feat(cel): bind request.body_json for application/json content-types

ndreno · ndreno · commit 2d32c4f679ea · 2026-04-30T18:08:46.000+02:00
ADR-0030 §0 calls for a CEL plugin extension so AI consumer-policy
expressions like `request.body_json.model.startsWith('gpt-4o')` work
out of the box. Today the plugin only exposes `request.body` as a
raw string, which makes JSON-field access unusable in policies.

This adds `request.body_json` alongside the existing string `body`
binding when the inbound `content-type` is `application/json` or any
`application/*+json` vendor type (parameters like `; charset=utf-8`
are stripped). Non-JSON content-types and parse failures yield an
empty CEL map — `has(request.body_json.x)` evaluates cleanly.

Parse failures log a warning but never short-circuit the request: a
CEL plugin that returned 500 on every garbled body would let an
attacker take down every downstream policy with one bad byte.

Naming choice: `body_json` rather than auto-overloading `body` keeps
the change purely additive and never alters semantics for existing
expressions evaluating `request.body == ''`.

Tests cover field access, the AI consumer-policy example, vendor
+json content-types, charset-suffixed content-types, non-JSON
content-types, malformed JSON bodies (warning + empty map), and
empty request bodies.

Cargo.lock unrelated bump from a stale 0.6.0 → 0.6.3 alignment with
the workspace SDK/macros versions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **compiler**: `specs` field in `barbacane.yaml` — point to a folder (e.g., `specs: ./specs/`) and all `*.yaml`/`*.json` files are discovered automatically. Used by `barbacane dev` for zero-config operation and as a fallback for `barbacane compile` when `--spec` is omitted.
 - **cli**: `barbacane compile` now discovers specs from the manifest's `specs` folder when `--spec` is not provided — `barbacane compile -m barbacane.yaml -o api.bca` works with zero spec args.
 - **cli**: `barbacane init` now scaffolds a `specs/` directory and places the generated spec in `specs/api.yaml` with `specs: ./specs/` in the manifest.
+- **plugin**: `cel` now binds `request.body_json` in addition to the existing `request.body` string when the inbound `content-type` is `application/json` or any `application/*+json` vendor type. Enables consumer-policy expressions like `request.body_json.model.startsWith('gpt-4o')` without writing string-matching CEL. Empty map on non-JSON content-types and on parse failures (warning logged on failure; never short-circuits the request — a CEL plugin that 500s on every garbled body would let an attacker take down every downstream policy with one bad byte). Prereq for the AI consumer-policy examples in ADR-0030.
 
 #### AI Gateway middlewares (ADR-0024)
 - **`ai-prompt-guard` middleware plugin**: validates LLM chat-completion requests before dispatch — named profiles carry `max_messages`, `max_message_length`, regex `blocked_patterns`, and managed `system_template` with `{var}` substitution. Short-circuits with 400 + RFC 9457 problem+json on violation.
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@
   <a href="https://github.com/barbacane-dev/barbacane/actions/workflows/ci.yml"><img src="https://github.com/barbacane-dev/barbacane/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
   <a href="https://docs.barbacane.dev"><img src="https://img.shields.io/badge/docs-docs.barbacane.dev-blue" alt="Documentation"></a>
   <img src="https://img.shields.io/badge/unit%20tests-517%20passing-brightgreen" alt="Unit Tests">
-  <img src="https://img.shields.io/badge/plugin%20tests-777%20passing-brightgreen" alt="Plugin Tests">
+  <img src="https://img.shields.io/badge/plugin%20tests-784%20passing-brightgreen" alt="Plugin Tests">
   <img src="https://img.shields.io/badge/integration%20tests-275%20passing-brightgreen" alt="Integration Tests">
   <img src="https://img.shields.io/badge/cli%20tests-23%20passing-brightgreen" alt="CLI Tests">
   <img src="https://img.shields.io/badge/ui%20tests-44%20passing-brightgreen" alt="UI Tests">
diff --git a/plugins/cel/Cargo.lock b/plugins/cel/Cargo.lock
diff --git a/plugins/cel/src/lib.rs b/plugins/cel/src/lib.rs
@@ -125,6 +125,7 @@ impl CelPolicy {
             "body".to_string(),
             str_val(req.body_str().unwrap_or("")),
         );
+        request_map.insert("body_json".to_string(), parse_body_json(req));
         request_map.insert("client_ip".to_string(), str_val(&req.client_ip));
 
