3scale
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -146,7 +146,8 @@ jobs:
       - run: make test-runtime-image gateway-logs --keep-going
       - login-docker:
           command: |
-            IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH}}"
+            CIRCLE_BRANCH_LOWER=`echo $CIRCLE_BRANCH | tr '[:upper:]' '[:lower:]'`
+            IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH_LOWER}}"
             if [ "${IMAGE_TAG}" == "master" ]
             then
               IMAGE_TAG="latest"
@@ -179,7 +180,8 @@ jobs:
 
       - login-docker:
           command: |
-            IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH}}-builder"
+            CIRCLE_BRANCH_LOWER=`echo $CIRCLE_BRANCH | tr '[:upper:]' '[:lower:]'`
+            IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH_LOWER}}-builder"
             if [ "${IMAGE_TAG}" == "master-builder" ]
             then
               IMAGE_TAG="latest-builder"
@@ -259,7 +261,7 @@ jobs:
 
   prove:
     executor: openresty
-
+    resource_class: medium+
     parallelism: 3
     steps:
       - attach-workspace
@@ -281,7 +283,7 @@ jobs:
     machine: true
     steps:
       - checkout
-      - run: IMAGE_TAG=${CIRCLE_TAG:-${CIRCLE_BRANCH}} make benchmark
+      - run: IMAGE_TAG=`echo $CIRCLE_BRANCH | tr '[:upper:]' '[:lower:]'` make benchmark
       - run: IMAGE_TAG=master make benchmark
       - store_artifacts:
           path: tmp/benchmark

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,11 +1,13 @@
 # Change Log
+
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
 
 ## [3.11.0] 2021-09-03
+## [Unreleased]
 
 ### Fixed
 
@@ -31,6 +33,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fixed issues with OIDC filters [PR #1304](https://github.com/3scale/APIcast/pull/1304) [PR #1306](https://github.com/3scale/APIcast/pull/1306) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
 - Fixed issues with OIDC filters [PR #1304](https://github.com/3scale/APIcast/pull/1304) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
 - Fixed issues with Upstream MTLS certs [PR #1307](https://github.com/3scale/APIcast/pull/1307) [THREESCALE-7508](https://issues.redhat.com/browse/THREESCALE-7508)
+- Fixed warning messages [PR #1318](https://github.com/3scale/APIcast/pull/1318) [THREESCALE-7906](https://issues.redhat.com/browse/THREESCALE-7906)
+- Fixed dirty context [PR #1328](https://github.com/3scale/APIcast/pull/1328) [THREESCALE-8000](https://issues.redhat.com/browse/THREESCALE-8000) [THREESCALE-8007](https://issues.redhat.com/browse/THREESCALE-8007)
+- Fixed jwk alg confusion [PR #1329](https://github.com/3scale/APIcast/pull/1329) [THREESCALE-8249](https://issues.redhat.com/browse/THREESCALE-8249)
+- Fixed issue with resolving target server hostnames to IP when using CONNECT method [PR #1323](https://github.com/3scale/APIcast/pull/1323) [THREESCALE-7967](https://issues.redhat.com/browse/THREESCALE-7967)
+- Fixed issue with resolving target server hostnames to IPs when forwarding requests through http/s proxy [PR #1323](https://github.com/3scale/APIcast/pull/1323) [THREESCALE-7967](https://issues.redhat.com/browse/THREESCALE-7967)
+- Fixed dirty context [PR #1328](https://github.com/3scale/APIcast/pull/1328) [THREESCALE-8000](https://issues.redhat.com/browse/THREESCALE-8000) [THREESCALE-8007](https://issues.redhat.com/browse/THREESCALE-8007) [THREESCALE-8252](https://issues.redhat.com/browse/THREESCALE-8252)
+- Fixed dirty context (part 2 of PR #1328) when tls termination policy is in the policy chain [PR #1333](https://github.com/3scale/APIcast/pull/1333)
 
 ### Added
 
@@ -51,7 +60,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Added on_failed policy [PR#1286](https://github.com/3scale/APIcast/pull/1286) [THREESCALE-6705](https://issues.redhat.com/browse/THREESCALE-6705)
 - Master branch containers builds are now latest tag on quay.io [PR#1289](https://github.com/3scale/APIcast/pull/1289) [THREESCALE-7251](https://issues.redhat.com/browse/THREESCALE-7251)
 
-
 ## [3.10.0] 2021-01-04
 
 Beta1 is stable and moved to final release.
@@ -71,6 +79,7 @@ Beta1 is stable and moved to final release.
 ## [3.10.0-alpha1] 2020-10-13
 
