fix: ext-auth crash bugfix

[hanxiantao]

Ⅰ. Describe what this PR did

修改 sendlocalresponse 之后 resume 导致 envoy crash 的问题

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

endpoint_mode为forward_auth时

1）认证成功

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.89

curl -kvv -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -H "x-user-id: 111111" -H "x-custom-1: test"

认证成功

认证请求Method为配置的request_method，认证请求path为配置的path

2）认证失败

curl -kvv -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -H "x-user-id: 111111" -H "x-custom-1: test"

认证失败

认证请求Method为配置的request_method，认证请求path为配置的path

认证白名单

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
    match_type: 'whitelist'
    match_list:
        - match_rule_domain: '*.bar.com'
          match_rule_path: '/foo/health'
          match_rule_type: 'exact'
        - match_rule_path: '/foo/metrics'
          match_rule_type: 'exact'
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.89

认证服务固定返回500

curl -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/health?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

只有第一次curl进入认证，返回401，其他请求均跳过认证

认证黑名单

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
    match_type: 'blacklist'
    match_list:
        - match_rule_domain: '*.bar.com'
          match_rule_path: '/foo/health'
          match_rule_type: 'exact'
        - match_rule_path: '/foo/metrics'
          match_rule_type: 'exact'
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.89

认证服务固定返回500

curl -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/health?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

第二、三次curl进入认证，返回401，第一次请求跳过认证

Ⅴ. Special notes for reviews

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 43.61%. Comparing base (ef31e09) to head (6d29767).
Report is 280 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1705      +/-   ##
==========================================
+ Coverage   35.91%   43.61%   +7.70%     
==========================================
  Files          69       76       +7     
  Lines       11576    12358     +782     
==========================================
+ Hits         4157     5390    +1233     
+ Misses       7104     6630     -474     
- Partials      315      338      +23     

see 70 files with indirect coverage changes

[hanxiantao]

@johnlanni 我加了下 cors 插件也没能复现出来，而且我发现使用 cors 的 wasm 插件时，如果认证失败（ext-auth 插件中调用了sendLocalResponse）了这里就不会设置跨域头了，如果认证成功的情况下是有的（Ingress 上的 cors 注解是认证成功和失败都会加跨域头的）

认证成功：

认证失败：

[johnlanni]

@hanxiantao 是cors插件的执行优先级（授权阶段 340）不如ext auth的执行优先级（认证阶段 360）高，插件执行是回形针式的，优先级高的最先执行decodeHeader，最晚执行 encodeHeader，且如果 decodeHeader 没有被执行，encodeHeader也不会被执行

[hanxiantao]

@hanxiantao 是cors插件的执行优先级（授权阶段 340）不如ext auth的执行优先级（认证阶段 360）高，插件执行是回形针式的，优先级高的最先执行decodeHeader，最晚执行 encodeHeader，且如果 decodeHeader 没有被执行，encodeHeader也不会被执行

嗯，理解了，我记得我调整了优先级试了下也不行，我晚点再验证下导致 envoy crash 的情况

[johnlanni]

LGTM