fix: use sendKey for rule matching if it's configured (#1735)

VinozzZ · robbkidd · web-flow · commit 7881f62988f4 · 2025-11-05T17:09:57.000-05:00
## Which problem is this PR solving?
Refinery uses the API key included in an incoming request to determine
the target environment and dataset. However, when a SendKey is
configured, it can override the original incoming API key in the
request.

When SendKey is configured to override, Refinery should resolve the
environment and dataset based on the SendKey, not the original incoming
API key. Otherwise, sampling rules may be incorrectly matched using the
wrong key.

This PR ensures that when a SendKey is applied, the environment/dataset
resolution and sampling rule matching are based on the SendKey.


## Short description of the changes

- Replaces the request’s APIKey header value with the configured
SendKey, when applicable
- Adds integration tests to validate SendKey-based resolution behavior

---------

Co-authored-by: Robb Kidd &lt;robbkidd@honeycomb.io&gt;
diff --git a/app/app_test.go b/app/app_test.go
diff --git a/collect/collect.go b/collect/collect.go
@@ -1351,18 +1351,6 @@ func (i *InMemCollector) sendTraces() {
 		i.Metrics.Histogram("collector_outgoing_queue", float64(len(i.outgoingTraces)))
 		_, span := otelutil.StartSpanMulti(context.Background(), i.Tracer, "sendTrace", map[string]interface{}{"num_spans": t.DescendantCount(), "outgoingTraces_size": len(i.outgoingTraces)})
 
-		// if we have a key replacement rule, we should
-		// replace the key with the new key
-		keycfg := i.Config.GetAccessKeyConfig()
-		overwriteWith, err := keycfg.GetReplaceKey(t.APIKey)
-		if err != nil {
-			i.Logger.Warn().Logf("error replacing key: %s", err.Error())
-			continue
-		}
-		if overwriteWith != t.APIKey {
-			t.APIKey = overwriteWith
-		}
-
 		for _, sp := range t.GetSpans() {
 			if sp.IsDecisionSpan() {
 				continue
diff --git a/collect/collect_test.go b/collect/collect_test.go
@@ -132,10 +132,6 @@ func TestAddRootSpan(t *testing.T) {
 			IncomingQueueSize: 5,
 			PeerQueueSize:     5,
 		},
-		GetAccessKeyConfigVal: config.AccessKeyConfig{
-			SendKey:     "another-key",
-			SendKeyMode: "all",
-		},
 	}
 	transmission := &transmit.MockTransmission{}
 	transmission.Start()
@@ -170,7 +166,6 @@ func TestAddRootSpan(t *testing.T) {
 	events := transmission.GetBlock(1)
 	require.Equal(t, 1, len(events), "adding a root span should send the span")
 	assert.Equal(t, "aoeu", events[0].Dataset, "sending a root span should immediately send that span via transmission")
-	assert.Equal(t, "another-key", events[0].APIKey, "api key should be replaced with the send key")
 
 	assert.Nil(t, coll.getFromCache(traceID1), "after sending the span, it should be removed from the cache")
 
@@ -190,7 +185,6 @@ func TestAddRootSpan(t *testing.T) {
 	events = transmission.GetBlock(1)
 	require.Equal(t, 1, len(events), "adding another root span should send the span")
 	assert.Equal(t, "aoeu", events[0].Dataset, "sending a root span should immediately send that span via transmission")
-	assert.Equal(t, "another-key", events[0].APIKey, "api key should be replaced with the send key")
 
 	assert.Nil(t, coll.getFromCache(traceID1), "after sending the span, it should be removed from the cache")
 
diff --git a/config/file_config.go b/config/file_config.go
@@ -95,11 +95,11 @@ type AccessKeyConfig struct {
 	AcceptOnlyListedKeys bool     `yaml:"AcceptOnlyListedKeys"`
 }
 
