Store rules path match in plaintext (#17)
arekkas authored Nov 7, 2017
1 parent 972a328 commit 6570b5d
Showing 12 changed files with 58 additions and 51 deletions.
14 changes: 7 additions & 7 deletions director/director_test.go
Expand Up @@ -40,14 +40,14 @@ func TestProxy(t *testing.T) {
proxy := httptest.NewServer(&httputil.ReverseProxy{Director: d.Director, Transport: d})
defer proxy.Close()

publicRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPath: mustCompileRegex(t, "/users/[0-9]+"), AllowAnonymous: true}
disabledRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPath: mustCompileRegex(t, "/users/[0-9]+"), BypassAuthorization: true}
publicRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPathCompiled: mustCompileRegex(t, "/users/[0-9]+"), AllowAnonymous: true}
disabledRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPathCompiled: mustCompileRegex(t, "/users/[0-9]+"), BypassAuthorization: true}
privateRule := rule.Rule{
MatchesMethods: []string{"GET"},
MatchesPath: mustCompileRegex(t, "/users/([0-9]+)"),
RequiredResource: "users:$1",
RequiredAction: "get:$1",
RequiredScopes: []string{"users.create"},
MatchesMethods: []string{"GET"},
MatchesPathCompiled: mustCompileRegex(t, "/users/([0-9]+)"),
RequiredResource: "users:$1",
RequiredAction: "get:$1",
RequiredScopes: []string{"users.create"},
}

for k, tc := range []struct {
2 changes: 1 addition & 1 deletion docs/api.swagger.json
Expand Up @@ -273,7 +273,7 @@
"x-go-name": "MatchesMethods"
},
"matchesPath": {
"description": "MatchesPath is a regular expression of paths this rule matches.",
"description": "MatchesPathCompiled is a regular expression of paths this rule matches.",
"type": "string",
"x-go-name": "MatchesPath"
},
34 changes: 17 additions & 17 deletions evaluator/evaluator_test.go
Expand Up @@ -31,28 +31,28 @@ func mustGenerateURL(t *testing.T, u string) *url.URL {

func TestEvaluator(t *testing.T) {
we := NewWardenEvaluator(nil, nil, nil)
publicRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPath: mustCompileRegex(t, "/users/<[0-9]+>"), AllowAnonymous: true}
bypassACPRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPath: mustCompileRegex(t, "/users/<[0-9]+>"), BypassAccessControlPolicies: true}
publicRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPathCompiled: mustCompileRegex(t, "/users/<[0-9]+>"), AllowAnonymous: true}
bypassACPRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesPathCompiled: mustCompileRegex(t, "/users/<[0-9]+>"), BypassAccessControlPolicies: true}
privateRuleWithSubstitution := rule.Rule{
MatchesMethods: []string{"POST"},
MatchesPath: mustCompileRegex(t, "/users/<[0-9]+>"),
RequiredResource: "users:$1",
RequiredAction: "get:$1",
RequiredScopes: []string{"users.create"},
MatchesMethods: []string{"POST"},
MatchesPathCompiled: mustCompileRegex(t, "/users/<[0-9]+>"),
RequiredResource: "users:$1",
RequiredAction: "get:$1",
RequiredScopes: []string{"users.create"},
}
privateRuleWithoutSubstitution := rule.Rule{
MatchesMethods: []string{"POST"},
MatchesPath: mustCompileRegex(t, "/users<$|/([0-9]+)>"),
RequiredResource: "users",
RequiredAction: "get",
RequiredScopes: []string{"users.create"},
MatchesMethods: []string{"POST"},
MatchesPathCompiled: mustCompileRegex(t, "/users<$|/([0-9]+)>"),
RequiredResource: "users",
RequiredAction: "get",
RequiredScopes: []string{"users.create"},
}
privateRuleWithPartialSubstitution := rule.Rule{
MatchesMethods: []string{"POST"},
MatchesPath: mustCompileRegex(t, "/users<$|/([0-9]+)>"),
RequiredResource: "users:$2",
RequiredAction: "get",
RequiredScopes: []string{"users.create"},
MatchesMethods: []string{"POST"},
MatchesPathCompiled: mustCompileRegex(t, "/users<$|/([0-9]+)>"),
RequiredResource: "users:$2",
RequiredAction: "get",
RequiredScopes: []string{"users.create"},
}

for k, tc := range []struct {
4 changes: 2 additions & 2 deletions evaluator/evaluator_warden.go
Expand Up @@ -132,8 +132,8 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
func (d *WardenEvaluator) prepareAccessRequests(r *http.Request, token string, rl *rule.Rule) swagger.WardenTokenAccessRequest {
return swagger.WardenTokenAccessRequest{
Scopes: rl.RequiredScopes,
Action: rl.MatchesPath.ReplaceAllString(r.URL.Path, rl.RequiredAction),
Resource: rl.MatchesPath.ReplaceAllString(r.URL.Path, rl.RequiredResource),
Action: rl.MatchesPathCompiled.ReplaceAllString(r.URL.Path, rl.RequiredAction),
Resource: rl.MatchesPathCompiled.ReplaceAllString(r.URL.Path, rl.RequiredResource),
Token: token,
Context: map[string]interface{}{
"remoteIpAddress": realip.RealIP(r),
2 changes: 1 addition & 1 deletion rule/doc.go
Expand Up @@ -50,7 +50,7 @@ type jsonRule struct {
// MatchesMethods is a list of HTTP methods that this rule matches.
MatchesMethods []string `json:"matchesMethods"`

// MatchesPath is a regular expression of paths this rule matches.
// MatchesPathCompiled is a regular expression of paths this rule matches.
MatchesPath string `json:"matchesPath"`

// RequiredScopes is a list of scopes that are required by this rule.
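Review bot: The rename swept up the doc comment on jsonRule's MatchesPath, which now reads `MatchesPathCompiled is a regular expression of paths this rule matches.` directly above a field that is still the plaintext `MatchesPath string`. Since this comment is the source of the generated API description, the same wrong name now appears in docs/api.swagger.json, sdk/swagger/rule.go and sdk/swagger/docs/Rule.md in this commit. Restore `// MatchesPath is a regular expression of paths this rule matches.` here and regenerate the SDK and swagger docs. The jsonRule struct header sits outside the hunk.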
5 changes: 3 additions & 2 deletions rule/handler.go
Expand Up @@ -205,7 +205,8 @@ func toRule(rule *jsonRule) (*Rule, error) {

return &Rule{
ID: rule.ID,
MatchesPath: exp,
MatchesPathCompiled: exp,
MatchesPath: rule.MatchesPath,
MatchesMethods: rule.MatchesMethods,
RequiredScopes: rule.RequiredScopes,
RequiredAction: rule.RequiredAction,
Expand All @@ -220,7 +221,7 @@ func toRule(rule *jsonRule) (*Rule, error) {
func encodeRule(r *Rule) *jsonRule {
return &jsonRule{
ID: r.ID,
MatchesPath: r.MatchesPath.String(),
MatchesPath: r.MatchesPath,
MatchesMethods: r.MatchesMethods,
RequiredScopes: r.RequiredScopes,
RequiredAction: r.RequiredAction,
5 changes: 3 additions & 2 deletions rule/manager_sql.go
Expand Up @@ -44,7 +44,8 @@ func (r *sqlRule) toRule() (*Rule, error) {
return &Rule{
ID: r.ID,
MatchesMethods: methods,
MatchesPath: exp,
MatchesPathCompiled: exp,
MatchesPath: r.MatchesPath,
RequiredScopes: scopes,
RequiredAction: r.RequiredAction,
RequiredResource: r.RequiredResource,
Expand All @@ -59,7 +60,7 @@ func toSqlRule(r *Rule) *sqlRule {
return &sqlRule{
ID: r.ID,
MatchesMethods: strings.Join(r.MatchesMethods, " "),
MatchesPath: r.MatchesPath.String(),
MatchesPath: r.MatchesPath,
RequiredScopes: strings.Join(r.RequiredScopes, " "),
RequiredAction: r.RequiredAction,
RequiredResource: r.RequiredResource,
18 changes: 10 additions & 8 deletions rule/manager_test.go
Expand Up @@ -50,18 +50,20 @@ func TestManagers(t *testing.T) {
for k, manager := range managers {

r1 := Rule{
ID: "foo1",
Description: "Create users rule",
MatchesPath: mustCompileRegex(t, "/users/([0-9]+)"),
MatchesMethods: []string{"POST"},
RequiredResource: "users:$1",
RequiredAction: "create:$1",
RequiredScopes: []string{"users.create"},
ID: "foo1",
Description: "Create users rule",
MatchesPathCompiled: mustCompileRegex(t, "/users/([0-9]+)"),
MatchesPath: "/users/([0-9]+)",
MatchesMethods: []string{"POST"},
RequiredResource: "users:$1",
RequiredAction: "create:$1",
RequiredScopes: []string{"users.create"},
}
r2 := Rule{
ID: "foo2",
Description: "Get users rule",
MatchesPath: mustCompileRegex(t, "/users/([0-9]+)"),
MatchesPathCompiled: mustCompileRegex(t, "/users/([0-9]+)"),
MatchesPath: "/users/([0-9]+)",
MatchesMethods: []string{"GET"},
AllowAnonymous: true,
RequiredScopes: []string{},
12 changes: 6 additions & 6 deletions rule/matcher_test.go
Expand Up @@ -21,12 +21,12 @@ func generateDummyRules(amount int) []Rule {
for i := 0; i < amount; i++ {
exp, _ := compiler.CompileRegex(expressions[(i%(len(expressions)))]+"([0-"+strconv.Itoa(i)+"]+)", '<', '>')
rules[i] = Rule{
ID: strconv.Itoa(i),
MatchesMethods: methods[:i%(len(methods))],
RequiredScopes: scopes[:i%(len(scopes))],
RequiredAction: actions[i%(len(actions))],
RequiredResource: resources[i%(len(resources))],
MatchesPath: exp,
ID: strconv.Itoa(i),
MatchesMethods: methods[:i%(len(methods))],
RequiredScopes: scopes[:i%(len(scopes))],
RequiredAction: actions[i%(len(actions))],
RequiredResource: resources[i%(len(resources))],
MatchesPathCompiled: exp,
}
}
return rules
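Review bot: generateDummyRules sets only MatchesPathCompiled and leaves the new plaintext MatchesPath empty, so these fixtures no longer satisfy the pairing the rest of this commit establishes (toRule, sqlRule.toRule and manager_test.go all set both fields together). Keep the pattern in a local and populate both: `pattern := expressions[(i%(len(expressions)))] + "([0-" + strconv.Itoa(i) + "]+)"`, `exp, _ := compiler.CompileRegex(pattern, '<', '>')`, `MatchesPath: pattern,`. The discarded compile error also means a bad pattern silently produces a nil MatchesPathCompiled that would only surface as a panic later in the matcher; panicking here (or passing a *testing.T and failing) would pinpoint it. The function's signature is outside the hunk.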
9 changes: 6 additions & 3 deletions rule/rule.go
Expand Up @@ -16,8 +16,11 @@ type Rule struct {
// MatchesMethods is a list of HTTP methods that this rule matches.
MatchesMethods []string

// MatchesPathCompiled is a regular expression of paths this rule matches.
MatchesPathCompiled *regexp.Regexp

// MatchesPath is a regular expression of paths this rule matches.
MatchesPath *regexp.Regexp
MatchesPath string

// RequiredScopes is a list of scopes that are required by this rule.
RequiredScopes []string
Expand Down Expand Up @@ -46,8 +49,8 @@ func (r *Rule) MatchesURL(method string, u *url.URL) error {
return errors.Errorf("Method %s does not match any of %v", method, r.MatchesMethods)
}

if !r.MatchesPath.MatchString(u.Path) {
return errors.Errorf("Path %s does not match %s", u.Path, r.MatchesPath.String())
if !r.MatchesPathCompiled.MatchString(u.Path) {
return errors.Errorf("Path %s does not match %s", u.Path, r.MatchesPath)
}

return nil
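Review bot: Rule now carries two representations of the same pattern and nothing in the type enforces that they agree: the path check in MatchesURL enforces `MatchesPathCompiled` while the error it returns reports the plaintext `MatchesPath`, so a rule whose string was changed without recompiling would admit or reject requests on a pattern other than the one it reports, and a rule constructed with only the string set would hit a nil `*regexp.Regexp` and panic inside an access-control decision. Document the invariant on the struct, e.g. `// MatchesPathCompiled is MatchesPath compiled; rebuild it whenever MatchesPath changes (see toRule in handler.go).`, and fail closed before the match: `if r.MatchesPathCompiled == nil { return errors.New("rule has no compiled path matcher") }`. That turns a misconstructed rule into a denial rather than a crash of the proxy. MatchesURL's signature and method check sit outside the hunk.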
2 changes: 1 addition & 1 deletion sdk/swagger/docs/Rule.md
Expand Up @@ -9,7 +9,7 @@ Name | Type | Description | Notes
**Description** | **string** | Description describes the rule. | [optional] [default to null]
**Id** | **string** | ID the a unique id of a rule. | [optional] [default to null]
**MatchesMethods** | **[]string** | MatchesMethods is a list of HTTP methods that this rule matches. | [optional] [default to null]
**MatchesPath** | **string** | MatchesPath is a regular expression of paths this rule matches. | [optional] [default to null]
**MatchesPath** | **string** | MatchesPathCompiled is a regular expression of paths this rule matches. | [optional] [default to null]
**RequiredAction** | **string** | RequiredScopes is the action this rule requires. | [optional] [default to null]
**RequiredResource** | **string** | RequiredScopes is the resource this rule requires. | [optional] [default to null]
**RequiredScopes** | **[]string** | RequiredScopes is a list of scopes that are required by this rule. | [optional] [default to null]
2 changes: 1 addition & 1 deletion sdk/swagger/rule.go
Expand Up @@ -31,7 +31,7 @@ type Rule struct {
// MatchesMethods is a list of HTTP methods that this rule matches.
MatchesMethods []string `json:"matchesMethods,omitempty"`

// MatchesPath is a regular expression of paths this rule matches.
// MatchesPathCompiled is a regular expression of paths this rule matches.
MatchesPath string `json:"matchesPath,omitempty"`

// RequiredScopes is the action this rule requires.
