From my perspective it would be better to keep consistent logic between real creation of certificates entity and validation of entity rather than simply removing sni field. To do this, we can refer to/reuse the same validation logics which are adopted in the dao/certificates and dao/sni

The necessity I think is to ensure that entity which is proved to be valid by endpoint /validate can be accepted by the upcoming post method.

Nice.
For my understanding. I think the endpoint /schema/:dn_entity_name/validate is the most important to validate the fields that belong to the schema. Second, to validate the field value if it is valid.

For my understanding. I think the endpoint /schema/:dn_entity_name/validate is the most important to validate the fields that belong to the schema. Second, to validate the field value if it is valid.

To this extent, the /validate endpoint just carry out some preliminary validations, which also makes sense.

Convert to draft for now as it requires more design discussion.

I'm wondering whether transient is the best name here 🤔 . What I think we're trying to achieve is adding a field to schema that's actually the reverse of type = "foreign" what sometimes is called backref.

transient sounds to me like a field that could be derived from other fields. For example we'd have somewhere a network address field which values would be:

{
  network_address = "127.0.0.1:8001"
}

Then transient fields might be:

{
  network_address = "127.0.0.1:8001",
  ip = "127.0.0.1",
  port = 8001
}

something that exists in another field but is returned for convenience and is not actually stored in database.

In future it might open us a door to realize backref dereferencing. Like certificates:each({ with = { "snis" } }). This way the certificates entity could pull also snis. Something that right now is done by: SNIS:list_for_certificate but could be just an addition to DAO functionality if we defined the interface in schema.

@nowNick
Thank you for your review. I agree with your part of your points.
My first thought. The transient keyword in Java is used to prevent certain member variables of an object from being serialized. By using it, we can enhance security, reduce serialization overhead, and ensure that only meaningful and necessary data is serialized. Therefore, I have adopted this approach to temporarily store data without persisting it to the database. Additionally, it can support the transformation and storage of other data during the deserialization process (if future support is needed). If we need to perform cascading queries to retrieve the corresponding objects, we might need other attributes (such as one-to-many or many-to-one relationships) to describe the data more appropriately.

Rebased on master as CI is always red

Schema changed. CC @GGabriele

@raoxiaoyan IMHO, the transient is able to exclude fields marked with it from persistence, in other word, these fields should or may be ignored during schema validation. This explains why one of test cases introduced in this PR which hits the endpoint of schema validation /schemas/certificates/validate can pass even though there is no special treatments for the sni field in the certificate json entity in the request body.
However, some previous test cases related to certificate creation fail after removing https://github.com/Kong/kong-ee/blob/2be9144914a6aea395aef2c80a5e1ebf9289ff9b/kong/db/dao/certificates.lua#L70 due to failures in schema validation. This is out of my expectation. WDYT?

This method adds schema field and allows snis field when validating certificates. However, the snis field is ignored when validating.

Suppose a scenario:

1. An Admin API is sent to validate a cert. The body also includes a snis field, like {"error", "not-exist" }.

2. The code only validates the cert part and returns 200 OK.

3. Another Admin API is sent to create the cert, and also includes the {"error", "not-exist" }. Will return 200 OK. Therefore, the invalid SNIs would be created, and cause error when doing SSL handshake.

   kong=# select * from snis ;
                     id                  |       created_at       |   name    |            certificate_id            | tags |                ws_id                 |       updated_at
   -------------------------------------- ------------------------ ----------- -------------------------------------- ------ -------------------------------------- ------------------------
    3f8e7c93-aa54-4437-86e8-6845e93f13e8 | 2024-07-26 09:06:00 00 | error     | 5bbb04a4-cd1b-498b-8dc0-64d797ec0f57 |      | d90e3613-56af-439e-acdf-7c5fd468dab8 | 2024-07-26 09:06:00 00
    345baaac-56b9-4480-9ef4-1465cd11c860 | 2024-07-26 09:07:05 00 | not-exist | 5bbb04a4-cd1b-498b-8dc0-64d797ec0f57 |      | d90e3613-56af-439e-acdf-7c5fd468dab8 | 2024-07-26 09:07:05 00
   (2 rows)
   

Thus, we are in a situation where the validation API passes but the SSL handshake fails.

This method adds schema field and allows snis field when validating certificates. However, the snis field is ignored when validating.

Suppose a scenario:

1. An Admin API is sent to validate a cert. The body also includes a snis field, like {"error", "not-exist" }.
2. The code only validates the cert part and returns 200 OK.
3. Another Admin API is sent to create the cert, and also includes the {"error", "not-exist" }. Will return 200 OK.

kong=# select * from snis ;
                  id                  |       created_at       |   name    |            certificate_id            | tags |                ws_id                 |       updated_at
-------------------------------------- ------------------------ ----------- -------------------------------------- ------ -------------------------------------- ------------------------
 3f8e7c93-aa54-4437-86e8-6845e93f13e8 | 2024-07-26 09:06:00 00 | error     | 5bbb04a4-cd1b-498b-8dc0-64d797ec0f57 |      | d90e3613-56af-439e-acdf-7c5fd468dab8 | 2024-07-26 09:06:00 00
 345baaac-56b9-4480-9ef4-1465cd11c860 | 2024-07-26 09:07:05 00 | not-exist | 5bbb04a4-cd1b-498b-8dc0-64d797ec0f57 |      | d90e3613-56af-439e-acdf-7c5fd468dab8 | 2024-07-26 09:07:05 00
(2 rows)

I didn't catch it. What do you mean?

Successfully created cherry-pick PR for master:

• https://github.com/kong/kong-ee/pull/9823