Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(aws-lambda) proxy correctly with lua-resty-http #8406

Merged
merged 8 commits into from
Feb 16, 2022
Merged

fix(aws-lambda) proxy correctly with lua-resty-http #8406

merged 8 commits into from
Feb 16, 2022

Conversation

flrgh
Copy link
Contributor

@flrgh flrgh commented Feb 12, 2022

Summary

The aws-lambda plugin currently mishandles user proxy configuration, passing proxy_opts.http_proxy to resty.http when it ought to be passing proxy_opts.https_proxy (since the request to AWS lambda is always https).

This PR remedies that problem along with a couple other shortcomings surrounding the config schema:

  1. The proxy_scheme param is unused and is not needed with the current implementation (proxy_url expects a full url with scheme). This PR deprecates it, logging a warning that it will be removed in Kong 3.0.
  2. lua-resty-http does not support https connection to proxy, so extra validation has been added to proxy_url to ensure only http is used.

Testing

This plugin used to ship with it's own specialized http connect code (and tests). This is not used anymore, so the associated tests (spec/03-plugins/27-aws-lambda/50-http-proxy_spec.lua) have been removed, as they do not test anything specific to this plugin or its code.

The access handler tests didn't have any coverage for instances using an http proxy, so I sought to add one, which was a little bit more involved of a chore than I expected. The repo's CI pipeline stuff includes a squid container (previously used for the aforementioned http connect tests), but using this in tests is a royal pain:

  1. We can't mock DNS inside squid without significant effort
  2. We can't simply use 127.0.0.1 for all targets without requiring the container to run in host networking mode.

So I ditched squid and wrote a minimal TCP server that implements CONNECT (spec/fixtures/forward-proxy-server.lua). It's not awesome, but it gets the job done.

Result: the test coverage for aws-lambda+http proxy still leaves much to be desired, but this is a step in the right direction.

Full changelog

  • fix(aws-lambda) deprecate proxy_scheme parameter
  • fix(aws-lambda) always use https_proxy
  • fix(aws-lambda) ensure proxy_url scheme is http
  • tests(aws-lambda) remove old http proxy tests

Issue reference

Fix #8317

flrgh added 4 commits February 11, 2022 14:40
@flrgh
fix(aws-lambda) ensure proxy_url scheme is http
bd937ba 
lua-resty-http only supports http connections to the proxy, regardless
of request scheme
@flrgh
fix(aws-lambda) deprecate proxy_scheme parameter
1a5e52a 
This config parameter is not used anywhere.
@flrgh
fix(aws-lambda) always use https_proxy
302f1d0
@flrgh
tests(aws-lambda) remove old http proxy tests
ec4007e
@github-actions github-actions bot added chore Not part of the core functionality of kong, but still needed plugins/aws-lambda labels Feb 12, 2022
hbagdi
hbagdi reviewed Feb 14, 2022
View reviewed changes
kong/plugins/aws-lambda/schema.lua
@@ -75,6 +75,7 @@ return {
type = "boolean",
default = false,
} },
-- TODO: remove proxy_scheme in Kong 3.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bungle We should explore a "deprecated = true" property on the schema to manage these programmatically.

@flrgh flrgh requested review from aboudreault and a team February 15, 2022 18:36
aboudreault
aboudreault reviewed Feb 15, 2022
View reviewed changes
spec/fixtures/aws-lambda.lua
listen 13128;

content_by_lua_block {
require("spec.fixtures.forward-proxy-server").connect()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like that

aboudreault
aboudreault approved these changes Feb 15, 2022
View reviewed changes
Copy link
Contributor

@aboudreault aboudreault left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we want to include this fix in 2.8.0. @flrgh @kikito do you agree?

If so, we just need to change the target to release/2.8.x and/or create another PR for it (cherry-pick).

@flrgh
Copy link
Contributor Author

flrgh commented Feb 16, 2022

I think we want to include this fix in 2.8.0. @flrgh @kikito do you agree?

Yes, this is intended to land in 2.8.0.

If so, we just need to change the target to release/2.8.x and/or create another PR for it (cherry-pick).

I don't have any strong preference here, so whatever you think is best!

@flrgh flrgh changed the base branch from master to release/2.8.x February 16, 2022 17:47
@flrgh flrgh merged commit 8c374ed into release/2.8.x Feb 16, 2022
@flrgh flrgh deleted the fix/aws-lambda-proxy branch February 16, 2022 18:28
flrgh added a commit that referenced this pull request Feb 22, 2022
@flrgh
fix(aws-lambda) proxy correctly with lua-resty-http (#8406)
7029012 
Fix some bugs and warts in the aws-lambda plugin:

* Fix broken proxying by always using `https_proxy` with resty.http
* Deprecate `proxy_scheme` config param

Some minimal test coverage for proxying was added, and some defunct test cases were removed.
This was referenced Feb 22, 2022
Merged
Merged
kikito pushed a commit that referenced this pull request Feb 23, 2022
@flrgh @kikito
fix(aws-lambda) proxy correctly with lua-resty-http (#8406)
90b0e36 
Fix some bugs and warts in the aws-lambda plugin:

* Fix broken proxying by always using `https_proxy` with resty.http
* Deprecate `proxy_scheme` config param

Some minimal test coverage for proxying was added, and some defunct test cases were removed.
@kikito kikito mentioned this pull request Feb 23, 2022
Merged
kikito pushed a commit that referenced this pull request Feb 23, 2022
@flrgh @kikito
fix(aws-lambda) proxy correctly with lua-resty-http (#8406)
fd58486 
Fix some bugs and warts in the aws-lambda plugin:

* Fix broken proxying by always using `https_proxy` with resty.http
* Deprecate `proxy_scheme` config param

Some minimal test coverage for proxying was added, and some defunct test cases were removed.
@kikito kikito mentioned this pull request Feb 24, 2022
Merged
@lena-larionova lena-larionova mentioned this pull request Feb 28, 2022
Merged
flrgh added a commit that referenced this pull request Mar 2, 2022
@flrgh
fix(aws-lambda) proxy correctly with lua-resty-http (#8406)
651d326 
Fix some bugs and warts in the aws-lambda plugin:

* Fix broken proxying by always using `https_proxy` with resty.http
* Deprecate `proxy_scheme` config param

Some minimal test coverage for proxying was added, and some defunct test cases were removed.
@merkle-rking merkle-rking mentioned this pull request Sep 21, 2022
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hbagdi hbagdi hbagdi left review comments

@aboudreault aboudreault aboudreault approved these changes

Assignees
No one assigned
Labels
chore Not part of the core functionality of kong, but still needed plugins/aws-lambda
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Timeout when calling lambda
3 participants
@flrgh @aboudreault @hbagdi