structured-proxy 2.0.0

Universal gRPC→REST transcoding proxy — config-driven, works with any gRPC service
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

//! Route-level access policies.
//!
//! Each policy matches requests by path glob and HTTP method, and declares
//! whether authentication is required and which roles the caller must hold.

use globset::GlobMatcher;

use crate::config::RoutePolicyConfig;

/// A compiled route policy.
pub struct RoutePolicy {
    matcher: GlobMatcher,
    methods: Vec<String>,
    /// Whether a valid token is required to reach the route.
    pub require_auth: bool,
    /// Roles the caller must all hold (AND semantics).
    pub required_roles: Vec<String>,
}

impl RoutePolicy {
    fn matches_method(&self, method: &str) -> bool {
        self.methods.iter().any(|m| m == "*" || m == method)
    }
}

/// A compiled set of route policies, matched in declaration order.
#[derive(Default)]
pub struct Policies {
    rules: Vec<RoutePolicy>,
}

impl Policies {
    /// Compile policy config; the first matching rule wins at request time.
    ///
    /// # Errors
    /// Returns an error when a path glob fails to compile.
    pub fn compile(configs: &[RoutePolicyConfig]) -> Result<Self, String> {
        let rules = configs
            .iter()
            .map(|c| {
                let matcher = globset::GlobBuilder::new(&c.path)
                    .literal_separator(true)
                    .build()
                    .map(|g| g.compile_matcher())
                    .map_err(|e| format!("invalid policy path {:?}: {e}", c.path))?;
                Ok(RoutePolicy {
                    matcher,
                    methods: c.methods.iter().map(|m| m.to_uppercase()).collect(),
                    require_auth: c.require_auth,
                    required_roles: c.required_roles.clone(),
                })
            })
            .collect::<Result<Vec<_>, String>>()?;
        Ok(Self { rules })
    }

    /// First policy matching `path` and `method` (method already uppercased).
    pub fn match_rule(&self, path: &str, method: &str) -> Option<&RoutePolicy> {
        self.rules
            .iter()
            .find(|r| r.matcher.is_match(path) && r.matches_method(method))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn policy(
        path: &str,
        methods: &[&str],
        require_auth: bool,
        roles: &[&str],
    ) -> RoutePolicyConfig {
        RoutePolicyConfig {
            path: path.to_string(),
            methods: methods.iter().map(|s| s.to_string()).collect(),
            require_auth,
            required_roles: roles.iter().map(|s| s.to_string()).collect(),
        }
    }

    #[test]
    fn matches_path_and_method() {
        let p = Policies::compile(&[policy("/v1/admin/**", &["GET", "POST"], true, &["admin"])])
            .unwrap();
        assert!(p.match_rule("/v1/admin/users", "GET").is_some());
        assert!(p.match_rule("/v1/admin/users", "POST").is_some());
        // Method not listed → no match.
        assert!(p.match_rule("/v1/admin/users", "DELETE").is_none());
        // Path outside the glob → no match.
        assert!(p.match_rule("/v1/public", "GET").is_none());
    }

    #[test]
    fn wildcard_method_matches_any() {
        let p = Policies::compile(&[policy("/v1/**", &["*"], true, &[])]).unwrap();
        assert!(p.match_rule("/v1/x", "PATCH").is_some());
    }

    #[test]
    fn first_matching_rule_wins() {
        let p = Policies::compile(&[
            policy("/v1/health", &["*"], false, &[]),
            policy("/v1/**", &["*"], true, &["admin"]),
        ])
        .unwrap();
        // Health rule comes first and does not require auth.
        assert!(!p.match_rule("/v1/health", "GET").unwrap().require_auth);
        // Everything else falls to the catch-all.
        assert!(p.match_rule("/v1/secret", "GET").unwrap().require_auth);
    }
}