Skip to content

feat(sandbox): add L7 query parameter matchers#617

Open
johntmyers wants to merge 2 commits intomainfrom
feat/615-query-parameter-matching
Open

feat(sandbox): add L7 query parameter matchers#617
johntmyers wants to merge 2 commits intomainfrom
feat/615-query-parameter-matching

Conversation

@johntmyers
Copy link
Collaborator

@johntmyers johntmyers commented Mar 25, 2026

Summary

Add L7 query parameter matching for REST allow rules with glob and any-of matchers. This enables explicit filtering of query keys and values (including duplicate keys) while preserving current behavior when no query matcher is defined.

Related Issue

Closes #615

Changes

  • Extended policy proto with L7Allow.query and L7QueryMatcher (glob or any).
  • Added YAML/schema conversion support in openshell-policy for both query matcher shapes.
  • Parsed and percent-decoded request query params in REST request processing and passed them into OPA inputs.
  • Added Rego policy logic for query matching, including duplicate-value semantics.
  • Added sandbox OPA tests covering matcher behavior and serialization.
  • Added e2e tests for query matcher enforcement and no-query-rule fallback behavior.
  • Updated architecture and user docs for the new query matcher rules.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Executed:

  • mise run pre-commit (fails due pre-existing missing SPDX headers in architecture/plans/567-policy-l4.yaml, architecture/plans/567-policy-workaround.yaml, architecture/plans/567-policy.yaml, architecture/plans/567-test-server.py)
  • PYTHONPATH=python .venv/bin/pytest -q e2e/python/test_sandbox_policy.py -k 'l7_query_matchers_enforced or l7_rule_without_query_matcher_allows_any_query_params' (blocked by local environment: openshell-server persistence not initialized)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@johntmyers
feat(sandbox): add L7 query parameter matchers
bce18ce 
Signed-off-by: John Myers <9696606+johntmyers@users.noreply.github.com>
@johntmyers johntmyers requested a review from a team as a code owner March 25, 2026 23:20
@johntmyers johntmyers self-assigned this Mar 25, 2026
@github-actions
Copy link

github-actions bot commented Mar 25, 2026
edited
Loading

PR Preview Action v1.8.1

QR code for preview link

🚀 View preview at
https://NVIDIA.github.io/OpenShell/pr-preview/pr-617/

Built to branch gh-pages at 2026-03-26 00:28 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

@johntmyers johntmyers added the test:e2e Requires end-to-end coverage label Mar 25, 2026
@johntmyers
fix(sandbox): decode + as space in query params and validate glob syntax
b2a197b 
Three improvements from PR #617 review:

1. Decode + as space in query string values per the
   application/x-www-form-urlencoded convention. This matches Python's
   urllib.parse, JavaScript's URLSearchParams, Go's url.ParseQuery, and
   most HTTP frameworks. Literal + should be sent as %2B.

2. Add glob pattern syntax validation (warnings) for query matchers.
   Checks for unclosed brackets and braces in glob/any patterns. These
   are warnings (not errors) because OPA's glob.match is forgiving,
   but they surface likely typos during policy loading.

3. Add missing test cases: empty query values, keys without values,
   unicode after percent-decoding, empty query strings, and literal +
   via %2B encoding.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@johntmyers johntmyers

Labels

test:e2e Requires end-to-end coverage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: add query parameter matching to L7 network policies

1 participant

@johntmyers