Send local replies from envoy and only keep enforcer in the loop if n…

…ecessary
wso2 · Feb 27, 2025 · b241ec2 · b241ec2
1 parent f1d7778
commit b241ec2
Show file tree

Hide file tree

Showing 8 changed files with 80 additions and 12 deletions.
diff --git a/adapter/internal/oasparser/config_generator.go b/adapter/internal/oasparser/config_generator.go
@@ -482,9 +482,11 @@ func GetAPILevelJWTRequirements(adapterAPI *model.AdapterInternalAPI, selectedIs
 								},
 							})
 						}
-						requirements = append(requirements, &jwt.JwtRequirement{
-							RequiresType: &jwt.JwtRequirement_AllowMissingOrFailed{},
-						})
+						if adapterAPI.GetAPIType() == "GraphQL" || !adapterAPI.GetDisableMtls() {
+							requirements = append(requirements, &jwt.JwtRequirement{
+								RequiresType: &jwt.JwtRequirement_AllowMissingOrFailed{},
+							})
+						}						
 						return requirements
 					}(),
 				},

diff --git a/adapter/internal/oasparser/envoyconf/response_mapper.go b/adapter/internal/oasparser/envoyconf/response_mapper.go
@@ -64,6 +64,27 @@ func init() {
 
 func getErrorResponseMappers() []*hcmv3.ResponseMapper {
 	responseMappers := []*hcmv3.ResponseMapper{}
+	responseMappers = append(responseMappers, &hcmv3.ResponseMapper{
+		Filter: &access_logv3.AccessLogFilter{
+			FilterSpecifier: &access_logv3.AccessLogFilter_StatusCodeFilter{
+				StatusCodeFilter: &access_logv3.StatusCodeFilter{
+					Comparison: &access_logv3.ComparisonFilter{
+						Op: access_logv3.ComparisonFilter_EQ,
+						Value: &corev3.RuntimeUInt32{
+							DefaultValue: 401,
+							RuntimeKey: "key123",
+						},
+					},
+				},
+			},
+		},
+		StatusCode: wrapperspb.UInt32(401),
+		Body: &corev3.DataSource{
+			Specifier: &corev3.DataSource_InlineBytes{
+				InlineBytes: []byte("Invalid Credentials"),
+			},
+		},
+	})
 	conf := config.ReadConfigs()
 	if conf.Adapter.SoapErrorInXMLEnabled {
 		for flag, details := range errorResponseMap {

diff --git a/adapter/internal/oasparser/envoyconf/routes_configs.go b/adapter/internal/oasparser/envoyconf/routes_configs.go
@@ -127,7 +127,7 @@ func generateRouteMatch(routeRegex string) *routev3.RouteMatch {
 	return match
 }
 
-func generateRouteAction(apiType string, routeConfig *model.EndpointConfig, ratelimitCriteria *ratelimitCriteria, mirrorClusterNames []string, isBackendBasedAIRatelimitEnabled bool, descriptorValueForBackendBasedAIRatelimit string, weightedCluster *routev3.WeightedCluster_ClusterWeight, isWeighted bool) (action *routev3.Route_Route) {
+func generateRouteAction(apiType string, routeConfig *model.EndpointConfig, ratelimitCriteria *ratelimitCriteria, mirrorClusterNames []string, isBackendBasedAIRatelimitEnabled bool, descriptorValueForBackendBasedAIRatelimit string, weightedCluster *routev3.WeightedCluster_ClusterWeight, isWeighted bool, aiRoundRobinEnabled bool, clusterName string) (action *routev3.Route_Route) {
 
 	if isWeighted {
 		// check if weightedCluster is already in the list
@@ -163,7 +163,7 @@ func generateRouteAction(apiType string, routeConfig *model.EndpointConfig, rate
 				},
 			},
 		}
-	} else {
+	} else if aiRoundRobinEnabled {
 		action = &routev3.Route_Route{
 			Route: &routev3.RouteAction{
 				HostRewriteSpecifier: &routev3.RouteAction_AutoHostRewrite{
@@ -178,6 +178,21 @@ func generateRouteAction(apiType string, routeConfig *model.EndpointConfig, rate
 				},
 			},
 		}
+	} else {
+		action = &routev3.Route_Route{
+			Route: &routev3.RouteAction{
+				HostRewriteSpecifier: &routev3.RouteAction_AutoHostRewrite{
+					AutoHostRewrite: &wrapperspb.BoolValue{
+						Value: true,
+					},
+				},
+				UpgradeConfigs:    getUpgradeConfig(apiType),
+				MaxStreamDuration: getMaxStreamDuration(apiType),
+				ClusterSpecifier: &routev3.RouteAction_Cluster{
+					Cluster: clusterName,
+				},
+			},
+		}
 	}
 
