chore: restore old script based tests, good for quick local testing

Author: coopernetes

git-proxy-java-core/src/main/java/org/finos/gitproxy/servlet/filter/UrlRuleAggregateFilter.java

@@ -53,15 +53,6 @@ public UrlRuleAggregateFilter(
         this(order, ALL_OPERATIONS, provider, urlRuleFilters, pathPrefix, null, null);
     }
 
-    public UrlRuleAggregateFilter(
-            int order,
-            GitProxyProvider provider,
-            List<UrlRuleFilter> urlRuleFilters,
-            String pathPrefix,
-            FetchStore fetchStore) {
-        this(order, ALL_OPERATIONS, provider, urlRuleFilters, pathPrefix, fetchStore, null);
-    }
-
     public UrlRuleAggregateFilter(
             int order,
             GitProxyProvider provider,
@@ -72,16 +63,6 @@ public UrlRuleAggregateFilter(
         this(order, ALL_OPERATIONS, provider, urlRuleFilters, pathPrefix, fetchStore, repoRegistry);
     }
 
-    public UrlRuleAggregateFilter(
-            int order,
-            Set<HttpOperation> applicableOperations,
-            GitProxyProvider provider,
-            List<UrlRuleFilter> urlRuleFilters,
-            String pathPrefix,
-            FetchStore fetchStore) {
-        this(order, applicableOperations, provider, urlRuleFilters, pathPrefix, fetchStore, null);
-    }
-
     public UrlRuleAggregateFilter(
             int order,
             Set<HttpOperation> applicableOperations,

git-proxy-java-core/src/main/java/org/finos/gitproxy/servlet/filter/UrlRuleEvaluator.java

@@ -3,6 +3,7 @@
 import java.nio.file.FileSystems;
 import java.nio.file.PathMatcher;
 import java.nio.file.Paths;
+import java.util.Comparator;
 import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.Pattern;
@@ -19,34 +20,28 @@
  * <p>Evaluation order:
  *
  * <ol>
- *   <li>Config deny rules — first match returns {@link Result.Denied}.
+ *   <li>Config rules — evaluated in ascending {@code order}, first match wins (allow or deny). This is firewall /
+ *       iptables semantics: a lower-numbered allow rule beats a higher-numbered deny rule and vice versa.
  *   <li>DB deny rules — first match returns {@link Result.Denied}.
- *   <li>If no allow rules are configured anywhere — returns {@link Result.OpenMode} (implicitly allowed).
- *   <li>Config allow rules — first match returns {@link Result.Allowed}.
  *   <li>DB allow rules — first match returns {@link Result.Allowed}.
- *   <li>Allow rules exist but none matched — returns {@link Result.NotAllowed}.
+ *   <li>No rule matched — returns {@link Result.NotAllowed} (fail-closed).
  * </ol>
  *
- * <p>DB rules are fetched once per evaluation (not twice), then split into deny/allow lists in memory.
+ * <p>DB rules are fetched once per evaluation (not twice), then split into deny/allow lists in memory. DB rules do not
+ * carry an {@code order} field and are therefore evaluated after all config rules.
  */
 @Slf4j
 public class UrlRuleEvaluator {
 
     /** Outcome of a single rule evaluation pass. */
-    public sealed interface Result permits Result.Denied, Result.Allowed, Result.OpenMode, Result.NotAllowed {
+    public sealed interface Result permits Result.Denied, Result.Allowed, Result.NotAllowed {
 
         /** A deny rule matched — request must be rejected. */
         record Denied(String ruleId) implements Result {}
 
         /** An allow rule matched — request may proceed. */
         record Allowed(String ruleId) implements Result {}
 
-        /**
-         * No allow rules are configured anywhere (neither config nor DB). The proxy is in open/permissive mode and the
-         * request may proceed.
-         */
-        record OpenMode() implements Result {}
-
         /** Allow rules are configured but none matched — request must be rejected. */
         record NotAllowed() implements Result {}
     }
@@ -58,7 +53,11 @@ record NotAllowed() implements Result {}
     private final GitProxyProvider provider;
 
     public UrlRuleEvaluator(List<UrlRuleFilter> configRules, RepoRegistry repoRegistry, GitProxyProvider provider) {
-        this.configRules = configRules != null ? configRules : List.of();
+        this.configRules = configRules != null
+                ? configRules.stream()
+                        .sorted(Comparator.comparingInt(UrlRuleFilter::getOrder))
+                        .toList()
+                : List.of();
         this.repoRegistry = repoRegistry;
         this.provider = provider;
     }
@@ -79,13 +78,23 @@ public Result evaluate(String slug, String owner, String name, HttpOperation ope
                 ? repoRegistry.findEnabledForProvider(provider.getProviderId())
                 : List.of();
 
