Ensure that the apicast post_action phase runs only if access runs #985
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes a bug that was triggered when combining the APIcast policy with some policies that can deny the request, such as the IP check one.
APIcast can call 3scale backend's authrep in the
access
and thepost_action
phases depending on whether the request is cached or not. The problem is that some policies were callingngx.exit(4xx)
to deny a request, and that prevents some phases from running, but it does not skip the post_action one.In practice, this means that with a policy chain like
ip_check + apicast
, even when the IP check policy denied the request, post_action in apicast would run, and report to backend in certain cases.The bug does not affect all the policies that deny a request. In particular, policies that use the
errors
module (https://github.com/3scale/apicast/blob/64c2b2655051d66a90096c500c33be1f40ec4a75/gateway/src/apicast/errors.lua) instead of callingngx.exit()
directly were not affected. The reason is that the errors module setsngx.var.cached_key
to nil, and that prevents post_action from reporting to the 3scale backend.