
fix(opa): apply send_headers_upstream for headers absent from OPA response #13433

Open: shreemaan-abhishek wants to merge 1 commit into apache:master from shreemaan-abhishek:fix/opa-honor-send-headers-upstream

@shreemaan-abhishek
Contributor

Description

When the opa plugin is configured with send_headers_upstream and the OPA server returns allow = true without including one of the configured headers in its response (or without a headers field at all), the plugin previously left any incoming request value for that header in place on the upstream call. The intent of send_headers_upstream is that the upstream sees only the values OPA returns for those names; the prior behavior diverged from that.

This change iterates the configured list and calls core.request.set_header(ctx, name, value) for every name in send_headers_upstream. When OPA does not return that header, value is nil and the incoming request header is cleared. The condition no longer short-circuits on a missing result.headers field.

t/plugin/opa3.t covers the case where OPA returns allow = true with no headers field and a configured header is sent by the client: the upstream must not see the client-supplied value.

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

…ponse

When send_headers_upstream lists a header that the OPA response omits,
the plugin previously left any incoming request value for that header
in place on the upstream call. Iterate the configured list and call
core.request.set_header(ctx, name, value) for every name, passing nil
when OPA does not return that header so the incoming value is cleared.
Also covers the case where the OPA response has no headers field.
@shreemaan-abhishek shreemaan-abhishek force-pushed the fix/opa-honor-send-headers-upstream branch from 8029525 to 684b382 Compare May 26, 2026 09:17
@shreemaan-abhishek shreemaan-abhishek marked this pull request as ready for review May 28, 2026 04:53
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working labels May 28, 2026
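
The behaviour change described in this PR, as an added example that is not part of the PR or the APISIX code base: a plain-Lua model of the header set the upstream receives before and after the fix. The function names, the sample header `x-user-role`, and the "before" logic are assumptions reconstructed from the description above.

```lua
-- Plain-Lua model (added example, not APISIX code). Function names and the
-- sample header "x-user-role" are hypothetical.

-- HTTP header names are case-insensitive, so compare on lowercase keys.
local function lower_keys(t)
    local out = {}
    for k, v in pairs(t or {}) do out[string.lower(k)] = v end
    return out
end

-- Before the change, as reconstructed from the PR description: nothing is
-- done without result.headers, and a header OPA omits is left untouched.
local function forward_before(req_headers, result, send_headers_upstream)
    local upstream = lower_keys(req_headers)
    if result.headers and send_headers_upstream then
        local opa = lower_keys(result.headers)
        for _, name in ipairs(send_headers_upstream) do
            local value = opa[string.lower(name)]
            if value then upstream[string.lower(name)] = value end
        end
    end
    return upstream
end

-- After the change: every configured name takes OPA's value, or nil
-- (cleared) when OPA did not return it.
local function forward_after(req_headers, result, send_headers_upstream)
    local upstream = lower_keys(req_headers)
    local opa = lower_keys(result.headers)
    for _, name in ipairs(send_headers_upstream or {}) do
        upstream[string.lower(name)] = opa[string.lower(name)]
    end
    return upstream
end

-- Constructed input: client sends a configured header; OPA allows the
-- request and returns no headers field.
local client = { ["X-User-Role"] = "admin", ["Accept"] = "*/*" }
local configured = { "x-user-role" }
local no_headers = { allow = true }
local with_header = { allow = true, headers = { ["X-User-Role"] = "viewer" } }

assert(forward_before(client, no_headers, configured)["x-user-role"] == "admin")
assert(forward_after(client, no_headers, configured)["x-user-role"] == nil)
assert(forward_after(client, no_headers, configured)["accept"] == "*/*")
assert(forward_after(client, with_header, configured)["x-user-role"] == "viewer")
print("ok")
```

Headers not listed in `send_headers_upstream` pass through unchanged in both versions, so only the configured names are governed by the OPA response.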