folk_plugin_http/

hooks.rs

//! Lua hook pipeline for folk-plugin-http.
//!
//! Hook scripts are pre-compiled to Lua bytecode at startup and executed
//! per-request on a fresh [`mlua::Lua`] VM instance.  Sync hooks run in
//! the request critical path; async hooks fire-and-forget via `tokio::spawn`.

use std::collections::HashMap;
use std::sync::Arc;
use std::time::{Duration, Instant};

use anyhow::anyhow;
use axum::body::Body;
use axum::http::Response;
use mlua::{HookTriggers, Lua, LuaOptions, StdLib, Table, Value as LuaValue, VmState};
use tracing::warn;

use crate::config::{HookConfig, HookErrorBehavior, HookMode};

// ── Public context types ──────────────────────────────────────────────────────

/// Context passed to `request.before` and `request.error` hooks.
#[derive(Debug, Clone)]
pub struct RequestContext {
    pub method: String,
    pub path: String,
    pub query: String,
    pub client_ip: String,
    pub request_id: String,
    /// Mutable in sync hooks — mutations propagate to subsequent hooks.
    pub headers: HashMap<String, String>,
    /// Arbitrary key-value bag, mutable in sync hooks.
    pub extra: HashMap<String, String>,
    /// Error message. Set only for `request.error` hooks.
    pub error: Option<String>,
    /// True when a previous sync hook short-circuited the pipeline.
    pub short_circuited: bool,
}

/// Context passed to `response.headers` and `response.after` hooks.
#[derive(Debug, Clone)]
pub struct ResponseContext {
    pub status: u16,
    /// Mutable in sync hooks — mutations propagate to subsequent hooks.
    pub resp_headers: HashMap<String, String>,
    /// Present only for `response.after` hooks. Raw bytes — no lossy UTF-8 conversion.
    pub body: Option<Vec<u8>>,
    /// True when a previous sync hook short-circuited the pipeline.
    pub short_circuited: bool,
}

// ── Hook result ───────────────────────────────────────────────────────────────

/// Outcome of running a hook stage.
pub enum HookResult {
    /// Continue normal processing.
    Continue,
    /// A sync hook returned a short-circuit response.
    ShortCircuit(Response<Body>),
}

// ── Internals ─────────────────────────────────────────────────────────────────

struct CompiledHook {
    config: HookConfig,
    /// Pre-compiled Lua bytecode.
    bytecode: Vec<u8>,
}

// ── HookEngine ────────────────────────────────────────────────────────────────

/// Holds all pre-compiled hooks for the lifetime of the server.
#[derive(Clone)]
pub struct HookEngine {
    hooks: Arc<Vec<CompiledHook>>,
}

impl HookEngine {
    /// Compile all hook scripts.
    ///
    /// If a script fails to compile and `required = false` (default), a WARN is
    /// emitted and the hook is skipped.  If `required = true`, compilation failure
    /// returns an error and aborts server startup — use this for security-critical
    /// hooks where a silently-missing hook would leave requests unprotected.
    pub fn new(configs: &[HookConfig]) -> anyhow::Result<Self> {
        let mut compiled = Vec::with_capacity(configs.len());
        for cfg in configs {
            match compile_script(cfg) {
                Ok(bytecode) => compiled.push(CompiledHook {
                    config: cfg.clone(),
                    bytecode,
                }),
                Err(e) => {
                    if cfg.required {
                        return Err(anyhow!(
                            "required lua hook script failed to compile \
                             (event = {}, script = {}): {}",
                            cfg.event,
                            cfg.lua.display(),
                            e
                        ));
                    }
                    warn!(
                        event = %cfg.event,
                        script = %cfg.lua.display(),
                        error = %e,
                        "lua hook script failed to compile — skipping"
                    );
                }
            }
        }
        Ok(Self {
            hooks: Arc::new(compiled),
        })
    }

    /// Run `request.before` hooks.
    pub fn run_request_before(&self, ctx: &mut RequestContext) -> HookResult {
        self.run_request_stage("request.before", ctx)
    }

    /// Run `request.error` hooks.
    ///
    /// Sync hooks run inline (critical path) and respect `fail_closed` /
    /// short-circuit.  Async hooks fire-and-forget.  Mirrors `run_request_before`.
    pub fn run_request_error(&self, ctx: &mut RequestContext) -> HookResult {
        self.run_request_stage("request.error", ctx)
    }

