vane_core/compile/
analyze.rs

1use crate::compile::expand::RawRuleSet;
2use crate::error::Error;
3use crate::fetch::FetchKind;
4use crate::metadata::{FetchMetadataProvider, MiddlewareMetadataProvider};
5use crate::predicate::{FieldPath, Predicate};
6use crate::rule::RawRule;
7
8#[derive(Copy, Clone, Eq, PartialEq, Ord, PartialOrd, Hash, Debug)]
9pub enum InspectionLevel {
10	L4Only,
11	L4Peek,
12	L7Header,
13	L7Body,
14}
15
16#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
17pub enum Posture {
18	L4,
19	L7,
20}
21
22#[derive(Debug, Clone)]
23pub struct AnalyzedRule {
24	pub raw: RawRule,
25	pub inspection_level: InspectionLevel,
26	pub specificity: usize,
27	pub posture: Posture,
28	pub needs_request_body: bool,
29	pub needs_response_body: bool,
30}
31
32#[derive(Debug, Clone)]
33pub struct AnalyzedRuleSet {
34	pub rules: Vec<AnalyzedRule>,
35	pub source_files: Vec<std::path::PathBuf>,
36}
37
38/// Compute per-rule inspection level, specificity, posture (L4 vs L7), and
39/// `LazyBuffer` per-side buffer triggers.
40///
41/// # Errors
42/// Returns [`Error::compile`] when a referenced middleware name is missing
43/// from the provider registry (so compile-time analysis cannot decide what
44/// phase it sits in or whether it buffers the body).
45pub fn analyze(
46	set: RawRuleSet,
47	mw_meta: &dyn MiddlewareMetadataProvider,
48	fetch_meta: &dyn FetchMetadataProvider,
49) -> Result<AnalyzedRuleSet, Error> {
50	let mut analyzed = Vec::with_capacity(set.rules.len());
51	for raw in set.rules {
52		analyzed.push(analyze_rule(raw, mw_meta, fetch_meta)?);
53	}
54	Ok(AnalyzedRuleSet { rules: analyzed, source_files: set.source_files })
55}
56
57fn analyze_rule(
58	raw: RawRule,
59	mw_meta: &dyn MiddlewareMetadataProvider,
60	fetch_meta: &dyn FetchMetadataProvider,
61) -> Result<AnalyzedRule, Error> {
62	let fetch_kind = Some(raw.terminate.kind);
63	let fetch_phase = fetch_phase_of(fetch_kind);
64
65	let mut max_level = InspectionLevel::L4Only;
66	let mut specificity = 0usize;
67	let mut reads_http_body = false;
68	if let Some(pred) = &raw.match_predicate {
69		walk_predicate(pred, &mut |p| match p {
70			Predicate::Check(c) => {
71				specificity += 1;
72				let lvl = field_path_inspection_level(&c.path);
73				if lvl > max_level {
74					max_level = lvl;
75				}
76				if matches!(c.path, FieldPath::HttpBody) {
77					reads_http_body = true;
78				}
79			}
80			Predicate::AnyOf(_) | Predicate::Not(_) => {}
81		});
82	}
83
84	let mut needs_request_body = reads_http_body;
85	let mut needs_response_body = false;
86	for mw_ref in &raw.middleware_chain {
87		let meta = mw_meta
88			.get(&mw_ref.name)
89			.ok_or_else(|| Error::compile(format!("unknown middleware: {:?}", mw_ref.name)))?;
90		if meta.needs_body {
91			match meta.kind {
92				crate::middleware::MiddlewareKind::L7Request => needs_request_body = true,
93				crate::middleware::MiddlewareKind::L7Response => needs_response_body = true,
94				crate::middleware::MiddlewareKind::L4Peek | crate::middleware::MiddlewareKind::L4Bytes => {}
95			}
96		}
97	}
98
99	// fetch_meta is consulted so unknown kinds fail compile consistently with
100	// how link will fail later; the metadata itself is not currently consumed
101	// in analyze (phase comes from the fixed FetchKind table below).
