CIDR bug fixes tied to matching patterns (#131)

jonessha · web-flow · commit 097b889ea983 · 2023-11-23T08:02:30.000-08:00
There were two bugs with CIDR:

    When an IP pattern was present and the incoming value was also an IP, we would convert the IP to a hex string before performing matching. Problem with this was that if there was also a rule present that used anything-but on this same field, the anything-but would always be satisfied, since the anything-but does not specify our internal hex format.
    When both a CIDR pattern and a numeric pattern were present and the incoming value was an IP, we would attempt to convert to a numeric value first, which would fail, and cause us to skip over CIDR matching and go straight to String matching.



* Fixing two bugs with CIDR matching

* Fixing indentation
diff --git a/pom.xml b/pom.xml
@@ -20,7 +20,7 @@
   <groupId>software.amazon.event.ruler</groupId>
   <artifactId>event-ruler</artifactId>
   <name>Event Ruler</name>
-  <version>1.6.0</version>
+  <version>1.7.0</version>
   <description>Event Ruler is a Java library that allows matching Rules to Events. An event is a list of fields,
     which may be given as name/value pairs or as a JSON object. A rule associates event field names with lists of
     possible values. There are two reasons to use Ruler: 1/ It's fast; the time it takes to match Events doesn't
diff --git a/src/main/software/amazon/event/ruler/ByteMachine.java b/src/main/software/amazon/event/ruler/ByteMachine.java
@@ -88,33 +88,41 @@ class ByteMachine {
     // Multiple different next-namestate steps can result from  processing a single field value, for example
     //  "foot" matches "foot" exactly, "foo" as a prefix, and "hand" as an anything-but.  So, this
     //  method returns a list.
-    Set<NameStateWithPattern> transitionOn(String valString) {
+    Set<NameStateWithPattern> transitionOn(final String valString) {
 
         // not thread-safe, but this is only used in the scope of this method on one thread
         final Set<NameStateWithPattern> transitionTo = new HashSet<>();
-        boolean fieldValueIsNumeric = false;
-        if (hasNumeric.get() > 0) {
-            try {
-                final double numerically = JavaDoubleParser.parseDouble(valString);
-                valString = ComparableNumber.generate(numerically);
-                fieldValueIsNumeric = true;
-            } catch (Exception e) {
-                // no-op, couldn't treat this as a sensible number
-            }
-        } else if (hasIP.get() > 0) {
+
+        // Do CIDR matching if there is at least one IP pattern, then move on to NUMERIC or STRING matching below.
+        if (hasIP.get() > 0) {
             try {
-                // we'll try both the quoted and unquoted version to help people whose events aren't
-                //  in JSON
+                // we'll try both the quoted and unquoted version to help people whose events aren't in JSON
+                String ipString;
                 if (valString.startsWith("\"") && valString.endsWith("\"")) {
-                    valString = CIDR.ipToString(valString.substring(1, valString.length() -1));
+                    ipString = CIDR.ipToString(valString.substring(1, valString.length() -1));
                 } else {
-                    valString = CIDR.ipToString(valString);
+                    ipString = CIDR.ipToString(valString);
                 }
+                doTransitionOn(ipString, transitionTo, TransitionValueType.CIDR);
             } catch (IllegalArgumentException e) {
                 // no-op, couldn't treat this as an IP address
             }
         }
-        doTransitionOn(valString, transitionTo, fieldValueIsNumeric);
+
+        // Do just one of NUMERIC or STRING matching. Do NUMERIC if machine has numeric patterns and provided value
+        // is a number. Otherwise, do STRING. We'll still get the correct behavior even if there are both numeric and
+        // string patterns present as no value can satisfy both a numeric and a string pattern. This is due to string
+        // patterns starting/ending with a double quotation, where as numeric patterns never do.
+        if (hasNumeric.get() > 0) {
+            try {
+                final double numerically = JavaDoubleParser.parseDouble(valString);
+                doTransitionOn(ComparableNumber.generate(numerically), transitionTo, TransitionValueType.NUMERIC);
+                return transitionTo;
+            } catch (Exception e) {
+                // no-op, couldn't treat this as a sensible number
+            }
+        }
+        doTransitionOn(valString, transitionTo, TransitionValueType.STRING);
         return transitionTo;
     }
 
@@ -454,7 +462,7 @@ private void checkAndDeleteStateAlongTraversedPath(
     }
 
     private void doTransitionOn(final String valString, final Set<NameStateWithPattern> transitionTo,
-                                boolean fieldValueIsNumeric) {
+                                TransitionValueType valueType) {
         final Map<NameState, List<Patterns>> failedAnythingButs = new HashMap<>();
         final byte[] val = valString.getBytes(StandardCharsets.UTF_8);
 
@@ -490,7 +498,7 @@ private void doTransitionOn(final String valString, final Set<NameStateWithPatte
                             break;
                         case NUMERIC_EQ:
                             // only matches at last character
-                            if (fieldValueIsNumeric && valIndex == (val.length - 1)) {
+                            if (valueType == TransitionValueType.NUMERIC && valIndex == (val.length - 1)) {
                                 transitionTo.add(new NameStateWithPattern(match.getNextNameState(), match.getPattern()));
                             }
                             break;
@@ -510,15 +518,17 @@ private void doTransitionOn(final String valString, final Set<NameStateWithPatte
                         case NUMERIC_RANGE:
                             // as soon as you see the match, you've matched
                             Range range = (Range) match.getPattern();
-                            if ((fieldValueIsNumeric && !range.isCIDR) || (!fieldValueIsNumeric && range.isCIDR)) {
+                            if ((valueType == TransitionValueType.NUMERIC && !range.isCIDR) ||
+                                    (valueType != TransitionValueType.NUMERIC && range.isCIDR)) {
                                 transitionTo.add(new NameStateWithPattern(match.getNextNameState(), match.getPattern()));
                             }
                             break;
 
                         case ANYTHING_BUT:
                             AnythingBut anythingBut = (AnythingBut) match.getPattern();
                             // only applies if at last character
-                            if (valIndex == (val.length - 1) && anythingBut.isNumeric() == fieldValueIsNumeric) {
+                            if (valIndex == (val.length - 1) &&
+                                    anythingBut.isNumeric() == (valueType == TransitionValueType.NUMERIC)) {
                                 addToAnythingButsMap(failedAnythingButs, match.getNextNameState(), match.getPattern());
                             }
                             break;
@@ -546,8 +556,9 @@ private void doTransitionOn(final String valString, final Set<NameStateWithPatte
         }
 
         // This may look like premature optimization, but the first "if" here yields roughly 10x performance
-        // improvement.
-        if (!anythingButs.isEmpty()) {
+        // improvement. We exclude CIDR because the value will have been transformed, causing the anythingBut to always
+        // match. Wait for NUMERIC or STRING matching to harvest anythingBut matches.
+        if (!anythingButs.isEmpty() && valueType != TransitionValueType.CIDR) {
             for (Map.Entry<NameState, List<Patterns>> entry : anythingButs.entrySet()) {
                 boolean failedAnythingButsContainsKey = failedAnythingButs.containsKey(entry.getKey());
                 for (Patterns pattern : entry.getValue()) {
@@ -1835,7 +1846,7 @@ private static ByteTransition getTransitionForMultiBytes(SingleByteTransition tr
         return coalesce(candidates);
     }
 
-    private static void addTransitionNextState(ByteState state, InputCharacter character, InputCharacter[] characters,
+    private void addTransitionNextState(ByteState state, InputCharacter character, InputCharacter[] characters,
                                                int currentIndex, ByteState prevState, Patterns pattern,
                                                ByteState nextState, NameState nameState) {
         if (isWildcard(character)) {
@@ -2088,4 +2099,10 @@ public String toString() {
                 ", anythingButs=" + anythingButs +
                 '}';
     }
+
+    enum TransitionValueType {
+        NUMERIC,
+        CIDR,
+        STRING
+    };
 }
diff --git a/src/test/software/amazon/event/ruler/ACMachineTest.java b/src/test/software/amazon/event/ruler/ACMachineTest.java
@@ -2308,4 +2308,95 @@ public void testInitialSharedNameStateAlreadyExistsWithNonLeadingValue() throws
         assertEquals(1, matches.size());
         assertTrue(matches.contains("rule2"));
     }
+
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": \"10.0.1.200\"}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForJSONEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButPrefixRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": {\"prefix\": \"10.0.\"}}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForJSONEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButSuffixRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": {\"suffix\": \"1.200\"}}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForJSONEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButEqualsIgnoreCaseRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": {\"equals-ignore-case\": \"10.0.1.200\"}}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForJSONEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithNumericRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"numeric\": [\">\", 0, \"<=\", 5]}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForJSONEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
 }
diff --git a/src/test/software/amazon/event/ruler/MachineTest.java b/src/test/software/amazon/event/ruler/MachineTest.java
@@ -2168,6 +2168,96 @@ public void testInitialSharedNameStateAlreadyExistsWithNonLeadingValue() throws
         assertTrue(matches.contains("rule2"));
     }
 
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": \"10.0.1.200\"}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButPrefixRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": {\"prefix\": \"10.0.\"}}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButSuffixRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": {\"suffix\": \"1.200\"}}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithMatchingAnythingButEqualsIgnoreCaseRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"anything-but\": {\"equals-ignore-case\": \"10.0.1.200\"}}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
+    @Test
+    public void testCIDRRuleWithNumericRule() throws Exception {
+        String rule1 = "{\"ip\": [{\"numeric\": [\">\", 0, \"<=\", 5]}]}";
+        String rule2 = "{\"ip\": [\"10.0.1.200\"]}";
+
+        Machine machine = new Machine();
+        machine.addRule("rule1", rule1);
+        machine.addRule("rule2", rule2);
+
+        String event = "{" +
+                "\"ip\": \"10.0.1.200\"" +
+        "}";
+
+        List<String> matches = machine.rulesForEvent(event);
+        assertEquals(1, matches.size());
+        assertTrue(matches.contains("rule2"));
+    }
+
     @Test
     public void testApproxSizeForSimplestPossibleMachine() throws Exception {
         String rule1 = "{ \"a\" : [ 1 ] }";