    /// Run `response.headers` hooks.
    pub fn run_response_headers(&self, ctx: &mut ResponseContext) -> HookResult {
        self.run_response_stage("response.headers", ctx)
    }

    /// Run `response.after` hooks.
    pub fn run_response_after(&self, ctx: &mut ResponseContext) -> HookResult {
        self.run_response_stage("response.after", ctx)
    }

    /// Returns true when at least one compiled hook is registered for `event`.
    pub fn has_event(&self, event: &str) -> bool {
        self.hooks.iter().any(|h| h.config.event == event)
    }

    // ── Internal stage runners ────────────────────────────────────────────────

    fn run_request_stage(&self, event: &str, ctx: &mut RequestContext) -> HookResult {
        let hooks: Vec<_> = self
            .hooks
            .iter()
            .filter(|h| h.config.event == event)
            .collect();

        let (sync_hooks, async_hooks): (Vec<_>, Vec<_>) = hooks
            .into_iter()
            .partition(|h| h.config.mode == HookMode::Sync);

        let mut sc_response: Option<Response<Body>> = None;

        for hook in &sync_hooks {
            if sc_response.is_some() {
                break;
            }
            let timeout = Duration::from_millis(hook.config.timeout_ms);
            match exec_request_hook_mut(&hook.bytecode, ctx, timeout) {
                Ok(Some(resp)) => {
                    ctx.short_circuited = true;
                    sc_response = Some(resp);
                }
                Ok(None) => {}
                Err(e) => {
                    warn!(
                        event = event,
                        script = %hook.config.lua.display(),
                        error = %e,
                        "lua sync hook error"
                    );
                    if hook.config.on_error == HookErrorBehavior::FailClosed {
                        return HookResult::ShortCircuit(internal_error_response());
                    }
                }
            }
        }

        // Spawn async hooks with a read-only snapshot (taken after sync phase).
        let ctx_snap = ctx.clone();
        for hook in async_hooks {
            let bytecode = hook.bytecode.clone();
            let snap = ctx_snap.clone();
            let timeout = Duration::from_millis(hook.config.timeout_ms);
            tokio::spawn(async move {
                if let Err(e) = exec_request_hook(&bytecode, &snap, timeout) {
                    warn!(error = %e, "lua async request hook failed");
                }
            });
        }

        match sc_response {
            Some(resp) => HookResult::ShortCircuit(resp),
            None => HookResult::Continue,
        }
    }

    fn run_response_stage(&self, event: &str, ctx: &mut ResponseContext) -> HookResult {
        let hooks: Vec<_> = self
            .hooks
            .iter()
            .filter(|h| h.config.event == event)
            .collect();

        let (sync_hooks, async_hooks): (Vec<_>, Vec<_>) = hooks
            .into_iter()
            .partition(|h| h.config.mode == HookMode::Sync);

        let mut sc_response: Option<Response<Body>> = None;

        for hook in &sync_hooks {
            if sc_response.is_some() {
                break;
            }
            let timeout = Duration::from_millis(hook.config.timeout_ms);
            match exec_response_hook_mut(&hook.bytecode, ctx, timeout) {
                Ok(Some(resp)) => {
                    ctx.short_circuited = true;
                    sc_response = Some(resp);
                }
                Ok(None) => {}
                Err(e) => {
                    warn!(
                        event = event,
                        script = %hook.config.lua.display(),
                        error = %e,
                        "lua sync response hook error"
                    );
                    if hook.config.on_error == HookErrorBehavior::FailClosed {
                        return HookResult::ShortCircuit(internal_error_response());
                    }
                }
            }
        }

        let ctx_snap = ctx.clone();
        for hook in async_hooks {
            let bytecode = hook.bytecode.clone();
            let snap = ctx_snap.clone();
            let timeout = Duration::from_millis(hook.config.timeout_ms);
            tokio::spawn(async move {
                if let Err(e) = exec_response_hook(&bytecode, &snap, timeout) {
                    warn!(error = %e, "lua async response hook failed");
                }
            });
        }

        match sc_response {
            Some(resp) => HookResult::ShortCircuit(resp),
            None => HookResult::Continue,
        }
    }
}

// ── Script compilation ────────────────────────────────────────────────────────

fn compile_script(cfg: &HookConfig) -> Result<Vec<u8>, String> {
    let source =
        std::fs::read_to_string(&cfg.lua).map_err(|e| format!("read {:?}: {e}", cfg.lua))?;
    let lua = make_lua()?;
    let func = lua
        .load(&source)
        .into_function()
        .map_err(|e| format!("compile {:?}: {e}", cfg.lua))?;
    // dump() returns Vec<u8> directly in mlua 0.10
    Ok(func.dump(false))
}

fn make_lua() -> Result<Lua, String> {
    // Safe subset — no io, os, debug, package, coroutine.
    Lua::new_with(
        StdLib::TABLE | StdLib::STRING | StdLib::MATH | StdLib::UTF8,
        LuaOptions::default(),
    )
    .map_err(|e| format!("lua init: {e}"))
}

// ── Per-request execution helpers ─────────────────────────────────────────────

/// Execute bytecode with an immutable RequestContext.  Used for async hooks.
fn exec_request_hook(
    bytecode: &[u8],
    ctx: &RequestContext,
    timeout: Duration,
) -> Result<Option<Response<Body>>, String> {
    let lua = make_lua()?;
    install_timeout(&lua, timeout)?;

    let t = build_request_table(&lua, ctx)?;
    lua.globals().set("ctx", t).map_err(|e| e.to_string())?;

    let func = lua
        .load(bytecode)
        .into_function()
        .map_err(|e| e.to_string())?;
    let result: LuaValue = func.call(()).map_err(|e| e.to_string())?;
    response_from_lua(result)
}

/// Execute bytecode with a mutable RequestContext — mutations to headers/extra
/// are written back into `ctx` so subsequent sync hooks see them.
fn exec_request_hook_mut(
    bytecode: &[u8],
    ctx: &mut RequestContext,
    timeout: Duration,
) -> Result<Option<Response<Body>>, String> {
    let lua = make_lua()?;
    install_timeout(&lua, timeout)?;

    let t = build_request_table(&lua, ctx)?;
    lua.globals().set("ctx", t).map_err(|e| e.to_string())?;

    let func = lua
        .load(bytecode)
        .into_function()
        .map_err(|e| e.to_string())?;
    let result: LuaValue = func.call(()).map_err(|e| e.to_string())?;

    // Write back mutations.
    let ctx_global: Table = lua.globals().get("ctx").map_err(|e| e.to_string())?;
    let headers_table: Table = ctx_global.get("headers").map_err(|e| e.to_string())?;
    ctx.headers = lua_table_to_map(&headers_table)?;
    let extra_table: Table = ctx_global.get("extra").map_err(|e| e.to_string())?;
    ctx.extra = lua_table_to_map(&extra_table)?;

    response_from_lua(result)
}

/// Execute bytecode with an immutable ResponseContext.  Used for async hooks.
fn exec_response_hook(
    bytecode: &[u8],
    ctx: &ResponseContext,
    timeout: Duration,
) -> Result<Option<Response<Body>>, String> {
    let lua = make_lua()?;
    install_timeout(&lua, timeout)?;

    let t = build_response_table(&lua, ctx)?;
    lua.globals().set("ctx", t).map_err(|e| e.to_string())?;

    let func = lua
        .load(bytecode)
        .into_function()
        .map_err(|e| e.to_string())?;
    let result: LuaValue = func.call(()).map_err(|e| e.to_string())?;
    response_from_lua(result)
}

/// Execute bytecode with a mutable ResponseContext — mutations to resp_headers
/// and body are written back.
fn exec_response_hook_mut(
    bytecode: &[u8],
    ctx: &mut ResponseContext,
    timeout: Duration,
) -> Result<Option<Response<Body>>, String> {
    let lua = make_lua()?;
    install_timeout(&lua, timeout)?;

    let t = build_response_table(&lua, ctx)?;
    lua.globals().set("ctx", t).map_err(|e| e.to_string())?;

    let func = lua
        .load(bytecode)
        .into_function()
        .map_err(|e| e.to_string())?;
    let result: LuaValue = func.call(()).map_err(|e| e.to_string())?;

