Add L7 policies for user-agent blocking and required headers
Per-route HTTP-level blocking policies for L7 routes. Two rule types: block_user_agent (substring match against User-Agent, returns 403) and require_header (named header must be present, returns 403). Config: L7Policy struct with type/value fields, added as L7Policies slice on Route. Validated in config (type enum, non-empty value, warning if set on L4 routes). DB: Migration 4 creates l7_policies table with route_id FK (cascade delete), type CHECK constraint, UNIQUE(route_id, type, value). New l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy, GetRouteID. Seed updated to persist policies from config. L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates rules in order, returns 403 on first match, no-op if empty. Composed into the handler chain between context injection and reverse proxy. Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy mutation methods on ListenerState. handleL7 threads policies into l7.RouteConfig. Startup loads policies per L7 route from DB. Proto: L7Policy message, repeated l7_policies on Route. Three new RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the write-through pattern. Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy methods. CLI: mcproxyctl policies list/add/remove subcommands. Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match, header present/absent, multiple rules). 4 DB tests (CRUD, cascade, duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation). 2 end-to-end L7 tests (UA block, required header with allow/deny). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
114
cmd/mcproxyctl/policies.go
Normal file
114
cmd/mcproxyctl/policies.go
Normal file
@@ -0,0 +1,114 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
|
||||
mcproxy "git.wntrmute.dev/kyle/mc-proxy/client/mcproxy"
|
||||
)
|
||||
|
||||
func policiesCmd() *cobra.Command {
|
||||
cmd := &cobra.Command{
|
||||
Use: "policies",
|
||||
Short: "Manage L7 policies",
|
||||
Long: "Manage L7 HTTP policies for mc-proxy routes.",
|
||||
}
|
||||
|
||||
cmd.AddCommand(policiesListCmd())
|
||||
cmd.AddCommand(policiesAddCmd())
|
||||
cmd.AddCommand(policiesRemoveCmd())
|
||||
|
||||
return cmd
|
||||
}
|
||||
|
||||
func policiesListCmd() *cobra.Command {
|
||||
return &cobra.Command{
|
||||
Use: "list LISTENER HOSTNAME",
|
||||
Short: "List L7 policies for a route",
|
||||
Args: cobra.ExactArgs(2),
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
listenerAddr := args[0]
|
||||
hostname := args[1]
|
||||
client := clientFromContext(cmd.Context())
|
||||
|
||||
ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
|
||||
defer cancel()
|
||||
|
||||
policies, err := client.ListL7Policies(ctx, listenerAddr, hostname)
|
||||
if err != nil {
|
||||
return fmt.Errorf("listing policies: %w", err)
|
||||
}
|
||||
|
||||
if len(policies) == 0 {
|
||||
fmt.Printf("No L7 policies for %s on %s\n", hostname, listenerAddr)
|
||||
return nil
|
||||
}
|
||||
|
||||
fmt.Printf("L7 policies for %s on %s:\n", hostname, listenerAddr)
|
||||
for _, p := range policies {
|
||||
fmt.Printf(" %-20s %s\n", p.Type, p.Value)
|
||||
}
|
||||
return nil
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func policiesAddCmd() *cobra.Command {
|
||||
return &cobra.Command{
|
||||
Use: "add LISTENER HOSTNAME TYPE VALUE",
|
||||
Short: "Add an L7 policy",
|
||||
Long: "Add an L7 policy to a route. TYPE is block_user_agent or require_header.",
|
||||
Args: cobra.ExactArgs(4),
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
listenerAddr := args[0]
|
||||
hostname := args[1]
|
||||
policyType := args[2]
|
||||
policyValue := args[3]
|
||||
client := clientFromContext(cmd.Context())
|
||||
|
||||
ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
|
||||
defer cancel()
|
||||
|
||||
if err := client.AddL7Policy(ctx, listenerAddr, hostname, mcproxy.L7Policy{
|
||||
Type: policyType,
|
||||
Value: policyValue,
|
||||
}); err != nil {
|
||||
return fmt.Errorf("adding policy: %w", err)
|
||||
}
|
||||
|
||||
fmt.Printf("Added policy: %s %q on %s/%s\n", policyType, policyValue, listenerAddr, hostname)
|
||||
return nil
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func policiesRemoveCmd() *cobra.Command {
|
||||
return &cobra.Command{
|
||||
Use: "remove LISTENER HOSTNAME TYPE VALUE",
|
||||
Short: "Remove an L7 policy",
|
||||
Args: cobra.ExactArgs(4),
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
listenerAddr := args[0]
|
||||
hostname := args[1]
|
||||
policyType := args[2]
|
||||
policyValue := args[3]
|
||||
client := clientFromContext(cmd.Context())
|
||||
|
||||
ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
|
||||
defer cancel()
|
||||
|
||||
if err := client.RemoveL7Policy(ctx, listenerAddr, hostname, mcproxy.L7Policy{
|
||||
Type: policyType,
|
||||
Value: policyValue,
|
||||
}); err != nil {
|
||||
return fmt.Errorf("removing policy: %w", err)
|
||||
}
|
||||
|
||||
fmt.Printf("Removed policy: %s %q from %s/%s\n", policyType, policyValue, listenerAddr, hostname)
|
||||
return nil
|
||||
},
|
||||
}
|
||||
}
|
||||
@@ -58,6 +58,7 @@ func rootCmd() *cobra.Command {
|
||||
cmd.AddCommand(healthCmd())
|
||||
cmd.AddCommand(routesCmd())
|
||||
cmd.AddCommand(firewallCmd())
|
||||
cmd.AddCommand(policiesCmd())
|
||||
|
||||
return cmd
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user