refactor rules engine for key value structure with spec compliance (#61)

* add http token parsing

* add parsing hosts

* parse path

* update names to reflect we're pattern parsing

* wildcard tests

* implement top level matching

* don't reverse host pattern while parsing

* use the logger

* update proxy server tests to match new syntax

* remove trailing * support for hostname

* update usage in error messages

* update cli examples

* adding curl test to debug separate issue in ci

* Revert "adding curl test to debug separate issue in ci"

This reverts commit f743e6a.

* update e2e test to use key/value syntax

* remove superfluous interface from old impl

* split engine and rules code into separate files to make easier to read through

* mutate rest in parse allow rule to make pattern clearer

* mutate rest throughout rules

* don't allow comma separated rules

* remove custom parsed types in favor of stringly typed api

* adding e2e tests on allow rules progress

* update parsing to allow multiple paths in rule

* add multiple subdomains test

* update e2e tests

* whoops clean

* update error message in proxy

* fix url parsing when scheme missing

* test: add extra tests

* refactor: avoid unnecessary recursion

* test: add extra tests

---------

Co-authored-by: YEVHENII SHCHERBINA <[email protected]>

Author: bcpeinhardt

README.md

@@ -25,12 +25,12 @@ curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | ba
 
 ```bash
 # Allow only requests to github.com
-boundary --allow "github.com" -- curl https://github.com
+boundary --allow "domain=github.com" -- curl https://github.com
 
 # Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub
 boundary \
-  --allow "github.com/api/issues/*" \
-  --allow "GET,HEAD github.com" \
+  --allow "domain=github.com path=/api/issues/*" \
+  --allow "method=GET,HEAD domain=github.com" \
   -- npm install
 
 # Default deny-all: everything is blocked unless explicitly allowed
@@ -41,25 +41,30 @@ boundary -- curl https://example.com
 
 ### Format
 ```text
---allow "pattern"                    # All HTTP methods allowed
---allow "METHOD[,METHOD] pattern"    # Specific methods only
+--allow "key=value [key=value ...]"
 ```
 
+**Keys:**
+- `method` - HTTP method(s), comma-separated (GET, POST, etc.)
+- `domain` - Domain/hostname pattern
+- `path` - URL path pattern(s), comma-separated
+
 ### Examples
 ```bash
-boundary --allow "github.com" -- git pull
-boundary --allow "*.github.com" -- npm install           # GitHub subdomains
-boundary --allow "api.*" -- ./app                        # Any API domain
-boundary --allow "GET,HEAD api.github.com" -- curl https://api.github.com
+boundary --allow "domain=github.com" -- git pull
+boundary --allow "domain=*.github.com" -- npm install           # GitHub subdomains
+boundary --allow "method=GET,HEAD domain=api.github.com" -- curl https://api.github.com
+boundary --allow "method=POST domain=api.example.com path=/users,/posts" -- ./app  # Multiple paths
+boundary --allow "path=/api/v1/*,/api/v2/*" -- curl https://api.example.com/api/v1/users
 ```
 
 Wildcards: `*` matches any characters. All traffic is denied unless explicitly allowed.
 
 ## Logging
 
 ```bash
-boundary --log-level info --allow "*" -- npm install     # Show all requests
-boundary --log-level debug --allow "github.com" -- git pull  # Debug info
+boundary --log-level info --allow "method=*" -- npm install     # Show all requests
+boundary --log-level debug --allow "domain=github.com" -- git pull  # Debug info
 ```
 
 **Log Levels:** `error`, `warn` (default), `info`, `debug`
@@ -70,10 +75,10 @@ When you can't or don't want to run with sudo privileges, use `--unprivileged`:
 
 ```bash
 # Run without network isolation (uses HTTP_PROXY/HTTPS_PROXY environment variables)
-boundary --unprivileged --allow "github.com" -- npm install
+boundary --unprivileged --allow "domain=github.com" -- npm install
 
