refactor!: Rules are loaded into a radix trie instead of a list

charts/heimdall/crds/ruleset.yaml

@@ -27,7 +27,7 @@ spec:
     singular: ruleset
     listKind: RuleSetList
   versions:
-    - name: v1alpha3
+    - name: v1alpha4
       served: true
       storage: true
       schema:
@@ -75,20 +75,66 @@ spec:
                         description: How to match the rule
                         type: object
                         required:
-                          - url
+                          - path
+                          - methods
                         properties:
-                          url:
-                            description: The url to match
+                          scheme:
+                            description: The HTTP scheme, which should be matched. If not set, http and https are matched
+                            type: string
+                            maxLength: 5
+                          host_glob:
+                            description: Glob expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_regex'.
                             type: string
                             maxLength: 512
-                          strategy:
-                            description: Strategy to match the url. Can either be regex or glob.
+                          host_regex:
+                            description: Regular expression to match the host if required. If not set, all hosts are matched. Mutually exclusive with 'host_glob'.
                             type: string
-                            maxLength: 5
-                            default: glob
-                            enum:
-                              - regex
-                              - glob
+                            maxLength: 512
+                          path:
+                            description: The path to match
+                            type: object
+                            required:
+                              - expression
+                            properties:
+                              expression:
+                                description: The actual path expression to match. Simple and free (named) wildcards can be used
+                                type: string
+                                maxLength: 256
+                              glob:
+                                description: Additional glob expression the matched path should be matched against. Mutual exclusive with 'regex'.
+                                type: string
+                                maxLength: 256
+                              regex:
+                                description: Additional regular expression the matched path should be matched against. Mutual exclusive with 'glob'
+                                type: string
+                                maxLength: 256
+                          methods:
+                            description: The HTTP methods to match
+                            type: array
+                            minItems: 1
+                            items:
+                              type: string
+                              maxLength: 16
+                              enum:
+                                - "CONNECT"
+                                - "!CONNECT"
+                                - "DELETE"
+                                - "!DELETE"
+                                - "GET"
+                                - "!GET"
+                                - "HEAD"
+                                - "!HEAD"
+                                - "OPTIONS"
+                                - "!OPTIONS"
+                                - "PATCH"
+                                - "!PATCH"
+                                - "POST"
+                                - "!POST"
+                                - "PUT"
+                                - "!PUT"
+                                - "TRACE"
+                                - "!TRACE"
+                                - "ALL"
                       forward_to:
                         description: Where to forward the request to. Required only if heimdall is used in proxy operation mode.
                         type: object
@@ -125,33 +171,6 @@ spec:
                                 items:
                                   type: string
                                   maxLength: 128
-                      methods:
-                        description: The allowed HTTP methods
-                        type: array
-                        minItems: 1
-                        items:
-                          type: string
-                          maxLength: 16
-                          enum:
-                            - "CONNECT"
-                            - "!CONNECT"
-                            - "DELETE"
-                            - "!DELETE"
-                            - "GET"
-                            - "!GET"
-                            - "HEAD"
-                            - "!HEAD"
-                            - "OPTIONS"
-                            - "!OPTIONS"
-                            - "PATCH"
-                            - "!PATCH"
-                            - "POST"
-                            - "!POST"
-                            - "PUT"
-                            - "!PUT"
-                            - "TRACE"
-                            - "!TRACE"
-                            - "ALL"
                       execute:
                         description: The pipeline mechanisms to execute
                         type: array

charts/heimdall/templates/demo/test-rule.yaml

@@ -15,7 +15,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 {{- if .Values.demo.enabled }}
-apiVersion: heimdall.dadrus.github.com/v1alpha3
+apiVersion: heimdall.dadrus.github.com/v1alpha4
 kind: RuleSet
 metadata:
   name: {{ include "heimdall.demo.fullname" . }}-test-rule
@@ -26,7 +26,8 @@ spec:
   rules:
     - id: public-access
       match:
-        url: http://<**>/pub/<**>
+        path:
+          expression: /pub/**
       forward_to:
         host: {{ include "heimdall.demo.fullname" . }}.heimdall-demo.svc.cluster.local:8080
       execute:
@@ -35,7 +36,8 @@ spec:
         - finalizer: noop_finalizer
     - id: anonymous-access
       match:
-        url: http://<**>/anon/<**>
+        path:
+          expression: /anon/**
       forward_to:
         host: {{ include "heimdall.demo.fullname" . }}.heimdall-demo.svc.cluster.local:8080
       execute:

cmd/validate/test_data/invalid-ruleset-for-proxy-usage.yaml

@@ -1,13 +1,11 @@
-version: "1alpha3"
+version: "1alpha4"
 name: test-rule-set
 rules:
 - id: rule:foo
   match:
-    url: http://foo.bar/<**>
-    strategy: glob
-#  methods: # reuses default
-#    - GET
-#    - POST
+    scheme: http
+    host_glob: foo.bar
+    path: /**
   execute:
     - authenticator: unauthorized_authenticator
     - authenticator: jwt_authenticator1

