fix(rewriter): prevent mixing of cached rule engines (#44)

2024-10-21 13:48:59 +02:00
parent 16fa751dc7
commit c611705d45
6 changed files with 76 additions and 29 deletions
--- a/internal/proxy/director/layer/authn/layer.go
+++ b/internal/proxy/director/layer/authn/layer.go
@ -10,6 +10,9 @@ import (
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/util"
+	"forge.cadoles.com/cadoles/bouncer/internal/rule"
+	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/Masterminds/sprig/v3"
 	"github.com/pkg/errors"
@ -21,6 +24,8 @@ type Layer struct {
 	auth      Authenticator
 	debug     bool

+	ruleEngineCache *util.RuleEngineCache[*Vars, *LayerOptions]
+
 	templateDir string
 }

@ -74,7 +79,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 				return
 			}

-			if err := l.applyRules(ctx, r, options, user); err != nil {
+			if err := l.applyRules(ctx, r, layer, options, user); err != nil {
 				if errors.Is(err, ErrForbidden) {
 					l.renderForbiddenPage(w, r, layer, options, user)
 					return
@ -189,6 +194,18 @@ func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc
 	opts := NewOptions(funcs...)

 	return &Layer{
+		ruleEngineCache: util.NewInMemoryRuleEngineCache[*Vars, *LayerOptions](func(options *LayerOptions) (*rule.Engine[*Vars], error) {
+			engine, err := rule.NewEngine[*Vars](
+				rule.WithRules(options.Rules...),
+				rule.WithExpr(getAuthnAPI()...),
+				ruleHTTP.WithRequestFuncs(),
+			)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			return engine, nil
+		}),
 		layerType:   layerType,
 		auth:        auth,
 		templateDir: opts.TemplateDir,
--- a/internal/proxy/director/layer/authn/layer_options.go
+++ b/internal/proxy/director/layer/authn/layer_options.go
@ -28,12 +28,13 @@ func DefaultLayerOptions() LayerOptions {
 	return LayerOptions{
 		MatchURLs: []string{"*"},
 		Rules: []string{
-			"del_headers('Remote-*')",
-			"set_header('Remote-User', user.subject)",
+			"del_headers(ctx, 'Remote-*')",
+			"set_header(ctx,'Remote-User', vars.user.subject)",
 			`map(
-				toPairs(user.attrs), {
+				toPairs(vars.user.attrs), {
 					let name = replace(lower(string(get(#, 0))), '_', '-');
 					set_header(
+						ctx,
 						'Remote-User-Attr-' + name, 
 						get(#, 1)
 					) 
--- a/internal/proxy/director/layer/authn/rules.go
+++ b/internal/proxy/director/layer/authn/rules.go
@ -4,8 +4,8 @@ import (
 	"context"
 	"net/http"

-	"forge.cadoles.com/cadoles/bouncer/internal/rule"
 	ruleHTTP "forge.cadoles.com/cadoles/bouncer/internal/rule/http"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/expr-lang/expr"
 	"github.com/pkg/errors"
 )
@ -14,17 +14,11 @@ type Vars struct {
 	User *User `expr:"user"`
 }

-func (l *Layer) applyRules(ctx context.Context, r *http.Request, options *LayerOptions, user *User) error {
-	rules := options.Rules
-	if len(rules) == 0 {
-		return nil
-	}
+func (l *Layer) applyRules(ctx context.Context, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) error {
+	key := string(layer.Proxy) + "-" + string(layer.Name)
+	revisionedEngine := l.ruleEngineCache.Get(key)

-	engine, err := rule.NewEngine[*Vars](
-		rule.WithRules(options.Rules...),
-		rule.WithExpr(getAuthnAPI()...),
-		ruleHTTP.WithRequestFuncs(),
-	)
+	engine, err := revisionedEngine.Get(ctx, layer.Revision, options)
 	if err != nil {
 		return errors.WithStack(err)
 	}