feat: Route based matching of rules #1766

Merged
merged 33 commits into from
Sep 11, 2024
33 commits
d427d28
renamed and moved request and pattern matcher as these are going to b…
dadrus Sep 9, 2024
7a0ddcf
radix tree implementation updated to allow matching of captured values
dadrus Sep 9, 2024
b0860e8
obsolete request matcher mock removed
dadrus Sep 9, 2024
142ca17
license header added to encoded_slash_handling file
dadrus Sep 9, 2024
9ac87f2
rule configuration updated to implement the new API
dadrus Sep 9, 2024
bd65ea6
rule interface updated, new route interface added
dadrus Sep 9, 2024
93f15d7
basis matchers for the new route based matching functionality
dadrus Sep 9, 2024
9dca4c5
rule implementation updated to adhere to the updated interface, rout…
dadrus Sep 9, 2024
3d604db
rule factory implementation updated
dadrus Sep 9, 2024
65da350
rule repository implementation updated
dadrus Sep 9, 2024
060f4c0
filesystem provider test updated to use the new configuration
dadrus Sep 9, 2024
fb2ad8e
httpendpoint provider tests updated to use the new configuration
dadrus Sep 9, 2024
a34c8d8
cloudblob provider tests updated to use the new configuration
dadrus Sep 9, 2024
8bf37b2
kubernetes provider tests updated to use the new configuration
dadrus Sep 9, 2024
98901a0
configuration of rules used for validation tests updated
dadrus Sep 9, 2024
5a569ad
example rules updated
dadrus Sep 9, 2024
4387b60
ruleset crd updated
dadrus Sep 9, 2024
8a08054
rules file for docker-compose quickstart example updated
dadrus Sep 9, 2024
af01968
rules in kubernetes quickstart examples updated
dadrus Sep 9, 2024
04297e3
forcetypeassert disabled for tests
dadrus Sep 9, 2024
f75baec
linter warnings resolved
dadrus Sep 9, 2024
7ceaf79
small updates to the readme for docker-compose base quickstarts
dadrus Sep 10, 2024
5cf2b79
made debug log related to the new matching functionality more usable
dadrus Sep 10, 2024
3763bb7
not allowing usage of * as name for the wildcard
dadrus Sep 10, 2024
407b8d9
forgotten test updated
dadrus Sep 10, 2024
17c536e
typos in readmes fixed
dadrus Sep 10, 2024
33c61e6
Merge branch 'main' into feat/match_with_path_lists
dadrus Sep 10, 2024
cd03025
documentation updated
dadrus Sep 10, 2024
ade15f6
DockerHub readme updated
dadrus Sep 10, 2024
a1f5e55
small fix in example
dadrus Sep 10, 2024
238e612
small fix related to decoding of encoded slashes in paths and making …
dadrus Sep 11, 2024
fd45ef6
typo fixed
dadrus Sep 11, 2024
a7a4a67
better tests
dadrus Sep 11, 2024
1 change: 1 addition & 0 deletions .golangci.yaml
Expand Up @@ -34,6 +34,7 @@ issues:
- canonicalheader
- mnd
- err113
- forcetypeassert

linters-settings:
exhaustive:
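Review bot: the scope of the new `- forcetypeassert` entry under `issues:` is not visible in this hunk, while commit 04297e3 states the intent is to disable it for tests only. Please confirm the enclosing rule restricts the exclusion to `_test.go` files; if it applies globally, unchecked type assertions in non-test code (which panic at runtime, the very condition the linter exists to flag) would no longer be reported.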
3 changes: 2 additions & 1 deletion DockerHub-README.md
Expand Up @@ -125,7 +125,8 @@ version: "1alpha4"
rules:
- id: test-rule
match:
path: /**
routes:
- path: /**
forward_to:
host: upstream
execute:
149 changes: 94 additions & 55 deletions charts/heimdall/crds/ruleset.yaml
Expand Up @@ -51,7 +51,7 @@ spec:
type: array
minItems: 1
items:
description: A himedall rule defining the pipeline mechanisms
description: A heimdall rule defining the pipeline mechanisms
type: object
required:
- id
Expand All @@ -75,66 +75,105 @@ spec:
description: How to match the rule
type: object
required:
- path
- routes
properties:
path:
description: The path to match
type: string
maxLength: 256
routes:
description: Routes to match
type: array
minItems: 1
items:
description: Definition of a single route
type: object
required:
- path
properties:
path:
description: The path to match
type: string
maxLength: 512
path_params:
description: Optional matching definitions for the captured wildcard
type: array
items:
description: Matching definition for a single wildcard
type: object
required:
- name
- type
- value
properties:
name:
description: The name of a wildcard
type: string
maxLength: 64
type:
description: The type of the matching expression
type: string
maxLength: 5
enum:
- "exact"
- "glob"
- "regex"
value:
description: The actual matching expression
type: string
maxLength: 256
backtracking_enabled:
description: Wither this rule allows backtracking. Defaults to the value inherited from the default rule
type: boolean
with:
description: Additional constraints during request matching
type: object
properties:
methods:
description: The HTTP methods to match
type: array
minItems: 1
items:
methods:
description: The HTTP methods to match
type: array
minItems: 1
items:
type: string
maxLength: 16
enum:
- "CONNECT"
- "!CONNECT"
- "DELETE"
- "!DELETE"
- "GET"
- "!GET"
- "HEAD"
- "!HEAD"
- "OPTIONS"
- "!OPTIONS"
- "PATCH"
- "!PATCH"
- "POST"
- "!POST"
- "PUT"
- "!PUT"
- "TRACE"
- "!TRACE"
- "ALL"
scheme:
description: The HTTP scheme, which should be matched. If not set, http and https are matched
type: string
maxLength: 5
hosts:
description: Optional expressions to match the host if required. If not set, all hosts are matched.
type: array
items:
description: Expression to match a host
type: object
required:
- type
- value
properties:
type:
description: The type of the host matching expression
type: string
maxLength: 16
maxLength: 5
enum:
- "CONNECT"
- "!CONNECT"
- "DELETE"
- "!DELETE"
- "GET"
- "!GET"
- "HEAD"
- "!HEAD"
- "OPTIONS"
- "!OPTIONS"
- "PATCH"
- "!PATCH"
- "POST"
- "!POST"
- "PUT"
- "!PUT"
- "TRACE"
- "!TRACE"
- "ALL"
scheme:
description: The HTTP scheme, which should be matched. If not set, http and https are matched
type: string
maxLength: 5
host_glob:
description: Glob expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_regex'.
type: string
maxLength: 512
host_regex:
description: Regular expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_glob'.
type: string
maxLength: 512
path_glob:
description: Additional glob expression the matched path should be matched against. Mutual exclusive with 'regex'.
type: string
maxLength: 256
path_regex:
description: Additional regular expression the matched path should be matched against. Mutual exclusive with 'glob'
type: string
maxLength: 256
- "exact"
- "glob"
- "regex"
value:
description: The actual host matching expression
type: string
maxLength: 256
forward_to:
description: Where to forward the request to. Required only if heimdall is used in proxy operation mode.
type: object
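Review bot: the `backtracking_enabled` description reads "Wither this rule allows backtracking"; it should be "Whether". Two further points in this hunk: the wildcard `name` under `path_params` carries only `maxLength: 64` and no `pattern`, so a name of `*`, which commit 3763bb7 rejects when the rule is loaded, still passes CRD validation and only fails later at runtime instead of at admission; a `pattern` excluding it would move that error to the API server. And `hosts[].value` is capped at `maxLength: 256`, whereas the `host_glob` and `host_regex` fields it replaces allowed 512, so existing RuleSets with longer host expressions would be rejected once the CRD is upgraded. The `hosts` description should also state whether the list is matched any-of, since the old single-field form had no such ambiguity.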
12 changes: 7 additions & 5 deletions cmd/validate/test_data/invalid-ruleset-for-proxy-usage.yaml
Expand Up @@ -3,11 +3,13 @@ name: test-rule-set
rules:
- id: rule:foo
match:
path: /**
with:
scheme: http
host_glob: foo.bar
methods: [ GET, POST ]
routes:
- path: /**
scheme: http
hosts:
- type: glob
value: foo.bar
methods: [ GET, POST ]
execute:
- authenticator: unauthorized_authenticator
- authenticator: jwt_authenticator1
16 changes: 9 additions & 7 deletions cmd/validate/test_data/valid-ruleset.yaml
Expand Up @@ -3,14 +3,16 @@ name: test-rule-set
rules:
- id: rule:foo
match:
path: /**
routes:
- path: /**
backtracking_enabled: true
with:
scheme: http
host_glob: foo.bar
methods:
- POST
- PUT
scheme: http
hosts:
- type: glob
value: foo.bar
methods:
- POST
- PUT
forward_to:
host: bar.foo
rewrite:
10 changes: 6 additions & 4 deletions docs/content/_index.adoc
Expand Up @@ -23,10 +23,12 @@ spec:
rules:
- id: my_api_rule
match:
path: /api/**
with:
scheme: http
host_glob: 127.0.0.1:9090
routes:
- path: /api/**
scheme: http
hosts:
- type: exact
value: 127.0.0.1:9090
execute:
- authenticator: keycloak
- authorizer: opa
22 changes: 12 additions & 10 deletions docs/content/docs/concepts/operating_modes.adoc
Expand Up @@ -76,12 +76,14 @@ And there is a rule, which allows anonymous requests and sets a header with subj
----
id: rule:my-service:anonymous-api-access
match:
path: /my-service/api
with:
scheme: http
host_glob: my-backend-service
methods:
- GET
routes:
- path: /my-service/api
scheme: http
hosts:
- type: exact
value: my-backend-service
methods:
- GET
execute:
- authenticator: anonymous-authn
- finalizer: id-header
Expand Down Expand Up @@ -147,10 +149,10 @@ And there is a rule, which allows anonymous requests and sets a header with subj
----
id: rule:my-service:anonymous-api-access
match:
path: /my-service/api
with:
methods:
- GET
routes:
- path: /my-service/api
methods:
- GET
forward_to:
host: my-backend-service:8888
execute:
3 changes: 2 additions & 1 deletion docs/content/docs/configuration/types.adoc
Expand Up @@ -565,7 +565,8 @@ auth:
headers:
X-My-First-Header: foobar
X-My-Second-Header: barfoo
enable_http_cache: true
http_cache:
enabled: true
----

====
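Review bot: this hunk replaces `enable_http_cache: true` with the nested `http_cache: enabled: true`, a configuration-key change that has nothing to do with route-based matching and is not mentioned in any commit message of this PR. If it arrived through the merge of `main` (33c61e6) that is fine; otherwise it should be split out or at least called out in the PR description so the key rename is not lost for users migrating their configuration.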
12 changes: 8 additions & 4 deletions docs/content/docs/getting_started/protect_an_app.adoc
Expand Up @@ -137,7 +137,8 @@ version: "1alpha4"
rules:
- id: demo:public # <1>
match:
path: /public
routes:
- path: /public
forward_to:
host: upstream:8081
execute:
Expand All @@ -146,9 +147,12 @@ rules:

- id: demo:protected # <2>
match:
path: /:user
with:
path_glob: "{/user,/admin}"
routes:
- path: /:user
path_params:
- name: user
type: glob
value: "{user,admin}"
forward_to:
host: upstream:8081
execute:
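Review bot: the rewritten `demo:protected` rule now relies on `path: /:user` capturing one segment and the `path_params` glob `{user,admin}` being applied to the captured value, whereas the previous `path_glob: "{/user,/admin}"` was evaluated against the whole path. Since this rule gates access, the getting-started text should state whether the captured value is compared before or after decoding of percent-encoded characters (commit 238e612 touches encoded-slash handling), so the reader knows exactly which request paths satisfy the `user` and `admin` alternatives.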
3 changes: 2 additions & 1 deletion docs/content/docs/rules/default_rule.adoc
Expand Up @@ -58,7 +58,8 @@ Obviously, the authentication & authorization pipeline (defined in the `execute`
----
id: rule:my-service:protected-api
match:
path: /foo
routes:
- path: /foo
execute:
- authorizer: allow_all_requests_authz
----
10 changes: 6 additions & 4 deletions docs/content/docs/rules/providers.adoc
Expand Up @@ -49,10 +49,12 @@ name: my-rule-set
rules:
- id: rule:1
match:
path: /**
with:
host_glob: my-service1.local
methods: [ "GET" ]
routes:
- path: /**
hosts:
- type: exact
value: my-service1.local
methods: [ "GET" ]
forward_to:
host: ${UPSTREAM_HOST:="default-backend:8080"}
execute: