package block
import (
"bytes"
"errors"
"io"
"sync"
"github.com/zalando/skipper/metrics"
"github.com/zalando/skipper/proxy"
)
// toblockKeys holds one byte pattern that the matcher searches for in the
// streamed data.
type toblockKeys struct{ str []byte }

const (
	// readBufferSize is the default size, in bytes, of the scratch buffer used
	// for reads from the input. newMatcher caps it at maxBufferSize.
	readBufferSize uint64 = 8192
)

// maxBufferHandling selects what fill does once the pending data grows beyond
// maxBufferSize.
type maxBufferHandling int

const (
	// maxBufferBestEffort makes fill scan the pending data for blocked
	// patterns and then reset the pending buffer so that reading can go on.
	// fill treats every value other than maxBufferAbort this way.
	maxBufferBestEffort maxBufferHandling = iota
	// maxBufferAbort makes fill stop with ErrMatcherBufferFull.
	maxBufferAbort
)
// matcher provides a reader that wraps an input reader, and fails the read
// with proxy.ErrBlocked if one of the configured patterns is found in the
// data.
//
// Data read from the input is collected in pending. It is moved to ready, from
// where Read serves the caller, once a read from the input yields no more data
// (e.g. at EOF). Read scans the caller's buffer for the patterns after filling
// it from ready.
//
// When pending grows beyond maxBufferSize, the behaviour depends on
// maxBufferHandling: with maxBufferAbort the streaming is aborted with
// ErrMatcherBufferFull; otherwise the pending data is scanned for the patterns
// and the pending buffer is reset before reading continues.
//
// To limit the number of repeated scans over the buffered data, the number of
// reads issued per iteration doubles with every iteration, and is reset to the
// initial value after a best-effort scan of a full buffer.
//
// When the matcher is closed, Read returns ErrClosed and neither reads from
// the input nor returns buffered data. If the input implements io.Closer,
// closing the matcher closes the input, too.
//
// NOTE(review): every scan covers one window only (the pending buffer on
// overflow, or the buffer passed to Read). A pattern that is split across two
// windows does not appear to be detected; confirm that this is acceptable for
// the way the filter is deployed.
type matcher struct {
	// once makes the body of Close run a single time.
	once sync.Once
	// input is the wrapped reader.
	input io.ReadCloser
	// toblockList is the list of patterns that cause a read to be blocked.
	toblockList []toblockKeys
	// maxBufferSize is the limit, in bytes, on the size of pending.
	maxBufferSize uint64
	// maxBufferHandling selects the behaviour when pending exceeds maxBufferSize.
	maxBufferHandling maxBufferHandling
	// readBuffer is the scratch buffer for reads from input; fill also passes
	// it to io.CopyBuffer.
	readBuffer []byte
	// ready holds the data that Read hands out to the caller.
	ready *bytes.Buffer
	// pending holds the data read from input that was not yet moved to ready.
	pending *bytes.Buffer
	// metrics receives the "blocked.requests" counter increments.
	metrics metrics.Metrics
	// err is the result of the last call to fill; Read returns it once ready
	// is drained.
	err error
	// closed is set by Close, and by Read when scanning the caller's buffer fails.
	closed bool
}
var (
	// ErrMatcherBufferFull is returned when the buffered data exceeds
	// maxBufferSize and the matcher is configured with maxBufferAbort.
	ErrMatcherBufferFull = errors.New("matcher buffer full")
)
// newMatcher returns a matcher that reads from input and blocks on any of the
// patterns in toblockList. maxBufferSize limits the amount of pending data and
// mbh selects what happens when that limit is exceeded. The scratch read
// buffer is readBufferSize bytes, or maxBufferSize bytes if that is smaller.
//
// NOTE(review): a maxBufferSize of 0 yields a zero-length readBuffer, and
// io.CopyBuffer panics when given an empty buffer. Presumably the caller
// validates maxBufferSize > 0; confirm.
func newMatcher(
	input io.ReadCloser,
	toblockList []toblockKeys,
	maxBufferSize uint64,
	mbh maxBufferHandling,
) *matcher {
	// The scratch buffer never needs to be larger than the overall limit.
	bufSize := maxBufferSize
	if bufSize > readBufferSize {
		bufSize = readBufferSize
	}

	// once is left at its zero value, which is ready to use.
	m := &matcher{
		input:             input,
		toblockList:       toblockList,
		maxBufferSize:     maxBufferSize,
		maxBufferHandling: mbh,
		readBuffer:        make([]byte, bufSize),
		ready:             bytes.NewBuffer(nil),
		pending:           bytes.NewBuffer(nil),
		metrics:           metrics.Default,
	}
	return m
}
// readNTimes reads from the input up to times times, appending whatever each
// read delivers to the pending buffer. It stops at the first read error and
// returns it. The boolean result reports whether any of the reads delivered at
// least one byte.
func (m *matcher) readNTimes(times int) (bool, error) {
	gotData := false
	for left := times; left > 0; left-- {
		n, err := m.input.Read(m.readBuffer)

		// Keep the bytes even when the same call also reported an error.
		m.pending.Write(m.readBuffer[:n])
		gotData = gotData || n > 0

		if err != nil {
			return gotData, err
		}
	}

	return gotData, nil
}
// match scans b for every pattern in toblockList. It returns
// proxy.ErrBlocked, with a count of 0, as soon as one pattern is contained in
// b; otherwise it returns len(b) and a nil error.
//
// NOTE(review): bytes.Contains reports true for an empty pattern, so an empty
// entry in toblockList blocks every input. Presumably the entries are checked
// to be non-empty where the list is built; confirm.
func (m *matcher) match(b []byte) (int, error) {
	for i := range m.toblockList {
		if bytes.Contains(b, m.toblockList[i].str) {
			return 0, proxy.ErrBlocked
		}
	}

	return len(b), nil
}
// fill reads from the input until the ready buffer holds at least requested
// bytes, or until a round of reads delivers no data. In the latter case the
// pending data is moved to ready and the error of that round (possibly nil) is
// returned.
//
// When pending exceeds maxBufferSize, fill returns ErrMatcherBufferFull under
// maxBufferAbort. Otherwise it scans pending for the blocked patterns, returns
// the scan error if there is one, and resets pending.
//
// The number of reads per round starts at 1 and doubles after every round; it
// is set back to 1 by a best-effort scan before that doubling is applied.
func (m *matcher) fill(requested int) error {
	for rounds := 1; m.ready.Len() < requested; rounds *= 2 {
		gotData, readErr := m.readNTimes(rounds)
		if !gotData {
			// The input has nothing more for now: release what was collected.
			io.CopyBuffer(m.ready, m.pending, m.readBuffer)
			return readErr
		}
		// NOTE(review): an error returned together with data is not looked at
		// here; the code appears to rely on the next round reporting it again.

		if uint64(m.pending.Len()) <= m.maxBufferSize {
			continue
		}

		if m.maxBufferHandling == maxBufferAbort {
			return ErrMatcherBufferFull
		}

		if _, err := m.match(m.pending.Bytes()); err != nil {
			return err
		}

		// NOTE(review): Reset discards the scanned bytes; nothing in this
		// branch copies them to ready, so they are not handed to the caller.
		// A pattern that starts before this point and ends after it is also
		// not seen by either scan. Confirm that both effects are intended.
		m.pending.Reset()
		rounds = 1
	}

	return nil
}
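// Read implements io.Reader. It copies buffered data into p, scans the copied
// bytes for the blocked patterns and returns the number of bytes copied.
//
// It returns ErrClosed once the matcher is closed, ErrMatcherBufferFull when
// the buffer limit was exceeded under maxBufferAbort, and proxy.ErrBlocked
// when a pattern was found. Every return of proxy.ErrBlocked increments the
// "blocked.requests" counter. Once the buffered data is drained, the error
// that ended the input (e.g. io.EOF) is returned.
func (m *matcher) Read(p []byte) (int, error) {
	if m.closed {
		return 0, ErrClosed
	}

	// Nothing left to hand out and the input has already ended.
	if m.ready.Len() == 0 && m.err != nil {
		return 0, m.err
	}

	if m.ready.Len() < len(p) {
		m.err = m.fill(len(p))
	}

	switch m.err {
	case ErrMatcherBufferFull:
		return 0, ErrMatcherBufferFull
	case proxy.ErrBlocked:
		m.metrics.IncCounter("blocked.requests")
		return 0, proxy.ErrBlocked
	}

	n, _ := m.ready.Read(p)
	if n == 0 && len(p) > 0 && m.err != nil {
		return 0, m.err
	}

	// Scan and report only the n bytes that were copied into p. Scanning the
	// whole of p would include stale bytes past n, and returning len(p) would
	// claim more data than was delivered, which breaks the io.Reader contract.
	if _, err := m.match(p[:n]); err != nil {
		// A failed scan ends the stream: later reads return ErrClosed.
		m.closed = true
		if err == proxy.ErrBlocked {
			m.metrics.IncCounter("blocked.requests")
		}
		return 0, err
	}

	return n, nil
}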
// Close marks the matcher as closed and closes the underlying reader if it
// implements io.Closer. Only the first call does this work and returns the
// result of closing the input; later calls return nil.
func (m *matcher) Close() error {
	var closeErr error

	m.once.Do(func() {
		m.closed = true

		closer, ok := m.input.(io.Closer)
		if !ok {
			return
		}
		closeErr = closer.Close()
	})

	return closeErr
}