Add L7 policies for user-agent blocking and required headers

Per-route HTTP-level blocking policies for L7 routes. Two rule types:
block_user_agent (substring match against User-Agent, returns 403)
and require_header (named header must be present, returns 403).

Config: L7Policy struct with type/value fields, added as L7Policies
slice on Route. Validated in config (type enum, non-empty value,
warning if set on L4 routes).

DB: Migration 4 creates l7_policies table with route_id FK (cascade
delete), type CHECK constraint, UNIQUE(route_id, type, value). New
l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy,
GetRouteID. Seed updated to persist policies from config.

L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates
rules in order, returns 403 on first match, no-op if empty. Composed
into the handler chain between context injection and reverse proxy.

Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy
mutation methods on ListenerState. handleL7 threads policies into
l7.RouteConfig. Startup loads policies per L7 route from DB.

Proto: L7Policy message, repeated l7_policies on Route. Three new
RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the
write-through pattern.

Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy
methods. CLI: mcproxyctl policies list/add/remove subcommands.

Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match,
header present/absent, multiple rules). 4 DB tests (CRUD, cascade,
duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation).
2 end-to-end L7 tests (UA block, required header with allow/deny).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/l7/policy.go

@@ -0,0 +1,38 @@
+package l7
+
+import (
+	"net/http"
+	"strings"
+)
+
+// PolicyRule defines an L7 blocking policy.
+type PolicyRule struct {
+	Type  string // "block_user_agent" or "require_header"
+	Value string
+}
+
+// PolicyMiddleware returns an http.Handler that evaluates L7 policies
+// before delegating to next. Returns HTTP 403 if any policy blocks.
+// If policies is empty, returns next unchanged.
+func PolicyMiddleware(policies []PolicyRule, next http.Handler) http.Handler {
+	if len(policies) == 0 {
+		return next
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for _, p := range policies {
+			switch p.Type {
+			case "block_user_agent":
+				if strings.Contains(r.UserAgent(), p.Value) {
+					w.WriteHeader(http.StatusForbidden)
+					return
+				}
+			case "require_header":
+				if r.Header.Get(p.Value) == "" {
+					w.WriteHeader(http.StatusForbidden)
+					return
+				}
+			}
+		}
+		next.ServeHTTP(w, r)
+	})
+}

internal/l7/policy_test.go

@@ -0,0 +1,158 @@
+package l7
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestPolicyMiddlewareNoPolicies(t *testing.T) {
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(200)
+	})
+
+	handler := PolicyMiddleware(nil, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if w.Code != 200 {
+		t.Fatalf("status = %d, want 200", w.Code)
+	}
+}
+
+func TestPolicyBlockUserAgentMatch(t *testing.T) {
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "block_user_agent", Value: "BadBot"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("User-Agent", "Mozilla/5.0 BadBot/1.0")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != 403 {
+		t.Fatalf("status = %d, want 403", w.Code)
+	}
+}
+
+func TestPolicyBlockUserAgentNoMatch(t *testing.T) {
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "block_user_agent", Value: "BadBot"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("User-Agent", "Mozilla/5.0 GoodBrowser/1.0")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if w.Code != 200 {
+		t.Fatalf("status = %d, want 200", w.Code)
+	}
+}
+
+func TestPolicyRequireHeaderPresent(t *testing.T) {
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "require_header", Value: "X-API-Key"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-API-Key", "secret")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if w.Code != 200 {
+		t.Fatalf("status = %d, want 200", w.Code)
+	}
+}
+
+func TestPolicyRequireHeaderAbsent(t *testing.T) {
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "require_header", Value: "X-API-Key"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != 403 {
+		t.Fatalf("status = %d, want 403", w.Code)
+	}
+}
+
+func TestPolicyMultipleRules(t *testing.T) {
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+	})
+
+	policies := []PolicyRule{
+		{Type: "block_user_agent", Value: "BadBot"},
+		{Type: "require_header", Value: "X-Token"},
+	}
+	handler := PolicyMiddleware(policies, next)
+
+	// Blocked by UA even though header is present.
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("User-Agent", "BadBot/1.0")
+	req.Header.Set("X-Token", "abc")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+	if w.Code != 403 {
+		t.Fatalf("UA block: status = %d, want 403", w.Code)
+	}
+
+	// Good UA but missing header.
+	req2 := httptest.NewRequest("GET", "/", nil)
+	req2.Header.Set("User-Agent", "GoodBot/1.0")
+	w2 := httptest.NewRecorder()
+	handler.ServeHTTP(w2, req2)
+	if w2.Code != 403 {
+		t.Fatalf("missing header: status = %d, want 403", w2.Code)
+	}
+
+	// Good UA and header present — passes.
+	req3 := httptest.NewRequest("GET", "/", nil)
+	req3.Header.Set("User-Agent", "GoodBot/1.0")
+	req3.Header.Set("X-Token", "abc")
+	w3 := httptest.NewRecorder()
+	handler.ServeHTTP(w3, req3)
+	if w3.Code != 200 {
+		t.Fatalf("pass: status = %d, want 200", w3.Code)
+	}
+}

internal/l7/serve.go

@@ -26,6 +26,7 @@ type RouteConfig struct {
 	BackendTLS        bool
 	SendProxyProtocol bool
 	ConnectTimeout    time.Duration
+	Policies          []PolicyRule
 }
 