-// IsAccepted checks if the given key is in the list of accepted keys.
-// if the key is not in the list, it returns an error with the key truncated to 8 characters for logging.
+// IsAccepted checks if the given key is in the list of received keys or a configured SendKey.
+// if not, it returns an error with the key truncated to 8 characters for logging.
 func (a *AccessKeyConfig) IsAccepted(key string) error {
 	if a.AcceptOnlyListedKeys {
-		if slices.Contains(a.ReceiveKeys, key) {
+		if (len(a.SendKey) > 0 && key == a.SendKey) || slices.Contains(a.ReceiveKeys, key) {
 			return nil
 		}
 
@@ -150,7 +150,10 @@ func (a *AccessKeyConfig) GetReplaceKey(apiKey string) (string, error) {
 				}
 			}
 		}
-		apiKey = overwriteWith
+
+		if overwriteWith != "" {
+			apiKey = overwriteWith
+		}
 	}
 
 	if apiKey == "" {
diff --git a/config/file_config_test.go b/config/file_config_test.go
@@ -67,11 +67,11 @@ func TestAccessKeyConfig_GetReplaceKey(t *testing.T) {
 			}
 			got, err := a.GetReplaceKey(tt.apiKey)
 			if (err != nil) != tt.wantErr {
-				t.Errorf("AccessKeyConfig.CheckAndMaybeReplaceKey() error = %v, wantErr %v", err, tt.wantErr)
+				t.Errorf("AccessKeyConfig.GetReplaceKey() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if got != tt.want {
-				t.Errorf("AccessKeyConfig.CheckAndMaybeReplaceKey() = '%v', want '%v'", got, tt.want)
+				t.Errorf("AccessKeyConfig.GetReplaceKey() = '%v', want '%v'", got, tt.want)
 			}
 		})
 	}
@@ -93,7 +93,9 @@ func TestAccessKeyConfig_IsAccepted(t *testing.T) {
 		{"no keys", fields{}, "key1", nil},
 		{"known key", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "key1", nil},
 		{"unknown key", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "key2", errors.New("api key key2... not found in list of authorized keys")},
-		{"accept missing key", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "", errors.New("api key ... not found in list of authorized keys")},
+		{"reject missing key with sendkey configured", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true, SendKey: "key2"}, "", errors.New("api key ... not found in list of authorized keys")},
+		{"reject missing key without sendkey configured", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "", errors.New("api key ... not found in list of authorized keys")},
+		{"accept sendkey", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true, SendKey: "key2"}, "key2", nil},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/config/mock.go b/config/mock.go
@@ -62,6 +62,10 @@ type MockConfig struct {
 	CfgHash                          string
 	RulesHash                        string
 
+	// Samplers allows per-dataset/environment sampler configuration
+	// Map key is the dataset name or environment, value is the sampler choice
+	Samplers map[string]*V2SamplerChoice
+
 	Mux sync.RWMutex
 }
 
@@ -252,11 +256,27 @@ func (m *MockConfig) GetOTelTracingConfig() OTelTracingConfig {
 	return m.GetOTelTracingConfigVal
 }
 
-// TODO: allow per-dataset mock values
+// GetSamplerConfigForDestName returns the sampler config for the given dataset/environment.
+// If Samplers map is populated, it will look up the dataset-specific config.
+// Falls back to GetSamplerTypeVal if Samplers is not set (backwards compatible).
 func (m *MockConfig) GetSamplerConfigForDestName(dataset string) (interface{}, string) {
 	m.Mux.RLock()
 	defer m.Mux.RUnlock()
 
+	// If Samplers map is configured, use it (mimics fileConfig behavior)
+	if m.Samplers != nil {
+		// Try to find the specific dataset/environment
+		if sampler, ok := m.Samplers[dataset]; ok {
+			return sampler.Sampler()
+		}
+
+		// Fall back to __default__
+		if sampler, ok := m.Samplers["__default__"]; ok {
+			return sampler.Sampler()
+		}
+	}
+
+	// Fall back to legacy behavior for backwards compatibility
 	return m.GetSamplerTypeVal, m.GetSamplerTypeName
 }
 
