mc-proxy/internal/firewall/firewall_test.go
Kyle Isom 9cba3241e8 Add SQLite persistence and write-through gRPC mutations
Database (internal/db) stores listeners, routes, and firewall rules with
WAL mode, foreign keys, and idempotent migrations. First run seeds from
TOML config; subsequent runs load from DB as source of truth.

gRPC admin API now writes to the database before updating in-memory state
(write-through cache pattern). Adds snapshot command for VACUUM INTO
backups. Refactors firewall.New to accept raw rule slices instead of
config struct for flexibility.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 03:07:30 -07:00


package firewall
import (
"net/netip"
"testing"
)
// TestEmptyFirewall checks that a firewall constructed with every rule
// argument nil is fully open: no IPv4 or IPv6 address is reported as
// blocked. This is the "default deny nothing" baseline the other tests
// build on.
func TestEmptyFirewall(t *testing.T) {
	fw, err := New("", nil, nil, nil)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	defer fw.Close()

	// A mix of private v4, loopback v6 and documentation-range v6 so an
	// accidental catch-all rule in either family would be caught.
	probes := []string{"192.168.1.1", "10.0.0.1", "::1", "2001:db8::1"}
	for _, raw := range probes {
		candidate := netip.MustParseAddr(raw)
		if fw.Blocked(candidate) {
			t.Fatalf("empty firewall blocked %s", candidate)
		}
	}
}
// TestIPBlocking verifies that exact-address rules block precisely the
// listed IPv4 and IPv6 addresses and leave adjacent addresses in the
// same range unaffected (no accidental prefix matching).
func TestIPBlocking(t *testing.T) {
	fw, err := New("", []string{"192.0.2.1", "2001:db8::dead"}, nil, nil)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	defer fw.Close()

	// expect aborts the test on the first mismatch; the remaining
	// probes are not evaluated once one fails.
	expect := func(raw string, want bool) {
		t.Helper()
		if got := fw.Blocked(netip.MustParseAddr(raw)); got != want {
			t.Fatalf("Blocked(%s) = %v, want %v", raw, got, want)
		}
	}

	expect("192.0.2.1", true)
	expect("192.0.2.2", false)
	expect("2001:db8::dead", true)
	expect("2001:db8::beef", false)
}
// TestCIDRBlocking verifies prefix rules: addresses inside a configured
// IPv4 /24 or IPv6 /32 are blocked, including the first and last usable
// host of the v4 range, while addresses just outside each prefix pass.
func TestCIDRBlocking(t *testing.T) {
	fw, err := New("", nil, []string{"198.51.100.0/24", "2001:db8::/32"}, nil)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	defer fw.Close()

	cases := []struct {
		addr    string
		blocked bool
	}{
		{addr: "198.51.100.1", blocked: true},
		{addr: "198.51.100.254", blocked: true},
		{addr: "198.51.101.1", blocked: false}, // neighbouring /24
		{addr: "2001:db8::1", blocked: true},
		{addr: "2001:db9::1", blocked: false}, // neighbouring /32
	}

	for i := range cases {
		tc := &cases[i]
		got := fw.Blocked(netip.MustParseAddr(tc.addr))
		if got == tc.blocked {
			continue
		}
		t.Fatalf("Blocked(%s) = %v, want %v", tc.addr, got, tc.blocked)
	}
}
// TestIPv4MappedIPv6 checks that an exact IPv4 rule also catches the
// same address when it arrives in IPv4-mapped IPv6 form (::ffff:a.b.c.d).
// Without this normalisation a dual-stack listener would let a blocked
// v4 peer through simply because the socket reported the mapped form.
//
// NOTE(review): only the exact-IP rule set is exercised here; whether an
// IPv4 CIDR rule likewise matches the mapped form is not covered by this
// file.
func TestIPv4MappedIPv6(t *testing.T) {
	fw, err := New("", []string{"192.0.2.1"}, nil, nil)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	defer fw.Close()

	mapped := netip.MustParseAddr("::ffff:192.0.2.1")
	if blocked := fw.Blocked(mapped); !blocked {
		t.Fatal("expected IPv4-mapped IPv6 address to be blocked")
	}
}
// TestInvalidIP checks that New rejects a malformed address in the IP
// rule list instead of silently dropping the rule, which would leave a
// hole the operator believes is closed.
func TestInvalidIP(t *testing.T) {
	if _, err := New("", []string{"not-an-ip"}, nil, nil); err == nil {
		t.Fatal("expected error for invalid IP")
	}
}
// TestInvalidCIDR checks that New rejects a malformed prefix in the CIDR
// rule list rather than ignoring it; a bad rule must fail loudly at
// construction time.
func TestInvalidCIDR(t *testing.T) {
	if _, err := New("", nil, []string{"not-a-cidr"}, nil); err == nil {
		t.Fatal("expected error for invalid CIDR")
	}
}
// TestCombinedRules verifies that exact-IP and CIDR rules supplied
// together each take effect independently: a hit in either set blocks,
// and an address matching neither passes.
func TestCombinedRules(t *testing.T) {
	fw, err := New("", []string{"10.0.0.1"}, []string{"192.168.0.0/16"}, nil)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	defer fw.Close()

	// Stops at the first mismatch.
	expect := func(raw string, want bool) {
		t.Helper()
		if got := fw.Blocked(netip.MustParseAddr(raw)); got != want {
			t.Fatalf("Blocked(%s) = %v, want %v", raw, got, want)
		}
	}

	expect("10.0.0.1", true)    // exact-IP rule
	expect("10.0.0.2", false)   // same /24, not listed
	expect("192.168.1.1", true) // inside the /16
	expect("172.16.0.1", false) // matches neither rule set
}
// TestRuntimeMutation exercises the live AddIP/RemoveIP path on a
// firewall that started empty: the address is open before the rule is
// added, blocked once added, and open again once removed. A rule that
// lingered after RemoveIP would silently keep blocking the peer.
func TestRuntimeMutation(t *testing.T) {
	fw, err := New("", nil, nil, nil)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	defer fw.Close()

	const target = "10.0.0.1"
	addr := netip.MustParseAddr(target)

	// mustBe fails the test outright if the address's blocked state
	// does not match want.
	mustBe := func(want bool, msg string) {
		t.Helper()
		if fw.Blocked(addr) != want {
			t.Fatal(msg)
		}
	}

	mustBe(false, "should not be blocked initially")

	if err := fw.AddIP(target); err != nil {
		t.Fatalf("add IP: %v", err)
	}
	mustBe(true, "should be blocked after AddIP")

	if err := fw.RemoveIP(target); err != nil {
		t.Fatalf("remove IP: %v", err)
	}
	mustBe(false, "should not be blocked after RemoveIP")
}