refactor(rules): replace UrlRuleFilter with AccessRule; UrlRuleEvaluator uses UrlRuleRegistry as single source

- Delete UrlRuleFilter (HTTP filter used as a data container — wrong abstraction)
- UrlRuleEvaluator now takes UrlRuleRegistry directly; no configRules field
- UrlRuleAggregateFilter and RepositoryUrlRuleHook take UrlRuleRegistry
- StoreAndForwardReceivePackFactory drops List<UrlRuleFilter> parameter
- JettyConfigurationBuilder: buildUrlRuleFilters(provider) → buildConfigRules()
  returning List<AccessRule>; one AccessRule per (provider, pattern) entry
- GitProxyServletRegistrar seeds config rules via registry.seedFromConfig() once
  at startup before the provider loop
- Rename RepoRegistry → UrlRuleRegistry throughout
- Rule evaluation: firewall/iptables semantics — single ordered list, first match
  wins; fail-closed (no matching rule → NotAllowed)
- Remove OpenMode concept; proxy is always fail-closed
- Tests rewritten to use AccessRule + InMemoryUrlRuleRegistry

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: coopernetes

…s/gitproxy/db/CompositeRepoRegistry.java …itproxy/db/CompositeUrlRuleRegistry.javagit-proxy-java-core/src/main/java/org/finos/gitproxy/db/CompositeRepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/CompositeUrlRuleRegistry.java git-proxy-java-core/src/main/java/org/finos/gitproxy/db/CompositeRepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/CompositeUrlRuleRegistry.java

@@ -7,20 +7,20 @@
 import org.finos.gitproxy.db.model.AccessRule;
 
 /**
- * A {@link RepoRegistry} that merges read-only config-seeded rules (in-memory) with operator-managed rules (DB-backed).
- * CONFIG rules are never written to the database, so there are no stale duplicates across restarts.
+ * A {@link UrlRuleRegistry} that merges read-only config-seeded rules (in-memory) with operator-managed rules
+ * (DB-backed). CONFIG rules are never written to the database, so there are no stale duplicates across restarts.
  *
  * <ul>
  *   <li>Reads ({@link #findAll}, {@link #findEnabledForProvider}) return merged results sorted by {@code rule_order}.
  *   <li>Writes ({@link #save}, {@link #update}, {@link #delete}) delegate only to the DB registry.
  * </ul>
  */
-public class CompositeRepoRegistry implements RepoRegistry {
+public class CompositeUrlRuleRegistry implements UrlRuleRegistry {
 
-    private final RepoRegistry configRegistry;
-    private final RepoRegistry dbRegistry;
+    private final UrlRuleRegistry configRegistry;
+    private final UrlRuleRegistry dbRegistry;
 
-    public CompositeRepoRegistry(RepoRegistry configRegistry, RepoRegistry dbRegistry) {
+    public CompositeUrlRuleRegistry(UrlRuleRegistry configRegistry, UrlRuleRegistry dbRegistry) {
         this.configRegistry = configRegistry;
         this.dbRegistry = dbRegistry;
     }
@@ -47,9 +47,7 @@ public void delete(String id) {
 
     @Override
     public Optional<AccessRule> findById(String id) {
-        Optional<AccessRule> fromDb = dbRegistry.findById(id);
-        if (fromDb.isPresent()) return fromDb;
-        return configRegistry.findById(id);
+        return dbRegistry.findById(id).or(() -> configRegistry.findById(id));
     }
 
     @Override
@@ -64,8 +62,8 @@ public List<AccessRule> findEnabledForProvider(String provider) {
 
     /**
      * Re-seeds the in-memory config registry with a new set of CONFIG rules. DB-sourced rules are not affected. This
-     * override is necessary because the default {@link RepoRegistry#seedFromConfig} would incorrectly attempt to delete
-     * config rules via the DB registry.
+     * override is necessary because the default {@link UrlRuleRegistry#seedFromConfig} would incorrectly attempt to
+     * delete config rules via the DB registry.
      */
     @Override
     public void seedFromConfig(List<AccessRule> rules) {

git-proxy-java-core/src/main/java/org/finos/gitproxy/db/MongoStoreFactory.java

@@ -4,7 +4,7 @@
 import com.mongodb.client.MongoClients;
 import org.finos.gitproxy.db.mongo.MongoFetchStore;
 import org.finos.gitproxy.db.mongo.MongoPushStore;
-import org.finos.gitproxy.db.mongo.MongoRepoRegistry;
+import org.finos.gitproxy.db.mongo.MongoUrlRuleRegistry;
 import org.finos.gitproxy.permission.MongoRepoPermissionStore;
 import org.finos.gitproxy.permission.RepoPermissionStore;
 import org.finos.gitproxy.user.MongoUserStore;
@@ -39,9 +39,9 @@ public FetchStore fetchStore() {
         return store;
     }
 