cmd/validate/test_data/valid-ruleset.yaml

@@ -1,19 +1,17 @@
-version: "1alpha3"
+version: "1alpha4"
 name: test-rule-set
 rules:
 - id: rule:foo
   match:
-    url: http://foo.bar/<**>
-    strategy: glob
+    scheme: http
+    path: /**
+    host_glob: foo.bar
   forward_to:
     host: bar.foo
     rewrite:
       strip_path_prefix: /foo
       add_path_prefix: /baz
       strip_query_parameters: [boo]
-#  methods: # reuses default
-#    - GET
-#    - POST
   execute:
     - authenticator: unauthorized_authenticator
     - authenticator: jwt_authenticator1

docs/content/_index.adoc

@@ -15,15 +15,18 @@ Use declarative techniques you are already familiar with
 
 [source, yaml]
 ----
-apiVersion: heimdall.dadrus.github.com/v1alpha3
+apiVersion: heimdall.dadrus.github.com/v1alpha4
 kind: RuleSet
 metadata:
   name: My awesome service
 spec:
   rules:
     - id: my_api_rule
       match:
-        url: http://127.0.0.1:9090/api/<**>
+        scheme: http
+        host_glob: 127.0.0.1:9090
+        path:
+          expression: /api/**
       execute:
         - authenticator: keycloak
         - authorizer: opa

docs/content/docs/rules/regular_rule.adoc

@@ -26,46 +26,39 @@ The unique identifier of a rule. It must be unique across all rules loaded by th
 +
 Defines how to match a rule and supports the following properties:
 
-** *`url`*: _string_ (mandatory)
+** *`scheme`*: _string_ (optional)
 +
-Glob or Regex pattern of the endpoints of your upstream service, which this rule should apply to. Query parameters are ignored.
+Which HTTP scheme is allowed. If not specified, both http and https are accepted.
 
-** *`strategy`*: _string_ (optional)
+** *`host_glob`*: _string_ (optional)
 +
-Which strategy to use for matching of the value, provided in the `url` property. Can be one of:
+Glob expression to match the host. Used after the rule is matched with the `path` definition (see below). Mutually exclusive with `host_regex`.
++
+Head over to https://github.com/gobwas/glob[gobwas/glob] to get more insights about possible options.
 
-*** `regex` - to match `url` expressions by making use of regular expressions. Internally, heimdall makes use of Heimdall uses https://github.com/dlclark/regexp2[dlclark/regexp2] to implement this strategy. Head over to linked resource to get more insights about possible options.
+** *`host_regex`*: _string_ (optional)
 +
-.Regular expressions patterns
-====
-* `\https://mydomain.com/` matches `\https://mydomain.com/` and doesn't match `\https://mydomain.com/foo` or `\https://mydomain.com`.
-* `<https|http>://mydomain.com/<.*>` matches `\https://mydomain.com/` and `\http://mydomain.com/foo`. Doesn't match `\https://other-domain.com/` or `\https://mydomain.com`.
-* `\http://mydomain.com/<[[:digit:]]+>` matches `\http://mydomain.com/123`, but doesn't match `\http://mydomain/abc`.
-* `\http://mydomain.com/<(?!protected).*>` matches `\http://mydomain.com/resource`, but doesn't match `\http://mydomain.com/protected`.
-====
+Regular expression to match the host. Used after the rule is matched with the `path` definition (see below). Mutually exclusive with `host_glob`.
 
-*** `glob` - to match `url` expressions by making use of glob expressions. Internally, heimdall makes use of Heimdall uses https://github.com/gobwas/glob[gobwas/glob] to implement this strategy. Head over to linked resource to get more insights about possible options.
+** *`path`*: _PathExpression_ (mandatory)
 +
-.Glob patterns
-====
-* `\https://mydomain.com/<m?n>` matches `\https://mydomain.com/man` and does not match `\http://mydomain.com/foo`.
-* `\https://mydomain.com/<{foo*,bar*}>` matches `\https://mydomain.com/foo` or `\https://mydomain.com/bar` and doesn't match `\https://mydomain.com/any`.
-====
+Definitions on how to match the path.
 
-* *`allow_encoded_slashes`*: _string_ (optional)
+*** *`expression`*: _string_ (mandatory)
 +
-Defines how to handle url-encoded slashes in url paths while matching and forwarding the requests. Can be set to the one of the following values, defaulting to `off`:
+The actual matching expression. Simple and free (named and unnamed) wildcards can be used
 
-** *`off`* - Reject requests containing encoded slashes. Means, if the request URL contains an url-encoded slash (`%2F`), the rule will not match it.
-** *`on`* - Accept requests using encoded slashes, decoding them and making it transparent for the rules and the upstream url. That is, the `%2F` becomes a `/` and will be treated as such in all places.
-** *`no_decode`* - Accept requests using encoded slashes, but not touching them and showing them to the rules and the upstream. That is, the `%2F` just remains as is.
+*** *`glob`*: _string_ (optional)
++
+An additional glob expression, which should be satisfied after the request has been matched by the `expression` value. Mutually exclusive with `regex`.
 
