Adds new partial string matching to header_rewrite (#12213)

Author: zwoop

doc/admin-guide/plugins/header_rewrite.en.rst

@@ -752,8 +752,17 @@ OR     Indicates that either the current condition or the next one must be
        true, as contrasted with the default behavior from ``[AND]``.
 NOCASE Indicates that the string comparison, or regular expression, should be
        case-insensitive. The default is to be case-sensitive.
+PRE    Make a prefix match on a string comparison.
+SUF    Make a suffix match on a string comparison.
+MID    Make a substring match on a string comparison.
+EXT    The substring match only applies to the file extension following a dot.
+       This is generally mostly useful for the ``URL:PATH`` part.
 ====== ========================================================================
 
+**Note**: At most, one of ``[PRE]``, ``[SUF]``, ``[MID]``, or ``[EXT]`` may be
+used at any time. They can however be used together with ``[NOCASE]]`` and the
+other flags.
+
 Operators
 ---------
 
@@ -1594,3 +1603,12 @@ limiting to the request.::
    cond %{REMAP_PSEUDO_HOOK} [AND]
    cond %{CLIENT-HEADER:Some-Special-Header} ="yes"
    run-plugin rate_limit.so "--limit=300 --error=429"
+
+Check the ``PATH`` file extension
+---------------------------------
+
+This rule will deny all requests for URIs with the ``.php`` file extension::
+
+   cond %{REMAP_PSEUDO_HOOK} [AND]
+   cond %{CLIENT-URL:PATH} ="php" [EXT,NOCASE]
+   set-status 403

plugins/header_rewrite/condition.cc

@@ -75,26 +75,50 @@ Condition::initialize(Parser &p)
     if (p.mod_exist("AND")) {
       TSError("[%s] Can't have both AND and OR in mods", PLUGIN_NAME);
     } else {
-      _mods = static_cast<CondModifiers>(_mods | COND_OR);
+      _mods |= CondModifiers::OR;
     }
   } else if (p.mod_exist("AND")) {
-    _mods = static_cast<CondModifiers>(_mods | COND_AND);
+    _mods |= CondModifiers::AND;
   }
 
   if (p.mod_exist("NOT")) {
-    _mods = static_cast<CondModifiers>(_mods | COND_NOT);
+    _mods |= CondModifiers::NOT;
   }
 
   // The NOCASE / CASE modifier is a bit special, since it ripples down into the Matchers for
   // strings and regexes.
+  int _substr_seen = 0;
+
   if (p.mod_exist("NOCASE")) {
-    _mods = static_cast<CondModifiers>(_mods | COND_NOCASE);
+    _mods |= CondModifiers::MOD_NOCASE;
   } else if (p.mod_exist("CASE")) {
-    // Nothing to do, this is the default
+    // Nothing to do — default is case-sensitive, but still allow this string for clearness.
+  }
+
+  if (p.mod_exist("EXT")) {
+    _mods |= CondModifiers::MOD_EXT;
+    _substr_seen++;
+  }
+  if (p.mod_exist("SUF")) {
+    _mods |= CondModifiers::MOD_SUF;
+    _substr_seen++;
+  }
+  if (p.mod_exist("PRE")) {
+    _mods |= CondModifiers::MOD_PRE;
+    _substr_seen++;
+  }
+  if (p.mod_exist("MID")) {
+    _mods |= CondModifiers::MOD_MID;
+    _substr_seen++;
+  }
+
+  if (_substr_seen > 1) {
+    throw std::runtime_error("Only one substring modifier (EXT, SUF, PRE, MID) may be used.");
   }
 
+  // Deal with the "last" modifier as well.
   if (p.mod_exist("L")) {
-    _mods = static_cast<CondModifiers>(_mods | COND_LAST);
+    _mods |= CondModifiers::MOD_L;
   }
 
   _cond_op = parse_matcher_op(p.get_arg());

plugins/header_rewrite/condition.h

@@ -54,12 +54,12 @@ class Condition : public Statement
   {
     bool rt = eval(res);
 
