ory · davidspek · Jul 10, 2023 · Jul 10, 2023 · Jul 10, 2023 · Jul 10, 2023
@@ -24,6 +24,7 @@ const (
 	PrometheusServeCollapseRequestPaths Key = "serve.prometheus.collapse_request_paths"
 	AccessRuleRepositories              Key = "access_rules.repositories"
 	AccessRuleMatchingStrategy          Key = "access_rules.matching_strategy"
+	AcccessRulePrefixMatchingEnabled    Key = "access_rules.prefix_matching_enabled"
 )
 
 // Authorizers

@@ -58,6 +58,7 @@ type Provider interface {
 
 	AccessRuleRepositories() []url.URL
 	AccessRuleMatchingStrategy() MatchingStrategy
+	AcccessRulePrefixMatchingEnabled() bool
 
 	ProxyServeAddress() string
 	APIServeAddress() string

@@ -172,6 +172,11 @@ func (v *KoanfProvider) AccessRuleMatchingStrategy() MatchingStrategy {
 	return MatchingStrategy(v.source.String(AccessRuleMatchingStrategy))
 }
 
+// AcccessRulePrefixMatching returns if prefix matching should be used.
+func (v *KoanfProvider) AcccessRulePrefixMatchingEnabled() bool {
+	return v.source.Bool(AcccessRulePrefixMatchingEnabled)
+}
+
 func (v *KoanfProvider) CORSEnabled(iface string) bool {
 	_, enabled := v.CORS(iface)
 	return enabled

@@ -103,6 +103,8 @@ access_rules:
     - https://path-to-my-rules/rules.json
   # Optional fields describing matching strategy, defaults to "regexp".
   matching_strategy: glob
+  # Optional fields describing if rules should be matched using path prefixes, defaults to false.
+  prefix_matching_enabled: false
 
 errors:
   fallback:

@@ -9,14 +9,14 @@ import (
 )
 
 type (
-	Protocol int
+	Protocol string
 
 	Matcher interface {
 		Match(ctx context.Context, method string, u *url.URL, protocol Protocol) (*Rule, error)
 	}
 )
 
 const (
-	ProtocolHTTP Protocol = iota
-	ProtocolGRPC
+	ProtocolHTTP Protocol = "http"
+	ProtocolGRPC Protocol = "grpc"
 )
@@ -99,6 +99,63 @@ var testRulesGlob = []Rule{
 	},
 }
 
