Haproxy route policy rules matching

docs/release-notes/artifacts/pr0401.yaml

@@ -0,0 +1,20 @@
+version_schema: 2
+
+changes:
+  - title: Added rule matching engine and request evaluation on creation
+    author: tphan025
+    type: minor
+    description: >
+      Added a rule matching engine that evaluates backend requests against rules
+      ordered by descending priority. Within the same priority group, deny rules
+      take precedence over allow rules. Integrated the engine into the bulk create
+      endpoint so that each new request is evaluated immediately and its status is
+      set to accepted, rejected, or pending accordingly. Included unit tests for the
+      matching logic and integration tests for rule evaluation during request creation.
+    urls:
+      pr:
+        - https://github.com/canonical/haproxy-operator/pull/401
+      related_doc:
+      related_issue:
+    visibility: public
+    highlight: false

haproxy-route-policy/policy/db_models.py

@@ -93,7 +93,7 @@ class BackendRequest(models.Model):
     hostname_acls: models.JSONField = models.JSONField(
         default=list, validators=[validate_hostname_acls], blank=True
     )
-    backend_name: models.TextField = models.TextField()
+    backend_name: models.TextField = models.TextField(unique=True)
     paths: models.JSONField = models.JSONField(
         default=list, validators=[validate_paths], blank=True
     )

haproxy-route-policy/policy/migrations/0001_initial.py

@@ -32,9 +32,19 @@ class Migration(migrations.Migration):
                         validators=[policy.db_models.validate_hostname_acls],
                     ),
                 ),
-                ("backend_name", models.TextField()),
-                ("paths", models.JSONField(blank=True, default=list)),
-                ("port", models.IntegerField()),
+                ("backend_name", models.TextField(unique=True)),
+                (
+                    "paths",
+                    models.JSONField(
+                        blank=True,
+                        default=list,
+                        validators=[policy.db_models.validate_paths],
+                    ),
+                ),
+                (
+                    "port",
+                    models.IntegerField(validators=[policy.db_models.validate_port]),
+                ),
                 (
                     "status",
                     models.TextField(

haproxy-route-policy/policy/migrations/0002_rule_alter_backendrequest_paths_and_more.py → haproxy-route-policy/policy/migrations/0002_rule.py

@@ -1,6 +1,5 @@
-# Generated by Django 6.0.3 on 2026-03-23 21:53
+# Generated by Django 6.0.3 on 2026-03-24 14:42
 
-import policy.db_models
 import uuid
 from django.db import migrations, models
 
@@ -40,16 +39,4 @@ class Migration(migrations.Migration):
                 ("updated_at", models.DateTimeField(auto_now=True)),
             ],
         ),
-        migrations.AlterField(
-            model_name="backendrequest",
-            name="paths",
-            field=models.JSONField(
-                blank=True, default=list, validators=[policy.db_models.validate_paths]
-            ),
-        ),
-        migrations.AlterField(
-            model_name="backendrequest",
-            name="port",
-            field=models.IntegerField(validators=[policy.db_models.validate_port]),
-        ),
     ]

haproxy-route-policy/policy/rule_engine.py

@@ -0,0 +1,122 @@
+# Copyright 2026 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+"""Rule matching engine for evaluating backend requests against rules.
+
+Rules are evaluated following these principles:
+    P1: Rules are grouped by priority and evaluated starting from the highest
+        priority group.
+    P2: Within the same priority group, "deny" rules take precedence over
+        "allow" rules.
+
+If no rules match a request, its status remains "pending".
+"""
+
+import logging
+from itertools import groupby
+from policy.db_models import (
+    BackendRequest,
+    Rule,
+    RULE_ACTION_ALLOW,
+    RULE_ACTION_DENY,
+    RULE_KIND_HOSTNAME_AND_PATH_MATCH,
+    REQUEST_STATUS_ACCEPTED,
+    REQUEST_STATUS_REJECTED,
+    REQUEST_STATUS_PENDING,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def _hostname_and_path_match(rule: Rule, request: BackendRequest) -> bool:
+    """Check if a hostname_and_path_match rule matches a backend request.
+
+    A rule matches if:
+        1. Any of the rule's `hostnames` appear in the request's `hostname_acls`
+           if `hostnames` is not empty.
+        2. Any of the rule's `paths` appear in the request's `paths`
+           if `paths` is not empty..
+
+    Args:
+        rule: The rule to check.
+        request: The backend request to evaluate.
+
+    Returns:
+        True if the rule matches the request, False otherwise.
+    """
+    rule_hostnames: list = rule.parameters.get("hostnames", [])
+    rule_paths: list = rule.parameters.get("paths", [])
+
+    # A rule with no hostnames can never match.
+    if not rule_hostnames:
+        return False
+
+    # At least one rule hostname must appear in the request's hostname_acls.
+    hostname_matched = bool(set(rule_hostnames).intersection(request.hostname_acls))
+    if not hostname_matched:
+        return False
+
+    # Empty rule paths means "match all paths" (wildcard).
+    if not rule_paths:
+        return True
+
+    # At least one rule path must appear in the request's paths.
+    return bool(set(rule_paths).intersection(request.paths))
+
+
+def evaluate_request(request: BackendRequest) -> str:
+    """Evaluate a backend request against all rules and return the resulting status.
+
+    Rules are fetched from the database, ordered by descending priority.
+    They are grouped by priority level and evaluated from highest to lowest.
+
+    Within the same priority group:
+        - If any "deny" rule matches, the request is rejected.
+        - If any "allow" rule matches (and no deny matched), the request is accepted.
+        - If no rules match at this priority level, move to the next group.
+
+    If no rules match at any priority level, the request stays "pending".
+
+    Args:
+        request: The backend request to evaluate.
+
+    Returns:
+        The resulting status string: "accepted", "rejected", or "pending".
+    """
+    rules = Rule.objects.all().order_by("-priority")
+
+    for _priority, group in groupby(rules, key=lambda rule: rule.priority):
+        allow_matched = False
+        deny_matched = False
+
+        for rule in group:
+            if not _matches(rule, request):
+                continue
+
+            if rule.action == RULE_ACTION_DENY:
+                deny_matched = True
+            elif rule.action == RULE_ACTION_ALLOW:
+                allow_matched = True
+
+        # P2: deny rules have priority over allow rules within the same priority level
+        if deny_matched:
+            return REQUEST_STATUS_REJECTED
+        if allow_matched:
+            return REQUEST_STATUS_ACCEPTED
+
+    return REQUEST_STATUS_PENDING
+
+
+def _matches(rule: Rule, request: BackendRequest) -> bool:
+    """Dispatch matching logic based on the rule kind.
+
+    Args:
+        rule: The rule to evaluate.
+        request: The backend request to evaluate against.
+
+    Returns:
+        True if the rule matches the request.
+    """
+    if rule.kind == RULE_KIND_HOSTNAME_AND_PATH_MATCH:
+        return _hostname_and_path_match(rule, request)
+    return False