feat(wasm-go): add wasm go plugin unit test and ci workflow (#2809)

2026-06-06 19:27:33 +08:00 · 2025-08-28 20:02:03 +08:00
parent 3e0a5f02a7
commit a00b810be5
138 changed files with 27695 additions and 313 deletions
--- a/plugins/wasm-go/extensions/ext-auth/go.mod
+++ b/plugins/wasm-go/extensions/ext-auth/go.mod
@@ -5,8 +5,8 @@ go 1.24.1
 toolchain go1.24.4

 require (
-	github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20250611100342-5654e89a7a80
-	github.com/higress-group/wasm-go v1.0.0
+	github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20250822030947-8345453fddd0
+	github.com/higress-group/wasm-go v1.0.2-0.20250821081215-b573359becf8
 	github.com/stretchr/testify v1.9.0
 	github.com/tidwall/gjson v1.18.0
 )
@@ -15,8 +15,10 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/tetratelabs/wazero v1.7.2 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/resp v0.1.1 // indirect
+	github.com/tidwall/sjson v1.2.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/plugins/wasm-go/extensions/ext-auth/go.sum
+++ b/plugins/wasm-go/extensions/ext-auth/go.sum
@@ -2,14 +2,17 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20250611100342-5654e89a7a80 h1:xqmtTZI0JQ2O+Lg9/CE6c+Tw9KD6FnvWw8EpLVuuvfg=
-github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20250611100342-5654e89a7a80/go.mod h1:tRI2LfMudSkKHhyv1uex3BWzcice2s/l8Ah8axporfA=
-github.com/higress-group/wasm-go v1.0.0 h1:4Ik5n3FsJ5+r13KLQl2ky+8NuAE8dfWQwoKxXYD2KAw=
-github.com/higress-group/wasm-go v1.0.0/go.mod h1:ODBV27sjmhIW8Cqv3R74EUcTnbdkE69bmXBQFuRkY1M=
+github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20250822030947-8345453fddd0 h1:YGdj8KBzVjabU3STUfwMZghB+VlX6YLfJtLbrsWaOD0=
+github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20250822030947-8345453fddd0/go.mod h1:tRI2LfMudSkKHhyv1uex3BWzcice2s/l8Ah8axporfA=
+github.com/higress-group/wasm-go v1.0.2-0.20250821081215-b573359becf8 h1:rs+AH1wfZy4swzuAyiRXT7xPUm8gycXt9Gwy0tqOq0o=
+github.com/higress-group/wasm-go v1.0.2-0.20250821081215-b573359becf8/go.mod h1:9k7L730huS/q4V5iH9WLDgf5ZUHEtfhM/uXcegKDG/M=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tetratelabs/wazero v1.7.2 h1:1+z5nXJNwMLPAWaTePFi49SSTL0IMx/i3Fg8Yc25GDc=
+github.com/tetratelabs/wazero v1.7.2/go.mod h1:ytl6Zuh20R/eROuyDaGPkp82O9C/DJfXAwJfQ3X6/7Y=
+github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
 github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
@@ -19,6 +22,8 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/resp v0.1.1 h1:Ly20wkhqKTmDUPlyM1S7pWo5kk0tDu8OoC/vFArXmwE=
 github.com/tidwall/resp v0.1.1/go.mod h1:3/FrruOBAxPTPtundW0VXgmsQ4ZBA0Aw714lVYgwFa0=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/plugins/wasm-go/extensions/ext-auth/main_test.go
+++ b/plugins/wasm-go/extensions/ext-auth/main_test.go
@@ -0,0 +1,529 @@
+// Copyright (c) 2024 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm/types"
+	"github.com/higress-group/wasm-go/pkg/test"
+	"github.com/stretchr/testify/require"
+)
+
+// 测试配置：基本 envoy 模式配置
+var basicEnvoyConfig = func() json.RawMessage {
+	data, _ := json.Marshal(map[string]interface{}{
+		"http_service": map[string]interface{}{
+			"endpoint_mode": "envoy",
+			"endpoint": map[string]interface{}{
+				"service_name": "ext-auth.backend.svc.cluster.local",
+				"service_port": 8090,
+				"path_prefix":  "/auth",
+			},
+			"timeout": 1000,
+		},
+	})
+	return data
+}()
+
+// 测试配置：forward_auth 模式配置
+var forwardAuthConfig = func() json.RawMessage {
+	data, _ := json.Marshal(map[string]interface{}{
+		"http_service": map[string]interface{}{
+			"endpoint_mode": "forward_auth",
+			"endpoint": map[string]interface{}{
+				"service_name":   "ext-auth.backend.svc.cluster.local",
+				"service_port":   8090,
+				"path":           "/auth",
+				"request_method": "POST",
+			},
+			"timeout": 1000,
+		},
+	})
+	return data
+}()
+
+// 测试配置：带请求头过滤的配置
+var headersConfig = func() json.RawMessage {
+	data, _ := json.Marshal(map[string]interface{}{