    // Write back mutations.
    let ctx_global: Table = lua.globals().get("ctx").map_err(|e| e.to_string())?;
    let rh_table: Table = ctx_global.get("resp_headers").map_err(|e| e.to_string())?;
    ctx.resp_headers = lua_table_to_map(&rh_table)?;

    if ctx.body.is_some() {
        // Only write back body if it was present (response.after event).
        // Use mlua::String to preserve raw bytes — avoids any UTF-8 conversion.
        let new_body: Option<mlua::String> = ctx_global.get("body").ok();
        ctx.body = new_body.map(|s| s.as_bytes().to_vec());
    }

    response_from_lua(result)
}

// ── Table builders ────────────────────────────────────────────────────────────

fn build_request_table(lua: &Lua, ctx: &RequestContext) -> Result<Table, String> {
    let t = lua.create_table().map_err(|e| e.to_string())?;
    t.set("method", ctx.method.as_str())
        .map_err(|e| e.to_string())?;
    t.set("path", ctx.path.as_str())
        .map_err(|e| e.to_string())?;
    t.set("query", ctx.query.as_str())
        .map_err(|e| e.to_string())?;
    t.set("client_ip", ctx.client_ip.as_str())
        .map_err(|e| e.to_string())?;
    t.set("request_id", ctx.request_id.as_str())
        .map_err(|e| e.to_string())?;
    t.set("short_circuited", ctx.short_circuited)
        .map_err(|e| e.to_string())?;
    let headers = map_to_lua_table(lua, &ctx.headers)?;
    t.set("headers", headers).map_err(|e| e.to_string())?;
    let extra = map_to_lua_table(lua, &ctx.extra)?;
    t.set("extra", extra).map_err(|e| e.to_string())?;
    if let Some(ref err) = ctx.error {
        t.set("error", err.as_str()).map_err(|e| e.to_string())?;
    }
    Ok(t)
}

fn build_response_table(lua: &Lua, ctx: &ResponseContext) -> Result<Table, String> {
    let t = lua.create_table().map_err(|e| e.to_string())?;
    t.set("status", ctx.status).map_err(|e| e.to_string())?;
    t.set("short_circuited", ctx.short_circuited)
        .map_err(|e| e.to_string())?;
    let rh = map_to_lua_table(lua, &ctx.resp_headers)?;
    t.set("resp_headers", rh).map_err(|e| e.to_string())?;
    if let Some(ref body) = ctx.body {
        // Lua strings are byte strings — binary bodies pass through without corruption.
        let lua_str = lua.create_string(body).map_err(|e| e.to_string())?;
        t.set("body", lua_str).map_err(|e| e.to_string())?;
    }
    Ok(t)
}

// ── Small utilities ───────────────────────────────────────────────────────────

fn install_timeout(lua: &Lua, timeout: Duration) -> Result<(), String> {
    let start = Instant::now();
    lua.set_hook(
        HookTriggers::new().every_nth_instruction(100),
        move |_lua, _debug| {
            if start.elapsed() > timeout {
                Err(mlua::Error::runtime("lua hook timeout"))
            } else {
                Ok(VmState::Continue)
            }
        },
    );
    Ok(())
}

fn map_to_lua_table(lua: &Lua, map: &HashMap<String, String>) -> Result<Table, String> {
    let t = lua.create_table().map_err(|e| e.to_string())?;
    for (k, v) in map {
        t.set(k.as_str(), v.as_str()).map_err(|e| e.to_string())?;
    }
    Ok(t)
}

fn lua_table_to_map(table: &Table) -> Result<HashMap<String, String>, String> {
    let mut map = HashMap::new();
    for pair in table.clone().pairs::<String, String>() {
        let (k, v) = pair.map_err(|e| e.to_string())?;
        map.insert(k, v);
    }
    Ok(map)
}

fn response_from_lua(value: LuaValue) -> Result<Option<Response<Body>>, String> {
    match value {
        LuaValue::Nil => Ok(None),
        LuaValue::Table(t) => {
            let status: u16 = t.get("status").unwrap_or(200u16);
            let body: String = t.get("body").unwrap_or_default();
            let resp = Response::builder()
                .status(status)
                .body(Body::from(body))
                .map_err(|e| e.to_string())?;
            Ok(Some(resp))
        }
        _ => Ok(None),
    }
}

fn internal_error_response() -> Response<Body> {
    Response::builder()
        .status(500)
        .body(Body::from("internal server error (hook fail_closed)"))
        .unwrap()
}