bug: errors on SSL object's schema and certificates loading #10886

Closed
bzp2010 opened this issue Jan 30, 2024 · 1 comment
bzp2010 commented Jan 30, 2024

Current Behavior

The ssl object definition in the apisix/schema_def.lua file mentions that it allows for input in the form of sni, cert, key, snis, certs, keys, i.e. it allows for multiple SNIs to be configured for a single SSL object, and supports multiple certificate pairs.

In the following logic flow it is written:

["if"] = {
    properties = {
        type = {
            enum = {"server"},
        },
    },
},
["then"] = {
    oneOf = {
        {required = {"sni", "key", "cert"}},
        {required = {"snis", "key", "cert"}}
    }
},
["else"] = {required = {"key", "cert"}},

This means that I can't pass schema check with certs and keys configured anyway. So what is the point of certs and keys?

I think this is a significant bug. And it's been around for 20 months [#7221].


Further, even if I manually change it to certs and keys, it doesn't configure properly and more bugs are happening.

Even if there are no bugs sent, there is a logical error in the schema: why must snis, certs, keys exist at the same time? It is absurd.

A possible option is to allow oneOf:

sni + cert + key
snis + cert + key
sni + certs + keys
snis + certs + keys

By the way, I don't think this has anything to do with the GM plugin, which implements [#8389] after the bug.

Expected Behavior

Allows multiple certificates to be properly configured on a single SSL object via the APISIX Admin API.

Error Logs

No response

Steps to Reproduce

  1. Use the following command:
curl --location --request PUT '127.0.0.1:9181/apisix/admin/ssls/1' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data '{
    "snis": [
        "xxx.com"
    ],
    "certs": [
        "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ],
    "keys": [
        "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ],
    "status": 1
}'
  2. Receive a response like:
{"error_msg":"invalid configuration: then clause did not match"}

Environment

  • APISIX version (run apisix version): 3.8.0
  • Operating system (run uname -a): not related
  • OpenResty / Nginx version (run openresty -V or nginx -V): not related
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): not related
  • APISIX Dashboard version, if relevant: not related
  • Plugin runner version, for issues related to plugin runners: not related
  • LuaRocks version, for installation issues (run luarocks --version): not related

bzp2010 commented Jan 30, 2024

There is some misunderstanding here: the docs say that the first certificate should be configured using cert and subsequent ones using certs. Nevertheless, this is really rather unintuitive and counter-intuitive...
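
The schema behaviour discussed in this thread, as an added example that is not part of the original issue or of APISIX's code: a minimal Python evaluator for only the keywords in the quoted excerpt, run against the request body from the reproduction steps and the cert-plus-certs layout described in the follow-up comment. The evaluator, the placeholder certificate strings and the `PROPOSED` variant (built from the four combinations listed in the issue) are constructed for illustration.

```python
# Added illustration, not APISIX code: a tiny evaluator for the JSON Schema
# keywords used in the excerpt (required, properties/enum, oneOf, if/then/else).
CURRENT = {
    "if": {"properties": {"type": {"enum": ["server"]}}},
    "then": {"oneOf": [
        {"required": ["sni", "key", "cert"]},
        {"required": ["snis", "key", "cert"]},
    ]},
    "else": {"required": ["key", "cert"]},
}
# The four combinations the issue lists as a possible option.
PROPOSED = dict(CURRENT, then={"oneOf": [
    {"required": ["sni", "cert", "key"]},
    {"required": ["snis", "cert", "key"]},
    {"required": ["sni", "certs", "keys"]},
    {"required": ["snis", "certs", "keys"]},
]})

def valid(schema, obj):
    """True when obj satisfies the keywords this sketch understands."""
    if any(name not in obj for name in schema.get("required", [])):
        return False
    for name, sub in schema.get("properties", {}).items():
        # An absent property is vacuously valid, so a body without "type"
        # still satisfies "if" and is held to the "then" branch.
        if name in obj and "enum" in sub and obj[name] not in sub["enum"]:
            return False
    if "oneOf" in schema:
        # oneOf means exactly one branch matches, not at least one.
        return sum(valid(s, obj) for s in schema["oneOf"]) == 1
    return True

def check(schema, obj):
    """None when obj passes, else a message shaped like the one in the issue."""
    branch = "then" if valid(schema["if"], obj) else "else"
    if not valid(schema[branch], obj):
        return f"invalid configuration: {branch} clause did not match"
    return None

# Constructed sample bodies (placeholder strings stand in for PEM data).
ISSUE_BODY = {"snis": ["xxx.com"], "certs": ["PEM-1"], "keys": ["KEY-1"], "status": 1}
DOCUMENTED = {"snis": ["xxx.com"], "cert": "PEM-1", "key": "KEY-1",
              "certs": ["PEM-2"], "keys": ["KEY-2"]}

if __name__ == "__main__":
    for label, body in (("issue body", ISSUE_BODY), ("documented layout", DOCUMENTED)):
        print(label, "| current:", check(CURRENT, body), "| proposed:", check(PROPOSED, body))
```

With these inputs the current `then` clause rejects the reproduction body with the same message as in the issue and accepts the documented layout. A strict `oneOf` over the four listed combinations accepts the reproduction body but rejects a body carrying both `cert`/`key` and `certs`/`keys`, because two branches match at once.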
