feat: refactor ActionResult to RuleResult (#88)

Author: Copilot

.gitignore

@@ -24,3 +24,4 @@ logs/
 lastupdate.tmp
 commentsRouter*.go
 acme_account.key
+caswaf

routers/base.go

@@ -1,3 +1,17 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package routers
 
 import (

rule/rule.go

@@ -22,18 +22,19 @@ import (
 )
 
 type Rule interface {
-	checkRule(expressions []*object.Expression, req *http.Request) (bool, string, string, error)
+	checkRule(expressions []*object.Expression, req *http.Request) (*RuleResult, error)
 }
 
-type ActionResult struct {
-	Type       string
+type RuleResult struct {
+	Action     string
 	StatusCode int
+	Reason     string
 }
 
-func CheckRules(ruleIds []string, r *http.Request) (*ActionResult, string, error) {
+func CheckRules(ruleIds []string, r *http.Request) (*RuleResult, error) {
 	rules, err := object.GetRulesByRuleIds(ruleIds)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 	for i, rule := range rules {
 		var ruleObj Rule
@@ -51,63 +52,57 @@ func CheckRules(ruleIds []string, r *http.Request) (*ActionResult, string, error
 		case "Compound":
 			ruleObj = &CompoundRule{}
 		default:
-			return nil, "", fmt.Errorf("unknown rule type: %s for rule: %s", rule.Type, rule.GetId())
+			return nil, fmt.Errorf("unknown rule type: %s for rule: %s", rule.Type, rule.GetId())
 		}
 
-		isHit, action, reason, err := ruleObj.checkRule(rule.Expressions, r)
+		result, err := ruleObj.checkRule(rule.Expressions, r)
 		if err != nil {
-			return nil, "", err
+			return nil, err
 		}
 
-		// Use rule's action if no action specified by the rule check
-		if action == "" {
-			action = rule.Action
-		}
-		
-		// Determine status code
-		statusCode := rule.StatusCode
-		if statusCode == 0 {
-			// Set default status codes if not specified
-			switch action {
-			case "Block":
-				statusCode = 403
-			case "Drop":
-				statusCode = 400
-			case "Allow":
-				statusCode = 200
-			case "CAPTCHA":
-				statusCode = 302
-			default:
-				return nil, "", fmt.Errorf("unknown rule action: %s for rule: %s", action, rule.GetId())
+		if result != nil {
+			// Use rule's action if no action specified by the rule check
+			if result.Action == "" {
+				result.Action = rule.Action
 			}
-		}
-		
-		actionResult := &ActionResult{
-			Type:       action,
-			StatusCode: statusCode,
-		}
-		
-		if isHit {
-			if action == "Block" || action == "Drop" {
-				if rule.Reason != "" {
-					reason = rule.Reason
+			
+			// Determine status code
+			if result.StatusCode == 0 {
+				if rule.StatusCode != 0 {
+					result.StatusCode = rule.StatusCode
 				} else {
-					reason = fmt.Sprintf("hit rule %s: %s", ruleIds[i], reason)
+					// Set default status codes if not specified
+					switch result.Action {
+					case "Block":
+						result.StatusCode = 403
+					case "Drop":
+						result.StatusCode = 400
+					case "Allow":
+						result.StatusCode = 200
+					case "CAPTCHA":
+						result.StatusCode = 302
+					default:
+						return nil, fmt.Errorf("unknown rule action: %s for rule: %s", result.Action, rule.GetId())
+					}
+				}
+			}
+			
+			// Update reason if rule has custom reason
+			if result.Action == "Block" || result.Action == "Drop" {
+				if rule.Reason != "" {
+					result.Reason = rule.Reason
+				} else if result.Reason != "" {
+					result.Reason = fmt.Sprintf("hit rule %s: %s", ruleIds[i], result.Reason)
 				}
-				return actionResult, reason, nil
-			} else if action == "Allow" {
-				return actionResult, reason, nil
-			} else if action == "CAPTCHA" {
-				return actionResult, reason, nil
-			} else {
-				return nil, "", fmt.Errorf("unknown rule action: %s for rule: %s", action, rule.GetId())
 			}
+			
+			return result, nil
 		}
 	}
 