@@ -468,6 +488,31 @@ func (f *MockConfig) DetermineSamplerKey(apiKey, env, dataset string) string {
 }
 
 func (f *MockConfig) GetSamplingKeyFieldsForDestName(samplerKey string) []string {
+	f.Mux.RLock()
+	defer f.Mux.RUnlock()
+
+	// If Samplers map is configured, use it to get the correct sampler
+	if f.Samplers != nil {
+		// Try specific dataset/environment first
+		if sampler, ok := f.Samplers[samplerKey]; ok {
+			if cfg, _ := sampler.Sampler(); cfg != nil {
+				if fielder, ok := cfg.(GetSamplingFielder); ok {
+					return fielder.GetSamplingFields()
+				}
+			}
+		}
+
+		// Fall back to __default__
+		if sampler, ok := f.Samplers["__default__"]; ok {
+			if cfg, _ := sampler.Sampler(); cfg != nil {
+				if fielder, ok := cfg.(GetSamplingFielder); ok {
+					return fielder.GetSamplingFields()
+				}
+			}
+		}
+	}
+
+	// Fall back to legacy behavior
 	switch sampler := f.GetSamplerTypeVal.(type) {
 	case *DeterministicSamplerConfig:
 		return sampler.GetSamplingFields()
@@ -482,5 +527,4 @@ func (f *MockConfig) GetSamplingKeyFieldsForDestName(samplerKey string) []string
 	default:
 		return nil
 	}
-
 }
diff --git a/route/middleware.go b/route/middleware.go
@@ -50,6 +50,15 @@ func (r *Router) apiKeyProcessor(next http.Handler) http.Handler {
 			return
 		}
 
+		replacement, err := keycfg.GetReplaceKey(apiKey)
+		if err != nil {
+			r.handlerReturnWithError(w, ErrAuthInvalid, err)
+			return
+		}
+		if replacement != apiKey {
+			req.Header.Set(types.APIKeyHeader, replacement)
+		}
+
 		next.ServeHTTP(w, req)
 	})
 }
diff --git a/route/otlp_logs.go b/route/otlp_logs.go
@@ -18,6 +18,10 @@ func (r *Router) postOTLPLogs(w http.ResponseWriter, req *http.Request) {
 
 	ri := huskyotlp.GetRequestInfoFromHttpHeaders(req.Header)
 	apicfg := r.Config.GetAccessKeyConfig()
+	if err := apicfg.IsAccepted(ri.ApiKey); err != nil {
+		r.handleOTLPFailureResponse(w, req, huskyotlp.OTLPError{Message: err.Error(), HTTPStatusCode: http.StatusUnauthorized})
+		return
+	}
 	keyToUse, _ := apicfg.GetReplaceKey(ri.ApiKey)
 
 	if err := ri.ValidateLogsHeaders(); err != nil {
diff --git a/route/otlp_logs_test.go b/route/otlp_logs_test.go
@@ -128,7 +128,6 @@ func TestLogsOTLPHandler(t *testing.T) {
 		for _, tC := range testCases {
 			t.Run(tC.name, func(t *testing.T) {
 				muxxer := mux.NewRouter()
-				muxxer.Use(router.apiKeyProcessor)
 				router.AddOTLPMuxxer(muxxer)
 				server := httptest.NewServer(muxxer)
 				defer server.Close()
diff --git a/route/otlp_trace.go b/route/otlp_trace.go
@@ -26,6 +26,10 @@ func (r *Router) postOTLPTrace(w http.ResponseWriter, req *http.Request) {
 
 	ri := huskyotlp.GetRequestInfoFromHttpHeaders(req.Header)
 	apicfg := r.Config.GetAccessKeyConfig()
+	if err := apicfg.IsAccepted(ri.ApiKey); err != nil {
+		r.handleOTLPFailureResponse(w, req, huskyotlp.OTLPError{Message: err.Error(), HTTPStatusCode: http.StatusUnauthorized})
+		return
+	}
 	keyToUse, _ := apicfg.GetReplaceKey(ri.ApiKey)
 
