Named capturing matchers #1038

Closed
3 tasks done
netthier opened this issue Nov 15, 2023 · 0 comments · Fixed by #1358
@netthier
Contributor

Preflight checklist

Describe the background of your feature request

Authorizing based on path components is currently a bit hacky.
If I have an API like /file/<uuid>/delete I need to both match the <uuid> part exactly and then again retrieve it inside of the authorizer by extracting it out of .Request.URL.Path. This kind of double matching is in my opinion error-prone, and retrieving path segments from the full path via regular expressions or numeric indexing is not very readable, especially if the template is defined separately from the rule.

Describe your idea

I propose an additional kind of matcher, which would always be named and equivalent to the <*> glob (though to be useful #1037 needs to be implemented in some capacity).
This matcher would be trivially convertible to regexp, where named capturing shouldn't be an issue (unlike with the current glob library).
Compare

rules:
  - id: rule:1
    match:
      url: http://hosty.mchostface/files/<*>/delete
    forward_to:
      host: server:8080
    methods:
      - ALL
    execute:
      - authorizer: openfga_check # remote authorizer 
        config:
          # Note: I originally wanted to do this with values, but apparently they cannot template? They should be able to :v
          payload: |
            {
              "user": {{ .Subject.ID | quote }},
              "relation": "can_delete",
              "object": "file:{{ index (splitList "/" .Request.URL.Path) 2 }}"
            }

and

rules:
  - id: rule:1
    match:
      url: http://hosty.mchostface/files/<:uuid>/delete
    forward_to:
      host: server:8080
    methods:
      - ALL
    execute:
      - authorizer: openfga_check # remote authorizer 
        config:
          payload: |
            {
              "user": {{ .Subject.ID | quote }},
              "relation": "can_delete",
              "object": "file:{{ .Request.URL.Captures.uuid }}"
            }

Are there any workarounds or alternatives?

See the first example above

Version

dev (cda0a84)

Additional Context

Originally suggested on Discord here: https://discord.com/channels/1100447190796742698/1174322443859538000/1174322443859538000

@netthier netthier added the feature Used for new features label Nov 15, 2023
@dadrus dadrus added this to the v0.13.0-alpha milestone Nov 15, 2023
@dadrus dadrus modified the milestones: v0.13.0-alpha, v0.14.0-alpha Jan 3, 2024
@dadrus dadrus modified the milestones: v0.14.0-alpha, next Mar 11, 2024
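
The conversion the issue describes, as an added Go example that is not part of the issue or of the project's code: it turns the proposed `<:name>` matcher into a named regexp group and contrasts the result with the positional lookup used in the first rule. The function names and sample paths are assumptions made up for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// namedMatcher finds the proposed <:name> placeholders in a path template.
var namedMatcher = regexp.MustCompile(`<:([A-Za-z_][A-Za-z0-9_]*)>`)

// compileTemplate (hypothetical helper) anchors the template and turns every
// <:name> into a named group that matches exactly one path segment.
func compileTemplate(tmpl string) (*regexp.Regexp, error) {
	quoted := regexp.QuoteMeta(tmpl) // '<', ':' and '>' are not metacharacters, so placeholders survive
	return regexp.Compile("^" + namedMatcher.ReplaceAllString(quoted, "(?P<${1}>[^/]+)") + "$")
}

// captures returns the named segments of path; ok is false when the path
// does not match, so no value is ever extracted from an unmatched request.
func captures(re *regexp.Regexp, path string) (map[string]string, bool) {
	m := re.FindStringSubmatch(path)
	if m == nil {
		return nil, false
	}
	out := make(map[string]string)
	for i, name := range re.SubexpNames() {
		if name != "" {
			out[name] = m[i]
		}
	}
	return out, true
}

// bySegmentIndex mirrors `index (splitList "/" .Request.URL.Path) 2`.
func bySegmentIndex(path string, i int) string {
	parts := strings.Split(path, "/")
	if i >= len(parts) {
		return ""
	}
	return parts[i]
}

func main() {
	// Constructed sample: the route has been moved under an /api prefix.
	re, _ := compileTemplate("/api/files/<:uuid>/delete")
	c, ok := captures(re, "/api/files/1b4e28ba/delete")
	fmt.Println(c["uuid"], ok, bySegmentIndex("/api/files/1b4e28ba/delete", 2))
}
```

With the route moved under `/api`, the positional lookup hands the authorizer `files` as the object, while the named capture still yields the identifier that the matcher actually validated.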