Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor!: Rules are loaded into a radix trie instead of a list #1358

Merged
merged 77 commits into from
Apr 30, 2024
Merged

refactor!: Rules are loaded into a radix trie instead of a list #1358

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
77 commits
Select commit Hold shift + click to select a range
8fcb57c
new string utils function to find a common prefix length of two strings
dadrus Apr 12, 2024
7700693
initial implementation based on work from @davidspek
dadrus Apr 12, 2024
23deeaa
find method ensures unnamed wildcards are not included in the result
dadrus Apr 13, 2024
ecd178b
linter warnings resolved
dadrus Apr 13, 2024
55de764
first working version
dadrus Apr 16, 2024
e47a724
ruleset version updated to 1alpha4 respectively to v1alpha4 for kuber…
dadrus Apr 16, 2024
c467a90
ruleset version in helm chart updated
dadrus Apr 16, 2024
7a3787e
validation command test data updated
dadrus Apr 16, 2024
be24aa1
first updates to examples
dadrus Apr 16, 2024
109c95d
first changes to the docs
dadrus Apr 16, 2024
1256454
some linter warnings resolved
dadrus Apr 16, 2024
d6d6c8f
Merge branch 'main' into feat/radix_trie
dadrus Apr 17, 2024
3c6590f
some errors fixed, enhanced internal apis and linter warnings resolved
dadrus Apr 20, 2024
77312a0
some code reformatting
dadrus Apr 20, 2024
655c590
rule repository updated to cover additional new cases, implementation…
dadrus Apr 21, 2024
8ee0a96
more code comments
dadrus Apr 21, 2024
fc537cc
indextree simplifications and refactorings
dadrus Apr 21, 2024
c6f5790
repository impl updated to comply with the updated indextree api
dadrus Apr 21, 2024
672c4db
package indextree renamed to radixtree
dadrus Apr 21, 2024
4dad2ce
radixtree package move to x
dadrus Apr 21, 2024
4f89a3e
further renamings
dadrus Apr 21, 2024
0abc474
only rules from the same rule set can added to the same node
dadrus Apr 21, 2024
effbc98
better error handling and less dependencies in radix tree impl
dadrus Apr 22, 2024
55d7c23
lookup of requests with escaped parts in URL fixed
dadrus Apr 22, 2024
a94d5a2
useless test removed
dadrus Apr 22, 2024
6cd57a3
code simplifications
dadrus Apr 22, 2024
df558eb
proper handling of encoded slashes
dadrus Apr 22, 2024
12ce84d
new mock
dadrus Apr 22, 2024
c9a47d9
more tests and some fixes for found issues
dadrus Apr 22, 2024
18499b6
some code simplifications
dadrus Apr 22, 2024
aeecd3d
new mutex to ensure multiple providers can manage rules in parallel
dadrus Apr 22, 2024
bd29116
making updating rules index atomic, provider have access to the rule …
dadrus Apr 23, 2024
c225199
benchmark tests used for orientation only removed
dadrus Apr 23, 2024
3b3d992
linter earnings resolved
dadrus Apr 23, 2024
99d5e47
package comment moved
dadrus Apr 23, 2024
3b86421
more tests for radix tree
dadrus Apr 23, 2024
371bd44
radix tree update won't work as implemented - removed
dadrus Apr 23, 2024
2fa845e
linter warnings resolved
dadrus Apr 23, 2024
97d9c79
repository impl updated
dadrus Apr 23, 2024
d522eda
path prefix check removed as it doesn't make sense any more
dadrus Apr 23, 2024
c4c9705
the actual config for prefix checks removed
dadrus Apr 23, 2024
03291a9
backtracking test fixed
dadrus Apr 24, 2024
e7f476d
made backtracking configurable in the radix tree implementation
dadrus Apr 24, 2024
b74f31e
rule config updated to implement the new matching config api. More us…
dadrus Apr 24, 2024
a9b79c2
examle rule updated
dadrus Apr 24, 2024
bc3ef95
helm chart updated
dadrus Apr 24, 2024
00eea4f
rules in examples updated to use the new config api
dadrus Apr 24, 2024
f4ef1b4
implementing the config api described in the PR
dadrus Apr 27, 2024
d4a94b9
helm chart updated
dadrus Apr 27, 2024
a162f60
examples updated
dadrus Apr 27, 2024
57df03f
example rule and config updated
dadrus Apr 27, 2024
5a685b9
admission controller settings in helm chart updated to use the proper…
dadrus Apr 28, 2024
ef65689
version string updated in fortgotten places
dadrus Apr 28, 2024
f590945
DockerHub readme updated
dadrus Apr 28, 2024
9d4bbe7
docs updated; to be continued
dadrus Apr 28, 2024