 	if err := ri.ValidateTracesHeaders(); err != nil {
@@ -49,11 +53,11 @@ func (r *Router) postOTLPTrace(w http.ResponseWriter, req *http.Request) {
 	var err error
 	switch ri.ContentType {
 	case "application/json":
-    r.Metrics.Increment(r.metricsNames.routerOtlpTraceHttpJson)
-    err = r.processOTLPRequestWithMsgp(ctx, w, req, ri, keyToUse)
+		r.Metrics.Increment(r.metricsNames.routerOtlpTraceHttpJson)
+		err = r.processOTLPRequestWithMsgp(ctx, w, req, ri, keyToUse)
 	case "application/x-protobuf", "application/protobuf":
 		r.Metrics.Increment(r.metricsNames.routerOtlpTraceHttpProto)
-    err = r.processOTLPRequestWithMsgp(ctx, w, req, ri, keyToUse)
+		err = r.processOTLPRequestWithMsgp(ctx, w, req, ri, keyToUse)
 	default:
 		err = errors.New("unsupported content type")
 	}
diff --git a/route/otlp_trace_test.go b/route/otlp_trace_test.go
@@ -303,7 +303,6 @@ func TestOTLPHandler(t *testing.T) {
 		for _, tC := range testCases {
 			t.Run(tC.name, func(t *testing.T) {
 				muxxer := mux.NewRouter()
-				muxxer.Use(router.apiKeyProcessor)
 				router.AddOTLPMuxxer(muxxer)
 				server := httptest.NewServer(muxxer)
 				defer server.Close()
diff --git a/route/route.go b/route/route.go
@@ -265,7 +265,6 @@ func (r *Router) LnS() {
 	authedMuxxer.Handle("/events/{datasetName}", otelhttp.NewHandler(http.HandlerFunc(r.event), "handle_event")).Name("event")
 	authedMuxxer.Handle("/batch/{datasetName}", otelhttp.NewHandler(http.HandlerFunc(r.batch), "handle_batch")).Name("batch")
 
-	// require an auth header for OTLP requests
 	r.AddOTLPMuxxer(muxxer)
 
 	// pass everything else through unmolested
@@ -1173,9 +1172,8 @@ func (r *Router) startGRPCHealthMonitor() {
 
 // AddOTLPMuxxer adds muxxer for OTLP requests
 func (r *Router) AddOTLPMuxxer(muxxer *mux.Router) {
-	// require an auth header for OTLP requests
+	// auth header is handled inside the postOTLPTrace and postOTLPLogs to prioritize content-type error handling
 	otlpMuxxer := muxxer.PathPrefix("/v1/").Methods("POST").Subrouter()
-	otlpMuxxer.Use(r.apiKeyProcessor)
 
 	// handle OTLP trace requests
 	otlpMuxxer.HandleFunc("/traces", r.postOTLPTrace).Name("otlp_traces")
diff --git a/sample/sample.go b/sample/sample.go
@@ -63,7 +63,7 @@ func (s *SamplerFactory) Start() error {
 // GetSamplerImplementationForKey returns the sampler implementation for the given
 // samplerKey (dataset for legacy keys, environment otherwise), or nil if it is not defined
 func (s *SamplerFactory) GetSamplerImplementationForKey(samplerKey string) Sampler {
-	c, _ := s.Config.GetSamplerConfigForDestName(samplerKey)
+	c, name := s.Config.GetSamplerConfigForDestName(samplerKey)
 