-        // ── Step 1: deny rules ─────────────────────────────────────────────────
+        // ── Step 1: config rules — single ordered pass, first match wins ───────
         for (UrlRuleFilter f : configRules) {
-            if (f.getAccess() == AccessRule.Access.DENY && f.appliesTo(operation) && f.matchesRepo(slug, owner, name)) {
-                log.debug("Denied by config rule: {}", f);
+            if (!f.appliesTo(operation) || !f.matchesRepo(slug, owner, name)) continue;
+            if (f.getAccess() == AccessRule.Access.DENY) {
+                log.debug("Denied by config rule (order {}): {}", f.getOrder(), f);
                 return new Result.Denied(f.toString());
+            } else {
+                log.debug("Allowed by config rule (order {}): {}", f.getOrder(), f);
+                return new Result.Allowed(f.toString());
             }
         }
+
+        // ── Step 2: DB rules — deny first, then allow ──────────────────────────
+        List<AccessRule> dbAllow = dbRules.stream()
+                .filter(r -> r.getAccess() == AccessRule.Access.ALLOW && operationMatches(r, operation))
+                .toList();
+
         for (AccessRule rule : dbRules) {
             if (rule.getAccess() == AccessRule.Access.DENY
                     && operationMatches(rule, operation)
@@ -95,25 +104,7 @@ && matchesRepo(rule, slug, owner, name)) {
             }
         }
 
-        // ── Step 2: allow rules ────────────────────────────────────────────────
-        List<UrlRuleFilter> configAllow = configRules.stream()
-                .filter(f -> f.getAccess() == AccessRule.Access.ALLOW && f.appliesTo(operation))
-                .toList();
-        List<AccessRule> dbAllow = dbRules.stream()
-                .filter(r -> r.getAccess() == AccessRule.Access.ALLOW && operationMatches(r, operation))
-                .toList();
-
-        if (configAllow.isEmpty() && dbAllow.isEmpty()) {
-            log.debug("No allow rules configured for operation {} — open mode", operation);
-            return new Result.OpenMode();
-        }
-
-        for (UrlRuleFilter f : configAllow) {
-            if (f.matchesRepo(slug, owner, name)) {
-                log.debug("Allowed by config rule: {}", f);
-                return new Result.Allowed(f.toString());
-            }
-        }
+        // ── Step 3: allow rules matched ────────────────────────
         for (AccessRule rule : dbAllow) {
             if (matchesRepo(rule, slug, owner, name)) {
                 log.debug("Allowed by DB rule: id={}", rule.getId());

git-proxy-java-core/src/main/java/org/finos/gitproxy/servlet/filter/UrlRuleFilter.java

@@ -45,9 +45,7 @@ public enum Target {
 
     private static final String REGEX_PREFIX = "regex:";
 
-    // URL rule filters must be in the authorization range 50-199
-    private static final int MIN_ORDER = 50;
-    private static final int MAX_ORDER = 199;
+    private static final int MIN_ORDER = 1;
 
     @Getter
     private final AccessRule.Access access;
@@ -122,10 +120,8 @@ private static boolean isRegexPattern(String s) {
     }
 
     private static int validateOrder(int order) {
-        if (order < MIN_ORDER || order > MAX_ORDER) {
-            throw new IllegalArgumentException(String.format(
-                    "UrlRuleFilter order must be in the authorization range %d-%d (inclusive), but was %d",
-                    MIN_ORDER, MAX_ORDER, order));
+        if (order < MIN_ORDER) {
+            throw new IllegalArgumentException("UrlRuleFilter order must be >= " + MIN_ORDER + ", but was " + order);
         }
         return order;
     }

git-proxy-java-core/src/test/java/org/finos/gitproxy/servlet/filter/UrlRuleFilterTest.java

