envoyproxy · mattklein123 · Aug 14, 2019 · Aug 7, 2019 · Aug 7, 2019 · Aug 7, 2019
diff --git a/docs/root/configuration/http_filters/lua_filter.rst b/docs/root/configuration/http_filters/lua_filter.rst
@@ -109,7 +109,8 @@ more details on the supported API.
     {
       [":method"] = "POST",
       [":path"] = "/",
-      [":authority"] = "lua_cluster"
+      [":authority"] = "lua_cluster",
+      ["set-cookie"] = { "lang=lua; Path=/", "type=binding; Path=/" }
     },
     "hello world",
     5000)
@@ -236,9 +237,9 @@ httpCall()
 
 Makes an HTTP call to an upstream host. Envoy will yield the script until the call completes or
 has an error. *cluster* is a string which maps to a configured cluster manager cluster. *headers*
-is a table of key/value pairs to send. Note that the *:method*, *:path*, and *:authority* headers
-must be set. *body* is an optional string of body data to send. *timeout* is an integer that
-specifies the call timeout in milliseconds.
+is a table of key/value pairs to send (the value can be a string or table of strings). Note that
+the *:method*, *:path*, and *:authority* headers must be set. *body* is an optional string of body
+data to send. *timeout* is an integer that specifies the call timeout in milliseconds.
 
 Returns *headers* which is a table of response headers. Returns *body* which is the string response
 body. May be nil if there is no body.
@@ -264,8 +265,9 @@ passed to subsequent filters. Meaning, the following Lua code is invalid:
     end
   end
 
-*headers* is a table of key/value pairs to send. Note that the *:status* header
-must be set. *body* is a string and supplies the optional response body. May be nil.
+*headers* is a table of key/value pairs to send (the value can be a string or table of strings).
+Note that the *:status* header must be set. *body* is a string and supplies the optional response
+body. May be nil.
 
 metadata()
 ^^^^^^^^^^
@@ -316,10 +318,10 @@ importPublicKey()
 ^^^^^^^^^^^^^^^^^
 
 .. code-block:: lua
-  
+
   pubkey = handle:importPublicKey(keyder, keyderLength)
 
-Returns public key which is used by :ref:`verifySignature <verify_signature>` to verify digital signature. 
+Returns public key which is used by :ref:`verifySignature <verify_signature>` to verify digital signature.
 
 .. _verify_signature:
 
@@ -330,13 +332,13 @@ verifySignature()
 
   ok, error = verifySignature(hashFunction, pubkey, signature, signatureLength, data, dataLength)
 
-Verify signature using provided parameters. *hashFunction* is the variable for hash function which be used 
-for verifying signature. *SHA1*, *SHA224*, *SHA256*, *SHA384* and *SHA512* are supported. 
-*pubkey* is the public key. *signature* is the signature to be verified. *signatureLength* is 
+Verify signature using provided parameters. *hashFunction* is the variable for hash function which be used
+for verifying signature. *SHA1*, *SHA224*, *SHA256*, *SHA384* and *SHA512* are supported.
+*pubkey* is the public key. *signature* is the signature to be verified. *signatureLength* is
 the length of the signature. *data* is the content which will be hashed. *dataLength* is the length of data.
 
 The function returns a pair. If the first element is *true*, the second element will be empty
-which means signature is verified; otherwise, the second element will store the error message. 
+which means signature is verified; otherwise, the second element will store the error message.
 
 .. _config_http_filters_lua_header_wrapper:
 

diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
@@ -16,6 +16,7 @@ Version history
 * http: added the ability to reject HTTP/1.1 requests with invalid HTTP header values, using the runtime feature `envoy.reloadable_features.strict_header_validation`.
 * http: added the ability to :ref:`merge adjacent slashes<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.merge_slashes>` in the path.
 * listeners: added :ref:`HTTP inspector listener filter <config_listener_filters_http_inspector>`.
+* lua: extended `httpCall()` and `respond()` APIs to accept headers with entry values that can be a string or table of strings.
 * router: added :ref:`rq_retry_skipped_request_not_complete <config_http_filters_router_stats>` counter stat to router stats.
 * router check tool: add coverage reporting & enforcement.
 * tls: added verification of IP address SAN fields in certificates against configured SANs in the

