proxy-wasm-go-sdk

No output for GetProperty method - network filter

Open paulchoi opened this issue 2 years ago • 3 comments

Describe the bug / error

GetProperty call returns no output. This is in a network WASM filter. I can tell the WASM filter is receiving data, because GetDownstreamData returns the data from downstream.

What is your Envoy/Istio version?

Envoy 1.26

What is the SDK version?

v0.22.0

What is your TinyGo version?

tinygo version 0.27.0 darwin/amd64 (using go version go1.20.3 and LLVM version 15.0.0)

URL or snippet of your code including Envoy configuration

package main

import (
	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"
)

func main() {
	proxywasm.SetVMContext(&vmContext{})
}

type vmContext struct {
	types.DefaultVMContext
}

func (c *vmContext) NewPluginContext(contextID uint32) types.PluginContext {
	return &pluginContext{}
}

type pluginContext struct {
	// Embed the default plugin context here,
	// so that we don't need to reimplement all the methods.
	types.DefaultPluginContext
}

type networkContext struct {
	types.DefaultTcpContext
}

// Override types.DefaultPluginContext.
func (ctx *pluginContext) NewTcpContext(contextID uint32) types.TcpContext {
	return &networkContext{}
}

func (ctx *networkContext) OnNewConnection() types.Action {
	proxywasm.LogInfo("New connection!")
	return types.ActionContinue
}

func (ctx *networkContext) OnDownstreamData(dataSize int, endOfStream bool) types.Action {
	if dataSize == 0 {
		return types.ActionContinue
	}

	data, err := proxywasm.GetDownstreamData(0, dataSize)
	if err != nil && err != types.ErrorStatusNotFound {
		proxywasm.LogCriticalf("failed to get downstream data: %v", err)
		return types.ActionContinue
	}

	proxywasm.LogInfof(">>>>>> downstream data received >>>>>>\n%s", string(data))

	vmConfiguration, err := proxywasm.GetVMConfiguration()
	proxywasm.LogInfof("vm configuration: %v", vmConfiguration)

	certFound := false
	// Connection attributes at:
	// https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes#connection-attributes

	requestScheme, err := proxywasm.GetProperty([]string{"request", "scheme"})
	proxywasm.LogInfof("Request scheme: %s", string(requestScheme))

	connectionId, err := proxywasm.GetProperty([]string{"connection", "id"})
	proxywasm.LogInfof("mTLS?: %s", connectionId)

	connectionMtls, err := proxywasm.GetProperty([]string{"connection", "mtls"})
	proxywasm.LogInfof("mTLS?: %v", connectionMtls)

	subjectPeerCert, err := proxywasm.GetProperty([]string{"connection", "subject_peer_certificate"})
	if err != nil {
		proxywasm.LogWarnf("Failed to get downstream subject peer cert: %v", err)
	} else {
		proxywasm.LogInfof("subject peer cert: %s", string(subjectPeerCert))
		certFound = true
	}

	dnsSanPeerCert, err := proxywasm.GetProperty([]string{"connection", "dns_san_peer_certificate"})
	if err != nil {
		proxywasm.LogWarnf("Failed to get downstream DNS SAN peer cert: %v", err)
	} else {
		proxywasm.LogInfof("DNS SAN peer cert: %s", string(dnsSanPeerCert))
		certFound = true
	}

	uriSanPeerCert, err := proxywasm.GetProperty([]string{"connection", "uri_san_peer_certificate"})
	if err != nil {
		proxywasm.LogWarnf("Failed to get downstream URI SAN peer cert: %v", err)
	} else {
		proxywasm.LogInfof("URI SAN peer cert: %s", string(uriSanPeerCert))
		certFound = true
	}

	pluginVmId, err := proxywasm.GetProperty([]string{"plugin_vm_id"})
	proxywasm.LogInfof("plugin vm id: %v", pluginVmId)

	connectionInfo, err := proxywasm.GetPropertyMap([]string{"connection"})
	proxywasm.LogInfof("connection info: %v", connectionInfo)

	if !certFound {
		proxywasm.LogWarnf("No peer cert found!")
	}

	return types.ActionContinue
}

// Override types.DefaultTcpContext.
func (ctx *networkContext) OnDownstreamClose(types.PeerType) {
	proxywasm.LogInfo("downstream connection close!")
	return
}

envoy.yaml:

---
admin:
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9901

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 1443
    filter_chains:
    - filters:
    # TCP Proxy
      - name: envoy.filters.network.wasm
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
          config:
            name: "tls-auth"
            root_id: "tls-auth"
            vm_config:
              runtime: "envoy.wasm.runtime.v8"
              code:
                local:
                  filename: "/etc/envoy/main.wasm"
              allow_precompiled: true
            fail_open: true

      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: api
          stat_prefix: api

      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
              - certificate_chain: 
                  filename: "/etc/envoy/chain.pem"
                private_key: 
                  filename: "/etc/envoy/private.pem"

  clusters:
  - name: api
    load_assignment:
      cluster_name: api
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 192.168.64.1
                port_value: 8080

Additional context (Optional)

Log output from Envoy/WASM:

[2023-04-26 04:26:15.230][1][info][main] [external/envoy/source/server/server.cc:894] starting main dispatch loop
[2023-04-26 04:26:18.483][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: New connection!
[2023-04-26 04:26:18.713][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: >>>>>> downstream data received >>>>>>
GET / HTTP/1.1
Host: 192.168.64.2:1443
User-Agent: curl/7.87.0
Accept: */*


[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: vm configuration: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: Request scheme:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?: [0]
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: subject peer cert:
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream DNS SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream URI SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: plugin vm id: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: connection info: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: vm configuration: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: Request scheme:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?:
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: mTLS?: [0]
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: subject peer cert:
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream DNS SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][warning][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1151] wasm log tls-auth tls-auth: Failed to get downstream URI SAN peer cert: error status returned by host: not found
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: plugin vm id: []
[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: connection info: []
[2023-04-26 04:26:18.724][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: downstream connection close!
[2023-04-26 04:26:18.724][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: connection complete!

paulchoi, Apr 26 '23 04:04
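
Added example, not part of the original issue or the SDK: in the log above the `subject_peer_certificate` lookup returns no error and an empty value, and `mTLS?: [0]` is a serialized bool rather than text, so a check built on `err == nil` alone would count this connection as having a certificate. The code below decodes the raw bytes and fails closed; the helper names are hypothetical, the inputs are constructed to mirror the log, and the encoding (bool as 1 byte, uint64 as 8 little-endian bytes) is an assumption about the host.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical helpers, not SDK functions. Assumption: the host serializes
// a bool as 1 byte and a uint64 as 8 little-endian bytes.
func decodeBool(raw []byte) (bool, error) {
	if len(raw) != 1 {
		return false, fmt.Errorf("bool property: want 1 byte, got %d", len(raw))
	}
	return raw[0] != 0, nil
}

func decodeUint64(raw []byte) (uint64, error) {
	if len(raw) != 8 {
		return 0, fmt.Errorf("uint64 property: want 8 bytes, got %d", len(raw))
	}
	return binary.LittleEndian.Uint64(raw), nil
}

var errNoPeerCert = errors.New("no verified peer certificate")

// peerSubject fails closed: a lookup error, an undecodable or false mtls
// flag, or an empty subject all count as "no client certificate".
func peerSubject(mtlsRaw, subjectRaw []byte, getErr error) (string, error) {
	if getErr != nil {
		return "", fmt.Errorf("%w: %v", errNoPeerCert, getErr)
	}
	mtls, err := decodeBool(mtlsRaw)
	if err != nil || !mtls || len(subjectRaw) == 0 {
		return "", errNoPeerCert
	}
	return string(subjectRaw), nil
}

func main() {
	// Constructed values mirroring the log: mtls=[0], empty subject, nil error.
	_, err := peerSubject([]byte{0}, nil, nil)
	fmt.Println("as logged:", err)
	// Constructed values for a connection that presented a client certificate.
	subj, err := peerSubject([]byte{1}, []byte("CN=client.example"), nil)
	fmt.Println("with client cert:", subj, err)
	id, _ := decodeUint64([]byte{7, 0, 0, 0, 0, 0, 0, 0})
	fmt.Println("connection id:", id)
}
```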

It's strange that even the vm info is not returned:

	pluginVmId, err := proxywasm.GetProperty([]string{"plugin_vm_id"})
	proxywasm.LogInfof("plugin vm id: %v", pluginVmId)

Which results in a log entry of:

[2023-04-26 04:26:18.718][13][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: plugin vm id: []

paulchoi, Apr 26 '23 04:04

I tried writing an HTTP filter version of the TCP filter, making a bunch of GetProperty calls inside OnHttpRequestHeaders.

The same result - the request succeeds, but the GetProperty methods return no result.

paulchoi, Apr 27 '23 05:04

Seems like I can fetch source.address inside OnDownstreamData. So I am able to fetch something.

	if srcAddr, err := proxywasm.GetProperty([]string{"source", "address"}); err == nil {
		proxywasm.LogInfof("Source address: %s", string(srcAddr))
	}

which results in:

[2023-04-27 06:21:36.911][12][info][wasm] [external/envoy/source/extensions/common/wasm/context.cc:1148] wasm log tls-auth tls-auth: Source address: 192.168.64.1:61745

paulchoi, Apr 27 '23 06:04

https://github.com/tetratelabs/proxy-wasm-go-sdk/pull/451

mathetake, Jul 27 '24 19:07