@@ -122,20 +122,14 @@ private GitRequestDetails makeDetails(String owner, String name, String slug) {
     void urlRule_orderBelowMinimum_throws() {
         assertThrows(
                 IllegalArgumentException.class,
-                () -> new UrlRuleFilter(49, GITHUB, List.of("owner"), UrlRuleFilter.Target.OWNER));
-    }
-
-    @Test
-    void urlRule_orderAboveMaximum_throws() {
-        assertThrows(
-                IllegalArgumentException.class,
-                () -> new UrlRuleFilter(200, GITHUB, List.of("owner"), UrlRuleFilter.Target.OWNER));
+                () -> new UrlRuleFilter(0, GITHUB, List.of("owner"), UrlRuleFilter.Target.OWNER));
     }
 
     @Test
     void urlRule_validOrder_succeeds() {
-        assertDoesNotThrow(() -> new UrlRuleFilter(50, GITHUB, List.of("owner"), UrlRuleFilter.Target.OWNER));
-        assertDoesNotThrow(() -> new UrlRuleFilter(199, GITHUB, List.of("owner"), UrlRuleFilter.Target.OWNER));
+        assertDoesNotThrow(() -> new UrlRuleFilter(1, GITHUB, List.of("owner"), UrlRuleFilter.Target.OWNER));
+        assertDoesNotThrow(
+                () -> new UrlRuleFilter(Integer.MAX_VALUE, GITHUB, List.of("owner"), UrlRuleFilter.Target.OWNER));
     }
 
     @Test

git-proxy-java-dashboard/frontend/src/pages/Repos.tsx

@@ -10,7 +10,7 @@ interface ActiveRepo {
   blockedFetchCount: number
 }
 
-interface AccessRule {
+interface Rule {
   id: string
   provider: string | null
   slug: string | null
@@ -123,7 +123,7 @@ function AddRuleModal({
   onCreated,
 }: {
   onClose: () => void
-  onCreated: (rule: AccessRule) => void
+  onCreated: (rule: Rule) => void
 }) {
   const [form, setForm] = useState<AddRuleForm>(DEFAULT_FORM)
   const [error, setError] = useState<string | null>(null)
@@ -207,7 +207,7 @@ function AddRuleModal({
     <div className="fixed inset-0 bg-black/40 flex items-center justify-center z-50">
       <div className="bg-white rounded-lg shadow-xl w-full max-w-md p-6 space-y-4">
         <div className="flex items-center justify-between">
-          <h3 className="text-lg font-semibold text-gray-800">Add Access Rule</h3>
+          <h3 className="text-lg font-semibold text-gray-800">Add Rule</h3>
           <button
             onClick={onClose}
             className="text-gray-400 hover:text-gray-600 text-xl leading-none"
@@ -388,7 +388,7 @@ function AddRuleModal({
 export function Repos() {
   const [tab, setTab] = useState<Tab>('active')
   const [activeRepos, setActiveRepos] = useState<ActiveRepo[]>([])
-  const [rules, setRules] = useState<AccessRule[]>([])
+  const [rules, setRules] = useState<Rule[]>([])
   const [loadedTab, setLoadedTab] = useState<Tab | null>(null)
   const [showAddRule, setShowAddRule] = useState(false)
   const [providers, setProviders] = useState<{ name: string; id: string; host: string }[]>([])
@@ -442,7 +442,7 @@ export function Repos() {
                   : 'border-transparent text-gray-500 hover:text-gray-700'
               }`}
             >
-              {t === 'active' ? 'Active' : 'Access Rules'}
+              {t === 'active' ? 'Active' : 'Rules'}
             </button>
           ))}
         </div>
@@ -508,11 +508,11 @@ export function Repos() {
         </>
       )}
 
-      {/* Access rules tab */}
+      {/* Rules tab */}
       {!loading && tab === 'rules' && (
         <>
           {rules.length === 0 ? (
-            <p className="text-sm text-gray-400">No access rules configured.</p>
+            <p className="text-sm text-gray-400">No rules configured.</p>
           ) : (
             <div className="space-y-2">
               {rules.map((rule) => (