-    if (_mods & COND_NOT) {
+    if (has_modifier(_mods, CondModifiers::NOT)) {
       rt = !rt;
     }
 
     if (_next) {
-      if (_mods & COND_OR) {
+      if (has_modifier(_mods, CondModifiers::OR)) {
         return rt || (static_cast<Condition *>(_next)->do_eval(res));
       } else { // AND is the default
         // Short circuit if we're an AND and the first condition is FALSE.
@@ -79,7 +79,7 @@ class Condition : public Statement
   bool
   last() const
   {
-    return _mods & COND_LAST;
+    return has_modifier(_mods, CondModifiers::MOD_L);
   }
 
   CondModifiers
@@ -129,5 +129,5 @@ class Condition : public Statement
   Matcher    *_matcher       = nullptr;
 
 private:
-  CondModifiers _mods = COND_NONE;
+  CondModifiers _mods = CondModifiers::NONE;
 };

plugins/header_rewrite/matcher.cc

@@ -32,12 +32,10 @@ void
 Matchers<std::string>::set(const std::string &d, CondModifiers mods)
 {
   _data = d;
-  if (mods & COND_NOCASE) {
-    _nocase = true;
-  }
+  _mods = mods;
 
   if (_op == MATCH_REGULAR_EXPRESSION) {
-    if (!_reHelper.setRegexMatch(_data, _nocase)) {
+    if (!_reHelper.setRegexMatch(_data, has_modifier(_mods, CondModifiers::MOD_NOCASE))) {
       std::stringstream ss;
 
       ss << _data;
@@ -50,28 +48,63 @@ Matchers<std::string>::set(const std::string &d, CondModifiers mods)
   }
 }
 
-// Special case for strings, to allow for insensitive case comparisons for std::string matchers.
 template <>
 bool
 Matchers<std::string>::test_eq(const std::string &t) const
 {
-  bool r = false;
-
-  if (_data.length() == t.length()) {
-    if (_nocase) {
-      // ToDo: in C++20, this would be nicer with std::range, e.g.
-      // r = std::ranges::equal(_data, t, [](char c1, char c2) { return std::tolower(c1) == std::tolower(c2); });
-      r = std::equal(_data.begin(), _data.end(), t.begin(), [](char c1, char c2) {
-        return std::tolower(static_cast<unsigned char>(c1)) == std::tolower(static_cast<unsigned char>(c2));
-      });
-    } else {
-      r = (t == _data);
+  std::string_view lhs    = _data;
+  std::string_view rhs    = t;
+  bool             result = false;
+
+  // ToDo: in C++20, we should be able to use std::ranges::equal, but this breaks on Ubuntu CI
+  // return std::ranges::equal(a, b, [](char c1, char c2) {
+  //   return std::tolower(static_cast<unsigned char>(c1)) == std::tolower(static_cast<unsigned char>(c2));
+  // });
+  // Case-aware comparison
+  auto compare = [&](const std::string_view a, const std::string_view b) -> bool {
+    if (has_modifier(_mods, CondModifiers::MOD_NOCASE)) {
+      return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin(), [](char c1, char c2) {
+               return std::tolower(static_cast<unsigned char>(c1)) == std::tolower(static_cast<unsigned char>(c2));
+             });
+    }
+    return a == b;
+  };
+
+  // Case-aware substring match
+  auto contains = [&](const std::string_view haystack, const std::string_view &needle) -> bool {
+    if (!has_modifier(_mods, CondModifiers::MOD_NOCASE)) {
+      return haystack.find(needle) != std::string_view::npos;
+    }
+    auto it = std::search(haystack.begin(), haystack.end(), needle.begin(), needle.end(), [](char c1, char c2) {
+      return std::tolower(static_cast<unsigned char>(c1)) == std::tolower(static_cast<unsigned char>(c2));
+    });
+    return it != haystack.end();
+  };
+
+  if (has_modifier(_mods, CondModifiers::MOD_EXT)) {
+    auto dot = rhs.rfind('.');
+    if (dot != std::string_view::npos && dot + 1 < rhs.size()) {
+      result = compare(rhs.substr(dot + 1), lhs);
+    }
+  } else if (has_modifier(_mods, CondModifiers::MOD_SUF)) {
+    if (rhs.size() >= lhs.size()) {
+      result = compare(rhs.substr(rhs.size() - lhs.size()), lhs);
+    }
+  } else if (has_modifier(_mods, CondModifiers::MOD_PRE)) {
+    if (rhs.size() >= lhs.size()) {
+      result = compare(rhs.substr(0, lhs.size()), lhs);
+    }
+  } else if (has_modifier(_mods, CondModifiers::MOD_MID)) {
+    result = contains(rhs, lhs);
+  } else {
+    if (rhs.size() == lhs.size()) {
+      result = compare(rhs, lhs);
     }
   }
 
   if (pi_dbg_ctl.on()) {
-    debug_helper(t, " == ", r);
+    debug_helper(t, " == ", result);
   }
 
