Support exact endpoint configuration in interceptor policy

[thivindu]

Purpose

This pull request introduces support for specifying the exact path of the interceptor service that the request should hit in the interceptor policy.

Sample policy config in apk-conf -

apiPolicies:
  request:
    - policyName: "Interceptor"
      policyVersion: v1
      parameters:
        backendUrl: "http://auth-interceptor-svc.interceptor.svc.cluster.local:9081/api/v1/handle-token-request"
        headersEnabled: true
        bodyEnabled: true
        trailersEnabled: false
        contextEnabled: true

Related to - #3317

Goals

Support exact endpoint configuration in interceptor policy

Approach

This specifies a resource_path for interceptor service calls, enabling more flexible routing to interceptor endpoints. The changes ensure that the resource_path is propagated throughout the configuration, set in generated Lua scripts, and defaults to /api/v1/handle-request or /api/v1/handle-response if not provided. Additionally, the handling of base paths and their consistency across endpoints is improved.

Interceptor Resource Path Support

• Added a new ResourcePath field to the interceptor configuration structures (HTTPCallConfig, InterceptEndpoint) and ensured it is populated from configuration and policy parameters. This allows specifying custom resource paths for interceptor service calls. [1] [2] [3] [4] [5] [6] [7]
• Updated the Lua interceptor logic to use the provided resource_path, defaulting to /api/v1/handle-request or /api/v1/handle-response if not specified. This ensures backward compatibility and correct routing. [1] [2]
• Modified the Go templates that generate Lua configuration to include the resource_path in both request and response interceptor flows. [1] [2]

Configuration and Policy Handling

• Added the interceptorBasePath constant and updated the logic to extract and propagate the interceptor base path from backend mappings and policy parameters, ensuring the correct resource path is passed through the system. [1] [2] [3]

Testing and Validation

• Added new test API configurations (apk-conf files) that specify custom resource paths for various interceptor scenarios, ensuring the feature is thoroughly tested. [1] [2] [3] [4] [5]
• Updated test deployment images for the interceptor service to use a new image repository. [1] [2]
• Fixed a bug in the test step for waiting minutes (was incorrectly waiting seconds instead of minutes).

Documentation and Type Updates

• Updated Lua documentation comments to reflect the new resource_path and authority_header fields in the interceptor service list. [1] [2]

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f3674537-f762-4084-ad41-877a5c61215d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request introduces support for custom resource paths in interceptor configurations. The implementation adds a ResourcePath field to interceptor-related structures and propagates it through the interceptor policy configuration chain. Policy parameters are parsed to extract an optional InterceptorBasePath value, which is passed through API operation and HTTP route processing layers into the final Lua template configuration. The Lua interceptor handlers now conditionally apply the custom resource path instead of always overwriting with default paths, maintaining backward compatibility. Additionally, the PR updates test infrastructure components, including container images, test configurations, and a new Ballerina service for custom path interceptor testing.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description covers Purpose, Goals, and Approach sections with technical details. However, it lacks several required template sections including Documentation, Training, Certification, Marketing, and complete automation test coverage details.	Complete missing required sections: add Documentation (or N/A with explanation), Training links, Certification status, Marketing content links, and detailed automation test coverage information.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding support for exact endpoint configuration in interceptor policy, which aligns with the PR's core objective of enabling custom resource paths.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wso2-engineering]

Log Improvement Suggestion No: 1

Suggested change

	// validating the basepath to be same for all upstreams of an api
	if strings.TrimSuffix(ep.Basepath, "/") != basePath {
	if strings.TrimSuffix(ep.Basepath, "/") != strings.TrimSuffix(basePath, "/") {
	return nil, nil, errors.New("endpoint basepath mismatched for " + ep.RawURL + ". expected : " + basePath + " but found : " + ep.Basepath)
	}
	// validating the basepath to be same for all upstreams of an api
	if strings.TrimSuffix(ep.Basepath, "/") != strings.TrimSuffix(basePath, "/") {
	log.Errorf("Endpoint basepath mismatch for %s. Expected: %s, Found: %s", ep.RawURL, basePath, ep.Basepath)
	return nil, nil, errors.New("endpoint basepath mismatched for " + ep.RawURL + ". expected : " + basePath + " but found : " + ep.Basepath)
	}

