Implement multi-route matching and expansion.

[sporkmonger]

Fixes #74.
Backs out some of the changes in #311, which addressed #73, essentially solving #73 in a different way.

Summary by CodeRabbit

• New Tests

  • Introduction of new test configuration files (exact_resource_route.toml, inexact_resource_route.toml, nonprefixed_resource_route.toml, prefixed_resource_route.toml).

• Improvements

  • Simplified and consolidated route configurations by replacing individual route declarations with routes arrays across multiple configuration files.
  • Enhanced flexibility in defining routes with the addition of prefix and exact matching options.

• Bug Fixes

  • Updated resource configurations to ensure consistent handling of routes and plugins.

• Chores

  • Removed deprecated default_route field from internal structures for cleaner codebase.

[coderabbitai]

Walkthrough

The changes streamline the route configuration in the system by replacing individual route declarations with consolidated routes arrays. This update simplifies the management of routes, enhances user-friendliness, and addresses the handling of trailing slashes in route patterns.

Changes

Files/Groups	Change Summary
config/src/config.rs	Removed RoutePattern enum, updated Resource struct, added expand_routes method.
config/src/toml.rs	Restructured Resource struct, updated resource mappings, added default_resource_prefix and default_resource_exact functions.
config/tests/...	Modified multiple TOML test files to use routes arrays instead of individual route declarations, added new test files for specific route configurations.
ext-processor/src/service.rs	Removed default_route field from BulwarkProcessor struct, adjusted related implementations.
tests/...	Updated various test files to use consolidated routes arrays.

Assessment against linked issues

Objective	Addressed	Explanation
Improve ergonomics of trailing slash routes (#74)	✅

In the code's embrace, routes now align,
With slashes trailing, patterns shine.
Simplified paths, a friendly face,
Configurations fall into place.
🐇✨

Tip

New Features and Improvements

Review Settings

Introduced new personality profiles for code reviews. Users can now select between "Chill" and "Assertive" review tones to tailor feedback styles according to their preferences. The "Assertive" profile posts more comments and nitpicks the code more aggressively, while the "Chill" profile is more relaxed and posts fewer comments.

AST-based Instructions

CodeRabbit offers customizing reviews based on the Abstract Syntax Tree (AST) pattern matching. Read more about AST-based instructions in the documentation.

Community-driven AST-based Rules

We are kicking off a community-driven initiative to create and share AST-based rules. Users can now contribute their AST-based rules to detect security vulnerabilities, code smells, and anti-patterns. Please see the ast-grep-essentials repository for more information.

New Static Analysis Tools

We are continually expanding our support for static analysis tools. We have added support for biome, hadolint, and ast-grep. Update the settings in your .coderabbit.yaml file or head over to the settings page to enable or disable the tools you want to use.

Tone Settings

Users can now customize CodeRabbit to review code in the style of their favorite characters or personalities. Here are some of our favorite examples:

• Mr. T: "You must talk like Mr. T in all your code reviews. I pity the fool who doesn't!"
• Pirate: "Arr, matey! Ye must talk like a pirate in all yer code reviews. Yarrr!"
• Snarky: "You must be snarky in all your code reviews. Snark, snark, snark!"

Revamped Settings Page

We have redesigned the settings page for a more intuitive layout, enabling users to find and adjust settings quickly. This change was long overdue; it not only improves the user experience but also allows our development team to add more settings in the future with ease. Going forward, the changes to .coderabbit.yaml will be reflected in the settings page, and vice versa.

Miscellaneous

• Turn off free summarization: You can switch off free summarization of PRs opened by users not on a paid plan using the enable_free_tier setting.
• Knowledge-base scope: You can now set the scope of the knowledge base to either the repository (local) or the organization (global) level using the knowledge_base setting. In addition, you can specify Jira project keys and Linear team keys to limit the knowledge base scope for those integrations.
• High-level summary placement: You can now customize the location of the high-level summary in the PR description using the high_level_summary_placeholder setting (default @coderabbitai summary).
• Revamped request changes workflow: You can now configure CodeRabbit to auto-approve or request changes on PRs based on the review feedback using the request_changes_workflow setting.

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
AppSec Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request cover a wide range of updates to the configuration files and processing logic for the Bulwark application. The key security-related observations are:

1. Removal of Wildcard Routes: The removal of wildcard routes (e.g., "/*params") is a positive change, as it reduces the potential attack surface and the risk of vulnerabilities related to path traversal or unintended access.

2. Improved Route Handling: The changes to the route handling logic, including the introduction of the Router struct and the simplified decision-making process, can enhance the overall security and maintainability of the application.

3. Plugin Configuration and Validation: The changes to the plugin handling, including the improved initialization and validation, are important to ensure that the plugins do not introduce any security vulnerabilities or unintended behavior.

4. Potential Sensitive Information Exposure: The configuration files may contain sensitive information, such as API keys or database credentials, which should be properly secured and not exposed.

5. Circular Inclusion and Validation: The presence of circular inclusions in the configuration files and the handling of invalid or malformed configuration data should be carefully reviewed to prevent potential denial-of-service vulnerabilities or other security issues.