+var testRulesPrefix = []Rule{
+	{
+		ID:             "foo1",
+		Match:          &Match{URL: "https://localhost:1234/<foo|bar>", Methods: []string{"POST"}},
+		Description:    "Create users rule",
+		Authorizer:     Handler{Handler: "allow", Config: []byte(`{"type":"any"}`)},
+		Authenticators: []Handler{{Handler: "anonymous", Config: []byte(`{"name":"anonymous1"}`)}},
+		Mutators:       []Handler{{Handler: "id_token", Config: []byte(`{"issuer":"anything"}`)}},
+		Upstream:       Upstream{URL: "http://localhost:1235/", StripPath: "/bar", PreserveHost: true},
+	},
+	{
+		ID:             "foo2",
+		Match:          &Match{URL: "https://localhost:1234/foo/<baz|bar>", Methods: []string{"POST"}},
+		Description:    "Create users rule",
+		Authorizer:     Handler{Handler: "allow", Config: []byte(`{"type":"any"}`)},
+		Authenticators: []Handler{{Handler: "anonymous", Config: []byte(`{"name":"anonymous1"}`)}},
+		Mutators:       []Handler{{Handler: "id_token", Config: []byte(`{"issuer":"anything"}`)}},
+		Upstream:       Upstream{URL: "http://localhost:1235/", StripPath: "/bar", PreserveHost: true},
+	},
+	{
+		ID:             "foo3",
+		Match:          &Match{URL: "https://localhost:1234/foo/something/<baz|bar>", Methods: []string{"POST"}},
+		Description:    "Create users rule",
+		Authorizer:     Handler{Handler: "allow", Config: []byte(`{"type":"any"}`)},
+		Authenticators: []Handler{{Handler: "anonymous", Config: []byte(`{"name":"anonymous1"}`)}},
+		Mutators:       []Handler{{Handler: "id_token", Config: []byte(`{"issuer":"anything"}`)}},
+		Upstream:       Upstream{URL: "http://localhost:1235/", StripPath: "/bar", PreserveHost: true},
+	},
+	{
+		ID:             "foo4",
+		Match:          &Match{URL: "https://localhost:34/<baz|bar>", Methods: []string{"GET"}},
+		Description:    "Get users rule",
+		Authorizer:     Handler{Handler: "deny", Config: []byte(`{"type":"any"}`)},
+		Authenticators: []Handler{{Handler: "oauth2_introspection", Config: []byte(`{"name":"anonymous1"}`)}},
+		Mutators:       []Handler{{Handler: "id_token", Config: []byte(`{"issuer":"anything"}`)}},
+		Upstream:       Upstream{URL: "http://localhost:333/", StripPath: "/foo", PreserveHost: false},
+	},
+	{
+		ID:             "foo5",
+		Match:          &Match{URL: "https://localhost:343/<baz|bar>", Methods: []string{"GET"}},
+		Description:    "Get users rule",
+		Authorizer:     Handler{Handler: "deny"},
+		Authenticators: []Handler{{Handler: "oauth2_introspection"}},
+		Mutators:       []Handler{{Handler: "id_token"}},
+		Upstream:       Upstream{URL: "http://localhost:3333/", StripPath: "/foo", PreserveHost: false},
+	},
+	{
+		ID:             "grpc1",
+		Match:          &MatchGRPC{Authority: "bar.example.com", FullMethod: "grpc.api/Call"},
+		Description:    "gRPC Rule",
+		Authorizer:     Handler{Handler: "allow", Config: []byte(`{"type":"any"}`)},
+		Authenticators: []Handler{{Handler: "anonymous", Config: []byte(`{"name":"anonymous1"}`)}},
+		Mutators:       []Handler{{Handler: "id_token", Config: []byte(`{"issuer":"anything"}`)}},
+		Upstream:       Upstream{URL: "http://bar.example.com/", PreserveHost: false},
+	},
+}
+
 func TestMatcher(t *testing.T) {
 	type m interface {
 		Matcher
@@ -192,5 +249,43 @@ func TestMatcher(t *testing.T) {
 				testMatcher(t, matcher, "DELETE", "https://localhost:1234/foo", ProtocolHTTP, true, nil)
 			})
 		})
+		t.Run(fmt.Sprintf("prefix matcher=%s", name), func(t *testing.T) {
+			require.NoError(t, matcher.SetMatchingStrategy(context.Background(), configuration.Regexp))
+			require.NoError(t, matcher.SetPrefixMatching(context.Background(), true))
+			require.NoError(t, matcher.Set(context.Background(), []Rule{}))
+			t.Run("case=empty", func(t *testing.T) {
+				testMatcher(t, matcher, "GET", "https://localhost:34/baz", ProtocolHTTP, true, nil)
+				testMatcher(t, matcher, "POST", "https://localhost:1234/foo", ProtocolHTTP, true, nil)
+				testMatcher(t, matcher, "DELETE", "https://localhost:1234/foo", ProtocolHTTP, true, nil)
+			})
+
+			require.NoError(t, matcher.Set(context.Background(), testRulesPrefix))
+
+			t.Run("case=created", func(t *testing.T) {
+				testMatcher(t, matcher, "POST", "https://localhost:1234/", ProtocolHTTP, false, &testRulesPrefix[0])
+				testMatcher(t, matcher, "POST", "https://localhost:1234/foo", ProtocolHTTP, false, &testRulesPrefix[1])
+				testMatcher(t, matcher, "POST", "https://localhost:1234/foo/something/very/long", ProtocolHTTP, false, &testRulesPrefix[2])
+				testMatcher(t, matcher, "POST", "https://localhost:1234/foo/baz/something/very/long", ProtocolHTTP, false, &testRulesPrefix[1])
+				testMatcher(t, matcher, "GET", "https://localhost:34/baz", ProtocolHTTP, false, &testRulesPrefix[3])
+				testMatcher(t, matcher, "DELETE", "https://localhost:1234/foo", ProtocolHTTP, true, nil)
+				testMatcher(t, matcher, "POST", "grpc://bar.example.com/grpc.api/Call", ProtocolGRPC, false, &testRulesPrefix[5])
+			})
+
+			t.Run("case=cache", func(t *testing.T) {
+				r, err := matcher.Match(context.Background(), "GET", mustParseURL(t, "https://localhost:34/baz"), ProtocolHTTP)
+				require.NoError(t, err)
+				_, err = matcher.Get(context.Background(), r.ID)
+				require.NoError(t, err)
+				// assert.NotEmpty(t, got.matchingEngine.Checksum())
+			})
+
+			require.NoError(t, matcher.Set(context.Background(), testRulesPrefix[3:]))
+
+			t.Run("case=updated", func(t *testing.T) {
+				testMatcher(t, matcher, "GET", "https://localhost:34/baz", ProtocolHTTP, false, &testRulesPrefix[3])
+				testMatcher(t, matcher, "POST", "https://localhost:1234/foo", ProtocolHTTP, true, nil)
+				testMatcher(t, matcher, "DELETE", "https://localhost:1234/foo", ProtocolHTTP, true, nil)
+			})
+		})
 	}
 }
@@ -17,5 +17,7 @@ type Repository interface {
 	Count(context.Context) (int, error)
 	MatchingStrategy(context.Context) (configuration.MatchingStrategy, error)
 	SetMatchingStrategy(context.Context, configuration.MatchingStrategy) error
+	PrefixMatching(context.Context) (bool, error)
+	SetPrefixMatching(context.Context, bool) error
 	ReadyChecker(*http.Request) error
 }
@@ -30,7 +30,9 @@ type RepositoryMemory struct {
 	rules            []Rule
 	invalidRules     []Rule
 	matchingStrategy configuration.MatchingStrategy
+	prefixMatching   bool
 	r                repositoryMemoryRegistry
+	trie             *Trie
 }
 
