Fix error handling for ExternalAuth

This corrects an issue where the error body was being hidden for the external auth handler. It also adds the ca-certs into the runtime Docker image for when the gateway is calling an external plugin exposed over HTTPS. Tested with OAuth2 plugin. Signed-off-by: Alex Ellis <alexellis2@gmail.com>
2025-06-08 16:26:47 +00:00 · 2019-06-14 19:17:25 +01:00 · 2019-06-14 19:17:25 +01:00 · e3c976a428
commit e3c976a428
parent 3b027d3005
3 changed files with 11 additions and 3 deletions
--- a/gateway/Dockerfile
+++ b/gateway/Dockerfile
@ -33,7 +33,7 @@ RUN license-check -path ./ --verbose=false "Alex Ellis" "OpenFaaS Project" "Open
    -X github.com/openfaas/faas/gateway/version.Version=${VERSION}" \
    -a -installsuffix cgo -o gateway .

-FROM alpine:3.8
+FROM alpine:3.9

 LABEL org.label-schema.license="MIT" \
    org.label-schema.vcs-url="https://github.com/openfaas/faas" \
@ -43,7 +43,8 @@ LABEL org.label-schema.license="MIT" \
    org.label-schema.docker.schema-version="1.0"

 RUN addgroup -S app \
-    && adduser -S -g app app
+    && adduser -S -g app app \
+    && apk add --no-cache ca-certificates

 WORKDIR /home/app

--- a/gateway/handlers/external_auth.go
+++ b/gateway/handlers/external_auth.go
@ -3,6 +3,7 @@ package handlers
 import (
 	"context"
 	"io"
+	"log"
 	"net/http"
 	"time"
 )
@ -22,7 +23,8 @@ func MakeExternalAuthHandler(next http.HandlerFunc, upstreamTimeout time.Duratio

 		res, err := http.DefaultClient.Do(req.WithContext(deadlineContext))
 		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			log.Printf("ExternalAuthHandler: %s", err.Error())
 			return
 		}

--- a/gateway/handlers/external_auth_test.go
+++ b/gateway/handlers/external_auth_test.go
@ -4,6 +4,7 @@ import (
 	"bytes"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 )
@ -206,6 +207,10 @@ func Test_External_Auth_Wrapper_TimeoutGivesInternalServerError(t *testing.T) {
 	if rr.Code != want {
 		t.Errorf("Status incorrect, want: %d, but got %d", want, rr.Code)
 	}
+	wantSubstring := "context deadline exceeded\n"
+	if !strings.HasSuffix(string(rr.Body.Bytes()), wantSubstring) {
+		t.Errorf("Body incorrect, want to have suffix: %q, but got %q", []byte(wantSubstring), rr.Body)
+	}
 }

 // // Test_External_Auth_Wrapper_PassesValidAuthButOnly200IsValid this test exists