+		"http_service": map[string]interface{}{
+			"endpoint_mode": "envoy",
+			"endpoint": map[string]interface{}{
+				"service_name": "ext-auth.backend.svc.cluster.local",
+				"service_port": 8090,
+				"path_prefix":  "/auth",
+			},
+			"timeout": 1000,
+			"authorization_request": map[string]interface{}{
+				"allowed_headers": []map[string]interface{}{
+					{"exact": "x-auth-version"},
+					{"prefix": "x-custom"},
+				},
+				"headers_to_add": map[string]interface{}{
+					"x-envoy-header": "true",
+				},
+			},
+			"authorization_response": map[string]interface{}{
+				"allowed_upstream_headers": []map[string]interface{}{
+					{"exact": "x-user-id"},
+					{"exact": "x-auth-version"},
+				},
+				"allowed_client_headers": []map[string]interface{}{
+					{"exact": "x-auth-failed"},
+				},
+			},
+		},
+	})
+	return data
+}()
+
+// 测试配置：带请求体的配置
+var withRequestBodyConfig = func() json.RawMessage {
+	data, _ := json.Marshal(map[string]interface{}{
+		"http_service": map[string]interface{}{
+			"endpoint_mode": "envoy",
+			"endpoint": map[string]interface{}{
+				"service_name": "ext-auth.backend.svc.cluster.local",
+				"service_port": 8090,
+				"path_prefix":  "/auth",
+			},
+			"timeout": 1000,
+			"authorization_request": map[string]interface{}{
+				"with_request_body":      true,
+				"max_request_body_bytes": 1024,
+			},
+		},
+	})
+	return data
+}()
+
+// 测试配置：带黑白名单的配置
+var matchRulesConfig = func() json.RawMessage {
+	data, _ := json.Marshal(map[string]interface{}{
+		"http_service": map[string]interface{}{
+			"endpoint_mode": "envoy",
+			"endpoint": map[string]interface{}{
+				"service_name": "ext-auth.backend.svc.cluster.local",
+				"service_port": 8090,
+				"path_prefix":  "/auth",
+			},
+			"timeout": 1000,
+		},
+		"match_type": "whitelist",
+		"match_list": []map[string]interface{}{
+			{
+				"match_rule_domain": "api.example.com",
+				"match_rule_path":   "/public",
+				"match_rule_type":   "prefix",
+			},
+			{
+				"match_rule_method": []string{"GET"},
+				"match_rule_path":   "/health",
+				"match_rule_type":   "exact",
+			},
+		},
+	})
+	return data
+}()
+
+// 测试配置：失败模式配置
+var failureModeConfig = func() json.RawMessage {
+	data, _ := json.Marshal(map[string]interface{}{
+		"http_service": map[string]interface{}{
+			"endpoint_mode": "envoy",
+			"endpoint": map[string]interface{}{
+				"service_name": "ext-auth.backend.svc.cluster.local",
+				"service_port": 8090,
+				"path_prefix":  "/auth",
+			},
+			"timeout": 1000,
+		},
+		"failure_mode_allow":            true,
+		"failure_mode_allow_header_add": true,
+		"status_on_error":               500,
+	})
+	return data
+}()
+
+func TestParseConfig(t *testing.T) {
+	test.RunGoTest(t, func(t *testing.T) {
+		// 测试基本 envoy 模式配置解析
+		t.Run("basic envoy config", func(t *testing.T) {
+			host, status := test.NewTestHost(basicEnvoyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			config, err := host.GetMatchConfig()
+			require.NoError(t, err)
+			require.NotNil(t, config)
+		})
+
+		// 测试 forward_auth 模式配置解析
+		t.Run("forward auth config", func(t *testing.T) {
+			host, status := test.NewTestHost(forwardAuthConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			config, err := host.GetMatchConfig()
+			require.NoError(t, err)
+			require.NotNil(t, config)
+		})
+
+		// 测试带请求头过滤的配置解析
+		t.Run("headers config", func(t *testing.T) {
+			host, status := test.NewTestHost(headersConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			config, err := host.GetMatchConfig()
+			require.NoError(t, err)
+			require.NotNil(t, config)
+		})
+
+		// 测试带请求体的配置解析
+		t.Run("with request body config", func(t *testing.T) {
+			host, status := test.NewTestHost(withRequestBodyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			config, err := host.GetMatchConfig()
+			require.NoError(t, err)
+			require.NotNil(t, config)
+		})
+
+		// 测试带黑白名单的配置解析
+		t.Run("match rules config", func(t *testing.T) {
