coupergateway · johakoch · Apr 28, 2022 · Apr 25, 2022 · Apr 25, 2022 · Apr 25, 2022
diff --git a/config/request/context_key.go b/config/request/context_key.go
@@ -8,6 +8,7 @@ const (
 	AccessControls
 	BackendName
 	BackendParams
+	BackendTokenRequest
 	BetaGrantedPermissions
 	BetaRequiredPermission
 	BufferOptions

diff --git a/config/runtime/error_handler.go b/config/runtime/error_handler.go
@@ -12,9 +12,33 @@ import (
 	"github.com/avenga/couper/handler"
 )
 
-var wildcardMap = map[string][]string{
-	"api":      {"beta_insufficient_permissions"},
-	"endpoint": {"beta_insufficient_permissions", "sequence", "unexpected_status"},
+type wildcardValues map[string][]string
+
+var wildcardMap = map[string]wildcardValues{
+	"api": {
+		"backend": {
+			"backend_openapi_validation",
+			"backend_timeout",
+		},
+		"*": {
+			"backend_openapi_validation",
+			"backend_timeout",
+			"beta_insufficient_permissions",
+		},
+	},
+	"endpoint": {
+		"backend": {
+			"backend_openapi_validation",
+			"backend_timeout",
+		},
+		"*": {
+			"backend_openapi_validation",
+			"backend_timeout",
+			"beta_insufficient_permissions",
+			"sequence",
+			"unexpected_status",
+		},
+	},
 }
 
 func newErrorHandler(ctx *hcl.EvalContext, opts *protectedOptions, log *logrus.Entry,
@@ -33,19 +57,21 @@ func newErrorHandler(ctx *hcl.EvalContext, opts *protectedOptions, log *logrus.E
 			}
 		}
 
-		// this works if wildcard is the only "super kind"
-		if mappedKinds, mkExists := wildcardMap[ref]; mkExists {
-			// expand wildcard:
-			// * set wildcard error handler for mapped kinds, no error handler for this kind is already set
+		if mappedValues, mkExists := wildcardMap[ref]; mkExists {
+			// expand wildcards:
+			// * set wildcard error handler for mapped kinds, if no error handler for this kind is already set
 			// * remove wildcard error handler for wildcard
-			if wcHandler, wcExists := handlersPerKind["*"]; wcExists {
-				for _, mk := range mappedKinds {
-					if _, exists := handlersPerKind[mk]; !exists {
-						handlersPerKind[mk] = wcHandler
+			for key, values := range mappedValues {
+				if wcHandler, wcExists := handlersPerKind[key]; wcExists {
+					for _, mk := range values {
+						if _, exists := handlersPerKind[mk]; !exists {
+							handlersPerKind[mk] = wcHandler
+						}
 					}
+
+					delete(handlersPerKind, key)
 				}
 			}
-			delete(handlersPerKind, "*")
 		}
 
 		for k, h := range handlersPerKind {

diff --git a/docs/ERRORS.md b/docs/ERRORS.md
@@ -56,11 +56,17 @@ All errors have a specific type. You can find it in the log field `error_type`.
 
 | Type (and super types)                          | Description                                                                                             | Default handling                                                            |
 |:------------------------------------------------|:--------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------|
+| `backend`                                       | All catchable `backend` related errors | Send error template with status `502`. |
+| `backend_openapi_validation` (`backend`)        | Client request or backend response is invalid | Send error template with status code `400` for invalid client request or `502` for invalid backend response. |
+| `backend_timeout` (`backend`)                   | A backend request timed out | Send error template with status `504`. |
 | `beta_insufficient_permissions`                 | The permission required for the requested operation is not in the permissions granted to the requester. | Send error template with status `403`.                                      |
 
