It turns out that sending a non-200 HTTP status code was against the
gRPC spec and the older versions of the `grpc` library just didn't
validate that. The validation was added in v1.40.0, which is the version
that we couldn't update to before.
With this fix the error is still parsed correctly on the client side.
But this requires a small change to the L402 spec because the status
code is no longer 402.

In this commit, we modify the `GetPrice` method and interface to accept
the full request instead of _just_ the path. For backwards compat, we
leave the path in place, but also include the full serialized HTTP
request.

From the docs:
PreferServerCipherSuites is a legacy field and has no effect.
It used to control whether the server would follow the client's or the
server's preference. Servers now select the best mutually supported
cipher suite based on logic that takes into account inferred client
hardware, server hardware, and security.

As of Go 1.16, functionality provided in io/ioutil has been deprecated
in favour of the io or os packages. Now that Go has been
upgraded in go.mod, the linter will not pass without these changes.

We want aperture to handle some of the incoming requests on its own,
without forwarding/proxying them to a remote backend. Those "local"
services can register themselves and will be given every request for
inspection. If a service decides to handle it locally, the request is
passed to that service and not forwarded.

This commit adds a DynamicPrice member to the Services struct and uses
its values to determine if a GRPCPricer or DefaultPricer should be
initialised. The commit also updates the sample-conf.yaml file with the
new config options.

The last bugfix added some explicit header fields in an attempt to
fix an issue with error responses. Unfortunately they weren't
strictly needed for the fix but ended up causing issues in a non-error
case.
This commit removes those header fields again and makes sure the "auth
header not found in response" header doesn't occur anymore.

The target service name remains unused in its current form, but will be
required in order to verify that an incoming request with an LSAT
attached is authorized to access the service being attempted. We can
derive this from the request's host field, but we choose to extend the
methods with the additional parameter in order to prevent parsing the
host field again to determine which service is being accessed.

The service limiter holds all of the constraints that should be applied
to a given service at the base tier. These are currently static and are
parsed from the proxy's configuration file as a temporary work-around.
Eventually, we plan to integrate this with etcd as well in order to
achieve dynamic service discovery.