@merusso merusso commented Sep 6, 2025

Summary

When configuring the IP Restriction plugin for TCP ingress, and this plugin rejects a connection due to the IP not being allowed, it writes the following error in Kong server logs:

```
proxy 2023/08/11 14:46:49 [warn] 2190#0: *3416565 [kong] handler.lua:33 IP address not allowed: 10.76.130.208 while prereading client data, client: 10.76.130.208, server: 0.0.0.0:2000
proxy 2023/08/11 14:46:49 [error] 2190#0: *3416565 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/kong/pdk/private/phases.lua:97: function cannot be called in preread phase (only in: rewrite, access, response, header_filter, error, admin_api)
proxy stack traceback:
proxy coroutine 0:
proxy     [C]: in function 'error'
proxy     /usr/local/share/lua/5.1/kong/pdk/private/phases.lua:97: in function 'check_phase'
proxy     /usr/local/share/lua/5.1/kong/pdk/response.lua:1101: in function </usr/local/share/lua/5.1/kong/pdk/response.lua:1096>
proxy     /usr/local/share/lua/5.1/kong/init.lua:352: in function 'execute_plugins_iterator'
proxy     /usr/local/share/lua/5.1/kong/init.lua:868: in function 'preread'
proxy     preread_by_lua(nginx-kong-stream.conf:104):2: in main chunk while prereading client data, client: 10.76.130.208, server: 0.0.0.0:2000
```

The error is caused by a bug in the IP restriction plugin when handling TCP connections. The plugin calls function kong.response.error regardless of connection type, but this function isn't applicable to TCP.

To resolve the issue, this change alters the do_exit function to use ngx.exit instead of kong.response.error for TCP connections.

Checklist

Issue reference

Fix #14749
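
To gauge how often a deployment hits this bug, the denial warning and the runtime error can be paired on the nginx connection id (`*3416565` in the log above). The script below is an added example, not part of this pull request or of Kong; the function names are hypothetical and the third sample log line is constructed.

```python
import re
from collections import defaultdict

# Sample input: the first two lines are the log lines quoted in the PR description;
# the third is constructed for this example (a denial with no follow-up error).
SAMPLE_LOG = """\
proxy 2023/08/11 14:46:49 [warn] 2190#0: *3416565 [kong] handler.lua:33 IP address not allowed: 10.76.130.208 while prereading client data, client: 10.76.130.208, server: 0.0.0.0:2000
proxy 2023/08/11 14:46:49 [error] 2190#0: *3416565 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/kong/pdk/private/phases.lua:97: function cannot be called in preread phase (only in: rewrite, access, response, header_filter, error, admin_api)
proxy 2023/08/11 14:47:02 [warn] 2190#0: *3416570 [kong] handler.lua:33 IP address not allowed: 192.0.2.15 while prereading client data, client: 192.0.2.15, server: 0.0.0.0:2000
"""

# nginx error-log fields: [level] pid#tid: *connection message
LINE_RE = re.compile(r"\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*)")
DENY_RE = re.compile(r"IP address not allowed: (?P<ip>[0-9a-fA-F:.]+)")
PHASE_ERR = "function cannot be called in preread phase"


def triage(log_text):
    """Return one record per denied connection, keyed by (worker pid, connection id)."""
    conns = defaultdict(lambda: {"ip": None, "phase_error": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # stack traceback lines carry no level or connection id
        rec = conns[(m["pid"], m["conn"])]
        deny = DENY_RE.search(m["msg"])
        if m["level"] == "warn" and deny:
            rec["ip"] = deny["ip"]
        elif m["level"] == "error" and PHASE_ERR in m["msg"]:
            rec["phase_error"] = True
    # Keep only connections on which the plugin logged a denial.
    return {key: rec for key, rec in conns.items() if rec["ip"] is not None}


def summarize(records):
    """Split denied client IPs by whether the same connection also logged the phase error."""
    hit = sorted(r["ip"] for r in records.values() if r["phase_error"])
    clean = sorted(r["ip"] for r in records.values() if not r["phase_error"])
    return {"denied_with_phase_error": hit, "denied_cleanly": clean}


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

After upgrading to a build that contains the fix, every denial on a TCP listener should land in `denied_cleanly`.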

@team-eng-enablement team-eng-enablement added the author/community PRs from the open-source community (not Kong Inc) label Sep 6, 2025
@chronolaw chronolaw linked an issue Sep 7, 2025 that may be closed by this pull request
@chronolaw
Contributor

Could we add some tests for this fix? thanks.

@chronolaw chronolaw changed the title fix(ip-restriction): error: function cannot be called in preread phase fix(plugins/ip-restriction): error: function cannot be called in preread phase Sep 8, 2025
@chronolaw chronolaw changed the title fix(plugins/ip-restriction): error: function cannot be called in preread phase fix(plugins/ip-restriction): function cannot be called in preread phase Sep 8, 2025
@chronolaw
Contributor

@merusso could you change the merge target to "master" branch? thanks.

@merusso
Author

merusso commented Sep 8, 2025

> @merusso could you change the merge target to "master" branch? thanks.

I assumed if I did this that the fix would only be in the next release. Is that correct? What is the process for applying a fix to prior releases?

Edit: Changed merge target to master.

When configuring the IP Restriction plugin for TCP ingress, and this
plugin rejects a connection due to the IP not being allowed, it writes
the following error in Kong server logs:

```
proxy 2023/08/11 14:46:49 [warn] 2190#0: *3416565 [kong] handler.lua:33 IP address not allowed: 10.76.130.208 while prereading client data, client: 10.76.130.208, server: 0.0.0.0:2000
proxy 2023/08/11 14:46:49 [error] 2190#0: *3416565 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/kong/pdk/private/phases.lua:97: function cannot be called in preread phase (only in: rewrite, access, response, header_filter, error, admin_api)
proxy stack traceback:
proxy coroutine 0:
proxy     [C]: in function 'error'
proxy     /usr/local/share/lua/5.1/kong/pdk/private/phases.lua:97: in function 'check_phase'
proxy     /usr/local/share/lua/5.1/kong/pdk/response.lua:1101: in function </usr/local/share/lua/5.1/kong/pdk/response.lua:1096>
proxy     /usr/local/share/lua/5.1/kong/init.lua:352: in function 'execute_plugins_iterator'
proxy     /usr/local/share/lua/5.1/kong/init.lua:868: in function 'preread'
proxy     preread_by_lua(nginx-kong-stream.conf:104):2: in main chunk while prereading client data, client: 10.76.130.208, server: 0.0.0.0:2000
```

The error is caused by a bug in the IP restriction plugin when handling
TCP connections. The plugin calls function kong.response.error
regardless of connection type, but this function isn't applicable to
TCP.

To resolve the issue, this change alters the do_exit function to use
ngx.exit instead of kong.response.error for TCP connections.

Fix Kong#14749
@merusso merusso force-pushed the fix/14749-iprestriction-plugin-error branch from d969ed4 to 4cc5b5e Compare September 9, 2025 02:19
@merusso merusso changed the base branch from release/3.9.x to master September 9, 2025 02:20
@chronolaw
Contributor

We also need a change log YAML, thanks.

@merusso
Author

merusso commented Sep 9, 2025

> Could we add some tests for this fix? thanks.

I added some asserts to existing tests to check for the logger error, but I'm unable to run the tests. Can you please verify?

I can't set up the environment correctly, getting an error attempting to use the dev container.

```
# make dev-legacy
Makefile:201: 'remove' target is deprecated, please use `make dev` instead

Error: Could not find rock 'kong' in /usr/local
Makefile:201: recipe for target 'remove' failed
make: [remove] Error 1 (ignored)

Error: Expected filename in format 'name-version-revision.rockspec'.
Makefile:218: recipe for target 'install-legacy' failed
make: *** [install-legacy] Error 1
```

@merusso
Author

merusso commented Sep 9, 2025

> We also need a change log YAML, thanks.

I think there's an issue with the changelog util. Was it moved? Should I create this YAML manually?

```
$ go install github.com/Kong/gateway-changelog@latest
go: github.com/Kong/gateway-changelog@latest: version constraints conflict:
        github.com/Kong/[email protected]: parsing go.mod:
        module declares its path as: github.com/Kong/changelog
                but was required as: github.com/Kong/gateway-changelog
```

Edit: I added it manually. IMO, the contributor docs here are confusing, maybe out of date?

@chronolaw
Contributor

@chobits could you take a look too? thanks.

Labels
author/community PRs from the open-source community (not Kong Inc) plugins/ip-restriction size/S
Development

Successfully merging this pull request may close these issues.

IP Restriction plugin error: function cannot be called in preread phase