protection_engine.go
// Copyright (c) The Thanos Authors.
// Licensed under the Apache License 2.0.
package queryfrontend
import (
"context"
"sync"
)
// ProtectionEngine evaluates a list of rules against a query request.
//
// The rule set can be replaced at runtime with UpdateRules. Evaluate reads the
// current set under the same mutex, so both may be called from multiple
// goroutines.
type ProtectionEngine struct {
	// mu guards rules.
	mu sync.Mutex
	// rules is the ordered rule set. Evaluate walks it front to back and
	// stops at the first rule that triggers.
	rules []*Rule
}
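// NewProtectionEngine creates a new ProtectionEngine with the given rules.
//
// The slice is copied, so appending to, reordering or overwriting elements of
// the caller's slice afterwards does not change the engine's rule set. The
// *Rule values themselves are still shared with the caller and must not be
// mutated once they have been handed over.
func NewProtectionEngine(rules []*Rule) *ProtectionEngine {
	// Detach from the caller's backing array: the engine reads its slice from
	// other goroutines, and an aliased slice could be modified without the
	// engine's mutex being held.
	return &ProtectionEngine{rules: append([]*Rule(nil), rules...)}
}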
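// UpdateRules replaces the current rule set. Safe for concurrent use.
//
// The slice is copied before it is installed, so later changes to the caller's
// slice (append, reorder, element overwrite) cannot alter the active rule set
// behind the mutex. The *Rule values are still shared with the caller and must
// not be mutated after this call.
func (e *ProtectionEngine) UpdateRules(rules []*Rule) {
	// Copy outside the critical section; only the swap itself needs the lock.
	installed := append([]*Rule(nil), rules...)

	e.mu.Lock()
	defer e.mu.Unlock()
	e.rules = installed
}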
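// Evaluate runs the applicable rules against the request.
//
// Rules are evaluated in order; the first matching rule wins. A rule is
// skipped when it is nil, when it is disabled, or when it has an actor filter
// that does not match req.actor. A rule without an actor filter applies to
// every actor.
//
// It returns a ProtectionResult naming the rule and its action when a rule
// triggers, and (nil, nil) when none does. If a rule's protection reports an
// error without matching, evaluation stops and that error is returned: a rule
// that could not be evaluated must not be indistinguishable from "no rule
// triggered". The caller decides whether to reject the request or let it
// through in that case. When a rule both matches and reports an error, the
// result and the error are returned together.
func (e *ProtectionEngine) Evaluate(ctx context.Context, req thanosQueryReq) (*ProtectionResult, error) {
	// Take the current slice under the lock, then release it so that
	// rule.protection.Run is never called while the mutex is held.
	e.mu.Lock()
	rules := e.rules
	e.mu.Unlock()

	for _, rule := range rules {
		// A nil entry would panic on the field accesses below; treat it like
		// a disabled rule.
		if rule == nil || !rule.enabled {
			continue
		}

		// Check actor filter. A nil actorRegex means "any actor".
		if rule.actorRegex != nil && !rule.actorRegex.MatchString(req.actor) {
			continue
		}

		matched, err := rule.protection.Run(ctx, req)
		if !matched {
			if err != nil {
				// Do not fall through to the next rule: silently dropping
				// this error would make a failed check look like a pass.
				return nil, err
			}
			continue
		}

		return &ProtectionResult{
			Triggered: true,
			RuleName:  rule.name,
			Action:    rule.action,
		}, err
	}

	return nil, nil
}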