Add plugin ACL for source ip filtering (#3103)

* Add plugin ACL for source ip filtering Signed-off-by: An Xiao <hac@zju.edu.cn> * Allow all arguments to be optional and support multiple qtypes in a single policy Signed-off-by: An Xiao <hac@zju.edu.cn> * Add newline before third party imports Signed-off-by: An Xiao <hac@zju.edu.cn> * Use camel instead of underscore in method name Signed-off-by: An Xiao <hac@zju.edu.cn> * Start with an upper case letter in t.Errorf() Signed-off-by: An Xiao <hac@zju.edu.cn> * Use the qtype parse logic in miekg/dns Signed-off-by: An Xiao <hac@zju.edu.cn> * Use third party trie implementation as the ip filter Signed-off-by: An Xiao <hac@zju.edu.cn> * Update based on rdrozhdzh's comment Signed-off-by: An Xiao <hac@zju.edu.cn> * Change the type of action to int Signed-off-by: An Xiao <hac@zju.edu.cn> * Add IPv6 support Signed-off-by: An Xiao <hac@zju.edu.cn> * Update plugin.cfg Signed-off-by: An Xiao <hac@zju.edu.cn> * Remove file functionality Signed-off-by: An Xiao <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update README Signed-off-by: Xiao An <hac@zju.edu.cn> * remove comments Signed-off-by: Xiao An <hac@zju.edu.cn> * update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update dependency Signed-off-by: Xiao An <hac@zju.edu.cn> * Update Signed-off-by: Xiao An <hac@zju.edu.cn> * Update test Signed-off-by: Xiao An <hac@zju.edu.cn> * Add OWNERS Signed-off-by: Xiao An <hac@zju.edu.cn> * Refactor shouldBlock and skip useless check Signed-off-by: Xiao An <hac@zju.edu.cn> * Introduce ActionNone Signed-off-by: Xiao An <hac@zju.edu.cn> * Update label name Signed-off-by: Xiao An <hac@zju.edu.cn> * Avoid capitalizing private types Signed-off-by: Xiao An <hac@zju.edu.cn>
author: An Xiao <hac@zju.edu.cn> 2019-09-04 23:43:45 +0800
committer: Yong Tang <yong.tang.github@outlook.com> 2019-09-04 08:43:45 -0700
commit: 79f37a1460cc52ce6c63110f4df33316a36af3a5 (patch)
tree: 35b3ddcc68ba82eabb9393cb166b5de76a42bb29 /plugin/acl/setup_test.go
parent: 7894154bfd2f1960c6842318d8ee99c194a04179 (diff)
download: coredns-79f37a1460cc52ce6c63110f4df33316a36af3a5.tar.gz
coredns-79f37a1460cc52ce6c63110f4df33316a36af3a5.tar.zst
coredns-79f37a1460cc52ce6c63110f4df33316a36af3a5.zip
1 files changed, 245 insertions, 0 deletions
diff --git a/plugin/acl/setup_test.go b/plugin/acl/setup_test.go
new file mode 100644
index 000000000..f48da3f24
--- /dev/null
+++ b/plugin/acl/setup_test.go
@@ -0,0 +1,245 @@
+package acl
+
+import (
+	"testing"
+
+	"github.com/caddyserver/caddy"
+)
+
+func TestSetup(t *testing.T) {
+	tests := []struct {
+		name    string
+		config  string
+		wantErr bool
+	}{
+		// IPv4 tests.
+		{
+			"Blacklist 1",
+			`acl {
+				block type A net 192.168.0.0/16
+			}`,
+			false,
+		},
+		{
+			"Blacklist 2",
+			`acl {
+				block type * net 192.168.0.0/16
+			}`,
+			false,
+		},
+		{
+			"Blacklist 3",
+			`acl {
+				block type A net *
+			}`,
+			false,
+		},
+		{
+			"Blacklist 4",
+			`acl {
+				allow type * net 192.168.1.0/24
+				block type * net 192.168.0.0/16
+			}`,
+			false,
+		},
+		{
+			"Whitelist 1",
+			`acl {
+				allow type * net 192.168.0.0/16
+				block type * net *
+			}`,
+			false,
+		},
+		{
+			"fine-grained 1",
+			`acl a.example.org {
+				block type * net 192.168.1.0/24
+			}`,
+			false,
+		},
+		{
+			"fine-grained 2",
+			`acl a.example.org {
+				block type * net 192.168.1.0/24
+			}
+			acl b.example.org {
+				block type * net 192.168.2.0/24
+			}`,
+			false,
+		},
+		{
+			"Multiple Networks 1",
+			`acl example.org {
+				block type * net 192.168.1.0/24 192.168.3.0/24
+			}`,
+			false,
+		},
+		{
+			"Multiple Qtypes 1",
+			`acl example.org {
+				block type TXT ANY CNAME net 192.168.3.0/24
+			}`,
+			false,
+		},
+		{
+			"Missing argument 1",
+			`acl {
+				block A net 192.168.0.0/16
+			}`,
+			true,
+		},
+		{
+			"Missing argument 2",
+			`acl {
+				block type net 192.168.0.0/16
+			}`,
+			true,
+		},
+		{
+			"Illegal argument 1",
+			`acl {
+				block type ABC net 192.168.0.0/16
+			}`,
+			true,
+		},
+		{
+			"Illegal argument 2",
+			`acl {
+				blck type A net 192.168.0.0/16
+			}`,
+			true,
+		},
+		{
+			"Illegal argument 3",
+			`acl {
+				block type A net 192.168.0/16
+			}`,
+			true,
+		},
+		{
+			"Illegal argument 4",
+			`acl {
+				block type A net 192.168.0.0/33
+			}`,
+			true,
+		},
+		// IPv6 tests.
+		{
+			"Blacklist 1 IPv6",
+			`acl {
+				block type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+			}`,
+			false,
+		},
+		{
+			"Blacklist 2 IPv6",
+			`acl {
+				block type * net 2001:db8:85a3::8a2e:370:7334
+			}`,
+			false,
+		},
+		{
+			"Blacklist 3 IPv6",
+			`acl {
+				block type A
+			}`,
+			false,
+		},
+		{
+			"Blacklist 4 IPv6",
+			`acl {
+				allow net 2001:db8:abcd:0012::0/64
+				block net 2001:db8:abcd:0012::0/48
+			}`,
+			false,
+		},
+		{
+			"Whitelist 1 IPv6",
+			`acl {
+				allow net 2001:db8:abcd:0012::0/64
+				block
+			}`,
+			false,
+		},
+		{
+			"fine-grained 1 IPv6",
+			`acl a.example.org {
+				block net 2001:db8:abcd:0012::0/64
+			}`,
+			false,
+		},
+		{
+			"fine-grained 2 IPv6",
+			`acl a.example.org {
+				block net 2001:db8:abcd:0012::0/64
+			}
+			acl b.example.org {
+				block net 2001:db8:abcd:0013::0/64
+			}`,
+			false,
+		},
+		{
+			"Multiple Networks 1 IPv6",
+			`acl example.org {
+				block net 2001:db8:abcd:0012::0/64 2001:db8:85a3::8a2e:370:7334/64
+			}`,
+			false,
+		},
+		{
+			"Illegal argument 1 IPv6",
+			`acl {
+				block type A net 2001::85a3::8a2e:370:7334
+			}`,
+			true,
+		},
+		{
+			"Illegal argument 2 IPv6",
+			`acl {
+				block type A net 2001:db8:85a3:::8a2e:370:7334
+			}`,
+			true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctr := caddy.NewTestController("dns", tt.config)
+			if err := setup(ctr); (err != nil) != tt.wantErr {
+				t.Errorf("Error: setup() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestNormalize(t *testing.T) {
+	type args struct {
+		rawNet string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			"Network range 1",
+			args{"10.218.10.8/24"},
+			"10.218.10.8/24",
+		},
+		{
+			"IP address 1",
+			args{"10.218.10.8"},
+			"10.218.10.8/32",
+		},
+		{
+			"IPv6 address 1",
+			args{"2001:0db8:85a3:0000:0000:8a2e:0370:7334"},
+			"2001:0db8:85a3:0000:0000:8a2e:0370:7334/128",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := normalize(tt.args.rawNet); got != tt.want {
+				t.Errorf("Error: normalize() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
author	An Xiao <hac@zju.edu.cn>	2019-09-04 23:43:45 +0800
committer	Yong Tang <yong.tang.github@outlook.com>	2019-09-04 08:43:45 -0700
commit	79f37a1460cc52ce6c63110f4df33316a36af3a5 (patch)
tree	35b3ddcc68ba82eabb9393cb166b5de76a42bb29 /plugin/acl/setup_test.go
parent	7894154bfd2f1960c6842318d8ee99c194a04179 (diff)
download	coredns-79f37a1460cc52ce6c63110f4df33316a36af3a5.tar.gz coredns-79f37a1460cc52ce6c63110f4df33316a36af3a5.tar.zst coredns-79f37a1460cc52ce6c63110f4df33316a36af3a5.zip