 	if routeConfig != nil {

diff --git a/adapter/internal/oasparser/envoyconf/routes_with_clusters.go b/adapter/internal/oasparser/envoyconf/routes_with_clusters.go
@@ -1008,6 +1008,19 @@ func createRoutes(params *routeCreateParams) (routes []*routev3.Route, err error
 		LuaLocal:       luaFilter,
 		wellknown.CORS: corsFilter,
 	}
+	if !resource.ShouldSendToEnforcer() {
+		perFilterConfigExtProc := extProcessorv3.ExtProcPerRoute{
+			Override: &extProcessorv3.ExtProcPerRoute_Disabled{
+				Disabled: true,
+			},
+		}
+		dataExtProc, _ := proto.Marshal(&perFilterConfigExtProc)
+		filterExtProc := &any.Any{
+			TypeUrl: extProcPerRouteName,
+			Value:   dataExtProc,
+		}
+		perRouteFilterConfigs[HTTPExternalProcessor] = filterExtProc
+	}
 	// if !params.isAiAPI {
 	// 	perFilterConfigExtProc := extProcessorv3.ExtProcPerRoute{
 	// 		Override: &extProcessorv3.ExtProcPerRoute_Disabled{
@@ -1284,8 +1297,8 @@ func createRoutes(params *routeCreateParams) (routes []*routev3.Route, err error
 				metadataValue := operation.GetMethod() + "_to_" + newMethod
 				match2.DynamicMetadata = generateMetadataMatcherForInternalRoutes(metadataValue)
 
-				action1 := generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, mirrorClusterNameList, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters)
-				action2 := generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, mirrorClusterNameList, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters)
+				action1 := generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, mirrorClusterNameList, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters, resource.AIModelBasedRoundRobin != nil, clusterName)
+				action2 := generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, mirrorClusterNameList, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters, resource.AIModelBasedRoundRobin != nil, clusterName)
 
 				requestHeadersToRemove := make([]string, 0)
 				// Create route1 for current method.
@@ -1310,7 +1323,7 @@ func createRoutes(params *routeCreateParams) (routes []*routev3.Route, err error
 			} else {
 				var action *routev3.Route_Route
 				if requestRedirectAction == nil {
-					action = generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, mirrorClusterNameList, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters)
+					action = generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, mirrorClusterNameList, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters, resource.AIModelBasedRoundRobin != nil, clusterName)
 				}
 				logger.LoggerOasparser.Debug("Creating routes for resource with policies", resourcePath, operation.GetMethod())
 				// create route for current method. Add policies to route config. Send via enforcer
@@ -1337,7 +1350,7 @@ func createRoutes(params *routeCreateParams) (routes []*routev3.Route, err error
 		}
 		match := generateRouteMatch(routePath)
 		match.Headers = generateHTTPMethodMatcher(methodRegex, clusterName)
-		action := generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, nil, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters)
+		action := generateRouteAction(apiType, routeConfig, rateLimitPolicyCriteria, nil, resource.GetEnableBackendBasedAIRatelimit() && params.isAiAPI, resource.GetBackendBasedAIRatelimitDescriptorValue(), &weightedCluster, isWeightedClusters, resource.AIModelBasedRoundRobin != nil, clusterName)
 		rewritePath := generateRoutePathForReWrite(basePath, resourcePath, pathMatchType)
 		action.Route.RegexRewrite = generateRegexMatchAndSubstitute(rewritePath, resourcePath, pathMatchType)
 		requestHeadersToRemove := make([]string, 0)

diff --git a/adapter/internal/oasparser/model/adapter_internal_api.go b/adapter/internal/oasparser/model/adapter_internal_api.go
@@ -538,7 +538,7 @@ func (adapterInternalAPI *AdapterInternalAPI) Validate() error {
 
 // SetInfoHTTPRouteCR populates resources and endpoints of adapterInternalAPI. httpRoute.Spec.Rules.Matches
 // are used to create resources and httpRoute.Spec.Rules.BackendRefs are used to create EndpointClusters.
-func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwapiv1.HTTPRoute, resourceParams ResourceParams, ruleIdxToAiRatelimitPolicyMapping map[int]*dpv1alpha3.AIRateLimitPolicy, extractTokenFrom string) error {
+func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwapiv1.HTTPRoute, resourceParams ResourceParams, ruleIdxToAiRatelimitPolicyMapping map[int]*dpv1alpha3.AIRateLimitPolicy, extractTokenFrom string, sendToEnforcer bool) error {
 	var resources []*Resource
 	outputAuthScheme := utils.TieBreaker(utils.GetPtrSlice(maps.Values(resourceParams.AuthSchemes)))
 	outputAPIPolicy := utils.TieBreaker(utils.GetPtrSlice(maps.Values(resourceParams.APIPolicies)))
@@ -985,7 +985,7 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwap
 				loggers.LoggerAPI.Debugf("ModelBasedRoundRobin extracted %v", extracted)
 				modelBasedRoundRobin = extracted
 			}
-
+			loggers.LoggerAPI.Debugf("resource path %+v methods %+v sendtoenforcer %+v", resourcePath, operations, sendToEnforcer || enableBackendBasedAIRatelimit)
 			resource := &Resource{
 				path:                                   resourcePath,
 				methods:                                operations,
@@ -997,6 +997,7 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoHTTPRouteCR(httpRoute *gwap
 				backendBasedAIRatelimitDescriptorValue: descriptorValue,
 				extractTokenFrom:                       extractTokenFrom,
 				AIModelBasedRoundRobin:                 modelBasedRoundRobin,
+				sendToEnforcer: 					   	sendToEnforcer || enableBackendBasedAIRatelimit,
 			}
 