 ### Endpoint error types
 
 | Type (and super types)                          | Description                                                                                      | Default handling                                                            |
 |:------------------------------------------------|:-------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------|
+| `backend`                                       | All catchable `backend` related errors | Send error template with status `502`. |
+| `backend_openapi_validation` (`backend`)        | Client request or backend response is invalid | Send error template with status code `400` for invalid client request or `502` for invalid backend response. |
+| `backend_timeout` (`backend`)                   | A backend request timed out | Send error template with status `504`. |
 | `sequence`                                      | A `request` or `proxy` block request has been failed while depending on another one              | Send error template with status `502`.                                      |
 | `unexpected_status`                             | A `request` or `proxy` block response status code does not match the to `expected_status` list   | Send error template with status `502`.                                      |
diff --git a/errors/couper.go b/errors/couper.go
@@ -10,20 +10,18 @@ import (
 const Wildcard = "*"
 
 var (
-	AccessControl     = &Error{synopsis: "access control error", kinds: []string{"access_control"}, httpStatus: http.StatusForbidden}
-	Backend           = &Error{synopsis: "backend error", httpStatus: http.StatusBadGateway}
-	BackendTimeout    = &Error{synopsis: "backend timeout error", httpStatus: http.StatusGatewayTimeout}
-	BackendValidation = &Error{synopsis: "backend validation error", kinds: []string{"backend_validation"}, httpStatus: http.StatusBadRequest}
-	ClientRequest     = &Error{synopsis: "client request error", httpStatus: http.StatusBadRequest}
-	Endpoint          = &Error{synopsis: "endpoint error", kinds: []string{"endpoint"}, httpStatus: http.StatusBadGateway}
-	Evaluation        = &Error{synopsis: "expression evaluation error", kinds: []string{"evaluation"}, httpStatus: http.StatusInternalServerError}
-	Configuration     = &Error{synopsis: "configuration error", kinds: []string{"configuration"}, httpStatus: http.StatusInternalServerError}
-	MethodNotAllowed  = &Error{synopsis: "method not allowed error", httpStatus: http.StatusMethodNotAllowed}
-	Proxy             = &Error{synopsis: "proxy error", httpStatus: http.StatusBadGateway}
-	Request           = &Error{synopsis: "request error", httpStatus: http.StatusBadGateway}
-	RouteNotFound     = &Error{synopsis: "route not found error", httpStatus: http.StatusNotFound}
-	Server            = &Error{synopsis: "internal server error", httpStatus: http.StatusInternalServerError}
-	ServerShutdown    = &Error{synopsis: "server shutdown error", httpStatus: http.StatusInternalServerError}
+	AccessControl    = &Error{synopsis: "access control error", kinds: []string{"access_control"}, httpStatus: http.StatusForbidden}
+	Backend          = &Error{synopsis: "backend error", kinds: []string{"backend"}, httpStatus: http.StatusBadGateway}
+	ClientRequest    = &Error{synopsis: "client request error", httpStatus: http.StatusBadRequest}
+	Endpoint         = &Error{synopsis: "endpoint error", kinds: []string{"endpoint"}, httpStatus: http.StatusBadGateway}
+	Evaluation       = &Error{synopsis: "expression evaluation error", kinds: []string{"evaluation"}, httpStatus: http.StatusInternalServerError}
+	Configuration    = &Error{synopsis: "configuration error", kinds: []string{"configuration"}, httpStatus: http.StatusInternalServerError}
+	MethodNotAllowed = &Error{synopsis: "method not allowed error", httpStatus: http.StatusMethodNotAllowed}
+	Proxy            = &Error{synopsis: "proxy error", httpStatus: http.StatusBadGateway}
+	Request          = &Error{synopsis: "request error", httpStatus: http.StatusBadGateway}
+	RouteNotFound    = &Error{synopsis: "route not found error", httpStatus: http.StatusNotFound}
+	Server           = &Error{synopsis: "internal server error", httpStatus: http.StatusInternalServerError}
+	ServerShutdown   = &Error{synopsis: "server shutdown error", httpStatus: http.StatusInternalServerError}
 )
 
 func TypeToSnake(t interface{}) string {

diff --git a/errors/type_defintions.go b/errors/type_defintions.go
@@ -22,7 +22,9 @@ var Definitions = []*Error{
 
 	AccessControl.Kind("beta_insufficient_permissions"),
 
-	BackendValidation,
+	Backend,
+	Backend.Kind("backend_openapi_validation").Status(http.StatusBadRequest),
+	Backend.Kind("backend_timeout").Status(http.StatusGatewayTimeout),
 