e70c988
more docs updates
dadrus Apr 29, 2024
dc3f1bf
json schema updated - suport for rule_path_match_prefix dropped
dadrus Apr 29, 2024
18ade03
description of rule_path_match_prefix removed from the documentation …
dadrus Apr 29, 2024
da6787e
config reference updated to reflect the changes introduced in this PR
dadrus Apr 29, 2024
212865e
more descriptions about rule matching and backtracking
dadrus Apr 29, 2024
5c248ef
json schema updated - backtracking_enabled added to the default_rule
dadrus Apr 29, 2024
127d4df
radixtree implementation updated to allow switching on or off backtrc…
dadrus Apr 29, 2024
eab6827
CRD updated to allow usage of the new backtracking_enabled property
dadrus Apr 29, 2024
115b96e
default rule impl updated to support the new property
dadrus Apr 29, 2024
07ec621
upstream rule config impl updated to allow usage of the new property
dadrus Apr 29, 2024
b371752
making use of the new backtracking_enabled property in rule implement…
dadrus Apr 29, 2024
da82458
configs used for validation tests updated
dadrus Apr 29, 2024
a8a6cba
example config updated
dadrus Apr 29, 2024
e0e21c9
docker compose quickstarts heimdall config updated
dadrus Apr 29, 2024
767f8ef
made configs better readable by adding empty lines; metallb config up…
dadrus Apr 29, 2024
b0d0d3d
notes in examples readme added
dadrus Apr 29, 2024
7bd03a3
support for and documentation of the respond.with.method_error removed
dadrus Apr 30, 2024
8622ea2
more docu
dadrus Apr 30, 2024
8b33ec7
made backtracking_enabled configurable together with additional condi…
dadrus Apr 30, 2024
2fd38b0
documentation updated
dadrus Apr 30, 2024
92b368b
example rule updated
dadrus Apr 30, 2024
6147096
better config validation converade in tests
dadrus Apr 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 2 additions & 5 deletions DockerHub-README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,9 +107,6 @@ mechanisms:
type: jwt

default_rule:
methods:
- GET
- POST
execute:
- authenticator: anonymous_authenticator
- authorizer: deny_all_requests
Expand All @@ -124,11 +121,11 @@ providers:
Create a rule file (`rule.yaml`) with the following contents:

```yaml
version: "1alpha3"
version: "1alpha4"
rules:
- id: test-rule
match:
url: http://<**>/<**>
path: /**
forward_to:
host: upstream
execute:
Expand Down
3 changes: 1 addition & 2 deletions charts/heimdall/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
apiVersion: v2
name: heimdall
description: A cloud native Identity Aware Proxy and Access Control Decision Service
version: 0.13.1
version: 0.14.0
appVersion: latest
kubeVersion: ^1.19.0
type: application
Expand All @@ -43,5 +43,4 @@ keywords:
- iap
- auth-proxy
- identity-aware-proxy
- decision-api
- auth-filter
99 changes: 59 additions & 40 deletions charts/heimdall/crds/ruleset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ spec:
singular: ruleset
listKind: RuleSetList
versions:
- name: v1alpha3
- name: v1alpha4
served: true
storage: true
schema:
Expand Down Expand Up @@ -75,20 +75,66 @@ spec:
description: How to match the rule
type: object
required:
- url
- path
properties:
url:
description: The url to match
path:
description: The path to match
type: string
maxLength: 512
strategy:
description: Strategy to match the url. Can either be regex or glob.
type: string
maxLength: 5
default: glob
enum:
- regex
- glob
maxLength: 256
backtracking_enabled:
description: Wither this rule allows backtracking. Defaults to the value inherited from the default rule
type: boolean
with:
description: Additional constraints during request matching
type: object
properties:
methods:
description: The HTTP methods to match
type: array
minItems: 1
items:
type: string
maxLength: 16
enum:
- "CONNECT"
- "!CONNECT"
- "DELETE"
- "!DELETE"
- "GET"
- "!GET"
- "HEAD"
- "!HEAD"
- "OPTIONS"
- "!OPTIONS"
- "PATCH"
- "!PATCH"
- "POST"
- "!POST"
- "PUT"
- "!PUT"
- "TRACE"
- "!TRACE"
- "ALL"
scheme:
description: The HTTP scheme, which should be matched. If not set, http and https are matched
type: string
maxLength: 5
host_glob:
description: Glob expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_regex'.
