From 5a92dd018eb9e8a240ceec5d05b5596c35e698c3 Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Fri, 7 Nov 2025 17:37:21 +0100 Subject: [PATCH 1/7] added deapequal for fieldpolicies --- internals/proxy/middlewares/policy.go | 62 ++++++++++++------------ utils/request/requestkeys/requestkeys.go | 8 ++- 2 files changed, 37 insertions(+), 33 deletions(-) diff --git a/internals/proxy/middlewares/policy.go b/internals/proxy/middlewares/policy.go index 2eb54c96..8091ca9f 100644 --- a/internals/proxy/middlewares/policy.go +++ b/internals/proxy/middlewares/policy.go @@ -3,6 +3,7 @@ package middlewares import ( "errors" "net/http" + "reflect" "github.com/codeshelldev/secured-signal-api/internals/config/structure" log "github.com/codeshelldev/secured-signal-api/utils/logger" @@ -78,6 +79,18 @@ func getField(key string, body map[string]any, headers map[string][]string) (any return value, errors.New("field not found") } +func doPoliciesApply(body map[string]any, headers map[string][]string, policies map[string]structure.FieldPolicy) (bool, string) { + for key, policy := range policies { + value, err := getField(key, body, headers) + + if reflect.DeepEqual(value, policy.Value) && err == nil { + return true, key + } + } + + return false, "" +} + func doBlock(body map[string]any, headers map[string][]string, policies map[string]structure.FieldPolicy) (bool, string) { if policies == nil { return false, "" 
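Review bot: In PATCH 1/7's `doPoliciesApply`, `reflect.DeepEqual(value, policy.Value)` is type-strict, so a number that arrives as `float64` never equals a policy value held as `int`, and a block policy on such a field would silently never apply. If `body` is decoded with `encoding/json` into `map[string]any` (not visible here), every JSON number is a `float64`. The type switch added in PATCH 4/7 keeps the same gap, since its `case int:` arm would then be unreachable for body fields. Normalising both sides to one numeric type before comparing, plus a test with a numeric block policy, would close it.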
@@ -89,43 +102,28 @@ func doBlock(body map[string]any, headers map[string][]string, policies map[stri var cause string - var isExplictlyAllowed, isExplicitlyBlocked bool - - for field, policy := range allowed { - value, err := getField(field, body, headers) - - if value == policy.Value && err == nil { - isExplictlyAllowed = true - cause = field - break - } + isExplicitlyAllowed, cause := doPoliciesApply(body, headers, allowed) + isExplicitlyBlocked, cause := doPoliciesApply(body, headers, blocked) + + // explicit allow > block + if isExplicitlyAllowed { + return false, cause } - - for field, policy := range blocked { - value, err := getField(field, body, headers) - - if value == policy.Value && err == nil { - isExplicitlyBlocked = true - cause = field - break - } - } - - // Block all except explicitly Allowed - if len(blocked) == 0 && len(allowed) != 0 { - return !isExplictlyAllowed, cause + + if isExplicitlyBlocked { + return true, cause } - // Allow all except explicitly Blocked - if len(allowed) == 0 && len(blocked) != 0 { - return isExplicitlyBlocked, cause + // only allowed endpoints -> block anything not allowed + if len(allowed) > 0 && len(blocked) == 0 { + return true, cause } - // Excplicitly Blocked except excplictly Allowed - if len(blocked) != 0 && len(allowed) != 0 { - return isExplicitlyBlocked && !isExplictlyAllowed, cause + // only blocked endpoints -> allow anything not blocked + if len(blocked) > 0 && len(allowed) == 0 { + return false, cause } - // Block all - return true, "" + // no match -> default: block all + return true, cause } diff --git a/utils/request/requestkeys/requestkeys.go b/utils/request/requestkeys/requestkeys.go index 7bb7e81b..33b7f64b 100644 --- a/utils/request/requestkeys/requestkeys.go +++ b/utils/request/requestkeys/requestkeys.go 
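Review bot: In `doBlock`, both `doPoliciesApply` calls assign to the same `cause`, so the key found by the allow lookup is overwritten by the block lookup before the `if isExplicitlyAllowed` branch returns it. An explicitly allowed request therefore reports the blocking field, or an empty string, as its cause. Keep the two results apart, e.g. `isExplicitlyAllowed, allowCause := doPoliciesApply(body, headers, allowed)` and `return false, allowCause`. The rewrite also changes the mixed case: with both allow and block policies and no match, the old code returned `false` and the new fall-through returns `true`, which deserves a line in the commit message and a test. `doBlock` starts outside this hunk.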
@@ -46,10 +46,16 @@ func PrefixHeaders(headers map[string][]string) map[string][]string { return res } -func GetFromBodyAndHeaders(field Field, body map[string]any, headers map[string][]string) any { +func PrefixBodyAndHeaders(body map[string]any, headers map[string][]string) (map[string]any, map[string][]string) { body = PrefixBody(body) headers = PrefixHeaders(headers) + return body, headers +} + +func GetFromBodyAndHeaders(field Field, body map[string]any, headers map[string][]string) any { + body, headers = PrefixBodyAndHeaders(body, headers) + switch(field.Prefix) { case BodyPrefix: return GetByField(field, body) From 030542a71e3b9764aca154eed2c55f8aaa6bd8c6 Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Fri, 7 Nov 2025 17:41:34 +0100 Subject: [PATCH 2/7] simplify empty-detection --- internals/proxy/middlewares/policy.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/internals/proxy/middlewares/policy.go b/internals/proxy/middlewares/policy.go index 8091ca9f..e1c3a2b4 100644 --- a/internals/proxy/middlewares/policy.go +++ b/internals/proxy/middlewares/policy.go @@ -92,10 +92,9 @@ func doPoliciesApply(body map[string]any, headers map[string][]string, policies } func doBlock(body map[string]any, headers map[string][]string, policies map[string]structure.FieldPolicy) (bool, string) { - if policies == nil { - return false, "" - } else if len(policies) <= 0 { - return false, "" + if len(policies) == 0 { + // default: block all + return true, "" } allowed, blocked := getPolicies(policies) From 6a1e289c5c798d5cee10e40ed16e9afcde285fb2 Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Fri, 7 Nov 2025 19:16:29 +0100 Subject: [PATCH 3/7] changed default from block all to allow all --- internals/proxy/middlewares/policy.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
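Review bot: The new exported `PrefixBodyAndHeaders` in requestkeys.go has no doc comment, and the hunk does not show whether `PrefixBody` and `PrefixHeaders` copy the maps they receive or modify them in place. A comment such as `// PrefixBodyAndHeaders applies PrefixBody to body and PrefixHeaders to headers and returns both results.` would state the contract; if the helpers mutate their arguments, say so there. `GetFromBodyAndHeaders` continues past the end of the hunk.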
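Review bot: In PATCH 2/7 the merged `len(policies) == 0` branch of `doBlock` returns `true, ""`, while both branches it replaces returned `false, ""`. A deployment with no field policies thus goes from allowing every request to blocking every request, under a subject that only mentions simplification. Flipping the default of an access decision belongs in its own commit, with a test for the nil and the empty map. The single check itself is fine, since `len` of a nil map is 0.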
diff --git a/internals/proxy/middlewares/policy.go b/internals/proxy/middlewares/policy.go index e1c3a2b4..72518371 100644 --- a/internals/proxy/middlewares/policy.go +++ b/internals/proxy/middlewares/policy.go @@ -93,8 +93,8 @@ func doPoliciesApply(body map[string]any, headers map[string][]string, policies func doBlock(body map[string]any, headers map[string][]string, policies map[string]structure.FieldPolicy) (bool, string) { if len(policies) == 0 { - // default: block all - return true, "" + // default: allow all + return false, "" } allowed, blocked := getPolicies(policies) From 8470d64548257746ded307aae64d770043041d00 Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Fri, 7 Nov 2025 19:32:45 +0100 Subject: [PATCH 4/7] add faster equal checks for simple types --- internals/proxy/middlewares/policy.go | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/internals/proxy/middlewares/policy.go b/internals/proxy/middlewares/policy.go index 72518371..004f8a44 100644 --- a/internals/proxy/middlewares/policy.go +++ b/internals/proxy/middlewares/policy.go @@ -83,8 +83,33 @@ func doPoliciesApply(body map[string]any, headers map[string][]string, policies for key, policy := range policies { value, err := getField(key, body, headers) - if reflect.DeepEqual(value, policy.Value) && err == nil { - return true, key + if err != nil { + continue + } + + switch asserted := value.(type) { + case string: + policyValue, ok := policy.Value.(string) + + if ok && asserted == policyValue { + return true, key + } + case int: + policyValue, ok := policy.Value.(int); + + if ok && asserted == policyValue { + return true, key + } + case bool: + policyValue, ok := policy.Value.(bool) + + if ok && asserted == policyValue { + return true, key + } + default: + if reflect.DeepEqual(value, policy.Value) { + return true, key + } } } 
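Review bot: After PATCH 3/7, `doBlock` fails open for an empty policy map but, since PATCH 1/7, fails closed on its final fall-through (`// no match -> default: block all`). The comment `// default: allow all` does not say why the two defaults differ. A comment such as `// no field policies configured: nothing to enforce, allow the request` would record the intent. A test pinning both the nil and the empty map to `false` would keep the default from flipping again unnoticed.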
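Review bot: In PATCH 4/7's first hunk, the `case int:` arm of `doPoliciesApply` ends its assertion with a stray semicolon (`policy.Value.(int);`), which gofmt would remove. The three typed arms also repeat the same assert-and-compare. `reflect.DeepEqual` already returns true only for equal values of the same type, so the arms change speed and not the result. A comment such as `// fast paths for common scalar types; DeepEqual handles the rest` above the switch would stop a reader looking for a semantic difference. The function's opening lines are outside this hunk.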
@@ -113,12 +138,12 @@ func doBlock(body map[string]any, headers map[string][]string, policies map[stri return true, cause } - // only allowed endpoints -> block anything not allowed + // only allow policies -> block anything not allowed if len(allowed) > 0 && len(blocked) == 0 { return true, cause } - // only blocked endpoints -> allow anything not blocked + // only block polcicies -> allow anything not blocked if len(blocked) > 0 && len(allowed) == 0 { return false, cause } From c6ad13b84ec57730c0ccde628b23ac70bf3284a7 Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Fri, 7 Nov 2025 19:33:32 +0100 Subject: [PATCH 5/7] debug incorrect equalcheck --- internals/proxy/middlewares/policy.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/internals/proxy/middlewares/policy.go b/internals/proxy/middlewares/policy.go index 004f8a44..1dd6c848 100644 --- a/internals/proxy/middlewares/policy.go +++ b/internals/proxy/middlewares/policy.go @@ -128,6 +128,8 @@ func doBlock(body map[string]any, headers map[string][]string, policies map[stri isExplicitlyAllowed, cause := doPoliciesApply(body, headers, allowed) isExplicitlyBlocked, cause := doPoliciesApply(body, headers, blocked) + + log.Dev("Blocked: ", isExplicitlyBlocked, "; Allowed: ", isExplicitlyAllowed) // explicit allow > block if isExplicitlyAllowed { From b36e885019f74a56f1df559750f2d3d5a3a0f6ff Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Fri, 7 Nov 2025 19:38:48 +0100 Subject: [PATCH 6/7] off-topic: add bool to logger formatting --- utils/logger/logger.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/utils/logger/logger.go b/utils/logger/logger.go index fe265a72..3d173f16 100644 --- a/utils/logger/logger.go +++ b/utils/logger/logger.go 
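Review bot: In the second hunk of PATCH 4/7, the reworded comment introduces a typo, `// only block polcicies -> allow anything not blocked`; it should read `// only block policies -> allow anything not blocked`. The rest of `doBlock` lies outside this hunk.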
@@ -60,6 +60,12 @@ func Format(data ...any) string { res += value case int: res += strconv.Itoa(value) + case bool: + if value { + res += "true" + } else { + res += "false" + } default: lines := strings.Split(jsonutils.Pretty(value), "\n") From dc9ba1c42e3d53f3e393c6825428bb16592d0690 Mon Sep 17 00:00:00 2001 From: CodeShell <122738806+CodeShellDev@users.noreply.github.com> Date: Fri, 7 Nov 2025 19:42:45 +0100 Subject: [PATCH 7/7] removed debugs --- internals/proxy/middlewares/policy.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/internals/proxy/middlewares/policy.go b/internals/proxy/middlewares/policy.go index 1dd6c848..004f8a44 100644 --- a/internals/proxy/middlewares/policy.go +++ b/internals/proxy/middlewares/policy.go @@ -128,8 +128,6 @@ func doBlock(body map[string]any, headers map[string][]string, policies map[stri isExplicitlyAllowed, cause := doPoliciesApply(body, headers, allowed) isExplicitlyBlocked, cause := doPoliciesApply(body, headers, blocked) - - log.Dev("Blocked: ", isExplicitlyBlocked, "; Allowed: ", isExplicitlyAllowed) // explicit allow > block if isExplicitlyAllowed {
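Review bot: The new `case bool:` arm in `Format` spells out the conversion by hand. `strconv` is already used by the `case int:` arm just above, so the five added lines can be `res += strconv.FormatBool(value)`. `Format` begins and ends outside the hunk.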