Kyle Isom
42c7fffc3e
Per-route HTTP-level blocking policies for L7 routes. Two rule types: block_user_agent (substring match against User-Agent, returns 403) and require_header (named header must be present, returns 403). Config: L7Policy struct with type/value fields, added as L7Policies slice on Route. Validated in config (type enum, non-empty value, warning if set on L4 routes). DB: Migration 4 creates l7_policies table with route_id FK (cascade delete), type CHECK constraint, UNIQUE(route_id, type, value). New l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy, GetRouteID. Seed updated to persist policies from config. L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates rules in order, returns 403 on first match, no-op if empty. Composed into the handler chain between context injection and reverse proxy. Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy mutation methods on ListenerState. handleL7 threads policies into l7.RouteConfig. Startup loads policies per L7 route from DB. Proto: L7Policy message, repeated l7_policies on Route. Three new RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the write-through pattern. Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy methods. CLI: mcproxyctl policies list/add/remove subcommands. Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match, header present/absent, multiple rules). 4 DB tests (CRUD, cascade, duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation). 2 end-to-end L7 tests (UA block, required header with allow/deny). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
67 lines
2.0 KiB
Go
67 lines
2.0 KiB
Go
package db
|
|
|
|
import (
|
|
mcdsldb "git.wntrmute.dev/kyle/mcdsl/db"
|
|
)
|
|
|
|
// Migrations is the ordered list of schema migrations for mc-proxy.
|
|
var Migrations = []mcdsldb.Migration{
|
|
{
|
|
Version: 1,
|
|
Name: "create_core_tables",
|
|
SQL: `
|
|
CREATE TABLE IF NOT EXISTS listeners (
|
|
id INTEGER PRIMARY KEY,
|
|
addr TEXT NOT NULL UNIQUE
|
|
);
|
|
CREATE TABLE IF NOT EXISTS routes (
|
|
id INTEGER PRIMARY KEY,
|
|
listener_id INTEGER NOT NULL REFERENCES listeners(id) ON DELETE CASCADE,
|
|
hostname TEXT NOT NULL,
|
|
backend TEXT NOT NULL,
|
|
UNIQUE(listener_id, hostname)
|
|
);
|
|
CREATE INDEX IF NOT EXISTS idx_routes_listener ON routes(listener_id);
|
|
CREATE TABLE IF NOT EXISTS firewall_rules (
|
|
id INTEGER PRIMARY KEY,
|
|
type TEXT NOT NULL CHECK(type IN ('ip', 'cidr', 'country')),
|
|
value TEXT NOT NULL,
|
|
UNIQUE(type, value)
|
|
);`,
|
|
},
|
|
{
|
|
Version: 2,
|
|
Name: "add_proxy_protocol_and_l7_fields",
|
|
SQL: `
|
|
ALTER TABLE listeners ADD COLUMN proxy_protocol INTEGER NOT NULL DEFAULT 0;
|
|
ALTER TABLE routes ADD COLUMN mode TEXT NOT NULL DEFAULT 'l4' CHECK(mode IN ('l4', 'l7'));
|
|
ALTER TABLE routes ADD COLUMN tls_cert TEXT NOT NULL DEFAULT '';
|
|
ALTER TABLE routes ADD COLUMN tls_key TEXT NOT NULL DEFAULT '';
|
|
ALTER TABLE routes ADD COLUMN backend_tls INTEGER NOT NULL DEFAULT 0;
|
|
ALTER TABLE routes ADD COLUMN send_proxy_protocol INTEGER NOT NULL DEFAULT 0;`,
|
|
},
|
|
{
|
|
Version: 3,
|
|
Name: "add_listener_max_connections",
|
|
SQL: `ALTER TABLE listeners ADD COLUMN max_connections INTEGER NOT NULL DEFAULT 0;`,
|
|
},
|
|
{
|
|
Version: 4,
|
|
Name: "create_l7_policies_table",
|
|
SQL: `
|
|
CREATE TABLE IF NOT EXISTS l7_policies (
|
|
id INTEGER PRIMARY KEY,
|
|
route_id INTEGER NOT NULL REFERENCES routes(id) ON DELETE CASCADE,
|
|
type TEXT NOT NULL CHECK(type IN ('block_user_agent', 'require_header')),
|
|
value TEXT NOT NULL,
|
|
UNIQUE(route_id, type, value)
|
|
);
|
|
CREATE INDEX IF NOT EXISTS idx_l7_policies_route ON l7_policies(route_id);`,
|
|
},
|
|
}
|
|
|
|
// Migrate runs all unapplied migrations sequentially.
|
|
func (s *Store) Migrate() error {
|
|
return mcdsldb.Migrate(s.db, Migrations)
|
|
}
|