fix(bypass): httpLoader.Close leak, httpPlugin fail-closed, missing Close method
- Add missing httpLoader.Close() in localBypass.Close (was leaking HTTP loader resources) - Change httpPlugin.Contains to fail-open on errors, matching gRPC plugin - Add error logging on all httpPlugin error paths (previously silent) - Add httpPlugin.Close method to drain idle HTTP connections - Document bypassGroup.Contains whitelist AND / blacklist OR logic
This commit is contained in:
@@ -325,6 +325,9 @@ func (p *localBypass) Close() error {
|
||||
if p.options.redisLoader != nil {
|
||||
p.options.redisLoader.Close()
|
||||
}
|
||||
if p.options.httpLoader != nil {
|
||||
p.options.httpLoader.Close()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -338,6 +341,11 @@ func BypassGroup(bypasses ...bypass.Bypass) bypass.Bypass {
|
||||
}
|
||||
}
|
||||
|
||||
// Contains evaluates all bypass rules in the group with the following logic:
|
||||
// - Whitelist rules: ALL must match (AND logic). If any whitelist rule
|
||||
// returns false, the combined whitelist result is false.
|
||||
// - Blacklist rules: only evaluated if the whitelist result is false.
|
||||
// ANY matching blacklist rule triggers a bypass (OR logic).
|
||||
func (p *bypassGroup) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) bool {
|
||||
var whitelist, blacklist []bool
|
||||
for _, bypass := range p.bypasses {
|
||||
|
||||
+18
-7
@@ -50,9 +50,9 @@ func NewHTTPPlugin(name string, url string, opts ...plugin.Option) bypass.Bypass
|
||||
}
|
||||
}
|
||||
|
||||
func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) (ok bool) {
|
||||
func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) bool {
|
||||
if p.client == nil {
|
||||
return
|
||||
return true
|
||||
}
|
||||
|
||||
var options bypass.Options
|
||||
@@ -70,12 +70,14 @@ func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ..
|
||||
}
|
||||
v, err := json.Marshal(&rb)
|
||||
if err != nil {
|
||||
return
|
||||
p.log.Error(err)
|
||||
return true
|
||||
}
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodPost, p.url, bytes.NewReader(v))
|
||||
if err != nil {
|
||||
return
|
||||
p.log.Error(err)
|
||||
return true
|
||||
}
|
||||
|
||||
if p.header != nil {
|
||||
@@ -84,21 +86,30 @@ func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ..
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
resp, err := p.client.Do(req)
|
||||
if err != nil {
|
||||
return
|
||||
p.log.Error(err)
|
||||
return true
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return
|
||||
return true
|
||||
}
|
||||
|
||||
res := httpPluginResponse{}
|
||||
if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
|
||||
return
|
||||
p.log.Error(err)
|
||||
return true
|
||||
}
|
||||
return res.OK
|
||||
}
|
||||
|
||||
func (p *httpPlugin) Close() error {
|
||||
if p.client != nil {
|
||||
p.client.CloseIdleConnections()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (p *httpPlugin) IsWhitelist() bool {
|
||||
return false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user