mc/mc-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
357ad60e42c1b551b41b53d7bd6bbbc28f38cec4
mc-proxy/internal/db/db_test.go
Kyle Isom 42c7fffc3e Add L7 policies for user-agent blocking and required headers 
Per-route HTTP-level blocking policies for L7 routes. Two rule types:
block_user_agent (substring match against User-Agent, returns 403)
and require_header (named header must be present, returns 403).

Config: L7Policy struct with type/value fields, added as L7Policies
slice on Route. Validated in config (type enum, non-empty value,
warning if set on L4 routes).

DB: Migration 4 creates l7_policies table with route_id FK (cascade
delete), type CHECK constraint, UNIQUE(route_id, type, value). New
l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy,
GetRouteID. Seed updated to persist policies from config.

L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates
rules in order, returns 403 on first match, no-op if empty. Composed
into the handler chain between context injection and reverse proxy.

Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy
mutation methods on ListenerState. handleL7 threads policies into
l7.RouteConfig. Startup loads policies per L7 route from DB.

Proto: L7Policy message, repeated l7_policies on Route. Three new
RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the
write-through pattern.

Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy
methods. CLI: mcproxyctl policies list/add/remove subcommands.

Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match,
header present/absent, multiple rules). 4 DB tests (CRUD, cascade,
duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation).
2 end-to-end L7 tests (UA block, required header with allow/deny).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:11:05 -07:00

