diff --git a/CHANGELOG.md b/CHANGELOG.md index 83556c9aa..b4ec6277d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). ## [0.19.30] ### Changed +- add possibility to log custom header in RBAC +- add token information to RBAC logs - specify min and max supported envoy version - add option to run tests on specific envoy version, including min and max supported version diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt index 8b166015d..c8dcd69fc 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt @@ -97,6 +97,7 @@ class IncomingPermissionsProperties { var clientsAllowedToAllEndpoints = mutableListOf() var clientsLists = ClientsListsProperties() var overlappingPathsFix = false // TODO: to be removed when proved it did not mess up anything + var headersToLogInRbac: List = emptyList() } class SelectorMatching { diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/LuaFilterFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/LuaFilterFactory.kt index 0c3c0974f..fcd631649 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/LuaFilterFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/LuaFilterFactory.kt @@ -64,7 +64,9 @@ class LuaFilterFactory(private val incomingPermissionsProperties: IncomingPermis ), "service_name" to StringPropertyLua(group.serviceName), "discovery_service_name" to StringPropertyLua(group.discoveryServiceName ?: ""), - + "rbac_headers_to_log" to ListPropertyLua( + incomingPermissionsProperties.headersToLogInRbac.map(::StringPropertyLua) + ), ) + customLuaMetadata return Metadata.newBuilder() .putFilterMetadata("envoy.filters.http.lua", metadata.toValue().structValue) diff --git a/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua b/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua index c526d5b0a..d5d17cb59 100644 --- a/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua +++ b/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua @@ -1,62 +1,70 @@ function envoy_on_request(handle) - local path = handle:headers():get(":path") - local method = handle:headers():get(":method") - local authority = handle:headers():get(":authority") or "" - local lua_destination_authority = handle:headers():get("x-lua-destination-authority") or "" - local xff_header = handle:headers():get("x-forwarded-for") - local metadata = handle:streamInfo():dynamicMetadata() - local client_identity_header_names = handle:metadata():get("client_identity_headers") or {} - local clients_allowed_to_all_endpoints = handle:metadata():get("clients_allowed_to_all_endpoints") or {} - local request_id_header_names = handle:metadata():get("request_id_headers") or {} - local request_id = first_header_value_from_list(request_id_header_names, handle) - local trusted_header_name = handle:metadata():get("trusted_client_identity_header") or "" - local client_name = "" + local metadata = handle:metadata() + local client_identity_header_names = metadata:get('client_identity_headers') or {} + local clients_allowed_to_all_endpoints = metadata:get('clients_allowed_to_all_endpoints') or {} + local request_id_header_names = metadata:get('request_id_headers') or {} + local trusted_header_name = metadata:get('trusted_client_identity_header') or '' + + local headers = handle:headers() + local path = headers:get(':path') + local method = headers:get(':method') + local authority = headers:get(':authority') or '' + local lua_destination_authority = headers:get('x-lua-destination-authority') or '' + local xff_header = headers:get('x-forwarded-for') + + local request_id = first_header_value_from_list(request_id_header_names, headers) + local client_name = '' local allowed_client = false local trusted_client = false - if trusted_header_name ~= "" then - client_name = handle:headers():get(trusted_header_name) or "" + if trusted_header_name ~= '' then + client_name = headers:get(trusted_header_name) or '' allowed_client = is_allowed_client(client_name, clients_allowed_to_all_endpoints) - if client_name ~= "" then + if client_name ~= '' then trusted_client = true end end - if client_name == "" then - client_name = first_header_value_from_list(client_identity_header_names, handle) + if client_name == '' then + client_name = first_header_value_from_list(client_identity_header_names, headers) allowed_client = is_allowed_client(client_name, clients_allowed_to_all_endpoints) - if trusted_header_name ~= "" and client_name ~= "" and handle:connection():ssl() ~= nil then - client_name = client_name .. " (not trusted)" + if trusted_header_name ~= '' and client_name ~= '' and handle:connection():ssl() ~= nil then + client_name = client_name .. ' (not trusted)' end end - metadata:set("envoy.filters.http.lua", "request.info.path", path) - metadata:set("envoy.filters.http.lua", "request.info.method", method) - metadata:set("envoy.filters.http.lua", "request.info.xff_header", xff_header) - metadata:set("envoy.filters.http.lua", "request.info.client_name", client_name) - metadata:set("envoy.filters.http.lua", "request.info.trusted_client", trusted_client) - metadata:set("envoy.filters.http.lua", "request.info.allowed_client", allowed_client) - metadata:set("envoy.filters.http.lua", "request.info.request_id", request_id) - metadata:set("envoy.filters.http.lua", "request.info.authority", authority) - metadata:set("envoy.filters.http.lua", "request.info.lua_destination_authority", lua_destination_authority) + local dynamic_metadata = handle:streamInfo():dynamicMetadata() + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.path', path) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.method', method) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.xff_header', xff_header) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.client_name', client_name) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.trusted_client', trusted_client) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.allowed_client', allowed_client) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.request_id', request_id) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.authority', authority) + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.lua_destination_authority', lua_destination_authority) + local headers_to_log = metadata:get('rbac_headers_to_log') or {} + for _, header in ipairs(headers_to_log) do + dynamic_metadata:set('envoy.filters.http.lua', 'request.info.headers.'..header, headers:get(header)) + end end -function first_header_value_from_list(header_list, handle) +function first_header_value_from_list(header_list, headers) for _,h in ipairs(header_list) do - local value = handle:headers():get(h) or "" - if value ~= "" then + local value = headers:get(h) or '' + if value ~= '' then return value end end - return "" + return '' end function is_allowed_client(client_name, clients_allowed_to_all_endpoints) - if client_name == "" then + if client_name == '' then return false end for _,h in ipairs(clients_allowed_to_all_endpoints) do - if h ~= "" and client_name == h then + if h ~= '' and client_name == h then return true end end @@ -65,58 +73,80 @@ function is_allowed_client(client_name, clients_allowed_to_all_endpoints) end function envoy_on_response(handle) - local rbacMetadata = handle:streamInfo():dynamicMetadata():get("envoy.filters.http.rbac") or {} - local is_shadow_denied = (rbacMetadata["shadow_engine_result"] or "") == "denied" + local dynamic_metadata = handle:streamInfo():dynamicMetadata() + local rbacMetadata = dynamic_metadata:get('envoy.filters.http.rbac') or {} + local is_shadow_denied = (rbacMetadata['shadow_engine_result'] or '') == 'denied' if is_shadow_denied then - local lua_metadata = handle:streamInfo():dynamicMetadata():get("envoy.filters.http.lua") or {} - local upstream_request_time = handle:headers():get("x-envoy-upstream-service-time") - local status_code = handle:headers():get(":status") - local rbac_action = "shadow_denied" - if upstream_request_time == nil and status_code == "403" then - rbac_action = "denied" + local headers = handle:headers() + local lua_metadata = dynamic_metadata:get('envoy.filters.http.lua') or {} + local jwt_status = (dynamic_metadata:get('envoy.filters.http.header_to_metadata') or {})['jwt-status'] or 'missing' + local upstream_request_time = headers:get('x-envoy-upstream-service-time') + local status_code = headers:get(':status') + local rbac_action = 'shadow_denied' + if upstream_request_time == nil and status_code == '403' then + rbac_action = 'denied' end - log_request(lua_metadata, handle, rbac_action) + log_request(handle, lua_metadata, jwt_status, rbac_action) end end -function log_request(lua_metadata, handle, rbac_action) - local client_name = lua_metadata["request.info.client_name"] or "" - local trusted_client = lua_metadata["request.info.trusted_client"] or false - local path = lua_metadata["request.info.path"] or "" - local protocol = handle:connection():ssl() == nil and "http" or "https" - local method = lua_metadata["request.info.method"] or "" - local xff_header = lua_metadata["request.info.xff_header"] or "" - local source_ip = string.match(xff_header, '[^,]+$') or "" - local request_id = lua_metadata["request.info.request_id"] or "" - local status_code = handle:headers():get(":status") or "0" - local allowed_client = lua_metadata["request.info.allowed_client"] or false - local authority = lua_metadata["request.info.authority"] or "" - local lua_destination_authority = lua_metadata["request.info.lua_destination_authority"] or "" - handle:logInfo("\nINCOMING_PERMISSIONS { \"method\": \""..method.. - "\", \"path\": \""..path.. - "\", \"clientIp\": \""..source_ip.. - "\", \"clientName\": \""..escape(client_name).. - "\", \"trustedClient\": "..tostring(trusted_client).. - ", \"authority\": \""..escape(authority).. - "\", \"luaDestinationAuthority\": \""..escape(lua_destination_authority).. - "\", \"clientAllowedToAllEndpoints\": "..tostring(allowed_client).. - ", \"protocol\": \""..protocol.. - "\", \"requestId\": \""..escape(request_id).. - "\", \"statusCode\": "..status_code.. - ", \"rbacAction\": \""..rbac_action.."\" }") +function log_request(handle, lua_metadata, jwt_status, rbac_action) + local client_name = lua_metadata['request.info.client_name'] or '' + local trusted_client = lua_metadata['request.info.trusted_client'] or false + local path = lua_metadata['request.info.path'] or '' + local protocol = handle:connection():ssl() == nil and 'http' or 'https' + local method = lua_metadata['request.info.method'] or '' + local xff_header = lua_metadata['request.info.xff_header'] or '' + local source_ip = string.match(xff_header, '[^,]+$') or '' + local request_id = lua_metadata['request.info.request_id'] or '' + local status_code = handle:headers():get(':status') or '0' + local allowed_client = lua_metadata['request.info.allowed_client'] or false + local authority = lua_metadata['request.info.authority'] or '' + local lua_destination_authority = lua_metadata['request.info.lua_destination_authority'] or '' + + local message = { + '\nINCOMING_PERMISSIONS {"method":"', method, + '","path":"', path, + '","clientIp":"', source_ip, + '","clientName":"', escape(client_name), + '","trustedClient":', tostring(trusted_client), + ',"authority":"', escape(authority), + '","luaDestinationAuthority":"', escape(lua_destination_authority), + '","clientAllowedToAllEndpoints":', tostring(allowed_client), + ',"protocol":"', protocol, + '","requestId":"', escape(request_id), + '","statusCode":', status_code, + ',"rbacAction":"', rbac_action, '"' , + ',"jwtTokenStatus":"' , jwt_status, '"', + } + + local headers_to_log = handle:metadata():get('rbac_headers_to_log') or {} + for _, header in ipairs(headers_to_log) do + local value = lua_metadata['request.info.headers.'..header] + if value then + table.insert(message, ',"') + table.insert(message, header) + table.insert(message, '":"') + table.insert(message, tostring(escape(value))) + table.insert(message, '"') + end + end + table.insert(message, '}') + + handle:logInfo(table.concat(message, '')) end escapeList = { - ["\\"] = "\\\\", - ["\""] = "\\\"", - ["\b"] = "\\b", - ["\f"] = "\\f", - ["\n"] = "\\n", - ["\r"] = "\\r", - ["\t"] = "\\t", + ['\\'] = '\\\\', + ['\"'] = '\\\"', + ['\b'] = '\\b', + ['\f'] = '\\f', + ['\n'] = '\\n', + ['\r'] = '\\r', + ['\t'] = '\\t', } function escape(val) - return string.gsub(val, "[\\\"\b\f\n\r\t]", escapeList) + return string.gsub(val, '[\\\"\b\f\n\r\t]', escapeList) end diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt index 8a7d0e805..ec4356f5c 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt @@ -18,7 +18,8 @@ private class RbacLog( val clientIp: String? = null, val statusCode: String? = null, val requestId: String? = null, - val rbacAction: String? = null + val rbacAction: String? = null, + val jwtTokenStatus: String? = null, ) private const val RBAC_LOG_PREFIX = "INCOMING_PERMISSIONS" @@ -190,6 +191,7 @@ private fun ObjectAssert.matchesRbacAccessDeniedLog(logPredicate: RbacLo assertEqualProperty(parsed, logPredicate, RbacLog::requestId) assertEqualProperty(parsed, logPredicate, RbacLog::rbacAction) assertEqualProperty(parsed, logPredicate, RbacLog::statusCode) + assertEqualProperty(parsed, logPredicate, RbacLog::jwtTokenStatus) } private fun assertEqualProperty(actual: RbacLog, expected: RbacLog, supplier: RbacLog.() -> T) { diff --git a/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua b/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua index 212cf3d49..f8a4ed494 100644 --- a/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua +++ b/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua @@ -1,23 +1,32 @@ -require("ingress_rbac_logging") +require('ingress_rbac_logging') local _ = match._ local contains = function(substring) return match.matches(substring, nil, true) end -local function formatLog(method, path, source_ip, client_name, protocol, request_id, status_code, trusted_client, allowed_client, rbac_action, authority, lua_authority) - return "\nINCOMING_PERMISSIONS { \"method\": \""..method.. - "\", \"path\": \""..path.. - "\", \"clientIp\": \""..source_ip.. - "\", \"clientName\": \""..escape(client_name).. - "\", \"trustedClient\": "..tostring(trusted_client).. - ", \"authority\": \""..escape(authority).. - "\", \"luaDestinationAuthority\": \""..escape(lua_authority).. - "\", \"clientAllowedToAllEndpoints\": "..tostring(allowed_client).. - ", \"protocol\": \""..protocol.. - "\", \"requestId\": \""..escape(request_id).. - "\", \"statusCode\": "..status_code.. - ", \"rbacAction\": \""..rbac_action.."\" }" +local function formatLog(method, path, source_ip, client_name, protocol, request_id, status_code, trusted_client, allowed_client, rbac_action, authority, lua_authority, jwt_token_status, headers_to_log) + local message = "\nINCOMING_PERMISSIONS {\"method\":\""..method.. + "\",\"path\":\""..path.. + "\",\"clientIp\":\""..source_ip.. + "\",\"clientName\":\""..escape(client_name).. + "\",\"trustedClient\":"..tostring(trusted_client).. + ",\"authority\":\""..escape(authority).. + "\",\"luaDestinationAuthority\":\""..escape(lua_authority).. + "\",\"clientAllowedToAllEndpoints\":"..tostring(allowed_client).. + ",\"protocol\":\""..protocol.. + "\",\"requestId\":\""..escape(request_id).. + "\",\"statusCode\":"..status_code.. + ",\"rbacAction\":\""..rbac_action.. + "\",\"jwtTokenStatus\":\""..jwt_token_status.. "\"" + + if headers_to_log then + for k,v in pairs(headers_to_log) do + message = message..',"'..k..'":"'..v..'"' + end + end + + return message..'}' end -local function handlerMock(headers, dynamic_metadata, https, filter_metadata) +local function handlerMock(headers, dynamic_metadata, https, filter_metadata, logs) local metadata_mock = mock({ set = function() end, get = function(_, key) return dynamic_metadata[key] end @@ -331,18 +340,38 @@ describe("envoy_on_request:", function() assert.spy(dynamic_metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.path", "/path") assert.spy(dynamic_metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.method", "GET") end) + + it('should set dynamic metadata for custom headers', function() + -- given + local headers = { + ['test-header'] = 'header-value' + } + local filter_metadata = { + ['rbac_headers_to_log'] = {'test-header'} + } + + local handle = handlerMock(headers, {}, nil, filter_metadata) + local metadata = handle:streamInfo():dynamicMetadata() + + -- when + envoy_on_request(handle) + + -- then + assert.spy(metadata.set).was_called_with(_, 'envoy.filters.http.lua', 'request.info.headers.test-header', 'header-value') + end) end) describe("envoy_on_response:", function() local headers - local metadata + local dynamic_metadata local ssl + local metadata before_each(function () headers = { [':status'] = '403' } - metadata = { + dynamic_metadata = { ['envoy.filters.http.rbac'] = { ['shadow_engine_result'] = 'denied' }, @@ -357,13 +386,14 @@ describe("envoy_on_response:", function() } } ssl = true + metadata = {} end) describe("should log unauthorized requests:", function () it("https request", function () -- given - local handle = handlerMock(headers, metadata, ssl) + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -381,7 +411,8 @@ describe("envoy_on_response:", function() false, "denied", "authority", - "lua_authority" + "lua_authority", + "missing" )) assert.spy(handle.logInfo).was_called(1) end) @@ -389,7 +420,7 @@ describe("envoy_on_response:", function() it("http request", function () -- given ssl = false - local handle = handlerMock(headers, metadata, ssl) + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -407,7 +438,8 @@ describe("envoy_on_response:", function() false, "denied", "authority", - "lua_authority" + "lua_authority", + "missing" )) assert.spy(handle.logInfo).was_called(1) end) @@ -415,7 +447,7 @@ describe("envoy_on_response:", function() it("as logged when status code is different than 403", function () -- given headers[':status'] = '503' - local handle = handlerMock(headers, metadata, ssl) + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -433,7 +465,8 @@ describe("envoy_on_response:", function() false, "shadow_denied", "authority", - "lua_authority" + "lua_authority", + "missing" )) assert.spy(handle.logInfo).was_called(1) end) @@ -442,7 +475,7 @@ describe("envoy_on_response:", function() -- given