Bring back v2 rule matchers

pkg/muxer/tcp/matcher_test.go

@@ -38,7 +38,7 @@ func Test_HostSNICatchAll(t *testing.T) {
 			muxer, err := NewMuxer()
 			require.NoError(t, err)
 
-			err = muxer.AddRoute(test.rule, 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
+			err = muxer.AddRoute(test.rule, "", 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
 			require.NoError(t, err)
 
 			handler, catchAll := muxer.Match(ConnData{
@@ -144,7 +144,7 @@ func Test_HostSNI(t *testing.T) {
 			muxer, err := NewMuxer()
 			require.NoError(t, err)
 
-			err = muxer.AddRoute(test.rule, 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
+			err = muxer.AddRoute(test.rule, "", 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
 			if test.buildErr {
 				require.Error(t, err)
 				return
@@ -227,7 +227,7 @@ func Test_HostSNIRegexp(t *testing.T) {
 			muxer, err := NewMuxer()
 			require.NoError(t, err)
 
-			err = muxer.AddRoute(test.rule, 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
+			err = muxer.AddRoute(test.rule, "", 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
 			if test.buildErr {
 				require.Error(t, err)
 				return
@@ -299,7 +299,7 @@ func Test_ClientIP(t *testing.T) {
 			muxer, err := NewMuxer()
 			require.NoError(t, err)
 
-			err = muxer.AddRoute(test.rule, 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
+			err = muxer.AddRoute(test.rule, "", 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
 			if test.buildErr {
 				require.Error(t, err)
 				return
@@ -363,7 +363,7 @@ func Test_ALPN(t *testing.T) {
 			muxer, err := NewMuxer()
 			require.NoError(t, err)
 
-			err = muxer.AddRoute(test.rule, 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
+			err = muxer.AddRoute(test.rule, "", 0, tcp.HandlerFunc(func(conn tcp.WriteCloser) {}))
 			if test.buildErr {
 				require.Error(t, err)
 				return