-    /** Create and initialize a {@link RepoRegistry} backed by this factory's client. */
-    public RepoRegistry repoRegistry() {
-        MongoRepoRegistry store = new MongoRepoRegistry(client, databaseName);
+    /** Create and initialize a {@link UrlRuleRegistry} backed by this factory's client. */
+    public UrlRuleRegistry repoRegistry() {
+        MongoUrlRuleRegistry store = new MongoUrlRuleRegistry(client, databaseName);
         store.initialize();
         return store;
     }

…/org/finos/gitproxy/db/RepoRegistry.java …g/finos/gitproxy/db/UrlRuleRegistry.javagit-proxy-java-core/src/main/java/org/finos/gitproxy/db/RepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/UrlRuleRegistry.java git-proxy-java-core/src/main/java/org/finos/gitproxy/db/RepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/UrlRuleRegistry.java

@@ -11,7 +11,7 @@
  * <p>Rules seeded from YAML configuration have {@code source = CONFIG}; rules created via the REST API have
  * {@code source = DB}. Both are stored together and evaluated identically by the filter chain.
  */
-public interface RepoRegistry {
+public interface UrlRuleRegistry {
 
     /** Persist a new rule. */
     void save(AccessRule rule);

…s/gitproxy/db/jdbc/JdbcRepoRegistry.java …itproxy/db/jdbc/JdbcUrlRuleRegistry.javagit-proxy-java-core/src/main/java/org/finos/gitproxy/db/jdbc/JdbcRepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/jdbc/JdbcUrlRuleRegistry.java git-proxy-java-core/src/main/java/org/finos/gitproxy/db/jdbc/JdbcRepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/jdbc/JdbcUrlRuleRegistry.java

@@ -4,22 +4,22 @@
 import java.util.Map;
 import java.util.Optional;
 import javax.sql.DataSource;
-import org.finos.gitproxy.db.RepoRegistry;
+import org.finos.gitproxy.db.UrlRuleRegistry;
 import org.finos.gitproxy.db.jdbc.mapper.AccessRuleRowMapper;
 import org.finos.gitproxy.db.model.AccessRule;
 import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
 import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
 import org.springframework.jdbc.datasource.DataSourceTransactionManager;
 import org.springframework.transaction.support.TransactionTemplate;
 
-/** JDBC-backed {@link RepoRegistry}. Works with H2 and PostgreSQL. */
-public class JdbcRepoRegistry implements RepoRegistry {
+/** JDBC-backed {@link UrlRuleRegistry}. Works with H2 and PostgreSQL. */
+public class JdbcUrlRuleRegistry implements UrlRuleRegistry {
 
     private final DataSource dataSource;
     private final NamedParameterJdbcTemplate jdbc;
     private final TransactionTemplate tx;
 
-    public JdbcRepoRegistry(DataSource dataSource) {
+    public JdbcUrlRuleRegistry(DataSource dataSource) {
         this.dataSource = dataSource;
         this.jdbc = new NamedParameterJdbcTemplate(dataSource);
         this.tx = new TransactionTemplate(new DataSourceTransactionManager(dataSource));

git-proxy-java-core/src/main/java/org/finos/gitproxy/db/memory/InMemoryRepoRegistry.java

@@ -10,20 +10,20 @@
 import java.util.List;
 import java.util.Optional;
 import org.bson.Document;
-import org.finos.gitproxy.db.RepoRegistry;
+import org.finos.gitproxy.db.UrlRuleRegistry;
 import org.finos.gitproxy.db.model.AccessRule;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-/** MongoDB implementation of {@link RepoRegistry}. */
-public class MongoRepoRegistry implements RepoRegistry {
+/** MongoDB implementation of {@link UrlRuleRegistry}. */
+public class MongoUrlRuleRegistry implements UrlRuleRegistry {
 
-    private static final Logger log = LoggerFactory.getLogger(MongoRepoRegistry.class);
+    private static final Logger log = LoggerFactory.getLogger(MongoUrlRuleRegistry.class);
     private static final String COLLECTION_NAME = "access_rules";
 
     private final MongoDatabase database;
 