         // Headers as a map
@@ -239,6 +240,44 @@ fn btree_to_cel_map(map: &BTreeMap<String, String>) -> cel::Value {
     cel_map.into()
 }
 
+/// Empty CEL map. Returned as the `request.body_json` value when the body
+/// can't be parsed as JSON — keeps `has(request.body_json.x)` semantics clean.
+fn empty_cel_map() -> cel::Value {
+    HashMap::<String, cel::Value>::new().into()
+}
+
+/// Parse the request body as JSON when the inbound `content-type` advertises it
+/// (`application/json` or any `application/*+json` vendor type, ignoring `;`-suffixed
+/// parameters). Returns an empty map for non-JSON content-types and for malformed
+/// bodies; the latter logs a warning so operators see policy mis-applies, but never
+/// short-circuits the request — a CEL plugin that rejected on every malformed JSON
+/// would let an attacker take down every downstream policy by sending one bad byte.
+fn parse_body_json(req: &Request) -> cel::Value {
+    let content_type = match req.headers.get("content-type") {
+        Some(v) => v.split(';').next().unwrap_or("").trim().to_ascii_lowercase(),
+        None => return empty_cel_map(),
+    };
+    let is_json = content_type == "application/json"
+        || (content_type.starts_with("application/") && content_type.ends_with("+json"));
+    if !is_json {
+        return empty_cel_map();
+    }
+    let body = match req.body_str() {
+        Some(s) if !s.is_empty() => s,
+        _ => return empty_cel_map(),
+    };
+    match serde_json::from_str::<serde_json::Value>(body) {
+        Ok(v) => json_to_cel(v),
+        Err(e) => {
+            host::log_warn(&format!(
+                "cel: request body advertised {} but could not be parsed as JSON: {}",
+                content_type, e
+            ));
+            empty_cel_map()
+        }
+    }
+}
+
 /// Convert a serde_json::Value to a CEL value.
 fn json_to_cel(value: serde_json::Value) -> cel::Value {
     match value {
@@ -304,6 +343,14 @@ mod host {
             );
         }
     }
+
+    pub fn log_warn(msg: &str) {
+        #[link(wasm_import_module = "barbacane")]
+        extern "C" {
+            fn host_log(level: i32, msg_ptr: i32, msg_len: i32);
+        }
+        unsafe { host_log(2, msg.as_ptr() as i32, msg.len() as i32) }
+    }
 }
 
 #[cfg(not(target_arch = "wasm32"))]
@@ -313,6 +360,7 @@ mod host {
 
     thread_local! {
         static CONTEXT: RefCell<BTreeMap<String, String>> = const { RefCell::new(BTreeMap::new()) };
+        static WARNINGS: RefCell<Vec<String>> = const { RefCell::new(Vec::new()) };
     }
 
     pub fn context_set(key: &str, value: &str) {
@@ -321,6 +369,10 @@ mod host {
         });
     }
 
+    pub fn log_warn(msg: &str) {
+        WARNINGS.with(|w| w.borrow_mut().push(msg.to_string()));
+    }
+
     #[cfg(test)]
     pub fn get_context() -> BTreeMap<String, String> {
         CONTEXT.with(|ctx| ctx.borrow().clone())
@@ -330,6 +382,11 @@ mod host {
     pub fn reset_context() {
         CONTEXT.with(|ctx| ctx.borrow_mut().clear());
     }
+
+    #[cfg(test)]
+    pub fn take_warnings() -> Vec<String> {
+        WARNINGS.with(|w| std::mem::take(&mut *w.borrow_mut()))
+    }
 }
 
 // ---------------------------------------------------------------------------
@@ -647,6 +704,128 @@ mod tests {
         }
     }
 
