Add glob pattern helper that handles multiple alternative boundaries

4 files changed, 205 insertions, 35 deletions

diff --git a/security-utils/pom.xml b/security-utils/pom.xml
index b7c7c110ad8..39a52fb12db 100644
--- a/security-utils/pom.xml
+++ b/security-utils/pom.xml
@@ -60,6 +60,16 @@
       <artifactId>mockito-core</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.vintage</groupId>
+      <artifactId>junit-vintage-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <plugins>
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
new file mode 100644
index 00000000000..30d4186f8a5
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/GlobPattern.java
@@ -0,0 +1,82 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls.policy;
+
+import java.util.Arrays;
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/**
+ * Matching engine for glob patterns having where one ore more alternative characters acts a boundary for wildcard matching.
+ *
+ * @author bjorncs
+ */
+class GlobPattern {
+    private final String pattern;
+    private final char[] boundaries;
+    private final Pattern regexPattern;
+
+    GlobPattern(String pattern, char[] boundaries) {
+        this.pattern = pattern;
+        this.boundaries = boundaries;
+        this.regexPattern = toRegexPattern(pattern, boundaries);
+    }
+
+    boolean matches(String value) { return regexPattern.matcher(value).matches(); }
+
+    String asString() { return pattern; }
+    Pattern regexPattern() { return regexPattern; }
+    char[] boundaries() { return boundaries; }
+
+    private static Pattern toRegexPattern(String pattern, char[] boundaries) {
+        StringBuilder builder = new StringBuilder("^");
+        StringBuilder precedingCharactersToQuote = new StringBuilder();
+        char[] chars = pattern.toCharArray();
+        for (char c : chars) {
+            if (c == '?' || c == '*') {
+                builder.append(quotePrecedingLiteralsAndReset(precedingCharactersToQuote));
+                // Note: we explicitly stop matching at a separator boundary.
+                // This is to make matching less vulnerable to dirty tricks (e.g dot as boundary for hostnames).
+                // Same applies for single chars; they should only match _within_ a boundary.
+                builder.append("[^").append(Pattern.quote(new String(boundaries))).append("]");
+                if (c == '*') builder.append('*');
+            } else {
+                precedingCharactersToQuote.append(c);
+            }
+        }
+        return Pattern.compile(builder.append(quotePrecedingLiteralsAndReset(precedingCharactersToQuote)).append('$').toString());
+    }
+
+    // Combines multiple subsequent literals inside a single quote to simplify produced regex patterns
+    private static String quotePrecedingLiteralsAndReset(StringBuilder literals) {
+        if (literals.length() > 0) {
+            String quoted = literals.toString();
+            literals.setLength(0);
+            return Pattern.quote(quoted);
+        }
+        return "";
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        GlobPattern that = (GlobPattern) o;
+        return Objects.equals(pattern, that.pattern) && Arrays.equals(boundaries, that.boundaries);
+    }
+
+    @Override
+    public int hashCode() {
+        int result = Objects.hash(pattern);
+        result = 31 * result + Arrays.hashCode(boundaries);
+        return result;
+    }
+
+    @Override
+    public String toString() {
+        return "GlobPattern{" +
+                "pattern='" + pattern + '\'' +
+                ", boundaries=" + Arrays.toString(boundaries) +
+                ", regexPattern=" + regexPattern +
+                '}';
+    }
+}
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java b/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
index fd9a233d609..d59052a48ef 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/policy/HostGlobPattern.java
@@ -2,60 +2,32 @@
 package com.yahoo.security.tls.policy;
 
 import java.util.Objects;
-import java.util.regex.Pattern;
 
 /**
  * @author bjorncs
  */
 class HostGlobPattern implements RequiredPeerCredential.Pattern {
 
-    private final String pattern;
-    private final Pattern regexPattern;
+    private final GlobPattern globPattern;
 
     HostGlobPattern(String pattern) {
-        this.pattern = pattern;
-        this.regexPattern = toRegexPattern(pattern);
+        this.globPattern = new GlobPattern(pattern, new char[] {'.'});
     }
 
     @Override
     public String asString() {
-        return pattern;
+        return globPattern.asString();
     }
 
     @Override
     public boolean matches(String hostString) {
-        return regexPattern.matcher(hostString).matches();
-    }
-
-    private static Pattern toRegexPattern(String pattern) {
-        StringBuilder builder = new StringBuilder("^");
-        for (char c : pattern.toCharArray()) {
-            if (c == '*') {
-                // Note: we explicitly stop matching at a dot separator boundary.
-                // This is to make host name matching less vulnerable to dirty tricks.
-                builder.append("[^.]*");
-            } else if (c == '?') {
-                // Same applies for single chars; they should only match _within_ a dot boundary.
-                builder.append("[^.]");
-            } else if (isRegexMetaCharacter(c)){
-                builder.append("\\");
-                builder.append(c);
-            } else {
-                builder.append(c);
-            }
-        }
-        builder.append('$');
-        return Pattern.compile(builder.toString());
-    }
-
-    private static boolean isRegexMetaCharacter(char c) {
-        return "<([{\\^-=$!|]})?*+.>".indexOf(c) != -1; // note: includes '?' and '*'
+        return globPattern.matches(hostString);
     }
 