[wso2-engineering]

Log Improvement Suggestion No: 3

Suggested change

	if bp, ok := paramMap[constants.InterceptorBasePath]; ok {
	if bpStr, ok := bp.(string); ok && bpStr != "" {
	resourcePath = &bpStr
	}
	}
	if bp, ok := paramMap[constants.InterceptorBasePath]; ok {
	if bpStr, ok := bp.(string); ok && bpStr != "" {
	log.Debug("Setting interceptor resource path: ", bpStr)
	resourcePath = &bpStr
	}
	}

[wso2-engineering]

Log Improvement Suggestion No: 4

Suggested change

	if len(endpoints) > 0 {
	policyParameters[constants.InterceptorEndpoints] = endpoints
	policyParameters[constants.InterceptorServiceIncludes] = requestInterceptor.Includes
	if len(endpoints) > 0 {
	log.Debugf("Adding request interceptor for backend: %s with %d endpoints", backendName, len(endpoints))
	policyParameters[constants.InterceptorEndpoints] = endpoints

[wso2-engineering]

Log Improvement Suggestion No: 5

Suggested change

	if len(endpoints) > 0 {
	policyParameters[constants.InterceptorEndpoints] = endpoints
	policyParameters[constants.InterceptorServiceIncludes] = responseInterceptor.Includes
	if len(endpoints) > 0 {
	log.Debugf("Adding response interceptor for backend: %s with %d endpoints", backendName, len(endpoints))
	policyParameters[constants.InterceptorEndpoints] = endpoints

[wso2-engineering]

Log Improvement Suggestion No: 6

Suggested change

	endpoints := model.GetEndpoints(types.NamespacedName{Namespace: namespace, Name: interceptor.BackendRef.Name},
	gatewayBackendMapping)
	basePath := model.GetBackendBasePath(types.NamespacedName{Namespace: namespace, Name: interceptor.BackendRef.Name},
	endpoints := model.GetEndpoints(types.NamespacedName{Namespace: namespace, Name: interceptor.BackendRef.Name},
	gatewayBackendMapping)
	logger.Info("Retrieved endpoints for interceptor backend", "namespace", namespace, "backendName", interceptor.BackendRef.Name)

[wso2-engineering]

Log Improvement Suggestion No: 7

Suggested change

	var resourcePath *string
	if basePath != "" {
	resourcePath = &basePath
	}
	if basePath != "" {
	resourcePath = &basePath
	logger.Debug("Setting resource path for interceptor endpoint", "basePath", basePath, "clusterName", clusterName)
	}

[wso2-engineering]

Log Improvement Suggestion No: 8

Suggested change

	public void waitForMinute(int minute) throws InterruptedException {
	Thread.sleep(minute * 1000);
	Thread.sleep(minute * 60 * 1000);
	}
	@Then("I wait for {int} minute")
	public void waitForMinute(int minute) throws InterruptedException {
	log.debug("Waiting for {} minute(s)", minute);
	Thread.sleep(minute * 60 * 1000);
	}

[wso2-engineering]

Log Improvement Suggestion No: 9

Suggested change

	check ep0.attach(interceptorService, "/api/v1");
	check ep0.attach(customPathInterceptorService, "/custom/v2");
	check ep0.'start();
	check ep0.attach(interceptorService, "/api/v1");
	check ep0.attach(customPathInterceptorService, "/custom/v2");
	log:printInfo("Attached interceptor services to listener on port 8080");
	check ep0.'start();

[wso2-engineering]

Log Improvement Suggestion No: 10

Suggested change

	check ep1.attach(interceptorService, "/api/v1");
	check ep1.attach(customPathInterceptorService, "/custom/v2");
	check ep1.'start();
	check ep1.attach(interceptorService, "/api/v1");
	check ep1.attach(customPathInterceptorService, "/custom/v2");
	log:printInfo("Attached interceptor services to listener on port 8444");
	check ep1.'start();

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1
#### Log Improvement Suggestion No: 3
#### Log Improvement Suggestion No: 4
#### Log Improvement Suggestion No: 5
#### Log Improvement Suggestion No: 6
#### Log Improvement Suggestion No: 7
#### Log Improvement Suggestion No: 8
#### Log Improvement Suggestion No: 9
#### Log Improvement Suggestion No: 10

[thivindu]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

adapter/internal/oasparser/model/adapter_internal_api.go (1)

1781-1848: ⚠️ Potential issue | 🟡 Minor

ResourcePath field not populated from vendor-extension interceptors.

