Add L7 policies for user-agent blocking and required headers

Per-route HTTP-level blocking policies for L7 routes. Two rule types: block_user_agent (substring match against User-Agent, returns 403) and require_header (named header must be present, returns 403). Config: L7Policy struct with type/value fields, added as L7Policies slice on Route. Validated in config (type enum, non-empty value, warning if set on L4 routes). DB: Migration 4 creates l7_policies table with route_id FK (cascade delete), type CHECK constraint, UNIQUE(route_id, type, value). New l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy, GetRouteID. Seed updated to persist policies from config. L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates rules in order, returns 403 on first match, no-op if empty. Composed into the handler chain between context injection and reverse proxy. Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy mutation methods on ListenerState. handleL7 threads policies into l7.RouteConfig. Startup loads policies per L7 route from DB. Proto: L7Policy message, repeated l7_policies on Route. Three new RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the write-through pattern. Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy methods. CLI: mcproxyctl policies list/add/remove subcommands. Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match, header present/absent, multiple rules). 4 DB tests (CRUD, cascade, duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation). 2 end-to-end L7 tests (UA block, required header with allow/deny). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:11:05 -07:00
parent 1ad42dbbee
commit 42c7fffc3e
20 changed files with 1613 additions and 136 deletions
--- a/internal/l7/serve_test.go
+++ b/internal/l7/serve_test.go
@@ -551,3 +551,115 @@ func TestL7HTTP11Fallback(t *testing.T) {
 		t.Fatal("empty response body")
 	}
 }
+
+func TestL7PolicyBlocksUserAgentE2E(t *testing.T) {
+	certPath, keyPath := testCert(t, "policy.test")
+
+	backendAddr := startH2CBackend(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, "should-not-reach")
+	}))
+
+	proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("proxy listen: %v", err)
+	}
+	defer proxyLn.Close()
+
+	route := RouteConfig{
+		Backend:        backendAddr,
+		TLSCert:        certPath,
+		TLSKey:         keyPath,
+		ConnectTimeout: 5 * time.Second,
+		Policies: []PolicyRule{
+			{Type: "block_user_agent", Value: "EvilBot"},
+		},
+	}
+
+	go func() {
+		conn, err := proxyLn.Accept()
+		if err != nil {
+			return
+		}
+		logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+		Serve(context.Background(), conn, nil, route, netip.MustParseAddrPort("203.0.113.50:12345"), logger)
+	}()
+
+	client := dialTLSToProxy(t, proxyLn.Addr().String(), "policy.test")
+	req, _ := http.NewRequest("GET", "https://policy.test/", nil)
+	req.Header.Set("User-Agent", "EvilBot/1.0")
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("GET: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 403 {
+		t.Fatalf("status = %d, want 403", resp.StatusCode)
+	}
+}
+
+func TestL7PolicyRequiresHeaderE2E(t *testing.T) {
+	certPath, keyPath := testCert(t, "reqhdr.test")
+
+	backendAddr := startH2CBackend(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, "ok")
+	}))
+
+	proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("proxy listen: %v", err)
+	}
+	defer proxyLn.Close()
+
+	route := RouteConfig{
+		Backend:        backendAddr,
+		TLSCert:        certPath,
+		TLSKey:         keyPath,
+		ConnectTimeout: 5 * time.Second,
+		Policies: []PolicyRule{
+			{Type: "require_header", Value: "X-Auth-Token"},
+		},
+	}
+
+	// Accept two connections (one blocked, one allowed).
+	go func() {
+		for range 2 {
+			conn, err := proxyLn.Accept()
+			if err != nil {
+				return
+			}
+			go func() {
+				logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+				Serve(context.Background(), conn, nil, route, netip.MustParseAddrPort("203.0.113.50:12345"), logger)
+			}()
+		}
+	}()
+
+	// Without the required header → 403.
+	client1 := dialTLSToProxy(t, proxyLn.Addr().String(), "reqhdr.test")
+	resp1, err := client1.Get("https://reqhdr.test/")
+	if err != nil {
+		t.Fatalf("GET without header: %v", err)
+	}
+	resp1.Body.Close()
+	if resp1.StatusCode != 403 {
+		t.Fatalf("without header: status = %d, want 403", resp1.StatusCode)
+	}
+
+	// With the required header → 200.
+	client2 := dialTLSToProxy(t, proxyLn.Addr().String(), "reqhdr.test")
+	req, _ := http.NewRequest("GET", "https://reqhdr.test/", nil)
+	req.Header.Set("X-Auth-Token", "valid-token")
+	resp2, err := client2.Do(req)
+	if err != nil {
+		t.Fatalf("GET with header: %v", err)
+	}
+	defer resp2.Body.Close()
+	body, _ := io.ReadAll(resp2.Body)
+	if resp2.StatusCode != 200 {
+		t.Fatalf("with header: status = %d, want 200", resp2.StatusCode)
+	}
+	if string(body) != "ok" {
+		t.Fatalf("body = %q, want %q", body, "ok")
+	}
+}