+			host, status := test.NewTestHost(matchRulesConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			config, err := host.GetMatchConfig()
+			require.NoError(t, err)
+			require.NotNil(t, config)
+		})
+
+		// 测试失败模式配置解析
+		t.Run("failure mode config", func(t *testing.T) {
+			host, status := test.NewTestHost(failureModeConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			config, err := host.GetMatchConfig()
+			require.NoError(t, err)
+			require.NotNil(t, config)
+		})
+	})
+}
+
+func TestOnHttpRequestHeaders(t *testing.T) {
+	test.RunTest(t, func(t *testing.T) {
+		// 测试基本 envoy 模式请求头处理
+		t.Run("basic envoy request headers", func(t *testing.T) {
+			host, status := test.NewTestHost(basicEnvoyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 设置请求头
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer token123"},
+				{"x-custom-header", "value"},
+			})
+
+			// 由于需要调用外部认证服务，应该返回 HeaderStopAllIterationAndWatermark
+			require.Equal(t, types.HeaderStopAllIterationAndWatermark, action)
+
+			// 模拟外部认证服务的HTTP调用响应
+			// 模拟成功响应（200状态码）
+			host.CallOnHttpCall([][2]string{
+				{":status", "200"},
+				{"x-user-id", "user123"},
+				{"x-auth-version", "1.0"},
+				{"content-type", "application/json"},
+			}, []byte(`{"authorized": true, "user": "user123"}`))
+
+			// 验证请求是否被恢复
+			require.Equal(t, types.ActionContinue, host.GetHttpStreamAction())
+
+			host.CompleteHttp()
+		})
+
+		// 测试 forward_auth 模式请求头处理
+		t.Run("forward auth request headers", func(t *testing.T) {
+			host, status := test.NewTestHost(forwardAuthConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 设置请求头
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "GET"},
+				{"authorization", "Bearer token123"},
+				{"x-custom-header", "value"},
+			})
+
+			// 由于需要调用外部认证服务，应该返回 HeaderStopAllIterationAndWatermark
+			require.Equal(t, types.HeaderStopAllIterationAndWatermark, action)
+
+			// 模拟外部认证服务的HTTP调用响应
+			// 模拟成功响应（200状态码）
+			host.CallOnHttpCall([][2]string{
+				{":status", "200"},
+				{"x-user-id", "user456"},
+				{"x-auth-version", "1.0"},
+				{"content-type", "application/json"},
+			}, []byte(`{"authorized": true, "user": "user456"}`))
+
+			// 验证请求是否被恢复
+			require.Equal(t, types.ActionContinue, host.GetHttpStreamAction())
+
+			host.CompleteHttp()
+		})
+
+		// 测试带请求头过滤的请求头处理
+		t.Run("headers filtered request headers", func(t *testing.T) {
+			host, status := test.NewTestHost(headersConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 设置请求头
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer token123"},
+				{"x-auth-version", "1.0"},
+				{"x-custom-header", "value"},
+				{"x-ignored-header", "ignored"},
+			})
+
+			// 由于需要调用外部认证服务，应该返回 HeaderStopAllIterationAndWatermark
+			require.Equal(t, types.HeaderStopAllIterationAndWatermark, action)
+
+			host.CompleteHttp()
+		})
+
+		// 测试带请求体的请求头处理
+		t.Run("with request body request headers", func(t *testing.T) {
+			host, status := test.NewTestHost(withRequestBodyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 设置请求头
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer token123"},
+				{"content-type", "application/json"},
+			})
+
+			// 由于需要读取请求体，应该返回 HeaderStopIteration
+			require.Equal(t, types.HeaderStopIteration, action)
+
+			host.CompleteHttp()
+		})
+
+		// 测试黑白名单匹配的请求头处理
+		t.Run("match rules request headers", func(t *testing.T) {
+			host, status := test.NewTestHost(matchRulesConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 测试白名单匹配的请求（应该跳过认证）
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "api.example.com"},
+				{":path", "/public/users"},
+				{":method", "GET"},
+			})
+
+			// 白名单匹配的请求应该直接通过
+			require.Equal(t, types.ActionContinue, action)
+
+			host.CompleteHttp()
+		})
+
+		// 测试黑白名单不匹配的请求头处理
+		t.Run("match rules no match request headers", func(t *testing.T) {
+			host, status := test.NewTestHost(matchRulesConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 测试不在白名单中的请求（应该进行认证）
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "api.example.com"},
