mc/mc-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f3249fdc3bed38ad48d9827ef1a7374c8f2040a
mc-proxy/internal/db/l7policies.go
Kyle Isom 42c7fffc3e Add L7 policies for user-agent blocking and required headers 
Per-route HTTP-level blocking policies for L7 routes. Two rule types:
block_user_agent (substring match against User-Agent, returns 403)
and require_header (named header must be present, returns 403).

Config: L7Policy struct with type/value fields, added as L7Policies
slice on Route. Validated in config (type enum, non-empty value,
warning if set on L4 routes).

DB: Migration 4 creates l7_policies table with route_id FK (cascade
delete), type CHECK constraint, UNIQUE(route_id, type, value). New
l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy,
GetRouteID. Seed updated to persist policies from config.

L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates
rules in order, returns 403 on first match, no-op if empty. Composed
into the handler chain between context injection and reverse proxy.

Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy
mutation methods on ListenerState. handleL7 threads policies into
l7.RouteConfig. Startup loads policies per L7 route from DB.

Proto: L7Policy message, repeated l7_policies on Route. Three new
RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the
write-through pattern.

Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy
methods. CLI: mcproxyctl policies list/add/remove subcommands.

Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match,
header present/absent, multiple rules). 4 DB tests (CRUD, cascade,
duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation).
2 end-to-end L7 tests (UA block, required header with allow/deny).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:11:05 -07:00

75 lines
2.1 KiB
Go
Raw Blame History

package db
import "fmt"
// L7Policy is a database L7 policy record.
type L7Policy struct {
ID int64
RouteID int64
Type string // "block_user_agent" or "require_header"
Value string
}
// ListL7Policies returns all L7 policies for a route.
func (s *Store) ListL7Policies(routeID int64) ([]L7Policy, error) {
rows, err := s.db.Query(
"SELECT id, route_id, type, value FROM l7_policies WHERE route_id = ? ORDER BY id",
routeID,
)
if err != nil {
return nil, fmt.Errorf("querying l7 policies: %w", err)
}
defer rows.Close()
var policies []L7Policy
for rows.Next() {
var p L7Policy
if err := rows.Scan(&p.ID, &p.RouteID, &p.Type, &p.Value); err != nil {
return nil, fmt.Errorf("scanning l7 policy: %w", err)
}
policies = append(policies, p)
}
return policies, rows.Err()
}
// CreateL7Policy inserts an L7 policy and returns its ID.
func (s *Store) CreateL7Policy(routeID int64, policyType, value string) (int64, error) {
result, err := s.db.Exec(
"INSERT INTO l7_policies (route_id, type, value) VALUES (?, ?, ?)",
routeID, policyType, value,
)
if err != nil {
return 0, fmt.Errorf("inserting l7 policy: %w", err)
}
return result.LastInsertId()
}
// DeleteL7Policy deletes an L7 policy by route ID, type, and value.
func (s *Store) DeleteL7Policy(routeID int64, policyType, value string) error {
result, err := s.db.Exec(
"DELETE FROM l7_policies WHERE route_id = ? AND type = ? AND value = ?",
routeID, policyType, value,
)
if err != nil {
return fmt.Errorf("deleting l7 policy: %w", err)
}
n, _ := result.RowsAffected()
if n == 0 {
return fmt.Errorf("l7 policy not found (route %d, type %q, value %q)", routeID, policyType, value)
}
return nil
}
// GetRouteID returns the route ID for a listener/hostname pair.
func (s *Store) GetRouteID(listenerID int64, hostname string) (int64, error) {
var id int64
err := s.db.QueryRow(
"SELECT id FROM routes WHERE listener_id = ? AND hostname = ?",
listenerID, hostname,
).Scan(&id)
if err != nil {
return 0, fmt.Errorf("looking up route %q on listener %d: %w", hostname, listenerID, err)
}
return id, nil
}
Reference in New Issue View Git Blame Copy Permalink