102	let _ = fetch_meta;
103
104	let posture = match fetch_phase {
105		FetchPhase::L4 if max_level <= InspectionLevel::L4Peek => Posture::L4,
106		FetchPhase::L4 => {
107			return Err(Error::compile(format!(
108				"rule {:?}: L7-level predicate on an L4 fetch is invalid",
109				raw.name
110			)));
111		}
112		FetchPhase::L7 => Posture::L7,
113	};
114
115	Ok(AnalyzedRule {
116		raw,
117		inspection_level: max_level,
118		specificity,
119		posture,
120		needs_request_body,
121		needs_response_body,
122	})
123}
124
125#[derive(Copy, Clone, Eq, PartialEq, Debug)]
126enum FetchPhase {
127	L4,
128	L7,
129}
130
131const fn fetch_phase_of(kind: Option<FetchKind>) -> FetchPhase {
132	match kind {
133		Some(FetchKind::L4Forward) => FetchPhase::L4,
134		_ => FetchPhase::L7,
135	}
136}
137
138fn walk_predicate(p: &Predicate, f: &mut impl FnMut(&Predicate)) {
139	f(p);
140	match p {
141		Predicate::AnyOf(a) => {
142			for child in &a.any_of {
143				walk_predicate(child, f);
144			}
145		}
146		Predicate::Not(n) => walk_predicate(&n.not, f),
147		Predicate::Check(_) => {}
148	}
149}
150
151const fn field_path_inspection_level(path: &FieldPath) -> InspectionLevel {
152	match path {
153		FieldPath::Transport
154		| FieldPath::RemoteIp
155		| FieldPath::RemotePort
156		| FieldPath::LocalIp
157		| FieldPath::LocalPort => InspectionLevel::L4Only,
158		FieldPath::Peek
159		| FieldPath::TlsSni
160		| FieldPath::TlsAlpn
161		| FieldPath::TlsVersion
162		| FieldPath::TlsPeerCertSubjectCn => InspectionLevel::L4Peek,
163		FieldPath::HttpMethod
164		| FieldPath::HttpUriPath
165		| FieldPath::HttpUriQuery
166		| FieldPath::HttpHeader(_) => InspectionLevel::L7Header,
167		FieldPath::HttpBody => InspectionLevel::L7Body,
168	}
169}
170
171#[cfg(test)]
172mod tests {
173	use super::*;
174	use crate::compile::expand::RawRuleSet;
175	use crate::fetch::{FetchOutputModes, FetchPhase as FetchMetaPhase};
176	use crate::metadata::{FetchMetadata, MiddlewareMetadata};
177	use crate::middleware::MiddlewareKind;
178	use serde_json::Value;
179
180	struct Providers;
181
182	#[allow(clippy::unnecessary_wraps)]
183	fn validate_ok(_: &Value) -> Result<(), Error> {
184		Ok(())
185	}
186
187	impl MiddlewareMetadataProvider for Providers {
188		fn get(&self, name: &str) -> Option<MiddlewareMetadata> {
189			match name {
190				"req_plain" => Some(MiddlewareMetadata {
191					kind: MiddlewareKind::L7Request,
192					stateless: true,
193					needs_body: false,
194					validate_args: validate_ok,
195				}),
196				"req_body" => Some(MiddlewareMetadata {
197					kind: MiddlewareKind::L7Request,
198					stateless: true,
199					needs_body: true,
200					validate_args: validate_ok,
201				}),
202				"resp_body" => Some(MiddlewareMetadata {
203					kind: MiddlewareKind::L7Response,
204					stateless: true,
205					needs_body: true,
206					validate_args: validate_ok,
207				}),
208				_ => None,
209			}
210		}
211	}
212
213	impl FetchMetadataProvider for Providers {
214		fn get(&self, kind: FetchKind) -> Option<FetchMetadata> {
215			Some(FetchMetadata {
216				kind,
217				phase: match kind {
218					FetchKind::L4Forward => FetchMetaPhase::L4,
219					_ => FetchMetaPhase::L7,
220				},
221				output_modes: match kind {
222					FetchKind::L4Forward => FetchOutputModes { response: false, tunnel: true },
