Match suffixes and prefixes in string constraints

sandhose · sandhose · commit 0ab0f13c7c13 · 2025-02-17T16:40:10.000+01:00
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
@@ -391,6 +391,8 @@ policy:
         literals: ["alice@example.com", "bob@example.com"]
         # Regular expressions that match allowed emails
         regexes: ["@example\\.com$"]
+        # Suffixes that match allowed emails
+        suffixes: ["@example.com"]
 
       # If specified, the email address *must not* match one of the banned addresses.
       # If unspecified, all email addresses are allowed.
@@ -401,6 +403,10 @@ policy:
         substrings: ["evil"]
         # Regular expressions that match banned emails
         regexes: ["@evil\\.corp$"]
+        # Suffixes that match banned emails
+        suffixes: ["@evil.corp"]
+        # Prefixes that match banned emails
+        prefixes: ["alice@"]
 
     requester:
       # List of IP addresses and CIDRs that are not allowed to register
@@ -414,6 +420,8 @@ policy:
         literals: ["Pretend this is Real;"]
         substrings: ["Chrome"]
         regexes: ["Chrome 1.*;"]
+        prefixes: ["Mozilla/"]
+        suffixes: ["Safari/605.1.15"]
 ```
 
 ## `rate_limiting`
diff --git a/policies/common/common.rego b/policies/common/common.rego
@@ -8,6 +8,10 @@ matches_string_constraints(str, constraints) if matches_substrings(str, constrai
 
 matches_string_constraints(str, constraints) if matches_literals(str, constraints.literals)
 
+matches_string_constraints(str, constraints) if matches_suffixes(str, constraints.suffixes)
+
+matches_string_constraints(str, constraints) if matches_prefixes(str, constraints.prefixes)
+
 matches_regexes(str, regexes) if {
 	some pattern in regexes
 	regex.match(pattern, str)
@@ -23,6 +27,16 @@ matches_literals(str, literals) if {
 	str == literal
 }
 
+matches_suffixes(str, suffixes) if {
+	some suffix in suffixes
+	endswith(str, suffix)
+}
+
+matches_prefixes(str, prefixes) if {
+	some prefix in prefixes
+	startswith(str, prefix)
+}
+
 # Normalize an IP address or CIDR to a CIDR
 normalize_cidr(ip) := ip if contains(ip, "/")
 
diff --git a/policies/common/common_test.rego b/policies/common/common_test.rego
@@ -18,6 +18,16 @@ test_match_regex if {
 	not common.matches_string_constraints("some string", {"regexes": ["^string"]})
 }
 
+test_match_prefix if {
+	common.matches_string_constraints("some string", {"prefixes": ["some"]})
+	not common.matches_string_constraints("some string", {"prefixes": ["string"]})
+}
+
+test_match_suffix if {
+	common.matches_string_constraints("some string", {"suffixes": ["string"]})
+	not common.matches_string_constraints("some string", {"suffixes": ["some"]})
+}
+
 test_ip_in_list if {
 	common.ip_in_list("192.168.1.1", ["192.168.1.1"])
 	common.ip_in_list("192.168.1.1", ["192.168.1.0/24"])
