From 18a7fb587dc1933922f5c74896d144206162f005 Mon Sep 17 00:00:00 2001 From: wiaamm Date: Sat, 13 Dec 2025 12:09:37 +0200 Subject: [PATCH] add getter functions for timeout --- .../open-appsec-waf-kong-plugin/handler.lua | 7 ++--- .../lua_attachment_wrapper.c | 26 +++++++++++++++++++ .../open-appsec-waf-kong-plugin/nano_ffi.lua | 26 +++++++++++++++++++ attachments/nano_attachment/nano_attachment.c | 19 ++++++++++++++ core/include/attachments/nano_attachment.h | 24 +++++++++++++++++ 5 files changed, 99 insertions(+), 3 deletions(-) diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua index a117c1d..1e4187d 100755 --- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua +++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua @@ -89,13 +89,14 @@ function NanoHandler.access(conf) local chunk_size = 8192 local chunk_count = 0 local start_time = ngx.now() + local timeout_sec = nano.get_request_processing_timeout_sec() while true do ngx.update_time() local current_time = ngx.now() local elapsed = current_time - start_time - if elapsed > 3 then + if elapsed > timeout_sec then kong.log.warn("Request body reading timeout after ", elapsed, " seconds") file:close() return @@ -245,9 +246,10 @@ function NanoHandler.body_filter(conf) if not ctx.body_filter_start_time then ctx.body_filter_start_time = ngx.now() + ctx.body_filter_timeout_sec = nano.get_response_processing_timeout_sec() end local elapsed_time = ngx.now() - ctx.body_filter_start_time - if elapsed_time > 3 then + if elapsed_time > ctx.body_filter_timeout_sec then kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open") ctx.cleanup_needed = true -- Send buffered chunks before timeout 
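Review bot: `timeout_sec` in NanoHandler.access is used without any range check, so if the attachment's configured value is ever 0 the `elapsed > timeout_sec` test trips as soon as any time has passed. That branch closes the file and returns, which looks like request-body inspection being skipped for that request. The same applies to `ctx.body_filter_timeout_sec` in the body_filter hunk, which explicitly fails open. I would validate once at the source in nano_ffi.lua, e.g. `if type(timeout_msec) ~= "number" or timeout_msec <= 0 then return 3 end`, and consider an upper bound so a very large setting cannot keep a worker in this read loop. The loop body continues outside the hunk.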
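Review bot: The fail-open warning in body_filter does not say which limit was exceeded. Now that the limit is configurable, an operator needs it to tell a misconfigured timeout from a slow upstream. I would add it to the message: `kong.log.warn("Body filter timeout after ", elapsed_time, " seconds (limit ", ctx.body_filter_timeout_sec, ") - failing open")`. The request-side warning in access has the same gap. A timeout here means a response went out uninspected, so these events should be easy to alert on.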
@@ -316,7 +318,6 @@ function NanoHandler.body_filter(conf) if eof then kong.log.err("End of response body reached in body_filter, eof=true") - -- Call end_inspection if we haven't gotten ACCEPT verdict yet if ctx.body_seen or ctx.expect_body == false then kong.log.err("Calling end_inspection for response") local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c b/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c index 62b2f53..a0d36f7 100755 --- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c +++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c @@ -507,6 +507,30 @@ static int lua_free_verdict_response(lua_State *L) { return 0; } +static int lua_get_request_processing_timeout_msec(lua_State *L) { + NanoAttachment* attachment = (NanoAttachment*)lua_touserdata(L, 1); + if (!attachment) { + lua_pushinteger(L, 3000); + return 1; + } + + uint32_t timeout = GetRequestProcessingTimeout(attachment); + lua_pushinteger(L, timeout); + return 1; +} + +static int lua_get_response_processing_timeout_msec(lua_State *L) { + NanoAttachment* attachment = (NanoAttachment*)lua_touserdata(L, 1); + if (!attachment) { + lua_pushinteger(L, 3000); + return 1; + } + + uint32_t timeout = GetResponseProcessingTimeout(attachment); + lua_pushinteger(L, timeout); + return 1; +} + static const struct luaL_Reg nano_attachment_lib[] = { {"init_nano_attachment", lua_init_nano_attachment}, {"get_web_response_type", lua_get_web_response_type}, 
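Review bot: The literal 3000 in both wrappers duplicates the fallback that GetRequestProcessingTimeout and GetResponseProcessingTimeout already return for NULL, and the `return 3` in nano_ffi.lua. The default therefore lives in three files and in two units. The `if (!attachment)` branches could be dropped in favour of a direct call, `lua_pushinteger(L, GetRequestProcessingTimeout(attachment));`, with the value defined once as a named constant in nano_attachment.h. Separately, lua_touserdata accepts any userdata, so the cast to `NanoAttachment*` is unchecked; whether the other wrappers in this file validate the argument is not visible in this hunk.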
@@ -529,6 +553,8 @@ static const struct luaL_Reg nano_attachment_lib[] = { {"free_verdict_response", lua_free_verdict_response}, {"send_body", lua_send_body}, {"end_inspection", lua_end_inspection}, + {"get_request_processing_timeout_msec", lua_get_request_processing_timeout_msec}, + {"get_response_processing_timeout_msec", lua_get_response_processing_timeout_msec}, {NULL, NULL} }; diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua index a688b1c..20401ba 100755 --- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua +++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua @@ -489,4 +489,30 @@ function nano.end_inspection(session_id, session_data, chunk_type) return verdict, response end +function nano.get_request_processing_timeout_sec() + local worker_id = ngx.worker.id() + local attachment = nano.attachments[worker_id] + + if not attachment then + kong.log.warn("Attachment not available for worker ", worker_id, " - using default timeout") + return 3 + end + + local timeout_msec = nano_attachment.get_request_processing_timeout_msec(attachment) + return timeout_msec / 1000.0 +end + +function nano.get_response_processing_timeout_sec() + local worker_id = ngx.worker.id() + local attachment = nano.attachments[worker_id] + + if not attachment then + kong.log.warn("Attachment not available for worker ", worker_id, " - using default timeout") + return 3 + end + + local timeout_msec = nano_attachment.get_response_processing_timeout_msec(attachment) + return timeout_msec / 1000.0 +end + return nano \ No newline at end of file diff --git a/attachments/nano_attachment/nano_attachment.c b/attachments/nano_attachment/nano_attachment.c index f2dc921..8e13cbf 100755 --- a/attachments/nano_attachment/nano_attachment.c +++ b/attachments/nano_attachment/nano_attachment.c 
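Review bot: The two getters in nano_ffi.lua are copies that differ only in the C function they call. A local helper taking that function as an argument would keep the fallback value and the warning in one place. The `kong.log.warn` fires on every call while `nano.attachments[worker_id]` is missing, and access calls the request getter per request, so a worker without an attachment could flood the log. Consider warning once per worker, or lowering the level and recording that the fallback was used.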
@@ -622,3 +622,22 @@ freeCompressedBody(NanoAttachment *attachment, HttpSessionData *session_data, Ht { nano_free_compressed_body(attachment, bodies, session_data); } + +uint32_t +GetRequestProcessingTimeout(NanoAttachment *attachment) +{ + if (attachment == NULL) { + return 3000; + } + return attachment->req_max_proccessing_ms_time; +} + +uint32_t +GetResponseProcessingTimeout(NanoAttachment *attachment) +{ + if (attachment == NULL) { + return 3000; + } + return attachment->res_max_proccessing_ms_time; +} + diff --git a/core/include/attachments/nano_attachment.h b/core/include/attachments/nano_attachment.h index 29017f6..7d9c743 100755 --- a/core/include/attachments/nano_attachment.h +++ b/core/include/attachments/nano_attachment.h @@ -266,4 +266,28 @@ freeCompressedBody( HttpBody *bodies ); +/// +/// @brief Gets the request processing timeout in milliseconds. +/// +/// This function retrieves the configured timeout value for request processing +/// from the NanoAttachment configuration. +/// +/// @param attachment A pointer to the NanoAttachment structure. +/// +/// @return The request processing timeout in milliseconds. +/// +uint32_t GetRequestProcessingTimeout(NanoAttachment *attachment); + +/// +/// @brief Gets the response processing timeout in milliseconds. +/// +/// This function retrieves the configured timeout value for response processing +/// from the NanoAttachment configuration. +/// +/// @param attachment A pointer to the NanoAttachment structure. +/// +/// @return The response processing timeout in milliseconds. +/// +uint32_t GetResponseProcessingTimeout(NanoAttachment *attachment); + #endif // __NANO_ATTACHMENT_H__
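Review bot: Both getters only read from `attachment`, so the parameter could be `const NanoAttachment *attachment` here and in the nano_attachment.h prototypes, which would document that they have no side effects. The return type is fixed as uint32_t, but the declared types of `req_max_proccessing_ms_time` and `res_max_proccessing_ms_time` are not visible in this hunk. If those fields are signed or wider, the implicit conversion deserves a check.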
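Review bot: The doc comments for both prototypes omit the NULL behaviour. Per the nano_attachment.c hunk in this patch, each function returns 3000 when `attachment` is NULL rather than signalling an error. I would extend each `@return` line, e.g. `/// @return The request processing timeout in milliseconds, or 3000 if attachment is NULL.` As written, a caller reading the header alone cannot tell a configured 3000 ms from the fallback.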