GetInterceptor builds InterceptEndpoint from x-wso2-request-interceptor / x-wso2-response-interceptor vendor extensions but does not set ResourcePath. The method explicitly extracts and discards the basepath from the serviceURL with a warning (lines 1798-1801), unlike operation-level interceptors sourced through APIPolicy which extract and assign the basepath to ResourcePath (see api_operation.go:164-169).

If path-based routing or resource path awareness is required for vendor-extension interceptors, consider extracting the serviceURL basepath and assigning it to ResourcePath instead of discarding it.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@adapter/internal/oasparser/model/adapter_internal_api.go` around lines 1781 -
1848, GetInterceptor currently parses serviceURL via getHTTPEndpoint but logs
and ignores endpoint.Basepath; populate the InterceptEndpoint.ResourcePath from
that basepath instead of discarding it. Update the return value in
GetInterceptor to set ResourcePath: endpoint.Basepath (or empty string if no
basepath) when building the InterceptEndpoint so vendor-extension interceptors
carry the resource path similar to operation-level interceptors (see api
operation handling in APIOperation). Also ensure the code continues to warn if a
basepath is present but still assigns it to ResourcePath.

🧹 Nitpick comments (1)

adapter/internal/oasparser/model/http_route.go (1)

129-140: LGTM: consistent injection of InterceptorBasePath for both request and response interceptors.

basePath is derived from the same resolved backend used to build endpoints and is only attached when endpoints exist, matching the downstream consumer in api_operation.go.

Minor nit: GetBackendBasePath is invoked before the len(endpoints) > 0 guard and its result is discarded when no endpoints are present. Moving the call inside the guard would be slightly cleaner, but it's a no-op read so this is optional.

Also applies to: 152-163

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@adapter/internal/oasparser/model/http_route.go` around lines 129 - 140, Move
the GetBackendBasePath call inside the endpoints existence guard to avoid
calling it when endpoints are empty: in the block that already calls
GetEndpoints(backendName, backendMapping) and checks if len(endpoints) > 0, call
GetBackendBasePath(backendName, backendMapping) there and then set
policyParameters[constants.InterceptorBasePath] = basePath before appending the
Policy to policies.Request; apply the same change to the analogous response
interceptor block (the code around where Policy with PolicyName
constants.PolicyResponseInterceptor is constructed, currently around the second
block similar to lines 152-163).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/k8s-resources/interceptor-service.yaml`:
- Line 62: The manifest uses a personal Docker Hub image with a floating tag
("thivindu/interceptor_service:latest"); replace that image reference with an
organization-owned registry image and pin to an immutable tag or digest (e.g.,
orgName/interceptor_service:vX.Y.Z or orgName/interceptor_service@sha256:...) so
tests are reproducible; update the same image string wherever it appears in the
related test manifests (the other two test CR artifacts that reference the
identical image) to the new org-scoped, pinned tag/digest.

---

Outside diff comments:
In `@adapter/internal/oasparser/model/adapter_internal_api.go`:
- Around line 1781-1848: GetInterceptor currently parses serviceURL via
getHTTPEndpoint but logs and ignores endpoint.Basepath; populate the
InterceptEndpoint.ResourcePath from that basepath instead of discarding it.
Update the return value in GetInterceptor to set ResourcePath: endpoint.Basepath
(or empty string if no basepath) when building the InterceptEndpoint so
vendor-extension interceptors carry the resource path similar to operation-level
interceptors (see api operation handling in APIOperation). Also ensure the code
continues to warn if a basepath is present but still assigns it to ResourcePath.

