Add L7 policies for user-agent blocking and required headers
Per-route HTTP-level blocking policies for L7 routes. Two rule types: block_user_agent (substring match against User-Agent, returns 403) and require_header (named header must be present, returns 403). Config: L7Policy struct with type/value fields, added as L7Policies slice on Route. Validated in config (type enum, non-empty value, warning if set on L4 routes). DB: Migration 4 creates l7_policies table with route_id FK (cascade delete), type CHECK constraint, UNIQUE(route_id, type, value). New l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy, GetRouteID. Seed updated to persist policies from config. L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates rules in order, returns 403 on first match, no-op if empty. Composed into the handler chain between context injection and reverse proxy. Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy mutation methods on ListenerState. handleL7 threads policies into l7.RouteConfig. Startup loads policies per L7 route from DB. Proto: L7Policy message, repeated l7_policies on Route. Three new RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the write-through pattern. Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy methods. CLI: mcproxyctl policies list/add/remove subcommands. Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match, header present/absent, multiple rules). 4 DB tests (CRUD, cascade, duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation). 2 end-to-end L7 tests (UA block, required header with allow/deny). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -508,3 +508,95 @@ func TestMigrationV2Upgrade(t *testing.T) {
|
||||
t.Fatal("expected proxy_protocol = false")
|
||||
}
|
||||
}
|
||||
|
||||
func TestL7PolicyCRUD(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
|
||||
// Create policies.
|
||||
id1, err := store.CreateL7Policy(rid, "block_user_agent", "BadBot")
|
||||
if err != nil {
|
||||
t.Fatalf("create policy 1: %v", err)
|
||||
}
|
||||
if id1 == 0 {
|
||||
t.Fatal("expected non-zero policy ID")
|
||||
}
|
||||
|
||||
if _, err := store.CreateL7Policy(rid, "require_header", "X-API-Key"); err != nil {
|
||||
t.Fatalf("create policy 2: %v", err)
|
||||
}
|
||||
|
||||
// List policies.
|
||||
policies, err := store.ListL7Policies(rid)
|
||||
if err != nil {
|
||||
t.Fatalf("list: %v", err)
|
||||
}
|
||||
if len(policies) != 2 {
|
||||
t.Fatalf("got %d policies, want 2", len(policies))
|
||||
}
|
||||
|
||||
// Delete one.
|
||||
if err := store.DeleteL7Policy(rid, "block_user_agent", "BadBot"); err != nil {
|
||||
t.Fatalf("delete: %v", err)
|
||||
}
|
||||
|
||||
policies, _ = store.ListL7Policies(rid)
|
||||
if len(policies) != 1 {
|
||||
t.Fatalf("got %d policies after delete, want 1", len(policies))
|
||||
}
|
||||
if policies[0].Type != "require_header" {
|
||||
t.Fatalf("remaining policy type = %q, want %q", policies[0].Type, "require_header")
|
||||
}
|
||||
}
|
||||
|
||||
func TestL7PolicyCascadeDelete(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
store.CreateL7Policy(rid, "block_user_agent", "Bot")
|
||||
|
||||
// Deleting the route should cascade-delete its policies.
|
||||
store.DeleteRoute(lid, "api.test")
|
||||
|
||||
policies, _ := store.ListL7Policies(rid)
|
||||
if len(policies) != 0 {
|
||||
t.Fatalf("got %d policies after cascade delete, want 0", len(policies))
|
||||
}
|
||||
}
|
||||
|
||||
func TestL7PolicyDuplicate(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
|
||||
if _, err := store.CreateL7Policy(rid, "block_user_agent", "Bot"); err != nil {
|
||||
t.Fatalf("first create: %v", err)
|
||||
}
|
||||
if _, err := store.CreateL7Policy(rid, "block_user_agent", "Bot"); err == nil {
|
||||
t.Fatal("expected error for duplicate policy")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetRouteID(t *testing.T) {
|
||||
store := openTestDB(t)
|
||||
|
||||
lid, _ := store.CreateListener(":443", false, 0)
|
||||
store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
|
||||
|
||||
rid, err := store.GetRouteID(lid, "api.test")
|
||||
if err != nil {
|
||||
t.Fatalf("GetRouteID: %v", err)
|
||||
}
|
||||
if rid == 0 {
|
||||
t.Fatal("expected non-zero route ID")
|
||||
}
|
||||
|
||||
_, err = store.GetRouteID(lid, "nonexistent.test")
|
||||
if err == nil {
|
||||
t.Fatal("expected error for nonexistent route")
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user