Checkpoint

2025-10-06 22:25:23 +02:00
parent a23259cfdc
commit a254b306f2
48 changed files with 3327 additions and 212 deletions
--- a/testdata/policy/bogons.rego
+++ b/testdata/policy/bogons.rego
@@ -1,58 +0,0 @@
-package styx
-
-import input.request as http_request
-
-default permit := false
-default reject := 0
-default template := ""
-
-# Bogon networks
-bogons := [
-    "0.0.0.0/8",          # "This" network
-    "10.0.0.0/8",         # RFC1918 Private-use networks
-    "100.64.0.0/10",      # Carrier-grade NAT
-    "127.0.0.0/8",        # Loopback
-    "169.254.0.0/16",     # Link local
-    "172.16.0.0/12",      # RFC1918 Private-use networks
-    "192.0.0.0/24",       # IETF protocol assignments
-    "192.0.2.0/24",       # TEST-NET-1
-    "192.168.0.0/16",     # RFC1918 Private-use networks
-    "198.18.0.0/15",      # Network interconnect device benchmark testing
-    "198.51.100.0/24",    # TEST-NET-2
-    "203.0.113.0/24",     # TEST-NET-3
-    "224.0.0.0/4",        # Multicast
-    "240.0.0.0/4",        # Reserved for future use
-    "255.255.255.255/32", # Limited broadcast
-]
-
-# Resolve HTTP host to IPs
-addrs := styx.lookup_ip_addr(http_request.host)
-
-template := "template/blocked.html" if {
-    some cidr in bogons
-    net.cidr_contains(cidr, http_request.host)
-}
-
-template := "template/blocked.html" if {
-    some addr in addrs
-    some cidr in bogons
-    net.cidr_contains(cidr, addr)
-}
-
-permit if {
-    template == ""
-}
-
-errors contains "Bogon destination not allowed" if {
-    template != ""
-}
-
-errors contains "Could not lookup host" if {
-    count(addrs) == 0
-}
-
-errors contains addr if {
-    some addr in addrs
-    some cidr in bogons
-    net.cidr_contains(cidr, addr)
-}
--- a/testdata/policy/childsafe.rego
+++ b/testdata/policy/childsafe.rego
@@ -1,56 +0,0 @@
-package styx
-
-import input.client as client
-import input.request as http_request
-
-# HTTP -> HTTPS redirects for allowed domains
-redirect = concat("", ["https://", http_request.host, http_request.path]) if {
-    _social
-    http_request.scheme == "http"
-}
-
-reject = 403 if {
-    _childsafe_network
-    _social
-}
-
-reject = 403 if {
-    _childsafe_network
-    _toxic
-}
-
-# Sensitive domains are always allowed
-permit if {
-    _sensitive
-}
-
-permit if {
-    reject != 0
-}
-
-_sensitive if {
-    styx.in_domains("sensitive", http_request.host)
-}
-
-_social if {
-    styx.in_domains("social", http_request.host)
-    print("Domain in social", http_request.host)
-}
-
-errors contains "Social networking domain not allowed" if {
-    reject != 0
-    _social
-}
-
-_toxic if {
-    styx.in_domains("toxic", http_request.host)
-}
-
-errors contains "Toxic domain not allowed" if {
-    reject != 0
-    _toxic
-}
-
-_childsafe_network if {
-    styx.in_networks("kids", client.ip)
-}
--- a/testdata/policy/custom/childsafe.rego
+++ b/testdata/policy/custom/childsafe.rego
@@ -0,0 +1,102 @@
+package custom
+
+_social_domains := [
+	"reddit.com",
+	"roblox.com",
+	# X
+	"twitter.com",
+	"x.com",
+	# YouTube
+	"googlevideo.com",
+	"youtube.com",
+	"youtu.be",
+	"ytimg.com",
+]
+
+_toxic_domains := [
+	# Facebook
+	"facebook.com",
+	"facebook.net",
+	"fbsbx.com",
+	# Pinterest
+	"pinterest.com",
+	# TikTok
+	"isnssdk.com",
+	"musical.ly",
+	"musically.app.link",
+	"musically-alternate.app.link",
+	"musemuse.cn",
+	"sgsnssdk.com",
+	"tiktok.com",
+	"tiktok.org",
+	"tiktokcdn.com",
+	"tiktokcdn-eu.com",
+	"tiktokv.com",
+]
+
+in_domains(list, name) if {
+	some item in list
+	lower(name) == lower(item)
+}
+
+in_domains(list, name) if {
+	some item in list
+	endswith(lower(name), sprintf(".%s", [lower(item)]))
+}
+
+# METADATA
+# description: Apply childssfe rules to the request, reject if it's a social
+#              site between off-hours, reject if it's toxic.