 # Useful in containers or restricted environments
-boundary --unprivileged --allow "*.npmjs.org" --allow "registry.npmjs.org" -- npm install
+boundary --unprivileged --allow "domain=*.npmjs.org" --allow "domain=registry.npmjs.org" -- npm install
 ```
 
 **Unprivileged Mode:**

boundary.go

@@ -11,16 +11,16 @@ import (
 	"github.com/coder/boundary/audit"
 	"github.com/coder/boundary/jail"
 	"github.com/coder/boundary/proxy"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 type Config struct {
-	RuleEngine rules.Evaluator
-	Auditor    audit.Auditor
-	TLSConfig  *tls.Config
-	Logger     *slog.Logger
-	Jailer     jail.Jailer
-	ProxyPort  int
+	RuleEngine   rulesengine.Engine
+	Auditor      audit.Auditor
+	TLSConfig    *tls.Config
+	Logger       *slog.Logger
+	Jailer       jail.Jailer
+	ProxyPort    int
 	PprofEnabled bool
 	PprofPort    int
 }

cli/cli.go

@@ -16,7 +16,7 @@ import (
 	"github.com/coder/boundary"
 	"github.com/coder/boundary/audit"
 	"github.com/coder/boundary/jail"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 	"github.com/coder/boundary/tls"
 	"github.com/coder/boundary/util"
 	"github.com/coder/serpent"
@@ -43,10 +43,10 @@ func NewCommand() *serpent.Command {
 	// may be called something different when used as a subcommand / there will be a leading binary (i.e. `coder boundary` vs. `boundary`).
 	cmd.Long += `Examples:
   # Allow only requests to github.com
-  boundary --allow "github.com" -- curl https://github.com
+  boundary --allow "domain=github.com" -- curl https://github.com
 
   # Monitor all requests to specific domains (allow only those)
-  boundary --allow "github.com/api/issues/*" --allow "GET,HEAD github.com" -- npm install
+  boundary --allow "domain=github.com path=/api/issues/*" --allow "method=GET,HEAD domain=github.com" -- npm install
 
   # Block everything by default (implicit)`
 
@@ -171,14 +171,14 @@ func Run(ctx context.Context, config Config, args []string) error {
 	}
 
 	// Parse allow rules
-	allowRules, err := rules.ParseAllowSpecs(config.AllowStrings)
+	allowRules, err := rulesengine.ParseAllowSpecs(config.AllowStrings)
 	if err != nil {
 		logger.Error("Failed to parse allow rules", "error", err)
 		return fmt.Errorf("failed to parse allow rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(allowRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(allowRules, logger)
 
 	// Create auditor
 	auditor := audit.NewLogAuditor(logger)

e2e_tests/boundary_integration_test.go

@@ -70,8 +70,8 @@ func TestBoundaryIntegration(t *testing.T) {
 
 	// Start boundary process with sudo
 	boundaryCmd := exec.CommandContext(ctx, "/tmp/boundary-test",
-		"--allow", "dev.coder.com",
-		"--allow", "jsonplaceholder.typicode.com",
+		"--allow", "domain=dev.coder.com",
+		"--allow", "domain=jsonplaceholder.typicode.com",
 		"--log-level", "debug",
 		"--", "/bin/bash", "-c", "/usr/bin/sleep 10 && /usr/bin/echo 'Test completed'")
 
@@ -215,7 +215,7 @@ func TestContentLengthHeader(t *testing.T) {
 
 	// Start boundary process with sudo
 	boundaryCmd := exec.CommandContext(ctx, "/tmp/boundary-test",
-		"--allow", "example.com",
+		"--allow", "domain=example.com",
 		"--log-level", "debug",
 		"--", "/bin/bash", "-c", "/usr/bin/sleep 10 && /usr/bin/echo 'Test completed'")
 

e2e_tests/iptables_cleanup_test.go

@@ -50,8 +50,8 @@ func TestIPTablesCleanup(t *testing.T) {
 
 	// Start boundary process with sudo
 	boundaryCmd := exec.CommandContext(ctx, "/tmp/boundary-test",
-		"--allow", "dev.coder.com",
-		"--allow", "jsonplaceholder.typicode.com",
+		"--allow", "domain=dev.coder.com",
+		"--allow", "domain=jsonplaceholder.typicode.com",
 		"--log-level", "debug",
 		"--", "/bin/bash", "-c", "/usr/bin/sleep 10 && /usr/bin/echo 'Test completed'")
 

proxy/proxy.go

@@ -19,12 +19,12 @@ import (
 	"time"
 
 	"github.com/coder/boundary/audit"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 // Server handles HTTP and HTTPS requests with rule-based filtering
 type Server struct {
-	ruleEngine rules.Evaluator
+	ruleEngine rulesengine.Engine
 	auditor    audit.Auditor
 	logger     *slog.Logger
 	tlsConfig  *tls.Config
@@ -40,7 +40,7 @@ type Server struct {
 // Config holds configuration for the proxy server
 type Config struct {
 	HTTPPort     int
-	RuleEngine   rules.Evaluator
+	RuleEngine   rulesengine.Engine
 	Auditor      audit.Auditor
 	Logger       *slog.Logger
 	TLSConfig    *tls.Config
@@ -440,8 +440,8 @@ Request: %s %s
 Host: %s
 
 To allow this request, restart boundary with:
-  --allow "%s"                    # Allow all methods to this host
-  --allow "%s %s"          # Allow only %s requests to this host
+  --allow "domain=%s"                    # Allow all methods to this host
+  --allow "method=%s domain=%s"          # Allow only %s requests to this host
 
 For more help: https://github.com/coder/boundary
 `,

proxy/proxy_test.go

@@ -17,7 +17,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/boundary/audit"
-	"github.com/coder/boundary/rules"
+	"github.com/coder/boundary/rulesengine"
 )
 
 // mockAuditor is a simple mock auditor for testing
@@ -35,13 +35,13 @@ func TestProxyServerBasicHTTP(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}
@@ -116,13 +116,13 @@ func TestProxyServerBasicHTTPS(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}
@@ -143,7 +143,7 @@ func TestProxyServerBasicHTTPS(t *testing.T) {
 		Gid:       gid,
 	})
 	require.NoError(t, err)
-	
+
 	// Setup TLS to get cert path for jailer
 	tlsConfig, caCertPath, configDir, err := certManager.SetupTLSAndWriteCACert()
 	require.NoError(t, err)
@@ -212,13 +212,13 @@ func TestProxyServerCONNECT(t *testing.T) {
 	}))
 
 	// Create test rules (allow all for testing)
-	testRules, err := rules.ParseAllowSpecs([]string{"*"})
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
 	if err != nil {
 		t.Fatalf("Failed to parse test rules: %v", err)
 	}
 
 	// Create rule engine
-	ruleEngine := rules.NewRuleEngine(testRules, logger)
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
 
 	// Create mock auditor
 	auditor := &mockAuditor{}