 // MatchingStrategy returns current MatchingStrategy.
@@ -48,17 +50,36 @@ func (m *RepositoryMemory) SetMatchingStrategy(_ context.Context, ms configurati
 	return nil
 }
 
+// PrefixMatching returns current PrefixMatching.
+func (m *RepositoryMemory) PrefixMatching(_ context.Context) (bool, error) {
+	m.RLock()
+	defer m.RUnlock()
+	return m.prefixMatching, nil
+}
+
+// SetPrefixMatching updates PrefixMatching.
+func (m *RepositoryMemory) SetPrefixMatching(_ context.Context, enabled bool) error {
+	m.Lock()
+	defer m.Unlock()
+	m.prefixMatching = enabled
+	return nil
+}
+
 func NewRepositoryMemory(r repositoryMemoryRegistry) *RepositoryMemory {
 	return &RepositoryMemory{
 		r:     r,
 		rules: make([]Rule, 0),
+		trie:  NewTrie(),
 	}
 }
 
 // WithRules sets rules without validation. For testing only.
 func (m *RepositoryMemory) WithRules(rules []Rule) {
 	m.Lock()
 	m.rules = rules
+	for _, rule := range rules {
+		m.trie.InsertRule(rule)
+	}
 	m.Unlock()
 }
 
@@ -97,13 +118,24 @@ func (m *RepositoryMemory) Set(ctx context.Context, rules []Rule) error {
 	m.rules = make([]Rule, 0, len(rules))
 	m.invalidRules = make([]Rule, 0)
 
+	// Reset the trie if we are using prefix matching and the rules have changed.
+	if m.prefixMatching {
+		m.trie = NewTrie()
+	}
+
 	for _, check := range rules {
 		if err := m.r.RuleValidator().Validate(&check); err != nil {
 			m.r.Logger().WithError(err).WithField("rule_id", check.ID).
 				Errorf("A Rule uses a malformed configuration and all URLs matching this rule will not work. You should resolve this issue now.")
 			m.invalidRules = append(m.invalidRules, check)
 		} else {
 			m.rules = append(m.rules, check)
+			if m.prefixMatching {
+				if err := m.trie.InsertRule(check); err != nil {
+					m.r.Logger().WithError(err).WithField("rule_id", check.ID).
+						Errorf("A Prefix Rule could not be loaded into the trie so all requests will be sent to the closest matching prefix. You should resolve this issue now.")
+				}
+			}
 		}
 	}
 
@@ -119,20 +151,41 @@ func (m *RepositoryMemory) Match(ctx context.Context, method string, u *url.URL,
 	defer m.Unlock()
 
 	var rules []*Rule
-	for k := range m.rules {
-		r := &m.rules[k]
-		if matched, err := r.IsMatching(m.matchingStrategy, method, u, protocol); err != nil {
-			return nil, errors.WithStack(err)
-		} else if matched {
-			rules = append(rules, r)
+
+	if m.prefixMatching {
+		if m.trie.root == nil {
+			return nil, errors.WithStack(errors.New("prefix trie is nil"))
+		} else {
+			matchedRules := m.trie.Match(method, u, protocol)
+			for _, r := range matchedRules {
+				// if there are multiple rules that match, we will procede to filter them using the matching strategy
+				if len(matchedRules) > 1 {
+					if matched, err := r.IsMatching(m.matchingStrategy, method, u, protocol); err != nil {
+						return nil, errors.WithStack(err)
+					} else if matched {
+						rules = append(rules, &r)
+					}
+				} else {
+					rules = append(rules, &r)
+				}
+			}
 		}
-	}
-	for k := range m.invalidRules {
-		r := &m.invalidRules[k]
-		if matched, err := r.IsMatching(m.matchingStrategy, method, u, protocol); err != nil {
-			return nil, errors.WithStack(err)
-		} else if matched {
-			rules = append(rules, r)
+	} else {
+		for k := range m.rules {
+			r := &m.rules[k]
+			if matched, err := r.IsMatching(m.matchingStrategy, method, u, protocol); err != nil {
+				return nil, errors.WithStack(err)
+			} else if matched {
+				rules = append(rules, r)
+			}
+		}
+		for k := range m.invalidRules {
+			r := &m.invalidRules[k]
+			if matched, err := r.IsMatching(m.matchingStrategy, method, u, protocol); err != nil {
+				return nil, errors.WithStack(err)
+			} else if matched {
+				rules = append(rules, r)
+			}
 		}
 	}