Pull request: all: allow clientid in access settings

Updates #2624. Updates #3162. Squashed commit of the following: commit 68860da717a23a0bfeba14b7fe10b5e4ad38726d Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 15:41:33 2021 +0300 all: imp types, names commit ebd4ec26636853d0d58c4e331e6a78feede20813 Merge: 239eb721 16e5e09c Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 15:14:33 2021 +0300 Merge branch 'master' into 2624-clientid-access commit 239eb7215abc47e99a0300a0f4cf56002689b1a9 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 15:13:10 2021 +0300 all: fix client blocking check commit e6bece3ea8367b3cbe3d90702a3368c870ad4f13 Merge: 9935f2a3 9d1656b5 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 13:12:28 2021 +0300 Merge branch 'master' into 2624-clientid-access commit 9935f2a30bcfae2b853f3ef610c0ab7a56a8f448 Author: Ildar Kamalov <ik@adguard.com> Date: Tue Jun 29 11:26:51 2021 +0300 client: show block button for client id commit ed786a6a74a081cd89e9d67df3537a4fadd54831 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 25 15:56:23 2021 +0300 client: imp i18n commit 4fed21c68473ad408960c08a7d87624cabce1911 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 25 15:34:09 2021 +0300 all: imp i18n, docs commit 55e65c0d6b939560c53dcb834a4557eb3853d194 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 25 13:34:01 2021 +0300 all: fix cache, imp code, docs, tests commit c1e5a83e76deb44b1f92729bb9ddfcc6a96ac4a8 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Thu Jun 24 19:27:12 2021 +0300 all: allow clientid in access settings
2021-06-29 15:53:28 +03:00
parent 16e5e09c2e
commit e08a64ebe4
33 changed files with 955 additions and 604 deletions
--- a/internal/dnsforward/access_test.go
+++ b/internal/dnsforward/access_test.go
@@ -8,99 +8,23 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func TestIsBlockedIP(t *testing.T) {
-	const (
-		ip int = iota
-		cidr
-	)
+func TestIsBlockedClientID(t *testing.T) {
+	clientID := "client-1"
+	clients := []string{clientID}

-	rules := []string{
-		ip:   "1.1.1.1",
-		cidr: "2.2.0.0/16",
-	}
+	a, err := newAccessCtx(clients, nil, nil)
+	require.NoError(t, err)

-	testCases := []struct {
-		name     string
-		allowed  bool
-		ip       net.IP
-		wantDis  bool
-		wantRule string
-	}{{
-		name:     "allow_ip",
-		allowed:  true,
-		ip:       net.IPv4(1, 1, 1, 1),
-		wantDis:  false,
-		wantRule: "",
-	}, {
-		name:     "disallow_ip",
-		allowed:  true,
-		ip:       net.IPv4(1, 1, 1, 2),
-		wantDis:  true,
-		wantRule: "",
-	}, {
-		name:     "allow_cidr",
-		allowed:  true,
-		ip:       net.IPv4(2, 2, 1, 1),
-		wantDis:  false,
-		wantRule: "",
-	}, {
-		name:     "disallow_cidr",
-		allowed:  true,
-		ip:       net.IPv4(2, 3, 1, 1),
-		wantDis:  true,
-		wantRule: "",
-	}, {
-		name:     "allow_ip",
-		allowed:  false,
-		ip:       net.IPv4(1, 1, 1, 1),
-		wantDis:  true,
-		wantRule: rules[ip],
-	}, {
-		name:     "disallow_ip",
-		allowed:  false,
-		ip:       net.IPv4(1, 1, 1, 2),
-		wantDis:  false,
-		wantRule: "",
-	}, {
-		name:     "allow_cidr",
-		allowed:  false,
-		ip:       net.IPv4(2, 2, 1, 1),
-		wantDis:  true,
-		wantRule: rules[cidr],
-	}, {
-		name:     "disallow_cidr",
-		allowed:  false,
-		ip:       net.IPv4(2, 3, 1, 1),
-		wantDis:  false,
-		wantRule: "",
-	}}
+	assert.False(t, a.isBlockedClientID(clientID))

-	for _, tc := range testCases {
-		prefix := "allowed_"
-		if !tc.allowed {
-			prefix = "disallowed_"
-		}
+	a, err = newAccessCtx(nil, clients, nil)
+	require.NoError(t, err)

-		t.Run(prefix+tc.name, func(t *testing.T) {
-			allowedRules := rules
-			var disallowedRules []string
-
-			if !tc.allowed {
-				allowedRules, disallowedRules = disallowedRules, allowedRules
-			}
-
-			aCtx, err := newAccessCtx(allowedRules, disallowedRules, nil)
-			require.NoError(t, err)
-
-			disallowed, rule := aCtx.IsBlockedIP(tc.ip)
-			assert.Equal(t, tc.wantDis, disallowed)
-			assert.Equal(t, tc.wantRule, rule)
-		})
-	}
+	assert.True(t, a.isBlockedClientID(clientID))
 }

