Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/maxpert/rues

Rule evaluation sidecar
https://github.com/maxpert/rues

Last synced: about 1 year ago
JSON representation

Rule evaluation sidecar

Awesome Lists containing this project

README 

          
# RuES - Expression Evaluation as Service 



RuES is a minimal JMES expression evaluation side-car, that uses [JMESPath](https://jmespath.org/), and it can handle 

arbitrary JSON. Which effectively makes it general purpose logical expression evaluation engine, just like 

[some](https://zerosteiner.github.io/rule-engine/) Python libraries that used to evaluate 

logical expression. This in turn can allow you implement complex stuff like Rule engine, 

RBAC, or Policy engines etc. 



Here is what makes RuES special:



 - **Lean and Zippy** - Checkout initial benchmarks below. Under `20 MB` with single CPU one will easily do 10K RPS. 

 - **Zero restarts** - Add/remove rules on fly by making changes in `rules.hjson` without restarting.

 - **HTTP & JSON** - Ubiquitous! No custom protocols, no shenanigans.

 - **UNIX philosophy** - Only evaluates rules, no fancy hooks or integrations. Dead simple!



## Why?



A very obvious question to ask might be, why RuES and why not just use a library? RuES can be beneficial in large 

scale scenarios with following benefits:



 - **Unified and consistent rules** - No need to deal with library differences, specially in a polyglot stack you

   won't have to worry about any inconsistencies, performance issues, or library maintenances.

 - **Isolated and scalable** - While embedded libraries can have a broader attack surface the isolated process

   gives you sandbox, and due to being lightweight have it as a sidecar giving you sub-millisecond latencies. 

   This not only allows developers to hand off security to the right team, but also allows you to scale 

   with your system.

 - **Centrally managed** - Allowing you to have centrally managed deployments, and rules. Changing rules doesn't

   even require a new deployment. The rules are live reloaded. That means with 0 downtime you can add/modify 

   rules on the fly. 



## Usage



Make sure you have `rules.hjson` in your current working directory when launching `rues`. Given following example

rules:



```hjson

{

  example_one: "value == `2`"

  example_two: "a.b"

}

```



Each rule is exposed under `/eval/{rule_name}` as `POST` endpoint, which in turn can be posted payload to evaluate

the expression. Simple use `curl` to test:



```

> curl -X POST http://localhost:8080/eval/example_one -H 'Content-Type: application/json' -d '{"value": 2}'

{"Success":{"expression":"value == `2`","name":"example_one","is_truthy":true,"value":true}}

> curl -X POST http://localhost:8080/eval/example_two -H 'Content-Type: application/json' -d '{"a": {"b": "Hello"}}'

{"Success":{"expression":"a.b","name":"example_two","is_truthy":true,"value":"Hello"}}

```



Response object contains `Success` if evaluation was successful. e.g.

```json

{

   "Success": {

      "name": "filter_active",

      "expression": "[?isActive] | length(@)",

      "is_truthy": true,

      "value": 2

   }

}

```



Response will have an `Error` if there was an error in expression or there was some violation while evaluating the 

expression (in which case `reason` will contain a reason):



```json

{

   "Error": {

      "name": "filter_registered",

      "expression": "[?matched('^201\\d', registered)] | length(@)",

      "reason": "Runtime error: Call to undefined function matched (line 0, column 9)\n[?matched('^201\\d', registered)] | length(@)\n         ^\n"

   }

}

```



Response will have a `NotFound` if the specified rule is not found:



```json

{

   "NotFound": {

      "name": "filter_register"

   }

}

```



### Batch Rules API 



Many times you need evaluate a set of rules against a payload. RuES supports evaluating a context against multiple 

rules using batch API. Given the rules file:



```hjson

{

  example_one: "c == `2`"

  example_two: "a.b"

}

```



One can invoke batch api by simply invoking `/eval` with `POST` data of:

```json

{

   "context": {

      "c": 3,

      "a": {

         "b": true

      } 

   },

   "rules": ["example_one", "example_two", "example_three"]

}

```



The rules will be evaluated in sequence of order they were passed in, and server will return an array response:



```json

[

   {"Success":{"expression":"c == `2`","name":"example_one","is_truthy":false,"value":false}},

   {"Success":{"expression":"a.b","name":"example_two","is_truthy":true,"value":true}},

   {"NotFound":{"name":"example_three"}}

]

```



## Additional functions



In addition to [built-in functions](https://jmespath.org/proposals/functions.html#built-in-functions) of JMES, there 

additional are following additional functions:



 - ✅ `string[] match(expref string $regex, string $element)` - Returns an array of all groups of regex matching 

   or a `null` if there is no match. Regex specs can be found [here](https://github.com/rust-lang/regex). 