603 lines
15 KiB
Go
Raw Blame History

package db
import (
"path/filepath"
"testing"
"git.wntrmute.dev/kyle/mc-proxy/internal/config"
)
func openTestDB(t *testing.T) *Store {
t.Helper()
dir := t.TempDir()
store, err := Open(filepath.Join(dir, "test.db"))
if err != nil {
t.Fatalf("open: %v", err)
}
if err := store.Migrate(); err != nil {
t.Fatalf("migrate: %v", err)
}
t.Cleanup(func() { store.Close() })
return store
}
func TestMigrate(t *testing.T) {
store := openTestDB(t)
// Running migrate again should be idempotent.
if err := store.Migrate(); err != nil {
t.Fatalf("second migrate: %v", err)
}
}
func TestIsEmpty(t *testing.T) {
store := openTestDB(t)
empty, err := store.IsEmpty()
if err != nil {
t.Fatalf("is empty: %v", err)
}
if !empty {
t.Fatal("expected empty database")
}
if _, err := store.CreateListener(":443", false, 0); err != nil {
t.Fatalf("create listener: %v", err)
}
empty, err = store.IsEmpty()
if err != nil {
t.Fatalf("is empty: %v", err)
}
if empty {
t.Fatal("expected non-empty database")
}
}
func TestListenerCRUD(t *testing.T) {
store := openTestDB(t)
id, err := store.CreateListener(":443", false, 0)
if err != nil {
t.Fatalf("create: %v", err)
}
if id == 0 {
t.Fatal("expected non-zero ID")
}
listeners, err := store.ListListeners()
if err != nil {
t.Fatalf("list: %v", err)
}
if len(listeners) != 1 {
t.Fatalf("got %d listeners, want 1", len(listeners))
}
if listeners[0].Addr != ":443" {
t.Fatalf("got addr %q, want %q", listeners[0].Addr, ":443")
}
if listeners[0].ProxyProtocol {
t.Fatal("expected proxy_protocol = false")
}
l, err := store.GetListenerByAddr(":443")
if err != nil {
t.Fatalf("get by addr: %v", err)
}
if l.ID != id {
t.Fatalf("got ID %d, want %d", l.ID, id)
}
if err := store.DeleteListener(id); err != nil {
t.Fatalf("delete: %v", err)
}
listeners, err = store.ListListeners()
if err != nil {
t.Fatalf("list after delete: %v", err)
}
if len(listeners) != 0 {
t.Fatalf("got %d listeners after delete, want 0", len(listeners))
}
}
func TestListenerProxyProtocol(t *testing.T) {
store := openTestDB(t)
id, err := store.CreateListener(":443", true, 0)
if err != nil {
t.Fatalf("create: %v", err)
}
l, err := store.GetListenerByAddr(":443")
if err != nil {
t.Fatalf("get by addr: %v", err)
}
if l.ID != id {
t.Fatalf("got ID %d, want %d", l.ID, id)
}
if !l.ProxyProtocol {
t.Fatal("expected proxy_protocol = true")
}
}
func TestListenerMaxConnections(t *testing.T) {
store := openTestDB(t)
id, err := store.CreateListener(":443", false, 5000)
if err != nil {
t.Fatalf("create: %v", err)
}
l, err := store.GetListenerByAddr(":443")
if err != nil {
t.Fatalf("get: %v", err)
}
if l.MaxConnections != 5000 {
t.Fatalf("max_connections = %d, want 5000", l.MaxConnections)
}
// Update max connections.
if err := store.UpdateListenerMaxConns(id, 10000); err != nil {
t.Fatalf("update: %v", err)
}
l, err = store.GetListenerByAddr(":443")
if err != nil {
t.Fatalf("get after update: %v", err)
}
if l.MaxConnections != 10000 {
t.Fatalf("max_connections = %d, want 10000", l.MaxConnections)
}
// Set to 0 (unlimited).
if err := store.UpdateListenerMaxConns(id, 0); err != nil {
t.Fatalf("update to 0: %v", err)
}
l, _ = store.GetListenerByAddr(":443")
if l.MaxConnections != 0 {
t.Fatalf("max_connections = %d, want 0", l.MaxConnections)
}
}
func TestListenerDuplicateAddr(t *testing.T) {
store := openTestDB(t)
if _, err := store.CreateListener(":443", false, 0); err != nil {
t.Fatalf("first create: %v", err)
}
if _, err := store.CreateListener(":443", false, 0); err == nil {
t.Fatal("expected error for duplicate addr")
}
}
func TestRouteCRUD(t *testing.T) {
