hrw4u: Allow negation with the 'in' keyword (#12871)

* hrw4u: Allow negation with the 'in' keyword

* Addresses CoPilot's concerns

Author: zwoop

doc/admin-guide/configuration/hrw4u.en.rst

@@ -388,6 +388,7 @@ Operator             HRW4U Syntax              Description
 ~                    foo ~ /pattern/           Regular expression match
 !~                   foo !~ /pattern/          Regular expression non-match
 in [...]             foo in ["a", "b"]         Membership in a list of values
+!in [...]            foo !in ["a", "b"]        Negated membership in a list of values
 ==================== ========================= ============================================
 
 Modifiers
@@ -570,6 +571,30 @@ Query string when the Origin server times out or the connection is refused::
        }
    }
 
+Flag Unrecognized ASNs
+----------------------
+
+This rule flags requests whose origin ASN is not in a known allowlist,
+using the negated membership operator ``!in``::
+
+   REMAP {
+       if geo.ASN !in ["64496", "64511"] {
+           inbound.req.X-Known-ASN = "false";
+       }
+   }
+
+Restrict to Internal Networks
+-----------------------------
+
+This rule rejects requests that do not originate from known internal
+IP ranges, using ``!in`` with an IP range::
+
+   REMAP {
+       if inbound.ip !in {192.168.0.0/16, 10.0.0.0/8} {
+           http.status = 403;
+       }
+   }
+
 Check for existence of a header
 -------------------------------
 

tools/hrw4u/grammar/hrw4u.g4

@@ -192,7 +192,9 @@ comparison
     : comparable (EQUALS | NEQ | GT | LT) value modifier?
     | comparable (TILDE | NOT_TILDE) regex modifier?
     | comparable IN set modifier?
+    | comparable '!' IN set modifier?
     | comparable IN iprange
+    | comparable '!' IN iprange
     ;
 
 modifier

tools/hrw4u/src/hrw_symbols.py

@@ -382,7 +382,9 @@ def negate_expression(self, term: str) -> str:
             return t
         if " ~ " in t and " !~ " not in t:
             return t.replace(" ~ ", " !~ ", 1)
-        if any(op in t for op in (" in ", " > ", " < ")):
+        if " in " in t:
+            return t.replace(" in ", " !in ", 1)
+        if any(op in t for op in (" > ", " < ")):
             return f"!({t})"
         if t.endswith(')'):
             return f"!{t}"

tools/hrw4u/src/visitor.py

@@ -74,7 +74,7 @@ def _cached_hook_mapping(self, section_name: str) -> str:
 
     def _make_condition(self, cond_text: str, last: bool = False, negate: bool = False) -> str:
         self._dbg(f"make_condition: {cond_text} last={last} negate={negate}")
-        self._cond_state.not_ |= negate
+        self._cond_state.not_ ^= negate
         self._cond_state.last = last
         return f"cond {cond_text}"
 
@@ -480,7 +480,13 @@ def visitComparison(self, ctx, *, last: bool = False) -> None:
             if not lhs:
                 return
             operator = ctx.getChild(1)
-            negate = operator.symbol.type in (hrw4uParser.NEQ, hrw4uParser.NOT_TILDE)
+
+            # Detect negation: '!=' and '!~' are single tokens (NEQ, NOT_TILDE),
+            # but '!in' is two separate tokens ('!' + IN).
+            if operator.getText() == '!':
+                negate = True
+            else:
+                negate = operator.symbol.type in (hrw4uParser.NEQ, hrw4uParser.NOT_TILDE)
 
             match ctx:
                 case _ if ctx.value():

tools/hrw4u/tests/data/conds/double-negation.ast.txt

@@ -0,0 +1 @@
+(program (programItem (section REMAP { (sectionBody (conditional (ifStatement if (condition (expression (term (factor ! (factor ( (expression (term (factor (comparison (comparable inbound.req.X-Debug) != (value "keep"))))) )))))) (block { (blockItem (statement inbound.req.X-Found = (value "yes") ;)) })))) })) <EOF>)

tools/hrw4u/tests/data/conds/double-negation.input.txt

@@ -0,0 +1,5 @@
+REMAP {
+    if !(inbound.req.X-Debug != "keep") {
+        inbound.req.X-Found = "yes";
+    }
+}

tools/hrw4u/tests/data/conds/double-negation.output.txt

@@ -0,0 +1,5 @@
+cond %{REMAP_PSEUDO_HOOK} [AND]
+cond %{GROUP}
+    cond %{CLIENT-HEADER:X-Debug} ="keep"
+cond %{GROUP:END}
+    set-header X-Found "yes"

tools/hrw4u/tests/data/conds/exceptions.txt

@@ -3,3 +3,5 @@
 #
 # Implicit = comparisons
 implicit-cmp.input: u4wrh
+# Double negation !(x != y) cancels to x == y, reverse can't reconstruct the original form
+double-negation.input: hrw4u

tools/hrw4u/tests/data/conds/not-in-ip.ast.txt

@@ -0,0 +1 @@
+(program (programItem (section SEND_REQUEST { (sectionBody (conditional (ifStatement if (condition (expression (term (factor (comparison (comparable inbound.ip) ! in (iprange { (ip (ipv4 192.168.0.0/16)) , (ip (ipv4 10.0.0.0/8)) })))))) (block { (blockItem (statement outbound.req.X-External = (value "true") ;)) })))) })) <EOF>)

tools/hrw4u/tests/data/conds/not-in-ip.input.txt

@@ -0,0 +1,5 @@
+SEND_REQUEST {
+    if inbound.ip !in {192.168.0.0/16, 10.0.0.0/8} {
+        outbound.req.X-External = "true";
+    }
+}