THREESCALE-10973 - Support Financial-grade API (FAPI) - Baseline profile

[tkan145]

What

This PR support https://issues.redhat.com/browse/THREESCALE-10973. Specially it satisfy the following requirements from the FAPI - baseline profile

• shall set the response header x-fapi-interaction-id to the value received from the corresponding FAPI client request header or to a RFC4122 UUID value if the request header was not provided to track the interaction, e.g., x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a;
• shall log the value of x-fapi-interaction-id in the log entry; and
• shall not reject requests with a x-fapi-customer-ip-address header containing a valid IPv4 or IPv6 address.

Verification steps:

• Create an apicast-config.json file with the following content

cat <<EOF >apicast-config.json
{
  "services": [
    {
      "backend_version": "1",
      "id": "1",
      "proxy": {
        "hosts": [
          "one"
        ],
        "api_backend": "https://echo-api.3scale.net:443",
        "authentication_method": "2",
        "backend": {
          "endpoint": "http://127.0.0.1:8081",
          "host": "backend"
        },
        "policy_chain": [
          {
            "name": "apicast.policy.fapi",
            "configuration": {}
          },
          {
            "name": "apicast.policy.apicast"
          }
        ],
        "proxy_rules": [
          {
            "http_method": "GET",
            "pattern": "/",
            "metric_system_name": "hits",
            "delta": 1,
            "parameters": [],
            "querystring_parameters": {}
          }
        ]
      }
    }
  ]
}
EOF

• Checkout this branch and start dev environment

make development
make dependencies

• Run apicast locally

THREESCALE_DEPLOYMENT_ENV=staging APICAST_LOG_LEVEL=warn APICAST_WORKER=1 APICAST_CONFIGURATION_LOADER=lazy APICAST_CONFIGURATION_CACHE=0 THREESCALE_CONFIG_FILE=apicast-config.json ./bin/apicast

• Capture apicast IP

APICAST_IP=$(docker inspect apicast_build_0-development-1 | yq e -P '.[0].NetworkSettings.Networks.apicast_build_0_default.IPAddress' -)

• Send a request

curl -i -k -H "Host: one" "http://${APICAST_IP}:8080/test?user_key="

• Response should be 200 and contains x-fapi-transaction-id header

 ▲ ~ curl -i -k -H "Host: one" "http://${APICAST_IP}:8080/test?user_key="
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 06 Jun 2024 06:16:46 GMT
Content-Type: application/json
Content-Length: 573
Connection: keep-alive
x-3scale-echo-api: echo-api/1.0.3
vary: Origin
x-content-type-options: nosniff
x-envoy-upstream-service-time: 1
x-fapi-transaction-id: dff315e7-1e11-4150-b9dd-c18b05dc4fb4

• Stop APIcast

CTLR-C

• Update apicast-config.json with the following

19c19,21
<             "configuration": {}
---
>             "configuration": {
>                 "validate_x_fapi_customer_ip_address": true
>             }

• Start APIcast again

THREESCALE_DEPLOYMENT_ENV=staging APICAST_LOG_LEVEL=warn APICAST_WORKER=1 APICAST_CONFIGURATION_LOADER=lazy APICAST_CONFIGURATION_CACHE=0 THREESCALE_CONFIG_FILE=apicast-config.json ./bin/apicast

• Send a request with invalid IP for x-fapi-customer-ip-address

curl -i -k -H "Host: one" -H "x-fapi-customer-ip-address: invalid" "http://${APICAST_IP}:8080/test?user_key="

APIcast should return a 403 error

HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 06 Jun 2024 06:23:32 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
x-fapi-transaction-id: a01625e4-3fcf-47c2-b591-7259020a2ab4

invalid request

[eguzki]

impressive job! 🏅

[mayorova]

Ehm... I think it needs to be x-fapi-interaction-id, not transaction 😅