 	// Default action if no rule matched
-	return &ActionResult{
-		Type:       "Allow",
+	return &RuleResult{
+		Action:     "Allow",
 		StatusCode: 200,
-	}, "", nil
+	}, nil
 }

rule/rule_compound.go

@@ -24,16 +24,16 @@ import (
 
 type CompoundRule struct{}
 
-func (r *CompoundRule) checkRule(expressions []*object.Expression, req *http.Request) (bool, string, string, error) {
+func (r *CompoundRule) checkRule(expressions []*object.Expression, req *http.Request) (*RuleResult, error) {
 	operators := util.NewStack()
 	res := true
 	for _, expression := range expressions {
 		isHit := true
-		action, _, err := CheckRules([]string{expression.Value}, req)
+		result, err := CheckRules([]string{expression.Value}, req)
 		if err != nil {
-			return false, "", "", err
+			return nil, err
 		}
-		if action.Type == "" {
+		if result == nil || result.Action == "" {
 			isHit = false
 		}
 		switch expression.Operator {
@@ -43,7 +43,7 @@ func (r *CompoundRule) checkRule(expressions []*object.Expression, req *http.Req
 			operators.Push(res)
 			res = isHit
 		default:
-			return false, "", "", fmt.Errorf("unknown operator: %s", expression.Operator)
+			return nil, fmt.Errorf("unknown operator: %s", expression.Operator)
 		}
 		if operators.Size() > 0 {
 			last, ok := operators.Pop()
@@ -53,5 +53,8 @@ func (r *CompoundRule) checkRule(expressions []*object.Expression, req *http.Req
 			}
 		}
 	}
-	return res, "", "", nil
+	if res {
+		return &RuleResult{}, nil
+	}
+	return nil, nil
 }

rule/rule_ip.go

@@ -26,11 +26,11 @@ import (
 
 type IpRule struct{}
 
-func (r *IpRule) checkRule(expressions []*object.Expression, req *http.Request) (bool, string, string, error) {
+func (r *IpRule) checkRule(expressions []*object.Expression, req *http.Request) (*RuleResult, error) {
 	clientIp := util.GetClientIp(req)
 	netIp, err := parseIp(clientIp)
 	if err != nil {
-		return false, "", "", err
+		return nil, err
 	}
 	for _, expression := range expressions {
 		reason := fmt.Sprintf("expression matched: \"%s %s %s\"", clientIp, expression.Operator, expression.Value)
@@ -39,40 +39,40 @@ func (r *IpRule) checkRule(expressions []*object.Expression, req *http.Request)
 			if strings.Contains(ip, "/") {
 				_, ipNet, err := net.ParseCIDR(ip)
 				if err != nil {
-					return false, "", "", err
+					return nil, err
 				}
 
 				switch expression.Operator {
 				case "is in":
 					if ipNet.Contains(netIp) {
-						return true, "", reason, nil
+						return &RuleResult{Reason: reason}, nil
 					}
 				case "is not in":
 					if !ipNet.Contains(netIp) {
-						return true, "", reason, nil
+						return &RuleResult{Reason: reason}, nil
 					}
 				default:
-					return false, "", "", fmt.Errorf("unknown operator: %s", expression.Operator)
+					return nil, fmt.Errorf("unknown operator: %s", expression.Operator)
 				}
 			} else if strings.ContainsAny(ip, ".:") {
 				switch expression.Operator {
 				case "is in":
 					if ip == clientIp {
-						return true, "", reason, nil
+						return &RuleResult{Reason: reason}, nil
 					}
 				case "is not in":
 					if ip != clientIp {
-						return true, "", reason, nil
+						return &RuleResult{Reason: reason}, nil
 					}
 				default:
-					return false, "", "", fmt.Errorf("unknown operator: %s", expression.Operator)
+					return nil, fmt.Errorf("unknown operator: %s", expression.Operator)
 				}
 			} else {
-				return false, "", "", fmt.Errorf("unknown IP or CIDR format: %s", ip)
+				return nil, fmt.Errorf("unknown IP or CIDR format: %s", ip)
 			}
 		}
 	}
-	return false, "", "", nil
+	return nil, nil
 }
 
 func parseIp(ipStr string) (net.IP, error) {

rule/rule_ip_rate.go

@@ -80,7 +80,7 @@ func (i *IpRateLimiter) GetLimiter(ip string) *rate.Limiter {
 	return limiter
 }
 
-func (r *IpRateRule) checkRule(expressions []*object.Expression, req *http.Request) (bool, string, string, error) {
+func (r *IpRateRule) checkRule(expressions []*object.Expression, req *http.Request) (*RuleResult, error) {
 	expression := expressions[0] // IpRate rule should have only one expression
 	clientIp := util.GetClientIp(req)
 
