Refactor example-e2e test #19
Conversation
M4tteoP
changed the title
M4tteoP
changed the title
This reverts commit bc55253.
example/envoy-config.yaml
Outdated
| @@ -3,23 +3,26 @@ static_resources: | |||
| - address: | |||
| socket_address: | |||
| address: 0.0.0.0 | |||
| port_value: 8001 | |||
| port_value: 80 | |||
There was a problem hiding this comment.
port 80 might not be the best choice for an example. One usually finds it occupied.
There was a problem hiding this comment.
I was mainly taking into account the usage of the example via docker-compose. In that case we will use ports 8080 and 8081 respectively for envoy and httpbin. Is it better to take into account also a standalone usage of the envoy config file?
example/envoy-config.yaml
Outdated
| filter_chains: | ||
| - filters: | ||
| - name: envoy.filters.network.http_connection_manager | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
| stat_prefix: ingress_http | ||
| codec_type: auto | ||
| http_protocol_options: | ||
| accept_http_10: true |
There was a problem hiding this comment.
Shall we add a comment on why this is needed?
There was a problem hiding this comment.
I removed this option from the example and left a commit on the config for ftw.
main.go
Outdated
| if err != nil { | ||
| proxywasm.LogCriticalf("failed to perform interruption on response body: %v", err) | ||
| } | ||
| // TODO(M4tteop): I'm looking for the Go version of StopIterationNoBuffer |
There was a problem hiding this comment.
Do you have any advice about it? I don't feel calling SendHttpResponse twice is really a safe option even if it is working as I wish (close the connection even if the client is still waiting for the body).
Update in order to give a bit more context: the WAF has not detected any malicious pattern up to the response body, so, in order to avoid leakage, I just want to drop the connection and send back an empty body.
There was a problem hiding this comment.
Looking at https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/proxy_wasm_enums.h#L37-L42 and https://github.com/tetratelabs/proxy-wasm-go-sdk/blob/main/proxywasm/types/types.go#L22-L27 I guess there was a reason to not to mimic outputs and also an alternative to not to buffer the response body so maybe @mathetake can provide some context.
There was a problem hiding this comment.
good q, I just wanted to simplify the API using the same status, rather than complex enums for each call back type (header, trailer, body/data, etc) as in C++.
I understand that you want to proactively drop the body, but in anyway the upcoming remaining body will be discarded immediately after the request fails, so do we REALLY want it?
main.go
Outdated
| proxywasm.LogCriticalf("failed to perform interruption on response body: %v", err) | ||
| } | ||
| // TODO(M4tteop): I'm looking for the Go version of StopIterationNoBuffer | ||
| // It is formally not correct to invoke SendHttpResponse during OnHttpResponseBody, but it is correctly closing the connection. |
There was a problem hiding this comment.
what does this mean? connection of what? what if it is http2?
There was a problem hiding this comment.
what I wanted to say is that with the current impl of envoy, it's impossible to make the request fail after you return Continue in OnHttpResponseHeader proxy-wasm/proxy-wasm-cpp-host#143
There was a problem hiding this comment.
that's the reason why we had the internal fork of cpp-host to change this behavior done by Takaya
There was a problem hiding this comment.
Thanks for confirming @mathetake. There are many proxy-wasm tasks we need to follow up on and finally have some budget for that so we'll try to make some progress there.
@M4tteoP In the meantime, it would be good to separate PRs for refactoring the example and response body logic. If you want to do the latter first, then my recommendation is to move ProcessResponseHeaders to OnHttpResponseBody). I can't find any coreruleset rules targeting response headers and this fits my intuition that there wouldn't be much to match there (maybe response cookies? But there isn't even a variable for that like there is for request cookies). There are a few response body rules though, so if we remove interruption in response headers we can still sanitize the response body when either interrupts there. What do you think?
main.go
Outdated
| err = proxywasm.ReplaceHttpResponseBody([]byte(``)) | ||
| if err != nil { | ||
| proxywasm.LogCriticalf("failed to perform interruption on response body: %v", err) |
There was a problem hiding this comment.
replacing with an empty buffer doesn't release anything in the host - it's just taking another string_view on the same memory region so this is just doing nothing.
| err = proxywasm.ReplaceHttpResponseBody([]byte(``)) | |
| if err != nil { | |
| proxywasm.LogCriticalf("failed to perform interruption on response body: %v", err) |
|
The conversation about response body logic continues in #26 |
|
If it sounds good, I propose to merge this PR addressing only the refactor of the e2e, temporary commenting tests about the response body. They will be added again as soon as we agree on a short-term solution #26. |
M4tteoP
changed the title
M4tteoP
changed the title
example/docker-compose.yml
Outdated
| volumes: | ||
| - logs:/home/envoy/logs:ro | ||
| tests: |
There was a problem hiding this comment.
I think you don't need this container for the example, the only reason this container is here, if I recall correctly is because you can curl the envoy directly from CI? If that is the case I recommend you create another docker-compose file in the e2e folder to include the script. See https://stackoverflow.com/questions/55650342/import-docker-compose-file-in-another-compose-file
On top of that, here I find a circular dependency: e2e depends on example and example depends on e2e (see https://github.com/corazawaf/coraza-proxy-wasm/pull/19/files#diff-fe02bc0074dfa40a0e1b60098921a60d187efae125046c3f008a5cdfa62cf028R60)
| func E2e() error { | ||
| return sh.RunV("docker-compose", "--file", "e2e/docker-compose.yml", "up", "--abort-on-container-exit") | ||
| return sh.RunV("docker-compose", "-f", "e2e/docker-compose.yml", "up", "--abort-on-container-exit", "tests") |
There was a problem hiding this comment.
Does this rely on the example (example/docker-compose.yml) to be up and running already? If that is the case I'd recommend you bootstrap services on both files but in any case the command should not require you to do a previous command. See https://docs.docker.com/compose/extends/
There was a problem hiding this comment.
Another option is of course to launch the example before the e2e
There was a problem hiding this comment.
mage e2e does not rely anymore on example/docker-compose.yml. I thought that a standalone and straightforward docker-compose was a cleaner alternative.
(Mainly had troubles with extends because of services with 'depends_on' cannot be extended).
Follows #12: