tuxmain/mesozoa
1
0
Fork 0
Code Issues 6 Pull requests Projects Releases Packages Wiki Activity Actions

working base

Browse source
This commit is contained in:
Pascal Engélibert 2025-04-06 00:03:47 +02:00
commit 616c17501a
11 changed files with 1142 additions and 243 deletions
Download patch file Download diff file Expand all files Collapse all files

38
src/challenge.html
View file

@ -8,10 +8,42 @@
<body>
<h1>Fighting crawlers</h1>
<script type="text/javascript">
/*setTimeout(function() {
document.cookie = "mesozoa=1234; max-age=3600";
const target_zeros = 15;
const sha256 = async (input) => {
const input_buf = new TextEncoder().encode(input);
const output_buf = await window.crypto.subtle.digest("SHA-256", input_buf);
return new Uint8Array(output_buf);
};
function verify_hash(hash) {
return Math.clz32((hash[0] << 24) | (hash[1] << 16) | (hash[2] << 8) | hash[3]) >= target_zeros;
}
function get_cookie(name) {
const value = "; "+document.cookie;
const parts = value.split("; "+name+"=");
return parts.pop().split(";").shift();
}
function submit_proof(proof) {
document.cookie = "mesozoa-proof="+proof+"; domain=127.0.0.1; path=/; max-age=3600; samesite=strict";
window.location.reload();
}, 1000);*/
}
function timeout(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
async function pow(seed, nonce) {
var stop = nonce + 1000;
for(; nonce < stop; nonce ++) {
if(verify_hash(await sha256(("00000000"+nonce).slice(-8)+seed))) {
console.log(await sha256(("00000000"+nonce).slice(-8)+seed));
console.log(("00000000"+nonce).slice(-8));
submit_proof(("00000000"+nonce).slice(-8));
return;
}
}
setTimeout(function() {
pow(seed, nonce);
}, 0);
}
pow(get_cookie("mesozoa-challenge"), 0);
</script>
</body>
</html>