-    public MongoRepoRegistry(MongoClient mongoClient, String databaseName) {
+    public MongoUrlRuleRegistry(MongoClient mongoClient, String databaseName) {
         this.database = mongoClient.getDatabase(databaseName);
     }
 
@@ -53,7 +53,7 @@ public void delete(String id) {
     @Override
     public Optional<AccessRule> findById(String id) {
         Document doc = getCollection().find(Filters.eq("_id", id)).first();
-        return Optional.ofNullable(doc).map(MongoRepoRegistry::fromDocument);
+        return Optional.ofNullable(doc).map(MongoUrlRuleRegistry::fromDocument);
     }
 
     @Override

…gitproxy/db/mongo/MongoRepoRegistry.java …proxy/db/mongo/MongoUrlRuleRegistry.javagit-proxy-java-core/src/main/java/org/finos/gitproxy/db/mongo/MongoRepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/mongo/MongoUrlRuleRegistry.java git-proxy-java-core/src/main/java/org/finos/gitproxy/db/mongo/MongoRepoRegistry.java renamed to git-proxy-java-core/src/main/java/org/finos/gitproxy/db/mongo/MongoUrlRuleRegistry.java

@@ -5,16 +5,14 @@
 import static org.finos.gitproxy.git.GitClientUtils.sym;
 
 import java.util.Collection;
-import java.util.List;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
-import org.finos.gitproxy.db.RepoRegistry;
+import org.finos.gitproxy.db.UrlRuleRegistry;
 import org.finos.gitproxy.db.model.PushStep;
 import org.finos.gitproxy.db.model.StepStatus;
 import org.finos.gitproxy.provider.GitProxyProvider;
 import org.finos.gitproxy.servlet.filter.UrlRuleEvaluator;
-import org.finos.gitproxy.servlet.filter.UrlRuleFilter;
 
 /**
  * Pre-receive hook that enforces URL allow/deny rules in store-and-forward mode. Rule evaluation is delegated entirely
@@ -31,37 +29,20 @@ public class RepositoryUrlRuleHook implements GitProxyHook {
     private final ValidationContext validationContext;
     private final PushContext pushContext;
 
-    /** Open-mode constructor — no rules configured; always passes. Used in tests and simple setups. */
-    public RepositoryUrlRuleHook(PushContext pushContext) {
-        this(List.of(), null, null, null, pushContext);
-    }
-
     public RepositoryUrlRuleHook(
-            List<UrlRuleFilter> urlRuleFilters,
-            RepoRegistry repoRegistry,
+            UrlRuleRegistry urlRuleRegistry,
             GitProxyProvider provider,
             ValidationContext validationContext,
             PushContext pushContext) {
-        this.evaluator = new UrlRuleEvaluator(urlRuleFilters, repoRegistry, provider);
+        this.evaluator = new UrlRuleEvaluator(urlRuleRegistry, provider);
         this.validationContext = validationContext;
         this.pushContext = pushContext;
     }
 
     @Override
     public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
-        // Open mode: evaluator has no config rules and no registry
-        // (detected inside evaluator — returns OpenMode)
-
         String repoSlug = rp.getRepository().getConfig().getString("gitproxy", null, "repoSlug");
         if (repoSlug == null || repoSlug.isBlank()) {
-            // No repoSlug means we can't evaluate rules — fail closed
-            // Exception: if the evaluator is in pure open mode (no rules at all), allow it
-            UrlRuleEvaluator.Result probe = evaluator.evaluate(null, null, null, HttpOperation.PUSH);
-            if (probe instanceof UrlRuleEvaluator.Result.OpenMode) {
-                log.debug("No repoSlug and no rules configured — allowing push (open mode)");
-                recordPass();
-                return;
-            }
             log.warn("No repoSlug in repo config — cannot evaluate URL rules, blocking push (fail-closed)");
             blockPush(rp, commands, "Repository path unavailable");
             return;
@@ -84,12 +65,8 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
                 log.debug("Push allowed by rule: {}", a.ruleId());
                 recordPass();
             }
-            case UrlRuleEvaluator.Result.OpenMode m -> {
-                log.debug("Push allowed — open mode (no allow rules configured)");
-                recordPass();
-            }
             case UrlRuleEvaluator.Result.NotAllowed n -> {
-                log.debug("Push blocked — no allow rule matched");
+                log.debug("Push blocked — no rule matched");
                 blockPush(rp, commands, "Repository is not in the allow list");
             }
         }

