proxy config: support path regex in allowed requests (#2731)

lyft · Jul 19, 2023 · a97fa67 · a97fa67
1 parent b6d33f4
commit a97fa67
Show file tree

Hide file tree

Showing 7 changed files with 356 additions and 47 deletions.
diff --git a/api/config/module/proxy/v1/proxy.proto b/api/config/module/proxy/v1/proxy.proto
@@ -22,6 +22,12 @@ message Service {
 }
 
 message AllowRequest {
-  string path = 1 [ (validate.rules).string.min_len = 1 ];
+  oneof path_type {
+    option (validate.required) = true;
+    // Must match the request path exactly
+    string path = 1 [ (validate.rules).string.min_len = 1 ];
+    // Request path must match the regex pattern
+    string path_regex = 3 [ (validate.rules).string.min_len = 1 ];
+  }
   string method = 2 [ (validate.rules).string.min_len = 1 ];
 }
diff --git a/backend/api/config/module/proxy/v1/proxy.pb.go b/backend/api/config/module/proxy/v1/proxy.pb.go
diff --git a/backend/api/config/module/proxy/v1/proxy.pb.validate.go b/backend/api/config/module/proxy/v1/proxy.pb.validate.go
diff --git a/backend/module/proxy/proxy.go b/backend/module/proxy/proxy.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strings"
 
 	"github.com/golang/protobuf/ptypes/any"
@@ -35,14 +36,9 @@ func New(cfg *any.Any, log *zap.Logger, scope tally.Scope) (module.Module, error
 		return nil, err
 	}
 
-	// Validate that each services constructs a parsable URL
-	for _, service := range config.Services {
-		for _, ar := range service.AllowedRequests {
-			_, err := url.Parse(fmt.Sprintf("%s%s", service.Host, ar.Path))
-			if err != nil {
-				return nil, fmt.Errorf("unable to parse the configured URL for service [%s]", service.Name)
-			}
-		}
+	err = validateConfigPaths(config)
+	if err != nil {
+		return nil, err
 	}
 
 	m := &mod{
@@ -205,13 +201,25 @@ func isAllowedRequest(services []*proxyv1cfg.Service, service, path, method stri
 	for _, s := range services {
 		if s.Name == service {
 			for _, ar := range s.AllowedRequests {
-				parsedUrl, err := url.Parse(fmt.Sprintf("%s%s", s.Host, path))
-				if err != nil {
-					return false, err
-				}
-
-				if parsedUrl.Path == ar.Path && strings.EqualFold(method, ar.Method) {
-					return true, nil
+				switch t := ar.PathType.(type) {
+				case *proxyv1cfg.AllowRequest_Path:
+					parsedUrl, err := url.Parse(fmt.Sprintf("%s%s", s.Host, path))
+					if err != nil {
+						return false, err
+					}
+					if parsedUrl.Path == t.Path && strings.EqualFold(method, ar.Method) {
+						return true, nil
+					}
+				case *proxyv1cfg.AllowRequest_PathRegex:
+					r, err := regexp.Compile(t.PathRegex)
+					if err != nil {
+						return false, err
+					}
+					if r.MatchString(path) {
+						return true, nil
+					}
+				default:
+					return false, fmt.Errorf("path type not supported: %T", t)
 				}
 			}
 			// return early here as were done checking allowed request for this service
@@ -235,3 +243,27 @@ func addExcludedHeaders(request *http.Request) {
 		request.Host = hostHeader
 	}
 }
+
+func validateConfigPaths(config *proxyv1cfg.Config) error {
+	for _, service := range config.Services {
+		for _, ar := range service.AllowedRequests {
+			switch t := ar.PathType.(type) {
+			case *proxyv1cfg.AllowRequest_Path:
+				// For exact path type, validate that string constructs a parsable URL
+				_, err := url.Parse(fmt.Sprintf("%s%s", service.Host, t.Path))
+				if err != nil {
+					return fmt.Errorf("unable to parse the configured URL for service [%s]", service.Name)
+				}
+			case *proxyv1cfg.AllowRequest_PathRegex:
+				// For path regex type, validate that expression can be parsed
+				_, err := regexp.Compile(t.PathRegex)
+				if err != nil {
+					return err
+				}
+			default:
+				return fmt.Errorf("path type not supported: %T", t)
+			}
+		}
+	}
+	return nil
+}