feat: Route based matching of rules (#1766)
dadrus authored Sep 11, 2024
1 parent 0f10620 commit 8ef379d
Showing 57 changed files with 2,256 additions and 1,766 deletions.
1 change: 1 addition & 0 deletions .golangci.yaml
Expand Up @@ -34,6 +34,7 @@ issues:
- canonicalheader
- mnd
- err113
- forcetypeassert

linters-settings:
exhaustive:
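Review bot: Adding `forcetypeassert` to this list silences the linter that flags unchecked `v.(T)` assertions, which panic at runtime when the dynamic type is not the expected one; the `issues:` mapping this list belongs to starts above the hunk, so it is not visible whether the exclusion is path-scoped (for example to test files) or applies to all packages. If it is global, an unchecked assertion on request-derived data becomes a crash path nobody is warned about; if it is scoped, a short comment would make that explicit, e.g. `- forcetypeassert  # excluded for: <scope of this exclude rule>`.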
3 changes: 2 additions & 1 deletion DockerHub-README.md
Expand Up @@ -125,7 +125,8 @@ version: "1alpha4"
rules:
- id: test-rule
match:
path: /**
routes:
- path: /**
forward_to:
host: upstream
execute:
149 changes: 94 additions & 55 deletions charts/heimdall/crds/ruleset.yaml
Expand Up @@ -51,7 +51,7 @@ spec:
type: array
minItems: 1
items:
description: A himedall rule defining the pipeline mechanisms
description: A heimdall rule defining the pipeline mechanisms
type: object
required:
- id
Expand All @@ -75,66 +75,105 @@ spec:
description: How to match the rule
type: object
required:
- path
- routes
properties:
path:
description: The path to match
type: string
maxLength: 256
routes:
description: Routes to match
type: array
minItems: 1
items:
description: Definition of a single route
type: object
required:
- path
properties:
path:
description: The path to match
type: string
maxLength: 512
path_params:
description: Optional matching definitions for the captured wildcard
type: array
items:
description: Matching definition for a single wildcard
type: object
required:
- name
- type
- value
properties:
name:
description: The name of a wildcard
type: string
maxLength: 64
type:
description: The type of the matching expression
type: string
maxLength: 5
enum:
- "exact"
- "glob"
- "regex"
value:
description: The actual matching expression
type: string
maxLength: 256
backtracking_enabled:
description: Wither this rule allows backtracking. Defaults to the value inherited from the default rule
type: boolean
with:
description: Additional constraints during request matching
type: object
properties:
methods:
description: The HTTP methods to match
type: array
minItems: 1
items:
methods:
description: The HTTP methods to match
type: array
minItems: 1
items:
type: string
maxLength: 16
enum:
- "CONNECT"
- "!CONNECT"
- "DELETE"
- "!DELETE"
- "GET"
- "!GET"
- "HEAD"
- "!HEAD"
- "OPTIONS"
- "!OPTIONS"
- "PATCH"
- "!PATCH"
- "POST"
- "!POST"
- "PUT"
- "!PUT"
- "TRACE"
- "!TRACE"
- "ALL"
scheme:
description: The HTTP scheme, which should be matched. If not set, http and https are matched
type: string
maxLength: 5
hosts:
description: Optional expressions to match the host if required. If not set, all hosts are matched.
type: array
items:
description: Expression to match a host
type: object
required:
- type
- value
properties:
type:
description: The type of the host matching expression
type: string
maxLength: 16
maxLength: 5
enum:
- "CONNECT"
- "!CONNECT"
- "DELETE"
- "!DELETE"
- "GET"
- "!GET"
- "HEAD"
- "!HEAD"
- "OPTIONS"
- "!OPTIONS"
- "PATCH"
- "!PATCH"
- "POST"
- "!POST"
- "PUT"
- "!PUT"
- "TRACE"
- "!TRACE"
- "ALL"
scheme:
description: The HTTP scheme, which should be matched. If not set, http and https are matched
type: string
maxLength: 5
host_glob:
description: Glob expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_regex'.
type: string
maxLength: 512
host_regex:
description: Regular expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_glob'.
type: string
maxLength: 512
path_glob:
description: Additional glob expression the matched path should be matched against. Mutual exclusive with 'regex'.
type: string
maxLength: 256
path_regex:
description: Additional regular expression the matched path should be matched against. Mutual exclusive with 'glob'
type: string
maxLength: 256
- "exact"
- "glob"
- "regex"
value:
description: The actual host matching expression
type: string
maxLength: 256
forward_to:
description: Where to forward the request to. Required only if heimdall is used in proxy operation mode.
type: object
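Review bot: The new `backtracking_enabled` description in the second hunk reads `Wither this rule allows backtracking`; it should read `Whether this rule allows backtracking. Defaults to the value inherited from the default rule`. The new `hosts` array replaces the mutually exclusive `host_glob`/`host_regex` pair but its description does not say how several entries combine, and it has no `minItems`, so `hosts: []` is accepted although the text only defines the unset case; suggest `minItems: 1` under `hosts` plus `description: Optional expressions to match the host. A request matches if <any|all> of the entries match; if not set, all hosts are matched.` with the real semantic filled in. The same applies to `path_params`: `value` has no `pattern` constraint and `type: regex` admits any string up to 256 characters, so a malformed expression can only be caught by the rule loader, which presumably rejects the rule rather than silently skipping it — worth confirming.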
12 changes: 7 additions & 5 deletions cmd/validate/test_data/invalid-ruleset-for-proxy-usage.yaml
Expand Up @@ -3,11 +3,13 @@ name: test-rule-set
rules:
- id: rule:foo
match:
path: /**
with:
scheme: http
host_glob: foo.bar
methods: [ GET, POST ]
routes:
- path: /**
scheme: http
hosts:
- type: glob
value: foo.bar
methods: [ GET, POST ]
execute:
- authenticator: unauthorized_authenticator
- authenticator: jwt_authenticator1
16 changes: 9 additions & 7 deletions cmd/validate/test_data/valid-ruleset.yaml
Expand Up @@ -3,14 +3,16 @@ name: test-rule-set
rules:
- id: rule:foo
match:
path: /**
routes:
- path: /**
backtracking_enabled: true
with:
scheme: http
host_glob: foo.bar
methods:
- POST
- PUT
scheme: http
hosts:
- type: glob
value: foo.bar
methods:
- POST
- PUT
forward_to:
host: bar.foo
rewrite:
10 changes: 6 additions & 4 deletions docs/content/_index.adoc
Expand Up @@ -23,10 +23,12 @@ spec:
rules:
- id: my_api_rule
match:
path: /api/**
with:
scheme: http
host_glob: 127.0.0.1:9090
routes:
- path: /api/**
scheme: http
hosts:
- type: exact
value: 127.0.0.1:9090
execute:
- authenticator: keycloak
- authorizer: opa
22 changes: 12 additions & 10 deletions docs/content/docs/concepts/operating_modes.adoc
Expand Up @@ -76,12 +76,14 @@ And there is a rule, which allows anonymous requests and sets a header with subj
----
id: rule:my-service:anonymous-api-access
match:
path: /my-service/api
with:
scheme: http
host_glob: my-backend-service
methods:
- GET
routes:
- path: /my-service/api
scheme: http
hosts:
- type: exact
value: my-backend-service
methods:
- GET
execute:
- authenticator: anonymous-authn
- finalizer: id-header
Expand Down Expand Up @@ -147,10 +149,10 @@ And there is a rule, which allows anonymous requests and sets a header with subj
----
id: rule:my-service:anonymous-api-access
match:
path: /my-service/api
with:
methods:
- GET
routes:
- path: /my-service/api
methods:
- GET
forward_to:
host: my-backend-service:8888
execute:
3 changes: 2 additions & 1 deletion docs/content/docs/configuration/types.adoc
Expand Up @@ -565,7 +565,8 @@ auth:
headers:
X-My-First-Header: foobar
X-My-Second-Header: barfoo
enable_http_cache: true
http_cache:
enabled: true
----
====
12 changes: 8 additions & 4 deletions docs/content/docs/getting_started/protect_an_app.adoc
Expand Up @@ -137,7 +137,8 @@ version: "1alpha4"
rules:
- id: demo:public # <1>
match:
path: /public
routes:
- path: /public
forward_to:
host: upstream:8081
execute:
Expand All @@ -146,9 +147,12 @@ rules:
- id: demo:protected # <2>
match:
path: /:user
with:
path_glob: "{/user,/admin}"
routes:
- path: /:user
path_params:
- name: user
type: glob
value: "{user,admin}"
forward_to:
host: upstream:8081
execute:
3 changes: 2 additions & 1 deletion docs/content/docs/rules/default_rule.adoc
Expand Up @@ -58,7 +58,8 @@ Obviously, the authentication & authorization pipeline (defined in the `execute`
----
id: rule:my-service:protected-api
match:
path: /foo
routes:
- path: /foo
execute:
- authorizer: allow_all_requests_authz
----
10 changes: 6 additions & 4 deletions docs/content/docs/rules/providers.adoc
Expand Up @@ -49,10 +49,12 @@ name: my-rule-set
rules:
- id: rule:1
match:
path: /**
with:
host_glob: my-service1.local
methods: [ "GET" ]
routes:
- path: /**
hosts:
- type: exact
value: my-service1.local
methods: [ "GET" ]
forward_to:
host: ${UPSTREAM_HOST:="default-backend:8080"}
execute: