feat: added sanitization for route expressions (#1731)

* feat: added sanitization for route expressions

* fix: added some fixes and integration tests

* tests: removed integration tests for now

* ci: added router_flavour in ci

* tests: corrected test-utils

* ci: corrected kong setup script

* tests: corrected test-utils

* tests: skipping older tests when router_flavour=expressions

* tests: corrected test-utils

* fix: improved expression sanitisation

* tests: added test-case for not operator

Author: Prashansa-K

.ci/setup_kong_ee.sh

@@ -62,6 +62,8 @@ KlBs7O9y+fc4AIIn6JD+9tymB1TWEn1B+3Vv6jmtzbztuCQTbJ6rTT3CFcE6TdyJ
 readonly KONG_IMAGE=${KONG_IMAGE:-kong/kong-gateway}
 readonly GATEWAY_CONTAINER_NAME=kong
 
+KONG_ROUTER_FLAVOR=${KONG_ROUTER_FLAVOR:-'traditional_compatible'}
+
 initNetwork
 initDb
 initMigrations "${KONG_IMAGE}" \
@@ -78,6 +80,7 @@ docker run \
     -e "KONG_LICENSE_DATA=$KONG_LICENSE_DATA" \
     -e "MY_SECRET_CERT=$MY_SECRET_CERT" \
     -e "MY_SECRET_KEY=$MY_SECRET_KEY" \
+    -e "KONG_ROUTER_FLAVOR=${KONG_ROUTER_FLAVOR}" \
     -p 8000:8000 \
     -p 8443:8443 \
     -p 8001:8001 \

.github/workflows/integration-enterprise.yaml

@@ -28,9 +28,13 @@ jobs:
         - 'kong/kong-gateway:3.10'
         - 'kong/kong-gateway:3.11'
         - 'kong/kong-gateway-dev:latest'
+        router_flavor:
+          - 'traditional_compatible'
+          - 'expressions'
     env:
       KONG_ANONYMOUS_REPORTS: "off"
       KONG_IMAGE: ${{ matrix.kong_image }}
+      KONG_ROUTER_FLAVOR: ${{ matrix.router_flavor }}
 
     runs-on: ubuntu-latest
     steps:

sanitize/custom_entity_specific.go

@@ -24,6 +24,7 @@ var (
 	FCertificate  = "FCertificate"
 	CACertificate = "CACertificate"
 	Key           = "Key"
+	Route         = "Route"
 )
 
 func (s *Sanitizer) handleEntity(entityName string, fieldValue reflect.Value) error {
@@ -38,6 +39,8 @@ func (s *Sanitizer) handleEntity(entityName string, fieldValue reflect.Value) er
 		return s.handleCACertificate(fieldValue)
 	case Key:
 		return s.handleKey(fieldValue)
+	case Route:
+		return s.handleRoute(fieldValue)
 	default:
 		return fmt.Errorf("no specific handler for entity: %s", entityName)
 	}
@@ -119,6 +122,23 @@ func (s *Sanitizer) handleKey(fieldValue reflect.Value) error {
 	return s.setFieldValue(fieldValue, *sanitisedKey, Key)
 }
 
+func (s *Sanitizer) handleRoute(fieldValue reflect.Value) error {
+	route := fieldValue.Interface().(kong.Route)
+
+	if route.Expression == nil {
+		// If the route does not have an expression, we can proceed with normal sanitization
+		return nil
+	}
+
+	sanitizedRoute := route.DeepCopy()
+	originalExpression := *route.Expression
+	sanitizedExpression := s.sanitizeExpression(originalExpression)
+	s.sanitizedMap[originalExpression] = sanitizedExpression
+	sanitizedRoute.Expression = &sanitizedExpression
+
+	return s.setFieldValue(fieldValue, *sanitizedRoute, Route)
+}
+
 // generateTestCertAndKey generates a test certificate and key pair.
 // It returns the certificate PEM, key PEM, and certificate digest.
 // If isCA is true, it generates a CA certificate; otherwise, it generates a regular certificate.

sanitize/exempts.go

@@ -18,7 +18,7 @@ var entityLevelExemptedFields = map[string]map[string]struct{}{
 	"Partial":             {"Type": {}},
 	"PartialLink":         {"Path": {}},
 	"Plugin":              {"Name": {}},
-	"Route":               {"Methods": {}},
+	"Route":               {"Methods": {}, "Expression": {}},
 
 	// Special handling
 	"CACertificate": {"Cert": {}, "CertDigest": {}},
@@ -53,6 +53,7 @@ var entitiesToHandleDifferently = map[string]struct{}{
 	"CACertificate": {},
 	"FCertificate":  {},
 	"Key":           {},
+	"Route":         {},
 }
 
 // dynamically generated maps of exempted fields from schemas