Add L7 policies for user-agent blocking and required headers

Per-route HTTP-level blocking policies for L7 routes. Two rule types: block_user_agent (substring match against User-Agent, returns 403) and require_header (named header must be present, returns 403). Config: L7Policy struct with type/value fields, added as L7Policies slice on Route. Validated in config (type enum, non-empty value, warning if set on L4 routes). DB: Migration 4 creates l7_policies table with route_id FK (cascade delete), type CHECK constraint, UNIQUE(route_id, type, value). New l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy, GetRouteID. Seed updated to persist policies from config. L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates rules in order, returns 403 on first match, no-op if empty. Composed into the handler chain between context injection and reverse proxy. Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy mutation methods on ListenerState. handleL7 threads policies into l7.RouteConfig. Startup loads policies per L7 route from DB. Proto: L7Policy message, repeated l7_policies on Route. Three new RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the write-through pattern. Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy methods. CLI: mcproxyctl policies list/add/remove subcommands. Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match, header present/absent, multiple rules). 4 DB tests (CRUD, cascade, duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation). 2 end-to-end L7 tests (UA block, required header with allow/deny). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:11:05 -07:00
parent 1ad42dbbee
commit 42c7fffc3e
20 changed files with 1613 additions and 136 deletions
--- a/internal/grpcserver/grpcserver_test.go
+++ b/internal/grpcserver/grpcserver_test.go
@@ -735,3 +735,97 @@ func TestSetListenerMaxConnectionsNotFound(t *testing.T) {
 		t.Fatalf("expected NotFound, got %v", err)
 	}
 }
+
+func TestAddListL7Policy(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	_, err := env.client.AddL7Policy(ctx, &pb.AddL7PolicyRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+		Policy:       &pb.L7Policy{Type: "block_user_agent", Value: "BadBot"},
+	})
+	if err != nil {
+		t.Fatalf("AddL7Policy: %v", err)
+	}
+
+	resp, err := env.client.ListL7Policies(ctx, &pb.ListL7PoliciesRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+	})
+	if err != nil {
+		t.Fatalf("ListL7Policies: %v", err)
+	}
+	if len(resp.Policies) != 1 {
+		t.Fatalf("got %d policies, want 1", len(resp.Policies))
+	}
+	if resp.Policies[0].Type != "block_user_agent" || resp.Policies[0].Value != "BadBot" {
+		t.Fatalf("policy = %v, want block_user_agent/BadBot", resp.Policies[0])
+	}
+
+	routeResp, _ := env.client.ListRoutes(ctx, &pb.ListRoutesRequest{ListenerAddr: ":443"})
+	for _, r := range routeResp.Routes {
+		if r.Hostname == "a.test" && len(r.L7Policies) != 1 {
+			t.Fatalf("ListRoutes: route has %d policies, want 1", len(r.L7Policies))
+		}
+	}
+}
+
+func TestRemoveL7Policy(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	env.client.AddL7Policy(ctx, &pb.AddL7PolicyRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+		Policy:       &pb.L7Policy{Type: "require_header", Value: "X-Token"},
+	})
+
+	_, err := env.client.RemoveL7Policy(ctx, &pb.RemoveL7PolicyRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+		Policy:       &pb.L7Policy{Type: "require_header", Value: "X-Token"},
+	})
+	if err != nil {
+		t.Fatalf("RemoveL7Policy: %v", err)
+	}
+
+	resp, _ := env.client.ListL7Policies(ctx, &pb.ListL7PoliciesRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+	})
+	if len(resp.Policies) != 0 {
+		t.Fatalf("got %d policies after remove, want 0", len(resp.Policies))
+	}
+}
+
+func TestAddL7PolicyValidation(t *testing.T) {
+	env := setup(t)
+	ctx := context.Background()
+
+	_, err := env.client.AddL7Policy(ctx, &pb.AddL7PolicyRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+		Policy:       &pb.L7Policy{Type: "invalid_type", Value: "x"},
+	})
+	if err == nil {
+		t.Fatal("expected error for invalid policy type")
+	}
+
+	_, err = env.client.AddL7Policy(ctx, &pb.AddL7PolicyRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+		Policy:       &pb.L7Policy{Type: "block_user_agent", Value: ""},
+	})
+	if err == nil {
+		t.Fatal("expected error for empty policy value")
+	}
+
+	_, err = env.client.AddL7Policy(ctx, &pb.AddL7PolicyRequest{
+		ListenerAddr: ":443",
+		Hostname:     "a.test",
+	})
+	if err == nil {
+		t.Fatal("expected error for nil policy")
+	}
+}