Add L7 policies for user-agent blocking and required headers
Per-route HTTP-level blocking policies for L7 routes. Two rule types: block_user_agent (substring match against User-Agent, returns 403) and require_header (named header must be present, returns 403). Config: L7Policy struct with type/value fields, added as L7Policies slice on Route. Validated in config (type enum, non-empty value, warning if set on L4 routes). DB: Migration 4 creates l7_policies table with route_id FK (cascade delete), type CHECK constraint, UNIQUE(route_id, type, value). New l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy, GetRouteID. Seed updated to persist policies from config. L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates rules in order, returns 403 on first match, no-op if empty. Composed into the handler chain between context injection and reverse proxy. Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy mutation methods on ListenerState. handleL7 threads policies into l7.RouteConfig. Startup loads policies per L7 route from DB. Proto: L7Policy message, repeated l7_policies on Route. Three new RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the write-through pattern. Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy methods. CLI: mcproxyctl policies list/add/remove subcommands. Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match, header present/absent, multiple rules). 4 DB tests (CRUD, cascade, duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation). 2 end-to-end L7 tests (UA block, required header with allow/deny). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -508,3 +508,95 @@ func TestMigrationV2Upgrade(t *testing.T) {
|
||||
t.Fatal("expected proxy_protocol = false")
|
||||
}
|
||||
}
|
||||
|
||||
func TestL7PolicyCRUD(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
|
||||
// Create policies.
|
||||
id1, err := store.CreateL7Policy(rid, "block_user_agent", "BadBot")
|
||||
if err != nil {
|
||||
t.Fatalf("create policy 1: %v", err)
|
||||
}
|
||||
if id1 == 0 {
|
||||
t.Fatal("expected non-zero policy ID")
|
||||
}
|
||||
|
||||
if _, err := store.CreateL7Policy(rid, "require_header", "X-API-Key"); err != nil {
|
||||
t.Fatalf("create policy 2: %v", err)
|
||||
}
|
||||
|
||||
// List policies.
|
||||
policies, err := store.ListL7Policies(rid)
|
||||
if err != nil {
|
||||
t.Fatalf("list: %v", err)
|
||||
}
|
||||
if len(policies) != 2 {
|
||||
t.Fatalf("got %d policies, want 2", len(policies))
|
||||
}
|
||||
|
||||
// Delete one.
|
||||
if err := store.DeleteL7Policy(rid, "block_user_agent", "BadBot"); err != nil {
|
||||
t.Fatalf("delete: %v", err)
|
||||
}
|
||||
|
||||
policies, _ = store.ListL7Policies(rid)
|
||||
if len(policies) != 1 {
|
||||
t.Fatalf("got %d policies after delete, want 1", len(policies))
|
||||
}
|
||||
if policies[0].Type != "require_header" {
|
||||
t.Fatalf("remaining policy type = %q, want %q", policies[0].Type, "require_header")
|
||||
}
|
||||
}
|
||||
|
||||
func TestL7PolicyCascadeDelete(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
store.CreateL7Policy(rid, "block_user_agent", "Bot")
|
||||
|
||||
// Deleting the route should cascade-delete its policies.
|
||||
store.DeleteRoute(lid, "api.test")
|
||||
|
||||
policies, _ := store.ListL7Policies(rid)
|
||||
if len(policies) != 0 {
|
||||
t.Fatalf("got %d policies after cascade delete, want 0", len(policies))
|
||||
}
|
||||
}
|
||||
|
||||
func TestL7PolicyDuplicate(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
|
||||
if _, err := store.CreateL7Policy(rid, "block_user_agent", "Bot"); err != nil {
|
||||
t.Fatalf("first create: %v", err)
|
||||
}
|
||||
if _, err := store.CreateL7Policy(rid, "block_user_agent", "Bot"); err == nil {
|
||||
t.Fatal("expected error for duplicate policy")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetRouteID(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
|
||||
rid, err := store.GetRouteID(lid, "api.test")
|
||||
if err != nil {
|
||||
t.Fatalf("GetRouteID: %v", err)
|
||||
}
|
||||
if rid == 0 {
|
||||
t.Fatal("expected non-zero route ID")
|
||||
}
|
||||
|
||||
_, err = store.GetRouteID(lid, "nonexistent.test")
|
||||
if err == nil {
|
||||
t.Fatal("expected error for nonexistent route")
|
||||
}
|
||||
}
|
||||
|
||||
74
internal/db/l7policies.go
Normal file
74
internal/db/l7policies.go
Normal file
@@ -0,0 +1,74 @@
|
||||
package db
|
||||
|
||||
import "fmt"
|
||||
|
||||
// L7Policy is a database L7 policy record.
|
||||
type L7Policy struct {
|
||||
ID int64
|
||||
RouteID int64
|
||||
Type string // "block_user_agent" or "require_header"
|
||||
Value string
|
||||
}
|
||||
|
||||
// ListL7Policies returns all L7 policies for a route.