47
src/challenge.rs
View file

@ -1,25 +1,40 @@
use base64::Engine;
use sha3::{Digest};
use sha3::Digest;
use subtle::ConstantTimeEq;
use crate::{CHALLENGE_TIMEOUT, MAC_LEN, SALT_LEN, SECRET_LEN};
pub fn check_challenge() -> bool {
false
pub fn check_challenge(seed: &[u8], proof: &[u8], target_zeros: u32) -> bool {
let mut hasher = sha2::Sha256::default();
hasher.update(proof);
hasher.update(seed);
let hash: [u8; 32] = hasher.finalize().into();
let prefix: [u8; 4] = hash[0..4].try_into().unwrap();
u32::from_be_bytes(prefix).leading_zeros() >= target_zeros
}
pub fn compute_challenge_mac(secret: &[u8; SECRET_LEN], salt: &[u8; SALT_LEN], timestamp: [u8; 8], ip: &[u8], user_agent: &[u8]) -> [u8; MAC_LEN] {
pub fn compute_challenge_mac(
secret: &[u8; SECRET_LEN],
salt: &[u8; SALT_LEN],
timestamp: [u8; 8],
ip: &[u8],
user_agent: &[u8],
) -> [u8; MAC_LEN] {
let mut hasher = sha3::Sha3_256::default();
hasher.update(secret);
hasher.update(salt);
hasher.update(&timestamp);
hasher.update(timestamp);
hasher.update(ip);
hasher.update(b"/");
hasher.update(user_agent);
hasher.finalize().into()
}
pub fn format_challenge_cookie(salt: &[u8; SALT_LEN], timestamp: [u8; 8], mac: &[u8; MAC_LEN]) -> String {
pub fn format_challenge_cookie(
salt: &[u8; SALT_LEN],
timestamp: [u8; 8],
mac: &[u8; MAC_LEN],
) -> String {
let mut buf = Vec::new();
buf.extend_from_slice(salt);
buf.extend_from_slice(&timestamp);
@ -27,7 +42,12 @@ pub fn format_challenge_cookie(salt: &[u8; SALT_LEN], timestamp: [u8; 8], mac: &
base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(buf)
}
pub fn verify_challenge_cookie(cookie: &[u8], secret: &[u8; SECRET_LEN], user_agent: &[u8], ip: &[u8]) -> bool {
pub fn verify_challenge_cookie(
cookie: &[u8],
secret: &[u8; SECRET_LEN],
user_agent: &[u8],
ip: &[u8],
) -> bool {
let Ok(cookie_bytes) = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(cookie) else {
dbg!("invalid base64");
return false;
@ -36,14 +56,21 @@ pub fn verify_challenge_cookie(cookie: &[u8], secret: &[u8; SECRET_LEN], user_ag
dbg!("invalid len");
return false;
}
let timestamp: [u8; 8] = cookie_bytes[SALT_LEN..SALT_LEN+8].try_into().unwrap();
let timestamp: [u8; 8] = cookie_bytes[SALT_LEN..SALT_LEN + 8].try_into().unwrap();
let timestamp_time = u64::from_be_bytes(timestamp);
if timestamp_time.wrapping_add(CHALLENGE_TIMEOUT) < std::time::SystemTime::UNIX_EPOCH.elapsed().unwrap().as_secs() {
if timestamp_time.wrapping_add(CHALLENGE_TIMEOUT)
< std::time::SystemTime::UNIX_EPOCH
.elapsed()
.unwrap()
.as_secs()
{
dbg!("invalid time");
return false;
}
let salt: [u8; SALT_LEN] = cookie_bytes[0..SALT_LEN].try_into().unwrap();
let mac: [u8; MAC_LEN] = cookie_bytes[SALT_LEN + 8..SALT_LEN + 8 + MAC_LEN].try_into().unwrap();
let mac: [u8; MAC_LEN] = cookie_bytes[SALT_LEN + 8..SALT_LEN + 8 + MAC_LEN]
.try_into()
.unwrap();
let expected_mac = compute_challenge_mac(secret, &salt, timestamp, ip, user_agent);

16
src/http.rs
View file

@ -38,19 +38,3 @@ impl<'a> Iterator for HeaderLineIterator<'a> {
None
}
}
pub fn parse_cookies<'a>(line: &'a [u8]) -> Option<&'a [u8]> {
if line.get(0..7) != Some(b"Cookie:") {
return None;
}
let mut waiting_for_name = true;
let mut iter = line.iter().enumerate().skip(7);
while let Some((i, c)) = iter.next() {
if *c == b' ' {
continue;
}
if waiting_for_name {}
//iter.advance_by(5);
}
None
}