 // contextKey is an unexported type for context keys in this package.
@@ -74,10 +75,12 @@ func Serve(ctx context.Context, conn net.Conn, peeked []byte, route RouteConfig,
 		return fmt.Errorf("creating reverse proxy: %w", err)
 	}
 
-	// Wrap the handler to inject the real client IP into the request context.
+	// Build handler chain: context injection → L7 policies → reverse proxy.
+	var inner http.Handler = rp
+	inner = PolicyMiddleware(route.Policies, inner)
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		r = r.WithContext(context.WithValue(r.Context(), clientAddrKey, clientAddr))
-		rp.ServeHTTP(w, r)
+		inner.ServeHTTP(w, r)
 	})
 
 	// Serve HTTP on the TLS connection. Use HTTP/2 if negotiated,

internal/l7/serve_test.go

@@ -551,3 +551,115 @@ func TestL7HTTP11Fallback(t *testing.T) {
 		t.Fatal("empty response body")
 	}
 }
+
+func TestL7PolicyBlocksUserAgentE2E(t *testing.T) {
+	certPath, keyPath := testCert(t, "policy.test")
+
+	backendAddr := startH2CBackend(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, "should-not-reach")
+	}))
+
+	proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("proxy listen: %v", err)
+	}
+	defer proxyLn.Close()
+
+	route := RouteConfig{
+		Backend:        backendAddr,
+		TLSCert:        certPath,
+		TLSKey:         keyPath,
+		ConnectTimeout: 5 * time.Second,
+		Policies: []PolicyRule{
+			{Type: "block_user_agent", Value: "EvilBot"},
+		},
+	}
+
+	go func() {
+		conn, err := proxyLn.Accept()
+		if err != nil {
+			return
+		}
+		logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+		Serve(context.Background(), conn, nil, route, netip.MustParseAddrPort("203.0.113.50:12345"), logger)
+	}()
+
+	client := dialTLSToProxy(t, proxyLn.Addr().String(), "policy.test")
+	req, _ := http.NewRequest("GET", "https://policy.test/", nil)
+	req.Header.Set("User-Agent", "EvilBot/1.0")
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("GET: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 403 {
+		t.Fatalf("status = %d, want 403", resp.StatusCode)
+	}
+}
+
+func TestL7PolicyRequiresHeaderE2E(t *testing.T) {
+	certPath, keyPath := testCert(t, "reqhdr.test")
+
+	backendAddr := startH2CBackend(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, "ok")
+	}))
+
+	proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("proxy listen: %v", err)
+	}
+	defer proxyLn.Close()
+
+	route := RouteConfig{
+		Backend:        backendAddr,
+		TLSCert:        certPath,
+		TLSKey:         keyPath,
+		ConnectTimeout: 5 * time.Second,
+		Policies: []PolicyRule{
+			{Type: "require_header", Value: "X-Auth-Token"},
+		},
+	}
+
+	// Accept two connections (one blocked, one allowed).
+	go func() {
+		for range 2 {
+			conn, err := proxyLn.Accept()
+			if err != nil {
+				return
+			}
+			go func() {
+				logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+				Serve(context.Background(), conn, nil, route, netip.MustParseAddrPort("203.0.113.50:12345"), logger)
+			}()
+		}
+	}()
+
+	// Without the required header → 403.
+	client1 := dialTLSToProxy(t, proxyLn.Addr().String(), "reqhdr.test")
+	resp1, err := client1.Get("https://reqhdr.test/")
+	if err != nil {
+		t.Fatalf("GET without header: %v", err)
+	}
+	resp1.Body.Close()
+	if resp1.StatusCode != 403 {
+		t.Fatalf("without header: status = %d, want 403", resp1.StatusCode)
+	}
+
+	// With the required header → 200.
+	client2 := dialTLSToProxy(t, proxyLn.Addr().String(), "reqhdr.test")
+	req, _ := http.NewRequest("GET", "https://reqhdr.test/", nil)
+	req.Header.Set("X-Auth-Token", "valid-token")
+	resp2, err := client2.Do(req)
+	if err != nil {
+		t.Fatalf("GET with header: %v", err)
+	}
+	defer resp2.Body.Close()
+	body, _ := io.ReadAll(resp2.Body)
+	if resp2.StatusCode != 200 {
+		t.Fatalf("with header: status = %d, want 200", resp2.StatusCode)
+	}
+	if string(body) != "ok" {
+		t.Fatalf("body = %q, want %q", body, "ok")
+	}
+}