 	Endpoint.Kind("sequence"),
 	Endpoint.Kind("unexpected_status"),

diff --git a/errors/types_generated.go b/errors/types_generated.go
diff --git a/handler/transport/backend.go b/handler/transport/backend.go
@@ -216,7 +216,7 @@ func (b *Backend) RoundTrip(req *http.Request) (*http.Response, error) {
 func (b *Backend) openAPIValidate(req *http.Request, tc *Config, deadlineErr <-chan error) (*http.Response, error) {
 	requestValidationInput, err := b.openAPIValidator.ValidateRequest(req)
 	if err != nil {
-		return nil, errors.BackendValidation.Label(b.name).Kind("backend_request_validation").With(err)
+		return nil, errors.BackendOpenapiValidation.Label(b.name).With(err)
 	}
 
 	beresp, err := b.innerRoundTrip(req, tc, deadlineErr)
@@ -225,8 +225,7 @@ func (b *Backend) openAPIValidate(req *http.Request, tc *Config, deadlineErr <-c
 	}
 
 	if err = b.openAPIValidator.ValidateResponse(beresp, requestValidationInput); err != nil {
-		return nil, errors.BackendValidation.Label(b.name).Kind("backend_response_validation").
-			With(err).Status(http.StatusBadGateway)
+		return nil, errors.BackendOpenapiValidation.Label(b.name).With(err).Status(http.StatusBadGateway)
 	}
 
 	return beresp, nil
@@ -283,19 +282,17 @@ func (b *Backend) innerRoundTrip(req *http.Request, tc *Config, deadlineErr <-ch
 	return beresp, nil
 }
 
-const backendTokenRequest = "backendTokenRequest"
-
 func (b *Backend) withTokenRequest(req *http.Request) error {
 	if b.tokenRequest == nil {
 		return nil
 	}
 
-	trValue, _ := req.Context().Value(backendTokenRequest).(string)
+	trValue, _ := req.Context().Value(request.BackendTokenRequest).(string)
 	if trValue != "" { // prevent loop
 		return nil
 	}
 
-	ctx := context.WithValue(req.Context(), backendTokenRequest, "tr")
+	ctx := context.WithValue(req.Context(), request.BackendTokenRequest, "tr")
 	// Reset for upstream transport; prevent mixing values.
 	// tokenRequest will have their own backend configuration.
 	ctx = context.WithValue(ctx, request.BackendParams, nil)
@@ -310,7 +307,7 @@ func (b *Backend) withRetryTokenRequest(req *http.Request, res *http.Response) (
 		return false, nil
 	}
 
-	trValue, _ := req.Context().Value(backendTokenRequest).(string)
+	trValue, _ := req.Context().Value(request.BackendTokenRequest).(string)
 	if trValue != "" { // prevent loop
 		return false, nil
 	}

diff --git a/handler/transport/backend_test.go b/handler/transport/backend_test.go
@@ -203,7 +203,7 @@ func TestBackend_RoundTrip_Validation(t *testing.T) {
 			&config.OpenAPI{File: "testdata/upstream.yaml"},
 			http.MethodPost,
 			"/get",
-			"backend validation error",
+			"backend error",
 			"'POST /get': method not allowed",
 		},
 		{
@@ -219,7 +219,7 @@ func TestBackend_RoundTrip_Validation(t *testing.T) {
 			&config.OpenAPI{File: "testdata/upstream.yaml"},
 			http.MethodGet,
 			"/get?404",
-			"backend validation error",
+			"backend error",
 			"status is not supported",
 		},
 		{

diff --git a/handler/validation/openapi_test.go b/handler/validation/openapi_test.go
@@ -67,10 +67,10 @@ func TestOpenAPIValidator_ValidateRequest(t *testing.T) {
 		wantBody   bool
 		wantErrLog string
 	}{
-		{"GET without required query", "/a?b", nil, false, `backend validation error: parameter "b" in query has an error: value is required but missing`},
+		{"GET without required query", "/a?b", nil, false, `backend error: parameter "b" in query has an error: value is required but missing`},
 		{"GET with required query", "/a?b=value", nil, false, ""},
 		{"GET with required path", "/a/value", nil, false, ""},
-		{"GET with required path missing", "/a//", nil, false, `backend validation error: parameter "b" in query has an error: value is required but missing`},
+		{"GET with required path missing", "/a//", nil, false, `backend error: parameter "b" in query has an error: value is required but missing`},
 		{"GET with optional query", "/b", nil, false, ""},
 		{"GET with optional path param", "/b/a", nil, false, ""},
 		{"GET with required json body", "/json", strings.NewReader(`["hans", "wurst"]`), true, ""},