265
src/main.rs
View file

@ -6,18 +6,19 @@ use http::HeaderLineIterator;
use policy::{CompiledPolicies, Policy};
use rand::Rng;
use regex::{bytes::Regex, bytes::RegexSet};
use std::{
io::{BufReader, Write}, net::SocketAddr, sync::atomic::ATOMIC_BOOL_INIT, time::Duration
};
use regex::bytes::Regex;
use std::{io::Write, net::SocketAddr, time::Duration};
use tokio::{
io::{AsyncWriteExt, ReadBuf}, net::TcpSocket, time::timeout
io::{AsyncWriteExt, ReadBuf},
net::{TcpSocket, TcpStream},
time::timeout,
};
const SALT_LEN: usize = 16;
const SECRET_LEN: usize = 32;
const MAC_LEN: usize = 32;
const CHALLENGE_TIMEOUT: u64 = 3600;
const TARGET_ZEROS: u32 = 15;
static CHALLENGE_BODY: &str = include_str!("challenge.html");
@ -36,28 +37,34 @@ async fn main() {
let listen_addr: SocketAddr = "127.0.0.1:8504".parse().unwrap();
let pass_addr: SocketAddr = "127.0.0.1:80".parse().unwrap();
let policy_groups = &[&[Policy {
name: String::from("Block"),
filter: policy::Filter::FirstLineMatch(String::from("GET /block")),
action: policy::Action::Drop,
priority: 0,
}]];
let policy_groups = vec![vec![
Policy {
name: String::from("Favicon"),
first_line_regex: String::from(r"^GET /favicon.ico"),
action: policy::Action::Allow,
},
Policy {
name: String::from("robots.txt"),
first_line_regex: String::from(r"^GET /robots.txt"),
action: policy::Action::Allow,
},
Policy {
name: String::from("Block"),
first_line_regex: String::from(r"^GET /block"),
action: policy::Action::Drop,
},
]];
let default_action = policy::Action::Challenge;
let secret: [u8; SECRET_LEN] = rng.r#gen();
let challenge_response = &*mk_static!(
String,
format!(
"HTTP/1.1 200\r\ncontent-type: text/html\r\ncontent-length: {}\r\n\r\n{}",
CHALLENGE_BODY.len(),
CHALLENGE_BODY
)
let policy_groups = &*mk_static!(
Vec<CompiledPolicies>,
policy_groups
.into_iter()
.map(CompiledPolicies::new)
.collect()
);
let policy_groups: Vec<CompiledPolicies> = policy_groups
.into_iter()
.map(|policies| CompiledPolicies::new(*policies))
.collect();
let socket = realm_syscall::new_tcp_socket(&listen_addr).unwrap();
socket.set_reuse_address(true).ok();
@ -68,16 +75,26 @@ async fn main() {
let listener = tokio::net::TcpListener::from_std(socket.into()).unwrap();
let proof_regex =
Regex::new(r"^Cookie: *(?:[^;=]+=[^;=]* *; *)*mesozoa-proof *= *([0-9a-zA-Z_-]{4})").unwrap();
Regex::new(r"^Cookie: *(?:[^;=]+=[^;=]* *; *)*mesozoa-proof *= *([0-9a-zA-Z_-]{8})")
.unwrap();
let challenge_regex =
Regex::new(r"^Cookie: *(?:[^;=]+=[^;=]* *; *)*mesozoa-challenge *= *([0-9a-zA-Z_-]{75})").unwrap();
let ip_regex =
Regex::new(r"^X-Forwarded-For: *([a-fA-F0-9.:]+)$").unwrap();
let user_agent_regex =
Regex::new(r"^User-Agent: *([a-zA-Z0-9.,:;/ _()-]+)$").unwrap();
Regex::new(r"^Cookie: *(?:[^;=]+=[^;=]* *; *)*mesozoa-challenge *= *([0-9a-zA-Z_-]{75})")
.unwrap();
let ip_regex = Regex::new(r"^X-Forwarded-For: *([a-fA-F0-9.:]+)$").unwrap();
let user_agent_regex = Regex::new(r"^User-Agent: *([a-zA-Z0-9.,:;/ _()-]+)$").unwrap();
