netrules

package
v0.4.0
Warning

This package is not in the latest version of its module.

Published: Mar 19, 2026 License: MIT Imports: 4 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func Check

func Check(policy string, hostRules []HostRules, host string, port int, method, path string, hostMatches HostMatcher) bool

Check is the single entry point for request-level rule evaluation. It determines whether a request to host:port with the given method and path is allowed under the given policy and rules.

Evaluation order:

  1. Find matching host entry using hostMatches
  2. If host has no sub-rules → allowed (host-level entry)
  3. If host has sub-rules → evaluate in order, first match wins
  4. No rule match → fall through to policy default (strict=deny, permissive=allow)
  5. No host entry → fall through to policy default

func EvaluateRules

func EvaluateRules(rules []Rule, method, path string) string

EvaluateRules evaluates an ordered list of rules against a request method and path. Returns "allow", "deny", or "" (no rule matched — fall through to policy default). First matching rule wins.

func MatchPath

func MatchPath(pattern, reqPath string) bool

MatchPath checks if a request path matches a pattern. Patterns support:

  • "*" matches a single path segment
  • "**" matches zero or more path segments

Paths are normalized before matching (double slashes collapsed, trailing slashes removed, dot segments resolved). Query strings should be stripped before calling this function.
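The first-match-wins evaluation documented for EvaluateRules and the pattern semantics documented for MatchPath, as an added stand-alone sketch that is not the package's own code. The `rule` type, `segments`, `matchSegs`, `evaluate` and the sample rules are hypothetical; exact method comparison and normalization via `path.Clean` are assumptions. It shows why normalization matters for policy: `/repos/../admin` resolves to `/admin`, so it cannot match an allow rule for `/repos/**` and falls through to the policy default.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// rule is local to this sketch; its fields follow the documented Rule.
type rule struct{ action, method, pattern string }

// segments normalizes a path or pattern (assumed: path.Clean collapses "//",
// drops the trailing "/", resolves dot segments) and splits it into segments.
func segments(p string) []string {
	if p = path.Clean("/" + p); p == "/" {
		return nil
	}
	return strings.Split(p[1:], "/")
}

// matchSegs: "*" consumes exactly one segment, "**" zero or more.
func matchSegs(pat, req []string) bool {
	if len(pat) == 0 {
		return len(req) == 0
	}
	if pat[0] == "**" { // either match zero segments, or swallow one and retry
		return matchSegs(pat[1:], req) || (len(req) > 0 && matchSegs(pat, req[1:]))
	}
	return len(req) > 0 && (pat[0] == "*" || pat[0] == req[0]) && matchSegs(pat[1:], req[1:])
}

// evaluate returns the first matching rule's action, or "" to fall through
// to the policy default (strict=deny, permissive=allow).
func evaluate(rules []rule, method, reqPath string) string {
	for _, r := range rules {
		if (r.method == "*" || r.method == method) && matchSegs(segments(r.pattern), segments(reqPath)) {
			return r.action
		}
	}
	return ""
}

func main() {
	// Constructed sample rules: the narrow deny must precede the broad allow.
	rules := []rule{{"deny", "*", "/repos/*/secrets/**"}, {"allow", "GET", "/repos/**"}}
	for _, p := range []string{"/repos/a/b", "/repos/a/secrets/k", "/repos/../admin"} {
		fmt.Printf("%-20s -> %q\n", p, evaluate(rules, "GET", p))
	}
}
```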

Types

type HostMatcher

type HostMatcher func(pattern, host string, port int) bool

HostMatcher checks if a host pattern matches a given host:port. This is provided by the caller (proxy package) to avoid importing proxy internals.

type HostRules

type HostRules struct {
	Host  string `json:"host"`            // host pattern (e.g., "api.github.com", "*.example.com")
	Rules []Rule `json:"rules,omitempty"` // ordered rules; empty means host-level allow/deny only
}

HostRules holds the parsed rules for a single host entry.

type NetworkRuleEntry

type NetworkRuleEntry struct {
	HostRules
}

NetworkRuleEntry is the YAML representation of a single entry in network.rules. It handles both plain host strings and host-with-rules maps.

func (*NetworkRuleEntry) UnmarshalYAML

func (e *NetworkRuleEntry) UnmarshalYAML(value *yaml.Node) error

UnmarshalYAML handles both "host" strings and {"host": ["rule", ...]} maps.

type Rule

type Rule struct {
	Action      string `json:"action"`       // "allow" or "deny"
	Method      string `json:"method"`       // HTTP method or "*"
	PathPattern string `json:"path_pattern"` // glob path pattern starting with "/"
}

Rule represents a parsed HTTP request rule (e.g., "allow GET /repos/*").

func ParseRule

func ParseRule(s string) (Rule, error)

ParseRule parses a rule string like "allow GET /repos/*" into a Rule.
