fix(bypass): httpLoader.Close leak, httpPlugin fail-closed, missing Close method
- Add missing httpLoader.Close() in localBypass.Close (was leaking HTTP loader resources) - Change httpPlugin.Contains to fail-open on errors, matching gRPC plugin - Add error logging on all httpPlugin error paths (previously silent) - Add httpPlugin.Close method to drain idle HTTP connections - Document bypassGroup.Contains whitelist AND / blacklist OR logic
This commit is contained in:
@@ -325,6 +325,9 @@ func (p *localBypass) Close() error {
|
|||||||
if p.options.redisLoader != nil {
|
if p.options.redisLoader != nil {
|
||||||
p.options.redisLoader.Close()
|
p.options.redisLoader.Close()
|
||||||
}
|
}
|
||||||
|
if p.options.httpLoader != nil {
|
||||||
|
p.options.httpLoader.Close()
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -338,6 +341,11 @@ func BypassGroup(bypasses ...bypass.Bypass) bypass.Bypass {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Contains evaluates all bypass rules in the group with the following logic:
|
||||||
|
// - Whitelist rules: ALL must match (AND logic). If any whitelist rule
|
||||||
|
// returns false, the combined whitelist result is false.
|
||||||
|
// - Blacklist rules: only evaluated if the whitelist result is false.
|
||||||
|
// ANY matching blacklist rule triggers a bypass (OR logic).
|
||||||
func (p *bypassGroup) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) bool {
|
func (p *bypassGroup) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) bool {
|
||||||
var whitelist, blacklist []bool
|
var whitelist, blacklist []bool
|
||||||
for _, bypass := range p.bypasses {
|
for _, bypass := range p.bypasses {
|
||||||
|
|||||||
+18
-7
@@ -50,9 +50,9 @@ func NewHTTPPlugin(name string, url string, opts ...plugin.Option) bypass.Bypass
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) (ok bool) {
|
func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) bool {
|
||||||
if p.client == nil {
|
if p.client == nil {
|
||||||
return
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
var options bypass.Options
|
var options bypass.Options
|
||||||
@@ -70,12 +70,14 @@ func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ..
|
|||||||
}
|
}
|
||||||
v, err := json.Marshal(&rb)
|
v, err := json.Marshal(&rb)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
p.log.Error(err)
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
req, err := http.NewRequestWithContext(ctx, http.MethodPost, p.url, bytes.NewReader(v))
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, p.url, bytes.NewReader(v))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
p.log.Error(err)
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
if p.header != nil {
|
if p.header != nil {
|
||||||
@@ -84,21 +86,30 @@ func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ..
|
|||||||
req.Header.Set("Content-Type", "application/json")
|
req.Header.Set("Content-Type", "application/json")
|
||||||
resp, err := p.client.Do(req)
|
resp, err := p.client.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
p.log.Error(err)
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
defer resp.Body.Close()
|
defer resp.Body.Close()
|
||||||
|
|
||||||
if resp.StatusCode != http.StatusOK {
|
if resp.StatusCode != http.StatusOK {
|
||||||
return
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
res := httpPluginResponse{}
|
res := httpPluginResponse{}
|
||||||
if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
|
if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
|
||||||
return
|
p.log.Error(err)
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
return res.OK
|
return res.OK
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *httpPlugin) Close() error {
|
||||||
|
if p.client != nil {
|
||||||
|
p.client.CloseIdleConnections()
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func (p *httpPlugin) IsWhitelist() bool {
|
func (p *httpPlugin) IsWhitelist() bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user