Match suffixes and prefixes in string constraints

2025-02-17 16:40:10 +01:00
parent a4bece6a77
commit 993342ef58
3 changed files with 32 additions and 0 deletions
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -391,6 +391,8 @@ policy:
        literals: ["alice@example.com", "bob@example.com"]
        # Regular expressions that match allowed emails
        regexes: ["@example\\.com$"]
+        # Suffixes that match allowed emails
+        suffixes: ["@example.com"]

      # If specified, the email address *must not* match one of the banned addresses.
      # If unspecified, all email addresses are allowed.
@@ -401,6 +403,10 @@ policy:
        substrings: ["evil"]
        # Regular expressions that match banned emails
        regexes: ["@evil\\.corp$"]
+        # Suffixes that match banned emails
+        suffixes: ["@evil.corp"]
+        # Prefixes that match banned emails
+        prefixes: ["alice@"]

    requester:
      # List of IP addresses and CIDRs that are not allowed to register
@@ -414,6 +420,8 @@ policy:
        literals: ["Pretend this is Real;"]
        substrings: ["Chrome"]
        regexes: ["Chrome 1.*;"]
+        prefixes: ["Mozilla/"]
+        suffixes: ["Safari/605.1.15"]
 ```

 ## `rate_limiting`
--- a/policies/common/common.rego
+++ b/policies/common/common.rego
@@ -8,6 +8,10 @@ matches_string_constraints(str, constraints) if matches_substrings(str, constrai

 matches_string_constraints(str, constraints) if matches_literals(str, constraints.literals)

+matches_string_constraints(str, constraints) if matches_suffixes(str, constraints.suffixes)
+
+matches_string_constraints(str, constraints) if matches_prefixes(str, constraints.prefixes)
+
 matches_regexes(str, regexes) if {
 	some pattern in regexes
 	regex.match(pattern, str)
@@ -23,6 +27,16 @@ matches_literals(str, literals) if {
 	str == literal
 }

+matches_suffixes(str, suffixes) if {
+	some suffix in suffixes
+	endswith(str, suffix)
+}
+
+matches_prefixes(str, prefixes) if {
+	some prefix in prefixes
+	startswith(str, prefix)
+}
+
 # Normalize an IP address or CIDR to a CIDR
 normalize_cidr(ip) := ip if contains(ip, "/")

--- a/policies/common/common_test.rego
+++ b/policies/common/common_test.rego
@@ -18,6 +18,16 @@ test_match_regex if {
 	not common.matches_string_constraints("some string", {"regexes": ["^string"]})
 }

+test_match_prefix if {
+	common.matches_string_constraints("some string", {"prefixes": ["some"]})
+	not common.matches_string_constraints("some string", {"prefixes": ["string"]})
+}
+
+test_match_suffix if {
+	common.matches_string_constraints("some string", {"suffixes": ["string"]})
+	not common.matches_string_constraints("some string", {"suffixes": ["some"]})
+}
+
 test_ip_in_list if {
 	common.ip_in_list("192.168.1.1", ["192.168.1.1"])
 	common.ip_in_list("192.168.1.1", ["192.168.1.0/24"])