     @Override
     public String toString() {
         return "HostGlobPattern{" +
-                "pattern='" + pattern + '\'' +
+                "pattern='" + globPattern + '\'' +
                 '}';
     }
 
@@ -64,11 +36,11 @@ class HostGlobPattern implements RequiredPeerCredential.Pattern {
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
         HostGlobPattern that = (HostGlobPattern) o;
-        return Objects.equals(pattern, that.pattern);
+        return Objects.equals(globPattern, that.globPattern);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(pattern);
+        return Objects.hash(globPattern);
     }
 }
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java b/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java
new file mode 100644
index 00000000000..bd51799980c
--- /dev/null
+++ b/security-utils/src/test/java/com/yahoo/security/tls/policy/GlobPatternTest.java
@@ -0,0 +1,106 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls.policy;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.Arrays;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * @author bjorncs
+ */
+class GlobPatternTest {
+
+    @Test
+    public void glob_without_wildcards_matches_entire_string() {
+        assertMatches("foo", ".", "foo");
+        assertNotMatches("foo", ".", "fooo");
+        assertNotMatches("foo", ".", "ffoo");
+        assertPatternHasRegex("foo", ".", "^\\Qfoo\\E$");
+    }
+
+    @Test
+    public void wildcard_glob_can_match_prefix() {
+        assertMatches("foo*", ".", "foo");
+        assertMatches("foo*", ".", "foobar");
+        assertNotMatches("foo*", ".", "ffoo");
+    }
+
+    @Test
+    public void wildcard_glob_can_match_suffix() {
+        assertMatches("*foo", ".", "foo");
+        assertMatches("*foo", ".", "ffoo");
+        assertNotMatches("*foo", ".", "fooo");
+    }
+
+    @Test
+    public void wildcard_glob_can_match_substring() {
+        assertMatches("f*o", ".", "fo");
+        assertMatches("f*o", ".", "foo");
+        assertMatches("f*o", ".", "ffoo");
+        assertNotMatches("f*o", ".", "boo");
+    }
+
+    @Test
+    public void wildcard_glob_does_not_cross_multiple_dot_delimiter_boundaries() {
+        assertMatches("*.bar.baz", ".", "foo.bar.baz");
+        assertMatches("*.bar.baz", ".", ".bar.baz");
+        assertNotMatches("*.bar.baz", ".", "zoid.foo.bar.baz");
+        assertMatches("foo.*.baz", ".", "foo.bar.baz");
+        assertNotMatches("foo.*.baz", ".", "foo.bar.zoid.baz");
+
+        assertPatternHasRegex("*.bar.baz", ".", "^[^\\Q.\\E]*\\Q.bar.baz\\E$");
+    }
+
+    @Test
+    public void single_char_glob_matches_non_dot_characters() {
+        assertMatches("f?o", ".", "foo");
+        assertNotMatches("f?o", ".", "fooo");
+        assertNotMatches("f?o", ".", "ffoo");
+        assertNotMatches("f?o", ".", "f.o");
+    }
+
+    @Test
+    public void other_regex_meta_characters_are_matched_as_literal_characters() {
+        String literals = "<([{\\^-=$!|]})+.>";
+        assertMatches(literals, ".", literals);
+        assertPatternHasRegex(literals, ".", "^\\Q<([{\\^-=$!|]})+.>\\E$");
+    }
+
+    @Test
+    public void handles_patterns_with_multiple_alternative_boundaries() {
+        assertMatches("https://*.vespa.ai/", "./", "https://docs.vespa.ai/");
+        assertMatches("https://vespa.ai/*.world", "./", "https://vespa.ai/hello.world");
+        assertNotMatches("https://vespa.ai/*/", "./", "https://vespa.ai/hello.world/");
+        assertMatches("https://vespa.ai/*/index.html", "./", "https://vespa.ai/path/index.html");
+    }
+
+    private void assertMatches(String pattern, String boundaries, String value) {
+        GlobPattern p = globPattern(pattern, boundaries);
+        assertTrue(
+                p.matches(value),
+                () -> String.format("Expected '%s' with boundaries '%s' to match '%s'",
+                        pattern, Arrays.toString(p.boundaries()), value));
+    }
+
+    private void assertNotMatches(String pattern, String boundaries, String value) {
+        GlobPattern p = globPattern(pattern, boundaries);
+        assertFalse(
+                p.matches(value),
+                () -> String.format("Expected '%s' with boundaries '%s' to not match '%s'",
+                        pattern, Arrays.toString(p.boundaries()), value));
+    }
+
+    private void assertPatternHasRegex(String pattern, String boundaries, String expectedPattern) {
+        GlobPattern p = globPattern(pattern, boundaries);
+        assertEquals(expectedPattern, p.regexPattern().pattern());
+    }
+
+    private static GlobPattern globPattern(String pattern, String boundaries) {
+        return new GlobPattern(pattern, boundaries.toCharArray());
+    }
+
+}
\ No newline at end of file