store := openTestDB(t)
listenerID, err := store.CreateListener(":443", false, 0)
if err != nil {
t.Fatalf("create listener: %v", err)
}
routeID, err := store.CreateRoute(listenerID, "example.com", "127.0.0.1:8443", "l4", "", "", false, false)
if err != nil {
t.Fatalf("create route: %v", err)
}
if routeID == 0 {
t.Fatal("expected non-zero route ID")
}
routes, err := store.ListRoutes(listenerID)
if err != nil {
t.Fatalf("list routes: %v", err)
}
if len(routes) != 1 {
t.Fatalf("got %d routes, want 1", len(routes))
}
if routes[0].Hostname != "example.com" {
t.Fatalf("got hostname %q, want %q", routes[0].Hostname, "example.com")
}
if routes[0].Mode != "l4" {
t.Fatalf("got mode %q, want %q", routes[0].Mode, "l4")
}
if err := store.DeleteRoute(listenerID, "example.com"); err != nil {
t.Fatalf("delete route: %v", err)
}
routes, err = store.ListRoutes(listenerID)
if err != nil {
t.Fatalf("list after delete: %v", err)
}
if len(routes) != 0 {
t.Fatalf("got %d routes after delete, want 0", len(routes))
}
}
func TestRouteL7Fields(t *testing.T) {
store := openTestDB(t)
listenerID, _ := store.CreateListener(":443", false, 0)
_, err := store.CreateRoute(listenerID, "api.example.com", "127.0.0.1:8080", "l7",
"/certs/api.crt", "/certs/api.key", false, true)
if err != nil {
t.Fatalf("create L7 route: %v", err)
}
routes, err := store.ListRoutes(listenerID)
if err != nil {
t.Fatalf("list routes: %v", err)
}
if len(routes) != 1 {
t.Fatalf("got %d routes, want 1", len(routes))
}
r := routes[0]
if r.Mode != "l7" {
t.Fatalf("mode = %q, want %q", r.Mode, "l7")
}
if r.TLSCert != "/certs/api.crt" {
t.Fatalf("tls_cert = %q, want %q", r.TLSCert, "/certs/api.crt")
}
if r.TLSKey != "/certs/api.key" {
t.Fatalf("tls_key = %q, want %q", r.TLSKey, "/certs/api.key")
}
if r.BackendTLS {
t.Fatal("expected backend_tls = false")
}
if !r.SendProxyProtocol {
t.Fatal("expected send_proxy_protocol = true")
}
}
func TestRouteDuplicateHostname(t *testing.T) {
store := openTestDB(t)
listenerID, _ := store.CreateListener(":443", false, 0)
if _, err := store.CreateRoute(listenerID, "example.com", "127.0.0.1:8443", "l4", "", "", false, false); err != nil {
t.Fatalf("first create: %v", err)
}
if _, err := store.CreateRoute(listenerID, "example.com", "127.0.0.1:9443", "l4", "", "", false, false); err == nil {
t.Fatal("expected error for duplicate hostname on same listener")
}
}
func TestRouteCascadeDelete(t *testing.T) {
store := openTestDB(t)
listenerID, _ := store.CreateListener(":443", false, 0)
store.CreateRoute(listenerID, "a.example.com", "127.0.0.1:8443", "l4", "", "", false, false)
store.CreateRoute(listenerID, "b.example.com", "127.0.0.1:9443", "l4", "", "", false, false)
if err := store.DeleteListener(listenerID); err != nil {
t.Fatalf("delete listener: %v", err)
}
routes, err := store.ListRoutes(listenerID)
if err != nil {
t.Fatalf("list routes: %v", err)
}
if len(routes) != 0 {
t.Fatalf("got %d routes after cascade delete, want 0", len(routes))
}
}
func TestFirewallRuleCRUD(t *testing.T) {
store := openTestDB(t)
id, err := store.CreateFirewallRule("ip", "192.0.2.1")
if err != nil {
t.Fatalf("create: %v", err)
}
if id == 0 {
t.Fatal("expected non-zero ID")
}
if _, err := store.CreateFirewallRule("cidr", "198.51.100.0/24"); err != nil {
t.Fatalf("create cidr: %v", err)
}
if _, err := store.CreateFirewallRule("country", "CN"); err != nil {
t.Fatalf("create country: %v", err)
}
rules, err := store.ListFirewallRules()
if err != nil {
t.Fatalf("list: %v", err)
}
if len(rules) != 3 {
t.Fatalf("got %d rules, want 3", len(rules))
}
if err := store.DeleteFirewallRule("ip", "192.0.2.1"); err != nil {
