v0.0.4-1 - Implement fault_tolerant like rate-limiting plugin

carnei-ro · Nov 11, 2020 · cba2fb9 · cba2fb9
1 parent 8b5efe9
commit cba2fb9
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -10,7 +10,11 @@ Custom Kong plugin to allow for fine grained Authorization through [Open Policy
 
 Plugin will continue the request to the upstream target if OPA responds with `true`, else the plugin will return a `403 Forbidden`.
 
-Rsponses will add the header `X-Kong-Authz-Latency` to requests which have been impacted by the plugin and the header `X-Kong-Authz-Cache` when cache is enabled.
+Plugin will add the response headers:
+
+- `X-Kong-Authz-Latency`: Latency generated by the plugin
+- `X-Kong-Authz-Cache`: "Miss" or "Hit" when cache is enabled
+- `X-Kong-Authz-Skip`: "true" when `fault_tolerant` is enabled and Kong had troubles
 
 Plugin priority: `799`
 
@@ -48,6 +52,7 @@ Plugin priority: `799`
 |`redis_password`             |Redis Password to connect   |`string`| |
 |`redis_timeout_in_ms`        |Redis Timeout (in miliseconds)   |`integer`| 500 |
 |`redis_database`             |Redis Database to Use   |`integer`| 0 |
+|`fault_tolerant`             |Determines if the requests should be proxied even if Kong has troubles connecting a third-party. If `true` requests will be proxied anyways effectively disabling the authorization step. If `false` then the clients will see 500 errors.|`boolean`| false   |
 
 #### YAMLs
 
@@ -84,6 +89,7 @@ config:
   redis_password: null
   redis_timeout_in_ms: 500
   redis_database: 0
+  fault_tolerant: false
 ```
 
 #### Example

diff --git a/opa/access.lua b/opa/access.lua
@@ -183,7 +183,13 @@ function _M.execute(conf)
     body, err = request_to_opa(conf, opa_body_json)
   end
   if (not body) or (err) then
-    return kong.response.exit(500, { message = "An unexpected error occurred", error = err })
+    if conf.fault_tolerant then
+      kong.response.set_header("X-Kong-Authz-Latency", (ngx.now() - start_time))
+      kong.response.set_header("X-Kong-Authz-Skip", "true"))
+      return true
+    else
+      return kong.response.exit(500, { message = "An unexpected error occurred", error = err })
+    end
   end
   body = cjson.decode(body)
 

diff --git a/opa/handler.lua b/opa/handler.lua
@@ -3,7 +3,7 @@ local access = require("kong.plugins." .. plugin_name .. ".access")
 
 local plugin = {
   PRIORITY = 799,
-  VERSION = "0.0.3-1"
+  VERSION = "0.0.4-1"
 }
 
 function plugin:access(plugin_conf)

diff --git a/opa/schema.lua b/opa/schema.lua
@@ -150,6 +150,11 @@ return {
             type = "string",
             len_min = 1,
           } },
+          { fault_tolerant = {
+            type = "boolean",
+            default = true,
+            required = true
+          } },
         },
       },
     },