tighten and document path regex

BenTheElder · BenTheElder · commit 204224e6bae5 · 2024-07-12T09:29:35.000-07:00
diff --git a/infra/gcp/terraform/modules/oci-proxy/cloud-armor.tf b/infra/gcp/terraform/modules/oci-proxy/cloud-armor.tf
@@ -69,7 +69,14 @@ resource "google_compute_security_policy" "cloud-armor" {
     priority = "1"
     match {
       expr {
-        expression = "!request.path.matches('(?:^/$)|(?:^/privacy$)|(?:^/v2/)')"
+        # allow:
+        # our homepage info redirect: /
+        # our privacy info redirect: /privacy
+        # OCI ping: /v2
+        # OCI pull / list calls: /v2/<name>/(blobs|manifests|tags)/<reference>
+        # https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints
+        # NOTE: AR doesn't support referrers API
+        expression = "!request.path.matches('(?:^/?$)|(?:^/privacy$)|(?:^/v2/?$)|(?:^/v2/.+/(:?blobs|manifests|tags)/.+$)')"
       }
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,14 @@ resource "google_compute_security_policy" "cloud-armor" {`
`69`	`69`	`priority = "1"`
`70`	`70`	`match {`
`71`	`71`	`expr {`
`72`		`- expression = "!request.path.matches('(?:^/$)\|(?:^/privacy$)\|(?:^/v2/)')"`
	`72`	`+ # allow:`
	`73`	`+ # our homepage info redirect: /`
	`74`	`+ # our privacy info redirect: /privacy`
	`75`	`+ # OCI ping: /v2`
	`76`	`+ # OCI pull / list calls: /v2/<name>/(blobs\|manifests\|tags)/<reference>`
	`77`	`+ # https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints`
	`78`	`+ # NOTE: AR doesn't support referrers API`
	`79`	`+ expression = "!request.path.matches('(?:^/?$)\|(?:^/privacy$)\|(?:^/v2/?$)\|(?:^/v2/.+/(:?blobs\|manifests\|tags)/.+$)')"`
`73`	`80`	`}`
`74`	`81`	`}`
`75`	`82`	`}`