pkg/muxer/tcp/matcher_v2.go

@@ -0,0 +1,240 @@
+package tcp
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
+	"github.com/rs/zerolog/log"
+	"github.com/traefik/traefik/v3/pkg/ip"
+)
+
+var tcpFuncsV2 = map[string]func(*matchersTree, ...string) error{
+	"ALPN":          alpnV2,
+	"ClientIP":      clientIPV2,
+	"HostSNI":       hostSNIV2,
+	"HostSNIRegexp": hostSNIRegexpV2,
+}
+
+func clientIPV2(tree *matchersTree, clientIPs ...string) error {
+	checker, err := ip.NewChecker(clientIPs)
+	if err != nil {
+		return fmt.Errorf("could not initialize IP Checker for \"ClientIP\" matcher: %w", err)
+	}
+
+	tree.matcher = func(meta ConnData) bool {
+		if meta.remoteIP == "" {
+			return false
+		}
+
+		ok, err := checker.Contains(meta.remoteIP)
+		if err != nil {
+			log.Warn().Err(err).Msg("ClientIP matcher: could not match remote address")
+			return false
+		}
+		return ok
+	}
+
+	return nil
+}
+
+// alpnV2 checks if any of the connection ALPN protocols matches one of the matcher protocols.
+func alpnV2(tree *matchersTree, protos ...string) error {
+	if len(protos) == 0 {
+		return errors.New("empty value for \"ALPN\" matcher is not allowed")
+	}
+
+	for _, proto := range protos {
+		if proto == tlsalpn01.ACMETLS1Protocol {
+			return fmt.Errorf("invalid protocol value for \"ALPN\" matcher, %q is not allowed", proto)
+		}
+	}
+
+	tree.matcher = func(meta ConnData) bool {
+		for _, proto := range meta.alpnProtos {
+			for _, filter := range protos {
+				if proto == filter {
+					return true
+				}
+			}
+		}
+
+		return false
+	}
+
+	return nil
+}
+
+// hostSNIV2 checks if the SNI Host of the connection match the matcher host.
+func hostSNIV2(tree *matchersTree, hosts ...string) error {
+	if len(hosts) == 0 {
+		return errors.New("empty value for \"HostSNI\" matcher is not allowed")
+	}
+
+	for i, host := range hosts {
+		// Special case to allow global wildcard
+		if host == "*" {
+			continue
+		}
+
+		if !hostOrIP.MatchString(host) {
+			return fmt.Errorf("invalid value for \"HostSNI\" matcher, %q is not a valid hostname or IP", host)
+		}
+
+		hosts[i] = strings.ToLower(host)
+	}
+
+	tree.matcher = func(meta ConnData) bool {
+		// Since a HostSNI(`*`) rule has been provided as catchAll for non-TLS TCP,
+		// it allows matching with an empty serverName.
+		// Which is why we make sure to take that case into account before
+		// checking meta.serverName.
+		if hosts[0] == "*" {
+			return true
+		}
+
+		if meta.serverName == "" {
+			return false
+		}
+
+		for _, host := range hosts {
+			if host == "*" {
+				return true
+			}
+
+			if host == meta.serverName {
+				return true
+			}
+
+			// trim trailing period in case of FQDN
+			host = strings.TrimSuffix(host, ".")
+			if host == meta.serverName {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	return nil
+}
+
+// hostSNIRegexpV2 checks if the SNI Host of the connection matches the matcher host regexp.
+func hostSNIRegexpV2(tree *matchersTree, templates ...string) error {
+	if len(templates) == 0 {
+		return fmt.Errorf("empty value for \"HostSNIRegexp\" matcher is not allowed")
+	}
+
+	var regexps []*regexp.Regexp
+
+	for _, template := range templates {
+		preparedPattern, err := preparePattern(template)
+		if err != nil {
+			return fmt.Errorf("invalid pattern value for \"HostSNIRegexp\" matcher, %q is not a valid pattern: %w", template, err)
+		}
+
+		regexp, err := regexp.Compile(preparedPattern)
+		if err != nil {
+			return err
+		}
+
+		regexps = append(regexps, regexp)
+	}
+
+	tree.matcher = func(meta ConnData) bool {
+		for _, regexp := range regexps {
+			if regexp.MatchString(meta.serverName) {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	return nil
+}
+
+// preparePattern builds a regexp pattern from the initial user defined expression.
+// This function reuses the code dedicated to host matching of the newRouteRegexp func from the gorilla/mux library.
+// https://github.com/containous/mux/tree/8ffa4f6d063c1e2b834a73be6a1515cca3992618.
+func preparePattern(template string) (string, error) {
+	// Check if it is well-formed.
+	idxs, errBraces := braceIndices(template)
+	if errBraces != nil {
+		return "", errBraces
+	}
+
+	defaultPattern := "[^.]+"
+	pattern := bytes.NewBufferString("")
+
+	// Host SNI matching is case-insensitive
+	_, _ = fmt.Fprint(pattern, "(?i)")
+
+	pattern.WriteByte('^')
+	var end int
+	for i := 0; i < len(idxs); i += 2 {
+		// Set all values we are interested in.
+		raw := template[end:idxs[i]]
+		end = idxs[i+1]
+		parts := strings.SplitN(template[idxs[i]+1:end-1], ":", 2)
+		name := parts[0]
+
+		patt := defaultPattern
+		if len(parts) == 2 {
+			patt = parts[1]
+		}
+
+		// Name or pattern can't be empty.
+		if name == "" || patt == "" {
+			return "", fmt.Errorf("mux: missing name or pattern in %q",
+				template[idxs[i]:end])
+		}
+
+		// Build the regexp pattern.
+		_, _ = fmt.Fprintf(pattern, "%s(?P<%s>%s)", regexp.QuoteMeta(raw), varGroupName(i/2), patt)
+	}
+
+	// Add the remaining.
+	raw := template[end:]
+	pattern.WriteString(regexp.QuoteMeta(raw))
+	pattern.WriteByte('$')
+
+	return pattern.String(), nil
+}
+
+// varGroupName builds a capturing group name for the indexed variable.
+// This function is a copy of varGroupName func from the gorilla/mux library.
+// https://github.com/containous/mux/tree/8ffa4f6d063c1e2b834a73be6a1515cca3992618.
+func varGroupName(idx int) string {
+	return "v" + strconv.Itoa(idx)
+}
+
+// braceIndices returns the first level curly brace indices from a string.
+// This function is a copy of braceIndices func from the gorilla/mux library.
+// https://github.com/containous/mux/tree/8ffa4f6d063c1e2b834a73be6a1515cca3992618.
+func braceIndices(s string) ([]int, error) {
+	var level, idx int
+	var idxs []int
+	for i := 0; i < len(s); i++ {
+		switch s[i] {
+		case '{':
+			if level++; level == 1 {
+				idx = i
+			}
+		case '}':
+			if level--; level == 0 {
+				idxs = append(idxs, idx, i+1)
+			} else if level < 0 {
+				return nil, fmt.Errorf("mux: unbalanced braces in %q", s)
+			}
+		}
+	}
+	if level != 0 {
+		return nil, fmt.Errorf("mux: unbalanced braces in %q", s)
+	}
+	return idxs, nil
+}

pkg/muxer/tcp/mux.go

@@ -41,8 +41,9 @@ func NewConnData(serverName string, conn tcp.WriteCloser, alpnProtos []string) (
 
 // Muxer defines a muxer that handles TCP routing with rules.
 type Muxer struct {
-	routes routes
-	parser predicate.Parser
+	routes   routes
+	parser   predicate.Parser
+	parserV2 predicate.Parser
 }
 