|
||||
func (s *Store) ListL7Policies(routeID int64) ([]L7Policy, error) {
|
||||
rows, err := s.db.Query(
|
||||
"SELECT id, route_id, type, value FROM l7_policies WHERE route_id = ? ORDER BY id",
|
||||
routeID,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("querying l7 policies: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
var policies []L7Policy
|
||||
for rows.Next() {
|
||||
var p L7Policy
|
||||
if err := rows.Scan(&p.ID, &p.RouteID, &p.Type, &p.Value); err != nil {
|
||||
return nil, fmt.Errorf("scanning l7 policy: %w", err)
|
||||
}
|
||||
policies = append(policies, p)
|
||||
}
|
||||
return policies, rows.Err()
|
||||
}
|
||||
|
||||
// CreateL7Policy inserts an L7 policy and returns its ID.
|
||||
func (s *Store) CreateL7Policy(routeID int64, policyType, value string) (int64, error) {
|
||||
result, err := s.db.Exec(
|
||||
"INSERT INTO l7_policies (route_id, type, value) VALUES (?, ?, ?)",
|
||||
routeID, policyType, value,
|
||||
)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("inserting l7 policy: %w", err)
|
||||
}
|
||||
return result.LastInsertId()
|
||||
}
|
||||
|
||||
// DeleteL7Policy deletes an L7 policy by route ID, type, and value.
|
||||
func (s *Store) DeleteL7Policy(routeID int64, policyType, value string) error {
|
||||
result, err := s.db.Exec(
|
||||
"DELETE FROM l7_policies WHERE route_id = ? AND type = ? AND value = ?",
|
||||
routeID, policyType, value,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("deleting l7 policy: %w", err)
|
||||
}
|
||||
n, _ := result.RowsAffected()
|
||||
if n == 0 {
|
||||
return fmt.Errorf("l7 policy not found (route %d, type %q, value %q)", routeID, policyType, value)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetRouteID returns the route ID for a listener/hostname pair.
|
||||
func (s *Store) GetRouteID(listenerID int64, hostname string) (int64, error) {
|
||||
var id int64
|
||||
err := s.db.QueryRow(
|
||||
"SELECT id FROM routes WHERE listener_id = ? AND hostname = ?",
|
||||
listenerID, hostname,
|
||||
).Scan(&id)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("looking up route %q on listener %d: %w", hostname, listenerID, err)
|
||||
}
|
||||
return id, nil
|
||||
}
|
||||
@@ -45,6 +45,19 @@ ALTER TABLE routes ADD COLUMN send_proxy_protocol INTEGER NOT NULL DEFAULT 0;`,
|
||||
Name: "add_listener_max_connections",
|
||||
SQL: `ALTER TABLE listeners ADD COLUMN max_connections INTEGER NOT NULL DEFAULT 0;`,
|
||||
},
|
||||
{
|
||||
Version: 4,
|
||||
Name: "create_l7_policies_table",
|
||||
SQL: `
|
||||
CREATE TABLE IF NOT EXISTS l7_policies (
|
||||
id INTEGER PRIMARY KEY,
|
||||
route_id INTEGER NOT NULL REFERENCES routes(id) ON DELETE CASCADE,
|
||||
type TEXT NOT NULL CHECK(type IN ('block_user_agent', 'require_header')),
|
||||
value TEXT NOT NULL,
|
||||
UNIQUE(route_id, type, value)
|
||||
);
|
||||
CREATE INDEX IF NOT EXISTS idx_l7_policies_route ON l7_policies(route_id);`,
|
||||
},
|
||||
}
|
||||
|
||||
// Migrate runs all unapplied migrations sequentially.
|
||||
|
||||
@@ -31,7 +31,7 @@ func (s *Store) Seed(listeners []config.Listener, fw config.Firewall) error {
|
||||
if mode == "" {
|
||||
mode = "l4"
|
||||
}
|
||||
_, err := tx.Exec(
|
||||
routeResult, err := tx.Exec(
|
||||
`INSERT INTO routes (listener_id, hostname, backend, mode, tls_cert, tls_key, backend_tls, send_proxy_protocol)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
listenerID, strings.ToLower(r.Hostname), r.Backend,
|
||||
@@ -40,6 +40,18 @@ func (s *Store) Seed(listeners []config.Listener, fw config.Firewall) error {
|
||||
if err != nil {
|
||||
return fmt.Errorf("seeding route %q on listener %q: %w", r.Hostname, l.Addr, err)
|
||||
}
|
||||
|
||||
if len(r.L7Policies) > 0 {
|
||||
routeID, _ := routeResult.LastInsertId()
|
||||
for _, p := range r.L7Policies {
|
||||
if _, err := tx.Exec(
|
||||
"INSERT INTO l7_policies (route_id, type, value) VALUES (?, ?, ?)",
|
||||
routeID, p.Type, p.Value,
|
||||
); err != nil {
|
||||
return fmt.Errorf("seeding l7 policy on route %q: %w", r.Hostname, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user