-  return r;
+  return result;
 }

plugins/header_rewrite/matcher.h

@@ -24,6 +24,7 @@
 #include <string>
 #include <sstream>
 #include <stdexcept>
+#include <type_traits>
 
 #include "swoc/swoc_ip.h"
 
@@ -44,16 +45,52 @@ enum MatcherOps {
 };
 
 // Condition modifiers
-enum CondModifiers {
-  COND_NONE   = 0,
-  COND_OR     = 1,
-  COND_AND    = 2,
-  COND_NOT    = 4,
-  COND_NOCASE = 8,
-  COND_LAST   = 16,
-  COND_CHAIN  = 32 // Not implemented
+enum class CondModifiers : int {
+  NONE       = 0,
+  OR         = 1 << 0,
+  AND        = 1 << 1,
+  NOT        = 1 << 2,
+  MOD_NOCASE = 1 << 3,
+  MOD_L      = 1 << 4,
+  MOD_EXT    = 1 << 5,
+  MOD_PRE    = 1 << 6,
+  MOD_SUF    = 1 << 7,
+  MOD_MID    = 1 << 8, // Essentially a substring
 };
 
+inline CondModifiers
+operator|(CondModifiers a, const CondModifiers b)
+{
+  using U = std::underlying_type_t<CondModifiers>;
+  return static_cast<CondModifiers>(static_cast<U>(a) | static_cast<U>(b));
+}
+
+inline CondModifiers
+operator&(CondModifiers a, const CondModifiers b)
+{
+  using U = std::underlying_type_t<CondModifiers>;
+  return static_cast<CondModifiers>(static_cast<U>(a) & static_cast<U>(b));
+}
+
+inline CondModifiers &
+operator|=(CondModifiers &a, const CondModifiers b)
+{
+  return a = a | b;
+}
+
+inline CondModifiers &
+operator&=(CondModifiers &a, const CondModifiers b)
+{
+  return a = a & b;
+}
+
+inline bool
+has_modifier(const CondModifiers flags, const CondModifiers bit)
+{
+  using U = std::underlying_type_t<CondModifiers>;
+  return static_cast<U>(flags) & static_cast<U>(bit);
+}
+
 ///////////////////////////////////////////////////////////////////////////////
 // Base class for all Matchers (this is also the interface)
 //
@@ -93,9 +130,7 @@ template <class T> class Matchers : public Matcher
   set(const T &d, CondModifiers mods)
   {
     _data = d;
-    if (mods & COND_NOCASE) {
-      _nocase = true;
-    }
+    _mods = mods;
   }
 
   // Evaluate this matcher
@@ -191,7 +226,8 @@ template <class T> class Matchers : public Matcher
   bool
   test_reg(const std::string &t, const Resources &res) const
   {
-    Dbg(pi_dbg_ctl, "Test regular expression %s : %s (NOCASE = %d)", _data.c_str(), t.c_str(), static_cast<int>(_nocase));
+    Dbg(pi_dbg_ctl, "Test regular expression %s : %s (NOCASE = %s)", _data.c_str(), t.c_str(),
+        has_modifier(_mods, CondModifiers::MOD_NOCASE) ? "true" : "false");
     int count = _reHelper.regexMatch(t.c_str(), t.length(), const_cast<Resources &>(res).ovector);
 
     if (count > 0) {
@@ -205,9 +241,9 @@ template <class T> class Matchers : public Matcher
     return false;
   }
 
-  T           _data;
-  regexHelper _reHelper;
-  bool        _nocase = false;
+  T             _data;
+  regexHelper   _reHelper;
+  CondModifiers _mods = CondModifiers::NONE;
 };
 
 // Specializations for the strings, since they can be both strings and regexes