t.Fatalf("delete: %v", err)
}
rules, err = store.ListFirewallRules()
if err != nil {
t.Fatalf("list after delete: %v", err)
}
if len(rules) != 2 {
t.Fatalf("got %d rules after delete, want 2", len(rules))
}
}
func TestFirewallRuleDuplicate(t *testing.T) {
store := openTestDB(t)
if _, err := store.CreateFirewallRule("ip", "192.0.2.1"); err != nil {
t.Fatalf("first create: %v", err)
}
if _, err := store.CreateFirewallRule("ip", "192.0.2.1"); err == nil {
t.Fatal("expected error for duplicate rule")
}
}
func TestSeed(t *testing.T) {
store := openTestDB(t)
listeners := []config.Listener{
{
Addr: ":443",
Routes: []config.Route{
{Hostname: "a.example.com", Backend: "127.0.0.1:8443", Mode: "l4"},
{Hostname: "b.example.com", Backend: "127.0.0.1:9443"},
},
},
{
Addr: ":8443",
ProxyProtocol: true,
Routes: []config.Route{
{Hostname: "c.example.com", Backend: "127.0.0.1:18443", Mode: "l4", SendProxyProtocol: true},
},
},
}
fw := config.Firewall{
BlockedIPs: []string{"192.0.2.1"},
BlockedCIDRs: []string{"198.51.100.0/24"},
BlockedCountries: []string{"cn", "KP"},
}
if err := store.Seed(listeners, fw); err != nil {
t.Fatalf("seed: %v", err)
}
dbListeners, err := store.ListListeners()
if err != nil {
t.Fatalf("list listeners: %v", err)
}
if len(dbListeners) != 2 {
t.Fatalf("got %d listeners, want 2", len(dbListeners))
}
if !dbListeners[1].ProxyProtocol {
t.Fatal("expected listener 2 proxy_protocol = true")
}
routes, err := store.ListRoutes(dbListeners[0].ID)
if err != nil {
t.Fatalf("list routes: %v", err)
}
if len(routes) != 2 {
t.Fatalf("got %d routes for listener 0, want 2", len(routes))
}
// Verify mode defaults to "l4" even when empty in config.
for _, r := range routes {
if r.Mode != "l4" {
t.Fatalf("route %q mode = %q, want %q", r.Hostname, r.Mode, "l4")
}
}
// Verify send_proxy_protocol on listener 2's route.
routes2, err := store.ListRoutes(dbListeners[1].ID)
if err != nil {
t.Fatalf("list routes listener 2: %v", err)
}
if len(routes2) != 1 {
t.Fatalf("got %d routes for listener 1, want 1", len(routes2))
}
if !routes2[0].SendProxyProtocol {
t.Fatal("expected send_proxy_protocol = true on listener 2 route")
}
rules, err := store.ListFirewallRules()
if err != nil {
t.Fatalf("list firewall rules: %v", err)
}
if len(rules) != 4 {
t.Fatalf("got %d firewall rules, want 4", len(rules))
}
}
func TestSnapshot(t *testing.T) {
store := openTestDB(t)
store.CreateListener(":443", false, 0)
dest := filepath.Join(t.TempDir(), "backup.db")
if err := store.Snapshot(dest); err != nil {
t.Fatalf("snapshot: %v", err)
}
// Open the snapshot and verify.
backup, err := Open(dest)
if err != nil {
t.Fatalf("open backup: %v", err)
}
defer backup.Close()
if err := backup.Migrate(); err != nil {
t.Fatalf("migrate backup: %v", err)
}
listeners, err := backup.ListListeners()
if err != nil {
t.Fatalf("list from backup: %v", err)
}
if len(listeners) != 1 {
t.Fatalf("backup has %d listeners, want 1", len(listeners))
}
}
func TestDeleteNonexistent(t *testing.T) {
store := openTestDB(t)
if err := store.DeleteListener(999); err == nil {
t.Fatal("expected error deleting nonexistent listener")
}
if err := store.DeleteRoute(999, "example.com"); err == nil {
t.Fatal("expected error deleting nonexistent route")
}
if err := store.DeleteFirewallRule("ip", "1.2.3.4"); err == nil {
t.Fatal("expected error deleting nonexistent firewall rule")
}
}
// TestMigrationV2Upgrade verifies that migration v2 adds new columns
// to an existing v1 database without data loss.
func TestMigrationV2Upgrade(t *testing.T) {
dir := t.TempDir()
store, err := Open(filepath.Join(dir, "test.db"))
if err != nil {
t.Fatalf("open: %v", err)