headers[':status'] = '200' headers['x-envoy-upstream-service-time'] = '10' - local handle = handlerMock(headers, metadata, ssl) + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -460,16 +493,17 @@ describe("envoy_on_response:", function() false, "shadow_denied", "authority", - "lua_authority" + "lua_authority", + "missing" )) assert.spy(handle.logInfo).was_called(1) end) it("request with no lua filter metadata fields saved", function () -- given - metadata['envoy.filters.http.lua'] = {} + dynamic_metadata['envoy.filters.http.lua'] = {} headers = {} - local handle = handlerMock(headers, metadata, ssl) + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -487,16 +521,17 @@ describe("envoy_on_response:", function() false, "shadow_denied", "", - "" + "", + "missing" )) assert.spy(handle.logInfo).was_called(1) end) it("request with no lua filter metadata saved", function () -- given - metadata['envoy.filters.http.lua'] = nil + dynamic_metadata['envoy.filters.http.lua'] = nil headers = {} - local handle = handlerMock(headers, metadata, ssl) + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -514,15 +549,16 @@ describe("envoy_on_response:", function() false, "shadow_denied", "", - "" + "", + "missing" )) assert.spy(handle.logInfo).was_called(1) end) it("request with empty path", function () -- given - metadata['envoy.filters.http.lua']['request.info.path'] = '' - local handle = handlerMock(headers, metadata, ssl) + dynamic_metadata['envoy.filters.http.lua']['request.info.path'] = '' + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -540,7 +576,37 @@ describe("envoy_on_response:", function() false, "denied", "authority", - "lua_authority" + "lua_authority", + "missing" + )) + assert.spy(handle.logInfo).was_called(1) + end) + + it('with populated header values', function() + -- given + dynamic_metadata['envoy.filters.http.lua']['request.info.headers.test-header'] = 'test-value' + metadata['rbac_headers_to_log'] = { 'test-header' } + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) + + -- when + envoy_on_response(handle) + + -- then + assert.spy(handle.logInfo).was_called_with(_, formatLog( + "POST", + "/path?query=val", + "127.1.1.3", + "service-first", + "https", + "", + "403", + false, + false, + "denied", + "authority", + "lua_authority", + "missing", + {['test-header'] = 'test-value'} )) assert.spy(handle.logInfo).was_called(1) end) @@ -550,10 +616,10 @@ describe("envoy_on_response:", function() it("with globally allowed client", function () -- given - metadata['envoy.filters.http.rbac']['shadow_engine_result'] = 'denied' - metadata['envoy.filters.http.lua']['request.info.allowed_client'] = true + dynamic_metadata['envoy.filters.http.rbac']['shadow_engine_result'] = 'denied' + dynamic_metadata['envoy.filters.http.lua']['request.info.allowed_client'] = true headers['x-envoy-upstream-service-time'] = '10' - local handle = handlerMock(headers, metadata, ssl) + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -571,7 +637,8 @@ describe("envoy_on_response:", function() true, "shadow_denied", "authority", - "lua_authority" + "lua_authority", + "missing" )) assert.spy(handle.logInfo).was_called(1) end) @@ -581,9 +648,8 @@ describe("envoy_on_response:", function() it("request with no rbac metadata", function() -- given - metadata = {} - local handle = handlerMock(headers, metadata, ssl) - local metadataMock = handle:streamInfo():dynamicMetadata() + dynamic_metadata = {} + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -594,9 +660,8 @@ describe("envoy_on_response:", function() it("authorized request", function() -- given - metadata['envoy.filters.http.rbac']['shadow_engine_result'] = 'allowed' - local handle = handlerMock(headers, metadata, ssl) - local metadataMock = handle:streamInfo():dynamicMetadata() + dynamic_metadata['envoy.filters.http.rbac']['shadow_engine_result'] = 'allowed' + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) @@ -621,14 +686,14 @@ describe("envoy_on_response:", function() it("'"..xff.."' -> '"..expected_client_ip.."'", function () -- given - metadata['envoy.filters.http.lua']['request.info.xff_header'] = xff - local handle = handlerMock(headers, metadata, ssl) + dynamic_metadata['envoy.filters.http.lua']['request.info.xff_header'] = xff + local handle = handlerMock(headers, dynamic_metadata, ssl, metadata) -- when envoy_on_response(handle) -- then - assert.spy(handle.logInfo).was_called_with(_, contains("\"clientIp\": \""..expected_client_ip.."\"")) + assert.spy(handle.logInfo).was_called_with(_, contains('"clientIp":"'..expected_client_ip..'"')) end) end end)