gate v3 url pattern matching in feature flag

cherry-pick 3996bce
tgerakitis · Feb 3, 2022 · 2021629 · 2021629
1 parent 08f8b4d
commit 2021629
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 6 deletions.
diff --git a/internal/authorization/rbac/rbac_test.go b/internal/authorization/rbac/rbac_test.go
@@ -1,6 +1,7 @@
 package rbac
 
 import (
+	"github.com/mesosphere/traefik-forward-auth/internal/features"
 	"net/url"
 	"testing"
 
@@ -319,3 +320,7 @@ func TestRBACAuthorizer_AuthorizePatternTypes(t *testing.T) {
 		}
 	}
 }
+
+func init() {
+	features.EnableV3URLPatternMatchin()
+}
diff --git a/internal/authorization/urlpatterns.go b/internal/authorization/urlpatterns.go
@@ -5,6 +5,8 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+
+	"github.com/mesosphere/traefik-forward-auth/internal/features"
 )
 
 var (
@@ -118,9 +120,9 @@ func URLMatchesRegexp(url, regex string) bool {
 
 // URLMatchesWildcardPattern returns true if the URL matches the pattern containing optional wildcard '*' characters
 func URLMatchesWildcardPattern(url, pattern string) bool {
-	// original implementation:
-	// return pattern == url ||
-	//	 (strings.HasSuffix(pattern, "*") && strings.HasPrefix(url, strings.TrimRight(pattern, "*")))
-
-	return globalRECache.MatchString(url, pattern, true)
+	if features.V3URLPatternMatchingEnabled() {
+		return globalRECache.MatchString(url, pattern, true)
+	} else {
+		return pattern == url || (strings.HasSuffix(pattern, "*") && strings.HasPrefix(url, strings.TrimRight(pattern, "*")))
+	}
 }
diff --git a/internal/authorization/urlpatterns_test.go b/internal/authorization/urlpatterns_test.go
@@ -4,6 +4,8 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+
+	"github.com/mesosphere/traefik-forward-auth/internal/features"
 )
 
 func TestWildcardMatches(t *testing.T) {
@@ -28,7 +30,7 @@ func TestWildcardMatches(t *testing.T) {
 		{pattern: "/ops/portal/grafana/**", url: "/ops/portal/grafana/public/img/fav32.png", matches: true},
 		{pattern: "/ops/portal/grafana/**", url: "/ops/portal/grafana/public/build/runtime.3932bda029d2299a9d96.js", matches: true},
 	}
-
+	features.EnableV3URLPatternMatchin()
 	for _, c := range testCases {
 		if !assert.Equal(t, c.matches, URLMatchesWildcardPattern(c.url, c.pattern)) {
 			t.Logf("URLMatchesWildcardPattern(%v, %v) != %v", c.url, c.pattern, c.matches)
@@ -74,6 +76,29 @@ func TestRegexpMatches(t *testing.T) {
 		{pattern: `^https?://[^/]+/`, url: "https://www.google.com/", matches: true},
 	}
 
+	features.EnableV3URLPatternMatchin()
+	for _, c := range testCases {
+		if !assert.Equal(t, c.matches, URLMatchesRegexp(c.url, c.pattern)) {
+			t.Logf("URLMatchesRegexp(%v, %v) != %v", c.url, c.pattern, c.matches)
+		}
+	}
+}
+
+func TestOldPreV3Matching(t *testing.T) {
+	type test struct {
+		pattern string
+		url     string
+		matches bool
+	}
+
+	var testCases = []test{
+		{pattern: ``, url: "", matches: false},
+		{pattern: ``, url: "/", matches: false},
+		{pattern: `/`, url: "", matches: false},
+		{pattern: `/`, url: "/", matches: true},
+		{pattern: `/admin/*`, url: "/admin/sub1/sub2/index.html", matches: true},
+		{pattern: `/admin'`, url: "/admin/sub1/sub2/index.html", matches: false},
+	}
 	for _, c := range testCases {
 		if !assert.Equal(t, c.matches, URLMatchesRegexp(c.url, c.pattern)) {
 			t.Logf("URLMatchesRegexp(%v, %v) != %v", c.url, c.pattern, c.matches)

diff --git a/internal/configuration/config.go b/internal/configuration/config.go
@@ -19,6 +19,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/thomseddon/go-flags"
 
+	"github.com/mesosphere/traefik-forward-auth/internal/features"
 	internallog "github.com/mesosphere/traefik-forward-auth/internal/log"
 	"github.com/mesosphere/traefik-forward-auth/internal/util"
 )
@@ -75,6 +76,9 @@ type Config struct {
 	OIDCProvider        *oidc.Provider
 	Lifetime            time.Duration
 	ServiceAccountToken string
+
+	// Flags
+	EnableV3URLPatternMatching bool `long:"enable-v3-url-pattern-matching" env:"ENABLE_V3_URL_PATTERN_MATCHING" description:"Specifies weather to use v3 URL pattern matching as implemented in this commit: https://github.com/mesosphere/traefik-forward-auth/commit/36c3eee4c9fa262064848d4ddaca6652b96763b5"`
 }
 
 // NewConfig loads config from provided args or uses os.Args if nil
@@ -237,6 +241,9 @@ func (c *Config) Validate() {
 		}
 		c.ServiceAccountToken = strings.TrimSuffix(string(t), "\n")
 	}
+	if c.EnableV3URLPatternMatching {
+		features.EnableV3URLPatternMatchin()
+	}
 }
 
 // LoadOIDCProviderConfiguration loads the configuration of OpenID Connect provider

diff --git a/internal/features/vars.go b/internal/features/vars.go
@@ -0,0 +1,13 @@
+package features
+
+var (
+	v3URLPatternMatching bool
+)
+
+func EnableV3URLPatternMatchin() {
+	v3URLPatternMatching = true
+}
+
+func V3URLPatternMatchingEnabled() bool {
+	return v3URLPatternMatching
+}