041106d623
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 17s
CI / ui (pull_request) Successful in 53s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m11s
Add a prod-only, in-memory IP ban enforced at the edge, fed by three signals:
sustained rate-limiter rejections (the IP-keyed public/email/admin classes — the
user class stays the backend soft-flag's concern), a honeypot decoy-path hit (the
contour caddy tags decoys with X-Scrabble-Honeypot and routes them to the gateway),
and a honeytoken (a planted bearer, GATEWAY_HONEYTOKEN). A banned IP is refused with
429 by the abuseGuard middleware before any work — covering the Connect edge, the
live stream and the static SPA/landing the per-op limiter never gated.
The ban is off by default: it keys by the real client IP the shared-NAT test contour
does not expose, so a ban there would be self-inflicted; detection still logs in the
contour, only the ban action is gated (GATEWAY_ABUSE_BAN_ENABLED). Rejection bans last
GATEWAY_ABUSE_BAN_DURATION; tripwire/honeytoken hits are near-zero-false-positive and
earn longer fixed bans. Each ban increments gateway_abuse_banned_total{reason}.
Operators see and lift active bans on the admin console's Throttled page; the gateway
syncs its active set to the backend every 30s (POST /api/v1/internal/bans/sync,
backend/internal/banview) and applies the operator unbans the response returns.
PRERELEASE phase AG. Docs baked into ARCHITECTURE / FUNCTIONAL (+ru) / both READMEs.
131 lines
3.9 KiB
Go
131 lines
3.9 KiB
Go
package connectsrv
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
"time"
|
|
|
|
"go.opentelemetry.io/otel/attribute"
|
|
sdkmetric "go.opentelemetry.io/otel/sdk/metric"
|
|
"go.opentelemetry.io/otel/sdk/metric/metricdata"
|
|
)
|
|
|
|
// TestEdgeMetric records Execute outcomes through a manual reader and asserts the
|
|
// edge_request_duration histogram splits by message_type and result.
|
|
func TestEdgeMetric(t *testing.T) {
|
|
ctx := context.Background()
|
|
reader := sdkmetric.NewManualReader()
|
|
meter := sdkmetric.NewMeterProvider(sdkmetric.WithReader(reader)).Meter("test")
|
|
m := newServerMetrics(meter)
|
|
|
|
m.recordEdge(ctx, "game.submit_play", "ok", time.Now().Add(-time.Millisecond))
|
|
m.recordEdge(ctx, "game.submit_play", "ok", time.Now().Add(-time.Millisecond))
|
|
m.recordEdge(ctx, "auth.guest", "domain", time.Now().Add(-time.Millisecond))
|
|
|
|
var rm metricdata.ResourceMetrics
|
|
if err := reader.Collect(ctx, &rm); err != nil {
|
|
t.Fatalf("collect: %v", err)
|
|
}
|
|
|
|
type key struct{ messageType, result string }
|
|
counts := map[key]uint64{}
|
|
for _, sm := range rm.ScopeMetrics {
|
|
for _, md := range sm.Metrics {
|
|
if md.Name != "edge_request_duration" {
|
|
continue
|
|
}
|
|
h, ok := md.Data.(metricdata.Histogram[float64])
|
|
if !ok {
|
|
t.Fatalf("edge_request_duration is not a float64 histogram")
|
|
}
|
|
for _, dp := range h.DataPoints {
|
|
mt, _ := dp.Attributes.Value(attribute.Key("message_type"))
|
|
res, _ := dp.Attributes.Value(attribute.Key("result"))
|
|
counts[key{mt.AsString(), res.AsString()}] += dp.Count
|
|
}
|
|
}
|
|
}
|
|
if got := counts[key{"game.submit_play", "ok"}]; got != 2 {
|
|
t.Errorf("edge game.submit_play/ok = %d, want 2", got)
|
|
}
|
|
if got := counts[key{"auth.guest", "domain"}]; got != 1 {
|
|
t.Errorf("edge auth.guest/domain = %d, want 1", got)
|
|
}
|
|
}
|
|
|
|
// TestRateLimitedMetric records limiter rejections through a manual reader and
|
|
// asserts gateway_rate_limited_total splits by class.
|
|
func TestRateLimitedMetric(t *testing.T) {
|
|
ctx := context.Background()
|
|
reader := sdkmetric.NewManualReader()
|
|
meter := sdkmetric.NewMeterProvider(sdkmetric.WithReader(reader)).Meter("test")
|
|
m := newServerMetrics(meter)
|
|
|
|
m.recordRateLimited(ctx, "user")
|
|
m.recordRateLimited(ctx, "user")
|
|
m.recordRateLimited(ctx, "public")
|
|
|
|
var rm metricdata.ResourceMetrics
|
|
if err := reader.Collect(ctx, &rm); err != nil {
|
|
t.Fatalf("collect: %v", err)
|
|
}
|
|
|
|
counts := map[string]int64{}
|
|
for _, sm := range rm.ScopeMetrics {
|
|
for _, md := range sm.Metrics {
|
|
if md.Name != "gateway_rate_limited_total" {
|
|
continue
|
|
}
|
|
sum, ok := md.Data.(metricdata.Sum[int64])
|
|
if !ok {
|
|
t.Fatalf("gateway_rate_limited_total is not an int64 sum")
|
|
}
|
|
for _, dp := range sum.DataPoints {
|
|
class, _ := dp.Attributes.Value(attribute.Key("class"))
|
|
counts[class.AsString()] += dp.Value
|
|
}
|
|
}
|
|
}
|
|
if counts["user"] != 2 || counts["public"] != 1 {
|
|
t.Errorf("rate_limited counts = %v, want user=2 public=1", counts)
|
|
}
|
|
}
|
|
|
|
// TestBannedMetric records ban events through a manual reader and asserts
|
|
// gateway_abuse_banned_total splits by reason.
|
|
func TestBannedMetric(t *testing.T) {
|
|
ctx := context.Background()
|
|
reader := sdkmetric.NewManualReader()
|
|
meter := sdkmetric.NewMeterProvider(sdkmetric.WithReader(reader)).Meter("test")
|
|
m := newServerMetrics(meter)
|
|
|
|
m.recordBan(ctx, "tripwire")
|
|
m.recordBan(ctx, "tripwire")
|
|
m.recordBan(ctx, "honeytoken")
|
|
|
|
var rm metricdata.ResourceMetrics
|
|
if err := reader.Collect(ctx, &rm); err != nil {
|
|
t.Fatalf("collect: %v", err)
|
|
}
|
|
|
|
counts := map[string]int64{}
|
|
for _, sm := range rm.ScopeMetrics {
|
|
for _, md := range sm.Metrics {
|
|
if md.Name != "gateway_abuse_banned_total" {
|
|
continue
|
|
}
|
|
sum, ok := md.Data.(metricdata.Sum[int64])
|
|
if !ok {
|
|
t.Fatalf("gateway_abuse_banned_total is not an int64 sum")
|
|
}
|
|
for _, dp := range sum.DataPoints {
|
|
reason, _ := dp.Attributes.Value(attribute.Key("reason"))
|
|
counts[reason.AsString()] += dp.Value
|
|
}
|
|
}
|
|
}
|
|
if counts["tripwire"] != 2 || counts["honeytoken"] != 1 {
|
|
t.Errorf("banned counts = %v, want tripwire=2 honeytoken=1", counts)
|
|
}
|
|
}
|