 			resource.endpoints = &EndpointCluster{

diff --git a/adapter/internal/oasparser/model/resource.go b/adapter/internal/oasparser/model/resource.go
@@ -49,6 +49,7 @@ type Resource struct {
 	enableBackendBasedAIRatelimit          bool
 	backendBasedAIRatelimitDescriptorValue string
 	extractTokenFrom                       string
+	sendToEnforcer                         bool
 }
 
 // GetEndpointSecurity returns the endpoint security object of a given resource.
@@ -213,3 +214,8 @@ func (resource *Resource) GetBackendBasedAIRatelimitDescriptorValue() string {
 func (resource *Resource) GetExtractTokenFromValue() string {
 	return resource.extractTokenFrom
 }
+
+// ShouldSendToEnforcer returns the value of sendToEnforcer
+func (resource *Resource) ShouldSendToEnforcer() bool {
+	return resource.sendToEnforcer
+}
diff --git a/adapter/internal/operator/controllers/dp/api_controller.go b/adapter/internal/operator/controllers/dp/api_controller.go
@@ -956,6 +956,7 @@ func (apiReconciler *APIReconciler) getAPIPolicyChildrenRefs(ctx context.Context
 				aiProviderPtr := utils.GetAIProvider(ctx, apiReconciler.client, apiPolicy.Namespace,
 					apiPolicy.Spec.Default.AIProvider.Name, &api)
 				if aiProviderPtr != nil {
+					loggers.LoggerAPKOperator.Debugf("API Name: %s, AI Provider: %+v", api.Spec.APIName, aiProviderPtr)
 					aiProvider = aiProviderPtr
 				}
 			}
@@ -987,6 +988,7 @@ func (apiReconciler *APIReconciler) getAPIPolicyChildrenRefs(ctx context.Context
 				aiProviderPtr := utils.GetAIProvider(ctx, apiReconciler.client, apiPolicy.Namespace,
 					apiPolicy.Spec.Override.AIProvider.Name, &api)
 				if aiProviderPtr != nil {
+					loggers.LoggerAPKOperator.Debugf("API Name: %s, AI Provider: %+v", api.Spec.APIName, aiProviderPtr)
 					aiProvider = aiProviderPtr
 				}
 			}
@@ -1130,6 +1132,7 @@ func (apiReconciler *APIReconciler) getAPIPolicyChildrenRefs(ctx context.Context
 			}
 		}
 	}
+	loggers.LoggerAPKOperator.Debugf("API Name: %s, AI Provider: %+v", api.Spec.APIName, aiProvider)
 	return interceptorServices, backendJWTs, subscriptionValidation, aiProvider, resolvedModelBasedRoundRobin, nil
 }
 

diff --git a/adapter/internal/operator/synchronizer/rest_api.go b/adapter/internal/operator/synchronizer/rest_api.go
@@ -108,7 +108,14 @@ func generateAdapterInternalAPI(apiState APIState, httpRouteState *HTTPRouteStat
 		RateLimitPolicies:         apiState.RateLimitPolicies,
 		ResourceRateLimitPolicies: apiState.ResourceRateLimitPolicies,
 	}
-	if err := adapterInternalAPI.SetInfoHTTPRouteCR(httpRouteState.HTTPRouteCombined, resourceParams, httpRouteState.RuleIdxToAiRatelimitPolicyMapping, apiState.AIProvider.Spec.RateLimitFields.PromptTokens.In); err != nil {
+	sendToEnforcer := false
+	if apiState.MutualSSL != nil {
+		sendToEnforcer = !apiState.MutualSSL.Disabled
+	}
+	if (apiState.AIProvider != nil && apiState.AIProvider.Name != "") || apiState.SubscriptionValidation {
+		sendToEnforcer = true
+	}
+	if err := adapterInternalAPI.SetInfoHTTPRouteCR(httpRouteState.HTTPRouteCombined, resourceParams, httpRouteState.RuleIdxToAiRatelimitPolicyMapping, apiState.AIProvider.Spec.RateLimitFields.PromptTokens.In, sendToEnforcer); err != nil {
 		loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2631, logging.MAJOR, "Error setting HttpRoute CR info to adapterInternalAPI. %v", err))
 		return nil, err
 	}