type: string
maxLength: 512
host_regex:
description: Regular expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_glob'.
type: string
maxLength: 512
path_glob:
description: Additional glob expression the matched path should be matched against. Mutual exclusive with 'regex'.
type: string
maxLength: 256
path_regex:
description: Additional regular expression the matched path should be matched against. Mutual exclusive with 'glob'
type: string
maxLength: 256
forward_to:
description: Where to forward the request to. Required only if heimdall is used in proxy operation mode.
type: object
Expand Down Expand Up @@ -125,33 +171,6 @@ spec:
items:
type: string
maxLength: 128
methods:
description: The allowed HTTP methods
type: array
minItems: 1
items:
type: string
maxLength: 16
enum:
- "CONNECT"
- "!CONNECT"
- "DELETE"
- "!DELETE"
- "GET"
- "!GET"
- "HEAD"
- "!HEAD"
- "OPTIONS"
- "!OPTIONS"
- "PATCH"
- "!PATCH"
- "POST"
- "!POST"
- "PUT"
- "!PUT"
- "TRACE"
- "!TRACE"
- "ALL"
execute:
description: The pipeline mechanisms to execute
type: array
Expand Down
3 changes: 0 additions & 3 deletions charts/heimdall/templates/demo/configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,9 +74,6 @@ data:
type: noop

default_rule:
methods:
- GET
- POST
execute:
- authenticator: anonymous_authenticator
- authorizer: deny_all_requests
Expand Down
6 changes: 3 additions & 3 deletions charts/heimdall/templates/demo/test-rule.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
# SPDX-License-Identifier: Apache-2.0

{{- if .Values.demo.enabled }}
apiVersion: heimdall.dadrus.github.com/v1alpha3
apiVersion: heimdall.dadrus.github.com/v1alpha4
kind: RuleSet
metadata:
name: {{ include "heimdall.demo.fullname" . }}-test-rule
Expand All @@ -26,7 +26,7 @@ spec:
rules:
- id: public-access
match:
url: http://<**>/pub/<**>
path: /pub/**
forward_to:
host: {{ include "heimdall.demo.fullname" . }}.heimdall-demo.svc.cluster.local:8080
execute:
Expand All @@ -35,7 +35,7 @@ spec:
- finalizer: noop_finalizer
- id: anonymous-access
match:
url: http://<**>/anon/<**>
path: /anon/**
forward_to:
host: {{ include "heimdall.demo.fullname" . }}.heimdall-demo.svc.cluster.local:8080
execute:
Expand Down
2 changes: 1 addition & 1 deletion charts/heimdall/templates/heimdall/admissioncontroller.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ webhooks:
{{- end }}
rules:
- apiGroups: ["heimdall.dadrus.github.com"]
apiVersions: ["v1alpha3"]
apiVersions: ["v1alpha4"]
operations: ["CREATE", "UPDATE"]
resources: ["rulesets"]
scope: "Namespaced"
Expand Down
18 changes: 10 additions & 8 deletions cmd/validate/ruleset.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,11 @@ import (
"github.com/spf13/cobra"

"github.com/dadrus/heimdall/internal/config"
"github.com/dadrus/heimdall/internal/heimdall"
"github.com/dadrus/heimdall/internal/rules"
"github.com/dadrus/heimdall/internal/rules/event"
"github.com/dadrus/heimdall/internal/rules/mechanisms"
"github.com/dadrus/heimdall/internal/rules/provider/filesystem"
"github.com/dadrus/heimdall/internal/rules/rule"
)

// NewValidateRulesCommand represents the "validate rules" command.
