Add per-IP rate limiting and Unix socket support for gRPC admin API
Rate limiting: per-source-IP connection rate limiter in the firewall layer with configurable limit and sliding window. Blocklisted IPs are rejected before rate limit evaluation to avoid wasting quota. Unix socket: the gRPC admin API can now listen on a Unix domain socket (no TLS required), secured by file permissions (0600), as a simpler alternative for local-only access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -195,6 +195,113 @@ addr = ":8443"
|
||||
}
|
||||
}
|
||||
|
||||
func TestGRPCIsUnixSocket(t *testing.T) {
|
||||
tests := []struct {
|
||||
addr string
|
||||
want bool
|
||||
}{
|
||||
{"/var/run/mc-proxy.sock", true},
|
||||
{"unix:/var/run/mc-proxy.sock", true},
|
||||
{"127.0.0.1:9090", false},
|
||||
{":9090", false},
|
||||
{"", false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
g := GRPC{Addr: tt.addr}
|
||||
if got := g.IsUnixSocket(); got != tt.want {
|
||||
t.Fatalf("IsUnixSocket(%q) = %v, want %v", tt.addr, got, tt.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateGRPCUnixNoTLS(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
path := filepath.Join(dir, "test.toml")
|
||||
|
||||
data := `
|
||||
[database]
|
||||
path = "/tmp/test.db"
|
||||
|
||||
[grpc]
|
||||
addr = "/var/run/mc-proxy.sock"
|
||||
`
|
||||
if err := os.WriteFile(path, []byte(data), 0600); err != nil {
|
||||
t.Fatalf("write config: %v", err)
|
||||
}
|
||||
|
||||
_, err := Load(path)
|
||||
if err != nil {
|
||||
t.Fatalf("expected Unix socket without TLS to be valid, got: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateGRPCTCPRequiresTLS(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
path := filepath.Join(dir, "test.toml")
|
||||
|
||||
data := `
|
||||
[database]
|
||||
path = "/tmp/test.db"
|
||||
|
||||
[grpc]
|
||||
addr = "127.0.0.1:9090"
|
||||
`
|
||||
if err := os.WriteFile(path, []byte(data), 0600); err != nil {
|
||||
t.Fatalf("write config: %v", err)
|
||||
}
|
||||
|
||||
_, err := Load(path)
|
||||
if err == nil {
|
||||
t.Fatal("expected error for TCP gRPC addr without TLS certs")
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateRateLimitRequiresWindow(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
path := filepath.Join(dir, "test.toml")
|
||||
|
||||
data := `
|
||||
[database]
|
||||
path = "/tmp/test.db"
|
||||
|
||||
[firewall]
|
||||
rate_limit = 100
|
||||
`
|
||||
if err := os.WriteFile(path, []byte(data), 0600); err != nil {
|
||||
t.Fatalf("write config: %v", err)
|
||||
}
|
||||
|
||||
_, err := Load(path)
|
||||
if err == nil {
|
||||
t.Fatal("expected error for rate_limit without rate_window")
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateRateLimitWithWindow(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
path := filepath.Join(dir, "test.toml")
|
||||
|
||||
data := `
|
||||
[database]
|
||||
path = "/tmp/test.db"
|
||||
|
||||
[firewall]
|
||||
rate_limit = 100
|
||||
rate_window = "1m"
|
||||
`
|
||||
if err := os.WriteFile(path, []byte(data), 0600); err != nil {
|
||||
t.Fatalf("write config: %v", err)
|
||||
}
|
||||
|
||||
cfg, err := Load(path)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if cfg.Firewall.RateLimit != 100 {
|
||||
t.Fatalf("got rate_limit %d, want 100", cfg.Firewall.RateLimit)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDuration(t *testing.T) {
|
||||
var d Duration
|
||||
if err := d.UnmarshalText([]byte("5s")); err != nil {
|
||||
|
||||
Reference in New Issue
Block a user