---

Nitpick comments:
In `@adapter/internal/oasparser/model/http_route.go`:
- Around line 129-140: Move the GetBackendBasePath call inside the endpoints
existence guard to avoid calling it when endpoints are empty: in the block that
already calls GetEndpoints(backendName, backendMapping) and checks if
len(endpoints) > 0, call GetBackendBasePath(backendName, backendMapping) there
and then set policyParameters[constants.InterceptorBasePath] = basePath before
appending the Policy to policies.Request; apply the same change to the analogous
response interceptor block (the code around where Policy with PolicyName
constants.PolicyResponseInterceptor is constructed, currently around the second
block similar to lines 152-163).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ceaa2bc6-9b72-4d60-ba20-ba4d3ab5a3da

📥 Commits

Reviewing files that changed from the base of the PR and between 04059fc and de68530.

📒 Files selected for processing (31)

• adapter/internal/interceptor/interceptor.go
• adapter/internal/oasparser/constants/constants.go
• adapter/internal/oasparser/envoyconf/routes_with_clusters.go
• adapter/internal/oasparser/model/adapter_internal_api.go
• adapter/internal/oasparser/model/api_operation.go
• adapter/internal/oasparser/model/http_route.go
• adapter/internal/operator/synchronizer/gateway_synchronizer.go
• gateway/router/resources/interceptor/lib/interceptor.lua
• test/cucumber-tests/CRs/agent-artifacts.yaml
• test/cucumber-tests/CRs/artifacts.yaml
• test/cucumber-tests/src/test/java/org/wso2/apk/integration/api/BaseSteps.java
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathOperationRequestAndResponse.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathOperationRequestDefaultResponse.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathOperationRequestInterceptor.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathOperationResponseInterceptor.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathRequestAndResponse.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathRequestDefaultResponse.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathRequestInterceptor.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withCustomPathResponseInterceptor.apk-conf
• test/cucumber-tests/src/test/resources/artifacts/apk-confs/interceptors/withDefaultRequestCustomPathResponse.apk-conf
• test/cucumber-tests/src/test/resources/tests/api/APIDefinitionEndpoint.feature
• test/cucumber-tests/src/test/resources/tests/api/GlobalInterceptor.feature
• test/cucumber-tests/src/test/resources/tests/api/Interceptor.feature
• test/cucumber-tests/src/test/resources/tests/api/InterceptorCustomPath.feature
• test/cucumber-tests/src/test/resources/tests/api/resourceInterceptor.feature
• test/cucumber-tests/src/test/resources/tests/api/resourceInterceptorCustomPath.feature
• test/interceptor-backend/ballerina/Dependencies.toml
• test/interceptor-backend/ballerina/Dockerfile
• test/interceptor-backend/ballerina/customPathInterceptor.bal
• test/interceptor-backend/ballerina/init.bal
• test/k8s-resources/interceptor-service.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Image now points to a personal Docker Hub namespace.

thivindu/interceptor_service:latest is a personal account repository, and the tag is floating (:latest). For a shared test manifest, consider:

• Publishing under an organization-owned registry (e.g., the WSO2 namespace used previously) so the image lifecycle is not tied to an individual contributor.
• Pinning to an immutable tag or digest to make test runs reproducible and avoid silent drift.

The same concern applies to the identical image references in test/cucumber-tests/CRs/artifacts.yaml (line 164) and test/cucumber-tests/CRs/agent-artifacts.yaml (line 164).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/k8s-resources/interceptor-service.yaml` at line 62, The manifest uses a
personal Docker Hub image with a floating tag
("thivindu/interceptor_service:latest"); replace that image reference with an
organization-owned registry image and pin to an immutable tag or digest (e.g.,
orgName/interceptor_service:vX.Y.Z or orgName/interceptor_service@sha256:...) so
tests are reproducible; update the same image string wherever it appears in the
related test manifests (the other two test CR artifacts that reference the
identical image) to the new org-scoped, pinned tag/digest.

[Tharsanan1]

why are we downgrading the versions?

[thivindu]

The Ballerina version in the Ballerina.toml is 2201.5.0 and the Dependencies.toml is auto generated when we build the project so that it is set to the ballerina version that is used in the development enviorment.

[Tharsanan1]

this could affect other flows as well

[thivindu]

Fixed via - cdb2a04