223					FetchKind::WebSocketUpgrade => FetchOutputModes { response: true, tunnel: true },
224					_ => FetchOutputModes { response: true, tunnel: false },
225				},
226				validate_args: validate_ok,
227			})
228		}
229	}
230
231	fn set(rules: Vec<RawRule>) -> RawRuleSet {
232		RawRuleSet { rules, source_files: vec![] }
233	}
234
235	fn parse_rule(j: serde_json::Value) -> RawRule {
236		serde_json::from_value(j).expect("parse rule")
237	}
238
239	#[test]
240	fn http_body_predicate_sets_request_body_flag_and_l7body_level() {
241		let rule = parse_rule(serde_json::json!({
242			"name": "r",
243			"listen": [":443"],
244			"match": { "http.body": { "contains": "admin" } },
245			"terminate": { "type": "http_proxy" },
246		}));
247		let out = analyze(set(vec![rule]), &Providers, &Providers).expect("analyze");
248		let a = &out.rules[0];
249		assert!(a.needs_request_body);
250		assert!(!a.needs_response_body);
251		assert_eq!(a.inspection_level, InspectionLevel::L7Body);
252		assert_eq!(a.posture, Posture::L7);
253	}
254
255	#[test]
256	fn l7_request_needs_body_middleware_flags_request_side() {
257		let rule = parse_rule(serde_json::json!({
258			"name": "r",
259			"listen": [":443"],
260			"middleware_chain": [{ "use": "req_body" }],
261			"terminate": { "type": "http_proxy" },
262		}));
263		let out = analyze(set(vec![rule]), &Providers, &Providers).expect("analyze");
264		assert!(out.rules[0].needs_request_body);
265		assert!(!out.rules[0].needs_response_body);
266	}
267
268	#[test]
269	fn l7_response_needs_body_middleware_flags_response_side() {
270		let rule = parse_rule(serde_json::json!({
271			"name": "r",
272			"listen": [":443"],
273			"middleware_chain": [{ "use": "resp_body" }],
274			"terminate": { "type": "http_proxy" },
275		}));
276		let out = analyze(set(vec![rule]), &Providers, &Providers).expect("analyze");
277		assert!(!out.rules[0].needs_request_body);
278		assert!(out.rules[0].needs_response_body);
279	}
280
281	#[test]
282	fn l4_fetch_with_l7_predicate_errors() {
283		let rule = parse_rule(serde_json::json!({
284			"name": "r",
285			"listen": [":22"],
286			"match": { "http.method": { "equals": "GET" } },
287			"terminate": { "type": "tcp_forward", "upstream": "10.0.0.1:22" },
288		}));
289		let err = analyze(set(vec![rule]), &Providers, &Providers).expect_err("must error");
290		assert!(err.to_string().contains("L7-level predicate"));
291	}
292
293	#[test]
294	fn unknown_middleware_name_errors() {
295		let rule = parse_rule(serde_json::json!({
296			"name": "r",
297			"listen": [":443"],
298			"middleware_chain": [{ "use": "does_not_exist" }],
299			"terminate": { "type": "http_proxy" },
300		}));
301		let err = analyze(set(vec![rule]), &Providers, &Providers).expect_err("must error");
302		assert!(err.to_string().contains("does_not_exist"));
303	}
304
305	#[test]
306	fn specificity_counts_check_predicates() {
307		let rule = parse_rule(serde_json::json!({
308			"name": "r",
309			"listen": [":443"],
310			"match": {
311				"any_of": [
312					{ "tls.sni": { "equals": "a" } },
313					{ "tls.sni": { "equals": "b" } },
314				],
315			},
316			"terminate": { "type": "http_proxy" },
317		}));
318		let out = analyze(set(vec![rule]), &Providers, &Providers).expect("analyze");
319		assert_eq!(out.rules[0].specificity, 2);
320	}
321}
vane_core/compile/analyze.rs

vane_core/compile/
analyze.rs
