Fixes reentrance issue on SendLocalReply

go/gosdk/abi.go

@@ -92,7 +92,8 @@ bool envoy_dynamic_module_callback_http_get_response_body_vector_size(
     uintptr_t filter_envoy_ptr, size_t* size);
 
 #cgo noescape envoy_dynamic_module_callback_http_send_response
-#cgo nocallback envoy_dynamic_module_callback_http_send_response
+// Uncomment once https://github.com/envoyproxy/envoy/pull/39206 is merged.
+// #cgo nocallback envoy_dynamic_module_callback_http_send_response
 void envoy_dynamic_module_callback_http_send_response(
     uintptr_t filter_envoy_ptr, uint32_t status_code,
     uintptr_t headers_vector, size_t headers_vector_size,
@@ -219,10 +220,7 @@ func envoy_dynamic_module_on_http_filter_request_body(
 }
 
 //export envoy_dynamic_module_on_http_filter_request_trailers
-func envoy_dynamic_module_on_http_filter_request_trailers(
-	filterEnvoyPtr uintptr,
-	filterModulePtr uintptr,
-) uintptr {
+func envoy_dynamic_module_on_http_filter_request_trailers(uintptr, uintptr) uintptr {
 	return 0
 }
 
@@ -249,18 +247,12 @@ func envoy_dynamic_module_on_http_filter_response_body(
 }
 
 //export envoy_dynamic_module_on_http_filter_response_trailers
-func envoy_dynamic_module_on_http_filter_response_trailers(
-	filterEnvoyPtr uintptr,
-	filterModulePtr uintptr,
-) uintptr {
+func envoy_dynamic_module_on_http_filter_response_trailers(uintptr, uintptr) uintptr {
 	return 0
 }
 
 //export envoy_dynamic_module_on_http_filter_stream_complete
-func envoy_dynamic_module_on_http_filter_stream_complete(
-	filterEnvoyPtr uintptr,
-	filterModulePtr uintptr,
-) {
+func envoy_dynamic_module_on_http_filter_stream_complete(uintptr, uintptr) {
 }
 
 // GetRequestHeader implements [EnvoyHttpFilter].

go/header_auth.go

@@ -14,7 +14,10 @@ type (
 		authHeaderName string
 	}
 	// headerAuthFilter implements [gosdk.HttpFilter].
-	headerAuthFilter struct{ authHeaderName string }
+	headerAuthFilter struct {
+		authHeaderName            string
+		sendOnResponseHeaderPhase bool
+	}
 )
 
 // Destroy implements [gosdk.HttpFilterConfig].
@@ -26,29 +29,34 @@ func (p headerAuthFilterConfig) NewFilter() gosdk.HttpFilter {
 }
 
 // Destroy implements [gosdk.HttpFilter].
-func (p headerAuthFilter) Destroy() {}
+func (p *headerAuthFilter) Destroy() {}
 
 // RequestHeaders implements [gosdk.HttpFilter].
-func (p headerAuthFilter) RequestHeaders(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.RequestHeadersStatus {
-	_, ok := e.GetRequestHeader(p.authHeaderName)
+func (p *headerAuthFilter) RequestHeaders(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.RequestHeadersStatus {
+	v, ok := e.GetRequestHeader(p.authHeaderName)
 	if !ok {
-		e.SendLocalReply(http.StatusUnauthorized, [][2]string{{"Content-Type", "text/plain"}}, []byte("Unauthorized by Go Module\n"))
+		e.SendLocalReply(http.StatusUnauthorized, [][2]string{{"Content-Type", "text/plain"}}, []byte("Unauthorized by Go Module at on_request_headers\n"))
 		return gosdk.RequestHeadersStatusStopIteration
 	}
+	p.sendOnResponseHeaderPhase = v == "on_response_headers"
 	return gosdk.RequestHeadersStatusContinue
 }
 
 // RequestBody implements [gosdk.HttpFilter].
-func (p headerAuthFilter) RequestBody(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.RequestBodyStatus {
+func (p *headerAuthFilter) RequestBody(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.RequestBodyStatus {
 	return gosdk.RequestBodyStatusContinue
 }
 
 // ResponseHeaders implements [gosdk.HttpFilter].
-func (p headerAuthFilter) ResponseHeaders(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.ResponseHeadersStatus {
+func (p *headerAuthFilter) ResponseHeaders(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.ResponseHeadersStatus {
+	if p.sendOnResponseHeaderPhase {
+		e.SendLocalReply(http.StatusUnauthorized, [][2]string{{"Content-Type", "text/plain"}}, []byte("Unauthorized by Go Module at on_response_headers\n"))
+		return gosdk.ResponseHeadersStatusStopIteration
+	}
 	return gosdk.ResponseHeadersStatusContinue
 }
 
 // ResponseBody implements [gosdk.HttpFilter].
-func (p headerAuthFilter) ResponseBody(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.ResponseBodyStatus {
+func (p *headerAuthFilter) ResponseBody(e gosdk.EnvoyHttpFilter, endOfStream bool) gosdk.ResponseBodyStatus {
 	return gosdk.ResponseBodyStatusContinue
 }

integration/main_test.go

@@ -195,12 +195,10 @@ func TestIntegration(t *testing.T) {
 			return true
 		}, 30*time.Second, 200*time.Millisecond)
 
-		got200 := false
-		got403 := false
 		require.Eventually(t, func() bool {
 			req, err := http.NewRequest("GET", "http://localhost:1063/uuid", nil)
 			require.NoError(t, err)
-			req.Header.Add(gomoduleAuthHeader, "anything")
+			req.Header.Add(gomoduleAuthHeader, "on_response_headers")
 			resp, err := http.DefaultClient.Do(req)
 			if err != nil {
 				t.Logf("Envoy not ready yet: %v", err)
@@ -210,10 +208,27 @@ func TestIntegration(t *testing.T) {
 				require.NoError(t, resp.Body.Close())
 			}()
 			body, err := io.ReadAll(resp.Body)
+			require.NoError(t, err)
+			t.Logf("response: status=%d body=%s", resp.StatusCode, string(body))
+			return resp.StatusCode == 401
+		}, 30*time.Second, 200*time.Millisecond)
+
+		got200 := false
+		got403 := false
+		require.Eventually(t, func() bool {
+			req, err := http.NewRequest("GET", "http://localhost:1063/uuid", nil)
+			require.NoError(t, err)
+			req.Header.Add(gomoduleAuthHeader, "anything")
+			resp, err := http.DefaultClient.Do(req)
 			if err != nil {
 				t.Logf("Envoy not ready yet: %v", err)
 				return false
 			}
+			defer func() {
+				require.NoError(t, resp.Body.Close())
+			}()
+			body, err := io.ReadAll(resp.Body)
+			require.NoError(t, err)
 			t.Logf("response: status=%d body=%s", resp.StatusCode, string(body))
 			if resp.StatusCode == 200 {
 				got200 = true