-func TestIsBlockedDomain(t *testing.T) {
-	aCtx, err := newAccessCtx(nil, nil, []string{
+func TestIsBlockedHost(t *testing.T) {
+	a, err := newAccessCtx(nil, nil, []string{
 		"host1",
 		"*.host.com",
 		"||host3.com^",
@@ -108,50 +32,106 @@ func TestIsBlockedDomain(t *testing.T) {
 	require.NoError(t, err)

 	testCases := []struct {
-		name   string
-		domain string
-		want   bool
+		name string
+		host string
+		want bool
 	}{{
-		name:   "plain_match",
-		domain: "host1",
-		want:   true,
+		name: "plain_match",
+		host: "host1",
+		want: true,
 	}, {
-		name:   "plain_mismatch",
-		domain: "host2",
-		want:   false,
+		name: "plain_mismatch",
+		host: "host2",
+		want: false,
 	}, {
-		name:   "wildcard_type-1_match_short",
-		domain: "asdf.host.com",
-		want:   true,
+		name: "subdomain_match_short",
+		host: "asdf.host.com",
+		want: true,
 	}, {
-		name:   "wildcard_type-1_match_long",
-		domain: "qwer.asdf.host.com",
-		want:   true,
+		name: "subdomain_match_long",
+		host: "qwer.asdf.host.com",
+		want: true,
 	}, {
-		name:   "wildcard_type-1_mismatch_no-lead",
-		domain: "host.com",
-		want:   false,
+		name: "subdomain_mismatch_no_lead",
+		host: "host.com",
+		want: false,
 	}, {
-		name:   "wildcard_type-1_mismatch_bad-asterisk",
-		domain: "asdf.zhost.com",
-		want:   false,
+		name: "subdomain_mismatch_bad_asterisk",
+		host: "asdf.zhost.com",
+		want: false,
 	}, {
-		name:   "wildcard_type-2_match_simple",
-		domain: "host3.com",
-		want:   true,
+		name: "rule_match_simple",
+		host: "host3.com",
+		want: true,
 	}, {
-		name:   "wildcard_type-2_match_complex",
-		domain: "asdf.host3.com",
-		want:   true,
+		name: "rule_match_complex",
+		host: "asdf.host3.com",
+		want: true,
 	}, {
-		name:   "wildcard_type-2_mismatch",
-		domain: ".host3.com",
-		want:   false,
+		name: "rule_mismatch",
+		host: ".host3.com",
+		want: false,
 	}}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			assert.Equal(t, tc.want, aCtx.IsBlockedDomain(tc.domain))
+			assert.Equal(t, tc.want, a.isBlockedHost(tc.host))
 		})
 	}
 }
+
+func TestIsBlockedIP(t *testing.T) {
+	clients := []string{
+		"1.2.3.4",
+		"5.6.7.8/24",
+	}
+
+	allowCtx, err := newAccessCtx(clients, nil, nil)
+	require.NoError(t, err)
+
+	blockCtx, err := newAccessCtx(nil, clients, nil)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name        string
+		wantRule    string
+		ip          net.IP
+		wantBlocked bool
+	}{{
+		name:        "match_ip",
+		wantRule:    "1.2.3.4",
+		ip:          net.IP{1, 2, 3, 4},
+		wantBlocked: true,
+	}, {
+		name:        "match_cidr",
+		wantRule:    "5.6.7.8/24",
+		ip:          net.IP{5, 6, 7, 100},
+		wantBlocked: true,
+	}, {
+		name:        "no_match_ip",
+		wantRule:    "",
+		ip:          net.IP{9, 2, 3, 4},
+		wantBlocked: false,
+	}, {
+		name:        "no_match_cidr",
+		wantRule:    "",
+		ip:          net.IP{9, 6, 7, 100},
+		wantBlocked: false,
+	}}
+
+	t.Run("allow", func(t *testing.T) {
+		for _, tc := range testCases {
+			blocked, rule := allowCtx.isBlockedIP(tc.ip)
+			assert.Equal(t, !tc.wantBlocked, blocked)
+			assert.Equal(t, tc.wantRule, rule)
+		}
+	})
+
+	t.Run("block", func(t *testing.T) {
+		for _, tc := range testCases {
+			blocked, rule := blockCtx.isBlockedIP(tc.ip)
+			assert.Equal(t, tc.wantBlocked, blocked)
+			assert.Equal(t, tc.wantRule, rule)
+		}
+	})
+}