 	var sampler Sampler
 
@@ -83,7 +83,7 @@ func (s *SamplerFactory) GetSamplerImplementationForKey(samplerKey string) Sampl
 	case *config.WindowedThroughputSamplerConfig:
 		sampler = &WindowedThroughputSampler{Config: c, Logger: s.Logger, Metrics: s.Metrics}
 	default:
-		s.Logger.Error().Logf("unknown sampler type %T. Exiting.", c)
+		s.Logger.Error().Logf("can not continue with an unknown sampler type %T with name %s. Exiting.", c, name)
 		os.Exit(1)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -95,11 +95,11 @@ type AccessKeyConfig struct {`
`95`	`95`	AcceptOnlyListedKeys bool `yaml:"AcceptOnlyListedKeys"`
`96`	`96`	`}`
`97`	`97`
`98`		`-// IsAccepted checks if the given key is in the list of accepted keys.`
`99`		`-// if the key is not in the list, it returns an error with the key truncated to 8 characters for logging.`
	`98`	`+// IsAccepted checks if the given key is in the list of received keys or a configured SendKey.`
	`99`	`+// if not, it returns an error with the key truncated to 8 characters for logging.`
`100`	`100`	`func (a *AccessKeyConfig) IsAccepted(key string) error {`
`101`	`101`	`if a.AcceptOnlyListedKeys {`
`102`		`- if slices.Contains(a.ReceiveKeys, key) {`
	`102`	`+ if (len(a.SendKey) > 0 && key == a.SendKey) \|\| slices.Contains(a.ReceiveKeys, key) {`
`103`	`103`	`return nil`
`104`	`104`	`}`
`105`	`105`
`@@ -150,7 +150,10 @@ func (a *AccessKeyConfig) GetReplaceKey(apiKey string) (string, error) {`
`150`	`150`	`}`
`151`	`151`	`}`
`152`	`152`	`}`
`153`		`- apiKey = overwriteWith`
	`153`	`+`
	`154`	`+ if overwriteWith != "" {`
	`155`	`+ apiKey = overwriteWith`
	`156`	`+ }`
`154`	`157`	`}`
`155`	`158`
`156`	`159`	`if apiKey == "" {`
Original file line number	Diff line number	Diff line change
`@@ -67,11 +67,11 @@ func TestAccessKeyConfig_GetReplaceKey(t *testing.T) {`
`67`	`67`	`}`
`68`	`68`	`got, err := a.GetReplaceKey(tt.apiKey)`
`69`	`69`	`if (err != nil) != tt.wantErr {`
`70`		`- t.Errorf("AccessKeyConfig.CheckAndMaybeReplaceKey() error = %v, wantErr %v", err, tt.wantErr)`
	`70`	`+ t.Errorf("AccessKeyConfig.GetReplaceKey() error = %v, wantErr %v", err, tt.wantErr)`
`71`	`71`	`return`
`72`	`72`	`}`
`73`	`73`	`if got != tt.want {`
`74`		`- t.Errorf("AccessKeyConfig.CheckAndMaybeReplaceKey() = '%v', want '%v'", got, tt.want)`
	`74`	`+ t.Errorf("AccessKeyConfig.GetReplaceKey() = '%v', want '%v'", got, tt.want)`
`75`	`75`	`}`
`76`	`76`	`})`
`77`	`77`	`}`
`@@ -93,7 +93,9 @@ func TestAccessKeyConfig_IsAccepted(t *testing.T) {`
`93`	`93`	`{"no keys", fields{}, "key1", nil},`
`94`	`94`	`{"known key", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "key1", nil},`
`95`	`95`	`{"unknown key", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "key2", errors.New("api key key2... not found in list of authorized keys")},`
`96`		`- {"accept missing key", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "", errors.New("api key ... not found in list of authorized keys")},`
	`96`	`+ {"reject missing key with sendkey configured", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true, SendKey: "key2"}, "", errors.New("api key ... not found in list of authorized keys")},`
	`97`	`+ {"reject missing key without sendkey configured", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true}, "", errors.New("api key ... not found in list of authorized keys")},`
	`98`	`+ {"accept sendkey", fields{ReceiveKeys: []string{"key1"}, AcceptOnlyListedKeys: true, SendKey: "key2"}, "key2", nil},`
`97`	`99`	`}`
`98`	`100`	`for _, tt := range tests {`
`99`	`101`	`t.Run(tt.name, func(t *testing.T) {`