   Regexes are compiled and cached in LRU order. The given Regex has to be an expression with string 

   literal e.g. `&'\d+'` this is required so that regexes are always string literal and never 

   variables eliminating any possibility of regex injection via variables, preventing any

   exploits or accidental explosion of regex patterns. Examples:

   ```jmes

   [?match(&'^[a-z0-9_-]{3,16}$', username)]

   [?match(&'^[a-z0-9_-]{3,16}$', 'user_123')]

   [?match(&'([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))', date)]

   ```

 - ✅ `bool valid_email(string $element)` - Returns `true` or `false` based on email format. In 

   addition to formatting it also excludes temporary email addresses. Examples:

   ```jmes

   [?valid_email('user123@gmail.com')]

   [?!valid_email('janette@guerrillamailblock.com')]

   [?valid_email(contact.email)]

   ```

 - ✅ `number now()` - Returns current time unix timestamp as 64-bit float with number of seconds since `1970-01-01`

   the fractional part of timestamp contains upto microseconds of the timestamp. Examples:

   ```jmes

   now()

   > 1641257813.803243

   ```

 - ✅ `number duration(string $element)` - Parses a duration string with same specs as 

   [systemd.time](https://www.freedesktop.org/software/systemd/man/systemd.time.html#Parsing%20Time%20Spans) and returns

   a unix timestamp just like `now`. This will allow anyone to perform addition/subtraction operations on timestamps,

   Examples:

   ```jmes

   duration('1min100ms')

   > 60.1

   duration('1h')

   > 360.0

   ```

 - 🚧 `number parse_datetime(string $element[, string $format = 'rfc3339'])` (To be implemented yet) - Converts 

   datetime in given format to a timestamp. The timestamp then in turn can be used to 

   do comparisons or reformatting. 

 - 🚧 `string to_datetime(number $element[, string $format = 'rfc3339'])` (To be implemented yet) - Converts

   timestamp to a given string format.

 - 🚧 `bool in_geo_fence(number[] $center, number $radius, number[] $element)` (To be implemented yet) - Returns `true`

   or `false` if the `$element` lies within the `$radius` of `$center`.

 - 🚧 `number[][] filter_in_geo_fence(number[] $center, number $radius, number[][] $elements) ` (To be implemented yet) - 

   Returns all elements that lie within geo fence of given radius and center.

 - 🚧 `bool match_glob(string $pattern, string $element)` (To be implemented yet) - Returns `true` or `false` 

   if the `$element` is a glob match of the `$pattern`.



## Configuration variables



 - `CONFIG_PATH` - path to rules file, file can be `.json`, `.yaml`, or `.hjson`. Default: `rules.hjson`

 - `BIND_ADDRESS` - service address to bind to. Default: `0.0.0.0:8080`



## Benchmarks



My brief stress testing shows with a single CPU core (single worker), 3 rules, and payload size of 1.6 KB. Server was 

easily able to handle 10K RPS (even with sustained load) under **19 MB of RSS** memory footprint, and a p99 of 4ms.



```

$ cat vegeta_attack.txt | vegeta attack -duration=10s -rate=10000 | vegeta report 

Requests      [total, rate, throughput]         100000, 10000.20, 9999.80

Duration      [total, attack, wait]             10s, 10s, 394.927µs

Latencies     [min, mean, 50, 90, 95, 99, max]  107.266µs, 811.954µs, 285.329µs, 2.128ms, 2.654ms, 4.517ms, 12.373ms

Bytes In      [total, mean]                     9566673, 95.67

Bytes Out     [total, mean]                     166000000, 1660.00

Success       [ratio]                           100.00%

Status Codes  [code:count]                      200:100000  

Error Set:

```



With two CPU cores (two workers), the results were even better:

```

$ cat vegeta_attack.txt | vegeta attack -duration=10s -rate=10000 | vegeta report

Requests      [total, rate, throughput]         100000, 10000.30, 10000.08

Duration      [total, attack, wait]             10s, 10s, 217.653µs

Latencies     [min, mean, 50, 90, 95, 99, max]  111.479µs, 270.125µs, 219.274µs, 413.215µs, 564.181µs, 1.021ms, 8.184ms

Bytes In      [total, mean]                     9566673, 95.67

Bytes Out     [total, mean]                     166000000, 1660.00

Success       [ratio]                           100.00%

Status Codes  [code:count]                      200:100000  

Error Set:

```



All the rules, and data has been shipped under `stress_test`. Feel free to share your results, and I will be more 

than happy to include your results.