 // NewMuxer returns a TCP muxer.
@@ -57,7 +58,20 @@ func NewMuxer() (*Muxer, error) {
 		return nil, fmt.Errorf("error while creating rules parser: %w", err)
 	}
 
-	return &Muxer{parser: parser}, nil
+	var matchersV2 []string
+	for matcher := range tcpFuncsV2 {
+		matchersV2 = append(matchersV2, matcher)
+	}
+
+	parserV2, err := rules.NewParser(matchersV2)
+	if err != nil {
+		return nil, fmt.Errorf("error while creating v2 rules parser: %w", err)
+	}
+
+	return &Muxer{
+		parser:   parser,
+		parserV2: parserV2,
+	}, nil
 }
 
 // Match returns the handler of the first route matching the connection metadata,
@@ -106,10 +120,26 @@ func GetRulePriority(rule string) int {
 
 // AddRoute adds a new route, associated to the given handler, at the given
 // priority, to the muxer.
-func (m *Muxer) AddRoute(rule string, priority int, handler tcp.Handler) error {
-	parse, err := m.parser.Parse(rule)
-	if err != nil {
-		return fmt.Errorf("error while parsing rule %s: %w", rule, err)
+func (m *Muxer) AddRoute(rule string, syntax string, priority int, handler tcp.Handler) error {
+	var parse interface{}
+	var err error
+	var matcherFuncs map[string]func(*matchersTree, ...string) error
+
+	switch syntax {
+	case "v2":
+		parse, err = m.parserV2.Parse(rule)
+		if err != nil {
+			return fmt.Errorf("error while parsing rule %s: %w", rule, err)
+		}
+
+		matcherFuncs = tcpFuncsV2
+	default:
+		parse, err = m.parser.Parse(rule)
+		if err != nil {
+			return fmt.Errorf("error while parsing rule %s: %w", rule, err)
+		}
+
+		matcherFuncs = tcpFuncs
 	}
 
 	buildTree, ok := parse.(rules.TreeBuilder)
@@ -120,7 +150,7 @@ func (m *Muxer) AddRoute(rule string, priority int, handler tcp.Handler) error {
 	ruleTree := buildTree()
 
 	var matchers matchersTree
-	err = matchers.addRule(ruleTree)
+	err = matchers.addRule(ruleTree, matcherFuncs)
 	if err != nil {
 		return fmt.Errorf("error while adding rule %s: %w", rule, err)
 	}
@@ -155,6 +185,9 @@ func ParseHostSNI(rule string) ([]string, error) {
 	for matcher := range tcpFuncs {
 		matchers = append(matchers, matcher)
 	}
+	for matcher := range tcpFuncsV2 {
+		matchers = append(matchers, matcher)
+	}
 
 	parser, err := rules.NewParser(matchers)
 	if err != nil {
@@ -237,25 +270,27 @@ func (m *matchersTree) match(meta ConnData) bool {
 	}
 }
 
-func (m *matchersTree) addRule(rule *rules.Tree) error {
+type matcherFuncs map[string]func(*matchersTree, ...string) error
+
+func (m *matchersTree) addRule(rule *rules.Tree, funcs matcherFuncs) error {
 	switch rule.Matcher {
 	case "and", "or":
 		m.operator = rule.Matcher
 		m.left = &matchersTree{}
-		err := m.left.addRule(rule.RuleLeft)
+		err := m.left.addRule(rule.RuleLeft, funcs)
 		if err != nil {
 			return err
 		}
 
 		m.right = &matchersTree{}
-		return m.right.addRule(rule.RuleRight)
+		return m.right.addRule(rule.RuleRight, funcs)
 	default:
 		err := rules.CheckRule(rule)
 		if err != nil {
 			return err
 		}
 
-		err = tcpFuncs[rule.Matcher](m, rule.Value...)
+		err = funcs[rule.Matcher](m, rule.Value...)
 		if err != nil {
 			return err
 		}

pkg/muxer/tcp/mux_test.go

@@ -277,7 +277,7 @@ func Test_addTCPRoute(t *testing.T) {
 			router, err := NewMuxer()
 			require.NoError(t, err)
 
-			err = router.AddRoute(test.rule, 0, handler)
+			err = router.AddRoute(test.rule, "", 0, handler)
 			if test.routeErr {
 				require.Error(t, err)
 				return
@@ -447,7 +447,7 @@ func Test_Priority(t *testing.T) {
 			matchedRule := ""
 			for rule, priority := range test.rules {
 				rule := rule
-				err := muxer.AddRoute(rule, priority, tcp.HandlerFunc(func(conn tcp.WriteCloser) {
+				err := muxer.AddRoute(rule, "", priority, tcp.HandlerFunc(func(conn tcp.WriteCloser) {
 					matchedRule = rule
 				}))
 				require.NoError(t, err)