let response_begin = &*mk_static!(
String,
format!(
"HTTP/1.1 200\r\n\
content-type: text/html\r\n\
content-length: {}\r\n",
CHALLENGE_BODY.len(),
)
);
loop {
let Ok((mut client_stream, client_addr)) = listener.accept().await else {
let Ok((mut client_stream, _client_addr)) = listener.accept().await else {
continue;
};
//client_stream.set_nodelay(true).ok();
@ -89,11 +106,12 @@ async fn main() {
tokio::spawn(async move {
let mut buf = [0u8; 1024];
let mut buf_reader = ReadBuf::new(&mut buf);
if let Err(_) = timeout(
if timeout(
Duration::from_millis(100),
std::future::poll_fn(|cx| client_stream.poll_peek(cx, &mut buf_reader)),
)
.await
.is_err()
{
println!("peek timeout");
return;
@ -102,85 +120,136 @@ async fn main() {
let mut stdout = std::io::stdout();
stdout.write_all(&buf).unwrap();
stdout.flush().unwrap();
println!("");
println!();
let mut header_line_iter = HeaderLineIterator::new(&buf);
let Some(first_line) = header_line_iter.next() else {
println!("Not HTTP, or too long line");
return;
};
// TODO matching
// for test we will challenge everything!
let mut req_challenge = None;
let mut req_proof = None;
let mut req_user_agent: &[u8] = &[];
let mut req_ip: &[u8] = &[];
for line in header_line_iter {
if let Some(Some(m)) = challenge_regex.captures(line).map(|c| c.get(1)) {
req_challenge = Some(m.as_bytes());
}
if let Some(Some(m)) = proof_regex.captures(line).map(|c| c.get(1)) {
req_proof = Some(m.as_bytes());
}
if let Some(Some(m)) = user_agent_regex.captures(line).map(|c| c.get(1)) {
req_user_agent = m.as_bytes();
}
if let Some(Some(m)) = ip_regex.captures(line).map(|c| c.get(1)) {
req_ip = m.as_bytes();
let mut action = default_action;
for policy_group in policy_groups.iter() {
if let Some(policy) = policy_group.evaluate(first_line) {
println!("Applying policy {}", policy.name);
action = policy.action;
break;
}
}
let mut allow = false;
if let Some(req_challenge) = req_challenge {
allow = challenge::verify_challenge_cookie(req_challenge, &secret, req_user_agent, req_ip);
}
if allow {
// TODO reuse connections
let pass_socket = realm_syscall::new_tcp_socket(&pass_addr).unwrap();
pass_socket.set_reuse_address(true).ok();
let pass_socket = TcpSocket::from_std_stream(pass_socket.into());
let mut pass_stream = pass_socket.connect(pass_addr).await.unwrap();
match realm_io::bidi_zero_copy(&mut client_stream, &mut pass_stream).await {
Ok(_) => {},
Err(ref e) if e.kind() == tokio::io::ErrorKind::InvalidInput => {
realm_io::bidi_copy(&mut client_stream, &mut pass_stream).await.unwrap();
match action {
policy::Action::Drop => {}
policy::Action::Allow => {
do_proxy(pass_addr, client_stream).await;
}
policy::Action::Challenge => {
let mut req_challenge = None;
let mut req_proof = None;
let mut req_user_agent: &[u8] = &[];
let mut req_ip: &[u8] = &[];
for line in header_line_iter {
if let Some(Some(m)) = challenge_regex.captures(line).map(|c| c.get(1)) {
req_challenge = Some(m.as_bytes());
}
if let Some(Some(m)) = proof_regex.captures(line).map(|c| c.get(1)) {