+# entrypoint: true
+default redirect := ""
+
+# HTTP -> HTTPS redirects for allowed domains
+redirect := location if {
+	_social
+	input.request.scheme == "http"
+	location := sprintf("https://%s%s", [input.request.host, input.request.path])
+}
+
+default reject := 0
+
+template := "template/blocked.html" if {
+	_childsafe_network
+	_social
+	# styx.time_between("18:00", "16:00") # allowed between 16:00-18:00
+}
+
+template := "template/blocked.html" if {
+	_toxic
+}
+
+# Sensitive domains are always allowed
+permit if {
+	_sensitive
+	reject != 0
+}
+
+_sensitive if {
+	styx.domains_contain("sensitive", input.request.host)
+}
+
+_social if {
+	#styx.domains_contain("social", input.request.host)
+	in_domains(_social_domains, input.request.host)
+}
+
+_toxic if {
+	in_domains(_toxic_domains, input.request.host)
+}
+
+_childsafe_network if {
+	styx.networks_contain("kids", input.client.ip)
+}
+
+errors contains "Request to social networking site outside of allowed hours" if {
+	_childsafe_network
+	_social
+}
+
+errors contains "Request to toxic site" if {
+	_toxic
+}
--- a/testdata/policy/intercept.rego
+++ b/testdata/policy/intercept.rego
@@ -1,21 +0,0 @@
-package styx.intercept
-
-reject := 403 if {
-    _target_blocked
-}
-
-template := "template/intercepted.html" if {
-    _target_blocked
-} 
-
-errors contains "Intercepted" if {
-    _target_blocked
-}
-
-_target_blocked if {
-    styx.in_domains("bad", input.request.host)
-}
-
-_target_blocked if {
-    styx.in_networks("bogons", input.client.ip)
-}
--- a/testdata/policy/styx/bogons.rego
+++ b/testdata/policy/styx/bogons.rego
@@ -0,0 +1,54 @@
+package styx
+
+# Bogon networks
+_bogons := [
+	"0.0.0.0/8", # "This" network
+	"10.0.0.0/8", # RFC1918 Private-use networks
+	"100.64.0.0/10", # Carrier-grade NAT
+	"127.0.0.0/8", # Loopback
+	"169.254.0.0/16", # Link local
+	"172.16.0.0/12", # RFC1918 Private-use networks
+	"192.0.0.0/24", # IETF protocol assignments
+	"192.0.2.0/24", # TEST-NET-1
+	"192.168.0.0/16", # RFC1918 Private-use networks
+	"198.18.0.0/15", # Network interconnect device benchmark testing
+	"198.51.100.0/24", # TEST-NET-2
+	"203.0.113.0/24", # TEST-NET-3
+	"224.0.0.0/4", # Multicast
+	"240.0.0.0/4", # Reserved for future use
+	"255.255.255.255/32", # Limited broadcast
+]
+
+# METADATA
+# description: Reject requests to bogon targets.
+# entrypoint: true
+default permit := false
+
+permit if {
+	template == ""
+}
+
+default template := ""
+
+template := "template/blocked.html" if {
+	_bogon
+}
+
+errors contains "Bogon destination not allowed" if {
+	_bogon
+}
+
+errors contains _bogon if {
+	_bogon
+}
+
+_bogon := addr if {
+	some addr in styx.lookup_ip_addr(input.request.host)
+	some cidr in _bogons
+	net.cidr_contains(cidr, addr)
+}
+
+_bogon := input.request.host if {
+	some cidr in _bogons
+	net.cidr_contains(cidr, input.request.host)
+}
--- a/testdata/policy/styx/intercept.rego
+++ b/testdata/policy/styx/intercept.rego
@@ -0,0 +1,25 @@
+package styx.intercept
+
+reject := 403 if {
+	_bad
+}
+
+template := "template/blocked.html" if {
+	_bogon
+}
+
+errors contains "Bad domain" if {
+	_bad
+}
+
+errors contains "Bogon target" if {
+	_bogon
+}
+
+_bad if {
+	styx.domains_contain("bad", input.request.host)
+}
+
+_bogon if {
+	styx.domains_contain("bogons", input.client.ip)
+}