Expand Down Expand Up @@ -55,8 +56,6 @@ func NewValidateRulesCommand() *cobra.Command {
}

func validateRuleSet(cmd *cobra.Command, args []string) error {
const queueSize = 50

envPrefix, _ := cmd.Flags().GetString("env-config-prefix")
logger := zerolog.Nop()

Expand Down Expand Up @@ -90,14 +89,17 @@ func validateRuleSet(cmd *cobra.Command, args []string) error {
return err
}

queue := make(event.RuleSetChangedEventQueue, queueSize)

defer close(queue)

provider, err := filesystem.NewProvider(conf, rules.NewRuleSetProcessor(queue, rFactory, logger), logger)
provider, err := filesystem.NewProvider(conf, rules.NewRuleSetProcessor(&noopRepository{}, rFactory), logger)
if err != nil {
return err
}

return provider.Start(context.Background())
}

type noopRepository struct{}

func (*noopRepository) FindRule(_ heimdall.Context) (rule.Rule, error) { return nil, nil }
func (*noopRepository) AddRuleSet(_ string, _ []rule.Rule) error { return nil }
func (*noopRepository) UpdateRuleSet(_ string, _ []rule.Rule) error { return nil }
func (*noopRepository) DeleteRuleSet(_ string) error { return nil }
2 changes: 1 addition & 1 deletion cmd/validate/ruleset_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ func TestRunValidateRulesCommand(t *testing.T) {
proxyMode: true,
confFile: "test_data/config.yaml",
rulesFile: "test_data/invalid-ruleset-for-proxy-usage.yaml",
expError: "no forward_to",
expError: "requires forward_to",
},
{
uc: "everything is valid for proxy mode usage",
Expand Down
10 changes: 3 additions & 7 deletions cmd/validate/test_data/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,9 +171,7 @@ mechanisms:
to: http://127.0.0.1:4433/self-service/login/browser?return_to={{ .Request.URL | urlenc }}

default_rule:
methods:
- GET
- POST
backtracking_enabled: false
execute:
- authenticator: anonymous_authenticator
- finalizer: jwt
Expand All @@ -189,8 +187,8 @@ providers:
watch_interval: 5m
endpoints:
- url: http://foo.bar/rules.yaml
rule_path_match_prefix: /foo
enable_http_cache: true
http_cache:
enabled: true
- url: http://bar.foo/rules.yaml
headers:
bla: bla
Expand All @@ -209,10 +207,8 @@ providers:
buckets:
- url: gs://my-bucket
prefix: service1
rule_path_match_prefix: /service1
- url: gs://my-bucket
prefix: service2
rule_path_match_prefix: /service2
- url: s3://my-bucket/my-rule-set

kubernetes:
Expand Down
12 changes: 6 additions & 6 deletions cmd/validate/test_data/invalid-ruleset-for-proxy-usage.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
version: "1alpha3"
version: "1alpha4"
name: test-rule-set
rules:
- id: rule:foo
match:
url: http://foo.bar/<**>
strategy: glob
# methods: # reuses default
# - GET
# - POST
path: /**
with:
scheme: http
host_glob: foo.bar
methods: [ GET, POST ]
execute:
- authenticator: unauthorized_authenticator
- authenticator: jwt_authenticator1
Expand Down
15 changes: 9 additions & 6 deletions cmd/validate/test_data/valid-ruleset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,22 @@
version: "1alpha3"
version: "1alpha4"
name: test-rule-set
rules:
- id: rule:foo
match:
url: http://foo.bar/<**>
strategy: glob
path: /**
backtracking_enabled: true
with:
scheme: http
host_glob: foo.bar
methods:
- POST
- PUT
forward_to:
host: bar.foo
rewrite:
strip_path_prefix: /foo
add_path_prefix: /baz
strip_query_parameters: [boo]
# methods: # reuses default
# - GET
# - POST
execute:
- authenticator: unauthorized_authenticator
- authenticator: jwt_authenticator1
Expand Down
7 changes: 5 additions & 2 deletions docs/content/_index.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,18 @@ Use declarative techniques you are already familiar with

[source, yaml]
----
apiVersion: heimdall.dadrus.github.com/v1alpha3
apiVersion: heimdall.dadrus.github.com/v1alpha4
kind: RuleSet
metadata:
name: My awesome service
spec:
rules:
- id: my_api_rule
match:
url: http://127.0.0.1:9090/api/<**>
path: /api/**
with:
scheme: http
host_glob: 127.0.0.1:9090
execute:
- authenticator: keycloak
- authorizer: opa
Expand Down
16 changes: 10 additions & 6 deletions docs/content/docs/concepts/operating_modes.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,9 +76,12 @@ And there is a rule, which allows anonymous requests and sets a header with subj
----
id: rule:my-service:anonymous-api-access
match:
url: http://my-backend-service/my-service/api
methods:
- GET
path: /my-service/api
with:
scheme: http
host_glob: my-backend-service
methods:
- GET
execute:
- authenticator: anonymous-authn
- finalizer: id-header
Expand Down Expand Up @@ -144,11 +147,12 @@ And there is a rule, which allows anonymous requests and sets a header with subj
----
id: rule:my-service:anonymous-api-access
match:
url: <**>/my-service/api
path: /my-service/api
with:
methods:
- GET
forward_to:
host: my-backend-service:8888
methods:
- GET
execute:
- authenticator: anonymous-authn
- finalizer: id-header
Expand Down
Loading
Loading