+				{":path", "/private/users"},
+				{":method", "POST"},
+			})
+
+			// 不在白名单中的请求应该进行认证
+			require.Equal(t, types.HeaderStopAllIterationAndWatermark, action)
+
+			// 模拟外部认证服务的HTTP调用响应
+			// 模拟认证失败响应（401状态码）
+			host.CallOnHttpCall([][2]string{
+				{":status", "401"},
+				{"x-auth-failed", "true"},
+				{"content-type", "application/json"},
+			}, []byte(`{"authorized": false, "message": "Invalid token"}`))
+
+			host.CompleteHttp()
+		})
+
+		// 测试认证失败的情况
+		t.Run("authentication failed", func(t *testing.T) {
+			host, status := test.NewTestHost(basicEnvoyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 设置请求头
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer invalid-token"},
+			})
+
+			// 由于需要调用外部认证服务，应该返回 HeaderStopAllIterationAndWatermark
+			require.Equal(t, types.HeaderStopAllIterationAndWatermark, action)
+
+			// 模拟外部认证服务的HTTP调用响应
+			// 模拟认证失败响应（403状态码）
+			host.CallOnHttpCall([][2]string{
+				{":status", "403"},
+				{"x-auth-failed", "true"},
+				{"content-type", "application/json"},
+			}, []byte(`{"authorized": false, "message": "Access denied"}`))
+
+			host.CompleteHttp()
+		})
+
+		// 测试认证服务返回5xx错误的情况
+		t.Run("authentication service error", func(t *testing.T) {
+			host, status := test.NewTestHost(basicEnvoyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 设置请求头
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer token123"},
+			})
+
+			// 由于需要调用外部认证服务，应该返回 HeaderStopAllIterationAndWatermark
+			require.Equal(t, types.HeaderStopAllIterationAndWatermark, action)
+
+			// 模拟外部认证服务的HTTP调用响应
+			// 模拟服务错误响应（500状态码）
+			host.CallOnHttpCall([][2]string{
+				{":status", "500"},
+				{"x-auth-error", "true"},
+				{"content-type", "application/json"},
+			}, []byte(`{"error": "Internal server error"}`))
+
+			host.CompleteHttp()
+		})
+
+		// 测试失败模式允许的情况
+		t.Run("failure mode allow", func(t *testing.T) {
+			host, status := test.NewTestHost(failureModeConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 设置请求头
+			action := host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer token123"},
+			})
+
+			// 由于需要调用外部认证服务，应该返回 HeaderStopAllIterationAndWatermark
+			require.Equal(t, types.HeaderStopAllIterationAndWatermark, action)
+
+			// 模拟外部认证服务的HTTP调用响应
+			// 模拟服务错误响应（500状态码），但由于配置了失败模式允许，请求应该通过
+			host.CallOnHttpCall([][2]string{
+				{":status", "500"},
+				{"x-auth-error", "true"},
+				{"content-type", "application/json"},
+			}, []byte(`{"error": "Internal server error"}`))
+
+			// 验证请求是否被恢复（失败模式允许的情况下）
+			require.Equal(t, types.ActionContinue, host.GetHttpStreamAction())
+
+			host.CompleteHttp()
+		})
+	})
+}
+
+func TestOnHttpRequestBody(t *testing.T) {
+	test.RunTest(t, func(t *testing.T) {
+		// 测试带请求体的请求体处理
+		t.Run("with request body", func(t *testing.T) {
+			host, status := test.NewTestHost(withRequestBodyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 先处理请求头
+			host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer token123"},
+				{"content-type", "application/json"},
+			})
+
+			// 处理请求体
+			requestBody := `{"username": "test", "password": "password123"}`
+			action := host.CallOnHttpRequestBody([]byte(requestBody))
+
+			// 由于需要调用外部认证服务，应该返回 DataStopIterationAndBuffer
+			require.Equal(t, types.DataStopIterationAndBuffer, action)
+
+			host.CompleteHttp()
+		})
+
+		// 测试不带请求体的请求体处理
+		t.Run("without request body", func(t *testing.T) {
+			host, status := test.NewTestHost(basicEnvoyConfig)
+			defer host.Reset()
+			require.Equal(t, types.OnPluginStartStatusOK, status)
+
+			// 先处理请求头
+			host.CallOnHttpRequestHeaders([][2]string{
+				{":authority", "example.com"},
+				{":path", "/users"},
+				{":method", "POST"},
+				{"authorization", "Bearer token123"},
+			})
+
+			// 处理请求体
+			requestBody := `{"username": "test", "password": "password123"}`
+			action := host.CallOnHttpRequestBody([]byte(requestBody))
+
+			// 不带请求体配置的请求应该直接通过
+			require.Equal(t, types.ActionContinue, action)
+
+			host.CompleteHttp()
+		})
+	})
+}