Overall, the changes in this pull request appear to be focused on improving the functionality, maintainability, and security of the Bulwark application. However, it's crucial to thoroughly review the implementation and the behavior of the application, especially the plugin functionality and the handling of user input, to ensure that no new security vulnerabilities are introduced.

Files Changed:

• crates/config/tests/circular_preset.toml: The changes remove the second [[resource]] block with the wildcard route, which can be considered a positive change from a security perspective.
• crates/config/tests/circular_include.toml: The file includes a circular include, which could potentially lead to a denial-of-service vulnerability if not handled properly.
• crates/config/src/toml.rs: The changes improve the configuration validation and route matching, which can enhance the overall security of the application.
• crates/config/src/config.rs: The changes to the Resource struct and the expand_routes method are focused on improving the functionality and maintainability of the configuration handling.
• crates/config/tests/duplicate_mixed.toml: The changes consolidate the routes and remove the wildcard route, which can be considered a positive change from a security perspective.
• crates/config/tests/duplicate_plugin.toml: The changes remove the wildcard route and consolidate the resource configuration, which may slightly reduce the potential attack surface.
• crates/config/tests/duplicate_preset.toml: The changes remove the wildcard route and consolidate the resource configuration, which may slightly reduce the potential attack surface.
• crates/config/tests/exact_resource_route.toml: The changes introduce the use of exact resource routes, which can help mitigate potential vulnerabilities related to path traversal or directory listing attacks.
• crates/config/tests/inexact_resource_route.toml: The use of inexact routing, especially for the /api/*suffix route, could potentially expose the application to security vulnerabilities if the input is not properly validated and sanitized.
• crates/config/tests/invalid_config_array.toml: The changes introduce the use of non-primitive values in the configuration, which could potentially lead to security issues if not handled properly.
• crates/config/tests/invalid_config_object.toml: The changes introduce the use of non-primitive values in the configuration, which could potentially lead to security issues if not handled properly.
• crates/config/tests/missing.toml: The changes remove the wildcard route, which can be considered a positive change from a security perspective.
• crates/config/tests/missing_include.toml: The presence of a missing configuration file inclusion could potentially reveal information about the application's internal structure or lead to unexpected behavior.
• crates/config/tests/prefixed_resource_route.toml: The changes introduce the use of prefixed resource routes, which could potentially lead to ambiguous routing or unintended behavior if not properly designed.
• crates/config/tests/nonprefixed_resource_route.toml: The absence of a prefix for the defined routes could potentially lead to increased attack surface and make the application more vulnerable to various types of attacks.
• tests/bulwark.toml:

Powered by DryRun Security

[coderabbitai]

Actionable comments posted: 5

Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between a9428dc and 4d58e6a.

Files selected for processing (20)

• crates/config/src/config.rs (1 hunks)
• crates/config/src/toml.rs (8 hunks)
• crates/config/tests/circular_include.toml (1 hunks)
• crates/config/tests/circular_preset.toml (1 hunks)
• crates/config/tests/duplicate_mixed.toml (1 hunks)
• crates/config/tests/duplicate_plugin.toml (1 hunks)
• crates/config/tests/duplicate_preset.toml (1 hunks)
• crates/config/tests/exact_resource_route.toml (1 hunks)
• crates/config/tests/inexact_resource_route.toml (1 hunks)
• crates/config/tests/invalid_config_array.toml (1 hunks)
• crates/config/tests/invalid_config_object.toml (1 hunks)
• crates/config/tests/main.toml (1 hunks)
• crates/config/tests/missing.toml (1 hunks)
• crates/config/tests/missing_include.toml (1 hunks)
• crates/config/tests/nonprefixed_resource_route.toml (1 hunks)
• crates/config/tests/overlapping_preset.toml (1 hunks)
• crates/config/tests/prefixed_resource_route.toml (1 hunks)
• crates/ext-processor/src/service.rs (4 hunks)
• tests/bulwark.toml (1 hunks)
• tests/multi_phase.toml (1 hunks)

Files skipped from review due to trivial changes (1)

• crates/config/tests/nonprefixed_resource_route.toml

Additional comments not posted (17)

crates/config/tests/missing.toml (1)

2-2: The configuration correctly specifies multiple aspects (routes, plugins, timeout) for a resource, aligning with the PR's objectives.

crates/config/tests/invalid_config_array.toml (1)

7-7: The resource configuration is consistent with the new system design, supporting multiple routes and enhanced flexibility.

crates/config/tests/invalid_config_object.toml (1)

7-7: Resource configuration adheres to the updated system design, ensuring consistency across different configurations.

crates/config/tests/missing_include.toml (1)

10-10: Resource configuration is consistent with the updated system design, supporting multiple routes and enhanced flexibility.

crates/config/tests/circular_include.toml (1)

10-10: Resource configuration adheres to the updated system design, ensuring consistency across different configurations.

crates/config/tests/exact_resource_route.toml (1)

7-10: The resource configuration correctly specifies multiple routes and the 'exact' flag, aligning with the PR's objectives to enhance route handling flexibility.

crates/config/tests/prefixed_resource_route.toml (1)

6-10: The configuration correctly implements the prefixed route handling as intended.

crates/config/tests/duplicate_plugin.toml (1)

12-12: Ensure the duplication of plugin definitions is intentional and not an oversight.