 ### Added
+
 - Support Proxy Protocol [PR #1211](https://github.com/3scale/APIcast/pull/1211) [THREESCALE-5366](https://issues.redhat.com/browse/THREESCALE-5366)
 - Enable support to log credentials on logging policy [PR #1217](https://github.com/3scale/APIcast/pull/1217) [THREESCALE-5273](https://issues.redhat.com/browse/THREESCALE-5273)
 - Add a way to support more than 1000 services in a single instance  [PR #1222](https://github.com/3scale/APIcast/pull/1222) [THREESCALE-5308](https://issues.redhat.com/browse/THREESCALE-5308)
@@ -79,21 +88,21 @@ Beta1 is stable and moved to final release.
 - Add response/request content size limits [PR #1227](https://github.com/3scale/APIcast/pull/1227) [THREESCALE-5244](https://issues.redhat.com/browse/THREESCALE-5244)
 - Add HTTP codes policy [PR #1236](https://github.com/3scale/APIcast/pull/1236) [THREESCALE-6255](https://issues.redhat.com/browse/THREESCALE-6255)
 
-
-
 ### Fixed
+
 - Fixed issues with allow caching mode  and 3scale batcher [PR #1216](https://github.com/3scale/APIcast/pull/1216) [THREESCALE-5753](https://issues.redhat.com/browse/THREESCALE-5753)
 - Fixed issues when Auth Caching is disabled [PR #1225](https://github.com/3scale/APIcast/pull/1225) [THREESCALE-4464](https://issues.redhat.com/browse/THREESCALE-4464)
 - Fixed issues with service filter and OIDC [PR #1229](https://github.com/3scale/APIcast/pull/1229) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
 - Increased size of dictionaries used by the Batching policy to 20 MB. Users
-with many services might have experienced issues with this policy because the
-size of those dictionaries was not enough to store everything the policy needs
-to function correctly. [PR #1231](https://github.com/3scale/APIcast/pull/1231)
+  with many services might have experienced issues with this policy because the
+  size of those dictionaries was not enough to store everything the policy needs
+  to function correctly. [PR #1231](https://github.com/3scale/APIcast/pull/1231)
 - Fixed issue with Camel service over HTTPs when Routing Policy [PR #1230](https://github.com/3scale/APIcast/pull/1230) [THREESCALE-5891](https://issues.redhat.com/browse/THREESCALE-5891)
 - Fixed doc issue on SERVICES_FILTER parameter [PR #1233](https://github.com/3scale/APIcast/pull/1233) [THREESCALE-5421](https://issues.redhat.com/browse/THREESCALE-5421)
 - Non-alphanumeric metric name in 3scale-batcher policy [PR #1234](https://github.com/3scale/APIcast/pull/1234) [THREESCALE-4913](https://issues.redhat.com/browse/THREESCALE-4913)
 
 ## [3.9.1] 2020-10-13
+
 - Fixed issues when using fully qualified DNS query [PR #1235](https://github.com/3scale/APIcast/pull/1235) [THREESCALE-4752](https://issues.redhat.com/browse/THREESCALE-4752)
 - Fixed issues with OIDC validation [PR #1239](https://github.com/3scale/APIcast/pull/1239) [THREESCALE-6313](https://issues.redhat.com/browse/THREESCALE-6313)
 - Fixed issues with Liquid body size [PR #1240](https://github.com/3scale/APIcast/pull/1240) [THREESCALE-6315](https://issues.redhat.com/browse/THREESCALE-6315)
@@ -122,7 +131,6 @@ No issues found on beta1,so becames final release.
 - Fixed issues with path routing and query args [THREESCALE-5149](https://issues.redhat.com/browse/THREESCALE-5149) [PR #1190](https://github.com/3scale/APIcast/pull/1190)
 - Fixed issue with IPCheck policy when forwarder-for value contains port [THREESCALE-5258](https://issues.redhat.com/browse/THREESCALE-5258) [PR #1192](https://github.com/3scale/APIcast/pull/1192)
 
-
 ### Added
 
 - Added upstream Mutual TLS policy [THREESCALE-672](https://issues.jboss.org/browse/THREESCALE-672) [PR #1182](https://github.com/3scale/APIcast/pull/1182)
@@ -135,23 +143,23 @@ No issues found on beta1,so becames final release.
 - New content_caching Prometheus metric [THREESCALE-5439](https://issues.jboss.org/browse/THREESCALE-5439) [PR #1203](https://github.com/3scale/APIcast/pull/1203)
 - Added Camel policy [PR #1193](https://github.com/3scale/APIcast/pull/1193) [THREESCALE-4867](https://issues.jboss.org/browse/THREESCALE-4867)
 
-
 ## [3.8.0] - 2020-03-24
 
 `3.8.0-cr1` was considered final and became `3.8.0`.
 
