fix(aws-lambda) proxy correctly with lua-resty-http (#8406)

Fix some bugs and warts in the aws-lambda plugin: * Fix broken proxying by always using `https_proxy` with resty.http * Deprecate `proxy_scheme` config param Some minimal test coverage for proxying was added, and some defunct test cases were removed.
Kong · Feb 22, 2022 · 7029012 · 7029012
1 parent 4a6b5b3
commit 7029012
Show file tree

Hide file tree

Showing 11 changed files with 202 additions and 168 deletions.
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -155,11 +155,6 @@ jobs:
           - 6379:6379
         options: --entrypoint redis-server
 
-      squid:
-        image: datadog/squid
-        ports:
-          - 3128:3128
-
       zipkin:
         image: openzipkin/zipkin:2.19
         ports:
@@ -283,11 +278,6 @@ jobs:
           - 6379:6379
         options: --entrypoint redis-server
 
-      squid:
-        image: datadog/squid
-        ports:
-          - 3128:3128
-
       zipkin:
         image: openzipkin/zipkin:2.19
         ports:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 # Table of Contents
 
+- [2.7.2](#272)
 - [2.7.1](#271)
 - [2.7.0](#270)
 - [2.6.0](#260)
@@ -61,6 +62,18 @@
 - [0.10.0](#0100---20170307)
 - [0.9.9 and prior](#099---20170202)
 
+
+## [2.7.2] (UNRELEASED)
+
+### Fixes
+
+#### Plugins
+
+- **AWS-Lambda**: Fixed incorrect behavior when configured to use an http proxy
+    and deprecated the `proxy_scheme` config attribute for removal in 3.0
+    [#8406](https://github.com/Kong/kong/pull/8406)
+
+
 ## [2.7.1]
 
 ### Fixes

diff --git a/kong/plugins/aws-lambda/CHANGELOG.md b/kong/plugins/aws-lambda/CHANGELOG.md
@@ -11,9 +11,24 @@
 - upload to luarocks; `luarocks upload kong-plugin-aws-lambda-x.y.z-1.rockspec --api-key=abc...`
 - test rockspec; `luarocks install kong-plugin-aws-lambda`
 
+## aws-lambda 3.6.3 15-Feb-2022
 
-## unreleased
+- tests: update forward-proxy fixture
+- tests: remove old http proxy tests
+- fix: always use https_proxy
+- fix: deprecate proxy_scheme parameter
+- fix: ensure proxy_url scheme is http
 
+## aws-lambda 3.6.2 07-Sep-2021
+
+- chore: bump lua-resty-http from 0.15 to 0.16.1 [#7797](https://github.com/Kong/kong/pull/7797)
+
+## aws-lambda 3.6.1 07-Sep-2021
+- refactor: use error function instead of kong.log.err + kong.response.error [#7797](https://github.com/Kong/kong/pull/7797)
+
+## aws-lambda 3.6.0 30-Aug-2021
+
+- feat: add support for detecting AWS region from environment variable [#7765](https://github.com/Kong/kong/pull/7765)
 - fix: handle multivalueheaders [#59](https://github.com/Kong/kong-plugin-aws-lambda/pull/59)
 
 ## aws-lambda 3.5.4 22-Mar-2021

diff --git a/kong/plugins/aws-lambda/handler.lua b/kong/plugins/aws-lambda/handler.lua
@@ -17,6 +17,8 @@ local AWS_REGION do
   AWS_REGION = os.getenv("AWS_REGION") or os.getenv("AWS_DEFAULT_REGION")
 end
 
+local _logged_proxy_scheme_warning
+
 local fetch_credentials do
   local credential_sources = {
     require "kong.plugins.aws-lambda.iam-ecs-credentials",
@@ -44,7 +46,6 @@ local error = error
 local pairs = pairs
 local kong = kong
 local type = type
-local find = string.find
 local fmt = string.format
 
 
@@ -244,17 +245,17 @@ function AWSLambdaHandler:access(conf)
   local uri = port and fmt("https://%s:%d", host, port)
                     or fmt("https://%s", host)
 
+  if conf.proxy_scheme and not _logged_proxy_scheme_warning then
+    kong.log.warn("`proxy_scheme` is deprecated and will be removed in Kong 3.0")
+    _logged_proxy_scheme_warning = true
+  end
+
   local proxy_opts
   if conf.proxy_url then
-    if find(conf.proxy_url, "https", 1, true) == 1 then
-      proxy_opts = {
-        https_proxy = conf.proxy_url,
-      }
-    else
-      proxy_opts = {
-        http_proxy = conf.proxy_url,
-      }
-    end
+    -- lua-resty-http uses the request scheme to determine which of
+    -- http_proxy/https_proxy it will use, and from this plugin's POV, the
+    -- request scheme is always https
+    proxy_opts = { https_proxy = conf.proxy_url }
   end
 