}
t.Cleanup(func() { store.Close() })
// Run full migrations (v1 + v2).
if err := store.Migrate(); err != nil {
t.Fatalf("migrate: %v", err)
}
// Insert a listener and route with defaults to verify new columns work.
lid, err := store.CreateListener(":443", false, 0)
if err != nil {
t.Fatalf("create listener: %v", err)
}
_, err = store.CreateRoute(lid, "test.example.com", "127.0.0.1:8443", "l4", "", "", false, false)
if err != nil {
t.Fatalf("create route: %v", err)
}
// Read back and verify defaults.
routes, err := store.ListRoutes(lid)
if err != nil {
t.Fatalf("list routes: %v", err)
}
if len(routes) != 1 {
t.Fatalf("got %d routes, want 1", len(routes))
}
r := routes[0]
if r.Mode != "l4" {
t.Fatalf("mode = %q, want %q", r.Mode, "l4")
}
if r.TLSCert != "" || r.TLSKey != "" {
t.Fatalf("expected empty cert/key, got cert=%q key=%q", r.TLSCert, r.TLSKey)
}
if r.BackendTLS || r.SendProxyProtocol {
t.Fatal("expected false for backend_tls and send_proxy_protocol")
}
listeners, err := store.ListListeners()
if err != nil {
t.Fatalf("list listeners: %v", err)
}
if listeners[0].ProxyProtocol {
t.Fatal("expected proxy_protocol = false")
}
}
func TestL7PolicyCRUD(t *testing.T) {
store := openTestDB(t)
lid, _ := store.CreateListener(":443", false, 0)
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
// Create policies.
id1, err := store.CreateL7Policy(rid, "block_user_agent", "BadBot")
if err != nil {
t.Fatalf("create policy 1: %v", err)
}
if id1 == 0 {
t.Fatal("expected non-zero policy ID")
}
if _, err := store.CreateL7Policy(rid, "require_header", "X-API-Key"); err != nil {
t.Fatalf("create policy 2: %v", err)
}
// List policies.
policies, err := store.ListL7Policies(rid)
if err != nil {
t.Fatalf("list: %v", err)
}
if len(policies) != 2 {
t.Fatalf("got %d policies, want 2", len(policies))
}
// Delete one.
if err := store.DeleteL7Policy(rid, "block_user_agent", "BadBot"); err != nil {
t.Fatalf("delete: %v", err)
}
policies, _ = store.ListL7Policies(rid)
if len(policies) != 1 {
t.Fatalf("got %d policies after delete, want 1", len(policies))
}
if policies[0].Type != "require_header" {
t.Fatalf("remaining policy type = %q, want %q", policies[0].Type, "require_header")
}
}
func TestL7PolicyCascadeDelete(t *testing.T) {
store := openTestDB(t)
lid, _ := store.CreateListener(":443", false, 0)
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
store.CreateL7Policy(rid, "block_user_agent", "Bot")
// Deleting the route should cascade-delete its policies.
store.DeleteRoute(lid, "api.test")
policies, _ := store.ListL7Policies(rid)
if len(policies) != 0 {
t.Fatalf("got %d policies after cascade delete, want 0", len(policies))
}
}
func TestL7PolicyDuplicate(t *testing.T) {
store := openTestDB(t)
lid, _ := store.CreateListener(":443", false, 0)
rid, _ := store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
if _, err := store.CreateL7Policy(rid, "block_user_agent", "Bot"); err != nil {
t.Fatalf("first create: %v", err)
}
if _, err := store.CreateL7Policy(rid, "block_user_agent", "Bot"); err == nil {
t.Fatal("expected error for duplicate policy")
}
}
func TestGetRouteID(t *testing.T) {
store := openTestDB(t)
lid, _ := store.CreateListener(":443", false, 0)
store.CreateRoute(lid, "api.test", "127.0.0.1:8080", "l7", "/c.pem", "/k.pem", false, false)
rid, err := store.GetRouteID(lid, "api.test")
if err != nil {
t.Fatalf("GetRouteID: %v", err)
}
if rid == 0 {
t.Fatal("expected non-zero route ID")
}
_, err = store.GetRouteID(lid, "nonexistent.test")
if err == nil {
t.Fatal("expected error for nonexistent route")
}
}
Reference in New Issue View Git Blame Copy Permalink