@@ -89,7 +89,10 @@ func (r *IpRateRule) checkRule(expressions []*object.Expression, req *http.Reque
 	if ok {
 		blockTime := util.ParseInt(expression.Value)
 		if time.Now().Sub(createAt) < time.Duration(blockTime)*time.Second {
-			return true, "Block", "Rate limit exceeded", nil
+			return &RuleResult{
+				Action: "Block",
+				Reason: "Rate limit exceeded",
+			}, nil
 		} else {
 			delete(blackList, clientIp)
 		}
@@ -112,17 +115,20 @@ func (r *IpRateRule) checkRule(expressions []*object.Expression, req *http.Reque
 		limiter.SetBurst(ipRateLimiter.b)
 		err := limiter.Wait(req.Context())
 		if err != nil {
-			return false, "", "", err
+			return nil, err
 		}
 	} else {
 		// If the rate limit is exceeded, add the client IP to the blacklist
 		allow := limiter.Allow()
 		if !allow {
 			blackList[r.ruleName] = map[string]time.Time{}
 			blackList[r.ruleName][clientIp] = time.Now()
-			return true, "Block", "Rate limit exceeded", nil
+			return &RuleResult{
+				Action: "Block",
+				Reason: "Rate limit exceeded",
+			}, nil
 		}
 	}
 
-	return false, "", "", nil
+	return nil, nil
 }

rule/rule_ip_rate_test.go

@@ -1,3 +1,17 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package rule
 
 import (
@@ -113,19 +127,26 @@ func TestIpRateRule_checkRule(t *testing.T) {
 				ruleName: tt.fields.ruleName,
 			}
 			for i, arg := range tt.args.args {
-				got, got1, got2, err := r.checkRule(arg.expressions, arg.req)
+				result, err := r.checkRule(arg.expressions, arg.req)
 				if (err != nil) != tt.wantErr[i] {
 					t.Errorf("checkRule() error = %v, wantErr %v", err, tt.wantErr)
 					return
 				}
+				got := result != nil
+				got1 := ""
+				got2 := ""
+				if result != nil {
+					got1 = result.Action
+					got2 = result.Reason
+				}
 				if got != tt.want[i] {
-					t.Errorf("checkRule() got = %v, want %v", got, tt.want)
+					t.Errorf("checkRule() got = %v, want %v", got, tt.want[i])
 				}
 				if got1 != tt.want1[i] {
-					t.Errorf("checkRule() got1 = %v, want %v", got1, tt.want1)
+					t.Errorf("checkRule() got1 = %v, want %v", got1, tt.want1[i])
 				}
 				if got2 != tt.want2[i] {
-					t.Errorf("checkRule() got2 = %v, want %v", got2, tt.want2)
+					t.Errorf("checkRule() got2 = %v, want %v", got2, tt.want2[i])
 				}
 			}
 		})

rule/rule_ua.go

@@ -25,39 +25,39 @@ import (
 
 type UaRule struct{}
 
-func (r *UaRule) checkRule(expressions []*object.Expression, req *http.Request) (bool, string, string, error) {
+func (r *UaRule) checkRule(expressions []*object.Expression, req *http.Request) (*RuleResult, error) {
 	userAgent := req.UserAgent()
 	for _, expression := range expressions {
 		ua := expression.Value
 		reason := fmt.Sprintf("expression matched: \"%s %s %s\"", userAgent, expression.Operator, expression.Value)
 		switch expression.Operator {
 		case "contains":
 			if strings.Contains(userAgent, ua) {
-				return true, "", reason, nil
+				return &RuleResult{Reason: reason}, nil
 			}
 		case "does not contain":
 			if !strings.Contains(userAgent, ua) {
-				return true, "", reason, nil
+				return &RuleResult{Reason: reason}, nil
 			}
 		case "equals":
 			if userAgent == ua {
-				return true, "", reason, nil
+				return &RuleResult{Reason: reason}, nil
 			}
 		case "does not equal":
 			if strings.Compare(userAgent, ua) != 0 {
-				return true, "", reason, nil
+				return &RuleResult{Reason: reason}, nil
 			}
 		case "match":
 			// regex match
 			isHit, err := regexp.MatchString(ua, userAgent)
 			if err != nil {
-				return false, "", "", err
+				return nil, err
 			}
 			if isHit {
-				return true, "", reason, nil
+				return &RuleResult{Reason: reason}, nil
 			}
 		}
 	}
 
-	return false, "", "", nil
+	return nil, nil
 }