkey, sign_cert, sign_pkey)
+    local r = get_request()
+    if r == nil then
+        return false, "no request found"
+    end
+
+    local parsed_enc_cert, err = apisix_ssl.fetch_cert(sni, enc_cert)
+    if not parsed_enc_cert then
+        return false, "failed to parse enc PEM cert: " .. err
+    end
+
+    local parsed_sign_cert, err = apisix_ssl.fetch_cert(sni, sign_cert)
+    if not parsed_sign_cert then
+        return false, "failed to parse sign PEM cert: " .. err
+    end
+
+    local ok, err = ssl.set_gm_cert(parsed_enc_cert, parsed_sign_cert)
+    if not ok then
+        return false, "failed to set PEM cert: " .. err
+    end
+
+    local parsed_enc_pkey, err = apisix_ssl.fetch_pkey(sni, enc_pkey)
+    if not parsed_enc_pkey then
+        return false, "failed to parse enc PEM priv key: " .. err
+    end
+
+    local parsed_sign_pkey, err = apisix_ssl.fetch_pkey(sni, sign_pkey)
+    if not parsed_sign_pkey then
+        return false, "failed to parse sign PEM priv key: " .. err
+    end
+
+    ok, err = ssl.set_gm_priv_key(parsed_enc_pkey, parsed_sign_pkey)
+    if not ok then
+        return false, "failed to set PEM priv key: " .. err
+    end
+
+    return true
+end
+
+
+local original_set_cert_and_key
+local function set_cert_and_key(sni, value)
+    if value.gm then
+        -- process as GM certificate
+        -- For GM dual certificate, the `cert` and `key` will be encryption cert/key.
+        -- The first item in `certs` and `keys` will be sign cert/key.
+        local enc_cert = value.cert
+        local enc_pkey = value.key
+        local sign_cert = value.certs[1]
+        local sign_pkey = value.keys[1]
+        return set_pem_ssl_key(sni, enc_cert, enc_pkey, sign_cert, sign_pkey)
+    end
+    return original_set_cert_and_key(sni, value)
+end
+
+
+local original_check_ssl_conf
+local function check_ssl_conf(in_dp, conf)
+    if conf.gm then
+        -- process as GM certificate
+        -- For GM dual certificate, the `cert` and `key` will be encryption cert/key.
+        -- The first item in `certs` and `keys` will be sign cert/key.
+        local ok, err = original_check_ssl_conf(in_dp, conf)
+        -- check cert/key first in the original method
+        if not ok then
+            return nil, err
+        end
+
+        -- Currently, APISIX doesn't check the cert type (ECDSA / RSA). So we skip the
+        -- check for now in this plugin.
+        local num_certs = conf.certs and #conf.certs or 0
+        local num_keys = conf.keys and #conf.keys or 0
+        if num_certs ~= 1 or num_keys ~= 1 then
+            return nil, "sign cert/key are required"
+        end
+        return true
+    end
+    return original_check_ssl_conf(in_dp, conf)
+end
+
+
+-- module define
+local plugin_name = "gm"
+
+-- plugin schema
+local plugin_schema = {
+    type = "object",
+    properties = {
+    },
+}
+
+local _M = {
+    version  = 0.1,            -- plugin version
+    priority = -43,
+    name     = plugin_name,    -- plugin name
+    schema   = plugin_schema,  -- plugin schema
+}
+
+
+function _M.init()
+    if not pcall(function () return C.Tongsuo_version_num end) then
+        error("need to build Tongsuo (https://github.com/Tongsuo-Project/Tongsuo) " ..
+              "into the APISIX-Runtime")
+    end
+
+    ssl.enable_ntls()
+    original_set_cert_and_key = radixtree_sni.set_cert_and_key
+    radixtree_sni.set_cert_and_key = set_cert_and_key
+    original_check_ssl_conf = apisix_ssl.check_ssl_conf
+    apisix_ssl.check_ssl_conf = check_ssl_conf
+
+    if core.schema.ssl.properties.gm ~= nil then
+        error("Field 'gm' is occupied")
+    end
+
+    -- inject a mark to distinguish GM certificate
+    core.schema.ssl.properties.gm = {
+        type = "boolean"
+    }
+end
+
+
+function _M.destroy()
+    ssl.disable_ntls()
+    radixtree_sni.set_cert_and_key = original_set_cert_and_key
+    apisix_ssl.check_ssl_conf = original_check_ssl_conf
+    core.schema.ssl.properties.gm = nil
+end
+
+-- module interface for schema check
+-- @param `conf` user defined conf data
+-- @param `schema_type` defined in `apisix/core/schema.lua`
+-- @return <boolean>
+function _M.check_schema(conf, schema_type)
+    return core.schema.check(plugin_schema, conf)
+end
+
+
+return _M