req_proof = Some(m.as_bytes());
}
if let Some(Some(m)) = user_agent_regex.captures(line).map(|c| c.get(1)) {
req_user_agent = m.as_bytes();
}
if let Some(Some(m)) = ip_regex.captures(line).map(|c| c.get(1)) {
req_ip = m.as_bytes();
}
}
let mut allow = false;
let mut valid_challenge = false;
if let (Some(req_challenge), Some(req_proof)) = (req_challenge, req_proof) {
valid_challenge = challenge::verify_challenge_cookie(
req_challenge,
&secret,
req_user_agent,
req_ip,
);
allow = dbg!(valid_challenge)
&& dbg!(challenge::check_challenge(
req_challenge,
req_proof,
TARGET_ZEROS
));
}
if allow {
do_proxy(pass_addr, client_stream).await;
} else {
let salt: [u8; SALT_LEN] = rand::thread_rng().r#gen();
let timestamp = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs();
let timestamp_bytes = timestamp.to_be_bytes();
let challenge_mac = challenge::compute_challenge_mac(
&secret,
&salt,
timestamp_bytes,
req_ip,
req_user_agent,
);
let challenge_cookie = challenge::format_challenge_cookie(
&salt,
timestamp_bytes,
&challenge_mac,
);
client_stream.writable().await.unwrap();
client_stream
.write_all(response_begin.as_bytes())
.await
.unwrap();
if !valid_challenge {
client_stream
.write_all(b"set-cookie: mesozoa-challenge=")
.await
.unwrap();
client_stream
.write_all(challenge_cookie.as_bytes())
.await
.unwrap();
client_stream.write_all(b"; domain=127.0.0.1; path=/; max-age=3600; samesite=strict\r\n").await.unwrap();
}
client_stream.write_all(b"\r\n").await.unwrap();
client_stream
.write_all(CHALLENGE_BODY.as_bytes())
.await
.unwrap();
}
Err(e) => panic!("err {}", e),
}
} else {
let salt: [u8; SALT_LEN] = rand::thread_rng().r#gen();
let timestamp = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap().as_secs();
let timestamp_bytes = timestamp.to_be_bytes();
let challenge_mac = challenge::compute_challenge_mac(&secret, &salt, timestamp_bytes, req_ip, req_user_agent);
let challenge_cookie = challenge::format_challenge_cookie(&salt, timestamp_bytes, &challenge_mac);
let response = format!(
"HTTP/1.1 200\r\n\
content-type: text/html\r\n\
content-length: {}\r\n\
set-cookie: mesozoa-challenge={}; max-age=3600; samesite=strict\r\n\
\r\n\
{}",
CHALLENGE_BODY.len(),
challenge_cookie,
CHALLENGE_BODY,
);
client_stream.writable().await.unwrap();
client_stream
.write_all(response.as_bytes())
.await
.unwrap();
}
});
}
}
async fn do_proxy(pass_addr: SocketAddr, mut client_stream: TcpStream) {
// TODO reuse connections
let pass_socket = realm_syscall::new_tcp_socket(&pass_addr).unwrap();
pass_socket.set_reuse_address(true).ok();
let pass_socket = TcpSocket::from_std_stream(pass_socket.into());
let mut pass_stream = pass_socket.connect(pass_addr).await.unwrap();
match realm_io::bidi_zero_copy(&mut client_stream, &mut pass_stream).await {
Ok(_) => {}
Err(ref e) if e.kind() == tokio::io::ErrorKind::InvalidInput => {
realm_io::bidi_copy(&mut client_stream, &mut pass_stream)
.await
.unwrap();
}
Err(e) => panic!("err {}", e),
}
}