Verification successful

Ensure the duplication of plugin definitions is intentional and not an oversight.

---

Ensure the duplication of plugin definitions is intentional and not an oversight.

---

The duplication of plugin definitions in duplicate_plugin.toml is intentional and is used to test the handling of duplicate named plugins or presets. This is confirmed by the test case test_load_config_duplicate_plugin in crates/config/src/toml.rs, which expects an error due to the duplicate plugin named 'blank_slate'.

• crates/config/src/toml.rs, lines around test_load_config_duplicate_plugin

Scripts Executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Check for intentional duplication of plugin definitions in `duplicate_plugin.toml`.

# Test: Search for duplicate plugin definitions. Expect: Comments or documentation justifying duplication.
rg --type toml $'ref = "blank_slate"' crates/config/tests/duplicate_plugin.toml

Length of output: 120

---

---

Script:

#!/bin/bash
# Description: Search for related documentation or comments explaining the duplication of plugin definitions.

# Test: Search for any mention of `duplicate_plugin.toml` in the repository to find related documentation or comments.
rg 'duplicate_plugin.toml'

Length of output: 117

---

---

Script:

#!/bin/bash
# Description: Examine the context around the reference to `duplicate_plugin.toml` in `crates/config/src/toml.rs`.

# Test: Display lines around the reference to `duplicate_plugin.toml` to find any comments or documentation explaining the duplication.
rg --context 10 'duplicate_plugin.toml' crates/config/src/toml.rs

Length of output: 686

crates/config/tests/inexact_resource_route.toml (1)

6-10: The configuration correctly implements the inexact route handling as intended.

tests/bulwark.toml (1)

16-16: The configuration correctly implements the intended route handling.

crates/config/tests/duplicate_mixed.toml (1)

16-16: The change from a single route to a routes array aligns with the PR objectives to handle routes more flexibly. This should enhance the configuration's clarity and maintainability.

tests/multi_phase.toml (1)

17-17: The addition of multiple routes to the resource configuration is consistent with the PR's goal of improving route handling. This should enhance flexibility in route configuration.

crates/config/tests/circular_preset.toml (1)

20-20: The change from a single route to a routes array aligns with the PR objectives to handle routes more flexibly. This should enhance the configuration's clarity and maintainability.

crates/config/tests/main.toml (1)

26-26: The change from a single route to a routes array aligns with the PR objectives to handle routes more flexibly. This should enhance the configuration's clarity and maintainability.

crates/config/src/config.rs (1)

453-453: The changes to the Resource struct and the addition of the expand_routes method align with the PR objectives to handle routes more flexibly and intuitively. The method implementation is robust, handling both exact and prefix conditions effectively.

Also applies to: 461-499

crates/config/src/toml.rs (2)

466-470: Ensure proper initialization of Resource fields.

The changes to the Resource struct to include routes, prefix, and exact fields align with the PR objectives to handle multiple routes and improve route matching logic. Make sure that all instances of Resource are properly initialized with these new fields to avoid runtime errors.

---

674-683: Verify the transformation logic in expand_routes.

The transformation logic in expand_routes is crucial for ensuring that routes are correctly expanded based on the exact and prefix flags. It's important to verify that this method handles all edge cases correctly, especially with complex route patterns.

Verification successful

---

The expand_routes method in crates/config/src/config.rs has been fully retrieved and reviewed. The method correctly handles the transformation of routes based on the exact and prefix flags. It ensures that routes are expanded appropriately by adding or removing trailing slashes and appending wildcard suffixes when necessary.

• The exact flag ensures that routes ending with a slash are handled correctly, and routes without a wildcard or trailing slash are appended with a slash.
• The prefix flag appends a wildcard suffix to routes that do not already contain a wildcard.

The method also sorts the routes by length in descending order before returning them.

Scripts Executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify the correct transformation of routes in the `expand_routes` method.

# Test: Search for the usage of `expand_routes` method. Expect: Correct transformation of routes.
rg --type rust $'expand_routes'

Length of output: 235

---

---

Script:

#!/bin/bash
# Retrieve the implementation of the `expand_routes` method from `crates/config/src/config.rs`.
ast-grep --lang rust --pattern $'fn expand_routes($_, $_, $_) {
  $$$
}' crates/config/src/config.rs

Length of output: 101

---

---

Script:

#!/bin/bash
# Use `rg` to search for the `expand_routes` method definition and retrieve its implementation from `crates/config/src/config.rs`.
rg 'fn expand_routes' -A 20 crates/config/src/config.rs

Length of output: 938

---

---

Script:

#!/bin/bash
# Use `rg` to search for the `expand_routes` method definition and retrieve more lines to get the complete implementation from `crates/config/src/config.rs`.
rg 'fn expand_routes' -A 40 crates/config/src/config.rs

Length of output: 1681