+    // --- request.body_json access (ADR-0030) ---
+
+    #[test]
+    fn eval_body_json_field_access() {
+        let mut config = create_config("request.body_json.foo == 'bar'");
+        let mut req = create_request();
+        req.body = Some(br#"{"foo":"bar"}"#.to_vec());
+        match config.on_request(req) {
+            Action::Continue(_) => {}
+            Action::ShortCircuit(resp) => panic!("expected continue, got status {}", resp.status),
+        }
+    }
+
+    #[test]
+    fn eval_body_json_ai_consumer_policy_example() {
+        // The motivating ADR-0030 example: per-tier model gating. CEL access-control
+        // mode treats `true` as allow / `false` as deny, so the policy is the
+        // negation of "non-premium asks for gpt-4o".
+        let mut config = create_config(
+            "!(request.body_json.model.startsWith('gpt-4o') && request.claims.tier != 'premium')",
+        );
+
+        let mut req_blocked = create_request();
+        req_blocked.headers.insert(
+            "x-auth-claims".to_string(),
+            r#"{"tier":"free"}"#.to_string(),
+        );
+        req_blocked.body = Some(br#"{"model":"gpt-4o-mini"}"#.to_vec());
+        match config.on_request(req_blocked) {
+            Action::Continue(_) => panic!("expected 403 for free tier on gpt-4o-mini"),
+            Action::ShortCircuit(resp) => assert_eq!(resp.status, 403),
+        }
+
+        let mut req_allowed = create_request();
+        req_allowed.headers.insert(
+            "x-auth-claims".to_string(),
+            r#"{"tier":"premium"}"#.to_string(),
+        );
+        req_allowed.body = Some(br#"{"model":"gpt-4o"}"#.to_vec());
+        match config.on_request(req_allowed) {
+            Action::Continue(_) => {}
+            Action::ShortCircuit(resp) => panic!("expected continue, got status {}", resp.status),
+        }
+    }
+
+    #[test]
+    fn eval_body_json_vendor_plus_json_content_type() {
+        let mut config = create_config("request.body_json.kind == 'event'");
+        let mut req = create_request();
+        req.headers.insert(
+            "content-type".to_string(),
+            "application/vnd.api+json".to_string(),
+        );
+        req.body = Some(br#"{"kind":"event"}"#.to_vec());
+        match config.on_request(req) {
+            Action::Continue(_) => {}
+            Action::ShortCircuit(resp) => panic!("expected continue, got status {}", resp.status),
+        }
+    }
+
+    #[test]
+    fn eval_body_json_content_type_with_charset_param() {
+        let mut config = create_config("request.body_json.foo == 'bar'");
+        let mut req = create_request();
+        req.headers.insert(
+            "content-type".to_string(),
+            "application/json; charset=utf-8".to_string(),
+        );
+        req.body = Some(br#"{"foo":"bar"}"#.to_vec());
+        match config.on_request(req) {
+            Action::Continue(_) => {}
+            Action::ShortCircuit(resp) => panic!("expected continue, got status {}", resp.status),
+        }
+    }
+
+    #[test]
+    fn eval_body_json_non_json_content_type_yields_empty_map() {
+        // text/plain → body_json is an empty map → has() returns false, not an error.
+        let mut config = create_config("!has(request.body_json.foo)");
+        let mut req = create_request();
+        req.headers
+            .insert("content-type".to_string(), "text/plain".to_string());
+        req.body = Some(b"this is not json".to_vec());
+        match config.on_request(req) {
+            Action::Continue(_) => {}
+            Action::ShortCircuit(resp) => panic!("expected continue, got status {}", resp.status),
+        }
+    }
+
+    #[test]
+    fn eval_body_json_malformed_body_logs_warning_and_yields_empty_map() {
+        // Malformed JSON with a JSON content-type must NOT short-circuit the request —
+        // a CEL plugin that 500s on every garbled body would let an attacker take down
+        // every downstream policy with one bad byte. Instead: empty map + log warning.
+        let _ = host::take_warnings(); // clear any prior test's warnings
+
+        let mut config = create_config("!has(request.body_json.foo)");
+        let mut req = create_request();
+        req.body = Some(b"not-actually-json{".to_vec());
+        match config.on_request(req) {
+            Action::Continue(_) => {}
+            Action::ShortCircuit(resp) => panic!("expected continue, got status {}", resp.status),
+        }
+
+        let warnings = host::take_warnings();
+        assert!(
+            warnings.iter().any(|w| w.contains("could not be parsed as JSON")),
+            "expected a parse-failure warning, got {:?}",
+            warnings
+        );
+    }
+
+    #[test]
+    fn eval_body_json_empty_body_yields_empty_map() {
+        let mut config = create_config("!has(request.body_json.foo)");
+        let req = create_request(); // body is None
+        match config.on_request(req) {
+            Action::Continue(_) => {}
+            Action::ShortCircuit(resp) => panic!("expected continue, got status {}", resp.status),
+        }
+    }
+
     // --- Error handling ---
 
     #[test]