 ## [3.8.0-cr1] - 2020-03-07
 
 ### Fixed
+
 - Fixed naming issues in policies [THREESCALE-4150](https://issues.jboss.org/browse/THREESCALE-4150) [PR #1167](https://github.com/3scale/APIcast/pull/1167)
 - Fixed issues on invalid config in logging policy [THREESCALE-4605](https://issues.jboss.org/browse/THREESCALE-4605) [PR #1168](https://github.com/3scale/APIcast/pull/1168)
 - Fixed issues with routing policy and GRPC one [THREESCALE-4684](https://issues.jboss.org/browse/THREESCALE-4684) [PR #1177](https://github.com/3scale/APIcast/pull/1177) [PR #1179](https://github.com/3scale/APIcast/pull/1179)
 
 ## [3.8.0-alpha2] - 2020-02-18
 
 ### Fixed
-- Check status is bigger than zero on caching policy [THREESCALE-4471](https://issues.jboss.org/browse/THREESCALE-4471) [PR #1163](https://github.com/3scale/APIcast/pull/1163)
 
+- Check status is bigger than zero on caching policy [THREESCALE-4471](https://issues.jboss.org/browse/THREESCALE-4471) [PR #1163](https://github.com/3scale/APIcast/pull/1163)
 
 ## [3.8.0-alpha1] - 2020-01-31
 
@@ -164,7 +172,6 @@ No issues found on beta1,so becames final release.
 - Added Request_id on ngx.log function. [THREESCALE-3644](https://issues.jboss.org/browse/THREESCALE-3644) [PR #1156](https://github.com/3scale/APIcast/pull/1156)
 - Logging policy add the option to log JWT claims [THREESCALE-4326](https://issues.jboss.org/browse/THREESCALE-4326) [PR #1160](https://github.com/3scale/APIcast/pull/1160)
 
-
 ### Fixed
 
 - When PATH routing was enabled the URL was not correctly escaped [THREESCALE-3468](https://issues.jboss.org/browse/THREESCALE-3468) [PR #1150](https://github.com/3scale/APIcast/pull/1150)
@@ -173,7 +180,6 @@ No issues found on beta1,so becames final release.
 - Fix issues with non-alphanumeric variables in liquid [THREESCALE-3968](https://issues.jboss.org/browse/THREESCALE-3968) [PR #1158](https://github.com/3scale/APIcast/pull/1158)
 - Fix issues with double mapping rules [THREESCALE-3950](https://issues.jboss.org/browse/THREESCALE-3950) [PR #1159](https://github.com/3scale/APIcast/pull/1159)
 
-
 ## [3.7.0] - 2019-11-27
 
 `3.7.0-rc2` was considered final and became `3.7.0`.
@@ -200,7 +206,6 @@ No issues found on beta1,so becames final release.
 
 - Fix issues with escaped characters in URI [THREESCALE-3468](https://issues.jboss.org/browse/THREESCALE-3468) [PR #1123](https://github.com/3scale/APIcast/pull/1123)
 
-
 ## [3.7.0-beta1]- 2019-09-13
 
 ### Added
@@ -240,7 +245,6 @@ No issues found on beta1,so becames final release.
 
 - Extended variables in Liquid template operations [PR #1081](https://github.com/3scale/APIcast/pull/1081), [THREESCALE-2927](https://issues.jboss.org/browse/THREESCALE-2927)
 
-
 ## [3.6.0-beta1] - 2019-06-18
 
 ### Added
@@ -371,11 +375,11 @@ Apart from the changes mentioned in this section, this version also includes the
 `3.3.0-cr2` was considered final and became `3.3.0`.
 
 - The configuration schema of the rate-limit policy has changed from `3.2.0` so
-if you were using it, please adapt your configuration file accordingly.
+  if you were using it, please adapt your configuration file accordingly.
 - The Native OAuth 2.0 flow is deprecated. Please consider using the OIDC
-integration instead.
+  integration instead.
 - The new conditional policy is considered experimental. The way conditions are
-expressed might change in future releases.
+  expressed might change in future releases.
 