198
src/policy.bak.rs Normal file
View file

@ -0,0 +1,198 @@
use regex::bytes::{Regex, RegexSet, SetMatches};
#[derive(Clone, Debug)]
pub enum Action {
Allow,
Challenge,
Drop,
}
#[derive(Clone, Debug)]
pub enum Filter {
Bool(bool),
FirstLineMatch(String),
HeaderLineMatch(String),
And(Vec<Filter>),
Or(Vec<Filter>),
Not(Box<Filter>),
}
impl Filter {
fn compile<'a>(
&'a self,
first_line_regexes: &mut Vec<&'a str>,
header_line_regexes: &mut Vec<&'a str>,
) -> CompiledFilter {
match self {
Filter::Bool(v) => CompiledFilter::Bool(*v),
Filter::And(filters) => CompiledFilter::And(
filters
.iter()
.map(|filter| filter.compile(first_line_regexes, header_line_regexes))
.collect(),
),
Filter::Or(filters) => CompiledFilter::Or(
filters
.iter()
.map(|filter| filter.compile(first_line_regexes, header_line_regexes))
.collect(),
),
Filter::Not(filter) => CompiledFilter::Not(Box::new(
filter.compile(first_line_regexes, header_line_regexes),
)),
Filter::FirstLineMatch(regex) => {
let filter = CompiledFilter::FirstLineMatch(first_line_regexes.len());
first_line_regexes.push(regex);
filter
}
Filter::HeaderLineMatch(regex) => {
let filter = CompiledFilter::HeaderLineMatch(header_line_regexes.len());
header_line_regexes.push(regex);
filter
}
}
}
}
#[derive(Clone, Debug)]
pub struct Policy {
pub name: String,
pub filter: Filter,
pub action: Action,
pub priority: i32,
}
pub enum CompiledFilter {
Bool(bool),
FirstLineMatch(usize),
HeaderLineMatch(usize),
And(Vec<CompiledFilter>),
Or(Vec<CompiledFilter>),
Not(Box<CompiledFilter>),
}
/*impl CompiledFilter {
fn evaluate(&self, matches: &SetMatches) -> bool {
match self {
Self::And(filters) => filters.iter().all(Self::evaluate),
Self::Or(filters) => filters.iter().any(Self::evaluate),
Self::Bool(b) => *b,
Self::Not(filter) => !filter.evaluate(matches),
Self::FirstLineMatch(regex_id) => matches.matched(regex_id),
Self::HeaderLineMatch(regex_id) => matches.matched(regex_id),
}
}
}*/
pub struct CompiledPolicy {
pub name: String,
pub filter: CompiledFilter,
pub priority: i32,
pub action: Action,
}
pub struct CompiledPolicies {
pub first_line_regex_set: Option<RegexSet>,
pub header_line_regex_set: Option<RegexSet>,
pub policies: Vec<CompiledPolicy>,
}
pub enum RegexOrRegexSet {
Many(RegexSet),
One(Regex),
None,
}
impl TryInto<RegexOrRegexSet> for Vec<&str> {
type Error = regex::Error;
fn try_into(self) -> Result<RegexOrRegexSet, regex::Error> {
Ok(match self.len() {
0 => RegexOrRegexSet::None,
1 => RegexOrRegexSet::One(Regex::new(self[0])?),
_ => RegexOrRegexSet::Many(RegexSet::new(self)?)
})
}
}
impl CompiledPolicies {
pub fn new<'a>(policies: impl IntoIterator<Item = &'a Policy>) -> Self {
let mut first_line_regexes = Vec::new();
let mut header_line_regexes = Vec::new();
let mut compiled_policies = Vec::new();
for policy in policies {
let compiled_policy = CompiledPolicy {
name: policy.name.clone(),
filter: policy
.filter
.compile(&mut first_line_regexes, &mut header_line_regexes),
priority: policy.priority,
action: policy.action.clone(),
};
compiled_policies.push(compiled_policy);
}
CompiledPolicies {
first_line_regex_set: if first_line_regexes.is_empty() {
None
} else {
Some(RegexSet::new(&first_line_regexes).unwrap())
},
header_line_regex_set: if header_line_regexes.is_empty() {
None
} else {
Some(RegexSet::new(&header_line_regexes).unwrap())
},
policies: compiled_policies,
}
}
/*pub fn evaluate<'a>(
&self,
mut header_lines: impl Iterator<Item = &'a [u8]>,
) -> Result<Option<&CompiledPolicy>, PolicyEvaluationError> {
let mut best_policy: Option<&CompiledPolicy> = None;
let first_line = header_lines
.next()
.ok_or(PolicyEvaluationError::NoFirstLine)?;
if let Some(first_line_regex_set) = &self.first_line_regex_set {
let matches = first_line_regex_set.matches(first_line);
for policy in self.policies.iter() {
}
let policy = &self.policies[matched];
if let Some(best_policy) = &mut best_policy {
if policy.priority < best_policy.priority {
*best_policy = policy;
}
} else {
best_policy = Some(policy);
}
}
if let Some(header_line_regex_set) = &self.header_line_regex_set {
for header_line in header_lines {
for matched in header_line_regex_set.matches(header_line) {
let policy = &self.policies[matched];
if let Some(best_policy) = &mut best_policy {
if policy.priority < best_policy.priority {
*best_policy = policy;
}
} else {
best_policy = Some(policy);
}
}
}
}
Ok(best_policy)
}*/
}
#[derive(Debug)]
pub enum PolicyEvaluationError {
/// First HTTP line is too long or absent
NoFirstLine,
}

