No output for GetProperty method - network filter #377

Open
paulchoi opened this issue Apr 26, 2023 · 3 comments
paulchoi commented Apr 26, 2023

Describe the bug / error

GetProperty call returns no output. This is in a network WASM filter.
I can tell the WASM filter is receiving data, because GetDownstreamData returns the data from downstream.

What is your Envoy/Istio version?

Envoy 1.26

What is the SDK version?

v0.22.0

What is your TinyGo version?

tinygo version 0.27.0 darwin/amd64 (using go version go1.20.3 and LLVM version 15.0.0)

URL or snippet of your code including Envoy configuration

```go
package main

import (
	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"
)

func main() {
	proxywasm.SetVMContext(&vmContext{})
}

type vmContext struct {
	types.DefaultVMContext
}

func (c *vmContext) NewPluginContext(contextID uint32) types.PluginContext {
	return &pluginContext{}
}

type pluginContext struct {
	// Embed the default plugin context here,
	// so that we don't need to reimplement all the methods.
	types.DefaultPluginContext
}

type networkContext struct {
	types.DefaultTcpContext
}

// Override types.DefaultPluginContext.
func (ctx *pluginContext) NewTcpContext(contextID uint32) types.TcpContext {
	return &networkContext{}
}

func (ctx *networkContext) OnNewConnection() types.Action {
	proxywasm.LogInfo("New connection!")
	return types.ActionContinue
}

func (ctx *networkContext) OnDownstreamData(dataSize int, endOfStream bool) types.Action {
	if dataSize == 0 {
		return types.ActionContinue
	}

	data, err := proxywasm.GetDownstreamData(0, dataSize)
	if err != nil && err != types.ErrorStatusNotFound {
		proxywasm.LogCriticalf("failed to get downstream data: %v", err)
		return types.ActionContinue
	}

	proxywasm.LogInfof(">>>>>> downstream data received >>>>>>\n%s", string(data))

	vmConfiguration, err := proxywasm.GetVMConfiguration()
	proxywasm.LogInfof("vm configuration: %v", vmConfiguration)

	certFound := false
	// Connection attributes at:
	// https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes#connection-attributes

	requestScheme, err := proxywasm.GetProperty([]string{"request", "scheme"})
	proxywasm.LogInfof("Request scheme: %s", string(requestScheme))

	connectionId, err := proxywasm.GetProperty([]string{"connection", "id"})
	proxywasm.LogInfof("mTLS?: %s", connectionId)

	connectionMtls, err := proxywasm.GetProperty([]string{"connection", "mtls"})
	proxywasm.LogInfof("mTLS?: %v", connectionMtls)

	subjectPeerCert, err := proxywasm.GetProperty([]string{"connection", "subject_peer_certificate"})
	if err != nil {
		proxywasm.LogWarnf("Failed to get downstream subject peer cert: %v", err)
	} else {
		proxywasm.LogInfof("subject peer cert: %s", string(subjectPeerCert))
		certFound = true
	}

	dnsSanPeerCert, err := proxywasm.GetProperty([]string{"connection", "dns_san_peer_certificate"})
	if err != nil {
		proxywasm.LogWarnf("Failed to get downstream DNS SAN peer cert: %v", err)
	} else {
		proxywasm.LogInfof("DNS SAN peer cert: %s", string(dnsSanPeerCert))
		certFound = true
	}

	uriSanPeerCert, err := proxywasm.GetProperty([]string{"connection", "uri_san_peer_certificate"})
	if err != nil {
		proxywasm.LogWarnf("Failed to get downstream URI SAN peer cert: %v", err)
	} else {
		proxywasm.LogInfof("URI SAN peer cert: %s", string(uriSanPeerCert))
		certFound = true
	}

	pluginVmId, err := proxywasm.GetProperty([]string{"plugin_vm_id"})
	proxywasm.LogInfof("plugin vm id: %v", pluginVmId)

	connectionInfo, err := proxywasm.GetPropertyMap([]string{"connection"})
	proxywasm.LogInfof("connection info: %v", connectionInfo)

	if !certFound {
		proxywasm.LogWarnf("No peer cert found!")
	}

	return types.ActionContinue
}

// Override types.DefaultTcpContext.
func (ctx *networkContext) OnDownstreamClose(types.PeerType) {
	proxywasm.LogInfo("downstream connection close!")
	return
}
```

envoy.yaml:

```yaml
---
admin:
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9901

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 1443
    filter_chains:
    - filters:
    # TCP Proxy
      - name: envoy.filters.network.wasm
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
          config:
            name: "tls-auth"
            root_id: "tls-auth"
            vm_config:
              runtime: "envoy.wasm.runtime.v8"
              code:
                local:
                  filename: "/etc/envoy/main.wasm"
              allow_precompiled: true
            fail_open: true

      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: api
          stat_prefix: api

      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
              - certificate_chain:
                  filename: "/etc/envoy/chain.pem"
                private_key:
                  filename: "/etc/envoy/private.pem"

  clusters:
  - name: api
    load_assignment:
      cluster_name: api
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 192.168.64.1
                port_value: 8080
```

Additional context (Optional)

Log output from Envoy/WASM:

```
[2023-04-26 04:26:15.230][1][info][main] [external/envoy/source/server/server.cc:894] starting main dispatch loop
[2023-04-26 04:26:18.483][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: New connection!
[2023-04-26 04:26:18.713][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: >>>>>> downstream data received >>>>>>
GET / HTTP/1.1
Host: 192.168.64.2:1443
User-Agent: curl/7.87.0
Accept: */*


[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: vm configuration: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: Request scheme:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?: [0]
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: subject peer cert:
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream DNS SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream URI SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: plugin vm id: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: connection info: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: vm configuration: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: Request scheme:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?: [0]
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: subject peer cert:
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream DNS SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream URI SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: plugin vm id: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: connection info: []
[2023-04-26 04:26:18.724][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: downstream connection close!
[2023-04-26 04:26:18.724][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: connection complete!
```

@paulchoi
Author

It's strange that even the vm info is not returned:

```go
pluginVmId, err := proxywasm.GetProperty([]string{"plugin_vm_id"})
proxywasm.LogInfof("plugin vm id: %v", pluginVmId)
```

Which results in log entry of:

```
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: plugin vm id: []
```

@paulchoi paulchoi changed the title No output for GetProperty method No output for GetProperty method - network filter Apr 26, 2023
@paulchoi
Author

I tried writing an HTTP filter version of the TCP filter, making a bunch of GetProperty calls inside OnHttpRequestHeaders.

The same result - the request succeeds, but the GetProperty methods return no result.

@paulchoi
Author

Seems like I can fetch source.address inside OnDownstreamData. So I am able to fetch something.

```go
if srcAddr, err := proxywasm.GetProperty([]string{"source", "address"}); err == nil {
	proxywasm.LogInfof("Source address: %s", string(srcAddr))
}
```

which results in:

```
[2023-04-27 06:21:36.911][12][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: Source address: 192.168.64.1:61745
```
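
Editor's added example, not part of the issue thread or of the SDK: the log above shows `connection.mtls` as `[0]` and an empty subject returned without an error, so a filter that authorizes on peer identity has to treat an error, a false flag and an empty value alike as "no identity". The names `getter`, `fakeHost`, `decodeBool` and `peerIdentity` are hypothetical, the property bytes are constructed, and the one-byte encoding of a bool property is an assumption about how the host serializes it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// getter has the same shape as proxywasm.GetProperty, so the logic runs without Envoy.
type getter func(path []string) ([]byte, error)

// fakeHost serves constructed property bytes; a missing key mimics the host's "not found".
func fakeHost(props map[string][]byte) getter {
	return func(path []string) ([]byte, error) {
		if v, ok := props[strings.Join(path, ".")]; ok {
			return v, nil
		}
		return nil, errors.New("error status returned by host: not found")
	}
}

// decodeBool assumes the host serializes a bool property as one byte, so [0] is false.
func decodeBool(raw []byte) (bool, error) {
	if len(raw) != 1 {
		return false, fmt.Errorf("bool property: want 1 byte, got %d", len(raw))
	}
	return raw[0] != 0, nil
}

// peerIdentity fails closed: an error, mtls=false, or only empty values yield no identity.
func peerIdentity(get getter) (string, error) {
	raw, err := get([]string{"connection", "mtls"})
	if err != nil {
		return "", fmt.Errorf("connection.mtls: %w", err)
	}
	if mtls, err := decodeBool(raw); err != nil || !mtls {
		return "", errors.New("no client certificate on this connection")
	}
	for _, attr := range []string{"uri_san_peer_certificate", "dns_san_peer_certificate", "subject_peer_certificate"} {
		if v, err := get([]string{"connection", attr}); err == nil && len(v) > 0 {
			return attr + "=" + string(v), nil
		}
	}
	return "", errors.New("client certificate carries no usable identity")
}

func main() { // constructed input matching the issue's log: connection.mtls = [0]
	_, err := peerIdentity(fakeHost(map[string][]byte{"connection.mtls": {0}}))
	fmt.Println("as logged in the issue:", err)
}
```

Inside a filter, `proxywasm.GetProperty` has the `getter` signature and can be passed to `peerIdentity` directly.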
