split engine and rules code into separate files to make easier to read through

Author: bcpeinhardt

boundary.go

@@ -11,11 +11,11 @@ import (
 	"github.com/coder/boundary/audit"
 	"github.com/coder/boundary/jail"
 	"github.com/coder/boundary/proxy"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 type Config struct {
-	RuleEngine rules.Engine
+	RuleEngine rulesengine.Engine
 	Auditor    audit.Auditor
 	TLSConfig  *tls.Config
 	Logger     *slog.Logger

cli/cli.go

@@ -12,7 +12,7 @@ import (
 	"github.com/coder/boundary"
 	"github.com/coder/boundary/audit"
 	"github.com/coder/boundary/jail"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 	"github.com/coder/boundary/tls"
 	"github.com/coder/boundary/util"
 	"github.com/coder/serpent"
@@ -101,14 +101,14 @@ func Run(ctx context.Context, config Config, args []string) error {
 	}
 
 	// Parse allow rules
-	allowRules, err := rules.ParseAllowSpecs(config.AllowStrings)
+	allowRules, err := rulesengine.ParseAllowSpecs(config.AllowStrings)
 	if err != nil {
 		logger.Error("Failed to parse allow rules", "error", err)
 		return fmt.Errorf("failed to parse allow rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(allowRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(allowRules, logger)
 
 	// Create auditor
 	auditor := audit.NewLogAuditor(logger)

proxy/proxy.go

@@ -15,12 +15,12 @@ import (
 	"sync/atomic"
 
 	"github.com/coder/boundary/audit"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 // Server handles HTTP and HTTPS requests with rule-based filtering
 type Server struct {
-	ruleEngine rules.Engine
+	ruleEngine rulesengine.Engine
 	auditor    audit.Auditor
 	logger     *slog.Logger
 	tlsConfig  *tls.Config
@@ -33,7 +33,7 @@ type Server struct {
 // Config holds configuration for the proxy server
 type Config struct {
 	HTTPPort   int
-	RuleEngine rules.Engine
+	RuleEngine rulesengine.Engine
 	Auditor    audit.Auditor
 	Logger     *slog.Logger
 	TLSConfig  *tls.Config

proxy/proxy_test.go

@@ -17,7 +17,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/boundary/audit"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 // mockAuditor is a simple mock auditor for testing
@@ -35,13 +35,13 @@ func TestProxyServerBasicHTTP(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"method=*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}
@@ -116,13 +116,13 @@ func TestProxyServerBasicHTTPS(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"method=*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}
@@ -210,13 +210,13 @@ func TestProxyServerCONNECT(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"method=*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}

rulesengine/engine.go

@@ -0,0 +1,122 @@
+package rulesengine
+
+import (
+	"log/slog"
+	neturl "net/url"
+	"strings"
+)
+
+// Engine evaluates HTTP requests against a set of rules.
+type Engine struct {
+	rules  []Rule
+	logger *slog.Logger
+}
+
+// NewRuleEngine creates a new rule engine
+func NewRuleEngine(rules []Rule, logger *slog.Logger) Engine {
+	return Engine{
+		rules:  rules,
+		logger: logger,
+	}
+}
+
+// Result contains the result of rule evaluation
+type Result struct {
+	Allowed bool
+	Rule    string // The rule that matched (if any)
+}
+
+// Evaluate evaluates a request and returns both result and matching rule
+func (re *Engine) Evaluate(method, url string) Result {
+	// Check if any allow rule matches
+	for _, rule := range re.rules {
+		if re.matches(rule, method, url) {
+			return Result{
+				Allowed: true,
+				Rule:    rule.Raw,
+			}
+		}
+	}
+
+	// Default deny if no allow rules match
+	return Result{
+		Allowed: false,
+		Rule:    "",
+	}
+}
+
+// Matches checks if the rule matches the given method and URL using wildcard patterns
+func (re *Engine) matches(r Rule, method, url string) bool {
+
+	// Check method patterns if they exist
+	if r.MethodPatterns != nil {
+		methodMatches := false
+		for mp := range r.MethodPatterns {
+			if string(mp) == method || string(mp) == "*" {
+				methodMatches = true
+				break
+			}
+		}
+		if !methodMatches {
+			re.logger.Debug("rule does not match", "reason", "method pattern mismatch", "rule", r.Raw, "method", method, "url", url)
+			return false
+		}
+	}
+
+	parsedUrl, err := neturl.Parse(url)
+	if err != nil {
+		re.logger.Debug("rule does not match", "reason", "invalid URL", "rule", r.Raw, "method", method, "url", url, "error", err)
+		return false
+	}
+
+	if r.HostPattern != nil {
+		// For a host pattern to match, every label has to match or be an `*`.
+		// Subdomains also match automatically, meaning if the pattern is "example.com"
+		// and the real is "api.example.com", it should match. We check this by comparing
+		// from the end of the actual hostname with the pattern (which is in normal order).
+
+		labels := strings.Split(parsedUrl.Hostname(), ".")
+
+		// If the host pattern is longer than the actual host, it's definitely not a match
+		if len(r.HostPattern) > len(labels) {
+			re.logger.Debug("rule does not match", "reason", "host pattern too long", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.HostPattern), "hostname_labels", len(labels))
+			return false
+		}
+
+		// Since host patterns cannot end with asterisk, we only need to handle:
+		// "example.com" or "*.example.com" - match from the end (allowing subdomains)
+		for i, lp := range r.HostPattern {
+			labelIndex := len(labels) - len(r.HostPattern) + i
+			if string(lp) != labels[labelIndex] && lp != "*" {
+				re.logger.Debug("rule does not match", "reason", "host pattern label mismatch", "rule", r.Raw, "method", method, "url", url, "expected", string(lp), "actual", labels[labelIndex])
+				return false
+			}
+		}
+	}
+
+	if r.PathPattern != nil {
+		segments := strings.Split(parsedUrl.Path, "/")
+
+		// Skip the first empty segment if the path starts with "/"
+		if len(segments) > 0 && segments[0] == "" {
+			segments = segments[1:]
+		}
+
+		// If the path pattern is longer than the actual path, definitely not a match
+		if len(r.PathPattern) > len(segments) {
+			re.logger.Debug("rule does not match", "reason", "path pattern too long", "rule", r.Raw, "method", method, "url", url, "pattern_length", len(r.PathPattern), "path_segments", len(segments))
+			return false
+		}
+
+		// Each segment in the pattern must be either as asterisk or match the actual path segment
+		for i, sp := range r.PathPattern {
+			if string(sp) != segments[i] && sp != "*" {
+				re.logger.Debug("rule does not match", "reason", "path pattern segment mismatch", "rule", r.Raw, "method", method, "url", url, "expected", string(sp), "actual", segments[i])
+				return false
+			}
+		}
+	}
+
+	re.logger.Debug("rule matches", "reason", "all patterns matched", "rule", r.Raw, "method", method, "url", url)
+	return true
+}