Commit 5f11809

tysoekong authored and fffonion committed
fix(ai): AG-488 Correctly return GCP Model Armor 'floor' failures [aigw-only] (#14137)
"Floor" is set and then prompts must abide by specific rulesets (e.g. hate, violence) else it will be blocked. Kong was not correctly handling a "bad" or "blocked" response from GCP. This PR makes that work. With this patch, the user no longer gets 500 'an error occured' and instead gets 400:
1 parent a4888e9 commit 5f11809

File tree: 5 files changed, +122 -0 lines changed
Lines changed: 4 additions & 0 deletions

@@ -0,0 +1,4 @@
+message: >
+  **AI Plugins**: Fixed an issue where the Gemini provider would not correctly return Model Armor 'Floor' blocking responses to the caller.
+type: bugfix
+scope: Plugin

kong/llm/drivers/gemini.lua

Lines changed: 37 additions & 0 deletions
@@ -658,6 +658,19 @@ local function extract_response_finish_reason(response_candidate)
   return "stop"
 end

+local function feedback_to_kong_error(promptFeedback)
+  if promptFeedback
+  and type(promptFeedback) == "table"
+  then
+    return {
+      error = true,
+      message = promptFeedback.blockReasonMessage or cjson.null,
+      reason = promptFeedback.blockReason or cjson.null,
+    }
+  end
+
+  return nil
+end

 local function extract_response_tool_calls(response_candidate)
   local tool_calls
@@ -782,6 +795,30 @@ local function from_gemini_chat_openai(response, model_info, route_type)
       }
     end

+  elseif response.promptFeedback then
+    kong_response = feedback_to_kong_error(response.promptFeedback)
+
+    if get_global_ctx("stream_mode") then
+      set_global_ctx("blocked_by_guard", kong_response)
+    else
+      kong.response.set_status(400) -- safety call this in case we have already returned from e.g. another AI plugin
+
+      -- This is duplicated DELIBERATELY - to avoid regression,
+      -- moving it outside of the block above may cause bugs that
+      -- we can't predict.
+      if response.usageMetadata and
+        (response.usageMetadata.promptTokenCount
+        or response.usageMetadata.candidatesTokenCount
+        or response.usageMetadata.totalTokenCount)
+      then
+        kong_response.usage = {
+          prompt_tokens = response.usageMetadata.promptTokenCount,
+          completion_tokens = response.usageMetadata.candidatesTokenCount,
+          total_tokens = response.usageMetadata.totalTokenCount,
+        }
+      end
+    end
+
   else -- probably a server fault or other unexpected response
     local err = "no generation candidates received from Gemini, or max_tokens too short"
     ngx.log(ngx.ERR, err)
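
A minimal standalone sketch (not part of the patch; assumes plain Lua with lua-cjson available) showing what the new feedback_to_kong_error helper returns for the fixture payload used by the spec and mock server below:

-- Sketch only: replays the helper against a trimmed copy of the
-- "fails-model-armor-floor" fixture to show the mapping.
local cjson = require "cjson.safe"

local function feedback_to_kong_error(promptFeedback)
  if promptFeedback and type(promptFeedback) == "table" then
    return {
      error = true,
      message = promptFeedback.blockReasonMessage or cjson.null,
      reason = promptFeedback.blockReason or cjson.null,
    }
  end
  return nil
end

-- Trimmed copy of the Gemini response the mock server returns.
local gemini_response = {
  promptFeedback = {
    blockReasonMessage = "Blocked by Model Armor Floor Setting: ...",
    blockReason = "MODEL_ARMOR",
  },
}

local kong_error = feedback_to_kong_error(gemini_response.promptFeedback)
-- In the non-streaming path the driver sets status 400 and this table becomes
-- the response body; in stream mode it is stashed as "blocked_by_guard".
print(cjson.encode(kong_error))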

spec/03-plugins/38-ai-proxy/11-gemini_integration_spec.lua

Lines changed: 60 additions & 0 deletions
@@ -282,6 +282,46 @@ for _, strategy in helpers.all_strategies() do
         },
       }

+      -- 400 chat fails Model Armor "Floor".
+      -- NOT related to the "ai-gcp-model-armor" plugin.
+      local chat_fail_model_armor = assert(bp.routes:insert({
+        service = empty_service,
+        protocols = { "http" },
+        strip_path = true,
+        paths = { "/gemini/llm/v1/chat/fail-model-armor" },
+      }))
+      bp.plugins:insert({
+        name = "ai-proxy-advanced",
+        id = "27544c15-3c8c-5c3f-c98a-69990644aaaa",
+        route = { id = chat_fail_model_armor.id },
+        config = {
+          targets = {
+            {
+              route_type = "llm/v1/chat",
+              auth = {
+                header_name = "Authorization",
+                header_value = "Bearer gemini-key",
+              },
+              logging = {
+                log_payloads = false,
+                log_statistics = false,
+              },
+              model = {
+                name = "gemini-2.5-flash",
+                provider = "gemini",
+                options = {
+                  max_tokens = 256,
+                  temperature = 1.0,
+                  upstream_url = "http://" .. helpers.mock_upstream_host .. ":" .. MOCK_PORTS._GEMINI .. "/v1/chat/completions/fail-model-armor",
+                  input_cost = 15.0,
+                  output_cost = 15.0,
+                },
+              },
+            },
+          },
+        },
+      })
+
       ----
       -- ANTHROPIC MODELS
       ----
@@ -435,6 +475,26 @@
         local json = cjson.decode(body)
         assert.equals("gemini-2.0-flash-079", json.model)
       end)
+
+      it("bad request fails gcp model armor floor settings", function()
+        local r = client:get("/gemini/llm/v1/chat/fail-model-armor", {
+          headers = {
+            ["content-type"] = "application/json",
+            ["accept"] = "application/json",
+          },
+          -- the body doesn't matter - the mock server always returns the error we want
+          body = pl_file.read("spec/fixtures/ai-proxy/openai/llm-v1-chat/requests/good.json"),
+        })
+        -- validate that the request succeeded, response status 400
+        local body = assert.res_status(400, r)
+        local json = cjson.decode(body)
+
+        assert.same(json, {
+          error = true,
+          message = "Blocked by Model Armor Floor Setting: The prompt violated Responsible AI Safety settings (Harassment), Prompt Injection and Jailbreak filters.",
+          reason = "MODEL_ARMOR"
+        })
+      end)
     end)

     describe("gemini (gemini) llm/v1/chat with query param auth", function()
spec/fixtures/ai-proxy/gemini/llm-v1-chat/responses/fails-model-armor-floor.json (the fixture read by the mock server below)

Lines changed: 12 additions & 0 deletions

@@ -0,0 +1,12 @@
+{
+  "usageMetadata": {
+    "trafficType": "ON_DEMAND"
+  },
+  "createTime": "2025-09-13T22:15:16.223845Z",
+  "promptFeedback": {
+    "blockReasonMessage": "Blocked by Model Armor Floor Setting: The prompt violated Responsible AI Safety settings (Harassment), Prompt Injection and Jailbreak filters.",
+    "blockReason": "MODEL_ARMOR"
+  },
+  "responseId": "9OzFaOXUDdyZgLUPmd2_sA0",
+  "modelVersion": "gemini-2.5-flash"
+}

spec/fixtures/ai-proxy/mock_servers/gemini.lua.txt

Lines changed: 9 additions & 0 deletions
@@ -75,4 +75,13 @@ server {
       end
     }
   }
+
+  location = "/v1/chat/completions/fail-model-armor" {
+    content_by_lua_block {
+      local pl_file = require "pl.file"
+
+      ngx.status = 200
+      ngx.print(pl_file.read("spec/fixtures/ai-proxy/gemini/llm-v1-chat/responses/fails-model-armor-floor.json"))
+    }
+  }
 }
