From 9f1435e9f8e4599f383130863629b83e0b1e9286 Mon Sep 17 00:00:00 2001
From: Anton Engelhardt
Date: Sun, 1 Sep 2024 18:50:54 +0200
Subject: [PATCH 1/2] fix(exclude): get scheme to parse url, more debug logs and yaml fmt
Signed-off-by: Anton Engelhardt
---
 README.md | 2 +-
 demo/configmap.yml | 9 ++++++---
 envoy.yaml | 9 ++++++---
 k8s/configmap.yml | 9 ++++++---
 src/lib.rs | 16 ++++++++++++++--
 5 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index fbf345ac..47d0816e 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,7 @@ The plugin is configured via the `envoy.yaml`-file. The following configuration
 | `reload_interval_in_hours` | `u64` | The interval in hours, after which the OIDC configuration is reloaded. | `24` | ✅ |
 | `exclude_hosts` | `Vec` | A comma separated list Hosts (in Regex expressions), that are excluded from the filter. | `["localhost:10000"]` | ❌ |
 | `exclude_paths` | `Vec` | A comma separated list of paths (in Regex expressions), that are excluded from the filter. | `["/health"]` | ❌ |
-| `exclude_urls` | `Vec` | A comma separated list of URLs (in Regex expressions), that are excluded from the filter. | `["localhost:10000/health"]` | ❌ |
+| `exclude_urls` | `Vec` | A comma separated list of URLs (in Regex expressions), that are excluded from the filter. | `["http://localhost:10000/health"]` | ❌ |
 | `access_token_header_name` | `string` | If set, this name will be used to forward the access token to the backend. | `X-Access-Token` | ❌ |
 | `access_token_header_prefix` | `string` | The prefix of the header, that is used to forward the access token, if empty "" is used. | `Bearer ` | ❌ |
 | `id_token_header_name` | `string` | If set, this name will be used to forward the id token to the backend. | `X-Id-Token` | ❌ |
diff --git a/demo/configmap.yml b/demo/configmap.yml
index 6f9d57f0..b6ffdf60 100644
--- a/demo/configmap.yml
+++ b/demo/configmap.yml
@@ -44,9 +44,12 @@ data: config_endpoint: "https://demo-wasm-oidc-plugin.eu.auth0.com/.well-known/openid-configuration" reload_interval_in_h: 1 # in hours - exclude_hosts: [] # or ["httpbin.org"] - exclude_paths: [] # or ["/favicon.ico"] - exclude_urls: [] # or ["http://localhost:10000/#/HTTP_Methods/get_get"] + exclude_hosts: + # - "httpbin.org" + exclude_paths: + # - "/favicon.ico" + exclude_urls: + # - https://httpbin.org/favicon.ico access_token_header_name: # or "Authorization" access_token_header_prefix: "Bearer " diff --git a/envoy.yaml b/envoy.yaml index e84da21b..55b5e2d4 100644 --- a/envoy.yaml +++ b/envoy.yaml @@ -34,9 +34,12 @@ static_resources: config_endpoint: "https://accounts.google.com/.well-known/openid-configuration" reload_interval_in_h: 1 # in hours - exclude_hosts: [] # or ["httpbin.org"] - exclude_paths: [] # or ["/favicon.ico"] - exclude_urls: [] # or ["http://localhost:10000/#/HTTP_Methods/get_get"] + exclude_hosts: + # - "httpbin.org" + exclude_paths: + # - "/favicon.ico" + exclude_urls: + # - https://httpbin.org/favicon.ico access_token_header_name: # or "Authorization" access_token_header_prefix: "Bearer " diff --git a/k8s/configmap.yml b/k8s/configmap.yml index 748adb1b..cf1c7db7 100644 --- a/k8s/configmap.yml +++ b/k8s/configmap.yml @@ -45,9 +45,12 @@ data: config_endpoint: "https://accounts.google.com/.well-known/openid-configuration" reload_interval_in_h: 1 # in hours - exclude_hosts: [] # or ["httpbin.org"] - exclude_paths: [] # or ["/favicon.ico"] - exclude_urls: [] # or ["http://localhost:10000/#/HTTP_Methods/get_get"] + exclude_hosts: + # - "httpbin.org" + exclude_paths: + # - "/favicon.ico" + exclude_urls: + # - https://httpbin.org/favicon.ico access_token_header_name: # or "Authorization" access_token_header_prefix: "Bearer " diff --git a/src/lib.rs b/src/lib.rs index 81c7943e..97b6aa33 100644 --- a/src/lib.rs +++ b/src/lib.rs 
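Review bot: In demo/configmap.yml, and likewise in the envoy.yaml and k8s/configmap.yml hunks, the rewritten `exclude_hosts:`, `exclude_paths:` and `exclude_urls:` keys now carry only a commented-out child, which YAML reads as null rather than the empty sequence `[]` the removed lines declared; unless the plugin's config struct (not in this diff) maps a null/missing value to an empty Vec, the configuration will no longer deserialize. Keeping the explicit value, e.g. `exclude_hosts: [] # or ["httpbin.org"]`, preserves the previous semantics while still documenting the format. Separately, the README describes these entries as regular expressions, so the new example `https://httpbin.org/favicon.ico` has unescaped dots and no anchors and would match more than the one intended URL; since a match here bypasses the filter, an anchored and escaped template such as `# - '^https://httpbin\.org/favicon\.ico$'` is the safer example to ship.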
@@ -108,9 +108,16 @@ struct ConfiguredOidc { impl HttpContext for ConfiguredOidc { /// This function is called when the request headers are received. fn on_http_request_headers(&mut self, _: usize, _: bool) -> Action { - // Check if the host regex matches one of the exclude hosts. If so, forward the request. + + // Get the host, path and scheme from the request headers let host = self.get_host().unwrap_or_default(); + debug!("host: {}", host); let path = self.get_http_request_header(":path").unwrap_or_default(); + debug!("path: {}", path); + let scheme = self + .get_http_request_header(":scheme") + .unwrap_or("http".to_string()); + debug!("scheme: {}", scheme); // Health check if path == "/plugin-health" { @@ -118,6 +125,7 @@ impl HttpContext for ConfiguredOidc { return Action::Pause; } + // If the host is one of the exclude hosts, forward the request if self .plugin_config .exclude_hosts @@ -141,8 +149,11 @@ impl HttpContext for ConfiguredOidc { return Action::Continue; } - let url = Url::parse(&format!("{}{}", host, path)) + // Parse the URL and check if it is excluded + let url = Url::parse(&format!("{}://{}{}", scheme, host, path)) .unwrap_or(Url::parse("http://example.com").unwrap()); + debug!("url: {}", url); + if self .plugin_config .exclude_urls @@ -154,6 +165,7 @@ impl HttpContext for ConfiguredOidc { return Action::Continue; } + // If the request is for the OIDC callback, e.g the code is returned, this filter // exchanges the code for a token. The response is caught in on_http_call_response. // If the dispatch fails, a 503 is returned. if path.starts_with(self.plugin_config.redirect_uri.path()) { From 833fa58c93340e21992d2ae34a0b724b74536f71 Mon Sep 17 00:00:00 2001 From: Anton Engelhardt Date: Sun, 1 Sep 2024 18:56:20 +0200 Subject: [PATCH 2/2] style: fmt Signed-off-by: Anton Engelhardt --- src/lib.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/lib.rs b/src/lib.rs index 97b6aa33..16ac38e7 100644 --- a/src/lib.rs +++ b/src/lib.rs 
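Review bot: The added `debug!("path: {}", path)` writes the raw `:path` value, query string included, to the proxy log, and `debug!("url: {}", url)` in the third hunk does the same for the assembled URL; on the OIDC callback request handled further down (`path.starts_with(self.plugin_config.redirect_uri.path())`) that query carries the authorization code and state, so turning on debug logging records those values. Logging only the path component, e.g. `debug!("path: {}", path.split('?').next().unwrap_or(""));` and `debug!("url: {}", url.path());`, keeps the diagnostic without the secret. On a smaller point, `.unwrap_or("http".to_string())` allocates on every request even when `:scheme` is present; `.unwrap_or_else(|| "http".to_string())` is the idiomatic form. on_http_request_headers continues past the hunk.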
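Review bot: In the third hunk, `Url::parse(&format!("{}://{}{}", scheme, host, path)).unwrap_or(Url::parse("http://example.com").unwrap())` substitutes a fixed placeholder whenever the request's scheme, host and path do not form a valid URL, and that placeholder is then what gets matched against `exclude_urls`, so a malformed request is evaluated against the exclusion rules under an address that is not its own. Treating a parse failure as "not excluded" is the safer default, e.g. wrapping the check as `if let Ok(url) = Url::parse(&format!("{}://{}{}", scheme, host, path)) { debug!("url: {}", url.path()); /* exclude_urls check */ }` and otherwise falling through to the authentication path; if the placeholder is kept, `unwrap_or_else` at least avoids building it on every request. Note also that the url crate normalizes what it parses (dot-segments resolved, host lowercased) whereas the earlier `exclude_hosts`/`exclude_paths` checks see the raw `host` and `path`, so the two forms of exclusion can disagree for the same request — worth a comment above the parse. The remainder of the `exclude_urls` check lies outside the hunk.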
@@ -108,7 +108,6 @@ struct ConfiguredOidc { impl HttpContext for ConfiguredOidc { /// This function is called when the request headers are received. fn on_http_request_headers(&mut self, _: usize, _: bool) -> Action { - // Get the host, path and scheme from the request headers let host = self.get_host().unwrap_or_default(); debug!("host: {}", host);