Initial import

2025-09-26 08:49:53 +02:00
commit a76650da35
35 changed files with 4660 additions and 0 deletions
--- a/proxy/policy/policy_test.go
+++ b/proxy/policy/policy_test.go
@@ -0,0 +1,139 @@
+package policy
+
+import (
+	"net"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"git.maze.io/maze/styx/internal/netutil"
+	"git.maze.io/maze/styx/proxy/match"
+	"github.com/miekg/dns"
+)
+
+type testInDomainList struct {
+	t    *testing.T
+	list []string
+}
+
+func (testInDomainList) Name() string { return "testInDomainList" }
+func (l testInDomainList) MatchesRequest(r *http.Request) bool {
+	for _, domain := range l.list {
+		if dns.IsSubDomain(domain, netutil.Host(r.URL.Host)) {
+			l.t.Logf("domain %s contains %s", domain, r.URL.Host)
+			return true
+		}
+		l.t.Logf("domain %s does not contain %s", domain, r.URL.Host)
+	}
+	return false
+}
+
+func testInDomain(t *testing.T, domains ...string) match.Matcher {
+	return &testInDomainList{t: t, list: domains}
+}
+
+type testInNetworkList struct {
+	t    *testing.T
+	list []*net.IPNet
+}
+
+func (testInNetworkList) Name() string { return "testInNetworkList" }
+func (l testInNetworkList) MatchesIP(ip net.IP) bool {
+	for _, ipnet := range l.list {
+		if ipnet.Contains(ip) {
+			l.t.Logf("network %s contains %s", ipnet, ip)
+			return true
+		}
+		l.t.Logf("network %s does not contain %s", ipnet, ip)
+	}
+	return false
+}
+
+func testInNetwork(t *testing.T, cidr string) match.Matcher {
+	t.Helper()
+	_, ipnet, err := net.ParseCIDR(cidr)
+	if err != nil {
+		panic(err)
+	}
+	return testInNetworkList{t: t, list: []*net.IPNet{ipnet}}
+}
+
+func TestPolicy(t *testing.T) {
+	var (
+		yes  = true
+		nope = false
+	)
+	p := &Policy{
+		Rules: []*rawRule{
+			{
+				Rule: &requestRule{
+					domainOrNetworkRule: domainOrNetworkRule{
+						matchers: []match.Matcher{testInNetwork(t, "127.0.0.0/8")},
+						isSource: []bool{true},
+					},
+				},
+			},
+			{
+				Rule: &requestRule{
+					domainOrNetworkRule: domainOrNetworkRule{
+						matchers: []match.Matcher{testInNetwork(t, "127.0.0.0/8")},
+						isSource: []bool{false},
+					},
+					Permit: &yes,
+				},
+			},
+			{
+				Rule: &requestRule{
+					domainOrNetworkRule: domainOrNetworkRule{
+						matchers: []match.Matcher{testInDomain(t, "maze.io", "maze.engineering")},
+					},
+					Permit: &yes,
+				},
+			},
+			{
+				Rule: &requestRule{
+					domainOrNetworkRule: domainOrNetworkRule{
+						matchers: []match.Matcher{testInDomain(t, "google.com")},
+					},
+					Permit: &nope,
+				},
+			},
+		},
+	}
+
+	r := &http.Request{
+		URL:        &url.URL{Scheme: "http", Host: "golang.org:80"},
+		RemoteAddr: "127.0.0.1:1234",
+	}
+	if v := p.PermitRequest(r); v != nil {
+		t.Errorf("expected request to return no verdict, got %t", *v)
+	}
+
+	p.Rules[0].Rule.(*requestRule).Permit = &yes
+	if v := p.PermitRequest(r); v == nil || *v != yes {
+		t.Errorf("expected request to return %t, %v", yes, v)
+	}
+
+	r.RemoteAddr = "192.168.1.2:3456"
+	if v := p.PermitRequest(r); v != nil {
+		t.Errorf("expected request to return no verdict, got %t", *v)
+	}
+	if v := p.PermitIntercept(r); v != nil {
+		t.Errorf("expected request to return no verdict, got %t", *v)
+	}
+
+	r.URL.Host = "maze.io"
+	if v := p.PermitRequest(r); v == nil || *v != yes {
+		t.Errorf("expected request to return %t, %v", yes, v)
+	}
+
+	r.URL.Host = "google.com"
+	if v := p.PermitRequest(r); v == nil || *v != nope {
+		t.Errorf("expected request to return %t, %v", nope, v)
+	}
+
+	r.URL.Host = "localhost:80"
+	if v := p.PermitRequest(r); v == nil || *v != yes {
+		t.Errorf("expected request to return %t, %v", yes, v)
+	}
+}