+*** *`regex`*: _string_ (optional)
 +
-CAUTION: Since the proxy integrating with heimdall, heimdall by itself, and the upstream service, all may treat the url-encoded slashes differently, accepting requests with url-encoded slashes can, depending on your rules, lead to https://cwe.mitre.org/data/definitions/436.html[Interpretation Conflict] vulnerabilities resulting in privilege escalations.
+An additional regular expression, which should be satisfied after the request has been matched by the `expression` value. Mutually exclusive with `glob`.
 
-* *`methods`*: _string array_ (optional)
+** *`methods`*: _string array_ (optional)
 +
-Which HTTP methods (`GET`, `POST`, `PATCH`, etc) are allowed for the matched URL. If not specified, every request to that URL will result in `405 Method Not Allowed` response from heimdall. If all methods should be allowed, one can use a special `ALL` placeholder. If all, except some specific methods should be allowed, one can specify `ALL` and remove specific methods by adding the `!` sign to the to be removed method. In that case you have to specify the value in braces. See also examples below.
+Which HTTP methods (`GET`, `POST`, `PATCH`, etc) are allowed for the matched URL. If not specified, no rule will feel responsible resulting in `404 Not Found` response from heimdall. If all methods should be allowed, one can use a special `ALL` placeholder. If all, except some specific methods should be allowed, one can specify `ALL` and remove specific methods by adding the `!` sign to the to be removed method. In that case you have to specify the value in braces. See also examples below.
 +
 .Methods list which effectively expands to all HTTP methods
 ====
@@ -87,6 +80,17 @@ methods:
 ----
 ====
 
+* *`allow_encoded_slashes`*: _string_ (optional)
++
+Defines how to handle url-encoded slashes in url paths while matching and forwarding the requests. Can be set to the one of the following values, defaulting to `off`:
+
+** *`off`* - Reject requests containing encoded slashes. Means, if the request URL contains an url-encoded slash (`%2F`), the rule will not match it.
+** *`on`* - Accept requests using encoded slashes, decoding them and making it transparent for the rules and the upstream url. That is, the `%2F` becomes a `/` and will be treated as such in all places.
+** *`no_decode`* - Accept requests using encoded slashes, but not touching them and showing them to the rules and the upstream. That is, the `%2F` just remains as is.
+
++
+CAUTION: Since the proxy integrating with heimdall, heimdall by itself, and the upstream service, all may treat the url-encoded slashes differently, accepting requests with url-encoded slashes can, depending on your rules, lead to https://cwe.mitre.org/data/definitions/436.html[Interpretation Conflict] vulnerabilities resulting in privilege escalations.
+
 * *`forward_to`*: _RequestForwarder_ (mandatory in Proxy operation mode)
 +
 Defines where to forward the proxied request to. Used only when heimdall is operated in the Proxy operation mode and supports the following properties:

docs/content/docs/rules/rule_sets.adoc

@@ -44,19 +44,23 @@ An imaginary rule set file defining two rules could look like shown below.
 
 [source, yaml]
 ----
-version: "1alpha3"
+version: "1alpha4"
 name: my-rule-set
 rules:
 - id: rule:1
   match:
-    url: https://my-service1.local/<**>
-  methods: [ "GET" ]
+    scheme: https
+    host_glob: my-service1.local
+    path: /**
+    methods: [ "GET" ]
   execute:
     - authorizer: foobar
 - id: rule:2
   match:
-    url: https://my-service2.local/<**>
-  methods: [ "GET" ]
+    scheme: https
+    host_glob: my-service2.local
+    path: /**
+    methods: [ "GET" ]
   execute:
     - authorizer: barfoo
 ----
@@ -108,7 +112,7 @@ $ kubectl apply -f https://raw.githubusercontent.com/dadrus/heimdall/main/charts
 ====
 [source, yaml]
 ----
-apiVersion: heimdall.dadrus.github.com/v1alpha3
+apiVersion: heimdall.dadrus.github.com/v1alpha4
 kind: RuleSet
 metadata:
   name: "<some name>"
@@ -117,7 +121,10 @@ spec:
   rules:
     - id: "<identifier of a rule 1>"
       match:
-        url: http://127.0.0.1:9090/foo/<**>
+        scheme: https
+        host_glob: 127.0.0.1:9090
+        path:
+          expression: /foo/**
       execute:
         - authenticator: foo
         - authorizer: bar