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/RepositoryUrlRuleHook.java

@@ -21,12 +21,11 @@
 import org.finos.gitproxy.config.GpgConfig;
 import org.finos.gitproxy.config.SecretScanConfig;
 import org.finos.gitproxy.db.PushStore;
-import org.finos.gitproxy.db.RepoRegistry;
+import org.finos.gitproxy.db.UrlRuleRegistry;
 import org.finos.gitproxy.permission.RepoPermissionService;
 import org.finos.gitproxy.provider.BitbucketProvider;
 import org.finos.gitproxy.provider.GitProxyProvider;
 import org.finos.gitproxy.service.PushIdentityResolver;
-import org.finos.gitproxy.servlet.filter.UrlRuleFilter;
 
 /**
  * Factory that creates {@link ReceivePack} instances for store-and-forward push handling. Extracts credentials from the
@@ -50,8 +49,7 @@ public class StoreAndForwardReceivePackFactory implements ReceivePackFactory<Htt
     private final ApprovalGateway approvalGateway;
     private final String serviceUrl;
     private final Duration heartbeatInterval;
-    private final List<UrlRuleFilter> urlRuleFilters;
-    private final RepoRegistry repoRegistry;
+    private final UrlRuleRegistry urlRuleRegistry;
 
     /** Stop the validation hook chain after the first failure (see {@link ServerConfig#isFailFast()}). */
     private boolean failFast = false;
@@ -87,7 +85,6 @@ public StoreAndForwardReceivePackFactory(
                 approvalGateway,
                 null,
                 DEFAULT_HEARTBEAT_INTERVAL,
-                List.of(),
                 null);
     }
 
@@ -113,11 +110,9 @@ public StoreAndForwardReceivePackFactory(
                 approvalGateway,
                 serviceUrl,
                 heartbeatInterval,
-                List.of(),
                 null);
     }
 
-    /** Live-reload constructor with URL rule enforcement. */
     public StoreAndForwardReceivePackFactory(
             GitProxyProvider provider,
             Supplier<CommitConfig> commitConfigSupplier,
@@ -130,8 +125,7 @@ public StoreAndForwardReceivePackFactory(
             ApprovalGateway approvalGateway,
             String serviceUrl,
             Duration heartbeatInterval,
-            List<UrlRuleFilter> urlRuleFilters,
-            RepoRegistry repoRegistry) {
+            UrlRuleRegistry urlRuleRegistry) {
         this.provider = provider;
         this.commitConfigSupplier = commitConfigSupplier;
         this.diffScanConfigSupplier =
@@ -145,8 +139,7 @@ public StoreAndForwardReceivePackFactory(
         this.approvalGateway = approvalGateway;
         this.serviceUrl = serviceUrl;
         this.heartbeatInterval = heartbeatInterval != null ? heartbeatInterval : DEFAULT_HEARTBEAT_INTERVAL;
-        this.urlRuleFilters = urlRuleFilters != null ? urlRuleFilters : List.of();
-        this.repoRegistry = repoRegistry;
+        this.urlRuleRegistry = urlRuleRegistry;
     }
 
     @Override
@@ -241,7 +234,7 @@ public ReceivePack create(HttpServletRequest req, Repository db)
 
         // Build and sort the orderable validation hook list
         List<GitProxyHook> validationHooks = new ArrayList<>(List.of(
-                new RepositoryUrlRuleHook(urlRuleFilters, repoRegistry, provider, validationContext, pushContext),
+                new RepositoryUrlRuleHook(urlRuleRegistry, provider, validationContext, pushContext),
                 permissionHook,
                 identityVerificationHook,
                 new CheckEmptyBranchHook(pushContext),

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/StoreAndForwardReceivePackFactory.java

@@ -1,13 +1,14 @@
 package org.finos.gitproxy.provider;
 
 import java.util.List;
+import org.finos.gitproxy.db.UrlRuleRegistry;
 
 /**
  * Registry of configured git proxy providers. Keyed by the friendly name used as the config map key (e.g.
  * {@code github}, {@code internal-gitlab}), independent of the internal {@code type/host} provider ID used for request
  * routing.
  *
- * <p>Consistent with {@link org.finos.gitproxy.db.RepoRegistry} — a lookup/discovery mechanism, not a CRUD store.
+ * <p>Consistent with {@link UrlRuleRegistry} — a lookup/discovery mechanism, not a CRUD store.
  */
 public interface ProviderRegistry {