diff --git a/server/http_endpoints_test.go b/server/http_endpoints_test.go
@@ -790,7 +790,7 @@ func TestEndpointSequenceBackendTimeout(t *testing.T) {
 		}
 
 		path := entry.Data["request"].(logging.Fields)["path"]
-		if entry.Message == "backend timeout error: anonymous_3_23: deadline exceeded" {
+		if entry.Message == "backend error: anonymous_3_23: deadline exceeded" {
 			ctxDeadlineSeen = true
 			if path != "/" {
 				t.Errorf("expected '/' to fail")

diff --git a/server/http_error_handler_test.go b/server/http_error_handler_test.go
@@ -1,6 +1,8 @@
 package server_test
 
 import (
+	"bytes"
+	"io"
 	"net/http"
 	"strings"
 	"testing"
@@ -123,6 +125,52 @@ func TestAccessControl_ErrorHandler_Configuration_Error(t *testing.T) {
 	}
 }
 
+func TestErrorHandler_Backend(t *testing.T) {
+	client := test.NewHTTPClient()
+
+	shutdown, _ := newCouper("testdata/integration/error_handler/05_couper.hcl", test.New(t))
+	defer shutdown()
+
+	type testcase struct {
+		path      string
+		expBody   string
+		expStatus int
+	}
+
+	for _, tc := range []testcase{
+		{"/api-backend", `{"api":"backend"}`, 405},
+		{"/api-backend-timeout", `{"api":"backend-timeout"}`, 405},
+		{"/api-backend-validation", `{"api":"backend-validation"}`, 405},
+		{"/api-anything", `{"api":"backend-backend-validation"}`, 405},
+		{"/backend", `{"endpoint":"backend"}`, 405},
+		{"/backend-timeout", `{"endpoint":"backend-timeout"}`, 405},
+		{"/backend-validation", `{"endpoint":"backend-validation"}`, 405},
+		{"/anything", `{"endpoint":"backend-backend-validation"}`, 405},
+	} {
+		t.Run(tc.path, func(st *testing.T) {
+			helper := test.New(st)
+
+			req, err := http.NewRequest(http.MethodGet, "http://anyserver:8080"+tc.path, nil)
+			helper.Must(err)
+
+			res, err := client.Do(req)
+			helper.Must(err)
+
+			if res.StatusCode != tc.expStatus {
+				st.Fatalf("want: %d, got: %d", tc.expStatus, res.StatusCode)
+			}
+
+			resBytes, err := io.ReadAll(res.Body)
+			defer res.Body.Close()
+			helper.Must(err)
+
+			if !bytes.Contains(resBytes, []byte(tc.expBody)) {
+				st.Fatalf("want: %s, got: %s", tc.expBody, resBytes)
+			}
+		})
+	}
+}
+
 func TestAccessControl_ErrorHandler_Permissions(t *testing.T) {
 	client := test.NewHTTPClient()
 

diff --git a/server/testdata/integration/error_handler/01_schema.yaml b/server/testdata/integration/error_handler/01_schema.yaml
@@ -0,0 +1,13 @@
+openapi: '3'
+info:
+  title: 'Test'
+  version: 'v1.2.3'
+paths:
+  /api-backend-validation:
+    get:
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: object
+        required: true
diff --git a/server/testdata/integration/error_handler/02_schema.yaml b/server/testdata/integration/error_handler/02_schema.yaml
@@ -0,0 +1,10 @@
+openapi: '3'
+info:
+  title: 'Test'
+  version: 'v1.2.3'
+paths:
+  /anything:
+    get:
+      responses:
+        405:
+          description: OK