[TT-12550] policy key path permissions problem (#6437)
### **User description** Fixes two issues: - invalid regex in allowed urls would allow all requests to pass - mux path parameters unsupported `{id}` was considered literal (only regex supported) Input accessURL patterns are now handled by the mux library (GetPathRegexp). https://tyktech.atlassian.net/browse/TT-12550 ___ ### **PR Type** Bug fix, Enhancement, Tests ___ ### **Description** - Enhanced URL matching in `GranularAccessMiddleware` by converting mux path parameters to regex. - Improved logging to include path and pattern matching details. - Handled regex compilation errors gracefully by skipping invalid patterns. - Added new `RouteRegexString` function to convert mux routes to regex. - Introduced tests for `RouteRegexString` function. - Added test case for invalid regex in allowed URLs. ___ ### **Changes walkthrough** 📝 <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table> <tr> <td> <details> <summary><strong>mw_granular_access.go</strong><dd><code>Enhance URL matching and logging in GranularAccessMiddleware</code></dd></summary> <hr> gateway/mw_granular_access.go <li>Added conversion of mux path parameters to regex.<br> <li> Improved logging for path and pattern matching.<br> <li> Handled regex compilation errors gracefully.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6437/files#diff-618f7d55751d572562a29506a13beba2da969436e974f8b51df7d9708c925436">+12/-6</a> </td> </tr> <tr> <td> <details> <summary><strong>route.go</strong><dd><code>Add RouteRegexString function for mux route conversion</code> </dd></summary> <hr> internal/httputil/route.go <li>Introduced <code>RouteRegexString</code> function to convert mux routes to regex.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6437/files#diff-be202cd339a918297746198e9c73364977d25886235f105762bce816ff46e11e">+44/-0</a> </td> </tr> 
</table></td></tr><tr><td><strong>Tests</strong></td><td><table> <tr> <td> <details> <summary><strong>mw_granular_access_test.go</strong><dd><code>Add test case for invalid regex in allowed URLs</code> </dd></summary> <hr> gateway/mw_granular_access_test.go - Added test case for invalid regex in allowed URLs. </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6437/files#diff-8e0d7cfef26688edd7d08334d955039dab5deb3caf860d29eff6d09894eaba20">+4/-0</a> </td> </tr> <tr> <td> <details> <summary><strong>route_test.go</strong><dd><code>Add tests for RouteRegexString function</code> </dd></summary> <hr> internal/httputil/route_test.go - Added tests for `RouteRegexString` function. </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6437/files#diff-a291c7018ab8c1fabe97ad7c94b8820dc47c889f79fb7376eb78c0abc3ccaed6">+24/-0</a> </td> </tr> </table></td></tr></tr></tbody></table> ___ > 💡 **PR-Agent usage**: >Comment `/help` on the PR to get a list of all available PR-Agent tools and their descriptions --------- Co-authored-by: Tit Petric <tit@tyk.io>
1 parent
7ee58e0
commit 40d8cf5
Showing
13 changed files
with
338 additions
and
63 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,49 @@ | ||
--- | ||
version: "3" | ||
|
||
vars: | ||
testArgs: -v | ||
|
||
tasks: | ||
default: | ||
desc: "Run tests" | ||
test: | ||
desc: "Run tests (requires redis)" | ||
cmds: | ||
- task: fmt | ||
- go test {{.testArgs}} -count=1 -cover -coverprofile=rate.cov -coverpkg=./... ./... | ||
|
||
bench: | ||
desc: "Run benchmarks" | ||
cmds: | ||
- task: fmt | ||
- go test {{.testArgs}} -count=1 -tags integration -bench=. -benchtime=10s -benchmem ./... | ||
|
||
fmt: | ||
internal: true | ||
desc: "Invoke fmt" | ||
cmds: | ||
- go fmt ./... | ||
- goimports -w . | ||
- go test -race -count=100 -cover . | ||
- go fmt ./... | ||
|
||
cover: | ||
desc: "Show source coverage" | ||
aliases: [coverage, cov] | ||
cmds: | ||
- go tool cover -func=rate.cov | ||
|
||
uncover: | ||
desc: "Show uncovered source" | ||
cmds: | ||
- uncover rate.cov | ||
|
||
lint: | ||
desc: "Lint docs" | ||
cmds: | ||
- schema-gen extract -o - | schema-gen lint -i - | ||
|
||
install:uncover: | ||
desc: "Install uncover" | ||
internal: true | ||
env: | ||
GOBIN: /usr/local/bin | ||
cmds: | ||
- go install github.com/gregoryv/uncover/...@latest |
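Review bot: The `install:uncover` task runs `go install github.com/gregoryv/uncover/...@latest` with `GOBIN: /usr/local/bin`, so whatever the module's newest release is at run time gets built and written into a system-wide binary directory. Pinning a reviewed version, for example `go install github.com/gregoryv/uncover/...@<PINNED_VERSION>` (placeholder, no version is given on this page), keeps the tool reproducible and limits exposure to a changed or compromised upstream release. A user-local `GOBIN` would also avoid needing write access to `/usr/local/bin`. The +/- markers are lost in this rendering, so I am assuming the task is on the new side of the hunk.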
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
package httputil | ||
|
||
import ( | ||
"regexp" | ||
"strings" | ||
|
||
"github.com/gorilla/mux" | ||
|
||
"github.com/TykTechnologies/tyk/internal/maps" | ||
) | ||
|
||
// routeCache holds the raw routes as they are mapped to mux regular expressions. | ||
// e.g. `/foo` becomes `^/foo$` or similar, and parameters get matched and replaced. | ||
var pathRegexpCache = maps.NewStringMap() | ||
|
||
// GetPathRegexp will convert a mux route url to a regular expression string. | ||
// The results for subsequent invocations with the same parameters are cached. | ||
func GetPathRegexp(pattern string) (string, error) { | ||
val, ok := pathRegexpCache.Get(pattern) | ||
if ok { | ||
return val, nil | ||
} | ||
|
||
if IsMuxTemplate(pattern) { | ||
dummyRouter := mux.NewRouter() | ||
route := dummyRouter.PathPrefix(pattern) | ||
result, err := route.GetPathRegexp() | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
pathRegexpCache.Set(pattern, result) | ||
return result, nil | ||
} | ||
|
||
if strings.HasPrefix(pattern, "/") { | ||
return "^" + pattern, nil | ||
} | ||
return "^.*" + pattern, nil | ||
} | ||
|
||
// IsMuxTemplate determines if a pattern is a mux template by counting the number of opening and closing braces. | ||
func IsMuxTemplate(pattern string) bool { | ||
openBraces := strings.Count(pattern, "{") | ||
closeBraces := strings.Count(pattern, "}") | ||
return openBraces > 0 && openBraces == closeBraces | ||
} | ||
|
||
// StripListenPath will strip the listenPath from the passed urlPath. | ||
// If the listenPath contains mux variables, it will trim away the | ||
// matching pattern with a regular expression that mux provides. | ||
func StripListenPath(listenPath, urlPath string) (res string) { | ||
defer func() { | ||
if !strings.HasPrefix(res, "/") { | ||
res = "/" + res | ||
} | ||
}() | ||
|
||
res = urlPath | ||
|
||
// early return on the simple case | ||
if strings.HasPrefix(urlPath, listenPath) { | ||
res = strings.TrimPrefix(res, listenPath) | ||
return res | ||
} | ||
|
||
if !IsMuxTemplate(listenPath) { | ||
return res | ||
} | ||
|
||
tmp := new(mux.Route).PathPrefix(listenPath) | ||
s, err := tmp.GetPathRegexp() | ||
if err != nil { | ||
return res | ||
} | ||
|
||
reg := regexp.MustCompile(s) | ||
return reg.ReplaceAllString(res, "") | ||
} |
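Review bot: The comment above `pathRegexpCache` says `/foo` becomes `^/foo$`, but neither branch of `GetPathRegexp` adds an end anchor: the plain branch returns `"^" + pattern` (or `"^.*" + pattern`) and the template branch goes through `PathPrefix`, so the result is a prefix match. The commit description says these patterns gate allowed URLs, so an entry such as `/users/{id}` would presumably also match longer paths under it unless the caller appends `$`, which is not visible in this file. I would reword the comment to `// pathRegexpCache caches patterns converted to start-anchored (prefix) regular expressions; callers that need an exact match must append "$".`, which also fixes the stale `routeCache` name. Separately, `IsMuxTemplate` only counts braces, so a plain regex with a quantifier such as `[0-9]{3}` is handed to mux as a template and will likely be interpreted differently from what the policy author wrote; a test pinning that input would be worth adding. The plain-pattern branch also returns without compiling or caching the result, so callers still have to handle an invalid regex themselves.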