 ## [3.3.0-cr2] - 2018-09-25
 
@@ -667,6 +671,7 @@ expressed might change in future releases.
 - Live and ready endpoints now set correct Content-Type header in the response[PR #441](https://github.com/3scale/apicast/pull/441), [THREESCALE-377](https://issues.jboss.org/browse/THREESCALE-377)
 
 ## [3.1.0] - 2017-10-27
+
 - 3.1.0-rc2 was considered final and became 3.1.0.
 
 ## [3.1.0-rc2] - 2017-09-29
@@ -791,6 +796,7 @@ expressed might change in future releases.
 - Ability to Authenticate against API using RHSSO and OpenID Connect [PR #283](https://github.com/3scale/apicast/pull/283)
 
 ### Fixed
+
 - `http_ng` client supports auth passsed in the url, and default client options if the request options are missing for methods with body (POST, PUT, etc.) [PR #310](https://github.com/3scale/apicast/pull/310)
 - Fixed lazy configuration loader to recover from failures [PR #313](https://github.com/3scale/apicast/pull/313)
 - Fixed undefined variable `p` in post\_action [PR #316](https://github.com/3scale/apicast/pull/316)
@@ -815,6 +821,7 @@ expressed might change in future releases.
 ## [3.0.0-beta1] - 2017-03-03
 
 ### Changed
+
 - Lazy load DNS resolver to improve performance [PR #251](https://github.com/3scale/apicast/pull/251)
 - Execute queries to all defined nameservers in parallel [PR #260](https://github.com/3scale/apicast/pull/260)
 - `RESOLVER` ENV variable overrides all other nameservers detected from `/etc/resolv.conf` [PR #260](https://github.com/3scale/apicast/pull/260)
@@ -846,34 +853,43 @@ expressed might change in future releases.
 ## [3.0.0-alpha2] - 2017-02-06
 
 ### Added
+
 - A way to override backend endpoint [PR #248](https://github.com/3scale/apicast/pull/248)
 
 ### Changed
+
 - Cache all calls to `os.getenv` via custom module [PR #231](https://github.com/3scale/apicast/pull/231)
 - Bump s2i-openresty to 1.11.2.2-1 [PR #239](https://github.com/3scale/apicast/pull/239)
 - Use resty-resolver over nginx resolver for HTTP [PR #237](https://github.com/3scale/apicast/pull/237)
 - Use resty-resolver over nginx resolver for Redis [PR #237](https://github.com/3scale/apicast/pull/237)
 - Internal change to reduce global state [PR #233](https://github.com/3scale/apicast/pull/233)
 
 ### Fixed
+
 - [OAuth] Return correct state value back to client
 
 ### Removed
+
 - Nginx resolver directive auto detection. Rely on internal DNS resolver [PR #237](https://github.com/3scale/apicast/pull/237)
 
 ## [3.0.0-alpha1] - 2017-01-16
+
 ### Added
+
 - A CHANGELOG.md to track important changes
 - User-Agent header with APIcast version and system information [PR #214](https://github.com/3scale/apicast/pull/214)
 - Try to load configuration from V2 API [PR #193](https://github.com/3scale/apicast/pull/193)
 
 ### Changed
+
 - Require openresty 1.11.2 [PR #194](https://github.com/3scale/apicast/pull/194)
 - moved development from `v2` branch to `master` [PR #209](https://github.com/3scale/apicast/pull/209)
 - `X-3scale-Debug` HTTP header now uses Service Token [PR #217](https://github.com/3scale/apicast/pull/217)
 
 ## [2.0.0] - 2016-11-29
+
 ### Changed
+
 - Major rewrite using JSON configuration instead of code generation.
 
 [Unreleased]: https://github.com/3scale/apicast/compare/v3.10.0...HEAD

diff --git a/Makefile b/Makefile
@@ -221,7 +221,10 @@ rover: $(ROVER)
 $(S2I_CONTEXT)/Roverfile.lock : $(S2I_CONTEXT)/Roverfile $(S2I_CONTEXT)/apicast-scm-1.rockspec
 	$(ROVER) lock --roverfile=$(S2I_CONTEXT)/Roverfile
 
-lua_modules: $(ROVER) $(S2I_CONTEXT)/Roverfile.lock
+translate_git_protocol:
+	@git config --global url.https://github.com/.insteadOf git://github.com/
+
+lua_modules: $(ROVER) $(S2I_CONTEXT)/Roverfile.lock translate_git_protocol
 # This variable is to skip issues with openssl 1.1.1
 # https://github.com/wahern/luaossl/issues/175
 	EXTRA_CFLAGS="-DHAVE_EVP_KDF_CTX=1" $(ROVER) install --roverfile=$(S2I_CONTEXT)/Roverfile > /dev/null