128
src/policy.rs
View file

@ -1,143 +1,41 @@
use regex::{Regex, RegexSet};
use regex::bytes::RegexSet;
#[derive(Clone, Debug)]
#[derive(Clone, Copy, Debug)]
pub enum Action {
Allow,
Challenge,
Drop,
}
#[derive(Clone, Debug)]
pub enum Filter {
Bool(bool),
FirstLineMatch(String),
HeaderLineMatch(String),
And(Vec<Filter>),
Or(Vec<Filter>),
Not(Box<Filter>),
}
impl Filter {
fn compile<'a>(
&'a self,
first_line_regexes: &mut Vec<&'a str>,
header_line_regexes: &mut Vec<&'a str>,
) -> CompiledFilter {
match self {
Filter::Bool(v) => CompiledFilter::Bool(*v),
Filter::And(filters) => CompiledFilter::And(
filters
.iter()
.map(|filter| filter.compile(first_line_regexes, header_line_regexes))
.collect(),
),
Filter::Or(filters) => CompiledFilter::Or(
filters
.iter()
.map(|filter| filter.compile(first_line_regexes, header_line_regexes))
.collect(),
),
Filter::Not(filter) => CompiledFilter::Not(Box::new(
filter.compile(first_line_regexes, header_line_regexes),
)),
Filter::FirstLineMatch(regex) => {
let filter = CompiledFilter::FirstLineMatch(first_line_regexes.len());
first_line_regexes.push(regex);
filter
}
Filter::HeaderLineMatch(regex) => {
let filter = CompiledFilter::HeaderLineMatch(header_line_regexes.len());
header_line_regexes.push(regex);
filter
}
}
}
}
#[derive(Clone, Debug)]
pub struct Policy {
pub name: String,
pub filter: Filter,
pub action: Action,
pub priority: i32,
}
pub enum CompiledFilter {
Bool(bool),
FirstLineMatch(usize),
HeaderLineMatch(usize),
And(Vec<CompiledFilter>),
Or(Vec<CompiledFilter>),
Not(Box<CompiledFilter>),
}
pub struct CompiledPolicy {
pub name: String,
pub filter: CompiledFilter,
pub priority: i32,
pub first_line_regex: String,
pub action: Action,
}
pub struct CompiledPolicies {
pub first_line_regex_set: Option<RegexSet>,
pub header_line_regex_set: Option<RegexSet>,
pub policies: Vec<CompiledPolicy>,
pub first_line_regex_set: RegexSet,
pub policies: Vec<Policy>,
}
impl CompiledPolicies {
pub fn new<'a>(policies: impl IntoIterator<Item = &'a Policy>) -> Self {
pub fn new(policies: Vec<Policy>) -> Self {
let mut first_line_regexes = Vec::new();
let mut header_line_regexes = Vec::new();
let mut compiled_policies = Vec::new();
for policy in policies {
let compiled_policy = CompiledPolicy {
name: policy.name.clone(),
filter: policy
.filter
.compile(&mut first_line_regexes, &mut header_line_regexes),
priority: policy.priority,
action: policy.action.clone(),
};
compiled_policies.push(compiled_policy);
for policy in policies.iter() {
first_line_regexes.push(&policy.first_line_regex);
}
CompiledPolicies {
first_line_regex_set: if first_line_regexes.is_empty() {
None
} else {
Some(RegexSet::new(&first_line_regexes).unwrap())
},
header_line_regex_set: if header_line_regexes.is_empty() {
None
} else {
Some(RegexSet::new(&header_line_regexes).unwrap())
},
policies: compiled_policies,
first_line_regex_set: RegexSet::new(&first_line_regexes).unwrap(),
policies,
}
}
pub fn evaluate<'a>(
&self,
mut header_lines: impl Iterator<Item = &'a [u8]>,
) -> Result<Option<&CompiledPolicy>, PolicyEvaluationError> {
let mut best_policy = None;
let mut best_priority = i32::MAX;
pub fn evaluate(&self, first_line: &[u8]) -> Option<&Policy> {
let matches = self.first_line_regex_set.matches(first_line);
let first_line = header_lines
.next()
.ok_or(PolicyEvaluationError::NoFirstLine)?;
if let Some(first_line_regex_set) = &self.first_line_regex_set {
//let matches = first_line_regex_set.matches(first_line);
}
Ok(best_policy)
matches.into_iter().next().map(|i| &self.policies[i])
}
}
#[derive(Debug)]
pub enum PolicyEvaluationError {
/// First HTTP line is too long or absent
NoFirstLine,
}