   -- Trigger request
@@ -326,6 +327,6 @@ function AWSLambdaHandler:access(conf)
 end
 
 AWSLambdaHandler.PRIORITY = 750
-AWSLambdaHandler.VERSION = "3.6.2"
+AWSLambdaHandler.VERSION = "3.6.3"
 
 return AWSLambdaHandler
diff --git a/...a/kong-plugin-aws-lambda-3.5.4-1.rockspec → ...a/kong-plugin-aws-lambda-3.6.3-0.rockspec b/...a/kong-plugin-aws-lambda-3.5.4-1.rockspec → ...a/kong-plugin-aws-lambda-3.6.3-0.rockspec
@@ -1,10 +1,10 @@
 package = "kong-plugin-aws-lambda"
-version = "3.5.4-1"
+version = "3.6.3-1"
 
 supported_platforms = {"linux", "macosx"}
 source = {
   url = "git://github.com/kong/kong-plugin-aws-lambda",
-  tag = "3.5.4",
+  tag = "3.6.3",
 }
 
 description = {
@@ -26,7 +26,6 @@ build = {
     ["kong.plugins.aws-lambda.iam-ecs-credentials"]  = "kong/plugins/aws-lambda/iam-ecs-credentials.lua",
     ["kong.plugins.aws-lambda.schema"]               = "kong/plugins/aws-lambda/schema.lua",
     ["kong.plugins.aws-lambda.v4"]                   = "kong/plugins/aws-lambda/v4.lua",
-    ["kong.plugins.aws-lambda.http.connect-better"]  = "kong/plugins/aws-lambda/http/connect-better.lua",
     ["kong.plugins.aws-lambda.request-util"]         = "kong/plugins/aws-lambda/request-util.lua",
   }
 }
diff --git a/kong/plugins/aws-lambda/schema.lua b/kong/plugins/aws-lambda/schema.lua
@@ -75,6 +75,7 @@ return {
           type = "boolean",
           default = false,
         } },
+        -- TODO: remove proxy_scheme in Kong 3.0
         { proxy_scheme = {
           type = "string",
           one_of = { "http", "https" }
@@ -93,7 +94,23 @@ return {
   } },
   entity_checks = {
     { mutually_required = { "config.aws_key", "config.aws_secret" } },
-    { mutually_required = { "config.proxy_scheme", "config.proxy_url" } },
     { mutually_exclusive = { "config.aws_region", "config.host" } },
+    { custom_entity_check = {
+        field_sources = { "config.proxy_url" },
+        fn = function(entity)
+          local proxy_url = entity.config and entity.config.proxy_url
+
+          if type(proxy_url) == "string" then
+            local scheme = proxy_url:match("^([^:]+)://")
+
+            if scheme and scheme ~= "http" then
+              return nil, "proxy_url scheme must be http"
+            end
+          end
+
+          return true
+        end,
+      }
+    },
   }
 }
diff --git a/spec/03-plugins/27-aws-lambda/02-schema_spec.lua b/spec/03-plugins/27-aws-lambda/02-schema_spec.lua
@@ -79,15 +79,18 @@ describe("Plugin: AWS Lambda (schema)", function()
     assert.falsy(ok)
   end)
 
-  it("errors if proxy_scheme is missing while proxy_url is provided", function()
-    local ok, err = v({
-      proxy_url = "http://hello.com/proxy",
-      aws_region = "us-east-1",
-      function_name = "my-function"
-    }, schema_def)
-
-    assert.equal("all or none of these fields must be set: 'config.proxy_scheme', 'config.proxy_url'", err["@entity"][1])
-    assert.falsy(ok)
+  it("errors with a non-http proxy_url", function()
+    for _, scheme in ipairs({"https", "ftp", "wss"}) do
+      local ok, err = v({
+        proxy_url = scheme .. "://squid:3128",
+        aws_region = "us-east-1",
+        function_name = "my-function"
+      }, schema_def)
+
+      assert.not_nil(err)
+      assert.falsy(ok)
+      assert.equals("proxy_url scheme must be http", err["@entity"][1])
+    end
   end)
 
   it("accepts a host", function()

diff --git a/spec/03-plugins/27-aws-lambda/50-http-proxy_spec.lua b/spec/03-plugins/27-aws-lambda/50-http-proxy_spec.lua