diff --git a/docker-compose-devel.yml b/docker-compose-devel.yml
@@ -1,7 +1,7 @@
 version: '2.2'
 services:
   development:
-    image: ${IMAGE:-quay.io/3scale/s2i-openresty-centos7:master}
+    image: ${IMAGE:-quay.io/3scale/s2i-openresty-centos7:1.19.3.6-20-centos8}
     depends_on:
       - redis
     working_dir: /home/centos/

diff --git a/gateway/Roverfile.lock b/gateway/Roverfile.lock
@@ -10,7 +10,8 @@ fifo 0.2-0||development
 http 0.3-0||development
 inspect 3.1.1-0||production
 ldoc 1.4.6-2||development
-liquid 0.1.7-1||production
+date 2.2-2||production
+liquid 0.1.8-1||production
 jsonschema 0.8-0|aa4740624cca4c10585bd7d086b42aa0b9ab14fa|testing
 lpeg 1.0.2-1||development
 lpeg_patterns 0.5-0||development

diff --git a/gateway/http.d/apicast.conf.liquid b/gateway/http.d/apicast.conf.liquid
@@ -1,9 +1,20 @@
 log_format time '[$time_local] $target_host:$server_port $remote_addr:$remote_port "$request" $status $body_bytes_sent ($request_time) $post_action_impact';
 
-map $status $extended_access_log {
+# Use maps as variables because some logs can be raised out of the server context 
+# where variables cannot be set, this allow us to avoid a warning
+map "" $extended_access_log {
     default '';
 }
 
+map "" $access_logs_enabled {
+  default '1';
+}
+
+map "" $extended_access_logs_enabled {
+  default '0';
+}
+
+
 log_format extended escape=none '$extended_access_log';
 
 server {
@@ -50,9 +61,7 @@ server {
 server {
   {% capture log_buffer %} {%if log_buffer_size %}buffer={{ log_buffer_size }} {% endif %} {% endcapture %}
 
-  set $access_logs_enabled '1';
   access_log {{ access_log_file | default: "/dev/stdout" }} time if=$access_logs_enabled {{ log_buffer }};
-  set $extended_access_logs_enabled '0';
   access_log {{ access_log_file | default: "/dev/stdout" }} extended if=$extended_access_logs_enabled {{ log_buffer }};
 
   {%- assign http_port = port.apicast | default: 8080 %}

diff --git a/gateway/src/apicast/configuration_loader/remote_v2.lua b/gateway/src/apicast/configuration_loader/remote_v2.lua
@@ -104,7 +104,7 @@ local function endpoint_for_services_with_host(portal_endpoint, env, host)
   local query_args = encode_args({ host = host })
 
   return format(
-      "%s/admin/api/services/proxy/configs/%s.json?%s",
+      "%s/admin/api/account/proxy_configs/%s.json?%s",
       portal_endpoint,
       env,
       query_args

diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua
@@ -58,6 +58,7 @@ function _M.resolve(uri)
     return ip, port
 end
 
+-- #TODO: This local function is no longer called as of PR#1323 and should be removed
 local function resolve(uri)
     local host = uri.host
     local port = uri.port
@@ -70,12 +71,12 @@ local function resolve(uri)
 end
 
 local function absolute_url(uri)
-    local host, port = resolve(uri)
-
+-- target server requires hostname not IP and DNS resolution is left to the proxy itself as specified in the RFC #7231
+-- https://httpwg.org/specs/rfc7231.html#CONNECT
     return format('%s://%s:%s%s',
             uri.scheme,
-            host,
-            port,
+            uri.host,
+            uri.port,
             uri.path or '/'
     )
 end

diff --git a/gateway/src/apicast/oauth/oidc.lua b/gateway/src/apicast/oauth/oidc.lua
@@ -103,9 +103,9 @@ local function timestamp_to_seconds_from_now(expiry, clock)
   return ttl
 end
 
-local function find_public_key(jwt, keys)
+local function find_jwk(jwt, keys)
   local jwk = keys and keys[jwt.header.kid]
-  if jwk then return jwk.pem end
+  if jwk then return jwk end
 end
 
 -- Parses the token - in this case we assume it's a JWT token
@@ -182,8 +182,13 @@ function _M:verify(jwt, cache_key)
     return false, '[jwt] invalid alg'
   end
 
-  -- TODO: this should be able to use DER format instead of PEM
-  local pubkey = find_public_key(jwt, self.keys)
+  -- Find jwk with matching kid for current JWT in request
+  local jwk_obj = find_jwk(jwt, self.keys)
+
+  local pubkey = jwk_obj.pem
+  if jwk_obj.alg ~= jwt.header.alg then
+    return false, '[jwt] alg mismatch'
+  end
 
   jwt = JWT:verify_jwt_obj(pubkey, jwt, self.jwt_claims)