proposal: response-side policies #7
Merged
eval.zig:
- New evaluateWithTarget(arena, input, ast, target_rule). evaluate()
becomes a thin wrapper targeting 'allow'.
main.zig:
- New evaluate_target wasm export: same shape as evaluate plus an
explicit target_rule pointer/length pair. Lets generic-ABI hosts
drive non-default rules without going through proxy-wasm.
proxy_wasm.zig:
- proxy_on_response_headers builds {response: {status, headers}}
from the response header map and runs evaluateWithTarget against
'allow_response'. Deny short-circuits with proxy_send_local_response(503).
- :status pseudo-header fetched individually for the same wamr-host
reason that drives request-side path.
- Unchanged: request-headers path stays on 'allow'.
Tests:
- src/eval.zig: 3 unit cases (5xx denies, default allows, missing
target rule denies, allow target preserved).
- test/run.mjs and test/run_wasmtime.py: 3 cases each driving the
new evaluate_target export end-to-end through the wasm boundary.
Release build grows from 50K to 55K. ci.yml gains test-unit job in
line with the other implementation branches.
Three medium-priority concerns from the review needed reconciliation
between the design doc and the v1 implementation:
1. Replacement contract: doc claimed structured replacement (status /
body / headers from the rule's value). v1 actually returns bool
from the evaluator and does a fixed 503 on deny. The structured
replacement requires the evaluator to surface json.Value plus a
discriminator and is deferred to a follow-up PR. Doc now splits
'v1' (fixed 503) from 'deferred' (structured).
2. 503 vs 403 asymmetry: doc didn't say which deny code response-side
uses, request-side already returns 403. v1 uses 503 on the
response side (upstream being replaced) vs 403 on the request
side (request rejected before upstream). Doc now states this
explicitly as intentional.
3. Backward compat for nested input shape: doc showed
'{request, response}' nested input which would have broken
existing input.method / input.path refs. v1 keeps the request-side
input flat (unchanged) and adds 'input.response.*' ONLY for the
allow_response target rule. input.request.* is reserved for the
v2 post-snapshot picture. Doc now shows v1 vs v2 input shapes
separately and clarifies 'allow' policies are untouched.
Per-context state section also corrected: v1 does not snapshot
request fields. The snapshot lives behind body-aware-policies.md
(PR #6) and shows up here only when that lands.
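
The v1 contract described in the two commit messages above (target-rule dispatch, deny on a missing target rule, 403 on the request side vs 503 on the response side, flat request input vs input.response.*), as an added Python model that is not code from this PR. The dict-of-predicates policy format, the function names other than the evaluate / evaluateWithTarget pair, and the headers field on the request input are assumptions made for illustration; the real evaluator works on a policy AST inside wasm.

```python
# Added illustration, not the project's code. Policies are modelled as a
# dict of rule name -> predicate (hypothetical representation).

REQUEST_DENY_STATUS = 403   # request rejected before it reaches upstream
RESPONSE_DENY_STATUS = 503  # upstream response replaced by the proxy


def evaluate_with_target(policy, input_doc, target_rule):
    """True only if target_rule exists and holds; a missing rule denies."""
    rule = policy.get(target_rule)
    if rule is None:
        return False  # fail closed, matching "missing target rule denies"
    return rule(input_doc) is True


def evaluate(policy, input_doc):
    """Thin wrapper targeting 'allow', mirroring evaluate() in eval.zig."""
    return evaluate_with_target(policy, input_doc, "allow")


def on_request_headers(policy, method, path, headers):
    # v1 keeps the request-side input flat, so existing input.method and
    # input.path references keep working. 'headers' is an assumed field.
    input_doc = {"method": method, "path": path, "headers": headers}
    return None if evaluate(policy, input_doc) else REQUEST_DENY_STATUS


def on_response_headers(policy, status, headers):
    # Only the allow_response target sees input.response.*; no request
    # fields are snapshotted in v1.
    input_doc = {"response": {"status": status, "headers": headers}}
    allowed = evaluate_with_target(policy, input_doc, "allow_response")
    return None if allowed else RESPONSE_DENY_STATUS


# Constructed sample policies: allow GETs under /public, block upstream 5xx.
SAMPLE_POLICY = {
    "allow": lambda i: i["method"] == "GET" and i["path"].startswith("/public"),
    "allow_response": lambda i: i["response"]["status"] < 500,
}
REQUEST_ONLY_POLICY = {"allow": SAMPLE_POLICY["allow"]}
```

Each hook returns None to pass the message through or the status code of the local response to send. The model does not settle what the proxy hook does for a policy that defines no allow_response rule, which the page does not state; only the evaluator-level deny is taken from the unit cases listed above.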
f622c6a to
76e0bf7
Design doc only. Tracks the response-side policies item from ROADMAP near term.
See docs/proposals/response-side-policies.md.

Summary:
- allow_response (vs allow) so request-side policies stay backward compatible.
- proxy_on_response_headers to evaluate against an input shape with request and response subtrees.
- proxy_send_local_response using parameters from the rule's value expression.

Status: design only, no implementation.