diff --git a/source/extensions/filters/http/lua/lua_filter.cc b/source/extensions/filters/http/lua/lua_filter.cc
@@ -146,9 +146,19 @@ Http::HeaderMapPtr StreamHandleWrapper::buildHeadersFromTable(lua_State* state,
   while (lua_next(state, table_index) != 0) {
     // Uses 'key' (at index -2) and 'value' (at index -1).
     const char* key = luaL_checkstring(state, -2);
-    const char* value = luaL_checkstring(state, -1);
-    headers->addCopy(Http::LowerCaseString(key), value);
-
+    // Check if the current value is a table, we iterate through the table and add each element of
+    // it as a header entry value for the current key.
+    if (lua_istable(state, -1)) {
+      lua_pushnil(state);
+      while (lua_next(state, -2) != 0) {
+        const char* value = luaL_checkstring(state, -1);
+        headers->addCopy(Http::LowerCaseString(key), value);
+        lua_pop(state, 1);
+      }
+    } else {
+      const char* value = luaL_checkstring(state, -1);
+      headers->addCopy(Http::LowerCaseString(key), value);
+    }
     // Removes 'value'; keeps 'key' for next iteration. This is the input for lua_next() so that
     // it can push the next key/value pair onto the stack.
     lua_pop(state, 1);

diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc
@@ -744,7 +744,8 @@ TEST_F(LuaHttpFilterTest, HttpCall) {
         {
           [":method"] = "POST",
           [":path"] = "/",
-          [":authority"] = "foo"
+          [":authority"] = "foo",
+          ["set-cookie"] = { "flavor=chocolate; Path=/", "variant=chewy; Path=/" }
         },
         "hello world",
         5000)
@@ -770,6 +771,8 @@ TEST_F(LuaHttpFilterTest, HttpCall) {
             EXPECT_EQ((Http::TestHeaderMapImpl{{":path", "/"},
                                                {":method", "POST"},
                                                {":authority", "foo"},
+                                               {"set-cookie", "flavor=chocolate; Path=/"},
+                                               {"set-cookie", "variant=chewy; Path=/"},
                                                {"content-length", "11"}}),
                       message->headers());
             callbacks = &cb;
@@ -959,7 +962,10 @@ TEST_F(LuaHttpFilterTest, HttpCallImmediateResponse) {
         nil,
         5000)
       request_handle:respond(
-        {[":status"] = "403"},
+        {
+          [":status"] = "403",
+          ["set-cookie"] = { "flavor=chocolate; Path=/", "variant=chewy; Path=/" }
+        },
         nil)
     end
   )EOF"};
@@ -988,7 +994,9 @@ TEST_F(LuaHttpFilterTest, HttpCallImmediateResponse) {
 
   Http::MessagePtr response_message(new Http::ResponseMessageImpl(
       Http::HeaderMapPtr{new Http::TestHeaderMapImpl{{":status", "200"}}}));
-  Http::TestHeaderMapImpl expected_headers{{":status", "403"}};
+  Http::TestHeaderMapImpl expected_headers{{":status", "403"},
+                                           {"set-cookie", "flavor=chocolate; Path=/"},
+                                           {"set-cookie", "variant=chewy; Path=/"}};
   EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&expected_headers), true));
   callbacks->onSuccess(std::move(response_message));
 }
@@ -1668,28 +1676,28 @@ TEST_F(LuaHttpFilterTest, SignatureVerify) {
 
       rawsig = signature:fromhex()
 
-      ok, error = request_handle:verifySignature(hashFunc, pubkey, rawsig, string.len(rawsig), data, string.len(data)) 
+      ok, error = request_handle:verifySignature(hashFunc, pubkey, rawsig, string.len(rawsig), data, string.len(data))
       if ok then
         request_handle:logTrace("signature is valid")
       else
         request_handle:logTrace(error)
       end
 
-      ok, error = request_handle:verifySignature("unknown", pubkey, rawsig, string.len(rawsig), data, string.len(data)) 
+      ok, error = request_handle:verifySignature("unknown", pubkey, rawsig, string.len(rawsig), data, string.len(data))
       if ok then
         request_handle:logTrace("signature is valid")
       else
         request_handle:logTrace(error)
       end
 
-      ok, error = request_handle:verifySignature(hashFunc, pubkey, "0000", 4, data, string.len(data)) 
+      ok, error = request_handle:verifySignature(hashFunc, pubkey, "0000", 4, data, string.len(data))
       if ok then
         request_handle:logTrace("signature is valid")
       else
         request_handle:logTrace(error)
       end
 
-      ok, error = request_handle:verifySignature(hashFunc, pubkey, rawsig, string.len(rawsig), "xxxx", 4) 
+      ok, error = request_handle:verifySignature(hashFunc, pubkey, rawsig, string.len(rawsig), "xxxx", 4)
       if ok then
         request_handle:logTrace("signature is valid")
       else