refactor(cli): extract network primitives to runtime/network.rs

GamePad64 · GamePad64 · commit 53a1f2ecb55d · 2026-04-20T01:42:06.000+03:00
Moves cidr_contains and host_matches out of http_policy.rs into a
dedicated runtime/network.rs module. Both are generic network-policy
helpers that won't stay HTTP-specific: when raw TCP/UDP policy lands
for wasi:sockets, it'll call the same primitives. Keeping them in a
neutral module avoids circular or upward dependencies between
http_policy and a future socket_policy.

host_matches also picks up case-insensitive suffix comparison (the old
version only case-folded the apex); 7 unit tests cover exact match,
apex wildcard, subdomain wildcard, family-mismatch CIDRs, malformed
CIDRs, and IPv6.

Drops the duplicated host_matches_exact_and_wildcard and
cidr_contains_basic tests from http_policy.rs — they're more thorough
in network.rs now.
diff --git a/act-cli/src/runtime/http_policy.rs b/act-cli/src/runtime/http_policy.rs
@@ -33,6 +33,7 @@ use http::Uri;
 use wasmtime_wasi::TrappableError;
 
 use crate::config::{HttpConfig, HttpRule, PolicyMode};
+use crate::runtime::network::{cidr_contains, host_matches};
 
 type P2ErrorCode = wasmtime_wasi_http::p2::bindings::http::types::ErrorCode;
 type P3ErrorCode = wasmtime_wasi_http::p3::bindings::http::types::ErrorCode;
@@ -132,19 +133,6 @@ fn rule_matches(rule: &HttpRule, method: Option<&str>, uri: &Uri) -> bool {
     true
 }
 
-fn host_matches(pattern: &str, host: &str) -> bool {
-    if let Some(suffix) = pattern.strip_prefix("*.") {
-        return host == suffix || host.ends_with(&format!(".{}", suffix));
-    }
-    host.eq_ignore_ascii_case(pattern)
-}
-
-fn cidr_contains(spec: &str, ip: IpAddr) -> bool {
-    spec.parse::<cidr::IpCidr>()
-        .map(|c| c.contains(&ip))
-        .unwrap_or(false)
-}
-
 fn deny_reason(method: Option<&str>, uri: &Uri) -> String {
     format!("blocked by ACT policy: {} {}", method.unwrap_or("?"), uri)
 }
@@ -318,23 +306,6 @@ mod tests {
         PolicyHttpHooks::new(cfg)
     }
 
-    #[test]
-    fn host_matches_exact_and_wildcard() {
-        assert!(host_matches("api.example.com", "api.example.com"));
-        assert!(!host_matches("api.example.com", "api2.example.com"));
-        assert!(host_matches("*.example.com", "api.example.com"));
-        assert!(host_matches("*.example.com", "example.com"));
-        assert!(!host_matches("*.example.com", "api.other.com"));
-    }
-
-    #[test]
-    fn cidr_contains_basic() {
-        assert!(cidr_contains("10.0.0.0/8", "10.1.2.3".parse().unwrap()));
-        assert!(!cidr_contains("10.0.0.0/8", "11.0.0.0".parse().unwrap()));
-        assert!(cidr_contains("127.0.0.0/8", "127.1.2.3".parse().unwrap()));
-        assert!(cidr_contains("0.0.0.0/0", "8.8.8.8".parse().unwrap()));
-    }
-
     #[test]
     fn mode_deny_blocks_everything() {
         let h = hooks(HttpConfig {
diff --git a/act-cli/src/runtime/mod.rs b/act-cli/src/runtime/mod.rs
@@ -13,6 +13,7 @@ use wasmtime_wasi_http::p3::WasiHttpCtxView;
 pub mod fs_matcher;
 pub mod fs_policy;
 pub mod http_policy;
+pub mod network;
 
 // Generated bindings from WIT — fully auto-generated, no manual patching.
 #[allow(unused_mut, unused_variables, dead_code)]
diff --git a/act-cli/src/runtime/network.rs b/act-cli/src/runtime/network.rs
@@ -0,0 +1,82 @@
+//! Network-policy primitives shared between HTTP and (upcoming) raw TCP/UDP
+//! policy paths. Keep this module free of HTTP- or socket-specific config
+//! types so it can be consumed from any direction — the `HttpConfig` matcher
+//! and a future `SocketConfig` matcher both end up calling the same
+//! `cidr_contains` / `host_matches` logic.
+
+use std::net::IpAddr;
+
+/// Does `cidr` (e.g. `"10.0.0.0/8"` or `"fc00::/7"`) contain `ip`? Parses via
+/// the `cidr` crate; returns `false` for malformed specs rather than
+/// panicking. Family mismatch (v4 rule vs v6 ip) is also `false`.
+pub fn cidr_contains(cidr: &str, ip: IpAddr) -> bool {
+    cidr.parse::<cidr::IpCidr>()
+        .map(|c| c.contains(&ip))
+        .unwrap_or(false)
+}
+
+/// Host-pattern match. Supports exact match (case-insensitive) and
+/// `*.suffix` wildcards. `*.example.com` matches both `example.com` and any
+/// subdomain `foo.example.com` / `a.b.example.com`.
+pub fn host_matches(pattern: &str, host: &str) -> bool {
+    if let Some(suffix) = pattern.strip_prefix("*.") {
+        return host.eq_ignore_ascii_case(suffix)
+            || host
+                .to_ascii_lowercase()
+                .ends_with(&format!(".{}", suffix.to_ascii_lowercase()));
+    }
+    host.eq_ignore_ascii_case(pattern)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn cidr_basic_ipv4() {
+        assert!(cidr_contains("10.0.0.0/8", "10.1.2.3".parse().unwrap()));
+        assert!(!cidr_contains("10.0.0.0/8", "11.0.0.0".parse().unwrap()));
+        assert!(cidr_contains("0.0.0.0/0", "8.8.8.8".parse().unwrap()));
+    }
+
+    #[test]
+    fn cidr_basic_ipv6() {
+        assert!(cidr_contains("fc00::/7", "fc00::1".parse().unwrap()));
+        assert!(!cidr_contains("fc00::/7", "2001:db8::1".parse().unwrap()));
+    }
+
+    #[test]
+    fn cidr_malformed_is_no_match() {
+        assert!(!cidr_contains("not-a-cidr", "10.0.0.1".parse().unwrap()));
+        assert!(!cidr_contains("10.0.0.0/99", "10.0.0.1".parse().unwrap()));
+    }
+
+    #[test]
+    fn cidr_family_mismatch_is_no_match() {
+        assert!(!cidr_contains("10.0.0.0/8", "::1".parse().unwrap()));
+        assert!(!cidr_contains("fc00::/7", "10.0.0.1".parse().unwrap()));
+    }
+
+    #[test]
+    fn host_exact_case_insensitive() {
+        assert!(host_matches("api.example.com", "api.example.com"));
+        assert!(host_matches("api.example.com", "API.EXAMPLE.COM"));
+        assert!(!host_matches("api.example.com", "api2.example.com"));
+    }
+
+    #[test]
+    fn host_wildcard_matches_apex_and_subdomains() {
+        assert!(host_matches("*.example.com", "example.com"));
+        assert!(host_matches("*.example.com", "api.example.com"));
+        assert!(host_matches("*.example.com", "a.b.example.com"));
+    }
+
+    #[test]
+    fn host_wildcard_rejects_unrelated_and_confusable_suffixes() {
+        assert!(!host_matches("*.example.com", "api.other.com"));
+        // Confusable: "evil.com" ending literally with ".example.com" shouldn't
+        // match if it's "notexample.com", but "evil.example.com" should.
+        assert!(!host_matches("*.example.com", "notexample.com"));
+        assert!(!host_matches("*.example.com", "example.com.evil.com"));
+    }
+}
